| |
| |
| # NOTE(review): every rule below is `dontaudit`: it stops the denial from being logged but does not |
| # grant the access, which stays denied unless an allow rule elsewhere covers it. The "#=====" headers |
| # match audit2allow's output layout, so these look generated from a denial log - confirm each one is |
| # known-benign noise before keeping it, because a silenced denial leaves no trace for later triage. |
| #============= adsprpcd ============== |
| dontaudit adsprpcd mnt_vendor_file:dir read; |
| dontaudit adsprpcd qdsp_device:chr_file ioctl; |
| # adsprpcd is refused the sensors persist directory and files; if the service needs that data the |
| # failure will be functional only, with nothing in the audit log - verify against the allow rules. |
| dontaudit adsprpcd sensors_persist_file:dir search; |
| dontaudit adsprpcd sensors_persist_file:file { getattr read }; |
| |
| #============= cnd ============== |
| dontaudit cnd cnd_data_file:file lock; |
| dontaudit cnd self:qipcrtr_socket read; |
| |
| #============= crash_dump ============== |
| dontaudit crash_dump qcom_ims_prop:file { getattr map open }; |
| |
| #============= firmware_file ============== |
| # The source here is a file type, not a process domain: `filesystem associate` is the check for whether |
| # an object with this label may live on a filesystem with this label. |
| # NOTE(review): silencing it hides a labelling problem rather than fixing it - presumably the fix |
| # belongs in the filesystem / file-context labelling; confirm. |
| dontaudit firmware_file self:filesystem associate; |
| |
| #============= flags_health_check ============== |
| # One rule per property type: flags_health_check is denied getattr/map/open on each property file |
| # listed and none of those denials is logged. The access itself is still refused. |
| # NOTE(review): an enumerated list this long is hard to audit and goes stale when property types are |
| # added. If the intent is "this domain probes every property area and that is expected", a single rule |
| # on the policy's property attribute would state it once - confirm the attribute name in the base policy. |
| # The list includes sensitive types (e.g. netd_stable_secret_prop, serialno_prop); suppressing the log |
| # for those also suppresses the signal that something tried to open them. |
| dontaudit flags_health_check apexd_prop:file { getattr map open }; |
| dontaudit flags_health_check bluetooth_a2dp_offload_prop:file { getattr map open }; |
| dontaudit flags_health_check bluetooth_audio_hal_prop:file { getattr map open }; |
| dontaudit flags_health_check bluetooth_prop:file { getattr map open }; |
| dontaudit flags_health_check bootloader_boot_reason_prop:file { getattr map open }; |
| dontaudit flags_health_check boottime_prop:file { getattr map open }; |
| dontaudit flags_health_check bpf_progs_loaded_prop:file { getattr map open }; |
| dontaudit flags_health_check camera_prop:file { getattr map open }; |
| dontaudit flags_health_check camera_ro_prop:file { getattr map open }; |
| dontaudit flags_health_check cnd_vendor_prop:file { getattr map open }; |
| dontaudit flags_health_check cpu_variant_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_adbd_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_bootanim_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_bugreport_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_console_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_default_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_dumpstate_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_fuse_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_gsid_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_interface_restart_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_interface_start_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_interface_stop_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_mdnsd_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_restart_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_rildaemon_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_sigstop_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_start_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_stop_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_vendor_rmt_storage_prop:file { getattr map open }; |
| dontaudit flags_health_check device_logging_prop:file { getattr map open }; |
| dontaudit flags_health_check dumpstate_options_prop:file { getattr map open }; |
| dontaudit flags_health_check dynamic_system_prop:file { getattr map open }; |
| dontaudit flags_health_check ecoservice_prop:file { getattr map open }; |
| dontaudit flags_health_check exported_audio_prop:file { getattr map open }; |
| dontaudit flags_health_check exported_bluetooth_prop:file { getattr map open }; |
| dontaudit flags_health_check exported_overlay_prop:file { getattr map open }; |
| dontaudit flags_health_check exported_wifi_prop:file { getattr map open }; |
| dontaudit flags_health_check factory_ota_prop:file { getattr map open }; |
| dontaudit flags_health_check firstboot_prop:file { getattr map open }; |
| dontaudit flags_health_check gsid_prop:file { getattr map open }; |
| dontaudit flags_health_check heapprofd_enabled_prop:file { getattr map open }; |
| dontaudit flags_health_check hwservicemanager_prop:file { getattr map open }; |
| dontaudit flags_health_check last_boot_reason_prop:file { getattr map open }; |
| dontaudit flags_health_check llkd_prop:file { getattr map open }; |
| dontaudit flags_health_check logpersistd_logging_prop:file { getattr map open }; |
| dontaudit flags_health_check lowpan_prop:file { getattr map open }; |
| dontaudit flags_health_check lpdumpd_prop:file { getattr map open }; |
| dontaudit flags_health_check mmc_prop:file { getattr map open }; |
| dontaudit flags_health_check net_dns_prop:file { getattr map open }; |
| dontaudit flags_health_check netd_stable_secret_prop:file { getattr map open }; |
| dontaudit flags_health_check nnapi_ext_deny_product_prop:file { getattr map open }; |
| dontaudit flags_health_check overlay_prop:file { getattr map open }; |
| dontaudit flags_health_check persistent_properties_ready_prop:file { getattr map open }; |
| dontaudit flags_health_check power_prop:file { getattr map open }; |
| dontaudit flags_health_check public_vendor_default_prop:file { getattr map open }; |
| dontaudit flags_health_check public_vendor_system_prop:file { getattr map open }; |
| dontaudit flags_health_check qcom_ims_prop:file { getattr map open }; |
| dontaudit flags_health_check safemode_prop:file { getattr map open }; |
| dontaudit flags_health_check serialno_prop:file { getattr map open }; |
| dontaudit flags_health_check spcomlib_prop:file { getattr map open }; |
| dontaudit flags_health_check system_boot_reason_prop:file { getattr map open }; |
| |
| #============= fsck ============== |
| # NOTE(review): block_device is the generic block-device label. A denial against it (rather than a |
| # partition-specific type) usually means the node is not labelled in file_contexts - TODO confirm. |
| # With the denial silenced, fsck is still refused the device and nothing is logged. |
| dontaudit fsck block_device:blk_file { ioctl open read write }; |
| |
| #============= gatekeeperd ============== |
| # gatekeeperd is refused a binder call into the gatekeeper HAL. Unless an allow rule elsewhere grants |
| # it, credential verification through this HAL fails without an audit record - verify. |
| dontaudit gatekeeperd hal_gatekeeper_qti:binder call; |
| |
| #============= hal_bluetooth_default ============== |
| dontaudit hal_bluetooth_default self:qipcrtr_socket create; |
| |
| #============= hal_bootctl_default ============== |
| # Boot-control HAL: denied both the generic block_device label and gpt_block_device, including write. |
| # NOTE(review): presumably this leaves slot/boot-control operations non-functional and unlogged; |
| # confirm whether that is intended on this device. |
| dontaudit hal_bootctl_default block_device:blk_file getattr; |
| dontaudit hal_bootctl_default block_device:dir { open read search }; |
| dontaudit hal_bootctl_default gpt_block_device:blk_file { ioctl open read write }; |
| |
| # NOTE(review): most HAL domains in this group carry the same pair of rules - binder call/transfer |
| # to hwservicemanager plus read access to hwservicemanager_prop. That pair looks like the access a |
| # HAL needs in order to register with hwservicemanager; with it denied and silenced, a HAL that |
| # cannot register leaves no audit trail. Presumably the domains are missing their HAL-server policy |
| # - confirm against the device's .te files. |
| #============= hal_camera_default ============== |
| dontaudit hal_camera_default vndbinder_device:chr_file { ioctl map open read write }; |
| |
| #============= hal_drm_clearkey ============== |
| dontaudit hal_drm_clearkey hwservicemanager:binder { call transfer }; |
| dontaudit hal_drm_clearkey hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_drm_widevine ============== |
| dontaudit hal_drm_widevine hwservicemanager:binder { call transfer }; |
| dontaudit hal_drm_widevine hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_gatekeeper_qti ============== |
| # Gatekeeper HAL is refused the TEE and ION device nodes. NOTE(review): if no allow rule elsewhere |
| # grants these, the HAL cannot reach the secure world and the failure is invisible in the audit log. |
| dontaudit hal_gatekeeper_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_gatekeeper_qti hwservicemanager_prop:file { getattr map open read }; |
| dontaudit hal_gatekeeper_qti ion_device:chr_file { ioctl open read }; |
| dontaudit hal_gatekeeper_qti tee_device:chr_file { ioctl open read write }; |
| dontaudit hal_gatekeeper_qti vendor_tee_listener_prop:file { getattr map open read }; |
| |
| #============= hal_gnss_qti ============== |
| dontaudit hal_gnss_qti hal_health_default:binder { call transfer }; |
| dontaudit hal_gnss_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_gnss_qti hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_graphics_composer_default ============== |
| dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl map open read write }; |
| |
| #============= hal_health_default ============== |
| # `sysfs` is the generic sysfs label; a denial against it suggests the node read by the health HAL |
| # has no specific label - TODO confirm. |
| dontaudit hal_health_default hal_gnss_qti:binder call; |
| dontaudit hal_health_default sysfs:file { getattr open read }; |
| |
| #============= hal_iop_default ============== |
| dontaudit hal_iop_default hwservicemanager:binder call; |
| dontaudit hal_iop_default hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_keymaster_qti ============== |
| # Keymaster HAL: same TEE / ION denials as the gatekeeper HAL above, plus the security patch level |
| # property. NOTE(review): hardware-backed key operations depend on this path; keep these denials |
| # visible (or fix them with scoped allow rules) rather than silencing them - verify. |
| dontaudit hal_keymaster_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_keymaster_qti hwservicemanager_prop:file { getattr map open read }; |
| dontaudit hal_keymaster_qti ion_device:chr_file { ioctl open read }; |
| dontaudit hal_keymaster_qti tee_device:chr_file { ioctl open read write }; |
| dontaudit hal_keymaster_qti vendor_security_patch_level_prop:file { getattr map open read }; |
| dontaudit hal_keymaster_qti vendor_tee_listener_prop:file { getattr map open read }; |
| |
| #============= hal_light_default ============== |
| dontaudit hal_light_default sysfs_msm_subsys:dir search; |
