Merge "allow insmod to set nice and scheduler am: af8c56b929 am: 4548fd7fc2" into rvc-qpr-dev-plus-aosp am: a5d2cfb012
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/google/pixel-sepolicy/+/12172822
Change-Id: I307a63379a6eb6ac1df6f164ccfb75f43df102e9
diff --git a/citadel/README.md b/citadel/README.md
new file mode 100644
index 0000000..40b330b
--- /dev/null
+++ b/citadel/README.md
@@ -0,0 +1,7 @@
+### Citadel SELinux rules
+
+This directory contains all the SELinux rules for communication with the
+apps on Citadel. For more information on Citadel, see
+[go/nugget-os](https://goto.google.com/nugget-os) or the
+[`external/nos`](../../../../external/nos) and
+[`vendor/google_nos`](../../../../vendor/google_nos) directories.
diff --git a/citadel/citadel_provision.te b/citadel/citadel_provision.te
new file mode 100644
index 0000000..5605085
--- /dev/null
+++ b/citadel/citadel_provision.te
@@ -0,0 +1,6 @@
+type citadel_provision, domain;
+type citadel_provision_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(citadel_provision)
+')
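Review bot: The `citadel_provision` type is declared on every build, but `init_daemon_domain(citadel_provision)` sits inside `userdebug_or_eng`, and nothing in the file says this split is deliberate. If the tool is meant to be debug-only, a header comment such as `# CitadelProvision is only started by init on userdebug/eng builds` would record that. The `/vendor/bin/CitadelProvision` entry in citadel/file_contexts is unconditional, so it is worth confirming whether the binary ships on user builds at all.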
diff --git a/citadel/citadeld.te b/citadel/citadeld.te
new file mode 100644
index 0000000..a1b7a6d
--- /dev/null
+++ b/citadel/citadeld.te
@@ -0,0 +1,17 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(citadeld)
+add_service(citadeld, citadeld_service)
+
+allow citadeld citadel_device:chr_file rw_file_perms;
+
+init_daemon_domain(citadeld)
+
+binder_call(citadeld, hal_power_stats_default)
+
+# Let citadeld find and use statsd.
+hwbinder_use(citadeld)
+get_prop(citadeld, hwservicemanager_prop)
+allow citadeld fwk_stats_hwservice:hwservice_manager find;
+binder_call(citadeld, stats_service_server)
diff --git a/citadel/device.te b/citadel/device.te
new file mode 100644
index 0000000..f63186f
--- /dev/null
+++ b/citadel/device.te
@@ -0,0 +1 @@
+type citadel_device, dev_type;
diff --git a/citadel/file.te b/citadel/file.te
new file mode 100644
index 0000000..951393e
--- /dev/null
+++ b/citadel/file.te
@@ -0,0 +1 @@
+type hal_rebootescrow_citadel_data_file, file_type, data_file_type;
diff --git a/citadel/file_contexts b/citadel/file_contexts
new file mode 100644
index 0000000..d749e46
--- /dev/null
+++ b/citadel/file_contexts
@@ -0,0 +1,10 @@
+/data/vendor/rebootescrow(/.*)? u:object_r:hal_rebootescrow_citadel_data_file:s0
+/dev/citadel0 u:object_r:citadel_device:s0
+/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
+/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
+/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0
diff --git a/citadel/hal_keymaster_citadel.te b/citadel/hal_keymaster_citadel.te
new file mode 100644
index 0000000..dd0a735
--- /dev/null
+++ b/citadel/hal_keymaster_citadel.te
@@ -0,0 +1,11 @@
+type hal_keymaster_citadel, domain;
+type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_keymaster_citadel)
+binder_call(hal_keymaster_citadel, citadeld)
+allow hal_keymaster_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_keymaster_citadel, hal_keymaster)
+init_daemon_domain(hal_keymaster_citadel)
+
+get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop)
diff --git a/citadel/hal_rebootescrow_citadel.te b/citadel/hal_rebootescrow_citadel.te
new file mode 100644
index 0000000..c85ce20
--- /dev/null
+++ b/citadel/hal_rebootescrow_citadel.te
@@ -0,0 +1,15 @@
+type hal_rebootescrow_citadel, domain;
+type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow)
+
+vndbinder_use(hal_rebootescrow_citadel)
+binder_call(hal_rebootescrow_citadel, citadeld)
+allow hal_rebootescrow_citadel citadeld_service:service_manager find;
+
+hal_client_domain(hal_rebootescrow_citadel, hal_keymaster)
+
+init_daemon_domain(hal_rebootescrow_citadel)
+
+allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms;
+allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms;
diff --git a/citadel/hal_weaver_citadel.te b/citadel/hal_weaver_citadel.te
new file mode 100644
index 0000000..aa16960
--- /dev/null
+++ b/citadel/hal_weaver_citadel.te
@@ -0,0 +1,11 @@
+type hal_weaver_citadel, domain;
+type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_weaver_citadel)
+binder_call(hal_weaver_citadel, citadeld)
+allow hal_weaver_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_weaver_citadel, hal_weaver)
+hal_server_domain(hal_weaver_citadel, hal_oemlock)
+hal_server_domain(hal_weaver_citadel, hal_authsecret)
+init_daemon_domain(hal_weaver_citadel)
diff --git a/citadel/init_citadel.te b/citadel/init_citadel.te
new file mode 100644
index 0000000..1459ef4
--- /dev/null
+++ b/citadel/init_citadel.te
@@ -0,0 +1,17 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+type citadel_updater_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_citadel)
+
+# Citadel communication must be via citadeld
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
+allow init_citadel citadeld_service:service_manager find;
+
+# Many standard utils are actually vendor_toolbox (like xxd)
+allow init_citadel vendor_toolbox_exec:file rx_file_perms;
+
+# init_citadel needs to invoke citadel_updater
+allow init_citadel citadel_updater_exec:file rx_file_perms;
+allow init_citadel citadel_device:chr_file rw_file_perms;
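Review bot: The comment `# Citadel communication must be via citadeld` is contradicted by the last rule, `allow init_citadel citadel_device:chr_file rw_file_perms;`, which gives init_citadel direct read/write on the device node. Because `citadel_updater_exec` is granted with `rx_file_perms` and no domain transition is defined, the updater presumably runs inside the init_citadel domain and is the reason for the direct access. If so, give that rule its own comment, e.g. `# citadel_updater runs in this domain and opens the Citadel device directly`; otherwise drop the rule so citadeld stays the only path to the chip from this domain. The `recovery_only` grant on `citadel_device` in citadel/recovery.te is likewise uncommented and would benefit from a one-line reason.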
diff --git a/citadel/recovery.te b/citadel/recovery.te
new file mode 100644
index 0000000..c68244f
--- /dev/null
+++ b/citadel/recovery.te
@@ -0,0 +1,3 @@
+recovery_only(`
+ allow recovery citadel_device:chr_file rw_file_perms;
+')
diff --git a/citadel/vndservice.te b/citadel/vndservice.te
new file mode 100644
index 0000000..880c09c
--- /dev/null
+++ b/citadel/vndservice.te
@@ -0,0 +1 @@
+type citadeld_service, vndservice_manager_type;
diff --git a/citadel/vndservice_contexts b/citadel/vndservice_contexts
new file mode 100644
index 0000000..b4df996
--- /dev/null
+++ b/citadel/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
diff --git a/citadel/wait_for_strongbox.te b/citadel/wait_for_strongbox.te
new file mode 100644
index 0000000..960d063
--- /dev/null
+++ b/citadel/wait_for_strongbox.te
@@ -0,0 +1,9 @@
+# wait_for_strongbox service
+type wait_for_strongbox, domain;
+type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wait_for_strongbox)
+
+hal_client_domain(wait_for_strongbox, hal_keymaster)
+
+allow wait_for_strongbox kmsg_device:chr_file w_file_perms;
diff --git a/googlebattery/file.te b/googlebattery/file.te
new file mode 100644
index 0000000..07958e4
--- /dev/null
+++ b/googlebattery/file.te
@@ -0,0 +1 @@
+type sysfs_charge, sysfs_type, fs_type;
diff --git a/googlebattery/file_contexts b/googlebattery/file_contexts
new file mode 100644
index 0000000..f4fc712
--- /dev/null
+++ b/googlebattery/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.google_battery@1\.0-service-vendor u:object_r:hal_googlebattery_exec:s0
diff --git a/googlebattery/genfs_contexts b/googlebattery/genfs_contexts
new file mode 100644
index 0000000..8e93a8a
--- /dev/null
+++ b/googlebattery/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon sysfs /devices/platform/soc/soc:google,battery/power_supply/battery/charge_deadline u:object_r:sysfs_charge:s0
+genfscon sysfs /devices/platform/soc/soc:google,battery/power_supply/battery/charge_stage u:object_r:sysfs_charge:s0
diff --git a/googlebattery/hal_googlebattery.te b/googlebattery/hal_googlebattery.te
new file mode 100644
index 0000000..54ec279
--- /dev/null
+++ b/googlebattery/hal_googlebattery.te
@@ -0,0 +1,13 @@
+type hal_googlebattery, domain;
+type hal_googlebattery_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_googlebattery)
+
+r_dir_file(hal_googlebattery, sysfs_batteryinfo)
+
+allow hal_googlebattery sysfs_charge:file rw_file_perms;
+allow hal_googlebattery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+hwbinder_use(hal_googlebattery)
+add_hwservice(hal_googlebattery, hal_googlebattery_hwservice)
+get_prop(hal_googlebattery, hwservicemanager_prop)
diff --git a/googlebattery/hwservice.te b/googlebattery/hwservice.te
new file mode 100644
index 0000000..40323ef
--- /dev/null
+++ b/googlebattery/hwservice.te
@@ -0,0 +1 @@
+type hal_googlebattery_hwservice, hwservice_manager_type;
diff --git a/googlebattery/hwservice_contexts b/googlebattery/hwservice_contexts
new file mode 100644
index 0000000..40f1526
--- /dev/null
+++ b/googlebattery/hwservice_contexts
@@ -0,0 +1 @@
+vendor.google.google_battery::IGoogleBattery u:object_r:hal_googlebattery_hwservice:s0
diff --git a/googlebattery/platform_app.te b/googlebattery/platform_app.te
new file mode 100644
index 0000000..0ee586f
--- /dev/null
+++ b/googlebattery/platform_app.te
@@ -0,0 +1,3 @@
+# allow SystemUI to find and bind Google Battery HAL
+allow platform_app hal_googlebattery_hwservice:hwservice_manager find;
+binder_call(platform_app, hal_googlebattery)
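Review bot: The comment names SystemUI, but both rules are granted to `platform_app`, so every app running in that domain can find `hal_googlebattery_hwservice` and call into the HAL. The HAL domain holds `rw_file_perms` on `sysfs_charge` (googlebattery/hal_googlebattery.te), so callers may be able to reach whatever charge controls the interface exposes. Either state the real scope in the comment, `# platform_app (incl. SystemUI): find and call the Google Battery HAL`, or confirm that the HAL validates its callers. The same applies to `system_app` in googlebattery/system_app.te, where the comment names only Settings.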
diff --git a/googlebattery/system_app.te b/googlebattery/system_app.te
new file mode 100644
index 0000000..05723bf
--- /dev/null
+++ b/googlebattery/system_app.te
@@ -0,0 +1,3 @@
+# To allow Settings to find and bind Google Battery HAL
+allow system_app hal_googlebattery_hwservice:hwservice_manager find;
+binder_call(system_app, hal_googlebattery)
diff --git a/googlebattery/turbo_adapter.te b/googlebattery/turbo_adapter.te
new file mode 100644
index 0000000..33f99cd
--- /dev/null
+++ b/googlebattery/turbo_adapter.te
@@ -0,0 +1,3 @@
+# To find and bind Google Battery HAL
+allow turbo_adapter hal_googlebattery_hwservice:hwservice_manager find;
+binder_call(turbo_adapter, hal_googlebattery)
diff --git a/ramdump/bug_map b/ramdump/bug_map
new file mode 100644
index 0000000..27412d8
--- /dev/null
+++ b/ramdump/bug_map
@@ -0,0 +1,2 @@
+ramdump vendor_hw_plat_prop file 161103878
+ramdump public_vendor_default_prop file 161103878
diff --git a/ramdump/common/file.te b/ramdump/common/file.te
new file mode 100644
index 0000000..e1382df
--- /dev/null
+++ b/ramdump/common/file.te
@@ -0,0 +1,2 @@
+type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
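Review bot: Both ramdump types carry `mlstrustedobject`, which exempts them from MLS constraints, and they are declared outside any `userdebug_or_eng` guard, yet no comment says which cross-level reader needs the exemption. RAM dumps can hold arbitrary memory contents, so the attribute deserves a stated reason, e.g. `# mlstrustedobject: read by <consumer domain> running at a different MLS level`. If no such consumer exists, dropping the attribute keeps both type enforcement and MLS separation in force on these files.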
diff --git a/ramdump/common/file_contexts b/ramdump/common/file_contexts
new file mode 100644
index 0000000..c0c087f
--- /dev/null
+++ b/ramdump/common/file_contexts
@@ -0,0 +1,2 @@
+/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
+/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
diff --git a/ramdump/common/property.te b/ramdump/common/property.te
new file mode 100644
index 0000000..51a37c8
--- /dev/null
+++ b/ramdump/common/property.te
@@ -0,0 +1 @@
+type vendor_ramdump_prop, property_type;
diff --git a/ramdump/common/property_contexts b/ramdump/common/property_contexts
new file mode 100644
index 0000000..25749fa
--- /dev/null
+++ b/ramdump/common/property_contexts
@@ -0,0 +1,2 @@
+ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
+vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
diff --git a/ramdump/file.te b/ramdump/file.te
new file mode 100644
index 0000000..3fa2b2f
--- /dev/null
+++ b/ramdump/file.te
@@ -0,0 +1 @@
+allow ramdump_vendor_mnt_file self:filesystem associate;
diff --git a/ramdump/file_contexts b/ramdump/file_contexts
new file mode 100644
index 0000000..590e61b
--- /dev/null
+++ b/ramdump/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/ramdump u:object_r:ramdump_exec:s0
diff --git a/ramdump/ramdump.te b/ramdump/ramdump.te
new file mode 100644
index 0000000..d8f0335
--- /dev/null
+++ b/ramdump/ramdump.te
@@ -0,0 +1,39 @@
+type ramdump_exec, exec_type, vendor_file_type, file_type;
+type ramdump, domain;
+
+userdebug_or_eng(`
+ init_daemon_domain(ramdump)
+
+ set_prop(ramdump, vendor_ramdump_prop)
+
+ # f2fs set pin file requires sys_admin
+ allow ramdump self:capability { sys_admin sys_rawio };
+
+ allow ramdump ramdump_vendor_data_file:dir create_dir_perms;
+ allow ramdump ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump proc_cmdline:file r_file_perms;
+
+ allow ramdump block_device:dir search;
+ allow ramdump misc_block_device:blk_file rw_file_perms;
+ allow ramdump userdata_block_device:blk_file rw_file_perms;
+
+ dontaudit ramdump metadata_file:dir search;
+
+ # read /fstab.${ro.hardware}
+ allow ramdump rootfs:file r_file_perms;
+
+ r_dir_file(ramdump, sysfs_type)
+
+ # To access statsd.
+ hwbinder_use(ramdump)
+ get_prop(ramdump, hwservicemanager_prop)
+ allow ramdump fwk_stats_hwservice:hwservice_manager find;
+ binder_call(ramdump, stats_service_server)
+
+ # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump.
+ allow ramdump fuse:filesystem relabelfrom;
+ allow ramdump fuse_device:chr_file rw_file_perms;
+ allow ramdump mnt_vendor_file:dir r_dir_perms;
+ allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton };
+ allow ramdump ramdump_vendor_mnt_file:filesystem { mount unmount relabelfrom relabelto };
+')
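Review bot: The comment `# f2fs set pin file requires sys_admin` justifies only half of `allow ramdump self:capability { sys_admin sys_rawio };`, leaving `sys_rawio` with no stated reason. The `rw_file_perms` grants on `misc_block_device` and `userdata_block_device` and the blanket `r_dir_file(ramdump, sysfs_type)` are also unexplained. These are the broadest rules in the commit. The block is confined to `userdebug_or_eng`, but a per-rule comment such as `# sys_rawio: <reason>` would let a later reviewer tell what can be removed. If only specific sysfs nodes are read, labelling those nodes and replacing `sysfs_type` with the narrower type would shrink the grant.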
diff --git a/vibrator/common/file_contexts b/vibrator/common/file_contexts
index 8bdbb99..d1b1060 100644
--- a/vibrator/common/file_contexts
+++ b/vibrator/common/file_contexts
@@ -1 +1,2 @@
-/mnt/vendor/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
+/mnt/vendor/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
+/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
diff --git a/vibrator/common/property.te b/vibrator/common/property.te
new file mode 100644
index 0000000..3036935
--- /dev/null
+++ b/vibrator/common/property.te
@@ -0,0 +1 @@
+type vendor_vibrator_prop, property_type;
diff --git a/vibrator/drv2624/hal_vibrator_default.te b/vibrator/drv2624/hal_vibrator_default.te
new file mode 100644
index 0000000..e015251
--- /dev/null
+++ b/vibrator/drv2624/hal_vibrator_default.te
@@ -0,0 +1,7 @@
+allow hal_vibrator_default sysfs_leds:dir search;
+
+allow hal_vibrator_default mnt_vendor_file:dir search;
+allow hal_vibrator_default persist_file:dir search;
+r_dir_file(hal_vibrator_default, persist_haptics_file)
+
+get_prop(hal_vibrator_default, vendor_vibrator_prop);
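Review bot: `get_prop(hal_vibrator_default, vendor_vibrator_prop);` ends with a semicolon, while the other macro calls in this commit are written without one (compare `r_dir_file(hal_vibrator_default, persist_haptics_file)` two lines up). The macro expansion already terminates its own rules, so the trailing `;` is at best redundant; write `get_prop(hal_vibrator_default, vendor_vibrator_prop)`. The same stray semicolon appears on `add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice);` in wifi_ext/hal_wifi_ext.te.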
diff --git a/vibrator/drv2624/property_contexts b/vibrator/drv2624/property_contexts
new file mode 100644
index 0000000..f008230
--- /dev/null
+++ b/vibrator/drv2624/property_contexts
@@ -0,0 +1 @@
+ro.vibrator.hal. u:object_r:vendor_vibrator_prop:s0
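Review bot: `ro.vibrator.hal.` is labelled with a vendor-owned type but sits outside the vendor property namespaces (`vendor.`, `ro.vendor.`, `persist.vendor.`), unlike `vendor.debug.ramdump.` in ramdump/common/property_contexts. A prefix in the shared `ro.` space can collide with a platform property context, and the name does not show who owns it. If the HAL and its init scripts can be changed together, `ro.vendor.vibrator.hal.` would be the conventional spelling; otherwise a comment explaining why the legacy prefix is kept would help.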
diff --git a/vibrator/drv2624/vendor_init.te b/vibrator/drv2624/vendor_init.te
new file mode 100644
index 0000000..417a40c
--- /dev/null
+++ b/vibrator/drv2624/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_vibrator_prop)
diff --git a/wifi_ext/file_contexts b/wifi_ext/file_contexts
new file mode 100644
index 0000000..acbd266
--- /dev/null
+++ b/wifi_ext/file_contexts
@@ -0,0 +1,3 @@
+# Wifi
+/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0
diff --git a/wifi_ext/hal_wifi_ext.te b/wifi_ext/hal_wifi_ext.te
new file mode 100644
index 0000000..091f211
--- /dev/null
+++ b/wifi_ext/hal_wifi_ext.te
@@ -0,0 +1,8 @@
+type hal_wifi_ext, domain;
+hal_server_domain(hal_wifi_ext, hal_wifi)
+
+type hal_wifi_ext_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_ext)
+
+# Allow to start the IWifi:wifi_ext service
+add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice);
diff --git a/wifi_ext/hwservice.te b/wifi_ext/hwservice.te
new file mode 100644
index 0000000..1fe9148
--- /dev/null
+++ b/wifi_ext/hwservice.te
@@ -0,0 +1,2 @@
+# wifi_ext service
+type hal_wifi_ext_hwservice, hwservice_manager_type;
diff --git a/wifi_ext/hwservice_contexts b/wifi_ext/hwservice_contexts
new file mode 100644
index 0000000..e8de4ce
--- /dev/null
+++ b/wifi_ext/hwservice_contexts
@@ -0,0 +1,2 @@
+# Wifi
+vendor.google.wifi_ext::IWifiExt u:object_r:hal_wifi_ext_hwservice:s0