authorAmit Pundir <amit.pundir@linaro.org>2019-04-18 16:46:10 +0530
committerAmit Pundir <amit.pundir@linaro.org>2019-09-24 23:50:25 +0530
commit4e37582f32480bd153c93fed20b6aabe98bfbb90 (patch)
treeb86f9698ea06f9d11ead04057b845427798ad0cd /sepolicy
parentb7005515dd7ac2faebc6000b36075c116fdeacfa (diff)
db845c: Add support for AOSP on dragonboard db845c
Boots dragonboard db845c to console. HDMI display broken due to missing firmware files. Change-Id: I820aeb7b7ab2536a362f9ae37cc44906be0a6190 Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/app.te4
-rw-r--r--sepolicy/bootanim.te1
-rw-r--r--sepolicy/crash_dump.te7
-rw-r--r--sepolicy/dnsmasq.te3
-rw-r--r--sepolicy/file.te2
-rw-r--r--sepolicy/file_contexts17
-rw-r--r--sepolicy/genfs_contexts3
-rw-r--r--sepolicy/hal_drm_default.te2
-rw-r--r--sepolicy/hal_graphics_allocator_default.te1
-rw-r--r--sepolicy/hal_graphics_composer.te1
-rw-r--r--sepolicy/hal_graphics_composer_default.te3
-rw-r--r--sepolicy/hal_memtrack.te4
-rw-r--r--sepolicy/hal_wifi_supplicant_default.te6
-rw-r--r--sepolicy/kernel.te5
-rw-r--r--sepolicy/netd.te3
-rw-r--r--sepolicy/platform_app.te1
-rw-r--r--sepolicy/priv_app.te1
-rw-r--r--sepolicy/surfaceflinger.te1
-rw-r--r--sepolicy/system_app.te1
-rw-r--r--sepolicy/system_server.te1
-rw-r--r--sepolicy/te_macros8
21 files changed, 75 insertions, 0 deletions
diff --git a/sepolicy/app.te b/sepolicy/app.te
new file mode 100644
index 0000000..890e6e6
--- /dev/null
+++ b/sepolicy/app.te
@@ -0,0 +1,4 @@
+# Few system/untrusted_app_xx apps eg. deskclock,
+# gallery3d et al. need read-only access to /dev/dri
+# as well, otherwise they don't open and crash.
+gpu_access(appdomain -isolated_app)
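Review bot: `gpu_access(appdomain -isolated_app)` already covers platform_app, priv_app and system_app, so the separate `gpu_access(platform_app)`, `gpu_access(priv_app)` and `gpu_access(system_app)` lines in platform_app.te, priv_app.te and system_app.te are redundant with this rule; either drop them or narrow this one to the app domains that were actually observed hitting the denial. The comment also says "read-only access to /dev/dri", but what the macro grants (per te_macros) is directory open/read/search on dri_device plus reads of sysfs_gpu; the card0/renderD128 nodes are labeled graphics_device and gpu_device in file_contexts and are governed by core policy, which is worth stating so nobody later widens this macro to reach them. Suggested wording: `# A few system and untrusted_app apps (deskclock, gallery3d, ...) need to list /dev/dri and read the GPU sysfs node, otherwise they crash on open; the device nodes themselves are graphics_device/gpu_device.`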
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..e8e7494
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1 @@
+gpu_access(bootanim)
diff --git a/sepolicy/crash_dump.te b/sepolicy/crash_dump.te
new file mode 100644
index 0000000..b575e22
--- /dev/null
+++ b/sepolicy/crash_dump.te
@@ -0,0 +1,7 @@
+# audit2allow
+allow crash_dump bluetooth_data_file:file { getattr map open read };
+allow crash_dump bluetooth_prop:file { getattr map open };
+allow crash_dump device_config_runtime_native_boot_prop:file { getattr map open };
+allow crash_dump device_config_runtime_native_prop:file { getattr map open };
+allow crash_dump hwservicemanager_prop:file { getattr map open };
+allow crash_dump runtime_event_log_tags_file:file getattr;
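Review bot: The only rationale given for granting crash_dump `{ getattr map open read }` on bluetooth_data_file (and map/open on several property files) is `# audit2allow`, which tells the next maintainer nothing about whether the access is needed or merely noisy. crash_dump attaches to whatever process crashed, so these denials presumably come from it walking the open files and mappings of a crashing Bluetooth process; if the tombstone is still usable without them, `dontaudit` is the safer answer than `allow`, since the allow lets a generic debugger domain read Bluetooth pairing data on every device shipping this policy. The same bare `# audit2allow` header is used in dnsmasq.te, hal_drm_default.te, kernel.te and netd.te; each should say which process and operation produced the denial, e.g. `# crash_dump mapping the open files of a crashing com.android.bluetooth process (see tombstone from <bug-id>)`.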
diff --git a/sepolicy/dnsmasq.te b/sepolicy/dnsmasq.te
new file mode 100644
index 0000000..1154d8a
--- /dev/null
+++ b/sepolicy/dnsmasq.te
@@ -0,0 +1,3 @@
+# audit2allow
+allow dnsmasq netd:fifo_file getattr;
+allow dnsmasq netd:unix_stream_socket getattr;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..4d9988f
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+type sysfs_gpu, fs_type, sysfs_type;
+type dri_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..ab364f8
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,17 @@
+/dev/block/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/dri u:object_r:dri_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/dri/renderD128 u:object_r:gpu_device:s0
+/dev/ttyMSM0 u:object_r:console_device:s0
+
+/sys/devices/platform/soc/ae00000.mdss u:object_r:sysfs_gpu:s0
+/sys/devices/platform/soc/c440000.spmi/spmi-0/0-00/c440000.spmi:pmic@0:rtc@6000/rtc u:object_r:sysfs_rtc:s0
+
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.software u:object_r:hal_gatekeeper_default_exec:s0
+
+/vendor/lib(64)?/dri/.* u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.gbm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm_freedreno\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgbm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libglapi\.so u:object_r:same_process_hal_file:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..52338f0
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,3 @@
+genfscon sysfs /devices/platform/soc/ae00000.mdss u:object_r:sysfs_gpu:s0
+
+genfscon sysfs /devices/platform/soc/c440000.spmi/spmi-0/0-00/c440000.spmi:pmic@0:rtc@6000 u:object_r:sysfs_rtc:s0
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
new file mode 100644
index 0000000..e783575
--- /dev/null
+++ b/sepolicy/hal_drm_default.te
@@ -0,0 +1,2 @@
+# audit2allow
+allow hal_drm_default vndbinder_device:chr_file rw_file_perms;
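Review bot: `allow hal_drm_default vndbinder_device:chr_file rw_file_perms;` hand-rolls half of what the core macro provides; hal_graphics_composer_default.te in this same commit uses `vndbinder_use(hal_graphics_composer_default)`, and this file should match it with `vndbinder_use(hal_drm_default)`. The macro also grants the binder interaction with vndservicemanager that opening /dev/vndbinder is pointless without, so the raw chr_file rule most likely leaves the HAL failing at the next step rather than fixing it. Using the macro also keeps this domain inside whatever neverallow boundaries core policy places around vndbinder users.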
diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..00f38cc
--- /dev/null
+++ b/sepolicy/hal_graphics_allocator_default.te
@@ -0,0 +1 @@
+gpu_access(hal_graphics_allocator_default)
diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te
new file mode 100644
index 0000000..40dbe25
--- /dev/null
+++ b/sepolicy/hal_graphics_composer.te
@@ -0,0 +1 @@
+gpu_access(hal_graphics_composer_server)
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..9c310f6
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,3 @@
+vndbinder_use(hal_graphics_composer_default)
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read };
diff --git a/sepolicy/hal_memtrack.te b/sepolicy/hal_memtrack.te
new file mode 100644
index 0000000..51bd527
--- /dev/null
+++ b/sepolicy/hal_memtrack.te
@@ -0,0 +1,4 @@
+# Memtrack reads proc/<pid>/cmdline to check if process is surfaceflinger.
+# Grant access if that's the case; don't log denials for other processes.
+allow hal_memtrack surfaceflinger:file read;
+dontaudit hal_memtrack { domain -surfaceflinger}:file read;
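Review bot: The set expression on the last line is missing its closing space, `{ domain -surfaceflinger}`; it parses, but every other rule in this commit writes sets as `{ a b }`, so it should read `dontaudit hal_memtrack { domain -surfaceflinger }:file read;`. The rules are attached to the hal_memtrack attribute rather than hal_memtrack_default, which is the convention for rules meant to apply to any implementation of the HAL, so that part looks intentional.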
diff --git a/sepolicy/hal_wifi_supplicant_default.te b/sepolicy/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..c657db5
--- /dev/null
+++ b/sepolicy/hal_wifi_supplicant_default.te
@@ -0,0 +1,6 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_wifi_supplicant no longer directly accesses wifi_data_file.
+typeattribute hal_wifi_supplicant_default data_between_core_and_vendor_violators;
+
+allow hal_wifi_supplicant_default wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant_default wifi_data_file:file create_file_perms;
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..46bfee5
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1,5 @@
+# audit2allow
+allow kernel device:chr_file { create setattr };
+allow kernel device:dir { add_name create write };
+allow kernel self:capability mknod;
+allow kernel vendor_file:file { open read };
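Review bot: `allow kernel vendor_file:file { open read };` omits getattr, so a later kernel that stats the firmware file before opening it will fail with a fresh denial; `r_file_perms` is the usual spelling for a read-only grant and avoids that. The `mknod` capability plus create/setattr on device chr_files and add_name/create/write on the device dir let the kernel domain populate /dev itself, which is presumably devtmpfs on this board but should be stated, since it is otherwise ueventd's job and a reviewer will flag it. A header such as `# devtmpfs creates /dev nodes in the kernel domain; firmware is loaded from /vendor/firmware via request_firmware` in place of `# audit2allow` would make both intentional rather than accidental.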
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..2e954bb
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,3 @@
+# audit2allow
+allow netd kernel:system module_request;
+allow netd self:capability sys_module;
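Review bot: `allow netd self:capability sys_module;` together with `allow netd kernel:system module_request;` lets the network daemon trigger kernel module loading by name, which is a large amount of kernel attack surface to hand to a process that parses network-facing configuration; a bug in netd or any of its callers then becomes a path to loading arbitrary modules from the vendor partition. Denials like these usually come from iptables/nftables asking for an `xt_*` or `nf_*` module that is not built in; the defensive fix is to build those modules into the kernel or have init load them at boot, and leave netd without CAP_SYS_MODULE. Core policy on newer releases may already reject this combination with a neverallow, so it is worth checking before this file is carried forward.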
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..775e964
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1 @@
+gpu_access(platform_app)
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..05c9e47
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1 @@
+gpu_access(priv_app)
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..17b66a8
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1 @@
+gpu_access(surfaceflinger)
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..4a85066
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1 @@
+gpu_access(system_app)
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..80957cc
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1 @@
+gpu_access(system_server)
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
new file mode 100644
index 0000000..322827a
--- /dev/null
+++ b/sepolicy/te_macros
@@ -0,0 +1,8 @@
+#####################################
+# gpu_access(client_domain)
+# Allow client_domain to communicate with the GPU
+define(`gpu_access', `
+allow $1 dri_device:dir { open read search };
+allow $1 sysfs_gpu:dir search;
+allow $1 sysfs_gpu:file { getattr open read };
+')
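Review bot: The macro header `# Allow client_domain to communicate with the GPU` overstates what the body grants: it only permits listing the dri_device directory and reading files under sysfs_gpu, while the actual device nodes (/dev/dri/card0 as graphics_device, /dev/dri/renderD128 as gpu_device per file_contexts) are not touched here. A comment that matches the rules keeps the macro from being mistaken for a full GPU grant when it is applied to broad sets like `appdomain -isolated_app`, e.g. `# Allow client_domain to enumerate /dev/dri and read the GPU sysfs node; access to the render/card device nodes comes from core graphics_device/gpu_device rules, not from this macro.` Consider also `r_dir_perms` for the dir rule so getattr on /dev/dri does not surface as the next denial.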