# ============================================== # MTK Policy Rule # ============================================== # Access devices. allow system_server touch_device:chr_file rw_file_perms; allow system_server stpant_device:chr_file rw_file_perms; allow system_server devmap_device:chr_file r_file_perms; allow system_server irtx_device:chr_file rw_file_perms; allow system_server qemu_pipe_device:chr_file rw_file_perms; allow system_server wmtWifi_device:chr_file w_file_perms; # Add for bootprof allow system_server proc_bootprof:file rw_file_perms; # /data/core access. allow system_server aee_core_data_file:dir r_dir_perms; # Perform Binder IPC. allow system_server zygote:binder impersonate; # Property service. allow system_server ctl_bootanim_prop:property_service set; # For dumpsys. allow system_server aee_dumpsys_data_file:file w_file_perms; allow system_server aee_exp_data_file:file w_file_perms; # Dump native process backtrace. #allow system_server exec_type:file r_file_perms; # Querying zygote socket. allow system_server zygote:unix_stream_socket { getopt getattr }; # Communicate over a socket created by mnld process. # Allow system_server to read /sys/kernel/debug/wakeup_sources allow system_server debugfs_wakeup_sources:file r_file_perms; # Allow system_server to read/write /sys/power/dcm_state allow system_server sysfs_dcm:file rw_file_perms; # Date : WK16.36 # Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW allow system_server log_tag_prop:property_service set; # Data : WK16.42 # Operator: Whitney bring up # Purpose: call surfaceflinger due to powervr allow system_server surfaceflinger:fifo_file rw_file_perms; # Date : W16.42 # Operation : Integration # Purpose : DRM / DRI GPU driver required allow system_server gpu_device:dir search; allow system_server debugfs_gpu_img:dir search; # Date : W16.43 # Operation : Integration # Purpose : DRM / DRI GPU driver required allow system_server sw_sync_device:chr_file { read write getattr open ioctl }; # Date : WK16.44 # Purpose: Allow to access UART1 ttyMT1 allow system_server ttyMT_device:chr_file rw_file_perms; # Date : WK17.52 # Purpose: Allow to access UART1 ttyS allow system_server ttyS_device:chr_file rw_file_perms; # Date:W16.46 # Operation : thermal hal Feature developing # Purpose : thermal hal interface permission allow system_server proc_mtktz:dir search; allow system_server proc_mtktz:file r_file_perms; # Date:W17.02 # Operation : audio hal developing # Purpose : audio hal interface permission allow system_server mtk_hal_audio:process { getsched setsched }; # Date:W17.07 # Operation : bt hal # Purpose : bt hal interface permission binder_call(system_server, mtk_hal_bluetooth) # Date:W17.08 # Operation : sensors hal developing # Purpose : sensors hal interface permission binder_call(system_server, mtk_hal_sensors) # Operation : light hal developing # Purpose : light hal interface permission binder_call(system_server, mtk_hal_light) # Date:W17.21 # Operation : gnss hal # Purpose : gnss hal interface permission hal_client_domain(system_server, hal_gnss) # Date : W18.01 # Add for turn on SElinux in enforcing mode allow system_server vendor_framework_file:dir r_file_perms; # Fix bootup violation allow system_server vendor_framework_file:file getattr; allow system_server wifi_prop:file { read getattr open }; # Date:W17.22 # Operation : add aee_aed socket rule # Purpose : type=1400 audit(0.0:134519): avc: denied { connectto } # for comm=4572726F722064756D703A20737973 # path=00636F6D2E6D746B2E6165652E6165645F3634 # scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0 # tclass=unix_stream_socket permissive=0 allow system_server aee_aed:unix_stream_socket connectto; #Dat: 2017/02/14 #Purpose: allow get telephony Sensitive property get_prop(system_server, mtk_telephony_sensitive_prop) # Date: W17.22 # Operation : New Feature # Purpose : Add for A/B system allow system_server debugfs_wakeup_sources:file { read getattr open }; # Date:W17.26 # Operation : imsa hal # Purpose : imsa hal interface permission binder_call(system_server, mtk_hal_imsa) # Date:W17.28 # Operation : camera hal developing # Purpose : camera hal binder_call permission binder_call(system_server, mtk_hal_camera) # Date:W17.31 # Operation : mpe sensor hidl developing # Purpose : mpe sensor hidl permission