Add 'sepolicy/' from tag 'android-15.0.0_r2'

git-subtree-dir: sepolicy git-subtree-mainline: e3b10c7b99 git-subtree-split: b533a0a66d Change-Id: Ib092346a141d5b4455aaade3be274f75c98f40cf
2024-10-28 07:07:04 +02:00 · 2024-10-28 07:07:04 +02:00 · bfc5da8a23
commit bfc5da8a23
parent e3b10c7b99 b533a0a66d
23 changed files with 158 additions and 0 deletions
--- a/sepolicy/OWNERS
+++ b/sepolicy/OWNERS
@ -0,0 +1,4 @@
+include device/google/gs-common:/sepolicy/OWNERS
+
+adamshih@google.com
+
--- a/sepolicy/comet-sepolicy.mk
+++ b/sepolicy/comet-sepolicy.mk
@ -0,0 +1,6 @@
+# sepolicy exclusively for comet.
+BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/private
--- a/sepolicy/system_ext/private/gmscore_app.te
+++ b/sepolicy/system_ext/private/gmscore_app.te
@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(gmscore_app, setupwizard_feature_prop)
--- a/sepolicy/system_ext/private/priv_app.te
+++ b/sepolicy/system_ext/private/priv_app.te
@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)
--- a/sepolicy/system_ext/private/property_contexts
+++ b/sepolicy/system_ext/private/property_contexts
@ -0,0 +1,2 @@
+# setupwizard
+setupwizard.feature.provisioning_profile_mode    u:object_r:setupwizard_feature_prop:s0
--- a/sepolicy/system_ext/public/property.te
+++ b/sepolicy/system_ext/public/property.te
@ -0,0 +1,2 @@
+# setupwizard
+system_public_prop(setupwizard_feature_prop)
--- a/sepolicy/tracking_denials/README.txt
+++ b/sepolicy/tracking_denials/README.txt
@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.
--- a/sepolicy/tracking_denials/bug_map
+++ b/sepolicy/tracking_denials/bug_map
@ -0,0 +1 @@
+
--- a/sepolicy/vendor/README.txt
+++ b/sepolicy/vendor/README.txt
@ -0,0 +1,2 @@
+This folder holds sepolicy exclusively for one device. For example, genfs_contexts
+paths that are affected by device tree.
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@ -0,0 +1 @@
+type sysfs_fingerprint, sysfs_type, fs_type;
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@ -0,0 +1,29 @@
+# Devices
+/dev/lwis-act-cornerfolk                                                    u:object_r:lwis_device:s0
+/dev/lwis-act-jotnar                                                        u:object_r:lwis_device:s0
+/dev/lwis-act-nessie                                                        u:object_r:lwis_device:s0
+/dev/lwis-eeprom-jotnar                                                     u:object_r:lwis_device:s0
+/dev/lwis-eeprom-nessie                                                     u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-imentet                                              u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-svarog                                               u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-svarog-outer                                         u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644                                                      u:object_r:lwis_device:s0
+/dev/lwis-ois-jotnar                                                        u:object_r:lwis_device:s0
+/dev/lwis-ois-nessie                                                        u:object_r:lwis_device:s0
+/dev/lwis-sensor-dokkaebi-tele                                              u:object_r:lwis_device:s0
+/dev/lwis-sensor-imentet                                                    u:object_r:lwis_device:s0
+/dev/lwis-sensor-oksoko                                                     u:object_r:lwis_device:s0
+/dev/lwis-sensor-svarog                                                     u:object_r:lwis_device:s0
+/dev/lwis-sensor-svarog-outer                                               u:object_r:lwis_device:s0
+/dev/lwis-tof-tarasque                                                      u:object_r:lwis_device:s0
+
+# Services
+/vendor/bin/init_thermal_config                                u:object_r:init_thermal_config_exec:s0
+# FPC AIDL HAL
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42_fw49    u:object_r:hal_fingerprint_capacitance_exec:s0
+
+# FPC HIDL HAL
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0
+
+# Touch
+/dev/touch_offload_outer                                                    u:object_r:touch_offload_device:s0
--- a/sepolicy/vendor/fingerprint_factory_service.te
+++ b/sepolicy/vendor/fingerprint_factory_service.te
@ -0,0 +1,3 @@
+type fingerprint_factory_service, service_manager_type;
+type fingerprint_factory_service_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(fingerprint_factory_service)
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@ -0,0 +1,44 @@
+# Display
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/available_disp_stats                 u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/gamma                                u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/min_vrefresh                         u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/idle_delay_ms                        u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_idle                           u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_need_handle_idle_exit          u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/op_hz                                u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/hs_clock                                                u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight                            u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/power_state                          u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extinfo                        u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name                           u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number                        u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/refresh_rate                         u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/refresh_ctrl                         u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/time_in_state                        u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_model                          u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count_te                       u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count_unknown                  u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19471000.drmdecon/dqe1/atc                                               u:object_r:sysfs_display:s0
