From 21f41116164dde6e09859e19828f9f0e4030446d Mon Sep 17 00:00:00 2001
From: Adam Shih <adamshih@google.com>
Date: Tue, 6 Dec 2022 10:34:32 +0800
Subject: [PATCH] restart domains

Bug: 254378739
Test: boot to home
Change-Id: If7264f1a5cdaace0558dbeda986d9c899dd6ac08
---
 legacy/whitechapel_pro/file_contexts          |   3 -
 legacy/whitechapel_pro/hal_camera_default.te  | 104 ------------------
 .../hal_secure_element_uicc.te                |  11 --
 legacy/whitechapel_pro/hal_thermal_default.te |   2 -
 legacy/whitechapel_pro/hal_usb_gadget_impl.te |  17 ---
 legacy/whitechapel_pro/hal_usb_impl.te        |  26 -----
 tracking_denials/permissive.te                |   5 +
 vendor/file_contexts                          |   3 +
 vendor/hal_secure_element_uicc.te             |   5 +
 vendor/hal_usb_gadget_impl.te                 |   5 +
 vendor/hal_usb_impl.te                        |   4 +
 11 files changed, 22 insertions(+), 163 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/hal_camera_default.te
 delete mode 100644 legacy/whitechapel_pro/hal_secure_element_uicc.te
 delete mode 100644 legacy/whitechapel_pro/hal_thermal_default.te
 delete mode 100644 legacy/whitechapel_pro/hal_usb_gadget_impl.te
 delete mode 100644 legacy/whitechapel_pro/hal_usb_impl.te
 create mode 100644 vendor/hal_secure_element_uicc.te
 create mode 100644 vendor/hal_usb_gadget_impl.te
 create mode 100644 vendor/hal_usb_impl.te

diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 0f641549..8408cac4 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -13,13 +13,10 @@
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel             u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service                    u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service                     u:object_r:mediacodec_google_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service          u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix  u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix   u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st                           u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor         u:object_r:hal_wlc_exec:s0
-/vendor/bin/hw/android\.hardware\.usb-service                               u:object_r:hal_usb_impl_exec:s0
-/vendor/bin/hw/android\.hardware\.usb\.gadget-service                       u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service                       u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice                                                      u:object_r:rlsservice_exec:s0
 
diff --git a/legacy/whitechapel_pro/hal_camera_default.te b/legacy/whitechapel_pro/hal_camera_default.te
deleted file mode 100644
index ba2b5304..00000000
--- a/legacy/whitechapel_pro/hal_camera_default.te
+++ /dev/null
@@ -1,104 +0,0 @@
-type hal_camera_default_tmpfs, file_type;
-
-allow hal_camera_default self:global_capability_class_set sys_nice;
-allow hal_camera_default kernel:process setsched;
-
-binder_use(hal_camera_default);
-vndbinder_use(hal_camera_default);
-
-allow hal_camera_default lwis_device:chr_file rw_file_perms;
-allow hal_camera_default gpu_device:chr_file rw_file_perms;
-allow hal_camera_default sysfs_chip_id:file r_file_perms;
-
-# Face authentication code that is part of the camera HAL needs to allocate
-# dma_bufs and access the Trusted Execution Environment device node
-allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_camera_default tee_device:chr_file rw_file_perms;
-
-# Allow the camera hal to access the EdgeTPU service and the
-# Android shared memory allocated by the EdgeTPU service for
-# on-device compilation.
-allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
-allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
-allow hal_camera_default sysfs_edgetpu:file r_file_perms;
-allow hal_camera_default edgetpu_vendor_service:service_manager find;
-binder_call(hal_camera_default, edgetpu_vendor_server)
-
-# Allow the camera hal to access the GXP device.
