From b11cda4bfd90baaadc43a747f3163a8095fb775b Mon Sep 17 00:00:00 2001 From: Shanshan Guo Date: Sat, 18 Jan 2020 10:15:38 +0800 Subject: [PATCH] [ALPS04640303] SEPolicy: Fix app violation [Detail] There are some selinux violation for app in MTBF, need to add some sepolicy for them. [Solution] 1.Add sepolicy 2.Move sepolicy of untrusted_app_* to untrusted_app_*.te 3.Modify sepolicy MTK-Commit-Id: 62b5c74c6d1d85acf0184fc18fca0b40c4a8e60c Change-Id: Icac33ccc54b691ee0e4ab7088f77adb1c1a4a549 CR-Id: ALPS04640303 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK --- non_plat/app.te | 5 +++++ non_plat/platform_app.te | 5 ----- non_plat/system_app.te | 8 ++++++-- non_plat/untrusted_app.te | 16 ---------------- non_plat/untrusted_app_25.te | 19 +++++++++++++++++++ 5 files changed, 30 insertions(+), 23 deletions(-) create mode 100644 non_plat/untrusted_app_25.te diff --git a/non_plat/app.te b/non_plat/app.te index ed037b0..b151f4b 100644 --- a/non_plat/app.te +++ b/non_plat/app.te @@ -41,3 +41,8 @@ allow { appdomain -isolated_app } radio_data_file:file rw_file_perms; # Operation : Migration # Purpose : For app com.tencent.qqpimsecure allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START; + +# Date: 2019/06/17 +# Operation : Migration +# Purpose : appdomain need get mtk_amslog_prop +get_prop(appdomain, mtk_amslog_prop) diff --git a/non_plat/platform_app.te b/non_plat/platform_app.te index 40d108a..32b2e8a 100644 --- a/non_plat/platform_app.te +++ b/non_plat/platform_app.te @@ -108,8 +108,3 @@ get_prop(platform_app, vendor_connsysfw_prop) # Purpose : JPEG need to use PQ via MMS HIDL allow platform_app mtk_hal_mms_hwservice:hwservice_manager find; allow platform_app mtk_hal_mms:binder call; - -# Date: 2019/06/14 -# Operation : Migration -# Purpose : platform_app need get mtk_amslog_prop -get_prop(platform_app, mtk_amslog_prop) diff --git a/non_plat/system_app.te b/non_plat/system_app.te index 91bcf0b..8a88e6b 100644 --- a/non_plat/system_app.te +++ b/non_plat/system_app.te @@ -37,6 +37,10 @@ allow system_app mtk_hal_mms:binder call; # Date: 2019/06/14 # Operation : Migration -# Purpose : system_app need get mtk_amslog_prop -get_prop(system_app, mtk_amslog_prop) +# Purpose : system_app need vendor_default_prop get_prop(system_app, vendor_default_prop) + +# Date: 2019/06/17 +# Operation : Migration +# Purpose :allow system_app to read mtk_em_tel_log_prop +get_prop(system_app, mtk_em_tel_log_prop) diff --git a/non_plat/untrusted_app.te b/non_plat/untrusted_app.te index 3d3c42a..040d47f 100644 --- a/non_plat/untrusted_app.te +++ b/non_plat/untrusted_app.te @@ -10,19 +10,3 @@ # from MTK kernel modules for thermal tests at OEM/ODM. allow untrusted_app proc_mtktz:dir search; allow untrusted_app proc_mtktz:file r_file_perms; - -# Date : 2017/08/01 -# Operation: SQC -# Purpose : Allow Whatstemp, a MTK thermal logging tool, to log thermal related information -# properly for thermal tests at OEM/ODM. -allow untrusted_app_25 proc_mtktz:dir search; -allow untrusted_app_25 proc_mtktz:file { getattr open read }; -allow untrusted_app_25 proc_thermal:dir search; -allow untrusted_app_25 proc_thermal:file { getattr open read }; - -allow untrusted_app_25 sysfs_fps:dir search; -allow untrusted_app_25 sysfs_fps:file { getattr open read }; -allow untrusted_app_25 sysfs_batteryinfo:dir search; -#allow untrusted_app_25 sysfs_batteryinfo:file { getattr open read }; -allow untrusted_app_25 sysfs_therm:dir { open read search }; -allow untrusted_app_25 sysfs_therm:file { getattr open read }; diff --git a/non_plat/untrusted_app_25.te b/non_plat/untrusted_app_25.te new file mode 100644 index 0000000..76310d7 --- /dev/null +++ b/non_plat/untrusted_app_25.te @@ -0,0 +1,19 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : 2017/08/01 +# Operation: SQC +# Purpose : Allow Whatstemp, a MTK thermal logging tool, to log thermal related information +# properly for thermal tests at OEM/ODM. +allow untrusted_app_25 proc_mtktz:dir search; +allow untrusted_app_25 proc_mtktz:file r_file_perms; +allow untrusted_app_25 proc_thermal:dir search; +allow untrusted_app_25 proc_thermal:file r_file_perms; + +allow untrusted_app_25 sysfs_fps:dir search; +allow untrusted_app_25 sysfs_fps:file r_file_perms; +allow untrusted_app_25 sysfs_batteryinfo:dir search; +#allow untrusted_app_25 sysfs_batteryinfo:file { getattr open read }; +allow untrusted_app_25 sysfs_therm:dir r_dir_perms; +allow untrusted_app_25 sysfs_therm:file r_file_perms;