gts3l-common: sepolicy: Add some missing policies and add genfs_contexts

Temporarility

Signed-off-by: Deokgyu Yang <secugyu@gmail.com>
Change-Id: I4611d613a38f64fb0156f329983d1d6248f0b37b

sepolicy/charger.te

@@ -22,4 +22,6 @@ allow charger efs_file:file create_file_perms;
 allow charger sec_efs_file:dir rw_dir_perms;
 allow charger sec_efs_file:file create_file_perms;
 
+allow charger proc_reset_reason:file r_file_perms;
+
 set_prop(charger, powerctl_prop)

sepolicy/device.te

@@ -11,3 +11,4 @@ type paramblk_device, dev_type;
 type sec_efsblk_device, dev_type;
 type steady_block_device, dev_type;
 type tz_device, dev_type;
+type emmcblk_device, file_type;

sepolicy/file.te

@@ -40,6 +40,8 @@ type wifi_efs_file, file_type, mlstrustedobject;
 type proc_default_smp_affinity, fs_type, proc_type;
 type proc_simslot_count, fs_type, proc_type;
 type proc_swappiness, fs_type, proc_type;
+type proc_last_kmsg, fs_type, proc_type;
+type proc_reset_reason, fs_type, proc_type;
 
 # rootfs
 type firmware-modem_file, file_type, contextmount_type, vendor_file_type;
@@ -56,3 +58,6 @@ type sysfs_tsp, fs_type, sysfs_type;
 type sysfs_wifi, fs_type, sysfs_type;
 type sysfs_touchkey, fs_type, sysfs_type;
 type dsp_file, fs_type, contextmount_type;
+
+# debugfs
+type debugfs_rmt, debugfs_type, fs_type;

sepolicy/file_contexts

@@ -1,4 +1,5 @@
 # Block devices
+/dev/block/mmcblk0p[0-9]*                                   u:object_r:emmcblk_device:s0
 /dev/block/platform/soc/624000\.sdhci/by-name/bota          u:object_r:botablk_device:s0
 /dev/block/platform/soc/624000\.sdhci/by-name/config        u:object_r:frp_block_device:s0
 /dev/block/platform/soc/624000\.sdhci/by-name/debug         u:object_r:debug_block_device:s0

sepolicy/genfs_contexts

@@ -0,0 +1,27 @@
+genfscon debugfs /rmt_storage    u:object_r:debugfs_rmt:s0
+
+genfscon proc /irq/default_smp_affinity                    u:object_r:proc_default_smp_affinity:s0
+genfscon proc /last_kmsg                                   u:object_r:proc_last_kmsg:s0
+genfscon proc /reset_reason                                u:object_r:proc_reset_reason:s0
+genfscon proc /schedstat                                   u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_cfs_bandwidth_slice_us     u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_cfs_boost                  u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_cstate_aware               u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_migration_cost_ns          u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_min_granularity_ns         u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_nr_migrate                 u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rr_timeslice_ms            u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_shares_window_ns           u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_sync_hint_enable           u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_time_avg_ms                u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_use_walt_cpu_util          u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_use_walt_task_util         u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_walt_cpu_high_irqload      u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_walt_init_task_load_pct    u:object_r:proc_sched:s0
+genfscon proc /sys/vm/swappiness                           u:object_r:proc_swappiness:s0
+
+genfscon sysfs /devices/soc/6a00000.ssusb/6a00000.dwc3/gadget/lun0/                u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/soc/6a00000.ssusb/power_supply                             u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/soc:i2c@11/i2c-1/1-0071/power_supply                   u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/soc:i2c@13/i2c-0/0-0049/sm5705-charger/power_supply    u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/virtual/lcd/panel                                          u:object_r:sysfs_lcd_writable:s0

sepolicy/hal_fingerprint_default.te

@@ -1,3 +1,9 @@
+binder_call(hal_fingerprint_default, qfp-daemon)
+binder_use(hal_fingerprint_default)
+
+# Allow hal_fingerprint_default to open firmware images
+r_dir_file(hal_fingerprint_default, firmware_file)
+
 allow hal_fingerprint_default fp_sensor_device:chr_file rw_file_perms;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
 
@@ -20,4 +26,8 @@ allow hal_fingerprint_default biometrics_vendor_data_file:file create_file_perms
 allow hal_fingerprint_default vendor_data_file:dir create_dir_perms;
 allow hal_fingerprint_default vendor_data_file:file create_file_perms;
 
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
 allow hal_fingerprint_default fingerprintd_data_file:dir write;
+
+# Ignore all logging requests
+dontaudit hal_fingerprint_default storage_file:dir search;

sepolicy/hal_gnss_qti.te

@@ -14,4 +14,4 @@ allow hal_gnss_qti qmuxd:unix_stream_socket connectto;
 allow hal_gnss_qti qmuxd_socket:dir { add_name write };
 allow hal_gnss_qti qmuxd_socket:sock_file { create write };
 
