# ==============================================
# MTK Policy Rule
# ==============================================
# Vendor (MediaTek) additions to the AOSP system_server domain. Every rule in
# this file widens system_server, so each one should stay tied to the feature
# that needs it and use the narrowest class/permission set that works.

# Access devices.
# NOTE(review): qemu_pipe_device is presumably the emulator pipe; the rule is
# inert when the node is absent, but confirm it is wanted in a device policy.
allow system_server touch_device:chr_file rw_file_perms;
allow system_server stpant_device:chr_file rw_file_perms;
allow system_server devmap_device:chr_file r_file_perms;
allow system_server irtx_device:chr_file rw_file_perms;
allow system_server qemu_pipe_device:chr_file rw_file_perms;
# Write-only (w_file_perms): nothing in this file lets system_server read or
# ioctl the wmtWifi node.
allow system_server wmtWifi_device:chr_file w_file_perms;
11
# Add for bootprof
# Read/write on the boot-profiling proc entry (proc_bootprof).
allow system_server proc_bootprof:file rw_file_perms;

# /data/core access.
# Directory read/search only; this file grants no access to the core files
# themselves.
allow system_server aee_core_data_file:dir r_dir_perms;

# Perform Binder IPC.
# NOTE(review): `impersonate` lets system_server act as zygote in Binder
# transactions. It is a strong grant and no justification is recorded here;
# confirm which code path needs it and whether AOSP already provides it.
allow system_server zygote:binder impersonate;

# Property service.
# Lets system_server set the ctl_bootanim_prop type (presumably the ctl.*
# property that starts/stops bootanim).
allow system_server ctl_bootanim_prop:property_service set;

# For dumpsys.
# Write-only (w_file_perms) into the AEE dumpsys/exception dump files; no
# read-back is granted here.
allow system_server aee_dumpsys_data_file:file w_file_perms;
allow system_server aee_exp_data_file:file w_file_perms;
27
# Dump native process backtrace.
# Deliberately left disabled: exec_type is the attribute shared by every
# executable file type, so enabling this would let system_server read all
# binaries. If a backtrace helper needs particular binaries, allow those
# types individually instead of re-enabling this line.
#allow system_server exec_type:file r_file_perms;

# Querying zygote socket.
# getopt/getattr only: system_server may inspect the socket but this rule
# grants no read/write on it.
allow system_server zygote:unix_stream_socket { getopt getattr };

# Communicate over a socket created by mnld process.
# NOTE(review): no rule follows this header. It is either stale or the grant
# lives elsewhere (e.g. mnld.te); remove the header or restore the rule.

# Allow system_server to read /sys/kernel/debug/wakeup_sources
# Read-only. NOTE(review): debugfs is typically not mounted on user builds;
# confirm this is needed outside eng/userdebug.
allow system_server debugfs_wakeup_sources:file r_file_perms;

# Allow system_server to read/write /sys/power/dcm_state
allow system_server sysfs_dcm:file rw_file_perms;
41
# Date : WK16.36
# Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW
# NOTE(review): log_tag_prop presumably covers every log.tag.* property, not
# only log.tag.WifiHW; the grant is wider than the stated purpose.
allow system_server log_tag_prop:property_service set;

# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
# Read/write on surfaceflinger-owned pipes (fifo_file), not on the process.
allow system_server surfaceflinger:fifo_file rw_file_perms;

# Date : W16.42
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
# `search` only: path traversal through these directories, no listing.
allow system_server gpu_device:dir search;
allow system_server debugfs_gpu_img:dir search;

# Date : W16.43
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
# NOTE(review): ioctl is granted here without an allowxperm whitelist, unlike
# the proc_perfmgr and proc_ged rules later in this file. If the driver needs
# only a few sw_sync ioctls, restrict them with allowxperm.
allow system_server sw_sync_device:chr_file { read write getattr open ioctl };
61
# Date : WK16.44
# Purpose: Allow to access UART1 ttyMT1
# Date : WK17.52
# Purpose: Allow to access UART1 ttyS
# Both UART device types get the same read/write grant, so they are written
# as one type set; the expanded policy is identical to two separate rules.
# NOTE(review): a serial port is a common debug-console path - confirm both
# device types are needed on user builds.
allow system_server { ttyMT_device ttyS_device }:chr_file rw_file_perms;
69
# Date:W16.46
# Operation : thermal hal Feature developing
# Purpose : thermal hal interface permission
# Read-only access to the MTK thermal-zone proc entries.
allow system_server proc_mtktz:dir search;
allow system_server proc_mtktz:file r_file_perms;

# Date:W17.02
# Operation : audio hal developing
# Purpose : audio hal interface permission
# system_server may read and change the scheduling of the audio HAL process
# (getsched/setsched); no other process permissions are granted.
allow system_server mtk_hal_audio:process { getsched setsched };

# Date:W17.07
# Operation : bt hal
# Purpose : bt hal interface permission
# binder_call() is the standard macro for a client talking to a HAL domain
# (in AOSP's te_macros it grants call/transfer, the reverse transfer, and
# fd use).
binder_call(system_server, mtk_hal_bluetooth)

# Date:W17.08
# Operation : sensors hal developing
# Purpose : sensors hal interface permission
binder_call(system_server, mtk_hal_sensors)

# Operation : light hal developing
# Purpose : light hal interface permission
binder_call(system_server, mtk_hal_light)

# Date:W17.21
# Operation : gnss hal
# Purpose : gnss hal interface permission
# hal_client_domain() marks system_server as a client of hal_gnss, which adds
# the hwservice/binder rules that go with the attribute.
hal_client_domain(system_server, hal_gnss)
99
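# Date : W18.01
# Add for turn on SElinux in enforcing mode
# Read/traverse the vendor_framework_file directory. The target class is
# `dir`, so the dir macro is used: r_dir_perms includes `search`, which
# r_file_perms (intended for the file class) does not - without `search`,
# lookups of any path through the directory are denied.
allow system_server vendor_framework_file:dir r_dir_perms;

# Fix bootup violation
allow system_server vendor_framework_file:file getattr;
# Read the wifi_prop property type. get_prop() is the macro used for the other
# property reads in this file; it expands to r_file_perms on the property
# file, which includes `map`. Properties are read through mmap, so a bare
# { read getattr open } set is likely insufficient on kernels that enforce
# the map permission.
get_prop(system_server, wifi_prop)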
107
# Date:W17.22
# Operation : add aee_aed socket rule
# Purpose : type=1400 audit(0.0:134519): avc: denied { connectto }
#           for comm=4572726F722064756D703A20737973
#           path=00636F6D2E6D746B2E6165652E6165645F3634
#           scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0
#           tclass=unix_stream_socket permissive=0
# connectto only: system_server may connect to the aee_aed socket; read/write
# on the resulting connection is not granted by this rule.
allow system_server aee_aed:unix_stream_socket connectto;

#Dat: 2017/02/14
#Purpose: allow get telephony Sensitive property
# NOTE(review): the type name marks these properties as sensitive; record
# which property and which consumer in system_server need it.
get_prop(system_server, mtk_telephony_sensitive_prop)

# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
# NOTE(review): this is a subset of the r_file_perms grant on
# debugfs_wakeup_sources earlier in this file, so the rule is redundant, and
# the "A/B system" header does not match what it grants. Safe to drop.
allow system_server debugfs_wakeup_sources:file { read getattr open };
125
# Date:W17.26
# Operation : imsa hal
# Purpose : imsa hal interface permission
binder_call(system_server, mtk_hal_imsa)

# Date:W17.28
# Operation : camera hal developing
# Purpose : camera hal binder_call permission
binder_call(system_server, mtk_hal_camera)

# Date:W17.31
# Operation : mpe sensor hidl developing
# Purpose : mpe sensor hidl permission
# NOTE(review): the header says "mpe sensor" but the target domain is mnld;
# presumably mnld hosts that HIDL interface - confirm.
binder_call(system_server, mnld)

# Date : WK17.32
# Operation : Migration
# Purpose : for network log dumpsys setting/netd information
#           audit(0.0:914): avc: denied { write } for path="pipe:[46088]"
#           dev="pipefs" ino=46088 scontext=u:r:system_server:s0
#           tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1
# write only, on a netdiag-owned pipe; matches the denial above exactly.
allow system_server netdiag:fifo_file write;
148
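# Date : WK17.32
# Operation : Migration
# Purpose : for DHCP Client ip recover functionality
# rw_dir_perms already includes `search`, so the separate search rule that
# used to precede it is dropped; the granted permissions are unchanged.
# create_file_perms lets system_server create, rename, unlink and read/write
# files under dhcp_data_file.
# NOTE(review): that is broader than "recover the IP"; confirm which files are
# touched and narrow the file permissions if possible.
allow system_server dhcp_data_file:dir rw_dir_perms;
allow system_server dhcp_data_file:file create_file_perms;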
155
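# Date:W17.35
# Operation : lbs hal
# Purpose : lbs hidl interface permission
hal_client_domain(system_server, mtk_hal_lbs)

# Date : WK17.12
# Operation : MT6799 SQC
# Purpose : Change thermal config
# Read the mtk_thermal_config_prop property type. get_prop() is the macro used
# for the other property reads in this file; it expands to r_file_perms on
# the property file, which includes `map`. Properties are read through mmap,
# so a bare { getattr open read } set is likely insufficient on kernels that
# enforce the map permission.
get_prop(system_server, mtk_thermal_config_prop)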
165
166
# Date : WK17.43
# Operation : Migration
# Purpose : perfmgr permission
# Look up the MTK power HAL hwservice and read the perfmgr proc interface.
allow system_server mtk_hal_power_hwservice:hwservice_manager find;
allow system_server proc_perfmgr:dir {read search};
allow system_server proc_perfmgr:file {open read ioctl};
# ioctl is restricted to the named FPSGO commands below (allowxperm); any
# other ioctl on proc_perfmgr is still denied. This is the pattern the other
# ioctl grants in this file should follow.
allowxperm system_server proc_perfmgr:file ioctl {
  PERFMGR_FPSGO_QUEUE
  PERFMGR_FPSGO_DEQUEUE
  PERFMGR_FPSGO_QUEUE_CONNECT
  PERFMGR_FPSGO_BQID
};
179
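# Date : W18.22
# Operation : MTK wifi hal migration
# Purpose : MTK wifi hal interface permission
binder_call(system_server, mtk_hal_wifi)

# Date : WK18.33
# Purpose : type=1400 audit(0.0:1592): avc: denied { read }
#           for comm=4572726F722064756D703A20646174 name=
#           "u:object_r:persist_mtk_aee_prop:s0" dev="tmpfs"
#           ino=10312 scontext=u:r:system_server:s0 tcontext=
#           u:object_r:persist_mtk_aee_prop:s0 tclass=file permissive=0
# Read access to the persist_mtk_aee_prop property type, matching the denial
# above. Written without a trailing `;` like the other get_prop() uses in
# this file: the macro already expands to complete rules.
get_prop(system_server, persist_mtk_aee_prop)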
192
# Date : W19.15
# Operation : alarm device permission
# Purpose : support power-off alarm
allow system_server alarm_device:chr_file rw_file_perms;

# Date : WK19.7
# Operation: Q migration
# Purpose : Allow system_server to use ioctl/ioctlcmd
# rw_file_perms includes ioctl; the allowxperm line limits which ioctl
# commands are permitted to the proc_ged_ioctls set defined elsewhere.
allow system_server proc_ged:file rw_file_perms;
allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };
203
# Date: 2019/06/14
# Operation : Migration
get_prop(system_server, vendor_default_prop)

# Date: 2019/06/14
# Operation : when WFD turnning on, turn off hdmi
# Find the HDMI hwservice and call into the HAL process. Only `call` is
# granted here, not `transfer` or `fd use`; if the HAL replies with Binder
# objects or file descriptors, use binder_call(system_server, mtk_hal_hdmi)
# like the other HAL rules in this file.
allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find;
allow system_server mtk_hal_hdmi:binder call;
212