topaz: sepolicy: Address sepolicy denials

* grep -i "avc: denied" logcat.log > avc.txt

Change-Id: Icb6ac8f3da8de9d9bd80e8bea030edd23214ff48

sepolicy/private/property_contexts

@@ -1,6 +1,9 @@
 # Camera
 ro.camera.                     u:object_r:exported_default_prop:s0
 
+# Fingerprint
+gf.debug.                      u:object_r:vendor_fp_prop:s0
+
 # GLobal
 ro.boot.hwc                    u:object_r:exported_default_prop:s0
 ro.boot.hwname                 u:object_r:exported_default_prop:s0
@@ -16,3 +19,8 @@ ro.miui.                       u:object_r:exported_system_prop:s0
 ro.fota.oem                    u:object_r:exported_system_prop:s0
 ro.product.mod_device          u:object_r:build_prop:s0
 ro.product.marketname          u:object_r:build_prop:s0
+
+# WiFi
+ro.wlan.bdf                    u:object_r:vendor_public_vendor_default_prop:s0
+ro.wlan.chip                   u:object_r:vendor_public_vendor_default_prop:s0
+ro.ril.oem.wifimac             u:object_r:vendor_wifimac_prop:s0

sepolicy/private/system_suspend.te

@@ -0,0 +1 @@
+allow system_suspend sysfs:dir r_dir_perms;

sepolicy/vendor/file_contexts

@@ -40,6 +40,12 @@
 /(odm|vendor/odm|system/vendor)/bin/mtd@1.2 u:object_r:hal_mtdservice_default_exec:s0
 /(odm|vendor/odm|system/vendor)/bin/mtd@1.3 u:object_r:hal_mtdservice_default_exec:s0
 
+# NFC
+/vendor/bin/STFlashTool                                                 u:object_r:stflashtool_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st                  u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service           u:object_r:hal_secure_element_default_exec:s0
+/dev/st21nfc                                                            u:object_r:nfc_device:s0
+
 # Thermal
 /(vendor|system/vendor)/bin/mi_thermald u:object_r:mi_thermald_exec:s0
 /data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0

sepolicy/vendor/hal_health_default.te

@@ -0,0 +1 @@
+allow hal_health_default sysfs:file { read };

sepolicy/vendor/hal_nfc_default.te

@@ -1,3 +1,6 @@
 allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
 allow hal_nfc_default vendor_data_file:dir rw_dir_perms;
 allow hal_nfc_default vendor_data_file:file { create rw_file_perms };
+
+get_prop(hal_nfc_default, vendor_nfc_prop)
+set_prop(hal_nfc_default, vendor_nfc_prop)

sepolicy/vendor/hal_sensors_default.te

@@ -1,5 +1,6 @@
 allow hal_sensors_default audio_socket:sock_file rw_file_perms;
 allow hal_sensors_default hal_audio_default:unix_stream_socket connectto;
 allow hal_sensors_default sound_device:chr_file rw_file_perms;
+allow hal_sensors_default sysfs:file { read };
 allow hal_sensors_default vendor_sysfs_graphics:dir r_dir_perms;
 allow hal_sensors_default vendor_sysfs_graphics:file r_file_perms;

sepolicy/vendor/init.te

@@ -1,17 +1,3 @@
 allow init debugfs_tracing_debug:dir mounton;
-allow vendor_init cgroup:file getattr;
-allow vendor_init hal_fingerprint_default:process { ptrace };
-allow vendor_init hwservicemanager:binder { transfer };
-allow vendor_init tee_device:chr_file { ioctl };
-allow vendor_init tee_device:chr_file rw_file_perms;
-allow vendor_init vendor_dmabuf_qseecom_heap_device:chr_file ioctl;
-allow vendor_init vendor_dmabuf_qseecom_heap_device:chr_file rw_file_perms;
-allow vendor_init vendor_dmabuf_qseecom_ta_heap_device:chr_file ioctl;
-allow vendor_init vendor_dmabuf_qseecom_ta_heap_device:chr_file rw_file_perms;
-allow vendor_init vendor_qce_device:chr_file ioctl;
-allow vendor_init vendor_qce_device:chr_file rw_file_perms;
-
-set_prop(vendor_init, vendor_fp_prop)
-set_prop(vendor_init, vendor_fp_info_prop)
-set_prop(vendor_init, vendor_thermal_normal_prop)
-set_prop(vendor_init, vendor_displayfeature_prop)
+allow init hal_fingerprint_default:process { ptrace };
+allow init proc:file { setattr };

sepolicy/vendor/property.te

@@ -19,3 +19,6 @@ vendor_public_prop(vendor_payment_security_prop)
 
 # Thermal
 vendor_public_prop(vendor_thermal_normal_prop)
+
+# WiFi
+vendor_internal_prop(vendor_wifimac_prop)

sepolicy/vendor/property_contexts

@@ -49,6 +49,9 @@ persist.vendor.sys.provision.status      u:object_r:vendor_payment_security_prop
 vendor.sys.feature_state                 u:object_r:vendor_payment_security_prop:s0
 vendor.sys.rpmb_state                    u:object_r:vendor_payment_security_prop:s0
 
