161 lines
5.6 KiB
Plaintext
Executable File
161 lines
5.6 KiB
Plaintext
Executable File
# ==============================================
|
|
# MTK Policy Rule
|
|
# ==============================================
|
|
|
|
# permissive system_app;
|
|
|
|
|
|
# Date : 2014/07/31
|
|
# Stage: BaseUT
|
|
# Purpose :[CdsInfo][CdsInfo uses net shell commands to get network information and write WI-FI MAC address by NVRAM]
|
|
# Package Name: com.mediatek.connectivity
|
|
allow system_app nvram_agent_binder:binder call;
|
|
|
|
# Date: 2014/08/01
|
|
# Operation: BaseUT
|
|
# Purpose: [Settings][Settings used list views need velocity tracker access touch dev]
|
|
# Package: com.android.settings
|
|
allow system_app touch_device:chr_file { read ioctl open };
|
|
|
|
# Date: 2014/08/04
|
|
# Stage: BaseUT
|
|
# Purpose: [MTKThermalManager][View thermal zones and coolers, and change thermal policies]
|
|
# Package Name: com.mediatek.mtkthermalmanager
|
|
allow system_app apk_private_data_file:dir getattr;
|
|
allow system_app asec_image_file:dir getattr;
|
|
allow system_app dontpanic_data_file:dir getattr;
|
|
allow system_app drm_data_file:dir getattr;
|
|
allow system_app install_data_file:file getattr;
|
|
allow system_app lost_found_data_file:dir getattr;
|
|
allow system_app media_data_file:dir getattr;
|
|
allow system_app property_data_file:dir getattr;
|
|
allow system_app shell_data_file:dir search;
|
|
allow system_app thermal_manager_exec:file { read execute open execute_no_trans };
|
|
allow system_app proc_thermal:dir search;
|
|
allow system_app proc_thermal:file { read getattr open write };
|
|
allow system_app proc_mtkcooler:dir search;
|
|
allow system_app proc_mtkcooler:file { read getattr open write };
|
|
allow system_app proc_mtktz:dir search;
|
|
allow system_app proc_mtktz:file { read getattr open write };
|
|
allow system_app proc_slogger:file { read getattr open write };
|
|
|
|
# Date: 2014/08/21
|
|
# Stage: BaseUT
|
|
# Purpose: [AtciService][Atci Service will use atci_serv_fw_socket to connect to atci_service which in native layer]
|
|
# Package Name: com.mediatek.atci.service
|
|
allow system_app atci_serv_fw_socket:sock_file write;
|
|
allow system_app atci_service:unix_stream_socket connectto;
|
|
|
|
# Date: 2014/08/29
|
|
# Stage: BaseUT
|
|
# Purpose: [BatteryWarning][View update graphics]
|
|
# Package Name: com.mediatek.batterywarning
|
|
allow system_app guiext-server:binder { transfer call };
|
|
|
|
# Date: 2014/09/02
|
|
# Operation: BaseUT
|
|
# Purpose: [HotKnot][HotKnot service will use hoknot device node]
|
|
# Package: com.mediatek.hotknot.service
|
|
allow system_app hotknot_device:chr_file { read write ioctl open };
|
|
|
|
# Date: 2014/09/02
|
|
# Operation: BaseUT
|
|
# Purpose: [HotKnot][HotKnot service will use devmap_device device node]
|
|
# Package: com.mediatek.hotknot.service
|
|
allow system_app devmap_device:chr_file { read ioctl open };
|
|
|
|
# Date: 2014/09/02
|
|
# Operation: BaseUT
|
|
# Purpose: [HotKnot][HotKnot service will use mtkfb device node]
|
|
# Package: com.mediatek.hotknot.service
|
|
allow system_app graphics_device:chr_file { read write ioctl open };
|
|
allow system_app graphics_device:dir search;
