Light Hsieh f798441035 [ALPS03957630] Selinux: rules for meta_clr_emmc and mke2fs
[Detail]
Because Android P imposes so many restrictions, it is difficult for
meta mode or factory mode to format partitions. A new design is
adopted as follows:
1. Meta mode or factory mode writes all zeros to the first 4KB of the
   target partition.
2. During kernel boot, the partition mount process in the original
   init flow finds that partition XXX is wiped and automatically
   formats it.
For step 1 described above, SELinux rules shall be added for meta_tst or
  factory.
For step 2 described above, SELinux rules shall be added for mke2fs.

MTK-Commit-Id: 7e9bbd418ca6353ba89ecffdc016c78504583bf3

Change-Id: I3dd869c57107b0ebebf3134f69c50744df8f8ff9
CR-Id: ALPS03957630
Feature: SP META Tool
2020-01-18 10:00:04 +08:00


# ==============================================
# Policy File of /system/bin/factory Executable File
# ==============================================
# Type Declaration
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
# NOTE(review): the header above names /system/bin/factory, but factory_exec
# below carries vendor_file_type. Confirm the real install path and label
# against file_contexts.
#file_type_auto_trans(factory, system_data_file, factory_data_file)
# Process domain that every allow rule in this file uses as its source.
type factory, domain;
# Label for the executable that enters the factory domain.
type factory_exec, exec_type, file_type, vendor_file_type;
# Lets init launch factory_exec and transition the process into factory.
init_daemon_domain(factory)
#============= factory ==============
# Character-device access used by the factory test binary.
allow factory MTK_SMI_device:chr_file r_file_perms;
# NOTE(review): execute on ashmem_device permits executable mappings of
# ashmem regions. Together with the self:process execmem rule further down
# in this file it weakens W^X for the domain. No purpose is recorded here;
# confirm which test needs it.
allow factory ashmem_device:chr_file execute;
allow factory ebc_device:chr_file rw_file_perms;
allow factory stpbt_device:chr_file rw_file_perms;
# Date: WK14.47
# Operation : Migration
# Purpose : CCCI
allow factory eemcs_device:chr_file rw_file_perms;
allow factory ccci_device:chr_file rw_file_perms;
allow factory gsm0710muxd_device:chr_file rw_file_perms;
#Purpose: file system requirement
# NOTE(review): debugfs access is normally kept to debug builds. Confirm
# the two debugfs_usb rules are required on user builds.
allow factory debugfs_usb:file rw_file_perms;
allow factory debugfs_usb:dir search;
allow factory devpts:chr_file rw_file_perms;
allow factory vfat:dir w_dir_perms;
# NOTE(review): the next four rules are mount-related. They let the domain
# unmount labeled filesystems, use rootfs and vfat directories as mount
# points, and mount or unmount vfat. The kernel also requires sys_admin for
# these operations, which a later rule in this file grants.
allow factory labeledfs:filesystem unmount;
allow factory rootfs:dir mounton;
allow factory vfat:dir { read open search mounton };
allow factory vfat:filesystem { mount unmount };
# Purpose : SDIO
allow factory ttySDIO_device:chr_file rw_file_perms;
#Purpose: USB
# Read-write access to three tty device labels.
allow factory ttyMT_device:chr_file rw_file_perms;
allow factory ttyS_device:chr_file rw_file_perms;
allow factory ttyGS_device:chr_file rw_file_perms;
# Date: WK15.01
# Purpose : OTG Mount
# Allows sdcard_type directories to be used as mount points.
allow factory sdcard_type:dir mounton;
# Date: WK15.07
# Purpose : use c2k flight mode;
allow factory vmodem_device:chr_file rw_file_perms;
# Date: WK15.13
# Purpose: for nand project
allow factory mtd_device:dir search;
# NOTE(review): read-write access to raw MTD nodes is not mediated by any
# file-level label on the flash contents.
allow factory mtd_device:chr_file rw_file_perms;
# NOTE(review): sys_resource lets the process exceed resource limits and use
# reserved filesystem space. The purpose comment above does not explain why
# the nand path needs it; confirm before keeping.
allow factory self:capability sys_resource;
allow factory pro_info_device:chr_file rw_file_perms;
