authorChihYao Chien <ccchien@google.com>2021-02-04 17:08:22 +0800
committerChihYao Chien <ccchien@google.com>2021-05-21 06:50:41 +0000
commit71e21da3854ac97a21aa3b14957d560a66662d46 (patch)
treef618ed5b5a8bc488c89b30620e426c34b2fb3359 /vendor
parent5101245f08ca608a162b1b71735c18ce2fe28b2c (diff)
Sync sepolicy from qcom-au091 for keymaster daemon
init: Could not start service 'keymaster-4-1' as part of class 'early_hal': File /vendor/bin/hw/android.hardware.keymaster@4.1-service-qti(labeled "u:object_r:vendor_file:s0") has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined. reference to qcom/lito/platform/vendor/qcom/sepolicy_vndr:fefbf6b185221bb37b24ae8eea74862a97389650 cherry-pick from 6903a0fa10f95bec2d05608a20b2d6164177846d Bug: 185598142 Bug: 178358917 Change-Id: I77c6a6cda6b2772d4ff81a3bb6a0fc819cc47f49
Diffstat (limited to 'vendor')
-rw-r--r--vendor/qcom/common/file_contexts2
-rw-r--r--vendor/qcom/common/init-qti-keymaster-sh.te38
-rw-r--r--vendor/qcom/common/property.te2
-rw-r--r--vendor/qcom/common/property_contexts3
4 files changed, 45 insertions, 0 deletions
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 816596d..0e99310 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -67,6 +67,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/init\.qti\.keymaster\.sh u:object_r:init-qti-keymaster-sh_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0
/(vendor|system/vendor)/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0
diff --git a/vendor/qcom/common/init-qti-keymaster-sh.te b/vendor/qcom/common/init-qti-keymaster-sh.te
new file mode 100644
index 0000000..bb974c2
--- /dev/null
+++ b/vendor/qcom/common/init-qti-keymaster-sh.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-keymaster-sh, domain;
+type init-qti-keymaster-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qti-keymaster-sh)
+
+# Set vendor.keymaster.strongbox.version to 40 or 41
+set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);
+set_prop(init-qti-keymaster-sh, vendor_disable_spu_prop)
+
+allow init-qti-keymaster-sh vendor_shell_exec:file rx_file_perms;
+allow init-qti-keymaster-sh vendor_toolbox_exec:file rx_file_perms;
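Review bot: The new domain is granted `set_prop(init-qti-keymaster-sh, vendor_disable_spu_prop)` but nothing in this commit binds a property name to vendor_disable_spu_prop: the property_contexts hunk below maps only vendor.keymaster.strongbox.version (to vendor_km_strongbox_version_prop), and property.te only declares the type. Unless that mapping already exists outside this diff, the grant cannot be exercised, and the comment above it (`# Set vendor.keymaster.strongbox.version to 40 or 41`) does not cover it; either add the property_contexts entry in the same change or add a comment naming the property the script sets through this type. The trailing `;` on the first set_prop line is inconsistent with the second set_prop and with init_daemon_domain in the same file; whether checkpolicy tolerates the resulting empty statement after macro expansion is worth confirming, so drop it. A short header comment would also help a reader who does not open the script, e.g. `# Domain for /vendor/bin/init.qti.keymaster.sh, started by init; it publishes the keymaster StrongBox version via vendor.keymaster.strongbox.version`.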
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index 5f08525..fb6f433 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
@@ -60,4 +60,6 @@ vendor_internal_prop(ctl_vendor_rmt_storage_prop)
vendor_internal_prop(vendor_wifi_version)
vendor_internal_prop(vendor_cnss_diag_prop)
vendor_internal_prop(vendor_modem_diag_prop)
+vendor_internal_prop(vendor_disable_spu_prop)
vendor_restricted_prop(vendor_hvdcp_opti_prop)
+vendor_restricted_prop(vendor_km_strongbox_version_prop)
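Review bot: vendor_km_strongbox_version_prop is declared with vendor_restricted_prop while vendor_disable_spu_prop two lines above is vendor_internal_prop, and nothing records why the StrongBox version needs to be readable outside the vendor partition. If a system-side component selects the StrongBox HAL version from it, a comment saying so keeps the wider exposure from being tightened later by mistake; if nothing outside vendor reads it, vendor_internal_prop is the narrower choice. Suggest `# Readable by system: <CONSUMER> selects the StrongBox keymaster version from it` once the consumer is confirmed.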
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index 9ce9ac9..eebfb81 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -86,3 +86,6 @@ persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0
persist.vendor.data.perf_ko_load u:object_r:vendor_radio_prop:s0
persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0
persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0
+
+#keymaster strongbox service
+vendor.keymaster.strongbox.version u:object_r:vendor_km_strongbox_version_prop:s0