Add sensor boot-to-home required policy

Test: boot-to-home
Fix: 261105336
Change-Id: I772ff7a294cc5d2448361c164d4e671a41c92c8d

legacy/whitechapel_pro/file.te

@@ -4,7 +4,6 @@ type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_camera_data_file, file_type, data_file_type;
 type vendor_media_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
-type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
@@ -21,21 +20,15 @@ type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
-type sysfs_write_leds, sysfs_type, fs_type;
 
 # debugfs
 type vendor_regmap_debugfs, fs_type, debugfs_type;
 type vendor_dri_debugfs, fs_type, debugfs_type;
 
 # persist
-type persist_camera_file, file_type, vendor_persist_type;
-type persist_sensor_reg_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
 type persist_uwb_file, file_type, vendor_persist_type;
 
-# CHRE
-type chre_socket, file_type;
-
 # Storage Health HAL
 type proc_f2fs, proc_type, fs_type;
 

legacy/whitechapel_pro/genfs_contexts

@@ -80,21 +80,3 @@ genfscon sysfs /devices/platform/2bd40000.etm    u:object_r:sysfs_devices_cs_etm
 genfscon sysfs /devices/platform/2be40000.etm    u:object_r:sysfs_devices_cs_etm:s0
 genfscon sysfs /devices/platform/2bf40000.etm    u:object_r:sysfs_devices_cs_etm:s0
 
-# AOC
-genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
-genfscon sysfs /devices/platform/17000000.aoc/firmware                      u:object_r:sysfs_aoc_firmware:s0
-genfscon sysfs /devices/platform/17000000.aoc                               u:object_r:sysfs_aoc:s0
-genfscon sysfs /devices/platform/17000000.aoc/reset                         u:object_r:sysfs_aoc_reset:s0
-genfscon sysfs /devices/platform/17000000.aoc/services                      u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/restart_count                 u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/coredump_count                u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/ring_buffer_wakeup    u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/host_ipc_wakeup       u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/usf_wakeup            u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/audio_wakeup          u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/logging_wakeup        u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup        u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception      u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32      u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1      u:object_r:sysfs_aoc_dumpstate:s0
-

legacy/whitechapel_pro/property.te

@@ -11,8 +11,5 @@ vendor_internal_prop(vendor_display_prop)
 # UWB calibration
 system_vendor_config_prop(vendor_uwb_calibration_prop)
 
-# Dynamic sensor
-vendor_internal_prop(vendor_dynamic_sensor_prop)
-
 # Trusty storage FS ready
 vendor_internal_prop(vendor_trusty_storage_prop)

legacy/whitechapel_pro/property_contexts

@@ -18,8 +18,5 @@ persist.vendor.sys.                        u:object_r:vendor_persist_sys_default
 #uwb
 ro.vendor.uwb.calibration.                 u:object_r:vendor_uwb_calibration_prop:s0 exact string
 
-# Dynamic sensor
-vendor.dynamic_sensor.                     u:object_r:vendor_dynamic_sensor_prop:s0
-
 # Trusty
 ro.vendor.trusty.storage.fs_ready          u:object_r:vendor_trusty_storage_prop:s0

tracking_denials/hal_sensors_default.te

@@ -1,51 +1,3 @@
-# b/261105336
-dontaudit hal_sensors_default aoc_device:chr_file { getattr };
-dontaudit hal_sensors_default aoc_device:chr_file { open };
-dontaudit hal_sensors_default aoc_device:chr_file { read write };
-dontaudit hal_sensors_default chre:unix_stream_socket { connectto };
-dontaudit hal_sensors_default chre_socket:sock_file { write };
-dontaudit hal_sensors_default device:dir { open };
-dontaudit hal_sensors_default device:dir { read };
-dontaudit hal_sensors_default device:dir { watch };
-dontaudit hal_sensors_default fwk_stats_service:service_manager { find };
-dontaudit hal_sensors_default hal_graphics_composer_default:binder { call };
-dontaudit hal_sensors_default hal_pixel_display_service:service_manager { find };
-dontaudit hal_sensors_default mnt_vendor_file:dir { search };
-dontaudit hal_sensors_default persist_file:dir { search };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { getattr };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { open };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { read };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { search };
-dontaudit hal_sensors_default persist_sensor_reg_file:file { getattr };
-dontaudit hal_sensors_default persist_sensor_reg_file:file { open };
-dontaudit hal_sensors_default persist_sensor_reg_file:file { read };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { getattr };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { open };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { read };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { search };
-dontaudit hal_sensors_default sensor_reg_data_file:file { getattr };
-dontaudit hal_sensors_default sensor_reg_data_file:file { open };
-dontaudit hal_sensors_default sensor_reg_data_file:file { read };
-dontaudit hal_sensors_default sysfs_aoc:dir { search };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
-dontaudit hal_sensors_default sysfs_chosen:dir { search };
-dontaudit hal_sensors_default sysfs_chosen:file { open };
-dontaudit hal_sensors_default sysfs_chosen:file { read };
-dontaudit hal_sensors_default sysfs_display:file { getattr };
-dontaudit hal_sensors_default sysfs_display:file { open };
-dontaudit hal_sensors_default sysfs_display:file { read };
-dontaudit hal_sensors_default sysfs_leds:dir { search };
-dontaudit hal_sensors_default sysfs_leds:file { open };
-dontaudit hal_sensors_default sysfs_leds:file { read };
-dontaudit hal_sensors_default sysfs_write_leds:file { open };
-dontaudit hal_sensors_default sysfs_write_leds:file { write };
-dontaudit hal_sensors_default system_server:binder { call };
-dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { getattr };
-dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { map };
-dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { open };
-dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { read };
 # b/264489637
 userdebug_or_eng(`
   permissive hal_sensors_default;

