From ffabfb3616ebb6c3682af4605e260583751d2547 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 9 Feb 2019 14:47:55 -0500
Subject: [PATCH] 14.1: fix maguro denials

---
 .../0001-fix_denial.patch | 39 ++++++++++++++
 .../0002-fix_denial.patch | 37 +++++++++++++
 .../0003-fix_denial.patch | 52 +++++++++++++++++++
 .../0004-fix_denial.patch | 24 +++++++++
 Scripts/LineageOS-14.1/Patch.sh | 8 +++
 5 files changed, 160 insertions(+)
 create mode 100644 Patches/LineageOS-14.1/android_device_samsung_tuna/0001-fix_denial.patch
 create mode 100644 Patches/LineageOS-14.1/android_device_samsung_tuna/0002-fix_denial.patch
 create mode 100644 Patches/LineageOS-14.1/android_device_samsung_tuna/0003-fix_denial.patch
 create mode 100644 Patches/LineageOS-14.1/android_device_samsung_tuna/0004-fix_denial.patch

diff --git a/Patches/LineageOS-14.1/android_device_samsung_tuna/0001-fix_denial.patch b/Patches/LineageOS-14.1/android_device_samsung_tuna/0001-fix_denial.patch
new file mode 100644
index 00000000..3871d62a
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_device_samsung_tuna/0001-fix_denial.patch
@@ -0,0 +1,39 @@
+From 3030156fc1e0e69e5fad36fb374a8eb19fed8875 Mon Sep 17 00:00:00 2001
+From: nailyk-fr
+Date: Sat, 12 Aug 2017 18:46:10 +0200
+Subject: [PATCH] tuna: twrp: Add necessary policy for twrp decrypt
+
+Change-Id: I7fab77518718961ca55f29c5263a43e69efc73ca
+---
+ sepolicy/recovery.te | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
+index dca66805..0d30c0d7 100644
+--- a/sepolicy/recovery.te
++++ b/sepolicy/recovery.te
+@@ -40,3 +40,24 @@ allow recovery { efs_file radio_efs_file bluetooth_efs_file }:file { getattr ope
+ 
+ # For rebooting in tunasetup
+ allow recovery powerctl_prop:property_service set;
++
++# For decryption
++allow recovery tee_device:chr_file { ioctl open read write };
++#============= healthd ==============
++allow healthd device:dir write;
++
++#============= init ==============
++allow init ashmem_device:chr_file execute;
++allow init block_device:blk_file write;
++allow init graphics_device:chr_file { ioctl write };
++allow init init_tmpfs:file append;
++allow init input_device:chr_file ioctl;
++allow init property_socket:sock_file write;
++allow init self:process execmem;
++allow init tee_device:chr_file rw_file_perms;
++
++
++allow init unlabeled:dir search;
++allow init tee_file:dir rw_dir_perms;
++allow init tee_file:file create_file_perms;
++allow init labeledfs:filesystem associate;
diff --git a/Patches/LineageOS-14.1/android_device_samsung_tuna/0002-fix_denial.patch b/Patches/LineageOS-14.1/android_device_samsung_tuna/0002-fix_denial.patch
new file mode 100644
index 00000000..3f1537e7
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_device_samsung_tuna/0002-fix_denial.patch
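Review bot: The `#============= init ==============` block added to recovery.te grants init `self:process execmem`, `ashmem_device:chr_file execute`, `block_device:blk_file write` and `unlabeled:dir search`, and neither the subject (policy for twrp decrypt) nor any quoted denial justifies them; the header style looks like an unfiltered audit2allow dump. Rules in a device recovery.te are not restricted to recovery builds unless wrapped in `recovery_only(...)`, so the init and healthd grants presumably also land in the normal-boot policy — confirm against the platform recovery.te. I would keep only `allow recovery tee_device:chr_file { ioctl open read write };` here, move the init/healthd rules next to the denials that motivate them, and drop the execmem and ashmem execute rules unless a specific TEE binary is shown to need them.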
@@ -0,0 +1,37 @@
+From b9219da6cc3efc4cce9ef39a2d570990fd68cf11 Mon Sep 17 00:00:00 2001
+From: nailyk-fr
+Date: Sun, 13 Aug 2017 20:31:53 +0200
+Subject: [PATCH] Tuna: Sepolicy: Add tee-fs permissions
+
+ * Tee-fs-setup is launched as recovery context.
+ * Those rules are needed because of toybox android
+ move.
+ * This is mandatory for encryption as this script
+ init /tee then start TEE services.
+
+ * Denials details:
+avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/sh" dev=mmcblk0p10 ino=385 scontext=u:r:recovery:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
+avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
+avc: denied { execute } for pid=128 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
+avc: denied { read open } for pid=131 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
+avc: denied { execute_no_trans } for pid=131 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
+
+Change-Id: I559f15713c7893b97c7e33f421ff19d606814fb1
+---
+ sepolicy/recovery.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
+index 0d30c0d7..f1047b45 100644
+--- a/sepolicy/recovery.te
++++ b/sepolicy/recovery.te
+@@ -43,6 +43,9 @@ allow recovery powerctl_prop:property_service set;
+ 
+ # For decryption
+ allow recovery tee_device:chr_file { ioctl open read write };
++allow recovery shell_exec:file getattr;
++allow recovery toolbox_exec:file { execute execute_no_trans getattr open read };
++
+ #============= healthd ==============
+ allow healthd device:dir write;
+ 
diff --git a/Patches/LineageOS-14.1/android_device_samsung_tuna/0003-fix_denial.patch b/Patches/LineageOS-14.1/android_device_samsung_tuna/0003-fix_denial.patch
new file mode 100644
index 00000000..9d94e1a0
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_device_samsung_tuna/0003-fix_denial.patch
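Review bot: `allow recovery toolbox_exec:file { execute execute_no_trans getattr open read };` lets the recovery domain run toybox without a domain transition, and the quoted denials show the caller is tee-fs-setup.sh at pid 128 during normal boot, not recovery mode. Widening the recovery domain for a boot-time script is the wrong place for this grant; a dedicated domain for tee-fs-setup with its own exec type would confine the script instead. If the rule stays, it should say who needs it, e.g. `# tee-fs-setup.sh runs in the recovery domain at boot and execs toybox without a transition` above the two added lines, since the surrounding `# For decryption` comment no longer describes them.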
@@ -0,0 +1,52 @@
+From 03320366719016a58225cf2dcf428d9ff04f9039 Mon Sep 17 00:00:00 2001
+From: nailyk-fr
+Date: Sun, 13 Aug 2017 20:51:06 +0200
+Subject: [PATCH] Tuna: Sepolicy: Label metadata partition
+
+ * Label metadata partition to allow vold
+ accessing it for decryption.
+
+ * Wihtout this patchs:
+avc: denied { read write } for pid=166 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
+avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
+avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
+avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
+avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
+ who cannot be allowed due to never allow
+ into system wide policies.
+
+Change-Id: I577794a7298fcd105392699466661a7bd85a6218
+---
+ sepolicy/file_contexts | 2 ++
+ sepolicy/vold.te | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
+index 1225c878..efd06764 100644
+--- a/sepolicy/file_contexts
++++ b/sepolicy/file_contexts
+@@ -46,11 +46,13 @@
+ # Block devices
+ /dev/block/mmcblk0 u:object_r:root_block_device:s0
+ /dev/block/mmcblk0p9 u:object_r:radio_device:s0
++/dev/block/mmcblk0p13 u:object_r:metadata_block_device:s0
+ /dev/block/platform/omap/omap_hsmmc.0/by-name/boot u:object_r:boot_block_device:s0
+ /dev/block/platform/omap/omap_hsmmc.0/by-name/recovery u:object_r:recovery_block_device:s0
+ /dev/block/platform/omap/omap_hsmmc.0/by-name/cache u:object_r:cache_block_device:s0
+ /dev/block/platform/omap/omap_hsmmc.0/by-name/system u:object_r:system_block_device:s0
+ /dev/block/platform/omap/omap_hsmmc.0/by-name/userdata u:object_r:userdata_block_device:s0
++/dev/block/platform/omap/omap_hsmmc.0/by-name/metadata u:object_r:metadata_block_device:s0
+ /dev/block/platform/omap/omap_hsmmc.0/by-name/param u:object_r:radio_device:s0
+ /dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0
+ /dev/block/platform/omap/omap_hsmmc.0/by-name/dgs u:object_r:tee_block_device:s0
+diff --git a/sepolicy/vold.te b/sepolicy/vold.te
+index 9ba84692..313104b5 100644
+--- a/sepolicy/vold.te
++++ b/sepolicy/vold.te
+@@ -1,5 +1,6 @@
+ # vold
+ allow vold efs_file:dir { getattr read open ioctl };
++allow vold metadata_block_device:blk_file { read write };
+ 
+ # For 'aes-*' module requests.
+ allow vold kernel:system module_request;
diff --git a/Patches/LineageOS-14.1/android_device_samsung_tuna/0004-fix_denial.patch b/Patches/LineageOS-14.1/android_device_samsung_tuna/0004-fix_denial.patch
new file mode 100644
index 00000000..4f5e79a7
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_device_samsung_tuna/0004-fix_denial.patch
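Review bot: `allow vold metadata_block_device:blk_file { read write };` may duplicate a grant the platform vold.te already carries for metadata_block_device; worth checking before adding a device-local copy, because a redundant rule hides whether the relabel alone fixed the denial. The `/dev/block/mmcblk0p13` file_contexts entry hard-codes a partition index that the `by-name/metadata` entry already identifies, and the denial's `name="mmcblk0p13"` suggests vold opened the raw node, so both may be needed; a comment such as `# mmcblk0p13 is by-name/metadata; keep both entries in sync` would stop one being changed without the other. Relabeling the partition instead of opening block_device to vold is the right approach, as the message says.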
@@ -0,0 +1,24 @@
+From b50670cc845167011e16af63fcda74887f03c8ba Mon Sep 17 00:00:00 2001
+From: nailyk-fr
+Date: Sun, 13 Aug 2017 20:54:18 +0200
+Subject: [PATCH] Tuna: Sepolicy: Solve mediacodec denial
+
+avc: denied { read write } for pid=1180 comm="mediacodec" name="rpmsg-omx1" dev=tmpfs ino=4913 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
+avc: denied { read } for pid=1195 comm="Binder:1180_1" name="rproc_user" dev=tmpfs ino=4631 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
+avc: denied { open } for pid=177 comm="mediacodec" name="rpmsg-omx1" dev=tmpfs ino=4940 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
+avc: denied { ioctl } for pid=1227 comm="Binder:1198_1" path="/dev/rpmsg-omx1" dev="tmpfs" ino=4978 ioctlcmd=5801 scontext=u:r:mediacodec:s0 tcontext=u:object_r:rpmsg_device:s0 tclass=chr_file permissive=0
+
+Change-Id: Ibd6674b3bbf245605b79c6d97ff6ed0d31715870
+---
+ sepolicy/mediacodec.te | 2 ++
+ 1 file changed, 2 insertions(+)
+ create mode 100644 sepolicy/mediacodec.te
+
+diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
+new file mode 100644
+index 00000000..711a2047
+--- /dev/null
++++ b/sepolicy/mediacodec.te
+@@ -0,0 +1,2 @@
++#============= mediacodec ==============
++allow mediacodec rpmsg_device:chr_file { read write open ioctl };
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index b8defb9f..58811feb 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
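Review bot: `allow mediacodec rpmsg_device:chr_file { read write open ioctl };` grants every ioctl on the rpmsg device, while the quoted denial records a single command (ioctlcmd=5801). If the tuna kernel and policy version support extended permissions, adding `allowxperm mediacodec rpmsg_device:chr_file ioctl { 0x5801 };` would confine mediacodec to the ioctl it actually issues; if they do not, a comment naming the observed command keeps that tightening possible later. The `#============= mediacodec ==============` header is audit2allow output and would be better replaced by a line naming the device nodes involved (`/dev/rpmsg-omx1` and `rproc_user` in the denials) and why the codec needs them.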
@@ -223,6 +223,14 @@ sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info. enterAndClear "device/samsung/tuna"; rm setup-makefiles.sh; #broken, deblobber will still function sed -i 's/arm-eabi-4.7/arm-eabi-4.8/' BoardConfig.mk; #fix toolchain +#See: https://review.lineageos.org/q/topic:%22tuna-sepolicies and https://gerrit.nailyk.fr/#/q/project:android_device_samsung_tuna+branch:cm-14.1 +patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0001-fix_denial.patch"; +patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0002-fix_denial.patch"; +patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0003-fix_denial.patch"; +patch -p1 < "$DOS_PATCHES/android_device_samsung_tuna/0004-fix_denial.patch"; +echo "allow rild system_file:file execmod;" >> sepolicy/rild.te; +echo "allow rild toolbox_exec:file getattr;" >> sepolicy/rild.te; + enter "vendor/google"; echo "" > atv/atv-common.mk;
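Review bot: `echo "allow rild system_file:file execmod;" >> sepolicy/rild.te;` gives the radio daemon execmod on every system_file, i.e. the right to execute modified (text-relocated) mappings of any system library, which weakens W^X for the process that talks to the baseband; unlike the four patch files, no denial is recorded to justify it. If a specific vendor blob needs text relocations, a comment in the script should name it and the rule should target a narrower type, otherwise the line should be dropped. The four `patch -p1 <` calls and both `echo >>` lines also run unchecked, so a patch that stops applying after an upstream change would be silently skipped while the rild rules are still appended; checking each patch's exit status (for example `|| exit 1` after each call) would surface that. The surrounding section begins before the hunk (`enterAndClear "device/samsung/tuna";` is context), and the `#See:` URL for the LineageOS topic appears to be missing its closing `%22`.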