# ==============================================
# SELinux policy for the vtservice domain (/system/bin/vtservice)
# ==============================================
# Common SEPolicy Rule
# ==============================================
# Date : WK15.33
# Purpose : Add vtservice to support video telephony functionality.
# Both 3G VT and ViLTE use this service, which also communicates with IMCB/Rild.
#
# Traverse sdcard_type directories and read/write files that already exist
# there. Directory write/add_name/create and file create/getattr on the same
# type are granted separately in the 2017/08/14 section of this file.
# NOTE(review): sdcard_type is presumably shared external storage; confirm
# that vtservice needs write access there outside of debug dumps.
allow vtservice sdcard_type:dir search;
allow vtservice sdcard_type:file { read write open };
# Look up the radio, media server, power and battery-stats services through
# servicemanager. "find" only covers the lookup; the binder calls themselves
# are granted per target domain elsewhere in this file.
allow vtservice radio_service:service_manager find;
allow vtservice mediaserver_service:service_manager find;
allow vtservice power_service:service_manager find;
allow vtservice batterystats_service:service_manager find;
# Date : 2015/08/13
# Purpose : access the ccci character device
# NOTE(review): ioctl is granted here without an allowxperm rule in the rules
# visible in this file, so it is not limited to specific ioctl commands at this
# point. Confirm whether an ioctl allowlist for ccci_device exists elsewhere.
allow vtservice ccci_device:chr_file { read write open ioctl };
# Purpose : VDEC/VENC (video decoder/encoder) device node
# NOTE(review): same as above - no allowxperm for Vcodec_device is visible here.
allow vtservice Vcodec_device:chr_file { read write ioctl open };
# Date: 2016/06/27
# This part is for both 3G VT/ViLTE
# Purpose: added in the N migration for access to audioflinger etc.
# Service lookup for audioserver, directory traversal on mnt_user_file, and
# binder calls into surfaceflinger.
allow vtservice audioserver_service:service_manager find;
allow vtservice mnt_user_file:dir search;
allow vtservice surfaceflinger:binder call;
# Date: 2016/06/30
# This part is for both 3G VT/ViLTE
# Purpose: added in the N migration for access to the SD card etc.
# Binder calls into audioserver, plus reading the mnt_user_file symlinks
# (presumably the links that resolve the SD card mount path - confirm).
allow vtservice audioserver:binder call;
allow vtservice mnt_user_file:lnk_file read;
# Date: 2016/07/01
# This part is for both 3G VT/ViLTE
# Purpose: added in the N migration for writing to the SD card etc.
# create_dir_perms is a permission macro defined outside this file. The file
# rule allows creating and writing media_rw_data_file files but does not
# include read.
allow vtservice media_rw_data_file:dir create_dir_perms;
allow vtservice media_rw_data_file:file { write create open };
# Date: 2016/07/26
# Purpose: add for cleanup thread's AF_UNIX socket
# NOTE(review): the purpose line above does not match the two rules that
# follow it. They grant read access and ioctl on proc_ged files; neither
# touches a socket class. Confirm the intended purpose and update this header.
#
# r_file_perms and proc_ged_ioctls are defined outside this file (in AOSP,
# r_file_perms includes ioctl). The allowxperm rule limits ioctl on proc_ged
# files to the commands listed in proc_ged_ioctls.
allow vtservice proc_ged:file r_file_perms;
allowxperm vtservice proc_ged:file ioctl { proc_ged_ioctls };
# for debug dump data
# Read the storage_file symlink and open/read/ioctl the devmap character device.
# NOTE(review): these rules are described as debug-only but are granted
# unconditionally here. Confirm they are needed on production builds. The
# devmap_device ioctl is also not narrowed by any allowxperm visible in this file.
allow vtservice storage_file:lnk_file read;
allow vtservice devmap_device:chr_file read;
allow vtservice devmap_device:chr_file open;
allow vtservice devmap_device:chr_file ioctl;
# for using surfaceflinger: look up its service through servicemanager
allow vtservice surfaceflinger_service:service_manager find;
# for using camera: look up the camera service, call into cameraserver over
# binder, and use file descriptors received from it
allow vtservice cameraserver_service:service_manager find;
allow vtservice cameraserver:binder call;
allow vtservice cameraserver:fd use;
