sdm660: sepolicy: Start Q Bringup

BoardConfigCommon.mk

@@ -277,10 +277,9 @@ BOARD_USES_QC_TIME_SERVICES := true
 
 # SELinux
 include device/qcom/sepolicy-legacy-um/sepolicy.mk
-# BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
-# BOARD_PLAT_PUBLIC_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/public
-# BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private
-BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy-minimal
+BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/public
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private
 
 # Telephony
 TARGET_USES_ALTERNATIVE_MANUAL_NETWORK_SELECT := true

sepolicy-minimal/file.te

@@ -1,4 +0,0 @@
-type adsprpcd_file, file_type;
-type bt_firmware_file, file_type;
-type firmware_file, file_type;
-type persist_file, file_type;

sepolicy-minimal/file_contexts

@@ -1,5 +0,0 @@
-# Root Symlinks
-/bt_firmware(/.*)?       u:object_r:bt_firmware_file:s0
-/dsp(/.*)?               u:object_r:adsprpcd_file:s0
-/firmware(/.*)?          u:object_r:firmware_file:s0
-/persist(/.*)?           u:object_r:persist_file:s0

sepolicy/vendor/app.te

@@ -1,6 +1,5 @@
 # Allow appdomain to get vendor_camera_prop
 get_prop(appdomain, vendor_camera_prop)
-allow { appdomain -isolated_app } hal_mlipay_hwservice:hwservice_manager find;
 binder_call({ appdomain -isolated_app }, hal_mlipay_default)
 get_prop({ appdomain -isolated_app }, mlipay_prop)
 get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)

sepolicy/vendor/hal_camera_default.te

@@ -2,7 +2,6 @@ binder_call(hal_camera_default, hal_configstore_default)
 binder_call(hal_camera_default, hal_graphics_allocator_default)
 typeattribute hal_camera_default data_between_core_and_vendor_violators;
 
-allow hal_camera_default { hal_configstore_ISurfaceFlingerConfigs hal_graphics_allocator_hwservice }:hwservice_manager find;
 allow hal_camera_default sysfs:file { getattr open read };
 allow hal_camera_default sysfs_kgsl:file { getattr open read };
 

sepolicy/vendor/hwservice.te

@@ -1,2 +1,2 @@
 type goodixhw_service, hwservice_manager_type;
-type hal_mlipay_hwservice, hwservice_manager_type, untrusted_app_visible_hwservice;
+type hal_mlipay_hwservice, hwservice_manager_type;

sepolicy/vendor/init.te

@@ -3,7 +3,6 @@ allow init ipa_dev:chr_file open;
 allow init ion_device:chr_file ioctl;
 allow init property_socket:sock_file write;
 allow init sysfs_dm:file { open write };
-allow init tee_device:chr_file { write ioctl };
 allow init vendor_default_prop:property_service set;
 allow init sysfs_info:file { open read };
 allow init sysfs:file setattr;

sepolicy/vendor/property.te

@@ -2,6 +2,7 @@ type hal_fingerprint_prop, property_type;
 type mlipay_prop, property_type;
 type vendor_fp_prop, property_type;
 type ifaa_prop, property_type;
+type vendor_camera_prop, property_type;
 
 # Thermal engine
 type thermal_engine_prop, property_type;

sepolicy/vendor/system_app.te

@@ -1,6 +1,5 @@
 allow system_app vendor_default_prop:file { getattr open read };
 allow system_app wificond:binder call;
-allow system_app hal_mlipay_hwservice:hwservice_manager find;
 allow system_app hal_mlipay_default:binder call;
 allow system_app kcal_dev:file rw_file_perms;
 allow system_app kcal_dev:dir search;