bsp/plat_private/aal.te - LeafOS-Devices/android_device_mediatek_sepolicy_vndr - Gitiles

 # ==============================================
 # Policy File of /system/bin/aal Executable File

 # ==============================================
 # Common SEPolicy Rule
 # ==============================================

 typeattribute aal coredomain;
 type aal_exec, system_file_type, exec_type, file_type;

 init_daemon_domain(aal)

 # Date : 2014/09/09 (or WK14.37)
 # Operation : Migration
 # Purpose : allow Binder IPC
 binder_use(aal)
 binder_call(aal, binderservicedomain)
 binder_service(aal)

 # Date : WK14.41
 # Operation : Migration
 # Purpose : All enforing mode
 allow aal graphics_device:chr_file r_file_perms;
 allow aal graphics_device:dir search;
 allow aal aal_service:service_manager add;

 # Date : WK15.37
 # Operation : Migration
 # Purpose : Allow permission check
 allow aal permission_service:service_manager { find };

 # Date : WK17.26
 # Operation : Migration
 # Purpose : Allow permission to get AmbientLux from SensorManager
 # denied  { find } for service=sensorservice pid=441 uid=1000 scontext=u:r:aal:s0
 # tcontext=u:object_r:sensorservice_service:s0 tclass=service_manager
 allow aal sensorservice_service:service_manager { find };

 # denied { read write } for path="socket:[25560]" dev="sockfs" ino=25560 scontext=u:r:aal:s0
 # tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0
 allow aal system_server:unix_stream_socket { read write };

 # Date : WK18.28
 # Operation : P0 Migration
 # Purpose : Allow permission to set property
 set_prop(aal, system_mtk_aal_prop)
	# ==============================================
	# Policy File of /system/bin/aal Executable File

	# ==============================================
	# Common SEPolicy Rule
	# ==============================================

	typeattribute aal coredomain;
	type aal_exec, system_file_type, exec_type, file_type;

	init_daemon_domain(aal)

	# Date : 2014/09/09 (or WK14.37)
	# Operation : Migration
	# Purpose : allow Binder IPC
	binder_use(aal)
	binder_call(aal, binderservicedomain)
	binder_service(aal)

	# Date : WK14.41
	# Operation : Migration
	# Purpose : All enforing mode
	allow aal graphics_device:chr_file r_file_perms;
	allow aal graphics_device:dir search;
	allow aal aal_service:service_manager add;

	# Date : WK15.37
	# Operation : Migration
	# Purpose : Allow permission check
	allow aal permission_service:service_manager { find };

	# Date : WK17.26
	# Operation : Migration
	# Purpose : Allow permission to get AmbientLux from SensorManager
	# denied { find } for service=sensorservice pid=441 uid=1000 scontext=u:r:aal:s0
	# tcontext=u:object_r:sensorservice_service:s0 tclass=service_manager
	allow aal sensorservice_service:service_manager { find };

	# denied { read write } for path="socket:[25560]" dev="sockfs" ino=25560 scontext=u:r:aal:s0
	# tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0
	allow aal system_server:unix_stream_socket { read write };

	# Date : WK18.28
	# Operation : P0 Migration
	# Purpose : Allow permission to set property
	set_prop(aal, system_mtk_aal_prop)