From b5c2cf040854a1027d784fdc6fa3c17ea39ff558 Mon Sep 17 00:00:00 2001
From: Steve Kondik
Date: Tue, 15 Sep 2015 04:10:02 -0700
Subject: [PATCH] cm: sepolicy: Create central place for QC-specific policy
* We have a number of policy items due to changes in our BSPs or for other things which interact with the QC sepolicy. Add a place for us to store this stuff so we don't need to copy it around to every device.
Change-Id: I155ca202694501d42b42e2bd703d74049d547df0
---
sepolicy/qcom/bootanim.te | 3 +++
sepolicy/qcom/perfd.te | 6 ++++++
sepolicy/qcom/sepolicy.mk | 2 ++
sepolicy/qcom/system_server.te | 6 ++++++
4 files changed, 17 insertions(+)
create mode 100644 sepolicy/qcom/bootanim.te
create mode 100644 sepolicy/qcom/perfd.te
create mode 100644 sepolicy/qcom/sepolicy.mk
create mode 100644 sepolicy/qcom/system_server.te
diff --git a/sepolicy/qcom/bootanim.te b/sepolicy/qcom/bootanim.te
new file mode 100644
index 00000000..9987b46b
--- /dev/null
+++ b/sepolicy/qcom/bootanim.te
@@ -0,0 +1,3 @@
+allow bootanim mpctl_socket:dir search;
+unix_socket_connect(bootanim, mpctl, perfd)
+unix_socket_send(bootanim, mpctl, perfd)
diff --git a/sepolicy/qcom/perfd.te b/sepolicy/qcom/perfd.te
new file mode 100644
index 00000000..2c9e4fff
--- /dev/null
+++ b/sepolicy/qcom/perfd.te
@@ -0,0 +1,6 @@
+allow perfd sysfs_devices_system_iosched:file rw_file_perms;
+unix_socket_connect(perfd, thermal, thermal-engine)
+
+# read mediaserver status
+allow perfd mediaserver:file { read open };
+
diff --git a/sepolicy/qcom/sepolicy.mk b/sepolicy/qcom/sepolicy.mk
new file mode 100644
index 00000000..1214054a
--- /dev/null
+++ b/sepolicy/qcom/sepolicy.mk
@@ -0,0 +1,2 @@
+BOARD_SEPOLICY_DIRS += \
+ vendor/cm/sepolicy/qcom
diff --git a/sepolicy/qcom/system_server.te b/sepolicy/qcom/system_server.te
new file mode 100644
index 00000000..362bd4f4
--- /dev/null
+++ b/sepolicy/qcom/system_server.te
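Review bot: In sepolicy/qcom/bootanim.te the domain receives both `unix_socket_connect(bootanim, mpctl, perfd)` and `unix_socket_send(bootanim, mpctl, perfd)`, that is stream `connectto` and datagram `sendto` toward perfd, although a given socket is only one of the two kinds. Unless perfd really serves both, keep the single macro that matches the mpctl socket's type so bootanim carries no unused permission. The file also has no comment saying why the boot animation talks to the perf daemon; a header such as `# bootanim talks to perfd over the mpctl socket (state the reason here)` would let a later policy audit judge the grant.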
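Review bot: In sepolicy/qcom/perfd.te, `allow perfd mediaserver:file { read open };` is wider than its comment "read mediaserver status" suggests: the rule matches every file carrying the mediaserver label, which on Android presumably means all of that process's /proc/<pid> entries, not only `status`. SELinux cannot narrow this by file name, so the comment should state the real scope, e.g. `# perfd reads mediaserver's /proc/<pid> files (rule is not limited to status)`. The hunk also grants no `mediaserver:dir search`, so unless that is allowed elsewhere the read may still be denied; confirm against the audit log before relying on it.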
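Review bot: sepolicy/qcom/sepolicy.mk appends the directory unconditionally, but the .te files in it reference types (`perfd`, `mpctl_socket`, `pps_socket`, `mm-pp-daemon`, `time_daemon`, `sysfs_devices_system_iosched`) that this patch does not declare. They presumably come from the Qualcomm policy, so a device that includes this makefile without that policy would fail policy compilation. A header comment such as `# Requires the Qualcomm sepolicy that declares perfd, mm-pp-daemon and time_daemon; include from QC device trees only` would document the dependency.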
@@ -0,0 +1,6 @@
+# LiveDisplay access to color calibration
+allow system_server pps_socket:sock_file rw_file_perms;
+allow system_server mm-pp-daemon:unix_stream_socket connectto;
+
+# Time services
+allow system_server time_daemon:unix_stream_socket connectto;
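Review bot: `allow system_server pps_socket:sock_file rw_file_perms;` in sepolicy/qcom/system_server.te grants more than a socket connect needs; the `unix_socket_connect` macro already used in bootanim.te and perfd.te of this patch grants only `write` on the sock_file plus `connectto`. The first two rules could be written as `unix_socket_connect(system_server, pps, mm-pp-daemon)`, which keeps system_server's access to the color-calibration daemon minimal and matches the other files. The time_daemon rule has `connectto` but no sock_file rule in this hunk, so it presumably relies on one defined elsewhere; a comment naming that rule would help a reader verify it.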