From 19268ffb20cbd530390bc90f6d399752bf9c5743 Mon Sep 17 00:00:00 2001
From: Hung-Yeh Lee
Date: Thu, 26 Dec 2024 14:00:58 +0800
Subject: [PATCH] display-dump: sepolicy for new primary display dump
Bug: 376426334
Test: adb bugreport
Test: adb shell /vendor/bin/dump/dump_*_display
Test: adb shell /vendor/bin/dump/dump_*_second_display
Flag: EXEMPT bugfix
Change-Id: I3b1d1f46ddea4882f028d9314cfd174371039925
---
display/sepolicy/pixel/dump_display.te | 15 +++++++++++++++
display/sepolicy/pixel/dump_display_userdebug.te | 11 +++++++++++
display/sepolicy/pixel/file.te | 3 +++
display/sepolicy/pixel/file_contexts | 5 +++++
display/sepolicy/pixel/genfs_contexts | 3 +++
.../pixel/hal_graphics_composer_default.te | 3 +++
display/sepolicy/pixel/vndservice.te | 2 ++
display/sepolicy/pixel/vndservice_contexts | 2 ++
8 files changed, 44 insertions(+)
create mode 100644 display/sepolicy/pixel/dump_display.te
create mode 100644 display/sepolicy/pixel/dump_display_userdebug.te
create mode 100644 display/sepolicy/pixel/file.te
create mode 100644 display/sepolicy/pixel/file_contexts
create mode 100644 display/sepolicy/pixel/genfs_contexts
create mode 100644 display/sepolicy/pixel/hal_graphics_composer_default.te
create mode 100644 display/sepolicy/pixel/vndservice.te
create mode 100644 display/sepolicy/pixel/vndservice_contexts
diff --git a/display/sepolicy/pixel/dump_display.te b/display/sepolicy/pixel/dump_display.te
new file mode 100644
index 0000000..5f7c5c0
--- /dev/null
+++ b/display/sepolicy/pixel/dump_display.te
@@ -0,0 +1,15 @@
+# Display (dump for bugreport)
+pixel_bugreport(dump_pixel_display)
+
+allow dump_pixel_display sysfs_display:file r_file_perms;
+allow dump_pixel_display vendor_displaycolor_service:service_manager find;
+binder_call(dump_pixel_display, hal_graphics_composer_default)
+allow dump_pixel_display vendor_dumpsys:file execute_no_trans;
+allow dump_pixel_display vendor_shell_exec:file execute_no_trans;
+
+userdebug_or_eng(`
+ allow dump_pixel_display vendor_dri_debugfs:dir r_dir_perms;
+ allow dump_pixel_display vendor_dri_debugfs:file r_file_perms;
+')
+vndbinder_use(dump_pixel_display)
+
diff --git a/display/sepolicy/pixel/dump_display_userdebug.te b/display/sepolicy/pixel/dump_display_userdebug.te
new file mode 100644
index 0000000..33b9da6
--- /dev/null
+++ b/display/sepolicy/pixel/dump_display_userdebug.te
@@ -0,0 +1,11 @@
+# Display eng/userdebug (dump for bugreport)
+pixel_bugreport(dump_pixel_display_userdebug)
+
+userdebug_or_eng(`
+ allow dump_pixel_display_userdebug vendor_toolbox_exec:file execute_no_trans;
+ allow dump_pixel_display_userdebug vendor_log_file:dir search;
+ allow dump_pixel_display_userdebug vendor_hwc_log_file:dir r_dir_perms;
+ allow dump_pixel_display_userdebug vendor_hwc_log_file:file r_file_perms;
+ allow dump_pixel_display_userdebug debugfs_tracing_instances:dir search;
+ allow dump_pixel_display_userdebug debugfs_tracing_instances:file r_file_perms;
+')
diff --git a/display/sepolicy/pixel/file.te b/display/sepolicy/pixel/file.te
new file mode 100644
index 0000000..e3f2382
--- /dev/null
+++ b/display/sepolicy/pixel/file.te
@@ -0,0 +1,3 @@
+type vendor_hwc_log_file, file_type, data_file_type;
+type vendor_dri_debugfs, fs_type, debugfs_type;
+
diff --git a/display/sepolicy/pixel/file_contexts b/display/sepolicy/pixel/file_contexts
new file mode 100644
index 0000000..17fb960
--- /dev/null
+++ b/display/sepolicy/pixel/file_contexts
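Review bot: In dump_display.te, `allow dump_pixel_display vendor_shell_exec:file execute_no_trans;` and the `vendor_dumpsys` rule above it sit outside the `userdebug_or_eng` block, so on user builds the dump binary may run a vendor shell without a domain transition. Whatever that shell starts keeps the grants made here, namely the binder call to `hal_graphics_composer_default` and the `sysfs_display` reads. If the shell is only needed for the debugfs collection, move the rule inside the guarded block. Otherwise add a comment such as `# runs vendor dumpsys through /vendor/bin/sh to collect <what is collected>` so the grant can be audited later.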
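Review bot: In dump_display_userdebug.te, the two `debugfs_tracing_instances` rules give `r_file_perms` on every file carrying that label, and nothing in the hunk ties the access to a display-specific trace instance. The rules are inside `userdebug_or_eng`, so the exposure is limited to debug builds. A comment naming the instance the script reads, for example `# reads tracing instance <name> for display traces`, would let a later reviewer narrow the rule or confirm it is still needed.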
@@ -0,0 +1,5 @@
+/vendor/bin/dump/dump_display_userdebug\.sh u:object_r:dump_pixel_display_userdebug_exec:s0
+/vendor/bin/dump/dump_pixel_display u:object_r:dump_pixel_display_exec:s0
+
+/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0
+
diff --git a/display/sepolicy/pixel/genfs_contexts b/display/sepolicy/pixel/genfs_contexts
new file mode 100644
index 0000000..7c46278
--- /dev/null
+++ b/display/sepolicy/pixel/genfs_contexts
@@ -0,0 +1,3 @@
+
+genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
+genfscon sysfs /module/drm/parameters/debug u:object_r:sysfs_display:s0
diff --git a/display/sepolicy/pixel/hal_graphics_composer_default.te b/display/sepolicy/pixel/hal_graphics_composer_default.te
new file mode 100644
index 0000000..9e028a0
--- /dev/null
+++ b/display/sepolicy/pixel/hal_graphics_composer_default.te
@@ -0,0 +1,3 @@
+allow hal_graphics_composer_default dump_pixel_display:fifo_file { append write };
+allow hal_graphics_composer_default dump_pixel_display:fd use;
+
diff --git a/display/sepolicy/pixel/vndservice.te b/display/sepolicy/pixel/vndservice.te
new file mode 100644
index 0000000..5c3693b
--- /dev/null
+++ b/display/sepolicy/pixel/vndservice.te
@@ -0,0 +1,2 @@
+type vendor_displaycolor_service, vndservice_manager_type;
+
diff --git a/display/sepolicy/pixel/vndservice_contexts b/display/sepolicy/pixel/vndservice_contexts
new file mode 100644
index 0000000..9276f97
--- /dev/null
+++ b/display/sepolicy/pixel/vndservice_contexts
@@ -0,0 +1,2 @@
+displaycolor u:object_r:vendor_displaycolor_service:s0
+
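Review bot: file_contexts labels only `dump_pixel_display` and `dump_display_userdebug\.sh`, while the commit message also tests `/vendor/bin/dump/dump_*_second_display`. file_contexts entries match the whole path, so a second-display binary would not receive `dump_pixel_display_exec` from these lines. Unless it is labelled in another policy directory, it would keep the default vendor label and not enter the dump domain. If it is meant to share this domain, add an entry for its installed path, or note in the commit where it is labelled.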
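Review bot: In genfs_contexts, `genfscon sysfs /module/drm/parameters/debug u:object_r:sysfs_display:s0` puts the DRM debug parameter under a type that is not declared in this commit. Every domain that already holds access to `sysfs_display` elsewhere in the policy therefore gets the same access to this node, including write where it is granted. This commit itself only needs `r_file_perms` for `dump_pixel_display`, so check which domains can write `sysfs_display`, or give the parameter its own type. The `debugfs /dri/0/crtc-` entry relies on genfscon prefix matching and fixes the DRM minor at 0; a comment such as `# prefix match: labels every crtc-N directory under dri/0` would make that intent explicit.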
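Review bot: The two rules in hal_graphics_composer_default.te carry no comment explaining why the composer HAL needs `append write` on a `fifo_file` owned by `dump_pixel_display`. Judging from the `binder_call` in dump_display.te, the dump process hands its output pipe to the HAL, which then writes into it. A line such as `# composer writes its dump into the pipe passed by dump_pixel_display over binder` would record this, so the cross-domain write is not mistaken for an unintended grant.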