# Change VTS uid to media
# Rules added when the vtservice uid was changed to media: binder calls into
# mediacodec and priv_app, and read access to the qtaguid device.
# NOTE(review): "priv_app:binder call" lets vtservice start binder transactions
# with any process in the priv_app domain. Confirm which privileged app is the
# intended peer.
allow vtservice mediacodec:binder call;
allow vtservice qtaguid_device:chr_file r_file_perms;
allow vtservice priv_app:binder call;
# For loopback mode
# NOTE(review): CAP_NET_ADMIN covers interface, routing and firewall
# configuration, which is far broader than a loopback test path is likely to
# need. It is granted unconditionally here (no userdebug_or_eng guard is
# visible). If loopback mode is a test feature, confirm whether this can be
# limited to debug builds.
allow vtservice self:capability net_admin;
# For vendor GPU
# Directory traversal on gpu_device and read/write/ioctl access to the DRI and
# GPU character devices. rw_file_perms is a permission macro defined outside
# this file.
allow vtservice gpu_device:dir search;
allow vtservice dri_device:chr_file { open read write ioctl getattr};
allow vtservice gpu_device:chr_file rw_file_perms;
# Date : WK17.23
# Stage: O Migration, SQC
# Purpose: Allow use of the PQ HAL
# hal_client_domain is a macro defined outside this file; it registers
# vtservice as a client of the named HAL.
hal_client_domain(vtservice, hal_mtk_pq)
# Date : WK17.23
# Stage: O Migration, SQC
# Purpose: Allow use of shared memory for the PQ HAL (allocator HAL client)
hal_client_domain(vtservice, hal_allocator)
# 2017/07/
# HIDL porting
# Binder calls to hwservicemanager, and listing (read + open) directories
# labelled system_file.
allow vtservice hwservicemanager:binder call;
allow vtservice system_file:dir read;
allow vtservice system_file:dir open;
# give permission for hal client: look up the video telephony HAL through
# hwservicemanager
allow vtservice mtk_hal_videotelephony_hwservice:hwservice_manager find;
# Date : 2017/08/14
# Operation : VT development
# Purpose : Add vtservice to support video telephony functionality.
# Both 3G VT and ViLTE use this service, which also communicates with IMCB/Rild.
#
# Write access to the socket files of the VT service, the VT TCV socket and
# the rild OEM socket.
allow vtservice soc_vt_svc_socket:sock_file write;
allow vtservice soc_vt_tcv_socket:sock_file write;
allow vtservice rild_oem_socket:sock_file write;
# Binder calls into platform apps and system_server.
# NOTE(review): platform_app is a whole app domain, not a single service.
# Confirm which platform app is the intended binder peer.
allow vtservice platform_app:binder call;
allow vtservice system_server:binder call;
# Create directories and files on sdcard_type storage. These extend the
# search/read/write/open rules at the top of this file.
allow vtservice sdcard_type:dir write;
allow vtservice sdcard_type:dir add_name;
allow vtservice sdcard_type:dir create;
allow vtservice sdcard_type:file create;
allow vtservice sdcard_type:file getattr;
# Use file descriptors passed from surfaceflinger, read tmpfs symlinks, and
# make binder calls into the radio domain.
allow vtservice surfaceflinger:fd use;
allow vtservice tmpfs:lnk_file read;
allow vtservice radio:binder call;
# for codec access to /dev/ion
# Only open/read are granted here; ioctl on ion_device is added by a separate
# rule later in this block.
allow vtservice ion_device:chr_file { open read };
# for MA socket rebind
# NOTE(review): the "socket rebind" comment above presumably refers to the
# udp_socket / node_bind rules a few lines down, not to the hal_omx client
# macro that directly follows it - confirm and move the comment if so.
hal_client_domain(vtservice, hal_omx)
allow vtservice mediametrics_service:service_manager find;
allow vtservice mediametrics:binder call;
# UDP sockets owned by vtservice. create_socket_perms_no_ioctl is a macro
# defined outside this file; as its name indicates, ioctl is not included.
allow vtservice self:udp_socket create_socket_perms_no_ioctl;
allow vtservice node:udp_socket node_bind;
# Write to the fwmarkd socket file. The netd connectto rule further down is
# presumably the other half of the same connection - confirm.
allow vtservice fwmarkd_socket:sock_file write;
