NekoSakura/android_device_mediatek_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
android_device_mediatek_sep.../non_plat/vold.te
Aayush Gupta 22380a4614 non_plat: Label /dev/tee* and grant required perms to domains 
/dev/tee* are accessed by domains that interact with TEE and thus
require access to them too.

Test: Boot and observe that denials are not visible in logs anymore

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I7b0944a1063da8561d2928e4110674ce4845ecea
2020-12-30 17:00:34 +05:30

53 lines
1.8 KiB
Plaintext
Raw Permalink Blame History

# ==============================================
# MTK Policy Rule
# ==============================================
# volume manager
# Date : WK16.19
# Operation : Migration
# Purpose : unmount /mnt/cd-rom. It causes by unmountAll() when VolumeManager starts
allow vold iso9660:filesystem unmount;
# Date : WK16.19
# Operation : Migration
# Purpose : vold will traverse /proc when remountUid().
# It will trigger violation if mtk customize some label in /proc.
# However, we should ignore the violation if the processes never access the storage.
dontaudit vold proc_battery_cmd:dir { read open };
dontaudit vold proc_mtkcooler:dir { read open };
dontaudit vold proc_mtktz:dir { read open };
dontaudit vold proc_thermal:dir { read open };
# Date : WK18.30
# Operation : Migration
# Purpose : vold create mdlog folder in data for meta mode.
allow vold mdlog_data_file:dir { create_dir_perms };
allow vold mtd_device:blk_file rw_file_perms;
# dontaudit for fstrim on 'vendor' folder
dontaudit vold nvdata_file:dir r_dir_perms;
dontaudit vold nvcfg_file:dir r_dir_perms;
dontaudit vold protect_f_data_file:dir r_dir_perms;
dontaudit vold protect_s_data_file:dir r_dir_perms;
# execute mke2fs when format as internal
allow vold cache_block_device:blk_file getattr;
allowxperm vold dm_device:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
};
allow vold nvcfg_block_device:blk_file getattr;
allow vold nvdata_device:blk_file getattr;
allow vold proc_swaps:file r_file_perms;
allow vold protect1_block_device:blk_file getattr;
allow vold protect2_block_device:blk_file getattr;
allow vold proc_swaps:file getattr;
allow vold swap_block_device:blk_file getattr;
allow vold sysfs_mmcblk:file rw_file_perms;
allow vold ut_keymaster_device:chr_file { read write open ioctl};
allow vold teei_client_device:chr_file { read write open ioctl};
Reference in New Issue View Git Blame Copy Permalink