# ==============================================
# MTK Policy Rule
# ==============================================

# Grant read access to mtk core property type which represents all
# mtk properties except those with ctl_xxx prefix.
# Align Google change: f01453ad453b29dd723838984ea03978167491e5
get_prop(domain, mtk_core_property_type)

# Allow all processes to search /sys/kernel/debug/binder/ since it's has been
# labeled with specific debugfs label and many violations to dir search debugfs_binder
# are observed. Grant domain to suppress the violations as originally "debugfs:dir search"
# is also allowed to domain as well in Google default domain.te
allow domain debugfs_binder:dir search;

# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
# as it is a public interface for all processes to read some OTP data.
allow {
  domain
  -isolated_app
} sysfs_devinfo:file r_file_perms;

# Date:20170630
# Purpose: allow trusted process to connect aee daemon
#allow {
#  coredomain
#  -untrusted_app_all
#} aee_aed:unix_stream_socket connectto;
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_exp_vendor_file:file w_file_perms;
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:fd use;


# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
# TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations.
#   allow hal_usb sysfs:file write;
#   hal_server_domain(mtk_hal_usb, hal_usb)
#
#   r_dir_file(hal_wifi, sysfs_type)
#   hal_server_domain(mtk_hal_wifi, hal_wifi)
#
full_treble_only(`
  neverallow ~{
    init
    merged_hal_service
    mtk_hal_bluetooth
    mtk_hal_power
    mtk_hal_usb
    mtk_hal_wifi
    hal_bluetooth_btlinux
    hal_bluetooth_default
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    hal_fingerprint_default
    hal_radio_config_default
    hal_radio_default
    hal_usb_default
    hal_wifi_default
    hal_wifi_supplicant_default
    rild
    tee
    ueventd
    vendor_init
    vold
    } sysfs:file *;

  neverallow {
    merged_hal_service
    mtk_hal_bluetooth
    mtk_hal_power
    mtk_hal_wifi
    hal_bluetooth_btlinux
    hal_bluetooth_default
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    hal_fingerprint_default
    hal_radio_config_default
    hal_radio_default
    hal_wifi_default
    hal_wifi_supplicant_default
    rild
    tee
  } sysfs:file ~r_file_perms;

  neverallow {
    hal_usb_default
    init
    mtk_hal_usb
    ueventd
    vendor_init
    vold
  } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
')

# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
#
#   r_dir_file(hal_audio, proc)
#   hal_server_domain(mtk_hal_audio, hal_audio)
#   hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
  neverallow ~{
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    hal_graphics_allocator_default
    init
    merged_hal_service
    mtk_hal_audio
    rild
    system_server
    vendor_init
    vold
    } proc:file *;

  neverallow {
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    hal_graphics_allocator_default
    init
    merged_hal_service
    mtk_hal_audio
    rild
    system_server
    vold
    } proc:file ~r_file_perms;

  neverallow vendor_init proc:file ~{ r_file_perms setattr };

  neverallow ~{
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    init
    mtk_hal_audio
    rild
    system_server
    } proc:lnk_file ~{ read getattr };

  neverallow {
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    init
    mtk_hal_audio
    rild
    system_server
    } proc:lnk_file ~r_file_perms;
')


# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
#   allow hal_drm system_data_file:file { getattr read };
#   hal_server_domain(merged_hal_service, hal_drm)
#
full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_cas_default
    -hal_drm_clearkey
    -hal_drm_default
    -hal_drm_widevine
    -merged_hal_service
    -tee
    } system_data_file:file *;

  neverallow ~{
    appdomain
    app_zygote
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    init
    installd
    iorap_prefetcherd
    mediadrmserver
    mediaextractor
    mediaserver
    merged_hal_service
    system_server
    tee
    toolbox
    vold
    vold_prepare_subdirs
    } system_data_file:file ~r_file_perms;

  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };

  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

  neverallow iorap_prefetcherd system_data_file:file ~{ open read };

  neverallow {
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    mediadrmserver
    mediaextractor
    mediaserver
    merged_hal_service
    tee
    } system_data_file:file ~{ getattr read };

  neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };

  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

  neverallow vold system_data_file:file ~read;
')