# ==============================================
# Policy File of /system/bin/factory Executable File
#
# Declares the factory domain and its executable type, then lists the access
# the domain is granted, grouped by the test or migration that needed it.
# NOTE(review): the path above says /system/bin, but factory_exec is declared
# with vendor_file_type below - confirm where the binary is installed and
# how file_contexts labels it.
# NOTE(review): nothing in this file limits when init may start the domain;
# confirm the service definition only runs it in factory/test boot mode,
# because the grants below include mounting, raw device access and debugfs.

# ==============================================
# Type Declaration
# ==============================================

# ==============================================
# MTK Policy Rule
# ==============================================
type factory, domain;
type factory_exec, exec_type, file_type, vendor_file_type;
# AOSP macro: init transitions into the factory domain when it executes a file
# labelled factory_exec.
init_daemon_domain(factory)

#============= factory ==============
allow factory MTK_SMI_device:chr_file r_file_perms;
# NOTE(review): execute on ashmem_device permits executable mappings of shared
# memory. Together with the execmem grant later in this file it weakens W^X
# for the domain; confirm which test needs it.
allow factory ashmem_device:chr_file execute;
allow factory ebc_device:chr_file rw_file_perms;
allow factory stpbt_device:chr_file rw_file_perms;

# Date: WK14.47
# Operation : Migration
# Purpose : CCCI
allow factory eemcs_device:chr_file rw_file_perms;
allow factory ccci_device:chr_file rw_file_perms;
allow factory gsm0710muxd_device:chr_file rw_file_perms;

#Purpose: file system requirement
# Grants mount-point use on rootfs and vfat directories, mount/unmount of vfat
# filesystems and unmount of labeledfs, plus read/write to debugfs_usb files.
# NOTE(review): debugfs access is normally kept to debug builds - confirm it is
# acceptable wherever this policy ships.
allow factory debugfs_usb:file rw_file_perms;
allow factory debugfs_usb:dir search;
allow factory devpts:chr_file rw_file_perms;
allow factory vfat:dir w_dir_perms;
allow factory labeledfs:filesystem unmount;
allow factory rootfs:dir mounton;
allow factory vfat:dir { read open search mounton };
allow factory vfat:filesystem { mount unmount };

# Purpose : SDIO
allow factory ttySDIO_device:chr_file rw_file_perms;

#Purpose: USB
allow factory ttyMT_device:chr_file rw_file_perms;
allow factory ttyS_device:chr_file rw_file_perms;
allow factory ttyGS_device:chr_file rw_file_perms;

# Purpose: OTG
allow factory usb_device:chr_file rw_file_perms;
allow factory usb_device:dir r_dir_perms;

# Date: WK15.01
# Purpose : OTG Mount
allow factory sdcard_type:dir mounton;
# Date: WK15.07
# Purpose : use c2k flight mode;
allow factory vmodem_device:chr_file rw_file_perms;

# Date: WK15.13
# Purpose: for nand project
allow factory mtd_device:dir search;
allow factory mtd_device:chr_file rw_file_perms;
allow factory self:capability sys_resource;
allow factory pro_info_device:chr_file rw_file_perms;

# Date: WK15.28
# Purpose: for mt-ramdump reset
allow factory proc_mrdump_rst:file w_file_perms;

#Date: WK15.31
#Purpose: define factory_data_file instead of system_data_file
# because system_data_file is sensitive partition from M
# NOTE(review): no rule in this file references factory_data_file; the two
# statements below cover wakelocks and storage_file directories instead.
# Confirm whether this comment is stale.
wakelock_use(factory);
allow factory storage_file:dir { write create add_name search mounton };

# Date: WK15.44
# Purpose: factory idle current status
allow factory vendor_factory_idle_state_prop:property_service set;

# Date: WK15.46
# Purpose: gps factory mode
allow factory agpsd_data_file:dir search;
allow factory gps_data_file:dir { write add_name search remove_name unlink};
allow factory gps_data_file:file { read write open create getattr append setattr unlink lock};
allow factory gps_data_file:lnk_file read;
allow factory storage_file:lnk_file r_file_perms;

