# ==============================================
# MTK Policy Rule
# ==============================================

# Rules for all domains.

# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
full_treble_only(`
  neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;

  neverallow {
    coredomain
    -apexd
    -init
    -ueventd
    -vold
    } sysfs:file *;

  neverallow {
    init
    ueventd
    vold
    } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };

  neverallow ~{
    init
    ueventd
    } sysfs:lnk_file ~r_file_perms;

  neverallow {
    init
    ueventd
    } sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };

  neverallow ~{
    init
    otapreopt_chroot
    ueventd
    vendor_init
    } sysfs:dir ~r_dir_perms;

  neverallow {
    init
    otapreopt_chroot
    ueventd
    vendor_init
    } sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
')


# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
#
#   r_dir_file(hal_audio, proc)
#   hal_server_domain(mtk_hal_audio, hal_audio)
#   hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
  neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;

  neverallow {
    coredomain
    -audioserver
    -bluetooth
    -init
    -system_server
    -vold
    } proc:file *;

  neverallow {
    audioserver
    bluetooth
    init
    system_server
    vold
    } proc:file ~r_file_perms;

  neverallow vendor_init proc:file ~{ read setattr map open };

  neverallow {
    coredomain
    -audioserver
    -bluetooth
    -init
    -system_server
    } proc:lnk_file ~{ read getattr };

  neverallow {
    audioserver
    bluetooth
    init
    system_server
    } proc:lnk_file ~r_file_perms;

  neverallow ~{
    init
    vendor_init
    } proc:dir ~{ r_file_perms search };

  neverallow {
    init
    vendor_init
    } proc:dir ~{ r_file_perms search setattr };
')


# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
full_treble_only(`
  neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;

  neverallow ~{
    dumpstate
    init
    vendor_init
    } debugfs:file *;

  neverallow dumpstate debugfs:file ~r_file_perms;

  neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };

  neverallow vendor_init debugfs:file ~{ read setattr open map };

  neverallow ~init debugfs:lnk_file *;

  neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };

  neverallow ~{
    init
    vendor_init
    } debugfs:dir ~{ search getattr };

  neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto userdebug_or_eng(`mounton') };

  neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
')


# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
#   allow hal_drm system_data_file:file { getattr read };
#   hal_server_domain(merged_hal_service, hal_drm)
#
full_treble_only(`
  neverallow ~{
    init
    installd
    system_server
    } system_data_file:{ chr_file blk_file sock_file fifo_file } *;

  neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };

  neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

  neverallow installd system_data_file:{ chr_file blk_file } *;

  neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };

  neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;

  neverallow {
    coredomain
    -appdomain
    -app_zygote
    -init
    -installd
    -iorap_prefetcherd
    -iorap_inode2filename
    -system_server
    -toolbox
    -vold
    -vold_prepare_subdirs
    with_asan(`-asan_extract')
    } system_data_file:file ~r_file_perms;

  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };

  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

  neverallow iorap_inode2filename system_data_file:file ~getattr;

  neverallow iorap_prefetcherd system_data_file:file ~{ open read };

  neverallow {
    mediadrmserver
    mediaextractor
    mediaserver
   } system_data_file:file ~{ read getattr };

  neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };

  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

  neverallow vold system_data_file:file ~read;

  with_asan(`
    neverallow asan_extract system_data_file:file ~{ create_file_perms relabelfrom execute };
   ')

  neverallow ~{
    appdomain
    app_zygote
    init
    installd
    iorap_prefetcherd
    iorap_inode2filename
    logd
    rs
    runas
    simpleperf_app_runner
    system_server
    tee
    vold
    webview_zygote
    with_asan(`asan_extract')
    zygote
    } system_data_file:lnk_file ~getattr;

  neverallow {
    appdomain
    app_zygote
    logd
    webview_zygote
    } system_data_file:lnk_file ~r_file_perms;

  neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };

  neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };

  neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };

  neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };

  neverallow rs system_data_file:lnk_file ~{ read };

  neverallow {
    runas
    simpleperf_app_runner
    tee
    } system_data_file:lnk_file ~{ read getattr };

  neverallow system_server system_data_file:lnk_file ~create_file_perms;

  with_asan(`
    neverallow asan_extract system_data_file:lnk_file ~create_file_perms ;
   ')

  neverallow ~{
    artd
    apexd
    init
    installd
    iorap_prefetcherd
    iorap_inode2filename
    system_server
    toolbox
    traced_probes
    vold
    vold_prepare_subdirs
    with_asan(`asan_extract')
    zygote
    } system_data_file:dir ~{ search getattr };

  neverallow artd system_data_file:dir ~r_dir_perms;

  neverallow apexd system_data_file:dir ~r_dir_perms;

  neverallow init system_data_file:dir ~{
    create search getattr open read setattr ioctl
    mounton
    relabelto
    write add_name remove_name rmdir relabelfrom
    };

  neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };

  neverallow {
    iorap_prefetcherd
    iorap_inode2filename
    traced_probes
    } system_data_file:dir ~{ open read search getattr };

  neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };

  neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };

  neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };

  with_asan(`
    neverallow asan_extract system_data_file:dir ~{ create_dir_perms relabelfrom };
   ')

  neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
')


# Do not allow access to the generic vendor_data_file label. This is
# too broad.
# Instead, if access to part of vendor_data_file is desired, it should
# have a more specific label.
full_treble_only(`
  neverallow ~{
    init
    vendor_init
    } vendor_data_file:file_class_set *;

  neverallow {
    init
    vendor_init
    } vendor_data_file:{ chr_file blk_file } ~{ relabelto };

  neverallow {
    init
    vendor_init
    } vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

  neverallow {
    init
    vendor_init
    } vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

  neverallow {
    init
    vendor_init
    } vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };

  neverallow ~{
    init
    vendor_init
    vold
    vold_prepare_subdirs
    } vendor_data_file:dir ~{ getattr search };

  neverallow {
    init
    vendor_init
    } vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };

  neverallow vold vendor_data_file:dir ~create_dir_perms;

  neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
')

