gta4xl-common: initial working sepolicy
Change-Id: Ifd85b48ca67e409ebe8487a19bef5900ecd79b2a
diff --git a/config/init/init.exynos9611.rc b/config/init/init.exynos9611.rc
index a016bfe..11e47a4 100644
--- a/config/init/init.exynos9611.rc
+++ b/config/init/init.exynos9611.rc
@@ -117,6 +117,20 @@
chown system system /dev/cpuset/cgroup.procs
chmod 0664 /dev/cpuset/tasks
+ # for power hal
+ chown system radio /dev/cluster0_freq_min
+ chown system radio /dev/cluster0_freq_max
+ chown system radio /dev/cluster1_freq_min
+ chown system radio /dev/cluster1_freq_max
+ chown system radio /dev/cpu_dma_latency
+ chown system radio /dev/stune/top-app/schedtune.boost
+ chmod 0664 /dev/cluster0_freq_min
+ chmod 0664 /dev/cluster0_freq_max
+ chmod 0664 /dev/cluster1_freq_min
+ chmod 0664 /dev/cluster1_freq_max
+ chmod 0664 /dev/cpu_dma_latency
+ chmod 0664 /dev/stune/top-app/schedtune.boost
+
#sensor
chmod 0664 /dev/nanohub
chmod 0664 /dev/nanohub_comms
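Review bot: The `radio` group on the chown lines (L11–L16) combined with mode 0664 gives every radio-group process write access to the cluster frequency limits, `/dev/cpu_dma_latency` and the schedtune boost knob, while the only consumer the comment names is the power HAL. If hal_power_default runs as system:system (the usual AOSP service definition — confirm against its service .rc), `chown system system /dev/cluster0_freq_min` and friends are sufficient and drop a group that has no stated use here. `/dev/cpu_dma_latency` is presumably the pm_qos_device node that hal_power_default.te in this same commit opens rw, so its DAC owner and group should track that service's uid/gid rather than a wider group.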
diff --git a/sepolicy/vendor/charger.te b/sepolicy/vendor/charger.te
new file mode 100644
index 0000000..582f746
--- /dev/null
+++ b/sepolicy/vendor/charger.te
@@ -0,0 +1,6 @@
+# charger.te
+
+allow charger proc_last_kmsg:file r_file_perms;
+allow charger device:dir r_file_perms;
+allow charger sysfs_battery:file r_file_perms;
+allow charger sysfs_battery_writable:file r_file_perms;
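Review bot: `allow charger device:dir r_file_perms;` applies the file permission macro to a directory; the directory macro is `r_dir_perms`, which also carries `search`, so path lookups under /dev are actually covered — `allow charger device:dir r_dir_perms;`. The same file/dir macro mix-up recurs in hal_drm_widevine.te (`mediadrm_vendor_data_file:dir { r_file_perms search }` → `r_dir_perms`), hal_graphics_composer_default.te (`log_vendor_data_file:dir { rw_file_perms add_name }` → `rw_dir_perms`, and `:file { rw_file_perms create }` → `create_file_perms`) and tzdaemon.te (`tee_efs_file:dir { rw_file_perms add_name create remove_name }` → `{ rw_dir_perms create }`). Using the dir macros keeps the granted set an intentional one rather than the union of whatever denials were chased.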
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..d2c9b43
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,4 @@
+# device.te
+
+type cpefs_block_device, dev_type;
+type secmem_device, dev_type;
diff --git a/sepolicy/vendor/domain.te b/sepolicy/vendor/domain.te
new file mode 100644
index 0000000..0e8ede6
--- /dev/null
+++ b/sepolicy/vendor/domain.te
@@ -0,0 +1,5 @@
+# domain.te
+
+allow domain debugfs_mali:dir search;
+allow domain debugfs_mali_mem:dir search;
+allow domain debugfs_ion_dma:dir search;
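Review bot: Granting `search` on the mali, mali/mem and dma_buf debugfs directories to the whole `domain` attribute is the broadest possible scope, and the only consumer visible in this commit is hal_memtrack_default, which already receives `r_dir_file` on all four debugfs types in hal_memtrack_default.te. Unless another domain's denial motivated these three rules, they look redundant and can be dropped, or moved into the specific domain that needs them with a comment naming it.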
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index ec88178..a6884c6 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -12,3 +12,20 @@
type display_vendor_data_file, file_type, data_file_type;
type media_vendor_data_file, file_type, data_file_type;
type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# DEBUGFS
+type debugfs_mali, fs_type, debugfs_type;
+type debugfs_mali_mem, fs_type, debugfs_type;
+type debugfs_ion, fs_type, debugfs_type;
+type debugfs_ion_dma, fs_type, debugfs_type;
+
+# PROC
+type proc_swappiness, fs_type, proc_type;
+
+# SYSFS
+type sysfs_camera, sysfs_type, r_fs_type, fs_type;
+type sysfs_camera_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_chipid, sysfs_type, r_fs_type, fs_type;
+type sysfs_decon, sysfs_type, r_fs_type, fs_type;
+type sysfs_decon_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_v4l, sysfs_type, r_fs_type, fs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index ff8e769..67ca878 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -6,10 +6,18 @@
/data/camera(/.*)? u:object_r:camera_data_file:s0
### DEV
+/dev/block/platform/.+/by-name/cpefs u:object_r:cpefs_block_device:s0
+
+# Bluetooth
+/dev/scsc_h4_0 u:object_r:bt_device:s0
+
# Graphics
/dev/mali[0-9] u:object_r:gpu_device:s0
/dev/g2d u:object_r:graphics_device:s0
+# Secmem
+/dev/s5p-smem u:object_r:secmem_device:s0
+
# ZRAM
/dev/block/zram0 u:object_r:swap_block_device:s0
@@ -19,6 +27,18 @@
/optics(/.*)? u:object_r:optics_file:s0
/prism(/.*)? u:object_r:prism_file:s0
+### SYSFS
+
+# Camera
+/sys/devices/virtual/camera/rear/fw_update u:object_r:sysfs_camera_writable:s0
+/sys/devices/virtual/camera/rear/ssrm_camera_info u:object_r:sysfs_camera_writable:s0
+/sys/devices/virtual/camera(/.*) u:object_r:sysfs_camera:s0
+
+# Sensors
+/sys/devices/platform/11980000.contexthub(/.*)/buffer/length u:object_r:sysfs_sensors_writable:s0
+/sys/devices/platform/11980000.contexthub(/.*) u:object_r:sysfs_iio:s0
+/sys/devices/platform/11c30000.adc(/.*) u:object_r:sysfs_iio:s0
+
### VENDOR
/(vendor|system/vendor)/bin/argosd u:object_r:argosd_exec:s0
/(vendor|system/vendor)/bin/wlbtd u:object_r:wlbtd_exec:s0
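Review bot: The camera, contexthub and adc entries use `(/.*)` without the trailing `?` (L113, L117, L118), so the directory itself — e.g. `/sys/devices/virtual/camera` — is never matched and keeps whatever label the genfscon default gives it; `/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0` covers the directory as well (L116 deliberately needs the non-optional form). Separately, file_contexts entries under /sys only take effect when init runs `restorecon`/`restorecon_recursive` on those paths, whereas the rest of this commit labels sysfs through genfs_contexts — confirm the init rc restores these trees or move the entries to genfs_contexts.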
@@ -35,3 +55,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@[0-9]\.[0-9]-service\.samsung u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.camera\.provider@[0-9]\.[0-9]-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
+
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.exynos[0-9]*\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
index 319e31b..f65a8c6 100644
--- a/sepolicy/vendor/fsck.te
+++ b/sepolicy/vendor/fsck.te
@@ -1,3 +1,6 @@
# fsck.te
allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck cpefs_block_device:blk_file rw_file_perms;
+
+allow fsck sysfs_battery:dir search;
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..3ebf180
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
@@ -0,0 +1,33 @@
+# genfs_contexts
+
+# DEBUGFS
+genfscon debugfs /mali/ u:object_r:debugfs_mali:s0
+genfscon debugfs /mali/mem/ u:object_r:debugfs_mali_mem:s0
+genfscon debugfs /ion u:object_r:debugfs_ion:s0
+genfscon debugfs /dma_buf u:object_r:debugfs_ion_dma:s0
+
+# PROC
+genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
+
+# SYSFS
+
+# class
+genfscon sysfs /class/video4linux u:object_r:sysfs_v4l:s0
+
+# devices
+genfscon sysfs /devices/platform/148e0000.dsim/backlight/panel/max_brightness u:object_r:sysfs_backlight_writable:s0
+genfscon sysfs /devices/platform/148e0000.dsim/backlight/panel/brightness u:object_r:sysfs_backlight_writable:s0
+genfscon sysfs /devices/platform/13900000.spi/spi_master/spi6/spi6.0/input/input0/enabled u:object_r:sysfs_touchscreen_writable:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-1/1-0049/sm5713-fuelgauge/power_supply/sm5713-fuelgauge/type u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-1/1-0049/sm5713-charger/power_supply/sm5713-charger/type u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-1/1-0049/sm5713-charger/power_supply/otg/type u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/139b0000.pinctrl/gpiochip43/gpio/gpio138/value u:object_r:sysfs_gps_writable:s0
+genfscon sysfs /devices/platform/148b0000.decon_f/psr_info u:object_r:sysfs_decon:s0
+genfscon sysfs /devices/platform/148b0000.decon_f/vsync u:object_r:sysfs_decon_writable:s0
+genfscon sysfs /devices/platform/12c30000.mfc0/video4linux/video6/name u:object_r:sysfs_v4l:s0
+genfscon sysfs /devices/platform/12c30000.mfc0/video4linux/video7/name u:object_r:sysfs_v4l:s0
+genfscon sysfs /devices/platform/11a10000.speedy/i2c-12/12-0000/s2mpu09-rtc/rtc/rtc0/hctosys u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chipid:s0
+
+# module
+genfscon sysfs /module/scsc_bt/parameters/bluetooth_address u:object_r:sysfs_bt_writable:s0
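Review bot: `genfscon debugfs /mali/` and `/mali/mem/` carry a trailing slash; genfscon matches on path prefix, so as far as I can tell `/mali/` matches the children of the mali directory but not the directory entry `/mali` itself, which would stay labeled as plain debugfs while the `debugfs_mali:dir search` rules elsewhere target debugfs_mali. The other entries in this file (`/ion`, `/dma_buf`, all sysfs paths) have no trailing slash; dropping it — `genfscon debugfs /mali u:object_r:debugfs_mali:s0` and `genfscon debugfs /mali/mem u:object_r:debugfs_mali_mem:s0` — makes them consistent. The `gpiochip43`/`gpio138` and `input0` components (L166, L170) depend on kernel enumeration order; a comment recording the kernel build they were taken from would help whoever sees the label disappear after a kernel update.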
diff --git a/sepolicy/vendor/gpsd.te b/sepolicy/vendor/gpsd.te
new file mode 100644
index 0000000..7f9cd9c
--- /dev/null
+++ b/sepolicy/vendor/gpsd.te
@@ -0,0 +1,6 @@
+# gpsd.te
+
+allow gpsd sysfs_sec_gps:dir search;
+allow gpsd sysfs_gps_writable:file rw_file_perms;
+
+allow gpsd bt_device:chr_file rw_file_perms;
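Review bot: `allow gpsd bt_device:chr_file rw_file_perms;` gives the GNSS daemon read/write access to every node labeled bt_device, i.e. the Bluetooth HCI device as well. If the node gpsd actually needs is `/dev/scsc_h4_0` (labeled bt_device in this commit's file_contexts), the tighter fix is a dedicated dev_type for that node declared in device.te (name to be chosen), so gpsd is not granted the BT stack's device and the BT HAL is not granted the GNSS channel. A comment stating what gpsd exchanges over that node would make the intent reviewable either way.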
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..9505989
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,9 @@
+# hal_audio_default.te
+
+allow hal_audio_default efs_file:dir search;
+allow hal_audio_default imei_efs_file:dir search;
+allow hal_audio_default imei_efs_file:file r_file_perms;
+
+allow hal_audio_default omr_file:dir search;
+
+get_prop(hal_audio_default, vendor_radio_prop);
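Review bot: `allow hal_audio_default imei_efs_file:file r_file_perms;` lets the audio HAL read the IMEI EFS contents, a device identifier unrelated to audio; together with `get_prop(hal_audio_default, vendor_radio_prop)` it widens the data an audio-HAL compromise exposes. If the denial that motivated it was only a directory traversal, `imei_efs_file:dir search` on L201 is enough and the `:file` rule can go; if the HAL genuinely reads a file there, a comment naming which file and why lets a reviewer judge it. The same question applies to `omr_file:dir search`.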
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index c1ed7e5..dabf2fa 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -1,3 +1,22 @@
# hal_camera_default.te
vndbinder_use(hal_camera_default);
+
+binder_call(hal_camera_default, system_server);
+binder_call(system_server, hal_camera_default);
+
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+
+allow hal_camera_default hal_graphics_composer_default:fd use;
+
+r_dir_file(hal_camera_default, sysfs_camera);
+allow hal_camera_default sysfs_camera_writable:file rw_file_perms;
+
+allow hal_camera_default camera_vendor_data_file:dir search;
+allow hal_camera_default camera_vendor_data_file:file rw_file_perms;
+
+r_dir_file(hal_camera_default, sysfs_battery);
+
+get_prop(hal_camera_default, vendor_factory_prop);
+get_prop(hal_camera_default, exported_camera_prop);
+set_prop(hal_camera_default, vendor_camera_prop);
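Review bot: `binder_call(hal_camera_default, system_server)` and the reverse rule set up direct /dev/binder traffic between a vendor HAL and system_server, which Treble policy discourages in favour of hwbinder; depending on the base policy version this either trips a neverallow or requires the domain to carry the `binder_in_vendor_violators` attribute, so confirm it compiles against the target platform policy and record in a comment why the hwservice path (hal_camera_hwservice, registered in this commit's hwservice_contexts) is not sufficient. The remaining rules are scoped to named types, which is good; `camera_vendor_data_file:file rw_file_perms` without `create` suggests the files are pre-created by init — a comment confirming that would help.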
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
index 0e23e84..8383c16 100644
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -5,3 +5,13 @@
type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_widevine);
+
+allow hal_drm_widevine mediadrm_vendor_data_file:dir { r_file_perms search };
+allow hal_drm_widevine mediadrm_vendor_data_file:file rw_file_perms;
+
+allow hal_drm_widevine secmem_device:chr_file rw_file_perms;
+
+teegris_use(hal_drm_widevine);
+
+allow hal_drm_widevine efs_file:dir search;
+allow hal_drm_widevine sec_efs_file:file r_file_perms;
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
index 5be6394..3a84ca7 100644
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -2,9 +2,18 @@
vndbinder_use(hal_graphics_composer_default);
-allow hal_graphics_composer_default self:netlink_kobject_uevent_socket read;
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator);
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { create bind read setopt };
allow hal_graphics_composer_default graphics_device:chr_file rw_file_perms;
-allow hal_graphics_composer_default log_vendor_data_file:dir rw_file_perms;
-allow hal_graphics_composer_default log_vendor_data_file:file rw_file_perms;
+allow hal_graphics_composer_default log_vendor_data_file:dir { rw_file_perms add_name };
+allow hal_graphics_composer_default log_vendor_data_file:file { rw_file_perms create };
+
+allow hal_graphics_composer_default sysfs_decon:file r_file_perms;
+allow hal_graphics_composer_default sysfs_decon_writable:file rw_file_perms;
+
+allow hal_graphics_composer_default sysfs_chipid:file r_file_perms;
+
+get_prop(hal_graphics_composer_default, vendor_camera_prop);
diff --git a/sepolicy/vendor/hal_memtrack_default.te b/sepolicy/vendor/hal_memtrack_default.te
new file mode 100644
index 0000000..f8a4a28
--- /dev/null
+++ b/sepolicy/vendor/hal_memtrack_default.te
@@ -0,0 +1,6 @@
+# hal_memtrack_default.te
+
+r_dir_file(hal_memtrack_default, debugfs_mali);
+r_dir_file(hal_memtrack_default, debugfs_mali_mem);
+r_dir_file(hal_memtrack_default, debugfs_ion);
+r_dir_file(hal_memtrack_default, debugfs_ion_dma);
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..ba9e1d6
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1,6 @@
+# hal_power_default.te
+
+allow hal_power_default pm_qos_device:chr_file rw_file_perms;
+
+allow hal_power_default sysfs_battery:dir search;
+allow hal_power_default sysfs_battery_writable:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
index 0a712a6..83a0ad6 100644
--- a/sepolicy/vendor/hal_wifi_default.te
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -1,3 +1,5 @@
# hal_wifi_default.te
+allow hal_wifi_default conn_vendor_data_file:dir search;
allow hal_wifi_default conn_vendor_data_file:file rw_file_perms;
+allow hal_wifi_default wifi_vendor_data_file:dir search;
diff --git a/sepolicy/vendor/hal_wifi_supplicant_default.te b/sepolicy/vendor/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..d64ba93
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_supplicant_default.te
@@ -0,0 +1,4 @@
+# hal_wifi_supplicant_default.te
+
+allow hal_wifi_supplicant_default conn_vendor_data_file:dir search;
+allow hal_wifi_supplicant_default conn_vendor_data_file:file rw_file_perms;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..3c49dc7
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,3 @@
+# hwservice_contexts
+
+vendor.samsung.hardware.camera.provider::ISehCameraProvider u:object_r:hal_camera_hwservice:s0
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
index 6198ece..e467918 100644
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@@ -6,3 +6,6 @@
allow kernel device:dir { add_name write };
allow kernel device:chr_file { create setattr };
+
+allow kernel efs_file:dir search;
+r_dir_file(kernel, app_efs_file);
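Review bot: `r_dir_file(kernel, app_efs_file)` lets the kernel domain read application EFS data, and nothing on the line says which in-kernel reader (a driver loading a calibration blob, a kernel thread, etc.) needs it; because the kernel domain is shared by every kernel thread, this is hard to narrow later without that context. Add a comment such as `# <driver/thread — TODO confirm> reads <path under /efs> at boot` above the rule, and check whether `efs_file:dir search` alone clears the denial before granting file read.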
diff --git a/sepolicy/vendor/mediacodec.te b/sepolicy/vendor/mediacodec.te
new file mode 100644
index 0000000..cfa6547
--- /dev/null
+++ b/sepolicy/vendor/mediacodec.te
@@ -0,0 +1,5 @@
+# mediacodec.te
+
+hal_client_domain(mediacodec, hal_power);
+
+r_dir_file(mediacodec, sysfs_v4l);
diff --git a/sepolicy/vendor/proc_net.te b/sepolicy/vendor/proc_net.te
new file mode 100644
index 0000000..ead9d1e
--- /dev/null
+++ b/sepolicy/vendor/proc_net.te
@@ -0,0 +1,3 @@
+# proc_net.te
+
+allow proc_net proc:filesystem associate;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..ea940d3
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,5 @@
+# property.te
+
+type vendor_camera_prop, property_type;
+type vendor_factory_prop, property_type;
+type vendor_wlbtd_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..bf17c29
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,10 @@
+# property_contexts
+
+# CAMERA
+persist.vendor.sys.camera. u:object_r:vendor_camera_prop:s0
+
+# FACTORY
+ro.factory.factory_binary u:object_r:vendor_factory_prop:s0
+
+# WLBTD
+vendor.wlbtd. u:object_r:vendor_wlbtd_prop:s0
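Review bot: `ro.factory.factory_binary` (L377) is outside the `vendor.` / `ro.vendor.` / `persist.vendor.` namespaces that vendor-defined properties are expected to use; depending on the platform version the property namespace compatibility check may flag it, so confirm whether it is a legacy pass-through of an existing vendor-blob property (in which case a comment saying so is useful) or can be renamed. The other two keys end in a dot and are correct prefix entries.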
diff --git a/sepolicy/vendor/tzdaemon.te b/sepolicy/vendor/tzdaemon.te
index 20adaa5..cc0fc29 100644
--- a/sepolicy/vendor/tzdaemon.te
+++ b/sepolicy/vendor/tzdaemon.te
@@ -2,3 +2,7 @@
allow tzdaemon efs_file:dir search;
allow tzdaemon tee_efs_file:dir search;
+allow tzdaemon mnt_vendor_file:dir search;
+
+allow tzdaemon tee_efs_file:dir { rw_file_perms add_name create remove_name };
+allow tzdaemon tee_efs_file:file { rw_file_perms create rename unlink };
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index b52d2c3..9a58d64 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -5,3 +5,7 @@
allow vendor_init cgroup:file getattr;
allow vendor_init tmpfs:dir { write add_name };
allow vendor_init tmpfs:lnk_file create;
+allow vendor_init functionfs:file getattr;
+allow vendor_init debugfs_trace_marker:file getattr;
+
+allow vendor_init proc_swappiness:file rw_file_perms;
diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te
new file mode 100644
index 0000000..671241d
--- /dev/null
+++ b/sepolicy/vendor/vold.te
@@ -0,0 +1,4 @@
+# vold.te
+
+allow vold efs_file:dir read;
+allow vold mnt_vendor_file:dir read;
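Review bot: `allow vold efs_file:dir read;` grants `read` alone; listing a directory also needs `open` (and `search` to descend), so this is probably only the first denial of a sequence and more will follow. If vold needs to enumerate /efs, use `allow vold efs_file:dir r_dir_perms;`; if it only passes through, `search` is enough. The same applies to `mnt_vendor_file:dir read`.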
diff --git a/sepolicy/vendor/wlbtd.te b/sepolicy/vendor/wlbtd.te
index 94efdc9..bfcc87c 100644
--- a/sepolicy/vendor/wlbtd.te
+++ b/sepolicy/vendor/wlbtd.te
@@ -4,3 +4,14 @@
type wlbtd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(wlbtd);
+
+allow wlbtd conn_vendor_data_file:dir search;
+allow wlbtd conn_vendor_data_file:file rw_file_perms;
+allow wlbtd self:netlink_generic_socket { create setopt bind getattr read write };
+
+allow wlbtd init:unix_stream_socket connectto;
+
+r_dir_file(wlbtd, sysfs_wifi);
+allow wlbtd sysfs_wifi_writable:file rw_file_perms;
+
+set_prop(wlbtd, vendor_wlbtd_prop);
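Review bot: `allow wlbtd init:unix_stream_socket connectto;` on L426 is, as far as I can tell, already granted by `set_prop(wlbtd, vendor_wlbtd_prop)` on L431 — set_prop expands through unix_socket_connect(..., property, init), which includes init:unix_stream_socket connectto — so the explicit rule duplicates the macro and can be removed once that expansion is confirmed in the target base policy. If it is kept because wlbtd connects to a different init-owned socket, a comment naming that socket would stop the next reader from deleting it as redundant.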