| # ============================================== |
| # MTK Policy Rule |
| # ============ |
| |
| # Date : WK14.32 |
| # Operation : AEE UT |
| # Purpose : for AEE module |
| domain_auto_trans(debuggerd, dmlog_exec, dmlog) |
| |
| allow debuggerd aed_device:chr_file { read write ioctl open }; |
| allow debuggerd expdb_device:chr_file { read write ioctl open }; |
| allow debuggerd expdb_block_device:blk_file { read write ioctl open }; |
| allow debuggerd mmcblk0_block_device:blk_file { read write ioctl open }; |
| allow debuggerd ccci_device:chr_file { read ioctl open }; |
| allow debuggerd etb_device:chr_file { read write ioctl open }; |
| allow debuggerd graphics_device:dir search; |
| allow debuggerd graphics_device:chr_file r_file_perms; |
| allow debuggerd Vcodec_device:chr_file r_file_perms; |
| allow debuggerd camera_isp_device:chr_file r_file_perms; |
| |
| # AED start: /dev/block/expdb |
| allow debuggerd block_device:dir search; |
| |
| # debuggerd open/dev/mtd/mtd12 failed(expdb) |
| allow debuggerd mtd_device:dir create_dir_perms; |
| allow debuggerd mtd_device:chr_file { read write ioctl open }; |
| |
| allow debuggerd userdata_block_device:blk_file create_file_perms; |
| # NE flow: /dev/RT_Monitor |
| allow debuggerd RT_Monitor_device:chr_file { read ioctl open }; |
| |
| # /dev/_GPU_ dev/pvrsrvkm |
| allow debuggerd gpu_device:chr_file rw_file_perms; |
| |
| # /dev/exm0 |
| allow debuggerd exm0_device:chr_file r_file_perms; |
| |
| allow debuggerd shell_exec:file { execute execute_no_trans }; |
| allow debuggerd dex2oat_exec:file { execute execute_no_trans }; |
| |
| # aee db dir and db files |
| allow debuggerd fuse:dir create_dir_perms; |
| allow debuggerd fuse:file create_file_perms; |
| |
| #data/anr |
| allow debuggerd anr_data_file:dir create_dir_perms; |
| allow debuggerd anr_data_file:file create_file_perms; |
| |
| #data/aee_exp |
| allow debuggerd aee_exp_data_file:dir { relabelto create_dir_perms }; |
| allow debuggerd aee_exp_data_file:file create_file_perms; |
| |
| #data/dumpsys |
| allow debuggerd aee_dumpsys_data_file:dir { relabelto create_dir_perms }; |
| allow debuggerd aee_dumpsys_data_file:file create_file_perms; |
| |
| #/data/core |
| allow debuggerd aee_core_data_file:dir create_dir_perms; |
| allow debuggerd aee_core_data_file:file create_file_perms; |
| |
| # /data/data_tmpfs_log |
| allow debuggerd data_tmpfs_log_file:dir create_dir_perms; |
| allow debuggerd data_tmpfs_log_file:file create_file_perms; |
| |
| allow debuggerd shell_data_file:dir search; |
| allow debuggerd shell_data_file:file r_file_perms; |
| |
| #/data/anr/SF_RTT |
| allow debuggerd sf_rtt_file:dir search; |
| allow debuggerd sf_rtt_file:file r_file_perms; |
| |
| allow debuggerd sysfs:file write; |
| allow debuggerd proc:file write; |
| allow debuggerd sysfs_lowmemorykiller:file { read open }; |
| allow debuggerd debugfs:file read; |
| #allow debuggerd proc_security:file { write open }; |
| |
| allow debuggerd self:capability { fsetid sys_nice sys_resource net_admin sys_module }; |
| |
| allow debuggerd domain:process { sigkill getattr getsched}; |
| allow debuggerd domain:lnk_file getattr; |
| |
| #core-pattern |
| allow debuggerd usermodehelper:file { read open }; |
| |
| #file_type_auto_trans(debuggerd, system_data_file, debuggerd_data_file); |
| #allow debuggerd debuggerd_data_file:file rw_file_perms; |
| |
| #suid_dumpable |
| allow debuggerd proc_security:file { read open }; |
| |
| #kptr_restrict |
| #allow debuggerd proc_security:file { write open }; |
| |
| #dmesg |
| allow debuggerd kernel:system syslog_read; |
| |
| #property |
| allow debuggerd init:unix_stream_socket connectto; |
| allow debuggerd property_socket:sock_file write; |
| |
| # dumpstate ION_MM_HEAP |
| allow debuggerd debugfs:lnk_file read; |
| |
| #allow debuggerd tmpfs:lnk_file read; |
| |
| |
| # aed set property |
| allow debuggerd persist_mtk_aee_prop:property_service set; |
| allow debuggerd persist_aee_prop:property_service set; |
| allow debuggerd debug_mtk_aee_prop:property_service set; |
| |
| # aee_dumpstate set property |
| allow debuggerd debug_bq_dump_prop:property_service set; |
