mtk-sepolicy: Initial SEPolicy rules

BoardSEPolicyConfig.mk

@@ -0,0 +1,32 @@
+
+# SELinux Policy File Configuration
+BOARD_SEPOLICY_DIRS += \
+    device/mediatek/sepolicy/basic/non_plat \
+    device/mediatek/sepolicy/bsp/non_plat
+
+ifneq ($(call math_lt,$(PRODUCT_SHIPPING_API_LEVEL),28),)
+BOARD_SEPOLICY_DIRS += $(wildcard device/mediatek/sepolicy/bsp/ota_upgrade)
+endif
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
+    device/mediatek/sepolicy/basic/plat_private \
+    device/mediatek/sepolicy/bsp/plat_private
+
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
+    device/mediatek/sepolicy/basic/plat_public \
+    device/mediatek/sepolicy/bsp/plat_public
+
+# MTK Debug Rules Configuration
+ifeq ($(strip $(HAVE_MTK_DEBUG_SEPOLICY)), yes)
+BOARD_SEPOLICY_DIRS += \
+    device/mediatek/sepolicy/basic/debug/non_plat \
+    device/mediatek/sepolicy/bsp/debug/non_plat
+
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
+    device/mediatek/sepolicy/basic/debug/plat_public \
+    device/mediatek/sepolicy/bsp/debug/plat_public
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
+    device/mediatek/sepolicy/basic/debug/plat_private \
+    device/mediatek/sepolicy/bsp/debug/plat_private
+endif

basic/debug/non_plat/aee_aedv.te

@@ -0,0 +1,500 @@
+# ==============================================
+# Policy File of /vendor/bin/aee_aedv Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type aee_aedv, domain;
+
+type aee_aedv_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_aedv mlstrustedsubject;
+
+init_daemon_domain(aee_aedv)
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow aee_aedv aed_device:chr_file rw_file_perms;
+allow aee_aedv expdb_device:chr_file rw_file_perms;
+allow aee_aedv expdb_block_device:blk_file rw_file_perms;
+allow aee_aedv bootdevice_block_device:blk_file rw_file_perms;
+allow aee_aedv etb_device:chr_file rw_file_perms;
+
+# AED start: /dev/block/expdb
+allow aee_aedv block_device:dir search;
+
+# NE flow: /dev/RT_Monitor
+allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
+
+#data/aee_exp
+allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_exp_vendor_file:file create_file_perms;
+
+#data/dumpsys
+allow aee_aedv aee_dumpsys_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_dumpsys_vendor_file:file create_file_perms;
+
+#/data/core
+allow aee_aedv aee_core_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_core_vendor_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow aee_aedv vendor_tmpfs_log_file:dir create_dir_perms;
+allow aee_aedv vendor_tmpfs_log_file:file create_file_perms;
+
+allow aee_aedv domain:process { sigkill getattr getsched};
+
+#core-pattern
+allow aee_aedv usermodehelper:file r_file_perms;
+
+# Date: W15.34
+# Operation: Migration
+# Purpose: For pagemap & pageflags information in NE DB
+# /proc/pid/
+# pre-allocation
+allow aee_aedv self:capability {
+ chown
+ fowner
+ fsetid
+ kill
+ linux_immutable
+ net_admin
+ sys_admin
+ sys_nice
+ sys_resource
+ sys_module
+};
+
+# Purpose: aee_aedv set property
+set_prop(aee_aedv, vendor_mtk_persist_mtk_aeev_prop)
+set_prop(aee_aedv, vendor_mtk_persist_aeev_prop)
+set_prop(aee_aedv, vendor_mtk_debug_mtk_aeev_prop)
+set_prop(aee_aedv, vendor_mtk_aeev_dynamic_switch_prop)
+
+# Purpose: mnt/user/*
+allow aee_aedv mnt_user_file:dir search;
+allow aee_aedv mnt_user_file:lnk_file r_file_perms;
+
+allow aee_aedv storage_file:dir search;
+allow aee_aedv storage_file:lnk_file r_file_perms;
+
+userdebug_or_eng(`
+  allow aee_aedv su:dir r_dir_perms;
+  allow aee_aedv su:file r_file_perms;
+')
+
+# PROCESS_FILE_STATE
+allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
+allow aee_aedv dumpstate:dir search;
+allow aee_aedv dumpstate:file r_file_perms;
+
+allow aee_aedv logdr_socket:sock_file write;
+allow aee_aedv logd:unix_stream_socket connectto;
+
+# vibrator
+allow aee_aedv sysfs_vibrator:file w_file_perms;
+
+# /proc/lk_env
+allow aee_aedv proc_lk_env:file rw_file_perms;
+
+# Data : 2017/03/22
+# Operation : add NE flow rule for Android O
+# Purpose : make aee_aedv can get specific process NE info
+allow aee_aedv domain:dir r_dir_perms;
+allow aee_aedv domain:{ file lnk_file } r_file_perms;
+
+# Data : 2017/04/06
+# Operation : add selinux rule for crash_dump notify aee_aedv
+# Purpose : make aee_aedv can get notify from crash_dump
+allow aee_aedv crash_dump:dir search;
+allow aee_aedv crash_dump:file r_file_perms;
+
+# Date : 20170512
+# Operation : fix aee_archive can't execute issue
+# Purpose : type=1400 audit(0.0:97916): avc: denied { execute_no_trans } for
+#           path="/system/vendor/bin/aee_archive" dev="mmcblk0p26" ino=2355
+#           scontext=u:r:aee_aedv:s0 tcontext=u:object_r:vendor_file:s0
+#           tclass=file permissive=0
+allow aee_aedv vendor_file:file x_file_perms;
+
+# Purpose: debugfs files
+allow aee_aedv procfs_blockio:file r_file_perms;
+no_debugfs_restriction(`
+  userdebug_or_eng(`
+    allow aee_aedv debugfs_cam_dbg:file r_file_perms;
+    allow aee_aedv debugfs_cam_exception:file r_file_perms;
+   ')
+')
+
+# Purpose:
+# 01-01 17:59:14.440  7664  7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow aee_aedv debugfs_tracing:file rw_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.720  3567  3567 W ps      : type=1400 audit(0.0:5192): avc:
+# denied { getattr } for path="/proc/3421" dev="proc" ino=78975 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv platform_app:dir r_dir_perms;
+allow aee_aedv platform_app:file r_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.750  3567  3567 W ps      : type=1400 audit(0.0:5193): avc:
+# denied { getattr } for path="/proc/3461" dev="proc" ino=11013 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv untrusted_app_25:dir getattr;
+
+# Purpose:
+# 01-01 00:05:17.650  3567  3567 W ps      : type=1400 audit(0.0:5179): avc:
+# denied { getattr } for path="/proc/2712" dev="proc" ino=65757 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv untrusted_app:dir getattr;
+
+# Purpose:
+# 01-01 00:05:17.650  3567  3567 W ps      : type=1400 audit(0.0:5180): avc:
+# denied { getattr } for path="/proc/2747" dev="proc" ino=66659 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv priv_app:dir getattr;
+
+# Purpose:
+# 01-01 00:05:16.270  3554  3554 W aee_dumpstatev: type=1400 audit(0.0:5153):
+# avc: denied { open } for path="/proc/interrupts" dev="proc" ino=4026533608
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file
+# permissive=0
+allow aee_aedv proc_interrupts:file r_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.840  3554  3554 W aee_dumpstatev: type=1400 audit(0.0:5200):
+# avc: denied { search } for name="leds" dev="sysfs" ino=6217 scontext=u:r:
+# aee_aedv:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
+allow aee_aedv sysfs_leds:dir search;
+allow aee_aedv sysfs_leds:file r_file_perms;
+
+# Purpose:
+# 01-01 00:03:45.790  3651  3651 I aee_dumpstatev: type=1400 audit(0.0:5592): avc: denied
+# { search } for name="ccci" dev="sysfs" ino=6026 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+# sysfs_ccci:s0 tclass=dir permissive=1
+# 01-01 00:03:45.790  3651  3651 I aee_dumpstatev: type=1400 audit(0.0:5593): avc: denied { read }
+# for name="md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:sysfs_ccci:s0
+# tclass=file permissive=1
+# 01-01 00:03:45.790  3651  3651 I aee_dumpstatev: type=1400 audit(0.0:5594): avc: denied { open }
+# for path="/sys/kernel/ccci/md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:
+# object_r:sysfs_ccci:s0 tclass=file permissive=1
+allow aee_aedv sysfs_ccci:dir search;
+allow aee_aedv sysfs_ccci:file r_file_perms;
+
+# Purpose:
+# 01-01 00:03:44.330  3658  3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied
+# { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r:
+# aee_aedv:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
+allow aee_aedv vendor_toolbox_exec:file rx_file_perms;
+
+# Purpose:
+# 01-01 00:12:06.320000  4145  4145 W dmesg   : type=1400 audit(0.0:826): avc: denied { open } for
+# path="/dev/kmsg" dev="tmpfs" ino=10875 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:kmsg_device:
+# s0 tclass=chr_file permissive=0
+# 01-01 00:42:33.070000  4171  4171 W dmesg   : type=1400 audit(0.0:1343): avc: denied
+# { syslog_read } for scontext=u:r:aee_aedv:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
+allow aee_aedv kmsg_device:chr_file r_file_perms;
+allow aee_aedv kernel:system syslog_read;
+
+# Purpose:
+# 01-01 00:12:37.890000  4162  4162 W aee_dumpstatev: type=1400 audit(0.0:914): avc: denied
+# { read } for name="meminfo" dev="proc" ino=4026533612 scontext=u:r:aee_aedv:s0 tcontext=u:
+# object_r:proc_meminfo:s0 tclass=file permissive=0
+allow aee_aedv proc_meminfo:file r_file_perms;
+
+# Purpose:
+# 01-01 00:08:39.900000  3833  3833 W aee_dumpstatev: type=1400 audit(0.0:371): avc: denied
+# { open } for path="/proc/3833/net/route" dev="proc" ino=4026533632 scontext=u:r:aee_aedv:s0
+# tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
+allow aee_aedv proc_net:file r_file_perms;
+
+# Purpose:
+# 01-01 00:08:39.880000  3833  3833 W aee_dumpstatev: type=1400 audit(0.0:370): avc: denied
+# { open } for path="/proc/zoneinfo" dev="proc" ino=4026533663 scontext=u:r:aee_aedv:s0 tcontext=
+# u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
+allow aee_aedv proc_zoneinfo:file r_file_perms;
+
+# Purpose:
+# 01-01 00:33:27.750000   338   338 W aee_aedv: type=1400 audit(0.0:98): avc: denied { read }
+# for name="fstab.mt6755" dev="rootfs" ino=1082 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+# rootfs:s0 tclass=file permissive=0
+allow aee_aedv rootfs:file r_file_perms;
+
+# Purpose:
+# [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
+# for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
+# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
+allow aee_aedv sysfs_mrdump:file rw_file_perms;
+allow aee_aedv sysfs_memory:file r_file_perms;
+
+# Purpose: Allow aee_aedv access to vendor/bin/mtkcam-debug, which in turn invokes ICameraProvider
+# - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956
+#   scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
+# - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED)
+hal_client_domain(aee_aedv, hal_camera)
+allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
+binder_call(aee_aedv, mtk_hal_camera)
+
+# Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status
+allow aee_aedv selinuxfs:file r_file_perms;
+
+# Purpose: mrdump db flow and pre-allocation
+# mrdump db flow
+allow aee_aedv sysfs_dt_firmware_android:dir search;
+allow aee_aedv sysfs_dt_firmware_android:file r_file_perms;
+allow aee_aedv kernel:system module_request;
+allow aee_aedv metadata_file:dir search;
+
+allow aee_aedv userdata_block_device:blk_file rw_file_perms;
+allow aee_aedv para_block_device:blk_file rw_file_perms;
+allow aee_aedv mrdump_device:blk_file rw_file_perms;
+allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl {
+  FS_IOC_GETFLAGS
+  FS_IOC_SETFLAGS
+  F2FS_IOC_GET_PIN_FILE
+  F2FS_IOC_SET_PIN_FILE
+  FS_IOC_FIEMAP
+};
+
+# Purpose: allow vendor aee read lowmemorykiller logs
+# file path: /sys/module/lowmemorykiller/parameters/
+allow aee_aedv sysfs_lowmemorykiller:dir search;
+allow aee_aedv sysfs_lowmemorykiller:file r_file_perms;
+
+# Purpose: Allow aee read /sys/class/misc/scp/scp_dump
+allow aee_aedv sysfs_scp:dir r_dir_perms;
+allow aee_aedv sysfs_scp:file r_file_perms;
+
+# Purpose: Allow aee read /sys/class/misc/adsp/adsp_dump
+allow aee_aedv sysfs_adsp:dir r_dir_perms;
+allow aee_aedv sysfs_adsp:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/buddyinfo
+allow aee_aedv proc_buddyinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/cmdline
+allow aee_aedv proc_cmdline:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/bootconfig
+allow aee_aedv proc_bootconfig:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/slabinfo
+allow aee_aedv proc_slabinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/stat
+allow aee_aedv proc_stat:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/version
+allow aee_aedv proc_version:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/vmallocinfo
+allow aee_aedv proc_vmallocinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/vmstat
+allow aee_aedv proc_vmstat:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/cpu/alignment
+allow aee_aedv proc_cpu_alignment:file w_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/gpulog
+allow aee_aedv proc_gpulog:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/chip/hw_ver
+allow aee_aedv proc_chip:file r_file_perms;
+allow aee_aedv proc_chip:dir r_dir_perms;
+
+# Purpose: Allow aee_aedv to read /proc/sched_debug
+allow aee_aedv proc_sched_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/atf_log
+allow aee_aedv proc_atf_log:dir r_dir_perms;
+allow aee_aedv proc_atf_log:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/last_kmsg
+allow aee_aedv proc_last_kmsg:file r_file_perms;
+
+# Purpose: Allow aee_aedv to access /sys/devices/virtual/timed_output/vibrator/enable
+allow aee_aedv sysfs_vibrator_setting:dir search;
+allow aee_aedv sysfs_vibrator_setting:file w_file_perms;
+allow aee_aedv sysfs_vibrator:dir search;
+
+# Purpose: Allow aee_aedv to read /proc/ufs_debug
+allow aee_aedv proc_ufs_debug:file rw_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/msdc_debug
+allow aee_aedv proc_msdc_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pidmap
+allow aee_aedv proc_pidmap:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/power/vcorefs/vcore_debug
+allow aee_aedv sysfs_vcore_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
+allow aee_aedv sysfs_boot_mode:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
+userdebug_or_eng(`
+allow aee_aedv debugfs_tracing_debug:file { rw_file_perms };
+')
+
+#Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace
+allow aee_aedv proc_slabtrace:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read /proc/mtk_cmdq_debug/status
+allow aee_aedv proc_cmdq_debug:file r_file_perms;
+
+#data/dipdebug
+allow aee_aedv aee_dipdebug_vendor_file:dir r_dir_perms;
+allow aee_aedv aee_dipdebug_vendor_file:file r_file_perms;
+allow aee_aedv proc_isp_p2:dir r_dir_perms;
+allow aee_aedv proc_isp_p2:file r_file_perms;
+
+allow aee_aedv connsyslog_data_vendor_file:file r_file_perms;
+allow aee_aedv connsyslog_data_vendor_file:dir r_dir_perms;
+
+# Purpose: Allow aee_aedv to read the /proc/*/exe of vendor process
+allow aee_aedv vendor_file_type:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/isp_p2/isp_p2_kedump
+allow aee_aedv proc_isp_p2_kedump:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo
+allow aee_aedv proc_dbg_repo:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pl_lk
+allow aee_aedv proc_pl_lk:file r_file_perms;
+
+allow aee_aedv proc_aed_reboot_reason:file r_file_perms;
+
+# Purpose: Allow aee_aedv to write /proc/sys/vm/drop_caches
+allow aee_aedv proc_drop_caches:file rw_file_perms;
+
+allow aee_aedv proc_wmt_aee:file r_file_perms;
+
+allow aee_aedv proc_aed:file rw_file_perms;
+allow aee_aedv proc_aed:dir r_dir_perms;
+allow aee_aedv proc_ppm:dir r_dir_perms;
+
+allow aee_aedv dpm_block_device:blk_file r_file_perms;
+allow aee_aedv sspm_block_device:blk_file r_file_perms;
+allow aee_aedv boot_para_block_device:blk_file rw_file_perms;
+
+allow aee_aedv proc_modules:file r_file_perms;
+
+set_prop(aee_aedv, powerctl_prop)
+
+
+allow aee_aedv proc_ccci_dump:file r_file_perms;
+allow aee_aedv proc_log_much:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/kernel/tracing/instances/mmstat/trace
+allow aee_aedv debugfs_tracing_instances:dir r_dir_perms;
+allow aee_aedv debugfs_tracing_instances:file r_file_perms;
+
+allow aee_aedv binderfs_logs:dir r_dir_perms;
+allow aee_aedv binderfs_logs:file r_file_perms;
+
+allow aee_aedv proc_ion:dir r_dir_perms;
+allow aee_aedv proc_ion:file r_file_perms;
+allow aee_aedv proc_m4u_dbg:dir r_dir_perms;
+allow aee_aedv proc_m4u_dbg:file r_file_perms;
+allow aee_aedv proc_mtkfb:file r_file_perms;
+
+allow aee_aedv proc_dmaheap:dir r_dir_perms;
+allow aee_aedv proc_dmaheap:file r_file_perms;
+
+allow aee_aedv proc_iommu_debug:dir r_dir_perms;
+allow aee_aedv proc_iommu_debug:file r_file_perms;
+
+allow aee_aedv sysfs_dvfsrc_dbg:dir r_dir_perms;
+allow aee_aedv sysfs_dvfsrc_dbg:file r_file_perms;
+
+allow aee_aedv sysfs_systracker:dir r_dir_perms;
+allow aee_aedv sysfs_systracker:file r_file_perms;
+
+allow aee_aedv sysfs_aee_enable:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read /data/vendor/gpu_dump
+allow aee_aedv gpu_dump_vendor_file:dir r_dir_perms;
+allow aee_aedv gpu_dump_vendor_file:file r_file_perms;
+
+# Date : 2020/12/14
+# Purpose: allow aee_aedv to read /sys/kernel/mm/mlog/dump
+allow aee_aedv sysfs_mm:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read /sys/bus/scsi/devices/0:0:0:0/vpd_pg80
+allow aee_aedv sysfs_vpd:dir r_dir_perms;
+allow aee_aedv sysfs_vpd:file r_file_perms;
+
+# Date: 2021/05/21
+# Purpose: allow aee_aedv to read /sys/kernel/notes
+allow aee_aedv sysfs_kernel_notes:file r_file_perms;
+
+# Date: 2021/08/09
+# Purpose: Add apusys debug info into db
+allow aee_aedv proc_apusys_rv_coredump_debug:file r_file_perms;
+allow aee_aedv proc_apusys_rv_xfile_debug:file r_file_perms;
+allow aee_aedv proc_apusys_rv_regdump_debug:file r_file_perms;
+allow aee_aedv proc_apusys_logger_seq_log_debug:file r_file_perms;
+
+# Date: 2021/08/10
+# Purpose: Add apusys mdw debug info into db
+allow aee_aedv proc_aputag_mdw_debug:file r_file_perms;
+
+no_debugfs_restriction(`
+  userdebug_or_eng(`
+    allow aee_aedv debugfs_blockio:file r_file_perms;
+    allow aee_aedv debugfs_fb:dir search;
+    allow aee_aedv debugfs_fb:file r_file_perms;
+    allow aee_aedv debugfs_fuseio:dir search;
+    allow aee_aedv debugfs_fuseio:file r_file_perms;
+    allow aee_aedv debugfs_rcu:dir search;
+    allow aee_aedv debugfs_shrinker_debug:file r_file_perms;
+    allow aee_aedv debugfs_dmlog_debug:file r_file_perms;
+    allow aee_aedv debugfs_page_owner_slim_debug:file r_file_perms;
+    allow aee_aedv debugfs_ion_mm_heap:dir search;
+    allow aee_aedv debugfs_ion_mm_heap:file r_file_perms;
+    allow aee_aedv debugfs_ion_mm_heap:lnk_file r_file_perms;
+    allow aee_aedv debugfs_cpuhvfs:dir search;
+    allow aee_aedv debugfs_cpuhvfs:file r_file_perms;
+    allow aee_aedv debugfs_emi_mbw_buf:file r_file_perms;
+
+    # Purpose:
+    # 01-01 00:33:28.340000   338   338 W aee_aedv: type=1400 audit(0.0:104): avc: denied { search }
+    # for name="dynamic_debug" dev="debugfs" ino=8182 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+    # debugfs_dynamic_debug:s0 tclass=dir permissive=0
+    allow aee_aedv debugfs_dynamic_debug:dir search;
+    allow aee_aedv debugfs_dynamic_debug:file r_file_perms;
+
+    # Purpose: Allow aee_aedv to read /sys/kernel/debug/rcu/rcu_callback_log
+    allow aee_aedv debugfs_rcu:file r_file_perms;
+
+    # Purpose: Allow aee_aedv to read /sys/kernel/debug/smi_mon
+    allow aee_aedv debugfs_smi_mon:file r_file_perms;
+
+    allow aee_aedv debugfs_cmdq:file r_file_perms;
+    allow aee_aedv debugfs_mml:file r_file_perms;
+    allow aee_aedv debugfs_wakeup_sources:file r_file_perms;
+  ')
+')
+
+allow aee_aedv sysfs_cache_status:file r_file_perms;
+
+allow aee_aedv sysfs_emiisu:file r_file_perms;
+
+allow aee_aedv mnt_vendor_file:dir search;
+allow aee_aedv nvdata_file:dir r_dir_perms;
+allow aee_aedv nvdata_file:file r_file_perms;
+allow aee_aedv protect_f_data_file:dir r_dir_perms;
+allow aee_aedv protect_f_data_file:file r_file_perms;
+allow aee_aedv protect_s_data_file:dir r_dir_perms;
+allow aee_aedv protect_s_data_file:file r_file_perms;
+allow aee_aedv proc_vpu_memory:file r_file_perms;
+
+allow aee_aedv proc_lockdep:file r_file_perms;

