29 files changed, 154 insertions, 113 deletions
diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te index 29ae395..c23e20d 100644 --- a/non_plat/aee_aedv.te +++ b/non_plat/aee_aedv.te @@ -80,7 +80,6 @@ allow aee_aedv dumpstate:unix_stream_socket { read write ioctl }; allow aee_aedv dumpstate:dir search; allow aee_aedv dumpstate:file r_file_perms; -allow aee_aedv proc:file rw_file_perms; allow aee_aedv logdr_socket:sock_file write; allow aee_aedv logd:unix_stream_socket connectto; diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te index 3440cb0..3e4cd58 100644 --- a/non_plat/atci_service.te +++ b/non_plat/atci_service.te @@ -127,7 +127,6 @@ allow atci_service debugfs_ion:dir search; allow atci_service sysfs_tpd_setting:file { read write open getattr }; allow atci_service sysfs_vibrator_setting:file { read write open getattr }; allow atci_service sysfs_leds_setting:file { read write open getattr }; -allow atci_service proc:file getattr; allow atci_service vendor_toolbox_exec:file { read getattr open execute execute_no_trans }; # Date : WK18.21 diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te index e2e04d6..a0c9a3a 100644 --- a/non_plat/cameraserver.te +++ b/non_plat/cameraserver.te @@ -43,7 +43,6 @@ allow cameraserver mtkcam_prop:file { open read getattr }; # allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms; # allow cameraserver lens_device:chr_file rw_file_perms; # allow cameraserver nvdata_file:lnk_file read; -# allow cameraserver proc_meminfo:file { read getattr open }; # Date : WK14.34 # Operation : Migration 
@@ -201,13 +200,6 @@ allow cameraserver graphics_device:chr_file rw_file_perms; # Purpose : for low SD card latency issue # allow cameraserver sysfs_lowmemorykiller:file { read open }; -# Data: WK14.45 -# Operation : Migration -# Purpose : for change thermal policy when needed -# allow cameraserver proc_mtkcooler:dir search; -# allow cameraserver proc_mtktz:dir search; -# allow cameraserver proc_thermal:dir search; - # Date : WK14.46 # Operation : Migration # Purpose : for MTK Emulator HW GPU @@ -283,7 +275,6 @@ allow cameraserver gpu_device:dir search; # Operation : Migration # Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow) # allow cameraserver property_socket:sock_file write; -# allow cameraserver proc:file getattr; # allow cameraserver shell_exec:file { execute read getattr open}; # allow cameraserver init:unix_stream_socket connectto; diff --git a/non_plat/domain.te b/non_plat/domain.te index 6380a6d..d98ce68 100644 --- a/non_plat/domain.te +++ b/non_plat/domain.te @@ -40,6 +40,7 @@ allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:fd us # # r_dir_file(hal_wifi, sysfs_type) # hal_server_domain(mtk_hal_wifi, hal_wifi) +# full_treble_only(` neverallow ~{ init 
@@ -95,3 +96,67 @@ full_treble_only(` } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto }; ') +# Do not allow access to the generic proc label. This is too broad. +# Instead, if access to part of proc is desired, it should have a +# more specific label. +# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations. +# +# r_dir_file(hal_audio, proc) +# hal_server_domain(mtk_hal_audio, hal_audio) +# hal_client_domain(audioserver, hal_audio) +# +full_treble_only(` + neverallow ~{ + audiocmdservice_atci + audioserver + bluetooth + hal_audio_default + hal_graphics_allocator_default + init + merged_hal_service + mtk_hal_audio + rild + system_server + vendor_init + vold + } proc:file *; + + neverallow { + audiocmdservice_atci + audioserver + bluetooth + hal_audio_default + hal_graphics_allocator_default + init + merged_hal_service + mtk_hal_audio + rild + system_server + vold + } proc:file ~r_file_perms; + + neverallow vendor_init proc:file ~{ r_file_perms setattr }; + + neverallow ~{ + audiocmdservice_atci + audioserver + bluetooth + hal_audio_default + init + mtk_hal_audio + rild + system_server + } proc:lnk_file ~{ read getattr }; + + neverallow { + audiocmdservice_atci + audioserver + bluetooth + hal_audio_default + init + mtk_hal_audio + rild + system_server + } proc:lnk_file ~r_file_perms; +') + diff --git a/non_plat/hal_graphics_composer_default.te b/non_plat/hal_graphics_composer_default.te index 7696f50..a3c4243 100644 --- a/non_plat/hal_graphics_composer_default.te +++ b/non_plat/hal_graphics_composer_default.te @@ -6,7 +6,6 @@ allow hal_graphics_composer_default debugfs_ged:dir search; # Operation : Add sepolicy # Purpose : Add polivy for hwc HIDL -allow hal_graphics_composer_default proc:file { read getattr open ioctl }; allow hal_graphics_composer_default proc_ged:file r_file_perms; allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt }; 
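Review bot: The exemption lists in the new `proc:file` neverallow rules in non_plat/domain.te name `rild`, `merged_hal_service` and `hal_graphics_allocator_default`, yet this same commit removes the visible grants for them: `allow rild proc:file read;` in rilproxy.te, `allow merged_hal_service proc:file rw_file_perms;` in r_non_plat/merged_hal_service.te, and all of plat_private/hal_graphics_allocator.te. If no rule outside this diff still gives those domains access to the generic `proc` label, they should be dropped from both lists so that a later re-add of generic proc access fails the build. If one does, a comment per exempt domain would make the TODO actionable, e.g. `# rild: <rule or macro that still needs proc:file>`. The `vendor_init` rule here permits `{ r_file_perms setattr }` while the one added in plat_public/domain.te permits only `{ read setattr map open }`; the two should state the same set.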
@@ -55,4 +54,4 @@ allow hal_graphics_composer_default sysfs_boot_mode:file r_file_perms; # Date : WK19.46 # Purpose: Allow to access ged debug node -allow hal_graphics_composer_default debugfs_ged:file { w_file_perms };
\ No newline at end of file +allow hal_graphics_composer_default debugfs_ged:file { w_file_perms }; diff --git a/non_plat/mediacodec.te b/non_plat/mediacodec.te index 5b15af0..67b4c0d 100644 --- a/non_plat/mediacodec.te +++ b/non_plat/mediacodec.te @@ -16,7 +16,6 @@ allow mediacodec Vcodec_device:chr_file rw_file_perms; # Operation : Migration # Purpose : VP & VR dump and debug allow mediacodec M4U_device_device:chr_file rw_file_perms; -allow mediacodec proc:file r_file_perms; allow mediacodec debugfs_binder:dir search; allow mediacodec MTK_SMI_device:chr_file { ioctl read open }; allow mediacodec storage_file:lnk_file {read write open}; @@ -156,4 +155,4 @@ allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_CONFIG_PORT_ARRAY; # Date : 2019/12/12 # Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/* allow mediacodec sysfs_concurrency_scenario:file rw_file_perms; -allow mediacodec sysfs_concurrency_scenario:dir search;
\ No newline at end of file +allow mediacodec sysfs_concurrency_scenario:dir search; diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te index 7f90319..ead7145 100644 --- a/non_plat/meta_tst.te +++ b/non_plat/meta_tst.te @@ -281,7 +281,6 @@ binder_call(meta_tst, mtk_hal_audio) allow meta_tst mtk_hal_audio:binder call; #allow meta_tst hal_audio_hwservice:hwservice_manager find; allow meta_tst mtk_audiohal_data_file:dir {read search open}; -allow meta_tst proc:file {read open}; allow meta_tst audio_device:chr_file rw_file_perms; allow meta_tst audio_device:dir w_dir_perms; allow meta_tst audiohal_prop:property_service set; diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te index a99c770..25e0bb4 100644 --- a/non_plat/mtk_hal_camera.te +++ b/non_plat/mtk_hal_camera.te @@ -64,7 +64,6 @@ hal_client_domain(mtk_hal_camera, hal_graphics_allocator) # ----------------------------------- # Purpose: Camera-related devices (driver) # ----------------------------------- -allow mtk_hal_camera proc:file rw_file_perms; allow mtk_hal_camera proc_mtk_jpeg:file r_file_perms; allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl { JPG_BRIDGE_ENC_IO_INIT diff --git a/non_plat/mtk_hal_mms.te b/non_plat/mtk_hal_mms.te index 972dc9d..a78247c 100644 --- a/non_plat/mtk_hal_mms.te +++ b/non_plat/mtk_hal_mms.te @@ -31,7 +31,6 @@ allow mtk_hal_mms mtk_cmdq_device:chr_file { read open ioctl }; allow mtk_hal_mms mtk_mdp_device:chr_file rw_file_perms; allow mtk_hal_mms sw_sync_device:chr_file rw_file_perms; allow mtk_hal_mms mtk_hal_pq_hwservice:hwservice_manager find; -allow mtk_hal_mms proc:file r_file_perms; # Purpose : Allow to use allocator for JPEG hal_client_domain(mtk_hal_mms, hal_allocator) diff --git a/non_plat/mtkrild.te b/non_plat/mtkrild.te index a1683a5..3e7ec04 100644 --- a/non_plat/mtkrild.te +++ b/non_plat/mtkrild.te 
@@ -54,7 +54,6 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms; allow mtkrild sdcardfs:dir r_dir_perms; # Violate Android P rule #allow mtkrild system_file:file x_file_perms; -#allow mtkrild proc:file rw_file_perms; allow mtkrild proc_net:file w_file_perms; # Set and get routes directly via netlink. diff --git a/non_plat/rilproxy.te b/non_plat/rilproxy.te index 0f74a36..bf1d79e 100644 --- a/non_plat/rilproxy.te +++ b/non_plat/rilproxy.te @@ -24,7 +24,6 @@ allow rild mtk_agpsd:unix_stream_socket connectto; allow servicemanager rild:dir search; allow servicemanager rild:file { read open }; allow servicemanager rild:process getattr; -allow rild proc:file read; # Allow the socket read/write of netd for rild allow rild netd_socket:sock_file write; diff --git a/non_plat/thermalloadalgod.te b/non_plat/thermalloadalgod.te index 646f48c..e699912 100644 --- a/non_plat/thermalloadalgod.te +++ b/non_plat/thermalloadalgod.te @@ -12,9 +12,6 @@ type thermalloadalgod_exec , exec_type, file_type, vendor_file_type; # ============================================== init_daemon_domain(thermalloadalgod) - - - # Data : WK14.43 # Operation : Migration # Purpose : thermal algorithm daemon for access driver node 
@@ -31,19 +28,18 @@ allow thermalloadalgod kmsg_device:chr_file write; # Operation : SPA porting # Purpose : thermal algorithm daemon for SPA # For /proc/[pid]/cgroup accessing -typeattribute thermalloadalgod mlstrustedsubject; -allow thermalloadalgod proc:dir {search getattr}; -allow thermalloadalgod proc:file {getattr open read write ioctl}; -allow thermalloadalgod shell:dir search; -allow thermalloadalgod platform_app:dir search; -allow thermalloadalgod platform_app:file {open read getattr}; -allow thermalloadalgod priv_app:dir search; -allow thermalloadalgod priv_app:file {open read getattr}; -allow thermalloadalgod system_app:dir search; -allow thermalloadalgod system_app:file {open read getattr}; -allow thermalloadalgod untrusted_app:dir search; -allow thermalloadalgod untrusted_app:file {open read getattr}; -allow thermalloadalgod mediaserver:dir search; -allow thermalloadalgod mediaserver:file {open read getattr}; -allow thermalloadalgod proc_thermal:dir search; -allow thermalloadalgod proc_thermal:file { open read write getattr }; +typeattribute thermalloadalgod mlstrustedsubject; +allow thermalloadalgod proc:dir { search getattr }; +allow thermalloadalgod shell:dir search; +allow thermalloadalgod platform_app:dir search; +allow thermalloadalgod platform_app:file { open read getattr }; +allow thermalloadalgod priv_app:dir search; +allow thermalloadalgod priv_app:file { open read getattr }; +allow thermalloadalgod system_app:dir search; +allow thermalloadalgod system_app:file { open read getattr }; +allow thermalloadalgod untrusted_app:dir search; +allow thermalloadalgod untrusted_app:file { open read getattr }; +allow thermalloadalgod mediaserver:dir search; +allow thermalloadalgod mediaserver:file {open read getattr}; +allow thermalloadalgod proc_thermal:dir search; +allow thermalloadalgod proc_thermal:file { open read write getattr }; diff --git a/non_plat/vendor_init.te b/non_plat/vendor_init.te index 6c3afb7..d0bc030 100644 
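Review bot: The rules re-emitted under "For /proc/[pid]/cgroup accessing" still give thermalloadalgod `{ open read getattr }` on every file labelled with the `platform_app`, `priv_app`, `system_app`, `untrusted_app` and `mediaserver` domains, alongside `mlstrustedsubject`, so the daemon can read any per-process /proc entry of those domains that DAC permits, not only `cgroup`. Type rules cannot narrow that to one file, so the comment should say so, for example `# NOTE: grants read on all /proc/<pid> files of these domains, not just cgroup; mlstrustedsubject exempts this daemon from MLS constraints`. The only functional change in this hunk appears to be the dropped `proc:file` rule, and the remaining lines look like whitespace-only rewrites. Within those, `mediaserver:file {open read getattr}` was left unnormalised here while r_non_plat/thermalloadalgod.te has `{ open read getattr }`. The same comment applies to the matching hunk in r_non_plat/thermalloadalgod.te.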
--- a/non_plat/vendor_init.te +++ b/non_plat/vendor_init.te @@ -12,7 +12,6 @@ allow vendor_init coredump_prop:property_service set; allow vendor_init proc_wmtdbg:file w_file_perms; #allow vendor_init vold_prop:property_service set; -allow vendor_init proc:file write; allow vendor_init proc_cpufreq:file w_file_perms; allow vendor_init proc_bootprof:file write; allow vendor_init rootfs:dir { write add_name setattr }; diff --git a/plat_private/hal_graphics_allocator.te b/plat_private/hal_graphics_allocator.te deleted file mode 100644 index e713f4f..0000000 --- a/plat_private/hal_graphics_allocator.te +++ /dev/null @@ -1,5 +0,0 @@ -# Date : WK17.13 -# Operation : Add sepolicy -# Purpose : Add policy for gralloc HIDL - -allow hal_graphics_allocator proc:file { read getattr open ioctl };
\ No newline at end of file diff --git a/plat_public/domain.te b/plat_public/domain.te index 6375d48..32af4d4 100644 --- a/plat_public/domain.te +++ b/plat_public/domain.te @@ -47,11 +47,66 @@ full_treble_only(` ') - # Do not allow access to the generic proc label. This is too broad. # Instead, if access to part of proc is desired, it should have a # more specific label. -#neverallow * proc:dir_file_class_set *; +# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations. +# +# r_dir_file(hal_audio, proc) +# hal_server_domain(mtk_hal_audio, hal_audio) +# hal_client_domain(audioserver, hal_audio) +# +full_treble_only(` + neverallow * proc:{ chr_file blk_file sock_file fifo_file } *; + + neverallow { + coredomain + -audioserver + -bluetooth + -init + -system_server + -vold + } proc:file *; + + neverallow { + audioserver + bluetooth + init + system_server + vold + } proc:file ~r_file_perms; + + neverallow vendor_init proc:file ~{ read setattr map open }; + + neverallow { + coredomain + -audioserver + -bluetooth + -init + -system_server + } proc:lnk_file ~{ read getattr }; + + neverallow { + audioserver + bluetooth + init + system_server + } proc:lnk_file ~r_file_perms; + + neverallow ~{ + init + vendor_init + } proc:dir ~{ r_file_perms search }; + + neverallow { + init + vendor_init + } proc:dir ~{ r_file_perms search setattr }; +') + + + + # Do not allow access to the generic debugfs label. This is too broad. # Instead, if access to part of debugfs is desired, it should have a diff --git a/r_non_plat/aee_aedv.te b/r_non_plat/aee_aedv.te index 2c8bc56..289162e 100644 --- a/r_non_plat/aee_aedv.te +++ b/r_non_plat/aee_aedv.te @@ -79,7 +79,6 @@ allow aee_aedv dumpstate:unix_stream_socket { read write ioctl }; allow aee_aedv dumpstate:dir search; allow aee_aedv dumpstate:file r_file_perms; -allow aee_aedv proc:file rw_file_perms; allow aee_aedv logdr_socket:sock_file write; allow aee_aedv logd:unix_stream_socket connectto; 
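Review bot: The two `proc:dir` rules at the end of the added block in plat_public/domain.te build their permitted set from `r_file_perms`, which is the file-class macro. For a directory target the matching macro is `r_dir_perms`, which already contains `search` and does not contain `map`. I would write them as `} proc:dir ~r_dir_perms;` and `} proc:dir ~{ r_dir_perms setattr };`. Separately, the whole block sits inside `full_treble_only(`, so none of these checks are compiled on a non-Treble build, whereas the commented-out `neverallow * proc:dir_file_class_set *;` it replaces was written outside that macro. A one-line comment stating that this scoping is intended would help.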
diff --git a/r_non_plat/atci_service.te b/r_non_plat/atci_service.te index 3440cb0..3e4cd58 100644 --- a/r_non_plat/atci_service.te +++ b/r_non_plat/atci_service.te @@ -127,7 +127,6 @@ allow atci_service debugfs_ion:dir search; allow atci_service sysfs_tpd_setting:file { read write open getattr }; allow atci_service sysfs_vibrator_setting:file { read write open getattr }; allow atci_service sysfs_leds_setting:file { read write open getattr }; -allow atci_service proc:file getattr; allow atci_service vendor_toolbox_exec:file { read getattr open execute execute_no_trans }; # Date : WK18.21 diff --git a/r_non_plat/cameraserver.te b/r_non_plat/cameraserver.te index e2e04d6..ed076a5 100644 --- a/r_non_plat/cameraserver.te +++ b/r_non_plat/cameraserver.te @@ -28,23 +28,6 @@ allow cameraserver self:process { ptrace }; # ----------------------------------- allow cameraserver mtkcam_prop:file { open read getattr }; -# Date : WK14.31 -# Operation : Migration -# Purpose : camera devices access. -# allow cameraserver camera_isp_device:chr_file rw_file_perms; -# allow cameraserver ccu_device:chr_file rw_file_perms; -# allow cameraserver vpu_device:chr_file rw_file_perms; -# allow cameraserver kd_camera_hw_device:chr_file rw_file_perms; -# allow cameraserver seninf_device:chr_file rw_file_perms; -# allow cameraserver self:capability { setuid ipc_lock sys_nice }; -# allow cameraserver sysfs_wake_lock:file rw_file_perms; -# allow cameraserver MTK_SMI_device:chr_file r_file_perms; -# allow cameraserver camera_pipemgr_device:chr_file r_file_perms; -# allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms; -# allow cameraserver lens_device:chr_file rw_file_perms; -# allow cameraserver nvdata_file:lnk_file read; -# allow cameraserver proc_meminfo:file { read getattr open }; - # Date : WK14.34 # Operation : Migration # Purpose : nvram access (dumchar case for nand and legacy chip) 
@@ -201,13 +184,6 @@ allow cameraserver graphics_device:chr_file rw_file_perms; # Purpose : for low SD card latency issue # allow cameraserver sysfs_lowmemorykiller:file { read open }; -# Data: WK14.45 -# Operation : Migration -# Purpose : for change thermal policy when needed -# allow cameraserver proc_mtkcooler:dir search; -# allow cameraserver proc_mtktz:dir search; -# allow cameraserver proc_thermal:dir search; - # Date : WK14.46 # Operation : Migration # Purpose : for MTK Emulator HW GPU @@ -279,14 +255,6 @@ allow cameraserver system_file:dir { read open }; allow cameraserver gpu_device:chr_file rw_file_perms; allow cameraserver gpu_device:dir search; -# Date : WK16.30 -# Operation : Migration -# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow) -# allow cameraserver property_socket:sock_file write; -# allow cameraserver proc:file getattr; -# allow cameraserver shell_exec:file { execute read getattr open}; -# allow cameraserver init:unix_stream_socket connectto; - # Date : WK16.32 # Operation : Migration # Purpose : RSC Driver diff --git a/r_non_plat/hal_graphics_composer_default.te b/r_non_plat/hal_graphics_composer_default.te index 242c062..6f54e9f 100644 --- a/r_non_plat/hal_graphics_composer_default.te +++ b/r_non_plat/hal_graphics_composer_default.te @@ -6,7 +6,6 @@ allow hal_graphics_composer_default debugfs_ged:dir search; # Operation : Add sepolicy # Purpose : Add polivy for hwc HIDL -allow hal_graphics_composer_default proc:file { read getattr open ioctl }; allow hal_graphics_composer_default proc_ged:file r_file_perms; allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt }; diff --git a/r_non_plat/mediacodec.te b/r_non_plat/mediacodec.te index ba1305c..48c14d7 100644 --- a/r_non_plat/mediacodec.te +++ b/r_non_plat/mediacodec.te 
@@ -16,7 +16,6 @@ allow mediacodec Vcodec_device:chr_file rw_file_perms; # Operation : Migration # Purpose : VP & VR dump and debug allow mediacodec M4U_device_device:chr_file rw_file_perms; -allow mediacodec proc:file r_file_perms; allow mediacodec debugfs_binder:dir search; allow mediacodec MTK_SMI_device:chr_file { ioctl read open }; allow mediacodec storage_file:lnk_file {read write open}; diff --git a/r_non_plat/merged_hal_service.te b/r_non_plat/merged_hal_service.te index 9c77899..fea6d78 100644 --- a/r_non_plat/merged_hal_service.te +++ b/r_non_plat/merged_hal_service.te @@ -51,7 +51,6 @@ allow merged_hal_service debugfs_tracing:file write; #power permissions allow merged_hal_service proc:dir {search getattr}; -allow merged_hal_service proc:file rw_file_perms; allow merged_hal_service debugfs_ged:dir search; allow merged_hal_service debugfs_ged:file { getattr open read write }; allow merged_hal_service proc_thermal:file { write open }; diff --git a/r_non_plat/meta_tst.te b/r_non_plat/meta_tst.te index 7f90319..ead7145 100644 --- a/r_non_plat/meta_tst.te +++ b/r_non_plat/meta_tst.te @@ -281,7 +281,6 @@ binder_call(meta_tst, mtk_hal_audio) allow meta_tst mtk_hal_audio:binder call; #allow meta_tst hal_audio_hwservice:hwservice_manager find; allow meta_tst mtk_audiohal_data_file:dir {read search open}; -allow meta_tst proc:file {read open}; allow meta_tst audio_device:chr_file rw_file_perms; allow meta_tst audio_device:dir w_dir_perms; allow meta_tst audiohal_prop:property_service set; diff --git a/r_non_plat/mtk_hal_camera.te b/r_non_plat/mtk_hal_camera.te index f7368a0..d74aa64 100644 --- a/r_non_plat/mtk_hal_camera.te +++ b/r_non_plat/mtk_hal_camera.te 
@@ -64,7 +64,6 @@ hal_client_domain(mtk_hal_camera, hal_graphics_allocator) # ----------------------------------- # Purpose: Camera-related devices (driver) # ----------------------------------- -allow mtk_hal_camera proc:file rw_file_perms; allow mtk_hal_camera proc_mtk_jpeg:file r_file_perms; allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl { JPG_BRIDGE_ENC_IO_INIT diff --git a/r_non_plat/mtk_hal_mms.te b/r_non_plat/mtk_hal_mms.te index d52f12b..5609e97 100644 --- a/r_non_plat/mtk_hal_mms.te +++ b/r_non_plat/mtk_hal_mms.te @@ -31,7 +31,6 @@ allow mtk_hal_mms mtk_cmdq_device:chr_file { read open ioctl }; allow mtk_hal_mms mtk_mdp_device:chr_file rw_file_perms; allow mtk_hal_mms sw_sync_device:chr_file rw_file_perms; allow mtk_hal_mms mtk_hal_pq_hwservice:hwservice_manager find; -allow mtk_hal_mms proc:file r_file_perms; # Purpose : Allow to use allocator for JPEG hal_client_domain(mtk_hal_mms, hal_allocator) diff --git a/r_non_plat/mtkrild.te b/r_non_plat/mtkrild.te index 4dd1490..b064169 100644 --- a/r_non_plat/mtkrild.te +++ b/r_non_plat/mtkrild.te @@ -52,9 +52,6 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms; # (radio data/system data/proc/etc) # Violate Android P rule allow mtkrild sdcardfs:dir r_dir_perms; -# Violate Android P rule -#allow mtkrild system_file:file x_file_perms; -#allow mtkrild proc:file rw_file_perms; allow mtkrild proc_net:file w_file_perms; # Set and get routes directly via netlink. diff --git a/r_non_plat/rilproxy.te b/r_non_plat/rilproxy.te index 0f74a36..bf1d79e 100644 --- a/r_non_plat/rilproxy.te +++ b/r_non_plat/rilproxy.te @@ -24,7 +24,6 @@ allow rild mtk_agpsd:unix_stream_socket connectto; allow servicemanager rild:dir search; allow servicemanager rild:file { read open }; allow servicemanager rild:process getattr; -allow rild proc:file read; # Allow the socket read/write of netd for rild allow rild netd_socket:sock_file write; 
diff --git a/r_non_plat/thermalloadalgod.te b/r_non_plat/thermalloadalgod.te index 646f48c..a0091b4 100644 --- a/r_non_plat/thermalloadalgod.te +++ b/r_non_plat/thermalloadalgod.te @@ -12,9 +12,6 @@ type thermalloadalgod_exec , exec_type, file_type, vendor_file_type; # ============================================== init_daemon_domain(thermalloadalgod) - - - # Data : WK14.43 # Operation : Migration # Purpose : thermal algorithm daemon for access driver node 
@@ -31,19 +28,18 @@ allow thermalloadalgod kmsg_device:chr_file write; # Operation : SPA porting # Purpose : thermal algorithm daemon for SPA # For /proc/[pid]/cgroup accessing -typeattribute thermalloadalgod mlstrustedsubject; -allow thermalloadalgod proc:dir {search getattr}; -allow thermalloadalgod proc:file {getattr open read write ioctl}; -allow thermalloadalgod shell:dir search; -allow thermalloadalgod platform_app:dir search; -allow thermalloadalgod platform_app:file {open read getattr}; -allow thermalloadalgod priv_app:dir search; -allow thermalloadalgod priv_app:file {open read getattr}; -allow thermalloadalgod system_app:dir search; -allow thermalloadalgod system_app:file {open read getattr}; -allow thermalloadalgod untrusted_app:dir search; -allow thermalloadalgod untrusted_app:file {open read getattr}; -allow thermalloadalgod mediaserver:dir search; -allow thermalloadalgod mediaserver:file {open read getattr}; -allow thermalloadalgod proc_thermal:dir search; -allow thermalloadalgod proc_thermal:file { open read write getattr }; +typeattribute thermalloadalgod mlstrustedsubject; +allow thermalloadalgod proc:dir { search getattr }; +allow thermalloadalgod shell:dir search; +allow thermalloadalgod platform_app:dir search; +allow thermalloadalgod platform_app:file { open read getattr }; +allow thermalloadalgod priv_app:dir search; +allow thermalloadalgod priv_app:file { open read getattr }; +allow thermalloadalgod system_app:dir search; +allow thermalloadalgod system_app:file { open read getattr }; +allow thermalloadalgod untrusted_app:dir search; +allow thermalloadalgod untrusted_app:file { open read getattr }; +allow thermalloadalgod mediaserver:dir search; +allow thermalloadalgod mediaserver:file { open read getattr }; +allow thermalloadalgod proc_thermal:dir search; +allow thermalloadalgod proc_thermal:file { open read write getattr }; diff --git a/r_non_plat/vendor_init.te b/r_non_plat/vendor_init.te index bba9daf..eef9af4 100644 
--- a/r_non_plat/vendor_init.te +++ b/r_non_plat/vendor_init.te @@ -12,7 +12,6 @@ allow vendor_init coredump_prop:property_service set; allow vendor_init proc_wmtdbg:file w_file_perms; #allow vendor_init vold_prop:property_service set; -allow vendor_init proc:file write; allow vendor_init proc_bootprof:file write; allow vendor_init rootfs:dir { write add_name setattr }; allow vendor_init self:capability sys_module; diff --git a/r_non_plat/wmt_loader.te b/r_non_plat/wmt_loader.te index de04ce6..25c9bde 100644 --- a/r_non_plat/wmt_loader.te +++ b/r_non_plat/wmt_loader.te @@ -25,8 +25,6 @@ allow wmt_loader wmtdetect_device:chr_file rw_file_perms; allow wmt_loader stpwmt_device:chr_file rw_file_perms; allow wmt_loader devpts:chr_file rwx_file_perms; -allow wmt_loader proc:file setattr; - # Date: 2019/06/14 # Operation : Migration allow wmt_loader proc_wmtdbg:file setattr; |