Android_Device_Mediatek_Sep.../bsp/non_plat/mediaserver.te

# ==============================================
# Common SEPolicy Rule
# ==============================================

# Date : WK14.52
# Operation : WVL1 IT
# Purpose : SVP module operates secmem driver
allow mediaserver mobicore_data_file:file getattr;
allow mediaserver mobicore_data_file:file getattr;

allow mediaserver mobicore_data_file:file { getattr read};
allow mediaserver mobicore_user_device:chr_file { read write open ioctl};

# Date: WK14.45
# Operation : Migration
# Purpose : HDCP
allow mediaserver persist_data_file:file { read write getattr };

# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow mediaserver offloadservice_device:chr_file { read write ioctl open };

# Data : WK14.38
# Operation : Migration
# Purpose : WFD
allow mediaserver surfaceflinger:dir search;
allow mediaserver surfaceflinger:file { read open };

# Date : WK14.49
# Operation : WFD
# Purpose : WFD notifies its status to thermal module
allow mediaserver proc_thermal:file { write getattr open };
allow mediaserver proc_mtkcooler:file { read write open };
allow mediaserver proc_mtktz:file { read write open };
allow mediaserver proc_thermal:file { read write open };

# Date : WK15.44
# Operation : Migration
# Purpose : ancservice
allow mediaserver ancservice_device:chr_file { read write ioctl open };

# Date : WK16.29
# Operation : Migration
# Purpose : Add permission for gpu access
allow mediaserver dri_device:chr_file { read write open ioctl };

# Date : WK17.23
# Stage: O Migration, SQC
# Purpose: Allow to use HAL PQ
hal_client_domain(mediaserver, hal_mtk_pq)

# Date : WK17.23
# Stage: O Migration, SQC
# Purpose: Allow to use shared memory for HAL PQ
hal_client_domain(mediaserver, hal_allocator)

# Date : WK17.31
# Stage: O Migration, SQC
# Purpose: Allow to use ape decoder
hal_client_domain(mediaserver, hal_mtk_codecservice)

# Date : WK17.31
# Operation : ViLTE
# Purpose : for ViLTE - set VTservice has permission to access me
allow mediaserver vtservice:binder { transfer call };
allow mediaserver vtservice:fd use;

# Date : WK17.43
# Operation : OMA DRM
# Purpose : Allow mediaserver to read processname to pass OMA DRM permisson check
allow mediaserver platform_app:dir search;
allow mediaserver platform_app:file { read open };

# Date : WK17.47
# Operation : SQC
# Purpose : Allow mediaserver to read processname of DeskClock to pass OMA DRM permisson check
allow mediaserver mediaprovider:dir search;
allow mediaserver platform_app:file getattr;
allow mediaserver system_app:dir search;
allow mediaserver system_app:file read;
allow mediaserver system_app:file open;

# Date : WK17.49
# Operation : VOW
# Purpose: Allow read and getattr path="/data/data/com.mediatek.voicecommand/training
# /anyone/passwordfile/0.dat"
allow mediaserver system_app_data_file:file { read getattr };

# Date : WK19.16
# Operation : WFD
# Purpose: Allow ioctl
allowxperm mediaserver proc_perfmgr:file ioctl {
  PERFMGR_FPSGO_QUEUE
  PERFMGR_FPSGO_DEQUEUE
};

# Date : WK19.43
# Operation : HDCP
# Purpose : Allow to connect HDCP HIDL server
hal_client_domain(mediaserver, hal_tesiai_hdcp)

# Date : WK21.37
# Operation : HDCP
# Purpose : Allow HDCP to access wv dev to get handle
allow mediaserver widevine_drv_device:chr_file rw_file_perms_no_map;
mtk-sepolicy: Initial SEPolicy rules 2022-08-14 15:07:12 +02:00			`# ==============================================`
			`# Common SEPolicy Rule`
			`# ==============================================`

			`# Date : WK14.52`
			`# Operation : WVL1 IT`
			`# Purpose : SVP module operates secmem driver`
			`allow mediaserver mobicore_data_file:file getattr;`
			`allow mediaserver mobicore_data_file:file getattr;`

