sm6225-common: Import base sepolicy from moto sm8250-common

- Imported from https://github.com/LineageOS/android_device_motorola_sm8250-common/tree/lineage-19.1/sepolicy HEAD ed02954834ecc70cee043170b1322dff5cd491b8
- Adapted and cleaned up.

Change-Id: I2e8cd6419c740c0e05ecb6fcd4db8b743e5ac229

BoardConfigCommon.mk

@@ -171,6 +171,8 @@ VENDOR_SECURITY_PATCH := 2023-02-01
 
 # Sepolicy
 include device/qcom/sepolicy_vndr/SEPolicy.mk
+BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
+PRODUCT_PRIVATE_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/private
 
 # Verified Boot
 BOARD_AVB_ENABLE := true

sepolicy/private/permissioncontroller_app.te

@@ -0,0 +1 @@
+allow permissioncontroller_app tethering_service:service_manager find;

sepolicy/private/platform_app.te

@@ -0,0 +1 @@
+hal_client_domain(platform_app, vendor_hal_soter);

sepolicy/private/radio.te

@@ -0,0 +1,2 @@
+allow radio mot_radio_service:service_manager { add find };
+allow radio mot_system_service:service_manager find;

sepolicy/private/service.te

@@ -0,0 +1,2 @@
+type mot_radio_service, service_manager_type;
+type mot_system_service, service_manager_type;

sepolicy/private/service_contexts

@@ -0,0 +1,2 @@
+motoexttelephony                          u:object_r:mot_radio_service:s0
+moto_ext_telephony.registry               u:object_r:mot_system_service:s0

sepolicy/private/vendor_qtelephony.te

@@ -0,0 +1,2 @@
+allow vendor_qtelephony mot_radio_service:service_manager find;
+allow vendor_qtelephony mot_system_service:service_manager find;

sepolicy/vendor/device.te

@@ -0,0 +1,10 @@
+# Fingerprint
+type etsd_device, dev_type;
+
+# Moto partitions
+type vendor_hw_block_device, dev_type;
+type vendor_prodpersist_block_device, dev_type;
+type vendor_utags_block_device, dev_type;
+
+# Thermal
+type vendor_thermal_device, dev_type;

sepolicy/vendor/domain.te

@@ -0,0 +1 @@
+get_prop({domain -coredomain -appdomain}, vendor_mot_hw_prop)

sepolicy/vendor/file.te

@@ -0,0 +1,26 @@
+# Camera
+type vendor_persist_camera_file, file_type, vendor_persist_type;
+
+# Cutback
+type cutback_data_file, file_type, data_file_type;
+type cutback_socket, file_type;
+
+# Fingerprint
+type vendor_persist_fps_file, file_type, vendor_persist_type;
+
+# Input Devices
+type vendor_sysfs_input, sysfs_type, fs_type;
+
+# Motorola
+type proc_moto_boot, proc_type, fs_type;
+type vendor_motobox_exec, exec_type, vendor_file_type, file_type;
+type vendor_proc_hw, proc_type, fs_type;
+
+# Partitions
+type fsg_file, file_type, contextmount_type, vendor_file_type;
+
+# Power
+type proc_sched_lib_mask_cpuinfo, proc_type, fs_type;
+
+# Touchscreen
+type vendor_sysfs_touchpanel, fs_type, sysfs_type;

