| # ============================================== |
| # MTK Policy Rule |
| # ============================================== |
| # Access devices. |
| allow system_server touch_device:chr_file rw_file_perms; |
| allow system_server stpant_device:chr_file rw_file_perms; |
| allow system_server devmap_device:chr_file r_file_perms; |
| allow system_server irtx_device:chr_file rw_file_perms; |
| allow system_server qemu_pipe_device:chr_file rw_file_perms; |
| allow system_server wmtWifi_device:chr_file w_file_perms; |
| |
| # Add for bootprof |
| allow system_server proc_bootprof:file rw_file_perms; |
| |
| # /data/core access. |
| allow system_server aee_core_data_file:dir r_dir_perms; |
| |
| # /sys/kernel/debug/ion/clients access |
| allow system_server debugfs:dir r_dir_perms; |
| |
| # Perform Binder IPC. |
| allow system_server zygote:binder impersonate; |
| |
| # Property service. |
| allow system_server ctl_bootanim_prop:property_service set; |
| |
| # For dumpsys. |
| allow system_server aee_dumpsys_data_file:file w_file_perms; |
| allow system_server aee_exp_data_file:file w_file_perms; |
| |
| # Dump native process backtrace. |
| #allow system_server exec_type:file r_file_perms; |
| |
| # Querying zygote socket. |
| allow system_server zygote:unix_stream_socket { getopt getattr }; |
| |
| # Communicate over a socket created by mnld process. |
| |
| # Allow system_server to read /sys/kernel/debug/wakeup_sources |
| allow system_server debugfs_wakeup_sources:file r_file_perms; |
| |
| # Allow system_server to read/write /sys/power/dcm_state |
| allow system_server sysfs_dcm:file rw_file_perms; |
| |
| # Date : WK16.36 |
| # Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW |
| allow system_server log_tag_prop:property_service set; |
| |
| # Data : WK16.42 |
| # Operator: Whitney bring up |
| # Purpose: call surfaceflinger due to powervr |
| allow system_server surfaceflinger:fifo_file rw_file_perms; |
| |
| # Date : W16.42 |
| # Operation : Integration |
| # Purpose : DRM / DRI GPU driver required |
| allow system_server gpu_device:dir search; |
| allow system_server debugfs_gpu_img:dir search; |
| |
| # Date : W16.43 |
| # Operation : Integration |
| # Purpose : DRM / DRI GPU driver required |
| allow system_server sw_sync_device:chr_file { read write getattr open ioctl }; |
| |
| # Date : WK16.44 |
| # Purpose: Allow to access UART1 ttyMT1 |
| allow system_server ttyMT_device:chr_file rw_file_perms; |
| |
| # Date : WK17.52 |
| # Purpose: Allow to access UART1 ttyS |
| allow system_server ttyS_device:chr_file rw_file_perms; |
| |
| # Date:W16.46 |
| # Operation : thermal hal Feature developing |
| # Purpose : thermal hal interface permission |
| allow system_server proc_mtktz:dir search; |
| allow system_server proc_mtktz:file r_file_perms; |
| |
| # Date:W17.02 |
| # Operation : audio hal developing |
| # Purpose : audio hal interface permission |
| allow system_server mtk_hal_audio:process { getsched setsched }; |
| |
| # Date:W17.07 |
| # Operation : bt hal |
| # Purpose : bt hal interface permission |
| binder_call(system_server, mtk_hal_bluetooth) |
| |
| # Date:W17.08 |
| # Operation : sensors hal developing |
| # Purpose : sensors hal interface permission |
| binder_call(system_server, mtk_hal_sensors) |
| |
| # Operation : light hal developing |
| # Purpose : light hal interface permission |
| binder_call(system_server, mtk_hal_light) |
| |
| # Date:W17.21 |
| # Operation : gnss hal |
| # Purpose : gnss hal interface permission |
| hal_client_domain(system_server, hal_gnss) |
| |
| # Date : W18.01 |
| # Add for turn on SElinux in enforcing mode |
| allow system_server vendor_framework_file:dir r_file_perms; |
| |
| # Fix bootup violation |
| allow system_server vendor_framework_file:file getattr; |
| allow system_server wifi_prop:file { read getattr open }; |
| |
| # Date:W17.22 |
| # Operation : add aee_aed socket rule |
| # Purpose : type=1400 audit(0.0:134519): avc: denied { connectto } |
| # for comm=4572726F722064756D703A20737973 |
| # path=00636F6D2E6D746B2E6165652E6165645F3634 |
| # scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0 |
| # tclass=unix_stream_socket permissive=0 |
| allow system_server aee_aed:unix_stream_socket connectto; |
| |
| #Dat: 2017/02/14 |
| #Purpose: allow get telephony Sensitive property |
| get_prop(system_server, mtk_telephony_sensitive_prop) |
| |
| # Date: W17.22 |
| # Operation : New Feature |
| # Purpose : Add for A/B system |
| allow system_server debugfs_wakeup_sources:file { read getattr open }; |
| |
| # Date:W17.26 |
| # Operation : imsa hal |
| # Purpose : imsa hal interface permission |
| binder_call(system_server, mtk_hal_imsa) |
| |
| # Date:W17.28 |
| # Operation : camera hal developing |
| # Purpose : camera hal binder_call permission |
| binder_call(system_server, mtk_hal_camera) |
| |
| # Date:W17.31 |
