# ==============================================
# MTK Policy Rule
# ==============================================

# permissive system_app;
typeattribute system_app mlstrustedsubject;


# Date : 2014/07/31
# Stage: BaseUT
# Purpose :[CdsInfo][CdsInfo uses net shell commands to get network information and write WI-FI MAC address by NVRAM]
# Package Name: com.mediatek.connectivity
allow system_app nvram_agent_binder:binder call;

# Date: 2014/08/01
# Operation: BaseUT
# Purpose: [Settings][Settings used list views need velocity tracker access touch dev]
# Package: com.android.settings
allow system_app touch_device:chr_file { read ioctl open };

# Date: 2014/08/04
# Stage: BaseUT
# Purpose: [MTKThermalManager][View thermal zones and coolers, and change thermal policies]
# Package Name: com.mediatek.mtkthermalmanager
allow system_app apk_private_data_file:dir getattr;
allow system_app asec_image_file:dir getattr;
allow system_app dontpanic_data_file:dir getattr;
allow system_app drm_data_file:dir getattr;
allow system_app install_data_file:file getattr;
allow system_app lost_found_data_file:dir getattr;
allow system_app media_data_file:dir getattr;
allow system_app property_data_file:dir getattr;
allow system_app shell_data_file:dir search;
allow system_app thermal_manager_exec:file { read execute open execute_no_trans };
allow system_app proc_thermal:dir search;
allow system_app proc_thermal:file { read getattr open write };
allow system_app proc_mtkcooler:dir search;
allow system_app proc_mtkcooler:file { read getattr open write };
allow system_app proc_mtktz:dir search;
allow system_app proc_mtktz:file  { read getattr open write };
allow system_app proc_slogger:file { read getattr open write };

# Date: 2014/08/21
# Stage: BaseUT
# Purpose: [AtciService][Atci Service will use atci_serv_fw_socket to connect to atci_service which in native layer]
# Package Name: com.mediatek.atci.service
allow system_app atci_serv_fw_socket:sock_file write;
allow system_app atci_service:unix_stream_socket connectto;

# Date: 2014/08/29
# Stage: BaseUT
# Purpose: [BatteryWarning][View update graphics]
# Package Name: com.mediatek.batterywarning
allow system_app guiext-server:binder { transfer call };

# Date: 2015/07/24
# Stage: BaseUT
# Purpose: [HotKnot][HotKnot service will add into ServiceManager]
# Package Name: com.mediatek.hotknot.service
allow system_app mtk_hotknot_service:service_manager add;

# Date: 2014/09/02
# Operation: BaseUT
# Purpose: [HotKnot][HotKnot service will use hoknot device node]
# Package: com.mediatek.hotknot.service
allow system_app hotknot_device:chr_file { read write ioctl open };

# Date: 2014/09/02
# Operation: BaseUT
# Purpose: [HotKnot][HotKnot service will use devmap_device device node]
# Package: com.mediatek.hotknot.service
allow system_app devmap_device:chr_file { read ioctl open };

# Date: 2014/09/02
# Operation: BaseUT
# Purpose: [HotKnot][HotKnot service will use mtkfb device node]
# Package: com.mediatek.hotknot.service
allow system_app graphics_device:chr_file { read write ioctl open };
allow system_app graphics_device:dir search;

# Data : 2014/09/09
# Operation : Migration
# Purpose : [Privacy protection lock][com.mediatek.ppl need to bind ppl_agent service to read/write nvram file]
# Package name : com.mediatek.ppl

allow system_app ppl_agent:binder call;

# Date: 2014/10/7
# Operation: SQC
# Purpose: [sysoper][sysoper will create folder /cache/recovery]
# Package: com.mediatek.systemupdate.sysoper
allow system_app cache_file:dir { write create add_name };
allow system_app cache_file:file { write create open };

# Date : 2014/10/08
# Operation : BaseUT
# Purpose : [op01 agps setting][mtk_agpsd establishes the local socket as agpsd for all A-GPS 
#           application to do something with mtk_agpsd in system app]
# Package: com.mediatek.op01.plugin
unix_socket_connect(system_app, agpsd, mtk_agpsd);

