non_plat/ccci_mdinit.te - device/mediatek/wembley-sepolicy - Git at Google

 # ==============================================
 # Policy File of /system/bin/ccci_mdinit Executable File

 # ==============================================
 # Type Declaration
 # ==============================================
 type ccci_mdinit_exec , exec_type, file_type, vendor_file_type;
 type ccci_mdinit ,domain;

 # ==============================================
 # MTK Policy Rule
 # ==============================================
 init_daemon_domain(ccci_mdinit)
 wakelock_use(ccci_mdinit)

 #=============allow ccci_mdinit to start c2krild==============
 set_prop(ccci_mdinit, vendor_mtk_ctl_viarild_prop)
 #=============allow ccci_mdinit to start/stop rild, mdlogger==============
 set_prop(ccci_mdinit, system_mtk_ctl_mdlogger_prop)
 set_prop(ccci_mdinit, system_mtk_ctl_emdlogger1_prop)
 set_prop(ccci_mdinit, system_mtk_ctl_emdlogger2_prop)
 set_prop(ccci_mdinit, system_mtk_ctl_emdlogger3_prop)
 set_prop(ccci_mdinit, vendor_mtk_ctl_gsm0710muxd_prop)
 set_prop(ccci_mdinit, vendor_mtk_ctl_ril-daemon-mtk_prop)
 set_prop(ccci_mdinit, vendor_mtk_ctl_fusion_ril_mtk_prop)
 set_prop(ccci_mdinit, vendor_mtk_ctl_ril-proxy_prop)
 set_prop(ccci_mdinit, vendor_mtk_ril_active_md_prop)
 set_prop(ccci_mdinit, vendor_mtk_md_prop)
 set_prop(ccci_mdinit, vendor_mtk_net_cdma_mdmstat_prop)
 set_prop(ccci_mdinit, ctl_start_prop)
 #=============allow ccci_mdinit to get vendor_mtk_tel_switch_prop==============
 get_prop(ccci_mdinit, vendor_mtk_tel_switch_prop)

 #=============allow ccci_mdinit to start/stop fsd==============
 set_prop(ccci_mdinit, vendor_mtk_ctl_ccci_fsd_prop)
 set_prop(ccci_mdinit, vendor_mtk_ctl_ccci2_fsd_prop)
 set_prop(ccci_mdinit, vendor_mtk_ctl_ccci3_fsd_prop)

 # GOOGLE: Commented out for b/169606103
 #get_prop(ccci_mdinit, vendor_default_prop)
 get_prop(ccci_mdinit, system_mtk_init_svc_emdlogger1_prop)
 get_prop(ccci_mdinit, system_mtk_init_svc_aee_aedv_prop)

 allow ccci_mdinit ccci_device:chr_file rw_file_perms;
 allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;

 #=============allow ccci_mdinit to access MD NVRAM==============
 allow ccci_mdinit nvram_data_file:dir rw_dir_perms;
 allow ccci_mdinit nvram_data_file:file create_file_perms;
 allow ccci_mdinit nvram_data_file:lnk_file read;
 allow ccci_mdinit nvdata_file:lnk_file read;
 allow ccci_mdinit nvdata_file:dir rw_dir_perms;
 allow ccci_mdinit nvdata_file:file create_file_perms;
 allow ccci_mdinit nvram_device:chr_file rw_file_perms;

 #=============allow ccci_mdinit to access ccci config==============
 allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
 allow ccci_mdinit protect_f_data_file:file create_file_perms;
 #=============allow ccci_mdinit to property==============
 allow ccci_mdinit protect_s_data_file:dir rw_dir_perms;
 allow ccci_mdinit protect_s_data_file:file create_file_perms;
 allow ccci_mdinit nvram_device:blk_file rw_file_perms;
 allow ccci_mdinit nvdata_device:blk_file rw_file_perms;

 set_prop(ccci_mdinit, vendor_mtk_ril_mux_report_case_prop)

 allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
 allow ccci_mdinit ccci_cfg_file:file create_file_perms;
 #===============security relate ==========================
 allow ccci_mdinit preloader_device:chr_file rw_file_perms;
 allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
 allow ccci_mdinit sec_ro_device:chr_file r_file_perms;

 allow ccci_mdinit custom_file:dir r_dir_perms;
 allow ccci_mdinit custom_file:file r_file_perms;

