-rw-r--r--non_plat/aee_aedv.te2
-rw-r--r--non_plat/aee_core_forwarder.te6
-rw-r--r--non_plat/aee_hidl.te2
-rw-r--r--non_plat/atci_service.te3
-rw-r--r--non_plat/attributes10
-rw-r--r--non_plat/audioserver.te2
-rw-r--r--non_plat/cameraserver.te16
-rw-r--r--non_plat/crash_dump.te73
-rw-r--r--non_plat/dumpstate.te9
-rw-r--r--non_plat/emdlogger.te2
-rw-r--r--non_plat/file.te10
-rw-r--r--non_plat/file_contexts3
-rw-r--r--non_plat/genfs_contexts11
-rw-r--r--non_plat/hal_thermal_default.te8
-rw-r--r--non_plat/hwservice.te2
-rw-r--r--non_plat/hwservice_contexts2
-rw-r--r--non_plat/mdlogger.te2
-rw-r--r--non_plat/meta_tst.te7
-rw-r--r--non_plat/mobile_log_d.te2
-rw-r--r--non_plat/mtk_hal_aee.te6
-rw-r--r--non_plat/property.te569
-rw-r--r--non_plat/property_contexts41
-rw-r--r--non_plat/radio.te152
-rw-r--r--non_plat/shell.te2
-rw-r--r--non_plat/stp_dump3.te1
-rw-r--r--non_plat/system_server.te2
-rw-r--r--non_plat/uncrypt.te6
-rw-r--r--non_plat/vendor_init.te31
-rw-r--r--plat_private/aee_core_forwarder.te2
-rw-r--r--plat_private/crash_dump.te120
-rw-r--r--plat_private/domain.te6
-rw-r--r--plat_private/file_contexts4
-rw-r--r--plat_private/property_contexts14
-rw-r--r--plat_private/system_app.te2
-rw-r--r--plat_private/system_server.te4
-rw-r--r--plat_public/attributes6
-rw-r--r--plat_public/domain.te263
-rw-r--r--plat_public/property.te27
38 files changed, 726 insertions, 704 deletions
diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te
index 1231a55..e5d7aad 100644
--- a/non_plat/aee_aedv.te
+++ b/non_plat/aee_aedv.te
@@ -435,3 +435,5 @@ allow aee_aedv proc_aed_reboot_reason:file r_file_perms;
# Purpose: Allow aee_aedv to write /proc/sys/vm/drop_caches
allow aee_aedv proc_drop_caches:file rw_file_perms;
+
+allow aee_aedv proc_wmt_aee:file r_file_perms;
diff --git a/non_plat/aee_core_forwarder.te b/non_plat/aee_core_forwarder.te
index 43e97fe..2619bf6 100644
--- a/non_plat/aee_core_forwarder.te
+++ b/non_plat/aee_core_forwarder.te
@@ -5,14 +5,14 @@
# MTK Policy Rule
# ==============================================
-allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
-allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
+allow aee_core_forwarder aee_exp_data_file:dir rw_dir_perms;
+allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
get_prop(aee_core_forwarder, hwservicemanager_prop)
# Date: 2019/06/14
# Operation : Migration
# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
wakelock_use(aee_core_forwarder)
-allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
+allow aee_core_forwarder crash_dump:unix_stream_socket connectto;
allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
hwbinder_use(aee_core_forwarder)
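Review bot: Replacing the explicit permission sets on `aee_exp_data_file` with `rw_dir_perms` and `create_file_perms` widens what aee_core_forwarder may do there, and nothing in the hunk says which extra operation was needed. As those macros are defined in AOSP's global_macros, the directory rule gains `remove_name` and `read`, and the file rule gains `unlink`, `rename`, `setattr` and `read`, so the domain can now delete or replace existing dump files rather than only add new ones. If the forwarder only creates and writes dumps, a narrower form such as `allow aee_core_forwarder aee_exp_data_file:dir ra_dir_perms;` keeps the old scope. Otherwise, add a purpose comment naming the denial that required the wider set.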
diff --git a/non_plat/aee_hidl.te b/non_plat/aee_hidl.te
index 347cbdc..5bc639b 100644
--- a/non_plat/aee_hidl.te
+++ b/non_plat/aee_hidl.te
@@ -5,7 +5,7 @@ type aee_hal,domain;
type aee_hal_exec, exec_type, file_type, vendor_file_type;
typeattribute aee_hal mlstrustedsubject;
# Purpose : for create hidl server
-hal_server_domain(aee_hal, mtk_hal_log)
+hal_server_domain(aee_hal, mtk_hal_aee)
# ==============================================
# MTK Policy Rule
# ==============================================
diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te
index af1e683..e55c5a8 100644
--- a/non_plat/atci_service.te
+++ b/non_plat/atci_service.te
@@ -114,10 +114,7 @@ allow atci_service sysfs_batteryinfo:dir search;
allow atci_service sysfs_batteryinfo:file { read getattr open };
allow atci_service system_file:dir { read open };
allow atci_service camera_pipemgr_device:chr_file { read ioctl open };
-#allow atci_service media_rw_data_file:dir { read getattr open };
-#allow atci_service media_rw_data_file:file { getattr setattr };
allow atci_service mtkcam_prop:file { read getattr open };
-#allow atci_service hal_camera_hwservice:hwservice_manager find;
allow atci_service mtk_hal_camera:binder call;
allow atci_service debugfs_ion:dir search;
allow atci_service sysfs_tpd_setting:file { read write open getattr };
diff --git a/non_plat/attributes b/non_plat/attributes
index e00aa73..3c2632a 100644
--- a/non_plat/attributes
+++ b/non_plat/attributes
@@ -52,12 +52,6 @@ attribute mtk_hal_log;
attribute mtk_hal_log_client;
attribute mtk_hal_log_server;
-# Date: 2018/06/26
-# em hidl
-attribute mtk_hal_em;
-attribute mtk_hal_em_client;
-attribute mtk_hal_em_server;
-
# Date: 2018/07/02
# MDP HIDL
attribute hal_mms;
@@ -87,4 +81,6 @@ attribute mtk_hal_bgs;
attribute mtk_hal_bgs_client;
attribute mtk_hal_bgs_server;
-
+attribute mtk_hal_aee;
+attribute mtk_hal_aee_client;
+attribute mtk_hal_aee_server;
diff --git a/non_plat/audioserver.te b/non_plat/audioserver.te
index e4451c8..71f7b4f 100644
--- a/non_plat/audioserver.te
+++ b/non_plat/audioserver.te
@@ -50,7 +50,7 @@ allow audioserver proc_ged:file rw_file_perms;
# Date : WK16.48
# Purpose: Allow to trigger AEE dump
-allow audioserver aee_aed:unix_stream_socket connectto;
+allow audioserver crash_dump:unix_stream_socket connectto;
# Date: 2019/06/14
# Operation : Migration
diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te
index 318cf2e..428afa0 100644
--- a/non_plat/cameraserver.te
+++ b/non_plat/cameraserver.te
@@ -28,22 +28,6 @@ allow cameraserver self:process { ptrace };
# -----------------------------------
allow cameraserver mtkcam_prop:file { open read getattr };
-# Date : WK14.31
-# Operation : Migration
-# Purpose : camera devices access.
-# allow cameraserver camera_isp_device:chr_file rw_file_perms;
-# allow cameraserver ccu_device:chr_file rw_file_perms;
-# allow cameraserver vpu_device:chr_file rw_file_perms;
-# allow cameraserver kd_camera_hw_device:chr_file rw_file_perms;
-# allow cameraserver seninf_device:chr_file rw_file_perms;
-# allow cameraserver self:capability { setuid ipc_lock sys_nice };
-# allow cameraserver sysfs_wake_lock:file rw_file_perms;
-# allow cameraserver MTK_SMI_device:chr_file r_file_perms;
-# allow cameraserver camera_pipemgr_device:chr_file r_file_perms;
-# allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
-# allow cameraserver lens_device:chr_file rw_file_perms;
-# allow cameraserver nvdata_file:lnk_file read;
-
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)
diff --git a/non_plat/crash_dump.te b/non_plat/crash_dump.te
new file mode 100644
index 0000000..3dda418
--- /dev/null
+++ b/non_plat/crash_dump.te
@@ -0,0 +1,73 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+allow crash_dump aee_exp_data_file:file rw_file_perms;
+allow crash_dump aee_exp_data_file:dir r_dir_perms;
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow crash_dump aed_device:chr_file rw_file_perms;
+allow crash_dump expdb_device:chr_file rw_file_perms;
+allow crash_dump expdb_block_device:blk_file rw_file_perms;
+allow crash_dump etb_device:chr_file rw_file_perms;
+
+# open/dev/mtd/mtd12 failed(expdb)
+allow crash_dump mtd_device:dir create_dir_perms;
+allow crash_dump mtd_device:chr_file rw_file_perms;
+
+# NE flow: /dev/RT_Monitor
+allow crash_dump RT_Monitor_device:chr_file r_file_perms;
+
+#data/aee_exp
+allow crash_dump aee_exp_data_file:dir create_dir_perms;
+allow crash_dump aee_exp_data_file:file create_file_perms;
+
+#data/dumpsys
+allow crash_dump aee_dumpsys_data_file:dir create_dir_perms;
+allow crash_dump aee_dumpsys_data_file:file create_file_perms;
+
+#/data/core
+allow crash_dump aee_core_data_file:dir create_dir_perms;
+allow crash_dump aee_core_data_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow crash_dump data_tmpfs_log_file:dir create_dir_perms;
+allow crash_dump data_tmpfs_log_file:file create_file_perms;
+
+# Purpose: crash_dump set property
+set_prop(crash_dump, persist_mtk_aee_prop);
+set_prop(crash_dump, persist_aee_prop);
+set_prop(crash_dump, debug_mtk_aee_prop);
+
+# /proc/lk_env
+allow crash_dump proc_lk_env:file rw_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/pid/exe
+#allow crash_dump exec_type:file r_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/cpu/alignment
+allow crash_dump proc_cpu_alignment:file { write open };
+
+# Purpose: Allow crash_dump to access /sys/devices/virtual/timed_output/vibrator/enable
+allow crash_dump sysfs_vibrator_setting:dir search;
+allow crash_dump sysfs_vibrator_setting:file w_file_perms;
+allow crash_dump sysfs_vibrator:dir search;
+allow crash_dump sysfs_leds:dir search;
+
+# Purpose: Allow crash_dump to read /proc/kpageflags
+allow crash_dump proc_kpageflags:file r_file_perms;
+
+# temp solution
+get_prop(crash_dump, vendor_default_prop)
+
+hal_client_domain(crash_dump, mtk_hal_aee)
+
+# Purpose: create /data/aee_exp at runtime
+allow crash_dump file_contexts_file:file r_file_perms;
+allow crash_dump aee_exp_data_file:dir relabelto;
+
+allow crash_dump proc_ppm:dir r_dir_perms;
+allow crash_dump proc_ppm:file rw_file_perms;
+allow crash_dump selinuxfs:file r_file_perms;
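Review bot: The comment above the `proc_cpu_alignment` rule says crash_dump reads /proc/cpu/alignment, but the rule grants `{ write open }` and no read, so the comment should read `# Purpose: Allow crash_dump to write /proc/cpu/alignment`. The first two rules of the file (`aee_exp_data_file:file rw_file_perms` and `aee_exp_data_file:dir r_dir_perms`) are subsumed by the later `create_file_perms` and `create_dir_perms` rules on the same type and can be dropped. This file adds vendor rules to crash_dump, which presumably handles state taken from crashing processes. The write grants on `expdb_block_device`, `mtd_device` and `proc_lk_env` would therefore benefit from a purpose comment per rule, so a later audit can tell which are still required. The three `set_prop(...)` lines also carry a trailing `;` that the `get_prop` line does not.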
diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te
index 01343a5..badbe56 100644
--- a/non_plat/dumpstate.te
+++ b/non_plat/dumpstate.te
@@ -60,8 +60,8 @@ allow dumpstate sf_rtt_file:dir { search getattr };
# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
# dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
# tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
-allow dumpstate aee_aed:fd use;
-allow dumpstate aee_aed:unix_stream_socket { read write ioctl };
+allow dumpstate crash_dump:fd use;
+allow dumpstate crash_dump:unix_stream_socket { read write ioctl connectto };
# private define
# allow dumpstate config_gz:file read;
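Review bot: The socket rule does more than rename its target, because `connectto` is added to the permission set, and the denial quoted above it covers only `{ use }` on an fd with `tcontext=u:r:aee_aed:s0`. The new permission lets dumpstate initiate a connection to crash_dump's socket, where it could previously only use an inherited one, and nothing visible here justifies it. Put it on its own line under a comment that quotes the actual denial, e.g. `allow dumpstate crash_dump:unix_stream_socket connectto;`, and update the quoted tcontext so the comment matches the rule.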
@@ -178,4 +178,7 @@ allow dumpstate mtee_trusty_file:file rw_file_perms;
# 09-05 15:58:31.552000 9693 9693 W df : type=1400 audit(0.0:990):
# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
-allow dumpstate mnt_expand_file:dir search;
+allow dumpstate mnt_expand_file:dir { search getattr };
+
+#Purpose: Allow dumpstate to read /dev/usb-ffs
+allow dumpstate functionfs:file { getattr };
diff --git a/non_plat/emdlogger.te b/non_plat/emdlogger.te
index a026832..58cc8ca 100644
--- a/non_plat/emdlogger.te
+++ b/non_plat/emdlogger.te
@@ -75,7 +75,7 @@ allow emdlogger media_rw_data_file:dir { create_dir_perms };
#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:emdlogger:s0
#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
#security issue control
-allow emdlogger aee_aed:unix_stream_socket connectto;
+allow emdlogger crash_dump:unix_stream_socket connectto;
# For dynamic CCB buffer feature
#avc: denied { read write } for name="lk_env" dev="proc" ino=4026532192
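Review bot: The denial quoted above the changed rule still names `tcontext=u:object_r:aee_aed_socket:s0`, while the rule now grants `connectto` on `crash_dump`, so the comment no longer documents the rule beneath it. Replace the stale AVC line with the denial observed against crash_dump, or with a short purpose line such as `# Purpose: allow emdlogger to connect to the AEE socket (target domain now crash_dump)`. The same stale reference sits above the changed rule in the non_plat/mdlogger.te hunk.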
diff --git a/non_plat/file.te b/non_plat/file.te
index 5c12bb3..62bdd7e 100644
--- a/non_plat/file.te
+++ b/non_plat/file.te
@@ -128,7 +128,7 @@ type aee_core_data_file, file_type, data_file_type, core_data_file_type;
type aee_core_vendor_file, file_type, data_file_type;
# AEE exp
-type aee_exp_data_file, file_type, data_file_type, core_data_file_type;
+type aee_exp_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type aee_exp_vendor_file, file_type, data_file_type;
type aee_dumpsys_data_file, file_type, data_file_type, core_data_file_type;
type aee_dumpsys_vendor_file, file_type, data_file_type;
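Review bot: Adding `mlstrustedobject` to `aee_exp_data_file` exempts the type from the MLS read and write constraints, and the change carries no comment explaining why. With that attribute, only the type-enforcement rules limit which domains can reach this directory, and crash dumps can hold memory contents from the crashed process. State the reason next to the declaration, e.g. `# mlstrustedobject: <domains at other MLS levels that must write dumps here>`. It is also worth confirming that no broad attribute-based rule grants access to this type.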
@@ -442,3 +442,11 @@ type sysfs_chipid, fs_type, sysfs_type;
# Date : 2019/12/12
# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
type sysfs_concurrency_scenario, fs_type, sysfs_type;
+
+type proc_wmt_aee, fs_type, proc_type;
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+type sysfs_meta_info, fs_type, sysfs_type;
+
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index c17da3a..051b949 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -537,6 +537,7 @@
/(system\/vendor|vendor)/bin/slpd u:object_r:slpd_exec:s0
/(system\/vendor|vendor)/bin/thermal_manager u:object_r:thermal_manager_exec:s0
/(system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mtk u:object_r:hal_thermal_default_exec:s0
/(system\/vendor|vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0
/(system\/vendor|vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0
/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
@@ -642,7 +643,7 @@
/vendor/lib(64)?/libtflite_mtk.so u:object_r:same_process_hal_file:s0
-/vendor/bin/hw/vendor\.mediatek\.hardware\.log@1\.0-service u:object_r:aee_hal_exec:s0
+/vendor/bin/hw/vendor\.mediatek\.hardware\.aee@1\.0-service u:object_r:aee_hal_exec:s0
/vendor/bin/loghidlvendorservice u:object_r:loghidlvendorservice_exec:s0
diff --git a/non_plat/genfs_contexts b/non_plat/genfs_contexts
index 86453af..1d11eb3 100644
--- a/non_plat/genfs_contexts
+++ b/non_plat/genfs_contexts
@@ -64,6 +64,8 @@ genfscon proc /isp_p2 u:object_r:proc_isp_p2:s0
# Purpose: Android Migration for SVP
genfscon proc /m4u u:object_r:proc_m4u:s0
+genfscon proc /driver/wmt_aee u:object_r:proc_wmt_aee:s0
+
#############################
# sysfs files
@@ -88,9 +90,12 @@ genfscon sysfs /devices/platform/battery/ADC_Charger_Voltage u:object_r:sysfs_vb
genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_express:s0
genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0
genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/mt6370_pmu_charger/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0
@@ -279,3 +284,9 @@ genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/cmode u:object_r:sysfs_
# Date : 2019/12/12
# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
genfscon sysfs /bus/platform/drivers/mem_bw_ctrl/concurrency_scenario u:object_r:sysfs_concurrency_scenario:s0
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+genfscon sysfs /firmware/devicetree/base/chosen/atag,meta u:object_r:sysfs_meta_info:s0
+
diff --git a/non_plat/hal_thermal_default.te b/non_plat/hal_thermal_default.te
index 2a648fb..50e069c 100644
--- a/non_plat/hal_thermal_default.te
+++ b/non_plat/hal_thermal_default.te
@@ -6,3 +6,11 @@
allow hal_thermal_default proc_mtktz:dir search;
allow hal_thermal_default proc_mtktz:file {open read getattr};
allow hal_thermal_default proc_stat:file {open read getattr };
+
+#for uevent handle
+allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+#for thermal sysfs
+allow hal_thermal_default sysfs_therm:file w_file_perms;
+allow hal_thermal_default sysfs_therm:file r_file_perms;
+allow hal_thermal_default sysfs_therm:dir search; \ No newline at end of file
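Review bot: The two `sysfs_therm:file` rules grant `w_file_perms` and `r_file_perms` separately, where a single `allow hal_thermal_default sysfs_therm:file rw_file_perms;` says the same thing and is easier to audit. The file also ends without a trailing newline, which will show up as noise in the next diff that appends a rule. If the HAL only writes a few specific thermal nodes, a dedicated type for those nodes would be tighter than write access to everything labelled `sysfs_therm`.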
diff --git a/non_plat/hwservice.te b/non_plat/hwservice.te
index 6a7304a..88933c8 100644
--- a/non_plat/hwservice.te
+++ b/non_plat/hwservice.te
@@ -61,3 +61,5 @@ type mtk_hal_hdmi_hwservice, hwservice_manager_type;
# Date: 2019/09/06
# BGService HIDL
type mtk_hal_bgs_hwservice, hwservice_manager_type;
+
+type mtk_hal_aee_hwservice, hwservice_manager_type;
diff --git a/non_plat/hwservice_contexts b/non_plat/hwservice_contexts
index 614e502..f91c880 100644
--- a/non_plat/hwservice_contexts
+++ b/non_plat/hwservice_contexts
@@ -75,3 +75,5 @@ vendor.mediatek.hardware.hdmi::IMtkHdmiService u:object_r:mtk_hal_hdmi_hwservice
#Date: 2019/09/02
# ATMs hidl
vendor.mediatek.hardware.camera.atms::IATMs u:object_r:hal_camera_hwservice:s0
+
+vendor.mediatek.hardware.aee::IAee u:object_r:mtk_hal_aee_hwservice:s0
diff --git a/non_plat/mdlogger.te b/non_plat/mdlogger.te
index 4d3cf3e..55f524a 100644
--- a/non_plat/mdlogger.te
+++ b/non_plat/mdlogger.te
@@ -42,7 +42,7 @@ allow mdlogger media_rw_data_file:dir { create_dir_perms };
#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:mdlogger:s0
#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
#security issue control
-allow mdlogger aee_aed:unix_stream_socket connectto;
+allow mdlogger crash_dump:unix_stream_socket connectto;
## purpose: avc: denied { read } for name="plat_file_contexts"
allow emdlogger file_contexts_file:file { read getattr open};
diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te
index ead7145..4ebfcbc 100644
--- a/non_plat/meta_tst.te
+++ b/non_plat/meta_tst.te
@@ -417,3 +417,10 @@ allow meta_tst adsp_device:chr_file rw_file_perms;
# Operation: P migration
# Purpose : audio scp recovery
allow meta_tst audio_scp_device:chr_file r_file_perms;
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+allow meta_tst sysfs_boot_info:file r_file_perms;
+allow meta_tst proc_bootprof:file getattr;
+allow meta_tst sysfs_meta_info:file r_file_perms;
diff --git a/non_plat/mobile_log_d.te b/non_plat/mobile_log_d.te
index 0caa870..36bbf63 100644
--- a/non_plat/mobile_log_d.te
+++ b/non_plat/mobile_log_d.te
@@ -43,7 +43,7 @@ set_prop(mobile_log_d, mobile_log_prop)
# Date: 2016/11/11
# purpose: allow MobileLog to access aee socket
-allow mobile_log_d aee_aed:unix_stream_socket connectto;
+allow mobile_log_d crash_dump:unix_stream_socket connectto;
# purpose: send log to com port
allow mobile_log_d ttyGS_device:chr_file { read write ioctl open };
diff --git a/non_plat/mtk_hal_aee.te b/non_plat/mtk_hal_aee.te
new file mode 100644
index 0000000..9cbc548
--- /dev/null
+++ b/non_plat/mtk_hal_aee.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_aee_client, mtk_hal_aee_server)
+binder_call(mtk_hal_aee_server, mtk_hal_aee_client)
+
+add_hwservice(mtk_hal_aee_server, mtk_hal_aee_hwservice)
+allow mtk_hal_aee_client mtk_hal_aee_hwservice:hwservice_manager find;
diff --git a/non_plat/property.te b/non_plat/property.te
index 3abf8df..5a920c3 100644
--- a/non_plat/property.te
+++ b/non_plat/property.te
@@ -2,323 +2,252 @@
# MTK Policy Rule
# ==============================================
-# MTK properties, allow all system/vendor processes to read.
-type mtk_default_prop, property_type, mtk_core_property_type;
-
-# Date: W14.32
-# Operation: Migration
-# Purpose: don't allow to use default_prop
-### TBD
-#neverallow { domain -init } default_prop:property_service set;
-#neverallow { domain -init -system_server -recovery -system_app} ctl_default_prop:property_service set;
-
-#=============allow ccci_mdinit to start gsm0710muxd==============
-type ctl_gsm0710muxd_prop, property_type;
-type ctl_gsm0710muxd-s_prop, property_type;
-type ctl_gsm0710muxd-d_prop, property_type;
-
-#=============allow viarild to start property==============
-type ctl_viarild_prop, property_type;
-#=============allow mtkrild to set persist.ril property==============
-type vendor_ril_ipo_prop, property_type, mtk_core_property_type;
-
-#=============allow gsm0710muxd to set mux property==============
-type gsm0710muxd_prop, property_type, mtk_core_property_type;
-
-#=============allow netlog running==============
-type debug_mtklog_prop, property_type, extended_core_property_type;
-type persist_mtklog_prop, property_type, extended_core_property_type;
-type debug_netlog_prop, property_type, extended_core_property_type;
-
-#=============allow netd to set mtk_wifi.*=========================
-type mtk_wifi_prop, property_type, mtk_core_property_type;
-
-#=============allow mdlogger==============
-type debug_mdlogger_prop, property_type, extended_core_property_type;
-type vendor_mdl_prop, property_type, extended_core_property_type;
-type vendor_mdl_start_prop, property_type, extended_core_property_type;
-type vendor_usb_prop, property_type;
-type persist_mdlog_prop, property_type, extended_core_property_type;
-type vendor_mdl_pulllog_prop, property_type, extended_core_property_type;
-
-#=============allow AEE==============
-type persist_mtk_aee_prop, property_type, extended_core_property_type;
-type persist_aee_prop, property_type, extended_core_property_type;
-type debug_mtk_aee_prop, property_type, extended_core_property_type;
-
-type persist_mtk_aeev_prop, property_type, mtk_core_property_type;
-type persist_aeev_prop, property_type, mtk_core_property_type;
-type debug_mtk_aeev_prop, property_type, mtk_core_property_type;
-type ro_mtk_aee_prop, property_type, mtk_core_property_type;
-
-#=============allow aee_dumpstate==============
-type debug_bq_dump_prop, property_type, extended_core_property_type;
-
-#=============allow ccci_mdinit to stop rild==============
-type ctl_ril-daemon-mtk_prop, property_type;
-type ctl_fusion_ril_mtk_prop, property_type;
-type ctl_ril-daemon-s_prop, property_type;
-type ctl_ril-daemon-d_prop, property_type;
-type ctl_ril-proxy_prop, property_type;
-
-#=============allow ccci_mdinit to start ccci_fsd==============
-type ctl_ccci_fsd_prop, property_type;
-type ctl_ccci2_fsd_prop, property_type;
-type ctl_ccci3_fsd_prop, property_type;
-
-#=============allow ccci_mdinit to set ril_active_md_prop==============
-type ril_active_md_prop, property_type, mtk_core_property_type;
-
-#=============allow ccci_mdinit to stop rild==============
-type ril_mux_report_case_prop, property_type, mtk_core_property_type;
-type ril_cdma_report_prop, property_type, mtk_core_property_type;
-
-#=============allow ccci_mdinit to mtk_md_prop==============
-type mtk_md_prop, property_type, mtk_core_property_type;
-
-#=============allow mtkrild to start muxreport==============
-type ctl_muxreport-daemon_prop, property_type;
-
-#=============allow telephony modules to set tel_switch_prop==============
-type tel_switch_prop, property_type, mtk_core_property_type;
-
-#=============allow bootanim==============
-type bootani_prop, property_type, extended_core_property_type;
-
-#=============allow mnld_prop==============
-type mnld_prop, property_type, mtk_core_property_type;
-
-#=============allow audiohal==============
-type audiohal_prop, property_type, mtk_core_property_type;
-
-#=============allow wmt==============
-type wmt_prop, property_type, mtk_core_property_type;
-type coredump_prop, property_type, mtk_core_property_type;
-
-#=============allow sensor==============
-type ctl_emcsmdlogger_prop, property_type;
-type ctl_eemcs_fsd_prop, property_type;
-
-#=============allow statusd==============
-type net_cdma_mdmstat, property_type, mtk_core_property_type;
-
-#=============allow bt==============
-type persist_bt_prop, property_type, mtk_core_property_type;
-
-#============= allow factory idle current prop ==============
-type vendor_factory_idle_state_prop, property_type, mtk_core_property_type;
-
-#============= allow mobile log property ===============
-type mobile_log_prop, property_type, extended_core_property_type;
-
-#============= allow service.nvram_init property ===============
-type service_nvram_init_prop, property_type, mtk_core_property_type;
-
-#============= allow ro.wlan.mtk.wifi.5g property ===============
-type wifi_5g_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set client.appmode ==============
-type mtk_em_prop, property_type, mtk_core_property_type;
-
-#=============allow mediatek_prop ==============
-type mediatek_prop, property_type, mtk_core_property_type;
-
-#=============Property set by EM, for test/debug purpose=========
-type mtk_em_sys_prop, property_type, extended_core_property_type;
-type mtk_em_hidl_prop, property_type, mtk_core_property_type;
-
-#============= allow em set protocol ===============
-type mtk_em_net_auto_tethering_prop, property_type, extended_core_property_type;
-
-#=============allow em set property=============
-type mtk_operator_id_prop, property_type, mtk_core_property_type;
-
-#=============allow em set testsim.cardtype property===========
-type mtk_simswitch_emmode_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_dsbp_support_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_imstestmode_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_smsformat_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_gprs_prefer_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_testsim_cardtype_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_ct_ir_engmode_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_disable_c2k_cap_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set modem reset delay property================
-type mtk_debug_md_reset_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set video log omx.* property================
-type mtk_omx_log_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set vdec log property================
-type mtk_vdec_log_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set vdectlc log property================
-type mtk_vdectlc_log_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set venc h264 showlog property================
-type mtk_venc_h264_showlog_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set modem warning_prop property================
-type mtk_modem_warning_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set bgdata disabled property================
-type mtk_bgdata_disabled, property_type, extended_core_property_type;
-
-#=============allow em to set telecom vibrate property================
-type mtk_telecom_vibrate, property_type, extended_core_property_type;
-
-#=============allow em to set gprs attach type property================
-type mtk_gprs_attach_type, property_type, extended_core_property_type;
-
-#=============allow em to set poweroffmd property================
-type mtk_power_off_md_type, property_type, extended_core_property_type;
-
-#=============allow meta_tst to stop specific service ===============
-type ctl_mobile_log_d_prop, property_type;
-type ctl_mnld_prop, property_type;
-type ctl_mobicore_prop, property_type;
-
-#=============allow system server to set meta_connecttype property ==============
-type meta_connecttype_prop, property_type;
-
-#=============Telephony Sensitive property==============
-type mtk_telephony_sensitive_prop, property_type;
-
-#=============allow processes to change thermal config================
-type mtk_thermal_config_prop, property_type;
-
-#=============allow composer set property ============================
-type graphics_hwc_pid_prop, property_type;
-type graphics_hwc_latch_unsignaled_prop, property_type;
-type graphics_hwc_hdr_prop, property_type;
-
-#============= mtkcam property ============================
-type mtkcam_prop, property_type;
-
-#============= atm modem mode property ==============
-type atm_mdmode_prop, property_type;
-
-#============= atm ip address property ==============
-type atm_ipaddr_prop, property_type;
-
-#=============allow consyslogger==============
-type vendor_connsysfw_prop, property_type, extended_core_property_type;
-
-#=============radio group property=============
-type vendor_radio_prop, property_type, mtk_core_property_type;
-
-#=============allow bluetooth==============
-type vendor_bluetooth_prop, property_type, extended_core_property_type;
-
-#=============allow ct volte==============
-type mtk_ct_volte_prop, property_type, mtk_core_property_type;
-
-#=============mtk ril mode property=============
-type mtk_ril_mode_prop, property_type, mtk_core_property_type;
-type mtk_ss_vendor_prop, property_type, mtk_core_property_type;
-
-#=============GPS support properties==============
-type mtk_gps_support_prop, property_type, mtk_core_property_type;
-
-#=============mtk rat config property=============
-type mtk_rat_config_prop, property_type, mtk_core_property_type;
-
-#=============mtk aal property=============
-type mtk_aal_ro_prop, property_type, mtk_core_property_type;
-
-#=============mtk pq property=============
-type mtk_pq_ro_prop, property_type, mtk_core_property_type;
-type mtk_pq_prop, property_type, mtk_core_property_type;
-
-#=============mtk emmc property=============
-type mtk_emmc_support_prop, property_type, mtk_core_property_type;
-
-#=============sim system property=============
-type vendor_sim_system_prop, property_type, extended_core_property_type;
-
-#=============em usb property==============
-type vendor_em_usb_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set usb otg enable property ==============
-type vendor_usb_otg_switch, property_type, mtk_core_property_type;
-
-#=============mtk anr property=============
-type mtk_anr_support_prop, property_type, mtk_core_property_type;
-
-#=============mtk app resolution tuner property=============
-type mtk_appresolutiontuner_prop, property_type, mtk_core_property_type;
-
-#=============mtk fullscreen switch=============
-type mtk_fullscreenswitch_prop, property_type, mtk_core_property_type;
-
-# MTK Antutu feature
-type mtk_antutu_prop, property_type, mtk_core_property_type;
-
-#=============mtk malloc debug switch unwind backtrace property=============
-type mtk_malloc_debug_backtrace_prop, property_type, mtk_core_property_type;
-
-#=============MTK Voice Recognize property===========
-type mtk_voicerecgnize_prop, property_type, mtk_core_property_type;
-
-#=============allow radio to set/get xcap rawurl config================
-type persist_xcap_rawurl_prop, property_type, extended_core_property_type;
-
-#=============allow atcid==============
-type persist_service_atci_prop, property_type, mtk_core_property_type;
-type mtk_atci_prop, property_type, mtk_core_property_type;
-
-#=============allow Netd property==============
-type mtk_net_ipv6_prop, property_type, mtk_core_property_type;
-
-#============= allow carrier express (cxp) ==============
-type usp_prop, property_type, mtk_core_property_type;
-type usp_srv_prop, property_type, extended_core_property_type;
-type mtk_cxp_vendor_prop, property_type, mtk_core_property_type;
-
-#=============allow MD to set mtk_md_version_prop==============
-type mtk_md_version_prop, property_type, mtk_core_property_type;
-
-#=============allow radio to set mtk_volte_enable property==============
-type mtk_volte_prop, property_type, mtk_core_property_type;
-
-#=============allow AMS dynamic enable log property===========
-type mtk_amslog_prop, property_type, extended_core_property_type;
-
-#=============allow android log much property==============
-type logmuch_prop, property_type, extended_core_property_type;
-
-#=============mtk bt enable SAP profile property=============
-type mtk_bt_sap_enable_prop, property_type, mtk_core_property_type;
-
-#=============MTK powerhal property================
-type mtk_powerhal_prop, property_type;
-
-#=============MTK Wifi wlan_assistant property=============
-type mtk_nvram_ready_prop, property_type, mtk_core_property_type;
-
-#=============allow wifi hotspot to read property===========
-type mtk_wifi_hotspot_prop, property_type, mtk_core_property_type;
-
-#=============mtk hdmi property=============
-type mtk_hdmi_prop, property_type, mtk_core_property_type;
-
-#=============mtk nn option property=============
-type mtk_nn_option_prop, property_type;
-
-#============system wfc service property===========
-type mtk_wfc_serv_prop, property_type;
-
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties used only in /vendor
+vendor_internal_prop(ctl_gsm0710muxd_prop)
+vendor_internal_prop(ctl_gsm0710muxd-s_prop)
+vendor_internal_prop(ctl_gsm0710muxd-d_prop)
+vendor_internal_prop(ctl_viarild_prop)
+vendor_internal_prop(ctl_ril-daemon-mtk_prop)
+vendor_internal_prop(ctl_fusion_ril_mtk_prop)
+vendor_internal_prop(ctl_ril-daemon-s_prop)
+vendor_internal_prop(ctl_ril-daemon-d_prop)
+vendor_internal_prop(ctl_ril-proxy_prop)
+vendor_internal_prop(ctl_ccci_fsd_prop)
+vendor_internal_prop(ctl_ccci2_fsd_prop)
+vendor_internal_prop(ctl_ccci3_fsd_prop)
+vendor_internal_prop(ctl_muxreport-daemon_prop)
+vendor_internal_prop(ctl_emcsmdlogger_prop)
+vendor_internal_prop(ctl_eemcs_fsd_prop)
+vendor_internal_prop(mtk_powerhal_prop)
+vendor_internal_prop(mtk_wfc_serv_prop)
+vendor_internal_prop(ctl_mdlogger_prop)
+vendor_internal_prop(ctl_emdlogger1_prop)
+vendor_internal_prop(ctl_emdlogger2_prop)
+vendor_internal_prop(ctl_emdlogger3_prop)
+vendor_internal_prop(ctl_dualmdlogger_prop)
+vendor_internal_prop(init_svc_emdlogger1_prop)
+vendor_internal_prop(init_svc_aee_aedv_prop)
+
+# Properties which can't be written outside vendor
+vendor_restricted_prop(mtk_nn_option_prop)
+vendor_restricted_prop(mtk_volte_prop)
+vendor_restricted_prop(mtk_cxp_vendor_prop)
+vendor_restricted_prop(mtk_antutu_prop)
+vendor_restricted_prop(mtk_ss_vendor_prop)
+vendor_restricted_prop(atm_ipaddr_prop)
+vendor_restricted_prop(mtkcam_prop)
+vendor_restricted_prop(graphics_hwc_hdr_prop)
+vendor_restricted_prop(graphics_hwc_latch_unsignaled_prop)
+vendor_restricted_prop(graphics_hwc_pid_prop)
+vendor_restricted_prop(mtk_thermal_config_prop)
+vendor_restricted_prop(mtk_telephony_sensitive_prop)
+vendor_restricted_prop(meta_connecttype_prop)
+vendor_restricted_prop(mtk_debug_md_reset_prop)
+vendor_restricted_prop(wmt_prop)
+vendor_restricted_prop(ril_active_md_prop)
+vendor_restricted_prop(vendor_usb_prop)
+vendor_restricted_prop(tel_switch_prop)
+vendor_restricted_prop(mtk_nvram_ready_prop)
+vendor_restricted_prop(mtk_wifi_hotspot_prop)
+vendor_restricted_prop(mtk_hdmi_prop)
+vendor_restricted_prop(mtk_default_prop)
+vendor_restricted_prop(vendor_ril_ipo_prop)
+vendor_restricted_prop(gsm0710muxd_prop)
+vendor_restricted_prop(mtk_wifi_prop)
+vendor_restricted_prop(persist_mtk_aeev_prop)
+vendor_restricted_prop(persist_aeev_prop)
+vendor_restricted_prop(debug_mtk_aeev_prop)
+vendor_restricted_prop(ro_mtk_aee_prop)
+vendor_restricted_prop(ril_mux_report_case_prop)
+vendor_restricted_prop(ril_cdma_report_prop)
+vendor_restricted_prop(mtk_md_prop)
+vendor_restricted_prop(mnld_prop)
+vendor_restricted_prop(audiohal_prop)
+vendor_restricted_prop(coredump_prop)
+vendor_restricted_prop(net_cdma_mdmstat)
+vendor_restricted_prop(persist_bt_prop)
+vendor_restricted_prop(vendor_factory_idle_state_prop)
+vendor_restricted_prop(service_nvram_init_prop)
+vendor_restricted_prop(wifi_5g_prop)
+vendor_restricted_prop(mtk_em_prop)
+vendor_restricted_prop(mediatek_prop)
+vendor_restricted_prop(mtk_em_hidl_prop)
+vendor_restricted_prop(mtk_operator_id_prop)
+vendor_restricted_prop(mtk_simswitch_emmode_prop)
+vendor_restricted_prop(mtk_dsbp_support_prop)
+vendor_restricted_prop(mtk_imstestmode_prop)
+vendor_restricted_prop(mtk_smsformat_prop)
+vendor_restricted_prop(mtk_gprs_prefer_prop)
+vendor_restricted_prop(mtk_testsim_cardtype_prop)
+vendor_restricted_prop(mtk_ct_ir_engmode_prop)
+vendor_restricted_prop(mtk_disable_c2k_cap_prop)
+vendor_restricted_prop(mtk_omx_log_prop)
+vendor_restricted_prop(mtk_vdec_log_prop)
+vendor_restricted_prop(mtk_vdectlc_log_prop)
+vendor_restricted_prop(mtk_venc_h264_showlog_prop)
+vendor_restricted_prop(mtk_modem_warning_prop)
+vendor_restricted_prop(ctl_mobile_log_d_prop)
+vendor_restricted_prop(ctl_mnld_prop)
+vendor_restricted_prop(ctl_mobicore_prop)
+vendor_restricted_prop(atm_mdmode_prop)
+vendor_restricted_prop(vendor_radio_prop)
+vendor_restricted_prop(mtk_ct_volte_prop)
+vendor_restricted_prop(mtk_ril_mode_prop)
+vendor_restricted_prop(mtk_gps_support_prop)
+vendor_restricted_prop(mtk_rat_config_prop)
+vendor_restricted_prop(mtk_aal_ro_prop)
+vendor_restricted_prop(mtk_pq_ro_prop)
+vendor_restricted_prop(mtk_pq_prop)
+vendor_restricted_prop(mtk_emmc_support_prop)
+vendor_restricted_prop(vendor_em_usb_prop)
+vendor_restricted_prop(vendor_usb_otg_switch)
+vendor_restricted_prop(mtk_anr_support_prop)
+vendor_restricted_prop(mtk_appresolutiontuner_prop)
+vendor_restricted_prop(mtk_fullscreenswitch_prop)
+vendor_restricted_prop(mtk_malloc_debug_backtrace_prop)
+vendor_restricted_prop(mtk_voicerecgnize_prop)
+vendor_restricted_prop(persist_service_atci_prop)
+vendor_restricted_prop(mtk_atci_prop)
+vendor_restricted_prop(mtk_net_ipv6_prop)
+vendor_restricted_prop(usp_prop)
+vendor_restricted_prop(mtk_md_version_prop)
+vendor_restricted_prop(mtk_bt_sap_enable_prop)
+
+# Properties used only in /system
+system_internal_prop(debug_mtklog_prop)
+system_internal_prop(persist_mtklog_prop)
+system_internal_prop(debug_netlog_prop)
+system_internal_prop(debug_mdlogger_prop)
+system_internal_prop(vendor_mdl_prop)
+system_internal_prop(vendor_mdl_start_prop)
+system_internal_prop(persist_mdlog_prop)
+system_internal_prop(vendor_mdl_pulllog_prop)
+system_internal_prop(persist_aee_prop)
+system_internal_prop(debug_mtk_aee_prop)
+system_internal_prop(debug_bq_dump_prop)
+system_internal_prop(bootani_prop)
+system_internal_prop(mobile_log_prop)
+system_internal_prop(mtk_em_sys_prop)
+system_internal_prop(mtk_em_net_auto_tethering_prop)
+system_internal_prop(mtk_bgdata_disabled)
+system_internal_prop(mtk_telecom_vibrate)
+system_internal_prop(mtk_gprs_attach_type)
+system_internal_prop(mtk_power_off_md_type)
+system_internal_prop(vendor_connsysfw_prop)
+system_internal_prop(vendor_bluetooth_prop)
+system_internal_prop(vendor_sim_system_prop)
+system_internal_prop(persist_xcap_rawurl_prop)
+system_internal_prop(usp_srv_prop)
+system_internal_prop(logmuch_prop)
+
+# Properties with no restrictions
+system_public_prop(persist_mtk_aee_prop)
+system_public_prop(mtk_amslog_prop)
+
+# Properties with can be read by all domains
+typeattribute mtk_default_prop mtk_core_property_type;
+typeattribute vendor_ril_ipo_prop mtk_core_property_type;
+typeattribute gsm0710muxd_prop mtk_core_property_type;
+typeattribute mtk_wifi_prop mtk_core_property_type;
+typeattribute persist_mtk_aeev_prop mtk_core_property_type;
+typeattribute persist_aeev_prop mtk_core_property_type;
+typeattribute debug_mtk_aeev_prop mtk_core_property_type;
+typeattribute ro_mtk_aee_prop mtk_core_property_type;
+typeattribute ril_active_md_prop mtk_core_property_type;
+typeattribute ril_mux_report_case_prop mtk_core_property_type;
+typeattribute ril_cdma_report_prop mtk_core_property_type;
+typeattribute mtk_md_prop mtk_core_property_type;
+typeattribute tel_switch_prop mtk_core_property_type;
+typeattribute mnld_prop mtk_core_property_type;
+typeattribute audiohal_prop mtk_core_property_type;
+typeattribute wmt_prop mtk_core_property_type;
+typeattribute coredump_prop mtk_core_property_type;
+typeattribute net_cdma_mdmstat mtk_core_property_type;
+typeattribute persist_bt_prop mtk_core_property_type;
+typeattribute vendor_factory_idle_state_prop mtk_core_property_type;
+typeattribute service_nvram_init_prop mtk_core_property_type;
+typeattribute wifi_5g_prop mtk_core_property_type;
+typeattribute mtk_em_prop mtk_core_property_type;
+typeattribute mediatek_prop mtk_core_property_type;
+typeattribute mtk_em_hidl_prop mtk_core_property_type;
+typeattribute mtk_operator_id_prop mtk_core_property_type;
+typeattribute mtk_simswitch_emmode_prop mtk_core_property_type;
+typeattribute mtk_dsbp_support_prop mtk_core_property_type;
+typeattribute mtk_imstestmode_prop mtk_core_property_type;
+typeattribute mtk_smsformat_prop mtk_core_property_type;
+typeattribute mtk_gprs_prefer_prop mtk_core_property_type;
+typeattribute mtk_testsim_cardtype_prop mtk_core_property_type;
+typeattribute mtk_ct_ir_engmode_prop mtk_core_property_type;
+typeattribute mtk_disable_c2k_cap_prop mtk_core_property_type;
+typeattribute mtk_debug_md_reset_prop mtk_core_property_type;
+typeattribute mtk_omx_log_prop mtk_core_property_type;
+typeattribute mtk_vdec_log_prop mtk_core_property_type;
+typeattribute mtk_vdectlc_log_prop mtk_core_property_type;
+typeattribute mtk_venc_h264_showlog_prop mtk_core_property_type;
+typeattribute mtk_modem_warning_prop mtk_core_property_type;
+typeattribute vendor_radio_prop mtk_core_property_type;
+typeattribute mtk_ct_volte_prop mtk_core_property_type;
+typeattribute mtk_ril_mode_prop mtk_core_property_type;
+typeattribute mtk_ss_vendor_prop mtk_core_property_type;
+typeattribute mtk_gps_support_prop mtk_core_property_type;
+typeattribute mtk_rat_config_prop mtk_core_property_type;
+typeattribute mtk_aal_ro_prop mtk_core_property_type;
+typeattribute mtk_pq_ro_prop mtk_core_property_type;
+typeattribute mtk_pq_prop mtk_core_property_type;
+typeattribute mtk_emmc_support_prop mtk_core_property_type;
+typeattribute vendor_em_usb_prop mtk_core_property_type;
+typeattribute vendor_usb_otg_switch mtk_core_property_type;
+typeattribute mtk_anr_support_prop mtk_core_property_type;
+typeattribute mtk_appresolutiontuner_prop mtk_core_property_type;
+typeattribute mtk_fullscreenswitch_prop mtk_core_property_type;
+typeattribute mtk_antutu_prop mtk_core_property_type;
+typeattribute mtk_malloc_debug_backtrace_prop mtk_core_property_type;
+typeattribute mtk_voicerecgnize_prop mtk_core_property_type;
+typeattribute persist_service_atci_prop mtk_core_property_type;
+typeattribute mtk_atci_prop mtk_core_property_type;
+typeattribute mtk_net_ipv6_prop mtk_core_property_type;
+typeattribute usp_prop mtk_core_property_type;
+typeattribute mtk_cxp_vendor_prop mtk_core_property_type;
+typeattribute mtk_md_version_prop mtk_core_property_type;
+typeattribute mtk_volte_prop mtk_core_property_type;
+typeattribute mtk_bt_sap_enable_prop mtk_core_property_type;
+typeattribute mtk_nvram_ready_prop mtk_core_property_type;
+typeattribute mtk_wifi_hotspot_prop mtk_core_property_type;
+typeattribute mtk_hdmi_prop mtk_core_property_type;
+
+# Properties with can't be accessed by device-sepcific domains
+typeattribute debug_mtklog_prop extended_core_property_type;
+typeattribute persist_mtklog_prop extended_core_property_type;
+typeattribute debug_netlog_prop extended_core_property_type;
+typeattribute debug_mdlogger_prop extended_core_property_type;
+typeattribute vendor_mdl_prop extended_core_property_type;
+typeattribute vendor_mdl_start_prop extended_core_property_type;
+typeattribute persist_mdlog_prop extended_core_property_type;
+typeattribute vendor_mdl_pulllog_prop extended_core_property_type;
+typeattribute persist_mtk_aee_prop extended_core_property_type;
+typeattribute persist_aee_prop extended_core_property_type;
+typeattribute debug_mtk_aee_prop extended_core_property_type;
+typeattribute debug_bq_dump_prop extended_core_property_type;
+typeattribute bootani_prop extended_core_property_type;
+typeattribute mobile_log_prop extended_core_property_type;
+typeattribute mtk_em_sys_prop extended_core_property_type;
+typeattribute mtk_em_net_auto_tethering_prop extended_core_property_type;
+typeattribute mtk_bgdata_disabled extended_core_property_type;
+typeattribute mtk_telecom_vibrate extended_core_property_type;
+typeattribute mtk_gprs_attach_type extended_core_property_type;
+typeattribute mtk_power_off_md_type extended_core_property_type;
+typeattribute vendor_connsysfw_prop extended_core_property_type;
+typeattribute vendor_bluetooth_prop extended_core_property_type;
+typeattribute vendor_sim_system_prop extended_core_property_type;
+typeattribute persist_xcap_rawurl_prop extended_core_property_type;
+typeattribute usp_srv_prop extended_core_property_type;
+typeattribute mtk_amslog_prop extended_core_property_type;
+typeattribute logmuch_prop extended_core_property_type;
diff --git a/non_plat/property_contexts b/non_plat/property_contexts
index aec00cb..60e8c63 100644
--- a/non_plat/property_contexts
+++ b/non_plat/property_contexts
@@ -1,10 +1,10 @@
# ==============================================
# MTK Policy Rule
# ==============================================
+
#=============allow ccci_mdinit to start gsm0710muxd==============
ctl.vendor.gsm0710muxd u:object_r:ctl_gsm0710muxd_prop:s0
-
#=============allow mtkrild to set persist.ril property==============
vendor.ril.ipo u:object_r:vendor_ril_ipo_prop:s0
@@ -22,7 +22,6 @@ persist.vendor.usb. u:object_r:vendor_usb_prop:s0
persist.vendor.mdl u:object_r:persist_mdlog_prop:s0
vendor.pullmdlog u:object_r:vendor_mdl_pulllog_prop:s0
-
#=============allow AEE==============
# persist.vendor.mtk.aee.mode && persist.vendor.mtk.aee.dal
persist.vendor.mtk.aee. u:object_r:persist_mtk_aee_prop:s0
@@ -104,11 +103,9 @@ persist.vendor.connsys.coredump.mode u:object_r:coredump_prop:s0
persist.vendor.connsys. u:object_r:wmt_prop:s0
vendor.connsys. u:object_r:wmt_prop:s0
-
#=============allow c2k_prop ==============
vendor.net.cdma.mdmstat u:object_r:net_cdma_mdmstat:s0
-
#=============allow ccci_mdinit md status ==============
vendor.mtk.md u:object_r:mtk_md_prop:s0
#============= allow factory idle current prop ==============
@@ -120,7 +117,6 @@ vendor.MB. u:object_r:mobile_log_prop:s0
#=============allow service.nvram_init property================
vendor.service.nvram_init u:object_r:service_nvram_init_prop:s0
-
#=============Allow EM To Set Camera APP Mode ==============
vendor.client. u:object_r:mtk_em_prop:s0
@@ -192,7 +188,6 @@ persist.vendor.radio.gprs.attach.type u:object_r:mtk_gprs_attach_type:s0
vendor.ril.test.poweroffmd u:object_r:mtk_power_off_md_type:s0
vendor.ril.testmode u:object_r:mtk_power_off_md_type:s0
-
#=============allow system server to set meta_connecttype property ==============
persist.vendor.meta.connecttype u:object_r:meta_connecttype_prop:s0
@@ -235,7 +230,7 @@ ro.boot.atm u:object_r:mtk_default_prop:s0
#=============allow consyslogger==============
vendor.connsysfw u:object_r:vendor_connsysfw_prop:s0
-#============Label telephony property=======#
+#============Label telephony property=======
vendor.ril. u:object_r:vendor_radio_prop:s0
ro.vendor.ril. u:object_r:vendor_radio_prop:s0
vendor.gsm. u:object_r:vendor_radio_prop:s0
@@ -247,7 +242,7 @@ vendor.bthcisnoop u:object_r:vendor_bluetooth_prop:s0
#=============allow ct volte==============
persist.vendor.mtk_ct_volte_support u:object_r:mtk_ct_volte_prop:s0
-#============Label mtk ril mode=======#
+#============Label mtk ril mode=======
ro.vendor.mtk_ril_mode u:object_r:mtk_ril_mode_prop:s0
#=============GPS support properties==============
@@ -256,15 +251,15 @@ ro.vendor.mtk_agps_app u:object_r:mtk_gps_support_prop:s0
ro.vendor.mtk_log_hide_gps u:object_r:mtk_gps_support_prop:s0
ro.vendor.mtk_hidl_consolidation u:object_r:mtk_gps_support_prop:s0
-#============allow rat config=======#
+#============allow rat config=======
ro.vendor.mtk_protocol1_rat_config u:object_r:mtk_rat_config_prop:s0
-#=============allow mtk aal==============#
+#=============allow mtk aal==============
ro.vendor.mtk_aal_support u:object_r:mtk_aal_ro_prop:s0
ro.vendor.mtk_ultra_dimming_support u:object_r:mtk_aal_ro_prop:s0
ro.vendor.mtk_dre30_support u:object_r:mtk_aal_ro_prop:s0
-#=============allow mtk pq==============#
+#=============allow mtk pq==============
persist.vendor.sys.pq. u:object_r:mtk_pq_prop:s0
vendor.debug.pq. u:object_r:mtk_pq_prop:s0
persist.vendor.sys.isp. u:object_r:mtk_pq_prop:s0
@@ -292,7 +287,7 @@ ro.vendor.mtk_disable_cap_switch u:object_r:mtk_default_prop:s0
ro.vendor.mtk_sim_card_onoff u:object_r:mtk_default_prop:s0
ro.vendor.mtk_perf_plus u:object_r:mtk_default_prop:s0
-#============mtk emmc=======#
+#============mtk emmc=======
ro.vendor.mtk_emmc_support u:object_r:mtk_emmc_support_prop:s0
# MTK connsys log feature
@@ -305,7 +300,7 @@ vendor.em.usb. u:object_r:vendor_em_usb_prop:s0
#=============allow em to set usb otg switch property ==============
persist.vendor.usb.otg.switch u:object_r:vendor_usb_otg_switch:s0
-#============mtk rsc========#
+#============mtk rsc========
ro.boot.rsc u:object_r:mtk_default_prop:s0
#=============mtk anr property=============
@@ -326,15 +321,15 @@ persist.vendor.ss. u:object_r:mtk_ss_vendor_prop:s0
# MTK Antutu feature
ro.vendor.net.upload.benchmark.default u:object_r:mtk_antutu_prop:s0
-#=============malloc debug unwind backtrace switch property==============#
+#=============malloc debug unwind backtrace switch property==============
vendor.debug.malloc.bt.switch u:object_r:mtk_malloc_debug_backtrace_prop:s0
-#=============allow gmo====================#
+#=============allow gmo====================
ro.vendor.gmo.ram_optimize u:object_r:mtk_default_prop:s0
ro.vendor.gmo.rom_optimize u:object_r:mtk_default_prop:s0
ro.vendor.mtk_config_max_dram_size u:object_r:mtk_default_prop:s0
-#=============MTK Voice Recognize property===========#
+#=============MTK Voice Recognize property===========
vendor.voicerecognize.raw u:object_r:mtk_voicerecgnize_prop:s0
vendor.voicerecognize_data.raw u:object_r:mtk_voicerecgnize_prop:s0
vendor.voicerecognize.noDL u:object_r:mtk_voicerecgnize_prop:s0
@@ -342,7 +337,7 @@ vendor.voicerecognize.noDL u:object_r:mtk_voicerecgnize_prop:s0
#=============allow radio to set/get xcap rawurl config================
persist.vendor.mtk.xcap.rawurl u:object_r:persist_xcap_rawurl_prop:s0
-#=============mtk bt enable SAP profile property=============#
+#=============mtk bt enable SAP profile property=============
ro.vendor.mtk.bt_sap_enable u:object_r:mtk_bt_sap_enable_prop:s0
#=============allow processes to change powerhal config================
@@ -355,12 +350,20 @@ vendor.mtk.nvram.ready u:object_r:mtk_nvram_ready_prop:s0
#=============Wi-Fi Hotspot==============
ro.vendor.wifi.sap.interface u:object_r:mtk_wifi_hotspot_prop:s0
-#=============allow mtk hdmi==============#
+#=============allow mtk hdmi==============
persist.vendor.sys.hdmi_hidl. u:object_r:mtk_hdmi_prop:s0
-#=============mtk nn option==============#
+#=============mtk nn option==============
ro.vendor.mtk_nn.option u:object_r:mtk_nn_option_prop:s0
#============system wfc service property===========
persist.vendor.wfc. u:object_r:mtk_wfc_serv_prop:s0
+#=============allow ccci_mdinit to ctl. mdlogger==============
+ctl.mdlogger u:object_r:ctl_mdlogger_prop:s0
+ctl.emdlogger1 u:object_r:ctl_emdlogger1_prop:s0
+ctl.emdlogger2 u:object_r:ctl_emdlogger2_prop:s0
+ctl.emdlogger3 u:object_r:ctl_emdlogger3_prop:s0
+
+init.svc.emdlogger1 u:object_r:init_svc_emdlogger1_prop:s0
+init.svc.aee_aedv u:object_r:init_svc_aee_aedv_prop:s0
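Review bot: The six keys added at the end of this hunk (`ctl.mdlogger`, `ctl.emdlogger1` to `ctl.emdlogger3`, `init.svc.emdlogger1`, `init.svc.aee_aedv`) sit outside the `vendor.` namespace used by the neighbouring entries such as `ctl.vendor.gsm0710muxd`. property.te in this same commit nevertheless declares their types with `vendor_internal_prop(...)`. Entries in this file are prefix matches, so `init.svc.aee_aedv` also labels any longer property name that begins with that string, and `ctl.emdlogger1` does the same for control names. If the platform release in use accepts the typed format, pinning them is safer, e.g. `init.svc.aee_aedv u:object_r:init_svc_aee_aedv_prop:s0 exact string`. A one-line comment saying why these keys cannot carry the `vendor.` prefix would also help the next reviewer.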
diff --git a/non_plat/radio.te b/non_plat/radio.te
index 9f6077e..e81853d 100644
--- a/non_plat/radio.te
+++ b/non_plat/radio.te
@@ -6,40 +6,6 @@
allow radio sysfs_keypad_file:dir { r_dir_perms };
allow radio sysfs_keypad_file:file { w_file_perms };
-# Date : WK15.34 2015/08/21
-# Operation : IT
-# Purpose : for engineermode WFD IOT property
-allow radio surfaceflinger:fifo_file { rw_file_perms };
-
-# Date : 2016/06/11
-# Operation : IT
-# Purpose : for engineermode Usb PHY Tuning
-allow radio debugfs_usb20_phy:file { read open getattr };
-allow radio debugfs_usb20_phy:dir search;
-
-# Date : WK14.38 2016/06/28
-# Operation : Migration
-# Purpose : for engineermode
-allow radio mt_otg_test_device:chr_file { read write ioctl open };
-allow radio mtgpio_device:chr_file { read ioctl open };
-allow radio stpbt_device:chr_file { read write open };
-allow radio stpant_device:chr_file { read write open };
-allow radio bt_int_adp_socket:sock_file write;
-allow radio mt6605_device:chr_file { read write ioctl open getattr };
-allow radio nfc_socket:dir { write add_name remove_name search };
-allow radio system_prop:property_service set;
-
-# Date : WK14.38 2016/06/28
-# Operation : Migration
-# Purpose : for engineermode
-allow radio em_svr:unix_stream_socket connectto;
-
-# Date : WK15.25 2016/06/28
-# Operation :N Migration
-# Purpose : for engineermode WiFi test mode
-# todo: in the feature Google maybe forbid this option,we should use other way
-allowxperm radio self:udp_socket ioctl { SIOCIWFIRSTPRIV-SIOCIWFIRSTPRIV_09 SIOCIWFIRSTPRIV_0B SIOCSIWESSID SIOCSIWMODE };
-
# Date : 2014/12/13
# Operation : IT
# Purpose : for bluetooth relayer mode
@@ -60,27 +26,12 @@ allow radio media_rw_data_file:file { create_file_perms };
# Swift APK integration - access ccci dir/file
allow radio ccci_fsd:dir { r_dir_perms };
-# Date : 2016/07/25
-# Operation : Bluetooth access NVRAM fail in Engineer Mode
-# Purpose : for Bluetooth read NVRAM data
-allow radio nvdata_file:dir search;
-allow radio nvdata_file:file rw_file_perms;
-
-#Date : 2016/11/08
-#Operation: IT
-#Purpose: for EM set persist.net.auto.tethering
-set_prop(radio, mtk_em_net_auto_tethering_prop)
# Date : WK17.03
# Operation : O Migration
# Purpose : HIDL for rilproxy
binder_call(radio, hal_telephony)
-# Date : WK17.15
-# Operation : O Migration
-# Purpose : for YGPS execution
-allow radio hal_graphics_composer_default:fd use;
-
#Dat: 2017/02/14
#Purpose: allow get telephony Sensitive property
get_prop(radio, mtk_telephony_sensitive_prop)
@@ -100,79 +51,11 @@ hal_client_domain(radio, hal_imsa)
#allow radio hal_audio_hwservice:hwservice_manager find;
binder_call(radio,mtk_hal_audio)
-# TODO : Will move to plat_private when SEPolicy split done
-# Date : WK1727 2017/07/19
-# Operation : Migration
-# Purpose : Allow EM set usb property
-set_prop(radio, system_radio_prop)
-
-#Dat: 2017/07/20
-#Purpose: NFC EM
-allow radio hal_nfc_hwservice:hwservice_manager find;
-binder_call(radio, hal_nfc)
-binder_call(hal_nfc, radio)
-hwbinder_use(radio);
-#hal_client_domain(radio, hal_nfc)
-typeattribute radio halclientdomain;
-typeattribute radio hal_nfc_client;
-allow radio nfc_socket:sock_file { create write unlink setattr };
-set_prop(radio, system_prop)
-
-# Date : WK1734 2017/08/23
-# Purpose : Allow EM use power HAL
-allow radio mtk_hal_power_hwservice:hwservice_manager find;
-binder_call(radio, mtk_hal_power)
-
-# Date : 2017/10/31
-# Purpose: Policy for EM to set wcn coredump property
-get_prop(radio, wmt_prop)
-
# Date : WK18.16
# Operation: P migration
# Purpose: Allow radio to get tel_switch_prop
get_prop(radio, tel_switch_prop)
-# Date : 2018/05/03
-# Operation: P migration
-# Purpose: allow EM to set modem reset delay property
-get_prop(radio, mtk_debug_md_reset_prop)
-
-# Date : 2018/06/01
-# Operation : P migration
-# Purpose : For EM access battery info
-allow radio sysfs_batteryinfo:dir search;
-#allow radio sysfs_batteryinfo:file { read write getattr open create};
-allow radio sysfs_vbus:file { read getattr open };
-allow radio sysfs_battery_consumption:file r_file_perms;
-allow radio sysfs_power_on_vol:file r_file_perms;
-allow radio sysfs_power_off_vol:file r_file_perms;
-allow radio sysfs_fg_disable:file w_file_perms;
-allow radio sysfs_dis_nafg:file w_file_perms;
-
-# Date : 2018/06/15
-# Purpose : Allow EM access touchscreen settings
-allow radio sysfs_tpd_debug:dir { search read open };
-allow radio sysfs_tpd_setting:dir { search read open };
-
-# Date : 2018/06/15
-# Purpose : mtk EM PMU reading/setting
-allow radio sysfs_pmu:dir { search };
-allow radio sysfs_pmu:file { read };
-allow radio sysfs_pmu:lnk_file { read };
-
-# Date : 2018/06/15
-# Purpose : mtk EM Power debug_log setting
-allow radio sysfs_spm:dir { search };
-
-# Date : 2018/06/15
-# Purpose: Allow EM detect Audio headset status
-allow radio sysfs_headset:file { read open };
-
-# Date : 2018/06/26
-# Operation : IT
-# Purpose : Allow to use HAL em
-hal_client_domain(radio, mtk_hal_em)
-
# Date : 2018/07/03
# Purpose : Allow sim system to set prop
set_prop(radio, vendor_sim_system_prop)
@@ -195,42 +78,7 @@ set_prop(radio, mtk_telecom_vibrate)
# Purpose : Allow to use mtk_gprs_attach_type
set_prop(radio, mtk_gprs_attach_type)
-# Date : 2018/07/12
-# Purpose : Allow EM to use Lbs Hidl
-binder_call(radio, lbs_hidl_service)
-allow radio mtk_hal_lbs_hwservice:hwservice_manager find;
-
-# Date : 2018/08/12
-# Purpose : Allow EM to set poweroffmd property
-set_prop(radio, mtk_power_off_md_type)
-
-get_prop(radio, persist_mtk_aee_prop);
-
-
-# Date : 2018/08/31
-# Purpose : Allow EM to set sys property
-set_prop(radio, mtk_em_sys_prop)
-
-# Date : 2018/11/01
-# Purpose : mtk EM c2k bypass read usb file
-allow radio sys_usb_rawbulk:file { r_file_perms };
-allow radio sys_usb_rawbulk:dir { r_dir_perms };
-
#Date : 2018/11/02
# Operation : Allow radio persist_xcap_rawurl_prop:property_service set;
# Purpose : for set telephony xcap use raw url property in IMS SS
set_prop(radio, persist_xcap_rawurl_prop)
-
-# Date : 2019/05/08
-# Operation : label aee_aed sockets
-# Purpose : Engineering mode need access for aee commmand
-allow radio aee_aed:unix_stream_socket connectto;
-
-# Date : 2019/05/23
-# Operation : Get subpimc reigster status
-# Purpose : Engineering mode need get subpimic register status
-allow radio debugfs_regmap:dir { search };
-
-# Date : 2018/09/29
-# Purpose : Allow get USB Current Speed in Engineer Mode
-get_prop(radio, vendor_usb_prop);
diff --git a/non_plat/shell.te b/non_plat/shell.te
index b292564..5346726 100644
--- a/non_plat/shell.te
+++ b/non_plat/shell.te
@@ -4,7 +4,7 @@
# Date : WK16.46
# Purpose : allow shell to switch aee mode
-allow shell aee_aed:unix_stream_socket connectto;
+allow shell crash_dump:unix_stream_socket connectto;
# Date : WK17.35
# Purpose : allow shell to dump the debugging information of camera hal.
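Review bot: The retargeted rule `allow shell crash_dump:unix_stream_socket connectto;` is unconditional, so an adb shell can reach sockets served from the `crash_dump` domain on user builds as well. The stated purpose, "allow shell to switch aee mode", reads like a debugging feature. In the same commit plat_private/crash_dump.te gives `crash_dump` a `dumpstate` domain transition and, on userdebug/eng only, `sys_admin`, so the reach of this socket's server is larger than it was for the old target. If mode switching is not required on user builds, wrap the rule in `userdebug_or_eng(...)` the way crash_dump.te does for its `sys_admin` rule. Otherwise extend the Purpose comment to say which peer credential check the server applies.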
diff --git a/non_plat/stp_dump3.te b/non_plat/stp_dump3.te
index d7e7675..0501d29 100644
--- a/non_plat/stp_dump3.te
+++ b/non_plat/stp_dump3.te
@@ -37,6 +37,7 @@ allow stp_dump3 sdcard_type:file { open read write create setattr getattr append
allow stp_dump3 sdcard_type:file create_file_perms;
allow stp_dump3 stp_dump_data_file:dir create_dir_perms;
allow stp_dump3 stp_dump_data_file:file create_file_perms;
+allow stp_dump3 stp_dump_data_file:sock_file { write create unlink setattr };
allow stp_dump3 connsyslog_data_vendor_file:dir create_dir_perms;
allow stp_dump3 connsyslog_data_vendor_file:file create_file_perms;
get_prop(stp_dump3, coredump_prop)
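Review bot: The added `sock_file` rule has no rationale comment, and the commit record visible here does not say which socket `stp_dump3` creates under `stp_dump_data_file` or who connects to it. A socket in a data directory becomes an IPC entry point for any domain later granted `write` on that type, so the intended client should be named next to the rule. Something like `# Purpose : stp_dump3 creates its listening socket in the stp_dump data dir; client: <domain>` would do, with the client filled in by the author. The `write` permission is what a connecting peer needs, so it is worth confirming `stp_dump3` itself connects and that `{ create unlink setattr }` alone is not sufficient.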
diff --git a/non_plat/system_server.te b/non_plat/system_server.te
index beeb30a..919f663 100644
--- a/non_plat/system_server.te
+++ b/non_plat/system_server.te
@@ -112,7 +112,7 @@ allow system_server wifi_prop:file { read getattr open };
# path=00636F6D2E6D746B2E6165652E6165645F3634
# scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0
# tclass=unix_stream_socket permissive=0
-allow system_server aee_aed:unix_stream_socket connectto;
+allow system_server crash_dump:unix_stream_socket connectto;
#Dat: 2017/02/14
#Purpose: allow get telephony Sensitive property
diff --git a/non_plat/uncrypt.te b/non_plat/uncrypt.te
index c9b3acb..2684a23 100644
--- a/non_plat/uncrypt.te
+++ b/non_plat/uncrypt.te
@@ -1,13 +1,13 @@
#====================== uncrypt.te ======================
# uncrypt for mtd
-allow uncrypt mtd_device:chr_file { read write open ioctl };
+allow uncrypt mtd_device:chr_file rw_file_perms;
allow uncrypt mtd_device:dir search;
allow uncrypt misc_device:chr_file ~rename;
allow uncrypt userdata_block_device:blk_file w_file_perms;
-allow uncrypt para_block_device:blk_file { write open };
+allow uncrypt para_block_device:blk_file w_file_perms;
allow uncrypt system_app_data_file:dir { getattr search };
allow uncrypt system_app_data_file:file { read getattr };
allow uncrypt media_rw_data_file:dir { getattr search };
-allow uncrypt media_rw_data_file:file { read getattr open };
+allow uncrypt media_rw_data_file:file r_file_perms;
allow uncrypt ota_package_file:file w_file_perms;
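Review bot: The three macro substitutions in this hunk widen the grants rather than only tidying them. In the AOSP global macros, `rw_file_perms` adds at least `getattr`, `append`, `lock` and `map` to the old `{ read write open ioctl }` on `mtd_device`. `w_file_perms` adds `append`, `lock` and `map` to `{ write open }` on `para_block_device`, and `r_file_perms` adds `ioctl`, `lock` and `map` on `media_rw_data_file` files. The exact expansion depends on the platform release. If no denial motivated the extra permissions, keep the explicit sets on the two device nodes, e.g. `allow uncrypt para_block_device:blk_file { write open };`. Otherwise note above each rule which added permission was actually needed.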
diff --git a/non_plat/vendor_init.te b/non_plat/vendor_init.te
index d0bc030..783f6c9 100644
--- a/non_plat/vendor_init.te
+++ b/non_plat/vendor_init.te
@@ -1,16 +1,16 @@
-#allow vendor_init exported3_system_prop:property_service set;
-#allow vendor_init dalvik_prop:property_service set;
-
-#allow vendor_init ffs_prop:property_service set;
-allow vendor_init mediatek_prop:property_service set;
-allow vendor_init mtk_md_version_prop:property_service set;
-allow vendor_init mtk_volte_prop:property_service set;
-allow vendor_init vendor_radio_prop:property_service set;
-allow vendor_init mtk_ril_mode_prop:property_service set;
-allow vendor_init wmt_prop:property_service set;
-allow vendor_init coredump_prop:property_service set;
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+set_prop(vendor_init, mediatek_prop)
+set_prop(vendor_init, mtk_md_version_prop)
+set_prop(vendor_init, mtk_volte_prop)
+set_prop(vendor_init, vendor_radio_prop)
+set_prop(vendor_init, mtk_ril_mode_prop)
+set_prop(vendor_init, wmt_prop)
+set_prop(vendor_init, coredump_prop)
+
allow vendor_init proc_wmtdbg:file w_file_perms;
-#allow vendor_init vold_prop:property_service set;
allow vendor_init proc_cpufreq:file w_file_perms;
allow vendor_init proc_bootprof:file write;
@@ -33,7 +33,6 @@ set_prop(vendor_init, mtk_aal_ro_prop)
set_prop(vendor_init, mtk_pq_ro_prop)
set_prop(vendor_init, mtk_default_prop)
set_prop(vendor_init, mtk_nn_option_prop)
-
set_prop(vendor_init, mtk_emmc_support_prop)
set_prop(vendor_init, mtk_anr_support_prop)
set_prop(vendor_init, mtk_antutu_prop)
@@ -70,7 +69,9 @@ allow vendor_init kernel:key search;
allow vendor_init expdb_block_device:blk_file rw_file_perms;
set_prop(vendor_init, mtk_wifi_hotspot_prop)
-
set_prop(vendor_init, persist_aeev_prop)
-
set_prop(vendor_init, mtk_powerhal_prop)
+
+# mmstat tracer
+allow vendor_init debugfs_tracing_instances:dir create_dir_perms;
+allow vendor_init debugfs_tracing_instances:file w_file_perms;
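Review bot: The two `debugfs_tracing_instances` rules let `vendor_init` create tracing instances and write their control files on every build type, and the only rationale given is the comment `# mmstat tracer`. Tracing instances can capture kernel event data system-wide, and debugfs access from vendor domains is something later platform releases restrict on user builds, so this grant should be as narrow as the feature allows. If the mmstat tracer is a debugging aid, wrap both rules in `userdebug_or_eng(...)`. If it must run on user builds, expand the comment to name the instance directory it creates and the files it writes, so the `create_dir_perms` grant can be checked against actual use.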
diff --git a/plat_private/aee_core_forwarder.te b/plat_private/aee_core_forwarder.te
index d335d99..961646c 100644
--- a/plat_private/aee_core_forwarder.te
+++ b/plat_private/aee_core_forwarder.te
@@ -97,4 +97,4 @@ allow aee_core_forwarder self:capability sys_nice;
get_prop(aee_core_forwarder, hwservicemanager_prop)
# Purpose : allow aee_core_forwarder to connect aee_aed socket
-allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
+allow aee_core_forwarder crash_dump:unix_stream_socket connectto;
diff --git a/plat_private/crash_dump.te b/plat_private/crash_dump.te
index bd905cb..98b8cb7 100644
--- a/plat_private/crash_dump.te
+++ b/plat_private/crash_dump.te
@@ -1,2 +1,120 @@
-allow crash_dump aee_aed:unix_stream_socket connectto;
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# AED start: /dev/block/expdb
+allow crash_dump block_device:dir search;
+
+# aee db dir and db files
+allow crash_dump sdcard_type:dir create_dir_perms;
+allow crash_dump sdcard_type:file create_file_perms;
+
+#data/anr
+allow crash_dump anr_data_file:dir create_dir_perms;
+allow crash_dump anr_data_file:file create_file_perms;
+
+allow crash_dump domain:process { getattr getsched };
+allow crash_dump domain:lnk_file getattr;
+
+#core-pattern
+allow crash_dump usermodehelper:file r_file_perms;
+
+#suid_dumpable. this is neverallow
+#allow crash_dump proc_security:file r_file_perms;
+
+#allow crash_dump call binaries labeled "system_file" under /system/bin/
+allow crash_dump system_file:file execute_no_trans;
+
+allow crash_dump init:process getsched;
+allow crash_dump kernel:process getsched;
+
+# Date: W15.34
+# Operation: Migration
+# Purpose: For pagemap & pageflags information in NE DB
+userdebug_or_eng(`allow crash_dump self:capability sys_admin;')
+
+# Purpose: allow crash_dump to access toolbox
+allow crash_dump toolbox_exec:file rx_file_perms;
+
+# Purpose: mnt/user/*
+allow crash_dump mnt_user_file:dir search;
+allow crash_dump mnt_user_file:lnk_file read;
+
+allow crash_dump storage_file:dir search;
+allow crash_dump storage_file:lnk_file read;
+
+# Date : WK17.09
+# Operation : AEE UT for Android O
+# Purpose : for AEE module to dump files
+domain_auto_trans(crash_dump, dumpstate_exec, dumpstate)
+
+# Purpose : crash_dump communicate with aee_core_forwarder
+# allow crash_dump aee_core_forwarder:dir search;
+# allow crash_dump aee_core_forwarder:file { read getattr open };
+
+userdebug_or_eng(`
+ allow crash_dump su:dir {search read open };
+ allow crash_dump su:file { read getattr open };
+')
+
+# /data/tombstone
+allow crash_dump tombstone_data_file:dir w_dir_perms;
+allow crash_dump tombstone_data_file:file create_file_perms;
+
+# /proc/pid/
+allow crash_dump self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
+
+# system(cmd) aee_dumpstate aee_archive
+allow crash_dump shell_exec:file rx_file_perms;
+
+# PROCESS_FILE_STATE
+allow crash_dump dumpstate:unix_stream_socket { read write ioctl };
+allow crash_dump dumpstate:dir search;
+allow crash_dump dumpstate:file r_file_perms;
+
+allow crash_dump logdr_socket:sock_file write;
+allow crash_dump logd:unix_stream_socket connectto;
+#allow crash_dump system_ndebug_socket:sock_file write;
+
+# vibrator
+allow crash_dump sysfs_vibrator:file w_file_perms;
+
+# Data : 2017/03/22
+# Operation : add NE flow rule for Android O
+# Purpose : make crash_dump can get specific process NE info
+allow crash_dump domain:dir r_dir_perms;
+allow crash_dump domain:{ file lnk_file } r_file_perms;
+
+allow crash_dump dalvikcache_data_file:dir r_dir_perms;
+#allow crash_dump zygote_exec:file r_file_perms;
+#allow crash_dump init_exec:file r_file_perms;
+
+# Data : 2017/04/06
+# Operation : add selinux rule for crash_dump notify crash_dump
+# Purpose : make crash_dump can get notify from crash_dump
+allow crash_dump crash_dump:dir search;
+allow crash_dump crash_dump:file r_file_perms;
+
+# Purpose : allow crash_dump to read /proc/version
+allow crash_dump proc_version:file { read open };
+
+# Purpose : allow crash_dump self to sys_nice/chown/kill
+allow crash_dump self:capability { sys_nice chown fowner kill };
+
+# Purpose: Allow crash_dump to write /sys/kernel/debug/tracing/snapshot
+userdebug_or_eng(`allow crash_dump debugfs_tracing_debug:file { write open };')
+
+# Purpose: Allow crash_dump to read/write /sys/kernel/debug/tracing/tracing_on
+#userdebug_or_eng(` allow crash_dump debugfs_tracing:file { r_file_perms write };')
+
+# Purpose: receive dropbox message
+allow crash_dump dropbox_data_file:file {getattr read};
+allow crash_dump dropbox_service:service_manager find;
+allow crash_dump servicemanager:binder call;
+allow crash_dump system_server:binder call;
+
+# Purpose: allow crash_dump to read packages.list
+allow crash_dump packages_list_file:file r_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/*/exe
+allow crash_dump system_file_type:file r_file_perms;
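Review bot: The `self:capability` rule under `# /proc/pid/` gives crash_dump `sys_module`, `net_admin`, `setuid`, `setgid` and `sys_resource` on every build type, and the comment does not explain why reading /proc entries would need any of them. This domain runs against crashing processes whose state may be attacker-influenced, and the file_contexts hunk in this commit labels /system/bin/aee_aed and aee_aed64 as `crash_dump_exec`, so the grants presumably apply to those binaries too. Trim the set to what is demonstrably required, or move the rest under `userdebug_or_eng` as the `sys_admin` rule above it already is. The later `allow crash_dump self:capability { sys_nice chown fowner kill };` is a strict subset of the earlier rule and can be removed. The unconditional `domain_auto_trans(crash_dump, dumpstate_exec, dumpstate)` and `execute_no_trans` on `system_file` deserve the same per-rule justification comment.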
diff --git a/plat_private/domain.te b/plat_private/domain.te
index 7f95649..4252e23 100644
--- a/plat_private/domain.te
+++ b/plat_private/domain.te
@@ -21,8 +21,8 @@ full_treble_only(`
-dumpstate
-init
-installd
- -iorap_inode2filename
-iorap_prefetcherd
+ -iorap_inode2filename
-logd
-mediadrmserver
-mediaextractor
@@ -55,7 +55,7 @@ full_treble_only(`
neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
neverallow iorap_prefetcherd system_data_file:file ~{ open read };
- neverallow iorap_inode2filename system_data_file:file ~{ open read getattr };
+ neverallow iorap_inode2filename system_data_file:file ~getattr;
neverallow {
mediadrmserver
@@ -75,8 +75,8 @@ full_treble_only(`
dexoptanalyzer
init
installd
- iorap_inode2filename
iorap_prefetcherd
+ iorap_inode2filename
logd
rs
runas
diff --git a/plat_private/file_contexts b/plat_private/file_contexts
index 053ebe4..defa023 100644
--- a/plat_private/file_contexts
+++ b/plat_private/file_contexts
@@ -23,8 +23,8 @@
/system/bin/loghidlsysservice u:object_r:loghidlsysservice_exec:s0
/system/bin/cmddumper u:object_r:cmddumper_exec:s0
/system/bin/em_svr u:object_r:em_svr_exec:s0
-/system/bin/aee_aed u:object_r:aee_aed_exec:s0
-/system/bin/aee_aed64 u:object_r:aee_aed_exec:s0
+/system/bin/aee_aed u:object_r:crash_dump_exec:s0
+/system/bin/aee_aed64 u:object_r:crash_dump_exec:s0
/system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
/system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0
/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0
diff --git a/plat_private/property_contexts b/plat_private/property_contexts
index b85131f..e5bb3c3 100644
--- a/plat_private/property_contexts
+++ b/plat_private/property_contexts
@@ -1,11 +1,6 @@
-#=============allow ccci_mdinit to ctl. mdlogger==============
-ctl.mdlogger u:object_r:ctl_mdlogger_prop:s0
-ctl.emdlogger1 u:object_r:ctl_emdlogger1_prop:s0
-ctl.emdlogger2 u:object_r:ctl_emdlogger2_prop:s0
-ctl.emdlogger3 u:object_r:ctl_emdlogger3_prop:s0
-
-init.svc.emdlogger1 u:object_r:init_svc_emdlogger1_prop:s0
-init.svc.aee_aedv u:object_r:init_svc_aee_aedv_prop:s0
+# ==============================================
+# MTK Policy Rule
+# ==============================================
#allow mtk audio hidl service to read "ro.audio.usb.period_us"
ro.audio.usb.period_us u:object_r:exported_default_prop:s0 exact int
@@ -13,6 +8,5 @@ ro.audio.usb.period_us u:object_r:exported_default_prop:s0 exact int
#allow adb daemon to read "persist.adb.nonblocking_ffs"
persist.adb.nonblocking_ffs u:object_r:exported_default_prop:s0 exact int
-#============system fingerprint property===========#
+#============system fingerprint property===========
ro.system.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
-
diff --git a/plat_private/system_app.te b/plat_private/system_app.te
index 6d45fbe..08f80fa 100644
--- a/plat_private/system_app.te
+++ b/plat_private/system_app.te
@@ -13,4 +13,4 @@ allow system_app media_rw_data_file:dir {r_dir_perms w_dir_perms};
allow system_app media_rw_data_file:file {r_file_perms w_file_perms};
# Purpose: receive dropbox message
-allow system_app aee_aed:unix_stream_socket connectto;
+allow system_app system_server:unix_stream_socket connectto;
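Review bot: Every other `aee_aed` reference in this commit is retargeted to `crash_dump`, but this rule now grants system_app `connectto` on `system_server:unix_stream_socket`, with the `# Purpose: receive dropbox message` comment left unchanged. If the socket peer really moved to system_server, the comment should say so. If the change was a mechanical substitution gone wrong, the rule should probably read `allow system_app crash_dump:unix_stream_socket connectto;` or be dropped. Confirm against the actual denial before keeping a new grant toward system_server.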
diff --git a/plat_private/system_server.te b/plat_private/system_server.te
index c606c5c..d9b7134 100644
--- a/plat_private/system_server.te
+++ b/plat_private/system_server.te
@@ -5,8 +5,8 @@ allow system_server ota_package_file:dir getattr;
allow uncrypt uncrypt:capability fowner;
# Purpose: receive dropbox message
-allow system_server aee_aed:fifo_file w_file_perms;
-allow system_server aee_aed:fd use;
+allow system_server crash_dump:fifo_file w_file_perms;
+allow system_server crash_dump:fd use;
#Date:2019/10/10
#Operation:Q Migration
diff --git a/plat_public/attributes b/plat_public/attributes
index 53ca171..bc8b764 100644
--- a/plat_public/attributes
+++ b/plat_public/attributes
@@ -18,3 +18,9 @@ attribute mtk_hal_lbs_server;
# modem db filter hidl
attribute mtk_hal_md_dbfilter;
attribute mtk_hal_md_dbfilter_client;
+
+# Date: 2019/11/18
+# em hidl
+attribute mtk_hal_em;
+attribute mtk_hal_em_client;
+attribute mtk_hal_em_server;
diff --git a/plat_public/domain.te b/plat_public/domain.te
index 1478421..3feb681 100644
--- a/plat_public/domain.te
+++ b/plat_public/domain.te
@@ -147,132 +147,143 @@ full_treble_only(`
# allow hal_drm system_data_file:file { getattr read };
# hal_server_domain(merged_hal_service, hal_drm)
#
-# full_treble_only(`
-# neverallow ~{
-# init
-# installd
-# system_server
-# } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
-#
-# neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
-#
-# neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
-#
-# neverallow installd system_data_file:{ chr_file blk_file } *;
-#
-# neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
-#
-# neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
-#
-# neverallow {
-# coredomain
-# -appdomain
-# -app_zygote
-# -init
-# -installd
-# -iorap_prefetcherd
-# -system_server
-# -toolbox
-# -vold
-# -vold_prepare_subdirs
-# } system_data_file:file ~r_file_perms;
-#
-# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
-#
-# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
-#
-# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
-#
-# neverallow iorap_prefetcherd system_data_file:file ~{ open read };
-#
-# neverallow {
-# mediadrmserver
-# mediaextractor
-# mediaserver
-# } system_data_file:file ~{ read getattr };
-#
-# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
-#
-# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
-#
-# neverallow vold system_data_file:file ~read;
-#
-# neverallow ~{
-# appdomain
-# app_zygote
-# init
-# installd
-# iorap_prefetcherd
-# logd
-# rs
-# runas
-# simpleperf_app_runner
-# system_server
-# tee
-# vold
-# webview_zygote
-# zygote
-# } system_data_file:lnk_file ~getattr;
-#
-# neverallow {
-# appdomain
-# app_zygote
-# logd
-# webview_zygote
-# } system_data_file:lnk_file ~r_file_perms;
-#
-# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
-#
-# neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
-#
-# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
-#
-# neverallow rs system_data_file:lnk_file ~{ read };
-#
-# neverallow {
-# runas
-# simpleperf_app_runner
-# tee
-# } system_data_file:lnk_file ~{ read getattr };
-#
-# neverallow system_server system_data_file:lnk_file ~create_file_perms;
-#
-# neverallow ~{
-# init
-# installd
-# iorap_prefetcherd
-# system_server
-# toolbox
-# traced_probes
-# vold
-# vold_prepare_subdirs
-# zygote
-# } system_data_file:dir ~{ search getattr };
-#
-# neverallow init system_data_file:dir ~{
-# create search getattr open read setattr ioctl
-# mounton
-# relabelto
-# write add_name remove_name rmdir relabelfrom
-# };
-#
-# neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
-#
-# neverallow {
-# iorap_prefetcherd
-# traced_probes
-# } system_data_file:dir ~{ open read search getattr };
-#
-# neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
-#
-# neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
-#
-# neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
-#
-# neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
-#
-# neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
-# ')
+full_treble_only(`
+ neverallow ~{
+ init
+ installd
+ system_server
+ } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
+
+ neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+
+ neverallow installd system_data_file:{ chr_file blk_file } *;
+
+ neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
+
+ neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
+
+ neverallow {
+ coredomain
+ -appdomain
+ -app_zygote
+ -init
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+ -system_server
+ -toolbox
+ -vold
+ -vold_prepare_subdirs
+ } system_data_file:file ~r_file_perms;
+
+ neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+
+ neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+
+ neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+
+ neverallow iorap_inode2filename system_data_file:file ~getattr;
+
+ neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+
+ neverallow {
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ } system_data_file:file ~{ read getattr };
+
+ neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+
+ neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+
+ neverallow vold system_data_file:file ~read;
+
+ neverallow ~{
+ appdomain
+ app_zygote
+ init
+ installd
+ iorap_prefetcherd
+ iorap_inode2filename
+ logd
+ rs
+ runas
+ simpleperf_app_runner
+ system_server
+ tee
+ vold
+ webview_zygote
+ zygote
+ } system_data_file:lnk_file ~getattr;
+
+ neverallow {
+ appdomain
+ app_zygote
+ logd
+ webview_zygote
+ } system_data_file:lnk_file ~r_file_perms;
+
+ neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+
+ neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+
+ neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+
+ neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
+
+ neverallow rs system_data_file:lnk_file ~{ read };
+
+ neverallow {
+ runas
+ simpleperf_app_runner
+ tee
+ } system_data_file:lnk_file ~{ read getattr };
+
+ neverallow system_server system_data_file:lnk_file ~create_file_perms;
+
+ neverallow ~{
+ apexd
+ init
+ installd
+ iorap_prefetcherd
+ iorap_inode2filename
+ system_server
+ toolbox
+ traced_probes
+ vold
+ vold_prepare_subdirs
+ zygote
+ } system_data_file:dir ~{ search getattr };
+
+ neverallow apexd system_data_file:dir ~r_dir_perms;
+
+ neverallow init system_data_file:dir ~{
+ create search getattr open read setattr ioctl
+ mounton
+ relabelto
+ write add_name remove_name rmdir relabelfrom
+ };
+
+ neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
+
+ neverallow {
+ iorap_prefetcherd
+ iorap_inode2filename
+ traced_probes
+ } system_data_file:dir ~{ open read search getattr };
+
+ neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
+
+ neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
+
+ neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
+
+ neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
+
+ neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
+')
# Do not allow access to the generic vendor_data_file label. This is
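Review bot: The now-active rule `neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;` still ends in the doubled semicolon it had while commented out. The page does not show whether checkpolicy tolerates the stray terminator, so it should be written as `neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };`. The init `system_data_file:file` rule also lists `getattr` twice, which is harmless but worth cleaning up in the same pass. The block appears to repeat assertions that plat_private/domain.te already carries inside its own `full_treble_only`, such as the installd and iorap rules visible in that file's hunks. A short comment saying which copy is authoritative would keep the two from drifting apart.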
diff --git a/plat_public/property.te b/plat_public/property.te
index 976018b..03e0d0e 100644
--- a/plat_public/property.te
+++ b/plat_public/property.te
@@ -1,9 +1,20 @@
-#=============allow ccci_mdinit to ctl. mdlogger==============
-type ctl_mdlogger_prop, property_type;
-type ctl_emdlogger1_prop, property_type;
-type ctl_emdlogger2_prop, property_type;
-type ctl_emdlogger3_prop, property_type;
-type ctl_dualmdlogger_prop, property_type;
+# ==============================================
+# MTK Policy Rule
+# ==============================================
-type init_svc_emdlogger1_prop, property_type;
-type init_svc_aee_aedv_prop, property_type; \ No newline at end of file
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
+#typeattribute vendor_default_prop vendor_property_type;
+#neverallow domain {
+# property_type
+# -system_property_type
+# -product_property_type
+# -vendor_property_type
+#}:file no_rw_file_perms;