non_plat/dumpstate.te - device/mediatek/wembley-sepolicy - Git at Google

 # ==============================================
 # MTK Policy Rule
 # ==============================================

 # Purpose: aee_dumpstate set surfaceflinger property
 set_prop(dumpstate, debug_bq_dump_prop);

 # Purpose: access dev/aed0
 allow dumpstate aed_device:chr_file { read getattr };

 # Purpose: data/dumpsys/*
 allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
 allow dumpstate aee_dumpsys_data_file:file { create_file_perms };

 # Purpose: data/aee_exp/*
 allow dumpstate aee_exp_data_file:dir { w_dir_perms };
 allow dumpstate aee_exp_data_file:file { create_file_perms };

 # Purpose: debugfs files
 allow dumpstate debugfs:lnk_file read;
 allow dumpstate debugfs_binder:dir { read open };
 allow dumpstate debugfs_binder:file { read open };
 allow dumpstate debugfs_blockio:file { read open };
 allow dumpstate debugfs_fb:dir search;
 allow dumpstate debugfs_fb:file { read open };
 allow dumpstate debugfs_fuseio:dir search;
 allow dumpstate debugfs_fuseio:file { read open };
 allow dumpstate debugfs_ged:dir search;
 allow dumpstate debugfs_ged:file { read open };
 allow dumpstate debugfs_rcu:dir search;
 allow dumpstate debugfs_shrinker_debug:file { read open };
 allow dumpstate debugfs_wakeup_sources:file { read open };
 allow dumpstate debugfs_dmlog_debug:file { read open };
 allow dumpstate debugfs_page_owner_slim_debug:file { read open };
 allow dumpstate debugfs_ion_mm_heap:dir search;
 allow dumpstate debugfs_ion_mm_heap:file { read open };
 allow dumpstate debugfs_ion_mm_heap:lnk_file read;
 allow dumpstate debugfs_cpuhvfs:dir search;
 allow dumpstate debugfs_cpuhvfs:file { read open };
 allow dumpstate debugfs_vpu_device_dbg:file { read open };

 # Purpose: /sys/kernel/ccci/md_chn
 allow dumpstate sysfs_ccci:dir search;
 allow dumpstate sysfs_ccci:file { read open };

 # Purpose: leds status
 allow dumpstate sysfs_leds:lnk_file read;

 # Purpose: /sys/module/lowmemorykiller/parameters/adj
 allow dumpstate sysfs_lowmemorykiller:file { read open };
 allow dumpstate sysfs_lowmemorykiller:dir search;

 # Purpose: /dev/block/mmcblk0p10
 allow dumpstate expdb_block_device:blk_file { read write ioctl open };

 #/data/anr/SF_RTT
 allow dumpstate sf_rtt_file:dir search;
 allow dumpstate sf_rtt_file:file r_file_perms;

 # Data : 2017/03/22
 # Operation : add fd use selinux rule
 # Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
 #           dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
 #           tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
 allow dumpstate aee_aed:fd use;
 allow dumpstate aee_aed:unix_stream_socket { read write ioctl };

 # private define
 # allow dumpstate config_gz:file read;

 allow dumpstate sysfs_leds:dir r_dir_perms;

 # Purpose: 01-01 08:30:57.260  3070  3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
 # { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
 # sf_bqdump_data_file:s0 tclass=dir permissive=0
 allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
 allow dumpstate sf_bqdump_data_file:file r_file_perms;

 # Purpose:
 # 01-01 17:59:14.440  7664  7664 I aee_dumpstate: type=1400 audit(0.0:63497):
 # avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
 # "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
 # tracing_shell_writable:s0 tclass=file permissive=1
 allow dumpstate debugfs_tracing:file { write read open };

 # Data : WK17.03
 # Purpose: Allow to access gpu
 allow dumpstate gpu_device:dir search;

 # Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
 allow dumpstate mtk_hal_camera:binder { call };

 # Purpose: Allow aee_dumpstate to read /proc/slabinfo
 allow dumpstate proc_slabinfo:file r_file_perms;

 # Purpose: Allow aee_dumpstate to read /proc/zraminfo
 allow dumpstate proc_zraminfo:file r_file_perms;

 # Purpose: Allow aee_dumpstate to read /proc/gpulog
 allow dumpstate proc_gpulog:file r_file_perms;

 # Purpose: Allow aee_dumpstate to read /proc/sched_debug
 allow dumpstate proc_sched_debug:file r_file_perms;

 # Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
 allow dumpstate proc_chip:file r_file_perms;

 # Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
 allow dumpstate sysfs_vibrator_setting:file write;

 # Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
 allow dumpstate debugfs_rcu:file r_file_perms;

 # Purpose: Allow dumpstate to read /proc/msdc_debug
 allow dumpstate proc_msdc_debug:file r_file_perms;

 # Purpose: Allow dumpstate to r/w /proc/pidmap
 allow dumpstate proc_pidmap:file rw_file_perms;

 # Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
 allow dumpstate sysfs_vcore_debug:file r_file_perms;

 # Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
 allow dumpstate sf_rtt_file:file r_file_perms;

 #Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
 allow dumpstate proc_slabtrace:file r_file_perms;

