TEE stores its file in /data/vendor/thh/. Allow it the required permissions
to do so.
Denials observed without this change:
12-28 16:42:11.556 416 416 I teei_daemon: type=1400 audit(0.0:394): avc: denied { open } for path="/data/vendor/thh/7778c03fc30c4dd0a319ea29643d4d4b." dev="sdc46" ino=2490455 scontext=u:r:tee:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=1
Test: Boot and notice that denials have resolved
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I1a608ebac628c8ce9c35ece1566e049236321a4b
Camera data files are stored in /data/vendor/camera/ by camera hal on
treble devices. Label and allow mtk_hal_camera to manage it.
Denial observed without this change:
[ 17.686535] .(4)[399:logd.auditd]type=1400 audit(1609114842.280:303): avc: denied { getattr } for comm="camerahalserver" path="/data/vendor/camera/back_dual_camera_caldata_wt.bin" dev="sdc46" ino=2490446 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=file permissive=1
Test: Boot and notice denial has disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I98d0ddcce95cccdb9e86c4d36cb692e1f1ff41cb
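A sketch of the triage step behind the two denials quoted above, added here as an example and not part of these commits or the device tree: it parses an `avc: denied` line into the literal `allow` rule it implies and flags targets that carry a generic label, where a dedicated type (as the camera commit adds) is the narrower fix. The function names and the `GENERIC_TYPES` set are assumptions.

```python
import re

# Constructed sample: the two denials from the commit messages above,
# trimmed to start at "avc:" (logcat/dmesg prefixes dropped).
SAMPLE = [
    'avc: denied { open } for path="/data/vendor/thh/7778c03fc30c4dd0a319ea29643d4d4b." '
    'dev="sdc46" ino=2490455 scontext=u:r:tee:s0 '
    'tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=1',
    'avc: denied { getattr } for comm="camerahalserver" '
    'path="/data/vendor/camera/back_dual_camera_caldata_wt.bin" dev="sdc46" '
    'ino=2490446 scontext=u:r:mtk_hal_camera:s0 '
    'tcontext=u:object_r:vendor_data_file:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'path="([^"]*)"')

# Assumption: labels shared by many unrelated files; granting on them is broad.
GENERIC_TYPES = {"vendor_data_file", "system_data_file", "sysfs", "proc"}


def type_of(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def review(line):
    """Parse one denial; return the implied rule plus review flags, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    path = PATH_RE.search(line)
    src, tgt = type_of(m["scon"]), type_of(m["tcon"])
    perms = m["perms"].split()
    return {
        "source": src,
        "target": tgt,
        "path": path.group(1) if path else None,
        # The rule the denial literally asks for, before any relabeling.
        "rule": "allow %s %s:%s { %s };" % (src, tgt, m["tclass"], " ".join(perms)),
        # True: prefer a dedicated type for the path over allowing the generic one.
        "needs_own_label": tgt in GENERIC_TYPES,
        # permissive=1 means the access was logged, not blocked.
        "enforced": "permissive=1" not in line,
    }


if __name__ == "__main__":
    for entry in SAMPLE:
        print(review(entry))
```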
These types are already defined in system/sepolicy and give compile-time
errors. Remove them to resolve the issues.
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Add permission to concurrency_scenario node for mediacodec
MTK-Commit-Id: df9f4afc7ecdf7a62b3bd7b79de24d2cde4ebd6a
Change-Id: I3b98ddd5d5b28c9f8f46df1a5089088edc5e4991
CR-Id: ALPS04925594
Feature: DRAM
[Detail]
There is a risk in allowing a process to get permission for atag,chipid
by using u:object_rsysfs:s0
To avoid that, we need to add a special SELabel for atag,chipid
[Solution]
Add a special SELabel for atag,chipid
MTK-Commit-Id: b727ba4e2b59c1dbe59f5e1d9f6b9c5d94c5ffad
Change-Id: Ibaf69f387015790c657783bb1234e584e56f67aa
CR-Id: ALPS04833608
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Add rules for proc_wlan_status and sysfs_pages_shared and
sysfs_pages_sharing and sysfs_pages_unshared and sysfs_pages_volatile.
MTK-Commit-Id: 7c7249f4597a69f068100da07e2773962c0bdba7
Change-Id: I6a3d7823295fd19b934ac0a28bef1f14ca8de2fa
CR-Id: ALPS04821191
Feature: [Module]SystemServer
[Detail]
Remove the unused sepolicy, which has high risk
MTK-Commit-Id: 93b6fa2d6408dc551867fb24b260b053a9b746a7
Change-Id: Id8ddccde37e766c59b1d258d17db2759da6a3ef9
CR-Id: ALPS04761108
Feature: [Android Default] Backlight
NE DB is created by /system/bin/aee_aed* on Q,
so remove selinux rules about /data/vendor/tombstones.
MTK-Commit-Id: f3b5da9438aa0fe4cc6e96bcafe0b253da475fee
Change-Id: I875ed2f4c62413e4b438b36945cda9ec7933f9b3
CR-Id: ALPS04754945
Feature: Android Exception Engine(AEE)
These policies are for system processes; as a result,
move them to the plat_private folder.
MTK-Commit-Id: 46e87002024d5675d566dd59f77cbde9c69bdd37
Change-Id: I9c2b72136d1f1c3062f0ac6b174c8334b1965e80
CR-Id: ALPS04649268
Feature: Mobile Log Tool
[Detail] For Android Q, we need to add more policy for secure video playback
MTK-Commit-Id: 49b4ab8e0047f4a5002c82af075c77e8bc4e790f
Change-Id: Ib81885e40b14416b57e0776c56cb85591509501a
CR-Id: ALPS04428522
Feature: Trustonic TEE (Trusted Execution Environment)
Add SELINUX policy for mobile_log_d to save log in /data/debuglogger
and for getting log from adb.
MTK-Commit-Id: 8775f10bd89be7ac112cbc56daf422814f0f385f
Change-Id: I39e5e1d0ccb2381ef302c187ff83a9e9cb0fa959
CR-Id: ALPS04649268
Feature: Mobile Log Tool
[Detail]
sysfs_mmcblk is used by vendor & system processes,
its type needs to be moved to plat_public.
[Solution]
Move type sysfs_mmcblk from non_plat to plat_public.
MTK-Commit-Id: 9221eb0ec44290e461e5602f7bfaf08b72994b4d
Change-Id: Ibe9a39e70e2071bfa9c88518fd34e232fc4844d6
CR-Id: ALPS04475279
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
netd_socket is deprecated in a/26f84c6.
The netd_socket is used in multiple modem generations;
for cross-modem compatibility we add a dummy label to
prevent splitting a new branch.
MTK-Commit-Id: b949378b387f9eb942de90b7475aea4ec711f68c
Change-Id: I5179175d9df973a0da01d4520269468b70f742ce
CR-Id: ALPS04284125
Feature: Modem Interface Driver
Add some new rules for files that do not exist in basic/non_plat/,
allow dumpstate to open/read files
MTK-Commit-Id: 7d8021e582f9c10b7f9574f4fcdadee0be5d3c99
Change-Id: Ifc1ca446ce6cd40e36835acaf52ca5a12efedcdb
CR-Id: ALPS04383536
Feature: Android Exception Engine(AEE)