| |
| #============= hal_mirrorlink_qti ============== |
| dontaudit hal_mirrorlink_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_mirrorlink_qti hwservicemanager_prop:file { getattr map open read }; |
| dontaudit hal_mirrorlink_qti vndbinder_device:chr_file { ioctl map open read write }; |
| |
| #============= hal_neuralnetworks_default ============== |
| dontaudit hal_neuralnetworks_default hwservicemanager:binder { call transfer }; |
| dontaudit hal_neuralnetworks_default hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_nfc_default ============== |
| # Both reading and setting vendor_modem_prop are refused for the NFC HAL, without a log entry. |
| dontaudit hal_nfc_default vendor_modem_prop:file { getattr map open read }; |
| dontaudit hal_nfc_default vendor_modem_prop:property_service set; |
| |
| #============= hal_perf_default ============== |
| dontaudit hal_perf_default hwservicemanager:binder { call transfer }; |
| dontaudit hal_perf_default hwservicemanager_prop:file { getattr map open read }; |
| # `proc` is the generic procfs label, so this rule hides reads of any otherwise-unlabelled /proc file |
| # by this domain, not one specific node - presumably broader than intended; confirm. |
| dontaudit hal_perf_default proc:file { open read }; |
| |
| #============= hal_power_default ============== |
| dontaudit hal_power_default power_prop:file { getattr map open read }; |
| |
| #============= hal_power_stats_default ============== |
| dontaudit hal_power_stats_default vndbinder_device:chr_file { ioctl map open read write }; |
| dontaudit hal_power_stats_default vndservicemanager:binder { call transfer }; |
| |
| #============= hal_qteeconnector_qti ============== |
| dontaudit hal_qteeconnector_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_qteeconnector_qti hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_rcsservice ============== |
| # init:unix_stream_socket connectto + property_socket write + property_service set together form the |
| # property-set path through init's property socket; all three are refused and silenced here, so a |
| # failed setprop from this domain leaves no audit record. |
| dontaudit hal_rcsservice init:unix_stream_socket connectto; |
| dontaudit hal_rcsservice property_socket:sock_file write; |
| dontaudit hal_rcsservice qcom_ims_prop:file { getattr map open read }; |
| dontaudit hal_rcsservice qcom_ims_prop:property_service set; |
| |
| # NOTE(review): several rules in this group target the generic `sysfs` label. A dontaudit on a |
| # generic label covers every unlabelled node of that class for the source domain, so it can hide |
| # future, unrelated denials as well as the one that prompted it. Prefer labelling the specific node. |
| #============= hal_sensors_default ============== |
| dontaudit hal_sensors_default mnt_vendor_file:dir search; |
| dontaudit hal_sensors_default persist_file:dir search; |
| dontaudit hal_sensors_default self:qipcrtr_socket { create getattr read setopt write }; |
| dontaudit hal_sensors_default sensors_persist_file:dir search; |
| dontaudit hal_sensors_default sensors_persist_file:file { getattr open read }; |
| dontaudit hal_sensors_default sysfs:file { open read }; |
| dontaudit hal_sensors_default sysfs_msm_subsys:dir { open read search }; |
| dontaudit hal_sensors_default sysfs_msm_subsys:file { open read }; |
| |
| #============= hal_sensorscalibrate_qti_default ============== |
| dontaudit hal_sensorscalibrate_qti_default hwservicemanager:binder { call transfer }; |
| dontaudit hal_sensorscalibrate_qti_default hwservicemanager_prop:file { getattr map open read }; |
| dontaudit hal_sensorscalibrate_qti_default self:qipcrtr_socket create; |
| dontaudit hal_sensorscalibrate_qti_default sysfs:file { open read }; |
| dontaudit hal_sensorscalibrate_qti_default sysfs_msm_subsys:dir { open read search }; |
| dontaudit hal_sensorscalibrate_qti_default sysfs_msm_subsys:file { open read }; |
| |
| #============= hal_tetheroffload_default ============== |
| # Tether-offload HAL is refused its IPA device node, its own data directory/files, and the netlink |
| # route / UDP sockets it creates on itself - all without logging. |
| dontaudit hal_tetheroffload_default ipa_dev:chr_file { ioctl open read write }; |
| dontaudit hal_tetheroffload_default ipa_vendor_data_file:dir { add_name search write }; |
| dontaudit hal_tetheroffload_default ipa_vendor_data_file:file { create lock open read write }; |
| dontaudit hal_tetheroffload_default self:netlink_route_socket { bind create getopt read setopt }; |
| dontaudit hal_tetheroffload_default self:udp_socket { create ioctl }; |
| |
| #============= hal_thermal_default ============== |
| dontaudit hal_thermal_default self:netlink_kobject_uevent_socket { bind create getopt read setopt }; |
| dontaudit hal_thermal_default sysfs:dir { open read }; |
| dontaudit hal_thermal_default sysfs:file { getattr open read }; |
| dontaudit hal_thermal_default vendor_thermal_prop:file { getattr map open read }; |
| |
| #============= hal_tui_comm_qti ============== |
| dontaudit hal_tui_comm_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_tui_comm_qti hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_usb_impl ============== |
| # USB HAL: create/unlink/write on configfs and reads on functionfs are refused and silenced. |
| # NOTE(review): configfs writes are how USB gadget configuration is changed, so these are worth |
| # keeping visible in the log - confirm whether a scoped allow exists elsewhere. |
| dontaudit hal_usb_impl configfs:dir { add_name open read remove_name search write }; |
| dontaudit hal_usb_impl configfs:file { create open unlink write }; |
| dontaudit hal_usb_impl configfs:lnk_file read; |
| dontaudit hal_usb_impl functionfs:dir search; |
| dontaudit hal_usb_impl functionfs:file read; |
| dontaudit hal_usb_impl hwservicemanager:binder { call transfer }; |
| dontaudit hal_usb_impl hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_vibrator_default ============== |
| # Includes `write` on the generic sysfs label - see the note at the top of this group. |
| dontaudit hal_vibrator_default mnt_vendor_file:dir search; |
| dontaudit hal_vibrator_default persist_file:dir search; |
| dontaudit hal_vibrator_default persist_haptics_file:dir search; |
| dontaudit hal_vibrator_default sysfs:file { getattr open read write }; |
| dontaudit hal_vibrator_default sysfs_leds:dir search; |
| |
| #============= hwservicemanager ============== |
| dontaudit hwservicemanager hal_gnss_qti:binder transfer; |
| dontaudit hwservicemanager pixelstats_vendor:binder transfer; |
| |
| #============= ims ============== |
| # Property-set path (init socket connect, property_socket write, property_service set) refused and |
| # silenced for ims, plus reads under sysfs_soc. |
| dontaudit ims init:unix_stream_socket connectto; |
| dontaudit ims property_socket:sock_file write; |
| dontaudit ims qcom_ims_prop:property_service set; |
| dontaudit ims self:qipcrtr_socket read; |
| dontaudit ims sysfs_soc:dir search; |
| dontaudit ims sysfs_soc:file { getattr open read }; |
| |
| #============= init ============== |
| # NOTE(review): these silence denials for init itself - mounting/relabelling the firmware filesystem, |
| # creating socket files, and writing generic `sysfs` files. Denials against init normally indicate |
| # a boot-time step that did not happen; hiding them makes a broken boot sequence hard to diagnose. |
| dontaudit init firmware_file:dir mounton; |
| dontaudit init firmware_file:filesystem { getattr mount relabelfrom }; |
| dontaudit init socket_device:sock_file { create setattr unlink }; |
| dontaudit init sysfs:file { open setattr write }; |
| dontaudit init tmpfs:lnk_file create; |
| |
| #============= init-insmod-sh ============== |
| # Kernel-module loader script domain. The rules below silence, among others: |
| #   self:capability sys_module        - use of CAP_SYS_MODULE |
| #   vendor_file:system module_load    - loading a module from a file labelled vendor_file |
| #   self:process execmem              - mapping memory as both writable and executable |
| # NOTE(review): module loading and execmem are high-value detection signals. Do not blanket-silence |
| # them; either grant the narrow access the script needs or leave the denial audited. Also confirm |
| # why a shell script domain triggers execmem at all. |
| dontaudit init-insmod-sh debugfs_ipc:dir search; |
| dontaudit init-insmod-sh init:unix_stream_socket connectto; |
| dontaudit init-insmod-sh proc_modules:file { getattr open read }; |
| dontaudit init-insmod-sh property_socket:sock_file write; |
| dontaudit init-insmod-sh self:capability sys_module; |
| dontaudit init-insmod-sh self:process execmem; |
| dontaudit init-insmod-sh sysfs_msm_boot:file { open write }; |
| dontaudit init-insmod-sh vendor_device_prop:property_service set; |
| dontaudit init-insmod-sh vendor_file:system module_load; |
| dontaudit init-insmod-sh vendor_toolbox_exec:file execute_no_trans; |
| |
| #============= init_radio ============== |
| # execute_no_trans = run the target binary inside the caller's own domain (no domain transition). |
| dontaudit init_radio vendor_radio_data_file:dir { add_name create getattr open read remove_name rmdir search setattr write }; |
| dontaudit init_radio vendor_radio_data_file:file { getattr open setattr write }; |
| dontaudit init_radio vendor_toolbox_exec:file execute_no_trans; |
| |
| #============= irsc_util ============== |
| # kernel:system module_request is the check made when a process's action causes the kernel to try |
| # to auto-load a module. It recurs for netd, netmgrd and vendor_init in this listing. |
| dontaudit irsc_util kernel:system module_request; |
| dontaudit irsc_util self:socket create; |
| |
| #============= kernel ============== |
| dontaudit kernel debugfs_ipc:dir search; |
| dontaudit kernel self:qipcrtr_socket create; |
| |
| #============= location ============== |
| # NOTE(review): this silences a setgid capability denial and read/write/ioctl on diag_device (the |
| # diagnostic interface node) for the location daemon. Capability and diag-device denials are |
| # the kind of event worth keeping in the log - confirm each is expected noise on this build. |
| dontaudit location diag_device:chr_file { ioctl open read write }; |
| dontaudit location location_data_file:dir getattr; |
| dontaudit location location_data_file:file lock; |
| dontaudit location location_exec:file execute_no_trans; |
| dontaudit location location_socket:dir { add_name search write }; |
| dontaudit location location_socket:sock_file { create write }; |
| dontaudit location self:capability setgid; |
| dontaudit location self:netlink_route_socket { bind create read }; |
| dontaudit location self:qipcrtr_socket { create read }; |
| dontaudit location self:udp_socket { create ioctl }; |
| dontaudit location sysfs:file { open read }; |
| dontaudit location sysfs_msm_subsys:dir { open read search }; |
| dontaudit location sysfs_msm_subsys:file { open read }; |
| dontaudit location sysfs_soc:dir search; |
| dontaudit location sysfs_soc:file { open read }; |
| |
| #============= netd ============== |
| dontaudit netd kernel:system module_request; |
| |
| #============= netmgrd ============== |
| # NOTE(review): net_admin, setpcap and setuid capability denials are silenced for netmgrd, together |
| # with write access to proc_net and the diag device. If netmgrd legitimately needs these, grant |
| # them with scoped allow rules; if it does not, the denials are exactly what an analyst would want |
| # to see after a compromise of this daemon. |
| dontaudit netmgrd diag_device:chr_file { ioctl open read write }; |