+
+# Battery
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply                               u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply                               u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply                                      u:object_r:sysfs_batteryinfo:s0
+
+# wake up nodes
+genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/power/wakeup         u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power/wakeup                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply/maxfg_secondary/power/wakeup  u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply/maxfg_secondary/wakeup        u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/wakeup                                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/wakeup                                                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/power/wakeup       u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/wakeup             u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/power/wakeup                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/wakeup                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020/wakeup                                                u:object_r:sysfs_wakeup:s0
+# WLC
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061                                            u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020     u:object_r:sysfs_fingerprint:s0
--- a/sepolicy/vendor/grilservice_app.te
+++ b/sepolicy/vendor/grilservice_app.te
@ -0,0 +1,2 @@
+allow grilservice_app gril_antenna_tuning_service:service_manager find;
+binder_call(grilservice_app, twoshay)
--- a/sepolicy/vendor/hal_fingerprint_capacitance.te
+++ b/sepolicy/vendor/hal_fingerprint_capacitance.te
@ -0,0 +1,36 @@
+# hal_fingerprint_capacitance definition
+type hal_fingerprint_capacitance, domain;
+hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint)
+
+type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_capacitance)
+
+# allow fingerprint to access file
+allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms;
+
+# allow fingerprint to access wakeup node
+allow hal_fingerprint_capacitance sysfs_wakeup:file rw_file_perms;
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_capacitance, hal_power);
+
+# allow fingerprint to find fwk service
+allow hal_fingerprint_capacitance fwk_stats_service:service_manager find;
+
+# allow fingerprint to access input_device
+allow hal_fingerprint_capacitance input_device:dir r_dir_perms;
+allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;
+
+# allow fingerprint to access hwservice
+add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice)
+
+# allow fingerprint to access servicemanager
+binder_call(hal_fingerprint_capacitance, servicemanager)
+
+# allow fingerprint to access fwk sensor hwservice
+allow hal_fingerprint_capacitance fwk_sensor_service:service_manager find;
+
+# allow fingerprint to access fingerprint property
+set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)
--- a/sepolicy/vendor/hwservice.te
+++ b/sepolicy/vendor/hwservice.te
@ -0,0 +1 @@
+type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type;
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@ -0,0 +1,2 @@
+com.fingerprints42.extension::IFingerprintEngineering  u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
+com.fingerprints42.extension::IFingerprintSensorTest   u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
--- a/sepolicy/vendor/init_thermal_config.te
+++ b/sepolicy/vendor/init_thermal_config.te
@ -0,0 +1,5 @@
+type init_thermal_config, domain;
+type init_thermal_config_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(init_thermal_config);
+
+set_prop(init_thermal_config, vendor_thermal_prop)
--- a/sepolicy/vendor/service_contexts
+++ b/sepolicy/vendor/service_contexts
@ -0,0 +1 @@
+com.google.hardware.pixel.display.IDisplay/secondary       u:object_r:hal_pixel_display_service:s0
--- a/sepolicy/vendor/servicemanager.te
+++ b/sepolicy/vendor/servicemanager.te
@ -0,0 +1 @@
+#binder_call(servicemanager, hal_fingerprint_capacitance)
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@ -0,0 +1,2 @@
+# TODO (b/306087355) Remove this and make it specific to the app
+hal_client_domain(system_app, hal_fingerprint)
--- a/sepolicy/vendor/systemui_app.te
+++ b/sepolicy/vendor/systemui_app.te
@ -0,0 +1,3 @@
+# TODO (b/264266705) Remove this and make it specific to the app
+# allow SystemUIGoogle to access fingerprint hal
+hal_client_domain(systemui_app, hal_fingerprint)
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@ -0,0 +1,5 @@
+# Camera vendor property
+set_prop(vendor_init, vendor_camera_debug_prop)
+
+# setupwizard
+set_prop(vendor_init, setupwizard_feature_prop)
				`@ -0,0 +1 @@`
				`type sysfs_fingerprint, sysfs_type, fs_type;`
				`@ -0,0 +1 @@`
				`type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type;`
				`@ -0,0 +1 @@`
				`com.google.hardware.pixel.display.IDisplay/secondary u:object_r:hal_pixel_display_service:s0`
				`@ -0,0 +1 @@`
				`#binder_call(servicemanager, hal_fingerprint_capacitance)`