[Detail] For Android Q, we need to add more policy for secure video playback
MTK-Commit-Id: 49b4ab8e0047f4a5002c82af075c77e8bc4e790f
Change-Id: Ib81885e40b14416b57e0776c56cb85591509501a
CR-Id: ALPS04428522
Feature: Trustonic TEE (Trusted Execution Environment)
IMSI belongs to sensitive information and is not allowed to be printed.
Add IMSI property to sensitive group and it is not printed in
mtklogger property files.
MTK-Commit-Id: 9c0bde9784ce5f9f4a88ee6827faf864c248682a
Change-Id: If3721c66fc69f86424ed98193aecd600019071f8
CR-Id: ALPS04607956
Feature: SIM
Add file & dir permission on gpu, proc_ged, and debugfs_ion
MTK-Commit-Id: b27f71d9a9c557042c7844b034d26c5a58895204
Change-Id: Ie0dce4d5fba5cfdce1b76cdd8706d81f010a3771
CR-Id: ALPS04669482
Feature: Video Player
1. Add code to handle NR cell in SUPL task.
2. Avoid AVC messages due to gps_data_file
MTK-Commit-Id: aa1f052111fecc95e8af838f16a34cf2f2695f60
Change-Id: Id47d9ab2999ca482f4ec077a0d0d38f4060135ca
CR-Id: ALPS04671051
Feature: A-GPS
[Detail]
mtk_em_tel_log_prop is defined in bsp/, so the rule in basic/ will
cause an error while building the basic project.
[Solution]
Move the rule of mtk_em_tel_log_prop from basic/ to bsp/.
MTK-Commit-Id: 0d04d80f653343466407bd1dd3b260bfdd0859a9
Change-Id: Ibb01bd54502f5178fc35429c5df128a6c319e812
CR-Id: ALPS04668349
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
There are some SELinux violations for apps in MTBF;
need to add some sepolicy for them.
[Solution]
1. Add sepolicy
2. Move sepolicy of untrusted_app_* to untrusted_app_*.te
3. Modify sepolicy
MTK-Commit-Id: 62b5c74c6d1d85acf0184fc18fca0b40c4a8e60c
Change-Id: Icac33ccc54b691ee0e4ab7088f77adb1c1a4a549
CR-Id: ALPS04640303
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Add recovery.te to grant the permission under
recovery of basic function
MTK-Commit-Id: 5484785e1a1d5a45616e8b75b7bf42274314b042
Change-Id: I8bdfb2bc847154fb5b1c3ce4515541047c6df3b4
CR-Id: ALPS04658973
Feature: [Android Default] SIU (SD Image Update)
[Detail]
There is a workaround for bring-up,
now it needs to be modified.
[Solution]
1. Split workaround to special *.te
2. Modify ged sepolicy
3. Modify mistake
4. Add sepolicy
MTK-Commit-Id: 5a2b7e3fdc826a7ca6bc70a3810f14c1661e7d79
Change-Id: I0894de45e014a5eae754e35b57fbc9b21bc4bf90
CR-Id: ALPS04639771
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
md_monitor will be built into the vendor image; now it will use HIDL to connect
with JAVA user.
device.mk and the SELinux policy about md_monitor need to change from system to
vendor, and add related contents for the HIDL service.
MDML change:
PlainDataDecoder now needs to use the new constructor with a context; the old
constructor will throw an Exception.
For single modem bin:
layout and filter bin files will move from /data/md_mon to
/data/vendor/md_mon. JAVA user shall get the layout file via HIDL, then
save a temp file in its cache folder.
For non-single modem bin:
layout file moves from /system/etc/mddb/ to /vendor/etc/mddb/, filter bin
file moves from /system/etc/firmware/ to /vendor/etc/firmware/. And
system process can access /vendor/etc/, so no other change is needed.
MTK-Commit-Id: be91b65d9497e3190ea1127bc71ed2abcb32ed98
Change-Id: I5c99f81c4be7a9f41d3b955156ab3e50ec655d97
CR-Id: ALPS04660543
Feature: Modem Monitor(MDM) Framework
New feature:
Add SELinux policy of HIDL service and client.
Use HIDL to copy modem db and filter from vendor image
to data partition for modem log tool.
MTK-Commit-Id: 7fadaf0f2a60d05d7464264ef9e23a75ca27bb66
Change-Id: I12cc8614537f30e90a1717f9838c52283342eb55
CR-Id: ALPS04532537
Feature: Modem Log Tool
[Detail]
For Android Q, there is a more stringent restriction
for ioctl; the app needs to access the pipe by ioctlcmd=0x5402.
avc: denied { ioctl } for comm="kd" path="pipe:[7173861]"
dev="pipefs" ino=7173861 ioctlcmd=0x5402
scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:r:untrusted_app_25:s0:c512,c768
tclass=fifo_file permissive=0 app=com.tencent.qqpimsecure
[Solution]
Add sepolicy for app to access pipe by ioctlcmd=0x5402
MTK-Commit-Id: d38b9f7f97aab7b23d80d0f3aac8e25a790c8c91
Change-Id: I5ac20bf2dffa0c297b32aaebd75db9e04c35cc79
CR-Id: ALPS04654001
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
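
The denial quoted in the commit message above, parsed as an added example (not part of the commit or of MediaTek's policy). The function names and the generated rule text are assumptions for illustration; the actual rule the commit added is not shown on this page.

```python
import re

# The denial from the commit message, joined onto one line.
DENIAL = ('avc: denied { ioctl } for comm="kd" path="pipe:[7173861]" '
          'dev="pipefs" ino=7173861 ioctlcmd=0x5402 '
          'scontext=u:r:untrusted_app_25:s0:c512,c768 '
          'tcontext=u:r:untrusted_app_25:s0:c512,c768 '
          'tclass=fifo_file permissive=0 app=com.tencent.qqpimsecure')

# Terminal ioctl numbers from Linux asm-generic/ioctls.h (small subset).
IOCTL_NAMES = {0x5401: "TCGETS", 0x5402: "TCSETS", 0x5413: "TIOCGWINSZ"}

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None if not a denial."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    rec = {k: v.strip('"')
           for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; the type is the third field.
    for key in ("scontext", "tcontext"):
        rec[key + "_type"] = rec[key].split(":")[2]
    if "ioctlcmd" in rec:
        rec["ioctlcmd"] = int(rec["ioctlcmd"], 16)
    return rec

def candidate_rule(rec):
    """Build a narrowly scoped rule for review (hypothetical helper)."""
    src, cls = rec["scontext_type"], rec["tclass"]
    tgt = "self" if src == rec["tcontext_type"] else rec["tcontext_type"]
    if rec["perms"] == ["ioctl"] and "ioctlcmd" in rec:
        # Extended permission: whitelists one ioctl command, not all of them.
        return "allowxperm %s %s:%s ioctl { 0x%04x };" % (
            src, tgt, cls, rec["ioctlcmd"])
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(rec["perms"]))

if __name__ == "__main__":
    rec = parse_avc(DENIAL)
    print(rec["comm"], IOCTL_NAMES.get(rec["ioctlcmd"], "unknown"))
    print(candidate_rule(rec))
```

The output is a starting point for policy review: a single-command `allowxperm` keeps the grant limited to the one ioctl in the denial, and it still has to pass the platform's neverallow checks.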
[Detail]
In kernel 4.14, SELinux security needs to check if the process has the
map permission of the mmap inode. The app needs the map permission to
read radio_data_file.
[Solution]
Add map permission for app to read radio_data_file.
MTK-Commit-Id: 698e603818ff37a59212a37a41ecbec8e8e30233
Change-Id: I8982ddbff40cfd7280c0a3dc5e8d2f6b6394e747
CR-Id: ALPS04653992
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Feature - Userdata Checkpoint
We will format the metadata partition (md_udc) on first boot-up.
Because it is a RAW data part, grant the permission
to e2fs.
MTK-Commit-Id: de837a8e097cad8067f5d653370545b51f8d457e
Change-Id: Iaebc665979ab36422b6df846a2f05450c222d1f5
CR-Id: ALPS04304578
Feature: [Android Default] F2FS File System