 # Purpose : for nand partition access
 allow ccci_mdinit mtd_device:dir search;
 allow ccci_mdinit mtd_device:chr_file rw_file_perms;
 allow ccci_mdinit devmap_device:chr_file r_file_perms;
 # Purpose : for device bring up, not to block early migration/sanity
 allow ccci_mdinit proc_lk_env:file rw_file_perms;
 allow ccci_mdinit para_block_device:blk_file rw_file_perms;
 #============= ccci_mdinit sysfs related ==============
 allow ccci_mdinit sysfs_ccci:dir search;
 allow ccci_mdinit sysfs_ccci:file rw_file_perms;
 allow ccci_mdinit sysfs_ssw:dir search;
 allow ccci_mdinit sysfs_ssw:file r_file_perms;
 allow ccci_mdinit sysfs_boot_info:file r_file_perms;

 # Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
 allow ccci_mdinit proc_bootprof:file rw_file_perms;

 # Date : WK18.21
 # Operation: P migration
 # Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
 allow ccci_mdinit mnt_vendor_file:dir search;

 # Purpose : Allow ccci_mdinit call sysenv_get and sysenv_set
 allow ccci_mdinit block_device:dir search;
 allow ccci_mdinit metadata_file:dir search;
 allow ccci_mdinit proc_cmdline:file r_file_perms;
 allow ccci_mdinit sysfs_dt_firmware_android:dir search;

 # Date : 2020-07-06
 # Purpose: no trigger avc log when call nvram api
 dontaudit ccci_mdinit gsi_metadata_file:dir search;
	# ==============================================
	# Policy File of /system/bin/ccci_mdinit Executable File

	# ==============================================
	# Type Declaration
	# ==============================================
	type ccci_mdinit_exec , exec_type, file_type, vendor_file_type;
	type ccci_mdinit ,domain;

	# ==============================================
	# MTK Policy Rule
	# ==============================================
	init_daemon_domain(ccci_mdinit)
	wakelock_use(ccci_mdinit)

	#=============allow ccci_mdinit to start c2krild==============
	set_prop(ccci_mdinit, vendor_mtk_ctl_viarild_prop)
	#=============allow ccci_mdinit to start/stop rild, mdlogger==============
	set_prop(ccci_mdinit, system_mtk_ctl_mdlogger_prop)
	set_prop(ccci_mdinit, system_mtk_ctl_emdlogger1_prop)
	set_prop(ccci_mdinit, system_mtk_ctl_emdlogger2_prop)
	set_prop(ccci_mdinit, system_mtk_ctl_emdlogger3_prop)
	set_prop(ccci_mdinit, vendor_mtk_ctl_gsm0710muxd_prop)
	set_prop(ccci_mdinit, vendor_mtk_ctl_ril-daemon-mtk_prop)
	set_prop(ccci_mdinit, vendor_mtk_ctl_fusion_ril_mtk_prop)
	set_prop(ccci_mdinit, vendor_mtk_ctl_ril-proxy_prop)
	set_prop(ccci_mdinit, vendor_mtk_ril_active_md_prop)
	set_prop(ccci_mdinit, vendor_mtk_md_prop)
	set_prop(ccci_mdinit, vendor_mtk_net_cdma_mdmstat_prop)
	set_prop(ccci_mdinit, ctl_start_prop)
	#=============allow ccci_mdinit to get vendor_mtk_tel_switch_prop==============
	get_prop(ccci_mdinit, vendor_mtk_tel_switch_prop)

