Add 'sepolicy/' from tag 'android-15.0.0_r1'

git-subtree-dir: sepolicy
git-subtree-mainline: 6b6bd13dc4
git-subtree-split: bec3b11f79
Change-Id: I3a341668a4b4228ba933a4a291888d979a69b5fb

sepolicy/OWNERS

@@ -0,0 +1,4 @@
+include device/google/gs-common:/sepolicy/OWNERS
+
+adamshih@google.com
+

sepolicy/bluetooth/file_contexts

@@ -0,0 +1,4 @@
+# Bluetooth
+/vendor/bin/hw/android\.hardware\.bluetooth@1\.1-service\.synabtlinux    u:object_r:hal_bluetooth_synabtlinux_exec:s0
+
+/dev/ttySAC18                                   u:object_r:hci_attach_dev:s0

sepolicy/bluetooth/genfs_contexts

@@ -0,0 +1,4 @@
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state                             u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state                             u:object_r:sysfs_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite                                                          u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/lpm                                                              u:object_r:proc_bluetooth_writable:s0

sepolicy/bluetooth/hal_bluetooth_default.te

@@ -0,0 +1,23 @@
+type hal_bluetooth_synabtlinux, domain;
+type hal_bluetooth_synabtlinux_exec, exec_type, file_type, vendor_file_type;
+
+hal_server_domain(hal_bluetooth_synabtlinux, hal_bluetooth)
+init_daemon_domain(hal_bluetooth_synabtlinux)
+
+allow hal_bluetooth_synabtlinux self:socket { create bind read write };
+allow hal_bluetooth_synabtlinux self:bluetooth_socket { create bind read write };
+allow hal_bluetooth_synabtlinux hci_attach_dev:chr_file rw_file_perms;
+allow hal_bluetooth_synabtlinux hal_power_stats_vendor_service:service_manager find;
+add_hwservice(hal_bluetooth_synabtlinux, hal_bluetooth_coexistence_hwservice)
+vndbinder_use(hal_bluetooth_synabtlinux)
+binder_call(hal_bluetooth_synabtlinux, hal_power_stats_default)
+get_prop(hal_bluetooth_synabtlinux, boot_status_prop)
+
+allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+ userdebug_or_eng(`
+  allow hal_bluetooth_synabtlinux logbuffer_device:chr_file r_file_perms;
+  allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:file create_file_perms;
+ ')

sepolicy/bluetooth/hwservice.te

@@ -0,0 +1,2 @@
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;

sepolicy/bluetooth/hwservice_contexts

@@ -0,0 +1,3 @@
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance   u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar                          u:object_r:hal_bluetooth_coexistence_hwservice:s0

sepolicy/fingerprint_capacitance/file.te

@@ -0,0 +1 @@
+type sysfs_fingerprint, sysfs_type, fs_type;

sepolicy/fingerprint_capacitance/file_contexts

@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42    u:object_r:hal_fingerprint_capacitance_exec:s0

sepolicy/fingerprint_capacitance/genfs_contexts

@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020     u:object_r:sysfs_fingerprint:s0

sepolicy/fingerprint_capacitance/hal_fingerprint_capacitance.te

@@ -0,0 +1,39 @@
+# hal_fingerprint_capacitance definition
+type hal_fingerprint_capacitance, domain;
+hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint)
+
+type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_capacitance)
+
+set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)
+
+# allow fingerprint to access file
+allow hal_fingerprint_capacitance fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms;
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_capacitance, hal_power);
+
+# allow fingerprint to find fwk service
+allow hal_fingerprint_capacitance fwk_stats_service:service_manager find;
+
+# allow fingerprint to access sysfs_leds
+allow hal_fingerprint_capacitance sysfs_leds:dir search;
+allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms;
+
+# allow fingerprint to access sysfs_batteryinfo
+allow hal_fingerprint_capacitance sysfs_batteryinfo:dir search;
+allow hal_fingerprint_capacitance sysfs_batteryinfo:file rw_file_perms;
+
+# allow fingerprint to access input_device
+allow hal_fingerprint_capacitance input_device:dir r_dir_perms;
+allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;
+
+# allow fingerprint to access hwservice
+hwbinder_use(hal_fingerprint_capacitance)
+add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice)
+
+# allow fingerprint to access fwk sensor hwservice
+allow hal_fingerprint_capacitance fwk_sensor_service:service_manager find;

sepolicy/fingerprint_capacitance/hwservice.te

@@ -0,0 +1 @@
+type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type;

sepolicy/fingerprint_capacitance/hwservice_contexts

@@ -0,0 +1,2 @@
+com.fingerprints42.extension::IFingerprintEngineering  u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
+com.fingerprints42.extension::IFingerprintSensorTest   u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0

sepolicy/fingerprint_capacitance/servicemanager.te

@@ -0,0 +1 @@
+binder_call(servicemanager, hal_fingerprint_capacitance)

sepolicy/fingerprint_capacitance/system_app.te

@@ -0,0 +1,3 @@
+# TODO (b/264266705) Remove this and make it specific to the app
+# allow SystemUIGoogle to access fingerprint hal
+hal_client_domain(system_app, hal_fingerprint)

sepolicy/system_ext/private/platform_app.te

@@ -0,0 +1,2 @@
+# Allow platform apps to access system_update_service (e.g. check if update info is available).
+allow platform_app system_update_service:service_manager find;

sepolicy/system_ext/private/property_contexts

@@ -0,0 +1,6 @@
+# TODO(b/246793311): Clean up a temporary property once pa/2342172 lands
+debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool
+
+# Default orienation for boot animation counted from natural orienation of the device
+# Id at the end corresponds to the display id on the device. See b/246793311 for context.
+ro.bootanim.set_orientation_4619827677550801152 u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_90 ORIENTATION_180 ORIENTATION_270

sepolicy/tangorpro-sepolicy.mk

@@ -0,0 +1,13 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/tracking_denials
+
+# fingerprint
+BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance
+
+# for mediashell
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor
+
+# system_ext
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private

sepolicy/tracking_denials/README.txt

@@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.