basic/debug/non_plat/aee_core_forwarder.te

@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /system/bin/aee_core_forwarder Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow aee_core_forwarder aee_exp_data_file:dir rw_dir_perms;
+allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
+wakelock_use(aee_core_forwarder)
+allow aee_core_forwarder crash_dump:unix_stream_socket connectto;
+allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
+allow aee_core_forwarder crash_dump:lnk_file r_file_perms;
+allow aee_core_forwarder crash_dump:process {getattr};
+allow aee_core_forwarder sysfs_aee_enable:file r_file_perms;

basic/debug/non_plat/aee_hal.te

@@ -0,0 +1,25 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type aee_hal,domain;
+type aee_hal_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_hal mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(aee_hal)
+
+hal_server_domain(aee_hal, hal_mtk_aee)
+
+allow aee_hal aee_exp_vendor_file:dir w_dir_perms;
+allow aee_hal aee_exp_vendor_file:file create_file_perms;
+allow aee_hal aee_exp_data_file:file { read write };
+
+set_prop(aee_hal, vendor_mtk_persist_mtk_aeev_prop)
+set_prop(aee_hal, vendor_mtk_persist_aeev_prop)
+set_prop(aee_hal, vendor_mtk_debug_mtk_aeev_prop)
+
+binder_call(aee_hal, system_app);

basic/debug/non_plat/atcid.te

@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK21.33
+# Purpose: Add policy to support get modem status
+
+allow atcid ccci_device:chr_file rw_file_perms_no_map;
+allow atcid self:unix_stream_socket ioctl;
+allowxperm atcid self:unix_stream_socket ioctl unpriv_tty_ioctls;

basic/debug/non_plat/audioserver.te

@@ -0,0 +1,3 @@
+# Date : WK16.48
+# Purpose: Allow to trigger AEE dump
+allow audioserver crash_dump:unix_stream_socket connectto;

basic/debug/non_plat/ccci_mdinit.te

@@ -0,0 +1 @@
+get_prop(ccci_mdinit, system_mtk_init_svc_aee_aedv_prop)

basic/debug/non_plat/connsyslogger.te

@@ -0,0 +1,75 @@
+# ==============================================
+# Policy File of /system/bin/connsyslogger Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#for logging sdcard access
+allow connsyslogger fuse:dir create_dir_perms;
+allow connsyslogger fuse:file create_file_perms;
+
+#consys logger access on /data/consyslog
+allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto };
+allow connsyslogger consyslog_data_file:fifo_file create_file_perms;
+allow connsyslogger consyslog_data_file:file create_file_perms;
+
+allow connsyslogger tmpfs:lnk_file create_file_perms;
+
+# purpose: avc: denied { read } for name="plat_file_contexts"
+allow connsyslogger file_contexts_file:file r_file_perms;
+
+#logger SD logging in factory mode
+allow connsyslogger vfat:dir create_dir_perms;
+allow connsyslogger vfat:file create_file_perms;
+
+#logger permission in storage in android M version
+allow connsyslogger mnt_user_file:dir search;
+allow connsyslogger mnt_user_file:lnk_file r_file_perms;
+allow connsyslogger storage_file:lnk_file r_file_perms;
+
+#permission for use SELinux API
+allow connsyslogger rootfs:file r_file_perms;
+
+#permission for storage access storage
+allow connsyslogger storage_file:dir create_dir_perms;
+allow connsyslogger storage_file:file create_file_perms;
+
+#permission for read boot mode
+allow connsyslogger sysfs_boot_mode:file r_file_perms;
+
+allow connsyslogger fw_log_wifi_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_bt_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_gps_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_wmt_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_ics_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_wifimcu_device:chr_file rw_file_perms_no_map;
+allow connsyslogger fw_log_btmcu_device:chr_file rw_file_perms_no_map;
+
+allow connsyslogger sdcardfs:dir create_dir_perms;
+allow connsyslogger sdcardfs:file create_file_perms;
+allow connsyslogger rootfs:lnk_file getattr;
+
+allow connsyslogger media_rw_data_file:file create_file_perms;
+allow connsyslogger media_rw_data_file:dir create_dir_perms;
+
+#permission to get driver ready status
+get_prop(connsyslogger, vendor_mtk_wmt_prop)
+
+#Date:2019/03/25
+# purpose: allow connsyslogger to access persist.meta.connecttype
+get_prop(connsyslogger, vendor_mtk_meta_connecttype_prop)
+
+
+#Date:2019/03/25
+# purpose: allow emdlogger to create socket
+allow connsyslogger port:tcp_socket { name_connect name_bind };
+allow connsyslogger connsyslogger:tcp_socket create_stream_socket_perms;
+allow connsyslogger node:tcp_socket node_bind;
+
+#Date:2019/03/25
+# usb device ttyGSx for modem logger usb logging
+allow connsyslogger ttyGS_device:chr_file rw_file_perms;
+
+# Add permission to access new bootmode file
+allow connsyslogger sysfs_boot_info:file r_file_perms;

basic/debug/non_plat/crash_dump.te

@@ -0,0 +1,27 @@
+#data/aee_exp
+allow crash_dump aee_exp_data_file:dir { create_dir_perms relabelto };
+allow crash_dump aee_exp_data_file:file create_file_perms;
+
+hal_client_domain(crash_dump, hal_mtk_aee)
+
+allow crash_dump aed_device:chr_file rw_file_perms;
+
+# Date : 2020/12/14
+# Purpose: allow aee_aed to read /sys/kernel/mm/mlog/dump
+allow crash_dump sysfs_mm:file r_file_perms;
+
+# Purpose: Allow crash_dump to write /proc/aed/generate-kernel-notify
+allow crash_dump proc_aed:dir r_dir_perms;
+allow crash_dump proc_aed:file rw_file_perms;
+
+no_debugfs_restriction(`
+  userdebug_or_eng(`
+    allow crash_dump debugfs_blockio:file r_file_perms;
+    allow crash_dump debugfs_ion_mm_heap:dir search;
+    allow crash_dump debugfs_ion_mm_heap:file r_file_perms;
+    allow crash_dump debugfs_ion_mm_heap:lnk_file r_file_perms;
+    allow crash_dump debugfs_dmlog_debug:file r_file_perms;
+  ')
+')
+
+allow crash_dump sysfs_aee_enable:file r_file_perms;

basic/debug/non_plat/device.te

@@ -0,0 +1,6 @@
+type aed_device, dev_type;
+
+# Date:2021/07/27
+# Purpose: permission for emdlogger
+type ccci_mdl_device, dev_type;
+

basic/debug/non_plat/domain.te

@@ -0,0 +1,5 @@
+# Date:20170630
+# Purpose: allow trusted process to connect aee daemon
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_exp_vendor_file:file w_file_perms;
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:fd use;

basic/debug/non_plat/dumpstate.te

@@ -0,0 +1,126 @@
+# Purpose: data/aee_exp/*
+allow dumpstate aee_exp_data_file:dir rw_dir_perms;
+allow dumpstate aee_exp_data_file:file create_file_perms;
+
+# Data : 2017/03/22
+# Operation : add fd use selinux rule
+# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
+#           dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
+#           tcontext=u:r:crash_dump:s0 tclass=fd permissive=0
+allow dumpstate crash_dump:fd use;
+allow dumpstate crash_dump:unix_stream_socket { rw_socket_perms connectto };
+
+# Purpose: access dev/aed0
+allow dumpstate aed_device:chr_file r_file_perms;
+allow dumpstate vcp_device:chr_file r_file_perms_no_map;
+
+# Purpose: 01-01 08:30:57.260  3070  3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
+# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# sf_bqdump_data_file:s0 tclass=dir permissive=0
+allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
+allow dumpstate sf_bqdump_data_file:file r_file_perms;
+
+# Purpose:
+# 01-01 17:59:14.440  7664  7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow dumpstate debugfs_tracing:file rw_file_perms;
+
+# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
+allow dumpstate mtk_hal_camera:binder call;
+
+# Purpose: Allow aee_dumpstate to read /proc/slabinfo
+allow dumpstate proc_slabinfo:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/zraminfo
+allow dumpstate proc_zraminfo:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/gpulog
+allow dumpstate proc_gpulog:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/sched_debug
+allow dumpstate proc_sched_debug:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
+allow dumpstate proc_chip:file r_file_perms;
+allow dumpstate proc_chip:dir r_dir_perms;
+
+# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
+allow dumpstate sysfs_vibrator_setting:file w_file_perms;
+
+# Date : 2020/12/14
+# Purpose: allow aee_dumpstate to read /sys/kernel/mm/mlog/dump
+allow dumpstate sysfs_mm:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/bus/scsi/devices/0:0:0:0/vpd_pg80
+allow dumpstate sysfs_vpd:dir r_dir_perms;
+allow dumpstate sysfs_vpd:file r_file_perms;
+
+#Purpose: Alloc dumpstate to read /proc/dma_heap/
+allow dumpstate proc_dmaheap:dir r_dir_perms;
+allow dumpstate proc_dmaheap:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/iommu_debug/
+allow dumpstate proc_iommu_debug:dir r_dir_perms;
+allow dumpstate proc_iommu_debug:file r_file_perms;
+
+#Date: 2020/07/23
+#Purpose: Allow dumpstate to read /sys/kernel/notes
+allow dumpstate sysfs_kernel_notes:file r_file_perms;
+
+no_debugfs_restriction(`
+  userdebug_or_eng(`
+    allow dumpstate debugfs_blockio:file r_file_perms;
+    allow dumpstate debugfs_fb:dir search;
+    allow dumpstate debugfs_fb:file r_file_perms;
+    allow dumpstate debugfs_fuseio:dir search;
+    allow dumpstate debugfs_fuseio:file r_file_perms;
+    allow dumpstate debugfs_rcu:dir search;
+    allow dumpstate debugfs_shrinker_debug:file r_file_perms;
+    allow dumpstate debugfs_dmlog_debug:file r_file_perms;
+    allow dumpstate debugfs_page_owner_slim_debug:file r_file_perms;
+    allow dumpstate debugfs_ion_mm_heap:dir search;
+    allow dumpstate debugfs_ion_mm_heap:file r_file_perms;
+    allow dumpstate debugfs_ion_mm_heap:lnk_file r_file_perms;
+    allow dumpstate debugfs_cpuhvfs:dir search;
+    allow dumpstate debugfs_cpuhvfs:file r_file_perms;
+
+    # Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
+    allow dumpstate debugfs_rcu:file r_file_perms;
+
+    # Date: 19/07/15
+    # Purpose: Allow dumpstate to read /sys/kernel/debug/kmemleak
+    allow dumpstate debugfs_kmemleak:file r_file_perms;
+
+    #Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
+    allow dumpstate debugfs_smi_mon:file r_file_perms;
+
+    allow dumpstate debugfs_cmdq:file r_file_perms;
+    allow dumpstate debugfs_mml:file r_file_perms;
+    allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+  ')
+')
+
+#Date: 2021/08/24
+#Purpose: debugfs files
+no_debugfs_restriction(`
+  userdebug_or_eng(`
+    allow dumpstate debugfs_cam_dbg:file r_file_perms;
+    allow dumpstate debugfs_cam_exception:file r_file_perms;
+   ')
+')
+
+allow dumpstate sysfs_dvfsrc_dbg:dir r_dir_perms;
+allow dumpstate sysfs_dvfsrc_dbg:file r_file_perms;
+#Purpose: Allow dumpstate to read /proc/apusys_rv/apusys_rv_xfile and /proc/apusys_logger/seq_log
+allow dumpstate proc_apusys_rv_xfile_debug:file r_file_perms;
+allow dumpstate proc_apusys_logger_seq_log_debug:file r_file_perms;
+allow dumpstate sysfs_emiisu:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/vpu/vpu_memory
+allow dumpstate proc_vpu_memory:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_mali/gpu_memory
+allow dumpstate proc_gpu_memory:file r_file_perms;
+

basic/debug/non_plat/emdlogger.te

@@ -0,0 +1,124 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# ccci device for internal modem
+allow emdlogger ccci_mdl_device:chr_file rw_file_perms;
+allow emdlogger ccci_ccb_device:chr_file rw_file_perms;
+#add for read /dev/ccci_md1_sta
+allow emdlogger ccci_device:chr_file rw_file_perms;
+
+# eemcs device for external modem
+allow emdlogger eemcs_device:chr_file rw_file_perms;
+
+# C2K project SDIO device for external modem ttySDIO2 control port, ttySDIO8 log port
+allow emdlogger ttySDIO_device:chr_file rw_file_perms;
+
+# C2K project modem device for external modem vmodem start/stop/ioctl modem
+allow emdlogger vmodem_device:chr_file rw_file_perms;
+
+# usb device ttyGSx for modem logger usb logging
+allow emdlogger ttyGS_device:chr_file rw_file_perms;
+
+# for modem logging sdcard access
+allow emdlogger sdcard_type:dir create_dir_perms;
+allow emdlogger sdcard_type:file create_file_perms;
+
+# modem logger access on /data/mdlog
+allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto };
+allow emdlogger mdlog_data_file:fifo_file create_file_perms;
+allow emdlogger mdlog_data_file:file create_file_perms;
+
+# modem logger control port access /dev/ttyC1
+allow emdlogger mdlog_device:chr_file rw_file_perms;
+
+# modem logger SD logging in factory mode
+allow emdlogger vfat:dir create_dir_perms;
+allow emdlogger vfat:file create_file_perms;
+
+# modem logger permission in storage in android M version
+allow emdlogger mnt_user_file:dir search;
+allow emdlogger mnt_user_file:lnk_file r_file_perms;
+allow emdlogger storage_file:lnk_file r_file_perms;
+
+# permission for storage link access in vzw Project
+allow emdlogger mnt_media_rw_file:dir search;
+
+# permission for use SELinux API
+# avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs"
+allow emdlogger rootfs:file r_file_perms;
+
+# permission for storage access storage
+allow emdlogger storage_file:dir create_dir_perms;
+allow emdlogger tmpfs:lnk_file r_file_perms;
+allow emdlogger storage_file:file create_file_perms;
+
+# permission for read boot mode
+# avc: denied { open }  path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
+allow emdlogger sysfs_boot_mode:file r_file_perms;
+
+# Allow read to sys/kernel/ccci/* files
+allow emdlogger sysfs_ccci:dir search;
+allow emdlogger sysfs_ccci:file r_file_perms;
+
+allow emdlogger sysfs_mdinfo:file r_file_perms;
+allow emdlogger sysfs_mdinfo:dir search;
+
+# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
+# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow emdlogger system_file:dir r_dir_perms;
+
+# purpose: allow emdlogger to access storage in N version
+allow emdlogger media_rw_data_file:file create_file_perms;
+allow emdlogger media_rw_data_file:dir create_dir_perms;
+
+# For dynamic CCB buffer feature
+# avc: denied { read write } for name="lk_env" dev="proc" ino=4026532192
+# scontext=u:r:emdlogger:s0 tcontext=u:object_r:proc_lk_env:s0 tclass=file permissive=0
+# avc: denied { read } for name="mmcblk0p3" dev="tmpfs" ino=8493 scontext=u:r:emdlogger:s0
+# tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
+allow emdlogger para_block_device:blk_file rw_file_perms;
+allow emdlogger proc_lk_env:file rw_file_perms;
+
+allow emdlogger block_device:dir search;
+allow emdlogger md_block_device:blk_file r_file_perms;
+allow emdlogger self:capability chown;
+
+# purpose: allow emdlogger to access persist.meta.connecttype
+get_prop(emdlogger, vendor_mtk_meta_connecttype_prop)
+
+# purpose: allow emdlogger to create socket
+allow emdlogger port:tcp_socket { name_connect name_bind };
+allow emdlogger emdlogger:tcp_socket {create_stream_socket_perms};
+allow emdlogger node:tcp_socket node_bind;
+allow emdlogger fwmarkd_socket:sock_file {write};
+allow emdlogger netd:unix_stream_socket {connectto};
+allow emdlogger self:tcp_socket {ioctl};
+
+
+# Android P migration
+get_prop(emdlogger, vendor_mtk_usb_prop)
+
+# Date : WK19.12
+# Operation: add permission to catch logs
+# Purpose : get kernel and radio logs when modem exception
+allow emdlogger kernel:system syslog_read;
+allow emdlogger logcat_exec:file rx_file_perms;
+allow emdlogger logdr_socket:sock_file w_file_perms;
+
+# Add permission to access new bootmode file
+allow emdlogger sysfs_boot_info:file r_file_perms;
+
+# avc: denied { connectto } for path=006165653A72747464 scontext=u:r:emdlogger:s0
+# tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
+# security issue control
+allow emdlogger crash_dump:unix_stream_socket connectto;
+# Allow ReadDefaultFstab().
+read_fstab(emdlogger)
+
+# Date : 2021/07/06
+# Purpose: add permission to access devie tree to get ccb gear info
+allow emdlogger sysfs_soc_ccb_gear:file r_file_perms;
+allow emdlogger sysfs_ccb_gear:file r_file_perms;
+
+get_prop(emdlogger, vendor_mtk_atm_ipaddr_prop)