# Date: WK15.28
# Purpose: for mt-ramdump reset
# Write-only access to the proc_mrdump_rst node.
allow factory proc_mrdump_rst:file w_file_perms;
#Date: WK15.31
#Purpose: define factory_data_file instead of system_data_file
# because system_data_file is sensitive partition from M
#allow factory self:capability2 block_suspend;
# Grants wake lock use through the standard macro instead of the raw
# block_suspend capability that is commented out above.
wakelock_use(factory);
# Lets factory create entries under storage_file directories and mount on them.
allow factory storage_file:dir { write create add_name search mounton };
#allow factory factory_data_file:file create_file_perms;
#allow factory shell_exec:file r_file_perms;
# Date: WK15.44
# Purpose: factory idle current status
# NOTE(review): system_writes_vendor_properties_violators is an exemption
# attribute for the rule that system domains must not write vendor
# properties. It sits oddly next to vendor_file_type on factory_exec;
# confirm which partition the binary ships on and drop the attribute if the
# exemption is not needed.
typeattribute factory system_writes_vendor_properties_violators;
allow factory vendor_factory_idle_state_prop:property_service set;
# Date: WK15.46
# Purpose: gps factory mode
allow factory agpsd_data_file:dir search;
#allow factory apk_data_file:dir write;
#allow factory gps_data_file:dir r_dir_perms;
#allow factory gps_data_file:dir { write open };
#allow factory gps_data_file:file { read write };
# The active rules below are broader than the commented-out ones above:
# factory may create, modify, and delete files in gps_data_file directories.
allow factory gps_data_file:dir { write add_name search remove_name unlink};
allow factory gps_data_file:file { read write open create getattr append setattr unlink lock};
allow factory gps_data_file:lnk_file read;
# allow factory gps_emi_device:chr_file { read write };
#allow factory shell_exec:file x_file_perms;
allow factory storage_file:lnk_file r_file_perms;
#Date: WK15.48
#Purpose: capture for factory mode
allow factory devmap_device:chr_file r_file_perms;
# Full create/modify/delete rights on sdcard_type directories and files.
allow factory sdcard_type:dir create_dir_perms;
allow factory sdcard_type:file create_file_perms;
allow factory mnt_user_file:dir search;
allow factory mnt_user_file:lnk_file read;
# NOTE(review): redundant. The earlier storage_file:lnk_file r_file_perms
# rule in this file already covers read.
allow factory storage_file:lnk_file read;
#Date: WK16.05
#Purpose: For access NVRAM
# NOTE(review): source and target are both factory, so this is the same
# grant as self:capability chown. Other rules in this file spell it with
# self; prefer that form for consistency.
allow factory factory:capability chown;
allow factory nvram_data_file:dir create_dir_perms;
allow factory nvram_data_file:file create_file_perms;
allow factory nvram_data_file:lnk_file r_file_perms;
allow factory nvdata_file:lnk_file r_file_perms;
allow factory nvram_device:chr_file rw_file_perms;
# NOTE(review): raw read-write access to the nvram and nvdata block nodes.
# Writes at this level are not checked against the labels of files stored
# on those partitions.
allow factory nvram_device:blk_file rw_file_perms;
allow factory nvdata_device:blk_file rw_file_perms;
# Purpose : Allow factory read /data/nvram link
#allow factory system_data_file:lnk_file read;
#Date: WK16.12
#Purpose: For sensor test
# Sensor nodes are granted read-only.
allow factory als_ps_device:chr_file r_file_perms;
allow factory barometer_device:chr_file r_file_perms;
allow factory gsensor_device:chr_file r_file_perms;
allow factory gyroscope_device:chr_file r_file_perms;
allow factory msensor_device:chr_file r_file_perms;
allow factory biometric_device:chr_file r_file_perms;
#Purpose: For camera Test
allow factory kd_camera_flashlight_device:chr_file rw_file_perms;
allow factory kd_camera_hw_device:chr_file rw_file_perms;
allow factory seninf_device:chr_file rw_file_perms;
#Purpose: For reboot the target
# Setting powerctl_prop is how a process asks init to reboot or shut down.
allow factory powerctl_prop:property_service set;
#Purpose: For memory card test
allow factory misc_sd_device:chr_file r_file_perms;