	#=============allow ccci_mdinit to start/stop fsd==============
	set_prop(ccci_mdinit, vendor_mtk_ctl_ccci_fsd_prop)
	set_prop(ccci_mdinit, vendor_mtk_ctl_ccci2_fsd_prop)
	set_prop(ccci_mdinit, vendor_mtk_ctl_ccci3_fsd_prop)

	# GOOGLE: Commented out for b/169606103
	#get_prop(ccci_mdinit, vendor_default_prop)
	get_prop(ccci_mdinit, system_mtk_init_svc_emdlogger1_prop)
	get_prop(ccci_mdinit, system_mtk_init_svc_aee_aedv_prop)

	allow ccci_mdinit ccci_device:chr_file rw_file_perms;
	allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;

	#=============allow ccci_mdinit to access MD NVRAM==============
	allow ccci_mdinit nvram_data_file:dir rw_dir_perms;
	allow ccci_mdinit nvram_data_file:file create_file_perms;
	allow ccci_mdinit nvram_data_file:lnk_file read;
	allow ccci_mdinit nvdata_file:lnk_file read;
	allow ccci_mdinit nvdata_file:dir rw_dir_perms;
	allow ccci_mdinit nvdata_file:file create_file_perms;
	allow ccci_mdinit nvram_device:chr_file rw_file_perms;

	#=============allow ccci_mdinit to access ccci config==============
	allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
	allow ccci_mdinit protect_f_data_file:file create_file_perms;
	#=============allow ccci_mdinit to property==============
	allow ccci_mdinit protect_s_data_file:dir rw_dir_perms;
	allow ccci_mdinit protect_s_data_file:file create_file_perms;
	allow ccci_mdinit nvram_device:blk_file rw_file_perms;
	allow ccci_mdinit nvdata_device:blk_file rw_file_perms;

	set_prop(ccci_mdinit, vendor_mtk_ril_mux_report_case_prop)

	allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
	allow ccci_mdinit ccci_cfg_file:file create_file_perms;
	#===============security relate ==========================
	allow ccci_mdinit preloader_device:chr_file rw_file_perms;
	allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
	allow ccci_mdinit sec_ro_device:chr_file r_file_perms;

	allow ccci_mdinit custom_file:dir r_dir_perms;
	allow ccci_mdinit custom_file:file r_file_perms;

	# Purpose : for nand partition access
	allow ccci_mdinit mtd_device:dir search;
	allow ccci_mdinit mtd_device:chr_file rw_file_perms;
	allow ccci_mdinit devmap_device:chr_file r_file_perms;
	# Purpose : for device bring up, not to block early migration/sanity
	allow ccci_mdinit proc_lk_env:file rw_file_perms;
	allow ccci_mdinit para_block_device:blk_file rw_file_perms;
	#============= ccci_mdinit sysfs related ==============
	allow ccci_mdinit sysfs_ccci:dir search;
	allow ccci_mdinit sysfs_ccci:file rw_file_perms;
	allow ccci_mdinit sysfs_ssw:dir search;
	allow ccci_mdinit sysfs_ssw:file r_file_perms;
	allow ccci_mdinit sysfs_boot_info:file r_file_perms;

	# Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
	allow ccci_mdinit proc_bootprof:file rw_file_perms;

	# Date : WK18.21
	# Operation: P migration
	# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
	allow ccci_mdinit mnt_vendor_file:dir search;

	# Purpose : Allow ccci_mdinit call sysenv_get and sysenv_set
	allow ccci_mdinit block_device:dir search;
	allow ccci_mdinit metadata_file:dir search;
	allow ccci_mdinit proc_cmdline:file r_file_perms;
	allow ccci_mdinit sysfs_dt_firmware_android:dir search;

	# Date : 2020-07-06
	# Purpose: no trigger avc log when call nvram api
	dontaudit ccci_mdinit gsi_metadata_file:dir search;