From c947a234d9b9ac7d1f2f0d5ffb626124c1ae27a5 Mon Sep 17 00:00:00 2001
From: Ian-Y Chen
Date: Sat, 18 Jan 2020 10:20:20 +0800
Subject: [PATCH] [ALPS04760762] power: remove high risk policy
[Detail] Remove procfs and sysfs root permission
MTK-Commit-Id: 1af6e86e9f71ef919ec46a7eda2f2901a5c63a80
Change-Id: I3ddea266511017eba1b51d7879be3a5a81b497e6
CR-Id: ALPS04760762
Feature: [Module]PowerHAL
---
 non_plat/file.te | 13 ++++++++++++-
 non_plat/genfs_contexts | 13 ++++++++++++-
 non_plat/mtk_hal_power.te | 22 +++++++++++++++++-----
 3 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/non_plat/file.te b/non_plat/file.te
index b1e5760..8750284 100644
--- a/non_plat/file.te
+++ b/non_plat/file.te
@@ -392,4 +392,15 @@ type mtee_trusty_file, fs_type, sysfs_type;
 # Date : 2019/08/29
 # Purpose: Allow rild access proc/aed/reboot-reason
-type proc_aed_reboot_reason, fs_type, proc_type;
\ No newline at end of file
+type proc_aed_reboot_reason, fs_type, proc_type;
+
+# Date : 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+type proc_ppm, fs_type, proc_type;
+type proc_cpufreq, fs_type, proc_type;
+type proc_hps, fs_type, proc_type;
+type proc_cm_mgr, fs_type, proc_type;
+type proc_ca_drv, fs_type, proc_type;
+type sysfs_ged, fs_type, sysfs_type;
+type sysfs_fbt_cpu, fs_type, sysfs_type;
+type sysfs_fbt_fteh, fs_type, sysfs_type;
diff --git a/non_plat/genfs_contexts b/non_plat/genfs_contexts
index 1c93c29..4750746 100644
--- a/non_plat/genfs_contexts
+++ b/non_plat/genfs_contexts
@@ -225,4 +225,15 @@ genfscon sysfs /devices/platform/trusty u:object_r:mtee_trusty_file:s0
 # Date : 2019/08/29
 # Purpose: allow rild to access /proc/aed/reboot-reason
-genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0
\ No newline at end of file
+genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0
+
+# 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+genfscon proc /ppm u:object_r:proc_ppm:s0
+genfscon proc /cpufreq u:object_r:proc_cpufreq:s0
+genfscon proc /hps u:object_r:proc_hps:s0
+genfscon proc /cm_mgr u:object_r:proc_cm_mgr:s0
+genfscon proc /ca_drv u:object_r:proc_ca_drv:s0
+genfscon sysfs /module/ged u:object_r:sysfs_ged:s0
+genfscon sysfs /module/fbt_cpu u:object_r:sysfs_fbt_cpu:s0
+genfscon sysfs /module/fbt_fteh u:object_r:sysfs_fbt_fteh:s0
diff --git a/non_plat/mtk_hal_power.te b/non_plat/mtk_hal_power.te
index d987d93..fa52542 100644
--- a/non_plat/mtk_hal_power.te
+++ b/non_plat/mtk_hal_power.te
@@ -18,10 +18,6 @@ allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;
 hal_server_domain(mtk_hal_power, hal_power);
 hal_server_domain(mtk_hal_power, hal_wifi);
-# proc fs
-allow mtk_hal_power proc:dir r_dir_perms;
-allow mtk_hal_power proc:file rw_file_perms;
-
 # sysfs
 allow mtk_hal_power sysfs_devices_system_cpu:file rw_file_perms;
@@ -62,7 +58,6 @@ allow mtk_hal_power mtk_hal_camera:file r_file_perms;
 # Operation: SQC
 # Purpose : Allow powerHAL to access thermal
 allow mtk_hal_power proc_thermal:dir r_dir_perms;
-allow mtk_hal_power sysfs:file rw_file_perms;
 allow mtk_hal_power debugfs_fpsgo:dir r_dir_perms;
 allow mtk_hal_power debugfs_fpsgo:file rw_file_perms;
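Review bot: The eight new `genfscon` entries relabel whole subtrees for every domain, not only for PowerHAL, yet the only rules this patch adds for the new types are for `mtk_hal_power`. Any other domain that reached `/proc/ppm`, `/proc/cpufreq`, `/proc/hps`, `/proc/cm_mgr`, `/proc/ca_drv` or the three `/sys/module/*` directories through the generic `proc` or `sysfs` type will start to be denied; consumers outside this patch are not visible here, so check the rest of the policy and the audit log for them before merging. genfs matching is a plain path-prefix comparison, so `/hps` or `/module/ged` also covers any sibling entry whose name merely starts with that string; a comment above the block saying which nodes each prefix is meant to cover would make the intended scope reviewable. The date line would also read better as `# Date : 2019/09/05`, matching the entry above it.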
@@ -147,3 +142,20 @@ allowxperm mtk_hal_power self:udp_socket ioctl priv_sock_ioctls;
 # Purpose : MTK power hal interface permission
 set_prop(mtk_hal_power, mtk_powerhal_prop)
+# Date : 2019/09/05
+# Operation: SQC
+# Purpose : Add procfs, sysfs policy
+allow mtk_hal_power proc_ppm:dir r_dir_perms;
+allow mtk_hal_power proc_ppm:file rw_file_perms;
+allow mtk_hal_power proc_cpufreq:dir r_dir_perms;
+allow mtk_hal_power proc_cpufreq:file rw_file_perms;
+allow mtk_hal_power proc_hps:dir r_dir_perms;
+allow mtk_hal_power proc_hps:file rw_file_perms;
+allow mtk_hal_power proc_cm_mgr:dir r_dir_perms;
+allow mtk_hal_power proc_cm_mgr:file rw_file_perms;
+allow mtk_hal_power sysfs_ged:dir r_dir_perms;
+allow mtk_hal_power sysfs_ged:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_cpu:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_cpu:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_fteh:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_fteh:file rw_file_perms;
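Review bot: `proc_ca_drv` is declared in file.te and `/proc/ca_drv` is relabelled in genfs_contexts by this same patch, but this block grants `mtk_hal_power` nothing on it, while the blanket `proc:file rw_file_perms` rule that used to cover that path is removed earlier in the file. If PowerHAL still touches `/proc/ca_drv` it will now be denied; add `allow mtk_hal_power proc_ca_drv:dir r_dir_perms;` and `allow mtk_hal_power proc_ca_drv:file rw_file_perms;`, or drop the type and its `genfscon` line if the node is not needed. Every new type here also gets `rw_file_perms` on all files under its prefix; where PowerHAL only reads a node, `r_file_perms` would keep the replacement grant as narrow as the commit title intends, though which nodes are actually written is not visible in this patch.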