mtk-sepolicy: Import zirconia modem sepolicy rules

2022-08-14 15:08:06 +02:00 · 2022-08-14 15:08:06 +02:00 · 49214eec48
commit 49214eec48
parent 961041ba3e
15 changed files with 590 additions and 1 deletions
--- a/BoardSEPolicyConfig.mk
+++ b/BoardSEPolicyConfig.mk
@ -2,7 +2,8 @@
 # SELinux Policy File Configuration
 BOARD_SEPOLICY_DIRS += \
    device/mediatek/sepolicy/basic/non_plat \
-    device/mediatek/sepolicy/bsp/non_plat
+    device/mediatek/sepolicy/bsp/non_plat \
+    device/mediatek/sepolicy/modem

 ifneq ($(call math_lt,$(PRODUCT_SHIPPING_API_LEVEL),28),)
 BOARD_SEPOLICY_DIRS += $(wildcard device/mediatek/sepolicy/bsp/ota_upgrade)
--- a/modem/bip.te
+++ b/modem/bip.te
@ -0,0 +1,47 @@
+# ==============================================
+# Policy File of /system/bin/bip Executable File 
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type bip, domain, mtkimsmddomain, netdomain;
+type bip_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive bip;
+init_daemon_domain(bip)
+net_domain(bip)
+
+# Date : WK14.42
+# Operation : Migration 
+# Purpose : for bip send RTP/RTCP
+allow bip self:capability { net_raw setuid setgid net_admin};
+allow bip self:udp_socket { create write bind read setopt ioctl getattr shutdown connect };
+allow bip node:udp_socket node_bind;
+allow bip port:udp_socket name_bind;
+allow bip fwmarkd_socket:sock_file write;
+allow bip self:tcp_socket { create setopt ioctl bind listen accept read write connect };
+allow bip port:tcp_socket name_connect;
+allow bip self:netlink_route_socket read;
+allow bip bip_socket:sock_file write;
+allow bip vendor_bip_socket:sock_file write;
+
+#get_prop(bip, net_radio_prop)
+set_prop(bip, vendor_mtk_ril_mux_report_case_prop)
+set_prop(bip, vendor_mtk_ctl_muxreport-daemon_prop)
+
+# Purpose : for access ccci device
+allow bip ccci_device:chr_file { read write open ioctl };
+
+# Purpose : for raw socket
+allow bip self:rawip_socket { create write bind setopt read getattr};
+allow bip node:rawip_socket {node_bind}; 
+
+allow bip netd:unix_stream_socket connectto;
+allow bip netd_socket:sock_file write;
+
+allow netd bip:fd use;
+allow netd bip:tcp_socket { read write setopt getopt };
+allow netd bip:udp_socket {read write setopt getopt};
--- a/modem/epdg_wod.te
+++ b/modem/epdg_wod.te
@ -0,0 +1,94 @@
+# ==============================================
+# Policy File of /system/bin/epdg_wod Executable File 
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type epdg_wod_exec, exec_type, file_type, vendor_file_type;
+type epdg_wod, domain, mtkimsmddomain;
+
+
+#20141222 Add EPDG socket usage
+type wod_ipsec_conf_file, file_type, data_file_type;
+type wod_apn_conf_file, file_type, data_file_type;
+type wod_action_socket, file_type;
+type wod_sim_socket, file_type;
+type wod_ipsec_socket, file_type;
+type wod_dns_socket, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(epdg_wod)
+net_domain(epdg_wod)
+
+domain_auto_trans(epdg_wod, starter_exec, ipsec)
+domain_auto_trans(epdg_wod, charon_exec, ipsec)
+domain_auto_trans(epdg_wod, starter_exec, ipsec)
+domain_auto_trans(epdg_wod, stroke_exec, ipsec)
+
+# Date: WK14.52
+# Operation : Feature for ePDG
+# Purpose :  handle tunnel interface
+allow epdg_wod self:tun_socket { relabelfrom relabelto create };
+allow epdg_wod tun_device:chr_file { read write ioctl open getattr };
+allow epdg_wod self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
+allow epdg_wod self:capability { net_admin kill };
+
+
+# Purpose :  update ipsec deamon
+allow epdg_wod ipsec_exec:file { read getattr open execute execute_no_trans lock};
+
+# Purpose : send signal to process (ipsec/charon)
+allow epdg_wod ipsec:process { signal sigkill signull };
