From 4f0e9000c9cd894b34c2a003f762bea66654c120 Mon Sep 17 00:00:00 2001
From: Michael Bestas
Date: Tue, 8 Oct 2019 21:35:22 +0300
Subject: [PATCH] sdm660-common: Build vendor variant of tinymix

* Avoid SELinux neverallows, vendor services should use vendor tools

Change-Id: I2a97658db9a31dd0403f1b62386db2987bd9749c
---
 sdm660.mk | 2 +-
 sepolicy/vendor/file_contexts | 3 +++
 sepolicy/vendor/vendor_tinyalse.te | 16 ++++++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 sepolicy/vendor/vendor_tinyalse.te

diff --git a/sdm660.mk b/sdm660.mk
index 43f25c47..1983281b 100644
--- a/sdm660.mk
+++ b/sdm660.mk
@@ -131,7 +131,7 @@ PRODUCT_PACKAGES += \
 libqcomvisualizer \
 libqcomvoiceprocessing \
 libvolumelistener \
- tinymix
+ tinymix.vendor
 
 PRODUCT_COPY_FILES += \
 $(COMMON_PATH)/audio/audio_effects.xml:$(TARGET_COPY_OUT_VENDOR)/etc/audio_effects.xml \
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index cb1a0477..fbb480b0 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -22,6 +22,9 @@
 /firmware u:object_r:firmware_file:s0
 /bt_firmware u:object_r:bt_firmware_file:s0
 
+# Amplifier
+/(vendor|system/vendor)/bin/tinymix u:object_r:vendor_tinyalsa_exec:s0
+
 # HVDCP
 /sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
 
diff --git a/sepolicy/vendor/vendor_tinyalse.te b/sepolicy/vendor/vendor_tinyalse.te
new file mode 100644
index 00000000..53a61579
--- /dev/null
+++ b/sepolicy/vendor/vendor_tinyalse.te
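Review bot: The `# Amplifier` comment above the new file_contexts entry does not describe what is being labelled; the path is the tinyalsa `tinymix` mixer tool and the label is `vendor_tinyalsa_exec`, so a reader looking for the amplifier will find no amplifier node here. Suggest `# Tinyalsa mixer tool (vendor tinymix)`, or, if the point is that a vendor script drives the amplifier through tinymix, say that explicitly. This entry is also the only place the binary's path is fixed; it presumably matches where `tinymix.vendor` from the sdm660.mk hunk is installed, which is worth confirming with `ls -Z /vendor/bin/tinymix` on a built image, because if the label never applies the neverallow in vendor_tinyalse.te asserts about a type that no file carries.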
@@ -0,0 +1,16 @@
+# Tinyalsa installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_tinyalsa_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor tinyalsa
+# or read, execute the vendor_tinyalsa file.
+full_treble_only(`
+ # Do not allow non-vendor domains to transition
+ # to vendor tinyalsa except for the whitelisted domains.
+ neverallow {
+ coredomain
+ -init
+ -modprobe
+ } vendor_tinyalsa_exec:file { entrypoint execute execute_no_trans };
+')
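Review bot: The comment above the `full_treble_only` block says domains may not "read, execute" the file, but the neverallow that follows asserts only `entrypoint execute execute_no_trans`; read access to `vendor_tinyalsa_exec` is not constrained here, so either drop "read" from the comment or extend the rule to match what is intended. A neverallow is also a compile-time assertion and grants nothing: whichever vendor domain is meant to run tinymix still needs its own allow or domain-transition rule, which this commit does not add — presumably it already exists elsewhere in sepolicy/vendor, worth confirming before merging. The file is named `vendor_tinyalse.te` while the type it declares is `vendor_tinyalsa_exec`; renaming it to `vendor_tinyalsa.te` keeps the two consistent (the diffstat and the `create mode` line use the misspelt name as well). Finally, the header comment `# and is always executed without transition.` reads as if it describes the binary rather than the callers; `# and it is always executed without a domain transition.` is clearer.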