-allow hal_gnss_qti sysfs:file { getattr open write };
+allow hal_gnss_qti sysfs:file { getattr open write read };

sepolicy/hal_sensors_default.te

@@ -2,7 +2,7 @@ allow hal_sensors_default input_device:dir r_dir_perms;
 allow hal_sensors_default input_device:chr_file rw_file_perms;
 
 allow hal_sensors_default sysfs:dir { open read };
-allow hal_sensors_default sysfs:file { open getattr write };
+allow hal_sensors_default sysfs:file { open getattr write read };
 
 allow hal_sensors_default sysfs_sensors:dir r_dir_perms;
 allow hal_sensors_default sysfs_sensors:file rw_file_perms;

sepolicy/init.te

@@ -24,11 +24,14 @@ allow init node:tcp_socket node_bind;
 
 allow init proc:file setattr;
 
+allow init proc_last_kmsg:file { r_file_perms setattr };
+
 allow init self:netlink_socket { create read bind };
 allow init self:tcp_socket { bind create };
 
 allow init sysfs:dir create;
-
-allow init sysfs:file { open setattr write };
+allow init sysfs:file { open setattr write open };
 
 allow init sysfs_touchkey:lnk_file read;
+
+allow init emmcblk_device:blk_file { ioctl open read };

sepolicy/location.te

@@ -1 +1,3 @@
 allow location csc_prop:file { getattr open read };
+
+allow location sysfs:file { open read };

sepolicy/mm-qcamerad.te

@@ -7,6 +7,7 @@ allow mm-qcamerad camera_socket:sock_file { create unlink write };
 allow mm-qcamerad sysfs_camera_writable:dir search;
 allow mm-qcamerad sysfs_camera_writable:file { read write open getattr };
 allow mm-qcamerad sysfs_leds:dir search;
+allow mm-qcamerad sysfs:file { open read };
 
 allow mm-qcamerad sec_camera_prop:file { read open getattr };
 allow mm-qcamerad sec_camera_prop:property_service set;

sepolicy/netmgrd.te

@@ -0,0 +1 @@
+allow netmgrd sysfs:file { open read };

sepolicy/qmuxd.te

@@ -1 +1,3 @@
 allow qmuxd vendor_radio_prop:file { getattr open read };
+
+allow qmuxd sysfs:file { open read };

sepolicy/rild.te

@@ -13,6 +13,6 @@ allow rild default_prop:property_service set;
 allow rild imei_efs_file:file { open read setattr getattr write };
 
 allow rild system_data_file:dir { write add_name };
-allow rild system_data_file:file { create open write };
+allow rild system_data_file:file { create open write setattr };
 
 get_prop(rild, csc_prop)

sepolicy/rmt_storage.te

@@ -0,0 +1,7 @@
+# debugfs access
+userdebug_or_eng(`
+  allow rmt_storage debugfs_rmt:dir search;
+  allow rmt_storage debugfs_rmt:file rw_file_perms;
+')
+
+allow rmt_storage sysfs:file { open read };

sepolicy/sensors.te

@@ -1,2 +1,4 @@
 allow sensors app_efs_file:dir { getattr open read search };
 allow sensors app_efs_file:file { getattr open read write };
+
+allow sensors sysfs:file { open read };

sepolicy/system_server.te

@@ -2,3 +2,5 @@ allow system_server init:binder call;
 
 allow system_server userspace_reboot_config_prop:file { getattr open read };
 allow system_server userspace_reboot_exported_prop:file { getattr open read };
+
+allow system_server proc_last_kmsg:file r_file_perms;

sepolicy/tee.te

@@ -41,5 +41,8 @@ allow tee vaultkeeper_efs_file:file rw_file_perms;
 allow tee vendor_data_file:dir create_dir_perms;
 allow tee vendor_data_file:file create_file_perms;
 
+allow tee gatekeeper_data_file:dir read;
+allow tee gatekeeper_data_file:file getattr;
+
 get_prop(tee, hwservicemanager_prop)
 set_prop(tee, vendor_qseecomd_prop)

sepolicy/time_daemon.te

@@ -1 +1,3 @@
 r_dir_file(time_daemon, timeservice_app)
+
+allow time_daemon sysfs:file { open read };

sepolicy/ueventd.te

@@ -0,0 +1 @@
+allow ueventd emmcblk_device:blk_file { getattr setattr };

sepolicy/vendor_init.te

@@ -17,6 +17,7 @@ allow vendor_init persist_file:lnk_file read;
 allow vendor_init self:capability sys_rawio;
 allow vendor_init system_data_file:dir { add_name create setattr write };
 allow vendor_init tombstone_data_file:dir getattr;
+allow vendor_init emmcblk_device:blk_file getattr;
 
 set_prop(vendor_init, camera_prop)
 set_prop(vendor_init, config_prop)

sepolicy/vendor_per_mgr.te

@@ -1 +1,2 @@
 allow vendor_per_mgr self:capability net_raw;
+allow vendor_per_mgr sysfs:file { open read };

sepolicy/vold.te

@@ -1,5 +1,12 @@
 allow vold hal_bootctl_hwservice:hwservice_manager find;
 
-allow vold rootfs:dir setattr;
+allow vold rootfs:dir { setattr add_name create write };
 
 allow vold sysfs_mmc_host:file write;
+
+# /efs
+allow vold efs_file:dir r_dir_perms;
+
+# /dev/block/mmcblk0p[0-9]
+allow vold emmcblk_device:dir create_dir_perms;
+allow vold emmcblk_device:blk_file create_file_perms;

sepolicy/wcnss_service.te

@@ -1 +1,3 @@
 r_dir_file(wcnss_service, vendor_convergence_data_file)
+
+allow wcnss_service sysfs:file { open read };