android_device_mediatek_sep.../non_plat/domain.te

# ==============================================
# MTK Policy Rule
# ==============================================

# Grant read access to mtk core property type which represents all
# mtk properties except those with ctl_xxx prefix.
# Align Google change: f01453ad453b29dd723838984ea03978167491e5
get_prop(domain, mtk_core_property_type)

# Allow all processes to search /sys/kernel/debug/binder/ since it's has been
# labeled with specific debugfs label and many violations to dir search debugfs_binder
# are observed. Grant domain to suppress the violations as originally "debugfs:dir search"
# is also allowed to domain as well in Google default domain.te
allow domain debugfs_binder:dir search;

# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
# as it is a public interface for all processes to read some OTP data.
allow {
  domain
  -isolated_app
} sysfs_devinfo:file r_file_perms;

# Date:20170519
# Purpose: Full treble bootup issue, coredomain need to access libudf.so where
# located on /vendor.
# TODO:: In O MR1 may need to change design
allow coredomain vendor_file:dir r_dir_perms;
#allow coredomain vendor_file:file { read open getattr execute };
allow coredomain vendor_file:lnk_file { getattr read };

# Date:20170630
# Purpose: allow trusted process to connect aee daemon
allow {
  coredomain
  -untrusted_app_all
  -untrusted_v2_app
} aee_aed:unix_stream_socket connectto;
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00			`# ==============================================`
			`# MTK Policy Rule`
			`# ==============================================`

			`# Grant read access to mtk core property type which represents all`
			`# mtk properties except those with ctl_xxx prefix.`
			`# Align Google change: f01453ad453b29dd723838984ea03978167491e5`
			`get_prop(domain, mtk_core_property_type)`

			`# Allow all processes to search /sys/kernel/debug/binder/ since it's has been`
			`# labeled with specific debugfs label and many violations to dir search debugfs_binder`
			`# are observed. Grant domain to suppress the violations as originally "debugfs:dir search"`
			`# is also allowed to domain as well in Google default domain.te`
			`allow domain debugfs_binder:dir search;`

			`# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info`
			`# as it is a public interface for all processes to read some OTP data.`
[ALPS03825066] Mark file context to fix build fails Restore the policies accessing files labeled as proc_xxx or sysfs_xxx, but there are some exceptions for coredomain process, such as meta_tst,dump_state,kpoc_charger MTK-Commit-Id: 7953b5203bb3cac099c3326d330643b4cd73746d Change-Id: I4b16c09c352891783e837bea370c264966ca6d13 CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 09:29:41 +08:00			`allow {`
			`domain`
			`-isolated_app`
			`} sysfs_devinfo:file r_file_perms;`
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00
			`# Date:20170519`
			`# Purpose: Full treble bootup issue, coredomain need to access libudf.so where`
			`# located on /vendor.`
			`# TODO:: In O MR1 may need to change design`
			`allow coredomain vendor_file:dir r_dir_perms;`
[ALPS03825066] Resolve vendor violates [Detail] Google add new neverallows rules on android P, some rule violate the rules [Solution] Remove the rules which violate google new rules MTK-Commit-Id: ff683b4eee0a6dd95ff25fbb6c7d1fc3a79c604d Change-Id: Iead494212c6adcec234eaef14c83d1f8c7a49deb CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 09:29:34 +08:00			`#allow coredomain vendor_file:file { read open getattr execute };`
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00			`allow coredomain vendor_file:lnk_file { getattr read };`

			`# Date:20170630`
			`# Purpose: allow trusted process to connect aee daemon`
			`allow {`
			`coredomain`
			`-untrusted_app_all`
			`-untrusted_v2_app`
			`} aee_aed:unix_stream_socket connectto;`
[ALPS03825066] Resolve vendor violates [Detail] Google add new neverallows rules on android P, some rule violate the rules [Solution] Remove the rules which violate google new rules MTK-Commit-Id: ff683b4eee0a6dd95ff25fbb6c7d1fc3a79c604d Change-Id: Iead494212c6adcec234eaef14c83d1f8c7a49deb CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 09:29:34 +08:00			`allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;`
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00