1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
|
# ==============================================
# Policy File of /system/bin/factory Executable File
# ==============================================
# Type Declaration
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
type factory, domain;
type factory_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(factory)
#============= factory ==============
allow factory MTK_SMI_device:chr_file r_file_perms;
allow factory ashmem_device:chr_file execute;
allow factory ebc_device:chr_file rw_file_perms;
allow factory stpbt_device:chr_file rw_file_perms;
# Date: WK14.47
# Operation : Migration
# Purpose : CCCI
allow factory eemcs_device:chr_file rw_file_perms;
allow factory ccci_device:chr_file rw_file_perms;
allow factory gsm0710muxd_device:chr_file rw_file_perms;
#Purpose: file system requirement
allow factory debugfs_usb:file rw_file_perms;
allow factory debugfs_usb:dir search;
allow factory devpts:chr_file rw_file_perms;
allow factory vfat:dir w_dir_perms;
allow factory labeledfs:filesystem unmount;
allow factory rootfs:dir mounton;
allow factory vfat:dir { read open search mounton };
allow factory vfat:filesystem { mount unmount };
# Purpose : SDIO
allow factory ttySDIO_device:chr_file rw_file_perms;
#Purpose: USB
allow factory ttyMT_device:chr_file rw_file_perms;
allow factory ttyS_device:chr_file rw_file_perms;
allow factory ttyGS_device:chr_file rw_file_perms;
# Purpose: OTG
allow factory usb_device:chr_file rw_file_perms;
allow factory usb_device:dir r_dir_perms;
# Date: WK15.01
# Purpose : OTG Mount
allow factory sdcard_type:dir mounton;
# Date: WK15.07
# Purpose : use c2k flight mode;
allow factory vmodem_device:chr_file rw_file_perms;
# Date: WK15.13
# Purpose: for nand project
allow factory mtd_device:dir search;
allow factory mtd_device:chr_file rw_file_perms;
allow factory self:capability sys_resource;
allow factory pro_info_device:chr_file rw_file_perms;
# Data: WK15.28
# Purpose: for mt-ramdump reset
allow factory proc_mrdump_rst:file w_file_perms;
#Date: WK15.31
#Purpose: define factory_data_file instead of system_data_file
# because system_data_file is sensitive partition from M
wakelock_use(factory);
allow factory storage_file:dir { write create add_name search mounton };
# Date: WK15.44
# Purpose: factory idle current status
allow factory vendor_factory_idle_state_prop:property_service set;
# Date: WK15.46
# Purpose: gps factory mode
allow factory agpsd_data_file:dir search;
allow factory gps_data_file:dir { write add_name search remove_name unlink};
allow factory gps_data_file:file { read write open create getattr append setattr unlink lock};
allow factory gps_data_file:lnk_file read;
allow factory storage_file:lnk_file r_file_perms;
#Date: WK15.48
#Purpose: capture for factory mode
allow factory devmap_device:chr_file r_file_perms;
allow factory sdcard_type:dir create_dir_perms;
allow factory sdcard_type:file create_file_perms;
allow factory mnt_user_file:dir search;
allow factory mnt_user_file:lnk_file read;
allow factory storage_file:lnk_file read;
#Date: WK16.05
#Purpose: For access NVRAM
allow factory factory:capability chown;
allow factory nvram_data_file:dir create_dir_perms;
allow factory nvram_data_file:file create_file_perms;
allow factory nvram_data_file:lnk_file r_file_perms;
allow factory nvdata_file:lnk_file r_file_perms;
allow factory nvram_device:chr_file rw_file_perms;
allow factory nvram_device:blk_file rw_file_perms;
allow factory nvdata_device:blk_file rw_file_perms;
#Date: WK16.12
#Purpose: For sensor test
allow factory als_ps_device:chr_file r_file_perms;
allow factory barometer_device:chr_file r_file_perms;
allow factory gsensor_device:chr_file r_file_perms;