#Date: WK15.48
#Purpose: capture for factory mode
allow factory devmap_device:chr_file r_file_perms;
allow factory sdcard_type:dir create_dir_perms;
allow factory sdcard_type:file create_file_perms;
allow factory mnt_user_file:dir search;
allow factory mnt_user_file:lnk_file read;
# storage_file:lnk_file is also granted r_file_perms in the WK15.46 group above.
allow factory storage_file:lnk_file read;

#Date: WK16.05
#Purpose: For access NVRAM
# The capability rule names the domain's own type as target; other capability
# rules in this file spell the target as self.
# NOTE(review): the blk_file rules give read/write on the NVRAM block nodes
# themselves, not just on labelled files - presumably calibration data lives
# there; confirm that write access is needed outside the production line.
allow factory factory:capability chown;
allow factory nvram_data_file:dir create_dir_perms;
allow factory nvram_data_file:file create_file_perms;
allow factory nvram_data_file:lnk_file r_file_perms;
allow factory nvdata_file:lnk_file r_file_perms;
allow factory nvram_device:chr_file rw_file_perms;
allow factory nvram_device:blk_file rw_file_perms;
allow factory nvdata_device:blk_file rw_file_perms;

#Date: WK16.12
#Purpose: For sensor test
allow factory als_ps_device:chr_file r_file_perms;
allow factory barometer_device:chr_file r_file_perms;
allow factory gsensor_device:chr_file r_file_perms;
allow factory gyroscope_device:chr_file r_file_perms;
allow factory msensor_device:chr_file r_file_perms;
allow factory biometric_device:chr_file r_file_perms;

#Purpose: For camera Test
allow factory kd_camera_flashlight_device:chr_file rw_file_perms;
allow factory kd_camera_hw_device:chr_file rw_file_perms;
allow factory seninf_device:chr_file rw_file_perms;
allow factory CAM_CAL_DRV_device:chr_file rw_file_perms;

#Purpose: For reboot the target
# Setting a powerctl_prop property is how a domain asks init to reboot or shut
# down the device.
allow factory powerctl_prop:property_service set;

#Purpose: For memory card test
# NOTE(review): rw_file_perms on block-device nodes bypasses the per-file
# labels of any filesystem stored on them. bootdevice_block_device presumably
# is the internal eMMC/UFS - confirm the test cannot be limited to the
# removable card. The allowxperm lines whitelist only the BLKGETSIZE ioctl.
allow factory misc_sd_device:chr_file r_file_perms;
allow factory mmcblk1_block_device:blk_file rw_file_perms;
allow factory bootdevice_block_device:blk_file rw_file_perms;
allow factory mmcblk1p1_block_device:blk_file rw_file_perms;
allow factory block_device:dir w_dir_perms;
allowxperm factory mmcblk1_block_device:blk_file ioctl BLKGETSIZE;
allowxperm factory bootdevice_block_device:blk_file ioctl BLKGETSIZE;

#Purpose: For EMMC test
allow factory nvdata_file:dir create_dir_perms;
allow factory nvdata_file:file create_file_perms;

#Purpose: For HRM test
allow factory hrm_device:chr_file r_file_perms;

#Purpose: For IrTx LED test
allow factory irtx_device:chr_file rw_file_perms;

#Purpose: For battery test, ext_buck test and ext_vbat_boost test
allow factory pmic_ftm_device:chr_file rw_file_perms;
allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms;
allow factory MT_pmic_cali_device:chr_file r_file_perms;
allow factory charger_ftm_device:chr_file r_file_perms;

#Purpose: For HDMI test
allow factory graphics_device:dir w_dir_perms;
allow factory graphics_device:chr_file rw_file_perms;

#Purpose: For WIFI test
allow factory wmtWifi_device:chr_file rw_file_perms;

#Purpose: For rtc test
allow factory rtc_device:chr_file rw_file_perms;