basic/debug/non_plat/file.te

@@ -0,0 +1,86 @@
+# AEE exp
+type aee_exp_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type aee_exp_vendor_file, file_type, data_file_type;
+
+# Date : 2019/08/29
+# Purpose: Allow rild access proc/aed/reboot-reason
+type proc_aed_reboot_reason, fs_type, proc_type;
+
+# Date : 2021/06/24
+# Operation: S development
+# Purpose: Add permission for access /proc/iommu_debug
+type proc_iommu_debug, fs_type, proc_type;
+
+type proc_aed, fs_type, proc_type;
+
+type sysfs_soc_ccb_gear, sysfs_type, fs_type;
+type sysfs_ccb_gear, sysfs_type, fs_type;
+
+# Date : 2021/08/09
+# Purpose: Add apusys debug info into db
+type proc_apusys_rv_coredump_debug, fs_type, proc_type;
+type proc_apusys_rv_xfile_debug, fs_type, proc_type;
+type proc_apusys_rv_regdump_debug, fs_type, proc_type;
+type proc_apusys_logger_seq_log_debug, fs_type, proc_type;
+
+# Date : 2021/08/10
+# Purpose: Add apusys MDW debug info into db
+type proc_aputag_mdw_debug, fs_type, proc_type;
+
+# Date : 2021/10/13
+type proc_mtmon, fs_type, proc_type;
+
+# Date : 2022/01/19
+# Purpose: Add lockdep debug info into db
+type proc_lockdep, fs_type, proc_type;
+
+# blockio procfs file
+type debugfs_blockio, fs_type, debugfs_type;
+
+# fuseio debugfs file
+type debugfs_fuseio, fs_type, debugfs_type;
+
+# cpuhvfs debugfs file
+type debugfs_cpuhvfs, fs_type, debugfs_type;
+
+# dynamic_debug debugfs file
+type debugfs_dynamic_debug, fs_type, debugfs_type;
+
+# shrinker debugfs file
+type debugfs_shrinker_debug, fs_type, debugfs_type;
+
+# dmlog debugfs file
+type debugfs_dmlog_debug, fs_type, debugfs_type;
+
+# page_owner_slim debugfs file
+type debugfs_page_owner_slim_debug, fs_type, debugfs_type;
+
+# rcu debugfs file
+type debugfs_rcu, fs_type, debugfs_type;
+
+# /sys/kernel/debug/ion/ion_mm_heap
+type debugfs_ion_mm_heap, fs_type, debugfs_type;
+
+# /sys/kernel/debug/emi_mbw/dump_buf
+type debugfs_emi_mbw_buf, fs_type, debugfs_type;
+
+# /sys/devices/platform/emiisu/emi_isu_buf
+type sysfs_emiisu, sysfs_type, fs_type;
+
+# /sys/kernel/debug/kmemleak
+type debugfs_kmemleak, fs_type, debugfs_type;
+
+# Date : 2019/08/15
+type debugfs_smi_mon, fs_type, debugfs_type;
+
+type debugfs_cmdq, fs_type, debugfs_type;
+type debugfs_mml, fs_type, debugfs_type;
+
+# Date : 2021/08/24
+# camsys debugfs file
+type debugfs_cam_dbg, fs_type, debugfs_type;
+type debugfs_cam_exception, fs_type, debugfs_type;
+
+#vpu proc file
+type proc_vpu_memory, fs_type, proc_type;
+

basic/debug/non_plat/file_contexts

@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Data files
+#
+/data/connsyslog(/.*)?              u:object_r:consyslog_data_file:s0
+##########################
+# Devices
+#
+/dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0
+##########################
+# Vendor files
+#
+/vendor/bin/loghidlvendorservice    u:object_r:loghidlvendorservice_exec:s0
+
+/data/aee_exp(/.*)?                 u:object_r:aee_exp_data_file:s0
+/data/vendor/aee_exp(/.*)?          u:object_r:aee_exp_vendor_file:s0
+
+/(vendor|system/vendor)/bin/aee_aedv         u:object_r:aee_aedv_exec:s0
+/(vendor|system/vendor)/bin/aee_aedv64       u:object_r:aee_aedv_exec:s0
+/(vendor|system/vendor)/bin/aee_aedv64_v2    u:object_r:aee_aedv_exec:s0
+
+/vendor/bin/hw/vendor\.mediatek\.hardware\.aee@1\.0-service u:object_r:aee_hal_exec:s0
+/vendor/bin/hw/vendor\.mediatek\.hardware\.aee@1\.1-service u:object_r:aee_hal_exec:s0
+
+/dev/aed[0-9]+      u:object_r:aed_device:s0
+
+# Date:2021/07/27
+# Purpose: permission for emdlogger
+/dev/ccci_md_log_ctrl  u:object_r:ccci_mdl_device:s0
+/dev/ccci_ccb_dhl      u:object_r:ccci_mdl_device:s0
+/dev/ccci_raw_dhl      u:object_r:ccci_mdl_device:s0
+# Purpose: permission for mdlogger
+/dev/ccci_md_log_tx    u:object_r:ccci_mdl_device:s0
+/dev/ccci_md_log_rx    u:object_r:ccci_mdl_device:s0

basic/debug/non_plat/genfs_contexts

@@ -0,0 +1,72 @@
+genfscon proc /aed       u:object_r:proc_aed:s0
+# Date : 2019/08/29
+# Purpose: allow rild to access /proc/aed/reboot-reason
+genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0
+
+# 2021/06/24
+# Purpose: add iommu debug info into db
+genfscon proc /iommu_debug u:object_r:proc_iommu_debug:s0
+
+# Date : 2021/07/06
+# Purpose: allow emdlogger to access /proc/device-tree/soc/mddriver
+genfscon sysfs /firmware/devicetree/base/soc/mddriver/md1_ccb_gear_list u:object_r:sysfs_soc_ccb_gear:s0
+genfscon sysfs /firmware/devicetree/base/soc/mddriver/md1_ccb_cap_gear u:object_r:sysfs_soc_ccb_gear:s0
+
+# Date : 2021/07/06
+# Purpose: allow emdlogger to access /proc/device-tree/mddriver
+genfscon sysfs /firmware/devicetree/base/mddriver/md1_ccb_cap_gear u:object_r:sysfs_ccb_gear:s0
+genfscon sysfs /firmware/devicetree/base/mddriver/md1_ccb_gear_list u:object_r:sysfs_ccb_gear:s0
+
+# Date : 2021/08/09
+# Purpose: add apusys debug info into db
+genfscon proc /apusys_rv/apusys_rv_coredump u:object_r:proc_apusys_rv_coredump_debug:s0
+genfscon proc /apusys_rv/apusys_rv_xfile u:object_r:proc_apusys_rv_xfile_debug:s0
+genfscon proc /apusys_rv/apusys_regdump u:object_r:proc_apusys_rv_regdump_debug:s0
+genfscon proc /apusys_logger/seq_log u:object_r:proc_apusys_logger_seq_log_debug:s0
+
+# Date : 2021/08/10
+# Purpose: add apusys MDW debug info into db
+genfscon proc /aputag/mdw u:object_r:proc_aputag_mdw_debug:s0
+
+# Date : 2021/10/13
+# Purpose: allow vendor_init to access /proc/mtmon
+genfscon proc /mtmon u:object_r:proc_mtmon:s0
+
+# Date : 2022/01/19
+# Purpose: add lockdep debug info into db
+genfscon proc /lockdep u:object_r:proc_lockdep:s0
+genfscon proc /lockdep_chains u:object_r:proc_lockdep:s0
+genfscon proc /lockdep_stats u:object_r:proc_lockdep:s0
+
+genfscon debugfs /blockio            u:object_r:debugfs_blockio:s0
+genfscon debugfs /cpuhvfs            u:object_r:debugfs_cpuhvfs:s0
+genfscon debugfs /dmlog              u:object_r:debugfs_dmlog_debug:s0
+genfscon debugfs /dynamic_debug      u:object_r:debugfs_dynamic_debug:s0
+genfscon debugfs /emi_mbw/dump_buf   u:object_r:debugfs_emi_mbw_buf:s0
+genfscon debugfs /fuseio             u:object_r:debugfs_fuseio:s0
+genfscon debugfs /ion/client_history u:object_r:debugfs_ion_mm_heap:s0
+genfscon debugfs /ion/heaps          u:object_r:debugfs_ion_mm_heap:s0
+genfscon debugfs /ion/ion_mm_heap    u:object_r:debugfs_ion_mm_heap:s0
+genfscon debugfs /kmemleak           u:object_r:debugfs_kmemleak:s0
+genfscon debugfs /page_owner_slim    u:object_r:debugfs_page_owner_slim_debug:s0
+genfscon debugfs /rcu                u:object_r:debugfs_rcu:s0
+genfscon debugfs /shrinker           u:object_r:debugfs_shrinker_debug:s0
+# 2019/08/15
+genfscon debugfs /smi_mon u:object_r:debugfs_smi_mon:s0
+
+genfscon debugfs /cmdq/cmdq-status u:object_r:debugfs_cmdq:s0
+genfscon debugfs /cmdq/cmdq-record u:object_r:debugfs_cmdq:s0
+
+genfscon debugfs /mml/mml-record u:object_r:debugfs_mml:s0
+genfscon debugfs /mml/mml-frame-dump-in u:object_r:debugfs_mml:s0
+
+# Date: 2021/08/24
+# allow aee to get camsys dump
+genfscon debugfs /mtk_cam_dbg_dump u:object_r:debugfs_cam_dbg:s0
+genfscon debugfs /mtk_cam_exp_dump u:object_r:debugfs_cam_exception:s0
+
+genfscon sysfs /devices/platform/emiisu/emi_isu_buf u:object_r:sysfs_emiisu:s0
+genfscon sysfs /devices/platform/soc/soc:emiisu/emi_isu_buf u:object_r:sysfs_emiisu:s0
+
+genfscon proc  /vpu/vpu_memory u:object_r:proc_vpu_memory:s0
+

basic/debug/non_plat/hal_mtk_aee.te

@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_aee, mtk_hal_aee_hwservice)
+
+binder_call(hal_mtk_aee_client, hal_mtk_aee_server)
+binder_call(hal_mtk_aee_server, hal_mtk_aee_client)
+allow hal_mtk_aee_server aee_exp_vendor_file:dir {r_dir_perms rmdir};
+allow hal_mtk_aee_server aee_exp_vendor_file:file r_file_perms;

basic/debug/non_plat/hal_mtk_log.te

@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_log, mtk_hal_log_hwservice)
+
+binder_call(hal_mtk_log_client, hal_mtk_log_server)
+binder_call(hal_mtk_log_server, hal_mtk_log_client)

basic/debug/non_plat/hwservice.te

@@ -0,0 +1 @@
+type mtk_hal_aee_hwservice, hwservice_manager_type;

basic/debug/non_plat/hwservice_contexts

@@ -0,0 +1 @@
+vendor.mediatek.hardware.aee::IAee u:object_r:mtk_hal_aee_hwservice:s0

basic/debug/non_plat/loghidlsysservice.te

@@ -0,0 +1,10 @@
+# ==============================================
+# Policy File of /system/bin/loghidlsysservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : for create hidl server
+hal_client_domain(loghidlsysservice, hal_mtk_log)
+allow loghidlsysservice connsyslogger:unix_stream_socket connectto;

basic/debug/non_plat/loghidlvendorservice.te

@@ -0,0 +1,30 @@
+# ==============================================
+# Policy File of /vendor/bin/loghidlvendorservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type loghidlvendorservice, domain;
+type loghidlvendorservice_exec, exec_type, file_type, vendor_file_type;
+typeattribute loghidlvendorservice mlstrustedsubject;
+
+init_daemon_domain(loghidlvendorservice)
+
+hal_server_domain(loghidlvendorservice, hal_mtk_log)
+allow loghidlvendorservice system_app:binder call;
+
+#============= r/w video log properties ==============
+set_prop(loghidlvendorservice, vendor_mtk_c2_log_prop)
+
+#============= r/w gpud properties ==============
+set_prop(loghidlvendorservice, vendor_mtk_gpu_prop)
+
+# allow loghidlvendorservice can access video node
+allow loghidlvendorservice video_device:chr_file rw_file_perms_no_map;
+
+#============= r/w display debug log properties ==============
+set_prop(loghidlvendorservice, vendor_mtk_hwc_debug_log_prop)
+set_prop(loghidlvendorservice, vendor_mtk_mdp_debug_log_prop)
+set_prop(loghidlvendorservice, vendor_mtk_em_dy_debug_ctrl_prop)
+set_prop(loghidlvendorservice, vendor_debug_logger_prop)

basic/debug/non_plat/mdlogger.te

@@ -0,0 +1,58 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# ccci device for internal modem
+allow mdlogger ccci_device:chr_file rw_file_perms;
+allow mdlogger ccci_mdl_device:chr_file rw_file_perms;
+
+# usb device ttyGSx for modem logger usb logging
+allow mdlogger ttyGS_device:chr_file rw_file_perms;
+
+# modem logger access on /data/mdlog
+allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto};
+allow mdlogger mdlog_data_file:fifo_file create_file_perms;
+allow mdlogger mdlog_data_file:file create_file_perms;
+
+# modem logger control port access /dev/ttyC1
+allow mdlogger mdlog_device:chr_file rw_file_perms;
+
+#modem logger SD logging in factory mode
+allow mdlogger vfat:dir create_dir_perms;
+allow mdlogger vfat:file create_file_perms;
+
+#mdlogger for read /sdcard
+allow mdlogger tmpfs:lnk_file r_file_perms;
+allow mdlogger storage_file:lnk_file rw_file_perms;
+allow mdlogger storage_file:dir create_dir_perms;
+allow mdlogger storage_file:file create_file_perms;
+allow mdlogger mnt_user_file:dir search;
+allow mdlogger mnt_user_file:lnk_file rw_file_perms;
+allow mdlogger sdcard_type:file create_file_perms;
+allow mdlogger sdcard_type:dir create_dir_perms;
+
+# Allow read to sys/kernel/ccci/* files
+allow mdlogger sysfs_ccci:dir search;
+allow mdlogger sysfs_ccci:file r_file_perms;
+
+# purpose: allow mdlogger to access storage in new version
+allow mdlogger media_rw_data_file:file create_file_perms;
+allow mdlogger media_rw_data_file:dir create_dir_perms;
+
+## purpose: avc: denied { read } for name="plat_file_contexts"
+allow emdlogger file_contexts_file:file r_file_perms;
+
+#permission for read boot mode
+#avc: denied { open }  path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
+allow mdlogger sysfs_boot_mode:file r_file_perms;
+
+# avc: denied { open } for path="system/etc/mddb" dev="mmcblk0p21" scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow mdlogger system_file:dir r_dir_perms;
+
+# Add permission to access new bootmode file
+allow mdlogger sysfs_boot_info:file r_file_perms;
+
+#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:mdlogger:s0
+#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
+#security issue control
+allow mdlogger crash_dump:unix_stream_socket connectto;

basic/debug/non_plat/meta_tst.te

@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /vendor/bin/meta_tst Executable File
+
+# Date: W18.29
+# Operation: Catch log
+# Purpose : meta connect with loghidlserver by socket.
+allow meta_tst loghidlvendorservice:unix_stream_socket connectto;

basic/debug/non_plat/mobile_log_d.te

@@ -0,0 +1,73 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# boot_mdoe file access
+allow mobile_log_d sysfs_boot_mode:file r_file_perms;
+
+#proc/ access
+allow mobile_log_d proc_kmsg:file r_file_perms;
+allow mobile_log_d proc_cmdline:file r_file_perms;
+allow mobile_log_d proc_atf_log:dir search;
+allow mobile_log_d proc_atf_log:file r_file_perms;
+allow mobile_log_d proc_gz_log:file r_file_perms;
+allow mobile_log_d proc_last_kmsg:file r_file_perms;
+allow mobile_log_d proc_bootprof:file r_file_perms;
+allow mobile_log_d proc_pl_lk:file r_file_perms;
+
+#apusys
+allow mobile_log_d proc_apusys_up_seq_logl:file r_file_perms;
+
+#scp
+allow mobile_log_d sysfs_scp:file w_file_perms;
+allow mobile_log_d sysfs_scp:dir search;
+allow mobile_log_d scp_device:chr_file r_file_perms;
+
+#vcp
+allow mobile_log_d sysfs_vcp:file w_file_perms;
+allow mobile_log_d sysfs_vcp:dir search;
+allow mobile_log_d vcp_device:chr_file r_file_perms_no_map;
+
+#adsp
+allow mobile_log_d sysfs_adsp:file w_file_perms;
+allow mobile_log_d sysfs_adsp:dir search;
+allow mobile_log_d adsp_device:chr_file r_file_perms;
+
+#sspm
+allow mobile_log_d sysfs_sspm:file w_file_perms;
+allow mobile_log_d sysfs_sspm:dir search;
+allow mobile_log_d sspm_device:chr_file r_file_perms;
+
+#data/misc/mblog
+allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms };
+allow mobile_log_d logmisc_data_file:file create_file_perms;
+
+#data/log_temp
+allow mobile_log_d logtemp_data_file:dir { relabelto create_dir_perms };
+allow mobile_log_d logtemp_data_file:file create_file_perms;
+
+#data/data_tmpfs_log
+allow mobile_log_d data_tmpfs_log_file:dir create_dir_perms;
+allow mobile_log_d data_tmpfs_log_file:file create_file_perms;
+
+# purpose: send log to com port
+allow mobile_log_d ttyGS_device:chr_file rw_file_perms;
+
+# purpose: allow mobile_log_d to access persist.meta.connecttype
+get_prop(mobile_log_d, vendor_mtk_meta_connecttype_prop)
+
+# purpose: allow mobile_log_d to create socket
+allow mobile_log_d port:tcp_socket { name_connect name_bind };
+allow mobile_log_d mobile_log_d:tcp_socket create_stream_socket_perms;
+allow mobile_log_d node:tcp_socket node_bind;
+
+# purpose: allow mobile_log_d to write dev/wmtWifi.
+allow mobile_log_d wmtWifi_device:chr_file rw_file_perms;
+
+# Date: 2016/11/11
+# purpose: allow MobileLog to access aee socket
+allow mobile_log_d crash_dump:unix_stream_socket connectto;
+
+# Date : WK21.31
+# Purpose: Add permission to access new bootmode file
+allow mobile_log_d sysfs_boot_info:file r_file_perms;

basic/debug/non_plat/modemdbfilter_service.te

@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/modemdbfilter_service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type modemdbfilter_service, domain;
+type modemdbfilter_service_exec, exec_type, file_type, vendor_file_type;
+typeattribute modemdbfilter_service mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(modemdbfilter_service)
+
+#Purpose : for create hidl server
+hal_server_domain(modemdbfilter_service, hal_mtk_md_dbfilter)

basic/debug/non_plat/mtk_hal_camera.te

@@ -0,0 +1,26 @@
+# callback to /vendor/bin/aee_aedv for aee debugging
+binder_call(mtk_hal_camera, aee_aedv)
+
+# -----------------------------------
+# Android O
+# Purpose: AEE Debugging
+# -----------------------------------
+# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
+allow mtk_hal_camera dumpstate:binder { call };
+allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
+allow mtk_hal_camera dumpstate:fd { use };
+allow mtk_hal_camera dumpstate:fifo_file w_file_perms;
+
+# Purpose: Allow camerahalserver to dump debug info to SYS_DEBUG_MTKCAM via aee_aedv.
+# avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.9oRG8O/SYS_DEBUG_MTKCAM"
+# dev="dm-2" ino=1458278 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_vendor_file:s0
+# tclass=file permissive=0
+allow mtk_hal_camera aee_exp_vendor_file:dir w_dir_perms;
+allow mtk_hal_camera aee_exp_vendor_file:file create_file_perms;
+
+# Date : WK18.01
+# Operation : label aee_aed sockets
+# Purpose : Engineering mode need access for aee commmand
+userdebug_or_eng(`
+allow mtk_hal_camera aee_aedv:unix_stream_socket connectto;
+')

basic/debug/non_plat/mtkrild.te

@@ -0,0 +1,2 @@
+#For Kryptowire mtklog issue
+allow mtkrild aee_aedv:unix_stream_socket connectto;

basic/debug/non_plat/netd.te

@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose :  MDLogger USB logging
+# Owner : Bo shang
+allow netd mdlogger:fd use;
+allow netd mdlogger:tcp_socket rw_socket_perms_no_ioctl;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose :  network logging
+# Owner : Bo shang
+allow netd netdiag:fd use;
+allow netd netdiag:udp_socket rw_socket_perms_no_ioctl;
+
+userdebug_or_eng(`
+  allow netd mobile_log_d:fd use;
+  allow netd mobile_log_d:tcp_socket rw_socket_perms_no_ioctl;
+')

basic/debug/non_plat/netdiag.te

@@ -0,0 +1,26 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : for access storage file
+allow netdiag sdcard_type:dir create_dir_perms;
+allow netdiag sdcard_type:file create_file_perms;
+allow netdiag net_data_file:file r_file_perms;
+allow netdiag net_data_file:dir search;
+allow netdiag storage_file:dir search;
+allow netdiag storage_file:lnk_file r_file_perms;
+allow netdiag mnt_user_file:dir search;
+allow netdiag mnt_user_file:lnk_file r_file_perms;
+allow netdiag platform_app:dir search;
+allow netdiag untrusted_app:dir search;
+allow netdiag mnt_media_rw_file:dir search;
+allow netdiag vfat:dir create_dir_perms;
+allow netdiag vfat:file create_file_perms;
+allow netdiag tmpfs:lnk_file r_file_perms;
+
+# purpose: allow netdiag to access storage in new version
+allow netdiag media_rw_data_file:file create_file_perms;
+allow netdiag media_rw_data_file:dir create_dir_perms;
+
+# purpose: read ip address
+allow netdiag self:netlink_route_socket nlmsg_readpriv;