| # Operation : mpe sensor hidl developing |
| # Purpose : mpe sensor hidl permission |
| binder_call(system_server, mnld) |
| |
| # Date : WK17.32 |
| # Operation : Migration |
| # Purpose : for network log dumpsys setting/netd information |
| # audit(0.0:914): avc: denied { write } for path="pipe:[46088]" |
| # dev="pipefs" ino=46088 scontext=u:r:system_server:s0 |
| # tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1 |
| allow system_server netdiag:fifo_file write; |
| |
| # Date : WK17.32 |
| # Operation : Migration |
| # Purpose : for DHCP Client ip recover functionality |
| allow system_server dhcp_data_file:dir search; |
| allow system_server dhcp_data_file:dir rw_dir_perms; |
| allow system_server dhcp_data_file:file create_file_perms; |
| |
| # Date:W17.35 |
| # Operation : lbs hal |
| # Purpose : lbs hidl interface permission |
| hal_client_domain(system_server, mtk_hal_lbs) |
| |
| # Date : WK17.12 |
| # Operation : MT6799 SQC |
| # Purpose : Change thermal config |
| allow system_server mtk_thermal_config_prop:file { getattr open read }; |
| |
| |
| # Date : WK17.43 |
| # Operation : Migration |
| # Purpose : perfmgr permission |
| allow system_server mtk_hal_power_hwservice:hwservice_manager find; |
| allow system_server proc_perfmgr:dir {read search}; |
| allow system_server proc_perfmgr:file {open read ioctl}; |
| allowxperm system_server proc_perfmgr:file ioctl { |
| PERFMGR_FPSGO_QUEUE |
| PERFMGR_FPSGO_DEQUEUE |
| PERFMGR_FPSGO_QUEUE_CONNECT |
| PERFMGR_FPSGO_BQID |
| }; |
| |
| # Date : W18.22 |
| # Operation : MTK wifi hal migration |
| # Purpose : MTK wifi hal interface permission |
| binder_call(system_server, mtk_hal_wifi) |
| |
| # Date : WK18.33 |
| # Purpose : type=1400 audit(0.0:1592): avc: denied { read } |
| # for comm=4572726F722064756D703A20646174 name= |
| # "u:object_r:persist_mtk_aee_prop:s0" dev="tmpfs" |
| # ino=10312 scontext=u:r:system_server:s0 tcontext= |
| # u:object_r:persist_mtk_aee_prop:s0 tclass=file permissive=0 |
| get_prop(system_server, persist_mtk_aee_prop); |
| |
| # Date : W19.15 |
| # Operation : alarm device permission |
| # Purpose : support power-off alarm |
| allow system_server alarm_device:chr_file rw_file_perms; |
| |
| # Date : WK19.7 |
| # Operation: Q migration |
| # Purpose : Allow system_server to use ioctl/ioctlcmd |
| allow system_server proc_ged:file rw_file_perms; |
| allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls }; |
| |
| # Date: 2019/06/14 |
| # Operation : Migration |
| get_prop(system_server, vendor_default_prop) |
| |
| # Date: 2019/06/14 |
| # Operation : when WFD turnning on, turn off hdmi |
| allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find; |
| allow system_server mtk_hal_hdmi:binder call; |
| |
| #Date:2019/10/08 |
| #Operation:Q Migration |
| allow system_server proc_battery_cmd:dir search; |
| |
| #Date:2019/10/09 |
| #Operation:Q Migration |
| get_prop(system_server, debug_mtk_aee_prop) |
| |
| #Date:2019/10/09 |
| #Operation:Q Migration |
| get_prop(system_server, debug_bq_dump_prop) |
| get_prop(system_server, mtk_telecom_vibrate) |
| allow system_server proc_cmdq_debug:file getattr; |
| allow system_server proc_freqhop:file getattr; |
| allow system_server proc_last_kmsg:file r_file_perms; |
| allow system_server proc_cm_mgr:dir search; |
| allow system_server proc_isp_p2:dir search; |
| allow system_server proc_thermal:dir search; |
| allow system_server proc_atf_log:dir search; |
| allow system_server proc_cpufreq:dir search; |
| allow system_server proc_mtkcooler:dir search; |
| allow system_server proc_ppm:dir search; |
| |
| # Date : 2019/10/11 |
| # Operation : Q Migration |
| allow system_server proc_wlan_status:file getattr; |
| |
| # Date : 2019/10/11 |
| # Operation : Q Migration |
| allow system_server sysfs_pages_shared:file r_file_perms; |
| allow system_server sysfs_pages_sharing:file r_file_perms; |
| allow system_server sysfs_pages_unshared:file r_file_perms; |
| allow system_server sysfs_pages_volatile:file r_file_perms; |
| |
| # Date:2019/10/14 |
| # Operation: Q Migration |
| # Purpose : power_hal_mgr_service may use libmtkperf_client |
| allow system_server sysfs_boot_mode:file r_file_perms; |
| |
| # Date : 2019/10/22 |
| # Operation : Q Migration |
| allow system_server self:capability sys_module; |
| |
| # Date : 2019/10/22 |
| # Operation : Q Migration |
| dontaudit system_server sdcardfs:file r_file_perms; |
| |
| # Date : 2019/10/26 |
| # Operation : Q Migration |
| allow system_server mtk_hal_camera:process sigkill; |
| allow system_server kernel:system syslog_read; |
| |
| # Date : 2019/10/30 |
| # Operation : Q Migration |
| allow system_server proc_chip:dir search; |
| allow system_server zygote:process setsched; |
| |
| # Date : 2019/11/21 |
| # Operation : Q Migration |
| allow system_server sf_rtt_file:dir rmdir; |
