diff options
| author | mtk12101 <shan.zhang@mediatek.com> | 2019-01-31 14:39:00 +0800 |
|---|---|---|
| committer | mtk12101 <shan.zhang@mediatek.com> | 2019-01-31 14:39:00 +0800 |
| commit | a965753902d201e587bcb756915ccc1de858eb7e (patch) | |
| tree | fc936e4716735c3dab5a53ed5c4205361ece8c91 | |
| parent | 1022b23ee9f9badfea147f0ede294ce699d938ee (diff) | |
| download | device_mediatek_wembley-sepolicy-a965753902d201e587bcb756915ccc1de858eb7e.tar.gz device_mediatek_wembley-sepolicy-a965753902d201e587bcb756915ccc1de858eb7e.tar.bz2 device_mediatek_wembley-sepolicy-a965753902d201e587bcb756915ccc1de858eb7e.zip | |
[ALPS03825066] Fix boot fail
[Detail] System processes have no permission to access
vendor_default_prop
[Solution] Add get vendor_default_prop rule for system
processes
MTK-Commit-Id: 412119fb578fc32e9f046c09a13817cf3c755515
Change-Id: I791997e6bb44c61b69d32c6da0cc80c6f2a9759e
CR-Id: ALPS03825066
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
| -rw-r--r-- | non_plat/aee_aed.te | 5 | ||||
| -rw-r--r-- | non_plat/aee_aedv.te | 5 | ||||
| -rw-r--r-- | non_plat/audioserver.te | 4 | ||||
| -rw-r--r-- | non_plat/boot_logo_updater.te | 4 | ||||
| -rw-r--r-- | non_plat/cameraserver.te | 5 | ||||
| -rw-r--r-- | non_plat/crash_dump.te | 9 | ||||
| -rw-r--r-- | non_plat/drmserver.te | 5 | ||||
| -rw-r--r-- | non_plat/em_svr.te | 4 | ||||
| -rw-r--r-- | non_plat/gatekeeperd.te | 8 | ||||
| -rw-r--r-- | non_plat/hwservicemanager.te | 8 | ||||
| -rw-r--r-- | non_plat/lmkd.te | 5 | ||||
| -rw-r--r-- | non_plat/logd.te | 8 | ||||
| -rw-r--r-- | non_plat/mediadrmserver.te | 2 | ||||
| -rw-r--r-- | non_plat/mediaserver.te | 5 | ||||
| -rw-r--r-- | non_plat/netd.te | 5 | ||||
| -rw-r--r-- | non_plat/servicemanager.te | 8 | ||||
| -rw-r--r-- | non_plat/surfaceflinger.te | 5 | ||||
| -rw-r--r-- | non_plat/thermalserviced.te | 8 | ||||
| -rw-r--r-- | non_plat/tzdatacheck.te | 8 | ||||
| -rw-r--r-- | non_plat/vdc.te | 8 | ||||
| -rw-r--r-- | non_plat/vndservicemanager.te | 8 | ||||
| -rw-r--r-- | non_plat/vold.te | 5 | ||||
| -rw-r--r-- | non_plat/vold_prepare_subdirs.te | 8 | ||||
| -rw-r--r-- | non_plat/wificond.te | 8 | ||||
| -rw-r--r-- | non_plat/zygote.te | 5 | ||||
| -rw-r--r-- | plat_private/hal_allocator_default.te | 8 |
26 files changed, 159 insertions, 2 deletions
diff --git a/non_plat/aee_aed.te b/non_plat/aee_aed.te index f52f00a..492e9a5 100644 --- a/non_plat/aee_aed.te +++ b/non_plat/aee_aed.te @@ -50,3 +50,8 @@ allow aee_aed exec_type:file r_file_perms; # Purpose: Allow aee_aedv to read /proc/cpu/alignment allow aee_aed proc_cpu_alignment:file { write open }; + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(aee_aed, vendor_default_prop) diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te index 27bc45f..a3c3aa3 100644 --- a/non_plat/aee_aedv.te +++ b/non_plat/aee_aedv.te @@ -392,3 +392,8 @@ allow aee_aedv proc_hw_ver:file { read open }; # Purpose: Allow aee_aedv to read /proc/sched_debug allow aee_aedv proc_sched_debug:file { read open }; + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(aee_aedv, vendor_default_prop) diff --git a/non_plat/audioserver.te b/non_plat/audioserver.te index d0c6303..a7a5a27 100644 --- a/non_plat/audioserver.te +++ b/non_plat/audioserver.te @@ -64,3 +64,7 @@ allow audioserver aee_aed:unix_stream_socket connectto; allow audioserver mtk_thermal_config_prop:file { getattr open read }; allow audioserver mtk_thermal_config_prop:property_service set; +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(audioserver, vendor_default_prop) diff --git a/non_plat/boot_logo_updater.te b/non_plat/boot_logo_updater.te index 00e8613..f9a9961 100644 --- a/non_plat/boot_logo_updater.te +++ b/non_plat/boot_logo_updater.te @@ -21,3 +21,7 @@ allow boot_logo_updater proc_lk_env:file rw_file_perms; # Purpose : for it to read-write SysEnv data allow boot_logo_updater