# ==============================================
# MTK Policy Rule
# ==============================================

# Rules for all domains.

# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
#   allow hal_drm system_data_file:file { getattr read };
#   hal_server_domain(merged_hal_service, hal_drm)
#
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -app_zygote
    -dumpstate
    -init
    -installd
    -iorap_prefetcherd
    -iorap_inode2filename
    -logd
    -mediadrmserver
    -mediaextractor
    -mediaserver
    -runas
    -sdcardd
    -simpleperf_app_runner
    -storaged
    -system_server
    -toolbox
    -vold
    -vold_prepare_subdirs
    -zygote
    } system_data_file:file *;

  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

  neverallow {
    dumpstate
    logd
    runas
    sdcardd
    simpleperf_app_runner
    storaged
    zygote
    } system_data_file:file ~r_file_perms;

  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };

  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

  neverallow iorap_prefetcherd system_data_file:file ~{ open read };
  neverallow iorap_inode2filename system_data_file:file ~getattr;

  neverallow {
    mediadrmserver
    mediaextractor
    mediaserver
   } system_data_file:file ~{ read getattr };

  neverallow  system_server system_data_file:file ~{ create_file_perms relabelfrom link };

  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

  neverallow vold system_data_file:file ~read;

  neverallow ~{
    appdomain
    app_zygote
    dexoptanalyzer
    init
    installd
    iorap_prefetcherd
    iorap_inode2filename
    logd
    rs
    runas
    simpleperf_app_runner
    system_server
    tee
    vold
    webview_zygote
    zygote
    } system_data_file:lnk_file *;

  neverallow {
    appdomain
    app_zygote
    logd
    webview_zygote
    } system_data_file:lnk_file ~r_file_perms;

  neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr;

  neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };

  neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };

  neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };

  neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };

  neverallow rs system_data_file:lnk_file ~{ read };

  neverallow {
    runas
    simpleperf_app_runner
    tee
    } system_data_file:lnk_file ~{ read getattr };

  neverallow system_server system_data_file:lnk_file ~create_file_perms;
')