From: Jan Altensen <info@stricted.net>
Date: Sun, 18 Oct 2020 11:38:56 +0000 (+0200)
Subject: mobicore: split into legacy and treble folders
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c65590b7211ca033191f8808944e13d2fab2b730;p=GitHub%2FLineageOS%2Fandroid_device_samsung_slsi_sepolicy.git

mobicore: split into legacy and treble folders

Change-Id: I44bdbc49944be89314f1f96d8a2c1c9fb58e1352
(cherry picked from commit 15a5fc063c5f37847cdc6e631e0deaeba28efbd7)
---

diff --git a/sepolicy.mk b/sepolicy.mk
index 68644a6..09305d6 100644
--- a/sepolicy.mk
+++ b/sepolicy.mk
@@ -18,6 +18,19 @@ BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
 BOARD_SEPOLICY_DIRS += \
     device/samsung_slsi/sepolicy/tee/teegris/vendor
 else ifeq ($(BOARD_SEPOLICY_TEE_FLAVOR),mobicore)
+POLICY_TYPE := legacy
+# a device might not set the shipping api level
+# check if its empty to avoid erroring out in the next if
+ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
+$(warning no product shipping level defined, defaulting to legacy policy)
+# devices launched with oreo or later should be treble
+else ifneq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)
+POLICY_TYPE := treble
+endif
+
+BOARD_SEPOLICY_DIRS += \
+    device/samsung_slsi/sepolicy/tee/mobicore/$(POLICY_TYPE)
+
 BOARD_SEPOLICY_DIRS += \
-    device/samsung_slsi/sepolicy/tee/mobicore
+    device/samsung_slsi/sepolicy/tee/mobicore/common
 endif
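Review bot: When PRODUCT_SHIPPING_API_LEVEL is unset the build falls back to `POLICY_TYPE := legacy`, which is the broader of the two variants (legacy/tee.te adds `set_prop(tee, system_prop)`), so the `$(warning …)` on the new line is the only signal a Treble device gets that it is shipping the wider policy. The message should name the variable and the remedy so the reader knows what to set: `$(warning PRODUCT_SHIPPING_API_LEVEL is not set, defaulting to legacy mobicore sepolicy; set it to select the treble policy)`. The preceding comment has a small typo, "its empty" should read "it's empty". The enclosing `ifeq ($(BOARD_SEPOLICY_TEE_FLAVOR),…)` chain begins before this hunk.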
diff --git a/tee/mobicore/common/file.te b/tee/mobicore/common/file.te
new file mode 100644
index 0000000..b6898fd
--- /dev/null
+++ b/tee/mobicore/common/file.te
@@ -0,0 +1,2 @@
+type mobicore_vendor_data_file, file_type, data_file_type;
+type mobicore_data_file, file_type, core_data_file_type, data_file_type;
diff --git a/tee/mobicore/common/file_contexts b/tee/mobicore/common/file_contexts
new file mode 100644
index 0000000..0a339be
--- /dev/null
+++ b/tee/mobicore/common/file_contexts
@@ -0,0 +1,3 @@
+/dev/mobicore                                u:object_r:tee_device:s0
+/dev/mobicore-user                           u:object_r:tee_device:s0
+/dev/t-base-tui                              u:object_r:tee_device:s0
diff --git a/tee/mobicore/common/hal_fingerprint_default.te b/tee/mobicore/common/hal_fingerprint_default.te
new file mode 100644
index 0000000..ceb8aa4
--- /dev/null
+++ b/tee/mobicore/common/hal_fingerprint_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/common/hal_gatekeeper_default.te b/tee/mobicore/common/hal_gatekeeper_default.te
new file mode 100644
index 0000000..c63173c
--- /dev/null
+++ b/tee/mobicore/common/hal_gatekeeper_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/common/hal_keymaster_default.te b/tee/mobicore/common/hal_keymaster_default.te
new file mode 100644
index 0000000..357775b
--- /dev/null
+++ b/tee/mobicore/common/hal_keymaster_default.te
@@ -0,0 +1 @@
+get_prop(hal_keymaster_default, tee_prop)
diff --git a/tee/mobicore/common/property.te b/tee/mobicore/common/property.te
new file mode 100644
index 0000000..183c2a5
--- /dev/null
+++ b/tee/mobicore/common/property.te
@@ -0,0 +1 @@
+type tee_prop, property_type;
diff --git a/tee/mobicore/common/tee.te b/tee/mobicore/common/tee.te
new file mode 100644
index 0000000..40359c6
--- /dev/null
+++ b/tee/mobicore/common/tee.te
@@ -0,0 +1,15 @@
+allow tee efs_file:dir { search getattr };
+allow tee efs_file:file r_file_perms;
+allow tee gatekeeper_efs_file:dir r_dir_perms;
+allow tee gatekeeper_efs_file:file r_file_perms;
+allow tee init:unix_stream_socket connectto;
+allow tee property_socket:sock_file write;
+allow tee prov_efs_file:dir search;
+
+set_prop(tee, tee_prop)
+
+# /dev/t-base-tui
+allow tee tee_device:chr_file r_file_perms;
+
+allow tee mobicore_vendor_data_file:dir r_dir_perms;
+allow tee mobicore_vendor_data_file:file rw_file_perms;
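Review bot: The rules `allow tee init:unix_stream_socket connectto;` and `allow tee property_socket:sock_file write;` appear redundant with the new `set_prop(tee, tee_prop)` line, since in AOSP te_macros set_prop expands through unix_socket_connect(tee, property, init), which grants exactly those two permissions; dropping the explicit lines leaves the macro as the single source of the property-socket access. The `# /dev/t-base-tui` comment above `allow tee tee_device:chr_file r_file_perms;` understates the grant: common/file_contexts labels /dev/mobicore, /dev/mobicore-user and /dev/t-base-tui all as tee_device, so the rule covers all three nodes. Suggest `# tee_device covers /dev/mobicore, /dev/mobicore-user and /dev/t-base-tui (one label)`. The same label-vs-comment mismatch is present in common/hal_fingerprint_default.te and common/hal_gatekeeper_default.te.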
diff --git a/tee/mobicore/file.te b/tee/mobicore/file.te
deleted file mode 100644
index b6898fd..0000000
--- a/tee/mobicore/file.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type mobicore_vendor_data_file, file_type, data_file_type;
-type mobicore_data_file, file_type, core_data_file_type, data_file_type;
diff --git a/tee/mobicore/file_contexts b/tee/mobicore/file_contexts
deleted file mode 100644
index 0a339be..0000000
--- a/tee/mobicore/file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-/dev/mobicore                                u:object_r:tee_device:s0
-/dev/mobicore-user                           u:object_r:tee_device:s0
-/dev/t-base-tui                              u:object_r:tee_device:s0
diff --git a/tee/mobicore/hal_fingerprint_default.te b/tee/mobicore/hal_fingerprint_default.te
deleted file mode 100644
index ceb8aa4..0000000
--- a/tee/mobicore/hal_fingerprint_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mobicore-user
-allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/hal_gatekeeper_default.te b/tee/mobicore/hal_gatekeeper_default.te
deleted file mode 100644
index c63173c..0000000
--- a/tee/mobicore/hal_gatekeeper_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mobicore-user
-allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/hal_keymaster_default.te b/tee/mobicore/hal_keymaster_default.te
deleted file mode 100644
index 357775b..0000000
--- a/tee/mobicore/hal_keymaster_default.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(hal_keymaster_default, tee_prop)
diff --git a/tee/mobicore/init.te b/tee/mobicore/init.te
deleted file mode 100644
index d32233d..0000000
--- a/tee/mobicore/init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mobicore, /dev/t-base-tui
-allow init tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/legacy/init.te b/tee/mobicore/legacy/init.te
new file mode 100644
index 0000000..d32233d
--- /dev/null
+++ b/tee/mobicore/legacy/init.te
@@ -0,0 +1,2 @@
+# /dev/mobicore, /dev/t-base-tui
+allow init tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/legacy/property_contexts b/tee/mobicore/legacy/property_contexts
new file mode 100644
index 0000000..d9bae11
--- /dev/null
+++ b/tee/mobicore/legacy/property_contexts
@@ -0,0 +1 @@
+sys.mobicoredaemon.enable           u:object_r:tee_prop:s0
diff --git a/tee/mobicore/legacy/tee.te b/tee/mobicore/legacy/tee.te
new file mode 100644
index 0000000..df22691
--- /dev/null
+++ b/tee/mobicore/legacy/tee.te
@@ -0,0 +1 @@
+set_prop(tee, system_prop)
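Review bot: `set_prop(tee, system_prop)` lets the TEE daemon set every property carrying the system_prop label, and the file gives no hint which property still needs it: sys.mobicoredaemon.enable is already labeled tee_prop in legacy/property_contexts, so the remaining system_prop dependency is not visible from this change. Presumably the macro is also slightly wider than the `allow tee system_prop:property_service set;` it replaces, since set_prop additionally expands get_prop and the socket rules — worth confirming that is intended. A one-line comment naming the property would make the grant reviewable, e.g. `# pre-26 devices: <property still labeled system_prop — TODO name it> is set by the daemon`, and if no such property exists the rule can be dropped.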
diff --git a/tee/mobicore/legacy/vendor_init.te b/tee/mobicore/legacy/vendor_init.te
new file mode 100644
index 0000000..57f9235
--- /dev/null
+++ b/tee/mobicore/legacy/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init mobicore_data_file:dir setattr;
diff --git a/tee/mobicore/property.te b/tee/mobicore/property.te
deleted file mode 100644
index 183c2a5..0000000
--- a/tee/mobicore/property.te
+++ /dev/null
@@ -1 +0,0 @@
-type tee_prop, property_type;
diff --git a/tee/mobicore/property_contexts b/tee/mobicore/property_contexts
deleted file mode 100644
index fb62b98..0000000
--- a/tee/mobicore/property_contexts
+++ /dev/null
@@ -1 +0,0 @@
-sys.mobicoredaemon.enable      u:object_r:tee_prop:s0
diff --git a/tee/mobicore/tee.te b/tee/mobicore/tee.te
deleted file mode 100644
index 667c8be..0000000
--- a/tee/mobicore/tee.te
+++ /dev/null
@@ -1,15 +0,0 @@
-allow tee efs_file:dir { search getattr };
-allow tee efs_file:file r_file_perms;
-allow tee gatekeeper_efs_file:dir r_dir_perms;
-allow tee gatekeeper_efs_file:file r_file_perms;
-allow tee init:unix_stream_socket connectto;
-allow tee property_socket:sock_file write;
-allow tee prov_efs_file:dir search;
-allow tee system_prop:property_service set;
-allow tee tee_prop:property_service set;
-
-# /dev/t-base-tui
-allow tee tee_device:chr_file r_file_perms;
-
-allow tee mobicore_vendor_data_file:dir r_dir_perms;
-allow tee mobicore_vendor_data_file:file rw_file_perms;
diff --git a/tee/mobicore/treble/property_contexts b/tee/mobicore/treble/property_contexts
new file mode 100644
index 0000000..618c059
--- /dev/null
+++ b/tee/mobicore/treble/property_contexts
@@ -0,0 +1 @@
+vendor.sys.mobicoredaemon.enable    u:object_r:tee_prop:s0
diff --git a/tee/mobicore/vendor_init.te b/tee/mobicore/vendor_init.te
deleted file mode 100644
index 57f9235..0000000
--- a/tee/mobicore/vendor_init.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vendor_init mobicore_data_file:dir setattr;