msm8226-common: sepolicy: Import common sepolicy from 8974-common

* The bulk of the device family policy was common and applicable
  to all Samsung msm8974-devices. Move that common stuff here to
  ease maintenance.

* Also adjust it for msm8226 use case

Change-Id: I86516adfb1b9c55a6959a7faf4ee424a4b3385c8

BoardConfigCommon.mk

@@ -71,6 +71,9 @@ TARGET_QCOM_NO_FM_FIRMWARE := true
 # Fonts
 EXTENDED_FONT_FOOTPRINT := true
 
+# SELinux
+include device/samsung/msm8226-common/sepolicy/sepolicy.mk
+
 # Init
 TARGET_INIT_VENDOR_LIB := libinit_msm
 
@@ -103,10 +106,6 @@ ifeq ($(HOST_OS),linux)
   endif
 endif
 
-# SELinux
--include device/qcom/sepolicy/sepolicy.mk
-BOARD_SEPOLICY_DIRS += $(VENDOR_PATH)/sepolicy
-
 # Wifi
 BOARD_HAS_QCOM_WLAN              := true
 BOARD_HAS_QCOM_WLAN_SDK          := true

sepolicy/bluetooth.te

@@ -1 +0,0 @@
-allow bluetooth bluetooth_efs_file:file read;

sepolicy/common/bluetooth.te

@@ -0,0 +1,6 @@
+allow bluetooth bluetooth_device:chr_file rw_file_perms;
+allow bluetooth bt_fw_file:file r_file_perms;
+allow bluetooth firmware_file:dir r_dir_perms;
+allow bluetooth proc_bt_sleep:dir search;
+allow bluetooth proc_bt_sleep:file w_file_perms;
+allow bluetooth wifi_data_file:file r_file_perms;

sepolicy/common/cameraserver.te

@@ -0,0 +1,2 @@
+allow cameraserver camera_socket:sock_file w_file_perms;
+allow cameraserver vendor_file:file execmod;

sepolicy/common/device.te

@@ -1,2 +1,2 @@
-type io_device, dev_type;
+type bluetooth_device, dev_type;
 type efs_block_device, dev_type;

sepolicy/common/file.te

@@ -0,0 +1,11 @@
+type proc_bt_sleep, fs_type;
+
+type sysfs_camera, fs_type, sysfs_type;
+type sysfs_hal_pwr, fs_type, sysfs_type;
+type sysfs_mdnie, fs_type, sysfs_type;
+type sysfs_sec, fs_type, sysfs_type;
+type sysfs_wifi_writeable, fs_type, sysfs_type;
+
+type bt_fw_file, file_type;
+type nfc_fw_file, file_type;
+type wifi_efs_file, file_type;

sepolicy/common/file_contexts

@@ -0,0 +1,40 @@
+# block devices
+/dev/block/platform/msm_sdcc\.1/by-name/efs             u:object_r:efs_block_device:s0
+/dev/block/platform/msm_sdcc\.1/by-name/fota            u:object_r:misc_block_device:s0
+
+# data files
+/data/.cid.info                                         u:object_r:wifi_data_file:s0
+/data/.wifiver.info                                     u:object_r:wifi_data_file:s0
+
+# device nodes
+/dev/batch_io                                           u:object_r:sensors_device:s0
+/dev/bcm2079x                                           u:object_r:nfc_device:s0
+/dev/btlock                                             u:object_r:bluetooth_device:s0
+/dev/pn547                                              u:object_r:nfc_device:s0
+/dev/rfkill                                             u:object_r:wlan_device:s0
+/dev/sec-nfc                                            u:object_r:nfc_device:s0
+# this should be needed but it says it is already defined
+#/dev/keychord                                           u:object_r:keychord_device:s0
+
+# efs files
+/efs/bluetooth(/.*)?                                    u:object_r:bluetooth_efs_file:s0
+/efs/wifi(/.*)?                                         u:object_r:wifi_efs_file:s0
+
+# firmware
+/system/vendor/firmware/bcm(.*).hcd                     u:object_r:bt_fw_file:s0
+/system/vendor/firmware/bcm2079x(.*).ncd                u:object_r:nfc_fw_file:s0
+/system/vendor/firmware/libpn547_fw.so                  u:object_r:nfc_fw_file:s0
+
+# sockets
+/data/cam_socket3                                       u:object_r:camera_socket:s0
+
+# sysfs
+/sys/devices/battery.[0-9]+/power_supply/battery(/.*)?           u:object_r:sysfs_batteryinfo:s0
+/sys/module/dhd/parameters/firmware_path                         u:object_r:sysfs_wifi_writeable:s0
+/sys/module/dhd/parameters/nvram_path                            u:object_r:sysfs_wifi_writeable:s0
+/sys/devices/platform/bcm[0-9]+_bluetooth/rfkill/rfkill0/state   u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/virtual/camera(/.*)?                                u:object_r:sysfs_camera:s0
+/sys/devices/virtual/sec/sec_key/hall_irq_ctrl                   u:object_r:sysfs_sec:s0
+/sys/devices/.*bcl.*(/.*)?                                       u:object_r:sysfs_thermal:s0
+
+

