beckham: Add mods sepolicy to device tree

* Moved from sdm660-common * Kanged from Nash: Seperate mods sepolicy from device Change-Id: I30a347a32d471b50631eea3e4fe0b71b869f896e Signed-off-by: Joshua Blanchard <joshua.lee.bbg@gmail.com>

beckham: Add mods sepolicy to device tree
780db147 · Erfan Abdi · Joshua Blanchard · 970d64b6 · 780db147 · 780db147
Unverified Commit 780db147 authored 5 years ago by Erfan Abdi Committed by Joshua Blanchard 4 years ago
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -43,5 +43,9 @@ TARGET_HAS_NO_WLAN_STATS := true
 # RIL
 ENABLE_VENDOR_RIL_SERVICE := false
+# SELinux
+BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy-mods/vendor
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(DEVICE_PATH)/sepolicy-mods/private
 # inherit from the proprietary version
 -include vendor/motorola/beckham/BoardConfigVendor.mk
--- a/sepolicy-mods/private/cameraserver.te
+++ b/sepolicy-mods/private/cameraserver.te
+allow cameraserver mods_service:service_manager find;
--- a/sepolicy-mods/private/platform_app.te
+++ b/sepolicy-mods/private/platform_app.te
+allow platform_app mods_service:service_manager find;
+allow platform_app mods_service:service_manager add;
--- a/sepolicy-mods/private/service.te
+++ b/sepolicy-mods/private/service.te
+type mods_service,                 service_manager_type;
+type mot_app_service,              service_manager_type;
+type mot_panel_service,            service_manager_type;
+type mot_system_service,           service_manager_type;
--- a/sepolicy-mods/private/service_contexts
+++ b/sepolicy-mods/private/service_contexts
+ModService                           u:object_r:mods_service:s0
--- a/sepolicy-mods/vendor/device.te
+++ b/sepolicy-mods/vendor/device.te
+type greybus_raw_device, dev_type, mlstrustedobject;
+type mods_camd_device, dev_type, mlstrustedobject;
--- a/sepolicy-mods/vendor/file.te
+++ b/sepolicy-mods/vendor/file.te
+# Greybus
+type sysfs_greybus, fs_type, sysfs_type, mlstrustedobject;
+type gbfirmware_file, file_type, core_data_file_type, data_file_type, mlstrustedobject;
+type sysfs_mods_camd, fs_type, sysfs_type, mlstrustedobject;
--- a/sepolicy-mods/vendor/file_contexts
+++ b/sepolicy-mods/vendor/file_contexts
+/(vendor|system/vendor)/bin/init\.gbmods\.sh                u:object_r:init-gbmods-sh_exec:s0
+/(vendor|system/vendor)/bin/mods_camd                       u:object_r:mods_exec:s0
+# Greybus (Mods)
+/data/gbfirmware(/.*)?                                      u:object_r:gbfirmware_file:s0
+/dev/gbraw[0-9]*                                            u:object_r:greybus_raw_device:s0
+/sys/bus/greybus(/.*)?                                      u:object_r:sysfs_greybus:s0
+/sys/class/i2c-adapter/i2c-7/7-002d/enable                  u:object_r:sysfs_greybus:s0
+/sys/devices/virtual/video4linux                            u:object_r:sysfs_greybus:s0
+/sys/module/uvcvideo/parameters/quirks                      u:object_r:sysfs_greybus:s0
+/dev/mot_camera_ext[0-9]*                                         u:object_r:mods_camd_device:s0
+/sys/devices/soc/(.+)hsusb(.+)/uevent                             u:object_r:sysfs_mods_camd:s0
+/sys/devices/soc/(.+)ssusb/power_supply/usb/type                  u:object_r:sysfs_mods_camd:s0
+/sys/devices/soc/(.+)ssusb/power_supply/usb/online                u:object_r:sysfs_mods_camd:s0
+/sys/devices/soc/(.+)fd/video4linux/video([0-9])+/name            u:object_r:sysfs_mods_camd:s0
+/sys/devices/soc/(.+)msm-cam/video4linux/video([0-9])+/name       u:object_r:sysfs_mods_camd:s0
+/sys/devices/soc/(.+)cci/(.+)/video4linux/video([0-9])+/name      u:object_r:sysfs_mods_camd:s0
+/sys/devices/soc/(.+)hsusb(.+)/video4linux/video([0-9])+/name     u:object_r:sysfs_mods_camd:s0
+/sys/module/usb3813_hub/parameters/ignore_typec                   u:object_r:sysfs_mods_camd:s0
+/dev/v4l-subdev[0-9]*	                                          u:object_r:video_device:s0
+/sys/devices/virtual/video4linux/mot_camera_ext([0-9])+/name		u:object_r:sysfs_mods_camd:s0
+/sys/devices/virtual/video4linux/mot_camera_ext([0-9])+/uevent		u:object_r:sysfs_mods_camd:s0
+/sys/devices/virtual/video4linux/mot_camera_ext([0-9])+/open_mode	u:object_r:sysfs_mods_camd:s0
+/sys/devices/virtual/video4linux/video([0-9])+/name			u:object_r:sysfs_mods_camd:s0
+/sys/devices/virtual/video4linux/video([0-9])+/uevent			u:object_r:sysfs_mods_camd:s0
+/sys/devices/virtual/video4linux/video([0-9])+/open_mode		u:object_r:sysfs_mods_camd:s0
--- a/sepolicy-mods/vendor/genfs_contexts
+++ b/sepolicy-mods/vendor/genfs_contexts
+genfscon sysfs /devices/platform/mods_ap                 u:object_r:sysfs_greybus:s0