+
+# Purpose :  set property for debug messages
+set_prop(epdg_wod, vendor_mtk_wod_prop)
+set_prop(epdg_wod, vendor_mtk_persist_wod_prop)
+
+# Purpose :  create strongswan config file for IKEv2 Tunnel
+allow epdg_wod wod_apn_conf_file:dir { write read open add_name remove_name search };
+allow epdg_wod wod_apn_conf_file:file { write read create unlink open getattr };
+allow epdg_wod wod_ipsec_conf_file:file { write read create unlink open getattr };
+allow epdg_wod wod_ipsec_conf_file:dir { write read open add_name remove_name search };
+
+# tear_xfrm_policy
+allow epdg_wod self:netlink_xfrm_socket { write getattr setopt nlmsg_write read bind create };
+
+# Purpose : check tun device is ready
+allow epdg_wod self:udp_socket { create ioctl };
+allow epdg_wod self:capability sys_module;
+
+
+# Purpose: Kill Process, removed these permissions as security concerns
+#allow epdg_wod system_server:process { signal signull };
+#allow epdg_wod kernel:process signal;
+
+# Purpose: access iptables for mss
+allow epdg_wod self:capability net_raw;
+allow epdg_wod self:rawip_socket { getopt create setopt };
+
+# Purpose: communicate with NETD
+unix_socket_connect(epdg_wod,netd,netd);
+allow netd epdg_wod:fd use;
+allow netd epdg_wod:tcp_socket { read write setopt getopt };
+allow netd epdg_wod:udp_socket {read write setopt getopt};
+
+# Purpose: use netutils-wrapper 
+domain_auto_trans(epdg_wod, netutils_wrapper_exec, netutils_wrapper)
+allow netutils_wrapper epdg_wod:fd use;
+allow netutils_wrapper epdg_wod:unix_stream_socket { read write };
+
+#Purpose: use ccci device
+allow epdg_wod ccci_device:chr_file {open read write ioctl};
+
+# Purpose :  starter daemon charon
+allow epdg_wod starter_exec:file { read getattr open execute execute_no_trans lock};
+
+# Purpose :  stroke daemon charon
+allow epdg_wod stroke_exec:file { read getattr open execute execute_no_trans lock};
+
+# Purpose :  starter invoke charon
+allow epdg_wod charon_exec:file { read getattr open execute execute_no_trans lock};
+
+
--- a/modem/file.te
+++ b/modem/file.te
@ -0,0 +1,8 @@
+type volte_imcb_socket, file_type;
+type volte_ut_socket, file_type;
+type volte_ua_socket, file_type;
+type volte_stack_socket, file_type;
+type wfca_socket, file_type;
+type bip_socket, file_type;
+type vendor_bip_socket, file_type;
+
--- a/modem/file_contexts
+++ b/modem/file_contexts
@ -0,0 +1,31 @@
+/(system\/vendor|vendor)/bin/epdg_wod u:object_r:epdg_wod_exec:s0
+/(system\/vendor|vendor)/bin/wfca u:object_r:wfca_exec:s0
+/(system\/vendor|vendor)/bin/ipsec u:object_r:ipsec_exec:s0
+/(system\/vendor|vendor)/bin/charon u:object_r:charon_exec:s0
+/(system\/vendor|vendor)/bin/starter u:object_r:starter_exec:s0
+/(system\/vendor|vendor)/bin/stroke u:object_r:stroke_exec:s0
+/(system\/vendor|vendor)/bin/bip u:object_r:bip_exec:s0
+/data/vendor/ipsec(/.*)? u:object_r:wod_ipsec_conf_file:s0
+/data/vendor/ipsec/wo(/.*)? u:object_r:wod_apn_conf_file:s0
+/dev/socket/wod_action(/.*)? u:object_r:wod_action_socket:s0
+/dev/socket/wod_sim(/.*)? u:object_r:wod_sim_socket:s0
+/dev/socket/wod_ipsec(/.*)? u:object_r:wod_ipsec_socket:s0
+/dev/socket/wod_dns(/.*)? u:object_r:wod_dns_socket:s0
+
+/dev/socket/volte_imsm(/.*)? u:object_r:rild_imsm_socket:s0
+/dev/socket/volte_imsa[0-9](/.*)? u:object_r:volte_imsa_socket:s0
+/dev/socket/volte_imsvt[0-9](/.*)? u:object_r:volte_imsvt_socket:s0
+/dev/socket/volte_imcb(/.*)? u:object_r:volte_imcb_socket:s0
+/dev/socket/volte_ut(/.*)? u:object_r:volte_ut_socket:s0
+/dev/socket/volte_ua(/.*)? u:object_r:volte_ua_socket:s0
+/dev/socket/volte_stack(/.*)? u:object_r:volte_stack_socket:s0
+/dev/socket/wfca(/.*)? u:object_r:wfca_socket:s0
