From 1473a277b84d1d9a6529163a5065fb534b9c8673 Mon Sep 17 00:00:00 2001
From: Jason Chiu
Date: Mon, 27 Nov 2023 16:58:15 +0800
Subject: [PATCH] gs-common: move sepolicy related to bootctrl hal aidl to gs-common
Bug: 265063384
Change-Id: Id9e1f4f7bc9fc5754f7ebadb97f7443f1117e961
Signed-off-by: Jason Chiu
---
 bootctrl/bootctrl_aidl.mk | 1 +
 bootctrl/sepolicy/aidl/device.te | 5 +++++
 bootctrl/sepolicy/aidl/file.te | 2 ++
 bootctrl/sepolicy/aidl/file_contexts | 1 +
 bootctrl/sepolicy/aidl/hal_bootctl_default.te | 8 ++++++++
 5 files changed, 17 insertions(+)
 create mode 100644 bootctrl/sepolicy/aidl/device.te
 create mode 100644 bootctrl/sepolicy/aidl/file.te
 create mode 100644 bootctrl/sepolicy/aidl/file_contexts
 create mode 100644 bootctrl/sepolicy/aidl/hal_bootctl_default.te
diff --git a/bootctrl/bootctrl_aidl.mk b/bootctrl/bootctrl_aidl.mk
index ca136ba..e9d7051 100644
--- a/bootctrl/bootctrl_aidl.mk
+++ b/bootctrl/bootctrl_aidl.mk
@@ -3,3 +3,4 @@ PRODUCT_PACKAGES += \
 android.hardware.boot-service.default_recovery-pixel
 PRODUCT_SOONG_NAMESPACES += device/google/gs-common/bootctrl/aidl
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bootctrl/sepolicy/aidl
diff --git a/bootctrl/sepolicy/aidl/device.te b/bootctrl/sepolicy/aidl/device.te
new file mode 100644
index 0000000..4fd0240
--- /dev/null
+++ b/bootctrl/sepolicy/aidl/device.te
@@ -0,0 +1,5 @@
+# devinfo block device
+type devinfo_block_device, dev_type;
+
+# OTA
+type sda_block_device, dev_type;
diff --git a/bootctrl/sepolicy/aidl/file.te b/bootctrl/sepolicy/aidl/file.te
new file mode 100644
index 0000000..5357fa9
--- /dev/null
+++ b/bootctrl/sepolicy/aidl/file.te
@@ -0,0 +1,2 @@
+# sysfs
+type sysfs_ota, sysfs_type, fs_type;
diff --git a/bootctrl/sepolicy/aidl/file_contexts b/bootctrl/sepolicy/aidl/file_contexts
new file mode 100644
index 0000000..339896f
--- /dev/null
+++ b/bootctrl/sepolicy/aidl/file_contexts
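Review bot: The types devinfo_block_device and sda_block_device declared in device.te (and sysfs_ota in file.te) are never bound to a device node or sysfs path by this patch — the only labeling added is the file_contexts line for the HAL binary — so the rw rules in hal_bootctl_default.te stay inert until a device-specific file_contexts or genfs_contexts entry applies these labels, and nothing in the commit says where that is expected to come from. A one-line comment per type stating what it is meant to cover and that the labeling lives in device policy would keep the rules from being read as dead policy or, later, from being satisfied by labeling a broader node than intended; e.g. replace `# OTA` with `# OTA: block device the boot-control HAL updates; labeled in the device-specific file_contexts (confirm which node)`. The same applies to the `# sysfs` comment in file.te, which only restates the sysfs_type attribute.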
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.boot-service\.default-pixel u:object_r:hal_bootctl_default_exec:s0
diff --git a/bootctrl/sepolicy/aidl/hal_bootctl_default.te b/bootctrl/sepolicy/aidl/hal_bootctl_default.te
new file mode 100644
index 0000000..2ffeb27
--- /dev/null
+++ b/bootctrl/sepolicy/aidl/hal_bootctl_default.te
@@ -0,0 +1,8 @@
+allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sysfs_ota:file rw_file_perms;
+allow hal_bootctl_default tee_device:chr_file rw_file_perms;
+
+recovery_only(`
+ allow hal_bootctl_default rootfs:dir r_dir_perms;
+')
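Review bot: Every allow rule in hal_bootctl_default.te grants rw_file_perms with no comment on why the boot-control HAL needs that object, and the tee_device rule in particular should say so, since read/write on the TEE character device is not implied by the HAL's role and a later reviewer cannot tell whether it is required or a leftover; e.g. `# TEE access needed for <reason> — confirm against the HAL implementation`. rw_file_perms on sda_block_device:blk_file is exactly as wide as the label: if the device-specific contexts later put it on a whole-disk node rather than only the partition the HAL writes, the HAL gains write access to every partition on that disk, so the rule deserves a comment naming the node the label is meant to cover. The recovery_only block reads fine as is.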