##
# Trustonic TEE (mobicore) daemon
#

# ==============================================
# Type Declaration
# ==============================================
type mobicore, domain;
type mobicore_exec, exec_type, file_type;
type mobicore_admin_device, dev_type;
type mobicore_user_device, dev_type;
type mobicore_tui_device, dev_type;
type mobicore_data_file, file_type, data_file_type;

# ==============================================
# Type Declaration for secmem
# ==============================================
type proc_secmem, fs_type;
# genfscon proc /secmem0 u:object_r:proc_secmem:s0;

# ==============================================
# MTK Policy Rule
# ==============================================
# permissive mobicore;
init_daemon_domain(mobicore)
allow mobicore self:capability { dac_override };
allow mobicore mobicore_admin_device:chr_file rw_file_perms;
allow mobicore mobicore_user_device:chr_file rw_file_perms;
allow mobicore mobicore_data_file:dir rw_dir_perms;
allow mobicore mobicore_data_file:file create_file_perms;
allow mobicore self:netlink_socket create_socket_perms;
allow mobicore apk_data_file:dir write;
allow mobicore mobicore_data_file:dir create;
allow mobicore mobicore_data_file:file rw_file_perms;