sepolicy: Import missing TurboAdapter type

common/dynamic/flipendo.te

@@ -0,0 +1,25 @@
+type flipendo, domain, coredomain;
+app_domain(flipendo)
+
+# HwBinder IPC from client to flipendo
+binder_call(hal_power_client, flipendo)
+
+# HwBinder IPC from flipendo to statsd
+binder_call(flipendo, statsd)
+
+# HwBinder IPC from flipendo to gpuservice, and callbacks
+binder_call(gpuservice, flipendo)
+binder_call(flipendo, gpuservice)
+
+# HwBinder IPC from stats_service_server to flipendo, and callbacks
+binder_call(stats_service_server, flipendo)
+binder_call(flipendo, stats_service_server)
+
+# Allow flipendo to find app_api_service
+allow flipendo app_api_service:service_manager find;
+
+# Allow flipendo to find fwk_stats_hwservice
+allow flipendo fwk_stats_hwservice:hwservice_manager find;
+
+# Allow flipendo to find color_display_service
+allow flipendo color_display_service:service_manager find;

common/dynamic/hwservice.te

@@ -4,3 +4,6 @@ type hal_lineage_livedisplay_hwservice, hwservice_manager_type;
 type hal_lineage_powershare_hwservice, hwservice_manager_type;
 type hal_lineage_touch_hwservice, hwservice_manager_type;
 type hal_lineage_trust_hwservice, hwservice_manager_type;
+
+# TurboAdapter
+type hal_turbo_adapter_hwservice, hwservice_manager_type;

common/dynamic/seapp_contexts

@@ -0,0 +1,2 @@
+user=_app seinfo=platform name=com.google.android.flipendo domain=flipendo type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.google.android.turboadapter domain=turbo_adapter type=app_data_file levelFrom=all

common/dynamic/turbo_adapter.te

@@ -0,0 +1,10 @@
+# Normal platform_apps cannot access PowerHAL, so we need to define our own domain. Unfortunately
+# this means that TurboAdapter doesn't get the platform_app permissions any more, so we need to
+# list everything that it needs here.
+
+type turbo_adapter, domain, coredomain;
+
+app_domain(turbo_adapter)
+
+# To use ServiceManager
+allow turbo_adapter app_api_service:service_manager find;

common/dynamic_extra/flipendo.te

@@ -0,0 +1,2 @@
+# Access to PowerHal service
+hal_client_domain(flipendo, hal_power);

common/dynamic_extra/turbo_adapter.te

@@ -0,0 +1,2 @@
+# To find and call hal_power_default so turbo can obtain the service extension (IPowerExt)
+hal_client_domain(turbo_adapter, hal_power)

common/private/appdomain.te

@@ -1 +1,3 @@
 get_prop(appdomain, vendor_persist_camera_prop)
+
+allow appdomain zygote:unix_stream_socket getopt;

common/private/file_contexts

@@ -5,7 +5,7 @@
 /system/bin/mkfs\.ntfs                  u:object_r:mkfs_exec:s0
 
 # OTA packages
-/data/lineageos_updates(/.*)?           u:object_r:ota_package_file:s0
+/data/havoc_updates(/.*)?             u:object_r:ota_package_file:s0
 
 # Postinstall
 /system/bin/backuptool_ab\.functions              u:object_r:otapreopt_chroot_exec:s0

common/private/platform_app.te

@@ -9,3 +9,10 @@ hal_client_domain(platform_app, hal_lineage_livedisplay)
 
 # Allow PowerShare HAL service to be found
 hal_client_domain(platform_app, hal_lineage_powershare)
+
+# Allow Touch HAL service to be found
+hal_client_domain(platform_app, hal_lineage_touch)
+
+# allow systemui to set boot animation colors
+get_prop(platform_app, bootanim_system_prop)
+set_prop(platform_app, bootanim_system_prop)

common/private/property_contexts

@@ -1,6 +1,7 @@
 # Aux camera
 vendor.camera.aux.packageexcludelist   u:object_r:vendor_persist_camera_prop:s0
 vendor.camera.aux.packagelist          u:object_r:vendor_persist_camera_prop:s0
+vendor.camera.skip_unconfigure.packagelist  u:object_r:vendor_persist_camera_prop:s0
 