-allow hal_camera_default gxp_device:chr_file rw_file_perms;
-
-# Allow access to data files used by the camera HAL
-allow hal_camera_default mnt_vendor_file:dir search;
-allow hal_camera_default persist_file:dir search;
-allow hal_camera_default persist_camera_file:dir rw_dir_perms;
-allow hal_camera_default persist_camera_file:file create_file_perms;
-allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
-allow hal_camera_default vendor_camera_data_file:file create_file_perms;
-
-# Allow creating dump files for debugging in non-release builds
-userdebug_or_eng(`
-  allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
-  allow hal_camera_default vendor_camera_data_file:file create_file_perms;
-')
-
-# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
-# compiled into the shared libraries with cc_embed_data rules
-tmpfs_domain(hal_camera_default);
-
-# Allow access to camera-related system properties
-set_prop(hal_camera_default, vendor_camera_prop);
-set_prop(hal_camera_default, log_tag_prop);
-get_prop(hal_camera_default, vendor_camera_debug_prop);
-userdebug_or_eng(`
-  set_prop(hal_camera_default, vendor_camera_fatp_prop);
-  set_prop(hal_camera_default, vendor_camera_debug_prop);
-')
-
-# For camera hal to talk with rlsservice
-allow hal_camera_default rls_service:service_manager find;
-binder_call(hal_camera_default, rlsservice)
-
-hal_client_domain(hal_camera_default, hal_graphics_allocator);
-hal_client_domain(hal_camera_default, hal_graphics_composer)
-hal_client_domain(hal_camera_default, hal_power);
-hal_client_domain(hal_camera_default, hal_thermal);
-
-# Allow access to sensor service for sensor_listener
-binder_call(hal_camera_default, system_server);
-
-# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
-allow hal_camera_default eco_service:service_manager find;
-binder_call(hal_camera_default, mediacodec);
-binder_call(hal_camera_default, mediacodec_samsung);
-
-# Allow camera HAL to query preferred camera frequencies from the radio HAL
-# extensions to avoid interference with cellular antennas.
-allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
-binder_call(hal_camera_default, hal_radioext_default);
-
-# Allow camera HAL to connect to the stats service.
-allow hal_camera_default fwk_stats_service:service_manager find;
-
-# For observing apex file changes
-allow hal_camera_default apex_info_file:file r_file_perms;
-
-# Allow camera HAL to query current device clock frequencies.
-allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
-
-# Allow camera HAL to read backlight of display
-allow hal_camera_default sysfs_leds:dir r_dir_perms;
-allow hal_camera_default sysfs_leds:file r_file_perms;
-
-# Allow camera HAL to send trace packets to Perfetto
-userdebug_or_eng(`perfetto_producer(hal_camera_default)')
-
-# Some file searches attempt to access system data and are denied.
-# This is benign and can be ignored.
-dontaudit hal_camera_default system_data_file:dir { search };
-
-# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
-dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
-
-# Allow access to always-on compute device node
-allow hal_camera_default aoc_device:chr_file rw_file_perms;
diff --git a/legacy/whitechapel_pro/hal_secure_element_uicc.te b/legacy/whitechapel_pro/hal_secure_element_uicc.te
deleted file mode 100644
index fe535320..00000000
--- a/legacy/whitechapel_pro/hal_secure_element_uicc.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_secure_element_uicc, domain;
-type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
-
-hal_server_domain(hal_secure_element_uicc, hal_secure_element)
-init_daemon_domain(hal_secure_element_uicc)
-
-# Allow hal_secure_element_uicc to access rild
-binder_call(hal_secure_element_uicc, rild);
-allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;
-
-
diff --git a/legacy/whitechapel_pro/hal_thermal_default.te b/legacy/whitechapel_pro/hal_thermal_default.te
deleted file mode 100644
index 9852a767..00000000
--- a/legacy/whitechapel_pro/hal_thermal_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms;
-allow hal_thermal_default sysfs_odpm:file r_file_perms;
