[ALPS04758557] fix aee high risk rules

1. fix some aee high risk rules MTK-Commit-Id: 4031a4610757debf0aa0de48408c72517fd61bcb Change-Id: I637d723cba54ba7119d15617bd2935a4b00dd6c5 CR-Id: ALPS04758557 Feature: Android Exception Engine(AEE)
2020-01-18 10:21:37 +08:00 · 2020-01-18 10:21:37 +08:00 · cd6459c6ee
commit cd6459c6ee
parent 31121b1e5d
9 changed files with 19 additions and 40 deletions
--- a/non_plat/aee_aed.te
+++ b/non_plat/aee_aed.te
@ -11,7 +11,6 @@
 allow aee_aed aed_device:chr_file rw_file_perms;
 allow aee_aed expdb_device:chr_file rw_file_perms;
 allow aee_aed expdb_block_device:blk_file rw_file_perms;
-allow aee_aed bootdevice_block_device:blk_file rw_file_perms;
 allow aee_aed etb_device:chr_file rw_file_perms;

 # open/dev/mtd/mtd12 failed(expdb)
--- a/non_plat/aee_aedv.te
+++ b/non_plat/aee_aedv.te
@ -5,6 +5,13 @@
 # MTK Policy Rule
 # ==============================================

+type aee_aedv, domain;
+
+type aee_aedv_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_aedv mlstrustedsubject;
+
+init_daemon_domain(aee_aedv)
+

 # Date : WK14.32
 # Operation : AEE UT
@ -18,17 +25,9 @@ allow aee_aedv etb_device:chr_file rw_file_perms;
 # AED start: /dev/block/expdb
 allow aee_aedv block_device:dir search;

-# open/dev/mtd/mtd12 failed(expdb)
-allow aee_aedv mtd_device:dir create_dir_perms;
-allow aee_aedv mtd_device:chr_file rw_file_perms;
-
 # NE flow: /dev/RT_Monitor
 allow aee_aedv RT_Monitor_device:chr_file r_file_perms;

-# aee db dir and db files
-allow aee_aedv sdcard_type:dir create_dir_perms;
-allow aee_aedv sdcard_type:file create_file_perms;
-
 #data/aee_exp
 allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
 allow aee_aedv aee_exp_vendor_file:file create_file_perms;
@ -51,13 +50,6 @@ allow aee_aedv domain:lnk_file getattr;
 #core-pattern
 allow aee_aedv usermodehelper:file r_file_perms;

-#property
-allow aee_aedv init:unix_stream_socket connectto;
-allow aee_aedv property_socket:sock_file write;
-
-allow aee_aedv init:process getsched;
-allow aee_aedv kernel:process getsched;
-
 # Date: W15.34
 # Operation: Migration
 # Purpose: For pagemap & pageflags information in NE DB
@ -283,7 +275,8 @@ allow aee_aedv debugfs_dynamic_debug:file r_file_perms;
 # [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
 # for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
 # tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
-allow aee_aedv sysfs:file { r_file_perms write };
+allow aee_aedv sysfs:file r_file_perms;
+allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms;

 # Purpose: Allow aee_aedv to use HwBinder IPC.
 hwbinder_use(aee_aedv)
--- a/non_plat/aee_core_forwarder.te
+++ b/non_plat/aee_core_forwarder.te
@ -7,12 +7,12 @@

 allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
 allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
-allow aee_core_forwarder hwservicemanager_prop:file { read open getattr };
+get_prop(aee_core_forwarder, hwservicemanager_prop)

 # Date: 2019/06/14
 # Operation : Migration
 # Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
 wakelock_use(aee_core_forwarder)
 allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
-allow aee_core_forwarder aee_core_data_file:dir read;
+allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
 hwbinder_use(aee_core_forwarder)
--- a/non_plat/file.te
+++ b/non_plat/file.te
@ -427,3 +427,7 @@ type sysfs_pages_shared, fs_type, sysfs_type;
 type sysfs_pages_sharing, fs_type, sysfs_type;
 type sysfs_pages_unshared, fs_type, sysfs_type;
 type sysfs_pages_volatile, fs_type, sysfs_type;
+
+# Date : 2019/10/22
+# Purpose : allow aee_aedv write /sys/module/mrdump/parameters/lbaooo
+type sysfs_mrdump_lbaooo, fs_type, sysfs_type;
--- a/non_plat/genfs_contexts
+++ b/non_plat/genfs_contexts
@ -167,6 +167,10 @@ genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc
 genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
 genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0

+# Date : 2019/10/22
+# Purpose : mrdump_tool(copy_process by aee_aedv) need to write data to lbaooo
+genfscon sysfs /module/mrdump/parameters/lbaooo u:object_r:sysfs_mrdump_lbaooo:s0
+
 #############################
 # debugfs files
 #
--- a/plat_private/vendor_shell.te
+++ b/plat_private/vendor_shell.te
--- a/plat_private/aee_aed.te
+++ b/plat_private/aee_aed.te
@ -34,10 +34,6 @@ allow aee_aed usermodehelper:file r_file_perms;
 #suid_dumpable. this is neverallow
 #allow aee_aed proc_security:file r_file_perms;

-#property
-allow aee_aed init:unix_stream_socket connectto;
-allow aee_aed property_socket:sock_file write;
-
 #allow aee_aed call binaries labeled "system_file" under /system/bin/
 allow aee_aed system_file:file execute_no_trans;

@ -58,10 +54,6 @@ allow aee_aed system_data_file:file r_file_perms;
 # Purpose: allow aee_aed to access toolbox
 allow aee_aed toolbox_exec:file rx_file_perms;

-# purpose: allow aee_aed to access storage on N version
-allow aee_aed media_rw_data_file:file  { create_file_perms };
-allow aee_aed media_rw_data_file:dir { create_dir_perms };
-
 # Purpose: mnt/user/*
 allow aee_aed mnt_user_file:dir search;
 allow aee_aed mnt_user_file:lnk_file read;
--- a/plat_private/aee_aedv.te
+++ b/plat_private/aee_aedv.te
@ -1,9 +0,0 @@
-# =============================================+
-# Type Declaration
-# ==============================================
-
-type aee_aedv_exec, exec_type, file_type, vendor_file_type;
-typeattribute aee_aedv mlstrustedsubject;
-
-init_daemon_domain(aee_aedv)
-
--- a/plat_public/aee_aedv.te
+++ b/plat_public/aee_aedv.te
@ -1,4 +0,0 @@
-# ==============================================
-# Type Declaration
-# ==============================================
-type aee_aedv, domain;