Merge "Revert "sepolicy: Allow PixelGnss to connect to Chre HAL"" into 24D1-dev
diff --git a/pixelsupport/pixelsupport.mk b/pixelsupport/pixelsupport.mk
new file mode 100644
index 0000000..068c94f
--- /dev/null
+++ b/pixelsupport/pixelsupport.mk
@@ -0,0 +1,5 @@
+PRODUCT_PACKAGES += PixelSupportPrebuilt
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/vendor
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/product/private
diff --git a/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem b/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
new file mode 100644
index 0000000..40c874d
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIGBzCCA++gAwIBAgIVAJriiL3+mR75mIC8e0Xqoz59LduNMA0GCSqGSIb3DQEBCwUAMIGSMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU
+MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxLjAsBgNVBAMMJWNvbV9nb29n
+bGVfYW5kcm9pZF9hcHBzX3BpeGVsX3N1cHBvcnQwIBcNMjIxMjEyMTM1MDA3WhgPMjA1MjEyMTIx
+MzUwMDdaMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91
+bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxLjAsBgNV
+BAMMJWNvbV9nb29nbGVfYW5kcm9pZF9hcHBzX3BpeGVsX3N1cHBvcnQwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCSWvRumhZOIAZmWKcuVjc1l3OIIWc/nSRVnsfdzeRqK0jwVFcTqMDs
+kmZtEj/UTW+N91ExRzWvAQ027AcE7TGF3X2iKKAfpSB0fpVQato5RIzOrRbwgAzsIvBdVtExqSNk
+5vh8xJ0azHt6Jn77gW03Mq7AL55Si5q3vU1meeGBPD/YWeqd/oNhPfe0kAHdNnnTOnN6SBxSeO8r
+YukV4XYJ3BxgWD1sm2NI8kZ+OGAooBFflZYXoY6NVfLXm6jsqWnooAok7CrNxZc/wstiwd8yYX6f
+6R1Trox3a9xOy7E+6Rig0XhbWm4pbp3Zu0OLArUalbQ1cjd1qFy6q9maieBn14ad+UtLNOUjCx91
+hLWg/mdpYCvArQb3bBDJdjYfdoo7Q8F9QW3JrFrbIeBezM4TTdK9v/sM4+1OxEo6vwMKQM9Ata/H
+Mn89a4nFHgRqGIMKK8zh0Eob+OwiBakviVhAI1o7IONujcJ2hfuyHNPZb8sT0Rewxtw2fD/Jwj+l
+ADmlXWw553geFcwP1SqOC6j/XOeazSvV4ccCME2VZqIE4pmL+RUr+cgAyQHXPZnet74C7K9sNRV6
+JluS6inqP4lKp7gSFuVrQNYHawNPVinbeTLYEu+df3m3yrHAUpaSvsSUC6qQVWCs0sI8PC6A1+bV
+DXMsIYRvrSnmtN75vOECaQIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTODyZ1S/is
+Y/2ZuMl8B1M6kFiJwDAfBgNVHSMEGDAWgBTODyZ1S/isY/2ZuMl8B1M6kFiJwDANBgkqhkiG9w0B
+AQsFAAOCAgEAL26IGjeu8Q5tn/b4vfYa+7bRUwozAJA9Buyduw/4wVG6rIAkpEsghkgnoOvyjD72
+ncbCkDoBV3a1PLw2W/bMQWfZvYScOzc2yFwcR9LdQIiEYmtgnwuJHnqc2MDsh+MDeclblyBYfIQQ
+bpZ0JArKalSmDyul0QIcfHq+RKmGAzC3bx0xigclIZJxXEG4tyQylttnqNodAEqYdhMMRajI3w9t
+61QwqNv1KTGJt1sC2Q7NyzbZJo02Kwu711Dw6KnVgHaGKC2sRIixsvjm2s6f9/CcVasuLopkJnyl
+epPeD2jHwHdE4/c2K5ZVQeZ+R0pIOEBKwg1AVkn+/UTbhpjYCkEGP09e8T45Y+//eMlrbORJAbji
+H5cfD9aSO2z4slN4B4w+Fw9Kn+a7bsN2xhv7lvAgQ92aq9g/YS1YysZ7kSoCpmKl7rN+0V/RGRVP
+ab2Cb0C3+JewTnOAF30e7zVs9Vaq3oTAV4XFYNiDRUBU/rvv8EIZKcBdufFJmCGYUpmm1EQQdsTt
+mFMPEh5I4Qd0sy+HKvLjThcMGHqDX0bCeXkbFZdj0GXPOOt5LX8NZBdnsbVgENrZml318uLEj3ZU
+DlojsfsTlVcs5eIPX6Dkx0OdgVcMAXnLF+vjP/ygWuLqiPFPCrZD1b+2g2P9Yip3e221tuyca42b
+q3bvQEBwOsA=
+-----END CERTIFICATE-----
diff --git a/pixelsupport/sepolicy/product/private/keys.conf b/pixelsupport/sepolicy/product/private/keys.conf
new file mode 100644
index 0000000..eff6067
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/keys.conf
@@ -0,0 +1,2 @@
+[@PIXELSUPPORT]
+ALL : device/google/gs-common/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
diff --git a/pixelsupport/sepolicy/product/private/mac_permissions.xml b/pixelsupport/sepolicy/product/private/mac_permissions.xml
new file mode 100644
index 0000000..cb8d42a
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/mac_permissions.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <!-- PixelSupport app key -->
+    <signer signature="@PIXELSUPPORT" >
+      <seinfo value="PixelSupport" />
+    </signer>
+</policy>
diff --git a/pixelsupport/sepolicy/product/private/pixelsupport_app.te b/pixelsupport/sepolicy/product/private/pixelsupport_app.te
new file mode 100644
index 0000000..be6f7dd
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/pixelsupport_app.te
@@ -0,0 +1,11 @@
+typeattribute pixelsupport_app coredomain;
+
+app_domain(pixelsupport_app)
+# Access the network.
+net_domain(pixelsupport_app)
+# Access bluetooth.
+bluetooth_domain(pixelsupport_app)
+
+allow pixelsupport_app app_api_service:service_manager find;
+allow pixelsupport_app radio_service:service_manager find;
+
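Review bot: The two `allow ... :service_manager find` rules at the end of this file have no rationale, unlike the commented `net_domain` and `bluetooth_domain` lines above them. `radio_service` in particular is a broad grant for a domain that already has network and Bluetooth access, so a comment such as `# Needed for <feature>: looks up <telephony service> via ServiceManager.` would let a later reviewer judge whether it can be narrowed. If the app does not use telephony, dropping the `radio_service` rule is the least-privilege choice.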
diff --git a/pixelsupport/sepolicy/product/private/seapp_contexts b/pixelsupport/sepolicy/product/private/seapp_contexts
new file mode 100644
index 0000000..f16a054
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/seapp_contexts
@@ -0,0 +1,2 @@
+# Pixel Support App
+user=_app seinfo=PixelSupport name=com.google.android.apps.pixel.support domain=pixelsupport_app type=app_data_file isPrivApp=true levelFrom=user
diff --git a/pixelsupport/sepolicy/product/public/pixelsupport_app.te b/pixelsupport/sepolicy/product/public/pixelsupport_app.te
new file mode 100644
index 0000000..1846ac9
--- /dev/null
+++ b/pixelsupport/sepolicy/product/public/pixelsupport_app.te
@@ -0,0 +1,2 @@
+type pixelsupport_app, domain;
+
diff --git a/pixelsupport/sepolicy/vendor/pixelsupport_app.te b/pixelsupport/sepolicy/vendor/pixelsupport_app.te
new file mode 100644
index 0000000..e3b380c
--- /dev/null
+++ b/pixelsupport/sepolicy/vendor/pixelsupport_app.te
@@ -0,0 +1,2 @@
+set_prop(pixelsupport_app, vendor_gti_prop)
+
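Review bot: `set_prop(pixelsupport_app, vendor_gti_prop)` lets the app domain write every property under the `vendor.touch.gti0.` prefix labelled in touch/gti/sepolicy/property_contexts, not only the command property. That includes `vendor.touch.gti0.ical.state` and `.ical.result`, which the `gti_ical` service publishes and which init waits on, so an app write can make them disagree with the real calibration state. Consider labelling the command property on its own with an exact-match entry, e.g. `vendor.touch.gti0.ical u:object_r:<new_cmd_prop_type>:s0 exact string` (type name is a placeholder). The app would then get `set_prop` on that type only, plus `get_prop` on `vendor_gti_prop`.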
diff --git a/touch/gti/Android.bp b/touch/gti/Android.bp
index c066d0d..7f2eb66 100644
--- a/touch/gti/Android.bp
+++ b/touch/gti/Android.bp
@@ -17,3 +17,19 @@
     vendor: true,
     sub_dir: "dump",
 }
+
+cc_binary {
+    name: "touch_gti_ical",
+    srcs: ["touch_gti_ical.cpp"],
+    cflags: [
+        "-Wall",
+        "-Wextra",
+        "-Werror",
+    ],
+    shared_libs: [
+        "libbase",
+        "libcutils",
+        "liblog",
+    ],
+    vendor: true,
+}
diff --git a/touch/gti/gti.mk b/touch/gti/gti.mk
index 171534f..a2c7cf7 100644
--- a/touch/gti/gti.mk
+++ b/touch/gti/gti.mk
@@ -1,3 +1,4 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/gti/sepolicy
 
 PRODUCT_PACKAGES += dump_gti0.sh
+PRODUCT_PACKAGES += touch_gti_ical
diff --git a/touch/gti/init.touch.gti0.rc b/touch/gti/init.touch.gti0.rc
index 31856ea..5f8318e 100644
--- a/touch/gti/init.touch.gti0.rc
+++ b/touch/gti/init.touch.gti0.rc
@@ -24,3 +24,15 @@
     chown system system /proc/goog_touch_interface/gti.0/ss_base
     chown system system /proc/goog_touch_interface/gti.0/ss_diff
     chown system system /proc/goog_touch_interface/gti.0/ss_raw
+
+on property:vendor.touch.gti0.ical=*
+    setprop vendor.touch.gti0.ical.state init
+    start touch_gti0_ical
+    wait_for_prop vendor.touch.gti0.ical.state done
+
+service touch_gti0_ical /vendor/bin/touch_gti_ical 0 ${vendor.touch.gti0.ical}
+    class main
+    user system
+    group system shell
+    disabled
+    oneshot
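Review bot: `group system shell` gives the service the `shell` supplementary group, and nothing visible in this change needs it; `group system` looks sufficient unless the sysfs node is shell-owned. The action also blocks on `wait_for_prop vendor.touch.gti0.ical.state done`, which as far as I know has no timeout. Init stops running queued commands until the oneshot reports back, so a start failure or crash in `touch_gti_ical` would leave it waiting. Consider dropping the wait, since consumers can watch the state property themselves, or add a comment explaining why init must serialize on it. The same applies to the identical stanza in init.touch.gti1.rc.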
diff --git a/touch/gti/init.touch.gti1.rc b/touch/gti/init.touch.gti1.rc
index a4de328..ba99210 100644
--- a/touch/gti/init.touch.gti1.rc
+++ b/touch/gti/init.touch.gti1.rc
@@ -24,3 +24,15 @@
     chown system system /proc/goog_touch_interface/gti.1/ss_base
     chown system system /proc/goog_touch_interface/gti.1/ss_diff
     chown system system /proc/goog_touch_interface/gti.1/ss_raw
+
+on property:vendor.touch.gti1.ical=*
+    setprop vendor.touch.gti1.ical.state init
+    start touch_gti1_ical
+    wait_for_prop vendor.touch.gti1.ical.state done
+
+service touch_gti1_ical /vendor/bin/touch_gti_ical 1 ${vendor.touch.gti1.ical}
+    class main
+    user system
+    group system shell
+    disabled
+    oneshot
diff --git a/touch/gti/sepolicy/file_contexts b/touch/gti/sepolicy/file_contexts
index 5c429b7..37e3733 100644
--- a/touch/gti/sepolicy/file_contexts
+++ b/touch/gti/sepolicy/file_contexts
@@ -1,2 +1,2 @@
 /vendor/bin/dump/dump_gti0\.sh      u:object_r:dump_gti_exec:s0
-
+/vendor/bin/touch_gti_ical          u:object_r:gti_ical_exec:s0
diff --git a/touch/gti/sepolicy/gti_ical.te b/touch/gti/sepolicy/gti_ical.te
new file mode 100644
index 0000000..228782c
--- /dev/null
+++ b/touch/gti/sepolicy/gti_ical.te
@@ -0,0 +1,8 @@
+type gti_ical, domain;
+type gti_ical_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gti_ical)
+
+allow gti_ical sysfs_touch_gti:file rw_file_perms;
+allow gti_ical sysfs_touch_gti:dir search;
+
+set_prop(gti_ical, vendor_gti_prop)
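Review bot: `allow gti_ical sysfs_touch_gti:file rw_file_perms;` grants read/write on every node carrying the `sysfs_touch_gti` label, while the binary added in this commit only opens `interactive_calibrate`. The genfs labelling is not part of this diff, so the breadth is inferred. If that label covers the whole `goog_touch_interface` directory, a dedicated type for the calibrate node would keep this domain to the one file it needs. At minimum add a comment above the rule, for example `# touch_gti_ical reads/writes gti.N/interactive_calibrate only.`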
diff --git a/touch/gti/sepolicy/property.te b/touch/gti/sepolicy/property.te
new file mode 100644
index 0000000..2a71d74
--- /dev/null
+++ b/touch/gti/sepolicy/property.te
@@ -0,0 +1 @@
+system_public_prop(vendor_gti_prop)
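Review bot: `system_public_prop(vendor_gti_prop)` declares a `vendor.`-prefixed property, defined in vendor sepolicy, as a system-owned public property. `vendor_public_prop(vendor_gti_prop)` looks like the matching macro, and I believe it still permits the cross-partition write the PixelSupport app needs — please confirm against the property neverallow rules. Whichever macro is kept, a one-line comment saying who sets and who reads the property would help, since it is writable from outside the vendor partition.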
diff --git a/touch/gti/sepolicy/property_contexts b/touch/gti/sepolicy/property_contexts
new file mode 100644
index 0000000..e3badcd
--- /dev/null
+++ b/touch/gti/sepolicy/property_contexts
@@ -0,0 +1 @@
+vendor.touch.gti0.     u:object_r:vendor_gti_prop:s0
diff --git a/touch/gti/sepolicy/vendor_init.te b/touch/gti/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ed0ebda
--- /dev/null
+++ b/touch/gti/sepolicy/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_gti_prop)
diff --git a/touch/gti/sepolicy_gti_dual/property_contexts b/touch/gti/sepolicy_gti_dual/property_contexts
new file mode 100644
index 0000000..c3530ff
--- /dev/null
+++ b/touch/gti/sepolicy_gti_dual/property_contexts
@@ -0,0 +1 @@
+vendor.touch.gti1.     u:object_r:vendor_gti_prop:s0
diff --git a/touch/gti/touch_gti_ical.cpp b/touch/gti/touch_gti_ical.cpp
new file mode 100644
index 0000000..0aabd9e
--- /dev/null
+++ b/touch/gti/touch_gti_ical.cpp
@@ -0,0 +1,101 @@
+/*
+ ** Copyright 2024, The Android Open Source Project
+ **
+ ** Licensed under the Apache License, Version 2.0 (the "License");
+ ** you may not use this file except in compliance with the License.
+ ** You may obtain a copy of the License at
+ **
+ **     http://www.apache.org/licenses/LICENSE-2.0
+ **
+ ** Unless required by applicable law or agreed to in writing, software
+ ** distributed under the License is distributed on an "AS IS" BASIS,
+ ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ** See the License for the specific language governing permissions and
+ ** limitations under the License.
+ */
+#define LOG_TAG "touch_gti_ical"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#ifdef __ANDROID__
+#include <cutils/properties.h>
+#include <cutils/log.h>
+#else
+#define property_set
+#define property_get
+#define ALOGI printf
+#define ALOGW printf
+#endif
+
+int main(int argc, char *argv[])
+{
+	char *line = NULL;
+	size_t len = 0;
+	FILE *ical_fd;
+	const char *ical_state_prop[2] = {
+		[0] = "vendor.touch.gti0.ical.state",
+		[1] = "vendor.touch.gti1.ical.state",
+	};
+	const char *ical_result_prop[2] = {
+		[0] = "vendor.touch.gti0.ical.result",
+		[1] = "vendor.touch.gti1.ical.result",
+	};
+	const char *ical_sysfs[2] = {
+		[0] = "/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate",
+		[1] = "/sys/devices/virtual/goog_touch_interface/gti.1/interactive_calibrate",
+	};
+	const char *ical_state_prop_path = ical_state_prop[0];
+	const char *ical_result_prop_path = ical_result_prop[0];
+	const char *ical_sysfs_path = ical_sysfs[0];
+
+	if (argc < 3) {
+		ALOGW("No target dev or command for interactive_calibrate sysfs.\n");
+		property_set(ical_state_prop[0], "done");
+		property_set(ical_state_prop[1], "done");
+		return 0;
+	}
+
+	if (strncmp(argv[1], "1", strlen(argv[1])) == 0 ||
+		strncmp(argv[1], "gti1", strlen(argv[1])) == 0 ||
+		strncmp(argv[1], "gti.1", strlen(argv[1])) == 0) {
+		ical_state_prop_path = ical_state_prop[1];
+		ical_result_prop_path = ical_result_prop[1];
+		ical_sysfs_path = ical_sysfs[1];
+	}
+
+	property_set(ical_result_prop_path, "na");
+	property_set(ical_state_prop_path, "running");
+	if (access(ical_sysfs_path, F_OK | R_OK | W_OK)) {
+		ALOGW("Can't access %s\n", ical_sysfs_path);
+		property_set(ical_state_prop_path, "done");
+		return 0;
+	}
+
+	ical_fd = fopen(ical_sysfs_path, "r+");
+	if (ical_fd == NULL) {
+		ALOGW("Can't fopen %s\n", ical_sysfs_path);
+		property_set(ical_state_prop_path, "done");
+		return 0;
+	}
+
+	if (strncmp(argv[2], "read", strlen(argv[2])) == 0) {
+		getline(&line, &len, ical_fd);
+		if (line != NULL) {
+			property_set(ical_state_prop_path, "read");
+			property_set(ical_result_prop_path, line);
+			ALOGI("read: %s => %s", ical_sysfs_path, line);
+			free(line);
+		}
+	} else {
+		property_set(ical_state_prop_path, argv[2]);
+		fwrite(argv[2], 1, strlen(argv[2]), ical_fd);
+		ALOGI("write: %s => %s\n", argv[2], ical_sysfs_path);
+	}
+	property_set(ical_state_prop_path, "done");
+
+	fclose(ical_fd);
+	return 0;
+}
+