plat_private/aee_core_forwarder.te - device/mediatek/wembley-sepolicy - Git at Google

 # ==============================================
 # Policy File of /system/bin/aee_core_forwarder Executable File

 # ==============================================
 # Type Declaration
 # ==============================================
 type aee_core_forwarder_exec, system_file_type, exec_type, file_type;
 typeattribute aee_core_forwarder coredomain;

 # ==============================================
 # MTK Policy Rule
 # ==============================================
 init_daemon_domain(aee_core_forwarder)

 #mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip
 allow aee_core_forwarder sdcard_type:dir create_dir_perms;
 allow aee_core_forwarder sdcard_type:file create_file_perms;
 allow aee_core_forwarder self:capability { fsetid setgid };

 #read STDIN_FILENO
 allow aee_core_forwarder kernel:fifo_file read;

 #read /proc/<pid>/cmdline
 allow aee_core_forwarder domain:dir r_dir_perms;
 allow aee_core_forwarder domain:file r_file_perms;

 #get wake_lock to avoid system suspend when coredump is generating
 allow aee_core_forwarder sysfs_wake_lock:file rw_file_perms;

 # Date : 2015/07/11
 # Operation : Migration
 # Purpose : for mtk debug mechanism
 allow aee_core_forwarder self:capability2 block_suspend;

 # Date : 2015/07/21
 # Operation : Migration
 # Purpose : for generating core dump on sdcard
 allow aee_core_forwarder mnt_user_file:dir search;
 allow aee_core_forwarder mnt_user_file:lnk_file read;
 allow aee_core_forwarder storage_file:dir search;
 allow aee_core_forwarder storage_file:lnk_file read;

 # Date : 2016/03/05
 # Operation : selinux waring fix
 # Purpose : avc:  denied  { search } for  pid=15909 comm="aee_core_forwar"
 #                 name="15493" dev="proc" ino=112310 scontext=u:r:aee_core_forwarder:s0
 #                 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
 dontaudit aee_core_forwarder untrusted_app:dir search;

 # Date : 2016/04/18
 # Operation : N0 Migration
 # Purpose : access for pipefs
 allow aee_core_forwarder kernel:fd use;

 # Purpose: search root dir "/"
 allow aee_core_forwarder tmpfs:dir search;
 # Purpose : read /selinux_version
 allow aee_core_forwarder rootfs:file r_file_perms;

 # Data : 2016/06/13
 # Operation : fix sys_ptrace selinux warning
 # Purpose : type=1400 audit(1420070409.080:177): avc: denied { sys_ptrace } for pid=3136
 #           comm="aee_core_forwar" capability=19 scontext=u:r:aee_core_forwarder:s0
 #           tcontext=u:r:aee_core_forwarder:s0  tclass=capability permissive=0
 dontaudit aee_core_forwarder self:capability sys_ptrace;

 # Data : 2016/06/24
 # Operation : fix media_rw_data_file access selinux warning
 # Purpose :
 # type=1400 audit(0.0:6511): avc: denied { search } for name="db.p08JgF"
 # dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
 # tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
 # type=1400 audit(0.0:6512): avc: denied { write } for name="db.p08JgF"
 # dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
 # tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
 # type=1400 audit(0.0:6513): avc: denied { add_name } for name="CURRENT.dbg"
 # scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
 # tclass=dir permissive=1
 # type=1400 audit(0.0:6514): avc: denied { create } for name="CURRENT.dbg"
 # scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
 # tclass=file permissive=1
 # type=1400 audit(0.0:6515): avc: denied { write open } for
 # path="/data/media/0/mtklog/aee_exp/temp/db.p08JgF/CURRENT.dbg" dev="dm-0"
 # ino=540952 scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
 # tclass=file permissive=1
 allow aee_core_forwarder media_rw_data_file:dir w_dir_perms;
 allow aee_core_forwarder media_rw_data_file:file { create open write };

 # Data : 2017/08/04
 # Operation : fix sys_nice selinux warning
 # Purpose : type=1400 audit(0.0:50): avc: denied { sys_nice } for capability=23
 #           scontext=u:r:aee_core_forwarder:s0 tcontext=u:r:aee_core_forwarder:s0
 #           tclass=capability permissive=0
 allow aee_core_forwarder self:capability sys_nice;

 # Purpose : allow aee_core_forwarder to access hwservicemanager_prop
 get_prop(aee_core_forwarder, hwservicemanager_prop)