# Graphics allocator: binder calls and fd passing with the default allocator
# HAL process, HAL client registration, and lookup of the graphics mapper.
# NOTE(review): the hal_graphics_allocator line is the only macro call in this
# file written with a trailing ';'.
allow vtservice hal_graphics_allocator_default:binder call;
allow vtservice hal_graphics_allocator_default:fd use;
hal_client_domain(vtservice, hal_graphics_allocator);
allow vtservice hal_graphics_mapper_hwservice:hwservice_manager find;
allow vtservice netd:unix_stream_socket connectto;
# NOTE(review): ioctl on ion_device, and on MTK_SMI_device below, is not
# narrowed by any allowxperm rule visible in this file.
allow vtservice ion_device:chr_file ioctl;
allow vtservice MTK_SMI_device:chr_file { read write ioctl open };
# Read access (r_file_perms, defined outside this file) to the MediaTek
# cmdq, mdp and mdp_sync device nodes.
allow vtservice mtk_cmdq_device:chr_file r_file_perms;
allow vtservice mtk_mdp_device:chr_file r_file_perms;
allow vtservice mtk_mdp_sync_device:chr_file r_file_perms;
# Binder calls and fd passing with the merged_hal_service domain.
allow vtservice merged_hal_service:fd use;
allow vtservice merged_hal_service:binder call;
# Date : WK17.43
# Operation : Migration
# Purpose : DISP (display) access
# Open/read/ioctl on the graphics character device and traversal of its
# directory. Write is not granted.
# NOTE(review): the ioctl here is not narrowed by any allowxperm rule visible
# in this file.
allow vtservice graphics_device:chr_file { ioctl open read };
allow vtservice graphics_device:dir search;
# Date : WK18.10
# Operation : SQC
# Purpose : Allow perfmgr FPSGO access
# List and traverse the proc_perfmgr directory and read its files.
# r_file_perms is defined outside this file.
allow vtservice proc_perfmgr:dir {read search};
allow vtservice proc_perfmgr:file r_file_perms;
# Limit ioctl on proc_perfmgr files to the four FPSGO commands listed below.
# The command names are defined outside this file.
allowxperm vtservice proc_perfmgr:file ioctl {
PERFMGR_FPSGO_QUEUE
PERFMGR_FPSGO_DEQUEUE
PERFMGR_FPSGO_QUEUE_CONNECT
PERFMGR_FPSGO_BQID
};
# Date: 2018/07/19
# Operation: P Migration
# Read-only access to the vendor VT properties (get_prop is a macro defined
# outside this file).
get_prop(vtservice, vendor_mtk_vendor_vt_prop)
# Date: 2018/08/24
# Operation: add mdp
# Register vtservice as a client of the MTK MMS HAL.
hal_client_domain(vtservice, hal_mtk_mms)
# dir/file access on the cameraserver type itself, presumably the /proc/<pid>
# entries of the cameraserver process.
# NOTE(review): confirm which proc entry is read and why. Reading another
# domain's proc files is broader than the binder and fd rules granted for
# cameraserver earlier in this file.
allow vtservice cameraserver:dir search;
allow vtservice cameraserver:file { getattr open read };
allow vtservice proc_uptime:file read;
# Date: 2018/11/07
# Operation: gen97
# Bind UDP sockets to ports labelled with the generic "port" type.
# NOTE(review): "port" is presumably the default label for ports that have no
# dedicated type, so this allows binding to a wide range of UDP ports.
# Confirm which ports vtservice actually needs.
allow vtservice port:udp_socket name_bind;
# NOTE(review): CAP_NET_RAW is what raw and packet sockets require, yet the
# only socket class granted to vtservice in this file is udp_socket. Confirm
# which operation needs net_raw, and drop it if none does.
allow vtservice self:capability net_raw;
# Date: 2019/08/29
# Operation: support the Codec2 (c2) software codec
# Register vtservice as a client of the Codec2 HAL.
hal_client_domain(vtservice, hal_codec2)
# Date: 2021/05/29
# Operation: VT c2 for dmabuf heap
# Read access (r_file_perms, defined outside this file) to the system
# dma-buf heap device, used for Codec2 buffers per the operation note above.
allow vtservice dmabuf_system_heap_device:chr_file r_file_perms;