[ALPS03825066] Resolve vendor violates
[Detail] Google add new neverallows rules on android P, some rule violate the rules [Solution] Remove the rules which violate google new rules MTK-Commit-Id: ff683b4eee0a6dd95ff25fbb6c7d1fc3a79c604d Change-Id: Iead494212c6adcec234eaef14c83d1f8c7a49deb CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
This commit is contained in:
mtk12101
parent
37e0caa36e
commit
bbecfaa68b
@ -23,7 +23,7 @@ allow adbd self:capability2 syslog;
|
||||
|
||||
allow adbd block_device:dir r_dir_perms;
|
||||
allow adbd kernel:process setsched;
|
||||
allow adbd self:capability { net_raw ipc_lock dac_override };
|
||||
#allow adbd self:capability { net_raw ipc_lock dac_override };
|
||||
allow adbd system_data_file:dir w_dir_perms;
|
||||
file_type_auto_trans(adbd, system_data_file, adbd_data_file)
|
||||
allow adbd adbd_data_file:file create_file_perms;
|
||||
|
||||
@ -117,7 +117,7 @@ allow aee_aedv aee_tombstone_data_file:dir w_dir_perms;
|
||||
allow aee_aedv aee_tombstone_data_file:file create_file_perms;
|
||||
|
||||
# /proc/pid/
|
||||
allow aee_aedv self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module};
|
||||
#allow aee_aedv self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module};
|
||||
|
||||
# PROCESS_FILE_STATE
|
||||
allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
|
||||
|
||||
@ -26,7 +26,7 @@ allow aee_core_forwarder aee_exp_data_file:dir create_dir_perms;
|
||||
allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
|
||||
|
||||
#mkdir(path, mode)
|
||||
allow aee_core_forwarder self:capability dac_override;
|
||||
#allow aee_core_forwarder self:capability dac_override;
|
||||
|
||||
#read STDIN_FILENO
|
||||
allow aee_core_forwarder kernel:fifo_file read;
|
||||
|
||||
@ -29,5 +29,5 @@ allow biosensord_nvram nvdata_file:dir rw_dir_perms;
|
||||
allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms};
|
||||
allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
|
||||
allow biosensord_nvram biometric_device:chr_file { open ioctl read write };
|
||||
allow biosensord_nvram self:capability { dac_read_search chown fsetid dac_override };
|
||||
#allow biosensord_nvram self:capability { dac_read_search chown fsetid dac_override };
|
||||
allow biosensord_nvram system_data_file:lnk_file read;
|
||||
|
||||
@ -15,14 +15,14 @@ allow domain debugfs_binder:dir search;
|
||||
|
||||
# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
|
||||
# as it is a public interface for all processes to read some OTP data.
|
||||
allow domain sysfs_devinfo:file r_file_perms;
|
||||
#allow domain sysfs_devinfo:file r_file_perms;
|
||||
|
||||
# Date:20170519
|
||||
# Purpose: Full treble bootup issue, coredomain need to access libudf.so where
|
||||
# located on /vendor.
|
||||
# TODO:: In O MR1 may need to change design
|
||||
allow coredomain vendor_file:dir r_dir_perms;
|
||||
allow coredomain vendor_file:file { read open getattr execute };
|
||||
#allow coredomain vendor_file:file { read open getattr execute };
|
||||
allow coredomain vendor_file:lnk_file { getattr read };
|
||||
|
||||
# Date:20170630
|
||||
@ -32,5 +32,5 @@ allow {
|
||||
-untrusted_app_all
|
||||
-untrusted_v2_app
|
||||
} aee_aed:unix_stream_socket connectto;
|
||||
allow { domain -coredomain -hal_configstore_server } aee_aedv:unix_stream_socket connectto;
|
||||
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
|
||||
|
||||
|
||||
@ -94,7 +94,7 @@ allow emdlogger file_contexts_file:file { read getattr open };
|
||||
|
||||
allow emdlogger block_device:dir search;
|
||||
allow emdlogger md_block_device:blk_file { read open };
|
||||
allow emdlogger self:capability { chown dac_override };
|
||||
#allow emdlogger self:capability { chown dac_override };
|
||||
|
||||
|
||||
# purpose: allow emdlogger to access persist.meta.connecttype
|
