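# ==============================================
# MTK Policy Rule
# ==============================================
#
# Every block in this file follows the same shape: a broad neverallow on a
# generic label with an explicit exemption list, followed by narrowing
# neverallows that cap each exempted domain to the permission set it is
# known to need. A domain that appears in an exemption list but in no
# narrowing rule is therefore left uncapped by this file for that label;
# such cases are called out with NOTE(review) comments below.
#
# m4 note: the rule bodies are inside full_treble_only(` ... '), so
# comments inside them must not contain apostrophes or backticks.

# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
# TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations.
# allow hal_usb sysfs:file write;
# hal_server_domain(mtk_hal_usb, hal_usb)
#
# r_dir_file(hal_wifi, sysfs_type)
# hal_server_domain(mtk_hal_wifi, hal_wifi)
#
full_treble_only(`
  # Nothing outside this list may touch sysfs:file at all.
  neverallow ~{
    init
    merged_hal_service
    mtk_hal_bluetooth
    # TODO(b/152082918) Remove mtk_hal_camera line when permissions are fixed.
    mtk_hal_camera
    mtk_hal_power
    mtk_hal_usb
    mtk_hal_wifi
    hal_bluetooth_btlinux
    hal_bluetooth_default
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    hal_fingerprint_default
    hal_radio_config_default
    hal_radio_default
    hal_usb_default
    hal_wifi_default
    hal_wifi_supplicant_default
    rild
    tee
    ueventd
    vendor_init
    vold
  } sysfs:file *;

  # Read-only access for the HAL, radio and TEE domains exempted above.
  neverallow {
    merged_hal_service
    mtk_hal_bluetooth
    mtk_hal_power
    mtk_hal_wifi
    hal_bluetooth_btlinux
    hal_bluetooth_default
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    hal_fingerprint_default
    hal_radio_config_default
    hal_radio_default
    hal_wifi_default
    hal_wifi_supplicant_default
    rild
    tee
  } sysfs:file ~r_file_perms;

  # Read plus write/setattr/append/relabel for init-like and USB domains.
  neverallow {
    hal_usb_default
    init
    mtk_hal_usb
    ueventd
    vendor_init
    vold
  } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };

  # NOTE(review): mtk_hal_camera is exempted from the sysfs:file * rule
  # above but appears in neither narrowing rule, so this block places no
  # cap on its sysfs:file permissions until b/152082918 is resolved.
')

# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
#
# r_dir_file(hal_audio, proc)
# hal_server_domain(mtk_hal_audio, hal_audio)
# hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
  # Nothing outside this list may touch proc:file at all.
  neverallow ~{
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    hal_graphics_allocator_default
    init
    merged_hal_service
    mtk_hal_audio
    rild
    system_server
    vendor_init
    vold
  } proc:file *;

  # Read-only access for every exempted domain except vendor_init.
  neverallow {
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    hal_graphics_allocator_default
    init
    merged_hal_service
    mtk_hal_audio
    rild
    system_server
    vold
  } proc:file ~r_file_perms;

  # vendor_init additionally gets setattr.
  neverallow vendor_init proc:file ~{ r_file_perms setattr };

  # proc:lnk_file: only read/getattr outside the audio/radio/system set.
  neverallow ~{
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    init
    mtk_hal_audio
    rild
    system_server
  } proc:lnk_file ~{ read getattr };

  # ... and the exempted set is still capped at r_file_perms.
  neverallow {
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    init
    mtk_hal_audio
    rild
    system_server
  } proc:lnk_file ~r_file_perms;
')


# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
# allow hal_drm system_data_file:file { getattr read };
# hal_server_domain(merged_hal_service, hal_drm)
#
full_treble_only(`
  # Vendor domains (domain minus coredomain/appdomain) get nothing on
  # system_data_file:file, except the DRM/CAS/TEE set listed here.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_cas_default
    -hal_drm_clearkey
    -hal_drm_default
    -hal_drm_widevine
    -merged_hal_service
    -tee
  } system_data_file:file *;

  # Everything not listed here is capped at r_file_perms.
  neverallow ~{
    appdomain
    app_zygote
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    init
    installd
    iorap_prefetcherd
    mediadrmserver
    mediaextractor
    mediaserver
    merged_hal_service
    system_server
    tee
    toolbox
    vold
    vold_prepare_subdirs
    with_asan(`asan_extract')
  } system_data_file:file ~r_file_perms;

  # NOTE(review): asan_extract (presumably only present in ASAN builds,
  # given the with_asan wrapper) is exempted above but has no narrowing
  # rule in this block.

  # Per-domain caps for the exempted set.
  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

  neverallow iorap_prefetcherd system_data_file:file ~{ open read };

  # DRM, media and TEE domains: getattr/read only.
  neverallow {
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    mediadrmserver
    mediaextractor
    mediaserver
    merged_hal_service
    tee
  } system_data_file:file ~{ getattr read };

  neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };

  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

  neverallow vold system_data_file:file ~read;
')

# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
# TODO: Remove hal_camera and so on once there are no violations.
#
# allow hal_camera device:dir r_dir_perms;
# hal_client_domain(cameraserver, hal_camera)
#
full_treble_only(`
  # Outside this list, device:dir is limited to search/getattr.
  neverallow ~{
    cameraserver
    fastbootd
    hal_camera
    hal_camera_default
    init
    mtk_hal_camera
    otapreopt_chroot
    recovery
    shell
    slideshow
    system_server
    vendor_init
    vold
    ueventd
  } device:dir ~{ search getattr };

  # Camera, shell, recovery and friends: read-only directory access.
  neverallow {
    cameraserver
    fastbootd
    hal_camera
    hal_camera_default
    mtk_hal_camera
    system_server
    shell
    slideshow
    recovery
  } device:dir ~r_dir_perms;

  neverallow init device:dir ~{ create_dir_perms mounton relabelto };

  neverallow vendor_init device:dir ~{ create_dir_perms mounton };

  neverallow vold device:dir ~{ search getattr write };

  neverallow ueventd device:dir ~create_dir_perms;

  # NOTE(review): otapreopt_chroot is exempted from the search/getattr
  # cap above but has no narrowing rule in this block.
')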