From 7e89a679d93ca40be7320e22e737d6cbc3f0bd64 Mon Sep 17 00:00:00 2001
From: Lei Ju <leiju@google.com>
Date: Tue, 23 Jan 2024 11:18:55 -0800
Subject: [PATCH 1/2] Allow sensor hal to connect to CHRE HAL

These policies are required to let DropDetect and IpHeath communicate
with CHRE HAL directly after CHRE multiclient HAL is enabled.

Bug: 324316275
Test: Trigger drop detection and observed corresponding logs
  are generated.
Change-Id: Icc087b59ff594224d7e637212558e68fb3f86437
---
 chre/sepolicy/hal_contexthub_default.te | 3 +++
 sensors/sepolicy/hal_sensors_default.te | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/chre/sepolicy/hal_contexthub_default.te b/chre/sepolicy/hal_contexthub_default.te
index 542d383..87e3a42 100644
--- a/chre/sepolicy/hal_contexthub_default.te
+++ b/chre/sepolicy/hal_contexthub_default.te
@@ -32,3 +32,6 @@ wakelock_use(hal_contexthub_default)
 
 # Allow context hub HAL to block suspend, which is required to use EPOLLWAKEUP
 allow hal_contexthub_default self:global_capability2_class_set block_suspend;
+
+# Allow binder calls with clients
+binder_call(hal_contexthub_default, hal_sensors_default)
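Review bot: The comment above the new rule ("Allow binder calls with clients") is broader than the rule itself, which only lets hal_contexthub_default call and transfer to hal_sensors_default; name the peer and the reason so the next reader does not widen it to other clients, e.g. `# Allow the context hub HAL to call back into the sensors HAL (CHRE multiclient HAL client)`. Since binder_call is asymmetric (the first domain gets call+transfer, the second only transfer), this rule presumably exists for callbacks from the context hub HAL into the sensors HAL rather than for the sensors HAL's own calls, which the companion hal_sensors_default.te hunk covers; confirm the callback direction is actually needed so the grant stays minimal.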
diff --git a/sensors/sepolicy/hal_sensors_default.te b/sensors/sepolicy/hal_sensors_default.te
index 85a8262..846b016 100644
--- a/sensors/sepolicy/hal_sensors_default.te
+++ b/sensors/sepolicy/hal_sensors_default.te
@@ -63,6 +63,11 @@ unix_socket_connect(hal_sensors_default, chre, chre)
 ## TODO(b/248615564): Remove above rule after CHRE multiclient HAL is launched.
 unix_socket_connect(hal_sensors_default, chre, hal_contexthub_default)
 
+# Allow access to CHRE multiclient HAL.
+get_prop(hal_sensors_default, vendor_chre_hal_prop)
+binder_call(hal_sensors_default, hal_contexthub_default)
+allow hal_sensors_default hal_contexthub_service:service_manager find;
+
 
 # Allow access to the power supply files for MagCC.
 r_dir_file(hal_sensors_default, sysfs_batteryinfo)
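Review bot: The added blank line at the end of the new block leaves two consecutive empty lines before the "power supply" comment, since the file already had one there; drop the trailing `+` blank line. The new rules sit directly under the TODO(b/248615564) that asks for the unix_socket_connect rules to be removed once the multiclient HAL launches, so the comment should tie the two together so the transition can be tracked, e.g. `# Allow access to CHRE multiclient HAL (supersedes the unix_socket_connect rules above once b/248615564 lands).` The three grants themselves (get_prop on vendor_chre_hal_prop, binder_call, and service_manager find on hal_contexthub_service) look appropriately narrow for a client of that HAL.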

From 2ce657ec4f905873024eb998de7e86653c780b70 Mon Sep 17 00:00:00 2001
From: klinesjiang <klinesjiang@google.com>
Date: Mon, 19 Feb 2024 18:46:31 +0800
Subject: [PATCH 2/2] [Gyotaku] Add the access /data/vendor/gyotaku sepolicy
 for gyotaku_app domain

To prevent the barbet build break, add sepolicy to gyotaku dump folder.

Bug: 310110649

Test: Local build on barbet (Pixel 5a) and Husky (Pixel 8); triggered a new bugreport from Husky (Pixel 8) and the result passed.

Change-Id: I09a46249644774c679a0cfa687b2b41ba82120c1
---
 gyotaku_app/dump/gyotaku_app.te | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 gyotaku_app/dump/gyotaku_app.te

diff --git a/gyotaku_app/dump/gyotaku_app.te b/gyotaku_app/dump/gyotaku_app.te
new file mode 100644
index 0000000..6816080
--- /dev/null
+++ b/gyotaku_app/dump/gyotaku_app.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+  # For access /data/vendor/gyotaku folder
+  allow gyotaku_app gyotaku_vendor_data_file:dir create_dir_perms;
+  allow gyotaku_app gyotaku_vendor_data_file:file create_file_perms;
+')
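Review bot: The comment on the new rules describes the path but not the scope or build restriction, which is the security-relevant part of this file; suggest `# userdebug/eng only: let gyotaku_app create and write dump output under /data/vendor/gyotaku`. create_dir_perms and create_file_perms grant write, create and unlink as well as read, which matches a dump destination, but if the app only consumes dumps produced elsewhere, r_dir_file would be the least-privilege choice; confirm which it is. This file does not declare gyotaku_app or gyotaku_vendor_data_file, so it presumably relies on those types being defined and labeled (file_contexts) elsewhere in the policy; the build failure this fixes would reappear if that labeling is missing on a given target.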