authorJeff Vander Stoep <jeffv@google.com>2017-11-10 16:48:47 +0000
committerandroid-build-merger <android-build-merger@google.com>2017-11-10 16:48:47 +0000
commitc0cda38e6aa5ef3e08ea728573306179aefb6798 (patch)
tree6f80b3e0807589b3142ab7eb15d0c56737c3e181
parent979d0ed4eaf3b40657d0909096ce77f7f2c0e288 (diff)
parent70fa655659654209a6b31c841f8bdd03a1089d43 (diff)
Move platform/vendor data violations to device policy
am: 70fa655659 Change-Id: I2e79b2dd68ae0184802cd7a493c1a1dbadbf2f6b
-rw-r--r--sepolicy/hal_drm.te3
-rw-r--r--sepolicy/hal_nfc.te3
-rw-r--r--sepolicy/hal_wifi_supplicant.te6
-rw-r--r--sepolicy/hostapd.te9
4 files changed, 21 insertions, 0 deletions
diff --git a/sepolicy/hal_drm.te b/sepolicy/hal_drm.te
new file mode 100644
index 0000000..1bbb734
--- /dev/null
+++ b/sepolicy/hal_drm.te
@@ -0,0 +1,3 @@
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
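Review bot: The comment at the top of hal_drm.te names app_data, but the two rules below it only cover `media_data_file`, so the comment promises more access than the policy grants. I would reword it to `# hal_drm creates and modifies directories and files labelled media_data_file.` Going by the commit title these rules are platform-data accesses carried as known violations, yet neither this file nor hal_nfc.te, hal_wifi_supplicant.te or hostapd.te says so. A one-line `# TODO: platform/vendor data violation, remove once the data moves to a vendor-owned type` in each would keep the grants from looking permanent.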
diff --git a/sepolicy/hal_nfc.te b/sepolicy/hal_nfc.te
new file mode 100644
index 0000000..664eaa9
--- /dev/null
+++ b/sepolicy/hal_nfc.te
@@ -0,0 +1,3 @@
+# Data file accesses.
+allow hal_nfc nfc_data_file:dir create_dir_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
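Review bot: The second rule in hal_nfc.te gives `create_file_perms` on `lnk_file` and `fifo_file` as well as `file`, and the comment `# Data file accesses.` does not say what needs symlinks or FIFOs in the NFC data directory. A domain that can create symlinks in a directory other processes open is a common source of link-following problems, so these classes are worth granting only on evidence. If no denial shows them in use I would narrow the rule to `allow hal_nfc nfc_data_file:file create_file_perms;`, and otherwise name the consumer in the comment.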
diff --git a/sepolicy/hal_wifi_supplicant.te b/sepolicy/hal_wifi_supplicant.te
new file mode 100644
index 0000000..b1f24d8
--- /dev/null
+++ b/sepolicy/hal_wifi_supplicant.te
@@ -0,0 +1,6 @@
+allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
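Review bot: The first two rules in hal_wifi_supplicant.te have no comment, unlike the wpa_socket pair below them, so the reason for full create access on `wifi_data_file` is not recorded. Something like `# Supplicant creates and updates its files under wifi_data_file.` above the first rule would match the rest of the file. The exact files are not visible from this hunk, so the wording should be confirmed against the daemon's configuration.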
diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te
new file mode 100644
index 0000000..15064a0
--- /dev/null
+++ b/sepolicy/hostapd.te
@@ -0,0 +1,9 @@
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms;
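Review bot: `allow hostapd wifi_data_file:file rw_file_perms;` lets hostapd write every file carrying that label, while the comment justifies it only with the entropy file. The hal_wifi_supplicant.te hunk in this same commit grants create access on the same type, so the two daemons can presumably modify each other's files. A dedicated type for hostapd's own files, with only read access left on `wifi_data_file`, would keep a fault in one daemon from reaching the other's configuration. That needs a type declaration and a file_contexts entry, both of which are outside this diff.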