# ==============================================
# MTK Policy Rule
# ============

# for debug purpose
allow surfaceflinger self:capability { net_admin sys_nice };
allow surfaceflinger self:netlink_socket { read bind create };
allow surfaceflinger debug_prop:property_service set;
allow surfaceflinger guiext-server:binder { transfer call };
allow surfaceflinger system_data_file:dir { write add_name create};
allow surfaceflinger system_data_file:file { open };
allow surfaceflinger proc:file write;
allow surfaceflinger shell_exec:file { read execute open execute_no_trans };
allow surfaceflinger anr_data_file:dir { write search create add_name };
allow surfaceflinger anr_data_file:file { create write};
allow surfaceflinger aee_exp_data_file:file write;
allow surfaceflinger custom_file:dir search;
binder_call(surfaceflinger, debuggerd)
allow surfaceflinger aee_dumpsys_data_file:file write;
allow surfaceflinger RT_Monitor_device:chr_file { read ioctl open };

# for using toolbox
allow surfaceflinger system_file:file x_file_perms;

# for sf_dump
userdebug_or_eng(`
allow surfaceflinger system_data_file:dir {relabelfrom read};
allow surfaceflinger sf_bqdump_data_file:{dir file} {relabelto open create read write getattr };
allow surfaceflinger sf_bqdump_data_file:dir {search add_name};
')

# for driver access
allow surfaceflinger sw_sync_device:chr_file { read write open ioctl };
allow surfaceflinger MTK_SMI_device:chr_file { read write open ioctl };

# for bootanimation
allow surfaceflinger bootanim:dir search;
allow surfaceflinger bootanim:file { read getattr open };
allow surfaceflinger self:capability dac_override;

# for ipo
allow surfaceflinger ipod:dir search;
binder_call(surfaceflinger, ipod)

# for MTK Emulator HW GPU
allow surfaceflinger qemu_pipe_device:chr_file rw_file_perms;

# for SVP secure memory allocation
allow surfaceflinger proc_secmem:file { read write open ioctl };

# for watchdog
allow surfaceflinger anr_data_file:dir { relabelfrom read remove_name getattr };
allow surfaceflinger anr_data_file:file { rename getattr unlink open };
allow surfaceflinger sf_rtt_file:dir { create search write add_name remove_name};
allow surfaceflinger sf_rtt_file:file { open read write create rename append getattr unlink};
allow surfaceflinger sf_rtt_file:dir {relabelto getattr};

# for system shrinks memory pages when low memory
allow surfaceflinger platform_app_tmpfs:file write;
allow surfaceflinger isolated_app_tmpfs:file write;
allow surfaceflinger untrusted_app_tmpfs:file write;

#for BufferQueue check process name of em_svr   
allow surfaceflinger em_svr:dir search;
allow surfaceflinger em_svr:file { read getattr open };

# need to check what is this allowance for
allow surfaceflinger mobicore:unix_stream_socket connectto;
allow surfaceflinger mobicore_data_file:file { read getattr open };
allow surfaceflinger mobicore_user_device:chr_file { read write ioctl open };
allow surfaceflinger mobicore_data_file:dir search;