||||
|
||||
@ -178,8 +178,6 @@ type debugfs_usb20_phy, fs_type, debugfs_type;
|
||||
# dynamic_debug debugfs file
|
||||
type debugfs_dynamic_debug, fs_type, debugfs_type;
|
||||
|
||||
# /sys/kernel/debug/wakeup_sources
|
||||
type debugfs_wakeup_sources, fs_type, debugfs_type;
|
||||
# shrinker debugfs file
|
||||
type debugfs_shrinker_debug, fs_type, debugfs_type;
|
||||
|
||||
|
||||
@ -64,7 +64,7 @@ allow fuelgauged nvram_data_file:lnk_file rw_file_perms;
|
||||
allow fuelgauged nvdata_file:lnk_file rw_file_perms;
|
||||
|
||||
# Data : WK16.39
|
||||
allow fuelgauged self:capability { chown fsetid dac_override };
|
||||
#allow fuelgauged self:capability { chown fsetid dac_override };
|
||||
|
||||
# Data : W16.43
|
||||
# Operation : New Feature
|
||||
|
||||
@ -45,7 +45,7 @@ allow fuelgauged_nvram fuelgauged_file:file {rw_file_perms create_file_perms};
|
||||
# Purpose : Change from /data to /cache
|
||||
allow fuelgauged_nvram cache_file:file {rw_file_perms create_file_perms};
|
||||
allow fuelgauged_nvram cache_file:dir {rw_dir_perms create_dir_perms};
|
||||
allow fuelgauged_nvram self:capability { dac_read_search dac_override chown };
|
||||
#allow fuelgauged_nvram self:capability { dac_read_search dac_override chown };
|
||||
allow fuelgauged_nvram kmsg_device:chr_file { write open };
|
||||
allow fuelgauged_nvram self:capability fsetid;
|
||||
|
||||
|
||||
@ -1,21 +0,0 @@
|
||||
# ====================================
|
||||
# MTK Policy Rule
|
||||
# ====================================
|
||||
|
||||
# Date: 2014/09/15
|
||||
# Operation: [Pre-SQC] Hotspot Manager cannot communicate with framework
|
||||
# Purpose: Add socket write permission for hostapd
|
||||
allow hostapd system_wpa_socket:sock_file write;
|
||||
|
||||
|
||||
# Date: 2014/10/13
|
||||
# Operation: [L-SQC] SELinux warning during whole chip reset
|
||||
# Purpose: kernel module netdev-ap0 gets invalid during whole chip reset, no impact to normal flow, dontaudit
|
||||
dontaudit hostapd kernel:system module_request;
|
||||
|
||||
# Date: 2017/06/22
|
||||
# Operation: [O-SQC] WiFi hal
|
||||
# Purpose: WiFi hal for WiFi hotspot manager
|
||||
hal_server_domain(hostapd, hal_wifi_supplicant)
|
||||
hal_server_domain(hostapd, mtk_hal_wifi_hostapd)
|
||||
|
||||
@ -17,7 +17,7 @@ type md_ctrl_exec, exec_type, file_type, vendor_file_type;
|
||||
init_daemon_domain(md_ctrl)
|
||||
allow md_ctrl ccci_device:chr_file { rw_file_perms };
|
||||
allow md_ctrl devpts:chr_file { rw_file_perms };
|
||||
allow md_ctrl self:capability dac_override;
|
||||
#allow md_ctrl self:capability dac_override;
|
||||
allow md_ctrl muxreport_exec:file rx_file_perms;
|
||||
allow md_ctrl emd_device:chr_file { rw_file_perms };
|
||||
allow md_ctrl eemcs_device:chr_file { rw_file_perms };
|
||||
|
||||
@ -58,7 +58,7 @@ allow merged_hal_service gyroscope_device:chr_file r_file_perms;
|
||||
allow merged_hal_service init:unix_stream_socket connectto;
|
||||
allow merged_hal_service property_socket:sock_file write;
|
||||
allow merged_hal_service sysfs:file write;
|
||||
allow merged_hal_service self:capability { fowner chown dac_override fsetid };
|
||||
#allow merged_hal_service self:capability { fowner chown dac_override fsetid };
|
||||
allow merged_hal_service system_data_file:dir create_file_perms;
|
||||
allow merged_hal_service nvram_device:chr_file rw_file_perms;
|
||||
allow merged_hal_service pro_info_device:chr_file rw_file_perms;
|
||||
|
||||
@ -56,7 +56,7 @@ allow mnld block_device:dir search;
|
||||
allow mnld mnld_prop:property_service set;
|
||||
allow mnld property_socket:sock_file write;
|
||||
allow mnld mdlog_device:chr_file { read write };
|
||||
allow mnld self:capability { fsetid dac_override };
|
||||
#allow mnld self:capability { fsetid dac_override };
|
||||
allow mnld stpbt_device:chr_file { read write };