 # Purpose : allow aee_core_forwarder to connect aee_aed socket
 allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
	# ==============================================
	# Policy File of /system/bin/aee_core_forwarder Executable File

	# ==============================================
	# Type Declaration
	# ==============================================
	type aee_core_forwarder_exec, system_file_type, exec_type, file_type;
	typeattribute aee_core_forwarder coredomain;

	# ==============================================
	# MTK Policy Rule
	# ==============================================
	init_daemon_domain(aee_core_forwarder)

	#mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip
	allow aee_core_forwarder sdcard_type:dir create_dir_perms;
	allow aee_core_forwarder sdcard_type:file create_file_perms;
	allow aee_core_forwarder self:capability { fsetid setgid };

	#read STDIN_FILENO
	allow aee_core_forwarder kernel:fifo_file read;

	#read /proc/<pid>/cmdline
	allow aee_core_forwarder domain:dir r_dir_perms;
	allow aee_core_forwarder domain:file r_file_perms;

	#get wake_lock to avoid system suspend when coredump is generating
	allow aee_core_forwarder sysfs_wake_lock:file rw_file_perms;

	# Date : 2015/07/11
	# Operation : Migration
	# Purpose : for mtk debug mechanism
	allow aee_core_forwarder self:capability2 block_suspend;

	# Date : 2015/07/21
	# Operation : Migration
	# Purpose : for generating core dump on sdcard
	allow aee_core_forwarder mnt_user_file:dir search;
	allow aee_core_forwarder mnt_user_file:lnk_file read;
	allow aee_core_forwarder storage_file:dir search;
	allow aee_core_forwarder storage_file:lnk_file read;

	# Date : 2016/03/05
	# Operation : selinux waring fix
	# Purpose : avc: denied { search } for pid=15909 comm="aee_core_forwar"
	# name="15493" dev="proc" ino=112310 scontext=u:r:aee_core_forwarder:s0
	# tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
	dontaudit aee_core_forwarder untrusted_app:dir search;

	# Date : 2016/04/18
	# Operation : N0 Migration
	# Purpose : access for pipefs
	allow aee_core_forwarder kernel:fd use;

	# Purpose: search root dir "/"
	allow aee_core_forwarder tmpfs:dir search;
	# Purpose : read /selinux_version
	allow aee_core_forwarder rootfs:file r_file_perms;

	# Data : 2016/06/13
	# Operation : fix sys_ptrace selinux warning
	# Purpose : type=1400 audit(1420070409.080:177): avc: denied { sys_ptrace } for pid=3136
	# comm="aee_core_forwar" capability=19 scontext=u:r:aee_core_forwarder:s0
	# tcontext=u:r:aee_core_forwarder:s0 tclass=capability permissive=0
	dontaudit aee_core_forwarder self:capability sys_ptrace;

	# Data : 2016/06/24
	# Operation : fix media_rw_data_file access selinux warning
	# Purpose :
	# type=1400 audit(0.0:6511): avc: denied { search } for name="db.p08JgF"
	# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
	# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
	# type=1400 audit(0.0:6512): avc: denied { write } for name="db.p08JgF"
	# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
	# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
	# type=1400 audit(0.0:6513): avc: denied { add_name } for name="CURRENT.dbg"
	# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
	# tclass=dir permissive=1
	# type=1400 audit(0.0:6514): avc: denied { create } for name="CURRENT.dbg"
	# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
	# tclass=file permissive=1
	# type=1400 audit(0.0:6515): avc: denied { write open } for
	# path="/data/media/0/mtklog/aee_exp/temp/db.p08JgF/CURRENT.dbg" dev="dm-0"
	# ino=540952 scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
	# tclass=file permissive=1
	allow aee_core_forwarder media_rw_data_file:dir w_dir_perms;
	allow aee_core_forwarder media_rw_data_file:file { create open write };

	# Data : 2017/08/04
	# Operation : fix sys_nice selinux warning
	# Purpose : type=1400 audit(0.0:50): avc: denied { sys_nice } for capability=23
	# scontext=u:r:aee_core_forwarder:s0 tcontext=u:r:aee_core_forwarder:s0
	# tclass=capability permissive=0
	allow aee_core_forwarder self:capability sys_nice;

	# Purpose : allow aee_core_forwarder to access hwservicemanager_prop
	get_prop(aee_core_forwarder, hwservicemanager_prop)

	# Purpose : allow aee_core_forwarder to connect aee_aed socket
	allow aee_core_forwarder aee_aed:unix_stream_socket connectto;