Merge "Set up common sepolicy for CHRE" into main

chre/README.txt

@@ -0,0 +1,5 @@
+This folder contains the common settings for CHRE shared by various platforms.
+
+Dependencies among types can happen. For example, hal_contexthub_default
+depends on sysfs_aoc at the moment. When setting up a device with CHRE
+we should make sure rules of dependent types are included too.

chre/hal.mk

@@ -0,0 +1,2 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/chre/sepolicy/
+PRODUCT_PACKAGES += android.hardware.contexthub-service.generic

chre/sepolicy/file_contexts

@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic               u:object_r:hal_contexthub_default_exec:s0

chre/sepolicy/hal_contexthub_default.te

@@ -0,0 +1,29 @@
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub_default, chre, chre)
+
+# Permit communication with AoC
+allow hal_contexthub_default aoc_device:chr_file rw_file_perms;
+
+# Allow context hub HAL to determine AoC's current clock
+allow hal_contexthub_default sysfs_aoc:dir search;
+allow hal_contexthub_default sysfs_aoc_boottime:file r_file_perms;
+
+# Allow context hub HAL to create thread to watch AOC's device
+allow hal_contexthub_default aoc_device:dir r_dir_perms;
+
+# Allow context hub HAL to use the USF low latency transport
+usf_low_latency_transport(hal_contexthub_default)
+
+# Allow context hub HAL to talk to the WiFi HAL
+binder_call(hal_contexthub_default, hal_wifi_ext)
+allow hal_contexthub_default hal_wifi_ext_service:service_manager find;
+
+# Allow context hub HAL to talk to stats service
+binder_call(hal_contexthub_default, stats_service_server)
+allow hal_contexthub_default fwk_stats_service:service_manager find;
+
+# Allow context hub HAL to use WakeLock
+wakelock_use(hal_contexthub_default)
+
+# Allow context hub HAL to block suspend, which is required to use EPOLLWAKEUP
+allow hal_contexthub_default self:global_capability2_class_set block_suspend;