# NOTE(review): the blk_file rules below give raw read-write access to
# block nodes. bootdevice_block_device presumably labels nodes of the
# internal boot storage rather than the removable card; verify the label
# scope, since the purpose given is only a memory card test.
allow factory mmcblk1_block_device:blk_file rw_file_perms;
allow factory bootdevice_block_device:blk_file rw_file_perms;
allow factory mmcblk1p1_block_device:blk_file rw_file_perms;
# NOTE(review): w_dir_perms on block_device:dir allows adding and removing
# entries in the directory that holds the block nodes.
allow factory block_device:dir w_dir_perms;
#Purpose: For EMMC test
allow factory nvdata_file:dir create_dir_perms;
allow factory nvdata_file:file create_file_perms;
#Purpose: For HRM test
allow factory hrm_device:chr_file r_file_perms;
#Purpose: For IrTx LED test
allow factory irtx_device:chr_file rw_file_perms;
#Purpose: For battery test, ext_buck test and ext_vbat_boost test
allow factory pmic_ftm_device:chr_file rw_file_perms;
allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms;
allow factory MT_pmic_cali_device:chr_file r_file_perms;
allow factory charger_ftm_device:chr_file r_file_perms;
#Purpose: For HDMI test
# Allows adding and removing entries under graphics_device directories as
# well as read-write access to the device nodes.
allow factory graphics_device:dir w_dir_perms;
allow factory graphics_device:chr_file rw_file_perms;
#Purpose: For WIFI test
allow factory wmtWifi_device:chr_file rw_file_perms;
#Purpose: For rtc test
allow factory rtc_device:chr_file rw_file_perms;
#Purpose: For nfc test
# NOTE(review): rwx_file_perms adds execute on a character device. Every
# other device rule in this section stops at rw_file_perms; confirm the NFC
# test needs executable mappings of this node, otherwise reduce to rw.
allow factory mt6605_device:chr_file rwx_file_perms;
#Purpose: For gps test
allow factory mnld_device:chr_file rw_file_perms;
#Purpose: For keypad test
allow factory mtk_kpd_device:chr_file r_file_perms;
#Purpose: For Humidity test
allow factory humidity_device:chr_file r_file_perms;
#Purpose: For camera test
# Camera pipeline, co-processor, and autofocus driver nodes. Most are
# read-write; pipemgr and sysram are read-only.
allow factory camera_isp_device:chr_file rw_file_perms;
allow factory camera_dip_device:chr_file rw_file_perms;
allow factory camera_pipemgr_device:chr_file r_file_perms;
allow factory camera_sysram_device:chr_file r_file_perms;
allow factory ccu_device:chr_file rw_file_perms;
allow factory vpu_device:chr_file rw_file_perms;
allow factory MAINAF_device:chr_file rw_file_perms;
allow factory MAIN2AF_device:chr_file rw_file_perms;
allow factory SUBAF_device:chr_file rw_file_perms;
allow factory FM50AF_device:chr_file rw_file_perms;
allow factory AD5820AF_device:chr_file rw_file_perms;
allow factory DW9714AF_device:chr_file rw_file_perms;
allow factory DW9714A_device:chr_file rw_file_perms;
allow factory LC898122AF_device:chr_file rw_file_perms;
allow factory LC898212AF_device:chr_file rw_file_perms;
allow factory BU6429AF_device:chr_file rw_file_perms;
allow factory DW9718AF_device:chr_file rw_file_perms;
allow factory BU64745GWZAF_device:chr_file rw_file_perms;
allow factory cct_data_file:dir create_dir_perms;
allow factory cct_data_file:file create_file_perms;
allow factory camera_tsf_device:chr_file rw_file_perms;
allow factory camera_rsc_device:chr_file rw_file_perms;
allow factory camera_gepf_device:chr_file rw_file_perms;
allow factory camera_fdvt_device:chr_file rw_file_perms;
allow factory camera_wpe_device:chr_file rw_file_perms;
allow factory camera_owe_device:chr_file rw_file_perms;
allow factory camera_mfb_device:chr_file rw_file_perms;
#Purpose: For FM test and headset test
allow factory accdet_device:chr_file r_file_perms;
allow factory fm_device:chr_file rw_file_perms;
#Purpose: For audio test
allow factory audio_device:chr_file rw_file_perms;
allow factory audio_device:dir w_dir_perms;
# The same audiohal_prop rule appears again in the audio device section
# near the end of this file.
allow factory audiohal_prop:property_service set;
