From 72dc78222f8db9806bf97baaa48afbdb4d9e256c Mon Sep 17 00:00:00 2001
From: linpeter
Date: Thu, 6 Jan 2022 16:36:12 +0800
Subject: [PATCH] update display sepolicy

Bug: 205073165
Bug: 205656937
Bug: 205779906
Bug: 205904436
Bug: 207062172
Bug: 208721526
Bug: 204718757
Bug: 205904380
Bug: 213133646
test: check avc denied with hal_graphics_composer_default, hbmsvmanager_app
Change-Id: I964a62fa6570fd9056b420efae7bf2fcbbe9fc9f
---
 tracking_denials/hal_dumpstate_default.te | 1 -
 .../hal_graphics_composer_default.te | 32 ---------------
 tracking_denials/hbmsvmanager_app.te | 4 --
 whitechapel_pro/file.te | 1 +
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/genfs_contexts | 20 ++++++++--
 whitechapel_pro/hal_dumpstate_default.te | 3 ++
 .../hal_graphics_composer_default.te | 40 +++++++++++++++++++
 whitechapel_pro/hbmsvmanager_app.te | 11 +++++
 whitechapel_pro/property.te | 1 +
 whitechapel_pro/property_contexts | 3 ++
 11 files changed, 76 insertions(+), 41 deletions(-)
 delete mode 100644 tracking_denials/hal_graphics_composer_default.te
 delete mode 100644 tracking_denials/hbmsvmanager_app.te

diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index ced4632a..e0535f63 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -42,7 +42,6 @@ dontaudit hal_dumpstate_default sysfs_thermal:file { read };
 dontaudit hal_dumpstate_default sysfs_wifi:dir { search };
 dontaudit hal_dumpstate_default sysfs_wifi:file { open };
 dontaudit hal_dumpstate_default sysfs_wifi:file { read };
-dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find };
 dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open };
 dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read };
 dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
deleted file mode 100644
index a8333447..00000000
--- a/tracking_denials/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# b/205073165
-dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { getattr };
-dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { map };
-dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { open };
-dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { read };
-# b/205656937
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read };
-dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write };
-# b/205779906
-dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search };
-dontaudit hal_graphics_composer_default persist_file:dir { search };
-# b/205904436
-dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { bind };
-dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { create };
-dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
-dontaudit hal_graphics_composer_default vndservicemanager:binder { call };
-dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer };
-# b/207062172
-dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
-dontaudit hal_graphics_composer_default boot_status_prop:file { map };
-dontaudit hal_graphics_composer_default boot_status_prop:file { open };
-dontaudit hal_graphics_composer_default boot_status_prop:file { read };
-dontaudit hal_graphics_composer_default sysfs:file { getattr };
-dontaudit hal_graphics_composer_default sysfs:file { open };
-dontaudit hal_graphics_composer_default sysfs:file { read };
-dontaudit hal_graphics_composer_default sysfs:file { write };
-# b/208721526
-dontaudit hal_graphics_composer_default dumpstate:fd { use };
-dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hbmsvmanager_app.te b/tracking_denials/hbmsvmanager_app.te
deleted file mode 100644
index e015fa9b..00000000
--- a/tracking_denials/hbmsvmanager_app.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/204718757
-dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find };
-# b/205904380
-dontaudit hbmsvmanager_app hal_graphics_composer_default:binder { call };
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 1bf69ad1..c72cba22 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -64,6 +64,7 @@ type persist_modem_file, file_type, vendor_persist_type;
 type persist_sensor_reg_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
 type persist_uwb_file, file_type, vendor_persist_type;
+type persist_display_file, file_type, vendor_persist_type;
 # CHRE
 type chre_socket, file_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 233614f2..47fbb359 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -200,6 +200,7 @@
 /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
 # Extra mount images
 /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index a37d03ce..bf63687c 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -60,14 +60,26 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u
 # Display
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/brightness u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/state u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
+
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
+
+
 # mediacodec_samsung
 genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index e3e503b2..228cf2ba 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -6,3 +6,6 @@ allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
 allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
+
+allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
+binder_call(hal_dumpstate_default, hal_graphics_composer_default);
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te
index 84d923f6..5d596037 100644
--- a/whitechapel_pro/hal_graphics_composer_default.te
+++ b/whitechapel_pro/hal_graphics_composer_default.te
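Review bot: Relabeling the whole `.../1c2c0000.drmdsim.0/backlight` directory as `sysfs_leds` widens what the four dropped entries covered: `als_table`, `brightness`, `local_hbm_mode` and `state` were individually `sysfs_display`, and now every domain that already holds `sysfs_leds` write access can write all of them plus any attribute the driver adds later, not only the composer HAL this commit grants `sysfs_leds:file rw_file_perms`. Presumably the backlight is meant to go through the standard lights path; confirm which domains hold `sysfs_leds` rw in this policy and record the reason with a comment such as `# panel backlight is sysfs_leds so the lights HAL and HWC share one label`, if that is the reason. The new `1c241000.drmdecon/dqe1/atc` entry names a decon address that differs from the `1c242000.drmdecon/early_wakeup` context line above it; if the second decon is at 1c242000 the dqe1 node would stay unlabeled, so double-check the address. The two added blank lines after `tui_status` leave three empty lines before `# mediacodec_samsung`; one is enough.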
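Review bot: `binder_call(hal_dumpstate_default, hal_graphics_composer_default);` ends with a semicolon while the same macro is written as `binder_call(hbmsvmanager_app, hal_graphics_composer_default)` without one in whitechapel_pro/hbmsvmanager_app.te in this commit; the macro expansion already terminates its own rules, so the extra `;` is at best redundant and the two files should agree. The two new rules also arrive without the purpose comment the other .te files in this commit use, so add one line above them, e.g. `# display dump: look up displaycolor and call into HWC`, if that is what needs them.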
@@ -1,9 +1,49 @@
+# allow HWC to access power hal
 hal_client_domain(hal_graphics_composer_default, hal_power)
 # allow HWC to access vendor_displaycolor_service
 add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+ add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+ add_service(hal_graphics_composer_default, hal_pixel_display_service)
+# access sysfs R/W
 allow hal_graphics_composer_default sysfs_display:dir search;
 allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+userdebug_or_eng(`
+# allow HWC to access vendor log file
+ allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
+ allow hal_graphics_composer_default vendor_log_file:file create_file_perms;
+# For HWC/libdisplaycolor to generate calibration file.
+ allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+ allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
+')
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:dir search;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# allow HWC to get vendor_persist_sys_default_prop
+get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
+
+# allow HWC to get vendor_display_prop
+get_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# boot stauts prop
+get_prop(hal_graphics_composer_default, boot_status_prop);
+
+# allow HWC to output to dumpstate via pipe fd
+allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
+allow hal_graphics_composer_default hal_dumpstate_default:fd use;
+
+# socket / vnd service
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te
index 06bfed6c..b8f6a6be 100644
--- a/whitechapel_pro/hbmsvmanager_app.te
+++ b/whitechapel_pro/hbmsvmanager_app.te
@@ -1,3 +1,14 @@
 type hbmsvmanager_app, domain;
+ app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app sysfs_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms;
+
+allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
+binder_call(hbmsvmanager_app, hal_graphics_composer_default)
+
+# Standard system services
 allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 4cc19982..f3e0c86d 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -20,6 +20,7 @@ vendor_internal_prop(vendor_gps_prop)
 vendor_internal_prop(vendor_ro_sys_default_prop)
 vendor_internal_prop(vendor_persist_sys_default_prop)
 vendor_internal_prop(vendor_logger_prop)
+vendor_internal_prop(vendor_display_prop)
 # Fingerprint
 vendor_internal_prop(vendor_fingerprint_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index f07c0112..64880da5 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -67,6 +67,9 @@ persist.vendor.se. u:object_r:vendor_secure_element_prop
 vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
+# for display
+ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+
 # Camera
 vendor.camera. u:object_r:vendor_camera_prop:s0
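Review bot: The pipe rules `allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };` and `allow hal_graphics_composer_default hal_dumpstate_default:fd use;` name the dumpstate HAL, but the denial this commit retires from tracking_denials (b/208721526) was against `dumpstate:fd { use }` and `dumpstate:fifo_file { write }`, a different domain; if the fd the composer writes to is handed over by dumpstate itself rather than by the HAL, that denial will return uncovered, so confirm against the avc log the commit message says was checked and say who passes the fd in the comment, e.g. `# allow HWC to write the dump pipe handed over by hal_dumpstate_default`. `# boot stauts prop` should read `# boot status prop`, and `get_prop(hal_graphics_composer_default, boot_status_prop);` is the only `get_prop` in the hunk with a trailing semicolon. The two `add_service` lines added after the existing `add_service(hal_graphics_composer_default, vendor_displaycolor_service)` are indented by one space although they are not inside a macro block, unlike the `userdebug_or_eng` body where the indent marks the block; align them at column 0.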
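Review bot: `allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms;` gives an app domain write access to the vendor scheduler sysfs nodes and `allow hbmsvmanager_app cameraserver_service:service_manager find;` adds a camera dependency, yet neither is linked to any of the nine bugs in the commit message nor explained in a comment, whereas the two rules that replace the deleted tracking_denials entries (the `hal_pixel_display_service` find and the `binder_call`) are covered by b/204718757 and b/205904380. Add a one-line comment above each of the two, in the form `# b/<bug id>: <what hbmsvmanager does with it>`, so the next reviewer can tell the write access is intentional. ` app_domain(hbmsvmanager_app);` is indented by one space and carries a trailing semicolon, unlike `binder_call(hbmsvmanager_app, hal_graphics_composer_default)` a few lines below; write it as `app_domain(hbmsvmanager_app)` at column 0.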
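Review bot: `# for display` does not say what the new property context is for or who reads it; the only consumer this commit grants is `get_prop(hal_graphics_composer_default, vendor_display_prop)` in hal_graphics_composer_default.te, so make the comment say so, e.g. `# HWC: ro.vendor.hwc.drm.device, read by hal_graphics_composer_default`. Using the exact key `ro.vendor.hwc.drm.device` rather than a prefix like `vendor.camera.` is the tighter choice; just be aware that any further `ro.vendor.hwc.*` property will need its own line here.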