non_plat/mtkfusionrild.te - device/mediatek/wembley-sepolicy - Git at Google

 # ==============================================
 # Policy File of /vendor/bin/rild Executable File

 # ==============================================
 # Type Declaration
 # ==============================================

 # ==============================================
 # MTK Policy Rule
 # ==============================================
 # Access to wake locks
 wakelock_use(rild)
 # Trigger module auto-load.
 allow rild kernel:system module_request;

 # Capabilities assigned for rild
 allow rild self:capability { setuid net_admin net_raw };
 #allow rild self:capability dac_override;

 # Control cgroups
 allow rild cgroup:dir create_dir_perms;

 # Property service
 # allow set RIL related properties (radio./net./system./etc)
 set_prop(rild, radio_prop)
 set_prop(rild, net_radio_prop)
 set_prop(rild, system_radio_prop)
 set_prop(rild, persist_ril_prop)
 auditallow rild net_radio_prop:property_service set;
 auditallow rild system_radio_prop:property_service set;
 set_prop(rild, ril_active_md_prop)
 # allow set muxreport control properties
 set_prop(rild, ril_cdma_report_prop)
 set_prop(rild, ril_mux_report_case_prop)
 set_prop(rild, ctl_muxreport-daemon_prop)

 # Access to wake locks
 wakelock_use(rild)

 # Allow access permission to efs files
 allow rild efs_file:dir create_dir_perms;
 allow rild efs_file:file create_file_perms;
 allow rild bluetooth_efs_file:file r_file_perms;
 allow rild bluetooth_efs_file:dir r_dir_perms;

 # Allow access permission to dir/files
 # (radio data/system data/proc/etc)
 # Violate Android P rule
 #allow rild radio_data_file:dir rw_dir_perms;
 #allow rild radio_data_file:file create_file_perms;
 allow rild sdcard_type:dir r_dir_perms;
 # Violate Android P rule
 #allow rild system_data_file:dir r_dir_perms;
 #allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
 allow rild proc:file rw_file_perms;
 allow rild proc_net:file w_file_perms;

 # Allow rild to create and use netlink sockets.
 ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
 #allow rild self:netlink_socket create_socket_perms;
 #allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 # Set and get routes directly via netlink.
 allow rild self:netlink_route_socket nlmsg_write;

 # Allow rild to create sockets.
 ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
 #allow rild self:socket create_socket_perms;

 # Allow read/write to devices/files
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild radio_device:chr_file rw_file_perms;
 allow rild radio_device:blk_file r_file_perms;
 allow rild mtd_device:dir search;
 # Allow read/write to uart driver (for GPS)
 #allow rild gps_device:chr_file rw_file_perms;
 # Allow read/write to tty devices
 allow rild tty_device:chr_file rw_file_perms;
 allow rild eemcs_device:chr_file { rw_file_perms };

 allow rild Vcodec_device:chr_file { rw_file_perms };
 allow rild devmap_device:chr_file { r_file_perms };
 allow rild devpts:chr_file { rw_file_perms };
 allow rild ccci_device:chr_file { rw_file_perms };
 allow rild misc_device:chr_file { rw_file_perms };
 allow rild proc_lk_env:file rw_file_perms;
 allow rild sysfs_vcorefs_pwrctrl:file { w_file_perms };
 allow rild bootdevice_block_device:blk_file { rw_file_perms };
 allow rild para_block_device:blk_file { rw_file_perms };

 # Allow dir search, fd uses
 allow rild block_device:dir search;
 #allow rild platformblk_device:dir search;
 allow rild platform_app:fd use;
 allow rild radio:fd use;

 # For MAL MFI
 allow rild mal_mfi_socket:sock_file { w_file_perms };

 # For ccci sysfs node
 allow rild sysfs_ccci:dir search;
 allow rild sysfs_ccci:file r_file_perms;

 #Date : W17.18
 #Purpose: Treble SEpolicy denied clean up
 add_hwservice(hal_telephony_server, mtk_hal_rild_hwservice)
 allow hal_telephony_client mtk_hal_rild_hwservice:hwservice_manager find;

 #Date : W17.21
 #Purpose: Grant permission to access binder dev node
 vndbinder_use(rild)

 #Dat: 2017/03/27
 #Purpose: allow set telephony Sensitive property
 set_prop(rild, mtk_telephony_sensitive_prop)

 # For AGPSD
 allow rild mtk_agpsd:unix_stream_socket connectto;

 #Date 2017/10/12
 #Purpose: allow set MTU size
 allow rild toolbox_exec:file getattr;
 #allow rild toolbox_exec:file {execute read open};
 #allow rild toolbox_exec:file {execute_no_trans};
 allow rild mtk_net_ipv6_prop:property_service set;

 #Dat: 2017/10/17
 # Allow to use sysenv & persist.radio.multisim.config
 # for dynamic feature switch between ss & dsds
 allow rild sysfs:file open;
 allow rild sysfs:file read;
 allow rild usp_prop:property_service set;

 #Date: 2017/12/6
 #Purpose: allow set the RS times for /proc/sys/net/ipv6/conf/ccmniX/router_solicitations
 allow rild vendor_shell_exec:file {execute_no_trans};
 allow rild vendor_toolbox_exec:file {execute_no_trans};
	# ==============================================
	# Policy File of /vendor/bin/rild Executable File