|
||||
allow mnld ttyGS_device:chr_file { read write };
|
||||
# Purpose : For file system operations
|
||||
|
||||
@ -24,7 +24,7 @@ allow MPED sdcard_type:file create_file_perms;
|
||||
allow MPED sdcard_type:dir create_dir_perms;
|
||||
allow MPED init:unix_stream_socket connectto;
|
||||
allow MPED init:udp_socket rw_socket_perms;
|
||||
allow MPED self:capability { fsetid dac_override };
|
||||
#allow MPED self:capability { fsetid dac_override };
|
||||
allow MPED sysfs:file rw_file_perms;
|
||||
allow MPED tmpfs:lnk_file create_file_perms;
|
||||
# TODO::mtk work around and will fix it later
|
||||
|
||||
@ -15,7 +15,7 @@ allow rild kernel:system module_request;
|
||||
|
||||
# Capabilities assigned for rild
|
||||
allow rild self:capability { setuid net_admin net_raw };
|
||||
allow rild self:capability dac_override;
|
||||
#allow rild self:capability dac_override;
|
||||
|
||||
# Control cgroups
|
||||
allow rild cgroup:dir create_dir_perms;
|
||||
|
||||
@ -18,7 +18,7 @@ allow mtkrild kernel:system module_request;
|
||||
|
||||
# Capabilities assigned for mtkrild
|
||||
allow mtkrild self:capability { setuid net_admin net_raw };
|
||||
allow mtkrild self:capability dac_override;
|
||||
#allow mtkrild self:capability dac_override;
|
||||
|
||||
# Control cgroups
|
||||
allow mtkrild cgroup:dir create_dir_perms;
|
||||
|
||||
@ -13,7 +13,7 @@ type muxreport ,domain;
|
||||
init_daemon_domain(muxreport)
|
||||
|
||||
# Capabilities assigned for muxreport
|
||||
allow muxreport self:capability dac_override;
|
||||
#allow muxreport self:capability dac_override;
|
||||
|
||||
# Property service
|
||||
# allow set muxreport control properties
|
||||
|
||||
@ -41,7 +41,7 @@ allow nvram_agent_binder gyroscope_device:chr_file r_file_perms;
|
||||
allow nvram_agent_binder init:unix_stream_socket connectto;
|
||||
allow nvram_agent_binder property_socket:sock_file write;
|
||||
allow nvram_agent_binder sysfs:file write;
|
||||
allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
|
||||
#allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
|
||||
allow nvram_agent_binder system_data_file:dir create_file_perms;
|
||||
|
||||
# Purpose: for backup
|
||||
|
||||
@ -52,7 +52,7 @@ allow nvram_daemon init:unix_stream_socket connectto;
|
||||
# Purpose: for property set
|
||||
#allow nvram_daemon property_socket:sock_file w_file_perms;
|
||||
allow nvram_daemon sysfs:file w_file_perms;
|
||||
allow nvram_daemon self:capability { fowner chown dac_override fsetid };
|
||||
#allow nvram_daemon self:capability { fowner chown dac_override fsetid };
|
||||
|
||||
# Purpose: for backup
|
||||
allow nvram_daemon nvram_device:chr_file rw_file_perms;
|
||||
|
||||
@ -96,7 +96,7 @@ allow radio media_rw_data_file:file { create_file_perms };
|
||||
# Purpose :
|
||||
# Swift APK integration - access ccci dir/file
|
||||
allow radio ccci_fsd:dir { r_dir_perms };
|
||||
allow radio ccci_fsd:file { r_file_perms };
|
||||
#allow radio ccci_fsd:file { r_file_perms };
|
||||
|
||||
# Date : 2016/07/25
|
||||
# Operation : Bluetooth access NVRAM fail in Engineer Mode
|
||||
|
||||
@ -16,5 +16,5 @@ type spm_loader ,domain;
|
||||
init_daemon_domain(spm_loader)
|
||||
|
||||
# Read to /dev/spm
|
||||
allow spm_loader self:capability { dac_read_search dac_override };
|
||||
#allow spm_loader self:capability { dac_read_search dac_override };
|
||||
allow spm_loader spm_device:chr_file r_file_perms;
|
||||
|
||||
@ -21,7 +21,7 @@ type stp_dump3 ,domain;
|
||||
# MTK Policy Rule
|
||||
# ==============================================
|
||||
file_type_auto_trans(stp_dump3,system_data_file,stp_dump_data_file)
|
||||
allow stp_dump3 self:capability { net_admin fowner chown fsetid dac_override };
|
||||
#allow stp_dump3 self:capability { net_admin fowner chown fsetid dac_override };
|
||||
allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
|
||||
allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
|
||||
#allow stp_dump3 media_rw_data_file:sock_file { write create unlink setattr };
|
||||
|
||||
@ -19,7 +19,7 @@ allow thermal_manager proc_mtkcooler:file rw_file_perms;
|
||||
allow thermal_manager proc_mtktz:file rw_file_perms;
|
||||
allow thermal_manager proc_thermal:file rw_file_perms;
|
||||
allow thermal_manager system_data_file:dir { write add_name };
|
||||
allow thermal_manager self:capability { fowner chown fsetid dac_override };
|
||||
#allow thermal_manager self:capability { fowner chown fsetid dac_override };
|
||||
|
||||
# Date : WK15.30
|
||||
# Operation : Migration
|
||||
|
||||
@ -19,7 +19,7 @@ allow update_engine para_block_device:blk_file rw_file_perms;
|
||||
|
||||
|
||||
# Add for update_engine call by system_app
|
||||
allow update_engine self:capability dac_override;
|
||||
#allow update_engine self:capability dac_override;
|
||||
allow update_engine system_app:binder { call transfer };
|
||||
|
||||
# Add for update_engine with postinstall
|
||||
|
||||
@ -13,7 +13,7 @@ type wmt_loader_exec , exec_type, file_type, vendor_file_type;
|
||||
# ==============================================
|
||||
init_daemon_domain(wmt_loader)
|
||||
|
||||
allow wmt_loader self:capability { chown dac_override };
|
||||
#allow wmt_loader self:capability { chown dac_override };
|
||||
|
||||
# Set the property
|
||||
set_prop(wmt_loader, wmt_prop)
|
||||
|
||||
@ -90,7 +90,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms;
|
||||
allow aee_aed tombstone_data_file:file create_file_perms;
|
||||
|
||||
# /proc/pid/
|
||||
allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
|
||||
#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
|
||||
|
||||
# system(cmd) aee_dumpstate aee_archive
|
||||
allow aee_aed shell_exec:file rx_file_perms;
|
||||
|
||||
@ -39,7 +39,7 @@ allow audiocmdservice_atci media_rw_data_file:file create_file_perms;
|
||||
allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow audiocmdservice_atci self:capability { dac_override sys_nice fowner chown fsetid setuid ipc_lock net_admin};
|
||||
allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin};
|
||||
')
|
||||
|
||||
#audio-daemon needs to controlled from adb shell by AudioTuningTool
|
||||
|
||||
@ -21,7 +21,7 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms;
|
||||
# For IPC communication
|
||||
allow boot_logo_updater init:unix_stream_socket connectto;
|
||||
allow boot_logo_updater property_socket:sock_file write;
|
||||
allow boot_logo_updater self:capability dac_override;
|
||||
#allow boot_logo_updater self:capability dac_override;
|
||||
# To access some boot_mode infornation
|
||||
allow boot_logo_updater sysfs:file rw_file_perms;
|
||||
# To access directory /dev/block/mmcblk0 or /dev/block/sdc
|
||||
|
||||
@ -36,7 +36,7 @@ allow em_svr graphics_device:dir search;
|
||||
allow em_svr radio_data_file:dir { search write add_name create };
|
||||
allow em_svr radio_data_file:file { create write open read };
|
||||
allow em_svr sysfs_devices_system_cpu:file write;
|
||||
allow em_svr self:capability { dac_override sys_nice fowner chown fsetid };
|
||||
#allow em_svr self:capability { dac_override sys_nice fowner chown fsetid };
|
||||
allow em_svr self:process execmem;
|
||||
allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open };
|
||||
allow em_svr kernel:system module_request;
|
||||
|
||||
@ -19,7 +19,7 @@ allow factory kernel:system module_request;
|
||||
allow factory node:tcp_socket node_bind;
|
||||
allow factory userdata_block_device:blk_file rw_file_perms;
|
||||
allow factory port:tcp_socket { name_bind name_connect };
|
||||
allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time sys_boot sys_admin };
|
||||
#allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time sys_boot sys_admin };
|
||||
allow factory sdcard_type:dir r_dir_perms;
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow factory self:netlink_route_socket create_socket_perms;
|
||||
|
||||
@ -47,4 +47,4 @@ allow fuelgauged_static system_data_file:dir rw_dir_perms;
|
||||
allow fuelgauged_static rootfs:file entrypoint;
|
||||
|
||||
# Data : WK16.39
|
||||
allow fuelgauged_static self:capability { chown fsetid dac_override };
|
||||
#allow fuelgauged_static self:capability { chown fsetid dac_override };
|
||||
|
||||
@ -28,7 +28,7 @@ allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
|
||||
allow kisd key_install_data_file:dir {write remove_name add_name};
|
||||
allow kisd key_install_data_file:file {write getattr read create unlink open};
|
||||
allow kisd key_install_data_file:dir search;
|
||||
allow kisd self:capability {dac_override dac_read_search};
|
||||
#allow kisd self:capability {dac_override dac_read_search};
|
||||
allow kisd mtd_device:chr_file { open read write };
|
||||
allow kisd mtd_device:dir { search };
|
||||
allow kisd kb_block_device:chr_file {read write open ioctl getattr};
|
||||
|
||||
@ -21,7 +21,7 @@ init_daemon_domain(meta_tst)
|
||||
#============= meta_tst =========================
|
||||
|
||||
allow meta_tst port:tcp_socket { name_connect name_bind };
|
||||
allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };
|
||||
#allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };
|
||||
allow meta_tst self:tcp_socket { create connect setopt bind };
|
||||
allow meta_tst self:tcp_socket { bind setopt listen accept read write };
|
||||
allow meta_tst self:udp_socket { create ioctl };
|
||||
@ -29,7 +29,7 @@ allow meta_tst self:capability { sys_boot ipc_lock };
|
||||
allow meta_tst sysfs_wake_lock:file rw_file_perms;
|
||||
#allow meta_tst sysfs:file write;
|
||||
allow meta_tst property_socket:sock_file w_file_perms;
|
||||
allow meta_tst vold_socket:sock_file w_file_perms;
|
||||
#allow meta_tst vold_socket:sock_file w_file_perms;
|
||||
allow meta_tst init:unix_stream_socket connectto;
|
||||
allow meta_tst kisd:unix_stream_socket connectto;
|
||||
allow meta_tst vold:unix_stream_socket connectto;
|
||||
|
||||
@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop)
|
||||
unix_socket_connect(mobile_log_d, logdr, logd);
|
||||
|
||||
#capability
|
||||
allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid };
|
||||
#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid };
|
||||
allow mobile_log_d self:capability2 syslog;
|
||||
|
||||
#aee mode switch
|
||||
|
||||
@ -16,7 +16,7 @@ allow ppp property_socket:sock_file write;
|
||||
# Purpose: for PPPOE Test
|
||||
|
||||
allow ppp devpts:chr_file { read write ioctl open setattr };
|
||||
allow ppp self:capability { setuid net_raw setgid dac_override };
|
||||
#allow ppp self:capability { setuid net_raw setgid dac_override };
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow ppp self:packet_socket { write ioctl setopt read bind create };
|
||||
allow ppp shell_exec:file { read execute open execute_no_trans };
|
||||
|
||||
@ -14,7 +14,7 @@ typeattribute storagemanagerd coredomain;
|
||||
|
||||
init_daemon_domain(storagemanagerd)
|
||||
|
||||
unix_socket_connect(storagemanagerd, vold, vold)
|
||||
#unix_socket_connect(storagemanagerd, vold, vold)
|
||||
|
||||
# storagemanagerd sends information back to dumpstate when "adb bugreport" is used
|
||||
allow storagemanagerd dumpstate:fd use;
|
||||
|
||||
@ -2551,8 +2551,6 @@
|
||||
(roletype object_r debugfs_usb20_phy)
|
||||
(type debugfs_dynamic_debug)
|
||||
(roletype object_r debugfs_dynamic_debug)
|
||||
(type debugfs_wakeup_sources)
|
||||
(roletype object_r debugfs_wakeup_sources)
|
||||
(type debugfs_shrinker_debug)
|
||||