para_block_device:blk_file rw_file_perms; +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(boot_logo_updater, vendor_default_prop) diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te index 92080cb..60a4356 100644 --- a/non_plat/cameraserver.te +++ b/non_plat/cameraserver.te @@ -394,3 +394,8 @@ allow cameraserver camera_mfb_device:chr_file rw_file_perms; # Purpose: Allow permgr access allow cameraserver proc_perfmgr:dir {read search}; allow cameraserver proc_perfmgr:file {open read ioctl}; + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(cameraserver, vendor_default_prop) diff --git a/non_plat/crash_dump.te b/non_plat/crash_dump.te new file mode 100644 index 0000000..f4bda2d --- /dev/null +++ b/non_plat/crash_dump.te @@ -0,0 +1,9 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(crash_dump, vendor_default_prop) + diff --git a/non_plat/drmserver.te b/non_plat/drmserver.te index 8755b64..8d138a1 100644 --- a/non_plat/drmserver.te +++ b/non_plat/drmserver.te @@ -5,3 +5,8 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions allow drmserver proc_ged:file {open read write ioctl getattr}; + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(drmserver, vendor_default_prop) diff --git a/non_plat/em_svr.te b/non_plat/em_svr.te index 262ea20..321725b 100644 --- a/non_plat/em_svr.te +++ b/non_plat/em_svr.te @@ -31,3 +31,7 @@ allow em_svr nvram_device:blk_file { open read write }; # Purpose: add for Gyroscope sensor allow em_svr gyroscope_device:chr_file { read ioctl open }; +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(em_svr, vendor_default_prop) diff --git a/non_plat/gatekeeperd.te b/non_plat/gatekeeperd.te new file mode 100644 index 0000000..836bd09 --- /dev/null +++ b/non_plat/gatekeeperd.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(gatekeeperd, vendor_default_prop) diff --git a/non_plat/hwservicemanager.te b/non_plat/hwservicemanager.te new file mode 100644 index 0000000..d6074e9 --- /dev/null +++ b/non_plat/hwservicemanager.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(hwservicemanager, vendor_default_prop) diff --git a/non_plat/lmkd.te b/non_plat/lmkd.te index fbf02e7..2e2eb7c 100644 --- a/non_plat/lmkd.te +++ b/non_plat/lmkd.te @@ -17,3 +17,8 @@ dontaudit lmkd zygote:dir rw_dir_perms; # path=2F6465762F6173686D656D2F4469736361726461626C654D656D6F72794173686D656D416C6C6F6361746F72202864656C6574656429 # dev="tmpfs" ino=14475 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=fd permissive=0 dontaudit lmkd platform_app:fd use; + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(lmkd, vendor_default_prop) diff --git a/non_plat/logd.te b/non_plat/logd.te new file mode 100644 index 0000000..1028240 --- /dev/null +++ b/non_plat/logd.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(logd, vendor_default_prop) diff --git a/non_plat/mediadrmserver.te b/non_plat/mediadrmserver.te index 4e7ba72..066a632 100644 --- a/non_plat/mediadrmserver.te +++ b/non_plat/mediadrmserver.te @@ -13,4 +13,4 @@ allow mediadrmserver proc_ged:file {open read write ioctl getattr}; # Operation : MT6757 SQC # Purpose : Change thermal config allow mediaserver mtk_thermal_config_prop:file { getattr open read }; -allow mediaserver mtk_thermal_config_prop:property_service set;
\ No newline at end of file +allow mediaserver mtk_thermal_config_prop:property_service set; diff --git a/non_plat/mediaserver.te b/non_plat/mediaserver.te index c13cb9c..e17407f 100644 --- a/non_plat/mediaserver.te +++ b/non_plat/mediaserver.te @@ -391,3 +391,8 @@ allow mediaserver mtk_hal_keymanage:binder call; # Purpose : Allow mediadrmserver to call vendor.mediatek.hardware.keymanage@1.0-service. hal_client_domain(mediaserver , hal_keymaster) allow mediaserver mtk_hal_keymanage_hwservice:hwservice_manager find; + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(mediaserver, vendor_default_prop) diff --git a/non_plat/netd.te b/non_plat/netd.te index 0e77f3a..48d3a94 100644 --- a/non_plat/netd.te +++ b/non_plat/netd.te @@ -61,4 +61,7 @@ allow netd untrusted_app:fd use; allow netd untrusted_app:unix_stream_socket { read write getopt setopt}; allow netd isolated_app:fd use; - +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(netd, vendor_default_prop) diff --git a/non_plat/servicemanager.te b/non_plat/servicemanager.te new file mode 100644 index 0000000..0ea7272 --- /dev/null +++ b/non_plat/servicemanager.