universal7870:selinux: split by private/pub/vendor

BoardConfigCommon.mk

@@ -167,9 +167,13 @@ VENDOR_SECURITY_PATCH := 2019-10-05
 # Seccomp
 BOARD_SECCOMP_POLICY := $(LOCAL_PATH)/seccomp
 
+#SELINUX_IGNORE_NEVERALLOWS := true
+
 # SELinux
-BOARD_SEPOLICY_DIRS := $(LOCAL_PATH)/sepolicy
 BOARD_SEPOLICY_VERS := $(PLATFORM_SDK_VERSION).0
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR := $(LOCAL_PATH)/sepolicy/private
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR := $(LOCAL_PATH)/sepolicy/public
+BOARD_SEPOLICY_DIRS := $(LOCAL_PATH)/sepolicy/vendor
 
 # Shim
 TARGET_LD_SHIM_LIBS += \

sepolicy/vendor/crash_dump.te

+allow crash_dump hwservicemanager_prop:file open;

sepolicy/file.te → sepolicy/vendor/file.te

@@ -48,6 +48,7 @@ type sysfs_block, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_jack, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_v4l, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_sswap, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_kgsl, sysfs_type, fs_type;
 
 ### data types
 type biometrics_vendor_data_file, file_type, data_file_type;

sepolicy/hal_camera_default.te → sepolicy/vendor/hal_camera_default.te

@@ -6,3 +6,7 @@ allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
 vndbinder_use(hal_camera_default)
 
 allow hal_camera_default sysfs:file { getattr open read write };
+
+#allow hal_camera_default ashmem_device_service:service_manager find;
+allow hal_camera_default ashmemd:binder call;
+allow hal_camera_default servicemanager:binder call;