From b9bf9bca148a7e835123a2fc07b8a69c825a242c Mon Sep 17 00:00:00 2001
From: Deokgyu Yang
Date: Tue, 8 Feb 2022 17:26:06 +0900
Subject: [PATCH] gts3l-common: sepolicy: Add some missing policies and add genfs_contexts Temporarility
Signed-off-by: Deokgyu Yang
Change-Id: I4611d613a38f64fb0156f329983d1d6248f0b37b
---
 sepolicy/charger.te | 2 ++
 sepolicy/device.te | 1 +
 sepolicy/file.te | 5 +++++
 sepolicy/file_contexts | 1 +
 sepolicy/genfs_contexts | 27 +++++++++++++++++++++++++++
 sepolicy/hal_fingerprint_default.te | 10 ++++++++++
 sepolicy/hal_gnss_qti.te | 2 +-
 sepolicy/hal_sensors_default.te | 2 +-
 sepolicy/init.te | 7 +++++--
 sepolicy/location.te | 2 ++
 sepolicy/mm-qcamerad.te | 1 +
 sepolicy/netmgrd.te | 1 +
 sepolicy/qmuxd.te | 2 ++
 sepolicy/rild.te | 2 +-
 sepolicy/rmt_storage.te | 7 +++++++
 sepolicy/sensors.te | 2 ++
 sepolicy/system_server.te | 2 ++
 sepolicy/tee.te | 3 +++
 sepolicy/time_daemon.te | 2 ++
 sepolicy/ueventd.te | 1 +
 sepolicy/vendor_init.te | 1 +
 sepolicy/vendor_per_mgr.te | 1 +
 sepolicy/vold.te | 9 ++++++++-
 sepolicy/wcnss_service.te | 2 ++
 24 files changed, 89 insertions(+), 6 deletions(-)
 create mode 100644 sepolicy/genfs_contexts
 create mode 100644 sepolicy/netmgrd.te
 create mode 100644 sepolicy/rmt_storage.te
 create mode 100644 sepolicy/ueventd.te
diff --git a/sepolicy/charger.te b/sepolicy/charger.te
index 954588b..6e11ac1 100644
--- a/sepolicy/charger.te
+++ b/sepolicy/charger.te
@@ -22,4 +22,6 @@ allow charger efs_file:file create_file_perms;
 allow charger sec_efs_file:dir rw_dir_perms;
 allow charger sec_efs_file:file create_file_perms;
+allow charger proc_reset_reason:file r_file_perms;
+
 set_prop(charger, powerctl_prop)
\ No newline at end of file
diff --git a/sepolicy/device.te b/sepolicy/device.te
index b1670ca..1a7f164 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -11,3 +11,4 @@ type paramblk_device, dev_type;
 type sec_efsblk_device, dev_type;
 type steady_block_device, dev_type;
 type tz_device, dev_type;
+type emmcblk_device, file_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 40bac24..ce10bff 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -40,6 +40,8 @@ type wifi_efs_file, file_type, mlstrustedobject;
 type proc_default_smp_affinity, fs_type, proc_type;
 type proc_simslot_count, fs_type, proc_type;
 type proc_swappiness, fs_type, proc_type;
+type proc_last_kmsg, fs_type, proc_type;
+type proc_reset_reason, fs_type, proc_type;
 # rootfs
 type firmware-modem_file, file_type, contextmount_type, vendor_file_type;
@@ -57,3 +59,6 @@ type sysfs_tsp, fs_type, sysfs_type;
 type sysfs_wifi, fs_type, sysfs_type;
 type sysfs_touchkey, fs_type, sysfs_type;
 type dsp_file, fs_type, contextmount_type;
+
+# debugfs
+type debugfs_rmt, debugfs_type, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 5216c4d..f6f1c4b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,4 +1,5 @@
 # Block devices
+/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
 /dev/block/platform/soc/624000\.sdhci/by-name/bota u:object_r:botablk_device:s0
 /dev/block/platform/soc/624000\.sdhci/by-name/config u:object_r:frp_block_device:s0
 /dev/block/platform/soc/624000\.sdhci/by-name/debug u:object_r:debug_block_device:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..0b09ed1
--- /dev/null
+++ b/sepolicy/genfs_contexts
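Review bot: `+type emmcblk_device, file_type;` in device.te gives a block-device label the `file_type` attribute while every neighbouring declaration in the hunk (`tz_device`, `steady_block_device`, `sec_efsblk_device`) uses `dev_type`, and file_contexts in the same patch maps `/dev/block/mmcblk0p[0-9]*` to it, so the declaration should read `type emmcblk_device, dev_type;`. The wildcard also puts every eMMC partition that has no more specific by-name entry under one label, so each later rule on emmcblk_device in this patch (init, ueventd, vendor_init, vold) reaches all of those partitions at once; if a particular partition is what is needed, a by-name entry with its own type keeps the grant to that node. The file_contexts hunk only shows the first four lines of that file, so which by-name entries exist further down cannot be seen here.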
@@ -0,0 +1,27 @@
+genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0
+
+genfscon proc /irq/default_smp_affinity u:object_r:proc_default_smp_affinity:s0
+genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
+genfscon proc /reset_reason u:object_r:proc_reset_reason:s0
+genfscon proc /schedstat u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_cfs_bandwidth_slice_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_cfs_boost u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_cstate_aware u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_migration_cost_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_min_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_nr_migrate u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rr_timeslice_ms u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_shares_window_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_sync_hint_enable u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_time_avg_ms u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_use_walt_cpu_util u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_use_walt_task_util u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_walt_cpu_high_irqload u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_walt_init_task_load_pct u:object_r:proc_sched:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
+
+genfscon sysfs /devices/soc/6a00000.ssusb/6a00000.dwc3/gadget/lun0/ u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/soc/6a00000.ssusb/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/soc:i2c@11/i2c-1/1-0071/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/soc:i2c@13/i2c-0/0-0049/sm5705-charger/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/virtual/lcd/panel u:object_r:sysfs_lcd_writable:s0
\ No newline at end of file
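Review bot: genfscon entries match by path prefix, so `genfscon sysfs /devices/virtual/lcd/panel u:object_r:sysfs_lcd_writable:s0` labels every attribute under that device directory as writable, not a single node; if only particular attributes need to be written by non-init domains, listing those attribute paths individually keeps the writable label narrow. The same prefix behaviour applies to the three `power_supply` directories labelled `sysfs_batteryinfo`, which looks intended since that is a read-side label. The new file also ends without a trailing newline (`\ No newline at end of file`), which the next append to it will turn into a spurious one-line diff.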
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
index f242995..becaa1f 100644
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
@@ -1,3 +1,9 @@
+binder_call(hal_fingerprint_default, qfp-daemon)
+binder_use(hal_fingerprint_default)
+
+# Allow hal_fingerprint_default to open firmware images
+r_dir_file(hal_fingerprint_default, firmware_file)
+
 allow hal_fingerprint_default fp_sensor_device:chr_file rw_file_perms;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
@@ -20,4 +26,8 @@ allow hal_fingerprint_default biometrics_vendor_data_file:file create_file_perms
 allow hal_fingerprint_default vendor_data_file:dir create_dir_perms;
 allow hal_fingerprint_default vendor_data_file:file create_file_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
 allow hal_fingerprint_default fingerprintd_data_file:dir write;
+
+# Ignore all logging requests
+dontaudit hal_fingerprint_default storage_file:dir search;
diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te
index e01d464..1a34f65 100644
--- a/sepolicy/hal_gnss_qti.te
+++ b/sepolicy/hal_gnss_qti.te
@@ -14,4 +14,4 @@ allow hal_gnss_qti qmuxd:unix_stream_socket connectto;
 allow hal_gnss_qti qmuxd_socket:dir { add_name write };
 allow hal_gnss_qti qmuxd_socket:sock_file { create write };
-allow hal_gnss_qti sysfs:file { getattr open write };
+allow hal_gnss_qti sysfs:file { getattr open write read };
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
index 3803fee..a116e09 100644
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
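Review bot: The comment `# Ignore all logging requests` in the second hal_fingerprint_default.te hunk does not describe the rule beneath it, `dontaudit hal_fingerprint_default storage_file:dir search;`, which only silences denials from path lookups under /storage; a comment that matches the rule would be `# Silence harmless /storage lookups; the HAL does not need access there`. The same hunk adds `fingerprintd_data_file:file create_file_perms` while the directory rule next to it stays `fingerprintd_data_file:dir write`; creating a new file in a directory also needs `add_name` on that directory, so if creation is really exercised a follow-up denial on the dir class is likely, and `allow hal_fingerprint_default fingerprintd_data_file:dir { write add_name };` would be the matching line. Whether the existing `dir write` rule was observed to be enough cannot be told from the patch alone.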
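Review bot: `allow hal_gnss_qti sysfs:file { getattr open write read };` widens access on the generic `sysfs` type, which is the label every sysfs node keeps when no genfscon or file_contexts entry assigns a specific one, so the rule cannot be tied to a particular node; the same `sysfs:file { open read }` grant is repeated in hal_sensors_default, location, mm-qcamerad, netmgrd, qmuxd, rmt_storage, sensors, time_daemon, vendor_per_mgr and wcnss_service in this patch. Since the patch already introduces genfs_contexts, the node each daemon actually reads can be labelled there and the rule written against that type, for example `allow hal_gnss_qti sysfs_gnss:file r_file_perms;` with `sysfs_gnss` standing in for a type declared in file.te (placeholder name). For hal_gnss_qti and hal_sensors_default the pre-existing `write` on the generic type is the broader half of the grant and is worth narrowing in the same way.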
@@ -2,7 +2,7 @@ allow hal_sensors_default input_device:dir r_dir_perms;
 allow hal_sensors_default input_device:chr_file rw_file_perms;
 allow hal_sensors_default sysfs:dir { open read };
-allow hal_sensors_default sysfs:file { open getattr write };
+allow hal_sensors_default sysfs:file { open getattr write read };
 allow hal_sensors_default sysfs_sensors:dir r_dir_perms;
 allow hal_sensors_default sysfs_sensors:file rw_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 04f77a3..5c7e411 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -24,11 +24,14 @@ allow init node:tcp_socket node_bind;
 allow init proc:file setattr;
+allow init proc_last_kmsg:file { r_file_perms setattr };
+
 allow init self:netlink_socket { create read bind };
 allow init self:tcp_socket { bind create };
 allow init sysfs:dir create;
-
-allow init sysfs:file { open setattr write };
+allow init sysfs:file { open setattr write open };
 allow init sysfs_touchkey:lnk_file read;
+
+allow init emmcblk_device:blk_file { ioctl open read };
diff --git a/sepolicy/location.te b/sepolicy/location.te
index 0d468f8..2930b10 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -1 +1,3 @@
 allow location csc_prop:file { getattr open read };
+
+allow location sysfs:file { open read };
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 6a19323..9755fa2 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -7,6 +7,7 @@ allow mm-qcamerad camera_socket:sock_file { create unlink write };
 allow mm-qcamerad sysfs_camera_writable:dir search;
 allow mm-qcamerad sysfs_camera_writable:file { read write open getattr };
 allow mm-qcamerad sysfs_leds:dir search;
+allow mm-qcamerad sysfs:file { open read };
 allow mm-qcamerad sec_camera_prop:file { read open getattr };
 allow mm-qcamerad sec_camera_prop:property_service set;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..4da9ab7
--- /dev/null
+++ b/sepolicy/netmgrd.te
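Review bot: In the init.te hunk the replacement line `allow init sysfs:file { open setattr write open };` lists `open` twice and grants nothing beyond the removed `allow init sysfs:file { open setattr write };`, so the only effect of that `-`/`+` pair is dropping the blank line above it. Either leave the original line untouched or, if `read` was the intended addition as in the other sysfs rules in this patch, write `allow init sysfs:file { open read setattr write };`. The new `allow init emmcblk_device:blk_file { ioctl open read };` covers every partition matched by the `/dev/block/mmcblk0p[0-9]*` label, so it is worth a comment naming which partition init actually reads.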
@@ -0,0 +1 @@
+allow netmgrd sysfs:file { open read };
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
index 6034540..665f1ff 100644
--- a/sepolicy/qmuxd.te
+++ b/sepolicy/qmuxd.te
@@ -1 +1,3 @@
 allow qmuxd vendor_radio_prop:file { getattr open read };
+
+allow qmuxd sysfs:file { open read };
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 7b6c213..5a09b90 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -13,6 +13,6 @@ allow rild default_prop:property_service set;
 allow rild imei_efs_file:file { open read setattr getattr write };
 allow rild system_data_file:dir { write add_name };
-allow rild system_data_file:file { create open write };
+allow rild system_data_file:file { create open write setattr };
 get_prop(rild, csc_prop)
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
new file mode 100644
index 0000000..ab302ce
--- /dev/null
+++ b/sepolicy/rmt_storage.te
@@ -0,0 +1,7 @@
+# debugfs access
+userdebug_or_eng(`
+ allow rmt_storage debugfs_rmt:dir search;
+ allow rmt_storage debugfs_rmt:file rw_file_perms;
+')
+
+allow rmt_storage sysfs:file { open read };
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index 9103344..c462dcc 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
@@ -1,2 +1,4 @@
 allow sensors app_efs_file:dir { getattr open read search };
 allow sensors app_efs_file:file { getattr open read write };
+
+allow sensors sysfs:file { open read };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index dec4141..424378f 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -2,3 +2,5 @@ allow system_server init:binder call;
 allow system_server userspace_reboot_config_prop:file { getattr open read };
 allow system_server userspace_reboot_exported_prop:file { getattr open read };
+
+allow system_server proc_last_kmsg:file r_file_perms;
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 59ecde4..e72debd 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
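Review bot: `allow rild system_data_file:file { create open write setattr };` in rild.te widens a vendor domain's write access on the core `system_data_file` label; only `setattr` is new here, but every widening on that label applies to all of /data that is not relabelled, not to one path. If rild needs a single directory under /data, labelling it with a vendor-owned type in file_contexts and granting on that type (together with the `dir { write add_name }` rule above it) confines the access to that path; the denial that motivated the change is not in the commit message, so the exact path cannot be named from here. The rmt_storage.te file in the same line is the pattern to follow: its debugfs access is both on a dedicated type (`debugfs_rmt`) and gated by `userdebug_or_eng`.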
@@ -41,5 +41,8 @@ allow tee vaultkeeper_efs_file:file rw_file_perms;
 allow tee vendor_data_file:dir create_dir_perms;
 allow tee vendor_data_file:file create_file_perms;
+allow tee gatekeeper_data_file:dir read;
+allow tee gatekeeper_data_file:file getattr;
+
 get_prop(tee, hwservicemanager_prop)
 set_prop(tee, vendor_qseecomd_prop)
diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te
index 7b922ed..ba9ecac 100644
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@@ -1 +1,3 @@
 r_dir_file(time_daemon, timeservice_app)
+
+allow time_daemon sysfs:file { open read };
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..3c14fa4
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1 @@
+allow ueventd emmcblk_device:blk_file { getattr setattr };
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
index fb87fab..af7237a 100644
--- a/sepolicy/vendor_init.te
+++ b/sepolicy/vendor_init.te
@@ -17,6 +17,7 @@ allow vendor_init persist_file:lnk_file read;
 allow vendor_init self:capability sys_rawio;
 allow vendor_init system_data_file:dir { add_name create setattr write };
 allow vendor_init tombstone_data_file:dir getattr;
+allow vendor_init emmcblk_device:blk_file getattr;
 set_prop(vendor_init, camera_prop)
 set_prop(vendor_init, config_prop)
diff --git a/sepolicy/vendor_per_mgr.te b/sepolicy/vendor_per_mgr.te
index 2ce01f4..5ece2c4 100644
--- a/sepolicy/vendor_per_mgr.te
+++ b/sepolicy/vendor_per_mgr.te
@@ -1 +1,2 @@
 allow vendor_per_mgr self:capability net_raw;
+allow vendor_per_mgr sysfs:file { open read };
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index b6e9c24..0680766 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,5 +1,12 @@
 allow vold hal_bootctl_hwservice:hwservice_manager find;
-allow vold rootfs:dir setattr;
+allow vold rootfs:dir { setattr add_name create write };
 allow vold sysfs_mmc_host:file write;
+
+# /efs
+allow vold efs_file:dir r_dir_perms;
+
+# /dev/block/mmcblk0p[0-9]
+allow vold emmcblk_device:dir create_dir_perms;
+allow vold emmcblk_device:blk_file create_file_perms;
diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
index 2afd80d..23771d6 100644
--- a/sepolicy/wcnss_service.te
+++ b/sepolicy/wcnss_service.te
@@ -1 +1,3 @@
 r_dir_file(wcnss_service, vendor_convergence_data_file)
+
+allow wcnss_service sysfs:file { open read };
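Review bot: `allow vold emmcblk_device:blk_file create_file_perms;` lets vold create, unlink, rename and write the device node of every partition matched by `/dev/block/mmcblk0p[0-9]*`, and `allow vold emmcblk_device:dir create_dir_perms;` is written against a label that file_contexts only applies to block-device nodes, so the `dir` rule has no object to match. If opening the partition for read/write and ioctl is all that is needed, `allow vold emmcblk_device:blk_file rw_file_perms;` is the narrower form and the `dir` line can be dropped; the comment `# /dev/block/mmcblk0p[0-9]` would be more useful if it named which partition vold touches. `allow vold rootfs:dir { setattr add_name create write };` likewise lets vold add entries to the root directory itself, which is worth confirming is only a mount-point creation. The denial that motivated these rules is not in the commit message, so the exact need is inferred here.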