sepolicy: cleanup move to minimal sepolicy custom source

- cleanup and not required sepolicy causing issues
- Structured the clo way

[Co-author commit included in squash]
- include github.com/ahnet-69/hardware_sony/commit/568a6c97df1b7917c7bf213fea89da9be306b01f

Co-authored-by: adithya2306 <[email protected]>
Signed-off-by: hpnightowl <[email protected]>

P404Sepolicy.mk

@@ -0,0 +1,13 @@
+#
+# This policy configuration will be used by all qcom products
+# that inherit from 404
+#
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
+    device/404/sepolicy/private
+
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
+    device/404/sepolicy/public
+
+BOARD_VENDOR_SEPOLICY_DIRS += \
+    device/404/sepolicy/vendor

private/appdomain.te

@@ -0,0 +1 @@
+get_prop(appdomain, pih_disable_prop)

private/bootanim.te

@@ -0,0 +1,3 @@
+# Allow bootanimation to call mediametrics.
+allow bootanim mediametrics_service:service_manager find;
+binder_call(bootanim, mediametrics)

private/genfs_contexts

@@ -0,0 +1,8 @@
+# Dirty writeback tunables
+genfscon proc /sys/vm/dirty_background_bytes u:object_r:proc_dirty:s0
+#genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_bytes u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_ratio u:object_r:proc_dirty:s0
+#genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_writeback_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirtytime_expire_seconds u:object_r:proc_dirty:s0

private/platform_app.te

@@ -0,0 +1 @@
+binder_use(platform_app)

private/property.te

@@ -0,0 +1,5 @@
+# PIHooks
+system_public_prop(pih_disable_prop)
+
+# Tethering
+system_internal_prop(device_config_tethering_prop)

private/property_contexts

@@ -0,0 +1,5 @@
+# PIHooks
+persist.sys.pihooks.disable.            u:object_r:pih_disable_prop:s0
+
+# Tethering
+persist.device_config.tethering.        u:object_r:device_config_tethering_prop:s0

private/shell.te

@@ -0,0 +1,5 @@
+# Allow shell to get LMKD's stats
+get_prop(shell, system_lmk_prop)
+
+# Allow shell to disable PIHooks
+set_prop(shell, pih_disable_prop)

private/system_server.te

@@ -0,0 +1,5 @@
+# Set tethering properties
+set_prop(system_server, device_config_tethering_prop)
+
+# CachedAppOptimizer
+allow system_server zygote_tmpfs:file rw_file_perms;

common/private/update_engine.te → private/update_engine.te

@@ -1,13 +1,9 @@
 # Allow update_engine to call the callback function provided by updater_app
-binder_call(update_engine, updater_app)
+binder_call(update_engine, hub_app)
 
 # Read updates from storage data
 r_dir_file(update_engine, mnt_user_file)
 r_dir_file(update_engine, storage_file)
 
 # Allow mount and unmount of system partition
 allow update_engine labeledfs:filesystem { mount unmount };
-
-# Allow transition to backuptool domain
-allow update_engine self:process setexec;
-domain_trans(update_engine, otapreopt_chroot_exec, backuptool)

public/file.te

@@ -0,0 +1,2 @@
+# Fastcharge
+type sysfs_fastcharge, sysfs_type, fs_type;

public/te_macros

@@ -0,0 +1,17 @@
+#####################################
+# rw_dir_file(domain, type)
+# Allow the specified domain to read directories and read/write files
+# and symbolic links of the specified type.
+define(`rw_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } rw_file_perms;
+')
+
+#####################################
+# create_dir_file(domain, type)
+# Allow the specified domain to read directories and create files
+# and symbolic links of the specified type.
+define(`create_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } create_file_perms;
+')