cd6459c6ee
1. fix some aee high risk rules MTK-Commit-Id: 4031a4610757debf0aa0de48408c72517fd61bcb Change-Id: I637d723cba54ba7119d15617bd2935a4b00dd6c5 CR-Id: ALPS04758557 Feature: Android Exception Engine(AEE)
139 lines
4.4 KiB
Plaintext
139 lines
4.4 KiB
Plaintext
# ==============================================
|
|
# Policy File of /system/bin/aee_aed Executable File
|
|
|
|
# ==============================================
|
|
# Type Declaration
|
|
# ==============================================
|
|
type aee_aed_exec, system_file_type, exec_type, file_type;
|
|
typeattribute aee_aed coredomain;
|
|
typeattribute aee_aed mlstrustedsubject;
|
|
|
|
init_daemon_domain(aee_aed)
|
|
|
|
# ==============================================
|
|
# MTK Policy Rule
|
|
# ==============================================
|
|
|
|
# AED start: /dev/block/expdb
|
|
allow aee_aed block_device:dir search;
|
|
|
|
# aee db dir and db files
|
|
allow aee_aed sdcard_type:dir create_dir_perms;
|
|
allow aee_aed sdcard_type:file create_file_perms;
|
|
|
|
#data/anr
|
|
allow aee_aed anr_data_file:dir create_dir_perms;
|
|
allow aee_aed anr_data_file:file create_file_perms;
|
|
|
|
allow aee_aed domain:process { sigkill getattr getsched signal };
|
|
allow aee_aed domain:lnk_file getattr;
|
|
|
|
#core-pattern
|
|
allow aee_aed usermodehelper:file r_file_perms;
|
|
|
|
#suid_dumpable. this is neverallow
|
|
#allow aee_aed proc_security:file r_file_perms;
|
|
|
|
#allow aee_aed call binaries labeled "system_file" under /system/bin/
|
|
allow aee_aed system_file:file execute_no_trans;
|
|
|
|
allow aee_aed init:process getsched;
|
|
allow aee_aed kernel:process getsched;
|
|
|
|
# Date: W15.34
|
|
# Operation: Migration
|
|
# Purpose: For pagemap & pageflags information in NE DB
|
|
userdebug_or_eng(`allow aee_aed self:capability sys_admin;')
|
|
|
|
# Date: W16.17
|
|
# Operation: N0 Migeration
|
|
# Purpose: creat dir "aee_exp" under /data
|
|
allow aee_aed system_data_file:dir { write create add_name };
|
|
allow aee_aed system_data_file:file r_file_perms;
|
|
|
|
# Purpose: allow aee_aed to access toolbox
|
|
allow aee_aed toolbox_exec:file rx_file_perms;
|
|
|
|
# Purpose: mnt/user/*
|
|
allow aee_aed mnt_user_file:dir search;
|
|
allow aee_aed mnt_user_file:lnk_file read;
|
|
|
|
allow aee_aed storage_file:dir search;
|
|
allow aee_aed storage_file:lnk_file read;
|
|
|
|
# Date : WK17.09
|
|
# Operation : AEE UT for Android O
|
|
# Purpose : for AEE module to dump files
|
|
domain_auto_trans(aee_aed, dumpstate_exec, dumpstate)
|
|
|
|
# Purpose : aee_aed communicate with aee_core_forwarder
|
|
# allow aee_aed aee_core_forwarder:dir search;
|
|
# allow aee_aed aee_core_forwarder:file { read getattr open };
|
|
|
|
userdebug_or_eng(`
|
|
allow aee_aed su:dir {search read open };
|
|
allow aee_aed su:file { read getattr open };
|
|
')
|
|
|
|
# /data/tombstone
|
|
allow aee_aed tombstone_data_file:dir w_dir_perms;
|
|
allow aee_aed tombstone_data_file:file create_file_perms;
|
|
|
|
# /proc/pid/
|
|
allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
|
|
|
|
# system(cmd) aee_dumpstate aee_archive
|
|
allow aee_aed shell_exec:file rx_file_perms;
|
|
|
|
# PROCESS_FILE_STATE
|
|
allow aee_aed dumpstate:unix_stream_socket { read write ioctl };
|
|
allow aee_aed dumpstate:dir search;
|
|
allow aee_aed dumpstate:file r_file_perms;
|
|
|
|
allow aee_aed logdr_socket:sock_file write;
|
|
allow aee_aed logd:unix_stream_socket connectto;
|
|
#allow aee_aed system_ndebug_socket:sock_file write;
|
|
|
|
# vibrator
|
|
allow aee_aed sysfs_vibrator:file w_file_perms;
|
|
|
|
# Data : 2017/03/22
|
|
# Operation : add NE flow rule for Android O
|
|
# Purpose : make aee_aed can get specific process NE info
|
|
allow aee_aed domain:dir r_dir_perms;
|
|
allow aee_aed domain:{ file lnk_file } r_file_perms;
|
|
|
|
allow aee_aed dalvikcache_data_file:dir r_dir_perms;
|
|
#allow aee_aed zygote_exec:file r_file_perms;
|
|
#allow aee_aed init_exec:file r_file_perms;
|
|
|
|
# Data : 2017/04/06
|
|
# Operation : add selinux rule for crash_dump notify aee_aed
|
|
# Purpose : make aee_aed can get notify from crash_dump
|
|
allow aee_aed crash_dump:dir search;
|
|
allow aee_aed crash_dump:file r_file_perms;
|
|
|
|
# Purpose : allow aee_aed to read /proc/version
|
|
allow aee_aed proc_version:file { read open };
|
|
|
|
# Purpose : allow aee_aed self to sys_nice/chown/kill
|
|
allow aee_aed self:capability { sys_nice chown fowner kill };
|
|
|
|
# Purpose: Allow aee_aed to write /sys/kernel/debug/tracing/snapshot
|
|
userdebug_or_eng(`allow aee_aed debugfs_tracing_debug:file { write open };')
|
|
|
|
# Purpose: Allow aee_aed to read/write /sys/kernel/debug/tracing/tracing_on
|
|
#userdebug_or_eng(` allow aee_aed debugfs_tracing:file { r_file_perms write };')
|
|
|
|
# Purpose: receive dropbox message
|
|
allow aee_aed dropbox_data_file:file {getattr read};
|
|
allow aee_aed dropbox_service:service_manager find;
|
|
allow aee_aed servicemanager:binder call;
|
|
allow aee_aed system_server:binder call;
|
|
|
|
# Purpose: allow aee_aed to read packages.list
|
|
allow aee_aed packages_list_file:file r_file_perms;
|
|
|
|
# Purpose: Allow aee_aed to read /proc/*/exe
|
|
allow aee_aed system_file_type:file r_file_perms;
|