+# NFC
+persist.vendor.nfc.                             u:object_r:vendor_nfc_prop:s0
+
 # Radio
 ro.vendor.ril.svlte1x  u:object_r:vendor_radio_prop:s0
 ro.vendor.ril.svdo  u:object_r:vendor_radio_prop:s0

sepolicy/vendor/stflashtool.te

@@ -0,0 +1,10 @@
+type stflashtool, domain;
+type stflashtool_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(stflashtool)
+
+allow stflashtool nfc_device:chr_file {ioctl read write getattr lock append map open watch watch_reads};
+
+get_prop(stflashtool, vendor_radio_prop)
+get_prop(stflashtool, vendor_nfc_prop)
+set_prop(stflashtool, vendor_nfc_prop)

sepolicy/vendor/tee.te

@@ -1,3 +1,5 @@
 allow tee vendor_fingerprint_data_file:dir rw_dir_perms;
 allow tee vendor_fingerprint_data_file:file rw_file_perms;
 allow tee vendor_fingerprint_data_file:file create_file_perms;
+allow tee vendor_gpt_block_device:blk_file { read };
+allow tee vendor_xbl_block_device:blk_file { read };

sepolicy/vendor/toolbox.te

@@ -0,0 +1 @@
+allow toolbox unlabeled:dir { getattr };

sepolicy/vendor/vendor_init.te

@@ -0,0 +1,18 @@
+allow vendor_init block_device:lnk_file { setattr };
+allow vendor_init cgroup:file getattr;
+allow vendor_init hwservicemanager:binder { transfer };
+allow vendor_init tee_device:chr_file { ioctl };
+allow vendor_init tee_device:chr_file rw_file_perms;
+
+allow vendor_init vendor_dmabuf_qseecom_heap_device:chr_file ioctl;
+allow vendor_init vendor_dmabuf_qseecom_heap_device:chr_file rw_file_perms;
+allow vendor_init vendor_dmabuf_qseecom_ta_heap_device:chr_file ioctl;
+allow vendor_init vendor_dmabuf_qseecom_ta_heap_device:chr_file rw_file_perms;
+allow vendor_init vendor_qce_device:chr_file ioctl;
+allow vendor_init vendor_qce_device:chr_file rw_file_perms;
+
+set_prop(vendor_init, vendor_fp_prop)
+set_prop(vendor_init, vendor_fp_info_prop)
+set_prop(vendor_init, vendor_nfc_prop)
+set_prop(vendor_init, vendor_thermal_normal_prop)
+set_prop(vendor_init, vendor_displayfeature_prop)

sepolicy/vendor/vendor_modprobe.te

@@ -2,5 +2,6 @@ allow vendor_modprobe block_device:dir search;
 allow vendor_modprobe self:capability sys_module;
 allow vendor_modprobe self:cap_userns sys_module;
 allow vendor_modprobe vendor_file:system module_load;
+allow vendor_modprobe vendor_modprobe:key { write };
 
 r_dir_file(vendor_modprobe, vendor_file)

sepolicy/vendor/vendor_qcc_trd.te

@@ -0,0 +1 @@
+allow vendor_qcc_trd vendor_sysfs_microdump:dir { search };

sepolicy/vendor/vendor_qti_init_shell.te

@@ -2,6 +2,7 @@ allow vendor_qti_init_shell configfs:dir { add_name create write };
 # NECESSARY?
 allow vendor_qti_init_shell configfs:dir setattr;
 # END
+allow vendor_qti_init_shell device:dir r_dir_perms;
 allow vendor_qti_init_shell sysfs_dm:file rw_file_perms;
 allow vendor_qti_init_shell sysfs_dm:dir r_dir_perms;
 allow vendor_qti_init_shell vendor_sysfs_msm_perf:file w_file_perms;

sepolicy/vendor/vendor_subsystem_ramdump.te

@@ -0,0 +1 @@
+allow vendor_subsystem_ramdump vendor_subsystem_ramdump:capability { net_admin };

sepolicy/vendor/vendor_wcnss_service.te

@@ -14,6 +14,7 @@ allow vendor_wcnss_service vendor_proc_wifi_dbg:file { create getattr open read
 
 get_prop(vendor_wcnss_service, vendor_bluetooth_prop)
 set_prop(vendor_wcnss_service, vendor_radio_prop)
+set_prop(vendor_wcnss_service, vendor_wifimac_prop)
 set_prop(vendor_wcnss_service, vendor_public_vendor_default_prop)
 
 unix_socket_connect(vendor_wcnss_service, property, init)

sepolicy/vendor/vndservicemanager.te

@@ -0,0 +1 @@
+binder_call(vndservicemanager vendor_cnd)