1 files changed, 36 insertions, 0 deletions

diff --git a/non_plat/domain.te b/non_plat/domain.te
new file mode 100644
index 0000000..677c01c
--- /dev/null
+++ b/non_plat/domain.te
@@ -0,0 +1,36 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Grant read access to mtk core property type which represents all
+# mtk properties except those with ctl_xxx prefix.
+# Align Google change: f01453ad453b29dd723838984ea03978167491e5
+get_prop(domain, mtk_core_property_type)
+
+# Allow all processes to search /sys/kernel/debug/binder/ since it's has been
+# labeled with specific debugfs label and many violations to dir search debugfs_binder
+# are observed. Grant domain to suppress the violations as originally "debugfs:dir search"
+# is also allowed to domain as well in Google default domain.te
+allow domain debugfs_binder:dir search;
+
+# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
+# as it is a public interface for all processes to read some OTP data.
+allow domain sysfs_devinfo:file r_file_perms;
+
+# Date:20170519
+# Purpose: Full treble bootup issue, coredomain need to access libudf.so where
+# located on /vendor.
+# TODO:: In O MR1 may need to change design
+allow coredomain vendor_file:dir r_dir_perms;
+allow coredomain vendor_file:file { read open getattr execute };
+allow coredomain vendor_file:lnk_file { getattr read };
+
+# Date:20170630
+# Purpose: allow trusted process to connect aee daemon
+allow {
+  coredomain
+  -untrusted_app_all
+  -untrusted_v2_app
+} aee_aed:unix_stream_socket connectto;
+allow { domain -coredomain -hal_configstore_server } aee_aedv:unix_stream_socket connectto;
+