rosemary: sepolicy: Initial vendor SEpolicy

Co-authored-by: Vaisakh Murali <mvaisakh@statixos.com>
Signed-off-by: LinkBoi00 <linkdevel@protonmail.com>
Change-Id: If2f65d3bd9b5849557b911fa2cbfcc2392d568c9

BoardConfig.mk

@@ -135,6 +135,10 @@ TARGET_RECOVERY_PIXEL_FORMAT := "RGBX_8888"
 # RIL
 ENABLE_VENDOR_RIL_SERVICE := true
 
+# Sepolicy
+include device/mediatek/sepolicy_vndr/SEPolicy.mk
+BOARD_VENDOR_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
+
 # SPL
 VENDOR_SECURITY_PATCH := 2021-10-01
 

sepolicy/vendor/file.te

@@ -0,0 +1,3 @@
+# Fingerprint
+type vendor_fingerprint_data_file, data_file_type, file_type;
+type vendor_fingerprint_device, dev_type;

sepolicy/vendor/file_contexts

@@ -0,0 +1,10 @@
+# Fingerprint
+/mnt/vendor/persist/goodix(/.*)? 									u:object_r:vendor_fingerprint_data_file:s0
+/mnt/vendor/persist/fpc(/.*)?    									u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpdump(/.*)?        									u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix(/.*)?        									u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpc(/.*)?           									u:object_r:vendor_fingerprint_data_file:s0
+/data/gf_data(/.*)?              									u:object_r:vendor_fingerprint_data_file:s0
+
+# Lights
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light-service\.rosemary                          	u:object_r:hal_light_default_exec:s0

sepolicy/vendor/hal_fingerprint_default.te

@@ -0,0 +1,13 @@
+# Allow fingerprint HAL to read and write fingerprint node
+allow hal_fingerprint_default vendor_fingerprint_device:chr_file rw_file_perms;
+
+# Allow fingerprint HAL to setup fingerprint database files
+allow hal_fingerprint_default vendor_fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
+
+# Create fingerprint HAL entrypoint
+allow hal_fingerprint_default hal_fingerprint_default_exec:file entrypoint;
+
+# Allow fingerprint HAL to get and set its props
+get_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)

sepolicy/vendor/hal_light_default.te

@@ -0,0 +1,3 @@
+# Grant read perms to hal_light_default for sysfs_leds
+allow hal_light_default sysfs_leds:file rw_file_perms;
+r_dir_file(hal_light_default, sysfs_leds)

sepolicy/vendor/hal_secure_element_default.te

@@ -0,0 +1,3 @@
+# Allow SE HAL to rw nfc_device
+allow hal_secure_element_default nfc_device:file rw_file_perms;
+allow hal_secure_element_default nfc_device:chr_file rw_file_perms;

sepolicy/vendor/hal_wifi_default.te

@@ -0,0 +1,5 @@
+# Set fw prop
+set_prop(hal_wifi_default, vendor_mtk_wifi_hal_prop)
+
+# Get hotspot prop
+get_prop(hal_wifi_default, vendor_mtk_wifi_hotspot_prop)

sepolicy/vendor/property.te

@@ -0,0 +1 @@
+vendor_restricted_prop(vendor_fingerprint_prop);

sepolicy/vendor/property_contexts

@@ -0,0 +1,18 @@
+# Audio
+audio.adm.buffering.ms                                  u:object_r:vendor_mtk_audiohal_prop:s0
+audio_hal.period_multiplier                             u:object_r:vendor_mtk_audiohal_prop:s0
+vendor.audio.spkcal.copy.inhal                          u:object_r:vendor_mtk_audiohal_prop:s0
+
+# Camera
+vendor.camera.sensor.                                   u:object_r:vendor_mtk_camera_prop:s0
+persist.vendor.camera.                                  u:object_r:vendor_mtk_camera_prop:s0
+demo.hole                                               u:object_r:vendor_mtk_camera_prop:s0
+demo.near                                               u:object_r:vendor_mtk_camera_prop:s0
+demo.far                                                u:object_r:vendor_mtk_camera_prop:s0
+demo.fb                                                 u:object_r:vendor_mtk_camera_prop:s0
+
+# Fingerprint
+gf.debug.dump_bigdata_data                              u:object_r:vendor_fingerprint_prop:s0
+persist.sys.fp.goodix.                                  u:object_r:vendor_fingerprint_prop:s0
+persist.vendor.sys.fp.                                  u:object_r:vendor_fingerprint_prop:s0
+vendor.fps_hal.                                         u:object_r:vendor_fingerprint_prop:s0

sepolicy/vendor/vendor_init.te

@@ -0,0 +1 @@
+get_prop(vendor_init, vts_status_prop)