| type diag, domain; |
| type diag_exec, exec_type, vendor_file_type, file_type; |
| userdebug_or_eng(` |
| domain_auto_trans(shell, diag_exec, diag) |
| #domain_auto_trans(adbd, diag_exec, diag) |
| file_type_auto_trans(diag, system_data_file, diag_data_file); |
| allow diag { |
| diag_device |
| devpts |
| console_device |
| # allow access to qseecom for drmdiagapp |
| tee_device |
| }:chr_file rw_file_perms; |
| allow diag { |
| shell |
| su |
| }:fd use; |
| |
| allow diag { |
| cgroup |
| fuse |
| persist_drm_file |
| }:dir create_dir_perms; |
| |
| allow diag port:tcp_socket name_connect; |
| allow diag self:capability { setuid net_raw sys_admin setgid dac_override }; |
| allow diag self:capability2 syslog; |
| allow diag self:tcp_socket { create connect setopt}; |
| wakelock_use(diag) |
| allow diag kernel:system syslog_mod; |
| # allow drmdiagapp access to drm related paths |
| allow diag persist_file:dir r_dir_perms; |
| r_dir_file(diag, persist_data_file) |
| # Write to drm related pieces of persist partition |
| allow diag persist_drm_file:file create_file_perms; |
| ') |