sdm660-common: Build vendor variant of tinymix

* Avoid SELinux neverallows, vendor services should use vendor tools

Change-Id: I2a97658db9a31dd0403f1b62386db2987bd9749c

sdm660.mk

@@ -131,7 +131,7 @@ PRODUCT_PACKAGES += \
     libqcomvisualizer \
     libqcomvoiceprocessing \
     libvolumelistener \
-    tinymix
+    tinymix.vendor
 
 PRODUCT_COPY_FILES += \
     $(COMMON_PATH)/audio/audio_effects.xml:$(TARGET_COPY_OUT_VENDOR)/etc/audio_effects.xml \

sepolicy/vendor/file_contexts

@@ -22,6 +22,9 @@
 /firmware                                                     u:object_r:firmware_file:s0
 /bt_firmware                                                  u:object_r:bt_firmware_file:s0
 
+# Amplifier
+/(vendor|system/vendor)/bin/tinymix                           u:object_r:vendor_tinyalsa_exec:s0
+
 # HVDCP
 /sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
 

sepolicy/vendor/vendor_tinyalse.te

@@ -0,0 +1,16 @@
+# Tinyalsa installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_tinyalsa_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor tinyalsa
+# or read, execute the vendor_tinyalsa file.
+full_treble_only(`
+    # Do not allow non-vendor domains to transition
+    # to vendor tinyalsa except for the whitelisted domains.
+    neverallow {
+        coredomain
+        -init
+        -modprobe
+    } vendor_tinyalsa_exec:file { entrypoint execute execute_no_trans };
+')