[ALPS04639771] SEPolicy: Modify workaround

[Detail]
There is a workaround for bring-up,
now it needs to be modified.

[Solution]
1.Split workaround to sepcial *.te
2.Modify ged sepolicy
3.Modify mistake
4.Add sepolicy

MTK-Commit-Id: 5a2b7e3fdc826a7ca6bc70a3810f14c1661e7d79

Change-Id: I0894de45e014a5eae754e35b57fbc9b21bc4bf90
CR-Id: ALPS04639771
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK

non_plat/aee_core_forwarder.te

@@ -8,3 +8,11 @@
 allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
 allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
 allow aee_core_forwarder hwservicemanager_prop:file { read open getattr };
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
+wakelock_use(aee_core_forwarder)
+allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
+allow aee_core_forwarder aee_core_data_file:dir read;
+hwbinder_use(aee_core_forwarder)

non_plat/app.te

@@ -5,29 +5,7 @@
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
 allow appdomain proc_ged:file rw_file_perms;
-allowxperm appdomain proc_ged:file ioctl {
+allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls };
- GED_BRIDGE_IO_LOG_BUF_GET
- GED_BRIDGE_IO_LOG_BUF_WRITE
- GED_BRIDGE_IO_LOG_BUF_RESET
- GED_BRIDGE_IO_BOOST_GPU_FREQ
- GED_BRIDGE_IO_MONITOR_3D_FENCE
- GED_BRIDGE_IO_QUERY_INFO
- GED_BRIDGE_IO_NOTIFY_VSYNC
- GED_BRIDGE_IO_DVFS_PROBE
- GED_BRIDGE_IO_DVFS_UM_RETURN
- GED_BRIDGE_IO_EVENT_NOTIFY
- GED_BRIDGE_IO_WAIT_HW_VSYNC
- GED_BRIDGE_IO_QUERY_TARGET_FPS
- GED_BRIDGE_IO_VSYNC_WAIT
- GED_BRIDGE_IO_GPU_HINT_TO_CPU
- GED_BRIDGE_IO_GE_ALLOC
- GED_BRIDGE_IO_GE_GET
- GED_BRIDGE_IO_GE_SET
- GED_BRIDGE_IO_GPU_TIMESTAMP
- GED_BRIDGE_IO_TARGET_FPS
- GED_BRIDGE_IO_GE_INFO
- GED_BRIDGE_IO_GPU_TUNER_STATUS
-};
 
 # Date : W16.42
 # Operation : Integration

non_plat/atci_service.te

@@ -84,7 +84,7 @@ allow atci_service vendor_shell_exec:file { read execute open execute_no_trans }
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow atci_service proc_ged:file {open read write ioctl getattr};
+allow atci_service proc_ged:file rw_file_perms;
 
 # Date : WK16.35
 # Operation : Migration

non_plat/atcid.te

@@ -30,7 +30,7 @@ allow atcid self:capability sys_time;
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow atcid proc_ged:file {open read write ioctl getattr};
+allow atcid proc_ged:file rw_file_perms;
 
 # Date : WK17.23
 # Stage: O Migration, SQC

non_plat/audioserver.te

@@ -46,8 +46,12 @@ allow audioserver fuse:file write;
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow audioserver proc_ged:file {open read write ioctl getattr};
+allow audioserver proc_ged:file rw_file_perms;
 
 # Date : WK16.48
 # Purpose: Allow to trigger AEE dump
 allow audioserver aee_aed:unix_stream_socket connectto;
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(audioserver, vendor_default_prop)

non_plat/bluetooth.te

@@ -19,3 +19,7 @@ set_prop(bluetooth, debug_prop)
 # Add dir create perms for bluetooth on /data/misc/bluetooth/logs
 allow bluetooth bluetooth_logs_data_file:dir { create_dir_perms relabelto };
 allow bluetooth bluetooth_logs_data_file:fifo_file { create_file_perms };
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(bluetooth, mtk_amslog_prop)

