1# ============================================== 2# Policy File of /system/bin/factory Executable File 3 4# ============================================== 5# Type Declaration 6# ============================================== 7 8# ============================================== 9# MTK Policy Rule 10# ============================================== 11type factory, domain; 12type factory_exec, exec_type, file_type, vendor_file_type; 13init_daemon_domain(factory) 14 15#============= factory ============== 16allow factory MTK_SMI_device:chr_file r_file_perms; 17allow factory ashmem_device:chr_file execute; 18allow factory ebc_device:chr_file rw_file_perms; 19allow factory stpbt_device:chr_file rw_file_perms; 20 21# Date: WK14.47 22# Operation : Migration 23# Purpose : CCCI 24allow factory eemcs_device:chr_file rw_file_perms; 25allow factory ccci_device:chr_file rw_file_perms; 26allow factory gsm0710muxd_device:chr_file rw_file_perms; 27 28#Purpose: file system requirement 29allow factory debugfs_usb_nonplat:file rw_file_perms; 30allow factory debugfs_usb_nonplat:dir search; 31allow factory devpts:chr_file rw_file_perms; 32allow factory vfat:dir w_dir_perms; 33allow factory labeledfs:filesystem unmount; 34allow factory rootfs:dir mounton; 35allow factory vfat:dir { read open search mounton }; 36allow factory vfat:filesystem { mount unmount }; 37 38# Purpose : SDIO 39allow factory ttySDIO_device:chr_file rw_file_perms; 40 41#Purpose: USB 42allow factory ttyMT_device:chr_file rw_file_perms; 43allow factory ttyS_device:chr_file rw_file_perms; 44allow factory ttyGS_device:chr_file rw_file_perms; 45 46# Purpose: OTG 47allow factory usb_device:chr_file rw_file_perms; 48allow factory usb_device:dir r_dir_perms; 49allow factory sysfs_usb_nonplat:file r_file_perms; 50allow factory sysfs_usb_nonplat:dir r_dir_perms; 51 52# Date: WK15.01 53# Purpose : OTG Mount 54allow factory sdcard_type:dir mounton; 55# Date: WK15.07 56# Purpose : use c2k flight mode; 57allow factory vmodem_device:chr_file rw_file_perms; 58 59# Date: WK15.13 60# Purpose: for nand project 61allow factory mtd_device:dir search; 62allow factory mtd_device:chr_file rw_file_perms; 63allow factory self:capability sys_resource; 64allow factory pro_info_device:chr_file rw_file_perms; 65 66# Data: WK15.28 67# Purpose: for mt-ramdump reset 68allow factory proc_mrdump_rst:file w_file_perms; 69 70#Date: WK15.31 71#Purpose: define factory_data_file instead of system_data_file 72# because system_data_file is sensitive partition from M 73wakelock_use(factory); 74allow factory storage_file:dir { write create add_name search mounton }; 75 76# Date: WK15.44 77# Purpose: factory idle current status 78set_prop(factory, vendor_mtk_factory_idle_state_prop) 79 80# Date: WK15.46 81# Purpose: gps factory mode 82allow factory agpsd_data_file:dir search; 83allow factory gps_data_file:dir { write add_name search remove_name unlink}; 84allow factory gps_data_file:file { read write open create getattr append setattr unlink lock}; 85allow factory gps_data_file:lnk_file read; 86allow factory storage_file:lnk_file r_file_perms; 87 88#Date: WK15.48 89#Purpose: capture for factory mode 90allow factory devmap_device:chr_file r_file_perms; 91allow factory sdcard_type:dir create_dir_perms; 92allow factory sdcard_type:file create_file_perms; 93allow factory mnt_user_file:dir search; 94allow factory mnt_user_file:lnk_file read; 95allow factory storage_file:lnk_file read; 96 97#Date: WK16.05 98#Purpose: For access NVRAM 99allow factory factory:capability chown; 100allow factory nvram_data_file:dir create_dir_perms; 101allow factory nvram_data_file:file create_file_perms; 102allow factory nvram_data_file:lnk_file r_file_perms; 103allow factory nvdata_file:lnk_file r_file_perms; 104allow factory nvram_device:chr_file rw_file_perms; 105allow factory nvram_device:blk_file rw_file_perms; 106allow factory nvdata_device:blk_file rw_file_perms; 107 108#Date: WK16.12 109#Purpose: For sensor test 110allow factory hf_manager_device:chr_file rw_file_perms; 111allow factory als_ps_device:chr_file r_file_perms; 112allow factory barometer_device:chr_file r_file_perms; 113allow factory gsensor_device:chr_file r_file_perms; 114allow factory gyroscope_device:chr_file r_file_perms; 115allow factory msensor_device:chr_file r_file_perms; 116allow factory