basic/debug/non_plat/platform_app.te

@@ -0,0 +1,100 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/07/03
+# Operation : Migration
+# Purpose : get/set agps configuration via hal_mtk_lbs
+hal_client_domain(platform_app, hal_mtk_lbs)
+
+# Date : 2014/08/21
+# Operation : Migration
+# Purpose : FMRadio enable driver access permission for fmradio hardware device
+# Package: com.mediatek.fmradio
+allow platform_app fm_device:chr_file rw_file_perms;
+
+# Date : 2014/09/11
+# Operation : Migration
+# Purpose : MTKLogger need setup local socket with native daemon:mobile_logd,
+# netdialog,mdlogger,emdlogger,cmddumper
+# Package: com.mediatek.mtklogger
+allow platform_app mobile_log_d:unix_stream_socket connectto;
+allow platform_app mdlogger:unix_stream_socket connectto;
+allow platform_app emdlogger:unix_stream_socket connectto;
+allow platform_app cmddumper:unix_stream_socket connectto;
+allow platform_app connsyslogger:unix_stream_socket connectto;
+unix_socket_connect(platform_app, netdiag, netdiag)
+
+# Date: 2018/11/17
+# purpose: allow MTKLogger to control Bluetooth HCI log via socket
+allow platform_app bluetooth:unix_stream_socket connectto;
+
+# Date : 2014/10/17
+# Operation : Migration
+# Purpose :Make MTKLogger or VIASaber apk can Access TTYSDIO_device
+# Package: com.mediatek.mtklogger
+allow platform_app ttySDIO_device:chr_file rw_file_perms;
+
+# Date : 2014/10/17
+# Operation : Migration
+# Purpose :Make MTKLogger or VIASaber apk can Access storage
+# Package: com.mediatek.mtklogger
+allow platform_app sdcard_type:file create_file_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+
+# Date : 2014/11/12
+# Operation : Migration
+# Purpose : MTKLogger need copy exception db from data folder
+# Package: com.mediatek.mtklogger
+allow platform_app aee_exp_data_file:file r_file_perms;
+allow platform_app aee_exp_data_file:dir r_dir_perms;
+
+# Date : 2014/11/14
+# Operation : Migration
+# Purpose : MTKLogger need update md config file in data for mode changed
+# Package: com.mediatek.mtklogger
+allow platform_app mdlog_data_file:file rw_file_perms;
+allow platform_app mdlog_data_file:dir rw_dir_perms;
+
+# Date : WK17.46
+# Operation : Migration
+# Purpose : allow MTKLogger to read KE DB
+allow platform_app aee_dumpsys_data_file:file r_file_perms;
+
+# Date: 2018/03/23
+# Operation : Migration
+# Purpose : MTKLogger need connect to log hidl server
+# Package: com.mediatek.mtklogger
+hal_client_domain(platform_app, hal_mtk_log)
+
+# Date : 2020/09/15
+# Operation : Migration
+# Purpose : DebugLoggerUI need copy proc/ccci_sib to storage
+# Package: com.debug.loggerui
+allow platform_app proc_ccci_sib:file r_file_perms;
+
+# Date : 2021/03/05
+# Operation : Migration
+# Purpose : DebugLoggerUI need call wifi JNI set wifi level
+# Package: com.debug.loggerui
+allow platform_app self:udp_socket { create ioctl };
+allowxperm platform_app self:udp_socket ioctl {
+  SIOCIWFIRSTPRIV_0B
+  SIOCIWFIRSTPRIV_0F
+  SIOCSIWMODE SIOCIWFIRSTPRIV_01
+  SIOCIWFIRSTPRIV_09
+  SIOCDEVPRIVATE_2
+};
+
+# Date : WK18.17
+# Operation : P Migration
+# Purpose: allow platform_app to read /data/vendor/mtklog/aee_exp
+allow platform_app aee_exp_vendor_file:dir r_dir_perms;
+allow platform_app aee_exp_vendor_file:file r_file_perms;
+
+# Date : 2021/06/01
+# Operation : Migration
+# Purpose : DebugLoggerUI need copy & delete /data/vendor/vcodec/ folder
+# Package: com.debug.loggerui
+allow platform_app vcodec_file:dir {rw_dir_perms rmdir};
+allow platform_app vcodec_file:file rw_file_perms;

basic/debug/non_plat/property.te

@@ -0,0 +1,11 @@
+vendor_restricted_prop(vendor_mtk_debug_mtk_aeev_prop)
+vendor_restricted_prop(vendor_mtk_persist_aeev_prop)
+vendor_restricted_prop(vendor_mtk_persist_mtk_aeev_prop)
+vendor_restricted_prop(vendor_mtk_ro_aee_prop)
+vendor_restricted_prop(vendor_mtk_aeev_dynamic_switch_prop)
+
+typeattribute vendor_mtk_debug_mtk_aeev_prop         mtk_core_property_type;
+typeattribute vendor_mtk_persist_aeev_prop           mtk_core_property_type;
+typeattribute vendor_mtk_persist_mtk_aeev_prop       mtk_core_property_type;
+typeattribute vendor_mtk_ro_aee_prop                 mtk_core_property_type;
+typeattribute vendor_mtk_aeev_dynamic_switch_prop    mtk_core_property_type;

basic/debug/non_plat/property_contexts

@@ -0,0 +1,9 @@
+persist.vendor.mtk.aeev. u:object_r:vendor_mtk_persist_mtk_aeev_prop:s0
+persist.vendor.aeev.     u:object_r:vendor_mtk_persist_aeev_prop:s0
+vendor.debug.mtk.aeev    u:object_r:vendor_mtk_debug_mtk_aeev_prop:s0
+
+ro.vendor.aee.build.info      u:object_r:vendor_mtk_ro_aee_prop:s0
+ro.vendor.aee.enforcing       u:object_r:vendor_mtk_ro_aee_prop:s0
+ro.vendor.have_aee_feature    u:object_r:vendor_mtk_ro_aee_prop:s0
+ro.vendor.aeev.dynamic.switch u:object_r:vendor_mtk_aeev_dynamic_switch_prop:s0
+ro.vendor.aee.convert64       u:object_r:vendor_mtk_ro_aee_prop:s0

basic/debug/non_plat/rild.te

@@ -0,0 +1,3 @@
+# Date : 2019/08/29
+# Purpose: Allow rild to access proc/aed/reboot-reason
+allow rild proc_aed_reboot_reason:file rw_file_perms;

basic/debug/non_plat/shell.te

@@ -0,0 +1,3 @@
+# Date : WK16.46
+# Purpose : allow shell to switch aee mode
+allow shell crash_dump:unix_stream_socket connectto;

basic/debug/non_plat/system_app.te

@@ -0,0 +1,6 @@
+# Date : 2017/11/07
+# Operation : Migration
+# Purpose : CAT need copy exception db file from data folder
+# Package: CAT tool
+allow system_app aee_exp_data_file:file r_file_perms;
+allow system_app aee_exp_data_file:dir r_dir_perms;

basic/debug/non_plat/system_server.te

@@ -0,0 +1,12 @@
+allow system_server aee_exp_data_file:file w_file_perms;
+# Date:W17.22
+# Operation : add aee_aed socket rule
+# Purpose : type=1400 audit(0.0:134519): avc: denied { connectto }
+#           for comm=4572726F722064756D703A20737973
+#           path=00636F6D2E6D746B2E6165652E6165645F3634
+#           scontext=u:r:system_server:s0 tcontext=u:r:crash_dump:s0
+#           tclass=unix_stream_socket permissive=0
+allow system_server crash_dump:unix_stream_socket connectto;
+
+# Search /proc/proc_mtmon
+allow system_server proc_mtmon:dir search;

basic/debug/non_plat/vendor_init.te

@@ -0,0 +1,5 @@
+set_prop(vendor_init, system_mtk_persist_mtk_aee_prop)
+set_prop(vendor_init, vendor_mtk_ro_aee_prop)
+set_prop(vendor_init, vendor_mtk_persist_aeev_prop)
+
+allow vendor_init proc_mtmon:file w_file_perms;

basic/debug/non_plat/vendor_shell.te

@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+# Purpose : allow vendor_shell to run aeev
+allow vendor_shell aee_aedv_exec:file x_file_perms;

basic/debug/plat_private/aee_core_forwarder.te

@@ -0,0 +1,91 @@
+# ==============================================
+# Policy File of /system/bin/aee_core_forwarder Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type aee_core_forwarder_exec, system_file_type, exec_type, file_type;
+typeattribute aee_core_forwarder coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(aee_core_forwarder)
+
+#mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip
+allow aee_core_forwarder sdcard_type:dir create_dir_perms;
+allow aee_core_forwarder sdcard_type:file create_file_perms;
+allow aee_core_forwarder self:capability { fsetid setgid sys_nice sys_admin };
+
+#read STDIN_FILENO
+allow aee_core_forwarder kernel:fifo_file r_file_perms;
+
+#read /proc/<pid>/cmdline
+allow aee_core_forwarder domain:dir r_dir_perms;
+allow aee_core_forwarder domain:file r_file_perms;
+
+#get wake_lock to avoid system suspend when coredump is generating
+allow aee_core_forwarder sysfs_wake_lock:file rw_file_perms;
+
+# Date : 2015/07/11
+# Operation : Migration
+# Purpose : for mtk debug mechanism
+allow aee_core_forwarder self:capability2 block_suspend;
+
+# Date : 2015/07/21
+# Operation : Migration
+# Purpose : for generating core dump on sdcard
+allow aee_core_forwarder mnt_user_file:dir search;
+allow aee_core_forwarder mnt_user_file:lnk_file r_file_perms;
+allow aee_core_forwarder storage_file:dir search;
+allow aee_core_forwarder storage_file:lnk_file r_file_perms;
+
+# Date : 2016/03/05
+# Operation : selinux waring fix
+# Purpose : avc:  denied  { search } for  pid=15909 comm="aee_core_forwar"
+#                 name="15493" dev="proc" ino=112310 scontext=u:r:aee_core_forwarder:s0
+#                 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
+dontaudit aee_core_forwarder untrusted_app:dir search;
+
+# Date : 2016/04/18
+# Operation : N0 Migration
+# Purpose : access for pipefs
+allow aee_core_forwarder kernel:fd use;
+
+# Purpose: search root dir "/"
+allow aee_core_forwarder tmpfs:dir search;
+
+# Purpose : read /selinux_version
+allow aee_core_forwarder rootfs:file r_file_perms;
+
+# Data : 2016/06/13
+# Operation : fix sys_ptrace selinux warning
+# Purpose : type=1400 audit(1420070409.080:177): avc: denied { sys_ptrace } for pid=3136
+#           comm="aee_core_forwar" capability=19 scontext=u:r:aee_core_forwarder:s0
+#           tcontext=u:r:aee_core_forwarder:s0  tclass=capability permissive=0
+dontaudit aee_core_forwarder self:capability sys_ptrace;
+
+# Data : 2016/06/24
+# Operation : fix media_rw_data_file access selinux warning
+# Purpose :
+# type=1400 audit(0.0:6511): avc: denied { search } for name="db.p08JgF"
+# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
+# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
+# type=1400 audit(0.0:6512): avc: denied { write } for name="db.p08JgF"
+# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
+# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
+# type=1400 audit(0.0:6513): avc: denied { add_name } for name="CURRENT.dbg"
+# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
+# tclass=dir permissive=1
+# type=1400 audit(0.0:6514): avc: denied { create } for name="CURRENT.dbg"
+# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
+# tclass=file permissive=1
+# type=1400 audit(0.0:6515): avc: denied { write open } for
+# path="/data/media/0/mtklog/aee_exp/temp/db.p08JgF/CURRENT.dbg" dev="dm-0"
+# ino=540952 scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
+# tclass=file permissive=1
+allow aee_core_forwarder media_rw_data_file:dir w_dir_perms;
+allow aee_core_forwarder media_rw_data_file:file create_file_perms;
+
+# Purpose : allow aee_core_forwarder to connect aee_aed socket
+allow aee_core_forwarder crash_dump:unix_stream_socket connectto;

basic/debug/plat_private/connsyslogger.te

@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute connsyslogger coredomain;
+typeattribute connsyslogger mlstrustedsubject;
+type connsyslogger_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(connsyslogger)
+
+set_prop(connsyslogger, system_mtk_connsysfw_prop)
+
+#Date:2019/06/27
+#access data/debuglog
+allow connsyslogger debuglog_data_file:dir {relabelto create_dir_perms};
+allow connsyslogger debuglog_data_file:file create_file_perms;

basic/debug/plat_private/crash_dump.te

@@ -0,0 +1,29 @@
+# Purpose: crash_dump set property
+set_prop(crash_dump, system_mtk_persist_mtk_aee_prop)
+set_prop(crash_dump, system_mtk_persist_aee_prop)
+set_prop(crash_dump, system_mtk_debug_mtk_aee_prop)
+get_prop(crash_dump, system_mtk_aee_basic_prop)
+
+# Date : WK17.09
+# Operation : AEE UT for Android O
+# Purpose : for AEE module to dump files
+domain_auto_trans(crash_dump, dumpstate_exec, dumpstate)
+
+# aee db dir and db files
+allow crash_dump sdcard_type:dir create_dir_perms;
+allow crash_dump sdcard_type:file create_file_perms;
+
+# system(cmd) aee_dumpstate aee_archive
+allow crash_dump shell_exec:file rx_file_perms;
+
+# Purpose: dump bugreport into NE DB
+allow crash_dump dumpstate_socket:sock_file w_file_perms;
+allow crash_dump dumpstate:unix_stream_socket connectto;
+set_prop(crash_dump, ctl_start_prop)
+
+# Purpose: Allow crash_dump to get mobile log prop
+get_prop(crash_dump, system_mtk_mobile_log_prop)
+
+# Purpose: Allow crash_dump to write /data/debuglogger/mobilelog
+allow crash_dump debuglog_data_file:dir create_dir_perms;
+allow crash_dump debuglog_data_file:file create_file_perms;

basic/debug/plat_private/dumpstate.te

@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# 01-01 17:59:14.440  7664  7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow dumpstate debugfs_tracing:file rw_file_perms;
+
+# Purpose: aee_dumpstate set surfaceflinger property
+set_prop(dumpstate, system_mtk_debug_bq_dump_prop)
+
+# Date: W1826
+# Purpose : mobile_log_d exec 'logcat -L' via dumpstate
+allow dumpstate mobile_log_d:fd use;
+allow dumpstate mobile_log_d:fifo_file w_file_perms;
+allow dumpstate mobile_log_d:unix_stream_socket rw_socket_perms_no_ioctl;

basic/debug/plat_private/emdlogger.te

@@ -0,0 +1,87 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type emdlogger_exec, system_file_type, exec_type, file_type;
+typeattribute emdlogger coredomain;
+typeattribute emdlogger mlstrustedsubject;
+
+init_daemon_domain(emdlogger)
+binder_use(emdlogger)
+binder_service(emdlogger)
+
+# for modem logging sdcard access
+allow emdlogger sdcard_type:dir create_dir_perms;
+allow emdlogger sdcard_type:file create_file_perms;
+
+# modem logger socket access
+allow emdlogger platform_app:unix_stream_socket connectto;
+allow emdlogger shell_exec:file rx_file_perms;
+allow emdlogger system_file:file x_file_perms;
+allow emdlogger zygote_exec:file rx_file_perms;
+
+#modem logger SD logging in factory mode
+allow emdlogger vfat:dir create_dir_perms;
+allow emdlogger vfat:file create_file_perms;
+
+#modem logger permission in storage in android M version
+allow emdlogger mnt_user_file:dir search;
+allow emdlogger mnt_user_file:lnk_file r_file_perms;
+allow emdlogger storage_file:lnk_file r_file_perms;
+
+#permission for storage link access in vzw Project
+allow emdlogger mnt_media_rw_file:dir search;
+
+
+#permission for use SELinux API
+#avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs"
+allow emdlogger rootfs:file r_file_perms;
+
+#permission for storage access storage
+allow emdlogger storage_file:dir create_dir_perms;
+allow emdlogger tmpfs:lnk_file r_file_perms;
+allow emdlogger storage_file:file create_file_perms;
+
+# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
+# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow emdlogger system_file:dir r_dir_perms;
+
+# permission for android N policy
+allow emdlogger toolbox_exec:file rx_file_perms;
+
+# purpose: allow emdlogger to access storage in N version
+allow emdlogger media_rw_data_file:file create_file_perms;
+allow emdlogger media_rw_data_file:dir create_dir_perms;
+
+## Android P migration
+## purpose:  denied { read } for name="cmdline" dev="proc"
+#denied { search } for name="android" dev="sysfs"
+#for name="compatible" dev="sysfs" ino=2985 scontext=u
+#:r:emdlogger:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0
+#avc: denied { open } for path="/system/etc/mddb"
+#avc: denied { read } for name="u:object_r:vendor_default_prop:s0"
+allow emdlogger proc_cmdline:file r_file_perms;
+allow emdlogger sysfs_dt_firmware_android:dir r_dir_perms;
+allow emdlogger tmpfs:dir w_dir_perms;
+allow emdlogger sysfs_dt_firmware_android:file r_file_perms;
+set_prop(emdlogger, system_mtk_persist_mtklog_prop)
+set_prop(emdlogger, system_mtk_mdl_prop)
+set_prop(emdlogger, system_mtk_mdl_start_prop)
+set_prop(emdlogger, system_mtk_debug_mdlogger_prop)
+set_prop(emdlogger, system_mtk_persist_mdlog_prop)
+set_prop(emdlogger, system_mtk_mdl_pulllog_prop)
+set_prop(emdlogger, usb_prop)
+set_prop(emdlogger, debug_prop)
+set_prop(emdlogger, usb_control_prop)
+
+## Android Q migration
+## purpose:  read modem db and filter folder and file
+allow emdlogger mddb_filter_data_file:dir r_dir_perms;
+allow emdlogger mddb_filter_data_file:file r_file_perms;
+
+# save log into /data/debuglogger
+allow emdlogger debuglog_data_file:dir {relabelto create_dir_perms};
+allow emdlogger debuglog_data_file:file create_file_perms;
+
+# get persist.sys. proeprty
+get_prop(emdlogger, system_prop)

basic/debug/plat_private/file_contexts

@@ -0,0 +1,29 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# System files
+#
+/system/bin/mobile_log_d         u:object_r:mobile_log_d_exec:s0
+/system/bin/modemdbfilter_client u:object_r:modemdbfilter_client_exec:s0
+/system/bin/netdiag              u:object_r:netdiag_exec:s0
+/system/bin/loghidlsysservice    u:object_r:loghidlsysservice_exec:s0
+/system/bin/connsyslogger        u:object_r:connsyslogger_exec:s0
+
+##########################
+# SystemExt files
+#
+/(system_ext|system/system_ext)/bin/mdlogger           u:object_r:mdlogger_exec:s0
+/(system_ext|system/system_ext)/bin/emdlogger[0-9]+    u:object_r:emdlogger_exec:s0
+
+/(system_ext|system/system_ext)/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0
+/(system_ext|system/system_ext)/bin/aeedb              u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed            u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed64          u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_dumpstate      u:object_r:dumpstate_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed64_v2          u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_core_forwarder_v2 u:object_r:aee_core_forwarder_exec:s0
+/(system_ext|system/system_ext)/bin/aee_v2                u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aeedb_v2              u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_dumpstate_v2      u:object_r:dumpstate_exec:s0

basic/debug/plat_private/init.te

@@ -0,0 +1 @@
+domain_trans(init, crash_dump_exec, shell)