| dontaudit netmgrd kernel:system module_request; |
| dontaudit netmgrd proc_net:file { getattr open read write }; |
| dontaudit netmgrd self:capability { net_admin setpcap setuid }; |
| dontaudit netmgrd self:netlink_generic_socket { bind create }; |
| dontaudit netmgrd self:netlink_route_socket { bind create read }; |
| dontaudit netmgrd self:netlink_xfrm_socket { bind create }; |
| dontaudit netmgrd self:qipcrtr_socket read; |
| dontaudit netmgrd self:udp_socket { create ioctl }; |
| dontaudit netmgrd sysfs_msm_subsys:dir search; |
| dontaudit netmgrd sysfs_soc:dir search; |
| dontaudit netmgrd sysfs_soc:file { getattr open read }; |
| |
| #============= pixelstats_vendor ============== |
| dontaudit pixelstats_vendor self:netlink_kobject_uevent_socket { bind create getopt read setopt }; |
| |
| #============= port-bridge ============== |
| dontaudit port-bridge sysfs_msm_subsys:dir search; |
| |
| #============= qlogd ============== |
| # Logging daemon refused the diag device and storage directories, silently. |
| dontaudit qlogd diag_device:chr_file { ioctl open read write }; |
| dontaudit qlogd mnt_user_file:dir search; |
| dontaudit qlogd storage_file:dir search; |
| dontaudit qlogd storage_file:lnk_file read; |
| |
| #============= qrtr ============== |
| dontaudit qrtr self:qipcrtr_socket { bind create getattr read setopt write }; |
| |
| #============= qti_init_shell ============== |
| # NOTE(review): system_prop is a generic property label; a shell-script domain attempting to set it |
| # suggests the property has no specific label in property_contexts - TODO confirm. |
| dontaudit qti_init_shell init:unix_stream_socket connectto; |
| dontaudit qti_init_shell property_socket:sock_file write; |
| dontaudit qti_init_shell system_prop:property_service set; |
| dontaudit qti_init_shell vendor_toolbox_exec:file execute_no_trans; |
| |
| #============= ramdump ============== |
| # NOTE(review): includes read/write on the generic block_device label. Raw block-device access by |
| # a dump tool is sensitive; if it is required, label the target partition and allow that type only, |
| # and keep any other block-device denial audited. |
| dontaudit ramdump block_device:blk_file { getattr open read write }; |
| dontaudit ramdump block_device:dir search; |
| dontaudit ramdump gsi_metadata_file:dir search; |
| dontaudit ramdump init:unix_stream_socket connectto; |
| dontaudit ramdump metadata_file:dir search; |
| dontaudit ramdump proc_cmdline:file { getattr open read }; |
| dontaudit ramdump property_socket:sock_file write; |
| dontaudit ramdump public_vendor_default_prop:file { getattr map open read }; |
| dontaudit ramdump ramdump_vendor_data_file:dir { remove_name search write }; |
| dontaudit ramdump ramdump_vendor_data_file:file { getattr open read unlink write }; |
| dontaudit ramdump sysfs_dt_firmware_android:dir { open read search }; |
| dontaudit ramdump sysfs_dt_firmware_android:file { getattr open read }; |
| dontaudit ramdump vendor_ramdump_prop:file { getattr map open read }; |
| dontaudit ramdump vendor_ramdump_prop:property_service set; |
| |
| #============= rfs_access ============== |
| # Silences chown/setgid/setpcap/setuid capability denials and block_suspend (capability2) for the |
| # remote-filesystem access daemon, plus setattr on its persist directories. |
| # NOTE(review): capability denials should stay audited unless each one is understood - verify. |
| dontaudit rfs_access mnt_vendor_file:dir search; |
| dontaudit rfs_access persist_file:dir search; |
| dontaudit rfs_access persist_rfs_file:dir { open read search setattr }; |
| dontaudit rfs_access persist_rfs_file:file { getattr open read setattr }; |
| dontaudit rfs_access persist_rfs_shared_hlos_file:dir { open read search setattr }; |
| dontaudit rfs_access rfs_tombstone_data_file:dir { search setattr }; |
| dontaudit rfs_access self:capability { chown setgid setpcap setuid }; |
| dontaudit rfs_access self:capability2 block_suspend; |
| dontaudit rfs_access self:qipcrtr_socket { create read }; |
| dontaudit rfs_access sysfs_wake_lock:file { append open }; |
| |
| #============= rild ============== |
| # Radio daemon: socket creation under qmuxd_socket, writes to its data directory, property set and |
| # vendor binder access are all refused and silenced. |
| dontaudit rild qmuxd_socket:dir { add_name search write }; |
| dontaudit rild qmuxd_socket:sock_file create; |
| dontaudit rild self:qipcrtr_socket { create getattr read write }; |
| dontaudit rild vendor_per_mgr:binder { call transfer }; |
| dontaudit rild vendor_radio_data_file:dir { add_name getattr search write }; |
| dontaudit rild vendor_radio_data_file:file create; |
| dontaudit rild vendor_radio_prop:property_service set; |
| dontaudit rild vndbinder_device:chr_file { ioctl map open read write }; |
| dontaudit rild vndservicemanager:binder call; |
| |
| #============= rmt_storage ============== |
| # NOTE(review): raw read/write on the generic block_device label, map/read/write on uio_device, |
| # and setgid/setpcap/setuid capability denials are silenced here. These are sensitive accesses; |
| # label the specific partitions and grant narrowly instead of hiding the denials - confirm. |
| dontaudit rmt_storage block_device:blk_file { open read write }; |
| dontaudit rmt_storage block_device:dir search; |
| dontaudit rmt_storage kmsg_device:chr_file { open write }; |
| dontaudit rmt_storage self:capability { setgid setpcap setuid }; |
| dontaudit rmt_storage self:qipcrtr_socket { create getattr read write }; |
| dontaudit rmt_storage sysfs:file { open read }; |
| dontaudit rmt_storage sysfs_msm_subsys:dir { open read search }; |
| dontaudit rmt_storage sysfs_msm_subsys:file { open read }; |
| dontaudit rmt_storage sysfs_rmtfs:dir search; |
| dontaudit rmt_storage sysfs_rmtfs:file { getattr open read }; |
| dontaudit rmt_storage sysfs_uio:dir { open read search }; |
| dontaudit rmt_storage sysfs_wake_lock:file { append open }; |
| dontaudit rmt_storage uio_device:chr_file { map open read write }; |
| |
| #============= sensors ============== |
| dontaudit sensors diag_device:chr_file { ioctl open read write }; |
| dontaudit sensors mnt_vendor_file:dir search; |
| dontaudit sensors persist_file:dir search; |
| dontaudit sensors self:qipcrtr_socket create; |
| dontaudit sensors sensors_persist_file:dir search; |
| dontaudit sensors sysfs:file { open read }; |
| dontaudit sensors sysfs_msm_subsys:dir { open read search }; |
| dontaudit sensors sysfs_msm_subsys:file { open read }; |
| |
| #============= surfaceflinger ============== |
| # NOTE(review): the last rule silences surfaceflinger mapping/executing a file labelled with the |
| # generic vendor_file type. Code-execution denials from a system process are a useful signal; |
| # presumably this is a vendor library load - confirm which file and label it specifically. |
| dontaudit surfaceflinger sysfs:file { getattr open read }; |
| dontaudit surfaceflinger vendor_display_prop:file { getattr map open read }; |
| dontaudit surfaceflinger vendor_file:file { execute getattr map open read }; |
| |
| #============= tee ============== |
| # TEE daemon: refused generic block_device read/write, the SCSI generic device (sg_device), the |
| # persist DRM directory, chown/setgid/setuid capabilities and a property set - all unlogged. |
| # NOTE(review): if no allow rules elsewhere cover these, secure-storage operations served by this |
| # daemon will fail silently; if they are covered, these dontaudit lines are redundant. Verify. |
| dontaudit tee block_device:blk_file { open read write }; |
| dontaudit tee block_device:dir { getattr search }; |
| dontaudit tee device:dir { open read }; |
| dontaudit tee init:unix_stream_socket connectto; |
| dontaudit tee mnt_vendor_file:dir search; |
| dontaudit tee persist_drm_file:dir { open read }; |
| dontaudit tee persist_file:dir search; |
| dontaudit tee persist_file:lnk_file read; |
| dontaudit tee property_socket:sock_file write; |
| dontaudit tee self:capability { chown setgid setuid }; |
| dontaudit tee sg_device:chr_file { ioctl open read setattr write }; |
| dontaudit tee sysfs_wake_lock:file append; |
| dontaudit tee vendor_tee_listener_prop:property_service set; |
| dontaudit tee vndbinder_device:chr_file { ioctl map open read write }; |
| |
| #============= thermal-engine ============== |
| # Includes `write` on the generic sysfs label; a dontaudit on a generic label also hides any later |
| # unrelated sysfs write attempt from this domain. |
| dontaudit thermal-engine self:netlink_kobject_uevent_socket { bind create read setopt }; |
| dontaudit thermal-engine self:qipcrtr_socket { create getattr read write }; |
| dontaudit thermal-engine sysfs:dir { open read }; |
| dontaudit thermal-engine sysfs:file { getattr open read write }; |
| dontaudit thermal-engine sysfs_leds:dir search; |
| dontaudit thermal-engine sysfs_msm_subsys:dir { open read search }; |
| dontaudit thermal-engine sysfs_msm_subsys:file { open read }; |
| dontaudit thermal-engine sysfs_soc:dir search; |
| dontaudit thermal-engine sysfs_soc:file { getattr open read }; |
| |
| #============= time_daemon ============== |
| # Silences sys_time (setting the system clock) and dac_read_search capability denials, and access |
| # to the RTC device. NOTE(review): sys_time is the daemon's apparent core function - if it is |
| # denied, time sync is presumably broken; confirm an allow rule exists elsewhere. |
| dontaudit time_daemon rtc_device:chr_file { ioctl open read }; |
| dontaudit time_daemon self:capability { dac_read_search sys_time }; |
| dontaudit time_daemon self:qipcrtr_socket { create getattr read setopt write }; |
| dontaudit time_daemon sysfs:file { open read }; |
| dontaudit time_daemon sysfs_msm_subsys:dir { open read search }; |
| dontaudit time_daemon sysfs_msm_subsys:file { open read }; |
| dontaudit time_daemon sysfs_soc:dir search; |
| dontaudit time_daemon sysfs_soc:file { getattr open read }; |
| dontaudit time_daemon time_data_file:dir search; |
| |
| #============= usbd ============== |
| dontaudit usbd hal_usb_impl:binder call; |
| |
| #============= vendor_init ============== |
| # vendor_init is refused setting a range of properties, writing two debugfs files, opening the IPA |
| # device and setattr on system_data_file directories. |
| # NOTE(review): default_prop and system_prop are generic property labels and system_data_file is a |
| # platform-owned type; a vendor init attempting these suggests properties set from vendor .rc |
| # files without a vendor-specific label - TODO confirm. Silencing the denial means the property |
| # simply is not set and nothing records why. |
| dontaudit vendor_init camera_prop:property_service set; |
| dontaudit vendor_init cnd_vendor_prop:property_service set; |
| dontaudit vendor_init debugfs_clk:file write; |
| dontaudit vendor_init debugfs_sched_features:file write; |
| dontaudit vendor_init default_prop:property_service set; |
| dontaudit vendor_init ipa_dev:chr_file { open write }; |
| dontaudit vendor_init kernel:system module_request; |
| dontaudit vendor_init logpersistd_logging_prop:property_service set; |
| dontaudit vendor_init public_vendor_default_prop:file { getattr map open read }; |
| dontaudit vendor_init radio_prop:property_service set; |
| dontaudit vendor_init system_data_file:dir setattr; |
| dontaudit vendor_init system_prop:property_service set; |
| dontaudit vendor_init vendor_audio_prop:property_service set; |
| dontaudit vendor_init vendor_bluetooth_prop:property_service set; |
| dontaudit vendor_init vendor_build_type_prop:property_service set; |
| dontaudit vendor_init vendor_disable_spu_prop:property_service set; |
