From 25e027d85e06a1a5694f5e08bda9cf2c4b53bf21 Mon Sep 17 00:00:00 2001
From: LuK1337
Date: Wed, 20 Sep 2017 13:54:48 +0200
Subject: [PATCH] msm8976-common: Initial SELinux updates

* Drop domain_deprecated
* Use proper device block paths as symlinks are no longer working.
---
 sepolicy/file.te | 2 ++
 sepolicy/file_contexts | 30 +++++++++++++---------
 sepolicy/fingerprintd.te | 10 --------
 sepolicy/hal_fingerprint_default.te | 9 +++++++
 sepolicy/hal_graphics_allocator_default.te | 1 +
 sepolicy/hal_wifi_default.te | 3 +++
 sepolicy/kernel.te | 1 +
 sepolicy/mm-qcamerad.te | 1 +
 sepolicy/netd.te | 3 ---
 sepolicy/peripheral_manager.te | 4 +++
 sepolicy/qseeproxy.te | 4 +++
 sepolicy/rmt_storage.te | 3 +++
 sepolicy/service.te | 2 ++
 sepolicy/service_contexts | 2 ++
 sepolicy/system_server.te | 2 ++
 sepolicy/thermal-engine.te | 1 +
 sepolicy/timekeep.te | 2 +-
 17 files changed, 54 insertions(+), 26 deletions(-)
 delete mode 100644 sepolicy/fingerprintd.te
 create mode 100644 sepolicy/hal_fingerprint_default.te
 create mode 100644 sepolicy/hal_graphics_allocator_default.te
 create mode 100644 sepolicy/hal_wifi_default.te
 create mode 100644 sepolicy/kernel.te
 create mode 100644 sepolicy/mm-qcamerad.te
 delete mode 100644 sepolicy/netd.te
 create mode 100644 sepolicy/peripheral_manager.te
 create mode 100644 sepolicy/qseeproxy.te
 create mode 100644 sepolicy/service.te
 create mode 100644 sepolicy/service_contexts
 create mode 100644 sepolicy/thermal-engine.te

diff --git a/sepolicy/file.te b/sepolicy/file.te
index 5a9d5c1..3948bb2 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,4 +1,6 @@
 type app_efs_file, file_type;
 type biometrics_data_file, file_type, data_file_type;
+type debugfs_rmt, debugfs_type, fs_type;
 type wifi_efs_file, file_type;
 type sysfs_mdnie, fs_type, sysfs_type;
+type sysfs_sec_key, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index f7fbd12..35f2bd4 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,25 +1,31 @@
 # Cache
-/dev/block/bootdevice/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/cache u:object_r:cache_block_device:s0
+
+# Debug
+/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt:s0
 
 # EFS
-/dev/block/bootdevice/by-name/efs u:object_r:efs_block_device:s0
-/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
-/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
-/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/efs u:object_r:efs_block_device:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
+/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
 
 # FRP
-/dev/block/bootdevice/by-name/persistent u:object_r:frp_block_device:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/persistent u:object_r:frp_block_device:s0
 
 # Fingerprint
-/dev/vfsspi u:object_r:vfsspi_device:s0
-/data/biometrics(/.*)? u:object_r:biometrics_data_file:s0
+/dev/vfsspi u:object_r:vfsspi_device:s0
+/data/biometrics(/.*)? u:object_r:biometrics_data_file:s0
 
 # mDNIe
-/sys/devices/virtual/mdnie/mdnie/mode u:object_r:sysfs_mdnie:s0
-/sys/devices/virtual/mdnie/mdnie/scenario u:object_r:sysfs_mdnie:s0
+/sys/devices/virtual/mdnie/mdnie/mode u:object_r:sysfs_mdnie:s0
+/sys/devices/virtual/mdnie/mdnie/scenario u:object_r:sysfs_mdnie:s0
+
+# SEC
+/sys/devices/virtual/sec/sec_key(/.*)? u:object_r:sysfs_sec_key:s0
 
 # TimeKeep
-/system/bin/timekeep u:object_r:timekeep_exec:s0
+/system/bin/timekeep u:object_r:timekeep_exec:s0
 
 # Uncrypt
-/dev/block/bootdevice/by-name/fota u:object_r:misc_block_device:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/fota u:object_r:misc_block_device:s0
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
deleted file mode 100644
index 671c097..0000000
--- a/sepolicy/fingerprintd.te
+++ /dev/null
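Review bot: The new `/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt:s0` entry only takes effect if something relabels debugfs at boot (a `restorecon_recursive /sys/kernel/debug` in an init rc file), because debugfs is otherwise labeled through `genfs_contexts`; if this tree relies on genfscon for debugfs, the entry belongs there as `genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0`, otherwise `rmt_storage` will keep being denied against the generic debugfs label rather than `debugfs_rmt`. The rest of the hunk removes and re-adds the `/efs/...`, `/dev/vfsspi`, mdnie and `/system/bin/timekeep` lines with identical content, which looks like column realignment; keeping that whitespace churn out of the block-device path change would make the functional part of the diff much easier to audit. It is also worth confirming on a device that the four `/dev/block/platform/soc\.0/7824900\.sdhci/by-name/` targets are exactly the nodes the old `bootdevice` symlinks resolved to, since a partition that no longer matches any entry silently falls back to the generic block-device label.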
@@ -1,10 +0,0 @@
-allow fingerprintd tee_device:chr_file rw_file_perms;
-allow fingerprintd vfsspi_device:chr_file rw_file_perms;
-
-allow fingerprintd firmware_file:dir search;
-allow fingerprintd firmware_file:file r_file_perms;
-
-type_transition fingerprintd system_data_file:{ dir file } biometrics_data_file;
-allow fingerprintd system_data_file:dir { add_name write };
-allow fingerprintd biometrics_data_file:dir create_dir_perms;
-allow fingerprintd biometrics_data_file:file create_file_perms;
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
new file mode 100644
index 0000000..9625b12
--- /dev/null
+++ b/sepolicy/hal_fingerprint_default.te
@@ -0,0 +1,9 @@
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default vfsspi_device:chr_file rw_file_perms;
+
+type_transition hal_fingerprint_default system_data_file:{ dir file } biometrics_data_file;
+allow hal_fingerprint_default system_data_file:dir { add_name write };
+allow hal_fingerprint_default biometrics_data_file:dir create_dir_perms;
+allow hal_fingerprint_default biometrics_data_file:file create_file_perms;
+
+r_dir_file(hal_fingerprint_default, firmware_file)
diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..3ba4b55
--- /dev/null
+++ b/sepolicy/hal_graphics_allocator_default.te
@@ -0,0 +1 @@
+allow hal_graphics_allocator_default sysfs_graphics:file r_file_perms;
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
new file mode 100644
index 0000000..9d07ac4
--- /dev/null
+++ b/sepolicy/hal_wifi_default.te
@@ -0,0 +1,3 @@
+r_dir_file(hal_wifi_default, efs_file)
+r_dir_file(hal_wifi_default, firmware_file)
+r_dir_file(hal_wifi_default, wifi_efs_file)
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..1e3b953
--- /dev/null
+++ b/sepolicy/kernel.te
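Review bot: `allow hal_fingerprint_default system_data_file:dir { add_name write };` lets the fingerprint HAL create entries in any directory labeled `system_data_file`, not only the parent of the `/data/biometrics` tree, and on a Treble tree where `hal_fingerprint_default` is a vendor domain this is likely to collide with the platform neverallow on vendor domains writing `system_data_file` at policy compile time. A tighter shape is to have init create the biometrics directory with its `biometrics_data_file` context in the rc file and drop the `type_transition` and both `system_data_file` rules, keeping only the `biometrics_data_file` grants. The rules are also attached to the `hal_fingerprint_default` domain rather than the `hal_fingerprint` attribute, so any other fingerprint HAL implementation in this tree would not inherit them; `hal_fingerprint` is the usual subject for rules every implementation needs. A one-line comment above the `tee_device` rule stating why the HAL talks to the TEE node directly, such as `# Sensor matching runs in the TEE applet; the HAL only proxies frames`, would help the next reviewer, if that is in fact the reason.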
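Review bot: `r_dir_file(hal_wifi_default, efs_file)` on the first line grants read on every file still labeled `efs_file`, which is broader than the `wifi_efs_file` grant two lines below suggests is needed; if the HAL only has to traverse `/efs` to reach `/efs/wifi`, `allow hal_wifi_default efs_file:dir search;` is enough and keeps any other `efs_file`-labeled contents out of reach. These three macros are the same ones deleted from `netd.te` later in the patch, which suggests the grant was carried over from the old caller rather than derived from the HAL's own denials, so re-checking them against the audit log would be worthwhile. If the wider read really is required, a comment naming the file the HAL reads would settle the question for future readers.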
@@ -0,0 +1 @@
+r_dir_file(kernel, sysfs_sec_key)
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
new file mode 100644
index 0000000..2deee18
--- /dev/null
+++ b/sepolicy/mm-qcamerad.te
@@ -0,0 +1 @@
+allow mm-qcamerad camera_data_file:sock_file { create unlink };
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
deleted file mode 100644
index f6acfe8..0000000
--- a/sepolicy/netd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-r_dir_file(netd, efs_file)
-r_dir_file(netd, wifi_efs_file)
-r_dir_file(netd, firmware_file)
diff --git a/sepolicy/peripheral_manager.te b/sepolicy/peripheral_manager.te
new file mode 100644
index 0000000..8ebfd40
--- /dev/null
+++ b/sepolicy/peripheral_manager.te
@@ -0,0 +1,4 @@
+binder_use(per_mgr)
+binder_service(per_mgr)
+
+allow per_mgr binder_per_mgr_service:service_manager { add find };
diff --git a/sepolicy/qseeproxy.te b/sepolicy/qseeproxy.te
new file mode 100644
index 0000000..fa315d1
--- /dev/null
+++ b/sepolicy/qseeproxy.te
@@ -0,0 +1,4 @@
+binder_use(qseeproxy)
+binder_service(qseeproxy)
+
+allow qseeproxy binder_qseeproxy_service:service_manager add;
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
index 2fc2dac..6bb28f0 100644
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@@ -1,3 +1,6 @@
+allow rmt_storage debugfs_rmt:dir search;
+allow rmt_storage debugfs_rmt:file rw_file_perms;
+
 allow rmt_storage self:capability net_raw;
 
 set_prop(rmt_storage, rmt_storage_prop)
diff --git a/sepolicy/service.te b/sepolicy/service.te
new file mode 100644
index 0000000..e4d5cfe
--- /dev/null
+++ b/sepolicy/service.te
@@ -0,0 +1,2 @@
+type binder_per_mgr_service, service_manager_type;
+type binder_qseeproxy_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..d4ee735
--- /dev/null
+++ b/sepolicy/service_contexts
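Review bot: `r_dir_file(kernel, sysfs_sec_key)` grants the `kernel` domain itself, which normally only covers kernel threads and the pre-init stage, and a denial attributed to it often really comes from a userspace process that was not yet transitioned into its own domain. The file has no comment saying which access produced the denial; a line such as `# sec_key sysfs node is read from kernel context before init relabels /sys` (with the actual trigger) would let a later reviewer judge whether the grant still belongs on `kernel` rather than on the daemon that consumes the node.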
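Review bot: `allow rmt_storage debugfs_rmt:file rw_file_perms;` gives a long-running daemon write access to a debugfs node, and debugfs is typically compiled out or locked down on user builds while AOSP's neverallow coverage of `debugfs_type` has tightened across releases; if the daemon only needs the node for diagnostics, gating both new rules in `userdebug_or_eng(`...')` avoids carrying a write grant that production builds should not need, and if it only reads, `r_file_perms` is sufficient. The grant also assumes the `debugfs_rmt` label actually lands on `/sys/kernel/debug/rmt_storage`, which depends on how debugfs is labeled in this tree (file_contexts only applies if init relabels that path). The enclosing file continues outside the hunk with `set_prop(rmt_storage, rmt_storage_prop)`.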
@@ -0,0 +1,2 @@
+com.qualcomm.qti.qseeproxy u:object_r:binder_qseeproxy_service:s0
+vendor.qcom.PeripheralManager u:object_r:binder_per_mgr_service:s0
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 11212b2..dd3379b 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,3 +1,5 @@
+allow system_server binder_per_mgr_service:service_manager find;
+
 allow system_server efs_file:dir search;
 
 allow system_server sysfs_mdnie:file rw_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
new file mode 100644
index 0000000..90b9ff9
--- /dev/null
+++ b/sepolicy/thermal-engine.te
@@ -0,0 +1 @@
+type_transition thermal-engine socket_device:sock_file thermal_socket;
diff --git a/sepolicy/timekeep.te b/sepolicy/timekeep.te
index a7c39d8..b6fef7b 100644
--- a/sepolicy/timekeep.te
+++ b/sepolicy/timekeep.te
@@ -1,4 +1,4 @@
-type timekeep, domain, domain_deprecated;
+type timekeep, domain;
 type timekeep_exec, exec_type, file_type;
 
 # Started by init