1# ==============================================
2# MTK Policy Rule
3# ==============================================
# Vendor additions to the `dumpstate` domain: each rule below grants dumpstate
# access to one vendor-labelled object so that it can be included in a dump.
# NOTE(review): no rule visible here is wrapped in userdebug_or_eng(...), so as
# written the grants apply to every build variant that includes this file;
# confirm that is intended for user builds.
4
5# Purpose: access dev/aed0
6allow dumpstate aed_device:chr_file { read getattr };
7
8# Purpose: data/dumpsys/*
# w_dir_perms / create_file_perms are permission-set macros defined outside this
# file. NOTE(review): in AOSP's global macros they cover directory write/add/remove
# and file create/rename/unlink plus read-write; verify against the tree in use.
9allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
10allow dumpstate aee_dumpsys_data_file:file { create_file_perms };
11
12# Purpose: data/aee_exp/*
# Same directory-write and file-create macro pair as for the dumpsys data type above.
13allow dumpstate aee_exp_data_file:dir { w_dir_perms };
14allow dumpstate aee_exp_data_file:file { create_file_perms };
15
16# Purpose: debugfs files
# Read-side grants only: `search` on directories, r_file_perms on files, and one
# symlink read. Which debugfs paths carry each label is decided outside this file
# (labelling rules not shown), so the reachable files cannot be listed from here.
# NOTE(review): debugfs_rcu gets only dir search in this group; the matching file
# read is granted separately further down (original line 107).
17allow dumpstate debugfs_binder:dir r_dir_perms;
18allow dumpstate debugfs_binder:file r_file_perms;
19allow dumpstate debugfs_blockio:file r_file_perms;
20allow dumpstate debugfs_fb:dir search;
21allow dumpstate debugfs_fb:file r_file_perms;
22allow dumpstate debugfs_fuseio:dir search;
23allow dumpstate debugfs_fuseio:file r_file_perms;
24allow dumpstate debugfs_ged:dir search;
25allow dumpstate debugfs_ged:file r_file_perms;
26allow dumpstate debugfs_rcu:dir search;
27allow dumpstate debugfs_shrinker_debug:file r_file_perms;
28allow dumpstate debugfs_wakeup_sources:file r_file_perms;
29allow dumpstate debugfs_dmlog_debug:file r_file_perms;
30allow dumpstate debugfs_page_owner_slim_debug:file r_file_perms;
31allow dumpstate debugfs_ion_mm_heap:dir search;
32allow dumpstate debugfs_ion_mm_heap:file r_file_perms;
33allow dumpstate debugfs_ion_mm_heap:lnk_file read;
34allow dumpstate debugfs_cpuhvfs:dir search;
35allow dumpstate debugfs_cpuhvfs:file r_file_perms;
36allow dumpstate debugfs_vpu_device_dbg:file r_file_perms;
37
38# Purpose: /sys/kernel/ccci/md_chn
39allow dumpstate sysfs_ccci:dir search;
40allow dumpstate sysfs_ccci:file r_file_perms;
41
42# Purpose: leds status
# Only the symlink read is granted here; directory read on the same type is added
# later in the file (original line 66).
43allow dumpstate sysfs_leds:lnk_file read;
44
45# Purpose: /sys/module/lowmemorykiller/parameters/adj
46allow dumpstate sysfs_lowmemorykiller:file r_file_perms;
47allow dumpstate sysfs_lowmemorykiller:dir search;
48
49# Purpose: /dev/block/mmcblk0p10
# NOTE(review): this is the only blk_file grant visible here, and it includes
# write and ioctl on the raw device. No allowxperm rule narrowing the ioctl
# commands appears in this file. The comment names a fixed partition number, but
# the rule follows the expdb_block_device label wherever it is assigned (not
# shown); confirm the label maps only to the intended partition on every device.
50allow dumpstate expdb_block_device:blk_file { read write ioctl open };
51
52#/data/anr/SF_RTT
# Directory traversal only; file read on sf_rtt_file is granted at original line 122.
53allow dumpstate sf_rtt_file:dir { search getattr };
