bsp/non_plat/system_server.te - LeafOS-Devices/android_device_mediatek_sepolicy - Gitiles

 # ==============================================
 # Common SEPolicy Rule
 # ==============================================

 # Date: WK14.43
 # Operation : Migration
 # Purpose : for bring up
 allow system_server sf_rtt_file:dir { relabelto r_dir_perms };

 # Date: WK14.47
 # Operation : MTBF
 # Purpose : for debug
 allow system_server sf_rtt_file:file r_file_perms;

 # Date: WK14.47
 # Operation : Sanity
 # Purpose : for /proc/secmem (TEE enable)
 allow system_server proc_secmem:file rw_file_perms;

 # Date: WK16.30
 # Operation : Migration
 # Purpose : for system_server operate /dev/RT_Monitor when enable hang detect
 allow system_server RT_Monitor_device:chr_file r_file_perms;

 # Date : WK15.24
 # Operation: TEEI integration
 # Purpose: access for fp device
 allow system_server teei_fp_device:chr_file rw_file_perms;
 allow system_server teei_client_device:chr_file r_file_perms;

 # Date : 2016/07/11
 # Operation : Migration
 # Purpose : Add permission for gpu access
 allow system_server dri_device:chr_file rw_file_perms;

 # Date : W17.24
 # Purpose: Allow to use HAL PQ
 hal_client_domain(system_server, hal_mtk_pq)

 # Date : W17.31
 # Purpose: Allow to use Ape swip decoder
 hal_client_domain(system_server, hal_mtk_codecservice)

 # Date:W17.33
 # Operation : camera hal developing
 # Purpose : camera hal binder_call permission
 binder_call(system_server, mtk_hal_camera)

 # Date:W17.36
 # Operation : Migration
 # Purpose : Allow to send signal
 allow system_server netd:process signal;

 # Date:W17.07
 # Operation : dfps hal
 # Purpose : dfps hal interface permission
 hal_client_domain(system_server, hal_dfps)

 allow system_server audioserver:file w_file_perms;

 # Date : 2018/03/06
 # Purpose : Add mtk_hal_netdagent_hwservice for EM firewall usage
 allow system_server mtk_hal_netdagent_hwservice:hwservice_manager find;
 allow system_server netdagent:binder call;

 # Date : W18.20
 # Operation : Migration
 # Purpose : for mobicore (Trustonic TEE)
 allow system_server mobicore_vendor_file:dir r_file_perms;

 # Date : 6/20/2018
 # Operation : MTK fm hal migration
 # Purpose : MTK fm hal interface permission
 hal_client_domain(system_server, hal_mtk_fm)

 # Date : W19.12
 # Operation : For DuraSpeed Migration
 allow system_server proc_cpu_loading:file rw_file_perms;
 allow system_server proc_low_memory_hit:file rw_file_perms;
 allow system_server duraspeed_data_file:dir create_dir_perms;
 allow system_server duraspeed_data_file:file create_file_perms;

 # Date : WK18.36
 # Operation : omadm hidl
 # Purpose : hidl interface permission
 hal_client_domain(system_server, hal_mtk_omadm)

 # Date : WK19.29
 # Operation : nwk_opt hal
 # Purpose : nwk_opt hal permission
 hal_client_domain(system_server, hal_nwk_opt)

 # Date:2020/08/07
 # Operation:R Migration
 userdebug_or_eng(` allow system_server md_monitor:process signal; ')

 # Date:2020/08/26
 # Operation:kill hal_drm_widevine permission when ANR happened
 allow system_server hal_drm_widevine:process signal;

 # Date:2020/09/03
 # Operation:R Migration
 allow system_server proc_ion:dir search;

 # Date:2020/09/07
 # Operation:R Migration
 allow system_server proc_m4u_dbg:dir search;

 # Date:2020/09/08
 # Operation:R Migration
 allow system_server proc_displowpower:dir search;
 allow system_server proc_freqhopping:file getattr;

 # Date:2020/09/11
 # Operation:R Migration
 allow system_server proc_freqhopping:dir search;

 # Date:2020/09/18
 # Operation:R Migration
 allow system_server procfs_gpu_img:dir { search getattr };

 # Date:2020/09/30
 # Operation:R Migration
 allow system_server procfs_gpu_img:file getattr;

 # Read/Write /proc/pressure/cpu
 allow system_server proc_pressure_cpu:file rw_file_perms;

 # Search /proc/usb/plat
 allow system_server proc_usb_plat:dir search;

 # Search /proc/gpufreqv2
 allow system_server proc_gpufreqv2:dir search;

 # Search /proc/mtkfb
 allow system_server proc_mtkfb:dir search;

 # Search /proc/stat
 allow system_server proc_stat:dir search;

 # Date: 2021/08/10
 # Operation: S Migration
 # Purpose: InputReader read files under power_supply to detect battery device
 allow system_server sysfs_power_supply:dir {r_dir_perms};
 allow system_server sysfs_power_supply:file r_file_perms;
	# ==============================================
	# Common SEPolicy Rule
	# ==============================================

