/dev/tee* are accessed by domains that interact with TEE and thus
require access to them too.
Test: Boot and observe that denials are not visible in logs anymore
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I7b0944a1063da8561d2928e4110674ce4845ecea
/dev/teei_fp is used by fingerprint to communicate with Microtrust TEE drivers to
store fingerprint data on the device. Label it and allow the relevant source the required
permissions.
Denial observed without this change:
[ 17.672144] .(4)[397:logd.auditd]type=1400 audit(1608975801.860:326): avc: denied { ioctl } for comm="fingerprint@2.1" path="/dev/teei_fp" dev="tmpfs" ino=15742 ioctlcmd=0x5402 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice denials have disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I8a7445400be241e81f8bf21347967b85381ed3ec
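The denial quoted above is the usual starting point for a change like this one: the target is labeled with the generic `device` type (nothing in file_contexts matched `/dev/teei_fp`), so the fix is a label first and an allow rule second, and because the denied permission is `ioctl` with an `ioctlcmd`, Android's ioctl allowlisting (`allowxperm`) is needed as well. The helper below is an added example, not code from the commit or from the MediaTek/AOSP policy tooling; it parses the avc line and emits the file_contexts entry, type declaration and .te rules a policy author would write. The type name `teei_device` is an assumption; the commit does not say which label it introduced.

```python
"""Turn an Android avc denial line into the sepolicy a policy author would write.

Added example; the type name used for relabeling is passed in by the caller
and is an assumption, not something the commit message states.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The denial quoted in the commit message (copied from the page, not constructed).
DENIAL = (
    '[   17.672144] .(4)[397:logd.auditd]type=1400 audit(1608975801.860:326): '
    'avc: denied { ioctl } for comm="fingerprint@2.1" path="/dev/teei_fp" '
    'dev="tmpfs" ino=15742 ioctlcmd=0x5402 '
    'scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 '
    'tclass=chr_file permissive=1'
)

# Catch-all labels: a denial against one of these means the object was never
# given a dedicated type, so the right fix is a file_contexts entry, not an
# allow rule against the generic type (which would open it to every such object).
GENERIC_TYPES = {"device", "sysfs", "proc", "unlabeled", "default_prop", "vendor_default_prop"}

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+) \} for (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    path: Optional[str]
    ioctlcmd: Optional[int]
    permissive: bool

    @property
    def stype(self) -> str:  # type field of u:r:<type>:s0
        return self.scontext.split(":")[2]

    @property
    def ttype(self) -> str:  # type field of u:object_r:<type>:s0
        return self.tcontext.split(":")[2]


def parse_denial(line: str) -> Optional[Denial]:
    """Parse one logcat/dmesg avc line; return None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Denial(
        perms=m.group("perms").split(),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        path=kv.get("path"),
        ioctlcmd=int(kv["ioctlcmd"], 16) if "ioctlcmd" in kv else None,
        permissive=kv.get("permissive") == "1",
    )


def needs_relabel(d: Denial) -> bool:
    """True when the target carries a catch-all type and should get its own label."""
    return d.ttype in GENERIC_TYPES


def generate_policy(d: Denial, new_type: Optional[str] = None) -> Tuple[Optional[str], List[str]]:
    """Return (file_contexts line or None, list of .te lines) for one denial.

    Refuses to emit an allow rule against a generic type: the caller must name
    the dedicated type (e.g. the assumed 'teei_device') so the rule is scoped
    to this node only.
    """
    fc_line = None
    rules: List[str] = []
    ttype = d.ttype
    if needs_relabel(d):
        if new_type is None or not d.path:
            raise ValueError(f"{d.path!r} is labeled {d.ttype}; choose a dedicated type before allowing access")
        fc_line = f"{re.escape(d.path)}  u:object_r:{new_type}:s0"
        # AOSP convention for device nodes: declare the type with the dev_type attribute.
        if d.tclass in ("chr_file", "blk_file"):
            rules.append(f"type {new_type}, dev_type;")
        ttype = new_type
    rules.append(f"allow {d.stype} {ttype}:{d.tclass} {{ {' '.join(d.perms)} }};")
    # ioctl needs both the class permission and the per-command allowlist.
    if d.ioctlcmd is not None and "ioctl" in d.perms:
        rules.append(f"allowxperm {d.stype} {ttype}:{d.tclass} ioctl {{ 0x{d.ioctlcmd:04x} }};")
    return fc_line, rules


if __name__ == "__main__":
    denial = parse_denial(DENIAL)
    fc, te = generate_policy(denial, new_type="teei_device")
    print("# file_contexts\n" + fc)
    print("# *.te\n" + "\n".join(te))
```

Two caveats the output does not capture. `permissive=1` means the log was taken with the domain (or the whole policy) in permissive mode, so every denied check is logged; in enforcing mode the first failure would have stopped the HAL, and further denials may only surface once this one is fixed. And `0x5402` is the TCSETS command number from the termios ioctl space, so it is worth checking whether the HAL really needs it on a TEE node or is calling `tcsetattr` on every file descriptor it opens; an `allowxperm` line should list only the commands the driver actually implements.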
Add search rule for proc_chip and setsched rule for zygote in system_server.
MTK-Commit-Id: e6b2c39860f7cb83d54f1c01b9fe90969d8ede3b
Change-Id: If7fb47b1873a688b047a919eb726e18f4daadc19
CR-Id: ALPS04855246
Feature: [Module]SystemServer
[Detail]
There is an SELinux warning when system_server
uses the perf lock API
[Solution]
Add sysfs_boot_mode permission
MTK-Commit-Id: ab3e875f72f0ec5a55cb7682d6ac4a21f6dfe6dc
Change-Id: Ifd9c2acb54022de9297f7c7b62516a58fdf1c25b
CR-Id: ALPS04838812
Feature: [Module]PowerHAL
Add rules for proc_wlan_status, sysfs_pages_shared,
sysfs_pages_sharing, sysfs_pages_unshared and sysfs_pages_volatile.
MTK-Commit-Id: 7c7249f4597a69f068100da07e2773962c0bdba7
Change-Id: I6a3d7823295fd19b934ac0a28bef1f14ca8de2fa
CR-Id: ALPS04821191
Feature: [Module]SystemServer
[Detail]
There is a workaround for bring-up;
now it needs to be modified.
[Solution]
1. Split workaround into special *.te
2. Modify ged sepolicy
3. Correct mistake
4. Add sepolicy
MTK-Commit-Id: 5a2b7e3fdc826a7ca6bc70a3810f14c1661e7d79
Change-Id: I0894de45e014a5eae754e35b57fbc9b21bc4bf90
CR-Id: ALPS04639771
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
For Android Q, there is a more stringent restriction on ioctl;
system_server needs some permissions to access proc_ged by ioctlcmd
in MTBF.
MTK-Commit-Id: d79045e8bfe072a3125efa56cf5012cfb84e416b
Change-Id: Ic82c4ff92333077d9260f931c67453b9e53d305e
CR-Id: ALPS04525727
Feature: [Module]SystemServer
For Android Q, there is a more stringent restriction on ioctl;
system_server needs some permissions to access proc_ged by ioctlcmd
in MTBF.
MTK-Commit-Id: b3250e2378854b801fd8602b5369b48d91268993
Change-Id: I46d46e62dfb7fcc8a5675cc7584fd8f8e069238f
CR-Id: ALPS04462320
Feature: [Module]SystemServer
For Android Q, there is a more stringent restriction on ioctl;
system_server needs some permissions to access proc_ged by ioctlcmd
in MTBF.
MTK-Commit-Id: 6fe037cc18f278a95a919bb3188ae50fb880a36e
Change-Id: I4f4a3b13f3ee49920ebb588ed5e7094ae0065494
CR-Id: ALPS04462320
Feature: [Module]SystemServer
For Android Q, there is a more stringent restriction on ioctl;
system_server needs some permissions to access proc_ged by ioctlcmd
in MTBF.
MTK-Commit-Id: f4a14dea0b118232234da13c860c66e1b31b3c5d
Change-Id: Idd1b3376f8980273f5e91985d91729c1ab50dd59
CR-Id: ALPS04424750
Feature: [Module]SystemServer
system_writes_vendor_properties_violators is only a workaround,
and will cause *TS tests to fail, so remove the workaround and the
corresponding rules that cause the build to fail.
MTK-Commit-Id: f637c1416b591c821bc9c18fd3dbf3aa5f9038af
Change-Id: If09922120de0742ec47d7c0522168d4e78a4e74f
CR-Id: ALPS03878175
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Some rules are not needed any more; remove them.
MTK-Commit-Id: 49685f1299d990a7195a2d54b955517d8f2cc699
Change-Id: I4a590ad781589cf94989ce72c88751ac10b82eae
CR-Id: ALPS03982747
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail] Because "ro.vendor.net.upload.benchmark.default"
is an unlabeled property, all uses of it will have the name
vendor_default_prop
[Solution] The owner needs to relabel the property
"ro.vendor.net.upload.benchmark.default"
MTK-Commit-Id: 3a772e2b252536c9bbe9829b75f3464c2df68248
Change-Id: I42f341bf01cea16a16a0e73d13e0c03b5c270dad
CR-Id: ALPS03825066
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail] System processes have no permission to access
vendor_default_prop
[Solution] Add a get rule for vendor_default_prop for system
processes
MTK-Commit-Id: ad4fb4d8ae4fb38767c16b82ce9d8351f5f59702
Change-Id: I31cf13db6b50a3cff193aa0a34bc1130e5b18942
CR-Id: ALPS03825066
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Restore the policies accessing files labeled
as proc_xxx or sysfs_xxx, but there are some
exceptions for coredomain processes, such as
meta_tst, dump_state, kpoc_charger
MTK-Commit-Id: 7953b5203bb3cac099c3326d330643b4cd73746d
Change-Id: I4b16c09c352891783e837bea370c264966ca6d13
CR-Id: ALPS03825066
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK