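# ==============================================
# Policy File of /vendor/bin/aee_aedv Executable File
#
# Review notes are marked "NOTE(review)". They flag rules whose scope is
# wider than the stated purpose, or whose quoted denial does not match the
# rule it justifies; no rule was removed except strict duplicates whose
# permissions are already granted by a superset rule in this file.
# ==============================================

# ==============================================
# MTK Policy Rule
# ==============================================

type aee_aedv, domain;

type aee_aedv_exec, exec_type, file_type, vendor_file_type;
# NOTE(review): mlstrustedsubject exempts this domain from MLS constraints.
# The denials quoted below carry per-app categories (c512,c768), which is
# presumably why it is needed; keep it only while cross-category access is required.
typeattribute aee_aedv mlstrustedsubject;

init_daemon_domain(aee_aedv)


# Date : WK14.32
# Operation : AEE UT
# Purpose : for AEE module
allow aee_aedv aed_device:chr_file rw_file_perms;
allow aee_aedv expdb_device:chr_file rw_file_perms;
allow aee_aedv expdb_block_device:blk_file rw_file_perms;
# NOTE(review): raw read/write on the boot block device bypasses any
# filesystem-level access control on that partition; confirm write is needed.
allow aee_aedv bootdevice_block_device:blk_file rw_file_perms;
allow aee_aedv etb_device:chr_file rw_file_perms;

# AED start: /dev/block/expdb
allow aee_aedv block_device:dir search;

# NE flow: /dev/RT_Monitor
allow aee_aedv RT_Monitor_device:chr_file r_file_perms;

# /data/aee_exp
allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
allow aee_aedv aee_exp_vendor_file:file create_file_perms;

# /data/dumpsys
allow aee_aedv aee_dumpsys_vendor_file:dir create_dir_perms;
allow aee_aedv aee_dumpsys_vendor_file:file create_file_perms;

# /data/core
allow aee_aedv aee_core_vendor_file:dir create_dir_perms;
allow aee_aedv aee_core_vendor_file:file create_file_perms;

# /data/data_tmpfs_log
allow aee_aedv vendor_tmpfs_log_file:dir create_dir_perms;
allow aee_aedv vendor_tmpfs_log_file:file create_file_perms;

# NOTE(review): "domain" is every process domain on the device, so sigkill
# here lets aee_aedv terminate any process. If the NE flow only needs to
# signal specific domains, narrow the target.
allow aee_aedv domain:process { sigkill getattr getsched };
allow aee_aedv domain:lnk_file getattr;

# core-pattern
allow aee_aedv usermodehelper:file r_file_perms;

# Date: W15.34
# Operation: Migration
# Purpose: For pagemap & pageflags information in NE DB
userdebug_or_eng(`allow aee_aedv self:capability sys_admin;')

# Purpose: aee_aedv set property
set_prop(aee_aedv, persist_mtk_aeev_prop);
set_prop(aee_aedv, persist_aeev_prop);
set_prop(aee_aedv, debug_mtk_aeev_prop);

# Purpose: mnt/user/*
allow aee_aedv mnt_user_file:dir search;
allow aee_aedv mnt_user_file:lnk_file read;

allow aee_aedv storage_file:dir search;
allow aee_aedv storage_file:lnk_file read;

userdebug_or_eng(`
    allow aee_aedv su:dir { search read open };
    allow aee_aedv su:file { read getattr open };
')

# /proc/pid/
# NOTE(review): sys_module and net_admin are high-privilege capabilities
# (kernel module loading, network configuration); the comment only explains
# the /proc/pid/ usage. Confirm each capability is actually exercised.
allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module };

# PROCESS_FILE_STATE
allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
allow aee_aedv dumpstate:dir search;
allow aee_aedv dumpstate:file r_file_perms;

allow aee_aedv logdr_socket:sock_file write;
allow aee_aedv logd:unix_stream_socket connectto;

# vibrator
allow aee_aedv sysfs_vibrator:file w_file_perms;

# /proc/lk_env
allow aee_aedv proc_lk_env:file rw_file_perms;

# Date : 2017/03/22
# Operation : add NE flow rule for Android O
# Purpose : let aee_aedv get NE info for a specific process
# NOTE(review): these grant read of /proc/<pid>/ (dir, file, lnk_file) for
# every domain on the device, not just the crashing process.
allow aee_aedv domain:dir r_dir_perms;
allow aee_aedv domain:{ file lnk_file } r_file_perms;
#allow aee_aedv {
#    domain
#    -logd
#    -keystore
#    -init
#}:process ptrace;
#allow aee_aedv zygote_exec:file r_file_perms;
#allow aee_aedv init_exec:file r_file_perms;

# Date : 2017/04/06
# Operation : add selinux rule for crash_dump notify aee_aedv
# Purpose : let aee_aedv receive notifications from crash_dump
allow aee_aedv crash_dump:dir search;
allow aee_aedv crash_dump:file r_file_perms;

# Date : 20170512
# Operation : fix aee_archive can't execute issue
# Purpose : type=1400 audit(0.0:97916): avc: denied { execute_no_trans } for
#   path="/system/vendor/bin/aee_archive" dev="mmcblk0p26" ino=2355
#   scontext=u:r:aee_aedv:s0 tcontext=u:object_r:vendor_file:s0
#   tclass=file permissive=0
# NOTE(review): execute_no_trans on the generic vendor_file type lets any
# vendor_file-labelled binary run inside this domain with all of the
# permissions in this file. A dedicated exec type for aee_archive would
# limit that to the one helper the denial is about.
allow aee_aedv vendor_file:file execute_no_trans;

# Purpose: debugfs files
allow aee_aedv debugfs_binder:dir { read open };
allow aee_aedv debugfs_binder:file { read open };
allow aee_aedv debugfs_blockio:file { read open };
allow aee_aedv debugfs_fb:dir search;
allow aee_aedv debugfs_fb:file { read open };
allow aee_aedv debugfs_fuseio:dir search;
allow aee_aedv debugfs_fuseio:file { read open };
allow aee_aedv debugfs_ged:dir search;
allow aee_aedv debugfs_ged:file { read open };
allow aee_aedv debugfs_rcu:dir search;
allow aee_aedv debugfs_shrinker_debug:file { read open };
allow aee_aedv debugfs_wakeup_sources:file { read open };
allow aee_aedv debugfs_dmlog_debug:file { read open };
allow aee_aedv debugfs_page_owner_slim_debug:file { read open };
allow aee_aedv debugfs_ion_mm_heap:dir search;
allow aee_aedv debugfs_ion_mm_heap:file r_file_perms;
allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
allow aee_aedv debugfs_cpuhvfs:dir search;
allow aee_aedv debugfs_cpuhvfs:file { read open };
allow aee_aedv debugfs_emi_mbw_buf:file { read open };
allow aee_aedv debugfs_vpu_device_dbg:file { read open };

# Purpose: /proc/interrupts
# 01-01 00:02:46.390  3315  3315 W aee_dumpstatev: type=1400 audit(0.0:4728):
#   avc: denied { read } for name="interrupts" dev="proc" ino=4026533608 scontext=
#   u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file permissive=0
# 01-01 00:05:16.270  3554  3554 W aee_dumpstatev: type=1400 audit(0.0:5153):
#   avc: denied { open } for path="/proc/interrupts" dev="proc" ino=4026533608
#   scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file
#   permissive=0
# (r_file_perms covers both the read and open denials; the separate "read"
# rule that used to precede it was redundant.)
allow aee_aedv proc_interrupts:file r_file_perms;

# Purpose:
# 01-01 17:59:14.440  7664  7664 I aee_dumpstate: type=1400 audit(0.0:63497):
#   avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
#   "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
#   tracing_shell_writable:s0 tclass=file permissive=1
# NOTE(review): the quoted denial has scontext=dumpstate and tcontext=
# tracing_shell_writable, but the rule grants aee_aedv read/write on
# debugfs_tracing. The justification for this rule is not in this file.
allow aee_aedv debugfs_tracing:file rw_file_perms;

# Purpose: /proc/<pid> of platform apps
# 01-01 00:05:17.720  3567  3567 W ps      : type=1400 audit(0.0:5192): avc:
#   denied { getattr } for path="/proc/3421" dev="proc" ino=78975 scontext=u:r:
#   aee_aedv:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv platform_app:dir r_dir_perms;
allow aee_aedv platform_app:file r_file_perms;

# Purpose:
# 01-01 00:05:17.750  3567  3567 W ps      : type=1400 audit(0.0:5193): avc:
#   denied { getattr } for path="/proc/3461" dev="proc" ino=11013 scontext=u:r:
#   aee_aedv:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv untrusted_app_25:dir getattr;

# Purpose:
# 01-01 00:05:17.650  3567  3567 W ps      : type=1400 audit(0.0:5179): avc:
#   denied { getattr } for path="/proc/2712" dev="proc" ino=65757 scontext=u:r:
#   aee_aedv:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv untrusted_app:dir getattr;

# Purpose:
# 01-01 00:05:17.650  3567  3567 W ps      : type=1400 audit(0.0:5180): avc:
#   denied { getattr } for path="/proc/2747" dev="proc" ino=66659 scontext=u:r:
#   aee_aedv:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv priv_app:dir getattr;

# Purpose: /proc/net/route
# 01-01 00:05:16.620  3554  3554 W aee_dumpstatev: type=1400 audit(0.0:5171):
#   avc: denied { read } for name="route" dev="proc" ino=4026533633 scontext=u:r:
#   aee_aedv:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
# 01-01 00:08:39.900000  3833  3833 W aee_dumpstatev: type=1400 audit(0.0:371):
#   avc: denied { open } for path="/proc/3833/net/route" dev="proc" ino=4026533632
#   scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
# (r_file_perms covers the earlier separate "read" rule.)
allow aee_aedv proc_net:file r_file_perms;

# Purpose: /proc/zoneinfo
# 01-01 00:05:16.610  3554  3554 W aee_dumpstatev: type=1400 audit(0.0:5168):
#   avc: denied { read } for name="zoneinfo" dev="proc" ino=4026533664 scontext=
#   u:r:aee_aedv:s0 tcontext=u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
# 01-01 00:08:39.880000  3833  3833 W aee_dumpstatev: type=1400 audit(0.0:370):
#   avc: denied { open } for path="/proc/zoneinfo" dev="proc" ino=4026533663
#   scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
# (r_file_perms covers the earlier separate "read" rule.)
allow aee_aedv proc_zoneinfo:file r_file_perms;

# Purpose: /sys/class/leds
# 01-01 00:05:17.840  3554  3554 W aee_dumpstatev: type=1400 audit(0.0:5200):
#   avc: denied { search } for name="leds" dev="sysfs" ino=6217 scontext=u:r:
#   aee_aedv:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
allow aee_aedv sysfs_leds:dir search;
allow aee_aedv sysfs_leds:file r_file_perms;

# Purpose: /sys/kernel/ccci
# 01-01 00:03:45.790  3651  3651 I aee_dumpstatev: type=1400 audit(0.0:5592): avc: denied
#   { search } for name="ccci" dev="sysfs" ino=6026 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
#   sysfs_ccci:s0 tclass=dir permissive=1
# 01-01 00:03:45.790  3651  3651 I aee_dumpstatev: type=1400 audit(0.0:5593): avc: denied { read }
#   for name="md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:sysfs_ccci:s0
#   tclass=file permissive=1
# 01-01 00:03:45.790  3651  3651 I aee_dumpstatev: type=1400 audit(0.0:5594): avc: denied { open }
#   for path="/sys/kernel/ccci/md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:
#   object_r:sysfs_ccci:s0 tclass=file permissive=1
allow aee_aedv sysfs_ccci:dir search;
allow aee_aedv sysfs_ccci:file r_file_perms;

# Purpose: /vendor/bin/toybox_vendor
# 01-01 00:03:44.330  3658  3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied
#   { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r:
#   aee_aedv:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
allow aee_aedv vendor_toolbox_exec:file rx_file_perms;

# Purpose: /dev/kmsg and kernel log
# 01-01 00:05:16.730  3566  3566 W dmesg   : type=1400 audit(0.0:5173): avc:
#   denied { read } for name="kmsg" dev="tmpfs" ino=12292 scontext=u:r:aee_aedv:
#   s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
# 01-01 00:12:06.320000  4145  4145 W dmesg   : type=1400 audit(0.0:826): avc: denied { open } for
#   path="/dev/kmsg" dev="tmpfs" ino=10875 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:kmsg_device:
#   s0 tclass=chr_file permissive=0
# 01-01 00:42:33.070000  4171  4171 W dmesg   : type=1400 audit(0.0:1343): avc: denied
#   { syslog_read } for scontext=u:r:aee_aedv:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
# (r_file_perms covers the earlier separate "read" rule.)
allow aee_aedv kmsg_device:chr_file r_file_perms;
allow aee_aedv kernel:system syslog_read;

# Purpose: /proc/meminfo
# 01-01 00:12:37.890000  4162  4162 W aee_dumpstatev: type=1400 audit(0.0:914): avc: denied
#   { read } for name="meminfo" dev="proc" ino=4026533612 scontext=u:r:aee_aedv:s0 tcontext=u:
#   object_r:proc_meminfo:s0 tclass=file permissive=0
allow aee_aedv proc_meminfo:file r_file_perms;

# Purpose: fstab on rootfs
# 01-01 00:33:27.750000   338   338 W aee_aedv: type=1400 audit(0.0:98): avc: denied { read }
#   for name="fstab.mt6755" dev="rootfs" ino=1082 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
#   rootfs:s0 tclass=file permissive=0
allow aee_aedv rootfs:file r_file_perms;

# Purpose: /sys/kernel/debug/dynamic_debug
# 01-01 00:33:28.340000   338   338 W aee_aedv: type=1400 audit(0.0:104): avc: denied { search }
#   for name="dynamic_debug" dev="debugfs" ino=8182 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
#   debugfs_dynamic_debug:s0 tclass=dir permissive=0
allow aee_aedv debugfs_dynamic_debug:dir search;
allow aee_aedv debugfs_dynamic_debug:file r_file_perms;

# Purpose:
# [  241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
#   for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
#   tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
# NOTE(review): the quoted denial is a read of a generic sysfs file, but the
# rule grants write on sysfs_mrdump_lbaooo. The two do not match; the
# justification for the write rule is not in this file.
allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms;

# Purpose: Allow aee_aedv to use HwBinder IPC.
hwbinder_use(aee_aedv)
get_prop(aee_aedv, hwservicemanager_prop)

# Purpose: Allow aee_aedv access to vendor/bin/mtkcam-debug, which in turn invokes ICameraProvider
# - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956
#   scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
# - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED)
hal_client_domain(aee_aedv, hal_camera)
allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
binder_call(aee_aedv, mtk_hal_camera)

# Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status
allow aee_aedv selinuxfs:file r_file_perms;

# Purpose: Allow aee_aedv to read /proc/pid/exe
#allow aee_aedv exec_type:file r_file_perms;

# Purpose: mrdump db flow and pre-allocation
# mrdump db flow
allow aee_aedv sysfs_dt_firmware_android:dir search;
allow aee_aedv sysfs_dt_firmware_android:file r_file_perms;
# NOTE(review): module_request lets the daemon trigger kernel module
# autoloading; confirm the mrdump flow depends on it.
allow aee_aedv kernel:system module_request;
allow aee_aedv metadata_file:dir search;
# pre-allocation
allow aee_aedv self:capability linux_immutable;
# NOTE(review): raw write access to the userdata block device bypasses the
# filesystem's own permission checks for everything on that partition. If
# pre-allocation only needs the FS ioctls granted by the allowxperm rule
# below, the blk_file write may not be required.
allow aee_aedv userdata_block_device:blk_file { read write open };
allow aee_aedv para_block_device:blk_file rw_file_perms;
allow aee_aedv mrdump_device:blk_file rw_file_perms;
allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl {
    FS_IOC_GETFLAGS
    FS_IOC_SETFLAGS
    F2FS_IOC_GET_PIN_FILE
    F2FS_IOC_SET_PIN_FILE
    FS_IOC_FIEMAP
};

# Purpose: allow vendor aee read lowmemorykiller logs
# file path: /sys/module/lowmemorykiller/parameters/
allow aee_aedv sysfs_lowmemorykiller:dir search;
allow aee_aedv sysfs_lowmemorykiller:file r_file_perms;

# Purpose: Allow aee read /sys/class/misc/scp/scp_dump
allow aee_aedv sysfs_scp:dir r_dir_perms;
allow aee_aedv sysfs_scp:file r_file_perms;

# Purpose: Allow aee read /sys/class/misc/adsp/adsp_dump
allow aee_aedv sysfs_adsp:dir r_dir_perms;
allow aee_aedv sysfs_adsp:file r_file_perms;

# Purpose: allow aee_aedv self to kill
# (fsetid, sys_nice, chown and fowner are already granted by the /proc/pid/
# capability rule above; only kill was new in this rule.)
allow aee_aedv self:capability kill;

# Purpose: allow aee_aedv to read /proc/buddyinfo
allow aee_aedv proc_buddyinfo:file r_file_perms;

# Purpose: allow aee_aedv to read /proc/cmdline
allow aee_aedv proc_cmdline:file r_file_perms;

# Purpose: allow aee_aedv to read /proc/slabinfo
allow aee_aedv proc_slabinfo:file r_file_perms;

# Purpose: allow aee_aedv to read /proc/stat
allow aee_aedv proc_stat:file r_file_perms;

# Purpose: allow aee_aedv to read /proc/version
allow aee_aedv proc_version:file r_file_perms;

# Purpose: allow aee_aedv to read /proc/vmallocinfo
allow aee_aedv proc_vmallocinfo:file r_file_perms;

# Purpose: allow aee_aedv to read /proc/vmstat
allow aee_aedv proc_vmstat:file r_file_perms;

# Purpose: Allow aee_aedv to write /proc/cpu/alignment
# (the rule grants w_file_perms, not read)
allow aee_aedv proc_cpu_alignment:file w_file_perms;

# Purpose: Allow aee_aedv to read /proc/gpulog
allow aee_aedv proc_gpulog:file r_file_perms;

# Purpose: Allow aee_aedv to read /proc/chip/hw_ver
allow aee_aedv proc_chip:file r_file_perms;

# Purpose: Allow aee_aedv to read /proc/sched_debug
allow aee_aedv proc_sched_debug:file r_file_perms;

# Purpose: Allow aee_aedv to search the /proc/atf_log directory
# (only dir search is granted here; no file read rule accompanies it)
allow aee_aedv proc_atf_log:dir search;

# Purpose: Allow aee_aedv to read /proc/last_kmsg
allow aee_aedv proc_last_kmsg:file r_file_perms;

# Purpose: Allow aee_aedv to access /sys/devices/virtual/timed_output/vibrator/enable
allow aee_aedv sysfs_vibrator_setting:dir search;
allow aee_aedv sysfs_vibrator_setting:file w_file_perms;
allow aee_aedv sysfs_vibrator:dir search;

# Purpose: Allow aee_aedv to read /sys/kernel/debug/rcu/rcu_callback_log
allow aee_aedv debugfs_rcu:file r_file_perms;

# Purpose: Allow aee_aedv to read/write /proc/ufs_debug
allow aee_aedv proc_ufs_debug:file rw_file_perms;

# Purpose: Allow aee_aedv to read /proc/msdc_debug
allow aee_aedv proc_msdc_debug:file r_file_perms;

# Purpose: Allow aee_aedv to read /proc/pidmap
allow aee_aedv proc_pidmap:file r_file_perms;

# Purpose: Allow aee_aedv to read /sys/power/vcorefs/vcore_debug
allow aee_aedv sysfs_vcore_debug:file r_file_perms;

# Purpose: Allow aee_aedv to read /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
allow aee_aedv sysfs_boot_mode:file r_file_perms;

# Purpose: Allow aee_aedv to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
userdebug_or_eng(`
    allow aee_aedv debugfs_tracing_debug:file { rw_file_perms };
')

# Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace
# (the target type is proc_slabtrace; confirm the path in the comment)
allow aee_aedv proc_slabtrace:file r_file_perms;

# Purpose: Allow aee_aedv to read /proc/mtk_cmdq_debug/status
allow aee_aedv proc_cmdq_debug:file r_file_perms;

# temp solution
get_prop(aee_aedv, vendor_default_prop)

# /data/dipdebug
allow aee_aedv aee_dipdebug_vendor_file:dir r_dir_perms;
allow aee_aedv aee_dipdebug_vendor_file:file r_file_perms;
allow aee_aedv proc_isp_p2:dir r_dir_perms;
allow aee_aedv proc_isp_p2:file r_file_perms;

allow aee_aedv connsyslog_data_vendor_file:file r_file_perms;
allow aee_aedv connsyslog_data_vendor_file:dir r_dir_perms;

# Purpose: Allow aee_aedv to read the /proc/*/exe of vendor process
# NOTE(review): vendor_file_type is an attribute covering every vendor file
# type, so this grants read on far more than executables. A narrower target
# (e.g. the exec types actually dumped) would match the stated purpose.
allow aee_aedv vendor_file_type:file r_file_perms;

# Purpose: Allow aee_aedv to read /sys/kernel/debug/smi_mon
allow aee_aedv debugfs_smi_mon:file r_file_perms;

# Purpose: Allow aee_aedv to read /proc/isp_p2/isp_p2_kedump
allow aee_aedv proc_isp_p2_kedump:file r_file_perms;

# Purpose: Allow aee_aedv to read /sys/kernel/debug/vpu/vpu_memory
allow aee_aedv debugfs_vpu_memory:file r_file_perms;

# Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo
allow aee_aedv proc_dbg_repo:file r_file_perms;

# Purpose: Allow aee_aedv to read /proc/pl_lk
allow aee_aedv proc_pl_lk:file r_file_perms;

# Purpose: Allow aee_aedv to read the aed reboot reason from procfs
allow aee_aedv proc_aed_reboot_reason:file r_file_perms;

# Purpose: Allow aee_aedv to write /proc/sys/vm/drop_caches
allow aee_aedv proc_drop_caches:file rw_file_perms;

# Purpose: Allow aee_aedv to read /proc/wmt_aee
allow aee_aedv proc_wmt_aee:file r_file_perms;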