From 62cf1a413a23ebf412bfbbefedc91a8f8bb6db2f Mon Sep 17 00:00:00 2001 
From: Shanshan Guo Date: Sat, 18 Jan 2020 10:15:29 +0800 Subject: [PATCH] [ALPS04639771] SEPolicy: Modify workaround [Detail] There is a workaround for bring-up, now it needs to be modified. [Solution] 1.Split workaround to sepcial *.te 2.Modify ged sepolicy 3.Modify mistake 4.Add sepolicy MTK-Commit-Id: 5a2b7e3fdc826a7ca6bc70a3810f14c1661e7d79 Change-Id: I0894de45e014a5eae754e35b57fbc9b21bc4bf90 CR-Id: ALPS04639771 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK --- non_plat/aee_core_forwarder.te | 8 ++++ non_plat/app.te | 24 +--------- non_plat/atci_service.te | 2 +- non_plat/atcid.te | 2 +- non_plat/audioserver.te | 6 ++- non_plat/bluetooth.te | 4 ++ non_plat/bootanim.te | 24 +--------- non_plat/cameraserver.te | 5 +-- non_plat/drmserver.te | 2 +- non_plat/hal_audio.te | 10 +++++ non_plat/hal_graphics_allocator.te | 2 +- non_plat/hal_graphics_allocator_default.te | 6 +-- non_plat/hal_graphics_composer_default.te | 25 +---------- non_plat/ioctl_defines | 3 -- non_plat/ioctl_macros | 24 ++++++++++ non_plat/mediacodec.te | 4 +- non_plat/mediadrmserver.te | 2 +- non_plat/mediaextractor.te | 2 +- non_plat/mediaserver.te | 13 +++--- non_plat/merged_hal_service.te | 12 +++-- non_plat/mtk_hal_audio.te | 8 +++- non_plat/mtk_hal_camera.te | 13 +++--- non_plat/mtk_hal_gpu.te | 25 +---------- non_plat/mtkbootanimation.te | 2 +- non_plat/platform_app.te | 5 +++ non_plat/{mtkfusionrild.te => rild.te} | 4 ++ non_plat/shared_relro.te | 7 +++ non_plat/surfaceflinger.te | 28 +----------- non_plat/system_app.te | 6 +++ non_plat/system_server.te | 28 +++--------- non_plat/thermalindicator.te | 2 +- non_plat/ueventd.te | 6 ++- non_plat/wmt_loader.te | 4 ++ non_plat/workaround.te | 51 ---------------------- non_plat/zygote.te | 2 +- 35 files changed, 134 insertions(+), 237 deletions(-) create mode 100644 non_plat/hal_audio.te create mode 100644 non_plat/ioctl_macros rename non_plat/{mtkfusionrild.te => rild.te} (98%) create mode 100644 non_plat/shared_relro.te delete mode 
100644 non_plat/workaround.te diff --git a/non_plat/aee_core_forwarder.te b/non_plat/aee_core_forwarder.te index 255df42..2a6d951 100644 --- a/non_plat/aee_core_forwarder.te +++ b/non_plat/aee_core_forwarder.te @@ -8,3 +8,11 @@ allow aee_core_forwarder aee_exp_data_file:dir { write add_name search }; allow aee_core_forwarder aee_exp_data_file:file { write create open getattr }; allow aee_core_forwarder hwservicemanager_prop:file { read open getattr }; + +# Date: 2019/06/14 +# Operation : Migration +# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder +wakelock_use(aee_core_forwarder) +allow aee_core_forwarder aee_aed:unix_stream_socket connectto; +allow aee_core_forwarder aee_core_data_file:dir read; +hwbinder_use(aee_core_forwarder) diff --git a/non_plat/app.te b/non_plat/app.te index d902cd2..ed037b0 100644 --- a/non_plat/app.te +++ b/non_plat/app.te @@ -5,29 +5,7 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions allow appdomain proc_ged:file rw_file_perms; -allowxperm appdomain proc_ged:file ioctl { - GED_BRIDGE_IO_LOG_BUF_GET - GED_BRIDGE_IO_LOG_BUF_WRITE - GED_BRIDGE_IO_LOG_BUF_RESET - GED_BRIDGE_IO_BOOST_GPU_FREQ - GED_BRIDGE_IO_MONITOR_3D_FENCE - GED_BRIDGE_IO_QUERY_INFO - GED_BRIDGE_IO_NOTIFY_VSYNC - GED_BRIDGE_IO_DVFS_PROBE - GED_BRIDGE_IO_DVFS_UM_RETURN - GED_BRIDGE_IO_EVENT_NOTIFY - GED_BRIDGE_IO_WAIT_HW_VSYNC - GED_BRIDGE_IO_QUERY_TARGET_FPS - GED_BRIDGE_IO_VSYNC_WAIT - GED_BRIDGE_IO_GPU_HINT_TO_CPU - GED_BRIDGE_IO_GE_ALLOC - GED_BRIDGE_IO_GE_GET - GED_BRIDGE_IO_GE_SET - GED_BRIDGE_IO_GPU_TIMESTAMP - GED_BRIDGE_IO_TARGET_FPS - GED_BRIDGE_IO_GE_INFO - GED_BRIDGE_IO_GPU_TUNER_STATUS -}; +allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls }; # Date : W16.42 # Operation : Integration diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te index 73b2f06..e455ad6 100644 --- a/non_plat/atci_service.te +++ b/non_plat/atci_service.te 
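Review bot: The `# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder` line in the aee_core_forwarder hunk explains only `wakelock_use(aee_core_forwarder)`; the `aee_aed:unix_stream_socket connectto`, `aee_core_data_file:dir read` and `hwbinder_use` lines under it were moved here from the deleted workaround.te and carry no rationale of their own. Suggest a second line such as `# Purpose : rules migrated from workaround.te (aee_aed socket, core-dump dir, hwbinder)` so the origin of each grant stays traceable, or the actual functional reason if it is known. The other "Date: 2019/06/14 / Operation : Migration" blocks in this patch (audioserver, bluetooth, merged_hal_service, mtk_hal_audio, mtk_hal_camera, rild, ueventd, wmt_loader) would benefit from the same marker.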
@@ -84,7 +84,7 @@ allow atci_service vendor_shell_exec:file { read execute open execute_no_trans } # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow atci_service proc_ged:file {open read write ioctl getattr}; +allow atci_service proc_ged:file rw_file_perms; # Date : WK16.35 # Operation : Migration diff --git a/non_plat/atcid.te b/non_plat/atcid.te index 7050bc2..1b1eddd 100644 --- a/non_plat/atcid.te +++ b/non_plat/atcid.te @@ -30,7 +30,7 @@ allow atcid self:capability sys_time; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow atcid proc_ged:file {open read write ioctl getattr}; +allow atcid proc_ged:file rw_file_perms; # Date : WK17.23 # Stage: O Migration, SQC diff --git a/non_plat/audioserver.te b/non_plat/audioserver.te index 566ba2c..e4451c8 100644 --- a/non_plat/audioserver.te +++ b/non_plat/audioserver.te @@ -46,8 +46,12 @@ allow audioserver fuse:file write; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow audioserver proc_ged:file {open read write ioctl getattr}; +allow audioserver proc_ged:file rw_file_perms; # Date : WK16.48 # Purpose: Allow to trigger AEE dump allow audioserver aee_aed:unix_stream_socket connectto; + +# Date: 2019/06/14 +# Operation : Migration +get_prop(audioserver, vendor_default_prop) diff --git a/non_plat/bluetooth.te b/non_plat/bluetooth.te index d0952ca..ec4d725 100644 --- a/non_plat/bluetooth.te +++ b/non_plat/bluetooth.te @@ -19,3 +19,7 @@ set_prop(bluetooth, debug_prop) # Add dir create perms for bluetooth on /data/misc/bluetooth/logs allow bluetooth bluetooth_logs_data_file:dir { create_dir_perms relabelto }; allow bluetooth bluetooth_logs_data_file:fifo_file { create_file_perms }; + +# Date: 2019/06/14 +# Operation : Migration +get_prop(bluetooth, mtk_amslog_prop) diff --git a/non_plat/bootanim.te b/non_plat/bootanim.te index d8caa3a..4f0bc35 100644 --- a/non_plat/bootanim.te +++ b/non_plat/bootanim.te 
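Review bot: Replacing the literal `{open read write ioctl getattr}` on proc_ged with `rw_file_perms` in the atci_service hunk is not a pure restyle: in AOSP's global_macros of this platform generation rw_file_perms also carries `append`, `lock` and `map`, so the domain gains mmap of /proc/ged that the old rule did not grant (check the tree's global_macros to confirm the exact expansion). The same substitution appears in the atcid, audioserver, drmserver, mediadrmserver, mediaextractor, mediaserver, mtk_hal_audio, mtkbootanimation, thermalindicator and zygote hunks, and `{ read ioctl open }` to `r_file_perms` in hal_graphics_allocator and hal_graphics_composer_default adds `getattr lock map` in the same way. If the wider set is intended, record it once, e.g. `# rw_file_perms (adds append/lock/map over the old literal set) is needed for gralloc_extra`; otherwise keep the literal permission set, since nothing in the hunk shows a denial that motivates the change.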
@@ -25,29 +25,7 @@ allow bootanim proc_perfmgr:file r_file_perms; # Date : WK19.11 # Operation : Migration # Purpose : Allow to access ged for ioctl related functions -allowxperm bootanim proc_ged:file ioctl { - GED_BRIDGE_IO_LOG_BUF_GET - GED_BRIDGE_IO_LOG_BUF_WRITE - GED_BRIDGE_IO_LOG_BUF_RESET - GED_BRIDGE_IO_BOOST_GPU_FREQ - GED_BRIDGE_IO_MONITOR_3D_FENCE - GED_BRIDGE_IO_QUERY_INFO - GED_BRIDGE_IO_NOTIFY_VSYNC - GED_BRIDGE_IO_DVFS_PROBE - GED_BRIDGE_IO_DVFS_UM_RETURN - GED_BRIDGE_IO_EVENT_NOTIFY - GED_BRIDGE_IO_WAIT_HW_VSYNC - GED_BRIDGE_IO_QUERY_TARGET_FPS - GED_BRIDGE_IO_VSYNC_WAIT - GED_BRIDGE_IO_GPU_HINT_TO_CPU - GED_BRIDGE_IO_GE_ALLOC - GED_BRIDGE_IO_GE_GET - GED_BRIDGE_IO_GE_SET - GED_BRIDGE_IO_GPU_TIMESTAMP - GED_BRIDGE_IO_TARGET_FPS - GED_BRIDGE_IO_GE_INFO - GED_BRIDGE_IO_GPU_TUNER_STATUS -}; +allowxperm bootanim proc_ged:file ioctl { proc_ged_ioctls }; allowxperm bootanim proc_perfmgr:file ioctl { PERFMGR_FPSGO_QUEUE PERFMGR_FPSGO_DEQUEUE diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te index 6542c42..e2e04d6 100644 --- a/non_plat/cameraserver.te +++ b/non_plat/cameraserver.te @@ -295,10 +295,7 @@ allow cameraserver gpu_device:dir search; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions allow cameraserver proc_ged:file rw_file_perms; -allowxperm cameraserver proc_ged:file ioctl { - GED_BRIDGE_IO_GE_GET - GED_BRIDGE_IO_GPU_TIMESTAMP -}; +allowxperm cameraserver proc_ged:file ioctl { proc_ged_ioctls }; # Date : WK16.33 # Operation : Migration diff --git a/non_plat/drmserver.te b/non_plat/drmserver.te index 8755b64..6086c27 100644 --- a/non_plat/drmserver.te +++ b/non_plat/drmserver.te @@ -4,4 +4,4 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow drmserver proc_ged:file {open read write ioctl getattr}; +allow drmserver proc_ged:file rw_file_perms; diff --git a/non_plat/hal_audio.te b/non_plat/hal_audio.te new file mode 100644 index 0000000..9245891 --- /dev/null 
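Review bot: The cameraserver allowxperm now grants the full `proc_ged_ioctls` set where the old rule listed only GED_BRIDGE_IO_GE_GET and GED_BRIDGE_IO_GPU_TIMESTAMP, so this domain's ioctl whitelist grows from 2 to 21 commands, including GED_BRIDGE_IO_BOOST_GPU_FREQ and the DVFS bridge calls. The same widening occurs in the hal_graphics_allocator_default (3 to 21), hal_graphics_composer_default (11 to 21), mediacodec (2 to 21), merged_hal_service (2 to 21) and mtk_hal_camera (4 to 21) hunks; only appdomain, bootanim, mtk_hal_gpu, surfaceflinger and system_server already held the complete list, and for those the macro is an equal-set substitution. allowxperm exists to narrow ioctl access per domain, so the macro should be reserved for domains that need the whole bridge, with the others keeping their explicit lists or using a smaller macro (a constructed name such as `proc_ged_ge_ioctls` for the GE_ALLOC/GE_GET/GE_SET subset). If the expansion was driven by observed denials, the `# Purpose` line above each rule should say which commands were denied.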
+++ b/non_plat/hal_audio.te @@ -0,0 +1,10 @@ +# ============================================== +# MTK Policy Rule +# ============ + +# Date: 2019/06/14 +# Operation : Migration +# Purpose : interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice +binder_call(hal_audio_client, hal_audio_server) +binder_call(hal_audio_server, hal_audio_client) +hal_attribute_hwservice(hal_audio, hal_audio_hwservice) diff --git a/non_plat/hal_graphics_allocator.te b/non_plat/hal_graphics_allocator.te index 310c04a..6da702d 100644 --- a/non_plat/hal_graphics_allocator.te +++ b/non_plat/hal_graphics_allocator.te @@ -2,4 +2,4 @@ # Operation : Add sepolicy # Purpose : Add policy for gralloc HIDL -allow hal_graphics_allocator proc_ged:file { read ioctl open }; +allow hal_graphics_allocator proc_ged:file r_file_perms; diff --git a/non_plat/hal_graphics_allocator_default.te b/non_plat/hal_graphics_allocator_default.te index 921aaac..4814d6c 100644 --- a/non_plat/hal_graphics_allocator_default.te +++ b/non_plat/hal_graphics_allocator_default.te @@ -19,9 +19,5 @@ allow hal_graphics_allocator_default debugfs_tracing:file open; #============= hal_graphics_allocator_default ============== allow hal_graphics_allocator_default proc_ged:file r_file_perms; -allowxperm hal_graphics_allocator_default proc_ged:file ioctl { -GED_BRIDGE_IO_GE_ALLOC -GED_BRIDGE_IO_GE_GET -GED_BRIDGE_IO_GE_SET -}; +allowxperm hal_graphics_allocator_default proc_ged:file ioctl { proc_ged_ioctls }; diff --git a/non_plat/hal_graphics_composer_default.te b/non_plat/hal_graphics_composer_default.te index 4cee937..2f4c397 100644 --- a/non_plat/hal_graphics_composer_default.te +++ b/non_plat/hal_graphics_composer_default.te 
@@ -7,7 +7,7 @@ allow hal_graphics_composer_default debugfs_ged:dir search; # Purpose : Add polivy for hwc HIDL allow hal_graphics_composer_default proc:file { read getattr open ioctl }; -allow hal_graphics_composer_default proc_ged:file { read ioctl open }; +allow hal_graphics_composer_default proc_ged:file r_file_perms; allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt }; # Date : WK17.21 @@ -19,13 +19,8 @@ allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_mana # Purpose: GPU driver required allow hal_graphics_composer_default gpu_device:dir search; -#============= hal_graphics_composer_default ============== allow hal_graphics_composer_default debugfs_ion:dir search; - -#============= hal_graphics_composer_default ============== allow hal_graphics_composer_default debugfs_tracing:file write; - -#============= hal_graphics_composer_default ============== allow hal_graphics_composer_default debugfs_tracing:file open; # Date : WK17.30 @@ -47,26 +42,10 @@ set_prop(hal_graphics_composer_default, graphics_hwc_latch_unsignaled_prop) # Date : WK18.03 # Purpose: Allow to access property dev/mdp_sync -#============= hal_graphics_composer_default ============== allow hal_graphics_composer_default mtk_mdp_device:chr_file { read write open ioctl }; - allow hal_graphics_composer_default mdp_device:chr_file rw_file_perms; - allow hal_graphics_composer_default tee_device:chr_file rw_file_perms; - -allowxperm hal_graphics_composer_default proc_ged:file ioctl { -GED_BRIDGE_IO_LOG_BUF_GET -GED_BRIDGE_IO_GE_INFO -GED_BRIDGE_IO_GE_GET -GED_BRIDGE_IO_GE_SET -GED_BRIDGE_IO_LOG_BUF_WRITE -GED_BRIDGE_IO_GE_ALLOC -GED_BRIDGE_IO_BOOST_GPU_FREQ -GED_BRIDGE_IO_IOCTLCMD_0F -GED_BRIDGE_IO_IOCTLCMD_10 -GED_BRIDGE_IO_MONITOR_3D_FENCE -GED_BRIDGE_IO_QUERY_INFO -}; +allowxperm hal_graphics_composer_default proc_ged:file ioctl { proc_ged_ioctls }; # Date: 2018/11/08 # Operation : JPEG 
diff --git a/non_plat/ioctl_defines b/non_plat/ioctl_defines index ce6b85b..39b2e27 100755 --- a/non_plat/ioctl_defines +++ b/non_plat/ioctl_defines @@ -24,9 +24,6 @@ define(`GED_BRIDGE_IO_TARGET_FPS', `0x6768') define(`GED_BRIDGE_IO_GE_INFO', `0x6769') define(`GED_BRIDGE_IO_GPU_TUNER_STATUS', `0x676a') -define(`GED_BRIDGE_IO_IOCTLCMD_0F', `0x670f') -define(`GED_BRIDGE_IO_IOCTLCMD_10', `0x6710') - ##################################### # perf_ioctl.h : FPSGO # diff --git a/non_plat/ioctl_macros b/non_plat/ioctl_macros new file mode 100644 index 0000000..61b70c1 --- /dev/null +++ b/non_plat/ioctl_macros @@ -0,0 +1,24 @@ +# proc_ged ioctls +define(`proc_ged_ioctls', `{ + GED_BRIDGE_IO_LOG_BUF_GET + GED_BRIDGE_IO_LOG_BUF_WRITE + GED_BRIDGE_IO_LOG_BUF_RESET + GED_BRIDGE_IO_BOOST_GPU_FREQ + GED_BRIDGE_IO_MONITOR_3D_FENCE + GED_BRIDGE_IO_QUERY_INFO + GED_BRIDGE_IO_NOTIFY_VSYNC + GED_BRIDGE_IO_DVFS_PROBE + GED_BRIDGE_IO_DVFS_UM_RETURN + GED_BRIDGE_IO_EVENT_NOTIFY + GED_BRIDGE_IO_WAIT_HW_VSYNC + GED_BRIDGE_IO_QUERY_TARGET_FPS + GED_BRIDGE_IO_VSYNC_WAIT + GED_BRIDGE_IO_GPU_HINT_TO_CPU + GED_BRIDGE_IO_GE_ALLOC + GED_BRIDGE_IO_GE_GET + GED_BRIDGE_IO_GE_SET + GED_BRIDGE_IO_GPU_TIMESTAMP + GED_BRIDGE_IO_TARGET_FPS + GED_BRIDGE_IO_GE_INFO + GED_BRIDGE_IO_GPU_TUNER_STATUS +}') diff --git a/non_plat/mediacodec.te b/non_plat/mediacodec.te index 24cbd15..4ad2184 100644 --- a/non_plat/mediacodec.te +++ b/non_plat/mediacodec.te @@ -89,8 +89,8 @@ allow mediacodec MtkCodecService:binder transfer; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow mediacodec proc_ged:file {open read write ioctl getattr}; -allowxperm mediacodec proc_ged:file ioctl { GED_BRIDGE_IO_GE_GET GED_BRIDGE_IO_GE_SET }; +allow mediacodec proc_ged:file rw_file_perms; +allowxperm mediacodec proc_ged:file ioctl { proc_ged_ioctls }; # Data : WK16.42 # Operator: Whitney bring up diff --git a/non_plat/mediadrmserver.te b/non_plat/mediadrmserver.te index 0af74b7..70f5178 100644 
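Review bot: The header comment `# proc_ged ioctls` on the new `proc_ged_ioctls` macro in ioctl_macros does not say that it is the complete GED bridge command set, which matters because every `allowxperm ... { proc_ged_ioctls }` in this patch hands a domain all 21 commands; suggest `# Complete GED bridge ioctl set for proc_ged. Granting it gives a domain every bridge command; use it only where the whole set is needed and list commands explicitly elsewhere.` The file also lacks the Date/Operation/Purpose header the other non_plat files carry. In the ioctl_defines hunk, GED_BRIDGE_IO_IOCTLCMD_0F and GED_BRIDGE_IO_IOCTLCMD_10 are removed together with their uses in hal_graphics_composer_default, mediaserver and surfaceflinger inside this patch, which is consistent; any reference outside the patch would pass through m4 as a bare identifier and fail checkpolicy, so a note in the description that the tree was grepped would help.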
--- a/non_plat/mediadrmserver.te +++ b/non_plat/mediadrmserver.te @@ -4,6 +4,6 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow mediadrmserver proc_ged:file {open read write ioctl getattr}; +allow mediadrmserver proc_ged:file rw_file_perms; diff --git a/non_plat/mediaextractor.te b/non_plat/mediaextractor.te index 1c7f302..1ce425f 100644 --- a/non_plat/mediaextractor.te +++ b/non_plat/mediaextractor.te @@ -4,7 +4,7 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow mediaextractor proc_ged:file {open read write ioctl getattr}; +allow mediaextractor proc_ged:file rw_file_perms; #============= mediaextractor ============== allow mediaextractor vfat:file r_file_perms; diff --git a/non_plat/mediaserver.te b/non_plat/mediaserver.te index 17673c0..f1aff36 100644 --- a/non_plat/mediaserver.te +++ b/non_plat/mediaserver.te @@ -261,7 +261,8 @@ allow mediaserver camera_rsc_device:chr_file rw_file_perms; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow mediaserver proc_ged:file {open read write ioctl getattr}; +allow mediaserver proc_ged:file rw_file_perms; +allowxperm mediaserver proc_ged:file ioctl { proc_ged_ioctls }; # Date : WK16.33 # Operation : N Migration @@ -315,12 +316,12 @@ allow mediaserver camera_mfb_device:chr_file rw_file_perms; # Operation : MT6771 SQC # Purpose : Allow permgr access allow mediaserver proc_perfmgr:dir {read search}; -allow mediaserver proc_perfmgr:file {open read ioctl}; +allow mediaserver proc_perfmgr:file r_file_perms; allowxperm mediaserver proc_perfmgr:file ioctl { -GED_BRIDGE_IO_BOOST_GPU_FREQ -GED_BRIDGE_IO_IOCTLCMD_0F -GED_BRIDGE_IO_LOG_BUF_WRITE -GED_BRIDGE_IO_IOCTLCMD_10 + PERFMGR_FPSGO_DEQUEUE + PERFMGR_FPSGO_QUEUE_CONNECT + PERFMGR_FPSGO_QUEUE + PERFMGR_FPSGO_BQID }; # Date : WK18.18 diff --git a/non_plat/merged_hal_service.te b/non_plat/merged_hal_service.te index b37f1bd..df44f98 100644 --- a/non_plat/merged_hal_service.te 
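Review bot: The second mediaserver hunk replaces the GED numbers that were wrongly listed against proc_perfmgr with PERFMGR_FPSGO_DEQUEUE, PERFMGR_FPSGO_QUEUE_CONNECT, PERFMGR_FPSGO_QUEUE and PERFMGR_FPSGO_BQID, but only QUEUE and DEQUEUE are visible elsewhere on this page (bootanim); confirm QUEUE_CONNECT and BQID are defined in the FPSGO section of ioctl_defines, because an undefined name survives m4 verbatim and checkpolicy rejects a non-numeric xperm. The `# Purpose : Allow permgr access` line above the rule should name FPSGO so the correction is self-explaining, e.g. `# Purpose : Allow perfmgr access (FPSGO queue ioctls only)`. The new `allowxperm mediaserver proc_ged:file ioctl { proc_ged_ioctls }` in the first hunk narrows an ioctl grant that, if no other allowxperm existed for that pair, was previously unfiltered, which is the right direction.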
+++ b/non_plat/merged_hal_service.te @@ -35,7 +35,7 @@ allow merged_hal_service mnld:unix_dgram_socket sendto; #graphics allocator permissions hal_server_domain(merged_hal_service, hal_graphics_allocator) allow merged_hal_service gpu_device:dir search; -allow merged_hal_service sw_sync_device:chr_file { open read write getattr ioctl }; +allow merged_hal_service sw_sync_device:chr_file rw_file_perms; allow merged_hal_service debugfs_ion:dir search; allow merged_hal_service debugfs_tracing:file write; allow merged_hal_service debugfs_tracing:file open; @@ -54,14 +54,14 @@ allow merged_hal_service debugfs_tracing:file write; #power permissions allow merged_hal_service proc:dir {search getattr}; -allow merged_hal_service proc:file {getattr open read write ioctl}; +allow merged_hal_service proc:file rw_file_perms; allow merged_hal_service debugfs_ged:dir search; allow merged_hal_service debugfs_ged:file { getattr open read write }; allow merged_hal_service proc_thermal:file { write open }; allow merged_hal_service proc_thermal:dir search; allow merged_hal_service sysfs:file {open write read}; allow merged_hal_service proc_perfmgr:dir search; -allow merged_hal_service proc_perfmgr:file { getattr open read write ioctl }; +allow merged_hal_service proc_perfmgr:file rw_file_perms; allow merged_hal_service sdcard_type:dir create_dir_perms; allow merged_hal_service sdcard_type:file create_file_perms; allow merged_hal_service eemcs_device:chr_file rw_file_perms; @@ -88,4 +88,8 @@ allow merged_hal_service proc_stat:file {open read getattr }; # Date : WK19.11 # Operation : Q Migration -allowxperm merged_hal_service proc_ged:file ioctl {GED_BRIDGE_IO_GE_ALLOC GED_BRIDGE_IO_GE_GET}; +allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls }; + +# Date: 2019/06/14 +# Operation : Migration +allow merged_hal_service nvram_agent_binder_hwservice:hwservice_manager find; diff --git a/non_plat/mtk_hal_audio.te b/non_plat/mtk_hal_audio.te index 5e81407..860c243 100644 
--- a/non_plat/mtk_hal_audio.te +++ b/non_plat/mtk_hal_audio.te @@ -190,7 +190,7 @@ allow mtk_hal_audio sdcard_type:file { create_file_perms }; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow mtk_hal_audio proc_ged:file {open read write ioctl getattr}; +allow mtk_hal_audio proc_ged:file rw_file_perms; set_prop(mtk_hal_audio,hwservicemanager_prop); allow mtk_hal_audio storage_file:dir search; @@ -224,3 +224,9 @@ allow mtk_hal_audio audio_scp_device:chr_file r_file_perms; # Operation: P migration # Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init() allow mtk_hal_audio mnt_vendor_file:dir search; + +# Date: 2019/06/14 +# Operation : Migration +allow mtk_hal_audio audioserver:fifo_file w_file_perms; +allow mtk_hal_audio sysfs_boot_mode:file r_file_perms; +allow mtk_hal_audio sysfs_dt_firmware_android:dir search; diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te index b3df156..16516e6 100644 --- a/non_plat/mtk_hal_camera.te +++ b/non_plat/mtk_hal_camera.te @@ -249,13 +249,8 @@ allow mtk_hal_camera gpu_device:dir search; allow mtk_hal_camera gpu_device:chr_file rw_file_perms; ## Purpose: Allow to access ged for gralloc_extra functions -allow mtk_hal_camera proc_ged:file {open read write ioctl getattr}; -allowxperm mtk_hal_camera proc_ged:file ioctl { - GED_BRIDGE_IO_GE_GET - GED_BRIDGE_IO_GE_SET - GED_BRIDGE_IO_LOG_BUF_GET - GED_BRIDGE_IO_QUERY_INFO -}; +allow mtk_hal_camera proc_ged:file rw_file_perms; +allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls }; ################################################################################ # Date : WK17 @@ -338,3 +333,7 @@ allow mtk_hal_camera proc_isp_p2:file {create_file_perms}; # Purpose : AINR/Thermal Boost allow mtk_hal_camera system_data_file:dir { getattr }; + +# Date: 2019/06/14 +# Operation : Migration +allow mtk_hal_camera sysfs_dt_firmware_android:dir search; 
diff --git a/non_plat/mtk_hal_gpu.te b/non_plat/mtk_hal_gpu.te index 4c41a9d..939351d 100644 --- a/non_plat/mtk_hal_gpu.te +++ b/non_plat/mtk_hal_gpu.te @@ -42,34 +42,11 @@ allow mtk_hal_gpu property_socket:sock_file write; allow mtk_hal_gpu debugfs_ged:dir rw_dir_perms; allow mtk_hal_gpu debugfs_ged:file rw_file_perms; allow mtk_hal_gpu proc_ged:file rw_file_perms; +allowxperm mtk_hal_gpu proc_ged:file ioctl { proc_ged_ioctls }; allow mtk_hal_gpu hal_graphics_allocator_default:fd use; allow mtk_hal_gpu ion_device:chr_file r_file_perms; allow mtk_hal_gpu debugfs_ion:dir search; -allowxperm mtk_hal_gpu proc_ged:file ioctl { - GED_BRIDGE_IO_LOG_BUF_GET - GED_BRIDGE_IO_LOG_BUF_WRITE - GED_BRIDGE_IO_LOG_BUF_RESET - GED_BRIDGE_IO_BOOST_GPU_FREQ - GED_BRIDGE_IO_MONITOR_3D_FENCE - GED_BRIDGE_IO_QUERY_INFO - GED_BRIDGE_IO_NOTIFY_VSYNC - GED_BRIDGE_IO_DVFS_PROBE - GED_BRIDGE_IO_DVFS_UM_RETURN - GED_BRIDGE_IO_EVENT_NOTIFY - GED_BRIDGE_IO_WAIT_HW_VSYNC - GED_BRIDGE_IO_QUERY_TARGET_FPS - GED_BRIDGE_IO_VSYNC_WAIT - GED_BRIDGE_IO_GPU_HINT_TO_CPU - GED_BRIDGE_IO_GE_ALLOC - GED_BRIDGE_IO_GE_GET - GED_BRIDGE_IO_GE_SET - GED_BRIDGE_IO_GPU_TIMESTAMP - GED_BRIDGE_IO_TARGET_FPS - GED_BRIDGE_IO_GE_INFO - GED_BRIDGE_IO_GPU_TUNER_STATUS -}; - allow mtk_hal_gpu merged_hal_service:fd use; diff --git a/non_plat/mtkbootanimation.te b/non_plat/mtkbootanimation.te index 5affa51..11a4874 100644 --- a/non_plat/mtkbootanimation.te +++ b/non_plat/mtkbootanimation.te @@ -14,7 +14,7 @@ allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow mtkbootanimation proc_ged:file {open read write ioctl getattr}; +allow mtkbootanimation proc_ged:file rw_file_perms; # ============================================== # Type Declaration for secmem diff --git a/non_plat/platform_app.te b/non_plat/platform_app.te index 32b2e8a..40d108a 100644 --- a/non_plat/platform_app.te +++ b/non_plat/platform_app.te 
@@ -108,3 +108,8 @@ get_prop(platform_app, vendor_connsysfw_prop) # Purpose : JPEG need to use PQ via MMS HIDL allow platform_app mtk_hal_mms_hwservice:hwservice_manager find; allow platform_app mtk_hal_mms:binder call; + +# Date: 2019/06/14 +# Operation : Migration +# Purpose : platform_app need get mtk_amslog_prop +get_prop(platform_app, mtk_amslog_prop) diff --git a/non_plat/mtkfusionrild.te b/non_plat/rild.te similarity index 98% rename from non_plat/mtkfusionrild.te rename to non_plat/rild.te index 5fcde4e..49a9af0 100644 --- a/non_plat/mtkfusionrild.te +++ b/non_plat/rild.te @@ -146,3 +146,7 @@ set_prop(rild, mtk_ss_vendor_prop) # Date : 2018/2/27 # Purpose : for NVRAM recovery mechanism set_prop(rild,powerctl_prop); + +# Date: 2019/06/14 +# Operation : Migration +allow rild proc_cmdline:file r_file_perms; diff --git a/non_plat/shared_relro.te b/non_plat/shared_relro.te new file mode 100644 index 0000000..88430ee --- /dev/null +++ b/non_plat/shared_relro.te @@ -0,0 +1,7 @@ +# ============================================== +# MTK Policy Rule +# ============ + +# Date: 2019/06/14 +# Operation : Migration +get_prop(shared_relro, mtk_amslog_prop) diff --git a/non_plat/surfaceflinger.te b/non_plat/surfaceflinger.te index 91fc852..619cad3 100644 --- a/non_plat/surfaceflinger.te +++ b/non_plat/surfaceflinger.te @@ -11,6 +11,7 @@ allow surfaceflinger debug_prop:property_service set; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions allow surfaceflinger proc_ged:file rw_file_perms; +allowxperm surfaceflinger proc_ged:file ioctl { proc_ged_ioctls }; # Date : W16.42 # Operation : Integration 
@@ -67,33 +68,6 @@ allow surfaceflinger hal_graphics_composer_default:lnk_file read; # Purpose: Allow to dump buffer queue get_prop(surfaceflinger, debug_bq_dump_prop) -allowxperm surfaceflinger proc_perfmgr:file ioctl {GED_BRIDGE_IO_LOG_BUF_GET GED_BRIDGE_IO_BOOST_GPU_FREQ GED_BRIDGE_IO_QUERY_INFO}; -allowxperm surfaceflinger proc_ged:file ioctl { -  GED_BRIDGE_IO_LOG_BUF_GET -  GED_BRIDGE_IO_BOOST_GPU_FREQ -  GED_BRIDGE_IO_QUERY_INFO -  GED_BRIDGE_IO_GE_GET -  GED_BRIDGE_IO_LOG_BUF_WRITE -  GED_BRIDGE_IO_GE_SET -  GED_BRIDGE_IO_GE_ALLOC -  GED_BRIDGE_IO_GE_INFO - GED_BRIDGE_IO_IOCTLCMD_0F - GED_BRIDGE_IO_IOCTLCMD_10 -  GED_BRIDGE_IO_MONITOR_3D_FENCE -  GED_BRIDGE_IO_NOTIFY_VSYNC -  GED_BRIDGE_IO_DVFS_PROBE -  GED_BRIDGE_IO_DVFS_UM_RETURN -  GED_BRIDGE_IO_EVENT_NOTIFY -  GED_BRIDGE_IO_WAIT_HW_VSYNC -  GED_BRIDGE_IO_QUERY_TARGET_FPS -  GED_BRIDGE_IO_VSYNC_WAIT -  GED_BRIDGE_IO_GPU_HINT_TO_CPU -  GED_BRIDGE_IO_LOG_BUF_RESET -  GED_BRIDGE_IO_GPU_TIMESTAMP -  GED_BRIDGE_IO_TARGET_FPS -  GED_BRIDGE_IO_GPU_TUNER_STATUS -}; - # Date : WK19.4 # Operation : P Migration # Purpose: Allow to access /dev/mdp_device driver diff --git a/non_plat/system_app.te b/non_plat/system_app.te index bb9f531..91bcf0b 100644 --- a/non_plat/system_app.te +++ b/non_plat/system_app.te @@ -34,3 +34,9 @@ allow system_app aee_exp_data_file:dir r_dir_perms; # Purpose : JPEG need to use PQ via MMS HIDL allow system_app mtk_hal_mms_hwservice:hwservice_manager find; allow system_app mtk_hal_mms:binder call; + +# Date: 2019/06/14 +# Operation : Migration +# Purpose : system_app need get mtk_amslog_prop +get_prop(system_app, mtk_amslog_prop) +get_prop(system_app, vendor_default_prop) diff --git a/non_plat/system_server.te b/non_plat/system_server.te index e446bef..bba72c3 100644 --- a/non_plat/system_server.te +++ b/non_plat/system_server.te 
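Review bot: Dropping `allowxperm surfaceflinger proc_perfmgr:file ioctl {GED_BRIDGE_IO_LOG_BUF_GET GED_BRIDGE_IO_BOOST_GPU_FREQ GED_BRIDGE_IO_QUERY_INFO};` with no replacement is the opposite of the fix applied to mediaserver: if surfaceflinger holds an `ioctl` permission on proc_perfmgr anywhere in the policy (not visible here), removing the only allowxperm for that pair lifts all command filtering instead of correcting it. Suggest a replacement listing the FPSGO commands it actually issues, e.g. `allowxperm surfaceflinger proc_perfmgr:file ioctl { PERFMGR_FPSGO_QUEUE PERFMGR_FPSGO_DEQUEUE };`, or a comment stating that surfaceflinger has no ioctl access to proc_perfmgr so the old rule was dead. The proc_ged rule in the earlier surfaceflinger hunk is an equal-set substitution and needs no change.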
@@ -202,26 +202,8 @@ allow system_server alarm_device:chr_file rw_file_perms; # Operation: Q migration # Purpose : Allow system_server to use ioctl/ioctlcmd allow system_server proc_ged:file rw_file_perms; -allowxperm system_server proc_ged:file ioctl { - GED_BRIDGE_IO_LOG_BUF_GET - GED_BRIDGE_IO_LOG_BUF_WRITE - GED_BRIDGE_IO_LOG_BUF_RESET - GED_BRIDGE_IO_BOOST_GPU_FREQ - GED_BRIDGE_IO_MONITOR_3D_FENCE - GED_BRIDGE_IO_QUERY_INFO - GED_BRIDGE_IO_NOTIFY_VSYNC - GED_BRIDGE_IO_DVFS_PROBE - GED_BRIDGE_IO_DVFS_UM_RETURN - GED_BRIDGE_IO_EVENT_NOTIFY - GED_BRIDGE_IO_WAIT_HW_VSYNC - GED_BRIDGE_IO_QUERY_TARGET_FPS - GED_BRIDGE_IO_VSYNC_WAIT - GED_BRIDGE_IO_GPU_HINT_TO_CPU - GED_BRIDGE_IO_GE_ALLOC - GED_BRIDGE_IO_GE_GET - GED_BRIDGE_IO_GE_SET - GED_BRIDGE_IO_GPU_TIMESTAMP - GED_BRIDGE_IO_TARGET_FPS - GED_BRIDGE_IO_GE_INFO - GED_BRIDGE_IO_GPU_TUNER_STATUS - }; +allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls }; + +# Date: 2019/06/14 +# Operation : Migration +get_prop(system_server, vendor_default_prop) diff --git a/non_plat/thermalindicator.te b/non_plat/thermalindicator.te index 22d2042..a7256a9 100644 --- a/non_plat/thermalindicator.te +++ b/non_plat/thermalindicator.te @@ -1,3 +1,3 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow thermalindicator proc_ged:file {open read write ioctl getattr}; \ No newline at end of file +allow thermalindicator proc_ged:file rw_file_perms; diff --git a/non_plat/ueventd.te b/non_plat/ueventd.te index 7d61b84..a98faaa 100644 --- a/non_plat/ueventd.te +++ b/non_plat/ueventd.te 
@@ -7,4 +7,8 @@ allow ueventd proc_net:file r_file_perms; # Purpose : Add for A/B system allow ueventd device:chr_file { relabelfrom relabelto }; allow ueventd m_acc_misc_device:chr_file { relabelfrom relabelto }; -allow ueventd m_mag_misc_device:chr_file { relabelfrom relabelto }; \ No newline at end of file +allow ueventd m_mag_misc_device:chr_file { relabelfrom relabelto }; + +# Date: 2019/06/14 +# Operation : Migration +allow ueventd tmpfs:lnk_file r_file_perms; diff --git a/non_plat/wmt_loader.te b/non_plat/wmt_loader.te index fe1b1e3..de04ce6 100644 --- a/non_plat/wmt_loader.te +++ b/non_plat/wmt_loader.te @@ -26,3 +26,7 @@ allow wmt_loader stpwmt_device:chr_file rw_file_perms; allow wmt_loader devpts:chr_file rwx_file_perms; allow wmt_loader proc:file setattr; + +# Date: 2019/06/14 +# Operation : Migration +allow wmt_loader proc_wmtdbg:file setattr; diff --git a/non_plat/workaround.te b/non_plat/workaround.te deleted file mode 100644 index 6077167..0000000 --- a/non_plat/workaround.te +++ /dev/null 
@@ -1,51 +0,0 @@ - - -#============= aee_core_forwarder ============== -allow aee_core_forwarder aee_aed:unix_stream_socket connectto; -allow aee_core_forwarder aee_core_data_file:dir read; -allow aee_core_forwarder hwservicemanager:binder { call transfer }; - -#============= audioserver ============== -allow audioserver vendor_default_prop:file read; - -#============= bluetooth ============== -allow bluetooth mtk_amslog_prop:file read; - -#============= merged_hal_service ============== -allow merged_hal_service nvram_agent_binder_hwservice:hwservice_manager find; - -#============= mtk_hal_audio ============== -allow mtk_hal_audio audioserver:fifo_file write; -allow mtk_hal_audio sysfs_boot_mode:file read; -allow mtk_hal_audio sysfs_dt_firmware_android:dir search; - -#============= mtk_hal_camera ============== -allow mtk_hal_camera sysfs_dt_firmware_android:dir search; - -#============= platform_app ============== -allow platform_app mtk_amslog_prop:file read; - -#============= rild ============== -allow rild proc_cmdline:file read; - -#============= shared_relro ============== -allow shared_relro mtk_amslog_prop:file read; - -#============= system_server ============== -allow system_server vendor_default_prop:file read; - -#============= ueventd ============== -allow ueventd tmpfs:lnk_file read; - -#============= wmt_loader ============== -allow wmt_loader proc_wmtdbg:file setattr; - -# interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice -allow hal_audio_client hal_audio_hwservice:hwservice_manager find; -allow hal_audio_server hal_audio_hwservice:hwservice_manager find; -allow hal_audio hal_audio_hwservice:hwservice_manager find; - - -# interface=android.system.suspend::ISystemSuspend for aee_core_forwarder -allow aee_core_forwarder system_suspend_hwservice:hwservice_manager find; -allow hwservicemanager aee_core_forwarder:binder transfer; \ No newline at end of file 
diff --git a/non_plat/zygote.te b/non_plat/zygote.te index 68e8971..82dedf9 100644 --- a/non_plat/zygote.te +++ b/non_plat/zygote.te @@ -4,7 +4,7 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -allow zygote proc_ged:file {open read write ioctl getattr}; +allow zygote proc_ged:file rw_file_perms; # Date : WK17.02 # Purpose: Allow to access gpu for memtrack functions