authorMister Oyster <oysterized@gmail.com>2017-01-02 12:44:35 +0100
committerMister Oyster <oysterized@gmail.com>2017-01-02 12:44:35 +0100
commita184d985bf43d3fe6eeba971bc6b32f79ea38b37 (patch)
tree6f6e56e090777cc149bc1ab39e5987cc2b03e867 /sepolicy/surfaceflinger.te
initial release cm-13.0
Diffstat (limited to 'sepolicy/surfaceflinger.te')
-rw-r--r--sepolicy/surfaceflinger.te71
1 files changed, 71 insertions, 0 deletions
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..1aa9170
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,71 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# for debug purpose
+allow surfaceflinger self:capability { net_admin sys_nice };
+allow surfaceflinger self:netlink_socket { read bind create };
+allow surfaceflinger debug_prop:property_service set;
+allow surfaceflinger guiext-server:binder { transfer call };
+allow surfaceflinger system_data_file:dir { write add_name create};
+allow surfaceflinger system_data_file:file { open };
+allow surfaceflinger proc:file write;
+allow surfaceflinger shell_exec:file { read execute open execute_no_trans };
+allow surfaceflinger anr_data_file:dir { write search create add_name };
+allow surfaceflinger anr_data_file:file { create write};
+allow surfaceflinger aee_exp_data_file:file write;
+allow surfaceflinger custom_file:dir search;
+binder_call(surfaceflinger, debuggerd)
+allow surfaceflinger aee_dumpsys_data_file:file write;
+allow surfaceflinger RT_Monitor_device:chr_file { read ioctl open };
+
+# for using toolbox
+allow surfaceflinger system_file:file x_file_perms;
+
+# for sf_dump
+userdebug_or_eng(`
+allow surfaceflinger system_data_file:dir {relabelfrom read};
+allow surfaceflinger sf_bqdump_data_file:{dir file} {relabelto open create read write getattr };
+allow surfaceflinger sf_bqdump_data_file:dir {search add_name};
+')
+
+# for driver access
+allow surfaceflinger sw_sync_device:chr_file { read write open ioctl };
+allow surfaceflinger MTK_SMI_device:chr_file { read write open ioctl };
+
+# for bootanimation
+allow surfaceflinger bootanim:dir search;
+allow surfaceflinger bootanim:file { read getattr open };
+allow surfaceflinger self:capability dac_override;
+
+# for ipo
+allow surfaceflinger ipod:dir search;
+binder_call(surfaceflinger, ipod)
+
+# for MTK Emulator HW GPU
+allow surfaceflinger qemu_pipe_device:chr_file rw_file_perms;
+
+# for SVP secure memory allocation
+allow surfaceflinger proc_secmem:file { read write open ioctl };
+
+# for watchdog
+allow surfaceflinger anr_data_file:dir { relabelfrom read remove_name getattr };
+allow surfaceflinger anr_data_file:file { rename getattr unlink open };
+allow surfaceflinger sf_rtt_file:dir { create search write add_name remove_name};
+allow surfaceflinger sf_rtt_file:file { open read write create rename append getattr unlink};
+allow surfaceflinger sf_rtt_file:dir {relabelto getattr};
+
+# for system shrinks memory pages when low memory
+allow surfaceflinger platform_app_tmpfs:file write;
+allow surfaceflinger isolated_app_tmpfs:file write;
+allow surfaceflinger untrusted_app_tmpfs:file write;
+
+#for BufferQueue check process name of em_svr
+allow surfaceflinger em_svr:dir search;
+allow surfaceflinger em_svr:file { read getattr open };
+
+# need to check what is this allowance for
+allow surfaceflinger mobicore:unix_stream_socket connectto;
+allow surfaceflinger mobicore_data_file:file { read getattr open };
+allow surfaceflinger mobicore_user_device:chr_file { read write ioctl open };
+allow surfaceflinger mobicore_data_file:dir search;
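Review bot: The rules under `# for debug purpose` are granted unconditionally, while the `# for sf_dump` block further down is already wrapped in the `userdebug_or_eng(` macro; since the comment itself says these are debug-only, the block from `allow surfaceflinger self:capability { net_admin sys_nice };` through the `RT_Monitor_device:chr_file` rule should be opened with the same macro and closed with `')` so it does not reach user builds. The most sensitive rules in that block are `shell_exec:file { read execute open execute_no_trans }` (surfaceflinger can run the shell in its own domain), `proc:file write` and writes into the generic `system_data_file` and `debug_prop` types, none of which a display compositor needs in production. `allow surfaceflinger self:capability dac_override;` under `# for bootanimation` is a separate concern: it bypasses DAC permission checks for every file the domain touches, and if the bootanim files are the only need, correcting their ownership or labels is preferable to the capability. The mobicore block at the end is annotated `# need to check what is this allowance for`; a rule nobody can justify should be dropped rather than shipped, or at minimum the comment should record the denial it was added to silence.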