#Purpose: For nfc test
# NOTE(review): rwx_file_perms adds execute on a character device, which
# almost no other device-node rule in this file grants; confirm it is required
# and not a typo for rw_file_perms.
allow factory mt6605_device:chr_file rwx_file_perms;

#Purpose: For gps test
allow factory mnld_device:chr_file rw_file_perms;
allow factory mnld_exec:file rx_file_perms;

#Purpose: For keypad test
allow factory mtk_kpd_device:chr_file r_file_perms;

#Purpose: For Humidity test
allow factory humidity_device:chr_file r_file_perms;

#Purpose: For camera test
allow factory camera_isp_device:chr_file rw_file_perms;
allow factory camera_dip_device:chr_file rw_file_perms;
allow factory camera_pipemgr_device:chr_file r_file_perms;
allow factory camera_sysram_device:chr_file r_file_perms;
allow factory ccu_device:chr_file rw_file_perms;
allow factory vpu_device:chr_file rw_file_perms;
allow factory MAINAF_device:chr_file rw_file_perms;
allow factory MAIN2AF_device:chr_file rw_file_perms;
allow factory SUBAF_device:chr_file rw_file_perms;
allow factory FM50AF_device:chr_file rw_file_perms;
allow factory AD5820AF_device:chr_file rw_file_perms;
allow factory DW9714AF_device:chr_file rw_file_perms;
allow factory DW9714A_device:chr_file rw_file_perms;
allow factory LC898122AF_device:chr_file rw_file_perms;
allow factory LC898212AF_device:chr_file rw_file_perms;
allow factory BU6429AF_device:chr_file rw_file_perms;
allow factory DW9718AF_device:chr_file rw_file_perms;
allow factory BU64745GWZAF_device:chr_file rw_file_perms;
allow factory cct_data_file:dir create_dir_perms;
allow factory cct_data_file:file create_file_perms;
allow factory camera_tsf_device:chr_file rw_file_perms;
allow factory camera_rsc_device:chr_file rw_file_perms;
allow factory camera_gepf_device:chr_file rw_file_perms;
allow factory camera_fdvt_device:chr_file rw_file_perms;
allow factory camera_wpe_device:chr_file rw_file_perms;
allow factory camera_owe_device:chr_file rw_file_perms;
allow factory camera_mfb_device:chr_file rw_file_perms;
allow factory mtk_hal_power_hwservice:hwservice_manager find;
allow factory mtk_hal_power:binder call;
get_prop(factory,mediatek_prop);
#Purpose: For FM test and headset test
allow factory accdet_device:chr_file r_file_perms;
allow factory fm_device:chr_file rw_file_perms;

#Purpose: For audio test
allow factory audio_device:chr_file rw_file_perms;
allow factory audio_device:dir w_dir_perms;
allow factory audiohal_prop:property_service set;
allow factory audio_ipi_device:chr_file { read write ioctl open };
allow factory audio_scp_device:chr_file r_file_perms;

#Purpose: For key and touch event
allow factory input_device:chr_file r_file_perms;
allow factory input_device:dir rw_dir_perms;

# Date: WK16.17
# Purpose: N Migration For ccci sysfs node
# Allow read to sys/kernel/ccci/* files
allow factory sysfs_ccci:dir search;
allow factory sysfs_ccci:file r_file_perms;

# Date: WK16.18
# Purpose: N Migration For boot_mode
# Allow to read boot mode
# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
# tclass=file permissive=0
# The denial quoted above was against the generic sysfs type; the rules grant
# read/open on the dedicated sysfs_boot_mode and sysfs_boot_type types only.
allow factory sysfs_boot_mode:file { read open };
allow factory sysfs_boot_type:file { read open };

#TODO:: MTK need to remove later
not_full_treble(`
  allow factory mnld:unix_dgram_socket sendto;
')

