common/rfs_access.te - platform_device_qcom_sepolicy - Gitiles

 # rfs_access - rfs_access daemon
 type rfs_access, domain, domain_deprecated;
 type rfs_access_exec, exec_type, file_type;
 init_daemon_domain(rfs_access)

 #The files created by rfs_access process in the /data folder will have type rfs_file
 type_transition rfs_access system_data_file:{ dir file } rfs_file;
 type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";

 #The files created by rfs_access process in the /persist folder will have type rfs_file
 type_transition rfs_access persist_file:{ dir file } rfs_file;
 type_transition rfs_access persist_file:dir rfs_shared_hlos_file "hlos_rfs";

 allow rfs_access {
     #To read the uio char device
     uio_device
     #To read the smem log char device
     smem_log_device
 }:chr_file rw_file_perms;

 #For QMI sockets and IPCR Sockets
 allow rfs_access self:socket create_socket_perms;

 #For Wakelocks
 wakelock_use(rfs_access)

 #To create the folders in /data
 allow rfs_access system_data_file:dir create_dir_perms;

 #To create the folders in /persist
 allow rfs_access persist_file:dir create_dir_perms;

 #For system folder entries
 r_dir_file(rfs_access, rfs_system_file)
 allow rfs_access rfs_system_file:lnk_file r_file_perms;

 #For data folder entries
 allow rfs_access rfs_file:dir create_dir_perms;
 allow rfs_access rfs_file:file create_file_perms;

 allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
 allow rfs_access rfs_shared_hlos_file:file create_file_perms;

 #For ramdump entries in /data/tombstones.
 allow rfs_access tombstone_data_file:dir create_dir_perms;
 allow rfs_access tombstone_data_file:file create_file_perms;

 #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
 r_dir_file(rfs_access, firmware_file)

 #For dropping permisions from root and wakelock
 allow rfs_access self:capability {
     setuid
     setgid
     setpcap
     net_raw
 };

 # RFS UID and GIDs were changed and moved from old values to new ones OEM range.
 # The below permissions are required to recursively update the folder ownership
 # to the new values in the OEM range.

 allow rfs_access self:capability { dac_read_search chown dac_override };

 #Prevent other domains from accessing RFS data files.
 neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms;
 neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms;
	# rfs_access - rfs_access daemon
	type rfs_access, domain, domain_deprecated;
	type rfs_access_exec, exec_type, file_type;
	init_daemon_domain(rfs_access)

	#The files created by rfs_access process in the /data folder will have type rfs_file
	type_transition rfs_access system_data_file:{ dir file } rfs_file;
	type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";

	#The files created by rfs_access process in the /persist folder will have type rfs_file
	type_transition rfs_access persist_file:{ dir file } rfs_file;
	type_transition rfs_access persist_file:dir rfs_shared_hlos_file "hlos_rfs";

	allow rfs_access {
	#To read the uio char device
	uio_device
	#To read the smem log char device
	smem_log_device
	}:chr_file rw_file_perms;

	#For QMI sockets and IPCR Sockets
	allow rfs_access self:socket create_socket_perms;

	#For Wakelocks
	wakelock_use(rfs_access)

	#To create the folders in /data
	allow rfs_access system_data_file:dir create_dir_perms;

	#To create the folders in /persist
	allow rfs_access persist_file:dir create_dir_perms;

	#For system folder entries
	r_dir_file(rfs_access, rfs_system_file)
	allow rfs_access rfs_system_file:lnk_file r_file_perms;

	#For data folder entries
	allow rfs_access rfs_file:dir create_dir_perms;
	allow rfs_access rfs_file:file create_file_perms;

	allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
	allow rfs_access rfs_shared_hlos_file:file create_file_perms;

	#For ramdump entries in /data/tombstones.
	allow rfs_access tombstone_data_file:dir create_dir_perms;
	allow rfs_access tombstone_data_file:file create_file_perms;

	#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
	r_dir_file(rfs_access, firmware_file)

	#For dropping permisions from root and wakelock
	allow rfs_access self:capability {
	setuid
	setgid
	setpcap
	net_raw
	};

	# RFS UID and GIDs were changed and moved from old values to new ones OEM range.
	# The below permissions are required to recursively update the folder ownership
	# to the new values in the OEM range.

	allow rfs_access self:capability { dac_read_search chown dac_override };

	#Prevent other domains from accessing RFS data files.
	neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms;
	neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms;