android_device_mediatek_sepolicy/non_plat/mtk_hal_mms.te

# ==============================================
# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.mms@1.0-service Executable File

# ==============================================
# Type Declaration
# ==============================================

type mtk_hal_mms, domain;
type mtk_hal_mms_exec, exec_type, file_type, vendor_file_type;

# ==============================================
# MTK Policy Rule
# ==============================================

# Setup for domain transition
init_daemon_domain(mtk_hal_mms)

# Allow to use HWBinder IPC
hwbinder_use(mtk_hal_mms);

# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
hal_server_domain(mtk_hal_mms, hal_mms)

# add/find permission rule to hwservicemanager
add_hwservice(hal_mms_server, mtk_hal_mms_hwservice)

# Purpose : Allow to use kernel driver
allow mtk_hal_mms graphics_device:chr_file { read write open ioctl };
allow mtk_hal_mms ion_device:chr_file { read open ioctl };
allow mtk_hal_mms mtk_cmdq_device:chr_file { read open ioctl };
allow mtk_hal_mms mtk_mdp_device:chr_file rw_file_perms;
allow mtk_hal_mms sw_sync_device:chr_file rw_file_perms;
allow mtk_hal_mms mtk_hal_pq_hwservice:hwservice_manager find;
allow mtk_hal_mms proc:file r_file_perms;

# Purpose : Allow to use allocator for JPEG
hal_client_domain(mtk_hal_mms, hal_allocator)
allow mtk_hal_mms mtk_hal_pq:binder call;

# Purpose : Allow to use graphics allocator fd for gralloc_extra
allow mtk_hal_mms hal_graphics_allocator_default:fd use;
allow mtk_hal_mms debugfs_ion:dir search;

# Purpose : VDEC/VENC device node
allow mtk_hal_mms Vcodec_device:chr_file rw_file_perms;
allow mtk_hal_mms proc_mtk_jpeg:file r_file_perms;
allowxperm mtk_hal_mms proc_mtk_jpeg:file ioctl {
     JPG_BRIDGE_ENC_IO_INIT
     JPG_BRIDGE_ENC_IO_CONFIG
     JPG_BRIDGE_ENC_IO_WAIT
     JPG_BRIDGE_ENC_IO_DEINIT
     JPG_BRIDGE_ENC_IO_START
     };