# Date: WK16.31
#Purpose: For gps test
allow factory mnld_prop:property_service set;

# Date: WK16.33
#Purpose: for unmount sdcardfs and stop services which are using data partition
# NOTE(review): ctl_default_prop presumably labels every ctl.* property that
# has no more specific type, so this one rule would let factory start or stop
# most init services. Later rules in this file use dedicated ctl_*_prop types;
# confirm whether the broad grant is still needed.
allow factory sdcard_type:filesystem unmount;
allow factory ctl_default_prop:property_service set;

# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
allow factory flashlight_device:chr_file rw_file_perms;


# Date: WK15.25
#Purpose: for unmount sdcardfs and stop services which are using data partition
# NOTE(review): the purpose text repeats the WK16.33 entry; the rule itself
# only allows setting ctl_emdlogger1_prop.
allow factory ctl_emdlogger1_prop:property_service set;
# Date: WK17.07
# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs
# NOTE(review): several rules in this group overlap: sysfs_leds:dir gets
# search and then r_dir_perms, and sysfs_vibrator:file is granted again with
# rw_file_perms further down. The read/open on generic sysfs:dir is the only
# rule here against the unlabelled sysfs type.
allow factory tmpfs:filesystem unmount;
allow factory sysfs:dir { read open };
allow factory sysfs_leds:dir search;
allow factory sysfs_leds:lnk_file read;
allow factory sysfs_leds:file rw_file_perms;
allow factory sysfs_leds:dir r_dir_perms;
allow factory sysfs_power:file rw_file_perms;
allow factory sysfs_power:dir r_dir_perms;
allow factory self:capability2 {block_suspend};
allow factory sysfs_vibrator:file {open read write};
allow factory ion_device:chr_file { read open ioctl };
allow factory debugfs_ion:dir search;
# Date: WK17.27
# Purpose: STMicro NFC solution integration
# NOTE(review): set_prop on hwservicemanager_prop lets factory write that
# property type, not just read it; confirm why a HAL client needs set access.
allow factory st21nfc_device:chr_file { open read getattr write ioctl };
set_prop(factory,hwservicemanager_prop);
hwbinder_use(factory);
hal_client_domain(factory, hal_nfc);

# Date : WK17.32
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow factory mtk_cmdq_device:chr_file { read ioctl open };
allow factory mtk_mdp_device:chr_file rw_file_perms;
allow factory sw_sync_device:chr_file rw_file_perms;

# Date: WK1733
# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
set_prop(factory,ctl_ccci_fsd_prop);

# Date : WK17.38
# Operation : O Migration
# Purpose: Allow to access sysfs
allow factory sysfs_therm:dir search;
allow factory sysfs_therm:file {open read write};

#Date: W18.22
# Purpose: P Migration for factory get com port type and uart port info
# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
#avc: denied { read } for pid=203 comm="factory" name="meta_com_type_info" dev=
#"sysfs" ino=11073 scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
# NOTE(review): the logged denial is for read only, while both rules grant
# rw_file_perms; confirm that write access is required.
allow factory sysfs_comport_type:file rw_file_perms;
allow factory sysfs_uart_info:file rw_file_perms;


# from private
# This group holds the broadest grants in the file:
#  - module_request on kernel plus capability sys_module (kernel module loading)
#  - capability sys_admin, net_admin, net_raw, sys_time and sys_boot
#  - read/write on the userdata block-device node
#  - TCP bind and connect on the generic port and node types
#  - execmem (anonymous executable memory)
# NOTE(review): a compromise of the factory binary would inherit all of these.
# Each one should be traced to a named test and, where possible, limited to
# builds or boot modes in which factory testing actually runs.
allow factory property_socket:sock_file write;
allow factory init:unix_stream_socket connectto;
allow factory kernel:system module_request;
allow factory node:tcp_socket node_bind;
allow factory userdata_block_device:blk_file rw_file_perms;
allow factory port:tcp_socket { name_bind name_connect };
allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin };
allow factory sdcard_type:dir r_dir_perms;
allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
allow factory proc_net:file { read getattr open };
allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};

allow factory self:process execmem;
allow factory self:tcp_socket create_stream_socket_perms;
allow factory self:udp_socket create_socket_perms;

allow factory sysfs_wake_lock:file rw_file_perms;
# Disabled rule kept from the original file; it is not part of the policy.
#allow factory system_file:file x_file_perms;

