| # ============================================== |
| # MTK Policy Rule |
| # ============================================== |
| |
| # Do not allow access to the generic sysfs label. This is too broad. |
| # Instead, if access to part of sysfs is desired, it should have a |
| # more specific label. |
| # TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations. |
| # allow hal_usb sysfs:file write; |
| # hal_server_domain(mtk_hal_usb, hal_usb) |
| # |
| # r_dir_file(hal_wifi, sysfs_type) |
| # hal_server_domain(mtk_hal_wifi, hal_wifi) |
| # |
| full_treble_only(` |
| neverallow ~{ |
| apexd |
| init |
| merged_hal_service |
| mtk_hal_bluetooth |
| # TODO(b/152082918) Remove mtk_hal_camera line when permissions are fixed. |
| mtk_hal_camera |
| mtk_hal_power |
| mtk_hal_usb |
| mtk_hal_wifi |
| hal_bluetooth_btlinux |
| hal_bluetooth_default |
| hal_drm_clearkey |
| hal_drm_clearkey_aidl |
| hal_drm_default |
| hal_drm_widevine |
| hal_fingerprint_default |
| hal_radio_config_default |
| hal_radio_default |
| hal_usb_default |
| hal_wifi_default |
| hal_wifi_supplicant_default |
| rild |
| tee |
| ueventd |
| vendor_init |
| vold |
| } sysfs:file *; |
| |
| neverallow { |
| merged_hal_service |
| mtk_hal_bluetooth |
| mtk_hal_power |
| mtk_hal_wifi |
| hal_bluetooth_btlinux |
| hal_bluetooth_default |
| hal_drm_clearkey |
| hal_drm_clearkey_aidl |
| hal_drm_default |
| hal_drm_widevine |
| hal_fingerprint_default |
| hal_radio_config_default |
| hal_radio_default |
| hal_wifi_default |
| hal_wifi_supplicant_default |
| rild |
| tee |
| } sysfs:file ~r_file_perms; |
| |
| neverallow { |
| hal_usb_default |
| init |
| mtk_hal_usb |
| ueventd |
| vendor_init |
| vold |
| } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto }; |
| ') |
| |
| # Do not allow access to the generic proc label. This is too broad. |
| # Instead, if access to part of proc is desired, it should have a |
| # more specific label. |
| # TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations. |
| # |
| # r_dir_file(hal_audio, proc) |
| # hal_server_domain(mtk_hal_audio, hal_audio) |
| # hal_client_domain(audioserver, hal_audio) |
| # |
| full_treble_only(` |
| neverallow ~{ |
| audiocmdservice_atci |
| audioserver |
| bluetooth |
| hal_audio_default |
| hal_graphics_allocator_default |
| init |
| merged_hal_service |
| mtk_hal_audio |
| rild |
| system_server |
| vendor_init |
| vold |
| } proc:file *; |
| |
| neverallow { |
| audiocmdservice_atci |
| audioserver |
| bluetooth |
| hal_audio_default |
| hal_graphics_allocator_default |
| init |
| merged_hal_service |
| mtk_hal_audio |
| rild |
| system_server |
| vold |
| } proc:file ~r_file_perms; |
| |
| neverallow vendor_init proc:file ~{ r_file_perms setattr }; |
| |
| neverallow ~{ |
| audiocmdservice_atci |
| audioserver |
| bluetooth |
| hal_audio_default |
| init |
| mtk_hal_audio |
| rild |
| system_server |
| } proc:lnk_file ~{ read getattr }; |
| |
| neverallow { |
| audiocmdservice_atci |
| audioserver |
| bluetooth |
| hal_audio_default |
| init |
| mtk_hal_audio |
| rild |
| system_server |
| } proc:lnk_file ~r_file_perms; |
| ') |
| |
| |
| # Do not allow access to the generic system_data_file label. This is |
| # too broad. |
| # Instead, if access to part of system_data_file is desired, it should |
| # have a more specific label. |
| # TODO: Remove merged_hal_service and so on once there are no violations. |
| # |
| # allow hal_drm system_data_file:file { getattr read }; |
| # hal_server_domain(merged_hal_service, hal_drm) |
| # |
| full_treble_only(` |
| neverallow { |
| domain |
| -coredomain |
| -appdomain |
| -hal_cas_default |
| -hal_drm_clearkey |
| -hal_drm_clearkey_aidl |
| -hal_drm_default |
| -hal_drm_widevine |
| -merged_hal_service |
| -tee |
| } system_data_file:file *; |
| |
| neverallow ~{ |
| appdomain |
| app_zygote |
| hal_drm_clearkey |
| hal_drm_clearkey_aidl |
| hal_drm_default |
| hal_drm_widevine |
| init |
| installd |
| iorap_prefetcherd |
| mediadrmserver |
| mediaextractor |
| mediaserver |
| merged_hal_service |
| system_server |
| tee |
| toolbox |
| vold |
| vold_prepare_subdirs |
| with_asan(`asan_extract') |
| } system_data_file:file ~r_file_perms; |
| |
| neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map }; |
| |
| neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto }; |
| |
| neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; |
| |
| neverallow iorap_prefetcherd system_data_file:file ~{ open read }; |
| |
| neverallow { |
| hal_drm_clearkey |
| hal_drm_clearkey_aidl |
| hal_drm_default |
| hal_drm_widevine |
| mediadrmserver |
| mediaextractor |
| mediaserver |
| merged_hal_service |
| tee |
| } system_data_file:file ~{ getattr read }; |
| |
| neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link }; |
| |
| neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink }; |
| |
| neverallow vold system_data_file:file ~read; |
| ') |
| |
| # Do not allow access to the generic device label. This is too broad. |
| # Instead, if access to part of device is desired, it should have a |
| # more specific label. |
| # TODO: Remove hal_camera and so on once there are no violations. |
| # |
| # allow hal_camera device:dir r_dir_perms; |
| # hal_client_domain(cameraserver, hal_camera) |
| # |
| full_treble_only(` |
| neverallow ~{ |
| apexd |
| cameraserver |
| fastbootd |
| hal_camera |
| hal_camera_default |
| init |
| mtk_hal_camera |
| otapreopt_chroot |
| recovery |
| shell |
| slideshow |
| system_server |
| vendor_init |
| vold |
| ueventd |
| } device:dir ~{ search getattr }; |
| |
| neverallow { |
| cameraserver |
| fastbootd |
| hal_camera |
| hal_camera_default |
| mtk_hal_camera |
| system_server |
| shell |
| slideshow |
| recovery |
| } device:dir ~r_dir_perms; |
| |
| neverallow init device:dir ~{ create_dir_perms mounton relabelto }; |
| |
| neverallow vendor_init device:dir ~{ create_dir_perms mounton }; |
| |
| neverallow vold device:dir ~{ search getattr write }; |
| |
| neverallow ueventd device:dir ~create_dir_perms; |
| ') |