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(servicemanager, vendor_default_prop) diff --git a/non_plat/surfaceflinger.te b/non_plat/surfaceflinger.te index 4138ac7..7b84ab8 100644 --- a/non_plat/surfaceflinger.te +++ b/non_plat/surfaceflinger.te @@ -59,3 +59,8 @@ allow surfaceflinger proc_perfmgr:file {open read ioctl}; get_prop(surfaceflinger, graphics_hwc_pid_prop) allow surfaceflinger hal_graphics_composer_default:dir search; allow surfaceflinger hal_graphics_composer_default:lnk_file read; + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(surfaceflinger, vendor_default_prop) diff --git a/non_plat/thermalserviced.te b/non_plat/thermalserviced.te new file mode 100644 index 0000000..d64f316 --- /dev/null +++ b/non_plat/thermalserviced.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(thermalserviced, vendor_default_prop) diff --git a/non_plat/tzdatacheck.te b/non_plat/tzdatacheck.te new file mode 100644 index 0000000..450a634 --- /dev/null +++ b/non_plat/tzdatacheck.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(tzdatacheck, vendor_default_prop) diff --git a/non_plat/vdc.te b/non_plat/vdc.te new file mode 100644 index 0000000..37324c8 --- /dev/null +++ b/non_plat/vdc.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============ + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(atcid, vendor_default_prop) diff --git a/non_plat/vndservicemanager.te b/non_plat/vndservicemanager.te new file mode 100644 index 0000000..5ec16b5 --- /dev/null +++ b/non_plat/vndservicemanager.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(vndservicemanager, vendor_default_prop) diff --git a/non_plat/vold.te b/non_plat/vold.te index 118033f..7933676 100644 --- a/non_plat/vold.te +++ b/non_plat/vold.te @@ -20,3 +20,8 @@ dontaudit vold proc_mtktz:dir { read open }; dontaudit vold proc_thermal:dir { read open }; allow vold mtd_device:blk_file rw_file_perms; + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(vold, vendor_default_prop) diff --git a/non_plat/vold_prepare_subdirs.te b/non_plat/vold_prepare_subdirs.te new file mode 100644 index 0000000..29f58ff --- /dev/null +++ b/non_plat/vold_prepare_subdirs.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(vold_prepare_subdirs, vendor_default_prop) diff --git a/non_plat/wificond.te b/non_plat/wificond.te new file mode 100644 index 0000000..4e434b2 --- /dev/null +++ b/non_plat/wificond.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : wificond +get_prop(wificond, vendor_default_prop) diff --git a/non_plat/zygote.te b/non_plat/zygote.te index 416727b..e07fdfd 100644 --- a/non_plat/zygote.te +++ b/non_plat/zygote.te @@ -10,3 +10,8 @@ allow zygote proc_ged:file {open read write ioctl getattr}; # Purpose: Allow to access gpu for memtrack functions allow zygote gpu_device:dir search; allow zygote gpu_device:chr_file { open read write ioctl getattr}; + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(zygote, vendor_default_prop) diff --git a/plat_private/hal_allocator_default.te b/plat_private/hal_allocator_default.te new file mode 100644 index 0000000..e09f6e1 --- /dev/null +++ b/plat_private/hal_allocator_default.te @@ -0,0 +1,8 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK18.20 +# Operation : Migration +# Purpose : no permission for vendor_default_prop +get_prop(hal_allocator_default, vendor_default_prop) |