# For Light HIDL permission
hal_client_domain(factory, hal_light);
allow factory hal_light_hwservice:hwservice_manager find;
allow factory mtk_hal_light:binder call;
allow factory merged_hal_service:binder call;
# For vibrator test permission
allow factory sysfs_vibrator:file rw_file_perms;
allow factory sysfs_vibrator:dir search;

# For Audio device permission
allow factory proc_asound:dir { read search open };
allow factory proc_asound:file { read open getattr write };
# Same rule as in the audio test group earlier in this file.
allow factory audiohal_prop:property_service set;

# For Accdet data permission
allow factory sysfs_headset:file { read open };

# For touch auto test
allow factory sysfs_tpd_setting:dir search;
allow factory sysfs_tpd_setting:file { read getattr open };

# Date : WK18.23
# Operation: P migration
# Purpose : Allow factory to unmount partition, stop service, and then erase partition
# execute_no_trans means the vendor shell and toolbox run inside the factory
# domain itself, with every permission granted in this file.
# NOTE(review): the labeledfs unmount rule and both capability rules below
# repeat grants already made earlier in this file (file system requirement
# group and the self:capability rule in the private group).
allow factory vendor_shell_exec:file { read execute open execute_no_trans };
allow factory vendor_toolbox_exec:file { execute_no_trans };
allow factory labeledfs:filesystem { unmount };
allow factory proc_cmdline:file { read open getattr };
allow factory factory:capability { sys_boot sys_admin};
allow factory sysfs_dt_firmware_android:file { read open getattr };
allow factory sysfs_dt_firmware_android:dir { read open search };
# Purpose : Allow factory to communicate with driver thru socket
allow factory factory:capability { sys_module net_admin net_raw };

# For power_supply and switch permission
r_dir_file(factory, sysfs_batteryinfo)
r_dir_file(factory, sysfs_switch)

# Date : WK18.31
# Operation: P migration
# Purpose : Refine policy
allow factory sysfs_devices_block:dir { search };
allow factory sysfs_devices_block:file { read getattr open };

# Date : WK18.37
# Operation: P migration
# Purpose : ADSP SmartPA calibration
# NOTE(review): execute_no_trans on the generic vendor_file type covers any
# file carrying that label, not one calibration tool, and the program runs in
# the factory domain. Confirm whether a dedicated exec type with its own
# domain could be used instead.
allow factory vendor_file:file execute_no_trans;
allow factory mtk_audiohal_data_file:dir create_dir_perms;
allow factory mtk_audiohal_data_file:file { write create unlink r_file_perms };

#Date : WK18.37
# Operation: P migration
# Purpose : Allow factory to open /proc/version
allow factory proc_version:file {read open getattr};

# Purpose : adsp
allow factory adsp_device:chr_file rw_file_perms;

# Purpose : NFC
allow factory vendor_nfc_socket:dir { write add_name remove_name search };
allow factory vendor_nfc_socket:sock_file { create write unlink setattr };

# Allow to get AOSP property persist.radio.multisim.config
get_prop(factory, exported3_radio_prop)

# Date : WK19.38
# Operation : Q Migration
# Purpose: Allow clear eMMC
set_prop(factory, ctl_mdlogger_prop);

# Date : WK19.41
# Operation : Q Migration
# Purpose: allow system_server to access rt5509 param and calib node
# NOTE(review): the purpose line names system_server, but the four rules below
# grant the access to factory.
allow factory sysfs_rt_param:file rw_file_perms;
allow factory sysfs_rt_calib:file rw_file_perms;
allow factory sysfs_rt_param:dir r_dir_perms;
allow factory sysfs_rt_calib:dir r_dir_perms;