msm8976-common: Initial SELinux updates

* Drop domain_deprecated
* Use proper device block paths as
  symlinks are no longer working.

sepolicy/file.te

@@ -1,4 +1,6 @@
 type app_efs_file, file_type;
 type biometrics_data_file, file_type, data_file_type;
+type debugfs_rmt, debugfs_type, fs_type;
 type wifi_efs_file, file_type;
 type sysfs_mdnie, fs_type, sysfs_type;
+type sysfs_sec_key, fs_type, sysfs_type;

sepolicy/file_contexts

@@ -1,25 +1,31 @@
 # Cache
-/dev/block/bootdevice/by-name/cache          u:object_r:cache_block_device:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/cache         u:object_r:cache_block_device:s0
+
+# Debug
+/sys/kernel/debug/rmt_storage(/.*)?                             u:object_r:debugfs_rmt:s0
 
 # EFS
-/dev/block/bootdevice/by-name/efs            u:object_r:efs_block_device:s0
-/efs/bluetooth(/.*)?                         u:object_r:bluetooth_efs_file:s0
-/efs/FactoryApp(/.*)?                        u:object_r:app_efs_file:s0
-/efs/wifi(/.*)?                              u:object_r:wifi_efs_file:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/efs           u:object_r:efs_block_device:s0
+/efs/bluetooth(/.*)?                                            u:object_r:bluetooth_efs_file:s0
+/efs/FactoryApp(/.*)?                                           u:object_r:app_efs_file:s0
+/efs/wifi(/.*)?                                                 u:object_r:wifi_efs_file:s0
 
 # FRP
-/dev/block/bootdevice/by-name/persistent     u:object_r:frp_block_device:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/persistent    u:object_r:frp_block_device:s0
 
 # Fingerprint
-/dev/vfsspi                                  u:object_r:vfsspi_device:s0
-/data/biometrics(/.*)?                       u:object_r:biometrics_data_file:s0
+/dev/vfsspi                                                     u:object_r:vfsspi_device:s0
+/data/biometrics(/.*)?                                          u:object_r:biometrics_data_file:s0
 
 # mDNIe
-/sys/devices/virtual/mdnie/mdnie/mode        u:object_r:sysfs_mdnie:s0
-/sys/devices/virtual/mdnie/mdnie/scenario    u:object_r:sysfs_mdnie:s0
+/sys/devices/virtual/mdnie/mdnie/mode                           u:object_r:sysfs_mdnie:s0
+/sys/devices/virtual/mdnie/mdnie/scenario                       u:object_r:sysfs_mdnie:s0
+
+# SEC
+/sys/devices/virtual/sec/sec_key(/.*)?                          u:object_r:sysfs_sec_key:s0
 
 # TimeKeep
-/system/bin/timekeep                         u:object_r:timekeep_exec:s0
+/system/bin/timekeep                                            u:object_r:timekeep_exec:s0
 
 # Uncrypt
-/dev/block/bootdevice/by-name/fota           u:object_r:misc_block_device:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/fota          u:object_r:misc_block_device:s0

sepolicy/fingerprintd.te

@@ -1,10 +0,0 @@
-allow fingerprintd tee_device:chr_file rw_file_perms;
-allow fingerprintd vfsspi_device:chr_file rw_file_perms;
-
-allow fingerprintd firmware_file:dir search;
-allow fingerprintd firmware_file:file r_file_perms;
-
-type_transition fingerprintd system_data_file:{ dir file } biometrics_data_file;
-allow fingerprintd system_data_file:dir { add_name write };
-allow fingerprintd biometrics_data_file:dir create_dir_perms;
-allow fingerprintd biometrics_data_file:file create_file_perms;

sepolicy/hal_fingerprint_default.te

@@ -0,0 +1,9 @@
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default vfsspi_device:chr_file rw_file_perms;
+
+type_transition hal_fingerprint_default system_data_file:{ dir file } biometrics_data_file;
+allow hal_fingerprint_default system_data_file:dir { add_name write };
+allow hal_fingerprint_default biometrics_data_file:dir create_dir_perms;
+allow hal_fingerprint_default biometrics_data_file:file create_file_perms;
+
+r_dir_file(hal_fingerprint_default, firmware_file)

sepolicy/hal_graphics_allocator_default.te

@@ -0,0 +1 @@
+allow hal_graphics_allocator_default sysfs_graphics:file r_file_perms;

sepolicy/hal_wifi_default.te

@@ -0,0 +1,3 @@
+r_dir_file(hal_wifi_default, efs_file)
+r_dir_file(hal_wifi_default, firmware_file)
+r_dir_file(hal_wifi_default, wifi_efs_file)

sepolicy/kernel.te

@@ -0,0 +1 @@
+r_dir_file(kernel, sysfs_sec_key)

sepolicy/mm-qcamerad.te

@@ -0,0 +1 @@
+allow mm-qcamerad camera_data_file:sock_file { create unlink };

sepolicy/netd.te

@@ -1,3 +0,0 @@
-r_dir_file(netd, efs_file)
-r_dir_file(netd, wifi_efs_file)
-r_dir_file(netd, firmware_file)

sepolicy/peripheral_manager.te

@@ -0,0 +1,4 @@
+binder_use(per_mgr)
+binder_service(per_mgr)
+
+allow per_mgr binder_per_mgr_service:service_manager { add find };

sepolicy/qseeproxy.te

@@ -0,0 +1,4 @@
+binder_use(qseeproxy)
+binder_service(qseeproxy)
+
+allow qseeproxy binder_qseeproxy_service:service_manager add;

sepolicy/rmt_storage.te

@@ -1,3 +1,6 @@
+allow rmt_storage debugfs_rmt:dir search;
+allow rmt_storage debugfs_rmt:file rw_file_perms;
+
 allow rmt_storage self:capability net_raw;
 
 set_prop(rmt_storage, rmt_storage_prop)

sepolicy/service.te

@@ -0,0 +1,2 @@
+type binder_per_mgr_service, service_manager_type;
+type binder_qseeproxy_service, service_manager_type;

sepolicy/service_contexts

@@ -0,0 +1,2 @@
+com.qualcomm.qti.qseeproxy                     u:object_r:binder_qseeproxy_service:s0
+vendor.qcom.PeripheralManager                  u:object_r:binder_per_mgr_service:s0

sepolicy/system_server.te

@@ -1,3 +1,5 @@
+allow system_server binder_per_mgr_service:service_manager find;
+
 allow system_server efs_file:dir search;
 
 allow system_server sysfs_mdnie:file rw_file_perms;

sepolicy/thermal-engine.te

@@ -0,0 +1 @@
+type_transition thermal-engine socket_device:sock_file thermal_socket;

sepolicy/timekeep.te

@@ -1,4 +1,4 @@
-type timekeep, domain, domain_deprecated;
+type timekeep, domain;
 type timekeep_exec, exec_type, file_type;
 
 # Started by init