bbecfaa68b
[Detail] Google add new neverallows rules on android P, some rule violate the rules [Solution] Remove the rules which violate google new rules MTK-Commit-Id: ff683b4eee0a6dd95ff25fbb6c7d1fc3a79c604d Change-Id: Iead494212c6adcec234eaef14c83d1f8c7a49deb CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
37 lines
1.5 KiB
Plaintext
37 lines
1.5 KiB
Plaintext
# ==============================================
|
|
# MTK Policy Rule
|
|
# ==============================================
|
|
|
|
# Grant read access to mtk core property type which represents all
|
|
# mtk properties except those with ctl_xxx prefix.
|
|
# Align Google change: f01453ad453b29dd723838984ea03978167491e5
|
|
get_prop(domain, mtk_core_property_type)
|
|
|
|
# Allow all processes to search /sys/kernel/debug/binder/ since it's has been
|
|
# labeled with specific debugfs label and many violations to dir search debugfs_binder
|
|
# are observed. Grant domain to suppress the violations as originally "debugfs:dir search"
|
|
# is also allowed to domain as well in Google default domain.te
|
|
allow domain debugfs_binder:dir search;
|
|
|
|
# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
|
|
# as it is a public interface for all processes to read some OTP data.
|
|
#allow domain sysfs_devinfo:file r_file_perms;
|
|
|
|
# Date:20170519
|
|
# Purpose: Full treble bootup issue, coredomain need to access libudf.so where
|
|
# located on /vendor.
|
|
# TODO:: In O MR1 may need to change design
|
|
allow coredomain vendor_file:dir r_dir_perms;
|
|
#allow coredomain vendor_file:file { read open getattr execute };
|
|
allow coredomain vendor_file:lnk_file { getattr read };
|
|
|
|
# Date:20170630
|
|
# Purpose: allow trusted process to connect aee daemon
|
|
allow {
|
|
coredomain
|
|
-untrusted_app_all
|
|
-untrusted_v2_app
|
|
} aee_aed:unix_stream_socket connectto;
|
|
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
|
|
|