From cb448adfc80c32bff0a8561d98909f1174844109 Mon Sep 17 00:00:00 2001 From: Rick Chen Date: Fri, 3 Nov 2023 19:52:54 +0800 Subject: [PATCH] sensors: Move USF related sepolicy to gs-common. Bug: 305120274 Test: Compile pass. Flash the build to WHI, WHI_PRO, ZUMA devices and no sensor related avc denied log. Change-Id: I5bab78c72849fbdf312a5d088532572dbd6e6c6d Signed-off-by: Rick Chen
---
 sensors/sepolicy/file.te | 16 ++++++
 sensors/sepolicy/file_contexts | 13 +++++
 sensors/sepolicy/hal_sensors_default.te | 65 +++++++++++++++++++++++++
 sensors/sepolicy/te_macros | 14 ++++++
 4 files changed, 108 insertions(+)
 create mode 100644 sensors/sepolicy/hal_sensors_default.te
 create mode 100644 sensors/sepolicy/te_macros
diff --git a/sensors/sepolicy/file.te b/sensors/sepolicy/file.te
index 97084b6..f59381b 100644
--- a/sensors/sepolicy/file.te
+++ b/sensors/sepolicy/file.te
@@ -1,2 +1,18 @@
+#
+# USF file SELinux type enforcements.
+#
+
 type vendor_usf_stats, vendor_file_type, file_type;
 type vendor_usf_reg_edit, vendor_file_type, file_type;
+
+# Declare the sensor registry persist file type. By convention, persist file
+# types begin with "persist_".
+type persist_sensor_reg_file, file_type, vendor_persist_type;
+
+# Declare the sensor registry data file type. By convention, data file types
+# end with "data_file".
+type sensor_reg_data_file, file_type, data_file_type;
+
+# Declare the sensor debug data file type. By convention, data file types
+# end with "data_file".
+type sensor_debug_data_file, file_type, data_file_type;
diff --git a/sensors/sepolicy/file_contexts b/sensors/sepolicy/file_contexts
index 0fbbdf2..d41b33e 100644
--- a/sensors/sepolicy/file_contexts
+++ b/sensors/sepolicy/file_contexts
@@ -1,3 +1,16 @@
+#
+# USF SELinux file security contexts.
+#
+
 /vendor/bin/dump/dump_sensors u:object_r:dump_sensors_exec:s0
 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
 /vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
+
+# Sensor registry persist files.
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+
+# Sensor registry data files.
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+
+# Sensor debug data files.
+/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0
diff --git a/sensors/sepolicy/hal_sensors_default.te b/sensors/sepolicy/hal_sensors_default.te
new file mode 100644
index 0000000..1d152d4
--- /dev/null
+++ b/sensors/sepolicy/hal_sensors_default.te
@@ -0,0 +1,65 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow reading of sensor registry persist files.
+allow hal_sensors_default mnt_vendor_file:dir search;
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default persist_file:file r_file_perms;
+r_dir_file(hal_sensors_default, persist_sensor_reg_file)
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+
+userdebug_or_eng(`
+ # Allow creation and writing of sensor debug data files.
+ allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms;
+ allow hal_sensors_default sensor_debug_data_file:file create_file_perms;
+')
+
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
+
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
+allow hal_sensors_default sysfs_aoc:file r_file_perms;
+
+# Allow sensor HAL to reset AOC.
+allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
+
+# Allow sensor HAL to read AoC dumpstate.
+allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
+
+# Allow access for AoC properties.
+get_prop(hal_sensors_default, vendor_aoc_prop)
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow use of the USF low latency transport.
+usf_low_latency_transport(hal_sensors_default)
+
+# Allow sensor HAL to access to display sysfs.
+allow hal_sensors_default sysfs_display:file r_file_perms;
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file rw_file_perms;
+
+# Allow SensorSuez to connect AIDL stats.
+binder_use(hal_sensors_default);
+allow hal_sensors_default fwk_stats_service:service_manager find;
+
+# Allow access to CHRE socket to connect to nanoapps.
+unix_socket_connect(hal_sensors_default, chre, chre)
+
+# Allow access to the power supply files for MagCC.
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
diff --git a/sensors/sepolicy/te_macros b/sensors/sepolicy/te_macros
new file mode 100644
index 0000000..01ac13c
--- /dev/null
+++ b/sensors/sepolicy/te_macros
@@ -0,0 +1,14 @@
+#
+# USF SELinux type enforcement macros.
+#
+
+#
+# usf_low_latency_transport(domain)
+#
+# Allows domain use of the USF low latency transport.
+#
+define(`usf_low_latency_transport', `
+ allow $1 hal_graphics_mapper_hwservice:hwservice_manager find;
+ hal_client_domain($1, hal_graphics_allocator)
+')
+
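Review bot: In sensors/sepolicy/hal_sensors_default.te, `allow hal_sensors_default persist_file:file r_file_perms;` grants read on every file carrying the generic persist_file label, which is wider than its comment ("sensor registry persist files") describes, since the registry has its own type and is already covered by `r_dir_file(hal_sensors_default, persist_sensor_reg_file)`. If the HAL reads nothing else under the generic label, the two `dir search` rules are enough for traversal and the file rule can be dropped; otherwise the comment should name the persist_file-labelled files it needs. The same least-privilege question applies to `allow hal_sensors_default device:dir r_dir_perms;`, which lets the HAL list everything labelled device in order to watch one AoC node, and to the write half of `sysfs_leds:file rw_file_perms`, where the comment gives no reason for the sensor HAL to write to the backlight driver. As the file is being placed in gs-common, these grants presumably reach every device that includes it, so each should be narrowed or justified in its comment.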
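Review bot: The header comment of `usf_low_latency_transport` in sensors/sepolicy/te_macros does not say what the macro grants, so a reader of `usf_low_latency_transport(hal_sensors_default)` in a domain's policy cannot see that it makes the domain a client of the graphics allocator HAL and lets it find the graphics mapper hwservice. I would add a line to the comment block such as `# Grants: hal_graphics_allocator client access and find on hal_graphics_mapper_hwservice.` so the capability is visible where the macro is defined and reviewed. A short sentence on why the transport needs the allocator would also help anyone later auditing which domains invoke this macro.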