(roletype object_r debugfs_shrinker_debug)
|
||||
(type debugfs_dmlog_debug)
|
||||
@ -10308,7 +10306,7 @@
|
||||
(allow epdg_wod self (tun_socket (create relabelfrom relabelto)))
|
||||
(allow epdg_wod tun_device_26_0 (chr_file (ioctl read write getattr open)))
|
||||
(allow epdg_wod self (netlink_route_socket (read write create getattr bind setopt nlmsg_read nlmsg_write)))
|
||||
(allow epdg_wod self (capability (dac_override kill net_admin)))
|
||||
(allow epdg_wod self (capability (kill net_admin)))
|
||||
(allow epdg_wod ipsec_exec (file (read getattr execute execute_no_trans open)))
|
||||
(allow epdg_wod ipsec (process (sigkill signull signal)))
|
||||
(allow epdg_wod init_26_0 (unix_stream_socket (connectto)))
|
||||
@ -10349,7 +10347,7 @@
|
||||
(allow ipsec epdg_wod (fd (use)))
|
||||
(allow ipsec charon_exec (file (execute_no_trans)))
|
||||
(allow ipsec fwmarkd_socket_26_0 (sock_file (write)))
|
||||
(allow ipsec self (capability (dac_override kill net_bind_service net_admin)))
|
||||
(allow ipsec self (capability (kill net_bind_service net_admin)))
|
||||
(allow ipsec self (tcp_socket (read write create getattr connect getopt)))
|
||||
(allow ipsec self (udp_socket (read write create bind setopt)))
|
||||
(allow ipsec self (netlink_route_socket (read write create bind nlmsg_read nlmsg_write)))
|
||||
@ -10579,7 +10577,6 @@
|
||||
(allow wfca volte_ua (fd (use)))
|
||||
(allow wfca volte_ua (udp_socket (read write getattr getopt setopt shutdown)))
|
||||
(allow wfca self (packet_socket (read create setopt)))
|
||||
(allow wfca self (capability (dac_override)))
|
||||
(allow wfca self (capability2 (block_suspend)))
|
||||
(allow wfca netd_26_0 (unix_stream_socket (connectto)))
|
||||
(allow wfca netd_socket_26_0 (sock_file (write)))
|
||||
|
||||
@ -90,7 +90,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms;
|
||||
allow aee_aed tombstone_data_file:file create_file_perms;
|
||||
|
||||
# /proc/pid/
|
||||
allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module};
|
||||
#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module};
|
||||
|
||||
# system(cmd) aee_dumpstate aee_archive
|
||||
allow aee_aed shell_exec:file rx_file_perms;
|
||||
|
||||
@ -39,7 +39,7 @@ allow audiocmdservice_atci media_rw_data_file:file create_file_perms;
|
||||
allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow audiocmdservice_atci self:capability { dac_override sys_nice fowner chown fsetid setuid ipc_lock net_admin};
|
||||
allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin};
|
||||
')
|
||||
|
||||
#audio-daemon needs to controlled from adb shell by AudioTuningTool
|
||||
|
||||
@ -21,7 +21,7 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms;
|
||||
# For IPC communication
|
||||
allow boot_logo_updater init:unix_stream_socket connectto;
|
||||
allow boot_logo_updater property_socket:sock_file write;
|
||||
allow boot_logo_updater self:capability dac_override;
|
||||
#allow boot_logo_updater self:capability dac_override;
|
||||
# To access some boot_mode infornation
|
||||
allow boot_logo_updater sysfs:file rw_file_perms;
|
||||
# To access directory /dev/block/mmcblk0 or /dev/block/sdc
|
||||
|
||||
@ -36,7 +36,7 @@ allow em_svr graphics_device:dir search;
|
||||
allow em_svr radio_data_file:dir { search write add_name create };
|
||||
allow em_svr radio_data_file:file { create write open read };
|
||||
allow em_svr sysfs_devices_system_cpu:file write;
|
||||
allow em_svr self:capability { dac_override sys_nice fowner chown fsetid };
|
||||
#allow em_svr self:capability { dac_override sys_nice fowner chown fsetid };
|
||||
allow em_svr self:process execmem;
|
||||
allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open };
|
||||
allow em_svr kernel:system module_request;
|
||||
|
||||
@ -18,7 +18,7 @@ allow factory init:unix_stream_socket connectto;
|
