initial Raspberry Vanilla AOSP 12 commit

* Audio - Based on AOSP hikey audio HAL: https://android.googlesource.com/device/linaro/hikey/+/refs/heads/master/audio/ - ALSA based on Android-x86 - ALSA loop is used to support HDMI audio on Pi 4 because VC4 HDMI audio devices use SNDRV_PCM_FORMAT_IEC958_SUBFRAME_LE that is not supported on Android https://github.com/raspberrypi/linux/issues/4651 https://github.com/raspberrypi/linux/issues/4654 * Bluetooth - AOSP Broadcom vendor stack with some additional fixes from android-rpi * Camera - libcamera for official Raspberry Pi CSI camera modules based on GloDroid - AOSP external camera HAL for UVC USB webcams: https://source.android.com/docs/core/camera/external-usb-cameras * Graphics - OpenGL & Vulkan: upstream Mesa with GloDroid patches - Upstream drm_hwcomposer with force resolution patch from Android-x86 and my additional fixes - minigbm based on GloDroid * Health - Based on AOSP cuttlefish health HAL * Kernel - Merge of Raspberry Pi and AOSP common kernel with my additional fixes and configurations https://github.com/raspberrypi/linux https://android.googlesource.com/kernel/common/ * Lights - Based on LineageOS Xiaomi msm8996-common lights HAL * suspend_blocker - Based on AOSP cuttlefish * v4l2_codec2 - Based on AOSP with my Raspberry Pi 4 specific fixes * Wifi - AOSP Broadcom vendor stack with my additional fixes
2022-09-14 15:06:12 +03:00
commit bbdbc45eea
85 changed files with 3127 additions and 0 deletions
--- a/sepolicy/alsa_loop.te
+++ b/sepolicy/alsa_loop.te
@@ -0,0 +1,7 @@
+type alsa_loop, domain;
+type alsa_loop_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(alsa_loop)
+
+allow alsa_loop audio_device:dir r_dir_perms;
+allow alsa_loop audio_device:chr_file rw_file_perms;
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1 @@
+allow bluetooth vcio_device:chr_file rw_file_perms;
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -0,0 +1 @@
+gpu_access(bootanim)
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -0,0 +1 @@
+type vcio_device, dev_type, mlstrustedobject;
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -0,0 +1 @@
+type sysfs_gpu, fs_type, sysfs_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -0,0 +1,49 @@
+# Audio
+/vendor/bin/alsa_loop                                                        u:object_r:alsa_loop_exec:s0
+
+# Bluetooth
+/dev/ttyAMA0                                                                 u:object_r:hci_attach_dev:s0
+/dev/vcio                                                                    u:object_r:vcio_device:s0
+/sys/class/rfkill/rfkill[0-9]/state                                          u:object_r:sysfs_bluetooth_writable:s0
+
+# DRM
+/vendor/bin/hw/android\.hardware\.drm@1\.4-service\.clearkey                 u:object_r:hal_drm_clearkey_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@1\.4-service\.widevine                 u:object_r:hal_drm_widevine_exec:s0
+
+# Gatekeeper
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service.software           u:object_r:hal_gatekeeper_default_exec:s0
+
+# Graphics
+/dev/dri                                                                                u:object_r:gpu_device:s0
+/dev/dri/card0                                                                          u:object_r:gpu_device:s0
+/dev/dri/card1                                                                          u:object_r:gpu_device:s0
+/dev/dri/renderD128                                                                     u:object_r:gpu_device:s0
+/vendor/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service\.minigbm_gbm_mesa    u:object_r:hal_graphics_allocator_default_exec:s0
+/vendor/lib(64)?/dri/libgallium_dri\.so                                                 u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/android\.hardware\.graphics.mapper@4\.0-impl\.minigbm_gbm_mesa\.so  u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.broadcom\.so                                                u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so                                                             u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgbm_mesa\.so                                                        u:object_r:same_process_hal_file:s0
+/vendor/lib{64}?/libgbm_mesa_wrapper\.so                                                u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libglapi\.so                                                           u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libminigbm_gralloc_gbm_mesa\.so                                        u:object_r:same_process_hal_file:s0
+
+# Health
+/vendor/bin/hw/android\.hardware\.health@2\.0-service.rpi                    u:object_r:hal_health_default_exec:s0
+
+# Lights
+/sys/class/backlight/rpi_backlight/brightness                                u:object_r:sysfs_leds:s0
+/sys/devices/platform/rpi_backlight/backlight/rpi_backlight/brightness       u:object_r:sysfs_leds:s0