biometric_device:chr_file r_file_perms; 117 118#Purpose: For camera Test 119allow factory kd_camera_flashlight_device:chr_file rw_file_perms; 120allow factory kd_camera_hw_device:chr_file rw_file_perms; 121allow factory seninf_device:chr_file rw_file_perms; 122allow factory CAM_CAL_DRV_device:chr_file rw_file_perms; 123allow factory camera_eeprom_device:chr_file rw_file_perms; 124 125#Purpose: For reboot the target 126set_prop(factory, powerctl_prop) 127 128#Purpose: For memory card test 129allow factory misc_sd_device:chr_file r_file_perms; 130allow factory mmcblk1_block_device:blk_file rw_file_perms; 131allow factory bootdevice_block_device:blk_file rw_file_perms; 132allow factory mmcblk1p1_block_device:blk_file rw_file_perms; 133allow factory block_device:dir w_dir_perms; 134allowxperm factory mmcblk1_block_device:blk_file ioctl BLKGETSIZE; 135allowxperm factory bootdevice_block_device:blk_file ioctl BLKGETSIZE; 136 137#Purpose: For EMMC test 138allow factory nvdata_file:dir create_dir_perms; 139allow factory nvdata_file:file create_file_perms; 140 141#Purpose: For HRM test 142allow factory hrm_device:chr_file r_file_perms; 143 144#Purpose: For IrTx LED test 145allow factory irtx_device:chr_file rw_file_perms; 146 147#Purpose: For battery test, ext_buck test and ext_vbat_boost test 148allow factory pmic_ftm_device:chr_file rw_file_perms; 149allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms; 150allow factory MT_pmic_cali_device:chr_file r_file_perms; 151allow factory charger_ftm_device:chr_file r_file_perms; 152 153#Purpose: For HDMI test 154allow factory graphics_device:dir w_dir_perms; 155allow factory graphics_device:chr_file rw_file_perms; 156 157#Purpose: For WIFI test 158allow factory wmtWifi_device:chr_file rw_file_perms; 159 160#Purpose: For rtc test 161allow factory rtc_device:chr_file rw_file_perms; 162 163#Purpose: For gps test 164allow factory mnld_device:chr_file rw_file_perms; 165allow factory mnld_exec:file rx_file_perms; 166 167#Purpose: For keypad test 168allow factory mtk_kpd_device:chr_file r_file_perms; 169 170#Purpose: For Humidity test 171allow factory humidity_device:chr_file r_file_perms; 172 173#Purpose: For camera test 174allow factory camera_isp_device:chr_file rw_file_perms; 175allow factory camera_dip_device:chr_file rw_file_perms; 176allow factory camera_pipemgr_device:chr_file r_file_perms; 177allow factory camera_sysram_device:chr_file r_file_perms; 178allow factory ccu_device:chr_file rw_file_perms; 179allow factory vpu_device:chr_file rw_file_perms; 180allow factory MAINAF_device:chr_file rw_file_perms; 181allow factory MAIN2AF_device:chr_file rw_file_perms; 182allow factory MAIN3AF_device:chr_file rw_file_perms; 183allow factory MAIN4AF_device:chr_file rw_file_perms; 184allow factory SUBAF_device:chr_file rw_file_perms; 185allow factory SUB2AF_device:chr_file rw_file_perms; 186allow factory FM50AF_device:chr_file rw_file_perms; 187allow factory AD5820AF_device:chr_file rw_file_perms; 188allow factory DW9714AF_device:chr_file rw_file_perms; 189allow factory DW9714A_device:chr_file rw_file_perms; 190allow factory LC898122AF_device:chr_file rw_file_perms; 191allow factory LC898212AF_device:chr_file rw_file_perms; 192allow factory BU6429AF_device:chr_file rw_file_perms; 193allow factory DW9718AF_device:chr_file rw_file_perms; 194allow factory BU64745GWZAF_device:chr_file rw_file_perms; 195allow factory cct_data_file:dir create_dir_perms; 196allow factory cct_data_file:file create_file_perms; 197allow factory camera_tsf_device:chr_file rw_file_perms; 198allow factory camera_rsc_device:chr_file rw_file_perms; 199allow factory camera_gepf_device:chr_file rw_file_perms; 200allow factory camera_fdvt_device:chr_file rw_file_perms; 201allow factory camera_wpe_device:chr_file rw_file_perms; 202allow factory camera_owe_device:chr_file rw_file_perms; 203allow factory camera_mfb_device:chr_file rw_file_perms; 204hal_client_domain(factory, hal_power) 205get_prop(factory, vendor_mtk_mediatek_prop) 206# Date: 2020/07/20 207# Operation : For M4U security 208allow factory proc_m4u:file r_file_perms; 209allowxperm factory proc_m4u:file ioctl { 210 MTK_M4U_T_SEC_INIT 211 MTK_M4U_T_CONFIG_PORT 212}; 213 214#Purpose: For FM test and headset test 215allow factory accdet_device:chr_file r_file_perms; 216allow factory