# ==============================================
# MTK Policy Rule
# ==============================================
# Vendor additions to the dumpstate domain. The denial logs quoted below show
# the aee_dumpstate process running with scontext=u:r:dumpstate:s0, so each
# allow rule here adds to what that domain can reach.
# Types and permission macros used below (set_prop, r_file_perms, rw_file_perms,
# r_dir_perms, w_dir_perms, create_file_perms) are defined outside this file.
# NOTE(review): some Purpose comments describe a narrower or different access
# than the rule actually grants; those spots carry an inline NOTE(review).

# Purpose: aee_dumpstate set surfaceflinger property
set_prop(dumpstate, debug_bq_dump_prop);

# Purpose: access dev/aed0
# Read and getattr only; no write or ioctl on the aed character device.
allow dumpstate aed_device:chr_file { read getattr };

# Purpose: data/dumpsys/*
# Directory write plus file create permissions: dumpstate writes its output here.
allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
allow dumpstate aee_dumpsys_data_file:file { create_file_perms };

# Purpose: data/aee_exp/*
allow dumpstate aee_exp_data_file:dir { w_dir_perms };
allow dumpstate aee_exp_data_file:file { create_file_perms };

# Purpose: debugfs files
# All rules in this group are read-side only (read/open on files, search or
# read/open on directories, read on one symlink).
# NOTE(review): debugfs nodes expose kernel internals that end up in the
# collected report. Confirm these grants are still needed on user builds, or
# whether they should be limited to debug builds (e.g. with userdebug_or_eng)
# -- TODO confirm against the target platform's debugfs restrictions.
allow dumpstate debugfs_binder:dir { read open };
allow dumpstate debugfs_binder:file { read open };
allow dumpstate debugfs_blockio:file { read open };
allow dumpstate debugfs_fb:dir search;
allow dumpstate debugfs_fb:file { read open };
allow dumpstate debugfs_fuseio:dir search;
allow dumpstate debugfs_fuseio:file { read open };
allow dumpstate debugfs_ged:dir search;
allow dumpstate debugfs_ged:file { read open };
allow dumpstate debugfs_rcu:dir search;
allow dumpstate debugfs_shrinker_debug:file { read open };
allow dumpstate debugfs_wakeup_sources:file { read open };
allow dumpstate debugfs_dmlog_debug:file { read open };
allow dumpstate debugfs_page_owner_slim_debug:file { read open };
allow dumpstate debugfs_ion_mm_heap:dir search;
allow dumpstate debugfs_ion_mm_heap:file { read open };
allow dumpstate debugfs_ion_mm_heap:lnk_file read;
allow dumpstate debugfs_cpuhvfs:dir search;
allow dumpstate debugfs_cpuhvfs:file { read open };
allow dumpstate debugfs_vpu_device_dbg:file { read open };

# Purpose: /sys/kernel/ccci/md_chn
allow dumpstate sysfs_ccci:dir search;
allow dumpstate sysfs_ccci:file { read open };

# Purpose: leds status
allow dumpstate sysfs_leds:lnk_file read;

# Purpose: /sys/module/lowmemorykiller/parameters/adj
allow dumpstate sysfs_lowmemorykiller:file { read open };
allow dumpstate sysfs_lowmemorykiller:dir search;

# Purpose: /dev/block/mmcblk0p10
# NOTE(review): this grants write and ioctl on a raw block device node, not only
# read. Confirm that dumpstate has to write to expdb; if it only collects the
# contents, { read open } would cover it. The mapping from the path above to
# expdb_block_device is made in file_contexts, which is not visible here.
allow dumpstate expdb_block_device:blk_file { read write ioctl open };

#/data/anr/SF_RTT
# Directory traversal and stat only; file reads are granted by the sf_rtt_file:file
# rule further down.
allow dumpstate sf_rtt_file:dir { search getattr };

# Date : 2017/03/22
# Operation : add fd use selinux rule
# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
# dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
# tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
# NOTE(review): the quoted denial has tcontext=u:r:aee_aed:s0, but both rules
# below target crash_dump, and the unix_stream_socket permissions (including
# connectto) are not part of that denial. Confirm the intended target domain
# and record the denial that justifies the socket rule.
allow dumpstate crash_dump:fd use;
allow dumpstate crash_dump:unix_stream_socket { read write ioctl connectto };

# private define
# allow dumpstate config_gz:file read;

# No purpose recorded for this rule; presumably it pairs with the "leds status"
# lnk_file rule above by allowing the sysfs_leds directory to be read -- confirm.
allow dumpstate sysfs_leds:dir r_dir_perms;

# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# sf_bqdump_data_file:s0 tclass=dir permissive=0
# Read-only access to the directory named in the denial and to the files in it.
allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
allow dumpstate sf_bqdump_data_file:file r_file_perms;