	# Date: WK14.43
	# Operation : Migration
	# Purpose : for bring up
	allow system_server sf_rtt_file:dir { relabelto r_dir_perms };

	# Date: WK14.47
	# Operation : MTBF
	# Purpose : for debug
	allow system_server sf_rtt_file:file r_file_perms;

	# Date: WK14.47
	# Operation : Sanity
	# Purpose : for /proc/secmem (TEE enable)
	allow system_server proc_secmem:file rw_file_perms;

	# Date: WK16.30
	# Operation : Migration
	# Purpose : for system_server operate /dev/RT_Monitor when enable hang detect
	allow system_server RT_Monitor_device:chr_file r_file_perms;

	# Date : WK15.24
	# Operation: TEEI integration
	# Purpose: access for fp device
	allow system_server teei_fp_device:chr_file rw_file_perms;
	allow system_server teei_client_device:chr_file r_file_perms;

	# Date : 2016/07/11
	# Operation : Migration
	# Purpose : Add permission for gpu access
	allow system_server dri_device:chr_file rw_file_perms;

	# Date : W17.24
	# Purpose: Allow to use HAL PQ
	hal_client_domain(system_server, hal_mtk_pq)

	# Date : W17.31
	# Purpose: Allow to use Ape swip decoder
	hal_client_domain(system_server, hal_mtk_codecservice)

	# Date:W17.33
	# Operation : camera hal developing
	# Purpose : camera hal binder_call permission
	binder_call(system_server, mtk_hal_camera)

	# Date:W17.36
	# Operation : Migration
	# Purpose : Allow to send signal
	allow system_server netd:process signal;

	# Date:W17.07
	# Operation : dfps hal
	# Purpose : dfps hal interface permission
	hal_client_domain(system_server, hal_dfps)

	allow system_server audioserver:file w_file_perms;

	# Date : 2018/03/06
	# Purpose : Add mtk_hal_netdagent_hwservice for EM firewall usage
	allow system_server mtk_hal_netdagent_hwservice:hwservice_manager find;
	allow system_server netdagent:binder call;

	# Date : W18.20
	# Operation : Migration
	# Purpose : for mobicore (Trustonic TEE)
	allow system_server mobicore_vendor_file:dir r_file_perms;

	# Date : 6/20/2018
	# Operation : MTK fm hal migration
	# Purpose : MTK fm hal interface permission
	hal_client_domain(system_server, hal_mtk_fm)

	# Date : W19.12
	# Operation : For DuraSpeed Migration
	allow system_server proc_cpu_loading:file rw_file_perms;
	allow system_server proc_low_memory_hit:file rw_file_perms;
	allow system_server duraspeed_data_file:dir create_dir_perms;
	allow system_server duraspeed_data_file:file create_file_perms;

	# Date : WK18.36
	# Operation : omadm hidl
	# Purpose : hidl interface permission
	hal_client_domain(system_server, hal_mtk_omadm)

	# Date : WK19.29
	# Operation : nwk_opt hal
	# Purpose : nwk_opt hal permission
	hal_client_domain(system_server, hal_nwk_opt)

	# Date:2020/08/07
	# Operation:R Migration
	userdebug_or_eng(` allow system_server md_monitor:process signal; ')

	# Date:2020/08/26
	# Operation:kill hal_drm_widevine permission when ANR happened
	allow system_server hal_drm_widevine:process signal;

	# Date:2020/09/03
	# Operation:R Migration
	allow system_server proc_ion:dir search;

	# Date:2020/09/07
	# Operation:R Migration
	allow system_server proc_m4u_dbg:dir search;

	# Date:2020/09/08
	# Operation:R Migration
	allow system_server proc_displowpower:dir search;
	allow system_server proc_freqhopping:file getattr;

	# Date:2020/09/11
	# Operation:R Migration
	allow system_server proc_freqhopping:dir search;

	# Date:2020/09/18
	# Operation:R Migration
	allow system_server procfs_gpu_img:dir { search getattr };

	# Date:2020/09/30
	# Operation:R Migration
	allow system_server procfs_gpu_img:file getattr;

	# Read/Write /proc/pressure/cpu
	allow system_server proc_pressure_cpu:file rw_file_perms;

	# Search /proc/usb/plat
	allow system_server proc_usb_plat:dir search;

	# Search /proc/gpufreqv2
	allow system_server proc_gpufreqv2:dir search;

	# Search /proc/mtkfb
	allow system_server proc_mtkfb:dir search;

	# Search /proc/stat
	allow system_server proc_stat:dir search;

	# Date: 2021/08/10
	# Operation: S Migration
	# Purpose: InputReader read files under power_supply to detect battery device
	allow system_server sysfs_power_supply:dir {r_dir_perms};
	allow system_server sysfs_power_supply:file r_file_perms;