msm8974-common: sepolicy: Label sysfs_sec_* types, resolve denials

* Rename sysfs_sec type to sysfs_sec_key
* Add additional sysfs_sec_* types as appropriate

* avc: denied { read } for name="temp_adc" dev="sysfs" ino=10538
  scontext=u:r:hal_sensors_default:s0
  tcontext=u:object_r:sysfs_sec_thermistor:s0 tclass=file permissive=1
* avc: denied { open } for name="temp_adc" dev="sysfs" ino=10538
  scontext=u:r:hal_sensors_default:s0
  tcontext=u:object_r:sysfs_sec_thermistor:s0 tclass=file permissive=1
* avc: denied { write } for name="ir_send" dev="sysfs" ino=21339
  scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_sec_ir:s0
  tclass=file permissive=1
* avc: denied { write } for name="led_blink" dev="sysfs" ino=25722
  scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_sec_led:s0
  tclass=file permissive=1
* avc: denied { write } for name="brightness" dev="sysfs" ino=23467
  scontext=u:r:system_server:s0
  tcontext=u:object_r:sysfs_sec_touchkey:s0 tclass=file permissive=1
* avc: denied { setattr } for name="ir_send" dev="sysfs" ino=21339
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_ir:s0 tclass=file
  permissive=1
* avc: denied { setattr } for name="hall_irq_ctrl" dev="sysfs"
  ino=29565 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_key:s0
  tclass=file permissive=1
* avc: denied { setattr } for name="epen_firm_update" dev="sysfs"
  ino=23585 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_epen:s0
  tclass=file permissive=1
* avc: denied { setattr } for name="cmd" dev="sysfs" ino=23756
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_tsp:s0
  tclass=file permissive=1
* avc: denied { write } for name="wakeup_keys" dev="sysfs" ino=29568
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_key:s0
  tclass=file permissive=1
* avc: denied { open } for name="wakeup_keys" dev="sysfs" ino=29568
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_key:s0
  tclass=file permissive=1
* avc: denied { read } for name="input" dev="sysfs" ino=24012
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_tsp:s0
  tclass=lnk_file permissive=0
* avc: denied { setattr } for name="waketime" dev="sysfs" ino=29035
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_bamdmux:s0
  tclass=file permissive=0
* avc: denied { setattr } for name="led_r" dev="sysfs" ino=25719
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_led:s0
  tclass=file permissive=0
* avc: denied { setattr } for name="usb_sel" dev="sysfs" ino=28162
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_switch:s0
  tclass=file permissive=0
* avc: denied { setattr } for name="brightness" dev="sysfs" ino=23468
  scontext=u:r:init:s0 tcontext=u:object_r:sysfs_sec_touchkey:s0
  tclass=file permissive=0
* avc: denied { setattr } for name="temperature" dev="sysfs"
  ino=10538 scontext=u:r:init:s0
  tcontext=u:object_r:sysfs_sec_thermistor:s0 tclass=file
  permissive=0
* avc: denied { setattr } for name="barcode_send" dev="sysfs"
  ino=19231 scontext=u:r:init:s0
  tcontext=u:object_r:sysfs_sec_barcode_emul:s0 tclass=file
  permissive=0

Change-Id: I66b6d2aab875a2706f2730be9755e8d9805ffb6e

sepolicy/common/file.te

@@ -5,7 +5,16 @@ type sysfs_hal_pwr, fs_type, sysfs_type;
 type sysfs_iio, fs_type, sysfs_type;
 type sysfs_input, fs_type, sysfs_type;
 type sysfs_mdnie, fs_type, sysfs_type;
-type sysfs_sec, fs_type, sysfs_type;
+type sysfs_sec_bamdmux, fs_type, sysfs_type;
+type sysfs_sec_barcode_emul, fs_type, sysfs_type;
+type sysfs_sec_epen, fs_type, sysfs_type;
+type sysfs_sec_ir, fs_type, sysfs_type;
+type sysfs_sec_key, fs_type, sysfs_type;
+type sysfs_sec_led, fs_type, sysfs_type;
+type sysfs_sec_switch, fs_type, sysfs_type;
+type sysfs_sec_thermistor, fs_type, sysfs_type;
+type sysfs_sec_touchkey, fs_type, sysfs_type;
+type sysfs_sec_tsp, fs_type, sysfs_type;
 type sysfs_wifi_writeable, fs_type, sysfs_type;
 
