author | mtk12101 <shan.zhang@mediatek.com> | 2018-06-21 14:54:37 +0800 |
committer | mtk12101 <shan.zhang@mediatek.com> | 2018-06-21 15:44:16 +0800 |
commit | 49685f1299d990a7195a2d54b955517d8f2cc699 (patch) | |
tree | 5b37b80c5360042114ff27d8b5fd4e4f0c62978f /prebuilts/api/26.0 | |
parent | 31147b1027de480ab0b3379a008813351049e342 (diff) | |
[ALPS03982747] Remove unused sepolicy rules
Some rules are no longer needed, so they are removed; a few previously commented-out capability rules are re-enabled with dac_override dropped.
Change-Id: I4a590ad781589cf94989ce72c88751ac10b82eae
CR-Id: ALPS03982747
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Diffstat (limited to 'prebuilts/api/26.0')
-rwxr-xr-x | prebuilts/api/26.0/plat_private/aee_aed.te | 11 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/audiocmdservice_atci.te | 3 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/boot_logo_updater.te | 3 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/bootanim.te | 14 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/cmddumper.te | 5 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/em_svr.te | 21 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/emdlogger.te | 4 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/fuelgauged_static.te | 9 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/mdlogger.te | 4 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/meta_tst.te | 3 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/mobile_log_d.te | 3 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/netdiag.te | 7 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/ppp.te | 3 | ||||
-rwxr-xr-x | prebuilts/api/26.0/plat_private/thermalindicator.te | 3 |
14 files changed, 6 insertions, 87 deletions
diff --git a/prebuilts/api/26.0/plat_private/aee_aed.te b/prebuilts/api/26.0/plat_private/aee_aed.te
index dbf639e..1ba4f0a 100755
--- a/prebuilts/api/26.0/plat_private/aee_aed.te
+++ b/prebuilts/api/26.0/plat_private/aee_aed.te
@@ -17,8 +17,6 @@ init_daemon_domain(aee_aed)
 # AED start: /dev/block/expdb
 allow aee_aed block_device:dir search;
-#allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow
-
 # aee db dir and db files
 allow aee_aed sdcard_type:dir create_dir_perms;
 allow aee_aed sdcard_type:file create_file_perms;
@@ -40,7 +38,6 @@ allow aee_aed usermodehelper:file r_file_perms;
 allow aee_aed init:unix_stream_socket connectto;
 allow aee_aed property_socket:sock_file write;
-#allow aee_aed call binaries labeled "system_file" under /system/bin/
 allow aee_aed system_file:file execute_no_trans;
 allow aee_aed init:process getsched;
@@ -90,7 +87,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms;
 allow aee_aed tombstone_data_file:file create_file_perms;
 # /proc/pid/
-#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module};
+allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};
 # system(cmd) aee_dumpstate aee_archive
 allow aee_aed shell_exec:file rx_file_perms;
@@ -127,9 +124,3 @@ allow aee_aed init_exec:file r_file_perms;
 # Purpose : make aee_aed can get notify from crash_dump
 allow aee_aed crash_dump:dir search;
 allow aee_aed crash_dump:file r_file_perms;
-
-# Purpose:
-# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }
-# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0
-# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
-#allow aee_aed sysfs:file r_file_perms;
diff --git a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te
index 19f37e1..d907260 100755
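Review bot: The `+allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};` line in the `@@ -90,7 +87,7 @@` hunk turns a commented-out rule into a live grant, so this hunk widens aee_aed's privileges rather than removing an unused rule as the title says; dropping `dac_override` is the right direction, but `sys_module` (kernel module loading) and `net_admin` are far beyond anything the surrounding rules (tombstones, crash_dump, sdcard db files) suggest this daemon does. As far as I recall the AOSP platform policy of this era neverallows `sys_module` for domains other than init, so this may not even build against system/sepolicy — please check. Trim the set to the capabilities backed by observed denials, and replace the `# /proc/pid/` comment, which does not describe a capability grant, with one naming the operation each remaining capability serves and the denial that motivated it. Since this lives under prebuilts/api/26.0, also confirm the same change landed in the live policy directory so the two copies do not diverge.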
--- a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te
+++ b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te
@@ -14,13 +14,11 @@ init_daemon_domain(audiocmdservice_atci)
 # Perform Binder IPC for audio tuning tool and access to mediaserver
 binder_use(audiocmdservice_atci)
 binder_call(audiocmdservice_atci, mediaserver)
-#allow audiocmdservice_atci mediaserver:chr_file create_file_perms;
 allow audiocmdservice_atci mediaserver:dir w_dir_perms;
 allow audiocmdservice_atci mediaserver_service:service_manager find;
 # Since Android N, google separates mediaserver to audioserver and cameraserver
 binder_call(audiocmdservice_atci, audioserver)
-#allow audiocmdservice_atci audioserver:chr_file create_file_perms;
 allow audiocmdservice_atci audioserver:dir w_dir_perms;
 allow audiocmdservice_atci audioserver_service:service_manager find;
@@ -49,4 +47,3 @@ allow radio audiocmdservice_atci_exec:file getattr;
 #Android O porting
 hwbinder_use(audiocmdservice_atci)
 get_prop(audiocmdservice_atci, hwservicemanager_prop);
-#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms;
diff --git a/prebuilts/api/26.0/plat_private/boot_logo_updater.te b/prebuilts/api/26.0/plat_private/boot_logo_updater.te
index 52c38f0..a55a3ca 100755
--- a/prebuilts/api/26.0/plat_private/boot_logo_updater.te
+++ b/prebuilts/api/26.0/plat_private/boot_logo_updater.te
@@ -21,9 +21,6 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms;
 # For IPC communication
 allow boot_logo_updater init:unix_stream_socket connectto;
 allow boot_logo_updater property_socket:sock_file write;
-#allow boot_logo_updater self:capability dac_override;
-# To access some boot_mode infornation
-#allow boot_logo_updater sysfs:file rw_file_perms;
 # To access directory /dev/block/mmcblk0 or /dev/block/sdc
 allow boot_logo_updater block_device:dir search;
 allow boot_logo_updater graphics_device:dir search;
diff --git a/prebuilts/api/26.0/plat_private/bootanim.te b/prebuilts/api/26.0/plat_private/bootanim.te
index edad4f0..a7c07a1 100755
--- a/prebuilts/api/26.0/plat_private/bootanim.te
+++ b/prebuilts/api/26.0/plat_private/bootanim.te
@@ -2,12 +2,6 @@
 # MTK Policy Rule
 # ============
-# Date : WK14.31
-# Operation : Migration
-# Purpose : For IPC communication
-### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
-#allow bootanim self:netlink_socket create_socket_perms;
-
 # Date : WK14.32
 # Operation : Migration
 # Purpose : for playing boot tone
@@ -40,11 +34,3 @@ allow bootanim surfaceflinger:fifo_file rw_file_perms;
 # Purpose : DRM / DRI GPU driver required
 allow bootanim gpu_device:dir search;
-
-
-
-#============= bootanim ==============
-#allow bootanim debugfs_tracing:file write;
-
-#============= bootanim ==============
-#allow bootanim debugfs_tracing:file open;
diff --git a/prebuilts/api/26.0/plat_private/cmddumper.te b/prebuilts/api/26.0/plat_private/cmddumper.te
index 7ae391a..405bebe 100755
--- a/prebuilts/api/26.0/plat_private/cmddumper.te
+++ b/prebuilts/api/26.0/plat_private/cmddumper.te
@@ -31,11 +31,6 @@ allow cmddumper system_file:file x_file_perms;
 allow cmddumper media_rw_data_file:file { create_file_perms };
 allow cmddumper media_rw_data_file:dir { create_dir_perms };
-# purpose: access vmodem device
-#allow cmddumper vmodem_device:chr_file { create_file_perms };
-
 # purpose: access plat_file_contexts
 allow cmddumper file_contexts_file:file { read getattr open };
-# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
-#allow cmddumper sysfs:file { read open };
\ No newline at end of file
diff --git a/prebuilts/api/26.0/plat_private/em_svr.te b/prebuilts/api/26.0/plat_private/em_svr.te
index ed42b5d..a061bfa 100755
--- a/prebuilts/api/26.0/plat_private/em_svr.te
+++ b/prebuilts/api/26.0/plat_private/em_svr.te
@@ -48,7 +48,7 @@ allow em_svr sysfs_leds:dir search;
 # Date: WK1812
 # Purpose: add for sensor calibration
-#allow em_svr self:capability { dac_read_search dac_override chown fsetid };
+allow em_svr self:capability { chown fsetid };
 # Date: WK1812
 # Purpose: add for shell cmd
@@ -60,23 +60,4 @@ allow em_svr toolbox_exec:file { getattr execute read open execute_no_trans };
 # Date: WK1812
 # Purpose: sys file access
-#allow em_svr sysfs:file { getattr read write open };
 allow em_svr sysfs:dir { open read };
-
-# Date: WK1812
-# Purpose: proc file access
-#allow em_svr proc:file { getattr open read write };
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/prebuilts/api/26.0/plat_private/emdlogger.te b/prebuilts/api/26.0/plat_private/emdlogger.te
index 92facb8..c73c775 100755
--- a/prebuilts/api/26.0/plat_private/emdlogger.te
+++ b/prebuilts/api/26.0/plat_private/emdlogger.te
@@ -47,10 +47,6 @@ allow emdlogger storage_file:dir { create_dir_perms };
 allow emdlogger tmpfs:lnk_file read;
 allow emdlogger storage_file:file { create_file_perms };
-#permission for read boot mode
-#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
-#allow emdlogger sysfs:file { read open };
-
 # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
 # scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
 allow emdlogger system_file:dir read;
diff --git a/prebuilts/api/26.0/plat_private/fuelgauged_static.te b/prebuilts/api/26.0/plat_private/fuelgauged_static.te
index fdbf7c1..19e1f2a 100755
--- a/prebuilts/api/26.0/plat_private/fuelgauged_static.te
+++ b/prebuilts/api/26.0/plat_private/fuelgauged_static.te
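Review bot: `+allow em_svr self:capability { chown fsetid };` in the `@@ -48,7 +48,7 @@` hunk of em_svr.te converts a commented-out rule into a live grant, which is the opposite of the removal the commit title describes, so it deserves its own justification. With `chown` the daemon can hand any file it can reach to another uid, so the bare `# Purpose: add for sensor calibration` should name the calibration file(s) or quote the avc denial that needs it, and `fsetid` should be dropped unless em_svr actually preserves setuid/setgid bits on files it writes. Dropping `dac_read_search` and `dac_override` is the right call. The `@@ -60,23 +60,4 @@` hunk below is only trailing-blank-line cleanup and is fine.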
@@ -27,13 +27,6 @@ init_daemon_domain(fuelgauged_static)
 allow fuelgauged_static input_device:dir rw_dir_perms;
 allow fuelgauged_static input_device:file r_file_perms;
-
-# Data : WK14.43
-# Operation : Migration
-# Purpose : For fg daemon can comminucate with kernel
-### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
-#allow fuelgauged_static fuelgauged_static:netlink_kobject_uevent_socket create_socket_perms;
-#allow fuelgauged_static fuelgauged_static:netlink_socket create_socket_perms;
 # Data : WK16.21
 # Operation : New Feature
 # Purpose : For fg daemon can access /data/FG folder
@@ -47,4 +40,4 @@ allow fuelgauged_static system_data_file:dir rw_dir_perms;
 allow fuelgauged_static rootfs:file entrypoint;
 # Data : WK16.39
-#allow fuelgauged_static self:capability { chown fsetid dac_override };
+allow fuelgauged_static self:capability { chown fsetid };
diff --git a/prebuilts/api/26.0/plat_private/mdlogger.te b/prebuilts/api/26.0/plat_private/mdlogger.te
index 7a27110..2e9464e 100755
--- a/prebuilts/api/26.0/plat_private/mdlogger.te
+++ b/prebuilts/api/26.0/plat_private/mdlogger.te
@@ -45,10 +45,6 @@ allow mdlogger storage_file:file { create_file_perms };
 ## purpose: avc: denied { read } for name="plat_file_contexts"
 allow mdlogger file_contexts_file:file { read getattr open };
-#permission for read boot mode
-#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
-#allow mdlogger sysfs:file { read open };
-
 # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
 # scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
 allow mdlogger system_file:dir read;
diff --git a/prebuilts/api/26.0/plat_private/meta_tst.te b/prebuilts/api/26.0/plat_private/meta_tst.te
index edada44..6753ea4 100755
--- a/prebuilts/api/26.0/plat_private/meta_tst.te
+++ b/prebuilts/api/26.0/plat_private/meta_tst.te
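Review bot: `+allow fuelgauged_static self:capability { chown fsetid };` in the `@@ -47,4 +40,4 @@` hunk enables a previously disabled grant under a header, `# Data : WK16.39`, that records only a date; every other block in this file carries `Operation :` and `Purpose :` lines, so this one should too, stating which files the daemon needs to chown (presumably the /data/FG files named in the WK16.21 block above — confirm). Removing `dac_override` is good, but `chown`/`fsetid` on a daemon that writes under system_data_file are still worth a cited denial rather than a date, and `fsetid` should go if no setgid bits are involved. This is a grant being added, not an unused rule being removed, so the commit message should say so.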
@@ -21,13 +21,12 @@ init_daemon_domain(meta_tst)
 #============= meta_tst =========================
 allow meta_tst port:tcp_socket { name_connect name_bind };
-#allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };
+allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };
 allow meta_tst self:tcp_socket { create connect setopt bind };
 allow meta_tst self:tcp_socket { bind setopt listen accept read write };
 allow meta_tst self:udp_socket { create ioctl };
 allow meta_tst self:capability { sys_boot ipc_lock };
 allow meta_tst sysfs_wake_lock:file rw_file_perms;
-#allow meta_tst sysfs:file write;
 allow meta_tst property_socket:sock_file w_file_perms;
 allow meta_tst init:unix_stream_socket connectto;
 allow meta_tst vold:unix_stream_socket connectto;
diff --git a/prebuilts/api/26.0/plat_private/mobile_log_d.te b/prebuilts/api/26.0/plat_private/mobile_log_d.te
index a2ee26d..aca585f 100755
--- a/prebuilts/api/26.0/plat_private/mobile_log_d.te
+++ b/prebuilts/api/26.0/plat_private/mobile_log_d.te
@@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop)
 unix_socket_connect(mobile_log_d, logdr, logd);
 #capability
-#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid };
+allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };
 allow mobile_log_d self:capability { setuid chown setgid };
 allow mobile_log_d self:capability2 syslog;
@@ -66,6 +66,5 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms;
 # access debugfs/tracing/instances/
 allow mobile_log_d debugfs_tracing:dir create_dir_perms;
-#allow mobile_log_d debugfs_tracing:file create_file_perms;
 allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
 allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
diff --git a/prebuilts/api/26.0/plat_private/netdiag.te b/prebuilts/api/26.0/plat_private/netdiag.te
index 2ab7981..75b630f 100755
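Review bot: `+allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };` in the meta_tst.te hunk activates a grant of `sys_admin`, which on Linux is close to unrestricted root (mount, many privileged ioctls, namespace and quota operations), and nothing in the hunk cites a denial that needs it; removing `dac_override` is right, but `sys_admin` deserves the same scrutiny and should be dropped unless a specific operation is documented. The same hunk keeps a second statement four lines later, `allow meta_tst self:capability { sys_boot ipc_lock };`, so the two should be merged into one statement with a per-capability comment, e.g. `allow meta_tst self:capability { chown fowner fsetid ipc_lock net_admin net_raw sys_boot sys_nice };` (adding `sys_admin` back only with a cited reason). If meta_tst is a factory/META-mode-only daemon, record that in the comment, because as far as this file shows the domain and its grants exist in the normal policy.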
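Review bot: `+allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };` in the `@@ -22,7 +22,7 @@` hunk of mobile_log_d.te is immediately followed by the pre-existing `allow mobile_log_d self:capability { setuid chown setgid };`, which is now a strict subset, so that second line is dead and should be deleted or the two merged. Dropping `dac_read_search`/`dac_override` is the right call; `fowner` plus `chown` still lets the logger re-own any file it can open, so the bare `#capability` comment should name the log paths that require it. If the `setuid`/`setgid` pair is there because the daemon drops privileges after start-up, a one-line comment saying so would justify the grant.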
--- a/prebuilts/api/26.0/plat_private/netdiag.te +++ b/prebuilts/api/26.0/plat_private/netdiag.te @@ -59,13 +59,6 @@ allow netdiag netpolicy_service:service_manager find; allow netdiag network_management_service:service_manager find; allow netdiag settings_service:service_manager find; - - -# Purpose : for socket with MTKLogger -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow netdiag self:socket_class_set { create_socket_perms }; -#allow netdiag self:netlink_route_socket { create_socket_perms nlmsg_read }; - # Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop allow netdiag device_logging_prop:file { getattr open }; allow netdiag mmc_prop:file { getattr open }; diff --git a/prebuilts/api/26.0/plat_private/ppp.te b/prebuilts/api/26.0/plat_private/ppp.te index 5b3376f..99248c7 100755 --- a/prebuilts/api/26.0/plat_private/ppp.te +++ b/prebuilts/api/26.0/plat_private/ppp.te @@ -16,9 +16,6 @@ allow ppp property_socket:sock_file write; # Purpose: for PPPOE Test allow ppp devpts:chr_file { read write ioctl open setattr }; -#allow ppp self:capability { setuid net_raw setgid dac_override }; -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -#allow ppp self:packet_socket { write ioctl setopt read bind create }; allow ppp shell_exec:file { read execute open execute_no_trans }; diff --git a/prebuilts/api/26.0/plat_private/thermalindicator.te b/prebuilts/api/26.0/plat_private/thermalindicator.te index 8a9131d..735f3ca 100755 --- a/prebuilts/api/26.0/plat_private/thermalindicator.te +++ b/prebuilts/api/26.0/plat_private/thermalindicator.te 
@@ -31,11 +31,10 @@ allow servicemanager thermalindicator:process { getattr };
 typeattribute thermalindicator mlstrustedsubject;
 allow thermalindicator proc:dir {search getattr};
-#allow thermalindicator proc:file read;
 allow thermalindicator shell:dir search;
 allow thermalindicator platform_app:dir search;
 allow thermalindicator platform_app:file {open read getattr};
 allow thermalindicator untrusted_app:dir search;
 allow thermalindicator untrusted_app:file {open read getattr};
 allow thermalindicator mediaserver:dir search;
-allow thermalindicator mediaserver:file {open read getattr};
\ No newline at end of file +allow thermalindicator mediaserver:file {open read getattr}; |