136 Commits

Author SHA1 Message Date
Sarthak Roy
5e65e958c8 basic: non_plat: Drop duplicate proc_dirty label
- 6c174897d8%5E%21/#F0

Signed-off-by: Sarthak Roy <sarthakroy2002@gmail.com>
Change-Id: Id728838ae47fe86a98e46a15e6c8875cd60010ef
2026-01-18 13:00:51 +00:00
Sarthak Roy
eccbac7a11 basic: non_plat: Drop system_server neverallow
* 7a398c0bbd%5E%21/#F0

Signed-off-by: Sarthak Roy <sarthakroy2002@gmail.com>
Change-Id: I8f08d47d6d1fc2ed3d0218a8e05dcdf2dbb25eee
Signed-off-by: Saikrishna1504 <saikrishna26918@gmail.com>
2025-12-09 22:15:05 +05:30
Yumi Yukimura
9bc99b2fd0 basic: non_plat: Rename proc_vm_dirty to proc_dirty
AOSP 16 QPR2 Beta GSI has labeled the path as `proc_dirty`.
Labeling the same path with a different label breaks booting.

Change-Id: Ie2cb2b5ac15a3ce731bda72d7a33e911eecf4803
2025-10-10 12:09:27 +05:30
Erfan Abdi
5a6829050c basic: non_plat: Allow update_engine to write to bootdevice
Change-Id: I9c0f8276e212fea2992daacf491675a4b8e98410
Signed-off-by: Cyber Knight <cyberknight755@gmail.com>
Signed-off-by: Sarthak Roy <sarthakroy2002@gmail.com>
2025-10-10 12:08:49 +05:30
Mashopy
dd2e76aaee basic: non_plat: Label OSS bluetooth AIDL service
Change-Id: Iec2e800f5368e17c4ba2df60dcca4e65d6a4ca6e
2025-09-22 02:46:11 +05:30
Sarthak Roy
f5c49c44b4 bsp: non_plat: Remove unused drmserver getpidcon policy
* 1c90bcff16%5E%21/

Signed-off-by: Sarthak Roy <sarthakroy2002@gmail.com>
Change-Id: I634ca20beab29ca354af6034a4b75c2f49cc9240
2025-09-22 02:46:11 +05:30
bengris32
331a6724d9 basic: non_plat: Label AIDL NXP NFC service
This doesn't really make sense to keep as a device specific label
so add it here.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I411cf6e14aec4b58b63785cd41e6a87ed025a2b7
2025-09-22 02:46:10 +05:30
bengris32
22d564be27 basic: non_plat: Allow charger_vendor to access drm/fb device nodes
Change-Id: Id7f386b46015ef4ad2b7c6af54ba0c149c7080fb
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2025-09-22 02:46:10 +05:30
bengris32
2bb87dddbe basic: non_plat: Remove mtk_hal_sensors type
* Use hal_sensors_default instead, and remove system_file
  access since it's only used for debugging.

Change-Id: I265d77c9248671bdb2430f09ea9d3440599ba76c
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2025-09-22 02:46:09 +05:30
Dhina17
6fcc55b754 debug: Avoid accessing binderfs logs
Fixes neverallows errors in 15.

Change-Id: I9b9b0c95198144b54424a1c6738639f6ae3e8545
2025-09-22 02:46:09 +05:30
Matsvei Niaverau
7a087664de basic: non_plat: Drop duplicate declaration of iso9660
* 70ed191f2b

Change-Id: Iacc498152225f70207dc5e19bc03ca71d81df4c9
2025-09-22 02:46:08 +05:30
Aaron Kling
30d5c6176d basic: plat_private: Drop duplicate declaration of ro.audio.usb.period_us
This is now labelled by aosp policy