# Date : 2014/10/28
# Operation: SQC
# Purpose : ALPS01761930
# Package: com.android.settings
allow system_app asec_apk_file:file r_file_perms;

# Date : WK14.46
# Operation : Migration
# Purpose : for MTK Emulator HW GPU
allow system_app qemu_pipe_device:chr_file rw_file_perms;

# Date : WK14.46
# Operation : Migration
# Package: org.simalliance.openmobileapi.service
# Purpose : ALPS01820916, for SmartcardService
allow system_app system_app_data_file:file execute;

# Date : 2014/11/17
# Operation: SQC
# Purpose : [Settings][Battery module will call batterystats API, and it will read /sys/kernel/debug/wakeup_sources]
# Package: com.android.settings
allow system_app debugfs:file r_file_perms;

# Date : 2014/11/18
# Operation : SQC
# Purpose : for oma dm fota recovery update
allow system_app ctl_rbfota_prop:property_service set;

# Date: 2015/04/08
# Stage: IT
# Purpose: [RCS][RCS will use rcs_ua_proxy to connect to volte_rcs_ua which in native layer]
# Package Name: com.orangelasb.rcs:core
allow system_app ril_volte_stack_rcsuaproxy_prop:property_service set;
allow system_app rcs_ua_proxy_socket:sock_file write;
allow system_app volte_rcs_ua:unix_stream_socket connectto;


# Date : 2014/11/19
# Operation: SQC
# Purpose: [Settings][RenderThread][operate device file failed]
# Package: com.android.settings
allow system_app proc_secmem:file rw_file_perms;

# Date : 2014/11/20
# Operation: SQC
# Purpose: [Settings][Developer options module will communicate with all Services through binder call]
# Package: com.android.settings
binder_call(system_app, MtkCodecService)

# Date : 2014/11/26
# Operation: SQC
# Purpose: [Settings][Browser][warning kernel API'selinux enforce violation:sdcardd' when do stress test with ' AT_ST_Browser_Test.rar']
# Package: com.android.settings
allow system_app platform_app_tmpfs:file write;

# Date : 2015/01/13
# Operation: SQC
# Purpose: access ashmem of isolated_app
# Package: com.fw.upgrade.sysoper
dontaudit system_app isolated_app_tmpfs:file write;

# Date : 2015/01/14
# Operation: SQC
# Purpose: access ashmem of untrusted_app
# Package: android.ui
dontaudit system_app untrusted_app_tmpfs:file write;

# Date : 2015/01/27
# Operation: SQC
# Purpose: It's not normal behavior, that system_app want to access radio_file_data
# Package: android.ui
dontaudit system_app radio_data_file:dir search;

# Date : WK15.30
# Operation : Migration
# Purpose : for device bring up, not to block early migration/sanity
allow system_app system_app_service:service_manager add;
allow system_app drmserver:drmservice openDecryptSession;

# Date: 2015/07/24
# Stage: Migration
# Purpose: [MTKThermalManager][View thermal zones and coolers, and change thermal policies]
# Package Name: com.mediatek.mtkthermalmanager
allow system_app thermal_manager_data_file:file { open getattr read write create};
allow system_app thermal_manager_data_file:file { open setattr lock };
allow system_app thermal_manager_data_file:dir { search getattr open read write setattr add_name };

# Date: 2015/09/10
# Stage: Migration
# Purpose: [HotKnot] Allow HotKnot service to start/stop hotknot_native_service
allow system_app hotknot_prop:property_service set;

# Date : 2015/06/12
# Operation: TEEI integration
# Purpose: access for fp device and client device of TEEI
# Package: teei
allow system_app teei_fp_device:chr_file rw_file_perms;
allow system_app teei_client_device:chr_file r_file_perms;

# Data: 2015/10/28
# Stage: SQC
# Purpose: [SystemUI] Allow IMG GPU to touch sw_sync
allow system_app sw_sync_device:chr_file { read write getattr open };