[ALPS03825066] Fix boot fail

[Detail] System processes have no permission to access vendor_default_prop [Solution] Add get vendor_default_prop rule for system processes MTK-Commit-Id: 412119fb578fc32e9f046c09a13817cf3c755515 Change-Id: I791997e6bb44c61b69d32c6da0cc80c6f2a9759e CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
2020-01-18 09:47:42 +08:00 · 2020-01-18 09:47:42 +08:00 · 78d7f51370
commit 78d7f51370
parent 9ac183515e
26 changed files with 159 additions and 2 deletions
--- a/non_plat/aee_aed.te
+++ b/non_plat/aee_aed.te
@ -50,3 +50,8 @@ allow aee_aed exec_type:file r_file_perms;
 # Purpose: Allow aee_aedv to read /proc/cpu/alignment
 allow aee_aed proc_cpu_alignment:file { write open };
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(aee_aed, vendor_default_prop)
--- a/non_plat/aee_aedv.te
+++ b/non_plat/aee_aedv.te
@ -392,3 +392,8 @@ allow aee_aedv proc_hw_ver:file { read open };
 # Purpose: Allow aee_aedv to read /proc/sched_debug
 allow aee_aedv proc_sched_debug:file { read open };
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(aee_aedv, vendor_default_prop)
--- a/non_plat/audioserver.te
+++ b/non_plat/audioserver.te
@ -64,3 +64,7 @@ allow audioserver aee_aed:unix_stream_socket connectto;
 allow audioserver mtk_thermal_config_prop:file { getattr open read };
 allow audioserver mtk_thermal_config_prop:property_service set;
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(audioserver, vendor_default_prop)
--- a/non_plat/boot_logo_updater.te
+++ b/non_plat/boot_logo_updater.te
@ -21,3 +21,7 @@ allow boot_logo_updater proc_lk_env:file rw_file_perms;
 # Purpose : for it to read-write SysEnv data
 allow boot_logo_updater para_block_device:blk_file rw_file_perms;
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(boot_logo_updater, vendor_default_prop)
--- a/non_plat/cameraserver.te
+++ b/non_plat/cameraserver.te
@ -394,3 +394,8 @@ allow cameraserver camera_mfb_device:chr_file rw_file_perms;
 # Purpose: Allow permgr access
 allow cameraserver proc_perfmgr:dir {read search};
 allow cameraserver proc_perfmgr:file {open read ioctl};
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(cameraserver, vendor_default_prop)
--- a/non_plat/crash_dump.te
+++ b/non_plat/crash_dump.te
@ -0,0 +1,9 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(crash_dump, vendor_default_prop)
--- a/non_plat/drmserver.te
+++ b/non_plat/drmserver.te
@ -5,3 +5,8 @@
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
 allow drmserver proc_ged:file {open read write ioctl getattr};
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(drmserver, vendor_default_prop)
--- a/non_plat/em_svr.te
+++ b/non_plat/em_svr.te
@ -31,3 +31,7 @@ allow em_svr nvram_device:blk_file { open read write };
 # Purpose: add for Gyroscope sensor
 allow em_svr gyroscope_device:chr_file { read ioctl open };
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(em_svr, vendor_default_prop)
--- a/non_plat/gatekeeperd.te
+++ b/non_plat/gatekeeperd.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(gatekeeperd, vendor_default_prop)
--- a/non_plat/hwservicemanager.te
+++ b/non_plat/hwservicemanager.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(hwservicemanager, vendor_default_prop)
--- a/non_plat/lmkd.te
+++ b/non_plat/lmkd.te
@ -17,3 +17,8 @@ dontaudit lmkd zygote:dir rw_dir_perms;
 #           path=2F6465762F6173686D656D2F4469736361726461626C654D656D6F72794173686D656D416C6C6F6361746F72202864656C6574656429
 #           dev="tmpfs" ino=14475 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=fd permissive=0
 dontaudit lmkd platform_app:fd use;
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(lmkd, vendor_default_prop)
--- a/non_plat/logd.te
+++ b/non_plat/logd.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(logd, vendor_default_prop)
--- a/non_plat/mediaserver.te
+++ b/non_plat/mediaserver.te
@ -391,3 +391,8 @@ allow mediaserver  mtk_hal_keymanage:binder call;
 # Purpose : Allow mediadrmserver  to call vendor.mediatek.hardware.keymanage@1.0-service.
 hal_client_domain(mediaserver , hal_keymaster)
 allow mediaserver mtk_hal_keymanage_hwservice:hwservice_manager find;
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(mediaserver, vendor_default_prop)
--- a/non_plat/netd.te
+++ b/non_plat/netd.te
@ -61,4 +61,7 @@ allow netd untrusted_app:fd use;
 allow netd untrusted_app:unix_stream_socket { read write getopt setopt};
 allow netd isolated_app:fd use;
-
+# Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(netd, vendor_default_prop)
--- a/non_plat/servicemanager.te
+++ b/non_plat/servicemanager.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(servicemanager, vendor_default_prop)
--- a/non_plat/surfaceflinger.te
+++ b/non_plat/surfaceflinger.te
@ -59,3 +59,8 @@ allow surfaceflinger proc_perfmgr:file {open read ioctl};
 get_prop(surfaceflinger, graphics_hwc_pid_prop)
 allow surfaceflinger hal_graphics_composer_default:dir search;
 allow surfaceflinger hal_graphics_composer_default:lnk_file read;
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(surfaceflinger, vendor_default_prop)
--- a/non_plat/thermalserviced.te
+++ b/non_plat/thermalserviced.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(thermalserviced, vendor_default_prop)
--- a/non_plat/tzdatacheck.te
+++ b/non_plat/tzdatacheck.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(tzdatacheck, vendor_default_prop)
--- a/non_plat/vdc.te
+++ b/non_plat/vdc.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ============
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(atcid, vendor_default_prop)
--- a/non_plat/vndservicemanager.te
+++ b/non_plat/vndservicemanager.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(vndservicemanager, vendor_default_prop)
--- a/non_plat/vold.te
+++ b/non_plat/vold.te
@ -20,3 +20,8 @@ dontaudit vold proc_mtktz:dir { read open };
 dontaudit vold proc_thermal:dir { read open };
 allow vold mtd_device:blk_file rw_file_perms;
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(vold, vendor_default_prop)
--- a/non_plat/vold_prepare_subdirs.te
+++ b/non_plat/vold_prepare_subdirs.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(vold_prepare_subdirs, vendor_default_prop)
--- a/non_plat/wificond.te
+++ b/non_plat/wificond.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : wificond
 get_prop(wificond, vendor_default_prop)
--- a/non_plat/zygote.te
+++ b/non_plat/zygote.te
@ -10,3 +10,8 @@ allow zygote proc_ged:file {open read write ioctl getattr};
 # Purpose: Allow to access gpu for memtrack functions
 allow zygote gpu_device:dir search;
 allow zygote gpu_device:chr_file { open read write ioctl getattr};
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(zygote, vendor_default_prop)
--- a/plat_private/hal_allocator_default.te
+++ b/plat_private/hal_allocator_default.te
@ -0,0 +1,8 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Date : WK18.20
 # Operation : Migration
 # Purpose : no permission for vendor_default_prop
 get_prop(hal_allocator_default, vendor_default_prop)