Add sepolicy bits needed for Treble
Credit for this patch goes to Vishal Bhoj <vishal.bhoj@linaro.org>
who basically was the original author and magician
who got things working.
I've only refactored and split up his changes to help
with the submissions.
Change-Id: Ie621f199ef3cdf53c3005b345a040d641060cc24
Signed-off-by: John Stultz <john.stultz@linaro.org>
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index d9658d3..a356e0b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -14,12 +14,16 @@
/dev/hi_vdec u:object_r:video_device:s0
/dev/hi_venc u:object_r:video_device:s0
+/dev/graphics/fb0 u:object_r:graphics_device:s0
# files in /vendor
/(vendor|system/vendor)/bin/uim u:object_r:hci_attach_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.hikey u:object_r:hal_bluetooth_hikey_exec:s0
/(vendor|system/vendor)/bin/nanoapp_cmd u:object_r:nanoapp_cmd_exec:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.hikey960\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.hikey\.so u:object_r:same_process_hal_file:s0
+
# /data
/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..b17dc7d
--- /dev/null
+++ b/sepolicy/hal_graphics_allocator_default.te
@@ -0,0 +1,2 @@
+allow hal_graphics_allocator_default graphics_device:dir search;
+allow hal_graphics_allocator_default graphics_device:chr_file { open read write ioctl map rw_file_perms};
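Review bot: The permission set at line 33 lists open, read, write, ioctl and map next to `rw_file_perms`, which (per the platform's global_macros, r_file_perms plus w_file_perms) already expands to those same permissions, so the explicit names add nothing and make it unclear which accesses the HAL was actually observed to need; `allow hal_graphics_allocator_default graphics_device:chr_file rw_file_perms;` is equivalent. A one-line comment above the rules naming the node they are for would also help later audits, e.g. `# gralloc opens the framebuffer node (/dev/graphics/fb0, labeled graphics_device in file_contexts)`. The missing space before `}` should be fixed while touching the line.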
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..d7715de
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,2 @@
+vndbinder_use(hal_graphics_composer_default)
+
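Review bot: The `vndbinder_use` grant at line 40 has no comment recording which vendor-side service the composer HAL reaches over /dev/vndbinder, so the next reviewer cannot tell whether the grant is still needed; a short note such as `# composer HAL talks to a vendor binder service — TODO(review): name the service it binds to` would keep the reason with the rule. The trailing empty line at 41 is a stray blank at end of file and can be dropped.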
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 16d3a3e..7f18b9b 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -4,3 +4,6 @@
allow init configfs:lnk_file { create unlink };
# for symlink /sdcard /mnt/sdcard
allow init tmpfs:lnk_file create;
+allow init configfs:lnk_file create;
+
+dontaudit init kernel:system module_request;
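Review bot: The new rule at line 50, `allow init configfs:lnk_file create;`, is already covered by the existing line 47 `allow init configfs:lnk_file { create unlink };` and can be removed. The `dontaudit` at line 52 only suppresses the audit message — the module_request is still denied — so it should say what triggers it, e.g. `# init triggers kernel module autoload (module_request); silence the denial, the request is still refused`, and if module loading is actually required on this board it needs an allow rule rather than a dontaudit.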
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
deleted file mode 100644
index f53f2b4..0000000
--- a/sepolicy/surfaceflinger.te
+++ /dev/null
@@ -1 +0,0 @@
-hal_server_domain(surfaceflinger, hal_graphics_allocator)
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..335bfe3
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,5 @@
+# TODO(b/73123675): BatterySaver needs access to cpufreq. Remove this access
+# once cpufreq functionality is hidden behind a HAL.
+allow system_server sysfs_devices_system_cpu:file w_file_perms;
+
+dontaudit system_server self:capability sys_module;
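Review bot: The `dontaudit system_server self:capability sys_module;` at line 70 hides an attempted CAP_SYS_MODULE use by the most privileged system domain without saying what provokes it; a comment such as `# system_server probes sys_module on this board — TODO(review): record the caller so the dontaudit can be revisited` should accompany it, since suppressed denials are easy to lose track of. The write grant at line 68 covers every file carrying sysfs_devices_system_cpu, not just the cpufreq tunables the TODO mentions; if the platform's private policy already carries this exact rule for b/73123675 (it appears to be copied from there), the device copy is redundant and can be dropped.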
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
deleted file mode 100644
index 733a112..0000000
--- a/sepolicy/vendor_init.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow vendor_init {
- hostapd_socket
- wifi_data_file
-}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
diff --git a/ueventd.common.rc b/ueventd.common.rc
index b76dd4c..ff82f70 100644
--- a/ueventd.common.rc
+++ b/ueventd.common.rc
@@ -11,6 +11,8 @@
/dev/hifi_misc 0666 system audio
/dev/hi_vdec 0660 system camera
/dev/hi_venc 0660 system camera
+/dev/ion 0666 system graphics
+/dev/graphics/fb0 0666 system graphics
/sys/devices/platform/ddr_devfreq/devfreq/ddr_devfreq min_freq 0644 system system
/sys/devices/platform/e82c0000.mali/devfreq/e82c0000.mali min_freq 0644 system system
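Review bot: Both new device nodes at lines 89–90 are created 0666, world-readable and world-writable, which is looser than the neighbouring /dev/hi_vdec and /dev/hi_venc entries (0660) and leaves SELinux as the only barrier between an arbitrary app UID and the framebuffer. Owner and group are already system/graphics, so `/dev/graphics/fb0 0660 system graphics` should suffice if only surfaceflinger and the graphics HALs (running as those ids) open it — worth confirming on the board. /dev/ion may legitimately need a wider mode because the in-process gralloc opens it from app processes; if so, a comment saying that is the reason would stop the next reader from tightening it. A blank context line between the /dev and /sys entries appears to have been dropped in extraction, so this hunk likely ends at the mali line.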