1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
|
# ==============================================
# Policy File of /vendor/bin/aee_aedv Executable File
# ==============================================
# MTK Policy Rule
# ==============================================
type aee_aedv, domain;
type aee_aedv_exec, exec_type, file_type, vendor_file_type;
typeattribute aee_aedv mlstrustedsubject;
init_daemon_domain(aee_aedv)
# Date : WK14.32
# Operation : AEE UT
# Purpose : for AEE module
allow aee_aedv aed_device:chr_file rw_file_perms;
allow aee_aedv expdb_device:chr_file rw_file_perms;
allow aee_aedv expdb_block_device:blk_file rw_file_perms;
allow aee_aedv bootdevice_block_device:blk_file rw_file_perms;
allow aee_aedv etb_device:chr_file rw_file_perms;
# AED start: /dev/block/expdb
allow aee_aedv block_device:dir search;
# NE flow: /dev/RT_Monitor
allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
#data/aee_exp
allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
allow aee_aedv aee_exp_vendor_file:file create_file_perms;
#data/dumpsys
allow aee_aedv aee_dumpsys_vendor_file:dir create_dir_perms;
allow aee_aedv aee_dumpsys_vendor_file:file create_file_perms;
#/data/core
allow aee_aedv aee_core_vendor_file:dir create_dir_perms;
allow aee_aedv aee_core_vendor_file:file create_file_perms;
# /data/data_tmpfs_log
allow aee_aedv vendor_tmpfs_log_file:dir create_dir_perms;
allow aee_aedv vendor_tmpfs_log_file:file create_file_perms;
allow aee_aedv domain:process { sigkill getattr getsched};
allow aee_aedv domain:lnk_file getattr;
#core-pattern
allow aee_aedv usermodehelper:file r_file_perms;
# Date: W15.34
# Operation: Migration
# Purpose: For pagemap & pageflags information in NE DB
userdebug_or_eng(`allow aee_aedv self:capability sys_admin;')
# Purpose: aee_aedv set property
set_prop(aee_aedv, persist_mtk_aeev_prop);
set_prop(aee_aedv, persist_aeev_prop);
set_prop(aee_aedv, debug_mtk_aeev_prop);
# Purpose: mnt/user/*
allow aee_aedv mnt_user_file:dir search;
allow aee_aedv mnt_user_file:lnk_file read;
allow aee_aedv storage_file:dir search;
allow aee_aedv storage_file:lnk_file read;
userdebug_or_eng(`
allow aee_aedv su:dir {search read open };
allow aee_aedv su:file { read getattr open };
')
# /proc/pid/
allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};
# PROCESS_FILE_STATE
allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
allow aee_aedv dumpstate:dir search;
allow aee_aedv dumpstate:file r_file_perms;
allow aee_aedv logdr_socket:sock_file write;
allow aee_aedv logd:unix_stream_socket connectto;
# vibrator
allow aee_aedv sysfs_vibrator:file w_file_perms;
# /proc/lk_env
allow aee_aedv proc_lk_env:file rw_file_perms;
# Data : 2017/03/22
# Operation : add NE flow rule for Android O
# Purpose : make aee_aedv can get specific process NE info
allow aee_aedv domain:dir r_dir_perms;
allow aee_aedv domain:{ file lnk_file } r_file_perms;
#allow aee_aedv {
# domain
# -logd
# -keystore
# -init
#}:process ptrace;
#allow aee_aedv zygote_exec:file r_file_perms;
#allow aee_aedv init_exec:file r_file_perms;
# Data : 2017/04/06
# Operation : add selinux rule for crash_dump notify aee_aedv
# Purpose : make aee_aedv can get notify from crash_dump
allow aee_aedv crash_dump:dir search;
allow aee_aedv crash_dump:file r_file_perms;
# Date : 20170512
# Operation : fix aee_archive can't execute issue
# Purpose : type=1400 audit(0.0:97916): avc: denied { execute_no_trans } for
# path="/system/vendor/bin/aee_archive" dev="mmcblk0p26" ino=2355
# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:vendor_file:s0
# tclass=file permissive=0
allow aee_aedv vendor_file:file execute_no_trans;
# Purpose: debugfs files
# allow aee_aedv debugfs:lnk_file read;
allow aee_aedv debugfs_binder:dir { read open };
allow aee_aedv debugfs_binder:file { read open };
allow aee_aedv debugfs_blockio:file { read open };
allow aee_aedv debugfs_fb:dir search;
allow aee_aedv debugfs_fb:file { read open };
allow aee_aedv debugfs_fuseio:dir search;
allow aee_aedv debugfs_fuseio:file { read open };
allow aee_aedv debugfs_ged:dir search;