+/dev/socket/bip(/.*)? u:object_r:bip_socket:s0
+/dev/socket/vendor\.bip(/.*)? u:object_r:vendor_bip_socket:s0
+
+/(system\/vendor|vendor)/bin/volte_imcb u:object_r:volte_imcb_exec:s0
+/(system\/vendor|vendor)/bin/volte_stack u:object_r:volte_stack_exec:s0
+/(system\/vendor|vendor)/bin/volte_ua u:object_r:volte_ua_exec:s0
+/(system\/vendor|vendor)/bin/volte_imsm_93 u:object_r:volte_imsm_93_exec:s0
+
+/(system\/vendor|vendor)/bin/volte_md_status u:object_r:volte_md_status_exec:s0
--- a/modem/ipsec.te
+++ b/modem/ipsec.te
@ -0,0 +1,88 @@
+# ==============================================
+# Policy File of /system/bin/ipsec Executable File 
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type starter_exec , exec_type, file_type, vendor_file_type;
+type charon_exec , exec_type, file_type, vendor_file_type;
+type ipsec_exec , exec_type, file_type, vendor_file_type;
+type stroke_exec , exec_type, file_type, vendor_file_type;
+type ipsec, domain;
+
+net_domain(ipsec)
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK14.52
+# Operation : Feature developing for ePDG
+
+# Purpose :  access xfrm 
+allow ipsec proc_net:file write;
+
+# Purpose :  set property for ip address with epdg_wod
+set_prop(ipsec, vendor_mtk_wod_prop)
+
+# Purpose :  create socket for IKEv2 protocol
+allow ipsec node:udp_socket node_bind;
+allow ipsec port:tcp_socket name_connect;
+allow ipsec port:udp_socket name_bind;
+
+# Purpose :  Query DNS address
+allow ipsec netd:unix_stream_socket connectto;
+allow ipsec dnsproxyd_socket:sock_file write;
+
+
+# Purpose :  access socket of wod and property
+allow ipsec epdg_wod:unix_stream_socket { read write connectto };
+
+# Purpose :  output to /dev/null
+allow ipsec epdg_wod:fd use;
+
+# Purpose :  starter invoke charon
+allow ipsec charon_exec:file execute_no_trans;
+
+# Purpose :  charon set fwmark 
+allow ipsec fwmarkd_socket:sock_file write;
+
+# Purpose :  kernel ip/route operations
+allow ipsec self:capability { net_admin net_bind_service kill };
+
+# Purpose :  send/receive packet to/from peer
+allow ipsec self:tcp_socket { write getattr connect read getopt create };
+allow ipsec self:udp_socket { write bind create read setopt };
+
+# Purpose :  kernel ip/route operations
+allow ipsec self:netlink_route_socket { write nlmsg_write read bind create nlmsg_read };
+allow ipsec self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read };
+
+# Purpose :  charon read certs
+allow ipsec custom_file:dir { read open search };
+allow ipsec custom_file:file { read getattr open };
+
+# Purpose :  read strongswan config file for IKEv2 Tunnel
+allow ipsec wod_apn_conf_file:dir { write read open search remove_name add_name create};
+allow ipsec wod_apn_conf_file:file { write read ioctl open getattr };
+allow ipsec wod_ipsec_conf_file:file { write read ioctl open getattr create append unlink };
+allow ipsec wod_ipsec_conf_file:dir { write read open search remove_name add_name };
+
+# Purpose : set alarm for DPD
+allow ipsec self:capability2 wake_alarm;
+
+allow ipsec devpts:chr_file { open read write };
+
+# to NETD
+unix_socket_connect(ipsec,netd,netd);
+allow netd ipsec:fd use;
+allow netd ipsec:tcp_socket { read write setopt getopt };
+allow netd ipsec:udp_socket {read write setopt getopt};
+
+# Propose: access configuration files
+allow ipsec wod_ipsec_conf_file:sock_file { write create unlink setattr };
+allow ipsec proc_modules:file getattr;
+allow ipsec proc_net:file getattr;
+allow ipsec vendor_configs_file:file ioctl;
+
+
--- a/modem/mtk_ims_ap_domain.te
+++ b/modem/mtk_ims_ap_domain.te
@ -0,0 +1,10 @@
+unix_socket_connect(mtkimsapdomain, volte_imsvt, volte_imcb)
