msm8976-common: Make it enforcing :3

BoardConfigCommon.mk

@@ -50,7 +50,6 @@ TARGET_NO_BOOTLOADER := true
 # Kernel
 BOARD_KERNEL_BASE := 0x80000000
 BOARD_KERNEL_CMDLINE := console=null androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
 BOARD_KERNEL_IMAGE_NAME := Image.gz
 BOARD_KERNEL_PAGESIZE := 2048
 BOARD_KERNEL_SEPARATED_DT := true

rootdir/etc/init.qcom.rc

@@ -1534,6 +1534,7 @@ service hci_filter_root /system/bin/wcnss_filter
 service config_bluetooth /system/bin/sh /system/etc/init.qcom.bt.sh "onboot"
     class core
     user root
+    seclabel u:r:bluetooth_loader:s0
     oneshot
 
 service hciattach /system/bin/sh /system/etc/init.qcom.bt.sh
@@ -1541,6 +1542,7 @@ service hciattach /system/bin/sh /system/etc/init.qcom.bt.sh
     user bluetooth
     group bluetooth net_bt_admin
     disabled
+    seclabel u:r:bluetooth_loader:s0
     oneshot
 
 on property:bluetooth.hciattach=true

sepolicy/device.te

@@ -0,0 +1 @@
+type efs_block_device, dev_type;

sepolicy/file.te

@@ -0,0 +1,2 @@
+type app_efs_file, file_type;
+type sysfs_mdnie, fs_type, sysfs_type;

sepolicy/file_contexts

@@ -1 +1,17 @@
-/system/bin/timekeep                     u:object_r:timekeep_exec:s0
+# Cache
+/dev/block/bootdevice/by-name/cache          u:object_r:cache_block_device:s0
+
+# EFS
+/dev/block/bootdevice/by-name/efs            u:object_r:efs_block_device:s0
+/efs/bluetooth(/.*)?                         u:object_r:bluetooth_efs_file:s0
+/efs/FactoryApp(/.*)?                        u:object_r:app_efs_file:s0
+
+# FRP
+/dev/block/bootdevice/by-name/persistent     u:object_r:frp_block_device:s0
+
+# mDNIe
+/sys/devices/virtual/mdnie/mdnie/mode        u:object_r:sysfs_mdnie:s0
+/sys/devices/virtual/mdnie/mdnie/scenario    u:object_r:sysfs_mdnie:s0
+
+# TimeKeep
+/system/bin/timekeep                         u:object_r:timekeep_exec:s0

sepolicy/fsck.te

@@ -0,0 +1 @@
+allow fsck efs_block_device:blk_file rw_file_perms;

sepolicy/netd.te

@@ -0,0 +1,2 @@
+r_dir_file(netd, efs_file)
+r_dir_file(netd, firmware_file)

sepolicy/perm_mgr.te

@@ -0,0 +1 @@
+allow per_mgr self:capability net_raw;

sepolicy/property.te

@@ -1 +1,2 @@
 type timekeep_prop, property_type;
+type rmt_storage_prop, property_type;

sepolicy/property_contexts

@@ -1 +1,3 @@
-persist.sys.timeadjust     u:object_r:timekeep_prop:s0
+persist.sys.timeadjust         u:object_r:timekeep_prop:s0
+service.camera.hdmi_preview    u:object_r:camera_prop:s0
+storage.efs_sync.done          u:object_r:rmt_storage_prop:s0

sepolicy/rmt_storage.te

@@ -0,0 +1 @@
+set_prop(rmt_storage, rmt_storage_prop)

sepolicy/system_app.te

@@ -1,3 +1,5 @@
+allow system_app sysfs_mdnie:file rw_file_perms;
+
 allow system_app time_data_file:file rw_file_perms;
 
 set_prop(system_app, timekeep_prop)

sepolicy/system_server.te

@@ -0,0 +1,3 @@
+allow system_server sysfs_mdnie:file rw_file_perms;
+
+r_dir_file(system_server, app_efs_file)

sepolicy/wcnss_service.te

@@ -0,0 +1 @@
+allow wcnss_service self:capability { setgid setuid };