basic/debug/plat_private/kernel.te

@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)
+

basic/debug/plat_private/loghidlsysservice.te

@@ -0,0 +1,16 @@
+# ==============================================
+# Policy File of /system/bin/loghidlsysservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type loghidlsysservice_exec, system_file_type, exec_type, file_type;
+typeattribute loghidlsysservice coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(loghidlsysservice)
+
+allow loghidlsysservice emdlogger:unix_stream_socket connectto;
+allow loghidlsysservice mobile_log_d:unix_stream_socket connectto;

basic/debug/plat_private/mdlogger.te

@@ -0,0 +1,65 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdlogger_exec , system_file_type, exec_type, file_type;
+typeattribute mdlogger coredomain;
+typeattribute mdlogger mlstrustedsubject;
+
+init_daemon_domain(mdlogger)
+
+binder_use(mdlogger)
+
+binder_service(mdlogger)
+
+# modem logger socket access
+allow mdlogger platform_app:unix_stream_socket connectto;
+allow mdlogger shell_exec:file rx_file_perms;
+allow mdlogger system_file:file x_file_perms;
+allow mdlogger zygote_exec:file r_file_perms;
+allow mdlogger node:tcp_socket node_bind;
+allow mdlogger port:tcp_socket name_bind;
+allow mdlogger self:tcp_socket create_stream_socket_perms;
+
+#modem logger SD logging in factory mode
+allow mdlogger vfat:dir create_dir_perms;
+allow mdlogger vfat:file create_file_perms;
+
+allow mdlogger tmpfs:lnk_file r_file_perms;
+allow mdlogger storage_file:lnk_file rw_file_perms;
+allow mdlogger mnt_user_file:dir search;
+allow mdlogger mnt_user_file:lnk_file rw_file_perms;
+allow mdlogger sdcard_type:file create_file_perms;
+allow mdlogger sdcard_type:dir create_dir_perms;
+
+# purpose: allow mdlogger to access storage in new version
+allow mdlogger media_rw_data_file:file create_file_perms;
+allow mdlogger media_rw_data_file:dir create_dir_perms;
+
+allow mdlogger storage_file:dir create_dir_perms;
+allow mdlogger storage_file:file create_file_perms;
+
+## purpose: avc: denied { read } for name="plat_file_contexts"
+allow mdlogger file_contexts_file:file r_file_perms;
+
+# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
+# scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow mdlogger system_file:dir r_dir_perms;
+
+# Android P migration
+set_prop(mdlogger, system_mtk_mdl_prop)
+set_prop(mdlogger, system_mtk_persist_mdlog_prop)
+set_prop(mdlogger, system_mtk_persist_mtklog_prop)
+
+## Android Q migration
+## purpose:  read modem db and filter folder and file
+allow mdlogger mddb_filter_data_file:dir r_dir_perms;
+allow mdlogger mddb_filter_data_file:file r_file_perms;
+
+## Save modem log into data
+allow mdlogger debuglog_data_file:dir {relabelto create_dir_perms};
+allow mdlogger debuglog_data_file:file create_file_perms;
+
+#allow mdlogger to set property
+set_prop(mdlogger, system_mtk_debug_mdlogger_prop)
+set_prop(mdlogger, debug_prop)

basic/debug/plat_private/mobile_log_d.te

@@ -0,0 +1,105 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mobile_log_d_exec, system_file_type, exec_type, file_type;
+typeattribute mobile_log_d coredomain;
+typeattribute mobile_log_d mlstrustedsubject;
+
+init_daemon_domain(mobile_log_d)
+
+#syslog module
+allow mobile_log_d kernel:system syslog_mod;
+
+#GMO project
+dontaudit mobile_log_d untrusted_app:fd use;
+dontaudit mobile_log_d isolated_app:fd use;
+
+#debug property set
+set_prop(mobile_log_d, debug_prop)
+
+#socket connect and write
+unix_socket_connect(mobile_log_d, logdr, logd);
+
+#capability
+allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };
+allow mobile_log_d self:capability2 syslog;
+
+#aee mode switch
+allow mobile_log_d system_file:file x_file_perms;
+
+#shell command
+allow mobile_log_d shell_exec:file rx_file_perms;
+
+# execute logcat command
+allow mobile_log_d logcat_exec:file rx_file_perms;
+
+# execute 'logcat -L' via dumpstate
+domain_auto_trans(mobile_log_d, logcat_exec, dumpstate)
+
+#general storage access
+allow mobile_log_d storage_file:dir create_dir_perms;
+allow mobile_log_d storage_file:file create_file_perms;
+allow mobile_log_d storage_file:lnk_file create_file_perms;
+allow mobile_log_d mnt_user_file:dir create_dir_perms;
+allow mobile_log_d mnt_user_file:lnk_file create_file_perms;
+allow mobile_log_d sdcard_type:dir create_dir_perms;
+allow mobile_log_d sdcard_type:file create_file_perms;
+
+#factory mode vfat access
+allow mobile_log_d vfat:dir create_dir_perms;
+allow mobile_log_d vfat:file create_file_perms;
+
+#chiptest mode storage access
+allow mobile_log_d mnt_media_rw_file:dir create_dir_perms;
+allow mobile_log_d mnt_media_rw_file:lnk_file create_file_perms;
+
+#system/bin/toybox for using 'sh' command
+allow mobile_log_d toolbox_exec:file rx_file_perms;
+
+#selinux_version access
+allow mobile_log_d rootfs:file r_file_perms;
+
+#dev/__properties__ access
+get_prop(mobile_log_d, device_logging_prop)
+get_prop(mobile_log_d, mmc_prop)
+get_prop(mobile_log_d, safemode_prop)
+
+# purpose: allow MobileLog to access storage in N version
+allow mobile_log_d media_rw_data_file:file create_file_perms;
+allow mobile_log_d media_rw_data_file:dir create_dir_perms;
+
+# access debugfs/tracing/instances/
+allow mobile_log_d debugfs_tracing:dir create_dir_perms;
+allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
+allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
+
+#data/debuglog
+allow mobile_log_d debuglog_data_file:dir {relabelto create_dir_perms};
+allow mobile_log_d debuglog_data_file:file create_file_perms;
+
+#mcupm
+allow mobile_log_d mcupm_device:chr_file r_file_perms;
+allow mobile_log_d sysfs_mcupm:file w_file_perms;
+allow mobile_log_d sysfs_mcupm:dir search;
+
+#for logpost feature
+userdebug_or_eng(`
+  allow mobile_log_d domain:dir r_dir_perms;
+  allow mobile_log_d domain:{file lnk_file} r_file_perms;
+  allow mobile_log_d dnsproxyd_socket:sock_file w_file_perms;
+  allow mobile_log_d self:udp_socket create_socket_perms_no_ioctl;
+  allow mobile_log_d netd:unix_stream_socket connectto;
+  allow mobile_log_d self:tcp_socket getopt;
+  allow mobile_log_d fwmarkd_socket:sock_file w_file_perms;
+  set_prop(mobile_log_d, system_mtk_mobile_log_post_prop)
+')
+
+#mobile itself property
+set_prop(mobile_log_d, system_mtk_mobile_log_prop)
+
+#wifi driver log property
+get_prop(mobile_log_d, system_mtk_wifisa_log_prop)
+
+# purpose: allow mobile_log_d to read persist.vendor.mtk.aee
+get_prop(mobile_log_d, system_mtk_persist_mtk_aee_prop)

basic/debug/plat_private/modemdbfilter_client.te

@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /system/bin/modemdbfilter_client Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type modemdbfilter_client_exec, exec_type, system_file_type, file_type;
+typeattribute modemdbfilter_client coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(modemdbfilter_client)
+
+# Purpose : for create hidl client
+hal_client_domain(modemdbfilter_client, hal_mtk_md_dbfilter)
+allow modemdbfilter_client mddb_filter_data_file:dir { create_dir_perms relabelto };
+allow modemdbfilter_client mddb_filter_data_file:file create_file_perms;

basic/debug/plat_private/netdiag.te

@@ -0,0 +1,102 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type netdiag_exec, system_file_type, exec_type, file_type;
+typeattribute netdiag coredomain;
+typeattribute netdiag mlstrustedsubject;
+
+init_daemon_domain(netdiag)
+
+# Purpose : for access storage file
+allow netdiag sdcard_type:dir create_dir_perms;
+allow netdiag sdcard_type:file create_file_perms;
+allow netdiag domain:dir search;
+allow netdiag domain:file r_file_perms;
+allow netdiag net_data_file:file r_file_perms;
+allow netdiag net_data_file:dir search;
+allow netdiag storage_file:dir search;
+allow netdiag storage_file:lnk_file r_file_perms;
+allow netdiag mnt_user_file:dir search;
+allow netdiag mnt_user_file:lnk_file r_file_perms;
+allow netdiag platform_app:dir search;
+allow netdiag untrusted_app:dir search;
+allow netdiag mnt_media_rw_file:dir search;
+allow netdiag vfat:dir create_dir_perms;
+allow netdiag vfat:file create_file_perms;
+allow netdiag tmpfs:lnk_file r_file_perms;
+allow netdiag system_file:file rx_file_perms;
+
+# Purpose : for shell, set uid and gid
+allow netdiag self:capability { net_admin setuid net_raw setgid};
+allow netdiag shell_exec:file rx_file_perms;
+
+#access /proc/318/net/psched
+allow netdiag proc_net:file r_file_perms;
+
+# Purpose : for ping
+allow netdiag dnsproxyd_socket:sock_file w_file_perms;
+allow netdiag fwmarkd_socket:sock_file w_file_perms;
+allow netdiag netd:unix_stream_socket connectto;
+allow netdiag self:udp_socket create_socket_perms;
+
+# Purpose : for service permission
+allow netdiag connectivity_service:service_manager find;
+allow netdiag netstats_service:service_manager find;
+allow netdiag system_server:binder call;
+allow netdiag servicemanager:binder call;
+binder_use(netdiag)
+
+# Purpose : for dumpsys permission
+allow netdiag connmetrics_service:service_manager find;
+allow netdiag netpolicy_service:service_manager find;
+allow netdiag network_management_service:service_manager find;
+allow netdiag settings_service:service_manager find;
+
+# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
+get_prop(netdiag, device_logging_prop)
+get_prop(netdiag, mmc_prop)
+allow netdiag proc_net:dir r_dir_perms;
+get_prop(netdiag, safemode_prop)
+allow netdiag toolbox_exec:file rx_file_perms;
+
+# purpose: allow netdiag to access storage in new version
+allow netdiag media_rw_data_file:file create_file_perms;
+allow netdiag media_rw_data_file:dir create_dir_perms;
+
+# Purpose : for ip spec output
+allow netdiag self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Purpose: for socket error of tcpdump
+allow netdiag self:packet_socket create_socket_perms;
+allowxperm netdiag self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP};
+allow netdiag proc_net_tcp_udp:file r_file_perms;
+
+# Purpose: for ip
+allow netdiag self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Purpose: for iptables
+allow netdiag kernel:system module_request;
+allow netdiag self:rawip_socket create_socket_perms_no_ioctl;
+
+#Purpose : for network log property
+set_prop(netdiag, system_mtk_debug_netlog_prop)
+set_prop(netdiag, system_mtk_persist_mtklog_prop)
+set_prop(netdiag, system_mtk_debug_mtklog_prop)
+
+## Android P migration
+allow netdiag proc_qtaguid_stat:dir r_dir_perms;
+allow netdiag proc_qtaguid_stat:file r_file_perms;
+allow netdiag netd:binder call;
+get_prop(netdiag, apexd_prop)
+
+# Q save log into /data/debuglogger
+allow netdiag debuglog_data_file:dir {relabelto create_dir_perms};
+allow netdiag debuglog_data_file:file create_file_perms;
+
+# add for dump network_stack
+allow netdiag network_stack:binder call;
+allow netdiag network_stack_service:service_manager find;
+
+# add for unlink file_tree.txt
+allow netdiag debuglog_data_file:lnk_file { getattr unlink };

basic/debug/plat_private/network_stack.te

@@ -0,0 +1,3 @@
+# add for netdiag dump network_stack
+allow network_stack netdiag:fd use;
+allow network_stack netdiag:fifo_file w_file_perms;

basic/debug/plat_private/platform_app.te

@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow platform_app system_app_service:service_manager find;
+
+# Date : WK17.29
+# Stage: O Migration, SQC
+# Purpose: Allow to use selinux for hal_power
+hal_client_domain(platform_app, hal_power)
+
+# Date: 2018/06/08
+# Operation : Migration
+# Purpose : MTKLogger need get netlog/mdlog/mobilelog property for property change
+# Package: com.mediatek.mtklogger
+get_prop(platform_app, system_mtk_debug_mdlogger_prop)
+get_prop(platform_app, system_mtk_debug_mtklog_prop)
+get_prop(platform_app, system_mtk_vendor_bluetooth_prop)
+get_prop(platform_app, system_mtk_mobile_log_prop)
+
+get_prop(platform_app, system_mtk_connsysfw_prop)
+
+# Date: 2019/07/18
+# Operation : Migration
+# Purpose : DebugLoggerUI access data/debuglogger/ folder
+# Package: com.debug.loggerui
+allow platform_app debuglog_data_file:dir create_dir_perms;
+allow platform_app debuglog_data_file:file create_file_perms;
+
+#For tel log settings
+set_prop(platform_app, log_tag_prop)
+
+#For audio log settings
+set_prop(platform_app, system_mtk_audio_prop)
+
+#For display debug log settings
+set_prop(platform_app, system_mtk_sf_debug_prop)

basic/debug/plat_private/property.te

@@ -0,0 +1,8 @@
+system_internal_prop(system_mtk_debug_mtk_aee_prop)
+system_internal_prop(system_mtk_persist_aee_prop)
+system_internal_prop(system_mtk_aee_basic_prop)
+
+typeattribute system_mtk_debug_mtk_aee_prop         extended_core_property_type;
+typeattribute system_mtk_persist_aee_prop           extended_core_property_type;
+typeattribute system_mtk_aee_basic_prop             extended_core_property_type;
+typeattribute system_mtk_persist_mtk_aee_prop       extended_core_property_type;

basic/debug/plat_private/property_contexts

@@ -0,0 +1,5 @@
+persist.vendor.mtk.aee. u:object_r:system_mtk_persist_mtk_aee_prop:s0
+persist.vendor.aee.     u:object_r:system_mtk_persist_aee_prop:s0
+vendor.debug.mtk.aee.   u:object_r:system_mtk_debug_mtk_aee_prop:s0
+ro.vendor.aee.basic     u:object_r:system_mtk_aee_basic_prop:s0
+init.svc.aee_aedv   u:object_r:system_mtk_init_svc_aee_aedv_prop:s0

basic/debug/plat_private/radio.te

@@ -0,0 +1,5 @@
+#Date : 2021/08/01
+# Operation : Allow radio read write data/debuglogger folder
+# Purpose : Add for ATG app
+allow radio debuglog_data_file:dir create_dir_perms;
+allow radio debuglog_data_file:file create_file_perms;

basic/debug/plat_private/shell.te

@@ -0,0 +1,3 @@
+get_prop(shell, system_mtk_persist_mtk_aee_prop)
+get_prop(shell, system_mtk_persist_aee_prop)
+get_prop(shell, system_mtk_debug_mtk_aee_prop)

basic/debug/plat_private/system_server.te

@@ -0,0 +1,9 @@
+# Date : WK18.33
+# Purpose : type=1400 audit(0.0:1592): avc: denied { read }
+#           for comm=4572726F722064756D703A20646174 name=
+#           "u:object_r:system_mtk_persist_mtk_aee_prop:s0" dev="tmpfs"
+#           ino=10312 scontext=u:r:system_server:s0 tcontext=
+#           u:object_r:system_mtk_persist_mtk_aee_prop:s0 tclass=file permissive=0
+get_prop(system_server, system_mtk_persist_mtk_aee_prop)
+
+get_prop(system_server, system_mtk_debug_mtk_aee_prop)

basic/debug/plat_public/aee_core_forwarder.te

@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/aee_core_forwarder Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type aee_core_forwarder, domain;

basic/debug/plat_public/attributes

@@ -0,0 +1,13 @@
+# ==============================================
+# MTK Attribute declarations
+# ==============================================
+
+# Date: 2018/03/23
+# log hidl
+attribute hal_mtk_log;
+attribute hal_mtk_log_client;
+attribute hal_mtk_log_server;
+
+attribute hal_mtk_aee;
+attribute hal_mtk_aee_client;
+attribute hal_mtk_aee_server;

basic/debug/plat_public/connsyslogger.te

@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/connsyslogger Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type connsyslogger, domain;

basic/debug/plat_public/emdlogger.te

@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/emdlogger[x] Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type emdlogger, domain;

basic/debug/plat_public/loghidlsysservice.te

@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/loghidlsysservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type loghidlsysservice, domain;

basic/debug/plat_public/mdlogger.te

@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/mdlogger Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mdlogger, domain;

basic/debug/plat_public/mobile_log_d.te

@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/mobile_log_d Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mobile_log_d, domain;

basic/debug/plat_public/modemdbfilter_client.te

@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/modemdbfilter_client Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type modemdbfilter_client, domain;

basic/debug/plat_public/property.te

@@ -0,0 +1,2 @@
+system_public_prop(system_mtk_init_svc_aee_aedv_prop)
+system_public_prop(system_mtk_persist_mtk_aee_prop)

basic/non_plat/DcxoSetCap.te

@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /vendor/bin/DcxoSetCap Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type DcxoSetCap, domain;
+type DcxoSetCap_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(DcxoSetCap)
+
+#============= DcxoSetCap ==============
+allow DcxoSetCap nvdata_file:dir rw_dir_perms;
+allow DcxoSetCap nvdata_file:file rw_file_perms;
+allow DcxoSetCap proc_cmdline:file r_file_perms;
+allow DcxoSetCap sysfs_dcxo:file rw_file_perms;
+allow DcxoSetCap sysfs_boot_mode:file r_file_perms;
+allow DcxoSetCap sysfs_dt_firmware_android:dir r_dir_perms;
+allow DcxoSetCap sysfs_dt_firmware_android:file r_file_perms;
+
+allow DcxoSetCap metadata_file:dir search;
+allow DcxoSetCap gsi_metadata_file:dir search;
+allow DcxoSetCap mnt_vendor_file:dir search;

basic/non_plat/adbd.te

@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : WK17.46
+# Operator: Migration
+# Purpose: Allow adbd to read KE DB
+allow adbd aee_dumpsys_data_file:file r_file_perms;
+allow adbd gpu_device:dir search;

basic/non_plat/app.te

@@ -0,0 +1,56 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow appdomain proc_ged:file rw_file_perms;
+allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls };
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow appdomain surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow appdomain gpu_device:dir search;
+
+# Date : W17.41
+# Operation: SQC
+# Purpose : Allow HWUI to access perfmgr
+allow appdomain proc_perfmgr:dir search;
+allow appdomain proc_perfmgr:file r_file_perms;
+allowxperm appdomain proc_perfmgr:file ioctl {
+  PERFMGR_FPSGO_QUEUE
+  PERFMGR_FPSGO_DEQUEUE
+  PERFMGR_FPSGO_QUEUE_CONNECT
+  PERFMGR_FPSGO_BQID
+  PERFMGR_FPSGO_SWAP_BUFFER
+  PERFMGR_FPSGO_SBE_RESCUE
+};
+
+# Date : W19.23
+# Operation : Migration
+# Purpose : For platform app com.android.gallery3d
+allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;
+
+# Date : W19.23
+# Operation : Migration
+# Purpose : For app com.tencent.qqpimsecure
+allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START;
+
+# Date : W20.26
+# Operation : Migration
+# Purpose : For apps other than isolated_app call hidl
+hwbinder_use({ appdomain -isolated_app })
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop)
+allow { appdomain -isolated_app } hidl_manager_hwservice:hwservice_manager find;
+binder_call({ appdomain -isolated_app }, mtk_safe_halserverdomain_type)
+allow { appdomain -isolated_app } mtk_safe_hwservice_manager_type:hwservice_manager find;
+
+# Date : 2021/04/24
+# Operation: addwindow
+# Purpose: Get the variable value of touch report rate
+get_prop(appdomain, vendor_mtk_input_report_rate_prop)