			`allow mediaserver mobicore_data_file:file { getattr read};`
			`allow mediaserver mobicore_user_device:chr_file { read write open ioctl};`

			`# Date: WK14.45`
			`# Operation : Migration`
			`# Purpose : HDCP`
			`allow mediaserver persist_data_file:file { read write getattr };`

			`# Date : WK15.03`
			`# Operation : Migration`
			`# Purpose : offloadservice`
			`allow mediaserver offloadservice_device:chr_file { read write ioctl open };`

			`# Data : WK14.38`
			`# Operation : Migration`
			`# Purpose : WFD`
			`allow mediaserver surfaceflinger:dir search;`
			`allow mediaserver surfaceflinger:file { read open };`

			`# Date : WK14.49`
			`# Operation : WFD`
			`# Purpose : WFD notifies its status to thermal module`
			`allow mediaserver proc_thermal:file { write getattr open };`
			`allow mediaserver proc_mtkcooler:file { read write open };`
			`allow mediaserver proc_mtktz:file { read write open };`
			`allow mediaserver proc_thermal:file { read write open };`

			`# Date : WK15.44`
			`# Operation : Migration`
			`# Purpose : ancservice`
			`allow mediaserver ancservice_device:chr_file { read write ioctl open };`

			`# Date : WK16.29`
			`# Operation : Migration`
			`# Purpose : Add permission for gpu access`
			`allow mediaserver dri_device:chr_file { read write open ioctl };`

			`# Date : WK17.23`
			`# Stage: O Migration, SQC`
			`# Purpose: Allow to use HAL PQ`
			`hal_client_domain(mediaserver, hal_mtk_pq)`

			`# Date : WK17.23`
			`# Stage: O Migration, SQC`
			`# Purpose: Allow to use shared memory for HAL PQ`
			`hal_client_domain(mediaserver, hal_allocator)`

			`# Date : WK17.31`
			`# Stage: O Migration, SQC`
			`# Purpose: Allow to use ape decoder`
			`hal_client_domain(mediaserver, hal_mtk_codecservice)`

			`# Date : WK17.31`
			`# Operation : ViLTE`
			`# Purpose : for ViLTE - set VTservice has permission to access me`
			`allow mediaserver vtservice:binder { transfer call };`
			`allow mediaserver vtservice:fd use;`

			`# Date : WK17.43`
			`# Operation : OMA DRM`
			`# Purpose : Allow mediaserver to read processname to pass OMA DRM permisson check`
			`allow mediaserver platform_app:dir search;`
			`allow mediaserver platform_app:file { read open };`

			`# Date : WK17.47`
			`# Operation : SQC`
			`# Purpose : Allow mediaserver to read processname of DeskClock to pass OMA DRM permisson check`
			`allow mediaserver mediaprovider:dir search;`
			`allow mediaserver platform_app:file getattr;`
			`allow mediaserver system_app:dir search;`
			`allow mediaserver system_app:file read;`
			`allow mediaserver system_app:file open;`

			`# Date : WK17.49`
			`# Operation : VOW`
			`# Purpose: Allow read and getattr path="/data/data/com.mediatek.voicecommand/training`
			`# /anyone/passwordfile/0.dat"`
			`allow mediaserver system_app_data_file:file { read getattr };`

			`# Date : WK19.16`
			`# Operation : WFD`
			`# Purpose: Allow ioctl`
			`allowxperm mediaserver proc_perfmgr:file ioctl {`
			`PERFMGR_FPSGO_QUEUE`
			`PERFMGR_FPSGO_DEQUEUE`
			`};`

			`# Date : WK19.43`
			`# Operation : HDCP`
			`# Purpose : Allow to connect HDCP HIDL server`
			`hal_client_domain(mediaserver, hal_tesiai_hdcp)`

			`# Date : WK21.37`
			`# Operation : HDCP`
			`# Purpose : Allow HDCP to access wv dev to get handle`
			`allow mediaserver widevine_drv_device:chr_file rw_file_perms_no_map;`