zenfone7: Enforcing
Change-Id: Ib7d996a469a0193ba8810523dc61e197aca468cc
diff --git a/sepolicy/vendor/asus_sensors.te b/sepolicy/vendor/asus_sensors.te
new file mode 100644
index 0000000..5fea4b4
--- /dev/null
+++ b/sepolicy/vendor/asus_sensors.te
@@ -0,0 +1,5 @@
+allow asus_sensors property_socket:sock_file write;
+allow asus_sensors vendor_shell_exec:file entrypoint;
+
+get_prop(asus_sensors, asus_sensors_prop)
+set_prop(asus_sensors, asus_sensors_prop)
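Review bot: `allow asus_sensors property_socket:sock_file write;` on the first line is already produced by `set_prop(asus_sensors, asus_sensors_prop)` below, which expands to the property_socket write plus the `init:unix_stream_socket connectto` that goes with it, so the explicit rule is redundant and can be dropped. The same duplicate is the first line of asus_sp.te. The `asus_sensors` domain and its exec type are not declared in any hunk of this commit, so presumably they already exist in an earlier file.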
diff --git a/sepolicy/vendor/asus_sp.te b/sepolicy/vendor/asus_sp.te
new file mode 100644
index 0000000..39a442c
--- /dev/null
+++ b/sepolicy/vendor/asus_sp.te
@@ -0,0 +1,6 @@
+allow asus_sp property_socket:sock_file write;
+allow asus_sp block_device:dir search;
+allow asus_sp proc:file r_file_perms;
+
+get_prop(asus_sp, asus_sp_system_prop)
+set_prop(asus_sp, asus_sp_system_prop)
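Review bot: `allow asus_sp proc:file r_file_perms;` grants read on every /proc file that still carries the generic `proc` label, far wider than whatever nodes adrt_service and change_aps actually consume. Label the specific nodes in genfs_contexts with a dedicated `proc_type`, as this commit already does for the display nodes, and allow only that type, e.g. `type asus_sp_proc, fs_type, proc_type;` with `allow asus_sp asus_sp_proc:file r_file_perms;` (names constructed). `allow asus_sp block_device:dir search;` only makes sense if a rule on a specific device node follows; if none is needed it can go.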
diff --git a/sepolicy/vendor/asus_touch.te b/sepolicy/vendor/asus_touch.te
new file mode 100644
index 0000000..1253420
--- /dev/null
+++ b/sepolicy/vendor/asus_touch.te
@@ -0,0 +1,32 @@
+# Policy for Asus SP HAL service
+type asus_touch, domain;
+type asus_touch_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(asus_touch)
+
+dontaudit init asus_touch:process { noatsecure };
+
+allow init asus_touch_exec:file { read getattr map execute open };
+allow init asus_touch:process { transition };
+allow init asus_touch:process { siginh rlimitinh };
+
+allow asus_touch asus_touch_exec:file { read getattr map execute open entrypoint };
+allow asus_touch ctl_default_prop:property_service { set };
+allow asus_touch asus_touch_exec:file { read getattr open execute_no_trans };
+allow asus_touch vendor_file:file { execute_no_trans };
+allow asus_touch vendor_shell_exec:file { read getattr map execute_no_trans entrypoint };
+allow asus_touch sysfs_leds:dir { search };
+allow asus_touch sysfs_leds:lnk_file { read };
+allow asus_touch sysfs:file rw_file_perms;
+allow asus_touch vendor_toolbox_exec:file { execute_no_trans };
+allow asus_touch asus_touch:capability { sys_module };
+allow asus_touch vendor_file:system { module_load };
+allow asus_touch kernel:key { search };
+allow asus_touch kmsg_device:chr_file rw_file_perms;
+allow asus_touch property_socket:sock_file write;
+allow asus_touch init:unix_stream_socket { connectto };
+
+get_prop(asus_touch, exported_system_prop)
+get_prop(asus_touch, vendor_asus_prop)
+get_prop(asus_touch, vendor_default_prop)
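Review bot: `allow asus_touch asus_touch:capability { sys_module };` together with `allow asus_touch vendor_file:system { module_load };` lets a domain whose entrypoint is `vendor_shell_exec` (the two scripts labelled in file_contexts) load any kernel module under /vendor, which is a very high-privilege grant for a touch/gamemode script; if the platform neverallow on `sys_module` for domains other than init applies to this Android version it will also fail the policy build, so module loading should stay with init (insmod from the rc file) or a dedicated modprobe domain. `allow asus_touch sysfs:file rw_file_perms;` writes to every sysfs node with the generic label; label the touch nodes in genfs_contexts and allow only that type. The `dontaudit init asus_touch:process { noatsecure }`, the three `allow init asus_touch...` rules and the first `allow asus_touch asus_touch_exec:file` rule are exactly what `init_daemon_domain(asus_touch)` already expands to, so they duplicate the macro. The header comment says `# Policy for Asus SP HAL service` but this file is the touch domain.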
diff --git a/sepolicy/vendor/attributes b/sepolicy/vendor/attributes
new file mode 100644
index 0000000..bc48c47
--- /dev/null
+++ b/sepolicy/vendor/attributes
@@ -0,0 +1,4 @@
+# Pixelworks (display)
+attribute hal_display_iris;
+attribute hal_display_iris_client;
+attribute hal_display_iris_server;
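Review bot: The three bare `attribute` lines hand-write what `hal_attribute(display_iris)` produces, and the macro additionally sets the expandattribute flags and emits the `hal_display_iris_server`/fork neverallow that the platform relies on for HAL attributes, so prefer the single macro call `hal_attribute(display_iris)`. Keep the `# Pixelworks (display)` comment above it.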
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..5bc3844
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,5 @@
+# Asus Display
+type asus_display_proc_exec, fs_type, proc_type;
+
+# Hal Sensor
+type asus_halls_sysfs, fs_type, sysfs_type;
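Review bot: `asus_display_proc_exec` carries the `_exec` suffix that policy convention reserves for `exec_type` entrypoint labels, but it is declared `fs_type, proc_type` and applied to /proc nodes in genfs_contexts, so the name leads a reader to expect a binary; `type asus_display_proc, fs_type, proc_type;` would match the neighbouring `asus_halls_sysfs` naming. A rename also has to be carried through the genfs_contexts entries and the `rw_file_perms` rules in the app, HAL, surfaceflinger and system_server files of this commit.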
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 4fd5d35..76298f5 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,3 +1,14 @@
+# Asus Sp
+/(vendor|system/vendor)/bin/adrt_service u:object_r:asus_sp_exec:s0
+/(vendor|system/vendor)/bin/change_aps u:object_r:asus_sp_exec:s0
+
+# Display
+/(vendor|system/vendor)/bin/irisConfig u:object_r:iris_config_exec:s0
+
# Files in rootfs
-/motor_fw1(/.*)? u:object_r:log_file:s0
-/motor_fw2(/.*)? u:object_r:log_file:s0
+/motor_fw1(/.*)? u:object_r:log_file:s0
+/motor_fw2(/.*)? u:object_r:log_file:s0
+
+# Touch
+/(vendor|system/vendor)/bin/init.asus.gamemode.sh u:object_r:asus_touch_exec:s0
+/(vendor|system/vendor)/bin/touch_ver.sh u:object_r:asus_touch_exec:s0
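Review bot: Both `init.asus.gamemode.sh` and `touch_ver.sh` are labelled `asus_touch_exec`, so two unrelated scripts run in the single asus_touch domain and each inherits the other's rule set, including the `sys_module`/`module_load` grants in asus_touch.te; if only one of them needs a given permission, give each script its own exec type and domain. The two `/motor_fw*` lines appear to change only whitespace. `asus_sp_exec` is referenced here but declared in no hunk of this commit, so presumably it exists already.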
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..b4dcfa7
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
@@ -0,0 +1,43 @@
+# Display
+genfscon proc /hbm_mode u:object_r:asus_display_proc_exec:s0
+genfscon proc /lcd_brightness u:object_r:asus_display_proc_exec:s0
+genfscon proc /lcd_dimming_speed u:object_r:asus_display_proc_exec:s0
+genfscon proc /lcd_stage u:object_r:asus_display_proc_exec:s0
+genfscon proc /lcd_unique_id u:object_r:asus_display_proc_exec:s0
+
+# Hall Sensor
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-000d/hall_sensor2/trigger_update u:object_r:asus_halls_sysfs:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-000d/hall_sensor2/X1_threshold u:object_r:asus_halls_sysfs:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-000d/hall_sensor2/X2_threshold u:object_r:asus_halls_sysfs:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-000d/hall_sensor2/Y1_threshold u:object_r:asus_halls_sysfs:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-000d/hall_sensor2/status u:object_r:asus_halls_sysfs:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-000d/hall_sensor2/state u:object_r:asus_halls_sysfs:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-000d/hall_sensor2/X u:object_r:asus_halls_sysfs:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-000d/hall_sensor2/Y u:object_r:asus_halls_sysfs:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-000d/hall_sensor2/Z u:object_r:asus_halls_sysfs:s0
+
+# Motor
+genfscon proc /driver/motor_probe_status u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_atd_status u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_tk_angle u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_manual u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_angle u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_param u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_power u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_state u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_stop u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_akm u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_drv u:object_r:vendor_motor_camera:s0
+genfscon proc /driver/motor_k u:object_r:vendor_motor_camera:s0
+
+# Usb
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-5/5-0010/884000.i2c:qcom,smb1390@10:qcom,charge_pump/power_supply/charge_pump_master/cp_die_temp u:object_r:vendor_sysfs_usb_supply:s0
+
+# Wakeup
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-5/5-0010/884000.i2c:qcom,smb1390@10:qcom,charge_pump/power_supply/charge_pump_master/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,pm8150_rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/994000.spi/spi_master/spi0/spi0.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/0.goodix_gf3626/goodix_fp/goodix_fp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/88c000.qcom,qup_uart/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c08000.qcom,pcie/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_uc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..32d9928
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,7 @@
+get_prop(hal_camera_default, asus_sensors_prop)
+
+# Allow camera to read/write to proc files into bin/Camera_OIS-* and bin/q_af_cali
+allow hal_camera_default proc:file rw_file_perms;
+
+# Camera for ParameterDB.db
+allow hal_camera_default system_lib_file:file { getattr lock open read };
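Review bot: `allow hal_camera_default proc:file rw_file_perms;` grants read and write on every /proc file still carrying the generic `proc` label, far more than the OIS/AF calibration nodes the comment names, and as far as I recall platform neverallows restrict writes to generic `proc` for vendor domains, so confirm this even builds. Label the calibration nodes in genfs_contexts with a dedicated `proc_type` and restrict the rule to it, e.g. `allow hal_camera_default asus_camera_proc:file rw_file_perms;` (name constructed). The comment's paths `bin/Camera_OIS-*` and `bin/q_af_cali` do not read as /proc paths; naming the actual nodes would let the genfs entry be written.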
diff --git a/sepolicy/vendor/hal_display_iris.te b/sepolicy/vendor/hal_display_iris.te
new file mode 100644
index 0000000..43d5c75
--- /dev/null
+++ b/sepolicy/vendor/hal_display_iris.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_display_iris_client, hal_display_iris_server)
+binder_call(hal_display_iris_server, hal_display_iris_client)
+
+add_hwservice(hal_display_iris, hal_display_iris_hwservice)
+allow hal_display_iris_client hal_display_iris_hwservice:hwservice_manager find;
+allow hal_display_iris_server hal_display_iris_hwservice:hwservice_manager { add find };
\ No newline at end of file
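Review bot: `add_hwservice(hal_display_iris, hal_display_iris_hwservice)` is applied to the bare `hal_display_iris` attribute, and since `hal_client_domain` attaches that attribute to clients as well as servers, every client in this commit (platform_app, priv_app, system_app, iris_config) is granted `add` on the IIris hwservice and could register itself in place of the real service. Follow the AOSP pattern and scope it to the server, `add_hwservice(hal_display_iris_server, hal_display_iris_hwservice)`; the last `allow hal_display_iris_server ... { add find }` line then duplicates the macro and can go, while the client `find` rule stays. The file is also missing its trailing newline.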
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
new file mode 100644
index 0000000..91b9bde
--- /dev/null
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -0,0 +1,4 @@
+allow hal_graphics_composer_default mnt_vendor_file:file { read getattr open };
+
+allow hal_graphics_composer_default asus_display_proc_exec:file rw_file_perms;
+hal_server_domain(hal_graphics_composer_default, hal_display_iris)
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..adf4d20
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,2 @@
+get_prop(hal_sensors_default, asus_sensors_prop)
+set_prop(hal_sensors_default, asus_sensors_prop)
diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te
new file mode 100644
index 0000000..e9408a1
--- /dev/null
+++ b/sepolicy/vendor/hwservice.te
@@ -0,0 +1,2 @@
+# Pixelworks display
+type hal_display_iris_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..12e7f35
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,2 @@
+# Display
+vendor.pixelworks.hardware.display::IIris u:object_r:hal_display_iris_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..6f6d8bc
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,2 @@
+get_prop(init, asus_sensors_prop)
+
diff --git a/sepolicy/vendor/iris_config.te b/sepolicy/vendor/iris_config.te
new file mode 100644
index 0000000..6d9ec22
--- /dev/null
+++ b/sepolicy/vendor/iris_config.te
@@ -0,0 +1,21 @@
+type iris_config, domain, halclientdomain;
+type iris_config_exec, exec_type, vendor_file_type, file_type;
+hal_client_domain(iris_config, hal_display_iris)
+
+
+# Started by init
+init_daemon_domain(iris_config)
+
+dontaudit shell iris_config:process noatsecure;
+
+allow iris_config hal_display_iris_hwservice:hwservice_manager find;
+allow shell iris_config_exec:file {read getattr map execute open };
+allow shell iris_config:process transition;
+allow iris_config iris_config_exec:file { read getattr map execute open entrypoint };
+allow iris_config shell:process sigchld;
+allow shell iris_config:process { siginh rlimitinh };
+allow iris_config adbd:process sigchld;
+allow iris_config shell:fd use;
+allow iris_config adbd:fd use;
+allow iris_config devpts:chr_file { ioctl read write getattr };
+allow iris_config adbd:unix_stream_socket { read write getattr };
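Review bot: The shell-transition block (`dontaudit shell iris_config:process noatsecure;` through `allow shell iris_config:process { siginh rlimitinh };`) hand-writes what `domain_auto_trans(shell, iris_config_exec, iris_config)` expands to, and together with the `adbd` fd/socket and `devpts` rules it lets any adb shell launch irisConfig in a domain holding display-HAL client rights on user builds as well; wrap that debug path in `userdebug_or_eng()` and use the macro, as below. `allow iris_config hal_display_iris_hwservice:hwservice_manager find;` duplicates the client `find` rule in hal_display_iris.te, and `halclientdomain` in the type line is, I believe, already attached by `hal_client_domain`. `{read getattr map execute open }` is missing the space after the opening brace.
```sepolicy
# … unchanged: type declarations, hal_client_domain, init_daemon_domain …

# Launching irisConfig from adb shell is a debugging aid only
userdebug_or_eng(`
  domain_auto_trans(shell, iris_config_exec, iris_config)
  allow iris_config { shell adbd }:fd use;
  allow iris_config adbd:process sigchld;
  allow iris_config devpts:chr_file { ioctl read write getattr };
  allow iris_config adbd:unix_stream_socket { read write getattr };
')
```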
diff --git a/sepolicy/vendor/latch_sensor.te b/sepolicy/vendor/latch_sensor.te
new file mode 100644
index 0000000..e252f8f
--- /dev/null
+++ b/sepolicy/vendor/latch_sensor.te
@@ -0,0 +1,13 @@
+type latch_sensor, domain;
+type latch_sensor_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(latch_sensor)
+
+r_dir_file(latch_sensor, mnt_vendor_file)
+
+allow latch_sensor mnt_vendor_file:file rw_file_perms;
+allow latch_sensor asus_halls_sysfs:file rw_file_perms;
+allow latch_sensor vendor_shell_exec:file entrypoint;
+allow latch_sensor kmsg_device:chr_file { open write };
+allow latch_sensor vendor_toolbox_exec:file execute_no_trans;
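Review bot: `allow latch_sensor mnt_vendor_file:file rw_file_perms;`, combined with `r_dir_file(latch_sensor, mnt_vendor_file)`, lets the daemon read and write every file under /mnt/vendor that still has the generic label rather than only its own state; label the files it actually touches with a dedicated `file_type` in file_contexts and restrict the rule to that type, e.g. `allow latch_sensor asus_latch_persist_file:file rw_file_perms;` (name constructed). The `entrypoint` on `vendor_shell_exec` shows this is a shell script, yet no file_contexts entry for `latch_sensor_exec` is added in this commit, so check that one exists elsewhere.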
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
new file mode 100644
index 0000000..0144aea
--- /dev/null
+++ b/sepolicy/vendor/platform_app.te
@@ -0,0 +1,12 @@
+# Camera for ParameterDB.db
+allow platform_app system_lib_file:file { getattr lock open read };
+
+# Hall Sensor
+allow platform_app asus_halls_sysfs:file rw_file_perms;
+
+# Pixelworks
+allow platform_app asus_display_proc_exec:file rw_file_perms;
+hal_client_domain(platform_app, hal_display_iris)
+
+# Motor
+allow platform_app vendor_motor_camera:file rw_file_perms;
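Review bot: `allow platform_app asus_halls_sysfs:file rw_file_perms;`, `allow platform_app asus_display_proc_exec:file rw_file_perms;` and `allow platform_app vendor_motor_camera:file rw_file_perms;` let every platform-signed app write kernel sysfs/proc nodes directly, bypassing the vendor-HAL boundary that the `hal_client_domain(platform_app, hal_display_iris)` line in the same file respects; the same direct writes recur in system_app.te and priv_app.te. If one specific app needs them, a dedicated app domain selected via seapp_contexts, or a vendor service reached over HwBinder, keeps the grant off the whole attribute, and `r_file_perms` should be considered where the app only polls state. `lock` on `system_lib_file` for `ParameterDB.db` suggests a database opened read-write from the read-only system image; confirm the file really lives under a system lib path rather than being a copy that belongs in /data.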
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
new file mode 100644
index 0000000..4b1c043
--- /dev/null
+++ b/sepolicy/vendor/priv_app.te
@@ -0,0 +1,3 @@
+# Pixelworks
+allow priv_app asus_display_proc_exec:file rw_file_perms;
+hal_client_domain(priv_app, hal_display_iris)
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..8f75383
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,5 @@
+# Ims
+type asus_sp_system_prop, property_type;
+
+# Sensor
+type asus_sensors_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..54cb62d
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,33 @@
+# Audio
+vendor.asus.audiocalibration u:object_r:exported_system_prop:s0
+vendor.audio.calibration.rcv u:object_r:exported_system_prop:s0
+vendor.audio.calibration.spk u:object_r:exported_system_prop:s0
+vendor.audio.calibration.value.range u:object_r:exported_system_prop:s0
+vendor.audio.calibration.rcv.value u:object_r:exported_system_prop:s0
+vendor.audio.calibration.spk.value u:object_r:exported_system_prop:s0
+vendor.use.audio.eu.parameters u:object_r:exported_system_prop:s0
+
+# Camera
+vendor.sys.asus.camprobe u:object_r:vendor_asus_prop:s0
+
+# Fingerprint
+vendor.gf.debug.dump_bigdata_data u:object_r:vendor_gx_fpd_prop:s0
+
+# Ims
+ro.vendor.tc.qkey u:object_r:asus_sp_system_prop:s0
+
+# Sensors
+vendor.asus.rstg2k u:object_r:debug_prop:s0
+vendor.asus.rstgy2k u:object_r:debug_prop:s0
+vendor.asus.rstg2k.result u:object_r:asus_sensors_prop:s0
+vendor.asus.rstgy2k.result u:object_r:asus_sensors_prop:s0
+persist.vendor.asus.gyrosensor2calibx u:object_r:asus_sensors_prop:s0
+persist.vendor.asus.gyrosensor2caliby u:object_r:asus_sensors_prop:s0
+persist.vendor.asus.gyrosensor2calibz u:object_r:asus_sensors_prop:s0
+persist.vendor.asus.gyrosensor2calibtime u:object_r:asus_sensors_prop:s0
+
+# Termal
+persist.vendor.asus.foregroundapp u:object_r:exported_system_prop:s0
+vendor.proximity. u:object_r:vendor_thermal_prop:s0
+vendor.asus.foregroundapp u:object_r:vendor_asus_prop:s0
+vendor.sys.enableDevPerfTHM u:object_r:vendor_asus_prop:s0
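Review bot: The `vendor.*` properties under `# Audio`, `# Sensors` and `# Termal` are labelled with the platform-owned types `exported_system_prop` and `debug_prop` instead of vendor-defined types; `debug_prop` is, as far as I recall, settable by the shell domain, so `vendor.asus.rstg2k`/`vendor.asus.rstgy2k` become adb-settable triggers on every build, and the property split expects vendor properties to use vendor types such as the `vendor_asus_prop` used for the thermal entries. `persist.vendor.asus.foregroundapp` is `exported_system_prop` while `vendor.asus.foregroundapp` is `vendor_asus_prop`; the two should agree. The section header `# Termal` is misspelt (`# Thermal`).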
diff --git a/sepolicy/vendor/shell.te b/sepolicy/vendor/shell.te
new file mode 100644
index 0000000..e440c7c
--- /dev/null
+++ b/sepolicy/vendor/shell.te
@@ -0,0 +1 @@
+get_prop(shell, asus_sensors_prop)
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
new file mode 100644
index 0000000..d4d514d
--- /dev/null
+++ b/sepolicy/vendor/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger asus_display_proc_exec:file rw_file_perms;
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
new file mode 100644
index 0000000..5102da2
--- /dev/null
+++ b/sepolicy/vendor/system_app.te
@@ -0,0 +1,9 @@
+# Hall Sensor
+allow system_app asus_halls_sysfs:file rw_file_perms;
+
+# Pixelworks
+allow system_app asus_display_proc_exec:file rw_file_perms;
+hal_client_domain(system_app, hal_display_iris)
+
+# Motor
+allow system_app vendor_motor_camera:file rw_file_perms;
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..28c7064
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1,2 @@
+# Display
+allow system_server asus_display_proc_exec:file rw_file_perms;
diff --git a/sepolicy/vendor/vendor_hal_perf_default.te b/sepolicy/vendor/vendor_hal_perf_default.te
new file mode 100644
index 0000000..68affb8
--- /dev/null
+++ b/sepolicy/vendor/vendor_hal_perf_default.te
@@ -0,0 +1,2 @@
+allow vendor_hal_perf_default sysfs_thermal:file rw_file_perms;
+get_prop(vendor_hal_perf_default, vendor_asus_prop)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..b5f3721
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1 @@
+get_prop(vendor_init, asus_sensors_prop)