common/mmi.te - device/qcom/sepolicy - Gitiles

 #integrated process
 type mmi, domain;
 type mmi_exec, exec_type, vendor_file_type, file_type;

 #started by init
 init_daemon_domain(mmi)

 #self capability
 allow mmi self:socket create_socket_perms_no_ioctl;
 allow mmi self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
 allow mmi self:udp_socket create_socket_perms_no_ioctl;
 allow mmi self:capability { sys_nice dac_override setuid setgid fowner chown fsetid kill net_admin sys_module net_raw};
 allow mmi self:capability2 wake_alarm;

 #For various devices
 allow mmi sysfs:file w_file_perms;
 allow mmi graphics_device:dir r_dir_perms;
 allow mmi graphics_device:chr_file rw_file_perms;
 allow mmi input_device:chr_file r_file_perms;
 allow mmi input_device:dir r_dir_perms;
 allow mmi nfc_device:chr_file rw_file_perms;
 allow mmi vendor_shell_exec:file rx_file_perms;
 wakelock_use(mmi)

 #FTM_AP folder permissions
 file_type_auto_trans(mmi, cache_file, mmi_data_file);
 allow mmi mmi_data_file:dir rw_dir_perms;
 allow mmi mmi_data_file:file create_file_perms;

 #socket
 allow mmi socket_device:dir w_dir_perms;

 #allow mmi set system prop,sensor need write persist
 set_prop(mmi, powerctl_prop)
 allow mmi persist_file:dir r_dir_perms;
 allow mmi sensors_persist_file:dir create_dir_perms;
 allow mmi sensors_persist_file:file create_file_perms;

 #wifi case
 allow mmi system_file:file x_file_perms;
 #allow mmi wpa_exec:file rx_file_perms;
 allow mmi wcnss_service_exec:file rx_file_perms;
 allow mmi kernel:key search;
 allow mmi kernel:system module_request;
 allow mmi vendor_toolbox_exec:file rx_file_perms;
 allow mmi system_file:system module_load;

 #audio case
 allow mmi audio_device:dir r_dir_perms;
 allow mmi audio_device:chr_file rw_file_perms;

 #FM case
 allow mmi fm_radio_device:chr_file r_file_perms;
 allow mmi fm_data_file:file r_file_perms;
 set_prop(mmi, fm_prop)
 set_prop(mmi, ctl_default_prop)
 #bluetooth case
 allow mmi bluetooth_data_file:dir rw_dir_perms;
 allow mmi bluetooth_data_file:file create_file_perms;
 set_prop(mmi, bluetooth_prop)
 allow mmi smd_device:chr_file rw_file_perms;
 allow mmi persist_bluetooth_file:file r_file_perms;
 allow mmi wcnss_filter:unix_stream_socket connectto;

 #GPS case
 allow mmi location_data_file:fifo_file create_file_perms;
 allow mmi location_data_file:dir create_dir_perms;
 allow mmi location_data_file:file create_file_perms;
 allow mmi mmi_socket:sock_file create_file_perms;
 type_transition mmi socket_device:sock_file mmi_socket;
 allow mmi location_exec:file rx_file_perms;
 allow mmi smem_log_device:chr_file rw_file_perms;
 allow mmi ssr_device:chr_file r_file_perms;

 #SD card case
 allow mmi sd_device:blk_file rw_file_perms;
 allow mmi block_device:blk_file getattr;
 allow mmi block_device:dir r_dir_perms;

 #camera
 allow mmi video_device:chr_file rw_file_perms;
 allow mmi camera_data_file:sock_file write;
 allow mmi camera_data_file:dir r_dir_perms;
 allow mmi mm-qcamerad:unix_dgram_socket sendto;

 #nfc case
 allow mmi nfc_data_file:dir rw_dir_perms;
 allow mmi nfc_data_file:file create_file_perms;

 #simcard
 qmux_socket(mmi);

 #allow mmi access chgdiabled prop
 set_prop(mmi, chgdiabled_prop)
 #Allow mmi operate on surfaceflinger
 allow mmi surfaceflinger:fd use;
 #allow mmi surfaceflinger_service:service_manager find;

 #Allow mmi operate on graphics
 hal_client_domain(mmi, hal_graphics_allocator);

 #Allow mmi operate on hwservicemanager
 hwbinder_use(hwservicemanager);
 get_prop(mmi, hwservicemanager_prop);

 #Allow mmi operate ion_device
 allow mmi ion_device:chr_file r_file_perms;

 #Allow mmi operate on graphics
 hal_client_domain(mmi, hal_graphics_allocator);

 #Allow mmi operate on hwservicemanager
 hwbinder_use(hwservicemanager);
 get_prop(mmi, hwservicemanager_prop);

 #Allow mmi operate ion_device
 allow mmi ion_device:chr_file r_file_perms;

 #Allow mmi to use IPC
 #binder_use(mmi)
 binder_call(mmi,surfaceflinger)

 #sensor cases
 unix_socket_connect(mmi, sensors, sensors);
 allow mmi sensors_device:chr_file r_file_perms;

 #logcat
 #domain_auto_trans(mmi, logcat_exec, logd);

 #access kmsg device for logging
 allow mmi kmsg_device:chr_file rw_file_perms;

 #mmi test
 unix_socket_connect(mmi, cnd, cnd);
 unix_socket_connect(mmi, netmgrd, netmgrd);
 net_domain(mmi);

