From a624fcd629546d838d938d444272ad6e5bf360cf Mon Sep 17 00:00:00 2001
From: Shwetha B
Date: Thu, 2 May 2024 14:05:01 +0530
Subject: [PATCH] Sepolicy for android_pm_tune script

Adding the required domain and rules for executing android_pm_tune script to obtain the power optimization during idle display conditions.
Tracked-On: OAM-123276
Signed-off-by: Shwetha B
---
 power/android_pm_tune.te | 37 +++++++++++++++++++++++++++++++++++++
 power/file_contexts | 2 ++
 power/shell.te | 1 +
 3 files changed, 40 insertions(+)
 create mode 100644 power/android_pm_tune.te
 create mode 100644 power/shell.te
diff --git a/power/android_pm_tune.te b/power/android_pm_tune.te
new file mode 100644
index 00000000..ad1bf45f
--- /dev/null
+++ b/power/android_pm_tune.te
@@ -0,0 +1,37 @@
+# Rules for android_pm_tune script
+type android_pm_tune, domain;
+type android_pm_tune_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(android_pm_tune)
+
+allow android_pm_tune proc_cmdline:file r_file_perms;
+allow android_pm_tune proc:file rw_file_perms;
+allow android_pm_tune proc:file {getattr};
+allow android_pm_tune sysfs:dir r_dir_perms;
+allow android_pm_tune sysfs:file rw_file_perms;
+#allow android_pm_tune sysfs:file {getattr open write};
+allow android_pm_tune sysfs_net:dir r_dir_perms;
+allow android_pm_tune sysfs_net:file rw_file_perms;
+allow android_pm_tune sysfs_net:file {getattr};
+allow android_pm_tune sysfs_app_readable:file rw_file_perms;
+allow android_pm_tune sysfs_app_readable:dir r_dir_perms;
+allow android_pm_tune sysfs_app_readable:file {getattr};
+allow android_pm_tune sysfs_gfx:file {getattr};
+
+allow android_pm_tune dbc_sysfs:file {getattr};
+allow android_pm_tune dbc_sysfs:dir r_dir_perms;
+allow android_pm_tune dbc_sysfs:file rw_file_perms;
+
+allow android_pm_tune sysfs_virtio:file rw_file_perms;
+
+allow android_pm_tune vendor_file:file rx_file_perms;
+allow android_pm_tune proc_cpuinfo:file r_file_perms;
+allow android_pm_tune vendor_toolbox_exec:file execute_no_trans;
+
+not_full_treble(`
+ allow android_pm_tune system_file:file rx_file_perms;
+ allow android_pm_tune shell_exec:file rx_file_perms;
+')
+full_treble_only(`
+ allow android_pm_tune vendor_shell_exec:file rx_file_perms;
+ allow android_pm_tune vendor_toolbox_exec:file rx_file_perms;
+')
diff --git a/power/file_contexts b/power/file_contexts
index c6cf2234..977a7a72 100644
--- a/power/file_contexts
+++ b/power/file_contexts
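Review bot: In power/android_pm_tune.te the rules `allow android_pm_tune sysfs:file rw_file_perms;` and `allow android_pm_tune proc:file rw_file_perms;` give an init-started domain write access to every node that still carries the generic `sysfs` or `proc` label, which is much broader than a power-tuning script should need. Label only the nodes the script actually writes with a dedicated type through genfs_contexts and grant write on that type instead, for example `allow android_pm_tune sysfs_pm_tune:file rw_file_perms;` (type name constructed here for illustration). The separate `{getattr}` rules on proc, sysfs_net, sysfs_app_readable and dbc_sysfs are already covered by the `rw_file_perms` grants on the same types and can be dropped, along with the commented-out sysfs rule. `allow android_pm_tune vendor_file:file rx_file_perms;` likewise lets the domain execute anything labelled `vendor_file`; if the script only runs the vendor shell and toolbox, the rules in the Treble blocks look sufficient.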
@@ -2,3 +2,5 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@[0-9]+.?[0-9]*-service u:object_r:hal_power_service_exec:s0
 # Power HAL helper
 (/system)?/vendor/bin/power_hal_helper u:object_r:power_hal_helper_exec:s0
+# android_power_tune
+(/system)?/vendor/bin/android_pm_tune.sh u:object_r:android_pm_tune_exec:s0
diff --git a/power/shell.te b/power/shell.te
new file mode 100644
index 00000000..9b85867f
--- /dev/null
+++ b/power/shell.te
@@ -0,0 +1 @@
+allow shell android_pm_tune_exec:file getattr;
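Review bot: The new power/file_contexts entry leaves the dot in `android_pm_tune.sh` unescaped, so the pattern matches any character in that position, whereas the hal_power_service entry in the same hunk escapes its dots. Write it as `(/system)?/vendor/bin/android_pm_tune\.sh u:object_r:android_pm_tune_exec:s0` so the exec label applies to exactly one path. The comment above it says `android_power_tune` while the script and type are named `android_pm_tune`; `# android_pm_tune script` would match.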
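Review bot: power/shell.te adds `allow shell android_pm_tune_exec:file getattr;` with no comment, and the commit message does not say why the shell domain needs to stat the script. Add a one-line comment stating the reason, for example `# shell lists /vendor/bin and stats android_pm_tune.sh` if that is the case. If the rule exists only to silence an audit denial, `dontaudit shell android_pm_tune_exec:file getattr;` would do that without widening the shell domain.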