[Detail] For android Q, we need to add more policy for secure video playback
MTK-Commit-Id: 49b4ab8e0047f4a5002c82af075c77e8bc4e790f
Change-Id: Ib81885e40b14416b57e0776c56cb85591509501a
CR-Id: ALPS04428522
Feature: Trustonic TEE (Trusted Execution Environment)
[Detail]
In xTS, testNoBugreportDenials will check if there are any
avc denied log of dumpstate.
https://android-review.googlesource.com/c/platform/cts/+/667966
[Solution]
add dumpstate allow rules as workaround for google
dumpstate avc error.
MTK-Commit-Id: 98f2dcd0a8011ce5892a25bf40e3e94efe87e302
Change-Id: I12d8d197a815791be942336d6c951e38a3278d2c
CR-Id: ALPS04661377
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
IMSI belongs to sensitive information and is not allowed to print.
Add IMSI property to sensitive group and it is not printed in
mtklogger property files.
MTK-Commit-Id: 9c0bde9784ce5f9f4a88ee6827faf864c248682a
Change-Id: If3721c66fc69f86424ed98193aecd600019071f8
CR-Id: ALPS04607956
Feature: SIM
Add file & dir permission on gpu, proc_ged, and debugfs_ion
MTK-Commit-Id: b27f71d9a9c557042c7844b034d26c5a58895204
Change-Id: Ie0dce4d5fba5cfdce1b76cdd8706d81f010a3771
CR-Id: ALPS04669482
Feature: Video Player
1. Add codes to handling to NR cell in SUPL task.
2. Avoid AVC messages due to gps_data_file
MTK-Commit-Id: aa1f052111fecc95e8af838f16a34cf2f2695f60
Change-Id: Id47d9ab2999ca482f4ec077a0d0d38f4060135ca
CR-Id: ALPS04671051
Feature: A-GPS
[Detail]
mtk_em_tel_log_prop is defined in bsp/, the rule in basic/ will
cause error while building basic project.
[Solution]
Move the rule of mtk_em_tel_log_prop from basic/ to bsp/.
MTK-Commit-Id: 0d04d80f653343466407bd1dd3b260bfdd0859a9
Change-Id: Ibb01bd54502f5178fc35429c5df128a6c319e812
CR-Id: ALPS04668349
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
There are some selinux violation for app in MTBF,
need to add some sepolicy for them.
[Solution]
1.Add sepolicy
2.Move sepolicy of untrusted_app_* to untrusted_app_*.te
3.Modify sepolicy
MTK-Commit-Id: 62b5c74c6d1d85acf0184fc18fca0b40c4a8e60c
Change-Id: Icac33ccc54b691ee0e4ab7088f77adb1c1a4a549
CR-Id: ALPS04640303
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
add recovery.te to grant the permission under
recovery of basic function
MTK-Commit-Id: 5484785e1a1d5a45616e8b75b7bf42274314b042
Change-Id: I8bdfb2bc847154fb5b1c3ce4515541047c6df3b4
CR-Id: ALPS04658973
Feature: [Android Default] SIU (SD Image Update)
[Detail]
There is a workaround for bring-up,
now it needs to be modified.
[Solution]
1.Split workaround to sepcial *.te
2.Modify ged sepolicy
3.Modify mistake
4.Add sepolicy
MTK-Commit-Id: 5a2b7e3fdc826a7ca6bc70a3810f14c1661e7d79
Change-Id: I0894de45e014a5eae754e35b57fbc9b21bc4bf90
CR-Id: ALPS04639771
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
md_monitor will build to vendor image, now it will use HIDL to connect
with JAVA user.
device.mk, SELinux policy about md_monitor need change from system to
vendor, and add relate contents for HILD service.
MDML change:
PlainDataDecoder now need use new constructor with a context, old
constructor will throw an Exception.
For single modem bin:
layout and filter bin file will move from /data/md_mon to
/data/vendor/md_mon. JAVA user shall get layout file via HIDL, then
save a temp file in its cache folder.
For non-single modem bin:
layout file move from /system/etc/mddb/ to /vendor/etc/mddb/, filter bin
file move from /system/etc/firmware/ to /vendor/etc/firmware/. And
system process can access /vendor/etc/. So dont need other change.
MTK-Commit-Id: be91b65d9497e3190ea1127bc71ed2abcb32ed98
Change-Id: I5c99f81c4be7a9f41d3b955156ab3e50ec655d97
CR-Id: ALPS04660543
Feature: Modem Monitor(MDM) Framework
New feature:
Add selinux of HIDL service and client.
Use HIDL copy modem db and filter from vendor image
to data partition for modem log tool.
MTK-Commit-Id: 7fadaf0f2a60d05d7464264ef9e23a75ca27bb66
Change-Id: I12cc8614537f30e90a1717f9838c52283342eb55
CR-Id: ALPS04532537
Feature: Modem Log Tool
[Detail]
For Andorid Q, there is a more stringent restriction
for ioctl, app need to access pipe by ioctlcmd=0x5402.
avc: denied { ioctl } for comm="kd" path="pipe:[7173861]"
dev="pipefs" ino=7173861 ioctlcmd=0x5402
scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:r:untrusted_app_25:s0:c512,c768
tclass=fifo_file permissive=0 app=com.tencent.qqpimsecure
[Solution]
Add sepolicy for app to access pipe by ioctlcmd=0x5402
MTK-Commit-Id: d38b9f7f97aab7b23d80d0f3aac8e25a790c8c91
Change-Id: I5ac20bf2dffa0c297b32aaebd75db9e04c35cc79
CR-Id: ALPS04654001
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
In kernel 4.14, selinux security need to check if the process has the
map permission of mmap inode. App need the map permission to
read radio_data_file.
[Solution]
Add map permission for app to read radio_data_file.
MTK-Commit-Id: 698e603818ff37a59212a37a41ecbec8e8e30233
Change-Id: I8982ddbff40cfd7280c0a3dc5e8d2f6b6394e747
CR-Id: ALPS04653992
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
