From 0dbbbc376cc55c302f5b535e52a960e8ed22704c Mon Sep 17 00:00:00 2001
From: Michael Bestas
Date: Sat, 21 Jun 2025 19:44:10 +0300
Subject: [PATCH] gs-common: sepolicy: Import missing rules from BP2A

Change-Id: I70ebc8a2bce09d2590c24fc919b2804cef256568
---
 audio/sepolicy/aidl/hal_sensors_default.te | 3 +++
 gps/pixel/sepolicy/hal_gnss_pixel.te | 4 ++++
 gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te | 1 +
 modem/dump_modemlog/sepolicy/dump_modem.te | 2 ++
 modem/modem_svc_sit/sepolicy/modem_svc_sit.te | 1 +
 nfc/nfc.mk | 1 +
 nfc/sepolicy/file.te | 1 +
 nfc/sepolicy/file_contexts | 1 +
 nfc/sepolicy/hal_nfc_default.te | 2 ++
 nfc/sepolicy/nfc.te | 1 +
 performance/sepolicy/hal_power_default.te | 2 ++
 wireless_charger/sepolicy/hal_wireless_charger.te | 1 +
 wireless_charger/sepolicy/property_contexts | 1 +
 13 files changed, 21 insertions(+)
 create mode 100644 audio/sepolicy/aidl/hal_sensors_default.te
 create mode 100644 nfc/nfc.mk
 create mode 100644 nfc/sepolicy/file.te
 create mode 100644 nfc/sepolicy/file_contexts
 create mode 100644 nfc/sepolicy/hal_nfc_default.te
 create mode 100644 nfc/sepolicy/nfc.te

diff --git a/audio/sepolicy/aidl/hal_sensors_default.te b/audio/sepolicy/aidl/hal_sensors_default.te
new file mode 100644
index 0000000..ca738ea
--- /dev/null
+++ b/audio/sepolicy/aidl/hal_sensors_default.te
@@ -0,0 +1,3 @@
+# Allow access to audio HAL.
+binder_call(hal_sensors_default, hal_audio_default)
+allow hal_sensors_default hal_audio_ext_service:service_manager find;
diff --git a/gps/pixel/sepolicy/hal_gnss_pixel.te b/gps/pixel/sepolicy/hal_gnss_pixel.te
index b9e1bd4..8d8e8ee 100644
--- a/gps/pixel/sepolicy/hal_gnss_pixel.te
+++ b/gps/pixel/sepolicy/hal_gnss_pixel.te
@@ -17,6 +17,10 @@ get_prop(hal_gnss_pixel, vendor_gps_prop)
 binder_call(hal_gnss_pixel, hal_contexthub_default)
 allow hal_gnss_pixel hal_contexthub_service:service_manager find;
+# Allow binder to fwk stats.
+binder_call(hal_gnss_pixel, fwk_stats_service)
+allow hal_gnss_pixel fwk_stats_service:service_manager find;
+
 # Allow connect to gnss service
 allow hal_gnss_pixel vendor_gps_file:dir create_dir_perms;
 allow hal_gnss_pixel vendor_gps_file:fifo_file create_file_perms;
diff --git a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te
index 68dd397..bac255e 100644
--- a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te
+++ b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te
@@ -30,4 +30,5 @@ allow hal_aidl_radio_ext sysfs_leds:dir search;
 allow hal_aidl_radio_ext sysfs_leds:file rw_file_perms;
 # legacy/zuma/vendor
+allow hal_aidl_radio_ext sysfs_display:dir search;
 allow hal_aidl_radio_ext sysfs_display:file rw_file_perms;
diff --git a/modem/dump_modemlog/sepolicy/dump_modem.te b/modem/dump_modemlog/sepolicy/dump_modem.te
index 2ffa351..a1a9e08 100644
--- a/modem/dump_modemlog/sepolicy/dump_modem.te
+++ b/modem/dump_modemlog/sepolicy/dump_modem.te
@@ -10,3 +10,5 @@ allow dump_modem vendor_rfsd_log_file:file r_file_perms;
 allow dump_modem vendor_toolbox_exec:file execute_no_trans;
 allow dump_modem sysfs_dump_modem:file r_file_perms;
 allow dump_modem logbuffer_device:chr_file r_file_perms;
+allow dump_modem radio_vendor_data_file:dir r_dir_perms;
+allow dump_modem radio_vendor_data_file:file r_file_perms;
diff --git a/modem/modem_svc_sit/sepolicy/modem_svc_sit.te b/modem/modem_svc_sit/sepolicy/modem_svc_sit.te
index b1ed074..71bb442 100644
--- a/modem/modem_svc_sit/sepolicy/modem_svc_sit.te
+++ b/modem/modem_svc_sit/sepolicy/modem_svc_sit.te
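Review bot: In gps/pixel/sepolicy/hal_gnss_pixel.te the added `binder_call(hal_gnss_pixel, fwk_stats_service)` passes a service label where the macro expects a process domain. `fwk_stats_service` is the service_manager object type that the added `find` rule targets, so the binder rule most likely matches no running process and does not by itself permit the call into the stats service. Name the domain or attribute that hosts the service instead, for example `binder_call(hal_gnss_pixel, stats_service_server)` if that attribute is what platform policy on this branch assigns to the host. Then check the audit log to confirm no binder `call` denial remains for hal_gnss_pixel.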
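Review bot: The two rules added at the end of modem/dump_modemlog/sepolicy/dump_modem.te give dump_modem read access to every directory and file labelled `radio_vendor_data_file`, and nothing in the hunk says which files it is meant to collect. If only a log subdirectory is needed, a dedicated type for that path would keep unrelated radio data out of the dump output. At minimum add a comment above the rules, such as `# Read modem logs kept under <radio vendor data path> when collecting dumps`. The start of the file is outside the hunk, so a narrower label may already exist there.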
@@ -1,2 +1,3 @@
 # Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
 hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
+binder_call(hal_shared_modem_platform_server, hal_shared_modem_platform_client)
diff --git a/nfc/nfc.mk b/nfc/nfc.mk
new file mode 100644
index 0000000..e7611af
--- /dev/null
+++ b/nfc/nfc.mk
@@ -0,0 +1 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy
diff --git a/nfc/sepolicy/file.te b/nfc/sepolicy/file.te
new file mode 100644
index 0000000..5b9cba7
--- /dev/null
+++ b/nfc/sepolicy/file.te
@@ -0,0 +1 @@
+type vendor_nfc_vendor_data_file, file_type, data_file_type;
diff --git a/nfc/sepolicy/file_contexts b/nfc/sepolicy/file_contexts
new file mode 100644
index 0000000..121b5c9
--- /dev/null
+++ b/nfc/sepolicy/file_contexts
@@ -0,0 +1 @@
+/data/vendor/nfc(/.*)? u:object_r:vendor_nfc_vendor_data_file:s0
diff --git a/nfc/sepolicy/hal_nfc_default.te b/nfc/sepolicy/hal_nfc_default.te
new file mode 100644
index 0000000..9486137
--- /dev/null
+++ b/nfc/sepolicy/hal_nfc_default.te
@@ -0,0 +1,2 @@
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;
diff --git a/nfc/sepolicy/nfc.te b/nfc/sepolicy/nfc.te
new file mode 100644
index 0000000..ee361b5
--- /dev/null
+++ b/nfc/sepolicy/nfc.te
@@ -0,0 +1 @@
+allow nfc vendor_nfc_vendor_data_file:dir search;
diff --git a/performance/sepolicy/hal_power_default.te b/performance/sepolicy/hal_power_default.te
index 5b010fc..036e37e 100644
--- a/performance/sepolicy/hal_power_default.te
+++ b/performance/sepolicy/hal_power_default.te
@@ -1,3 +1,5 @@
+hal_client_domain(hal_power_default, hal_thermal)
+
 # allow power hal to access pa kill knobs
 allow hal_power_default sysfs_pakills:file rw_file_perms;
 allow hal_power_default sysfs_pakills:dir r_dir_perms;
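Review bot: The added `binder_call(hal_shared_modem_platform_server, hal_shared_modem_platform_client)` in modem/modem_svc_sit/sepolicy/modem_svc_sit.te is written against the two HAL attributes, so it applies to every server and client of this HAL, not only to modem_svc_sit. It also carries no comment; server-to-client calls are presumably callbacks, and a line such as `# Allow the HAL server to invoke callbacks registered by its clients` would record that. Consider moving the rule next to the policy that defines the hal_shared_modem_platform attributes, or narrowing the source to `modem_svc_sit` if only this server needs it.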
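Review bot: `allow nfc vendor_nfc_vendor_data_file:dir search;` in nfc/sepolicy/nfc.te has no comment, and a bare `search` permission only lets the nfc domain traverse /data/vendor/nfc without reading anything in it. Add a comment above the rule stating what the nfc domain reaches through that directory, or drop the rule if it only silences a denial with no functional effect. The two uncommented rules in nfc/sepolicy/hal_nfc_default.te would likewise benefit from one line saying what the HAL stores under /data/vendor/nfc.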
diff --git a/wireless_charger/sepolicy/hal_wireless_charger.te b/wireless_charger/sepolicy/hal_wireless_charger.te
index b5ed734..f17703e 100644
--- a/wireless_charger/sepolicy/hal_wireless_charger.te
+++ b/wireless_charger/sepolicy/hal_wireless_charger.te
@@ -7,6 +7,7 @@ allow hal_wireless_charger sysfs_batteryinfo:file rw_file_perms;
 allow hal_wireless_charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow hal_wireless_charger sysfs_wlc:file rw_file_perms;
+set_prop(hal_wireless_charger, vendor_wlcservice_prop)
 binder_call(hal_wireless_charger, servicemanager)
 add_service(hal_wireless_charger, hal_wireless_charger_service)
diff --git a/wireless_charger/sepolicy/property_contexts b/wireless_charger/sepolicy/property_contexts
index 9055e69..bcc93f1 100644
--- a/wireless_charger/sepolicy/property_contexts
+++ b/wireless_charger/sepolicy/property_contexts
@@ -1,2 +1,3 @@
 vendor.wlcservice.test.authentication u:object_r:vendor_wlcservice_prop:s0 exact bool
 vendor.wlcservice.fwupdate.tx u:object_r:vendor_wlcservice_prop:s0 exact enum 0 1 2 3
+vendor.wlcservice.start u:object_r:vendor_wlcservice_prop:s0 exact bool
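Review bot: `set_prop(hal_wireless_charger, vendor_wlcservice_prop)` in wireless_charger/sepolicy/hal_wireless_charger.te grants write access to every property carrying that label. Per the property_contexts file in this same patch, that covers `vendor.wlcservice.test.authentication` and `vendor.wlcservice.fwupdate.tx` as well as the new `vendor.wlcservice.start`. If the HAL only needs to set the start flag, give that property its own type and grant `set_prop` on that type, so the test and firmware-update switches stay writable only by their intended owner. If the HAL does own all three, a comment above the rule saying so would settle the question.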