allow aee_aedv debugfs_ged:file { read open };
allow aee_aedv debugfs_rcu:dir search;
allow aee_aedv debugfs_shrinker_debug:file { read open };
allow aee_aedv debugfs_wakeup_sources:file { read open };
allow aee_aedv debugfs_dmlog_debug:file { read open };
allow aee_aedv debugfs_page_owner_slim_debug:file { read open };
allow aee_aedv debugfs_ion_mm_heap:dir search;
allow aee_aedv debugfs_ion_mm_heap:file r_file_perms;
allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
allow aee_aedv debugfs_cpuhvfs:dir search;
allow aee_aedv debugfs_cpuhvfs:file { read open };
allow aee_aedv debugfs_emi_mbw_buf:file { read open };
allow aee_aedv debugfs_vpu_device_dbg:file { read open };
# Purpose:
# 01-01 00:02:46.390 3315 3315 W aee_dumpstatev: type=1400 audit(0.0:4728):
# avc: denied { read } for name="interrupts" dev="proc" ino=4026533608 scontext=
# u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file permissive=0
allow aee_aedv proc_interrupts:file read;
# Purpose:
# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# tracing_shell_writable:s0 tclass=file permissive=1
allow aee_aedv debugfs_tracing:file rw_file_perms;
# Purpose:
# 01-01 00:05:16.730 3566 3566 W dmesg : type=1400 audit(0.0:5173): avc:
# denied { read } for name="kmsg" dev="tmpfs" ino=12292 scontext=u:r:aee_aedv:
# s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
allow aee_aedv kmsg_device:chr_file read;
# Purpose:
# 01-01 00:05:17.720 3567 3567 W ps : type=1400 audit(0.0:5192): avc:
# denied { getattr } for path="/proc/3421" dev="proc" ino=78975 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv platform_app:dir r_dir_perms;
allow aee_aedv platform_app:file r_file_perms;
# Purpose:
# 01-01 00:05:17.750 3567 3567 W ps : type=1400 audit(0.0:5193): avc:
# denied { getattr } for path="/proc/3461" dev="proc" ino=11013 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv untrusted_app_25:dir getattr;
# Purpose:
# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5179): avc:
# denied { getattr } for path="/proc/2712" dev="proc" ino=65757 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv untrusted_app:dir getattr;
# Purpose:
# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5180): avc:
# denied { getattr } for path="/proc/2747" dev="proc" ino=66659 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv priv_app:dir getattr;
# Purpose:
# 01-01 00:05:16.270 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5153):
# avc: denied { open } for path="/proc/interrupts" dev="proc" ino=4026533608
# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file
# permissive=0
allow aee_aedv proc_interrupts:file r_file_perms;
# Purpose:
# 01-01 00:05:16.620 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5171):
# avc: denied { read } for name="route" dev="proc" ino=4026533633 scontext=u:r:
# aee_aedv:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
allow aee_aedv proc_net:file read;
# Purpose:
# 01-01 00:05:16.610 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5168):
# avc: denied { read } for name="zoneinfo" dev="proc" ino=4026533664 scontext=
# u:r:aee_aedv:s0 tcontext=u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
allow aee_aedv proc_zoneinfo:file read;
# Purpose:
# 01-01 00:05:17.840 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5200):
# avc: denied { search } for name="leds" dev="sysfs" ino=6217 scontext=u:r:
# aee_aedv:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
allow aee_aedv sysfs_leds:dir search;
allow aee_aedv sysfs_leds:file r_file_perms;
# Purpose:
# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5592): avc: denied
# { search } for name="ccci" dev="sysfs" ino=6026 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
# sysfs_ccci:s0 tclass=dir permissive=1
# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5593): avc: denied { read }
# for name="md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:sysfs_ccci:s0
# tclass=file permissive=1
# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5594): avc: denied { open }
