| author | Mister Oyster <oysterized@gmail.com> | 2017-01-02 12:44:35 +0100 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-01-02 12:44:35 +0100 |
| commit | a184d985bf43d3fe6eeba971bc6b32f79ea38b37 (patch) | |
| tree | 6f6e56e090777cc149bc1ab39e5987cc2b03e867 /sepolicy | |
initial release (cm-13.0)
Diffstat (limited to 'sepolicy')
160 files changed, 8040 insertions, 0 deletions
diff --git a/sepolicy/BGW.te b/sepolicy/BGW.te
new file mode 100644
index 0000000..d9ecfcd
--- /dev/null
+++ b/sepolicy/BGW.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /system/xbin/BGW Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type BGW_exec , exec_type, file_type;
+type BGW ,domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# permissive BGW;
+init_daemon_domain(BGW)
+
+#============= BGW ==============
+allow BGW ccci_device:chr_file { read write open };
+allow BGW self:netlink_socket { read bind create write };
+allow BGW stpwmt_device:chr_file { read write open };
diff --git a/sepolicy/GoogleOtaBinder.te b/sepolicy/GoogleOtaBinder.te
new file mode 100644
index 0000000..8112e7f
--- /dev/null
+++ b/sepolicy/GoogleOtaBinder.te
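Review bot: The type declarations are written as `type BGW_exec , exec_type, file_type;` and `type BGW ,domain;`, with the comma detached from the preceding name, while autokd.te and ccci_fsd.te in the same commit use the conventional `type autokd, domain;` form; most of the other new .te files copy the detached form. checkpolicy accepts both, but grep-based audits of domain declarations then miss half the files, so one form should be used throughout. The commented-out `# permissive BGW;` here, and the `#permissive`/`#unconfined_domain` pairs in the later files, are bring-up leftovers that are better removed from an "initial release" than left one uncomment away from disabling enforcement.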
@@ -0,0 +1,41 @@
+# ==============================================
+# Policy File of /system/binGoogleOtaBinder Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type GoogleOtaBinder_exec , exec_type, file_type;
+type GoogleOtaBinder ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive GoogleOtaBinder;
+init_daemon_domain(GoogleOtaBinder)
+#unconfined_domain(GoogleOtaBinder)
+
+# Date : 2014/09/10
+# Operation : Migration
+# Purpose : allow Binder IPC
+binder_use(GoogleOtaBinder)
+binder_service(GoogleOtaBinder)
+
+allow GoogleOtaBinder ota_agent_service:service_manager add;
+# /dev/block/mmcblko
+allow GoogleOtaBinder platformblk_device:blk_file { write read open };
+
+allow GoogleOtaBinder block_device:dir search;
+allow GoogleOtaBinder platformblk_device:dir search;
+#/dev/misc
+allow GoogleOtaBinder misc_device:chr_file { write read open };
diff --git a/sepolicy/MtkCodecService.te b/sepolicy/MtkCodecService.te
new file mode 100644
index 0000000..f373487
--- /dev/null
+++ b/sepolicy/MtkCodecService.te
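Review bot: `allow GoogleOtaBinder platformblk_device:blk_file { write read open };` grants raw write on every block device carrying the platformblk_device label, which is broader than the `# /dev/block/mmcblko` comment (presumably meant as `mmcblk0`) suggests; an OTA writer should get a dedicated block-device type for the partitions it actually flashes, and the comment should name them. The header `# Policy File of /system/binGoogleOtaBinder Executable File` is missing the slash before the binary name; the same copy-paste defect is in aal.te, aee_core_forwarder.te, akmd8963.te, akmd8975.te, ami304d.te, atci_service.te, atcid.te, audiocmdservice_atci.te, batterywarning.te, bmm050d.te, boot_logo_updater.te, ccci_fsd.te and ccci_mdinit.te, and br_app_data_service.te drops `bin/` altogether. The `# Android Policy Rule` and `# NSA Policy Rule` banners in these files enclose nothing and could be dropped.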
@@ -0,0 +1,36 @@
+# ==============================================
+# Policy File of /system/bin/MtkCodecService Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type MtkCodecService_exec , exec_type, file_type;
+type MtkCodecService ,domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+# Date : 2014/09/10
+# Operation : Migration
+# Purpose : allow Binder IPC
+binder_use(MtkCodecService)
+
+# Date :
+# Operation : Migration
+# Purpose : allow Binder IPC
+
+# Date : W14.43
+# Operation : selinux inforce
+# Purpose : for L : add for ape playback
+
+init_daemon_domain(MtkCodecService)
+allow MtkCodecService mediaserver:binder call;
+allow MtkCodecService mediaserver:fd use;
+allow MtkCodecService mtk_codec_service_service:service_manager add;
+allow MtkCodecService self:capability{setuid sys_nice};
+allow MtkCodecService dumpstate:fd use;
\ No newline at end of file
diff --git a/sepolicy/aal.te b/sepolicy/aal.te
new file mode 100644
index 0000000..bbaa1bb
--- /dev/null
+++ b/sepolicy/aal.te
@@ -0,0 +1,40 @@
+# ==============================================
+# Policy File of /system/binaal Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type aal_exec , exec_type, file_type;
+type aal ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# permissive aal;
+init_daemon_domain(aal)
+# unconfined_domain(aal)
+
+# Date : 2014/09/09 (or WK14.37)
+# Operation : Migration
+# Purpose : allow Binder IPC
+binder_use(aal)
+binder_call(aal, binderservicedomain)
+binder_service(aal)
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : All enforing mode
+allow aal aal_als_device:chr_file { read open ioctl };
+allow aal graphics_device:chr_file { read open ioctl };
+allow aal graphics_device:dir search;
+allow aal aal_service:service_manager add;
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
new file mode 100644
index 0000000..e11c9ed
--- /dev/null
+++ b/sepolicy/adbd.te
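Review bot: The second header block `# Date :` / `# Operation : Migration` / `# Purpose : allow Binder IPC` in MtkCodecService.te has no date and no rule under it — it is a stale duplicate of the block above and should be removed, and the `# Date : W14.43` block ("inforce" → "enforce") is separated by a blank line from the rules it describes. `allow MtkCodecService self:capability{setuid sys_nice};` is the only capability grant in the file and carries no purpose note; setuid in a codec service deserves one line saying which uid change it performs. The file also ends without a trailing newline (`\ No newline at end of file`), as do adbd.te, atci_service.te, audiocmdservice_atci.te, bmm050d.te, bootanim.te and ccci_fsd.te.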
@@ -0,0 +1,51 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+
+#violate neverallow rule
+#allow adbd block_device:blk_file { read ioctl open };
+
+#violate neverallow rule
+#allow adbd labeledfs:filesystem remount;
+
+# Date : WK14.27
+# Operation : KK.AOSP SQC
+# Purpose : MTK snapshot-related mechanism
+allow adbd graphics_device:chr_file { read ioctl open };
+
+# Date : WK14.27
+# Operation : KK.AOSP SQC
+# Purpose : A process wants to access a specific path. For example : shell:ls -l /data/data/
+allow adbd platform_app_data_file:dir { write getattr add_name };
+allow adbd platform_app_data_file:file { read create open };
+allow adbd radio_data_file:file { read open };
+
+# Date : WK14.27
+# Operation : KK.AOSP SQC
+# Purpose : shell:logcat -v threadtime
+allow adbd self:capability2 syslog;
+
+allow adbd block_device:dir search;
+allow adbd kernel:process setsched;
+allow adbd self:capability { net_raw ipc_lock dac_override };
+allow adbd system_data_file:dir { write remove_name add_name };
+allow adbd tmpfs:lnk_file read;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for MTK Emulator HW GPU
+allow adbd qemu_pipe_device:chr_file rw_file_perms;
+
+# user load adb pull /data/aee_exp db
+allow adbd aee_exp_data_file:dir r_dir_perms;
+allow adbd aee_exp_data_file:file r_file_perms;
+
+# call screencap by DDMS
+allow adbd surfaceflinger:dir search;
+allow adbd surfaceflinger:file r_file_perms;
+
+# Date : WK14.48
+# Operation : L0 SQC
+# Purpose : push/pull files to specific folders
+allow adbd sf_rtt_file:dir getattr;
\ No newline at end of file
diff --git a/sepolicy/aee_core_forwarder.te b/sepolicy/aee_core_forwarder.te
new file mode 100644
index 0000000..b7f0b5c
--- /dev/null
+++ b/sepolicy/aee_core_forwarder.te
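Review bot: `allow adbd self:capability { net_raw ipc_lock dac_override };` and the four rules around it (`kernel:process setsched`, `system_data_file:dir { write remove_name add_name }`, `block_device:dir search`, `tmpfs:lnk_file read`) form the only group in adbd.te without a Date/Operation/Purpose header, so there is no record of why the debug bridge needs them. dac_override lets adbd bypass file-mode checks on every object its type-enforcement rules already reach, and write/add_name/remove_name on the top-level system_data_file directory is likewise broad; each should get a purpose line and, where it only serves debugging, be wrapped in `userdebug_or_eng(` ... `)` so user builds do not carry it. The two `#violate neverallow rule` blocks at the top are correctly commented out but are better deleted than kept as a template for re-enabling.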
@@ -0,0 +1,52 @@
+# ==============================================
+# Policy File of /system/binaee_core_forwarder Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type aee_core_forwarder_exec , exec_type, file_type;
+type aee_core_forwarder ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(aee_core_forwarder)
+
+#/data/core/zcorexxx.zip
+allow aee_core_forwarder aee_core_data_file:dir relabelto;
+allow aee_core_forwarder aee_core_data_file:dir create_dir_perms;
+allow aee_core_forwarder aee_core_data_file:file create_file_perms;
+allow aee_core_forwarder system_data_file:dir { write relabelfrom create add_name };
+
+#mkdir /sdcard/mtklog/aee_exp£¬and write /sdcard/mtklog/aee_exp/zcorexxx.zip
+allow aee_core_forwarder fuse:dir create_dir_perms;
+allow aee_core_forwarder fuse:file create_file_perms;
+allow aee_core_forwarder tmpfs:lnk_file read;
+allow aee_core_forwarder self:capability fsetid;
+allow aee_core_forwarder aee_exp_data_file:dir create_dir_perms;
+allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
+
+#mkdir(path, mode)
+allow aee_core_forwarder self:capability dac_override;
+
+#read STDIN_FILENO
+allow aee_core_forwarder kernel:fifo_file read;
+
+#read /proc/<pid>/cmdline
+allow aee_core_forwarder domain:dir r_dir_perms;
+allow aee_core_forwarder domain:file r_file_perms;
+
+#read
+allow aee_core_forwarder sysfs_wake_lock:file { read write open };
+
diff --git a/sepolicy/akmd8963.te b/sepolicy/akmd8963.te
new file mode 100644
index 0000000..699d0bd
--- /dev/null
+++ b/sepolicy/akmd8963.te
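Review bot: `allow aee_core_forwarder domain:file r_file_perms;` together with `domain:dir r_dir_perms` grants read on every /proc/<pid> entry labelled with any process domain, which is much wider than the `#read /proc/<pid>/cmdline` comment above it states; entries under /proc/<pid> take the process label, so finer labelling is presumably not available, and the comment should say that this breadth is a recorded decision rather than leave it looking accidental. The comment `#mkdir /sdcard/mtklog/aee_exp£¬and write /sdcard/mtklog/aee_exp/zcorexxx.zip` contains a mis-encoded full-width comma (`£¬`) and should use a plain `,`. The bare `#read` above the sysfs_wake_lock rule is incomplete — the rule grants `{ read write open }`, so the comment should say what is written.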
@@ -0,0 +1,37 @@
+# ==============================================
+# Policy File of /system/binakmd8963 Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type akmd8963_exec , exec_type, file_type;
+type akmd8963 ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive akmd8963;
+init_daemon_domain(akmd8963)
+#unconfined_domain(akmd8963)
+# Data : WK14.43
+# Operation : Migration
+# Purpose : M-sensor daemon for access driver node
+allow akmd8963 msensor_device:chr_file { open ioctl read write };
+allow akmd8963 gsensor_device:chr_file { open ioctl read write };
+allow akmd8963 input_device:dir { search open read write };
+allow akmd8963 input_device:file { open read };
+allow akmd8963 akmd8963_access_file1:file { open read write };
+allow akmd8963 akmd8963_access_file2:file { open read write};
+# Operate data partation directly, need modify later,e.g. use "data/misc/sensor".
+allow akmd8963 system_data_file:dir { write add_name create setattr };
diff --git a/sepolicy/akmd8975.te b/sepolicy/akmd8975.te
new file mode 100644
index 0000000..539a030
--- /dev/null
+++ b/sepolicy/akmd8975.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Policy File of /system/binakmd8975 Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type akmd8975_exec , exec_type, file_type;
+type akmd8975 ,domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(akmd8975)
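Review bot: `allow akmd8963 system_data_file:dir { write add_name create setattr };` under `# Operate data partation directly, need modify later,e.g. use "data/misc/sensor".` lets the sensor daemon create entries directly in the top-level /data directory; the comment's own proposal — a dedicated directory with its own file type — is the fix, and the same rule with the same TODO appears in bmm050d.te. Until that lands the TODO should carry an owner or ticket so it is not shipped indefinitely. `# Data : WK14.43` is a typo for `# Date`, also in bmm050d.te and bluetooth.te. akmd8975.te and ami304d.te declare domains with nothing but `init_daemon_domain`, which is fine if those daemons really need no access, but a one-line comment saying so would stop the next reader assuming the files are unfinished.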
diff --git a/sepolicy/ami304d.te b/sepolicy/ami304d.te
new file mode 100644
index 0000000..cd45837
--- /dev/null
+++ b/sepolicy/ami304d.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Policy File of /system/binami304d Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type ami304d_exec , exec_type, file_type;
+type ami304d ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(ami304d)
diff --git a/sepolicy/app.te b/sepolicy/app.te
new file mode 100644
index 0000000..eb509b2
--- /dev/null
+++ b/sepolicy/app.te
@@ -0,0 +1,13 @@
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+# Date: wk14.40
+# Operation : SQC
+# Purpose : [ALPS01756200] wwop boot up fail
+allow appdomain custom_file:dir { search getattr open read };
+allow appdomain custom_file:file { read open getattr};
+
diff --git a/sepolicy/atci_service.te b/sepolicy/atci_service.te
new file mode 100644
index 0000000..b98a146
--- /dev/null
+++ b/sepolicy/atci_service.te
@@ -0,0 +1,72 @@
+# ==============================================
+# Policy File of /system/binatci_service Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type atci_service_exec , exec_type, file_type;
+type atci_service ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(atci_service)
+
+# Date : 2014/09/09 (or WK14.37)
+# Operation : Migration
+# Purpose : allow Binder IPC
+# atci_pq_cmd.cpp will call aal for runtime tuning
+binder_use(atci_service)
+binder_call(atci_service, aal)
+binder_service(atci_service)
+allow atci_service block_device:dir search;
+allow atci_service platformblk_device:dir search;
+allow atci_service platformblk_device:blk_file { open read write };
+allow atci_service system_data_file:dir write;
+allow atci_service system_data_file:dir add_name;
+allow atci_service system_data_file:sock_file create;
+allow atci_service system_data_file:sock_file setattr;
+allow atci_service self:capability chown;
+allow atci_service system_data_file:dir remove_name;
+allow atci_service system_data_file:sock_file unlink;
+allow atci_service system_server:unix_dgram_socket sendto;
+allow atci_service system_data_file:sock_file write;
+allow atci_service misc2_device:chr_file { open read write };
+allow atci_service mt6605_device:chr_file { read write ioctl open getattr };
+allow atci_service nfc_socket:dir { write add_name remove_name search };
+allow atci_service nfc_socket:sock_file { create write unlink setattr };
+allow atci_service system_file:file execute_no_trans;
+
+allow atci_service self:capability { dac_read_search
dac_override net_raw chown fsetid sys_nice net_admin fowner sys_admin };
+allow atci_service camera_isp_device:chr_file { read write ioctl open };
+allow atci_service graphics_device:chr_file { read write ioctl open };
+allow atci_service graphics_device:dir search;
+allow atci_service kd_camera_hw_device:chr_file { read write ioctl open };
+allow atci_service self:capability { sys_nice ipc_lock };
+allow atci_service nvram_data_file:dir { write read open add_name remove_name search create getattr setattr };
+allow atci_service nvram_data_file:file { setattr read create write getattr unlink open append };
+allow atci_service nvram_device:chr_file { read write open ioctl };
+allow atci_service camera_isp_device:chr_file { read write ioctl open };
+allow atci_service camera_sysram_device:chr_file { read ioctl open };
+allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open };
+allow atci_service MTK_SMI_device:chr_file { open read write ioctl };
+allow atci_service system_server:binder call;
+allow atci_service system_data_file:dir { write remove_name add_name };
+allow atci_service DW9714AF_device:chr_file { read write ioctl open };
+allow atci_service devmap_device:chr_file { open read write ioctl };
+allow atci_service fuse:dir { search write read open add_name remove_name create getattr setattr };
+allow atci_service fuse:file { setattr read create write getattr unlink open append };
+allow atci_service mediaserver:binder call;
+allow atci_service sysfs:file write;
+allow atci_service system_server:unix_stream_socket { read write };
+allow atci_service self:capability sys_boot;
\ No newline at end of file
diff --git a/sepolicy/atcid.te b/sepolicy/atcid.te
new file mode 100644
index 0000000..864d1d7
--- /dev/null
+++ b/sepolicy/atcid.te
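Review bot: `allow atci_service self:capability { dac_read_search dac_override net_raw chown fsetid sys_nice net_admin fowner sys_admin };` (the rule wrapped across L19–L20) plus `self:capability sys_boot` and `system_file:file execute_no_trans` leaves atci_service effectively unconfined — sys_admin alone covers mount and most other privileged kernel operations — yet the block has no Date/Operation/Purpose header; each capability should be justified individually or removed. The file also repeats itself: `camera_isp_device:chr_file { read write ioctl open }` appears twice, `chown` and `sys_nice` are each granted twice, and `system_data_file:dir write` / `add_name` / `remove_name` are listed singly and again as one set. `allow atci_service sysfs:file write;` applies to every sysfs attribute that has not been given a more specific label; the same blanket rule is in autokd.te, bmm050d.te and boot_logo_updater.te and should target a dedicated `sysfs_*` type in each case.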
@@ -0,0 +1,50 @@
+# ==============================================
+# Policy File of /system/binatcid Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type atcid_exec , exec_type, file_type;
+type atcid ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(atcid)
+allow atcid self:capability dac_override;
+allow atcid init:unix_stream_socket connectto;
+allow atcid property_socket:sock_file write;
+allow atcid ttyGS_device:chr_file { read write ioctl open };
+allow atcid atci_service:unix_stream_socket connectto;
+allow atcid atci_service_socket:sock_file write;
+allow atcid mtkrild:unix_stream_socket connectto;
+allow atcid rild_atci_socket:sock_file write;
+allow atcid atci_audio_socket:sock_file write;
+allow atcid audiocmdservice_atci:unix_stream_socket connectto;
+allow atcid system_prop:property_service set;
+allow atcid persist_service_atci_prop:property_service set;
+allow atcid misc2_device:chr_file { read write open };
+allow atcid wmtWifi_device:chr_file { write open };
+allow atcid block_device:dir search;
+allow atcid platformblk_device:blk_file { read write open };
+allow atcid self:capability { net_admin net_raw };
+allow atcid self:udp_socket { create ioctl };
+allow atcid shell_exec:file execute;
+allow atcid socket_device:sock_file write;
+allow atcid shell_exec:file { read open };
+allow atcid statusd:unix_stream_socket connectto;
+allow atcid shell_exec:file execute_no_trans;
+allow atcid system_file:file execute_no_trans;
+allow atcid self:rawip_socket create;
+allow atcid self:rawip_socket getopt;
+allow atcid 
self:rawip_socket setopt;
diff --git a/sepolicy/audiocmdservice_atci.te b/sepolicy/audiocmdservice_atci.te
new file mode 100644
index 0000000..498267e
--- /dev/null
+++ b/sepolicy/audiocmdservice_atci.te
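Review bot: `allow atcid shell_exec:file execute_no_trans;` and `allow atcid system_file:file execute_no_trans;` let the AT-command daemon run /system/bin/sh and any system binary without a domain transition, so whatever it spawns inherits the rest of this file — `system_prop:property_service set`, `platformblk_device:blk_file { read write open }`, raw IP and UDP sockets and `net_admin`. Anything it needs to execute should transition into its own confined domain via `domain_auto_trans`, or the file should record why in-domain execution is required; as written the whole file has no Date/Operation/Purpose block at all. `allow atcid shell_exec:file execute;` and `shell_exec:file { read open }` a few lines apart are fragments of the same grant and could be one line.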
@@ -0,0 +1,49 @@
+# ==============================================
+# Policy File of /system/binaudiocmdservice_atci Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type audiocmdservice_atci_exec , exec_type, file_type;
+type audiocmdservice_atci ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+allow audiocmdservice_atci mediaserver:binder call;
+allow audiocmdservice_atci mediaserver:chr_file { read write ioctl open create setattr append };
+allow audiocmdservice_atci mediaserver:dir { write add_name search };
+allow audiocmdservice_atci platformblk_device:blk_file { read write open };
+
+allow audiocmdservice_atci fuse:file { create read write open };
+allow audiocmdservice_atci fuse:dir { search write add_name };
+
+allow audiocmdservice_atci tmpfs:lnk_file read;
+allow audiocmdservice_atci block_device:dir { write search };
+allow audiocmdservice_atci nvram_data_file:dir { add_name write search };
+allow audiocmdservice_atci nvdata_file:dir { add_name write search };
+allow audiocmdservice_atci nvram_device:chr_file { open read write };
+allow audiocmdservice_atci nvram_data_file:file { write getattr setattr read create open };
+allow audiocmdservice_atci nvram_data_file:lnk_file read;
+allow audiocmdservice_atci nvdata_file:file { write getattr setattr read create open };
+allow audiocmdservice_atci self:capability { dac_override };
+
+# ==============================================
+# Data: 2014/09/24
+# Operation: Migration
+# Purpose: allow Binder IPC for audio tuning tool
+# ==============================================
+binder_use(audiocmdservice_atci)
+binder_call(audiocmdservice_atci, mediaserver)
+
+init_daemon_domain(audiocmdservice_atci)
\ No newline at end of file
diff --git a/sepolicy/autokd.te b/sepolicy/autokd.te
new file mode 100644
index 0000000..2711dbd
--- /dev/null
+++ b/sepolicy/autokd.te
@@ -0,0 +1,42 @@
+# ==============================================
+# Policy File of /system/bin/autokd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type autokd, domain;
+type autokd_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# Date : WK14.43
+# Operation : Migration
+# Purpose : Start autokd
+init_daemon_domain(autokd)
+allow init self:tcp_socket create;
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : Interact with kernel to perform autok
+allow autokd debugfs:file read;
+allow autokd init:unix_stream_socket connectto;
+allow autokd property_socket:sock_file write;
+allow autokd self:netlink_kobject_uevent_socket { read bind create setopt };
+allow autokd self:tcp_socket create;
+allow autokd shell_exec:file { read execute open execute_no_trans };
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : Read/Write autok result in data paritition
+# To do: Consider to move files into a sub-directory in /data, said, /data/autokd
+allow autokd sysfs:file write;
+allow autokd system_data_file:dir { read write open add_name remove_name };
+allow autokd system_data_file:file { open };
+allow autokd system_file:file execute_no_trans;
+allow autokd block_device:dir search;
+allow autokd nvram_data_file:dir {search read write getattr add_name remove_name };
+allow autokd nvram_data_file:file { read write getattr create open };
+allow autokd platformblk_device:dir search;
+allow autokd platformblk_device:blk_file { open read write };
+
diff --git a/sepolicy/batterywarning.te b/sepolicy/batterywarning.te
new file mode 100644
index 0000000..d1f1062
--- /dev/null
+++ b/sepolicy/batterywarning.te
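Review bot: `allow audiocmdservice_atci mediaserver:chr_file { read write ioctl open create setattr append };` and `mediaserver:dir { write add_name search }` use the mediaserver process domain as the target file type; the objects that carry a process label are essentially the /proc/<pid> entries, which cannot be created or appended to, so these read like audit2allow output against a mislabelled device node or directory rather than a meaningful grant — confirm which path was actually denied and give it a proper file type. The nvram_data_file/nvdata_file/platformblk_device write rules in the same file have no Date/Operation/Purpose block, and `# Data: 2014/09/24` should read `# Date:`.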
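Review bot: `allow init self:tcp_socket create;` in autokd.te, under the `# Purpose : Start autokd` header, grants the init domain rather than autokd; a rule widening init belongs in init.te with its own justification, and if autokd's own socket was meant, the identical `allow autokd self:tcp_socket create;` nine lines later already covers it, so this line can probably be dropped. `allow autokd shell_exec:file { read execute open execute_no_trans }` and `system_file:file execute_no_trans` run shell and system binaries inside the autokd domain, which also carries `platformblk_device:blk_file { open read write }`; prefer a transition into a dedicated domain. `paritition` in the third Purpose line is a typo.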
@@ -0,0 +1,34 @@
+# ==============================================
+# Policy File of /system/binbatterywarning Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type batterywarning_exec , exec_type, file_type;
+type batterywarning ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(batterywarning)
+
+# Date : 2014/10/15
+# Operation : Migration
+# Purpose : all Binder IPC for battery warning to call IActivityManager to send broadcast
+binder_use(batterywarning)
+
+# Date : 2014/10/16
+# Operation : Migration
+# Purpose : allow battery warning use AMS to send broadcast through binder call
+allow batterywarning system_server:binder call;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..2ed77ad
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,32 @@
+
+# ==============================================
+# MTK Policy Rule
+# ============
+
+
+# Data : WK14.36
+# Operation : Migration
+# Purpose : IPC communication between bluetooth and mtkbt (BT host), and bluetooth and mediaserver
+allow bluetooth bt_int_adp_socket:sock_file write;
+allow bluetooth mediaserver:unix_dgram_socket sendto;
+allow bluetooth mtkbt:unix_dgram_socket sendto;
+allow bluetooth mtkbt:unix_stream_socket connectto;
+allow bluetooth mtkbt:fd use;
+allow bluetooth init:unix_dgram_socket sendto;
+
+# Data : WK14.36
+# Operation : Migration
+# Purpose : BT host stack cached data access
+allow bluetooth bt_data_file:dir { write add_name remove_name search};
+allow bluetooth bt_data_file:file { open read write create setattr getattr append unlink rename};
+
+# Data : WK14.44
+# Operation : Migration
+# IPC communication between bluetooth and mtkbt
+binder_call(bluetooth, mtkbt)
+#============= mediaserver ==============
+allow mediaserver bt_data_file:file read;
+
+#============= bluetooth ==============
+allow bluetooth platform_app_tmpfs:file write;
+
diff --git a/sepolicy/bmm050d.te b/sepolicy/bmm050d.te
new file mode 100644
index 0000000..574d1c5
--- /dev/null
+++ b/sepolicy/bmm050d.te
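Review bot: `allow mediaserver bt_data_file:file read;` is a rule for the mediaserver domain placed in bluetooth.te under a bare `#============= mediaserver ==============` banner with no Date/Operation/Purpose block, unlike every other group in the file; it belongs in mediaserver.te, or should at least say which Bluetooth data file mediaserver reads. `allow bluetooth platform_app_tmpfs:file write;` at the end has the same bare banner and no purpose. The three `# Data :` headers are typos for `# Date :`, and the WK14.44 block is missing the `Purpose :` prefix on its third line.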
@@ -0,0 +1,50 @@
+# ==============================================
+# Policy File of /system/binbmm050d Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type bmm050d_exec , exec_type, file_type;
+type bmm050d ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive bmm050d;
+init_daemon_domain(bmm050d)
+#unconfined_domain(bmm050d)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : M-sensor daemon for access driver node
+
+allow bmm050d msensor_device:chr_file { open read write ioctl };
+allow bmm050d msensor_device:chr_file { open read write ioctl };
+allow bmm050d input_device:dir { search open read write };
+allow bmm050d input_device:file { open read write ioctl };
+allow bmm050d mtk_agpsd:dir search;
+allow bmm050d sensor_data_file:dir {search open read write create getattr setattr };
+allow bmm050d sensor_data_file:file { open read write create append unlink ioctl getattr setattr };
+allow bmm050d system_sensor_data_file:dir { search open read create };
+allow bmm050d system_sensor_data_file:file { open read create write };
+allow bmm050d bmm050_sensor_log_file:file { open create read write };
+allow bmm050d sysfs:file write;
+allow bmm050d sysfs_gsensor_file:dir { search open read create };
+allow bmm050d sysfs_gsensor_file:file { open read create write };
+allow bmm050d sysfs_gsensor_file:lnk_file read;
+allow bmm050d sysfs_msensor_file:dir { search open read create };
+allow bmm050d sysfs_msensor_file:file { open read create write };
+allow bmm050d sysfs_msensor_file:lnk_file read;
+# Operate data partation directly, need modify 
later,e.g. use "data/misc/sensor".
+allow bmm050d system_data_file:dir { write add_name create setattr};
\ No newline at end of file
diff --git a/sepolicy/boot_logo_updater.te b/sepolicy/boot_logo_updater.te
new file mode 100644
index 0000000..2cf0064
--- /dev/null
+++ b/sepolicy/boot_logo_updater.te
@@ -0,0 +1,49 @@
+# ==============================================
+# Policy File of /system/binboot_logo_updater Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type boot_logo_updater_exec , exec_type, file_type;
+type boot_logo_updater ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(boot_logo_updater)
+
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : for L early bring up.
+allow boot_logo_updater mmcblk_device:blk_file { read open };
+allow boot_logo_updater platformblk_device:blk_file { read open };
+
+# Date : WK14.32
+# Operation : Migration
+# Puration : set boot reason
+allow boot_logo_updater system_prop:property_service set;
+
+# Date : WK14.43
+# Operation : Migration
+# Puration : for policy migration
+allow boot_logo_updater graphics_device:chr_file { read write ioctl open };
+allow boot_logo_updater init:unix_stream_socket connectto;
+allow boot_logo_updater logo_device:chr_file { read open };
+allow boot_logo_updater platformblk_device:dir search;
+allow boot_logo_updater property_socket:sock_file write;
+allow boot_logo_updater self:capability dac_override;
+allow boot_logo_updater sysfs:file write;
+allow boot_logo_updater block_device:dir search;
+allow boot_logo_updater graphics_device:dir search;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..4dfc6ba
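Review bot: `allow bmm050d msensor_device:chr_file { open read write ioctl };` appears twice on consecutive lines in bmm050d.te; drop one. `allow bmm050d input_device:file { open read write ioctl }` and `input_device:dir { search open read write }` give the magnetometer daemon write and ioctl on every input device node, which is more than `# Purpose : M-sensor daemon for access driver node` explains; if only its own node is touched, give that node a specific label. The trailing `# Operate data partation directly, need modify later,e.g. use "data/misc/sensor".` TODO and the `system_data_file:dir { write add_name create setattr}` rule duplicate akmd8963.te and should be resolved together.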
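Review bot: `# Puration : set boot reason` and `# Puration : for policy migration` in boot_logo_updater.te are typos for `# Purpose :`, so the header format differs from every other file in the commit. `allow boot_logo_updater self:capability dac_override;` and `sysfs:file write` are filed under the `for policy migration` header, which records when they were added but not why a logo updater needs to bypass DAC or write arbitrary sysfs attributes; each deserves a one-line purpose or a narrower target type.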
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1,43 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : for L early bring up
+allow bootanim self:netlink_socket { read bind create write};
+allow bootanim proc_secmem:file { read open};
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : for playing boot tone
+allow bootanim mediaserver:binder call;
+allow bootanim mediaserver:binder transfer;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : for ui
+allow bootanim guiext-server:binder call;
+allow bootanim guiext-server:binder transfer;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for op
+allow bootanim terservice:binder call;
+allow bootanim property_socket:sock_file write;
+allow bootanim init:unix_stream_socket connectto;
+allow bootanim custom_file:dir search;
+allow bootanim custom_file:file open;
+allow bootanim custom_file:file read;
+allow bootanim bootani_prop:property_service set;
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : for policy migration
+allow bootanim debug_prop:property_service set;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for MTK Emulator HW GPU
+allow bootanim qemu_pipe_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/br_app_data_service.te b/sepolicy/br_app_data_service.te
new file mode 100644
index 0000000..44f621f
--- /dev/null
+++ b/sepolicy/br_app_data_service.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /system/br_app_data_service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type br_app_data_service_exec , exec_type, file_type;
+type br_app_data_service ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+#permissive br_app_data_service;
+init_daemon_domain(br_app_data_service)
+
+#============= br_app_data_service ==============
+allow br_app_data_service app_data_file:dir create_dir_perms;
+allow br_app_data_service self:capability { chown dac_override };
+allow br_app_data_service app_data_file:file create_file_perms;
diff --git a/sepolicy/ccci_fsd.te b/sepolicy/ccci_fsd.te
new file mode 100644
index 0000000..2703f56
--- /dev/null
+++ b/sepolicy/ccci_fsd.te
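Review bot: `allow br_app_data_service app_data_file:dir create_dir_perms;` / `app_data_file:file create_file_perms` together with `self:capability { chown dac_override }` give this daemon create, write, unlink and chown over every application's private data, but the only documentation is the `#============= br_app_data_service ==============` banner. This is the one place in the commit where app-data isolation is delegated entirely to a daemon's own path handling, so the file should carry a Date/Operation/Purpose block naming the backup/restore use case and what is allowed to drive it — no binder or socket rules appear in this file, so that is not visible here. The `#permissive br_app_data_service;` leftover should be removed before release.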
@@ -0,0 +1,48 @@
+# ==============================================
+# Policy File of /system/binccci_fsd Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type ccci_fsd_exec, exec_type, file_type;
+type ccci_fsd, domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive ccci_fsd;
+init_daemon_domain(ccci_fsd)
+#unconfined_domain(ccci_fsd)
+
+wakelock_use(ccci_fsd)
+
+allow ccci_fsd nvram_data_file:dir create_dir_perms;
+allow ccci_fsd nvram_data_file:file create_file_perms;
+allow ccci_fsd nvram_data_file:lnk_file read;
+allow ccci_fsd nvdata_file:dir create_dir_perms;
+allow ccci_fsd nvdata_file:file create_file_perms;
+allow ccci_fsd ccci_device:chr_file rw_file_perms;
+allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
+allow ccci_fsd ccci_cfg_file:file create_file_perms;
+#============= ccci_fsd ==============
+allow ccci_fsd protect_f_data_file:dir create_dir_perms;
+allow ccci_fsd protect_f_data_file:file create_file_perms;
+
+allow ccci_fsd protect_s_data_file:dir create_dir_perms;
+allow ccci_fsd protect_s_data_file:file create_file_perms;
+
+allow ccci_fsd otp_device:chr_file rw_file_perms;
+allow ccci_fsd block_device:dir search;
+allow ccci_fsd platformblk_device:blk_file { read write open ioctl };
+allow ccci_fsd platformblk_device:dir { search };
\ No newline at end of file
diff --git a/sepolicy/ccci_mdinit.te b/sepolicy/ccci_mdinit.te
new file mode 100644
index 0000000..af256e7
--- /dev/null
+++ b/sepolicy/ccci_mdinit.te
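Review bot: The header `# Policy File of /system/binccci_fsd Executable File` is missing the slash and should read `# Policy File of /system/bin/ccci_fsd Executable File`; the same truncated path appears in the ccci_mdinit, dhcp6c and dualmdlogger headers in this commit. `allow ccci_fsd platformblk_device:blk_file { read write open ioctl };` is raw read/write/ioctl on every partition carrying the `platformblk_device` label, while the rest of the file suggests only the modem/nvram-related partitions are needed; a dedicated block type for those nodes in file_contexts would confine the daemon to them. The empty "Android Policy Rule" / "NSA Policy Rule" sections are boilerplate and could be dropped.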
@@ -0,0 +1,86 @@
+# ==============================================
+# Policy File of /system/binccci_mdinit Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type ccci_mdinit_exec , exec_type, file_type;
+type ccci_mdinit ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive ccci_mdinit;
+init_daemon_domain(ccci_mdinit)
+#unconfined_domain(ccci_mdinit)
+wakelock_use(ccci_mdinit)
+#=============allow ccci_mdinit to start gsm0710muxd==============
+allow ccci_mdinit ctl_gsm0710muxd_prop:property_service set;
+#=============allow ccci_mdinit to start emcsmdlogger==============
+allow ccci_mdinit ctl_mdlogger_prop:property_service set;
+
+unix_socket_connect(ccci_mdinit, property, init)
+#allow ccci_mdinit ctl_mdlogger_prop:property_service set;
+allow ccci_mdinit { ctl_mdlogger_prop ctl_emdlogger1_prop ctl_emdlogger2_prop ctl_dualmdlogger_prop }:property_service set;
+
+#allow ccci_mdinit ctl_gsm0710muxd_prop:property_service set;
+allow ccci_mdinit { ctl_gsm0710muxd_prop ctl_gsm0710muxd-s_prop ctl_gsm0710muxd-d_prop ctl_gsm0710muxdmd2_prop}:property_service set;
+
+#allow ccci_mdinit ctl_ril-daemon-mtk_prop:property_service set;
+allow ccci_mdinit { ctl_rildaemon_prop ctl_ril-daemon-mtk_prop ctl_ril-daemon-s_prop ctl_ril-daemon-d_prop ctl_ril-daemon-md2_prop }:property_service set;
+
+allow ccci_mdinit ril_active_md_prop:property_service set;
+allow ccci_mdinit mtk_md_prop:property_service set;
+allow ccci_mdinit radio_prop:property_service set;
+
+allow ccci_mdinit { ctl_ccci_fsd_prop ctl_ccci2_fsd_prop }:property_service set;
+allow ccci_mdinit { ctl_ccci_rpcd_prop ctl_ccci2_rpcd_prop }:property_service set;
+
+allow ccci_mdinit ccci_device:chr_file rw_file_perms;
+allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;
+
+# TODO: Do not allow write access to all of /sys
+allow ccci_mdinit sysfs:file write;
+
+allow ccci_mdinit nvram_data_file:dir rw_dir_perms;
+allow ccci_mdinit nvram_data_file:file create_file_perms;
+allow ccci_mdinit nvram_data_file:lnk_file read;
+allow ccci_mdinit nvdata_file:dir rw_dir_perms;
+allow ccci_mdinit nvdata_file:file create_file_perms;
+allow ccci_mdinit nvram_device:chr_file rw_file_perms;
+
+allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
+allow ccci_mdinit protect_f_data_file:file create_file_perms;
+
+allow ccci_mdinit protect_s_data_file:dir rw_dir_perms;
+allow ccci_mdinit protect_s_data_file:file create_file_perms;
+allow ccci_mdinit platformblk_device:blk_file { read write open };
+
+allow ccci_mdinit ril_mux_report_case_prop:property_service set;
+
+allow ccci_mdinit mdlog_data_file:dir search;
+allow ccci_mdinit mdlog_data_file:file { read open };
+allow ccci_mdinit platformblk_device:dir search;
+
+allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
+allow ccci_mdinit ccci_cfg_file:file create_file_perms;
+allow ccci_mdinit block_device:dir search;
+
+allow ccci_mdinit preloader_device:chr_file rw_file_perms;
+allow ccci_mdinit misc_sd_device:chr_file { read open };
+allow ccci_mdinit sec_ro_device:chr_file { read open };
+
+allow ccci_mdinit custom_file:dir { search };
+allow ccci_mdinit custom_file:file { open read getattr };
+allow ccci_mdinit mtk_tele_prop:property_service set;
diff --git a/sepolicy/ccci_rpcd.te b/sepolicy/ccci_rpcd.te
new file mode 100644
index 0000000..accd85f
--- /dev/null
+++ b/sepolicy/ccci_rpcd.te
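Review bot: `allow ccci_mdinit sysfs:file write;` ships with its own `# TODO: Do not allow write access to all of /sys`, and the same blanket rule appears in debuggerd.te and dmlog.te in this commit; the usual fix is a `genfscon sysfs <path>` label for the node(s) actually written and an allow on that narrower type, which also makes the sysfs write auditable. The two standalone rules `allow ccci_mdinit ctl_gsm0710muxd_prop:property_service set;` and `allow ccci_mdinit ctl_mdlogger_prop:property_service set;` near the top are subsumed by the bracketed sets a few lines below and can be deleted along with the commented-out originals. The header path `/system/binccci_mdinit` is missing a slash.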
@@ -0,0 +1,34 @@
+# ==============================================
+# Policy File of /system/binccci_fsd Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type ccci_rpcd_exec, exec_type, file_type;
+type ccci_rpcd, domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive ccci_rpcd;
+init_daemon_domain(ccci_rpcd)
+#unconfined_domain(ccci_rpcd)
+
+wakelock_use(ccci_rpcd)
+#============= ccci_rpcd ==============
+allow ccci_rpcd ccci_device:chr_file rw_file_perms;
+allow ccci_rpcd block_device:dir search;
+allow ccci_rpcd platformblk_device:dir search;
+allow ccci_rpcd platformblk_device:blk_file { open read write };
+allow ccci_rpcd misc2_device:chr_file { open read write };
diff --git a/sepolicy/clatd.te b/sepolicy/clatd.te
new file mode 100644
index 0000000..7b20973
--- /dev/null
+++ b/sepolicy/clatd.te
@@ -0,0 +1,4 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
diff --git a/sepolicy/cmddumper.te b/sepolicy/cmddumper.te
new file mode 100644
index 0000000..f605d3c
--- /dev/null
+++ b/sepolicy/cmddumper.te
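Review bot: The header in ccci_rpcd.te names the wrong daemon — `# Policy File of /system/binccci_fsd Executable File` was copied from ccci_fsd.te and should be `# Policy File of /system/bin/ccci_rpcd Executable File`. `allow ccci_rpcd platformblk_device:blk_file { open read write };` is raw partition write, the same concern as in ccci_fsd.te; a comment naming the partition it touches would let a later reviewer split the label. clatd.te in this hunk is an empty header and could be omitted until it has rules.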
@@ -0,0 +1,35 @@
+# ==============================================
+# Policy File of /system/bin/cmddumper Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type cmddumper, domain;
+type cmddumper_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(cmddumper)
+
+#============= cmddumper ==============
+allow cmddumper mdlog_data_file:fifo_file create_file_perms;
+allow cmddumper mdlog_data_file:file create_file_perms;
+allow cmddumper mdlog_data_file:dir { create_dir_perms relabelto };
+allow cmddumper ttySDIO_device:chr_file { read write ioctl open };
+allow cmddumper fuse:dir create_dir_perms;
+allow cmddumper fuse:file create_file_perms;
+
+allow cmddumper init:unix_stream_socket connectto;
+allow cmddumper property_socket:sock_file { write read };
+allow cmddumper platform_app:unix_stream_socket connectto;
+
+allow cmddumper shell_exec:file { read execute open execute_no_trans };
+allow cmddumper system_file:file execute_no_trans;
+
+allow cmddumper debug_mdlogger_prop:property_service set;
+allow cmddumper debug_prop:property_service set;
+
+allow cmddumper tmpfs:lnk_file read;
+allow cmddumper system_data_file:dir { write create open add_name relabelfrom relabelto};
+
diff --git a/sepolicy/debuggerd.te b/sepolicy/debuggerd.te
new file mode 100644
index 0000000..eba01d1
--- /dev/null
+++ b/sepolicy/debuggerd.te
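Review bot: `allow cmddumper shell_exec:file { read execute open execute_no_trans };` together with `allow cmddumper system_file:file execute_no_trans;` runs /system/bin/sh and any system binary inside the cmddumper domain, so whatever those commands are, they inherit the daemon's ability to relabel `system_data_file` directories and to set `debug_prop`. If a specific helper is launched, a `domain_auto_trans(cmddumper, <helper>_exec, <helper>)` into its own domain is the usual shape; at minimum add a comment naming what is executed. The `system_data_file:dir { ... relabelfrom relabelto}` rule would also benefit from a comment saying which directory under /data is relabelled and to which type.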
@@ -0,0 +1,151 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+domain_auto_trans(debuggerd, dmlog_exec, dmlog)
+
+allow debuggerd aed_device:chr_file { read write ioctl open };
+allow debuggerd expdb_device:chr_file { read write ioctl open };
+allow debuggerd platformblk_device:blk_file { read write ioctl open };
+allow debuggerd ccci_device:chr_file { read ioctl open };
+allow debuggerd etb_device:chr_file { read write ioctl open };
+allow debuggerd graphics_device:dir search;
+allow debuggerd graphics_device:chr_file r_file_perms;
+allow debuggerd Vcodec_device:chr_file r_file_perms;
+allow debuggerd camera_isp_device:chr_file r_file_perms;
+
+# AED start: /dev/block/expdb
+allow debuggerd block_device:dir search;
+allow debuggerd platformblk_device:dir search;
+
+# NE flow: /dev/RT_Monitor
+allow debuggerd RT_Monitor_device:chr_file { read ioctl open };
+
+# /dev/_GPU_ dev/pvrsrvkm
+allow debuggerd gpu_device:chr_file rw_file_perms;
+
+# /dev/exm0
+allow debuggerd exm0_device:chr_file r_file_perms;
+
+allow debuggerd shell_exec:file { execute execute_no_trans };
+allow debuggerd dex2oat_exec:file { execute execute_no_trans };
+
+# aee db dir and db files
+allow debuggerd sdcard_internal:dir create_dir_perms;
+allow debuggerd sdcard_internal:file create_file_perms;
+
+#data/anr
+allow debuggerd anr_data_file:dir create_dir_perms;
+allow debuggerd anr_data_file:file create_file_perms;
+
+#data/aee_exp
+allow debuggerd aee_exp_data_file:dir { relabelto create_dir_perms };
+allow debuggerd aee_exp_data_file:file create_file_perms;
+
+#data/dumpsys
+allow debuggerd aee_dumpsys_data_file:dir { relabelto create_dir_perms };
+allow debuggerd aee_dumpsys_data_file:file create_file_perms;
+
+#/data/core
+allow debuggerd aee_core_data_file:dir create_dir_perms;
+allow debuggerd aee_core_data_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow debuggerd data_tmpfs_log_file:dir create_dir_perms;
+allow debuggerd data_tmpfs_log_file:file create_file_perms;
+
+allow debuggerd shell_data_file:dir search;
+allow debuggerd shell_data_file:file r_file_perms;
+
+#/data/anr/SF_RTT
+allow debuggerd sf_rtt_file:dir search;
+allow debuggerd sf_rtt_file:file r_file_perms;
+
+allow debuggerd sysfs:file write;
+allow debuggerd proc:file write;
+allow debuggerd sysfs_lowmemorykiller:file { read open };
+allow debuggerd debugfs:file read;
+#allow debuggerd proc_security:file { write open };
+
+allow debuggerd self:capability { fsetid sys_nice sys_resource net_admin sys_module };
+
+allow debuggerd domain:process { sigkill getattr getsched};
+allow debuggerd domain:lnk_file getattr;
+
+#core-pattern
+allow debuggerd usermodehelper:file { read open };
+
+#suid_dumpable
+allow debuggerd proc_security:file { read open };
+
+#kptr_restrict
+#allow debuggerd proc_security:file { write open };
+
+#dmesg
+allow debuggerd kernel:system syslog_read;
+
+#property
+allow debuggerd init:unix_stream_socket connectto;
+allow debuggerd property_socket:sock_file write;
+
+# dumpstate ION_MM_HEAP
+allow debuggerd debugfs:lnk_file read;
+
+allow debuggerd tmpfs:lnk_file read;
+
+
+# aed set property
+allow debuggerd persist_mtk_aee_prop:property_service set;
+allow debuggerd persist_aee_prop:property_service set;
+allow debuggerd debug_mtk_aee_prop:property_service set;
+
+# aee_dumpstate set property
+allow debuggerd debug_bq_dump_prop:property_service set;
+
+#com.android.settings NE
+allow debuggerd system_app_data_file:dir search;
+
+# sogou NE
+allow debuggerd app_data_file:dir search;
+
+# open and read /data/data/com.android.settings/databases/search_index.db-journal
+allow debuggerd system_app_data_file:file r_file_perms;
+allow debuggerd app_data_file:file r_file_perms;
+
+# /system/bin/am
+allow debuggerd system_file:file execute_no_trans;
+allow debuggerd zygote_exec:file { execute execute_no_trans };
+
+#/proc/driver/storage_logger
+allow debuggerd proc_slogger:file { write read open };
+
+# MOTA upgrade from JB->L: aee_dumpstate(ps top df dmesg)
+# allow debuggerd unlabeled:lnk_file read;
+
+binder_use(debuggerd)
+allow debuggerd system_server:binder call;
+allow debuggerd surfaceflinger:binder call;
+allow debuggerd surfaceflinger:fd use;
+allow debuggerd platform_app:fd use;
+allow debuggerd platform_app_tmpfs:file write;
+
+# aed and MTKLogger.apk socket connect
+allow debuggerd platform_app:unix_stream_socket connectto;
+
+allow debuggerd self:udp_socket { create ioctl };
+
+allow debuggerd init:process getsched;
+allow debuggerd kernel:process getsched;
+
+# for SF_dump
+allow debuggerd sf_bqdump_data_file:dir { read write open remove_name search};
+allow debuggerd sf_bqdump_data_file:file { read getattr unlink open };
+
+
+allow debuggerd custom_file:dir search;
+
+# avc: denied { read } for pid=4503 comm="screencap" name="secmem0" dev="proc"
+allow debuggerd proc_secmem:file r_file_perms;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..7901b2c
--- /dev/null
+++ b/sepolicy/device.te
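Review bot: `allow debuggerd app_data_file:file r_file_perms;` and `allow debuggerd system_app_data_file:file r_file_perms;` let the crash handler read any app's private files, and the only justification given is "sogou NE" and one settings db-journal; since debuggerd attaches to crashing processes whose state is attacker-influenced, each of these should name the concrete consumer or be dropped. In the same spirit `allow debuggerd self:capability { fsetid sys_nice sys_resource net_admin sys_module };` carries `net_admin` and `sys_module`, and `allow debuggerd domain:process { sigkill getattr getsched};` plus `proc:file write` / `sysfs:file write` bring the domain close to unconfined — a per-rule comment like `# sys_module: needed by <who> for <what>` would at least make the audit possible. Minor: the `proc_security:file { write open }` line is commented out twice (once under "#kptr_restrict"); keep one.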
@@ -0,0 +1,161 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+type devmap_device, dev_type;
+type ttyMT_device, dev_type;
+type ttySDIO_device, dev_type;
+type vmodem_device, dev_type;
+type stpwmt_device, dev_type;
+type wmtdetect_device, dev_type;
+type wmtWifi_device, dev_type;
+type stpbt_device, dev_type;
+type stpant_device, dev_type;
+type fm_device, dev_type;
+type stpgps_device, dev_type;
+type pmem_multimedia_device, dev_type;
+type mt6516_isp_device, dev_type;
+type mt6516_IDP_device, dev_type;
+type mt9p012_device, dev_type;
+type mt6516_jpeg_device, dev_type;
+type FM50AF_device, dev_type;
+type DW9714AF_device, dev_type;
+type AK7345AF_device, dev_type;
+type DW9714A_device, dev_type;
+type LC898122AF_device, dev_type;
+type LC898212AF_device, dev_type;
+type BU6429AF_device, dev_type;
+type AD5820AF_device, dev_type;
+type DW9718AF_device, dev_type;
+type BU64745GWZAF_device, dev_type;
+# M2N camera
+type BU64245_device, dev_type;
+type M4U_device_device, dev_type;
+type hwmsensor_device, dev_type;
+type msensor_device, dev_type;
+type gsensor_device, dev_type;
+type als_ps_device, dev_type;
+type gyroscope_device, dev_type;
+type Vcodec_device, dev_type;
+type MJC_device, dev_type;
+type smartpa_device, dev_type;
+type smartpa1_device, dev_type;
+type uio0_device, dev_type;
+type xt_qtaguid_device, dev_type;
+type rfkill_device, dev_type;
+type sw_sync_device, dev_type;
+type sec_device, dev_type;
+type hid_keyboard_device, dev_type;
+type btn_device, dev_type;
+type uinput_device, dev_type;
+type TV_out_device, dev_type;
+type camera_sysram_device, dev_type;
+type camera_isp_device, dev_type;
+type camera_fdvt_device, dev_type;
+type camera_pipemgr_device, dev_type;
+type mtk_jpeg_device, dev_type;
+type kd_camera_hw_device, dev_type;
+type kd_camera_flashlight_device, dev_type;
+type kd_camera_hw_bus2_device, dev_type;
+type MATV_device, dev_type;
+type mt_otg_test_device, dev_type;
+type mt_mdp_device, dev_type;
+type mtkg2d_device, dev_type;
+type misc_sd_device, dev_type;
+type mtk_sched_device, dev_type;
+type ampc0_device, dev_type;
+type mmp_device, dev_type;
+type ttyGS_device, dev_type;
+type CAM_CAL_DRV_device, dev_type;
+type MTK_SMI_device, dev_type;
+type mtk_rrc_device, dev_type;
+type ebc_device, dev_type;
+type vow_device, dev_type;
+type MT6516_H264_DEC_device, dev_type;
+type MT6516_Int_SRAM_device, dev_type;
+type MT6516_MM_QUEUE_device, dev_type;
+type MT6516_MP4_DEC_device, dev_type;
+type MT6516_MP4_ENC_device, dev_type;
+type sensor_device, dev_type;
+type xlog_device, dev_type;
+type aed_device, dev_type;
+type ccci_device, dev_type;
+type ccci_monitor_device, dev_type;
+type gsm0710muxd_device, dev_type;
+type eemcs_device, dev_type;
+type emd_device, dev_type;
+type mt6605_device, dev_type;
+type exm0_device, dev_type;
+type mmcblk_device, dev_type;
+type BOOT_device, dev_type;
+type MT_pmic_device, dev_type;
+type aal_als_device, dev_type;
+type accdet_device, dev_type;
+type android_device, dev_type;
+type bmtpool_device, dev_type;
+type bootimg_device, dev_type;
+type btif_device, dev_type;
+type cache_device, dev_type;
+type cpu_dma_latency_device, dev_type;
+type dummy_cam_cal_device, dev_type;
+type ebr_device, dev_type;
+type expdb_device, dev_type;
+type fat_device, dev_type;
+type logo_device, dev_type;
+type loop-control_device, dev_type;
+type m_acc_misc_device, dev_type;
+type m_batch_misc_device, dev_type;
+type m_mag_misc_device, dev_type;
+type mbr_device, dev_type;
+type met_device, dev_type;
+type misc_device, dev_type;
+type misc2_device, dev_type;
+type mtfreqhopping_device, dev_type;
+type mtgpio_device, dev_type;
+type mtk_kpd_device, dev_type;
+type network_device, dev_type;
+type nvram_device, dev_type;
+type pmt_device, dev_type;
+type preloader_device, dev_type;
+type pro_info_device, dev_type;
+type protect_f_device, dev_type;
+type protect_s_device, dev_type;
+type psaux_device, dev_type;
+type ptyp_device, dev_type;
+type recovery_device, dev_type;
+type sec_ro_device, dev_type;
+type seccfg_device, dev_type;
+type tee_part_device, dev_type;
+type snapshot_device, dev_type;
+type tgt_device, dev_type;
+type touch_device, dev_type;
+type tpd_em_log_device, dev_type;
+type ttyp_device, dev_type;
+type uboot_device, dev_type;
+type uibc_device, dev_type;
+type usrdata_device, dev_type;
+type voldblk_device, dev_type;
+type zram0_device, dev_type;
+type platformblk_device, dev_type;
+type RT_Monitor_device, dev_type;
+type kick_powerkey_device, dev_type;
+type agps_device, dev_type;
+type mnld_device, dev_type;
+type hotknot_device, dev_type;
+type mdlog_device, dev_type;
+type md32_device, dev_type;
+type etb_device, dev_type;
+type MT_pmic_adc_cali_device, dev_type;
+type mtk-adc-cali_device, dev_type;
+type MT_pmic_cali_device,dev_type;
+type barometer_device,dev_type;
+type otp_device, dev_type;
+type qemu_pipe_device, dev_type;
+type icusb_device, dev_type;
+type irtx_device, dev_type;
+type pmic_ftm_device, dev_type;
+type shf_device, dev_type;
+type keyblock_device, dev_type;
+type offloadservice_device, dev_type;
+type ttyACM_device, dev_type;
+type hrm_device, dev_type;
diff --git a/sepolicy/dex2oat.te b/sepolicy/dex2oat.te
new file mode 100644
index 0000000..92fbdb1
--- /dev/null
+++ b/sepolicy/dex2oat.te
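Review bot: `type M4U_device_device, dev_type;` carries a doubled `_device` suffix unlike every other declaration in this file; it compiles as long as file_contexts uses the same spelling, but it reads like a typo and is worth normalising to `type M4U_device, dev_type;` in both places. `type MT_pmic_cali_device,dev_type;` and `type barometer_device,dev_type;` omit the space after the comma that all the other lines use. Style only; no behavioural change.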
@@ -0,0 +1,29 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : 6571/6572 LCA external memory access(/dev/exm0)
+allow dex2oat exm0_device:chr_file { read write ioctl open };
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : for CIP project (access /custom partition)
+allow dex2oat custom_file:dir { search getattr };
+allow dex2oat custom_file:file { getattr read open };
+
+# Date : WK14.38
+# Operation : Sanity Test
+# Purpose : avoid SELinux warning after dex2oat execv failed
+allow dex2oat dex2oat_exec:file x_file_perms;
+
+# Date : WK15.03
+# Operation : MTBF Test
+# Purpose : for K35V1_64_OP02 project MTBF test (ALPS01905764)
+allow dex2oat platform_app:fd use;
+
+# Date : WK15.04
+# Operation : MTBF Test
+# Purpose : for K35V1_64_OP02 project MTBF test (ALPS01920449)
+allow dex2oat platform_app_tmpfs:file write;
diff --git a/sepolicy/dhcp.te b/sepolicy/dhcp.te
new file mode 100644
index 0000000..758715c
--- /dev/null
+++ b/sepolicy/dhcp.te
@@ -0,0 +1,28 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date :WK14.34
+# Operation : Migration
+# Purpose: for connecting Wifi
+allow dhcp devpts:chr_file { read write ioctl };
+
+
+
+# Date :WK14.41
+# Operation : [Auto Sanity][L.AOSP.EARLY.DEV.BSP][k2v1]
+# Purpose: ALPS01757300
+#============= dhcp ==============
+allow dhcp kernel:system module_request;
+
+
+# Date :WK14.44
+# Operation : [Rose][82L TK][FTester]
+# Purpose: ALPS01798575
+#============= netd ==============
+allow dhcp platform_app:fd use;
+allow dhcp platform_app_tmpfs:file write;
+
+#============= dhcp ==============
+allow dhcp init:fifo_file { read write };
+allow dhcp init:unix_stream_socket { read write };
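Review bot: `allow dex2oat exm0_device:chr_file { read write ioctl open };` is redundant with domain.te in this same commit, which grants exactly that rule to every domain (`allow domain exm0_device:chr_file { read write ioctl open };`), so one of the two should go; since dex2oat compiles untrusted APK input, the narrower per-domain rule here is the one to keep and the domain-wide one the one to drop. The `platform_app:fd use` / `platform_app_tmpfs:file write` pair is justified only by MTBF ticket numbers; a comment such as `# fd passed in by <platform app> during <operation>` would tell the next reader whether it is still needed.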
\ No newline at end of file
diff --git a/sepolicy/dhcp6c.te b/sepolicy/dhcp6c.te
new file mode 100644
index 0000000..4dc27ae
--- /dev/null
+++ b/sepolicy/dhcp6c.te
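Review bot: `allow dhcp kernel:system module_request;` lets the DHCP client, which parses network-supplied packets, trigger kernel module autoloading, and the comment only cites a ticket; state which module is requested, and if it is a fixed one, load it from init so the rule can be removed. The section header `#============= netd ==============` above the `platform_app` rules is a copy-paste leftover in a dhcp file and should read `#============= dhcp ==============`. The file is also missing its trailing newline.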
@@ -0,0 +1,77 @@
+# ==============================================
+# Policy File of /system/bindhcp6c Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type dhcp6c_exec , exec_type, file_type;
+type dhcp6c ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+init_daemon_domain(dhcp6c)
+
+
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : wifi
+allow dhcp6c self:udp_socket { create setopt write bind ioctl read };
+
+
+# Date : WK14.41
+# Operation : SQC
+# Purpose : ALPS01763317
+# After connected to DHCPv6 enabled 6to4 IPv6 AP,
+#the ipv6 related values of getprop command are wrong
+#============= dhcp6c ==============
+allow dhcp6c node:udp_socket node_bind;
+allow dhcp6c port:udp_socket name_bind;
+allow dhcp6c system_file:file execute_no_trans;
+allow dhcp6c dhcp_prop:property_service set;
+
+
+# Date : WK14.42
+# Operation : SQC
+# Purpose : L 2nd Migration
+
+#============= dhcp6c ==============
+
+allow dhcp6c system_file:file execute_no_trans;
+
+# Date : WK14.43
+# Operation : SQC
+# Purpose : dhcp6c get ip address and ps
+
+#============= dhcp6c ==============
+allow dhcp6c dhcp_data_file:dir { write add_name search};
+allow dhcp6c dhcp_data_file:file { read write create open getattr };
+allow dhcp6c init:unix_stream_socket connectto;
+allow dhcp6c property_socket:sock_file write;
+allow dhcp6c self:capability { setuid net_admin net_bind_service setgid };
+allow dhcp6c self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow dhcp6c shell_exec:file { read execute open };
+allow dhcp6c wide_dhcpv6_data_file:dir { write search add_name };
+allow dhcp6c wide_dhcpv6_data_file:file { read write create open getattr };
+
+
+
+
+
+
+
+
+
diff --git a/sepolicy/dm_agent_binder.te b/sepolicy/dm_agent_binder.te
new file mode 100644
index 0000000..1218e1f
--- /dev/null
+++ b/sepolicy/dm_agent_binder.te
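Review bot: `allow dhcp6c system_file:file execute_no_trans;` is declared twice (in the WK14.41 and WK14.42 sections); drop the second copy. `allow dhcp6c shell_exec:file { read execute open };` runs a shell inside a domain that also holds `self:capability { setuid net_admin net_bind_service setgid }` and binds any `port` — presumably this is the lease-event script, in which case giving it its own domain via `domain_auto_trans` keeps those capabilities from leaking into script execution. The nine trailing blank lines and the header path `/system/bindhcp6c` (missing slash) are cosmetic.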
@@ -0,0 +1,99 @@
+# ==============================================
+# Policy File of /system/bin/dm_agent_binder Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type dm_agent_binder_exec , exec_type, file_type;
+type dm_agent_binder ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(dm_agent_binder)
+
+# Date : WK14.37
+# Operation : access DmAgent by binder
+# Purpose : ensure can access DmAgent api normally.
+allow dm_agent_binder dm_agent_binder_service:service_manager add;
+
+# Date : WK14.37
+# Operation : access DmAgent by binder
+# Purpose : ensure can access DmAgent api normally.
+binder_use(dm_agent_binder)
+binder_service(dm_agent_binder)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : Allow DmAgent access nvram_data_file.
+allow dm_agent_binder nvram_data_file:dir { rw_dir_perms };
+allow dm_agent_binder nvdata_file:dir { rw_dir_perms };
+
+# Date : WK14.42
+# Operation : Basic UT
+# Purpose : Allow DmAgent access nvram_data_file.
+allow dm_agent_binder nvram_data_file:file { create_file_perms };
+allow dm_agent_binder nvram_data_file:lnk_file read;
+allow dm_agent_binder nvdata_file:file { create_file_perms };
+
+# Date : WK14.42
+# Operation : Basic UT
+# Purpose : Allow DmAgent access block_device.
+allow dm_agent_binder block_device:dir search;
+
+# Date : WK14.42
+# Operation : Basic UT
+# Purpose : Allow DmAgent access platformblk_device.
+allow dm_agent_binder platformblk_device:dir search;
+
+# Date : WK14.42
+# Operation : Basic UT
+# Purpose : Allow DmAgent access misc_device.
+allow dm_agent_binder misc_device:chr_file { rw_file_perms };
+
+# Date : WK14.42
+# Operation : Basic UT
+# Purpose : Allow DmAgent write sock_file.
+allow dm_agent_binder property_socket:sock_file write;
+
+# Date : WK14.42
+# Operation : Basic UT
+# Purpose : Allow DmAgent connectto unix_stream_socket.
+allow dm_agent_binder init:unix_stream_socket connectto;
+
+# Date : 2014/10/17
+# Operation : QC
+# Purpose : [Privacy protection lock][dm_agent_binder call FileOp_BackupToBinRegionForDM to do nvram backup]
+allow dm_agent_binder mmcblk_device:blk_file rw_file_perms;
+allow dm_agent_binder platformblk_device:blk_file rw_file_perms;
+
+# Date : WK14.42
+# Operation : Basic UT
+# Purpose : Allow DmAgent to set properties.
+allow dm_agent_binder persist_dm_prop:property_service set;
+
+# Date : WK14.43
+# Operation : Basic UT
+# Purpose : Allow DmAgent to access cache_file.
+allow dm_agent_binder cache_file:dir { w_dir_perms create };
+
+# Date : WK14.43
+# Operation : Basic UT
+# Purpose : Allow DmAgent to access cache_file.
+allow dm_agent_binder cache_file:file { create_file_perms };
+
+# Date : WK14.44
+# Operation : Basic UT
+# Purpose : Allow DmAgent to access nvram_device.
+allow dm_agent_binder nvram_device:chr_file { rw_file_perms };
diff --git a/sepolicy/dmlog.te b/sepolicy/dmlog.te
new file mode 100644
index 0000000..ea8f25a
--- /dev/null
+++ b/sepolicy/dmlog.te
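Review bot: `allow dm_agent_binder mmcblk_device:blk_file rw_file_perms;` and `allow dm_agent_binder platformblk_device:blk_file rw_file_perms;` grant raw read/write (including ioctl) on every partition carrying those labels, while the comment says the need is a single nvram backup region; a dedicated block type for that partition in file_contexts would let this binder-exposed service touch only that region. The "Basic UT" comments repeat "Allow DmAgent access X" without saying why, so the justification for the block-device rules is the only one worth keeping in detail.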
@@ -0,0 +1,29 @@
+# ==============================================
+# Policy File of /system/bin/dmlog Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type dmlog_exec , exec_type, file_type;
+type dmlog ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive dmlog;
+init_daemon_domain(dmlog)
+
+# Date : 2014/09/23
+# Operation : Migration
+# Purpose : for mtk debug mechanism
+allow dmlog aed_device:chr_file read;
+allow dmlog debuggerd:fd use;
+allow dmlog debuggerd:unix_stream_socket { read write };
+allow dmlog expdb_device:chr_file { read write };
+allow dmlog fuse:file { write getattr };
+allow dmlog sysfs:file write;
+allow dmlog aee_exp_data_file:file write;
+allow dmlog platformblk_device:blk_file { read write };
diff --git a/sepolicy/dnsmasq.te b/sepolicy/dnsmasq.te
new file mode 100644
index 0000000..5fd790a
--- /dev/null
+++ b/sepolicy/dnsmasq.te
@@ -0,0 +1,6 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+
+allow dnsmasq netd:file read;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..a905bb3
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1,8 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# allow domain anr_data_file:file append;
+
+# extmem policy for lca debug15 over external memory
+allow domain exm0_device:chr_file { read write ioctl open };
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
new file mode 100644
index 0000000..2403ad3
--- /dev/null
+++ b/sepolicy/drmserver.te
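Review bot: `allow dmlog sysfs:file write;` is the same blanket /sys write already flagged with a TODO in ccci_mdinit.te; the narrower fix (a `genfscon` label for the specific node) applies here too. The rules `expdb_device:chr_file { read write }` and `platformblk_device:blk_file { read write }` lack `open`, so they only work on descriptors handed over by the parent (presumably debuggerd, given `debuggerd:fd use` and the `domain_auto_trans` in debuggerd.te); a one-line comment such as `# fds are inherited from debuggerd; no open here by design` would explain the asymmetry.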
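Review bot: `allow dnsmasq netd:file read;` uses the netd process type as a file target, which presumably means dnsmasq reads entries under /proc/<netd pid>/; the file has no comment at all, so add one naming the path, e.g. `# read /proc/<netd>/<file> — TODO confirm which entry`, so the rule can be narrowed later.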
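Review bot: `allow domain exm0_device:chr_file { read write ioctl open };` grants every domain on the device — including untrusted_app and isolated_app — open/read/write/ioctl on the external-memory device node, turning a vendor kernel driver into an attack surface reachable by any app. The comment says it exists for "lca debug15"; scope it to the domains that actually use it (dex2oat.te and debuggerd.te in this commit already carry their own `exm0_device` rules) or wrap it in a debug-build conditional so user builds do not ship it.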
@@ -0,0 +1,76 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+#Add by rui.hu
+
+# Date : WK14.30
+# Operation : DRM UT
+# Purpose : To pass DRM UT
+
+allow drmserver nvram_agent_binder:binder call;
+allow drmserver platform_app:dir search;
+allow drmserver platform_app:file { read getattr open };
+allow drmserver property_socket:sock_file write;
+allow drmserver radio_data_file:file { read getattr open };
+allow drmserver sdcard_internal:file open;
+allow drmserver tmpfs:lnk_file read;
+
+#Add by rui.hu
+# Date : WK14.36
+# Operation : DRM UT
+# Purpose : Make drmserver and binder read /proc/pid/cmdline to get process name
+#system app to drmserver
+allow drmserver system_app:dir search;
+allow drmserver system_app:file { read open getattr };
+#Mediaserver to drmserver
+allow drmserver mediaserver:dir search;
+allow drmserver mediaserver:file { read open getattr };
+
+#Add by rui.hu
+# Date : WK14.36.5
+# Operation : DRM UT
+# Purpose : Make widevine mediacodec mode work
+allow drmserver untrusted_app:dir search;
+allow drmserver untrusted_app:file { read open getattr };
+
+#Add by rui.hu
+# Date : WK14.40.1
+# Operation : DRM SQC - play OMA DRM audio file failed
+# Purpose : Make OMA DRM audio file can be played
+allow drmserver radio_data_file:dir search;
+
+#Add by rui.hu
+# Date : WK14.44.2
+# Operation : DRM SQC - view image failed
+# Purpose : To fix ALPS01790300
+allow drmserver surfaceflinger:fd use;
+
+#Add by rui.hu
+# Date : WK14.44.3
+# Operation : MTBF test fail
+# Purpose : To fix ALPS01793801
+allow drmserver mediaserver:fifo_file read;
+
+#Add by rui.hu
+# Date : WK14.46.4
+# Operation : DRM SQC - view image failed
+# Purpose : To fix ALPS01822176
+allow drmserver mediaserver:fifo_file write;
+
+# Date : WK14.52
+# Operation : WVL1 IT
+# Purpose : SVP module operates secmem driver and SVP module operate tee
+allow drmserver mobicore:unix_stream_socket connectto;
+allow drmserver mobicore_data_file:file { read getattr open lock};
+allow drmserver mobicore_data_file:dir search;
+allow drmserver mobicore_user_device:chr_file { read write ioctl open };
+allow drmserver persist_data_file:file { read getattr open };
+allow drmserver persist_data_file:dir search;
+allow drmserver proc_secmem:file { read write ioctl open };
+
+# Date : WK15.07
+# Operation : DRM SQC
+# Purpose : For gmo project, low memory kill
+allow drmserver platform_app_tmpfs:file write;
+
diff --git a/sepolicy/dualmdlogger.te b/sepolicy/dualmdlogger.te
new file mode 100644
index 0000000..01a8cfe
--- /dev/null
+++ b/sepolicy/dualmdlogger.te
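Review bot: `allow drmserver sdcard_internal:file open;` grants `open` without `read` or `getattr`, so on its own the rule cannot complete any access; either the read permission is granted elsewhere (an inherited fd, or a rule outside this file) or this is a leftover, and a comment should say which. `allow drmserver untrusted_app:file { read open getattr };` reads /proc/<pid>/ entries of arbitrary apps and is justified as "Make widevine mediacodec mode work"; naming the entry (the WK14.36 block says cmdline) would let a later reviewer narrow it. The seven `#Add by rui.hu` attribution lines duplicate what git blame records and can be dropped.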
@@ -0,0 +1,63 @@
+# ==============================================
+# Policy File of /system/bindualmdlogger Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type dualmdlogger_exec , exec_type, file_type;
+type dualmdlogger ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive dualmdlogger;
+init_daemon_domain(dualmdlogger)
+
+
+#=============allow mdlogger to set ==============
+allow dualmdlogger debug_mdlogger_prop:property_service set;
+allow dualmdlogger debug_prop:property_service set;
+allow dualmdlogger ccci_device:chr_file { read write ioctl open };
+allow dualmdlogger ttyGS_device:chr_file { read write open ioctl};
+allow dualmdlogger fuse:dir { write search create rmdir add_name remove_name read open rename};
+allow dualmdlogger fuse:file { write read create open rename unlink getattr setattr append};
+allow dualmdlogger mdlog_data_file:dir { write search read create open rmdir remove_name add_name relabelto getattr};
+allow dualmdlogger mdlog_data_file:fifo_file { read open create setattr};
+allow dualmdlogger mdlog_data_file:file { write read create open rename unlink getattr setattr};
+allow dualmdlogger mdlog_device:chr_file { read write open ioctl};
+allow dualmdlogger system_data_file:dir { write create open add_name relabelfrom};
+
+allow dualmdlogger init:unix_stream_socket connectto;
+allow dualmdlogger property_socket:sock_file write;
+allow dualmdlogger platform_app:unix_stream_socket connectto;
+
+allow dualmdlogger shell_exec:file { read execute open execute_no_trans };
+allow dualmdlogger system_file:file execute_no_trans;
+allow dualmdlogger zygote_exec:file { read getattr open execute execute_no_trans };
+allow dualmdlogger tmpfs:lnk_file read;
+
+#============= dualmdlogger usb logging ==============
+# Date : 2014/09/26
+# Operation : Migration
+# Purpose : [DUALMDLOGGER] [dualmdlogger usb logging tcp_socket]
+# Package: system/bin/dualmdlogger
+
+allow dualmdlogger fuse:dir search;
+allow dualmdlogger node:tcp_socket node_bind;
+allow dualmdlogger port:tcp_socket name_bind;
+allow dualmdlogger self:tcp_socket { write read bind create setopt accept listen };
+
+
+binder_use(dualmdlogger)
+binder_service(dualmdlogger)
diff --git a/sepolicy/dumpstate.te b/sepolicy/dumpstate.te
new file mode 100644
index 0000000..be4bbfc
--- /dev/null
+++ b/sepolicy/dumpstate.te
@@ -0,0 +1,18 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK14.33
+# Operation : Bugreport UT
+# Purpose : add dumpstate policy rule
+
+#allow dumpstate init:binder call;
+allow dumpstate mtkbt:binder call;
+allow dumpstate MtkCodecService:binder call;
+allow dumpstate nvram_agent_binder:binder call;
+allow dumpstate ppl_agent:binder call;
+allow dumpstate GoogleOtaBinder:binder call;
+
+allow dumpstate dontpanic_data_file:dir search;
+allow dumpstate guiext-server:binder call;
+
diff --git a/sepolicy/em_svr.te b/sepolicy/em_svr.te
new file mode 100644
index 0000000..36df432
--- /dev/null
+++ b/sepolicy/em_svr.te
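Review bot: `allow dualmdlogger zygote_exec:file { read getattr open execute execute_no_trans }` lets the modem logger run app_process inside its own domain, next to `shell_exec` and generic `system_file` execute_no_trans, and the hunk gives no reason for any of the three; the same three rules appear verbatim in the emdlogger.te hunk and the shell/system_file pair in em_svr.te. If a helper really is spawned, give it its own exec type with a `domain_auto_trans` so the child is confined, and record what is run, e.g. `# dualmdlogger spawns HELPER_PLACEHOLDER via /system/bin/sh`. The usb-logging block grants `port:tcp_socket name_bind` plus `self:tcp_socket { … bind … accept listen }`, which lets the daemon listen on any port; a dedicated port type with a `portcon` entry would pin it to the one port usb logging uses, and that port should be named in the `Purpose` comment. The property rules (`debug_prop`, `debug_mdlogger_prop` with raw `property_socket`/`init … connectto` lines) are what the `set_prop()` macro expresses in one line per property.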
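Review bot: The dumpstate.te hunk writes each grant as a raw `allow dumpstate X:binder call;` while the em_svr.te hunk in the same commit uses `binder_call(em_svr, surfaceflinger)`; the macro also covers the `transfer` and fd permissions a bugreport round-trip normally needs, so one style should be chosen and, if raw `call` is intentional, a comment should say so. `#allow dumpstate init:binder call;` is a commented-out rule with no explanation of why it was dropped; remove it or replace it with `# init:binder call is not needed: REASON_PLACEHOLDER`.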
@@ -0,0 +1,69 @@
+# ==============================================
+# Policy File of /system/binem_svr Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type em_svr_exec , exec_type, file_type;
+type em_svr ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(em_svr)
+
+# Date: W14.38 2014/09/17
+# Operation : Migration
+# Purpose : for em_svr
+allow em_svr proc:file write;
+allow em_svr sysfs:file write;
+allow em_svr platformblk_device:blk_file { read write open };
+allow em_svr platformblk_device:dir search;
+allow em_svr shell_exec:file { read execute open execute_no_trans };
+allow em_svr system_file:file execute_no_trans;
+allow em_svr block_device:dir search;
+allow em_svr graphics_device:chr_file { read write open ioctl};
+allow em_svr graphics_device:dir search;
+allow em_svr radio_data_file:dir { search write add_name create };
+allow em_svr radio_data_file:file { create write open read };
+allow em_svr sysfs_devices_system_cpu:file write;
+allow em_svr misc_sd_device:chr_file { read open ioctl };
+allow em_svr als_ps_device:chr_file { read ioctl open };
+allow em_svr gsensor_device:chr_file { read ioctl open };
+allow em_svr gyroscope_device:chr_file { read ioctl open };
+allow em_svr nvram_data_file:dir { write read open add_name search };
+allow em_svr nvram_data_file:file { write getattr setattr read create open };
+allow em_svr nvram_data_file:lnk_file read;
+allow em_svr nvdata_file:dir { write read open add_name search };
+allow em_svr nvdata_file:file { write getattr setattr read create open };
+allow em_svr nvram_device:chr_file { open read write ioctl };
+allow em_svr thermal_manager_exec:file { getattr execute read open execute_no_trans };
+allow em_svr self:capability { dac_override sys_nice fowner chown fsetid };
+allow em_svr self:process execmem;
+allow em_svr proc_mtkcooler:dir search;
+allow em_svr proc_mtkcooler:file { read getattr open write };
+allow em_svr proc_thermal:dir search;
+allow em_svr proc_thermal:file { read getattr open write };
+allow em_svr proc_mtktz:dir search;
+allow em_svr proc_mtktz:file { read getattr open write };
+allow em_svr proc_slogger:file { read getattr open write };
+allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open };
+allow em_svr kernel:system module_request;
+allow em_svr fuse:dir create_dir_perms;
+allow em_svr fuse:file create_file_perms;
+allow em_svr tmpfs:lnk_file read;
+
+# for use binder
+binder_use(em_svr)
+binder_call(em_svr, surfaceflinger)
diff --git a/sepolicy/emdlogger.te b/sepolicy/emdlogger.te
new file mode 100644
index 0000000..f4acc65
--- /dev/null
+++ b/sepolicy/emdlogger.te
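Review bot: `allow em_svr platformblk_device:blk_file { read write open }` gives the engineering-mode daemon raw write access to every partition node under /dev/block/platform (the file_contexts hunk below labels that whole tree with the single type `platformblk_device`), and the only rationale in the block is `Purpose : for em_svr`. If em_svr rewrites one partition, that node should get its own type and the rule a comment such as `# em_svr rewrites PARTITION_PLACEHOLDER for PURPOSE_PLACEHOLDER`; otherwise `write` should be dropped. `proc:file write` and `sysfs:file write` on the generic types are similarly open-ended even though the same hunk already uses dedicated labels (`proc_mtkcooler`, `proc_thermal`, `proc_mtktz`, `proc_slogger`, `sysfs_devices_system_cpu`) for the paths it names, so whatever still needs the generic grant should be labeled the same way or listed in a comment. The capability set `{ dac_override sys_nice fowner chown fsetid }`, `self:process execmem` and `kernel:system module_request` each deserve a line stating which operation needs them; none has one.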
@@ -0,0 +1,72 @@
+# ==============================================
+# Policy File of /system/bin/emdlogger[x] Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type emdlogger_exec , exec_type, file_type;
+type emdlogger, domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive emdlogger;
+init_daemon_domain(emdlogger)
+
+binder_use(emdlogger)
+binder_service(emdlogger)
+#=============allow emdlogger to set ==============
+allow emdlogger debug_mdlogger_prop:property_service set;
+allow emdlogger debug_prop:property_service set;
+allow emdlogger persist_mtklog_prop:property_service set;
+allow emdlogger system_radio_prop:property_service set;
+
+#=========================================================
+# ccci device for internal modem
+#=========================================================
+allow emdlogger ccci_device:chr_file { read write ioctl open };
+
+#=========================================================
+# eemcs device for external modem
+#=========================================================
+allow emdlogger eemcs_device:chr_file { read write ioctl open };
+
+#=========================================================
+# usb device ttyGSx for modem logger usb logging
+#=========================================================
+allow emdlogger ttyGS_device:chr_file { read write open ioctl};
+
+#=========================================================
+# for modem logging sdcard access
+#=========================================================
+allow emdlogger fuse:dir { write search create rmdir add_name remove_name read open rename};
+allow emdlogger fuse:file { write read create open rename unlink getattr setattr append};
+
+#=========================================================
+# modem logger access on /data/mdlog
+#=========================================================
+allow emdlogger mdlog_data_file:dir { write search read create open rmdir remove_name add_name relabelto getattr};
+allow emdlogger mdlog_data_file:fifo_file { read write open create setattr};
+allow emdlogger mdlog_data_file:file { write read create open rename unlink getattr setattr};
+allow emdlogger system_data_file:dir { write create open add_name relabelfrom};
+
+#=========================================================
+# modem logger control port access /dev/ttyC1
+#=========================================================
+allow emdlogger mdlog_device:chr_file { read write open ioctl};
+
+#=========================================================
+# modem logger socket access
+#=========================================================
+allow emdlogger property_socket:sock_file write;
+allow emdlogger init:unix_stream_socket connectto;
+allow emdlogger platform_app:unix_stream_socket connectto;
+
+allow emdlogger shell_exec:file { read execute open execute_no_trans };
+allow emdlogger system_file:file execute_no_trans;
+allow emdlogger zygote_exec:file { read getattr open execute execute_no_trans };
+allow emdlogger tmpfs:lnk_file read;
+
diff --git a/sepolicy/enableswap.te b/sepolicy/enableswap.te
new file mode 100644
index 0000000..8153fff
--- /dev/null
+++ b/sepolicy/enableswap.te
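Review bot: `allow emdlogger system_data_file:dir { write create open add_name relabelfrom};` together with `mdlog_data_file:dir { … relabelto …}` means the daemon creates its log directory directly under /data and relabels it itself; the same pattern appears in the dualmdlogger.te hunk, in em_svr.te (`system_data_file:dir { write remove_name add_name relabelfrom create open }`) and, without the relabel, in enableswap.te and factory.te. Since init labels the directories it creates from file_contexts, a `mkdir /data/mdlog` in init.rc would remove the need for any write access to `system_data_file` from these daemons, and the block comment could then read `# /data/mdlog is created by init.rc; emdlogger only needs mdlog_data_file`. Apart from the property and device lines this file repeats the dualmdlogger.te rule set almost verbatim (fuse, mdlog_data_file, mdlog_device, ttyGS_device, the socket rules, the shell/system_file/zygote execute rules), and the two copies have already drifted: `mdlog_data_file:fifo_file` gets `write` here but not there. An attribute shared by both domains, or one file holding the common rules, would keep them in step.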
@@ -0,0 +1,48 @@
+# ==============================================
+# Policy File of enableswap.sh
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type enableswap_exec , exec_type, file_type;
+type enableswap ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : Add new swap areas
+init_daemon_domain(enableswap)
+allow enableswap block_device:dir search;
+allow enableswap self:capability sys_admin;
+allow enableswap shell_exec:file { entrypoint read };
+allow enableswap sysfs:file write;
+allow enableswap tiny_mkswap_exec:file { read getattr open execute execute_no_trans };
+allow enableswap tiny_swapon_exec:file { read getattr open execute execute_no_trans };
+allow enableswap zram0_device:blk_file { read write getattr open ioctl };
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : Allow more operations on swap areas
+allow enableswap proc:file write;
+allow enableswap system_file:file execute_no_trans;
+allow enableswap system_data_file:file { open };
+allow enableswap system_data_file:dir { write add_name };
+allow enableswap self:capability dac_override;
+
+# Date : WK15.05
+# Operation : Migration
+# Purpose : Allow more operations on init_tmpfs
+allow enableswap init_tmpfs:file write;
diff --git a/sepolicy/epdg_wod.te b/sepolicy/epdg_wod.te
new file mode 100644
index 0000000..5accab6
--- /dev/null
+++ b/sepolicy/epdg_wod.te
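Review bot: The WK14.46 block (`Purpose : Allow more operations on swap areas`) adds `proc:file write`, `sysfs:file write`, `system_data_file:dir { write add_name }`, `system_data_file:file { open }` and `dac_override` without saying which files the script touches, so none of the grants can be checked or later narrowed. Each line should name its target, e.g. `# writes /proc/PATH_PLACEHOLDER to …`, and whatever the script creates under /data should get its own type in file_contexts instead of living as `system_data_file`. `system_data_file:file { open }` without `read` or `write` is incomplete on its own, so either the companion permission comes from elsewhere or the rule is dead; a comment should say which. AOSP's own init-run shell scripts get `rx_file_perms` on `shell_exec`, whereas this file grants `{ entrypoint read }`; if that shape is deliberate, a line explaining why entrypoint on the interpreter is what this script needs would spare the next reader the question.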
@@ -0,0 +1,59 @@
+# ==============================================
+# Policy File of /system/bin/epdg_wod Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type epdg_wod_exec , exec_type, file_type;
+type epdg_wod ,domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(epdg_wod)
+
+domain_auto_trans(epdg_wod, starter_exec, ipsec)
+domain_auto_trans(epdg_wod, charon_exec, ipsec)
+domain_auto_trans(epdg_wod, starter_exec, ipsec)
+domain_auto_trans(epdg_wod, stroke_exec, ipsec)
+
+# Date: WK14.52
+# Operation : Feature for ePDG
+# Purpose : handle tunnel interface
+allow epdg_wod system_file:file { read getattr open execute execute_no_trans };
+allow epdg_wod self:tun_socket { relabelfrom relabelto create };
+allow epdg_wod tun_device:chr_file { read write ioctl open };
+allow epdg_wod self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
+allow epdg_wod self:capability { net_admin dac_override kill };
+
+# Purpose : update ipsec deamon
+allow epdg_wod ipsec_exec:file { read getattr open execute execute_no_trans };
+
+# Purpose : send signal to process (ipsec/charon)
+allow epdg_wod ipsec:process signal;
+
+# Purpose : set property for debug messages
+allow epdg_wod init:unix_stream_socket connectto;
+allow epdg_wod mtk_wod_prop:property_service set;
+allow epdg_wod property_socket:sock_file write;
+
+# Purpose : Query ePDG IP address
+allow epdg_wod dnsproxyd_socket:sock_file write;
+allow epdg_wod netd:unix_stream_socket connectto;
+
+# Purpose : removal old charon/starter PID file
+allow epdg_wod vpn_data_file:dir { search write remove_name };
+allow epdg_wod vpn_data_file:file { read getattr open unlink };
+
+# Purpose : create strongswan config file for IKEv2 Tunnel
+allow epdg_wod wod_apn_conf_file:dir { write read open add_name remove_name search };
+allow epdg_wod wod_apn_conf_file:file { write create unlink open getattr };
+allow epdg_wod wod_ipsec_conf_file:file { write create unlink open getattr };
+allow epdg_wod wod_ipsec_conf_file:dir { write read open add_name remove_name search };
+
+#
+# TODO: NEED PATCH before 20150331, need to remove shell command
+#
+#allow epdg_wod shell_exec:file { read execute open execute_no_trans };
+
diff --git a/sepolicy/factory.te b/sepolicy/factory.te
new file mode 100644
index 0000000..c3a105a
--- /dev/null
+++ b/sepolicy/factory.te
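Review bot: `domain_auto_trans(epdg_wod, starter_exec, ipsec)` is listed twice (lines 16 and 18 of the new file); delete one copy. The `wod_apn_conf_file`/`wod_ipsec_conf_file` dir and file rules in the last block only apply if the paths carry those labels, and the file_contexts hunk further down in this diff writes them as `/data/ipsec(./*)?` and `/data/ipsec/wo(./*)?` — `(./*)?` matches one arbitrary character followed by slashes, not a sub-path — so those two entries (and `/data/SF_dump(./*)?`) presumably need `(/.*)?`; as written, anything below those directories falls through to the generic /data rule on a restorecon and the create/unlink rules here stop matching. The block headed `TODO: NEED PATCH before 20150331` keeps a commented-out `shell_exec` rule past its own deadline; drop it or turn the TODO into a tracked item with the reason the shell command was needed. `ipsec_exec:file { … execute execute_no_trans }` lets epdg_wod run the ipsec binary in its own domain even though the `domain_auto_trans` lines above transition it into `ipsec`; if the no-transition case is real, a comment should say which invocation it covers.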
@@ -0,0 +1,139 @@
+# ==============================================
+# Policy File of /system/binfactory Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type factory_exec , exec_type, file_type;
+type factory ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive factory;
+init_daemon_domain(factory)
+#unconfined_domain(factory)
+
+#============= factory ==============
+allow factory FM50AF_device:chr_file { read write ioctl open };
+allow factory AD5820AF_device:chr_file { read write ioctl open };
+allow factory DW9714AF_device:chr_file { read write ioctl open };
+allow factory DW9714A_device:chr_file { read write ioctl open };
+allow factory LC898122AF_device:chr_file { read write ioctl open };
+allow factory LC898212AF_device:chr_file { read write ioctl open };
+allow factory BU6429AF_device:chr_file { read write ioctl open };
+allow factory DW9718AF_device:chr_file { read write ioctl open };
+allow factory BU64745GWZAF_device:chr_file { read write ioctl open };
+# Camera bu64245
+allow factory BU64245_device:chr_file { read write ioctl open };
+allow factory MTK_SMI_device:chr_file { read ioctl open };
+allow factory accdet_device:chr_file { read ioctl open };
+allow factory als_ps_device:chr_file { read ioctl open };
+allow factory ashmem_device:chr_file execute;
+allow factory audio_device:chr_file { read write ioctl open };
+allow factory camera_isp_device:chr_file { read write ioctl open };
+allow factory camera_pipemgr_device:chr_file { read ioctl open };
+allow factory camera_sysram_device:chr_file { read ioctl open };
+allow factory ccci_device:chr_file { read write ioctl open };
+allow factory MT_pmic_cali_device:chr_file { read ioctl open };
+allow factory barometer_device:chr_file { read ioctl open };
+allow factory mtk_kpd_device:chr_file { read ioctl open };
+allow factory ebc_device:chr_file { read write open };
+allow factory fm_device:chr_file { read write ioctl open };
+allow factory fuse:dir { read search open };
+allow factory gps_device:chr_file { read write open };
+allow factory graphics_device:chr_file { read write ioctl open };
+allow factory gsensor_device:chr_file { read ioctl open };
+allow factory gsm0710muxd_device:chr_file { read write ioctl open };
+allow factory gyroscope_device:chr_file { read ioctl open };
+allow factory init:unix_stream_socket connectto;
+allow factory input_device:chr_file { read ioctl open };
+allow factory input_device:dir { read open };
+allow factory kd_camera_flashlight_device:chr_file { read write ioctl open };
+allow factory kd_camera_hw_device:chr_file { read write ioctl open };
+allow factory kernel:system module_request;
+allow factory misc_sd_device:chr_file { read ioctl open };
+allow factory mnld_device:chr_file { read write ioctl open };
+allow factory mnld_exec:file { read execute open execute_no_trans };
+allow factory msensor_device:chr_file { read ioctl open };
+allow factory mt6605_device:chr_file { read write ioctl open getattr };
+allow factory node:tcp_socket node_bind;
+allow factory nvram_data_file:dir { write read open add_name getattr setattr};
+allow factory nvram_data_file:file { write getattr setattr read create open };
+allow factory nvram_device:chr_file { read write ioctl open };
+allow factory platformblk_device:blk_file { read write open ioctl};
+allow factory self:capability sys_boot;
+allow factory platformblk_device:dir search;
+allow factory port:tcp_socket { name_bind name_connect };
+allow factory property_socket:sock_file write;
+allow factory rtc_device:chr_file { read write ioctl open };
+allow factory self:capability { sys_module ipc_lock sys_nice dac_override net_raw fsetid net_admin sys_time };
+allow factory self:netlink_route_socket { bind create };
+allow factory self:process execmem;
+allow factory self:tcp_socket { setopt read bind create accept write connect listen };
+allow factory self:udp_socket { create ioctl };
+allow factory stpbt_device:chr_file { read write open };
+allow factory sysfs:file write;
+allow factory sysfs_wake_lock:file { read write open };
+allow factory system_data_file:dir { write remove_name add_name };
+allow factory system_data_file:sock_file { write create setattr };
+allow factory system_file:file execute_no_trans;
+allow factory tmpfs:lnk_file read;
+allow factory ttyGS_device:chr_file { read write open };
+allow factory wmtWifi_device:chr_file { write open };
+allow factory nvram_data_file:dir { create_dir_perms };
+allow factory nvram_data_file:file { create_file_perms };
+allow factory nvram_data_file:lnk_file read;
+allow factory nvdata_file:dir { create_dir_perms };
+allow factory nvdata_file:file { create_file_perms };
+allow factory self:capability { sys_nice sys_time };
+allow factory system_data_file:dir { write add_name };
+allow factory rootfs:dir mounton;
+allow factory vfat:dir { read open search mounton };
+allow factory vfat:filesystem { mount unmount };
+allow factory block_device:dir search;
+allow factory graphics_device:dir search;
+allow factory input_device:dir search;
+allow factory self:capability sys_admin;
+allow factory self:capability sys_boot;
+allow factory labeledfs:filesystem unmount;
+allow factory platformblk_device:blk_file { getattr ioctl };
+allow factory shell_exec:file execute;
+allow factory MT_pmic_adc_cali_device:chr_file { read write ioctl open};
+allow factory audio_device:dir search;
+allow factory nvram_data_file:dir search;
+allow factory audiohal_prop:property_service set;
+allow factory pmic_ftm_device:chr_file { read write ioctl open};
+allow factory powerctl_prop:property_service set;
+allow factory ttyGS_device:chr_file { read write open ioctl};
+allow factory ttyMT_device:chr_file { read write open ioctl};
+allow factory irtx_device:chr_file { read write ioctl open };
+allow factory devpts:chr_file { read write getattr ioctl };
+allow factory vfat:dir search;
+allow factory hrm_device:chr_file { read ioctl open };
+
+# Date: WK14.47
+# Operation : Migration
+# Purpose : CCCI
+allow factory eemcs_device:chr_file { read write ioctl open };
+
+# Purpose : SDIO
+allow factory ttySDIO_device:chr_file { read write ioctl open };
+
+# Date: WK15.01
+# Purpose : OTG Mount
+allow factory fuse:dir mounton;
+# Date: WK15.07
+# Purpose : use c2k flight mode;
+allow factory vmodem_device:chr_file { read write ioctl open };
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..264f973
--- /dev/null
+++ b/sepolicy/file.te
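Review bot: Several rules in the `#============= factory ==============` block are duplicated or already subsumed: `allow factory self:capability sys_boot;` appears twice, `self:capability { sys_nice sys_time }` re-grants two members of the large capability set above it, `system_data_file:dir { write add_name }` repeats the earlier `{ write remove_name add_name }`, `nvram_data_file:dir` is granted three separate times, and `ttyGS_device:chr_file` and `platformblk_device:blk_file` twice each; folding each target into one rule would make the real grant readable and would have exposed the overlaps. `ashmem_device:chr_file execute` together with `self:process execmem` permits executable anonymous memory, and `self:capability sys_module` with `kernel:system module_request`, `labeledfs:filesystem unmount`, `rootfs:dir mounton` and `port:tcp_socket { name_bind name_connect }` with a listening `self:tcp_socket` are each the kind of grant that needs its own one-line justification; none in this block has one, while the dated blocks at the end do. `nvram_data_file:dir { create_dir_perms }` wraps a macro in braces, which expands correctly but differs from the em_svr.te hunk's `fuse:dir create_dir_perms;`; pick one form. The `#unconfined_domain(factory)` remnant should either go or carry a note that the domain was deliberately confined.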
@@ -0,0 +1,146 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+type custom_file, file_type, data_file_type;
+type lost_found_data_file, file_type, data_file_type;
+type dontpanic_data_file, file_type, data_file_type;
+type resource_cache_data_file, file_type, data_file_type;
+type http_proxy_cfg_data_file, file_type, data_file_type;
+type acdapi_data_file, file_type, data_file_type;
+type ppp_data_file, file_type, data_file_type;
+type wide_dhcpv6_data_file, file_type, data_file_type;
+type wpa_supplicant_data_file, file_type, data_file_type;
+type radvd_data_file, file_type, data_file_type;
+# Date : WK14.37
+# Operation : Migration
+# Purpose : SF rtt dump
+type sf_rtt_file, file_type, data_file_type;
+
+type dfo_socket, file_type;
+type rild2_socket, file_type;
+type rild3_socket, file_type;
+type rild4_socket, file_type;
+type rild_ims_socket, file_type;
+type rild_oem_socket, file_type;
+type rild_mtk_ut_socket, file_type;
+type rild_mtk_ut_2_socket, file_type;
+type rild_mtk_modem_socket, file_type;
+type rild_atci_socket, file_type;
+type rild_md2_socket, file_type;
+type rild2_md2_socket, file_type;
+type rild_debug_md2_socket, file_type;
+type rild_oem_md2_socket, file_type;
+type rild_mtk_ut_md2_socket, file_type;
+type rild_mtk_ut_2_md2_socket, file_type;
+type rild_mtk_modem_md2_socket, file_type;
+type rild_atci_md2_socket, file_type;
+type netdiag_socket, file_type;
+type atci_service_socket, file_type;
+type atci_serv_fw_socket, file_type;
+type atci_audio_socket, file_type;
+type wpa_wlan0_socket, file_type;
+type soc_vt_tcv_socket, file_type;
+type soc_vt_stk_socket, file_type;
+type soc_vt_svc_socket, file_type;
+type dbus_bluetooth_socket, file_type;
+type bt_int_adp_socket, file_type;
+type bt_a2dp_stream_socket, file_type;
+type bt_data_file, file_type, data_file_type;
+type proc_thermal, fs_type;
+type proc_mtkcooler, fs_type;
+type proc_mtktz, fs_type;
+type proc_slogger, fs_type;
+type proc_lk_env, fs_type;
+type sysfs_vcorefs_pwrctrl, fs_type, sysfs_type;
+
+type agpsd_socket, file_type;
+type agpsd_data_file, file_type, data_file_type;
+type mnld_socket, file_type;
+type mnld_data_file, file_type, data_file_type;
+type sysctl_socket, file_type;
+
+type backuprestore_socket, file_type;
+type nfc_socket, file_type;
+
+type protect_f_data_file, file_type, data_file_type;
+type protect_s_data_file, file_type, data_file_type;
+type persist_data_file, file_type, data_file_type;
+type nvram_data_file, file_type, data_file_type;
+type nvdata_file, file_type, data_file_type;
+type mediaserver_data_file, file_type, data_file_type;
+
+# 20131213 KKMR1_CQ_CTS_02
+allow asec_apk_file rootfs:filesystem associate;
+
+
+# 20131213 KKMR1_CQ_CTS_02
+allow cache_file rootfs:filesystem associate;
+
+
+allow custom_file rootfs:filesystem associate;
+
+# Modem Log folder
+type mdlog_data_file, file_type, data_file_type;
+
+#mobilelog data/misc/mblog
+type logmisc_data_file, file_type, data_file_type;
+
+#mobilelog data/log_temp
+type logtemp_data_file, file_type, data_file_type;
+
+# NE core_forwarder
+type aee_core_data_file, file_type, data_file_type;
+
+# AEE exp
+type aee_exp_data_file, file_type, data_file_type;
+type aee_dumpsys_data_file, file_type, data_file_type;
+
+# SF bqdump
+type sf_bqdump_data_file, file_type, data_file_type;
+
+#for 3Gdongle
+type rild-dongle_socket, file_type;
+
+type ccci_cfg_file, file_type, data_file_type;
+#For sensor
+type msensord_daemon, fs_type,sysfs_type;
+type msensord_daemon2, fs_type,sysfs_type;
+type akmd8963_access_file1, file_type,data_file_type;
+type akmd8963_access_file2, file_type,data_file_type;
+type gyroscope_mpud6050_chipinfo, fs_type,sysfs_type;
+type gyroscope_mpud6050_status, fs_type,sysfs_type;
+type gyroscope_mpud6050_use, fs_type,sysfs_type;
+type gyroscope_mpud6050_file, fs_type,sysfs_type;
+type sensor_data_file, file_type,data_file_type;
+type system_sensor_data_file, file_type;
+type bmm050_sensor_log_file, file_type,data_file_type;
+type sysfs_gsensor_file, file_type,sysfs_type;
+type sysfs_msensor_file, file_type,sysfs_type;
+type sysfs_keypad_file, file_type,sysfs_type;
+type istd8303_access_file1, file_type,data_file_type;
+type istd8303_access_file2, file_type,data_file_type;
+
+
+type rild_via_socket, file_type;
+type rpc_socket, file_type;
+type rild_ctclient_socket, file_type;
+type rild_atci_c2k_socket, file_type;
+type statusd_socket, file_type;
+#For icusb
+type proc_icusb, fs_type;
+
+#for drm key install
+type provision_file, file_type, data_file_type;
+#20141222 Add EPDG socket usage
+type wod_ipsec_conf_file, file_type, data_file_type;
+type wod_apn_conf_file, file_type, data_file_type;
+type wod_action_socket, file_type;
+type wod_sim_socket, file_type;
+type wod_ipsec_socket, file_type;
+
+# for labeling /mnt/cd-rom as iso9660
+type iso9660, fs_type;
+
+# data_tmpfs_log
+type data_tmpfs_log_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..37ee87b
--- /dev/null
+++ b/sepolicy/file_contexts
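Review bot: `type system_sensor_data_file, file_type;` is the only `*_data_file` declaration in this hunk without `data_file_type`, so if it labels a path under /data it drops out of every core rule and neverallow keyed on that attribute; either add the attribute or comment why it is left off. In the same sensor group, `sysfs_gsensor_file`, `sysfs_msensor_file` and `sysfs_keypad_file` are `file_type,sysfs_type` while the neighbouring sysfs labels (`gyroscope_mpud6050_*`, `msensord_daemon*`, `sysfs_vcorefs_pwrctrl`) are `fs_type, sysfs_type`; mixing `file_type` into a sysfs label pulls it under rules written for on-disk files and looks unintentional, so the three should be aligned with the others or annotated. The two `associate` rules carry only a test-case id (`20131213 KKMR1_CQ_CTS_02`) and no rationale; a comment such as `# REASON_PLACEHOLDER: asec_apk_file / cache_file nodes exist on rootfs before /data and /cache are mounted` would let a later reader decide whether they are still needed. `msensord_daemon` and `msensord_daemon2` are sysfs labels but are named like process domains, and `rild-dongle_socket` (like `guiext-server` in the dumpstate.te hunk) is the lone hyphenated identifier against underscores everywhere else; a `sysfs_` prefix and underscores would match the rest of the policy.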
@@ -0,0 +1,411 @@ +# +############################# +# Custom files +/custom(/.*)? u:object_r:custom_file:s0 + + +############################# +# Data files +# +/data/aee_exp(/.*)? u:object_r:aee_exp_data_file:s0 +/data/agps_supl(/.*)? u:object_r:agpsd_data_file:s0 +/data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0 +/data/app/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0 +/data/@btmtk(/.*)? u:object_r:bt_data_file:s0 +/data/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0 +/data/core(/.*)? u:object_r:aee_core_data_file:s0 +/data/dontpanic(/.*)? u:object_r:dontpanic_data_file:s0 +/data/dumpsys(/.*)? u:object_r:aee_dumpsys_data_file:s0 +/data/extmdl(/.*)? u:object_r:mdlog_data_file:s0 +/data/http-proxy-cfg(/.*)? u:object_r:http_proxy_cfg_data_file:s0 +/data/log_temp(/.*)? u:object_r:logtemp_data_file:s0 +/data/lost\+found(/.*)? u:object_r:lost_found_data_file:s0 +/data/mdlog(/.*)? u:object_r:mdlog_data_file:s0 +/data/mdl(/.*)? u:object_r:mdlog_data_file:s0 +/data/mdl3(/.*)? u:object_r:mdlog_data_file:s0 +/data/mediaserver(/.*)? u:object_r:mediaserver_data_file:s0 +/data/misc/acdapi(/.*)? u:object_r:acdapi_data_file:s0 +/data/misc/akmd_set.txt u:object_r:akmd8963_access_file1:s0 +/data/misc/mblog(/.*)? u:object_r:logmisc_data_file:s0 +/data/misc/PDC.ini u:object_r:akmd8963_access_file2:s0 +/data/misc/ppp(/.*)? u:object_r:ppp_data_file:s0 +/data/misc/radvd(/.*)? u:object_r:radvd_data_file:s0 +/data/misc/sensor.log u:object_r:bmm050_sensor_log_file:s0 +/data/misc/sensor(/.*)? u:object_r:sensor_data_file:s0 +/data/misc/wide-dhcpv6(/.*)? u:object_r:wide_dhcpv6_data_file:s0 +/data/misc/wpa_supplicant(/.*)? u:object_r:wpa_supplicant_data_file:s0 +/data/nfc_socket(/.*)? u:object_r:nfc_socket:s0 +/data/nvram(/.*)? u:object_r:nvram_data_file:s0 +/nvdata(/.*)? u:object_r:nvdata_file:s0 +/data/SF_dump(./*)? u:object_r:sf_bqdump_data_file:s0 +/data/ipsec(./*)? u:object_r:wod_ipsec_conf_file:s0 +/data/ipsec/wo(./*)? u:object_r:wod_apn_conf_file:s0 +/data/data_tmpfs_log(/.*)? 
u:object_r:data_tmpfs_log_file:s0 +/data/tmp_mnt/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0 + +########################## +# Devices +# +/dev/aal_als(/.*)? u:object_r:aal_als_device:s0 +/dev/accdet(/.*)? u:object_r:accdet_device:s0 +/dev/AD5820AF(/.*)? u:object_r:AD5820AF_device:s0 +/dev/aed[0-9]+ u:object_r:aed_device:s0 +/dev/als_ps(/.*)? u:object_r:als_ps_device:s0 +/dev/ampc0(/.*)? u:object_r:ampc0_device:s0 +/dev/android(/.*)? u:object_r:android_device:s0 +/dev/barometer(/.*)? u:object_r:barometer_device:s0 +/dev/block/mmcblk[0-9a-z]* u:object_r:mmcblk_device:s0 +/dev/block/platform(/.*)? u:object_r:platformblk_device:s0 +/dev/block/vold(/.*)? u:object_r:voldblk_device:s0 +/dev/block/zram0(/.*)? u:object_r:zram0_device:s0 +/dev/bmtpool(/.*)? u:object_r:bmtpool_device:s0 +/dev/bootimg(/.*)? u:object_r:bootimg_device:s0 +/dev/BOOT(/.*)? u:object_r:BOOT_device:s0 +/dev/btif(/.*)? u:object_r:btif_device:s0 +/dev/btn(/.*)? u:object_r:btn_device:s0 +/dev/BU6429AF(/.*)? u:object_r:BU6429AF_device:s0 +/dev/BU64745GWZAF(/.*)? u:object_r:BU64745GWZAF_device:s0 +/dev/cache(/.*)? u:object_r:cache_device:s0 +/dev/CAM_CAL_DRV(/.*)? u:object_r:CAM_CAL_DRV_device:s0 +/dev/camera-fdvt(/.*)? u:object_r:camera_fdvt_device:s0 +/dev/camera-isp(/.*)? u:object_r:camera_isp_device:s0 +/dev/camera-pipemgr(/.*)? u:object_r:camera_pipemgr_device:s0 +/dev/camera-sysram(/.*)? u:object_r:camera_sysram_device:s0 +/dev/ccci_monitor u:object_r:ccci_monitor_device:s0 +/dev/ccci.* u:object_r:ccci_device:s0 +/dev/cpu_dma_latency(/.*)? u:object_r:cpu_dma_latency_device:s0 +/dev/devmap(/.*)? u:object_r:devmap_device:s0 +/dev/dummy_cam_cal(/.*)? u:object_r:dummy_cam_cal_device:s0 +/dev/DW9714AF(/.*)? u:object_r:DW9714AF_device:s0 +/dev/AK7345AF(/.*)? u:object_r:AK7345AF_device:s0 +/dev/DW9714A(/.*)? u:object_r:DW9714A_device:s0 +/dev/DW9718AF(/.*)? u:object_r:DW9718AF_device:s0 +/dev/ebc(/.*)? 
u:object_r:ebc_device:s0 +/dev/ebr[0-9]+ u:object_r:ebr_device:s0 +/dev/eemcs.* u:object_r:eemcs_device:s0 +/dev/emd.* u:object_r:emd_device:s0 +/dev/etb u:object_r:etb_device:s0 +/dev/exm0(/.*)? u:object_r:exm0_device:s0 +/dev/expdb(/.*)? u:object_r:expdb_device:s0 +/dev/fat(/.*)? u:object_r:fat_device:s0 +/dev/FM50AF(/.*)? u:object_r:FM50AF_device:s0 +/dev/fm(/.*)? u:object_r:fm_device:s0 +/dev/gps(/.*)? u:object_r:gps_device:s0 +/dev/gsensor(/.*)? u:object_r:gsensor_device:s0 +/dev/gyroscope(/.*)? u:object_r:gyroscope_device:s0 +/dev/hdmitx(/.*)? u:object_r:graphics_device:s0 +/dev/hid-keyboard(/.*)? u:object_r:hid_keyboard_device:s0 +/dev/hotknot(/.*)? u:object_r:hotknot_device:s0 +/dev/hwmsensor(/.*)? u:object_r:hwmsensor_device:s0 +/dev/ion(/.*)? u:object_r:ion_device:s0 +/dev/kd_camera_flashlight(/.*)? u:object_r:kd_camera_flashlight_device:s0 +/dev/kd_camera_hw_bus2(/.*)? u:object_r:kd_camera_hw_bus2_device:s0 +/dev/kd_camera_hw(/.*)? u:object_r:kd_camera_hw_device:s0 +/dev/LC898122AF(/.*)? u:object_r:LC898122AF_device:s0 +/dev/LC898212AF(/.*)? u:object_r:LC898212AF_device:s0 +/dev/logo(/.*)? u:object_r:logo_device:s0 +/dev/loop-control(/.*)? u:object_r:loop-control_device:s0 +/dev/M4U_device(/.*)? u:object_r:M4U_device_device:s0 +/dev/m_acc_misc(/.*)? u:object_r:m_acc_misc_device:s0 +/dev/mali.* u:object_r:gpu_device:s0 +/dev/MATV(/.*)? u:object_r:MATV_device:s0 +/dev/m_batch_misc(/.*)? u:object_r:m_batch_misc_device:s0 +/dev/mbr(/.*)? u:object_r:mbr_device:s0 +/dev/md32(/.*)? u:object_r:md32_device:s0 +/dev/met(/.*)? u:object_r:met_device:s0 +/dev/misc-sd(/.*)? u:object_r:misc_sd_device:s0 +/dev/misc(/.*)? u:object_r:misc_device:s0 +/dev/misc2(/.*)? u:object_r:misc2_device:s0 +/dev/MJC(/.*)? u:object_r:MJC_device:s0 +/dev/m_mag_misc(/.*)? u:object_r:m_mag_misc_device:s0 +/dev/mmp(/.*)? 
u:object_r:mmp_device:s0 +/dev/mobicore u:object_r:mobicore_admin_device:s0 +/dev/mobicore-user u:object_r:mobicore_user_device:s0 +/dev/t-base-tui u:object_r:mobicore_tui_device:s0 +/dev/msensor(/.*)? u:object_r:msensor_device:s0 +/dev/MT6516_H264_DEC(/.*)? u:object_r:MT6516_H264_DEC_device:s0 +/dev/mt6516-IDP(/.*)? u:object_r:mt6516_IDP_device:s0 +/dev/MT6516_Int_SRAM(/.*)? u:object_r:MT6516_Int_SRAM_device:s0 +/dev/mt6516-isp(/.*)? u:object_r:mt6516_isp_device:s0 +/dev/mt6516_jpeg(/.*)? u:object_r:mt6516_jpeg_device:s0 +/dev/MT6516_MM_QUEUE(/.*)? u:object_r:MT6516_MM_QUEUE_device:s0 +/dev/MT6516_MP4_DEC(/.*)? u:object_r:MT6516_MP4_DEC_device:s0 +/dev/MT6516_MP4_ENC(/.*)? u:object_r:MT6516_MP4_ENC_device:s0 +/dev/mt6605 u:object_r:mt6605_device:s0 +/dev/mt9p012(/.*)? u:object_r:mt9p012_device:s0 +/dev/mtfreqhopping(/.*)? u:object_r:mtfreqhopping_device:s0 +/dev/mtgpio(/.*)? u:object_r:mtgpio_device:s0 +/dev/mtk-adc-cali(/.*)? u:object_r:mtk-adc-cali_device:s0 +/dev/mtk_disp.* u:object_r:graphics_device:s0 +/dev/mtkfb_vsync(/.*)? u:object_r:graphics_device:s0 +/dev/mtkg2d(/.*)? u:object_r:mtkg2d_device:s0 +/dev/mtk_jpeg(/.*)? u:object_r:mtk_jpeg_device:s0 +/dev/mtk-kpd(/.*)? u:object_r:mtk_kpd_device:s0 +/dev/mtk_sched(/.*)? u:object_r:mtk_sched_device:s0 +/dev/MTK_SMI(/.*)? u:object_r:MTK_SMI_device:s0 +/dev/mtk_rrc(/.*)? u:object_r:mtk_rrc_device:s0 +/dev/mt-mdp(/.*)? u:object_r:mt_mdp_device:s0 +/dev/mt_otg_test(/.*)? u:object_r:mt_otg_test_device:s0 +/dev/MT_pmic_adc_cali u:object_r:MT_pmic_adc_cali_device:s0 +/dev/MT_pmic_adc_cali(/.*)? u:object_r:MT_pmic_cali_device:s0 +/dev/MT_pmic(/.*)? u:object_r:MT_pmic_device:s0 +/dev/network.* u:object_r:network_device:s0 +/dev/nvram(/.*)? u:object_r:nvram_device:s0 +/dev/nxpspk(/.*)? u:object_r:smartpa_device:s0 +/dev/otp u:object_r:otp_device:s0 +/dev/pmem_multimedia(/.*)? u:object_r:pmem_multimedia_device:s0 +/dev/pmt(/.*)? u:object_r:pmt_device:s0 +/dev/preloader(/.*)? 
u:object_r:preloader_device:s0 +/dev/pro_info(/.*)? u:object_r:pro_info_device:s0 +/dev/protect_f(/.*)? u:object_r:protect_f_device:s0 +/dev/protect_s(/.*)? u:object_r:protect_s_device:s0 +/dev/psaux(/.*)? u:object_r:psaux_device:s0 +/dev/ptmx(/.*)? u:object_r:ptmx_device:s0 +/dev/ptyp.* u:object_r:ptyp_device:s0 +/dev/pvr_sync(/.*)? u:object_r:gpu_device:s0 +/dev/qemu_pipe(/.*)? u:object_r:qemu_pipe_device:s0 +/dev/recovery(/.*)? u:object_r:recovery_device:s0 +/dev/rfkill(/.*)? u:object_r:rfkill_device:s0 +/dev/rtc[0-9]+ u:object_r:rtc_device:s0 +/dev/RT_Monitor(/.*)? u:object_r:RT_Monitor_device:s0 +/dev/kick_powerkey(/.*)? u:object_r:kick_powerkey_device:s0 +/dev/seccfg(/.*)? u:object_r:seccfg_device:s0 +/dev/sec_ro(/.*)? u:object_r:sec_ro_device:s0 +/dev/sec(/.*)? u:object_r:sec_device:s0 +/dev/tee1 u:object_r:tee_part_device:s0 +/dev/tee2 u:object_r:tee_part_device:s0 +/dev/sensor(/.*)? u:object_r:sensor_device:s0 +/dev/smartpa_i2c(/.*)? u:object_r:smartpa1_device:s0 +/dev/snapshot(/.*)? u:object_r:snapshot_device:s0 +/dev/socket/adbd(/.*)? u:object_r:adbd_socket:s0 +/dev/socket/agpsd2(/.*)? u:object_r:agpsd_socket:s0 +/dev/socket/agpsd3(/.*)? u:object_r:agpsd_socket:s0 +/dev/socket/agpsd(/.*)? u:object_r:agpsd_socket:s0 +/dev/socket/atci-audio(/.*)? u:object_r:atci_audio_socket:s0 +/dev/socket/atci-serv-fw(/.*)? u:object_r:atci_serv_fw_socket:s0 +/dev/socket/atci-service(/.*)? u:object_r:atci_service_socket:s0 +/dev/socket/backuprestore(/.*)? u:object_r:backuprestore_socket:s0 +/dev/socket/bluetooth(/.*)? u:object_r:bluetooth_socket:s0 +/dev/socket/bt.a2dp.stream(/.*)? u:object_r:bt_a2dp_stream_socket:s0 +/dev/socket/bt.int.adp(/.*)? u:object_r:bt_int_adp_socket:s0 +/dev/socket/dbus_bluetooth(/.*)? u:object_r:dbus_bluetooth_socket:s0 +/dev/socket/dfo(/.*)? u:object_r:dfo_socket:s0 +/dev/socket/dnsproxyd(/.*)? u:object_r:dnsproxyd_socket:s0 +/dev/socket/dumpstate(/.*)? u:object_r:dumpstate_socket:s0 +/dev/socket/installd(/.*)? 
u:object_r:installd_socket:s0 +/dev/socket/mdnsd(/.*)? u:object_r:mdnsd_socket:s0 +/dev/socket/mdns(/.*)? u:object_r:mdns_socket:s0 +/dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0 +/dev/socket/mtpd(/.*)? u:object_r:mtpd_socket:s0 +/dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0 +/dev/socket/netd(/.*)? u:object_r:netd_socket:s0 +/dev/socket/racoon(/.*)? u:object_r:racoon_socket:s0 +/dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0 +/dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0 +/dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0 +/dev/socket/rild4(/.*)? u:object_r:rild4_socket:s0 +/dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0 +/dev/socket/rild-atci-md2(/.*)? u:object_r:rild_atci_md2_socket:s0 +/dev/socket/rild-atci(/.*)? u:object_r:rild_atci_socket:s0 +/dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0 +/dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0 +/dev/socket/rild-debug(/.*)? u:object_r:rild_debug_socket:s0 +/dev/socket/rild-dongle(/.*)? u:object_r:rild-dongle_socket:s0 +/dev/socket/rild-md2(/.*)? u:object_r:rild_md2_socket:s0 +/dev/socket/rild-mtk-modem-md2(/.*)? u:object_r:rild_mtk_modem_md2_socket:s0 +/dev/socket/rild-mtk-modem(/.*)? u:object_r:rild_mtk_modem_socket:s0 +/dev/socket/rild-mtk-ut-2-md2(/.*)? u:object_r:rild_mtk_ut_2_md2_socket:s0 +/dev/socket/rild-mtk-ut-2(/.*)? u:object_r:rild_mtk_ut_2_socket:s0 +/dev/socket/rild-mtk-ut-md2(/.*)? u:object_r:rild_mtk_ut_md2_socket:s0 +/dev/socket/rild-mtk-ut(/.*)? u:object_r:rild_mtk_ut_socket:s0 +/dev/socket/rild-oem-md2(/.*)? u:object_r:rild_oem_md2_socket:s0 +/dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0 +/dev/socket/rild(/.*)? u:object_r:rild_socket:s0 +/dev/socket/rild-via u:object_r:rild_via_socket:s0 +/dev/socket/rild-atci-c2k(/.*)? u:object_r:rild_atci_c2k_socket:s0 +/dev/socket/rpc u:object_r:rpc_socket:s0 +/dev/socket/soc_vt_stk(/.*)? u:object_r:soc_vt_stk_socket:s0 +/dev/socket/soc_vt_svc(/.*)? 
u:object_r:soc_vt_svc_socket:s0 +/dev/socket/soc_vt_tcv(/.*)? u:object_r:soc_vt_tcv_socket:s0 +/dev/socket/statusd u:object_r:statusd_socket:s0 +/dev/socket/sysctl(/.*)? u:object_r:sysctl_socket:s0 +/dev/socket/vold(/.*)? u:object_r:vold_socket:s0 +/dev/socket/volte_imsa1(/.*)? u:object_r:volte_imsa1_socket:s0 +/dev/socket/wpa_wlan0(/.*)? u:object_r:wpa_wlan0_socket:s0 +/dev/socket/zygote(/.*)? u:object_r:zygote_socket:s0 +/dev/socket/wod_action(/.*)? u:object_r:wod_action_socket:s0 +/dev/socket/wod_sim(/.*)? u:object_r:wod_sim_socket:s0 +/dev/socket/wod_ipsec(/.*)? u:object_r:wod_ipsec_socket:s0 +/dev/socket/tunman(/.*)? u:object_r:tunman_socket:s0 +/dev/stpant(/.*)? u:object_r:stpant_device:s0 +/dev/stpbt(/.*)? u:object_r:stpbt_device:s0 +/dev/stpgps u:object_r:mnld_device:s0 +/dev/stpgps(/.*)? u:object_r:stpgps_device:s0 +/dev/stpwmt(/.*)? u:object_r:stpwmt_device:s0 +/dev/sw_sync(/.*)? u:object_r:sw_sync_device:s0 +/dev/tgt(/.*)? u:object_r:tgt_device:s0 +/dev/touch(/.*)? u:object_r:touch_device:s0 +/dev/tpd_em_log(/.*)? u:object_r:tpd_em_log_device:s0 +/dev/ttyC0 u:object_r:gsm0710muxd_device:s0 +/dev/ttyC1 u:object_r:mdlog_device:s0 +/dev/ttyC2 u:object_r:agps_device:s0 +/dev/ttyC3 u:object_r:icusb_device:s0 +/dev/ttyGS.* u:object_r:ttyGS_device:s0 +/dev/ttyMT.* u:object_r:ttyMT_device:s0 +/dev/ttyp.* u:object_r:ttyp_device:s0 +/dev/ttySDIO.* u:object_r:ttySDIO_device:s0 +/dev/ttyUSB0 u:object_r:tty_device:s0 +/dev/ttyUSB1 u:object_r:tty_device:s0 +/dev/ttyUSB2 u:object_r:tty_device:s0 +/dev/ttyUSB3 u:object_r:tty_device:s0 +/dev/ttyUSB4 u:object_r:tty_device:s0 +/dev/TV-out(/.*)? u:object_r:TV_out_device:s0 +/dev/uboot(/.*)? u:object_r:uboot_device:s0 +/dev/uibc(/.*)? u:object_r:uibc_device:s0 +/dev/uinput(/.*)? u:object_r:uinput_device:s0 +/dev/uio0(/.*)? u:object_r:uio0_device:s0 +/dev/usrdata(/.*)? u:object_r:usrdata_device:s0 +/dev/Vcodec(/.*)? u:object_r:Vcodec_device:s0 +/dev/vmodem u:object_r:vmodem_device:s0 +/dev/vow(/.*)? 
u:object_r:vow_device:s0 +/dev/wmtdetect(/.*)? u:object_r:wmtdetect_device:s0 +/dev/wmtWifi(/.*)? u:object_r:wmtWifi_device:s0 +/dev/xlog u:object_r:xlog_device:s0 +/dev/offloadservice(/.*)? u:object_r:offloadservice_device:s0 +/dev/irtx u:object_r:irtx_device:s0 + +/dev/xt_qtaguid(/.*)? u:object_r:xt_qtaguid_device:s0 +/dev/pmic_ftm(/.*)? u:object_r:pmic_ftm_device:s0 +/dev/shf u:object_r:shf_device:s0 +/protect_f(/.*)? u:object_r:protect_f_data_file:s0 +/protect_s(/.*)? u:object_r:protect_s_data_file:s0 +/persist(/.*)? u:object_r:persist_data_file:s0 +/dev/ttyACM0 u:object_r:ttyACM_device:s0 +/dev/hrm u:object_r:hrm_device:s0 + +############################# +# sysfs files +# +/sys/bus/platform/drivers/gyrocope/chipinfo u:object_r:gyroscope_mpud6050_chipinfo:s0 +/sys/bus/platform/drivers/gyrocope/status u:object_r:gyroscope_mpud6050_status:s0 +/sys/bus/platform/drivers/msensor/daemon2 u:object_r:msensord_daemon2:s0 +/sys/bus/platform/drivers/msensor/daemon u:object_r:msensord_daemon:s0 +/sys/class/i2c-adapter/(/.*)? u:object_r:gyroscope_mpud6050_use:s0 +/sys/class/invensense_daemon_class/invensense_daemon_device(/.*)? u:object_r:gyroscope_mpud6050_file:s0 +/sys/devices/platform/gsensor/driver(/.*)? u:object_r:sysfs_gsensor_file:s0 +/sys/devices/platform/msensor/driver(/.*)? u:object_r:sysfs_msensor_file:s0 +/sys/bus/platform/drivers/mtk-kpd(/.*)? u:object_r:sysfs_keypad_file:s0 +/sys/power/vcorefs/pwr_ctrl -- u:object_r:sysfs_vcorefs_pwrctrl:s0 + + +############################# +# System files +# +/system/app/mcRegistry(/.*)? 
u:object_r:mobicore_data_file:s0 +/system/bin/6620_launcher u:object_r:mtk_6620_launcher_exec:s0 +/system/bin/aal u:object_r:aal_exec:s0 +/system/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0 +/system/bin/akmd8963 u:object_r:akmd8963_exec:s0 +/system/bin/akmd8975 u:object_r:akmd8975_exec:s0 +/system/bin/ami304d u:object_r:ami304d_exec:s0 +/system/bin/atcid u:object_r:atcid_exec:s0 +/system/bin/atci_service u:object_r:atci_service_exec:s0 +/system/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0 +/system/bin/autokd u:object_r:autokd_exec:s0 +/system/bin/batterywarning u:object_r:batterywarning_exec:s0 +/system/bin/bmm050d u:object_r:bmm050d_exec:s0 +/system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0 +/system/bin/br_app_data_service u:object_r:br_app_data_service_exec:s0 +/system/bin/ccci_fsd u:object_r:ccci_fsd_exec:s0 +/system/bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0 +/system/bin/ccci_rpcd u:object_r:ccci_rpcd_exec:s0 +/system/bin/dhcp6c u:object_r:dhcp6c_exec:s0 +/system/bin/dm_agent_binder u:object_r:dm_agent_binder_exec:s0 +/system/bin/dmlog u:object_r:dmlog_exec:s0 +/system/bin/dongled u:object_r:usbdongled_exec:s0 +/system/bin/dualmdlogger u:object_r:dualmdlogger_exec:s0 +/system/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0 +/system/bin/em_svr u:object_r:em_svr_exec:s0 +/system/bin/factory u:object_r:factory_exec:s0 +/system/bin/flashlessd u:object_r:flashlessd_exec:s0 +/system/bin/fuelgauged u:object_r:fuelgauged_exec:s0 +/system/bin/geomagneticd u:object_r:geomagneticd_exec:s0 +/system/bin/GoogleOtaBinder u:object_r:GoogleOtaBinder_exec:s0 +/system/bin/gsm0710muxdmd2 u:object_r:gsm0710muxdmd2_exec:s0 +/system/bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0 +/system/bin/guiext-server u:object_r:guiext-server_exec:s0 +/system/bin/icusbd u:object_r:icusbd_exec:s0 +/system/bin/init.gprs-pppd u:object_r:zpppd_gprs_exec:s0 +/system/bin/ipod u:object_r:ipod_exec:s0 +/system/bin/launchpppoe 
u:object_r:launchpppoe_exec:s0 +/system/bin/matv u:object_r:matv_exec:s0 +/system/bin/mc6420d u:object_r:mc6420d_exec:s0 +/system/bin/mcDriverDaemon u:object_r:mobicore_exec:s0 +/system/bin/mdlogger u:object_r:mdlogger_exec:s0 +/system/bin/memsicd3416x u:object_r:memsicd3416x_exec:s0 +/system/bin/memsicd u:object_r:memsicd_exec:s0 +/system/bin/meta_tst u:object_r:meta_tst_exec:s0 + +/system/bin/mmp u:object_r:mmp_exec:s0 +/system/bin/mobile_log_d u:object_r:mobile_log_d_exec:s0 +/system/bin/mpud6050 u:object_r:mpud6050_exec:s0 +/system/bin/msensord u:object_r:msensord_exec:s0 +/system/bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0 +/system/bin/mtkbt u:object_r:mtkbt_exec:s0 +/system/bin/MtkCodecService u:object_r:MtkCodecService_exec:s0 +/system/bin/mtkrildmd2 u:object_r:mtkrildmd2_exec:s0 +/system/bin/mtkrild u:object_r:mtkrild_exec:s0 +/system/bin/muxreport u:object_r:muxreport_exec:s0 +/system/bin/netdiag u:object_r:netdiag_exec:s0 +/system/bin/nvram_agent_binder u:object_r:nvram_agent_binder_exec:s0 +/system/bin/nvram_daemon u:object_r:nvram_daemon_exec:s0 +/system/bin/orientationd u:object_r:orientationd_exec:s0 +/system/bin/permission_check u:object_r:permission_check_exec:s0 +/system/bin/poad u:object_r:poad_exec:s0 +/system/bin/ppl_agent u:object_r:ppl_agent_exec:s0 +/system/bin/pppd_dt u:object_r:pppd_dt_exec:s0 +/system/bin/pppd_via u:object_r:pppd_via_exec:s0 +/system/bin/pq u:object_r:pq_exec:s0 +/system/bin/resmon u:object_r:resmon_exec:s0 +/system/bin/rild_dongle u:object_r:ril-3gddaemon_exec:s0 +/system/bin/s62xd u:object_r:s62xd_exec:s0 +/system/bin/sn u:object_r:sn_exec:s0 +/system/bin/statusd u:object_r:statusd_exec:s0 +/system/bin/terservice u:object_r:terservice_exec:s0 +/system/bin/thermald u:object_r:thermald_exec:s0 +/system/bin/thermal_manager u:object_r:thermal_manager_exec:s0 +/system/bin/thermal u:object_r:thermal_exec:s0 +/system/bin/tiny_mkswap u:object_r:tiny_mkswap_exec:s0 +/system/bin/tiny_swapon u:object_r:tiny_swapon_exec:s0 
+/system/bin/viarild u:object_r:viarild_exec:s0
+/system/bin/volte_imcb u:object_r:volte_imcb_exec:s0
+/system/bin/volte_stack u:object_r:volte_stack_exec:s0
+/system/bin/volte_ua u:object_r:volte_ua_exec:s0
+/system/bin/wifi2agps u:object_r:wifi2agps_exec:s0
+/system/bin/wmt_loader u:object_r:wmt_loader_exec:s0
+/system/bin/xlog u:object_r:xlog_exec:s0
+/system/bin/sbchk u:object_r:sbchk_exec:s0
+/system/bin/OperaMaxSystem u:object_r:tunman_exec:s0
+/system/etc/sensor(/.*)? u:object_r:system_sensor_data_file:s0
+/system/vendor/bin/pvrsrvctl u:object_r:pvrsrvctl_exec:s0
+/system/xbin/BGW u:object_r:BGW_exec:s0
+/system/xbin/mnld u:object_r:mnld_exec:s0
+/system/bin/md_ctrl u:object_r:md_ctrl_exec:s0
+/system/bin/cmddumper u:object_r:cmddumper_exec:s0
+/system/bin/epdg_wod u:object_r:epdg_wod_exec:s0
+/system/bin/ipsec u:object_r:ipsec_exec:s0
+/system/bin/charon u:object_r:charon_exec:s0
+/system/bin/starter u:object_r:starter_exec:s0
+/system/bin/stroke u:object_r:stroke_exec:s0
+/system/bin/mmc3524xd u:object_r:mmc3524xd_exec:s0
+/system/bin/vtservice u:object_r:vtservice_exec:s0
+
+# Wallpaper file for smartbook
+/data/system/users/[0-9]+/smartbook_wallpaper u:object_r:wallpaper_file:s0
+
+# Camera stuff
+/dev/BU64245(/.*)? u:object_r:BU64245_device:s0
+
+# Live Display
+/sys/devices/platform/mtk_disp_mgr.0/rgb u:object_r:livedisplay_sysfs:s0
+
diff --git a/sepolicy/flashlessd.te b/sepolicy/flashlessd.te
new file mode 100644
index 0000000..f9e8a58
--- /dev/null
+++ b/sepolicy/flashlessd.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Policy File of /system/bin/flashlessd Executable File
+
+type flashlessd_exec, exec_type, file_type;
+type flashlessd, domain;
+
+
+# permissive flashlessd;
+
+init_daemon_domain(flashlessd)
diff --git a/sepolicy/fota1.te b/sepolicy/fota1.te
new file mode 100644
index 0000000..3d0e06d
--- /dev/null
+++ b/sepolicy/fota1.te
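Review bot: Three entries in the `# Data files` section use `(./*)?` where every other entry uses `(/.*)?` — `/data/SF_dump(./*)?`, `/data/ipsec(./*)?` and `/data/ipsec/wo(./*)?` — so the pattern matches the directory itself plus at most one arbitrary character followed by slashes, and files created underneath fall back to the generic `/data` label instead of `sf_bqdump_data_file`, `wod_ipsec_conf_file` and `wod_apn_conf_file`; any domain rules written against those types then never apply. Change them to `/data/SF_dump(/.*)?`, `/data/ipsec(/.*)?` and `/data/ipsec/wo(/.*)?`. Separately, `/sys/class/i2c-adapter/(/.*)?` carries a doubled slash, and `/dev/MT_pmic_adc_cali` and `/dev/stpgps` each appear twice with different types; a one-line comment on which label is meant to win would save the next reader from working out the matching order.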
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /system/bin/fota1 Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type fota1, domain;
+type fota1_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(fota1)
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : For recovery and tee1 upgrade
+allow fota1 cache_file:file append;
+allow fota1 misc_device:chr_file { write open };
+allow fota1 platformblk_device:blk_file { read write open };
+allow fota1 platformblk_device:dir search;
+allow fota1 recovery_device:chr_file { read write open };
diff --git a/sepolicy/fs_use b/sepolicy/fs_use
new file mode 100644
index 0000000..e04b587
--- /dev/null
+++ b/sepolicy/fs_use
@@ -0,0 +1,2 @@
+#Add support for ubifs
+fs_use_xattr ubifs u:object_r:labeledfs:s0;
diff --git a/sepolicy/fuelgauged.te b/sepolicy/fuelgauged.te
new file mode 100644
index 0000000..4cb2827
--- /dev/null
+++ b/sepolicy/fuelgauged.te
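Review bot: `fota1_exec` is declared and `init_daemon_domain(fota1)` is applied, but the file_contexts added by this same commit has no entry labelling a `/system/bin/fota1` binary (every other daemon declared here, including flashlessd, has one), so unless another context file labels it the transition into `fota1` never happens and these rules are dead. Either add `/system/bin/fota1 u:object_r:fota1_exec:s0` to file_contexts or drop the policy file. The raw `platformblk_device:blk_file { read write open }` grant is reasonable for an updater, but the Purpose line should say which partition it writes, since this is direct block-device write access from a daemon domain.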
@@ -0,0 +1,47 @@
+# ==============================================
+# Policy File of /system/bin/fuelgauged Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type fuelgauged_exec , exec_type, file_type;
+type fuelgauged ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive fuelgauged;
+init_daemon_domain(fuelgauged)
+#unconfined_domain(fuelgauged)
+#write_klog(fuelgauged)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : Fuel Gauge daemon for access driver node
+allow fuelgauged input_device:dir { search open read write };
+allow fuelgauged input_device:file { open read };
+allow fuelgauged mtk-adc-cali_device:chr_file { open ioctl read write };
+
+#add by xiaoqin
+allow fuelgauged kmsg_device:chr_file { open write };
+allow fuelgauged fuelgauged:netlink_kobject_uevent_socket { write create bind read};
+allow fuelgauged fuelgauged:netlink_socket { create bind write read};
+#add by xiaoqin
+
+allow fuelgauged input_device:dir { search open read write };
+allow fuelgauged input_device:file { open read };
+#allow fuelgauged fuelgauged_access_file1:file { open read write };
+#allow fuelgauged fuelgauged_access_file2:file { open read write};
+# Operate data partation directly, need modify later,e.g. use "data/misc/sensor".
+allow fuelgauged system_data_file:dir { write add_name create setattr };
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..977c6d5
--- /dev/null
+++ b/sepolicy/genfs_contexts
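Review bot: The final rule, `allow fuelgauged system_data_file:dir { write add_name create setattr };`, lets the daemon create entries directly under the generic `/data` label, and the comment above it already calls it a placeholder (`need modify later`); this same commit labels `/data/misc/sensor(/.*)?` as `sensor_data_file` in file_contexts, so the rule can be scoped to that type now instead of being left open, and geomagneticd.te in this commit has the same `system_data_file:dir` pattern. The `input_device:dir` / `input_device:file` pair appears twice (under the WK14.43 block and again after the second `#add by xiaoqin`), so one copy should go. The two socket rules name the domain as the target where `self` is the convention used everywhere else in this change — `allow fuelgauged self:netlink_kobject_uevent_socket { write create bind read };` and `allow fuelgauged self:netlink_socket { create bind write read };` are equivalent and read correctly. The `kmsg_device:chr_file { open write }` line appears to be what the commented-out `write_klog(fuelgauged)` macro would grant; keeping one form or the other avoids confusion.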
@@ -0,0 +1,11 @@
+
+genfscon proc /secmem0 u:object_r:proc_secmem:s0
+
+genfscon proc /driver/thermal u:object_r:proc_thermal:s0
+genfscon proc /mtkcooler u:object_r:proc_mtkcooler:s0
+genfscon proc /mtktz u:object_r:proc_mtktz:s0
+genfscon proc /lk_env u:object_r:proc_lk_env:s0
+genfscon proc /driver/storage_logger u:object_r:proc_slogger:s0
+genfscon proc /driver/icusb u:object_r:proc_icusb:s0
+
+genfscon iso9660 / u:object_r:iso9660:s0
diff --git a/sepolicy/geomagneticd.te b/sepolicy/geomagneticd.te
new file mode 100644
index 0000000..07b86aa
--- /dev/null
+++ b/sepolicy/geomagneticd.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /system/bingeomagneticd Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type geomagneticd_exec , exec_type, file_type;
+type geomagneticd ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive geomagneticd;
+init_daemon_domain(geomagneticd)
+#unconfined_domain(geomagneticd)
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : access sensor data and do calibration
+allow geomagneticd input_device:chr_file { read ioctl open };
+allow geomagneticd input_device:dir { read search open };
+allow geomagneticd sysfs:file write;
+allow geomagneticd system_data_file:dir { write remove_name add_name };
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..0ab2fdc
--- /dev/null
+++ b/sepolicy/gpsd.te
@@ -0,0 +1,5 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
diff --git a/sepolicy/gsm0710muxd.te b/sepolicy/gsm0710muxd.te
new file mode 100644
index 0000000..d9d9b54
--- /dev/null
+++ b/sepolicy/gsm0710muxd.te
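Review bot: `allow geomagneticd sysfs:file write;` grants write to every sysfs attribute that carries the default label, not just the sensor nodes; this commit already declares `sysfs_msensor_file` for `/sys/devices/platform/msensor/driver(/.*)?`, so if the calibration writes land there the rule can be `allow geomagneticd sysfs_msensor_file:file write;` (and otherwise the node actually written should get its own type, as was done for `sysfs_vcorefs_pwrctrl`). The Purpose line says "access sensor data and do calibration" but not which sysfs path, which is the information a reviewer needs to narrow it. The header comment reads `/system/bingeomagneticd` — a missing slash that also appears in gsm0710muxd.te, gsm0710muxdmd2.te and icusbd.te in this commit.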
@@ -0,0 +1,42 @@
+# ==============================================
+# Policy File of /system/bingsm0710muxd Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type gsm0710muxd_exec , exec_type, file_type;
+type gsm0710muxd ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(gsm0710muxd)
+allow gsm0710muxd gsm0710muxd_device:chr_file open;
+allow gsm0710muxd gsm0710muxd_device:chr_file { read write };
+allow gsm0710muxd ctl_rildaemon_prop:property_service set;
+allow gsm0710muxd ctl_ril-daemon-mtk_prop:property_service set;
+allow gsm0710muxd gsm0710muxd_prop:property_service set;
+allow gsm0710muxd devpts:chr_file setattr;
+allow gsm0710muxd device:dir write;
+allow gsm0710muxd self:capability chown;
+allow gsm0710muxd self:capability fowner;
+allow gsm0710muxd device:dir add_name;
+allow gsm0710muxd device:lnk_file create;
+allow gsm0710muxd init:unix_stream_socket connectto;
+allow gsm0710muxd property_socket:sock_file write;
+allow gsm0710muxd self:capability setuid;
+allow gsm0710muxd device:dir remove_name;
+allow gsm0710muxd device:lnk_file unlink;
+allow gsm0710muxd eemcs_device:chr_file open;
+allow gsm0710muxd eemcs_device:chr_file { read write };
diff --git a/sepolicy/gsm0710muxdmd2.te b/sepolicy/gsm0710muxdmd2.te
new file mode 100644
index 0000000..7ce2937
--- /dev/null
+++ b/sepolicy/gsm0710muxdmd2.te
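Review bot: The property rules are written out as raw `allow` lines — `init:unix_stream_socket connectto` plus `property_socket:sock_file write` plus the three `…_prop:property_service set` rules — which is what `set_prop(gsm0710muxd, ctl_rildaemon_prop)` and its siblings expand to; the macro form is what reviewers compare against the platform neverallows and should be used here, as should `rw_file_perms` for the `gsm0710muxd_device` / `eemcs_device` open+read+write pairs (icusbd.te in this commit already does that). `self:capability { chown fowner setuid }` together with create/unlink on `device:lnk_file` and `devpts:chr_file setattr` is a large footprint for a mux daemon, and unlike the other .te files here this one has no Date/Operation/Purpose block saying which pty or symlink operation needs each of them; `setuid` in particular deserves a note on whether the daemon drops privileges after setup, since that is the only case in which it is normally needed. gsm0710muxdmd2.te in this commit is a near-verbatim copy of this file with the same issues; a shared macro or a common attribute would stop the two from drifting apart.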
@@ -0,0 +1,45 @@
+# ==============================================
+# Policy File of /system/bingsm0710muxdmd2 Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type gsm0710muxdmd2_exec , exec_type, file_type;
+type gsm0710muxdmd2 ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(gsm0710muxdmd2)
+allow gsm0710muxdmd2 gsm0710muxd_device:chr_file open;
+allow gsm0710muxdmd2 gsm0710muxd_device:chr_file { read write };
+allow gsm0710muxdmd2 ctl_ril-daemon-md2_prop:property_service set;
+allow gsm0710muxdmd2 ril_mux_report_case_prop:property_service set;
+allow gsm0710muxdmd2 ctl_muxreport-daemon_prop:property_service set;
+allow gsm0710muxdmd2 gsm0710muxd_prop:property_service set;
+allow gsm0710muxdmd2 devpts:chr_file setattr;
+allow gsm0710muxdmd2 device:dir write;
+allow gsm0710muxdmd2 self:capability chown;
+allow gsm0710muxdmd2 self:capability fowner;
+allow gsm0710muxdmd2 device:dir add_name;
+allow gsm0710muxdmd2 device:lnk_file create;
+allow gsm0710muxdmd2 init:unix_stream_socket connectto;
+allow gsm0710muxdmd2 property_socket:sock_file write;
+allow gsm0710muxdmd2 self:capability setuid;
+allow gsm0710muxdmd2 device:dir remove_name;
+allow gsm0710muxdmd2 device:lnk_file unlink;
+allow gsm0710muxdmd2 eemcs_device:chr_file open;
+allow gsm0710muxdmd2 eemcs_device:chr_file { read write };
+allow gsm0710muxdmd2 ctl_ril-daemon-md2_prop:property_service set;
+allow gsm0710muxdmd2 emd_device:chr_file { read write open };
diff --git a/sepolicy/guiext-server.te b/sepolicy/guiext-server.te
new file mode 100644
index 0000000..c961d31
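Review bot: `allow gsm0710muxdmd2 ctl_ril-daemon-md2_prop:property_service set;` appears twice in this hunk — as the third rule after `init_daemon_domain` and again as the second-to-last line. The duplicate changes nothing in the compiled policy, but it makes a line-by-line comparison with gsm0710muxd.te harder and suggests the trailing block was pasted in without checking; drop the second copy.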
--- /dev/null
+++ b/sepolicy/guiext-server.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of /system/bin/guiext-server Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type guiext-server, domain;
+type guiext-server_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(guiext-server)
+
+# to allocate GraphicBuffer
+allow guiext-server surfaceflinger:binder call;
+allow guiext-server surfaceflinger:fd use;
+allow guiext-server gpu_device:chr_file { open read write ioctl };
+
+# to be a service
+allow guiext-server guiext-server_service:service_manager add;
+
+# for dump
+allow guiext-server system_server:binder call;
+
+# for MiraVision
+allow guiext-server graphics_device:chr_file { open read write ioctl };
+
+# for CTS
+allow guiext-server platform_app:binder call;
+allow guiext-server app_data_file:file write;
diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te
new file mode 100644
index 0000000..79b118a
--- /dev/null
+++ b/sepolicy/hci_attach.te
@@ -0,0 +1,3 @@
+# ==============================================
+# MTK Policy Rule
+# ============
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644
index 0000000..69904f5
--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1,11 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+#============= healthd ==============
+allow healthd self:capability dac_override;
+allow healthd mtkrild:unix_stream_socket connectto;
+allow healthd rild_oem_socket:sock_file write;
+allow healthd sysfs_vcorefs_pwrctrl:file write;
+allow healthd app_data_file:file write;
+
diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te
new file mode 100644
index 0000000..bca40bb
--- /dev/null
+++ b/sepolicy/hostapd.te
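Review bot: The `# for CTS` block grants `app_data_file:file write` without `open`; if that is deliberate it limits the rule to descriptors an app hands over binder (a dump target, presumably) rather than to files the daemon could open itself, but nothing in the comment says so, and the next person to see a denial will most likely add `open` and widen it to every app's private files. Replace the comment with something like `# for CTS: write only to app-owned fds received over binder (dump output); no open on purpose`. healthd.te in this commit carries the same bare `app_data_file:file write` rule and needs the same explanation.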
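Review bot: `allow healthd self:capability dac_override;` is a broad grant with no Date/Operation/Purpose block, so it is impossible to tell which file the DAC bypass is for; if it is `sysfs_vcorefs_pwrctrl` or the rild socket, giving those nodes the right owner/mode in the init rc file removes the need for the capability, and at minimum the rule should carry a comment naming the path. The `mtkrild:unix_stream_socket connectto` / `rild_oem_socket:sock_file write` pair is exactly `unix_socket_connect(healthd, rild_oem, mtkrild)` and reads better as the macro. This file also starts with the generic `# MTK Policy Rule` banner and nothing else, where the other daemon files in this commit at least record why each rule was added.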
@@ -0,0 +1,15 @@
+# ====================================
+# MTK Policy Rule
+# ====================================
+
+# Date: 2014/09/15
+# Operation: [Pre-SQC] Hotspot Manager cannot communicate with framework
+# Purpose: Add socket write permission for hostapd
+allow hostapd system_wpa_socket:sock_file write;
+
+
+# Date: 2014/10/13
+# Operation: [L-SQC] SELinux warning during whole chip reset
+# Purpose: kernel module netdev-ap0 gets invalid during whole chip reset, no impact to normal flow, dontaudit
+dontaudit hostapd kernel:system module_request;
+
diff --git a/sepolicy/icusbd.te b/sepolicy/icusbd.te
new file mode 100644
index 0000000..4a8773b
--- /dev/null
+++ b/sepolicy/icusbd.te
@@ -0,0 +1,35 @@
+# ==============================================
+# Policy File of /system/binicusbd Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type icusbd_exec , exec_type, file_type;
+type icusbd ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+init_daemon_domain(icusbd)
+
+allow icusbd vdc_exec:file execute_no_trans;
+allow icusbd icusb_device:chr_file rw_file_perms;
+allow icusbd ccci_device:chr_file { read write ioctl open };
+allow icusbd proc_icusb:file { read write open };
+allow icusbd proc_icusb:dir search;
+allow icusbd self:capability dac_override;
+allow icusbd self:netlink_socket create_socket_perms;
+allow icusbd usb_device:chr_file { read write ioctl open };
+allow icusbd usb_device:dir { read open search};
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..e6374dc
--- /dev/null
+++ b/sepolicy/init.te
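Review bot: `allow icusbd vdc_exec:file execute_no_trans;` runs the vold control client inside icusbd's own domain with all of icusbd's permissions instead of through a domain transition, and there is no Purpose block saying which vdc command is issued or why; add one (e.g. `# runs vdc for the ICUSB volume — TODO(review): confirm which command and whether a dedicated domain via domain_auto_trans is preferable`). `self:capability dac_override` is likewise undocumented; if it exists only to reach `/dev/icusb*` or `/proc/driver/icusb`, fixing their ownership in the init rc file is the usual way to avoid the capability altogether. The rest of the hunk (`rw_file_perms`, `create_socket_perms`) uses the standard macros, and `ccci_device` / `usb_device` could use `rw_file_perms` too for consistency with the line above them.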
@@ -0,0 +1,15 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : for L early bring up: add for nvram command in init rc files
+allow init nvram_data_file:dir { write search setattr read create open add_name };
+allow init nvdata_file:dir { write search setattr read create open add_name };
+
+#============= init ==============
+# Date : W14.42
+# Operation : Migration
+# Purpose : for L : add for partition
+allow init platformblk_device:blk_file setattr;
diff --git a/sepolicy/init_shell.te b/sepolicy/init_shell.te
new file mode 100644
index 0000000..4b5a0be
--- /dev/null
+++ b/sepolicy/init_shell.te
@@ -0,0 +1,4 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
diff --git a/sepolicy/inputflinger.te b/sepolicy/inputflinger.te
new file mode 100644
index 0000000..4b5a0be
--- /dev/null
+++ b/sepolicy/inputflinger.te
@@ -0,0 +1,4 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
diff --git a/sepolicy/install_recovery.te b/sepolicy/install_recovery.te
new file mode 100644
index 0000000..73e64c7
--- /dev/null
+++ b/sepolicy/install_recovery.te
@@ -0,0 +1,10 @@
+# Date : WK14.41
+# Operation : Migration
+# Purpose : update recovery image
+allow install_recovery bootimg_device:chr_file { open read write };
+allow install_recovery recovery_device:chr_file { open read write };
+allow install_recovery platformblk_device:dir search;
+allow install_recovery platformblk_device:blk_file { open read write };
+allow install_recovery sysfs:file { open read write };
+allow install_recovery tee_part_device:chr_file *;
+dontaudit install_recovery system_file:file entrypoint;
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644
index 0000000..79796be
--- /dev/null
+++ b/sepolicy/installd.te
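Review bot: `allow install_recovery tee_part_device:chr_file *;` in the install_recovery hunk grants every permission in the chr_file class (including relabelfrom, relabelto, setattr, mounton and execute), while the sibling rules for the boot and recovery partitions two lines above are limited to `{ open read write }`; the wildcard should be brought in line with them, `allow install_recovery tee_part_device:chr_file { open read write };`. The closing `dontaudit install_recovery system_file:file entrypoint;` silences a denial instead of explaining it; a comment naming the binary that triggers it would let a reviewer decide whether a real domain transition is the right fix. `allow install_recovery sysfs:file { open read write };` is also a write to all of sysfs and would benefit from a dedicated sysfs type if the target node is known.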
@@ -0,0 +1,57 @@ +# ============================================== +# MTK Policy Rule + +# Date : WK14.34 +# Operation : Migration +# Purpose : 6571/6572 GMO external memory access(/dev/exm0) +allow installd exm0_device:chr_file { read write ioctl open }; + +# Date : WK14.34 +# Operation : Migration +# Purpose : Move app to phone storage +# 1. Enter Settings->Apps +# 2. Select Downloaded tab +# 3. Choose the application and move to phone storage +# 4. Check the application in Phone storage tab +allow installd apk_tmp_file:dir getattr; +allow installd vfat:file getattr; + +# Date : WK14.34 +# Operation : Migration +# Purpose : for CIP project (access /custom partition) +allow installd custom_file:file { getattr read open }; +allow installd custom_file:dir search; + +# Date : WK14.34 +# Operation : Development GMO Feature "Move OAT to SD Card" +# Purpose : for GMO ROM Size Slim +allow installd dalvikcache_data_file:lnk_file { read getattr setattr unlink create }; +allow installd fuse:dir { write read remove_name search create add_name getattr setattr }; +allow installd fuse:file { write getattr setattr read create unlink open }; + +# Date : WK14.40 +# Operation : SQC1 +# Purpose : for access .android_secure +allow installd vfat:dir search; + +# Date : WK14.44 +# Operation : SQC1 +# Purpose : for phone encrypted +# Disabled 20150109 for bad policy review (ALPS01902735) +#allow installd unlabeled:fifo_file write; +#allow installd unlabeled:sock_file write; + +# Date : WK14.46 +# Operation : SQC1 +# Purpose : MOTA update KK to L, workaround for access /data/.layout_version +allow installd system_data_file:file open; + +# Date : WK15.02 +# Operation : SQC0 +# Purpose : ALPS01889518 (MTK MTBF) +allow installd platform_app:fd use; + +# Date : WK15.03 +# Operation : SQC1 +# Purpose : ALPS01911340 (MTK MTBF for GMO project) +allow installd platform_app_tmpfs:file { open read write getattr };
\ No newline at end of file
diff --git a/sepolicy/ipod.te b/sepolicy/ipod.te
new file mode 100644
index 0000000..ca37c28
--- /dev/null
+++ b/sepolicy/ipod.te
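Review bot: The `Move OAT to SD Card` block of the installd hunk (its first part sits on the preceding line) gives installd create/write/unlink on `fuse:dir` and `fuse:file` plus `create`/`unlink` on `dalvikcache_data_file:lnk_file`, which means compiled code the runtime will later execute can live on FUSE-backed, world-writable external storage under the generic `fuse` label; the hunk should state what integrity check protects those OAT files, or the feature should be confined to a dedicated type rather than all of `fuse`. The rules `allow installd platform_app:fd use;` and `allow installd platform_app_tmpfs:file { open read write getattr };` are justified only by bug ids; a sentence naming the platform app that hands installd a tmpfs fd would help. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing so a later append does not fuse with the last rule.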
@@ -0,0 +1,88 @@ +# ============================================== +# Policy File of /system/binipod Executable File + + +# ============================================== +# Type Declaration +# ============================================== + +type ipod_exec , exec_type, file_type; +type ipod ,domain; + +# ============================================== +# Android Policy Rule +# ============================================== + +# ============================================== +# NSA Policy Rule +# ============================================== + +# ============================================== +# MTK Policy Rule +# ============================================== + +# permissive ipod; +init_daemon_domain(ipod) +# unconfined_domain(ipod) + +# date: 2014/09/19 +# operation : migration +# purpose : allow ipod to perform binder IPC to control screen on/off via PowerManager +binder_use(ipod) +binder_service(ipod) +binder_call(ipod, system_server) +binder_call(ipod, surfaceflinger) + +allow ipod ctl_bootanim_prop:property_service set; +allow ipod ctl_ipod_prop:property_service set; +allow ipod ipod_prop:property_service set; +allow ipod powerctl_prop:property_service set; +allow ipod audiohal_prop:property_service set; +allow ipod system_prop:property_service set; +allow ipod shell_exec:file { read open execute_no_trans execute }; +allow ipod system_file:file execute_no_trans; + +# permissions for IPO with phone encrypted +# removed due to IPO will be disabled when phone is encrypted +# allow ipod vdc_exec:file { getattr execute read open execute_no_trans }; +# allow ipod vold_socket:sock_file write; +# allow ipod vold:unix_stream_socket connectto; + +allow ipod platformblk_device:blk_file { read open write }; +allow ipod platformblk_device:dir search; + +allow ipod self:capability dac_override; +allow ipod self:capability net_admin; +allow ipod kmsg_device:chr_file { open write }; +allow ipod property_socket:sock_file write; + +allow ipod init:dir getattr; +allow ipod 
init:unix_stream_socket connectto; +allow ipod sysfs_wake_lock:file { read write open getattr }; +allow ipod block_device:dir search; +allow ipod gpu_device:chr_file { read write open ioctl }; +allow ipod ipod:netlink_kobject_uevent_socket { create bind read setopt }; +allow ipod input_device:dir { open read search }; +allow ipod input_device:file { open read write ioctl }; +allow ipod input_device:chr_file { open read write ioctl }; +allow ipod rtc_device:chr_file { open read write ioctl }; +allow ipod sysfs:file { open read write getattr }; +allow ipod alarm_device:chr_file write; +allow ipod system_server:unix_stream_socket connectto; +allow ipod proc:file { open read write }; +allow ipod proc:dir { search getattr }; +allow ipod logo_device:chr_file { open read }; + +# reboot syscall to switch to recovery/factory mode instantly +allow ipod self:capability sys_boot; +allow ipod proc_sysrq:file { open write }; + +allow ipod debugfs:file { open read getattr }; + +# IPOH +allow ipod system_data_file:dir { open read write add_name create remove_name }; +allow ipod cache_file:dir { open read write add_name create remove_name }; +allow ipod cache_file:file { create open write ioctl setattr }; +allow ipod proc_lk_env:file { open read write }; +allow ipod misc_device:chr_file { open read write }; +allow ipod self:capability { chown sys_admin }; diff --git a/sepolicy/ipsec.te b/sepolicy/ipsec.te new file mode 100644 index 0000000..c4b2163 --- /dev/null +++ b/sepolicy/ipsec.te 
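Review bot: `allow ipod self:capability { chown sys_admin };` at the end of the ipod hunk, together with `sys_boot`, `net_admin` and `dac_override`, `allow ipod shell_exec:file { read open execute_no_trans execute };`, `allow ipod system_file:file execute_no_trans;` and `allow ipod system_prop:property_service set;` earlier in it (the hunk begins on the preceding line), leaves the domain close to unconfined: it can run any system binary or shell script in its own context, bypass DAC, and set arbitrary system properties. Each capability should carry the `# Purpose` line the rest of the file uses, and `sys_admin` in particular should be narrowed to the one operation that needs it or that operation delegated to init through a property trigger. As a point of style, `allow ipod ipod:netlink_kobject_uevent_socket { create bind read setopt };` names the domain as its own target where every other rule in the file uses `self`; `allow ipod self:netlink_kobject_uevent_socket { create bind read setopt };` is the conventional form.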
@@ -0,0 +1,75 @@ +# ============================================== +# Policy File of /system/bin/ipsec Executable File + +# ============================================== +# Type Declaration +# ============================================== +type starter_exec , exec_type, file_type; +type charon_exec , exec_type, file_type; +type ipsec_exec , exec_type, file_type; +type stroke_exec , exec_type, file_type; +type ipsec ,domain; + +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date: WK14.52 +# Operation : Feature developing for ePDG + +# Purpose : access xfrm +allow ipsec proc_net:file write; + +# Purpose : set property for ip address with epdg_wod +allow ipsec mtk_wod_prop:property_service set; +allow ipsec property_socket:sock_file write; + +# Purpose : send command to epdg_wod +allow ipsec wod_ipsec_socket:sock_file write; + +# Purpose : create socket for IKEv2 protocol +allow ipsec node:udp_socket node_bind; +allow ipsec port:tcp_socket name_connect; +allow ipsec port:udp_socket name_bind; + +# Purpose : Query DNS address +allow ipsec netd:unix_stream_socket connectto; +allow ipsec dnsproxyd_socket:sock_file write; + +# Purpose : access property socket +allow ipsec init:unix_stream_socket connectto; + +# Purpose : access socket of wod and property +allow ipsec epdg_wod:unix_stream_socket { read write connectto }; + +# Purpose : output to /dev/null +allow ipsec epdg_wod:fd use; + +# Purpose : starter invoke charon +allow ipsec charon_exec:file execute_no_trans; + +# Purpose : charon set fwmark +allow ipsec fwmarkd_socket:sock_file write; + +# Purpose : kernel ip/route operations +allow ipsec self:capability { net_admin net_bind_service dac_override kill }; + +# Purpose : send/receive packet to/from peer +allow ipsec self:tcp_socket { write getattr connect read getopt create }; +allow ipsec self:udp_socket { write bind create read setopt }; + +# Purpose : kernel ip/route operations +allow 
ipsec self:netlink_route_socket { write nlmsg_write read bind create nlmsg_read };
+allow ipsec self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read };
+
+# Purpose : charon/starter PID file
+allow ipsec vpn_data_file:dir { write remove_name add_name search };
+allow ipsec vpn_data_file:file { write create open getattr setattr read unlink };
+allow ipsec vpn_data_file:sock_file { write create unlink setattr };
+
+# Purpose : read strongswan config file for IKEv2 Tunnel
+allow ipsec wod_apn_conf_file:dir search;
+allow ipsec wod_apn_conf_file:file { read ioctl open getattr };
+allow ipsec wod_ipsec_conf_file:file { read ioctl open getattr };
+allow ipsec wod_ipsec_conf_file:dir search;
+
diff --git a/sepolicy/isolated_app.te b/sepolicy/isolated_app.te
new file mode 100644
index 0000000..86cbf61
--- /dev/null
+++ b/sepolicy/isolated_app.te
@@ -0,0 +1,5 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..6112da4
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1,24 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : transit from kernel to aee_core_forwarder domain when executing aee_core_forwarder
+domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : run guitar_update for touch F/W upgrade.
+allow kernel fuse:dir search;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : ums driver can access blk_file
+allow kernel block_device:blk_file { read write };
+allow kernel loop_device:blk_file { read };
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : Access to TC1 partition for reading MAC
+allow kernel platformblk_device:blk_file { open read write };
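Review bot: The ipsec hunk (which starts on the preceding line) declares four exec types, `starter_exec`, `charon_exec`, `ipsec_exec` and `stroke_exec`, but contains no `init_daemon_domain` or `domain_auto_trans` into `ipsec`; unless the transition is defined in a file outside this diff, the daemon never enters the domain and every rule below the declarations is dead, so a comment such as `# domain entry: see <file that defines the transition into ipsec>` would settle the question. `allow ipsec port:tcp_socket name_connect;` and `allow ipsec port:udp_socket name_bind;` use the generic `port` type and therefore cover every port, although IKEv2 needs only a small fixed set; a dedicated port type would confine it. `allow ipsec self:capability { net_admin net_bind_service dac_override kill };` should say what `dac_override` and `kill` are for, given that the PID-file and config-file rules in this part of the hunk already grant the file access explicitly.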
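Review bot: `allow kernel block_device:blk_file { read write };` in the kernel hunk is justified as `ums driver can access blk_file`, but `block_device` is the generic label for block nodes that have no more specific type, so the rule's reach is whatever happens to be left unlabelled rather than the partitions actually exported over USB mass storage. The exported nodes should get their own type, following the pattern the same hunk already uses with `platformblk_device` and `loop_device`, and the rule should name that type; the adjacent `allow kernel loop_device:blk_file { read };` is fine as written.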
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
new file mode 100644
index 0000000..1c6acb8
--- /dev/null
+++ b/sepolicy/keystore.te
@@ -0,0 +1,14 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK14.40 2014/10/3
+# Operation : keystore CTS
+# Purpose : Open MobiCore access permission for keystore CTS hardware-backed solution
+allow keystore mobicore:unix_stream_socket { connectto read write };
+allow keystore mobicore_user_device:chr_file { read write open ioctl};
+
+# Date : WK14.40 2014/12/26
+# Operation : CTS 5.0_r1
+# Purpose : allow access to /data/data/com.android.cts.security/cache/CTS_DUMP for full CTS
+allow keystore app_data_file:file write;
\ No newline at end of file
diff --git a/sepolicy/launchpppoe.te b/sepolicy/launchpppoe.te
new file mode 100644
index 0000000..fc877a4
--- /dev/null
+++ b/sepolicy/launchpppoe.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /system/bin/launchpppoe Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type launchpppoe, domain;
+type launchpppoe_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : transit to ppp directly since the resource are shared and serve the same purpose
+domain_auto_trans(init, launchpppoe_exec, ppp)
+
diff --git a/sepolicy/lmkd.te b/sepolicy/lmkd.te
new file mode 100644
index 0000000..2eab8cc
--- /dev/null
+++ b/sepolicy/lmkd.te
@@ -0,0 +1,11 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+
+# Data : 2015/01/14
+# Operation : MT6735 SQC bug fix
+# Purpose : ALPS01905960 - selinux_warning: audit(1420845354.752:91): avc: denied { search }
+# for pid=194 comm="lmkd" name="23573" dev="proc"
+# ino=915740 scontext=u:r:lmkd:s0 tcontext=u:r:zygote:s0 tclass=dir permissive=0
+dontaudit lmkd zygote:dir *;
diff --git a/sepolicy/logd.te b/sepolicy/logd.te
new file mode 100644
index 0000000..379cdbc
--- /dev/null
+++ b/sepolicy/logd.te
@@ -0,0 +1,4 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+dontaudit logd unlabeled:dir search;
diff --git a/sepolicy/matv.te b/sepolicy/matv.te
new file mode 100644
index 0000000..3f83ad9
--- /dev/null
+++ b/sepolicy/matv.te
@@ -0,0 +1,27 @@ +# ============================================== +# Policy File of /system/binmatv Executable File + + +# ============================================== +# Type Declaration +# ============================================== + +type matv_exec , exec_type, file_type; +type matv ,domain; + +# ============================================== +# Android Policy Rule +# ============================================== + +# ============================================== +# NSA Policy Rule +# ============================================== + +# ============================================== +# MTK Policy Rule +# ============================================== +binder_use(matv) + +#permissive matv; +init_daemon_domain(matv) +#unconfined_domain(matv) diff --git a/sepolicy/mc6420d.te b/sepolicy/mc6420d.te new file mode 100644 index 0000000..427536c --- /dev/null +++ b/sepolicy/mc6420d.te @@ -0,0 +1,26 @@ +# ============================================== +# Policy File of /system/binmc6420d Executable File + + +# ============================================== +# Type Declaration +# ============================================== + +type mc6420d_exec , exec_type, file_type; +type mc6420d ,domain; + +# ============================================== +# Android Policy Rule +# ============================================== + +# ============================================== +# NSA Policy Rule +# ============================================== + +# ============================================== +# MTK Policy Rule +# ============================================== + +#permissive mc6420d; +init_daemon_domain(mc6420d) +#unconfined_domain(mc6420d) diff --git a/sepolicy/md_ctrl.te b/sepolicy/md_ctrl.te new file mode 100644 index 0000000..b286493 --- /dev/null +++ b/sepolicy/md_ctrl.te 
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /system/bin/md_ctrl Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type md_ctrl, domain;
+type md_ctrl_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# Date : WK14.46
+# Operation : Migration
+# Purpose : Start md_ctrl
+
+init_daemon_domain(md_ctrl)
+allow md_ctrl ccci_device:chr_file { read write ioctl open };
+allow md_ctrl devpts:chr_file { read write getattr open ioctl };
+allow md_ctrl muxreport_exec:file { read execute open execute_no_trans };
+allow md_ctrl self:capability dac_override;
+allow md_ctrl emd_device:chr_file { read write open };
+
diff --git a/sepolicy/mdlogger.te b/sepolicy/mdlogger.te
new file mode 100644
index 0000000..67bd14e
--- /dev/null
+++ b/sepolicy/mdlogger.te
@@ -0,0 +1,62 @@ +# ============================================== +# Policy File of /system/binmdlogger Executable File + + +# ============================================== +# Type Declaration +# ============================================== + +type mdlogger_exec , exec_type, file_type; +type mdlogger ,domain; + +# ============================================== +# Android Policy Rule +# ============================================== + +# ============================================== +# NSA Policy Rule +# ============================================== + +# ============================================== +# MTK Policy Rule +# ============================================== + +#permissive mdlogger; +init_daemon_domain(mdlogger) + +binder_use(mdlogger) +binder_service(mdlogger) + +#=============allow mdlogger to set ============== +allow mdlogger debug_mdlogger_prop:property_service set; +allow mdlogger debug_prop:property_service set; +allow mdlogger ccci_device:chr_file { read write ioctl open }; +allow mdlogger ttyGS_device:chr_file { read write open ioctl}; +allow mdlogger fuse:dir { write search create rmdir add_name remove_name read open rename}; +allow mdlogger fuse:file { write read create open rename unlink getattr setattr append}; +allow mdlogger mdlog_data_file:dir { write search read create open rmdir remove_name add_name relabelto getattr}; +allow mdlogger mdlog_data_file:fifo_file { read open create setattr}; +allow mdlogger mdlog_data_file:file { write read create open rename unlink getattr setattr}; +allow mdlogger mdlog_device:chr_file { read write open ioctl}; +allow mdlogger system_data_file:dir { write create open add_name relabelfrom}; + +allow mdlogger init:unix_stream_socket connectto; +allow mdlogger property_socket:sock_file write; +allow mdlogger platform_app:unix_stream_socket connectto; + +allow mdlogger shell_exec:file { read execute open execute_no_trans }; +allow mdlogger system_file:file execute_no_trans; +allow mdlogger 
zygote_exec:file { read getattr open };
+allow mdlogger tmpfs:lnk_file read;
+
+#============= mdlogger usb logging ==============
+# Date : 2014/09/26
+# Operation : Migration
+# Purpose : [MDLOGGER] [mdlogger usb logging tcp_socket]
+# Package: system/bin/mdlogger
+
+allow mdlogger fuse:dir search;
+allow mdlogger node:tcp_socket node_bind;
+allow mdlogger port:tcp_socket name_bind;
+allow mdlogger self:tcp_socket { write read bind create setopt accept listen };
+
diff --git a/sepolicy/mdnsd.te b/sepolicy/mdnsd.te
new file mode 100644
index 0000000..7b20973
--- /dev/null
+++ b/sepolicy/mdnsd.te
@@ -0,0 +1,4 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..b1b4508
--- /dev/null
+++ b/sepolicy/mediaserver.te
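Review bot: The USB-logging block of the mdlogger hunk ends with `allow mdlogger port:tcp_socket name_bind;` and `allow mdlogger self:tcp_socket { write read bind create setopt accept listen };`, which lets the daemon listen on any TCP port under the generic `port` type with no record of what it serves or on which interface; the listening port should get a dedicated port type and the `# Purpose` line should state the protocol and the interface it is bound to. Earlier in the hunk (its first part is on the preceding line) `allow mdlogger system_data_file:dir { write create open add_name relabelfrom };` lets the domain relabel directories away from `system_data_file`, an operation normally reserved for init/installd-style setup; a comment naming the directory and the target label would let a reviewer confirm it is limited to the mdlog path. `allow mdlogger shell_exec:file { read execute open execute_no_trans };` together with `allow mdlogger system_file:file execute_no_trans;` also lacks a justification line.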
@@ -0,0 +1,361 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Date : WK15.02 +# Operation : 120Hz Feature SQC +# Purpose : for 120Hz Smart Switch +allow mediaserver mtk_rrc_device:chr_file { read write ioctl open }; + +# Date : WK14.31 +# Operation : Migration +# Purpose : for L early bring up. +allow mediaserver camera_isp_device:chr_file { read write ioctl open }; +allow mediaserver kd_camera_hw_device:chr_file { read write ioctl open }; +allow mediaserver self:capability { setuid ipc_lock }; +allow mediaserver sysfs_wake_lock:file { read write open }; +allow mediaserver MTK_SMI_device:chr_file { read ioctl open }; +allow mediaserver camera_pipemgr_device:chr_file { read ioctl open }; +allow mediaserver kd_camera_flashlight_device:chr_file { read write ioctl open }; +allow mediaserver self:capability sys_nice; + + +# Date : WK14.32 +# Operation : Migration +# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam. 
+allow mediaserver sdcard_internal:dir { write create add_name }; +allow mediaserver sdcard_internal:file create; +allow mediaserver nvram_data_file:dir { add_name write search }; +allow mediaserver nvram_data_file:file { write getattr setattr read create open }; +allow mediaserver nvram_data_file:lnk_file read; +allow mediaserver nvdata_file:dir { add_name write search }; +allow mediaserver nvdata_file:file { write getattr setattr read create open }; +allow mediaserver fuse:dir remove_name; +allow mediaserver fuse:file unlink; + +# Date : WK14.34 +# Operation : Migration +# Purpose : for bring up +allow mediaserver platformblk_device:dir { search }; +allow mediaserver nvram_device:chr_file { open read write }; +allow mediaserver self:netlink_kobject_uevent_socket { create setopt bind }; +allow mediaserver self:capability { net_admin dac_override }; + +# Date : WK14.34 +# Operation : Migration +# Purpose : VP/VR +allow mediaserver devmap_device:chr_file { ioctl }; + +# Date : WK14.34 +# Operation : Migration +# Purpose : Smartcard Service +allow mediaserver self:netlink_kobject_uevent_socket read; +allow mediaserver system_data_file:file open; + +# Date : WK14.36 +# Operation : Migration +# Purpose : guiext service for VP +allow mediaserver guiext-server:binder { transfer call }; + +# Date : WK14.36 +# Operation : Migration +# Purpose : media server and bt process communication for A2DP data.and other control flow +allow mediaserver bluetooth:unix_dgram_socket sendto; +allow mediaserver bt_a2dp_stream_socket:sock_file write; +allow mediaserver bt_int_adp_socket:sock_file write; +allow mediaserver mtkbt:unix_dgram_socket sendto; + +# Date : WK14.37 +# Operation : Migration +# Purpose : WFD and MET Latency measurement +allow mediaserver media_wfd_prop:property_service set; + +# Date : WK14.37 +# Operation : Migration +# Purpose : camera ioctl +allow mediaserver camera_sysram_device:chr_file { read ioctl open }; + +# Date : WK14.36 +# Operation : Migration +# Purpose 
: VDEC/VENC device node +allow mediaserver Vcodec_device:chr_file { read write ioctl open }; + +# Date : WK14.36 +# Operation : Migration +# Purpose : MMProfile debug +# userdebug_or_eng(` +allow mediaserver debugfs:file {read ioctl}; +# ') + +# Date : WK14.36 +# Operation : Migration +# Purpose : bring up +allow mediaserver MtkCodecService:binder call; +allow mediaserver ccci_device:chr_file { read write ioctl open }; +allow mediaserver eemcs_device:chr_file { read write ioctl open }; +allow mediaserver devmap_device:chr_file { read open }; +allow mediaserver ebc_device:chr_file { read write ioctl open }; +allow mediaserver platformblk_device:blk_file { read write open }; +#allow mediaserver nvram_data_file:dir { write search }; +#allow mediaserver system_data_file:dir { write add_name }; +#allow mediaserver system_data_file:file { write create setattr }; + +# Date : WK14.36 +# Operation : Migration +# Purpose : for SW codec VP/VR +#allow mediaserver mtk_device:chr_file { read write ioctl open }; +allow mediaserver mtk_sched_device:chr_file { read write ioctl open }; + +# Date : WK14.36 +# Operation : Migration +# Purpose : for DRM VP +allow mediaserver platform_app:dir search; +allow mediaserver platform_app:file { read getattr open }; + + +# Date : WK14.38 +# Operation : Migration +# Purpose : NVRam access +allow mediaserver block_device:dir { write search }; + +# Date : WK14.38 +# Operation : Migration +# Purpose : FM driver access +allow mediaserver fm_device:chr_file { read write ioctl open }; + +# Data : WK14.38 +# Operation : Migration +# Purpose : for VP/VR +allow mediaserver block_device:dir search; +allow mediaserver FM50AF_device:chr_file { read write ioctl open }; +allow mediaserver AD5820AF_device:chr_file { read write ioctl open }; +allow mediaserver DW9714AF_device:chr_file { read write ioctl open }; +allow mediaserver AK7345AF_device:chr_file { read write ioctl open }; +allow mediaserver DW9714A_device:chr_file { read write ioctl open }; +allow 
mediaserver LC898122AF_device:chr_file { read write ioctl open }; +allow mediaserver LC898212AF_device:chr_file { read write ioctl open }; +allow mediaserver BU6429AF_device:chr_file { read write ioctl open }; +allow mediaserver DW9718AF_device:chr_file { read write ioctl open }; +allow mediaserver BU64745GWZAF_device:chr_file { read write ioctl open }; +allow mediaserver BU64245_device:chr_file { read write ioctl open }; + +# Data : WK14.38 +# Operation : Migration +# Purpose : WFD +allow mediaserver surfaceflinger:dir search; +allow mediaserver surfaceflinger:file { read open }; + +# Data : WK14.38 +# Operation : Migration +# Purpose : bring up +allow mediaserver bootanim:binder { transfer call }; +allow mediaserver tmpfs:lnk_file read; +#allow mediaserver default_android_service:service_manager { add }; + +# Data : WK14.38 +# Operation : Migration +# Purpose : bring up +allow mediaserver bt_data_file:dir { write add_name search}; +allow mediaserver bt_data_file:file { open write create setattr append }; + +# Data : WK14.38 +# Operation : Migration +# Purpose : dump for debug +allow mediaserver fuse:file append; + +# Date : WK14.39 +# Operation : Migration +# Purpose : FDVT Driver +allow mediaserver camera_fdvt_device:chr_file { read write ioctl open }; + +# Date : WK14.39 +# Operation : Migration +# Purpose : MJC Driver +allow mediaserver MJC_device:chr_file { read write ioctl open }; + +# Date : WK14.39 +# Operation : Migration +# Purpose : APE PLAYBACK +binder_call(mediaserver,MtkCodecService) + +# Data : WK14.39 +# Operation : Migration +# Purpose : dump for debug +allow mediaserver audiohal_prop:property_service set; + +# Data : WK14.39 +# Operation : Migration +# Purpose : HW encrypt SW codec +allow mediaserver mediaserver_data_file:file { create open read write setattr }; +allow mediaserver mediaserver_data_file:dir { search getattr open read write setattr add_name }; +allow mediaserver sec_device:chr_file { read open ioctl }; + +# Date : WK14.39 +# 
Operation : Migration +# Purpose : WFD UIBC Driver +allow mediaserver uibc_device:chr_file { read write getattr ioctl open }; + +# Date : WK14.40 +# Operation : Migration +# Purpose : HDMI driver access +allow mediaserver graphics_device:chr_file { read write ioctl open }; + +# Date : WK14.40 +# Operation : Migration +# Purpose : Smartpa +allow mediaserver smartpa_device:chr_file { read write ioctl open }; + +# Date : WK14.40 +# Operation : Migration +# Purpose : Smartpa +allow mediaserver smartpa1_device:chr_file { read write ioctl open }; + +# Data : WK14.40 +# Operation : Migration +# Purpose : permit 'call' by audio tunning tool audiocmdservice_atci +allow mediaserver audiocmdservice_atci:binder call; +binder_call(mediaserver,audiocmdservice_atci) + +# Date : WK14.40 +# Operation : Migration +# Purpose : mtk_jpeg +allow mediaserver mtk_jpeg_device:chr_file { read ioctl open }; + +# Date : WK14.41 +# Operation : Migration +# Purpose : Lossless BT audio +allow mediaserver shell_exec:file { read open execute execute_no_trans }; +allow mediaserver system_file:file execute_no_trans; +allow mediaserver zygote_exec:file execute_no_trans; + +# Date : WK14.41 +# Operation : Migration +# Purpose : WFD HID Driver +allow mediaserver uhid_device:chr_file { read write ioctl open }; + +# Date : WK14.41 +# Operation : Migration +# Purpose : Camera EEPROM Calibration +allow mediaserver CAM_CAL_DRV_device:chr_file { read write ioctl open }; + +# Date : WK14.43 +# Operation : Migration +# Purpose : VOW +allow mediaserver vow_device:chr_file { read write ioctl open }; + +# Date: WK14.44 +# Operation : Migration +# Purpose : EVDO +allow mediaserver rpc_socket:sock_file write; +allow mediaserver statusd:unix_stream_socket connectto; +allow mediaserver ttySDIO_device:chr_file { read write }; +allow mediaserver ttySDIO_device:chr_file open; + +# Data: WK14.44 +# Operation : Migration +# Purpose : VP +allow mediaserver surfaceflinger:file getattr; + +# Data: WK14.44 +# Operation : 
Migration +# Purpose : for low SD card latency issue +allow mediaserver sysfs_lowmemorykiller:file { read open }; + +# Date: WK14.45 +# Operation : Migration +# Purpose : HDCP +allow mediaserver mobicore:unix_stream_socket connectto; +allow mediaserver mobicore_data_file:dir search; +allow mediaserver mobicore_data_file:file { getattr read open lock}; +allow mediaserver mobicore_user_device:chr_file { read write open ioctl}; +allow mediaserver persist_data_file:dir { create write add_name search}; +allow mediaserver persist_data_file:file { read write create open getattr }; + +# Data: WK14.45 +# Operation : Migration +# Purpose : for change thermal policy when needed +allow mediaserver proc_mtkcooler:dir search; +allow mediaserver proc_mtktz:dir search; +allow mediaserver proc_thermal:dir search; + +# Date : WK14.46 +# Operation : Migration +# Purpose : for MTK Emulator HW GPU +allow mediaserver qemu_pipe_device:chr_file rw_file_perms; + +# Date : WK14.46 +# Operation : Migration +# Purpose : for camera init +allow mediaserver system_server:unix_stream_socket { read write }; + +# Data : WK14.46 +# Operation : Migration +# Purpose : for SMS app +allow mediaserver radio_data_file:dir search; +allow mediaserver radio_data_file:file open; + +# Data : WK14.47 +# Operation : Migration +# Purpose : for WFD looper +allow mediaserver custom_file:dir search; + +# Data : WK14.47 +# Operation : OMA DRM SQC +# Purpose : for OMA DRM - set OMA DRM file to ringtone +allow mediaserver system_app:dir search; + +# Data : WK14.47 +# Operation : Audio playback +# Purpose : Music as ringtone +allow mediaserver radio:dir { search read }; +allow mediaserver radio:file { read getattr open }; + +# Data : WK14.47 +# Operation : Launch camcorder from MMS +# Purpose : Camcorder +allow mediaserver radio_data_file:file open; + +# Data : WK14.47 +# Operation : CTS +# Purpose : cts search strange app +allow mediaserver untrusted_app:dir search; + +# Data : 2014/11/25 +# Operation : OMA DRM SQC +# 
Purpose : for OMA DRM - set OMA DRM file to ringtone and play OMA DRM file +allow mediaserver system_app:file { read open getattr }; + +# Data : 2014/11/25 +# Operation : OMA DRM SQC +# Purpose : for OMA DRM - set OMA DRM file to ringtone and play DRM ringtone +allow mediaserver untrusted_app:file { read open getattr }; + +# Data : 2014/11/26 +# Operation : Camera display client +# Purpose : for access proc_secmem +allow mediaserver proc_secmem:file { read write open}; + +# Data : WK14.48 +# Operation : WFD +# Purpose : For WFD scenario +allow mediaserver untrusted_app_tmpfs:file write; + +# Date : WK14.49 +# Operation : WFD +# Purpose : WFD notifies its status to thermal module +allow mediaserver proc_thermal:file { write getattr open }; +allow mediaserver thermal_manager_exec:file { getattr execute read open execute_no_trans }; +allow mediaserver proc_mtkcooler:file { read write open }; +allow mediaserver proc_mtktz:file { read write open }; +allow mediaserver proc_thermal:file { read write open }; + +# Date : WK14.52 +# Operation : WVL1 IT +# Purpose : SVP module operates secmem driver +allow mediaserver mobicore_data_file:file getattr; +allow mediaserver proc_secmem:file ioctl; + +# Date : WK15.03 +# Operation : Migration +# Purpose : offloadservice +allow mediaserver offloadservice_device:chr_file { read write ioctl open }; diff --git a/sepolicy/memsicd.te b/sepolicy/memsicd.te new file mode 100644 index 0000000..39466b8 --- /dev/null +++ b/sepolicy/memsicd.te @@ -0,0 +1,16 @@ +# ============================================== +# Policy File of /system/binmemsicd Executable File + + +# ============================================== +# Type Declaration +# ============================================== + +type memsicd_exec , exec_type, file_type; +type memsicd ,domain; + +# ============================================== +# MTK Policy Rule +# ============================================== + +init_daemon_domain(memsicd) 
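Review bot: In the `MMProfile debug` block of the mediaserver hunk (which begins several lines earlier) the `userdebug_or_eng(` wrapper around `allow mediaserver debugfs:file {read ioctl};` is commented out, so debugfs access that the comment itself calls debug-only ships in user builds; uncommenting the two macro lines (`# userdebug_or_eng(` with its trailing backquote, and `# ')`) restores the intended gating, and the `nvram_data_file`/`nvdata_file` create-write rules justified as `access SD card for debug purpose` belong under the same macro. mediaserver is the daemon that parses untrusted media, and this hunk also grants it `allow mediaserver platformblk_device:blk_file { read write open };`, `allow mediaserver shell_exec:file { read open execute execute_no_trans };`, `allow mediaserver zygote_exec:file execute_no_trans;` and `self:capability { setuid ipc_lock }` plus `{ net_admin dac_override }`, several of them justified only as `bring up`. Raw partition writes and shell/zygote execution should move into a small helper domain entered through `domain_auto_trans` (the pattern kernel.te and launchpppoe.te in this diff already use), and each remaining capability should carry a `# Purpose` line naming the concrete operation. The `# Data :` headers scattered through the hunk are presumably meant to read `# Date :` like the rest of the file.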
diff --git a/sepolicy/memsicd3416x.te b/sepolicy/memsicd3416x.te
new file mode 100644
index 0000000..dc33eed
--- /dev/null
+++ b/sepolicy/memsicd3416x.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Policy File of /system/binmemsicd3416x Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type memsicd3416x_exec , exec_type, file_type;
+type memsicd3416x ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(memsicd3416x)
diff --git a/sepolicy/meta_tst.te b/sepolicy/meta_tst.te
new file mode 100644
index 0000000..4a4c215
--- /dev/null
+++ b/sepolicy/meta_tst.te
@@ -0,0 +1,149 @@
+# ==============================================
+# Policy File of /system/bin/meta_tst Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type meta_tst_exec , exec_type, file_type;
+type meta_tst ,domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(meta_tst)
+
+# Date : WK14.42
+# Operation : L Migration
+# Purpose : for meta mode driver module operation
+#============= meta_tst ==============
+allow meta_tst audio_device:chr_file { read write ioctl open };
+allow meta_tst audio_device:dir search;
+allow meta_tst nvram_data_file:dir search;
+allow meta_tst audiohal_prop:property_service set;
+allow meta_tst ccci_device:chr_file { read write ioctl open };
+allow meta_tst fm_device:chr_file { read write ioctl open };
+allow meta_tst graphics_device:chr_file { read write ioctl open };
+allow meta_tst graphics_device:dir search;
+allow meta_tst mdlog_device:chr_file { read write open };
+allow meta_tst nvram_data_file:dir { write read open add_name remove_name search create getattr setattr };
+allow meta_tst nvram_data_file:file { setattr read create write getattr unlink open append };
+allow meta_tst nvram_data_file:lnk_file read;
+allow meta_tst nvdata_file:dir { write read open add_name remove_name search create getattr setattr };
+allow meta_tst nvdata_file:file { setattr read create write getattr unlink open append };
+allow meta_tst nvram_device:chr_file { read write open ioctl };
+allow meta_tst platformblk_device:blk_file { read write open };
+allow meta_tst platformblk_device:dir search;
+allow meta_tst port:tcp_socket { name_connect name_bind };
+allow meta_tst rootfs:file entrypoint;
+allow meta_tst rtc_device:chr_file { read ioctl open };
+allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };
+allow meta_tst self:tcp_socket { create connect setopt bind };
+allow meta_tst self:udp_socket { create ioctl };
+allow meta_tst stpbt_device:chr_file { read write open };
+allow meta_tst sysfs:file write;
+allow meta_tst system_data_file:dir { write remove_name add_name };
+allow meta_tst system_data_file:sock_file unlink;
+allow meta_tst ttyGS_device:chr_file { read write ioctl open };
+allow meta_tst wmtWifi_device:chr_file { write open };
+allow meta_tst FM50AF_device:chr_file { read write ioctl open };
+allow meta_tst AD5820AF_device:chr_file { read write ioctl open };
+allow meta_tst DW9714AF_device:chr_file { read write ioctl open };
+allow meta_tst DW9714A_device:chr_file { read write ioctl open };
+allow meta_tst LC898122AF_device:chr_file { read write ioctl open };
+allow meta_tst LC898212AF_device:chr_file { read write ioctl open };
+allow meta_tst BU6429AF_device:chr_file { read write ioctl open };
+allow meta_tst DW9718AF_device:chr_file { read write ioctl open };
+allow meta_tst BU64745GWZAF_device:chr_file { read write ioctl open };
+allow meta_tst als_ps_device:chr_file { read ioctl open };
+allow meta_tst camera_isp_device:chr_file { read write ioctl open };
+allow meta_tst camera_sysram_device:chr_file { read ioctl open };
+allow meta_tst gsensor_device:chr_file { read ioctl open };
+allow meta_tst kd_camera_flashlight_device:chr_file { read write ioctl open };
+allow meta_tst kd_camera_hw_device:chr_file { read write ioctl open };
+allow meta_tst msensor_device:chr_file { read ioctl open };
+allow meta_tst mt6605_device:chr_file { read write open ioctl getattr };
+allow meta_tst self:capability { sys_boot ipc_lock };
+allow meta_tst sysfs_wake_lock:file { read write open };
+allow meta_tst system_data_file:sock_file { write create setattr };
+allow meta_tst system_file:file execute_no_trans;
+allow meta_tst MT_pmic_adc_cali_device:chr_file { read write ioctl open };
+allow meta_tst block_device:dir search;
+allow meta_tst gyroscope_device:chr_file { read ioctl open };
+allow meta_tst mnld_exec:file { execute read open };
+allow meta_tst ttyMT_device:chr_file { read write ioctl open };
+allow meta_tst mnld_exec:file execute_no_trans;
+allow meta_tst mnld_device:chr_file { open read write ioctl };
+allow meta_tst property_socket:sock_file write;
+allow meta_tst vold_socket:sock_file write;
+allow meta_tst init:unix_stream_socket connectto;
+allow meta_tst vold:unix_stream_socket connectto;
+allow meta_tst gps_device:chr_file { read write open };
+allow meta_tst mnld_prop:property_service set;
+allow meta_tst agpsd_data_file:dir search;
+allow meta_tst self:tcp_socket { bind setopt listen accept read write };
+allow meta_tst agpsd_data_file:sock_file write;
+allow meta_tst node:tcp_socket node_bind;
+allow meta_tst powerctl_prop:property_service set;
+allow meta_tst labeledfs:filesystem unmount;
+allow meta_tst platformblk_device:blk_file { getattr ioctl };
+allow meta_tst shell_exec:file execute;
+
+# Date: WK14.45
+# Operation : Migration
+# Purpose : HDCP
+allow meta_tst mobicore:unix_stream_socket connectto;
+allow meta_tst mobicore_data_file:dir search;
+allow meta_tst mobicore_data_file:file { getattr read open lock};
+allow meta_tst mobicore_user_device:chr_file { read write open ioctl};
+allow meta_tst persist_data_file:dir { create setattr write add_name search};
+allow meta_tst persist_data_file:file { read write create open getattr setattr};
+
+# Date: WK14.46
+# Operation : Migration
+# Purpose : Camera
+allow meta_tst devmap_device:chr_file { open read write ioctl };
+allow meta_tst camera_pipemgr_device:chr_file { open read write ioctl };
+allow meta_tst MTK_SMI_device:chr_file { open read write ioctl };
+allow meta_tst tmpfs:lnk_file read;
+
+# Date: WK14.47
+# Operation : Migration
+# Purpose : CCCI
+allow meta_tst eemcs_device:chr_file { read write ioctl open };
+
+#Date WK14.49
+#Operation : Migration
+#Purpose : DRM key installation
+allow meta_tst mobicore_data_file:file getattr;
+allow meta_tst shell_exec:file { read open execute_no_trans };
+allow meta_tst system_data_file:dir create;
+
+# Date: WK14.51
+# Purpose : set/get cryptfs cfg in sys env
+allow meta_tst misc_device:chr_file { read write open };
+allow meta_tst proc_lk_env:file { read write ioctl open };
+
+# Date: WK14.51
+# Purpose : CCCI
+allow meta_tst emd_device:chr_file { read write ioctl open };
+allow meta_tst ttyACM_device:chr_file { read write ioctl open };
+
+# Purpose : FT_EMMC_OP_FORMAT_TCARD
+allow meta_tst block_device:blk_file getattr;
+allow meta_tst fuse_device:chr_file getattr;
+allow meta_tst shell_exec:file { read open };
+
+# Date: WK15.52
+# Purpose : NVRAM related LID
+allow meta_tst pro_info_device:chr_file { open read write ioctl };
+# Data: WK15.07
+# Purpose : SDIO
+allow meta_tst ttySDIO_device:chr_file { read write ioctl open };
+
+# Camera M2 Note
+allow meta_tst BU64245_device:chr_file { read write ioctl open };
+
diff --git a/sepolicy/mmc3524xd.te b/sepolicy/mmc3524xd.te
new file mode 100644
index 0000000..54e8f1a
--- /dev/null
+++ b/sepolicy/mmc3524xd.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Policy File of /system/bin/mmc3524xd Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mmc3524xd_exec , exec_type, file_type;
+type mmc3524xd ,domain;
+
+#permissive mmc3524xd;
+init_daemon_domain(mmc3524xd)
+
+#add permission
+allow mmc3524xd gsensor_device:chr_file {open ioctl read write};
+allow mmc3524xd msensor_device:chr_file {open ioctl read write};
+
diff --git a/sepolicy/mmp.te b/sepolicy/mmp.te
new file mode 100644
index 0000000..d956366
--- /dev/null
+++ b/sepolicy/mmp.te
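Review bot: The capability set on `allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };`, together with `self:capability { sys_boot ipc_lock }`, `labeledfs:filesystem unmount`, `rootfs:file entrypoint` and `port:tcp_socket { name_connect name_bind }` on every port, brings meta_tst close to an unconfined domain, yet nothing in the file records that the binary is only reachable in META/factory mode. Each of those rules deserves a one-line why-comment naming the factory-test operation that needs it, and `name_bind` should be narrowed to a dedicated port type instead of all of `port`. The file also repeats itself: `self:capability` and `platformblk_device:blk_file` are split across two rules each, `mobicore_data_file:file getattr` is granted twice, and `shell_exec:file { read open }` is a subset of the earlier `{ read open execute_no_trans }`, which makes the real scope hard to audit. The `# Date: WK15.52` heading that precedes WK15.07 also looks like a typo for WK14.52.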
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/binmmp Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mmp_exec , exec_type, file_type;
+type mmp ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(mmp)
+
diff --git a/sepolicy/mnld.te b/sepolicy/mnld.te
new file mode 100644
index 0000000..993cfb9
--- /dev/null
+++ b/sepolicy/mnld.te
@@ -0,0 +1,49 @@
+type mnld, domain;
+type mnld_exec, exec_type, file_type;
+
+# STOPSHIP: Permissive is not allowed. CTS violation!
+
+init_daemon_domain(mnld)
+
+net_domain(mnld)
+allow mnld agpsd_data_file:dir create_dir_perms;
+allow mnld agpsd_data_file:sock_file create_file_perms;
+allow mnld mtk_agpsd:unix_dgram_socket sendto;
+allow mnld sysfs:file rw_file_perms;
+allow mnld sysfs_wake_lock:file rw_file_perms;
+allow mnld nvram_data_file:dir create_dir_perms;
+allow mnld nvram_data_file:file create_file_perms;
+allow mnld nvram_data_file:lnk_file read;
+allow mnld nvdata_file:dir create_dir_perms;
+allow mnld nvdata_file:file create_file_perms;
+allow mnld mnld_data_file:dir rw_dir_perms;
+allow mnld mnld_data_file:sock_file create_file_perms;
+allow mnld mnld_device:chr_file rw_file_perms;
+allow mnld gps_device:chr_file rw_file_perms;
+allow mnld init:unix_stream_socket connectto;
+allow mnld property_socket:sock_file rw_file_perms;
+allow mnld system_data_file:dir rw_dir_perms;
+allow mnld system_data_file:dir create_dir_perms;
+allow mnld system_server:unix_dgram_socket sendto;
+allow mnld system_data_file:sock_file create_file_perms;
+allow mnld platformblk_device:blk_file rw_file_perms;
+allow mnld block_device:dir search;
+allow mnld platformblk_device:dir search;
+allow mnld nvram_device:chr_file{read write};
+allow mnld mnld_prop:property_service set;
+allow mnld nvram_device:chr_file open;
+allow mnld init:udp_socket { read write };
+allow mnld mdlog_device:chr_file { read write };
+allow mnld self:capability { fsetid dac_override };
+allow mnld stpbt_device:chr_file { read write };
+allow mnld ttyGS_device:chr_file { read write };
+allow mnld fuse:dir search;
+allow mnld fuse:dir write;
+allow mnld fuse:dir add_name;
+allow mnld fuse:file create;
+allow mnld fuse:file rw_file_perms;
+allow mnld fuse:file create_file_perms;
+allow mnld nvram_device:chr_file ioctl;
+allow mnld fuse:dir { read remove_name create open };
+allow mnld tmpfs:lnk_file { read create open };
+allow mnld platform_app:unix_stream_socket connectto;
diff --git a/sepolicy/mobicore.te b/sepolicy/mobicore.te
new file mode 100644
index 0000000..dc602f8
--- /dev/null
+++ b/sepolicy/mobicore.te
@@ -0,0 +1,34 @@
+##
+# Trustonic TEE (mobicore) daemon
+#
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mobicore, domain;
+type mobicore_exec, exec_type, file_type;
+type mobicore_admin_device, dev_type;
+type mobicore_user_device, dev_type;
+type mobicore_tui_device, dev_type;
+type mobicore_data_file, file_type, data_file_type;
+
+# ==============================================
+# Type Declaration for secmem
+# ==============================================
+type proc_secmem, fs_type;
+# genfscon proc /secmem0 u:object_r:proc_secmem:s0;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# permissive mobicore;
+init_daemon_domain(mobicore)
+allow mobicore self:capability { dac_override };
+allow mobicore mobicore_admin_device:chr_file rw_file_perms;
+allow mobicore mobicore_user_device:chr_file rw_file_perms;
+allow mobicore mobicore_data_file:dir rw_dir_perms;
+allow mobicore mobicore_data_file:file create_file_perms;
+allow mobicore self:netlink_socket create_socket_perms;
+allow mobicore apk_data_file:dir write;
+allow mobicore mobicore_data_file:dir create;
+allow mobicore mobicore_data_file:file rw_file_perms;
diff --git a/sepolicy/mobile_log_d.te b/sepolicy/mobile_log_d.te
new file mode 100644
index 0000000..3849a79
--- /dev/null
+++ b/sepolicy/mobile_log_d.te
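Review bot: The `# STOPSHIP: Permissive is not allowed. CTS violation!` comment is stale — there is no `permissive mnld;` line in the file — and should be removed or rewritten, otherwise the next reader assumes the domain is still permissive. The property path is spelled out by hand as `allow mnld init:unix_stream_socket connectto;` plus `allow mnld property_socket:sock_file rw_file_perms;`, while msensord.te and mtkrild.te in the same commit use `unix_socket_connect(mnld, property, init)` for the same access. The nvram_device grant is fragmented into `nvram_device:chr_file{read write}` (missing a space before the brace), `open` and `ioctl` on three separate lines, and the six `fuse:dir`/`fuse:file` rules overlap; collapsing each into one rule makes the actual grant visible. `allow mnld system_data_file:dir create_dir_perms;` lets the daemon create directories under generic system_data_file paths even though a dedicated mnld_data_file type exists, which is worth a why-comment.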
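Review bot: `allow mobicore apk_data_file:dir write;` lets the TEE daemon write into application package directories, which is unusual for a trustlet loader and is the one rule in the file with no evident reason; it needs a why-comment naming the entry it touches, or a dedicated type for that location. The genfscon for proc_secmem is left commented out (`# genfscon proc /secmem0 u:object_r:proc_secmem:s0;`), so the type is declared here but this file does not show where /proc/secmem0 receives that label — a comment pointing at the genfs_contexts entry would close the gap. The mobicore_data_file rules also overlap (`rw_dir_perms` plus a separate `create`, `create_file_perms` plus `rw_file_perms`); `create_dir_perms` and `create_file_perms` alone cover them.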
@@ -0,0 +1,75 @@
+# ==============================================
+# Policy File of /system/binmobile_log_d Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mobile_log_d_exec , exec_type, file_type;
+type mobile_log_d ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(mobile_log_d)
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : for L early bring-up
+allow mobile_log_d kernel:system syslog_mod;
+allow mobile_log_d sdcard_internal:dir create_dir_perms;
+allow mobile_log_d sdcard_internal:file create_file_perms;
+allow mobile_log_d platform_app:fd use;
+allow mobile_log_d platform_app_tmpfs:file write;
+#allow mobile_log_d unlabeled:lnk_file read;
+
+#GMO project
+dontaudit mobile_log_d untrusted_app:fd use;
+dontaudit mobile_log_d isolated_app:fd use;
+
+#md32
+#sysfs label need to be changed later
+allow mobile_log_d sysfs:file write;
+allow mobile_log_d md32_device:chr_file { read open };
+
+#debug.MB.running
+allow mobile_log_d debug_prop:property_service set;
+
+allow mobile_log_d fuse:dir create_dir_perms;
+allow mobile_log_d fuse:file create_file_perms;
+allow mobile_log_d init:unix_stream_socket connectto;
+allow mobile_log_d property_socket:sock_file write;
+allow mobile_log_d system_file:file x_file_perms;
+allow mobile_log_d tmpfs:lnk_file read;
+
+allow mobile_log_d logd:unix_stream_socket connectto;
+allow mobile_log_d logdr_socket:sock_file write;
+allow mobile_log_d mtkbt:unix_stream_socket connectto;
+allow mobile_log_d self:capability { setuid setgid };
+allow mobile_log_d self:capability2 syslog;
+allow mobile_log_d shell_exec:file rx_file_perms;
+
+#factory mode
+allow mobile_log_d vfat:dir create_dir_perms;
+allow mobile_log_d vfat:file create_file_perms;
+
+#data/misc/mblog
+allow mobile_log_d system_data_file:dir { relabelfrom create_dir_perms };
+allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms };
+allow mobile_log_d logmisc_data_file:file create_file_perms;
+#data/log_temp
+allow mobile_log_d logtemp_data_file:dir { relabelto create_dir_perms };
+allow mobile_log_d logtemp_data_file:file create_file_perms;
+#data/data_tmpfs_log
+allow mobile_log_d data_tmpfs_log_file:dir create_dir_perms;
+allow mobile_log_d data_tmpfs_log_file:file create_file_perms;
diff --git a/sepolicy/mpud6050.te b/sepolicy/mpud6050.te
new file mode 100644
index 0000000..f786b6b
--- /dev/null
+++ b/sepolicy/mpud6050.te
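Review bot: `allow mobile_log_d system_data_file:dir { relabelfrom create_dir_perms };` lets the daemon relabel any generic system_data_file directory, not just the #data/misc/mblog and #data/log_temp paths named in the comments, and the `relabelto` rules on logmisc_data_file/logtemp_data_file do not narrow the source side; a comment should record why init's restorecon cannot do this at boot, or the relabel should be dropped. `allow mobile_log_d kernel:system syslog_mod;` covers modifying the kernel log ring buffer (including clearing it), which deserves a why-comment since it affects what is left for incident triage. The `self:capability { setuid setgid }` grant plus `shell_exec:file rx_file_perms` and `system_file:file x_file_perms` also need a note on which helper binaries are spawned and as which uid. The `#allow mobile_log_d unlabeled:lnk_file read;` line should be removed rather than left commented out.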
@@ -0,0 +1,39 @@
+# ==============================================
+# Policy File of /system/bin/mpud6050 Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mpud6050_exec , exec_type, file_type;
+type mpud6050 ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive mpud6050;
+init_daemon_domain(mpud6050)
+#unconfined_domain(mpud6050)
+
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : Gyroscope daemon for access driver node
+allow mpud6050 gyroscope_device:chr_file { open ioctl read write};
+
+allow mpud6050 gyroscope_mpud6050_chipinfo:file { open read };
+allow mpud6050 gyroscope_mpud6050_status:file { open read };
+allow mpud6050 gyroscope_mpud6050_use:dir { open read search};
+allow mpud6050 gyroscope_mpud6050_use:file { open read };
+allow mpud6050 gyroscope_mpud6050_file:dir { open read search};
+allow mpud6050 gyroscope_mpud6050_file:file { open read write};
\ No newline at end of file
diff --git a/sepolicy/msensord.te b/sepolicy/msensord.te
new file mode 100644
index 0000000..58f1f73
--- /dev/null
+++ b/sepolicy/msensord.te
@@ -0,0 +1,52 @@
+# ==============================================
+# Policy File of /system/bin/msensord Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type msensord_exec , exec_type, file_type;
+type msensord ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive msensord;
+init_daemon_domain(msensord)
+#unconfined_domain(msensord)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : M-sensor daemon for access driver node
+allow msensord msensord_daemon:file { read open };
+allow msensord msensord_daemon2:file { read open };
+
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : M-sensor daemon for property operation
+allow msensord ctl_msensord_prop:property_service set;
+unix_socket_connect(msensord,property,init)
+
+allow msensord ctl_akmd8963_prop:property_service set;
+allow msensord ctl_akmd09911_prop:property_service set;
+allow msensord ctl_bmm050d_prop:property_service set;
+allow msensord ctl_bmm056d_prop:property_service set;
+allow msensord ctl_geomagneticd_prop:property_service set;
+allow msensord ctl_orientationd_prop:property_service set;
+allow msensord ctl_istd8303_prop:property_service set;
+allow msensord ctl_st480_prop:property_service set;
+allow msensord ctl_mmc3524xd_prop:property_service set;
+allow msensord ctl_mc6470d_prop:property_service set;
+allow msensord ctl_qmcX983d_prop:property_service set;
+allow msensord ctl_af7133e_prop:property_service set;
\ No newline at end of file
diff --git a/sepolicy/mtk_6620_launcher.te b/sepolicy/mtk_6620_launcher.te
new file mode 100644
index 0000000..064e4f5
--- /dev/null
+++ b/sepolicy/mtk_6620_launcher.te
@@ -0,0 +1,29 @@
+# ==============================================
+# Policy File of /system/binmtk_6620_launcher Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_6620_launcher_exec , exec_type, file_type;
+type mtk_6620_launcher ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+allow mtk_6620_launcher wmt_prop:property_service set;
+allow mtk_6620_launcher init:unix_stream_socket connectto;
+allow mtk_6620_launcher property_socket:sock_file write;
+allow mtk_6620_launcher stpwmt_device:chr_file { read write ioctl open };
+allow mtk_6620_launcher devpts:chr_file { read write };
+init_daemon_domain(mtk_6620_launcher)
diff --git a/sepolicy/mtk_agpsd.te b/sepolicy/mtk_agpsd.te
new file mode 100644
index 0000000..be84baf
--- /dev/null
+++ b/sepolicy/mtk_agpsd.te
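Review bot: `allow mtk_6620_launcher init:unix_stream_socket connectto;` and `allow mtk_6620_launcher property_socket:sock_file write;` spell out the property-service handshake by hand; `unix_socket_connect(mtk_6620_launcher, property, init)`, as msensord.te in the same commit uses, is the idiomatic single line. Placing `init_daemon_domain(mtk_6620_launcher)` after the allow rules, rather than directly under the `MTK Policy Rule` banner where every other file in this commit puts it, makes the domain transition easy to miss when reading. `allow mtk_6620_launcher devpts:chr_file { read write };` has no comment saying why a launcher daemon needs a pseudo-terminal.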
@@ -0,0 +1,39 @@
+# ==============================================
+# Policy File of /system/binmtk_agpsd Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_agpsd_exec , exec_type, file_type;
+type mtk_agpsd ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(mtk_agpsd)
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : for L bring-up
+net_domain(mtk_agpsd)
+allow mtk_agpsd mnld:unix_dgram_socket sendto;
+allow mtk_agpsd agps_device:chr_file rw_file_perms;
+allow mtk_agpsd agpsd_data_file:dir create_dir_perms;
+allow mtk_agpsd agpsd_data_file:file create_file_perms;
+allow mtk_agpsd agpsd_data_file:sock_file create_file_perms;
+allow mtk_agpsd fuse:dir create_dir_perms;
+allow mtk_agpsd fuse:file create_file_perms;
+allow mtk_agpsd ttySDIO_device:chr_file create_file_perms;
+allow mtk_agpsd eemcs_device:chr_file rw_file_perms;
+allow mtk_agpsd tmpfs:lnk_file create_file_perms;
\ No newline at end of file
diff --git a/sepolicy/mtkbt.te b/sepolicy/mtkbt.te
new file mode 100644
index 0000000..1de109d
--- /dev/null
+++ b/sepolicy/mtkbt.te
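Review bot: `allow mtk_agpsd ttySDIO_device:chr_file create_file_perms;` grants create/unlink/rename/setattr on a device node; a daemon that opens an existing tty needs `rw_file_perms`, which is what the `agps_device` and `eemcs_device` rules next to it already use. Likewise `allow mtk_agpsd tmpfs:lnk_file create_file_perms;` allows creating and removing symlinks in tmpfs, whereas mnld, mobile_log_d and mtkbt in this commit only ask for `read`; if the wider set is really needed it deserves a why-comment. The file lacks a trailing newline, as do mpud6050.te, msensord.te and mtkbt.te.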
@@ -0,0 +1,174 @@
+# ==============================================
+# Policy File of /system/binmtkbt Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtkbt_exec , exec_type, file_type;
+type mtkbt ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# permissive mtkbt;
+init_daemon_domain(mtkbt)
+# unconfined_domain(mtkbt)
+
+# Data : WK14.36
+# Operation : Migration
+# Purpose : Bt host stack files access & IPC mechanism
+allow mtkbt platformblk_device:blk_file { read write open };
+allow mtkbt self:udp_socket { create ioctl };
+# Date : WK14.37
+# Operation : Migration
+# Purpose : Bt host stack binder access & IPC mechanism
+binder_use(mtkbt)
+# Date : WK14.43
+# Operation : Migration
+# Purpose : Bt host stack binder access & IPC mechanism
+allow mtkbt bluetooth_service:service_manager add;
+
+# result of audit2allow
+allow mtkbt nvram_data_file:file { create setattr read write getattr open };
+allow mtkbt nvram_data_file:lnk_file read;
+allow mtkbt nvram_data_file:dir { write add_name search};
+allow mtkbt nvdata_file:file { create setattr read write getattr open };
+allow mtkbt nvdata_file:dir { write add_name search };
+
+allow mtkbt block_device:dir search;
+allow mtkbt bt_data_file:dir search;
+allow mtkbt bt_int_adp_socket:sock_file write;
+allow mtkbt platformblk_device:dir search;
+allow mtkbt self:netlink_socket { write bind create setopt };
+allow mtkbt sn:dir search;
+allow mtkbt sn:file { read getattr open };
+allow mtkbt sysfs_wake_lock:file { read write open };
+allow mtkbt MtkCodecService:dir search;
+allow mtkbt MtkCodecService:file { read getattr open };
+allow mtkbt aal:dir search;
+allow mtkbt aal:file { read getattr open };
+allow mtkbt atci_service:dir search;
+allow mtkbt atci_service:file { read getattr open };
+allow mtkbt atcid:dir search;
+allow mtkbt atcid:file { read getattr open };
+allow mtkbt autokd:dir search;
+allow mtkbt autokd:file { read getattr open };
+allow mtkbt batterywarning:dir search;
+allow mtkbt batterywarning:file { read getattr open };
+allow mtkbt bluetooth:unix_dgram_socket sendto;
+allow mtkbt bt_data_file:dir { write getattr read remove_name open add_name };
+allow mtkbt bt_data_file:file { write getattr read create unlink open append};
+allow mtkbt bluetooth:binder transfer;
+allow mtkbt bt_data_file:dir create;
+allow mtkbt bluetooth_data_file:dir search;
+allow mtkbt system_data_file:dir write;
+allow mtkbt system_data_file:dir add_name;
+allow mtkbt ccci_fsd:dir search;
+allow mtkbt ccci_fsd:file { read getattr open };
+allow mtkbt ccci_mdinit:dir search;
+allow mtkbt ccci_mdinit:file { read getattr open };
+allow mtkbt debuggerd:dir search;
+allow mtkbt debuggerd:file { read getattr open };
+allow mtkbt drmserver:dir search;
+allow mtkbt drmserver:file { read getattr open };
+allow mtkbt em_svr:dir search;
+allow mtkbt em_svr:file { read getattr open };
+allow mtkbt geomagneticd:dir search;
+allow mtkbt geomagneticd:file { read getattr open };
+allow mtkbt guiext-server:dir search;
+allow mtkbt guiext-server:file { read getattr open };
+allow mtkbt healthd:dir search;
+allow mtkbt healthd:file { read getattr open };
+allow mtkbt init:dir search;
+allow mtkbt init:file { read getattr open };
+allow mtkbt init:unix_stream_socket connectto;
+allow mtkbt installd:dir search;
+allow mtkbt installd:file { read getattr open };
+allow mtkbt kernel:dir search;
+allow mtkbt kernel:file { read getattr open };
+allow mtkbt keystore:dir search;
+allow mtkbt keystore:file { read getattr open };
+allow mtkbt lmkd:dir search;
+allow mtkbt lmkd:file { read getattr open };
+allow mtkbt logd:dir search;
+allow mtkbt logd:file { read getattr open };
+allow mtkbt mediaserver:dir search;
+allow mtkbt mediaserver:file { read getattr open };
+allow mtkbt mnld:dir search;
+allow mtkbt mnld:file { read getattr open };
+allow mtkbt mobile_log_d:dir search;
+allow mtkbt mobile_log_d:file { read getattr open };
+allow mtkbt mtk_6620_launcher:dir search;
+allow mtkbt mtk_6620_launcher:file { read getattr open };
+allow mtkbt mtk_agpsd:dir search;
+allow mtkbt mtk_agpsd:file { read getattr open };
+allow mtkbt netd:dir search;
+allow mtkbt netd:file { read getattr open };
+allow mtkbt netdiag:dir search;
+allow mtkbt netdiag:file { read getattr open };
+allow mtkbt nvram_agent_binder:dir search;
+allow mtkbt nvram_agent_binder:file { read getattr open };
+allow mtkbt orientationd:dir search;
+allow mtkbt orientationd:file { read getattr open };
+allow mtkbt ppl_agent:dir search;
+allow mtkbt ppl_agent:file { read getattr open };
+allow mtkbt proc_mtkcooler:dir search;
+allow mtkbt proc_mtktz:dir search;
+allow mtkbt property_socket:sock_file write;
+allow mtkbt resmon:dir search;
+allow mtkbt resmon:file { read getattr open };
+allow mtkbt self:capability net_admin;
+allow mtkbt self:netlink_socket read;
+allow mtkbt self:tun_socket create;
+allow mtkbt servicemanager:dir search;
+allow mtkbt servicemanager:file { read getattr open };
+allow mtkbt shell:dir search;
+allow mtkbt shell:file { read getattr open };
+allow mtkbt stpbt_device:chr_file { read write ioctl getattr open };
+allow mtkbt surfaceflinger:dir search;
+allow mtkbt surfaceflinger:file { read getattr open };
+allow mtkbt thermal:dir search;
+allow mtkbt thermal:file { read getattr open };
+allow mtkbt thermald:dir search;
+allow mtkbt thermald:file { read getattr open };
+allow mtkbt tun_device:chr_file { read write ioctl open };
+allow mtkbt ueventd:dir search;
+allow mtkbt ueventd:file { read getattr open };
+allow mtkbt uhid_device:chr_file { read write open };
+allow mtkbt vold:dir search;
+allow mtkbt vold:file { read getattr open };
+allow mtkbt wifi2agps:dir search;
+allow mtkbt wifi2agps:file { read getattr open };
+allow mtkbt zygote:dir search;
+allow mtkbt zygote:file { read getattr open };
+userdebug_or_eng(`
+allow mtkbt su:dir search;
+allow mtkbt su:file { read getattr open };
+')
+
+# prop
+allow mtkbt bt_prop:property_service set;
+allow mtkbt persist_bt_prop:property_service set;
+
+# add for ftp to create file on sdcard
+allow mtkbt tmpfs:lnk_file read;
+
+# add for BPP
+allow mtkbt bluetooth_data_file:file { read open getattr};
+allow mtkbt system_data_file:dir create;
+allow mtkbt fuse:dir { search write add_name write getattr read remove_name open };
+allow mtkbt fuse:file { read open getattr write create unlink };
+
+allow mtkbt system_data_file:dir { read remove_name };
+allow mtkbt nvram_device:chr_file open;
\ No newline at end of file
diff --git a/sepolicy/mtkrild.te b/sepolicy/mtkrild.te
new file mode 100644
index 0000000..65c6e73
--- /dev/null
+++ b/sepolicy/mtkrild.te
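Review bot: The long `# result of audit2allow` block grants `<domain>:dir search` and `<domain>:file { read getattr open }` for roughly fifty other process domains (keystore, init, kernel, zygote, su under userdebug_or_eng, …), which is read access to those processes' /proc entries; audit2allow output like this should be reduced to the specific access the Bluetooth stack needs (it looks like a process scan, presumably for one /proc/<pid> file) with a comment naming it, not committed wholesale. `allow mtkbt self:capability net_admin;`, `self:tun_socket create` and `tun_device:chr_file { read write ioctl open }` give a Bluetooth daemon the ability to reconfigure networking; each needs a one-line purpose note (BT tethering/PAN would be the obvious candidate, but the file should say so). `allow mtkbt fuse:dir { search write add_name write getattr read remove_name open };` lists `write` twice.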
@@ -0,0 +1,88 @@
+# ==============================================
+# Policy File of /system/bin/mtkrild Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtkrild_exec , exec_type, file_type;
+type mtkrild ,domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(mtkrild)
+net_domain(mtkrild)
+allow mtkrild self:netlink_route_socket nlmsg_write;
+allow mtkrild kernel:system module_request;
+unix_socket_connect(mtkrild, property, init)
+allow mtkrild self:capability { setuid net_admin net_raw };
+allow mtkrild alarm_device:chr_file rw_file_perms;
+allow mtkrild cgroup:dir create_dir_perms;
+allow mtkrild radio_device:chr_file rw_file_perms;
+allow mtkrild radio_device:blk_file r_file_perms;
+allow mtkrild mtd_device:dir search;
+allow mtkrild efs_file:dir create_dir_perms;
+allow mtkrild efs_file:file create_file_perms;
+allow mtkrild shell_exec:file rx_file_perms;
+allow mtkrild bluetooth_efs_file:file r_file_perms;
+allow mtkrild bluetooth_efs_file:dir r_dir_perms;
+allow mtkrild radio_data_file:dir rw_dir_perms;
+allow mtkrild radio_data_file:file create_file_perms;
+allow mtkrild sdcard_type:dir r_dir_perms;
+allow mtkrild system_data_file:dir r_dir_perms;
+allow mtkrild system_data_file:file r_file_perms;
+allow mtkrild system_file:file x_file_perms;
+allow mtkrild proc:file write;
+allow mtkrild proc_net:file write;
+allow mtkrild eemcs_device:chr_file { read write };
+allow mtkrild eemcs_device:chr_file open;
+allow mtkrild eemcs_device:chr_file ioctl;
+
+# property service
+allow mtkrild radio_prop:property_service set;
+allow mtkrild net_radio_prop:property_service set;
+allow mtkrild system_radio_prop:property_service set;
+allow mtkrild persist_ril_prop:property_service set;
+auditallow mtkrild net_radio_prop:property_service set;
+auditallow mtkrild system_radio_prop:property_service set;
+
+# Read/Write to uart driver (for GPS)
+allow mtkrild gps_device:chr_file rw_file_perms;
+
+allow mtkrild tty_device:chr_file rw_file_perms;
+
+# Allow mtkrild to create and use netlink sockets.
+allow mtkrild self:netlink_socket create_socket_perms;
+allow mtkrild self:netlink_kobject_uevent_socket create_socket_perms;
+
+# Access to wake locks
+wakelock_use(mtkrild)
+
+allow mtkrild self:socket create_socket_perms;
+allow mtkrild Vcodec_device:chr_file { read write open };
+allow mtkrild devmap_device:chr_file { read ioctl open };
+allow mtkrild devpts:chr_file { read write open };
+allow mtkrild self:capability dac_override;
+
+allow mtkrild ccci_device:chr_file { read write ioctl open };
+allow mtkrild devpts:chr_file ioctl;
+allow mtkrild misc_device:chr_file { read write open };
+allow mtkrild platformblk_device:blk_file { read write open };
+allow mtkrild proc_lk_env:file rw_file_perms;
+allow mtkrild sysfs_vcorefs_pwrctrl:file { open write };
+allow mtkrild ril_active_md_prop:property_service set;
+allow mtkrild ril_mux_report_case_prop:property_service set;
+allow mtkrild ctl_muxreport-daemon_prop:property_service set;
+allow mtkrild persist_service_atci_prop:property_service set;
+allow mtkrild block_device:dir search;
+allow mtkrild platformblk_device:dir search;
+allow mtkrild platform_app:fd use;
+allow mtkrild radio:fd use;
+
+# For emulator
+allow mtkrild qemu_pipe_device:chr_file rw_file_perms;
+allow mtkrild socket_device:sock_file write;
diff --git a/sepolicy/mtkrildmd2.te b/sepolicy/mtkrildmd2.te
new file mode 100644
index 0000000..030e329
--- /dev/null
+++ b/sepolicy/mtkrildmd2.te
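Review bot: This file and mtkrildmd2.te are near-verbatim copies of each other (everything from `init_daemon_domain` through the `# For emulator` block), which will drift — they already differ in the `qemu_pipe_device` permissions and in the emd_device/ttyACM/pppd rules that only mtkrildmd2 has. A shared attribute or m4 macro (say, an `mtk_ril_domain` pattern applied to both types) would keep the common grants in one place; at minimum a comment in each file should point at the other. Within this file `devpts:chr_file { read write open }` and `devpts:chr_file ioctl`, and the three `eemcs_device:chr_file` rules, should each be a single rule. `allow mtkrild proc:file write;` and `proc_net:file write` are broad; they appear to mirror AOSP's rild policy of the period, but a note naming the sysctl or /proc/net file actually written would let them be narrowed later.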
@@ -0,0 +1,94 @@
+# ==============================================
+# Policy File of /system/bin/mtkrildmd2 Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtkrildmd2_exec , exec_type, file_type;
+type mtkrildmd2 ,domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(mtkrildmd2)
+net_domain(mtkrildmd2)
+allow mtkrildmd2 self:netlink_route_socket nlmsg_write;
+allow mtkrildmd2 kernel:system module_request;
+unix_socket_connect(mtkrildmd2, property, init)
+allow mtkrildmd2 self:capability { setuid net_admin net_raw };
+allow mtkrildmd2 alarm_device:chr_file rw_file_perms;
+allow mtkrildmd2 cgroup:dir create_dir_perms;
+allow mtkrildmd2 radio_device:chr_file rw_file_perms;
+allow mtkrildmd2 radio_device:blk_file r_file_perms;
+allow mtkrildmd2 mtd_device:dir search;
+allow mtkrildmd2 efs_file:dir create_dir_perms;
+allow mtkrildmd2 efs_file:file create_file_perms;
+allow mtkrildmd2 shell_exec:file rx_file_perms;
+allow mtkrildmd2 bluetooth_efs_file:file r_file_perms;
+allow mtkrildmd2 bluetooth_efs_file:dir r_dir_perms;
+allow mtkrildmd2 radio_data_file:dir rw_dir_perms;
+allow mtkrildmd2 radio_data_file:file create_file_perms;
+allow mtkrildmd2 sdcard_type:dir r_dir_perms;
+allow mtkrildmd2 system_data_file:dir r_dir_perms;
+allow mtkrildmd2 system_data_file:file r_file_perms;
+allow mtkrildmd2 system_file:file x_file_perms;
+allow mtkrildmd2 proc:file write;
+allow mtkrildmd2 proc_net:file write;
+allow mtkrildmd2 eemcs_device:chr_file { read write };
+allow mtkrildmd2 eemcs_device:chr_file open;
+allow mtkrildmd2 eemcs_device:chr_file ioctl;
+
+# property service
+allow mtkrildmd2 radio_prop:property_service set;
+allow mtkrildmd2 net_radio_prop:property_service set;
+allow mtkrildmd2 system_radio_prop:property_service set;
+allow mtkrildmd2 persist_ril_prop:property_service set;
+auditallow mtkrildmd2 net_radio_prop:property_service set;
+auditallow mtkrildmd2 system_radio_prop:property_service set;
+
+# Read/Write to uart driver (for GPS)
+allow mtkrildmd2 gps_device:chr_file rw_file_perms;
+
+allow mtkrildmd2 tty_device:chr_file rw_file_perms;
+
+# Allow mtkrildmd2 to create and use netlink sockets.
+allow mtkrildmd2 self:netlink_socket create_socket_perms;
+allow mtkrildmd2 self:netlink_kobject_uevent_socket create_socket_perms;
+
+# Access to wake locks
+wakelock_use(mtkrildmd2)
+
+allow mtkrildmd2 self:socket create_socket_perms;
+
+allow mtkrildmd2 Vcodec_device:chr_file { read write open };
+allow mtkrildmd2 devmap_device:chr_file { read ioctl open };
+allow mtkrildmd2 devpts:chr_file { read write open };
+allow mtkrildmd2 self:capability dac_override;
+
+allow mtkrildmd2 ccci_device:chr_file { read write ioctl open };
+allow mtkrildmd2 devpts:chr_file ioctl;
+allow mtkrildmd2 misc_device:chr_file { read write open };
+allow mtkrildmd2 platformblk_device:blk_file { read write open };
+allow mtkrildmd2 proc_lk_env:file rw_file_perms;
+allow mtkrildmd2 sysfs_vcorefs_pwrctrl:file { open write };
+allow mtkrildmd2 ril_active_md_prop:property_service set;
+allow mtkrildmd2 ril_mux_report_case_prop:property_service set;
+allow mtkrildmd2 ctl_muxreport-daemon_prop:property_service set;
+allow mtkrildmd2 persist_service_atci_prop:property_service set;
+allow mtkrildmd2 block_device:dir search;
+allow mtkrildmd2 platformblk_device:dir search;
+allow mtkrildmd2 emd_device:chr_file { read write open };
+allow mtkrildmd2 emd_device:chr_file ioctl;
+allow mtkrildmd2 platform_app:fd use;
+allow mtkrildmd2 radio:fd use;
+
+# For emulator
+allow mtkrildmd2 qemu_pipe_device:chr_file { read write };
+allow mtkrildmd2 socket_device:sock_file write;
+
+allow mtkrildmd2 ttyACM_device:chr_file { read write ioctl open };
+allow mtkrildmd2 pppd_gprs_prop:property_service set;
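Review bot: This file is a line-for-line copy of mtkrild.te with the domain name swapped, so the two policies will drift (they already differ on `qemu_pipe_device`: `rw_file_perms` in mtkrild versus `{ read write }` here) and every over-broad grant in the first file, including `platformblk_device:blk_file { read write open }` and `self:capability dac_override`, is duplicated here. Declare a shared attribute for the common rules, e.g. `attribute mtk_rild_domain;` with `typeattribute mtkrild mtk_rild_domain;` and `typeattribute mtkrildmd2 mtk_rild_domain;`, and keep only the md2-specific `emd_device`, `ttyACM_device` and `pppd_gprs_prop` lines in this file. That way tightening one RIL domain cannot silently leave the second modem's daemon over-privileged.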
diff --git a/sepolicy/mtp.te b/sepolicy/mtp.te
new file mode 100644
index 0000000..7b20973
--- /dev/null
+++ b/sepolicy/mtp.te
@@ -0,0 +1,4 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
diff --git a/sepolicy/muxreport.te b/sepolicy/muxreport.te
new file mode 100644
index 0000000..159ff71
--- /dev/null
+++ b/sepolicy/muxreport.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/binmuxreport Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type muxreport_exec , exec_type, file_type;
+type muxreport ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive muxreport;
+init_daemon_domain(muxreport)
+allow muxreport ccci_device:chr_file { read write ioctl open };
+allow muxreport ril_mux_report_case_prop:property_service set;
+allow muxreport init:unix_stream_socket connectto;
+allow muxreport property_socket:sock_file write;
+allow muxreport devpts:chr_file { read write getattr ioctl };
+allow muxreport self:capability dac_override;
+allow muxreport eemcs_device:chr_file { read write ioctl open };
+allow muxreport emd_device:chr_file { read write open };
diff --git a/sepolicy/net.te b/sepolicy/net.te
new file mode 100644
index 0000000..9432fd2
--- /dev/null
+++ b/sepolicy/net.te
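Review bot: In muxreport.te, `allow muxreport init:unix_stream_socket connectto;` and `allow muxreport property_socket:sock_file write;` are the hand-expanded form of the property-service grant; the mtkrild hunk in this series writes it as `unix_socket_connect(mtkrild, property, init)`, and this file should use `unix_socket_connect(muxreport, property, init)` so the grant is recognisable and follows any change to the macro. `allow muxreport self:capability dac_override;` carries no Purpose line saying which file fails the DAC check; the only file-like targets in the hunk are device nodes and `devpts`, so the right fix is more likely a correct owner/mode in ueventd.rc than a capability that bypasses DAC on every file. The header path `/system/binmuxreport` is missing a slash, which matters if these headers are ever matched against file_contexts.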
@@ -0,0 +1,25 @@
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# Network types
+
+# Use network sockets.
+allow netdomain self:{ tcp_socket udp_socket } *;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
+# Get route information.
+allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..a94eaee
--- /dev/null
+++ b/sepolicy/netd.te
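Review bot: The `netdomain` rules in this hunk, from `allow netdomain self:{ tcp_socket udp_socket } *;` through the `dnsproxyd` connect, look like a copy of the platform net.te rather than device-specific additions, while the `MTK Policy Rule` section that follows is empty. If this directory is merged on top of the core policy the duplicates are harmless today, but they will silently keep the wide `*` socket grant alive if upstream ever narrows it; if it replaces the core policy, that needs saying, because `netdomain`, `port_type` and `node_type` are declared elsewhere. Either drop the copied block or add a header such as `# Mirrors the platform net.te netdomain rules; keep in sync` so the origin is visible to the next reviewer.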
@@ -0,0 +1,120 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+type dhcp6s_exec,exec_type,file_type;
+
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : wifi
+allow netd wmtWifi_device:chr_file { write open };
+
+allow netd kernel:system module_request;
+allow netd self:capability sys_module;
+allow netd self:capability fsetid;
+
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : property_service for wifi
+allow netd mtk_wifi_prop:property_service set;
+
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : APP
+allow netd platform_app:fd use;
+allow netd platform_app_tmpfs:file write;
+
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : PPPOE Test
+allow netd ppp:process sigkill;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : MDLogger USB logging
+allow netd mdlogger:fd use;
+allow netd mdlogger:tcp_socket { read write };
+allow netd mdlogger:tcp_socket { getopt setopt };
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : network logging
+allow netd netdiag:fd use;
+allow netd netdiag:udp_socket { read write getopt setopt};
+
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : ipv6 Tethering Test
+#============= netd ==============
+allow netd dhcp6s_exec:file execute;
+allow netd dhcp_data_file:dir { read search write add_name remove_name };
+allow netd dhcp_data_file:file { read write create open getattr unlink};
+
+allow netd radvd_data_file:dir { read write search add_name remove_name};
+allow netd radvd_data_file:file { read write create open unlink};
+
+allow netd self:capability { setuid net_bind_service setgid };
+allow netd wide_dhcpv6_data_file:dir { read search write add_name remove_name};
+allow netd wide_dhcpv6_data_file:file { read write create open getattr unlink};
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow netd volte_stack:fd use;
+allow netd volte_stack:tcp_socket { read write setopt getopt };
+allow netd volte_stack:udp_socket { read write setopt getopt };
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : ALPS01774455[Need Patch] [Sanity Fail][95E2 L][WFD][EE]EE occur when connect dongle1
+allow netd device:file { open write };
+
+
+# Date : WK14.44
+# Operation : Migration
+# Purpose : ALPS01789552
+#============= netd ==============
+allow netd self:capability { setuid setgid };
+
+
+#============= netd ==============
+allow netd isolated_app_tmpfs:file write;
+
+# Date : W14.52
+# Operation : Migration
+# Purpose : add ePDG support
+allow netd ipsec:fd use;
+allow netd ipsec:tcp_socket { read write setopt getopt };
+
+#============= netd ==============
+allow netd untrusted_app:fd use;
+allow netd untrusted_app_tmpfs:file write;
+
+#============= netd ==============
+# Date : W14.53
+# Operation : Migration
+# Purpose : For volte_imcb ut
+allow netd volte_imcb:fd use;
+allow netd volte_imcb:tcp_socket { read write };
+allow netd volte_imcb:tcp_socket getopt;
+allow netd volte_imcb:tcp_socket setopt;
+
+
+# Date : W15.02
+# Operation : SQC
+# Purpose : CTS for wifi
+allow netd untrusted_app:unix_stream_socket { read write getopt setopt};
+
+allow netd isolated_app:fd use;
+
+
+#============= netd ==============
+allow netd radio_tmpfs:file write;
+
+
+
diff --git a/sepolicy/netdiag.te b/sepolicy/netdiag.te
new file mode 100644
index 0000000..71da394
--- /dev/null
+++ b/sepolicy/netdiag.te
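Review bot: `allow netd device:file { open write };` under the ALPS01774455 block grants write on every file still carrying the generic `device` type, which is the signature of an unlabelled /dev node; the node should get its own label in file_contexts and this line should go, otherwise any future unlabelled device file is writable by netd. `allow netd self:capability sys_module;` together with `allow netd kernel:system module_request;` (under `# Purpose : wifi`) lets netd load kernel modules, so a netd compromise through its command socket becomes kernel code execution; if the platform policy already grants this the lines are redundant, and if not the Purpose line should at least name the module and why init cannot load it. `allow netd self:capability { setuid setgid };` under ALPS01789552 repeats the `{ setuid net_bind_service setgid }` grant above it and one copy should be removed. The `untrusted_app`/`isolated_app` `fd use` and `*_tmpfs:file write` grants have no Purpose lines at all and deserve one each, since they let netd write into memory shared with untrusted code.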
@@ -0,0 +1,72 @@
+# ==============================================
+# Policy File of /system/binnetdiag Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type netdiag_exec , exec_type, file_type;
+type netdiag ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive netdiag;
+init_daemon_domain(netdiag)
+#unconfined_domain(netdiag)
+
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : for L early bring-up
+allow netdiag shell_exec:file execute_no_trans;
+allow netdiag sdcard_internal:dir { write search read create open add_name };
+allow netdiag sdcard_internal:file { write create open getattr };
+allow netdiag self:packet_socket { write ioctl setopt read getopt create };
+allow netdiag fuse:dir { remove_name write search read remove_name open add_name create};
+allow netdiag fuse:file { rename write getattr read create open unlink};
+
+allow netdiag init:unix_stream_socket connectto;
+allow netdiag property_socket:sock_file write;
+allow netdiag self:capability { setuid net_raw setgid };
+allow netdiag shell_exec:file { read execute open };
+allow netdiag tmpfs:lnk_file read;
+allow netdiag domain:dir search;
+allow netdiag domain:file { read open };
+#/proc/3523/net/xt_qtaguid/ctrl & /proc
+allow netdiag qtaguid_proc:file { read getattr open };
+
+allow netdiag self:capability net_admin;
+allow netdiag self:udp_socket create;
+allow netdiag system_file:file execute_no_trans;
+#/system/bin/aee
+#allow netdiag aee_exec:file { read getattr open execute execute_no_trans };
+
+#ping
+allow netdiag dnsproxyd_socket:sock_file write;
+allow netdiag fwmarkd_socket:sock_file write;
+allow netdiag netd:unix_stream_socket connectto;
+
+#ip
+allow netdiag self:netlink_route_socket { write getattr setopt read bind create nlmsg_read };
+
+allow netdiag net_data_file:file { read getattr open };
+allow netdiag net_data_file:dir search;
+allow netdiag self:rawip_socket { getopt create };
+allow netdiag self:udp_socket ioctl;
+
+#for network log property
+allow netdiag debug_netlog_prop:property_service set;
+allow netdiag persist_mtklog_prop:property_service set;
+allow netdiag debug_mtklog_prop:property_service set;
+
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..00b09d3
--- /dev/null
+++ b/sepolicy/nfc.te
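Review bot: `allow netdiag domain:dir search;` and `allow netdiag domain:file { read open };` grant read on the `/proc/<pid>/` files of every process on the device, not just the `/proc/<pid>/net/xt_qtaguid/ctrl` path the comment names, and that path is already covered by the `qtaguid_proc:file { read getattr open }` line that follows. Keep `domain:dir search` for traversing `/proc/<pid>/`, drop `domain:file { read open }`, and re-test under audit to confirm nothing else is hit. The same domain holds `net_raw`, `net_admin`, a `packet_socket` and both `shell_exec:file execute_no_trans` and `system_file:file execute_no_trans`, so any shell script it runs inherits sniffing capability inside netdiag; if scripts are unavoidable, name them in a comment such as `# runs /system/bin/<script> without a domain transition` so the exposure is documented. The property-socket pair should also be written `unix_socket_connect(netdiag, property, init)` as the mtkrild hunk does.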
@@ -0,0 +1,104 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access nfc_socket.
+
+allow nfc nfc_socket:dir { write remove_name add_name search };
+allow nfc nfc_socket:sock_file { write create setattr unlink };
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access custom file.
+
+allow nfc custom_file:dir getattr;
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access mt6605_device ( nfc device node ) .
+
+allow nfc mt6605_device:chr_file { read write getattr open ioctl };
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access nfc data file.
+
+allow nfc nfc_data_file:dir { write remove_name add_name search create setattr };
+allow nfc nfc_data_file:file { read getattr open rename write ioctl setattr create unlink };
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access SD card for debug purpose.
+
+allow nfc sdcard_internal:dir { write remove_name search create add_name };
+allow nfc sdcard_internal:file { read write getattr open rename create };
+allow nfc sdcard_external:dir { write add_name search };
+allow nfc sdcard_external:file { read write getattr open create };
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission for update screen (activity,dialog,animation, ex: Nfc Beam)
+
+allow nfc guiext-server:binder call;
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission for WFD
+
+allow nfc surfaceflinger:dir search;
+allow nfc surfaceflinger:file { read getattr open };
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : For Mdlogger
+
+allow nfc node:tcp_socket node_bind;
+allow nfc port:tcp_socket name_bind;
+allow nfc self:tcp_socket { setopt read bind create accept write getattr connect getopt listen };
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : For NFC-JNI
+
+allow nfc zygote:unix_stream_socket { getopt getattr };
+
+
+# ==============================================
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : For VPN
+
+allow nfc init:unix_stream_socket { write read setopt };
+
+
+# ==============================================
+# Date : 2015/03/11
+# Operation : SQC
+# Purpose : For platform_app_tmpfs
+allow nfc platform_app_tmpfs:file write;
+
+
+# allow nfc init_tmpfs:file read;
+# allow nfc adbd:unix_stream_socket setopt;
+# allow nfc dumpstate:fd use;
+# allow nfc dumpstate:unix_stream_socket { read write getopt getattr };
diff --git a/sepolicy/nvram_agent_binder.te b/sepolicy/nvram_agent_binder.te
new file mode 100644
index 0000000..27d5ee2
--- /dev/null
+++ b/sepolicy/nvram_agent_binder.te
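Review bot: The `# Purpose : For Mdlogger` block (`node:tcp_socket node_bind`, `port:tcp_socket name_bind`, and `self:tcp_socket { ... bind ... accept ... listen }`) lets the NFC process open a listening TCP socket on any port, which is a logging aid rather than anything NFC needs on a user build. Wrap that block, and the `# Set NFC permission to access SD card for debug purpose.` sdcard rules above it, in the `userdebug_or_eng(` ... `)` macro (with m4 quotes around the rules) if the tree's te_macros provides it, so neither the listener nor the SD card writes exist on user builds. `allow nfc init:unix_stream_socket { write read setopt };` under `# For VPN` has no stated connection to NFC; if it is really a property set it should be `unix_socket_connect(nfc, property, init)` with the matching `*_prop:property_service set`, so please confirm which socket is meant.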
@@ -0,0 +1,70 @@
+# ==============================================
+# Policy File of /system/binnvram_agent_binder Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type nvram_agent_binder_exec , exec_type, file_type;
+type nvram_agent_binder ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# permissive nvram_agent_binder;
+init_daemon_domain(nvram_agent_binder)
+
+
+# Date : WK14.35
+# Operation : access nvram by binder
+# Purpose : ensure nvram user can access nvram file normally.
+binder_use(nvram_agent_binder)
+binder_service(nvram_agent_binder)
+
+# Date : WK14.35
+# Operation : access nvram by binder
+# Purpose : ensure nvram user can access nvram file normally.
+allow nvram_agent_binder nvram_agent_service:service_manager add;
+
+
+# Date : WK14.43
+# Operation : 2rd Selinux Migration
+# Purpose : the role of nvram_agent_binder is same with nvram_daemon except property_set & exect permission
+allow nvram_agent_binder mmcblk_device:blk_file rw_file_perms;
+allow nvram_agent_binder platformblk_device:blk_file rw_file_perms;
+allow nvram_agent_binder nvram_data_file:dir create_dir_perms;
+allow nvram_agent_binder nvram_data_file:file create_file_perms;
+allow nvram_agent_binder nvram_data_file:lnk_file read;
+allow nvram_agent_binder nvdata_file:dir create_dir_perms;
+allow nvram_agent_binder nvdata_file:file create_file_perms;
+
+allow nvram_agent_binder system_file:file execute_no_trans;
+
+allow nvram_agent_binder als_ps_device:chr_file { read ioctl open };
+allow nvram_agent_binder mtk-adc-cali_device:chr_file { read write ioctl open };
+allow nvram_agent_binder gsensor_device:chr_file { read ioctl open };
+allow nvram_agent_binder gyroscope_device:chr_file { read ioctl open };
+allow nvram_agent_binder init:unix_stream_socket connectto;
+allow nvram_agent_binder platformblk_device:dir search;
+allow nvram_agent_binder property_socket:sock_file write;
+allow nvram_agent_binder sysfs:file write;
+allow nvram_agent_binder system_data_file:file { open };
+allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
+allow nvram_agent_binder system_data_file:dir {create write add_name};
+
+# Purpose: for backup
+allow nvram_agent_binder nvram_device:chr_file {read write open ioctl};
+allow nvram_agent_binder pro_info_device:chr_file {read write open ioctl};
+allow nvram_agent_binder block_device:dir search;
+
+allow nvram_agent_binder app_data_file:file write;
diff --git a/sepolicy/nvram_daemon.te b/sepolicy/nvram_daemon.te
new file mode 100644
index 0000000..9e98646
--- /dev/null
+++ b/sepolicy/nvram_daemon.te
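Review bot: `allow nvram_agent_binder app_data_file:file write;` at the very end of the hunk is the only rule without a Date/Purpose header, and it lets this binder service write into any app's private data; if the intent is writing through a file descriptor an app passes over binder, say so, e.g. `# Purpose : write back through an fd received from the calling app`, and pair it with the matching `<app_domain>:fd use` rule, otherwise drop it. `allow nvram_agent_binder sysfs:file write;` targets the generic `sysfs` type rather than one node; label the entry being written and allow only that type. The header says this domain matches nvram_daemon "except property_set & exect permission", yet `system_file:file execute_no_trans` and the `init:unix_stream_socket connectto` / `property_socket:sock_file write` pair are both present, so either the comment or the rules are stale. The `mmcblk_device:blk_file rw_file_perms` grant covers every raw eMMC partition and should be narrowed to a dedicated label for the backup region.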
@@ -0,0 +1,73 @@
+# ==============================================
+# Policy File of /system/binnvram_daemon Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type nvram_daemon_exec , exec_type, file_type;
+type nvram_daemon ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# permissive nvram_daemon;
+init_daemon_domain(nvram_daemon)
+
+
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : the device is used to store Nvram backup data that can not be lost.
+allow nvram_daemon mmcblk_device:blk_file rw_file_perms;
+allow nvram_daemon platformblk_device:blk_file rw_file_perms;
+
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : the option is used to tell that if other processes can access nvram.
+allow nvram_daemon system_prop:property_service set;
+
+
+# Date : WK14.35
+# Operation : chown folder and file permission
+# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L.
+allow nvram_daemon shell_exec:file { x_file_perms read open };
+allow nvram_daemon nvram_data_file:dir create_dir_perms;
+allow nvram_daemon nvram_data_file:file create_file_perms;
+allow nvram_daemon nvram_data_file:lnk_file read;
+allow nvram_daemon nvdata_file:dir create_dir_perms;
+allow nvram_daemon nvdata_file:file create_file_perms;
+
+allow nvram_daemon system_file:file execute_no_trans;
+
+# Date : WK14.43
+allow nvram_daemon als_ps_device:chr_file { read ioctl open };
+allow nvram_daemon mtk-adc-cali_device:chr_file { read write ioctl open };
+allow nvram_daemon gsensor_device:chr_file { read ioctl open };
+allow nvram_daemon gyroscope_device:chr_file { read ioctl open };
+allow nvram_daemon init:unix_stream_socket connectto;
+allow nvram_daemon platformblk_device:dir search;
+
+# Purpose: for property set
+allow nvram_daemon property_socket:sock_file write;
+allow nvram_daemon sysfs:file write;
+allow nvram_daemon self:capability { fowner chown dac_override fsetid };
+
+allow nvram_daemon system_data_file:dir {create write add_name};
+
+# Purpose: for backup
+allow nvram_daemon nvram_device:chr_file {read write open ioctl};
+allow nvram_daemon pro_info_device:chr_file {read write open ioctl};
+
+allow nvram_daemon block_device:dir search;
diff --git a/sepolicy/orientationd.te b/sepolicy/orientationd.te
new file mode 100644
index 0000000..f4ade22
--- /dev/null
+++ b/sepolicy/orientationd.te
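Review bot: `allow nvram_daemon system_prop:property_service set;` under `# Purpose : the option is used to tell that if other processes can access nvram.` grants set on every property labelled `system_prop`, not only the one nvram-ready flag; give that property its own type in property_contexts (e.g. `nvram_init_prop`) and allow only it, otherwise the daemon can rewrite unrelated system properties. The `shell_exec:file { x_file_perms read open }` and `system_file:file execute_no_trans` lines mean whatever shell or toolbox runs the chown/chmod step keeps `{ fowner chown dac_override fsetid }` in this domain; if the KK-to-L fix-up is a one-time migration, a comment saying when those two lines can be removed would help. `allow nvram_daemon mmcblk_device:blk_file rw_file_perms;` covers every raw eMMC partition, so the backup region described in the WK14.31 Purpose line should get its own label and only that label should be writable here.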
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/binorientationd Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type orientationd_exec , exec_type, file_type;
+type orientationd ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive orientationd;
+init_daemon_domain(orientationd)
+#unconfined_domain(orientationd)
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : access sensor data and do calibration
+allow orientationd gsensor_device:chr_file { read ioctl open };
+allow orientationd input_device:chr_file { read write ioctl open };
+allow orientationd input_device:dir { read search open };
\ No newline at end of file
diff --git a/sepolicy/permission_check.te b/sepolicy/permission_check.te
new file mode 100644
index 0000000..05634c6
--- /dev/null
+++ b/sepolicy/permission_check.te
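Review bot: `allow orientationd input_device:chr_file { read write ioctl open };` grants write on every input device node, which is the ability to inject input events, while the Purpose line only describes reading sensor data and calibrating. If calibration needs an ioctl on the node, keep `{ read ioctl open }` and drop `write`; if a write is genuinely required, name the node and the reason in the comment. The file also ends without a trailing newline (`\ No newline at end of file`), which should be fixed so a later append does not fuse with the last rule.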
@@ -0,0 +1,53 @@
+# ==============================================
+# Policy File of /system/binpermission_check Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type permission_check_exec , exec_type, file_type;
+type permission_check ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive permission_check;
+init_daemon_domain(permission_check)
+#unconfined_domain(permission_check)
+
+allow permission_check persist_md_prop: property_service set;
+
+allow permission_check init:unix_stream_socket connectto;
+allow permission_check nvram_data_file:dir { rw_dir_perms setattr };
+allow permission_check nvram_data_file:file { write create open setattr getattr };
+allow permission_check nvram_data_file:lnk_file read;
+allow permission_check nvdata_file:dir { rw_dir_perms setattr };
+allow permission_check nvdata_file:file { write create open setattr getattr };
+
+allow permission_check property_socket:sock_file write;
+
+allow permission_check protect_f_data_file:dir { read getattr open setattr search };
+allow permission_check protect_s_data_file:dir { read getattr open setattr search };
+allow permission_check protect_f_data_file:file { getattr setattr };
+allow permission_check protect_s_data_file:file { getattr setattr };
+
+allow permission_check self:capability { fowner chown dac_override fsetid };
+allow permission_check shell_exec:file { read execute open execute_no_trans };
+allow permission_check system_file:file { read getattr open execute execute_no_trans };
+
+allow permission_check ccci_cfg_file:dir create_dir_perms;
+allow permission_check ccci_cfg_file:file create_file_perms;
+
+allow permission_check mdlog_data_file:dir { read search setattr open };
+allow permission_check mdlog_data_file:fifo_file setattr;
+allow permission_check mdlog_data_file:file setattr;
\ No newline at end of file
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..00a3db1
--- /dev/null
+++ b/sepolicy/platform_app.te
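Review bot: `allow permission_check system_file:file { read getattr open execute execute_no_trans };` together with `shell_exec:file { read execute open execute_no_trans }` runs any /system binary or shell script inside a domain holding `{ fowner chown dac_override fsetid }`, so whatever tool this daemon shells out to inherits ownership-changing power over everything it can reach. Prefer doing the chown/chmod from the daemon itself and dropping both `execute_no_trans` grants, or give the helper its own domain with a transition. The `init:unix_stream_socket connectto` / `property_socket:sock_file write` pair should be written `unix_socket_connect(permission_check, property, init)` as the mtkrild hunk does, and `persist_md_prop: property_service` should lose the stray space after the colon for consistency with every other rule. This file is also missing its trailing newline.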
@@ -0,0 +1,177 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# permissive platform_app;
+
+# Date : 2014/07/22
+# Operation : Migration
+# Purpose : mtk_agpsd establishes the local socket as agpsd for all A-GPS
+# application to do something with mtk_agpsd
+unix_socket_connect(platform_app, agpsd, mtk_agpsd);
+
+# Date : 2014/08/21
+# Operation : Migration
+# Purpose : FMRadio enable driver access permission for fmradio hardware device
+# Package: com.mediatek.fmradio
+allow platform_app fm_device:chr_file rw_file_perms;
+
+# Date: 2014/08/22
+# Operation: Migration
+# Purpose: enable drawing picture/texture in OpenGl environment for gallery3d
+# Package: com.android.gallery3d
+# add debugfs policy for MMProfile
+allow platform_app debugfs:file { read ioctl };
+
+# Date: 2014/09/05
+# Operation: FullUT
+# Purpose: [SystemUI] [Bind to guiext-server for updating view][path:hardware/gui_ext/]
+# Package: com.android.systemui
+allow platform_app guiext-server:binder { transfer call };
+
+# Date : 2014/09/11
+# Operation : Migration
+# Purpose : MTKLogger need setup local socket with netdiag
+# Package: com.mediatek.mtklogger
+allow platform_app netdiag_socket:sock_file write;
+
+# Date : 2014/09/11
+# Operation : Migration
+# Purpose : MTKLogger need setup local socket with netdiag
+# Package: com.mediatek.mtklogger
+allow platform_app netdiag:unix_stream_socket connectto;
+
+# Date : 2014/09/11
+# Operation : Migration
+# Purpose : MTKLogger need setup local socket with mobile_log_d
+# Package: com.mediatek.mtklogger
+allow platform_app mobile_log_d:unix_stream_socket connectto;
+
+# Date : 2014/09/11
+# Operation : Migration
+# Purpose : MTKLogger need setup local socket with mdlogger
+# Package: com.mediatek.mtklogger
+allow platform_app mdlogger:unix_stream_socket connectto;
+
+# Date : 2014/09/18
+# Operation : Migration
+# Purpose : MTKLogger need setup local socket with emdlogger
+# Package: com.mediatek.mtklogger
+allow platform_app emdlogger:unix_stream_socket connectto;
+
+
+# Date : 2014/09/23
+# Operation : Migration
+# Purpose : camera process need to read cpu temperature from /proc/mtktz/mtktscpu path
+# Package: com.android.gallery3d
+allow platform_app proc_mtktz:dir search;
+allow platform_app proc_mtktz:file read;
+
+# Date : 2014/09/26
+# Operation : Migration
+# Purpose : camera app need to r/w camera_isp_device file for lomo effect
+# Package: com.android.gallery3d
+allow platform_app camera_isp_device:chr_file rw_file_perms;
+
+# Date : 2014/10/17
+# Operation : Migration
+# Purpose :Make MTKLogger or VIASaber apk can Access TTYSDIO_device
+# Package: com.mediatek.mtklogger
+allow platform_app ttySDIO_device:chr_file rw_file_perms;
+
+# Date : 2014/10/21
+# Operation : SQC
+# Purpose : [ALPS01772746] Permission denied for backup App data
+# Package: com.mediatek.backuprestore
+unix_socket_connect(platform_app, backuprestore, br_app_data_service);
+# Date : 2014/10/23
+# Operation : Migration
+# Purpose : stress suspend resume test
+# Package: Suspend Resume
+allow platform_app mtk_kpd_device:chr_file rw_file_perms;
+
+# Date : 2014/10/27
+# Operation : SQC
+# Purpose : [ALPS01785313] Permission denied for dump hprof
+# Package: com.android.gallery3d
+allow platform_app anr_data_file:file rw_file_perms;
+
+# Date : 2014/10/28
+# Operation : hs_xiangxu
+# Purpose : [ALPS01782971]Settings need read&write to system_app_data_file
+# Package: com.android.settings
+allow platform_app system_app_data_file:file {read write};
+
+# Date : 2014/10/28
+# Operation : Migration
+# Purpose : [VoiceWakeup][allow VoiceCommand to do something with vow device]
+# Package: com.mediatek.voicecommand
+allow platform_app vow_device:chr_file rw_file_perms;
+
+# Date : 2014/11/12
+# Operation : Migration
+# Purpose : MTKLogger need copy db from data folder
+# Package: com.mediatek.mtklogger
+allow platform_app aee_exp_data_file:file r_file_perms;
+allow platform_app aee_exp_data_file:dir r_dir_perms;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for MTK Emulator HW GPU
+allow platform_app qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : 2014/11/14
+# Operation: SQC
+# Purpose: [ALPS01824827][SystemUI] [RenderThread][open device file failed]
+# Package: com.android.systemui
+allow platform_app proc_secmem:file r_file_perms;
+
+# Date : 2014/11/14
+# Operation : Migration
+# Purpose : MTKLogger need update md config file in data for mode changed
+# Package: com.mediatek.mtklogger
+allow platform_app mdlog_data_file:file rw_file_perms;
+allow platform_app mdlog_data_file:dir rw_dir_perms;
+
+# Date : 2014/11/17
+# Operation : Migration
+# Purpose : Gallery needs to access video codec to encode motion track video
+# Package: com.android.gallery3d
+allow platform_app Vcodec_device:chr_file { read write ioctl open };
+
+# Date : 2014/11/17
+# Operation : Migration
+# Purpose : AALTool to access /dev/als_ps for light sensor calibration
+# Package: com.mediatek.aaltool
+allow platform_app als_ps_device:chr_file { read open ioctl };
+
+# Date : 2014/11/19
+# Operation : Migration
+# Purpose : FileManager can access attribute of file execute
+# Package: com.mediatek.filemanager
+allow platform_app fuse:file execute;
+
+# Date : 2014/11/21
+# Operation : Migration
+# Purpose : Gallery needs to search radio data when send mms
+# Package: com.android.gallery3d
+allow platform_app radio_data_file:dir search;
+
+# Date : 2014/12/07
+# Operation : Migration
+# Purpose : MTKLogger need setup local socket with cmddumper
+# Package: com.mediatek.mtklogger
+allow platform_app init:unix_stream_socket connectto;
+allow platform_app cmddumper:unix_stream_socket connectto;
+
+# Date : 2014/12/30
+# Operation : TUI Migration
+# Purpose : TUI service need to access tui device driver
+# Package: com.trustonic.tuiservice.TuiService
+allow platform_app mobicore_tui_device:chr_file { read open ioctl };
+
+# Date : 2015/01/13
+# Operation : New feature for GPS Log
+# Purpose : MTKLogger need setup local socket with mnld
+# Package: com.mediatek.mtklogger
+allow platform_app mnld:unix_stream_socket connectto;
diff --git a/sepolicy/poad.te b/sepolicy/poad.te
new file mode 100644
index 0000000..baf899a
--- /dev/null
+++ b/sepolicy/poad.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /system/binpoad Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type poad_exec , exec_type, file_type;
+type poad ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+init_daemon_domain(poad)
+
diff --git a/sepolicy/ppl_agent.te b/sepolicy/ppl_agent.te
new file mode 100644
index 0000000..0bf67df
--- /dev/null
+++ b/sepolicy/ppl_agent.te
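Review bot: Every rule in platform_app.te is justified for a single package (gallery3d, mtklogger, settings, the TUI service), but `platform_app` is the domain of every app signed with the platform key, so `camera_isp_device:chr_file rw_file_perms`, `ttySDIO_device:chr_file rw_file_perms`, `mtk_kpd_device:chr_file rw_file_perms`, `anr_data_file:file rw_file_perms` and `system_app_data_file:file {read write}` also reach SystemUI, Settings and any other platform-signed app. Give the heavy users (mtklogger, gallery3d) their own domains via seapp_contexts `seinfo`/`name` entries and move their rules there, leaving platform_app with only what all of them need. `allow platform_app init:unix_stream_socket connectto;` under `# MTKLogger need setup local socket with cmddumper` connects to init's socket, not to cmddumper (the next line does that); if it is really a property set it should be `unix_socket_connect(platform_app, property, init)` plus a matching `*_prop:property_service set`, otherwise it is a leftover. `allow platform_app fuse:file execute;` under "FileManager can access attribute of file execute" grants execute on files under /storage, which is more than an attribute check needs.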
@@ -0,0 +1,58 @@
+# ==============================================
+# Policy File of /system/bin/ppl_agent Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type ppl_agent_exec , exec_type, file_type;
+type ppl_agent ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(ppl_agent)
+
+# Date : 2014/09/11
+# Operation : Migration
+# Purpose : [Privacy protection lock][allow com.mediatek.ppl binder IPC to ppl_agent service]
+# Package name : com.mediatek.ppl
+binder_use(ppl_agent)
+binder_service(ppl_agent)
+
+# Date : 2014/10/16
+# Operation : QC
+# Purpose : [Privacy protection lock][ppl_agent call FileOp_BackupToBinRegionForDM to do nvram backup]
+# Package name : com.mediatek.ppl
+allow ppl_agent mmcblk_device:blk_file rw_file_perms;
+allow ppl_agent platformblk_device:blk_file rw_file_perms;
+
+# Date : 2014/10/24
+# Operation : Migration
+# Purpose : [Privacy protection lock][ppl_agent call FileOp_BackupToBinRegionForDM to do nvram backup]
+# Package name : com.mediatek.ppl
+allow ppl_agent platformblk_device:dir search;
+allow ppl_agent block_device:dir search;
+
+# Data : 2014/10/24
+# Operation : Migration
+# Purpose : [Privacy protection lock][ppl_agent need access nvram data file for backup restore function]
+# Package name : com.mediatek.ppl
+allow ppl_agent nvram_data_file:dir create_dir_perms;
+allow ppl_agent nvram_data_file:file create_file_perms;
+allow ppl_agent nvram_data_file:lnk_file read;
+allow ppl_agent nvdata_file:dir create_dir_perms;
+allow ppl_agent nvdata_file:file create_file_perms;
+
+# Data : 2014/10/24
+# Operation : Migration
+# Purpose : [Privacy protection lock][Allow ServiceManager add this service]
+# Package name : ServiceManager
+allow ppl_agent ppl_agent_service:service_manager add;
+# Data : 2014/10/31
+# Operation : QC
+# Purpose : [Privacy protection lock][ppl_agent need access nvram data file for backup restore function on MT6582]
+# Package name : ServiceManager
+allow ppl_agent nvram_device:chr_file { read write ioctl open };
\ No newline at end of file
diff --git a/sepolicy/ppp.te b/sepolicy/ppp.te
new file mode 100644
index 0000000..c2c5333
--- /dev/null
+++ b/sepolicy/ppp.te
@@ -0,0 +1,42 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose: for VPN
+
+allow ppp init:unix_stream_socket connectto;
+allow ppp property_socket:sock_file write;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose: for PPPOE Test
+
+allow ppp devpts:chr_file { read write ioctl open setattr };
+allow ppp self:capability { setuid net_raw setgid dac_override };
+allow ppp self:packet_socket { write ioctl setopt read bind create };
+allow ppp shell_exec:file { read execute open execute_no_trans };
+
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose: for PPPOE Test: Property permission
+
+allow ppp pppoe_ppp0_prop:property_service set;
+allow ppp net_radio_prop:property_service set;
+allow ppp system_prop:property_service set;
+
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose: for PPPOE Test
+
+allow ppp ppp_exec:file execute_no_trans;
+
+# Date : WK14.53
+# Operation : check in
+# Purpose: for warning kernel API
+allow ppp mtp:file read;
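Review bot: `allow ppl_agent mmcblk_device:blk_file rw_file_perms;` and the `platformblk_device:blk_file` rule give a binder-reachable daemon read and write on every block node carrying those two types, while the Purpose line says only a nvram bin region is written for backup. A dedicated label for the partition ppl_agent actually touches, assigned in file_contexts, would keep the remaining partitions out of reach; if the region can only be found at runtime, saying so in the comment makes the breadth a recorded decision rather than an accident. Three comment headers read `# Data :` where the rest of the file uses `# Date :`.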
\ No newline at end of file
diff --git a/sepolicy/pppd_dt.te b/sepolicy/pppd_dt.te
new file mode 100644
index 0000000..9351ec2
--- /dev/null
+++ b/sepolicy/pppd_dt.te
@@ -0,0 +1,38 @@
+# ==============================================
+# Policy File of /system/binpppd_dt Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type pppd_dt_exec , exec_type, file_type;
+type pppd_dt ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+init_daemon_domain(pppd_dt)
+allow pppd_dt self:capability { setgid setuid net_admin };
+allow pppd_dt property_socket:sock_file write;
+allow pppd_dt dnsproxyd_socket:sock_file write;
+allow pppd_dt init:unix_stream_socket connectto;
+allow pppd_dt self:udp_socket { ioctl create };
+allow pppd_dt netd:unix_stream_socket connectto;
+allow pppd_dt ttyACM_device:chr_file { read write ioctl open getattr };
+allow pppd_dt ppp_device:chr_file { read write ioctl open };
+allow pppd_dt system_file:file execute_no_trans;
+allow pppd_dt shell_exec:file { read open execute };
+allow pppd_dt net_radio_prop:property_service set;
+allow pppd_dt pppoe_ppp0_prop:property_service set;
+allow pppd_dt system_prop:property_service set;
diff --git a/sepolicy/pppd_via.te b/sepolicy/pppd_via.te
new file mode 100644
index 0000000..fee7b10
--- /dev/null
+++ b/sepolicy/pppd_via.te
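Review bot: The `dac_override` capability and `allow ppp shell_exec:file { read execute open execute_no_trans };` are annotated only `# Purpose: for PPPOE Test`, yet they apply on every build; together they let the ppp domain run the shell and bypass file mode bits. If they exist for a test rig, wrapping that block in `userdebug_or_eng(` as resmon.te does in this commit keeps them out of user builds; otherwise the Purpose line should name the production path that needs them. `allow ppp system_prop:property_service set;` also grants set on the whole system_prop type where a dedicated type, as declared for pppoe_ppp0_prop in property.te, would do. The ppp domain's type declaration is not in this hunk.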
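Review bot: `allow pppd_dt system_file:file execute_no_trans;` lets the daemon run any system binary inside its own domain, alongside `{ setgid setuid net_admin }`, and the file gives no reason for a rule that broad; a narrower exec type for the helper pppd actually invokes would be preferable. `allow pppd_dt shell_exec:file { read open execute };` omits execute_no_trans, so unless a domain transition for shell_exec is declared elsewhere this rule on its own presumably does not let pppd_dt execute the shell and may be a leftover. A Date/Operation/Purpose header like the other files in this commit carry would record which of these rules are intended.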
@@ -0,0 +1,55 @@
+# ==============================================
+# Policy File of /system/bin/pppd_via Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type pppd_via_exec , exec_type, file_type;
+type pppd_via ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+#permissive pppd_via;
+init_daemon_domain(pppd_via)
+#unconfined_domain(pppd_via)
+
+
+allow pppd_via self:udp_socket create;
+allow pppd_via system_file:file execute_no_trans;
+allow pppd_via ttySDIO_device:chr_file { read write open setattr getattr ioctl };
+allow pppd_via dnsproxyd_socket:sock_file write;
+allow pppd_via init:unix_stream_socket connectto;
+allow pppd_via netd:unix_stream_socket connectto;
+allow pppd_via ppp_device:chr_file { read write ioctl open };
+allow pppd_via property_socket:sock_file write;
+allow pppd_via self:capability { setuid net_admin dac_override };
+allow pppd_via self:udp_socket ioctl;
+allow pppd_via system_data_file:file open;
+allow pppd_via net_radio_prop:property_service set;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/sepolicy/pq.te b/sepolicy/pq.te
new file mode 100644
index 0000000..bc8ae7f
--- /dev/null
+++ b/sepolicy/pq.te
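Review bot: `allow pppd_via system_data_file:file open;` grants open with neither read nor write, and an open is also checked against the requested access mode, so on its own this rule is presumably either ineffective or depends on a rule outside this file; it should name the mode it needs or be dropped. The two `self:udp_socket` rules (`create` and `ioctl`) can be merged into one line, and the fourteen blank lines before end of file are noise. As in pppd_dt.te in this commit, `dac_override` and `system_file:file execute_no_trans` arrive without a Purpose line; one sentence per rule would let a later reviewer judge whether they are still needed.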
@@ -0,0 +1,40 @@
+# ==============================================
+# Policy File of /system/binpq Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type pq_exec , exec_type, file_type;
+type pq ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive pq;
+init_daemon_domain(pq)
+# unconfined_domain(pq)
+
+# Date : 2014/10/16
+# Operation : Migration
+# Purpose : for enforcing
+allow pq system_prop:property_service set;
+allow pq graphics_device:chr_file { read write open ioctl };
+
+
+# Date : 2014/10/29
+# Operation : Migration
+# Purpose : for enforcing
+allow pq init:unix_stream_socket connectto;
+allow pq property_socket:sock_file write;
+allow pq tmpfs:lnk_file read;
\ No newline at end of file
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..4345d1b
--- /dev/null
+++ b/sepolicy/property.te
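Review bot: `allow pq system_prop:property_service set;` grants set on the entire system_prop type for a picture-quality daemon, whereas the rest of this commit declares dedicated types in property.te for such cases, and both `# Purpose : for enforcing` comments omit which property pq writes, so the rule cannot be narrowed later without retesting. Recording the name, e.g. `# Purpose : pq sets <property name placeholder> at boot`, and mapping that prefix to its own type in property_contexts would tighten this.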
@@ -0,0 +1,157 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+type mtk_default_prop, property_type;
+
+# Date: W14.32
+# Operation: Migration
+# Purpose: don't allow to use default_prop
+neverallow { domain -init } default_prop:property_service set;
+neverallow { domain -init -system_server -recovery } ctl_default_prop:property_service set;
+
+#=============allow ccci_mdinit to start gsm0710muxd==============
+type ctl_gsm0710muxd_prop, property_type;
+type ctl_gsm0710muxd-s_prop, property_type;
+type ctl_gsm0710muxd-d_prop, property_type;
+type ctl_gsm0710muxdmd2_prop, property_type;
+#=============allow ccci_mdinit to ctl. mdlogger==============
+type ctl_mdlogger_prop, property_type;
+type ctl_emdlogger1_prop, property_type;
+type ctl_emdlogger2_prop, property_type;
+type ctl_dualmdlogger_prop, property_type;
+#=============allow eemcs_mdinit to start mdlogger==========
+type ctl_eemcs_fmdl_prop, property_type;
+#type ctl_emdlogger5_prop, property_type;
+
+#=============allow mtkrild to set persist.ril property==============
+type persist_ril_prop, property_type;
+#=============allow terserver to set terservice property==============
+type terservice_prop, property_type;
+#=============allow gsm0710muxd to set mux property==============
+type gsm0710muxd_prop, property_type;
+
+#=============allow netlog running==============
+type debug_mtklog_prop, property_type;
+type persist_mtklog_prop, property_type;
+type debug_netlog_prop, property_type;
+#=============allow system_server to set media.wfd.*==============
+type media_wfd_prop, property_type;
+
+#=============allow netd to set mtk_wifi.*=========================
+type mtk_wifi_prop, property_type;
+
+#=============allow mdlogger==============
+type debug_mdlogger_prop, property_type;
+
+#=============allow AEE==============
+type persist_mtk_aee_prop, property_type;
+type persist_aee_prop, property_type;
+type debug_mtk_aee_prop, property_type;
+
+#=============allow aee_dumpstate==============
+type debug_bq_dump_prop, property_type;
+
+#=============allow ccci_mdinit to stop rild==============
+type ctl_ril-daemon-mtk_prop, property_type;
+type ctl_ril-daemon-s_prop, property_type;
+type ctl_ril-daemon-d_prop, property_type;
+type ctl_ril-daemon-md2_prop, property_type;
+
+#=============allow ccci_mdinit to start ccci_fsd==============
+type ctl_ccci_fsd_prop, property_type;
+type ctl_ccci2_fsd_prop, property_type;
+
+#=============allow ccci_mdinit to start ccci_rpcd==============
+type ctl_ccci_rpcd_prop, property_type;
+type ctl_ccci2_rpcd_prop, property_type;
+
+#=============allow ccci_mdinit to set ril_active_md_prop==============
+type ril_active_md_prop, property_type;
+
+#=============allow ccci_mdinit to stop rild==============
+type ril_mux_report_case_prop, property_type;
+type ril_cdma_report_prop, property_type;
+
+#=============allow ccci_mdinit to mtk_md_prop==============
+type mtk_md_prop, property_type;
+
+#=============allow mtkrild to start muxreport==============
+type ctl_muxreport-daemon_prop, property_type;
+
+#=============allow ppp to set pppoe.ppp0==============
+type pppoe_ppp0_prop, property_type;
+
+#=============allow rild to start pppd_via==============
+type ctl_pppd_via_prop, property_type;
+
+#=============allow mediatek_prop ==============
+type mediatek_prop, property_type;
+
+#=============allow bootanim==============
+type bootani_prop, property_type;
+
+#=============allow mnld_prop==============
+type mnld_prop, property_type;
+
+#=============allow audiohal==============
+type audiohal_prop, property_type;
+
+#=============allow contrl ril3gd===========
+type ctl_ril3gd_prop, property_type;
+
+#=============allow contrl zpppd_gprs===========
+type ctl_zpppdgprs_prop, property_type;
+
+#=============allow DM==============
+type persist_dm_prop, property_type;
+type ctl_rbfota_prop, property_type;
+
+#=============allow ipod==============
+type ipod_prop, property_type;
+type ctl_ipod_prop, property_type;
+
+#=============allow wmt==============
+type wmt_prop, property_type;
+
+#=============allow atcid==============
+type ctl_atcid-daemon-u_prop, property_type;
+type ctl_atci_service_prop, property_type;
+type persist_service_atci_prop, property_type;
+#============= permission_check ==============
+type persist_md_prop, property_type;
+
+#=============allow sensor==============
+type ctl_msensord_prop, property_type;
+type ctl_akmd8963_prop, property_type;
+type ctl_akmd09911_prop, property_type;
+type ctl_bmm050d_prop, property_type;
+type ctl_bmm056d_prop, property_type;
+type ctl_geomagneticd_prop, property_type;
+type ctl_orientationd_prop, property_type;
+type ctl_emcsmdlogger_prop, property_type;
+type ctl_eemcs_fsd_prop, property_type;
+type ctl_istd8303_prop, property_type;
+type ctl_st480_prop, property_type;
+type ctl_mmc3524xd_prop, property_type;
+type ctl_mc6470d_prop, property_type;
+type ctl_qmcX983d_prop, property_type;
+type ctl_af7133e_prop, property_type;
+#=============allow statusd==============
+type net_cdma_mdmstat, property_type;
+type cdma_prop, property_type;
+
+#=============allow saveLocale==============
+type save_locale_prop, property_type;
+
+#=============allow bt==============
+type bt_prop, property_type;
+type persist_bt_prop, property_type;
+
+#=============allow ccci_mdinit EVDO ==============
+type mtk_tele_prop, property_type;
+
+#=============allow pppd ==============
+type pppd_gprs_prop, property_type;
+
+#=============allow wifi offload deamon ==============
+type mtk_wod_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..0e733e7
--- /dev/null
+++ b/sepolicy/property_contexts
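Review bot: `type net_cdma_mdmstat, property_type;` is the only declaration in the file without the `_prop` suffix every other property type uses, and property_contexts in this commit maps `net.cdma.mdmstat` to it, so renaming it `net_cdma_mdmstat_prop` in both places would keep the convention. The heading `#=============allow ccci_mdinit to stop rild==============` appears twice; the second copy sits over `ril_mux_report_case_prop` and `ril_cdma_report_prop`, which are not ctl. properties, so a heading naming those two properties would be accurate. The two neverallow rules on `default_prop` and `ctl_default_prop` are the right guard and are what makes the dedicated types below necessary.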
@@ -0,0 +1,166 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+#=============allow ccci_mdinit to start gsm0710muxd==============
+ctl.gsm0710muxd u:object_r:ctl_gsm0710muxd_prop:s0
+ctl.gsm0710muxd-s u:object_r:ctl_gsm0710muxd-s_prop:s0
+ctl.gsm0710muxd-d u:object_r:ctl_gsm0710muxd-d_prop:s0
+ctl.gsm0710muxdmd2 u:object_r:ctl_gsm0710muxdmd2_prop:s0
+
+#=============allow ccci_mdinit to ctl. mdlogger==============
+ctl.mdlogger u:object_r:ctl_mdlogger_prop:s0
+ctl.emdlogger1 u:object_r:ctl_emdlogger1_prop:s0
+ctl.emdlogger2 u:object_r:ctl_emdlogger2_prop:s0
+ctl.dualmdlogger u:object_r:ctl_dualmdlogger_prop:s0
+#=============allow eemcs_mdinit to start mdlogger==========
+ctl.eemcs_fmdl u:object_r:ctl_eemcs_fmdl_prop:s0
+#ctl.emdlogger5 u:object_r:ctl_emdlogger5_prop:s0
+
+#=============allow mtkrild to set persist.ril property==============
+persist.ril u:object_r:persist_ril_prop:s0
+#=============allow terservice to set terservice property==============
+persist.ter u:object_r:terservice_prop:s0
+
+#=============allow netlog==============
+#debug.mtklog.init.flag
+debug.mtklog u:object_r:debug_mtklog_prop:s0
+#persist.mtklog.log2sd.path
+persist.mtklog u:object_r:persist_mtklog_prop:s0
+#debug.netlog.stopreason
+debug.netlog u:object_r:debug_netlog_prop:s0
+
+#=============allow system_server to set media.wfd.*==============
+media.wfd. u:object_r:media_wfd_prop:s0
+
+#=============allow netd to set mtk_wifi.*========================
+mtk_wifi. u:object_r:mtk_wifi_prop:s0
+
+#=============allow mdlogger==============
+debug.mdlogger u:object_r:debug_mdlogger_prop:s0
+
+#=============allow AEE==============
+# persist.mtk.aee.mode && persist.mtk.aee.dal
+persist.mtk.aee u:object_r:persist_mtk_aee_prop:s0
+
+# persist.aee.core.dump && persist.aee.core.direct
+persist.aee u:object_r:persist_aee_prop:s0
+
+# debug.mtk.aee.db
+debug.mtk.aee u:object_r:debug_mtk_aee_prop:s0
+
+#=============allow AEE_Dumpstate==============
+debug.bq.dump u:object_r:debug_bq_dump_prop:s0
+
+#=============allow mux==============
+ril.mux. u:object_r:gsm0710muxd_prop:s0
+
+#=============allow vold==============
+persist.vold. u:object_r:vold_prop:s0
+ctl.sdcard u:object_r:ctl_fuse_prop:s0
+
+#=============allow mdinit==============
+ctl.ril-daemon-mtk u:object_r:ctl_ril-daemon-mtk_prop:s0
+ctl.ril-daemon-s u:object_r:ctl_ril-daemon-s_prop:s0
+ctl.ril-daemon-d u:object_r:ctl_ril-daemon-d_prop:s0
+ctl.ril-daemon-md2 u:object_r:ctl_ril-daemon-md2_prop:s0
+
+ctl.ccci_fsd u:object_r:ctl_ccci_fsd_prop:s0
+ctl.ccci2_fsd u:object_r:ctl_ccci2_fsd_prop:s0
+ctl.ccci_rpcd u:object_r:ctl_ccci_rpcd_prop:s0
+ctl.ccci2_rpcd u:object_r:ctl_ccci2_rpcd_prop:s0
+ctl.muxreport-daemon u:object_r:ctl_muxreport-daemon_prop:s0
+
+ril.active.md u:object_r:ril_active_md_prop:s0
+ril.mux.report.case u:object_r:ril_mux_report_case_prop:s0
+ril.cdma.report u:object_r:ril_cdma_report_prop:s0
+
+#=============allow pppd_via==============
+ctl.pppd_via u:object_r:ctl_pppd_via_prop:s0
+
+#=============allow ppp to set pppoe.ppp0.*========================
+pppoe.ppp0. u:object_r:pppoe_ppp0_prop:s0
+
+#=============allow mediatek_prop ==============
+mediatek. u:object_r:mediatek_prop:s0
+
+#=============allow bootanim==============
+persist.bootanim. u:object_r:bootani_prop:s0
+
+#=============allow mnld_prop ==============
+gps.clock.type u:object_r:mnld_prop:s0
+gps.gps.version u:object_r:mnld_prop:s0
+
+#=============allow audiohal==============
+streamout. u:object_r:audiohal_prop:s0
+af. u:object_r:audiohal_prop:s0
+streamin. u:object_r:audiohal_prop:s0
+a2dp. u:object_r:audiohal_prop:s0
+persist.af. u:object_r:audiohal_prop:s0
+
+#=============allow tedongle to set tedongle.*=============
+tedongle. u:object_r:radio_prop:s0
+ctl.ril-3gddaemon u:object_r:ctl_ril3gd_prop:s0
+ctl.zpppd_gprs u:object_r:ctl_zpppdgprs_prop:s0
+
+#=============allow DM==============
+# persist.dm.lock
+persist.dm. u:object_r:persist_dm_prop:s0
+# dm fota
+ctl.rbfota u:object_r:ctl_rbfota_prop:s0
+
+#=============allow atcid==============
+ctl.atcid-daemon-u u:object_r:ctl_atcid-daemon-u_prop:s0
+ctl.atci_service u:object_r:ctl_atci_service_prop:s0
+persist.service.atci. u:object_r:persist_service_atci_prop:s0
+
+#=============allow ipod==============
+ctl.ipod u:object_r:ctl_ipod_prop:s0
+ipo.ipoh. u:object_r:ipod_prop:s0
+persist.ipoh. u:object_r:ipod_prop:s0
+
+#=============allow wmt ==============
+persist.mtk.wcn u:object_r:wmt_prop:s0
+service.wcn u:object_r:wmt_prop:s0
+
+#============= permission_check ==============
+#persist.md.perm.checked
+persist.md u:object_r:persist_md_prop:s0
+
+#=============allow sensor daemon==============
+ctl.msensord u:object_r:ctl_msensord_prop:s0
+ctl.bmm050d u:object_r:ctl_bmm050d_prop:s0
+ctl.bmm056d u:object_r:ctl_bmm056d_prop:s0
+ctl.akmd8963 u:object_r:ctl_akmd8963_prop:s0
+ctl.akmd09911 u:object_r:ctl_akmd09911_prop:s0
+ctl.geomagneticd u:object_r:ctl_geomagneticd_prop:s0
+ctl.orientationd u:object_r:ctl_orientationd_prop:s0
+ctl.emdlogger5 u:object_r:ctl_emcsmdlogger_prop:s0
+ctl.eemcs_fsd u:object_r:ctl_eemcs_fsd_prop:s0
+ctl.istd8303 u:object_r:ctl_istd8303_prop:s0
+ctl.st480 u:object_r:ctl_st480_prop:s0
+ctl.mmc3524xd u:object_r:ctl_mmc3524xd_prop:s0
+ctl.mc6470d u:object_r:ctl_mc6470d_prop:s0
+ctl.qmcX983d u:object_r:ctl_qmcX983d_prop:s0
+ctl.af7133e u:object_r:ctl_af7133e_prop:s0
+#=============allow statusd==============
+net.cdma.mdmstat u:object_r:net_cdma_mdmstat:s0
+
+#=============allow c2k_prop ==============
+cdma. u:object_r:cdma_prop:s0
+
+#=============allow saveLocale==============
+user.language u:object_r:save_locale_prop:s0
+user.region u:object_r:save_locale_prop:s0
+
+#=============allow bt prop==============
+bt. u:object_r:bt_prop:s0
+persist.bt. u:object_r:persist_bt_prop:s0
+#=============allow ccci_mdinit EVDO ==============
+mtk_telephony u:object_r:mtk_tele_prop:s0
+#=============allow ccci_mdinit md status ==============
+mtk.md u:object_r:mtk_md_prop:s0
+#=============allow pppd ==============
+ctl.pppd_gprs u:object_r:pppd_gprs_prop:s0
+
+#=============allow wifi offload deamon ==============
+net.wo. u:object_r:mtk_wod_prop:s0
diff --git a/sepolicy/pvrsrvctl.te b/sepolicy/pvrsrvctl.te
new file mode 100644
index 0000000..84a8ccc
--- /dev/null
+++ b/sepolicy/pvrsrvctl.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Policy File of /system/bin/pvrsrvctl Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type pvrsrvctl, domain;
+type pvrsrvctl_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(pvrsrvctl)
+
+allow pvrsrvctl self:capability sys_admin;
+allow pvrsrvctl gpu_device:chr_file rw_file_perms;
+allow pvrsrvctl self:capability sys_module;
+
diff --git a/sepolicy/racoon.te b/sepolicy/racoon.te
new file mode 100644
index 0000000..7b20973
--- /dev/null
+++ b/sepolicy/racoon.te
@@ -0,0 +1,4 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..7af090c
--- /dev/null
+++ b/sepolicy/radio.te
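Review bot: `tedongle. u:object_r:radio_prop:s0` labels a vendor prefix with the generic AOSP radio_prop type, so every domain already allowed `radio_prop:property_service set` (ril-3gddaemon in this commit among them) can also set tedongle.*; a dedicated type, as done for `pppoe.ppp0.` a few lines above, would confine it. Entries in this file are prefix matches, so `persist.ril`, `persist.md` and `mtk.md` written without a trailing dot also cover any longer property name that begins with those characters; adding the dot where a namespace is intended makes the scope explicit. `persist.vold.` and `ctl.sdcard` reference `vold_prop` and `ctl_fuse_prop`, which property.te in this commit does not declare; they are presumably defined by the base policy, which deserves a comment since every other type here is declared locally.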
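Review bot: `allow pvrsrvctl self:capability sys_admin;` and `allow pvrsrvctl self:capability sys_module;` grant two of the broadest capabilities to a GPU service control daemon with no comment on what it does with them; sys_module in particular lets the domain load kernel modules, so the rule should name the module or operation that needs it so it can be revisited. The two capability rules are separated by an unrelated line and read better merged as `allow pvrsrvctl self:capability { sys_admin sys_module };` under a Date/Operation/Purpose header like the other files in this commit use.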
@@ -0,0 +1,133 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+allow radio custom_file:dir getattr;
+#violate never allow rule
+#allow radio device:chr_file { read write ioctl open getattr };
+allow radio dm_agent_binder:binder call;
+allow radio rild2_socket:sock_file write;
+allow radio rild3_socket:sock_file write;
+allow radio rild4_socket:sock_file write;
+allow radio rild_via_socket:sock_file write;
+allow radio rild_md2_socket:sock_file write;
+allow radio sdcard_internal:dir { write create add_name };
+allow radio sdcard_internal:file { read write getattr open create };
+##violate never allow rule
+#allow radio sysfs:file write;
+##violate never allow rule
+#allow radio system_data_file:file append;
+allow radio zygote:unix_stream_socket { getopt getattr };
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : for mtkrild and viarild
+allow radio mtkrild:unix_stream_socket connectto;
+allow radio mtkrildmd2:unix_stream_socket connectto;
+allow radio statusd:unix_stream_socket connectto;
+
+# Date : WK14.38 2014/09/16
+# Operation : Migration
+# Purpose : for engineermode
+allow radio mediatek_prop:property_service set;
+allow radio em_svr:unix_stream_socket connectto;
+allow radio mt_otg_test_device:chr_file { read write ioctl open };
+allow radio mtgpio_device:chr_file { read ioctl open };
+allow radio platformblk_device:dir search;
+allow radio stpbt_device:chr_file { read write open };
+allow radio stpant_device:chr_file { read write open };
+allow radio bt_int_adp_socket:sock_file write;
+allow radio mtkbt:unix_dgram_socket sendto;
+allow radio guiext-server:binder { transfer call };
+allow radio persist_ril_prop:property_service set;
+allow radio mt6605_device:chr_file { read write ioctl open getattr };
+allow radio nfc_socket:dir { write add_name remove_name search };
+allow radio nfc_socket:sock_file { create write unlink setattr };
+allow radio system_prop:property_service set;
+
+# Date: wk14.40
+# Operation : SQC
+# Purpose : [ALPS01756200] wwop boot up fail
+allow radio custom_file:dir { search getattr open read };
+allow radio custom_file:file { read open getattr};
+
+# C2K System Property
+allow radio cdma_prop:property_service set;
+
+# Date : 2014/10/13
+# Operation : IT
+# Purpose : mtk_agpsd establishes the local socket as agpsd for all A-GPS
+# application to do something with mtk_agpsd
+unix_socket_connect(radio, agpsd, mtk_agpsd)
+
+# Date : 2014/10/14
+# Operation : IT
+# Purpose : for IMSA connect to volte_imsa1 provided by imcb process
+unix_socket_connect(radio, volte_imsa1, volte_imcb)
+
+# Date : 2014/10/16
+# Operation : IT
+# Purpose : for TTLIA apk connect to rild_atci by mtkrild process
+allow radio rild_atci_socket:sock_file write;
+
+# Date : 2014/10/17
+# Operation : IT
+# Purpose : Talks to ril-3gddaemon via the rild-dongle socket.
+unix_socket_connect(radio, rild-dongle, ril-3gddaemon)
+
+# Date : 2014/10/20
+# Operation : IT
+# Purpose : enable ATCId in engineer mode.
+allow radio ctl_atcid-daemon-u_prop:property_service set;
+allow radio ctl_atci_service_prop:property_service set;
+allow radio persist_service_atci_prop:property_service set;
+
+# Date : 2014/11/05
+# Operation : IT
+# Purpose : for IMS_RILA connect to rild_ims provided by mtkrild process
+unix_socket_connect(radio, rild_ims, mtkrild)
+
+# Purpose : allow to access kpd driver file
+allow radio sysfs_keypad_file:dir { open write };
+allow radio sysfs_keypad_file:file { open write };
+
+# Date : 2014/12/13
+# Operation : IT
+# Purpose : for bluetooth relayer mode
+allow radio block_device:dir search;
+allow radio ttyGS_device:chr_file { open read write ioctl };
+
+# Date : 2014/12/26
+# Operation : IT
+# Purpose : for engineermode sensor can work normal
+allow radio als_ps_device:chr_file { read open ioctl };
+
+# Date : 2015/01/20
+# Operation : IT
+# Purpose : for engineermode Usb PHY Tuning
+allow radio debugfs:file { read getattr };
+
+# Date : 2015/01/21
+# Operation : IT
+# Purpose : C2K rild
+allow radio rild_atci_md2_socket:sock_file write;
+allow radio rild_atci_c2k_socket:sock_file write;
+
+# Date : WK15.05 2015/01/26
+# Operation : IT
+# Purpose : for engineermode camera
+allow radio debug_prop:property_service set;
+
+# Date : 2015/04/11
+# Operation : VT development
+# Purpose : for VT usage
+allow radio vtservice:binder call;
+allow radio vtservice:binder transfer;
+allow vtservice self:capability dac_override;
+allow vtservice soc_vt_svc_socket:sock_file write;
+allow vtservice soc_vt_tcv_socket:sock_file write;
+allow vtservice platform_app:binder call;
+allow vtservice system_server:binder call;
+allow vtservice fuse:dir write;
+allow vtservice surfaceflinger:fd use;
+allow vtservice tmpfs:lnk_file read;
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
new file mode 100644
index 0000000..a4a253f
--- /dev/null
+++ b/sepolicy/recovery.te
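Review bot: The eight `allow vtservice ...` rules at the end of the hunk configure a different domain from the one this file is named for; vtservice policy belongs in its own vtservice.te so that anyone auditing that domain (it receives `self:capability dac_override` here) finds its rules in one place. Among the radio rules, `allow radio system_prop:property_service set;` and `allow radio debug_prop:property_service set;` grant set on two broad AOSP property types while the same file shows the narrower pattern with `persist_ril_prop` and `mediatek_prop`; the engineer-mode Purpose lines should say which properties are written so dedicated types can replace these. `allow radio sysfs_keypad_file:file { open write };` and the debugfs read likewise name only the feature, not the path, which makes later tightening hard.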
@@ -0,0 +1,97 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# special factory reset & backup/restore needs permissive mode
+# permissive recovery;
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : for recovery operation
+allow recovery misc_device:chr_file *;
+allow recovery platformblk_device:dir *;
+allow recovery platformblk_device:blk_file *;
+allow recovery vfat:dir *;
+allow recovery misc_sd_device:chr_file *;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : for CIP project access /custom partition
+allow recovery custom_file:dir *;
+allow recovery rootfs:dir *;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : Differential update
+allow recovery bootimg_device:chr_file *;
+allow recovery recovery_device:chr_file *;
+allow recovery logo_device:chr_file *;
+allow recovery preloader_device:chr_file *;
+allow recovery uboot_device:chr_file *;
+allow recovery init:dir *;
+allow recovery init:file ~{ execute entrypoint };
+allow recovery init:lnk_file *;
+allow recovery kernel:dir *;
+allow recovery kernel:file ~{ execute entrypoint };
+allow recovery kernel:lnk_file *;
+
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : Block full update
+allow recovery healthd:dir *;
+allow recovery healthd:file ~{ execute entrypoint };
+allow recovery healthd:lnk_file *;
+dontaudit recovery self:capability sys_ptrace;
+allow recovery ueventd:dir *;
+allow recovery ueventd:file ~{ execute entrypoint };
+allow recovery ueventd:lnk_file *;
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for sepcial factory reset
+allow recovery system_data_file:dir *;
+allow recovery apk_data_file:dir *;
+
+userdebug_or_eng(`
+ allow recovery su:dir *;
+ allow recovery su:file *;
+ allow recovery su:lnk_file *;
+')
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : JB to L differential OTA
+#allow recovery unlabeled:lnk_file *;
+
+# Date : WK14.45
+# Operation : SQC
+# Purpose : partition size changed
+allow recovery pmt_device:chr_file *;
+allow recovery tee_part_device:chr_file *;
+
+# Date : WK14.45
+# Operation : Migration
+# Purpose : KK->L->L legacy secure OTA
+allow recovery proc_sysrq:file { write open };
+allow recovery sec_device:chr_file { read ioctl open };
+allow recovery sec_ro_device:chr_file { read open };
+allow recovery seccfg_device:chr_file { read open };
+allow recovery self:capability sys_boot;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : FOTA upgrade
+allow recovery app_data_file:dir { write create add_name };
+allow recovery app_data_file:dir { read open };
+allow recovery app_data_file:file { read write create open };
+allow recovery mobicore_data_file:dir { write remove_name search add_name };
+allow recovery mobicore_data_file:file { rename setattr read create write getattr unlink open };
+allow recovery mobicore_data_file:file { relabelfrom relabelto };
+
+# Date : WK14.47
+# Operation : Migration
+# Purpose : Root Integrity Check
+allow recovery md_ctrl:file { read getattr open };
+allow recovery mobicore_data_file:dir { read open };
diff --git a/sepolicy/resmon.te b/sepolicy/resmon.te
new file mode 100644
index 0000000..ad7f099
--- /dev/null
+++ b/sepolicy/resmon.te
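Review bot: The `*` rules such as `allow recovery misc_device:chr_file *;` and `allow recovery platformblk_device:blk_file *;` grant every permission in the class, relabelfrom, relabelto and setattr included, and `~{ execute entrypoint }` on the init, kernel, healthd and ueventd files is nearly as wide; the Purpose lines describe operations (differential update, factory reset) that need read/write/ioctl-style access, which the `rw_file_perms` and `rw_dir_perms` macros used elsewhere in this commit express directly. If the wildcards are a deliberate compromise for recovery, a comment above the first block saying so would stop the next reviewer from reopening the question. `# Purpose : for sepcial factory reset` has a typo in "special".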
@@ -0,0 +1,43 @@
+# ==============================================
+# Policy File of /system/binresmon Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type resmon_exec , exec_type, file_type;
+type resmon ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+userdebug_or_eng(`
+ permissive resmon;
+ init_daemon_domain(resmon)
+
+ # Date : 2014/09/10
+ # Operation : Migration
+ # Purpose : allow Binder IPC for dumpsys windows display
+ binder_use(resmon)
+
+ # Date : 2014/10/20
+ # Operation : Migration
+ # Purpose : allow resmon to execute shell commands
+ allow resmon fuse:dir { write search add_name };
+ allow resmon fuse:file { read write create open };
+ allow resmon shell_exec:file execute_no_trans;
+ allow resmon system_file:file execute_no_trans;
+ allow resmon zygote_exec:file execute_no_trans;
+
+ allow untrusted_app resmon:fd use;
+
+')
diff --git a/sepolicy/ril-3gddaemon.te b/sepolicy/ril-3gddaemon.te
new file mode 100644
index 0000000..76b302a
--- /dev/null
+++ b/sepolicy/ril-3gddaemon.te
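Review bot: `permissive resmon;` at the top of the userdebug_or_eng block keeps the domain permissive on every debug build, so the allow rules that follow are never enforced and a missing one only shows up as an audit message; once the listed rules are believed complete, removing that line is what proves them. `allow untrusted_app resmon:fd use;` is a rule on the untrusted_app domain placed in resmon.te, so it is easy to miss when auditing untrusted_app; it belongs with that domain's rules or at least needs a comment saying which descriptors an untrusted app is handed and why. Declaring `type resmon` outside the macro while `init_daemon_domain(resmon)` sits inside it works, but a one-line comment on that split would help the next reader.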
@@ -0,0 +1,52 @@ +# ril-3gddaemon - radio interface layer daemon +type ril-3gddaemon, domain; +type ril-3gddaemon_exec, exec_type, file_type; +init_daemon_domain(ril-3gddaemon) +net_domain(ril-3gddaemon) + +allow ril-3gddaemon self:netlink_route_socket nlmsg_write; +allow ril-3gddaemon kernel:system module_request; +unix_socket_connect(ril-3gddaemon, property, init) +allow ril-3gddaemon self:capability { setuid setgid net_admin net_raw dac_override sys_module }; +allow ril-3gddaemon alarm_device:chr_file rw_file_perms; +allow ril-3gddaemon cgroup:dir create_dir_perms; +allow ril-3gddaemon radio_device:chr_file rw_file_perms; +allow ril-3gddaemon radio_device:blk_file r_file_perms; +allow ril-3gddaemon mtd_device:dir search; +allow ril-3gddaemon efs_file:dir create_dir_perms; +allow ril-3gddaemon efs_file:file create_file_perms; +allow ril-3gddaemon shell_exec:file rx_file_perms; +allow ril-3gddaemon radio_data_file:dir rw_dir_perms; +allow ril-3gddaemon radio_data_file:file create_file_perms; +allow ril-3gddaemon sdcard_type:dir r_dir_perms; +allow ril-3gddaemon system_data_file:dir r_dir_perms; +allow ril-3gddaemon system_data_file:file r_file_perms; +allow ril-3gddaemon system_file:file x_file_perms; + +# property service +allow ril-3gddaemon radio_prop:property_service set; +allow ril-3gddaemon net_radio_prop:property_service set; +allow ril-3gddaemon system_radio_prop:property_service set; +allow ril-3gddaemon system_prop:property_service set; +auditallow ril-3gddaemon net_radio_prop:property_service set; +auditallow ril-3gddaemon system_radio_prop:property_service set; +allow ril-3gddaemon pppoe_ppp0_prop:property_service set; +allow ril-3gddaemon ctl_zpppdgprs_prop:property_service set; + + +# Read/Write to uart driver (for 3gdongle) +allow ril-3gddaemon tty_device:chr_file rw_file_perms; + +# Allow ril-3gddaemon to create and use netlink sockets. 
+allow ril-3gddaemon self:netlink_socket create_socket_perms; +allow ril-3gddaemon self:netlink_kobject_uevent_socket create_socket_perms; + +allow ril-3gddaemon init:dir { getattr open read search }; +allow ril-3gddaemon ppp_exec:file { read open getattr execute execute_no_trans }; +allow ril-3gddaemon ppp_device:chr_file { read write open ioctl }; +allow ril-3gddaemon device:dir { read open write}; + +# Access to wake locks +wakelock_use(ril-3gddaemon) + +allow ril-3gddaemon self:socket create_socket_perms; diff --git a/sepolicy/rild.te b/sepolicy/rild.te new file mode 100644 index 0000000..86cbf61 --- /dev/null +++ b/sepolicy/rild.te @@ -0,0 +1,5 @@ +# ============================================== +# MTK Policy Rule +# ============ + + diff --git a/sepolicy/runas.te b/sepolicy/runas.te new file mode 100644 index 0000000..4b5a0be --- /dev/null +++ b/sepolicy/runas.te @@ -0,0 +1,4 @@ +# ============================================== +# MTK Policy Rule +# ============ + diff --git a/sepolicy/s62xd.te b/sepolicy/s62xd.te new file mode 100644 index 0000000..e053546 --- /dev/null +++ b/sepolicy/s62xd.te @@ -0,0 +1,16 @@ +# ============================================== +# Policy File of /system/bins62xd Executable File + + +# ============================================== +# Type Declaration +# ============================================== + +type s62xd_exec , exec_type, file_type; +type s62xd ,domain; + +# ============================================== +# MTK Policy Rule +# ============================================== + +init_daemon_domain(s62xd) diff --git a/sepolicy/sbchk.te b/sepolicy/sbchk.te new file mode 100644 index 0000000..6824e92 --- /dev/null +++ b/sepolicy/sbchk.te 
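Review bot: `allow ril-3gddaemon system_prop:property_service set;` lets the dongle RIL set every `system_prop`-labelled property, far wider than the radio properties the neighbouring rules (and the two `auditallow` lines) are clearly trying to scope; narrow it to the specific property type the daemon actually sets. The capability set `{ setuid setgid net_admin net_raw dac_override sys_module }` together with `shell_exec:file rx_file_perms`, `system_file:file x_file_perms` and `allow ril-3gddaemon device:dir { read open write};` gives a network-facing daemon module loading, DAC bypass and node creation under /dev, none of which carries a purpose comment. `allow ril-3gddaemon sdcard_type:dir r_dir_perms;` likewise looks unrelated to a RIL and should be justified or dropped.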
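Review bot: s62xd.te declares the domain and calls `init_daemon_domain(s62xd)` but grants no access at all, so on an enforcing build the daemon will be denied everything it touches unless its rules live in another file. Either the file is incomplete or a comment should state what the daemon is and why no rules are needed, so the empty policy is not mistaken for an oversight later.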
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/bin/sbchk Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type sbchk, domain;
+type sbchk_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(sbchk)
+
+# Date WK14.46
+# Operation : Migration
+# Purpose : for security driver access
+allow sbchk misc_sd_device:chr_file { read open };
+allow sbchk platformblk_device:blk_file { read write open };
+allow sbchk platformblk_device:dir search;
+allow sbchk preloader_device:chr_file { read open };
+allow sbchk sec_device:chr_file { read ioctl open };
+allow sbchk seccfg_device:chr_file { read write open };
+allow sbchk sec_ro_device:chr_file { open read };
+allow sbchk block_device:dir search;
diff --git a/sepolicy/sdcardd.te b/sepolicy/sdcardd.te
new file mode 100644
index 0000000..24486a0
--- /dev/null
+++ b/sepolicy/sdcardd.te
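Review bot: `allow sbchk platformblk_device:blk_file { read write open };` and `allow sbchk seccfg_device:chr_file { read write open };` give what reads as a boot-integrity checker write access to the raw platform block devices and the secure-config device, while the only explanation is `for security driver access`. If sbchk only verifies, drop `write` from both rules; if it really updates seccfg, say so in the Purpose line so the next reader does not remove it. `# Date WK14.46` is also missing the colon every other Date line in this series uses.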
@@ -0,0 +1,36 @@ +# ============================================== +# MTK Policy Rule +# ============ + +# Date : WK14.37 +# Operation : Migration +# Purpose : for sdcard daemon to access lk_env +allow sdcardd proc_lk_env:file { read write ioctl open }; +allow sdcardd misc_device:chr_file { read write open }; +allow sdcardd mmcblk_device:blk_file rw_file_perms; +allow sdcardd platformblk_device:blk_file rw_file_perms; +allow sdcardd block_device:dir search; +allow sdcardd platformblk_device:dir search; + +# Date : WK14.47 +# Purpose : create symbolic link from /mnt/shell/emulated to /storage/emulated +allow sdcardd tmpfs:dir {write add_name mounton}; +allow sdcardd tmpfs:lnk_file create; +allow sdcardd tmpfs:filesystem unmount; + +# Date : WK14.48 +# Purpose : invoke vdc for handle_users +allow sdcardd devpts:chr_file { read write getattr open ioctl }; +allow sdcardd vdc_exec:file { read execute open execute_no_trans }; +allow sdcardd vold:unix_stream_socket connectto; +allow sdcardd vold_socket:sock_file write; + + +# Date : WK14.48 +# Purpose : unknown +allow sdcardd platform_app:fd use; +allow sdcardd untrusted_app:fd use; + +# Date : WK15.02 +# Purpose : ashared memory +allow sdcardd platform_app_tmpfs:file write; diff --git a/sepolicy/service.te b/sepolicy/service.te new file mode 100644 index 0000000..e4a31ce --- /dev/null +++ b/sepolicy/service.te @@ -0,0 +1,12 @@ +# ============================================== +# MTK Policy Rule +# ============================================== +type nvram_agent_service, service_manager_type; +type dm_agent_binder_service, service_manager_type; +type terservice_service, service_manager_type; +type ota_agent_service, service_manager_type; +type aal_service, service_manager_type; +type guiext-server_service, service_manager_type; +type mtk_codec_service_service, service_manager_type; +type ppl_agent_service, service_manager_type; +type vtservice_service, service_manager_type; 
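Review bot: `allow sdcardd mmcblk_device:blk_file rw_file_perms;` and `allow sdcardd platformblk_device:blk_file rw_file_perms;` hand the FUSE sdcard daemon — the process every app reaches through external storage — read/write on raw block devices (presumably the eMMC partitions), which the stated purpose `for sdcard daemon to access lk_env` does not explain. `allow sdcardd vold:unix_stream_socket connectto;` together with `vdc_exec ... execute_no_trans` additionally lets sdcardd drive vold; if only a handful of lk_env and vdc operations are needed, a small helper domain would keep sdcardd itself down to FUSE and storage permissions. The `# Purpose : unknown` block granting `platform_app:fd use` and `untrusted_app:fd use` should be resolved to a real reason or turned into `dontaudit` rather than shipped as an unexplained allow.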
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts new file mode 100644 index 0000000..c18939b --- /dev/null +++ b/sepolicy/service_contexts @@ -0,0 +1,24 @@ +# ============================================== +# MTK Policy Rule +# ============================================== +NvRAMAgent u:object_r:nvram_agent_service:s0 +phoneEx u:object_r:radio_service:s0 +DmAgent u:object_r:dm_agent_binder_service:s0 +hotknot_service u:object_r:system_app_service:s0 +vie_command u:object_r:system_app_service:s0 +terservice u:object_r:terservice_service:s0 +GoogleOtaBinder u:object_r:ota_agent_service:s0 +memory_dumper u:object_r:mediaserver_service:s0 +AAL u:object_r:aal_service:s0 +iphonesubinfotedongle u:object_r:radio_service:s0 +isubtedongle u:object_r:radio_service:s0 +simphonebooktedongle u:object_r:radio_service:s0 +ismstedongle u:object_r:radio_service:s0 +tedongleservice u:object_r:radio_service:s0 +GbaService u:object_r:radio_service:s0 +GuiExtService u:object_r:guiext-server_service:s0 +mtk.codecservice u:object_r:mtk_codec_service_service:s0 +PPLAgent u:object_r:ppl_agent_service:s0 +media.mmsdk u:object_r:mediaserver_service:s0 +multiwindow_service_v1 u:object_r:system_app_service:s0 +media.VTS u:object_r:vtservice_service:s0 diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te new file mode 100644 index 0000000..4b5a0be --- /dev/null +++ b/sepolicy/servicemanager.te @@ -0,0 +1,4 @@ +# ============================================== +# MTK Policy Rule +# ============ + diff --git a/sepolicy/shared_relro.te b/sepolicy/shared_relro.te new file mode 100644 index 0000000..79b118a --- /dev/null +++ b/sepolicy/shared_relro.te @@ -0,0 +1,3 @@ +# ============================================== +# MTK Policy Rule +# ============ diff --git a/sepolicy/shell.te b/sepolicy/shell.te new file mode 100644 index 0000000..1aa1ed9 --- /dev/null +++ b/sepolicy/shell.te 
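Review bot: `hotknot_service`, `vie_command` and `multiwindow_service_v1` are mapped to the generic `system_app_service` label and `memory_dumper` / `media.mmsdk` to `mediaserver_service`, while service.te in this same commit declares a dedicated type for the other MTK services. Reusing a generic label means every domain already allowed to `add` or `find` `system_app_service` gets the same access to these vendor services, and per-service `find` policy can never be expressed later; declare one `service_manager_type` per service as is done for `terservice_service` and friends.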
@@ -0,0 +1,110 @@ +# ============================================== +# MTK Policy Rule +# ============ + +# Date : WK14.XX +# Operation : Migration +# Purpose : for exec labels defined by mtk +allow shell mtk_6620_launcher_exec:file rx_file_perms; +allow shell GoogleOtaBinder_exec:file rx_file_perms; +allow shell MtkCodecService_exec:file rx_file_perms; +allow shell aee_core_forwarder_exec:file rx_file_perms; +allow shell akmd8963_exec:file rx_file_perms; +allow shell akmd8975_exec:file rx_file_perms; +allow shell ami304d_exec:file rx_file_perms; +allow shell zygote_exec:file rx_file_perms; +allow shell atci_service_exec:file rx_file_perms; +allow shell atcid_exec:file rx_file_perms; +allow shell audiocmdservice_atci_exec:file rx_file_perms; +allow shell autokd_exec:file rx_file_perms; +allow shell batterywarning_exec:file rx_file_perms; +allow shell bmm050d_exec:file rx_file_perms; +allow shell boot_logo_updater_exec:file rx_file_perms; +allow shell bootanim_exec:file rx_file_perms; +allow shell ccci_fsd_exec:file rx_file_perms; +allow shell ccci_mdinit_exec:file rx_file_perms; +allow shell clatd_exec:file rx_file_perms; +allow shell debuggerd_exec:file rx_file_perms; +allow shell dex2oat_exec:file rx_file_perms; +allow shell dhcp6c_exec:file rx_file_perms; +allow shell dhcp_exec:file rx_file_perms; +allow shell dmlog_exec:file rx_file_perms; +allow shell dnsmasq_exec:file rx_file_perms; +allow shell drmserver_exec:file rx_file_perms; +allow shell dualmdlogger_exec:file rx_file_perms; +allow shell dumpstate_exec:file rx_file_perms; +allow shell em_svr_exec:file rx_file_perms; +allow shell emdlogger_exec:file rx_file_perms; +allow shell factory_exec:file rx_file_perms; +allow shell geomagneticd_exec:file rx_file_perms; +allow shell gsm0710muxd_exec:file rx_file_perms; +allow shell gsm0710muxdmd2_exec:file rx_file_perms; +allow shell hostapd_exec:file rx_file_perms; +allow shell installd_exec:file rx_file_perms; +allow shell keystore_exec:file rx_file_perms; +allow 
shell lmkd_exec:file rx_file_perms; +allow shell logd_exec:file rx_file_perms; +allow shell matv_exec:file rx_file_perms; +allow shell mc6420d_exec:file rx_file_perms; +allow shell mdlogger_exec:file rx_file_perms; +allow shell mdnsd_exec:file rx_file_perms; +allow shell mediaserver_exec:file rx_file_perms; +allow shell memsicd_exec:file rx_file_perms; +allow shell memsicd3416x_exec:file rx_file_perms; +allow shell mobile_log_d_exec:file rx_file_perms; +allow shell msensord_exec:file rx_file_perms; +allow shell mtk_agpsd_exec:file rx_file_perms; +allow shell mtkbt_exec:file rx_file_perms; +allow shell mtkrild_exec:file rx_file_perms; +allow shell mtkrildmd2_exec:file rx_file_perms; +allow shell mtp_exec:file rx_file_perms; +allow shell muxreport_exec:file rx_file_perms; +allow shell netdiag_exec:file rx_file_perms; +allow shell nvram_agent_binder_exec:file rx_file_perms; +allow shell nvram_daemon_exec:file rx_file_perms; +allow shell orientationd_exec:file rx_file_perms; +allow shell dex2oat_exec:file rx_file_perms; +allow shell ppl_agent_exec:file rx_file_perms; +allow shell ppp_exec:file rx_file_perms; +allow shell pq_exec:file rx_file_perms; +allow shell racoon_exec:file rx_file_perms; +allow shell runas_exec:file rx_file_perms; +allow shell s62xd_exec:file rx_file_perms; +allow shell sdcardd_exec:file rx_file_perms; +allow shell shell_exec:file rx_file_perms; +allow shell sn_exec:file rx_file_perms; +allow shell thermal_exec:file rx_file_perms; +allow shell thermal_manager_exec:file rx_file_perms; +allow shell thermald_exec:file rx_file_perms; +allow shell tiny_mkswap_exec:file rx_file_perms; +allow shell tiny_swapon_exec:file rx_file_perms; +allow shell wifi2agps_exec:file rx_file_perms; +allow shell wmt_loader_exec:file rx_file_perms; +allow shell wpa_exec:file rx_file_perms; +allow shell xlog_exec:file rx_file_perms; + +# Date : WK14.47 +# Operation : Migration +# Purpose : for accessing /storage/emulated/legacy +# It's mounted as tmpfs file. 
+# CTS: testSyncFiles_extStorageVariable & testSyncFiles_normal +allow shell tmpfs:lnk_file read; +allow shell tmpfs:lnk_file getattr; +allow shell block_device:dir search; + +# Date : WK14.47 +# Operation : Migration +# Purpose : for debugging in user debug load. +# su does't exist on user load. +userdebug_or_eng(` +allow shell su_exec:file rx_file_perms; +') + +# Date : WK14.46 +# Operation : Migration +# Purpose : for MTK Emulator HW GPU +allow shell qemu_pipe_device:chr_file rw_file_perms; + +# GAT ls /data/aee_exp/db.xxxx +allow shell aee_exp_data_file:dir r_dir_perms; +allow shell aee_exp_data_file:file r_file_perms; diff --git a/sepolicy/sn.te b/sepolicy/sn.te new file mode 100644 index 0000000..474ba72 --- /dev/null +++ b/sepolicy/sn.te @@ -0,0 +1,33 @@ +# ============================================== +# Policy File of /system/binsn Executable File + + +# ============================================== +# Type Declaration +# ============================================== + +type sn_exec , exec_type, file_type; +type sn ,domain; + +# ============================================== +# Android Policy Rule +# ============================================== + +# ============================================== +# NSA Policy Rule +# ============================================== + +# ============================================== +# MTK Policy Rule +# ============================================== + +init_daemon_domain(sn) + +# Date : WK14.31 +# Operation : Migration +# Purpose : for L early bring up +allow sn sdcard_internal:dir search; +allow sn fuse:file { read getattr open }; +allow sn sysfs:file write; +allow sn tmpfs:lnk_file read; +allow sn self:capability { dac_read_search dac_override }; diff --git a/sepolicy/statusd.te b/sepolicy/statusd.te new file mode 100644 index 0000000..647512e --- /dev/null +++ b/sepolicy/statusd.te 
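Review bot: the `rx_file_perms` block grants the `shell` domain — reachable over adb on every build — direct execution of roughly eighty daemon binaries including `keystore_exec`, `installd_exec`, `zygote_exec`, `logd_exec`, `debuggerd_exec` and `dex2oat_exec`, and since `rx_file_perms` includes `execute_no_trans` and no `domain_auto_trans` accompanies them, those binaries would run inside the shell domain. Trim the list to what shell scripts and tests actually invoke and wrap the rest in `userdebug_or_eng`, as the file already does for `su_exec`. `allow shell dex2oat_exec:file rx_file_perms;` appears twice in the list, and `# Date : WK14.XX` should carry the real week.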
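Review bot: `allow sn sysfs:file write;` grants write on every file that still carries the generic `sysfs` label, and `self:capability { dac_read_search dac_override }` removes DAC checks as well, so this bring-up daemon can change any kernel attribute exposed through sysfs. Give the nodes it needs their own `sysfs_*` type in file_contexts and restrict the rule to that type, and record in the Purpose line what `sn` reads and writes so the capability grant can be re-evaluated after bring-up.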
@@ -0,0 +1,49 @@ +# ============================================== +# Policy File of /system/bin/statusd Executable File + +type statusd_exec, exec_type, file_type; +type statusd, domain; + +#permissive statusd; + +init_daemon_domain(statusd) + +allow statusd block_device:dir search; +allow statusd ctl_pppd_via_prop:property_service set; +allow statusd flashlessd_exec:file { read execute open execute_no_trans }; +allow statusd init:unix_stream_socket connectto; +allow statusd mtk_md_prop:property_service set; +allow statusd net_cdma_mdmstat:property_service set; +allow statusd net_radio_prop:property_service set; +allow statusd nvram_data_file:dir { search add_name write remove_name read open}; +allow statusd nvram_data_file:file { create write open read getattr setattr}; +allow statusd nvram_data_file:lnk_file { read}; +allow statusd nvdata_file:dir { search add_name write remove_name read open}; +allow statusd nvdata_file:file { create write open read getattr setattr}; +allow statusd platformblk_device:blk_file { read write open }; +allow statusd platformblk_device:dir search; +allow statusd property_socket:sock_file write; +allow statusd radio_prop:property_service set; +allow statusd ril_cdma_report_prop:property_service set; +allow statusd self:capability net_admin; +allow statusd self:udp_socket { create ioctl }; +allow statusd statusd_socket:sock_file { write setattr }; +allow statusd sysfs_wake_lock:file { read write open }; +allow statusd system_data_file:dir { write add_name }; +allow statusd system_data_file:sock_file { write create setattr }; +allow statusd system_file:file execute_no_trans; +allow statusd ttyMT_device:chr_file { read write ioctl open }; +allow statusd ttySDIO_device:chr_file { read write open setattr ioctl}; +allow statusd viarild_exec:file { read execute open execute_no_trans }; +allow statusd vmodem_device:chr_file { read write open setattr ioctl}; + +# property service +allow statusd system_prop:property_service set; +allow statusd 
system_radio_prop:property_service set; +allow statusd persist_ril_prop:property_service set; +allow statusd ril_mux_report_case_prop:property_service set; +auditallow statusd net_radio_prop:property_service set; +auditallow statusd system_radio_prop:property_service set; + +#Search permission for findPidByName +allow statusd domain:dir search; diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te new file mode 100644 index 0000000..1aa9170 --- /dev/null +++ b/sepolicy/surfaceflinger.te 
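Review bot: `allow statusd system_prop:property_service set;` lets statusd set every `system_prop`-labelled property, well beyond the radio and modem properties listed around it; restrict it to the specific property types statusd sets. The pair `allow statusd property_socket:sock_file write;` / `allow statusd init:unix_stream_socket connectto;` is the hand-expanded form of `unix_socket_connect(statusd, property, init)`, which ril-3gddaemon.te in this commit already uses — prefer the macro. `allow statusd domain:dir search;` for `findPidByName` lets it walk /proc of every domain; consider whether search on just the daemons it looks for would do. `allow statusd system_data_file:dir { write add_name };` creates entries under the generic /data label instead of a statusd-specific type; check this against the core policy neverallow rules on `system_data_file` and, if it passes, still give the created socket directory its own label.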
@@ -0,0 +1,71 @@ +# ============================================== +# MTK Policy Rule +# ============ + +# for debug purpose +allow surfaceflinger self:capability { net_admin sys_nice }; +allow surfaceflinger self:netlink_socket { read bind create }; +allow surfaceflinger debug_prop:property_service set; +allow surfaceflinger guiext-server:binder { transfer call }; +allow surfaceflinger system_data_file:dir { write add_name create}; +allow surfaceflinger system_data_file:file { open }; +allow surfaceflinger proc:file write; +allow surfaceflinger shell_exec:file { read execute open execute_no_trans }; +allow surfaceflinger anr_data_file:dir { write search create add_name }; +allow surfaceflinger anr_data_file:file { create write}; +allow surfaceflinger aee_exp_data_file:file write; +allow surfaceflinger custom_file:dir search; +binder_call(surfaceflinger, debuggerd) +allow surfaceflinger aee_dumpsys_data_file:file write; +allow surfaceflinger RT_Monitor_device:chr_file { read ioctl open }; + +# for using toolbox +allow surfaceflinger system_file:file x_file_perms; + +# for sf_dump +userdebug_or_eng(` +allow surfaceflinger system_data_file:dir {relabelfrom read}; +allow surfaceflinger sf_bqdump_data_file:{dir file} {relabelto open create read write getattr }; +allow surfaceflinger sf_bqdump_data_file:dir {search add_name}; +') + +# for driver access +allow surfaceflinger sw_sync_device:chr_file { read write open ioctl }; +allow surfaceflinger MTK_SMI_device:chr_file { read write open ioctl }; + +# for bootanimation +allow surfaceflinger bootanim:dir search; +allow surfaceflinger bootanim:file { read getattr open }; +allow surfaceflinger self:capability dac_override; + +# for ipo +allow surfaceflinger ipod:dir search; +binder_call(surfaceflinger, ipod) + +# for MTK Emulator HW GPU +allow surfaceflinger qemu_pipe_device:chr_file rw_file_perms; + +# for SVP secure memory allocation +allow surfaceflinger proc_secmem:file { read write open ioctl }; + +# for watchdog 
+allow surfaceflinger anr_data_file:dir { relabelfrom read remove_name getattr }; +allow surfaceflinger anr_data_file:file { rename getattr unlink open }; +allow surfaceflinger sf_rtt_file:dir { create search write add_name remove_name}; +allow surfaceflinger sf_rtt_file:file { open read write create rename append getattr unlink}; +allow surfaceflinger sf_rtt_file:dir {relabelto getattr}; + +# for system shrinks memory pages when low memory +allow surfaceflinger platform_app_tmpfs:file write; +allow surfaceflinger isolated_app_tmpfs:file write; +allow surfaceflinger untrusted_app_tmpfs:file write; + +#for BufferQueue check process name of em_svr +allow surfaceflinger em_svr:dir search; +allow surfaceflinger em_svr:file { read getattr open }; + +# need to check what is this allowance for +allow surfaceflinger mobicore:unix_stream_socket connectto; +allow surfaceflinger mobicore_data_file:file { read getattr open }; +allow surfaceflinger mobicore_user_device:chr_file { read write ioctl open }; +allow surfaceflinger mobicore_data_file:dir search; diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te new file mode 100644 index 0000000..abdf5ca --- /dev/null +++ b/sepolicy/system_app.te 
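Review bot: the `# for debug purpose` block — `self:capability { net_admin sys_nice }`, `self:netlink_socket { read bind create }`, `debug_prop:property_service set`, `proc:file write` and `shell_exec:file { read execute open execute_no_trans }` — is unconditional, while the sf_dump rules just below are correctly wrapped in `userdebug_or_eng`. Move the debug-only rules into the same guard so user builds ship surfaceflinger without netlink, capability and shell-execution rights it does not need for rendering (`sys_nice` may have to stay if it is used for thread priorities — confirm). The four mobicore rules under `# need to check what is this allowance for` should be justified or removed before release; an allow rule nobody can explain defeats the purpose of the comment.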
@@ -0,0 +1,159 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# permissive system_app; + + +# Date : 2014/07/31 +# Stage: BaseUT +# Purpose :[CdsInfo][CdsInfo uses net shell commands to get network information and write WI-FI MAC address by NVRAM] +# Package Name: com.mediatek.connectivity +allow system_app nvram_agent_binder:binder call; + +# Date: 2014/08/01 +# Operation: BaseUT +# Purpose: [Settings][Settings used list views need velocity tracker access touch dev] +# Package: com.android.settings +allow system_app touch_device:chr_file { read ioctl open }; + +# Date: 2014/08/04 +# Stage: BaseUT +# Purpose: [MTKThermalManager][View thermal zones and coolers, and change thermal policies] +# Package Name: com.mediatek.mtkthermalmanager +allow system_app apk_private_data_file:dir getattr; +allow system_app asec_image_file:dir getattr; +allow system_app dontpanic_data_file:dir getattr; +allow system_app drm_data_file:dir getattr; +allow system_app install_data_file:file getattr; +allow system_app lost_found_data_file:dir getattr; +allow system_app media_data_file:dir getattr; +allow system_app property_data_file:dir getattr; +allow system_app shell_data_file:dir search; +allow system_app thermal_manager_exec:file { read execute open execute_no_trans }; +allow system_app proc_thermal:dir search; +allow system_app proc_thermal:file { read getattr open write }; +allow system_app proc_mtkcooler:dir search; +allow system_app proc_mtkcooler:file { read getattr open write }; +allow system_app proc_mtktz:dir search; +allow system_app proc_mtktz:file { read getattr open write }; +allow system_app proc_slogger:file { read getattr open write }; + +# Date: 2014/08/21 +# Stage: BaseUT +# Purpose: [AtciService][Atci Service will use atci_serv_fw_socket to connect to atci_service which in native layer] +# Package Name: com.mediatek.atci.service +allow system_app atci_serv_fw_socket:sock_file write; +allow 
system_app atci_service:unix_stream_socket connectto; + +# Date: 2014/08/29 +# Stage: BaseUT +# Purpose: [BatteryWarning][View update graphics] +# Package Name: com.mediatek.batterywarning +allow system_app guiext-server:binder { transfer call }; + +# Date: 2014/09/02 +# Operation: BaseUT +# Purpose: [HotKnot][HotKnot service will use hoknot device node] +# Package: com.mediatek.hotknot.service +allow system_app hotknot_device:chr_file { read write ioctl open }; + +# Date: 2014/09/02 +# Operation: BaseUT +# Purpose: [HotKnot][HotKnot service will use devmap_device device node] +# Package: com.mediatek.hotknot.service +allow system_app devmap_device:chr_file { read ioctl open }; + +# Date: 2014/09/02 +# Operation: BaseUT +# Purpose: [HotKnot][HotKnot service will use mtkfb device node] +# Package: com.mediatek.hotknot.service +allow system_app graphics_device:chr_file { read write ioctl open }; +allow system_app graphics_device:dir search; + +# Data : 2014/09/09 +# Operation : Migration +# Purpose : [Privacy protection lock][com.mediatek.ppl need to bind ppl_agent service to read/write nvram file] +# Package name : com.mediatek.ppl + +allow system_app ppl_agent:binder call; + +# Date: 2014/10/7 +# Operation: SQC +# Purpose: [sysoper][sysoper will create folder /cache/recovery] +# Package: com.mediatek.systemupdate.sysoper +allow system_app cache_file:dir { write create add_name }; +allow system_app cache_file:file { write create open }; + +# Date : 2014/10/08 +# Operation : BaseUT +# Purpose : [op01 agps setting][mtk_agpsd establishes the local socket as agpsd for all A-GPS +# application to do something with mtk_agpsd in system app] +# Package: com.mediatek.op01.plugin +unix_socket_connect(system_app, agpsd, mtk_agpsd); + +# Date : 2014/10/28 +# Operation: SQC +# Purpose : ALPS01761930 +# Package: com.android.settings +allow system_app asec_apk_file:file r_file_perms; + +# Date : WK14.46 +# Operation : Migration +# Purpose : for MTK Emulator HW GPU +allow 
system_app qemu_pipe_device:chr_file rw_file_perms; + +# Date : WK14.46 +# Operation : Migration +# Package: org.simalliance.openmobileapi.service +# Purpose : ALPS01820916, for SmartcardService +allow system_app system_app_data_file:file execute; + +# Date : 2014/11/17 +# Operation: SQC +# Purpose : [Settings][Battery module will call batterystats API, and it will read /sys/kernel/debug/wakeup_sources] +# Package: com.android.settings +allow system_app debugfs:file r_file_perms; + +# Date : 2014/11/18 +# Operation : SQC +# Purpose : for oma dm fota recovery update +allow system_app ctl_rbfota_prop:property_service set; + +# Date : 2014/11/19 +# Operation: SQC +# Purpose: [Settings][RenderThread][operate device file failed] +# Package: com.android.settings +allow system_app proc_secmem:file rw_file_perms; + +# Date : 2014/11/20 +# Operation: SQC +# Purpose: [Settings][Developer options module will communicate with all Services through binder call] +# Package: com.android.settings +binder_call(system_app, mtkbt) +binder_call(system_app, MtkCodecService) + +# Date : 2014/11/26 +# Operation: SQC +# Purpose: [Settings][Browser][warning kernel API'selinux enforce violation:sdcardd' when do stress test with ' AT_ST_Browser_Test.rar'] +# Package: com.android.settings +allow system_app platform_app_tmpfs:file write; + +# Date : 2015/01/13 +# Operation: SQC +# Purpose: access ashmem of isolated_app +# Package: com.fw.upgrade.sysoper +dontaudit system_app isolated_app_tmpfs:file write; + +# Date : 2015/01/14 +# Operation: SQC +# Purpose: access ashmem of untrusted_app +# Package: android.ui +dontaudit system_app untrusted_app_tmpfs:file write; + +# Date : 2015/01/27 +# Operation: SQC +# Purpose: It's not normal behavior, that system_app want to access radio_file_data +# Package: android.ui +dontaudit system_app radio_data_file:dir search; + diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te new file mode 100644 index 0000000..3189f19 --- /dev/null 
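Review bot: every rule here lands on the shared `system_app` domain, so a grant added for one package — `touch_device:chr_file { read ioctl open }` for Settings, `hotknot_device` and `graphics_device:chr_file { read write ioctl open }` for HotKnot, `proc_thermal:file { read getattr open write }` for the thermal manager — becomes available to every platform-signed app, including raw touch-event reads and framebuffer writes. Where the comment names a single package, a dedicated domain via seapp_contexts would keep the grant with that app instead of widening `system_app`. `allow system_app system_app_data_file:file execute;` lets a system app run code from its own writable data directory and `cache_file:dir { write create add_name }` lets any system app write under /cache; both need a justification beyond a bug id or should be scoped down. `# Data : 2014/09/09` should read `Date`.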
+++ b/sepolicy/system_server.te 
@@ -0,0 +1,225 @@ +# ============================================== +# MTK Policy Rule +# ============ + +# Date : WK15.02 +# Operation : 120Hz Feature SQC +# Purpose : for 120Hz Smart Switch +allow system_server mtk_rrc_device:chr_file { read write ioctl open }; +# Date : WK14.31 +# Operation : Migration +# Purpose : for bring up +allow system_server hwmsensor_device:chr_file { read ioctl open }; +allow system_server m_batch_misc_device:chr_file { read ioctl open }; +allow system_server proc:file write; +allow system_server touch_device:chr_file { read ioctl open }; + +# Date : WK14.32 +# Operation : Migration +# Purpose : for wifi p2p functionality +allow system_server dhcp_data_file:dir { read write remove_name search getattr }; +allow system_server dhcp_data_file:file { read open unlink getattr }; + +# Date : WK14.33 +# Operation : Migration +# Purpose : for wifi functionality +allow system_server wpa_wlan0_socket:sock_file write; +allow system_server hostapd:unix_dgram_socket sendto; +allow hostapd system_server:unix_dgram_socket sendto; + +# Date : WK14.34 +# Operation : Migration +# Purpose : for WFD functionality +allow system_server media_wfd_prop:property_service set; + +# Date : WK14.34 +# Operation : Migration +# Purpose : for idling on homescreen +allow system_server dontpanic_data_file:dir search; +allow system_server mnld:unix_dgram_socket sendto; + +# Date : WK14.34 +# Operation : Migration +# Purpose : for debug +allow system_server debuggerd:fd use; +allow system_server mnld_data_file:sock_file create_file_perms; +allow system_server mnld_data_file:sock_file rw_file_perms; +allow system_server mnld_data_file:dir create_file_perms; +allow system_server mnld_data_file:dir rw_dir_perms; + +# Date : WK14.37 +# Operation : Migration +# Purpose : for idling on homescreen +allow system_server guiext-server:binder { transfer call }; +allow system_server touch_device:chr_file write; + +# Date : WK14.37 +# Operation : Migration +# Purpose : for relabeling 
files in /data/anr/ created at bootup +allow system_server anr_data_file:file relabelto; + +# Date : WK14.38 +# Operation : Migration +# Purpose : for debug +allow system_server debuggerd:binder call; +allow system_server resmon:fd use; +allow system_server resmon:fifo_file write; + +# Date : WK14.39 +# Operation : Migration +# Purpose : for operate HDMI device +allow system_server graphics_device:chr_file { read ioctl open }; + +# Date : WK14.40 +# Operation : Migration +# Purpose : for operate ANT device driver +allow system_server stpant_device:chr_file { read open write ioctl}; + +# Date: WK14.40 +# Operation : Migration +# Purpose : for ACTION_PREBOOT_IPO intent in ipo boot +binder_call(system_server, ipod) + +# Date: wk14.40 +# Operation : SQC +# Purpose : [ALPS01756200] wwop boot up fail +allow system_server custom_file:dir { read search open getattr}; +allow system_server custom_file:file { read open getattr}; + +# Date: WK14.41 +# Operation : Migration +# Purpose : boost surfaceflinger to RT +allow system_server surfaceflinger:process setsched; + +# Date: WK14.41 +# Operation : Migration +# Purpose : [ALPS01760531] for bring up after auto-merge +allow system_server zygote:binder impersonate; + +# Date: WK14.41 +# Operation : Migration +# Purpose : for system_server operate /dev/RT_Monitor when enable hang detect +allow system_server RT_Monitor_device:chr_file { read ioctl open }; + +# Date: WK14.42 +# Operation : Migration +# Purpose : for system_server to start bootanim +allow system_server ctl_bootanim_prop:property_service set; + + +# Date : WK14.42 +# Operation : SQC +# Purpose : ALPS01763317 +# After connected to DHCPv6 enabled 6to4 IPv6 AP, +#the ipv6 related values of getprop command are wrong +#============= system_server ============== +allow system_server proc_net:file write; +allow system_server wide_dhcpv6_data_file:dir search; +allow system_server wide_dhcpv6_data_file:file { read getattr open }; + +# Date: WK14.41 +# Operation : Migration +# 
Purpose : allow system_server to start ipod +allow system_server ctl_ipod_prop:property_service set; + +# Date: WK14.43 +# Operation : Migration +# Purpose : access to atcid from system server for GPS AT Command. +allow system_server atci_service:unix_dgram_socket sendto; +allow system_server atci_service:dir write; +allow system_server atci_service:dir add_name; + +# Date: WK14.43 +# Operation : Migration +# Purpose : for bring up +allow system_server anr_data_file:dir relabelfrom; +allow system_server sf_rtt_file:dir relabelto; + +# Date: WK14.43 +# Operation : Migration +# Purpose : for dumpsys +allow system_server aee_dumpsys_data_file:file write; +allow system_server aee_exp_data_file:file write; + +# Date: WK14.44 +# Operation : Migration +# Purpose : for debug +allow system_server sf_rtt_file:dir r_dir_perms; + +# Date: WK14.44 +# Operation : Migration +# Purpose : for mtk gps epos library useage +allow system_server devmap_device:chr_file r_file_perms; + +allow system_server irtx_device:chr_file { read write ioctl open }; + +# Date : WK14.46 +# Operation : Migration +# Purpose : for MTK Emulator HW GPU +allow system_server qemu_pipe_device:chr_file rw_file_perms; + +# Date: WK14.46 +# Operation : Migration +# Purpose : for sensorhubservice +allow system_server shf_device:chr_file rw_file_perms; + +# Date: W14.46 +# Operation : Migration +# Purpose : for GpsLocationProvider.java to check ESUPL status +allow system_server agpsd_data_file:dir search; + +# Date: WK14.46 +# Operation : Migration +# Purpose : for saveLocale to set SystemProperties +allow system_server save_locale_prop:property_service set; + +# Date: WK14.47 +# Operation : Sanity +# Purpose : for /system/app/mcRegistry and /proc/secmem (TEE enable) +allow system_server mobicore_data_file:dir r_dir_perms; +allow system_server proc_secmem:file { rw_file_perms }; + +# Date: WK14.47 +# Operation : Sanity +# Purpose : for avoid SELinux warning after dex2oat execv failed +allow system_server 
dex2oat_exec:file rx_file_perms; + +# Date: WK14.47 +# Operation : CTS +# Purpose : for executing recovery.dex +allow system_server system_data_file:file execute; + +# Date: WK14.47 +# Operation : MTBF +# Purpose : for debug +allow system_server sf_rtt_file:file r_file_perms; + +# Date: WK14.47 +# Operation : MTBF +# Purpose : for native process backtrace dump +allow system_server exec_type:file r_file_perms; + +# Date: WK14.47 +# Operation : SQC +# Purpose : for debug +allow system_server aee_core_data_file:dir r_dir_perms; + +# Date: WK14.48 +# Operation : SQC +# Purpose : for accessing exm0 tmpfs device +allow system_server exm0_device:chr_file { read write open }; + +# Date: WK14.48 +# Operation : SQC +# Purpose : for querying zygote socket +allow system_server zygote:unix_stream_socket { getopt getattr }; + +# Date: WK14.52 +# Operation : Feature developing +# Purpose : Communicate with native daemon (epdg_wod) +unix_socket_connect(system_server, wod_action, epdg_wod) +unix_socket_connect(system_server, wod_sim, epdg_wod) + +# Date: WK15.05 +# Purpose : for kill-switch should only grant to access frp partition, to be fix +allow system_server platformblk_device:dir search;
\ No newline at end of file
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
new file mode 100644
index 0000000..e815c29
--- /dev/null
+++ b/sepolicy/te_macros
@@ -0,0 +1,13 @@
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..4b5a0be
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,4 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
diff --git a/sepolicy/terservice.te b/sepolicy/terservice.te
new file mode 100644
index 0000000..4c93863
--- /dev/null
+++ b/sepolicy/terservice.te
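Review bot: `allow system_server system_data_file:file execute;` (`for executing recovery.dex`) lets the most privileged userspace process execute files carrying the generic writable /data label, and `allow system_server exec_type:file r_file_perms;` reads every executable type on the system; both should be narrowed to a dedicated file type. `allow system_server zygote:binder impersonate;` is justified only by a bug id (`ALPS01760531`) from an auto-merge — `impersonate` is a permission the core policy does not normally grant, so document what needs it or drop it. `allow hostapd system_server:unix_dgram_socket sendto;` is a rule on the `hostapd` domain and belongs in hostapd.te, and the final `platformblk_device:dir search` rule marked `to be fix` should get a proper label for the frp partition before release. The file also lacks a trailing newline (`\ No newline at end of file`).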
@@ -0,0 +1,42 @@
+# ==============================================
+# Policy File of /system/binterservice Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type terservice_exec , exec_type, file_type;
+type terservice ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(terservice)
+
+# Date : 2014/09/18 (WK14.38)
+# Operation : Migration
+# Purpose : allow register terservice service in servicemanager.
+allow terservice terservice_service:service_manager add;
+
+# property service
+unix_socket_connect(terservice, property, init)
+allow terservice terservice_prop:property_service set;
+
+# ccci ioctl
+allow terservice ccci_device:chr_file { read write ioctl open };
+
+# ipc call
+binder_use(terservice)
+binder_service(terservice)
+
+
diff --git a/sepolicy/thermal.te b/sepolicy/thermal.te
new file mode 100644
index 0000000..f35bfcc
--- /dev/null
+++ b/sepolicy/thermal.te
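Review bot: The header comment names the executable as `/system/binterservice`, which is missing the slash between `bin` and the daemon name; it should read `# Policy File of /system/bin/terservice Executable File`. The same slipped path appears in the thermal, thermal_manager, thermald, vtservice, wmt_loader and xlog headers later in this series. Since file_contexts, not this comment, is what labels the binary, the header is the only place a reviewer can check the intended path against the `_exec` type, so it is worth keeping accurate.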
@@ -0,0 +1,33 @@
+# ==============================================
+# Policy File of /system/binthermal Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type thermal_exec , exec_type, file_type;
+type thermal ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(thermal)
+
+allow thermal mtkrild:unix_stream_socket connectto;
+allow thermal proc_thermal:dir search;
+allow thermal proc_thermal:file { read write open };
+allow thermal rild_oem_socket:sock_file write;
+allow thermal netd_socket:sock_file write;
+allow thermal netd:unix_stream_socket connectto;
+
+
diff --git a/sepolicy/thermal_manager.te b/sepolicy/thermal_manager.te
new file mode 100644
index 0000000..08b2468
--- /dev/null
+++ b/sepolicy/thermal_manager.te
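Review bot: The last two rules, `allow thermal netd_socket:sock_file write;` and `allow thermal netd:unix_stream_socket connectto;`, are the hand-expanded form of the `unix_socket_connect` macro that terservice.te and tunman.te in this series use for the same purpose; `unix_socket_connect(thermal, netd, netd)` says the same thing in one line and keeps the pattern consistent across the policy. The `rild_oem_socket:sock_file write` / `mtkrild:unix_stream_socket connectto` pair above it collapses the same way into `unix_socket_connect(thermal, rild_oem, mtkrild)`. The file carries no purpose comment at all; a one-liner above the proc_thermal rules naming the interface they serve would match the dated comments the other files use.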
@@ -0,0 +1,38 @@
+# ==============================================
+# Policy File of /system/binthermal_manager Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type thermal_manager_exec , exec_type, file_type;
+type thermal_manager ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(thermal_manager)
+
+allow thermal_manager proc_mtkcooler:dir search;
+allow thermal_manager proc_mtktz:dir search;
+allow thermal_manager proc_thermal:dir search;
+allow thermal_manager proc_mtkcooler:file { read getattr open write };
+allow thermal_manager proc_mtktz:file { read getattr open write };
+allow thermal_manager proc_thermal:file { read getattr open write };
+allow thermal_manager system_data_file:dir write;
+allow thermal_manager system_data_file:dir add_name;
+allow thermal_manager self:capability dac_override;
+allow thermal_manager self:capability chown;
+allow thermal_manager self:capability fowner;
+allow thermal_manager self:capability fsetid;
+
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
new file mode 100644
index 0000000..6d7ec00
--- /dev/null
+++ b/sepolicy/thermald.te
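Review bot: `allow thermal_manager system_data_file:dir write;` / `add_name` together with the four `self:capability` rules (`dac_override`, `chown`, `fowner`, `fsetid`) let the daemon create entries anywhere under the generic /data label while bypassing DAC checks; the usual pattern is to give the daemon's own directory a dedicated type in file_contexts (tunman.te in this series does this for its socket directory) and grant create permissions on that type only, after which dac_override and fowner are normally unnecessary. xlog.te later in this series has the same shape (`system_data_file:dir { write add_name }` plus the same capability set) and the same fix applies there. The four single-capability lines can also be collapsed into `allow thermal_manager self:capability { chown dac_override fowner fsetid };`, and a one-line comment naming the proc interfaces the proc_* rules serve would help, since this file has no purpose comment.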
@@ -0,0 +1,35 @@
+# ==============================================
+# Policy File of /system/binthermald Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type thermald_exec , exec_type, file_type;
+type thermald ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(thermald)
+
+# Date : WK14.39
+# Operation : SQC
+# Purpose : for thermal management to shutdown the phone
+binder_use(thermald)
+allow thermald proc_thermal:dir search;
+allow thermald proc_thermal:file { read getattr open write };
+allow thermald system_server:binder call;
+
+
+
diff --git a/sepolicy/tiny_mkswap.te b/sepolicy/tiny_mkswap.te
new file mode 100644
index 0000000..103fa6d
--- /dev/null
+++ b/sepolicy/tiny_mkswap.te
@@ -0,0 +1,29 @@
+# ==============================================
+# Policy File of /system/bin/tiny_mkswap Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type tiny_mkswap_exec , exec_type, file_type;
+type tiny_mkswap ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : Add new swap areas
+init_daemon_domain(tiny_mkswap)
+allow tiny_mkswap zram0_device:blk_file { getattr read write open ioctl };
+allow tiny_mkswap enableswap:fd use;
diff --git a/sepolicy/tiny_swapon.te b/sepolicy/tiny_swapon.te
new file mode 100644
index 0000000..61d8901
--- /dev/null
+++ b/sepolicy/tiny_swapon.te
@@ -0,0 +1,29 @@
+# ==============================================
+# Policy File of /system/bin/tiny_swapon Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type tiny_swapon_exec , exec_type, file_type;
+type tiny_swapon ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : Add new swap areas
+init_daemon_domain(tiny_swapon)
+allow tiny_swapon zram0_device:blk_file { getattr read write open ioctl };
+allow tiny_swapon enableswap:fd use;
diff --git a/sepolicy/tunman.te b/sepolicy/tunman.te
new file mode 100644
index 0000000..6e86413
--- /dev/null
+++ b/sepolicy/tunman.te
@@ -0,0 +1,59 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK14.48
+# Operation : OperaMaxSystem
+# Purpose : for MTK_OPERAMAX_SUPPORT
+
+type tunman, domain;
+type tunman_exec, exec_type, file_type;
+
+type tunman_socket, file_type, mlstrustedobject;
+
+type tunman_prop, property_type;
+
+init_daemon_domain(tunman)
+net_domain(tunman)
+
+# Allows connections to /dev/socket/tunman
+unix_socket_connect(netdomain, tunman, tunman)
+
+# Allows us to set 'tunman.protocol' property
+unix_socket_connect(tunman, property, init)
+allow tunman tunman_prop:property_service set;
+
+# Allows us to talk to netd
+unix_socket_connect(tunman, netd, netd)
+
+# Multiple instance detection (fs lock)
+allow tunman shell_data_file:dir { search write add_name};
+allow tunman shell_data_file:file { create open read write lock };
+
+#allow tunman system_data_file:dir { search write add_name};
+#allow tunman system_data_file:file { create open read write lock};
+allow tunman system_data_file:file { open read };
+
+# TUN management
+allow tunman self:capability { net_admin net_raw dac_override };
+allow tunman tun_device:chr_file rw_file_perms;
+allow tunman self:tun_socket create_socket_perms;
+
+# Allows Max to use the fd received from Tunman
+allow appdomain tunman:fd use;
+
+# Needed for protect() implementation
+allow tunman appdomain:fd use;
+allow tunman appdomain:{ tcp_socket udp_socket } { read write };
+
+# Needed for socket re-tagging
+allow tunman qtaguid_proc:file { open write };
+
+#
+#allow tunman socket_device:dir { search write add_name remove_name};
+#allow tunman socket_device:sock_file { create open read write lock unlink};
+#allow untrusted_app socket_device:sock_file { read write };
+
+allow tunman tunman_socket:dir { search write add_name remove_name};
+allow tunman tunman_socket:sock_file { create open read write lock unlink};
+allow untrusted_app tunman_socket:sock_file { read write };
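Review bot: `allow untrusted_app tunman_socket:sock_file { read write };`, `allow appdomain tunman:fd use;` and `allow tunman appdomain:{ tcp_socket udp_socket } { read write };` expose the TUN-managing daemon (which holds net_admin, net_raw, dac_override and tun_socket) to every third-party app, not only to the Opera Max client the WK14.48 comment describes; if that client runs in its own domain the three rules should name it, and if any app is meant to drive tunman a comment saying so would make the exposure deliberate. `unix_socket_connect(netdomain, tunman, tunman)` has the same width. The lock file kept under `shell_data_file`, a label the shell user can typically write to, would be safer under a dedicated tunman data type, which the commented-out system_data_file lines suggest was once attempted.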
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..2a54b7b
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,9 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# for early-migration, set as permissive
+# permissive ueventd;
+
+# add for sysfs:leds; pls check it on L official policy
+allow ueventd sysfs:file setattr;
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
new file mode 100644
index 0000000..fcefb9d
--- /dev/null
+++ b/sepolicy/uncrypt.te
@@ -0,0 +1,8 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+allow uncrypt misc_device:chr_file *;
+allow uncrypt platformblk_device:dir *;
+allow uncrypt platformblk_device:blk_file *;
+allow uncrypt system_data_file:file { open read };
+
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..e6fcdba
--- /dev/null
+++ b/sepolicy/untrusted_app.te
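Review bot: `allow ueventd sysfs:file setattr;` covers every file under the generic sysfs label rather than only the leds nodes the comment targets, and the comment itself (`pls check it on L official policy`) marks it as unverified. Labelling the leds nodes with a dedicated sysfs type in file_contexts and granting setattr on that type alone would follow the `sysfs_vcorefs_pwrctrl` precedent viarild.te uses in this series. If the broad rule has to stay for now, the comment should record which nodes ueventd actually touches so it can be narrowed later.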
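Review bot: `allow uncrypt misc_device:chr_file *;`, `allow uncrypt platformblk_device:dir *;` and `allow uncrypt platformblk_device:blk_file *;` grant every permission in each class, including ones an OTA helper is unlikely to need such as relabelfrom/relabelto, mounton and setattr on the raw block device; the sets should be enumerated, e.g. `allow uncrypt platformblk_device:blk_file { read write open getattr ioctl };` if that is what uncrypt needs — the exact set is not visible here. zygote.te at the end of this series has the same wildcard in `allow zygote anr_data_file:dir *;`. A dated purpose comment like the other files carry would also help, since this file has none.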
@@ -0,0 +1,46 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# permissive untrusted_app;
+
+# Date : 2014/09/04
+# Stage: BaseUT
+# Purpose :[Launcher2][View update graphics]
+# Package Name: com.android.launcher2
+allow untrusted_app guiext-server:binder { transfer call };
+
+# Date : 2014/10/27
+# Operation : SQC
+# Purpose : [ALPS01785313] Permission denied for dump hprof
+# Package: com.android.gallery3d
+allow untrusted_app anr_data_file:file rw_file_perms;
+
+# Date : 2014/09/09
+# Operation : Development LCA Feature "Move OAT to SD Card"
+# Purpose : for LCA ROM Size Slim
+allow untrusted_app dalvikcache_data_file:lnk_file read;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for MTK Emulator HW GPU
+allow untrusted_app qemu_pipe_device:chr_file rw_file_perms;
+
+# CTS issue
+allow untrusted_app proc_lk_env:file getattr;
+allow untrusted_app proc_sysrq:file getattr;
+allow untrusted_app fuse:file execute;
+allow untrusted_app protect_f_data_file:dir getattr;
+allow untrusted_app protect_s_data_file:dir getattr;
+
+# Date : W1452
+# Operation : WVL1 Modular DRM IT
+# Purpose : Allow svp client alloc sec mem
+allow untrusted_app proc_secmem:file { read ioctl open };
+
+
+#elephantstress tools for thermal
+allow untrusted_app proc_mtktz:dir search;
+allow untrusted_app proc_mtktz:file read;
+allow untrusted_app proc_mtktz:file open;
+allow untrusted_app proc_mtktz:file getattr;
diff --git a/sepolicy/usbdongled.te b/sepolicy/usbdongled.te
new file mode 100644
index 0000000..33f7a3e
--- /dev/null
+++ b/sepolicy/usbdongled.te
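Review bot: `allow untrusted_app fuse:file execute;` lets any third-party app execute code straight from FUSE-backed external storage, which is a much wider grant than the bare `# CTS issue` label above it explains; the specific CTS test that needs it should be named in the comment, and if the test only requires `getattr` or `read` the permission should be narrowed to that. `allow untrusted_app anr_data_file:file rw_file_perms;` (ALPS01785313) gives every app read/write access to the ANR directory that system traces also land in; if the hprof dump is the only need, a dedicated type for the dump location, or a smaller permission set than rw_file_perms, would contain it. Each rule under `# CTS issue` would benefit from its own one-line comment, as the dated blocks elsewhere in the file have.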
@@ -0,0 +1,24 @@
+# usbdongled - usb auto select daemon
+type usbdongled, domain;
+type usbdongled_exec, exec_type, file_type;
+init_daemon_domain(usbdongled)
+net_domain(usbdongled)
+
+allow usbdongled self:capability { net_admin net_raw dac_override kill };
+
+# Allow ril-3gddaemon to create and use netlink sockets.
+allow usbdongled self:netlink_socket create_socket_perms;
+allow usbdongled self:netlink_kobject_uevent_socket create_socket_perms;
+allow usbdongled self:netlink_nflog_socket create_socket_perms;
+allow usbdongled netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
+allow usbdongled netdomain:fd use;
+
+# property service
+allow usbdongled radio_prop:property_service set;
+allow usbdongled ctl_ril3gd_prop:property_service set;
+
+
+allow usbdongled system_file:file x_file_perms;
+allow usbdongled shell_exec:file rx_file_perms;
+
+unix_socket_connect(usbdongled, property, init)
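Review bot: The comment `# Allow ril-3gddaemon to create and use netlink sockets.` names a different daemon than the one this file declares and reads like a paste from another policy file; it should say `# Allow usbdongled to create and use netlink sockets.`. Below it, `allow usbdongled netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};` with `netdomain:fd use` lets the daemon read, write and reconfigure sockets owned by every networking domain, and `kill` in the capability set lets it signal processes outside its own; both deserve a comment stating the use case, or scoping to the domains that actually pass it descriptors. The two blank lines before the `system_file`/`shell_exec` rules also swallow whatever comment was meant to explain why a dongle-selection daemon executes shell.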
\ No newline at end of file
diff --git a/sepolicy/vdc.te b/sepolicy/vdc.te
new file mode 100644
index 0000000..fe976d1
--- /dev/null
+++ b/sepolicy/vdc.te
@@ -0,0 +1,14 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : property
+allow vdc vold_prop:property_service set;
+
+# Date : WK14.53
+# Purpose : dumpstate
+allow vdc dumpstate:file read;
+
diff --git a/sepolicy/viarild.te b/sepolicy/viarild.te
new file mode 100644
index 0000000..4c5bc3e
--- /dev/null
+++ b/sepolicy/viarild.te
@@ -0,0 +1,78 @@
+# ==============================================
+# Policy File of /system/bin/viarild Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type viarild_exec , exec_type, file_type;
+type viarild ,domain;
+
+
+# ==============================================
+# MTK C2K Policy Rule
+# ==============================================
+
+init_daemon_domain(viarild)
+net_domain(viarild)
+allow viarild self:netlink_route_socket nlmsg_write;
+allow viarild kernel:system module_request;
+unix_socket_connect(viarild, property, init)
+allow viarild self:capability { setuid net_admin net_raw };
+allow viarild alarm_device:chr_file rw_file_perms;
+allow viarild cgroup:dir create_dir_perms;
+allow viarild radio_device:chr_file rw_file_perms;
+allow viarild radio_device:blk_file r_file_perms;
+allow viarild mtd_device:dir search;
+allow viarild efs_file:dir create_dir_perms;
+allow viarild efs_file:file create_file_perms;
+allow viarild shell_exec:file rx_file_perms;
+allow viarild bluetooth_efs_file:file r_file_perms;
+allow viarild bluetooth_efs_file:dir r_dir_perms;
+allow viarild radio_data_file:dir rw_dir_perms;
+allow viarild radio_data_file:file create_file_perms;
+allow viarild sdcard_type:dir r_dir_perms;
+allow viarild system_data_file:dir r_dir_perms;
+allow viarild system_data_file:file r_file_perms;
+allow viarild system_file:file x_file_perms;
+allow viarild proc:file write;
+
+# property service
+allow statusd system_prop:property_service set;
+allow viarild radio_prop:property_service set;
+allow viarild net_radio_prop:property_service set;
+allow viarild system_radio_prop:property_service set;
+allow viarild persist_ril_prop:property_service set;
+auditallow viarild net_radio_prop:property_service set;
+auditallow viarild system_radio_prop:property_service set;
+
+# Read/Write to uart driver (for GPS)
+allow viarild gps_device:chr_file rw_file_perms;
+
+allow viarild tty_device:chr_file rw_file_perms;
+
+# Allow viarild to create and use netlink sockets.
+allow viarild self:netlink_socket create_socket_perms;
+allow viarild self:netlink_kobject_uevent_socket create_socket_perms;
+
+# Access to wake locks
+wakelock_use(viarild)
+
+allow viarild self:socket create_socket_perms;
+
+allow viarild Vcodec_device:chr_file { read write open };
+allow viarild devmap_device:chr_file { read ioctl open };
+allow viarild devpts:chr_file { read write open };
+allow viarild self:capability dac_override;
+
+allow viarild ccci_device:chr_file { read write ioctl open };
+allow viarild devpts:chr_file ioctl;
+allow viarild misc_device:chr_file { read write open };
+allow viarild platformblk_device:blk_file { read write open };
+allow viarild proc_lk_env:file { read ioctl open };
+allow viarild sysfs_vcorefs_pwrctrl:file { open write };
+allow viarild ril_active_md_prop:property_service set;
+
+#Search permission for findPidByName
+allow statusd domain:dir search;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..5a94970
--- /dev/null
+++ b/sepolicy/vold.te
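Review bot: `allow statusd system_prop:property_service set;` (under `# property service`) and `allow statusd domain:dir search;` (the last rule) grant permissions to a `statusd` domain inside viarild.te, where no `statusd` type is declared; they look misplaced and belong in statusd's own policy file, and the second one reaches into every domain's /proc entries, so it should carry a comment such as `# findPidByName walks /proc/<pid> for every domain` rather than the terse one it has. `allow viarild proc:file write;` near the top covers all files under the generic proc label; the `proc_lk_env` rule further down shows the tighter, per-node style that would fit here too. The two `auditallow` lines on net_radio_prop and system_radio_prop are fine for bring-up but should say in a comment whether they are meant to ship.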
@@ -0,0 +1,96 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : Access 'OMADM_USB' nvram
+allow vold nvram_data_file:file { read getattr open write create setattr};
+allow vold nvram_data_file:lnk_file read;
+allow vold nvram_data_file:dir { read open write add_name create getattr setattr search};
+allow vold nvdata_file:file { read getattr open write create setattr};
+allow vold nvdata_file:dir { read ioctl open write add_name create getattr setattr search};
+allow vold nvram_device:chr_file { read write open };
+allow vold platformblk_device:blk_file { read write open };
+allow vold platformblk_device:dir search;
+allow vold proc:file write;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : re-init ExternalSD
+allow vold misc_sd_device:chr_file { read ioctl open };
+
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : encrypt phone
+allow vold kernel:system module_request;
+allow vold misc_device:chr_file { write open };
+allow vold platformblk_device:blk_file { ioctl getattr };
+allow vold zram0_device:blk_file getattr;
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : symbolic link for /data/ext_sdcard_tool
+allow vold system_data_file:lnk_file { create unlink };
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : multi partition
+allow vold sdcardd_exec:file { read open execute execute_no_trans };
+allow vold self:capability { sys_resource setgid setuid };
+allow vold install_data_file:file { read open };
+allow vold fuse_device:chr_file { read write open };
+allow vold system_data_file:file open;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : ptrace process
+allow vold mediaserver:process ptrace;
+
+# Date : WK14.43
+# Purpose : grant permission to /protect_f and /protect_s for the command, fstrim dotrim
+allow vold protect_f_data_file:dir { read getattr open ioctl };
+allow vold protect_s_data_file:dir { read getattr open ioctl };
+allow vold persist_data_file:dir { read getattr open ioctl };
+
+# Date : WK14.44
+# Operation : Migration
+allow vold proc_lk_env:file { read write open ioctl};
+allow vold media_rw_data_file:dir { read open };
+
+# Date : WK14.46
+# Operation : allow sdcard create tmpfs link file
+allow vold tmpfs:lnk_file create;
+
+# Date : WK14.46
+# Operation : copy the logs in /data(tmpfs) to real userdata partition
+allow vold logtemp_data_file:dir { read open getattr search};
+allow vold logtemp_data_file:file { read getattr open };
+allow vold logmisc_data_file:dir { read open getattr search};
+allow vold logmisc_data_file:file { read getattr open };
+allow vold mdlog_data_file:dir { read open getattr search};
+allow vold mdlog_data_file:file { read getattr open };
+allow vold aee_exp_data_file:dir { read open getattr search};
+allow vold aee_exp_data_file:file { read getattr open };
+allow vold data_tmpfs_log_file:dir { setattr getattr read create write rmdir relabelto remove_name open add_name search};
+allow vold data_tmpfs_log_file:file { write setattr getattr relabelto create unlink open };
+# mount crypto block device to /data/tmp_mnt/data_tmpfs_log and restorecon
+allow vold system_data_file:dir { relabelfrom relabelto setattr };
+allow vold system_data_file:file { relabelto };
+
+# Date : WK14.49
+# Purpose : ptrace process
+allow vold platform_app:process ptrace;
+allow vold mobile_log_d:process ptrace;
+
+# Date : WK14.50
+# Purpose : read/write sys env
+allow vold misc_device:chr_file read;
+
+# Date : WK15.02
+# Purpose : fsck_msdos
+allow vold platform_app:fd use;
+
+#install APK move to SD
+allow vold block_device:file create;
diff --git a/sepolicy/volte_imcb.te b/sepolicy/volte_imcb.te
new file mode 100644
index 0000000..07169ad
--- /dev/null
+++ b/sepolicy/volte_imcb.te
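Review bot: `allow vold mediaserver:process ptrace;`, `allow vold platform_app:process ptrace;` and `allow vold mobile_log_d:process ptrace;` let the storage daemon attach to and read the memory of three unrelated domains, with only `# Purpose : ptrace process` as justification; if this backs a debug or crash-dump path it should be limited to debuggable builds (the `userdebug_or_eng` wrapper, if this policy version has it) and the comment should name the vold operation that triggers it. `allow vold system_data_file:dir { relabelfrom relabelto setattr };` together with `system_data_file:file { relabelto }` permits relabelling generic /data content in both directions, which the `data_tmpfs_log_file` type already declared a few lines up could confine if it were used as the relabelfrom/relabelto endpoint instead. The WK14.44 block also lacks a Purpose line, unlike every other dated block in the file.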
@@ -0,0 +1,29 @@
+# ==============================================
+# Policy File of /system/bin/volte_imcb Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_imcb, domain;
+type volte_imcb_exec, exec_type, file_type;
+type volte_imsa1_socket, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+#permissive volte_imcb;
+init_daemon_domain(volte_imcb)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow volte_imcb ccci_device:chr_file { read write open };
+allow volte_imcb node:tcp_socket node_bind;
+allow volte_imcb port:tcp_socket name_bind;
+allow volte_imcb self:tcp_socket { bind create setopt accept listen };
+allow volte_imcb socket_device:sock_file write;
+allow volte_imcb volte_ua:unix_stream_socket connectto;
+allow volte_imcb fwmarkd_socket:sock_file write;
+allow volte_imcb self:tcp_socket { read getattr };
+allow volte_imcb netd:unix_stream_socket connectto;
+allow volte_imcb self:tcp_socket write;
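Review bot: `type volte_imsa1_socket, file_type;` is declared but no rule in this file references it, and the only nearby mention of a similar name is the commented-out `unix_socket_connect(vtservice, volte_imsvt1, volte_imcb)` in vtservice.te, which uses a different type name; either the declaration is dead or it is consumed by a file outside this series, and a comment such as `# volte_imsa1_socket: labels <socket path>, connected to by <client domain>` (with the real values filled in) would settle it. `allow volte_imcb port:tcp_socket name_bind;` allows binding to any port that has no more specific label; if the listener uses a fixed port, labelling it in the port contexts and binding to that type only is the narrower form. The three separate `self:tcp_socket` rules could be merged into one so the full socket profile is visible at a glance.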
\ No newline at end of file
diff --git a/sepolicy/volte_stack.te b/sepolicy/volte_stack.te
new file mode 100644
index 0000000..e98fa24
--- /dev/null
+++ b/sepolicy/volte_stack.te
@@ -0,0 +1,47 @@
+# ==============================================
+# Policy File of /system/bin/volte_stack Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_stack, domain;
+type volte_stack_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+#permissive volte_stack;
+init_daemon_domain(volte_stack)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow volte_stack netd:unix_stream_socket connectto;
+allow volte_stack shell_exec:file { read execute open execute_no_trans };
+allow volte_stack socket_device:sock_file write;
+allow volte_stack self:key_socket { write read create setopt };
+allow volte_stack self:capability net_admin;
+allow volte_stack self:capability { setuid setgid };
+allow volte_stack self:tcp_socket { bind create setopt listen };
+allow volte_stack self:udp_socket { write bind read setopt };
+allow volte_stack self:udp_socket create;
+allow volte_stack self:tcp_socket shutdown;
+allow volte_stack self:udp_socket shutdown;
+allow volte_stack node:tcp_socket node_bind;
+allow volte_stack node:udp_socket node_bind;
+allow volte_stack port:tcp_socket name_bind;
+allow volte_stack port:udp_socket name_bind;
+allow volte_stack fwmarkd_socket:sock_file write;
+allow volte_stack system_data_file:dir { write remove_name add_name };
+allow volte_stack system_data_file:file { ioctl open };
+allow volte_stack system_file:file execute_no_trans;
+
+# Date : 2015/01/07
+# Operation : Migration
+# Purpose : for VoLTE L Pre-FT test, Pre-FT error show we need add tcp rule
+allow volte_stack self:tcp_socket accept;
+allow volte_stack self:tcp_socket read;
+allow volte_stack self:tcp_socket write;
+allow volte_stack self:tcp_socket getattr;
+allow volte_stack self:tcp_socket connect;
+allow volte_stack port:tcp_socket name_connect;
diff --git a/sepolicy/volte_ua.te b/sepolicy/volte_ua.te
new file mode 100644
index 0000000..dba7458
--- /dev/null
+++ b/sepolicy/volte_ua.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /system/bin/volte_ua Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_ua, domain;
+type volte_ua_exec, exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+#permissive volte_ua;
+init_daemon_domain(volte_ua)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow volte_ua socket_device:sock_file write;
+allow volte_ua volte_stack:unix_stream_socket connectto;
+allow volte_ua node:udp_socket node_bind;
+allow volte_ua self:udp_socket { bind create };
+allow volte_ua self:udp_socket read;
diff --git a/sepolicy/vtservice.te b/sepolicy/vtservice.te
new file mode 100644
index 0000000..8cd2600
--- /dev/null
+++ b/sepolicy/vtservice.te
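Review bot: `allow volte_stack shell_exec:file { read execute open execute_no_trans };` and `allow volte_stack system_file:file execute_no_trans;` run /system/bin/sh and any system binary inside the volte_stack domain, which also holds `net_admin`, `setuid` and `setgid`; whatever the stack shells out to should be named in a comment, and if it is a fixed helper it should get its own exec type and a domain transition rather than execute_no_trans. The `self:tcp_socket` permissions are spread over six single-permission rules plus one braced set across the two dated blocks; one line, `allow volte_stack self:tcp_socket { accept bind connect create getattr listen read setopt shutdown write };`, would make the socket profile readable at a glance, with the 2015/01/07 comment kept above it to record why the later permissions were added. `system_data_file:dir { write remove_name add_name }` is the same generic-/data write that thermal_manager.te in this series has, and a dedicated data type would fit here as well.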
@@ -0,0 +1,32 @@
+# ==============================================
+# Policy File of /system/binvtservice Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type vtservice_exec , exec_type, file_type;
+type vtservice ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(vtservice)
+binder_use(vtservice)
+binder_call(vtservice, mediaserver)
+binder_service(vtservice)
+
+allow vtservice vtservice_service:service_manager add;
+#unix_socket_connect(vtservice, volte_imsvt1, volte_imcb)
+allow vtservice fuse:dir search;
+allow vtservice fuse:file { read write open };
diff --git a/sepolicy/watchdogd.te b/sepolicy/watchdogd.te
new file mode 100644
index 0000000..79b118a
--- /dev/null
+++ b/sepolicy/watchdogd.te
@@ -0,0 +1,3 @@
+# ==============================================
+# MTK Policy Rule
+# ============
diff --git a/sepolicy/wifi2agps.te b/sepolicy/wifi2agps.te
new file mode 100644
index 0000000..8a90cec
--- /dev/null
+++ b/sepolicy/wifi2agps.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /system/bin/wifi2agps Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type wifi2agps_exec , exec_type, file_type;
+type wifi2agps ,domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive wifi2agps;
+init_daemon_domain(wifi2agps)
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : for mtk debug mechanism
+allow wifi2agps agpsd_data_file:sock_file write;
+allow wifi2agps mtk_agpsd:unix_dgram_socket sendto;
+allow wifi2agps self:netlink_socket {write getattr setopt read bind create};
+allow wifi2agps self:udp_socket { create ioctl };
+allow wifi2agps agpsd_data_file:dir search;
diff --git a/sepolicy/wmt_loader.te b/sepolicy/wmt_loader.te
new file mode 100644
index 0000000..6a2fede
--- /dev/null
+++ b/sepolicy/wmt_loader.te
@@ -0,0 +1,32 @@
+# ==============================================
+# Policy File of /system/binwmt_loader Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type wmt_loader_exec , exec_type, file_type;
+type wmt_loader ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+allow wmt_loader wmt_prop:property_service set;
+allow wmt_loader init:unix_stream_socket connectto;
+allow wmt_loader proc:file setattr;
+allow wmt_loader property_socket:sock_file write;
+allow wmt_loader self:capability { chown dac_override };
+allow wmt_loader wmtdetect_device:chr_file { read write ioctl open };
+allow wmt_loader stpwmt_device:chr_file { read write ioctl open };
+allow wmt_loader devpts:chr_file { read write getattr ioctl };
+init_daemon_domain(wmt_loader)
diff --git a/sepolicy/wpa.te b/sepolicy/wpa.te
new file mode 100644
index 0000000..0f1d1b8
--- /dev/null
+++ b/sepolicy/wpa.te
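Review bot: `allow wmt_loader init:unix_stream_socket connectto;` and `allow wmt_loader property_socket:sock_file write;` are the expansion of `unix_socket_connect(wmt_loader, property, init)`, which terservice, tunman, usbdongled and zpppd_gprs in this series use for property access; replacing the two lines with the macro keeps the files consistent and ties the grant to the `wmt_prop` set rule it serves. `allow wmt_loader proc:file setattr;` applies to every file under the generic proc label and would be tighter against a dedicated proc type for the node the loader adjusts. Declaring `init_daemon_domain(wmt_loader)` as the last line, after all the rules, is also at odds with the other files, which place it directly under the MTK Policy Rule banner; moving it up makes the domain's setup readable top-down.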
@@ -0,0 +1,14 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+allow wpa rild_oem_socket:sock_file write;
+allow wpa rild_oem_md2_socket:sock_file write;
+allow wpa mtkrild:unix_stream_socket connectto;
+# if low memory occured, and system try to free more memory, wpa_suppliant may meet a violation like:
+# avc: denied { use } for pid=4063 comm="wpa_supplicant"
+# path=2F6465762F6173686D656D2F4469736361726461626C654D656D6F72794173686D656D416C6C6F6361746F72202864656C6574656429
+# dev="tmpfs" ino=46425 scontext=u:r:wpa:s0 tcontext=u:r:platform_app:s0 tclass=fd permissive=0
+# this is a issue caused by low memory, so we should add this rule below
+allow wpa platform_app:fd use;
+allow wpa platform_app_tmpfs:file write;
\ No newline at end of file
diff --git a/sepolicy/wpa_supplicant.te b/sepolicy/wpa_supplicant.te
new file mode 100644
index 0000000..79b118a
--- /dev/null
+++ b/sepolicy/wpa_supplicant.te
@@ -0,0 +1,3 @@
+# ==============================================
+# MTK Policy Rule
+# ============
diff --git a/sepolicy/xlog.te b/sepolicy/xlog.te
new file mode 100644
index 0000000..fd90144
--- /dev/null
+++ b/sepolicy/xlog.te
@@ -0,0 +1,28 @@
+# ==============================================
+# Policy File of /system/binxlog Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type xlog_exec , exec_type, file_type;
+type xlog ,domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#permissive xlog;
+init_daemon_domain(xlog)
+#unconfined_domain(xlog)
+allow xlog self:capability { fowner chown fsetid dac_override };
+allow xlog system_data_file:dir { write add_name };
diff --git a/sepolicy/zpppd_gprs.te b/sepolicy/zpppd_gprs.te
new file mode 100644
index 0000000..1ca2b57
--- /dev/null
+++ b/sepolicy/zpppd_gprs.te
@@ -0,0 +1,24 @@
+# zpppd_gprs - pppd process for ZTE 3gdongle ppp dail
+type zpppd_gprs, domain;
+type zpppd_gprs_exec, exec_type, file_type;
+init_daemon_domain(zpppd_gprs)
+net_domain(zpppd_gprs)
+
+allow zpppd_gprs self:capability { setuid setgid net_admin net_raw dac_override sys_module };
+
+# property service
+allow zpppd_gprs radio_prop:property_service set;
+allow zpppd_gprs net_radio_prop:property_service set;
+allow zpppd_gprs system_radio_prop:property_service set;
+allow zpppd_gprs system_prop:property_service set;
+allow zpppd_gprs pppoe_ppp0_prop:property_service set;
+allow zpppd_gprs ctl_zpppdgprs_prop:property_service set;
+
+# device and file allow
+allow zpppd_gprs tty_device:chr_file rw_file_perms;
+allow zpppd_gprs ppp_exec:file { read open getattr execute execute_no_trans };
+allow zpppd_gprs ppp_device:chr_file { read write open ioctl };
+allow zpppd_gprs system_file:file x_file_perms;
+allow zpppd_gprs shell_exec:file rx_file_perms;
+
+unix_socket_connect(zpppd_gprs, property, init)
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..2d4a7ae
--- /dev/null
+++ b/sepolicy/zygote.te
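Review bot: `sys_module` in `allow zpppd_gprs self:capability { setuid setgid net_admin net_raw dac_override sys_module };` lets the dial-up helper load kernel modules, which is far broader than bringing up a PPP link; if a ppp module is auto-loaded on demand, the narrower form viarild.te and vold.te use in this series is `allow zpppd_gprs kernel:system module_request;`, and sys_module should then be dropped. `allow zpppd_gprs system_prop:property_service set;` is likewise a wide property grant for this daemon and deserves a comment naming the property it sets. The header comment has a typo, `dail` for `dial`.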
@@ -0,0 +1,72 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : for MTK boot performance profiling, for access /proc/bootprof
+allow zygote devmap_device:chr_file { read ioctl open };
+allow zygote proc:file write;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : 6571/6572 LCA external memory access(/dev/exm0)
+allow zygote exm0_device:chr_file { read write ioctl open };
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : for CIP project (access /custom partition)
+allow zygote custom_file:dir rw_dir_perms;
+allow zygote custom_file:file create_file_perms;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : for untrusted app to use ptrace (e.g. 360Mobile, taobao)
+dontaudit zygote untrusted_app:process ptrace;
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : for dump hprof when OOME
+allow zygote anr_data_file:dir *;
+
+# Date : WK14.43
+# Operation : SQC2
+# Purpose : found in FST Auto Test (ALPS01774709)
+allow zygote platform_app:fd use;
+
+# Date : WK14.44
+# Operation : SQC
+# Purpose : found in WLAN test (ALPS01784932)
+allow zygote platform_app_tmpfs:file write;
+
+# Date : WK14.46
+# Operation : SQC
+# Purpose : found in sanity test (ALPS01825280)
+allow zygote servicemanager:binder call;
+
+# Date : WK14.49
+# Operation : SQC
+# Purpose : for isolated_app to use fd (ex: share image by gmail)
+allow zygote isolated_app:fd use;
+
+# Date : WK15.02
+# Operation : SQC
+# Purpose : for Chrome search (ALPS01897864)
+allow zygote isolated_app_tmpfs:file write;
+
+# Date : WK15.02
+# Operation : SQC
+# Purpose : for "theScore Sports & Scores" app to play video(ALPS01897019)
+allow zygote untrusted_app:fd use;
+
+# Date : WK15.03
+# Operation : SQC
+# Purpose : for FB webpage loading
+allow zygote untrusted_app_tmpfs:file write;
+
+# Date : WK15.08
+# Operation : SQC
+# Purpose : for TTLIA
+allow zygote radio:fd use;
+allow zygote radio_tmpfs:file create_file_perms;
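Review bot: `allow zygote proc:file write;` is far broader than the `/proc/bootprof` use its comment gives: `proc` is the catch-all label for procfs, so this lets zygote — the parent of every app process — write to any proc file that has not been given its own type. Label the node itself (a `genfscon proc /bootprof u:object_r:proc_bootprof:s0` entry with `type proc_bootprof, fs_type;`) and narrow the rule to `allow zygote proc_bootprof:file { write open };`; the genfs_contexts change lives outside this hunk. `allow zygote anr_data_file:dir *;` should likewise enumerate the permissions the hprof dump actually needs (`{ search write add_name }` or similar — confirm against the recorded denials), since the wildcard also grants `rmdir`, `remove_name`, `rename` and `setattr` on the ANR directory.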
\ No newline at end of file |
