# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.34
# Operation : Migration
# Purpose : for L early bring up: add for nvram command in init rc files
# Lets init create and manage directories labelled nvram_data_file and read
# symlinks labelled nvram_data_file or nvdata_file.
allow init nvram_data_file:dir create_dir_perms;
allow init nvram_data_file:lnk_file r_file_perms;
allow init nvdata_file:lnk_file r_file_perms;
# NOTE(review): this rule applies the file-class macro create_file_perms to
# class dir, whereas the parallel nvram_data_file:dir rule above uses
# create_dir_perms. In stock AOSP global_macros the file macro carries no
# search/add_name/remove_name, so the two directory rules grant different
# sets. Confirm against this tree's macros which set was intended before
# changing it; switching to create_dir_perms would widen what init may do here.
allow init nvdata_file:dir create_file_perms;
#============= init ==============
# Date : W14.42
# Operation : Migration
# Purpose : for L : add for partition (chown/chmod)
# setattr on blk_file lets init change owner and mode of the device nodes.
# No open/read/write on these nodes is granted by this group.
# NOTE(review): the owner/mode that init applies lives in the rc files, not in
# this policy. Once a node is chown'ed or chmod'ed, DAC no longer blocks the new
# owner, and only the SELinux rules of the other domains still apply. Check
# that the rc entries for seccfg, secro and frp keep those nodes restricted.
# NOTE(review): block_device is presumably the generic label for block nodes
# that have no more specific type, so this first rule is broader than the
# per-partition rules below it. Confirm it is still required.
allow init block_device:blk_file setattr;
allow init system_block_device:blk_file setattr;
allow init nvram_device:blk_file setattr;
allow init seccfg_block_device:blk_file setattr;
allow init secro_block_device:blk_file setattr;
allow init frp_block_device:blk_file setattr;
allow init logo_block_device:blk_file setattr;
allow init para_block_device:blk_file setattr;
allow init recovery_block_device:blk_file setattr;
# Date : WK15.30
# Operation : Migration
# Purpose : format wiped partition with "formattable" and "check" flag in fstab file
# Raw access to the partition device nodes. The rules are unconditional, so
# they apply to everything that runs in the init domain, not only to the
# format/check path named in the Purpose line.
# nvdata_device and para_block_device receive w_file_perms (write side only);
# every other type in this group receives rw_file_perms.
# NOTE(review): raw write access to userdata, persist and protect1/protect2
# bypasses the file-level labels inside those filesystems. Drop any entry
# whose fstab line no longer carries the formattable/check flags.
allow init protect1_block_device:blk_file rw_file_perms;
allow init protect2_block_device:blk_file rw_file_perms;
allow init userdata_block_device:blk_file rw_file_perms;
allow init cache_block_device:blk_file rw_file_perms;
allow init nvdata_device:blk_file w_file_perms;
allow init persist_block_device:blk_file rw_file_perms;
allow init nvcfg_block_device:blk_file rw_file_perms;
allow init odm_block_device:blk_file rw_file_perms;
allow init oem_block_device:blk_file rw_file_perms;
allow init para_block_device:blk_file w_file_perms;
# Date : WK15.32
# Operation : Migration
# Purpose : disable AT_SECURE for LD_PRELOAD
# The rule below is commented out and is therefore NOT part of the policy.
# noatsecure would stop the kernel from setting AT_SECURE when init execs into
# the listed domains, so the dynamic linker in those processes would honour
# LD_PRELOAD and similar environment variables inherited from init.
# Keep it disabled. If it is ever restored for debugging it must stay inside
# userdebug_or_eng so that it cannot reach user builds.
#userdebug_or_eng(`
# allow init { domain -lmkd -crash_dump -llkd -mediaswcodec }:process noatsecure;
#')
# Date : WK16.26
# Operation : Access dynamic_debug control file
# Purpose : For MobileLog on/off pr_debug on user/userdebug load
# This rule is not wrapped in userdebug_or_eng, so init may write the
# dynamic_debug control file on user builds as well, as the Purpose line says.
# NOTE(review): this is debugfs write access on production builds. Confirm the
# feature still needs it there rather than only on userdebug/eng.
allow init debugfs_dynamic_debug:file write;
# Date : W16.28
# Operation : Migration
# Purpose : enable modules capability
# capability sys_module (CAP_SYS_MODULE) lets init load and unload kernel
# modules. system module_request lets init trigger the kernel's automatic
# module loader. Which files may be loaded is decided separately by the
# "system module_load" rules further down in this file.
# The module_request rule is repeated verbatim in the W17.22 (A/B system)
# section; the repeat is redundant but harmless.
allow init self:capability sys_module;
allow init kernel:system module_request;
