authorLuK1337 <priv.luk@gmail.com>2019-06-19 19:24:01 +0200
committerGeorg Veichtlbauer <georg@vware.at>2023-06-16 10:11:08 +0200
commita59373bb4a4a121685483672b0332516d1336bfc (patch)
treec69632d4c713aaf06e2705d4267d7302687d8ca1
parentf39a2e4c3458855e3a8a99e7163840d2794abf37 (diff)
msm8998-common: sepolicy: Transition pocketmode app to its own domain
Change-Id: Id87176c2430e49851a6c65ab3490ad59ea1764a2
-rw-r--r--sepolicy/private/pocketmode_app.te13
-rw-r--r--sepolicy/private/seapp_contexts1
-rw-r--r--sepolicy/private/system_app.te3
3 files changed, 14 insertions, 3 deletions
diff --git a/sepolicy/private/pocketmode_app.te b/sepolicy/private/pocketmode_app.te
new file mode 100644
index 00000000..159b3ac8
--- /dev/null
+++ b/sepolicy/private/pocketmode_app.te
@@ -0,0 +1,13 @@
+type pocketmode_app, domain;
+
+app_domain(pocketmode_app)
+
+# Allow pocketmode_app to find app_api_service
+allow pocketmode_app app_api_service:service_manager find;
+
+# Allow pocketmode_app read and write /data/data subdirectory
+allow pocketmode_app system_app_data_file:dir create_dir_perms;
+allow pocketmode_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Allow pocketmode_app to write to sysfs_fpc_proximity
+allow pocketmode_app sysfs_fps_proximity:file { w_file_perms getattr };
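Review bot: The two `system_app_data_file` rules give pocketmode_app create and write access to a label that, as in AOSP, is carried by the data of every system-UID app, so on the data side the new domain is no narrower than system_app; the only real tightening is the sysfs grant. Since the seapp_contexts entry keeps `user=system`, the app presumably still shares the system UID, so DAC would not separate those directories either. If a dedicated data type is out of scope here, I would record the limitation above the rules, e.g. `# system_app_data_file is shared with all system-UID apps; this is not limited to pocketmode's own directory`. The last comment also names `sysfs_fpc_proximity` while the rule uses `sysfs_fps_proximity`; the comment should match the type so a grep for it finds this rule.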
diff --git a/sepolicy/private/seapp_contexts b/sepolicy/private/seapp_contexts
new file mode 100644
index 00000000..d91b70ea
--- /dev/null
+++ b/sepolicy/private/seapp_contexts
@@ -0,0 +1 @@
+user=system seinfo=platform name=org.lineageos.pocketmode domain=pocketmode_app type=system_app_data_file
diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te
index 8b9688e6..e453cfe3 100644
--- a/sepolicy/private/system_app.te
+++ b/sepolicy/private/system_app.te
@@ -1,6 +1,3 @@
get_prop(system_app, vendor_persist_camera_prop)
binder_call(system_app, storaged)
binder_call(system_app, system_suspend)
-
-# Allow PocketMode to work
-allow system_app sysfs_fps_proximity:file rw_file_perms;