+genfscon sysfs /devices/soc/0.apba_ctrl                  u:object_r:sysfs_greybus:s0
+genfscon sysfs /devices/soc/0.muc                        u:object_r:sysfs_greybus:s0
+genfscon sysfs /devices/soc/soc:muc_svc@0                u:object_r:sysfs_greybus:s0
+genfscon sysfs /devices/soc/soc:muc                      u:object_r:sysfs_greybus:s0
+genfscon sysfs /devices/platform/mods_codec.0            u:object_r:sysfs_greybus:s0
+genfscon sysfs /devices/virtual/hwmon/hwmon41/subsystem  u:object_r:sysfs_greybus:s0
+genfscon sysfs /class/vendor/mod0                        u:object_r:sysfs_greybus:s0
+genfscon sysfs /class/power_supply/gb_ptp                u:object_r:sysfs_greybus:s0
+genfscon sysfs /module/qpnp_smbcharger_mmi               u:object_r:sysfs_greybus:s0
--- a/sepolicy-mods/vendor/hal_audio_default.te
+++ b/sepolicy-mods/vendor/hal_audio_default.te
+allow hal_audio_default sysfs_greybus:dir { search };
+allow hal_audio_default sysfs_greybus:file { getattr open read };
--- a/sepolicy-mods/vendor/hal_health_default.te
+++ b/sepolicy-mods/vendor/hal_health_default.te
+allow hal_health_default sysfs_greybus:dir r_dir_perms;
+allow hal_health_default sysfs_greybus:file rw_file_perms;
--- a/sepolicy-mods/vendor/healthd.te
+++ b/sepolicy-mods/vendor/healthd.te
+allow healthd sysfs_greybus:dir r_dir_perms;
+allow healthd sysfs_greybus:file rw_file_perms;
+allow healthd sysfs_mods_camd:dir r_dir_perms;
+allow healthd sysfs_mods_camd:file rw_file_perms;
--- a/sepolicy-mods/vendor/init_gbmods.te
+++ b/sepolicy-mods/vendor/init_gbmods.te
+type init-gbmods-sh, domain;
+type init-gbmods-sh_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(init-gbmods-sh)
+allow init-gbmods-sh vendor_shell_exec:file rx_file_perms;
+allow init-gbmods-sh vendor_toolbox_exec:file rx_file_perms;
+# execute grep
+allow init-gbmods-sh vendor_file:file rx_file_perms;
+# Allow insmod
+allow init-gbmods-sh self:capability sys_module;
+allow init-gbmods-sh vendor_file:system module_load;
+set_prop(init-gbmods-sh, ctl_default_prop)
--- a/sepolicy-mods/vendor/mods.te
+++ b/sepolicy-mods/vendor/mods.te
+type mods, domain;
+type mods_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mods)
+allow mods video_device:{ chr_file file } rw_file_perms;
+allow mods self:netlink_kobject_uevent_socket { bind create read setopt };
+allow mods sysfs_graphics:file rw_file_perms;
+allow mods ion_device:chr_file { open read };
+allow mods sysfs_graphics:dir search;
+allow mods sysfs_mods_camd:file r_file_perms;
+allow mods sysfs_greybus:dir r_dir_perms;
+allow mods sysfs_greybus:file rw_file_perms;
--- a/sepolicy-mods/vendor/mods_camd.te
+++ b/sepolicy-mods/vendor/mods_camd.te
+type mods_camd, domain;
+type mods_camd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mods_camd)
+allow mods_camd ion_device:chr_file rw_file_perms;
+allow mods_camd video_device:chr_file rw_file_perms;
+allow mods_camd self:netlink_kobject_uevent_socket { bind create read setopt };
+allow mods_camd sysfs_mods_camd:file rw_file_perms;
+allow mods_camd sysfs_mods_camd:dir r_dir_perms;
+allow mods_camd sysfs:file { getattr read write };
+allow mods_camd sysfs:file { getattr open read write };
+allow mods_camd mods_camd_device:chr_file {getattr ioctl open read write };
+allow mods_camd sysfs_greybus:file rw_file_perms;
+allow mods_camd sysfs_greybus:dir r_dir_perms;
+allow mods_camd cameraserver:fd use;
+allow mods_camd gpu_device:chr_file { ioctl open read write };
+allow mods_camd init:unix_stream_socket connectto;
+allow mods_camd property_socket:sock_file write;
+allow mods_camd surfaceflinger:fd use;
+allow mods_camd camera_prop:property_service set;
--- a/sepolicy-mods/vendor/platform_app.te
+++ b/sepolicy-mods/vendor/platform_app.te
+allow platform_app sysfs_vibrator:file rw_file_perms;
+allow platform_app sysfs_usb_supply:dir search;
+allow platform_app sysfs_vibrator:dir { search r_dir_perms };
+allow platform_app default_android_service:service_manager find;
+allow platform_app greybus_raw_device:chr_file rw_file_perms;
+allow platform_app greybus_raw_device:dir rw_dir_perms;
+allow platform_app input_device:chr_file getattr;
+allow platform_app input_device:dir search;
+allow platform_app self:netlink_kobject_uevent_socket { bind create read setopt };
+allow platform_app sysfs_greybus:dir r_dir_perms;
+allow platform_app sysfs_greybus:file rw_file_perms;
+allow platform_app sysfs_greybus:lnk_file r_file_perms;
+allow platform_app sysfs_mods_camd:file rw_file_perms;
+allow platform_app sysfs_mods_camd:dir r_dir_perms;
+allow platform_app gbfirmware_file:dir create_dir_perms;
+allow platform_app gbfirmware_file:file create_file_perms;