Move platform/vendor data violations to device policy
Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.
Bug: 34980020
Test: build
Change-Id: I0e9a7521f989ec76b4bb16dae887f7b39f61d923
diff --git a/sepolicy/hal_drm.te b/sepolicy/hal_drm.te
new file mode 100644
index 0000000..1bbb734
--- /dev/null
+++ b/sepolicy/hal_drm.te
@@ -0,0 +1,3 @@
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
diff --git a/sepolicy/hal_fingerprint.te b/sepolicy/hal_fingerprint.te
index a339bc7..dfb641e 100644
--- a/sepolicy/hal_fingerprint.te
+++ b/sepolicy/hal_fingerprint.te
@@ -17,3 +17,7 @@
# allow access to sysfs files
r_dir_file(hal_fingerprint, sysfs_type)
+
+# allow HAL module to read/write dir contents and read/write/unlink files
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
diff --git a/sepolicy/hal_nfc.te b/sepolicy/hal_nfc.te
new file mode 100644
index 0000000..664eaa9
--- /dev/null
+++ b/sepolicy/hal_nfc.te
@@ -0,0 +1,3 @@
+# Data file accesses.
+allow hal_nfc nfc_data_file:dir create_dir_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/sepolicy/hal_wifi_supplicant.te b/sepolicy/hal_wifi_supplicant.te
new file mode 100644
index 0000000..b1f24d8
--- /dev/null
+++ b/sepolicy/hal_wifi_supplicant.te
@@ -0,0 +1,6 @@
+allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te
new file mode 100644
index 0000000..15064a0
--- /dev/null
+++ b/sepolicy/hostapd.te
@@ -0,0 +1,9 @@
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms;
