/dev/tee* are accessed by domains that interact with TEE and thus
require access to them too.
Test: Boot and observe that denials are not visible in logs anymore
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I7b0944a1063da8561d2928e4110674ce4845ecea
TEE stores its file in /data/vendor/thh/. Allow it the required permissions
to do so.
Denials observed without this change:
12-28 16:42:11.556 416 416 I teei_daemon: type=1400 audit(0.0:394): avc: denied { open } for path="/data/vendor/thh/7778c03fc30c4dd0a319ea29643d4d4b." dev="sdc46" ino=2490455 scontext=u:r:tee:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=1
Test: Boot and notice that denials have resolved
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I1a608ebac628c8ce9c35ece1566e049236321a4b
/dev/*rpmb* devices are accessed by tee. Label them and allow tee the required
permissions to manage them.
Denial observed without this change:
[ 46.559953] .(2)[399:logd.auditd]type=1400 audit(1609128921.644:391): avc: denied { ioctl } for comm="teei_daemon" path="/dev/rpmb0" dev="tmpfs" ino=17454 ioctlcmd=0x6 scontext=u:r:init:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and observe that denial no longer appears
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I3499e2a3ba177b8e69d8cdbb76939daf3f8bbc7b
/dev/ut_keymaster is used by keymaster. Label it and allow the relevant permissions
which the domains using it (vold, tee and keymaster) require.
Denial observed without this change:
[ 46.666247] .(2)[399:logd.auditd]type=1400 audit(1609128921.744:392): avc: denied { ioctl } for comm="keymaster@3.0-s" path="/dev/ut_keymaster" dev="tmpfs" ino=17464 ioctlcmd=0x5402 scontext=u:r:hal_keymaster_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice that denial no longer appears
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Iee0126d637a139397db8857d8a780277c3ea4576
/dev/teei_fp is used by fingerprint to communicate with Microtrust TEE drivers to
store fingerprint data on the device. Label it and allow the relevant source the
required permissions.
Denial observed without this change:
[ 17.672144] .(4)[397:logd.auditd]type=1400 audit(1608975801.860:326): avc: denied { ioctl } for comm="fingerprint@2.1" path="/dev/teei_fp" dev="tmpfs" ino=15742 ioctlcmd=0x5402 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice denials have disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I8a7445400be241e81f8bf21347967b85381ed3ec
Thermal binary is used to load, throttle, and manage thermal profiles on MediaTek devices.
Label it and grant the required permissions for it to operate without any issues.
Test: Boot and notice thermal now has a proper domain and works without any issues
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Ibbc7e0ce907cd5eedd7826c658e7ef9c2d7a907d
Camera data files are stored in /data/vendor/camera/ by the camera hal on
treble devices. Label them and allow mtk_hal_camera to manage them.
Denial observed without this change:
[ 17.686535] .(4)[399:logd.auditd]type=1400 audit(1609114842.280:303): avc: denied { getattr } for comm="camerahalserver" path="/data/vendor/camera/back_dual_camera_caldata_wt.bin" dev="sdc46" ino=2490446 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=file permissive=1
Test: Boot and notice denial has disappeared
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I98d0ddcce95cccdb9e86c4d36cb692e1f1ff41cb
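The denials quoted in the commits above share one pattern: the target is the catch-all `device` or `vendor_data_file` type, and each fix first labels the node with a dedicated type and only then allows the source domain on that type. The following helper is an added example, not code from this repository or these commits; it parses those avc lines and prints that label-then-allow policy. The type names passed in and the attribute sets (`dev_type`, `file_type, data_file_type`) are assumptions following AOSP sepolicy conventions.

```python
import re
from collections import namedtuple

# Catch-all labels: a denial against one of these means the object never got
# a dedicated type, so label it rather than widen access to the generic type.
GENERIC_TARGETS = {"device": "dev_type",
                   "vendor_data_file": "file_type, data_file_type"}

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} for (?:comm="(?P<comm>[^"]*)" )?'
    r'(?:path="(?P<path>[^"]*)" )?.*?scontext=u:r:(?P<sdom>[^:]+):s0 '
    r'tcontext=u:object_r:(?P<ttype>[^:]+):s0 tclass=(?P<tclass>\S+)')

Denial = namedtuple("Denial", "sdom ttype tclass perms path")  # one avc line

def parse_denial(line):
    """Return a Denial for an avc line, or None for unrelated log lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Denial(m["sdom"], m["ttype"], m["tclass"],
                  tuple(sorted(m["perms"].split())), m["path"] or "")

def suggest(d, new_type):
    """Policy lines for one denial; new_type is used only for generic targets."""
    esc = lambda p: p.replace(".", r"\.")   # file_contexts paths are regexes
    out, ttype = [], d.ttype
    if ttype in GENERIC_TARGETS:
        out.append(f"type {new_type}, {GENERIC_TARGETS[ttype]};")
        if d.tclass == "chr_file":
            pat = esc(d.path)                # label the device node exactly
        else:                                # label the data directory tree
            base = d.path if d.tclass == "dir" else d.path.rsplit("/", 1)[0]
            pat = esc(base) + "(/.*)?"
        out.append(f"{pat} u:object_r:{new_type}:s0")
        ttype = new_type
    # permissive=1 means every denial is logged, so collect a full boot's worth
    # before writing the final rule; one line gives only a partial perm set.
    out.append(f"allow {d.sdom} {ttype}:{d.tclass} {{ {' '.join(d.perms)} }};")
    return out

# Denial lines quoted from the commit messages above (not constructed).
SAMPLE = [
    'audit(1609128921.744:392): avc: denied { ioctl } for comm="keymaster@3.0-s" path="/dev/ut_keymaster" dev="tmpfs" ino=17464 ioctlcmd=0x5402 scontext=u:r:hal_keymaster_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1',
    'audit(1609114842.280:303): avc: denied { getattr } for comm="camerahalserver" path="/data/vendor/camera/back_dual_camera_caldata_wt.bin" dev="sdc46" ino=2490446 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    for line, new_type in zip(SAMPLE, ("ut_keymaster_device", "camera_vendor_data_file")):
        print("\n".join(suggest(parse_denial(line), new_type)))
```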
[Detail]
set the same as trusty-ipc-dev0
MTK-Commit-Id: e5f995940b04d6bfde3760214f560d7458012700
Change-Id: I2cd96a5f196e3b1f7987e2b44ca708462e03ad06
CR-Id: ALPS04859387
Feature: GenieZone
Signed-off-by: Nixy Hsu <nixy.hsu@mediatek.com>
NE DB is created by /system/bin/aee_aed* on Q,
so remove selinux rules about /data/vendor/tombstones.
MTK-Commit-Id: f3b5da9438aa0fe4cc6e96bcafe0b253da475fee
Change-Id: I875ed2f4c62413e4b438b36945cda9ec7933f9b3
CR-Id: ALPS04754945
Feature: Android Exception Engine(AEE)
[Detail]
add sepolicy for ion cache api
MTK-Commit-Id: 86e313906832c12901114ba414334902b8d99353
Change-Id: I64c867ab4a59c93b51c72e1d4ce362f039d6c26b
CR-Id: ALPS04748405
Feature: System Performance
Signed-off-by: Hanks Chen <hanks.chen@mediatek.com>
Basic projects which need clearkey and widevine will fail to
launch the clearkey and widevine processes, so we need to move the clearkey-
and widevine-related sepolicy to the basic repo
MTK-Commit-Id: 889fb14b0d049c0fb53e1f2a45b43a1ba6700f9f
Change-Id: I7b9154b9dcee05be01a2d5f1c7a5f8d365ce4da6
CR-Id: ALPS04737987
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
DoRestoreCon will spend more time in coldboot for sys, proc & debugfs
if their contexts are in file_contexts.
Genfscon can reduce time consumption.
[Solution]
Move contexts of sys,proc & debugfs from file_contexts to
genfs_contexts.
MTK-Commit-Id: a5b022f46a3285fa5ab48d418762497d49739948
Change-Id: I4619946e9f7f8f0bcb7503b737bdfac4c014edd1
CR-Id: ALPS04696074
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
[Detail]
New ST NFC stack for Android compatible with native SecureElement service.
Added also SE HAL for ST54H (SPI) support.
SE HAL files are for internal reference only.
MTK-Commit-Id: 1ad8ab131a2acbdf66133db290e4206627a5f50b
Change-Id: Ief43e503b7147ab96185100ae3c02ecb2ce82640
CR-Id: ALPS04709027
Feature: NFC Chipset Capability
[Detail]
Update for the ST NFC HAL version to 1.2.
MTK-Commit-Id: 7c7f8db4cc98b778cddfddae6679947a6b663270
Change-Id: I1c3544d570631d9d46a617203e68466ed529820b
CR-Id: ALPS04707214
Feature: NFC Chipset Capability
Refactor hdmi service as a hidl service, so that
other processes can call the hdmi service API.
Add Selinux permission for the hdmi hidl service.
MTK-Commit-Id: 0ecef9e52ce92b52413fbecd2b5be492806b8f53
Change-Id: I7f1c5f48d4ae9777acc80436a4af801f32969fac
CR-Id: ALPS04707246
Feature: [Module]Settings
These policies are for system processes; as a result,
move them to the plat_private folder.
MTK-Commit-Id: 46e87002024d5675d566dd59f77cbde9c69bdd37
Change-Id: I9c2b72136d1f1c3062f0ac6b174c8334b1965e80
CR-Id: ALPS04649268
Feature: Mobile Log Tool