From 28754e355a847ce62b4e465c7afaa0f61e90b865 Mon Sep 17 00:00:00 2001 From: Super Liu Date: Tue, 26 Mar 2024 00:50:43 +0000 Subject: [PATCH 1/3] touch: init service to access gti interactive_calibrate sysfs Write usage: setprop vendor.touch.gti0.ical VALUE Any VALUE(e.g. 20X or 30X) set through this property will write into gti interactive_calibrate sysfs except for the VALUE `read`. Read usage: setprop vendor.touch.gti0.ical read getprop vendor.touch.gti0.ical.result setprop with VALUE `read` will read the gti interactive_calibrate sysfs and save the result to vendor.touch.gti0.ical.result. Besides, please add your DOMAIN to access vendor_gti_prop. set_prop(DOMAIN, vendor_gti_prop) Bug: 331139251 Test: Manually verify the result. Change-Id: I6296b9533dd0209e66832bfbbed6030a30077b96 Signed-off-by: Super Liu --- touch/gti/Android.bp | 16 +++ touch/gti/gti.mk | 1 + touch/gti/init.touch.gti0.rc | 12 +++ touch/gti/init.touch.gti1.rc | 12 +++ touch/gti/sepolicy/file_contexts | 2 +- touch/gti/sepolicy/gti_ical.te | 8 ++ touch/gti/sepolicy/property.te | 1 + touch/gti/sepolicy/property_contexts | 1 + touch/gti/sepolicy/vendor_init.te | 1 + touch/gti/sepolicy_gti_dual/property_contexts | 1 + touch/gti/touch_gti_ical.cpp | 101 ++++++++++++++++++ 11 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 touch/gti/sepolicy/gti_ical.te create mode 100644 touch/gti/sepolicy/property.te create mode 100644 touch/gti/sepolicy/property_contexts create mode 100644 touch/gti/sepolicy/vendor_init.te create mode 100644 touch/gti/sepolicy_gti_dual/property_contexts create mode 100644 touch/gti/touch_gti_ical.cpp diff --git a/touch/gti/Android.bp b/touch/gti/Android.bp index c066d0d..7f2eb66 100644 --- a/touch/gti/Android.bp +++ b/touch/gti/Android.bp 
@@ -17,3 +17,19 @@ sh_binary { vendor: true, sub_dir: "dump", } + +cc_binary { + name: "touch_gti_ical", + srcs: ["touch_gti_ical.cpp"], + cflags: [ + "-Wall", + "-Wextra", + "-Werror", + ], + shared_libs: [ + "libbase", + "libcutils", + "liblog", + ], + vendor: true, +} diff --git a/touch/gti/gti.mk b/touch/gti/gti.mk index 171534f..a2c7cf7 100644 --- a/touch/gti/gti.mk +++ b/touch/gti/gti.mk @@ -1,3 +1,4 @@ BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/gti/sepolicy PRODUCT_PACKAGES += dump_gti0.sh +PRODUCT_PACKAGES += touch_gti_ical diff --git a/touch/gti/init.touch.gti0.rc b/touch/gti/init.touch.gti0.rc index 31856ea..5f8318e 100644 --- a/touch/gti/init.touch.gti0.rc +++ b/touch/gti/init.touch.gti0.rc @@ -24,3 +24,15 @@ on property:sys.boot_completed=1 chown system system /proc/goog_touch_interface/gti.0/ss_base chown system system /proc/goog_touch_interface/gti.0/ss_diff chown system system /proc/goog_touch_interface/gti.0/ss_raw + +on property:vendor.touch.gti0.ical=* + setprop vendor.touch.gti0.ical.state init + start touch_gti0_ical + wait_for_prop vendor.touch.gti0.ical.state done + +service touch_gti0_ical /vendor/bin/touch_gti_ical 0 ${vendor.touch.gti0.ical} + class main + user system + group system shell + disabled + oneshot diff --git a/touch/gti/init.touch.gti1.rc b/touch/gti/init.touch.gti1.rc index a4de328..ba99210 100644 --- a/touch/gti/init.touch.gti1.rc +++ b/touch/gti/init.touch.gti1.rc @@ -24,3 +24,15 @@ on property:sys.boot_completed=1 chown system system /proc/goog_touch_interface/gti.1/ss_base chown system system /proc/goog_touch_interface/gti.1/ss_diff chown system system /proc/goog_touch_interface/gti.1/ss_raw + +on property:vendor.touch.gti1.ical=* + setprop vendor.touch.gti1.ical.state init + start touch_gti1_ical + wait_for_prop vendor.touch.gti1.ical.state done + +service touch_gti1_ical /vendor/bin/touch_gti_ical 1 ${vendor.touch.gti1.ical} + class main + user system + group system shell + disabled + oneshot 
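Review bot: In the `service touch_gti0_ical` stanza of init.touch.gti0.rc, `group system shell` gives the helper the shell supplementary group although, as far as this series shows, it only opens one sysfs node and sets properties; unless that node is group-owned by shell I would reduce it to `group system`. The trigger `on property:vendor.touch.gti0.ical=*` passes the raw property value as an argument to a `user system` process, so every domain granted `set_prop` on `vendor_gti_prop` can start it with an arbitrary string. `wait_for_prop vendor.touch.gti0.ical.state done` relies on the binary always reaching its final `property_set`; if the service fails to start or dies first, init presumably keeps waiting, so a comment stating that assumption would help. The same points apply to the `touch_gti1_ical` hunk in init.touch.gti1.rc and to the copies in PATCH 2/3.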
diff --git a/touch/gti/sepolicy/file_contexts b/touch/gti/sepolicy/file_contexts
index 5c429b7..37e3733 100644
--- a/touch/gti/sepolicy/file_contexts
+++ b/touch/gti/sepolicy/file_contexts
@@ -1,2 +1,2 @@
 /vendor/bin/dump/dump_gti0\.sh u:object_r:dump_gti_exec:s0
-
+/vendor/bin/touch_gti_ical u:object_r:gti_ical_exec:s0
diff --git a/touch/gti/sepolicy/gti_ical.te b/touch/gti/sepolicy/gti_ical.te
new file mode 100644
index 0000000..228782c
--- /dev/null
+++ b/touch/gti/sepolicy/gti_ical.te
@@ -0,0 +1,8 @@
+type gti_ical, domain;
+type gti_ical_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gti_ical)
+
+allow gti_ical sysfs_touch_gti:file rw_file_perms;
+allow gti_ical sysfs_touch_gti:dir search;
+
+set_prop(gti_ical, vendor_gti_prop)
diff --git a/touch/gti/sepolicy/property.te b/touch/gti/sepolicy/property.te
new file mode 100644
index 0000000..2a71d74
--- /dev/null
+++ b/touch/gti/sepolicy/property.te
@@ -0,0 +1 @@
+system_public_prop(vendor_gti_prop)
diff --git a/touch/gti/sepolicy/property_contexts b/touch/gti/sepolicy/property_contexts
new file mode 100644
index 0000000..e3badcd
--- /dev/null
+++ b/touch/gti/sepolicy/property_contexts
@@ -0,0 +1 @@
+vendor.touch.gti0. u:object_r:vendor_gti_prop:s0
diff --git a/touch/gti/sepolicy/vendor_init.te b/touch/gti/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ed0ebda
--- /dev/null
+++ b/touch/gti/sepolicy/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_gti_prop)
diff --git a/touch/gti/sepolicy_gti_dual/property_contexts b/touch/gti/sepolicy_gti_dual/property_contexts
new file mode 100644
index 0000000..c3530ff
--- /dev/null
+++ b/touch/gti/sepolicy_gti_dual/property_contexts
@@ -0,0 +1 @@
+vendor.touch.gti1. u:object_r:vendor_gti_prop:s0
diff --git a/touch/gti/touch_gti_ical.cpp b/touch/gti/touch_gti_ical.cpp
new file mode 100644
index 0000000..0aabd9e
--- /dev/null
+++ b/touch/gti/touch_gti_ical.cpp
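Review bot: `allow gti_ical sysfs_touch_gti:file rw_file_perms;` in gti_ical.te gives the new domain read and write on every file labelled `sysfs_touch_gti`, while touch_gti_ical.cpp in this series only opens the `interactive_calibrate` node. If other GTI attributes carry that label (the labelling is not part of this patch), a dedicated type for `interactive_calibrate` would keep the domain to what it uses. At minimum a comment such as `# touch_gti_ical reads/writes gti.N/interactive_calibrate only` above the rule would record the intent. The hunk is repeated unchanged in PATCH 2/3.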
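Review bot: The prefix entry `vendor.touch.gti0. u:object_r:vendor_gti_prop:s0` in property_contexts puts the command property (`.ical`) and the service's outputs (`.ical.state`, `.ical.result`) under one type, so any domain given `set_prop(DOMAIN, vendor_gti_prop)`, as the commit message invites, can both trigger a sysfs write and overwrite the state or result that other clients read. A second type for the outputs that only `gti_ical` and `vendor_init` may set would separate the two roles. property.te also declares this `vendor.`-prefixed property with `system_public_prop(vendor_gti_prop)`; I would expect `vendor_public_prop` or `vendor_internal_prop` unless platform code has to own it, and a comment should say which is intended. The same applies to sepolicy_gti_dual/property_contexts and to the copies in PATCH 2/3.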
@@ -0,0 +1,101 @@ +/* + ** Copyright 2024, The Android Open Source Project + ** + ** Licensed under the Apache License, Version 2.0 (the "License"); + ** you may not use this file except in compliance with the License. + ** You may obtain a copy of the License at + ** + ** http://www.apache.org/licenses/LICENSE-2.0 + ** + ** Unless required by applicable law or agreed to in writing, software + ** distributed under the License is distributed on an "AS IS" BASIS, + ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ** See the License for the specific language governing permissions and + ** limitations under the License. + */ +#define LOG_TAG "touch_gti_ical" + +#include +#include +#include +#include +#ifdef __ANDROID__ +#include +#include +#else +#define property_set +#define property_get +#define ALOGI printf +#define ALOGW printf +#endif + +int main(int argc, char *argv[]) +{ + char *line = NULL; + size_t len = 0; + FILE *ical_fd; + const char *ical_state_prop[2] = { + [0] = "vendor.touch.gti0.ical.state", + [1] = "vendor.touch.gti1.ical.state", + }; + const char *ical_result_prop[2] = { + [0] = "vendor.touch.gti0.ical.result", + [1] = "vendor.touch.gti1.ical.result", + }; + const char *ical_sysfs[2] = { + [0] = "/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate", + [1] = "/sys/devices/virtual/goog_touch_interface/gti.1/interactive_calibrate", + }; + const char *ical_state_prop_path = ical_state_prop[0]; + const char *ical_result_prop_path = ical_result_prop[0]; + const char *ical_sysfs_path = ical_sysfs[0]; + + if (argc < 3) { + ALOGW("No target dev or command for interactive_calibrate sysfs.\n"); + property_set(ical_state_prop[0], "done"); + property_set(ical_state_prop[1], "done"); + return 0; + } + + if (strncmp(argv[1], "1", strlen(argv[1])) == 0 || + strncmp(argv[1], "gti1", strlen(argv[1])) == 0 || + strncmp(argv[1], "gti.1", strlen(argv[1])) == 0) { + ical_state_prop_path = ical_state_prop[1]; + 
ical_result_prop_path = ical_result_prop[1]; + ical_sysfs_path = ical_sysfs[1]; + } + + property_set(ical_result_prop_path, "na"); + property_set(ical_state_prop_path, "running"); + if (access(ical_sysfs_path, F_OK | R_OK | W_OK)) { + ALOGW("Can't access %s\n", ical_sysfs_path); + property_set(ical_state_prop_path, "done"); + return 0; + } + + ical_fd = fopen(ical_sysfs_path, "r+"); + if (ical_fd == NULL) { + ALOGW("Can't fopen %s\n", ical_sysfs_path); + property_set(ical_state_prop_path, "done"); + return 0; + } + + if (strncmp(argv[2], "read", strlen(argv[2])) == 0) { + getline(&line, &len, ical_fd); + if (line != NULL) { + property_set(ical_state_prop_path, "read"); + property_set(ical_result_prop_path, line); + ALOGI("read: %s => %s", ical_sysfs_path, line); + free(line); + } + } else { + property_set(ical_state_prop_path, argv[2]); + fwrite(argv[2], 1, strlen(argv[2]), ical_fd); + ALOGI("write: %s => %s\n", argv[2], ical_sysfs_path); + } + property_set(ical_state_prop_path, "done"); + + fclose(ical_fd); + return 0; +} + From 58b64ca3fbde21cb470a178b2cf43df472dc61cb Mon Sep 17 00:00:00 2001 From: Super Liu Date: Tue, 26 Mar 2024 00:50:43 +0000 Subject: [PATCH 2/3] touch: init service to access gti interactive_calibrate sysfs Write usage: setprop vendor.touch.gti0.ical VALUE Any VALUE(e.g. 20X or 30X) set through this property will write into gti interactive_calibrate sysfs except for the VALUE `read`. Read usage: setprop vendor.touch.gti0.ical read getprop vendor.touch.gti0.ical.result setprop with VALUE `read` will read the gti interactive_calibrate sysfs and save the result to vendor.touch.gti0.ical.result. Besides, please add your DOMAIN to access vendor_gti_prop. set_prop(DOMAIN, vendor_gti_prop) Bug: 331139251 Test: Manually verify the result. Change-Id: I6296b9533dd0209e66832bfbbed6030a30077b96 Merged-In: I6296b9533dd0209e66832bfbbed6030a30077b96 
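Review bot: The `strncmp(argv[1], "1", strlen(argv[1]))` and `strncmp(argv[2], "read", strlen(argv[2]))` tests in main() bound the comparison by the argument's own length, so an empty argument or any prefix such as `r` or `g` matches; `strcmp` gives the exact match the usage text describes. In the read branch the return value of `getline` is ignored, and in both branches `property_set(ical_state_prop_path, "done")` runs before `fclose(ical_fd)`, so a waiter can observe `done` before the buffered `fwrite` has reached sysfs or its failure is known. `argv[2]` is forwarded to the node unvalidated, which leaves the kernel attribute as the only check on values coming from any domain allowed to set the property. A possible rewrite of the selection and the tail follows; PATCH 2/3 carries the same file.

```cpp
    // … unchanged: property/sysfs tables, argc check …
    if (strcmp(argv[1], "1") == 0 || strcmp(argv[1], "gti1") == 0 ||
        strcmp(argv[1], "gti.1") == 0) {
        // … unchanged: select the gti.1 property names and sysfs path …
    }
    // … unchanged: "na"/"running" properties, access() and fopen() checks …
    if (strcmp(argv[2], "read") == 0) {
        if (getline(&line, &len, ical_fd) > 0) {
            property_set(ical_state_prop_path, "read");
            property_set(ical_result_prop_path, line);
            ALOGI("read: %s => %s", ical_sysfs_path, line);
        } else {
            ALOGW("Can't read %s\n", ical_sysfs_path);
        }
        free(line);
        fclose(ical_fd);
    } else {
        size_t cmd_len = strlen(argv[2]);
        property_set(ical_state_prop_path, argv[2]);
        size_t written = fwrite(argv[2], 1, cmd_len, ical_fd);
        // fclose() flushes the stdio buffer; the write is only known good once it returns 0.
        int close_rc = fclose(ical_fd);
        if (written != cmd_len || close_rc != 0)
            ALOGW("Can't write %s to %s\n", argv[2], ical_sysfs_path);
        else
            ALOGI("write: %s => %s\n", argv[2], ical_sysfs_path);
    }
    // Report completion only after the sysfs access has finished.
    property_set(ical_state_prop_path, "done");
    return 0;
```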
Signed-off-by: Super Liu (cherry picked from commit 28754e355a847ce62b4e465c7afaa0f61e90b865) --- touch/gti/Android.bp | 16 +++ touch/gti/gti.mk | 1 + touch/gti/init.touch.gti0.rc | 12 +++ touch/gti/init.touch.gti1.rc | 12 +++ touch/gti/sepolicy/file_contexts | 2 +- touch/gti/sepolicy/gti_ical.te | 8 ++ touch/gti/sepolicy/property.te | 1 + touch/gti/sepolicy/property_contexts | 1 + touch/gti/sepolicy/vendor_init.te | 1 + touch/gti/sepolicy_gti_dual/property_contexts | 1 + touch/gti/touch_gti_ical.cpp | 101 ++++++++++++++++++ 11 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 touch/gti/sepolicy/gti_ical.te create mode 100644 touch/gti/sepolicy/property.te create mode 100644 touch/gti/sepolicy/property_contexts create mode 100644 touch/gti/sepolicy/vendor_init.te create mode 100644 touch/gti/sepolicy_gti_dual/property_contexts create mode 100644 touch/gti/touch_gti_ical.cpp diff --git a/touch/gti/Android.bp b/touch/gti/Android.bp index c066d0d..7f2eb66 100644 --- a/touch/gti/Android.bp +++ b/touch/gti/Android.bp @@ -17,3 +17,19 @@ sh_binary { vendor: true, sub_dir: "dump", } + +cc_binary { + name: "touch_gti_ical", + srcs: ["touch_gti_ical.cpp"], + cflags: [ + "-Wall", + "-Wextra", + "-Werror", + ], + shared_libs: [ + "libbase", + "libcutils", + "liblog", + ], + vendor: true, +} diff --git a/touch/gti/gti.mk b/touch/gti/gti.mk index 171534f..a2c7cf7 100644 --- a/touch/gti/gti.mk +++ b/touch/gti/gti.mk @@ -1,3 +1,4 @@ BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/gti/sepolicy PRODUCT_PACKAGES += dump_gti0.sh +PRODUCT_PACKAGES += touch_gti_ical diff --git a/touch/gti/init.touch.gti0.rc b/touch/gti/init.touch.gti0.rc index 31856ea..5f8318e 100644 --- a/touch/gti/init.touch.gti0.rc +++ b/touch/gti/init.touch.gti0.rc 
@@ -24,3 +24,15 @@ on property:sys.boot_completed=1 chown system system /proc/goog_touch_interface/gti.0/ss_base chown system system /proc/goog_touch_interface/gti.0/ss_diff chown system system /proc/goog_touch_interface/gti.0/ss_raw + +on property:vendor.touch.gti0.ical=* + setprop vendor.touch.gti0.ical.state init + start touch_gti0_ical + wait_for_prop vendor.touch.gti0.ical.state done + +service touch_gti0_ical /vendor/bin/touch_gti_ical 0 ${vendor.touch.gti0.ical} + class main + user system + group system shell + disabled + oneshot diff --git a/touch/gti/init.touch.gti1.rc b/touch/gti/init.touch.gti1.rc index a4de328..ba99210 100644 --- a/touch/gti/init.touch.gti1.rc +++ b/touch/gti/init.touch.gti1.rc @@ -24,3 +24,15 @@ on property:sys.boot_completed=1 chown system system /proc/goog_touch_interface/gti.1/ss_base chown system system /proc/goog_touch_interface/gti.1/ss_diff chown system system /proc/goog_touch_interface/gti.1/ss_raw + +on property:vendor.touch.gti1.ical=* + setprop vendor.touch.gti1.ical.state init + start touch_gti1_ical + wait_for_prop vendor.touch.gti1.ical.state done + +service touch_gti1_ical /vendor/bin/touch_gti_ical 1 ${vendor.touch.gti1.ical} + class main + user system + group system shell + disabled + oneshot diff --git a/touch/gti/sepolicy/file_contexts b/touch/gti/sepolicy/file_contexts index 5c429b7..37e3733 100644 --- a/touch/gti/sepolicy/file_contexts +++ b/touch/gti/sepolicy/file_contexts @@ -1,2 +1,2 @@ /vendor/bin/dump/dump_gti0\.sh u:object_r:dump_gti_exec:s0 - +/vendor/bin/touch_gti_ical u:object_r:gti_ical_exec:s0 diff --git a/touch/gti/sepolicy/gti_ical.te b/touch/gti/sepolicy/gti_ical.te new file mode 100644 index 0000000..228782c --- /dev/null +++ b/touch/gti/sepolicy/gti_ical.te 
@@ -0,0 +1,8 @@
+type gti_ical, domain;
+type gti_ical_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gti_ical)
+
+allow gti_ical sysfs_touch_gti:file rw_file_perms;
+allow gti_ical sysfs_touch_gti:dir search;
+
+set_prop(gti_ical, vendor_gti_prop)
diff --git a/touch/gti/sepolicy/property.te b/touch/gti/sepolicy/property.te
new file mode 100644
index 0000000..2a71d74
--- /dev/null
+++ b/touch/gti/sepolicy/property.te
@@ -0,0 +1 @@
+system_public_prop(vendor_gti_prop)
diff --git a/touch/gti/sepolicy/property_contexts b/touch/gti/sepolicy/property_contexts
new file mode 100644
index 0000000..e3badcd
--- /dev/null
+++ b/touch/gti/sepolicy/property_contexts
@@ -0,0 +1 @@
+vendor.touch.gti0. u:object_r:vendor_gti_prop:s0
diff --git a/touch/gti/sepolicy/vendor_init.te b/touch/gti/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ed0ebda
--- /dev/null
+++ b/touch/gti/sepolicy/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_gti_prop)
diff --git a/touch/gti/sepolicy_gti_dual/property_contexts b/touch/gti/sepolicy_gti_dual/property_contexts
new file mode 100644
index 0000000..c3530ff
--- /dev/null
+++ b/touch/gti/sepolicy_gti_dual/property_contexts
@@ -0,0 +1 @@
+vendor.touch.gti1. u:object_r:vendor_gti_prop:s0
diff --git a/touch/gti/touch_gti_ical.cpp b/touch/gti/touch_gti_ical.cpp
new file mode 100644
index 0000000..0aabd9e
--- /dev/null
+++ b/touch/gti/touch_gti_ical.cpp
@@ -0,0 +1,101 @@ +/* + ** Copyright 2024, The Android Open Source Project + ** + ** Licensed under the Apache License, Version 2.0 (the "License"); + ** you may not use this file except in compliance with the License. + ** You may obtain a copy of the License at + ** + ** http://www.apache.org/licenses/LICENSE-2.0 + ** + ** Unless required by applicable law or agreed to in writing, software + ** distributed under the License is distributed on an "AS IS" BASIS, + ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ** See the License for the specific language governing permissions and + ** limitations under the License. + */ +#define LOG_TAG "touch_gti_ical" + +#include +#include +#include +#include +#ifdef __ANDROID__ +#include +#include +#else +#define property_set +#define property_get +#define ALOGI printf +#define ALOGW printf +#endif + +int main(int argc, char *argv[]) +{ + char *line = NULL; + size_t len = 0; + FILE *ical_fd; + const char *ical_state_prop[2] = { + [0] = "vendor.touch.gti0.ical.state", + [1] = "vendor.touch.gti1.ical.state", + }; + const char *ical_result_prop[2] = { + [0] = "vendor.touch.gti0.ical.result", + [1] = "vendor.touch.gti1.ical.result", + }; + const char *ical_sysfs[2] = { + [0] = "/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate", + [1] = "/sys/devices/virtual/goog_touch_interface/gti.1/interactive_calibrate", + }; + const char *ical_state_prop_path = ical_state_prop[0]; + const char *ical_result_prop_path = ical_result_prop[0]; + const char *ical_sysfs_path = ical_sysfs[0]; + + if (argc < 3) { + ALOGW("No target dev or command for interactive_calibrate sysfs.\n"); + property_set(ical_state_prop[0], "done"); + property_set(ical_state_prop[1], "done"); + return 0; + } + + if (strncmp(argv[1], "1", strlen(argv[1])) == 0 || + strncmp(argv[1], "gti1", strlen(argv[1])) == 0 || + strncmp(argv[1], "gti.1", strlen(argv[1])) == 0) { + ical_state_prop_path = ical_state_prop[1]; + 
ical_result_prop_path = ical_result_prop[1]; + ical_sysfs_path = ical_sysfs[1]; + } + + property_set(ical_result_prop_path, "na"); + property_set(ical_state_prop_path, "running"); + if (access(ical_sysfs_path, F_OK | R_OK | W_OK)) { + ALOGW("Can't access %s\n", ical_sysfs_path); + property_set(ical_state_prop_path, "done"); + return 0; + } + + ical_fd = fopen(ical_sysfs_path, "r+"); + if (ical_fd == NULL) { + ALOGW("Can't fopen %s\n", ical_sysfs_path); + property_set(ical_state_prop_path, "done"); + return 0; + } + + if (strncmp(argv[2], "read", strlen(argv[2])) == 0) { + getline(&line, &len, ical_fd); + if (line != NULL) { + property_set(ical_state_prop_path, "read"); + property_set(ical_result_prop_path, line); + ALOGI("read: %s => %s", ical_sysfs_path, line); + free(line); + } + } else { + property_set(ical_state_prop_path, argv[2]); + fwrite(argv[2], 1, strlen(argv[2]), ical_fd); + ALOGI("write: %s => %s\n", argv[2], ical_sysfs_path); + } + property_set(ical_state_prop_path, "done"); + + fclose(ical_fd); + return 0; +} + From 6561e3b343ec78dd5929fe7e989365a5d0f2e37c Mon Sep 17 00:00:00 2001 
From: Samridhi Date: Mon, 18 Mar 2024 06:39:40 +0000 Subject: [PATCH 3/3] Add SEPolicy domain for cavalry app AVC error logs: https://paste.googleplex.com/4870439005847552 Test: make selinux_policy, flash build and test Bug: 329276535 Change-Id: I2ccb4d9205125f02f12cc26ea9e6e6e40b8d6ba2 --- pixelsupport/pixelsupport.mk | 5 ++++ .../private/certs/pixelsupport.x509.pem | 30 +++++++++++++++++++ .../sepolicy/product/private/keys.conf | 2 ++ .../product/private/mac_permissions.xml | 27 +++++++++++++++++ .../product/private/pixelsupport_app.te | 11 +++++++ .../sepolicy/product/private/seapp_contexts | 2 ++ .../product/public/pixelsupport_app.te | 2 ++ .../sepolicy/vendor/pixelsupport_app.te | 2 ++ 8 files changed, 81 insertions(+) create mode 100644 pixelsupport/pixelsupport.mk create mode 100644 pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem create mode 100644 pixelsupport/sepolicy/product/private/keys.conf create mode 100644 pixelsupport/sepolicy/product/private/mac_permissions.xml create mode 100644 pixelsupport/sepolicy/product/private/pixelsupport_app.te create mode 100644 pixelsupport/sepolicy/product/private/seapp_contexts create mode 100644 pixelsupport/sepolicy/product/public/pixelsupport_app.te create mode 100644 pixelsupport/sepolicy/vendor/pixelsupport_app.te diff --git a/pixelsupport/pixelsupport.mk b/pixelsupport/pixelsupport.mk new file mode 100644 index 0000000..068c94f --- /dev/null +++ b/pixelsupport/pixelsupport.mk @@ -0,0 +1,5 @@ +PRODUCT_PACKAGES += PixelSupportPrebuilt + +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/vendor +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/product/public +PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/product/private diff --git a/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem b/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem new file mode 100644 index 0000000..40c874d 
--- /dev/null +++ b/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIGBzCCA++gAwIBAgIVAJriiL3+mR75mIC8e0Xqoz59LduNMA0GCSqGSIb3DQEBCwUAMIGSMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU +MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxLjAsBgNVBAMMJWNvbV9nb29n +bGVfYW5kcm9pZF9hcHBzX3BpeGVsX3N1cHBvcnQwIBcNMjIxMjEyMTM1MDA3WhgPMjA1MjEyMTIx +MzUwMDdaMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91 +bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxLjAsBgNV +BAMMJWNvbV9nb29nbGVfYW5kcm9pZF9hcHBzX3BpeGVsX3N1cHBvcnQwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCSWvRumhZOIAZmWKcuVjc1l3OIIWc/nSRVnsfdzeRqK0jwVFcTqMDs +kmZtEj/UTW+N91ExRzWvAQ027AcE7TGF3X2iKKAfpSB0fpVQato5RIzOrRbwgAzsIvBdVtExqSNk +5vh8xJ0azHt6Jn77gW03Mq7AL55Si5q3vU1meeGBPD/YWeqd/oNhPfe0kAHdNnnTOnN6SBxSeO8r +YukV4XYJ3BxgWD1sm2NI8kZ+OGAooBFflZYXoY6NVfLXm6jsqWnooAok7CrNxZc/wstiwd8yYX6f +6R1Trox3a9xOy7E+6Rig0XhbWm4pbp3Zu0OLArUalbQ1cjd1qFy6q9maieBn14ad+UtLNOUjCx91 +hLWg/mdpYCvArQb3bBDJdjYfdoo7Q8F9QW3JrFrbIeBezM4TTdK9v/sM4+1OxEo6vwMKQM9Ata/H +Mn89a4nFHgRqGIMKK8zh0Eob+OwiBakviVhAI1o7IONujcJ2hfuyHNPZb8sT0Rewxtw2fD/Jwj+l +ADmlXWw553geFcwP1SqOC6j/XOeazSvV4ccCME2VZqIE4pmL+RUr+cgAyQHXPZnet74C7K9sNRV6 +JluS6inqP4lKp7gSFuVrQNYHawNPVinbeTLYEu+df3m3yrHAUpaSvsSUC6qQVWCs0sI8PC6A1+bV +DXMsIYRvrSnmtN75vOECaQIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTODyZ1S/is +Y/2ZuMl8B1M6kFiJwDAfBgNVHSMEGDAWgBTODyZ1S/isY/2ZuMl8B1M6kFiJwDANBgkqhkiG9w0B +AQsFAAOCAgEAL26IGjeu8Q5tn/b4vfYa+7bRUwozAJA9Buyduw/4wVG6rIAkpEsghkgnoOvyjD72 +ncbCkDoBV3a1PLw2W/bMQWfZvYScOzc2yFwcR9LdQIiEYmtgnwuJHnqc2MDsh+MDeclblyBYfIQQ +bpZ0JArKalSmDyul0QIcfHq+RKmGAzC3bx0xigclIZJxXEG4tyQylttnqNodAEqYdhMMRajI3w9t +61QwqNv1KTGJt1sC2Q7NyzbZJo02Kwu711Dw6KnVgHaGKC2sRIixsvjm2s6f9/CcVasuLopkJnyl +epPeD2jHwHdE4/c2K5ZVQeZ+R0pIOEBKwg1AVkn+/UTbhpjYCkEGP09e8T45Y+//eMlrbORJAbji +H5cfD9aSO2z4slN4B4w+Fw9Kn+a7bsN2xhv7lvAgQ92aq9g/YS1YysZ7kSoCpmKl7rN+0V/RGRVP +ab2Cb0C3+JewTnOAF30e7zVs9Vaq3oTAV4XFYNiDRUBU/rvv8EIZKcBdufFJmCGYUpmm1EQQdsTt 
+mFMPEh5I4Qd0sy+HKvLjThcMGHqDX0bCeXkbFZdj0GXPOOt5LX8NZBdnsbVgENrZml318uLEj3ZU +DlojsfsTlVcs5eIPX6Dkx0OdgVcMAXnLF+vjP/ygWuLqiPFPCrZD1b+2g2P9Yip3e221tuyca42b +q3bvQEBwOsA= +-----END CERTIFICATE----- diff --git a/pixelsupport/sepolicy/product/private/keys.conf b/pixelsupport/sepolicy/product/private/keys.conf new file mode 100644 index 0000000..eff6067 --- /dev/null +++ b/pixelsupport/sepolicy/product/private/keys.conf @@ -0,0 +1,2 @@ +[@PIXELSUPPORT] +ALL : device/google/gs-common/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem diff --git a/pixelsupport/sepolicy/product/private/mac_permissions.xml b/pixelsupport/sepolicy/product/private/mac_permissions.xml new file mode 100644 index 0000000..cb8d42a --- /dev/null +++ b/pixelsupport/sepolicy/product/private/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/pixelsupport/sepolicy/product/private/pixelsupport_app.te b/pixelsupport/sepolicy/product/private/pixelsupport_app.te new file mode 100644 index 0000000..be6f7dd --- /dev/null +++ b/pixelsupport/sepolicy/product/private/pixelsupport_app.te @@ -0,0 +1,11 @@ +typeattribute pixelsupport_app coredomain; + +app_domain(pixelsupport_app) +# Access the network. +net_domain(pixelsupport_app) +# Access bluetooth. +bluetooth_domain(pixelsupport_app) + +allow pixelsupport_app app_api_service:service_manager find; +allow pixelsupport_app radio_service:service_manager find; + diff --git a/pixelsupport/sepolicy/product/private/seapp_contexts b/pixelsupport/sepolicy/product/private/seapp_contexts new file mode 100644 index 0000000..f16a054 --- /dev/null +++ b/pixelsupport/sepolicy/product/private/seapp_contexts @@ -0,0 +1,2 @@ +# Pixel Support App +user=_app seinfo=PixelSupport name=com.google.android.apps.pixel.support domain=pixelsupport_app type=app_data_file isPrivApp=true levelFrom=user 
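Review bot: The two `allow pixelsupport_app ...:service_manager find;` rules in private/pixelsupport_app.te carry no rationale, and the `net_domain` and `bluetooth_domain` grants above them are explained only by "Access the network." and "Access bluetooth."; the commit message points to an AVC log link rather than to a feature. For a `coredomain` app that seapp_contexts marks `isPrivApp=true`, I would add a short comment per rule naming what needs it, for example `# <feature>: looks up radio_service`, so later reviewers can tell which grants are still required.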
diff --git a/pixelsupport/sepolicy/product/public/pixelsupport_app.te b/pixelsupport/sepolicy/product/public/pixelsupport_app.te
new file mode 100644
index 0000000..1846ac9
--- /dev/null
+++ b/pixelsupport/sepolicy/product/public/pixelsupport_app.te
@@ -0,0 +1,2 @@
+type pixelsupport_app, domain;
+
diff --git a/pixelsupport/sepolicy/vendor/pixelsupport_app.te b/pixelsupport/sepolicy/vendor/pixelsupport_app.te
new file mode 100644
index 0000000..e3b380c
--- /dev/null
+++ b/pixelsupport/sepolicy/vendor/pixelsupport_app.te
@@ -0,0 +1,2 @@
+set_prop(pixelsupport_app, vendor_gti_prop)
+
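Review bot: `set_prop(pixelsupport_app, vendor_gti_prop)` in vendor/pixelsupport_app.te lets a network-capable app domain set every property labelled `vendor_gti_prop`; per PATCH 1/3 that covers `vendor.touch.gtiN.ical`, whose value init hands to the `user system` touch_gti_ical service for writing to the `interactive_calibrate` sysfs node, as well as the `.state` and `.result` outputs. Nothing in this patch says which of those the app needs, so a comment above the rule stating the use case, for example `# <use case>: app drives GTI interactive calibration via vendor.touch.gti*.ical`, would make the grant reviewable. If the app only has to read results, `get_prop` would be the narrower macro.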