authorJohn Stultz <john.stultz@linaro.org>2018-04-27 17:09:43 -0700
committerAlistair Strachan <astrachan@google.com>2018-06-16 01:17:48 -0700
commit80a83174862b1d33367d9b234d68a00d1a3689bd (patch)
treed272d5ca67f337ee64e09ca0b5461e68c366993e
parentcb824d474071d3823b8dc25c950cf9f37b2e9da4 (diff)
downloadhikey-80a83174862b1d33367d9b234d68a00d1a3689bd.tar.gz
Add sepolicy bits needed for Treble
Credit for this patch goes to Vishal Bhoj <vishal.bhoj@linaro.org> who basically was the original author and magician who got things working. I've only refactored and split up his changes to help with the submissions. Change-Id: Ie621f199ef3cdf53c3005b345a040d641060cc24 Signed-off-by: John Stultz <john.stultz@linaro.org>
-rw-r--r--sepolicy/file_contexts4
-rw-r--r--sepolicy/hal_graphics_allocator_default.te2
-rw-r--r--sepolicy/hal_graphics_composer_default.te2
-rw-r--r--sepolicy/init.te3
-rw-r--r--sepolicy/surfaceflinger.te1
-rw-r--r--sepolicy/system_server.te5
-rw-r--r--sepolicy/vendor_init.te4
-rw-r--r--ueventd.common.rc2
8 files changed, 18 insertions, 5 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index d9658d3f..a356e0b0 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -14,12 +14,16 @@
/dev/hi_vdec u:object_r:video_device:s0
/dev/hi_venc u:object_r:video_device:s0
+/dev/graphics/fb0 u:object_r:graphics_device:s0
# files in /vendor
/(vendor|system/vendor)/bin/uim u:object_r:hci_attach_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.hikey u:object_r:hal_bluetooth_hikey_exec:s0
/(vendor|system/vendor)/bin/nanoapp_cmd u:object_r:nanoapp_cmd_exec:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.hikey960\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.hikey\.so u:object_r:same_process_hal_file:s0
+
# /data
/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
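Review bot: The new `/dev/graphics/fb0` entry looks redundant, because the platform file_contexts normally already labels everything under `/dev/graphics` as `graphics_device`; confirm against the platform policy this device builds with and drop the line if so, since a device-level duplicate can mask later platform changes. The two gralloc entries differ only in the board name and could be a single pattern, `/(vendor|system/vendor)/lib(64)?/hw/gralloc\.hikey(960)?\.so u:object_r:same_process_hal_file:s0`. A short comment above them noting that `same_process_hal_file` libraries are loaded into client processes would explain why that label was chosen.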
diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..b17dc7d4
--- /dev/null
+++ b/sepolicy/hal_graphics_allocator_default.te
@@ -0,0 +1,2 @@
+allow hal_graphics_allocator_default graphics_device:dir search;
+allow hal_graphics_allocator_default graphics_device:chr_file { open read write ioctl map rw_file_perms};
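Review bot: The permission list on the `graphics_device:chr_file` rule is redundant, because `rw_file_perms` already expands to open, read, write and ioctl (and to map in policy versions that define that permission), so spelling them out beside the macro hides what is actually granted. Writing it as `allow hal_graphics_allocator_default graphics_device:chr_file rw_file_perms;` grants the same set and also fixes the missing space before the closing brace. The new file has no comment saying which node the allocator needs; a line such as `# gralloc opens the framebuffer node under /dev/graphics` (if that is the reason) would make the grant reviewable later.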
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 00000000..d7715de2
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,2 @@
+vndbinder_use(hal_graphics_composer_default)
+
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 16d3a3e1..7f18b9b2 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -4,3 +4,6 @@ allow init configfs:file write;
allow init configfs:lnk_file { create unlink };
# for symlink /sdcard /mnt/sdcard
allow init tmpfs:lnk_file create;
+allow init configfs:lnk_file create;
+
+dontaudit init kernel:system module_request;
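Review bot: The added `allow init configfs:lnk_file create;` duplicates the context line `allow init configfs:lnk_file { create unlink };` two lines above it, so it grants nothing new and can be dropped; if a different target type was intended, it is not what the rule says. The `dontaudit init kernel:system module_request;` line suppresses the denial record without saying why, and the same applies to `dontaudit system_server self:capability sys_module;` in system_server.te. Each should carry a comment such as `# modules are built in on this board; silence the module autoload probe` (wording to be confirmed by the author), so that a suppressed audit record is a documented decision rather than a hidden one.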
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
deleted file mode 100644
index f53f2b46..00000000
--- a/sepolicy/surfaceflinger.te
+++ /dev/null
@@ -1 +0,0 @@
-hal_server_domain(surfaceflinger, hal_graphics_allocator)
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 00000000..335bfe33
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,5 @@
+# TODO(b/73123675): BatterySaver needs access to cpufreq. Remove this access
+# once cpufreq functionality is hidden behind a HAL.
+allow system_server sysfs_devices_system_cpu:file w_file_perms;
+
+dontaudit system_server self:capability sys_module;
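Review bot: The `w_file_perms` grant on `sysfs_devices_system_cpu:file` is wider than the TODO describes, assuming that type labels the whole `/sys/devices/system/cpu` tree as it does in the platform policy. The comment talks only about cpufreq, yet the rule lets system_server write any file carrying the type, limited only by file mode. If the cpufreq nodes can be given their own type in genfs_contexts, the rule could target that type instead; otherwise extend the comment to say the broader scope is known and accepted until the HAL exists.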
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
deleted file mode 100644
index 733a112c..00000000
--- a/sepolicy/vendor_init.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow vendor_init {
- hostapd_socket
- wifi_data_file
-}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
diff --git a/ueventd.common.rc b/ueventd.common.rc
index b76dd4ca..ff82f70c 100644
--- a/ueventd.common.rc
+++ b/ueventd.common.rc
@@ -11,6 +11,8 @@ subsystem usbmisc
/dev/hifi_misc 0666 system audio
/dev/hi_vdec 0660 system camera
/dev/hi_venc 0660 system camera
+/dev/ion 0666 system graphics
+/dev/graphics/fb0 0666 system graphics
/sys/devices/platform/ddr_devfreq/devfreq/ddr_devfreq min_freq 0644 system system
/sys/devices/platform/e82c0000.mali/devfreq/e82c0000.mali min_freq 0644 system system
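Review bot: Both added nodes are created with mode 0666, so Unix permissions no longer limit who can open `/dev/ion` or the framebuffer, and SELinux policy becomes the only access control on them. Since the entries already assign group `graphics`, `/dev/graphics/fb0 0660 system graphics` would keep access to the owner and that group, and the commit message gives no reason for world read/write on either node. If unprivileged clients do need `/dev/ion` at 0666, a `#` comment above the line saying so would record that the mode is deliberate. The hunk's trailing context appears to be cut short on this page.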