| dontaudit vendor_init vendor_modem_diag_prop:file { getattr map open read }; |
| dontaudit vendor_init vendor_modem_diag_prop:property_service set; |
| dontaudit vendor_init vendor_radio_prop:property_service set; |
| dontaudit vendor_init vendor_ssr_prop:property_service set; |
| dontaudit vendor_init vendor_thermal_prop:property_service set; |
| |
| #============= vendor_pd_mapper ============== |
| dontaudit vendor_pd_mapper self:qipcrtr_socket read; |
| dontaudit vendor_pd_mapper sysfs_msm_subsys:dir search; |
| |
| #============= vendor_per_mgr ============== |
| # Peripheral manager: refused the modem SSR device, the vendor binder device and service manager, |
| # and the property-set path, without logging. |
| dontaudit vendor_per_mgr init:unix_stream_socket connectto; |
| dontaudit vendor_per_mgr modem_ssr_device:chr_file { open read }; |
| dontaudit vendor_per_mgr property_socket:sock_file write; |
| dontaudit vendor_per_mgr self:binder { call transfer }; |
| dontaudit vendor_per_mgr self:qipcrtr_socket { create getattr read write }; |
| dontaudit vendor_per_mgr sysfs:file { open read }; |
| dontaudit vendor_per_mgr sysfs_msm_subsys:dir { open read search }; |
| dontaudit vendor_per_mgr sysfs_msm_subsys:file { open read }; |
| dontaudit vendor_per_mgr vendor_per_mgr_state_prop:property_service set; |
| dontaudit vendor_per_mgr vndbinder_device:chr_file { ioctl map open read write }; |
| dontaudit vendor_per_mgr vndservicemanager:binder { call transfer }; |
| |
| #============= vendor_ssr_setup ============== |
| # Includes `write` on both the generic sysfs label and sysfs_msm_subsys. |
| dontaudit vendor_ssr_setup sysfs:file { open read write }; |
| dontaudit vendor_ssr_setup sysfs_msm_subsys:dir { open read search }; |
| dontaudit vendor_ssr_setup sysfs_msm_subsys:file { open read write }; |
| dontaudit vendor_ssr_setup vendor_ssr_prop:file { getattr map open read }; |
| |
| #============= vendor_subsystem_ramdump ============== |
| # NOTE(review): a ramdump collector that is silently refused its dump device, its output directory |
| # and its log file produces no dumps and no explanation. If dumps are wanted, grant these with |
| # allow rules; if not, presumably the service should be disabled rather than muted - confirm. |
| dontaudit vendor_subsystem_ramdump device:dir { open read }; |
| dontaudit vendor_subsystem_ramdump init:unix_stream_socket connectto; |
| dontaudit vendor_subsystem_ramdump property_socket:sock_file write; |
| dontaudit vendor_subsystem_ramdump ramdump_device:chr_file { open read }; |
| dontaudit vendor_subsystem_ramdump ramdump_vendor_data_file:dir { add_name getattr open read remove_name search write }; |
| dontaudit vendor_subsystem_ramdump ramdump_vendor_data_file:file { create getattr open unlink write }; |
| dontaudit vendor_subsystem_ramdump ssr_log_file:dir search; |
| dontaudit vendor_subsystem_ramdump ssr_log_file:file { append getattr open }; |
| dontaudit vendor_subsystem_ramdump sysfs:file { open read }; |
| dontaudit vendor_subsystem_ramdump sysfs_msm_subsys:dir { open read search }; |
| dontaudit vendor_subsystem_ramdump sysfs_msm_subsys:file { open read }; |
| dontaudit vendor_subsystem_ramdump vendor_ssr_prop:property_service set; |
| |
| #============= vold ============== |
| dontaudit vold public_vendor_default_prop:file { getattr map open read }; |
| |
| #============= wcnss_service ============== |
| dontaudit wcnss_service self:netlink_route_socket read; |
| dontaudit wcnss_service self:qipcrtr_socket read; |
| dontaudit wcnss_service self:udp_socket { create ioctl }; |
| dontaudit wcnss_service sysfs_msm_subsys:dir { open read search }; |
| dontaudit wcnss_service vndbinder_device:chr_file ioctl; |
| |
| #============= zygote ============== |
| # zygote is the parent of app processes; it is refused reading vendor_display_prop here. |
| dontaudit zygote vendor_display_prop:file { getattr map open read }; |
| |
| |
| # NOTE(review): from this header on, the listing repeats rules that already appear earlier on the |
| # page (same domains, same order). In the four sections below the only additions are the two |
| # `hwservice_manager add` rules under cnd. It looks like a second audit2allow run pasted after the |
| # first - presumably harmless to the policy compiler, but de-duplicate so reviewers see each rule once. |
| #============= adsprpcd ============== |
| dontaudit adsprpcd mnt_vendor_file:dir read; |
| dontaudit adsprpcd qdsp_device:chr_file ioctl; |
| dontaudit adsprpcd sensors_persist_file:dir search; |
| dontaudit adsprpcd sensors_persist_file:file { getattr read }; |
| |
| #============= cnd ============== |
| dontaudit cnd cnd_data_file:file lock; |
| # `hwservice_manager add` is the permission to register a HAL service under that type. cnd is |
| # refused registering both types below, silently; a service that fails to register is not reachable |
| # by its clients - confirm whether cnd is meant to provide these. |
| dontaudit cnd hal_datafactory_hwservice:hwservice_manager add; |
| dontaudit cnd hidl_base_hwservice:hwservice_manager add; |
| dontaudit cnd self:qipcrtr_socket read; |
| |
| #============= crash_dump ============== |
| dontaudit crash_dump qcom_ims_prop:file { getattr map open }; |
| |
| #============= firmware_file ============== |
| # Source is a file type, not a domain: a filesystem `associate` check, i.e. a labelling issue. |
| dontaudit firmware_file self:filesystem associate; |
| |
| #============= flags_health_check ============== |
| dontaudit flags_health_check apexd_prop:file { getattr map open }; |
| dontaudit flags_health_check bluetooth_a2dp_offload_prop:file { getattr map open }; |
| dontaudit flags_health_check bluetooth_audio_hal_prop:file { getattr map open }; |
| dontaudit flags_health_check bluetooth_prop:file { getattr map open }; |
| dontaudit flags_health_check bootloader_boot_reason_prop:file { getattr map open }; |
| dontaudit flags_health_check boottime_prop:file { getattr map open }; |
| dontaudit flags_health_check bpf_progs_loaded_prop:file { getattr map open }; |
| dontaudit flags_health_check camera_prop:file { getattr map open }; |
| dontaudit flags_health_check camera_ro_prop:file { getattr map open }; |
| dontaudit flags_health_check cnd_vendor_prop:file { getattr map open }; |
| dontaudit flags_health_check cpu_variant_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_adbd_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_bootanim_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_bugreport_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_console_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_default_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_dumpstate_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_fuse_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_gsid_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_interface_restart_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_interface_start_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_interface_stop_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_mdnsd_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_restart_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_rildaemon_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_sigstop_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_start_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_stop_prop:file { getattr map open }; |
| dontaudit flags_health_check ctl_vendor_rmt_storage_prop:file { getattr map open }; |
| dontaudit flags_health_check device_logging_prop:file { getattr map open }; |
| dontaudit flags_health_check dumpstate_options_prop:file { getattr map open }; |
| dontaudit flags_health_check dynamic_system_prop:file { getattr map open }; |
| dontaudit flags_health_check ecoservice_prop:file { getattr map open }; |
| dontaudit flags_health_check exported_audio_prop:file { getattr map open }; |
| dontaudit flags_health_check exported_bluetooth_prop:file { getattr map open }; |
| dontaudit flags_health_check exported_overlay_prop:file { getattr map open }; |
| dontaudit flags_health_check exported_wifi_prop:file { getattr map open }; |
| dontaudit flags_health_check factory_ota_prop:file { getattr map open }; |
| dontaudit flags_health_check firstboot_prop:file { getattr map open }; |
| dontaudit flags_health_check gsid_prop:file { getattr map open }; |
| dontaudit flags_health_check heapprofd_enabled_prop:file { getattr map open }; |
| dontaudit flags_health_check hwservicemanager_prop:file { getattr map open }; |
| dontaudit flags_health_check last_boot_reason_prop:file { getattr map open }; |
| dontaudit flags_health_check llkd_prop:file { getattr map open }; |
| dontaudit flags_health_check logpersistd_logging_prop:file { getattr map open }; |
| dontaudit flags_health_check lowpan_prop:file { getattr map open }; |
| dontaudit flags_health_check lpdumpd_prop:file { getattr map open }; |
| dontaudit flags_health_check mmc_prop:file { getattr map open }; |
| dontaudit flags_health_check net_dns_prop:file { getattr map open }; |
| dontaudit flags_health_check netd_stable_secret_prop:file { getattr map open }; |
| dontaudit flags_health_check nnapi_ext_deny_product_prop:file { getattr map open }; |
| dontaudit flags_health_check overlay_prop:file { getattr map open }; |
| dontaudit flags_health_check persistent_properties_ready_prop:file { getattr map open }; |
| dontaudit flags_health_check power_prop:file { getattr map open }; |
| dontaudit flags_health_check public_vendor_default_prop:file { getattr map open }; |
| dontaudit flags_health_check public_vendor_system_prop:file { getattr map open }; |
| dontaudit flags_health_check qcom_ims_prop:file { getattr map open }; |
| dontaudit flags_health_check safemode_prop:file { getattr map open }; |
| dontaudit flags_health_check serialno_prop:file { getattr map open }; |
| dontaudit flags_health_check spcomlib_prop:file { getattr map open }; |
| dontaudit flags_health_check system_boot_reason_prop:file { getattr map open }; |
| |
| # NOTE(review): every rule in this listing is a dontaudit. A dontaudit grants no access; it |
| # only stops the matching avc denial from being logged. The "#==== domain ====" headers match |
| # audit2allow's output layout, so this looks generated from a denial log - TODO confirm. |
| #============= fsck ============== |
| # NOTE(review): the target is the generic block_device type and write is requested, which |
| # suggests the partition node fsck touches has no specific label. Presumably the node should |
| # be labelled in file_contexts rather than the denial hidden - verify. |
| dontaudit fsck block_device:blk_file { ioctl open read write }; |
| |
| #============= gatekeeperd ============== |
| # NOTE(review): this silences the gatekeeperd -> gatekeeper HAL binder call. If the domain |
| # is enforcing, the call is still refused, just without a log line - confirm this is intended. |
| dontaudit gatekeeperd hal_gatekeeper_qti:binder call; |
| |
| #============= hal_bluetooth_default ============== |
| dontaudit hal_bluetooth_default hal_bluetooth_sar_hwservice:hwservice_manager { add find }; |
| dontaudit hal_bluetooth_default self:qipcrtr_socket create; |
| |
| #============= hal_bootctl_default ============== |
| # NOTE(review): covers read/write/ioctl on gpt_block_device plus lookups on the generic |
| # block_device type. Hiding write denials on partition-table nodes removes the only record |
| # that the access was attempted. |
| dontaudit hal_bootctl_default block_device:blk_file getattr; |
| dontaudit hal_bootctl_default block_device:dir { open read search }; |
