common/wfdservice.te - fp2-dev/device/qcom/sepolicy - Gitiles

 type wfdservice, domain;
 type wfdservice_exec, exec_type, file_type;

 #Allow for transition from init domain to wfdservice
 init_daemon_domain(wfdservice)

 #Inherit base socket permissions from netd domain
 net_domain(wfdservice)

 #Allow wfdservice to use Binder IPC
 binder_use(wfdservice)

 #Allow for interaction with Display HAL
 binder_call(wfdservice, surfaceflinger)
 binder_call(surfaceflinger, wfdservice)

 #Allow apps to interact with wfdservice
 binder_call(wfdservice, platform_app)
 binder_call(platform_app, wfdservice)
 binder_call(wfdservice, system_app)
 binder_call(system_app, wfdservice)

 #Allow access to Audio Flinger APIs
 binder_call(wfdservice, mediaserver)

 #Allow access to Permission Controller in System Server
 binder_call(wfdservice, system_server)

 # Mark wfdservice as a Binder service domain
 binder_service(wfdservice)

 #Allow wfdservice to be registered with service manager
 allow wfdservice wfdservice_service:service_manager add;

 #Allow access to PCM sound card
 allow wfdservice audio_device:chr_file rw_file_perms;
 allow wfdservice audio_device:dir r_dir_perms;

 #Allow access to /dev/graphics/fb* for screen capture
 allow wfdservice graphics_device:chr_file rw_file_perms;

 #Allow communication with init over property server
 unix_socket_connect(wfdservice, property, init);

 #Allow access to /dev/video/* devices for encoding/decoding
 allow wfdservice video_device:chr_file rw_file_perms;
 allow wfdservice video_device:dir r_dir_perms;

 #Allow access to tee device for HDCP sessions
 allow wfdservice tee_device:chr_file rw_file_perms;

 #Allow access to uhid driver for HID event injection
 allow wfdservice uhid_device:chr_file rw_file_perms;

 #Allow PROT_EXEC for 3rd party library loaded by wfdservice
 allow wfdservice self:process execmem;

 #Allow access to read mmosal_logmask file in /data partition
 userdebug_or_eng(`
   allow wfdservice system_data_file:file r_file_perms;
 ')

 #Allow access to firmware files for HDCP session
 allow wfdservice firmware_file:file r_file_perms;
 allow wfdservice firmware_file:dir r_dir_perms;

 #Allow access to /data/media for dumping
 allow wfdservice media_rw_data_file:dir create_dir_perms;
 allow wfdservice media_rw_data_file:file create_file_perms;
	type wfdservice, domain;
	type wfdservice_exec, exec_type, file_type;

	#Allow for transition from init domain to wfdservice
	init_daemon_domain(wfdservice)

	#Inherit base socket permissions from netd domain
	net_domain(wfdservice)

	#Allow wfdservice to use Binder IPC
	binder_use(wfdservice)

	#Allow for interaction with Display HAL
	binder_call(wfdservice, surfaceflinger)
	binder_call(surfaceflinger, wfdservice)

	#Allow apps to interact with wfdservice
	binder_call(wfdservice, platform_app)
	binder_call(platform_app, wfdservice)
	binder_call(wfdservice, system_app)
	binder_call(system_app, wfdservice)

	#Allow access to Audio Flinger APIs
	binder_call(wfdservice, mediaserver)

	#Allow access to Permission Controller in System Server
	binder_call(wfdservice, system_server)

	# Mark wfdservice as a Binder service domain
	binder_service(wfdservice)

	#Allow wfdservice to be registered with service manager
	allow wfdservice wfdservice_service:service_manager add;

	#Allow access to PCM sound card
	allow wfdservice audio_device:chr_file rw_file_perms;
	allow wfdservice audio_device:dir r_dir_perms;

	#Allow access to /dev/graphics/fb* for screen capture
	allow wfdservice graphics_device:chr_file rw_file_perms;

	#Allow communication with init over property server
	unix_socket_connect(wfdservice, property, init);

	#Allow access to /dev/video/* devices for encoding/decoding
	allow wfdservice video_device:chr_file rw_file_perms;
	allow wfdservice video_device:dir r_dir_perms;

	#Allow access to tee device for HDCP sessions
	allow wfdservice tee_device:chr_file rw_file_perms;

	#Allow access to uhid driver for HID event injection
	allow wfdservice uhid_device:chr_file rw_file_perms;

	#Allow PROT_EXEC for 3rd party library loaded by wfdservice
	allow wfdservice self:process execmem;

	#Allow access to read mmosal_logmask file in /data partition
	userdebug_or_eng(`
	allow wfdservice system_data_file:file r_file_perms;
	')

	#Allow access to firmware files for HDCP session
	allow wfdservice firmware_file:file r_file_perms;
	allow wfdservice firmware_file:dir r_dir_perms;

	#Allow access to /data/media for dumping
	allow wfdservice media_rw_data_file:dir create_dir_perms;
	allow wfdservice media_rw_data_file:file create_file_perms;