waydroid.te

module waydroid 1.0;

require {
	type unconfined_t;
	type unconfined_service_t;
	type device_t;
	type init_t;
	type spc_t;
	class capability2 mac_admin;
	class binder { call set_context_mgr transfer };
	class chr_file map;
}

#============= init_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow init_t device_t:chr_file map;
allow init_t spc_t:binder { call transfer };

#============= spc_t ==============
allow spc_t self:binder { call set_context_mgr transfer };
allow spc_t self:capability2 mac_admin;
allow spc_t unconfined_service_t:binder call;
allow spc_t unconfined_t:binder { call transfer };

#============= unconfined_service_t ==============
allow unconfined_service_t spc_t:binder { call transfer };

#============= unconfined_t ==============
allow unconfined_t spc_t:binder { call transfer };