[ALPS04700799] Align keymanager sepolicy with p0.mp6
Align keymanager sepolicy with p0.mp6 MTK-Commit-Id: 24a187bc32e2be7663abb880c07659834d71f4b0 Change-Id: Ia98525be2155dcf3261633d1e6c25a775426068d CR-Id: ALPS04700799 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
parent
8ae5f3bd2c
commit
9708912e27
@ -230,6 +230,8 @@ type vbmeta_block_device, dev_type;
|
|||||||
type alarm_device, dev_type;
|
type alarm_device, dev_type;
|
||||||
type mdp_device, dev_type;
|
type mdp_device, dev_type;
|
||||||
type mrdump_device, dev_type;
|
type mrdump_device, dev_type;
|
||||||
|
type kb_block_device,dev_type;
|
||||||
|
type dkb_block_device,dev_type;
|
||||||
|
|
||||||
##########################
|
##########################
|
||||||
# Sensor common Devices Start
|
# Sensor common Devices Start
|
||||||
|
@ -357,6 +357,10 @@ type sysfs_power_off_vol, fs_type, sysfs_type;
|
|||||||
type sysfs_fg_disable, fs_type, sysfs_type;
|
type sysfs_fg_disable, fs_type, sysfs_type;
|
||||||
type sysfs_dis_nafg, fs_type, sysfs_type;
|
type sysfs_dis_nafg, fs_type, sysfs_type;
|
||||||
|
|
||||||
|
# drm key manager
|
||||||
|
type provision_file, file_type, data_file_type;
|
||||||
|
type key_install_data_file, file_type, data_file_type;
|
||||||
|
|
||||||
# Date : WK18.16
|
# Date : WK18.16
|
||||||
# Purpose: Android Migration
|
# Purpose: Android Migration
|
||||||
type sysfs_mmcblk, fs_type, sysfs_type;
|
type sysfs_mmcblk, fs_type, sysfs_type;
|
||||||
|
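Review bot: `provision_file` is declared under `# drm key manager` with no comment on what it labels, and none of the file_contexts hunks on this page assign it to a path; only `/data/vendor/key_provisioning(/.*)?` mapped to `key_install_data_file` is visible. If no path carries the label, the kisd rules granting create/write/unlink on `provision_file` are dead policy and the type could be dropped. Otherwise extend the comment, e.g. `# drm key manager: provision_file labels <path>; key_install_data_file labels /data/vendor/key_provisioning`. The labelling may exist in a file this page does not show.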
@ -65,6 +65,7 @@
|
|||||||
/data/vendor/stp_dump(/.*)? u:object_r:stp_dump_data_file:s0
|
/data/vendor/stp_dump(/.*)? u:object_r:stp_dump_data_file:s0
|
||||||
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
|
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
|
||||||
/data/vendor/dipdebug(/.*)? u:object_r:aee_dipdebug_vendor_file:s0
|
/data/vendor/dipdebug(/.*)? u:object_r:aee_dipdebug_vendor_file:s0
|
||||||
|
/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0
|
||||||
|
|
||||||
# Misc data
|
# Misc data
|
||||||
#/data/misc/acdapi(/.*)? u:object_r:acdapi_data_file:s0
|
#/data/misc/acdapi(/.*)? u:object_r:acdapi_data_file:s0
|
||||||
@ -479,6 +480,12 @@
|
|||||||
/dev/block/platform/bootdevice/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0
|
/dev/block/platform/bootdevice/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0
|
||||||
/dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
|
/dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
|
||||||
|
|
||||||
|
# Key manager
|
||||||
|
/dev/block/platform/bootdevice/by-name/kb u:object_r:kb_block_device:s0
|
||||||
|
/dev/block/platform/bootdevice/by-name/dkb u:object_r:dkb_block_device:s0
|
||||||
|
/dev/kb u:object_r:kb_block_device:s0
|
||||||
|
/dev/dkb u:object_r:dkb_block_device:s0
|
||||||
|
|
||||||
# W19.23 Q new feature - Userdata Checkpoint
|
# W19.23 Q new feature - Userdata Checkpoint
|
||||||
/dev/block/by-name/md_udc u:object_r:metadata_block_device:s0
|
/dev/block/by-name/md_udc u:object_r:metadata_block_device:s0
|
||||||
|
|
||||||
@ -549,6 +556,7 @@
|
|||||||
/(system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0
|
/(system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0
|
/(system\/vendor|vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0
|
/(system\/vendor|vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0
|
||||||
|
/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
|
||||||
|
|
||||||
/(system\/vendor|vendor)/bin/fm_hidl_service u:object_r:fm_hidl_service_exec:s0
|
/(system\/vendor|vendor)/bin/fm_hidl_service u:object_r:fm_hidl_service_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/wlan_assistant u:object_r:wlan_assistant_exec:s0
|
/(system\/vendor|vendor)/bin/wlan_assistant u:object_r:wlan_assistant_exec:s0
|
||||||
|
@ -6,6 +6,7 @@
|
|||||||
# Type Declaration
|
# Type Declaration
|
||||||
# ==============================================
|
# ==============================================
|
||||||
|
|
||||||
|
type kisd ,domain;
|
||||||
type kisd_exec, exec_type, file_type, vendor_file_type;
|
type kisd_exec, exec_type, file_type, vendor_file_type;
|
||||||
typeattribute kisd mlstrustedsubject;
|
typeattribute kisd mlstrustedsubject;
|
||||||
|
|
||||||
@ -18,7 +19,6 @@ init_daemon_domain(kisd)
|
|||||||
allow kisd tee_device:chr_file {read write open ioctl};
|
allow kisd tee_device:chr_file {read write open ioctl};
|
||||||
allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
|
allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
|
||||||
allow kisd provision_file:file {create read write open getattr unlink};
|
allow kisd provision_file:file {create read write open getattr unlink};
|
||||||
#allow kisd system_file:file {execute_no_trans};
|
|
||||||
allow kisd block_device:dir {read write open ioctl search};
|
allow kisd block_device:dir {read write open ioctl search};
|
||||||
allow kisd kb_block_device:blk_file {read write open ioctl getattr};
|
allow kisd kb_block_device:blk_file {read write open ioctl getattr};
|
||||||
allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
|
allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
|
||||||
@ -26,6 +26,7 @@ allow kisd key_install_data_file:dir {write remove_name add_name};
|
|||||||
allow kisd key_install_data_file:file {write getattr read create unlink open};
|
allow kisd key_install_data_file:file {write getattr read create unlink open};
|
||||||
allow kisd key_install_data_file:dir search;
|
allow kisd key_install_data_file:dir search;
|
||||||
allow kisd mtd_device:chr_file { open read write };
|
allow kisd mtd_device:chr_file { open read write };
|
||||||
|
allow kisd mtd_device:blk_file { open read write ioctl getattr};
|
||||||
allow kisd mtd_device:dir { search };
|
allow kisd mtd_device:dir { search };
|
||||||
allow kisd kb_block_device:chr_file {read write open ioctl getattr};
|
allow kisd kb_block_device:chr_file {read write open ioctl getattr};
|
||||||
allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
|
allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
|
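Review bot: The rule that appears only on the new side of the third hunk, `allow kisd mtd_device:blk_file { open read write ioctl getattr};`, gives kisd raw read/write on every block node labelled `mtd_device`, not only the key blocks. The neighbouring rules already grant the same permissions on `kb_block_device` and `dkb_block_device`, so if kisd only touches the key partitions this line can be dropped. If an MTD-backed key block is really needed, give that node its own type and add a comment naming it. kisd is also `mlstrustedsubject` and the `ioctl` permission is unfiltered, so an `allowxperm` whitelist of the commands it issues would narrow this further. The added/removed sides are inferred from the hunk header counts, since the +/- markers are lost on this page.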
@ -25,7 +25,6 @@
|
|||||||
/system/bin/aee_aed u:object_r:aee_aed_exec:s0
|
/system/bin/aee_aed u:object_r:aee_aed_exec:s0
|
||||||
/system/bin/aee_aed64 u:object_r:aee_aed_exec:s0
|
/system/bin/aee_aed64 u:object_r:aee_aed_exec:s0
|
||||||
/system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
|
/system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
|
|
||||||
/system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0
|
/system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0
|
||||||
|
|
||||||
# google suggest that move aee_aedv_exec to platform @google_issue_id:64130120
|
# google suggest that move aee_aedv_exec to platform @google_issue_id:64130120
|
||||||
@ -33,9 +32,6 @@
|
|||||||
/(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
|
/(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
|
||||||
/vendor/bin/aeev u:object_r:aee_aedv_exec:s0
|
/vendor/bin/aeev u:object_r:aee_aedv_exec:s0
|
||||||
|
|
||||||
# kisd for Key Manager
|
|
||||||
/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0
|
|
||||||
|
|
||||||
# storagemanager daemon
|
# storagemanager daemon
|
||||||
# it is used to mount all storages in meta/factory mode
|
# it is used to mount all storages in meta/factory mode
|
||||||
/system/bin/storagemanagerd u:object_r:vold_exec:s0
|
/system/bin/storagemanagerd u:object_r:vold_exec:s0
|
||||||
|
@ -2,6 +2,4 @@
|
|||||||
# MTK Policy Rule
|
# MTK Policy Rule
|
||||||
# ==============================================
|
# ==============================================
|
||||||
|
|
||||||
type kb_block_device,dev_type;
|
|
||||||
type dkb_block_device,dev_type;
|
|
||||||
type mtd_device, dev_type;
|
type mtd_device, dev_type;
|
||||||
|
@ -2,9 +2,5 @@
|
|||||||
# MTK Policy Rule
|
# MTK Policy Rule
|
||||||
# ==============================================
|
# ==============================================
|
||||||
|
|
||||||
#for drm key install
|
|
||||||
type provision_file, file_type, data_file_type;
|
|
||||||
type key_install_data_file, file_type, data_file_type;
|
|
||||||
|
|
||||||
# lbs debug file
|
# lbs debug file
|
||||||
type lbs_dbg_data_file, file_type, data_file_type, core_data_file_type;
|
type lbs_dbg_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
@ -1,9 +0,0 @@
|
|||||||
# ==============================================
|
|
||||||
# Policy File of /vendor/bin/kisd Executable File
|
|
||||||
|
|
||||||
|
|
||||||
# ==============================================
|
|
||||||
# Type Declaration
|
|
||||||
# ==============================================
|
|
||||||
|
|
||||||
type kisd ,domain;
|
|
@ -22,7 +22,6 @@
|
|||||||
/system/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
|
/system/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
|
||||||
/system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0
|
/system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0
|
||||||
/system/bin/meta_tst u:object_r:meta_tst_exec:s0
|
/system/bin/meta_tst u:object_r:meta_tst_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
|
|
||||||
/system/bin/pre_meta u:object_r:pre_meta_exec:s0
|
/system/bin/pre_meta u:object_r:pre_meta_exec:s0
|
||||||
/system/bin/factory u:object_r:factory_exec:s0
|
/system/bin/factory u:object_r:factory_exec:s0
|
||||||
|
|
||||||
@ -30,9 +29,6 @@
|
|||||||
/(system\/vendor|vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0
|
/(system\/vendor|vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0
|
||||||
/(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
|
/(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
|
||||||
|
|
||||||
# kisd for Key Manager
|
|
||||||
/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0
|
|
||||||
|
|
||||||
# storagemanager daemon
|
# storagemanager daemon
|
||||||
# it is used to mount all storages in meta/factory mode
|
# it is used to mount all storages in meta/factory mode
|
||||||
/system/bin/storagemanagerd u:object_r:storagemanagerd_exec:s0
|
/system/bin/storagemanagerd u:object_r:storagemanagerd_exec:s0
|
||||||
|
@ -1,31 +0,0 @@
|
|||||||
# ==============================================
|
|
||||||
# Policy File of /vendor/bin/kisd Executable File
|
|
||||||
|
|
||||||
|
|
||||||
# ==============================================
|
|
||||||
# Type Declaration
|
|
||||||
# ==============================================
|
|
||||||
|
|
||||||
type kisd_exec, exec_type, file_type, vendor_file_type;
|
|
||||||
typeattribute kisd mlstrustedsubject;
|
|
||||||
|
|
||||||
# ==============================================
|
|
||||||
# MTK Policy Rule
|
|
||||||
# ==============================================
|
|
||||||
|
|
||||||
init_daemon_domain(kisd)
|
|
||||||
|
|
||||||
allow kisd tee_device:chr_file {read write open ioctl};
|
|
||||||
allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
|
|
||||||
allow kisd provision_file:file {create read write open getattr unlink};
|
|
||||||
#allow kisd system_file:file {execute_no_trans};
|
|
||||||
allow kisd block_device:dir {read write open ioctl search};
|
|
||||||
allow kisd kb_block_device:blk_file {read write open ioctl getattr};
|
|
||||||
allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
|
|
||||||
allow kisd key_install_data_file:dir {write remove_name add_name};
|
|
||||||
allow kisd key_install_data_file:file {write getattr read create unlink open};
|
|
||||||
allow kisd key_install_data_file:dir search;
|
|
||||||
allow kisd mtd_device:chr_file { open read write };
|
|
||||||
allow kisd mtd_device:dir { search };
|
|
||||||
allow kisd kb_block_device:chr_file {read write open ioctl getattr};
|
|
||||||
allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
|
|
@ -1,6 +0,0 @@
|
|||||||
# ==============================================
|
|
||||||
# MTK Policy Rule
|
|
||||||
# ==============================================
|
|
||||||
|
|
||||||
type kb_block_device,dev_type;
|
|
||||||
type dkb_block_device,dev_type;
|
|
@ -1,7 +0,0 @@
|
|||||||
# ==============================================
|
|
||||||
# MTK Policy Rule
|
|
||||||
# ==============================================
|
|
||||||
|
|
||||||
#for drm key install
|
|
||||||
type provision_file, file_type, data_file_type;
|
|
||||||
type key_install_data_file, file_type, data_file_type;
|
|
@ -1,9 +0,0 @@
|
|||||||
# ==============================================
|
|
||||||
# Policy File of /vendor/bin/kisd Executable File
|
|
||||||
|
|
||||||
|
|
||||||
# ==============================================
|
|
||||||
# Type Declaration
|
|
||||||
# ==============================================
|
|
||||||
|
|
||||||
type kisd ,domain;
|
|