From 4dd3e1e99ee36f091ce473780ea5a1bd2bb15364 Mon Sep 17 00:00:00 2001 From: Tai Kuo Date: Wed, 10 Mar 2021 17:00:16 +0800 Subject: [PATCH 1/2] Add touch procfs and sysfs sepolicy Touch palm sepolicies are not included. Bug: 173330981 Test: No avc denied log for touch sysfs, procfs access. Signed-off-by: Tai Kuo Change-Id: Idf510e4a9c65e5af0885159353ef85d6b6ec553f
---
 whitechapel/vendor/google/genfs_contexts | 4 +++-
 whitechapel/vendor/google/hal_dumpstate_default.te | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 759f260b..d01b107d 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -76,8 +76,10 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup/wakeu
 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 
 # Touch
-genfscon sysfs /class/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0
 genfscon proc /fts/driver_test u:object_r:proc_touch:s0
+genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
 
 # EdgeTPU
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
index 4b3b4e4a..a72f1257 100644
--- a/whitechapel/vendor/google/hal_dumpstate_default.te
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
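Review bot: The three added genfscon lines label whole subtrees rather than single nodes, because genfscon on sysfs and proc matches by path prefix; everything beneath `/devices/platform/10d40000.spi/spi_master/spi11/spi11.0`, its spi6.0 sibling and `/proc/fts_ext/driver_test` becomes sysfs_touch or proc_touch, and any attribute the driver later exposes under those nodes silently inherits the label and every rule granted on it, including the write grant made to hal_dumpstate_default in the next file of this patch. That is normal for a device-specific controller, but `# Touch` no longer says which nodes are meant, so the comment should name them: `# Touch controllers on spi11 (10d40000.spi) and spi6 (10950000.spi); driver_test nodes under /proc/fts and /proc/fts_ext`. The replaced `/class/spi_master/spi11/spi11.0` entry was presumably never effective because /sys/class paths are symlinks into /sys/devices, which would explain the switch to the concrete device path, but that is inferred rather than visible in the hunk.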
@@ -44,6 +44,11 @@ allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
 allow hal_dumpstate_default sysfs_wifi:dir search;
 allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
 
+# Touch sysfs interface
+allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
 allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
 allow hal_dumpstate_default sysfs_thermal:lnk_file read;
From 8cac55487b2da4349c90341e8cda1a4e6098f939 Mon Sep 17 00:00:00 2001 From: Tai Kuo Date: Wed, 10 Mar 2021 17:05:47 +0800 Subject: [PATCH 2/2] gs101-sepolicy: Add twoshay permissions Add twoshay and touch input context library permissions Bug: 173330899 Bug: 173330981 Test: check boot-time twoshay startup and no denials. Signed-off-by: Steve Pfetsch Change-Id: I68aace66f49c2af1ebfd4bde7082039f9caf3f64 Signed-off-by: Tai Kuo
---
 whitechapel/vendor/google/device.te | 3 +++
 whitechapel/vendor/google/file_contexts | 4 ++++
 whitechapel/vendor/google/twoshay.te | 8 ++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 whitechapel/vendor/google/twoshay.te
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 375c91c3..9287dd13 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -30,6 +30,9 @@ type cpuctl_device, dev_type;
 # Bt Wifi Coexistence device
 type wb_coexistence_dev, dev_type;
 
+# Touch
+type touch_offload_device, dev_type;
+
 # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
 type lwis_device, dev_type;
 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 68bcf67f..d257d295 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
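Review bot: `allow hal_dumpstate_default sysfs_touch:file rw_file_perms;` and the proc_touch line below it give a bug-report collector write access, where the neighbouring sysfs_wifi and sysfs_thermal rules in the same hunk are read-only; if the touch dump works by writing a request into the driver_test node and reading the reply back, that is the reason the block should state, otherwise `r_file_perms` is the tighter grant. The header comment also describes less than the block covers, since proc_touch is a procfs label: `# Touch sysfs/procfs diagnostics (write access needed because <reason>)`. The commit message records only that no denials were observed, which does not tell a later reader whether the write permission is load-bearing or just copied from a broader rule.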
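Review bot: `# Touch` above `type touch_offload_device, dev_type;` says less than the neighbouring comments do (`# Bt Wifi Coexistence device`, and the LWIS line which names its consumer); since the file_contexts hunk of this patch binds the type to /dev/touch_offload and twoshay is its only consumer in this patch, `# Touch offload character device (/dev/touch_offload), opened by twoshay` would tell a reader both what the node is and which domain is expected to hold it.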
@@ -363,6 +363,10 @@
 /vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0
 
+# Touch
+/dev/touch_offload u:object_r:touch_offload_device:s0
+/vendor/bin/twoshay u:object_r:twoshay_exec:s0
+
 # Fingerprint
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te
new file mode 100644
index 00000000..139294d6
--- /dev/null
+++ b/whitechapel/vendor/google/twoshay.te
@@ -0,0 +1,8 @@
+type twoshay, domain; +type twoshay_exec, exec_type, vendor_file_type, file_type; + init_daemon_domain(twoshay) + allow twoshay touch_offload_device:chr_file rw_file_perms; + allow twoshay twoshay:capability sys_nice; +
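Review bot: `allow twoshay twoshay:capability sys_nice;` grants CAP_SYS_NICE to the new daemon with no comment saying why, and capability grants are the first lines a policy reviewer audits; the line should carry its reason and, as is the convention for a domain's own rules, name the subject as `self`: `# CAP_SYS_NICE: <reason the daemon adjusts scheduling priority>` followed by `allow twoshay self:capability sys_nice;`. The description says the change also adds touch input context library permissions, but nothing in this file or in the device.te and file_contexts hunks refers to such a library, so either those rules arrive in a separate change or the description overstates what is here. The lines after the `@@ -0,0 +1,8 @@` header are run together in this view, so the hunk's layout is read from its line count rather than seen.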