sepolicy/common/fsck.te

@@ -0,0 +1,2 @@
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;

sepolicy/common/fsck_untrusted.te

@@ -0,0 +1,2 @@
+# /data/media
+allow fsck_untrusted media_rw_data_file:dir getattr;

sepolicy/common/genfs_contexts

@@ -0,0 +1 @@
+genfscon proc /bluetooth/sleep u:object_r:proc_bt_sleep:s0

sepolicy/common/hal_power_default.te

@@ -0,0 +1 @@
+allow hal_power_default sysfs_hal_pwr:file w_file_perms;

sepolicy/common/hal_wifi_default.te

@@ -0,0 +1,5 @@
+r_dir_file(hal_wifi_default, wifi_efs_file)
+
+allow hal_wifi_default efs_file:dir search;
+allow hal_wifi_default sysfs_wifi_writeable:file w_file_perms;
+allow hal_wifi_default wifi_data_file:file r_file_perms;

sepolicy/common/hal_wifi_supplicant_default.te

@@ -0,0 +1 @@
+allow hal_wifi_supplicant_default wlan_device:chr_file r_file_perms;

sepolicy/common/hostapd.te

@@ -0,0 +1 @@
+allow hostapd wlan_device:chr_file r_file_perms;

sepolicy/common/mediaextractor.te

@@ -0,0 +1,4 @@
+allow mediaextractor fuse:file r_file_perms;
+allow mediaextractor sdcard_posix:file r_file_perms;
+allow mediaextractor sdcardfs:file r_file_perms;
+allow mediaextractor vfat:file r_file_perms;

sepolicy/common/mediaprovider.te

@@ -0,0 +1,2 @@
+allow mediaprovider cache_private_backup_file:dir getattr;
+allow mediaprovider cache_recovery_file:dir r_dir_perms;

sepolicy/common/mediaserver.te

@@ -0,0 +1,7 @@
+allow mediaserver camera_socket:sock_file write;
+allow mediaserver hal_camera_hwservice:hwservice_manager find;
+allow mediaserver mm-qcamerad:unix_dgram_socket sendto;
+allow mediaserver sysfs_camera:dir search;
+allow mediaserver sysfs_camera:file r_file_perms;
+allow mediaserver thermal-engine:unix_stream_socket connectto;
+allow mediaserver vendor_file:file execmod;

sepolicy/common/mm-qcamerad.te

@@ -1,6 +1,10 @@
-allow mm-qcamerad media_rw_data_file:dir search;
+type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket3";
+
+#allow mm-qcamerad camera_socket:sock_file create_file_perms;
+
+# Allow mm-qcamera-daemon to create the socket camera_socket
+allow mm-qcamerad system_data_file:dir w_dir_perms;
+
 allow mm-qcamerad sysfs_camera:dir search;
 allow mm-qcamerad sysfs_camera:file rw_file_perms;
-allow mm-qcamerad system_data_file:dir w_dir_perms;
-allow mm-qcamerad system_file:file execmod;
-type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket3";
+allow mm-qcamerad vendor_file:file execmod;

sepolicy/common/mpdecision.te

@@ -0,0 +1,2 @@
+allow mpdecision mpctl_data_file:dir w_dir_perms;
+allow mpdecision mpctl_data_file:sock_file create_file_perms;

sepolicy/common/nfc.te

@@ -0,0 +1 @@
+allow nfc nfc_fw_file:file rx_file_perms;

sepolicy/common/priv_app.te

@@ -0,0 +1,5 @@
+get_prop(priv_app, camera_prop)
+get_prop(priv_app, qemu_hw_mainkeys_prop)
+
+allow priv_app device:dir r_dir_perms;
+allow priv_app proc_interrupts:file r_file_perms;

sepolicy/common/property_contexts

@@ -0,0 +1 @@
+service.camera.hdmi_preview                      u:object_r:camera_prop:s0

sepolicy/common/rild.te

@@ -0,0 +1,8 @@
+set_prop(rild, net_radio_prop)
+
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+allow rild radio_data_file:lnk_file read;
+
+allow rild proc_net:file w_file_perms;
+allow rild sysfs_sec:file rw_file_perms;

sepolicy/common/system_app.te

@@ -0,0 +1 @@
+allow system_app sysfs_mdnie:file rw_file_perms;

