From 9642d1dd8bf2b844008baf0f559f1d621f64d549 Mon Sep 17 00:00:00 2001
From: William Roberts <wroberts@tresys.com>
Date: Thu, 15 Aug 2013 13:08:41 -0700
Subject: [PATCH] sepolicy: Start CM Common sepolicy

Rather than having to maintain out of tree changes, it is often
easier to maintain a hiearchy of changes, starting with the vendors
common config file. From there, inheriting products can pick up a base
and start to add or remove certain bits from it, making use of the
BOARD_SEPOLICY_* functions documented in external/sepolicy/README.

Change-Id: I28a4aaf6c126535f0a88001582641b234a750015
---
 config/common.mk             |  2 +-
 sepolicy/mac_permissions.xml | 17 +++++++++++++++++
 sepolicy/sepolicy.mk         | 10 ++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 sepolicy/mac_permissions.xml
 create mode 100644 sepolicy/sepolicy.mk

diff --git a/config/common.mk b/config/common.mk
index 22be0b7d..36584f21 100644
--- a/config/common.mk
+++ b/config/common.mk
@@ -259,5 +259,5 @@ PRODUCT_PROPERTY_OVERRIDES += \
   ro.cm.version=$(CM_VERSION) \
   ro.modversion=$(CM_VERSION)
 
-
+-include vendor/cm/sepolicy/sepolicy.mk
 -include $(WORKSPACE)/hudson/image-auto-bits.mk
diff --git a/sepolicy/mac_permissions.xml b/sepolicy/mac_permissions.xml
new file mode 100644
index 00000000..e91c6f41
--- /dev/null
+++ b/sepolicy/mac_permissions.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!-- Most Google-authored apps -->
+  <signer signature="308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a" >
+    <!-- This should probably be refined, but it's a ton of them -->
+    <allow-all />
+    <!-- We should only add the exact key + package name, rather then giving this to all gapps -->
+    <seinfo value="release" />
+  </signer>
+
+  <!-- Youtube -->
+  <signer signature="30820252308201bb02044934987e300d06092a864886f70d01010405003070310b3009060355040613025553310b3009060355040813024341311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c652c20496e6331143012060355040b130b476f6f676c652c20496e633110300e06035504031307556e6b6e6f776e301e170d3038313230323032303735385a170d3336303431393032303735385a3070310b3009060355040613025553310b3009060355040813024341311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c652c20496e6331143012060355040b130b476f6f676c652c20496e633110300e06035504031307556e6b6e6f776e30819f300d06092a864886f70d010101050003818d00308189028181009f48031990f9b14726384e0453d18f8c0bbf8dc77b2504a4b1207c4c6c44babc00adc6610fa6b6ab2da80e33f2eef16b26a3f6b85b9afaca909ffbbeb3f4c94f7e8122a798e0eba75ced3dd229fa7365f41516415aa9c1617dd583ce19bae8a0bbd885fc17a9b4bd2640805121aadb9377deb40013381418882ec52282fc580d0203010001300d06092a864886f70d0101040500038181004086669ed631da4384ddd061d226e073b98cc4b99df8b5e4be9e3cbe97501e83df1c6fa959c0ce605c4fd2ac6d1c84cede20476cbab19be8f2203aff7717ad652d8fcc890708d1216da84457592649e0e9d3c4bb4cf58da19db1d4fc41bcb9584f64e65f410d0529fd5b68838c141d0a9bd1db1191cb2a0df790ea0cb12db3a4" >
+    <allow-all />
+    <seinfo value="release" />
+  </signer>
+</policy>
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
new file mode 100644
index 00000000..2defe789
--- /dev/null
+++ b/sepolicy/sepolicy.mk
@@ -0,0 +1,10 @@
+#
+# This policy configuration will be used by all products that
+# inherit from CM
+#
+
+BOARD_SEPOLICY_DIRS := \
+    vendor/cm/sepolicy
+
+BOARD_SEPOLICY_UNION := \
+    mac_permissions.xml