plat_private/aee_aed.te - device/mediatek/wembley-sepolicy - Git at Google

 # ==============================================
 # Policy File of /system/bin/aee_aed Executable File

 # ==============================================
 # Type Declaration
 # ==============================================
 type aee_aed_exec, exec_type, file_type;
 typeattribute aee_aed coredomain;
 typeattribute aee_aed mlstrustedsubject;

 init_daemon_domain(aee_aed)

 # ==============================================
 # MTK Policy Rule
 # ==============================================

 # AED start: /dev/block/expdb
 allow aee_aed block_device:dir search;

 #allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow

 # aee db dir and db files
 allow aee_aed sdcard_type:dir create_dir_perms;
 allow aee_aed sdcard_type:file create_file_perms;

 #data/anr
 allow aee_aed anr_data_file:dir create_dir_perms;
 allow aee_aed anr_data_file:file create_file_perms;

 allow aee_aed domain:process { sigkill getattr getsched signal };
 allow aee_aed domain:lnk_file getattr;

 #core-pattern
 allow aee_aed usermodehelper:file r_file_perms;

 #suid_dumpable. this is neverallow
 # allow aee_aed proc_security:file r_file_perms;

 #property
 allow aee_aed init:unix_stream_socket connectto;
 allow aee_aed property_socket:sock_file write;

 #allow aee_aed call binaries labeled "system_file" under /system/bin/
 allow aee_aed system_file:file execute_no_trans;

 allow aee_aed init:process getsched;
 allow aee_aed kernel:process getsched;

 # Date: W15.34
 # Operation: Migration
 # Purpose: For pagemap & pageflags information in NE DB
 userdebug_or_eng(`allow aee_aed self:capability sys_admin;')

 # Date: W16.17
 # Operation: N0 Migeration
 # Purpose: creat dir "aee_exp" under /data
 allow aee_aed system_data_file:dir { write create add_name };
 allow aee_aed system_data_file:file r_file_perms;

 # Purpose: allow aee_aed to access toolbox
 allow aee_aed toolbox_exec:file rx_file_perms;

 # purpose: allow aee_aed to access storage on N version
 allow aee_aed media_rw_data_file:file  { create_file_perms };
 allow aee_aed media_rw_data_file:dir { create_dir_perms };

 # Purpose: mnt/user/*
 allow aee_aed mnt_user_file:dir search;
 allow aee_aed mnt_user_file:lnk_file read;

 allow aee_aed storage_file:dir search;
 allow aee_aed storage_file:lnk_file read;

 # Date : WK17.09
 # Operation : AEE UT for Android O
 # Purpose : for AEE module to dump files
 domain_auto_trans(aee_aed, dumpstate_exec, dumpstate)

 # Purpose : aee_aed communicate with aee_core_forwarder
 # allow aee_aed aee_core_forwarder:dir search;
 # allow aee_aed aee_core_forwarder:file { read getattr open };

 userdebug_or_eng(`
   allow aee_aed su:dir {search read open };
   allow aee_aed su:file { read getattr open };
 ')

 # /data/tombstone
 allow aee_aed tombstone_data_file:dir w_dir_perms;
 allow aee_aed tombstone_data_file:file create_file_perms;

 # /proc/pid/
 #allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };

 # system(cmd) aee_dumpstate aee_archive
 allow aee_aed shell_exec:file rx_file_perms;

 # PROCESS_FILE_STATE
 allow aee_aed dumpstate:unix_stream_socket { read write ioctl };
 allow aee_aed dumpstate:dir search;
 allow aee_aed dumpstate:file r_file_perms;

 #allow aee_aed proc:file rw_file_perms;
 allow aee_aed logdr_socket:sock_file write;
 allow aee_aed logd:unix_stream_socket connectto;
 # allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule

 # vibrator
 allow aee_aed sysfs_vibrator:file w_file_perms;

 # Data : 2017/03/22
 # Operation : add NE flow rule for Android O
 # Purpose : make aee_aed can get specific process NE info
 allow aee_aed domain:dir r_dir_perms;
 allow aee_aed domain:{ file lnk_file } r_file_perms;
 allow aee_aed {
   domain
   -logd
   -keystore
   -init
 }:process ptrace;
 allow aee_aed dalvikcache_data_file:dir r_dir_perms;
 allow aee_aed zygote_exec:file r_file_perms;
 allow aee_aed init_exec:file r_file_perms;

 # Data : 2017/04/06
 # Operation : add selinux rule for crash_dump notify aee_aed
 # Purpose : make aee_aed can get notify from crash_dump
 allow aee_aed crash_dump:dir search;
 allow aee_aed crash_dump:file r_file_perms;

 # Purpose:
 # [  217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }
 # for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0
 # tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
 #allow aee_aed sysfs:file r_file_perms;

 # Purpose : allow aee_aed to read /proc/version
 allow aee_aed proc_version:file { read open };

 # Purpose : allow aee_aed self to sys_nice/chown
 allow aee_aed self:capability { sys_nice chown fowner};

 # Purpose: Allow aee_aed to write /sys/kernel/debug/tracing/snapshot
 userdebug_or_eng(`allow aee_aed debugfs_tracing_debug:file { write open };')