non_plat/bootanim.te

@@ -25,29 +25,7 @@ allow bootanim proc_perfmgr:file r_file_perms;
 # Date : WK19.11
 # Operation : Migration
 # Purpose : Allow to access ged for ioctl related functions
-allowxperm bootanim proc_ged:file ioctl {
+allowxperm bootanim proc_ged:file ioctl { proc_ged_ioctls };
-  GED_BRIDGE_IO_LOG_BUF_GET
-  GED_BRIDGE_IO_LOG_BUF_WRITE
-  GED_BRIDGE_IO_LOG_BUF_RESET
-  GED_BRIDGE_IO_BOOST_GPU_FREQ
-  GED_BRIDGE_IO_MONITOR_3D_FENCE
-  GED_BRIDGE_IO_QUERY_INFO
-  GED_BRIDGE_IO_NOTIFY_VSYNC
-  GED_BRIDGE_IO_DVFS_PROBE
-  GED_BRIDGE_IO_DVFS_UM_RETURN
-  GED_BRIDGE_IO_EVENT_NOTIFY
-  GED_BRIDGE_IO_WAIT_HW_VSYNC
-  GED_BRIDGE_IO_QUERY_TARGET_FPS
-  GED_BRIDGE_IO_VSYNC_WAIT
-  GED_BRIDGE_IO_GPU_HINT_TO_CPU
-  GED_BRIDGE_IO_GE_ALLOC
-  GED_BRIDGE_IO_GE_GET
-  GED_BRIDGE_IO_GE_SET
-  GED_BRIDGE_IO_GPU_TIMESTAMP
-  GED_BRIDGE_IO_TARGET_FPS
-  GED_BRIDGE_IO_GE_INFO
-  GED_BRIDGE_IO_GPU_TUNER_STATUS
-};
 allowxperm bootanim proc_perfmgr:file ioctl {
   PERFMGR_FPSGO_QUEUE
   PERFMGR_FPSGO_DEQUEUE

non_plat/cameraserver.te

@@ -295,10 +295,7 @@ allow cameraserver gpu_device:dir search;
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
 allow cameraserver proc_ged:file rw_file_perms;
-allowxperm cameraserver proc_ged:file ioctl {
+allowxperm cameraserver proc_ged:file ioctl { proc_ged_ioctls };
-  GED_BRIDGE_IO_GE_GET
-  GED_BRIDGE_IO_GPU_TIMESTAMP
-};
 
 # Date : WK16.33
 # Operation : Migration

non_plat/drmserver.te

@@ -4,4 +4,4 @@
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow drmserver proc_ged:file {open read write ioctl getattr};
+allow drmserver proc_ged:file rw_file_perms;

non_plat/hal_audio.te

@@ -0,0 +1,10 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+hal_attribute_hwservice(hal_audio, hal_audio_hwservice)

non_plat/hal_graphics_allocator.te

@@ -2,4 +2,4 @@
 # Operation : Add sepolicy
 # Purpose : Add policy for gralloc HIDL
 
-allow hal_graphics_allocator proc_ged:file { read ioctl open };
+allow hal_graphics_allocator proc_ged:file r_file_perms;

non_plat/hal_graphics_allocator_default.te

@@ -19,9 +19,5 @@ allow hal_graphics_allocator_default debugfs_tracing:file open;
 
 #============= hal_graphics_allocator_default ==============
 allow hal_graphics_allocator_default proc_ged:file r_file_perms;
-allowxperm hal_graphics_allocator_default proc_ged:file ioctl {
+allowxperm hal_graphics_allocator_default proc_ged:file ioctl { proc_ged_ioctls };
-GED_BRIDGE_IO_GE_ALLOC
-GED_BRIDGE_IO_GE_GET
-GED_BRIDGE_IO_GE_SET
-};
 

non_plat/hal_graphics_composer_default.te

@@ -7,7 +7,7 @@ allow hal_graphics_composer_default debugfs_ged:dir search;
 # Purpose : Add polivy for hwc HIDL
 
 allow hal_graphics_composer_default proc:file { read getattr open ioctl };
-allow hal_graphics_composer_default proc_ged:file { read ioctl open };
+allow hal_graphics_composer_default proc_ged:file r_file_perms;
 allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
 
 # Date : WK17.21
@@ -19,13 +19,8 @@ allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_mana
 # Purpose: GPU driver required
 allow hal_graphics_composer_default gpu_device:dir search;
 
-#============= hal_graphics_composer_default ==============
 allow hal_graphics_composer_default debugfs_ion:dir search;
-
-#============= hal_graphics_composer_default ==============
 allow hal_graphics_composer_default debugfs_tracing:file write;
-
-#============= hal_graphics_composer_default ==============
 allow hal_graphics_composer_default debugfs_tracing:file open;
 