diff --git a/legacy/whitechapel_pro/hal_usb_gadget_impl.te b/legacy/whitechapel_pro/hal_usb_gadget_impl.te
deleted file mode 100644
index 30041467..00000000
--- a/legacy/whitechapel_pro/hal_usb_gadget_impl.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type hal_usb_gadget_impl, domain;
-hal_server_domain(hal_usb_gadget_impl, hal_usb)
-hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)
-
-type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_usb_gadget_impl)
-
-allow hal_usb_gadget_impl configfs:dir { create rmdir };
-allow hal_usb_gadget_impl functionfs:dir { watch watch_reads };
-set_prop(hal_usb_gadget_impl, vendor_usb_config_prop)
-
-# parser the number of dwc3 irq
-allow hal_usb_gadget_impl proc_interrupts:file r_file_perms;
-
-# change irq to other cores
-allow hal_usb_gadget_impl proc_irq:dir r_dir_perms;
-allow hal_usb_gadget_impl proc_irq:file w_file_perms;
diff --git a/legacy/whitechapel_pro/hal_usb_impl.te b/legacy/whitechapel_pro/hal_usb_impl.te
deleted file mode 100644
index a5da3ce1..00000000
--- a/legacy/whitechapel_pro/hal_usb_impl.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type hal_usb_impl, domain;
-
-type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_usb_impl)
-hal_server_domain(hal_usb_impl, hal_usb)
-hal_server_domain(hal_usb_impl, hal_usb_gadget)
-
-set_prop(hal_usb_impl, vendor_usb_config_prop)
-allow hal_usb_impl functionfs:dir { watch watch_reads };
-
-allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
-allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
-
-# Needed for reporting Usb Overheat suez event through statsd
-allow hal_usb_impl fwk_stats_service:service_manager find;
-binder_call(hal_usb_impl, servicemanager)
-
-# Needed for monitoring usb port temperature
-allow hal_usb_impl self:capability2 wake_alarm;
-wakelock_use(hal_usb_impl);
-
-# For interfacing with ThermalHAL
-hal_client_domain(hal_usb_impl, hal_thermal);
-
-# For reading the usb-c throttling stats
-allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 7f184724..769c26bc 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -21,4 +21,9 @@ userdebug_or_eng(`
   permissive con_monitor_app;
   permissive hal_secure_element_st54spi;
   permissive ofl_app;
+  permissive hal_thermal_default;
+  permissive hal_secure_element_uicc;
+  permissive hal_usb_gadget_impl;
+  permissive hal_usb_impl;
+  permissive hal_camera_default;
 ')
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 0077ef1c..35a51c88 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -5,6 +5,9 @@
 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging          u:object_r:gxp_logging_exec:s0
 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel               u:object_r:hal_power_stats_default_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto           u:object_r:hal_secure_element_st54spi_exec:s0
+/vendor/bin/hw/android\.hardware\.usb-service                               u:object_r:hal_usb_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.usb\.gadget-service                       u:object_r:hal_usb_gadget_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service          u:object_r:hal_secure_element_uicc_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)?                                                      u:object_r:vendor_fw_file:s0
diff --git a/vendor/hal_secure_element_uicc.te b/vendor/hal_secure_element_uicc.te
new file mode 100644
index 00000000..55975191
--- /dev/null
+++ b/vendor/hal_secure_element_uicc.te
@@ -0,0 +1,5 @@
+type hal_secure_element_uicc, domain;
+type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_secure_element_uicc)
+
diff --git a/vendor/hal_usb_gadget_impl.te b/vendor/hal_usb_gadget_impl.te
new file mode 100644
index 00000000..8c6a872d
--- /dev/null
+++ b/vendor/hal_usb_gadget_impl.te
@@ -0,0 +1,5 @@
+type hal_usb_gadget_impl, domain;
+
+type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_gadget_impl)
+
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
new file mode 100644
index 00000000..3caf54a2
--- /dev/null
+++ b/vendor/hal_usb_impl.te
@@ -0,0 +1,4 @@
+type hal_usb_impl, domain;
+
+type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_impl)