 #Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
 allow dumpstate proc_cmdq_debug:file r_file_perms;

 #Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
 allow dumpstate proc_dbg_repo:file r_file_perms;
	# ==============================================
	# MTK Policy Rule
	# ==============================================

	# Purpose: aee_dumpstate set surfaceflinger property
	set_prop(dumpstate, debug_bq_dump_prop);

	# Purpose: access dev/aed0
	allow dumpstate aed_device:chr_file { read getattr };

	# Purpose: data/dumpsys/*
	allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
	allow dumpstate aee_dumpsys_data_file:file { create_file_perms };

	# Purpose: data/aee_exp/*
	allow dumpstate aee_exp_data_file:dir { w_dir_perms };
	allow dumpstate aee_exp_data_file:file { create_file_perms };

	# Purpose: debugfs files
	allow dumpstate debugfs:lnk_file read;
	allow dumpstate debugfs_binder:dir { read open };
	allow dumpstate debugfs_binder:file { read open };
	allow dumpstate debugfs_blockio:file { read open };
	allow dumpstate debugfs_fb:dir search;
	allow dumpstate debugfs_fb:file { read open };
	allow dumpstate debugfs_fuseio:dir search;
	allow dumpstate debugfs_fuseio:file { read open };
	allow dumpstate debugfs_ged:dir search;
	allow dumpstate debugfs_ged:file { read open };
	allow dumpstate debugfs_rcu:dir search;
	allow dumpstate debugfs_shrinker_debug:file { read open };
	allow dumpstate debugfs_wakeup_sources:file { read open };
	allow dumpstate debugfs_dmlog_debug:file { read open };
	allow dumpstate debugfs_page_owner_slim_debug:file { read open };
	allow dumpstate debugfs_ion_mm_heap:dir search;
	allow dumpstate debugfs_ion_mm_heap:file { read open };
	allow dumpstate debugfs_ion_mm_heap:lnk_file read;
	allow dumpstate debugfs_cpuhvfs:dir search;
	allow dumpstate debugfs_cpuhvfs:file { read open };
	allow dumpstate debugfs_vpu_device_dbg:file { read open };

	# Purpose: /sys/kernel/ccci/md_chn
	allow dumpstate sysfs_ccci:dir search;
	allow dumpstate sysfs_ccci:file { read open };

	# Purpose: leds status
	allow dumpstate sysfs_leds:lnk_file read;

	# Purpose: /sys/module/lowmemorykiller/parameters/adj
	allow dumpstate sysfs_lowmemorykiller:file { read open };
	allow dumpstate sysfs_lowmemorykiller:dir search;

	# Purpose: /dev/block/mmcblk0p10
	allow dumpstate expdb_block_device:blk_file { read write ioctl open };

	#/data/anr/SF_RTT
	allow dumpstate sf_rtt_file:dir search;
	allow dumpstate sf_rtt_file:file r_file_perms;

	# Data : 2017/03/22
	# Operation : add fd use selinux rule
	# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
	# dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
	# tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
	allow dumpstate aee_aed:fd use;
	allow dumpstate aee_aed:unix_stream_socket { read write ioctl };

	# private define
	# allow dumpstate config_gz:file read;

	allow dumpstate sysfs_leds:dir r_dir_perms;

	# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
	# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
	# sf_bqdump_data_file:s0 tclass=dir permissive=0
	allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
	allow dumpstate sf_bqdump_data_file:file r_file_perms;

	# Purpose:
	# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
	# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
	# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
	# tracing_shell_writable:s0 tclass=file permissive=1
	allow dumpstate debugfs_tracing:file { write read open };

	# Data : WK17.03
	# Purpose: Allow to access gpu
	allow dumpstate gpu_device:dir search;

	# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
	allow dumpstate mtk_hal_camera:binder { call };

	# Purpose: Allow aee_dumpstate to read /proc/slabinfo
	allow dumpstate proc_slabinfo:file r_file_perms;

	# Purpose: Allow aee_dumpstate to read /proc/zraminfo
	allow dumpstate proc_zraminfo:file r_file_perms;

	# Purpose: Allow aee_dumpstate to read /proc/gpulog
	allow dumpstate proc_gpulog:file r_file_perms;

	# Purpose: Allow aee_dumpstate to read /proc/sched_debug
	allow dumpstate proc_sched_debug:file r_file_perms;

	# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
	allow dumpstate proc_chip:file r_file_perms;

	# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
	allow dumpstate sysfs_vibrator_setting:file write;

	# Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
	allow dumpstate debugfs_rcu:file r_file_perms;

	# Purpose: Allow dumpstate to read /proc/msdc_debug
	allow dumpstate proc_msdc_debug:file r_file_perms;

	# Purpose: Allow dumpstate to r/w /proc/pidmap
	allow dumpstate proc_pidmap:file rw_file_perms;

	# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
	allow dumpstate sysfs_vcore_debug:file r_file_perms;

	# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
	allow dumpstate sf_rtt_file:file r_file_perms;

	#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
	allow dumpstate proc_slabtrace:file r_file_perms;

	#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
	allow dumpstate proc_cmdq_debug:file r_file_perms;

	#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
	allow dumpstate proc_dbg_repo:file r_file_perms;