 # Date : WK17.30
@@ -47,26 +42,10 @@ set_prop(hal_graphics_composer_default, graphics_hwc_latch_unsignaled_prop)
 
 # Date : WK18.03
 # Purpose: Allow to access property dev/mdp_sync
-#============= hal_graphics_composer_default ==============
 allow hal_graphics_composer_default mtk_mdp_device:chr_file { read write open ioctl };
-
 allow hal_graphics_composer_default mdp_device:chr_file rw_file_perms;
-
 allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;
-
+allowxperm hal_graphics_composer_default proc_ged:file ioctl { proc_ged_ioctls };
-allowxperm hal_graphics_composer_default proc_ged:file ioctl {
-GED_BRIDGE_IO_LOG_BUF_GET
-GED_BRIDGE_IO_GE_INFO
-GED_BRIDGE_IO_GE_GET
-GED_BRIDGE_IO_GE_SET
-GED_BRIDGE_IO_LOG_BUF_WRITE
-GED_BRIDGE_IO_GE_ALLOC
-GED_BRIDGE_IO_BOOST_GPU_FREQ
-GED_BRIDGE_IO_IOCTLCMD_0F
-GED_BRIDGE_IO_IOCTLCMD_10
-GED_BRIDGE_IO_MONITOR_3D_FENCE
-GED_BRIDGE_IO_QUERY_INFO
-};
 
 # Date: 2018/11/08
 # Operation : JPEG

non_plat/ioctl_defines

@@ -24,9 +24,6 @@ define(`GED_BRIDGE_IO_TARGET_FPS', `0x6768')
 define(`GED_BRIDGE_IO_GE_INFO', `0x6769')
 define(`GED_BRIDGE_IO_GPU_TUNER_STATUS', `0x676a')
 
-define(`GED_BRIDGE_IO_IOCTLCMD_0F', `0x670f')
-define(`GED_BRIDGE_IO_IOCTLCMD_10', `0x6710')
-
 #####################################
 # perf_ioctl.h : FPSGO
 #

non_plat/ioctl_macros

@@ -0,0 +1,24 @@
+# proc_ged ioctls
+define(`proc_ged_ioctls', `{
+  GED_BRIDGE_IO_LOG_BUF_GET
+  GED_BRIDGE_IO_LOG_BUF_WRITE
+  GED_BRIDGE_IO_LOG_BUF_RESET
+  GED_BRIDGE_IO_BOOST_GPU_FREQ
+  GED_BRIDGE_IO_MONITOR_3D_FENCE
+  GED_BRIDGE_IO_QUERY_INFO
+  GED_BRIDGE_IO_NOTIFY_VSYNC
+  GED_BRIDGE_IO_DVFS_PROBE
+  GED_BRIDGE_IO_DVFS_UM_RETURN
+  GED_BRIDGE_IO_EVENT_NOTIFY
+  GED_BRIDGE_IO_WAIT_HW_VSYNC
+  GED_BRIDGE_IO_QUERY_TARGET_FPS
+  GED_BRIDGE_IO_VSYNC_WAIT
+  GED_BRIDGE_IO_GPU_HINT_TO_CPU
+  GED_BRIDGE_IO_GE_ALLOC
+  GED_BRIDGE_IO_GE_GET
+  GED_BRIDGE_IO_GE_SET
+  GED_BRIDGE_IO_GPU_TIMESTAMP
+  GED_BRIDGE_IO_TARGET_FPS
+  GED_BRIDGE_IO_GE_INFO
+  GED_BRIDGE_IO_GPU_TUNER_STATUS
+}')

non_plat/mediacodec.te

@@ -89,8 +89,8 @@ allow mediacodec MtkCodecService:binder transfer;
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow mediacodec proc_ged:file {open read write ioctl getattr};
+allow mediacodec proc_ged:file rw_file_perms;
-allowxperm mediacodec proc_ged:file ioctl { GED_BRIDGE_IO_GE_GET GED_BRIDGE_IO_GE_SET };
+allowxperm mediacodec proc_ged:file ioctl { proc_ged_ioctls };
 
 # Data : WK16.42
 # Operator: Whitney bring up

non_plat/mediadrmserver.te

@@ -4,6 +4,6 @@
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow mediadrmserver proc_ged:file {open read write ioctl getattr};
+allow mediadrmserver proc_ged:file rw_file_perms;
 