| dontaudit hal_bootctl_default gpt_block_device:blk_file { ioctl open read write }; |
| |
| #============= hal_camera_default ============== |
| dontaudit hal_camera_default vndbinder_device:chr_file { ioctl map open read write }; |
| |
| #============= hal_drm_clearkey ============== |
| # The four rules below (hwservice add, hidl_base add, hwservicemanager binder, reading |
| # hwservicemanager_prop) recur for many HAL domains in this listing. |
| dontaudit hal_drm_clearkey hal_drm_hwservice:hwservice_manager add; |
| dontaudit hal_drm_clearkey hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_drm_clearkey hwservicemanager:binder { call transfer }; |
| dontaudit hal_drm_clearkey hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_drm_widevine ============== |
| dontaudit hal_drm_widevine hal_drm_hwservice:hwservice_manager add; |
| dontaudit hal_drm_widevine hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_drm_widevine hwservicemanager:binder { call transfer }; |
| dontaudit hal_drm_widevine hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_gatekeeper_qti ============== |
| # NOTE(review): besides service registration, this hides denials on tee_device and |
| # ion_device for the gatekeeper HAL. For a credential-verification path, a silenced denial |
| # is hard to diagnose and leaves no audit trail; an explicit, reviewed allow (or a justified |
| # deny that stays audited) would be easier to reason about - confirm intent. |
| dontaudit hal_gatekeeper_qti hal_gatekeeper_hwservice:hwservice_manager { add find }; |
| dontaudit hal_gatekeeper_qti hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_gatekeeper_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_gatekeeper_qti hwservicemanager_prop:file { getattr map open read }; |
| dontaudit hal_gatekeeper_qti ion_device:chr_file { ioctl open read }; |
| dontaudit hal_gatekeeper_qti tee_device:chr_file { ioctl open read write }; |
| dontaudit hal_gatekeeper_qti vendor_tee_listener_prop:file { getattr map open read }; |
| |
| # NOTE(review): dontaudit rules grant nothing; they only suppress the avc denial log for the |
| # listed source/target/class/permission sets. Anything hidden here is still denied when the |
| # source domain is enforcing. |
| #============= hal_gnss_qti ============== |
| dontaudit hal_gnss_qti hal_gnss_hwservice:hwservice_manager { add find }; |
| dontaudit hal_gnss_qti hal_health_default:binder { call transfer }; |
| dontaudit hal_gnss_qti hal_health_hwservice:hwservice_manager find; |
| dontaudit hal_gnss_qti hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_gnss_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_gnss_qti hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_graphics_composer_default ============== |
| dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl map open read write }; |
| |
| #============= hal_health_default ============== |
| # NOTE(review): the second rule targets the generic sysfs type; presumably the node read |
| # here lacks a specific sysfs label - verify against genfs_contexts. |
| dontaudit hal_health_default hal_gnss_qti:binder call; |
| dontaudit hal_health_default sysfs:file { getattr open read }; |
| |
| #============= hal_iop_default ============== |
| dontaudit hal_iop_default default_android_hwservice:hwservice_manager find; |
| dontaudit hal_iop_default hwservicemanager:binder call; |
| dontaudit hal_iop_default hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_keymaster_qti ============== |
| # NOTE(review): hides denials for the keymaster HAL registering its service and for its |
| # access to tee_device / ion_device and the vendor security-patch-level property. These are |
| # security-critical paths; silencing them removes the signal that key operations are being |
| # blocked (or probed). Confirm whether this domain is meant to be denied at all. |
| dontaudit hal_keymaster_qti hal_keymaster_hwservice:hwservice_manager add; |
| dontaudit hal_keymaster_qti hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_keymaster_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_keymaster_qti hwservicemanager_prop:file { getattr map open read }; |
| dontaudit hal_keymaster_qti ion_device:chr_file { ioctl open read }; |
| dontaudit hal_keymaster_qti tee_device:chr_file { ioctl open read write }; |
| dontaudit hal_keymaster_qti vendor_security_patch_level_prop:file { getattr map open read }; |
| dontaudit hal_keymaster_qti vendor_tee_listener_prop:file { getattr map open read }; |
| |
| #============= hal_light_default ============== |
| dontaudit hal_light_default sysfs_msm_subsys:dir search; |
| |
| #============= hal_mirrorlink_qti ============== |
| # NOTE(review): the service-add target is default_android_hwservice, i.e. the HAL interface |
| # has no dedicated hwservice type - presumably missing from hwservice_contexts; verify. |
| dontaudit hal_mirrorlink_qti default_android_hwservice:hwservice_manager add; |
| dontaudit hal_mirrorlink_qti hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_mirrorlink_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_mirrorlink_qti hwservicemanager_prop:file { getattr map open read }; |
| dontaudit hal_mirrorlink_qti vndbinder_device:chr_file { ioctl map open read write }; |
| |
| #============= hal_neuralnetworks_default ============== |
| dontaudit hal_neuralnetworks_default hal_neuralnetworks_hwservice:hwservice_manager add; |
| dontaudit hal_neuralnetworks_default hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_neuralnetworks_default hwservicemanager:binder { call transfer }; |
| dontaudit hal_neuralnetworks_default hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_nfc_default ============== |
| dontaudit hal_nfc_default vendor_modem_prop:file { getattr map open read }; |
| |
| #============= hal_perf_default ============== |
| # NOTE(review): same default_android_hwservice target as hal_mirrorlink_qti above, and the |
| # last rule reads the generic proc type rather than a specific proc_* label. |
| dontaudit hal_perf_default default_android_hwservice:hwservice_manager add; |
| dontaudit hal_perf_default hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_perf_default hwservicemanager:binder { call transfer }; |
| dontaudit hal_perf_default hwservicemanager_prop:file { getattr map open read }; |
| dontaudit hal_perf_default proc:file { open read }; |
| |
| #============= hal_power_default ============== |
| dontaudit hal_power_default power_prop:file { getattr map open read }; |
| |
| #============= hal_power_stats_default ============== |
| dontaudit hal_power_stats_default power_stats_service:service_manager add; |
| dontaudit hal_power_stats_default vndbinder_device:chr_file { ioctl map open read write }; |
| dontaudit hal_power_stats_default vndservicemanager:binder { call transfer }; |
| |
| #============= hal_qteeconnector_qti ============== |
| dontaudit hal_qteeconnector_qti hal_qteeconnector_hwservice:hwservice_manager { add find }; |
| dontaudit hal_qteeconnector_qti hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_qteeconnector_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_qteeconnector_qti hwservicemanager_prop:file { getattr map open read }; |
| |
| # NOTE(review): dontaudit suppresses the denial log only; none of the rules below grant |
| # access. Where the operation is actually needed, the daemon fails silently instead. |
| #============= hal_rcsservice ============== |
| # NOTE(review): init:unix_stream_socket connectto plus property_socket:sock_file write is |
| # the pair a property-set attempt produces. Which property is being set is not visible |
| # here - presumably it needs a typed property and a set_prop rule; verify. |
| dontaudit hal_rcsservice init:unix_stream_socket connectto; |
| dontaudit hal_rcsservice property_socket:sock_file write; |
| dontaudit hal_rcsservice qcom_ims_prop:file { getattr map open read }; |
| |
| #============= hal_sensors_default ============== |
| dontaudit hal_sensors_default mnt_vendor_file:dir search; |
| dontaudit hal_sensors_default persist_file:dir search; |
| dontaudit hal_sensors_default self:qipcrtr_socket { create getattr read setopt write }; |
| dontaudit hal_sensors_default sensors_persist_file:dir search; |
| dontaudit hal_sensors_default sensors_persist_file:file { getattr open read }; |
| dontaudit hal_sensors_default sysfs:file { open read }; |
| dontaudit hal_sensors_default sysfs_msm_subsys:dir { open read search }; |
| dontaudit hal_sensors_default sysfs_msm_subsys:file { open read }; |
| |
| #============= hal_sensorscalibrate_qti_default ============== |
| dontaudit hal_sensorscalibrate_qti_default hal_sensorscalibrate_qti_hwservice:hwservice_manager { add find }; |
| dontaudit hal_sensorscalibrate_qti_default hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_sensorscalibrate_qti_default hwservicemanager:binder { call transfer }; |
| dontaudit hal_sensorscalibrate_qti_default hwservicemanager_prop:file { getattr map open read }; |
| dontaudit hal_sensorscalibrate_qti_default self:qipcrtr_socket create; |
| dontaudit hal_sensorscalibrate_qti_default sysfs:file { open read }; |
| dontaudit hal_sensorscalibrate_qti_default sysfs_msm_subsys:dir { open read search }; |
| dontaudit hal_sensorscalibrate_qti_default sysfs_msm_subsys:file { open read }; |
| |
| #============= hal_tetheroffload_default ============== |
| # NOTE(review): hides denials on the ipa_dev device node, on creating files under |
| # ipa_vendor_data_file, and on netlink_route / udp sockets - i.e. the network-facing |
| # surface of this HAL. Review each as a candidate allow rather than suppressing in bulk. |
| dontaudit hal_tetheroffload_default ipa_dev:chr_file { ioctl open read write }; |
| dontaudit hal_tetheroffload_default ipa_vendor_data_file:dir { add_name search write }; |
| dontaudit hal_tetheroffload_default ipa_vendor_data_file:file { create lock open read write }; |
| dontaudit hal_tetheroffload_default self:netlink_route_socket { bind create getopt read setopt }; |
| dontaudit hal_tetheroffload_default self:udp_socket { create ioctl }; |
| |
| #============= hal_thermal_default ============== |
| dontaudit hal_thermal_default self:netlink_kobject_uevent_socket { bind create getopt read setopt }; |
| dontaudit hal_thermal_default sysfs:dir { open read }; |
| dontaudit hal_thermal_default sysfs:file { getattr open read }; |
| dontaudit hal_thermal_default vendor_thermal_prop:file { getattr map open read }; |
| |
| #============= hal_tui_comm_qti ============== |
| dontaudit hal_tui_comm_qti hal_tui_comm_hwservice:hwservice_manager add; |
| dontaudit hal_tui_comm_qti hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_tui_comm_qti hwservicemanager:binder { call transfer }; |
| dontaudit hal_tui_comm_qti hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_usb_impl ============== |
| # NOTE(review): the configfs rules cover creating, writing and unlinking entries, which is |
| # the write surface for USB gadget configuration. With the denial silenced, an unexpected |
| # domain state or a failed reconfiguration leaves nothing in the log. |
| dontaudit hal_usb_impl configfs:dir { add_name open read remove_name search write }; |
| dontaudit hal_usb_impl configfs:file { create open unlink write }; |
| dontaudit hal_usb_impl configfs:lnk_file read; |
| dontaudit hal_usb_impl functionfs:dir search; |
| dontaudit hal_usb_impl functionfs:file read; |
| dontaudit hal_usb_impl hal_usb_gadget_hwservice:hwservice_manager add; |
| dontaudit hal_usb_impl hal_usb_hwservice:hwservice_manager add; |
| dontaudit hal_usb_impl hidl_base_hwservice:hwservice_manager add; |
| dontaudit hal_usb_impl hwservicemanager:binder { call transfer }; |
