bsp/non_plat/mediaserver.te - LeafOS-Devices/android_device_mediatek_sepolicy_vndr - Gitiles

 # ==============================================
 # Common SEPolicy Rule
 # ==============================================

 # Date : WK14.52
 # Operation : WVL1 IT
 # Purpose : SVP module operates secmem driver
 allow mediaserver mobicore_data_file:file getattr;
 allow mediaserver mobicore_data_file:file getattr;

 allow mediaserver mobicore_data_file:file { getattr read};
 allow mediaserver mobicore_user_device:chr_file { read write open ioctl};

 # Date: WK14.45
 # Operation : Migration
 # Purpose : HDCP
 allow mediaserver persist_data_file:file { read write getattr };

 # Date : WK15.03
 # Operation : Migration
 # Purpose : offloadservice
 allow mediaserver offloadservice_device:chr_file { read write ioctl open };

 # Data : WK14.38
 # Operation : Migration
 # Purpose : WFD
 allow mediaserver surfaceflinger:dir search;
 allow mediaserver surfaceflinger:file { read open };

 # Date : WK14.49
 # Operation : WFD
 # Purpose : WFD notifies its status to thermal module
 allow mediaserver proc_thermal:file { write getattr open };
 allow mediaserver proc_mtkcooler:file { read write open };
 allow mediaserver proc_mtktz:file { read write open };
 allow mediaserver proc_thermal:file { read write open };

 # Date : WK15.44
 # Operation : Migration
 # Purpose : ancservice
 allow mediaserver ancservice_device:chr_file { read write ioctl open };

 # Date : WK16.29
 # Operation : Migration
 # Purpose : Add permission for gpu access
 allow mediaserver dri_device:chr_file { read write open ioctl };

 # Date : WK17.23
 # Stage: O Migration, SQC
 # Purpose: Allow to use HAL PQ
 hal_client_domain(mediaserver, hal_mtk_pq)

 # Date : WK17.23
 # Stage: O Migration, SQC
 # Purpose: Allow to use shared memory for HAL PQ
 hal_client_domain(mediaserver, hal_allocator)

 # Date : WK17.31
 # Stage: O Migration, SQC
 # Purpose: Allow to use ape decoder
 hal_client_domain(mediaserver, hal_mtk_codecservice)

 # Date : WK17.31
 # Operation : ViLTE
 # Purpose : for ViLTE - set VTservice has permission to access me
 allow mediaserver vtservice:binder { transfer call };
 allow mediaserver vtservice:fd use;

 # Date : WK17.43
 # Operation : OMA DRM
 # Purpose : Allow mediaserver to read processname to pass OMA DRM permisson check
 allow mediaserver platform_app:dir search;
 allow mediaserver platform_app:file { read open };

 # Date : WK17.47
 # Operation : SQC
 # Purpose : Allow mediaserver to read processname of DeskClock to pass OMA DRM permisson check
 allow mediaserver mediaprovider:dir search;
 allow mediaserver platform_app:file getattr;
 allow mediaserver system_app:dir search;
 allow mediaserver system_app:file read;
 allow mediaserver system_app:file open;

 # Date : WK17.49
 # Operation : VOW
 # Purpose: Allow read and getattr path="/data/data/com.mediatek.voicecommand/training
 # /anyone/passwordfile/0.dat"
 allow mediaserver system_app_data_file:file { read getattr };

 # Date : WK19.16
 # Operation : WFD
 # Purpose: Allow ioctl
 allowxperm mediaserver proc_perfmgr:file ioctl {
   PERFMGR_FPSGO_QUEUE
   PERFMGR_FPSGO_DEQUEUE
 };

 # Date : WK19.43
 # Operation : HDCP
 # Purpose : Allow to connect HDCP HIDL server
 hal_client_domain(mediaserver, hal_tesiai_hdcp)

