blob: 17bacba7cf3db4f2ff5f16c9d69da033dca78325 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
# ==============================================
# Policy File of /vendor/bin/mnld Executable File
# ==============================================
# Type Declaration
# ==============================================
type mnld, domain;
type mnld_exec, exec_type, file_type, vendor_file_type;
typeattribute mnld mlstrustedsubject;
# ==============================================
# MTK Policy Rule
# ==============================================
# STOPSHIP: Permissive is not allowed. CTS violation!
init_daemon_domain(mnld)
net_domain(mnld)
# Purpose : For communicate with AGPSD by socket
allow mnld agpsd_data_file:dir create_dir_perms;
allow mnld agpsd_data_file:sock_file create_file_perms;
allow mnld mtk_agpsd:unix_dgram_socket sendto;
allow mnld sysfs_wake_lock:file rw_file_perms;
# Purpose : For access NVRAM data
allow mnld nvram_data_file:dir create_dir_perms;
allow mnld nvram_data_file:file create_file_perms;
allow mnld nvram_data_file:lnk_file read;
allow mnld nvdata_file:lnk_file read;
allow mnld nvram_device:blk_file rw_file_perms;
allow mnld nvram_device:chr_file rw_file_perms;
allow mnld nvdata_file:dir create_dir_perms;
allow mnld nvdata_file:file create_file_perms;
# Purpose : For access kernel device
allow mnld mnld_data_file:dir rw_dir_perms;
allow mnld mnld_data_file:sock_file create_file_perms;
allow mnld mnld_device:chr_file rw_file_perms;
allow mnld mnld_data_file:file rw_file_perms;
allow mnld mnld_data_file:file create_file_perms;
allow mnld mnld_data_file:fifo_file create_file_perms;
# Purpose : For init process
allow mnld init:udp_socket { read write };
# Send the message to the LBS HIDL Service to forward to applications
allow mnld lbs_hidl_service:unix_dgram_socket sendto;
# Send the message to the merged hal Service to forward to applications
allow mnld merged_hal_service:unix_dgram_socket sendto;
# Purpose : For access system data
allow mnld block_device:dir search;
set_prop(mnld, vendor_mtk_mnld_prop)
allow mnld mdlog_device:chr_file { read write };
allow mnld self:capability { fsetid };
allow mnld stpbt_device:chr_file { read write };
allow mnld gpsdl_device:chr_file { read write };
allow mnld ttyGS_device:chr_file { read write };
# Purpose : For file system operations
allow mnld sdcard_type:dir search;
allow mnld sdcard_type:dir write;
allow mnld sdcard_type:dir add_name;
allow mnld sdcard_type:file create;
allow mnld sdcard_type:file rw_file_perms;
allow mnld sdcard_type:file create_file_perms;
allow mnld sdcard_type:dir { read remove_name create open };
allow mnld tmpfs:lnk_file { read create open };
allow mnld mtd_device:dir search;
allow mnld mnt_user_file:lnk_file read;
allow mnld mnt_user_file:dir search;
allow mnld gps_data_file:dir { create_dir_perms unlink };
allow mnld gps_data_file:file { read write open create getattr append setattr unlink lock rename };
allow mnld gps_data_file:lnk_file read;
allow mnld storage_file:lnk_file read;
# Date : WK15.30
# Operation : Migration
# Purpose : for device bring up, not to block early migration/sanity
allow mnld proc_lk_env:file rw_file_perms;
# For HIDL, communicate mtk_hal_gnss instead of system_server
allow mnld mtk_hal_gnss:unix_dgram_socket sendto;
# Purpose : MPE sensor HIDL policy
hwbinder_use(mnld);
binder_call(mnld, system_server)
allow mnld fwk_sensor_hwservice:hwservice_manager find;
get_prop(mnld, hwservicemanager_prop)
allow mnld debugfs_tracing:file { open write };
allow mnld mnt_vendor_file:dir search;
#get waks_alarm timer create prop
allow mnld mnld:capability2 wake_alarm;
# Date : WK18.26
# Purpose : for atci gps test
allow mnld atci_service:unix_dgram_socket sendto;
allow mnld sysfs_boot_mode:file { read open };
set_prop(mnld, vendor_mtk_radio_prop)
allow mnld proc_cmdline:file r_file_perms;
allow mnld sysfs_dt_firmware_android:dir search;
allow mnld sysfs_dt_firmware_android:file r_file_perms;
allow mnld metadata_file:dir search;
#for mnld get screen on/off
allow mnld sysfs_leds:dir search;
allow mnld sysfs_leds:file r_file_perms;
#Add for /nvcfg/almanac.dat
allow mnld nvcfg_file:dir w_dir_perms;
allow mnld nvcfg_file:file create_file_perms;
allow mnld self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
|