sepolicy/vendor/file_contexts

@@ -0,0 +1,46 @@
+# A/B partitions
+/dev/block/platform/soc/4804000\.ufshc/by-name/fsg_[ab]         u:object_r:vendor_modem_efs_partition_device:s0
+/dev/block/platform/soc/4804000\.ufshc/by-name/logo_[ab]        u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/4804000\.ufshc/by-name/prov_[ab]        u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/4804000\.ufshc/by-name/storsec_[ab]     u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/4804000\.ufshc/by-name/vendor_boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/soc/4804000\.ufshc/sd[df]                   u:object_r:vendor_gpt_block_device:s0
+
+# UFS Devices
+/dev/block/platform/soc/4804000\.ufshc/by-name/hw               u:object_r:vendor_hw_block_device:s0
+/dev/block/platform/soc/4804000\.ufshc/by-name/prodpersist      u:object_r:vendor_prodpersist_block_device:s0
+/dev/block/platform/soc/4804000\.ufshc/by-name/utags            u:object_r:vendor_utags_block_device:s0
+/dev/block/platform/soc/4804000\.ufshc/by-name/utagsBackup      u:object_r:vendor_utags_block_device:s0
+
+# Partition Mountpoints
+/(vendor|system/vendor)/fsg                             u:object_r:fsg_file:s0
+
+# Camera
+/(mnt/vendor/persist|persist)/camera(/.*)?              u:object_r:vendor_persist_camera_file:s0
+/(vendor|system/vendor)/lib64/libipebpsstriping\.so     u:object_r:same_process_hal_file:s0
+/data/vendor/misc/imager                                u:object_r:vendor_camera_data_file:s0
+/sys/devices/platform/soc/soc:qcom,cam-req-mgr/video4linux/video[0-33]/name(/.*)?       u:object_r:vendor_sysfs_jpeg:s0
+
+# Fingerprint
+/(mnt/vendor/persist|persist)/egis(/.*)?                u:object_r:vendor_persist_fps_file:s0
+/(mnt/vendor/persist|persist)/fps(/.*)?                 u:object_r:vendor_persist_fps_file:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service-ets              u:object_r:hal_fingerprint_default_exec:s0
+/data/vendor/.fps(/.*)?                                 u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/fpc(/.*)?                                  u:object_r:fingerprint_vendor_data_file:s0
+/dev/esfp0                                              u:object_r:etsd_device:s0
+
+# Motobox
+/(vendor|system/vendor)/bin/motobox                     u:object_r:vendor_motobox_exec:s0
+
+# Radio
+/data/vendor/misc/cutback(/.*)?                         u:object_r:cutback_data_file:s0
+/dev/socket/cutback                                     u:object_r:cutback_socket:s0
+
+# Thermal
+/dev/mmi_sys_temp                                       u:object_r:vendor_thermal_device:s0
+
+# Vendor init scripts
+/(vendor|system/vendor)/bin/init\.mmi\.laser\.sh                u:object_r:vendor_mmi_laser_exec:s0
+/(vendor|system/vendor)/bin/init\.mmi\.touch\.sh                u:object_r:vendor_init_touch_exec:s0
+/(vendor|system/vendor)/bin/init\.oem\.fingerprint2\.sh         u:object_r:vendor_init_fingerprint_exec:s0
+/(vendor|system/vendor)/bin/init\.oem\.hw\.sh                   u:object_r:vendor_init_hw_exec:s0

sepolicy/vendor/genfs_contexts

@@ -0,0 +1,17 @@
+# Camera
+genfscon sysfs /devices/platform/cam_sync/video4linux/video1/name               u:object_r:sysfs_graphics:s0
+
+# Input Devices
+genfscon sysfs /devices/virtual/input                                           u:object_r:vendor_sysfs_input:s0
+
+# Motorola
+genfscon proc /bootinfo                                                         u:object_r:proc_moto_boot:s0
+genfscon proc /config                                                           u:object_r:vendor_proc_hw:s0
+genfscon proc /hw                                                               u:object_r:vendor_proc_hw:s0
+
+# PowerHal
+genfscon proc /sys/kernel/sched_lib_name                                        u:object_r:proc_sched_lib_mask_cpuinfo:s0
+genfscon proc /sys/kernel/sched_lib_mask_force                                  u:object_r:proc_sched_lib_mask_cpuinfo:s0
+
+# Touchscreen
+genfscon sysfs /class/touchscreen                                               u:object_r:vendor_sysfs_touchpanel:s0