	# ==============================================
	# Type Declaration
	# ==============================================

	# ==============================================
	# MTK Policy Rule
	# ==============================================
	# Access to wake locks
	wakelock_use(rild)
	# Trigger module auto-load.
	allow rild kernel:system module_request;

	# Capabilities assigned for rild
	allow rild self:capability { setuid net_admin net_raw };
	#allow rild self:capability dac_override;

	# Control cgroups
	allow rild cgroup:dir create_dir_perms;

	# Property service
	# allow set RIL related properties (radio./net./system./etc)
	set_prop(rild, radio_prop)
	set_prop(rild, net_radio_prop)
	set_prop(rild, system_radio_prop)
	set_prop(rild, persist_ril_prop)
	auditallow rild net_radio_prop:property_service set;
	auditallow rild system_radio_prop:property_service set;
	set_prop(rild, ril_active_md_prop)
	# allow set muxreport control properties
	set_prop(rild, ril_cdma_report_prop)
	set_prop(rild, ril_mux_report_case_prop)
	set_prop(rild, ctl_muxreport-daemon_prop)

	# Access to wake locks
	wakelock_use(rild)

	# Allow access permission to efs files
	allow rild efs_file:dir create_dir_perms;
	allow rild efs_file:file create_file_perms;
	allow rild bluetooth_efs_file:file r_file_perms;
	allow rild bluetooth_efs_file:dir r_dir_perms;

	# Allow access permission to dir/files
	# (radio data/system data/proc/etc)
	# Violate Android P rule
	#allow rild radio_data_file:dir rw_dir_perms;
	#allow rild radio_data_file:file create_file_perms;
	allow rild sdcard_type:dir r_dir_perms;
	# Violate Android P rule
	#allow rild system_data_file:dir r_dir_perms;
	#allow rild system_data_file:file r_file_perms;
	allow rild system_file:file x_file_perms;
	allow rild proc:file rw_file_perms;
	allow rild proc_net:file w_file_perms;

	# Allow rild to create and use netlink sockets.
	### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
	#allow rild self:netlink_socket create_socket_perms;
	#allow rild self:netlink_kobject_uevent_socket create_socket_perms;
	# Set and get routes directly via netlink.
	allow rild self:netlink_route_socket nlmsg_write;

	# Allow rild to create sockets.
	### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
	#allow rild self:socket create_socket_perms;

	# Allow read/write to devices/files
	allow rild alarm_device:chr_file rw_file_perms;
	allow rild radio_device:chr_file rw_file_perms;
	allow rild radio_device:blk_file r_file_perms;
	allow rild mtd_device:dir search;
	# Allow read/write to uart driver (for GPS)
	#allow rild gps_device:chr_file rw_file_perms;
	# Allow read/write to tty devices
	allow rild tty_device:chr_file rw_file_perms;
	allow rild eemcs_device:chr_file { rw_file_perms };

	allow rild Vcodec_device:chr_file { rw_file_perms };
	allow rild devmap_device:chr_file { r_file_perms };
	allow rild devpts:chr_file { rw_file_perms };
	allow rild ccci_device:chr_file { rw_file_perms };
	allow rild misc_device:chr_file { rw_file_perms };
	allow rild proc_lk_env:file rw_file_perms;
	allow rild sysfs_vcorefs_pwrctrl:file { w_file_perms };
	allow rild bootdevice_block_device:blk_file { rw_file_perms };
	allow rild para_block_device:blk_file { rw_file_perms };

	# Allow dir search, fd uses
	allow rild block_device:dir search;
	#allow rild platformblk_device:dir search;
	allow rild platform_app:fd use;
	allow rild radio:fd use;

	# For MAL MFI
	allow rild mal_mfi_socket:sock_file { w_file_perms };

	# For ccci sysfs node
	allow rild sysfs_ccci:dir search;
	allow rild sysfs_ccci:file r_file_perms;

	#Date : W17.18
	#Purpose: Treble SEpolicy denied clean up
	add_hwservice(hal_telephony_server, mtk_hal_rild_hwservice)
	allow hal_telephony_client mtk_hal_rild_hwservice:hwservice_manager find;

	#Date : W17.21
	#Purpose: Grant permission to access binder dev node
	vndbinder_use(rild)

	#Dat: 2017/03/27
	#Purpose: allow set telephony Sensitive property
	set_prop(rild, mtk_telephony_sensitive_prop)

	# For AGPSD
	allow rild mtk_agpsd:unix_stream_socket connectto;

	#Date 2017/10/12
	#Purpose: allow set MTU size
	allow rild toolbox_exec:file getattr;
	#allow rild toolbox_exec:file {execute read open};
	#allow rild toolbox_exec:file {execute_no_trans};
	allow rild mtk_net_ipv6_prop:property_service set;

	#Dat: 2017/10/17
	# Allow to use sysenv & persist.radio.multisim.config
	# for dynamic feature switch between ss & dsds
	allow rild sysfs:file open;
	allow rild sysfs:file read;
	allow rild usp_prop:property_service set;

	#Date: 2017/12/6
	#Purpose: allow set the RS times for /proc/sys/net/ipv6/conf/ccmniX/router_solicitations
	allow rild vendor_shell_exec:file {execute_no_trans};
	allow rild vendor_toolbox_exec:file {execute_no_trans};