+allow mtkimsapdomain volte_vt_socket:dir { read write ioctl open remove_name add_name };
+allow mtkimsapdomain volte_vt_socket:dir write;
+allow mtkimsapdomain volte_vt_socket:sock_file { create unlink read write };
+allow mtkimsapdomain volte_ua:fd use;
+#allow mtkimsapdomain volte_ua:udp_socket {connect read write setopt getattr getopt shutdown};
+allow mtkimsapdomain volte_stack:unix_stream_socket connectto;
+
+unix_socket_connect(mtkimsapdomain, volte_stack, volte_stack)
+unix_socket_connect(mtkimsapdomain, volte_imsa, volte_imcb)
--- a/modem/property.te
+++ b/modem/property.te
@ -0,0 +1,17 @@
+#=============allow mtkmal to start volte==============
+
+vendor_internal_prop(vendor_mtk_ctl_volte_imcb_prop)
+vendor_internal_prop(vendor_mtk_ctl_volte_stack_prop)
+vendor_internal_prop(vendor_mtk_ctl_volte_ua_prop)
+vendor_restricted_prop(vendor_mtk_md_volte_prop)
+typeattribute vendor_mtk_md_volte_prop mtk_core_property_type;
+
+#=============allow wifi offload deamon  ==============
+vendor_restricted_prop(vendor_mtk_wod_prop)
+vendor_restricted_prop(vendor_mtk_persist_wod_prop)
+
+typeattribute vendor_mtk_wod_prop mtk_core_property_type;
+typeattribute vendor_mtk_persist_wod_prop mtk_core_property_type;
+
+#=============allow volte md status deamon  ==============
+vendor_internal_prop(vendor_mtk_md_status_prop)
--- a/modem/property_contexts
+++ b/modem/property_contexts
@ -0,0 +1,16 @@
+#=============allow wifi offload deamon  ==============
+vendor.wo.   u:object_r:vendor_mtk_wod_prop:s0
+persist.vendor.wo.   u:object_r:vendor_mtk_persist_wod_prop:s0
+
+#=============allow volte deamon  ==============
+ctl.vendor.volte_imcb          u:object_r:vendor_mtk_ctl_volte_imcb_prop:s0
+ctl.vendor.volte_stack         u:object_r:vendor_mtk_ctl_volte_stack_prop:s0
+ctl.vendor.volte_ua            u:object_r:vendor_mtk_ctl_volte_ua_prop:s0
+vendor.ril.volte.              u:object_r:vendor_mtk_md_volte_prop:s0
+
+#=============allow MD APP==============
+ro.vendor.md_apps.             u:object_r:vendor_mtk_default_prop:s0
+vendor.md_apps.                u:object_r:vendor_mtk_default_prop:s0
+
+#=============allow MD status==============
+vendor.volte_md_status         u:object_r:vendor_mtk_md_status_prop:s0
--- a/modem/volte_imcb.te
+++ b/modem/volte_imcb.te
@ -0,0 +1,61 @@
+# ==============================================
+# Policy File of /system/bin/volte_imcb Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_imcb, domain, mtkimsmddomain;
+type volte_imcb_exec, exec_type, file_type, vendor_file_type;
+type volte_imsa_socket, file_type;
+type volte_imsvt_socket, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+#permissive volte_imcb;
+init_daemon_domain(volte_imcb)
+net_domain(volte_imcb)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow volte_imcb node:tcp_socket node_bind;
+allow volte_imcb port:tcp_socket name_bind;
+allow volte_imcb self:tcp_socket { bind create setopt accept listen };
+allow volte_imcb self:tcp_socket { read getattr };
+allow volte_imcb self:tcp_socket write;
+allow volte_imcb self:capability { setuid setgid };
+
+# Date : 2015/8/5
+# Operation : M Migration
+# Purpose : For imcb connect to ua by local socket
+unix_socket_connect(volte_imcb, volte_ua, volte_ua)
+
+allow volte_imcb volte_imcb_socket:sock_file write;
+allow volte_imcb volte_ut_socket:sock_file write;
+
+# Dtae : WK15.42
+# Operation : ViLTE Migration
+# Purpose : For open socket device to vtservice connect
+
+# Date : 2016/12/14
+# Purpose : TRM
+set_prop(volte_imcb, vendor_mtk_md_volte_prop)
+
+# to NETD
+allow volte_imcb netd:unix_stream_socket connectto;
+allow volte_imcb netd_socket:sock_file write;
+allow netd volte_imcb:fd use;
+allow netd volte_imcb:tcp_socket { read write setopt getopt };