sepolicy/vendor/hal_bootctl_default.te

@@ -0,0 +1,8 @@
+allow hal_bootctl_default vendor_uefi_block_device:blk_file getattr;
+allow hal_bootctl_default {
+    vendor_efs_boot_dev
+    vendor_modem_efs_partition_device
+}:blk_file rw_file_perms;
+
+# We never apply OTAs when GSI is running
+dontaudit hal_bootctl_default gsi_metadata_file:dir search;

sepolicy/vendor/hal_camera_default.te

@@ -0,0 +1,20 @@
+# Allow hal_camera_default to read to mnt/vendor/persist
+allow hal_camera_default mnt_vendor_file:dir search;
+
+# Allow hal_camera_default to call system_server
+binder_call(hal_camera_default, system_server)
+
+# STM Prox Sensor
+allow hal_camera_default vendor_sysfs_laser:file rw_file_perms;
+allow hal_camera_default input_device:chr_file r_file_perms;
+allow hal_camera_default input_device:dir r_dir_perms;
+
+r_dir_file(hal_camera_default, vendor_sysfs_input)
+r_dir_file(hal_camera_default, vendor_persist_camera_file)
+r_dir_file(hal_camera_default, vendor_sysfs_battery_supply)
+
+# (X)DSP
+allow hal_camera_default vendor_xdsp_device:chr_file r_file_perms;
+
+# QSPM hal service for accessing camera info
+hal_client_domain(hal_camera_default, vendor_hal_qspmhal)

sepolicy/vendor/hal_fingerprint_default.te

@@ -0,0 +1,12 @@
+allow hal_fingerprint_default {
+  etsd_device
+  tee_device
+}: chr_file rw_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+r_dir_file(hal_fingerprint_default, firmware_file)
+get_prop(hal_fingerprint_default, build_bootimage_prop)
+set_prop(hal_fingerprint_default, vendor_mot_fingerprint_prop)
+allow hal_fingerprint_default vendor_sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;

sepolicy/vendor/hal_nfc_default.te

@@ -0,0 +1,4 @@
+add_hwservice(hal_nfc_default, nxpese_hwservice)
+add_hwservice(hal_nfc_default, nxpnfc_hwservice)
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;

sepolicy/vendor/hal_power_default.te

@@ -0,0 +1,2 @@
+allow hal_power_default vendor_sysfs_touchpanel:dir search;
+allow hal_power_default vendor_sysfs_touchpanel:file rw_file_perms;

sepolicy/vendor/hal_sensors_default.te

@@ -0,0 +1,5 @@
+allow hal_sensors_default vendor_sysfs_laser:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_laser:file { setattr rw_file_perms };
+
+allow hal_sensors_default vendor_sysfs_input:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_input:file rw_file_perms;

sepolicy/vendor/hwservice.te

@@ -0,0 +1,2 @@
+type nxpese_hwservice, hwservice_manager_type;
+type nxpnfc_hwservice, hwservice_manager_type;

sepolicy/vendor/hwservice_contexts

@@ -0,0 +1,7 @@
+# Fingerprint
+com.motorola.hardware.biometric.fingerprint::IMotoFingerPrint           u:object_r:hal_fingerprint_hwservice:s0
+com.motorola.hardware.biometric.fingerprint::IMotoFingerPrintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+
+# NFC
+vendor.nxp.nxpese::INxpEse                                              u:object_r:nxpese_hwservice:s0
+vendor.nxp.nxpnfc::INxpNfc                                              u:object_r:nxpnfc_hwservice:s0

sepolicy/vendor/init.te

@@ -0,0 +1,23 @@
+# Super modem mounting
+allow fsg_file self:filesystem associate;
+allow init fsg_file:dir mounton;
+allow init fsg_file:filesystem { getattr mount relabelfrom unmount };
+allow init firmware_file:filesystem unmount;
+
+# Allow init to access loop devices
+allow init loop_device:blk_file { create setattr unlink };
+allowxperm init loop_device:blk_file ioctl {
+  LOOP_GET_STATUS64
+  LOOP_GET_STATUS
+  LOOP_SET_STATUS64
+  LOOP_SET_STATUS
+  BLKFLSBUF
+};
+
+# Product persist
+allow init mnt_product_file:dir mounton;
+
+recovery_only(`
+  allow init self:capability sys_module;
+  allow init rootfs:system module_load;
+')

