authorLinux Build Service Account <lnxbuild@localhost>2016-11-08 22:22:58 -0700
committerLinux Build Service Account <lnxbuild@localhost>2016-11-08 22:22:58 -0700
commit29557544813ec0be812198dba792dd7ff96f8173 (patch)
tree9eebe9cbd5a315f172df2b91bc0b9603a769d7c7
parent5eb5683f150f0c23c44f00ada28426fc4b857e55 (diff)
parentdf68f0e886ca8e6b47be840dd19fc6f89b095046 (diff)
downloadandroid_device_qcom_sepolicy-29557544813ec0be812198dba792dd7ff96f8173.tar.gz
android_device_qcom_sepolicy-29557544813ec0be812198dba792dd7ff96f8173.tar.bz2
android_device_qcom_sepolicy-29557544813ec0be812198dba792dd7ff96f8173.zip
Promotion of sepolicy.lnx.2.0-00045.
CRs Change ID Subject -------------------------------------------------------------------------------------------------------------- 1057865 If4acfc4a04ce6c937736e8eaf5cd3bd00591c300 sepolicy: Update the rmt_stroage and rfs_access policies 989495 Iabebff204aa57504bdd39a18f67c4065b8b4678d sepolicy: secure_touch: enable secure touch for qseecomd 1082124 Ic712c5e51f67ca035020420ae529beb9cf168672 device: sepolicy: Fix MDTP device support for msmcobalt. Change-Id: I8ccbfca5a5a5fa6db202280f163b2e0875fe009a CRs-Fixed: 989495, 1057865, 1082124
-rw-r--r--common/file.te3
-rw-r--r--common/init_shell.te3
-rw-r--r--common/qseecomd.te3
-rw-r--r--common/rfs_access.te1
-rw-r--r--common/rmt_storage.te2
-rw-r--r--msmcobalt/file_contexts7
6 files changed, 16 insertions, 3 deletions
diff --git a/common/file.te b/common/file.te
index 2d31a6d4..b2290e7e 100644
--- a/common/file.te
+++ b/common/file.te
@@ -206,3 +206,6 @@ type persist_time_file, file_type;
# kgsl file type for sysfs access
type sysfs_kgsl, sysfs_type, fs_type;
+
+# secure touch files
+type sysfs_securetouch, fs_type, sysfs_type;
diff --git a/common/init_shell.te b/common/init_shell.te
index 487caf05..22dc2769 100644
--- a/common/init_shell.te
+++ b/common/init_shell.te
@@ -160,6 +160,9 @@ allow qti_init_shell kernel:key search;
# To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio
allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr };
+# To change owner/permissions of secure touch sysfs files
+r_dir_file(qti_init_shell, sysfs_securetouch)
+
# core-ctl
allow qti_init_shell cgroup:dir add_name;
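Review bot: The comment on the added rule says the shell changes owner/permissions of the secure touch sysfs files, but `r_dir_file(qti_init_shell, sysfs_securetouch)` grants read-only access and no `setattr`. The rule just above it for `sysfs_hsic_modem_wait` uses `{ r_file_perms setattr }` for the same stated purpose. If chown/chmod is really intended, the rule would need to be `allow qti_init_shell sysfs_securetouch:file { r_file_perms setattr };`. If read access is all that is needed, the comment should say so, e.g. `# Read access to secure touch sysfs files`.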
diff --git a/common/qseecomd.te b/common/qseecomd.te
index a2118202..8e2f8955 100644
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -47,6 +47,9 @@ allow tee time_daemon:unix_stream_socket connectto;
allow tee graphics_device:dir r_dir_perms;
allow tee graphics_device:chr_file r_file_perms;
+#allow tee access for secure touch to work
+allow tee sysfs_securetouch:file rw_file_perms;
+
allow tee surfaceflinger_service : service_manager find;
binder_call(tee, surfaceflinger)
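Review bot: The `tee` read/write rule is added to common policy, but the only label for `sysfs_securetouch` visible in this commit is the msmcobalt `file_contexts` entry, so on other targets the rule appears to match nothing unless their nodes are labelled elsewhere. The comment could record that dependency, e.g. `# tee needs read/write on the secure touch sysfs nodes (labelled per target in file_contexts)`. Restricting the grant to class `file`, as done here, keeps the write access off the surrounding sysfs directories.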
diff --git a/common/rfs_access.te b/common/rfs_access.te
index 318fffc1..629f9e46 100644
--- a/common/rfs_access.te
+++ b/common/rfs_access.te
@@ -54,7 +54,6 @@ allow rfs_access self:capability {
setgid
setpcap
net_bind_service
- net_raw
};
# RFS UID and GIDs were changed and moved from old values to new ones OEM range.
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
index f043becc..56f6f928 100644
--- a/common/rmt_storage.te
+++ b/common/rmt_storage.te
@@ -17,9 +17,7 @@ allow rmt_storage self:capability {
setuid
setgid
sys_admin
- dac_override
net_bind_service
- net_raw
setpcap
};
diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts
index a63b3c3a..a3dde719 100644
--- a/msmcobalt/file_contexts
+++ b/msmcobalt/file_contexts
@@ -43,6 +43,8 @@
/dev/block/platform/soc/1da4000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc/1da4000.ufshc/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/soc/1da4000.ufshc/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/mdtp u:object_r:mdtp_device:s0
+/dev/block/platform/soc/1da4000.ufshc/by-name/dip u:object_r:dip_device:s0
#rawdump partition
/dev/block/platform/soc/1da4000.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0
@@ -65,3 +67,8 @@
##################################
# FBE
/system/bin/init.qcom.qseecomd.sh u:object_r:init-qcom-fbe-sh_exec:s0
+
+###################################
+# sysfs files
+#
+/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0
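Review bot: The new sysfs entry matches a single digit only (`input[0-9]`), so if the touch controller ever enumerates as input10 or higher, the node would keep its default sysfs label and the `tee` rule added in common/qseecomd.te would not apply to it. Writing the component as `input[0-9]+` covers that case. The unescaped `.` in `75ba000.i2c` matches any character; `75ba000\.i2c` is stricter, although the existing block-device entries in this file use the same unescaped form.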