#Purpose: For key and touch event
# Input event nodes are read-only for factory.
allow factory input_device:chr_file r_file_perms;
allow factory input_device:dir rw_dir_perms;
#Purpose: For gps test
#allow factory gps_device:chr_file rw_file_perms;
# Date: WK16.17
# Purpose: N Migration For ccci sysfs node
# Allow read to sys/kernel/ccci/* files
allow factory sysfs_ccci:dir search;
allow factory sysfs_ccci:file r_file_perms;
# Date: WK16.18
# Purpose: N Migration For boot_mode
# Allow to read boot mode
# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
# tclass=file permissive=0
# The denial above was against the generic sysfs label; the rules use the
# dedicated sysfs_boot_mode and sysfs_boot_type labels and grant read only.
allow factory sysfs_boot_mode:file { read open };
allow factory sysfs_boot_type:file { read open };
# Date: WK16.30
#Purpose: For gps test
#allow factory media_rw_data_file:dir search;
#allow factory gps_data_file:dir add_name;
#TODO:: MTK need to remove later
# The rule inside not_full_treble is only built for non-Treble targets. It
# lets factory send datagrams to a unix socket owned by the mnld domain.
not_full_treble(`
allow factory mnld:unix_dgram_socket sendto;
')
# Date: WK16.31
#Purpose: For gps test
allow factory mnld_prop:property_service set;
#allow factory media_rw_data_file:dir { read open };
#allow factory gps_data_file:file create_file_perms;
# Date: WK16.33
#Purpose: for unmount sdcardfs and stop services which are using data partition
allow factory sdcard_type:filesystem unmount;
#allow factory toolbox_exec:file { read open getattr execute execute_no_trans };
# NOTE(review): ctl_default_prop is, as far as AOSP conventions go, the
# fallback label for init control properties. If that holds here, this
# rule lets factory start or stop every init service that has no dedicated
# ctl label. Prefer per-service ctl labels such as the emdlogger one below.
allow factory ctl_default_prop:property_service set;
# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
allow factory flashlight_device:chr_file rw_file_perms;
# Date: WK15.25
#Purpose: for unmount sdcardfs and stop services which are using data partition
# Service-specific control property, narrower than ctl_default_prop.
allow factory ctl_emdlogger1_prop:property_service set;
# Date: WK17.07
# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs
allow factory tmpfs:filesystem unmount;
# NOTE(review): this targets the generic sysfs label, so directory listing
# is allowed for every sysfs directory without a dedicated type.
allow factory sysfs:dir { read open };
allow factory sysfs_leds:dir search;
allow factory sysfs_leds:lnk_file read;
# A broader rw_file_perms rule for sysfs_vibrator files appears later in
# this file and covers these three permissions.
allow factory sysfs_vibrator:file {open read write};
allow factory ion_device:chr_file { read open ioctl };
# NOTE(review): debugfs access; confirm it is needed on user builds.
allow factory debugfs_ion:dir search;
#allow factory proc:file ioctl;
# Date: WK17.27
# Purpose: STMicro NFC solution integration
allow factory st21nfc_device:chr_file { open read getattr write ioctl };
#allow factory nfc_socket:dir search;
#allow factory vendor_file:file { getattr execute execute_no_trans read open };
# NOTE(review): set_prop gives factory write access to
# hwservicemanager_prop. A HAL client normally only needs to read that
# property; confirm write access is intended.
set_prop(factory,hwservicemanager_prop);
# Standard macros: allow hwbinder use and act as a client of the NFC HAL.
hwbinder_use(factory);
hal_client_domain(factory, hal_nfc);
#allow factory debugfs_tracing:file { open write };
# Date : WK17.32
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow factory mtk_cmdq_device:chr_file { read ioctl open };
# Date: WK1733
# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
# Service-specific control property for ccci_fsd.
set_prop(factory,ctl_ccci_fsd_prop);
# Date : WK17.38
# Operation : O Migration
# Purpose: Allow to access sysfs
# Note that the file rule includes write, not only read.
allow factory sysfs_therm:dir search;
allow factory sysfs_therm:file {open read write};
#Date: W18.22
# Purpose: P Migration for factory get com port type and uart port info
# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
#avc: denied { read } for pid=203 comm="factory" name="meta_com_type_info" dev=
#"sysfs" ino=11073 scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
# NOTE(review): the logged denial is for read only, while the rules grant
# rw_file_perms. Confirm that write is required.
allow factory sysfs_comport_type:file rw_file_perms;
allow factory sysfs_uart_info:file rw_file_perms;
