msm8974-common: sepolicy: Import common sepolicy from klte-common

* The bulk of the device family policy was common and applicable
  to all Samsung msm8974-devices. Move that common stuff here to
  ease maintenance.

Change-Id: I86516adfb1b9c55a6959a7faf4ee424a4b3385c8

BoardConfigCommon.mk

@@ -66,6 +66,9 @@ TARGET_FS_CONFIG_GEN := device/samsung/msm8974-common/config.fs
 DEVICE_MANIFEST_FILE := device/samsung/msm8974-common/manifest.xml
 DEVICE_MATRIX_FILE := device/samsung/msm8974-common/compatibility_matrix.xml
 
+# SELinux
+include device/samsung/msm8974-common/sepolicy/sepolicy.mk
+
 # Init
 TARGET_INIT_VENDOR_LIB := libinit_msm8974
 TARGET_RECOVERY_DEVICE_MODULES := libinit_msm8974

sepolicy/common/bluetooth.te

@@ -0,0 +1,6 @@
+allow bluetooth bluetooth_device:chr_file rw_file_perms;
+allow bluetooth bt_fw_file:file r_file_perms;
+allow bluetooth firmware_file:dir r_dir_perms;
+allow bluetooth proc_bt_sleep:dir search;
+allow bluetooth proc_bt_sleep:file w_file_perms;
+allow bluetooth wifi_data_file:file r_file_perms;

sepolicy/common/cameraserver.te

@@ -0,0 +1,2 @@
+allow cameraserver camera_socket:sock_file w_file_perms;
+allow cameraserver vendor_file:file execmod;

sepolicy/common/device.te

@@ -0,0 +1,2 @@
+type bluetooth_device, dev_type;
+type efs_block_device, dev_type;

sepolicy/common/file.te

@@ -0,0 +1,8 @@
+type proc_bt_sleep, fs_type;
+
+type sysfs_sec, fs_type, sysfs_type;
+type sysfs_wifi_writeable, fs_type, sysfs_type;
+
+type bt_fw_file, file_type;
+type nfc_fw_file, file_type;
+type wifi_efs_file, file_type;

sepolicy/common/file_contexts

@@ -0,0 +1,37 @@
+# block devices
+/dev/block/platform/msm_sdcc\.1/by-name/efs             u:object_r:efs_block_device:s0
+/dev/block/platform/msm_sdcc\.1/by-name/fota            u:object_r:misc_block_device:s0
+
+# data files
+/data/.cid.info                                         u:object_r:wifi_data_file:s0
+/data/.wifiver.info                                     u:object_r:wifi_data_file:s0
+
+# device nodes
+/dev/batch_io                                           u:object_r:sensors_device:s0
+/dev/bcm2079x                                           u:object_r:nfc_device:s0
+/dev/btlock                                             u:object_r:bluetooth_device:s0
+/dev/pn547                                              u:object_r:nfc_device:s0
+/dev/rfkill                                             u:object_r:wlan_device:s0
+/dev/sec-nfc                                            u:object_r:nfc_device:s0
+
+# efs files
+/efs/bluetooth(/.*)?                                    u:object_r:bluetooth_efs_file:s0
+/efs/wifi(/.*)?                                         u:object_r:wifi_efs_file:s0
+
+# executeables
+/system/vendor/bin/macloader                            u:object_r:macloader_exec:s0
+
+# firmware
+/system/vendor/firmware/bcm(.*).hcd                     u:object_r:bt_fw_file:s0
+/system/vendor/firmware/bcm2079x(.*).ncd                u:object_r:nfc_fw_file:s0
+/system/vendor/firmware/libpn547_fw.so                  u:object_r:nfc_fw_file:s0
+
+# sockets
+/data/cam_socket3                                       u:object_r:camera_socket:s0
+
+# sysfs
+/sys/devices/battery.[0-9]+/power_supply/battery(/.*)?           u:object_r:sysfs_batteryinfo:s0
+/sys/module/dhd/parameters/firmware_path                         u:object_r:sysfs_wifi_writeable:s0
+/sys/module/dhd/parameters/nvram_path                            u:object_r:sysfs_wifi_writeable:s0
+/sys/devices/platform/bcm[0-9]+_bluetooth/rfkill/rfkill0/state   u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/virtual/sec/sec_key/hall_irq_ctrl                   u:object_r:sysfs_sec:s0

sepolicy/common/fsck.te

@@ -0,0 +1,2 @@
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;

sepolicy/common/fsck_untrusted.te

@@ -0,0 +1,2 @@
+# /data/media
+allow fsck_untrusted media_rw_data_file:dir getattr;

sepolicy/common/genfs_contexts

@@ -0,0 +1 @@
+genfscon proc /bluetooth/sleep u:object_r:proc_bt_sleep:s0

sepolicy/common/hal_wifi_default.te

@@ -0,0 +1,5 @@
+r_dir_file(hal_wifi_default, wifi_efs_file)
+
+allow hal_wifi_default efs_file:dir search;
+allow hal_wifi_default sysfs_wifi_writeable:file w_file_perms;
+allow hal_wifi_default wifi_data_file:file r_file_perms;

