gps: refine iGNSS build system - sepolicy

Bug: 318310869
Bug: 315915958
Test: build pass, GPS works and no GPS avc denied error
Change-Id: Ib2aa778a0d0e8a51f4d6733b6a55ccf588a05079

gps/lsi/s5400.mk

@@ -0,0 +1,16 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/lsi/sepolicy
+
+PRODUCT_SOONG_NAMESPACES += \
+    vendor/samsung_slsi/gps/s5400
+
+PRODUCT_PACKAGES += \
+    android.hardware.location.gps.prebuilt.xml \
+    gnssd \
+    android.hardware.gnss-service \
+    ca.pem \
+    gnss_check.sh \
+    kepler.bin
+
+ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+    PRODUCT_VENDOR_PROPERTIES += vendor.gps.aol.enabled=true
+endif

gps/lsi/sepolicy/file.te

@@ -0,0 +1 @@
+type vendor_gps_file, file_type, data_file_type;

gps/lsi/sepolicy/file_contexts

@@ -0,0 +1,12 @@
+# GPS
+/dev/gnss_ipc                  u:object_r:vendor_gnss_device:s0
+/dev/gnss_boot                 u:object_r:vendor_gnss_device:s0
+/dev/gnss_dump                 u:object_r:vendor_gnss_device:s0
+/vendor/bin/hw/gnssd            u:object_r:gnssd_exec:s0
+/vendor/bin/hw/sctd             u:object_r:sctd_exec:s0
+/vendor/bin/hw/swcnd            u:object_r:swcnd_exec:s0
+/vendor/bin/hw/spad             u:object_r:spad_exec:s0
+/vendor/bin/hw/android.hardware.gnss-service           u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/gnss_check\.sh                                     u:object_r:gnss_check_exec:s0
+# keep only one rule and use eGNSS one
+# /data/vendor/gps(/.*)?             u:object_r:vendor_gps_file:s0

gps/lsi/sepolicy/gnss_check.te

@@ -0,0 +1,9 @@
+type gnss_check, domain;
+type gnss_check_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(gnss_check);
+
+allow gnss_check vendor_toolbox_exec:file { execute_no_trans };
+
+set_prop(gnss_check, ctl_stop_prop);
+set_prop(gnss_check, ctl_start_prop);

gps/lsi/sepolicy/gnssd.te

@@ -0,0 +1,26 @@
+type gnssd, domain;
+type gnssd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gnssd);
+
+# Allow gnssd to access rild
+binder_call(gnssd, rild);
+binder_call(gnssd, hwservicemanager)
+allow gnssd hal_exynos_rild_hwservice:hwservice_manager find;
+allow gnssd radio_device:chr_file rw_file_perms;
+
+# Allow gnssd to acess gnss device
+allow gnssd vendor_gnss_device:chr_file rw_file_perms;
+allow gnssd vendor_gps_file:dir create_dir_perms;
+allow gnssd vendor_gps_file:file create_file_perms;
+allow gnssd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gnssd to obtain wakelock
+wakelock_use(gnssd)
+
+# Allow a base set of permissions required for network access.
+net_domain(gnssd);
+
+# Allow gnssd to get boot complete
+get_prop(gnssd, bootanim_system_prop)
+
+allow gnssd sysfs_soc:file r_file_perms;

gps/lsi/sepolicy/hal_gnss_default.te

@@ -0,0 +1,9 @@
+allow hal_gnss_default fwk_sensor_service:service_manager find;
+allow hal_gnss_default gnssd:unix_stream_socket connectto;
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
+binder_call(hal_gnss_default, gnssd);
+
+#Read GPS property
+get_prop(hal_gnss_default, vendor_gps_prop)

gps/lsi/sepolicy/rild.te

@@ -0,0 +1 @@
+binder_call(rild, gnssd)

gps/lsi/sepolicy/sctd.te

@@ -0,0 +1,3 @@
+type sctd, domain;
+type sctd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(sctd);

gps/lsi/sepolicy/spad.te

@@ -0,0 +1,3 @@
+type spad, domain;
+type spad_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(spad);

gps/lsi/sepolicy/swcnd.te

@@ -0,0 +1,3 @@
+type swcnd, domain;
+type swcnd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(swcnd);

gps/lsi/sepolicy/vendor_init.te

@@ -0,0 +1,2 @@
+# gps vendor property
+set_prop(vendor_init, vendor_gps_prop)