thermal: move thermal selinux policy to Pixel-wide common

Bug: 146390555
Test: No avc denied and thermal_logd can print when thermal-hal activates
Change-Id: I974d67866d48aad40ce5bed2715fd0e8f078c61f
diff --git a/thermal/file_contexts b/thermal/file_contexts
new file mode 100644
index 0000000..e88d6f5
--- /dev/null
+++ b/thermal/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel                     u:object_r:hal_thermal_default_exec:s0
+/vendor/bin/thermal_logd                                                          u:object_r:init-thermal-logging-sh_exec:s0
diff --git a/thermal/genfs_contexts b/thermal/genfs_contexts
new file mode 100644
index 0000000..83f2860
--- /dev/null
+++ b/thermal/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon sysfs /devices/virtual/thermal                                        u:object_r:sysfs_thermal:s0
+genfscon sysfs /class/thermal                                                  u:object_r:sysfs_thermal:s0
diff --git a/thermal/hal_thermal_default.te b/thermal/hal_thermal_default.te
new file mode 100644
index 0000000..55073a9
--- /dev/null
+++ b/thermal/hal_thermal_default.te
@@ -0,0 +1,8 @@
+allow hal_thermal_default sysfs_thermal:dir r_dir_perms;
+allow hal_thermal_default sysfs_thermal:file rw_file_perms;
+allow hal_thermal_default proc_stat:file r_file_perms;
+
+allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# read thermal_config
+get_prop(hal_thermal_default, vendor_thermal_prop)
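Review bot: The rule `allow hal_thermal_default sysfs_thermal:file rw_file_perms;` grants write on every sysfs node labelled `sysfs_thermal`, which per thermal/genfs_contexts in this commit is everything under `/devices/virtual/thermal` and `/class/thermal`. If the HAL only writes a subset of those nodes (presumably cooling-device state; the HAL code is not visible here), a dedicated type for the writable nodes with `r_file_perms` on the rest would limit what a compromised HAL process can change. At minimum, add a comment above the rule such as `# write: <nodes the HAL sets>; everything else is read-only in practice`. The `netlink_kobject_uevent_socket` rule also has no stated reason and would benefit from a one-line comment.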
diff --git a/thermal/init-thermal-logging.sh.te b/thermal/init-thermal-logging.sh.te
new file mode 100644
index 0000000..3da540e
--- /dev/null
+++ b/thermal/init-thermal-logging.sh.te
@@ -0,0 +1,10 @@
+type init-thermal-logging-sh, domain;
+type init-thermal-logging-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-thermal-logging-sh)
+
+userdebug_or_eng(`
+  allow init-thermal-logging-sh vendor_toolbox_exec:file rx_file_perms;
+  allow init-thermal-logging-sh sysfs_thermal:dir r_dir_perms;
+  allow init-thermal-logging-sh sysfs_thermal:file r_file_perms;
+')
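Review bot: The three `allow` rules are wrapped in `userdebug_or_eng`, while the `type` declarations and `init_daemon_domain(init-thermal-logging-sh)` are unconditional, so on user builds the domain and its init transition still exist but carry none of these permissions. That looks intentional, but the file does not say so. A comment above the macro such as `# debug-only logger: no sysfs_thermal or toolbox access on user builds` would discourage a later change from moving the rules out of the block just to silence denials.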
diff --git a/thermal/property.te b/thermal/property.te
new file mode 100644
index 0000000..57065a3
--- /dev/null
+++ b/thermal/property.te
@@ -0,0 +1,2 @@
+#thermal HAL
+type vendor_thermal_prop, property_type;
diff --git a/thermal/property_contexts b/thermal/property_contexts
new file mode 100644
index 0000000..62f9d47
--- /dev/null
+++ b/thermal/property_contexts
@@ -0,0 +1 @@
+vendor.thermal.config                           u:object_r:vendor_thermal_prop:s0
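Review bot: The `vendor.thermal.config` entry has no match qualifier, so it is treated as a prefix and any property whose name starts with that string is also labelled `vendor_thermal_prop`. If only this single property is intended, `vendor.thermal.config u:object_r:vendor_thermal_prop:s0 exact string` pins the name and the value type. This matters because thermal/vendor_init.te in this commit gives `vendor_init` set access to the whole type.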
diff --git a/thermal/vendor_init.te b/thermal/vendor_init.te
new file mode 100644
index 0000000..c0f39fd
--- /dev/null
+++ b/thermal/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_thermal_prop)