fm_device:chr_file rw_file_perms; 217 218#Purpose: For audio test 219allow factory audio_device:chr_file rw_file_perms; 220allow factory audio_device:dir w_dir_perms; 221set_prop(factory, vendor_mtk_audiohal_prop) 222allow factory audio_ipi_device:chr_file { read write ioctl open }; 223allow factory audio_scp_device:chr_file r_file_perms; 224 225#Purpose: For key and touch event 226allow factory input_device:chr_file r_file_perms; 227allow factory input_device:dir rw_dir_perms; 228 229# Date: WK16.17 230# Purpose: N Migration For ccci sysfs node 231# Allow read to sys/kernel/ccci/* files 232allow factory sysfs_ccci:dir search; 233allow factory sysfs_ccci:file r_file_perms; 234 235# Date: WK16.18 236# Purpose: N Migration For boot_mode 237# Allow to read boot mode 238# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117 239# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 240# tclass=file permissive=0 241allow factory sysfs_boot_mode:file { read open }; 242allow factory sysfs_boot_type:file { read open }; 243 244#TODO:: MTK need to remove later 245not_full_treble(` 246 allow factory mnld:unix_dgram_socket sendto; 247') 248 249# Date: WK16.31 250#Purpose: For gps test 251set_prop(factory, vendor_mtk_mnld_prop) 252 253# Date: WK16.33 254#Purpose: for unmount sdcardfs and stop services which are using data partition 255allow factory sdcard_type:filesystem unmount; 256set_prop(factory, ctl_default_prop) 257 258# Date : WK16.35 259# Operation : Migration 260# Purpose : Update camera flashlight driver device file 261allow factory flashlight_device:chr_file rw_file_perms; 262 263 264# Date: WK15.25 265#Purpose: for unmount sdcardfs and stop services which are using data partition 266set_prop(factory, system_mtk_ctl_emdlogger1_prop) 267# Date: WK17.07 268# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs 269allow factory tmpfs:filesystem unmount; 270allow factory sysfs:dir { read open }; 271allow factory sysfs_leds:dir search; 272allow factory sysfs_leds:lnk_file read; 273allow factory sysfs_leds:file rw_file_perms; 274allow factory sysfs_leds:dir r_dir_perms; 275allow factory sysfs_power:file rw_file_perms; 276allow factory sysfs_power:dir r_dir_perms; 277allow factory self:capability2 {block_suspend}; 278allow factory sysfs_vibrator:file {open read write}; 279allow factory ion_device:chr_file { read open ioctl }; 280allow factory debugfs_ion:dir search; 281# Date: WK17.27 282# Purpose: STMicro NFC solution integration 283allow factory st21nfc_device:chr_file { open read getattr write ioctl }; 284set_prop(factory, hwservicemanager_prop) 285hwbinder_use(factory); 286hal_client_domain(factory, hal_nfc); 287 288# Date : WK17.32 289# Operation : O Migration 290# Purpose: Allow to access cmdq driver 291allow factory mtk_cmdq_device:chr_file r_file_perms; 292allow factory mtk_mdp_device:chr_file r_file_perms; 293allow factory mtk_mdp_sync:chr_file r_file_perms; 294allow factory sw_sync_device:chr_file r_file_perms; 295 296# Date: WK1733 297# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode 298set_prop(factory, vendor_mtk_ctl_ccci_fsd_prop) 299 300# Date : WK17.38 301# Operation : O Migration 302# Purpose: Allow to access sysfs 303allow factory sysfs_therm:dir search; 304allow factory sysfs_therm:file {open read write}; 305 306#Date: W18.22 307# Purpose: P Migration for factory get com port type and uart port info 308# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10): 309#avc: denied { read } for pid=203 comm="factory" name="meta_com_type_info" dev= 310#"sysfs" ino=11073 scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 311allow factory sysfs_comport_type:file rw_file_perms; 312allow factory sysfs_uart_info:file rw_file_perms; 313 314 315# from private 316allow factory kernel:system module_request; 317allow factory node:tcp_socket node_bind; 318allow factory userdata_block_device:blk_file rw_file_perms; 319allow factory port:tcp_socket { name_bind name_connect }; 320allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin }; 321allow factory sdcard_type:dir r_dir_perms; 322allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write }; 323allow factory proc_net:file { read getattr open }; 324allowxperm factory self:udp_socket ioctl priv_sock_ioctls; 325allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID}; 326 327allow factory