sepolicy/vendor/installd.te

@@ -0,0 +1,3 @@
+allow installd bt_firmware_file:filesystem quotaget;
+allow installd firmware_file:filesystem quotaget;
+allow installd fsg_file:filesystem quotaget;

sepolicy/vendor/kernel.te

@@ -0,0 +1,7 @@
+allow kernel block_device:dir search;
+
+allow kernel kernel:capability kill;
+allow kernel {
+	vendor_hw_block_device
+	vendor_utags_block_device
+}:blk_file rw_file_perms;

sepolicy/vendor/property.te

@@ -0,0 +1,4 @@
+# Motorola
+vendor_internal_prop(vendor_mot_fingerprint_prop);
+vendor_internal_prop(vendor_mot_hw_prop);
+vendor_internal_prop(vendor_mot_touch_prop);

sepolicy/vendor/property_contexts

@@ -0,0 +1,16 @@
+# Radio
+vendor.ril.                u:object_r:vendor_radio_prop:s0
+
+# Motorola
+ro.vendor.hw.              u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.mot.gki.         u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.device   u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.hardware.sku.variant          u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.model    u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.name     u:object_r:vendor_mot_hw_prop:s0
+vendor.hw.touch.status     u:object_r:vendor_mot_touch_prop:s0
+
+# Motorola fingerprint
+persist.vendor.hardware.fingerprint            u:object_r:vendor_mot_fingerprint_prop:s0
+vendor.hw.fps.ident                            u:object_r:vendor_mot_fingerprint_prop:s0
+vendor.hw.fingerprint.status                   u:object_r:vendor_mot_fingerprint_prop:s0

sepolicy/vendor/rild.te

@@ -0,0 +1,8 @@
+get_prop(rild, vendor_radio_prop)
+get_prop(rild, wifi_hal_prop)
+allow rild fwk_sensor_hwservice:hwservice_manager find;
+allow rild input_device:chr_file r_file_perms;
+allow rild input_device:dir rw_dir_perms;
+allow rild proc_moto_boot:file r_file_perms;
+allow rild cutback_data_file:dir rw_dir_perms;
+allow rild cutback_data_file:sock_file create_file_perms;

sepolicy/vendor/update_engine_common.te

@@ -0,0 +1,5 @@
+allow update_engine_common fsg_file:filesystem getattr;
+allow update_engine_common {
+    vendor_efs_boot_dev
+    vendor_modem_efs_partition_device
+}:blk_file rw_file_perms;

sepolicy/vendor/vendor_dataservice_app.te

@@ -0,0 +1 @@
+allow vendor_dataservice_app vendor_hal_imsfactory_hwservice:hwservice_manager find;

sepolicy/vendor/vendor_hal_perf_default.te

@@ -0,0 +1 @@
+allow vendor_hal_perf_default proc_sched_lib_mask_cpuinfo:file rw_file_perms;

sepolicy/vendor/vendor_init.te

@@ -0,0 +1,5 @@
+set_prop(vendor_init, vendor_camera_prop)
+set_prop(vendor_init, vendor_ims_prop)
+set_prop(vendor_init, vendor_mot_hw_prop)
+
+allow vendor_init proc_sched_lib_mask_cpuinfo:file w_file_perms;

sepolicy/vendor/vendor_init_fingerprint.te

@@ -0,0 +1,14 @@
+type vendor_init_fingerprint, domain;
+type vendor_init_fingerprint_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_init_fingerprint)
+
+allow vendor_init_fingerprint self:capability { kill sys_module };
+allow vendor_init_fingerprint vendor_file:system module_load;
+allow vendor_init_fingerprint vendor_toolbox_exec:file rx_file_perms;
+allow vendor_init_fingerprint vendor_persist_fps_file:file create_file_perms;
+allow vendor_init_fingerprint vendor_persist_fps_file:dir rw_dir_perms;
+allow vendor_init_fingerprint mnt_vendor_file:dir search;
+allow vendor_init_fingerprint vendor_sysfs_fingerprint:file { getattr setattr };
+
+set_prop(vendor_init_fingerprint, ctl_start_prop)
+set_prop(vendor_init_fingerprint, vendor_mot_fingerprint_prop)

