Move sepolicy files from hardware/google/pixel-sepolicy.

Bug: 325422902 Test: Manual, system booted without sepolicy denied error. Change-Id: I2146a2b1524d6d5a3d4a17635cce21c29c56c248 Signed-off-by: Mark Chang <changmark@google.com>
2024-02-28 13:33:38 +00:00 · 2024-02-28 13:33:38 +00:00 · 542efdc2b9
commit 542efdc2b9
parent 792837721c
10 changed files with 49 additions and 0 deletions
--- a/touch/twoshay/sepolicy/device.te
+++ b/touch/twoshay/sepolicy/device.te
@ -0,0 +1 @@
+type touch_offload_device, dev_type;
--- a/touch/twoshay/sepolicy/dumpstate.te
+++ b/touch/twoshay/sepolicy/dumpstate.te
@ -0,0 +1,2 @@
+allow dumpstate touch_context_service:service_manager find;
+binder_call(dumpstate, twoshay)
--- a/touch/twoshay/sepolicy/file_contexts
+++ b/touch/twoshay/sepolicy/file_contexts
@ -0,0 +1,2 @@
+/dev/touch_offload                                                               u:object_r:touch_offload_device:s0
+/vendor/bin/twoshay                                                              u:object_r:twoshay_exec:s0
--- a/touch/twoshay/sepolicy/hal_dumpstate_default.te
+++ b/touch/twoshay/sepolicy/hal_dumpstate_default.te
@ -0,0 +1,2 @@
+allow hal_dumpstate_default touch_context_service:service_manager find;
+binder_call(hal_dumpstate_default, twoshay)
--- a/touch/twoshay/sepolicy/platform_app.te
+++ b/touch/twoshay/sepolicy/platform_app.te
@ -0,0 +1,4 @@
+allow platform_app gril_antenna_tuning_service:service_manager find;
+allow platform_app screen_protector_detector_service:service_manager find;
+allow platform_app touch_context_service:service_manager find;
+binder_call(platform_app, twoshay)
--- a/touch/twoshay/sepolicy/service.te
+++ b/touch/twoshay/sepolicy/service.te
@ -0,0 +1,3 @@
+type gril_antenna_tuning_service, service_manager_type, hal_service_type;
+type screen_protector_detector_service, service_manager_type, hal_service_type;
+type touch_context_service, service_manager_type, hal_service_type;
--- a/touch/twoshay/sepolicy/service_contexts
+++ b/touch/twoshay/sepolicy/service_contexts
@ -0,0 +1,3 @@
+com.google.input.ITouchContextService/default              u:object_r:touch_context_service:s0
+com.google.input.algos.gril.IGrilAntennaTuningService/default              u:object_r:gril_antenna_tuning_service:s0
+com.google.input.algos.spd.IScreenProtectorDetectorService/default u:object_r:screen_protector_detector_service:s0
--- a/touch/twoshay/sepolicy/touchflow_debug/file_contexts
+++ b/touch/twoshay/sepolicy/touchflow_debug/file_contexts
@ -0,0 +1,2 @@
+/vendor/bin/hw/android\.hardware\.input\.processor-reflector     u:object_r:hal_input_processor_default_exec:s0
+/vendor/bin/twoshay_touchflow     u:object_r:twoshay_exec:s0
--- a/touch/twoshay/sepolicy/twoshay.te
+++ b/touch/twoshay/sepolicy/twoshay.te
@ -0,0 +1,27 @@
+type twoshay, domain;
+type twoshay_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(twoshay)
+
+allow twoshay touch_offload_device:chr_file rw_file_perms;
+allow twoshay twoshay:capability sys_nice;
+
+binder_use(twoshay)
+add_service(twoshay, gril_antenna_tuning_service)
+add_service(twoshay, screen_protector_detector_service)
+add_service(twoshay, touch_context_service)
+
+binder_call(twoshay, platform_app)
+
+allow twoshay fwk_stats_service:service_manager find;
+binder_call(twoshay, stats_service_server)
+
+# Allow dumpsys output in bugreports.
+allow twoshay dumpstate:fd use;
+allow twoshay dumpstate:fifo_file write;
+
+# b/198755236
+dontaudit twoshay twoshay:capability dac_override;
+
+# b/226830650
+dontaudit twoshay boot_status_prop:file read;
--- a/touch/twoshay/twoshay.mk
+++ b/touch/twoshay/twoshay.mk
@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/twoshay/sepolicy
+PRODUCT_PACKAGES += twoshay
+PRODUCT_SOONG_NAMESPACES += vendor/google/input/twoshay