 type bt_fw_file, file_type;

sepolicy/common/file_contexts

@@ -33,7 +33,6 @@
 /sys/devices/platform/bcm[0-9]+_bluetooth/rfkill/rfkill0/state   u:object_r:sysfs_bluetooth_writable:s0
 /sys/devices/virtual/camera(/.*)?                                u:object_r:sysfs_camera:s0
 /sys/devices/virtual/input(/.*)?                                 u:object_r:sysfs_input:s0
-/sys/devices/virtual/sec/sec_key/hall_irq_ctrl                   u:object_r:sysfs_sec:s0
 /sys/module/dhd/parameters/firmware_path                         u:object_r:sysfs_wifi_writeable:s0
 /sys/module/dhd/parameters/nvram_path                            u:object_r:sysfs_wifi_writeable:s0
 
@@ -60,3 +59,15 @@
 
 # sysfs - mdnie
 /sys/devices/virtual/mdnie/mdnie(/.*)?                  u:object_r:sysfs_mdnie:s0
+
+# sysfs - sec
+/sys/devices/platform/sec-thermistor(/.*)?              u:object_r:sysfs_sec_thermistor:s0
+/sys/devices/virtual/sec/bamdmux(/.*)?                  u:object_r:sysfs_sec_bamdmux:s0
+/sys/devices/virtual/sec/led(/.*)?                      u:object_r:sysfs_sec_led:s0
+/sys/devices/virtual/sec/sec_barcode_emul(/.*)?         u:object_r:sysfs_sec_barcode_emul:s0
+/sys/devices/virtual/sec/sec_epen(/.*)?                 u:object_r:sysfs_sec_epen:s0
+/sys/devices/virtual/sec/sec_ir(/.*)?                   u:object_r:sysfs_sec_ir:s0
+/sys/devices/virtual/sec/sec_key(/.*)?                  u:object_r:sysfs_sec_key:s0
+/sys/devices/virtual/sec/sec_touchkey(/.*)?             u:object_r:sysfs_sec_touchkey:s0
+/sys/devices/virtual/sec/switch(/.*)?                   u:object_r:sysfs_sec_switch:s0
+/sys/devices/virtual/sec/tsp(/.*)?                      u:object_r:sysfs_sec_tsp:s0

sepolicy/common/hal_sensors_default.te

@@ -12,6 +12,7 @@ allow hal_sensors_default {
 allow hal_sensors_default {
     sysfs_batteryinfo
     sysfs_graphics
+    sysfs_sec_thermistor
 }:file r_file_perms;
 
 allow hal_sensors_default {

sepolicy/common/init.te

@@ -1,9 +1,14 @@
-allow init sysfs_iio:lnk_file read;
+allow init {
+    sysfs_iio
+    sysfs_sec_tsp
+}:lnk_file read;
 
 allow init sysfs_input:file rw_file_perms;
 
 allow init sysfs_graphics:file r_file_perms;
 
+allow init sysfs_sec_key:file w_file_perms;
+
 allow init {
     sysfs_batteryinfo
     sysfs_graphics
@@ -11,4 +16,14 @@ allow init {
     sysfs_input
     sysfs_leds
     sysfs_mdnie
+    sysfs_sec_bamdmux
+    sysfs_sec_barcode_emul
+    sysfs_sec_epen
+    sysfs_sec_ir
+    sysfs_sec_key
+    sysfs_sec_led
+    sysfs_sec_switch
+    sysfs_sec_thermistor
+    sysfs_sec_touchkey
+    sysfs_sec_tsp
 }:file setattr;

sepolicy/common/rild.te

@@ -5,4 +5,4 @@ allow rild radio_data_file:file create_file_perms;
 allow rild radio_data_file:lnk_file read;
 
 allow rild proc_net:file w_file_perms;
-allow rild sysfs_sec:file rw_file_perms;
+allow rild sysfs_sec_key:file rw_file_perms;

sepolicy/common/system_server.te

@@ -11,3 +11,9 @@ allow system_server qmuxd_socket:sock_file { create setattr write };
 allow system_server qti_debugfs:file r_file_perms;
 allow system_server sensors_device:chr_file r_file_perms;
 allow system_server sysfs_mdnie:file rw_file_perms;
+
+allow system_server {
+    sysfs_sec_ir
+    sysfs_sec_led
+    sysfs_sec_touchkey
+}:file w_file_perms;