# ==============================================
# Policy File of /system/bin/atci_service Executable File
# ==============================================
# Type Declaration
# ==============================================
# atci_service_exec: label for the daemon executable; it carries the exec_type
# and file_type attributes.
type atci_service_exec , exec_type, file_type;
# atci_service: the process domain. Every allow rule in this file uses it as
# the source, so the sum of those rules is what the daemon can do if it is
# ever driven by hostile input.
type atci_service ,domain;
# ==============================================
# Android Policy Rule
# ==============================================
# ==============================================
# NSA Policy Rule
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
# init_daemon_domain is the AOSP macro that sets up the automatic transition
# from init into atci_service when init executes a file labelled
# atci_service_exec.
init_daemon_domain(atci_service)
# Date : 2014/09/09 (or WK14.37)
# Operation : Migration
# Purpose : allow Binder IPC
# atci_pq_cmd.cpp will call aal for runtime tuning
# binder_use grants general Binder access (servicemanager included);
# binder_call lets atci_service make Binder calls into the aal domain.
# NOTE(review): this file does not show where atci_service takes its commands
# from. Every Binder peer granted in this file is reachable from that input,
# so confirm the command channel is restricted to trusted tooling.
binder_use(atci_service)
binder_call(atci_service, aal)
# Date : 2015/09/04
# Operation : Migration
# Purpose : to find AAL service
# Lets atci_service look up the AAL service in servicemanager; this pairs with
# the binder_call(atci_service, aal) rule earlier in this file.
allow atci_service aal_service:service_manager { find };
# binder_service is the AOSP macro that marks the domain as one that serves
# Binder calls.
# NOTE(review): no service_manager add rule for atci_service is visible in
# this file. Confirm the daemon really registers a service; if it does not,
# this macro is unneeded surface.
binder_service(atci_service)
# Raw storage access: search on block_device allows traversal of the directory
# holding block nodes; the misc2 rule then opens one node for read and write.
allow atci_service block_device:dir search;
allow atci_service misc2_block_device:blk_file { open read write };
# AOSP file_type_auto_trans macro: objects this domain creates inside
# system_data_file directories are labelled atci_data_file.
file_type_auto_trans(atci_service, system_data_file, atci_data_file)
# The rules below let the daemon create, re-own, write to and remove a socket
# file inside an atci_data_file directory.
allow atci_service atci_data_file:dir write;
allow atci_service atci_data_file:dir add_name;
allow atci_service atci_data_file:sock_file create;
allow atci_service atci_data_file:sock_file setattr;
# chown is granted again in the larger self:capability rule later in this
# file; this line is redundant.
allow atci_service self:capability chown;
allow atci_service atci_data_file:dir remove_name;
allow atci_service atci_data_file:sock_file unlink;
# Datagrams may be sent to a unix datagram socket owned by system_server.
allow atci_service system_server:unix_dgram_socket sendto;
#allow atci_service system_data_file:file rw_file_perms;
allow atci_service atci_data_file:sock_file write;
allow atci_service misc2_device:chr_file { open read write };
# NOTE(review): going by the type name, mmcblk0_block_device labels the whole
# eMMC device rather than a single partition - confirm in file_contexts. Raw
# read/write on that node sidesteps every per-file label on the partitions it
# contains, so this rule deserves a narrower target type.
allow atci_service mmcblk0_block_device:blk_file { open read write };
# mt6605_device plus the nfc_socket rules presumably serve NFC test commands -
# confirm against the device documentation.
allow atci_service mt6605_device:chr_file { read write ioctl open getattr };
allow atci_service nfc_socket:dir { write add_name remove_name search };
allow atci_service nfc_socket:sock_file { create write unlink setattr };
# execute_no_trans: binaries labelled system_file run inside atci_service
# itself, with no domain transition, so any helper the daemon executes
# inherits every permission in this file.
# NOTE(review): prefer a dedicated domain for helpers that need less.
allow atci_service system_file:file execute_no_trans;
# NOTE(review): very broad capability set with no justification recorded in
# this file. dac_override and dac_read_search bypass file permission checks,
# sys_admin covers a wide range of privileged kernel operations, net_admin and
# net_raw allow network configuration and raw sockets. Audit each one against
# observed denials and drop whatever the daemon does not use.
allow atci_service self:capability { dac_read_search dac_override net_raw chown fsetid sys_nice net_admin fowner sys_admin };
# Camera and display device nodes (ISP, framebuffer/graphics, sensor driver).
allow atci_service camera_isp_device:chr_file { read write ioctl open };
allow atci_service graphics_device:chr_file { read write ioctl open };
allow atci_service graphics_device:dir search;
allow atci_service kd_camera_hw_device:chr_file { read write ioctl open };
# sys_nice is already granted by the rule above; ipc_lock is the only new
# capability added here.
allow atci_service self:capability { sys_nice ipc_lock };
