# ==============================================
# Policy File of /vendor/bin/mnld Executable File

# ==============================================
# Type Declaration
# ==============================================
type mnld, domain;
type mnld_exec, exec_type, file_type, vendor_file_type;
typeattribute mnld mlstrustedsubject;

# ==============================================
# MTK Policy Rule
# ==============================================
# STOPSHIP: Permissive is not allowed. CTS violation!
init_daemon_domain(mnld)

net_domain(mnld)
# Purpose : For communicate with AGPSD by socket
allow mnld agpsd_data_file:dir create_dir_perms;
allow mnld agpsd_data_file:sock_file create_file_perms;
allow mnld mtk_agpsd:unix_dgram_socket sendto;
allow mnld sysfs_wake_lock:file rw_file_perms;
# Purpose : For access NVRAM data
allow mnld nvram_data_file:dir create_dir_perms;
allow mnld nvram_data_file:file create_file_perms;
allow mnld nvram_data_file:lnk_file read;
allow mnld nvdata_file:lnk_file read;
allow mnld nvram_device:blk_file rw_file_perms;
allow mnld nvram_device:chr_file rw_file_perms;
allow mnld nvdata_file:dir create_dir_perms;
allow mnld nvdata_file:file create_file_perms;
# Purpose : For access kernel device
allow mnld mnld_data_file:dir rw_dir_perms;
allow mnld mnld_data_file:sock_file create_file_perms;
allow mnld mnld_device:chr_file rw_file_perms;
allow mnld mnld_data_file:file rw_file_perms;
allow mnld mnld_data_file:file create_file_perms;
allow mnld mnld_data_file:fifo_file create_file_perms;
# Purpose : For init process
allow mnld init:udp_socket { read write };

# Send the message to the LBS HIDL Service to forward to applications
allow mnld lbs_hidl_service:unix_dgram_socket sendto;

# Send the message to the merged hal Service to forward to applications
allow mnld merged_hal_service:unix_dgram_socket sendto;

# Purpose : For access system data
allow mnld block_device:dir search;
set_prop(mnld, vendor_mtk_mnld_prop)
allow mnld mdlog_device:chr_file { read write };
allow mnld self:capability { fsetid };
allow mnld stpbt_device:chr_file { read write };
allow mnld gpsdl_device:chr_file { read write };
allow mnld ttyGS_device:chr_file { read write };
# Purpose : For file system operations
allow mnld sdcard_type:dir search;
allow mnld sdcard_type:dir write;
allow mnld sdcard_type:dir add_name;
allow mnld sdcard_type:file create;
allow mnld sdcard_type:file rw_file_perms;
allow mnld sdcard_type:file create_file_perms;
allow mnld sdcard_type:dir { read remove_name create open };
allow mnld tmpfs:lnk_file { read create open };
allow mnld mtd_device:dir search;
allow mnld mnt_user_file:lnk_file read;
allow mnld mnt_user_file:dir search;
allow mnld gps_data_file:dir { create_dir_perms unlink };
allow mnld gps_data_file:file { read write open create getattr append setattr unlink lock rename };
allow mnld gps_data_file:lnk_file read;

allow mnld storage_file:lnk_file read;

# Date : WK15.30
# Operation : Migration
# Purpose : for device bring up, not to block early migration/sanity
allow mnld proc_lk_env:file rw_file_perms;

# For HIDL, communicate mtk_hal_gnss instead of system_server
allow mnld mtk_hal_gnss:unix_dgram_socket sendto;

# Purpose : MPE sensor HIDL policy
hwbinder_use(mnld);
binder_call(mnld, system_server)
allow mnld fwk_sensor_hwservice:hwservice_manager find;
get_prop(mnld, hwservicemanager_prop)
allow mnld debugfs_tracing:file { open write };

allow mnld mnt_vendor_file:dir search;

#get waks_alarm timer create prop
allow mnld mnld:capability2 wake_alarm;

# Date : WK18.26
# Purpose : for atci gps test
allow mnld atci_service:unix_dgram_socket sendto;

allow mnld sysfs_boot_mode:file { read open };

set_prop(mnld, vendor_mtk_radio_prop)

allow mnld proc_cmdline:file r_file_perms;
allow mnld sysfs_dt_firmware_android:dir search;
allow mnld sysfs_dt_firmware_android:file r_file_perms;
allow mnld metadata_file:dir search;
#for mnld get screen on/off
allow mnld sysfs_leds:dir search;
allow mnld sysfs_leds:file r_file_perms;
#Add for /nvcfg/almanac.dat
allow mnld nvcfg_file:dir w_dir_perms;
allow mnld nvcfg_file:file create_file_perms;

allow mnld self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };