From 890796a8893eec5629ffae1ec3cab91544a5e506 Mon Sep 17 00:00:00 2001 
From: Chia-Chi Teng Date: Mon, 11 Mar 2024 19:01:57 +0000 Subject: [PATCH 1/2] sepolicy: Allow PixelGnss implement PPS function avc: denied { read } for name="u:object_r:vendor_chre_hal_prop:s0" dev="tmpfs" ino=401 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_chre_hal_prop:s0 tclass=file avc: denied { find } for pid=900 uid=1021 name=android.hardware.contexthub.IContextHub/default scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:hal_contexthub_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:hal_gnss_pixel:s0 tcontext=u:r:hal_contexthub_default:s0 tclass=binder avc: denied { call } for scontext=u:r:hal_contexthub_default:s0 tcontext=u:r:hal_gnss_pixel:s0 tclass=binder avc: denied { search } for name="gps" dev="dm-54" ino=380 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir avc: denied { write } for name="gps" dev="dm-54" ino=380 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir avc: denied { add_name } for name=".pps_pipe" scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir avc: denied { create } for name=".pps_pipe" scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file avc: denied { read } for name=".pps_pipe" dev="dm-54" ino=11418 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file avc: denied { open } for path="/data/vendor/gps/.pps_pipe" dev="dm-54" ino=11418 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file permissive=1 avc: denied { write } for name=".pps_pipe" dev="dm-54" ino=11418 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file avc: denied { search } for name="gps" dev="dm-49" ino=380 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir avc: denied { write } for name=".ppspipe" dev="dm-49" ino=18610 scontext=u:r:hal_gnss_pixel:s0 
tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file avc: denied { write } for name="gps" dev="dm-54" ino=380 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir avc: denied { open } for path="/data/vendor/gps/.ppspipe" dev="dm-49" ino=18610 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file avc: denied { remove_name } for name=".pps_pipe" dev="dm-54" ino=11712 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=dir avc: denied { unlink } for name=".pps_pipe" dev="dm-59" ino=6600 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_file:s0 tclass=fifo_file Bug: 330120749 Test: Verify PixelGnss HAL can connect to Chre HAL. Test: Function test verification b/330120749. Test: b/330120749#comment24 health boot check. Test: b/330120749#comment25 health boot check. Change-Id: I100ae061cfcbba17a26ece79eb552d60aa782d79 --- gps/lsi/sepolicy/hal_gnss_default.te | 3 +++ gps/pixel/sepolicy/hal_gnss_pixel.te | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/gps/lsi/sepolicy/hal_gnss_default.te b/gps/lsi/sepolicy/hal_gnss_default.te index 7d363f0..0294a93 100644 --- a/gps/lsi/sepolicy/hal_gnss_default.te +++ b/gps/lsi/sepolicy/hal_gnss_default.te @@ -11,3 +11,6 @@ get_prop(hal_gnss_default, vendor_gps_prop) #IPC between pixel and vendor HAL binder_call(hal_gnss_default, hal_gnss_pixel) + +# Allow connect to gnss service +allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms; diff --git a/gps/pixel/sepolicy/hal_gnss_pixel.te b/gps/pixel/sepolicy/hal_gnss_pixel.te index 512ecc9..9a0b648 100644 --- a/gps/pixel/sepolicy/hal_gnss_pixel.te +++ b/gps/pixel/sepolicy/hal_gnss_pixel.te 
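Review bot: The added `allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;` in gps/lsi/sepolicy/hal_gnss_default.te is not backed by any denial quoted in the commit message, where every GNSS-side AVC has scontext `hal_gnss_pixel`. `create_file_perms` adds create, rename, setattr and unlink on top of read/write, so if this domain only opens the PPS pipe that `hal_gnss_pixel` creates, `allow hal_gnss_default vendor_gps_file:fifo_file rw_file_perms;` would be the narrower grant. The denials for this domain may simply not have been pasted, so this should be confirmed against an enforcing-mode log. The comment `# Allow connect to gnss service` also does not describe the rule; something like `# PPS: FIFO under /data/vendor/gps shared with hal_gnss_pixel` would tell the next reader why a second domain touches these files.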
@@ -12,3 +12,15 @@ allow hal_gnss_pixel sysfs_modem_state:file r_file_perms; #Toggle coredump node allow hal_gnss_pixel sysfs_gps:file rw_file_perms; + +# Allow access to CHRE multiclient HAL. +get_prop(hal_gnss_pixel, vendor_chre_hal_prop) + +# Allow binder to CHRE. +binder_call(hal_gnss_pixel, hal_contexthub_default) +allow hal_gnss_pixel hal_contexthub_service:service_manager find; + +# Allow connect to gnss service +allow hal_gnss_pixel vendor_gps_file:dir create_dir_perms; +allow hal_gnss_pixel vendor_gps_file:fifo_file create_file_perms; + From a19ae3354b03f5a86585af4168e9975a8f3ecc3b Mon Sep 17 00:00:00 2001 From: Philip Quinn Date: Tue, 30 Apr 2024 22:11:25 -0700 Subject: [PATCH 2/2] Include vendor/google/interfaces as a transitive dependency of twoshay. Bug: 278909669 Test: presubmit Change-Id: Ie9f2f76777407183e9e9e3792265cf00c3ecc204 --- touch/twoshay/twoshay.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/touch/twoshay/twoshay.mk b/touch/twoshay/twoshay.mk index 20bf1ba..bae0975 100644 --- a/touch/twoshay/twoshay.mk +++ b/touch/twoshay/twoshay.mk @@ -1,3 +1,3 @@ BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/twoshay/sepolicy PRODUCT_PACKAGES += twoshay -PRODUCT_SOONG_NAMESPACES += vendor/google/input/twoshay +PRODUCT_SOONG_NAMESPACES += vendor/google/interfaces vendor/google/input/twoshay
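Review bot: `allow hal_gnss_pixel vendor_gps_file:dir create_dir_perms;` in gps/pixel/sepolicy/hal_gnss_pixel.te grants more than the logged denials need. On the directory they show only search, write, add_name and remove_name, all of which `rw_dir_perms` covers, while `create_dir_perms` also lets the HAL create, rename, reparent and remove directories of this type. I would change it to `allow hal_gnss_pixel vendor_gps_file:dir rw_dir_perms;`. The pipe carries the same `vendor_gps_file` type as its parent `gps` directory, so the fifo_file rule applies to any FIFO with that label; a dedicated type for the PPS pipe would keep the grant scoped to it. The commit message also logs `hal_contexthub_default` calling into `hal_gnss_pixel`, which `binder_call(hal_gnss_pixel, hal_contexthub_default)` does not appear to cover; presumably that direction is allowed in the contexthub policy, but it is not visible in this patch.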