| dontaudit hal_usb_impl hwservicemanager_prop:file { getattr map open read }; |
| |
| #============= hal_vibrator_default ============== |
| # NOTE(review): write is requested on the generic sysfs type; presumably the vibrator |
| # node needs its own label - verify. |
| dontaudit hal_vibrator_default mnt_vendor_file:dir search; |
| dontaudit hal_vibrator_default persist_file:dir search; |
| dontaudit hal_vibrator_default persist_haptics_file:dir search; |
| dontaudit hal_vibrator_default sysfs:file { getattr open read write }; |
| dontaudit hal_vibrator_default sysfs_leds:dir search; |
| # NOTE(review): dontaudit rules only suppress avc denial logging; they do not grant the |
| # permission. Several sections below cover privileged operations, flagged individually. |
| #============= hwservicemanager ============== |
| dontaudit hwservicemanager hal_gnss_qti:binder transfer; |
| dontaudit hwservicemanager pixelstats_vendor:binder transfer; |
| |
| #============= ims ============== |
| dontaudit ims init:unix_stream_socket connectto; |
| dontaudit ims property_socket:sock_file write; |
| dontaudit ims self:qipcrtr_socket read; |
| dontaudit ims sysfs_soc:dir search; |
| dontaudit ims sysfs_soc:file { getattr open read }; |
| |
| #============= init ============== |
| # NOTE(review): these hide init's denials for mounting/relabelling the firmware_file |
| # filesystem, creating sockets under socket_device, writing generic sysfs files and creating |
| # a tmpfs symlink. Denials on init usually point at a missing label or an init.rc action that |
| # needs review; suppressing them makes later boot regressions invisible. |
| dontaudit init firmware_file:dir mounton; |
| dontaudit init firmware_file:filesystem { getattr mount relabelfrom }; |
| dontaudit init socket_device:sock_file { create setattr unlink }; |
| dontaudit init sysfs:file { open setattr write }; |
| dontaudit init tmpfs:lnk_file create; |
| |
| #============= init-insmod-sh ============== |
| # NOTE(review): this section silences capability sys_module, system module_load from |
| # vendor_file, and process execmem. Kernel-module loading and executable anonymous memory |
| # are exactly the events an audit log should retain; if the script legitimately loads |
| # modules it needs scoped allow rules, and execmem in particular deserves a justification. |
| dontaudit init-insmod-sh debugfs_ipc:dir search; |
| dontaudit init-insmod-sh init:unix_stream_socket connectto; |
| dontaudit init-insmod-sh proc_modules:file { getattr open read }; |
| dontaudit init-insmod-sh property_socket:sock_file write; |
| dontaudit init-insmod-sh self:capability sys_module; |
| dontaudit init-insmod-sh self:process execmem; |
| dontaudit init-insmod-sh sysfs_msm_boot:file { open write }; |
| dontaudit init-insmod-sh vendor_file:system module_load; |
| dontaudit init-insmod-sh vendor_toolbox_exec:file execute_no_trans; |
| |
| #============= init_radio ============== |
| dontaudit init_radio vendor_radio_data_file:dir { add_name create getattr open read remove_name rmdir search setattr write }; |
| dontaudit init_radio vendor_radio_data_file:file { getattr open setattr write }; |
| dontaudit init_radio vendor_toolbox_exec:file execute_no_trans; |
| |
| #============= irsc_util ============== |
| # NOTE(review): module_request is checked when a process causes the kernel to request a |
| # module autoload; paired with self:socket create this looks like a socket family that is |
| # not built in - presumably; verify against the kernel config. |
| dontaudit irsc_util kernel:system module_request; |
| dontaudit irsc_util self:socket create; |
| |
| #============= kernel ============== |
| dontaudit kernel debugfs_ipc:dir search; |
| dontaudit kernel self:qipcrtr_socket create; |
| |
| #============= location ============== |
| # NOTE(review): includes diag_device read/write/ioctl, capability setgid and |
| # execute_no_trans on location_exec. diag_device is a diagnostic interface that vendor |
| # policy typically limits to debug builds - TODO confirm this file is not shipped in user |
| # builds with these suppressions in place. |
| dontaudit location diag_device:chr_file { ioctl open read write }; |
| dontaudit location location_data_file:dir getattr; |
| dontaudit location location_data_file:file lock; |
| dontaudit location location_exec:file execute_no_trans; |
| dontaudit location location_socket:dir { add_name search write }; |
| dontaudit location location_socket:sock_file { create write }; |
| dontaudit location self:capability setgid; |
| dontaudit location self:netlink_route_socket { bind create read }; |
| dontaudit location self:qipcrtr_socket { create read }; |
| dontaudit location self:udp_socket { create ioctl }; |
| dontaudit location sysfs:file { open read }; |
| dontaudit location sysfs_msm_subsys:dir { open read search }; |
| dontaudit location sysfs_msm_subsys:file { open read }; |
| dontaudit location sysfs_soc:dir search; |
| dontaudit location sysfs_soc:file { open read }; |
| |
| # NOTE(review): all rules here are dontaudit - they hide the denial from the audit log and |
| # grant nothing. Capability and raw-device suppressions are called out per section. |
| #============= netd ============== |
| dontaudit netd kernel:system module_request; |
| |
| #============= netmgrd ============== |
| # NOTE(review): silences capability { net_admin setpcap setuid }, write on proc_net, |
| # netlink route/xfrm/generic sockets and diag_device. A network manager plausibly needs |
| # some of these, in which case they belong in reviewed allow rules; the ones it should not |
| # have are better left audited so attempts remain visible. |
| dontaudit netmgrd diag_device:chr_file { ioctl open read write }; |
| dontaudit netmgrd kernel:system module_request; |
| dontaudit netmgrd proc_net:file { getattr open read write }; |
| dontaudit netmgrd self:capability { net_admin setpcap setuid }; |
| dontaudit netmgrd self:netlink_generic_socket { bind create }; |
| dontaudit netmgrd self:netlink_route_socket { bind create read }; |
| dontaudit netmgrd self:netlink_xfrm_socket { bind create }; |
| dontaudit netmgrd self:qipcrtr_socket read; |
| dontaudit netmgrd self:udp_socket { create ioctl }; |
| dontaudit netmgrd sysfs_msm_subsys:dir search; |
| dontaudit netmgrd sysfs_soc:dir search; |
| dontaudit netmgrd sysfs_soc:file { getattr open read }; |
| |
| #============= pixelstats_vendor ============== |
| dontaudit pixelstats_vendor fwk_stats_hwservice:hwservice_manager find; |
| dontaudit pixelstats_vendor self:netlink_kobject_uevent_socket { bind create getopt read setopt }; |
| |
| #============= port-bridge ============== |
| dontaudit port-bridge sysfs_msm_subsys:dir search; |
| |
| #============= qlogd ============== |
| # NOTE(review): diag_device access together with lookups under storage_file / |
| # mnt_user_file; presumably a logging daemon writing to shared storage - confirm it is |
| # restricted to debug builds. |
| dontaudit qlogd diag_device:chr_file { ioctl open read write }; |
| dontaudit qlogd mnt_user_file:dir search; |
| dontaudit qlogd storage_file:dir search; |
| dontaudit qlogd storage_file:lnk_file read; |
| |
| #============= qrtr ============== |
| dontaudit qrtr self:qipcrtr_socket { bind create getattr read setopt write }; |
| |
| #============= qti_init_shell ============== |
| dontaudit qti_init_shell init:unix_stream_socket connectto; |
| dontaudit qti_init_shell property_socket:sock_file write; |
| dontaudit qti_init_shell vendor_toolbox_exec:file execute_no_trans; |
| |
| #============= ramdump ============== |
| # NOTE(review): the first rule hides read/write on the generic block_device type, i.e. an |
| # unlabelled raw block node. The rest cover a property-set attempt, metadata lookups and |
| # deleting files under ramdump_vendor_data_file. |
| dontaudit ramdump block_device:blk_file { getattr open read write }; |
| dontaudit ramdump block_device:dir search; |
| dontaudit ramdump gsi_metadata_file:dir search; |
| dontaudit ramdump init:unix_stream_socket connectto; |
| dontaudit ramdump metadata_file:dir search; |
| dontaudit ramdump proc_cmdline:file { getattr open read }; |
| dontaudit ramdump property_socket:sock_file write; |
| dontaudit ramdump public_vendor_default_prop:file { getattr map open read }; |
| dontaudit ramdump ramdump_vendor_data_file:dir { remove_name search write }; |
| dontaudit ramdump ramdump_vendor_data_file:file { getattr open read unlink write }; |
| dontaudit ramdump sysfs_dt_firmware_android:dir { open read search }; |
| dontaudit ramdump sysfs_dt_firmware_android:file { getattr open read }; |
| dontaudit ramdump vendor_ramdump_prop:file { getattr map open read }; |
| |
| #============= rfs_access ============== |
| # NOTE(review): silences capability { chown setgid setpcap setuid } and capability2 |
| # block_suspend. Identity-changing capabilities are high-value audit events; if the daemon |
| # drops privileges at start-up this should be an explicit, commented allow. |
| dontaudit rfs_access mnt_vendor_file:dir search; |
| dontaudit rfs_access persist_file:dir search; |
| dontaudit rfs_access persist_rfs_file:dir { open read search setattr }; |
| dontaudit rfs_access persist_rfs_file:file { getattr open read setattr write }; |
| dontaudit rfs_access persist_rfs_shared_hlos_file:dir { open read search setattr }; |
| dontaudit rfs_access rfs_tombstone_data_file:dir { search setattr }; |
| dontaudit rfs_access self:capability { chown setgid setpcap setuid }; |
| dontaudit rfs_access self:capability2 block_suspend; |
| dontaudit rfs_access self:qipcrtr_socket { connect create read setopt write }; |
| dontaudit rfs_access sysfs_wake_lock:file { append open }; |
| |
| # NOTE(review): dontaudit does not permit the access; it only removes the avc denial from |
| # the log. The sections below include raw block-device, capability and TEE-related rules. |
| #============= rild ============== |
| dontaudit rild hal_dataconnection_hwservice:hwservice_manager add; |
| dontaudit rild hal_iwlan_hwservice:hwservice_manager add; |
| dontaudit rild hal_secure_element_hwservice:hwservice_manager add; |
| dontaudit rild qmuxd_socket:dir { add_name search write }; |
| dontaudit rild qmuxd_socket:sock_file create; |
| dontaudit rild self:qipcrtr_socket { create getattr read setopt write }; |
| dontaudit rild vendor_per_mgr:binder { call transfer }; |
| dontaudit rild vendor_per_mgr_service:service_manager find; |
| dontaudit rild vendor_radio_data_file:dir { add_name getattr search write }; |
| dontaudit rild vendor_radio_data_file:file create; |
| dontaudit rild vndbinder_device:chr_file { ioctl map open read write }; |
| dontaudit rild vndservicemanager:binder call; |
| |
| #============= rmt_storage ============== |
| # NOTE(review): hides read/write on the generic block_device type, capability |
| # { setgid setpcap setuid }, writes to kmsg_device and map/read/write on uio_device. |
| # Presumably the modem-storage partitions need their own block-device label - verify. |
| dontaudit rmt_storage block_device:blk_file { open read write }; |
| dontaudit rmt_storage block_device:dir search; |
| dontaudit rmt_storage kmsg_device:chr_file { open write }; |
| dontaudit rmt_storage self:capability { setgid setpcap setuid }; |
| dontaudit rmt_storage self:capability2 block_suspend; |
| dontaudit rmt_storage self:qipcrtr_socket { create getattr read write }; |
| dontaudit rmt_storage sysfs:file { open read }; |
| dontaudit rmt_storage sysfs_msm_subsys:dir { open read search }; |
| dontaudit rmt_storage sysfs_msm_subsys:file { open read }; |
| dontaudit rmt_storage sysfs_rmtfs:dir search; |
| dontaudit rmt_storage sysfs_rmtfs:file { getattr open read }; |