# for path="/sys/kernel/ccci/md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:
# object_r:sysfs_ccci:s0 tclass=file permissive=1
allow aee_aedv sysfs_ccci:dir search;
allow aee_aedv sysfs_ccci:file r_file_perms;
# Purpose:
# 01-01 00:03:44.330 3658 3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied
# { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r:
# aee_aedv:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
allow aee_aedv vendor_toolbox_exec:file rx_file_perms;
# Purpose:
# 01-01 00:12:06.320000 4145 4145 W dmesg : type=1400 audit(0.0:826): avc: denied { open } for
# path="/dev/kmsg" dev="tmpfs" ino=10875 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:kmsg_device:
# s0 tclass=chr_file permissive=0
# 01-01 00:42:33.070000 4171 4171 W dmesg : type=1400 audit(0.0:1343): avc: denied
# { syslog_read } for scontext=u:r:aee_aedv:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
allow aee_aedv kmsg_device:chr_file r_file_perms;
allow aee_aedv kernel:system syslog_read;
# Purpose:
# 01-01 00:12:37.890000 4162 4162 W aee_dumpstatev: type=1400 audit(0.0:914): avc: denied
# { read } for name="meminfo" dev="proc" ino=4026533612 scontext=u:r:aee_aedv:s0 tcontext=u:
# object_r:proc_meminfo:s0 tclass=file permissive=0
allow aee_aedv proc_meminfo:file r_file_perms;
# Purpose:
# 01-01 00:08:39.900000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:371): avc: denied
# { open } for path="/proc/3833/net/route" dev="proc" ino=4026533632 scontext=u:r:aee_aedv:s0
# tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
allow aee_aedv proc_net:file r_file_perms;
# Purpose:
# 01-01 00:08:39.880000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:370): avc: denied
# { open } for path="/proc/zoneinfo" dev="proc" ino=4026533663 scontext=u:r:aee_aedv:s0 tcontext=
# u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
allow aee_aedv proc_zoneinfo:file r_file_perms;
# Purpose:
# 01-01 00:33:27.750000 338 338 W aee_aedv: type=1400 audit(0.0:98): avc: denied { read }
# for name="fstab.mt6755" dev="rootfs" ino=1082 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
# rootfs:s0 tclass=file permissive=0
allow aee_aedv rootfs:file r_file_perms;
# Purpose:
# 01-01 00:33:28.340000 338 338 W aee_aedv: type=1400 audit(0.0:104): avc: denied { search }
# for name="dynamic_debug" dev="debugfs" ino=8182 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
# debugfs_dynamic_debug:s0 tclass=dir permissive=0
allow aee_aedv debugfs_dynamic_debug:dir search;
allow aee_aedv debugfs_dynamic_debug:file r_file_perms;
# Purpose:
# [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
# for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms;
# Purpose: Allow aee_aedv to use HwBinder IPC.
hwbinder_use(aee_aedv)
get_prop(aee_aedv, hwservicemanager_prop)
# Purpose: Allow aee_aedv access to vendor/bin/mtkcam-debug, which in turn invokes ICameraProvider
# - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956
# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
# - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED)
hal_client_domain(aee_aedv, hal_camera)
allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
binder_call(aee_aedv, mtk_hal_camera)
# Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status
allow aee_aedv selinuxfs:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/pid/exe
#allow aee_aedv exec_type:file r_file_perms;
# Purpose: mrdump db flow and pre-allocation
# mrdump db flow
allow aee_aedv sysfs_dt_firmware_android:dir search;
allow aee_aedv sysfs_dt_firmware_android:file r_file_perms;
allow aee_aedv kernel:system module_request;
allow aee_aedv metadata_file:dir search;
# pre-allocation
allow aee_aedv self:capability linux_immutable;
allow aee_aedv userdata_block_device:blk_file { read write open };
allow aee_aedv para_block_device:blk_file rw_file_perms;
allow aee_aedv mrdump_device:blk_file rw_file_perms;
allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl {
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
F2FS_IOC_GET_PIN_FILE
F2FS_IOC_SET_PIN_FILE
FS_IOC_FIEMAP
};
