From 91919e0bf04be974475ea0c12b90a2f3bbfddd0c Mon Sep 17 00:00:00 2001
From: Fabian Leutenegger
Date: Tue, 3 Oct 2023 15:26:20 +0200
Subject: [PATCH] vermeer: sepolicy: Add xiaomi citsensorservice and sensorcommunicate policies

Change-Id: I759b9402ac5b2faf666bb62b499924a639585764
---
 sepolicy/vendor/attributes | 8 ++++
 sepolicy/vendor/device.te | 1 +
 sepolicy/vendor/file_contexts | 4 ++
 .../vendor/hal_citsensorservice_xiaomi.te | 48 +++++++++++++++++++
 sepolicy/vendor/hal_display_config.te | 1 +
 sepolicy/vendor/hal_graphics_composer.te | 5 ++
 sepolicy/vendor/hal_sensorcommunicate.te | 24 ++++++++++
 sepolicy/vendor/hwservice_contexts | 3 ++
 sepolicy/vendor/property.te | 6 +++
 sepolicy/vendor/property_contexts | 3 ++
 sepolicy/vendor/system_server.te | 3 ++
 11 files changed, 106 insertions(+)
 create mode 100644 sepolicy/vendor/attributes
 create mode 100644 sepolicy/vendor/device.te
 create mode 100644 sepolicy/vendor/file_contexts
 create mode 100644 sepolicy/vendor/hal_citsensorservice_xiaomi.te
 create mode 100644 sepolicy/vendor/hal_display_config.te
 create mode 100644 sepolicy/vendor/hal_graphics_composer.te
 create mode 100644 sepolicy/vendor/hal_sensorcommunicate.te
 create mode 100644 sepolicy/vendor/hwservice_contexts
 create mode 100644 sepolicy/vendor/property.te
 create mode 100644 sepolicy/vendor/property_contexts
 create mode 100644 sepolicy/vendor/system_server.te

diff --git a/sepolicy/vendor/attributes b/sepolicy/vendor/attributes
new file mode 100644
index 0000000..a1ad1f2
--- /dev/null
+++ b/sepolicy/vendor/attributes
@@ -0,0 +1,8 @@
+# Sensors
+attribute vendor_hal_citsensorservice_xiaomi;
+attribute vendor_hal_citsensorservice_xiaomi_client;
+attribute vendor_hal_citsensorservice_xiaomi_server;
+
+attribute vendor_hal_sensorcommunicate;
+attribute vendor_hal_sensorcommunicate_client;
+attribute vendor_hal_sensorcommunicate_server;
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..5fe11fa
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1 @@
+type vendor_displayfeature_device, dev_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..357d4e6
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,4 @@
+# Sensors
+/(vendor|system/vendor|odm|vendor/odm)/bin/hw/vendor.xiaomi.sensor.citsensorservice@1.1-service u:object_r:vendor_hal_citsensorservice_xiaomi_default_exec:s0
+/(vendor|system/vendor|odm|vendor/odm)/bin/hw/vendor.xiaomi.sensor.citsensorservice@2.0-service u:object_r:vendor_hal_citsensorservice_xiaomi_default_exec:s0
+/(vendor|system/vendor|odm|vendor/odm)/bin/hw/vendor.xiaomi.sensor.communicate@1.0-service u:object_r:vendor_hal_sensorcommunicate_default_exec:s0
diff --git a/sepolicy/vendor/hal_citsensorservice_xiaomi.te b/sepolicy/vendor/hal_citsensorservice_xiaomi.te
new file mode 100644
index 0000000..6c8dd55
--- /dev/null
+++ b/sepolicy/vendor/hal_citsensorservice_xiaomi.te
@@ -0,0 +1,48 @@
+type vendor_hal_citsensorservice_xiaomi_default, domain;
+type vendor_hal_citsensorservice_xiaomi_default_exec, exec_type, file_type, vendor_file_type;
+type vendor_hal_citsensorservice_xiaomi_hwservice, hwservice_manager_type;
+
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:fd *;
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:fd *;
+allow vendor_hal_citsensorservice_xiaomi_default input_device:dir rw_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default input_device:chr_file rw_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_data:file r_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default self:socket create_socket_perms;
+allow vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket create_socket_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:dir r_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:file r_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:dir create_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:file create_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default fwk_sensor_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default system_server:binder call;
+allow vendor_hal_citsensorservice_xiaomi_default system_server:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:dir search;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:file { getattr open read };
+allow vendor_hal_citsensorservice_xiaomi_default vendor_displayfeature_device:chr_file { ioctl open read write };
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_mapper_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:fd *;
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:fd *;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_qdisplay_service:service_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer_default:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder call;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder transfer;
+allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
+allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
+init_daemon_domain(vendor_hal_citsensorservice_xiaomi_default)
+r_dir_file(vendor_hal_citsensorservice_xiaomi_default, mnt_vendor_file)
+get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_displayfeature_prop)
+get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_prop)
+get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_parsedalgo_prop)
+set_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_cct_prop)
+vndbinder_use(vendor_hal_citsensorservice_xiaomi)
+hal_server_domain(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_citsensorservice_xiaomi)
+hal_client_domain(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_allocator)
+add_hwservice(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_hwservice)
diff --git a/sepolicy/vendor/hal_display_config.te b/sepolicy/vendor/hal_display_config.te
new file mode 100644
index 0000000..f4240aa
--- /dev/null
+++ b/sepolicy/vendor/hal_display_config.te
@@ -0,0 +1 @@
+allow vendor_hal_display_config_hwservice vendor_hal_citsensorservice_xiaomi_default:binder transfer;
diff --git a/sepolicy/vendor/hal_graphics_composer.te b/sepolicy/vendor/hal_graphics_composer.te
new file mode 100644
index 0000000..ec5bc83
--- /dev/null
+++ b/sepolicy/vendor/hal_graphics_composer.te
@@ -0,0 +1,5 @@
+allow hal_graphics_composer vendor_hal_citsensorservice_xiaomi_default:binder transfer;
+allow hal_graphics_composer vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
+allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:binder call;
+allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:binder { call transfer };
+allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:fd *;
diff --git a/sepolicy/vendor/hal_sensorcommunicate.te b/sepolicy/vendor/hal_sensorcommunicate.te
new file mode 100644
index 0000000..4f99622
--- /dev/null
+++ b/sepolicy/vendor/hal_sensorcommunicate.te
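Review bot: `vndbinder_use(vendor_hal_citsensorservice_xiaomi)` near the end of the hunk is applied to the HAL attribute rather than to the daemon's domain, so any domain later attached with hal_client_domain(..., vendor_hal_citsensorservice_xiaomi) inherits vndbinder access too; every other macro in this hunk names the domain, so this should read `vndbinder_use(vendor_hal_citsensorservice_xiaomi_default)`. The rules granting `binder { call transfer }` and `fd *` on `vendor_hal_display_config_hwservice` (and the reverse `binder transfer` rule in hal_display_config.te) name a type that the preceding `hwservice_manager find` line treats as a hwservice_manager_type; binder and fd permissions are checked between process domains, so if that type is indeed a hwservice label these rules can never match and the display-config server's domain should be named instead. The client/server block at the top is the literal expansion of `binder_call(vendor_hal_citsensorservice_xiaomi_client, vendor_hal_citsensorservice_xiaomi_server)` and `binder_call(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_client)`, and the same pattern recurs in hal_sensorcommunicate.te; the macro form also spells `fd use` instead of the `fd *` wildcard it resolves to. The `system_server` and `vendor_hal_sensorcommunicate_default` call/transfer pairs further down are likewise candidates for `binder_call`.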
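Review bot: `allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:binder call;` is already covered by the `{ call transfer }` rule on the next line and can be dropped. The three `hal_graphics_composer_default` rules, together with the matching `hal_graphics_composer_default:binder transfer` grant in hal_citsensorservice_xiaomi.te, are the expansion of `binder_call(hal_graphics_composer_default, vendor_hal_citsensorservice_xiaomi_default)`; the macro states the intent in one line and writes `fd use` rather than `fd *`. The first two lines grant the `hal_graphics_composer` attribute while the rest name the concrete `_default` type; choosing one subject consistently avoids widening the grant to every composer implementation by accident.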
@@ -0,0 +1,24 @@
+type vendor_hal_sensorcommunicate_default, domain;
+type vendor_hal_sensorcommunicate_default_exec, exec_type, file_type, vendor_file_type;
+type vendor_hal_sensorcommunicate_hwservice, hwservice_manager_type;
+
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder { call transfer };
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder transfer;
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:fd *;
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_hwservice:hwservice_manager find;
+allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder transfer;
+allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder { call transfer };
+allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:fd *;
+allow vendor_hal_sensorcommunicate_default fwk_sensor_hwservice:hwservice_manager find;
+allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_sensorcommunicate_default system_server:binder call;
+allow vendor_hal_sensorcommunicate_default system_server:binder transfer;
+allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder call;
+allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder transfer;
+allow vendor_hal_sensorcommunicate_default mnt_vendor_file:dir search;
+allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:dir search;
+allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:file { getattr open read };
+init_daemon_domain(vendor_hal_sensorcommunicate_default)
+hwbinder_use(vendor_hal_sensorcommunicate_default)
+hal_server_domain(vendor_hal_sensorcommunicate_default, vendor_hal_sensorcommunicate)
+add_hwservice(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_hwservice)
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..b84b521
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,3 @@
+# Sensors
+vendor.xiaomi.sensor.citsensorservice::ICitSensorService u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
+vendor.xiaomi.sensor.communicate::ISensorCommunicate u:object_r:vendor_hal_sensorcommunicate_hwservice:s0
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..b6f3528
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,6 @@
+# Displayfeature
+vendor_public_prop(vendor_displayfeature_prop)
+
+# Sensors
+vendor_public_prop(vendor_cct_prop)
+vendor_public_prop(vendor_parsedalgo_prop)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..1a401b3
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,3 @@
+# Sensors
+persist.vendor.sensors.parsedalgo. u:object_r:vendor_parsedalgo_prop:s0
+persist.vendor.trigger.cct u:object_r:vendor_cct_prop:s0
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..9d24cd5
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1,3 @@
+# Sensors
+allow system_server vendor_hal_citsensorservice_xiaomi_default:binder { call transfer };
+allow system_server vendor_hal_sensorcommunicate_default:binder { call transfer };
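Review bot: The `system_server` and `vendor_hal_citsensorservice_xiaomi_default` call/transfer pairs in the middle of the hunk are hand-expanded binder grants that omit the `fd use` half the `binder_call` macro provides, and the two HAL files end up describing the same relationship in different shapes; `binder_call(vendor_hal_sensorcommunicate_default, system_server)` and `binder_call(vendor_hal_sensorcommunicate_default, vendor_hal_citsensorservice_xiaomi_default)` would replace the four lines and keep the files consistent. `hwbinder_use` is applied to the concrete domain here, whereas hal_citsensorservice_xiaomi.te applies `vndbinder_use` to its whole HAL attribute; the concrete-domain form used here is the tighter one and the sibling file should follow it. `vendor_persist_sensors_file:file { getattr open read }` is what `r_file_perms` expands to, and the sibling file already uses that macro for equivalent read-only access.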
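Review bot: Both rules let system_server call into the vendor HAL domains by naming the concrete `_default` types, which is exactly the relationship the `vendor_hal_*_client` attributes introduced in this commit exist to express; `hal_client_domain(system_server, vendor_hal_citsensorservice_xiaomi)` and `hal_client_domain(system_server, vendor_hal_sensorcommunicate)` would give system_server the `hwservice_manager find` and both binder directions through the attribute rules already present in the two HAL files. As written, system_server receives `binder { call transfer }` here while the reverse `call`/`transfer` grants live in hal_citsensorservice_xiaomi.te and hal_sensorcommunicate.te, so one client/server relationship is spread over three files and none of them grants `fd use`. If the direct-type form is kept deliberately, a comment stating why the client attribute is not used would save the next reader the same question.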