+/vendor/bin/hw/android\.hardware\.light@2\.0-service.rpi                     u:object_r:hal_light_default_exec:s0
+
+# Partitions
+/dev/block/mmcblk0p1                                                         u:object_r:boot_block_device:s0
+/dev/block/mmcblk0p2                                                         u:object_r:system_block_device:s0
+/dev/block/mmcblk0p3                                                         u:object_r:system_block_device:s0
+/dev/block/mmcblk0p4                                                         u:object_r:userdata_block_device:s0
+
+# Suspend
+/vendor/bin/suspend_blocker_rpi                                              u:object_r:suspend_blocker_exec:s0
+
+# V4L2
+/vendor/bin/hw/android\.hardware\.media\.c2@1\.0-service-v4l2(.*)?           u:object_r:mediacodec_exec:s0
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,3 @@
+genfscon sysfs /devices/platform/v3dbus/fec00000.v3d/uevent u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/gpu/uevent u:object_r:sysfs_gpu:s0
+genfscon sysfs /firmware/devicetree/base/serial-number u:object_r:sysfs_dt_firmware_android:s0
--- a/sepolicy/hal_camera.te
+++ b/sepolicy/hal_camera.te
@@ -0,0 +1,14 @@
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer);
+
+allow cameraserver device:dir r_dir_perms;
+allow cameraserver video_device:dir r_dir_perms;
+allow cameraserver video_device:chr_file rw_file_perms;
+
+allow hal_camera_default gpu_device:dir { open read search };
+allow hal_camera_default gpu_device:chr_file { open read write ioctl map getattr };
+allow cameraserver gpu_device:dir { open read write search getattr };
+allow cameraserver gpu_device:chr_file { open read write ioctl map getattr };
--- a/sepolicy/hal_drm_clearkey.te
+++ b/sepolicy/hal_drm_clearkey.te
@@ -0,0 +1,10 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+vndbinder_use(hal_drm_clearkey);
+
+allow hal_drm_clearkey hal_allocator_server:fd use;
--- a/sepolicy/hal_drm_widevine.te
+++ b/sepolicy/hal_drm_widevine.te
@@ -0,0 +1,13 @@
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+vndbinder_use(hal_drm_widevine);
+
+allow hal_drm_widevine hal_allocator_server:fd use;
+allow hal_drm mediacodec:fd use;
+
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
--- a/sepolicy/hal_graphics_allocator_default.te
+++ b/sepolicy/hal_graphics_allocator_default.te
@@ -0,0 +1 @@
+gpu_access(hal_graphics_allocator_default)
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,2 @@
+vndbinder_use(hal_graphics_composer_default)
+gpu_access(hal_graphics_composer_default)
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -0,0 +1,2 @@
+allow init kernel:system module_request;
+allow init tmpfs:lnk_file create;
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -0,0 +1,4 @@
+allow kernel self:capability mknod;
+allow kernel self:system module_request;
+allow kernel device:dir { create write add_name remove_name rmdir };
+allow kernel device:chr_file { create setattr getattr unlink };
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+gpu_access(mediacodec)
--- a/sepolicy/mediaprovider.te
+++ b/sepolicy/mediaprovider.te
@@ -0,0 +1 @@
+gpu_access(surfaceflinger)
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+gpu_access(mediaserver)
--- a/sepolicy/mediaswcodec.te
+++ b/sepolicy/mediaswcodec.te
@@ -0,0 +1,2 @@
+gpu_access(mediaswcodec)
+allow mediaswcodec gpu_device:chr_file { getattr ioctl map open read write };
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -0,0 +1,2 @@
+dontaudit netd self:capability sys_module;
+allow netd kernel:system module_request;
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -0,0 +1 @@
+gpu_access(platform_app)
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -0,0 +1 @@
+gpu_access(priv_app)
--- a/sepolicy/proc_net.te
+++ b/sepolicy/proc_net.te
@@ -0,0 +1 @@
+allow proc_net proc:filesystem associate;
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1 @@
+gpu_access(surfaceflinger)
--- a/sepolicy/suspend_blocker.te
+++ b/sepolicy/suspend_blocker.te
@@ -0,0 +1,6 @@
+type suspend_blocker, domain;
+type suspend_blocker_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(suspend_blocker);
+
+wakelock_use(suspend_blocker);
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -0,0 +1 @@
+gpu_access(system_app)
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -0,0 +1,2 @@
+gpu_access(system_server)
+allow system_server self:capability sys_module;
--- a/sepolicy/te_macros
+++ b/sepolicy/te_macros
@@ -0,0 +1,8 @@
+#####################################
+# gpu_access(client_domain)
+# Allow client_domain to communicate with the GPU
+define(`gpu_access', `
+allow $1 gpu_device:dir { open read search getattr };
+allow $1 gpu_device:chr_file { open read getattr ioctl map write };
+allow $1 sysfs_gpu:file { getattr open read };
+')
--- a/sepolicy/untrusted_app_all.te
+++ b/sepolicy/untrusted_app_all.te
@@ -0,0 +1 @@
+gpu_access(untrusted_app_all)
				`@@ -0,0 +1 @@`
				`allow bluetooth vcio_device:chr_file rw_file_perms;`
				`@@ -0,0 +1 @@`
				`type vcio_device, dev_type, mlstrustedobject;`