sepolicy/vendor/vendor_init_hw.te

@@ -0,0 +1,16 @@
+type vendor_init_hw, domain;
+type vendor_init_hw_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_init_hw)
+
+allow vendor_init_hw self:capability sys_module;
+allow vendor_init_hw vendor_file:system module_load;
+
+allow vendor_init_hw vendor_proc_hw:dir r_dir_perms;
+allow vendor_init_hw vendor_proc_hw:file rw_file_perms;
+
+allow vendor_init_hw vendor_motobox_exec:file rx_file_perms;
+allow vendor_init_hw vendor_toolbox_exec:file rx_file_perms;
+
+set_prop(vendor_init_hw, vendor_mot_hw_prop)
+set_prop(vendor_init_hw, vendor_mot_touch_prop)
+set_prop(vendor_init_hw, vendor_radio_prop)

sepolicy/vendor/vendor_init_touch.te

@@ -0,0 +1,10 @@
+type vendor_init_touch, domain;
+type vendor_init_touch_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_init_touch)
+
+allow vendor_init_touch vendor_toolbox_exec:file rx_file_perms;
+
+r_dir_file(vendor_init_touch, vendor_sysfs_touchpanel)
+allow vendor_init_touch vendor_sysfs_touchpanel:file setattr;
+
+set_prop(vendor_init_touch, vendor_mot_touch_prop)

sepolicy/vendor/vendor_mdm_helper.te

@@ -0,0 +1,4 @@
+get_prop(vendor_mdm_helper, vendor_radio_prop)
+
+allow vendor_mdm_helper { mnt_vendor_file vendor_persist_rfs_file }:dir search;
+allow vendor_mdm_helper vendor_persist_rfs_file:file rw_file_perms;

sepolicy/vendor/vendor_mmi_laser.te

@@ -0,0 +1,16 @@
+type vendor_mmi_laser, domain;
+type vendor_mmi_laser_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_mmi_laser)
+
+allow vendor_mmi_laser vendor_sysfs_laser:dir r_dir_perms;
+allow vendor_mmi_laser vendor_sysfs_laser:file { setattr rw_file_perms };
+
+allow vendor_mmi_laser self:capability { chown fsetid };
+
+allow vendor_mmi_laser vendor_sysfs_input:dir r_dir_perms;
+
+allow vendor_mmi_laser mnt_vendor_file:dir search;
+allow vendor_mmi_laser vendor_persist_camera_file:dir search;
+allow vendor_mmi_laser vendor_persist_camera_file:file { setattr r_file_perms };
+
+allow vendor_mmi_laser vendor_toolbox_exec:file rx_file_perms;

sepolicy/vendor/vendor_qti_init_shell.te

@@ -0,0 +1,4 @@
+allow vendor_qti_init_shell configfs:dir create_dir_perms;
+allow vendor_qti_init_shell configfs:file create_file_perms;
+allow vendor_qti_init_shell configfs:lnk_file create_file_perms;
+allow vendor_qti_init_shell proc_page_cluster:file w_file_perms;

sepolicy/vendor/vendor_rmt_storage.te

@@ -0,0 +1 @@
+get_prop(vendor_rmt_storage, vendor_radio_prop)

sepolicy/vendor/vendor_thermal-engine.te

@@ -0,0 +1,2 @@
+allow vendor_thermal-engine { proc_stat proc_loadavg }:file r_file_perms;
+allow vendor_thermal-engine vendor_thermal_device:chr_file rw_file_perms;

sepolicy/vendor/vendor_wcnss_service.te

@@ -0,0 +1 @@
+allow vendor_wcnss_service rootfs:dir r_dir_perms;