diff --git a/non_plat/adbd.te b/non_plat/adbd.te index e8698fc..83ef768 100644 --- a/non_plat/adbd.te +++ b/non_plat/adbd.te @@ -34,6 +34,7 @@ allow adbd adbd_data_file:file create_file_perms; allow adbd qemu_pipe_device:chr_file rw_file_perms; # user load adb pull /data/aee_exp db +typeattribute adbd data_between_core_and_vendor_violators; allow adbd aee_exp_data_file:dir r_dir_perms; allow adbd aee_exp_data_file:file r_file_perms; diff --git a/non_plat/aee_aed.te b/non_plat/aee_aed.te index c94a13d..2039565 100644 --- a/non_plat/aee_aed.te +++ b/non_plat/aee_aed.te @@ -22,6 +22,7 @@ allow aee_aed mtd_device:chr_file rw_file_perms; allow aee_aed RT_Monitor_device:chr_file r_file_perms; #data/aee_exp +typeattribute aee_aed data_between_core_and_vendor_violators; allow aee_aed aee_exp_data_file:dir create_dir_perms; allow aee_aed aee_exp_data_file:file create_file_perms; @@ -43,7 +44,7 @@ set_prop(aee_aed, persist_aee_prop); set_prop(aee_aed, debug_mtk_aee_prop); # /proc/lk_env -allow aee_aed proc_lk_env:file rw_file_perms; +#allow aee_aed proc_lk_env:file rw_file_perms; # Purpose: Allow aee_aedv to read /proc/pid/exe allow aee_aed exec_type:file r_file_perms; diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te index d2fec50..7a593d8 100644 --- a/non_plat/aee_aedv.te +++ b/non_plat/aee_aedv.te @@ -31,6 +31,7 @@ allow aee_aedv sdcard_type:dir create_dir_perms; allow aee_aedv sdcard_type:file create_file_perms; #data/anr +typeattribute aee_aedv data_between_core_and_vendor_violators; allow aee_aedv anr_data_file:dir create_dir_perms; allow aee_aedv anr_data_file:file create_file_perms; 
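Review bot: The added `typeattribute adbd data_between_core_and_vendor_violators;` in adbd.te exempts the whole adbd domain from the core/vendor data-sharing neverallow checks (as AOSP defines that attribute), not just the two `aee_exp_data_file` rules that follow it. Nothing in the hunk records why the exemption is needed or when it can be dropped. Place the statement with the domain's other attributes and give it a comment such as `# exemption for /data/aee_exp read only; tracked in <tracking-id placeholder>` so the violator list stays auditable. The same uncommented exemption is added in aee_aed.te, aee_aedv.te, aee_core_forwarder.te, audiocmdservice_atci.te, audioserver.te, bootanim.te, cameraserver.te, ccci_mdinit.te, dumpstate.te, em_svr.te, factory.te, the three fuelgauged files, kernel.te, mediaserver.te, merged_hal_service.te, meta_tst.te, mnld.te and mobile_log_d.te. Where it sits next to rules on generic `system_data_file` (fuelgauged*.te, mnld.te, merged_hal_service.te), a dedicated file type would be narrower than a domain-wide exemption.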
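Review bot: In the second aee_aed.te hunk the rule is disabled by rewriting it as `#allow aee_aed proc_lk_env:file rw_file_perms;` rather than deleting it, so the `# /proc/lk_env` header now describes a permission the domain no longer holds and the reason for dropping it is not recorded. Delete the line together with its header, or leave one explanatory comment in its place, e.g. `# proc_lk_env access removed: <reason placeholder>`, because commented-out rules tend to be re-enabled later without review. If aee_aed still opens that node at runtime, the only symptom will be an avc denial, so the change should be checked against a boot log. The same pattern recurs in audioserver.te, boot_logo_updater.te, cameraserver.te, cmddumper.te, drmserver.te, dumpstate.te, em_svr.te, emdlogger.te, factory.te, keystore.te, mdlogger.te, mediaextractor.te, mediaserver.te, meta_tst.te and mobile_log_d.te.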
@@ -183,7 +184,6 @@ allow aee_aedv debugfs_page_owner_slim_debug:file { read open }; allow aee_aedv debugfs_ion_mm_heap:dir search; allow aee_aedv debugfs_ion_mm_heap:file { read open }; allow aee_aedv debugfs_ion_mm_heap:lnk_file read; -allow aee_aedv debugfs_ion_mm_heap:lnk_file read; allow aee_aedv debugfs_cpuhvfs:dir search; allow aee_aedv debugfs_cpuhvfs:file { read open }; allow aee_aedv debugfs_emi_mbw_buf:file { read open }; diff --git a/non_plat/aee_core_forwarder.te b/non_plat/aee_core_forwarder.te index 3258c52..ba5cb23 100644 --- a/non_plat/aee_core_forwarder.te +++ b/non_plat/aee_core_forwarder.te @@ -16,6 +16,7 @@ init_daemon_domain(aee_core_forwarder) allow aee_core_forwarder aee_core_data_file:dir relabelto; allow aee_core_forwarder aee_core_data_file:dir create_dir_perms; allow aee_core_forwarder aee_core_data_file:file create_file_perms; +typeattribute aee_core_forwarder data_between_core_and_vendor_violators; allow aee_core_forwarder system_data_file:dir { write relabelfrom create add_name }; #mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip diff --git a/non_plat/audiocmdservice_atci.te b/non_plat/audiocmdservice_atci.te index b533a7b..885dc66 100644 --- a/non_plat/audiocmdservice_atci.te +++ b/non_plat/audiocmdservice_atci.te @@ -3,6 +3,7 @@ # Read/Write NV allow audiocmdservice_atci nvram_device:devfile_class_set rw_file_perms; +typeattribute audiocmdservice_atci data_between_core_and_vendor_violators; allow audiocmdservice_atci nvram_data_file:dir create_dir_perms; allow audiocmdservice_atci nvram_data_file:{file lnk_file} create_file_perms; allow audiocmdservice_atci nvdata_file:dir create_dir_perms; diff --git a/non_plat/audioserver.te b/non_plat/audioserver.te index e3659fb..42a473f 100644 --- a/non_plat/audioserver.te +++ b/non_plat/audioserver.te 
@@ -16,7 +16,7 @@ allow audioserver ttySDIO_device:chr_file rw_file_perms; # Data: WK14.44 # Operation : Migration # Purpose : for low SD card latency issue -allow audioserver sysfs_lowmemorykiller:file { read open }; +#allow audioserver sysfs_lowmemorykiller:file { read open }; # Data: WK14.45 # Operation : Migration @@ -24,6 +24,7 @@ allow audioserver sysfs_lowmemorykiller:file { read open }; allow audioserver proc_mtkcooler:dir search; allow audioserver proc_mtktz:dir search; allow audioserver proc_thermal:dir search; +typeattribute audioserver data_between_core_and_vendor_violators; allow audioserver thermal_manager_data_file:file create_file_perms; allow audioserver thermal_manager_data_file:dir { rw_dir_perms setattr }; @@ -35,7 +36,7 @@ allow audioserver offloadservice_device:chr_file rw_file_perms; # Date : WK16.17 # Operation : Migration # Purpose: read/open sysfs node -allow audioserver sysfs_ccci:file r_file_perms; +#allow audioserver sysfs_ccci:file r_file_perms; # Date : WK16.18 # Operation : Migration @@ -45,7 +46,7 @@ allow audioserver tmpfs:dir search; # Date : WK16.18 # Operation : Migration # Purpose: access sysfs node -allow audioserver sysfs:file { open read write }; +#allow audioserver sysfs:file { open read write }; allow audioserver sysfs_ccci:dir search; # Purpose: Dump debug info @@ -60,8 +61,6 @@ allow audioserver proc_ged:file {open read write ioctl getattr}; # Purpose: Allow to trigger AEE dump allow audioserver aee_aed:unix_stream_socket connectto; - - # Date : WK17.28 # Operation : MT6757 SQC # Purpose : Change thermal config diff --git a/non_plat/boot_logo_updater.te b/non_plat/boot_logo_updater.te index 00e8613..281d160 100644 --- a/non_plat/boot_logo_updater.te +++ b/non_plat/boot_logo_updater.te 
@@ -14,7 +14,7 @@ allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms; #To access file at /dev/logo allow boot_logo_updater logo_device:chr_file r_file_perms; # To access file at /proc/lk_env -allow boot_logo_updater proc_lk_env:file rw_file_perms; +#allow boot_logo_updater proc_lk_env:file rw_file_perms; # Date : WK16.25 # Operation : Global_Device/Uniservice Feature diff --git a/non_plat/bootanim.te b/non_plat/bootanim.te index e47fc8b..0f54609 100644 --- a/non_plat/bootanim.te +++ b/non_plat/bootanim.te @@ -5,6 +5,7 @@ # Date : WK14.37 # Operation : Migration # Purpose : for opetator +typeattribute bootanim data_between_core_and_vendor_violators; allow bootanim custom_file:dir search; allow bootanim custom_file:file r_file_perms; allow bootanim bootani_prop:property_service set; diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te index 64f21a4..2b2a14e 100644 --- a/non_plat/cameraserver.te +++ b/non_plat/cameraserver.te @@ -16,7 +16,6 @@ binder_call(cameraserver, mtk_hal_camera) # call the graphics allocator hal binder_call(cameraserver, hal_graphics_allocator) - # ----------------------------------- # Android O # Purpose: Debugging @@ -24,13 +23,11 @@ binder_call(cameraserver, hal_graphics_allocator) # Purpose: adb shell dumpsys media.camera --unreachable allow cameraserver self:process { ptrace }; - # ----------------------------------- # Purpose: property access # ----------------------------------- allow cameraserver mtkcam_prop:file { open read getattr }; - # Date : WK14.31 # Operation : Migration # Purpose : camera devices access. 
@@ -40,11 +37,12 @@ allow cameraserver vpu_device:chr_file rw_file_perms; allow cameraserver kd_camera_hw_device:chr_file rw_file_perms; allow cameraserver seninf_device:chr_file rw_file_perms; allow cameraserver self:capability { setuid ipc_lock sys_nice }; -allow cameraserver sysfs_wake_lock:file rw_file_perms; +#allow cameraserver sysfs_wake_lock:file rw_file_perms; allow cameraserver MTK_SMI_device:chr_file r_file_perms; allow cameraserver camera_pipemgr_device:chr_file r_file_perms; allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms; allow cameraserver lens_device:chr_file rw_file_perms; +typeattribute cameraserver data_between_core_and_vendor_violators; allow cameraserver nvdata_file:dir { write search add_name }; allow cameraserver nvdata_file:file { read write getattr setattr open create }; allow cameraserver nvram_data_file:dir search; @@ -52,9 +50,9 @@ allow cameraserver nvram_data_file:dir w_dir_perms; allow cameraserver nvram_data_file:file create_file_perms; allow cameraserver nvram_data_file:lnk_file read; allow cameraserver nvdata_file:lnk_file read; -allow cameraserver proc:file { read ioctl open }; -allow cameraserver proc_meminfo:file { read getattr open }; -allow cameraserver sysfs:file { read write open }; +#allow cameraserver proc:file { read ioctl open }; +#allow cameraserver proc_meminfo:file { read getattr open }; +#allow cameraserver sysfs:file { read write open }; # Date : WK14.34 # Operation : Migration @@ -146,7 +144,6 @@ allow cameraserver MAINAF_device:chr_file rw_file_perms; allow cameraserver MAIN2AF_device:chr_file rw_file_perms; allow cameraserver SUBAF_device:chr_file rw_file_perms; - # Data : WK14.38 # Operation : Migration # Purpose : for boot animation. 
@@ -221,7 +218,7 @@ allow cameraserver surfaceflinger:file getattr; # Data: WK14.44 # Operation : Migration # Purpose : for low SD card latency issue -allow cameraserver sysfs_lowmemorykiller:file { read open }; +#allow cameraserver sysfs_lowmemorykiller:file { read open }; # Data: WK14.45 # Operation : Migration @@ -281,13 +278,11 @@ allow cameraserver mnt_user_file:lnk_file {read write}; # Purpose: Allow cameraserver to read binder from surfaceflinger allow cameraserver surfaceflinger:fifo_file {read write}; - # Date : WK15.45 # Purpose : camera read/write /nvcfg/camera data allow cameraserver nvcfg_file:dir create_dir_perms; allow cameraserver nvcfg_file:file create_file_perms; - # Date : WK15.46 # Operation : Migration # Purpose : DPE Driver @@ -314,9 +309,10 @@ allow cameraserver gpu_device:dir search; # Operation : Migration # Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow) allow cameraserver property_socket:sock_file write; -allow cameraserver proc:file getattr; +#allow cameraserver proc:file getattr; allow cameraserver shell_exec:file { execute read getattr open}; domain_auto_trans(cameraserver, thermal_manager_exec, thermal_manager) +typeattribute cameraserver system_executes_vendor_violators; allow cameraserver thermal_manager_exec:file { read getattr open execute}; allow cameraserver init:unix_stream_socket connectto; @@ -327,7 +323,7 @@ allow cameraserver camera_rsc_device:chr_file rw_file_perms; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow cameraserver proc_ged:file {open read write ioctl getattr}; +#allow cameraserver proc_ged:file {open read write ioctl getattr}; # Date : WK16.33 # Operation : Migration 
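Review bot: `typeattribute cameraserver system_executes_vendor_violators;` in the `@@ -314,9 +309,10 @@` hunk is wedged between `domain_auto_trans(cameraserver, thermal_manager_exec, thermal_manager)` and the `allow` that belongs to it, with no comment. As AOSP defines the attribute, it lifts the system-executes-vendor restriction for the whole domain rather than for `thermal_manager_exec` alone. Move it next to the domain's other attributes and name the single binary it is for, e.g. `# exemption: cameraserver execs thermal_manager only; remove when <condition placeholder>`. The same attribute is added in em_svr.te, kernel.te and mediaserver.te. The em_svr case deserves the closest look, because its rule includes `execute_no_trans`, so the vendor binary runs inside em_svr's own domain instead of transitioning.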
@@ -367,7 +363,7 @@ allow cameraserver camera_owe_device:chr_file rw_file_perms; # Date : WK17.25 # Operation : Migration -allow cameraserver debugfs_tracing:file { write open }; +#allow cameraserver debugfs_tracing:file { write open }; allow cameraserver nvram_data_file:dir { add_name write create}; allow cameraserver nvram_data_file:file { write getattr setattr read create open }; allow cameraserver debugfs_ion:dir search; @@ -397,4 +393,4 @@ allow cameraserver camera_mfb_device:chr_file rw_file_perms; # Operation : MT6771 SQC # Purpose: Allow permgr access allow cameraserver proc_perfmgr:dir {read search}; -allow cameraserver proc_perfmgr:file {open read ioctl}; +#allow cameraserver proc_perfmgr:file {open read ioctl}; diff --git a/non_plat/ccci_mdinit.te b/non_plat/ccci_mdinit.te index 9633b2d..1421f67 100644 --- a/non_plat/ccci_mdinit.te +++ b/non_plat/ccci_mdinit.te @@ -68,6 +68,7 @@ allow ccci_mdinit bootdevice_block_device:blk_file rw_file_perms; set_prop(ccci_mdinit, ril_mux_report_case_prop) +typeattribute ccci_mdinit data_between_core_and_vendor_violators; allow ccci_mdinit mdlog_data_file:dir search; allow ccci_mdinit mdlog_data_file:file r_file_perms; diff --git a/non_plat/cmddumper.te b/non_plat/cmddumper.te index dd10345..43cea85 100644 --- a/non_plat/cmddumper.te +++ b/non_plat/cmddumper.te @@ -25,5 +25,5 @@ allow cmddumper media_rw_data_file:dir { create_dir_perms }; allow cmddumper file_contexts_file:file { read getattr open }; # purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode -allow cmddumper sysfs:file { read open }; +#allow cmddumper sysfs:file { read open }; diff --git a/non_plat/drmserver.te b/non_plat/drmserver.te index 8755b64..d825d03 100644 --- a/non_plat/drmserver.te +++ b/non_plat/drmserver.te @@ -4,4 +4,4 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow drmserver proc_ged:file {open read write ioctl getattr}; +#allow drmserver proc_ged:file {open read write ioctl getattr}; 
diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te index e1121d2..d8870e5 100644 --- a/non_plat/dumpstate.te +++ b/non_plat/dumpstate.te @@ -9,6 +9,7 @@ set_prop(dumpstate, debug_bq_dump_prop); allow dumpstate aed_device:chr_file { read getattr }; # Purpose: data/dumpsys/* +typeattribute dumpstate data_between_core_and_vendor_violators; allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms }; allow dumpstate aee_dumpsys_data_file:file { create_file_perms }; @@ -35,19 +36,18 @@ allow dumpstate debugfs_page_owner_slim_debug:file { read open }; allow dumpstate debugfs_ion_mm_heap:dir search; allow dumpstate debugfs_ion_mm_heap:file { read open }; allow dumpstate debugfs_ion_mm_heap:lnk_file read; -allow dumpstate debugfs_ion_mm_heap:lnk_file read; allow dumpstate debugfs_cpuhvfs:dir search; allow dumpstate debugfs_cpuhvfs:file { read open }; # Purpose: /sys/kernel/ccci/md_chn allow dumpstate sysfs_ccci:dir search; -allow dumpstate sysfs_ccci:file { read open }; +#allow dumpstate sysfs_ccci:file { read open }; # Purpose: leds status allow dumpstate sysfs_leds:lnk_file read; # Purpose: /sys/module/lowmemorykiller/parameters/adj -allow dumpstate sysfs_lowmemorykiller:file { read open }; +#allow dumpstate sysfs_lowmemorykiller:file { read open }; allow dumpstate sysfs_lowmemorykiller:dir search; # Purpose: /dev/block/mmcblk0p10 @@ -69,7 +69,7 @@ allow dumpstate aee_aed:unix_stream_socket { read write ioctl }; # allow dumpstate config_gz:file read; allow dumpstate sysfs_leds:dir r_dir_perms; -allow dumpstate sysfs_leds:file r_file_perms; +#allow dumpstate sysfs_leds:file r_file_perms; # Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied # { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r: diff --git a/non_plat/em_svr.te b/non_plat/em_svr.te index 432bed3..fc988eb 100644 --- a/non_plat/em_svr.te +++ b/non_plat/em_svr.te 
@@ -8,6 +8,7 @@ allow em_svr misc_sd_device:chr_file { read open ioctl }; allow em_svr als_ps_device:chr_file { read ioctl open }; allow em_svr gsensor_device:chr_file { read ioctl open }; allow em_svr gyroscope_device:chr_file { read ioctl open }; +typeattribute em_svr data_between_core_and_vendor_violators; allow em_svr nvram_data_file:dir { write read open add_name search }; allow em_svr nvram_data_file:file { write getattr setattr read create open }; allow em_svr nvram_data_file:lnk_file read; 
@@ -15,30 +16,30 @@ allow em_svr nvdata_file:lnk_file read; allow em_svr nvdata_file:dir { write read open add_name search }; allow em_svr nvdata_file:file { write getattr setattr read create open }; allow em_svr nvram_device:chr_file { open read write ioctl }; +typeattribute em_svr system_executes_vendor_violators; allow em_svr thermal_manager_exec:file { getattr execute read open execute_no_trans }; allow em_svr proc_mtkcooler:dir search; -allow em_svr proc_mtkcooler:file { read getattr open write }; +#allow em_svr proc_mtkcooler:file { read getattr open write }; allow em_svr proc_thermal:dir search; -allow em_svr proc_thermal:file { read getattr open write }; +#allow em_svr proc_thermal:file { read getattr open write }; allow em_svr proc_mtktz:dir search; -allow em_svr proc_mtktz:file { read getattr open write }; -allow em_svr proc_slogger:file { read getattr open write }; -allow em_svr proc_lk_env:file { read getattr open write ioctl}; +#allow em_svr proc_mtktz:file { read getattr open write }; +#allow em_svr proc_slogger:file { read getattr open write }; +#allow em_svr proc_lk_env:file { read getattr open write ioctl}; allow em_svr para_block_device:blk_file { read open }; # Date: 2015/12/22 # Operation : M Migration # Purpose : Battery Log can change temperature userdebug_or_eng(` allow em_svr proc_battery_cmd:dir search; -allow em_svr proc_battery_cmd:file { read getattr open write }; +#allow em_svr proc_battery_cmd:file { read getattr open write }; ') # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow em_svr proc_ged:file {open read write ioctl getattr}; +#allow em_svr proc_ged:file {open read write ioctl getattr}; # Date : WK17.42 # Purpose: Allow to query md log filter bin allow em_svr md_block_device:blk_file { read open }; - diff --git a/non_plat/emdlogger.te b/non_plat/emdlogger.te index 2a8b67d..cf938fb 100644 --- a/non_plat/emdlogger.te +++ b/non_plat/emdlogger.te 
@@ -57,11 +57,11 @@ allow emdlogger storage_file:file { create_file_perms }; #permission for read boot mode #avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" -allow emdlogger sysfs:file { read open }; +#allow emdlogger sysfs:file { read open }; # Allow read to sys/kernel/ccci/* files allow emdlogger sysfs_ccci:dir search; -allow emdlogger sysfs_ccci:file r_file_perms; +#allow emdlogger sysfs_ccci:file r_file_perms; # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 # scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 diff --git a/non_plat/factory.te b/non_plat/factory.te index a29a2d3..39eca30 100644 --- a/non_plat/factory.te +++ b/non_plat/factory.te @@ -5,7 +5,6 @@ # Type Declaration # ============================================== - # ============================================== # MTK Policy Rule # ============================================== @@ -52,13 +51,12 @@ allow factory vmodem_device:chr_file rw_file_perms; # Purpose: for nand project allow factory mtd_device:dir search; allow factory mtd_device:chr_file rw_file_perms; -allow factory mtd_device:chr_file rw_file_perms; allow factory self:capability sys_resource; allow factory pro_info_device:chr_file rw_file_perms; # Data: WK15.28 # Purpose: for mt-ramdump reset -allow factory proc_mrdump_rst:file w_file_perms; +#allow factory proc_mrdump_rst:file w_file_perms; #Date: WK15.31 #Purpose: define factory_data_file instead of system_data_file @@ -75,6 +73,7 @@ allow factory factory_idle_state_prop:property_service set; # Date: WK15.46 # Purpose: gps factory mode +typeattribute factory data_between_core_and_vendor_violators; allow factory agpsd_data_file:dir search; allow factory apk_data_file:dir write; #allow factory gps_data_file:dir r_dir_perms; 
@@ -220,7 +219,7 @@ allow factory input_device:dir rw_dir_perms; # Purpose: N Migration For ccci sysfs node # Allow read to sys/kernel/ccci/* files allow factory sysfs_ccci:dir search; -allow factory sysfs_ccci:file r_file_perms; +#allow factory sysfs_ccci:file r_file_perms; # Date: WK16.18 # Purpose: N Migration For boot_mode @@ -228,7 +227,7 @@ allow factory sysfs_ccci:file r_file_perms; # avc: denied { read } for name="boot_mode" dev="sysfs" ino=117 # scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 # tclass=file permissive=0 -allow factory sysfs:file rw_file_perms; +#allow factory sysfs:file rw_file_perms; # Date: WK16.30 #Purpose: For gps test @@ -259,7 +258,7 @@ allow factory flashlight_device:chr_file rw_file_perms; # Date : WK16.48 # Purpose: For SmartPa speaker calibration allow factory proc:dir search; -allow factory proc:file {open read write}; +#allow factory proc:file {open read write}; # Date: WK15.25 #Purpose: for unmount sdcardfs and stop services which are using data partition 
@@ -270,19 +269,19 @@ allow factory tmpfs:filesystem unmount; allow factory sysfs:dir { read open }; allow factory sysfs_leds:dir search; allow factory sysfs_leds:lnk_file read; -allow factory sysfs_vibrator:file {open read write}; +#allow factory sysfs_vibrator:file {open read write}; allow factory ion_device:chr_file { read open ioctl }; allow factory debugfs_ion:dir search; -allow factory proc:file ioctl; +#allow factory proc:file ioctl; # Date: WK17.27 # Purpose: STMicro NFC solution integration allow factory st21nfc_device:chr_file { open read getattr write ioctl }; allow factory nfc_socket:dir search; -allow factory vendor_file:file { getattr execute execute_no_trans read open }; +#allow factory vendor_file:file { getattr execute execute_no_trans read open }; set_prop(factory,hwservicemanager_prop); hwbinder_use(factory); hal_client_domain(factory, hal_nfc); -allow factory debugfs_tracing:file { open write }; +#allow factory debugfs_tracing:file { open write }; # Date : WK17.32 # Operation : O Migration @@ -293,10 +292,9 @@ allow factory mtk_cmdq_device:chr_file { read ioctl open }; # Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode set_prop(factory,ctl_ccci_fsd_prop); - # Date : WK17.38 # Operation : O Migration # Purpose: Allow to access sysfs allow factory sysfs_therm:dir search; -allow factory sysfs_therm:file {open read write}; +#allow factory sysfs_therm:file {open read write}; diff --git a/non_plat/file_contexts b/non_plat/file_contexts index 82a2722..29065bf 100644 --- a/non_plat/file_contexts +++ b/non_plat/file_contexts 
@@ -281,7 +281,7 @@ /dev/socket/soc_vt_svc(/.*)? u:object_r:soc_vt_svc_socket:s0 /dev/socket/soc_vt_tcv(/.*)? u:object_r:soc_vt_tcv_socket:s0 /dev/socket/sysctl(/.*)? u:object_r:sysctl_socket:s0 -/dev/socket/vold(/.*)? u:object_r:vold_socket:s0 +#/dev/socket/vold(/.*)? u:object_r:vold_socket:s0 /dev/socket/volte_vt(/.*)? u:object_r:volte_vt_socket:s0 /dev/socket/wpa_wlan0(/.*)? u:object_r:wpa_wlan0_socket:s0 /dev/stpant(/.*)? u:object_r:stpant_device:s0 diff --git a/non_plat/fuelgauged.te b/non_plat/fuelgauged.te index 8b24ed4..26b8590 100644 --- a/non_plat/fuelgauged.te +++ b/non_plat/fuelgauged.te @@ -53,6 +53,7 @@ allow fuelgauged self:netlink_route_socket { bind create getattr write nlmsg_rea # Purpose : For fg daemon can access /data/FG folder file_type_auto_trans(fuelgauged, system_data_file, fuelgauged_file); allow fuelgauged fuelgauged_file:file rw_file_perms; +typeattribute fuelgauged data_between_core_and_vendor_violators; allow fuelgauged system_data_file:dir rw_dir_perms; # Data : WK16.21 diff --git a/non_plat/fuelgauged_nvram.te b/non_plat/fuelgauged_nvram.te index 78eadbe..3078edf 100644 --- a/non_plat/fuelgauged_nvram.te +++ b/non_plat/fuelgauged_nvram.te @@ -27,6 +27,7 @@ init_daemon_domain(fuelgauged_nvram) # Purpose : For fg daemon can access /data/FG folder file_type_auto_trans(fuelgauged_nvram, system_data_file, fuelgauged_nvram_file); allow fuelgauged_nvram fuelgauged_nvram_file:file rw_file_perms; +typeattribute fuelgauged_nvram data_between_core_and_vendor_violators; allow fuelgauged_nvram system_data_file:dir rw_dir_perms; # Data : WK16.21 diff --git a/non_plat/fuelgauged_static.te b/non_plat/fuelgauged_static.te index 77394ef..b031338 100644 --- a/non_plat/fuelgauged_static.te +++ b/non_plat/fuelgauged_static.te 
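Review bot: Commenting out `/dev/socket/vold(/.*)? u:object_r:vold_socket:s0` in file_contexts leaves no entry for that path in this file, and the hunk does not say whether another file_contexts now labels it. If the socket is still created on any build using this policy, it would presumably fall back to whatever broader `/dev/socket` entry matches, which changes which domains may reach it. Once that is confirmed, delete the line outright, or keep a one-line reason such as `# /dev/socket/vold is labelled by <file placeholder>`.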
@@ -26,6 +26,7 @@ allow fuelgauged_static kmsg_device:chr_file w_file_perms; # Data : WK16.21 # Operation : New Feature # Purpose : For fg daemon can do nvram r/w to save car_tune_value +typeattribute fuelgauged_static data_between_core_and_vendor_violators; allow fuelgauged_static nvdata_file:dir rw_dir_perms; allow fuelgauged_static nvdata_file:file {rw_file_perms create_file_perms}; allow fuelgauged_static nvram_data_file:lnk_file rw_file_perms; diff --git a/non_plat/kernel.te b/non_plat/kernel.te index 4cf46a2..cd6a94b 100644 --- a/non_plat/kernel.te +++ b/non_plat/kernel.te @@ -21,6 +21,7 @@ allow kernel system_data_file:lnk_file r_file_perms; # Date : WK14.31 # Operation : Migration # Purpose : transit from kernel to aee_core_forwarder domain when executing aee_core_forwarder +typeattribute kernel system_executes_vendor_violators; domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder) # Date : WK14.43 @@ -49,6 +50,7 @@ allow kernel proc_thermal:dir search; # because wifi driver need to access nvram to get radio configuration. On Userdebug or Eng load, # factory engineers may need to update nvram by Egineer Mode, so we need to grant write permissions # on Eng or Userdebug load +typeattribute kernel data_between_core_and_vendor_violators; allow kernel nvram_data_file:dir search; allow kernel nvram_data_file:file r_file_perms; allow kernel nvram_data_file:lnk_file read; diff --git a/non_plat/keystore.te b/non_plat/keystore.te index 38a12b2..9d7e4c7 100644 --- a/non_plat/keystore.te +++ b/non_plat/keystore.te @@ -10,5 +10,5 @@ allow keystore app_data_file:file write; # Date : WK17.30 2017/07/25 # Operation : keystore # Purpose : Fix keystore boot selinux violation -allow keystore debugfs_tracing:file write; +#allow keystore debugfs_tracing:file write; allow hal_keymaster_default debugfs_tracing:file write; diff --git a/non_plat/mdlogger.te b/non_plat/mdlogger.te index 3f671dc..a46f388 100644 --- a/non_plat/mdlogger.te +++ b/non_plat/mdlogger.te 
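Review bot: After this change keystore.te grants keystore nothing on `debugfs_tracing`, but the next line, `allow hal_keymaster_default debugfs_tracing:file write;`, stays active under a header that reads "Fix keystore boot selinux violation". That leaves a write grant for a different domain in the wrong file, under a purpose comment that no longer matches. Move it to the keymaster HAL's own .te file with an accurate `# Purpose` line, or state why it must remain while the keystore rule is dropped.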
@@ -36,7 +36,7 @@ allow mdlogger storage_file:file { create_file_perms }; # Allow read to sys/kernel/ccci/* files allow mdlogger sysfs_ccci:dir search; -allow mdlogger sysfs_ccci:file r_file_perms; +#allow mdlogger sysfs_ccci:file r_file_perms; # purpose: allow mdlogger to access storage in new version allow mdlogger media_rw_data_file:file { create_file_perms }; diff --git a/non_plat/mediaextractor.te b/non_plat/mediaextractor.te index 12157b8..fda7974 100644 --- a/non_plat/mediaextractor.te +++ b/non_plat/mediaextractor.te @@ -4,4 +4,4 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow mediaextractor proc_ged:file {open read write ioctl getattr}; +#allow mediaextractor proc_ged:file {open read write ioctl getattr}; diff --git a/non_plat/mediaserver.te b/non_plat/mediaserver.te index 59a7629..ad2b015 100644 --- a/non_plat/mediaserver.te +++ b/non_plat/mediaserver.te @@ -22,6 +22,7 @@ allow mediaserver lens_device:chr_file rw_file_perms; # Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam. allow mediaserver sdcard_type:dir { w_dir_perms create }; allow mediaserver sdcard_type:file create; +typeattribute mediaserver data_between_core_and_vendor_violators; allow mediaserver nvram_data_file:dir w_dir_perms; allow mediaserver nvram_data_file:file create_file_perms; allow mediaserver nvram_data_file:lnk_file read; @@ -304,6 +305,7 @@ allow mediaserver camera_tsf_device:chr_file rw_file_perms; # Operation : N Migration # Purpose : add permission for thermal manager domain_auto_trans(mediaserver, thermal_manager_exec, thermal_manager) +typeattribute mediaserver system_executes_vendor_violators; allow mediaserver thermal_manager_exec:file { read getattr open execute}; # Date : WK16.32 
@@ -345,7 +347,7 @@ allow mediaserver camera_owe_device:chr_file rw_file_perms; # Date : WK17.27 # Operation : O Migration # Purpose : m4u Driver -allow mediaserver proc:file r_file_perms; +#allow mediaserver proc:file r_file_perms; # Date : WK17.29 # Operation : O Migration diff --git a/non_plat/merged_hal_service.te b/non_plat/merged_hal_service.te index d4cde7d..3a2d668 100644 --- a/non_plat/merged_hal_service.te +++ b/non_plat/merged_hal_service.te @@ -59,6 +59,7 @@ allow merged_hal_service init:unix_stream_socket connectto; allow merged_hal_service property_socket:sock_file write; allow merged_hal_service sysfs:file write; #allow merged_hal_service self:capability { fowner chown dac_override fsetid }; +typeattribute merged_hal_service data_between_core_and_vendor_violators; allow merged_hal_service system_data_file:dir create_file_perms; allow merged_hal_service nvram_device:chr_file rw_file_perms; allow merged_hal_service pro_info_device:chr_file rw_file_perms; diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te index 8472f14..372ee3f 100644 --- a/non_plat/meta_tst.te +++ b/non_plat/meta_tst.te @@ -39,6 +39,7 @@ allow meta_tst cache_block_device:blk_file rw_file_perms; # Date: WK16.12 # Operation : Migration # Purpose : for meta mode nvram +typeattribute meta_tst data_between_core_and_vendor_violators; allow meta_tst nvram_data_file:dir create_dir_perms; allow meta_tst nvram_data_file:file create_file_perms; allow meta_tst nvram_data_file:lnk_file r_file_perms; @@ -49,7 +50,6 @@ allow meta_tst nvram_device:chr_file rw_file_perms; allow meta_tst nvram_device:blk_file rw_file_perms; allow meta_tst nvdata_device:blk_file rw_file_perms; - # Date: WK14.47 # Operation : Migration # Purpose : for meta mode audio @@ -63,7 +63,6 @@ set_prop(meta_tst, audiohal_prop); allow meta_tst rtc_device:chr_file r_file_perms; allow meta_tst MT_pmic_adc_cali_device:chr_file rw_file_perms; - # Date: WK14.45 # Operation : Migration # Purpose : HDCP 
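Review bot: In merged_hal_service.te the new `typeattribute merged_hal_service data_between_core_and_vendor_violators;` apparently exists to cover `allow merged_hal_service system_data_file:dir create_file_perms;`, but that rule applies a file permission macro to the `dir` class. As AOSP defines the macro, it grants neither `search` nor `add_name`, so either `create_dir_perms` was meant or the rule does nothing useful. Before exempting the domain, confirm which directory the service needs and label it with a dedicated type via `file_type_auto_trans`, as fuelgauged.te does. The hunk's context also shows `allow merged_hal_service sysfs:file write;` still active, while this commit disables generic `sysfs:file` rules for other domains.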
@@ -120,7 +119,6 @@ allow meta_tst FM50AF_device:chr_file rw_file_perms; # Purpose : meta mode wifi allow meta_tst wmtWifi_device:chr_file w_file_perms; - # Date: WK16.12 # Operation : Migration # Purpose : meta mode BT @@ -157,8 +155,7 @@ allow meta_tst key_install_data_file:file create_file_perms; # Date: WK14.51 # Purpose : set/get cryptfs cfg in sys env allow meta_tst misc_device:chr_file rw_file_perms; -allow meta_tst proc_lk_env:file rw_file_perms; - +#allow meta_tst proc_lk_env:file rw_file_perms; # Purpose : FT_EMMC_OP_FORMAT_TCARD allow meta_tst block_device:blk_file getattr; @@ -179,7 +176,6 @@ allow meta_tst self:process execmem; allow meta_tst mtd_device:dir search; allow meta_tst mtd_device:chr_file rw_file_perms; - # Date: WK15.38 # Purpose: M Migration for CCT linker fail allow meta_tst sdcard_type:dir create_dir_perms; @@ -191,14 +187,14 @@ allow meta_tst storage_file:lnk_file read; # Date: WK16.17 # Purpose: N Migration For ccci sysfs node allow meta_tst sysfs_ccci:dir search; -allow meta_tst sysfs_ccci:file r_file_perms; +#allow meta_tst sysfs_ccci:file r_file_perms; #Date: W16.17 # Purpose: N Migration for meta_tst get com port type and uart port info # detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10): #avc: denied { read } for pid=203 comm="meta_tst" name="meta_com_type_info" dev= #"sysfs" ino=11073 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 -allow meta_tst sysfs:file rw_file_perms; +#allow meta_tst sysfs:file rw_file_perms; #Date: W16.17 # Purpose: N Migration For meta_tst load MD NVRAM database 
@@ -259,7 +255,7 @@ allow meta_tst self:netlink_socket create_socket_perms_no_ioctl; allow meta_tst self:rawip_socket create; allow meta_tst self:udp_socket create_socket_perms_no_ioctl; allow meta_tst self:rawip_socket create_socket_perms_no_ioctl; -allow meta_tst proc_ged:file r_file_perms; +#allow meta_tst proc_ged:file r_file_perms; allowxperm meta_tst self:udp_socket ioctl {SIOCSIFFLAGS SIOCGIFCONF SIOCIWFIRSTPRIV_08 SIOCIWFIRSTPRIV_09}; allow meta_tst meta_tst:netlink_generic_socket { read write getattr bind create setopt }; @@ -294,11 +290,11 @@ allow meta_tst system_data_file:lnk_file read; allow meta_tst st21nfc_device:chr_file { open read write ioctl }; allow meta_tst factory_data_file:sock_file { write unlink }; allow meta_tst nfc_socket:dir search; -allow meta_tst vendor_file:file { getattr execute execute_no_trans read open }; +#allow meta_tst vendor_file:file { getattr execute execute_no_trans read open }; set_prop(meta_tst,hwservicemanager_prop); hwbinder_use(meta_tst); hal_client_domain(meta_tst, hal_nfc); -allow meta_tst debugfs_tracing:file { open write }; +#allow meta_tst debugfs_tracing:file { open write }; # Date: W17.29 # Purpose : Allow meta_tst to call vendor.mediatek.hardware.keymaster_attestation@1.0-service. @@ -308,7 +304,7 @@ hal_client_domain(meta_tst, mtk_hal_keyattestation) # Operation : Android O migration # Purpose : add sepolicy for accessing sysfs_leds allow meta_tst sysfs_leds:lnk_file read; -allow meta_tst sysfs_leds:file rw_file_perms; +#allow meta_tst sysfs_leds:file rw_file_perms; allow meta_tst sysfs_leds:dir r_dir_perms; # Date: WK17.43 
@@ -345,15 +341,15 @@ binder_call(meta_tst, mtk_hal_audio) allow meta_tst mtk_hal_audio:binder call; allow meta_tst hal_audio_hwservice:hwservice_manager find; allow meta_tst mtk_audiohal_data_file:dir {read search open}; -allow meta_tst proc:file {read open}; +#allow meta_tst proc:file {read open}; allow meta_tst audio_device:chr_file rw_file_perms; allow meta_tst audio_device:dir w_dir_perms; allow meta_tst audiohal_prop:property_service set; #Data:W1745 # Purpose : Allow meta_tst to open and read proc/bootprof -allow meta_tst proc:file write; -allow meta_tst proc:file getattr; +#allow meta_tst proc:file write; +#allow meta_tst proc:file getattr; # Date:W17.51 # Operation : lbs hal diff --git a/non_plat/mnld.te b/non_plat/mnld.te index b98c18b..539e70f 100644 --- a/non_plat/mnld.te +++ b/non_plat/mnld.te @@ -49,6 +49,7 @@ allow mnld lbs_hidl_service:unix_dgram_socket sendto; allow mnld merged_hal_service:unix_dgram_socket sendto; # Purpose : For access system data +typeattribute mnld data_between_core_and_vendor_violators; allow mnld system_data_file:dir { write add_name }; allow mnld system_data_file:lnk_file read; allow mnld bootdevice_block_device:blk_file rw_file_perms; diff --git a/non_plat/mobile_log_d.te b/non_plat/mobile_log_d.te index a79de4a..2cb3827 100644 --- a/non_plat/mobile_log_d.te +++ b/non_plat/mobile_log_d.te @@ -1,14 +1,15 @@ #scp -allow mobile_log_d sysfs_scp:file { open write }; +#allow mobile_log_d sysfs_scp:file { open write }; allow mobile_log_d sysfs_scp:dir search; allow mobile_log_d scp_device:chr_file { read open }; #sspm -allow mobile_log_d sysfs_sspm:file { open write }; +#allow mobile_log_d sysfs_sspm:file { open write }; allow mobile_log_d sysfs_sspm:dir search; allow mobile_log_d sspm_device:chr_file { read open }; #data/misc/mblog +typeattribute mobile_log_d data_between_core_and_vendor_violators; allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms }; allow mobile_log_d logmisc_data_file:file create_file_perms; 
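Review bot: `typeattribute mnld data_between_core_and_vendor_violators;` in the mnld.te hunk exempts the whole mnld domain from the core/vendor data-sharing neverallow rules, not only the `system_data_file` rules below it, and nothing in the hunk says which rule needs the exemption or when it can be removed. The attribute is an escape hatch rather than a fix, so each use should be annotated next to the offending rule, e.g. `# TODO(<tracking-id>): drop violator attribute once mnld no longer writes system_data_file` (placeholder id). The same line is added without explanation in most other files of this commit, including the mobile_log_d hunk that follows and core domains such as `system_server` and `vold`, where a domain-wide exemption matters most. Where feasible, moving the data under a vendor-labelled directory removes the need for the attribute altogether.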
diff --git a/non_plat/mpe.te b/non_plat/mpe.te index 84c62d7..ce5f2d9 100644 --- a/non_plat/mpe.te +++ b/non_plat/mpe.te @@ -17,6 +17,8 @@ type MPED_exec, exec_type, file_type, vendor_file_type; init_daemon_domain(MPED) net_domain(MPED) +typeattribute MPED data_between_core_and_vendor_violators; + # Date : WK15.29 # Operation : Feature Developing # Purpose : Setup Connection with GPS for sensor aiding data exchange diff --git a/non_plat/mtk_agpsd.te b/non_plat/mtk_agpsd.te index fa352e8..3c8dec2 100644 --- a/non_plat/mtk_agpsd.te +++ b/non_plat/mtk_agpsd.te @@ -34,6 +34,7 @@ allow mtk_agpsd mnt_user_file:dir create_dir_perms; allow mtk_agpsd tmpfs:lnk_file create_file_perms; allow mtk_agpsd storage_file:lnk_file create_file_perms; allow mtk_agpsd mnt_user_file:lnk_file create_file_perms; +typeattribute mtk_agpsd data_between_core_and_vendor_violators; allow mtk_agpsd media_rw_data_file:dir { search write add_name read open }; allow mtk_agpsd media_rw_data_file:file { create open append read getattr }; diff --git a/non_plat/mtk_hal_audio.te b/non_plat/mtk_hal_audio.te index 867ee6e..0bd4263 100644 --- a/non_plat/mtk_hal_audio.te +++ b/non_plat/mtk_hal_audio.te @@ -47,6 +47,7 @@ allow mtk_hal_audio nvdata_file:dir w_dir_perms; allow mtk_hal_audio nvdata_file:file create_file_perms; allow mtk_hal_audio sdcard_type:dir remove_name; allow mtk_hal_audio sdcard_type:file unlink; +typeattribute mtk_hal_audio data_between_core_and_vendor_violators; allow mtk_hal_audio system_data_file:lnk_file read; # Date : WK14.34 diff --git a/non_plat/mtk_hal_bluetooth.te b/non_plat/mtk_hal_bluetooth.te index cdfd84b..55c221f 100644 --- a/non_plat/mtk_hal_bluetooth.te +++ b/non_plat/mtk_hal_bluetooth.te @@ -34,6 +34,7 @@ userdebug_or_eng(` ') # Logging for backward compatibility +typeattribute mtk_hal_bluetooth data_between_core_and_vendor_violators; allow mtk_hal_bluetooth bluetooth_data_file:dir ra_dir_perms; allow mtk_hal_bluetooth bluetooth_data_file:file create_file_perms; 
diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te index 300abb7..f77df38 100644 --- a/non_plat/mtk_hal_camera.te +++ b/non_plat/mtk_hal_camera.te @@ -29,7 +29,6 @@ vndbinder_use(mtk_hal_camera) allow mtk_hal_camera hwservicemanager_prop:file { open read getattr }; - # ----------------------------------- # Purpose: Allow camerahalserver to perform binder IPC to servers and callbacks. # ----------------------------------- @@ -119,7 +118,6 @@ allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms; allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms; allow mtk_hal_camera CAM_CAL_DRV2_device:chr_file rw_file_perms; - # ----------------------------------- # Purpose: Other device drivers used by camera # ----------------------------------- @@ -127,7 +125,6 @@ allow mtk_hal_camera ion_device:chr_file rw_file_perms; allow mtk_hal_camera sw_sync_device:chr_file getattr; allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms; - # ----------------------------------- # Purpose: Filesystem in Userspace (FUSE) # - sdcard access (buffer dump for EM mode) @@ -135,7 +132,6 @@ allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms; allow mtk_hal_camera fuse:dir { search read write }; allow mtk_hal_camera fuse:file rw_file_perms; - # ----------------------------------- # Purpose: Storage access # ----------------------------------- 
@@ -148,20 +144,16 @@ allow mtk_hal_camera nvram_data_file:file { write getattr setattr read create op allow mtk_hal_camera nvram_device:chr_file rw_file_perms; allow mtk_hal_camera self:netlink_kobject_uevent_socket { create setopt bind }; - ## Date : WK14.XX-15.XX ## sdcard access - dump for debug allow mtk_hal_camera sdcard_type:dir { write add_name create }; allow mtk_hal_camera sdcard_type:file { append create getattr }; - - # ----------------------------------- # Purpose: property access # ----------------------------------- allow mtk_hal_camera mtkcam_prop:file { open read getattr }; - # ----------------------------------- # Android O # Purpose: Shell Debugging @@ -171,7 +163,6 @@ allow mtk_hal_camera mtkcam_prop:file { open read getattr }; allow mtk_hal_camera shell:unix_stream_socket { read write }; allow mtk_hal_camera shell:fifo_file write; - # ----------------------------------- # Android O # Purpose: AEE Debugging @@ -188,7 +179,6 @@ allow mtk_hal_camera dumpstate:fifo_file write; allow mtk_hal_camera aee_exp_data_file:dir { w_dir_perms }; allow mtk_hal_camera aee_exp_data_file:file { create_file_perms }; - # ----------------------------------- # Android O # Purpose: Debugging @@ -196,7 +186,6 @@ allow mtk_hal_camera aee_exp_data_file:file { create_file_perms }; # Purpose: libmemunreachable.so/GetUnreachableMemory() allow mtk_hal_camera self:process { ptrace }; - ################################################################################ # Date : WK14.XX-15.XX # Operation : Copy from Media server @@ -206,7 +195,6 @@ allow mtk_hal_camera nvdata_file:dir { write search add_name }; allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create }; allow mtk_hal_camera proc_meminfo:file { read getattr open }; - ## Purpose : for low SD card latency issue allow mtk_hal_camera sysfs_lowmemorykiller:file { read open }; 
@@ -224,6 +212,7 @@ allow mtk_hal_camera untrusted_app:dir search; allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms; ## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump +typeattribute mtk_hal_camera data_between_core_and_vendor_violators; allow mtk_hal_camera system_data_file:dir write; allow mtk_hal_camera storage_file:lnk_file {read write}; allow mtk_hal_camera mnt_user_file:dir {write read search}; @@ -260,7 +249,6 @@ allow mtk_hal_camera proc_ged:file {open read write ioctl getattr}; ## Purpose: Allow to call hal_graphics_allocator binder. allow mtk_hal_camera system_data_file:lnk_file read; - allow mtk_hal_camera debugfs_tracing:file { write open }; ## Purpose : camera3 IT/CTS diff --git a/non_plat/mtk_hal_power.te b/non_plat/mtk_hal_power.te index 53fe57f..8bb07fa 100644 --- a/non_plat/mtk_hal_power.te +++ b/non_plat/mtk_hal_power.te @@ -29,6 +29,7 @@ allow mtk_hal_power sysfs_devices_system_cpu:file write; allow mtk_hal_power debugfs_ged:dir search; allow mtk_hal_power debugfs_ged:file { getattr open read write }; +typeattribute mtk_hal_power data_between_core_and_vendor_violators; allow mtk_hal_power system_data_file:dir { create write add_name }; # proc_thermal diff --git a/non_plat/mtkbootanimation.te b/non_plat/mtkbootanimation.te index 8082bdd..60b8ace 100644 --- a/non_plat/mtkbootanimation.te +++ b/non_plat/mtkbootanimation.te @@ -5,6 +5,7 @@ # Date : WK14.37 # Operation : Migration # Purpose : for opetator +typeattribute mtkbootanimation data_between_core_and_vendor_violators; allow mtkbootanimation custom_file:dir search; allow mtkbootanimation custom_file:file r_file_perms; allow mtkbootanimation bootani_prop:property_service set; 
@@ -16,12 +17,12 @@ allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow mtkbootanimation proc_ged:file {open read write ioctl getattr}; +#allow mtkbootanimation proc_ged:file {open read write ioctl getattr}; # Date : WK14.31 # Operation : Migration # Purpose : access to sec mem proc interface. -allow mtkbootanimation proc_secmem:file { read open}; +#allow mtkbootanimation proc_secmem:file { read open}; # Date : WK14.36 # Operation : Migration @@ -52,4 +53,4 @@ allow mtkbootanimation guiext-server_service:service_manager find; # Operation : Migration # Purpose : FPSGO integration allow mtkbootanimation proc_perfmgr:dir {search read}; -allow mtkbootanimation proc_perfmgr:file {open read ioctl}; +#allow mtkbootanimation proc_perfmgr:file {open read ioctl}; diff --git a/non_plat/mtkfusionrild.te b/non_plat/mtkfusionrild.te index 62256a4..20561bd 100644 --- a/non_plat/mtkfusionrild.te +++ b/non_plat/mtkfusionrild.te @@ -45,6 +45,7 @@ allow rild bluetooth_efs_file:dir r_dir_perms; # Allow access permission to dir/files # (radio data/system data/proc/etc) +typeattribute rild data_between_core_and_vendor_violators; allow rild radio_data_file:dir rw_dir_perms; allow rild radio_data_file:file create_file_perms; allow rild sdcard_type:dir r_dir_perms; diff --git a/non_plat/mtkrild.te b/non_plat/mtkrild.te index 1e747a7..69d9500 100644 --- a/non_plat/mtkrild.te +++ b/non_plat/mtkrild.te @@ -52,6 +52,7 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms; # Allow access permission to dir/files # (radio data/system data/proc/etc) +typeattribute mtkrild data_between_core_and_vendor_violators; allow mtkrild radio_data_file:dir rw_dir_perms; allow mtkrild radio_data_file:file create_file_perms; allow mtkrild sdcard_type:dir r_dir_perms; diff --git a/non_plat/nvram_agent_binder.te b/non_plat/nvram_agent_binder.te index f9e2378..7b9eed0 100644 --- a/non_plat/nvram_agent_binder.te 
+++ b/non_plat/nvram_agent_binder.te @@ -1,7 +1,6 @@ # ============================================== # Policy File of /vendor/bin/nvram_agent_binder Executable File - # ============================================== # Type Declaration # ============================================== @@ -18,7 +17,6 @@ init_daemon_domain(nvram_agent_binder) # Purpose : ensure nvram user can access nvram file normally. allow nvram_agent_binder nvram_agent_service:service_manager add; - # Date : WK14.43 # Operation : 2rd Selinux Migration # Purpose : the role of nvram_agent_binder is same with nvram_daemon except property_set & exect permission @@ -42,6 +40,7 @@ allow nvram_agent_binder init:unix_stream_socket connectto; allow nvram_agent_binder property_socket:sock_file write; allow nvram_agent_binder sysfs:file write; #allow nvram_agent_binder self:capability { fowner chown dac_override fsetid }; +typeattribute nvram_agent_binder data_between_core_and_vendor_violators; allow nvram_agent_binder system_data_file:dir create_file_perms; # Purpose: for backup @@ -57,7 +56,6 @@ allow nvram_agent_binder mtd_device:chr_file rw_file_perms; #for nvram agent hidl allow nvram_agent_binder hwservicemanager_prop:file r_file_perms; - #for nvram hidl client support allow nvram_agent_binder sysfs:file { read open }; allow nvram_agent_binder system_data_file:lnk_file read; diff --git a/non_plat/nvram_daemon.te b/non_plat/nvram_daemon.te index 069b677..c915dc8 100644 --- a/non_plat/nvram_daemon.te +++ b/non_plat/nvram_daemon.te @@ -70,6 +70,7 @@ allow nvram_daemon proc_lk_env:file rw_file_perms; # Purpose: for workaround # Todo: Remove this policy +typeattribute nvram_daemon data_between_core_and_vendor_violators; allow nvram_daemon system_data_file:dir write; # Purpose: property set diff --git a/non_plat/platform_app.te b/non_plat/platform_app.te index 713a171..f2cbee4 100644 --- a/non_plat/platform_app.te +++ b/non_plat/platform_app.te 
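Review bot: In the nvram_daemon.te hunk the new `typeattribute nvram_daemon data_between_core_and_vendor_violators;` is attached to a rule whose own comment reads `# Todo: Remove this policy`, so the commit adds a neverallow exemption to keep alive a workaround that was already marked for removal. If `allow nvram_daemon system_data_file:dir write;` is still required, the comment should say why and what blocks its removal; if it is not, deleting the rule may avoid the attribute entirely, unless another nvram_daemon rule outside this hunk also depends on it. The nvram_agent_binder.te hunk at `@@ -42,6 +40,7 @@` adds the same attribute ahead of `system_data_file:dir create_file_perms` and has the same gap.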
@@ -72,7 +72,7 @@ allow platform_app aee_aed:unix_stream_socket connectto; # Date : WK17.31 # Operation : O Migration # Purpose : m4u Driver -allow platform_app proc:file r_file_perms; +#allow platform_app proc:file r_file_perms; # Date : WK17.44 # Operation : O Migration diff --git a/non_plat/radio.te b/non_plat/radio.te index 7f24a21..034b530 100644 --- a/non_plat/radio.te +++ b/non_plat/radio.te @@ -160,7 +160,7 @@ allow radio hal_nfc_hwservice:hwservice_manager find; binder_call(radio, hal_nfc) binder_call(hal_nfc, radio) hwbinder_use(radio); -allow radio debugfs_tracing:file write; +#allow radio debugfs_tracing:file write; #hal_client_domain(radio, hal_nfc) typeattribute radio halclientdomain; typeattribute radio hal_nfc_client; diff --git a/non_plat/stp_dump3.te b/non_plat/stp_dump3.te index b366cfe..5262990 100644 --- a/non_plat/stp_dump3.te +++ b/non_plat/stp_dump3.te @@ -25,6 +25,7 @@ file_type_auto_trans(stp_dump3,system_data_file,stp_dump_data_file) allow stp_dump3 self:netlink_socket { read write getattr bind create setopt }; allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt }; #allow stp_dump3 media_rw_data_file:sock_file { write create unlink setattr }; +typeattribute stp_dump3 data_between_core_and_vendor_violators; allow stp_dump3 media_rw_data_file:dir { add_name setattr }; allow stp_dump3 media_rw_data_file:dir rmdir; allow stp_dump3 media_rw_data_file:dir { open read write create setattr getattr add_name remove_name search}; diff --git a/non_plat/surfaceflinger.te b/non_plat/surfaceflinger.te index a1e8a5f..c711ff9 100644 --- a/non_plat/surfaceflinger.te +++ b/non_plat/surfaceflinger.te @@ -10,7 +10,7 @@ allow surfaceflinger debug_prop:property_service set; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow surfaceflinger proc_ged:file {open read write ioctl getattr}; +#allow surfaceflinger proc_ged:file {open read write ioctl getattr}; # Date : W16.42 # Operation : Integration 
@@ -20,16 +20,16 @@ allow surfaceflinger gpu_device:dir search; # Date : WK17.12 # Purpose: Fix bootup fail -allow surfaceflinger proc:file r_file_perms; +#allow surfaceflinger proc:file r_file_perms; #============= surfaceflinger ============== allow surfaceflinger debugfs_ion:dir search; #============= surfaceflinger ============== -allow surfaceflinger debugfs_tracing:file write; +#allow surfaceflinger debugfs_tracing:file write; #============= surfaceflinger ============== -allow surfaceflinger debugfs_tracing:file open; +#allow surfaceflinger debugfs_tracing:file open; # Date : WK17.30 # Operation : O Migration @@ -56,7 +56,7 @@ allow surfaceflinger mtkbootanimation:file { read getattr open }; # Operation : Migration # Purpose: Allow to access perfmgr allow surfaceflinger proc_perfmgr:dir {read search}; -allow surfaceflinger proc_perfmgr:file {open read ioctl}; +#allow surfaceflinger proc_perfmgr:file {open read ioctl}; # Date : WK17.43 # Operation : Debug diff --git a/non_plat/system_server.te b/non_plat/system_server.te index 4cac41f..0ff426a 100644 --- a/non_plat/system_server.te +++ b/non_plat/system_server.te @@ -14,9 +14,10 @@ allow system_server wmtWifi_device:chr_file w_file_perms; #allow system_server gps_data_file:dir rw_dir_perms; # /proc access. -allow system_server proc:file w_file_perms; +#allow system_server proc:file w_file_perms; # /data/dontpanic access. +typeattribute system_server data_between_core_and_vendor_violators; allow system_server dontpanic_data_file:dir search; # /data/agps_supl access. @@ -35,7 +36,7 @@ allow system_server zygote:binder impersonate; allow system_server ctl_bootanim_prop:property_service set; # After connected to DHCPv6, enabled 6to4 IPv6 AP to get property. -allow system_server proc_net:file w_file_perms; +#allow system_server proc_net:file w_file_perms; r_dir_file(system_server, wide_dhcpv6_data_file) # For dumpsys. 
@@ -72,7 +73,7 @@ allow system_server sysfs_dcm:file rw_file_perms; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow system_server proc_ged:file {open read write ioctl getattr}; +#allow system_server proc_ged:file {open read write ioctl getattr}; # Date : WK16.36 # Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW @@ -106,7 +107,7 @@ allow system_server ttyMT_device:chr_file rw_file_perms; # Operation : thermal hal Feature developing # Purpose : thermal hal interface permission allow system_server proc_mtktz:dir search; -allow system_server proc_mtktz:file r_file_perms; +#allow system_server proc_mtktz:file r_file_perms; # Date : WK16.46 # Operation: PowerManager set persist.meta.connecttype property @@ -204,7 +205,6 @@ allow system_server dhcp_data_file:file create_file_perms; # Purpose : lbs hidl interface permission hal_client_domain(system_server, mtk_hal_lbs) - # Date : WK17.12 # Operation : MT6799 SQC # Purpose : Change thermal config @@ -215,4 +215,4 @@ allow system_server mtk_thermal_config_prop:property_service set; # Operation : Migration # Purpose : perfmgr permission allow system_server proc_perfmgr:dir {read search}; -allow system_server proc_perfmgr:file {open read ioctl}; +#allow system_server proc_perfmgr:file {open read ioctl}; diff --git a/non_plat/thermal_manager.te b/non_plat/thermal_manager.te index d373baa..f28166e 100644 --- a/non_plat/thermal_manager.te +++ b/non_plat/thermal_manager.te @@ -18,6 +18,7 @@ allow thermal_manager proc_thermal:dir search; allow thermal_manager proc_mtkcooler:file rw_file_perms; allow thermal_manager proc_mtktz:file rw_file_perms; allow thermal_manager proc_thermal:file rw_file_perms; +typeattribute thermal_manager data_between_core_and_vendor_violators; allow thermal_manager system_data_file:dir { write add_name }; #allow thermal_manager self:capability { fowner chown fsetid dac_override }; 
@@ -32,7 +33,6 @@ allow thermal_manager mediaserver:fifo_file { read write }; #allow thermal_manager pq:fd use; allow thermal_manager mediaserver:tcp_socket { read write }; - # Date : WK16.30 # Operation : Migration # Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow) diff --git a/non_plat/untrusted_app.te b/non_plat/untrusted_app.te index 7db6850..110653d 100644 --- a/non_plat/untrusted_app.te +++ b/non_plat/untrusted_app.te @@ -37,7 +37,9 @@ allow untrusted_app_25 sysfs_therm:file { getattr open read }; # Operation: Development RenderScript opt # Purpose : Allow RenderScript Opt RS2CL to invoke standalone executable # properly for thermal tests at OEM/ODM. +typeattribute untrusted_app_25 system_executes_vendor_violators; allow untrusted_app_25 vendor_file:file execute_no_trans; +typeattribute untrusted_app system_executes_vendor_violators; allow untrusted_app vendor_file:file execute_no_trans; # Date : WK17.39 diff --git a/non_plat/vold.te b/non_plat/vold.te index 4d10d6e..d01a5d1 100644 --- a/non_plat/vold.te +++ b/non_plat/vold.te @@ -12,6 +12,7 @@ allow vold iso9660:filesystem unmount; # Date : WK16.19 # Operation : Migration # Purpose : dotrim for the mountpoints in fstab +typeattribute vold data_between_core_and_vendor_violators; allow vold nvdata_file:dir r_dir_perms; allow vold protect_f_data_file:dir r_dir_perms; allow vold protect_s_data_file:dir r_dir_perms; diff --git a/non_plat/zygote.te b/non_plat/zygote.te index 5147cde..3f71f0b 100644 --- a/non_plat/zygote.te +++ b/non_plat/zygote.te @@ -4,7 +4,7 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow zygote proc_ged:file {open read write ioctl getattr}; +#allow zygote proc_ged:file {open read write ioctl getattr}; # Date : WK17.02 # Purpose: Allow to access gpu for memtrack functions diff --git a/plat_private/aee_aed.te b/plat_private/aee_aed.te index 94481d1..b6b3b2b 100644 --- a/plat_private/aee_aed.te +++ b/plat_private/aee_aed.te 
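Review bot: The untrusted_app.te hunk tags both `untrusted_app_25` and `untrusted_app` with `system_executes_vendor_violators` so that the existing `allow … vendor_file:file execute_no_trans;` rules keep building, which leaves every third-party app able to run any file labelled `vendor_file` inside its own domain and additionally exempts those domains from the neverallow that guards this boundary. The comment ties the rules to a single RenderScript helper used for thermal tests at OEM/ODM, so the grant is far wider than its stated purpose. A narrower form would give that one executable its own type and allow only it, e.g. `allow untrusted_app <rs2cl_exec_type>:file execute_no_trans;` (placeholder type), so the exemption covers one binary rather than everything under `vendor_file`. If the helper is test-only, wrapping the rules and the attributes in `userdebug_or_eng(...)` would keep them out of user builds.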
@@ -100,13 +100,13 @@ allow aee_aed dumpstate:unix_stream_socket { read write ioctl }; allow aee_aed dumpstate:dir search; allow aee_aed dumpstate:file r_file_perms; -allow aee_aed proc:file rw_file_perms; +#allow aee_aed proc:file rw_file_perms; allow aee_aed logdr_socket:sock_file write; allow aee_aed logd:unix_stream_socket connectto; # allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule # vibrator -allow aee_aed sysfs_vibrator:file w_file_perms; +#allow aee_aed sysfs_vibrator:file w_file_perms; # Data : 2017/03/22 # Operation : add NE flow rule for Android O @@ -133,4 +133,4 @@ allow aee_aed crash_dump:file r_file_perms; # [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read } # for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0 # tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 -allow aee_aed sysfs:file r_file_perms; +#allow aee_aed sysfs:file r_file_perms; diff --git a/plat_private/audiocmdservice_atci.te b/plat_private/audiocmdservice_atci.te index cf24268..64ef12f 100644 --- a/plat_private/audiocmdservice_atci.te +++ b/plat_private/audiocmdservice_atci.te @@ -24,7 +24,6 @@ binder_call(audiocmdservice_atci, audioserver) allow audiocmdservice_atci audioserver:dir w_dir_perms; allow audiocmdservice_atci audioserver_service:service_manager find; - # Access to fuse file system allow audiocmdservice_atci sdcard_type:file create_file_perms; allow audiocmdservice_atci sdcard_type:dir w_dir_perms; @@ -33,8 +32,6 @@ allow audiocmdservice_atci sdcard_type:dir w_dir_perms; allow audiocmdservice_atci media_rw_data_file:dir create_dir_perms; allow audiocmdservice_atci media_rw_data_file:file create_file_perms; - - #To access the file at /dev/kmsg allow audiocmdservice_atci kmsg_device:chr_file w_file_perms; 
@@ -48,4 +45,4 @@ allow radio audiocmdservice_atci_exec:file getattr; #Android O porting hwbinder_use(audiocmdservice_atci) get_prop(audiocmdservice_atci, hwservicemanager_prop); -allow audiocmdservice_atci debugfs_tracing:file rw_file_perms; +#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms; diff --git a/plat_private/boot_logo_updater.te b/plat_private/boot_logo_updater.te index 3217a1c..18c6272 100644 --- a/plat_private/boot_logo_updater.te +++ b/plat_private/boot_logo_updater.te @@ -23,7 +23,7 @@ allow boot_logo_updater init:unix_stream_socket connectto; allow boot_logo_updater property_socket:sock_file write; #allow boot_logo_updater self:capability dac_override; # To access some boot_mode infornation -allow boot_logo_updater sysfs:file rw_file_perms; +#allow boot_logo_updater sysfs:file rw_file_perms; # To access directory /dev/block/mmcblk0 or /dev/block/sdc allow boot_logo_updater block_device:dir search; allow boot_logo_updater graphics_device:dir search; @@ -40,10 +40,10 @@ allow boot_logo_updater sysfs:dir read; # sanity fail for ALPS03604686: # for path="/sys/firmware/devicetree/base/firmware/android/fstab" andfor name = "cmdline" and "mtdblock14" allow boot_logo_updater mtd_device:blk_file read; -allow boot_logo_updater proc:file read; +#allow boot_logo_updater proc:file read; allow boot_logo_updater sysfs:dir open; # for path="/proc/cmdline and ="/dev/block/mtdblock14" -allow boot_logo_updater proc:file open; +#allow boot_logo_updater proc:file open; allow boot_logo_updater system_data_file:dir write; allow boot_logo_updater mtd_device:blk_file open; diff --git a/plat_private/bootanim.te b/plat_private/bootanim.te index 652485f..ff07c9e 100644 --- a/plat_private/bootanim.te +++ b/plat_private/bootanim.te 
@@ -42,10 +42,8 @@ allow bootanim surfaceflinger:fifo_file rw_file_perms; allow bootanim gpu_device:dir search; - +#============= bootanim ============== +#allow bootanim debugfs_tracing:file write; #============= bootanim ============== -allow bootanim debugfs_tracing:file write; - -#============= bootanim ============== -allow bootanim debugfs_tracing:file open; +#allow bootanim debugfs_tracing:file open; diff --git a/plat_private/cmddumper.te b/plat_private/cmddumper.te index a6a4d69..e1d8f6a 100644 --- a/plat_private/cmddumper.te +++ b/plat_private/cmddumper.te @@ -38,4 +38,5 @@ allow cmddumper media_rw_data_file:dir { create_dir_perms }; allow cmddumper file_contexts_file:file { read getattr open }; # purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode -allow cmddumper sysfs:file { read open }; \ No newline at end of file +#allow cmddumper sysfs:file { read open }; + diff --git a/plat_private/drmserver.te b/plat_private/drmserver.te index fda42f1..7c727e8 100644 --- a/plat_private/drmserver.te +++ b/plat_private/drmserver.te @@ -3,4 +3,4 @@ # ====================== # =======drmserver====== -allow drmserver sysfs:file { read open }; +#allow drmserver sysfs:file { read open }; diff --git a/plat_private/dumpstate.te b/plat_private/dumpstate.te index 0c05881..b4a6819 100644 --- a/plat_private/dumpstate.te +++ b/plat_private/dumpstate.te @@ -14,7 +14,7 @@ allow dumpstate mnt_user_file:lnk_file read; allow dumpstate storage_file:lnk_file read; # Purpose: timer_intval. this is neverallow -allow dumpstate sysfs:file r_file_perms; +#allow dumpstate sysfs:file r_file_perms; allow dumpstate app_data_file:dir search; allow dumpstate kmsg_device:chr_file r_file_perms; diff --git a/plat_private/em_svr.te b/plat_private/em_svr.te index 7f7fa41..9456f8c 100644 --- a/plat_private/em_svr.te +++ b/plat_private/em_svr.te 
@@ -1,7 +1,6 @@ # ============================================== # Policy File of /system/bin/em_svr Executable File - # ============================================== # Type Declaration # ============================================== @@ -26,8 +25,8 @@ init_daemon_domain(em_svr) # Date: W14.38 2014/09/17 # Operation : Migration # Purpose : for em_svr -allow em_svr proc:file write; -allow em_svr sysfs:file write; +#allow em_svr proc:file write; +#allow em_svr sysfs:file write; allow em_svr shell_exec:file { read execute open getattr execute_no_trans }; allow em_svr system_file:file execute_no_trans; allow em_svr block_device:dir search; @@ -35,7 +34,7 @@ allow em_svr graphics_device:chr_file { read write open ioctl}; allow em_svr graphics_device:dir search; allow em_svr radio_data_file:dir { search write add_name create }; allow em_svr radio_data_file:file { create write open read }; -allow em_svr sysfs_devices_system_cpu:file write; +#allow em_svr sysfs_devices_system_cpu:file write; #allow em_svr self:capability { dac_override sys_nice fowner chown fsetid }; allow em_svr self:process execmem; allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open }; @@ -43,7 +42,6 @@ allow em_svr kernel:system module_request; allow em_svr sdcard_type:dir create_dir_perms; allow em_svr sdcard_type:file create_file_perms; - # Date: 2015/08/09 # Operation : M Migration # Purpose : set policy for surfaceflinger_service @@ -63,8 +61,8 @@ binder_call(em_svr, surfaceflinger) # Purpose : add policy for desense/Power/Memory access system file allow em_svr toolbox_exec:file { getattr execute read open execute_no_trans }; allow em_svr vendor_toolbox_exec:file { getattr }; -allow em_svr proc:file { open read }; -allow em_svr sysfs:file { read }; +#allow em_svr proc:file { open read }; +#allow em_svr sysfs:file { read }; # Date: 2017/07/19 # Operation : O Migration 
@@ -76,13 +74,12 @@ allow em_svr system_data_file:lnk_file { read }; # Purpose : add policy for system data file access allow em_svr system_data_file:file open; - # Date: 2017/07/13 # Operation: O Migration # Purpose: add policy for backlight file access allow em_svr sysfs_leds:dir search; allow em_svr sysfs_leds:lnk_file read; -allow em_svr sysfs:file open; +#allow em_svr sysfs:file open; # Date: WK1742 # Purpose: add em_svr to access md log filter in sdcard diff --git a/plat_private/emdlogger.te b/plat_private/emdlogger.te index 55d3f2e..e8a9391 100755 --- a/plat_private/emdlogger.te +++ b/plat_private/emdlogger.te @@ -49,7 +49,7 @@ allow emdlogger storage_file:file { create_file_perms }; #permission for read boot mode #avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" -allow emdlogger sysfs:file { read open }; +#allow emdlogger sysfs:file { read open }; # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 # scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 diff --git a/plat_private/factory.te b/plat_private/factory.te index dfd738f..a2a5a9d 100644 --- a/plat_private/factory.te +++ b/plat_private/factory.te @@ -12,7 +12,6 @@ typeattribute factory coredomain; # ============================================== init_daemon_domain(factory) - allow factory property_socket:sock_file write; allow factory init:unix_stream_socket connectto; allow factory kernel:system module_request; 
@@ -24,7 +23,7 @@ allow factory sdcard_type:dir r_dir_perms; ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te #allow factory self:netlink_route_socket create_socket_perms; allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write }; -allow factory proc_net:file { read getattr open }; +#allow factory proc_net:file { read getattr open }; allowxperm factory self:udp_socket ioctl priv_sock_ioctls; allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID}; @@ -32,7 +31,7 @@ allow factory self:process execmem; allow factory self:tcp_socket create_stream_socket_perms; allow factory self:udp_socket create_socket_perms; -allow factory sysfs_wake_lock:file rw_file_perms; +#allow factory sysfs_wake_lock:file rw_file_perms; allow factory system_data_file:dir w_dir_perms; allow factory system_data_file:sock_file create_file_perms; allow factory system_file:file x_file_perms; diff --git a/plat_private/kisd.te b/plat_private/kisd.te index 32d8f1c..68c04a5 100644 --- a/plat_private/kisd.te +++ b/plat_private/kisd.te @@ -16,6 +16,7 @@ typeattribute kisd coredomain; init_daemon_domain(kisd) allow kisd tee_device:chr_file {read write open ioctl}; +typeattribute kisd data_between_core_and_vendor_violators; allow kisd provision_file:dir {read write open ioctl add_name search remove_name}; allow kisd provision_file:file {create read write open getattr unlink}; allow kisd system_file:file {execute_no_trans}; diff --git a/plat_private/mdlogger.te b/plat_private/mdlogger.te index 282fc6b..cc6eeea 100644 --- a/plat_private/mdlogger.te +++ b/plat_private/mdlogger.te 
@@ -48,7 +48,7 @@ allow mdlogger file_contexts_file:file { read getattr open }; #permission for read boot mode #avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" -allow mdlogger sysfs:file { read open }; +#allow mdlogger sysfs:file { read open }; # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 # scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 diff --git a/plat_private/meta_tst.te b/plat_private/meta_tst.te index f4da912..7c4ecc1 100644 --- a/plat_private/meta_tst.te +++ b/plat_private/meta_tst.te @@ -26,7 +26,7 @@ allow meta_tst self:tcp_socket { create connect setopt bind }; allow meta_tst self:tcp_socket { bind setopt listen accept read write }; allow meta_tst self:udp_socket { create ioctl }; allow meta_tst self:capability { sys_boot ipc_lock }; -allow meta_tst sysfs_wake_lock:file rw_file_perms; +#allow meta_tst sysfs_wake_lock:file rw_file_perms; #allow meta_tst sysfs:file write; allow meta_tst property_socket:sock_file w_file_perms; #allow meta_tst vold_socket:sock_file w_file_perms; diff --git a/plat_private/mobile_log_d.te b/plat_private/mobile_log_d.te index 9a38913..987e9a6 100644 --- a/plat_private/mobile_log_d.te +++ b/plat_private/mobile_log_d.te @@ -60,10 +60,10 @@ allow mobile_log_d mmc_prop:file { getattr open }; allow mobile_log_d safemode_prop:file { getattr open }; #proc/ access -allow mobile_log_d proc:file r_file_perms; +#allow mobile_log_d proc:file r_file_perms; # boot_mdoe file access -allow mobile_log_d sysfs:file { open read }; +#allow mobile_log_d sysfs:file { open read }; # purpose: allow MobileLog to access storage in N version allow mobile_log_d media_rw_data_file:file create_file_perms; 
@@ -71,6 +71,6 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms; # access debugfs/tracing/instances/ allow mobile_log_d debugfs_tracing:dir create_dir_perms; -allow mobile_log_d debugfs_tracing:file create_file_perms; +#allow mobile_log_d debugfs_tracing:file create_file_perms; allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms; -allow mobile_log_d debugfs_tracing_instances:file create_file_perms; +#allow mobile_log_d debugfs_tracing_instances:file create_file_perms; diff --git a/plat_private/mtkbootanimation.te b/plat_private/mtkbootanimation.te index 529b3ef..e2ea4a8 100644 --- a/plat_private/mtkbootanimation.te +++ b/plat_private/mtkbootanimation.te @@ -39,9 +39,9 @@ allow mtkbootanimation hal_graphics_allocator:fd use; allow mtkbootanimation hal_graphics_composer:fd use; # Read access to pseudo filesystems. -r_dir_file(mtkbootanimation, proc) -allow mtkbootanimation proc_meminfo:file r_file_perms; -r_dir_file(mtkbootanimation, sysfs) +#r_dir_file(mtkbootanimation, proc) +#allow mtkbootanimation proc_meminfo:file r_file_perms; +#r_dir_file(mtkbootanimation, sysfs) r_dir_file(mtkbootanimation, cgroup) # System file accesses. @@ -89,7 +89,7 @@ allow mtkbootanimation gpu_device:dir search; #============= bootanim ============== -allow mtkbootanimation debugfs_tracing:file write; +#allow mtkbootanimation debugfs_tracing:file write; #============= bootanim ============== -allow mtkbootanimation debugfs_tracing:file open; +#allow mtkbootanimation debugfs_tracing:file open; diff --git a/plat_private/thermalindicator.te b/plat_private/thermalindicator.te index b5f496b..8a9131d 100644 --- a/plat_private/thermalindicator.te +++ b/plat_private/thermalindicator.te 
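Review bot: Only the `:file` rules are disabled here; `debugfs_tracing:dir` and `debugfs_tracing_instances:dir` keep `create_dir_perms`. mobile_log_d may therefore still create and remove directories under the tracing tree while being unable to open any file in them. If tracing access is being withdrawn, drop the two `:dir` rules as well or reduce them to `r_dir_perms`. If it is not, the file access needs a narrower replacement rather than a commented-out line. The prebuilts/api/26.0 copy of mobile_log_d.te has the same asymmetry.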
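Review bot: `allow mtkbootanimation proc_meminfo:file r_file_perms;` is disabled together with the two broad grants `r_dir_file(mtkbootanimation, proc)` and `r_dir_file(mtkbootanimation, sysfs)`, although it targets one narrow type rather than a whole pseudo filesystem. The hunk gives no reason, so it is unclear whether this was intended or swept up with its neighbours. If the boot animation still reads /proc/meminfo, that one rule can stay. In either case the heading `# Read access to pseudo filesystems.` now describes only the cgroup line and should be reworded.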
@@ -31,7 +31,7 @@ allow servicemanager thermalindicator:process { getattr }; typeattribute thermalindicator mlstrustedsubject; allow thermalindicator proc:dir {search getattr}; -allow thermalindicator proc:file read; +#allow thermalindicator proc:file read; allow thermalindicator shell:dir search; allow thermalindicator platform_app:dir search; allow thermalindicator platform_app:file {open read getattr}; diff --git a/plat_private/vold.te b/plat_private/vold.te index e729da9..4ae70b9 100644 --- a/plat_private/vold.te +++ b/plat_private/vold.te @@ -5,4 +5,4 @@ # volume manager #============= vold ============== -allow vold debugfs_tracing:file write; +#allow vold debugfs_tracing:file write; diff --git a/prebuilts/api/26.0/plat_private/aee_aed.te b/prebuilts/api/26.0/plat_private/aee_aed.te index 64591a5..00cf482 100755 --- a/prebuilts/api/26.0/plat_private/aee_aed.te +++ b/prebuilts/api/26.0/plat_private/aee_aed.te @@ -100,13 +100,13 @@ allow aee_aed dumpstate:unix_stream_socket { read write ioctl }; allow aee_aed dumpstate:dir search; allow aee_aed dumpstate:file r_file_perms; -allow aee_aed proc:file rw_file_perms; +#allow aee_aed proc:file rw_file_perms; allow aee_aed logdr_socket:sock_file write; allow aee_aed logd:unix_stream_socket connectto; # allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule # vibrator -allow aee_aed sysfs_vibrator:file w_file_perms; +#allow aee_aed sysfs_vibrator:file w_file_perms; # Data : 2017/03/22 # Operation : add NE flow rule for Android O @@ -133,4 +133,4 @@ allow aee_aed crash_dump:file r_file_perms; # [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read } # for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0 # tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 -allow aee_aed sysfs:file r_file_perms; +#allow aee_aed sysfs:file r_file_perms; 
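Review bot: This hunk and the ones after it edit files under `prebuilts/api/26.0/`, and several repeat changes made to the live `plat_private/` files (factory, kisd, mdlogger, meta_tst, mobile_log_d, thermalindicator, vold). If that directory is meant to be the frozen 26.0 snapshot used for compatibility checking, rewriting it moves the baseline and loses the record of what 26.0 shipped. If the build instead requires the two trees to stay identical, one line in the commit description saying so would make the duplication reviewable. Nothing in the hunks shows which is the case.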
diff --git a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te index abf9061..19f37e1 100755 --- a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te +++ b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te @@ -49,4 +49,4 @@ allow radio audiocmdservice_atci_exec:file getattr; #Android O porting hwbinder_use(audiocmdservice_atci) get_prop(audiocmdservice_atci, hwservicemanager_prop); -allow audiocmdservice_atci debugfs_tracing:file rw_file_perms; +#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms; diff --git a/prebuilts/api/26.0/plat_private/boot_logo_updater.te b/prebuilts/api/26.0/plat_private/boot_logo_updater.te index 62e63fa..52c38f0 100755 --- a/prebuilts/api/26.0/plat_private/boot_logo_updater.te +++ b/prebuilts/api/26.0/plat_private/boot_logo_updater.te @@ -23,7 +23,7 @@ allow boot_logo_updater init:unix_stream_socket connectto; allow boot_logo_updater property_socket:sock_file write; #allow boot_logo_updater self:capability dac_override; # To access some boot_mode infornation -allow boot_logo_updater sysfs:file rw_file_perms; +#allow boot_logo_updater sysfs:file rw_file_perms; # To access directory /dev/block/mmcblk0 or /dev/block/sdc allow boot_logo_updater block_device:dir search; allow boot_logo_updater graphics_device:dir search; diff --git a/prebuilts/api/26.0/plat_private/bootanim.te b/prebuilts/api/26.0/plat_private/bootanim.te index 19a10b7..edad4f0 100755 --- a/prebuilts/api/26.0/plat_private/bootanim.te +++ b/prebuilts/api/26.0/plat_private/bootanim.te @@ -44,7 +44,7 @@ allow bootanim gpu_device:dir search; #============= bootanim ============== -allow bootanim debugfs_tracing:file write; +#allow bootanim debugfs_tracing:file write; #============= bootanim ============== -allow bootanim debugfs_tracing:file open; +#allow bootanim debugfs_tracing:file open; 
diff --git a/prebuilts/api/26.0/plat_private/cmddumper.te b/prebuilts/api/26.0/plat_private/cmddumper.te index a6a4d69..7ae391a 100755 --- a/prebuilts/api/26.0/plat_private/cmddumper.te +++ b/prebuilts/api/26.0/plat_private/cmddumper.te @@ -38,4 +38,4 @@ allow cmddumper media_rw_data_file:dir { create_dir_perms }; allow cmddumper file_contexts_file:file { read getattr open }; # purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode -allow cmddumper sysfs:file { read open }; \ No newline at end of file +#allow cmddumper sysfs:file { read open }; \ No newline at end of file diff --git a/prebuilts/api/26.0/plat_private/drmserver.te b/prebuilts/api/26.0/plat_private/drmserver.te index fda42f1..7c727e8 100755 --- a/prebuilts/api/26.0/plat_private/drmserver.te +++ b/prebuilts/api/26.0/plat_private/drmserver.te @@ -3,4 +3,4 @@ # ====================== # =======drmserver====== -allow drmserver sysfs:file { read open }; +#allow drmserver sysfs:file { read open }; diff --git a/prebuilts/api/26.0/plat_private/dumpstate.te b/prebuilts/api/26.0/plat_private/dumpstate.te index 69cf7c9..e7f4b0a 100755 --- a/prebuilts/api/26.0/plat_private/dumpstate.te +++ b/prebuilts/api/26.0/plat_private/dumpstate.te @@ -14,7 +14,7 @@ allow dumpstate mnt_user_file:lnk_file read; allow dumpstate storage_file:lnk_file read; # Purpose: timer_intval. this is neverallow -allow dumpstate sysfs:file r_file_perms; +#allow dumpstate sysfs:file r_file_perms; allow dumpstate app_data_file:dir search; allow dumpstate kmsg_device:chr_file r_file_perms; diff --git a/prebuilts/api/26.0/plat_private/em_svr.te b/prebuilts/api/26.0/plat_private/em_svr.te index 460e33a..b3fffcb 100755 --- a/prebuilts/api/26.0/plat_private/em_svr.te +++ b/prebuilts/api/26.0/plat_private/em_svr.te 
@@ -26,8 +26,8 @@ init_daemon_domain(em_svr) # Date: W14.38 2014/09/17 # Operation : Migration # Purpose : for em_svr -allow em_svr proc:file write; -allow em_svr sysfs:file write; +#allow em_svr proc:file write; +#allow em_svr sysfs:file write; allow em_svr shell_exec:file { read execute open getattr execute_no_trans }; allow em_svr system_file:file execute_no_trans; allow em_svr block_device:dir search; @@ -35,7 +35,7 @@ allow em_svr graphics_device:chr_file { read write open ioctl}; allow em_svr graphics_device:dir search; allow em_svr radio_data_file:dir { search write add_name create }; allow em_svr radio_data_file:file { create write open read }; -allow em_svr sysfs_devices_system_cpu:file write; +#allow em_svr sysfs_devices_system_cpu:file write; #allow em_svr self:capability { dac_override sys_nice fowner chown fsetid }; allow em_svr self:process execmem; allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open }; @@ -63,8 +63,8 @@ binder_call(em_svr, surfaceflinger) # Purpose : add policy for desense/Power/Memory access system file allow em_svr toolbox_exec:file { getattr execute read open execute_no_trans }; allow em_svr vendor_toolbox_exec:file { getattr }; -allow em_svr proc:file { open read }; -allow em_svr sysfs:file { read }; +#allow em_svr proc:file { open read }; +#allow em_svr sysfs:file { read }; # Date: 2017/07/19 # Operation : O Migration @@ -81,5 +81,5 @@ allow em_svr system_data_file:file open; # Purpose: add policy for backlight file access allow em_svr sysfs_leds:dir search; allow em_svr sysfs_leds:lnk_file read; -allow em_svr sysfs:file open; +#allow em_svr sysfs:file open; diff --git a/prebuilts/api/26.0/plat_private/emdlogger.te b/prebuilts/api/26.0/plat_private/emdlogger.te index 5603c9e..92facb8 100755 --- a/prebuilts/api/26.0/plat_private/emdlogger.te +++ b/prebuilts/api/26.0/plat_private/emdlogger.te 
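Review bot: In the last em_svr hunk, disabling `sysfs:file open` leaves the backlight block with `sysfs_leds:dir search` and `sysfs_leds:lnk_file read` but no file permission at all. em_svr can then traverse to the node and still cannot open it. If backlight access is still wanted, move the grant to the labelled type, e.g. `allow em_svr sysfs_leds:file { open read };`, adjusted to what the tool actually does and assuming the backlight node carries that label (the hunk does not show it). If it is not wanted, remove the two traversal rules as well, so that the `# Purpose: add policy for backlight file access` block does not survive as a half-grant.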
@@ -49,7 +49,7 @@ allow emdlogger storage_file:file { create_file_perms }; #permission for read boot mode #avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" -allow emdlogger sysfs:file { read open }; +#allow emdlogger sysfs:file { read open }; # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 # scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 diff --git a/prebuilts/api/26.0/plat_private/factory.te b/prebuilts/api/26.0/plat_private/factory.te index ca25c0a..2365e93 100755 --- a/prebuilts/api/26.0/plat_private/factory.te +++ b/prebuilts/api/26.0/plat_private/factory.te @@ -24,7 +24,7 @@ allow factory sdcard_type:dir r_dir_perms; ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te #allow factory self:netlink_route_socket create_socket_perms; allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write }; -allow factory proc_net:file { read getattr open }; +#allow factory proc_net:file { read getattr open }; allowxperm factory self:udp_socket ioctl priv_sock_ioctls; allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID}; @@ -32,7 +32,7 @@ allow factory self:process execmem; allow factory self:tcp_socket create_stream_socket_perms; allow factory self:udp_socket create_socket_perms; -allow factory sysfs_wake_lock:file rw_file_perms; +#allow factory sysfs_wake_lock:file rw_file_perms; allow factory system_data_file:dir w_dir_perms; allow factory system_data_file:sock_file create_file_perms; allow factory system_file:file x_file_perms; diff --git a/prebuilts/api/26.0/plat_private/kisd.te b/prebuilts/api/26.0/plat_private/kisd.te index c952116..856859b 100755 --- a/prebuilts/api/26.0/plat_private/kisd.te +++ b/prebuilts/api/26.0/plat_private/kisd.te 
@@ -16,6 +16,7 @@ typeattribute kisd coredomain; init_daemon_domain(kisd) allow kisd tee_device:chr_file {read write open ioctl}; +typeattribute kisd data_between_core_and_vendor_violators; allow kisd provision_file:dir {read write open ioctl add_name search remove_name}; allow kisd provision_file:file {create read write open getattr unlink}; allow kisd system_file:file {execute_no_trans}; diff --git a/prebuilts/api/26.0/plat_private/mdlogger.te b/prebuilts/api/26.0/plat_private/mdlogger.te index b9cebbd..7a27110 100755 --- a/prebuilts/api/26.0/plat_private/mdlogger.te +++ b/prebuilts/api/26.0/plat_private/mdlogger.te @@ -47,7 +47,7 @@ allow mdlogger file_contexts_file:file { read getattr open }; #permission for read boot mode #avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" -allow mdlogger sysfs:file { read open }; +#allow mdlogger sysfs:file { read open }; # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 # scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 diff --git a/prebuilts/api/26.0/plat_private/meta_tst.te b/prebuilts/api/26.0/plat_private/meta_tst.te index f4da912..7c4ecc1 100755 --- a/prebuilts/api/26.0/plat_private/meta_tst.te +++ b/prebuilts/api/26.0/plat_private/meta_tst.te @@ -26,7 +26,7 @@ allow meta_tst self:tcp_socket { create connect setopt bind }; allow meta_tst self:tcp_socket { bind setopt listen accept read write }; allow meta_tst self:udp_socket { create ioctl }; allow meta_tst self:capability { sys_boot ipc_lock }; -allow meta_tst sysfs_wake_lock:file rw_file_perms; +#allow meta_tst sysfs_wake_lock:file rw_file_perms; #allow meta_tst sysfs:file write; allow meta_tst property_socket:sock_file w_file_perms; #allow meta_tst vold_socket:sock_file w_file_perms; diff --git a/prebuilts/api/26.0/plat_private/mobile_log_d.te b/prebuilts/api/26.0/plat_private/mobile_log_d.te index 9a38913..987e9a6 100755 
--- a/prebuilts/api/26.0/plat_private/mobile_log_d.te +++ b/prebuilts/api/26.0/plat_private/mobile_log_d.te @@ -60,10 +60,10 @@ allow mobile_log_d mmc_prop:file { getattr open }; allow mobile_log_d safemode_prop:file { getattr open }; #proc/ access -allow mobile_log_d proc:file r_file_perms; +#allow mobile_log_d proc:file r_file_perms; # boot_mdoe file access -allow mobile_log_d sysfs:file { open read }; +#allow mobile_log_d sysfs:file { open read }; # purpose: allow MobileLog to access storage in N version allow mobile_log_d media_rw_data_file:file create_file_perms; @@ -71,6 +71,6 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms; # access debugfs/tracing/instances/ allow mobile_log_d debugfs_tracing:dir create_dir_perms; -allow mobile_log_d debugfs_tracing:file create_file_perms; +#allow mobile_log_d debugfs_tracing:file create_file_perms; allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms; -allow mobile_log_d debugfs_tracing_instances:file create_file_perms; +#allow mobile_log_d debugfs_tracing_instances:file create_file_perms; diff --git a/prebuilts/api/26.0/plat_private/system_server.te b/prebuilts/api/26.0/plat_private/system_server.te index 7a5ffc1..dbf4d77 100755 --- a/prebuilts/api/26.0/plat_private/system_server.te +++ b/prebuilts/api/26.0/plat_private/system_server.te @@ -6,7 +6,7 @@ allow system_server zygote:binder impersonate; # Property service. allow system_server ctl_bootanim_prop:property_service set; # After connected to DHCPv6, enabled 6to4 IPv6 AP to get property. -allow system_server proc_net:file w_file_perms; +#allow system_server proc_net:file w_file_perms; # Querying zygote socket. allow system_server zygote:unix_stream_socket { getopt getattr }; # Date : WK16.36 diff --git a/prebuilts/api/26.0/plat_private/thermalindicator.te b/prebuilts/api/26.0/plat_private/thermalindicator.te index b5f496b..8a9131d 100755 --- a/prebuilts/api/26.0/plat_private/thermalindicator.te 
+++ b/prebuilts/api/26.0/plat_private/thermalindicator.te @@ -31,7 +31,7 @@ allow servicemanager thermalindicator:process { getattr }; typeattribute thermalindicator mlstrustedsubject; allow thermalindicator proc:dir {search getattr}; -allow thermalindicator proc:file read; +#allow thermalindicator proc:file read; allow thermalindicator shell:dir search; allow thermalindicator platform_app:dir search; allow thermalindicator platform_app:file {open read getattr}; diff --git a/prebuilts/api/26.0/plat_private/vold.te b/prebuilts/api/26.0/plat_private/vold.te index e729da9..4ae70b9 100755 --- a/prebuilts/api/26.0/plat_private/vold.te +++ b/prebuilts/api/26.0/plat_private/vold.te @@ -5,4 +5,4 @@ # volume manager #============= vold ============== -allow vold debugfs_tracing:file write; +#allow vold debugfs_tracing:file write;