 

non_plat/mediaextractor.te

@@ -4,7 +4,7 @@
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow mediaextractor proc_ged:file {open read write ioctl getattr};
+allow mediaextractor proc_ged:file rw_file_perms;
 
 #============= mediaextractor ==============
 allow mediaextractor vfat:file r_file_perms;

non_plat/mediaserver.te

@@ -261,7 +261,8 @@ allow mediaserver camera_rsc_device:chr_file rw_file_perms;
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow mediaserver proc_ged:file {open read write ioctl getattr};
+allow mediaserver proc_ged:file rw_file_perms;
+allowxperm mediaserver proc_ged:file ioctl { proc_ged_ioctls };
 
 # Date : WK16.33
 # Operation : N Migration
@@ -315,12 +316,12 @@ allow mediaserver camera_mfb_device:chr_file rw_file_perms;
 # Operation : MT6771 SQC
 # Purpose : Allow permgr access
 allow mediaserver proc_perfmgr:dir {read search};
-allow mediaserver proc_perfmgr:file {open read ioctl};
+allow mediaserver proc_perfmgr:file r_file_perms;
 allowxperm mediaserver proc_perfmgr:file ioctl {
-GED_BRIDGE_IO_BOOST_GPU_FREQ
+ PERFMGR_FPSGO_DEQUEUE
-GED_BRIDGE_IO_IOCTLCMD_0F
+ PERFMGR_FPSGO_QUEUE_CONNECT
-GED_BRIDGE_IO_LOG_BUF_WRITE
+ PERFMGR_FPSGO_QUEUE
-GED_BRIDGE_IO_IOCTLCMD_10
+ PERFMGR_FPSGO_BQID
 };
 
 # Date : WK18.18

non_plat/merged_hal_service.te

@@ -35,7 +35,7 @@ allow merged_hal_service mnld:unix_dgram_socket sendto;
 #graphics allocator permissions
 hal_server_domain(merged_hal_service, hal_graphics_allocator)
 allow merged_hal_service gpu_device:dir search;
-allow merged_hal_service sw_sync_device:chr_file { open read write getattr ioctl };
+allow merged_hal_service sw_sync_device:chr_file rw_file_perms;
 allow merged_hal_service debugfs_ion:dir search;
 allow merged_hal_service debugfs_tracing:file write;
 allow merged_hal_service debugfs_tracing:file open;
@@ -54,14 +54,14 @@ allow merged_hal_service debugfs_tracing:file write;
 
 #power permissions
 allow merged_hal_service proc:dir  {search getattr};
-allow merged_hal_service proc:file {getattr open read write ioctl};
+allow merged_hal_service proc:file rw_file_perms;
 allow merged_hal_service debugfs_ged:dir search;
 allow merged_hal_service debugfs_ged:file { getattr open read write };
 allow merged_hal_service proc_thermal:file { write open };
 allow merged_hal_service proc_thermal:dir search;
 allow merged_hal_service sysfs:file {open write read};
 allow merged_hal_service proc_perfmgr:dir search;
-allow merged_hal_service proc_perfmgr:file { getattr open read write ioctl };
+allow merged_hal_service proc_perfmgr:file rw_file_perms;
 allow merged_hal_service sdcard_type:dir create_dir_perms;
 allow merged_hal_service sdcard_type:file create_file_perms;
 allow merged_hal_service eemcs_device:chr_file rw_file_perms;
@@ -88,4 +88,8 @@ allow merged_hal_service proc_stat:file {open read getattr };
 
 # Date : WK19.11
 # Operation : Q Migration
-allowxperm merged_hal_service proc_ged:file ioctl {GED_BRIDGE_IO_GE_ALLOC GED_BRIDGE_IO_GE_GET};
+allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date: 2019/06/14
+# Operation : Migration
+allow merged_hal_service nvram_agent_binder_hwservice:hwservice_manager find;

non_plat/mtk_hal_audio.te

@@ -190,7 +190,7 @@ allow mtk_hal_audio sdcard_type:file { create_file_perms };
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow mtk_hal_audio proc_ged:file {open read write ioctl getattr};
+allow mtk_hal_audio proc_ged:file rw_file_perms;
 
 set_prop(mtk_hal_audio,hwservicemanager_prop);
 allow mtk_hal_audio storage_file:dir search;
@@ -224,3 +224,9 @@ allow mtk_hal_audio audio_scp_device:chr_file r_file_perms;
 # Operation: P migration
 # Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
 allow mtk_hal_audio mnt_vendor_file:dir search;
+
+# Date: 2019/06/14
+# Operation : Migration
+allow mtk_hal_audio audioserver:fifo_file w_file_perms;
+allow mtk_hal_audio sysfs_boot_mode:file r_file_perms;
+allow mtk_hal_audio sysfs_dt_firmware_android:dir search;

non_plat/mtk_hal_camera.te

@@ -249,13 +249,8 @@ allow mtk_hal_camera gpu_device:dir search;
 allow mtk_hal_camera gpu_device:chr_file rw_file_perms;
 
