This is the first step to conquer the SELinux issues of Android-x86.
Just copy from build/target/board/generic/sepolicy/ and
build/target/board/generic_x86/sepolicy/ and remove unnecessary
emulator stuff.
ZIP_OPTIMIZATION_NO_INTEGRITY := true
DEVICE_MANIFEST_FILE := device/generic/common/manifest.xml
+
+BOARD_SEPOLICY_DIRS += device/generic/common/sepolicy \
+ system/bt/vendor_libs/linux/sepolicy \
--- /dev/null
+set_prop(adbd, ctl_mdnsd_prop);
--- /dev/null
+allow audioserver bootanim:binder call;
--- /dev/null
+allow bootanim self:process execmem;
+allow bootanim ashmem_device:chr_file execute;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit bootanim system_data_file:dir read;
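Review bot: `allow bootanim self:process execmem;` together with `allow bootanim ashmem_device:chr_file execute;` lets the boot animation map writable-and-executable memory, which gives up the W^X protection the base policy enforces for this domain; the same grants reappear for installd (the `execmem` line after the hunk at L77), surfaceflinger (L110-L111) and zygote (L121). These were presumably inherited from the emulator policy, where software rendering needs them, so the reason for keeping them on real x86 hardware should be recorded next to each rule, e.g. `# execmem/ashmem execute needed for <renderer> — TODO confirm still required off the emulator`. If only the software GL path needs them, consider gating the rules on the build variant that ships that renderer rather than granting unconditionally.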
--- /dev/null
+allow cameraserver system_file:dir { open read };
+allow cameraserver hal_allocator:fd use;
--- /dev/null
+allow domain cpuctl_device:dir search;
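Review bot: `allow domain cpuctl_device:dir search;` is granted to the `domain` attribute, i.e. every process on the system including untrusted app domains, while the processes that actually need to traverse the cpuctl directory are presumably a small set of system daemons. Directory search is low risk on its own, but an attribute-wide rule in a device policy tends to be copied forward and widened later; if the need can be traced to specific domains, a narrower rule such as `allow <domain> cpuctl_device:dir search;` per consumer keeps the device policy at least-privilege. A comment naming the denial that motivated the rule would help the next maintainer decide.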
--- /dev/null
+# ranchu
+/dev/block/vda u:object_r:system_block_device:s0
+/dev/block/vdb u:object_r:cache_block_device:s0
+/dev/block/vdc u:object_r:userdata_block_device:s0
+/dev/block/vdd u:object_r:metadata_block_device:s0
+/dev/block/vde u:object_r:system_block_device:s0
+
+/dev/ttyS0 u:object_r:console_device:s0
+
+/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+
+/vendor/lib(64)?/libEGL_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenglSystemCommon\.so u:object_r:same_process_hal_file:s0
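Review bot: The block-device section is still headed `# ranchu` and labels `/dev/block/vda`–`/dev/block/vde`, which are the emulator's virtio disks, even though the commit message says the emulator-specific parts were removed; on real x86 hardware those paths are unlikely to exist, and if a different device does appear under them it would inherit `system_block_device`/`userdata_block_device` labels it should not have. Either drop the section or replace the heading with the actual rationale for Android-x86, e.g. `# virtio block devices (VM / emulator boots only)`. The swiftshader and OpenglSystemCommon labels below it appear to be in the same situation and deserve the same note.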
--- /dev/null
+vndbinder_use(hal_camera_default);
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_camera_default, hal_graphics_composer)
--- /dev/null
+vndbinder_use(hal_cas_default);
--- /dev/null
+vndbinder_use(hal_drm_default);
+hal_client_domain(hal_drm_default, hal_graphics_composer)
--- /dev/null
+# define SELinux domain
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm mediacodec:fd use;
+allow hal_drm { appdomain -isolated_app }:fd use;
+
+vndbinder_use(hal_drm_widevine);
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
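Review bot: `allow hal_drm mediacodec:fd use;` and `allow hal_drm { appdomain -isolated_app }:fd use;` are written against the `hal_drm` attribute, so they apply to every DRM HAL server domain, not just the widevine domain this file defines; in a file named for `hal_drm_widevine` the narrower form `allow hal_drm_widevine mediacodec:fd use;` and `allow hal_drm_widevine { appdomain -isolated_app }:fd use;` keeps the grant tied to the one server that needs it. Separately, `hal_client_domain(hal_drm_widevine, hal_graphics_composer);` carries a trailing semicolon while the same macro at L48 and L52 does not; pick one form so the file reads consistently.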
--- /dev/null
+#============= hal_gnss_default ==============
+allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
+
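Review bot: `allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };` opens the vndbinder device by hand, whereas the other HAL domains in this commit (L41, L45, L47, L60) use `vndbinder_use(...)`; the same raw rule appears for hal_graphics_composer_default in the next section (L68). If these domains genuinely need vndbinder, `vndbinder_use(hal_gnss_default);` expresses that intent in one line and picks up whatever the macro grants beyond the device node; if they only need the device node for some other reason, a comment saying so would stop a later reader from "fixing" it. The `#=============` banner looks like audit2allow output, which is worth replacing with a sentence on why the access is needed.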
--- /dev/null
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
+
--- /dev/null
+allow healthd self:capability sys_nice;
--- /dev/null
+allow init tmpfs:lnk_file create_file_perms;
+dontaudit init kernel:system module_request;
+allow init tmpfs:lnk_file create_file_perms;
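Review bot: `allow init tmpfs:lnk_file create_file_perms;` appears twice in this file (L73 and L75); the second copy is redundant and should be deleted. `dontaudit init kernel:system module_request;` silences, rather than grants, init's module-load requests, so if Android-x86 relies on init loading kernel modules this will hide the failure instead of fixing it — worth a comment stating which is intended, e.g. `# init does not load modules on x86; suppress the noise only`.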
--- /dev/null
+allow installd self:process execmem;
--- /dev/null
+# See global logcat.te/logpersist.te, only set for eng & userdebug,
+# allow for all builds in a non-conflicting manner.
+
+domain_auto_trans(init, logcat_exec, logpersist)
+
+# Read from logd.
+unix_socket_connect(logpersist, logdr, logd)
+
+# Write to /dev/ttyS2 and /dev/ttyGF2.
+allow logpersist serial_device:chr_file { write open };
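Review bot: `domain_auto_trans(init, logcat_exec, logpersist)` plus `allow logpersist serial_device:chr_file { write open };` enable log persistence and logcat output to the serial console on every build variant, including user builds, where the global policy (as the comment notes) keeps logpersist to eng and userdebug; system logs routinely carry account, network and crash data, so writing them to a serial port on production images widens what a person with physical access to the port can read. Wrapping these rules in the `userdebug_or_eng()` m4 macro preserves the debugging convenience without changing user builds. The comment should also say which devices `/dev/ttyS2` and `/dev/ttyGF2` correspond to on x86 hardware, since ttyGF2 looks emulator-specific.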
--- /dev/null
+allow mediacodec system_file:dir { open read };
--- /dev/null
+dontaudit netd self:capability sys_module;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit netd kernel:system module_request;
--- /dev/null
+#TODO: b/62908025
+dontaudit priv_app firstboot_prop:file { getattr open };
+dontaudit priv_app device:dir { open read };
+dontaudit priv_app proc_interrupts:file { getattr open read };
+dontaudit priv_app proc_modules:file { getattr open read };
--- /dev/null
+type radio_noril_prop, property_type;
+type opengles_prop, property_type;
--- /dev/null
+ro.radio.noril u:object_r:radio_noril_prop:s0
+ro.opengles. u:object_r:opengles_prop:s0
--- /dev/null
+allow shell serial_device:chr_file rw_file_perms;
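Review bot: `allow shell serial_device:chr_file rw_file_perms;` gives the adb `shell` domain read and write access to every device labelled `serial_device`, including the console, on all builds; on a user image that means anyone with an authorized adb session can read the serial console and any other serial port. If the need is for developer access to the console, gate the rule with the `userdebug_or_eng()` macro, and record the intent in a comment such as `# developer access to the serial console; not for user builds`.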
--- /dev/null
+allow surfaceflinger self:process execmem;
+allow surfaceflinger ashmem_device:chr_file execute;
--- /dev/null
+get_prop(system_server, opengles_prop)
+get_prop(system_server, radio_noril_prop)
--- /dev/null
+dontaudit vold kernel:system module_request;
--- /dev/null
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+allow zygote self:process execmem;
+allow zygote self:capability sys_nice;