Snap for 10453563 from e03684088d97dc3cdbba2b5bd81c935245642f43 to mainline-conscrypt-release

Change-Id: I0b27d2fb8ac7e4c032c58f0ba77629acaff23106
diff --git a/bluetooth/device.te b/bluetooth/device.te
deleted file mode 100644
index 7ed13ad..0000000
--- a/bluetooth/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type bt_device, dev_type;
diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts
index da02008..66d690f 100644
--- a/bluetooth/file_contexts
+++ b/bluetooth/file_contexts
@@ -1,5 +1,4 @@
 # Bluetooth
-/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti  u:object_r:hal_bluetooth_default_exec:s0
+/vendor/bin/hw/android\.hardware\.bluetooth@1\.1-service\.synabtlinux    u:object_r:hal_bluetooth_synabtlinux_exec:s0
 
-/dev/btpower                                    u:object_r:bt_device:s0
 /dev/ttySAC18                                   u:object_r:hci_attach_dev:s0
diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts
index 2b2d437..d18d164 100644
--- a/bluetooth/genfs_contexts
+++ b/bluetooth/genfs_contexts
@@ -1 +1,3 @@
-genfscon sysfs /devices/platform/odm/odm:btqcom/rfkill/rfkill0/state                             u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state                             u:object_r:sysfs_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite                                                          u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/lpm                                                              u:object_r:proc_bluetooth_writable:s0
diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te
index dcd2b7f..c764133 100644
--- a/bluetooth/hal_bluetooth_default.te
+++ b/bluetooth/hal_bluetooth_default.te
@@ -1,9 +1,23 @@
-allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
+type hal_bluetooth_synabtlinux, domain;
+type hal_bluetooth_synabtlinux_exec, exec_type, file_type, vendor_file_type;
 
-add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice)
+hal_server_domain(hal_bluetooth_synabtlinux, hal_bluetooth)
+init_daemon_domain(hal_bluetooth_synabtlinux)
 
-userdebug_or_eng(`
-  allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir rw_dir_perms;
-  allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file { create_file_perms };
-  set_prop(hal_bluetooth_default, vendor_ssrdump_prop)
-')
+allow hal_bluetooth_synabtlinux self:socket { create bind read write };
+allow hal_bluetooth_synabtlinux self:bluetooth_socket { create bind read write };
+allow hal_bluetooth_synabtlinux hci_attach_dev:chr_file rw_file_perms;
+allow hal_bluetooth_synabtlinux hal_power_stats_vendor_service:service_manager find;
+add_hwservice(hal_bluetooth_synabtlinux, hal_bluetooth_coexistence_hwservice)
+vndbinder_use(hal_bluetooth_synabtlinux)
+binder_call(hal_bluetooth_synabtlinux, hal_power_stats_default)
+get_prop(hal_bluetooth_synabtlinux, boot_status_prop)
+
+allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+ userdebug_or_eng(`
+  allow hal_bluetooth_synabtlinux logbuffer_device:chr_file r_file_perms;
+  allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:file create_file_perms;
+ ')
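Review bot: The two `sscoredump_vendor_data_crashinfo_file` rules sit outside `userdebug_or_eng`, so the Bluetooth HAL can create directories and files under the crash-info label on user builds too. The directory grant also widens from `rw_dir_perms` in the removed rules to `create_dir_perms`. If that is intended, a comment above them such as `# Crash info is written on all build types; coredumps only on userdebug/eng.` would record it; otherwise move both rules inside the `userdebug_or_eng` block. Separately, `self:socket` names the generic socket class alongside `self:bluetooth_socket`, and a comment saying which address family needs it would make that grant auditable. The file is still named hal_bluetooth_default.te although it now defines only `hal_bluetooth_synabtlinux`.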
diff --git a/fingerprint_capacitance/file.te b/fingerprint_capacitance/file.te
new file mode 100644
index 0000000..0218b46
--- /dev/null
+++ b/fingerprint_capacitance/file.te
@@ -0,0 +1 @@
+type sysfs_fingerprint, sysfs_type, fs_type;
diff --git a/fingerprint_capacitance/file_contexts b/fingerprint_capacitance/file_contexts
new file mode 100644
index 0000000..aa6d801
--- /dev/null
+++ b/fingerprint_capacitance/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42    u:object_r:hal_fingerprint_capacitance_exec:s0
diff --git a/fingerprint_capacitance/genfs_contexts b/fingerprint_capacitance/genfs_contexts
new file mode 100644
index 0000000..9fe2a86
--- /dev/null
+++ b/fingerprint_capacitance/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020     u:object_r:sysfs_fingerprint:s0
diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te
new file mode 100644
index 0000000..632086a
--- /dev/null
+++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te
@@ -0,0 +1,39 @@
+# hal_fingerprint_capacitance definition
+type hal_fingerprint_capacitance, domain;
+hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint)
+
+type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_capacitance)
+
+set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)
+
+# allow fingerprint to access file
+allow hal_fingerprint_capacitance fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms;
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_capacitance, hal_power);
+
+# allow fingerprint to find fwk service
+allow hal_fingerprint_capacitance fwk_stats_service:service_manager find;
+
+# allow fingerprint to access sysfs_leds
+allow hal_fingerprint_capacitance sysfs_leds:dir search;
+allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms;
+
+# allow fingerprint to access sysfs_batteryinfo
+allow hal_fingerprint_capacitance sysfs_batteryinfo:dir search;
+allow hal_fingerprint_capacitance sysfs_batteryinfo:file rw_file_perms;
+
+# allow fingerprint to access input_device
+allow hal_fingerprint_capacitance input_device:dir r_dir_perms;
+allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;
+
+# allow fingerprint to access hwservice
+hwbinder_use(hal_fingerprint_capacitance)
+add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice)
+
+# allow fingerprint to access fwk sensor hwservice
+allow hal_fingerprint_capacitance fwk_sensor_hwservice:hwservice_manager find;
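Review bot: `allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;` gives the fingerprint HAL read and write access to every node labelled `input_device`, which typically includes the touch and key event devices, so a compromised HAL could observe or inject input. If the HAL needs only one node, label that node with a dedicated type in file_contexts and grant access to that type instead. The `rw_file_perms` grants on `sysfs_batteryinfo` and `sysfs_leds` files deserve the same look; if the HAL only reads them, `r_file_perms` is enough. The comments restate each rule rather than saying why the access is needed, which is what a later audit will want to know.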
diff --git a/fingerprint_capacitance/hwservice.te b/fingerprint_capacitance/hwservice.te
new file mode 100644
index 0000000..68c51ab
--- /dev/null
+++ b/fingerprint_capacitance/hwservice.te
@@ -0,0 +1 @@
+type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type;
diff --git a/fingerprint_capacitance/hwservice_contexts b/fingerprint_capacitance/hwservice_contexts
new file mode 100644
index 0000000..ed09300
--- /dev/null
+++ b/fingerprint_capacitance/hwservice_contexts
@@ -0,0 +1,2 @@
+com.fingerprints42.extension::IFingerprintEngineering  u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
+com.fingerprints42.extension::IFingerprintSensorTest   u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
diff --git a/fingerprint_capacitance/servicemanager.te b/fingerprint_capacitance/servicemanager.te
new file mode 100644
index 0000000..6e1afe9
--- /dev/null
+++ b/fingerprint_capacitance/servicemanager.te
@@ -0,0 +1 @@
+binder_call(servicemanager, hal_fingerprint_capacitance)
diff --git a/fingerprint_capacitance/system_app.te b/fingerprint_capacitance/system_app.te
new file mode 100644
index 0000000..f583431
--- /dev/null
+++ b/fingerprint_capacitance/system_app.te
@@ -0,0 +1,3 @@
+# TODO (b/264266705) Remove this and make it specific to the app
+# allow SystemUIGoogle to access fingerprint hal
+hal_client_domain(system_app, hal_fingerprint)
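Review bot: `hal_client_domain(system_app, hal_fingerprint)` makes every app that runs in the `system_app` domain a fingerprint HAL client, not only the one app the comment names. The usual way to narrow it is a dedicated app domain selected by package name in seapp_contexts, with the `hal_client_domain` grant moved to that domain. Until then the comment could state which HAL calls the app needs, so the eventual narrowing can be checked against it.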
diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te
new file mode 100644
index 0000000..cd094a3
--- /dev/null
+++ b/system_ext/private/platform_app.te
@@ -0,0 +1,2 @@
+# Allow platform apps to access system_update_service (e.g. check if update info is available).
+allow platform_app system_update_service:service_manager find;
\ No newline at end of file
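Review bot: platform_app.te ends without a trailing newline, as the `\ No newline at end of file` marker shows. The other policy files added in this change end with one, and policy sources are combined before compilation, so the file should end with a newline after the `allow platform_app system_update_service:service_manager find;` rule. This is a style point only; the rule itself is narrowly scoped to `find`.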
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
new file mode 100644
index 0000000..f08d9e4
--- /dev/null
+++ b/system_ext/private/property_contexts
@@ -0,0 +1,6 @@
+# TODO(b/246793311): Clean up a temporary property once pa/2342172 lands
+debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool
+
+# Default orienation for boot animation counted from natural orienation of the device
+# Id at the end corresponds to the display id on the device. See b/246793311 for context.
+ro.bootanim.set_orientation_4619827677550801152 u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_90 ORIENTATION_180 ORIENTATION_270
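Review bot: The comment above `ro.bootanim.set_orientation_4619827677550801152` misspells "orientation" twice; suggested text: `# Default orientation for boot animation counted from natural orientation of the device`. The display id is hard-coded in the property name, so a short note saying which panel that id refers to would save the next reader a lookup in the referenced bug.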
diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk
index 97cf380..f16f331 100644
--- a/tangorpro-sepolicy.mk
+++ b/tangorpro-sepolicy.mk
@@ -1,2 +1,14 @@
 # sepolicy that are shared among devices using whitechapel
 BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/tracking_denials
+
+# fingerprint
+BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance
+
+# for mediashell
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor
+PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/google/gms/src/sepolicy/tv
+
+# system_ext
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private
diff --git a/tracking_denials/README.txt b/tracking_denials/README.txt
new file mode 100644
index 0000000..6cfc62d
--- /dev/null
+++ b/tracking_denials/README.txt
@@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 0000000..c77f421
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1,4 @@
+hal_camera_default boot_status_prop file b/275001805
+hal_camera_default edgetpu_app_service service_manager b/275001805
+hal_dumpstate_default modem_stat_data_file dir b/239115418
+shell sysfs_touch dir b/264823366
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..a863220
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,8 @@
+#Pogo USB control & status
+type sysfs_pogo_usb, sysfs_type, fs_type;
+
+# Cast device certificate
+type device_cert_file, file_type, vendor_persist_type;
+
+# Avoid GPS se failed
+type sysfs_gps, sysfs_type, fs_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 46faec0..792f30a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,12 +1,15 @@
 # Devices
-/dev/lwis-act-lc898129                                                      u:object_r:lwis_device:s0
-/dev/lwis-eeprom-lc898129                                                   u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x-imx712                                             u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x-imx712-uw                                          u:object_r:lwis_device:s0
-/dev/lwis-ois-lc898129                                                      u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx712                                                     u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx712-uw                                                  u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx787                                                     u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-front                                                u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-rear                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-medusa-front                                               u:object_r:lwis_device:s0
+/dev/lwis-sensor-medusa-rear                                                u:object_r:lwis_device:s0
 
 # Wifi
 /dev/wlan                               u:object_r:vendor_wlan_device:s0
+
+# Privacy LED
+/vendor/bin/hw/android\.hardware\.lights-service\.tangorpro          u:object_r:hal_light_default_exec:s0
+
+# Cast Factory Credentials
+/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0
+/mnt/vendor/persist/nest/cast_auth\.crt                u:object_r:device_cert_file:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
new file mode 100644
index 0000000..4b06cfb
--- /dev/null
+++ b/vendor/genfs_contexts
@@ -0,0 +1,27 @@
+# Dock
+genfscon sysfs /devices/platform/google,dock/power_supply/dock         u:object_r:sysfs_batteryinfo:s0
+
+# Touch
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0   u:object_r:sysfs_touch:s0
+
+# system suspend wakeup files
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup                            u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/wakeup                                        u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/wakeup                                        u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup                                                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/nvt-pen-battery/wakeup                  u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/input/input2/wakeup                                  u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/wakeup                                               u:object_r:sysfs_wakeup:s0
+
+# Pogo usb control & status
+genfscon sysfs /devices/platform/google,pogo/pogo_usb_active           u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/pogo_usb_capable          u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/pogo_docked               u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/equal_priority            u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/move_data_to_usb          u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/extcon                    u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/google,pogo/hall1_s                   u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/hall1_n                   u:object_r:sysfs_pogo_usb:s0
+genfscon sysfs /devices/platform/google,pogo/hall2_s                   u:object_r:sysfs_pogo_usb:s0
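Review bot: The pogo block labels `hall1_s`, `hall1_n` and `hall2_s` as `sysfs_pogo_usb` but has no entry for `hall2_n`. If the driver exposes that node, it keeps the default sysfs label and the rules written against `sysfs_pogo_usb` will not cover it; in that case add `genfscon sysfs /devices/platform/google,pogo/hall2_n u:object_r:sysfs_pogo_usb:s0`. If the hardware has no such node, a one-line comment saying so would stop the next reader from asking the same question.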
diff --git a/vendor/grilservice_app.te b/vendor/grilservice_app.te
new file mode 100644
index 0000000..763121c
--- /dev/null
+++ b/vendor/grilservice_app.te
@@ -0,0 +1,2 @@
+# setBluetoothModeBasedTxPowerCap for SAR
+binder_call(grilservice_app, hal_bluetooth_synabtlinux)
diff --git a/vendor/hal_drm_cast.te b/vendor/hal_drm_cast.te
new file mode 100644
index 0000000..800a231
--- /dev/null
+++ b/vendor/hal_drm_cast.te
@@ -0,0 +1,9 @@
+type hal_drm_cast, domain;
+type hal_drm_cast_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_cast)
+hal_server_domain(hal_drm_cast, hal_drm)
+
+allow hal_drm_cast mnt_vendor_file:dir search;
+allow hal_drm_cast persist_file:dir search;
+allow hal_drm_cast device_cert_file:file r_file_perms;
diff --git a/vendor/hal_lights.te b/vendor/hal_lights.te
new file mode 100644
index 0000000..7c43a93
--- /dev/null
+++ b/vendor/hal_lights.te
@@ -0,0 +1,7 @@
+allow hal_light_default sysfs_leds:dir search;
+allow hal_light_default sysfs_leds:file rw_file_perms;
+allow hal_light_default mnt_vendor_file:dir search;
+allow hal_light_default persist_file:dir search;
+allow hal_light_default hal_pixel_display_service:service_manager find;
+binder_call(hal_light_default, hal_graphics_composer_default);
+r_dir_file(hal_light_default, persist_leds_file);
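Review bot: hal_lights.te has no comments, and write access to `sysfs_leds` files plus the read of `persist_leds_file` are grants a reader will want a reason for. A header along the lines of `# Lights HAL: LED sysfs control and LED data read from persist` would do, if that matches the intent. The trailing `;` after `binder_call(...)` and `r_dir_file(...)` is unnecessary after a macro call and differs from most macro calls in this change; the same stray `;` follows `hal_client_domain` in hal_fingerprint_capacitance.te.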
diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te
new file mode 100644
index 0000000..a81c9ba
--- /dev/null
+++ b/vendor/hal_power_stats_default.te
@@ -0,0 +1,2 @@
+# getStateResidency AIDL callback for Bluetooth HAL
+binder_call(hal_power_stats_default, hal_bluetooth_synabtlinux)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..da6b54e
--- /dev/null
+++ b/vendor/hal_sensors_default.te
@@ -0,0 +1,9 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow sensor HAL to access pogo driver hall file node.
+allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms;
+
+# Allow access to the uhid devices.
+allow hal_sensors_default uhid_device:chr_file rw_file_perms;
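Review bot: `allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms;` is commented as access to the hall file node, but vendor/genfs_contexts gives the same type to the USB control nodes (`pogo_usb_active`, `move_data_to_usb`, `equal_priority`), so the sensor HAL gets write access to those as well. Either give the hall nodes their own type or, if the HAL only reads them, reduce the grant to `r_file_perms`. The `uhid_device` rule gives the HAL read and write on the kernel interface for user-space HID devices, which is enough to present a virtual input device to the system. Its comment should name the feature that needs this so the grant can be removed if that feature goes away.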
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
new file mode 100644
index 0000000..4f1bfbc
--- /dev/null
+++ b/vendor/hal_usb_impl.te
@@ -0,0 +1,2 @@
+# For Pogo usb management
+allow hal_usb_impl sysfs_pogo_usb:file rw_file_perms;
diff --git a/vendor/service_contexts b/vendor/service_contexts
new file mode 100644
index 0000000..f93a0e0
--- /dev/null
+++ b/vendor/service_contexts
@@ -0,0 +1,2 @@
+# Cast Factory Credentials
+android.hardware.drm.IDrmFactory/castkey                         u:object_r:hal_drm_service:s0
diff --git a/vendor/system_server.te b/vendor/system_server.te
new file mode 100644
index 0000000..ba82449
--- /dev/null
+++ b/vendor/system_server.te
@@ -0,0 +1 @@
+allow system_server sysfs_touch_gti:file r_file_perms;
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
new file mode 100644
index 0000000..de38b6f
--- /dev/null
+++ b/vendor/vendor_init.te
@@ -0,0 +1 @@
+get_prop(vendor_init, gesture_prop)