Change-Id: Idc0b535922ec0fd40ae20655393c554748e1aac4
2025-09-22 02:46:08 +05:30
bengris32
ff40c184bf basic: non_plat: Use rw_dir_file macro
Change-Id: I307ef2c9cc26def9f08ddec6b6aa5b66bb49891d
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2025-09-22 02:46:07 +05:30
bengris32
05f90a1102 basic: non_plat: Allow libperfmgr to access PPM nodes
Change-Id: I89dfbd939737e184bb5d454fa29620b47e35de9a
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2025-09-22 02:46:07 +05:30
techyminati
0d10533a25 basic: Allow nvram_daemon to get/set vendor_mtk_service_nvram_restore_prop
* Fixes:-
12-11 21:10:56.876     1     1 W /system/bin/init: type=1107 audit(0.0:206): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.service.nvram_restore pid=775 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:vendor_mtk_service_nvram_restore_prop:s0 tclass=property_service permissive=0

* When the nvram_daemon is denied to get/set the vendor.service.nvram_restore property, the baseband and RIL fail to initialize correctly. This results in the device showing an "unknown baseband" status and the RIL being non-functional. This sepolicy rule addresses this issue.

* Test: m, verify that Baseband is not Unknown & RIL works fine.

Change-Id: Ib8ce7399fb24f55a9f5020d51a388d0b90fd7dd2
Signed-off-by: techyminati <sinha.aryan03@gmail.com>
2025-09-22 02:45:51 +05:30
ZiadTamer
7dd07597c1 basic: non_plat: Address more nvram_daemon denial
u:r:init:s0 msg='avc:  denied  { set } for property=vendor.service.nvram_restore pid=934 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=1'

Change-Id: Iede282d64b6d6894c106dd83e0b03870e0f218a7
2024-06-01 20:34:28 +03:00
bengris32
7cb40986f9 basic: Allow power HAL to access mtk devfreq node
Change-Id: I787e88ff3bd72703cfb3c09c771f1c79106a68f5
2024-05-20 15:45:05 +02:00
bengris32
ed72d0212d basic: Allow power HAL to access gpufreqv2 node
Change-Id: I3cb246626d0c7af15b56cec14a6b44c599531a33
2024-05-20 15:44:33 +02:00
Giovanni Ricca
b0d0eb3154 sepolicy: Inherit common lineage power sepolicy
Change-Id: I355daa448454cd52a84f48cbb8bd44bfd67d0c9d
2024-05-20 14:57:32 +02:00
Abhinav Kumar
9db6f1e8a0 basic: non_plat: Allow mtk_hal_usb to create file and directory in configfs
* This commit adds permissions to allow the mtk_hal_usb module to create files and directories in the configfs filesystem. Specifically, the following permissions are added:
   - configfs:file create_file_perms: Allows mtk_hal_usb to create files in configfs.
   - configfs:dir create_dir_perms: Allows mtk_hal_usb to create directories in configfs.

* These permissions are necessary for support of USB Tethering in some devices and also fixed the following error
   type=1400 audit(0.0:7353): avc:  denied  { create } for  name="rndis.gs4" scontext=u:r:mtk_hal_usb:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=0

Change-Id: I0ef8e06098aa07490e8055e7178233f5d5a09442
Signed-off-by: Abhinav Kumar <abhinav.115260@gmail.com>
2024-04-29 17:02:22 +00:00
SamarV-121
209e8c8f10 sepolicy: Exclude debug sepolicies on user build
also move system_server binderfs_logs rule to debug sepolicy
causes neverallow for:
      (allow system_server binderfs_logs_proc (file (ioctl read getattr lock map open watch watch_reads)))
      (allow system_server binderfs_logs (file (ioctl read getattr lock map open watch watch_reads)))
      (allow aee_aedv binderfs_logs (file (ioctl read getattr lock map open watch watch_reads)))

