From 964f9afff1ae97fc765b0d80a9d67d2bb3329502 Mon Sep 17 00:00:00 2001
From: Sabar <31942277+sabarop@users.noreply.github.com>
Date: Thu, 28 Dec 2023 05:15:58 +0700
Subject: [PATCH] sdm660-common: sepolicy: Adjust sepolicy for qti thermal

Co-Authored-By: Clarence K
---
 sepolicy/vendor/hal_thermal_default.te | 11 +++++++++++
 sepolicy/vendor/property.te | 2 +-
 sepolicy/vendor/property_contexts | 4 ++--
 sepolicy/vendor/thermal-engine.te | 5 ++++-
 4 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 sepolicy/vendor/hal_thermal_default.te

diff --git a/sepolicy/vendor/hal_thermal_default.te b/sepolicy/vendor/hal_thermal_default.te
new file mode 100644
index 00000000..57e499a1
--- /dev/null
+++ b/sepolicy/vendor/hal_thermal_default.te
@@ -0,0 +1,11 @@
+# This is required to access proc stat for fetching CPU usage
+allow hal_thermal_default proc_stat:file { getattr open read };
+
+allow hal_thermal_default sysfs_thermal:dir r_dir_perms;
+allow hal_thermal_default sysfs_thermal:file rw_file_perms;
+allow hal_thermal_default proc_stat:file r_file_perms;
+
+allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# read thermal config
+get_prop(hal_thermal_default, vendor_thermal_prop)
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index c8db3af6..898d152c 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -4,6 +4,6 @@ vendor_public_prop(mlipay_prop);
 vendor_restricted_prop(vendor_camera_prop);
 vendor_internal_prop(dirac_prop);
 vendor_internal_prop(vendor_power_prop)
-vendor_internal_prop(thermal_engine_prop);
+vendor_internal_prop(vendor_thermal_prop);
 vendor_public_prop(hal_bluetooth_qti_prop);
 vendor_public_prop(vendor_wcnss_service_prop);
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 5382987c..7a69e0aa 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
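Review bot: The two `proc_stat:file` rules in the new sepolicy/vendor/hal_thermal_default.te overlap: the later `allow hal_thermal_default proc_stat:file r_file_perms;` is a superset of the commented `{ getattr open read }` rule, so the narrow rule does not limit what is actually granted. If the HAL only reads /proc/stat for CPU usage, keep `allow hal_thermal_default proc_stat:file { getattr open read };` and delete the `r_file_perms` line, which additionally carries ioctl, lock and map among others. Separately, `sysfs_thermal:file rw_file_perms` lets the HAL write every node carrying that label; if it only reads temperatures, `r_file_perms` is enough, and if it does write cooling-device state a one-line comment saying so would record why write is needed.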
@@ -106,5 +106,5 @@ ro.miui. u:object_r:telephony_status_prop:s0 rild.libpath u:object_r:vendor_rild_libpath_prop:s0 # Thermal engine -persist.sys.thermal. u:object_r:thermal_engine_prop:s0 -sys.thermal. u:object_r:thermal_engine_prop:s0 +vendor.thermal.config u:object_r:vendor_thermal_prop:s0 + diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te index 0b26efeb..2909880b 100644 --- a/sepolicy/vendor/thermal-engine.te +++ b/sepolicy/vendor/thermal-engine.te @@ -3,7 +3,10 @@ allow thermal-engine thermal_data_file:file create_file_perms; allow thermal-engine sysfs:dir r_dir_perms; allow thermal-engine self:capability { chown fowner }; -set_prop(thermal-engine, thermal_engine_prop); +# Rule for thermal-engine to access init process +unix_socket_connect(thermal-engine, property, init); + +set_prop(thermal-engine, vendor_thermal_prop); r_dir_file(thermal-engine, sysfs_thermal) dontaudit thermal-engine self:capability dac_override;
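Review bot: The new property_contexts entry `vendor.thermal.config u:object_r:vendor_thermal_prop:s0` is a prefix match, so any property whose name merely starts with `vendor.thermal.config` receives the label that thermal-engine is allowed to set. If only that one property is intended, pin it with an exact match, e.g. `vendor.thermal.config u:object_r:vendor_thermal_prop:s0 exact string` (assuming the value is a string; the page does not show it). The same hunk removes the `persist.sys.thermal.` and `sys.thermal.` labels, so those names fall back to whatever the platform policy assigns; if thermal-engine still writes them the sets would presumably be denied, which is worth confirming from avc denials on a test boot. The lone trailing `+` line adds only an empty line and can be dropped.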
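Review bot: The added `unix_socket_connect(thermal-engine, property, init);` in sepolicy/vendor/thermal-engine.te looks redundant, because in AOSP's te_macros `set_prop()` already expands to that same connect rule plus the `property_service set` permission, and `set_prop(thermal-engine, vendor_thermal_prop);` follows two lines later. The comment above it also overstates the grant: this is a connection to init's property service socket, not general access to the init process. I would drop the macro call and its comment, or at least reword the comment to `# Connect to the property service socket (already implied by set_prop below)`. The first two lines of the file are outside the hunk, so this assumes nothing there changes the picture.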