sepolicy/guiext-server.te - device/mediatek/common - Gitiles

 # ==============================================
 # Policy File of /system/bin/guiext-server Executable File

 # ==============================================
 # Type Declaration
 # ==============================================
 type guiext-server, domain;
 type guiext-server_exec, exec_type, file_type;

 # ==============================================
 # MTK Policy Rule
 # ==============================================
 init_daemon_domain(guiext-server)

 # for bqdump and conversion pool
 binder_service(guiext-server)
 binder_use(guiext-server)
 binder_call({domain -init -netd}, guiext-server)
 binder_call(guiext-server, {domain -init -netd})

 # to allocate GraphicBuffer
 allow guiext-server surfaceflinger:binder call;
 allow guiext-server surfaceflinger:fd use;
 allow guiext-server gpu_device:chr_file { open read write ioctl };

 # to be a service
 allow guiext-server guiext-server_service:service_manager add;

 # for dump
 allow guiext-server system_server:binder call;

 # for MiraVision
 allow guiext-server graphics_device:chr_file { open read write ioctl };

 # for CTS
 allow guiext-server platform_app:binder call;
 allow guiext-server app_data_file:file write;

 # for SVP secure memory allocation
 allow guiext-server proc_secmem:file { read write open };

 # need to get display information from SF
 allow guiext-server surfaceflinger_service:service_manager find;

 # allow processes register buffer queue information to gui_ext
 allow {domain -init -isolated_app} guiext-server_service:service_manager find;

 # to check permission when dumpsys
 allow guiext-server permission_service:service_manager find;

 # allow guiext-server to read/write fifo
 allow guiext-server surfaceflinger:fifo_file {read write};

 # for debug purpose
 allow guiext-server aee_exp_data_file:file write;
	# ==============================================
	# Policy File of /system/bin/guiext-server Executable File

	# ==============================================
	# Type Declaration
	# ==============================================
	type guiext-server, domain;
	type guiext-server_exec, exec_type, file_type;

	# ==============================================
	# MTK Policy Rule
	# ==============================================
	init_daemon_domain(guiext-server)

	# for bqdump and conversion pool
	binder_service(guiext-server)
	binder_use(guiext-server)
	binder_call({domain -init -netd}, guiext-server)
	binder_call(guiext-server, {domain -init -netd})

	# to allocate GraphicBuffer
	allow guiext-server surfaceflinger:binder call;
	allow guiext-server surfaceflinger:fd use;
	allow guiext-server gpu_device:chr_file { open read write ioctl };

	# to be a service
	allow guiext-server guiext-server_service:service_manager add;

	# for dump
	allow guiext-server system_server:binder call;

	# for MiraVision
	allow guiext-server graphics_device:chr_file { open read write ioctl };

	# for CTS
	allow guiext-server platform_app:binder call;
	allow guiext-server app_data_file:file write;

	# for SVP secure memory allocation
	allow guiext-server proc_secmem:file { read write open };

	# need to get display information from SF
	allow guiext-server surfaceflinger_service:service_manager find;

	# allow processes register buffer queue information to gui_ext
	allow {domain -init -isolated_app} guiext-server_service:service_manager find;

	# to check permission when dumpsys
	allow guiext-server permission_service:service_manager find;

	# allow guiext-server to read/write fifo
	allow guiext-server surfaceflinger:fifo_file {read write};

	# for debug purpose
	allow guiext-server aee_exp_data_file:file write;