 # Bluetooth
 bluetooth.hci.disabled_commands        u:object_r:bluetooth_config_prop:s0
@@ -14,5 +15,11 @@ ro.minui.default_touch_rotation        u:object_r:recovery_config_prop:s0
 # Recovery update
 persist.vendor.recovery_update         u:object_r:recovery_update_prop:s0
 
+# Themed Bootanimation dynamic colors
+persist.bootanim.color1     u:object_r:bootanim_system_prop:s0
+persist.bootanim.color2     u:object_r:bootanim_system_prop:s0
+persist.bootanim.color3     u:object_r:bootanim_system_prop:s0
+persist.bootanim.color4     u:object_r:bootanim_system_prop:s0
+
 # xtra-daemon control
 persist.sys.xtra-daemon.enabled        u:object_r:xtra_control_prop:s0 exact bool

common/private/seapp_contexts

@@ -1 +1 @@
-user=_app isPrivApp=true seinfo=platform name=org.lineageos.updater domain=updater_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=com.havoc.updater domain=updater_app type=app_data_file levelFrom=user

common/private/service.te

@@ -1,4 +1,5 @@
 type adbroot_service,                   service_manager_type;
+type app_lock_service, system_api_service, system_server_service, service_manager_type;
 type lineage_hardware_service, system_api_service, system_server_service, service_manager_type;
 type lineage_health_interface_service, system_api_service, system_server_service, service_manager_type;
 type lineage_globalactions_service, system_api_service, system_server_service, service_manager_type;

common/private/service_contexts

@@ -6,3 +6,4 @@ lineagetrust                              u:object_r:lineage_trust_service:s0
 profile                                   u:object_r:lineage_profile_service:s0
 
 adbroot_service                           u:object_r:adbroot_service:s0
+app_lock                                  u:object_r:app_lock_service:s0

common/private/system_server.te

@@ -2,6 +2,8 @@ allow system_server storage_stub_file:dir getattr;
 
 allow system_server adbroot_service:service_manager find;
 
+add_service(system_server, app_lock_service);
+
 # Use HALs
 hal_client_domain(system_server, hal_lineage_fastcharge)
 hal_client_domain(system_server, hal_lineage_health)

common/private/uncrypt.te

@@ -0,0 +1,5 @@
+allow uncrypt cache_file:dir rw_dir_perms;
+allow uncrypt cache_file:file create_file_perms;
+
+# OTA with encrypted f2fs
+allow uncrypt self:capability sys_admin;

common/private/updater_app.te

@@ -19,6 +19,9 @@ allow updater_app cache_file:dir r_dir_perms;
 allow updater_app cache_recovery_file:dir rw_dir_perms;
 allow updater_app cache_recovery_file:file create_file_perms;
 
+allow updater_app system_data_file:dir r_dir_perms;
+allow updater_app user_profile_root_file:dir r_dir_perms;
+
 allow updater_app ota_package_file:dir create_dir_perms;
 allow updater_app ota_package_file:file create_file_perms;
 

common/sepolicy.mk

@@ -25,9 +25,15 @@ ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
     device/lineage/sepolicy/common/dynamic \
     device/lineage/sepolicy/common/system
+
+ifneq ($(TARGET_HAL_POWER_RW_INPUT_DEVICE), true)
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
+    device/lineage/sepolicy/common/dynamic_extra
+endif
 else
 BOARD_VENDOR_SEPOLICY_DIRS += \
     device/lineage/sepolicy/common/dynamic \
+    device/lineage/sepolicy/common/dynamic_extra \
     device/lineage/sepolicy/common/vendor
 endif
 

common/vendor/hwservice_contexts

@@ -0,0 +1 @@
+vendor.google.google_battery::IGoogleBattery    u:object_r:hal_turbo_adapter_hwservice:s0

common/vendor/platform_app.te

@@ -0,0 +1 @@
+allow platform_app hal_turbo_adapter_hwservice:hwservice_manager find;

qcom/dynamic/system_server.te

@@ -0,0 +1 @@
+allow system_server sysfs_battery_supply:file rw_file_perms;

qcom/vendor/platform_app.te

@@ -0,0 +1,3 @@
+# Allow FPS access to system
+allow platform_app sysfs_graphics:dir search;
+allow platform_app sysfs_graphics:file r_file_perms;