sepolicy/mtkmal.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

# ==============================================
# Policy File of /system/bin/mtkmal Executable File 

# ==============================================
# Type Declaration
# ==============================================
type mtkmal, domain;
type mtkmal_exec, exec_type, file_type;

# ==============================================
# MTK Policy Rule
# ==============================================
# permissive mtkmal;
init_daemon_domain(mtkmal)

# Date : WK15.33
# Operation : Migration 
# Purpose : for MTKMAL

# Basic
allow mtkmal socket_device:sock_file write;
allow mtkmal device:dir write;
allow mtkmal device:dir add_name;
allow mtkmal device:lnk_file create;
allow mtkmal device:dir remove_name;
allow mtkmal device:lnk_file unlink;
# ==============================================
# TODO: NOT to use device iimmediately, instead of a new label for /dev/radio
# allow mtkmal XXX_radio_device:chr_file { open read write ioctl };
# ==============================================
allow mtkmal radio_tmpfs:file write;
allow mtkmal tmpfs:lnk_file read;

# MAL mode
allow mtkmal persist_mal_prop:property_service set;

# VzW APN table
allow mtkmal system_data_file:dir { read write open add_name remove_name };
allow mtkmal mal_data_file:dir create_dir_perms;
allow mtkmal mal_data_file:file create_file_perms;

# ATCP
allow mtkmal devpts:chr_file { open read write ioctl };
allow mtkmal devpts:chr_file { getattr setattr };

# Netlink
allow mtkmal self:netlink_route_socket { bind create write nlmsg_read };

# RILPROXY
allow mtkmal rilproxy:unix_stream_socket connectto;

# RILD connection
allow mtkmal mtkrild:unix_stream_socket connectto;
allow mtkmal rild_mal_socket:sock_file write;
allow mtkmal rild_mal_at_socket:sock_file write;
allow mtkmal rild_mal_md2_socket:sock_file write;
allow mtkmal rild_mal_at_md2_socket:sock_file write;

# IMCB connection
allow mtkmal volte_imcb:unix_stream_socket connectto;
allow mtkmal volte_imsa1_socket:sock_file write;

# IMSM connection
allow mtkmal mtkmal:unix_stream_socket connectto;
allow mtkmal mal_mfi_socket:sock_file write;

# NETd
allow mtkmal netd:unix_stream_socket connectto;
allow mtkmal netd_socket:sock_file write;

# INIT
allow mtkmal init:unix_stream_socket connectto;
allow mtkmal property_socket:sock_file write;
allow mtkmal ctl_volte_imcb_prop:property_service set;
allow mtkmal ctl_volte_ua_prop:property_service set;
allow mtkmal ctl_volte_stack_prop:property_service set;
allow mtkmal volte_prop:property_service set;
allow mtkmal ril_mux_report_case_prop:property_service set;
allow mtkmal radio_prop:property_service set;

allow mtkmal self:capability { setuid setgid };

allow mtkmal system_file:file execute_no_trans;

allow mtkmal shell_exec:file { read execute open execute_no_trans };

# ePDGa
allow mtkmal devpts:chr_file setattr;
allow mtkmal epdg_wod:unix_stream_socket connectto;
allow mtkmal wod_sim_socket:sock_file write;
allow mtkmal wod_action_socket:sock_file write;
allow mtkmal self:udp_socket { create ioctl };
allow mtkmal device:dir write;
allow mtkmal device:dir add_name;
allow mtkmal self:netlink_route_socket { write nlmsg_write read bind create nlmsg_read };
allow mtkmal device:lnk_file create;

#for RAN access wpa
unix_socket_send(mtkmal, wpa, wpa)
allow mtkmal wpa_socket:dir rw_dir_perms;
allow mtkmal wpa_socket:sock_file create_file_perms;
allow mtkmal wifi_data_file:dir create_dir_perms;
allow mtkmal wifi_data_file:file create_file_perms;
allow mtkmal wpa:unix_dgram_socket sendto;
allow wpa mtkmal:unix_stream_socket connectto;
allow wpa mtkmal:unix_dgram_socket sendto;
allow wpa init:unix_dgram_socket sendto;

#for access to wfca
allow mtkmal wfca:unix_stream_socket connectto;

#for timer
allow mtkmal self:capability2 wake_alarm;