 #allow mmi access boot mode switch
 set_prop(mmi, boot_mode_prop)
 #diag
 userdebug_or_eng(`
     diag_use(mmi)
 ')
	#integrated process
	type mmi, domain;
	type mmi_exec, exec_type, vendor_file_type, file_type;

	#started by init
	init_daemon_domain(mmi)

	#self capability
	allow mmi self:socket create_socket_perms_no_ioctl;
	allow mmi self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
	allow mmi self:udp_socket create_socket_perms_no_ioctl;
	allow mmi self:capability { sys_nice dac_override setuid setgid fowner chown fsetid kill net_admin sys_module net_raw};
	allow mmi self:capability2 wake_alarm;

	#For various devices
	allow mmi sysfs:file w_file_perms;
	allow mmi graphics_device:dir r_dir_perms;
	allow mmi graphics_device:chr_file rw_file_perms;
	allow mmi input_device:chr_file r_file_perms;
	allow mmi input_device:dir r_dir_perms;
	allow mmi nfc_device:chr_file rw_file_perms;
	allow mmi vendor_shell_exec:file rx_file_perms;
	wakelock_use(mmi)

	#FTM_AP folder permissions
	file_type_auto_trans(mmi, cache_file, mmi_data_file);
	allow mmi mmi_data_file:dir rw_dir_perms;
	allow mmi mmi_data_file:file create_file_perms;

	#socket
	allow mmi socket_device:dir w_dir_perms;

	#allow mmi set system prop,sensor need write persist
	set_prop(mmi, powerctl_prop)
	allow mmi persist_file:dir r_dir_perms;
	allow mmi sensors_persist_file:dir create_dir_perms;
	allow mmi sensors_persist_file:file create_file_perms;

	#wifi case
	allow mmi system_file:file x_file_perms;
	#allow mmi wpa_exec:file rx_file_perms;
	allow mmi wcnss_service_exec:file rx_file_perms;
	allow mmi kernel:key search;
	allow mmi kernel:system module_request;
	allow mmi vendor_toolbox_exec:file rx_file_perms;
	allow mmi system_file:system module_load;

	#audio case
	allow mmi audio_device:dir r_dir_perms;
	allow mmi audio_device:chr_file rw_file_perms;

	#FM case
	allow mmi fm_radio_device:chr_file r_file_perms;
	allow mmi fm_data_file:file r_file_perms;
	set_prop(mmi, fm_prop)
	set_prop(mmi, ctl_default_prop)
	#bluetooth case
	allow mmi bluetooth_data_file:dir rw_dir_perms;
	allow mmi bluetooth_data_file:file create_file_perms;
	set_prop(mmi, bluetooth_prop)
	allow mmi smd_device:chr_file rw_file_perms;
	allow mmi persist_bluetooth_file:file r_file_perms;
	allow mmi wcnss_filter:unix_stream_socket connectto;

	#GPS case
	allow mmi location_data_file:fifo_file create_file_perms;
	allow mmi location_data_file:dir create_dir_perms;
	allow mmi location_data_file:file create_file_perms;
	allow mmi mmi_socket:sock_file create_file_perms;
	type_transition mmi socket_device:sock_file mmi_socket;
	allow mmi location_exec:file rx_file_perms;
	allow mmi smem_log_device:chr_file rw_file_perms;
	allow mmi ssr_device:chr_file r_file_perms;

	#SD card case
	allow mmi sd_device:blk_file rw_file_perms;
	allow mmi block_device:blk_file getattr;
	allow mmi block_device:dir r_dir_perms;

	#camera
	allow mmi video_device:chr_file rw_file_perms;
	allow mmi camera_data_file:sock_file write;
	allow mmi camera_data_file:dir r_dir_perms;
	allow mmi mm-qcamerad:unix_dgram_socket sendto;

	#nfc case
	allow mmi nfc_data_file:dir rw_dir_perms;
	allow mmi nfc_data_file:file create_file_perms;

	#simcard
	qmux_socket(mmi);

	#allow mmi access chgdiabled prop
	set_prop(mmi, chgdiabled_prop)
	#Allow mmi operate on surfaceflinger
	allow mmi surfaceflinger:fd use;
	#allow mmi surfaceflinger_service:service_manager find;

	#Allow mmi operate on graphics
	hal_client_domain(mmi, hal_graphics_allocator);

	#Allow mmi operate on hwservicemanager
	hwbinder_use(hwservicemanager);
	get_prop(mmi, hwservicemanager_prop);

	#Allow mmi operate ion_device
	allow mmi ion_device:chr_file r_file_perms;

	#Allow mmi operate on graphics
	hal_client_domain(mmi, hal_graphics_allocator);

	#Allow mmi operate on hwservicemanager
	hwbinder_use(hwservicemanager);
	get_prop(mmi, hwservicemanager_prop);

	#Allow mmi operate ion_device
	allow mmi ion_device:chr_file r_file_perms;

	#Allow mmi to use IPC
	#binder_use(mmi)
	binder_call(mmi,surfaceflinger)

	#sensor cases
	unix_socket_connect(mmi, sensors, sensors);
	allow mmi sensors_device:chr_file r_file_perms;

	#logcat
	#domain_auto_trans(mmi, logcat_exec, logd);

	#access kmsg device for logging
	allow mmi kmsg_device:chr_file rw_file_perms;

	#mmi test
	unix_socket_connect(mmi, cnd, cnd);
	unix_socket_connect(mmi, netmgrd, netmgrd);
	net_domain(mmi);

	#allow mmi access boot mode switch
	set_prop(mmi, boot_mode_prop)
	#diag
	userdebug_or_eng(`
	diag_use(mmi)
	')