Set up common sepolicy for CHRE

Bug: 248615564
Test: compilation by make sepolicy
Change-Id: I0bde64d26d0c4451343f6f7032aecc20b275feaa
diff --git a/chre/README.txt b/chre/README.txt
new file mode 100644
index 0000000..3bdea2b
--- /dev/null
+++ b/chre/README.txt
@@ -0,0 +1,5 @@
+This folder contains the common settings for CHRE shared by various platforms.
+
+Dependencies among types can happen. For example, hal_contexthub_default
+depends on sysfs_aoc at the moment. When setting up a device with CHRE
+we should make sure rules of dependent types are included too.
diff --git a/chre/hal.mk b/chre/hal.mk
new file mode 100644
index 0000000..13ebb7f
--- /dev/null
+++ b/chre/hal.mk
@@ -0,0 +1,2 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/chre/sepolicy/
+PRODUCT_PACKAGES += android.hardware.contexthub-service.generic
\ No newline at end of file
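Review bot: hal.mk adds only `device/google/gs-common/chre/sepolicy/` to `BOARD_VENDOR_SEPOLICY_DIRS`, yet the policy in that directory references types such as `aoc_device`, `sysfs_aoc`, `chre` and `hal_wifi_ext` that are defined elsewhere, so a device that includes this file without the matching sepolicy directories fails at policy build time — the README acknowledges this but the makefile does not. A comment above the first line, `# Requires the device to also include the AoC, CHRE daemon, USF and WiFi ext sepolicy (see README.txt)`, would carry the requirement to where it is consumed. The file also lacks a trailing newline (the `\ No newline at end of file` marker); adding one keeps it consistent with the other new files.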
diff --git a/chre/sepolicy/file_contexts b/chre/sepolicy/file_contexts
new file mode 100644
index 0000000..0659579
--- /dev/null
+++ b/chre/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic               u:object_r:hal_contexthub_default_exec:s0
diff --git a/chre/sepolicy/hal_contexthub_default.te b/chre/sepolicy/hal_contexthub_default.te
new file mode 100644
index 0000000..de5ca64
--- /dev/null
+++ b/chre/sepolicy/hal_contexthub_default.te
@@ -0,0 +1,29 @@
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub_default, chre, chre)
+
+# Permit communication with AoC
+allow hal_contexthub_default aoc_device:chr_file rw_file_perms;
+
+# Allow context hub HAL to determine AoC's current clock
+allow hal_contexthub_default sysfs_aoc:dir search;
+allow hal_contexthub_default sysfs_aoc_boottime:file r_file_perms;
+
+# Allow context hub HAL to create thread to watch AOC's device
+allow hal_contexthub_default aoc_device:dir r_dir_perms;
+
+# Allow context hub HAL to use the USF low latency transport
+usf_low_latency_transport(hal_contexthub_default)
+
+# Allow context hub HAL to talk to the WiFi HAL
+binder_call(hal_contexthub_default, hal_wifi_ext)
+allow hal_contexthub_default hal_wifi_ext_service:service_manager find;
+
+# Allow context hub HAL to talk to stats service
+binder_call(hal_contexthub_default, stats_service_server)
+allow hal_contexthub_default fwk_stats_service:service_manager find;
+
+# Allow context hub HAL to use WakeLock
+wakelock_use(hal_contexthub_default)
+
+# Allow context hub HAL to block suspend, which is required to use EPOLLWAKEUP
+allow hal_contexthub_default self:global_capability2_class_set block_suspend;
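Review bot: The `rw_file_perms` grant on `aoc_device:chr_file` (the rule under "Permit communication with AoC") includes `ioctl` with no ioctl filter, so every ioctl the AoC character device exposes becomes reachable from the context hub HAL domain. If the HAL needs only a fixed set of ioctls, an `allowxperm hal_contexthub_default aoc_device:chr_file ioctl { <IOCTL_LIST> };` rule beside it would narrow that surface; if it genuinely needs unrestricted ioctl, the comment above the rule should say so. The file also relies on types (`chre`, `aoc_device`, `sysfs_aoc`, `sysfs_aoc_boottime`, `hal_wifi_ext`) and the `usf_low_latency_transport` macro that this change does not define, which the README mentions; a header comment such as `# Requires the AoC, CHRE daemon, USF and WiFi ext sepolicy to be included by the device.` would make that dependency visible at the point where a missing definition breaks the build.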