 ## Purpose: Allow to access ged for gralloc_extra functions
-allow mtk_hal_camera proc_ged:file {open read write ioctl getattr};
+allow mtk_hal_camera proc_ged:file rw_file_perms;
-allowxperm mtk_hal_camera proc_ged:file ioctl {
+allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls };
-    GED_BRIDGE_IO_GE_GET
-    GED_BRIDGE_IO_GE_SET
-    GED_BRIDGE_IO_LOG_BUF_GET
-    GED_BRIDGE_IO_QUERY_INFO
-};
 
 ################################################################################
 # Date : WK17
@@ -338,3 +333,7 @@ allow mtk_hal_camera proc_isp_p2:file {create_file_perms};
 
 # Purpose : AINR/Thermal Boost
 allow mtk_hal_camera system_data_file:dir { getattr };
+
+# Date: 2019/06/14
+# Operation : Migration
+allow mtk_hal_camera sysfs_dt_firmware_android:dir search;

non_plat/mtk_hal_gpu.te

@@ -42,34 +42,11 @@ allow mtk_hal_gpu property_socket:sock_file write;
 allow mtk_hal_gpu debugfs_ged:dir rw_dir_perms;
 allow mtk_hal_gpu debugfs_ged:file rw_file_perms;
 allow mtk_hal_gpu proc_ged:file rw_file_perms;
+allowxperm mtk_hal_gpu proc_ged:file ioctl { proc_ged_ioctls };
 
 allow mtk_hal_gpu hal_graphics_allocator_default:fd use;
 allow mtk_hal_gpu ion_device:chr_file r_file_perms;
 allow mtk_hal_gpu debugfs_ion:dir search;
 
-allowxperm mtk_hal_gpu proc_ged:file ioctl {
-	GED_BRIDGE_IO_LOG_BUF_GET
-	GED_BRIDGE_IO_LOG_BUF_WRITE
-	GED_BRIDGE_IO_LOG_BUF_RESET
-	GED_BRIDGE_IO_BOOST_GPU_FREQ
-	GED_BRIDGE_IO_MONITOR_3D_FENCE
-	GED_BRIDGE_IO_QUERY_INFO
-	GED_BRIDGE_IO_NOTIFY_VSYNC
-	GED_BRIDGE_IO_DVFS_PROBE
-	GED_BRIDGE_IO_DVFS_UM_RETURN
-	GED_BRIDGE_IO_EVENT_NOTIFY
-	GED_BRIDGE_IO_WAIT_HW_VSYNC
-	GED_BRIDGE_IO_QUERY_TARGET_FPS
-	GED_BRIDGE_IO_VSYNC_WAIT
-	GED_BRIDGE_IO_GPU_HINT_TO_CPU
-	GED_BRIDGE_IO_GE_ALLOC
-	GED_BRIDGE_IO_GE_GET
-	GED_BRIDGE_IO_GE_SET
-	GED_BRIDGE_IO_GPU_TIMESTAMP
-	GED_BRIDGE_IO_TARGET_FPS
-	GED_BRIDGE_IO_GE_INFO
-	GED_BRIDGE_IO_GPU_TUNER_STATUS
-};
-
 allow mtk_hal_gpu merged_hal_service:fd use;
 

non_plat/mtkbootanimation.te

@@ -14,7 +14,7 @@ allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms;
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow mtkbootanimation proc_ged:file {open read write ioctl getattr};
+allow mtkbootanimation proc_ged:file rw_file_perms;
 