# Date : WK16.35
# Operation : Migration
# Purpose : create symbolic link from /mnt/sdcard to /sdcard
# The rule is type-based: it permits creating any symlink that ends up
# labelled tmpfs, not only the /mnt/sdcard link named in the Purpose line.
# The same rule is repeated verbatim in the W17.22 (A/B system) section.
allow init tmpfs:lnk_file create;
# Date:W17.07
# Operation : bt hal
# Purpose : bt hal interface permission
# getattr only: init may stat the HAL binary. This rule alone does not let
# init read or execute it.
allow init mtk_hal_bluetooth_exec:file getattr;
# Date : WK17.02
# Purpose: Fix audio hal service fail
# getattr only, as for the bluetooth HAL binary above.
allow init mtk_hal_audio_exec:file getattr;
# Date : W17.20
# Purpose: Enable PRODUCT_FULL_TREBLE
# Lets init give a symlink the vendor_block_device label. Class lnk_file only;
# the block device node itself is not covered by this rule.
allow init vendor_block_device:lnk_file relabelto;
# Date : WK17.21
# Purpose: Fix gnss hal service fail
# getattr only, as for the other HAL binaries above.
allow init mtk_hal_gnss_exec:file getattr;
# Fix boot up violation
# relabelfrom lets init change a file's label away from
# debugfs_tracing_instances. No matching relabelto target is granted in this
# file. NOTE(review): confirm which target type the relabel is meant to reach.
allow init debugfs_tracing_instances:file relabelfrom;
# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
# Duplicate of the module_request rule in the W16.28 section (redundant).
allow init kernel:system module_request;
# mounton lets init use directories of these types as mount points.
allow init nvdata_file:dir mounton;
allow init oemfs:dir mounton;
allow init protect_f_data_file:dir mounton;
allow init protect_s_data_file:dir mounton;
allow init nvcfg_file:dir mounton;
allow init persist_data_file:dir mounton;
# Duplicate of the tmpfs symlink rule in the WK16.35 section (redundant).
allow init tmpfs:lnk_file create;
# boot process denial clean up
# Write access to debugfs_ged files, granted unconditionally and so present on
# user builds too.
# NOTE(review): this was added to silence a boot-time denial. Confirm that
# init really needs the write rather than the access being incidental.
allow init debugfs_ged:file w_file_perms;
# Date : WK17.39
# Operation : able to relabel mntl block device link
# Purpose : Correct permission for mntl
# Together these let init move a symlink from the generic block_device label
# to one of the three specific partition labels. Class lnk_file only, so the
# device nodes themselves are not relabelled by these rules.
# NOTE(review): relabelfrom on block_device:lnk_file is not tied to the three
# targets below. It pairs with every lnk_file relabelto granted to init
# anywhere in the policy.
allow init block_device:lnk_file relabelfrom;
allow init expdb_block_device:lnk_file relabelto;
allow init mcupmfw_block_device:lnk_file relabelto;
allow init tee_block_device:lnk_file relabelto;
# Date : WK17.43
# Operation : able to insert fpsgo kernel module
# Purpose : Correct permission for fpsgo
# system module_load is checked against the label of the module file, so this
# permits loading any file labelled rootfs as a kernel module, not only fpsgo.
allow init rootfs:system module_load;
# Date: W17.43
# Operation : module load
# Purpose : insmod LKM under /vendor (connsys module KO)
# Same check against vendor_file: any file carrying that label may be loaded
# as a kernel module by init, not only the connsys module.
# NOTE(review): vendor_file looks like a general-purpose label. Giving the .ko
# files a dedicated type and granting module_load on that type only would
# narrow this. Module signature enforcement is the remaining control; it is
# configured in the kernel, not in this policy.
allow init vendor_file:system module_load;
# Date : WK17.46
# Operation : feature porting
# Purpose : kernel module verification
# Lets init search keys held by the kernel domain; per the Purpose line this is
# needed for module verification.
allow init kernel:key search;
# Date : WK17.50
# Operation : boost cpu while booting
# Purpose : enhance boottime
allow init proc_perfmgr:file write;
# NOTE(review): proc_wmtdbg is not explained by the boot-time Purpose above.
# By name it looks like a debug node; confirm init needs write access to it on
# user builds.
allow init proc_wmtdbg:file w_file_perms;
# Date : W18.20
# Operation : mount soc vendor's partition when booting
# mounton lets init use directories labelled mnt_vendor_file as mount points.
allow init mnt_vendor_file:dir mounton;
# Date : W19.28
# Purpose: Allow to setattr /proc/last_kmsg
# setattr only: init may change owner/mode of the node. No read or write of
# its contents is granted here.
# NOTE(review): last_kmsg holds the previous boot's kernel log. Check which
# owner/mode the rc file applies, because that decides who can read it.
allow init proc_last_kmsg:file setattr;
# Purpose: Allow to write /proc/cpu/alignment
allow init proc_cpu_alignment:file w_file_perms;
# Purpose: Allow to relabelto for selinux_android_restorecon
# Lets init give symlinks the boot/vbmeta block-device labels. Class lnk_file
# only; the device nodes themselves are not covered.
allow init boot_block_device:lnk_file relabelto;
allow init vbmeta_block_device:lnk_file relabelto;
# Purpose: Allow to write /proc/mtprintk
allow init proc_mtprintk:file w_file_perms;