From bc525e1a497c0e71e25469505a3173a6799bd472 Mon Sep 17 00:00:00 2001
From: Peter Csaszar
Date: Fri, 7 May 2021 16:50:00 -0700
Subject: [PATCH] pixel-selinux: add SJTAG policies

These are the SELinux policies for the DebugFS files of the SJTAG kernel interface.

Bug: 184768605
Signed-off-by: Peter Csaszar
Change-Id: I36996d6fd5fe09adb7a36be573cf57f15ea35756
---
 whitechapel/vendor/google/file.te | 1 +
 whitechapel/vendor/google/genfs_contexts | 1 +
 whitechapel/vendor/google/shell.te | 6 ++++++
 whitechapel/vendor/google/ssr_detector.te | 2 ++
 4 files changed, 10 insertions(+)

diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 4fae37ae..5868a14a 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -34,6 +34,7 @@ type vendor_maxfg_debugfs, fs_type, debugfs_type, sysfs_type;
 type vendor_charger_debugfs, fs_type, debugfs_type, sysfs_type;
 type vendor_votable_debugfs, fs_type, debugfs_type, sysfs_type;
 type vendor_battery_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_sjtag_debugfs, fs_type, debugfs_type, sysfs_type;
 
 # Exynos sysfs
 type sysfs_exynos_bts, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 45ec1595..1aeee8bb 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -284,6 +284,7 @@ genfscon debugfs /usb
 genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
+genfscon debugfs /sjtag u:object_r:vendor_sjtag_debugfs:s0
 
 # tracefs
 genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te
index 29274f5f..484e1501 100644
--- a/whitechapel/vendor/google/shell.te
+++ b/whitechapel/vendor/google/shell.te
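Review bot: The new `vendor_sjtag_debugfs` type in file.te carries `sysfs_type` alongside `debugfs_type`, so any rule written against the `sysfs_type` attribute also applies to the SJTAG nodes, not only to the two domains this patch names. That matches the neighbouring debugfs types, but for a debug-port interface the narrower `type vendor_sjtag_debugfs, fs_type, debugfs_type;` looks safer unless something relies on the extra attribute. Which domains hold attribute-wide sysfs rules is not visible in this patch, so this needs checking against the rest of the policy.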
@@ -1 +1,7 @@
 allow shell eco_service:service_manager find;
+
+# Allow access to the SJTAG kernel interface from the shell
+userdebug_or_eng(`
+ allow shell vendor_sjtag_debugfs:dir r_dir_perms;
+ allow shell vendor_sjtag_debugfs:file rw_file_perms;
+')
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
index ff3c40f9..37f571cd 100644
--- a/whitechapel/vendor/google/ssr_detector.te
+++ b/whitechapel/vendor/google/ssr_detector.te
@@ -12,6 +12,8 @@ userdebug_or_eng(`
 allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
 allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
 get_prop(ssr_detector_app, vendor_aoc_prop)
+ allow ssr_detector_app vendor_sjtag_debugfs:dir r_dir_perms;
+ allow ssr_detector_app vendor_sjtag_debugfs:file rw_file_perms;
 ')
 
 get_prop(ssr_detector_app, vendor_ssrdump_prop)
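Review bot: Both `vendor_sjtag_debugfs:file rw_file_perms` rules, here in shell.te and again in ssr_detector.te, grant write on every file under `/sjtag`, because genfs_contexts labels the whole subtree with a single type. If either domain only reads status nodes, `r_file_perms` would be enough for it; if write is needed for particular nodes only, a second type for those nodes would keep the rest read-only. The existing comment should also say what the shell writes and that the rule is confined to debug builds, for example `# userdebug/eng only: shell needs write to <node> for <purpose>`.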
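Review bot: The two SJTAG rules added for `ssr_detector_app` carry no comment, unlike the shell.te rules in the same commit, and neither the hunk nor the commit message says why an app domain needs the SJTAG interface. I would add a line above them such as `# Allow access to the SJTAG kernel interface from the SSR detector app`, followed by the reason write access is required. The enclosing `userdebug_or_eng` block opens above the hunk, so the debug-build guard is visible here only through the hunk header.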