sepolicy: fix avc denial

fix avc denial

Test: bott passed and no avc log after boot
Bug: 260769063
Bug: 261105028
Bug: 260366126
Bug: 261650934
Bug: 262178497
Bug: 262315567
Bug: 262633072
Change-Id: I926d535fe6871726b5cd0602e436f6b5a3a9e736
Signed-off-by: Chungkai Mei <chungkai@google.com>

legacy/whitechapel_pro/file.te

@@ -18,7 +18,6 @@ userdebug_or_eng(`
 # sysfs
 type sysfs_ota, sysfs_type, fs_type;
 type bootdevice_sysdev, dev_type;
-type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;

tracking_denials/hal_power_default.te

@@ -1,36 +0,0 @@
-# b/260366126
-dontaudit hal_power_default sysfs:file { open };
-dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs_camera:file { open };
-dontaudit hal_power_default sysfs_camera:file { write };
-dontaudit hal_power_default sysfs_display:file { open };
-dontaudit hal_power_default sysfs_display:file { write };
-dontaudit hal_power_default sysfs_fabric:file { open };
-dontaudit hal_power_default sysfs_fabric:file { write };
-dontaudit hal_power_default vendor_camera_prop:property_service { set };
-# b/260769063
-dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
-# b/261105028
-dontaudit hal_power_default hal_fingerprint_default:binder { transfer };
-# b/261650934
-dontaudit hal_power_default hal_camera_default:binder { transfer };
-# b/262178497
-dontaudit hal_power_default sysfs_fabric:file { read };
-# b/262315567
-dontaudit hal_power_default sysfs:file { getattr };
-dontaudit hal_power_default sysfs:file { read };
-dontaudit hal_power_default sysfs_display:file { getattr };
-dontaudit hal_power_default sysfs_display:file { read };
-dontaudit hal_power_default sysfs_fabric:file { getattr };
-# b/262633072
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
-dontaudit hal_power_default sysfs_camera:file { getattr };
-dontaudit hal_power_default sysfs_camera:file { read };
-dontaudit hal_power_default vendor_camera_prop:file { getattr };
-dontaudit hal_power_default vendor_camera_prop:file { map };
-dontaudit hal_power_default vendor_camera_prop:file { open };
-dontaudit hal_power_default vendor_camera_prop:file { read };
-# b/264489779
-userdebug_or_eng(`
-  permissive hal_power_default;
-')

vendor/file.te

@@ -15,3 +15,11 @@ allow bootdevice_sysdev sysfs:filesystem associate;
 
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
+
+# Vendor sched files
+userdebug_or_eng(`
+    typeattribute proc_vendor_sched mlstrustedobject;
+')
+
+type sysfs_fabric, sysfs_type, fs_type;
+type sysfs_em_profile, sysfs_type, fs_type;

vendor/genfs_contexts

@@ -334,3 +334,9 @@ genfscon sysfs /devices/virtual/wakeup/wakeup
 # Trusty
 genfscon sysfs /module/trusty_virtio/parameters/use_high_wq               u:object_r:sysfs_trusty:s0
 genfscon sysfs /module/trusty_core/parameters/use_high_wq                 u:object_r:sysfs_trusty:s0
+
+# EM Profile
+genfscon sysfs /kernel/pixel_em/active_profile                            u:object_r:sysfs_em_profile:s0
+
+# GPU
+genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq              u:object_r:sysfs_gpu:s0

vendor/hal_power_default.te

@@ -0,0 +1,6 @@
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_camera:file rw_file_perms;
+allow hal_power_default sysfs_em_profile:file rw_file_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop);