| author | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-01-10 16:22:03 +0800 |
|---|---|---|
| committer | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-01-10 17:40:44 +0800 |
| commit | 86296cf74da59aa881bb2ae8ad868195b67079d5 (patch) | |
| tree | 74f3d7b383742c40b0869b9702ceabd94f227258 | |
| parent | 053b034ad55c86133fa7d13d4d65016e2e4bd480 (diff) | |
[ALPS04967419] SEPolicy: Add neverallow rule for sysfs
[Detail]
Do not allow access to the generic sysfs label. This is too broad.
Instead, if access to part of sysfs is desired, it should have a
more specific label.
TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations.
EX.
allow hal_usb sysfs:file write;
hal_server_domain(mtk_hal_usb, hal_usb)
r_dir_file(hal_wifi, sysfs_type)
hal_server_domain(mtk_hal_wifi, hal_wifi)
[Solution]
1.Add neverallow rule for sysfs.
2.Remove the conflicting SEPolicies.
Change-Id: I304a1a87b23623e320ff7346da9d10a09264152b
CR-Id: ALPS04967419
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
39 files changed, 198 insertions, 86 deletions
diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te index 864d5dd..29ae395 100644 --- a/non_plat/aee_aedv.te +++ b/non_plat/aee_aedv.te @@ -275,7 +275,6 @@ allow aee_aedv debugfs_dynamic_debug:file r_file_perms; # [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read } # for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0 # tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 -allow aee_aedv sysfs:file r_file_perms; allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms; # Purpose: Allow aee_aedv to use HwBinder IPC. diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te index c3a4c81..3440cb0 100644 --- a/non_plat/atci_service.te +++ b/non_plat/atci_service.te @@ -38,7 +38,6 @@ allow atci_service devmap_device:chr_file { open read write ioctl }; allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr }; allow atci_service sdcard_type:file { setattr read create write getattr unlink open append }; allow atci_service mediaserver:binder call; -#allow atci_service sysfs:file write; #allow atci_service system_server:unix_stream_socket { read write }; allow atci_service self:capability sys_boot; diff --git a/non_plat/ccci_fsd.te b/non_plat/ccci_fsd.te index 4f5e6a6..1adab51 100644 --- a/non_plat/ccci_fsd.te +++ b/non_plat/ccci_fsd.te @@ -41,7 +41,6 @@ allow ccci_fsd c2k_file:dir create_dir_perms; allow ccci_fsd c2k_file:file create_file_perms; allow ccci_fsd otp_part_block_device:blk_file rw_file_perms; allow ccci_fsd otp_device:chr_file rw_file_perms; -allow ccci_fsd sysfs:file r_file_perms; allow ccci_fsd sysfs_boot_type:file { read open }; #============= ccci_fsd MD block data============== ##restore>NVM_GetDeviceInfo>open /dev/block/platform/bootdevice/by-name/nvram diff --git a/non_plat/ccci_mdinit.te b/non_plat/ccci_mdinit.te index eb1e6ef..dcbfa79 100644 --- a/non_plat/ccci_mdinit.te +++ b/non_plat/ccci_mdinit.te 
@@ -96,7 +96,6 @@ allow ccci_mdinit sysfs_ccci:dir search; allow ccci_mdinit sysfs_ccci:file rw_file_perms; allow ccci_mdinit sysfs_ssw:dir search; allow ccci_mdinit sysfs_ssw:file r_file_perms; -allow ccci_mdinit sysfs:file r_file_perms; allow ccci_mdinit sysfs_boot_mode:file { read open }; # Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof diff --git a/non_plat/domain.te b/non_plat/domain.te index 13111b9..6380a6d 100644 --- a/non_plat/domain.te +++ b/non_plat/domain.te 
@@ -30,3 +30,68 @@ allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_ allow { domain -coredomain -hal_configstore_server -vendor_init } aee_exp_vendor_file:file w_file_perms; allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:fd use; + +# Do not allow access to the generic sysfs label. This is too broad. +# Instead, if access to part of sysfs is desired, it should have a +# more specific label. +# TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations. +# allow hal_usb sysfs:file write; +# hal_server_domain(mtk_hal_usb, hal_usb) +# +# r_dir_file(hal_wifi, sysfs_type) +# hal_server_domain(mtk_hal_wifi, hal_wifi) +full_treble_only(` + neverallow ~{ + init + merged_hal_service + mtk_hal_bluetooth + mtk_hal_power + mtk_hal_usb + mtk_hal_wifi + hal_bluetooth_btlinux + hal_bluetooth_default + hal_drm_clearkey + hal_drm_default + hal_drm_widevine + hal_fingerprint_default + hal_radio_config_default + hal_radio_default + hal_usb_default + hal_wifi_default + hal_wifi_supplicant_default + rild + tee + ueventd + vendor_init + vold + } sysfs:file *; + + neverallow { + merged_hal_service + mtk_hal_bluetooth + mtk_hal_power + mtk_hal_wifi + hal_bluetooth_btlinux + hal_bluetooth_default + hal_drm_clearkey + hal_drm_default + hal_drm_widevine + hal_fingerprint_default + hal_radio_config_default + hal_radio_default + hal_wifi_default + hal_wifi_supplicant_default + rild + tee + } sysfs:file ~r_file_perms; + + neverallow { + hal_usb_default + init + mtk_hal_usb + ueventd + vendor_init + vold + } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto }; +') + diff --git a/non_plat/factory.te b/non_plat/factory.te index aed32e7..065e5a8 100644 --- a/non_plat/factory.te +++ b/non_plat/factory.te 
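Review bot: The exemption set in the first rule (`neverallow ~{ ... } sysfs:file *;`) has to stay equal to the union of the two lists that follow, and nothing in the hunk says so. Today the 22 exempted domains split into 16 limited to `r_file_perms` and 6 limited to read plus `write setattr append relabelfrom relabelto`, so the three rules agree. A domain later added only to the first list would have no bound on generic `sysfs:file` at all. I would add a comment above the block such as `# Every domain exempted in the first rule must also appear in exactly one of the two lists below.` and note beside each exempted domain which allow rule or macro still needs the exemption, so the TODO can be worked off entry by entry. The whole block sits inside `full_treble_only`, so it presumably does not constrain non-Treble builds; that is worth stating in the comment as well.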
@@ -338,7 +338,6 @@ allow factory proc_asound:file { read open getattr write }; allow factory audiohal_prop:property_service set; # For Accdet data permission -allow factory sysfs:file { read open }; allow factory sysfs_headset:file { read open }; # For touch auto test diff --git a/non_plat/fuelgauged_nvram.te b/non_plat/fuelgauged_nvram.te index 1bf2585..96862d9 100644 --- a/non_plat/fuelgauged_nvram.te +++ b/non_plat/fuelgauged_nvram.te @@ -1,5 +1,5 @@ # ============================================== -# Policy File of /system/bin/fuelgauged_nvram Executable File +# Policy File of /system/bin/fuelgauged_nvram Executable File # ============================================== # Type Declaration @@ -48,8 +48,7 @@ allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms; # Date: W18.03 # Operation : change fuelgagued_nvram access from cache to nvcfg # Purpose : add fuelgauged to nvcfg read write permit -# need add label -allow fuelgauged_nvram sysfs:file { read open }; +# need add label allow fuelgauged_nvram nvcfg_file:dir { search write open read add_name create getattr}; allow fuelgauged_nvram nvcfg_file:file { read write getattr open create }; diff --git a/non_plat/gsm0710muxd.te b/non_plat/gsm0710muxd.te index 8dbc795..2596e18 100644 --- a/non_plat/gsm0710muxd.te +++ b/non_plat/gsm0710muxd.te @@ -31,7 +31,6 @@ allow gsm0710muxd device:dir rw_dir_perms; allow gsm0710muxd device:lnk_file { create unlink }; allow gsm0710muxd devpts:chr_file setattr; allow gsm0710muxd eemcs_device:chr_file rw_file_perms; -allow gsm0710muxd sysfs:file r_file_perms; # Allow read to sys/kernel/ccci/* files allow gsm0710muxd sysfs_ccci:dir search; diff --git a/non_plat/merged_hal_service.te b/non_plat/merged_hal_service.te index 23d76a5..c2d8db4 100644 --- a/non_plat/merged_hal_service.te +++ b/non_plat/merged_hal_service.te 
@@ -14,9 +14,6 @@ hal_server_domain(merged_hal_service, hal_power) hal_server_domain(merged_hal_service, hal_thermal) hal_server_domain(merged_hal_service, hal_memtrack) -#adjust light brightness -allow merged_hal_service sysfs:file write; - #mtk libs_hidl_service permissions hal_server_domain(merged_hal_service, mtk_hal_lbs) vndbinder_use(merged_hal_service) diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te index 3e1858c..7f90319 100644 --- a/non_plat/meta_tst.te +++ b/non_plat/meta_tst.te @@ -361,7 +361,6 @@ allow meta_tst proc_asound:dir { read search open }; allow meta_tst proc_asound:file { read open getattr write }; allow meta_tst mtk_audiohal_data_file:dir { read search open }; allow meta_tst audiohal_prop:property_service set; -allow meta_tst sysfs:file { read open }; allow meta_tst sysfs_headset:file { read open }; # Date: W18.05 @@ -370,7 +369,7 @@ allow meta_tst meta_tst:netlink_kobject_uevent_socket { read bind create setopt # Date : WK18.28 # Operation: P migration -# Purpose : +# Purpose : set_prop(meta_tst, vendor_usb_prop); # Date: W18.29 @@ -381,7 +380,7 @@ allow meta_tst loghidlvendorservice:unix_stream_socket connectto; # Date: W18.32 # Operation: Android P migration # Purpose : Allow meta_tst to set powerctl property -# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0 +# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0 # tcontext=u:object_r:powerctl_prop:s0 tclass=property_service permissive=0 set_prop(meta_tst, powerctl_prop); diff --git a/non_plat/mnld.te b/non_plat/mnld.te index 6abb5ce..11fe7a4 100644 --- a/non_plat/mnld.te +++ b/non_plat/mnld.te 
@@ -19,7 +19,6 @@ net_domain(mnld) allow mnld agpsd_data_file:dir create_dir_perms; allow mnld agpsd_data_file:sock_file create_file_perms; allow mnld mtk_agpsd:unix_dgram_socket sendto; -allow mnld sysfs:file rw_file_perms; allow mnld sysfs_wake_lock:file rw_file_perms; # Purpose : For access NVRAM data allow mnld nvram_data_file:dir create_dir_perms; diff --git a/non_plat/mtk_hal_bluetooth.te b/non_plat/mtk_hal_bluetooth.te index e08fb56..340a908 100644 --- a/non_plat/mtk_hal_bluetooth.te +++ b/non_plat/mtk_hal_bluetooth.te @@ -15,7 +15,6 @@ r_dir_file(mtk_hal_bluetooth, bluetooth_efs_file) allow mtk_hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms; # sysfs access. -r_dir_file(mtk_hal_bluetooth, sysfs_type) allow mtk_hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms; allow mtk_hal_bluetooth self:capability2 wake_alarm; diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te index 9bf5adc..a99c770 100644 --- a/non_plat/mtk_hal_camera.te +++ b/non_plat/mtk_hal_camera.te @@ -73,7 +73,6 @@ allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl { JPG_BRIDGE_ENC_IO_DEINIT JPG_BRIDGE_ENC_IO_START }; -allow mtk_hal_camera sysfs:file { read write open getattr }; allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms; allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms; @@ -355,4 +354,4 @@ MTK_M4U_T_SEC_INIT # Date: 2019/08/27 # Operation : For android Q allowing ioctl allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl }; -allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;
\ No newline at end of file +allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF; diff --git a/non_plat/mtkrild.te b/non_plat/mtkrild.te index dda5f2f..a1683a5 100644 --- a/non_plat/mtkrild.te +++ b/non_plat/mtkrild.te @@ -100,10 +100,6 @@ vndbinder_use(mtkrild) # Allow to trigger IPv6 RS allow mtkrild node:rawip_socket node_bind; -# Allow to use sysenv -allow mtkrild sysfs:file open; -allow mtkrild sysfs:file read; - #Date : W18.15 #Purpose: allow rild access to vendor.ril.ipo system property set_prop(mtkrild, vendor_ril_ipo_prop) diff --git a/non_plat/nvram_agent_binder.te b/non_plat/nvram_agent_binder.te index 5dc888a..6655e6e 100644 --- a/non_plat/nvram_agent_binder.te +++ b/non_plat/nvram_agent_binder.te @@ -47,9 +47,6 @@ allow nvram_agent_binder mtd_device:chr_file rw_file_perms; #for nvram agent hidl get_prop(nvram_agent_binder, hwservicemanager_prop) -#for nvram hidl client support -allow nvram_agent_binder sysfs:file { read open }; - # Allow to use HWBinder IPC hwbinder_use(nvram_agent_binder); diff --git a/non_plat/nvram_daemon.te b/non_plat/nvram_daemon.te index 7ed8bfa..71db04c 100644 --- a/non_plat/nvram_daemon.te +++ b/non_plat/nvram_daemon.te @@ -1,5 +1,5 @@ # ============================================== -# Policy File of /vendor/binnvram_daemon Executable File +# Policy File of /vendor/binnvram_daemon Executable File # ============================================== 
@@ -18,14 +18,14 @@ init_daemon_domain(nvram_daemon) # Date : WK14.31 -# Operation : Migration -# Purpose : the device is used to store Nvram backup data that can not be lost. +# Operation : Migration +# Purpose : the device is used to store Nvram backup data that can not be lost. allow nvram_daemon nvram_device:blk_file rw_file_perms; allow nvram_daemon nvdata_device:blk_file rw_file_perms; # Date : WK14.35 -# Operation : chown folder and file permission -# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L. +# Operation : chown folder and file permission +# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L. allow nvram_daemon nvram_data_file:dir create_dir_perms; allow nvram_daemon nvram_data_file:file create_file_perms; allow nvram_daemon nvram_data_file:lnk_file read; @@ -71,10 +71,9 @@ allow nvram_daemon nvram_data_file:lnk_file unlink; # denied { set } for property=ro.wlan.mtk.wifi.5g pid=242 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1 set_prop(nvram_daemon, service_nvram_init_prop) set_prop(nvram_daemon, wifi_5g_prop) - + #WK17.26 camera 8163 allow nvram_daemon sysfs:dir read; -allow nvram_daemon sysfs:file read; # Date : WK18.16 # Operation: P migration diff --git a/non_plat/rild.te b/non_plat/rild.te index 6af2759..29c1c9b 100644 --- a/non_plat/rild.te +++ b/non_plat/rild.te @@ -100,12 +100,6 @@ allow rild mtk_agpsd:unix_stream_socket connectto; #allow rild toolbox_exec:file getattr; allow rild mtk_net_ipv6_prop:property_service set; -#Dat: 2017/10/17 -# Allow to use sysenv & persist.radio.multisim.config -# for dynamic feature switch between ss & dsds -allow rild sysfs:file open; -allow rild sysfs:file read; - #Date: 2017/12/6 #Purpose: allow set the RS times for /proc/sys/net/ipv6/conf/ccmniX/router_solicitations allow rild vendor_shell_exec:file {execute_no_trans}; 
diff --git a/non_plat/wlan_assistant.te b/non_plat/wlan_assistant.te index f5aa5c2..9a440c7 100644 --- a/non_plat/wlan_assistant.te +++ b/non_plat/wlan_assistant.te @@ -34,7 +34,6 @@ allow wlan_assistant self:udp_socket { create ioctl }; # allow wlan_assistant wifi_data_file:dir { read search getattr open }; allow wlan_assistant nvdata_file:dir { search read getattr open }; allow wlan_assistant nvdata_file:file { read getattr open }; -allow wlan_assistant sysfs:file { open read }; allow wlan_assistant wmtWifi_device:chr_file { read write getattr open }; # allow wlan_assistant to read file under /data/vendor diff --git a/plat_private/mtkbootanimation.te b/plat_private/mtkbootanimation.te index bcb7456..857b86d 100644 --- a/plat_private/mtkbootanimation.te +++ b/plat_private/mtkbootanimation.te @@ -41,7 +41,6 @@ allow mtkbootanimation hal_graphics_composer:fd use; # Read access to pseudo filesystems. #r_dir_file(mtkbootanimation, proc) allow mtkbootanimation proc_meminfo:file r_file_perms; -#r_dir_file(mtkbootanimation, sysfs) r_dir_file(mtkbootanimation, cgroup) # System file accesses. diff --git a/plat_public/domain.te b/plat_public/domain.te new file mode 100644 index 0000000..6375d48 --- /dev/null +++ b/plat_public/domain.te 
@@ -0,0 +1,109 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Rules for all domains.
+
+# Do not allow access to the generic sysfs label. This is too broad.
+# Instead, if access to part of sysfs is desired, it should have a
+# more specific label.
+full_treble_only(`
+ neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ } sysfs:file *;
+
+ neverallow {
+ init
+ ueventd
+ vold
+ } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ ueventd
+ } sysfs:lnk_file ~r_file_perms;
+
+ neverallow {
+ init
+ ueventd
+ } sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ ueventd
+ vendor_init
+ } sysfs:dir ~r_dir_perms;
+
+ neverallow {
+ init
+ ueventd
+ vendor_init
+ } sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
+')
+
+
+
+# Do not allow access to the generic proc label. This is too broad.
+# Instead, if access to part of proc is desired, it should have a
+# more specific label.
+#neverallow * proc:dir_file_class_set *;
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+#neverallow * debugfs:dir_file_class_set *;
+
+# Do not allow access to the generic system_data_file label. This is
+# too broad.
+# Instead, if access to part of system_data_file is desired, it should
+# have a more specific label.
+#neverallow * system_data_file:dir_file_class_set *;
+
+# Do not allow access to the generic vendor_data_file label. This is
+# too broad.
+# Instead, if access to part of vendor_data_file is desired, it should
+# have a more specific label.
+#neverallow * vendor_data_file:dir_file_class_set *;
+
+# Do not allow access to the generic app_data_file label. This is too broad.
+# Instead, if access to part of app_data_file is desired, it should have a
+# more specific label.
+#neverallow * app_data_file:dir_file_class_set *;
+
+# Do not allow access to the generic default_prop label. This is too broad.
+# Instead, if access to part of default_prop is desired, it should have a
+# more specific label.
+#neverallow * default_prop:dir_file_class_set *;
+
+# Do not allow access to the generic vendor_default_prop label. This is
+# too broad.
+# Instead, if access to part of vendor_default_prop is desired, it should
+# have a more specific label.
+#neverallow * vendor_default_prop:dir_file_class_set *;
+
+# Do not allow access to the generic device label. This is too broad.
+# Instead, if access to part of device is desired, it should have a
+# more specific label.
+#neverallow * device:dir_file_class_set *;
+
+# Do not allow access to the generic socket_device label. This is too broad.
+# Instead, if access to part of socket_device is desired, it should have a
+# more specific label.
+#neverallow * socket_device:dir_file_class_set *;
+
+# Do not allow access to the generic block_device label. This is too broad.
+# Instead, if access to part of block_device is desired, it should have a
+# more specific label.
+#neverallow * block_device:dir_file_class_set *;
+
+# Do not allow access to the generic bootdevice_block_device label. This is
+# too broad.
+# Instead, if access to part of bootdevice_block_device is desired, it should
+# have a more specific label.
+#neverallow * bootdevice_block_device:dir_file_class_set *;
+
diff --git a/r_non_plat/aee_aedv.te b/r_non_plat/aee_aedv.te
index 13d96f4..2c8bc56 100644
--- a/r_non_plat/aee_aedv.te
+++ b/r_non_plat/aee_aedv.te
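Review bot: Only the sysfs block in the new plat_public/domain.te is enforced; the ten rules after it (`#neverallow * proc:dir_file_class_set *;` through the `bootdevice_block_device` one) are commented out, yet the comment above each reads as if the restriction were in force. I would mark them as pending, for example `# TODO (not enforced yet): neverallow * proc:dir_file_class_set *;`, so someone auditing the policy does not assume generic proc, debugfs or block_device access is already blocked. For `default_prop` and `vendor_default_prop`, `dir_file_class_set` would cover reads of the property files but, as far as I can tell, not the `property_service` class used for `set`, so those two rules need a different class list before they are enabled.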
@@ -274,7 +274,6 @@ allow aee_aedv debugfs_dynamic_debug:file r_file_perms; # [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read } # for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0 # tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 -allow aee_aedv sysfs:file r_file_perms; allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms; # Purpose: Allow aee_aedv to use HwBinder IPC. diff --git a/r_non_plat/atci_service.te b/r_non_plat/atci_service.te index c3a4c81..3440cb0 100644 --- a/r_non_plat/atci_service.te +++ b/r_non_plat/atci_service.te @@ -38,7 +38,6 @@ allow atci_service devmap_device:chr_file { open read write ioctl }; allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr }; allow atci_service sdcard_type:file { setattr read create write getattr unlink open append }; allow atci_service mediaserver:binder call; -#allow atci_service sysfs:file write; #allow atci_service system_server:unix_stream_socket { read write }; allow atci_service self:capability sys_boot; diff --git a/r_non_plat/ccci_fsd.te b/r_non_plat/ccci_fsd.te index 4f5e6a6..1adab51 100644 --- a/r_non_plat/ccci_fsd.te +++ b/r_non_plat/ccci_fsd.te @@ -41,7 +41,6 @@ allow ccci_fsd c2k_file:dir create_dir_perms; allow ccci_fsd c2k_file:file create_file_perms; allow ccci_fsd otp_part_block_device:blk_file rw_file_perms; allow ccci_fsd otp_device:chr_file rw_file_perms; -allow ccci_fsd sysfs:file r_file_perms; allow ccci_fsd sysfs_boot_type:file { read open }; #============= ccci_fsd MD block data============== ##restore>NVM_GetDeviceInfo>open /dev/block/platform/bootdevice/by-name/nvram diff --git a/r_non_plat/ccci_mdinit.te b/r_non_plat/ccci_mdinit.te index 3245459..dad124b 100644 --- a/r_non_plat/ccci_mdinit.te +++ b/r_non_plat/ccci_mdinit.te 
@@ -96,7 +96,6 @@ allow ccci_mdinit sysfs_ccci:dir search; allow ccci_mdinit sysfs_ccci:file rw_file_perms; allow ccci_mdinit sysfs_ssw:dir search; allow ccci_mdinit sysfs_ssw:file r_file_perms; -allow ccci_mdinit sysfs:file r_file_perms; allow ccci_mdinit sysfs_boot_mode:file { read open }; # Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof diff --git a/r_non_plat/factory.te b/r_non_plat/factory.te index b1593fb..2292369 100644 --- a/r_non_plat/factory.te +++ b/r_non_plat/factory.te @@ -338,7 +338,6 @@ allow factory proc_asound:file { read open getattr write }; allow factory audiohal_prop:property_service set; # For Accdet data permission -allow factory sysfs:file { read open }; allow factory sysfs_headset:file { read open }; # For touch auto test diff --git a/r_non_plat/fuelgauged_nvram.te b/r_non_plat/fuelgauged_nvram.te index 1bf2585..96862d9 100644 --- a/r_non_plat/fuelgauged_nvram.te +++ b/r_non_plat/fuelgauged_nvram.te @@ -1,5 +1,5 @@ # ============================================== -# Policy File of /system/bin/fuelgauged_nvram Executable File +# Policy File of /system/bin/fuelgauged_nvram Executable File # ============================================== # Type Declaration @@ -48,8 +48,7 @@ allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms; # Date: W18.03 # Operation : change fuelgagued_nvram access from cache to nvcfg # Purpose : add fuelgauged to nvcfg read write permit -# need add label -allow fuelgauged_nvram sysfs:file { read open }; +# need add label allow fuelgauged_nvram nvcfg_file:dir { search write open read add_name create getattr}; allow fuelgauged_nvram nvcfg_file:file { read write getattr open create }; diff --git a/r_non_plat/gsm0710muxd.te b/r_non_plat/gsm0710muxd.te index 65ed983..aeabcc9 100644 --- a/r_non_plat/gsm0710muxd.te +++ b/r_non_plat/gsm0710muxd.te 
@@ -31,7 +31,6 @@ allow gsm0710muxd device:dir rw_dir_perms; allow gsm0710muxd device:lnk_file { create unlink }; allow gsm0710muxd devpts:chr_file setattr; allow gsm0710muxd eemcs_device:chr_file rw_file_perms; -allow gsm0710muxd sysfs:file r_file_perms; # Allow read to sys/kernel/ccci/* files allow gsm0710muxd sysfs_ccci:dir search; diff --git a/r_non_plat/hal_vibrator.te b/r_non_plat/hal_vibrator.te index 7f13029..c88619d 100644 --- a/r_non_plat/hal_vibrator.te +++ b/r_non_plat/hal_vibrator.te @@ -3,4 +3,3 @@ allow hal_vibrator sysfs_vibrator:dir r_dir_perms; allow hal_vibrator sysfs_leds:file rw_file_perms; allow hal_vibrator sysfs_leds:dir r_dir_perms; allow hal_vibrator sysfs_leds:lnk_file read; -allow hal_vibrator_default sysfs:file { open write read }; diff --git a/r_non_plat/mediacodec.te b/r_non_plat/mediacodec.te index 18d7e7e..ba1305c 100644 --- a/r_non_plat/mediacodec.te +++ b/r_non_plat/mediacodec.te @@ -17,7 +17,6 @@ allow mediacodec Vcodec_device:chr_file rw_file_perms; # Purpose : VP & VR dump and debug allow mediacodec M4U_device_device:chr_file rw_file_perms; allow mediacodec proc:file r_file_perms; -allow mediacodec sysfs:file {read write open}; allow mediacodec debugfs_binder:dir search; allow mediacodec MTK_SMI_device:chr_file { ioctl read open }; allow mediacodec storage_file:lnk_file {read write open}; @@ -152,4 +151,4 @@ allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_SEC_INIT; # Date : 2019/12/12 # Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/* allow mediacodec sysfs_concurrency_scenario:file rw_file_perms; -allow mediacodec sysfs_concurrency_scenario:dir search;
\ No newline at end of file +allow mediacodec sysfs_concurrency_scenario:dir search; diff --git a/r_non_plat/merged_hal_service.te b/r_non_plat/merged_hal_service.te index df44f98..9c77899 100644 --- a/r_non_plat/merged_hal_service.te +++ b/r_non_plat/merged_hal_service.te @@ -14,9 +14,6 @@ hal_server_domain(merged_hal_service, hal_power) hal_server_domain(merged_hal_service, hal_thermal) hal_server_domain(merged_hal_service, hal_memtrack) -#adjust light brightness -allow merged_hal_service sysfs:file write; - #mtk libs_hidl_service permissions hal_server_domain(merged_hal_service, mtk_hal_lbs) vndbinder_use(merged_hal_service) @@ -59,7 +56,6 @@ allow merged_hal_service debugfs_ged:dir search; allow merged_hal_service debugfs_ged:file { getattr open read write }; allow merged_hal_service proc_thermal:file { write open }; allow merged_hal_service proc_thermal:dir search; -allow merged_hal_service sysfs:file {open write read}; allow merged_hal_service proc_perfmgr:dir search; allow merged_hal_service proc_perfmgr:file rw_file_perms; allow merged_hal_service sdcard_type:dir create_dir_perms; diff --git a/r_non_plat/meta_tst.te b/r_non_plat/meta_tst.te index 3e1858c..7f90319 100644 --- a/r_non_plat/meta_tst.te +++ b/r_non_plat/meta_tst.te @@ -361,7 +361,6 @@ allow meta_tst proc_asound:dir { read search open }; allow meta_tst proc_asound:file { read open getattr write }; allow meta_tst mtk_audiohal_data_file:dir { read search open }; allow meta_tst audiohal_prop:property_service set; -allow meta_tst sysfs:file { read open }; allow meta_tst sysfs_headset:file { read open }; # Date: W18.05 @@ -370,7 +369,7 @@ allow meta_tst meta_tst:netlink_kobject_uevent_socket { read bind create setopt # Date : WK18.28 # Operation: P migration -# Purpose : +# Purpose : set_prop(meta_tst, vendor_usb_prop); # Date: W18.29 
@@ -381,7 +380,7 @@ allow meta_tst loghidlvendorservice:unix_stream_socket connectto; # Date: W18.32 # Operation: Android P migration # Purpose : Allow meta_tst to set powerctl property -# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0 +# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0 # tcontext=u:object_r:powerctl_prop:s0 tclass=property_service permissive=0 set_prop(meta_tst, powerctl_prop); diff --git a/r_non_plat/mnld.te b/r_non_plat/mnld.te index 6abb5ce..11fe7a4 100644 --- a/r_non_plat/mnld.te +++ b/r_non_plat/mnld.te @@ -19,7 +19,6 @@ net_domain(mnld) allow mnld agpsd_data_file:dir create_dir_perms; allow mnld agpsd_data_file:sock_file create_file_perms; allow mnld mtk_agpsd:unix_dgram_socket sendto; -allow mnld sysfs:file rw_file_perms; allow mnld sysfs_wake_lock:file rw_file_perms; # Purpose : For access NVRAM data allow mnld nvram_data_file:dir create_dir_perms; diff --git a/r_non_plat/mtk_hal_bluetooth.te b/r_non_plat/mtk_hal_bluetooth.te index e08fb56..340a908 100644 --- a/r_non_plat/mtk_hal_bluetooth.te +++ b/r_non_plat/mtk_hal_bluetooth.te @@ -15,7 +15,6 @@ r_dir_file(mtk_hal_bluetooth, bluetooth_efs_file) allow mtk_hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms; # sysfs access. -r_dir_file(mtk_hal_bluetooth, sysfs_type) allow mtk_hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms; allow mtk_hal_bluetooth self:capability2 wake_alarm; diff --git a/r_non_plat/mtk_hal_camera.te b/r_non_plat/mtk_hal_camera.te index db30551..f7368a0 100644 --- a/r_non_plat/mtk_hal_camera.te +++ b/r_non_plat/mtk_hal_camera.te @@ -73,7 +73,6 @@ allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl { JPG_BRIDGE_ENC_IO_DEINIT JPG_BRIDGE_ENC_IO_START }; -allow mtk_hal_camera sysfs:file { read write open getattr }; allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms; allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms; 
@@ -349,4 +348,4 @@ allowxperm mtk_hal_camera proc_m4u:file ioctl MTK_M4U_T_SEC_INIT; # Date: 2019/08/27 # Operation : For android Q allowing ioctl allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl }; -allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;
\ No newline at end of file +allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF; diff --git a/r_non_plat/mtkrild.te b/r_non_plat/mtkrild.te index a134520..4dd1490 100644 --- a/r_non_plat/mtkrild.te +++ b/r_non_plat/mtkrild.te @@ -100,10 +100,6 @@ vndbinder_use(mtkrild) # Allow to trigger IPv6 RS allow mtkrild node:rawip_socket node_bind; -# Allow to use sysenv -allow mtkrild sysfs:file open; -allow mtkrild sysfs:file read; - #Date : W18.15 #Purpose: allow rild access to vendor.ril.ipo system property set_prop(mtkrild, vendor_ril_ipo_prop) diff --git a/r_non_plat/nvram_agent_binder.te b/r_non_plat/nvram_agent_binder.te index 5dc888a..6655e6e 100644 --- a/r_non_plat/nvram_agent_binder.te +++ b/r_non_plat/nvram_agent_binder.te @@ -47,9 +47,6 @@ allow nvram_agent_binder mtd_device:chr_file rw_file_perms; #for nvram agent hidl get_prop(nvram_agent_binder, hwservicemanager_prop) -#for nvram hidl client support -allow nvram_agent_binder sysfs:file { read open }; - # Allow to use HWBinder IPC hwbinder_use(nvram_agent_binder); diff --git a/r_non_plat/nvram_daemon.te b/r_non_plat/nvram_daemon.te index 7ed8bfa..71db04c 100644 --- a/r_non_plat/nvram_daemon.te +++ b/r_non_plat/nvram_daemon.te @@ -1,5 +1,5 @@ # ============================================== -# Policy File of /vendor/binnvram_daemon Executable File +# Policy File of /vendor/binnvram_daemon Executable File # ============================================== 
@@ -18,14 +18,14 @@ init_daemon_domain(nvram_daemon) # Date : WK14.31 -# Operation : Migration -# Purpose : the device is used to store Nvram backup data that can not be lost. +# Operation : Migration +# Purpose : the device is used to store Nvram backup data that can not be lost. allow nvram_daemon nvram_device:blk_file rw_file_perms; allow nvram_daemon nvdata_device:blk_file rw_file_perms; # Date : WK14.35 -# Operation : chown folder and file permission -# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L. +# Operation : chown folder and file permission +# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L. allow nvram_daemon nvram_data_file:dir create_dir_perms; allow nvram_daemon nvram_data_file:file create_file_perms; allow nvram_daemon nvram_data_file:lnk_file read; @@ -71,10 +71,9 @@ allow nvram_daemon nvram_data_file:lnk_file unlink; # denied { set } for property=ro.wlan.mtk.wifi.5g pid=242 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1 set_prop(nvram_daemon, service_nvram_init_prop) set_prop(nvram_daemon, wifi_5g_prop) - + #WK17.26 camera 8163 allow nvram_daemon sysfs:dir read; -allow nvram_daemon sysfs:file read; # Date : WK18.16 # Operation: P migration diff --git a/r_non_plat/rild.te b/r_non_plat/rild.te index 67cf3eb..30dc920 100644 --- a/r_non_plat/rild.te +++ b/r_non_plat/rild.te @@ -100,12 +100,6 @@ allow rild mtk_agpsd:unix_stream_socket connectto; #allow rild toolbox_exec:file getattr; allow rild mtk_net_ipv6_prop:property_service set; -#Dat: 2017/10/17 -# Allow to use sysenv & persist.radio.multisim.config -# for dynamic feature switch between ss & dsds -allow rild sysfs:file open; -allow rild sysfs:file read; - #Date: 2017/12/6 #Purpose: allow set the RS times for /proc/sys/net/ipv6/conf/ccmniX/router_solicitations allow rild vendor_shell_exec:file {execute_no_trans}; 
@@ -157,4 +151,4 @@ allow rild self:netlink_netfilter_socket { create_socket_perms_no_ioctl }; # Date : 2019/08/29 # Purpose: Allow rild to access proc/aed/reboot-reason -allow rild proc_aed_reboot_reason:file rw_file_perms;
\ No newline at end of file +allow rild proc_aed_reboot_reason:file rw_file_perms; diff --git a/r_non_plat/wlan_assistant.te b/r_non_plat/wlan_assistant.te index f5aa5c2..9a440c7 100644 --- a/r_non_plat/wlan_assistant.te +++ b/r_non_plat/wlan_assistant.te @@ -34,7 +34,6 @@ allow wlan_assistant self:udp_socket { create ioctl }; # allow wlan_assistant wifi_data_file:dir { read search getattr open }; allow wlan_assistant nvdata_file:dir { search read getattr open }; allow wlan_assistant nvdata_file:file { read getattr open }; -allow wlan_assistant sysfs:file { open read }; allow wlan_assistant wmtWifi_device:chr_file { read write getattr open }; # allow wlan_assistant to read file under /data/vendor |