vendor/file.te

@@ -1,11 +1,14 @@
 # persist
 type persist_display_file, file_type, vendor_persist_type;
 type persist_battery_file, file_type, vendor_persist_type;
+type persist_camera_file, file_type, vendor_persist_type;
+type persist_sensor_reg_file, file_type, vendor_persist_type;
 
 #sysfs
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_power_dump, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
+type sysfs_write_leds, sysfs_type, fs_type;
 
 # Trusty
 type sysfs_trusty, sysfs_type, fs_type;
@@ -26,6 +29,12 @@ type vendor_cma_debugfs, fs_type, debugfs_type;
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
 
+# CHRE
+type chre_socket, file_type;
+
+# Data
+type sensor_reg_data_file, file_type, data_file_type;
+
 # Vendor sched files
 userdebug_or_eng(`
     typeattribute proc_vendor_sched mlstrustedobject;

vendor/genfs_contexts

@@ -398,3 +398,21 @@ genfscon sysfs /kernel/pixel_em/active_profile                            u:obje
 
 # GPU
 genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq              u:object_r:sysfs_gpu:s0
+
+# AOC
+genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/17000000.aoc/firmware                      u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/17000000.aoc                               u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/17000000.aoc/reset                         u:object_r:sysfs_aoc_reset:s0
+genfscon sysfs /devices/platform/17000000.aoc/services                      u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/restart_count                 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/coredump_count                u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/ring_buffer_wakeup    u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/host_ipc_wakeup       u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/usf_wakeup            u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/audio_wakeup          u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/logging_wakeup        u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup        u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception      u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32      u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1      u:object_r:sysfs_aoc_dumpstate:s0

vendor/hal_sensors_default.te

@@ -0,0 +1,58 @@
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;
+
+# Allow access to CHRE socket to connect to nanoapps.
+allow hal_sensors_default chre:unix_stream_socket connectto;
+allow hal_sensors_default chre_socket:sock_file write;
+
+# Allow SensorSuez to connect AIDL stats.
+allow hal_sensors_default fwk_stats_service:service_manager find;
+
+# Allow sensor HAL to access the graphics composer.
+binder_call(hal_sensors_default, hal_graphics_composer_default);
+
+# Allow sensor HAL to access the display service HAL
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
+
+# Allow reading of sensor registry persist files and camera persist files.
+allow hal_sensors_default mnt_vendor_file:dir search;
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default persist_file:file r_file_perms;
+allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
+allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
+r_dir_file(hal_sensors_default, persist_camera_file)
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
+allow hal_sensors_default sysfs_aoc:file r_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow access for dynamic sensor properties.
+get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
+
+# Allow access to the display info for ALS.
+allow hal_sensors_default sysfs_display:file rw_file_perms;
+
+# Allow access to the files of CDT information.
+allow hal_sensors_default sysfs_chosen:dir search;
+allow hal_sensors_default sysfs_chosen:file r_file_perms;
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file r_file_perms;

vendor/property.te

@@ -7,3 +7,6 @@ vendor_internal_prop(vendor_shutdown_prop)
 
 # USB
 vendor_internal_prop(vendor_usb_config_prop)
+
+# Dynamic sensor
+vendor_internal_prop(vendor_dynamic_sensor_prop)

vendor/property_contexts

@@ -15,3 +15,6 @@ persist.vendor.shutdown.                   u:object_r:vendor_shutdown_prop:s0
 # USB
 persist.vendor.usb.                        u:object_r:vendor_usb_config_prop:s0
 vendor.usb.                                u:object_r:vendor_usb_config_prop:s0
+
+# Dynamic sensor
+vendor.dynamic_sensor.                     u:object_r:vendor_dynamic_sensor_prop:s0