binder_call(system_server, mnld) # Date : WK17.32 # Operation : Migration # Purpose : for network log dumpsys setting/netd information # audit(0.0:914): avc: denied { write } for path="pipe:[46088]" # dev="pipefs" ino=46088 scontext=u:r:system_server:s0 # tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1 allow system_server netdiag:fifo_file write; # Date : WK17.32 # Operation : Migration # Purpose : for DHCP Client ip recover functionality allow system_server dhcp_data_file:dir search; allow system_server dhcp_data_file:dir rw_dir_perms; allow system_server dhcp_data_file:file create_file_perms; # Date:W17.35 # Operation : lbs hal # Purpose : lbs hidl interface permission hal_client_domain(system_server, mtk_hal_lbs) # Date : WK17.12 # Operation : MT6799 SQC # Purpose : Change thermal config allow system_server mtk_thermal_config_prop:file { getattr open read }; # Date : WK17.43 # Operation : Migration # Purpose : perfmgr permission allow system_server mtk_hal_power_hwservice:hwservice_manager find; allow system_server proc_perfmgr:dir {read search}; allow system_server proc_perfmgr:file {open read ioctl}; allowxperm system_server proc_perfmgr:file ioctl { PERFMGR_FPSGO_QUEUE PERFMGR_FPSGO_DEQUEUE PERFMGR_FPSGO_QUEUE_CONNECT PERFMGR_FPSGO_BQID }; # Date : W18.22 # Operation : MTK wifi hal migration # Purpose : MTK wifi hal interface permission binder_call(system_server, mtk_hal_wifi) # Date : WK18.33 # Purpose : type=1400 audit(0.0:1592): avc: denied { read } # for comm=4572726F722064756D703A20646174 name= # "u:object_r:persist_mtk_aee_prop:s0" dev="tmpfs" # ino=10312 scontext=u:r:system_server:s0 tcontext= # u:object_r:persist_mtk_aee_prop:s0 tclass=file permissive=0 get_prop(system_server, persist_mtk_aee_prop); # Date : W19.15 # Operation : alarm device permission # Purpose : support power-off alarm allow system_server alarm_device:chr_file rw_file_perms; # Date : WK19.7 # Operation: Q migration # Purpose : Allow system_server to use ioctl/ioctlcmd allow system_server proc_ged:file rw_file_perms; allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls }; # Date: 2019/06/14 # Operation : Migration get_prop(system_server, vendor_default_prop) # Date: 2019/06/14 # Operation : when WFD turnning on, turn off hdmi allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find; allow system_server mtk_hal_hdmi:binder call; #Date:2019/10/08 #Operation:Q Migration allow system_server proc_battery_cmd:dir search; #Date:2019/10/09 #Operation:Q Migration get_prop(system_server, debug_mtk_aee_prop) #Date:2019/10/09 #Operation:Q Migration get_prop(system_server, debug_bq_dump_prop) get_prop(system_server, mtk_telecom_vibrate) allow system_server proc_cmdq_debug:file getattr; allow system_server proc_freqhop:file getattr; allow system_server proc_last_kmsg:file r_file_perms; allow system_server proc_cm_mgr:dir search; allow system_server proc_isp_p2:dir search; allow system_server proc_thermal:dir search; allow system_server proc_atf_log:dir search; allow system_server proc_cpufreq:dir search; allow system_server proc_mtkcooler:dir search; allow system_server proc_ppm:dir search; # Date : 2019/10/11 # Operation : Q Migration allow system_server proc_wlan_status:file getattr; # Date : 2019/10/11 # Operation : Q Migration allow system_server sysfs_pages_shared:file r_file_perms; allow system_server sysfs_pages_sharing:file r_file_perms; allow system_server sysfs_pages_unshared:file r_file_perms; allow system_server sysfs_pages_volatile:file r_file_perms; # Date:2019/10/14 # Operation: Q Migration # Purpose : power_hal_mgr_service may use libmtkperf_client allow system_server sysfs_boot_mode:file r_file_perms; # Date : 2019/10/22 # Operation : Q Migration allow system_server self:capability sys_module; # Date : 2019/10/22 # Operation : Q Migration dontaudit system_server sdcardfs:file r_file_perms; # Date : 2019/10/26 # Operation : Q Migration allow system_server mtk_hal_camera:process sigkill; allow system_server kernel:system syslog_read; # Date : 2019/10/30 # Operation : Q Migration allow system_server proc_chip:dir search; allow system_server zygote:process setsched; # Date : 2019/11/21 # Operation : Q Migration allow system_server sf_rtt_file:dir rmdir; # Date : 2019/11/29 # Operation : Q Migration allow system_server storage_stub_file:dir getattr;