sdm710-common: sepolicy: Address selinux denials

Signed-off-by: SamarV-121 <samarvispute121@gmail.com>

BoardConfigCommon.mk

@@ -86,13 +86,13 @@ TARGET_RELEASETOOLS_EXTENSIONS := $(COMMON_PATH)
 # Sepolicy
 # PRIVATE_EXCLUDE_BUILD_TEST := true
 BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private
-# BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
-#     device/qcom/sepolicy/generic/private \
+    device/qcom/sepolicy/generic/private \
-#     device/qcom/sepolicy/qva/private
+    device/qcom/sepolicy/qva/private
 
-# BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
-#     device/qcom/sepolicy/generic/public \
+    device/qcom/sepolicy/generic/public \
-#     device/qcom/sepolicy/qva/public
+    device/qcom/sepolicy/qva/public
 
 # Treble
 BOARD_VNDK_VERSION := current

sepolicy/private/app.te

@@ -0,0 +1,2 @@
+# Allow appdomain to get vendor_camera_prop
+get_prop(appdomain, vendor_camera_prop)

sepolicy/private/file.te

@@ -2,3 +2,4 @@ type adsprpcd_file, file_type;
 type bt_firmware_file, file_type;
 type firmware_file, file_type;
 type persist_file, file_type;
+type proc_touchpanel, fs_type, proc_type;

sepolicy/private/file_contexts

@@ -3,3 +3,16 @@
 /dsp(/.*)?               u:object_r:adsprpcd_file:s0
 /firmware(/.*)?          u:object_r:firmware_file:s0
 /persist(/.*)?           u:object_r:persist_file:s0
+
+# HALs
+/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.realme_sdm710    u:object_r:hal_fingerprint_sdm710_exec:s0
+/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/android\.hardware\.light@2\.0-service    u:object_r:hal_light_default_exec:s0
+/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/android\.hardware\.usb@1\.0-service    u:object_r:hal_usb_default_exec:s0
+
+# Vendor overlay
+/(product|system/product)/vendor_overlay/[0-9]+/etc(/.*)?        u:object_r:vendor_configs_file:s0
+/(product|system/product)/vendor_overlay/[0-9]+/etc/wifi(/.*)?   u:object_r:vendor_configs_file:s0
+/(product|system/product)/vendor_overlay/[0-9]+/etc/vintf(/.*)?  u:object_r:vendor_configs_file:s0
+/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/hw      u:object_r:vendor_hal_file:s0
+/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/soundfx u:object_r:vendor_hal_file:s0
+/(product|system/product)/vendor_overlay/[0-9]+/overlay(/.*)?    u:object_r:vendor_overlay_file:s0

sepolicy/private/genfs_contexts

@@ -0,0 +1 @@
+genfscon proc /touchpanel    u:object_r:proc_touchpanel:s0

sepolicy/private/hal_fingerprint_sdm710.te

@@ -0,0 +1,6 @@
+type hal_fingerprint_sdm710, coredomain, domain;
+hal_client_domain(hal_fingerprint_sdm710, hal_fingerprint)
+hal_server_domain(hal_fingerprint_sdm710, hal_fingerprint)
+
+type hal_fingerprint_sdm710_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_fingerprint_sdm710)

sepolicy/private/hal_power.te

@@ -0,0 +1,2 @@
+allow hal_power proc_touchpanel:dir search;
+allow hal_power proc_touchpanel:file w_file_perms;

sepolicy/private/init.te

@@ -0,0 +1,5 @@
+allow init proc_touchpanel:dir search;
+allow init proc_touchpanel:file { write setattr open};
+
+# Allow init to mount vendor configs
+allow init vendor_configs_file:dir mounton;

sepolicy/private/property.te

@@ -0,0 +1 @@
+type vendor_camera_prop, property_type;

sepolicy/private/qti_init_shell.te

@@ -0,0 +1,4 @@
+type qti_init_shell, domain;
+
+allow qti_init_shell sysfs_io_sched_tuneable:file w_file_perms;
+dontaudit qti_init_shell self:capability { dac_override dac_read_search };

sepolicy/private/system_server.te

@@ -0,0 +1 @@
+get_prop(system_server, vendor_camera_prop)