From 628e0eccb8a6478f135fba28633506d70bc40afd Mon Sep 17 00:00:00 2001 From: mtk11285 Date: Sat, 18 Jan 2020 09:50:43 +0800 Subject: [PATCH] [ALPS03841705] AEE porting on Android P about selinux [Detail] 1. add some rules 2. temp solution for getting ro.*.mediatek.version.branch/ ro.*.mediatek.version.release property MTK-Commit-Id: 12c4d79a10293c4611233c985c29dca94f6e24ae Change-Id: Ice4d565664f95a456f985ed138f302fe7ac4dbff CR-Id: ALPS03841705 Feature: Android Exception Engine(AEE) --- non_plat/adbd.te | 2 ++ non_plat/aee_aed.te | 4 ++++ non_plat/aee_aedv.te | 9 +++++++++ non_plat/dumpstate.te | 4 ++-- non_plat/file.te | 1 - non_plat/shell.te | 5 +++++ plat_private/aee_aed.te | 5 ++++- plat_private/dumpstate.te | 5 ++++- 8 files changed, 30 insertions(+), 5 deletions(-) diff --git a/non_plat/adbd.te b/non_plat/adbd.te index 2e7b5f2..c66441b 100644 --- a/non_plat/adbd.te +++ b/non_plat/adbd.te @@ -8,3 +8,5 @@ # Operator: Migration # Purpose: Allow adbd to read KE DB allow adbd aee_dumpsys_data_file:file r_file_perms; +allow adbd aee_exp_data_file:dir r_dir_perms; +allow adbd aee_exp_data_file:file r_file_perms; diff --git a/non_plat/aee_aed.te b/non_plat/aee_aed.te index 3354ec8..225c2ee 100644 --- a/non_plat/aee_aed.te +++ b/non_plat/aee_aed.te @@ -54,6 +54,10 @@ allow aee_aed proc_cpu_alignment:file { write open }; # Purpose: Allow aee_aed to access /sys/devices/virtual/timed_output/vibrator/enable allow aee_aed sysfs_vibrator_setting:dir search; allow aee_aed sysfs_vibrator_setting:file w_file_perms; +allow aee_aed sysfs_vibrator:dir search; # Purpose: Allow aee_aed to read /proc/kpageflags allow aee_aed proc_kpageflags:file r_file_perms; + +# temp solution +get_prop(aee_aed, vendor_default_prop) diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te index 63ecb0e..9254d66 100644 --- a/non_plat/aee_aedv.te +++ b/non_plat/aee_aedv.te @@ -402,6 +402,7 @@ allow aee_aedv proc_last_kmsg:file r_file_perms; # Purpose: Allow aee_aedv to access /sys/devices/virtual/timed_output/vibrator/enable allow aee_aedv sysfs_vibrator_setting:dir search; allow aee_aedv sysfs_vibrator_setting:file w_file_perms; +allow aee_aedv sysfs_vibrator:dir search; # Purpose: Allow aee_aedv to read /sys/kernel/debug/rcu/rcu_callback_log allow aee_aedv debugfs_rcu:file r_file_perms; @@ -419,3 +420,11 @@ allow aee_aedv sysfs_boot:file r_file_perms; userdebug_or_eng(` allow aee_aedv debugfs_tracing_debug:file { r_file_perms write }; ') +# Purpose: allow aee_aedv self to sys_ptrace +userdebug_or_eng(`allow aee_aedv self:capability sys_ptrace;') + +#Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace +allow aee_aedv proc_slabtrace:file r_file_perms; + +# temp solution +get_prop(aee_aedv, vendor_default_prop) diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te index d0f9101..b28de63 100644 --- a/non_plat/dumpstate.te +++ b/non_plat/dumpstate.te @@ -53,8 +53,8 @@ allow dumpstate sysfs_lowmemorykiller:dir search; allow dumpstate expdb_block_device:blk_file { read write ioctl open }; #/data/anr/SF_RTT -#allow dumpstate sf_rtt_file:dir search; -#allow dumpstate sf_rtt_file:file r_file_perms; +allow dumpstate sf_rtt_file:dir search; +allow dumpstate sf_rtt_file:file r_file_perms; # Data : 2017/03/22 # Operation : add fd use selinux rule diff --git a/non_plat/file.te b/non_plat/file.te index 6d2003b..be49646 100644 --- a/non_plat/file.te +++ b/non_plat/file.te @@ -115,7 +115,6 @@ type aee_core_vendor_file, file_type, data_file_type; type aee_tombstone_data_file, file_type, data_file_type; # AEE exp -#type aee_exp_data_file, file_type, data_file_type; type aee_exp_data_file, file_type, data_file_type, core_data_file_type; type aee_exp_vendor_file, file_type, data_file_type; type aee_dumpsys_data_file, file_type, data_file_type, core_data_file_type; diff --git a/non_plat/shell.te b/non_plat/shell.te index eede6b6..3a4c196 100644 --- a/non_plat/shell.te +++ b/non_plat/shell.te @@ -18,3 +18,8 @@ set_prop(shell, mtkcam_prop) # Date : WK17.36 # Purpose : allow shell to dump the debugging information of power hal. hal_client_domain(shell, hal_power) +allow shell aee_exp_vendor_file:dir r_dir_perms; +allow shell aee_exp_vendor_file:file r_file_perms; +allow shell aee_exp_data_file:dir r_dir_perms; +allow shell aee_exp_data_file:file r_file_perms; + diff --git a/plat_private/aee_aed.te b/plat_private/aee_aed.te index 41c629e..ce3872d 100644 --- a/plat_private/aee_aed.te +++ b/plat_private/aee_aed.te @@ -139,7 +139,10 @@ allow aee_aed crash_dump:file r_file_perms; allow aee_aed proc_version:file { read open }; # Purpose : allow aee_aed self to sys_nice/chown -allow aee_aed self:capability { sys_nice chown }; +allow aee_aed self:capability { sys_nice chown fowner}; # Purpose: Allow aee_aed to write /sys/kernel/debug/tracing/snapshot userdebug_or_eng(`allow aee_aed debugfs_tracing_debug:file { write open };') + +# Purpose: Allow aee_aed self to sys_ptrace +userdebug_or_eng(`allow aee_aed self:capability sys_ptrace;') diff --git a/plat_private/dumpstate.te b/plat_private/dumpstate.te index c668aec..6365be7 100644 --- a/plat_private/dumpstate.te +++ b/plat_private/dumpstate.te @@ -45,5 +45,8 @@ allow dumpstate hal_camera_hwservice:hwservice_manager find; #Purpose: Allow dumpstate to read/write /sys/kernel/debug/tracing/buffer_total_size_kb userdebug_or_eng(`allow dumpstate debugfs_tracing_debug:file { r_file_perms write };') -# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable +# Purpose: Allow dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable allow dumpstate sysfs_vibrator:file write; + +# Purpose : Allow dumpstate self to sys_nice +allow dumpstate self:capability sys_nice;