/dev/tee* are accessed by domains that interact with TEE and thus
require access to them too.
Test: Boot and observe that denials are not visible in logs anymore
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I7b0944a1063da8561d2928e4110674ce4845ecea
TEE stores its file in /data/vendor/thh/. Allow it required permissions
to do so.
Denials observed without this change:
12-28 16:42:11.556 416 416 I teei_daemon: type=1400 audit(0.0:394): avc: denied { open } for path="/data/vendor/thh/7778c03fc30c4dd0a319ea29643d4d4b." dev="sdc46" ino=2490455 scontext=u:r:tee:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=1
Test: Boot and notice that denials have resolved
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I1a608ebac628c8ce9c35ece1566e049236321a4b
/dev/*rpmb* devices are accessed by tee. Label it and allow tee required
permissions to manage it.
Denial observed without this change:
[ 46.559953] .(2)[399:logd.auditd]type=1400 audit(1609128921.644:391): avc: denied { ioctl } for comm="teei_daemon" path="/dev/rpmb0" dev="tmpfs" ino=17454 ioctlcmd=0x6 scontext=u:r:init:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and observe that denial no longer appears
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I3499e2a3ba177b8e69d8cdbb76939daf3f8bbc7b
/dev/ut_keymaster is used by keymaster. Label it and allow relevant permissions
which domains using it (vold, tee and keymaster) requires.
Denial observed without this change:
[ 46.666247] .(2)[399:logd.auditd]type=1400 audit(1609128921.744:392): avc: denied { ioctl } for comm="keymaster@3.0-s" path="/dev/ut_keymaster" dev="tmpfs" ino=17464 ioctlcmd=0x5402 scontext=u:r:hal_keymaster_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice that denial no longer appears
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Iee0126d637a139397db8857d8a780277c3ea4576
/dev/teei_fp is used by fingerprint to communicate with Microtrust TEE drivers to
store fingerprint data on the device. Label it and allow relevant source required
permissions.
Denial observed without this change:
[ 17.672144] .(4)[397:logd.auditd]type=1400 audit(1608975801.860:326): avc: denied { ioctl } for comm="fingerprint@2.1" path="/dev/teei_fp" dev="tmpfs" ino=15742 ioctlcmd=0x5402 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice denials have disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I8a7445400be241e81f8bf21347967b85381ed3ec
Thermal binary is used to load, throttle, manage thermal profiles on MediaTek devices.
Label it and grant required permissions for it to operate without any issues.
Test: Boot and notice thermal has now a proper domain and works without an issues
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Ibbc7e0ce907cd5eedd7826c658e7ef9c2d7a907d
CONNAC is MediaTek's Connectivity Combo Chip Driver, generate sysfs_net
context for it
Denial observed without this change:
[ 59.165685] .(2)[399:logd.auditd]type=1400 audit(1609128934.244:404): avc: denied { open } for comm="Binder:4098_1" path="/sys/devices/platform/CONNAC/net/wlan0/address" dev="sysfs" ino=43157 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.gms
Test: Boot and notice that path now has a proper context
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I0c76124e953b80d06714340ab4413eee84e6f2ef
Camera data files are store in /data/vendor/camera/ by camera hal on
treble devices. Label and allow mtk_hal_camera to manage it.
Denial observed without this change:
[ 17.686535] .(4)[399:logd.auditd]type=1400 audit(1609114842.280:303): avc: denied { getattr } for comm="camerahalserver" path="/data/vendor/camera/back_dual_camera_caldata_wt.bin" dev="sdc46" ino=2490446 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=file permissive=1
Test: Boot and notice denial has disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I98d0ddcce95cccdb9e86c4d36cb692e1f1ff41cb
During init, vold needs rw permissions in order to manage block devices.
This change allows the required permissions.