allow factory gyroscope_device:chr_file r_file_perms;
allow factory msensor_device:chr_file r_file_perms;
allow factory biometric_device:chr_file r_file_perms;
#Purpose: For camera Test
allow factory kd_camera_flashlight_device:chr_file rw_file_perms;
allow factory kd_camera_hw_device:chr_file rw_file_perms;
allow factory seninf_device:chr_file rw_file_perms;
allow factory CAM_CAL_DRV_device:chr_file rw_file_perms;
#Purpose: For reboot the target
allow factory powerctl_prop:property_service set;
#Purpose: For memory card test
allow factory misc_sd_device:chr_file r_file_perms;
allow factory mmcblk1_block_device:blk_file rw_file_perms;
allow factory bootdevice_block_device:blk_file rw_file_perms;
allow factory mmcblk1p1_block_device:blk_file rw_file_perms;
allow factory block_device:dir w_dir_perms;
allowxperm factory mmcblk1_block_device:blk_file ioctl BLKGETSIZE;
allowxperm factory bootdevice_block_device:blk_file ioctl BLKGETSIZE;
#Purpose: For EMMC test
allow factory nvdata_file:dir create_dir_perms;
allow factory nvdata_file:file create_file_perms;
#Purpose: For HRM test
allow factory hrm_device:chr_file r_file_perms;
#Purpose: For IrTx LED test
allow factory irtx_device:chr_file rw_file_perms;
#Purpose: For battery test, ext_buck test and ext_vbat_boost test
allow factory pmic_ftm_device:chr_file rw_file_perms;
allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms;
allow factory MT_pmic_cali_device:chr_file r_file_perms;
allow factory charger_ftm_device:chr_file r_file_perms;
#Purpose: For HDMI test
allow factory graphics_device:dir w_dir_perms;
allow factory graphics_device:chr_file rw_file_perms;
#Purpose: For WIFI test
allow factory wmtWifi_device:chr_file rw_file_perms;
#Purpose: For rtc test
allow factory rtc_device:chr_file rw_file_perms;
#Purpose: For nfc test
allow factory mt6605_device:chr_file rwx_file_perms;
#Purpose: For gps test
allow factory mnld_device:chr_file rw_file_perms;
allow factory mnld_exec:file rx_file_perms;
#Purpose: For keypad test
allow factory mtk_kpd_device:chr_file r_file_perms;
#Purpose: For Humidity test
allow factory humidity_device:chr_file r_file_perms;
#Purpose: For camera test
allow factory camera_isp_device:chr_file rw_file_perms;
allow factory camera_dip_device:chr_file rw_file_perms;
allow factory camera_pipemgr_device:chr_file r_file_perms;
allow factory camera_sysram_device:chr_file r_file_perms;
allow factory ccu_device:chr_file rw_file_perms;
allow factory vpu_device:chr_file rw_file_perms;
allow factory MAINAF_device:chr_file rw_file_perms;
allow factory MAIN2AF_device:chr_file rw_file_perms;
allow factory SUBAF_device:chr_file rw_file_perms;
allow factory FM50AF_device:chr_file rw_file_perms;
allow factory AD5820AF_device:chr_file rw_file_perms;
allow factory DW9714AF_device:chr_file rw_file_perms;
allow factory DW9714A_device:chr_file rw_file_perms;
allow factory LC898122AF_device:chr_file rw_file_perms;
allow factory LC898212AF_device:chr_file rw_file_perms;
allow factory BU6429AF_device:chr_file rw_file_perms;
allow factory DW9718AF_device:chr_file rw_file_perms;
allow factory BU64745GWZAF_device:chr_file rw_file_perms;
allow factory cct_data_file:dir create_dir_perms;
allow factory cct_data_file:file create_file_perms;
allow factory camera_tsf_device:chr_file rw_file_perms;
allow factory camera_rsc_device:chr_file rw_file_perms;
allow factory camera_gepf_device:chr_file rw_file_perms;
allow factory camera_fdvt_device:chr_file rw_file_perms;
allow factory camera_wpe_device:chr_file rw_file_perms;
allow factory camera_owe_device:chr_file rw_file_perms;
allow factory camera_mfb_device:chr_file rw_file_perms;
allow factory mtk_hal_power_hwservice:hwservice_manager find;
