sepolicy.rule
## Dolby
# SELinux policy patches for the Dolby components referenced below
# (daxservice_app, hal_dms_default, hal_dms_default_exec).
# NOTE(review): allow rules are keyed on the domain type, so every rule that
# names an app domain applies to all processes in that domain, not only to the
# Dolby app.
# debug
# Lets system_server write to any file labelled system_file.
# NOTE(review): the author marks this as debug; confirm it is needed outside
# of debugging, since system_file is the label of most of /system.
allow system_server system_file file write
# context
# Presumably declares the listed types so later rules can reference them on
# ROMs that lack them.
# NOTE(review): `create` looks like the older magiskpolicy spelling of `type`;
# confirm the targeted Magisk version accepts it.
create { system_lib_file vendor_file vendor_configs_file vendor_data_file vendor_media_data_file hal_dms_default_exec }
# Lets objects carrying these labels be associated with a labelled filesystem.
allow { system_file system_lib_file vendor_file vendor_configs_file vendor_data_file vendor_media_data_file hal_dms_default_exec } labeledfs filesystem associate
# Lets init relabel files and directories away from these types.
allow init { system_file system_lib_file vendor_file vendor_configs_file vendor_data_file vendor_media_data_file } { dir file } relabelfrom
# Same for the Dolby HAL executable (files only).
allow init hal_dms_default_exec file relabelfrom
# hwservice_manager
# Lets every app domain listed (including untrusted_app*) and the audio
# domains look up the Dolby hwservices and default_android_hwservice.
# NOTE(review): default_android_hwservice appears to be the catch-all label for
# hwservices without their own type, so `find` on it reaches more than Dolby;
# confirm whether the dms labels alone are sufficient.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } { default_android_hwservice hal_dms_hwservice dms_hwservice } hwservice_manager find
# service_manager
# Lets the Dolby service app look up these four framework services.
allow daxservice_app { permission_checker_service game_service netstats_service content_capture_service } service_manager find
# binder
# Lets every listed app domain make binder calls into the Dolby HAL.
# NOTE(review): this exposes hal_dms_default to third-party apps; SELinux no
# longer filters the caller, so the HAL has to validate its own inputs.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } hal_dms_default binder call
# file
# App domains: stat the Dolby HAL executable and the display-feature property.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } { hal_dms_default_exec vendor_displayfeature_prop } file getattr
# App domains: map these property files.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } { bluetooth_prop vendor_displayfeature_prop qemu_hw_prop } file map
# App domains: full read access (read/open/getattr/map) to these property files.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } { vendor_default_prop vendor_audio_prop debug_mtk_gpud_prop audio_config_prop } file { read open getattr map }
# App domains: read access to qemu_hw_prop (map is granted by the rule above).
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } qemu_hw_prop file { read open getattr }
# App domains: read/open on vendor property, data and sysfs files.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } { vendor_displayfeature_prop mcd_data_file sysfs_migt migt_file } file { read open }
# App domains: write to files labelled proc_mi_log.
# NOTE(review): this is a write grant to all third-party apps; confirm what
# proc_mi_log backs before keeping it for untrusted_app*.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } proc_mi_log file write
# Audio domains: read the Dolby log-level property.
allow { hal_audio_default mtk_hal_audio audioserver } vendor_dolby_loglevel_prop file { read open getattr }
# zygote: write to files labelled `device` or `unlabeled`.
# NOTE(review): both are catch-all labels, and zygote is the parent of every
# app process; confirm which concrete file triggered the denial and whether a
# narrower label can be used.
allow zygote { device unlabeled } file write
# zygote: create and open files on its tmpfs.
allow zygote zygote_tmpfs file { create open }
# init: use a system_file-labelled file as a mount point.
allow init system_file file mounton
# Dolby service app: read default_prop.
allow daxservice_app default_prop file read
# chr_file
# App domains: read/write/open/getattr/ioctl on character devices labelled
# `device`.
# NOTE(review): `device` is the generic label for /dev nodes without a specific
# type, so this grants third-party apps access to any such unlabelled device
# node (DAC permissions still apply). Prefer labelling the one node that is
# needed and allowing only that type.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } device chr_file { read write open getattr ioctl }
# dir
# App domains: traverse the migt and mcd data directories.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } { migt_file mcd_data_file } dir search
