From f3f76788de70e73851fcfc59f9a5894311320822 Mon Sep 17 00:00:00 2001
From: Ziyan
Date: Sun, 24 Jan 2016 21:13:51 +0100
Subject: Add common sepolicy
Change-Id: Id08f4e07439763f6d5069dfbb82fab15648fd80e
---
 BoardConfigCommon.mk | 4 ++++
 sepolicy/file.te | 2 ++
 sepolicy/file_contexts | 10 ++++++++++
 sepolicy/init.te | 2 ++
 sepolicy/pvrsrvinit.te | 8 ++++++++
 sepolicy/system_server.te | 2 ++
 6 files changed, 28 insertions(+)
 create mode 100644 sepolicy/file.te
 create mode 100644 sepolicy/file_contexts
 create mode 100644 sepolicy/init.te
 create mode 100644 sepolicy/pvrsrvinit.te
 create mode 100644 sepolicy/system_server.te
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index a9983a6..6c6ef09 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -76,6 +76,10 @@ TARGET_BOOTANIMATION_PRELOAD := false
 TARGET_BOOTANIMATION_TEXTURE_CACHE := false
 TARGET_BOOTANIMATION_USE_RGB565 := true
+# SELinux
+BOARD_SEPOLICY_DIRS += \
+ $(OMAP4_NEXT_FOLDER)/sepolicy
+
 # Misc
 BOARD_USES_SECURE_SERVICES := true
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..c29f1df
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+# Hardware tunables
+type sysfs_hardware, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..08d1b38
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,10 @@
+# Device nodes
+/dev/tiler u:object_r:video_device:s0
+/dev/dsscomp u:object_r:graphics_device:s0
+
+# System binaries
+/system/bin/pvrsrvinit u:object_r:pvrsrvinit_exec:s0
+
+# Hardware tunables
+/sys/devices/platform/omapdss/manager0/cpr_coef -- u:object_r:sysfs_hardware:s0
+/sys/devices/platform/omapdss/manager0/cpr_enable -- u:object_r:sysfs_hardware:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..d269ef2
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,2 @@
+# Hardware tunables
+allow init sysfs_hardware:file rw_file_perms;
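Review bot: In sepolicy/file_contexts, `/dev/tiler` and `/dev/dsscomp` are labelled with the platform types `video_device` and `graphics_device`, so every domain the base policy already allows on those types can also open these OMAP driver nodes. The base policy is not visible in this patch, so it is worth checking which domains that covers. If only a few of them need the nodes, dedicated types declared in sepolicy/file.te with explicit allow rules would keep the exposure narrower. If the sharing is intended, a comment such as `# tiler/dsscomp deliberately share the platform video_device / graphics_device types` would record the decision.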
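Review bot: `allow init sysfs_hardware:file rw_file_perms;` in sepolicy/init.te, and the matching rule in sepolicy/system_server.te, grant read and write on a type with a generic name, while file_contexts attaches it only to the two omapdss `cpr_coef` and `cpr_enable` nodes. Any sysfs node given this label later becomes writable by both init and system_server without a further policy change. A comment naming the intended scope would help, for example `# omapdss manager0 cpr_coef / cpr_enable only; do not reuse this type for unrelated nodes`. If init only writes these values at boot, `w_file_perms` would be enough there, though that cannot be confirmed from this patch.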
diff --git a/sepolicy/pvrsrvinit.te b/sepolicy/pvrsrvinit.te
new file mode 100644
index 0000000..0a2a98e
--- /dev/null
+++ b/sepolicy/pvrsrvinit.te
@@ -0,0 +1,8 @@
+type pvrsrvinit, domain;
+type pvrsrvinit_exec, exec_type, file_type;
+
+init_daemon_domain(pvrsrvinit)
+
+allow pvrsrvinit gpu_device:chr_file rw_file_perms;
+allow pvrsrvinit kernel:system module_request;
+allow pvrsrvinit self:capability sys_module;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..24ff30f
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,2 @@
+# Hardware tunables
+allow system_server sysfs_hardware:file rw_file_perms;
-- cgit v1.1
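Review bot: `allow pvrsrvinit self:capability sys_module;` in sepolicy/pvrsrvinit.te lets this domain load kernel modules itself, which is among the strongest grants a daemon domain can hold, and the file has no comment explaining why it is needed. If the binary only triggers kernel auto-loading, `kernel:system module_request` may be sufficient on its own. If it loads one fixed module, doing that from init instead would let the capability be dropped. Neither can be confirmed from this patch. Please add a comment above the rule, for example `# pvrsrvinit loads the PowerVR services module at boot; drop sys_module if the module becomes built-in`, and check the rule against the neverallow rules of the target platform version.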