allow factory vendor_data_file:file getattr;
allow factory mtk_hal_power:binder call;
get_prop(factory,mediatek_prop);
#Purpose: For FM test and headset test
allow factory accdet_device:chr_file r_file_perms;
allow factory fm_device:chr_file rw_file_perms;
#Purpose: For audio test
allow factory audio_device:chr_file rw_file_perms;
allow factory audio_device:dir w_dir_perms;
allow factory audiohal_prop:property_service set;
allow factory audio_ipi_device:chr_file { read write ioctl open };
allow factory audio_scp_device:chr_file r_file_perms;
#Purpose: For key and touch event
allow factory input_device:chr_file r_file_perms;
allow factory input_device:dir rw_dir_perms;
# Date: WK16.17
# Purpose: N Migration For ccci sysfs node
# Allow read to sys/kernel/ccci/* files
allow factory sysfs_ccci:dir search;
allow factory sysfs_ccci:file r_file_perms;
# Date: WK16.18
# Purpose: N Migration For boot_mode
# Allow to read boot mode
# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
# tclass=file permissive=0
allow factory sysfs_boot_mode:file { read open };
allow factory sysfs_boot_type:file { read open };
#TODO:: MTK need to remove later
not_full_treble(`
allow factory mnld:unix_dgram_socket sendto;
')
# Date: WK16.31
#Purpose: For gps test
allow factory mnld_prop:property_service set;
# Date: WK16.33
#Purpose: for unmount sdcardfs and stop services which are using data partition
allow factory sdcard_type:filesystem unmount;
allow factory ctl_default_prop:property_service set;
# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
allow factory flashlight_device:chr_file rw_file_perms;
# Date: WK15.25
#Purpose: for unmount sdcardfs and stop services which are using data partition
allow factory ctl_emdlogger1_prop:property_service set;
# Date: WK17.07
# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs
allow factory tmpfs:filesystem unmount;
allow factory sysfs:dir { read open };
allow factory sysfs_leds:dir search;
allow factory sysfs_leds:lnk_file read;
allow factory sysfs_leds:file rw_file_perms;
allow factory sysfs_leds:dir r_dir_perms;
allow factory sysfs_power:file rw_file_perms;
allow factory sysfs_power:dir r_dir_perms;
allow factory self:capability2 {block_suspend};
allow factory sysfs_vibrator:file {open read write};
allow factory ion_device:chr_file { read open ioctl };
allow factory debugfs_ion:dir search;
# Date: WK17.27
# Purpose: STMicro NFC solution integration
allow factory st21nfc_device:chr_file { open read getattr write ioctl };
set_prop(factory,hwservicemanager_prop);
hwbinder_use(factory);
hal_client_domain(factory, hal_nfc);
# Date : WK17.32
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow factory mtk_cmdq_device:chr_file { read ioctl open };
allow factory mtk_mdp_device:chr_file rw_file_perms;
allow factory sw_sync_device:chr_file rw_file_perms;
# Date: WK1733
# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
set_prop(factory,ctl_ccci_fsd_prop);
# Date : WK17.38
# Operation : O Migration
# Purpose: Allow to access sysfs
allow factory sysfs_therm:dir search;
allow factory sysfs_therm:file {open read write};
#Date: W18.22
# Purpose: P Migration for factory get com port type and uart port info
# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
#avc: denied { read } for pid=203 comm="factory" name="meta_com_type_info" dev=
#"sysfs" ino=11073 scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow factory sysfs_comport_type:file rw_file_perms;
allow factory sysfs_uart_info:file rw_file_perms;
# from private
allow factory property_socket:sock_file write;
allow factory init:unix_stream_socket connectto;
allow factory kernel:system module_request;
allow factory node:tcp_socket node_bind;
