From 722798a3347f9da35fb48fffa360dea84b3b99aa Mon Sep 17 00:00:00 2001 
From: mtk12101 Date: Sat, 18 Jan 2020 10:02:25 +0800 Subject: [PATCH] [ALPS03982747] Remove unused sepolicy rules Some rules is no need any more, need to remove it. MTK-Commit-Id: 49685f1299d990a7195a2d54b955517d8f2cc699 Change-Id: I4a590ad781589cf94989ce72c88751ac10b82eae CR-Id: ALPS03982747 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK --- non_plat/MtkCodecService.te | 14 ----- non_plat/aee_aedv.te | 39 +------------ non_plat/audioserver.te | 1 - non_plat/autoplay_app.te | 7 --- non_plat/biosensord_nvram.te | 2 +- non_plat/cameraserver.te | 29 ---------- non_plat/cmddumper.te | 3 - non_plat/connsyslogger.te | 2 - non_plat/dumpstate.te | 1 - non_plat/em_svr.te | 2 - non_plat/emdlogger.te | 4 +- non_plat/factory.te | 31 +--------- non_plat/fuelgauged.te | 27 +-------- non_plat/fuelgauged_nvram.te | 11 +--- non_plat/hal_gnss_default.te | 1 - non_plat/hal_graphics_composer_default.te | 1 - non_plat/init.te | 1 - non_plat/kernel.te | 10 ---- non_plat/keystore.te | 1 - non_plat/mdlogger.te | 1 - non_plat/mediacodec.te | 56 ------------------- non_plat/mediaserver.te | 44 --------------- non_plat/merged_hal_service.te | 1 - non_plat/meta_tst.te | 47 +--------------- non_plat/mnld.te | 5 +- non_plat/mobile_log_d.te | 1 - non_plat/mtk_hal_audio.te | 17 +----- non_plat/mtk_hal_camera.te | 8 --- non_plat/mtk_hal_gnss.te | 1 - non_plat/mtk_hal_pq.te | 2 - non_plat/mtk_hal_sensors.te | 3 - non_plat/mtkbootanimation.te | 9 --- non_plat/mtkfusionrild.te | 21 ------- non_plat/mtkrild.te | 16 ------ non_plat/muxreport.te | 3 - non_plat/nvram_agent_binder.te | 8 +-- non_plat/nvram_daemon.te | 25 +-------- non_plat/platform_app.te | 5 -- non_plat/radio.te | 1 - non_plat/spm_loader.te | 1 - non_plat/stp_dump3.te | 2 +- non_plat/surfaceflinger.te | 6 -- non_plat/system_server.te | 4 -- non_plat/thermal_manager.te | 1 - non_plat/thermalloadalgod.te | 2 - non_plat/untrusted_app.te | 5 -- non_plat/update_engine.te | 1 - non_plat/wlan_assistant.te | 2 - 
plat_private/aee_aed.te | 11 +--- plat_private/aee_core_forwarder.te | 21 +------ plat_private/audiocmdservice_atci.te | 3 - plat_private/boot_logo_updater.te | 6 -- plat_private/bootanim.te | 6 -- plat_private/cmddumper.te | 6 -- plat_private/dumpstate.te | 1 - plat_private/em_svr.te | 2 +- plat_private/emdlogger.te | 7 +-- plat_private/mdlogger.te | 2 - plat_private/mobile_log_d.te | 2 +- plat_private/mtkbootanimation.te | 12 ---- plat_private/netdiag.te | 11 ---- plat_private/ppp.te | 4 +- plat_private/shell.te | 3 - plat_private/storagemanagerd.te | 12 ---- plat_private/thermalindicator.te | 3 +- prebuilts/api/26.0/plat_private/aee_aed.te | 11 +--- .../26.0/plat_private/audiocmdservice_atci.te | 3 - .../26.0/plat_private/boot_logo_updater.te | 3 - prebuilts/api/26.0/plat_private/bootanim.te | 14 ----- prebuilts/api/26.0/plat_private/cmddumper.te | 5 -- prebuilts/api/26.0/plat_private/em_svr.te | 21 +------ prebuilts/api/26.0/plat_private/emdlogger.te | 4 -- .../26.0/plat_private/fuelgauged_static.te | 9 +-- prebuilts/api/26.0/plat_private/mdlogger.te | 4 -- prebuilts/api/26.0/plat_private/meta_tst.te | 3 +- .../api/26.0/plat_private/mobile_log_d.te | 3 +- prebuilts/api/26.0/plat_private/netdiag.te | 7 --- prebuilts/api/26.0/plat_private/ppp.te | 3 - .../api/26.0/plat_private/thermalindicator.te | 3 +- 79 files changed, 26 insertions(+), 664 deletions(-) delete mode 100644 non_plat/autoplay_app.te delete mode 100755 plat_private/shell.te delete mode 100644 plat_private/storagemanagerd.te diff --git a/non_plat/MtkCodecService.te b/non_plat/MtkCodecService.te index ee12292..f9229a7 100644 --- a/non_plat/MtkCodecService.te +++ b/non_plat/MtkCodecService.te 
@@ -7,17 +7,3 @@ type MtkCodecService_exec , exec_type, file_type, vendor_file_type; type MtkCodecService ,domain; - -# ============================================== -# MTK Policy Rule -# ============================================== - -# Date : WK16.12 -# Operation : Migration -# Purpose : Do APE decode operation and exchange data with mediaserver. -#binder_use(MtkCodecService) -#init_daemon_domain(MtkCodecService) -#binder_call(MtkCodecService,mediaserver) -#allow MtkCodecService mtk_codec_service_service:service_manager add; -#allow MtkCodecService self:capability{setuid sys_nice}; -#allow MtkCodecService dumpstate:fd use; diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te index f5a4940..8feaed8 100644 --- a/non_plat/aee_aedv.te +++ b/non_plat/aee_aedv.te @@ -22,7 +22,6 @@ allow aee_aedv block_device:dir search; allow aee_aedv mtd_device:dir create_dir_perms; allow aee_aedv mtd_device:chr_file rw_file_perms; -#allow aee_aedv userdata_block_device:blk_file create_file_perms; # neverallow # NE flow: /dev/RT_Monitor allow aee_aedv RT_Monitor_device:chr_file r_file_perms; @@ -30,10 +29,6 @@ allow aee_aedv RT_Monitor_device:chr_file r_file_perms; allow aee_aedv sdcard_type:dir create_dir_perms; allow aee_aedv sdcard_type:file create_file_perms; -#data/anr -#allow aee_aedv anr_data_file:dir create_dir_perms; -#allow aee_aedv anr_data_file:file create_file_perms; - #data/aee_exp allow aee_aedv aee_exp_vendor_file:dir create_dir_perms; allow aee_aedv aee_exp_vendor_file:file create_file_perms; 
@@ -56,16 +51,10 @@ allow aee_aedv domain:lnk_file getattr; #core-pattern allow aee_aedv usermodehelper:file r_file_perms; -#suid_dumpable -# allow aee_aedv proc_security:file r_file_perms; neverallow - #property allow aee_aedv init:unix_stream_socket connectto; allow aee_aedv property_socket:sock_file write; -#allow aee_aedv call binaries labeled "system_file" under /system/bin/ -# allow aee_aedv system_file:file execute_no_trans; - allow aee_aedv init:process getsched; allow aee_aedv kernel:process getsched; @@ -74,23 +63,11 @@ allow aee_aedv kernel:process getsched; # Purpose: For pagemap & pageflags information in NE DB userdebug_or_eng(`allow aee_aedv self:capability sys_admin;') -# Date: W16.17 -# Operation: N0 Migeration -# Purpose: creat dir "aee_exp" under /data -#allow aee_aedv system_data_file:dir { write create add_name }; - # Purpose: aee_aedv set property set_prop(aee_aedv, persist_mtk_aee_prop); set_prop(aee_aedv, persist_aee_prop); set_prop(aee_aedv, debug_mtk_aee_prop); -# Purpose: allow aee_aedv to access toolbox -# allow aee_aedv toolbox_exec:file { execute execute_no_trans }; - -# purpose: allow aee_aedv to access storage on N version -#allow aee_aedv media_rw_data_file:file { create_file_perms }; -#allow aee_aedv media_rw_data_file:dir { create_dir_perms }; - # Purpose: mnt/user/* allow aee_aedv mnt_user_file:dir search; allow aee_aedv mnt_user_file:lnk_file read; @@ -98,15 +75,6 @@ allow aee_aedv mnt_user_file:lnk_file read; allow aee_aedv storage_file:dir search; allow aee_aedv storage_file:lnk_file read; -# Date : WK17.09 -# Operation : AEE UT for Android O -# Purpose : for AEE module to dump files -# domain_auto_trans(aee_aedv, dumpstate_exec, dumpstate) - -# Purpose : aee_aedv communicate with aee_core_forwarder -# allow aee_aedv aee_core_forwarder:dir search; -# allow aee_aedv aee_core_forwarder:file { read getattr open }; - userdebug_or_eng(` allow aee_aedv su:dir {search read open }; allow aee_aedv su:file { read getattr open }; 
@@ -117,7 +85,7 @@ allow aee_aedv aee_tombstone_data_file:dir w_dir_perms; allow aee_aedv aee_tombstone_data_file:file create_file_perms; # /proc/pid/ -#allow aee_aedv self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module}; +allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module}; # PROCESS_FILE_STATE allow aee_aedv dumpstate:unix_stream_socket { read write ioctl }; @@ -127,7 +95,6 @@ allow aee_aedv dumpstate:file r_file_perms; allow aee_aedv proc:file rw_file_perms; allow aee_aedv logdr_socket:sock_file write; allow aee_aedv logd:unix_stream_socket connectto; -# allow aee_aedv system_ndebug_socket:sock_file write; mask for never allow rule # vibrator allow aee_aedv sysfs_vibrator:file w_file_perms; @@ -146,7 +113,6 @@ allow aee_aedv { -keystore -init }:process ptrace; -#allow aee_aedv dalvikcache_data_file:dir r_dir_perms; allow aee_aedv zygote_exec:file r_file_perms; allow aee_aedv init_exec:file r_file_perms; @@ -270,9 +236,6 @@ allow aee_aedv sysfs_leds:file r_file_perms; allow aee_aedv sysfs_ccci:dir search; allow aee_aedv sysfs_ccci:file r_file_perms; -#allow aee_aedv system_data_file:dir getattr; -#allow aee_aedv system_data_file:file open; - # Purpose: # 01-01 00:03:44.330 3658 3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied # { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r: diff --git a/non_plat/audioserver.te b/non_plat/audioserver.te index f639c2a..566ba2c 100644 --- a/non_plat/audioserver.te +++ b/non_plat/audioserver.te @@ -38,7 +38,6 @@ allow audioserver tmpfs:dir search; # Date : WK16.18 # Operation : Migration # Purpose: access sysfs node -#allow audioserver sysfs:file { open read write }; allow audioserver sysfs_ccci:dir search; # Purpose: Dump debug info diff --git a/non_plat/autoplay_app.te b/non_plat/autoplay_app.te deleted file mode 100644 index ae4ab67..0000000 
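Review bot: The added `allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};` in the `@@ -117,7 +85,7 @@` hunk turns a commented-out rule into a live grant, so this hunk widens the policy in a commit titled "Remove unused sepolicy rules". Only `dac_override` was dropped from the old commented set; `sys_module` and `net_admin` become active on every build type, whereas the `sys_admin` rule earlier in this file is wrapped in `userdebug_or_eng`. The same un-commenting pattern appears in biosensord_nvram.te (`{ chown fsetid }`), emdlogger.te (`{ chown }`), factory.te, fuelgauged.te and fuelgauged_nvram.te. If these domains ran without the capabilities while the rules were commented out, the lines should be deleted like the other dead comments. If they are needed, they belong in a separate change that states the denial each capability resolves, with `sys_module` limited to debug builds unless a user-build need is shown.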
--- a/non_plat/autoplay_app.te +++ /dev/null @@ -1,7 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============ - -# Date : WK16.33 -# Purpose: Allow to access ged for gralloc_extra functions -#allow autoplay_app proc_ged:file {open read write ioctl getattr}; diff --git a/non_plat/biosensord_nvram.te b/non_plat/biosensord_nvram.te index 0ab7fb4..dc1b19f 100644 --- a/non_plat/biosensord_nvram.te +++ b/non_plat/biosensord_nvram.te @@ -29,5 +29,5 @@ allow biosensord_nvram nvdata_file:dir rw_dir_perms; allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms}; allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms; allow biosensord_nvram biometric_device:chr_file { open ioctl read write }; -#allow biosensord_nvram self:capability { dac_read_search chown fsetid dac_override }; +allow biosensord_nvram self:capability { chown fsetid }; allow biosensord_nvram system_data_file:lnk_file read; diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te index bacc003..5df036f 100644 --- a/non_plat/cameraserver.te +++ b/non_plat/cameraserver.te @@ -42,16 +42,8 @@ allow cameraserver MTK_SMI_device:chr_file r_file_perms; allow cameraserver camera_pipemgr_device:chr_file r_file_perms; allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms; allow cameraserver lens_device:chr_file rw_file_perms; -allow cameraserver nvdata_file:dir { write search add_name }; -allow cameraserver nvdata_file:file { read write getattr setattr open create }; -allow cameraserver nvram_data_file:dir search; -allow cameraserver nvram_data_file:dir w_dir_perms; -allow cameraserver nvram_data_file:file create_file_perms; -allow cameraserver nvram_data_file:lnk_file read; allow cameraserver nvdata_file:lnk_file read; -#allow cameraserver proc:file { read ioctl open }; allow cameraserver proc_meminfo:file { read getattr open }; -#allow cameraserver sysfs:file { read write open }; # Date : WK14.34 # Operation : Migration 
@@ -90,13 +82,6 @@ allow cameraserver camera_sysram_device:chr_file r_file_perms; # Purpose : VDEC/VENC device node allow cameraserver Vcodec_device:chr_file rw_file_perms; -# Date : WK14.36 -# Operation : Migration -# Purpose : MMProfile debug -# userdebug_or_eng(` -#allow cameraserver debugfs:file {read ioctl getattr search}; -# ') - # Date : WK14.36 # Operation : Migration # Purpose : access nvram, otp, ccci cdoec devices. @@ -111,7 +96,6 @@ allow cameraserver bootdevice_block_device:blk_file rw_file_perms; # Date : WK14.36 # Operation : Migration # Purpose : for SW codec VP/VR -#allow cameraserver mtk_device:chr_file { read write ioctl open }; allow cameraserver mtk_sched_device:chr_file rw_file_perms; # Date : WK14.38 @@ -167,8 +151,6 @@ binder_call(cameraserver,MtkCodecService) # Data : WK14.39 # Operation : Migration # Purpose : HW encrypt SW codec -allow cameraserver mediaserver_data_file:file create_file_perms; -allow cameraserver mediaserver_data_file:dir create_dir_perms; allow cameraserver sec_device:chr_file r_file_perms; # Date : WK14.40 @@ -225,8 +207,6 @@ allow cameraserver sysfs_lowmemorykiller:file { read open }; allow cameraserver proc_mtkcooler:dir search; allow cameraserver proc_mtktz:dir search; allow cameraserver proc_thermal:dir search; -allow cameraserver thermal_manager_data_file:file create_file_perms; -allow cameraserver thermal_manager_data_file:dir { rw_dir_perms setattr }; # Date : WK14.46 # Operation : Migration @@ -277,11 +257,6 @@ allow cameraserver mnt_user_file:lnk_file {read write}; # Purpose: Allow cameraserver to read binder from surfaceflinger allow cameraserver surfaceflinger:fifo_file {read write}; -# Date : WK15.45 -# Purpose : camera read/write /nvcfg/camera data -allow cameraserver nvcfg_file:dir create_dir_perms; -allow cameraserver nvcfg_file:file create_file_perms; - # Date : WK15.46 # Operation : Migration # Purpose : DPE Driver 
@@ -349,7 +324,6 @@ allow cameraserver aee_aed:unix_stream_socket connectto; ') # Purpose: Allow to access debugfs_ion dir. -#allow cameraserver debugfs_ion:dir search; allow cameraserver system_data_file:lnk_file read; # Date : WK17.19 @@ -359,9 +333,6 @@ allow cameraserver camera_owe_device:chr_file rw_file_perms; # Date : WK17.25 # Operation : Migration -#allow cameraserver debugfs_tracing:file { write open }; -allow cameraserver nvram_data_file:dir { add_name write create}; -allow cameraserver nvram_data_file:file { write getattr setattr read create open }; allow cameraserver debugfs_ion:dir search; # Date : WK17.30 diff --git a/non_plat/cmddumper.te b/non_plat/cmddumper.te index 8e88f2a..6bc2b5c 100644 --- a/non_plat/cmddumper.te +++ b/non_plat/cmddumper.te @@ -18,9 +18,6 @@ allow cmddumper debug_prop:property_service set; allow cmddumper media_rw_data_file:file { create_file_perms }; allow cmddumper media_rw_data_file:dir { create_dir_perms }; -# purpose: access vmodem device -#allow cmddumper vmodem_device:chr_file { create_file_perms }; - # purpose: access plat_file_contexts allow cmddumper file_contexts_file:file { read getattr open }; diff --git a/non_plat/connsyslogger.te b/non_plat/connsyslogger.te index 179764d..8a216fd 100755 --- a/non_plat/connsyslogger.te +++ b/non_plat/connsyslogger.te @@ -41,8 +41,6 @@ allow connsyslogger vfat:file create_file_perms; allow connsyslogger mnt_user_file:dir search; allow connsyslogger mnt_user_file:lnk_file read; allow connsyslogger storage_file:lnk_file read; -#allow connsyslogger self:capability { chown dac_override }; -#allow connsyslogger proc:file {setattr write read open}; #permission for use SELinux API allow connsyslogger rootfs:file r_file_perms; diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te index cc1c18f..d23d26a 100644 --- a/non_plat/dumpstate.te +++ b/non_plat/dumpstate.te 
@@ -69,7 +69,6 @@ allow dumpstate aee_aed:unix_stream_socket { read write ioctl }; # allow dumpstate config_gz:file read; allow dumpstate sysfs_leds:dir r_dir_perms; -#allow dumpstate sysfs_leds:file r_file_perms; # Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied # { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r: diff --git a/non_plat/em_svr.te b/non_plat/em_svr.te index bd91d20..0e3a491 100644 --- a/non_plat/em_svr.te +++ b/non_plat/em_svr.te @@ -23,8 +23,6 @@ allow em_svr proc_battery_cmd:file { create write open }; # Date: WK1812 # Purpose: add for light/proximity sensor -#allow em_svr nvdata_file:dir { write open search read add_name }; -#allow em_svr nvdata_file:file { getattr read write create open setattr }; allow em_svr nvram_device:blk_file { open read write }; # Date: WK1812 diff --git a/non_plat/emdlogger.te b/non_plat/emdlogger.te index 490bdf4..d283970 100644 --- a/non_plat/emdlogger.te +++ b/non_plat/emdlogger.te @@ -1,5 +1,4 @@ #allow emdlogger to set property -#allow emdlogger debug_mdlogger_prop:property_service set; allow emdlogger debug_prop:property_service set; allow emdlogger persist_mtklog_prop:property_service set; allow emdlogger system_radio_prop:property_service set; @@ -37,7 +36,6 @@ allow emdlogger vfat:dir create_dir_perms; allow emdlogger vfat:file create_file_perms; #modem logger permission in storage in android M version -#allow emdlogger log_device:chr_file { write open }; allow emdlogger mnt_user_file:dir search; allow emdlogger mnt_user_file:lnk_file read; allow emdlogger storage_file:lnk_file read; @@ -94,7 +92,7 @@ allow emdlogger file_contexts_file:file { read getattr open }; allow emdlogger block_device:dir search; allow emdlogger md_block_device:blk_file { read open }; -#allow emdlogger self:capability { chown dac_override }; +allow emdlogger self:capability { chown }; # purpose: allow emdlogger to access persist.meta.connecttype 
diff --git a/non_plat/factory.te b/non_plat/factory.te index 0b4b673..57deabd 100644 --- a/non_plat/factory.te +++ b/non_plat/factory.te @@ -65,11 +65,8 @@ allow factory proc_mrdump_rst:file w_file_perms; #Date: WK15.31 #Purpose: define factory_data_file instead of system_data_file # because system_data_file is sensitive partition from M -#allow factory self:capability2 block_suspend; wakelock_use(factory); allow factory storage_file:dir { write create add_name search mounton }; -#allow factory factory_data_file:file create_file_perms; -#allow factory shell_exec:file r_file_perms; # Date: WK15.44 # Purpose: factory idle current status @@ -78,15 +75,9 @@ allow factory vendor_factory_idle_state_prop:property_service set; # Date: WK15.46 # Purpose: gps factory mode allow factory agpsd_data_file:dir search; -#allow factory apk_data_file:dir write; -#allow factory gps_data_file:dir r_dir_perms; -#allow factory gps_data_file:dir { write open }; -#allow factory gps_data_file:file { read write }; allow factory gps_data_file:dir { write add_name search remove_name unlink}; allow factory gps_data_file:file { read write open create getattr append setattr unlink lock}; allow factory gps_data_file:lnk_file read; -# allow factory gps_emi_device:chr_file { read write }; -#allow factory shell_exec:file x_file_perms; allow factory storage_file:lnk_file r_file_perms; #Date: WK15.48 @@ -108,8 +99,6 @@ allow factory nvdata_file:lnk_file r_file_perms; allow factory nvram_device:chr_file rw_file_perms; allow factory nvram_device:blk_file rw_file_perms; allow factory nvdata_device:blk_file rw_file_perms; -# Purpose : Allow factory read /data/nvram link -#allow factory system_data_file:lnk_file read; #Date: WK16.12 #Purpose: For sensor test 
@@ -215,9 +204,6 @@ allow factory audiohal_prop:property_service set; allow factory input_device:chr_file r_file_perms; allow factory input_device:dir rw_dir_perms; -#Purpose: For gps test -#allow factory gps_device:chr_file rw_file_perms; - # Date: WK16.17 # Purpose: N Migration For ccci sysfs node # Allow read to sys/kernel/ccci/* files @@ -233,10 +219,6 @@ allow factory sysfs_ccci:file r_file_perms; allow factory sysfs_boot_mode:file { read open }; allow factory sysfs_boot_type:file { read open }; -# Date: WK16.30 -#Purpose: For gps test -#allow factory media_rw_data_file:dir search; -#allow factory gps_data_file:dir add_name; #TODO:: MTK need to remove later not_full_treble(` allow factory mnld:unix_dgram_socket sendto; @@ -245,13 +227,10 @@ not_full_treble(` # Date: WK16.31 #Purpose: For gps test allow factory mnld_prop:property_service set; -#allow factory media_rw_data_file:dir { read open }; -#allow factory gps_data_file:file create_file_perms; # Date: WK16.33 #Purpose: for unmount sdcardfs and stop services which are using data partition allow factory sdcard_type:filesystem unmount; -#allow factory toolbox_exec:file { read open getattr execute execute_no_trans }; allow factory ctl_default_prop:property_service set; # Date : WK16.35 @@ -272,16 +251,12 @@ allow factory sysfs_leds:lnk_file read; allow factory sysfs_vibrator:file {open read write}; allow factory ion_device:chr_file { read open ioctl }; allow factory debugfs_ion:dir search; -#allow factory proc:file ioctl; # Date: WK17.27 # Purpose: STMicro NFC solution integration allow factory st21nfc_device:chr_file { open read getattr write ioctl }; -#allow factory nfc_socket:dir search; -#allow factory vendor_file:file { getattr execute execute_no_trans read open }; set_prop(factory,hwservicemanager_prop); hwbinder_use(factory); hal_client_domain(factory, hal_nfc); -#allow factory debugfs_tracing:file { open write }; # Date : WK17.32 # Operation : O Migration 
@@ -314,10 +289,8 @@ allow factory kernel:system module_request; allow factory node:tcp_socket node_bind; allow factory userdata_block_device:blk_file rw_file_perms; allow factory port:tcp_socket { name_bind name_connect }; -#allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time sys_boot sys_admin }; +allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin }; allow factory sdcard_type:dir r_dir_perms; -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow factory self:netlink_route_socket create_socket_perms; allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write }; allow factory proc_net:file { read getattr open }; allowxperm factory self:udp_socket ioctl priv_sock_ioctls; @@ -328,8 +301,6 @@ allow factory self:tcp_socket create_stream_socket_perms; allow factory self:udp_socket create_socket_perms; allow factory sysfs_wake_lock:file rw_file_perms; -##allow factory system_data_file:dir w_dir_perms; -##allow factory system_data_file:sock_file create_file_perms; allow factory system_file:file x_file_perms; # For Light HIDL permission diff --git a/non_plat/fuelgauged.te b/non_plat/fuelgauged.te index b687d2b..332043a 100644 --- a/non_plat/fuelgauged.te +++ b/non_plat/fuelgauged.te 
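Review bot: The re-enabled `allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin };` in the `@@ -314,10 +289,8 @@` hunk has no Date/Purpose header of the kind the rest of factory.te uses, so nothing records why the factory domain needs nine capabilities, including `sys_admin`, `sys_module` and `sys_boot`. Whether each one is still exercised is not visible from this hunk; the set should be trimmed to the capabilities that appear as AVC denials in a factory-mode run. Add a header above the rule, for example `# Purpose : <test item that needs each capability>`. The same hunk also deletes the `### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te` comment, which was the only explanation for why the `netlink_route_socket` rule below it lists permissions explicitly instead of using `create_socket_perms`; keep a one-line comment there.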
@@ -41,37 +41,12 @@ allow fuelgauged kmsg_device:chr_file w_file_perms; # Data : WK14.43 # Operation : Migration # Purpose : For fg daemon can comminucate with kernel -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.t -#allow fuelgauged fuelgauged:netlink_kobject_uevent_socket create_socket_perms; -#allow fuelgauged fuelgauged:netlink_socket create_socket_perms; allow fuelgauged self:netlink_socket create; allow fuelgauged self:netlink_socket create_socket_perms_no_ioctl; allow fuelgauged self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write }; -# Data : WK16.21 -# Operation : New Feature -# Purpose : For fg daemon can access /data/FG folder -#file_type_auto_trans(fuelgauged, system_data_file, fuelgauged_file); -#allow fuelgauged fuelgauged_file:file rw_file_perms; -#allow fuelgauged system_data_file:dir rw_dir_perms; - -# Data : WK16.21 -# Operation : New Feature -# Purpose : For fg daemon can do nvram r/w to save car_tune_value -#allow fuelgauged nvdata_file:dir rw_dir_perms; -#allow fuelgauged nvdata_file:file {rw_file_perms create_file_perms}; -#allow fuelgauged nvram_data_file:lnk_file rw_file_perms; -#allow fuelgauged nvdata_file:lnk_file rw_file_perms; - # Data : WK16.39 -#allow fuelgauged self:capability { chown fsetid dac_override }; - -# Data : W16.43 -# Operation : New Feature -# Purpose : Change from /data to /cache -#allow fuelgauged cache_file:file {rw_file_perms create_file_perms}; -#allow fuelgauged cache_file:dir {rw_dir_perms create_dir_perms}; -#allow fuelgauged sysfs:file {rw_file_perms create_file_perms}; +allow fuelgauged self:capability { chown fsetid }; # Date: W17.22 # Operation : New Feature diff --git a/non_plat/fuelgauged_nvram.te b/non_plat/fuelgauged_nvram.te index fcd1749..1bf2585 100644 --- a/non_plat/fuelgauged_nvram.te +++ b/non_plat/fuelgauged_nvram.te 
@@ -22,13 +22,6 @@ type fuelgauged_nvram_file, file_type, data_file_type; init_daemon_domain(fuelgauged_nvram) -# Data : WK16.21 -# Operation : New Feature -# Purpose : For fg daemon can access /data/FG folder -#file_type_auto_trans(fuelgauged_nvram, system_data_file, fuelgauged_nvram_file); -#allow fuelgauged_nvram fuelgauged_nvram_file:file rw_file_perms; -#allow fuelgauged_nvram system_data_file:dir rw_dir_perms; - # Data : WK16.21 # Operation : New Feature # Purpose : For fg daemon can do nvram r/w to save car_tune_value @@ -43,9 +36,7 @@ allow fuelgauged_nvram fuelgauged_file:file {rw_file_perms create_file_perms}; # Data : W16.43 # Operation : New Feature # Purpose : Change from /data to /cache -#allow fuelgauged_nvram cache_file:file {rw_file_perms create_file_perms}; -#allow fuelgauged_nvram cache_file:dir {rw_dir_perms create_dir_perms}; -#allow fuelgauged_nvram self:capability { dac_read_search dac_override chown }; +allow fuelgauged_nvram self:capability { chown }; allow fuelgauged_nvram kmsg_device:chr_file { write open }; allow fuelgauged_nvram self:capability fsetid; diff --git a/non_plat/hal_gnss_default.te b/non_plat/hal_gnss_default.te index 9d7fb58..884aacf 100644 --- a/non_plat/hal_gnss_default.te +++ b/non_plat/hal_gnss_default.te @@ -1,5 +1,4 @@ # Communicate over a socket created by mnld process. -#allow hal_gnss debuggerd:fd use; allow hal_gnss_default mnld_data_file:sock_file create_file_perms; allow hal_gnss_default mnld_data_file:sock_file rw_file_perms; allow hal_gnss_default mnld_data_file:dir create_file_perms; diff --git a/non_plat/hal_graphics_composer_default.te b/non_plat/hal_graphics_composer_default.te index eb035db..1ecff2a 100644 --- a/non_plat/hal_graphics_composer_default.te +++ b/non_plat/hal_graphics_composer_default.te 
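Review bot: In the `@@ -43,9 +36,7 @@` hunk the new `allow fuelgauged_nvram self:capability { chown };` is left under the header `# Purpose : Change from /data to /cache`, but the `cache_file` rules that header described are deleted in the same hunk, so the comment now mislabels a capability grant. The context line two below already grants `self:capability fsetid`, so the two could be one documented rule: `allow fuelgauged_nvram self:capability { chown fsetid };` under a header such as `# Purpose : <why chown/fsetid are needed>`. The file continues past the hunk, so other capability rules may exist outside this view.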
@@ -1,7 +1,6 @@ vndbinder_use(hal_graphics_composer_default) allow hal_graphics_composer_default debugfs_ged:dir search; -#allow hal_graphics_composer_default debugfs_ion:dir search; # Date : WK17.09 # Operation : Add sepolicy diff --git a/non_plat/init.te b/non_plat/init.te index 8614696..ae26cce 100644 --- a/non_plat/init.te +++ b/non_plat/init.te @@ -96,7 +96,6 @@ allow init protect_f_data_file:dir mounton; allow init protect_s_data_file:dir mounton; allow init nvcfg_file:dir mounton; allow init persist_data_file:dir mounton; -#allow init system_file:dir setattr; allow init tmpfs:lnk_file create; # boot process denial clean up diff --git a/non_plat/kernel.te b/non_plat/kernel.te index 105c711..6207094 100644 --- a/non_plat/kernel.te +++ b/non_plat/kernel.te @@ -18,16 +18,6 @@ allow kernel vold_device:blk_file rw_file_perms; # Purpose : Access to nvarm for reading MAC. (LOS WIFI feature) allow kernel system_data_file:lnk_file r_file_perms; -# Date : WK14.43 -# Operation : Migration -# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature) -#allow kernel nvram_device:blk_file rw_file_perms; - -# Date : WK15.29 -# Operation : Migration -# Purpose : grant wifi data file access for mtk_wmtd as root. -#allow kernel self:capability { dac_read_search dac_override }; - # Date : WK15.35 # Operation : Migration # Purpose : grant fon_image_data_file read permission for loop device diff --git a/non_plat/keystore.te b/non_plat/keystore.te index 9d7e4c7..174c8f5 100644 --- a/non_plat/keystore.te +++ b/non_plat/keystore.te @@ -10,5 +10,4 @@ allow keystore app_data_file:file write; # Date : WK17.30 2017/07/25 # Operation : keystore # Purpose : Fix keystore boot selinux violation -#allow keystore debugfs_tracing:file write; allow hal_keymaster_default debugfs_tracing:file write; diff --git a/non_plat/mdlogger.te b/non_plat/mdlogger.te index e8f4767..9c34bf2 100644 --- a/non_plat/mdlogger.te +++ b/non_plat/mdlogger.te 
@@ -23,7 +23,6 @@ allow mdlogger vfat:dir create_dir_perms; allow mdlogger vfat:file create_file_perms; #mdlogger for read /sdcard -#allow mdlogger log_device:chr_file w_file_perms; allow mdlogger tmpfs:lnk_file read; allow mdlogger storage_file:lnk_file rw_file_perms; allow mdlogger mnt_user_file:dir search; diff --git a/non_plat/mediacodec.te b/non_plat/mediacodec.te index c267535..475740f 100644 --- a/non_plat/mediacodec.te +++ b/non_plat/mediacodec.te @@ -7,12 +7,6 @@ # Purpose : VP/VR allow mediacodec devmap_device:chr_file { ioctl }; -# Date : WK14.34 -# Operation : Migration -# Purpose : Smartcard Service -#allow mediacodec self:netlink_kobject_uevent_socket read; -#allow mediacodec system_data_file:file open; - # Date : WK14.36 # Operation : Migration # Purpose : VDEC/VENC device node @@ -42,34 +36,11 @@ allow mediacodec nvdata_file:file create_file_perms; allow mediacodec devmap_device:chr_file r_file_perms; allow mediacodec proc_meminfo:file {read getattr open}; -# Date : WK14.36 -# Operation : Migration -# Purpose : MMProfile debug -# userdebug_or_eng(` -#allow mediacodec debugfs:file {read ioctl getattr}; -# ') - # Date : WK14.36 # Operation : Migration # Purpose : for SW codec VP/VR -#allow mediacodec mtk_device:chr_file { read write ioctl open }; allow mediacodec mtk_sched_device:chr_file { read write ioctl open }; -# Date : WK14.38 -# Operation : Migration -# Purpose : NVRam access -#allow mediacodec block_device:dir { write search }; - -# Data : WK14.38 -# Operation : Migration -# Purpose : for boot animation. -#allow mediacodec bootanim:binder { transfer call }; - -# Date : WK14.39 -# Operation : Migration -# Purpose : APE PLAYBACK -#binder_call(mediacodec,MtkCodecService) - # Data : WK14.39 # Operation : Migration # Purpose : HW encrypt SW codec 
@@ -100,32 +71,11 @@ allow mediacodec thermal_manager_data_file:file create_file_perms; allow mediacodec thermal_manager_data_file:dir { rw_dir_perms setattr }; allow mediacodec thermal_manager_data_file:dir search; -# Date : WK14.46 -# Operation : Migration -# Purpose : for MTK Emulator HW GPU -#allow mediacodec qemu_pipe_device:chr_file rw_file_perms; - # Data : WK14.47 # Operation : CTS # Purpose : cts search strange app allow mediacodec untrusted_app:dir search; -# Date : WK15.35 -# Operation : Migration -# Purpose: Allow mediacodec to read binder from surfaceflinger -#allow mediacodec surfaceflinger:fifo_file {read write}; - -# Date : WK15.45 -# Operation : 1/32x SlowMotion SQC -# Purpose : for Clearmotion LowPower Switch -#allow mediacodec mjc_lib_prop:property_service set; -#allow mediacodec mtk_mjc_prop:property_service set; - -# Date : WK15.02 -# Operation : 120Hz Feature SQC -# Purpose : for 120Hz Smart Switch -#allow mediacodec mtk_rrc_device:chr_file { read write ioctl open }; - # Date : WK14.39 # Operation : Migration # Purpose : MJC Driver @@ -150,8 +100,6 @@ allow mediacodec surfaceflinger:fifo_file rw_file_perms; # Operator: Whitney SQC # Purpose: mediacodec use gpu allow mediacodec gpu_device:dir search; -#allow mediacodec debug_prop:property_service set; -#allow mediacodec system_prop:property_service set; # Date : W18.01 # Add for turn on SElinux in enforcing mode @@ -196,7 +144,3 @@ allow mediacodec mtk_thermal_config_prop:property_service set; allow mediacodec graphics_device:chr_file { ioctl open read }; allow mediacodec graphics_device:dir search; -# Date : WK18.03 -# Operation : MT6771 SQC -# Purpose : Video SW decoder setprop for dex2oat thread 2 -#allow mediacodec dalvik_prop:property_service set; diff --git a/non_plat/mediaserver.te b/non_plat/mediaserver.te index 2cca9d1..8495c85 100644 --- a/non_plat/mediaserver.te +++ b/non_plat/mediaserver.te 
@@ -22,12 +22,8 @@ allow mediaserver lens_device:chr_file rw_file_perms; # Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam. allow mediaserver sdcard_type:dir { w_dir_perms create }; allow mediaserver sdcard_type:file create; -#allow mediaserver nvram_data_file:dir w_dir_perms; -#allow mediaserver nvram_data_file:file create_file_perms; allow mediaserver nvram_data_file:lnk_file read; allow mediaserver nvdata_file:lnk_file read; -#allow mediaserver nvdata_file:dir w_dir_perms; -#allow mediaserver nvdata_file:file create_file_perms; allow mediaserver sdcard_type:dir remove_name; allow mediaserver sdcard_type:file unlink; @@ -35,8 +31,6 @@ allow mediaserver sdcard_type:file unlink; # Operation : Migration # Purpose : nvram access (dumchar case for nand and legacy chip) allow mediaserver nvram_device:chr_file rw_file_perms; -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow mediaserver self:netlink_kobject_uevent_socket { create setopt bind }; allow mediaserver self:capability { net_admin }; # Date : WK14.34 @@ -47,8 +41,6 @@ allow mediaserver devmap_device:chr_file { ioctl }; # Date : WK14.34 # Operation : Migration # Purpose : Smartcard Service -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow mediaserver self:netlink_kobject_uevent_socket read; allow mediaserver system_data_file:file open; # Date : WK14.36 @@ -68,13 +60,6 @@ allow mediaserver camera_sysram_device:chr_file r_file_perms; # Purpose : VDEC/VENC device node allow mediaserver Vcodec_device:chr_file rw_file_perms; -# Date : WK14.36 -# Operation : Migration -# Purpose : MMProfile debug -# userdebug_or_eng(` -#allow mediaserver debugfs:file {read ioctl getattr}; -# ') - # Date : WK14.36 # Operation : Migration # Purpose : access nvram, otp, ccci cdoec devices. 
@@ -89,7 +74,6 @@ allow mediaserver bootdevice_block_device:blk_file rw_file_perms; # Date : WK14.36 # Operation : Migration # Purpose : for SW codec VP/VR -#allow mediaserver mtk_device:chr_file { read write ioctl open }; allow mediaserver mtk_sched_device:chr_file rw_file_perms; # Date : WK14.38 @@ -144,13 +128,6 @@ allow mediaserver camera_fdvt_device:chr_file rw_file_perms; # Purpose : APE PLAYBACK binder_call(mediaserver,MtkCodecService) -# Data : WK14.39 -# Operation : Migration -# Purpose : HW encrypt SW codec -#allow mediaserver mediaserver_data_file:file create_file_perms; -#allow mediaserver mediaserver_data_file:dir create_dir_perms; -#allow mediaserver sec_device:chr_file r_file_perms; - # Date : WK14.40 # Operation : Migration # Purpose : HDMI driver access @@ -172,13 +149,6 @@ binder_call(mediaserver,audiocmdservice_atci) # Purpose : mtk_jpeg allow mediaserver mtk_jpeg_device:chr_file r_file_perms; -# Date : WK14.41 -# Operation : Migration -# Purpose : Lossless BT audio -#allow mediaserver shell_exec:file { read open execute execute_no_trans }; -#allow mediaserver system_file:file execute_no_trans; -#allow mediaserver zygote_exec:file execute_no_trans; - # Date : WK14.41 # Operation : Migration # Purpose : WFD HID Driver @@ -218,8 +188,6 @@ allow mediaserver sysfs_lowmemorykiller:file { read open }; allow mediaserver proc_mtkcooler:dir search; allow mediaserver proc_mtktz:dir search; allow mediaserver proc_thermal:dir search; -#allow mediaserver thermal_manager_data_file:file create_file_perms; -#allow mediaserver thermal_manager_data_file:dir { rw_dir_perms setattr }; # Date : WK14.46 # Operation : Migration 
@@ -276,13 +244,6 @@ allow mediaserver mnt_user_file:lnk_file {read write}; # Purpose: Allow mediaserver to read binder from surfaceflinger allow mediaserver surfaceflinger:fifo_file {read write}; - -# Date : WK15.45 -# Purpose : camera read/write /nvcfg/camera data -#allow mediaserver nvcfg_file:dir create_dir_perms; -#allow mediaserver nvcfg_file:file create_file_perms; - - # Date : WK15.46 # Operation : Migration # Purpose : DPE Driver @@ -329,11 +290,6 @@ allow mediaserver sw_sync_device:chr_file rw_file_perms; # Purpose : OWE Driver allow mediaserver camera_owe_device:chr_file rw_file_perms; -# Date : WK17.27 -# Operation : O Migration -# Purpose : m4u Driver -#allow mediaserver proc:file r_file_perms; - # Date : WK17.30 # Operation : O Migration # Purpose: Allow to access cmdq driver diff --git a/non_plat/merged_hal_service.te b/non_plat/merged_hal_service.te index 35f76a5..3594dae 100644 --- a/non_plat/merged_hal_service.te +++ b/non_plat/merged_hal_service.te @@ -57,7 +57,6 @@ allow merged_hal_service proc:dir {search getattr}; allow merged_hal_service proc:file {getattr open read write ioctl}; allow merged_hal_service debugfs_ged:dir search; allow merged_hal_service debugfs_ged:file { getattr open read write }; -#allow merged_hal_service system_data_file:dir { create write add_name }; allow merged_hal_service proc_thermal:file { write open }; allow merged_hal_service proc_thermal:dir search; allow merged_hal_service sysfs:file {open write read}; diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te index 904e2d7..dc550ab 100644 --- a/non_plat/meta_tst.te +++ b/non_plat/meta_tst.te 
@@ -140,9 +140,6 @@ allow meta_tst stpbt_device:chr_file rw_file_perms; # Date: WK16.12 # Operation : Migration # Purpose : meta mode GPS -#allow meta_tst gps_device:chr_file rw_file_perms; -#allow meta_tst gps_data_file:file create_file_perms; -#allow meta_tst gps_data_file:dir rw_dir_perms; allow meta_tst gps_data_file:dir { write add_name search remove_name unlink}; allow meta_tst gps_data_file:file { read write open create getattr append setattr unlink lock}; allow meta_tst gps_data_file:lnk_file read; @@ -160,8 +157,6 @@ allow meta_tst mt6605_device:chr_file rw_file_perms; #Date WK14.49 #Operation : Migration #Purpose : DRM key installation -#allow meta_tst shell_exec:file rx_file_perms; -#allow meta_tst system_data_file:dir create; allow meta_tst key_install_data_file:dir w_dir_perms; allow meta_tst key_install_data_file:file create_file_perms; @@ -173,8 +168,6 @@ allow meta_tst proc_lk_env:file rw_file_perms; # Purpose : FT_EMMC_OP_FORMAT_TCARD allow meta_tst block_device:blk_file getattr; allow meta_tst system_block_device:blk_file getattr; -#allow meta_tst fuse_device:chr_file getattr; -#allow meta_tst shell_exec:file r_file_perms; # Date: WK15.52 # Purpose : NVRAM related LID @@ -226,15 +219,6 @@ allow meta_tst system_file:dir r_dir_perms; # Purpose: for CCCI reboot modem allow meta_tst gsm0710muxd_device:chr_file rw_file_perms; -# Date: WK16.20 -# Purpose: meta_tst set sys.usb.config -#set_prop(meta_tst, system_radio_prop); - -#Date: W16.33 -# Purpose: N Migration For CCT -#allow meta_tst media_rw_data_file:dir { search read open getattr }; -#allow meta_tst media_rw_data_file:file { write open read}; - # Date : WK16.35 # Purpose : Update camera flashlight driver device file allow meta_tst flashlight_device:chr_file rw_file_perms; 
@@ -252,7 +236,6 @@ allow meta_tst nvcfg_file:dir { search read open }; #Date: W16.45 # Purpose : Allow unmount sdcardfs mounted on /data/media allow meta_tst sdcard_type:filesystem unmount; -#allow meta_tst toolbox_exec:file { getattr execute execute_no_trans read open }; allow meta_tst storage_stub_file:dir search; # Date : WK16.19 @@ -277,15 +260,9 @@ allow meta_tst ctl_default_prop:property_service set; # Purpose : Allow meta_tst stop service which occupy data partition. allow meta_tst ctl_emdlogger1_prop:property_service set; -#Date: W17.27 -# Purpose : Allow meta_tst read /data/nvram link -#allow meta_tst system_data_file:lnk_file read; - #Date: W17.27 # Purpose: STMicro NFC solution integration allow meta_tst st21nfc_device:chr_file { open read write ioctl }; -#allow meta_tst factory_data_file:sock_file { write unlink }; -#allow meta_tst nfc_socket:dir search; allow meta_tst vendor_file:file { getattr execute execute_no_trans read open }; set_prop(meta_tst,hwservicemanager_prop); hwbinder_use(meta_tst); 
@@ -309,28 +286,6 @@ allow meta_tst md_block_device:blk_file { read open }; allow meta_tst mddb_data_file:file { create open write read getattr}; allow meta_tst mddb_data_file:dir { search write add_name create getattr read open }; -# Date: W17.43 -# Purpose : meta connect with mdlogger by socket. -#allow meta_tst emdlogger:unix_stream_socket connectto; - -# Date: W17.43 -# Purpose : meta connect with mobilelog by socket. -#allow meta_tst mobile_log_d:unix_stream_socket connectto; - -# Date: W17.43 -# Purpose : meta access mobile log. -#allow meta_tst logtemp_data_file:dir { relabelto create_dir_perms }; -#allow meta_tst logtemp_data_file:file create_file_perms; -#allow meta_tst data_tmpfs_log_file:dir create_dir_perms; -#allow meta_tst data_tmpfs_log_file:file create_file_perms; - -# Date: W17.43 -# Purpose meta access on /data/mdlog -#allow meta_tst mdlog_data_file:dir { create_dir_perms relabelto }; -#allow meta_tst mdlog_data_file:fifo_file { create_file_perms }; -#allow meta_tst mdlog_data_file:file { create_file_perms }; -#allow meta_tst system_data_file:dir { create_dir_perms relabelfrom}; - # Date: W17.43 # Purpose : Allow meta_tst to call android.hardware.audio@2.0-service-mediatek binder_call(meta_tst, mtk_hal_audio) @@ -398,4 +353,4 @@ allow meta_tst sysfs_dt_firmware_android:dir { read open search }; # Purpose : Allow meta_tst to communicate with driver thru socket allow meta_tst meta_tst:capability { sys_module net_admin net_raw }; allow meta_tst self:udp_socket { create ioctl }; -allowxperm meta_tst self:udp_socket ioctl priv_sock_ioctls; \ No newline at end of file +allowxperm meta_tst self:udp_socket ioctl priv_sock_ioctls; diff --git a/non_plat/mnld.te b/non_plat/mnld.te index 73bd066..2bf1d91 100644 --- a/non_plat/mnld.te +++ b/non_plat/mnld.te 
@@ -37,7 +37,6 @@ allow mnld mnld_device:chr_file rw_file_perms; allow mnld mnld_data_file:file rw_file_perms; allow mnld mnld_data_file:file create_file_perms; allow mnld mnld_data_file:fifo_file create_file_perms; -#allow mnld gps_device:chr_file rw_file_perms; # Purpose : For init process allow mnld init:unix_stream_socket connectto; allow mnld init:udp_socket { read write }; @@ -54,7 +53,7 @@ allow mnld block_device:dir search; allow mnld mnld_prop:property_service set; allow mnld property_socket:sock_file write; allow mnld mdlog_device:chr_file { read write }; -#allow mnld self:capability { fsetid dac_override }; +allow mnld self:capability { fsetid }; allow mnld stpbt_device:chr_file { read write }; allow mnld ttyGS_device:chr_file { read write }; # Purpose : For file system operations @@ -91,4 +90,4 @@ allow mnld fwk_sensor_hwservice:hwservice_manager find; allow mnld hwservicemanager_prop:file { read open getattr }; allow mnld debugfs_tracing:file { open write }; -allow mnld mnt_vendor_file:dir search; \ No newline at end of file +allow mnld mnt_vendor_file:dir search; diff --git a/non_plat/mobile_log_d.te b/non_plat/mobile_log_d.te index b7f148b..e17b9d4 100644 --- a/non_plat/mobile_log_d.te +++ b/non_plat/mobile_log_d.te @@ -2,7 +2,6 @@ allow mobile_log_d sysfs_boot_mode:file { open read }; #proc/ access -#allow mobile_log_d proc:file r_file_perms; allow mobile_log_d proc_kmsg:file r_file_perms; allow mobile_log_d proc_cmdline:file r_file_perms; allow mobile_log_d proc_atf_log:dir search; diff --git a/non_plat/mtk_hal_audio.te b/non_plat/mtk_hal_audio.te index 66b572f..98eda64 100644 --- a/non_plat/mtk_hal_audio.te +++ b/non_plat/mtk_hal_audio.te 
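Review bot: The `+allow mnld self:capability { fsetid };` line in the second mnld.te hunk turns a rule that was commented out into a live grant, which a commit titled "Remove unused sepolicy rules" does not explain. The same pattern appears in nvram_agent_binder.te and nvram_daemon.te (`{ fowner chown fsetid }`), in stp_dump3.te (`{ net_admin fowner chown fsetid }`) and in plat_private/aee_aed.te. Dropping `dac_override` is the right direction, but if the old lines were inactive, these domains presumably ran without the remaining capabilities as well (unless they are granted elsewhere), so each one should be backed by an observed denial or simply deleted. I would move these grants into their own commit, or at least put a why-comment above each, e.g. `# Purpose : <denial or code path that needs fsetid>`.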
@@ -12,12 +12,6 @@ allow mtk_hal_audio ion_device:chr_file r_file_perms; allow mtk_hal_audio system_file:dir { open read }; -userdebug_or_eng(` - # used for pcm capture for debug. - #allow mtk_hal_audio audiohal_data_file:dir create_dir_perms; - #allow mtk_hal_audio audiohal_data_file:file create_file_perms; -') - r_dir_file(mtk_hal_audio, proc) allow mtk_hal_audio audio_device:dir r_dir_perms; allow mtk_hal_audio audio_device:chr_file rw_file_perms; @@ -53,7 +47,6 @@ allow mtk_hal_audio sdcard_type:file unlink; # Purpose : nvram access (dumchar case for nand and legacy chip) allow mtk_hal_audio nvram_device:chr_file rw_file_perms; allow mtk_hal_audio self:netlink_kobject_uevent_socket { create setopt bind }; -#allow mtk_hal_audio self:capability { net_admin }; # Date : WK14.34 # Operation : Migration @@ -63,7 +56,6 @@ allow mtk_hal_audio self:netlink_kobject_uevent_socket read; # Date : WK14.36 # Operation : Migration # Purpose : media server and bt process communication for A2DP data.and other control flow -#allow mtk_hal_audio bluetooth:unix_dgram_socket sendto; allow mtk_hal_audio bt_a2dp_stream_socket:sock_file write; allow mtk_hal_audio bt_int_adp_socket:sock_file write; @@ -107,13 +99,6 @@ allow mtk_hal_audio graphics_device:chr_file rw_file_perms; # Purpose : Smartpa allow mtk_hal_audio smartpa_device:chr_file rw_file_perms; -# Date : WK14.41 -# Operation : Migration -# Purpose : Lossless BT audio -#allow mtk_hal_audio shell_exec:file { read open execute execute_no_trans }; -#allow mtk_hal_audio system_file:file execute_no_trans; -#allow mtk_hal_audio zygote_exec:file execute_no_trans; - # Date : WK14.41 # Operation : Migration # Purpose : WFD HID Driver 
@@ -236,4 +221,4 @@ allow mtk_hal_audio audio_ipi_device:chr_file { read write ioctl open }; # Date : WK18.21 # Operation: P migration # Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init() -allow mtk_hal_audio mnt_vendor_file:dir search; \ No newline at end of file +allow mtk_hal_audio mnt_vendor_file:dir search; diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te index 73fed92..94afa7f 100644 --- a/non_plat/mtk_hal_camera.te +++ b/non_plat/mtk_hal_camera.te @@ -173,12 +173,6 @@ allow mtk_hal_camera dumpstate:unix_stream_socket { read write }; allow mtk_hal_camera dumpstate:fd { use }; allow mtk_hal_camera dumpstate:fifo_file write; -# Purpose: avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.fXpwOm/SYS_DEBUG_MTKCAM" -# dev="dm-0" ino=82287 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_data_file:s0 -# tclass=file permissive=0 -#allow mtk_hal_camera aee_exp_data_file:dir { w_dir_perms }; -#allow mtk_hal_camera aee_exp_data_file:file { create_file_perms }; - # ----------------------------------- # Android O # Purpose: Debugging @@ -212,11 +206,9 @@ allow mtk_hal_camera untrusted_app:dir search; allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms; ## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump -#allow mtk_hal_camera system_data_file:dir write; allow mtk_hal_camera storage_file:lnk_file {read write}; allow mtk_hal_camera mnt_user_file:dir {write read search}; allow mtk_hal_camera mnt_user_file:lnk_file {read write}; -#allow mtk_hal_camera media_rw_data_file:dir {getattr create}; ## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger allow mtk_hal_camera surfaceflinger:fifo_file {read write}; diff --git a/non_plat/mtk_hal_gnss.te b/non_plat/mtk_hal_gnss.te index ffcfa3e..5cf7294 100644 --- a/non_plat/mtk_hal_gnss.te +++ b/non_plat/mtk_hal_gnss.te 
@@ -10,7 +10,6 @@ vndbinder_use(mtk_hal_gnss) r_dir_file(mtk_hal_gnss, system_file) # Communicate over a socket created by mnld process. -#allow mtk_hal_gnss debuggerd:fd use; allow mtk_hal_gnss mnld_data_file:sock_file create_file_perms; allow mtk_hal_gnss mnld_data_file:sock_file rw_file_perms; allow mtk_hal_gnss mnld_data_file:dir create_file_perms; diff --git a/non_plat/mtk_hal_pq.te b/non_plat/mtk_hal_pq.te index f561d53..87b6c59 100644 --- a/non_plat/mtk_hal_pq.te +++ b/non_plat/mtk_hal_pq.te @@ -33,8 +33,6 @@ allow mtk_hal_pq graphics_device:chr_file { read write open ioctl }; # Purpose : Allow property set allow mtk_hal_pq init:unix_stream_socket connectto; allow mtk_hal_pq property_socket:sock_file write; -#allow mtk_hal_pq system_prop:property_service set; -#allow mtk_hal_pq debug_prop:property_service set; # Purpose : Allow permission to get AmbientLux from hwservice_manager allow mtk_hal_pq fwk_sensor_hwservice:hwservice_manager find; diff --git a/non_plat/mtk_hal_sensors.te b/non_plat/mtk_hal_sensors.te index e15b8fd..142a6ac 100644 --- a/non_plat/mtk_hal_sensors.te +++ b/non_plat/mtk_hal_sensors.te @@ -36,9 +36,6 @@ allow mtk_hal_sensors hwservicemanager_prop:file r_file_perms; #hwservicemanager hal_server_domain(mtk_hal_sensors, hal_sensors); -#allow mtk_hal_sensors hal_sensors_hwservice:hwservice_manager { add find }; -#allow mtk_hal_sensors hidl_base_hwservice:hwservice_manager add; - # Access sensor bio devices allow mtk_hal_sensors sensorlist_device:chr_file rw_file_perms; allow mtk_hal_sensors m_acc_misc_device:chr_file rw_file_perms; diff --git a/non_plat/mtkbootanimation.te b/non_plat/mtkbootanimation.te index b40b0b0..506206b 100644 --- a/non_plat/mtkbootanimation.te +++ b/non_plat/mtkbootanimation.te 
@@ -33,15 +33,6 @@ allow mtkbootanimation guiext-server:binder transfer; # Purpose : for gpu access allow mtkbootanimation dri_device:chr_file { read write open ioctl }; -# Date : WK14.37 -# Operation : Migration -# Purpose : for op -#allow mtkbootanimation terservice:binder call; - -# Date : WK15.30 -# Operation : Migration -# Purpose : for device bring up, not to block early migration/sanity -#allow mtkbootanimation terservice_service:service_manager find; # Date : WK17.29 # Operation : Migration # Purpose : for device bring up diff --git a/non_plat/mtkfusionrild.te b/non_plat/mtkfusionrild.te index 20bde09..a1aec3d 100644 --- a/non_plat/mtkfusionrild.te +++ b/non_plat/mtkfusionrild.te @@ -15,16 +15,12 @@ allow rild kernel:system module_request; # Capabilities assigned for rild allow rild self:capability { setuid net_admin net_raw }; -#allow rild self:capability dac_override; # Control cgroups allow rild cgroup:dir create_dir_perms; # Property service # allow set RIL related properties (radio./net./system./etc) -#set_prop(rild, radio_prop) -#set_prop(rild, net_radio_prop) -#set_prop(rild, system_radio_prop) auditallow rild net_radio_prop:property_service set; auditallow rild system_radio_prop:property_service set; set_prop(rild, ril_active_md_prop) 
@@ -45,34 +41,20 @@ allow rild bluetooth_efs_file:dir r_dir_perms; # Allow access permission to dir/files # (radio data/system data/proc/etc) # Violate Android P rule -#allow rild radio_data_file:dir rw_dir_perms; -#allow rild radio_data_file:file create_file_perms; allow rild sdcard_type:dir r_dir_perms; -# Violate Android P rule -#allow rild system_data_file:dir r_dir_perms; -#allow rild system_data_file:file r_file_perms; allow rild system_file:file x_file_perms; allow rild proc:file rw_file_perms; allow rild proc_net:file w_file_perms; # Allow rild to create and use netlink sockets. -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow rild self:netlink_socket create_socket_perms; -#allow rild self:netlink_kobject_uevent_socket create_socket_perms; # Set and get routes directly via netlink. allow rild self:netlink_route_socket nlmsg_write; -# Allow rild to create sockets. -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow rild self:socket create_socket_perms; - # Allow read/write to devices/files allow rild alarm_device:chr_file rw_file_perms; allow rild radio_device:chr_file rw_file_perms; allow rild radio_device:blk_file r_file_perms; allow rild mtd_device:dir search; -# Allow read/write to uart driver (for GPS) -#allow rild gps_device:chr_file rw_file_perms; # Allow read/write to tty devices allow rild tty_device:chr_file rw_file_perms; allow rild eemcs_device:chr_file { rw_file_perms }; @@ -89,7 +71,6 @@ allow rild para_block_device:blk_file { rw_file_perms }; # Allow dir search, fd uses allow rild block_device:dir search; -#allow rild platformblk_device:dir search; allow rild platform_app:fd use; allow rild radio:fd use; 
@@ -119,8 +100,6 @@ allow rild mtk_agpsd:unix_stream_socket connectto; #Date 2017/10/12 #Purpose: allow set MTU size allow rild toolbox_exec:file getattr; -#allow rild toolbox_exec:file {execute read open}; -#allow rild toolbox_exec:file {execute_no_trans}; allow rild mtk_net_ipv6_prop:property_service set; #Dat: 2017/10/17 diff --git a/non_plat/mtkrild.te b/non_plat/mtkrild.te index 559500a..686e122 100644 --- a/non_plat/mtkrild.te +++ b/non_plat/mtkrild.te @@ -18,7 +18,6 @@ allow mtkrild kernel:system module_request; # Capabilities assigned for mtkrild allow mtkrild self:capability { setuid net_admin net_raw }; -#allow mtkrild self:capability dac_override; # Control cgroups allow mtkrild cgroup:dir create_dir_perms; 
@@ -52,34 +51,20 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms; # Allow access permission to dir/files # (radio data/system data/proc/etc) # Violate Android P rule -#allow mtkrild radio_data_file:dir rw_dir_perms; -#allow mtkrild radio_data_file:file create_file_perms; allow mtkrild sdcard_type:dir r_dir_perms; # Violate Android P rule -#allow mtkrild system_data_file:dir r_dir_perms; -#allow mtkrild system_data_file:file r_file_perms; allow mtkrild system_file:file x_file_perms; allow mtkrild proc:file rw_file_perms; allow mtkrild proc_net:file w_file_perms; -# Allow mtkrild to create and use netlink sockets. -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow mtkrild self:netlink_socket create_socket_perms; -#allow mtkrild self:netlink_kobject_uevent_socket create_socket_perms; # Set and get routes directly via netlink. allow mtkrild self:netlink_route_socket nlmsg_write; -# Allow mtkrild to create sockets. -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow mtkrild self:socket create_socket_perms; - # Allow read/write to devices/files allow mtkrild alarm_device:chr_file rw_file_perms; allow mtkrild radio_device:chr_file rw_file_perms; allow mtkrild radio_device:blk_file r_file_perms; allow mtkrild mtd_device:dir search; -# Allow read/write to uart driver (for GPS) -#allow mtkrild gps_device:chr_file rw_file_perms; # Allow read/write to tty devices allow mtkrild tty_device:chr_file rw_file_perms; allow mtkrild eemcs_device:chr_file { rw_file_perms }; @@ -96,7 +81,6 @@ allow mtkrild para_block_device:blk_file { rw_file_perms }; # Allow dir search, fd uses allow mtkrild block_device:dir search; -#allow mtkrild platformblk_device:dir search; allow mtkrild platform_app:fd use; allow mtkrild radio:fd use; diff --git a/non_plat/muxreport.te b/non_plat/muxreport.te index 5ce2fbf..1b7243b 100644 --- a/non_plat/muxreport.te +++ b/non_plat/muxreport.te 
@@ -12,9 +12,6 @@ type muxreport ,domain; # ============================================== init_daemon_domain(muxreport) -# Capabilities assigned for muxreport -#allow muxreport self:capability dac_override; - # Property service # allow set muxreport control properties set_prop(muxreport, ril_mux_report_case_prop) diff --git a/non_plat/nvram_agent_binder.te b/non_plat/nvram_agent_binder.te index a26c372..9c6a26b 100644 --- a/non_plat/nvram_agent_binder.te +++ b/non_plat/nvram_agent_binder.te @@ -30,8 +30,6 @@ allow nvram_agent_binder nvdata_file:lnk_file read; allow nvram_agent_binder nvdata_file:dir create_dir_perms; allow nvram_agent_binder nvdata_file:file create_file_perms; -#allow nvram_agent_binder system_file:file execute_no_trans; - allow nvram_agent_binder als_ps_device:chr_file r_file_perms; allow nvram_agent_binder mtk-adc-cali_device:chr_file rw_file_perms; allow nvram_agent_binder gsensor_device:chr_file r_file_perms; @@ -39,9 +37,7 @@ allow nvram_agent_binder gyroscope_device:chr_file r_file_perms; allow nvram_agent_binder init:unix_stream_socket connectto; allow nvram_agent_binder property_socket:sock_file write; allow nvram_agent_binder sysfs:file write; -#allow nvram_agent_binder self:capability { fowner chown dac_override fsetid }; -#remove from Android P -#allow nvram_agent_binder system_data_file:dir create_file_perms; +allow nvram_agent_binder self:capability { fowner chown fsetid }; # Purpose: for backup allow nvram_agent_binder nvram_device:chr_file rw_file_perms; @@ -58,8 +54,6 @@ allow nvram_agent_binder hwservicemanager_prop:file r_file_perms; #for nvram hidl client support allow nvram_agent_binder sysfs:file { read open }; -#remove from android P -#allow nvram_agent_binder system_data_file:lnk_file read; # Allow to use HWBinder IPC hwbinder_use(nvram_agent_binder); diff --git a/non_plat/nvram_daemon.te b/non_plat/nvram_daemon.te index 4155038..8930615 100644 --- a/non_plat/nvram_daemon.te +++ b/non_plat/nvram_daemon.te 
@@ -24,16 +24,9 @@ allow nvram_daemon nvram_device:blk_file rw_file_perms; allow nvram_daemon bootdevice_block_device:blk_file rw_file_perms; allow nvram_daemon nvdata_device:blk_file rw_file_perms; - -# Date : WK14.34 -# Operation : Migration -# Purpose : the option is used to tell that if other processes can access nvram. -#allow nvram_daemon system_prop:property_service set; - # Date : WK14.35 # Operation : chown folder and file permission # Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L. -#allow nvram_daemon shell_exec:file rx_file_perms; allow nvram_daemon nvram_data_file:dir create_dir_perms; allow nvram_daemon nvram_data_file:file create_file_perms; allow nvram_daemon nvram_data_file:lnk_file read; @@ -41,8 +34,6 @@ allow nvram_daemon nvdata_file:lnk_file read; allow nvram_daemon nvdata_file:dir create_dir_perms; allow nvram_daemon nvdata_file:file create_file_perms; -#allow nvram_daemon system_file:file execute_no_trans; - allow nvram_daemon als_ps_device:chr_file r_file_perms; allow nvram_daemon mtk-adc-cali_device:chr_file rw_file_perms; allow nvram_daemon gsensor_device:chr_file r_file_perms; @@ -50,9 +41,8 @@ allow nvram_daemon gyroscope_device:chr_file r_file_perms; allow nvram_daemon init:unix_stream_socket connectto; # Purpose: for property set -#allow nvram_daemon property_socket:sock_file w_file_perms; allow nvram_daemon sysfs:file w_file_perms; -#allow nvram_daemon self:capability { fowner chown dac_override fsetid }; +allow nvram_daemon self:capability { fowner chown fsetid }; # Purpose: for backup allow nvram_daemon nvram_device:chr_file rw_file_perms; 
@@ -68,32 +58,19 @@ allow nvram_daemon mtd_device:chr_file rw_file_perms; allow nvram_daemon kmsg_device:chr_file w_file_perms; allow nvram_daemon proc_lk_env:file rw_file_perms; -# Purpose: for workaround -# Todo: Remove this policy -#remove from Android P -#allow nvram_daemon system_data_file:dir write; - # Purpose: property set allow nvram_daemon service_nvram_init_prop:property_service set; # Purpose: copy /fstab* allow nvram_daemon rootfs:dir { read open }; allow nvram_daemon rootfs:file r_file_perms; -#remove from Android P -#allow nvram_daemon system_data_file:lnk_file read; # Purpose: remove /data/nvram link -#remove from Android P -#allow nvram_daemon system_data_file:dir { remove_name add_name }; -#allow nvram_daemon system_data_file:lnk_file { create unlink }; allow nvram_daemon nvram_data_file:lnk_file unlink; -# Purpose: for run toolbox command: chown chmode.. -#allow nvram_daemon toolbox_exec:file rx_file_perms; # Purpose: for setting property # ro.wlan.mtk.wifi.5g relabel to wifi_5g_prop # denied { set } for property=ro.wlan.mtk.wifi.5g pid=242 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1 -#allow nvram_daemon wifi_5g_prop:property_service set; set_prop(nvram_daemon, service_nvram_init_prop) set_prop(nvram_daemon, wifi_5g_prop) diff --git a/non_plat/platform_app.te b/non_plat/platform_app.te index 16dcbb6..017de4f 100644 --- a/non_plat/platform_app.te +++ b/non_plat/platform_app.te @@ -73,11 +73,6 @@ not_full_treble(` # Package: MTKLogger/Debugutils allow platform_app aee_aed:unix_stream_socket connectto; -# Date : WK17.31 -# Operation : O Migration -# Purpose : m4u Driver -#allow platform_app proc:file r_file_perms; - # Date : WK17.46 # Operation : Migration # Purpose : allow MTKLogger to read KE DB diff --git a/non_plat/radio.te b/non_plat/radio.te index e189522..3ce53e6 100644 --- a/non_plat/radio.te +++ b/non_plat/radio.te 
@@ -83,7 +83,6 @@ allow radio media_rw_data_file:file { create_file_perms }; # Purpose : # Swift APK integration - access ccci dir/file allow radio ccci_fsd:dir { r_dir_perms }; -#allow radio ccci_fsd:file { r_file_perms }; # Date : 2016/07/25 # Operation : Bluetooth access NVRAM fail in Engineer Mode diff --git a/non_plat/spm_loader.te b/non_plat/spm_loader.te index ff4c72a..d0f5984 100644 --- a/non_plat/spm_loader.te +++ b/non_plat/spm_loader.te @@ -16,5 +16,4 @@ type spm_loader ,domain; init_daemon_domain(spm_loader) # Read to /dev/spm -#allow spm_loader self:capability { dac_read_search dac_override }; allow spm_loader spm_device:chr_file r_file_perms; diff --git a/non_plat/stp_dump3.te b/non_plat/stp_dump3.te index c2e74d6..57bee5f 100644 --- a/non_plat/stp_dump3.te +++ b/non_plat/stp_dump3.te @@ -20,7 +20,7 @@ type stp_dump3 ,domain; # ============================================== # MTK Policy Rule # ============================================== -#allow stp_dump3 self:capability { net_admin fowner chown fsetid dac_override }; +allow stp_dump3 self:capability { net_admin fowner chown fsetid }; allow stp_dump3 self:netlink_socket { read write getattr bind create setopt }; allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt }; allow stp_dump3 wmtdetect_device:chr_file { read write ioctl open }; diff --git a/non_plat/surfaceflinger.te b/non_plat/surfaceflinger.te index ed32ea3..acfd9b1 100644 --- a/non_plat/surfaceflinger.te +++ b/non_plat/surfaceflinger.te @@ -25,12 +25,6 @@ allow surfaceflinger proc_bootprof:file r_file_perms; #============= surfaceflinger ============== allow surfaceflinger debugfs_ion:dir search; -#============= surfaceflinger ============== -#allow surfaceflinger debugfs_tracing:file write; - -#============= surfaceflinger ============== -#allow surfaceflinger debugfs_tracing:file open; - # Date : WK17.30 # Operation : O Migration # Purpose: Allow to access cmdq driver 
diff --git a/non_plat/system_server.te b/non_plat/system_server.te index cd0e647..d82145f 100644 --- a/non_plat/system_server.te +++ b/non_plat/system_server.te @@ -74,10 +74,6 @@ allow system_server ttyMT_device:chr_file rw_file_perms; # Purpose: Allow to access UART1 ttyS allow system_server ttyS_device:chr_file rw_file_perms; -# Date : WK16.44 -# Purpose: Allow to access gpsonly driver -#allow system_server gps_device:chr_file rw_file_perms; - # Date:W16.46 # Operation : thermal hal Feature developing # Purpose : thermal hal interface permission diff --git a/non_plat/thermal_manager.te b/non_plat/thermal_manager.te index a000c1e..8870015 100644 --- a/non_plat/thermal_manager.te +++ b/non_plat/thermal_manager.te @@ -28,7 +28,6 @@ allow thermal_manager thermal_manager_data_file:dir { rw_dir_perms setattr }; allow thermal_manager mediaserver:fd use; allow thermal_manager mediaserver:fifo_file { read write }; -#allow thermal_manager pq:fd use; allow thermal_manager mediaserver:tcp_socket { read write }; # Date : WK16.30 diff --git a/non_plat/thermalloadalgod.te b/non_plat/thermalloadalgod.te index f2c2a89..15a639e 100644 --- a/non_plat/thermalloadalgod.te +++ b/non_plat/thermalloadalgod.te @@ -24,8 +24,6 @@ file_type_auto_trans(thermal_manager, vendor_data_file, thermal_manager_data_fil allow thermalloadalgod input_device:dir { r_dir_perms write }; allow thermalloadalgod input_device:file r_file_perms; -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow thermalloadalgod thermalloadalgod:netlink_kobject_uevent_socket { write create bind read}; allow thermalloadalgod thermalloadalgod:netlink_socket { create bind write read}; allow thermalloadalgod thermal_manager_data_file:dir create_dir_perms; diff --git a/non_plat/untrusted_app.te b/non_plat/untrusted_app.te index 0588bf3..d72c8e4 100644 --- a/non_plat/untrusted_app.te +++ b/non_plat/untrusted_app.te 
@@ -4,11 +4,6 @@ # TODO:: Security Issue. -# Date : 2014/09/09 -# Operation : Development GMO Feature "Move OAT to SD Card" -# Purpose : for GMO ROM Size Slim -#allow untrusted_app dalvikcache_data_file:lnk_file read; - # Date: 2016/02/26 # Operation: Migration # Purpose: Allow MTK modified ElephantStress and WhatsTemp to read thermal zone temperatures diff --git a/non_plat/update_engine.te b/non_plat/update_engine.te index 94c9ec8..31fb7e5 100644 --- a/non_plat/update_engine.te +++ b/non_plat/update_engine.te @@ -19,7 +19,6 @@ allow update_engine para_block_device:blk_file rw_file_perms; # Add for update_engine call by system_app -#allow update_engine self:capability dac_override; allow update_engine system_app:binder { call transfer }; # Add for update_engine with postinstall diff --git a/non_plat/wlan_assistant.te b/non_plat/wlan_assistant.te index f2f4db2..62372db 100644 --- a/non_plat/wlan_assistant.te +++ b/non_plat/wlan_assistant.te @@ -21,8 +21,6 @@ init_daemon_domain(wlan_assistant) allow wlan_assistant agpsd_data_file:sock_file write; allow wlan_assistant mtk_agpsd:unix_dgram_socket sendto; allow wlan_assistant agpsd_data_file:dir search; -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow wlan_assistant self:netlink_socket create_socket_perms; allow wlan_assistant self:netlink_generic_socket create_socket_perms_no_ioctl; allow wlan_assistant self:udp_socket { create ioctl }; diff --git a/plat_private/aee_aed.te b/plat_private/aee_aed.te index 5c43cad..2bf37ad 100644 --- a/plat_private/aee_aed.te +++ b/plat_private/aee_aed.te @@ -17,8 +17,6 @@ init_daemon_domain(aee_aed) # AED start: /dev/block/expdb allow aee_aed block_device:dir search; -#allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow - # aee db dir and db files allow aee_aed sdcard_type:dir create_dir_perms; allow aee_aed sdcard_type:file create_file_perms; 
@@ -90,7 +88,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms; allow aee_aed tombstone_data_file:file create_file_perms; # /proc/pid/ -#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill }; +allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill }; # system(cmd) aee_dumpstate aee_archive allow aee_aed shell_exec:file rx_file_perms; @@ -100,7 +98,6 @@ allow aee_aed dumpstate:unix_stream_socket { read write ioctl }; allow aee_aed dumpstate:dir search; allow aee_aed dumpstate:file r_file_perms; -#allow aee_aed proc:file rw_file_perms; allow aee_aed logdr_socket:sock_file write; allow aee_aed logd:unix_stream_socket connectto; # allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule @@ -129,12 +126,6 @@ allow aee_aed init_exec:file r_file_perms; allow aee_aed crash_dump:dir search; allow aee_aed crash_dump:file r_file_perms; -# Purpose: -# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read } -# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0 -# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 -#allow aee_aed sysfs:file r_file_perms; - # Purpose : allow aee_aed to read /proc/version allow aee_aed proc_version:file { read open }; diff --git a/plat_private/aee_core_forwarder.te b/plat_private/aee_core_forwarder.te index d2d223c..141fb55 100644 --- a/plat_private/aee_core_forwarder.te +++ b/plat_private/aee_core_forwarder.te 
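Review bot: The re-enabled `allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };` line in the first aee_aed.te hunk is documented only by `# /proc/pid/`, which does not account for `sys_module` (kernel module load/unload), `net_admin`, `sys_resource` or `setuid`/`setgid`. The context lines show that this domain also runs shell commands (`allow aee_aed shell_exec:file rx_file_perms;`), so a compromise of aee_aed would inherit the whole set. I would split the line so that each capability carries its own `# Purpose :` comment tied to a logged denial, and leave out `sys_module` unless a denial shows that aee_aed itself loads modules.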
@@ -12,21 +12,10 @@ typeattribute aee_core_forwarder coredomain; # ============================================== init_daemon_domain(aee_core_forwarder) -#/data/core/zcorexxx.zip -#allow aee_core_forwarder aee_core_data_file:dir relabelto; -#allow aee_core_forwarder aee_core_data_file:dir create_dir_perms; -#allow aee_core_forwarder aee_core_data_file:file create_file_perms; -#allow aee_core_forwarder system_data_file:dir { write relabelfrom create add_name }; - #mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip allow aee_core_forwarder sdcard_type:dir create_dir_perms; allow aee_core_forwarder sdcard_type:file create_file_perms; allow aee_core_forwarder self:capability { fsetid setgid }; -#allow aee_core_forwarder aee_exp_data_file:dir create_dir_perms; -#allow aee_core_forwarder aee_exp_data_file:file create_file_perms; - -#mkdir(path, mode) -#allow aee_core_forwarder self:capability dac_override; #read STDIN_FILENO allow aee_core_forwarder kernel:fifo_file read; @@ -62,8 +51,7 @@ dontaudit aee_core_forwarder untrusted_app:dir search; # Operation : N0 Migration # Purpose : access for pipefs allow aee_core_forwarder kernel:fd use; -# Purpose : read AEE persist property -#allow aee_core_forwarder persist_aee_prop:file r_file_perms; + # Purpose: search root dir "/" allow aee_core_forwarder tmpfs:dir search; # Purpose : read /selinux_version 
@@ -98,13 +86,6 @@ dontaudit aee_core_forwarder self:capability sys_ptrace; allow aee_core_forwarder media_rw_data_file:dir w_dir_perms; allow aee_core_forwarder media_rw_data_file:file { create open write }; -# Data : 2017/03/08 -# Operation : fix aee_core_forwarder connect to aee_aedv -# Purpose : type=1400 audit(0.0:6594): avc: denied { connectto } for -# path=00616E64726F69643A6165655F616564 scontext=u:r:aee_core_forwarder:s0 -# tcontext=u:r:aee_aedv:s0 tclass=unix_stream_socket permissive=0 -#allow aee_core_forwarder aee_aedv:unix_stream_socket connectto; - # Data : 2017/08/04 # Operation : fix sys_nice selinux warning # Purpose : type=1400 audit(0.0:50): avc: denied { sys_nice } for capability=23 diff --git a/plat_private/audiocmdservice_atci.te b/plat_private/audiocmdservice_atci.te index 64ef12f..7d21ae9 100644 --- a/plat_private/audiocmdservice_atci.te +++ b/plat_private/audiocmdservice_atci.te @@ -14,13 +14,11 @@ init_daemon_domain(audiocmdservice_atci) # Perform Binder IPC for audio tuning tool and access to mediaserver binder_use(audiocmdservice_atci) binder_call(audiocmdservice_atci, mediaserver) -#allow audiocmdservice_atci mediaserver:chr_file create_file_perms; allow audiocmdservice_atci mediaserver:dir w_dir_perms; allow audiocmdservice_atci mediaserver_service:service_manager find; # Since Android N, google separates mediaserver to audioserver and cameraserver binder_call(audiocmdservice_atci, audioserver) -#allow audiocmdservice_atci audioserver:chr_file create_file_perms; allow audiocmdservice_atci audioserver:dir w_dir_perms; allow audiocmdservice_atci audioserver_service:service_manager find; @@ -45,4 +43,3 @@ allow radio audiocmdservice_atci_exec:file getattr; #Android O porting hwbinder_use(audiocmdservice_atci) get_prop(audiocmdservice_atci, hwservicemanager_prop); -#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms; diff --git a/plat_private/boot_logo_updater.te b/plat_private/boot_logo_updater.te index 18c6272..d46b0f2 100644 
--- a/plat_private/boot_logo_updater.te +++ b/plat_private/boot_logo_updater.te @@ -21,9 +21,6 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms; # For IPC communication allow boot_logo_updater init:unix_stream_socket connectto; allow boot_logo_updater property_socket:sock_file write; -#allow boot_logo_updater self:capability dac_override; -# To access some boot_mode infornation -#allow boot_logo_updater sysfs:file rw_file_perms; # To access directory /dev/block/mmcblk0 or /dev/block/sdc allow boot_logo_updater block_device:dir search; allow boot_logo_updater graphics_device:dir search; @@ -40,10 +37,7 @@ allow boot_logo_updater sysfs:dir read; # sanity fail for ALPS03604686: # for path="/sys/firmware/devicetree/base/firmware/android/fstab" andfor name = "cmdline" and "mtdblock14" allow boot_logo_updater mtd_device:blk_file read; -#allow boot_logo_updater proc:file read; allow boot_logo_updater sysfs:dir open; -# for path="/proc/cmdline and ="/dev/block/mtdblock14" -#allow boot_logo_updater proc:file open; allow boot_logo_updater system_data_file:dir write; allow boot_logo_updater mtd_device:blk_file open; diff --git a/plat_private/bootanim.te b/plat_private/bootanim.te index ff07c9e..46fe429 100644 --- a/plat_private/bootanim.te +++ b/plat_private/bootanim.te @@ -2,12 +2,6 @@ # MTK Policy Rule # ============ -# Date : WK14.31 -# Operation : Migration -# Purpose : For IPC communication -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow bootanim self:netlink_socket create_socket_perms; - # Date : WK14.32 # Operation : Migration # Purpose : for playing boot tone diff --git a/plat_private/cmddumper.te b/plat_private/cmddumper.te index e1d8f6a..405bebe 100644 --- a/plat_private/cmddumper.te +++ b/plat_private/cmddumper.te 
@@ -31,12 +31,6 @@ allow cmddumper system_file:file x_file_perms; allow cmddumper media_rw_data_file:file { create_file_perms }; allow cmddumper media_rw_data_file:dir { create_dir_perms }; -# purpose: access vmodem device -#allow cmddumper vmodem_device:chr_file { create_file_perms }; - # purpose: access plat_file_contexts allow cmddumper file_contexts_file:file { read getattr open }; -# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode -#allow cmddumper sysfs:file { read open }; - diff --git a/plat_private/dumpstate.te b/plat_private/dumpstate.te index 6365be7..43b0f00 100644 --- a/plat_private/dumpstate.te +++ b/plat_private/dumpstate.te @@ -14,7 +14,6 @@ allow dumpstate mnt_user_file:lnk_file read; allow dumpstate storage_file:lnk_file read; # Purpose: timer_intval. this is neverallow -#allow dumpstate sysfs:file r_file_perms; allow dumpstate app_data_file:dir search; allow dumpstate kmsg_device:chr_file r_file_perms; diff --git a/plat_private/em_svr.te b/plat_private/em_svr.te index a504d9a..cd5e887 100644 --- a/plat_private/em_svr.te +++ b/plat_private/em_svr.te @@ -48,7 +48,7 @@ allow em_svr sysfs_leds:dir search; # Date: WK1812 # Purpose: add for sensor calibration -#allow em_svr self:capability { dac_read_search dac_override chown fsetid }; +allow em_svr self:capability { chown fsetid }; # Date: WK1812 # Purpose: add for shell cmd diff --git a/plat_private/emdlogger.te b/plat_private/emdlogger.te index af01e0d..b0d21e2 100755 --- a/plat_private/emdlogger.te +++ b/plat_private/emdlogger.te @@ -29,7 +29,6 @@ allow emdlogger vfat:dir create_dir_perms; allow emdlogger vfat:file create_file_perms; #modem logger permission in storage in android M version -#allow emdlogger log_device:chr_file { write open }; allow emdlogger mnt_user_file:dir search; allow emdlogger mnt_user_file:lnk_file read; allow emdlogger storage_file:lnk_file read; 
@@ -47,10 +46,6 @@ allow emdlogger storage_file:dir { create_dir_perms }; allow emdlogger tmpfs:lnk_file read; allow emdlogger storage_file:file { create_file_perms }; -#permission for read boot mode -#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" -#allow emdlogger sysfs:file { read open }; - # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 # scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 allow emdlogger system_file:dir read; @@ -76,4 +71,4 @@ allow emdlogger proc_cmdline:file { read getattr open }; allow emdlogger sysfs_dt_firmware_android:dir search; allow emdlogger sysfs_dt_firmware_android:file { read open getattr }; allow emdlogger system_file:dir open; -allow emdlogger vendor_default_prop:file { read getattr open }; \ No newline at end of file +allow emdlogger vendor_default_prop:file { read getattr open }; diff --git a/plat_private/mdlogger.te b/plat_private/mdlogger.te index 48172de..ba5559f 100644 --- a/plat_private/mdlogger.te +++ b/plat_private/mdlogger.te @@ -27,8 +27,6 @@ allow mdlogger self:tcp_socket { create_stream_socket_perms }; allow mdlogger vfat:dir create_dir_perms; allow mdlogger vfat:file create_file_perms; -#mdlogger for read /sdcard -#allow mdlogger log_device:chr_file w_file_perms; allow mdlogger tmpfs:lnk_file read; allow mdlogger storage_file:lnk_file rw_file_perms; allow mdlogger mnt_user_file:dir search; diff --git a/plat_private/mobile_log_d.te b/plat_private/mobile_log_d.te index a2ee26d..39f6e0b 100644 --- a/plat_private/mobile_log_d.te +++ b/plat_private/mobile_log_d.te 
@@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop) unix_socket_connect(mobile_log_d, logdr, logd); #capability -#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid }; +allow mobile_log_d self:capability { setuid setgid chown fowner fsetid }; allow mobile_log_d self:capability { setuid chown setgid }; allow mobile_log_d self:capability2 syslog; diff --git a/plat_private/mtkbootanimation.te b/plat_private/mtkbootanimation.te index dfcab81..2eb64a4 100644 --- a/plat_private/mtkbootanimation.te +++ b/plat_private/mtkbootanimation.te @@ -46,11 +46,6 @@ r_dir_file(mtkbootanimation, cgroup) # System file accesses. allow mtkbootanimation system_file:dir r_dir_perms; -# Date : WK14.31 -# Operation : Migration -# Purpose : For IPC communication -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow mtkbootanimation self:netlink_socket create_socket_perms; # Date : WK14.32 # Operation : Migration @@ -86,10 +81,3 @@ allow mtkbootanimation surfaceflinger:fifo_file rw_file_perms; allow mtkbootanimation gpu_device:dir search; - - -#============= bootanim ============== -#allow mtkbootanimation debugfs_tracing:file write; - -#============= bootanim ============== -#allow mtkbootanimation debugfs_tracing:file open; diff --git a/plat_private/netdiag.te b/plat_private/netdiag.te index 6a2e306..f793e4d 100755 --- a/plat_private/netdiag.te +++ b/plat_private/netdiag.te 
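Review bot: The added `allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };` sits directly above the existing `allow mobile_log_d self:capability { setuid chown setgid };`, so the two rules overlap and the only effective change is that `fowner` and `fsetid` become granted. Keep a single rule and make the delta explicit: either leave the existing line alone and drop the new one, or merge them into one line with a comment naming the operation that needs `fowner` and `fsetid`. The prebuilts/api/26.0 copy of this file in the same patch carries the same pair of lines.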
@@ -59,13 +59,6 @@ allow netdiag netpolicy_service:service_manager find; allow netdiag network_management_service:service_manager find; allow netdiag settings_service:service_manager find; - - -# Purpose : for socket with MTKLogger -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow netdiag self:socket_class_set { create_socket_perms }; -#allow netdiag self:netlink_route_socket { create_socket_perms nlmsg_read }; - # Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop allow netdiag device_logging_prop:file { getattr open }; allow netdiag mmc_prop:file { getattr open }; @@ -97,10 +90,6 @@ allow netdiag self:udp_socket { ioctl create }; #avc: denied { open } for path="/dev/__properties__/u:object_r:atm_ipaddr_prop:s0" #avc: denied { getattr } for path="/dev/__properties__/u:object_r:atm_ipaddr_prop:s0" #avc: denied { open } for path="/dev/__properties__/u:object_r:atm_mdmode_prop:s0" -#allow netdiag atm_ipaddr_prop:file { getattr open }; -#allow netdiag atm_mdmode_prop:file { getattr open }; -#allow netdiag bluetooth_a2dp_offload_prop:file { getattr open }; -#allow netdiag bluetooth_prop:file open; allow netdiag proc_qtaguid_stat:dir { read open search }; allow netdiag proc_qtaguid_stat:file { read getattr open }; allow netdiag vendor_default_prop:file { read getattr open }; diff --git a/plat_private/ppp.te b/plat_private/ppp.te index 5b3376f..1e7a34b 100644 --- a/plat_private/ppp.te +++ b/plat_private/ppp.te @@ -16,9 +16,7 @@ allow ppp property_socket:sock_file write; # Purpose: for PPPOE Test allow ppp devpts:chr_file { read write ioctl open setattr }; -#allow ppp self:capability { setuid net_raw setgid dac_override }; -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow ppp self:packet_socket { write ioctl setopt read bind create }; +allow ppp self:capability { setuid net_raw setgid }; allow ppp shell_exec:file { read execute open execute_no_trans }; 
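Review bot: The ppp.te hunk replaces the commented capability line with an active `allow ppp self:capability { setuid net_raw setgid };`, while the prebuilts/api/26.0/plat_private/ppp.te hunk later in the patch deletes the same commented lines and adds nothing. The two copies now disagree, and it is not clear from the patch which outcome was intended. If ppp does not need these capabilities today, drop the `+` line here as well. If it does, extend the `# Purpose: for PPPOE Test` comment to say which call needs each one, since `net_raw` is the capability check behind raw and packet sockets.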
diff --git a/plat_private/shell.te b/plat_private/shell.te deleted file mode 100755 index 79b118a..0000000 --- a/plat_private/shell.te +++ /dev/null @@ -1,3 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============ diff --git a/plat_private/storagemanagerd.te b/plat_private/storagemanagerd.te deleted file mode 100644 index a7dee58..0000000 --- a/plat_private/storagemanagerd.te +++ /dev/null @@ -1,12 +0,0 @@ -# ============================================== -# Policy File of storagemanagerd Executable File - -# ============================================== -# Type Declaration -# ============================================== - -# Act as 'vold' context to mount storages - -# ============================================== -# MTK Policy Rule -# ============================================== diff --git a/plat_private/thermalindicator.te b/plat_private/thermalindicator.te index 8a9131d..735f3ca 100644 --- a/plat_private/thermalindicator.te +++ b/plat_private/thermalindicator.te @@ -31,11 +31,10 @@ allow servicemanager thermalindicator:process { getattr }; typeattribute thermalindicator mlstrustedsubject; allow thermalindicator proc:dir {search getattr}; -#allow thermalindicator proc:file read; allow thermalindicator shell:dir search; allow thermalindicator platform_app:dir search; allow thermalindicator platform_app:file {open read getattr}; allow thermalindicator untrusted_app:dir search; allow thermalindicator untrusted_app:file {open read getattr}; allow thermalindicator mediaserver:dir search; -allow thermalindicator mediaserver:file {open read getattr}; \ No newline at end of file +allow thermalindicator mediaserver:file {open read getattr}; diff --git a/prebuilts/api/26.0/plat_private/aee_aed.te b/prebuilts/api/26.0/plat_private/aee_aed.te index dbf639e..1ba4f0a 100755 --- a/prebuilts/api/26.0/plat_private/aee_aed.te +++ b/prebuilts/api/26.0/plat_private/aee_aed.te 
@@ -17,8 +17,6 @@ init_daemon_domain(aee_aed) # AED start: /dev/block/expdb allow aee_aed block_device:dir search; -#allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow - # aee db dir and db files allow aee_aed sdcard_type:dir create_dir_perms; allow aee_aed sdcard_type:file create_file_perms; @@ -40,7 +38,6 @@ allow aee_aed usermodehelper:file r_file_perms; allow aee_aed init:unix_stream_socket connectto; allow aee_aed property_socket:sock_file write; -#allow aee_aed call binaries labeled "system_file" under /system/bin/ allow aee_aed system_file:file execute_no_trans; allow aee_aed init:process getsched; @@ -90,7 +87,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms; allow aee_aed tombstone_data_file:file create_file_perms; # /proc/pid/ -#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module}; +allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module}; # system(cmd) aee_dumpstate aee_archive allow aee_aed shell_exec:file rx_file_perms; @@ -127,9 +124,3 @@ allow aee_aed init_exec:file r_file_perms; # Purpose : make aee_aed can get notify from crash_dump allow aee_aed crash_dump:dir search; allow aee_aed crash_dump:file r_file_perms; - -# Purpose: -# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read } -# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0 -# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 -#allow aee_aed sysfs:file r_file_perms; diff --git a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te index 19f37e1..d907260 100755 --- a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te +++ b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te 
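Review bot: The `@@ -90,7 +87,7 @@` hunk adds an active `allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};` to a file under prebuilts/api/26.0, which by its path looks like a snapshot of the policy as shipped for that API level. Snapshot files are normally left as released, so granting new capabilities there should be confirmed against how this tree uses the directory. The set also differs from the plat_private/aee_aed.te line in this patch, which additionally lists `setgid setuid kill`; a short comment stating why the two differ would help the next reader.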
@@ -14,13 +14,11 @@ init_daemon_domain(audiocmdservice_atci) # Perform Binder IPC for audio tuning tool and access to mediaserver binder_use(audiocmdservice_atci) binder_call(audiocmdservice_atci, mediaserver) -#allow audiocmdservice_atci mediaserver:chr_file create_file_perms; allow audiocmdservice_atci mediaserver:dir w_dir_perms; allow audiocmdservice_atci mediaserver_service:service_manager find; # Since Android N, google separates mediaserver to audioserver and cameraserver binder_call(audiocmdservice_atci, audioserver) -#allow audiocmdservice_atci audioserver:chr_file create_file_perms; allow audiocmdservice_atci audioserver:dir w_dir_perms; allow audiocmdservice_atci audioserver_service:service_manager find; @@ -49,4 +47,3 @@ allow radio audiocmdservice_atci_exec:file getattr; #Android O porting hwbinder_use(audiocmdservice_atci) get_prop(audiocmdservice_atci, hwservicemanager_prop); -#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms; diff --git a/prebuilts/api/26.0/plat_private/boot_logo_updater.te b/prebuilts/api/26.0/plat_private/boot_logo_updater.te index 52c38f0..a55a3ca 100755 --- a/prebuilts/api/26.0/plat_private/boot_logo_updater.te +++ b/prebuilts/api/26.0/plat_private/boot_logo_updater.te @@ -21,9 +21,6 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms; # For IPC communication allow boot_logo_updater init:unix_stream_socket connectto; allow boot_logo_updater property_socket:sock_file write; -#allow boot_logo_updater self:capability dac_override; -# To access some boot_mode infornation -#allow boot_logo_updater sysfs:file rw_file_perms; # To access directory /dev/block/mmcblk0 or /dev/block/sdc allow boot_logo_updater block_device:dir search; allow boot_logo_updater graphics_device:dir search; diff --git a/prebuilts/api/26.0/plat_private/bootanim.te b/prebuilts/api/26.0/plat_private/bootanim.te index edad4f0..a7c07a1 100755 --- a/prebuilts/api/26.0/plat_private/bootanim.te 
+++ b/prebuilts/api/26.0/plat_private/bootanim.te @@ -2,12 +2,6 @@ # MTK Policy Rule # ============ -# Date : WK14.31 -# Operation : Migration -# Purpose : For IPC communication -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow bootanim self:netlink_socket create_socket_perms; - # Date : WK14.32 # Operation : Migration # Purpose : for playing boot tone @@ -40,11 +34,3 @@ allow bootanim surfaceflinger:fifo_file rw_file_perms; # Purpose : DRM / DRI GPU driver required allow bootanim gpu_device:dir search; - - - -#============= bootanim ============== -#allow bootanim debugfs_tracing:file write; - -#============= bootanim ============== -#allow bootanim debugfs_tracing:file open; diff --git a/prebuilts/api/26.0/plat_private/cmddumper.te b/prebuilts/api/26.0/plat_private/cmddumper.te index 7ae391a..405bebe 100755 --- a/prebuilts/api/26.0/plat_private/cmddumper.te +++ b/prebuilts/api/26.0/plat_private/cmddumper.te @@ -31,11 +31,6 @@ allow cmddumper system_file:file x_file_perms; allow cmddumper media_rw_data_file:file { create_file_perms }; allow cmddumper media_rw_data_file:dir { create_dir_perms }; -# purpose: access vmodem device -#allow cmddumper vmodem_device:chr_file { create_file_perms }; - # purpose: access plat_file_contexts allow cmddumper file_contexts_file:file { read getattr open }; -# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode -#allow cmddumper sysfs:file { read open }; \ No newline at end of file diff --git a/prebuilts/api/26.0/plat_private/em_svr.te b/prebuilts/api/26.0/plat_private/em_svr.te index ed42b5d..a061bfa 100755 --- a/prebuilts/api/26.0/plat_private/em_svr.te +++ b/prebuilts/api/26.0/plat_private/em_svr.te @@ -48,7 +48,7 @@ allow em_svr sysfs_leds:dir search; # Date: WK1812 # Purpose: add for sensor calibration -#allow em_svr self:capability { dac_read_search dac_override chown fsetid }; +allow em_svr self:capability { chown fsetid }; # Date: WK1812 # Purpose: add for shell cmd 
@@ -60,23 +60,4 @@ allow em_svr toolbox_exec:file { getattr execute read open execute_no_trans }; # Date: WK1812 # Purpose: sys file access -#allow em_svr sysfs:file { getattr read write open }; allow em_svr sysfs:dir { open read }; - -# Date: WK1812 -# Purpose: proc file access -#allow em_svr proc:file { getattr open read write }; - - - - - - - - - - - - - - diff --git a/prebuilts/api/26.0/plat_private/emdlogger.te b/prebuilts/api/26.0/plat_private/emdlogger.te index 92facb8..c73c775 100755 --- a/prebuilts/api/26.0/plat_private/emdlogger.te +++ b/prebuilts/api/26.0/plat_private/emdlogger.te @@ -47,10 +47,6 @@ allow emdlogger storage_file:dir { create_dir_perms }; allow emdlogger tmpfs:lnk_file read; allow emdlogger storage_file:file { create_file_perms }; -#permission for read boot mode -#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" -#allow emdlogger sysfs:file { read open }; - # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 # scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 allow emdlogger system_file:dir read; diff --git a/prebuilts/api/26.0/plat_private/fuelgauged_static.te b/prebuilts/api/26.0/plat_private/fuelgauged_static.te index fdbf7c1..19e1f2a 100755 --- a/prebuilts/api/26.0/plat_private/fuelgauged_static.te +++ b/prebuilts/api/26.0/plat_private/fuelgauged_static.te 
@@ -27,13 +27,6 @@ init_daemon_domain(fuelgauged_static) allow fuelgauged_static input_device:dir rw_dir_perms; allow fuelgauged_static input_device:file r_file_perms; - -# Data : WK14.43 -# Operation : Migration -# Purpose : For fg daemon can comminucate with kernel -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow fuelgauged_static fuelgauged_static:netlink_kobject_uevent_socket create_socket_perms; -#allow fuelgauged_static fuelgauged_static:netlink_socket create_socket_perms; # Data : WK16.21 # Operation : New Feature # Purpose : For fg daemon can access /data/FG folder @@ -47,4 +40,4 @@ allow fuelgauged_static system_data_file:dir rw_dir_perms; allow fuelgauged_static rootfs:file entrypoint; # Data : WK16.39 -#allow fuelgauged_static self:capability { chown fsetid dac_override }; +allow fuelgauged_static self:capability { chown fsetid }; diff --git a/prebuilts/api/26.0/plat_private/mdlogger.te b/prebuilts/api/26.0/plat_private/mdlogger.te index 7a27110..2e9464e 100755 --- a/prebuilts/api/26.0/plat_private/mdlogger.te +++ b/prebuilts/api/26.0/plat_private/mdlogger.te @@ -45,10 +45,6 @@ allow mdlogger storage_file:file { create_file_perms }; ## purpose: avc: denied { read } for name="plat_file_contexts" allow mdlogger file_contexts_file:file { read getattr open }; -#permission for read boot mode -#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" -#allow mdlogger sysfs:file { read open }; - # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 # scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 allow mdlogger system_file:dir read; diff --git a/prebuilts/api/26.0/plat_private/meta_tst.te b/prebuilts/api/26.0/plat_private/meta_tst.te index edada44..6753ea4 100755 --- a/prebuilts/api/26.0/plat_private/meta_tst.te +++ b/prebuilts/api/26.0/plat_private/meta_tst.te 
@@ -21,13 +21,12 @@ init_daemon_domain(meta_tst) #============= meta_tst ========================= allow meta_tst port:tcp_socket { name_connect name_bind }; -#allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin }; +allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin }; allow meta_tst self:tcp_socket { create connect setopt bind }; allow meta_tst self:tcp_socket { bind setopt listen accept read write }; allow meta_tst self:udp_socket { create ioctl }; allow meta_tst self:capability { sys_boot ipc_lock }; allow meta_tst sysfs_wake_lock:file rw_file_perms; -#allow meta_tst sysfs:file write; allow meta_tst property_socket:sock_file w_file_perms; allow meta_tst init:unix_stream_socket connectto; allow meta_tst vold:unix_stream_socket connectto; diff --git a/prebuilts/api/26.0/plat_private/mobile_log_d.te b/prebuilts/api/26.0/plat_private/mobile_log_d.te index a2ee26d..aca585f 100755 --- a/prebuilts/api/26.0/plat_private/mobile_log_d.te +++ b/prebuilts/api/26.0/plat_private/mobile_log_d.te @@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop) unix_socket_connect(mobile_log_d, logdr, logd); #capability -#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid }; +allow mobile_log_d self:capability { setuid setgid chown fowner fsetid }; allow mobile_log_d self:capability { setuid chown setgid }; allow mobile_log_d self:capability2 syslog; @@ -66,6 +66,5 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms; # access debugfs/tracing/instances/ allow mobile_log_d debugfs_tracing:dir create_dir_perms; -#allow mobile_log_d debugfs_tracing:file create_file_perms; allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms; allow mobile_log_d debugfs_tracing_instances:file create_file_perms; diff --git a/prebuilts/api/26.0/plat_private/netdiag.te b/prebuilts/api/26.0/plat_private/netdiag.te index 2ab7981..75b630f 100755 
--- a/prebuilts/api/26.0/plat_private/netdiag.te +++ b/prebuilts/api/26.0/plat_private/netdiag.te @@ -59,13 +59,6 @@ allow netdiag netpolicy_service:service_manager find; allow netdiag network_management_service:service_manager find; allow netdiag settings_service:service_manager find; - - -# Purpose : for socket with MTKLogger -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow netdiag self:socket_class_set { create_socket_perms }; -#allow netdiag self:netlink_route_socket { create_socket_perms nlmsg_read }; - # Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop allow netdiag device_logging_prop:file { getattr open }; allow netdiag mmc_prop:file { getattr open }; diff --git a/prebuilts/api/26.0/plat_private/ppp.te b/prebuilts/api/26.0/plat_private/ppp.te index 5b3376f..99248c7 100755 --- a/prebuilts/api/26.0/plat_private/ppp.te +++ b/prebuilts/api/26.0/plat_private/ppp.te @@ -16,9 +16,6 @@ allow ppp property_socket:sock_file write; # Purpose: for PPPOE Test allow ppp devpts:chr_file { read write ioctl open setattr }; -#allow ppp self:capability { setuid net_raw setgid dac_override }; -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow ppp self:packet_socket { write ioctl setopt read bind create }; allow ppp shell_exec:file { read execute open execute_no_trans }; diff --git a/prebuilts/api/26.0/plat_private/thermalindicator.te b/prebuilts/api/26.0/plat_private/thermalindicator.te index 8a9131d..735f3ca 100755 --- a/prebuilts/api/26.0/plat_private/thermalindicator.te +++ b/prebuilts/api/26.0/plat_private/thermalindicator.te 
@@ -31,11 +31,10 @@ allow servicemanager thermalindicator:process { getattr }; typeattribute thermalindicator mlstrustedsubject; allow thermalindicator proc:dir {search getattr}; -#allow thermalindicator proc:file read; allow thermalindicator shell:dir search; allow thermalindicator platform_app:dir search; allow thermalindicator platform_app:file {open read getattr}; allow thermalindicator untrusted_app:dir search; allow thermalindicator untrusted_app:file {open read getattr}; allow thermalindicator mediaserver:dir search; -allow thermalindicator mediaserver:file {open read getattr}; \ No newline at end of file +allow thermalindicator mediaserver:file {open read getattr};