From 4258135988051a50efa69a4ad8d8b6ffca273d50 Mon Sep 17 00:00:00 2001
From: Jason Macnak
Date: Thu, 24 Feb 2022 18:39:20 +0000
Subject: Remove sysfs_gpu type definition

... as it has moved to system/sepolicy.

Bug: b/161819018
Test: presubmit
Change-Id: I77afd0d7019e0ea0cc475de3817bc2c8e7fcd4bd
Merged-In: I77afd0d7019e0ea0cc475de3817bc2c8e7fcd4bd
---
 sepolicy/file.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sepolicy/file.te b/sepolicy/file.te
index e5a0bd1..b149497 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,4 +1,3 @@
-type sysfs_gpu, fs_type, sysfs_type;
 type sysfs_mss, fs_type, sysfs_type;
 type sysfs_rmtfs, fs_type, sysfs_type;
 type sysfs_remoteproc, fs_type, sysfs_type;
-- 
cgit v1.2.3

From 8c86e3763675f99cd63c6e30d2a951160ac456d8 Mon Sep 17 00:00:00 2001
From: Amit Pundir
Date: Mon, 28 Mar 2022 19:20:04 +0530
Subject: sepolicy: Fix rmtfs sysfs path for v5.18+ kernel versions

Upstream commit 63a4021fef47 ("arm64: dts: qcom: sdm845: rename memory@ nodes to more descriptive names") in v5.18 merge window broke selinux policies for rmtfs. So add the new path to fix those selinux denials on v5.18+ kernel versions

Signed-off-by: Amit Pundir
Change-Id: I9ad554fc2d5d3f3fbb66a1b9dd0dd46e62f9ff1d
---
 sepolicy/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index e8ddb12..2a50d9c 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -1,4 +1,5 @@
 genfscon sysfs /devices/platform/88f00000.memory/rmtfs u:object_r:sysfs_rmtfs:s0
+genfscon sysfs /devices/platform/88f00000.rmtfs/rmtfs u:object_r:sysfs_rmtfs:s0
 genfscon sysfs /devices/platform/remoteproc-adsp/remoteproc u:object_r:sysfs_remoteproc:s0
 genfscon sysfs /devices/platform/remoteproc-cdsp/remoteproc u:object_r:sysfs_remoteproc:s0
 genfscon sysfs /devices/platform/soc@0/4080000.remoteproc u:object_r:sysfs_remoteproc:s0
-- 
cgit v1.2.3

From a58e74ea0635d7547df58aec669fe45b56504df7 Mon Sep 17 00:00:00 2001
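Review bot: The added `88f00000.rmtfs/rmtfs` genfscon line sits directly beside the old `88f00000.memory/rmtfs` one with nothing in the file recording why two paths carry the same `sysfs_rmtfs` label, so a later cleanup cannot tell which kernel generations each line serves. A comment above the new line such as `# v5.18+: upstream 63a4021fef47 renamed the memory@ node; the 88f00000.memory line covers older kernels` would capture what the commit message says, and marks the older line as the one to retire once pre-5.18 kernels are no longer supported. Keeping both entries is the right call for now, since a genfscon entry whose path never appears on a given kernel simply goes unused.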
From: John Stultz
Date: Thu, 14 Apr 2022 23:17:14 +0000
Subject: dragonboard: sepolicy: Add sepolicy rules to fix problems seen adb remount overlays

When using adb remount/adb sync, I noticed some new sepolicy failures that prevented some things from working.

For instance, if I did adb remount right after flashing a device, on the next bootup I found that wifi would fail to work. This was due to sepolicy failures caused by the file accesses being on the overlayfs.

Similarly, when testing a new version of mesa via adb sync, I found surfaceflinger would fail to start, again due to new sepolicy failures

These sepolicy changes were suggested by audit2allow to fix the problems, and indeed I now have display and wifi working after adb remount/sync updates.

Signed-off-by: John Stultz
Change-Id: Ifd819cf34939d1e61b67d8b08c67ec9a2fadd110
---
 sepolicy/kernel.te | 6 +++++-
 sepolicy/surfaceflinger.te | 1 +
 sepolicy/system_server.te | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index 3fad122..176d6f6 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -2,6 +2,10 @@
 allow kernel device:chr_file { create setattr };
 allow kernel device:dir { add_name create write };
 allow kernel self:capability mknod;
-allow kernel vendor_file:file { open read };
+allow kernel vendor_file:file { open read getattr};
+allow kernel vendor_file:dir read;
 allow kernel self:system module_request;
 allow vendor_init kernel:system module_request;
+allow kernel sepolicy_file:file getattr;
+allow kernel system_bootstrap_lib_file:dir getattr;
+allow kernel system_bootstrap_lib_file:file getattr;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 17b66a8..9bffa3f 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1 +1,2 @@
 gpu_access(surfaceflinger)
+allow surfaceflinger vendor_file:dir read;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 80957cc..e801436 100644
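Review bot: The five new `allow kernel ...` rules in kernel.te are unconditional and carry no comment, yet the commit message says they were lifted from audit2allow output for an `adb remount`/overlayfs workflow, which is a userdebug/eng-only scenario; a reader of the policy later has no way to tell whether the kernel domain genuinely needs `getattr` on `sepolicy_file` and `system_bootstrap_lib_file` on user builds or only when those partitions are overlayfs-backed. A header comment above the added lines, `# getattr/read on system and vendor files is needed once /system and /vendor are overlayfs-backed after adb remount`, would record the reason, and if the accesses really only occur on debug builds the three `getattr` rules could be wrapped in the `userdebug_or_eng(...)` macro so the grant stays scoped to its cause. The same missing rationale applies to `allow surfaceflinger vendor_file:dir read;` in the surfaceflinger.te hunk and `allow system_server vendor_file:dir read;` in the system_server.te hunk, which gives two coredomain services directory-read access to vendor files for a reason that is no longer visible in the file. On style, `{ open read getattr}` drops the closing space used by every neighbouring rule; `{ open read getattr }` matches the file.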
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1 +1,3 @@
 gpu_access(system_server)
+allow system_server wifi_hal_prop:file {open read getattr map};
+allow system_server vendor_file:dir read;
-- 
cgit v1.2.3

From 974bda17ecbfa352ba51b57886784c69ee920119 Mon Sep 17 00:00:00 2001
From: Jason Macnak
Date: Thu, 24 Feb 2022 18:39:20 +0000
Subject: Remove sysfs_gpu type definition

... as it has moved to system/sepolicy.

Bug: b/161819018
Test: presubmit
Change-Id: I77afd0d7019e0ea0cc475de3817bc2c8e7fcd4bd
Merged-In: I77afd0d7019e0ea0cc475de3817bc2c8e7fcd4bd
---
 sepolicy/file.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sepolicy/file.te b/sepolicy/file.te
index e5a0bd1..b149497 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,4 +1,3 @@
-type sysfs_gpu, fs_type, sysfs_type;
 type sysfs_mss, fs_type, sysfs_type;
 type sysfs_rmtfs, fs_type, sysfs_type;
 type sysfs_remoteproc, fs_type, sysfs_type;
-- 
cgit v1.2.3
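Review bot: `allow system_server wifi_hal_prop:file {open read getattr map};` hand-writes a property read that Android policy normally expresses as `get_prop(system_server, wifi_hal_prop)`; the macro grants the read permissions as one unit and makes it obvious to the next reader that this is a property lookup rather than an arbitrary file access, which the raw `:file` rule obscures. Whether a coredomain service may read this vendor-side property type at all cannot be decided from the hunk, so the build-time neverallow checks in system/sepolicy remain the authority, but a short comment naming the property system_server actually needs (the commit message only says wifi broke after remount) would let a reviewer confirm the grant is minimal. The rule also uses `{open read getattr map}` without the inner spaces the rest of these policy files use, which the macro form avoids altogether.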