sepolicy/common/system_server.te

@@ -0,0 +1,13 @@
+get_prop(system_server, alarm_boot_prop)
+
+allow system_server efs_file:dir search;
+allow system_server efs_file:file r_file_perms;
+allow system_server mpctl_data_file:dir search;
+allow system_server mpctl_data_file:sock_file w_file_perms;
+allow system_server mpdecision:unix_stream_socket connectto;
+allow system_server qmuxd:unix_stream_socket connectto;
+allow system_server qmuxd_socket:dir w_dir_perms;
+allow system_server qmuxd_socket:sock_file { create setattr write };
+allow system_server qti_debugfs:file r_file_perms;
+allow system_server sensors_device:chr_file r_file_perms;
+allow system_server sysfs_mdnie:file rw_file_perms;

sepolicy/common/thermal-engine.te

@@ -0,0 +1,5 @@
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-send-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-passive-client";
+
+allow thermal-engine self:capability chown;

sepolicy/common/vold.te

@@ -0,0 +1,6 @@
+allow vold block_device:blk_file getattr;
+allow vold cache_block_device:blk_file getattr;
+allow vold efs_block_device:blk_file getattr;
+allow vold efs_file:dir rw_dir_perms;
+allow vold efs_file:file create;
+allow vold system_block_device:blk_file getattr;

sepolicy/file.te

@@ -1,6 +0,0 @@
-type sensors_efs_file, file_type;
-type sysfs_camera, fs_type, sysfs_type;
-type sysfs_display, fs_type, sysfs_type;
-type sysfs_vibeamp, fs_type, sysfs_type;
-type wifi_efs_file, file_type;
-type vcs_data_file, file_type, data_file_type;

sepolicy/file_contexts

@@ -1,39 +0,0 @@
-# Bluetooth
-/efs/bluetooth/bt_addr                                        u:object_r:bluetooth_efs_file:s0
-
-# Camera
-/data/cam_socket.*                                            u:object_r:camera_socket:s0
-/sys/devices/virtual/camera(/.*)?                             u:object_r:sysfs_camera:s0
-
-# CMHW
-/sys/devices/virtual/timed_output/vibrator(/.*)?              u:object_r:sysfs_vibeamp:s0
-/sys/class/sec/sec_touchkey/keypad_enable                     u:object_r:sysfs_display:s0
-
-# Display
-/sys/devices/fd922800.qcom,mdss_dsi/lcd/panel/power_reduce    u:object_r:sysfs_display:s0
-
-# EFS
-/dev/block/platform/msm_sdcc.1/by-name/efs                   u:object_r:efs_block_device:s0
-
-# Fingerprint
-/system/bin/vcsFPService                                u:object_r:vcs_exec:s0
-/data/validity(/.*)?                                    u:object_r:vcs_data_file:s0
-/dev/validity(/.*)?                                     u:object_r:vcs_device:s0
-/dev/vfsspi                                             u:object_r:vcs_device:s0
-
-# NFC
-/dev/pn547                                                    u:object_r:nfc_device:s0
-
-# Sensors
-/dev/alps_io                                                  u:object_r:io_device:s0
-/dev/iio:device0                                              u:object_r:io_device:s0
-/efs/FactoryApp/baro_delta                                    u:object_r:sensors_efs_file:s0
-/efs/gyro_cal_data                                            u:object_r:sensors_efs_file:s0
-/efs/prox_cal                                                 u:object_r:sensors_efs_file:s0
-
-# Thermal engine
-/system/bin/thermal-engine                                    u:object_r:thermal-engine_exec:s0
-
-# WiFi
-/data/.wifiver.info                                           u:object_r:wifi_data_file:s0
-/efs/wifi/.mac.info                                           u:object_r:wifi_efs_file:s0

sepolicy/fingerprintd.te

@@ -1 +0,0 @@
-allow fingerprintd system_app:unix_stream_socket { connectto read write setopt };

sepolicy/fsck.te

@@ -1 +0,0 @@
-allow fsck efs_block_device:blk_file rw_file_perms;

sepolicy/healthd.te

@@ -1,2 +0,0 @@
-allow healthd device:dir r_dir_perms;
-allow healthd rtc_device:chr_file rw_file_perms;

sepolicy/hostapd.te

@@ -1,2 +0,0 @@
-allow hostapd efs_file:dir search;
-allow hostapd wifi_data_file:sock_file write;

sepolicy/init.te

@@ -1 +0,0 @@
-allow init tmpfs:lnk_file create_file_perms;

sepolicy/kernel.te

@@ -1 +0,0 @@
-allow kernel block_device:blk_file rw_file_perms;

sepolicy/mediaserver.te

@@ -1,7 +0,0 @@
-allow mediaserver system_prop:property_service set;
-allow mediaserver shell_data_file:dir search;
-allow mediaserver socket_device:sock_file write;
-allow mediaserver sysfs_camera:dir search;
-allow mediaserver sysfs_camera:file { getattr open read };
-allow mediaserver system_file:file execmod;
-

