diff --git a/non_plat/aee_aed.te b/non_plat/aee_aed.te
index 4e0a8a2..c845ce2 100644
--- a/non_plat/aee_aed.te
+++ b/non_plat/aee_aed.te
@@ -11,7 +11,6 @@
 allow aee_aed aed_device:chr_file rw_file_perms;
 allow aee_aed expdb_device:chr_file rw_file_perms;
 allow aee_aed expdb_block_device:blk_file rw_file_perms;
-allow aee_aed bootdevice_block_device:blk_file rw_file_perms;
 allow aee_aed etb_device:chr_file rw_file_perms;
 # open/dev/mtd/mtd12 failed(expdb)
diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te
index 3793d2e..267e358 100644
--- a/non_plat/aee_aedv.te
+++ b/non_plat/aee_aedv.te
@@ -5,6 +5,13 @@
 # MTK Policy Rule
 # ==============================================
+type aee_aedv, domain;
+
+type aee_aedv_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_aedv mlstrustedsubject;
+
+init_daemon_domain(aee_aedv)
+
 # Date : WK14.32
 # Operation : AEE UT
@@ -18,17 +25,9 @@ allow aee_aedv etb_device:chr_file rw_file_perms;
 # AED start: /dev/block/expdb
 allow aee_aedv block_device:dir search;
-# open/dev/mtd/mtd12 failed(expdb)
-allow aee_aedv mtd_device:dir create_dir_perms;
-allow aee_aedv mtd_device:chr_file rw_file_perms;
-
 # NE flow: /dev/RT_Monitor
 allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
-# aee db dir and db files
-allow aee_aedv sdcard_type:dir create_dir_perms;
-allow aee_aedv sdcard_type:file create_file_perms;
-
 #data/aee_exp
 allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
 allow aee_aedv aee_exp_vendor_file:file create_file_perms;
@@ -51,13 +50,6 @@ allow aee_aedv domain:lnk_file getattr;
 #core-pattern
 allow aee_aedv usermodehelper:file r_file_perms;
-#property
-allow aee_aedv init:unix_stream_socket connectto;
-allow aee_aedv property_socket:sock_file write;
-
-allow aee_aedv init:process getsched;
-allow aee_aedv kernel:process getsched;
-
 # Date: W15.34
 # Operation: Migration
 # Purpose: For pagemap & pageflags information in NE DB
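Review bot: The declaration block inserted after `# MTK Policy Rule` in non_plat/aee_aedv.te carries `typeattribute aee_aedv mlstrustedsubject;` with no comment saying why this daemon has to bypass MLS constraints, whereas the other additions in this commit (file.te, genfs_contexts) each get a Date/Purpose header. A line such as `# mlstrustedsubject: required to reach MLS-constrained objects — confirm which ones` above it would let a later reviewer judge whether the attribute can be dropped. Moving `type aee_aedv, domain;` out of plat_public into non_plat also takes the type out of the platform-visible policy, so any remaining plat_private rule that names aee_aedv would stop compiling; that is worth a search before merging. The block also lands between the banner and the `# Date : WK14.32` header; giving it its own `# Type Declaration` banner, as the deleted plat_private file had, keeps the file layout consistent.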
@@ -283,7 +275,8 @@ allow aee_aedv debugfs_dynamic_debug:file r_file_perms;
 # [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
 # for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
 # tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
-allow aee_aedv sysfs:file { r_file_perms write };
+allow aee_aedv sysfs:file r_file_perms;
+allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms;
 # Purpose: Allow aee_aedv to use HwBinder IPC.
 hwbinder_use(aee_aedv)
diff --git a/non_plat/aee_core_forwarder.te b/non_plat/aee_core_forwarder.te
index 2a6d951..43e97fe 100644
--- a/non_plat/aee_core_forwarder.te
+++ b/non_plat/aee_core_forwarder.te
@@ -7,12 +7,12 @@ allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
 allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
-allow aee_core_forwarder hwservicemanager_prop:file { read open getattr };
+get_prop(aee_core_forwarder, hwservicemanager_prop)
 # Date: 2019/06/14
 # Operation : Migration
 # Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
 wakelock_use(aee_core_forwarder)
 allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
-allow aee_core_forwarder aee_core_data_file:dir read;
+allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
 hwbinder_use(aee_core_forwarder)
diff --git a/non_plat/file.te b/non_plat/file.te
index 411f14f..ab973a7 100644
--- a/non_plat/file.te
+++ b/non_plat/file.te
@@ -427,3 +427,7 @@ type sysfs_pages_shared, fs_type, sysfs_type;
 type sysfs_pages_sharing, fs_type, sysfs_type;
 type sysfs_pages_unshared, fs_type, sysfs_type;
 type sysfs_pages_volatile, fs_type, sysfs_type;
+
+# Date : 2019/10/22
+# Purpose : allow aee_aedv write /sys/module/mrdump/parameters/lbaooo
+type sysfs_mrdump_lbaooo, fs_type, sysfs_type;
diff --git a/non_plat/genfs_contexts b/non_plat/genfs_contexts
index b10d6ec..65fc010 100644
--- a/non_plat/genfs_contexts
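Review bot: Replacing `allow aee_aedv sysfs:file { r_file_perms write };` with `allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms;` drops read and getattr on the lbaooo node, because the genfscon entry in this commit relabels it away from `sysfs` and w_file_perms (open, append, write, lock, map in AOSP's global_macros) carries neither; if mrdump_tool opens the parameter read-write or stats it, that access is now denied unless some other sysfs_type rule covers it. Check a denial log before widening; if it is needed, `allow aee_aedv sysfs_mrdump_lbaooo:file { getattr open write };` is tighter than rw_file_perms, and if only the write is needed, `{ open write }` is the minimal set since a module-parameter write does not need append, lock or map. The new rule also has no comment of its own: the three quoted avc lines above describe only the atag,devinfo read, so a line like `# write /sys/module/mrdump/parameters/lbaooo (see file.te / genfs_contexts, 2019/10/22)` would tie the rule to its purpose.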
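Review bot: `allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;` widens the old `read` to the whole r_dir_perms set (open, getattr, search, ioctl, lock) with no comment recording which denial required it; a note in the style the file already uses for the wakelock change, e.g. `# Purpose : <denied permissions on aee_core_data_file:dir — TODO paste avc line>`, would make the broadening traceable. The switch from the raw `hwservicemanager_prop:file` rule to `get_prop(aee_core_forwarder, hwservicemanager_prop)` is the right direction, since the macro carries exactly the permissions property reads need.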
+++ b/non_plat/genfs_contexts
@@ -167,6 +167,10 @@ genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc
 genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
 genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0
+# Date : 2019/10/22
+# Purpose : mrdump_tool(copy_process by aee_aedv) need to write data to lbaooo
+genfscon sysfs /module/mrdump/parameters/lbaooo u:object_r:sysfs_mrdump_lbaooo:s0
+
 #############################
 # debugfs files
 #
diff --git a/plat_private/vendor_shell.te b/non_plat/vendor_shell.te
similarity index 100%
rename from plat_private/vendor_shell.te
rename to non_plat/vendor_shell.te
diff --git a/plat_private/aee_aed.te b/plat_private/aee_aed.te
index fe92aa0..6665088 100644
--- a/plat_private/aee_aed.te
+++ b/plat_private/aee_aed.te
@@ -34,10 +34,6 @@ allow aee_aed usermodehelper:file r_file_perms;
 #suid_dumpable. this is neverallow
 #allow aee_aed proc_security:file r_file_perms;
-#property
-allow aee_aed init:unix_stream_socket connectto;
-allow aee_aed property_socket:sock_file write;
-
 #allow aee_aed call binaries labeled "system_file" under /system/bin/
 allow aee_aed system_file:file execute_no_trans;
@@ -58,10 +54,6 @@ allow aee_aed system_data_file:file r_file_perms;
 # Purpose: allow aee_aed to access toolbox
 allow aee_aed toolbox_exec:file rx_file_perms;
-# purpose: allow aee_aed to access storage on N version
-allow aee_aed media_rw_data_file:file { create_file_perms };
-allow aee_aed media_rw_data_file:dir { create_dir_perms };
-
 # Purpose: mnt/user/*
 allow aee_aed mnt_user_file:dir search;
 allow aee_aed mnt_user_file:lnk_file read;
diff --git a/plat_private/aee_aedv.te b/plat_private/aee_aedv.te
deleted file mode 100644
index c5f82da..0000000
--- a/plat_private/aee_aedv.te
+++ /dev/null
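Review bot: The new `genfscon sysfs /module/mrdump/parameters/lbaooo` entry gives the node a dedicated label, but because `sysfs_mrdump_lbaooo` is declared with the `sysfs_type` attribute in file.te, any existing rule that grants write on `sysfs_type:file` still reaches it; the label only narrows who can write lbaooo if no such attribute-wide rule exists in this policy, which is worth confirming on the built policy (e.g. with sesearch) rather than assuming. The Purpose comment reads awkwardly and "copy_process" is the kernel fork routine rather than a description; `# Purpose : mrdump_tool (forked by aee_aedv) needs to write /sys/module/mrdump/parameters/lbaooo` would say the same thing plainly. The genfscon path is matched as a prefix under the sysfs root, so the entry as written also covers anything created beneath that path, which is fine for a leaf parameter file but should be kept in mind if the path is ever shortened.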
@@ -1,9 +0,0 @@
-# =============================================+
-# Type Declaration
-# ==============================================
-
-type aee_aedv_exec, exec_type, file_type, vendor_file_type;
-typeattribute aee_aedv mlstrustedsubject;
-
-init_daemon_domain(aee_aedv)
-
diff --git a/plat_public/aee_aedv.te b/plat_public/aee_aedv.te
deleted file mode 100644
index fe413f8..0000000
--- a/plat_public/aee_aedv.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# ==============================================
-# Type Declaration
-# ==============================================
-type aee_aedv, domain;