From ef7e54bbb0fc5908541fe9768d238b65bc46e5ad Mon Sep 17 00:00:00 2001
From: Michael Bestas <mkbestas@gmail.com>
Date: Sun, 22 Jun 2025 13:53:50 +0300
Subject: [PATCH] tangorpro: sepolicy: Add missing castkey sepolicy

Change-Id: I24045ad4ebd36912d434042ed11d0d4ab5f1af9b
---
 sepolicy/castkey/file.te            |  1 +
 sepolicy/castkey/file_contexts      |  4 ++++
 sepolicy/castkey/hal_drm_castkey.te | 10 ++++++++++
 sepolicy/castkey/service_contexts   |  1 +
 sepolicy/tangorpro-sepolicy.mk      |  3 +++
 5 files changed, 19 insertions(+)
 create mode 100644 sepolicy/castkey/file.te
 create mode 100644 sepolicy/castkey/file_contexts
 create mode 100644 sepolicy/castkey/hal_drm_castkey.te
 create mode 100644 sepolicy/castkey/service_contexts

diff --git a/sepolicy/castkey/file.te b/sepolicy/castkey/file.te
new file mode 100644
index 0000000..190a1ed
--- /dev/null
+++ b/sepolicy/castkey/file.te
@@ -0,0 +1 @@
+type device_cert_file, file_type, vendor_persist_type;
diff --git a/sepolicy/castkey/file_contexts b/sepolicy/castkey/file_contexts
new file mode 100644
index 0000000..a6575eb
--- /dev/null
+++ b/sepolicy/castkey/file_contexts
@@ -0,0 +1,4 @@
+/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0
+
+# Cert
+/mnt/vendor/persist/nest/cast_auth\.crt                u:object_r:device_cert_file:s0
diff --git a/sepolicy/castkey/hal_drm_castkey.te b/sepolicy/castkey/hal_drm_castkey.te
new file mode 100644
index 0000000..ea8815a
--- /dev/null
+++ b/sepolicy/castkey/hal_drm_castkey.te
@@ -0,0 +1,10 @@
+type hal_drm_cast, domain;
+type hal_drm_cast_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_cast)
+
+hal_server_domain(hal_drm_cast, hal_drm)
+
+# Cert
+allow hal_drm_cast mnt_vendor_file:dir search;
+allow hal_drm_cast persist_file:dir search;
+allow hal_drm_cast device_cert_file:file r_file_perms;
diff --git a/sepolicy/castkey/service_contexts b/sepolicy/castkey/service_contexts
new file mode 100644
index 0000000..e3ad58f
--- /dev/null
+++ b/sepolicy/castkey/service_contexts
@@ -0,0 +1 @@
+android.hardware.drm.IDrmFactory/castkey                         u:object_r:hal_drm_service:s0
diff --git a/sepolicy/tangorpro-sepolicy.mk b/sepolicy/tangorpro-sepolicy.mk
index 2c35ab9..dba963c 100644
--- a/sepolicy/tangorpro-sepolicy.mk
+++ b/sepolicy/tangorpro-sepolicy.mk
@@ -2,6 +2,9 @@
 BOARD_SEPOLICY_DIRS += device/google/tangorpro/sepolicy/vendor
 BOARD_SEPOLICY_DIRS += device/google/tangorpro/sepolicy/tracking_denials
 
+# castkey
+BOARD_SEPOLICY_DIRS += device/google/tangorpro/sepolicy/castkey
+
 # fingerprint
 BOARD_SEPOLICY_DIRS += device/google/tangorpro/sepolicy/fingerprint_capacitance