54
55# Date : 2017/03/22
56# Operation : add fd use selinux rule
57# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
58#           dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
59#           tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
# NOTE(review): the quoted denial has tcontext aee_aed, but both rules below target
# crash_dump. Presumably the target domain changed after the log was captured;
# confirm, and refresh the justification so the rule can be audited against it.
60allow dumpstate crash_dump:fd use;
# NOTE(review): no denial is quoted for this socket rule; `connectto` lets
# dumpstate initiate a connection to a crash_dump stream socket. Confirm it is needed.
61allow dumpstate crash_dump:unix_stream_socket { read write ioctl connectto };
62
63# private define
# The rule below is commented out and therefore not part of the compiled policy.
64# allow dumpstate config_gz:file read;
65
# No purpose is recorded for this rule; it complements the sysfs_leds lnk_file
# read granted under "leds status" (original line 43).
66allow dumpstate sysfs_leds:dir r_dir_perms;
67
68# Purpose: 01-01 08:30:57.260  3070  3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
69# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
70# sf_bqdump_data_file:s0 tclass=dir permissive=0
# Read-only access to the directory named in the denial and to files of the same type.
71allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
72allow dumpstate sf_bqdump_data_file:file r_file_perms;
73
74# Purpose:
75# 01-01 17:59:14.440  7664  7664 I aee_dumpstate: type=1400 audit(0.0:63497):
76# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
77# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
78# tracing_shell_writable:s0 tclass=file permissive=1
# NOTE(review): the rule does not match the quoted denial. The log shows { open }
# on type tracing_shell_writable, captured with permissive=1, while the rule grants
# rw_file_perms (write included) on type debugfs_tracing. Confirm which type the
# file carries today and whether dumpstate needs write rather than read access.
79allow dumpstate debugfs_tracing:file rw_file_perms;
80
81# Date : WK17.03
82# Purpose: Allow to access gpu
# Grants directory search only; no file or chr_file access on gpu_device is added here.
83allow dumpstate gpu_device:dir search;
84
85# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
# Binder `call` permission towards the mtk_hal_camera domain.
86allow dumpstate mtk_hal_camera:binder { call };
87
88# Purpose: Allow aee_dumpstate to read /proc/slabinfo
89allow dumpstate proc_slabinfo:file r_file_perms;
90
91# Purpose: Allow aee_dumpstate to read /proc/zraminfo
92allow dumpstate proc_zraminfo:file r_file_perms;
93
94# Purpose: Allow aee_dumpstate to read /proc/gpulog
95allow dumpstate proc_gpulog:file r_file_perms;
96
97# Purpose: Allow aee_dumpstate to read /proc/sched_debug
98allow dumpstate proc_sched_debug:file r_file_perms;
99
100# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
# NOTE(review): the comment names a single file, but the rule covers every file
# labelled proc_chip; confirm what else carries that label.
101allow dumpstate proc_chip:file r_file_perms;
102
103# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
# Bare `write` only; no open, read or getattr is granted by this rule.
104allow dumpstate sysfs_vibrator_setting:file write;
105
106# Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
# Pairs with the debugfs_rcu dir search granted in the debugfs group (original line 26).
107allow dumpstate debugfs_rcu:file r_file_perms;
108
109# Purpose: Allow dumpstate to read /proc/ufs_debug
# NOTE(review): the comment says "read", but the rule grants rw_file_perms. Either
# narrow the rule to r_file_perms or document why dumpstate must write this entry.
110allow dumpstate proc_ufs_debug:file rw_file_perms;
111
112# Purpose: Allow dumpstate to read /proc/msdc_debug
113allow dumpstate proc_msdc_debug:file r_file_perms;
114
115# Purpose: Allow dumpstate to r/w /proc/pidmap
# Comment and rule agree on read-write. NOTE(review): what a write to this entry
# does is not stated here; record it so the write grant can be justified.
116allow dumpstate proc_pidmap:file rw_file_perms;
117
118# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
119allow dumpstate sysfs_vcore_debug:file r_file_perms;
120
121# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
# Complements the sf_rtt_file dir { search getattr } rule at original line 53.
122allow dumpstate sf_rtt_file:file r_file_perms;
