path: root/sepolicy/system_app.te

# ==============================================
# MTK Policy Rule
# ==============================================

# permissive system_app;


# Date : 2014/07/31
# Stage: BaseUT
# Purpose :[CdsInfo][CdsInfo uses net shell commands to get network information and write WI-FI MAC address by NVRAM]
# Package Name: com.mediatek.connectivity
allow system_app nvram_agent_binder:binder call;

# Date: 2014/08/01
# Operation: BaseUT
# Purpose: [Settings][Settings used list views need velocity tracker access touch dev]
# Package: com.android.settings
allow system_app touch_device:chr_file { read ioctl open };

# Date: 2014/08/04
# Stage: BaseUT
# Purpose: [MTKThermalManager][View thermal zones and coolers, and change thermal policies]
# Package Name: com.mediatek.mtkthermalmanager
allow system_app apk_private_data_file:dir getattr;
allow system_app asec_image_file:dir getattr;
allow system_app dontpanic_data_file:dir getattr;
allow system_app drm_data_file:dir getattr;
allow system_app install_data_file:file getattr;
allow system_app lost_found_data_file:dir getattr;
allow system_app media_data_file:dir getattr;
allow system_app property_data_file:dir getattr;
allow system_app shell_data_file:dir search;
allow system_app thermal_manager_exec:file { read execute open execute_no_trans };
allow system_app proc_thermal:dir search;
allow system_app proc_thermal:file { read getattr open write };
allow system_app proc_mtkcooler:dir search;
allow system_app proc_mtkcooler:file { read getattr open write };
allow system_app proc_mtktz:dir search;
allow system_app proc_mtktz:file  { read getattr open write };
allow system_app proc_slogger:file { read getattr open write };

# Date: 2014/08/21
# Stage: BaseUT
# Purpose: [AtciService][Atci Service will use atci_serv_fw_socket to connect to atci_service which in native layer]
# Package Name: com.mediatek.atci.service
allow system_app atci_serv_fw_socket:sock_file write;
allow system_app atci_service:unix_stream_socket connectto;

# Date: 2014/08/29
# Stage: BaseUT
# Purpose: [BatteryWarning][View update graphics]
# Package Name: com.mediatek.batterywarning
allow system_app guiext-server:binder { transfer call };

# Date: 2014/09/02
# Operation: BaseUT
# Purpose: [HotKnot][HotKnot service will use hoknot device node]
# Package: com.mediatek.hotknot.service
allow system_app hotknot_device:chr_file { read write ioctl open };

# Date: 2014/09/02
# Operation: BaseUT
# Purpose: [HotKnot][HotKnot service will use devmap_device device node]
# Package: com.mediatek.hotknot.service
allow system_app devmap_device:chr_file { read ioctl open };

# Date: 2014/09/02
# Operation: BaseUT
# Purpose: [HotKnot][HotKnot service will use mtkfb device node]
# Package: com.mediatek.hotknot.service
allow system_app graphics_device:chr_file { read write ioctl open };
allow system_app graphics_device:dir search;

# Data : 2014/09/09
# Operation : Migration
# Purpose : [Privacy protection lock][com.mediatek.ppl need to bind ppl_agent service to read/write nvram file]
# Package name : com.mediatek.ppl

allow system_app ppl_agent:binder call;

# Date: 2014/10/7
# Operation: SQC
# Purpose: [sysoper][sysoper will create folder /cache/recovery]
# Package: com.mediatek.systemupdate.sysoper
allow system_app cache_file:dir { write create add_name };
allow system_app cache_file:file { write create open };

# Date : 2014/10/08
# Operation : BaseUT
# Purpose : [op01 agps setting][mtk_agpsd establishes the local socket as agpsd for all A-GPS 
#           application to do something with mtk_agpsd in system app]
# Package: com.mediatek.op01.plugin
unix_socket_connect(system_app, agpsd, mtk_agpsd);

# Date : 2014/10/28
# Operation: SQC
# Purpose : ALPS01761930
# Package: com.android.settings
allow system_app asec_apk_file:file r_file_perms;

# Date : WK14.46
# Operation : Migration
# Purpose : for MTK Emulator HW GPU
allow system_app qemu_pipe_device:chr_file rw_file_perms;

# Date : WK14.46
# Operation : Migration
# Package: org.simalliance.openmobileapi.service
# Purpose : ALPS01820916, for SmartcardService
allow system_app system_app_data_file:file execute;

# Date : 2014/11/17
# Operation: SQC
# Purpose : [Settings][Battery module will call batterystats API, and it will read /sys/kernel/debug/wakeup_sources]
# Package: com.android.settings
allow system_app debugfs:file r_file_perms;

# Date : 2014/11/18
# Operation : SQC
# Purpose : for oma dm fota recovery update
allow system_app ctl_rbfota_prop:property_service set;

# Date : 2014/11/19
# Operation: SQC
# Purpose: [Settings][RenderThread][operate device file failed]
# Package: com.android.settings
allow system_app proc_secmem:file rw_file_perms;

# Date : 2014/11/20
# Operation: SQC
# Purpose: [Settings][Developer options module will communicate with all Services through binder call]
# Package: com.android.settings
binder_call(system_app, mtkbt)
binder_call(system_app, MtkCodecService)

# Date : 2014/11/26
# Operation: SQC
# Purpose: [Settings][Browser][warning kernel API'selinux enforce violation:sdcardd' when do stress test with ' AT_ST_Browser_Test.rar']
# Package: com.android.settings
allow system_app platform_app_tmpfs:file write;

# Date : 2015/01/13
# Operation: SQC
# Purpose: access ashmem of isolated_app
# Package: com.fw.upgrade.sysoper
dontaudit system_app isolated_app_tmpfs:file write;

# Date : 2015/01/14
# Operation: SQC
# Purpose: access ashmem of untrusted_app
# Package: android.ui
dontaudit system_app untrusted_app_tmpfs:file write;

# Date : 2015/01/27
# Operation: SQC
# Purpose: It's not normal behavior, that system_app want to access radio_file_data
# Package: android.ui
dontaudit system_app radio_data_file:dir search;