# from private
# NOTE(review): this section carries no date or purpose comments, unlike
# the rest of the file, and contains several of its broadest grants. Each
# rule below should get a recorded justification.
# Property-setting plumbing: write to the property socket and connect to init.
allow factory property_socket:sock_file write;
allow factory init:unix_stream_socket connectto;
# module_request lets operations by this domain trigger kernel module
# auto-loading.
allow factory kernel:system module_request;
# NOTE(review): node and port are the generic network labels. With the
# node_bind, name_bind and name_connect grants the domain can listen on and
# connect to any TCP port that has no dedicated label. Confirm the binary
# only runs in factory or meta boot modes.
allow factory node:tcp_socket node_bind;
# NOTE(review): raw read-write access to the userdata block node is not
# checked against the labels of files stored on that partition.
allow factory userdata_block_device:blk_file rw_file_perms;
allow factory port:tcp_socket { name_bind name_connect };
#allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time sys_boot sys_admin };
allow factory sdcard_type:dir r_dir_perms;
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow factory self:netlink_route_socket create_socket_perms;
# NOTE(review): nlmsg_write permits route and interface change requests.
# The kernel also requires net_admin for those, and net_admin appears only
# in the commented-out capability rule above, so the write permission may
# be unused. Confirm and trim if so.
allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
allow factory proc_net:file { read getattr open };
# NOTE(review): priv_sock_ioctls is the privileged socket ioctl set. The
# TBD comment above refers to a neverallowxperm in domain.te; confirm these
# two allowxperm rules pass the neverallow checks.
allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};
# NOTE(review): execmem allows anonymous executable memory in the process.
# See also the execute grant on ashmem_device near the top of this file.
allow factory self:process execmem;
allow factory self:tcp_socket create_stream_socket_perms;
allow factory self:udp_socket create_socket_perms;
allow factory sysfs_wake_lock:file rw_file_perms;
##allow factory system_data_file:dir w_dir_perms;
##allow factory system_data_file:sock_file create_file_perms;
# NOTE(review): x_file_perms includes execute_no_trans, so system_file
# binaries run inside the factory domain with every permission granted in
# this file.
allow factory system_file:file x_file_perms;
# For Light HIDL permission
# Look up the light HAL service and make binder calls into its server domains.
allow factory hal_light_hwservice:hwservice_manager find;
allow factory mtk_hal_light:binder call;
allow factory merged_hal_service:binder call;
# For vibrator test permission
# This rw_file_perms rule covers the narrower open/read/write rule for
# sysfs_vibrator files that appears earlier in this file.
allow factory sysfs_vibrator:file rw_file_perms;
allow factory sysfs_vibrator:dir search;
# For Audio device permission
allow factory proc_asound:dir { read search open };
allow factory proc_asound:file { read open getattr write };
allow factory mtk_audiohal_data_file:dir { read search open };
# NOTE(review): exact duplicate of the audiohal_prop rule in the audio test
# section earlier in this file.
allow factory audiohal_prop:property_service set;
# For Accdet data permission
# NOTE(review): this targets the generic sysfs label, so it allows reading
# every sysfs file without a dedicated type, not only the accdet node. A
# dedicated label for that node would let this rule be narrowed.
allow factory sysfs:file { read open };
# For touch auto test
allow factory sysfs_tpd_setting:dir search;
allow factory sysfs_tpd_setting:file { read getattr open };
# Date : WK18.23
# Operation: P migration
# Purpose : Allow factory to unmount partition, stop service, and then erase partition
# NOTE(review): execute_no_trans runs the vendor shell and toolbox inside
# the factory domain, so any command they run has every permission granted
# in this file, including raw block device writes and sys_admin. A
# dedicated helper domain with only the erase-related permissions would
# limit that.
allow factory vendor_shell_exec:file { read execute open execute_no_trans };
allow factory vendor_toolbox_exec:file { execute_no_trans };
# NOTE(review): duplicate of the labeledfs unmount rule in the file system
# requirement section near the top of this file.
allow factory labeledfs:filesystem { unmount };
allow factory proc_cmdline:file { read open getattr };
# NOTE(review): sys_admin is a very broad capability and is what makes the
# mount and unmount rules in this file effective; sys_boot allows reboot.
# Source and target are both factory, which is the same grant as
# self:capability; other rules in this file use the self form.
allow factory factory:capability { sys_boot sys_admin};
allow factory sysfs_dt_firmware_android:file { read open getattr };
allow factory sysfs_dt_firmware_android:dir { read open search };