blob: 2bf37add886188785d6969f7d611ed6ca77fd1db (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
# ==============================================
# Policy File of /system/bin/aee_aed Executable File
# ==============================================
# Type Declaration
# ==============================================
type aee_aed_exec, exec_type, file_type;
typeattribute aee_aed coredomain;
typeattribute aee_aed mlstrustedsubject;
init_daemon_domain(aee_aed)
# ==============================================
# MTK Policy Rule
# ==============================================
# AED start: /dev/block/expdb
allow aee_aed block_device:dir search;
# aee db dir and db files
allow aee_aed sdcard_type:dir create_dir_perms;
allow aee_aed sdcard_type:file create_file_perms;
#data/anr
allow aee_aed anr_data_file:dir create_dir_perms;
allow aee_aed anr_data_file:file create_file_perms;
allow aee_aed domain:process { sigkill getattr getsched signal };
allow aee_aed domain:lnk_file getattr;
#core-pattern
allow aee_aed usermodehelper:file r_file_perms;
#suid_dumpable. this is neverallow
# allow aee_aed proc_security:file r_file_perms;
#property
allow aee_aed init:unix_stream_socket connectto;
allow aee_aed property_socket:sock_file write;
#allow aee_aed call binaries labeled "system_file" under /system/bin/
allow aee_aed system_file:file execute_no_trans;
allow aee_aed init:process getsched;
allow aee_aed kernel:process getsched;
# Date: W15.34
# Operation: Migration
# Purpose: For pagemap & pageflags information in NE DB
userdebug_or_eng(`allow aee_aed self:capability sys_admin;')
# Date: W16.17
# Operation: N0 Migeration
# Purpose: creat dir "aee_exp" under /data
allow aee_aed system_data_file:dir { write create add_name };
allow aee_aed system_data_file:file r_file_perms;
# Purpose: allow aee_aed to access toolbox
allow aee_aed toolbox_exec:file rx_file_perms;
# purpose: allow aee_aed to access storage on N version
allow aee_aed media_rw_data_file:file { create_file_perms };
allow aee_aed media_rw_data_file:dir { create_dir_perms };
# Purpose: mnt/user/*
allow aee_aed mnt_user_file:dir search;
allow aee_aed mnt_user_file:lnk_file read;
allow aee_aed storage_file:dir search;
allow aee_aed storage_file:lnk_file read;
# Date : WK17.09
# Operation : AEE UT for Android O
# Purpose : for AEE module to dump files
domain_auto_trans(aee_aed, dumpstate_exec, dumpstate)
# Purpose : aee_aed communicate with aee_core_forwarder
# allow aee_aed aee_core_forwarder:dir search;
# allow aee_aed aee_core_forwarder:file { read getattr open };
userdebug_or_eng(`
allow aee_aed su:dir {search read open };
allow aee_aed su:file { read getattr open };
')
# /data/tombstone
allow aee_aed tombstone_data_file:dir w_dir_perms;
allow aee_aed tombstone_data_file:file create_file_perms;
# /proc/pid/
allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
# system(cmd) aee_dumpstate aee_archive
allow aee_aed shell_exec:file rx_file_perms;
# PROCESS_FILE_STATE
allow aee_aed dumpstate:unix_stream_socket { read write ioctl };
allow aee_aed dumpstate:dir search;
allow aee_aed dumpstate:file r_file_perms;
allow aee_aed logdr_socket:sock_file write;
allow aee_aed logd:unix_stream_socket connectto;
# allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule
# vibrator
allow aee_aed sysfs_vibrator:file w_file_perms;
# Data : 2017/03/22
# Operation : add NE flow rule for Android O
# Purpose : make aee_aed can get specific process NE info
allow aee_aed domain:dir r_dir_perms;
allow aee_aed domain:{ file lnk_file } r_file_perms;
allow aee_aed {
domain
-logd
-keystore
-init
}:process ptrace;
allow aee_aed dalvikcache_data_file:dir r_dir_perms;
allow aee_aed zygote_exec:file r_file_perms;
allow aee_aed init_exec:file r_file_perms;
# Data : 2017/04/06
# Operation : add selinux rule for crash_dump notify aee_aed
# Purpose : make aee_aed can get notify from crash_dump
allow aee_aed crash_dump:dir search;
allow aee_aed crash_dump:file r_file_perms;
# Purpose : allow aee_aed to read /proc/version
allow aee_aed proc_version:file { read open };
# Purpose : allow aee_aed self to sys_nice/chown/kill
allow aee_aed self:capability { sys_nice chown fowner kill };
# Purpose: Allow aee_aed to write /sys/kernel/debug/tracing/snapshot
userdebug_or_eng(`allow aee_aed debugfs_tracing_debug:file { write open };')
# Purpose: Allow aee_aed self to sys_ptrace/dac_override/dac_read_search
userdebug_or_eng(`
allow aee_aed self:capability { sys_ptrace dac_override dac_read_search };
')
# Purpose: Allow aee_aed to read/write /sys/kernel/debug/tracing/tracing_on
userdebug_or_eng(` allow aee_aed debugfs_tracing:file { r_file_perms write };')
|