123
124#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
# NOTE(review): comment and rule disagree twice. The comment says read/write on a
# /sys path; the rule grants r_file_perms (read only) on a type named proc_slabtrace.
# The rule is the narrower of the two; correct the comment or confirm the path.
125allow dumpstate proc_slabtrace:file r_file_perms;
126
127#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
128allow dumpstate proc_cmdq_debug:file r_file_perms;
129
130#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
131allow dumpstate proc_dbg_repo:file r_file_perms;
132
133#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_dump
134allow dumpstate proc_isp_p2_dump:file r_file_perms;
135
136#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_kedump
137allow dumpstate proc_isp_p2_kedump:file r_file_perms;
138
139#Purpose: Allow dumpstate to read /proc/mali/memory_usage
140allow dumpstate proc_memory_usage:file r_file_perms;
141
142#Purpose: Allow dumpstate to read /proc/mtk_es_reg_dump
143allow dumpstate proc_mtk_es_reg_dump:file r_file_perms;
144
145#Purpose: Allow dumpstate to read /sys/power/mtkpasr/execstate
146allow dumpstate sysfs_execstate:file r_file_perms;
147
# No purpose is recorded for these two rules. They grant read access to the
# proc_isp_p2 directory type and to files of that type; presumably this is the
# parent of the isp_p2 dump entries above (confirm).
148allow dumpstate proc_isp_p2:dir r_dir_perms;
149allow dumpstate proc_isp_p2:file r_file_perms;
150
151# Date : W19.26
152# Operation : Migration
153# Purpose : fix google dumpstate avc error in xTS
# Traversal and getattr only; the denials that motivated these rules are not quoted.
154allow dumpstate debugfs_mmc:dir search;
155allow dumpstate mnt_media_rw_file:dir getattr;
156
157# Date: 19/07/15
158# Purpose: fix google dumpstate avc error in xTs
159allow dumpstate sysfs_devices_block:file r_file_perms;
160allow dumpstate proc_last_kmsg:file r_file_perms;
161
162# Date: 19/07/15
163# Purpose: Allow dumpstate to read /sys/kernel/debug/kmemleak
164allow dumpstate debugfs_kmemleak:file r_file_perms;
165
166#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
167allow dumpstate sysfs_adsp:file r_file_perms;
168
169#Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
170allow dumpstate debugfs_smi_mon:file r_file_perms;
171
172# MTEE Trusty
# NOTE(review): read-write grant with no path, date or denial recorded. What
# mtee_trusty_file labels is not shown in this file; if it is an interface to the
# trusted execution environment, a write grant to a dump tool needs an explicit
# justification. Confirm the need or narrow the rule to r_file_perms.
173allow dumpstate mtee_trusty_file:file rw_file_perms;
174
175# 09-05 15:58:31.552000  9693  9693 W df      : type=1400 audit(0.0:990):
176# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
177# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
# The denial shows `search`; the rule also adds `getattr` on the same directory type.
178allow dumpstate mnt_expand_file:dir { search getattr };
179
180#Purpose: Allow dumpstate to read /dev/usb-ffs
# NOTE(review): the comment says "read", but only `getattr` is granted, so
# dumpstate can stat functionfs files without reading them. The rule is the
# narrower of the two; the comment should say getattr.
181allow dumpstate functionfs:file { getattr };
182
183#Purpose: Allow dumpstate to read /sys/bus/platform/drivers/cache_parity/cache_status
184allow dumpstate sysfs_cache_status:file r_file_perms;
185
# Macro call (definition not shown) registering dumpstate as a client of hal_light.
# NOTE(review): no purpose is recorded for this grant; add one.
186hal_client_domain(dumpstate, hal_light)
187
188#Purpose: Allow dumpstate to read /sys/kernel/tracing/instances/mmstat/trace
# NOTE(review): the comment names one trace file, but the rules cover every
# directory and file labelled debugfs_tracing_instances. Read-only.
189allow dumpstate debugfs_tracing_instances:dir r_dir_perms;
190allow dumpstate debugfs_tracing_instances:file r_file_perms;
191
# No purpose, date or denial is recorded for the remaining rules. All are
# read-only (r_dir_perms / r_file_perms) on proc and debugfs types.
# NOTE(review): add the path each label covers so the grants can be audited.
192allow dumpstate proc_ion:dir r_dir_perms;
193allow dumpstate proc_ion:file r_file_perms;
194allow dumpstate proc_m4u_dbg:dir r_dir_perms;
195allow dumpstate proc_m4u_dbg:file r_file_perms;
196allow dumpstate proc_mtkfb:file r_file_perms;
197
198allow dumpstate debugfs_cmdq:file r_file_perms;
199