# Purpose:
# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# tracing_shell_writable:s0 tclass=file permissive=1
# NOTE(review): the quoted denial is { open } on tracing_shell_writable, logged
# with permissive=1, while the rule grants rw_file_perms (read and write) on
# debugfs_tracing. Confirm that this is the right target type and that write
# access to tracing files is required.
allow dumpstate debugfs_tracing:file rw_file_perms;

# Date : WK17.03
# Purpose: Allow to access gpu
# Only directory search on gpu_device is granted by this rule.
allow dumpstate gpu_device:dir search;

# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
allow dumpstate mtk_hal_camera:binder { call };

# Purpose: Allow aee_dumpstate to read /proc/slabinfo
allow dumpstate proc_slabinfo:file r_file_perms;

# Purpose: Allow aee_dumpstate to read /proc/zraminfo
allow dumpstate proc_zraminfo:file r_file_perms;

# Purpose: Allow aee_dumpstate to read /proc/gpulog
allow dumpstate proc_gpulog:file r_file_perms;

# Purpose: Allow aee_dumpstate to read /proc/sched_debug
allow dumpstate proc_sched_debug:file r_file_perms;

# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
allow dumpstate proc_chip:file r_file_perms;

# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
# Write only; no read or open is granted by this rule.
allow dumpstate sysfs_vibrator_setting:file write;

# Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
allow dumpstate debugfs_rcu:file r_file_perms;

# Purpose: Allow dumpstate to read /proc/ufs_debug
# NOTE(review): the rule grants rw_file_perms, i.e. write as well as the read
# stated above. Confirm that write is needed, or narrow to r_file_perms.
allow dumpstate proc_ufs_debug:file rw_file_perms;

# Purpose: Allow dumpstate to read /proc/msdc_debug
allow dumpstate proc_msdc_debug:file r_file_perms;

# Purpose: Allow dumpstate to r/w /proc/pidmap
allow dumpstate proc_pidmap:file rw_file_perms;

# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
allow dumpstate sysfs_vcore_debug:file r_file_perms;

# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
allow dumpstate sf_rtt_file:file r_file_perms;

#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
# NOTE(review): the rule is read-only (r_file_perms) and the type is named
# proc_slabtrace, so the "read/write" wording and the /sys path above look
# stale -- verify against the labeling rules for this type.
allow dumpstate proc_slabtrace:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
allow dumpstate proc_cmdq_debug:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
allow dumpstate proc_dbg_repo:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_dump
allow dumpstate proc_isp_p2_dump:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_kedump
allow dumpstate proc_isp_p2_kedump:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/mali/memory_usage
allow dumpstate proc_memory_usage:file r_file_perms;

#Purpose: Allow dumpstate to read /proc/mtk_es_reg_dump
allow dumpstate proc_mtk_es_reg_dump:file r_file_perms;

#Purpose: Allow dumpstate to read /sys/power/mtkpasr/execstate
allow dumpstate sysfs_execstate:file r_file_perms;

# No purpose recorded; read access to the proc_isp_p2 directory and its files
# (presumably /proc/isp_p2, going by the isp_p2 paths above -- confirm).
allow dumpstate proc_isp_p2:dir r_dir_perms;
allow dumpstate proc_isp_p2:file r_file_perms;

# Date : W19.26
# Operation : Migration
# Purpose : fix google dumpstate avc error in xTS
allow dumpstate debugfs_mmc:dir search;
allow dumpstate mnt_media_rw_file:dir getattr;

# Date: 19/07/15
# Purpose: fix google dumpstate avc error in xTs
allow dumpstate sysfs_devices_block:file r_file_perms;
allow dumpstate proc_last_kmsg:file r_file_perms;

# Date: 19/07/15
# Purpose: Allow dumpstate to read /sys/kernel/debug/kmemleak
allow dumpstate debugfs_kmemleak:file r_file_perms;

#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
allow dumpstate sysfs_adsp:file r_file_perms;

#Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
allow dumpstate debugfs_smi_mon:file r_file_perms;

# MTEE Trusty
# NOTE(review): no purpose or denial is recorded for this rule, and
# rw_file_perms includes write. Confirm which files carry mtee_trusty_file and
# whether dumpstate needs more than read access to them.
allow dumpstate mtee_trusty_file:file rw_file_perms;

# 09-05 15:58:31.552000 9693 9693 W df : type=1400 audit(0.0:990):
# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
# The denial covers search only; getattr is granted in addition.
allow dumpstate mnt_expand_file:dir { search getattr };

#Purpose: Allow dumpstate to read /dev/usb-ffs
# This rule grants getattr (stat) only; read and open are not granted here.
allow dumpstate functionfs:file { getattr };