Diffstat (limited to 'sepolicy/system_app.te')
-rwxr-xr-xsepolicy/system_app.te159
1 files changed, 159 insertions, 0 deletions
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100755
index 0000000..abdf5ca
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,159 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# permissive system_app;
+
+
+# Date : 2014/07/31
+# Stage: BaseUT
+# Purpose :[CdsInfo][CdsInfo uses net shell commands to get network information and write WI-FI MAC address by NVRAM]
+# Package Name: com.mediatek.connectivity
+allow system_app nvram_agent_binder:binder call;
+
+# Date: 2014/08/01
+# Operation: BaseUT
+# Purpose: [Settings][Settings used list views need velocity tracker access touch dev]
+# Package: com.android.settings
+allow system_app touch_device:chr_file { read ioctl open };
+
+# Date: 2014/08/04
+# Stage: BaseUT
+# Purpose: [MTKThermalManager][View thermal zones and coolers, and change thermal policies]
+# Package Name: com.mediatek.mtkthermalmanager
+allow system_app apk_private_data_file:dir getattr;
+allow system_app asec_image_file:dir getattr;
+allow system_app dontpanic_data_file:dir getattr;
+allow system_app drm_data_file:dir getattr;
+allow system_app install_data_file:file getattr;
+allow system_app lost_found_data_file:dir getattr;
+allow system_app media_data_file:dir getattr;
+allow system_app property_data_file:dir getattr;
+allow system_app shell_data_file:dir search;
+allow system_app thermal_manager_exec:file { read execute open execute_no_trans };
+allow system_app proc_thermal:dir search;
+allow system_app proc_thermal:file { read getattr open write };
+allow system_app proc_mtkcooler:dir search;
+allow system_app proc_mtkcooler:file { read getattr open write };
+allow system_app proc_mtktz:dir search;
+allow system_app proc_mtktz:file { read getattr open write };
+allow system_app proc_slogger:file { read getattr open write };
+
+# Date: 2014/08/21
+# Stage: BaseUT
+# Purpose: [AtciService][Atci Service will use atci_serv_fw_socket to connect to atci_service which in native layer]
+# Package Name: com.mediatek.atci.service
+allow system_app atci_serv_fw_socket:sock_file write;
+allow system_app atci_service:unix_stream_socket connectto;
+
+# Date: 2014/08/29
+# Stage: BaseUT
+# Purpose: [BatteryWarning][View update graphics]
+# Package Name: com.mediatek.batterywarning
+allow system_app guiext-server:binder { transfer call };
+
+# Date: 2014/09/02
+# Operation: BaseUT
+# Purpose: [HotKnot][HotKnot service will use hoknot device node]
+# Package: com.mediatek.hotknot.service
+allow system_app hotknot_device:chr_file { read write ioctl open };
+
+# Date: 2014/09/02
+# Operation: BaseUT
+# Purpose: [HotKnot][HotKnot service will use devmap_device device node]
+# Package: com.mediatek.hotknot.service
+allow system_app devmap_device:chr_file { read ioctl open };
+
+# Date: 2014/09/02
+# Operation: BaseUT
+# Purpose: [HotKnot][HotKnot service will use mtkfb device node]
+# Package: com.mediatek.hotknot.service
+allow system_app graphics_device:chr_file { read write ioctl open };
+allow system_app graphics_device:dir search;
+
+# Data : 2014/09/09
+# Operation : Migration
+# Purpose : [Privacy protection lock][com.mediatek.ppl need to bind ppl_agent service to read/write nvram file]
+# Package name : com.mediatek.ppl
+
+allow system_app ppl_agent:binder call;
+
+# Date: 2014/10/7
+# Operation: SQC
+# Purpose: [sysoper][sysoper will create folder /cache/recovery]
+# Package: com.mediatek.systemupdate.sysoper
+allow system_app cache_file:dir { write create add_name };
+allow system_app cache_file:file { write create open };
+
+# Date : 2014/10/08
+# Operation : BaseUT
+# Purpose : [op01 agps setting][mtk_agpsd establishes the local socket as agpsd for all A-GPS
+# application to do something with mtk_agpsd in system app]
+# Package: com.mediatek.op01.plugin
+unix_socket_connect(system_app, agpsd, mtk_agpsd);
+
+# Date : 2014/10/28
+# Operation: SQC
+# Purpose : ALPS01761930
+# Package: com.android.settings
+allow system_app asec_apk_file:file r_file_perms;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for MTK Emulator HW GPU
+allow system_app qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK14.46
+# Operation : Migration
+# Package: org.simalliance.openmobileapi.service
+# Purpose : ALPS01820916, for SmartcardService
+allow system_app system_app_data_file:file execute;
+
+# Date : 2014/11/17
+# Operation: SQC
+# Purpose : [Settings][Battery module will call batterystats API, and it will read /sys/kernel/debug/wakeup_sources]
+# Package: com.android.settings
+allow system_app debugfs:file r_file_perms;
+
+# Date : 2014/11/18
+# Operation : SQC
+# Purpose : for oma dm fota recovery update
+allow system_app ctl_rbfota_prop:property_service set;
+
+# Date : 2014/11/19
+# Operation: SQC
+# Purpose: [Settings][RenderThread][operate device file failed]
+# Package: com.android.settings
+allow system_app proc_secmem:file rw_file_perms;
+
+# Date : 2014/11/20
+# Operation: SQC
+# Purpose: [Settings][Developer options module will communicate with all Services through binder call]
+# Package: com.android.settings
+binder_call(system_app, mtkbt)
+binder_call(system_app, MtkCodecService)
+
+# Date : 2014/11/26
+# Operation: SQC
+# Purpose: [Settings][Browser][warning kernel API'selinux enforce violation:sdcardd' when do stress test with ' AT_ST_Browser_Test.rar']
+# Package: com.android.settings
+allow system_app platform_app_tmpfs:file write;
+
+# Date : 2015/01/13
+# Operation: SQC
+# Purpose: access ashmem of isolated_app
+# Package: com.fw.upgrade.sysoper
+dontaudit system_app isolated_app_tmpfs:file write;
+
+# Date : 2015/01/14
+# Operation: SQC
+# Purpose: access ashmem of untrusted_app
+# Package: android.ui
+dontaudit system_app untrusted_app_tmpfs:file write;
+
+# Date : 2015/01/27
+# Operation: SQC
+# Purpose: It's not normal behavior, that system_app want to access radio_file_data
+# Package: android.ui
+dontaudit system_app radio_data_file:dir search;
+
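Review bot: The rule `allow system_app system_app_data_file:file execute;` (the SmartcardService block) lets every app running in the system_app domain execute files out of its own writable data directory, although the comment scopes the need to org.simalliance.openmobileapi.service alone; that removes the write/execute separation for all system apps, and the same single-package-justifies-whole-domain widening applies to `thermal_manager_exec:file { ... execute_no_trans }`, the `cache_file:dir { write create add_name }` / `cache_file:file { write create open }` pair for the sysoper package, and `debugfs:file r_file_perms` for Settings. Consider placing these package-specific needs in a dedicated domain (a new .te plus the matching seapp_contexts entry) so the grant does not extend to every system_app, or at minimum record the justification next to each rule, e.g. `# NOTE(review): domain-wide execute on writable app data; confirm no narrower label or domain is possible`. The three `dontaudit` rules at the end only suppress denials and grant nothing, which is the right treatment for the case the author calls "not normal behavior" — keep them separated from the allow rules when this file is audited later. Separately, the file is added with mode 100755; a policy source normally does not need the executable bit.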