non_plat/update_engine.te - device/mediatek/wembley-sepolicy - Git at Google

 # MTK Add policy for update_engine
 # Add for update_engine update block device
 allow update_engine preloader_block_device:blk_file rw_file_perms;
 allow update_engine lk_block_device:blk_file rw_file_perms;
 allow update_engine dtbo_block_device:blk_file rw_file_perms;
 allow update_engine tee_block_device:blk_file rw_file_perms;
 allow update_engine vendor_block_device:blk_file rw_file_perms;
 allow update_engine odm_block_device:blk_file rw_file_perms;
 allow update_engine oem_block_device:blk_file rw_file_perms;
 allow update_engine md_block_device:blk_file rw_file_perms;
 allow update_engine dsp_block_device:blk_file rw_file_perms;
 allow update_engine scp_block_device:blk_file rw_file_perms;
 allow update_engine sspm_block_device:blk_file rw_file_perms;
 allow update_engine spmfw_block_device:blk_file rw_file_perms;
 allow update_engine mcupmfw_block_device:blk_file rw_file_perms;
 allow update_engine loader_ext_block_device:blk_file rw_file_perms;
 allow update_engine cam_vpu_block_device:blk_file rw_file_perms;
 allow update_engine para_block_device:blk_file rw_file_perms;
 allow update_engine vbmeta_block_device:blk_file rw_file_perms;
 allow update_engine proc_filesystems:file r_file_perms;

 # Add for update_engine call by system_app
 allow update_engine system_app:binder { call transfer };

 # Add for update_engine with postinstall
 allow update_engine postinstall_mnt_dir:dir { search getattr open read write search unlink};

 # Add for AVB20
 allow update_engine tmpfs:lnk_file read;

 allow update_engine metadata_file:dir { getattr mounton };
 allow update_engine devpts:chr_file rw_file_perms;
 allow update_engine kmsg_device:chr_file w_file_perms;
	# MTK Add policy for update_engine
	# Add for update_engine update block device
	allow update_engine preloader_block_device:blk_file rw_file_perms;
	allow update_engine lk_block_device:blk_file rw_file_perms;
	allow update_engine dtbo_block_device:blk_file rw_file_perms;
	allow update_engine tee_block_device:blk_file rw_file_perms;
	allow update_engine vendor_block_device:blk_file rw_file_perms;
	allow update_engine odm_block_device:blk_file rw_file_perms;
	allow update_engine oem_block_device:blk_file rw_file_perms;
	allow update_engine md_block_device:blk_file rw_file_perms;
	allow update_engine dsp_block_device:blk_file rw_file_perms;
	allow update_engine scp_block_device:blk_file rw_file_perms;
	allow update_engine sspm_block_device:blk_file rw_file_perms;
	allow update_engine spmfw_block_device:blk_file rw_file_perms;
	allow update_engine mcupmfw_block_device:blk_file rw_file_perms;
	allow update_engine loader_ext_block_device:blk_file rw_file_perms;
	allow update_engine cam_vpu_block_device:blk_file rw_file_perms;
	allow update_engine para_block_device:blk_file rw_file_perms;
	allow update_engine vbmeta_block_device:blk_file rw_file_perms;
	allow update_engine proc_filesystems:file r_file_perms;

	# Add for update_engine call by system_app
	allow update_engine system_app:binder { call transfer };

	# Add for update_engine with postinstall
	allow update_engine postinstall_mnt_dir:dir { search getattr open read write search unlink};

	# Add for AVB20
	allow update_engine tmpfs:lnk_file read;

	allow update_engine metadata_file:dir { getattr mounton };
	allow update_engine devpts:chr_file rw_file_perms;
	allow update_engine kmsg_device:chr_file w_file_perms;