allow system_server self:capability sys_module; # allow system_server to communicate with cnd process over cnd_socket unix_socket_connect(system_server, cnd, cnd) # allow system/framework applications to update the cnd configuration files allow system_server cnd_data_file:dir rw_dir_perms; allow system_server cnd_data_file:file create_file_perms; # Access to sensors socket unix_socket_connect(system_server, sensors, sensors) unix_socket_send(system_server, sensors, sensors) allow system_server sensors:unix_stream_socket sendto; allow system_server sensors_socket:sock_file r_file_perms; qmux_socket(system_server); # access to perflock allow system_server mpctl_socket:dir r_dir_perms; unix_socket_send(system_server, mpctl, mpdecision) unix_socket_connect(system_server, mpctl, mpdecision) #access to gamed unix_socket_connect(system_server, gamed, gamed) allow system_server { # For wifistatemachine wbc_service # Allow system_server to add digital pen system service usf_service dpmservice }:service_manager add; allow system_server qtitetherservices_service:service_manager{add find}; #For ANT tty communication and to set wc_transport prop allow system_server { bluetooth_prop usf_prop }:property_service set; # required for ANT App to connectto wcnss_filter sockets allow system_server bluetooth:unix_stream_socket connectto; # access to iop allow system_server iop_socket:dir r_dir_perms; unix_socket_send(system_server, iop, dumpstate) unix_socket_connect(system_server, iop, dumpstate) # allow system/framework applications to update the dpmd configuration files unix_socket_connect(system_server, dpmd, dpmd); allow system_server { dpmd_socket socket_device }:sock_file w_file_perms; allow system_server dpmd_data_file:dir create_dir_perms; allow system_server dpmd_data_file:file create_file_perms; unix_socket_send(system_server, mpctl, perfd) unix_socket_connect(system_server, mpctl, perfd) # For location type_transition system_server location_data_file:sock_file location_socket "location-mq-s"; type_transition system_server location_data_file:sock_file location_socket "alarm_svc"; allow system_server location:unix_stream_socket connectto; allow system_server location_data_file:{ file fifo_file } create_file_perms; allow system_server location_data_file:dir create_dir_perms; allow system_server { dpmd_app_data_file location_app_data_file mdtp_svc_app_data_file qtitetherservice_app_data_file } :file rw_file_perms; allow system_server { dpmd_app_data_file location_app_data_file mdtp_svc_app_data_file qtitetherservice_app_data_file } :dir r_dir_perms; allow system_server location_socket:sock_file create_file_perms; allow system_server location_prop:property_service set; #For wifistatemachine allow system_server kernel:key search; #For ssr allow system_server ssr_device:chr_file r_file_perms; allow system_server { fuse persist_file }:dir search; allow system_server { serial_device smd_device # graphics_device, audio_device, tee_device is for WFD graphics_device audio_device tee_device }:chr_file rw_file_perms; #For firmware r_dir_file(system_server, bt_firmware_file) #For BT firmware r_dir_file(system_server, firmware_file) # Allow system server access to usf resources allow system_server usf:process signal; allow system_server usf:unix_stream_socket connectto; allow system_server usf_data_file:sock_file write; allow system_server usf_data_file:dir rw_dir_perms; allow system_server usf_data_file:file r_file_perms; allow system_server usf_data_file:lnk_file create_file_perms; allow system_server usf_data_file:fifo_file w_file_perms; # For WFD allow system_server graphics_device:dir r_dir_perms; # Allow Izat service allow system_server izat_service:service_manager add; # For QSEE Svc Apps allow system_server qsee_svc_app_data_file:file rw_file_perms; allow system_server qsee_svc_app_data_file:dir r_dir_perms; #Allow access to netmgrd socket netmgr_socket(system_server); # So init can manage our process allow system_server RIDL:fd use; allow system_server RIDL:fifo_file write; #Rules for system server to talk to peripheral manager use_per_mgr(system_server); #allow binder calls binder_call(system_server, seempd) # Allow system server access to qfp daemon binder_call(system_server, qfp-daemon); allow system_server iqfp_service:service_manager find; #for seemp unix_socket_send(system_server, seempdw, seempd) # allow tethering to access dhcp leases r_dir_file(system_server, dhcp_data_file)