# ==============================================
# Policy File of /system/bin/aee_aed Executable File
#
# SEPolicy for the MTK AEE daemon (aee_aed). It is a coredomain process and is
# exempted from MLS constraints (mlstrustedsubject). Rules below that are
# wrapped in userdebug_or_eng() are only compiled into userdebug/eng builds.
#
# NOTE(review): several rules are granted against the `domain` attribute, i.e.
# every process domain on the device, and the self:capability set includes
# capabilities that the accompanying comments do not explain (see the notes
# at each rule). They should be audited against the AOSP neverallow rules of
# the target release before this policy is shipped on user builds.

# ==============================================
# Type Declaration
# ==============================================
# File label for the daemon binary; the process domain `aee_aed` itself is
# declared elsewhere (not in this file).
type aee_aed_exec, system_file_type, exec_type, file_type;
typeattribute aee_aed coredomain;
typeattribute aee_aed mlstrustedsubject;

# Transition from init into the aee_aed domain when init execs aee_aed_exec.
init_daemon_domain(aee_aed)

# ==============================================
# MTK Policy Rule
# ==============================================

# AED start: /dev/block/expdb
allow aee_aed block_device:dir search;

# aee db dir and db files
# NOTE(review): create_dir_perms/create_file_perms on all of sdcard_type, not
# just the db directory -- the type is shared with user-visible storage.
allow aee_aed sdcard_type:dir create_dir_perms;
allow aee_aed sdcard_type:file create_file_perms;

#data/anr
allow aee_aed anr_data_file:dir create_dir_perms;
allow aee_aed anr_data_file:file create_file_perms;

# `domain` is the attribute carried by every process domain, so these two rules
# let aee_aed signal, kill and inspect any process on the device.
# NOTE(review): if the daemon only needs to act on crashing app processes,
# consider narrowing the target (e.g. appdomain) instead of `domain`.
allow aee_aed domain:process { sigkill getattr getsched signal };
allow aee_aed domain:lnk_file getattr;

#core-pattern
allow aee_aed usermodehelper:file r_file_perms;

#suid_dumpable. this is neverallow
# Kept commented out: read access to proc_security is blocked by a neverallow,
# so enabling this line would fail the policy build.
#allow aee_aed proc_security:file r_file_perms;

#allow aee_aed call binaries labeled "system_file" under /system/bin/
# execute_no_trans: the executed binary keeps running in the aee_aed domain,
# i.e. with every permission and capability granted in this file.
allow aee_aed system_file:file execute_no_trans;

allow aee_aed init:process getsched;
allow aee_aed kernel:process getsched;

# Date: W15.34
# Operation: Migration
# Purpose: For pagemap & pageflags information in NE DB
# userdebug/eng only.
userdebug_or_eng(`allow aee_aed self:capability sys_admin;')

# Purpose: allow aee_aed to access toolbox
allow aee_aed toolbox_exec:file rx_file_perms;

# Purpose: mnt/user/*
allow aee_aed mnt_user_file:dir search;
allow aee_aed mnt_user_file:lnk_file read;

allow aee_aed storage_file:dir search;
allow aee_aed storage_file:lnk_file read;

# Date : WK17.09
# Operation : AEE UT for Android O
# Purpose : for AEE module to dump files
# Executing dumpstate_exec from aee_aed automatically transitions into the
# dumpstate domain (unlike the execute_no_trans rule above).
domain_auto_trans(aee_aed, dumpstate_exec, dumpstate)

# Purpose : aee_aed communicate with aee_core_forwarder
# allow aee_aed aee_core_forwarder:dir search;
# allow aee_aed aee_core_forwarder:file { read getattr open };

# userdebug/eng only: read access to files owned by the su domain.
userdebug_or_eng(`
 allow aee_aed su:dir {search read open };
 allow aee_aed su:file { read getattr open };
')

# /data/tombstone
allow aee_aed tombstone_data_file:dir w_dir_perms;
allow aee_aed tombstone_data_file:file create_file_perms;

# /proc/pid/
# NOTE(review): the comment only justifies /proc/<pid> access, but the set also
# grants sys_module, net_admin, setuid and setgid, which are unrelated to
# reading /proc. Each of these should be justified or dropped; sys_module in
# particular is restricted by neverallow rules in recent AOSP releases
# (verify against the target release). The later rule
# "self:capability { sys_nice chown fowner kill }" is a strict subset of this
# one and is redundant.
allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };

# system(cmd) aee_dumpstate aee_archive
# The shell spawned by system() runs in the aee_aed domain (no transition), so
# whatever command string is passed inherits this domain's permissions.
allow aee_aed shell_exec:file rx_file_perms;

# PROCESS_FILE_STATE
allow aee_aed dumpstate:unix_stream_socket { read write ioctl };
allow aee_aed dumpstate:dir search;
allow aee_aed dumpstate:file r_file_perms;

# logd reader socket: lets the daemon pull logs from logd.
allow aee_aed logdr_socket:sock_file write;
allow aee_aed logd:unix_stream_socket connectto;
#allow aee_aed system_ndebug_socket:sock_file write;

# vibrator
allow aee_aed sysfs_vibrator:file w_file_perms;

# Date : 2017/03/22
# Operation : add NE flow rule for Android O
# Purpose : let aee_aed get NE info for a specific process
# NOTE(review): granted against `domain`, so this is read access to the
# /proc/<pid> tree of every process, not only the one being inspected.
allow aee_aed domain:dir r_dir_perms;
allow aee_aed domain:{ file lnk_file } r_file_perms;

allow aee_aed dalvikcache_data_file:dir r_dir_perms;
#allow aee_aed zygote_exec:file r_file_perms;
#allow aee_aed init_exec:file r_file_perms;

# Date : 2017/04/06
# Operation : add selinux rule for crash_dump notify aee_aed
# Purpose : let aee_aed receive notifications from crash_dump
allow aee_aed crash_dump:dir search;
allow aee_aed crash_dump:file r_file_perms;

# Purpose : allow aee_aed to read /proc/version
allow aee_aed proc_version:file { read open };

# Purpose : allow aee_aed self to sys_nice/chown/kill
# NOTE(review): already covered by the larger self:capability rule above; this
# line adds nothing and can be removed (or the larger rule trimmed to this).
allow aee_aed self:capability { sys_nice chown fowner kill };

# Purpose: Allow aee_aed to write /sys/kernel/debug/tracing/snapshot
# userdebug/eng only.
userdebug_or_eng(`allow aee_aed debugfs_tracing_debug:file { write open };')

# Purpose: Allow aee_aed to read/write /sys/kernel/debug/tracing/tracing_on
#userdebug_or_eng(` allow aee_aed debugfs_tracing:file { r_file_perms write };')

# Purpose: receive dropbox message
# Binder access to servicemanager (to find dropbox_service) and system_server
# (which hosts it).
allow aee_aed dropbox_data_file:file {getattr read};
allow aee_aed dropbox_service:service_manager find;
allow aee_aed servicemanager:binder call;
allow aee_aed system_server:binder call;

# Purpose: allow aee_aed to read packages.list
allow aee_aed packages_list_file:file r_file_perms;

# Purpose: Allow aee_aed to read /proc/*/exe
# NOTE(review): the rule is wider than the comment -- it grants read on every
# file labeled with a system_file_type type, not just the /proc/*/exe targets.
allow aee_aed system_file_type:file r_file_perms;