From 25748e9d9394f4e7ada0e0199748e3b8823a350b Mon Sep 17 00:00:00 2001
From: Kuen-Han Tsai <khtsai@google.com>
Date: Fri, 2 Feb 2024 17:35:39 +0800
Subject: [PATCH] Set SEPolicy for the disable_contaminant_detection script

This patch ports Zuma project SEPolicy and corrects the platform device
name.

init    : Command 'exec /vendor/bin/hw/disable_contaminant_detection.sh'
action=vendor.usb.contaminantdisable=true (/vendor/etc/init/hw/
init.zumapro.usb.rc:288) took 5ms and failed: Could not start exec
service: File /vendor/bin/hw/disable_contaminant_detection.sh(labeled
"u:object_r:vendor_file:s0") has incorrect label or no domain transition
from u:r:init:s0 to another SELinux domain defined. Have you configured
your service correctly?
https://source.android.com/security/selinux/device-policy#
label_new_services_and_address_denials. Note: this error shows up even
in permissive mode in order to make auditing denials possible.

Bug: 295127978
Test: manual test
Change-Id: I4269127f0101250615aad9218a9e2684579a653b
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
---
 vendor/disable-contaminant-detection-sh.te | 7 +++++++
 vendor/file_contexts                       | 1 +
 vendor/genfs_contexts                      | 3 +++
 3 files changed, 11 insertions(+)
 create mode 100644 vendor/disable-contaminant-detection-sh.te

diff --git a/vendor/disable-contaminant-detection-sh.te b/vendor/disable-contaminant-detection-sh.te
new file mode 100644
index 0000000..95845a1
--- /dev/null
+++ b/vendor/disable-contaminant-detection-sh.te
@@ -0,0 +1,7 @@
+type disable-contaminant-detection-sh, domain;
+type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(disable-contaminant-detection-sh)
+
+allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 6613742..3cec364 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -26,6 +26,7 @@
 /vendor/bin/hw/qfp-daemon                                                   u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix  u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix   u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/disable_contaminant_detection\.sh                            u:object_r:disable-contaminant-detection-sh_exec:s0
 
 # Vendor libraries
 /vendor/lib64/libdrm\.so                                                 u:object_r:same_process_hal_file:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index f0f09b2..3331ac0 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -2,6 +2,9 @@
 genfscon sysfs /devices/soc0/machine                                           u:object_r:sysfs_soc:s0
 genfscon sysfs /devices/soc0/revision                                          u:object_r:sysfs_soc:s0
 
+# disable contaminant detection
+genfscon sysfs /devices/platform/108d0000.hsi2c                                         u:object_r:sysfs_batteryinfo:s0
+
 # Battery
 genfscon sysfs /devices/platform/google,charger                                         u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-006e/chg_stats                  u:object_r:sysfs_pca:s0