sepolicy: moving qssi supported legacy target here.
Change-Id: Ife7e851823afc1dcbf2f561c8079795e909544bc
diff --git a/legacy/vendor/common/system_server.te b/legacy/vendor/common/system_server.te
new file mode 100644
index 0000000..e88c36f
--- /dev/null
+++ b/legacy/vendor/common/system_server.te
@@ -0,0 +1,212 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute system_server system_writes_vendor_properties_violators;
+allow system_server self:capability sys_module;
+
+# allow system_server to communicate with cnd process over cnd_socket
+#unix_socket_connect(system_server, cnd, cnd)
+
+# Access to sensors socket
+#unix_socket_connect(system_server, sensors, sensors)
+#unix_socket_send(system_server, sensors, sensors)
+#allow system_server sensors:unix_stream_socket sendto;
+#allow system_server sensors_socket:sock_file r_file_perms;
+#qmux_socket(system_server);
+
+allow system_server self:socket create_socket_perms;
+allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
+allow system_server sysfs_sensors:dir search;
+allow system_server sysfs_sensors:file rw_file_perms;
+
+allow system_server {
+ # For wifistatemachine
+ wbc_service
+ # Allow system_server to add digital pen system service
+ usf_service
+ #dpmservice
+}:service_manager add;
+
+allow system_server qtitetherservice_service:service_manager find;
+
+#For ANT tty communication and to set wc_transport prop
+allow system_server {
+ vendor_bluetooth_prop
+ usf_prop
+}:property_service set;
+
+# required for ANT App to connectto wcnss_filter sockets
+allow system_server bluetooth:unix_stream_socket connectto;
+# access to iop
+unix_socket_send(system_server, iop, dumpstate)
+unix_socket_connect(system_server, iop, dumpstate)
+
+# allow system/framework applications to update the dpmd configuration files
+#unix_socket_connect(system_server, dpmd, dpmd);
+#allow system_server { dpmd_socket socket_device }:sock_file w_file_perms;
+#allow system_server dpmd_data_file:dir create_dir_perms;
+#allow system_server dpmd_data_file:file create_file_perms;
+
+# For location
+binder_call(system_server, location);
+type_transition system_server location_data_file:sock_file location_socket "location-mq-s";
+type_transition system_server location_data_file:sock_file location_socket "alarm_svc";
+#allow system_server location:unix_stream_socket connectto;
+#allow system_server location_socket:sock_file create_file_perms;
+
+#For wifistatemachine
+allow system_server kernel:key search;
+allow system_server wlan_device:chr_file rw_file_perms;
+set_prop(system_server, vendor_softap_prop)
+get_prop(system_server, vendor_softap_prop)
+
+#For ssr
+allow system_server ssr_device:chr_file r_file_perms;
+
+allow system_server { fuse }:dir search;
+
+allow system_server proc_audiod:file r_file_perms;
+
+allow system_server {
+ serial_device
+ smd_device
+ # graphics_device, audio_device, tee_device is for WFD
+ graphics_device
+ audio_device
+ tee_device
+ #allow access to power control ANT chip
+ bt_device
+}:chr_file rw_file_perms;
+
+# Allow system server access to usf resources
+allow system_server usf:process signal;
+#allow system_server usf:unix_stream_socket connectto;
+
+get_prop(system_server, vendor_xlat_prop)
+
+# For WFD
+allow system_server graphics_device:dir r_dir_perms;
+userdebug_or_eng(`
+get_prop(system_server, wfd_debug_prop)
+')
+
+#Allow access to netmgrd socket
+#netmgr_socket(system_server);
+# So init can manage our process
+allow system_server RIDL:fd use;
+allow system_server RIDL:fifo_file write;
+
+# So init can manage our process
+allow system_server qti_logkit:fd use;
+allow system_server qti_logkit:fifo_file write;
+
+#Rules for system server to talk to peripheral manager
+get_prop(system_server, vendor_per_mgr_state_prop);
+
+# Allow system server access to qfp daemon
+binder_call(system_server, qfp-daemon);
+binder_call(system_server, fps_hal)
+allow system_server iqfp_service:service_manager find;
+
+# For shutdown animation
+allow system_server ctl_bootanim_prop:property_service set;
+
+# allow tethering to access dhcp leases
+r_dir_file(system_server, dhcp_data_file)
+
+# Allow system server to access fst,wigig system properties
+set_prop(system_server, fst_prop)
+get_prop(system_server, fst_prop)
+set_prop(system_server, wigig_prop)
+
+#allow access to fingerprintd data file
+allow system_server fingerprintd_data_file:file { r_file_perms unlink };
+allow system_server fingerprintd_data_file:dir { rw_dir_perms rmdir };
+
+#for Wifi module this is needed
+allow system_server system_file:system module_load;
+
+userdebug_or_eng(`
+ diag_use(system_server)
+')
+
+# allow access to low persistence mode sysfs node
+allow system_server sysfs_graphics:file rw_file_perms;
+
+# timerslack_ns
+allow system_server { location_app system_app } :file write;
+
+#OpenGLES version
+get_prop(system_server, vendor_opengles_prop)
+#get_prop(system_server, qemu_hw_mainkeys_prop)
+
+get_prop(system_server, hwui_prop)
+get_prop(system_server, bservice_prop)
+get_prop(system_server, reschedule_service_prop)
+allow system_server appdomain:file w_file_perms;
+get_prop(system_server, vendor_cgroup_follow_prop)
+
+# Allow system_server to access ActivityManager tuning properties from vendor
+get_prop(system_server, vendor_am_prop)
+get_prop(system_server, vendor_mpctl_prop)
+
+# IPC call for sensor feed
+binder_call(system_server, hal_graphics_composer)
+binder_call(system_server, hal_camera)
+binder_call(system_server, mm-pp-daemon)
+
+# Ant ipc
+hal_client_domain(system_server,hal_bluetooth);
+
+hal_client_domain(system_server, hal_perf)
+hal_client_domain(system_server, hal_sensors)
+
+# allow WIGIG framework hosted in system_server to access wigig_hal
+hal_client_domain(system_server, hal_wigig)
+# allow WIGIG framework to access network performance tuner
+hal_client_domain(system_server, hal_wigig_npt)
+# allow WIGIG framework access to wil6210 sysfs files like thermal_throttling
+allow system_server sysfs_wigig:file rw_file_perms;
+
+# allow system_server to access IOP HAL service
+hal_client_domain(system_server, hal_iop)
+
+# Allow Gesture based boost from System Server
+get_prop(system_server, vendor_scroll_prop)
+
+# allow system_server to access vendor display property.
+get_prop(system_server, vendor_display_prop)
+get_prop(system_server, vendor_iop_prop)
+
+# allow system server to get mirrorlink connection status prop
+get_prop(system_server, vendor_mirrorlink_prop)
+
+# allow system server to get vendor_audio_prop
+get_prop(system_server, vendor_audio_prop)
+
+# allow system_server to access IWifiStats HAL service
+hal_client_domain(system_server, hal_wifilearner)