From c186dbd6dbf310688acbac656049656e1e84abc1 Mon Sep 17 00:00:00 2001
From: Amy Hsu
Date: Tue, 6 Dec 2022 06:20:23 +0000
Subject: [PATCH] Revise sepolicy because of refactor HbmSvManager
1. Set sepolicy correctly, make it the same as gs201.
2. Rename hbmsvmanager to pixeldisplayservice due to refactor.
3. Add arm_mali_platform_service for pixeldisplayservcice
Bug: 241498235
Bug: 262794939
Bug: 263185136
Bug: 264489797
Test: Verify LBE and shadow compensation functions. Make sure there is no avc denied.
Change-Id: I2a4bb5d6b863edc00b789fd6df8d46f90164d9f2
---
 tracking_denials/hbmsvmanager_app.te | 8 --------
 vendor/hbmsvmanager_app.te | 6 ------
 vendor/pixeldisplayservice_app.te | 14 ++++++++++++++
 vendor/seapp_contexts | 4 ++--
 4 files changed, 16 insertions(+), 16 deletions(-)
 delete mode 100644 tracking_denials/hbmsvmanager_app.te
 delete mode 100644 vendor/hbmsvmanager_app.te
 create mode 100644 vendor/pixeldisplayservice_app.te
diff --git a/tracking_denials/hbmsvmanager_app.te b/tracking_denials/hbmsvmanager_app.te
deleted file mode 100644
index 712789ee..00000000
--- a/tracking_denials/hbmsvmanager_app.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# b/262794939
-dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find };
-# b/263185136
-dontaudit hbmsvmanager_app hal_graphics_composer_default:binder { call };
-# b/264489797
-userdebug_or_eng(`
- permissive hbmsvmanager_app;
-')
\ No newline at end of file
diff --git a/vendor/hbmsvmanager_app.te b/vendor/hbmsvmanager_app.te
deleted file mode 100644
index 0804203c..00000000
--- a/vendor/hbmsvmanager_app.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type hbmsvmanager_app, domain;
-
-app_domain(hbmsvmanager_app);
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
diff --git a/vendor/pixeldisplayservice_app.te b/vendor/pixeldisplayservice_app.te
new file mode 100644
index 00000000..7320d002
--- /dev/null
+++ b/vendor/pixeldisplayservice_app.te
@@ -0,0 +1,14 @@
+type pixeldisplayservice_app, domain, coredomain;
+
+app_domain(pixeldisplayservice_app);
+
+allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
+allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
+
+allow pixeldisplayservice_app hal_pixel_display_service:service_manager find;
+binder_call(pixeldisplayservice_app, hal_graphics_composer_default)
+
+# Standard system services
+allow pixeldisplayservice_app app_api_service:service_manager find;
+
+allow pixeldisplayservice_app cameraserver_service:service_manager find;
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 73b3effb..f7c4b8d5 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -10,8 +10,8 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.omapi_a
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+# PixelDisplayService
+user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
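Review bot: The description's item 3 says arm_mali_platform_service is added for this domain, but no rule in the new vendor/pixeldisplayservice_app.te names that type; the final rule instead grants `cameraserver_service:service_manager find`, which the description never mentions, so one of the two looks out of step and the policy should carry only what the app demonstrably needs. The `proc_vendor_sched:file w_file_perms` grant gives an app domain write access to vendor scheduler nodes with no comment; I would put a one-line reason and bug reference above it and above the cameraserver rule, e.g. `# <why the app writes vendor sched nodes> (b/<bug id>)`. The type is also declared `coredomain` in a file under vendor/ while it calls `hal_graphics_composer_default` over binder; that is presumably carried over from gs201, but it is worth confirming the build-time neverallow checks pass rather than relying on the runtime "no avc denied" test alone.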