allow factory userdata_block_device:blk_file rw_file_perms;
allow factory port:tcp_socket { name_bind name_connect };
allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin };
allow factory sdcard_type:dir r_dir_perms;
allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
allow factory proc_net:file { read getattr open };
allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};
allow factory self:process execmem;
allow factory self:tcp_socket create_stream_socket_perms;
allow factory self:udp_socket create_socket_perms;
allow factory sysfs_wake_lock:file rw_file_perms;
#allow factory system_file:file x_file_perms;
# For Light HIDL permission
hal_client_domain(factory, hal_light);
allow factory hal_light_hwservice:hwservice_manager find;
allow factory mtk_hal_light:binder call;
allow factory merged_hal_service:binder call;
# For vibrator test permission
allow factory sysfs_vibrator:file rw_file_perms;
allow factory sysfs_vibrator:dir search;
# For Audio device permission
allow factory proc_asound:dir { read search open };
allow factory proc_asound:file { read open getattr write };
allow factory audiohal_prop:property_service set;
# For Accdet data permission
allow factory sysfs_headset:file { read open };
# For touch auto test
allow factory sysfs_tpd_setting:dir search;
allow factory sysfs_tpd_setting:file { read getattr open };
# Date : WK18.23
# Operation: P migration
# Purpose : Allow factory to unmount partition, stop service, and then erase partition
allow factory vendor_shell_exec:file { read execute open execute_no_trans };
allow factory vendor_toolbox_exec:file { execute_no_trans };
allow factory labeledfs:filesystem { unmount };
allow factory proc_cmdline:file { read open getattr };
allow factory factory:capability { sys_boot sys_admin};
allow factory sysfs_dt_firmware_android:file { read open getattr };
allow factory sysfs_dt_firmware_android:dir { read open search };
# Purpose : Allow factory to communicate with driver thru socket
allow factory factory:capability { sys_module net_admin net_raw };
# For power_supply and switch permission
r_dir_file(factory, sysfs_batteryinfo)
r_dir_file(factory, sysfs_switch)
# Date : WK18.27
# Operation: P migration
# Purpose : Allow factory to save test report to /data/vendor
allow factory vendor_data_file:dir { add_name read write};
allow factory vendor_data_file:file { create read write open };
# Date : WK18.31
# Operation: P migration
# Purpose : Refine policy
allow factory sysfs_devices_block:dir { search };
allow factory sysfs_devices_block:file { read getattr open };
# Date : WK18.37
# Operation: P migration
# Purpose : ADSP SmartPA calibration
allow factory vendor_file:file execute_no_trans;
allow factory mtk_audiohal_data_file:dir create_dir_perms;
allow factory mtk_audiohal_data_file:file { write create unlink r_file_perms };
#Date : WK18.37
# Operation: P migration
# Purpose : Allow factory to open /proc/version
allow factory proc_version:file {read open getattr};
# Purpose : adsp
allow factory adsp_device:chr_file rw_file_perms;
# Purpose : NFC
allow factory vendor_nfc_socket:dir { write add_name remove_name search };
allow factory vendor_nfc_socket:sock_file { create write unlink setattr };
# Allow to get AOSP property persist.radio.multisim.config
get_prop(factory, exported3_radio_prop)
# Date : WK19.38
# Operation : Q Migration
# Purpose: Allow clear eMMC
set_prop(factory, ctl_mdlogger_prop);
# Date : WK19.41
# Operation : Q Migration
# Purpose: allow system_server to access rt5509 param and calib node
allow factory sysfs_rt_param:file rw_file_perms;
allow factory sysfs_rt_calib:file rw_file_perms;
allow factory sysfs_rt_param:dir r_dir_perms;
allow factory sysfs_rt_calib:dir r_dir_perms;
|
