9ef4675f68
[ 12.536452] .(1)[399:logd.auditd]type=1400 audit(1262323310.848:231): avc: denied { search } for comm="audio@5.0-servi" name="clients" dev="debugfs" ino=3111 scontext=u:r:mtk_hal_audio:s0 tcontext=u:object_r:debugfs_ion:s0 tclass=dir permissive=1
[ 59.661176] .(0)[399:logd.auditd]type=1400 audit(1609417550.280:331): avc: denied { search } for comm="RenderThread" name="clients" dev="debugfs" ino=3111 scontext=u:r:system_app:s0 tcontext=u:object_r:debugfs_ion:s0 tclass=dir permissive=1
[ 50.275600] .(4)[399:logd.auditd]type=1400 audit(1609417547.748:325): avc: denied { search } for comm="RenderThread" name="clients" dev="debugfs" ino=3111 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:debugfs_ion:s0 tclass=dir permissive=1 app=com.android.launcher3
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Ib8c7e944e95851d5ceef42bb3ea88c77c3cc7e0b
34 lines
1.4 KiB
Plaintext
34 lines
1.4 KiB
Plaintext
# ==============================================
|
|
# MTK Policy Rule
|
|
# ==============================================
|
|
|
|
# Grant read access to mtk core property type which represents all
|
|
# mtk properties except those with ctl_xxx prefix.
|
|
# Align Google change: f01453ad453b29dd723838984ea03978167491e5
|
|
get_prop(domain, mtk_core_property_type)
|
|
|
|
# Allow all processes to search /sys/kernel/debug/binder/ since it's has been
|
|
# labeled with specific debugfs label and many violations to dir search debugfs_binder
|
|
# are observed. Grant domain to suppress the violations as originally "debugfs:dir search"
|
|
# is also allowed to domain as well in Google default domain.te
|
|
allow domain debugfs_binder:dir search;
|
|
|
|
# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
|
|
# as it is a public interface for all processes to read some OTP data.
|
|
allow {
|
|
domain
|
|
-isolated_app
|
|
} sysfs_devinfo:file r_file_perms;
|
|
|
|
# Date:20170630
|
|
# Purpose: allow trusted process to connect aee daemon
|
|
#allow {
|
|
# coredomain
|
|
# -untrusted_app_all
|
|
#} aee_aed:unix_stream_socket connectto;
|
|
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
|
|
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_exp_vendor_file:file w_file_perms;
|
|
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:fd use;
|
|
|
|
allow domain debugfs_ion:dir search;
|