basic: non_plat: Kang pixel thermal SEPolicy

* From hardware/google/pixel-sepolicy/thermal [Woomymy]: Fix conflicts with mediatek common sepolicy Change-Id: Ida6d12314cc81d11df33111472b08c71e62a96b5 Signed-off-by: Woomymy <woomy@woomy.be>
2023-09-04 23:05:11 +01:00 · 2023-09-04 23:05:11 +01:00 · 5deeb70766
commit 5deeb70766
parent 572ec1ab71
8 changed files with 52 additions and 1 deletions
--- a/basic/non_plat/file.te
+++ b/basic/non_plat/file.te
@ -482,6 +482,9 @@ type thermal_manager_data_file, file_type, data_file_type;
 # thermal core config file
 type thermal_core_data_file, file_type, data_file_type;

+# Thermal link device
+type thermal_link_device, dev_type;
+
 #autokd data file
 type autokd_data_file, file_type, data_file_type;

--- a/basic/non_plat/file_contexts
+++ b/basic/non_plat/file_contexts
@ -671,6 +671,7 @@
 /(vendor|system/vendor)/bin/frs64 u:object_r:thermal_core_exec:s0
 /(vendor|system/vendor)/bin/thermalloadalgod                                       u:object_r:thermalloadalgod_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mtk        u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mediatek   u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/lbs_hidl_service                                       u:object_r:lbs_hidl_service_exec:s0
 /(vendor|system/vendor)/bin/meta_tst                                               u:object_r:meta_tst_exec:s0
 /(vendor|system/vendor)/bin/kisd                                                   u:object_r:kisd_exec:s0
@ -732,6 +733,11 @@
 # Trustonic TEE
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service\.trustonic u:object_r:hal_keymint_default_exec:s0

+# Thermal
+/vendor/bin/thermal_logd_mediatek     u:object_r:init-thermal-logging-sh_exec:s0
+/vendor/bin/thermal_symlinks_mediatek u:object_r:init-thermal-symlinks-sh_exec:s0
+/dev/thermal(/.*)?                    u:object_r:thermal_link_device:s0
+
 # Microtrust SE
 /(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.se@1\.0-service   u:object_r:hal_secure_element_default_exec:s0

--- a/basic/non_plat/hal_thermal_default.te
+++ b/basic/non_plat/hal_thermal_default.te
@ -2,12 +2,18 @@
 # Common SEPolicy Rule
 # ==============================================

+r_dir_file(hal_thermal_default, sysfs_therm)
+allow hal_thermal_default sysfs_therm:file w_file_perms;
+
+allow hal_thermal_default thermal_link_device:dir r_dir_perms;
+
 allow hal_thermal_default proc_mtktz:dir search;
 allow hal_thermal_default proc_mtktz:file r_file_perms;
 allow hal_thermal_default proc_stat:file r_file_perms;

 #for uevent handle
 allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hal_thermal_default self:netlink_generic_socket create_socket_perms_no_ioctl;

 #for thermal sysfs
 allow hal_thermal_default sysfs_therm:file rw_file_perms;
@ -15,4 +21,9 @@ allow hal_thermal_default sysfs_therm:dir search;

 #for thermal hal socket
 allow hal_thermal_default thermal_hal_socket:dir { rw_dir_perms setattr};
-allow hal_thermal_default thermal_hal_socket:sock_file create_file_perms;
+allow hal_thermal_default thermal_hal_socket:sock_file create_file_perms;
+
+hal_client_domain(hal_thermal_default, hal_power);
+
+# read thermal_config
+get_prop(hal_thermal_default, vendor_thermal_prop)
--- a/basic/non_plat/init-thermal-logging.sh.te
+++ b/basic/non_plat/init-thermal-logging.sh.te
@ -0,0 +1,10 @@
+type init-thermal-logging-sh, domain;
+type init-thermal-logging-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-thermal-logging-sh)
+
+userdebug_or_eng(`
+  allow init-thermal-logging-sh vendor_toolbox_exec:file rx_file_perms;
+  allow init-thermal-logging-sh sysfs_therm:dir r_dir_perms;
+  allow init-thermal-logging-sh sysfs_therm:file r_file_perms;
+')
--- a/basic/non_plat/init-thermal-symlinks.sh.te
+++ b/basic/non_plat/init-thermal-symlinks.sh.te
@ -0,0 +1,12 @@
+type init-thermal-symlinks-sh, domain;
+type init-thermal-symlinks-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-thermal-symlinks-sh)
+
+allow init-thermal-symlinks-sh vendor_toolbox_exec:file rx_file_perms;
+allow init-thermal-symlinks-sh thermal_link_device:dir rw_dir_perms;
+allow init-thermal-symlinks-sh thermal_link_device:lnk_file create_file_perms;
+
+r_dir_file(init-thermal-symlinks-sh, sysfs_therm)
+
+set_prop(init-thermal-symlinks-sh, vendor_thermal_prop)
--- a/basic/non_plat/property.te
+++ b/basic/non_plat/property.te
@ -25,6 +25,7 @@ vendor_internal_prop(vendor_mtk_factory_prop)
 vendor_internal_prop(vendor_mtk_factory_start_prop)
 vendor_internal_prop(vendor_mtk_eara_io_prop)
 vendor_internal_prop(vendor_power_prop)
+vendor_internal_prop(vendor_thermal_prop)

 # Properties which can't be written outside vendor
 vendor_restricted_prop(vendor_mtk_aal_ro_prop)
--- a/basic/non_plat/property_contexts
+++ b/basic/non_plat/property_contexts
@ -406,3 +406,6 @@ persist.vendor.xfrm_support u:object_r:vendor_mtk_xfrm_support_prop:s0
 mtk.vendor.omx.core.log         u:object_r:vendor_mtk_omx_core_prop:s0
 ro.mtk_crossmount_support       u:object_r:vendor_mtk_crossmount_prop:s0
 ro.mtk_deinterlace_support      u:object_r:vendor_mtk_deinterlace_prop:s0
+
+# Thermal
+vendor.thermal. u:object_r:vendor_thermal_prop:s0
--- a/basic/non_plat/vendor_init.te
+++ b/basic/non_plat/vendor_init.te
@ -169,3 +169,8 @@ set_prop(vendor_init, vendor_power_prop)

 # Allow vendor_init to write to sysfs_devices_block
 allow vendor_init sysfs_devices_block:file w_file_perms;
+
+# Thermal
+allow vendor_init thermal_link_device:dir r_dir_perms;
+allow vendor_init thermal_link_device:lnk_file r_file_perms;
+set_prop(vendor_init, vendor_thermal_prop)