|
|
|
|
# Data : 2014/09/09
|
|
# Operation : Migration
|
|
# Purpose : [Privacy protection lock][com.mediatek.ppl need to bind ppl_agent service to read/write nvram file]
|
|
# Package name : com.mediatek.ppl
|
|
|
|
allow system_app ppl_agent:binder call;
|
|
|
|
# Date: 2014/10/7
|
|
# Operation: SQC
|
|
# Purpose: [sysoper][sysoper will create folder /cache/recovery]
|
|
# Package: com.mediatek.systemupdate.sysoper
|
|
allow system_app cache_file:dir { write create add_name };
|
|
allow system_app cache_file:file { write create open };
|
|
|
|
# Date : 2014/10/08
|
|
# Operation : BaseUT
|
|
# Purpose : [op01 agps setting][mtk_agpsd establishes the local socket as agpsd for all A-GPS
|
|
# application to do something with mtk_agpsd in system app]
|
|
# Package: com.mediatek.op01.plugin
|
|
unix_socket_connect(system_app, agpsd, mtk_agpsd);
|
|
|
|
# Date : 2014/10/28
|
|
# Operation: SQC
|
|
# Purpose : ALPS01761930
|
|
# Package: com.android.settings
|
|
allow system_app asec_apk_file:file r_file_perms;
|
|
|
|
# Date : WK14.46
|
|
# Operation : Migration
|
|
# Purpose : for MTK Emulator HW GPU
|
|
allow system_app qemu_pipe_device:chr_file rw_file_perms;
|
|
|
|
# Date : WK14.46
|
|
# Operation : Migration
|
|
# Package: org.simalliance.openmobileapi.service
|
|
# Purpose : ALPS01820916, for SmartcardService
|
|
allow system_app system_app_data_file:file execute;
|
|
|
|
# Date : 2014/11/17
|
|
# Operation: SQC
|
|
# Purpose : [Settings][Battery module will call batterystats API, and it will read /sys/kernel/debug/wakeup_sources]
|
|
# Package: com.android.settings
|
|
allow system_app debugfs:file r_file_perms;
|
|
|
|
# Date : 2014/11/18
|
|
# Operation : SQC
|
|
# Purpose : for oma dm fota recovery update
|
|
allow system_app ctl_rbfota_prop:property_service set;
|
|
|
|
# Date : 2014/11/19
|
|
# Operation: SQC
|
|
# Purpose: [Settings][RenderThread][operate device file failed]
|
|
# Package: com.android.settings
|
|
allow system_app proc_secmem:file rw_file_perms;
|
|
|
|
# Date : 2014/11/20
|
|
# Operation: SQC
|
|
# Purpose: [Settings][Developer options module will communicate with all Services through binder call]
|
|
# Package: com.android.settings
|
|
binder_call(system_app, mtkbt)
|
|
binder_call(system_app, MtkCodecService)
|
|
|
|
# Date : 2014/11/26
|
|
# Operation: SQC
|
|
# Purpose: [Settings][Browser][warning kernel API'selinux enforce violation:sdcardd' when do stress test with ' AT_ST_Browser_Test.rar']
|
|
# Package: com.android.settings
|
|
allow system_app platform_app_tmpfs:file write;
|
|
|
|
# Date : 2015/01/13
|
|
# Operation: SQC
|
|
# Purpose: access ashmem of isolated_app
|
|
# Package: com.fw.upgrade.sysoper
|
|
dontaudit system_app isolated_app_tmpfs:file write;
|
|
|
|
# Date : 2015/01/14
|
|
# Operation: SQC
|
|
# Purpose: access ashmem of untrusted_app
|
|
# Package: android.ui
|
|
dontaudit system_app untrusted_app_tmpfs:file write;
|
|
|
|
# Date : 2015/01/27
|
|
# Operation: SQC
|
|
# Purpose: It's not normal behavior, that system_app want to access radio_file_data
|
|
# Package: android.ui
|
|
dontaudit system_app radio_data_file:dir search;
|
|
allow system_app sysfs_keypad_file:file { read write getattr ioctl open };
|
|
|