# App domains: `write` on directories labelled system_file.
# NOTE(review): a write grant on system directories to untrusted_app* removes
# the SELinux barrier there and leaves only DAC and the read-only mount;
# confirm that it is required.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } system_file dir write
# App domains: traverse and stat directories labelled data_log_file.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } data_log_file dir { search getattr }
# unix_stream_socket
# App domains: getsockopt on zygote's unix stream socket.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } zygote unix_stream_socket getopt
# capability
# Allows each app domain to use dac_read_search, dac_override and sys_resource
# on itself (one rule per domain because the source and target must match).
# An allow rule only lifts the SELinux check; the process must still hold the
# capability in its effective set for the kernel to honour it.
# NOTE(review): dac_override and dac_read_search bypass file permission checks.
# Granting them to untrusted_app* removes a defence-in-depth layer for every
# third-party app; confirm which domain actually logs the denial and restrict
# the rule to that domain.
allow system_app system_app capability { dac_read_search dac_override sys_resource }
allow platform_app platform_app capability { dac_read_search dac_override sys_resource }
allow priv_app priv_app capability { dac_read_search dac_override sys_resource }
allow untrusted_app_29 untrusted_app_29 capability { dac_read_search dac_override sys_resource }
allow untrusted_app_27 untrusted_app_27 capability { dac_read_search dac_override sys_resource }
allow untrusted_app untrusted_app capability { dac_read_search dac_override sys_resource }
# additional
# Extra grants for the three audio domains (hal_audio_default, mtk_hal_audio,
# audioserver).
# Look up the system-suspend hwservice and default_android_hwservice.
allow { hal_audio_default mtk_hal_audio audioserver } { system_suspend_hwservice default_android_hwservice } hwservice_manager find
# Register hwservices under default_android_hwservice.
# NOTE(review): `add` on what appears to be the catch-all hwservice label lets
# these domains register any service that has no dedicated type; confirm that
# a dedicated label cannot be used instead.
allow { hal_audio_default mtk_hal_audio audioserver } default_android_hwservice hwservice_manager add
# Look up the system-suspend service through service_manager.
allow { hal_audio_default mtk_hal_audio audioserver } hal_system_suspend_service service_manager find
# Property files: read/open/getattr/map.
allow { hal_audio_default mtk_hal_audio audioserver } { default_prop boottime_prop audio_prop radio_prop vendor_pd_locater_dbg_prop } file { read open getattr map }
# Property and /mnt/vendor files: read/open/getattr.
allow { hal_audio_default mtk_hal_audio audioserver } { mnt_vendor_file system_prop vendor_default_prop } file { read open getattr }
# Write to the wake-lock sysfs files.
allow { hal_audio_default mtk_hal_audio audioserver } sysfs_wake_lock file { write open }
# Read generic sysfs, boot-mode sysfs and the bluetooth property.
allow { hal_audio_default mtk_hal_audio audioserver } { sysfs sysfs_boot_mode bluetooth_prop } file { read open }
allow { hal_audio_default mtk_hal_audio audioserver } bluetooth_prop file getattr
allow { hal_audio_default mtk_hal_audio audioserver } system_prop file map
allow { hal_audio_default mtk_hal_audio audioserver } boot_status_prop file read
# Directory traversal and listing under sysfs and debugfs_ion.
allow { hal_audio_default mtk_hal_audio audioserver } { sysfs_net debugfs_ion } dir search
allow { hal_audio_default mtk_hal_audio audioserver } { sysfs_net sysfs } dir { read open }
# Logging: write to the logd socket file and connect to logd.
allow { hal_audio_default mtk_hal_audio audioserver } logd_socket sock_file write
allow { hal_audio_default mtk_hal_audio audioserver } logd unix_stream_socket connectto
# Full access (including ioctl) to the diag character devices.
# NOTE(review): diag_device is typically a vendor diagnostics interface;
# confirm that audio needs it on release builds.
allow { hal_audio_default mtk_hal_audio audioserver } { diag_device vendor_diag_device } chr_file { read write open ioctl getattr }
# Read/write character devices that carry the generic `device` label.
# NOTE(review): this covers any /dev node without a specific type; prefer
# labelling the needed node.
allow { hal_audio_default mtk_hal_audio audioserver } device chr_file { read write }
# Binder calls into system_suspend.
allow { hal_audio_default mtk_hal_audio audioserver } system_suspend binder call
# Write to pipes (fifo_file) that belong to the app domains.
allow { hal_audio_default mtk_hal_audio audioserver } { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } fifo_file write