| dontaudit rmt_storage sysfs_uio:dir { open read search }; |
| dontaudit rmt_storage sysfs_wake_lock:file { append open }; |
| dontaudit rmt_storage uio_device:chr_file { map open read write }; |
| |
| #============= sensors ============== |
| dontaudit sensors diag_device:chr_file { ioctl open read write }; |
| dontaudit sensors mnt_vendor_file:dir search; |
| dontaudit sensors persist_file:dir search; |
| dontaudit sensors self:qipcrtr_socket create; |
| dontaudit sensors sensors_persist_file:dir search; |
| dontaudit sensors sysfs:file { open read }; |
| dontaudit sensors sysfs_msm_subsys:dir { open read search }; |
| dontaudit sensors sysfs_msm_subsys:file { open read }; |
| |
| #============= surfaceflinger ============== |
| # NOTE(review): the last rule hides execute/map on the generic vendor_file type from |
| # surfaceflinger, a system domain; presumably a vendor library that is not labelled for |
| # cross-partition use - verify rather than suppress. |
| dontaudit surfaceflinger sysfs:file { getattr open read }; |
| dontaudit surfaceflinger vendor_display_prop:file { getattr map open read }; |
| dontaudit surfaceflinger vendor_file:file { execute getattr map open read }; |
| |
| #============= tee ============== |
| # NOTE(review): covers read/write on generic block_device, sg_device ioctl/setattr, |
| # capability { chown setgid setuid } and a property-set attempt for the tee domain. These |
| # are the storage and privilege paths of the trusted-execution daemon; silenced denials |
| # here make secure-storage failures and unexpected access attempts equally invisible. |
| dontaudit tee block_device:blk_file { open read write }; |
| dontaudit tee block_device:dir { getattr search }; |
| dontaudit tee device:dir { open read }; |
| dontaudit tee init:unix_stream_socket connectto; |
| dontaudit tee mnt_vendor_file:dir search; |
| dontaudit tee persist_drm_file:dir { open read }; |
| dontaudit tee persist_file:dir search; |
| dontaudit tee persist_file:lnk_file read; |
| dontaudit tee property_socket:sock_file write; |
| dontaudit tee self:capability { chown setgid setuid }; |
| dontaudit tee sg_device:chr_file { ioctl open read setattr write }; |
| dontaudit tee sysfs_wake_lock:file append; |
| dontaudit tee vndbinder_device:chr_file { ioctl map open read write }; |
| |
| # NOTE(review): every rule below is a dontaudit: the access stays denied for an enforcing |
| # domain and the denial is simply not logged. |
| #============= thermal-engine ============== |
| dontaudit thermal-engine self:netlink_kobject_uevent_socket { bind create read setopt }; |
| dontaudit thermal-engine self:qipcrtr_socket { create getattr read write }; |
| dontaudit thermal-engine sysfs:dir { open read }; |
| dontaudit thermal-engine sysfs:file { getattr open read write }; |
| dontaudit thermal-engine sysfs_leds:dir search; |
| dontaudit thermal-engine sysfs_msm_subsys:dir { open read search }; |
| dontaudit thermal-engine sysfs_msm_subsys:file { open read }; |
| dontaudit thermal-engine sysfs_soc:dir search; |
| dontaudit thermal-engine sysfs_soc:file { getattr open read }; |
| |
| #============= time_daemon ============== |
| # NOTE(review): silences capability { dac_read_search sys_time }. sys_time is plausible for |
| # a time daemon and would be clearer as an allow; dac_read_search bypasses file read/search |
| # permission checks and usually indicates wrong file ownership - fix the ownership instead. |
| dontaudit time_daemon rtc_device:chr_file { ioctl open read }; |
| dontaudit time_daemon self:capability { dac_read_search sys_time }; |
| dontaudit time_daemon self:qipcrtr_socket { create getattr read setopt write }; |
| dontaudit time_daemon sysfs:file { open read }; |
| dontaudit time_daemon sysfs_msm_subsys:dir { open read search }; |
| dontaudit time_daemon sysfs_msm_subsys:file { open read }; |
| dontaudit time_daemon sysfs_soc:dir search; |
| dontaudit time_daemon sysfs_soc:file { getattr open read }; |
| dontaudit time_daemon time_data_file:dir search; |
| |
| #============= usbd ============== |
| dontaudit usbd hal_usb_impl:binder call; |
| |
| #============= vendor_init ============== |
| # NOTE(review): hides vendor_init writes to debugfs files, open/write on ipa_dev and |
| # setattr on system_data_file directories. The last of these is a vendor domain changing |
| # attributes on system-owned data; presumably an init.rc chown/chmod that should target a |
| # vendor path - verify. |
| dontaudit vendor_init debugfs_clk:file write; |
| dontaudit vendor_init debugfs_sched_features:file write; |
| dontaudit vendor_init ipa_dev:chr_file { open write }; |
| dontaudit vendor_init kernel:system module_request; |
| dontaudit vendor_init public_vendor_default_prop:file { getattr map open read }; |
| dontaudit vendor_init system_data_file:dir setattr; |
| dontaudit vendor_init vendor_modem_diag_prop:file { getattr map open read }; |
| |
| #============= vendor_pd_mapper ============== |
| dontaudit vendor_pd_mapper self:qipcrtr_socket { read write }; |
| dontaudit vendor_pd_mapper sysfs_msm_subsys:dir search; |
| |
| #============= vendor_per_mgr ============== |
| dontaudit vendor_per_mgr init:unix_stream_socket connectto; |
| dontaudit vendor_per_mgr modem_ssr_device:chr_file { open read }; |
| dontaudit vendor_per_mgr property_socket:sock_file write; |
| dontaudit vendor_per_mgr self:binder { call transfer }; |
| dontaudit vendor_per_mgr self:qipcrtr_socket { create getattr read write }; |
| dontaudit vendor_per_mgr sysfs:file { open read }; |
| dontaudit vendor_per_mgr sysfs_msm_subsys:dir { open read search }; |
| dontaudit vendor_per_mgr sysfs_msm_subsys:file { open read }; |
| dontaudit vendor_per_mgr vendor_per_mgr_service:service_manager { add find }; |
| dontaudit vendor_per_mgr vndbinder_device:chr_file { ioctl map open read write }; |
| dontaudit vendor_per_mgr vndservicemanager:binder { call transfer }; |
| |
| #============= vendor_ssr_setup ============== |
| dontaudit vendor_ssr_setup sysfs:file { open read write }; |
| dontaudit vendor_ssr_setup sysfs_msm_subsys:dir { open read search }; |
| dontaudit vendor_ssr_setup sysfs_msm_subsys:file { open read write }; |
| dontaudit vendor_ssr_setup vendor_ssr_prop:file { getattr map open read }; |
| |
| #============= vendor_subsystem_ramdump ============== |
| # NOTE(review): covers reading ramdump_device and creating/deleting files under |
| # ramdump_vendor_data_file. Subsystem memory dumps can hold sensitive data, so whether this |
| # domain runs at all on production builds is worth confirming before silencing its denials. |
| dontaudit vendor_subsystem_ramdump device:dir { open read }; |
| dontaudit vendor_subsystem_ramdump init:unix_stream_socket connectto; |
| dontaudit vendor_subsystem_ramdump property_socket:sock_file write; |
| dontaudit vendor_subsystem_ramdump ramdump_device:chr_file { open read }; |
| dontaudit vendor_subsystem_ramdump ramdump_vendor_data_file:dir { add_name getattr open read remove_name search write }; |
| dontaudit vendor_subsystem_ramdump ramdump_vendor_data_file:file { create getattr open unlink write }; |
| dontaudit vendor_subsystem_ramdump ssr_log_file:dir search; |
| dontaudit vendor_subsystem_ramdump ssr_log_file:file { append getattr open }; |
| dontaudit vendor_subsystem_ramdump sysfs:file { open read }; |
| dontaudit vendor_subsystem_ramdump sysfs_msm_subsys:dir { open read search }; |
| dontaudit vendor_subsystem_ramdump sysfs_msm_subsys:file { open read }; |
| |
| #============= vold ============== |
| dontaudit vold public_vendor_default_prop:file { getattr map open read }; |
| |
| #============= wcnss_service ============== |
| dontaudit wcnss_service self:netlink_route_socket read; |
| dontaudit wcnss_service self:qipcrtr_socket { create getattr read write }; |
| dontaudit wcnss_service self:udp_socket { create ioctl }; |
| dontaudit wcnss_service sysfs_msm_subsys:dir { open read search }; |
| dontaudit wcnss_service vendor_per_mgr_service:service_manager find; |
| dontaudit wcnss_service vndbinder_device:chr_file ioctl; |
| |
| #============= zygote ============== |
| dontaudit zygote vendor_display_prop:file { getattr map open read }; |
| |
| |
| # NOTE(review): a second run of per-domain sections starts here; adsprpcd and cnd already |
| # have sections at the top of this listing, so this looks like a later batch appended to an |
| # earlier one - TODO confirm. As before, dontaudit only hides the denial log entry. |
| #============= adsprpcd ============== |
| # NOTE(review): this batch widens the suppressed set for sensors_persist_file to creating, |
| # renaming and unlinking files, and adds ion_device / qdsp_device access. |
| dontaudit adsprpcd ion_device:chr_file { ioctl open read }; |
| dontaudit adsprpcd mnt_vendor_file:dir { open search }; |
| dontaudit adsprpcd persist_file:dir search; |
| dontaudit adsprpcd qdsp_device:chr_file { open read }; |
| dontaudit adsprpcd sensors_persist_file:dir { add_name getattr open read remove_name write }; |
| dontaudit adsprpcd sensors_persist_file:file { create open rename unlink write }; |
| dontaudit adsprpcd sysfs_soc:dir search; |
| dontaudit adsprpcd sysfs_soc:file { getattr open read }; |
| |
| #============= cdsprpcd ============== |
| dontaudit cdsprpcd ion_device:chr_file { ioctl open read }; |
| dontaudit cdsprpcd qdsp_device:chr_file { ioctl open read }; |
| |
| #============= cnd ============== |
| # NOTE(review): includes diag_device read/write/ioctl alongside the daemon's own data |
| # files and hwservicemanager access; diag_device is presumably a debug-only interface - |
| # confirm it is not reachable from this domain on production builds. |
| dontaudit cnd cnd_data_file:dir { read search }; |
| dontaudit cnd cnd_data_file:file { getattr ioctl open read write }; |
| dontaudit cnd cnd_vendor_prop:file { getattr map open read }; |
| dontaudit cnd diag_device:chr_file { ioctl open read write }; |
| dontaudit cnd hwservicemanager:binder { call transfer }; |
| dontaudit cnd hwservicemanager_prop:file { getattr map open read }; |
| dontaudit cnd proc_meminfo:file { getattr open read }; |
| dontaudit cnd self:qipcrtr_socket { create getattr write }; |
| dontaudit cnd sysfs:file { open read }; |
| dontaudit cnd sysfs_msm_subsys:dir { open read search }; |
| dontaudit cnd sysfs_msm_subsys:file { open read }; |
| dontaudit cnd sysfs_soc:dir search; |
| dontaudit cnd sysfs_soc:file { getattr open read }; |
| |
| #============= flags_health_check ============== |
| # NOTE(review): one rule per property type, each hiding { getattr map open } with no read |
| # permission listed. The uniform shape across unrelated property types looks like the |
| # domain opening every property area in turn rather than needing any one of them - |
| # presumably; verify. dontaudit grants nothing, so none of these become readable. |
| # If silencing is the intent, a single rule on a property attribute would be easier to |
| # review than this per-type list, which silently goes stale when new types are added. |
| dontaudit flags_health_check system_lmk_prop:file { getattr map open }; |
| dontaudit flags_health_check system_trace_prop:file { getattr map open }; |
| dontaudit flags_health_check test_boot_reason_prop:file { getattr map open }; |
| dontaudit flags_health_check test_harness_prop:file { getattr map open }; |
| dontaudit flags_health_check theme_prop:file { getattr map open }; |
| dontaudit flags_health_check time_prop:file { getattr map open }; |
| dontaudit flags_health_check traced_enabled_prop:file { getattr map open }; |
