path: root/non_plat/system_server.te
blob: 16be4fe3a363e2037c59ec56c4e4d12a814e1d18 (plain)
# ==============================================
# MTK Policy Rule
# ==============================================
# Vendor additions to the system_server domain. Each allow rule below adds
# permissions to system_server, so every rule should carry a recorded reason
# and grant the narrowest permission set that works.

# Access devices.
# Character-device nodes system_server may open directly. The *_file_perms
# names are permission-set macros that are not defined in this file.
allow system_server touch_device:chr_file rw_file_perms;
allow system_server stpant_device:chr_file rw_file_perms;
allow system_server devmap_device:chr_file r_file_perms;
allow system_server irtx_device:chr_file rw_file_perms;
# NOTE(review): the type name suggests the emulator pipe device; confirm this
# node exists on physical targets, otherwise the rule is unnecessary surface.
allow system_server qemu_pipe_device:chr_file rw_file_perms;
# Write-only access (w_file_perms), unlike the read/write grants above.
allow system_server wmtWifi_device:chr_file w_file_perms;

# Add for bootprof
allow system_server proc_bootprof:file rw_file_perms;

# /data/core access.
# Directory read only; no rule on files of this type is visible in this file.
allow system_server aee_core_data_file:dir r_dir_perms;

# /sys/kernel/debug/ion/clients access
# NOTE(review): the target is the generic `debugfs` type, not a type specific
# to the ion directory, so this lets system_server list any directory carrying
# the generic label. A dedicated type for the ion path would be narrower.
allow system_server debugfs:dir r_dir_perms;

# Perform Binder IPC.
# NOTE(review): only `impersonate` is granted here (not `call` or `transfer`);
# the heading does not say why system_server must act on zygote's behalf.
# Confirm this is still required.
allow system_server zygote:binder impersonate;

# Property service.
# Lets system_server set properties labelled ctl_bootanim_prop.
allow system_server ctl_bootanim_prop:property_service set;

# For dumpsys.
# Write-only access to the AEE dumpsys / exception data files.
allow system_server aee_dumpsys_data_file:file w_file_perms;
allow system_server aee_exp_data_file:file w_file_perms;

# Dump native process backtrace.
# Disabled rule: it would grant read on every exec_type file. Keep it commented
# out unless a narrower target type can be named.
#allow system_server exec_type:file r_file_perms;

# Querying zygote socket.
# Attribute queries only (getopt, getattr); no connect or write is granted.
allow system_server zygote:unix_stream_socket { getopt getattr };

# Communicate over a socket created by mnld process.
# (No rule follows this heading in this file.)

# Allow system_server to read /sys/kernel/debug/wakeup_sources
# A second rule on the same type, with a subset of these permissions, appears
# further down under "Add for A/B system".
allow system_server debugfs_wakeup_sources:file r_file_perms;

# Allow system_server to read/write /sys/power/dcm_state
allow system_server sysfs_dcm:file rw_file_perms;

# Date : WK16.36
# Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW
# NOTE(review): the grant is on the whole log_tag_prop type, so it covers every
# property carrying that label, not only log.tag.WifiHW.
allow system_server log_tag_prop:property_service set;

# Date : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
# Read/write on pipes (fifo_file) owned by the surfaceflinger domain.
allow system_server surfaceflinger:fifo_file rw_file_perms;

# Date : W16.42
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
# Directory traversal only (search); no file access is granted by these rules.
allow system_server gpu_device:dir search;
allow system_server debugfs_gpu_img:dir search;

# Date : W16.43
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
# Explicit permission list rather than a *_file_perms macro.
allow system_server sw_sync_device:chr_file { read write getattr open ioctl };

# Date : WK16.44
# Purpose: Allow to access UART1 ttyMT1
# NOTE(review): read/write on a UART from system_server; the consumer is not
# recorded. Confirm which feature needs it and whether the same port carries
# a console or modem channel.
allow system_server ttyMT_device:chr_file rw_file_perms;

# Date : WK17.52
# Purpose: Allow to access UART1 ttyS
# NOTE(review): same concern as the ttyMT rule above.
allow system_server ttyS_device:chr_file rw_file_perms;

# Date:W16.46
# Operation : thermal hal Feature developing
# Purpose : thermal hal interface permission
# Traverse the proc_mtktz directory and read files of that type.
allow system_server proc_mtktz:dir search;
allow system_server proc_mtktz:file r_file_perms;

# Date:W17.02
# Operation : audio hal developing
# Purpose : audio hal interface permission
# Lets system_server query and change scheduling of mtk_hal_audio processes.
allow system_server mtk_hal_audio:process { getsched setsched };

# Date:W17.07
# Operation : bt hal
# Purpose : bt hal interface permission
binder_call(system_server, mtk_hal_bluetooth)

# Date:W17.08
# Operation : sensors hal developing
# Purpose : sensors hal interface permission
binder_call(system_server, mtk_hal_sensors)

