# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.32
# Operation : AEE UT
# Purpose : for AEE module
#
# Vendor additions to the debuggerd domain for the MTK AEE module: device
# nodes it reads, directories where it stores dumps, helper binaries it
# executes, and properties it sets. Lines marked NOTE(review) flag grants
# that are broad for a crash-handling daemon and should be re-justified
# or narrowed.

# Executing a dmlog_exec file from debuggerd transitions to the dmlog domain.
domain_auto_trans(debuggerd, dmlog_exec, dmlog)
allow debuggerd aed_device:chr_file { read write ioctl open };
allow debuggerd expdb_device:chr_file { read write ioctl open };
# NOTE(review): read/write on a raw block device type. The "AED start"
# comment below points at /dev/block/expdb; confirm platformblk_device is
# not also the label of other partitions.
allow debuggerd platformblk_device:blk_file { read write ioctl open };
allow debuggerd ccci_device:chr_file { read ioctl open };
allow debuggerd etb_device:chr_file { read write ioctl open };
allow debuggerd graphics_device:dir search;
allow debuggerd graphics_device:chr_file r_file_perms;
allow debuggerd Vcodec_device:chr_file r_file_perms;
allow debuggerd camera_isp_device:chr_file r_file_perms;
# AED start: /dev/block/expdb
allow debuggerd block_device:dir search;
allow debuggerd platformblk_device:dir search;
# NE flow: /dev/RT_Monitor
allow debuggerd RT_Monitor_device:chr_file { read ioctl open };
# /dev/_GPU_ dev/pvrsrvkm
allow debuggerd gpu_device:chr_file rw_file_perms;
# /dev/exm0
allow debuggerd exm0_device:chr_file r_file_perms;
# execute_no_trans: the shell and dex2oat run without a domain transition,
# i.e. inside the debuggerd domain with every permission granted in this file.
allow debuggerd shell_exec:file { execute execute_no_trans };
allow debuggerd dex2oat_exec:file { execute execute_no_trans };
# aee db dir and db files
# NOTE(review): dumps written under sdcard_internal may be readable by other
# domains with storage access; confirm what the db files contain.
allow debuggerd sdcard_internal:dir create_dir_perms;
allow debuggerd sdcard_internal:file create_file_perms;
#data/anr
allow debuggerd anr_data_file:dir create_dir_perms;
allow debuggerd anr_data_file:file create_file_perms;
#data/aee_exp
allow debuggerd aee_exp_data_file:dir { relabelto create_dir_perms };
allow debuggerd aee_exp_data_file:file create_file_perms;
#data/dumpsys
allow debuggerd aee_dumpsys_data_file:dir { relabelto create_dir_perms };
allow debuggerd aee_dumpsys_data_file:file create_file_perms;
#/data/core
allow debuggerd aee_core_data_file:dir create_dir_perms;
allow debuggerd aee_core_data_file:file create_file_perms;
# /data/data_tmpfs_log
allow debuggerd data_tmpfs_log_file:dir create_dir_perms;
allow debuggerd data_tmpfs_log_file:file create_file_perms;
allow debuggerd shell_data_file:dir search;
allow debuggerd shell_data_file:file r_file_perms;
#/data/anr/SF_RTT
allow debuggerd sf_rtt_file:dir search;
allow debuggerd sf_rtt_file:file r_file_perms;
# NOTE(review): these two rules target the generic sysfs and proc types, so
# the write permission covers every file carrying the default label rather
# than the specific nodes AEE needs. Prefer a dedicated type for those nodes.
allow debuggerd sysfs:file write;
allow debuggerd proc:file write;
allow debuggerd sysfs_lowmemorykiller:file { read open };
allow debuggerd debugfs:file read;
#allow debuggerd proc_security:file { write open };
# NOTE(review): sys_module (kernel module load/unload) and net_admin are
# powerful capabilities for a crash-handling daemon; confirm each one is
# still required and drop the rest.
allow debuggerd self:capability { fsetid sys_nice sys_resource net_admin sys_module };
# Targets the domain attribute, so these apply to processes in every domain.
allow debuggerd domain:process { sigkill getattr getsched};
allow debuggerd domain:lnk_file getattr;
#core-pattern
allow debuggerd usermodehelper:file { read open };
#suid_dumpable
allow debuggerd proc_security:file { read open };
#kptr_restrict
# (write access to proc_security is left disabled)
#allow debuggerd proc_security:file { write open };
#dmesg
allow debuggerd kernel:system syslog_read;
#property
allow debuggerd init:unix_stream_socket connectto;
allow debuggerd property_socket:sock_file write;
# dumpstate ION_MM_HEAP
allow debuggerd debugfs:lnk_file read;
allow debuggerd tmpfs:lnk_file read;
# aed set property
allow debuggerd persist_mtk_aee_prop:property_service set;
allow debuggerd persist_aee_prop:property_service set;
allow debuggerd debug_mtk_aee_prop:property_service set;
# aee_dumpstate set property
allow debuggerd debug_bq_dump_prop:property_service set;
# NOTE(review): the next four rules give directory search and file read on
# system_app_data_file and app_data_file, i.e. on application private data.
# The comments cite single apps as the reason; the grant is not limited to
# them. Confirm which files are actually needed and where copies end up.
#com.android.settings NE
allow debuggerd system_app_data_file:dir search;
# sogou NE
allow debuggerd app_data_file:dir search;
# open and read /data/data/com.android.settings/databases/search_index.db-journal
allow debuggerd system_app_data_file:file r_file_perms;
allow debuggerd app_data_file:file r_file_perms;
# /system/bin/am
# execute_no_trans on system_file: files with that label run inside the
# debuggerd domain; the rule is not limited to the binary named above.
allow debuggerd system_file:file execute_no_trans;
allow debuggerd zygote_exec:file { execute execute_no_trans };
#/proc/driver/storage_logger
allow debuggerd proc_slogger:file { write read open };
# MOTA upgrade from JB->L: aee_dumpstate(ps top df dmesg)
# allow debuggerd unlabeled:lnk_file read;
# Binder access: calls into system_server and surfaceflinger.
binder_use(debuggerd)
allow debuggerd system_server:binder call;
allow debuggerd surfaceflinger:binder call;
allow debuggerd surfaceflinger:fd use;
allow debuggerd platform_app:fd use;
allow debuggerd platform_app_tmpfs:file write;
# aed and MTKLogger.apk socket connect
# NOTE(review): connectto is granted on the whole platform_app domain, not
# only the logger app named above.
allow debuggerd platform_app:unix_stream_socket connectto;
allow debuggerd self:udp_socket { create ioctl };
allow debuggerd init:process getsched;
allow debuggerd kernel:process getsched;
# for SF_dump
allow debuggerd sf_bqdump_data_file:dir { read write open remove_name search};
allow debuggerd sf_bqdump_data_file:file { read getattr unlink open };
allow debuggerd custom_file:dir search;
# avc: denied { read } for pid=4503 comm="screencap" name="secmem0" dev="proc"
# The denial was logged for screencap; it presumably runs in the debuggerd
# domain via the execute_no_trans rule on system_file - confirm.
allow debuggerd proc_secmem:file r_file_perms;