sepolicy/tracking_denials/bug_map

@@ -0,0 +1,5 @@
+
+audioserver vendor_file file b/312069156
+platform_app system_data_file dir b/289358324
+shell sysfs_touch dir b/264823366
+system_app proc_pagetypeinfo file b/312375728

sepolicy/vendor/README.txt

@@ -0,0 +1,2 @@
+This folder holds sepolicy exclusively for one device. For example, genfs_contexts
+paths that are affected by device tree.

sepolicy/vendor/device.te

@@ -0,0 +1,2 @@
+# Wifi
+type vendor_wlan_device, dev_type;

sepolicy/vendor/file.te

@@ -0,0 +1,8 @@
+#Pogo USB control & status
+type sysfs_pogo_usb, sysfs_type, fs_type;
+
+# Cast device certificate
+type device_cert_file, file_type, vendor_persist_type;
+
+# Avoid GPS se failed
+type sysfs_gps, sysfs_type, fs_type;

sepolicy/vendor/file_contexts

@@ -0,0 +1,15 @@
+# Devices
+/dev/lwis-eeprom-smaug-front                                                u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-rear                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-medusa-front                                               u:object_r:lwis_device:s0
+/dev/lwis-sensor-medusa-rear                                                u:object_r:lwis_device:s0
+
+# Wifi
+/dev/wlan                               u:object_r:vendor_wlan_device:s0
+
+# Privacy LED
+/vendor/bin/hw/android\.hardware\.lights-service\.tangorpro          u:object_r:hal_light_default_exec:s0
+
+# Cast Factory Credentials
+/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0
+/mnt/vendor/persist/nest/cast_auth\.crt                u:object_r:device_cert_file:s0

sepolicy/vendor/genfs_contexts

@@ -0,0 +1,23 @@
+# Dock
+genfscon sysfs /devices/platform/google,dock/power_supply/dock         u:object_r:sysfs_batteryinfo:s0
+
+# Touch
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0   u:object_r:sysfs_touch:s0
+
+# system suspend wakeup files
+genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup                                                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/nvt-pen-battery/wakeup                  u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/USI_Stylus_Battery/wakeup               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/input/input2/wakeup                                  u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/wakeup                                               u:object_r:sysfs_wakeup:s0
+
+# Pogo usb control & status
+genfscon sysfs /devices/platform/google,pogo/pogo_usb_active           u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/pogo_usb_capable          u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/pogo_docked               u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/equal_priority            u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/move_data_to_usb          u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/extcon                    u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/google,pogo/hall1_s                   u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/hall1_n                   u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/hall2_s                   u:object_r:sysfs_pogo_usb:s0

sepolicy/vendor/grilservice_app.te

@@ -0,0 +1,2 @@
+# setBluetoothModeBasedTxPowerCap for SAR
+binder_call(grilservice_app, hal_bluetooth_synabtlinux)

sepolicy/vendor/hal_drm_cast.te

@@ -0,0 +1,9 @@
+type hal_drm_cast, domain;
+type hal_drm_cast_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_cast)
+hal_server_domain(hal_drm_cast, hal_drm)
+
+allow hal_drm_cast mnt_vendor_file:dir search;
+allow hal_drm_cast persist_file:dir search;
+allow hal_drm_cast device_cert_file:file r_file_perms;

sepolicy/vendor/hal_health_default.te

@@ -0,0 +1 @@
+dontaudit hal_health_default sysfs_touch:dir *;

sepolicy/vendor/hal_lights.te

@@ -0,0 +1,7 @@
+allow hal_light_default sysfs_leds:dir search;
+allow hal_light_default sysfs_leds:file rw_file_perms;
+allow hal_light_default mnt_vendor_file:dir search;
+allow hal_light_default persist_file:dir search;
+allow hal_light_default hal_pixel_display_service:service_manager find;
+binder_call(hal_light_default, hal_graphics_composer_default);
+r_dir_file(hal_light_default, persist_leds_file);

sepolicy/vendor/hal_power_stats_default.te

@@ -0,0 +1,2 @@
+# getStateResidency AIDL callback for Bluetooth HAL
+binder_call(hal_power_stats_default, hal_bluetooth_synabtlinux)

sepolicy/vendor/hal_sensors_default.te

@@ -0,0 +1,9 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow sensor HAL to access pogo driver hall file node.
+allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms;
+
+# Allow access to the uhid devices.
+allow hal_sensors_default uhid_device:chr_file rw_file_perms;

sepolicy/vendor/hal_usb_impl.te

@@ -0,0 +1,2 @@
+# For Pogo usb management
+allow hal_usb_impl sysfs_pogo_usb:file rw_file_perms;

sepolicy/vendor/hal_wifi_ext.te

@@ -0,0 +1 @@
+allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms;

sepolicy/vendor/service_contexts

@@ -0,0 +1,2 @@
+# Cast Factory Credentials
+android.hardware.drm.IDrmFactory/castkey                         u:object_r:hal_drm_service:s0

sepolicy/vendor/system_server.te

@@ -0,0 +1 @@
+allow system_server sysfs_touch_gti:file r_file_perms;

sepolicy/vendor/vendor_init.te

@@ -0,0 +1 @@
+get_prop(vendor_init, gesture_prop)