Move euiccpixel_app to vendor

Bug: 312143882
Test: make selinux_policy
Flag: EXEMPT sepolicy refactor
Change-Id: I0f6ac76860c90b8022a85cafb80350a708d278c1

legacy/zuma/vendor/device.te

@@ -11,7 +11,3 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type;
 type framebuffer_secure_heap_device, dmabuf_heap_device_type, dev_type;
 type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type;
-
-# SecureElement SPI device
-type st54spi_device, dev_type;
-

tracking_denials/keys.conf

@@ -10,5 +10,3 @@ ALL : device/google/zumapro-sepolicy/tracking_denials/certs/camera_fishfood.x509
 [@CAMERASERVICES]
 ALL : device/google/zumapro-sepolicy/tracking_denials/certs/com_google_android_apps_camera_services.x509.pem
 
-[@EUICCSUPPORTPIXEL]
-ALL : device/google/zumapro-sepolicy/tracking_denials/certs/EuiccSupportPixel.x509.pem

tracking_denials/mac_permissions.xml

@@ -33,7 +33,4 @@
     <signer signature="@CAMERASERVICES" >
       <seinfo value="CameraServices" />
     </signer>
-    <signer signature="@EUICCSUPPORTPIXEL" >
-        <seinfo value="EuiccSupportPixel" />
-    </signer>
 </policy>

tracking_denials/seapp_contexts

@@ -1,6 +1,3 @@
-# Domain for EuiccSupportPixel
-user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
-
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
 

vendor/device.te

@@ -1,4 +1,8 @@
+# Device types
 type lwis_device, dev_type;
 type tee_persist_block_device, dev_type;
 type tee_userdata_block_device, dev_type;
 type hw_jpg_device, dev_type, mlstrustedobject;
+
+# SecureElement SPI device
+type st54spi_device, dev_type;

vendor/euiccpixel_app.te

@@ -1,3 +1,4 @@
+# Euiccpixel_app
 type euiccpixel_app, domain;
 app_domain(euiccpixel_app)
 
@@ -18,4 +19,4 @@ userdebug_or_eng(`
 ')
 
 # b/265286368 framework UI rendering properties
-dontaudit euiccpixel_app default_prop:file { read };
+dontaudit euiccpixel_app default_prop:file { read };

vendor/keys.conf

@@ -0,0 +1,3 @@
+[@EUICCSUPPORTPIXEL]
+ALL : device/google/zumapro-sepolicy/vendor/certs/EuiccSupportPixel.x509.pem
+

vendor/mac_permissions.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <!-- google apps key -->
+    <signer signature="@EUICCSUPPORTPIXEL" >
+        <seinfo value="EuiccSupportPixel" />
+    </signer>
+</policy>

vendor/seapp_contexts

@@ -0,0 +1,3 @@
+# Domain for EuiccSupportPixel
+user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+