Denial observed without this change:
[ 7.574441] .(1)[397:logd.auditd]type=1400 audit(1608975791.836:9): avc: denied { write } for comm="Binder:379_2" name="uevent" dev="sysfs" ino=35884 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_mmcblk:s0 tclass=file permissive=1
Test: Boot and observe that denial has disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I3fa256cf5957f0af3fa2628833820f0f9fcf298b
DSBP property is set by multiple mediatek devices to declare support
for the same. It is already labeled in property_contexts but seems to
missing permission for vendor_init to actually set it.
Denial observed without this change:
[ 4.713173] .(7)[1:init]selinux: avc: denied { set } for property=persist.vendor.radio.mtk_dsbp_support pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:mtk_dsbp_support_prop:s0 tclass=property_service permissive=1\x0a
Test: Boot and observe that propery is set without any denial
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I0cc0c2cadbf9edb3fb205b9e52074f852fe08658
wlan driver/fw version are set at property at enforcing mode.
Add rules to allow to set wlan driver/fw version info
CRs-Fixed: 2460816
Change-Id: Ic0bb570cd53fe450512496c5864f432ce3219bbe
Missing newline causes compile-time error when sepolicy squashes all given
service-contexts into single file to pack into the build. This change
fixes that issue.
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
These types are already defined in system/sepolicy and gives compile-time
errors. Remove them to resolve the issues.
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
[Detail]
The mode of sepolicy files should be -rw-r--r--,
and the type should be ASCII text with Unix/Linux format.
[Solution]
1.Use chmod 0644 to change sepolicy files mode.
2.Use iconv -t ASCII and dos2unix to change sepolicy files
type and format.
MTK-Commit-Id: ee386fd7ca89105f70b96f6b58c5f0e372fe9a4b
Change-Id: Iac13b1ea8a4546168f68a7918acdcdb0588f6630
CR-Id: ALPS04968083
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
BASIC and BSP project should have same sepolicies in basic/.
[Solution]
1.Modify SEPolicies in non_plat/ by comparing with r_non_plat/ .
2.Remove r_non_plat/ .
Change-Id: I24d3df00255779bd73f4075c1c4062176d5b6047
CR-Id: ALPS05009976
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Add permission to concurrency_scenario node for mediacodec
MTK-Commit-Id: df9f4afc7ecdf7a62b3bd7b79de24d2cde4ebd6a
Change-Id: I3b98ddd5d5b28c9f8f46df1a5089088edc5e4991
CR-Id: ALPS04925594
Feature: DRAM
[Detail]
set the same as trusty-ipc-dev0
MTK-Commit-Id: e5f995940b04d6bfde3760214f560d7458012700
Change-Id: I2cd96a5f196e3b1f7987e2b44ca708462e03ad06
CR-Id: ALPS04859387
Feature: GenieZone
Signed-off-by: Nixy Hsu <nixy.hsu@mediatek.com>
AEE_Warning Infinite-loop due to bootanim se_linux warning
System is in the terrible slow status, it is always reproduce
and cannot be recover when restarting system
MTK-Commit-Id: 4b2baa60941648e69063ecad0018e9c91c71253c
Change-Id: Ib80ee53ae09de42439a1851008a9884c006b707e
CR-Id: ALPS04888892
Feature: Boot Animation
[Detail]
Add selinux policy for gpuservice for gts issue
GtsGraphicsHostTestCases---com.google.android.graphics.gts.VulkanTest#checkVulkan1_1Requirements
This reverts commit b36a0ce9d20b7e39b4c932335842a861b00f676e.
Reason for revert: The GTS fail is not caused by sepolicy.
MTK-Commit-Id: 11cd557fb681b511edfbbf9bd363d75856a7dc2d
Change-Id: Iae1618bf7d91b324444affd3b11037a0340fc369
Feature: Vulkan
CR-Id: ALPS04870741
Because teei_client_device and mobicore_user_device belong to BSP project,
we need to move SELinux sepolicy from BASIC to BSP project as well.
MTK-Commit-Id: f33102728ebc2c0969605800d73558741c3f0732
Change-Id: Ib9f8a68bde615593d971220655edb3bb9e83e3af
CR-Id: ALPS04879324
Feature: Secure Facial Recognition - 2D Sensor
