From 5dbe6b8ff07813c426e041e4ae6401da8e54db0f Mon Sep 17 00:00:00 2001
From: Michael Bestas
Date: Tue, 2 Dec 2025 04:18:21 +0200
Subject: [PATCH] bluejay: Rework sepolicy

Change-Id: Idb0636bce2392beb720e420055a7bcb838725a18
---
 bluejay/BoardConfig.mk | 5 ++++-
 sepolicy/OWNERS | 4 ----
 sepolicy/bluejay-sepolicy.mk | 10 ----------
 sepolicy/bluejay/file_contexts | 3 ---
 sepolicy/bluejay/genfs_contexts | 4 ----
 sepolicy/bluejay/grilservice_app.te | 1 -
 sepolicy/bluejay/ufs_firmware_update.te | 10 ----------
 sepolicy/{tracking_denials => vendor}/bug_map | 0
 sepolicy/{bluejay => vendor}/device.te | 1 -
 sepolicy/vendor/dump_stm.te | 8 ++++++++
 sepolicy/vendor/file.te | 1 +
 sepolicy/vendor/file_contexts | 3 +++
 sepolicy/vendor/genfs_contexts | 8 ++++++++
 sepolicy/vendor/init.te | 1 +
 sepolicy/vendor/property.te | 1 +
 sepolicy/vendor/property_contexts | 1 +
 sepolicy/vendor/ufs_firmware_update.te | 3 +++
 17 files changed, 30 insertions(+), 34 deletions(-)
 delete mode 100644 sepolicy/OWNERS
 delete mode 100644 sepolicy/bluejay-sepolicy.mk
 delete mode 100644 sepolicy/bluejay/file_contexts
 delete mode 100644 sepolicy/bluejay/genfs_contexts
 delete mode 100644 sepolicy/bluejay/grilservice_app.te
 delete mode 100644 sepolicy/bluejay/ufs_firmware_update.te
 rename sepolicy/{tracking_denials => vendor}/bug_map (100%)
 rename sepolicy/{bluejay => vendor}/device.te (68%)
 create mode 100644 sepolicy/vendor/dump_stm.te
 create mode 100644 sepolicy/vendor/file.te
 create mode 100644 sepolicy/vendor/file_contexts
 create mode 100644 sepolicy/vendor/genfs_contexts
 create mode 100644 sepolicy/vendor/init.te
 create mode 100644 sepolicy/vendor/property.te
 create mode 100644 sepolicy/vendor/property_contexts
 create mode 100644 sepolicy/vendor/ufs_firmware_update.te

diff --git a/bluejay/BoardConfig.mk b/bluejay/BoardConfig.mk
index 5fa20ed..47281be 100644
--- a/bluejay/BoardConfig.mk
+++ b/bluejay/BoardConfig.mk
@@ -30,7 +30,10 @@ BOARD_VENDOR_KERNEL_RAMDISK_KERNEL_MODULES_LOAD += $(BOARD_VENDOR_KERNEL_RAMDISK
 BOARD_VENDOR_KERNEL_RAMDISK_KERNEL_MODULES += $(addprefix $(KERNEL_MODULE_DIR)/, $(notdir $(BOARD_VENDOR_KERNEL_RAMDISK_KERNEL_MODULES_LOAD_RAW)))
 
 # SEPolicy
-include device/google/bluejay/sepolicy/bluejay-sepolicy.mk
+BOARD_VENDOR_SEPOLICY_DIRS += \
+ $(DEVICE_PATH)/sepolicy/vendor \
+ hardware/google/pixel-sepolicy/vibrator/common \
+ hardware/google/pixel-sepolicy/vibrator/cs40l26
 
 # WiFi
 include device/google/gs101/wifi/BoardConfig-wifi.mk
diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
deleted file mode 100644
index 5232bc3..0000000
--- a/sepolicy/OWNERS
+++ /dev/null
@@ -1,4 +0,0 @@
-include device/google/gs-common:/sepolicy/OWNERS
-
-adamshih@google.com
-
diff --git a/sepolicy/bluejay-sepolicy.mk b/sepolicy/bluejay-sepolicy.mk
deleted file mode 100644
index 6f0609f..0000000
--- a/sepolicy/bluejay-sepolicy.mk
+++ /dev/null
@@ -1,10 +0,0 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/bluejay/sepolicy/bluejay
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/bluejay/sepolicy/tracking_denials
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bcmbt/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/modem_svc_sit/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/stm/sepolicy
-
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/vibrator/common
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/vibrator/cs40l26
diff --git a/sepolicy/bluejay/file_contexts b/sepolicy/bluejay/file_contexts
deleted file mode 100644
index c3e78a4..0000000
--- a/sepolicy/bluejay/file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# Devices
-/dev/block/platform/14700000\.ufs/by-name/fips u:object_r:fips_block_device:s0
-
diff --git a/sepolicy/bluejay/genfs_contexts b/sepolicy/bluejay/genfs_contexts
deleted file mode 100644
index 829c58d..0000000
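Review bot: The new BOARD_VENDOR_SEPOLICY_DIRS list replaces the deleted bluejay-sepolicy.mk but carries over only the two vibrator directories; gs-common/bcmbt/sepolicy, gs-common/modem/modem_svc_sit/sepolicy, gs-common/touch/stm/sepolicy and pixel-sepolicy/powerstats are dropped with no replacement anywhere in this patch. If those are now appended by the gs101 common BoardConfig included elsewhere this is fine, but the commit message does not say so, and the new sepolicy/vendor files reference `dump_stm`, `sysfs_touch` and `dump_stm_exec`, none of which this patch declares — a missing type declaration fails the policy build, whereas a missing allow rule only surfaces later as a runtime denial. `$(DEVICE_PATH)` also has to be assigned before line 30 of this file for the first entry to resolve. A comment such as `# bcmbt, modem_svc_sit, touch/stm and powerstats policy are pulled in by the gs101 common BoardConfig` above the list would record where the removed directories went.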
--- a/sepolicy/bluejay/genfs_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-# Storage
-genfscon sysfs /devices/platform/14700000.ufs/vendor u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/model u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/rev u:object_r:sysfs_scsi_devices_0000:s0
diff --git a/sepolicy/bluejay/grilservice_app.te b/sepolicy/bluejay/grilservice_app.te
deleted file mode 100644
index ad0a779..0000000
--- a/sepolicy/bluejay/grilservice_app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
diff --git a/sepolicy/bluejay/ufs_firmware_update.te b/sepolicy/bluejay/ufs_firmware_update.te
deleted file mode 100644
index f0b801f..0000000
--- a/sepolicy/bluejay/ufs_firmware_update.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# Storage firmware upgrade
-init_daemon_domain(ufs_firmware_update)
-
-# ufs FFU
-allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
-allow ufs_firmware_update block_device:dir r_dir_perms;
-allow ufs_firmware_update fips_block_device:blk_file rw_file_perms;
-allow ufs_firmware_update sysfs:dir r_dir_perms;
-allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
-
diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/vendor/bug_map
similarity index 100%
rename from sepolicy/tracking_denials/bug_map
rename to sepolicy/vendor/bug_map
diff --git a/sepolicy/bluejay/device.te b/sepolicy/vendor/device.te
similarity index 68%
rename from sepolicy/bluejay/device.te
rename to sepolicy/vendor/device.te
index d2a91db..e524b19 100644
--- a/sepolicy/bluejay/device.te
+++ b/sepolicy/vendor/device.te
@@ -1,2 +1 @@
-# Block Devices
 type fips_block_device, dev_type;
diff --git a/sepolicy/vendor/dump_stm.te b/sepolicy/vendor/dump_stm.te
new file mode 100644
index 0000000..7d0f237
--- /dev/null
+++ b/sepolicy/vendor/dump_stm.te
@@ -0,0 +1,8 @@
+get_prop(dump_stm, vendor_touch_dump_path_prop)
+
+pixel_bugreport(dump_stm)
+
+allow dump_stm proc_touch:file rw_file_perms;
+allow dump_stm sysfs_touch:dir search;
+allow dump_stm sysfs_touch:file rw_file_perms;
+allow dump_stm vendor_toolbox_exec:file execute_no_trans;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..fad5452
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1 @@
+type proc_touch, fs_type, proc_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..0b421e6
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,3 @@
+/dev/block/platform/14700000\.ufs/by-name/fips u:object_r:fips_block_device:s0
+/vendor/bin/dump/dump_stm\.sh u:object_r:dump_stm_exec:s0
+/vendor/bin/resku_rescue_kicker u:object_r:tee_exec:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..5d9b68d
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
@@ -0,0 +1,8 @@
+genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
+genfscon proc /fts/driver_test u:object_r:proc_touch:s0
+genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/platform/14700000.ufs/vendor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/model u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/rev u:object_r:sysfs_scsi_devices_0000:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..74a6666
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_touch_dump_path_prop)
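Review bot: `allow dump_stm proc_touch:file rw_file_perms;` and `allow dump_stm sysfs_touch:file rw_file_perms;` give a bugreport dump helper write access to the touch driver's proc and sysfs nodes, which the genfs_contexts in this same patch maps to the `driver_test` entries and the SPI device node. If dump_stm.sh only reads those nodes, narrow both rules to `r_file_perms`; if it has to write `driver_test` to start a self-test before reading the result, keep `rw_file_perms` but say so above the rules, e.g. `# driver_test is written to trigger the touch self-test, then read back for the dump`. The `execute_no_trans` on vendor_toolbox_exec is the usual grant for a vendor shell script but also deserves a one-line comment, since the file otherwise has none and the deleted bluejay .te files did carry section comments.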
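Review bot: `/vendor/bin/resku_rescue_kicker u:object_r:tee_exec:s0` labels a new binary with the TEE daemon's executable type, so it will run in whatever domain the common policy transitions `tee_exec` into and inherit every permission that domain holds; it is the only line in the patch with no matching rule, comment or mention in the commit message. A dedicated domain and exec type for the rescue kicker, or at least a comment above the line explaining why it must run as the TEE domain rather than in its own, would make the grant reviewable and keep the TEE domain's blast radius from growing silently. `dump_stm_exec` is referenced here but declared nowhere in this patch; it presumably comes from the touch policy directory that the deleted bluejay-sepolicy.mk listed, so confirm that policy is still on BOARD_VENDOR_SEPOLICY_DIRS after the BoardConfig change.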
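Review bot: Three different SPI controller paths (`111d0000.spi`, `10d40000.spi`, `10950000.spi`) are labelled `sysfs_touch` in a device-specific genfs_contexts; bluejay has a single touch controller, so two of these entries look carried over from a shared multi-device policy and label paths that probably do not exist on this board. If that is the case, keep only the entry for this SoC — dead genfscon lines are harmless at runtime but obscure which node the `dump_stm` rules in this patch actually reach. The deleted bluejay genfs_contexts had a `# Storage` heading over the UFS entries; restoring it and adding a `# Touch` heading over the first five lines would keep the file readable.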
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..5484690
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_touch_dump_path_prop)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..524cc8b
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1 @@
+ro.vendor.touch.dump. u:object_r:vendor_touch_dump_path_prop:s0
diff --git a/sepolicy/vendor/ufs_firmware_update.te b/sepolicy/vendor/ufs_firmware_update.te
new file mode 100644
index 0000000..ca64dce
--- /dev/null
+++ b/sepolicy/vendor/ufs_firmware_update.te
@@ -0,0 +1,3 @@
+allow ufs_firmware_update block_device:dir r_dir_perms;
+allow ufs_firmware_update fips_block_device:blk_file rw_file_perms;
+allow ufs_firmware_update sysfs:dir r_dir_perms;
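Review bot: Compared with the deleted sepolicy/bluejay/ufs_firmware_update.te, this new file keeps three of the six rules and silently drops `init_daemon_domain(ufs_firmware_update)`, `allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;` and `allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;`, while the new genfs_contexts in this patch still labels the UFS `vendor`/`model`/`rev` nodes `sysfs_scsi_devices_0000`. If those rules now come from a common ufs_firmware_update policy this is fine, but nothing in the patch or commit message says so; if they do not, the daemon never transitions into its domain and can no longer read the identification nodes that are being labelled for it. Restoring the `# Storage firmware upgrade` and `# ufs FFU` comments from the deleted file, plus a line noting where the domain transition now lives, would document what the remaining three rules are for.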