b46f5159b8
[Detail] 1.Google neverallow to modify the /proc and /sys folder 2.vendor & system process can not access each file [Solution] 1.Change the type of sysfs_file to common file 2.Mark the rules which violate the neverallow rules MTK-Commit-Id: 326790e7af9c782f3dace5c667b4b07860370933 Change-Id: Ifa61d2561078d3b6cde612806607d35d6cfdc4d6 CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
76 lines
3.5 KiB
Plaintext
76 lines
3.5 KiB
Plaintext
# ==============================================================================
|
|
# Type Declaration
|
|
# ==============================================================================
|
|
type merged_hal_service, domain;
|
|
#type merged_hal_service, domain;
|
|
type merged_hal_service_exec, exec_type, file_type, vendor_file_type;
|
|
|
|
init_daemon_domain(merged_hal_service)
|
|
|
|
hwbinder_use(merged_hal_service)
|
|
hal_server_domain(merged_hal_service, hal_vibrator)
|
|
hal_server_domain(merged_hal_service, hal_light)
|
|
hal_server_domain(merged_hal_service, hal_power)
|
|
hal_server_domain(merged_hal_service, hal_thermal)
|
|
hal_server_domain(merged_hal_service, hal_memtrack)
|
|
|
|
#adjust light brightness
|
|
allow merged_hal_service sysfs:file write;
|
|
|
|
#mtk libs_hidl_service permissions
|
|
hal_server_domain(merged_hal_service, mtk_hal_lbs)
|
|
vndbinder_use(merged_hal_service)
|
|
r_dir_file(merged_hal_service, system_file)
|
|
unix_socket_connect(merged_hal_service, agpsd, mtk_agpsd);
|
|
allow merged_hal_service mtk_agpsd:unix_dgram_socket sendto;
|
|
|
|
#mtk_gnss permissions
|
|
hal_server_domain(merged_hal_service, hal_gnss);
|
|
allow merged_hal_service mnld_data_file:sock_file create_file_perms;
|
|
allow merged_hal_service mnld_data_file:sock_file rw_file_perms;
|
|
allow merged_hal_service mnld_data_file:dir create_file_perms;
|
|
allow merged_hal_service mnld_data_file:dir rw_dir_perms;
|
|
allow merged_hal_service mnld:unix_dgram_socket sendto;
|
|
|
|
#graphics allocator permissions
|
|
hal_server_domain(merged_hal_service, hal_graphics_allocator)
|
|
allow merged_hal_service gpu_device:dir search;
|
|
allow merged_hal_service sw_sync_device:chr_file { open read write getattr ioctl };
|
|
allow merged_hal_service debugfs_ion:dir search;
|
|
allow merged_hal_service debugfs_tracing:file write;
|
|
allow merged_hal_service debugfs_tracing:file open;
|
|
|
|
#for ape hidl permissions
|
|
hal_server_domain(merged_hal_service,hal_mtkcodecservice)
|
|
allow merged_hal_service hidl_allocator_hwservice:hwservice_manager find;
|
|
allow merged_hal_service hidl_memory_hwservice:hwservice_manager find;
|
|
hal_client_domain(merged_hal_service, hal_allocator)
|
|
|
|
#for default drm permissions
|
|
hal_server_domain(merged_hal_service, hal_drm)
|
|
allow merged_hal_service mediacodec:fd use;
|
|
allow merged_hal_service { appdomain -isolated_app }:fd use;
|
|
allow merged_hal_service debugfs_tracing:file write;
|
|
|
|
#power permissions
|
|
allow merged_hal_service proc:dir {search getattr};
|
|
allow merged_hal_service proc:file {getattr open read write ioctl};
|
|
allow merged_hal_service debugfs_ged:dir search;
|
|
allow merged_hal_service debugfs_ged:file { getattr open read write };
|
|
allow merged_hal_service debugfs_fpsgo:dir search;
|
|
allow merged_hal_service debugfs_fpsgo:file { getattr open write read };
|
|
#allow merged_hal_service system_data_file:dir { create write add_name };
|
|
allow merged_hal_service proc_thermal:file { write open };
|
|
allow merged_hal_service proc_thermal:dir search;
|
|
allow merged_hal_service sysfs:file {open write read};
|
|
allow merged_hal_service proc_perfmgr:dir search;
|
|
allow merged_hal_service proc_perfmgr:file { getattr open read write ioctl };
|
|
allow merged_hal_service sdcard_type:dir create_dir_perms;
|
|
allow merged_hal_service sdcard_type:file create_file_perms;
|
|
allow merged_hal_service eemcs_device:chr_file rw_file_perms;
|
|
allow merged_hal_service mnt_user_file:dir create_dir_perms;
|
|
|
|
allow merged_hal_service mtk_powerhal_data_file:dir {create_dir_perms rw_dir_perms};
|
|
allow merged_hal_service mtk_powerhal_data_file:file {create_file_perms rw_file_perms};
|
|
allow merged_hal_service mtk_powerhal_data_file:sock_file {create_file_perms rw_file_perms};
|