[ALPS03982747] Remove unused sepolicy rules
Some rules are no longer needed, so remove them. MTK-Commit-Id: 49685f1299d990a7195a2d54b955517d8f2cc699 Change-Id: I4a590ad781589cf94989ce72c88751ac10b82eae CR-Id: ALPS03982747 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
parent
57ee420c72
commit
722798a334
@ -7,17 +7,3 @@
|
||||
type MtkCodecService_exec , exec_type, file_type, vendor_file_type;
|
||||
type MtkCodecService ,domain;
|
||||
|
||||
|
||||
# ==============================================
|
||||
# MTK Policy Rule
|
||||
# ==============================================
|
||||
|
||||
# Date : WK16.12
|
||||
# Operation : Migration
|
||||
# Purpose : Do APE decode operation and exchange data with mediaserver.
|
||||
#binder_use(MtkCodecService)
|
||||
#init_daemon_domain(MtkCodecService)
|
||||
#binder_call(MtkCodecService,mediaserver)
|
||||
#allow MtkCodecService mtk_codec_service_service:service_manager add;
|
||||
#allow MtkCodecService self:capability{setuid sys_nice};
|
||||
#allow MtkCodecService dumpstate:fd use;
|
||||
|
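Review bot: Removing `#init_daemon_domain(MtkCodecService)` together with every other rule leaves `type MtkCodecService ,domain;` and `type MtkCodecService_exec , exec_type, file_type, vendor_file_type;` as a domain that, as far as the visible lines show, nothing can transition into, while `binder_call(mediaserver,MtkCodecService)` in the mediaserver section further down and the `binder_call(cameraserver,MtkCodecService)` hunk context in cameraserver still reference it. If the APE codec service binary is no longer shipped, the two type declarations and those binder_call macros should go in the same change; if it is still shipped, a file labeled MtkCodecService_exec can now only be executed without a domain transition, and the retained declarations deserve a comment such as `# MtkCodecService is retained only as a binder target; no process enters this domain`. The hunk counts (17 old, 3 new) also suggest more than the commented lines changed here, but the rendered page has lost the +/- markers so I cannot confirm which lines are new.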
@ -22,7 +22,6 @@ allow aee_aedv block_device:dir search;
|
||||
allow aee_aedv mtd_device:dir create_dir_perms;
|
||||
allow aee_aedv mtd_device:chr_file rw_file_perms;
|
||||
|
||||
#allow aee_aedv userdata_block_device:blk_file create_file_perms; # neverallow
|
||||
# NE flow: /dev/RT_Monitor
|
||||
allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
|
||||
|
||||
@ -30,10 +29,6 @@ allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
|
||||
allow aee_aedv sdcard_type:dir create_dir_perms;
|
||||
allow aee_aedv sdcard_type:file create_file_perms;
|
||||
|
||||
#data/anr
|
||||
#allow aee_aedv anr_data_file:dir create_dir_perms;
|
||||
#allow aee_aedv anr_data_file:file create_file_perms;
|
||||
|
||||
#data/aee_exp
|
||||
allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
|
||||
allow aee_aedv aee_exp_vendor_file:file create_file_perms;
|
||||
@ -56,16 +51,10 @@ allow aee_aedv domain:lnk_file getattr;
|
||||
#core-pattern
|
||||
allow aee_aedv usermodehelper:file r_file_perms;
|
||||
|
||||
#suid_dumpable
|
||||
# allow aee_aedv proc_security:file r_file_perms; neverallow
|
||||
|
||||
#property
|
||||
allow aee_aedv init:unix_stream_socket connectto;
|
||||
allow aee_aedv property_socket:sock_file write;
|
||||
|
||||
#allow aee_aedv call binaries labeled "system_file" under /system/bin/
|
||||
# allow aee_aedv system_file:file execute_no_trans;
|
||||
|
||||
allow aee_aedv init:process getsched;
|
||||
allow aee_aedv kernel:process getsched;
|
||||
|
||||
@ -74,23 +63,11 @@ allow aee_aedv kernel:process getsched;
|
||||
# Purpose: For pagemap & pageflags information in NE DB
|
||||
userdebug_or_eng(`allow aee_aedv self:capability sys_admin;')
|
||||
|
||||
# Date: W16.17
|
||||
# Operation: N0 Migeration
|
||||
# Purpose: creat dir "aee_exp" under /data
|
||||
#allow aee_aedv system_data_file:dir { write create add_name };
|
||||
|
||||
# Purpose: aee_aedv set property
|
||||
set_prop(aee_aedv, persist_mtk_aee_prop);
|
||||
set_prop(aee_aedv, persist_aee_prop);
|
||||
set_prop(aee_aedv, debug_mtk_aee_prop);
|
||||
|
||||
# Purpose: allow aee_aedv to access toolbox
|
||||
# allow aee_aedv toolbox_exec:file { execute execute_no_trans };
|
||||
|
||||
# purpose: allow aee_aedv to access storage on N version
|
||||
#allow aee_aedv media_rw_data_file:file { create_file_perms };
|
||||
#allow aee_aedv media_rw_data_file:dir { create_dir_perms };
|
||||
|
||||
# Purpose: mnt/user/*
|
||||
allow aee_aedv mnt_user_file:dir search;
|
||||
allow aee_aedv mnt_user_file:lnk_file read;
|
||||
@ -98,15 +75,6 @@ allow aee_aedv mnt_user_file:lnk_file read;
|
||||
allow aee_aedv storage_file:dir search;
|
||||
allow aee_aedv storage_file:lnk_file read;
|
||||
|
||||
# Date : WK17.09
|
||||
# Operation : AEE UT for Android O
|
||||
# Purpose : for AEE module to dump files
|
||||
# domain_auto_trans(aee_aedv, dumpstate_exec, dumpstate)
|
||||
|
||||
# Purpose : aee_aedv communicate with aee_core_forwarder
|
||||
# allow aee_aedv aee_core_forwarder:dir search;
|
||||
# allow aee_aedv aee_core_forwarder:file { read getattr open };
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow aee_aedv su:dir {search read open };
|
||||
allow aee_aedv su:file { read getattr open };
|
||||
@ -117,7 +85,7 @@ allow aee_aedv aee_tombstone_data_file:dir w_dir_perms;
|
||||
allow aee_aedv aee_tombstone_data_file:file create_file_perms;
|
||||
|
||||
# /proc/pid/
|
||||
#allow aee_aedv self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module};
|
||||
allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};
|
||||
|
||||
# PROCESS_FILE_STATE
|
||||
allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
|
||||
@ -127,7 +95,6 @@ allow aee_aedv dumpstate:file r_file_perms;
|
||||
allow aee_aedv proc:file rw_file_perms;
|
||||
allow aee_aedv logdr_socket:sock_file write;
|
||||
allow aee_aedv logd:unix_stream_socket connectto;
|
||||
# allow aee_aedv system_ndebug_socket:sock_file write; mask for never allow rule
|
||||
|
||||
# vibrator
|
||||
allow aee_aedv sysfs_vibrator:file w_file_perms;
|
||||
@ -146,7 +113,6 @@ allow aee_aedv {
|
||||
-keystore
|
||||
-init
|
||||
}:process ptrace;
|
||||
#allow aee_aedv dalvikcache_data_file:dir r_dir_perms;
|
||||
allow aee_aedv zygote_exec:file r_file_perms;
|
||||
allow aee_aedv init_exec:file r_file_perms;
|
||||
|
||||
@ -270,9 +236,6 @@ allow aee_aedv sysfs_leds:file r_file_perms;
|
||||
allow aee_aedv sysfs_ccci:dir search;
|
||||
allow aee_aedv sysfs_ccci:file r_file_perms;
|
||||
|
||||
#allow aee_aedv system_data_file:dir getattr;
|
||||
#allow aee_aedv system_data_file:file open;
|
||||
|
||||
# Purpose:
|
||||
# 01-01 00:03:44.330 3658 3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied
|
||||
# { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r:
|
||||
|
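Review bot: The surviving `allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};` at `@ -117,7 +85,7 @@` is left with no comment explaining why sys_module and net_admin are required, now that the commented variant listing dac_override above it is removed; the 7/7 hunk counts say one line replaced another, but the page has lost the +/- markers so I cannot tell which of the two is the new side. The same shape appears in biosensord_nvram (`{ chown fsetid }`), emdlogger (`{ chown }`), factory (the sys_module/ipc_lock set), fuelgauged (`{ chown fsetid }`) and fuelgauged_nvram (`{ chown }`): a commented-out set containing dac_override or dac_read_search disappears and a narrower active set remains. Dropping those two capabilities is the right direction, but if the active lines are the added side then this commit grants capabilities rather than only removing rules, which the title does not say; state that in the commit message and put a one-line purpose comment above each, e.g. `# Purpose: <reason these capabilities are needed>; dac_override intentionally not granted`.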
@ -38,7 +38,6 @@ allow audioserver tmpfs:dir search;
|
||||
# Date : WK16.18
|
||||
# Operation : Migration
|
||||
# Purpose: access sysfs node
|
||||
#allow audioserver sysfs:file { open read write };
|
||||
allow audioserver sysfs_ccci:dir search;
|
||||
|
||||
# Purpose: Dump debug info
|
||||
|
@ -1,7 +0,0 @@
|
||||
# ==============================================
|
||||
# MTK Policy Rule
|
||||
# ============
|
||||
|
||||
# Date : WK16.33
|
||||
# Purpose: Allow to access ged for gralloc_extra functions
|
||||
#allow autoplay_app proc_ged:file {open read write ioctl getattr};
|
@ -29,5 +29,5 @@ allow biosensord_nvram nvdata_file:dir rw_dir_perms;
|
||||
allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms};
|
||||
allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
|
||||
allow biosensord_nvram biometric_device:chr_file { open ioctl read write };
|
||||
#allow biosensord_nvram self:capability { dac_read_search chown fsetid dac_override };
|
||||
allow biosensord_nvram self:capability { chown fsetid };
|
||||
allow biosensord_nvram system_data_file:lnk_file read;
|
||||
|
@ -42,16 +42,8 @@ allow cameraserver MTK_SMI_device:chr_file r_file_perms;
|
||||
allow cameraserver camera_pipemgr_device:chr_file r_file_perms;
|
||||
allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
|
||||
allow cameraserver lens_device:chr_file rw_file_perms;
|
||||
allow cameraserver nvdata_file:dir { write search add_name };
|
||||
allow cameraserver nvdata_file:file { read write getattr setattr open create };
|
||||
allow cameraserver nvram_data_file:dir search;
|
||||
allow cameraserver nvram_data_file:dir w_dir_perms;
|
||||
allow cameraserver nvram_data_file:file create_file_perms;
|
||||
allow cameraserver nvram_data_file:lnk_file read;
|
||||
allow cameraserver nvdata_file:lnk_file read;
|
||||
#allow cameraserver proc:file { read ioctl open };
|
||||
allow cameraserver proc_meminfo:file { read getattr open };
|
||||
#allow cameraserver sysfs:file { read write open };
|
||||
|
||||
# Date : WK14.34
|
||||
# Operation : Migration
|
||||
@ -90,13 +82,6 @@ allow cameraserver camera_sysram_device:chr_file r_file_perms;
|
||||
# Purpose : VDEC/VENC device node
|
||||
allow cameraserver Vcodec_device:chr_file rw_file_perms;
|
||||
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : MMProfile debug
|
||||
# userdebug_or_eng(`
|
||||
#allow cameraserver debugfs:file {read ioctl getattr search};
|
||||
# ')
|
||||
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : access nvram, otp, ccci cdoec devices.
|
||||
@ -111,7 +96,6 @@ allow cameraserver bootdevice_block_device:blk_file rw_file_perms;
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : for SW codec VP/VR
|
||||
#allow cameraserver mtk_device:chr_file { read write ioctl open };
|
||||
allow cameraserver mtk_sched_device:chr_file rw_file_perms;
|
||||
|
||||
# Date : WK14.38
|
||||
@ -167,8 +151,6 @@ binder_call(cameraserver,MtkCodecService)
|
||||
# Data : WK14.39
|
||||
# Operation : Migration
|
||||
# Purpose : HW encrypt SW codec
|
||||
allow cameraserver mediaserver_data_file:file create_file_perms;
|
||||
allow cameraserver mediaserver_data_file:dir create_dir_perms;
|
||||
allow cameraserver sec_device:chr_file r_file_perms;
|
||||
|
||||
# Date : WK14.40
|
||||
@ -225,8 +207,6 @@ allow cameraserver sysfs_lowmemorykiller:file { read open };
|
||||
allow cameraserver proc_mtkcooler:dir search;
|
||||
allow cameraserver proc_mtktz:dir search;
|
||||
allow cameraserver proc_thermal:dir search;
|
||||
allow cameraserver thermal_manager_data_file:file create_file_perms;
|
||||
allow cameraserver thermal_manager_data_file:dir { rw_dir_perms setattr };
|
||||
|
||||
# Date : WK14.46
|
||||
# Operation : Migration
|
||||
@ -277,11 +257,6 @@ allow cameraserver mnt_user_file:lnk_file {read write};
|
||||
# Purpose: Allow cameraserver to read binder from surfaceflinger
|
||||
allow cameraserver surfaceflinger:fifo_file {read write};
|
||||
|
||||
# Date : WK15.45
|
||||
# Purpose : camera read/write /nvcfg/camera data
|
||||
allow cameraserver nvcfg_file:dir create_dir_perms;
|
||||
allow cameraserver nvcfg_file:file create_file_perms;
|
||||
|
||||
# Date : WK15.46
|
||||
# Operation : Migration
|
||||
# Purpose : DPE Driver
|
||||
@ -349,7 +324,6 @@ allow cameraserver aee_aed:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# Purpose: Allow to access debugfs_ion dir.
|
||||
#allow cameraserver debugfs_ion:dir search;
|
||||
allow cameraserver system_data_file:lnk_file read;
|
||||
|
||||
# Date : WK17.19
|
||||
@ -359,9 +333,6 @@ allow cameraserver camera_owe_device:chr_file rw_file_perms;
|
||||
|
||||
# Date : WK17.25
|
||||
# Operation : Migration
|
||||
#allow cameraserver debugfs_tracing:file { write open };
|
||||
allow cameraserver nvram_data_file:dir { add_name write create};
|
||||
allow cameraserver nvram_data_file:file { write getattr setattr read create open };
|
||||
allow cameraserver debugfs_ion:dir search;
|
||||
|
||||
# Date : WK17.30
|
||||
|
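Review bot: At `@ -42,16 +42,8 @@` only two commented lines (`#allow cameraserver proc:file { read ioctl open };` and `#allow cameraserver sysfs:file { read write open };`) are visible, yet the counts say eight lines were dropped with none added, so roughly six active allow rules over nvdata_file/nvram_data_file disappear here; the rendered page has lost the markers so I cannot tell which ones. That is more than the title "Remove unused sepolicy rules" conveys; list the removed active rules in the commit message and record how they were confirmed unused (for example, no avc denials for cameraserver on those types across a boot and a camera session), so a later denial can be traced back to this change. The same applies to `@ -359,9 +333,6 @@`, where only `#allow cameraserver debugfs_tracing:file { write open };` is commented but three lines are removed.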
@ -18,9 +18,6 @@ allow cmddumper debug_prop:property_service set;
|
||||
allow cmddumper media_rw_data_file:file { create_file_perms };
|
||||
allow cmddumper media_rw_data_file:dir { create_dir_perms };
|
||||
|
||||
# purpose: access vmodem device
|
||||
#allow cmddumper vmodem_device:chr_file { create_file_perms };
|
||||
|
||||
# purpose: access plat_file_contexts
|
||||
allow cmddumper file_contexts_file:file { read getattr open };
|
||||
|
||||
|
@ -41,8 +41,6 @@ allow connsyslogger vfat:file create_file_perms;
|
||||
allow connsyslogger mnt_user_file:dir search;
|
||||
allow connsyslogger mnt_user_file:lnk_file read;
|
||||
allow connsyslogger storage_file:lnk_file read;
|
||||
#allow connsyslogger self:capability { chown dac_override };
|
||||
#allow connsyslogger proc:file {setattr write read open};
|
||||
|
||||
#permission for use SELinux API
|
||||
allow connsyslogger rootfs:file r_file_perms;
|
||||
|
@ -69,7 +69,6 @@ allow dumpstate aee_aed:unix_stream_socket { read write ioctl };
|
||||
# allow dumpstate config_gz:file read;
|
||||
|
||||
allow dumpstate sysfs_leds:dir r_dir_perms;
|
||||
#allow dumpstate sysfs_leds:file r_file_perms;
|
||||
|
||||
# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
|
||||
# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
|
||||
|
@ -23,8 +23,6 @@ allow em_svr proc_battery_cmd:file { create write open };
|
||||
|
||||
# Date: WK1812
|
||||
# Purpose: add for light/proximity sensor
|
||||
#allow em_svr nvdata_file:dir { write open search read add_name };
|
||||
#allow em_svr nvdata_file:file { getattr read write create open setattr };
|
||||
allow em_svr nvram_device:blk_file { open read write };
|
||||
|
||||
# Date: WK1812
|
||||
|
@ -1,5 +1,4 @@
|
||||
#allow emdlogger to set property
|
||||
#allow emdlogger debug_mdlogger_prop:property_service set;
|
||||
allow emdlogger debug_prop:property_service set;
|
||||
allow emdlogger persist_mtklog_prop:property_service set;
|
||||
allow emdlogger system_radio_prop:property_service set;
|
||||
@ -37,7 +36,6 @@ allow emdlogger vfat:dir create_dir_perms;
|
||||
allow emdlogger vfat:file create_file_perms;
|
||||
|
||||
#modem logger permission in storage in android M version
|
||||
#allow emdlogger log_device:chr_file { write open };
|
||||
allow emdlogger mnt_user_file:dir search;
|
||||
allow emdlogger mnt_user_file:lnk_file read;
|
||||
allow emdlogger storage_file:lnk_file read;
|
||||
@ -94,7 +92,7 @@ allow emdlogger file_contexts_file:file { read getattr open };
|
||||
|
||||
allow emdlogger block_device:dir search;
|
||||
allow emdlogger md_block_device:blk_file { read open };
|
||||
#allow emdlogger self:capability { chown dac_override };
|
||||
allow emdlogger self:capability { chown };
|
||||
|
||||
|
||||
# purpose: allow emdlogger to access persist.meta.connecttype
|
||||
|
@ -65,11 +65,8 @@ allow factory proc_mrdump_rst:file w_file_perms;
|
||||
#Date: WK15.31
|
||||
#Purpose: define factory_data_file instead of system_data_file
|
||||
# because system_data_file is sensitive partition from M
|
||||
#allow factory self:capability2 block_suspend;
|
||||
wakelock_use(factory);
|
||||
allow factory storage_file:dir { write create add_name search mounton };
|
||||
#allow factory factory_data_file:file create_file_perms;
|
||||
#allow factory shell_exec:file r_file_perms;
|
||||
|
||||
# Date: WK15.44
|
||||
# Purpose: factory idle current status
|
||||
@ -78,15 +75,9 @@ allow factory vendor_factory_idle_state_prop:property_service set;
|
||||
# Date: WK15.46
|
||||
# Purpose: gps factory mode
|
||||
allow factory agpsd_data_file:dir search;
|
||||
#allow factory apk_data_file:dir write;
|
||||
#allow factory gps_data_file:dir r_dir_perms;
|
||||
#allow factory gps_data_file:dir { write open };
|
||||
#allow factory gps_data_file:file { read write };
|
||||
allow factory gps_data_file:dir { write add_name search remove_name unlink};
|
||||
allow factory gps_data_file:file { read write open create getattr append setattr unlink lock};
|
||||
allow factory gps_data_file:lnk_file read;
|
||||
# allow factory gps_emi_device:chr_file { read write };
|
||||
#allow factory shell_exec:file x_file_perms;
|
||||
allow factory storage_file:lnk_file r_file_perms;
|
||||
|
||||
#Date: WK15.48
|
||||
@ -108,8 +99,6 @@ allow factory nvdata_file:lnk_file r_file_perms;
|
||||
allow factory nvram_device:chr_file rw_file_perms;
|
||||
allow factory nvram_device:blk_file rw_file_perms;
|
||||
allow factory nvdata_device:blk_file rw_file_perms;
|
||||
# Purpose : Allow factory read /data/nvram link
|
||||
#allow factory system_data_file:lnk_file read;
|
||||
|
||||
#Date: WK16.12
|
||||
#Purpose: For sensor test
|
||||
@ -215,9 +204,6 @@ allow factory audiohal_prop:property_service set;
|
||||
allow factory input_device:chr_file r_file_perms;
|
||||
allow factory input_device:dir rw_dir_perms;
|
||||
|
||||
#Purpose: For gps test
|
||||
#allow factory gps_device:chr_file rw_file_perms;
|
||||
|
||||
# Date: WK16.17
|
||||
# Purpose: N Migration For ccci sysfs node
|
||||
# Allow read to sys/kernel/ccci/* files
|
||||
@ -233,10 +219,6 @@ allow factory sysfs_ccci:file r_file_perms;
|
||||
allow factory sysfs_boot_mode:file { read open };
|
||||
allow factory sysfs_boot_type:file { read open };
|
||||
|
||||
# Date: WK16.30
|
||||
#Purpose: For gps test
|
||||
#allow factory media_rw_data_file:dir search;
|
||||
#allow factory gps_data_file:dir add_name;
|
||||
#TODO:: MTK need to remove later
|
||||
not_full_treble(`
|
||||
allow factory mnld:unix_dgram_socket sendto;
|
||||
@ -245,13 +227,10 @@ not_full_treble(`
|
||||
# Date: WK16.31
|
||||
#Purpose: For gps test
|
||||
allow factory mnld_prop:property_service set;
|
||||
#allow factory media_rw_data_file:dir { read open };
|
||||
#allow factory gps_data_file:file create_file_perms;
|
||||
|
||||
# Date: WK16.33
|
||||
#Purpose: for unmount sdcardfs and stop services which are using data partition
|
||||
allow factory sdcard_type:filesystem unmount;
|
||||
#allow factory toolbox_exec:file { read open getattr execute execute_no_trans };
|
||||
allow factory ctl_default_prop:property_service set;
|
||||
|
||||
# Date : WK16.35
|
||||
@ -272,16 +251,12 @@ allow factory sysfs_leds:lnk_file read;
|
||||
allow factory sysfs_vibrator:file {open read write};
|
||||
allow factory ion_device:chr_file { read open ioctl };
|
||||
allow factory debugfs_ion:dir search;
|
||||
#allow factory proc:file ioctl;
|
||||
# Date: WK17.27
|
||||
# Purpose: STMicro NFC solution integration
|
||||
allow factory st21nfc_device:chr_file { open read getattr write ioctl };
|
||||
#allow factory nfc_socket:dir search;
|
||||
#allow factory vendor_file:file { getattr execute execute_no_trans read open };
|
||||
set_prop(factory,hwservicemanager_prop);
|
||||
hwbinder_use(factory);
|
||||
hal_client_domain(factory, hal_nfc);
|
||||
#allow factory debugfs_tracing:file { open write };
|
||||
|
||||
# Date : WK17.32
|
||||
# Operation : O Migration
|
||||
@ -314,10 +289,8 @@ allow factory kernel:system module_request;
|
||||
allow factory node:tcp_socket node_bind;
|
||||
allow factory userdata_block_device:blk_file rw_file_perms;
|
||||
allow factory port:tcp_socket { name_bind name_connect };
|
||||
#allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time sys_boot sys_admin };
|
||||
allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin };
|
||||
allow factory sdcard_type:dir r_dir_perms;
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow factory self:netlink_route_socket create_socket_perms;
|
||||
allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
|
||||
allow factory proc_net:file { read getattr open };
|
||||
allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
|
||||
@ -328,8 +301,6 @@ allow factory self:tcp_socket create_stream_socket_perms;
|
||||
allow factory self:udp_socket create_socket_perms;
|
||||
|
||||
allow factory sysfs_wake_lock:file rw_file_perms;
|
||||
##allow factory system_data_file:dir w_dir_perms;
|
||||
##allow factory system_data_file:sock_file create_file_perms;
|
||||
allow factory system_file:file x_file_perms;
|
||||
|
||||
# For Light HIDL permission
|
||||
|
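Review bot: At `@ -314,10 +289,8 @@` the marker `### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te` is deleted while the rules it tracked, `allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };` and `allowxperm factory self:udp_socket ioctl priv_sock_ioctls;`, remain, so the open question is now undocumented. The line-number reference was going to rot anyway; replace it with a durable note rather than dropping it, e.g. `# TODO: re-check against the ioctl neverallowxperm in system/sepolicy/public/domain.te`. The matching marker removed in fuelgauged is a different case: its surviving rule uses `create_socket_perms_no_ioctl`, so there the deletion looks justified.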
@ -41,37 +41,12 @@ allow fuelgauged kmsg_device:chr_file w_file_perms;
|
||||
# Data : WK14.43
|
||||
# Operation : Migration
|
||||
# Purpose : For fg daemon can comminucate with kernel
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.t
|
||||
#allow fuelgauged fuelgauged:netlink_kobject_uevent_socket create_socket_perms;
|
||||
#allow fuelgauged fuelgauged:netlink_socket create_socket_perms;
|
||||
allow fuelgauged self:netlink_socket create;
|
||||
allow fuelgauged self:netlink_socket create_socket_perms_no_ioctl;
|
||||
allow fuelgauged self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
|
||||
|
||||
# Data : WK16.21
|
||||
# Operation : New Feature
|
||||
# Purpose : For fg daemon can access /data/FG folder
|
||||
#file_type_auto_trans(fuelgauged, system_data_file, fuelgauged_file);
|
||||
#allow fuelgauged fuelgauged_file:file rw_file_perms;
|
||||
#allow fuelgauged system_data_file:dir rw_dir_perms;
|
||||
|
||||
# Data : WK16.21
|
||||
# Operation : New Feature
|
||||
# Purpose : For fg daemon can do nvram r/w to save car_tune_value
|
||||
#allow fuelgauged nvdata_file:dir rw_dir_perms;
|
||||
#allow fuelgauged nvdata_file:file {rw_file_perms create_file_perms};
|
||||
#allow fuelgauged nvram_data_file:lnk_file rw_file_perms;
|
||||
#allow fuelgauged nvdata_file:lnk_file rw_file_perms;
|
||||
|
||||
# Data : WK16.39
|
||||
#allow fuelgauged self:capability { chown fsetid dac_override };
|
||||
|
||||
# Data : W16.43
|
||||
# Operation : New Feature
|
||||
# Purpose : Change from /data to /cache
|
||||
#allow fuelgauged cache_file:file {rw_file_perms create_file_perms};
|
||||
#allow fuelgauged cache_file:dir {rw_dir_perms create_dir_perms};
|
||||
#allow fuelgauged sysfs:file {rw_file_perms create_file_perms};
|
||||
allow fuelgauged self:capability { chown fsetid };
|
||||
|
||||
# Date: W17.22
|
||||
# Operation : New Feature
|
||||
|
@ -22,13 +22,6 @@ type fuelgauged_nvram_file, file_type, data_file_type;
|
||||
|
||||
init_daemon_domain(fuelgauged_nvram)
|
||||
|
||||
# Data : WK16.21
|
||||
# Operation : New Feature
|
||||
# Purpose : For fg daemon can access /data/FG folder
|
||||
#file_type_auto_trans(fuelgauged_nvram, system_data_file, fuelgauged_nvram_file);
|
||||
#allow fuelgauged_nvram fuelgauged_nvram_file:file rw_file_perms;
|
||||
#allow fuelgauged_nvram system_data_file:dir rw_dir_perms;
|
||||
|
||||
# Data : WK16.21
|
||||
# Operation : New Feature
|
||||
# Purpose : For fg daemon can do nvram r/w to save car_tune_value
|
||||
@ -43,9 +36,7 @@ allow fuelgauged_nvram fuelgauged_file:file {rw_file_perms create_file_perms};
|
||||
# Data : W16.43
|
||||
# Operation : New Feature
|
||||
# Purpose : Change from /data to /cache
|
||||
#allow fuelgauged_nvram cache_file:file {rw_file_perms create_file_perms};
|
||||
#allow fuelgauged_nvram cache_file:dir {rw_dir_perms create_dir_perms};
|
||||
#allow fuelgauged_nvram self:capability { dac_read_search dac_override chown };
|
||||
allow fuelgauged_nvram self:capability { chown };
|
||||
allow fuelgauged_nvram kmsg_device:chr_file { write open };
|
||||
allow fuelgauged_nvram self:capability fsetid;
|
||||
|
||||
|
@ -1,5 +1,4 @@
|
||||
# Communicate over a socket created by mnld process.
|
||||
#allow hal_gnss debuggerd:fd use;
|
||||
allow hal_gnss_default mnld_data_file:sock_file create_file_perms;
|
||||
allow hal_gnss_default mnld_data_file:sock_file rw_file_perms;
|
||||
allow hal_gnss_default mnld_data_file:dir create_file_perms;
|
||||
|
@ -1,7 +1,6 @@
|
||||
vndbinder_use(hal_graphics_composer_default)
|
||||
|
||||
allow hal_graphics_composer_default debugfs_ged:dir search;
|
||||
#allow hal_graphics_composer_default debugfs_ion:dir search;
|
||||
|
||||
# Date : WK17.09
|
||||
# Operation : Add sepolicy
|
||||
|
@ -96,7 +96,6 @@ allow init protect_f_data_file:dir mounton;
|
||||
allow init protect_s_data_file:dir mounton;
|
||||
allow init nvcfg_file:dir mounton;
|
||||
allow init persist_data_file:dir mounton;
|
||||
#allow init system_file:dir setattr;
|
||||
allow init tmpfs:lnk_file create;
|
||||
|
||||
# boot process denial clean up
|
||||
|
@ -18,16 +18,6 @@ allow kernel vold_device:blk_file rw_file_perms;
|
||||
# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature)
|
||||
allow kernel system_data_file:lnk_file r_file_perms;
|
||||
|
||||
# Date : WK14.43
|
||||
# Operation : Migration
|
||||
# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature)
|
||||
#allow kernel nvram_device:blk_file rw_file_perms;
|
||||
|
||||
# Date : WK15.29
|
||||
# Operation : Migration
|
||||
# Purpose : grant wifi data file access for mtk_wmtd as root.
|
||||
#allow kernel self:capability { dac_read_search dac_override };
|
||||
|
||||
# Date : WK15.35
|
||||
# Operation : Migration
|
||||
# Purpose : grant fon_image_data_file read permission for loop device
|
||||
|
@ -10,5 +10,4 @@ allow keystore app_data_file:file write;
|
||||
# Date : WK17.30 2017/07/25
|
||||
# Operation : keystore
|
||||
# Purpose : Fix keystore boot selinux violation
|
||||
#allow keystore debugfs_tracing:file write;
|
||||
allow hal_keymaster_default debugfs_tracing:file write;
|
||||
|
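Review bot: Once `#allow keystore debugfs_tracing:file write;` is gone, the header `# Operation : keystore` / `# Purpose : Fix keystore boot selinux violation` sits above only `allow hal_keymaster_default debugfs_tracing:file write;`, so the comment names a domain the rule does not. Reword it to `# Purpose : Fix hal_keymaster_default boot selinux violation (debugfs_tracing write)`. debugfs_tracing is a tracing/debug node, so it is worth confirming whether the keymaster HAL needs it on user builds or whether the rule belongs inside a `userdebug_or_eng(` block like the one used elsewhere in this policy.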
@ -23,7 +23,6 @@ allow mdlogger vfat:dir create_dir_perms;
|
||||
allow mdlogger vfat:file create_file_perms;
|
||||
|
||||
#mdlogger for read /sdcard
|
||||
#allow mdlogger log_device:chr_file w_file_perms;
|
||||
allow mdlogger tmpfs:lnk_file read;
|
||||
allow mdlogger storage_file:lnk_file rw_file_perms;
|
||||
allow mdlogger mnt_user_file:dir search;
|
||||
|
@ -7,12 +7,6 @@
|
||||
# Purpose : VP/VR
|
||||
allow mediacodec devmap_device:chr_file { ioctl };
|
||||
|
||||
# Date : WK14.34
|
||||
# Operation : Migration
|
||||
# Purpose : Smartcard Service
|
||||
#allow mediacodec self:netlink_kobject_uevent_socket read;
|
||||
#allow mediacodec system_data_file:file open;
|
||||
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : VDEC/VENC device node
|
||||
@ -42,34 +36,11 @@ allow mediacodec nvdata_file:file create_file_perms;
|
||||
allow mediacodec devmap_device:chr_file r_file_perms;
|
||||
allow mediacodec proc_meminfo:file {read getattr open};
|
||||
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : MMProfile debug
|
||||
# userdebug_or_eng(`
|
||||
#allow mediacodec debugfs:file {read ioctl getattr};
|
||||
# ')
|
||||
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : for SW codec VP/VR
|
||||
#allow mediacodec mtk_device:chr_file { read write ioctl open };
|
||||
allow mediacodec mtk_sched_device:chr_file { read write ioctl open };
|
||||
|
||||
# Date : WK14.38
|
||||
# Operation : Migration
|
||||
# Purpose : NVRam access
|
||||
#allow mediacodec block_device:dir { write search };
|
||||
|
||||
# Data : WK14.38
|
||||
# Operation : Migration
|
||||
# Purpose : for boot animation.
|
||||
#allow mediacodec bootanim:binder { transfer call };
|
||||
|
||||
# Date : WK14.39
|
||||
# Operation : Migration
|
||||
# Purpose : APE PLAYBACK
|
||||
#binder_call(mediacodec,MtkCodecService)
|
||||
|
||||
# Data : WK14.39
|
||||
# Operation : Migration
|
||||
# Purpose : HW encrypt SW codec
|
||||
@ -100,32 +71,11 @@ allow mediacodec thermal_manager_data_file:file create_file_perms;
|
||||
allow mediacodec thermal_manager_data_file:dir { rw_dir_perms setattr };
|
||||
allow mediacodec thermal_manager_data_file:dir search;
|
||||
|
||||
# Date : WK14.46
|
||||
# Operation : Migration
|
||||
# Purpose : for MTK Emulator HW GPU
|
||||
#allow mediacodec qemu_pipe_device:chr_file rw_file_perms;
|
||||
|
||||
# Data : WK14.47
|
||||
# Operation : CTS
|
||||
# Purpose : cts search strange app
|
||||
allow mediacodec untrusted_app:dir search;
|
||||
|
||||
# Date : WK15.35
|
||||
# Operation : Migration
|
||||
# Purpose: Allow mediacodec to read binder from surfaceflinger
|
||||
#allow mediacodec surfaceflinger:fifo_file {read write};
|
||||
|
||||
# Date : WK15.45
|
||||
# Operation : 1/32x SlowMotion SQC
|
||||
# Purpose : for Clearmotion LowPower Switch
|
||||
#allow mediacodec mjc_lib_prop:property_service set;
|
||||
#allow mediacodec mtk_mjc_prop:property_service set;
|
||||
|
||||
# Date : WK15.02
|
||||
# Operation : 120Hz Feature SQC
|
||||
# Purpose : for 120Hz Smart Switch
|
||||
#allow mediacodec mtk_rrc_device:chr_file { read write ioctl open };
|
||||
|
||||
# Date : WK14.39
|
||||
# Operation : Migration
|
||||
# Purpose : MJC Driver
|
||||
@ -150,8 +100,6 @@ allow mediacodec surfaceflinger:fifo_file rw_file_perms;
|
||||
# Operator: Whitney SQC
|
||||
# Purpose: mediacodec use gpu
|
||||
allow mediacodec gpu_device:dir search;
|
||||
#allow mediacodec debug_prop:property_service set;
|
||||
#allow mediacodec system_prop:property_service set;
|
||||
|
||||
# Date : W18.01
|
||||
# Add for turn on SElinux in enforcing mode
|
||||
@ -196,7 +144,3 @@ allow mediacodec mtk_thermal_config_prop:property_service set;
|
||||
allow mediacodec graphics_device:chr_file { ioctl open read };
|
||||
allow mediacodec graphics_device:dir search;
|
||||
|
||||
# Date : WK18.03
|
||||
# Operation : MT6771 SQC
|
||||
# Purpose : Video SW decoder setprop for dex2oat thread 2
|
||||
#allow mediacodec dalvik_prop:property_service set;
|
||||
|
@ -22,12 +22,8 @@ allow mediaserver lens_device:chr_file rw_file_perms;
|
||||
# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
|
||||
allow mediaserver sdcard_type:dir { w_dir_perms create };
|
||||
allow mediaserver sdcard_type:file create;
|
||||
#allow mediaserver nvram_data_file:dir w_dir_perms;
|
||||
#allow mediaserver nvram_data_file:file create_file_perms;
|
||||
allow mediaserver nvram_data_file:lnk_file read;
|
||||
allow mediaserver nvdata_file:lnk_file read;
|
||||
#allow mediaserver nvdata_file:dir w_dir_perms;
|
||||
#allow mediaserver nvdata_file:file create_file_perms;
|
||||
allow mediaserver sdcard_type:dir remove_name;
|
||||
allow mediaserver sdcard_type:file unlink;
|
||||
|
||||
@ -35,8 +31,6 @@ allow mediaserver sdcard_type:file unlink;
|
||||
# Operation : Migration
|
||||
# Purpose : nvram access (dumchar case for nand and legacy chip)
|
||||
allow mediaserver nvram_device:chr_file rw_file_perms;
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow mediaserver self:netlink_kobject_uevent_socket { create setopt bind };
|
||||
allow mediaserver self:capability { net_admin };
|
||||
|
||||
# Date : WK14.34
|
||||
@ -47,8 +41,6 @@ allow mediaserver devmap_device:chr_file { ioctl };
|
||||
# Date : WK14.34
|
||||
# Operation : Migration
|
||||
# Purpose : Smartcard Service
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow mediaserver self:netlink_kobject_uevent_socket read;
|
||||
allow mediaserver system_data_file:file open;
|
||||
|
||||
# Date : WK14.36
|
||||
@ -68,13 +60,6 @@ allow mediaserver camera_sysram_device:chr_file r_file_perms;
|
||||
# Purpose : VDEC/VENC device node
|
||||
allow mediaserver Vcodec_device:chr_file rw_file_perms;
|
||||
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : MMProfile debug
|
||||
# userdebug_or_eng(`
|
||||
#allow mediaserver debugfs:file {read ioctl getattr};
|
||||
# ')
|
||||
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : access nvram, otp, ccci cdoec devices.
|
||||
@ -89,7 +74,6 @@ allow mediaserver bootdevice_block_device:blk_file rw_file_perms;
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : for SW codec VP/VR
|
||||
#allow mediaserver mtk_device:chr_file { read write ioctl open };
|
||||
allow mediaserver mtk_sched_device:chr_file rw_file_perms;
|
||||
|
||||
# Date : WK14.38
|
||||
@ -144,13 +128,6 @@ allow mediaserver camera_fdvt_device:chr_file rw_file_perms;
|
||||
# Purpose : APE PLAYBACK
|
||||
binder_call(mediaserver,MtkCodecService)
|
||||
|
||||
# Data : WK14.39
|
||||
# Operation : Migration
|
||||
# Purpose : HW encrypt SW codec
|
||||
#allow mediaserver mediaserver_data_file:file create_file_perms;
|
||||
#allow mediaserver mediaserver_data_file:dir create_dir_perms;
|
||||
#allow mediaserver sec_device:chr_file r_file_perms;
|
||||
|
||||
# Date : WK14.40
|
||||
# Operation : Migration
|
||||
# Purpose : HDMI driver access
|
||||
@ -172,13 +149,6 @@ binder_call(mediaserver,audiocmdservice_atci)
|
||||
# Purpose : mtk_jpeg
|
||||
allow mediaserver mtk_jpeg_device:chr_file r_file_perms;
|
||||
|
||||
# Date : WK14.41
|
||||
# Operation : Migration
|
||||
# Purpose : Lossless BT audio
|
||||
#allow mediaserver shell_exec:file { read open execute execute_no_trans };
|
||||
#allow mediaserver system_file:file execute_no_trans;
|
||||
#allow mediaserver zygote_exec:file execute_no_trans;
|
||||
|
||||
# Date : WK14.41
|
||||
# Operation : Migration
|
||||
# Purpose : WFD HID Driver
|
||||
@ -218,8 +188,6 @@ allow mediaserver sysfs_lowmemorykiller:file { read open };
|
||||
allow mediaserver proc_mtkcooler:dir search;
|
||||
allow mediaserver proc_mtktz:dir search;
|
||||
allow mediaserver proc_thermal:dir search;
|
||||
#allow mediaserver thermal_manager_data_file:file create_file_perms;
|
||||
#allow mediaserver thermal_manager_data_file:dir { rw_dir_perms setattr };
|
||||
|
||||
# Date : WK14.46
|
||||
# Operation : Migration
|
||||
@ -276,13 +244,6 @@ allow mediaserver mnt_user_file:lnk_file {read write};
|
||||
# Purpose: Allow mediaserver to read binder from surfaceflinger
|
||||
allow mediaserver surfaceflinger:fifo_file {read write};
|
||||
|
||||
|
||||
# Date : WK15.45
|
||||
# Purpose : camera read/write /nvcfg/camera data
|
||||
#allow mediaserver nvcfg_file:dir create_dir_perms;
|
||||
#allow mediaserver nvcfg_file:file create_file_perms;
|
||||
|
||||
|
||||
# Date : WK15.46
|
||||
# Operation : Migration
|
||||
# Purpose : DPE Driver
|
||||
@ -329,11 +290,6 @@ allow mediaserver sw_sync_device:chr_file rw_file_perms;
|
||||
# Purpose : OWE Driver
|
||||
allow mediaserver camera_owe_device:chr_file rw_file_perms;
|
||||
|
||||
# Date : WK17.27
|
||||
# Operation : O Migration
|
||||
# Purpose : m4u Driver
|
||||
#allow mediaserver proc:file r_file_perms;
|
||||
|
||||
# Date : WK17.30
|
||||
# Operation : O Migration
|
||||
# Purpose: Allow to access cmdq driver
|
||||
|
@ -57,7 +57,6 @@ allow merged_hal_service proc:dir {search getattr};
|
||||
allow merged_hal_service proc:file {getattr open read write ioctl};
|
||||
allow merged_hal_service debugfs_ged:dir search;
|
||||
allow merged_hal_service debugfs_ged:file { getattr open read write };
|
||||
#allow merged_hal_service system_data_file:dir { create write add_name };
|
||||
allow merged_hal_service proc_thermal:file { write open };
|
||||
allow merged_hal_service proc_thermal:dir search;
|
||||
allow merged_hal_service sysfs:file {open write read};
|
||||
|
@ -140,9 +140,6 @@ allow meta_tst stpbt_device:chr_file rw_file_perms;
|
||||
# Date: WK16.12
|
||||
# Operation : Migration
|
||||
# Purpose : meta mode GPS
|
||||
#allow meta_tst gps_device:chr_file rw_file_perms;
|
||||
#allow meta_tst gps_data_file:file create_file_perms;
|
||||
#allow meta_tst gps_data_file:dir rw_dir_perms;
|
||||
allow meta_tst gps_data_file:dir { write add_name search remove_name unlink};
|
||||
allow meta_tst gps_data_file:file { read write open create getattr append setattr unlink lock};
|
||||
allow meta_tst gps_data_file:lnk_file read;
|
||||
@ -160,8 +157,6 @@ allow meta_tst mt6605_device:chr_file rw_file_perms;
|
||||
#Date WK14.49
|
||||
#Operation : Migration
|
||||
#Purpose : DRM key installation
|
||||
#allow meta_tst shell_exec:file rx_file_perms;
|
||||
#allow meta_tst system_data_file:dir create;
|
||||
allow meta_tst key_install_data_file:dir w_dir_perms;
|
||||
allow meta_tst key_install_data_file:file create_file_perms;
|
||||
|
||||
@ -173,8 +168,6 @@ allow meta_tst proc_lk_env:file rw_file_perms;
|
||||
# Purpose : FT_EMMC_OP_FORMAT_TCARD
|
||||
allow meta_tst block_device:blk_file getattr;
|
||||
allow meta_tst system_block_device:blk_file getattr;
|
||||
#allow meta_tst fuse_device:chr_file getattr;
|
||||
#allow meta_tst shell_exec:file r_file_perms;
|
||||
|
||||
# Date: WK15.52
|
||||
# Purpose : NVRAM related LID
|
||||
@ -226,15 +219,6 @@ allow meta_tst system_file:dir r_dir_perms;
|
||||
# Purpose: for CCCI reboot modem
|
||||
allow meta_tst gsm0710muxd_device:chr_file rw_file_perms;
|
||||
|
||||
# Date: WK16.20
|
||||
# Purpose: meta_tst set sys.usb.config
|
||||
#set_prop(meta_tst, system_radio_prop);
|
||||
|
||||
#Date: W16.33
|
||||
# Purpose: N Migration For CCT
|
||||
#allow meta_tst media_rw_data_file:dir { search read open getattr };
|
||||
#allow meta_tst media_rw_data_file:file { write open read};
|
||||
|
||||
# Date : WK16.35
|
||||
# Purpose : Update camera flashlight driver device file
|
||||
allow meta_tst flashlight_device:chr_file rw_file_perms;
|
||||
@ -252,7 +236,6 @@ allow meta_tst nvcfg_file:dir { search read open };
|
||||
#Date: W16.45
|
||||
# Purpose : Allow unmount sdcardfs mounted on /data/media
|
||||
allow meta_tst sdcard_type:filesystem unmount;
|
||||
#allow meta_tst toolbox_exec:file { getattr execute execute_no_trans read open };
|
||||
allow meta_tst storage_stub_file:dir search;
|
||||
|
||||
# Date : WK16.19
|
||||
@ -277,15 +260,9 @@ allow meta_tst ctl_default_prop:property_service set;
|
||||
# Purpose : Allow meta_tst stop service which occupy data partition.
|
||||
allow meta_tst ctl_emdlogger1_prop:property_service set;
|
||||
|
||||
#Date: W17.27
|
||||
# Purpose : Allow meta_tst read /data/nvram link
|
||||
#allow meta_tst system_data_file:lnk_file read;
|
||||
|
||||
#Date: W17.27
|
||||
# Purpose: STMicro NFC solution integration
|
||||
allow meta_tst st21nfc_device:chr_file { open read write ioctl };
|
||||
#allow meta_tst factory_data_file:sock_file { write unlink };
|
||||
#allow meta_tst nfc_socket:dir search;
|
||||
allow meta_tst vendor_file:file { getattr execute execute_no_trans read open };
|
||||
set_prop(meta_tst,hwservicemanager_prop);
|
||||
hwbinder_use(meta_tst);
|
||||
@ -309,28 +286,6 @@ allow meta_tst md_block_device:blk_file { read open };
|
||||
allow meta_tst mddb_data_file:file { create open write read getattr};
|
||||
allow meta_tst mddb_data_file:dir { search write add_name create getattr read open };
|
||||
|
||||
# Date: W17.43
|
||||
# Purpose : meta connect with mdlogger by socket.
|
||||
#allow meta_tst emdlogger:unix_stream_socket connectto;
|
||||
|
||||
# Date: W17.43
|
||||
# Purpose : meta connect with mobilelog by socket.
|
||||
#allow meta_tst mobile_log_d:unix_stream_socket connectto;
|
||||
|
||||
# Date: W17.43
|
||||
# Purpose : meta access mobile log.
|
||||
#allow meta_tst logtemp_data_file:dir { relabelto create_dir_perms };
|
||||
#allow meta_tst logtemp_data_file:file create_file_perms;
|
||||
#allow meta_tst data_tmpfs_log_file:dir create_dir_perms;
|
||||
#allow meta_tst data_tmpfs_log_file:file create_file_perms;
|
||||
|
||||
# Date: W17.43
|
||||
# Purpose meta access on /data/mdlog
|
||||
#allow meta_tst mdlog_data_file:dir { create_dir_perms relabelto };
|
||||
#allow meta_tst mdlog_data_file:fifo_file { create_file_perms };
|
||||
#allow meta_tst mdlog_data_file:file { create_file_perms };
|
||||
#allow meta_tst system_data_file:dir { create_dir_perms relabelfrom};
|
||||
|
||||
# Date: W17.43
|
||||
# Purpose : Allow meta_tst to call android.hardware.audio@2.0-service-mediatek
|
||||
binder_call(meta_tst, mtk_hal_audio)
|
||||
@ -398,4 +353,4 @@ allow meta_tst sysfs_dt_firmware_android:dir { read open search };
|
||||
# Purpose : Allow meta_tst to communicate with driver thru socket
|
||||
allow meta_tst meta_tst:capability { sys_module net_admin net_raw };
|
||||
allow meta_tst self:udp_socket { create ioctl };
|
||||
allowxperm meta_tst self:udp_socket ioctl priv_sock_ioctls;
|
||||
allowxperm meta_tst self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
@ -37,7 +37,6 @@ allow mnld mnld_device:chr_file rw_file_perms;
|
||||
allow mnld mnld_data_file:file rw_file_perms;
|
||||
allow mnld mnld_data_file:file create_file_perms;
|
||||
allow mnld mnld_data_file:fifo_file create_file_perms;
|
||||
#allow mnld gps_device:chr_file rw_file_perms;
|
||||
# Purpose : For init process
|
||||
allow mnld init:unix_stream_socket connectto;
|
||||
allow mnld init:udp_socket { read write };
|
||||
@ -54,7 +53,7 @@ allow mnld block_device:dir search;
|
||||
allow mnld mnld_prop:property_service set;
|
||||
allow mnld property_socket:sock_file write;
|
||||
allow mnld mdlog_device:chr_file { read write };
|
||||
#allow mnld self:capability { fsetid dac_override };
|
||||
allow mnld self:capability { fsetid };
|
||||
allow mnld stpbt_device:chr_file { read write };
|
||||
allow mnld ttyGS_device:chr_file { read write };
|
||||
# Purpose : For file system operations
|
||||
@ -91,4 +90,4 @@ allow mnld fwk_sensor_hwservice:hwservice_manager find;
|
||||
allow mnld hwservicemanager_prop:file { read open getattr };
|
||||
allow mnld debugfs_tracing:file { open write };
|
||||
|
||||
allow mnld mnt_vendor_file:dir search;
|
||||
allow mnld mnt_vendor_file:dir search;
|
||||
|
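Review bot: The capability line in the `@ -54,7 +53,7 @@` hunk is a one-for-one substitution by the hunk counts, so either `allow mnld self:capability { fsetid };` is newly activated here or the commented `#allow mnld self:capability { fsetid dac_override };` is what the new side keeps; the rendered page does not show which side each line belongs to. If the active rule is the new side, a commit described as removing unused rules is also granting CAP_FSETID to mnld, and that deserves its own change with a justification comment above the line, e.g. `# Purpose : <reason mnld needs fsetid> (dac_override dropped)`. The same substitution pattern appears in the stp_dump3 `@ -20,7 +20,7 @@`, nvram_agent_binder `@ -39,9 +37,7 @@`, nvram_daemon `@ -50,9 +41,8 @@` and aee_aed `@ -90,7 +88,7 @@` hunks, where the surviving sets are wider (`net_admin fowner chown fsetid`, `fowner chown fsetid`, and `sys_module setgid setuid kill` among others) and carry no comment explaining why each capability is still required.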
@ -2,7 +2,6 @@
|
||||
allow mobile_log_d sysfs_boot_mode:file { open read };
|
||||
|
||||
#proc/ access
|
||||
#allow mobile_log_d proc:file r_file_perms;
|
||||
allow mobile_log_d proc_kmsg:file r_file_perms;
|
||||
allow mobile_log_d proc_cmdline:file r_file_perms;
|
||||
allow mobile_log_d proc_atf_log:dir search;
|
||||
|
@ -12,12 +12,6 @@ allow mtk_hal_audio ion_device:chr_file r_file_perms;
|
||||
|
||||
allow mtk_hal_audio system_file:dir { open read };
|
||||
|
||||
userdebug_or_eng(`
|
||||
# used for pcm capture for debug.
|
||||
#allow mtk_hal_audio audiohal_data_file:dir create_dir_perms;
|
||||
#allow mtk_hal_audio audiohal_data_file:file create_file_perms;
|
||||
')
|
||||
|
||||
r_dir_file(mtk_hal_audio, proc)
|
||||
allow mtk_hal_audio audio_device:dir r_dir_perms;
|
||||
allow mtk_hal_audio audio_device:chr_file rw_file_perms;
|
||||
@ -53,7 +47,6 @@ allow mtk_hal_audio sdcard_type:file unlink;
|
||||
# Purpose : nvram access (dumchar case for nand and legacy chip)
|
||||
allow mtk_hal_audio nvram_device:chr_file rw_file_perms;
|
||||
allow mtk_hal_audio self:netlink_kobject_uevent_socket { create setopt bind };
|
||||
#allow mtk_hal_audio self:capability { net_admin };
|
||||
|
||||
# Date : WK14.34
|
||||
# Operation : Migration
|
||||
@ -63,7 +56,6 @@ allow mtk_hal_audio self:netlink_kobject_uevent_socket read;
|
||||
# Date : WK14.36
|
||||
# Operation : Migration
|
||||
# Purpose : media server and bt process communication for A2DP data.and other control flow
|
||||
#allow mtk_hal_audio bluetooth:unix_dgram_socket sendto;
|
||||
allow mtk_hal_audio bt_a2dp_stream_socket:sock_file write;
|
||||
allow mtk_hal_audio bt_int_adp_socket:sock_file write;
|
||||
|
||||
@ -107,13 +99,6 @@ allow mtk_hal_audio graphics_device:chr_file rw_file_perms;
|
||||
# Purpose : Smartpa
|
||||
allow mtk_hal_audio smartpa_device:chr_file rw_file_perms;
|
||||
|
||||
# Date : WK14.41
|
||||
# Operation : Migration
|
||||
# Purpose : Lossless BT audio
|
||||
#allow mtk_hal_audio shell_exec:file { read open execute execute_no_trans };
|
||||
#allow mtk_hal_audio system_file:file execute_no_trans;
|
||||
#allow mtk_hal_audio zygote_exec:file execute_no_trans;
|
||||
|
||||
# Date : WK14.41
|
||||
# Operation : Migration
|
||||
# Purpose : WFD HID Driver
|
||||
@ -236,4 +221,4 @@ allow mtk_hal_audio audio_ipi_device:chr_file { read write ioctl open };
|
||||
# Date : WK18.21
|
||||
# Operation: P migration
|
||||
# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
|
||||
allow mtk_hal_audio mnt_vendor_file:dir search;
|
||||
allow mtk_hal_audio mnt_vendor_file:dir search;
|
||||
|
@ -173,12 +173,6 @@ allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
|
||||
allow mtk_hal_camera dumpstate:fd { use };
|
||||
allow mtk_hal_camera dumpstate:fifo_file write;
|
||||
|
||||
# Purpose: avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.fXpwOm/SYS_DEBUG_MTKCAM"
|
||||
# dev="dm-0" ino=82287 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_data_file:s0
|
||||
# tclass=file permissive=0
|
||||
#allow mtk_hal_camera aee_exp_data_file:dir { w_dir_perms };
|
||||
#allow mtk_hal_camera aee_exp_data_file:file { create_file_perms };
|
||||
|
||||
# -----------------------------------
|
||||
# Android O
|
||||
# Purpose: Debugging
|
||||
@ -212,11 +206,9 @@ allow mtk_hal_camera untrusted_app:dir search;
|
||||
allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms;
|
||||
|
||||
## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
|
||||
#allow mtk_hal_camera system_data_file:dir write;
|
||||
allow mtk_hal_camera storage_file:lnk_file {read write};
|
||||
allow mtk_hal_camera mnt_user_file:dir {write read search};
|
||||
allow mtk_hal_camera mnt_user_file:lnk_file {read write};
|
||||
#allow mtk_hal_camera media_rw_data_file:dir {getattr create};
|
||||
|
||||
## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger
|
||||
allow mtk_hal_camera surfaceflinger:fifo_file {read write};
|
||||
|
@ -10,7 +10,6 @@ vndbinder_use(mtk_hal_gnss)
|
||||
r_dir_file(mtk_hal_gnss, system_file)
|
||||
|
||||
# Communicate over a socket created by mnld process.
|
||||
#allow mtk_hal_gnss debuggerd:fd use;
|
||||
allow mtk_hal_gnss mnld_data_file:sock_file create_file_perms;
|
||||
allow mtk_hal_gnss mnld_data_file:sock_file rw_file_perms;
|
||||
allow mtk_hal_gnss mnld_data_file:dir create_file_perms;
|
||||
|
@ -33,8 +33,6 @@ allow mtk_hal_pq graphics_device:chr_file { read write open ioctl };
|
||||
# Purpose : Allow property set
|
||||
allow mtk_hal_pq init:unix_stream_socket connectto;
|
||||
allow mtk_hal_pq property_socket:sock_file write;
|
||||
#allow mtk_hal_pq system_prop:property_service set;
|
||||
#allow mtk_hal_pq debug_prop:property_service set;
|
||||
|
||||
# Purpose : Allow permission to get AmbientLux from hwservice_manager
|
||||
allow mtk_hal_pq fwk_sensor_hwservice:hwservice_manager find;
|
||||
|
@ -36,9 +36,6 @@ allow mtk_hal_sensors hwservicemanager_prop:file r_file_perms;
|
||||
#hwservicemanager
|
||||
hal_server_domain(mtk_hal_sensors, hal_sensors);
|
||||
|
||||
#allow mtk_hal_sensors hal_sensors_hwservice:hwservice_manager { add find };
|
||||
#allow mtk_hal_sensors hidl_base_hwservice:hwservice_manager add;
|
||||
|
||||
# Access sensor bio devices
|
||||
allow mtk_hal_sensors sensorlist_device:chr_file rw_file_perms;
|
||||
allow mtk_hal_sensors m_acc_misc_device:chr_file rw_file_perms;
|
||||
|
@ -33,15 +33,6 @@ allow mtkbootanimation guiext-server:binder transfer;
|
||||
# Purpose : for gpu access
|
||||
allow mtkbootanimation dri_device:chr_file { read write open ioctl };
|
||||
|
||||
# Date : WK14.37
|
||||
# Operation : Migration
|
||||
# Purpose : for op
|
||||
#allow mtkbootanimation terservice:binder call;
|
||||
|
||||
# Date : WK15.30
|
||||
# Operation : Migration
|
||||
# Purpose : for device bring up, not to block early migration/sanity
|
||||
#allow mtkbootanimation terservice_service:service_manager find;
|
||||
# Date : WK17.29
|
||||
# Operation : Migration
|
||||
# Purpose : for device bring up
|
||||
|
@ -15,16 +15,12 @@ allow rild kernel:system module_request;
|
||||
|
||||
# Capabilities assigned for rild
|
||||
allow rild self:capability { setuid net_admin net_raw };
|
||||
#allow rild self:capability dac_override;
|
||||
|
||||
# Control cgroups
|
||||
allow rild cgroup:dir create_dir_perms;
|
||||
|
||||
# Property service
|
||||
# allow set RIL related properties (radio./net./system./etc)
|
||||
#set_prop(rild, radio_prop)
|
||||
#set_prop(rild, net_radio_prop)
|
||||
#set_prop(rild, system_radio_prop)
|
||||
auditallow rild net_radio_prop:property_service set;
|
||||
auditallow rild system_radio_prop:property_service set;
|
||||
set_prop(rild, ril_active_md_prop)
|
||||
@ -45,34 +41,20 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
|
||||
# Allow access permission to dir/files
|
||||
# (radio data/system data/proc/etc)
|
||||
# Violate Android P rule
|
||||
#allow rild radio_data_file:dir rw_dir_perms;
|
||||
#allow rild radio_data_file:file create_file_perms;
|
||||
allow rild sdcard_type:dir r_dir_perms;
|
||||
# Violate Android P rule
|
||||
#allow rild system_data_file:dir r_dir_perms;
|
||||
#allow rild system_data_file:file r_file_perms;
|
||||
allow rild system_file:file x_file_perms;
|
||||
allow rild proc:file rw_file_perms;
|
||||
allow rild proc_net:file w_file_perms;
|
||||
|
||||
# Allow rild to create and use netlink sockets.
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow rild self:netlink_socket create_socket_perms;
|
||||
#allow rild self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
# Set and get routes directly via netlink.
|
||||
allow rild self:netlink_route_socket nlmsg_write;
|
||||
|
||||
# Allow rild to create sockets.
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow rild self:socket create_socket_perms;
|
||||
|
||||
# Allow read/write to devices/files
|
||||
allow rild alarm_device:chr_file rw_file_perms;
|
||||
allow rild radio_device:chr_file rw_file_perms;
|
||||
allow rild radio_device:blk_file r_file_perms;
|
||||
allow rild mtd_device:dir search;
|
||||
# Allow read/write to uart driver (for GPS)
|
||||
#allow rild gps_device:chr_file rw_file_perms;
|
||||
# Allow read/write to tty devices
|
||||
allow rild tty_device:chr_file rw_file_perms;
|
||||
allow rild eemcs_device:chr_file { rw_file_perms };
|
||||
@ -89,7 +71,6 @@ allow rild para_block_device:blk_file { rw_file_perms };
|
||||
|
||||
# Allow dir search, fd uses
|
||||
allow rild block_device:dir search;
|
||||
#allow rild platformblk_device:dir search;
|
||||
allow rild platform_app:fd use;
|
||||
allow rild radio:fd use;
|
||||
|
||||
@ -119,8 +100,6 @@ allow rild mtk_agpsd:unix_stream_socket connectto;
|
||||
#Date 2017/10/12
|
||||
#Purpose: allow set MTU size
|
||||
allow rild toolbox_exec:file getattr;
|
||||
#allow rild toolbox_exec:file {execute read open};
|
||||
#allow rild toolbox_exec:file {execute_no_trans};
|
||||
allow rild mtk_net_ipv6_prop:property_service set;
|
||||
|
||||
#Dat: 2017/10/17
|
||||
|
@ -18,7 +18,6 @@ allow mtkrild kernel:system module_request;
|
||||
|
||||
# Capabilities assigned for mtkrild
|
||||
allow mtkrild self:capability { setuid net_admin net_raw };
|
||||
#allow mtkrild self:capability dac_override;
|
||||
|
||||
# Control cgroups
|
||||
allow mtkrild cgroup:dir create_dir_perms;
|
||||
@ -52,34 +51,20 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms;
|
||||
# Allow access permission to dir/files
|
||||
# (radio data/system data/proc/etc)
|
||||
# Violate Android P rule
|
||||
#allow mtkrild radio_data_file:dir rw_dir_perms;
|
||||
#allow mtkrild radio_data_file:file create_file_perms;
|
||||
allow mtkrild sdcard_type:dir r_dir_perms;
|
||||
# Violate Android P rule
|
||||
#allow mtkrild system_data_file:dir r_dir_perms;
|
||||
#allow mtkrild system_data_file:file r_file_perms;
|
||||
allow mtkrild system_file:file x_file_perms;
|
||||
allow mtkrild proc:file rw_file_perms;
|
||||
allow mtkrild proc_net:file w_file_perms;
|
||||
|
||||
# Allow mtkrild to create and use netlink sockets.
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow mtkrild self:netlink_socket create_socket_perms;
|
||||
#allow mtkrild self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
# Set and get routes directly via netlink.
|
||||
allow mtkrild self:netlink_route_socket nlmsg_write;
|
||||
|
||||
# Allow mtkrild to create sockets.
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow mtkrild self:socket create_socket_perms;
|
||||
|
||||
# Allow read/write to devices/files
|
||||
allow mtkrild alarm_device:chr_file rw_file_perms;
|
||||
allow mtkrild radio_device:chr_file rw_file_perms;
|
||||
allow mtkrild radio_device:blk_file r_file_perms;
|
||||
allow mtkrild mtd_device:dir search;
|
||||
# Allow read/write to uart driver (for GPS)
|
||||
#allow mtkrild gps_device:chr_file rw_file_perms;
|
||||
# Allow read/write to tty devices
|
||||
allow mtkrild tty_device:chr_file rw_file_perms;
|
||||
allow mtkrild eemcs_device:chr_file { rw_file_perms };
|
||||
@ -96,7 +81,6 @@ allow mtkrild para_block_device:blk_file { rw_file_perms };
|
||||
|
||||
# Allow dir search, fd uses
|
||||
allow mtkrild block_device:dir search;
|
||||
#allow mtkrild platformblk_device:dir search;
|
||||
allow mtkrild platform_app:fd use;
|
||||
allow mtkrild radio:fd use;
|
||||
|
||||
|
@ -12,9 +12,6 @@ type muxreport ,domain;
|
||||
# ==============================================
|
||||
init_daemon_domain(muxreport)
|
||||
|
||||
# Capabilities assigned for muxreport
|
||||
#allow muxreport self:capability dac_override;
|
||||
|
||||
# Property service
|
||||
# allow set muxreport control properties
|
||||
set_prop(muxreport, ril_mux_report_case_prop)
|
||||
|
@ -30,8 +30,6 @@ allow nvram_agent_binder nvdata_file:lnk_file read;
|
||||
allow nvram_agent_binder nvdata_file:dir create_dir_perms;
|
||||
allow nvram_agent_binder nvdata_file:file create_file_perms;
|
||||
|
||||
#allow nvram_agent_binder system_file:file execute_no_trans;
|
||||
|
||||
allow nvram_agent_binder als_ps_device:chr_file r_file_perms;
|
||||
allow nvram_agent_binder mtk-adc-cali_device:chr_file rw_file_perms;
|
||||
allow nvram_agent_binder gsensor_device:chr_file r_file_perms;
|
||||
@ -39,9 +37,7 @@ allow nvram_agent_binder gyroscope_device:chr_file r_file_perms;
|
||||
allow nvram_agent_binder init:unix_stream_socket connectto;
|
||||
allow nvram_agent_binder property_socket:sock_file write;
|
||||
allow nvram_agent_binder sysfs:file write;
|
||||
#allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
|
||||
#remove from Android P
|
||||
#allow nvram_agent_binder system_data_file:dir create_file_perms;
|
||||
allow nvram_agent_binder self:capability { fowner chown fsetid };
|
||||
|
||||
# Purpose: for backup
|
||||
allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
|
||||
@ -58,8 +54,6 @@ allow nvram_agent_binder hwservicemanager_prop:file r_file_perms;
|
||||
|
||||
#for nvram hidl client support
|
||||
allow nvram_agent_binder sysfs:file { read open };
|
||||
#remove from android P
|
||||
#allow nvram_agent_binder system_data_file:lnk_file read;
|
||||
|
||||
# Allow to use HWBinder IPC
|
||||
hwbinder_use(nvram_agent_binder);
|
||||
|
@ -24,16 +24,9 @@ allow nvram_daemon nvram_device:blk_file rw_file_perms;
|
||||
allow nvram_daemon bootdevice_block_device:blk_file rw_file_perms;
|
||||
allow nvram_daemon nvdata_device:blk_file rw_file_perms;
|
||||
|
||||
|
||||
# Date : WK14.34
|
||||
# Operation : Migration
|
||||
# Purpose : the option is used to tell that if other processes can access nvram.
|
||||
#allow nvram_daemon system_prop:property_service set;
|
||||
|
||||
# Date : WK14.35
|
||||
# Operation : chown folder and file permission
|
||||
# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L.
|
||||
#allow nvram_daemon shell_exec:file rx_file_perms;
|
||||
allow nvram_daemon nvram_data_file:dir create_dir_perms;
|
||||
allow nvram_daemon nvram_data_file:file create_file_perms;
|
||||
allow nvram_daemon nvram_data_file:lnk_file read;
|
||||
@ -41,8 +34,6 @@ allow nvram_daemon nvdata_file:lnk_file read;
|
||||
allow nvram_daemon nvdata_file:dir create_dir_perms;
|
||||
allow nvram_daemon nvdata_file:file create_file_perms;
|
||||
|
||||
#allow nvram_daemon system_file:file execute_no_trans;
|
||||
|
||||
allow nvram_daemon als_ps_device:chr_file r_file_perms;
|
||||
allow nvram_daemon mtk-adc-cali_device:chr_file rw_file_perms;
|
||||
allow nvram_daemon gsensor_device:chr_file r_file_perms;
|
||||
@ -50,9 +41,8 @@ allow nvram_daemon gyroscope_device:chr_file r_file_perms;
|
||||
allow nvram_daemon init:unix_stream_socket connectto;
|
||||
|
||||
# Purpose: for property set
|
||||
#allow nvram_daemon property_socket:sock_file w_file_perms;
|
||||
allow nvram_daemon sysfs:file w_file_perms;
|
||||
#allow nvram_daemon self:capability { fowner chown dac_override fsetid };
|
||||
allow nvram_daemon self:capability { fowner chown fsetid };
|
||||
|
||||
# Purpose: for backup
|
||||
allow nvram_daemon nvram_device:chr_file rw_file_perms;
|
||||
@ -68,32 +58,19 @@ allow nvram_daemon mtd_device:chr_file rw_file_perms;
|
||||
allow nvram_daemon kmsg_device:chr_file w_file_perms;
|
||||
allow nvram_daemon proc_lk_env:file rw_file_perms;
|
||||
|
||||
# Purpose: for workaround
|
||||
# Todo: Remove this policy
|
||||
#remove from Android P
|
||||
#allow nvram_daemon system_data_file:dir write;
|
||||
|
||||
# Purpose: property set
|
||||
allow nvram_daemon service_nvram_init_prop:property_service set;
|
||||
|
||||
# Purpose: copy /fstab*
|
||||
allow nvram_daemon rootfs:dir { read open };
|
||||
allow nvram_daemon rootfs:file r_file_perms;
|
||||
#remove from Android P
|
||||
#allow nvram_daemon system_data_file:lnk_file read;
|
||||
|
||||
# Purpose: remove /data/nvram link
|
||||
#remove from Android P
|
||||
#allow nvram_daemon system_data_file:dir { remove_name add_name };
|
||||
#allow nvram_daemon system_data_file:lnk_file { create unlink };
|
||||
allow nvram_daemon nvram_data_file:lnk_file unlink;
|
||||
# Purpose: for run toolbox command: chown chmode..
|
||||
#allow nvram_daemon toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Purpose: for setting property
|
||||
# ro.wlan.mtk.wifi.5g relabel to wifi_5g_prop
|
||||
# denied { set } for property=ro.wlan.mtk.wifi.5g pid=242 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
|
||||
#allow nvram_daemon wifi_5g_prop:property_service set;
|
||||
set_prop(nvram_daemon, service_nvram_init_prop)
|
||||
set_prop(nvram_daemon, wifi_5g_prop)
|
||||
|
||||
|
@ -73,11 +73,6 @@ not_full_treble(`
|
||||
# Package: MTKLogger/Debugutils
|
||||
allow platform_app aee_aed:unix_stream_socket connectto;
|
||||
|
||||
# Date : WK17.31
|
||||
# Operation : O Migration
|
||||
# Purpose : m4u Driver
|
||||
#allow platform_app proc:file r_file_perms;
|
||||
|
||||
# Date : WK17.46
|
||||
# Operation : Migration
|
||||
# Purpose : allow MTKLogger to read KE DB
|
||||
|
@ -83,7 +83,6 @@ allow radio media_rw_data_file:file { create_file_perms };
|
||||
# Purpose :
|
||||
# Swift APK integration - access ccci dir/file
|
||||
allow radio ccci_fsd:dir { r_dir_perms };
|
||||
#allow radio ccci_fsd:file { r_file_perms };
|
||||
|
||||
# Date : 2016/07/25
|
||||
# Operation : Bluetooth access NVRAM fail in Engineer Mode
|
||||
|
@ -16,5 +16,4 @@ type spm_loader ,domain;
|
||||
init_daemon_domain(spm_loader)
|
||||
|
||||
# Read to /dev/spm
|
||||
#allow spm_loader self:capability { dac_read_search dac_override };
|
||||
allow spm_loader spm_device:chr_file r_file_perms;
|
||||
|
@ -20,7 +20,7 @@ type stp_dump3 ,domain;
|
||||
# ==============================================
|
||||
# MTK Policy Rule
|
||||
# ==============================================
|
||||
#allow stp_dump3 self:capability { net_admin fowner chown fsetid dac_override };
|
||||
allow stp_dump3 self:capability { net_admin fowner chown fsetid };
|
||||
allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
|
||||
allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
|
||||
allow stp_dump3 wmtdetect_device:chr_file { read write ioctl open };
|
||||
|
@ -25,12 +25,6 @@ allow surfaceflinger proc_bootprof:file r_file_perms;
|
||||
#============= surfaceflinger ==============
|
||||
allow surfaceflinger debugfs_ion:dir search;
|
||||
|
||||
#============= surfaceflinger ==============
|
||||
#allow surfaceflinger debugfs_tracing:file write;
|
||||
|
||||
#============= surfaceflinger ==============
|
||||
#allow surfaceflinger debugfs_tracing:file open;
|
||||
|
||||
# Date : WK17.30
|
||||
# Operation : O Migration
|
||||
# Purpose: Allow to access cmdq driver
|
||||
|
@ -74,10 +74,6 @@ allow system_server ttyMT_device:chr_file rw_file_perms;
|
||||
# Purpose: Allow to access UART1 ttyS
|
||||
allow system_server ttyS_device:chr_file rw_file_perms;
|
||||
|
||||
# Date : WK16.44
|
||||
# Purpose: Allow to access gpsonly driver
|
||||
#allow system_server gps_device:chr_file rw_file_perms;
|
||||
|
||||
# Date:W16.46
|
||||
# Operation : thermal hal Feature developing
|
||||
# Purpose : thermal hal interface permission
|
||||
|
@ -28,7 +28,6 @@ allow thermal_manager thermal_manager_data_file:dir { rw_dir_perms setattr };
|
||||
|
||||
allow thermal_manager mediaserver:fd use;
|
||||
allow thermal_manager mediaserver:fifo_file { read write };
|
||||
#allow thermal_manager pq:fd use;
|
||||
allow thermal_manager mediaserver:tcp_socket { read write };
|
||||
|
||||
# Date : WK16.30
|
||||
|
@ -24,8 +24,6 @@ file_type_auto_trans(thermal_manager, vendor_data_file, thermal_manager_data_fil
|
||||
allow thermalloadalgod input_device:dir { r_dir_perms write };
|
||||
allow thermalloadalgod input_device:file r_file_perms;
|
||||
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow thermalloadalgod thermalloadalgod:netlink_kobject_uevent_socket { write create bind read};
|
||||
allow thermalloadalgod thermalloadalgod:netlink_socket { create bind write read};
|
||||
|
||||
allow thermalloadalgod thermal_manager_data_file:dir create_dir_perms;
|
||||
|
@ -4,11 +4,6 @@
|
||||
|
||||
# TODO:: Security Issue.
|
||||
|
||||
# Date : 2014/09/09
|
||||
# Operation : Development GMO Feature "Move OAT to SD Card"
|
||||
# Purpose : for GMO ROM Size Slim
|
||||
#allow untrusted_app dalvikcache_data_file:lnk_file read;
|
||||
|
||||
# Date: 2016/02/26
|
||||
# Operation: Migration
|
||||
# Purpose: Allow MTK modified ElephantStress and WhatsTemp to read thermal zone temperatures
|
||||
|
@ -19,7 +19,6 @@ allow update_engine para_block_device:blk_file rw_file_perms;
|
||||
|
||||
|
||||
# Add for update_engine call by system_app
|
||||
#allow update_engine self:capability dac_override;
|
||||
allow update_engine system_app:binder { call transfer };
|
||||
|
||||
# Add for update_engine with postinstall
|
||||
|
@ -21,8 +21,6 @@ init_daemon_domain(wlan_assistant)
|
||||
allow wlan_assistant agpsd_data_file:sock_file write;
|
||||
allow wlan_assistant mtk_agpsd:unix_dgram_socket sendto;
|
||||
allow wlan_assistant agpsd_data_file:dir search;
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow wlan_assistant self:netlink_socket create_socket_perms;
|
||||
allow wlan_assistant self:netlink_generic_socket create_socket_perms_no_ioctl;
|
||||
allow wlan_assistant self:udp_socket { create ioctl };
|
||||
|
||||
|
@ -17,8 +17,6 @@ init_daemon_domain(aee_aed)
|
||||
# AED start: /dev/block/expdb
|
||||
allow aee_aed block_device:dir search;
|
||||
|
||||
#allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow
|
||||
|
||||
# aee db dir and db files
|
||||
allow aee_aed sdcard_type:dir create_dir_perms;
|
||||
allow aee_aed sdcard_type:file create_file_perms;
|
||||
@ -90,7 +88,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms;
|
||||
allow aee_aed tombstone_data_file:file create_file_perms;
|
||||
|
||||
# /proc/pid/
|
||||
#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
|
||||
allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
|
||||
|
||||
# system(cmd) aee_dumpstate aee_archive
|
||||
allow aee_aed shell_exec:file rx_file_perms;
|
||||
@ -100,7 +98,6 @@ allow aee_aed dumpstate:unix_stream_socket { read write ioctl };
|
||||
allow aee_aed dumpstate:dir search;
|
||||
allow aee_aed dumpstate:file r_file_perms;
|
||||
|
||||
#allow aee_aed proc:file rw_file_perms;
|
||||
allow aee_aed logdr_socket:sock_file write;
|
||||
allow aee_aed logd:unix_stream_socket connectto;
|
||||
# allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule
|
||||
@ -129,12 +126,6 @@ allow aee_aed init_exec:file r_file_perms;
|
||||
allow aee_aed crash_dump:dir search;
|
||||
allow aee_aed crash_dump:file r_file_perms;
|
||||
|
||||
# Purpose:
|
||||
# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }
|
||||
# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0
|
||||
# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
|
||||
#allow aee_aed sysfs:file r_file_perms;
|
||||
|
||||
# Purpose : allow aee_aed to read /proc/version
|
||||
allow aee_aed proc_version:file { read open };
|
||||
|
||||
|
@ -12,21 +12,10 @@ typeattribute aee_core_forwarder coredomain;
|
||||
# ==============================================
|
||||
init_daemon_domain(aee_core_forwarder)
|
||||
|
||||
#/data/core/zcorexxx.zip
|
||||
#allow aee_core_forwarder aee_core_data_file:dir relabelto;
|
||||
#allow aee_core_forwarder aee_core_data_file:dir create_dir_perms;
|
||||
#allow aee_core_forwarder aee_core_data_file:file create_file_perms;
|
||||
#allow aee_core_forwarder system_data_file:dir { write relabelfrom create add_name };
|
||||
|
||||
#mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip
|
||||
allow aee_core_forwarder sdcard_type:dir create_dir_perms;
|
||||
allow aee_core_forwarder sdcard_type:file create_file_perms;
|
||||
allow aee_core_forwarder self:capability { fsetid setgid };
|
||||
#allow aee_core_forwarder aee_exp_data_file:dir create_dir_perms;
|
||||
#allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
|
||||
|
||||
#mkdir(path, mode)
|
||||
#allow aee_core_forwarder self:capability dac_override;
|
||||
|
||||
#read STDIN_FILENO
|
||||
allow aee_core_forwarder kernel:fifo_file read;
|
||||
@ -62,8 +51,7 @@ dontaudit aee_core_forwarder untrusted_app:dir search;
|
||||
# Operation : N0 Migration
|
||||
# Purpose : access for pipefs
|
||||
allow aee_core_forwarder kernel:fd use;
|
||||
# Purpose : read AEE persist property
|
||||
#allow aee_core_forwarder persist_aee_prop:file r_file_perms;
|
||||
|
||||
# Purpose: search root dir "/"
|
||||
allow aee_core_forwarder tmpfs:dir search;
|
||||
# Purpose : read /selinux_version
|
||||
@ -98,13 +86,6 @@ dontaudit aee_core_forwarder self:capability sys_ptrace;
|
||||
allow aee_core_forwarder media_rw_data_file:dir w_dir_perms;
|
||||
allow aee_core_forwarder media_rw_data_file:file { create open write };
|
||||
|
||||
# Data : 2017/03/08
|
||||
# Operation : fix aee_core_forwarder connect to aee_aedv
|
||||
# Purpose : type=1400 audit(0.0:6594): avc: denied { connectto } for
|
||||
# path=00616E64726F69643A6165655F616564 scontext=u:r:aee_core_forwarder:s0
|
||||
# tcontext=u:r:aee_aedv:s0 tclass=unix_stream_socket permissive=0
|
||||
#allow aee_core_forwarder aee_aedv:unix_stream_socket connectto;
|
||||
|
||||
# Data : 2017/08/04
|
||||
# Operation : fix sys_nice selinux warning
|
||||
# Purpose : type=1400 audit(0.0:50): avc: denied { sys_nice } for capability=23
|
||||
|
@ -14,13 +14,11 @@ init_daemon_domain(audiocmdservice_atci)
|
||||
# Perform Binder IPC for audio tuning tool and access to mediaserver
|
||||
binder_use(audiocmdservice_atci)
|
||||
binder_call(audiocmdservice_atci, mediaserver)
|
||||
#allow audiocmdservice_atci mediaserver:chr_file create_file_perms;
|
||||
allow audiocmdservice_atci mediaserver:dir w_dir_perms;
|
||||
allow audiocmdservice_atci mediaserver_service:service_manager find;
|
||||
|
||||
# Since Android N, google separates mediaserver to audioserver and cameraserver
|
||||
binder_call(audiocmdservice_atci, audioserver)
|
||||
#allow audiocmdservice_atci audioserver:chr_file create_file_perms;
|
||||
allow audiocmdservice_atci audioserver:dir w_dir_perms;
|
||||
allow audiocmdservice_atci audioserver_service:service_manager find;
|
||||
|
||||
@ -45,4 +43,3 @@ allow radio audiocmdservice_atci_exec:file getattr;
|
||||
#Android O porting
|
||||
hwbinder_use(audiocmdservice_atci)
|
||||
get_prop(audiocmdservice_atci, hwservicemanager_prop);
|
||||
#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms;
|
||||
|
@ -21,9 +21,6 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms;
|
||||
# For IPC communication
|
||||
allow boot_logo_updater init:unix_stream_socket connectto;
|
||||
allow boot_logo_updater property_socket:sock_file write;
|
||||
#allow boot_logo_updater self:capability dac_override;
|
||||
# To access some boot_mode infornation
|
||||
#allow boot_logo_updater sysfs:file rw_file_perms;
|
||||
# To access directory /dev/block/mmcblk0 or /dev/block/sdc
|
||||
allow boot_logo_updater block_device:dir search;
|
||||
allow boot_logo_updater graphics_device:dir search;
|
||||
@ -40,10 +37,7 @@ allow boot_logo_updater sysfs:dir read;
|
||||
# sanity fail for ALPS03604686:
|
||||
# for path="/sys/firmware/devicetree/base/firmware/android/fstab" andfor name = "cmdline" and "mtdblock14"
|
||||
allow boot_logo_updater mtd_device:blk_file read;
|
||||
#allow boot_logo_updater proc:file read;
|
||||
allow boot_logo_updater sysfs:dir open;
|
||||
# for path="/proc/cmdline and ="/dev/block/mtdblock14"
|
||||
#allow boot_logo_updater proc:file open;
|
||||
allow boot_logo_updater system_data_file:dir write;
|
||||
allow boot_logo_updater mtd_device:blk_file open;
|
||||
|
||||
|
@ -2,12 +2,6 @@
|
||||
# MTK Policy Rule
|
||||
# ============
|
||||
|
||||
# Date : WK14.31
|
||||
# Operation : Migration
|
||||
# Purpose : For IPC communication
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow bootanim self:netlink_socket create_socket_perms;
|
||||
|
||||
# Date : WK14.32
|
||||
# Operation : Migration
|
||||
# Purpose : for playing boot tone
|
||||
|
@ -31,12 +31,6 @@ allow cmddumper system_file:file x_file_perms;
|
||||
allow cmddumper media_rw_data_file:file { create_file_perms };
|
||||
allow cmddumper media_rw_data_file:dir { create_dir_perms };
|
||||
|
||||
# purpose: access vmodem device
|
||||
#allow cmddumper vmodem_device:chr_file { create_file_perms };
|
||||
|
||||
# purpose: access plat_file_contexts
|
||||
allow cmddumper file_contexts_file:file { read getattr open };
|
||||
|
||||
# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
|
||||
#allow cmddumper sysfs:file { read open };
|
||||
|
||||
|
@ -14,7 +14,6 @@ allow dumpstate mnt_user_file:lnk_file read;
|
||||
allow dumpstate storage_file:lnk_file read;
|
||||
|
||||
# Purpose: timer_intval. this is neverallow
|
||||
#allow dumpstate sysfs:file r_file_perms;
|
||||
allow dumpstate app_data_file:dir search;
|
||||
allow dumpstate kmsg_device:chr_file r_file_perms;
|
||||
|
||||
|
@ -48,7 +48,7 @@ allow em_svr sysfs_leds:dir search;
|
||||
|
||||
# Date: WK1812
|
||||
# Purpose: add for sensor calibration
|
||||
#allow em_svr self:capability { dac_read_search dac_override chown fsetid };
|
||||
allow em_svr self:capability { chown fsetid };
|
||||
|
||||
# Date: WK1812
|
||||
# Purpose: add for shell cmd
|
||||
|
@ -29,7 +29,6 @@ allow emdlogger vfat:dir create_dir_perms;
|
||||
allow emdlogger vfat:file create_file_perms;
|
||||
|
||||
#modem logger permission in storage in android M version
|
||||
#allow emdlogger log_device:chr_file { write open };
|
||||
allow emdlogger mnt_user_file:dir search;
|
||||
allow emdlogger mnt_user_file:lnk_file read;
|
||||
allow emdlogger storage_file:lnk_file read;
|
||||
@ -47,10 +46,6 @@ allow emdlogger storage_file:dir { create_dir_perms };
|
||||
allow emdlogger tmpfs:lnk_file read;
|
||||
allow emdlogger storage_file:file { create_file_perms };
|
||||
|
||||
#permission for read boot mode
|
||||
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
|
||||
#allow emdlogger sysfs:file { read open };
|
||||
|
||||
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
|
||||
# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
|
||||
allow emdlogger system_file:dir read;
|
||||
@ -76,4 +71,4 @@ allow emdlogger proc_cmdline:file { read getattr open };
|
||||
allow emdlogger sysfs_dt_firmware_android:dir search;
|
||||
allow emdlogger sysfs_dt_firmware_android:file { read open getattr };
|
||||
allow emdlogger system_file:dir open;
|
||||
allow emdlogger vendor_default_prop:file { read getattr open };
|
||||
allow emdlogger vendor_default_prop:file { read getattr open };
|
||||
|
@ -27,8 +27,6 @@ allow mdlogger self:tcp_socket { create_stream_socket_perms };
|
||||
allow mdlogger vfat:dir create_dir_perms;
|
||||
allow mdlogger vfat:file create_file_perms;
|
||||
|
||||
#mdlogger for read /sdcard
|
||||
#allow mdlogger log_device:chr_file w_file_perms;
|
||||
allow mdlogger tmpfs:lnk_file read;
|
||||
allow mdlogger storage_file:lnk_file rw_file_perms;
|
||||
allow mdlogger mnt_user_file:dir search;
|
||||
|
@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop)
|
||||
unix_socket_connect(mobile_log_d, logdr, logd);
|
||||
|
||||
#capability
|
||||
#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid };
|
||||
allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };
|
||||
allow mobile_log_d self:capability { setuid chown setgid };
|
||||
allow mobile_log_d self:capability2 syslog;
|
||||
|
||||
|
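Review bot: The new rule `allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };` is immediately followed by `allow mobile_log_d self:capability { setuid chown setgid };`, whose permissions are a strict subset of the line above it, so the second rule is now redundant. Merging them into the single rule keeps the domain's effective capability set obvious at a glance; the narrower line can simply be dropped. The same duplication appears in the other mobile_log_d hunk `@ -22,7 +22,7 @@` later on the page.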
@ -46,11 +46,6 @@ r_dir_file(mtkbootanimation, cgroup)
|
||||
|
||||
# System file accesses.
|
||||
allow mtkbootanimation system_file:dir r_dir_perms;
|
||||
# Date : WK14.31
|
||||
# Operation : Migration
|
||||
# Purpose : For IPC communication
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow mtkbootanimation self:netlink_socket create_socket_perms;
|
||||
|
||||
# Date : WK14.32
|
||||
# Operation : Migration
|
||||
@ -86,10 +81,3 @@ allow mtkbootanimation surfaceflinger:fifo_file rw_file_perms;
|
||||
|
||||
allow mtkbootanimation gpu_device:dir search;
|
||||
|
||||
|
||||
|
||||
#============= bootanim ==============
|
||||
#allow mtkbootanimation debugfs_tracing:file write;
|
||||
|
||||
#============= bootanim ==============
|
||||
#allow mtkbootanimation debugfs_tracing:file open;
|
||||
|
@ -59,13 +59,6 @@ allow netdiag netpolicy_service:service_manager find;
|
||||
allow netdiag network_management_service:service_manager find;
|
||||
allow netdiag settings_service:service_manager find;
|
||||
|
||||
|
||||
|
||||
# Purpose : for socket with MTKLogger
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow netdiag self:socket_class_set { create_socket_perms };
|
||||
#allow netdiag self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||
|
||||
# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
|
||||
allow netdiag device_logging_prop:file { getattr open };
|
||||
allow netdiag mmc_prop:file { getattr open };
|
||||
@ -97,10 +90,6 @@ allow netdiag self:udp_socket { ioctl create };
|
||||
#avc: denied { open } for path="/dev/__properties__/u:object_r:atm_ipaddr_prop:s0"
|
||||
#avc: denied { getattr } for path="/dev/__properties__/u:object_r:atm_ipaddr_prop:s0"
|
||||
#avc: denied { open } for path="/dev/__properties__/u:object_r:atm_mdmode_prop:s0"
|
||||
#allow netdiag atm_ipaddr_prop:file { getattr open };
|
||||
#allow netdiag atm_mdmode_prop:file { getattr open };
|
||||
#allow netdiag bluetooth_a2dp_offload_prop:file { getattr open };
|
||||
#allow netdiag bluetooth_prop:file open;
|
||||
allow netdiag proc_qtaguid_stat:dir { read open search };
|
||||
allow netdiag proc_qtaguid_stat:file { read getattr open };
|
||||
allow netdiag vendor_default_prop:file { read getattr open };
|
||||
|
@ -16,9 +16,7 @@ allow ppp property_socket:sock_file write;
|
||||
# Purpose: for PPPOE Test
|
||||
|
||||
allow ppp devpts:chr_file { read write ioctl open setattr };
|
||||
#allow ppp self:capability { setuid net_raw setgid dac_override };
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow ppp self:packet_socket { write ioctl setopt read bind create };
|
||||
allow ppp self:capability { setuid net_raw setgid };
|
||||
allow ppp shell_exec:file { read execute open execute_no_trans };
|
||||
|
||||
|
||||
|
@ -1,3 +0,0 @@
|
||||
# ==============================================
|
||||
# MTK Policy Rule
|
||||
# ============
|
@ -1,12 +0,0 @@
|
||||
# ==============================================
|
||||
# Policy File of storagemanagerd Executable File
|
||||
|
||||
# ==============================================
|
||||
# Type Declaration
|
||||
# ==============================================
|
||||
|
||||
# Act as 'vold' context to mount storages
|
||||
|
||||
# ==============================================
|
||||
# MTK Policy Rule
|
||||
# ==============================================
|
@ -31,11 +31,10 @@ allow servicemanager thermalindicator:process { getattr };
|
||||
typeattribute thermalindicator mlstrustedsubject;
|
||||
|
||||
allow thermalindicator proc:dir {search getattr};
|
||||
#allow thermalindicator proc:file read;
|
||||
allow thermalindicator shell:dir search;
|
||||
allow thermalindicator platform_app:dir search;
|
||||
allow thermalindicator platform_app:file {open read getattr};
|
||||
allow thermalindicator untrusted_app:dir search;
|
||||
allow thermalindicator untrusted_app:file {open read getattr};
|
||||
allow thermalindicator mediaserver:dir search;
|
||||
allow thermalindicator mediaserver:file {open read getattr};
|
||||
allow thermalindicator mediaserver:file {open read getattr};
|
||||
|
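Review bot: `allow thermalindicator mediaserver:file {open read getattr};` appears twice in this hunk; with 11 old and 10 new lines only one line is removed, so unless that removed line is one of the two copies the file keeps a duplicate rule that should be dropped. The block also lets thermalindicator search directories and read `file` objects of the `shell`, `platform_app`, `untrusted_app` and `mediaserver` domains (presumably `/proc/<pid>` entries, as the heading in the aee_aed hunks suggests) with no comment stating why cross-domain access is needed; a `# Purpose :` line in the style used elsewhere in these files would help the next reviewer. The second thermalindicator hunk `@ -31,11 +31,10 @@` on this page has the same shape.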
@ -17,8 +17,6 @@ init_daemon_domain(aee_aed)
|
||||
# AED start: /dev/block/expdb
|
||||
allow aee_aed block_device:dir search;
|
||||
|
||||
#allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow
|
||||
|
||||
# aee db dir and db files
|
||||
allow aee_aed sdcard_type:dir create_dir_perms;
|
||||
allow aee_aed sdcard_type:file create_file_perms;
|
||||
@ -40,7 +38,6 @@ allow aee_aed usermodehelper:file r_file_perms;
|
||||
allow aee_aed init:unix_stream_socket connectto;
|
||||
allow aee_aed property_socket:sock_file write;
|
||||
|
||||
#allow aee_aed call binaries labeled "system_file" under /system/bin/
|
||||
allow aee_aed system_file:file execute_no_trans;
|
||||
|
||||
allow aee_aed init:process getsched;
|
||||
@ -90,7 +87,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms;
|
||||
allow aee_aed tombstone_data_file:file create_file_perms;
|
||||
|
||||
# /proc/pid/
|
||||
#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module};
|
||||
allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};
|
||||
|
||||
# system(cmd) aee_dumpstate aee_archive
|
||||
allow aee_aed shell_exec:file rx_file_perms;
|
||||
@ -127,9 +124,3 @@ allow aee_aed init_exec:file r_file_perms;
|
||||
# Purpose : make aee_aed can get notify from crash_dump
|
||||
allow aee_aed crash_dump:dir search;
|
||||
allow aee_aed crash_dump:file r_file_perms;
|
||||
|
||||
# Purpose:
|
||||
# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }
|
||||
# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0
|
||||
# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
|
||||
#allow aee_aed sysfs:file r_file_perms;
|
||||
|
@ -14,13 +14,11 @@ init_daemon_domain(audiocmdservice_atci)
|
||||
# Perform Binder IPC for audio tuning tool and access to mediaserver
|
||||
binder_use(audiocmdservice_atci)
|
||||
binder_call(audiocmdservice_atci, mediaserver)
|
||||
#allow audiocmdservice_atci mediaserver:chr_file create_file_perms;
|
||||
allow audiocmdservice_atci mediaserver:dir w_dir_perms;
|
||||
allow audiocmdservice_atci mediaserver_service:service_manager find;
|
||||
|
||||
# Since Android N, google separates mediaserver to audioserver and cameraserver
|
||||
binder_call(audiocmdservice_atci, audioserver)
|
||||
#allow audiocmdservice_atci audioserver:chr_file create_file_perms;
|
||||
allow audiocmdservice_atci audioserver:dir w_dir_perms;
|
||||
allow audiocmdservice_atci audioserver_service:service_manager find;
|
||||
|
||||
@ -49,4 +47,3 @@ allow radio audiocmdservice_atci_exec:file getattr;
|
||||
#Android O porting
|
||||
hwbinder_use(audiocmdservice_atci)
|
||||
get_prop(audiocmdservice_atci, hwservicemanager_prop);
|
||||
#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms;
|
||||
|
@ -21,9 +21,6 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms;
|
||||
# For IPC communication
|
||||
allow boot_logo_updater init:unix_stream_socket connectto;
|
||||
allow boot_logo_updater property_socket:sock_file write;
|
||||
#allow boot_logo_updater self:capability dac_override;
|
||||
# To access some boot_mode infornation
|
||||
#allow boot_logo_updater sysfs:file rw_file_perms;
|
||||
# To access directory /dev/block/mmcblk0 or /dev/block/sdc
|
||||
allow boot_logo_updater block_device:dir search;
|
||||
allow boot_logo_updater graphics_device:dir search;
|
||||
|
@ -2,12 +2,6 @@
|
||||
# MTK Policy Rule
|
||||
# ============
|
||||
|
||||
# Date : WK14.31
|
||||
# Operation : Migration
|
||||
# Purpose : For IPC communication
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow bootanim self:netlink_socket create_socket_perms;
|
||||
|
||||
# Date : WK14.32
|
||||
# Operation : Migration
|
||||
# Purpose : for playing boot tone
|
||||
@ -40,11 +34,3 @@ allow bootanim surfaceflinger:fifo_file rw_file_perms;
|
||||
# Purpose : DRM / DRI GPU driver required
|
||||
|
||||
allow bootanim gpu_device:dir search;
|
||||
|
||||
|
||||
|
||||
#============= bootanim ==============
|
||||
#allow bootanim debugfs_tracing:file write;
|
||||
|
||||
#============= bootanim ==============
|
||||
#allow bootanim debugfs_tracing:file open;
|
||||
|
@ -31,11 +31,6 @@ allow cmddumper system_file:file x_file_perms;
|
||||
allow cmddumper media_rw_data_file:file { create_file_perms };
|
||||
allow cmddumper media_rw_data_file:dir { create_dir_perms };
|
||||
|
||||
# purpose: access vmodem device
|
||||
#allow cmddumper vmodem_device:chr_file { create_file_perms };
|
||||
|
||||
# purpose: access plat_file_contexts
|
||||
allow cmddumper file_contexts_file:file { read getattr open };
|
||||
|
||||
# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
|
||||
#allow cmddumper sysfs:file { read open };
|
@ -48,7 +48,7 @@ allow em_svr sysfs_leds:dir search;
|
||||
|
||||
# Date: WK1812
|
||||
# Purpose: add for sensor calibration
|
||||
#allow em_svr self:capability { dac_read_search dac_override chown fsetid };
|
||||
allow em_svr self:capability { chown fsetid };
|
||||
|
||||
# Date: WK1812
|
||||
# Purpose: add for shell cmd
|
||||
@ -60,23 +60,4 @@ allow em_svr toolbox_exec:file { getattr execute read open execute_no_trans };
|
||||
|
||||
# Date: WK1812
|
||||
# Purpose: sys file access
|
||||
#allow em_svr sysfs:file { getattr read write open };
|
||||
allow em_svr sysfs:dir { open read };
|
||||
|
||||
# Date: WK1812
|
||||
# Purpose: proc file access
|
||||
#allow em_svr proc:file { getattr open read write };
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -47,10 +47,6 @@ allow emdlogger storage_file:dir { create_dir_perms };
|
||||
allow emdlogger tmpfs:lnk_file read;
|
||||
allow emdlogger storage_file:file { create_file_perms };
|
||||
|
||||
#permission for read boot mode
|
||||
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
|
||||
#allow emdlogger sysfs:file { read open };
|
||||
|
||||
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
|
||||
# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
|
||||
allow emdlogger system_file:dir read;
|
||||
|
@ -27,13 +27,6 @@ init_daemon_domain(fuelgauged_static)
|
||||
allow fuelgauged_static input_device:dir rw_dir_perms;
|
||||
allow fuelgauged_static input_device:file r_file_perms;
|
||||
|
||||
|
||||
# Data : WK14.43
|
||||
# Operation : Migration
|
||||
# Purpose : For fg daemon can comminucate with kernel
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow fuelgauged_static fuelgauged_static:netlink_kobject_uevent_socket create_socket_perms;
|
||||
#allow fuelgauged_static fuelgauged_static:netlink_socket create_socket_perms;
|
||||
# Data : WK16.21
|
||||
# Operation : New Feature
|
||||
# Purpose : For fg daemon can access /data/FG folder
|
||||
@ -47,4 +40,4 @@ allow fuelgauged_static system_data_file:dir rw_dir_perms;
|
||||
allow fuelgauged_static rootfs:file entrypoint;
|
||||
|
||||
# Data : WK16.39
|
||||
#allow fuelgauged_static self:capability { chown fsetid dac_override };
|
||||
allow fuelgauged_static self:capability { chown fsetid };
|
||||
|
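Review bot: The retained rule `allow fuelgauged_static self:capability { chown fsetid };` sits under a bare `# Data : WK16.39` header with no `# Operation` or `# Purpose` lines, unlike the other entries in this file that carry all three. Suggest completing it, e.g. `# Purpose : chown/fsetid needed for <TODO fill in>`, so the remaining capabilities stay explained once the commented-out predecessor with `dac_override` is gone.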
@ -45,10 +45,6 @@ allow mdlogger storage_file:file { create_file_perms };
|
||||
## purpose: avc: denied { read } for name="plat_file_contexts"
|
||||
allow mdlogger file_contexts_file:file { read getattr open };
|
||||
|
||||
#permission for read boot mode
|
||||
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
|
||||
#allow mdlogger sysfs:file { read open };
|
||||
|
||||
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
|
||||
# scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
|
||||
allow mdlogger system_file:dir read;
|
||||
|
@ -21,13 +21,12 @@ init_daemon_domain(meta_tst)
|
||||
#============= meta_tst =========================
|
||||
|
||||
allow meta_tst port:tcp_socket { name_connect name_bind };
|
||||
#allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };
|
||||
allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };
|
||||
allow meta_tst self:tcp_socket { create connect setopt bind };
|
||||
allow meta_tst self:tcp_socket { bind setopt listen accept read write };
|
||||
allow meta_tst self:udp_socket { create ioctl };
|
||||
allow meta_tst self:capability { sys_boot ipc_lock };
|
||||
allow meta_tst sysfs_wake_lock:file rw_file_perms;
|
||||
#allow meta_tst sysfs:file write;
|
||||
allow meta_tst property_socket:sock_file w_file_perms;
|
||||
allow meta_tst init:unix_stream_socket connectto;
|
||||
allow meta_tst vold:unix_stream_socket connectto;
|
||||
|
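Review bot: The new `allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };` still includes `sys_admin` and `net_admin`, and a second rule a few lines below grants `{ sys_boot ipc_lock }` to the same domain, so the effective capability set is split across two lines with no purpose comment for either. Merging them into one rule and adding a short note per broad capability, e.g. `# Purpose : sys_admin / net_admin needed for <TODO fill in>`, would make later audits of this domain straightforward. Likewise the two `self:tcp_socket` rules immediately below could be a single rule.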
@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop)
|
||||
unix_socket_connect(mobile_log_d, logdr, logd);
|
||||
|
||||
#capability
|
||||
#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid };
|
||||
allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };
|
||||
allow mobile_log_d self:capability { setuid chown setgid };
|
||||
allow mobile_log_d self:capability2 syslog;
|
||||
|
||||
@ -66,6 +66,5 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms;
|
||||
|
||||
# access debugfs/tracing/instances/
|
||||
allow mobile_log_d debugfs_tracing:dir create_dir_perms;
|
||||
#allow mobile_log_d debugfs_tracing:file create_file_perms;
|
||||
allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
|
||||
allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
|
||||
|
@ -59,13 +59,6 @@ allow netdiag netpolicy_service:service_manager find;
|
||||
allow netdiag network_management_service:service_manager find;
|
||||
allow netdiag settings_service:service_manager find;
|
||||
|
||||
|
||||
|
||||
# Purpose : for socket with MTKLogger
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow netdiag self:socket_class_set { create_socket_perms };
|
||||
#allow netdiag self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||
|
||||
# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
|
||||
allow netdiag device_logging_prop:file { getattr open };
|
||||
allow netdiag mmc_prop:file { getattr open };
|
||||
|
@ -16,9 +16,6 @@ allow ppp property_socket:sock_file write;
|
||||
# Purpose: for PPPOE Test
|
||||
|
||||
allow ppp devpts:chr_file { read write ioctl open setattr };
|
||||
#allow ppp self:capability { setuid net_raw setgid dac_override };
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow ppp self:packet_socket { write ioctl setopt read bind create };
|
||||
allow ppp shell_exec:file { read execute open execute_no_trans };
|
||||
|
||||
|
||||
|
@ -31,11 +31,10 @@ allow servicemanager thermalindicator:process { getattr };
|
||||
typeattribute thermalindicator mlstrustedsubject;
|
||||
|
||||
allow thermalindicator proc:dir {search getattr};
|
||||
#allow thermalindicator proc:file read;
|
||||
allow thermalindicator shell:dir search;
|
||||
allow thermalindicator platform_app:dir search;
|
||||
allow thermalindicator platform_app:file {open read getattr};
|
||||
allow thermalindicator untrusted_app:dir search;
|
||||
allow thermalindicator untrusted_app:file {open read getattr};
|
||||
allow thermalindicator mediaserver:dir search;
|
||||
allow thermalindicator mediaserver:file {open read getattr};
|
||||
allow thermalindicator mediaserver:file {open read getattr};
|
||||
|