# Self-capabilities, one rule per domain because source and target must match.
# block_suspend: allow holding wake locks.
allow hal_audio_default hal_audio_default capability2 block_suspend
allow mtk_hal_audio mtk_hal_audio capability2 block_suspend
allow audioserver audioserver capability2 block_suspend
# NOTE(review): sys_admin is an extremely broad capability, and dac_override
# bypasses file permission checks. These rules only lift the SELinux check
# (the process must still hold the capability), but they should be confirmed
# against the actual denials and trimmed to what is logged.
allow hal_audio_default hal_audio_default capability { sys_nice dac_override sys_admin dac_read_search }
allow mtk_hal_audio mtk_hal_audio capability { sys_nice dac_override sys_admin dac_read_search }
allow audioserver audioserver capability { sys_nice dac_override sys_admin dac_read_search }
# Create TCP sockets. Only `create` is granted here; connect, bind and listen
# are not.
allow hal_audio_default hal_audio_default tcp_socket create
allow mtk_hal_audio mtk_hal_audio tcp_socket create
allow audioserver audioserver tcp_socket create
## MiSound
# SELinux policy patches for the MiSound component.
# context
# Presumably declares the audio_socket type so the rules below can use it.
# NOTE(review): `create` looks like the older magiskpolicy spelling of `type`;
# confirm the targeted Magisk version accepts it.
create audio_socket
# Lets audio_socket objects be associated with a labelled filesystem.
allow audio_socket labeledfs filesystem associate
# Lets init relabel socket files away from audio_socket.
allow init audio_socket sock_file relabelfrom
# dir
# App domains: traverse mcd_data_file directories (the Dolby section of this
# file already grants the same permission).
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } mcd_data_file dir search
# App domains: traverse and stat mqsas_data_file directories.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } mqsas_data_file dir { search getattr }
# file
# App domains: read/open/getattr/map on the display and MiSound property files.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } { vendor_display_prop vendor_misound_ro_prop } file { read open getattr map }
# App domains: read/open/getattr on migt, mcd and sysfs_migt files.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } { migt_file mcd_data_file sysfs_migt } file { read open getattr }
# App domains: map the display-feature and qemu_hw property files.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } vendor_displayfeature_prop file map
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } qemu_hw_prop file map
# App domains: write to files labelled proc_mi_log (the same rule also appears
# in the Dolby section of this file).
# NOTE(review): this is a write grant to all third-party apps; confirm what
# proc_mi_log backs.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } proc_mi_log file write
# Audio domains: read/open/getattr/map on vendor_pd_locater_dbg_prop.
allow { hal_audio_default mtk_hal_audio audioserver } vendor_pd_locater_dbg_prop file { read open getattr map }
# sock_file
# App domains: write to the property service socket file. Together with the
# connectto and property_service rules below, this is what lets apps set
# properties.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } property_socket sock_file write
# Audio domains: write to the audio socket, the property socket and socket
# files labelled socket_device.
allow { hal_audio_default audioserver mtk_hal_audio } { audio_socket property_socket socket_device } sock_file write
# init: unlink, create and setattr on those socket files.
allow init { audio_socket property_socket socket_device } sock_file { unlink create setattr }
# unix_stream_socket
# App domains: getsockopt on zygote's unix stream socket (the same rule also
# appears in the Dolby section of this file).
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app } zygote unix_stream_socket getopt
# App and audio domains: connect to unix stream sockets owned by init.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app hal_audio_default audioserver mtk_hal_audio } init unix_stream_socket connectto
# crash_dump: read and write unix stream sockets owned by the audio domains.
allow crash_dump { hal_audio_default audioserver mtk_hal_audio } unix_stream_socket { read write }
# property_service
# App and audio domains: set properties labelled vendor_audio_prop.
# NOTE(review): this makes every vendor_audio_prop property writable by
# untrusted_app*. Any component that trusts those properties (the audio HAL
# reads them under the rules in this file) then takes input from third-party
# apps; confirm whether a narrower source domain is sufficient.
allow { system_app priv_app platform_app untrusted_app_29 untrusted_app_27 untrusted_app hal_audio_default audioserver mtk_hal_audio } vendor_audio_prop property_service set