sepolicy/common/hal_wifi_supplicant_default.te

@@ -0,0 +1 @@
+allow hal_wifi_supplicant_default wlan_device:chr_file r_file_perms;

sepolicy/common/init.te

@@ -0,0 +1,2 @@
+# Required to load shim libraries
+allow init { domain -lmkd -crash_dump }:process noatsecure;

sepolicy/common/macloader.te

@@ -0,0 +1,12 @@
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+init_daemon_domain(macloader)
+
+type_transition macloader system_data_file:file wifi_data_file ".cid.info";
+
+r_dir_file(macloader, wifi_efs_file)
+
+allow macloader efs_file:dir search;
+allow macloader sysfs_wifi_writeable:file w_file_perms;
+allow macloader system_data_file:dir w_dir_perms;
+allow macloader wifi_data_file:file create_file_perms;

sepolicy/common/mediaextractor.te

@@ -0,0 +1,5 @@
+allow mediaextractor exfat:file r_file_perms;
+allow mediaextractor ntfs:file r_file_perms;
+allow mediaextractor sdcard_posix:file r_file_perms;
+allow mediaextractor sdcardfs:file r_file_perms;
+allow mediaextractor vfat:file r_file_perms;

sepolicy/common/mediaprovider.te

@@ -0,0 +1,2 @@
+allow mediaprovider cache_private_backup_file:dir getattr;
+allow mediaprovider cache_recovery_file:dir r_dir_perms;

sepolicy/common/mediaserver.te

@@ -0,0 +1,4 @@
+allow mediaserver camera_socket:sock_file write;
+allow mediaserver mm-qcamerad:unix_dgram_socket sendto;
+allow mediaserver thermal-engine:unix_stream_socket connectto;
+allow mediaserver vendor_file:file execmod;

sepolicy/common/mm-qcamerad.te

@@ -0,0 +1,8 @@
+type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket3";
+
+#allow mm-qcamerad camera_socket:sock_file create_file_perms;
+
+# Allow mm-qcamera-daemon to create the socket camera_socket
+allow mm-qcamerad system_data_file:dir w_dir_perms;
+
+allow mm-qcamerad vendor_file:file execmod;

sepolicy/common/mpdecision.te

@@ -0,0 +1,2 @@
+allow mpdecision mpctl_data_file:dir w_dir_perms;
+allow mpdecision mpctl_data_file:sock_file create_file_perms;

sepolicy/common/nfc.te

@@ -0,0 +1 @@
+allow nfc nfc_fw_file:file rx_file_perms;

sepolicy/common/priv_app.te

@@ -0,0 +1,5 @@
+get_prop(priv_app, camera_prop)
+get_prop(priv_app, qemu_hw_mainkeys_prop)
+
+allow priv_app device:dir r_dir_perms;
+allow priv_app proc_interrupts:file r_file_perms;

sepolicy/common/property_contexts

@@ -0,0 +1 @@
+service.camera.hdmi_preview                      u:object_r:camera_prop:s0

sepolicy/common/rild.te

@@ -0,0 +1,8 @@
+set_prop(rild, net_radio_prop)
+
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+allow rild radio_data_file:lnk_file read;
+
+allow rild proc_net:file w_file_perms;
+allow rild sysfs_sec:file rw_file_perms;

sepolicy/common/system_server.te

@@ -0,0 +1,12 @@
+get_prop(system_server, alarm_boot_prop)
+
+allow system_server efs_file:dir search;
+allow system_server efs_file:file r_file_perms;
+allow system_server mpctl_data_file:dir search;
+allow system_server mpctl_data_file:sock_file w_file_perms;
+allow system_server mpdecision:unix_stream_socket connectto;
+allow system_server qmuxd:unix_stream_socket connectto;
+allow system_server qmuxd_socket:dir w_dir_perms;
+allow system_server qmuxd_socket:sock_file { create setattr write };
+allow system_server qti_debugfs:file r_file_perms;
+allow system_server sensors_device:chr_file r_file_perms;

sepolicy/common/thermal-engine.te

@@ -0,0 +1,3 @@
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-send-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-client";
+type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-passive-client";

sepolicy/common/vold.te

@@ -0,0 +1,2 @@
+allow vold efs_file:dir rw_dir_perms;
+allow vold efs_file:file create;

sepolicy/sepolicy.mk

@@ -0,0 +1,22 @@
+#
+# Copyright (C) 2018 The LineageOS Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include device/qcom/sepolicy/sepolicy.mk
+include device/qcom/sepolicy/legacy-sepolicy.mk
+
+# Board specific SELinux policy variable definitions
+BOARD_SEPOLICY_DIRS += \
+    device/samsung/msm8974-common/sepolicy/common