 # ==============================================
 # Type Declaration for secmem

non_plat/platform_app.te

@@ -108,3 +108,8 @@ get_prop(platform_app, vendor_connsysfw_prop)
 # Purpose : JPEG need to use PQ via MMS HIDL
 allow platform_app mtk_hal_mms_hwservice:hwservice_manager find;
 allow platform_app mtk_hal_mms:binder call;
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : platform_app need get mtk_amslog_prop
+get_prop(platform_app, mtk_amslog_prop)

non_plat/rild.te

@@ -146,3 +146,7 @@ set_prop(rild, mtk_ss_vendor_prop)
 # Date : 2018/2/27
 # Purpose : for NVRAM recovery mechanism
 set_prop(rild,powerctl_prop);
+
+# Date: 2019/06/14
+# Operation : Migration
+allow rild proc_cmdline:file r_file_perms;

non_plat/shared_relro.te

@@ -0,0 +1,7 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(shared_relro, mtk_amslog_prop)

non_plat/surfaceflinger.te

@@ -11,6 +11,7 @@ allow surfaceflinger debug_prop:property_service set;
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
 allow surfaceflinger proc_ged:file rw_file_perms;
+allowxperm surfaceflinger proc_ged:file ioctl { proc_ged_ioctls };
 
 # Date : W16.42
 # Operation : Integration
@@ -67,33 +68,6 @@ allow surfaceflinger hal_graphics_composer_default:lnk_file read;
 # Purpose: Allow to dump buffer queue
 get_prop(surfaceflinger, debug_bq_dump_prop)
 
-allowxperm surfaceflinger proc_perfmgr:file ioctl {GED_BRIDGE_IO_LOG_BUF_GET GED_BRIDGE_IO_BOOST_GPU_FREQ GED_BRIDGE_IO_QUERY_INFO};
-allowxperm surfaceflinger proc_ged:file ioctl {
-  GED_BRIDGE_IO_LOG_BUF_GET
-  GED_BRIDGE_IO_BOOST_GPU_FREQ
-  GED_BRIDGE_IO_QUERY_INFO
-  GED_BRIDGE_IO_GE_GET
-  GED_BRIDGE_IO_LOG_BUF_WRITE
-  GED_BRIDGE_IO_GE_SET
-  GED_BRIDGE_IO_GE_ALLOC
-  GED_BRIDGE_IO_GE_INFO
-  GED_BRIDGE_IO_IOCTLCMD_0F
-  GED_BRIDGE_IO_IOCTLCMD_10
-  GED_BRIDGE_IO_MONITOR_3D_FENCE
-  GED_BRIDGE_IO_NOTIFY_VSYNC
-  GED_BRIDGE_IO_DVFS_PROBE
-  GED_BRIDGE_IO_DVFS_UM_RETURN
-  GED_BRIDGE_IO_EVENT_NOTIFY
-  GED_BRIDGE_IO_WAIT_HW_VSYNC
-  GED_BRIDGE_IO_QUERY_TARGET_FPS
-  GED_BRIDGE_IO_VSYNC_WAIT
-  GED_BRIDGE_IO_GPU_HINT_TO_CPU
-  GED_BRIDGE_IO_LOG_BUF_RESET
-  GED_BRIDGE_IO_GPU_TIMESTAMP
-  GED_BRIDGE_IO_TARGET_FPS
-  GED_BRIDGE_IO_GPU_TUNER_STATUS
-};
-
 # Date : WK19.4
 # Operation : P Migration
 # Purpose: Allow to access /dev/mdp_device driver

non_plat/system_app.te

@@ -34,3 +34,9 @@ allow system_app aee_exp_data_file:dir r_dir_perms;
 # Purpose : JPEG need to use PQ via MMS HIDL
 allow system_app mtk_hal_mms_hwservice:hwservice_manager find;
 allow system_app mtk_hal_mms:binder call;
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : system_app need get mtk_amslog_prop
+get_prop(system_app, mtk_amslog_prop)
+get_prop(system_app, vendor_default_prop)

