From 466adbb2daf58e6a9fc0848191aa4cb10f6c5bc8 Mon Sep 17 00:00:00 2001
From: Peter Csaszar
Date: Mon, 14 Feb 2022 20:29:23 -0800
Subject: [PATCH] pixel-selinux: Port PRO SJTAG policies to tm-dev

These are the SELinux policies for the sysfs files of the SJTAG kernel interface for WHI-PRO-based devices, now migrated to the tm-dev branch.
The files are in the following directories:
/sys/devices/platform/sjtag_ap/interface/
/sys/devices/platform/sjtag_gsa/interface/

Bug: 207571417
Bug: 224022297
Signed-off-by: Peter Csaszar
Merged-in: I5ec50d9ff7cd0e08ade7acce21e73751e93a0aff
Change-Id: I56da5763c31ab098859cbc633660897646fe7f3e
---
 whitechapel_pro/file.te | 13 ++++++++++++-
 whitechapel_pro/genfs_contexts | 4 ++++
 whitechapel_pro/shell.te | 5 +++++
 whitechapel_pro/ssr_detector.te | 5 +++++
 4 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 whitechapel_pro/shell.te

diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 798b1e1f..25b31271 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -96,4 +96,15 @@ type sysfs_gpu, sysfs_type, fs_type;
 type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 
 # Touch
-type proc_touch, proc_type, fs_type;
\ No newline at end of file
+type proc_touch, proc_type, fs_type;
+
+# Vendor sched files
+userdebug_or_eng(`
+  typeattribute sysfs_vendor_sched mlstrustedobject;
+')
+
+# SJTAG
+type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+  typeattribute sysfs_sjtag mlstrustedobject;
+')
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index a2219599..e4c6cb1c 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
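Review bot: The `typeattribute sysfs_vendor_sched mlstrustedobject;` block is not part of the SJTAG change described in the commit message, and neither it nor the `sysfs_sjtag` block says why the type must be an MLS-trusted object. `mlstrustedobject` exempts the labeled nodes from the MLS constraints, so any domain that later receives an allow rule can reach them regardless of its level; that is presumably needed for an app-level domain such as ssr_detector_app, but it should be stated next to the rule. I would put `# mlstrustedobject: lets app-level domains (ssr_detector_app) reach these nodes on debug builds` above each typeattribute line, and either mention the vendor-sched part in the commit message or move it to its own change. The `type sysfs_vendor_sched` declaration is not in the hunk, so I assume it is declared elsewhere in the file.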
@@ -223,3 +223,7 @@ genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_t
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
+
+# SJTAG
+genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
+genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te
new file mode 100644
index 00000000..978a5426
--- /dev/null
+++ b/whitechapel_pro/shell.te
@@ -0,0 +1,5 @@
+# Allow access to the SJTAG kernel interface from the shell
+userdebug_or_eng(`
+  allow shell sysfs_sjtag:dir r_dir_perms;
+  allow shell sysfs_sjtag:file rw_file_perms;
+')
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
index ff3c40f9..793e51b6 100644
--- a/whitechapel_pro/ssr_detector.te
+++ b/whitechapel_pro/ssr_detector.te
@@ -12,6 +12,11 @@ userdebug_or_eng(`
   allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
   allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
   get_prop(ssr_detector_app, vendor_aoc_prop)
+  allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
+  allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
+  allow ssr_detector_app sysfs_vendor_sched:dir search;
+  allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms;
+  allow ssr_detector_app cgroup:file write;
 ')
 
 get_prop(ssr_detector_app, vendor_ssrdump_prop)
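Review bot: Both `genfscon` lines label by path prefix, so every node under the two `interface` directories gets `sysfs_sjtag`, and the match only holds if the platform devices are registered under exactly `sjtag_ap` and `sjtag_gsa` with no unit address in the name. If the real sysfs name differs, the nodes silently keep the default `sysfs` label, the debug-only rules added in shell.te and ssr_detector.te never match anything, and the interface is governed by whatever access the generic label already grants. Worth confirming the labels on a device before merging; a comment stating that these two directories are the whole intended SJTAG interface (and nothing above them is meant to be relabeled) would also help the next reader.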
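Review bot: The header comment says only "Allow access", while the rules grant the shell domain read and write (`rw_file_perms`) on the SJTAG interface files, and the debug-only gating by `userdebug_or_eng` is the property a reader most needs to see. I would make the comment say so: `# userdebug/eng only: let the shell read and write the SJTAG sysfs interface; no rule exists on user builds`. If the shell only needs to read some of these nodes, splitting the rule into read-only and read-write pieces would keep the grant minimal.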
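Review bot: The last three added rules (`sysfs_vendor_sched:dir search`, `sysfs_vendor_sched:file rw_file_perms`, `cgroup:file write`) have nothing to do with the SJTAG interface named in the commit message, yet they give ssr_detector_app write access to scheduler tunables and cgroup files without any explanation in the hunk or the description. They sit inside the `userdebug_or_eng(` block that opens before the hunk (its opening line is only visible in the hunk header), so they are debug-only, but that is not a reason to leave them undocumented. I would add a comment above them, e.g. `# Debug-only: write access to vendor sched tunables and cgroup files -- used for <reason>` with the reason filled in, or move them to a separate change with their own bug reference.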