sepolicy/platform_app.te

@@ -1 +0,0 @@
-allow platform_app time_daemon:unix_stream_socket connectto;

sepolicy/property.te

@@ -1 +0,0 @@
-type qseecomd_prop, property_type;

sepolicy/property_contexts

@@ -1,2 +0,0 @@
-persist.sys.camera.preview	u:object_r:camera_prop:s0
-sys.qseecomd.enable		u:object_r:qseecomd_prop:s0

sepolicy/qseecomd.te

@@ -1 +0,0 @@
-allow tee qseecomd_prop:property_service set;

sepolicy/rild.te

@@ -1,7 +0,0 @@
-allow rild proc_net:file rw_file_perms;
-allow rild self:capability { dac_override dac_read_search };
-allow rild radio_data_file:dir r_dir_perms;
-allow rild radio_data_file:file r_file_perms;
-allow rild radio_data_file:lnk_file r_file_perms;
-allow rild system_app_data_file:dir rw_dir_perms;
-allow rild system_app_data_file:file create_file_perms;

sepolicy/sepolicy.mk

@@ -0,0 +1,22 @@
+#
+# Copyright (C) 2018 The LineageOS Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include device/qcom/sepolicy/sepolicy.mk
+include device/qcom/sepolicy/legacy-sepolicy.mk
+
+# Board specific SELinux policy variable definitions
+BOARD_SEPOLICY_DIRS += \
+    device/samsung/msm8226-common/sepolicy/common

sepolicy/system_app.te

@@ -1,7 +0,0 @@
-# For com.validity.fingerprint
-allow system_app vcs:process signull;
-allow system_app vcs_data_file:dir r_dir_perms;
-allow system_app vcs_data_file:file r_file_perms;
-allow system_app vcs_device:dir r_dir_perms;
-allow system_app vcs_device:file r_file_perms;
-allow system_app vcs_device:fifo_file create_file_perms;

sepolicy/system_server.te

@@ -1,7 +0,0 @@
-allow system_server efs_file:dir search;
-allow system_server io_device:chr_file rw_file_perms;
-allow system_server sensors_efs_file:file r_file_perms;
-allow system_server sysfs_display:file rw_file_perms;;
-allow system_server sysfs_vibeamp:dir search;
-allow system_server sysfs_vibeamp:file rw_file_perms;
-allow system_server wifi_data_file:sock_file unlink;

sepolicy/tee.te

@@ -1,2 +0,0 @@
-allow tee vcs_data_file:dir create_dir_perms;
-allow tee vcs_data_file:file create_file_perms;

sepolicy/thermal-engine.te

@@ -1,3 +0,0 @@
-allow thermal-engine init:unix_stream_socket connectto;
-allow thermal-engine sysfs_battery_supply:dir search;
-allow thermal-engine sysfs_battery_supply:file { open read write };

sepolicy/ueventd.te

@@ -1,3 +0,0 @@
-allow ueventd sysfs_camera:file rw_file_perms;
-allow ueventd sysfs_vibeamp:file rw_file_perms;
-allow ueventd vcs_device:chr_file create_file_perms;

sepolicy/vcs.te

@@ -1,22 +0,0 @@
-type vcs, domain;
-type vcs_exec, exec_type, file_type;
-
-# vcs
-init_daemon_domain(vcs)
-binder_use(vcs)
-
-allow vcs system_app:process signull;
-
-allow vcs vcs_data_file:dir create_dir_perms;
-allow vcs vcs_data_file:file create_file_perms;
-
-allow vcs vcs_device:dir create_dir_perms;
-allow vcs vcs_device:file create_file_perms;
-allow vcs vcs_device:fifo_file create_file_perms;
-allow vcs vcs_device:chr_file create_file_perms;
-
-allow vcs tee_device:chr_file rw_file_perms;
-
-allow vcs firmware_file:dir r_dir_perms;
-allow vcs firmware_file:file r_file_perms;
-

sepolicy/vold.te

@@ -1,4 +0,0 @@
-allow vold efs_file:dir r_file_perms;
-allow vold persist_file:dir r_file_perms;
-allow vold firmware_file:dir search;
-allow vold firmware_file:file r_file_perms;

sepolicy/wcnss_service.te

@@ -1,2 +0,0 @@
-allow wcnss_service efs_file:dir search;
-allow wcnss_service wifi_efs_file:file { getattr open read };

sepolicy/wpa.te

@@ -1,3 +0,0 @@
-allow wpa efs_file:dir search;
-allow wpa wifi_efs_file:file r_file_perms;
-allow wpa wifi_data_file:sock_file rw_file_perms;