| dontaudit flags_health_check traced_lazy_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_audio_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_aware_available_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_bluetooth_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_build_type_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_cnss_diag_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_default_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_device_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_disable_spu_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_display_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_faceauth_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_modem_diag_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_modem_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_per_mgr_state_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_radio_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_ramdump_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_ramoops_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_security_patch_level_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_shutdown_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_ssr_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_tcpdump_log_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_tee_listener_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_thermal_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_usb_prop:file { getattr map open }; |
| dontaudit flags_health_check vendor_wifi_version:file { getattr map open }; |
| dontaudit flags_health_check vendor_xlat_prop:file { getattr map open }; |
| dontaudit flags_health_check wifi_prop:file { getattr map open }; |
| |
| #============= hal_memtrack_default ============== |
| # dontaudit grants nothing: the access below is still denied, only the |
| # "avc: denied" log record is suppressed. |
| # NOTE(review): if hal_memtrack_default actually needs to search |
| # sysfs_kgsl_proc directories, that failure is now silent; confirm the |
| # denial is benign before keeping it hidden. |
| dontaudit hal_memtrack_default sysfs_kgsl_proc:dir search; |
| |
| #============= hal_power_stats_default ============== |
| # Silences (does not allow) denied read-type access by hal_power_stats_default |
| # to exported_wifi_prop property files and sysfs_power_stats files. |
| # NOTE(review): going by the type names, sysfs_power_stats looks like data this |
| # domain is meant to read; if so, an allow rule may be missing rather than the |
| # denial being noise. Verify against the device's behaviour. |
| dontaudit hal_power_stats_default exported_wifi_prop:file { getattr map open read }; |
| dontaudit hal_power_stats_default sysfs_power_stats:file { getattr open read }; |
| |
| #============= hal_usb_impl ============== |
| # Three denials for hal_usb_impl are hidden from the audit log; the accesses |
| # themselves remain blocked. |
| # The first rule covers symlink creation under configfs, i.e. a modifying |
| # operation rather than a read. |
| # NOTE(review): confirm that USB gadget setup does not depend on it, since a |
| # failure here leaves no AVC record. |
| dontaudit hal_usb_impl configfs:lnk_file create; |
| dontaudit hal_usb_impl functionfs:dir read; |
| dontaudit hal_usb_impl vendor_usb_prop:file { getattr map open read }; |
| |
| #============= ims ============== |
| # Suppresses audit records for accesses that stay denied to the ims domain: |
| # a character device, a property file, its own qipcrtr sockets and sysfs nodes. |
| # NOTE(review): diag_device presumably labels the diagnostic interface |
| # (confirm). Hiding denied ioctl/open/read/write attempts on it removes a |
| # signal that triage and detection would otherwise see in the logs. |
| dontaudit ims diag_device:chr_file { ioctl open read write }; |
| dontaudit ims qcom_ims_prop:file { getattr map open read }; |
| # self:qipcrtr_socket = sockets the domain creates itself; create is denied |
| # and silenced, so any dependent IPC fails without an AVC record. |
| dontaudit ims self:qipcrtr_socket { create getattr write }; |
| # sysfs is the generic label; the two sysfs_msm_subsys rules cover dir and file. |
| dontaudit ims sysfs:file { open read }; |
| dontaudit ims sysfs_msm_subsys:dir { open read search }; |
| dontaudit ims sysfs_msm_subsys:file { open read }; |
| |
| #============= init_radio ============== |
| # The read of vendor_radio_data_file files by init_radio stays denied; this |
| # rule only stops the denial from being logged. |
| dontaudit init_radio vendor_radio_data_file:file read; |
| |
| #============= keystore ============== |
| # Hides the audit record for keystore being denied a binder call into |
| # hal_keymaster_qti. The call itself is still blocked. |
| # NOTE(review): going by the type names this looks like the keystore -> |
| # keymaster HAL path (confirm). If key operations rely on it, failures will not |
| # appear in the AVC log; consider keeping this denial audited until the cause |
| # is understood. |
| dontaudit keystore hal_keymaster_qti:binder call; |
| |
| #============= location ============== |
| # Silences denials for the location domain on location_data_file, |
| # location_socket, its own qipcrtr sockets and sysfs_soc. |
| # No access is granted by any of these rules. |
| # NOTE(review): location_data_file and location_socket presumably belong to |
| # this domain (names only; confirm). Denied read/write on them would then |
| # point to a labelling or allow-rule gap that this block conceals. |
| dontaudit location location_data_file:dir search; |
| dontaudit location location_data_file:file { getattr ioctl open read write }; |
| dontaudit location location_socket:sock_file setattr; |
| dontaudit location self:qipcrtr_socket { getattr write }; |
| dontaudit location sysfs_soc:file getattr; |
| |
| #============= netmgrd ============== |
| # Audit suppression for netmgrd; every access listed remains denied. |
| # The first rule is on class capability: a denied setgid capability check |
| # (CAP_SETGID) is no longer logged. |
| # NOTE(review): capability denials are worth reviewing individually because |
| # they show a process attempting a privileged operation. Confirm this one is |
| # expected before hiding it. |
| dontaudit netmgrd self:capability setgid; |
| dontaudit netmgrd self:qipcrtr_socket { create getattr write }; |
| dontaudit netmgrd sysfs:file { open read }; |
| dontaudit netmgrd sysfs_msm_subsys:dir { open read }; |
| dontaudit netmgrd sysfs_msm_subsys:file { open read }; |
| |
| #============= pixelstats_vendor ============== |
| # Suppresses logging of denied binder calls from pixelstats_vendor to |
| # hwservicemanager and statsd, a denied property read, and denied access to |
| # sysfs_scsi_devices_0000 files. Nothing here is an allow. |
| # NOTE(review): with the hwservicemanager call denied and unlogged, the domain |
| # presumably cannot look up HAL services (confirm); that failure mode is hard |
| # to diagnose without the AVC record. |
| dontaudit pixelstats_vendor hwservicemanager:binder call; |
| dontaudit pixelstats_vendor hwservicemanager_prop:file { getattr map open read }; |
| dontaudit pixelstats_vendor statsd:binder call; |
| # Includes write, so denied modification attempts on these sysfs files are |
| # hidden as well as reads. |
| dontaudit pixelstats_vendor sysfs_scsi_devices_0000:file { getattr open read write }; |
| |
| #============= port-bridge ============== |
| # Silences denials for the port-bridge domain; access stays blocked. |
| # NOTE(review): at_device presumably labels an AT-command character device |
| # (from the name; confirm). Denied open/read/write on it is worth keeping |
| # visible unless it is known to be harmless. |
| dontaudit port-bridge at_device:chr_file { open read write }; |
| # The remaining rules hide denied read-only probing of sysfs, with both the |
| # generic sysfs label and the more specific sysfs_msm_subsys / sysfs_soc labels. |
| dontaudit port-bridge sysfs:file { open read }; |
| dontaudit port-bridge sysfs_msm_subsys:dir { open read }; |
| dontaudit port-bridge sysfs_msm_subsys:file { open read }; |
| dontaudit port-bridge sysfs_soc:dir search; |
| dontaudit port-bridge sysfs_soc:file { getattr open read }; |
| |
| #============= rfs_access ============== |
| # getattr on the domain's own qipcrtr sockets stays denied for rfs_access; |
| # only the log record is dropped. |
| dontaudit rfs_access self:qipcrtr_socket getattr; |
| |
| #============= rild ============== |
| # Suppresses audit records for rild being denied access to diag_device, |
| # vendor_radio_data_file files and vendor_radio_prop property files. |
| # The denials themselves are unchanged. |
| # NOTE(review): diag_device presumably labels the diagnostic interface |
| # (confirm). Silencing denied ioctl/read/write on it reduces visibility into |
| # which processes try to reach that device. |
| dontaudit rild diag_device:chr_file { ioctl open read write }; |
| # NOTE(review): the vendor_radio_* types look like rild's own data and |
| # properties (names only; verify). If so, these denials indicate missing |
| # allow rules rather than log noise. |
| dontaudit rild vendor_radio_data_file:file { getattr ioctl lock open read write }; |
| dontaudit rild vendor_radio_prop:file { getattr map open read }; |
| |
| #============= thermal-engine ============== |
| # setopt on thermal-engine's own qipcrtr sockets remains denied; this rule |
| # only keeps the denial out of the audit log. |
| dontaudit thermal-engine self:qipcrtr_socket setopt; |
| |
| #============= vendor_pd_mapper ============== |
| # Audit suppression only: vendor_pd_mapper is still denied creating and |
| # inspecting its own qipcrtr sockets and reading the sysfs nodes below. |
| # NOTE(review): a domain that cannot create its qipcrtr socket presumably |
| # cannot do its IPC (confirm). With the denial unlogged, such a breakage would |
| # have to be found by other means. |
| dontaudit vendor_pd_mapper self:qipcrtr_socket { create getattr }; |
| dontaudit vendor_pd_mapper sysfs:file { open read }; |
| dontaudit vendor_pd_mapper sysfs_msm_subsys:dir { open read }; |
| dontaudit vendor_pd_mapper sysfs_msm_subsys:file { open read }; |
| |
| #============= vendor_per_mgr ============== |
| # Directory search on debugfs_ipc stays denied for vendor_per_mgr; the rule |
| # only prevents the denial from being logged. |
| dontaudit vendor_per_mgr debugfs_ipc:dir search; |
| |
| #============= wcnss_service ============== |
| # Hides audit records for accesses that remain denied to wcnss_service: |
| # its own netlink sockets, sysfs reads, and the vendor binder path. |
| # dontaudit never grants access. |
| # Socket creation and binding are denied and unlogged for both netlink classes. |
| dontaudit wcnss_service self:netlink_generic_socket { bind create getattr read setopt write }; |
| dontaudit wcnss_service self:netlink_route_socket { bind create }; |
| dontaudit wcnss_service sysfs:file { open read }; |
| dontaudit wcnss_service sysfs_msm_subsys:file { open read }; |
| dontaudit wcnss_service sysfs_soc:dir search; |
| dontaudit wcnss_service sysfs_soc:file { getattr open read }; |
| # The next three rules cover binder: calls to vendor_per_mgr and |
| # vndservicemanager, and access to the vndbinder_device node. |
| # NOTE(review): with the device node itself denied, the domain presumably has |
| # no working vendor binder at all (confirm). Decide whether that is intended |
| # or a missing allow that this block is masking. |
| dontaudit wcnss_service vendor_per_mgr:binder { call transfer }; |
| dontaudit wcnss_service vndbinder_device:chr_file { map open read write }; |
| dontaudit wcnss_service vndservicemanager:binder call; |