# Operation : light hal developing
# Purpose : light hal interface permission
binder_call(system_server, mtk_hal_light)

# Date:W17.21
# Operation : gnss hal
# Purpose : gnss hal interface permission
hal_client_domain(system_server, hal_gnss)

# Date : W18.01
# Added for turning on SELinux enforcing mode
# NOTE(review): a file permission macro (r_file_perms) is applied to the `dir`
# class here; other directory rules in this file use r_dir_perms or `search`.
# This looks unintended — confirm whether r_dir_perms was meant.
allow system_server vendor_framework_file:dir r_file_perms;

# Fix bootup violation
allow system_server vendor_framework_file:file getattr;
# Direct file permissions on a property type; elsewhere this file uses the
# get_prop() macro for property reads.
allow system_server wifi_prop:file { read getattr open };

# Date:W17.22
# Operation : add aee_aed socket rule
# Purpose : type=1400 audit(0.0:134519): avc: denied { connectto }
#           for comm=4572726F722064756D703A20737973
#           path=00636F6D2E6D746B2E6165652E6165645F3634
#           scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0
#           tclass=unix_stream_socket permissive=0
# The hex fields decode as ASCII: comm = "Error dump: sys" and
# path = "\0com.mtk.aee.aed_64"; the leading NUL byte indicates an
# abstract-namespace socket.
allow system_server aee_aed:unix_stream_socket connectto;

#Date: 2017/02/14
#Purpose: allow get telephony Sensitive property
# NOTE(review): the type is named "sensitive"; confirm system_server is an
# intended reader and which properties carry this label.
get_prop(system_server, mtk_telephony_sensitive_prop)

# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
# These permissions are a subset of the r_file_perms grant on the same type
# earlier in this file, so this rule is likely redundant — confirm.
allow system_server debugfs_wakeup_sources:file { read getattr open };

# Date:W17.26
# Operation : imsa hal
# Purpose : imsa hal interface permission
binder_call(system_server, mtk_hal_imsa)

# Date:W17.28
# Operation : camera hal developing
# Purpose : camera hal binder_call permission
binder_call(system_server, mtk_hal_camera)

# Date:W17.31
# Operation : mpe sensor hidl developing
# Purpose : mpe sensor hidl permission
# The rule targets the mnld domain.
binder_call(system_server, mnld)

# Date : WK17.32
# Operation : Migration
# Purpose : for network log dumpsys setting/netd information
#           audit(0.0:914): avc: denied { write } for path="pipe:[46088]"
#           dev="pipefs" ino=46088 scontext=u:r:system_server:s0
#           tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1
# The quoted denial was logged with permissive=1. Only `write` on netdiag's
# pipes is granted.
allow system_server netdiag:fifo_file write;

# Date : WK17.32
# Operation : Migration
# Purpose : for DHCP Client ip recover functionality
# NOTE(review): the `search` rule is presumably already covered by the
# rw_dir_perms rule on the next line — confirm and drop if so.
allow system_server dhcp_data_file:dir search;
allow system_server dhcp_data_file:dir rw_dir_perms;
# create_file_perms lets system_server create and modify files of this type,
# not just read them.
allow system_server dhcp_data_file:file create_file_perms;

# Date:W17.35
# Operation : lbs hal
# Purpose : lbs hidl interface permission
hal_client_domain(system_server, mtk_hal_lbs)

# Date : WK17.12
# Operation : MT6799 SQC
# Purpose : Change thermal config
# NOTE(review): the stated purpose is "change", but only read-side file
# permissions are granted and no property_service set rule for this type is
# visible in this file.
allow system_server mtk_thermal_config_prop:file { getattr open read };


# Date : WK17.43
# Operation : Migration
# Purpose : perfmgr permission
# Find the power HAL hwservice and open the perfmgr proc node.
allow system_server mtk_hal_power_hwservice:hwservice_manager find;
allow system_server proc_perfmgr:dir {read search};
allow system_server proc_perfmgr:file {open read ioctl};
# The extended-permission rule limits the ioctl grant above to the listed
# commands. The PERFMGR_* names are not defined in this file.
allowxperm system_server proc_perfmgr:file ioctl {
  PERFMGR_FPSGO_QUEUE
  PERFMGR_FPSGO_DEQUEUE
  PERFMGR_FPSGO_QUEUE_CONNECT
  PERFMGR_FPSGO_BQID
};

# Date : W18.22
# Operation : MTK wifi hal migration
# Purpose : MTK wifi hal interface permission
binder_call(system_server, mtk_hal_wifi)

