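# ==============================================
# MTK Policy Rule
# ==============================================
#
# MediaTek vendor additions to the AOSP system_server domain.  Every rule
# here widens what system_server may do, so each one should stay traceable
# to the feature that needs it; the dated "Date / Operation / Purpose"
# blocks below serve that role.  Review notes are marked "NOTE(review)".

# Access devices.
allow system_server touch_device:chr_file rw_file_perms;
allow system_server stpant_device:chr_file rw_file_perms;
allow system_server devmap_device:chr_file r_file_perms;
allow system_server irtx_device:chr_file rw_file_perms;
allow system_server qemu_pipe_device:chr_file rw_file_perms;
allow system_server wmtWifi_device:chr_file w_file_perms;

# Add for bootprof
allow system_server proc_bootprof:file rw_file_perms;

# /data/core access.
allow system_server aee_core_data_file:dir r_dir_perms;

# Perform Binder IPC.
# NOTE(review): binder impersonate lets system_server act as zygote on the
# binder driver; confirm this is still required and that it does not collide
# with the base policy's neverallow rules before keeping it.
allow system_server zygote:binder impersonate;

# For dumpsys.
allow system_server aee_dumpsys_data_file:file w_file_perms;
allow system_server aee_exp_data_file:file w_file_perms;

# Dump native process backtrace.
# Intentionally disabled: exec_type is an attribute covering every executable
# type, so enabling this would grant read access to all of them at once.
#allow system_server exec_type:file r_file_perms;

# Querying zygote socket.
allow system_server zygote:unix_stream_socket { getopt getattr };

# Communicate over a socket created by mnld process.
# NOTE(review): no rule follows this comment; either the rule was dropped or
# the comment is stale (the mnld binder_call rule appears further down).

# Allow system_server to read /sys/kernel/debug/wakeup_sources
allow system_server debugfs_wakeup_sources:file r_file_perms;

# Allow system_server to read/write /sys/power/dcm_state
allow system_server sysfs_dcm:file rw_file_perms;

# Date : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow system_server surfaceflinger:fifo_file rw_file_perms;

# Date : W16.42
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
allow system_server gpu_device:dir search;
allow system_server debugfs_gpu_img:dir search;

# Date : W16.43
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
allow system_server sw_sync_device:chr_file { read write getattr open ioctl };

# Date : WK16.44
# Purpose: Allow to access UART1 ttyMT1
allow system_server ttyMT_device:chr_file rw_file_perms;

# Date : WK17.52
# Purpose: Allow to access UART1 ttyS
allow system_server ttyS_device:chr_file rw_file_perms;

# Date:W16.46
# Operation : thermal hal Feature developing
# Purpose : thermal hal interface permission
allow system_server proc_mtktz:dir search;
allow system_server proc_mtktz:file r_file_perms;

# Date:W17.02
# Operation : audio hal developing
# Purpose : audio hal interface permission
allow system_server mtk_hal_audio:process { getsched setsched };

# Date: 2017/02/14
# Purpose: allow get telephony Sensitive property
get_prop(system_server, vendor_mtk_telephony_sensitive_prop)

# Date:W17.07
# Operation : bt hal
# Purpose : bt hal interface permission
binder_call(system_server, mtk_hal_bluetooth)

# Date:W17.08
# Operation : sensors hal developing
# Purpose : sensors hal interface permission
binder_call(system_server, mtk_hal_sensors)

# Operation : light hal developing
# Purpose : light hal interface permission
binder_call(system_server, mtk_hal_light)

# Date:W17.21
# Operation : gnss hal
# Purpose : gnss hal interface permission
hal_client_domain(system_server, hal_gnss)

# Date : W18.01
# Add for turn on SElinux in enforcing mode
allow system_server vendor_framework_file:dir r_file_perms;

# Fix bootup violation
allow system_server vendor_framework_file:file getattr;

# Date:W17.22
# Operation : add aee_aed socket rule
# Purpose : type=1400 audit(0.0:134519): avc: denied { connectto }
#           for comm=4572726F722064756D703A20737973
#           path=00636F6D2E6D746B2E6165652E6165645F3634
#           scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0
#           tclass=unix_stream_socket permissive=0
# (hex-encoded fields above decode to comm="Error dump: sys..." and the
#  abstract socket path "\0com.mtk.aee.aed_64")
# NOTE(review): the quoted denial names tcontext aee_aed, but the rule below
# grants connectto to crash_dump.  Unless aee_aed is aliased to crash_dump in
# this policy, the rule does not resolve the quoted denial and grants a
# different target instead — confirm against the type declarations.
allow system_server crash_dump:unix_stream_socket connectto;

# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
# NOTE(review): redundant — r_file_perms granted on debugfs_wakeup_sources
# above already includes { read getattr open }.  Harmless, but one of the two
# rules can be dropped.
allow system_server debugfs_wakeup_sources:file { read getattr open };

# Date:W17.26
# Operation : imsa hal
# Purpose : imsa hal interface permission
binder_call(system_server, mtk_hal_imsa)

# Date:W17.28
# Operation : camera hal developing
# Purpose : camera hal binder_call permission
binder_call(system_server, mtk_hal_camera)

# Date:W17.31
# Operation : mpe sensor hidl developing
# Purpose : mpe sensor hidl permission
binder_call(system_server, mnld)

# Date : WK17.32
# Operation : Migration
# Purpose : for network log dumpsys setting/netd information
#           audit(0.0:914): avc: denied { write } for path="pipe:[46088]"
#           dev="pipefs" ino=46088 scontext=u:r:system_server:s0
#           tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1
allow system_server netdiag:fifo_file write;

# Date : WK17.32
# Operation : Migration
# Purpose : for DHCP Client ip recover functionality
# NOTE(review): the dir search rule is subsumed by rw_dir_perms on the next
# line (r_dir_perms already contains search); kept for traceability.
allow system_server dhcp_data_file:dir search;
allow system_server dhcp_data_file:dir rw_dir_perms;
allow system_server dhcp_data_file:file create_file_perms;

# Date:W17.35
# Operation : lbs hal
# Purpose : lbs hidl interface permission
hal_client_domain(system_server, mtk_hal_lbs)

# Date : WK17.12
# Operation : MT6799 SQC
# Purpose : Change thermal config
get_prop(system_server, vendor_mtk_thermal_config_prop)

# Date : WK17.43
# Operation : Migration
# Purpose : perfmgr permission
# ioctl access is restricted to the named FPSGO commands via allowxperm rather
# than granting the whole ioctl range.
allow system_server proc_perfmgr:dir {read search};
allow system_server proc_perfmgr:file {open read ioctl};
allowxperm system_server proc_perfmgr:file ioctl {
  PERFMGR_FPSGO_QUEUE
  PERFMGR_FPSGO_DEQUEUE
  PERFMGR_FPSGO_QUEUE_CONNECT
  PERFMGR_FPSGO_BQID
};

# Date : W18.22
# Operation : MTK wifi hal migration
# Purpose : MTK wifi hal interface permission
binder_call(system_server, mtk_hal_wifi)

# Date : W19.15
# Operation : alarm device permission
# Purpose : support power-off alarm
allow system_server alarm_device:chr_file rw_file_perms;

# Date : WK19.7
# Operation: Q migration
# Purpose : Allow system_server to use ioctl/ioctlcmd
# NOTE(review): proc_ged gets rw_file_perms; the ioctl set is bounded by the
# proc_ged_ioctls definition, which lives outside this file — keep it minimal.
allow system_server proc_ged:file rw_file_perms;
allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };

# Date: 2019/06/14
# Operation : when WFD turning on, turn off hdmi
allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find;
allow system_server mtk_hal_hdmi:binder call;

# Date:2019/10/09
# Operation:Q Migration
allow system_server proc_cmdq_debug:file getattr;
allow system_server proc_last_kmsg:file r_file_perms;
allow system_server proc_cm_mgr:dir search;
allow system_server proc_isp_p2:dir search;
allow system_server proc_thermal:dir search;
allow system_server proc_atf_log:dir search;
allow system_server proc_cpufreq:dir search;
allow system_server proc_mtkcooler:dir search;
allow system_server proc_ppm:dir search;

# Date : 2019/10/11
# Operation : Q Migration
allow system_server proc_wlan_status:file getattr;

# Date : 2019/10/11
# Operation : Q Migration
allow system_server sysfs_pages_shared:file r_file_perms;
allow system_server sysfs_pages_sharing:file r_file_perms;
allow system_server sysfs_pages_unshared:file r_file_perms;
allow system_server sysfs_pages_volatile:file r_file_perms;

# Date:2019/10/14
# Operation: Q Migration
# Purpose : power_hal_mgr_service may use libmtkperf_client
allow system_server sysfs_boot_mode:file r_file_perms;

# Date : 2019/10/22
# Operation : Q Migration
# NOTE(review): CAP_SYS_MODULE is the kernel-module loading capability and is
# a large privilege for system_server; this block records no purpose.  Confirm
# which feature needs it and whether a narrower grant (or moving the work to a
# dedicated domain) is possible, and check it against the base policy's
# neverallow rules on sys_module.
allow system_server self:capability sys_module;

# Date : 2019/10/22
# Operation : Q Migration
dontaudit system_server sdcardfs:file r_file_perms;

# Date : 2019/10/26
# Operation : Q Migration
# NOTE(review): syslog_read exposes the kernel ring buffer (dmesg) to
# system_server; no purpose is recorded here — confirm the consumer.
allow system_server mtk_hal_camera:process sigkill;
allow system_server kernel:system syslog_read;

# Date : 2019/10/30
# Operation : Q Migration
allow system_server proc_chip:dir search;
allow system_server zygote:process setsched;

# Date : 2019/11/21
# Operation : Q Migration
allow system_server sf_rtt_file:dir rmdir;

# Date : 2019/11/29
# Operation : Q Migration
allow system_server storage_stub_file:dir getattr;

# Date : 2020/05/12
# Operation : R Migration
allow system_server proc_ppm:file r_file_perms;

# Date: 2019/11/12
# Purpose: Allow system server to access mtk jpeg
# ioctl access is restricted to the named JPG bridge commands via allowxperm.
allow system_server proc_mtk_jpeg:file rw_file_perms;
allowxperm system_server proc_mtk_jpeg:file ioctl {
      JPG_BRIDGE_DEC_IO_LOCK
      JPG_BRIDGE_DEC_IO_WAIT
      JPG_BRIDGE_DEC_IO_UNLOCK
};

# Date : 2020/06/30
# Operation : R Migration
dontaudit system_server kernel:process sigkill;

# Date:2020/07/23
# Operation:R Migration
dontaudit system_server iorapd:process setsched;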
266