| |
| #com.android.settings NE |
| allow debuggerd system_app_data_file:dir search; |
| |
| # sogou NE |
| allow debuggerd app_data_file:dir search; |
| |
| # open and read /data/data/com.android.settings/databases/search_index.db-journal |
| allow debuggerd system_app_data_file:file r_file_perms; |
| allow debuggerd app_data_file:file r_file_perms; |
| |
| # /system/bin/am |
| allow debuggerd system_file:file execute_no_trans; |
| allow debuggerd zygote_exec:file { execute execute_no_trans }; |
| |
| #/proc/driver/storage_logger |
| allow debuggerd proc_slogger:file { write read open }; |
| |
| # MOTA upgrade from JB->L: aee_dumpstate(ps top df dmesg) |
| # allow debuggerd unlabeled:lnk_file read; |
| |
| #allow debuggerd dalvikcache_data_file:dir { write add_name remove_name}; |
| #allow debuggerd dalvikcache_data_file:file { write create setattr }; |
| |
| binder_use(debuggerd) |
| allow debuggerd system_server:binder call; |
| allow debuggerd surfaceflinger:binder call; |
| allow debuggerd surfaceflinger:fd use; |
| allow debuggerd platform_app:fd use; |
| allow debuggerd platform_app_tmpfs:file write; |
| |
| # aed and MTKLogger.apk socket connect |
| allow debuggerd platform_app:unix_stream_socket connectto; |
| |
| allow debuggerd self:udp_socket { create ioctl }; |
| |
| allow debuggerd init:process getsched; |
| allow debuggerd kernel:process getsched; |
| |
| # for SF_dump |
| allow debuggerd sf_bqdump_data_file:dir { read write open remove_name search}; |
| allow debuggerd sf_bqdump_data_file:file { read getattr unlink open }; |
| |
| |
| allow debuggerd custom_file:dir search; |
| |
| # avc: denied { read } for pid=4503 comm="screencap" name="secmem0" dev="proc" |
| allow debuggerd proc_secmem:file r_file_perms; |
| |
| #add debuggerd policy |
| allow debuggerd mnt_user_file:dir search; |
| allow debuggerd mnt_user_file:lnk_file read; |
| #allow debuggerd storage_file:dir search; |
| allow debuggerd storage_file:lnk_file read; |
| |
| # Date : WK15.30 |
| # Operation : Migration |
| # Purpose : for device bring up, not to block early migration/sanity |
| allow debuggerd log_device:chr_file read; |
| |
| # Date: W15.34 |
| # Operation: Migration |
| # Purpose: For pagemap & pageflags information in NE DB |
| userdebug_or_eng(`allow debuggerd self:capability sys_admin;') |
| |
| # Date: W15.35 |
| # Operation: Android M Daily Sanity |
| # Purpose: Add rules for Violation |
| allow debuggerd activity_service:service_manager find; |
| allow debuggerd dbinfo_service:service_manager find; |
| allow debuggerd meminfo_service:service_manager find; |
| allow debuggerd self:capability sys_admin; |
| allow debuggerd surfaceflinger_service:service_manager find; |
| allow debuggerd window_service:service_manager find; |
| |
| # Date: W15.37 |
| # Operation: daily build violation on branch trunk-m0.tk |
| # Purpose: Add rules for Violation |
| allow debuggerd proc_lk_env:file { read write ioctl open }; |
| |
| # Date: W15.39 |
| # Operation: daily build violation on branch trunk-m0.tk |
| # Purpose: Allow debuggerd to find gfxinfo_service |
| allow debuggerd gfxinfo_service:service_manager find; |
| |
| # Date : 2015/06/12 |
| # Operation: TEEI integration |
| # Purpose: access for fp device and client device of TEEI |
| allow debuggerd teei_fp_device:chr_file rw_file_perms; |
| allow debuggerd teei_client_device:chr_file rw_file_perms; |
| |
| #scp file dumpstate |
| allow debuggerd sysfs_scp:dir search; |
| allow debuggerd sysfs_scp:file { read open }; |
| |
| #android log much file |
| allow debuggerd logmuch_data_file:dir search; |
| allow debuggerd logmuch_data_file:file { read open }; |
| |
| # Date: W15.53 |
| # Operation: add DUMPSYS_DISPLAY to db |
| # Purpose: Allow debuggerd to find gfxinfo_service |
| allow debuggerd display_service:service_manager find; |
| |
| # Date : WK16.04 |
| # Operation : direct coredump enhancement |
| # Purpose : support abort message dumping |
| userdebug_or_eng(` |
| allow debuggerd aee_interim_data_file:dir { remove_name }; |
| allow debuggerd aee_interim_data_file:file { unlink }; |
| ') |
| |