# Date : WK18.33
# Purpose : type=1400 audit(0.0:1592): avc: denied { read }
#           for comm=4572726F722064756D703A20646174 name=
#           "u:object_r:persist_mtk_aee_prop:s0" dev="tmpfs"
#           ino=10312 scontext=u:r:system_server:s0 tcontext=
#           u:object_r:persist_mtk_aee_prop:s0 tclass=file permissive=0
# The hex comm field decodes as ASCII "Error dump: dat".
# NOTE(review): this is the only get_prop() call in the file followed by ';';
# the extra semicolon looks unintended — confirm.
get_prop(system_server, persist_mtk_aee_prop);

# Date : W19.15
# Operation : alarm device permission
# Purpose : support power-off alarm
allow system_server alarm_device:chr_file rw_file_perms;

# Date : WK19.7
# Operation: Q migration
# Purpose : Allow system_server to use ioctl/ioctlcmd
# Read/write on proc_ged, with ioctl commands limited by the allowxperm rule
# to the proc_ged_ioctls set (not defined in this file).
allow system_server proc_ged:file rw_file_perms;
allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };

# Date: 2019/06/14
# Operation : Migration
# NOTE(review): no purpose is recorded. The type name suggests a catch-all
# label for vendor properties; a more specific property type would be a
# narrower grant — confirm what is actually read.
get_prop(system_server, vendor_default_prop)

# Date: 2019/06/14
# Operation : when WFD turning on, turn off hdmi
# Uses a bare `binder call` rule rather than the binder_call() macro used for
# the other HALs in this file.
allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find;
allow system_server mtk_hal_hdmi:binder call;

# The rules from here on are tagged "Q Migration" and, with one exception,
# record no purpose. NOTE(review): each should be traced to the denial that
# prompted it and to the feature that needs it before being kept.

#Date:2019/10/08
#Operation:Q Migration
allow system_server proc_battery_cmd:dir search;

#Date:2019/10/09
#Operation:Q Migration
get_prop(system_server, debug_mtk_aee_prop)

#Date:2019/10/09
#Operation:Q Migration
get_prop(system_server, debug_bq_dump_prop)
get_prop(system_server, mtk_telecom_vibrate)
# getattr only: the files can be stat'ed but not opened or read.
allow system_server proc_cmdq_debug:file getattr;
allow system_server proc_freqhop:file getattr;
# NOTE(review): the type name suggests the previous boot's kernel log; kernel
# logs can expose addresses and other sensitive detail. Confirm the reader.
allow system_server proc_last_kmsg:file r_file_perms;
# Directory traversal only (search) for the following /proc subtrees.
allow system_server proc_cm_mgr:dir search;
allow system_server proc_isp_p2:dir search;
allow system_server proc_thermal:dir search;
allow system_server proc_atf_log:dir search;
allow system_server proc_cpufreq:dir search;
allow system_server proc_mtkcooler:dir search;
allow system_server proc_ppm:dir search;

# Date : 2019/10/11
# Operation : Q Migration
allow system_server proc_wlan_status:file getattr;

# Date : 2019/10/11
# Operation : Q Migration
# Read-only access to the four sysfs_pages_* types.
allow system_server sysfs_pages_shared:file r_file_perms;
allow system_server sysfs_pages_sharing:file r_file_perms;
allow system_server sysfs_pages_unshared:file r_file_perms;
allow system_server sysfs_pages_volatile:file r_file_perms;

# Date:2019/10/14
# Operation: Q Migration
# Purpose : power_hal_mgr_service may use libmtkperf_client
allow system_server sysfs_boot_mode:file r_file_perms;

# Date : 2019/10/22
# Operation : Q Migration
# NOTE(review): sys_module is the capability to load and unload kernel
# modules, which amounts to running code in the kernel. No purpose is
# recorded. If the rule only exists to silence a denial seen during
# migration, `dontaudit` would remove the log noise without granting the
# capability. Also verify the rule against the platform's neverallow checks.
allow system_server self:capability sys_module;

# Date : 2019/10/22
# Operation : Q Migration
# dontaudit grants nothing; it only suppresses the audit log entry. The
# denials stay in force but will no longer be visible when triaging logs.
dontaudit system_server sdcardfs:file r_file_perms;

# Date : 2019/10/26
# Operation : Q Migration
# Lets system_server send SIGKILL to mtk_hal_camera processes.
allow system_server mtk_hal_camera:process sigkill;
# NOTE(review): syslog_read gives read access to the kernel log buffer, which
# can disclose kernel addresses and driver state. Confirm which system_server
# component needs it.
allow system_server kernel:system syslog_read;

# Date : 2019/10/30
# Operation : Q Migration
allow system_server proc_chip:dir search;
# Lets system_server change the scheduling policy/priority of zygote.
allow system_server zygote:process setsched;

# Date : 2019/11/21
# Operation : Q Migration
# NOTE(review): only `rmdir` is granted on this directory type; removing a
# directory normally needs further permissions on it and its parent, so this
# rule may be incomplete or a leftover — confirm.
allow system_server sf_rtt_file:dir rmdir;

# Date : 2019/11/29
# Operation : Q Migration
allow system_server storage_stub_file:dir getattr;