Initial Hikey device configuration
Signed-off-by: Vishal Bhoj <vishal.bhoj@linaro.org>
Change-Id: I2697a8e4aec4991826f7351fd7f41eba324a6869
diff --git a/sepolicy/debuggerd.te b/sepolicy/debuggerd.te
new file mode 100644
index 0000000..308d1b1
--- /dev/null
+++ b/sepolicy/debuggerd.te
@@ -0,0 +1 @@
+allow debuggerd kernel:system module_request;
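Review bot: `allow debuggerd kernel:system module_request;` lets debuggerd ask the kernel to autoload a module, and the same grant is repeated for dex2oat, drmserver, init, netd, shell and zygote in this commit with no comment on which module is wanted. Denials like this usually come from the kernel probing for an optional module during a socket or filesystem operation. If that is the case here, `dontaudit debuggerd kernel:system module_request;` (or building the feature into the kernel) quiets the log without widening what each domain can trigger. If the grant is really needed, a comment naming the module would let it be re-checked later.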
diff --git a/sepolicy/dex2oat.te b/sepolicy/dex2oat.te
new file mode 100644
index 0000000..c6e8e73
--- /dev/null
+++ b/sepolicy/dex2oat.te
@@ -0,0 +1 @@
+allow dex2oat kernel:system module_request;
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
new file mode 100644
index 0000000..b98b158
--- /dev/null
+++ b/sepolicy/drmserver.te
@@ -0,0 +1 @@
+allow drmserver kernel:system module_request;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..45c5117
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1 @@
+type configfs, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..19ea0d4
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,8 @@
+/data/linaro-android-kernel-test(/.*)? u:object_r:shell_data_file:s0
+/data/linaro-android-userspace-test(/.*)? u:object_r:shell_data_file:s0
+/data/nativebenchmark(/.*)? u:object_r:shell_data_file:s0
+/dev/ttyAMA0 u:object_r:console_device:s0
+/dev/ttyAMA3 u:object_r:console_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/dri/card0 u:object_r:gpu_device:s0
+/dev/hci_tty u:object_r:hci_attach_dev:s0
diff --git a/sepolicy/gatord.te b/sepolicy/gatord.te
new file mode 100644
index 0000000..2943a9b
--- /dev/null
+++ b/sepolicy/gatord.te
@@ -0,0 +1,3 @@
+type gatord, domain, mlstrustedsubject;
+
+permissive gatord;
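Review bot: `permissive gatord;` is unconditional, so on every build variant SELinux only logs denials for the gatord domain and does not enforce them. The netd.te rules in this commit suggest gatord owns TCP sockets, which makes an unenforced domain more of a concern. Put the line inside the `userdebug_or_eng` macro the way init.te guards its su rule, or give gatord an enforcing rule set. `mlstrustedsubject` also exempts the domain from MLS constraints and needs a comment saying why. No exec type or domain-entry rule appears in this file, so how the process enters the domain cannot be checked from this hunk.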
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..50c7cd7
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon configfs / u:object_r:configfs:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..a8cca76
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,7 @@
+userdebug_or_eng(`
+ allow init su:process { transition dyntransition rlimitinh siginh };
+')
+allow init self:capability { sys_module };
+allow init self:tcp_socket create;
+allow init gatord:process { transition rlimitinh siginh };
+allow init kernel:system module_request;
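Review bot: `allow init self:capability { sys_module };` and `allow init self:tcp_socket create;` sit outside the `userdebug_or_eng` guard used for the su rule just above, so they apply to user builds too, and nothing says what needs them. sys_module lets init load kernel modules directly, and creating a TCP socket is unusual for init. A comment naming the init.rc step behind each rule (presumably an insmod line for the first) would let a reviewer judge whether it can be dropped or moved to a dedicated domain. The gatord transition on the following line pairs with the permissive gatord domain and may belong under the same debug-only guard.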
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..9be9fd4
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1 @@
+allow kernel shell_data_file:file { read write };
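Review bot: `allow kernel shell_data_file:file { read write };` gives the kernel domain read/write access to files the adb shell user can create and modify, with no comment on the use case. It presumably serves the Linaro test directories that file_contexts labels `shell_data_file` in this commit. If so, a dedicated type for those directories would keep the kernel rule from also covering every other file that carries the shell label.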
diff --git a/sepolicy/logd.te b/sepolicy/logd.te
new file mode 100644
index 0000000..a99d8bd
--- /dev/null
+++ b/sepolicy/logd.te
@@ -0,0 +1,2 @@
+allow logd property_socket:sock_file write;
+allow logd init:unix_stream_socket connectto;
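Review bot: These two rules let logd connect to init's property socket, but this commit grants logd no `property_service set` permission on any property type, so it is unclear which denial they answer. Add a comment stating which property logd is expected to set. The pair can also be written with the standard macro, `unix_socket_connect(logd, property, init)`, which expands to the same two allows and makes the intent readable.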
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..72acfbb
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver debug_prop:property_service set;
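Review bot: `allow mediaserver debug_prop:property_service set;` is granted on all build variants, and the same rule is added for netd and surfaceflinger in this commit. It lets services that parse untrusted input write debug properties, and no comment says which property is set or why. If it only supports bring-up debugging, wrap each rule in the `userdebug_or_eng` macro; otherwise document the property each service needs.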
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..42717f5
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,5 @@
+allow netd usermodehelper:file r_file_perms;
+allow netd debug_prop:property_service set;
+allow netd kernel:system module_request;
+allow netd gatord:fd use;
+allow netd gatord:tcp_socket rw_socket_perms;
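Review bot: `allow netd gatord:fd use;` and `allow netd gatord:tcp_socket rw_socket_perms;` let netd read and write sockets owned by the profiling daemon, and the hunk has no comment explaining the data path. If the denials come from descriptors inherited by a netd child rather than from real use, `dontaudit netd gatord:tcp_socket rw_socket_perms;` would be the tighter answer. Otherwise document which gatord feature needs netd on its sockets and consider limiting the rules to debug builds along with the gatord domain itself. The `usermodehelper` read on the first line needs the same kind of comment.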
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644
index 0000000..f62b97a
--- /dev/null
+++ b/sepolicy/shell.te
@@ -0,0 +1,16 @@
+allow shell serial_device:chr_file rw_file_perms;
+
+# allow to use ndc command to enable dns work
+allow shell netd_socket:sock_file write;
+
+# hack for running netcfg eth0 dhcp/ifconfig/ping on console session
+allow shell self:packet_socket create_socket_perms;
+allow shell system_prop:property_service set;
+
+# hack for running start adbd/stop adbd on console session
+allow shell ctl_default_prop:property_service set;
+
+# hack for reading the mkshrc file after lava modified
+allow shell unlabeled:file r_file_perms;
+
+allow shell kernel:system module_request;
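Review bot: The rules under the three `# hack` comments apply on every build variant, so on a user build an adb shell can create packet sockets, set `system_prop` and `ctl_default_prop` properties, and read `unlabeled` files. Setting `ctl_default_prop` lets the shell start and stop init services, not just adbd, and `unlabeled:file` covers any file whose label failed to load, not just mkshrc. Move these four allows inside the `userdebug_or_eng` macro already used in sepolicy/init.te. For the mkshrc case, adding a file_contexts entry for that file would remove the need for the unlabeled rule.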
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..1d54ead
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,3 @@
+allow surfaceflinger self:process execmem;
+allow surfaceflinger debug_prop:property_service set;
+allow surfaceflinger ashmem_device:chr_file execute;
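Review bot: `allow surfaceflinger self:process execmem;` and `allow surfaceflinger ashmem_device:chr_file execute;` let surfaceflinger map anonymous and ashmem-backed memory as executable, which weakens W^X in a process that handles buffers from every app. Nothing in the hunk says what needs them; if it is the GPU userspace driver generating code at runtime (an assumption), state that in a comment such as `# required by the GPU driver's runtime shader compiler` so the rules can be removed when the driver changes. The ashmem execute rule is the broader of the two and should be checked for whether execmem alone is sufficient.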
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..04fc7d3
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote kernel:system module_request;