# Do not allow access to the generic app_data_file label. This is too broad.
# Instead, if access to part of app_data_file is desired, it should have a
# more specific label.
#full_treble_only(`
#  neverallow * app_data_file:dir_file_class_set *;
#')

# Do not allow access to the generic default_prop label. This is too broad.
# Instead, if access to part of default_prop is desired, it should have a
# more specific label.
#full_treble_only(`
#  neverallow * default_prop:dir_file_class_set *;
#')

# Do not allow access to the generic vendor_default_prop label. This is
# too broad.
# Instead, if access to part of vendor_default_prop is desired, it should
# have a more specific label.
#full_treble_only(`
#  neverallow * vendor_default_prop:dir_file_class_set *;
#')

# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
# TODO: Remove hal_camera and so on once there are no violations.
#
#   allow hal_camera device:dir r_dir_perms;
#   hal_client_domain(cameraserver, hal_camera)
#
full_treble_only(`
  neverallow * device:{ sock_file fifo_file } *;

  neverallow ~{
    init
    shell
    ueventd
    vendor_init
    } device:chr_file *;

  neverallow { init vendor_init } device:chr_file ~setattr;

  neverallow shell device:chr_file ~getattr;

  neverallow ueventd device:chr_file ~{ getattr create setattr unlink };

  neverallow ~{
    apexd
    dumpstate
    e2fs
    fsck
    fsck_untrusted
    init
    recovery
    shell
    ueventd
    vendor_init
    } device:blk_file *;

  neverallow {
    dumpstate
    e2fs
    fsck
    fsck_untrusted
    shell
    vendor_init
    } device:blk_file ~getattr;

  neverallow init device:blk_file ~r_file_perms;

  neverallow recovery device:blk_file ~rw_file_perms;

  neverallow ueventd device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

  neverallow ~{
    init
    vendor_init
    ueventd
    } device:file *;

  neverallow init device:file ~{ create_file_perms relabelfrom };

  neverallow ueventd device:file ~create_file_perms;

  neverallow vendor_init device:file ~{ read setattr map open getattr };

  neverallow ~{
    init
    vendor_init
    ueventd
    } device:lnk_file ~r_file_perms;

  neverallow { init vendor_init } device:lnk_file ~{ r_file_perms create };

  neverallow ueventd device:lnk_file ~{ r_file_perms create unlink };

  neverallow {
    coredomain
    -apexd
    -cameraserver
    -fastbootd
    -hal_camera
    -init
    -otapreopt_chroot
    -recovery
    -shell
    -slideshow
    -system_server
    -vendor_init
    -vold
    -ueventd
    } device:dir ~{ search getattr };

  neverallow {
    cameraserver
    fastbootd
    hal_camera
    system_server
    shell
    slideshow
    recovery
    } device:dir ~r_dir_perms;

  neverallow init device:dir ~{ create_dir_perms mounton relabelto };

  neverallow vendor_init device:dir ~{ create_dir_perms mounton };

  neverallow vold device:dir ~{ search getattr write };

  neverallow ueventd device:dir ~create_dir_perms;
')

# Do not allow access to the generic socket_device label. This is too broad.
# Instead, if access to part of socket_device is desired, it should have a
# more specific label.
full_treble_only(`
  neverallow * socket_device:{ file sock_file fifo_file } *;

  neverallow ~{
    init
    shell
    ueventd
    vendor_init
    } socket_device:chr_file *;

  neverallow {
    init
    vendor_init
    } socket_device:chr_file ~{ setattr };

  neverallow shell socket_device:chr_file ~{ getattr };

  neverallow ueventd socket_device:chr_file ~{ getattr create setattr unlink };

  neverallow ~{
    apexd
    dumpstate
    e2fs
    fsck
    fsck_untrusted
    init
    recovery
    shell
    ueventd
    vendor_init
    } socket_device:blk_file *;

  neverallow {
    apexd
    dumpstate
    e2fs
    fsck
    fsck_untrusted
    shell
    vendor_init
    } socket_device:blk_file ~getattr;

  neverallow init socket_device:blk_file ~r_file_perms;

  neverallow recovery socket_device:blk_file ~rw_file_perms;

  neverallow ueventd socket_device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

  neverallow ~{
    init
    ueventd
    vendor_init
    } socket_device:lnk_file ~r_file_perms;

  neverallow {
    init
    vendor_init
    } socket_device:lnk_file ~{ r_file_perms create };

  neverallow ueventd socket_device:lnk_file ~{ r_file_perms create unlink };

  neverallow ~{
    init
    ueventd
    vendor_init
    } socket_device:dir ~r_dir_perms;

  neverallow init socket_device:dir ~{ create_dir_perms relabelto };

  neverallow {
    ueventd
    vendor_init
    } socket_device:dir ~create_dir_perms;

')

# Do not allow access to the generic block_device label. This is too broad.
# Instead, if access to part of block_device is desired, it should have a
# more specific label.
#full_treble_only(`
#  neverallow * block_device:dir_file_class_set *;
#')

# Do not allow access to the generic bootdevice_block_device label. This is
# too broad.
# Instead, if access to part of bootdevice_block_device is desired, it should
# have a more specific label.
#full_treble_only(`
#  neverallow * bootdevice_block_device:dir_file_class_set *;
#')