/dev/teei_fp is used by fingerprint to communicate with Microtrust TEE drivers to store fingerprint data on the device. Label it and allow the relevant source domains the required permissions. Denial observed without this change: [ 17.672144] .(4)[397:logd.auditd]type=1400 audit(1608975801.860:326): avc: denied { ioctl } for comm="fingerprint@2.1" path="/dev/teei_fp" dev="tmpfs" ino=15742 ioctlcmd=0x5402 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 Test: Boot and notice denials have disappeared Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com> Change-Id: I8a7445400be241e81f8bf21347967b85381ed3ec
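# ==============================================
# MTK Policy Rule
# ==============================================
# Vendor (MTK) policy additions for the system_server domain.
# Lines marked NOTE(review) are reviewer annotations; they do not change
# what the rule next to them grants.

# Access devices.
allow system_server touch_device:chr_file rw_file_perms;
allow system_server stpant_device:chr_file rw_file_perms;
allow system_server devmap_device:chr_file r_file_perms;
allow system_server irtx_device:chr_file rw_file_perms;
allow system_server qemu_pipe_device:chr_file rw_file_perms;
allow system_server wmtWifi_device:chr_file w_file_perms;

# Add for bootprof
allow system_server proc_bootprof:file rw_file_perms;

# /data/core access.
allow system_server aee_core_data_file:dir r_dir_perms;

# /sys/kernel/debug/ion/clients access
# NOTE(review): the target is the generic debugfs type, so this covers every
# directory carrying that label, not only the ion/clients path named above.
# A dedicated type for that path would narrow the grant.
allow system_server debugfs:dir r_dir_perms;

# Perform Binder IPC.
allow system_server zygote:binder impersonate;

# Property service.
allow system_server ctl_bootanim_prop:property_service set;

# For dumpsys.
allow system_server aee_dumpsys_data_file:file w_file_perms;
allow system_server aee_exp_data_file:file w_file_perms;

# Dump native process backtrace.
#allow system_server exec_type:file r_file_perms;

# Querying zygote socket.
allow system_server zygote:unix_stream_socket { getopt getattr };

# Communicate over a socket created by mnld process.

# Allow system_server to read /sys/kernel/debug/wakeup_sources
allow system_server debugfs_wakeup_sources:file r_file_perms;

# Allow system_server to read/write /sys/power/dcm_state
allow system_server sysfs_dcm:file rw_file_perms;

# Date : WK16.36
# Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW
allow system_server log_tag_prop:property_service set;

# Date : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow system_server surfaceflinger:fifo_file rw_file_perms;

# Date : W16.42
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
allow system_server gpu_device:dir search;
allow system_server debugfs_gpu_img:dir search;

# Date : W16.43
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
allow system_server sw_sync_device:chr_file { read write getattr open ioctl };

# Date : WK16.44
# Purpose: Allow to access UART1 ttyMT1
allow system_server ttyMT_device:chr_file rw_file_perms;

# Date : WK17.52
# Purpose: Allow to access UART1 ttyS
allow system_server ttyS_device:chr_file rw_file_perms;

# Date:W16.46
# Operation : thermal hal Feature developing
# Purpose : thermal hal interface permission
allow system_server proc_mtktz:dir search;
allow system_server proc_mtktz:file r_file_perms;

# Date:W17.02
# Operation : audio hal developing
# Purpose : audio hal interface permission
allow system_server mtk_hal_audio:process { getsched setsched };

# Date:W17.07
# Operation : bt hal
# Purpose : bt hal interface permission
binder_call(system_server, mtk_hal_bluetooth)

# Date:W17.08
# Operation : sensors hal developing
# Purpose : sensors hal interface permission
binder_call(system_server, mtk_hal_sensors)

# Operation : light hal developing
# Purpose : light hal interface permission
binder_call(system_server, mtk_hal_light)

# Date:W17.21
# Operation : gnss hal
# Purpose : gnss hal interface permission
hal_client_domain(system_server, hal_gnss)

# Date : W18.01
# Add for turn on SElinux in enforcing mode
# NOTE(review): r_file_perms is the file-class macro; applied to a dir it does
# not include `search`. If directory traversal was intended, r_dir_perms is
# the matching macro. Confirm before changing, since that adds `search`.
allow system_server vendor_framework_file:dir r_file_perms;

# Fix bootup violation
allow system_server vendor_framework_file:file getattr;
allow system_server wifi_prop:file { read getattr open };

# Date:W17.22
# Operation : add aee_aed socket rule
# Purpose : type=1400 audit(0.0:134519): avc: denied { connectto }
# for comm=4572726F722064756D703A20737973
# path=00636F6D2E6D746B2E6165652E6165645F3634
# scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0
# tclass=unix_stream_socket permissive=0
# The hex fields above decode to comm="Error dump: sys" and
# path="\0com.mtk.aee.aed_64" (the leading NUL marks an abstract socket).
allow system_server aee_aed:unix_stream_socket connectto;

# Date: 2017/02/14
# Purpose: allow get telephony Sensitive property
get_prop(system_server, mtk_telephony_sensitive_prop)

# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
# NOTE(review): redundant. debugfs_wakeup_sources:file already gets
# r_file_perms earlier in this file, which includes read, getattr and open.
allow system_server debugfs_wakeup_sources:file { read getattr open };

# Date:W17.26
# Operation : imsa hal
# Purpose : imsa hal interface permission
binder_call(system_server, mtk_hal_imsa)

# Date:W17.28
# Operation : camera hal developing
# Purpose : camera hal binder_call permission
binder_call(system_server, mtk_hal_camera)

# Date:W17.31
# Operation : mpe sensor hidl developing
# Purpose : mpe sensor hidl permission
binder_call(system_server, mnld)

# Date : WK17.32
# Operation : Migration
# Purpose : for network log dumpsys setting/netd information
# audit(0.0:914): avc: denied { write } for path="pipe:[46088]"
# dev="pipefs" ino=46088 scontext=u:r:system_server:s0
# tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1
allow system_server netdiag:fifo_file write;

# Date : WK17.32
# Operation : Migration
# Purpose : for DHCP Client ip recover functionality
# NOTE(review): the `search` rule is redundant; rw_dir_perms on the next line
# already includes it.
allow system_server dhcp_data_file:dir search;
allow system_server dhcp_data_file:dir rw_dir_perms;
allow system_server dhcp_data_file:file create_file_perms;

# Date:W17.35
# Operation : lbs hal
# Purpose : lbs hidl interface permission
hal_client_domain(system_server, mtk_hal_lbs)

# Date : WK17.12
# Operation : MT6799 SQC
# Purpose : Change thermal config
allow system_server mtk_thermal_config_prop:file { getattr open read };


# Date : WK17.43
# Operation : Migration
# Purpose : perfmgr permission
allow system_server mtk_hal_power_hwservice:hwservice_manager find;
allow system_server proc_perfmgr:dir {read search};
allow system_server proc_perfmgr:file {open read ioctl};
# allowxperm narrows the ioctl permission above to the listed commands.
allowxperm system_server proc_perfmgr:file ioctl {
  PERFMGR_FPSGO_QUEUE
  PERFMGR_FPSGO_DEQUEUE
  PERFMGR_FPSGO_QUEUE_CONNECT
  PERFMGR_FPSGO_BQID
};

# Date : W18.22
# Operation : MTK wifi hal migration
# Purpose : MTK wifi hal interface permission
binder_call(system_server, mtk_hal_wifi)

# Date : WK18.33
# Purpose : type=1400 audit(0.0:1592): avc: denied { read }
# for comm=4572726F722064756D703A20646174 name=
# "u:object_r:persist_mtk_aee_prop:s0" dev="tmpfs"
# ino=10312 scontext=u:r:system_server:s0 tcontext=
# u:object_r:persist_mtk_aee_prop:s0 tclass=file permissive=0
# The hex comm above decodes to "Error dump: dat".
get_prop(system_server, persist_mtk_aee_prop)

# Date : W19.15
# Operation : alarm device permission
# Purpose : support power-off alarm
allow system_server alarm_device:chr_file rw_file_perms;

# Date : WK19.7
# Operation: Q migration
# Purpose : Allow system_server to use ioctl/ioctlcmd
allow system_server proc_ged:file rw_file_perms;
allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };

# Date: 2019/06/14
# Operation : Migration
get_prop(system_server, vendor_default_prop)

# Date: 2019/06/14
# Operation : when WFD turning on, turn off hdmi
allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find;
allow system_server mtk_hal_hdmi:binder call;

#Date:2019/10/08
#Operation:Q Migration
allow system_server proc_battery_cmd:dir search;

#Date:2019/10/09
#Operation:Q Migration
get_prop(system_server, debug_mtk_aee_prop)

#Date:2019/10/09
#Operation:Q Migration
get_prop(system_server, debug_bq_dump_prop)
get_prop(system_server, mtk_telecom_vibrate)
allow system_server proc_cmdq_debug:file getattr;
allow system_server proc_freqhop:file getattr;
allow system_server proc_last_kmsg:file r_file_perms;
allow system_server proc_cm_mgr:dir search;
allow system_server proc_isp_p2:dir search;
allow system_server proc_thermal:dir search;
allow system_server proc_atf_log:dir search;
allow system_server proc_cpufreq:dir search;
allow system_server proc_mtkcooler:dir search;
allow system_server proc_ppm:dir search;

# Date : 2019/10/11
# Operation : Q Migration
allow system_server proc_wlan_status:file getattr;

# Date : 2019/10/11
# Operation : Q Migration
allow system_server sysfs_pages_shared:file r_file_perms;
allow system_server sysfs_pages_sharing:file r_file_perms;
allow system_server sysfs_pages_unshared:file r_file_perms;
allow system_server sysfs_pages_volatile:file r_file_perms;

# Date:2019/10/14
# Operation: Q Migration
# Purpose : power_hal_mgr_service may use libmtkperf_client
allow system_server sysfs_boot_mode:file r_file_perms;

# Date : 2019/10/22
# Operation : Q Migration
# NOTE(review): sys_module (CAP_SYS_MODULE) lets the process load and unload
# kernel modules. No purpose or denial is recorded for this grant. Confirm
# system_server really needs it; if the denial is benign, drop the rule or
# use dontaudit instead.
allow system_server self:capability sys_module;

# Date : 2019/10/22
# Operation : Q Migration
# dontaudit grants nothing; it only keeps these denials out of the audit log.
dontaudit system_server sdcardfs:file r_file_perms;

# Date : 2019/10/26
# Operation : Q Migration
allow system_server mtk_hal_camera:process sigkill;
allow system_server kernel:system syslog_read;

# Date : 2019/10/30
# Operation : Q Migration
allow system_server proc_chip:dir search;
allow system_server zygote:process setsched;

# Date : 2019/11/21
# Operation : Q Migration
allow system_server sf_rtt_file:dir rmdir;

# Date : 2019/11/29
# Operation : Q Migration
allow system_server storage_stub_file:dir getattr;

# teei_fp_device is presumably the label given to /dev/teei_fp, the node the
# fingerprint stack uses to reach the Microtrust TEE driver.
# NOTE(review): the denial quoted with this change has
# scontext=hal_fingerprint_default, not system_server. Confirm system_server
# itself needs rw access to this node; otherwise keep the grant in the
# fingerprint HAL's policy only.
allow system_server teei_fp_device:chr_file rw_file_perms;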