+allow netd volte_imcb:udp_socket {read write setopt getopt};
+
+# Date : 2020/02/24
+# Purpose : pttyims
+allow volte_imcb mtk_radio_device:dir w_dir_perms;
+allow volte_imcb mtk_radio_device:lnk_file create_file_perms;
+allow volte_imcb devpts:chr_file setattr;
+allow volte_imcb self:capability2 wake_alarm;
+allow volte_imcb sysfs_ccci:dir search;
+allow volte_imcb sysfs_ccci:file r_file_perms;
+allow volte_imcb ccci_device:chr_file rw_file_perms;
+
--- a/modem/volte_imsm_93.te
+++ b/modem/volte_imsm_93.te
@ -0,0 +1,37 @@
+# ==============================================
+# Policy File of volte_imsm_93 Executable File 
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_imsm_93, domain, mtkimsmddomain;
+type volte_imsm_93_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive volte_imsm_93;
+init_daemon_domain(volte_imsm_93)
+net_domain(volte_imsm_93)
+
+allow volte_imsm_93 self:capability { setuid setgid net_admin chown};
+
+allow volte_imsm_93 self:udp_socket { create write bind read setopt ioctl getattr shutdown };
+
+# Prupose: IMCB connection
+allow volte_imsm_93 volte_imcb:unix_stream_socket connectto;
+allow volte_imsm_93 volte_imsa_socket:sock_file write;
+
+# Purpose: CCCI device
+allow volte_imsm_93 ccci_device:chr_file rw_file_perms;
+
+# Purpose: Routing
+allow volte_imsm_93 self:netlink_route_socket { connect write getattr setopt read bind create nlmsg_read nlmsg_write };
+
+# Purpose: Property
+set_prop(volte_imsm_93, vendor_mtk_md_volte_prop)
+set_prop(volte_imsm_93, vendor_mtk_ril_mux_report_case_prop)
+allow volte_imsm_93 mtk_radio_device:dir w_dir_perms;
+allow volte_imsm_93 mtk_radio_device:lnk_file create_file_perms;
+allow volte_imsm_93 devpts:chr_file { rw_file_perms setattr };
+allow volte_imsm_93 self:netlink_generic_socket { connect write getattr setopt read bind create };
--- a/modem/volte_md_status.te
+++ b/modem/volte_md_status.te
@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of volte_md_status Executable File 
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_md_status, domain, mtkimsmddomain;
+type volte_md_status_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive volte_md_status;
+init_daemon_domain(volte_md_status)
+
+# Purpose: CCCI device
+allow volte_md_status ccci_device:chr_file rw_file_perms;
+
+# Purpose: get set property
+allow volte_md_status property_socket:sock_file write;
+set_prop(volte_md_status, vendor_mtk_md_status_prop)
+
--- a/modem/volte_stack.te
+++ b/modem/volte_stack.te
@ -0,0 +1,56 @@
+# ==============================================
+# Policy File of /system/bin/volte_stack Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_stack, domain, mtkimsmddomain;
+type volte_stack_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+#permissive volte_stack;
+init_daemon_domain(volte_stack)
+net_domain(volte_stack)
+
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow volte_stack self:key_socket { write read create setopt };
+allow volte_stack self:capability net_admin;
+allow volte_stack self:capability { setuid setgid };
+allow volte_stack self:tcp_socket { bind create setopt listen };
+allow volte_stack self:udp_socket { write bind read setopt };
+allow volte_stack self:udp_socket create;
+allow volte_stack self:tcp_socket shutdown;
+allow volte_stack self:udp_socket shutdown;
+allow volte_stack node:tcp_socket node_bind;
+allow volte_stack node:udp_socket node_bind;
+allow volte_stack port:tcp_socket name_bind;
+allow volte_stack port:udp_socket name_bind;
+
+# Date : 2015/01/07
+# Operation : Migration
+# Purpose : for VoLTE L Pre-FT test, Pre-FT error show we need add tcp rule
+allow volte_stack self:tcp_socket accept;
