From 171bfb004b47d28372256d3bceb6b2bc8bdf0ed8 Mon Sep 17 00:00:00 2001
From: Chungkai Mei
Date: Fri, 6 Jan 2023 06:53:45 +0000
Subject: [PATCH] sepolicy: fix avc denial fix avc denial
Test: bott passed and no avc log after boot
Bug: 260769063
Bug: 261105028
Bug: 260366126
Bug: 261650934
Bug: 262178497
Bug: 262315567
Bug: 262633072
Change-Id: I926d535fe6871726b5cd0602e436f6b5a3a9e736
Signed-off-by: Chungkai Mei
---
 legacy/whitechapel_pro/file.te | 1 -
 tracking_denials/hal_power_default.te | 36 ---------------------------
 vendor/file.te | 8 ++++++
 vendor/genfs_contexts | 6 +++++
 vendor/hal_power_default.te | 6 +++++
 5 files changed, 20 insertions(+), 37 deletions(-)
 delete mode 100644 tracking_denials/hal_power_default.te
 create mode 100644 vendor/hal_power_default.te
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 69a5de7d..0d36c7b7 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -18,7 +18,6 @@ userdebug_or_eng(`
 # sysfs
 type sysfs_ota, sysfs_type, fs_type;
 type bootdevice_sysdev, dev_type;
-type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index d3ac8c7b..00000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# b/260366126
-dontaudit hal_power_default sysfs:file { open };
-dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs_camera:file { open };
-dontaudit hal_power_default sysfs_camera:file { write };
-dontaudit hal_power_default sysfs_display:file { open };
-dontaudit hal_power_default sysfs_display:file { write };
-dontaudit hal_power_default sysfs_fabric:file { open };
-dontaudit hal_power_default sysfs_fabric:file { write };
-dontaudit hal_power_default vendor_camera_prop:property_service { set };
-# b/260769063
-dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
-# b/261105028
-dontaudit hal_power_default hal_fingerprint_default:binder { transfer };
-# b/261650934
-dontaudit hal_power_default hal_camera_default:binder { transfer };
-# b/262178497
-dontaudit hal_power_default sysfs_fabric:file { read };
-# b/262315567
-dontaudit hal_power_default sysfs:file { getattr };
-dontaudit hal_power_default sysfs:file { read };
-dontaudit hal_power_default sysfs_display:file { getattr };
-dontaudit hal_power_default sysfs_display:file { read };
-dontaudit hal_power_default sysfs_fabric:file { getattr };
-# b/262633072
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
-dontaudit hal_power_default sysfs_camera:file { getattr };
-dontaudit hal_power_default sysfs_camera:file { read };
-dontaudit hal_power_default vendor_camera_prop:file { getattr };
-dontaudit hal_power_default vendor_camera_prop:file { map };
-dontaudit hal_power_default vendor_camera_prop:file { open };
-dontaudit hal_power_default vendor_camera_prop:file { read };
-# b/264489779
-userdebug_or_eng(`
- permissive hal_power_default;
-')
\ No newline at end of file
diff --git a/vendor/file.te b/vendor/file.te
index 41df26d4..f3fe7cd4 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -15,3 +15,11 @@ allow bootdevice_sysdev sysfs:filesystem associate;
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
+
+# Vendor sched files
+userdebug_or_eng(`
+ typeattribute proc_vendor_sched mlstrustedobject;
+')
+
+type sysfs_fabric, sysfs_type, fs_type;
+type sysfs_em_profile, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 9f85e5a9..8e53a522 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -334,3 +334,9 @@ genfscon sysfs /devices/virtual/wakeup/wakeup
 # Trusty
 genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
 genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0
+
+# EM Profile
+genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0
+
+# GPU
+genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
\ No newline at end of file
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
new file mode 100644
index 00000000..2aed6c2b
--- /dev/null
+++ b/vendor/hal_power_default.te
@@ -0,0 +1,6 @@
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_camera:file rw_file_perms;
+allow hal_power_default sysfs_em_profile:file rw_file_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop);
\ No newline at end of file
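Review bot: The `typeattribute proc_vendor_sched mlstrustedobject;` line added inside the userdebug_or_eng block of vendor/file.te is not covered by the commit message, which only mentions hal_power_default denials, and its only comment is `# Vendor sched files`. mlstrustedobject exempts the type from the MLS write constraints, so any domain with a TE allow rule on proc_vendor_sched can write it regardless of its level. A comment naming the caller and the tracking bug would justify the exemption, for example `# userdebug/eng only: <domain> running at a non-s0 level must write vendor sched nodes (b/<bug id>)`. proc_vendor_sched is declared outside this hunk, so the set of domains allowed to write it cannot be checked from here.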
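Review bot: The new last line of vendor/genfs_contexts is followed by `\ No newline at end of file`, whereas the file ended with a newline before this change; the new vendor/hal_power_default.te ends the same way. If the build joins policy fragments without inserting a separator, the next fragment's first line would be glued onto the `hint_min_freq` entry, so both files should end with a newline. Separately, the GPU entry hard-codes the `1f000000.mali` platform address; a short comment stating which SoC this address belongs to would help when the policy is reused for another device.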
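Review bot: The six rules in the new vendor/hal_power_default.te do not cover every denial whose `dontaudit` line this commit deletes. There is no visible rule for the `binder { transfer }` denials towards hal_graphics_composer_default, hal_fingerprint_default and hal_camera_default, or for `capability { dac_read_search }`. With the tracker file and its `permissive hal_power_default;` removed, those accesses are enforced and logged again unless they are allowed somewhere outside this patch. The Test line only mentions boot, which may not exercise the camera or fingerprint paths, so it is worth confirming these with those features active. A dac_read_search denial usually points at the node's owner or mode rather than at a missing SELinux rule. The file also has no comments; a line such as `# b/<bug id>: <sysfs node written and why>` above each allow would keep the link to the bugs listed in the commit message.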