# Full create/modify/delete access to nvram_data_file directories and files,
# plus direct access to the nvram character device.
# NOTE(review): presumably this is device calibration data - confirm, and
# check whether unlink and setattr are really required.
allow atci_service nvram_data_file:dir { write read open add_name remove_name search create getattr setattr };
allow atci_service nvram_data_file:file { setattr read create write getattr unlink open append };
allow atci_service nvram_device:chr_file { read write open ioctl };
# Exact duplicate of the camera_isp_device rule a few lines above; harmless
# but redundant.
allow atci_service camera_isp_device:chr_file { read write ioctl open };
allow atci_service camera_sysram_device:chr_file { read ioctl open };
allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open };
allow atci_service MTK_SMI_device:chr_file { open read write ioctl };
# Direct Binder calls into system_server.
allow atci_service system_server:binder call;
# system_data_file is the generic /data label in AOSP policy; these
# permissions let the daemon add and remove entries in any directory that
# still carries it.
# NOTE(review): consider a dedicated directory type instead.
allow atci_service system_data_file:dir { write remove_name add_name };
#allow atci_service system_data_file:file { write create unlink open };
allow atci_service DW9714AF_device:chr_file { read write ioctl open };
allow atci_service devmap_device:chr_file { open read write ioctl };
# Full create/modify/delete access to fuse-labelled directories and files.
# NOTE(review): fuse is presumably shared or external storage here - confirm.
# Data read from that location should be treated as untrusted by the daemon.
allow atci_service fuse:dir { search write read open add_name remove_name create getattr setattr };
allow atci_service fuse:file { setattr read create write getattr unlink open append };
# Direct Binder calls into mediaserver.
allow atci_service mediaserver:binder call;
# NOTE(review): sysfs is the generic sysfs label, so write here reaches every
# sysfs node that has not been given a more specific type. Label the nodes
# the daemon needs and grant write on that type only.
allow atci_service sysfs:file write;
allow atci_service system_server:unix_stream_socket { read write };
# sys_boot permits the reboot system call.
allow atci_service self:capability sys_boot;
# Date : 2015/09/17
# Operation : M-Migration
# Purpose : to operate the CCT tool
# Read/write on the nvram block device and on nvdata_file directories and
# files.
allow atci_service nvram_device:blk_file { open read write };
allow atci_service nvdata_file:dir { open read write add_name search };
allow atci_service nvdata_file:file { create read write setattr open };
# NOTE(review): read on input_device exposes raw input events to this domain
# and write lets it send data to those nodes (presumably under /dev/input -
# confirm). Check that the tool needs both directions and both the file and
# chr_file classes.
allow atci_service input_device:dir { open read search };
allow atci_service input_device:file { open read write ioctl };
allow atci_service input_device:chr_file { open read write ioctl };
#allow atci_service BU6429AF_device:chr_file { open read write ioctl };
#allow atci_service BU6424AF_device:chr_file { open read write ioctl };
# Autofocus driver nodes, going by the AF suffix in the type names
# (TODO confirm).
allow atci_service MAINAF_device:chr_file { open read write ioctl };
allow atci_service SUBAF_device:chr_file { open read write ioctl };
allow atci_service tmpfs:lnk_file read;
# block_suspend lets the daemon keep the system from suspending.
allow atci_service self:capability2 block_suspend;
# Date : 2015/10/01
# Operation : Add PQ service
# Purpose : Support PQ tuning
# Binder calls into the pq domain, plus the servicemanager lookup needed to
# obtain a handle to pq_service.
binder_call(atci_service, pq)
allow atci_service pq_service:service_manager { find };
# Date : 2015/10/13
# Operation : M-Migration
# Purpose : to operate the CCT tool
# servicemanager lookups for the media, perf and sensor services. find only
# yields a handle; the Binder call rules elsewhere in this file decide which
# of these peers can actually be called.
allow atci_service mediaserver_service:service_manager find;
# Directory search and symlink resolution on the user storage mount paths.
allow atci_service mnt_user_file:dir search;
allow atci_service mnt_user_file:lnk_file read;
allow atci_service mtk_perf_service:service_manager find;
allow atci_service nvdata_file:file getattr;
allow atci_service sensorservice_service:service_manager find;
allow atci_service storage_file:lnk_file read;
# Date : 2015/11/03
# Operation : Change the file path from /data/ to /data/cct
# Purpose : to operate the CCT tool
# Full create/modify/delete access to the dedicated cct_data_file type.
# NOTE(review): with the tool data moved to its own type, the broader
# system_data_file:dir rule earlier in this file may no longer be needed -
# verify and remove it if so.
allow atci_service cct_data_file:dir { write read open add_name remove_name search create getattr setattr };
allow atci_service cct_data_file:file { setattr read create write getattr unlink open append };
#============= atci_service ==============
# NOTE(review): the header above is in the style audit2allow emits, so these
# two rules were presumably generated from logged denials. They carry no
# date or purpose comment; confirm which feature needs nvcfg_file access.
# Search, read, write and create in nvcfg_file directories, and
# read/write/create on the files inside them.
allow atci_service nvcfg_file:dir { search write open read add_name create };
allow atci_service nvcfg_file:file { read write getattr open create };