# ==============================================
# MTK Policy Rule
# ==============================================
# Vendor override of the neverallow assertions that protect the four generic
# labels (sysfs, proc, system_data_file, device). Each full_treble_only()
# group below restates an assertion with extra vendor domains (mtk_hal_*,
# merged_hal_service, audiocmdservice_atci, ...) added to the exception sets.
# A neverallow grants nothing by itself: it is a policy-compile-time check that
# no allow rule anywhere in the policy exceeds it. Every name added to an
# exception set is therefore a domain whose allow rules -- such as the
# commented-out examples under each TODO -- are permitted to reach the
# generic label. The TODOs track removing those names once the underlying
# files carry a specific type.
# NOTE(review): merged_hal_service appears in the exception sets of three of
# the four groups (sysfs, proc and system_data_file). A single process that
# hosts several HALs accumulates every HAL's exemption, so narrowing these is
# worth prioritising when the TODOs are worked.
#
# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
# TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations.
#   allow hal_usb sysfs:file write;
#   hal_server_domain(mtk_hal_usb, hal_usb)
#
#   r_dir_file(hal_wifi, sysfs_type)
#   hal_server_domain(mtk_hal_wifi, hal_wifi)
#
full_treble_only(`
  # Three tiers for sysfs:file:
  #  1. every domain NOT listed here gets no sysfs:file permission at all;
  #  2. the HAL/daemon set in the second rule is bounded to r_file_perms;
  #  3. the init/usb/ueventd set in the third rule may also write, setattr,
  #     append and relabel.
  neverallow ~{
    init
    merged_hal_service
    mtk_hal_bluetooth
    # TODO(b/152082918) Remove mtk_hal_camera line when permissions are fixed.
    mtk_hal_camera
    mtk_hal_power
    mtk_hal_usb
    mtk_hal_wifi
    hal_bluetooth_btlinux
    hal_bluetooth_default
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    hal_fingerprint_default
    hal_radio_config_default
    hal_radio_default
    hal_usb_default
    hal_wifi_default
    hal_wifi_supplicant_default
    rild
    tee
    ueventd
    vendor_init
    vold
  } sysfs:file *;
  # Read-only tier.
  # NOTE(review): mtk_hal_camera is exempted from the "*" rule above but is
  # listed in neither this rule nor the next, so no neverallow here bounds
  # which sysfs:file permissions it may be granted. If the b/152082918 fix
  # only needs reads, adding mtk_hal_camera to this set would pin that.
  neverallow {
    merged_hal_service
    mtk_hal_bluetooth
    mtk_hal_power
    mtk_hal_wifi
    hal_bluetooth_btlinux
    hal_bluetooth_default
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    hal_fingerprint_default
    hal_radio_config_default
    hal_radio_default
    hal_wifi_default
    hal_wifi_supplicant_default
    rild
    tee
  } sysfs:file ~r_file_perms;
  # Read/write tier: mtk_hal_usb is added alongside the AOSP hal_usb_default,
  # so it is bounded to the same permission set as the default USB HAL.
  neverallow {
    hal_usb_default
    init
    mtk_hal_usb
    ueventd
    vendor_init
    vold
  } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
')

# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
#
#   r_dir_file(hal_audio, proc)
#   hal_server_domain(mtk_hal_audio, hal_audio)
#   hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
  # proc:file tiers: domains not listed get nothing; the listed set (minus
  # vendor_init) is read-only; vendor_init may additionally setattr.
  neverallow ~{
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    hal_graphics_allocator_default
    init
    merged_hal_service
    mtk_hal_audio
    rild
    system_server
    vendor_init
    vold
  } proc:file *;
  neverallow {
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    hal_graphics_allocator_default
    init
    merged_hal_service
    mtk_hal_audio
    rild
    system_server
    vold
  } proc:file ~r_file_perms;
  neverallow vendor_init proc:file ~{ r_file_perms setattr };
  # proc:lnk_file: every other domain is limited to read/getattr; the listed
  # set is limited to r_file_perms. Note this set is smaller than the
  # proc:file set above (no hal_graphics_allocator_default, vendor_init, vold,
  # merged_hal_service), so those domains fall under the read/getattr bound.
  neverallow ~{
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    init
    mtk_hal_audio
    rild
    system_server
  } proc:lnk_file ~{ read getattr };
  neverallow {
    audiocmdservice_atci
    audioserver
    bluetooth
    hal_audio_default
    init
    mtk_hal_audio
    rild
    system_server
  } proc:lnk_file ~r_file_perms;
')

# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
#   allow hal_drm system_data_file:file { getattr read };
#   hal_server_domain(merged_hal_service, hal_drm)
#
full_treble_only(`
  # Vendor-side bound: any domain that is neither coredomain nor appdomain
  # gets no system_data_file:file access unless subtracted here. The
  # per-domain rules further down then cap each exempted domain.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_cas_default
    -hal_drm_clearkey
    -hal_drm_default
    -hal_drm_widevine
    -merged_hal_service
    -tee
  } system_data_file:file *;
  # Everything outside this set is read-only. with_asan() includes
  # asan_extract only on ASAN builds (macro defined elsewhere in the policy).
  neverallow ~{
    appdomain
    app_zygote
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    init
    installd
    iorap_prefetcherd
    mediadrmserver
    mediaextractor
    mediaserver
    merged_hal_service
    system_server
    tee
    toolbox
    vold
    vold_prepare_subdirs
    with_asan(`asan_extract')
  } system_data_file:file ~r_file_perms;
  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
  # getattr is listed twice in this set; harmless (sets are unioned) but worth
  # deduplicating when the rule is next touched.
  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
  neverallow iorap_prefetcherd system_data_file:file ~{ open read };
  # merged_hal_service is bounded to the same getattr/read set as the DRM
  # HALs it hosts (see the commented hal_drm example above).
  neverallow {
    hal_drm_clearkey
    hal_drm_default
    hal_drm_widevine
    mediadrmserver
    mediaextractor
    mediaserver
    merged_hal_service
    tee
  } system_data_file:file ~{ getattr read };
  neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
  neverallow vold system_data_file:file ~read;
')

# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
# TODO: Remove hal_camera and so on once there are no violations.
#
#   allow hal_camera device:dir r_dir_perms;
#   hal_client_domain(cameraserver, hal_camera)
#
full_treble_only(`
  # device:dir: domains not listed are limited to search/getattr; the camera
  # set is limited to r_dir_perms; init, vendor_init, vold and ueventd have
  # their own caps. otapreopt_chroot appears only in this first set, so its
  # device:dir access is not further bounded by this file.
  neverallow ~{
    cameraserver
    fastbootd
    hal_camera
    hal_camera_default
    init
    mtk_hal_camera
    otapreopt_chroot
    recovery
    shell
    slideshow
    system_server
    vendor_init
    vold
    ueventd
  } device:dir ~{ search getattr };
  # mtk_hal_camera is capped to r_dir_perms here, matching hal_camera_default.
  neverallow {
    cameraserver
    fastbootd
    hal_camera
    hal_camera_default
    mtk_hal_camera
    system_server
    shell
    slideshow
    recovery
  } device:dir ~r_dir_perms;
  neverallow init device:dir ~{ create_dir_perms mounton relabelto };
  neverallow vendor_init device:dir ~{ create_dir_perms mounton };
  neverallow vold device:dir ~{ search getattr write };
  neverallow ueventd device:dir ~create_dir_perms;
')