From f897a71294190decdfc5c768c9c1dd7e36d81dd5 Mon Sep 17 00:00:00 2001
From: Super Liu
Date: Thu, 27 Jun 2024 14:18:52 +0000
Subject: [PATCH] Support touch sepolicy for spi20

avc denied logs:
07-02 13:17:48.412 1 1 I auditd : type=1107 audit(0.0:4): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=persist.sys.tap_gesture pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:gesture_prop:s0 tclass=file permissive=0'
07-02 13:17:56.204 315 315 I auditd : type=1400 audit(0.0:20): avc: denied { write } for comm="init" name="nvt_heatmap" dev="proc" ino=4026536248 scontext=u:r:vendor_init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
vendor_init change to access sysfs_touch from sysfs:
07-02 13:17:56.680 1 1 I init : Command 'write /sys/devices/virtual/goog_touch_interface/gti.0/vendor_input/nvt_dttw_mode 1' action=vendor.all.modules.ready=1 (/vendor/etc/init/hw/init.rc:127) took 462ms and succeeded
ls -lZ /sys/devices/virtual/goog_touch_interface/gti.0/vendor_input/nvt_dttw_mode
-rw-r--r-- 1 system system u:object_r:sysfs:s0 4096 2024-07-02 13:17 /sys/devices/virtual/goog_touch_interface/gti.0/vendor_input/nvt_dttw_mode

Bug: 335839116
Test: TH pass
Change-Id: If1890defcb9400405071b1c669098d9d62bc56e4
Signed-off-by: Super Liu
---
 touch/nvt/nvt-spi20.mk | 2 ++
 touch/nvt/sepolicy-spi20/genfs_contexts | 8 ++++++++
 touch/nvt/sepolicy/file.te | 1 +
 touch/nvt/sepolicy/genfs_contexts | 12 ++++++++++++
 touch/nvt/sepolicy/vendor_init.te | 5 +++++
 5 files changed, 28 insertions(+)
 create mode 100644 touch/nvt/nvt-spi20.mk
 create mode 100644 touch/nvt/sepolicy-spi20/genfs_contexts
 create mode 100644 touch/nvt/sepolicy/genfs_contexts
 create mode 100644 touch/nvt/sepolicy/vendor_init.te

diff --git a/touch/nvt/nvt-spi20.mk b/touch/nvt/nvt-spi20.mk
new file mode 100644
index 0000000..ad46fcc
--- /dev/null
+++ b/touch/nvt/nvt-spi20.mk
@@ -0,0 +1,2 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/nvt/sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/nvt/sepolicy-spi20
diff --git a/touch/nvt/sepolicy-spi20/genfs_contexts b/touch/nvt/sepolicy-spi20/genfs_contexts
new file mode 100644
index 0000000..05467a3
--- /dev/null
+++ b/touch/nvt/sepolicy-spi20/genfs_contexts
@@ -0,0 +1,8 @@
+# Touch
+genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0 u:object_r:sysfs_touch:s0
+
+# System suspend wakeup files
+genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/power_supply/nvt-pen-battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/power_supply/USI_Stylus_Battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/input/input2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/touch/nvt/sepolicy/file.te b/touch/nvt/sepolicy/file.te
index e310df7..05a770b 100644
--- a/touch/nvt/sepolicy/file.te
+++ b/touch/nvt/sepolicy/file.te
@@ -1 +1,2 @@
 type sysfs_touch, sysfs_type, fs_type;
+type proc_touch, proc_type, fs_type;
diff --git a/touch/nvt/sepolicy/genfs_contexts b/touch/nvt/sepolicy/genfs_contexts
new file mode 100644
index 0000000..b120511
--- /dev/null
+++ b/touch/nvt/sepolicy/genfs_contexts
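Review bot: The sysfs attribute the commit message shows init writing, `/sys/devices/virtual/goog_touch_interface/gti.0/vendor_input/nvt_dttw_mode`, is still labeled `u:object_r:sysfs:s0` in the quoted `ls -lZ`, and nothing in this genfs_contexts hunk relabels that `goog_touch_interface/gti.0` path; the only `sysfs_touch` entry added covers `/devices/platform/111d0000.spi/spi_master/spi20/spi20.0`. Unless the `gti.0` subtree is already mapped to `sysfs_touch` in a genfs_contexts outside this change, the new `vendor_init sysfs_touch:file rw_file_perms` rule will not apply to that write and the denial the commit describes remains. If it is mapped elsewhere, a one-line comment pointing at it would save the next reader the same check, e.g. `# nvt_dttw_mode lives under goog_touch_interface/gti.0, labeled sysfs_touch in <path to the common genfs_contexts>`. Note also that the spi20.0 genfscon is a prefix match, so every attribute under the SPI device inherits `sysfs_touch` except the four wakeup nodes explicitly carved out as `sysfs_wakeup`.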
@@ -0,0 +1,12 @@
+genfscon proc /nvt_baseline u:object_r:proc_touch:s0
+genfscon proc /nvt_cc_uniformity u:object_r:proc_touch:s0
+genfscon proc /nvt_diff u:object_r:proc_touch:s0
+genfscon proc /nvt_fw_update u:object_r:proc_touch:s0
+genfscon proc /nvt_fw_version u:object_r:proc_touch:s0
+genfscon proc /nvt_heatmap u:object_r:proc_touch:s0
+genfscon proc /nvt_pen_1d_diff u:object_r:proc_touch:s0
+genfscon proc /nvt_pen_2d_baseline u:object_r:proc_touch:s0
+genfscon proc /nvt_pen_2d_diff u:object_r:proc_touch:s0
+genfscon proc /nvt_pen_2d_raw u:object_r:proc_touch:s0
+genfscon proc /nvt_raw u:object_r:proc_touch:s0
+genfscon proc /nvt_selftest u:object_r:proc_touch:s0
diff --git a/touch/nvt/sepolicy/vendor_init.te b/touch/nvt/sepolicy/vendor_init.te
new file mode 100644
index 0000000..8b844dd
--- /dev/null
+++ b/touch/nvt/sepolicy/vendor_init.te
@@ -0,0 +1,5 @@
+allow vendor_init sysfs_touch:dir r_dir_perms;
+allow vendor_init sysfs_touch:file rw_file_perms;
+allow vendor_init proc_touch:dir r_dir_perms;
+allow vendor_init proc_touch:file rw_file_perms;
+set_prop(vendor_init, gesture_prop)
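Review bot: All twelve `/proc/nvt_*` nodes receive the single label `proc_touch`, although the names suggest a mix of read-only diagnostics (`nvt_baseline`, `nvt_raw`, `nvt_diff`, `nvt_fw_version`) and action triggers such as `nvt_fw_update` and `nvt_selftest`; once the companion vendor_init.te rule grants `rw_file_perms` on `proc_touch:file`, that one label makes every node writable by vendor_init, while the only denial quoted in the commit message is a `write` to `nvt_heatmap`. A header comment stating which of these init.rc actually writes would keep the label's scope reviewable, e.g. `# NVT touch driver debug/diag nodes under /proc; init.rc writes nvt_heatmap, the rest are read-only in practice`. This file also lands in the shared `touch/nvt/sepolicy` directory rather than `sepolicy-spi20`, so it applies to every board that includes the nvt policy; if the `/proc/nvt_*` names are bus-independent that is fine, but a short comment saying so would make the split between the two directories intentional rather than accidental.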
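Review bot: The last line, `set_prop(vendor_init, gesture_prop)`, grants more than the quoted denial needs: the audit record is `denied { read } for property=persist.sys.tap_gesture`, which `get_prop(vendor_init, gesture_prop)` satisfies on its own, whereas `set_prop` additionally allows vendor_init to set the property. Unless init.rc does a `setprop` on a `gesture_prop` property (not shown in this change), `get_prop(vendor_init, gesture_prop)` is the narrower rule. The same applies to `rw_file_perms` on `sysfs_touch:file` and `proc_touch:file`: the evidence in the commit message is one sysfs `write` from init.rc and one proc `write` to `nvt_heatmap`, so it is worth confirming that read access to the whole label set is actually exercised before granting it. A comment tying each rule to the init.rc action it serves, e.g. `# init.rc: write .../vendor_input/nvt_dttw_mode (sysfs_touch) and /proc/nvt_heatmap (proc_touch)`, would let a later reviewer tell intended access from leftover breadth.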