gta4xl-common: start working on sepolicy
Change-Id: I725e3ed87e842824137b3ae1e7fac4b129c1e9d7
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 19c8e01..ec88178 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -8,4 +8,7 @@
type prism_file, file_type;
# DATA
+type camera_vendor_data_file, file_type, data_file_type;
type display_vendor_data_file, file_type, data_file_type;
+type media_vendor_data_file, file_type, data_file_type;
+type mediadrm_vendor_data_file, file_type, data_file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index fc49e14..9b69e54 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,5 +1,36 @@
+### DATA
+/data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
+/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0
+/data/vendor/media(/.*)? u:object_r:media_vendor_data_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/camera(/.*)? u:object_r:camera_data_file:s0
+
+### DEV
+# Graphics
+/dev/mali[0-9] u:object_r:gpu_device:s0
+/dev/g2d u:object_r:graphics_device:s0
+
+# ZRAM
+/dev/block/zram0 u:object_r:swap_block_device:s0
+
### ROOT
/dqmdbg(/.*)? u:object_r:dqmdbg_file:s0
/omr(/.*)? u:object_r:omr_file:s0
/optics(/.*)? u:object_r:optics_file:s0
/prism(/.*)? u:object_r:prism_file:s0
+
+### VENDOR
+/(vendor|system/vendor)/bin/argosd u:object_r:argosd_exec:s0
+
+/(vendor|system/vendor)/bin/vendor\.samsung\.hardware\.security\.widevine\.keyprovisioning@[0-9]\.[0-9]-service u:object_r:hal_drm_widevine_exec:s0
+
+/(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0
+/(vendor|system/vendor)/bin/hw/macloader u:object_r:macloader_exec:s0
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@[0-9]\.[0-9]-service\.samsung u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@[0-9]\.[0-9]-service\.exynos9611 u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@[0-9]\.[0-9]-service\.samsung u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.camera\.provider@[0-9]\.[0-9]-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
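Review bot: The Widevine keyprovisioning binary on the `vendor\.samsung\.hardware\.security\.widevine\.keyprovisioning@[0-9]\.[0-9]-service` line is labeled `hal_drm_widevine_exec`, the same exec type as the DRM HAL itself, so both processes will run in the single `hal_drm_widevine` domain and every rule later added for playback will also apply to the provisioning service. A dedicated exec type and domain for the provisioning binary would keep the two confined separately, which matters because provisioning touches the device keys rather than media sessions. If sharing the domain is deliberate, a short comment on that line stating so would save the next reader the same question.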
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
new file mode 100644
index 0000000..319e31b
--- /dev/null
+++ b/sepolicy/vendor/fsck.te
@@ -0,0 +1,3 @@
+# fsck.te
+
+allow fsck efs_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..c1ed7e5
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,3 @@
+# hal_camera_default.te
+
+vndbinder_use(hal_camera_default);
diff --git a/sepolicy/vendor/hal_drm_clearkey.te b/sepolicy/vendor/hal_drm_clearkey.te
new file mode 100644
index 0000000..4135646
--- /dev/null
+++ b/sepolicy/vendor/hal_drm_clearkey.te
@@ -0,0 +1,7 @@
+# hal_drm_clearkey.te
+
+type hal_drm_clearkey, domain;
+hal_server_domain(hal_drm_clearkey, hal_drm);
+
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_clearkey);
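Review bot: The `type hal_drm_clearkey, domain;` and `type hal_drm_clearkey_exec, ...` declarations look like a copy of the clearkey policy that recent platform releases already ship in their own vendor policy; if this device inherits that file, the duplicate type declaration will fail the policy compile. The platform policy is not visible from this diff, so confirm whether the type already exists and, if it does, drop the declarations and keep only device-specific rules here (the `hal_drm_widevine.te` file in this commit is not affected, since that domain is device-defined).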
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
new file mode 100644
index 0000000..0e23e84
--- /dev/null
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -0,0 +1,7 @@
+# hal_drm_widevine.te
+
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm);
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine);
diff --git a/sepolicy/vendor/hal_gatekeeper_default.te b/sepolicy/vendor/hal_gatekeeper_default.te
new file mode 100644
index 0000000..b239f59
--- /dev/null
+++ b/sepolicy/vendor/hal_gatekeeper_default.te
@@ -0,0 +1,3 @@
+# hal_gatekeeper_default.te
+
+teegris_use(hal_gatekeeper_default);
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
new file mode 100644
index 0000000..5be6394
--- /dev/null
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -0,0 +1,10 @@
+# hal_graphics_composer_default.te
+
+vndbinder_use(hal_graphics_composer_default);
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket read;
+
+allow hal_graphics_composer_default graphics_device:chr_file rw_file_perms;
+
+allow hal_graphics_composer_default log_vendor_data_file:dir rw_file_perms;
+allow hal_graphics_composer_default log_vendor_data_file:file rw_file_perms;
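Review bot: `allow hal_graphics_composer_default log_vendor_data_file:dir rw_file_perms;` applies a file permission set to the dir class, so the domain receives `write` and `append` on the directory but neither `search` nor `add_name`, which means it still cannot traverse into the directory or create entries in it. The directory rule should read `allow hal_graphics_composer_default log_vendor_data_file:dir rw_dir_perms;` (or `create_dir_perms` if it also makes subdirectories), and if the composer creates its own log files the file rule needs `create_file_perms` rather than `rw_file_perms`. Which of the two applies should be visible from the remaining denials once the dir rule is corrected.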
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..abe62a2
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1,3 @@
+# hal_health_default.te
+
+r_dir_file(hal_health_default, sysfs_battery);
diff --git a/sepolicy/vendor/hal_keymaster_default.te b/sepolicy/vendor/hal_keymaster_default.te
new file mode 100644
index 0000000..df7ee38
--- /dev/null
+++ b/sepolicy/vendor/hal_keymaster_default.te
@@ -0,0 +1,3 @@
+# hal_keymaster_default.te
+
+teegris_use(hal_keymaster_default);
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..0a712a6
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1,3 @@
+# hal_wifi_default.te
+
+allow hal_wifi_default conn_vendor_data_file:file rw_file_perms;
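Review bot: `allow hal_wifi_default conn_vendor_data_file:file rw_file_perms;` grants the file operations but nothing on the `conn_vendor_data_file:dir` class, so unless an existing rule already gives this domain `search` on that directory the path lookup is denied before the file rule is ever consulted. Adding `allow hal_wifi_default conn_vendor_data_file:dir r_dir_perms;` next to it (or `rw_dir_perms` if the HAL creates files there) would close that gap; if the directory access is already granted elsewhere, a comment here pointing to that rule would make the pair easier to maintain.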
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..902b0e3
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,7 @@
+# init.te
+
+allow init omr_file:dir mounton;
+allow init efs_file:dir mounton;
+allow init mnt_vendor_file:dir mounton;
+
+allow init tmpfs:lnk_file create;
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
new file mode 100644
index 0000000..6198ece
--- /dev/null
+++ b/sepolicy/vendor/kernel.te
@@ -0,0 +1,8 @@
+# kernel.te
+
+allow kernel self:capability mknod;
+
+r_dir_file(kernel, sysfs_sec_key);
+
+allow kernel device:dir { add_name write };
+allow kernel device:chr_file { create setattr };
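Review bot: `allow kernel device:chr_file { create setattr };`, together with the `self:capability mknod` and `device:dir { add_name write }` lines above it, lets the kernel domain create and relabel device nodes under `/dev`, which is normally the job of `ueventd` and is a broad grant for a domain that does not otherwise need it. Nothing in the diff says which kernel-side path triggers these denials, so a comment above the rules naming the driver or subsystem that creates the node (for example `# needed by <subsystem> creating its node at boot`) would let a later reviewer judge whether the rules still belong, and the platform's neverallow checks on device-node creation should be confirmed to pass with `kernel` included.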
diff --git a/sepolicy/vendor/tzdaemon.te b/sepolicy/vendor/tzdaemon.te
new file mode 100644
index 0000000..20adaa5
--- /dev/null
+++ b/sepolicy/vendor/tzdaemon.te
@@ -0,0 +1,4 @@
+# tzdaemon.te
+
+allow tzdaemon efs_file:dir search;
+allow tzdaemon tee_efs_file:dir search;
diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te
new file mode 100644
index 0000000..2f78e0d
--- /dev/null
+++ b/sepolicy/vendor/ueventd.te
@@ -0,0 +1,3 @@
+# ueventd.te
+
+allow ueventd self:capability sys_nice;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..b52d2c3
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,7 @@
+# vendor_init.te
+
+set_prop(vendor_init, vold_prop);
+
+allow vendor_init cgroup:file getattr;
+allow vendor_init tmpfs:dir { write add_name };
+allow vendor_init tmpfs:lnk_file create;