# Rules attached to the domain attribute, i.e. every process type in the
# policy. Anything granted here is granted to all domains unless a
# { domain - X } exclusion is written; keep new rules as narrow as possible.

# Read-only access to the SoC info, ESOC and SSR sysfs nodes.
# isolated_app (sandboxed, untrusted app processes) is excluded on purpose.
r_dir_file({domain - isolated_app}, sysfs_socinfo);
r_dir_file({domain - isolated_app}, sysfs_esoc);
r_dir_file({domain - isolated_app}, sysfs_ssr);
# dontaudit only suppresses the denial log entry; no permission is granted.
dontaudit domain kernel:system module_request;
# Allow all domains (except isolated_app) read access to sysfs_thermal
r_dir_file({domain - isolated_app}, sysfs_thermal);
# Allow domain to read the /vendor -> /system/vendor symlink
allow domain system_file:lnk_file getattr;
allow domain vendor_gralloc_prop:file r_file_perms;
allow domain vendor_configs_file:file r_file_perms;
# Emitted only on devices that are not full Treble; full-Treble builds get
# no blanket vendor_file directory access from this rule.
not_full_treble(`allow domain vendor_file:dir r_dir_perms;')
# Added now for smoother UI
# Remove this after HIDL implementation
# userdebug/eng builds only: lets any domain use file descriptors passed
# from the graphics composer HAL. Not present in user builds.
userdebug_or_eng(`
allow domain hal_graphics_composer:fd use;
')
# Silence (not grant) reads of persist_dpm_prop from all domains.
dontaudit domain persist_dpm_prop:file r_file_perms;
# Compile-time assertion: no coredomain process other than the listed
# exemptions may have any access to vendor_persist_type dirs or files.
# The policy build fails if another rule contradicts this.
neverallow {
coredomain
-init
-ueventd
-platform_app
-system_app
-vold
} vendor_persist_type: { dir file } *;
# Vendor (non-core) domains may read symlinks under mnt_vendor_file.
allow { domain - coredomain } mnt_vendor_file:lnk_file r_file_perms;
# Extended permission rule: ioctl on icmp sockets is limited to the
# unprivileged ioctl sets below; other ioctl numbers remain denied.
allowxperm domain domain:icmp_socket ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# For compliance testing the test suite reads vendor_security_patch_level_prop,
# which is the publicly readable property ro.vendor.build.security_patch
get_prop(domain, vendor_security_patch_level_prop)
get_prop(domain, public_vendor_default_prop)
# NOTE(review): search-only access to the qti debugfs directory, but unlike
# the sysfs rules in this file there is no isolated_app exclusion here;
# confirm that is intended.
allow domain qti_debugfs:dir search;
# Read-only access to the KGSL GPU clock sysfs node (file and symlink).
allow { domain - isolated_app } sysfs_kgsl_gpuclk:file r_file_perms;
allow { domain - isolated_app } sysfs_kgsl_gpuclk:lnk_file r_file_perms;
# Recent Linux kernels check dac_read_search before checking the
# dac_override capability. Adding a dontaudit rule for dac_read_search
# for the domains that already have dac_override exceptions silences the
# resulting dac_read_search denials. This grants nothing: a domain that
# lacks dac_override is still denied, just without a log entry.
# kernel commit: https://github.com/torvalds/linux/commit/2a4c22426955d4fc04069811997b7390c0fb858e
dontaudit {
dnsmasq
dumpstate
init
installd
install_recovery
lmkd
netd
perfprofd
postinstall_dexopt
recovery
sdcardd
tee
ueventd
uncrypt
vendor_init
vold
vold_prepare_subdirs
zygote
} self:capability dac_read_search;