+allow volte_stack self:tcp_socket read;
+allow volte_stack self:tcp_socket write;
+allow volte_stack self:tcp_socket getattr;
+allow volte_stack self:tcp_socket connect;
+allow volte_stack port:tcp_socket name_connect;
+
+allow volte_stack volte_stack_socket:sock_file write;
+
+# Date : 2016/06/21
+# Operation : ims_ipsec_lib performance
+# Purpose : use netlink
+allow volte_stack self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read};
+
+# to NETD
+allow volte_stack netd:unix_stream_socket connectto;
+allow volte_stack netd_socket:sock_file write;
+allow netd volte_stack:fd use;
+allow netd volte_stack:tcp_socket { read write setopt getopt };
+allow netd volte_stack:udp_socket {read write setopt getopt};
--- a/modem/volte_ua.te
+++ b/modem/volte_ua.te
@ -0,0 +1,51 @@
+# ==============================================
+# Policy File of /system/bin/volte_ua Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_ua, domain, mtkimsmddomain;
+type volte_ua_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+#permissive volte_ua;
+init_daemon_domain(volte_ua)
+net_domain(volte_ua)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow volte_ua node:udp_socket node_bind;
+allow volte_ua self:udp_socket { bind create };
+allow volte_ua self:udp_socket read;
+allow volte_ua self:capability { setuid setgid };
+
+# Date : 2015/8/5
+# Operation : M Migration
+# Purpose : For ua connect to stack by local socke
+unix_socket_connect(volte_ua, volte_stack, volte_stack)
+
+allow volte_ua volte_ua_socket:sock_file write;
+
+# Date : 2015/09/30
+# Operation: Permission to use unix domain soccket
+# Purpose: change socket between vtservice and volte_ua
+allow volte_ua self:udp_socket setopt;
+
+#for timer
+allow volte_ua self:capability2 wake_alarm;
+
+# Date: 2016/12/02
+# purpose: allow volte to access aee socket
+
+# to NETD
+allow volte_ua netd:unix_stream_socket connectto;
+allow volte_ua netd_socket:sock_file write;
+allow netd volte_ua:fd use;
+allow netd volte_ua:tcp_socket { read write setopt getopt };
+allow netd volte_ua:udp_socket {read write setopt getopt};
+
+#for wfca socket
+unix_socket_connect(volte_ua, wfca, wfca)
--- a/modem/wfca.te
+++ b/modem/wfca.te
@ -0,0 +1,50 @@
+# ==============================================
+# Policy File of /system/bin/wfca Executable File 
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type wfca, domain, mtkimsmddomain;
+type wfca_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive wfca;
+init_daemon_domain(wfca)
+net_domain(wfca)
+
+# Date : WK14.42
+# Operation : Migration 
+# Purpose : for WFCA send RTP/RTCP
+allow wfca self:capability { net_raw setuid setgid net_admin};
+allow wfca self:udp_socket { create write bind read setopt ioctl getattr shutdown };
+allow wfca node:udp_socket node_bind;
+allow wfca port:udp_socket name_bind;
+allow wfca fwmarkd_socket:sock_file write;
+
+# Date : 2015/03/27
+# Operation : Migration
+# Purpose : for access ccci device
+allow wfca ccci_device:chr_file { read write open ioctl };
+
+# Purpose : for WakeUpLock
+allow wfca sysfs_wake_lock:file { read write open };
+
+# Purpose : for raw socket
+allow wfca self:rawip_socket { create write bind setopt read getattr};
+allow wfca node:rawip_socket {node_bind}; 
+
+# Date : 2015/06/25
+# Purpose : for UA socket pass
+allow wfca volte_ua:fd use;
+allow wfca volte_ua:udp_socket {read write setopt getattr getopt shutdown};
+
+# Purpose : For Ping ICMP feature
+allow wfca self:packet_socket { read create setopt };
+
+# Purpose : add Vinson permission 
+dontaudit wfca self:capability dac_override;
+allow wfca self:capability2 block_suspend;
+
+allow wfca wfca_socket:sock_file write;