path: root/common/mmi.te
blob: 9cc2021dff68be41e88c78cbce7f67d78cbf854c (plain)
#Domain for the mmi process (the original author calls it an "integrated
#process"). mmi_exec labels its executable and marks it as a vendor file.
type mmi, domain;
type mmi_exec, exec_type, vendor_file_type, file_type;

#Started by init: init_daemon_domain sets up the automatic transition from
#init into the mmi domain when init executes a file labelled mmi_exec.
init_daemon_domain(mmi)

#Sockets and Linux capabilities mmi may use on itself.
#Generic, netlink, generic-netlink and UDP sockets, all without ioctl.
allow mmi self:socket create_socket_perms_no_ioctl;
allow mmi self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
allow mmi self:udp_socket create_socket_perms_no_ioctl;
#NOTE(review): this capability set is broad. dac_override bypasses file
#permission checks, sys_module permits loading and unloading kernel modules,
#and setuid/setgid/net_admin/net_raw are granted in the same rule. No rule
#visible in this file limits it to factory or debug builds, so confirm each
#capability is still required and drop the ones that are not.
allow mmi self:capability { sys_nice dac_override setuid setgid fowner chown fsetid kill net_admin sys_module net_raw};
#wake_alarm: mmi may set alarms that wake the device from suspend.
allow mmi self:capability2 wake_alarm;

#Device node and sysfs access used by the hardware tests.
#NOTE(review): the next rule grants write access to every file carrying the
#generic sysfs label, not only the nodes mmi needs. Dedicated sysfs types,
#as used by the LED and battery rules later in this file, are tighter.
allow mmi sysfs:file w_file_perms;
#Framebuffer/graphics nodes: list the directory, read and write the devices.
allow mmi graphics_device:dir r_dir_perms;
allow mmi graphics_device:chr_file rw_file_perms;
#Input devices are read-only for mmi.
allow mmi input_device:chr_file r_file_perms;
allow mmi input_device:dir r_dir_perms;
allow mmi nfc_device:chr_file rw_file_perms;
#mmi may read and execute the vendor shell.
allow mmi vendor_shell_exec:file rx_file_perms;
#Lets mmi hold wakelocks while it runs.
wakelock_use(mmi)

#FTM_AP folder permissions: objects mmi creates inside a directory labelled
#cache_file are automatically given the mmi_data_file label.
file_type_auto_trans(mmi, cache_file, mmi_data_file);
allow mmi mmi_data_file:dir rw_dir_perms;
allow mmi mmi_data_file:file create_file_perms;

#socket: mmi may add and remove entries in the socket_device directory.
allow mmi socket_device:dir w_dir_perms;

#Allow mmi to set a system property; the sensor tests need to write under
#persist.
#NOTE(review): powerctl_prop is the label of the property used to request
#reboot or shutdown, so this rule lets mmi power-cycle the device. Confirm
#that is intended outside factory builds.
set_prop(mmi, powerctl_prop)
allow mmi persist_file:dir r_dir_perms;
allow mmi sensors_persist_file:dir create_dir_perms;
allow mmi sensors_persist_file:file create_file_perms;

#wifi case
#NOTE(review): x_file_perms on system_file lets mmi execute any file that
#carries the generic system_file label, not one specific helper.
allow mmi system_file:file x_file_perms;
#allow mmi wpa_exec:file rx_file_perms;
allow mmi wcnss_service_exec:file rx_file_perms;
allow mmi kernel:key search;
#module_request: mmi may trigger kernel module autoloading.
allow mmi kernel:system module_request;
allow mmi vendor_toolbox_exec:file rx_file_perms;
#NOTE(review): module_load on system_file, combined with the sys_module
#capability granted earlier in this file, lets mmi load a kernel module from
#any file labelled system_file. Presumably this exists for the WLAN driver;
#if so, a dedicated label on that module file would be tighter - confirm.
allow mmi system_file:system module_load;

#audio case: list the audio device directory, read and write its nodes.
allow mmi audio_device:dir r_dir_perms;
allow mmi audio_device:chr_file rw_file_perms;

#FM case: read-only access to the FM radio device and its data files.
allow mmi fm_radio_device:chr_file r_file_perms;
allow mmi fm_data_file:file r_file_perms;
set_prop(mmi, fm_prop)
#NOTE(review): ctl_default_prop is the fallback label for ctl.* properties,
#so this lets mmi ask init to start or stop any service that has no more
#specific ctl property label. Confirm which services mmi really has to
#control and whether a narrower property type can be used.
set_prop(mmi, ctl_default_prop)
#bluetooth case: mmi creates and modifies files under the bluetooth data
#directory, sets bluetooth properties and talks to the SMD transport.
allow mmi bluetooth_data_file:dir rw_dir_perms;
allow mmi bluetooth_data_file:file create_file_perms;
set_prop(mmi, bluetooth_prop)
allow mmi smd_device:chr_file rw_file_perms;
allow mmi persist_bluetooth_file:file r_file_perms;
#mmi may connect to a unix stream socket owned by the wcnss_filter domain.
allow mmi wcnss_filter:unix_stream_socket connectto;

#GPS case: mmi creates fifos, directories and files labelled
#location_data_file.
allow mmi location_data_file:fifo_file create_file_perms;
allow mmi location_data_file:dir create_dir_perms;
allow mmi location_data_file:file create_file_perms;
allow mmi mmi_socket:sock_file create_file_perms;
#Socket files mmi creates in a socket_device directory get the mmi_socket
#label instead of inheriting the directory label.
type_transition mmi socket_device:sock_file mmi_socket;
allow mmi location_exec:file rx_file_perms;
allow mmi smem_log_device:chr_file rw_file_perms;
allow mmi ssr_device:chr_file r_file_perms;

#SD card case
#NOTE(review): rw_file_perms on sd_device:blk_file is raw read/write access
#to the block device itself, below any filesystem permission checks.
allow mmi sd_device:blk_file rw_file_perms;
#Generic block devices: getattr and directory listing only.
allow mmi block_device:blk_file getattr;
allow mmi block_device:dir r_dir_perms;

#camera: read and write video device nodes, write to the camera socket file
#and send datagrams to the mm-qcamerad domain.
allow mmi video_device:chr_file rw_file_perms;
allow mmi camera_data_file:sock_file write;
allow mmi camera_data_file:dir r_dir_perms;
allow mmi mm-qcamerad:unix_dgram_socket sendto;

#nfc case: create and modify files under the NFC data directory.
allow mmi nfc_data_file:dir rw_dir_perms;
allow mmi nfc_data_file:file create_file_perms;

#simcard: QMUX socket access for the SIM tests.
qmux_socket(mmi);

#Allow mmi to set the charging-disabled property.
#The type name is spelled chgdiabled_prop here; presumably it matches the
#declaration elsewhere in the policy, so do not correct it in this file alone.
set_prop(mmi, chgdiabled_prop)
#Allow mmi to use file descriptors passed to it by surfaceflinger.
allow mmi surfaceflinger:fd use;
#allow mmi surfaceflinger_service:service_manager find;

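#Allow mmi to act as a client of the graphics allocator HAL.
hal_client_domain(mmi, hal_graphics_allocator);

#Allow mmi to talk to hwservicemanager over hwbinder.
#The macro argument is the client domain, so it has to be mmi. The previous
#hwbinder_use(hwservicemanager) applied the rules to hwservicemanager itself
#and granted mmi nothing.
hwbinder_use(mmi);
get_prop(mmi, hwservicemanager_prop);

#Allow mmi read-only access to the ION allocator device node.
allow mmi ion_device:chr_file r_file_perms;

#The graphics, hwservicemanager and ion_device rules were listed twice in a
#row; the duplicate copy is removed because repeated rules add nothing.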

#Allow mmi to use binder IPC with surfaceflinger.
#binder_use is left commented out, so only the direct call to surfaceflinger
#is granted here.
#binder_use(mmi)
binder_call(mmi,surfaceflinger)

#sensor cases: connect to the sensors socket and read the sensor device.
unix_socket_connect(mmi, sensors, sensors);
allow mmi sensors_device:chr_file r_file_perms;

#logcat (transition into logd is disabled)
#domain_auto_trans(mmi, logcat_exec, logd);

#access kmsg device for logging
#NOTE(review): rw_file_perms also allows reading the kernel log, not only
#writing to it. If mmi only emits log lines, write access is enough - confirm.
allow mmi kmsg_device:chr_file rw_file_perms;

#mmi test: connect to the cnd and netmgrd sockets; net_domain gives mmi
#general network socket access.
unix_socket_connect(mmi, cnd, cnd);
unix_socket_connect(mmi, netmgrd, netmgrd);
net_domain(mmi);

#mmi starts the mmid/ftmdaemon/mm-audio-ftm applications.
#execute_no_trans means a helper labelled mmi_exec runs inside the mmi domain
#without a transition, so it inherits every permission granted in this file.
allow mmi mmi_exec:file execute_no_trans;
allow mmi proc:file r_file_perms;
allow mmi sysfs_battery_supply:dir search;
allow mmi sysfs_battery_supply:file rw_file_perms;
allow mmi sysfs_pon_dev:file rw_file_perms;

#Read and write sysfs nodes to operate LEDs and graphics settings. These
#rules use dedicated sysfs types rather than the generic sysfs label.
allow mmi sysfs_leds:dir r_dir_perms;
allow mmi sysfs_leds:lnk_file r_file_perms;
allow mmi sysfs_leds:file rw_file_perms;
allow mmi sysfs_graphics:dir r_dir_perms;
allow mmi sysfs_graphics:file rw_file_perms;

#Allow mmi to set the boot mode switch property.
set_prop(mmi, boot_mode_prop)
#diag access is compiled in only for userdebug and eng builds.
#NOTE(review): this is the only rule in the file gated on build variant; every
#other grant above applies to user builds as well unless the whole file is
#excluded by the build configuration - confirm.
userdebug_or_eng(`
    diag_use(mmi)
')