# Purpose: allow vendor aee read lowmemorykiller logs
# file path: /sys/module/lowmemorykiller/parameters/
allow aee_aedv sysfs_lowmemorykiller:dir search;
allow aee_aedv sysfs_lowmemorykiller:file r_file_perms;
# Purpose: Allow aee read /sys/class/misc/scp/scp_dump
allow aee_aedv sysfs_scp:dir r_dir_perms;
allow aee_aedv sysfs_scp:file r_file_perms;
# Purpose: Allow aee read /sys/class/misc/adsp/adsp_dump
allow aee_aedv sysfs_adsp:dir r_dir_perms;
allow aee_aedv sysfs_adsp:file r_file_perms;
# Purpose: allow aee_aedv self to fsetid/sys_nice/chown/fowner/kill
allow aee_aedv self:capability { fsetid sys_nice chown fowner kill };
# Purpose: allow aee_aedv to read /proc/buddyinfo
allow aee_aedv proc_buddyinfo:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/cmdline
allow aee_aedv proc_cmdline:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/slabinfo
allow aee_aedv proc_slabinfo:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/stat
allow aee_aedv proc_stat:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/version
allow aee_aedv proc_version:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/vmallocinfo
allow aee_aedv proc_vmallocinfo:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/vmstat
allow aee_aedv proc_vmstat:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/cpu/alignment
allow aee_aedv proc_cpu_alignment:file w_file_perms;
# Purpose: Allow aee_aedv to read /proc/gpulog
allow aee_aedv proc_gpulog:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/chip/hw_ver
allow aee_aedv proc_chip:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/sched_debug
allow aee_aedv proc_sched_debug:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/atf_log
allow aee_aedv proc_atf_log:dir search;
# Purpose: Allow aee_aedv to read /proc/last_kmsg
allow aee_aedv proc_last_kmsg:file r_file_perms;
# Purpose: Allow aee_aedv to access /sys/devices/virtual/timed_output/vibrator/enable
allow aee_aedv sysfs_vibrator_setting:dir search;
allow aee_aedv sysfs_vibrator_setting:file w_file_perms;
allow aee_aedv sysfs_vibrator:dir search;
# Purpose: Allow aee_aedv to read /sys/kernel/debug/rcu/rcu_callback_log
allow aee_aedv debugfs_rcu:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/ufs_debug
allow aee_aedv proc_ufs_debug:file rw_file_perms;
# Purpose: Allow aee_aedv to read /proc/msdc_debug
allow aee_aedv proc_msdc_debug:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/pidmap
allow aee_aedv proc_pidmap:file r_file_perms;
# Purpose: Allow aee_aedv to read /sys/power/vcorefs/vcore_debug
allow aee_aedv sysfs_vcore_debug:file r_file_perms;
# Purpose: Allow aee_aedv to read /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
allow aee_aedv sysfs_boot_mode:file r_file_perms;
#Purpose: Allow aee_aedv to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
userdebug_or_eng(`
allow aee_aedv debugfs_tracing_debug:file { rw_file_perms };
')
#Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace
allow aee_aedv proc_slabtrace:file r_file_perms;
#Purpose: Allow aee_aedv to read /proc/mtk_cmdq_debug/status
allow aee_aedv proc_cmdq_debug:file r_file_perms;
# temp solution
get_prop(aee_aedv, vendor_default_prop)
#data/dipdebug
allow aee_aedv aee_dipdebug_vendor_file:dir r_dir_perms;
allow aee_aedv aee_dipdebug_vendor_file:file r_file_perms;
allow aee_aedv proc_isp_p2:dir r_dir_perms;
allow aee_aedv proc_isp_p2:file r_file_perms;
allow aee_aedv connsyslog_data_vendor_file:file r_file_perms;
allow aee_aedv connsyslog_data_vendor_file:dir r_dir_perms;
# Purpose: Allow aee_aedv to read the /proc/*/exe of vendor process
allow aee_aedv vendor_file_type:file r_file_perms;
# Purpose: Allow aee_aedv to read /sys/kernel/debug/smi_mon
allow aee_aedv debugfs_smi_mon:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/isp_p2/isp_p2_kedump
allow aee_aedv proc_isp_p2_kedump:file r_file_perms;
# Purpose: Allow aee_aedv to read /sys/kernel/debug/vpu/vpu_memory
allow aee_aedv debugfs_vpu_memory:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo
allow aee_aedv proc_dbg_repo:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/pl_lk
allow aee_aedv proc_pl_lk:file r_file_perms;
|