non_plat/system_server.te

@@ -202,26 +202,8 @@ allow system_server alarm_device:chr_file rw_file_perms;
 # Operation: Q migration
 # Purpose : Allow system_server to use ioctl/ioctlcmd
 allow system_server proc_ged:file rw_file_perms;
-allowxperm system_server proc_ged:file ioctl {
+allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };
-  GED_BRIDGE_IO_LOG_BUF_GET
+
-  GED_BRIDGE_IO_LOG_BUF_WRITE
+# Date: 2019/06/14
-  GED_BRIDGE_IO_LOG_BUF_RESET
+# Operation : Migration
-  GED_BRIDGE_IO_BOOST_GPU_FREQ
+get_prop(system_server, vendor_default_prop)
-  GED_BRIDGE_IO_MONITOR_3D_FENCE
-  GED_BRIDGE_IO_QUERY_INFO
-  GED_BRIDGE_IO_NOTIFY_VSYNC
-  GED_BRIDGE_IO_DVFS_PROBE
-  GED_BRIDGE_IO_DVFS_UM_RETURN
-  GED_BRIDGE_IO_EVENT_NOTIFY
-  GED_BRIDGE_IO_WAIT_HW_VSYNC
-  GED_BRIDGE_IO_QUERY_TARGET_FPS
-  GED_BRIDGE_IO_VSYNC_WAIT
-  GED_BRIDGE_IO_GPU_HINT_TO_CPU
-  GED_BRIDGE_IO_GE_ALLOC
-  GED_BRIDGE_IO_GE_GET
-  GED_BRIDGE_IO_GE_SET
-  GED_BRIDGE_IO_GPU_TIMESTAMP
-  GED_BRIDGE_IO_TARGET_FPS
-  GED_BRIDGE_IO_GE_INFO
-  GED_BRIDGE_IO_GPU_TUNER_STATUS
-  };

non_plat/thermalindicator.te

@@ -1,3 +1,3 @@
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow thermalindicator proc_ged:file {open read write ioctl getattr};
+allow thermalindicator proc_ged:file rw_file_perms;

non_plat/ueventd.te

@@ -7,4 +7,8 @@ allow ueventd proc_net:file r_file_perms;
 # Purpose : Add for A/B system
 allow ueventd device:chr_file { relabelfrom relabelto };
 allow ueventd m_acc_misc_device:chr_file { relabelfrom relabelto };
-allow ueventd m_mag_misc_device:chr_file { relabelfrom relabelto };
+allow ueventd m_mag_misc_device:chr_file { relabelfrom relabelto };
+
+# Date: 2019/06/14
+# Operation : Migration
+allow ueventd tmpfs:lnk_file r_file_perms;

non_plat/wmt_loader.te

@@ -26,3 +26,7 @@ allow wmt_loader stpwmt_device:chr_file rw_file_perms;
 allow wmt_loader devpts:chr_file rwx_file_perms;
 
 allow wmt_loader proc:file setattr;
+
+# Date: 2019/06/14
+# Operation : Migration
+allow wmt_loader proc_wmtdbg:file setattr;

non_plat/workaround.te

@@ -1,51 +0,0 @@
-
-
-#============= aee_core_forwarder ==============
-allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
-allow aee_core_forwarder aee_core_data_file:dir read;
-allow aee_core_forwarder hwservicemanager:binder { call transfer };
-
-#============= audioserver ==============
-allow audioserver vendor_default_prop:file read;
-
-#============= bluetooth ==============
-allow bluetooth mtk_amslog_prop:file read;
-
-#============= merged_hal_service ==============
-allow merged_hal_service nvram_agent_binder_hwservice:hwservice_manager find;
-
-#============= mtk_hal_audio ==============
-allow mtk_hal_audio audioserver:fifo_file write;
-allow mtk_hal_audio sysfs_boot_mode:file read;
-allow mtk_hal_audio sysfs_dt_firmware_android:dir search;
-
-#============= mtk_hal_camera ==============
-allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
-
-#============= platform_app ==============
-allow platform_app mtk_amslog_prop:file read;
-
-#============= rild ==============
-allow rild proc_cmdline:file read;
-
-#============= shared_relro ==============
-allow shared_relro mtk_amslog_prop:file read;
-
-#============= system_server ==============
-allow system_server vendor_default_prop:file read;
-
-#============= ueventd ==============
-allow ueventd tmpfs:lnk_file read;
-
-#============= wmt_loader ==============
-allow wmt_loader proc_wmtdbg:file setattr;
-
-# interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice
-allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
-allow hal_audio_server hal_audio_hwservice:hwservice_manager find;
-allow hal_audio hal_audio_hwservice:hwservice_manager find;
-
-
-# interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
-allow aee_core_forwarder system_suspend_hwservice:hwservice_manager find;
-allow hwservicemanager aee_core_forwarder:binder transfer;

non_plat/zygote.te

@@ -4,7 +4,7 @@
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow zygote proc_ged:file {open read write ioctl getattr};
+allow zygote proc_ged:file rw_file_perms;
 
 # Date : WK17.02
 # Purpose: Allow to access gpu for memtrack functions