||||
allow factory kernel:system module_request;
|
||||
allow factory node:tcp_socket node_bind;
|
||||
allow factory userdata_block_device:blk_file rw_file_perms;
|
||||
allow factory port:tcp_socket { name_bind name_connect };
|
||||
#allow factory port:tcp_socket { name_bind name_connect };
|
||||
allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time sys_boot sys_admin };
|
||||
allow factory sdcard_type:dir r_dir_perms;
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
|
||||
@ -47,4 +47,4 @@ allow fuelgauged_static system_data_file:dir rw_dir_perms;
|
||||
allow fuelgauged_static rootfs:file entrypoint;
|
||||
|
||||
# Data : WK16.39
|
||||
allow fuelgauged_static self:capability { chown fsetid dac_override };
|
||||
#allow fuelgauged_static self:capability { chown fsetid dac_override };
|
||||
|
||||
@ -26,7 +26,7 @@ allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
|
||||
allow kisd key_install_data_file:dir {write remove_name add_name};
|
||||
allow kisd key_install_data_file:file {write getattr read create unlink open};
|
||||
allow kisd key_install_data_file:dir search;
|
||||
allow kisd self:capability {dac_override dac_read_search};
|
||||
#allow kisd self:capability {dac_override dac_read_search};
|
||||
allow kisd mtd_device:chr_file { open read write };
|
||||
allow kisd mtd_device:dir { search };
|
||||
allow kisd kb_block_device:chr_file {read write open ioctl getattr};
|
||||
|
||||
@ -21,7 +21,7 @@ init_daemon_domain(meta_tst)
|
||||
#============= meta_tst =========================
|
||||
|
||||
allow meta_tst port:tcp_socket { name_connect name_bind };
|
||||
allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };
|
||||
#allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };
|
||||
allow meta_tst self:tcp_socket { create connect setopt bind };
|
||||
allow meta_tst self:tcp_socket { bind setopt listen accept read write };
|
||||
allow meta_tst self:udp_socket { create ioctl };
|
||||
@ -29,7 +29,7 @@ allow meta_tst self:capability { sys_boot ipc_lock };
|
||||
allow meta_tst sysfs_wake_lock:file rw_file_perms;
|
||||
#allow meta_tst sysfs:file write;
|
||||
allow meta_tst property_socket:sock_file w_file_perms;
|
||||
allow meta_tst vold_socket:sock_file w_file_perms;
|
||||
#allow meta_tst vold_socket:sock_file w_file_perms;
|
||||
allow meta_tst init:unix_stream_socket connectto;
|
||||
allow meta_tst kisd:unix_stream_socket connectto;
|
||||
allow meta_tst vold:unix_stream_socket connectto;
|
||||
|
||||
@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop)
|
||||
unix_socket_connect(mobile_log_d, logdr, logd);
|
||||
|
||||
#capability
|
||||
allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid };
|
||||
#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid };
|
||||
allow mobile_log_d self:capability2 syslog;
|
||||
|
||||
#aee mode switch
|
||||
|
||||
@ -16,7 +16,7 @@ allow ppp property_socket:sock_file write;
|
||||
# Purpose: for PPPOE Test
|
||||
|
||||
allow ppp devpts:chr_file { read write ioctl open setattr };
|
||||
allow ppp self:capability { setuid net_raw setgid dac_override };
|
||||
#allow ppp self:capability { setuid net_raw setgid dac_override };
|
||||
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
|
||||
#allow ppp self:packet_socket { write ioctl setopt read bind create };
|
||||
allow ppp shell_exec:file { read execute open execute_no_trans };
|
||||
|
||||
@ -14,7 +14,7 @@ typeattribute storagemanagerd coredomain;
|
||||
|
||||
init_daemon_domain(storagemanagerd)
|
||||
|
||||
unix_socket_connect(storagemanagerd, vold, vold)
|
||||
#unix_socket_connect(storagemanagerd, vold, vold)
|
||||
|
||||
# storagemanagerd sends information back to dumpstate when "adb bugreport" is used
|
||||
allow storagemanagerd dumpstate:fd use;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user