besides, why even include these on user build

Change-Id: I76a43816185c98e08e0439cd29d3f7a3325ca795
2024-04-23 13:41:29 +00:00
Matsvei Niaverau
4428c661ba basic: non_plat: Allow update_engine to write to logo partition
Change-Id: Icfbf72c9313248ba529f69d9bc80b34ebc58752d
2024-04-22 13:52:41 +02:00
Matsvei Niaverau
c33742f894 basic: non_plat: Label logo partition as A/B
Change-Id: Ibc6576b7b665cbef5bc8dd37cfbf252b91a9cf30
2024-04-11 12:16:26 +02:00
bengris32
d2d073ce17 basic: non_plat: Label MediaTek USB Gadget HAL
Change-Id: I0ddb15426453b880777235ae614d8b8b988dfac6
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2024-03-26 14:53:21 +01:00
Yifan Hong
18632d849e basic: non_plat: Allow binder services to r/w su:tcp_socket
Test: binderHostDeviceTest
Bug: 182914638
Change-Id: Ie3d3b575d256a84e2dd31dcfab3ba305f54d02a6
2024-03-22 16:26:04 +00:00
Sarthak Roy
c148d3271a basic: Drop dtbo_block_device duplicate declaration
* 1b2d9de08d%5E%21/#F2

Signed-off-by: Sarthak Roy <sarthakroy2002@gmail.com>
Change-Id: Ibaa813bd61be3080818c533f28dc74374bf1e90f
2024-03-20 22:48:01 +05:30
bengris32
850b3d36fd basic: non_plat: Unlabel preloader_raw block devices
Change-Id: Ice2b087fc78ef9decba27f6b0fc2e20400ff09ff
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2024-03-01 15:12:56 +00:00
bengris32
d6e1e340cc basic: plat_private: Label create_pl_dev
Change-Id: Ia69ffe6264bef39554b708fa8bb3c70375431e2f
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2024-02-29 23:44:13 +00:00
bengris32
b2b0b1bb8f basic: non_plat: Label PELT multiplier node
Change-Id: If65e215fc819608bc9558a844884a3596a94c32b
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2024-02-28 21:03:15 +00:00
Matsvei Niaverau
1263da2195 basic: non_plat: Label AIDL MediaTek USB legacy service
Change-Id: I0256c49668526104fa742592b15084a1076cf568
2024-02-16 15:50:43 +01:00
bengris32
d22a2ab888 basic: non_plat: Address OSS USB gadget HAL denials
Change-Id: Ie5ca5a229d145a84e940d9f29205cf3e9282531a
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2024-02-15 12:45:19 +00:00
Woomymy
ab2549b89a basic: non_plat: Address init.insmod.sh denials
Change-Id: I2b858d17db6b8edf07f34f12f38342ae519056c8
Signed-off-by: Woomymy <woomy@woomy.be>
2024-02-15 12:02:05 +00:00
Adam Shih
40ea9e1bf7 basic: non_plat: Let GPU reload
02-22 12:59:47.955    15    15 I mali 28000000.mali: reloading firmware
02-22 12:59:47.955    15    15 W mali 28000000.mali: loading /vendor/firmware/mali_csffw.bin failed with error -13
02-22 12:59:47.955    15    15 W mali 28000000.mali: Direct firmware load for mali_csffw.bin failed with error -2
02-22 12:59:47.955    15    15 E mali 28000000.mali: Failed to reload firmware image 'mali_csffw.bin'
02-22 12:59:47.920    15    15 W kworker/0:1: type=1400 audit(0.0:10): avc: denied { read } for name="mali_csffw.bin" dev="dm-4" ino=5689716 scontext=u:r:kernel:s0 tcontext=u:object_r:same_process_hal_file:s0 tclass=file permissive=0

