Automated merge of MTK Keystone code for 2020_03_30 am: 02567000bb am: 1a824b3844

Change-Id: I206c31dedd6ee53bc8555b9932a58caf383ab2ee
diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te
index 1231a55..e5d7aad 100644
--- a/non_plat/aee_aedv.te
+++ b/non_plat/aee_aedv.te
@@ -435,3 +435,5 @@
 
 # Purpose: Allow aee_aedv to write /proc/sys/vm/drop_caches
 allow aee_aedv proc_drop_caches:file rw_file_perms;
+
+allow aee_aedv proc_wmt_aee:file r_file_perms;
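Review bot: The added rule `allow aee_aedv proc_wmt_aee:file r_file_perms;` has no purpose comment, unlike the drop_caches rule directly above it. I would add `# Purpose: Allow aee_aedv to read /proc/driver/wmt_aee` (path taken from the genfs_contexts hunk of this commit). The `proc_wmt_aee` type declaration in file.te and its genfscon entry are uncommented as well, so a later audit cannot tell what the node exposes or why the vendor AEE daemon needs it.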
diff --git a/non_plat/aee_core_forwarder.te b/non_plat/aee_core_forwarder.te
index 43e97fe..2619bf6 100644
--- a/non_plat/aee_core_forwarder.te
+++ b/non_plat/aee_core_forwarder.te
@@ -5,14 +5,14 @@
 # MTK Policy Rule
 # ==============================================
 
-allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
-allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
+allow aee_core_forwarder aee_exp_data_file:dir rw_dir_perms;
+allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
 get_prop(aee_core_forwarder, hwservicemanager_prop)
 
 # Date: 2019/06/14
 # Operation : Migration
 # Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
 wakelock_use(aee_core_forwarder)
-allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
+allow aee_core_forwarder crash_dump:unix_stream_socket connectto;
 allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
 hwbinder_use(aee_core_forwarder)
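Review bot: Replacing the explicit permission sets with `rw_dir_perms` and `create_file_perms` widens what aee_core_forwarder can do on `aee_exp_data_file`, and nothing in the hunk says why. The old rules let it only add and write new files; the macros additionally grant directory `read`/`remove_name` and file `read`/`rename`/`setattr`/`unlink`, so the forwarder could now read, rename or delete existing crash reports. If it only needs to drop new core files, I would keep the explicit sets and add just the permissions an observed denial calls for, with that denial quoted in a comment. The file.te hunk of this commit also marks the same type `mlstrustedobject`, which makes the wider grant more significant.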
diff --git a/non_plat/aee_hidl.te b/non_plat/aee_hidl.te
index 347cbdc..5bc639b 100644
--- a/non_plat/aee_hidl.te
+++ b/non_plat/aee_hidl.te
@@ -5,7 +5,7 @@
 type aee_hal_exec, exec_type, file_type, vendor_file_type;
 typeattribute aee_hal mlstrustedsubject;
 # Purpose : for create hidl server
-hal_server_domain(aee_hal, mtk_hal_log)
+hal_server_domain(aee_hal, mtk_hal_aee)
 # ==============================================
 # MTK Policy Rule
 # ==============================================
diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te
index af1e683..e55c5a8 100644
--- a/non_plat/atci_service.te
+++ b/non_plat/atci_service.te
@@ -114,10 +114,7 @@
 allow atci_service sysfs_batteryinfo:file { read getattr open };
 allow atci_service system_file:dir { read open };
 allow atci_service camera_pipemgr_device:chr_file { read ioctl open };
-#allow atci_service media_rw_data_file:dir { read getattr open };
-#allow atci_service media_rw_data_file:file { getattr setattr };
 allow atci_service mtkcam_prop:file { read getattr open };
-#allow atci_service hal_camera_hwservice:hwservice_manager find;
 allow atci_service mtk_hal_camera:binder call;
 allow atci_service debugfs_ion:dir search;
 allow atci_service sysfs_tpd_setting:file { read write open getattr };
diff --git a/non_plat/attributes b/non_plat/attributes
index e00aa73..3c2632a 100644
--- a/non_plat/attributes
+++ b/non_plat/attributes
@@ -52,12 +52,6 @@
 attribute mtk_hal_log_client;
 attribute mtk_hal_log_server;
 
-# Date: 2018/06/26
-# em hidl
-attribute mtk_hal_em;
-attribute mtk_hal_em_client;
-attribute mtk_hal_em_server;
-
 # Date: 2018/07/02
 # MDP HIDL
 attribute hal_mms;
@@ -87,4 +81,6 @@
 attribute mtk_hal_bgs_client;
 attribute mtk_hal_bgs_server;
 
-
+attribute mtk_hal_aee;
+attribute mtk_hal_aee_client;
+attribute mtk_hal_aee_server;
diff --git a/non_plat/audioserver.te b/non_plat/audioserver.te
index e4451c8..71f7b4f 100644
--- a/non_plat/audioserver.te
+++ b/non_plat/audioserver.te
@@ -50,7 +50,7 @@
 
 # Date : WK16.48
 # Purpose: Allow to trigger AEE dump
-allow audioserver aee_aed:unix_stream_socket connectto;
+allow audioserver crash_dump:unix_stream_socket connectto;
 
 # Date: 2019/06/14
 # Operation : Migration
diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te
index 318cf2e..428afa0 100644
--- a/non_plat/cameraserver.te
+++ b/non_plat/cameraserver.te
@@ -28,22 +28,6 @@
 # -----------------------------------
 allow cameraserver mtkcam_prop:file { open read getattr };
 
-# Date : WK14.31
-# Operation : Migration
-# Purpose : camera devices access.
-# allow cameraserver camera_isp_device:chr_file rw_file_perms;
-# allow cameraserver ccu_device:chr_file rw_file_perms;
-# allow cameraserver vpu_device:chr_file rw_file_perms;
-# allow cameraserver kd_camera_hw_device:chr_file rw_file_perms;
-# allow cameraserver seninf_device:chr_file rw_file_perms;
-# allow cameraserver self:capability { setuid ipc_lock sys_nice };
-# allow cameraserver sysfs_wake_lock:file rw_file_perms;
-# allow cameraserver MTK_SMI_device:chr_file r_file_perms;
-# allow cameraserver camera_pipemgr_device:chr_file r_file_perms;
-# allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
-# allow cameraserver lens_device:chr_file rw_file_perms;
-# allow cameraserver nvdata_file:lnk_file read;
-
 # Date : WK14.34
 # Operation : Migration
 # Purpose : nvram access (dumchar case for nand and legacy chip)
diff --git a/non_plat/crash_dump.te b/non_plat/crash_dump.te
new file mode 100644
index 0000000..3dda418
--- /dev/null
+++ b/non_plat/crash_dump.te
@@ -0,0 +1,73 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+allow crash_dump aee_exp_data_file:file rw_file_perms;
+allow crash_dump aee_exp_data_file:dir r_dir_perms;
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow crash_dump aed_device:chr_file rw_file_perms;
+allow crash_dump expdb_device:chr_file rw_file_perms;
+allow crash_dump expdb_block_device:blk_file rw_file_perms;
+allow crash_dump etb_device:chr_file rw_file_perms;
+
+# open/dev/mtd/mtd12 failed(expdb)
+allow crash_dump mtd_device:dir create_dir_perms;
+allow crash_dump mtd_device:chr_file rw_file_perms;
+
+# NE flow: /dev/RT_Monitor
+allow crash_dump RT_Monitor_device:chr_file r_file_perms;
+
+#data/aee_exp
+allow crash_dump aee_exp_data_file:dir create_dir_perms;
+allow crash_dump aee_exp_data_file:file create_file_perms;
+
+#data/dumpsys
+allow crash_dump aee_dumpsys_data_file:dir create_dir_perms;
+allow crash_dump aee_dumpsys_data_file:file create_file_perms;
+
+#/data/core
+allow crash_dump aee_core_data_file:dir create_dir_perms;
+allow crash_dump aee_core_data_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow crash_dump data_tmpfs_log_file:dir create_dir_perms;
+allow crash_dump data_tmpfs_log_file:file create_file_perms;
+
+# Purpose: crash_dump set property
+set_prop(crash_dump, persist_mtk_aee_prop);
+set_prop(crash_dump, persist_aee_prop);
+set_prop(crash_dump, debug_mtk_aee_prop);
+
+# /proc/lk_env
+allow crash_dump proc_lk_env:file rw_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/pid/exe
+#allow crash_dump exec_type:file r_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/cpu/alignment
+allow crash_dump proc_cpu_alignment:file { write open };
+
+# Purpose: Allow crash_dump to access /sys/devices/virtual/timed_output/vibrator/enable
+allow crash_dump sysfs_vibrator_setting:dir search;
+allow crash_dump sysfs_vibrator_setting:file w_file_perms;
+allow crash_dump sysfs_vibrator:dir search;
+allow crash_dump sysfs_leds:dir search;
+
+# Purpose: Allow crash_dump to read /proc/kpageflags
+allow crash_dump proc_kpageflags:file r_file_perms;
+
+# temp solution
+get_prop(crash_dump, vendor_default_prop)
+
+hal_client_domain(crash_dump, mtk_hal_aee)
+
+# Purpose: create /data/aee_exp at runtime
+allow crash_dump file_contexts_file:file r_file_perms;
+allow crash_dump aee_exp_data_file:dir relabelto;
+
+allow crash_dump proc_ppm:dir r_dir_perms;
+allow crash_dump proc_ppm:file rw_file_perms;
+allow crash_dump selinuxfs:file r_file_perms;
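Review bot: Several rules in this new file grant more than the comment next to them justifies. `allow crash_dump mtd_device:dir create_dir_perms;` sits under a note about a failed open of /dev/mtd/mtd12, which would normally need only `allow crash_dump mtd_device:dir search;`, and the rule commented "read /proc/cpu/alignment" grants `{ write open }` with no read, so either the comment or the rule is wrong. The two `aee_exp_data_file` rules at the top are fully covered by the later `create_dir_perms`/`create_file_perms` pair and can be dropped. The `relabelto` on `aee_exp_data_file`, the `rw_file_perms` on `expdb_block_device:blk_file` and the uncommented `proc_ppm`/`selinuxfs` rules deserve a purpose line each, since crash_dump handles data from arbitrary crashing processes. The three `set_prop(...)` calls end in `;` while `get_prop` and `hal_client_domain` in the same file do not; dropping the semicolons keeps the macro calls consistent.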
diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te
index 01343a5..badbe56 100644
--- a/non_plat/dumpstate.te
+++ b/non_plat/dumpstate.te
@@ -60,8 +60,8 @@
 # Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
 #           dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
 #           tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
-allow dumpstate aee_aed:fd use;
-allow dumpstate aee_aed:unix_stream_socket { read write ioctl };
+allow dumpstate crash_dump:fd use;
+allow dumpstate crash_dump:unix_stream_socket { read write ioctl connectto };
 
 # private define
 # allow dumpstate config_gz:file read;
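Review bot: The new socket rule adds `connectto` on top of the retargeting to crash_dump, but the denial quoted above covers only `fd use`, so the extra permission is undocumented. I would put it on its own line, `allow dumpstate crash_dump:unix_stream_socket connectto;`, under a purpose comment or the denial that motivated it. The quoted denial still shows `tcontext=u:r:aee_aed:s0`, which no longer matches the rule's target. The denial comments in the emdlogger.te and mdlogger.te hunks have the same mismatch (they name `aee_aed_socket`) and should be refreshed too.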
@@ -178,4 +178,7 @@
 # 09-05 15:58:31.552000  9693  9693 W df      : type=1400 audit(0.0:990):
 # avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
 # tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
-allow dumpstate mnt_expand_file:dir search;
+allow dumpstate mnt_expand_file:dir { search getattr };
+
+#Purpose: Allow dumpstate to read /dev/usb-ffs
+allow dumpstate functionfs:file { getattr };
diff --git a/non_plat/emdlogger.te b/non_plat/emdlogger.te
index a026832..58cc8ca 100644
--- a/non_plat/emdlogger.te
+++ b/non_plat/emdlogger.te
@@ -75,7 +75,7 @@
 #avc: denied { connectto } for path=006165653A72747464 scontext=u:r:emdlogger:s0
 #tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
 #security issue control
-allow emdlogger aee_aed:unix_stream_socket connectto;
+allow emdlogger crash_dump:unix_stream_socket connectto;
 
 # For dynamic CCB buffer feature
 #avc: denied { read write } for name="lk_env" dev="proc" ino=4026532192
diff --git a/non_plat/file.te b/non_plat/file.te
index 5c12bb3..62bdd7e 100644
--- a/non_plat/file.te
+++ b/non_plat/file.te
@@ -128,7 +128,7 @@
 type aee_core_vendor_file, file_type, data_file_type;
 
 # AEE exp
-type aee_exp_data_file, file_type, data_file_type, core_data_file_type;
+type aee_exp_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type aee_exp_vendor_file, file_type, data_file_type;
 type aee_dumpsys_data_file, file_type, data_file_type, core_data_file_type;
 type aee_dumpsys_vendor_file, file_type, data_file_type;
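Review bot: Adding `mlstrustedobject` to `aee_exp_data_file` exempts everything under that label from MLS checks, and the line carries no comment saying which subject needs that. With the attribute set, separation of crash reports between levels rests entirely on the type-enforcement allow rules for this type, several of which are widened elsewhere in this commit. I would add a comment above the declaration naming the writer that requires the exemption, for example `# mlstrustedobject: needed so <domain> at a non-s0 level can write AEE reports`, with the domain filled in by the author. It is also worth confirming that no app-facing domain holds write access to this type.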
@@ -442,3 +442,11 @@
 # Date : 2019/12/12
 # Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
 type sysfs_concurrency_scenario, fs_type, sysfs_type;
+
+type proc_wmt_aee, fs_type, proc_type;
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+type sysfs_meta_info, fs_type, sysfs_type;
+
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index c17da3a..051b949 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -537,6 +537,7 @@
 /(system\/vendor|vendor)/bin/slpd u:object_r:slpd_exec:s0
 /(system\/vendor|vendor)/bin/thermal_manager u:object_r:thermal_manager_exec:s0
 /(system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mtk  u:object_r:hal_thermal_default_exec:s0
 /(system\/vendor|vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0
 /(system\/vendor|vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0
 /(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
@@ -642,7 +643,7 @@
 
 /vendor/lib(64)?/libtflite_mtk.so u:object_r:same_process_hal_file:s0
 
-/vendor/bin/hw/vendor\.mediatek\.hardware\.log@1\.0-service u:object_r:aee_hal_exec:s0
+/vendor/bin/hw/vendor\.mediatek\.hardware\.aee@1\.0-service u:object_r:aee_hal_exec:s0
 
 /vendor/bin/loghidlvendorservice u:object_r:loghidlvendorservice_exec:s0
 
diff --git a/non_plat/genfs_contexts b/non_plat/genfs_contexts
index 86453af..1d11eb3 100644
--- a/non_plat/genfs_contexts
+++ b/non_plat/genfs_contexts
@@ -64,6 +64,8 @@
 # Purpose: Android Migration for SVP
 genfscon proc /m4u u:object_r:proc_m4u:s0
 
+genfscon proc /driver/wmt_aee u:object_r:proc_wmt_aee:s0
+
 
 #############################
 # sysfs files
@@ -88,9 +90,12 @@
 genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_express:s0
 genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0
 genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/mt6370_pmu_charger/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/mt-rtc/rtc    u:object_r:sysfs_rtc:s0
 genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
 genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/rtc u:object_r:sysfs_rtc:s0
 genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0
 genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0
 genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0
@@ -279,3 +284,9 @@
 # Date : 2019/12/12
 # Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
 genfscon sysfs /bus/platform/drivers/mem_bw_ctrl/concurrency_scenario u:object_r:sysfs_concurrency_scenario:s0
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+genfscon sysfs /firmware/devicetree/base/chosen/atag,meta u:object_r:sysfs_meta_info:s0
+
diff --git a/non_plat/hal_thermal_default.te b/non_plat/hal_thermal_default.te
index 2a648fb..50e069c 100644
--- a/non_plat/hal_thermal_default.te
+++ b/non_plat/hal_thermal_default.te
@@ -6,3 +6,11 @@
 allow hal_thermal_default proc_mtktz:dir search;
 allow hal_thermal_default proc_mtktz:file {open read getattr};
 allow hal_thermal_default proc_stat:file {open read getattr };
+
+#for uevent handle
+allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+#for thermal sysfs
+allow hal_thermal_default sysfs_therm:file w_file_perms;
+allow hal_thermal_default sysfs_therm:file r_file_perms;
+allow hal_thermal_default sysfs_therm:dir search;
\ No newline at end of file
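Review bot: The two `sysfs_therm:file` rules can be written as one, `allow hal_thermal_default sysfs_therm:file rw_file_perms;`, which is the usual spelling for combined read and write access. The file also now ends without a trailing newline (see the `\ No newline at end of file` marker); adding one avoids a problem if another rule is later appended or the file is concatenated with others at build time. The comment `#for thermal sysfs` could say which node is written and why, since write access to thermal controls is worth being able to audit.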
diff --git a/non_plat/hwservice.te b/non_plat/hwservice.te
index 6a7304a..88933c8 100644
--- a/non_plat/hwservice.te
+++ b/non_plat/hwservice.te
@@ -61,3 +61,5 @@
 # Date: 2019/09/06
 # BGService HIDL
 type mtk_hal_bgs_hwservice, hwservice_manager_type;
+
+type mtk_hal_aee_hwservice, hwservice_manager_type;
diff --git a/non_plat/hwservice_contexts b/non_plat/hwservice_contexts
index 614e502..f91c880 100644
--- a/non_plat/hwservice_contexts
+++ b/non_plat/hwservice_contexts
@@ -75,3 +75,5 @@
 #Date: 2019/09/02
 # ATMs hidl
 vendor.mediatek.hardware.camera.atms::IATMs u:object_r:hal_camera_hwservice:s0
+
+vendor.mediatek.hardware.aee::IAee u:object_r:mtk_hal_aee_hwservice:s0
diff --git a/non_plat/mdlogger.te b/non_plat/mdlogger.te
index 4d3cf3e..55f524a 100644
--- a/non_plat/mdlogger.te
+++ b/non_plat/mdlogger.te
@@ -42,7 +42,7 @@
 #avc: denied { connectto } for path=006165653A72747464 scontext=u:r:mdlogger:s0
 #tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
 #security issue control
-allow mdlogger aee_aed:unix_stream_socket connectto;
+allow mdlogger crash_dump:unix_stream_socket connectto;
 
 ## purpose: avc: denied { read } for name="plat_file_contexts"
 allow emdlogger file_contexts_file:file { read getattr open};
diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te
index ead7145..4ebfcbc 100644
--- a/non_plat/meta_tst.te
+++ b/non_plat/meta_tst.te
@@ -417,3 +417,10 @@
 # Operation: P migration
 # Purpose : audio scp recovery
 allow meta_tst audio_scp_device:chr_file r_file_perms;
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+allow meta_tst sysfs_boot_info:file r_file_perms;
+allow meta_tst proc_bootprof:file getattr;
+allow meta_tst sysfs_meta_info:file r_file_perms;
diff --git a/non_plat/mobile_log_d.te b/non_plat/mobile_log_d.te
index 0caa870..36bbf63 100644
--- a/non_plat/mobile_log_d.te
+++ b/non_plat/mobile_log_d.te
@@ -43,7 +43,7 @@
 
 # Date: 2016/11/11
 # purpose: allow MobileLog to access aee socket
-allow mobile_log_d aee_aed:unix_stream_socket connectto;
+allow mobile_log_d crash_dump:unix_stream_socket connectto;
 
 # purpose: send log to com port
 allow mobile_log_d ttyGS_device:chr_file { read write ioctl open };
diff --git a/non_plat/mtk_hal_aee.te b/non_plat/mtk_hal_aee.te
new file mode 100644
index 0000000..9cbc548
--- /dev/null
+++ b/non_plat/mtk_hal_aee.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_aee_client, mtk_hal_aee_server)
+binder_call(mtk_hal_aee_server, mtk_hal_aee_client)
+
+add_hwservice(mtk_hal_aee_server, mtk_hal_aee_hwservice)
+allow mtk_hal_aee_client mtk_hal_aee_hwservice:hwservice_manager find;
diff --git a/non_plat/property.te b/non_plat/property.te
index 3abf8df..5a920c3 100644
--- a/non_plat/property.te
+++ b/non_plat/property.te
@@ -2,323 +2,252 @@
 # MTK Policy Rule
 # ==============================================
 
-# MTK properties, allow all system/vendor processes to read.
-type mtk_default_prop, property_type, mtk_core_property_type;
+# system_internal_prop      -- Properties used only in /system
+# system_restricted_prop    -- Properties which can't be written outside system
+# system_public_prop        -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop      -- Properties used only in /vendor
+# vendor_restricted_prop    -- Properties which can't be written outside vendor
+# vendor_public_prop        -- Properties with no restrictions
 
-# Date: W14.32
-# Operation: Migration
-# Purpose: don't allow to use default_prop
-### TBD
-#neverallow { domain -init } default_prop:property_service set;
-#neverallow { domain -init -system_server -recovery -system_app} ctl_default_prop:property_service set;
+# Properties used only in /vendor
+vendor_internal_prop(ctl_gsm0710muxd_prop)
+vendor_internal_prop(ctl_gsm0710muxd-s_prop)
+vendor_internal_prop(ctl_gsm0710muxd-d_prop)
+vendor_internal_prop(ctl_viarild_prop)
+vendor_internal_prop(ctl_ril-daemon-mtk_prop)
+vendor_internal_prop(ctl_fusion_ril_mtk_prop)
+vendor_internal_prop(ctl_ril-daemon-s_prop)
+vendor_internal_prop(ctl_ril-daemon-d_prop)
+vendor_internal_prop(ctl_ril-proxy_prop)
+vendor_internal_prop(ctl_ccci_fsd_prop)
+vendor_internal_prop(ctl_ccci2_fsd_prop)
+vendor_internal_prop(ctl_ccci3_fsd_prop)
+vendor_internal_prop(ctl_muxreport-daemon_prop)
+vendor_internal_prop(ctl_emcsmdlogger_prop)
+vendor_internal_prop(ctl_eemcs_fsd_prop)
+vendor_internal_prop(mtk_powerhal_prop)
+vendor_internal_prop(mtk_wfc_serv_prop)
+vendor_internal_prop(ctl_mdlogger_prop)
+vendor_internal_prop(ctl_emdlogger1_prop)
+vendor_internal_prop(ctl_emdlogger2_prop)
+vendor_internal_prop(ctl_emdlogger3_prop)
+vendor_internal_prop(ctl_dualmdlogger_prop)
+vendor_internal_prop(init_svc_emdlogger1_prop)
+vendor_internal_prop(init_svc_aee_aedv_prop)
 
-#=============allow ccci_mdinit to start gsm0710muxd==============
-type ctl_gsm0710muxd_prop, property_type;
-type ctl_gsm0710muxd-s_prop, property_type;
-type ctl_gsm0710muxd-d_prop, property_type;
+# Properties which can't be written outside vendor
+vendor_restricted_prop(mtk_nn_option_prop)
+vendor_restricted_prop(mtk_volte_prop)
+vendor_restricted_prop(mtk_cxp_vendor_prop)
+vendor_restricted_prop(mtk_antutu_prop)
+vendor_restricted_prop(mtk_ss_vendor_prop)
+vendor_restricted_prop(atm_ipaddr_prop)
+vendor_restricted_prop(mtkcam_prop)
+vendor_restricted_prop(graphics_hwc_hdr_prop)
+vendor_restricted_prop(graphics_hwc_latch_unsignaled_prop)
+vendor_restricted_prop(graphics_hwc_pid_prop)
+vendor_restricted_prop(mtk_thermal_config_prop)
+vendor_restricted_prop(mtk_telephony_sensitive_prop)
+vendor_restricted_prop(meta_connecttype_prop)
+vendor_restricted_prop(mtk_debug_md_reset_prop)
+vendor_restricted_prop(wmt_prop)
+vendor_restricted_prop(ril_active_md_prop)
+vendor_restricted_prop(vendor_usb_prop)
+vendor_restricted_prop(tel_switch_prop)
+vendor_restricted_prop(mtk_nvram_ready_prop)
+vendor_restricted_prop(mtk_wifi_hotspot_prop)
+vendor_restricted_prop(mtk_hdmi_prop)
+vendor_restricted_prop(mtk_default_prop)
+vendor_restricted_prop(vendor_ril_ipo_prop)
+vendor_restricted_prop(gsm0710muxd_prop)
+vendor_restricted_prop(mtk_wifi_prop)
+vendor_restricted_prop(persist_mtk_aeev_prop)
+vendor_restricted_prop(persist_aeev_prop)
+vendor_restricted_prop(debug_mtk_aeev_prop)
+vendor_restricted_prop(ro_mtk_aee_prop)
+vendor_restricted_prop(ril_mux_report_case_prop)
+vendor_restricted_prop(ril_cdma_report_prop)
+vendor_restricted_prop(mtk_md_prop)
+vendor_restricted_prop(mnld_prop)
+vendor_restricted_prop(audiohal_prop)
+vendor_restricted_prop(coredump_prop)
+vendor_restricted_prop(net_cdma_mdmstat)
+vendor_restricted_prop(persist_bt_prop)
+vendor_restricted_prop(vendor_factory_idle_state_prop)
+vendor_restricted_prop(service_nvram_init_prop)
+vendor_restricted_prop(wifi_5g_prop)
+vendor_restricted_prop(mtk_em_prop)
+vendor_restricted_prop(mediatek_prop)
+vendor_restricted_prop(mtk_em_hidl_prop)
+vendor_restricted_prop(mtk_operator_id_prop)
+vendor_restricted_prop(mtk_simswitch_emmode_prop)
+vendor_restricted_prop(mtk_dsbp_support_prop)
+vendor_restricted_prop(mtk_imstestmode_prop)
+vendor_restricted_prop(mtk_smsformat_prop)
+vendor_restricted_prop(mtk_gprs_prefer_prop)
+vendor_restricted_prop(mtk_testsim_cardtype_prop)
+vendor_restricted_prop(mtk_ct_ir_engmode_prop)
+vendor_restricted_prop(mtk_disable_c2k_cap_prop)
+vendor_restricted_prop(mtk_omx_log_prop)
+vendor_restricted_prop(mtk_vdec_log_prop)
+vendor_restricted_prop(mtk_vdectlc_log_prop)
+vendor_restricted_prop(mtk_venc_h264_showlog_prop)
+vendor_restricted_prop(mtk_modem_warning_prop)
+vendor_restricted_prop(ctl_mobile_log_d_prop)
+vendor_restricted_prop(ctl_mnld_prop)
+vendor_restricted_prop(ctl_mobicore_prop)
+vendor_restricted_prop(atm_mdmode_prop)
+vendor_restricted_prop(vendor_radio_prop)
+vendor_restricted_prop(mtk_ct_volte_prop)
+vendor_restricted_prop(mtk_ril_mode_prop)
+vendor_restricted_prop(mtk_gps_support_prop)
+vendor_restricted_prop(mtk_rat_config_prop)
+vendor_restricted_prop(mtk_aal_ro_prop)
+vendor_restricted_prop(mtk_pq_ro_prop)
+vendor_restricted_prop(mtk_pq_prop)
+vendor_restricted_prop(mtk_emmc_support_prop)
+vendor_restricted_prop(vendor_em_usb_prop)
+vendor_restricted_prop(vendor_usb_otg_switch)
+vendor_restricted_prop(mtk_anr_support_prop)
+vendor_restricted_prop(mtk_appresolutiontuner_prop)
+vendor_restricted_prop(mtk_fullscreenswitch_prop)
+vendor_restricted_prop(mtk_malloc_debug_backtrace_prop)
+vendor_restricted_prop(mtk_voicerecgnize_prop)
+vendor_restricted_prop(persist_service_atci_prop)
+vendor_restricted_prop(mtk_atci_prop)
+vendor_restricted_prop(mtk_net_ipv6_prop)
+vendor_restricted_prop(usp_prop)
+vendor_restricted_prop(mtk_md_version_prop)
+vendor_restricted_prop(mtk_bt_sap_enable_prop)
 
-#=============allow viarild to start property==============
-type ctl_viarild_prop, property_type;
-#=============allow mtkrild to set persist.ril property==============
-type vendor_ril_ipo_prop, property_type, mtk_core_property_type;
+# Properties used only in /system
+system_internal_prop(debug_mtklog_prop)
+system_internal_prop(persist_mtklog_prop)
+system_internal_prop(debug_netlog_prop)
+system_internal_prop(debug_mdlogger_prop)
+system_internal_prop(vendor_mdl_prop)
+system_internal_prop(vendor_mdl_start_prop)
+system_internal_prop(persist_mdlog_prop)
+system_internal_prop(vendor_mdl_pulllog_prop)
+system_internal_prop(persist_aee_prop)
+system_internal_prop(debug_mtk_aee_prop)
+system_internal_prop(debug_bq_dump_prop)
+system_internal_prop(bootani_prop)
+system_internal_prop(mobile_log_prop)
+system_internal_prop(mtk_em_sys_prop)
+system_internal_prop(mtk_em_net_auto_tethering_prop)
+system_internal_prop(mtk_bgdata_disabled)
+system_internal_prop(mtk_telecom_vibrate)
+system_internal_prop(mtk_gprs_attach_type)
+system_internal_prop(mtk_power_off_md_type)
+system_internal_prop(vendor_connsysfw_prop)
+system_internal_prop(vendor_bluetooth_prop)
+system_internal_prop(vendor_sim_system_prop)
+system_internal_prop(persist_xcap_rawurl_prop)
+system_internal_prop(usp_srv_prop)
+system_internal_prop(logmuch_prop)
 
-#=============allow gsm0710muxd to set mux property==============
-type gsm0710muxd_prop, property_type, mtk_core_property_type;
+# Properties with no restrictions
+system_public_prop(persist_mtk_aee_prop)
+system_public_prop(mtk_amslog_prop)
 
-#=============allow netlog running==============
-type debug_mtklog_prop, property_type, extended_core_property_type;
-type persist_mtklog_prop, property_type, extended_core_property_type;
-type debug_netlog_prop, property_type, extended_core_property_type;
+# Properties with can be read by all domains
+typeattribute mtk_default_prop                mtk_core_property_type;
+typeattribute vendor_ril_ipo_prop             mtk_core_property_type;
+typeattribute gsm0710muxd_prop                mtk_core_property_type;
+typeattribute mtk_wifi_prop                   mtk_core_property_type;
+typeattribute persist_mtk_aeev_prop           mtk_core_property_type;
+typeattribute persist_aeev_prop               mtk_core_property_type;
+typeattribute debug_mtk_aeev_prop             mtk_core_property_type;
+typeattribute ro_mtk_aee_prop                 mtk_core_property_type;
+typeattribute ril_active_md_prop              mtk_core_property_type;
+typeattribute ril_mux_report_case_prop        mtk_core_property_type;
+typeattribute ril_cdma_report_prop            mtk_core_property_type;
+typeattribute mtk_md_prop                     mtk_core_property_type;
+typeattribute tel_switch_prop                 mtk_core_property_type;
+typeattribute mnld_prop                       mtk_core_property_type;
+typeattribute audiohal_prop                   mtk_core_property_type;
+typeattribute wmt_prop                        mtk_core_property_type;
+typeattribute coredump_prop                   mtk_core_property_type;
+typeattribute net_cdma_mdmstat                mtk_core_property_type;
+typeattribute persist_bt_prop                 mtk_core_property_type;
+typeattribute vendor_factory_idle_state_prop  mtk_core_property_type;
+typeattribute service_nvram_init_prop         mtk_core_property_type;
+typeattribute wifi_5g_prop                    mtk_core_property_type;
+typeattribute mtk_em_prop                     mtk_core_property_type;
+typeattribute mediatek_prop                   mtk_core_property_type;
+typeattribute mtk_em_hidl_prop                mtk_core_property_type;
+typeattribute mtk_operator_id_prop            mtk_core_property_type;
+typeattribute mtk_simswitch_emmode_prop       mtk_core_property_type;
+typeattribute mtk_dsbp_support_prop           mtk_core_property_type;
+typeattribute mtk_imstestmode_prop            mtk_core_property_type;
+typeattribute mtk_smsformat_prop              mtk_core_property_type;
+typeattribute mtk_gprs_prefer_prop            mtk_core_property_type;
+typeattribute mtk_testsim_cardtype_prop       mtk_core_property_type;
+typeattribute mtk_ct_ir_engmode_prop          mtk_core_property_type;
+typeattribute mtk_disable_c2k_cap_prop        mtk_core_property_type;
+typeattribute mtk_debug_md_reset_prop         mtk_core_property_type;
+typeattribute mtk_omx_log_prop                mtk_core_property_type;
+typeattribute mtk_vdec_log_prop               mtk_core_property_type;
+typeattribute mtk_vdectlc_log_prop            mtk_core_property_type;
+typeattribute mtk_venc_h264_showlog_prop      mtk_core_property_type;
+typeattribute mtk_modem_warning_prop          mtk_core_property_type;
+typeattribute vendor_radio_prop               mtk_core_property_type;
+typeattribute mtk_ct_volte_prop               mtk_core_property_type;
+typeattribute mtk_ril_mode_prop               mtk_core_property_type;
+typeattribute mtk_ss_vendor_prop              mtk_core_property_type;
+typeattribute mtk_gps_support_prop            mtk_core_property_type;
+typeattribute mtk_rat_config_prop             mtk_core_property_type;
+typeattribute mtk_aal_ro_prop                 mtk_core_property_type;
+typeattribute mtk_pq_ro_prop                  mtk_core_property_type;
+typeattribute mtk_pq_prop                     mtk_core_property_type;
+typeattribute mtk_emmc_support_prop           mtk_core_property_type;
+typeattribute vendor_em_usb_prop              mtk_core_property_type;
+typeattribute vendor_usb_otg_switch           mtk_core_property_type;
+typeattribute mtk_anr_support_prop            mtk_core_property_type;
+typeattribute mtk_appresolutiontuner_prop     mtk_core_property_type;
+typeattribute mtk_fullscreenswitch_prop       mtk_core_property_type;
+typeattribute mtk_antutu_prop                 mtk_core_property_type;
+typeattribute mtk_malloc_debug_backtrace_prop mtk_core_property_type;
+typeattribute mtk_voicerecgnize_prop          mtk_core_property_type;
+typeattribute persist_service_atci_prop       mtk_core_property_type;
+typeattribute mtk_atci_prop                   mtk_core_property_type;
+typeattribute mtk_net_ipv6_prop               mtk_core_property_type;
+typeattribute usp_prop                        mtk_core_property_type;
+typeattribute mtk_cxp_vendor_prop             mtk_core_property_type;
+typeattribute mtk_md_version_prop             mtk_core_property_type;
+typeattribute mtk_volte_prop                  mtk_core_property_type;
+typeattribute mtk_bt_sap_enable_prop          mtk_core_property_type;
+typeattribute mtk_nvram_ready_prop            mtk_core_property_type;
+typeattribute mtk_wifi_hotspot_prop           mtk_core_property_type;
+typeattribute mtk_hdmi_prop                   mtk_core_property_type;
 
-#=============allow netd to set mtk_wifi.*=========================
-type mtk_wifi_prop, property_type, mtk_core_property_type;
-
-#=============allow mdlogger==============
-type debug_mdlogger_prop, property_type, extended_core_property_type;
-type vendor_mdl_prop, property_type, extended_core_property_type;
-type vendor_mdl_start_prop, property_type, extended_core_property_type;
-type vendor_usb_prop, property_type;
-type persist_mdlog_prop, property_type, extended_core_property_type;
-type vendor_mdl_pulllog_prop, property_type, extended_core_property_type;
-
-#=============allow AEE==============
-type persist_mtk_aee_prop, property_type, extended_core_property_type;
-type persist_aee_prop, property_type, extended_core_property_type;
-type debug_mtk_aee_prop, property_type, extended_core_property_type;
-
-type persist_mtk_aeev_prop, property_type, mtk_core_property_type;
-type persist_aeev_prop, property_type, mtk_core_property_type;
-type debug_mtk_aeev_prop, property_type, mtk_core_property_type;
-type ro_mtk_aee_prop, property_type, mtk_core_property_type;
-
-#=============allow aee_dumpstate==============
-type debug_bq_dump_prop, property_type, extended_core_property_type;
-
-#=============allow ccci_mdinit to stop rild==============
-type ctl_ril-daemon-mtk_prop, property_type;
-type ctl_fusion_ril_mtk_prop, property_type;
-type ctl_ril-daemon-s_prop, property_type;
-type ctl_ril-daemon-d_prop, property_type;
-type ctl_ril-proxy_prop, property_type;
-
-#=============allow ccci_mdinit to start ccci_fsd==============
-type ctl_ccci_fsd_prop, property_type;
-type ctl_ccci2_fsd_prop, property_type;
-type ctl_ccci3_fsd_prop, property_type;
-
-#=============allow ccci_mdinit to set ril_active_md_prop==============
-type ril_active_md_prop, property_type, mtk_core_property_type;
-
-#=============allow ccci_mdinit to stop rild==============
-type ril_mux_report_case_prop, property_type, mtk_core_property_type;
-type ril_cdma_report_prop, property_type, mtk_core_property_type;
-
-#=============allow ccci_mdinit to mtk_md_prop==============
-type mtk_md_prop, property_type, mtk_core_property_type;
-
-#=============allow mtkrild to start muxreport==============
-type ctl_muxreport-daemon_prop, property_type;
-
-#=============allow telephony modules to set tel_switch_prop==============
-type tel_switch_prop, property_type, mtk_core_property_type;
-
-#=============allow bootanim==============
-type bootani_prop, property_type, extended_core_property_type;
-
-#=============allow mnld_prop==============
-type mnld_prop, property_type, mtk_core_property_type;
-
-#=============allow audiohal==============
-type audiohal_prop, property_type, mtk_core_property_type;
-
-#=============allow wmt==============
-type wmt_prop, property_type, mtk_core_property_type;
-type coredump_prop, property_type, mtk_core_property_type;
-
-#=============allow sensor==============
-type ctl_emcsmdlogger_prop, property_type;
-type ctl_eemcs_fsd_prop, property_type;
-
-#=============allow statusd==============
-type net_cdma_mdmstat, property_type, mtk_core_property_type;
-
-#=============allow bt==============
-type persist_bt_prop, property_type, mtk_core_property_type;
-
-#============= allow factory idle current prop ==============
-type vendor_factory_idle_state_prop, property_type, mtk_core_property_type;
-
-#============= allow mobile log property ===============
-type mobile_log_prop, property_type, extended_core_property_type;
-
-#============= allow service.nvram_init property ===============
-type service_nvram_init_prop, property_type, mtk_core_property_type;
-
-#============= allow ro.wlan.mtk.wifi.5g property ===============
-type wifi_5g_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set client.appmode  ==============
-type mtk_em_prop, property_type, mtk_core_property_type;
-
-#=============allow mediatek_prop ==============
-type mediatek_prop, property_type, mtk_core_property_type;
-
-#=============Property set by EM, for test/debug purpose=========
-type mtk_em_sys_prop, property_type, extended_core_property_type;
-type mtk_em_hidl_prop, property_type, mtk_core_property_type;
-
-#============= allow em set protocol ===============
-type mtk_em_net_auto_tethering_prop, property_type, extended_core_property_type;
-
-#=============allow em set property=============
-type mtk_operator_id_prop, property_type, mtk_core_property_type;
-
-#=============allow em set testsim.cardtype property===========
-type mtk_simswitch_emmode_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_dsbp_support_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_imstestmode_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_smsformat_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_gprs_prefer_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_testsim_cardtype_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_ct_ir_engmode_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_disable_c2k_cap_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set modem reset delay property================
-type mtk_debug_md_reset_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set video log omx.* property================
-type mtk_omx_log_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set vdec log property================
-type mtk_vdec_log_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set vdectlc log property================
-type mtk_vdectlc_log_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set venc h264 showlog property================
-type mtk_venc_h264_showlog_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set modem warning_prop property================
-type mtk_modem_warning_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set bgdata disabled property================
-type mtk_bgdata_disabled, property_type, extended_core_property_type;
-
-#=============allow em to set telecom vibrate property================
-type mtk_telecom_vibrate, property_type, extended_core_property_type;
-
-#=============allow em to set gprs attach type property================
-type mtk_gprs_attach_type, property_type, extended_core_property_type;
-
-#=============allow em to set poweroffmd property================
-type mtk_power_off_md_type, property_type, extended_core_property_type;
-
-#=============allow meta_tst to stop specific service ===============
-type ctl_mobile_log_d_prop, property_type;
-type ctl_mnld_prop, property_type;
-type ctl_mobicore_prop, property_type;
-
-#=============allow system server to set meta_connecttype property  ==============
-type meta_connecttype_prop, property_type;
-
-#=============Telephony Sensitive property==============
-type mtk_telephony_sensitive_prop, property_type;
-
-#=============allow processes to change thermal config================
-type mtk_thermal_config_prop, property_type;
-
-#=============allow composer set property ============================
-type graphics_hwc_pid_prop, property_type;
-type graphics_hwc_latch_unsignaled_prop, property_type;
-type graphics_hwc_hdr_prop, property_type;
-
-#============= mtkcam property ============================
-type mtkcam_prop, property_type;
-
-#============= atm modem mode property ==============
-type atm_mdmode_prop, property_type;
-
-#============= atm ip address property ==============
-type atm_ipaddr_prop, property_type;
-
-#=============allow consyslogger==============
-type vendor_connsysfw_prop, property_type, extended_core_property_type;
-
-#=============radio group property=============
-type vendor_radio_prop, property_type, mtk_core_property_type;
-
-#=============allow bluetooth==============
-type vendor_bluetooth_prop, property_type, extended_core_property_type;
-
-#=============allow ct volte==============
-type mtk_ct_volte_prop, property_type, mtk_core_property_type;
-
-#=============mtk ril mode property=============
-type mtk_ril_mode_prop, property_type, mtk_core_property_type;
-type mtk_ss_vendor_prop, property_type, mtk_core_property_type;
-
-#=============GPS support properties==============
-type mtk_gps_support_prop, property_type, mtk_core_property_type;
-
-#=============mtk rat config property=============
-type mtk_rat_config_prop, property_type, mtk_core_property_type;
-
-#=============mtk aal property=============
-type mtk_aal_ro_prop, property_type, mtk_core_property_type;
-
-#=============mtk pq property=============
-type mtk_pq_ro_prop, property_type, mtk_core_property_type;
-type mtk_pq_prop, property_type, mtk_core_property_type;
-
-#=============mtk emmc property=============
-type mtk_emmc_support_prop, property_type, mtk_core_property_type;
-
-#=============sim system property=============
-type vendor_sim_system_prop, property_type, extended_core_property_type;
-
-#=============em usb property==============
-type vendor_em_usb_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set usb otg enable property  ==============
-type vendor_usb_otg_switch, property_type, mtk_core_property_type;
-
-#=============mtk anr property=============
-type mtk_anr_support_prop, property_type, mtk_core_property_type;
-
-#=============mtk app resolution tuner property=============
-type mtk_appresolutiontuner_prop, property_type, mtk_core_property_type;
-
-#=============mtk fullscreen switch=============
-type mtk_fullscreenswitch_prop, property_type, mtk_core_property_type;
-
-# MTK Antutu feature
-type mtk_antutu_prop, property_type, mtk_core_property_type;
-
-#=============mtk malloc debug switch unwind backtrace property=============
-type mtk_malloc_debug_backtrace_prop, property_type, mtk_core_property_type;
-
-#=============MTK Voice Recognize property===========
-type mtk_voicerecgnize_prop, property_type, mtk_core_property_type;
-
-#=============allow radio to set/get xcap rawurl config================
-type persist_xcap_rawurl_prop, property_type, extended_core_property_type;
-
-#=============allow atcid==============
-type persist_service_atci_prop, property_type, mtk_core_property_type;
-type mtk_atci_prop, property_type, mtk_core_property_type;
-
-#=============allow Netd property==============
-type mtk_net_ipv6_prop, property_type, mtk_core_property_type;
-
-#============= allow carrier express (cxp) ==============
-type usp_prop, property_type, mtk_core_property_type;
-type usp_srv_prop, property_type, extended_core_property_type;
-type mtk_cxp_vendor_prop, property_type, mtk_core_property_type;
-
-#=============allow MD to set mtk_md_version_prop==============
-type mtk_md_version_prop, property_type, mtk_core_property_type;
-
-#=============allow radio to set mtk_volte_enable property==============
-type mtk_volte_prop, property_type, mtk_core_property_type;
-
-#=============allow AMS dynamic enable log property===========
-type mtk_amslog_prop, property_type, extended_core_property_type;
-
-#=============allow android log much property==============
-type logmuch_prop, property_type, extended_core_property_type;
-
-#=============mtk bt enable SAP profile property=============
-type mtk_bt_sap_enable_prop, property_type, mtk_core_property_type;
-
-#=============MTK powerhal property================
-type mtk_powerhal_prop, property_type;
-
-#=============MTK Wifi wlan_assistant property=============
-type mtk_nvram_ready_prop, property_type, mtk_core_property_type;
-
-#=============allow wifi hotspot to read property===========
-type mtk_wifi_hotspot_prop, property_type, mtk_core_property_type;
-
-#=============mtk hdmi property=============
-type mtk_hdmi_prop, property_type, mtk_core_property_type;
-
-#=============mtk nn option property=============
-type mtk_nn_option_prop, property_type;
-
-#============system wfc service property===========
-type mtk_wfc_serv_prop, property_type;
-
+# Properties with can't be accessed by device-sepcific domains
+typeattribute debug_mtklog_prop              extended_core_property_type;
+typeattribute persist_mtklog_prop            extended_core_property_type;
+typeattribute debug_netlog_prop              extended_core_property_type;
+typeattribute debug_mdlogger_prop            extended_core_property_type;
+typeattribute vendor_mdl_prop                extended_core_property_type;
+typeattribute vendor_mdl_start_prop          extended_core_property_type;
+typeattribute persist_mdlog_prop             extended_core_property_type;
+typeattribute vendor_mdl_pulllog_prop        extended_core_property_type;
+typeattribute persist_mtk_aee_prop           extended_core_property_type;
+typeattribute persist_aee_prop               extended_core_property_type;
+typeattribute debug_mtk_aee_prop             extended_core_property_type;
+typeattribute debug_bq_dump_prop             extended_core_property_type;
+typeattribute bootani_prop                   extended_core_property_type;
+typeattribute mobile_log_prop                extended_core_property_type;
+typeattribute mtk_em_sys_prop                extended_core_property_type;
+typeattribute mtk_em_net_auto_tethering_prop extended_core_property_type;
+typeattribute mtk_bgdata_disabled            extended_core_property_type;
+typeattribute mtk_telecom_vibrate            extended_core_property_type;
+typeattribute mtk_gprs_attach_type           extended_core_property_type;
+typeattribute mtk_power_off_md_type          extended_core_property_type;
+typeattribute vendor_connsysfw_prop          extended_core_property_type;
+typeattribute vendor_bluetooth_prop          extended_core_property_type;
+typeattribute vendor_sim_system_prop         extended_core_property_type;
+typeattribute persist_xcap_rawurl_prop       extended_core_property_type;
+typeattribute usp_srv_prop                   extended_core_property_type;
+typeattribute mtk_amslog_prop                extended_core_property_type;
+typeattribute logmuch_prop                   extended_core_property_type;
diff --git a/non_plat/property_contexts b/non_plat/property_contexts
index aec00cb..60e8c63 100644
--- a/non_plat/property_contexts
+++ b/non_plat/property_contexts
@@ -1,10 +1,10 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
+
 #=============allow ccci_mdinit to start gsm0710muxd==============
 ctl.vendor.gsm0710muxd u:object_r:ctl_gsm0710muxd_prop:s0
 
-
 #=============allow mtkrild to set persist.ril property==============
 vendor.ril.ipo u:object_r:vendor_ril_ipo_prop:s0
 
@@ -22,7 +22,6 @@
 persist.vendor.mdl u:object_r:persist_mdlog_prop:s0
 vendor.pullmdlog u:object_r:vendor_mdl_pulllog_prop:s0
 
-
 #=============allow AEE==============
 # persist.vendor.mtk.aee.mode && persist.vendor.mtk.aee.dal
 persist.vendor.mtk.aee. u:object_r:persist_mtk_aee_prop:s0
@@ -104,11 +103,9 @@
 persist.vendor.connsys. u:object_r:wmt_prop:s0
 vendor.connsys. u:object_r:wmt_prop:s0
 
-
 #=============allow c2k_prop ==============
 vendor.net.cdma.mdmstat u:object_r:net_cdma_mdmstat:s0
 
-
 #=============allow ccci_mdinit md status ==============
 vendor.mtk.md   u:object_r:mtk_md_prop:s0
 #============= allow factory idle current prop ==============
@@ -120,7 +117,6 @@
 #=============allow service.nvram_init property================
 vendor.service.nvram_init     u:object_r:service_nvram_init_prop:s0
 
-
 #=============Allow EM To Set Camera APP Mode  ==============
 vendor.client.      u:object_r:mtk_em_prop:s0
 
@@ -192,7 +188,6 @@
 vendor.ril.test.poweroffmd u:object_r:mtk_power_off_md_type:s0
 vendor.ril.testmode u:object_r:mtk_power_off_md_type:s0
 
-
 #=============allow system server to set meta_connecttype property  ==============
 persist.vendor.meta.connecttype u:object_r:meta_connecttype_prop:s0
 
@@ -235,7 +230,7 @@
 #=============allow consyslogger==============
 vendor.connsysfw u:object_r:vendor_connsysfw_prop:s0
 
-#============Label telephony property=======#
+#============Label telephony property=======
 vendor.ril. u:object_r:vendor_radio_prop:s0
 ro.vendor.ril. u:object_r:vendor_radio_prop:s0
 vendor.gsm. u:object_r:vendor_radio_prop:s0
@@ -247,7 +242,7 @@
 #=============allow ct volte==============
 persist.vendor.mtk_ct_volte_support u:object_r:mtk_ct_volte_prop:s0
 
-#============Label mtk ril mode=======#
+#============Label mtk ril mode=======
 ro.vendor.mtk_ril_mode u:object_r:mtk_ril_mode_prop:s0
 
 #=============GPS support properties==============
@@ -256,15 +251,15 @@
 ro.vendor.mtk_log_hide_gps u:object_r:mtk_gps_support_prop:s0
 ro.vendor.mtk_hidl_consolidation u:object_r:mtk_gps_support_prop:s0
 
-#============allow rat config=======#
+#============allow rat config=======
 ro.vendor.mtk_protocol1_rat_config u:object_r:mtk_rat_config_prop:s0
 
-#=============allow mtk aal==============#
+#=============allow mtk aal==============
 ro.vendor.mtk_aal_support u:object_r:mtk_aal_ro_prop:s0
 ro.vendor.mtk_ultra_dimming_support u:object_r:mtk_aal_ro_prop:s0
 ro.vendor.mtk_dre30_support u:object_r:mtk_aal_ro_prop:s0
 
-#=============allow mtk pq==============#
+#=============allow mtk pq==============
 persist.vendor.sys.pq. u:object_r:mtk_pq_prop:s0
 vendor.debug.pq. u:object_r:mtk_pq_prop:s0
 persist.vendor.sys.isp. u:object_r:mtk_pq_prop:s0
@@ -292,7 +287,7 @@
 ro.vendor.mtk_sim_card_onoff u:object_r:mtk_default_prop:s0
 ro.vendor.mtk_perf_plus u:object_r:mtk_default_prop:s0
 
-#============mtk emmc=======#
+#============mtk emmc=======
 ro.vendor.mtk_emmc_support u:object_r:mtk_emmc_support_prop:s0
 
 # MTK connsys log feature
@@ -305,7 +300,7 @@
 #=============allow em to set usb otg switch property  ==============
 persist.vendor.usb.otg.switch u:object_r:vendor_usb_otg_switch:s0
 
-#============mtk rsc========#
+#============mtk rsc========
 ro.boot.rsc u:object_r:mtk_default_prop:s0
 
 #=============mtk anr property=============
@@ -326,15 +321,15 @@
 # MTK Antutu feature
 ro.vendor.net.upload.benchmark.default u:object_r:mtk_antutu_prop:s0
 
-#=============malloc debug unwind backtrace switch property==============#
+#=============malloc debug unwind backtrace switch property==============
 vendor.debug.malloc.bt.switch u:object_r:mtk_malloc_debug_backtrace_prop:s0
 
-#=============allow gmo====================#
+#=============allow gmo====================
 ro.vendor.gmo.ram_optimize u:object_r:mtk_default_prop:s0
 ro.vendor.gmo.rom_optimize u:object_r:mtk_default_prop:s0
 ro.vendor.mtk_config_max_dram_size u:object_r:mtk_default_prop:s0
 
-#=============MTK Voice Recognize property===========#
+#=============MTK Voice Recognize property===========
 vendor.voicerecognize.raw u:object_r:mtk_voicerecgnize_prop:s0
 vendor.voicerecognize_data.raw u:object_r:mtk_voicerecgnize_prop:s0
 vendor.voicerecognize.noDL u:object_r:mtk_voicerecgnize_prop:s0
@@ -342,7 +337,7 @@
 #=============allow radio to set/get xcap rawurl config================
 persist.vendor.mtk.xcap.rawurl  u:object_r:persist_xcap_rawurl_prop:s0
 
-#=============mtk bt enable SAP profile property=============#
+#=============mtk bt enable SAP profile property=============
 ro.vendor.mtk.bt_sap_enable u:object_r:mtk_bt_sap_enable_prop:s0
 
 #=============allow processes to change powerhal config================
@@ -355,12 +350,20 @@
 #=============Wi-Fi Hotspot==============
 ro.vendor.wifi.sap.interface u:object_r:mtk_wifi_hotspot_prop:s0
 
-#=============allow mtk hdmi==============#
+#=============allow mtk hdmi==============
 persist.vendor.sys.hdmi_hidl. u:object_r:mtk_hdmi_prop:s0
 
-#=============mtk nn option==============#
+#=============mtk nn option==============
 ro.vendor.mtk_nn.option u:object_r:mtk_nn_option_prop:s0
 
 #============system wfc service property===========
 persist.vendor.wfc. u:object_r:mtk_wfc_serv_prop:s0
 
+#=============allow ccci_mdinit to ctl. mdlogger==============
+ctl.mdlogger u:object_r:ctl_mdlogger_prop:s0
+ctl.emdlogger1 u:object_r:ctl_emdlogger1_prop:s0
+ctl.emdlogger2 u:object_r:ctl_emdlogger2_prop:s0
+ctl.emdlogger3 u:object_r:ctl_emdlogger3_prop:s0
+
+init.svc.emdlogger1 u:object_r:init_svc_emdlogger1_prop:s0
+init.svc.aee_aedv u:object_r:init_svc_aee_aedv_prop:s0
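Review bot: The six entries added at the end of this hunk (`ctl.mdlogger`, `ctl.emdlogger1` to `ctl.emdlogger3`, `init.svc.emdlogger1`, `init.svc.aee_aedv`) label property names with no `vendor.` component, unlike `ctl.vendor.gsm0710muxd` at the top of the same file. Vendor-side property_contexts is expected to label only vendor-namespaced names, so un-prefixed `ctl.*` and `init.svc.*` keys placed here can collide with platform labels and may trip the Treble property-namespace checks. Confirm whether the services can be renamed so the keys become `ctl.vendor.<service>` and `init.svc.vendor.<service>`. If they must stay as they are, add a comment above the block such as `# legacy un-namespaced service names, kept because <reason>`.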
diff --git a/non_plat/radio.te b/non_plat/radio.te
index 9f6077e..e81853d 100644
--- a/non_plat/radio.te
+++ b/non_plat/radio.te
@@ -6,40 +6,6 @@
 allow radio sysfs_keypad_file:dir { r_dir_perms };
 allow radio sysfs_keypad_file:file { w_file_perms };
 
-# Date : WK15.34 2015/08/21
-# Operation : IT
-# Purpose : for engineermode WFD IOT property
-allow radio surfaceflinger:fifo_file { rw_file_perms };
-
-# Date : 2016/06/11
-# Operation : IT
-# Purpose : for engineermode Usb PHY Tuning
-allow radio debugfs_usb20_phy:file { read open getattr };
-allow radio debugfs_usb20_phy:dir search;
-
-# Date : WK14.38 2016/06/28
-# Operation : Migration
-# Purpose : for engineermode
-allow radio mt_otg_test_device:chr_file { read write ioctl open };
-allow radio mtgpio_device:chr_file { read ioctl open };
-allow radio stpbt_device:chr_file { read write open };
-allow radio stpant_device:chr_file { read write open };
-allow radio bt_int_adp_socket:sock_file write;
-allow radio mt6605_device:chr_file { read write ioctl open getattr };
-allow radio nfc_socket:dir { write add_name remove_name search };
-allow radio system_prop:property_service set;
-
-# Date : WK14.38 2016/06/28
-# Operation : Migration
-# Purpose : for engineermode
-allow radio em_svr:unix_stream_socket connectto;
-
-# Date : WK15.25 2016/06/28
-# Operation :N Migration
-# Purpose : for engineermode WiFi test mode
-# todo: in the feature Google maybe forbid this option,we should use other way
-allowxperm radio self:udp_socket ioctl { SIOCIWFIRSTPRIV-SIOCIWFIRSTPRIV_09 SIOCIWFIRSTPRIV_0B SIOCSIWESSID SIOCSIWMODE };
-
 # Date : 2014/12/13
 # Operation : IT
 # Purpose : for bluetooth relayer mode
@@ -60,27 +26,12 @@
 #   Swift APK integration - access ccci dir/file
 allow radio ccci_fsd:dir { r_dir_perms };
 
-# Date : 2016/07/25
-# Operation : Bluetooth access NVRAM fail in Engineer Mode
-# Purpose : for Bluetooth read NVRAM data
-allow radio nvdata_file:dir search;
-allow radio nvdata_file:file rw_file_perms;
-
-#Date : 2016/11/08
-#Operation: IT
-#Purpose: for EM set persist.net.auto.tethering
-set_prop(radio, mtk_em_net_auto_tethering_prop)
 
 # Date : WK17.03
 # Operation : O Migration
 # Purpose : HIDL for rilproxy
 binder_call(radio, hal_telephony)
 
-# Date : WK17.15
-# Operation : O Migration
-# Purpose : for YGPS execution
-allow radio hal_graphics_composer_default:fd use;
-
 #Dat: 2017/02/14
 #Purpose: allow get telephony Sensitive property
 get_prop(radio, mtk_telephony_sensitive_prop)
@@ -100,79 +51,11 @@
 #allow radio hal_audio_hwservice:hwservice_manager find;
 binder_call(radio,mtk_hal_audio)
 
-# TODO : Will move to plat_private when SEPolicy split done
-# Date : WK1727 2017/07/19
-# Operation : Migration
-# Purpose : Allow EM set usb property
-set_prop(radio, system_radio_prop)
-
-#Dat: 2017/07/20
-#Purpose: NFC EM
-allow radio hal_nfc_hwservice:hwservice_manager find;
-binder_call(radio, hal_nfc)
-binder_call(hal_nfc, radio)
-hwbinder_use(radio);
-#hal_client_domain(radio, hal_nfc)
-typeattribute radio halclientdomain;
-typeattribute radio hal_nfc_client;
-allow radio nfc_socket:sock_file { create write unlink setattr };
-set_prop(radio, system_prop)
-
-# Date : WK1734 2017/08/23
-# Purpose : Allow EM use power HAL
-allow radio mtk_hal_power_hwservice:hwservice_manager find;
-binder_call(radio, mtk_hal_power)
-
-# Date : 2017/10/31
-# Purpose: Policy for EM to set wcn coredump property
-get_prop(radio, wmt_prop)
-
 # Date : WK18.16
 # Operation: P migration
 # Purpose: Allow radio to get tel_switch_prop
 get_prop(radio, tel_switch_prop)
 
-# Date : 2018/05/03
-# Operation: P migration
-# Purpose: allow EM to set modem reset delay property
-get_prop(radio, mtk_debug_md_reset_prop)
-
-# Date : 2018/06/01
-# Operation : P migration
-# Purpose : For EM access battery info
-allow radio sysfs_batteryinfo:dir search;
-#allow radio sysfs_batteryinfo:file { read write getattr open create};
-allow radio sysfs_vbus:file { read getattr open };
-allow radio sysfs_battery_consumption:file r_file_perms;
-allow radio sysfs_power_on_vol:file r_file_perms;
-allow radio sysfs_power_off_vol:file r_file_perms;
-allow radio sysfs_fg_disable:file w_file_perms;
-allow radio sysfs_dis_nafg:file w_file_perms;
-
-# Date : 2018/06/15
-# Purpose : Allow EM access touchscreen settings
-allow radio sysfs_tpd_debug:dir { search read open };
-allow radio sysfs_tpd_setting:dir { search read open };
-
-# Date : 2018/06/15
-# Purpose : mtk EM PMU reading/setting
-allow radio sysfs_pmu:dir { search };
-allow radio sysfs_pmu:file { read };
-allow radio sysfs_pmu:lnk_file { read };
-
-# Date : 2018/06/15
-# Purpose : mtk EM Power debug_log setting
-allow radio sysfs_spm:dir { search };
-
-# Date : 2018/06/15
-# Purpose: Allow EM detect Audio headset status
-allow radio sysfs_headset:file { read open };
-
-# Date : 2018/06/26
-# Operation : IT
-# Purpose : Allow to use HAL em
-hal_client_domain(radio, mtk_hal_em)
-
 # Date : 2018/07/03
 # Purpose : Allow sim system to set prop
 set_prop(radio, vendor_sim_system_prop)
@@ -195,42 +78,7 @@
 # Purpose : Allow to use mtk_gprs_attach_type
 set_prop(radio, mtk_gprs_attach_type)
 
-# Date : 2018/07/12
-# Purpose : Allow EM to use Lbs Hidl
-binder_call(radio, lbs_hidl_service)
-allow radio mtk_hal_lbs_hwservice:hwservice_manager find;
-
-# Date : 2018/08/12
-# Purpose : Allow EM to set poweroffmd property
-set_prop(radio, mtk_power_off_md_type)
-
-get_prop(radio, persist_mtk_aee_prop);
-
-
-# Date : 2018/08/31
-# Purpose : Allow EM to set sys property
-set_prop(radio, mtk_em_sys_prop)
-
-# Date : 2018/11/01
-# Purpose : mtk EM c2k bypass read usb file
-allow radio sys_usb_rawbulk:file { r_file_perms };
-allow radio sys_usb_rawbulk:dir { r_dir_perms };
-
 #Date : 2018/11/02
 # Operation : Allow radio persist_xcap_rawurl_prop:property_service set;
 # Purpose : for set telephony xcap use raw url property in IMS SS
 set_prop(radio, persist_xcap_rawurl_prop)
-
-# Date : 2019/05/08
-# Operation : label aee_aed sockets
-# Purpose : Engineering mode need access for aee commmand
-allow radio aee_aed:unix_stream_socket connectto;
-
-# Date : 2019/05/23
-# Operation : Get subpimc reigster status
-# Purpose : Engineering mode need get subpimic register status
-allow radio debugfs_regmap:dir { search };
-
-# Date : 2018/09/29
-# Purpose : Allow get USB Current Speed in Engineer Mode
-get_prop(radio, vendor_usb_prop);
diff --git a/non_plat/shell.te b/non_plat/shell.te
index b292564..5346726 100644
--- a/non_plat/shell.te
+++ b/non_plat/shell.te
@@ -4,7 +4,7 @@
 
 # Date : WK16.46
 # Purpose : allow shell to switch aee mode
-allow shell aee_aed:unix_stream_socket connectto;
+allow shell crash_dump:unix_stream_socket connectto;
 
 # Date : WK17.35
 # Purpose : allow shell to dump the debugging information of camera hal.
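Review bot: `allow shell crash_dump:unix_stream_socket connectto;` is granted on every build variant, and `shell` is the domain an adb session runs in. The comment describes a debug action (switching AEE mode), and the target is now the shared `crash_dump` domain rather than a dedicated `aee_aed` one, so the grant is broader than its stated purpose. Unless user builds are known to need it, consider ``userdebug_or_eng(`allow shell crash_dump:unix_stream_socket connectto;')``.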
diff --git a/non_plat/stp_dump3.te b/non_plat/stp_dump3.te
index d7e7675..0501d29 100644
--- a/non_plat/stp_dump3.te
+++ b/non_plat/stp_dump3.te
@@ -37,6 +37,7 @@
 allow stp_dump3 sdcard_type:file create_file_perms;
 allow stp_dump3 stp_dump_data_file:dir create_dir_perms;
 allow stp_dump3 stp_dump_data_file:file create_file_perms;
+allow stp_dump3 stp_dump_data_file:sock_file { write create unlink setattr };
 allow stp_dump3 connsyslog_data_vendor_file:dir create_dir_perms;
 allow stp_dump3 connsyslog_data_vendor_file:file create_file_perms;
 get_prop(stp_dump3, coredump_prop)
diff --git a/non_plat/system_server.te b/non_plat/system_server.te
index beeb30a..919f663 100644
--- a/non_plat/system_server.te
+++ b/non_plat/system_server.te
@@ -112,7 +112,7 @@
 #           path=00636F6D2E6D746B2E6165652E6165645F3634
 #           scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0
 #           tclass=unix_stream_socket permissive=0
-allow system_server aee_aed:unix_stream_socket connectto;
+allow system_server crash_dump:unix_stream_socket connectto;
 
 #Dat: 2017/02/14
 #Purpose: allow get telephony Sensitive property
diff --git a/non_plat/uncrypt.te b/non_plat/uncrypt.te
index c9b3acb..2684a23 100644
--- a/non_plat/uncrypt.te
+++ b/non_plat/uncrypt.te
@@ -1,13 +1,13 @@
 #====================== uncrypt.te ======================
 # uncrypt for mtd
-allow uncrypt mtd_device:chr_file { read write open ioctl };
+allow uncrypt mtd_device:chr_file rw_file_perms;
 allow uncrypt mtd_device:dir search;
 
 allow uncrypt misc_device:chr_file ~rename;
 allow uncrypt userdata_block_device:blk_file w_file_perms;
-allow uncrypt para_block_device:blk_file { write open };
+allow uncrypt para_block_device:blk_file w_file_perms;
 allow uncrypt system_app_data_file:dir { getattr search };
 allow uncrypt system_app_data_file:file { read getattr };
 allow uncrypt media_rw_data_file:dir { getattr search };
-allow uncrypt media_rw_data_file:file { read getattr open };
+allow uncrypt media_rw_data_file:file r_file_perms;
 allow uncrypt ota_package_file:file w_file_perms;
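Review bot: The three macro substitutions in this hunk are not permission-neutral, because `rw_file_perms`, `w_file_perms` and `r_file_perms` in AOSP's global macros expand to more than the explicit sets they replace. For example, `r_file_perms` on `media_rw_data_file:file` adds `ioctl`, `lock` and `map` to the former `{ read getattr open }`, and `w_file_perms` on `para_block_device:blk_file` adds `append`, `lock` and `map` to `{ write open }`. If the intent is only readability, state that in the commit message and confirm the extra permissions are acceptable for a domain that writes raw block and MTD devices. Otherwise keep the explicit sets.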
diff --git a/non_plat/vendor_init.te b/non_plat/vendor_init.te
index d0bc030..783f6c9 100644
--- a/non_plat/vendor_init.te
+++ b/non_plat/vendor_init.te
@@ -1,16 +1,16 @@
-#allow vendor_init exported3_system_prop:property_service set;
-#allow vendor_init dalvik_prop:property_service set;
+# ==============================================
+# MTK Policy Rule
+# ==============================================
 
-#allow vendor_init ffs_prop:property_service set;
-allow vendor_init mediatek_prop:property_service set;
-allow vendor_init mtk_md_version_prop:property_service set;
-allow vendor_init mtk_volte_prop:property_service set;
-allow vendor_init vendor_radio_prop:property_service set;
-allow vendor_init mtk_ril_mode_prop:property_service set;
-allow vendor_init wmt_prop:property_service set;
-allow vendor_init coredump_prop:property_service set;
+set_prop(vendor_init, mediatek_prop)
+set_prop(vendor_init, mtk_md_version_prop)
+set_prop(vendor_init, mtk_volte_prop)
+set_prop(vendor_init, vendor_radio_prop)
+set_prop(vendor_init, mtk_ril_mode_prop)
+set_prop(vendor_init, wmt_prop)
+set_prop(vendor_init, coredump_prop)
+
 allow vendor_init proc_wmtdbg:file w_file_perms;
-#allow vendor_init vold_prop:property_service set;
 
 allow vendor_init proc_cpufreq:file w_file_perms;
 allow vendor_init proc_bootprof:file write;
@@ -33,7 +33,6 @@
 set_prop(vendor_init, mtk_pq_ro_prop)
 set_prop(vendor_init, mtk_default_prop)
 set_prop(vendor_init, mtk_nn_option_prop)
-
 set_prop(vendor_init, mtk_emmc_support_prop)
 set_prop(vendor_init, mtk_anr_support_prop)
 set_prop(vendor_init, mtk_antutu_prop)
@@ -70,7 +69,9 @@
 allow vendor_init expdb_block_device:blk_file rw_file_perms;
 
 set_prop(vendor_init, mtk_wifi_hotspot_prop)
-
 set_prop(vendor_init, persist_aeev_prop)
-
 set_prop(vendor_init, mtk_powerhal_prop)
+
+# mmstat tracer
+allow vendor_init debugfs_tracing_instances:dir create_dir_perms;
+allow vendor_init debugfs_tracing_instances:file w_file_perms;
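Review bot: The two `debugfs_tracing_instances` rules added at the end of this hunk let `vendor_init` create directories and write files under the tracing instances tree on every build variant, with only `# mmstat tracer` as rationale. debugfs access is normally kept off user builds, so either wrap the pair in `userdebug_or_eng(...)` or record why production devices need it, using the Date / Operation / Purpose form found elsewhere in this policy. `create_dir_perms` also looks wider than creating one instance directory requires; check it against the actual denial.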
diff --git a/plat_private/aee_core_forwarder.te b/plat_private/aee_core_forwarder.te
index d335d99..961646c 100644
--- a/plat_private/aee_core_forwarder.te
+++ b/plat_private/aee_core_forwarder.te
@@ -97,4 +97,4 @@
 get_prop(aee_core_forwarder, hwservicemanager_prop)
 
 # Purpose : allow aee_core_forwarder to connect aee_aed socket
-allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
+allow aee_core_forwarder crash_dump:unix_stream_socket connectto;
diff --git a/plat_private/crash_dump.te b/plat_private/crash_dump.te
index bd905cb..98b8cb7 100644
--- a/plat_private/crash_dump.te
+++ b/plat_private/crash_dump.te
@@ -1,2 +1,120 @@
-allow crash_dump aee_aed:unix_stream_socket connectto;
+# ==============================================
+# MTK Policy Rule
+# ==============================================
 
+# AED start: /dev/block/expdb
+allow crash_dump block_device:dir search;
+
+# aee db dir and db files
+allow crash_dump sdcard_type:dir create_dir_perms;
+allow crash_dump sdcard_type:file create_file_perms;
+
+#data/anr
+allow crash_dump anr_data_file:dir create_dir_perms;
+allow crash_dump anr_data_file:file create_file_perms;
+
+allow crash_dump domain:process { getattr getsched };
+allow crash_dump domain:lnk_file getattr;
+
+#core-pattern
+allow crash_dump usermodehelper:file r_file_perms;
+
+#suid_dumpable. this is neverallow
+#allow crash_dump proc_security:file r_file_perms;
+
+#allow crash_dump call binaries labeled "system_file" under /system/bin/
+allow crash_dump system_file:file execute_no_trans;
+
+allow crash_dump init:process getsched;
+allow crash_dump kernel:process getsched;
+
+# Date: W15.34
+# Operation: Migration
+# Purpose: For pagemap & pageflags information in NE DB
+userdebug_or_eng(`allow crash_dump self:capability sys_admin;')
+
+# Purpose: allow crash_dump to access toolbox
+allow crash_dump toolbox_exec:file rx_file_perms;
+
+# Purpose: mnt/user/*
+allow crash_dump mnt_user_file:dir search;
+allow crash_dump mnt_user_file:lnk_file read;
+
+allow crash_dump storage_file:dir search;
+allow crash_dump storage_file:lnk_file read;
+
+# Date : WK17.09
+# Operation : AEE UT for Android O
+# Purpose : for AEE module to dump files
+domain_auto_trans(crash_dump, dumpstate_exec, dumpstate)
+
+# Purpose : crash_dump communicate with aee_core_forwarder
+# allow crash_dump aee_core_forwarder:dir search;
+# allow crash_dump aee_core_forwarder:file { read getattr open };
+
+userdebug_or_eng(`
+  allow crash_dump su:dir {search read open };
+  allow crash_dump su:file { read getattr open };
+')
+
+# /data/tombstone
+allow crash_dump tombstone_data_file:dir w_dir_perms;
+allow crash_dump tombstone_data_file:file create_file_perms;
+
+# /proc/pid/
+allow crash_dump self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
+
+# system(cmd) aee_dumpstate aee_archive
+allow crash_dump shell_exec:file rx_file_perms;
+
+# PROCESS_FILE_STATE
+allow crash_dump dumpstate:unix_stream_socket { read write ioctl };
+allow crash_dump dumpstate:dir search;
+allow crash_dump dumpstate:file r_file_perms;
+
+allow crash_dump logdr_socket:sock_file write;
+allow crash_dump logd:unix_stream_socket connectto;
+#allow crash_dump system_ndebug_socket:sock_file write;
+
+# vibrator
+allow crash_dump sysfs_vibrator:file w_file_perms;
+
+# Data : 2017/03/22
+# Operation : add NE flow rule for Android O
+# Purpose : make crash_dump can get specific process NE info
+allow crash_dump domain:dir r_dir_perms;
+allow crash_dump domain:{ file lnk_file } r_file_perms;
+
+allow crash_dump dalvikcache_data_file:dir r_dir_perms;
+#allow crash_dump zygote_exec:file r_file_perms;
+#allow crash_dump init_exec:file r_file_perms;
+
+# Data : 2017/04/06
+# Operation : add selinux rule for crash_dump notify crash_dump
+# Purpose : make crash_dump can get notify from crash_dump
+allow crash_dump crash_dump:dir search;
+allow crash_dump crash_dump:file r_file_perms;
+
+# Purpose : allow crash_dump to read /proc/version
+allow crash_dump proc_version:file { read open };
+
+# Purpose : allow crash_dump self to sys_nice/chown/kill
+allow crash_dump self:capability { sys_nice chown fowner kill };
+
+# Purpose: Allow crash_dump to write /sys/kernel/debug/tracing/snapshot
+userdebug_or_eng(`allow crash_dump debugfs_tracing_debug:file { write open };')
+
+# Purpose: Allow crash_dump to read/write /sys/kernel/debug/tracing/tracing_on
+#userdebug_or_eng(` allow crash_dump debugfs_tracing:file { r_file_perms write };')
+
+# Purpose: receive dropbox message
+allow crash_dump dropbox_data_file:file {getattr read};
+allow crash_dump dropbox_service:service_manager find;
+allow crash_dump servicemanager:binder call;
+allow crash_dump system_server:binder call;
+
+# Purpose: allow crash_dump to read packages.list
+allow crash_dump packages_list_file:file r_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/*/exe
+allow crash_dump system_file_type:file r_file_perms;
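Review bot: The rule under `# /proc/pid/` grants `crash_dump` the capabilities `sys_module`, `net_admin`, `setuid`, `setgid` and `sys_resource` on all build variants, and the comment explains none of them. A later rule in the same hunk (`# Purpose : allow crash_dump self to sys_nice/chown/kill`) grants `{ sys_nice chown fowner kill }` again, which suggests the first set was carried over from the old aee_aed policy rather than derived from denials. This domain reads state of arbitrary crashed processes (`allow crash_dump domain:dir r_dir_perms;`), so trim the first rule to what is documented, e.g. `allow crash_dump self:capability { fowner chown fsetid sys_nice kill };`. Then drop the duplicate and add any further capability back only with the denial that requires it, inside `userdebug_or_eng` where it serves debugging.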
diff --git a/plat_private/domain.te b/plat_private/domain.te
index 7f95649..4252e23 100644
--- a/plat_private/domain.te
+++ b/plat_private/domain.te
@@ -21,8 +21,8 @@
     -dumpstate
     -init
     -installd
-    -iorap_inode2filename
     -iorap_prefetcherd
+    -iorap_inode2filename
     -logd
     -mediadrmserver
     -mediaextractor
@@ -55,7 +55,7 @@
   neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
 
   neverallow iorap_prefetcherd system_data_file:file ~{ open read };
-  neverallow iorap_inode2filename system_data_file:file ~{ open read getattr };
+  neverallow iorap_inode2filename system_data_file:file ~getattr;
 
   neverallow {
     mediadrmserver
@@ -75,8 +75,8 @@
     dexoptanalyzer
     init
     installd
-    iorap_inode2filename
     iorap_prefetcherd
+    iorap_inode2filename
     logd
     rs
     runas
diff --git a/plat_private/file_contexts b/plat_private/file_contexts
index 053ebe4..defa023 100644
--- a/plat_private/file_contexts
+++ b/plat_private/file_contexts
@@ -23,8 +23,8 @@
 /system/bin/loghidlsysservice u:object_r:loghidlsysservice_exec:s0
 /system/bin/cmddumper u:object_r:cmddumper_exec:s0
 /system/bin/em_svr u:object_r:em_svr_exec:s0
-/system/bin/aee_aed u:object_r:aee_aed_exec:s0
-/system/bin/aee_aed64 u:object_r:aee_aed_exec:s0
+/system/bin/aee_aed u:object_r:crash_dump_exec:s0
+/system/bin/aee_aed64 u:object_r:crash_dump_exec:s0
 /system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
 /system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0
 /system/bin/connsyslogger u:object_r:connsyslogger_exec:s0
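Review bot: Labelling `/system/bin/aee_aed` and `/system/bin/aee_aed64` as `crash_dump_exec` puts the vendor AEE daemon in the same type as the platform crash dumper, so a rule written for one applies to both. Rules visible elsewhere in this diff, such as `allow crash_dump domain:dir r_dir_perms;` and `allow crash_dump self:capability { sys_nice chown fowner kill };`, are therefore granted to every binary carrying this label, which presumably includes the stock crash_dump. A dedicated exec type and domain for aee_aed would keep those grants scoped to the daemon that needs them. If sharing the domain is intended, the two entries should say so, for example `# aee_aed shares the crash_dump domain; allows added for it widen crash_dump as well`.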
diff --git a/plat_private/property_contexts b/plat_private/property_contexts
index b85131f..e5bb3c3 100644
--- a/plat_private/property_contexts
+++ b/plat_private/property_contexts
@@ -1,11 +1,6 @@
-#=============allow ccci_mdinit to ctl. mdlogger==============
-ctl.mdlogger u:object_r:ctl_mdlogger_prop:s0
-ctl.emdlogger1       u:object_r:ctl_emdlogger1_prop:s0
-ctl.emdlogger2       u:object_r:ctl_emdlogger2_prop:s0
-ctl.emdlogger3       u:object_r:ctl_emdlogger3_prop:s0
-
-init.svc.emdlogger1 u:object_r:init_svc_emdlogger1_prop:s0
-init.svc.aee_aedv u:object_r:init_svc_aee_aedv_prop:s0
+# ==============================================
+# MTK Policy Rule
+# ==============================================
 
 #allow mtk audio hidl service to read "ro.audio.usb.period_us"
 ro.audio.usb.period_us u:object_r:exported_default_prop:s0 exact int
@@ -13,6 +8,5 @@
 #allow adb daemon to read "persist.adb.nonblocking_ffs"
 persist.adb.nonblocking_ffs u:object_r:exported_default_prop:s0 exact int
 
-#============system fingerprint property===========#
+#============system fingerprint property===========
 ro.system.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
-
diff --git a/plat_private/system_app.te b/plat_private/system_app.te
index 6d45fbe..08f80fa 100644
--- a/plat_private/system_app.te
+++ b/plat_private/system_app.te
@@ -13,4 +13,4 @@
 allow system_app media_rw_data_file:file {r_file_perms w_file_perms};
 
 # Purpose: receive dropbox message
-allow system_app aee_aed:unix_stream_socket connectto;
+allow system_app system_server:unix_stream_socket connectto;
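Review bot: The new rule `allow system_app system_server:unix_stream_socket connectto;` does not follow the rename applied in the other hunks visible here, where each `aee_aed` peer becomes `crash_dump` (for example in system_server.te). If the peer is still the relabelled AEE daemon, the rule should read `allow system_app crash_dump:unix_stream_socket connectto;`. If system_server really is the intended peer, the `# Purpose: receive dropbox message` comment should name the socket system_app connects to, because as written the rule reads as a general connect grant towards system_server with no stated reason.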
diff --git a/plat_private/system_server.te b/plat_private/system_server.te
index c606c5c..d9b7134 100644
--- a/plat_private/system_server.te
+++ b/plat_private/system_server.te
@@ -5,8 +5,8 @@
 allow uncrypt uncrypt:capability fowner;
 
 # Purpose: receive dropbox message
-allow system_server aee_aed:fifo_file w_file_perms;
-allow system_server aee_aed:fd use;
+allow system_server crash_dump:fifo_file w_file_perms;
+allow system_server crash_dump:fd use;
 
 #Date:2019/10/10
 #Operation:Q Migration
diff --git a/plat_public/attributes b/plat_public/attributes
index 53ca171..bc8b764 100644
--- a/plat_public/attributes
+++ b/plat_public/attributes
@@ -18,3 +18,9 @@
 # modem db filter hidl
 attribute mtk_hal_md_dbfilter;
 attribute mtk_hal_md_dbfilter_client;
+
+# Date: 2019/11/18
+# em hidl
+attribute mtk_hal_em;
+attribute mtk_hal_em_client;
+attribute mtk_hal_em_server;
diff --git a/plat_public/domain.te b/plat_public/domain.te
index 1478421..3feb681 100644
--- a/plat_public/domain.te
+++ b/plat_public/domain.te
@@ -147,132 +147,143 @@
 #   allow hal_drm system_data_file:file { getattr read };
 #   hal_server_domain(merged_hal_service, hal_drm)
 #
-# full_treble_only(`
-#   neverallow ~{
-#     init
-#     installd
-#     system_server
-#     } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
-# 
-#   neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
-# 
-#   neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
-# 
-#   neverallow installd system_data_file:{ chr_file blk_file } *;
-# 
-#   neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
-# 
-#   neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
-# 
-#   neverallow {
-#     coredomain
-#     -appdomain
-#     -app_zygote
-#     -init
-#     -installd
-#     -iorap_prefetcherd
-#     -system_server
-#     -toolbox
-#     -vold
-#     -vold_prepare_subdirs
-#     } system_data_file:file ~r_file_perms;
-# 
-#   neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
-# 
-#   neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
-# 
-#   neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
-# 
-#   neverallow iorap_prefetcherd system_data_file:file ~{ open read };
-# 
-#   neverallow {
-#     mediadrmserver
-#     mediaextractor
-#     mediaserver
-#    } system_data_file:file ~{ read getattr };
-# 
-#   neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
-# 
-#   neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
-# 
-#   neverallow vold system_data_file:file ~read;
-# 
-#   neverallow ~{
-#     appdomain
-#     app_zygote
-#     init
-#     installd
-#     iorap_prefetcherd
-#     logd
-#     rs
-#     runas
-#     simpleperf_app_runner
-#     system_server
-#     tee
-#     vold
-#     webview_zygote
-#     zygote
-#     } system_data_file:lnk_file ~getattr;
-# 
-#   neverallow {
-#     appdomain
-#     app_zygote
-#     logd
-#     webview_zygote
-#     } system_data_file:lnk_file ~r_file_perms;
-# 
-#   neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
-# 
-#   neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
-# 
-#   neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
-# 
-#   neverallow rs system_data_file:lnk_file ~{ read };
-# 
-#   neverallow {
-#     runas
-#     simpleperf_app_runner
-#     tee
-#     } system_data_file:lnk_file ~{ read getattr };
-# 
-#   neverallow system_server system_data_file:lnk_file ~create_file_perms;
-# 
-#   neverallow ~{
-#     init
-#     installd
-#     iorap_prefetcherd
-#     system_server
-#     toolbox
-#     traced_probes
-#     vold
-#     vold_prepare_subdirs
-#     zygote
-#     } system_data_file:dir ~{ search getattr };
-# 
-#   neverallow init system_data_file:dir ~{
-#     create search getattr open read setattr ioctl
-#     mounton
-#     relabelto
-#     write add_name remove_name rmdir relabelfrom
-#     };
-# 
-#   neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
-# 
-#   neverallow {
-#     iorap_prefetcherd
-#     traced_probes
-#     } system_data_file:dir ~{ open read search getattr };
-# 
-#   neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
-# 
-#   neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
-# 
-#   neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
-# 
-#   neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
-# 
-#   neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
-# ')
+full_treble_only(`
+  neverallow ~{
+    init
+    installd
+    system_server
+    } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
+
+  neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
+
+  neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+
+  neverallow installd system_data_file:{ chr_file blk_file } *;
+
+  neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
+
+  neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
+
+  neverallow {
+    coredomain
+    -appdomain
+    -app_zygote
+    -init
+    -installd
+    -iorap_prefetcherd
+    -iorap_inode2filename
+    -system_server
+    -toolbox
+    -vold
+    -vold_prepare_subdirs
+    } system_data_file:file ~r_file_perms;
+
+  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+
+  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+
+  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+
+  neverallow iorap_inode2filename system_data_file:file ~getattr;
+
+  neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+
+  neverallow {
+    mediadrmserver
+    mediaextractor
+    mediaserver
+   } system_data_file:file ~{ read getattr };
+
+  neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+
+  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+
+  neverallow vold system_data_file:file ~read;
+
+  neverallow ~{
+    appdomain
+    app_zygote
+    init
+    installd
+    iorap_prefetcherd
+    iorap_inode2filename
+    logd
+    rs
+    runas
+    simpleperf_app_runner
+    system_server
+    tee
+    vold
+    webview_zygote
+    zygote
+    } system_data_file:lnk_file ~getattr;
+
+  neverallow {
+    appdomain
+    app_zygote
+    logd
+    webview_zygote
+    } system_data_file:lnk_file ~r_file_perms;
+
+  neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+
+  neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+
+  neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+
+  neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
+
+  neverallow rs system_data_file:lnk_file ~{ read };
+
+  neverallow {
+    runas
+    simpleperf_app_runner
+    tee
+    } system_data_file:lnk_file ~{ read getattr };
+
+  neverallow system_server system_data_file:lnk_file ~create_file_perms;
+
+  neverallow ~{
+    apexd
+    init
+    installd
+    iorap_prefetcherd
+    iorap_inode2filename
+    system_server
+    toolbox
+    traced_probes
+    vold
+    vold_prepare_subdirs
+    zygote
+    } system_data_file:dir ~{ search getattr };
+
+  neverallow apexd system_data_file:dir ~r_dir_perms;
+
+  neverallow init system_data_file:dir ~{
+    create search getattr open read setattr ioctl
+    mounton
+    relabelto
+    write add_name remove_name rmdir relabelfrom
+    };
+
+  neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
+
+  neverallow {
+    iorap_prefetcherd
+    iorap_inode2filename
+    traced_probes
+    } system_data_file:dir ~{ open read search getattr };
+
+  neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
+
+  neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
+
+  neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
+
+  neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
+
+  neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
+')
 
 
 # Do not allow access to the generic vendor_data_file label. This is
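Review bot: The line `neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;` ends in a doubled semicolon that was harmless while the block was commented out but is now handed to the policy compiler; it should end `~{ relabelto };`. The init rule for `system_data_file:file` further down also lists `getattr` twice in its permission set, which is harmless but worth cleaning up while the block is being enabled. The same system_data_file neverallow set appears to exist in plat_private/domain.te, whose hunks in this diff touch the matching `iorap_inode2filename` lines, so the two copies can drift apart. A comment at the top of the block such as `# Keep in sync with plat_private/domain.te` would make that dependency visible.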
diff --git a/plat_public/property.te b/plat_public/property.te
index 976018b..03e0d0e 100644
--- a/plat_public/property.te
+++ b/plat_public/property.te
@@ -1,9 +1,20 @@
-#=============allow ccci_mdinit to ctl. mdlogger==============
-type ctl_mdlogger_prop, property_type;
-type ctl_emdlogger1_prop, property_type;
-type ctl_emdlogger2_prop, property_type;
-type ctl_emdlogger3_prop, property_type;
-type ctl_dualmdlogger_prop, property_type;
+# ==============================================
+# MTK Policy Rule
+# ==============================================
 
-type init_svc_emdlogger1_prop, property_type;
-type init_svc_aee_aedv_prop, property_type;
\ No newline at end of file
+# system_internal_prop      -- Properties used only in /system
+# system_restricted_prop    -- Properties which can't be written outside system
+# system_public_prop        -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop      -- Properties used only in /vendor
+# vendor_restricted_prop    -- Properties which can't be written outside vendor
+# vendor_public_prop        -- Properties with no restrictions
+
+# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
+#typeattribute vendor_default_prop vendor_property_type;
+#neverallow domain {
+#  property_type
+#  -system_property_type
+#  -product_property_type
+#  -vendor_property_type
+#}:file no_rw_file_perms;