 # Purpose: Allow aee_aed self to sys_ptrace
 userdebug_or_eng(`allow aee_aed self:capability sys_ptrace;')
	# ==============================================
	# Policy File of /system/bin/aee_aed Executable File

	# ==============================================
	# Type Declaration
	# ==============================================
	type aee_aed_exec, exec_type, file_type;
	typeattribute aee_aed coredomain;
	typeattribute aee_aed mlstrustedsubject;

	init_daemon_domain(aee_aed)

	# ==============================================
	# MTK Policy Rule
	# ==============================================

	# AED start: /dev/block/expdb
	allow aee_aed block_device:dir search;

	#allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow

	# aee db dir and db files
	allow aee_aed sdcard_type:dir create_dir_perms;
	allow aee_aed sdcard_type:file create_file_perms;

	#data/anr
	allow aee_aed anr_data_file:dir create_dir_perms;
	allow aee_aed anr_data_file:file create_file_perms;

	allow aee_aed domain:process { sigkill getattr getsched signal };
	allow aee_aed domain:lnk_file getattr;

	#core-pattern
	allow aee_aed usermodehelper:file r_file_perms;

	#suid_dumpable. this is neverallow
	# allow aee_aed proc_security:file r_file_perms;

	#property
	allow aee_aed init:unix_stream_socket connectto;
	allow aee_aed property_socket:sock_file write;

	#allow aee_aed call binaries labeled "system_file" under /system/bin/
	allow aee_aed system_file:file execute_no_trans;

	allow aee_aed init:process getsched;
	allow aee_aed kernel:process getsched;

	# Date: W15.34
	# Operation: Migration
	# Purpose: For pagemap & pageflags information in NE DB
	userdebug_or_eng(`allow aee_aed self:capability sys_admin;')

	# Date: W16.17
	# Operation: N0 Migeration
	# Purpose: creat dir "aee_exp" under /data
	allow aee_aed system_data_file:dir { write create add_name };
	allow aee_aed system_data_file:file r_file_perms;

	# Purpose: allow aee_aed to access toolbox
	allow aee_aed toolbox_exec:file rx_file_perms;

	# purpose: allow aee_aed to access storage on N version
	allow aee_aed media_rw_data_file:file { create_file_perms };
	allow aee_aed media_rw_data_file:dir { create_dir_perms };

	# Purpose: mnt/user/*
	allow aee_aed mnt_user_file:dir search;
	allow aee_aed mnt_user_file:lnk_file read;

	allow aee_aed storage_file:dir search;
	allow aee_aed storage_file:lnk_file read;

	# Date : WK17.09
	# Operation : AEE UT for Android O
	# Purpose : for AEE module to dump files
	domain_auto_trans(aee_aed, dumpstate_exec, dumpstate)

	# Purpose : aee_aed communicate with aee_core_forwarder
	# allow aee_aed aee_core_forwarder:dir search;
	# allow aee_aed aee_core_forwarder:file { read getattr open };

	userdebug_or_eng(`
	allow aee_aed su:dir {search read open };
	allow aee_aed su:file { read getattr open };
	')

	# /data/tombstone
	allow aee_aed tombstone_data_file:dir w_dir_perms;
	allow aee_aed tombstone_data_file:file create_file_perms;

	# /proc/pid/
	#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };

	# system(cmd) aee_dumpstate aee_archive
	allow aee_aed shell_exec:file rx_file_perms;

	# PROCESS_FILE_STATE
	allow aee_aed dumpstate:unix_stream_socket { read write ioctl };
	allow aee_aed dumpstate:dir search;
	allow aee_aed dumpstate:file r_file_perms;

	#allow aee_aed proc:file rw_file_perms;
	allow aee_aed logdr_socket:sock_file write;
	allow aee_aed logd:unix_stream_socket connectto;
	# allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule

	# vibrator
	allow aee_aed sysfs_vibrator:file w_file_perms;

	# Data : 2017/03/22
	# Operation : add NE flow rule for Android O
	# Purpose : make aee_aed can get specific process NE info
	allow aee_aed domain:dir r_dir_perms;
	allow aee_aed domain:{ file lnk_file } r_file_perms;
	allow aee_aed {
	domain
	-logd
	-keystore
	-init
	}:process ptrace;
	allow aee_aed dalvikcache_data_file:dir r_dir_perms;
	allow aee_aed zygote_exec:file r_file_perms;
	allow aee_aed init_exec:file r_file_perms;

	# Data : 2017/04/06
	# Operation : add selinux rule for crash_dump notify aee_aed
	# Purpose : make aee_aed can get notify from crash_dump
	allow aee_aed crash_dump:dir search;
	allow aee_aed crash_dump:file r_file_perms;

	# Purpose:
	# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }
	# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0
	# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
	#allow aee_aed sysfs:file r_file_perms;

	# Purpose : allow aee_aed to read /proc/version
	allow aee_aed proc_version:file { read open };

	# Purpose : allow aee_aed self to sys_nice/chown
	allow aee_aed self:capability { sys_nice chown fowner};

	# Purpose: Allow aee_aed to write /sys/kernel/debug/tracing/snapshot
	userdebug_or_eng(`allow aee_aed debugfs_tracing_debug:file { write open };')

	# Purpose: Allow aee_aed self to sys_ptrace
	userdebug_or_eng(`allow aee_aed self:capability sys_ptrace;')