Label vtservice binary, hidl, and service and grant required permissions
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com> Change-Id: I2bc48a03416807b9d0403a3a25bd9f7fd5952389
parent
c076d39750
commit
8d01032f5f
@ -718,6 +718,7 @@
|
|||||||
/dev/socket/volte_imcb(/.*)? u:object_r:volte_imcb_socket:s0
|
/dev/socket/volte_imcb(/.*)? u:object_r:volte_imcb_socket:s0
|
||||||
/dev/socket/wfca(/.*)? u:object_r:wfca_socket:s0
|
/dev/socket/wfca(/.*)? u:object_r:wfca_socket:s0
|
||||||
/dev/socket/volte_imsvt1(/.*)? u:object_r:volte_imsvt1_socket:s0
|
/dev/socket/volte_imsvt1(/.*)? u:object_r:volte_imsvt1_socket:s0
|
||||||
|
/system/bin/vtservice u:object_r:vtservice_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/bip u:object_r:bip_exec:s0
|
/(system\/vendor|vendor)/bin/bip u:object_r:bip_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/epdg_wod u:object_r:epdg_wod_exec:s0
|
/(system\/vendor|vendor)/bin/epdg_wod u:object_r:epdg_wod_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/stroke u:object_r:stroke_exec:s0
|
/(system\/vendor|vendor)/bin/stroke u:object_r:stroke_exec:s0
|
||||||
@ -727,6 +728,7 @@
|
|||||||
/(system\/vendor|vendor)/bin/volte_imcb u:object_r:volte_imcb_exec:s0
|
/(system\/vendor|vendor)/bin/volte_imcb u:object_r:volte_imcb_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/wfca u:object_r:wfca_exec:s0
|
/(system\/vendor|vendor)/bin/wfca u:object_r:wfca_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/xcap u:object_r:xcap_exec:s0
|
/(system\/vendor|vendor)/bin/xcap u:object_r:xcap_exec:s0
|
||||||
|
/(system\/vendor|vendor)/bin/hw/vtservice_hidl u:object_r:vtservice_hidl_exec:s0
|
||||||
|
|
||||||
# VPU
|
# VPU
|
||||||
/dev/vcu u:object_r:vcu_device:s0
|
/dev/vcu u:object_r:vcu_device:s0
|
||||||
|
@ -61,3 +61,6 @@ type mtk_hal_hdmi_hwservice, hwservice_manager_type;
|
|||||||
# Date: 2019/09/06
|
# Date: 2019/09/06
|
||||||
# BGService HIDL
|
# BGService HIDL
|
||||||
type mtk_hal_bgs_hwservice, hwservice_manager_type;
|
type mtk_hal_bgs_hwservice, hwservice_manager_type;
|
||||||
|
|
||||||
|
# vtservice
|
||||||
|
type mtk_hal_videotelephony_hwservice, hwservice_manager_type;
|
||||||
|
@ -75,3 +75,6 @@ vendor.mediatek.hardware.hdmi::IMtkHdmiService u:object_r:mtk_hal_hdmi_hwservice
|
|||||||
#Date: 2019/09/02
|
#Date: 2019/09/02
|
||||||
# ATMs hidl
|
# ATMs hidl
|
||||||
vendor.mediatek.hardware.camera.atms::IATMs u:object_r:hal_camera_hwservice:s0
|
vendor.mediatek.hardware.camera.atms::IATMs u:object_r:hal_camera_hwservice:s0
|
||||||
|
|
||||||
|
# vtservice
|
||||||
|
vendor.mediatek.hardware.videotelephony::IVideoTelephony u:object_r:mtk_hal_videotelephony_hwservice:s0
|
||||||
|
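--- /dev/null
+++ b/non_plat/vtservice.te
@@ -0,0 +1,180 @@
+type vtservice_exec, system_file_type, exec_type, file_type;
+type vtservice ,domain;
+typeattribute vtservice coredomain;
+
+type vtservice_hidl_exec , exec_type, file_type, vendor_file_type;
+type vtservice_hidl ,domain, mtkimsapdomain;
+
+init_daemon_domain(vtservice)
+binder_use(vtservice)
+binder_call(vtservice, mediaserver)
+binder_service(vtservice)
+
+init_daemon_domain(vtservice_hidl)
+
+allow vtservice soc_vt_svc_socket:sock_file write;
+allow vtservice soc_vt_tcv_socket:sock_file write;
+allow vtservice rild_oem_socket:sock_file write;
+allow vtservice platform_app:binder call;
+allow vtservice system_server:binder call;
+allow vtservice sdcard_type:dir write;
+allow vtservice sdcard_type:dir add_name;
+allow vtservice sdcard_type:dir create;
+allow vtservice sdcard_type:file create;
+allow vtservice sdcard_type:file getattr;
+allow vtservice surfaceflinger:fd use;
+allow vtservice tmpfs:lnk_file read;
+allow vtservice radio:binder call;
+
+allow vtservice vtservice_service:service_manager add;
+allow vtservice sdcard_type:dir search;
+allow vtservice sdcard_type:file { read write open };
+allow vtservice radio_service:service_manager find;
+allow vtservice mediaserver_service:service_manager find;
+allow vtservice power_service:service_manager find;
+allow vtservice batterystats_service:service_manager find;
+
+allow vtservice_hidl vtservice_service:service_manager add;
+unix_socket_connect(vtservice_hidl, rild_oem, mtkrild)
+allow vtservice_hidl mtkrild:unix_stream_socket connectto;
+
+allow vtservice ccci_device:chr_file { read write open ioctl };
+
+allow vtservice Vcodec_device:chr_file { read write ioctl open };
+
+allow vtservice_hidl MTK_SMI_device:chr_file { read write ioctl open };
+allow vtservice_hidl fwmarkd_socket:sock_file write;
+allow vtservice_hidl netd:unix_stream_socket connectto;
+allow vtservice_hidl untrusted_app:binder call;
+allow vtservice_hidl proc:file open;
+
+allow vtservice audioserver_service:service_manager find;
+allow vtservice mnt_user_file:dir search;
+allow vtservice property_socket:sock_file write;
+allow vtservice surfaceflinger:binder call;
+allow vtservice system_data_file:dir write;
+
+allow vtservice audioserver:binder call;
+allow vtservice init:unix_stream_socket connectto;
+allow vtservice mnt_user_file:lnk_file read;
+allow vtservice system_data_file:dir add_name;
+
+allow vtservice media_rw_data_file:dir create_dir_perms;
+allow vtservice media_rw_data_file:file { write create open };
+
+allow vtservice proc_ged:file r_file_perms;
+allowxperm vtservice proc_ged:file ioctl { proc_ged_ioctls };
+allow vtservice system_data_file:dir remove_name;
+
+allow vtservice system_data_file:dir { open read create };
+allow vtservice system_data_file:sock_file { create open read write unlink };
+
+allow vtservice_hidl self:udp_socket { create bind connect read write setopt getattr getopt shutdown };
+allow vtservice_hidl node:udp_socket { node_bind };
+
+allow vtservice storage_file:lnk_file read;
+allow vtservice devmap_device:chr_file read;
+
+allow vtservice devmap_device:chr_file open;
+allow vtservice devmap_device:chr_file ioctl;
+
+allow vtservice surfaceflinger_service:service_manager find;
+
+allow vtservice cameraserver_service:service_manager find;
+allow vtservice cameraserver:binder call;
+allow vtservice cameraserver:fd use;
+
+allow vtservice mediacodec_service:service_manager find;
+allow vtservice mediacodec:binder call;
+allow vtservice qtaguid_device:chr_file r_file_perms;
+allow vtservice priv_app:binder call;
+
+allow vtservice self:capability net_admin;
+
+allow vtservice debugfs_ged:dir search;
+allow vtservice debugfs_ged:file { write open };
+
+allow vtservice gpu_device:dir search;
+allow vtservice dri_device:chr_file { open read write ioctl getattr};
+allow vtservice gpu_device:chr_file rw_file_perms;
+
+
+hal_client_domain(vtservice, hal_pq)
+
+hal_client_domain(vtservice, hal_allocator)
+
+allow vtservice vtservice_service:service_manager add;
+
+allow vtservice hwservicemanager:binder call;
+allow vtservice hwservicemanager_prop:file { getattr open read };
+allow vtservice system_file:dir read;
+allow vtservice system_file:dir open;
+
+allow vtservice mtk_hal_videotelephony_hwservice :hwservice_manager find;
+
+add_hwservice(vtservice_hidl, mtk_hal_videotelephony_hwservice)
+hwbinder_use(vtservice_hidl)
+binder_call(vtservice, vtservice_hidl)
+binder_call(vtservice_hidl, vtservice)
+
+get_prop(vtservice_hidl, hwservicemanager_prop)
+
+allow vtservice_hidl debugfs_tracing:file open;
+allow vtservice_hidl debugfs_tracing:file write;
+allow vtservice_hidl system_file:dir read;
+allow vtservice_hidl system_file:dir open;
+allow vtservice_hidl rild:unix_stream_socket connectto;
+
+net_domain(vtservice_hidl)
+
+allow vtservice ion_device:chr_file { open read };
+
+hal_client_domain(vtservice, hal_omx);
+allow vtservice mediametrics_service:service_manager find;
+allow vtservice mediametrics:binder call;
+
+allow vtservice self:udp_socket create_socket_perms_no_ioctl;
+allow vtservice node:udp_socket node_bind;
+
+allow vtservice debugfs_ion:dir search;
+allow vtservice fwmarkd_socket:sock_file write;
+allow vtservice hal_graphics_allocator_default:binder call;
+allow vtservice hal_graphics_allocator_default:fd use;
+hal_client_domain(vtservice, hal_graphics_allocator);
+allow vtservice hal_graphics_mapper_hwservice:hwservice_manager find;
+allow vtservice netd:unix_stream_socket connectto;
+allow vtservice ion_device:chr_file ioctl;
+allow vtservice MTK_SMI_device:chr_file { read write ioctl open };
+allow vtservice proc:file getattr;
+allow vtservice mtk_cmdq_device:chr_file { read ioctl open };
+allow vtservice_hidl proc:file read;
+allow vtservice merged_hal_service:fd use;
+allow vtservice merged_hal_service:binder call;
+
+allow vtservice graphics_device:chr_file { ioctl open read };
+allow vtservice graphics_device:dir search;
+
+allow vtservice proc_perfmgr:dir {read search};
+allow vtservice proc_perfmgr:file r_file_perms;
+allowxperm vtservice proc_perfmgr:file ioctl {
+PERFMGR_FPSGO_QUEUE
+PERFMGR_FPSGO_DEQUEUE
+PERFMGR_FPSGO_QUEUE_CONNECT
+PERFMGR_FPSGO_BQID
+};
+
+get_prop(vtservice, vendor_default_prop)
+
+allow vtservice mtk_hal_mms_hwservice:hwservice_manager find;
+allow vtservice cameraserver:dir search;
+allow vtservice cameraserver:file { getattr open read };
+allow vtservice debug_bq_dump_prop:file read;
+allow vtservice mtk_hal_mms:binder call;
+allow vtservice proc_uptime:file read;
+
+allow vtservice port:udp_socket name_bind;
+allow vtservice self:capability net_raw;
+allow vtservice debug_bq_dump_prop:file open;
+
+hal_client_domain(vtservice, hal_codec2)
+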
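Review bot: The `vtservice` domain gets create and delete rights on generically labelled data: `allow vtservice system_data_file:dir write;` together with `add_name`, `remove_name` and `{ open read create }`, plus `allow vtservice system_data_file:sock_file { create open read write unlink };`, cover every directory that carries the default data label rather than only the service's own. A dedicated type for the service's directory and socket, labelled in file_contexts (the path is not shown on this page), would let these `system_data_file` grants be dropped. `allow vtservice_hidl untrusted_app:binder call;`, `allow vtservice self:capability net_admin;` and `allow vtservice self:capability net_raw;` are similarly broad and have no comment naming the code path that needs them; they read like denials copied from an audit log and should each be justified or removed. `allow vtservice vtservice_service:service_manager add;` also appears twice in the file.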
@ -10,3 +10,5 @@ memory_dumper u:object_r:mediaserver_service:s0
|
|||||||
imsa u:object_r:radio_service:s0
|
imsa u:object_r:radio_service:s0
|
||||||
mtkIms u:object_r:radio_service:s0
|
mtkIms u:object_r:radio_service:s0
|
||||||
GbaService u:object_r:radio_service:s0
|
GbaService u:object_r:radio_service:s0
|
||||||
|
media.VTS u:object_r:vtservice_service:s0
|
||||||
|
media.VTS.HiDL u:object_r:vtservice_hidl_service:s0
|
||||||
|
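Review bot: `media.VTS.HiDL` is labelled `vtservice_hidl_service` here, but the new non_plat/vtservice.te on this page never references that type; the only service_manager grant to the HIDL domain is `allow vtservice_hidl vtservice_service:service_manager add;`. If vtservice_hidl registers under `media.VTS.HiDL`, that add would presumably be denied, while the rule as written lets the vendor-side domain register `media.VTS`, the name labelled for the system-side service. The rule should probably read `allow vtservice_hidl vtservice_hidl_service:service_manager add;`, with the grant on `vtservice_service` kept for `vtservice` only.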
@ -6,3 +6,5 @@
|
|||||||
|
|
||||||
# Other Services
|
# Other Services
|
||||||
type nvram_agent_service, service_manager_type;
|
type nvram_agent_service, service_manager_type;
|
||||||
|
type vtservice_service, service_manager_type;
|
||||||
|
type vtservice_hidl_service, service_manager_type;
|
||||||
|