-rw-r--r--coral-sepolicy.mk1
-rw-r--r--vendor/google/citadeld.te4
-rw-r--r--vendor/google/device.te3
-rw-r--r--vendor/google/file_contexts19
-rw-r--r--vendor/google/hal_authsecret_citadel.te4
-rw-r--r--vendor/google/hal_keymaster_citadel.te4
-rw-r--r--vendor/google/hal_oemlock_citadel.te4
-rw-r--r--vendor/google/hal_weaver_citadel.te4
-rw-r--r--vendor/google/init-firstboot.te4
-rw-r--r--vendor/google/init-insmod-sh.te4
-rw-r--r--vendor/google/init_citadel.te4
-rw-r--r--vendor/google/ramoops.te4
-rw-r--r--vendor/google/wait_for_strongbox.te5
13 files changed, 64 insertions, 0 deletions
diff --git a/coral-sepolicy.mk b/coral-sepolicy.mk
index 52f7310..4532090 100644
--- a/coral-sepolicy.mk
+++ b/coral-sepolicy.mk
@@ -2,5 +2,6 @@ BOARD_PLAT_PUBLIC_SEPOLICY_DIR := device/google/coral-sepolicy/public
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := device/google/coral-sepolicy/private
# vendors
+BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/google
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/common
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/sm8150
diff --git a/vendor/google/citadeld.te b/vendor/google/citadeld.te
new file mode 100644
index 0000000..bd8e4e3
--- /dev/null
+++ b/vendor/google/citadeld.te
@@ -0,0 +1,4 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(citadeld)
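Review bot: `citadeld` gets an init transition but no allow rules, so nothing here lets it open the `citadel_device` node that device.te and file_contexts label. The same bare pattern repeats in hal_authsecret_citadel.te, hal_keymaster_citadel.te, hal_oemlock_citadel.te, hal_weaver_citadel.te, init_citadel.te and wait_for_strongbox.te. If this is intentional scaffolding, add a header comment such as `# Skeleton domain: access rules are added in a follow-up change.` so the empty domain is not read as the finished policy. When the rules land, grant the device narrowly (for example `allow citadeld citadel_device:chr_file rw_file_perms;`) rather than covering the gap with a `permissive` declaration, since these domains front the keymaster, weaver, OEM-lock and authsecret HALs.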
diff --git a/vendor/google/device.te b/vendor/google/device.te
new file mode 100644
index 0000000..d4bb97a
--- /dev/null
+++ b/vendor/google/device.te
@@ -0,0 +1,3 @@
+type citadel_device, dev_type;
+type ramoops_device, dev_type;
+type maxfg_device, dev_type; \ No newline at end of file
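Review bot: The last line of device.te, `type maxfg_device, dev_type;`, has no terminating newline. Policy sources from the BOARD_SEPOLICY_DIRS directories are combined before compilation, so depending on how the build joins files this declaration may run into the first line of the next file and either fail to parse or be read as something unintended. End the file with a newline.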
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
new file mode 100644
index 0000000..66b0d42
--- /dev/null
+++ b/vendor/google/file_contexts
@@ -0,0 +1,19 @@
+# dev nodes
+/dev/citadel0 u:object_r:citadel_device:s0
+/dev/access-metadata u:object_r:ramoops_device:s0
+/dev/access-ramoops u:object_r:ramoops_device:s0
+/dev/maxfg_history u:object_r:maxfg_device:s0
+
+/vendor/bin/hw/android\.hardware\.authsecret@1\.0-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.oemlock@1\.0-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
+/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
+/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.0-service-disabled u:object_r:hal_secure_element_default_exec:s0
+/vendor/bin/hw/android\.hardware\.power@1\.3-service\.crosshatch-libperfmgr u:object_r:hal_power_default_exec:s0
+/vendor/bin/init\.firstboot\.sh u:object_r:init-firstboot_exec:s0
+/vendor/bin/ramoops u:object_r:ramoops_exec:s0
+/vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0
+/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
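Review bot: Two entries put device-specific binaries into generic platform domains: `android\.hardware\.secure_element@1\.0-service-disabled` is labelled `hal_secure_element_default_exec` and `android\.hardware\.power@1\.3-service\.crosshatch-libperfmgr` is labelled `hal_power_default_exec`. Neither type is declared in this commit, so the labels depend on policy defined elsewhere, and any device-specific access these services later need would presumably be added to the shared default domains. A short comment above each, e.g. `# reuses the platform default HAL domain; no device-specific type`, would record that this is deliberate. The block of executables also has no heading to match `# dev nodes`; `# vendor executables` would do.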
diff --git a/vendor/google/hal_authsecret_citadel.te b/vendor/google/hal_authsecret_citadel.te
new file mode 100644
index 0000000..f8658b8
--- /dev/null
+++ b/vendor/google/hal_authsecret_citadel.te
@@ -0,0 +1,4 @@
+type hal_authsecret_citadel, domain;
+type hal_authsecret_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_authsecret_citadel)
diff --git a/vendor/google/hal_keymaster_citadel.te b/vendor/google/hal_keymaster_citadel.te
new file mode 100644
index 0000000..0a18d52
--- /dev/null
+++ b/vendor/google/hal_keymaster_citadel.te
@@ -0,0 +1,4 @@
+type hal_keymaster_citadel, domain;
+type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_keymaster_citadel)
diff --git a/vendor/google/hal_oemlock_citadel.te b/vendor/google/hal_oemlock_citadel.te
new file mode 100644
index 0000000..4b6273b
--- /dev/null
+++ b/vendor/google/hal_oemlock_citadel.te
@@ -0,0 +1,4 @@
+type hal_oemlock_citadel, domain;
+type hal_oemlock_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_oemlock_citadel)
diff --git a/vendor/google/hal_weaver_citadel.te b/vendor/google/hal_weaver_citadel.te
new file mode 100644
index 0000000..5cd1c6a
--- /dev/null
+++ b/vendor/google/hal_weaver_citadel.te
@@ -0,0 +1,4 @@
+type hal_weaver_citadel, domain;
+type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_weaver_citadel)
diff --git a/vendor/google/init-firstboot.te b/vendor/google/init-firstboot.te
new file mode 100644
index 0000000..a7d5085
--- /dev/null
+++ b/vendor/google/init-firstboot.te
@@ -0,0 +1,4 @@
+type init-firstboot, domain;
+type init-firstboot_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-firstboot)
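Review bot: The type names `init-firstboot` and `init-firstboot_exec` use hyphens, as do `init-insmod-sh` and `init-insmod-sh_exec` in init-insmod-sh.te and the matching file_contexts entries, while every other type in this commit uses underscores (`init_citadel`, `wait_for_strongbox`). Because `-` is also the set-subtraction operator in policy rules, a later expression like `{ domain -init-firstboot }` is hard to read and easy to get wrong in a neverallow. Consider `type init_firstboot, domain;` and `type init_firstboot_exec, exec_type, vendor_file_type, file_type;`, with the file_contexts labels updated to match; the script paths themselves can keep their names.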
diff --git a/vendor/google/init-insmod-sh.te b/vendor/google/init-insmod-sh.te
new file mode 100644
index 0000000..ee26bfa
--- /dev/null
+++ b/vendor/google/init-insmod-sh.te
@@ -0,0 +1,4 @@
+type init-insmod-sh, domain;
+type init-insmod-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-insmod-sh)
diff --git a/vendor/google/init_citadel.te b/vendor/google/init_citadel.te
new file mode 100644
index 0000000..2c8246b
--- /dev/null
+++ b/vendor/google/init_citadel.te
@@ -0,0 +1,4 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_citadel)
diff --git a/vendor/google/ramoops.te b/vendor/google/ramoops.te
new file mode 100644
index 0000000..1085067
--- /dev/null
+++ b/vendor/google/ramoops.te
@@ -0,0 +1,4 @@
+type ramoops, domain;
+type ramoops_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ramoops);
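Review bot: `init_daemon_domain(ramoops);` carries a trailing semicolon that none of the other eleven macro invocations in this commit have. The macro already expands to complete statements, so the extra `;` is at best an empty statement; drop it and write `init_daemon_domain(ramoops)` for consistency. Like the other new domains, this file grants `ramoops` no access to `ramoops_device`, which is presumably left to a follow-up.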
diff --git a/vendor/google/wait_for_strongbox.te b/vendor/google/wait_for_strongbox.te
new file mode 100644
index 0000000..11e1c45
--- /dev/null
+++ b/vendor/google/wait_for_strongbox.te
@@ -0,0 +1,5 @@
+# wait_for_strongbox service
+type wait_for_strongbox, domain;
+type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wait_for_strongbox)