non_plat/dumpstate.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

# ==============================================
# MTK Policy Rule
# ==============================================

# Purpose: aee_dumpstate set surfaceflinger property
set_prop(dumpstate, debug_bq_dump_prop);

# Purpose: access dev/aed0
allow dumpstate aed_device:chr_file { read getattr };

# Purpose: data/dumpsys/*
allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
allow dumpstate aee_dumpsys_data_file:file { create_file_perms };

# Purpose: data/aee_exp/*
allow dumpstate aee_exp_data_file:dir { w_dir_perms };
allow dumpstate aee_exp_data_file:file { create_file_perms };

# Purpose: debugfs files
allow dumpstate debugfs:lnk_file read;
allow dumpstate debugfs_binder:dir { read open };
allow dumpstate debugfs_binder:file { read open };
allow dumpstate debugfs_blockio:file { read open };
allow dumpstate debugfs_fb:dir search;
allow dumpstate debugfs_fb:file { read open };
allow dumpstate debugfs_fuseio:dir search;
allow dumpstate debugfs_fuseio:file { read open };
allow dumpstate debugfs_ged:dir search;
allow dumpstate debugfs_ged:file { read open };
allow dumpstate debugfs_rcu:dir search;
allow dumpstate debugfs_shrinker_debug:file { read open };
allow dumpstate debugfs_wakeup_sources:file { read open };
allow dumpstate debugfs_dmlog_debug:file { read open };
allow dumpstate debugfs_page_owner_slim_debug:file { read open };
allow dumpstate debugfs_ion_mm_heap:dir search;
allow dumpstate debugfs_ion_mm_heap:file { read open };
allow dumpstate debugfs_ion_mm_heap:lnk_file read;
allow dumpstate debugfs_cpuhvfs:dir search;
allow dumpstate debugfs_cpuhvfs:file { read open };
allow dumpstate debugfs_vpu_device_dbg:file { read open };

# Purpose: /sys/kernel/ccci/md_chn
allow dumpstate sysfs_ccci:dir search;
allow dumpstate sysfs_ccci:file { read open };

# Purpose: leds status
allow dumpstate sysfs_leds:lnk_file read;

# Purpose: /sys/module/lowmemorykiller/parameters/adj
allow dumpstate sysfs_lowmemorykiller:file { read open };
allow dumpstate sysfs_lowmemorykiller:dir search;

# Purpose: /dev/block/mmcblk0p10
allow dumpstate expdb_block_device:blk_file { read write ioctl open };

#/data/anr/SF_RTT
allow dumpstate sf_rtt_file:dir { search getattr };

# Data : 2017/03/22
# Operation : add fd use selinux rule
# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
#           dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
#           tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
allow dumpstate aee_aed:fd use;
allow dumpstate aee_aed:unix_stream_socket { read write ioctl };

# private define
# allow dumpstate config_gz:file read;

allow dumpstate sysfs_leds:dir r_dir_perms;

# Purpose: 01-01 08:30:57.260  3070  3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# sf_bqdump_data_file:s0 tclass=dir permissive=0
allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
allow dumpstate sf_bqdump_data_file:file r_file_perms;

# Purpose:
# 01-01 17:59:14.440  7664  7664 I aee_dumpstate: type=1400 audit(0.0:63497):
# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# tracing_shell_writable:s0 tclass=file permissive=1
allow dumpstate debugfs_tracing:file rw_file_perms;

# Data : WK17.03
# Purpose: Allow to access gpu
allow dumpstate gpu_device:dir search;

# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
allow dumpstate mtk_hal_camera:binder { call };

# Purpose: Allow aee_dumpstate to read /proc/slabinfo
allow dumpstate proc_slabinfo:file r_file_perms;

# Purpose: Allow aee_dumpstate to read /proc/zraminfo
allow dumpstate proc_zraminfo:file r_file_perms;

# Purpose: Allow aee_dumpstate to read /proc/gpulog
allow dumpstate proc_gpulog:file r_file_perms;

# Purpose: Allow aee_dumpstate to read /proc/sched_debug
allow dumpstate proc_sched_debug:file r_file_perms;

# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
allow dumpstate proc_chip:file r_file_perms;

# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
allow dumpstate sysfs_vibrator_setting:file write;

# Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
allow dumpstate debugfs_rcu:file r_file_perms;

# Purpose: Allow dumpstate to read /proc/ufs_debug
allow dumpstate proc_ufs_debug:file rw_file_perms;

# Purpose: Allow dumpstate to read /proc/msdc_debug
allow dumpstate proc_msdc_debug:file r_file_perms;

# Purpose: Allow dumpstate to r/w /proc/pidmap
allow dumpstate proc_pidmap:file rw_file_perms;

# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
allow dumpstate sysfs_vcore_debug:file r_file_perms;

# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
allow dumpstate sf_rtt_file:file r_file_perms;

#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
allow dumpstate proc_slabtrace:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
allow dumpstate proc_cmdq_debug:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
allow dumpstate proc_dbg_repo:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_dump
allow dumpstate proc_isp_p2_dump:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_kedump
allow dumpstate proc_isp_p2_kedump:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/mali/memory_usage
allow dumpstate proc_memory_usage:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/mtk_es_reg_dump
allow dumpstate proc_mtk_es_reg_dump:file r_file_perms;

#Purpose: Allow dumpstate to read /sys/power/mtkpasr/execstate
allow dumpstate sysfs_execstate:file r_file_perms;

allow dumpstate proc_isp_p2:dir r_dir_perms;
allow dumpstate proc_isp_p2:file r_file_perms;

# Date : W19.26
# Operation : Migration
# Purpose : fix google dumpstate avc error in xTS
allow dumpstate debugfs:dir r_dir_perms;
allow dumpstate debugfs_mmc:dir search;
allow dumpstate mnt_media_rw_file:dir getattr;

# Date: 19/07/15
# Purpose: fix google dumpstate avc error in xTs
allow dumpstate sysfs_devices_block:file r_file_perms;
allow dumpstate proc_last_kmsg:file r_file_perms;

# Date: 19/07/15
# Purpose: Allow dumpstate to read /sys/kernel/debug/kmemleak
allow dumpstate debugfs_kmemleak:file r_file_perms;

#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
allow dumpstate sysfs_adsp:file r_file_perms;

#Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
allow dumpstate debugfs_smi_mon:file r_file_perms;

# MTEE Trusty
allow dumpstate mtee_trusty_file:file rw_file_perms;

# 09-05 15:58:31.552000  9693  9693 W df      : type=1400 audit(0.0:990):
# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
allow dumpstate mnt_expand_file:dir search;