Move gxp sepolicies to gs-common

This change moves all gxp sepolicies to common. This eliminates the
need for having these policies in sepolicy folder of all P22+ devices.

Tested:
Created private builds and found no selinux violations for P22 & P23 devices.

Bug: 288368306
Change-Id: Iec5dfe01dd9088a117f549cc999b9ee2aa2c4484
Signed-off-by: Dinesh Yadav <dkyadav@google.com>
diff --git a/gxp/dump.mk b/gxp/dump.mk
deleted file mode 100644
index c1f6300..0000000
--- a/gxp/dump.mk
+++ /dev/null
@@ -1,4 +0,0 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gxp/sepolicy/
-
-PRODUCT_PACKAGES_DEBUG += dump_gxp
-
diff --git a/gxp/gxp.mk b/gxp/gxp.mk
new file mode 100644
index 0000000..45b0f08
--- /dev/null
+++ b/gxp/gxp.mk
@@ -0,0 +1,13 @@
+# GXP logging service
+PRODUCT_PACKAGES += \
+	android.hardware.gxp.logging@service-gxp-logging
+# GXP metrics logger library
+PRODUCT_PACKAGES += \
+	gxp_metrics_logger
+# GXP C-API library
+PRODUCT_PACKAGES += libgxp
+# GXP Debug dump.
+PRODUCT_PACKAGES_DEBUG += dump_gxp
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gxp/sepolicy
+
diff --git a/gxp/sepolicy/device.te b/gxp/sepolicy/device.te
new file mode 100644
index 0000000..382bc9d
--- /dev/null
+++ b/gxp/sepolicy/device.te
@@ -0,0 +1,2 @@
+# GXP device
+type gxp_device, dev_type, mlstrustedobject;
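Review bot: `gxp_device` is declared here, but nothing in this change labels a node with it: the file_contexts hunk adds no entry for `/dev/gxp`, and no genfs_contexts is added for the `sysfs_gxp` type declared in file.te. If those labels are meant to stay in per-device policy, the commit message should say so, because without them the allow rules in gxp_logging.te and hal_camera_default.te match nothing. Otherwise add a line such as `/dev/gxp    u:object_r:gxp_device:s0` to gxp/sepolicy/file_contexts. The `mlstrustedobject` attribute exempts the node from MLS constraints, so a one-line comment stating which client needs that exemption would make the grant reviewable.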
diff --git a/gxp/sepolicy/dump_gxp.te b/gxp/sepolicy/dump_gxp.te
index 61a0482..8d285c5 100644
--- a/gxp/sepolicy/dump_gxp.te
+++ b/gxp/sepolicy/dump_gxp.te
@@ -7,5 +7,7 @@
   allow dump_gxp sscoredump_vendor_data_coredump_file:file r_file_perms;
   allow dump_gxp sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
   allow dump_gxp sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+  # Allow dump_gxp to access gxp properties.
+  get_prop(google_camera_app, vendor_gxp_prop)
 ')
 
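Review bot: The added rule grants the property read to `google_camera_app`, while the comment above it and the file itself are about `dump_gxp`, so one of the two is wrong. As written, dump_gxp gets no access to `vendor_gxp_prop`. The closing `')` suggests the rule sits inside a `userdebug_or_eng` block that opens outside the hunk, in which case the camera app gets the read only on debug builds. If the dump tool is the intended subject, use `get_prop(dump_gxp, vendor_gxp_prop)`; if the camera app really needs the property, the grant belongs in its own .te file outside the debug-only block. Referencing `google_camera_app` here also makes the common policy depend on a type this change does not define.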
diff --git a/gxp/sepolicy/file.te b/gxp/sepolicy/file.te
new file mode 100644
index 0000000..278cdd9
--- /dev/null
+++ b/gxp/sepolicy/file.te
@@ -0,0 +1,2 @@
+# Gxp sysfs file
+type sysfs_gxp, sysfs_type, fs_type;
diff --git a/gxp/sepolicy/file_contexts b/gxp/sepolicy/file_contexts
index 80420f4..08bef12 100644
--- a/gxp/sepolicy/file_contexts
+++ b/gxp/sepolicy/file_contexts
@@ -1,2 +1,12 @@
-/vendor/bin/dump/dump_gxp           u:object_r:dump_gxp_exec:s0
+# GXP Vendor library
+/vendor/lib(64)?/libgxp\.so                                                 u:object_r:same_process_hal_file:s0
+
+# GXP logging service
+/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging          u:object_r:gxp_logging_exec:s0
+
+# GXP Metrics Collection Library
+/vendor/lib(64)?/gxp_metrics_logger\.so                                     u:object_r:same_process_hal_file:s0
+
+# Allow collection of debug dump.
+/vendor/bin/dump/dump_gxp                                                   u:object_r:dump_gxp_exec:s0
 
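Review bot: Both `libgxp.so` and `gxp_metrics_logger.so` are labelled `same_process_hal_file`, the label for vendor libraries that may be loaded into non-vendor processes, so the choice widens where this vendor code can run. Nothing in the hunk says which client loads each library in-process. A comment naming the consumer on each entry, e.g. `# Loaded in-process by <client>; requires same_process_hal_file`, would make the label reviewable. If the metrics logger is only linked by vendor daemons (not visible here), the default vendor file label would be the narrower choice.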
diff --git a/gxp/sepolicy/gxp_logging.te b/gxp/sepolicy/gxp_logging.te
new file mode 100644
index 0000000..fd1af7f
--- /dev/null
+++ b/gxp/sepolicy/gxp_logging.te
@@ -0,0 +1,21 @@
+type gxp_logging, domain;
+type gxp_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gxp_logging)
+
+# The logging service accesses /dev/gxp
+allow gxp_logging gxp_device:chr_file rw_file_perms;
+
+# Allow logging service to access /sys/class/gxp
+allow gxp_logging sysfs_gxp:dir search;
+allow gxp_logging sysfs_gxp:file rw_file_perms;
+
+# Allow logging service to log to stats service for reporting metrics.
+allow gxp_logging fwk_stats_service:service_manager find;
+binder_call(gxp_logging, system_server);
+binder_use(gxp_logging)
+
+# Allow logging service to read gxp properties.
+get_prop(gxp_logging, vendor_gxp_prop)
+
+# Allow gxp tracing service to send packets to Perfetto
+userdebug_or_eng(`perfetto_producer(gxp_logging)')
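Review bot: `allow gxp_logging sysfs_gxp:file rw_file_perms;` gives the logging daemon write access to every sysfs attribute carrying that label, and nothing in the comments says what the service writes. If it only reads counters or state, narrow the rule to `allow gxp_logging sysfs_gxp:file r_file_perms;`. If it does write, add a comment naming the attribute so the grant can be checked against the driver. Minor style point: `binder_call(gxp_logging, system_server);` carries a trailing semicolon that the other macro invocations in this file do not.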
diff --git a/gxp/sepolicy/hal_camera_default.te b/gxp/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..5570a2e
--- /dev/null
+++ b/gxp/sepolicy/hal_camera_default.te
@@ -0,0 +1,3 @@
+# Allow the camera hal to access the GXP device and Properties.
+allow hal_camera_default gxp_device:chr_file rw_file_perms;
+get_prop(hal_camera_default, vendor_gxp_prop)
diff --git a/gxp/sepolicy/property.te b/gxp/sepolicy/property.te
new file mode 100644
index 0000000..b9741f0
--- /dev/null
+++ b/gxp/sepolicy/property.te
@@ -0,0 +1,3 @@
+# Gxp Android properties
+system_vendor_config_prop(vendor_gxp_prop)
+
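Review bot: `system_vendor_config_prop` declares a system-owned public property type, but property_contexts binds it to the vendor-namespace prefix `vendor.gxp.` and the type lives in vendor policy. A vendor-owned macro such as `vendor_restricted_prop(vendor_gxp_prop)` would match that ownership and leave readers limited to the explicit `get_prop` grants; `vendor_internal_prop` would do if no non-vendor domain reads it. Please confirm which is intended. As I read the macro, it also already grants `set_prop(vendor_init, ...)`, which would make the rule added in vendor_init.te redundant.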
diff --git a/gxp/sepolicy/property_contexts b/gxp/sepolicy/property_contexts
new file mode 100644
index 0000000..6093c7c
--- /dev/null
+++ b/gxp/sepolicy/property_contexts
@@ -0,0 +1,3 @@
+# GXP Android Property.
+vendor.gxp.                                u:object_r:vendor_gxp_prop:s0
+
diff --git a/gxp/sepolicy/vendor_init.te b/gxp/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ec6ceab
--- /dev/null
+++ b/gxp/sepolicy/vendor_init.te
@@ -0,0 +1,3 @@
+# Gxp Android Properties.
+set_prop(vendor_init, vendor_gxp_prop)
+