common/rfs_access.te - fp2-dev/device/qcom/sepolicy - Gitiles

 # rfs_access - rfs_access daemon
 type rfs_access, domain;
 type rfs_access_exec, exec_type, file_type;
 init_daemon_domain(rfs_access)

 #The files created by rfs_access process in the /data folder will have type rfs_file
 type_transition rfs_access system_data_file:{ dir file } rfs_file;
 type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";

 #The files created by rfs_access process in the /persist folder will have type rfs_file
 type_transition rfs_access persist_file:{ dir file } rfs_file;
 type_transition rfs_access persist_file:dir rfs_shared_hlos_file "hlos_rfs";

 #To read the uio char device
 allow rfs_access uio_device:chr_file rw_file_perms;

 #For QMI sockets and IPCR Sockets
 allow rfs_access self:socket create_socket_perms;
 allow rfs_access smem_log_device:chr_file rw_file_perms;

 #For Wakelocks
 wakelock_use(rfs_access)

 #To create the folders in /data
 allow rfs_access system_data_file:dir create_dir_perms;

 #To create the folders in /persist
 allow rfs_access persist_file:dir create_dir_perms;

 #For system folder entries
 allow rfs_access rfs_system_file:dir r_dir_perms;
 allow rfs_access rfs_system_file:lnk_file r_file_perms;
 allow rfs_access rfs_system_file:file r_file_perms;

 #For rfs file entries in all partitions (Private files)
 allow rfs_access rfs_file:dir create_dir_perms;
 allow rfs_access rfs_file:file create_file_perms;

 #For rfs shared hlos file entries in all partitions
 allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
 allow rfs_access rfs_shared_hlos_file:file create_file_perms;

 #For ramdump entries in /data/tombstones.
 allow rfs_access tombstone_data_file:dir create_dir_perms;
 allow rfs_access tombstone_data_file:file create_file_perms;

 #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
 allow rfs_access firmware_file:dir r_dir_perms;
 allow rfs_access firmware_file:file r_file_perms;

 #For dropping permisions from root and wakelock
 allow rfs_access self:capability { setuid setgid setpcap net_raw };

 #Prevent other domains from accessing RFS files.
 neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_file:dir create_dir_perms;
 neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_file:file create_file_perms;
	# rfs_access - rfs_access daemon
	type rfs_access, domain;
	type rfs_access_exec, exec_type, file_type;
	init_daemon_domain(rfs_access)

	#The files created by rfs_access process in the /data folder will have type rfs_file
	type_transition rfs_access system_data_file:{ dir file } rfs_file;
	type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";

	#The files created by rfs_access process in the /persist folder will have type rfs_file
	type_transition rfs_access persist_file:{ dir file } rfs_file;
	type_transition rfs_access persist_file:dir rfs_shared_hlos_file "hlos_rfs";

	#To read the uio char device
	allow rfs_access uio_device:chr_file rw_file_perms;

	#For QMI sockets and IPCR Sockets
	allow rfs_access self:socket create_socket_perms;
	allow rfs_access smem_log_device:chr_file rw_file_perms;

	#For Wakelocks
	wakelock_use(rfs_access)

	#To create the folders in /data
	allow rfs_access system_data_file:dir create_dir_perms;

	#To create the folders in /persist
	allow rfs_access persist_file:dir create_dir_perms;

	#For system folder entries
	allow rfs_access rfs_system_file:dir r_dir_perms;
	allow rfs_access rfs_system_file:lnk_file r_file_perms;
	allow rfs_access rfs_system_file:file r_file_perms;

	#For rfs file entries in all partitions (Private files)
	allow rfs_access rfs_file:dir create_dir_perms;
	allow rfs_access rfs_file:file create_file_perms;

	#For rfs shared hlos file entries in all partitions
	allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
	allow rfs_access rfs_shared_hlos_file:file create_file_perms;

	#For ramdump entries in /data/tombstones.
	allow rfs_access tombstone_data_file:dir create_dir_perms;
	allow rfs_access tombstone_data_file:file create_file_perms;

	#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
	allow rfs_access firmware_file:dir r_dir_perms;
	allow rfs_access firmware_file:file r_file_perms;

	#For dropping permisions from root and wakelock
	allow rfs_access self:capability { setuid setgid setpcap net_raw };

	#Prevent other domains from accessing RFS files.
	neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_file:dir create_dir_perms;
	neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_file:file create_file_perms;