basic/non_plat/atci_service.te

@@ -0,0 +1,130 @@
+# ==============================================
+# Policy File of /vendor/bin/atci_service Executable File
+# ==============================================
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type atci_service, domain;
+type atci_service_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atci_service)
+
+allow atci_service block_device:dir search;
+allow atci_service misc2_block_device:blk_file rw_file_perms;
+allow atci_service misc2_device:chr_file rw_file_perms;
+allow atci_service camera_isp_device:chr_file rw_file_perms;
+allow atci_service graphics_device:chr_file rw_file_perms;
+allow atci_service graphics_device:dir search;
+allow atci_service kd_camera_hw_device:chr_file rw_file_perms;
+allow atci_service self:capability { sys_nice ipc_lock sys_boot };
+allow atci_service nvram_device:chr_file rw_file_perms;
+allow atci_service camera_sysram_device:chr_file r_file_perms;
+allow atci_service camera_tsf_device:chr_file rw_file_perms;
+allow atci_service camera_rsc_device:chr_file rw_file_perms;
+allow atci_service camera_gepf_device:chr_file rw_file_perms;
+allow atci_service camera_fdvt_device:chr_file rw_file_perms;
+allow atci_service camera_wpe_device:chr_file rw_file_perms;
+allow atci_service camera_owe_device:chr_file rw_file_perms;
+allow atci_service camera_pda_device:chr_file rw_file_perms;
+allow atci_service kd_camera_flashlight_device:chr_file rw_file_perms;
+allow atci_service ccu_device:chr_file rw_file_perms;
+allow atci_service vpu_device:chr_file rw_file_perms;
+allow atci_service MTK_SMI_device:chr_file rw_file_perms;
+allow atci_service DW9714AF_device:chr_file rw_file_perms;
+allow atci_service devmap_device:chr_file rw_file_perms;
+allow atci_service sdcard_type:dir create_dir_perms;
+allow atci_service sdcard_type:file create_file_perms;
+allow atci_service mediaserver:binder call;
+
+# Date : 2015/09/17
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+allow atci_service nvram_device:blk_file rw_file_perms;
+allow atci_service input_device:dir r_dir_perms;
+allow atci_service input_device:file rw_file_perms;
+allow atci_service input_device:chr_file rw_file_perms;
+allow atci_service MAINAF_device:chr_file rw_file_perms;
+allow atci_service MAIN2AF_device:chr_file rw_file_perms;
+allow atci_service MAIN3AF_device:chr_file rw_file_perms;
+allow atci_service MAIN4AF_device:chr_file rw_file_perms;
+allow atci_service SUBAF_device:chr_file rw_file_perms;
+allow atci_service SUB2AF_device:chr_file rw_file_perms;
+allow atci_service tmpfs:lnk_file r_file_perms;
+allow atci_service self:capability2 block_suspend;
+
+# Date : 2015/10/13
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+allow atci_service mnt_user_file:dir search;
+allow atci_service mnt_user_file:lnk_file r_file_perms;
+allow atci_service storage_file:lnk_file r_file_perms;
+
+set_prop(atci_service, vendor_mtk_em_prop)
+
+# Date : 2016/03/02
+# Operation : M-Migration
+# Purpose : to support ATCI touch tool
+allow atci_service vendor_shell_exec:file rx_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atci_service proc_ged:file rw_file_perms;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow atci_service flashlight_device:chr_file rw_file_perms;
+
+# Date : WK17.01
+# Operation : Migration
+# Purpose : Update AT_Command NFC function
+allow atci_service factory_data_file:sock_file write;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atci_service, hal_mtk_pq)
+
+# Date : WK17.28
+# Purpose : Allow to execute battery command
+allow atci_service MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date : WK17.43
+# Purpose : CCT
+allow atci_service CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV2_device:chr_file rw_file_perms;
+allow atci_service camera_eeprom_device:chr_file rw_file_perms;
+allow atci_service seninf_n3d_device:chr_file rw_file_perms;
+allow atci_service fwk_sensor_hwservice:hwservice_manager find;
+allow atci_service ion_device:chr_file r_file_perms;
+allow atci_service mtk_cmdq_device:chr_file r_file_perms;
+allow atci_service mtk_mdp_device:chr_file r_file_perms;
+allow atci_service mtk_mdp_sync_device:chr_file r_file_perms;
+allow atci_service sw_sync_device:chr_file r_file_perms;
+hal_client_domain(atci_service, hal_power)
+allow atci_service sysfs_batteryinfo:dir search;
+allow atci_service sysfs_batteryinfo:file r_file_perms;
+allow atci_service system_file:dir r_dir_perms;
+allow atci_service camera_pipemgr_device:chr_file r_file_perms;
+allow atci_service mtk_hal_camera:binder call;
+allow atci_service debugfs_ion:dir search;
+allow atci_service sysfs_tpd_setting:file rw_file_perms;
+allow atci_service sysfs_vibrator_setting:file rw_file_perms;
+allow atci_service sysfs_leds_setting:file rw_file_perms;
+allow atci_service vendor_toolbox_exec:file rx_file_perms;
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hal_client_domain(atci_service, hal_mtk_atci)
+
+# Date : WK18.26
+# Purpose: Allow gps socket sendto
+allow atci_service mnld:unix_dgram_socket sendto;
+
+# Date : WK18.35
+# Purpose : allow CCT to allocate memory
+hal_client_domain(atci_service, hal_allocator)
+
+allow atci_service gpu_device:chr_file rw_file_perms;

basic/non_plat/atcid.te

@@ -0,0 +1,92 @@
+# ==============================================
+# Policy File of /vendor/bin/atcid Executable File
+# ==============================================
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type atcid, domain;
+type atcid_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atcid)
+set_prop(atcid, vendor_mtk_persist_service_atci_prop)
+allow atcid block_device:dir search;
+allow atcid gsmrild_socket:sock_file w_file_perms;
+
+# Date : WK17.21
+# Purpose: Allow to use HIDL
+hal_client_domain(atcid, hal_telephony)
+
+allow atcid ttyGS_device:chr_file rw_file_perms;
+allow atcid wmtWifi_device:chr_file w_file_perms;
+allow atcid misc2_block_device:blk_file rw_file_perms;
+allow atcid self:capability sys_time;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atcid proc_ged:file rw_file_perms;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atcid, hal_mtk_pq)
+
+# Date : WK17.34
+# Purpose: Allow to access meta_tst
+allow atcid meta_tst:unix_stream_socket connectto;
+
+# Date : WK18.15
+# Purpose: Allow to access power_supply in sysfs
+allow atcid sysfs_batteryinfo:file r_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow atcid to get vendor_mtk_tel_switch_prop
+get_prop(atcid, vendor_mtk_tel_switch_prop)
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+vndbinder_use(atcid)
+hal_server_domain(atcid, hal_mtk_atci)
+
+# Date : WK18.21
+# Purpose: For special command for customer
+set_prop(atcid, vendor_mtk_atci_prop)
+set_prop(atcid, powerctl_prop)
+allow atcid mnt_vendor_file:dir search;
+allow atcid nvdata_file:dir rw_dir_perms;
+allow atcid nvdata_file:file create_file_perms;
+allow atcid nvram_device:blk_file rw_file_perms;
+allow atcid proc_meminfo:file r_file_perms;
+allow atcid sysfs_batteryinfo:dir search;
+allow atcid sysfs_devices_block:dir search;
+allow atcid sysfs_devices_block:file r_file_perms;
+
+# Date : WK18.35
+# Purpose: Add socket for TelephonyWare ATCI
+unix_socket_connect(atcid, rild_atci, rild)
+unix_socket_connect(atcid, rilproxy_atci, rild)
+unix_socket_connect(atcid, atci_service, atci_service)
+
+# Date : WK19.42
+# Purpose: Add policy to access ATCI sockets
+unix_socket_connect(atcid, atci-audio, audiocmdservice_atci)
+unix_socket_connect(atcid, meta_atci, meta_tst)
+allow atcid adb_atci_socket:sock_file w_file_perms;
+
+# Date : WK21.13
+# Purpose: Add policy to access CCCI
+allow atcid sysfs_ccci:dir search;
+allow atcid sysfs_ccci:file r_file_perms;
+allow atcid gsm0710muxd_device:chr_file rw_file_perms;
+
+# Date : WK21.22
+unix_socket_connect(atcid, factory_atci, factory);
+set_prop(atcid, vendor_mtk_factory_start_prop)
+
+# Date : WK21.31
+# Purpose: Add policy to support uart
+allow atcid sysfs_boot_info:file r_file_perms;
+allow atcid sysfs_meta_info:file r_file_perms;
+allow atcid ttyS_device:chr_file rw_file_perms;
+

basic/non_plat/audiocmdservice_atci.te

@@ -0,0 +1,33 @@
+# ==============================================
+# Policy File of /vendor/bin/audiocmdservice_atci Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type audiocmdservice_atci, domain;
+type audiocmdservice_atci_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(audiocmdservice_atci)
+
+allow audiocmdservice_atci self:unix_stream_socket create_socket_perms;
+
+# Access to storages for audio tuning tool to read/write tuning result
+allow audiocmdservice_atci mnt_user_file:dir rw_dir_perms;
+allow audiocmdservice_atci { mnt_user_file storage_file }:lnk_file rw_file_perms;
+allow audiocmdservice_atci bootdevice_block_device:blk_file rw_file_perms;
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(audiocmdservice_atci)
+binder_call(audiocmdservice_atci, mtk_hal_audio)
+
+hal_client_domain(audiocmdservice_atci, hal_audio)
+
+#To access the file at /dev/kmsg
+allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;
+
+userdebug_or_eng(`
+  allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin };
+')

basic/non_plat/audioserver.te

@@ -0,0 +1,48 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+allow audioserver rpc_socket:sock_file write;
+allow audioserver ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow audioserver sysfs_lowmemorykiller:file r_file_perms;
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow audioserver proc_mtkcooler:dir search;
+allow audioserver proc_mtktz:dir search;
+allow audioserver proc_thermal:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow audioserver offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK16.17
+# Operation : Migration
+# Purpose: read/open sysfs node
+allow audioserver sysfs_ccci:file r_file_perms;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: research root dir "/"
+allow audioserver tmpfs:dir search;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: access sysfs node
+allow audioserver sysfs_ccci:dir search;
+
+# Purpose: Dump debug info
+allow audioserver fuse:file w_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow audioserver proc_ged:file rw_file_perms;

basic/non_plat/biosensord_nvram.te

@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/biosensord_nvram Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type biosensord_nvram, domain;
+type biosensord_nvram_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(biosensord_nvram)
+
+# Data : WK16.21
+# Operation : New Feature
+# Purpose : For biosensor daemon can do nvram r/w to save calibration data
+allow biosensord_nvram nvdata_file:dir rw_dir_perms;
+allow biosensord_nvram nvdata_file:file create_file_perms;
+allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
+allow biosensord_nvram biometric_device:chr_file rw_file_perms;
+allow biosensord_nvram self:capability { chown fsetid };

basic/non_plat/bip_ap.te

@@ -0,0 +1,34 @@
+# ==============================================
+# Policy File of /vendor/bin/bip_ap Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type bip_ap, domain, mtkimsmddomain;
+type bip_ap_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(bip_ap)
+net_domain(bip_ap)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for bip_ap send RTP/RTCP
+allow bip_ap self:udp_socket create_socket_perms;
+allow bip_ap node:udp_socket node_bind;
+allow bip_ap port:udp_socket name_bind;
+allow bip_ap fwmarkd_socket:sock_file write;
+allow bip_ap self:tcp_socket create_stream_socket_perms;
+allow bip_ap port:tcp_socket name_connect;
+allow bip_ap self:netlink_route_socket read;
+
+# Purpose : for access ccci device
+allow bip_ap ccci_device:chr_file rw_file_perms;
+
+# Purpose : for raw socket
+allow bip_ap self:rawip_socket { create write bind setopt read getattr};
+allow bip_ap node:rawip_socket node_bind;
+
+allow bip_ap netd:unix_stream_socket connectto;
+allow bip_ap netd_socket:sock_file write;
+

basic/non_plat/bluetooth.te

@@ -0,0 +1,32 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date:W17.07
+# Operation : bt hal developing
+# Purpose : bt hal interface permission
+binder_call(bluetooth, mtk_hal_bluetooth)
+
+allow bluetooth storage_stub_file:dir getattr;
+
+# Date: 2018/02/02
+# Major permission allow are in /system/sepoplicy/private/bluetooth.te
+# Add dir create perms for bluetooth on /data/misc/bluetooth/logs
+allow bluetooth bluetooth_logs_data_file:dir { create_dir_perms relabelto };
+allow bluetooth bluetooth_logs_data_file:fifo_file create_file_perms;
+
+# Date: 2019/09/19
+allow bluetooth mtk_hal_bluetooth_audio_hwservice:hwservice_manager find;
+
+# Date :  2020/06/11
+# Operation : allow bt native process to access driver debug node and set kernel thread priority
+# Purpose: allow bt native process to access driver debug node and set kernel thread priority
+allow bluetooth proc_btdbg:file rw_file_perms;
+allow bluetooth kernel:process setsched;
+
+get_prop(bluetooth, vendor_mtk_bt_perf_prop)
+
+# Date : 2021/09/07
+# Operation : allow bluetooth to access mediametrics
+# Purpose: This operation will block A2DP Sink playback
+allow bluetooth mediametrics_service:service_manager find;

basic/non_plat/boot_logo_updater.te

@@ -0,0 +1,27 @@
+# ==============================================
+# Policy File of /system/bin/boot_logo_updater Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : To access file directories and files like logo.bin
+allow boot_logo_updater logo_block_device:blk_file r_file_perms;
+
+# To access block files at  /dev/block/mmcblk0 ir /dev/block/sdc
+allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;
+
+#To access file at  /dev/logo
+allow boot_logo_updater logo_device:chr_file r_file_perms;
+
+# To access file at   /proc/lk_env
+allow boot_logo_updater proc_lk_env:file rw_file_perms;
+
+# Date : WK16.25
+# Operation : Global_Device/Uniservice Feature
+# Purpose : for it to read-write SysEnv data
+allow boot_logo_updater para_block_device:blk_file rw_file_perms;
+# Allow ReadDefaultFstab().
+read_fstab(boot_logo_updater)

basic/non_plat/bootanim.te

@@ -0,0 +1,40 @@
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : For MTK Emulator HW GPU
+allow bootanim qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow bootanim proc_ged:file rw_file_perms;
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : For MTK perfmgr
+allow bootanim proc_perfmgr:dir r_dir_perms;
+allow bootanim proc_perfmgr:file r_file_perms;
+
+# Date : WK19.11
+# Operation : Migration
+# Purpose : Allow to access ged for ioctl related functions
+allowxperm bootanim proc_ged:file ioctl { proc_ged_ioctls };
+allowxperm bootanim proc_perfmgr:file ioctl {
+  PERFMGR_FPSGO_QUEUE
+  PERFMGR_FPSGO_DEQUEUE
+  PERFMGR_FPSGO_QUEUE_CONNECT
+  PERFMGR_FPSGO_BQID
+};
+
+# Date : WK19.48
+# Operation : Migration
+# Purpose : Allow to access gpu device search
+allow bootanim gpu_device:dir search;
+
+# Date : WK21.26
+# Operation : Migration
+# Purpose : donotaudit data directory search
+dontaudit bootanim system_data_file:dir search;

basic/non_plat/bp_kmsetkey_ca.te

@@ -0,0 +1 @@
+type bp_kmsetkey_ca, domain;

basic/non_plat/bt_dump.te

@@ -0,0 +1,28 @@
+# ==============================================
+# Policy File of /vendor/bin/bt_dump Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type bt_dump, domain;
+type bt_dump_exec, vendor_file_type, exec_type, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(bt_dump)
+
+allow bt_dump self:capability net_admin;
+allow bt_dump self:netlink_socket create_socket_perms_no_ioctl;
+allow bt_dump self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow bt_dump conninfra_device:chr_file rw_file_perms;
+allow bt_dump stpwmt_device:chr_file rw_file_perms;
+allow bt_dump tmpfs:lnk_file r_file_perms;
+allow bt_dump mnt_user_file:dir search;
+allow bt_dump mnt_user_file:lnk_file r_file_perms;
+allow bt_dump storage_file:lnk_file r_file_perms;
+allow bt_dump stp_dump_data_file:dir create_dir_perms;
+allow bt_dump stp_dump_data_file:file create_file_perms;
+allow bt_dump connsyslog_data_vendor_file:dir create_dir_perms;
+allow bt_dump connsyslog_data_vendor_file:file create_file_perms;
+get_prop(bt_dump, vendor_mtk_coredump_prop)

basic/non_plat/cameraserver.te

@@ -0,0 +1,63 @@
+# ==============================================================================
+# Policy File of /system/bin/cameraserver Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# -----------------------------------
+# Android O
+# Purpose: Allow cameraserver to perform binder IPC to servers and callbacks.
+# call camerahalserver
+binder_call(cameraserver, mtk_hal_camera)
+
+# call the graphics allocator hal
+binder_call(cameraserver, hal_graphics_allocator)
+
+# -----------------------------------
+# Android O
+# Purpose: adb shell dumpsys media.camera --unreachable
+allow cameraserver self:process ptrace;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : HDMI driver access
+allow cameraserver graphics_device:chr_file rw_file_perms;
+
+# Date : WK16.20
+# Operation : Migration
+# Purpose: research root dir "/"
+allow cameraserver tmpfs:dir search;
+
+# Date : WK16.21
+# Operation : Migration
+# Purpose : EGL file access
+allow cameraserver system_file:dir r_dir_perms;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir search;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow cameraserver proc_ged:file rw_file_perms;
+allowxperm cameraserver proc_ged:file ioctl proc_ged_ioctls;
+
+# Date : WK17.25
+# Operation : Migration
+allow cameraserver debugfs_ion:dir search;
+
+# Date : WK17.49
+# Operation : MT6771 SQC
+# Purpose: Allow permgr access
+allow cameraserver proc_perfmgr:dir r_dir_perms;
+allow cameraserver proc_perfmgr:file r_file_perms;
+allowxperm cameraserver proc_perfmgr:file ioctl {
+  PERFMGR_FPSGO_QUEUE
+  PERFMGR_FPSGO_DEQUEUE
+  PERFMGR_FPSGO_QUEUE_CONNECT
+  PERFMGR_FPSGO_BQID
+};
+
+# Date : WK21.25
+# Operation : Migration
+# Purpose : PDA Driver
+allow cameraserver camera_pda_device:chr_file rw_file_perms;

basic/non_plat/ccci_fsd.te

@@ -0,0 +1,77 @@
+# ==============================================
+# Policy File of /system/bin/ccci_fsd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type ccci_fsd_exec, exec_type, file_type, vendor_file_type;
+type ccci_fsd, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(ccci_fsd)
+
+wakelock_use(ccci_fsd)
+
+#============= ccci_fsd MD NVRAM==============
+allow ccci_fsd nvram_data_file:dir create_dir_perms;
+allow ccci_fsd nvram_data_file:file create_file_perms;
+allow ccci_fsd nvram_data_file:lnk_file read;
+allow ccci_fsd nvdata_file:lnk_file read;
+allow ccci_fsd nvdata_file:dir create_dir_perms;
+allow ccci_fsd nvdata_file:file create_file_perms;
+allow ccci_fsd nvram_device:chr_file rw_file_perms;
+allow ccci_fsd vendor_configs_file:file r_file_perms;
+allow ccci_fsd vendor_configs_file:dir r_dir_perms;
+
+#============= ccci_fsd device/path/data access==============
+allow ccci_fsd ccci_device:chr_file rw_file_perms;
+allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
+allow ccci_fsd ccci_cfg_file:file create_file_perms;
+#============= ccci_fsd MD Data==============
+allow ccci_fsd protect_f_data_file:dir create_dir_perms;
+allow ccci_fsd protect_f_data_file:file create_file_perms;
+
+allow ccci_fsd protect_s_data_file:dir create_dir_perms;
+allow ccci_fsd protect_s_data_file:file create_file_perms;
+#============= ccci_fsd MD3 related==============
+allow ccci_fsd c2k_file:dir create_dir_perms;
+allow ccci_fsd c2k_file:file create_file_perms;
+allow ccci_fsd otp_part_block_device:blk_file rw_file_perms;
+allow ccci_fsd otp_device:chr_file rw_file_perms;
+allow ccci_fsd sysfs_boot_type:file { read open };
+#============= ccci_fsd MD block data==============
+#restore>NVM_GetDeviceInfo>open  /dev/block/by-name/nvram
+allow ccci_fsd block_device:dir search;
+allow ccci_fsd nvram_device:blk_file rw_file_perms;
+allow ccci_fsd nvdata_device:blk_file rw_file_perms;
+allow ccci_fsd nvcfg_file:dir create_dir_perms;
+allow ccci_fsd nvcfg_file:file create_file_perms;
+#============= ccci_fsd cryption related ==============
+allow ccci_fsd rawfs:dir create_dir_perms;
+allow ccci_fsd rawfs:file create_file_perms;
+#============= ccci_fsd sysfs related ==============
+allow ccci_fsd sysfs_ccci:dir search;
+allow ccci_fsd sysfs_ccci:file r_file_perms;
+
+#============= ccci_fsd ==============
+allow ccci_fsd mnt_vendor_file:dir search;
+
+# Purpose: for fstab parser
+allow ccci_fsd kmsg_device:chr_file w_file_perms;
+allow ccci_fsd proc_lk_env:file rw_file_perms;
+
+#============= ccci_fsd MD Low Power Monitor Related ==============
+allow ccci_fsd ccci_data_md1_file:dir create_dir_perms;
+allow ccci_fsd ccci_data_md1_file:file create_file_perms;
+allow ccci_fsd sysfs_devices_block:dir search;
+allow ccci_fsd sysfs_devices_block:file { read getattr open };
+
+#============= ccci_fsd access vendor/etc/md file ==============
+allow ccci_fsd vendor_etc_md_file:dir search;
+allow ccci_fsd vendor_etc_md_file:file r_file_perms;
+
+#============= ccci_fsd access data/vendor_de/md file ==============
+allow ccci_fsd data_vendor_de_md_file:dir create_dir_perms;
+allow ccci_fsd data_vendor_de_md_file:file create_file_perms;

basic/non_plat/ccci_mdinit.te

@@ -0,0 +1,168 @@
+# ==============================================
+# Policy File of /vendor/bin/ccci_mdinit Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type ccci_mdinit, domain;
+type ccci_mdinit_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(ccci_mdinit)
+wakelock_use(ccci_mdinit)
+
+#=============allow ccci_mdinit to start c2krild==============
+set_prop(ccci_mdinit, vendor_mtk_ctl_viarild_prop)
+
+#=============allow ccci_mdinit to start/stop rild, mdlogger==============
+set_prop(ccci_mdinit, system_mtk_ctl_mdlogger_prop)
+set_prop(ccci_mdinit, system_mtk_ctl_emdlogger1_prop)
+set_prop(ccci_mdinit, system_mtk_ctl_emdlogger2_prop)
+set_prop(ccci_mdinit, system_mtk_ctl_emdlogger3_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_gsm0710muxd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ril-daemon-mtk_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_fusion_ril_mtk_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ril-proxy_prop)
+set_prop(ccci_mdinit, vendor_mtk_ril_active_md_prop)
+set_prop(ccci_mdinit, vendor_mtk_md_prop)
+set_prop(ccci_mdinit, vendor_mtk_net_cdma_mdmstat_prop)
+set_prop(ccci_mdinit, ctl_start_prop)
+get_prop(ccci_mdinit, vendor_mtk_tel_switch_prop)
+
+#=============allow ccci_mdinit to start/stop fsd==============
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci_fsd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci2_fsd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci3_fsd_prop)
+
+get_prop(ccci_mdinit, system_mtk_init_svc_emdlogger1_prop)
+
+allow ccci_mdinit ccci_device:chr_file rw_file_perms;
+allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;
+
+allow ccci_mdinit ccci_ccb_device:chr_file rw_file_perms;
+#=============allow ccci_mdinit to access MD NVRAM==============
+
+allow ccci_mdinit nvram_data_file:file create_file_perms;
+allow ccci_mdinit nvram_data_file:lnk_file r_file_perms;
+allow ccci_mdinit nvdata_file:lnk_file r_file_perms;
+allow ccci_mdinit nvdata_file:file create_file_perms;
+allow ccci_mdinit nvram_device:chr_file rw_file_perms;
+read_fstab(ccci_mdinit)
+get_prop(ccci_mdinit, vendor_mtk_rat_config_prop)
+
+#=============allow ccci_mdinit to access ccci config==============
+allow ccci_mdinit protect_f_data_file:file create_file_perms;
+
+#=============allow ccci_mdinit to property==============
+allow ccci_mdinit protect_s_data_file:file create_file_perms;
+allow ccci_mdinit nvram_device:blk_file rw_file_perms;
+allow ccci_mdinit nvdata_device:blk_file rw_file_perms;
+
+set_prop(ccci_mdinit, vendor_mtk_ril_mux_report_case_prop)
+
+allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
+allow ccci_mdinit ccci_cfg_file:file create_file_perms;
+
+#===============security relate ==========================
+allow ccci_mdinit preloader_device:chr_file rw_file_perms;
+allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
+allow ccci_mdinit sec_ro_device:chr_file r_file_perms;
+
+allow ccci_mdinit custom_file:dir r_dir_perms;
+allow ccci_mdinit custom_file:file r_file_perms;
+
+# Purpose : for nand partition access
+allow ccci_mdinit mtd_device:dir search;
+allow ccci_mdinit mtd_device:chr_file rw_file_perms;
+allow ccci_mdinit devmap_device:chr_file r_file_perms;
+
+# Purpose : for device bring up, not to block early migration/sanity
+allow ccci_mdinit proc_lk_env:file rw_file_perms;
+allow ccci_mdinit para_block_device:blk_file rw_file_perms;
+
+#============= ccci_mdinit sysfs related ==============
+allow ccci_mdinit sysfs_ccci:dir search;
+allow ccci_mdinit sysfs_ccci:file rw_file_perms;
+allow ccci_mdinit sysfs_ssw:dir search;
+allow ccci_mdinit sysfs_ssw:file r_file_perms;
+allow ccci_mdinit sysfs_boot_info:file r_file_perms;
+
+# Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
+allow ccci_mdinit proc_bootprof:file rw_file_perms;
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow ccci_mdinit mnt_vendor_file:dir search;
+
+# Purpose : Allow ccci_mdinit call sysenv_get and sysenv_set
+allow ccci_mdinit block_device:dir search;
+allow ccci_mdinit proc_cmdline:file r_file_perms;
+allow ccci_mdinit sysfs_dt_firmware_android:dir search;
+
+# ==============================================
+# Policy File of /vendor/bin/ccci_fs Executable File
+
+#============= ccci_fsd MD NVRAM==============
+allow ccci_mdinit nvram_data_file:dir create_dir_perms;
+allow ccci_mdinit nvdata_file:dir create_dir_perms;
+
+#============= ccci_fsd MD Data==============
+allow ccci_mdinit protect_f_data_file:dir create_dir_perms;
+allow ccci_mdinit protect_s_data_file:dir create_dir_perms;
+
+#============= ccci_fsd MD3 related==============
+allow ccci_mdinit c2k_file:dir create_dir_perms;
+allow ccci_mdinit c2k_file:file create_file_perms;
+allow ccci_mdinit otp_part_block_device:blk_file rw_file_perms;
+allow ccci_mdinit otp_device:chr_file rw_file_perms;
+allow ccci_mdinit sysfs_boot_type:file r_file_perms;
+
+#============= ccci_fsd MD block data==============
+#restore>NVM_GetDeviceInfo>open  /dev/block/by-name/nvram
+allow ccci_mdinit nvcfg_file:dir create_dir_perms;
+allow ccci_mdinit nvcfg_file:file create_file_perms;
+
+#============= ccci_fsd cryption related ==============
+allow ccci_mdinit rawfs:dir create_dir_perms;
+allow ccci_mdinit rawfs:file create_file_perms;
+
+# Purpose: for fstab parser
+allow ccci_mdinit kmsg_device:chr_file w_file_perms;
+
+#============= ccci_fsd MD Low Power Monitor Related ==============
+allow ccci_mdinit ccci_data_md1_file:dir create_dir_perms;
+allow ccci_mdinit ccci_data_md1_file:file create_file_perms;
+allow ccci_mdinit sysfs_devices_block:dir search;
+allow ccci_mdinit sysfs_devices_block:file r_file_perms;
+
+#============= ccci_fsd access vendor/etc/md file ==============
+allow ccci_mdinit vendor_etc_md_file:dir search;
+allow ccci_mdinit vendor_etc_md_file:file r_file_perms;
+
+#============= ccci_fsd access data/vendor_de/md file ==============
+allow ccci_mdinit data_vendor_de_md_file:dir create_dir_perms;
+allow ccci_mdinit data_vendor_de_md_file:file create_file_perms;
+
+allow ccci_mdinit unlabeled:dir rw_dir_perms;
+allow ccci_mdinit unlabeled:file rw_file_perms;
+
+# Date : 2021-04-12
+# Purpose: allow ccci_mdinit to access ccci_dump
+allow ccci_mdinit proc_ccci_dump:file w_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(ccci_mdinit)
+
+allow ccci_mdinit mcf_ota_block_device:dir search;
+
+# Date : 2021-07-30
+# Purpose : change sepolicy for MCF3.0
+allow ccci_mdinit sysfs_dt_firmware_android:file r_file_perms;
+allow ccci_mdinit proc_version:file r_file_perms;
+allow ccci_mdinit mcf_ota_file:dir { getattr search };
+allow ccci_mdinit mcf_ota_file:file rw_file_perms;
+

basic/non_plat/ccci_rpcd.te

@@ -0,0 +1 @@
+type ccci_rpcd, domain;

basic/non_plat/chipinfo.te

@@ -0,0 +1,11 @@
+type chipinfo, domain;
+type chipinfo_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(chipinfo)
+
+allow chipinfo vendor_toolbox_exec:file rx_file_perms;
+allow chipinfo sysfs_device_tree_model:file r_file_perms;
+allow chipinfo sysfs_soc:file r_file_perms;
+allow chipinfo sysfs_soc:dir search;
+
+set_prop(chipinfo, vendor_mtk_soc_prop)

basic/non_plat/cmddumper.te

@@ -0,0 +1,29 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#cmddumper access external modem ttySDIO2
+allow cmddumper ttySDIO_device:chr_file rw_file_perms;
+
+# for modem logging sdcard access
+allow cmddumper sdcard_type:dir create_dir_perms;
+allow cmddumper sdcard_type:file create_file_perms;
+
+# cmddumper  access on /data/mdlog
+allow cmddumper mdlog_data_file:fifo_file create_file_perms;
+allow cmddumper mdlog_data_file:file create_file_perms;
+allow cmddumper mdlog_data_file:dir { create_dir_perms relabelto };
+
+# purpose: allow cmddumper to access storage in N version
+allow cmddumper media_rw_data_file:file create_file_perms;
+allow cmddumper media_rw_data_file:dir create_dir_perms;
+
+# purpose: access plat_file_contexts
+allow cmddumper file_contexts_file:file r_file_perms;
+
+# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
+allow cmddumper sysfs_boot_mode:file r_file_perms;
+
+# Android P migration
+allow cmddumper tmpfs:lnk_file r_file_perms;
+allow cmddumper vmodem_device:chr_file rw_file_perms;

basic/non_plat/conninfra_loader.te

@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /vendor/bin/conninfra_loader Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type conninfra_loader, domain;
+type conninfra_loader_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(conninfra_loader)
+
+# Set the property
+set_prop(conninfra_loader, vendor_mtk_wmt_prop)
+
+# add ioctl/open/read/write permission for conninfra_loader with /dev/conninfra_dev
+allow conninfra_loader conninfra_device:chr_file rw_file_perms;
+

basic/non_plat/crash_dump.te

@@ -0,0 +1,58 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow crash_dump expdb_device:chr_file rw_file_perms;
+allow crash_dump expdb_block_device:blk_file rw_file_perms;
+allow crash_dump etb_device:chr_file rw_file_perms;
+
+# open/dev/mtd/mtd12 failed(expdb)
+allow crash_dump mtd_device:dir create_dir_perms;
+allow crash_dump mtd_device:chr_file rw_file_perms;
+
+# NE flow: /dev/RT_Monitor
+allow crash_dump RT_Monitor_device:chr_file r_file_perms;
+
+#data/dumpsys
+allow crash_dump aee_dumpsys_data_file:dir create_dir_perms;
+allow crash_dump aee_dumpsys_data_file:file create_file_perms;
+
+#/data/core
+allow crash_dump aee_core_data_file:dir create_dir_perms;
+allow crash_dump aee_core_data_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow crash_dump data_tmpfs_log_file:dir create_dir_perms;
+allow crash_dump data_tmpfs_log_file:file create_file_perms;
+
+# /proc/lk_env
+allow crash_dump proc_lk_env:file rw_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/cpu/alignment
+allow crash_dump proc_cpu_alignment:file w_file_perms;
+
+# Purpose: Allow crash_dump to access /sys/devices/virtual/timed_output/vibrator/enable
+allow crash_dump sysfs_vibrator_setting:dir search;
+allow crash_dump sysfs_vibrator_setting:file w_file_perms;
+allow crash_dump sysfs_vibrator:dir search;
+allow crash_dump sysfs_leds:dir search;
+
+# Purpose: Allow crash_dump to read /proc/kpageflags
+allow crash_dump proc_kpageflags:file r_file_perms;
+
+# Purpose: create /data/aee_exp at runtime
+allow crash_dump file_contexts_file:file r_file_perms;
+
+allow crash_dump proc_ppm:dir r_dir_perms;
+allow crash_dump proc_ppm:file rw_file_perms;
+allow crash_dump selinuxfs:file r_file_perms;
+
+allow crash_dump proc_meminfo:file r_file_perms;
+allow crash_dump procfs_blockio:file r_file_perms;
+
+# Purpose: Allow crash_dump to create/write /sys/kernel/tracing/slog
+allow crash_dump debugfs_tracing_instances:dir create_dir_perms;
+allow crash_dump debugfs_tracing_instances:file create_file_perms;

basic/non_plat/dconfig.te

@@ -0,0 +1 @@
+type mtk_dconfig, domain;

