From a49e28c03ccc7b032b014e59413020fec742670f Mon Sep 17 00:00:00 2001
From: Jens Reidel
Date: Thu, 15 Feb 2024 14:43:18 +0100
Subject: [PATCH] sm8450-common: Address marble denials
Change-Id: Icb73c862a1da3fa43da1885f7da93f2c71fe9da7
Signed-off-by: Jens Reidel
---
sepolicy/vendor/hal_citsensorservice_xiaomi.te | 7 +++++++
sepolicy/vendor/sensors.te | 2 ++
sepolicy/vendor/system_server.te | 1 +
3 files changed, 10 insertions(+)
create mode 100644 sepolicy/vendor/sensors.te
create mode 100644 sepolicy/vendor/system_server.te
diff --git a/sepolicy/vendor/hal_citsensorservice_xiaomi.te b/sepolicy/vendor/hal_citsensorservice_xiaomi.te
index bb1579a..d155e54 100644
--- a/sepolicy/vendor/hal_citsensorservice_xiaomi.te
+++ b/sepolicy/vendor/hal_citsensorservice_xiaomi.te
@@ -27,13 +27,20 @@ allow vendor_hal_citsensorservice_xiaomi_default fwk_sensor_hwservice:hwservice_
 allow vendor_hal_citsensorservice_xiaomi_default system_server:binder { call transfer };
 allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:dir search;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:file { open read };
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:dir r_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:file r_file_perms;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_displayfeature_device:chr_file { ioctl open read write };
 allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_mapper_hwservice:hwservice_manager find;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_qdisplay_service:service_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:fd *;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder call;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder transfer;
 allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl msm_sock_ipc_ioctls;
 allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl msm_sock_ipc_ioctls;
+r_dir_file(vendor_hal_citsensorservice_xiaomi_default, mnt_vendor_file)
+
 get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_prop)
 userdebug_or_eng(`get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_debug_prop)');
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
new file mode 100644
index 0000000..4995955
--- /dev/null
+++ b/sepolicy/vendor/sensors.te
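Review bot: In sepolicy/vendor/hal_citsensorservice_xiaomi.te, the added `vendor_hal_display_config_hwservice:binder { call transfer };` and `vendor_hal_display_config_hwservice:fd *;` rules target what appears to be an hwservice_manager object label; the added rule just above them uses the same type with `hwservice_manager find`. Binder and fd access is checked against the domain of the process hosting the service, so unless that type is also a process domain (its declaration is outside this hunk) these two rules would match nothing and the denial would remain. I would target the server's domain instead, e.g. `binder_call(vendor_hal_citsensorservice_xiaomi_default, <server_domain_from_denial_tcontext>)`, and if a separate fd rule is still needed spell it `fd use` rather than `fd *`. Separately, `r_dir_file(..., mnt_vendor_file)` and the `r_dir_perms`/`r_file_perms` grants on `vendor_sysfs_graphics` are broader than the explicit `{ open read }` sets on the neighbouring lines; narrowing them to the permissions actually logged would keep this domain closer to least privilege.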
@@ -0,0 +1,2 @@
+allow vendor_sensors vendor_sysfs_displayfeature:dir search;
+allow vendor_sensors vendor_sysfs_displayfeature:file { getattr open read };
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..ed07366
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1 @@
+allow system_server vendor_hal_citsensorservice_xiaomi_default:binder { call transfer };
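Review bot: The new sepolicy/vendor/system_server.te widens `system_server`, a highly privileged core domain, with a bare `allow ... :binder { call transfer };` and nothing recording why it is needed. A leading comment such as `# system_server calls back into vendor_hal_citsensorservice_xiaomi_default; denial: <avc line from log>` would let a later audit confirm the rule is still required. The subject line attributes the denials to marble while the rule lands in the common tree, so if the service only runs on that device it may be worth scoping the rule to the device policy instead; that is an inference from the commit title, not something the hunk shows.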