From d393577b3038c2fa9db1132fb28c8b1c06d4c008 Mon Sep 17 00:00:00 2001
From: Zinadin Zidan
Date: Sat, 6 Mar 2021 13:27:23 +0600
Subject: [PATCH] rosemary: sepolicy: Address mi_thermald sepolicy denials
This is a squash of the following commits:
cannon: sepolicy: Label mi_thermald and grant required permissions
Change-Id: I9eebb3c911f27aaeb128696c261d902a06c52cef
Co-Authored-By: Azurite
Signed-off-by: LinkBoi00
Reviewed-on: https://review.statixos.com/c/android_device_xiaomi_cannon/+/7756
Reviewed-by: Vaisakh Murali
Tested-by: Vaisakh Murali
Signed-off-by: LinkBoi00
cannon: sepolicy: Drop sysfs_battery_supply sepolicy rules
Ref: https://gerrit.pixelexperience.org/c/device_mediatek_sepolicy_vndr/+/12410/1
Change-Id: Id0af2893e4ab4229ab9aa7f91c66359e878616a2
Signed-off-by: Zinadin Zidan
Signed-off-by: LinkBoi00
Reviewed-on: https://review.statixos.com/c/android_device_xiaomi_cannon/+/7757
Reviewed-by: Vaisakh Murali
Tested-by: Vaisakh Murali
Signed-off-by: LinkBoi00
cannon: sepolicy: Allow mi_thermald to read thermal and cpu conf
Change-Id: I3bd838967f40fbbfa149c8aa8258ed8511d9dd50
Signed-off-by: Zinadin Zidan
Signed-off-by: LinkBoi00
Reviewed-on: https://review.statixos.com/c/android_device_xiaomi_cannon/+/7758
Reviewed-by: Vaisakh Murali
Tested-by: Vaisakh Murali
Signed-off-by: LinkBoi00
cannon: sepolicy: Allow mi_thermald to access sysfs_leds
Change-Id: Ie861d1797be99b5b22fb3927f71be388e835a3e8
Signed-off-by: Zinadin Zidan
Signed-off-by: LinkBoi00
Reviewed-on: https://review.statixos.com/c/android_device_xiaomi_cannon/+/7759
Reviewed-by: Vaisakh Murali
Tested-by: Vaisakh Murali
Signed-off-by: LinkBoi00
---
 sepolicy/vendor/file_contexts | 3 +++
 sepolicy/vendor/mi_thermald.te | 28 ++++++++++++++++++++++++++++
 sepolicy/vendor/property_contexts | 3 +++
 3 files changed, 34 insertions(+)
 create mode 100644 sepolicy/vendor/mi_thermald.te
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 71e547e..0142755 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -9,5 +9,8 @@
 # Lights
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light-service\.rosemary u:object_r:hal_light_default_exec:s0
+# Thermals
+/vendor/bin/mi_thermald u:object_r:mi_thermald_exec:s0
+
 # WiFi
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@[0-9]\.[0-9]-service-lazy\.rosemary u:object_r:hal_wifi_default_exec:s0
diff --git a/sepolicy/vendor/mi_thermald.te b/sepolicy/vendor/mi_thermald.te
new file mode 100644
index 0000000..62ad5a1
--- /dev/null
+++ b/sepolicy/vendor/mi_thermald.te
@@ -0,0 +1,28 @@
+type mi_thermald, domain;
+type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+type thermal_data_file, data_file_type, file_type;
+
+init_daemon_domain(mi_thermald)
+
+set_prop(mi_thermald, thermal_engine_prop)
+
+allow mi_thermald thermal_data_file:dir rw_dir_perms;
+allow mi_thermald thermal_data_file:file create_file_perms;
+
+allow mi_thermald self:capability { fsetid sys_boot };
+allow mi_thermald mi_thermald:capability { chown fowner };
+allow mi_thermald mi_thermald:capability2 { wake_alarm block_suspend };
+
+r_dir_file(mi_thermald, sysfs_therm)
+allow mi_thermald sysfs_therm:file w_file_perms;
+
+r_dir_file(mi_thermald, sysfs_thermal)
+allow mi_thermald sysfs_thermal:file w_file_perms;
+
+r_dir_file(mi_thermald, sysfs)
+allow mi_thermald sysfs:file w_file_perms;
+
+r_dir_file(mi_thermald, sysfs_leds)
+allow mi_thermald sysfs_leds:file w_file_perms;
+
+allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index e527d27..90d77f5 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
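Review bot: No path is labelled `thermal_data_file` in this file_contexts hunk, although the same commit declares that type in mi_thermald.te and grants the daemon directory and file-create access to it. Unless another file_contexts in the tree labels the daemon's data directory, those two allow rules never match and the directory keeps whatever label it inherits. Add the entry next to the executable label, for example `<mi_thermald data dir>(/.*)? u:object_r:thermal_data_file:s0` (the path is a placeholder; take it from the denial log). The new executable entry also uses a bare `/vendor/bin/` prefix where its neighbours use `/(vendor|system/vendor)/bin/`; matching them would keep the file consistent.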
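Review bot: `r_dir_file(mi_thermald, sysfs)` together with `allow mi_thermald sysfs:file w_file_perms;` gives a daemon that also holds `sys_boot`, `chown` and `fowner` write access to every sysfs node that carries only the generic label, which is much wider than the thermal, LED and CPU nodes the other rules name. Label the nodes it actually touches in genfs_contexts, e.g. `genfscon sysfs <node path from the avc denial> u:object_r:sysfs_therm:s0`, and drop the generic `sysfs:file` write rule. The capability rules mix `self` and `mi_thermald` as the target; use `self` throughout, and add a one-line comment saying why `sys_boot` is needed (presumably an over-temperature shutdown) so the grant can be audited later.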
@@ -17,3 +17,6 @@ gf.debug.dump_bigdata_data u:object_r:vendor_finger
 persist.sys.fp.goodix. u:object_r:vendor_fingerprint_prop:s0
 persist.vendor.sys.fp. u:object_r:vendor_fingerprint_prop:s0
 vendor.fps_hal. u:object_r:vendor_fingerprint_prop:s0
+
+# Thermal
+vendor.sys.thermal. u:object_r:thermal_engine_prop:s0
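Review bot: Mapping the `vendor.sys.thermal.` prefix onto the existing `thermal_engine_prop` type means every domain that already has access to that type gains it for these properties too, and mi_thermald's `set_prop` reaches whatever else carries the label; which domains and properties those are is not visible in this patch. If only mi_thermald sets these properties, a dedicated type would keep the grant narrow, e.g. `vendor.sys.thermal. u:object_r:vendor_mi_thermal_prop:s0` (type name constructed for illustration) with a matching `set_prop(mi_thermald, vendor_mi_thermal_prop)`. A comment naming the process that reads these properties would also help later audits.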