 # Date : WK21.37
 # Operation : HDCP
 # Purpose : Allow HDCP to access wv dev to get handle
 allow mediaserver widevine_drv_device:chr_file rw_file_perms_no_map;
	# ==============================================
	# Common SEPolicy Rule
	# ==============================================

	# Date : WK14.52
	# Operation : WVL1 IT
	# Purpose : SVP module operates secmem driver
	allow mediaserver mobicore_data_file:file getattr;
	allow mediaserver mobicore_data_file:file getattr;

	allow mediaserver mobicore_data_file:file { getattr read};
	allow mediaserver mobicore_user_device:chr_file { read write open ioctl};

	# Date: WK14.45
	# Operation : Migration
	# Purpose : HDCP
	allow mediaserver persist_data_file:file { read write getattr };

	# Date : WK15.03
	# Operation : Migration
	# Purpose : offloadservice
	allow mediaserver offloadservice_device:chr_file { read write ioctl open };

	# Data : WK14.38
	# Operation : Migration
	# Purpose : WFD
	allow mediaserver surfaceflinger:dir search;
	allow mediaserver surfaceflinger:file { read open };

	# Date : WK14.49
	# Operation : WFD
	# Purpose : WFD notifies its status to thermal module
	allow mediaserver proc_thermal:file { write getattr open };
	allow mediaserver proc_mtkcooler:file { read write open };
	allow mediaserver proc_mtktz:file { read write open };
	allow mediaserver proc_thermal:file { read write open };

	# Date : WK15.44
	# Operation : Migration
	# Purpose : ancservice
	allow mediaserver ancservice_device:chr_file { read write ioctl open };

	# Date : WK16.29
	# Operation : Migration
	# Purpose : Add permission for gpu access
	allow mediaserver dri_device:chr_file { read write open ioctl };

	# Date : WK17.23
	# Stage: O Migration, SQC
	# Purpose: Allow to use HAL PQ
	hal_client_domain(mediaserver, hal_mtk_pq)

	# Date : WK17.23
	# Stage: O Migration, SQC
	# Purpose: Allow to use shared memory for HAL PQ
	hal_client_domain(mediaserver, hal_allocator)

	# Date : WK17.31
	# Stage: O Migration, SQC
	# Purpose: Allow to use ape decoder
	hal_client_domain(mediaserver, hal_mtk_codecservice)

	# Date : WK17.31
	# Operation : ViLTE
	# Purpose : for ViLTE - set VTservice has permission to access me
	allow mediaserver vtservice:binder { transfer call };
	allow mediaserver vtservice:fd use;

	# Date : WK17.43
	# Operation : OMA DRM
	# Purpose : Allow mediaserver to read processname to pass OMA DRM permisson check
	allow mediaserver platform_app:dir search;
	allow mediaserver platform_app:file { read open };

	# Date : WK17.47
	# Operation : SQC
	# Purpose : Allow mediaserver to read processname of DeskClock to pass OMA DRM permisson check
	allow mediaserver mediaprovider:dir search;
	allow mediaserver platform_app:file getattr;
	allow mediaserver system_app:dir search;
	allow mediaserver system_app:file read;
	allow mediaserver system_app:file open;

	# Date : WK17.49
	# Operation : VOW
	# Purpose: Allow read and getattr path="/data/data/com.mediatek.voicecommand/training
	# /anyone/passwordfile/0.dat"
	allow mediaserver system_app_data_file:file { read getattr };

	# Date : WK19.16
	# Operation : WFD
	# Purpose: Allow ioctl
	allowxperm mediaserver proc_perfmgr:file ioctl {
	PERFMGR_FPSGO_QUEUE
	PERFMGR_FPSGO_DEQUEUE
	};

	# Date : WK19.43
	# Operation : HDCP
	# Purpose : Allow to connect HDCP HIDL server
	hal_client_domain(mediaserver, hal_tesiai_hdcp)

	# Date : WK21.37
	# Operation : HDCP
	# Purpose : Allow HDCP to access wv dev to get handle
	allow mediaserver widevine_drv_device:chr_file rw_file_perms_no_map;