NekoSakura/android_device_mediatek_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
android_device_mediatek_sep.../plat_private/emdlogger.te
Light Hsieh f798441035 [ALPS03957630] Selinux: rules for meta_clr_emmc and mke2fs 
[Detail]
Because Android P impose so many restrictions, it is difficult for
meta mode or factory mode to format partitions. A new design is
adopted as follows:
1. Meta mode or factory mode write all 0 to first 4KB of target
   partition.
2. When entering kernel booting, the partition mount process in the
   original init flow find that XXX partition is wiped and automatically
   format XXX partition.
In step-1 described above, selinux rules shall be added for meta_tst or
  factory.
In step-2 described above, selinux rules shall be added for mke2fs.

MTK-Commit-Id: 7e9bbd418ca6353ba89ecffdc016c78504583bf3

Change-Id: I3dd869c57107b0ebebf3134f69c50744df8f8ff9
CR-Id: ALPS03957630
Feature: SP META Tool
2020-01-18 10:00:04 +08:00

79 lines
3.0 KiB
Plaintext
Executable File
Raw Blame History

# ==============================================
# MTK Policy Rule
# ==============================================
# New added for move to /system
type emdlogger_exec , exec_type, file_type;
typeattribute emdlogger coredomain;
init_daemon_domain(emdlogger)
binder_use(emdlogger)
binder_service(emdlogger)
# for modem logging sdcard access
allow emdlogger sdcard_type:dir { create_dir_perms };
allow emdlogger sdcard_type:file { create_file_perms };
# modem logger socket access
allow emdlogger property_socket:sock_file write;
allow emdlogger init:unix_stream_socket connectto;
allow emdlogger platform_app:unix_stream_socket connectto;
allow emdlogger shell_exec:file { rx_file_perms };
allow emdlogger system_file:file execute_no_trans;
allow emdlogger zygote_exec:file { rx_file_perms };
#modem logger SD logging in factory mode
allow emdlogger vfat:dir create_dir_perms;
allow emdlogger vfat:file create_file_perms;
#modem logger permission in storage in android M version
#allow emdlogger log_device:chr_file { write open };
allow emdlogger mnt_user_file:dir search;
allow emdlogger mnt_user_file:lnk_file read;
allow emdlogger storage_file:lnk_file read;
#permission for storage link access in vzw Project
allow emdlogger mnt_media_rw_file:dir search;
#permission for use SELinux API
#avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs"
allow emdlogger rootfs:file r_file_perms;
#permission for storage access storage
allow emdlogger storage_file:dir { create_dir_perms };
allow emdlogger tmpfs:lnk_file read;
allow emdlogger storage_file:file { create_file_perms };
#permission for read boot mode
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
#allow emdlogger sysfs:file { read open };
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
allow emdlogger system_file:dir read;
# permission for android N policy
allow emdlogger toolbox_exec:file rx_file_perms;
# purpose: allow emdlogger to access storage in N version
allow emdlogger media_rw_data_file:file { create_file_perms };
allow emdlogger media_rw_data_file:dir { create_dir_perms };
## purpose: avc: denied { read } for name="plat_file_contexts"
allow emdlogger file_contexts_file:file { read getattr open };
## Android P migration
## purpose: denied { read } for name="cmdline" dev="proc"
#denied { search } for name="android" dev="sysfs"
#for name="compatible" dev="sysfs" ino=2985 scontext=u
#:r:emdlogger:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0
#avc: denied { open } for path="/system/etc/mddb"
#avc: denied { read } for name="u:object_r:vendor_default_prop:s0"
allow emdlogger proc_cmdline:file { read getattr open };
allow emdlogger sysfs_dt_firmware_android:dir search;
allow emdlogger sysfs_dt_firmware_android:file { read open getattr };
allow emdlogger system_file:dir open;
allow emdlogger vendor_default_prop:file { read getattr open };
Reference in New Issue View Git Blame Copy Permalink