self:process execmem; 328allow factory self:tcp_socket create_stream_socket_perms; 329allow factory self:udp_socket create_socket_perms; 330 331allow factory sysfs_wake_lock:file rw_file_perms; 332#allow factory system_file:file x_file_perms; 333 334# For Light HIDL permission 335hal_client_domain(factory, hal_light); 336allow factory hal_light_hwservice:hwservice_manager find; 337allow factory mtk_hal_light:binder call; 338allow factory merged_hal_service:binder call; 339# For vibrator test permission 340allow factory sysfs_vibrator:file rw_file_perms; 341allow factory sysfs_vibrator:dir search; 342 343# For Audio device permission 344allow factory proc_asound:dir { read search open }; 345allow factory proc_asound:file { read open getattr write }; 346 347# For Accdet data permission 348allow factory sysfs_headset:file { read open }; 349 350# For touch auto test 351allow factory sysfs_tpd_setting:dir search; 352allow factory sysfs_tpd_setting:file { read getattr open }; 353 354# For fingerprinto test 355allow factory sysfs_gf_spi_tee:dir search; 356allow factory sysfs_gf_spi_tee:file r_file_perms; 357# Date : WK18.23 358# Operation: P migration 359# Purpose : Allow factory to unmount partition, stop service, and then erase partition 360allow factory vendor_shell_exec:file { read execute open execute_no_trans }; 361allow factory vendor_toolbox_exec:file { execute_no_trans }; 362allow factory labeledfs:filesystem { unmount }; 363allow factory proc_cmdline:file { read open getattr }; 364allow factory factory:capability { sys_boot sys_admin}; 365allow factory sysfs_dt_firmware_android:file { read open getattr }; 366allow factory sysfs_dt_firmware_android:dir { read open search }; 367# Purpose : Allow factory to communicate with driver thru socket 368allow factory factory:capability { sys_module net_admin net_raw }; 369 370# For power_supply and switch permission 371r_dir_file(factory, sysfs_batteryinfo) 372r_dir_file(factory, sysfs_switch) 373 374# Date : WK18.31 375# Operation: P migration 376# Purpose : Refine policy 377allow factory sysfs_devices_block:dir { search }; 378allow factory sysfs_devices_block:file { read getattr open }; 379 380# Date : WK18.37 381# Operation: P migration 382# Purpose : ADSP SmartPA calibration 383allow factory vendor_file:file execute_no_trans; 384allow factory mtk_audiohal_data_file:dir create_dir_perms; 385allow factory mtk_audiohal_data_file:file { write create unlink r_file_perms }; 386 387#Date : WK18.37 388# Operation: P migration 389# Purpose : Allow factory to open /proc/version 390allow factory proc_version:file {read open getattr}; 391 392# Purpose : adsp 393allow factory adsp_device:chr_file rw_file_perms; 394 395# Purpose : NFC 396allow factory vendor_nfc_socket:dir { write add_name remove_name search }; 397allow factory vendor_nfc_socket:sock_file { create write unlink setattr }; 398 399# Allow to get AOSP property persist.radio.multisim.config 400get_prop(factory, radio_control_prop) 401 402# Date : WK19.38 403# Operation : Q Migration 404# Purpose: Allow clear eMMC 405set_prop(factory, system_mtk_ctl_mdlogger_prop) 406 407# Date : WK19.41 408# Operation : Q Migration 409# Purpose: allow system_server to access rt5509 param and calib node 410allow factory sysfs_rt_param:file rw_file_perms; 411allow factory sysfs_rt_calib:file rw_file_perms; 412allow factory sysfs_rt_param:dir r_dir_perms; 413allow factory sysfs_rt_calib:dir r_dir_perms; 414 415# Date : WK20.13 416# Operation: R migration 417# Contains lib to visit file permission 418allow factory ashmem_libcutils_device:chr_file execute; 419 420# Date : WK20.13 421# Operation: R migration 422# Purpose : Add permission for new device node. 423allow factory sysfs_boot_info:file r_file_perms; 424allow factory proc_bootprof:file getattr; 425allow factory sysfs_meta_info:file r_file_perms; 426 427# Date : WK20.17 428# Operation: R migration 429# Purpose : Add permission for acess vendor_de. 430allow factory factory_vendor_file:file {create_file_perms}; 431allow factory factory_vendor_file:dir { w_dir_perms }; 432 433# Date : WK20.20 434# Operation: R migration 435# Purpose : Add permission for health HAL and vbus 436hal_client_domain(factory, hal_health); 437allow factory sysfs_vbus:file r_file_perms; 438allow factory sysfs_chg2_present:file r_file_perms; 439