basic/non_plat/device.te

@@ -0,0 +1,380 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# Device types
+type devmap_device, dev_type;
+type ttyMT_device, dev_type;
+type ttyS_device, dev_type;
+type ttySDIO_device, dev_type;
+type vmodem_device, dev_type;
+type stpwmt_device, dev_type;
+type conninfra_device, dev_type;
+type conn_pwr_device, dev_type;
+type conn_scp_device, dev_type;
+type wmtdetect_device, dev_type;
+type wmtWifi_device, dev_type;
+type stpbt_device, dev_type;
+type fw_log_bt_device, dev_type;
+type stpant_device, dev_type;
+type fm_device, dev_type, mlstrustedobject;
+type gps_emi_device, dev_type;
+type stpgps_device, dev_type;
+type gps2scp_device, dev_type;
+type gps_pwr_device, dev_type;
+type gpsdl_device, dev_type;
+type connfem_device, dev_type;
+type fw_log_gps_device, dev_type;
+type fw_log_wmt_device, dev_type;
+type fw_log_wifi_device, dev_type;
+type fw_log_ics_device, dev_type;
+type fw_log_wifimcu_device, dev_type;
+type fw_log_btmcu_device, dev_type;
+type pmem_multimedia_device, dev_type;
+type mt6516_isp_device, dev_type;
+type mt6516_IDP_device, dev_type;
+type mt9p012_device, dev_type;
+type mt6516_jpeg_device, dev_type;
+type FM50AF_device, dev_type;
+type DW9714AF_device, dev_type;
+type DW9814AF_device, dev_type;
+type AK7345AF_device, dev_type;
+type DW9714A_device, dev_type;
+type LC898122AF_device, dev_type;
+type LC898212AF_device, dev_type;
+type BU6429AF_device, dev_type;
+type AD5820AF_device, dev_type;
+type DW9718AF_device, dev_type;
+type BU64745GWZAF_device, dev_type;
+type MAINAF_device, dev_type;
+type MAIN2AF_device, dev_type;
+type MAIN3AF_device, dev_type;
+type MAIN4AF_device, dev_type;
+type SUBAF_device, dev_type;
+type SUB2AF_device, dev_type;
+type M4U_device_device, dev_type;
+type Vcodec_device, dev_type;
+type MJC_device, dev_type;
+type smartpa_device, dev_type;
+type smartpa1_device, dev_type;
+type tahiti_device, dev_type;
+type uio0_device, dev_type;
+type xt_qtaguid_device, dev_type;
+type rfkill_device, dev_type;
+type sw_sync_device, dev_type, mlstrustedobject;
+type sec_device, dev_type;
+type hid_keyboard_device, dev_type;
+type btn_device, dev_type;
+type uinput_device, dev_type;
+type TV_out_device, dev_type;
+type gz_device, dev_type;
+type camera_sysram_device, dev_type;
+type camera_mem_device, dev_type;
+type camera_isp_device, dev_type;
+type camera_dip_device, dev_type;
+type camera_dpe_device, dev_type;
+type camera_tsf_device, dev_type;
+type camera_fdvt_device, dev_type;
+type camera_rsc_device, dev_type;
+type camera_gepf_device, dev_type;
+type camera_wpe_device, dev_type;
+type camera_owe_device, dev_type;
+type camera_mfb_device, dev_type;
+type camera_pda_device, dev_type;
+type camera_pipemgr_device, dev_type;
+type mtk_hcp_device, dev_type;
+type mtk_ccd_device, dev_type;
+type mtk_v4l2_media_device, dev_type;
+type ccu_device, dev_type;
+type gpueb_device, dev_type;
+type vcp_device, dev_type;
+type mvpu_algo_device, dev_type;
+type vpu_device, dev_type, mlstrustedobject;
+type mdla_device, dev_type, mlstrustedobject;
+type apusys_device, dev_type;
+type mtk_jpeg_device, dev_type;
+type kd_camera_hw_device, dev_type;
+type seninf_device, dev_type;
+type kd_camera_flashlight_device, dev_type;
+type flashlight_device, dev_type;
+type kd_camera_hw_bus2_device, dev_type;
+type MATV_device, dev_type;
+type mt_otg_test_device, dev_type;
+type mt_mdp_device, dev_type;
+type mtkg2d_device, dev_type;
+type misc_sd_device, dev_type;
+type mtk_sched_device, dev_type;
+type ampc0_device, dev_type;
+type mmp_device, dev_type;
+type ttyGS_device, dev_type;
+type CAM_CAL_DRV_device, dev_type;
+type CAM_CAL_DRV1_device, dev_type;
+type CAM_CAL_DRV2_device, dev_type;
+type camera_eeprom_device, dev_type;
+type seninf_n3d_device, dev_type;
+type MTK_SMI_device, dev_type;
+type mtk_cmdq_device, dev_type;
+type mtk_mdp_device, dev_type;
+type mtk_mdp_sync_device, dev_type;
+type mtk_fmt_sync_device, dev_type;
+type mtk_fmt_device, dev_type;
+type mtk_rrc_device, dev_type;
+type ebc_device, dev_type;
+type vow_device, dev_type;
+type MT6516_H264_DEC_device, dev_type;
+type MT6516_Int_SRAM_device, dev_type;
+type MT6516_MM_QUEUE_device, dev_type;
+type MT6516_MP4_DEC_device, dev_type;
+type MT6516_MP4_ENC_device, dev_type;
+type sensor_device, dev_type;
+type ccci_device, dev_type;
+type ccci_monitor_device, dev_type;
+type gsm0710muxd_device, dev_type;
+type eemcs_device, dev_type;
+type emd_device, dev_type;
+type st21nfc_device, dev_type;
+type st54spi_device, dev_type;
+type mmcblk_device, dev_type;
+type BOOT_device, dev_type;
+type MT_pmic_device, dev_type;
+type aal_als_device, dev_type;
+type accdet_device, dev_type;
+type android_device, dev_type;
+type bmtpool_device, dev_type;
+type bootimg_device, dev_type;
+type btif_device, dev_type;
+type cache_device, dev_type;
+type cpu_dma_latency_device, dev_type;
+type dummy_cam_cal_device, dev_type;
+type ebr_device, dev_type;
+type expdb_device, dev_type;
+type fat_device, dev_type;
+type logo_device, dev_type;
+type loop-control_device, dev_type;
+type mbr_device, dev_type;
+type met_device, dev_type;
+type misc_device, dev_type;
+type misc2_device, dev_type;
+type mtfreqhopping_device, dev_type;
+type mtgpio_device, dev_type;
+type mtk_kpd_device, dev_type;
+type network_device, dev_type;
+type nvram_device, dev_type;
+type pmt_device, dev_type;
+type preloader_device, dev_type;
+type pro_info_device, dev_type;
+type protect_f_device, dev_type;
+type protect_s_device, dev_type;
+type psaux_device, dev_type;
+type ptyp_device, dev_type;
+type recovery_device, dev_type;
+type sec_ro_device, dev_type;
+type seccfg_device, dev_type;
+type tee_part_device, dev_type;
+type snapshot_device, dev_type;
+type tgt_device, dev_type;
+type touch_device, dev_type;
+type tpd_em_log_device, dev_type;
+type ttyp_device, dev_type;
+type uboot_device, dev_type;
+type uibc_device, dev_type;
+type usrdata_device, dev_type;
+type zram0_device, dev_type;
+type hwzram0_device, dev_type;
+type RT_Monitor_device, dev_type;
+type kick_powerkey_device, dev_type;
+type agps_device, dev_type;
+type mnld_device, dev_type;
+type geo_device, dev_type;
+type mdlog_device, dev_type;
+type md32_device, dev_type;
+type scp_device, dev_type;
+type adsp_device, dev_type;
+type audio_scp_device, dev_type;
+type sspm_device, dev_type;
+type etb_device, dev_type;
+type MT_pmic_adc_cali_device, dev_type;
+type mtk-adc-cali_device, dev_type;
+type MT_pmic_cali_device,dev_type;
+type otp_device, dev_type;
+type otp_part_block_device, dev_type;
+type qemu_pipe_device, dev_type;
+type icusb_device, dev_type;
+type nlop_device, dev_type;
+type irtx_device, dev_type;
+type pmic_ftm_device, dev_type;
+type charger_ftm_device, dev_type;
+type shf_device, dev_type;
+type keyblock_device, dev_type;
+type offloadservice_device, dev_type;
+type ttyACM_device, dev_type;
+type hrm_device, dev_type;
+type lens_device, dev_type;
+type nvdata_device, dev_type;
+type mcf_ota_block_device,dev_type;
+type nvcfg_device, dev_type;
+type expdb_block_device, dev_type;
+type misc2_block_device, dev_type;
+type logo_block_device, dev_type;
+type para_block_device, dev_type;
+type tee_block_device, dev_type;
+type seccfg_block_device, dev_type;
+type secro_block_device, dev_type;
+type preloader_block_device, dev_type;
+type lk_block_device, dev_type;
+type protect1_block_device, dev_type;
+type protect2_block_device, dev_type;
+type keystore_block_device, dev_type;
+type oemkeystore_block_device, dev_type;
+type sec1_block_device, dev_type;
+type md1img_block_device, dev_type;
+type md1dsp_block_device, dev_type;
+type md1arm7_block_device, dev_type;
+type md3img_block_device, dev_type;
+type mmcblk1_block_device, dev_type;
+type mmcblk1p1_block_device, dev_type;
+type bootdevice_block_device, dev_type;
+type odm_block_device, dev_type;
+type oem_block_device, dev_type;
+type vendor_block_device, dev_type;
+type dtbo_block_device, dev_type;
+type loader_ext_block_device, dev_type;
+type spm_device, dev_type;
+type persist_block_device, dev_type;
+type md_block_device, dev_type;
+type spmfw_block_device, dev_type;
+type mcupmfw_block_device, dev_type;
+type scp_block_device, dev_type;
+type sspm_block_device, dev_type;
+type dsp_block_device, dev_type;
+type ppl_block_device, dev_type;
+type nvcfg_block_device, dev_type;
+type ancservice_device, dev_type;
+type mbim_device, dev_type;
+type audio_ipi_device, dev_type;
+type cam_vpu_block_device,dev_type;
+type boot_para_block_device,dev_type;
+type mtk_dfrc_device, dev_type;
+type vbmeta_block_device, dev_type;
+type alarm_device, dev_type;
+type mdp_device, dev_type;
+type mrdump_device, dev_type;
+type kb_block_device,dev_type;
+type dkb_block_device,dev_type;
+type mtk_radio_device, dev_type;
+type dpm_block_device, dev_type;
+type audio_dsp_block_device, dev_type;
+type gz_block_device, dev_type;
+type pi_img_device, dev_type;
+type vpud_device, dev_type;
+type vcu_device, dev_type;
+type mml_pq_device, dev_type;
+
+##########################
+# Sensor common Devices Start
+#
+type hwmsensor_device, dev_type;
+type msensor_device, dev_type;
+type gsensor_device, dev_type;
+type als_ps_device, dev_type;
+type gyroscope_device, dev_type;
+type barometer_device,dev_type;
+type humidity_device,dev_type;
+type biometric_device,dev_type;
+type sensorlist_device,dev_type;
+type hf_manager_device,dev_type;
+
+##########################
+# Sensor Devices Start
+#
+type m_batch_misc_device, dev_type;
+
+##########################
+# Sensor bio Devices Start
+#
+type m_als_misc_device, dev_type;
+type m_ps_misc_device, dev_type;
+type m_baro_misc_device, dev_type;
+type m_hmdy_misc_device, dev_type;
+type m_acc_misc_device, dev_type;
+type m_mag_misc_device, dev_type;
+type m_gyro_misc_device, dev_type;
+type m_act_misc_device, dev_type;
+type m_pedo_misc_device, dev_type;
+type m_situ_misc_device, dev_type;
+type m_step_c_misc_device, dev_type;
+type m_fusion_misc_device, dev_type;
+type m_bio_misc_device, dev_type;
+
+# Date : 2016/07/11
+# Operation : Migration
+# Purpose : Add permission for gpu access
+type dri_device, dev_type, mlstrustedobject;
+
+# Date : 2021/07/09
+# Operation : S Migration
+# Purpose : Add permission for ABOTA
+type postinstall_block_device, dev_type;
+
+# Date : 2021/08/27
+# Operation : S Migration
+# Purpose : Add permission for wifi proxy
+type ccci_wifi_proxy_device, dev_type;
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: access for fp device and client device of TEEI
+type teei_fp_device, dev_type;
+type teei_client_device, dev_type, mlstrustedobject;
+type teei_config_device, dev_type;
+type utr_tui_device, dev_type;
+type teei_vfs_device, dev_type;
+type teei_rpmb_device, dev_type;
+type ut_keymaster_device, dev_type;
+
+# Date : 2019/07/19
+# Operation : Add newwork optimization feature
+# Purpose : Add permission for nwk
+type nwkopt_device, dev_type;
+type tx_device, dev_type;
+
+# Date : 2019/11/07
+# Operation : Add thp feature
+# Purpose : Add permission for thp
+type gdix_mt_wrapper_device, dev_type, fs_type;
+type gdix_thp_device, dev_type, fs_type;
+
+type mddp_device, dev_type;
+
+type tkcore_admin_device, dev_type, mlstrustedobject;
+type tkcore_block_device, dev_type;
+
+# mobicore device type
+type mobicore_admin_device, dev_type;
+type mobicore_user_device, dev_type, mlstrustedobject;
+type mobicore_tui_device, dev_type;
+
+# teeperf device type
+type teeperf_device, dev_type, mlstrustedobject;
+
+type rpmb_block_device, dev_type;
+type rpmb_device, dev_type;
+
+type fingerprint_device, dev_type;
+
+# widevine device type
+type widevine_drv_device, dev_type;
+
+# Date:2021/08/05
+# Purpose: permission for audioserver to use ccci node
+type ccci_aud_device, dev_type;
+
+# Date:2021/07/27
+# Purpose: permission for CCB user
+type ccci_ccb_device, dev_type;
+# Purpose: permission for md_monitor
+type ccci_mdmonitor_device, dev_type;
+
+# Date: 2021/09/26
+# Operator: S migration
+# Purpose: Add permission for vilte
+type ccci_vts_device, dev_type;

basic/non_plat/dmc_core.te

@@ -0,0 +1 @@
+type dmc_core, domain;

basic/non_plat/domain.te

@@ -0,0 +1,23 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Grant read access to mtk core property type which represents all
+# mtk properties except those with ctl_xxx prefix.
+# Align Google change: f01453ad453b29dd723838984ea03978167491e5
+get_prop(domain, mtk_core_property_type)
+
+# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
+# as it is a public interface for all processes to read some OTP data.
+allow {
+  domain
+  -isolated_app
+} sysfs_devinfo:file r_file_perms;
+
+# Date : W18.45
+# Operation : MTK gpu enable drvb
+# Purpose : drvb need dgb2 permission
+allow {
+  domain
+  -isolated_app
+} sysfs_gpu:file r_file_perms;

basic/non_plat/drmserver.te

@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow drmserver proc_ged:file rw_file_perms;
+
+# get prop to judge use 64-bit or not
+get_prop(drmserver, vendor_mtk_prefer64_prop)

basic/non_plat/dumpstate.te

@@ -0,0 +1,122 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose: data/dumpsys/*
+allow dumpstate aee_dumpsys_data_file:dir w_dir_perms;
+allow dumpstate aee_dumpsys_data_file:file create_file_perms;
+
+# Purpose: debugfs files
+allow dumpstate procfs_blockio:file r_file_perms;
+
+# Purpose: /sys/kernel/ccci/md_chn
+allow dumpstate sysfs_ccci:dir search;
+allow dumpstate sysfs_ccci:file r_file_perms;
+
+# Purpose: leds status
+allow dumpstate sysfs_leds:lnk_file r_file_perms;
+
+# Purpose: /sys/module/lowmemorykiller/parameters/adj
+allow dumpstate sysfs_lowmemorykiller:file r_file_perms;
+allow dumpstate sysfs_lowmemorykiller:dir search;
+
+# Purpose: /dev/block/mmcblk0p10
+allow dumpstate expdb_block_device:blk_file rw_file_perms;
+
+#/data/anr/SF_RTT
+allow dumpstate sf_rtt_file:dir { search getattr };
+
+allow dumpstate sysfs_leds:dir r_dir_perms;
+
+# Data : WK17.03
+# Purpose: Allow to access gpu
+allow dumpstate gpu_device:dir search;
+
+# Purpose: Allow dumpstate to read /proc/ufs_debug
+allow dumpstate proc_ufs_debug:file rw_file_perms;
+
+# Purpose: Allow dumpstate to read /proc/msdc_debug
+allow dumpstate proc_msdc_debug:file r_file_perms;
+
+# Purpose: Allow dumpstate to r/w /proc/pidmap
+allow dumpstate proc_pidmap:file rw_file_perms;
+
+# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
+allow dumpstate sysfs_vcore_debug:file r_file_perms;
+
+# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
+allow dumpstate sf_rtt_file:file r_file_perms;
+
+#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
+allow dumpstate proc_slabtrace:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
+allow dumpstate proc_cmdq_debug:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
+allow dumpstate proc_dbg_repo:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_dump
+allow dumpstate proc_isp_p2_dump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_kedump
+allow dumpstate proc_isp_p2_kedump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mali/memory_usage
+allow dumpstate proc_memory_usage:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_es_reg_dump
+allow dumpstate proc_mtk_es_reg_dump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/power/mtkpasr/execstate
+allow dumpstate sysfs_execstate:file r_file_perms;
+
+allow dumpstate proc_isp_p2:dir r_dir_perms;
+allow dumpstate proc_isp_p2:file r_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow dumpstate surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W19.26
+# Operation : Migration
+# Purpose : fix google dumpstate avc error in xTS
+allow dumpstate debugfs_mmc:dir search;
+allow dumpstate mnt_media_rw_file:dir getattr;
+
+# Date: 19/07/15
+# Purpose: fix google dumpstate avc error in xTs
+allow dumpstate sysfs_devices_block:file r_file_perms;
+allow dumpstate proc_last_kmsg:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
+allow dumpstate sysfs_adsp:file r_file_perms;
+
+# MTEE Trusty
+allow dumpstate mtee_trusty_file:file rw_file_perms;
+
+# 09-05 15:58:31.552000  9693  9693 W df      : type=1400 audit(0.0:990):
+# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
+# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
+allow dumpstate mnt_expand_file:dir { search getattr };
+
+#Purpose: Allow dumpstate to read /dev/usb-ffs
+allow dumpstate functionfs:file getattr;
+
+#Purpose: Allow dumpstate to read /sys/bus/platform/drivers/cache_parity/cache_status
+allow dumpstate sysfs_cache_status:file r_file_perms;
+
+hal_client_domain(dumpstate, hal_light)
+
+#Purpose: Allow dumpstate to read /sys/kernel/tracing/instances/mmstat/trace
+allow dumpstate debugfs_tracing_instances:dir r_dir_perms;
+allow dumpstate debugfs_tracing_instances:file r_file_perms;
+
+allow dumpstate proc_ion:dir r_dir_perms;
+allow dumpstate proc_ion:file r_file_perms;
+allow dumpstate proc_m4u_dbg:dir r_dir_perms;
+allow dumpstate proc_m4u_dbg:file r_file_perms;
+allow dumpstate proc_mtkfb:file r_file_perms;
+
+allow dumpstate proc_ccci_dump:file r_file_perms;

basic/non_plat/e2fs.te

@@ -0,0 +1,34 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : create ext4 images for protect1/protect2/persist/nvdata/nvcfg block devices.
+allow e2fs protect1_block_device:blk_file rw_file_perms;
+allow e2fs protect2_block_device:blk_file rw_file_perms;
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs nvdata_device:blk_file rw_file_perms;
+allow e2fs nvcfg_block_device:blk_file rw_file_perms;
+
+allow e2fs devpts:chr_file rw_file_perms;
+
+# Date : WK18.23
+# Operation: P migration
+# Purpose : Allow mke2fs to format userdata and cache partition
+allow e2fs cache_block_device:blk_file rw_file_perms;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+
+# Date : WK19.23
+# Operation: Q migration
+# Purpose : Allow format /metadata for UDC
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
+# Date : WK19.34
+# Operation: Q migration
+# Purpose : Allow mke2fs to use ioctl/ioctlcmd
+allowxperm e2fs protect1_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs protect2_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvdata_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvcfg_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs persist_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };

basic/non_plat/eara_io.te

@@ -0,0 +1,31 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type eara_io, domain;
+type eara_io_exec, vendor_file_type, exec_type, file_type;
+# ==============================================================================
+# Common SEPolicy Rules
+# ==============================================================================
+init_daemon_domain(eara_io)
+
+allow eara_io eara_io_data_file:dir rw_dir_perms;
+allow eara_io eara_io_data_file:fifo_file create_file_perms;
+allow eara_io eara_io_data_file:file create_file_perms;
+allow eara_io proc_earaio:file r_file_perms;
+allow eara_io proc_earaio:dir r_dir_perms;
+allow eara_io proc_perfmgr:file r_file_perms;
+allow eara_io proc_perfmgr:dir r_dir_perms;
+allow eara_io proc_version:file r_file_perms;
+allow eara_io self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow eara_io self:perf_event { open kernel };
+allow eara_io sysfs_boot_mode:file r_file_perms;
+hal_client_domain(eara_io, hal_power)
+allowxperm eara_io proc_earaio:file ioctl {
+    PERFMGR_EARA_GETINDEX
+    PERFMGR_EARA_COLLECT
+};
+allowxperm eara_io proc_perfmgr:file ioctl {
+    PERFMGR_EARA_GETINDEX
+    PERFMGR_EARA_COLLECT
+};
+set_prop(eara_io, vendor_mtk_eara_io_prop)

basic/non_plat/em_hidl.te

@@ -0,0 +1,138 @@
+# ==============================================
+# Policy File of /vendor/bin/em_hidl Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type em_hidl, domain;
+type em_hidl_exec, exec_type, file_type, vendor_file_type;
+
+# Date :  2018/06/28
+init_daemon_domain(em_hidl)
+
+# Date :  2018/06/28
+# Purpose: EM_HILD
+hal_server_domain(em_hidl, hal_mtk_em)
+
+# Date :  2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set ims operator
+set_prop(em_hidl, vendor_mtk_operator_id_prop)
+
+# Date :  2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_simswitch_emmode_prop
+set_prop(em_hidl, vendor_mtk_simswitch_emmode_prop)
+
+# Date :  2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_dsbp_support_prop
+set_prop(em_hidl, vendor_mtk_dsbp_support_prop)
+
+# Date :  2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_imstestmode_prop
+set_prop(em_hidl, vendor_mtk_imstestmode_prop)
+
+# Date :  2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_smsformat_prop
+set_prop(em_hidl, vendor_mtk_smsformat_prop)
+
+# Date :  2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_gprs_prefer_prop
+set_prop(em_hidl, vendor_mtk_gprs_prefer_prop)
+
+# Date :  2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_testsim_cardtype_prop
+set_prop(em_hidl, vendor_mtk_testsim_cardtype_prop)
+
+# Date :  2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_ct_ir_engmode_prop
+set_prop(em_hidl, vendor_mtk_ct_ir_engmode_prop)
+
+# Date :  2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should vendor_mtk_disable_c2k_cap_prop
+set_prop(em_hidl, vendor_mtk_disable_c2k_cap_prop)
+
+# Date :  2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should vendor_mtk_debug_md_reset_prop
+set_prop(em_hidl, vendor_mtk_debug_md_reset_prop)
+
+# Date :  2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_omx_log_prop
+set_prop(em_hidl, vendor_mtk_omx_log_prop)
+
+# Date :  2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_vdec_log_prop
+set_prop(em_hidl, vendor_mtk_vdec_log_prop)
+
+# Date :  2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_vdectlc_log_prop
+set_prop(em_hidl, vendor_mtk_vdectlc_log_prop)
+
+# Date :  2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_venc_h264_showlog_prop
+set_prop(em_hidl, vendor_mtk_venc_h264_showlog_prop)
+
+# Date :  2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_modem_warning_prop
+set_prop(em_hidl, vendor_mtk_modem_warning_prop)
+
+# Date :  2018/07/06
+# Operation : EM DEBUG
+# Purpose: EM allow usb vendor_mtk_em_usb_prop
+set_prop(em_hidl, vendor_mtk_em_usb_prop)
+
+# Date :  2018/07/06
+# Operation : EM DEBUG
+# Purpose: for setting usb otg enable property
+set_prop(em_hidl, vendor_mtk_usb_otg_switch_prop)
+
+# Data : 2018/07/06
+# Purpose : EM MCF read nvdata dir and file
+allow em_hidl nvcfg_file:dir ra_dir_perms;
+allow em_hidl nvcfg_file:file r_file_perms;
+
+# Data : 2018/07/06
+# Purpose : EM MCF search vendor dir
+allow em_hidl mnt_vendor_file:dir search;
+
+# Data : 2018/08/10
+# Purpose : EM BT usage
+allow em_hidl stpbt_device:chr_file rw_file_perms;
+allow em_hidl sysfs_boot_mode:file r_file_perms;
+allow em_hidl ttyGS_device:chr_file rw_file_perms;
+set_prop(em_hidl, vendor_mtk_usb_prop)
+allow em_hidl nvdata_file:file r_file_perms;
+allow em_hidl nvdata_file:dir search;
+
+# Date :  2018/08/28
+# Operation : EM DEBUG
+# Purpose: for em set hidl configure
+set_prop(em_hidl, vendor_mtk_em_hidl_prop)
+
+# Date :  2019/08/22
+# Operation : EM AAL
+# Purpose: for em set aal property
+set_prop(em_hidl, vendor_mtk_pq_prop)
+
+# Date :  2019/09/10
+# Operation : EM wcn coredump
+# Purpose: for em set wcn coredump property
+set_prop(em_hidl, vendor_mtk_coredump_prop)
+
+# Date :  2021/04/15
+# Operation : mdota read
+# Purpose: read mdota files
+allow em_hidl mcf_ota_file:dir r_dir_perms;

basic/non_plat/em_svr.te

@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK1812
+# Purpose: add for MD log filter
+allow em_svr md_block_device:blk_file r_file_perms;
+
+# Date: WK1812
+# Purpose: add for SIB capture
+allow em_svr para_block_device:blk_file rw_file_perms;
+allow em_svr proc_lk_env:file rw_file_perms;