authordianlujitao <dianlujitao@lineageos.org>2019-03-16 15:58:07 +0800
committerdianlujitao <dianlujitao@lineageos.org>2019-06-16 14:19:10 +0800
commit16c0c7fcdfd4b29cc8677df2cae254927617529f (patch)
treee4dcee7d2fb552e82239df61a100199cb273abe1
parent19588d3b2fbaeba13ffc4adad2866f33bc2b0bd5 (diff)
op3: Update sepolicy for P blobs
Change-Id: I0a0b7f4bd3720b7b90aaccd94785a14099da6f4b
-rw-r--r--BoardConfig.mk1
-rw-r--r--sepolicy/dashd.te4
-rw-r--r--sepolicy/domain.te8
-rw-r--r--sepolicy/file.te1
-rw-r--r--sepolicy/file_contexts13
-rw-r--r--sepolicy/hal_bluetooth_qti.te1
-rw-r--r--sepolicy/hal_camera_default.te13
-rw-r--r--sepolicy/hal_fingerprint_default.te3
-rw-r--r--sepolicy/hal_ifaa.te21
-rw-r--r--sepolicy/hal_nfc_default.te7
-rw-r--r--sepolicy/hal_param.te12
-rw-r--r--sepolicy/hal_perf_default.te5
-rw-r--r--sepolicy/hwservice.te2
-rw-r--r--sepolicy/hwservice_contexts3
-rw-r--r--sepolicy/ifaadaemon.te24
-rw-r--r--sepolicy/init.te2
-rw-r--r--sepolicy/mm-qcamerad.te10
-rw-r--r--sepolicy/netmgrd.te1
-rw-r--r--sepolicy/ota.te36
-rw-r--r--sepolicy/platform_app.te1
-rw-r--r--sepolicy/property.te1
-rw-r--r--sepolicy/property_contexts16
-rw-r--r--sepolicy/public/attributes3
-rw-r--r--sepolicy/qti_init_shell.te1
-rw-r--r--sepolicy/rild.te10
-rw-r--r--sepolicy/rmt_storage.te2
-rw-r--r--sepolicy/service.te1
-rw-r--r--sepolicy/service_contexts1
-rw-r--r--sepolicy/system_app.te3
-rw-r--r--sepolicy/system_server.te2
-rw-r--r--sepolicy/vendor_init.te5
-rw-r--r--sepolicy/vold.te1
-rw-r--r--sepolicy/webview_zygote.te1
33 files changed, 98 insertions, 117 deletions
diff --git a/BoardConfig.mk b/BoardConfig.mk
index e4734ddf..d3aa544c 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -215,6 +215,7 @@ TARGET_RELEASETOOLS_EXTENSIONS := $(PLATFORM_PATH)
# SELinux
include device/qcom/sepolicy/sepolicy.mk
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += $(PLATFORM_PATH)/sepolicy/public
BOARD_SEPOLICY_DIRS += $(PLATFORM_PATH)/sepolicy
# Shims
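Review bot: The added `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` line has no comment explaining why device-specific attributes must go into the platform's public policy rather than stay under `BOARD_SEPOLICY_DIRS`. The directory it adds holds `hal_attribute(ifaa)` and `hal_attribute(param)` (sepolicy/public/attributes in this commit), so the platform-side policy becomes specific to this device. I would add a line above it such as `# OnePlus HAL attributes (ifaa, param) referenced by platform_app rules`, and confirm the attributes cannot simply be declared in the vendor policy.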
diff --git a/sepolicy/dashd.te b/sepolicy/dashd.te
index 1a6f71a0..cf2e4faa 100644
--- a/sepolicy/dashd.te
+++ b/sepolicy/dashd.te
@@ -19,12 +19,14 @@ allow dashd {
sysfs_usb_supply
}:file rw_file_perms;
+allow dashd self:capability sys_resource;
+
###
### dashd: charger mode
###
#allow dashd sysfs:file { open read write ioctl };
allow dashd dash_device:chr_file { open read write ioctl };
-allow dashd rootfs:file { entrypoint read execute };
+allow dashd rootfs:file { entrypoint read execute getattr };
#allow ueventd sysfs:chr_file {create setattr};
allow sysfs tmpfs:filesystem associate;
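Review bot: The new `allow dashd self:capability sys_resource;` grants a capability with no comment saying which operation needs it. sys_resource allows a process to exceed resource limits and quotas, so from the hunk alone it is not possible to tell whether the charger daemon depends on it or whether a `dontaudit` would be enough. I would add a line above the rule such as `# dashd needs sys_resource for <operation from the AVC denial>`, with the actual denial filled in. The `allow dashd { ... }` block at the top of the hunk starts outside it.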
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
deleted file mode 100644
index 95e32db2..00000000
--- a/sepolicy/domain.te
+++ /dev/null
@@ -1,8 +0,0 @@
-set_prop({
- domain
-# Hitting neverallows but not accessing the prop, skip them
- -appdomain
- -ueventd
- -webview_zygote
- -hal_configstore_server
-}, diag_prop)
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 9b6c83ef..b81049cd 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,4 +1,3 @@
-type camera_socket, file_type, data_file_type, core_data_file_type;
type debugfs_rmt_storage, debugfs_type, fs_type;
type proc_touchpanel, fs_type, proc_type;
type sysfs_fpc, sysfs_type, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index e20778ec..fe5eeee5 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,5 +1,7 @@
+# Alipay
+/(vendor|system/vendor)/bin/hw/vendor\.oneplus\.hardware\.ifaa@2\.0-service u:object_r:hal_ifaa_default_exec:s0
+
# Camera
-/data/camera(/.*)? u:object_r:camera_socket:s0
/(vendor|system/vendor)/bin/remosaic_daemon u:object_r:remosaic_daemon_exec:s0
# Charger
@@ -21,9 +23,6 @@
/sys/devices/soc/soc:qcom,bcl/power_supply/bcl/type u:object_r:sysfs_batteryinfo:s0
/sys/devices/soc/msm-bcl-14/power_supply/fg_adc/type u:object_r:sysfs_batteryinfo:s0
-# IFAA
-/system/bin/ifaadaemon u:object_r:ifaadaemon_exec:s0
-
# LEDs
/sys/devices/soc/leds-qpnp-[0-9]+/leds(/.*)? u:object_r:sysfs_leds:s0
@@ -31,7 +30,11 @@
/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.oneplus3 u:object_r:hal_lineage_livedisplay_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.oneplus3 u:object_r:hal_lineage_touch_default_exec:s0
+# OTA
+/system/bin/move_time_data\.sh u:object_r:move-time-data-sh_exec:s0
+
# Ril
-/data/oemnvitems(/.*)? u:object_r:radio_data_file:s0
+/data/vendor/oemnvitems(/.*)? u:object_r:vendor_radio_data_file:s0
/dev/block/platform/soc/624000.ufshc/by-name/oem_dycnvbk u:object_r:modem_efs_partition_device:s0
/dev/block/platform/soc/624000.ufshc/by-name/oem_stanvbk u:object_r:modem_efs_partition_device:s0
+/(vendor|system/vendor)/bin/hw/vendor\.oneplus\.hardware\.param@1\.0-service u:object_r:hal_param_default_exec:s0
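Review bot: The `vendor.oneplus.hardware.param@1.0-service` entry is appended under the `# Ril` heading, after the modem partition lines, although it labels a HAL binary rather than radio data. The ifaa service added at the top of the file gets its own `# Alipay` heading, so I would move this entry up under a `# Param` heading of its own. Separately, the radio data pattern moves from `/data/oemnvitems` to `/data/vendor/oemnvitems`; nothing in this hunk shows existing files being migrated to the new path, so that is worth confirming in the init scripts.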
diff --git a/sepolicy/hal_bluetooth_qti.te b/sepolicy/hal_bluetooth_qti.te
new file mode 100644
index 00000000..00fc4ee1
--- /dev/null
+++ b/sepolicy/hal_bluetooth_qti.te
@@ -0,0 +1 @@
+r_dir_file(hal_bluetooth_qti, vendor_radio_data_file)
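Review bot: This new file is a single rule with no comment explaining why the Bluetooth HAL reads `vendor_radio_data_file`. `r_dir_file` grants read access to every file and directory of that type, which per the file_contexts change in this commit covers `/data/vendor/oemnvitems`. If only one file there is needed (presumably a provisioned value, though that is not visible on this page), a dedicated type for it would be narrower. At minimum I would add a comment like `# BT HAL reads <file> under /data/vendor/oemnvitems`.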
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
index 34e24444..078b2e5a 100644
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -1,13 +1,2 @@
-allow hal_camera_default camera_data_file:sock_file rw_file_perms;
allow hal_camera_default camera_data_file:dir search;
-allow hal_camera_default qdsp_device:chr_file r_file_perms;
-allow hal_camera_default system_server:unix_stream_socket rw_socket_perms;
-allow hal_camera_default sensorservice_service:service_manager find;
-allow hal_camera_default permission_service:service_manager find;
-allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-allow hal_camera_default hal_graphics_allocator_hwservice:hwservice_manager find;
-r_dir_file(hal_camera_default, adsprpcd_file);
-binder_call(hal_camera_default, servicemanager);
-binder_call(hal_camera_default, hal_configstore_default);
-binder_call(hal_camera_default, hal_graphics_allocator_default);
-binder_use(hal_camera_default);
+allow hal_camera_default camera_data_file:sock_file write;
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
index efd4f01a..097d5a67 100644
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
@@ -9,7 +9,4 @@ allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
-allow hal_fingerprint_default sysfs_leds:dir search;
allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
-r_dir_file(hal_fingerprint_default, proc_touchpanel)
-r_dir_file(hal_fingerprint_default, sysfs_graphics)
diff --git a/sepolicy/hal_ifaa.te b/sepolicy/hal_ifaa.te
new file mode 100644
index 00000000..f4f675d6
--- /dev/null
+++ b/sepolicy/hal_ifaa.te
@@ -0,0 +1,21 @@
+type hal_ifaa_default, domain;
+hal_server_domain(hal_ifaa_default, hal_ifaa)
+
+type hal_ifaa_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_ifaa_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_ifaa_client, hal_ifaa_server)
+
+# Add hwservice related rules
+add_hwservice(hal_ifaa_server, hal_ifaa_hwservice)
+allow hal_ifaa_client hal_ifaa_hwservice:hwservice_manager find;
+
+#Allow access to tee device
+allow hal_ifaa_server tee_device:chr_file rw_file_perms;
+
+#Allow access to ion device
+allow hal_ifaa_server ion_device:chr_file r_file_perms;
+
+#Allow access to firmware
+r_dir_file(hal_ifaa_server, firmware_file)
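Review bot: This file has no header saying what the IFAA HAL is or why it needs read/write on `tee_device`, which matters because sepolicy/platform_app.te in this commit makes every `platform_app` a client of it. The file_contexts entry labels the service under `# Alipay`, so a header such as `# IFAA (Alipay) HAL: talks to the TEE; keep hal_ifaa_client limited to platform_app` would record the intended client set. The access rules are written against the `hal_ifaa_server` attribute, so any domain later given `hal_server_domain(..., hal_ifaa)` would inherit the TEE, ion and firmware access as well.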
diff --git a/sepolicy/hal_nfc_default.te b/sepolicy/hal_nfc_default.te
index cc6459de..3044f1d5 100644
--- a/sepolicy/hal_nfc_default.te
+++ b/sepolicy/hal_nfc_default.te
@@ -1,6 +1,3 @@
-# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
-# hal_nfc no longer directly accesses /data owned by the nfc app.
-typeattribute hal_nfc_default data_between_core_and_vendor_violators;
# Data file accesses.
-allow hal_nfc_default nfc_data_file:dir create_dir_perms;
-allow hal_nfc_default nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
+allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/hal_param.te b/sepolicy/hal_param.te
new file mode 100644
index 00000000..970dc843
--- /dev/null
+++ b/sepolicy/hal_param.te
@@ -0,0 +1,12 @@
+type hal_param_default, domain;
+hal_server_domain(hal_param_default, hal_param)
+
+type hal_param_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_param_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_param_client, hal_param_server)
+
+# Add hwservice related rules
+add_hwservice(hal_param_server, hal_param_hwservice)
+allow hal_param_client hal_param_hwservice:hwservice_manager find;
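Review bot: Nothing in this commit places a domain into `hal_param_client`, so the `binder_call` and `hwservice_manager find` rules here currently apply to no caller; sepolicy/platform_app.te only adds `hal_client_domain(platform_app, hal_ifaa)`. If a client is declared in another policy directory this is fine. Otherwise whichever process talks to the param service will be denied, and it should be named with a `hal_client_domain(<client_domain>, hal_param)` line. A one-line header saying what the param HAL provides would also help, since the server domain has no resource rules beyond the boilerplate.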
diff --git a/sepolicy/hal_perf_default.te b/sepolicy/hal_perf_default.te
index 2621261c..2067368d 100644
--- a/sepolicy/hal_perf_default.te
+++ b/sepolicy/hal_perf_default.te
@@ -1,3 +1,2 @@
-allow hal_perf_default hal_camera_default:process signull;
-allow hal_perf_default hal_graphics_composer_default:process signull;
-allow hal_perf_default self:capability kill;
+dontaudit hal_perf_default self:capability dac_override;
+set_prop(hal_perf_default, vendor_mpctl_prop)
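Review bot: `dontaudit hal_perf_default self:capability dac_override;` silences the denial without recording why it is safe to ignore. A dac_override denial usually means the daemon is touching a file its UID/GID cannot access, which is often better fixed through file ownership or mode, and the suppression hides that from later audits. I would add a comment above the rule, e.g. `# perf HAL probes files it does not own; access is not required`, once that has been confirmed on the device.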
diff --git a/sepolicy/hwservice.te b/sepolicy/hwservice.te
new file mode 100644
index 00000000..1b5b2802
--- /dev/null
+++ b/sepolicy/hwservice.te
@@ -0,0 +1,2 @@
+type hal_ifaa_hwservice, hwservice_manager_type;
+type hal_param_hwservice, hwservice_manager_type;
diff --git a/sepolicy/hwservice_contexts b/sepolicy/hwservice_contexts
new file mode 100644
index 00000000..094ba336
--- /dev/null
+++ b/sepolicy/hwservice_contexts
@@ -0,0 +1,3 @@
+vendor.oneplus.fingerprint.extension::IVendorFingerprintExtensions u:object_r:hal_fingerprint_hwservice:s0
+vendor.oneplus.hardware.ifaa::IOneplusIfaa u:object_r:hal_ifaa_hwservice:s0
+vendor.oneplus.hardware.param::IOneplusParam u:object_r:hal_param_hwservice:s0
diff --git a/sepolicy/ifaadaemon.te b/sepolicy/ifaadaemon.te
deleted file mode 100644
index b78dc39e..00000000
--- a/sepolicy/ifaadaemon.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type ifaadaemon, domain;
-type ifaadaemon_exec, exec_type, vendor_file_type, file_type;
-
-#Allow for transition from init domain to ifaadaemon
-init_daemon_domain(ifaadaemon)
-
-#Allow ifaadaemon to use Binder IPC
-binder_use(ifaadaemon)
-
-#Allow IFAAService to interact with ifaadaemon
-allow platform_app ifaadaemon_service:service_manager find;
-binder_call(platform_app, ifaadaemon)
-
-#Allow ifaadaemon to be registered with service manager
-allow ifaadaemon ifaadaemon_service:service_manager add;
-
-#Allow access to tee device
-allow ifaadaemon tee_device:chr_file rw_file_perms;
-
-#Allow access to ion device
-allow ifaadaemon ion_device:chr_file r_file_perms;
-
-#Allow access to firmware
-r_dir_file(ifaadaemon, firmware_file)
diff --git a/sepolicy/init.te b/sepolicy/init.te
deleted file mode 100644
index 703b8cd4..00000000
--- a/sepolicy/init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow init proc_touchpanel:file rw_file_perms;
-allow init sysfs_leds:lnk_file r_file_perms;
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index c19cbd42..d9b2af35 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -1,11 +1,3 @@
allow mm-qcamerad camera_data_file:sock_file { create unlink };
allow mm-qcamerad camera_data_file:dir rw_dir_perms;
-
-allow mm-qcamerad camera_socket:sock_file { create unlink };
-allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
-allow mm-qcamerad sysfs_graphics:file r_file_perms;
-
-allow mm-qcamerad permission_service:service_manager find;
-allow mm-qcamerad sensorservice_service:service_manager find;
-binder_call(mm-qcamerad, servicemanager);
-binder_use(mm-qcamerad);
+set_prop(mm-qcamerad, vendor_default_prop)
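Review bot: `set_prop(mm-qcamerad, vendor_default_prop)` lets the camera daemon write every vendor property that has no dedicated label, not only the one it needs; the same grant is added for rild in sepolicy/rild.te. `vendor_default_prop` is the fallback type for otherwise unlabelled vendor properties, so this is a broad write permission for two daemons that process external input. A tighter form would label the specific keys in property_contexts with a dedicated type and grant `set_prop` on that type. The property names are not visible in this commit, so they would have to be taken from the denials.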
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
deleted file mode 100644
index 6b36af42..00000000
--- a/sepolicy/netmgrd.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(netmgrd, vendor_xlat_prop)
diff --git a/sepolicy/ota.te b/sepolicy/ota.te
new file mode 100644
index 00000000..6d66f76d
--- /dev/null
+++ b/sepolicy/ota.te
@@ -0,0 +1,36 @@
+##Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted (subject to the limitations in the
+#disclaimer below) provided that the following conditions are met:
+#
+#* Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+#* Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+#
+#* Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+#NO EXPRESS OR IMPLIED LICENSES TO ANY PARTY'S PATENT RIGHTS ARE
+#GRANTED BY THIS LICENSE. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT
+#HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+#IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+#ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+#DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+#GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+#INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+#IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+#OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+
+# move-time-data-sh for time-service
+coredata_datavendor_migration(move-time-data-sh, time_data_file, vendor_time_data_file);
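Review bot: The `coredata_datavendor_migration(...)` call ends with a `;`, unlike the other macro invocations this commit adds (for example `r_dir_file(hal_bluetooth_qti, vendor_radio_data_file)`); I would drop it for consistency. The macro and the `move-time-data-sh` types are not defined anywhere in this commit, so they presumably come from the included device/qcom/sepolicy. A one-line comment saying so would help, e.g. `# macro and move-time-data-sh types come from device/qcom/sepolicy`, given that the rule involves the core `time_data_file` type.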
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 00000000..b2f4e044
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1 @@
+hal_client_domain(platform_app, hal_ifaa)
diff --git a/sepolicy/property.te b/sepolicy/property.te
deleted file mode 100644
index 85dcb787..00000000
--- a/sepolicy/property.te
+++ /dev/null
@@ -1 +0,0 @@
-type diag_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
deleted file mode 100644
index 9954b4a9..00000000
--- a/sepolicy/property_contexts
+++ /dev/null
@@ -1,16 +0,0 @@
-# Camera
-persist.vendor.camera. u:object_r:camera_prop:s0
-
-# Diag
-persist.sys.diag.max.size u:object_r:diag_prop:s0
-
-# Perf
-ro.min_freq_0 u:object_r:freq_prop:s0
-ro.min_freq_4 u:object_r:freq_prop:s0
-
-# Radio
-oem.device.imeicache u:object_r:radio_prop:s0
-persist.net.doxlat u:object_r:vendor_xlat_prop:s0
-
-# TEE
-sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
diff --git a/sepolicy/public/attributes b/sepolicy/public/attributes
new file mode 100644
index 00000000..60e53bdd
--- /dev/null
+++ b/sepolicy/public/attributes
@@ -0,0 +1,3 @@
+# HALs
+hal_attribute(ifaa)
+hal_attribute(param)
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
deleted file mode 100644
index a78a8ba6..00000000
--- a/sepolicy/qti_init_shell.te
+++ /dev/null
@@ -1 +0,0 @@
-allow qti_init_shell sysfs:file write;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 7a03904e..bfcca7a9 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,12 +1,4 @@
# qcril.so needs access to /vendor/radio/qcril_database/qcril.db
allow rild vendor_file:file ioctl;
-# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
-# rild no longer directly accesses the radio app's data type.
-typeattribute rild data_between_core_and_vendor_violators;
-# allow rild to access radio data file
-allow rild radio_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file create_file_perms;
-
-allow rild shell_exec:file rx_file_perms;
-allow rild toolbox_exec:file rx_file_perms;
+set_prop(rild, vendor_default_prop)
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
deleted file mode 100644
index fce7ae7f..00000000
--- a/sepolicy/rmt_storage.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow rmt_storage debugfs_rmt_storage:dir search;
-allow rmt_storage debugfs_rmt_storage:file w_file_perms;
diff --git a/sepolicy/service.te b/sepolicy/service.te
index 6ad2cff7..936475e7 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -1,2 +1 @@
-type ifaadaemon_service, service_manager_type;
type remosaic_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 8e490079..6d95323a 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1,2 +1 @@
-ifaadaemon u:object_r:ifaadaemon_service:s0
android.samsung.IRemosaicDaemon u:object_r:remosaic_service:s0
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 859b6aa2..241f8851 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -3,6 +3,3 @@ allow system_app proc_touchpanel:file rw_file_perms;
allow system_app sysfs_fpc:dir search;
allow system_app sysfs_fpc:file rw_file_perms;
-
-binder_call(system_app, ifaadaemon)
-binder_call(system_app, remosaic_daemon)
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 1b19c9f2..c86acf75 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,4 +1,2 @@
-get_prop(system_server, vendor_camera_prop)
-
# OTA with encrypted f2fs
allow system_server ota_package_file:dir getattr;
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
index f7fdfea5..3ceb9d77 100644
--- a/sepolicy/vendor_init.te
+++ b/sepolicy/vendor_init.te
@@ -1,13 +1,8 @@
allow vendor_init {
camera_data_file
fingerprintd_data_file
- media_rw_data_file
- nfc_data_file
- radio_data_file
system_data_file
tombstone_data_file
- wifi_data_file
- wpa_socket
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init proc_touchpanel:file write;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
deleted file mode 100644
index 7ca15f4c..00000000
--- a/sepolicy/vold.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vold mnt_vendor_file:dir r_dir_perms;
diff --git a/sepolicy/webview_zygote.te b/sepolicy/webview_zygote.te
deleted file mode 100644
index aa8f675c..00000000
--- a/sepolicy/webview_zygote.te
+++ /dev/null
@@ -1 +0,0 @@
-allow webview_zygote zygote:unix_dgram_socket write;