Bug: 220801802
Test: device can resume after an hour of suspend.
Change-Id: Ib252d6b1ac50ba7578a2ebf8cd8745004c385378
2024-02-12 21:13:18 +00:00
Matsvei Niaverau
4098d11dc5 bsp: plat_private: Label system_ext kpoc_charger
Change-Id: If9f3fef45a1a99703552efd70a3130d94abac0f6
2024-02-09 15:45:16 +01:00
bengris32
02bdb90a6e basic: non_plat: Allow vendor_init to set audio/pq properties
Change-Id: I716b162f4fb25b19af07016af01d4003770b5628
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2024-02-07 22:54:27 +00:00
Giovanni Ricca
66e32b32e1 basic: Allow keymint to set soter props
Change-Id: I1413f622d6d3d206b780e1ba996b65ab46a9a926
2024-02-02 19:46:03 +01:00
Giovanni Ricca
508c45b356 basic: Allow mtk_hal_nvramagent access to dts nodes
Change-Id: Ie890831b4a31d7595bd5bc0d3d48d8af35fb0afb
2024-01-02 16:10:24 +01:00
Giovanni Ricca
6d2525868e bsp: Allow netutils_wrapper access to misc devices
Change-Id: I114b30b1a46b7d5ceec1664423e7c25f1be29448
2024-01-02 16:08:20 +01:00
Giovanni Ricca
ff24786f5a bsp: Label system_ext vtservice
Change-Id: I792cf32154884ebbdbd4907006a75857e366f1d2
2024-01-01 22:20:52 +01:00
Giovanni Ricca
532b60ca02 sepolicy: Guard invalid labels
* MTK devices with R vendor and older still depend on those labels

Change-Id: If2e78d5a22722b0038afbb6f9a651bc073b8f4c8
2023-12-28 11:50:04 +01:00
Giovanni Ricca
6de1ec34cc bsp: plat_private: Define mtk_hal_sf_service
Change-Id: I1d3e52b574c09505a77161a5508f4960dad3250f
2023-12-27 22:33:42 +00:00
Giovanni Ricca
c420b9b98e bsp: non_plat: Remove duplicate labels
Change-Id: I86f4700a6a2e123f7693eda5daf088011bd2c35a
2023-12-27 22:31:18 +00:00
bengris32
a55780d6aa bsp: plat_private: Allow radio to get system_mtk_vodata_prop
Change-Id: Ie95160741a6e7a5c9955992a267163bf733c296f
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2023-12-25 12:14:15 +00:00
Felix
461b31145f sepolicy: Use BOARD_VENDOR_SEPOLICY_DIRS
BOARD_SEPOLICY_DIRS is deprecated.

Change-Id: I046282b2a2e8c541726fb29cb0044503322d4be9
2023-12-22 16:31:24 +00:00
bengris32
88ca19b34a basic: non_plat: Label MediaTek audio service
Change-Id: Ibf4a8bcde2425d30eb809a35501723c9630fd343
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2023-12-21 17:02:20 +00:00
bengris32
c5509c7506 basic: non_plat: Label AIDL thermal service
Change-Id: I19e9081bb7437ab05100ac21800a452d4f683ea7
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2023-12-19 22:41:31 +00:00
Sarthak Roy
2864204ce0 sepolicy: Drop duplicate declaration of mediaserver64/drmserver64
Signed-off-by: Sarthak Roy <sarthakroy2002@gmail.com>
Change-Id: I0f0365395d1040febadd533898dce66d001ddcca
2023-10-29 17:44:17 +00:00
SamarV-121
a58d7459e5 sepolicy: isolated_app -> isolated_app_all
* neverallow

Change-Id: If7dbddf30472de3b7c04c2e4f9a27e03e6ada619
2023-10-29 17:44:17 +00:00
Sarthak Roy
d0ef16e8db sepolicy: Drop fuseblk duplicate declaration
* 30ae427ed0%5E%21/#F7

Signed-off-by: Sarthak Roy <sarthakroy2002@gmail.com>
Change-Id: I502237dc1712bcb8a542ad604d907bd3de363e63
2023-10-29 17:44:11 +00:00
bengris32
f3e97c194d basic: non_plat: Label AIDL ST NFC service
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2023-10-23 23:25:58 +01:00