device: setup sepolicy and permisstion for FriendlyThing

Signed-off-by: hmz007 <hmz007@gmail.com>

device/rockchip/common/rootdir/ueventd.rockchip.rc

@@ -70,16 +70,7 @@ import /vendor/etc/ueventd.car.rc
 /dev/hidraw0              0660   audio  audio
 
 # for radio
-/dev/ttyUSB0              0660   radio		radio
-/dev/ttyUSB1              0660   radio		radio
-/dev/ttyUSB2              0660   radio		radio
-/dev/ttyUSB3              0660   radio		radio
-/dev/ttyUSB4              0660   radio		radio
-/dev/ttyUSB5              0660   radio		radio
-/dev/ttyUSB6              0660   radio		radio
-/dev/ttyUSB7              0660   radio		radio
-/dev/ttyUSB8              0660   radio		radio
-/dev/ttyUSB9              0660   radio		radio
+/dev/ttyUSB*              0660   system     radio
 
 # for mali-t764
 /dev/mali0           	  0666   system   	 system
@@ -187,14 +178,45 @@ import /vendor/etc/ueventd.car.rc
 #for autopq function
 /dev/block/by-name/autopq 0660 system system
 
-/dev/cpu_state 0666 system system
-/dev/chip_state 0666 system system
-/dev/i2c-1 0660 system system
+/dev/cpu_state       0666   system     system
+/dev/chip_state      0666   system     system
+/dev/i2c-1           0660   system     system
+/dev/i2c-2           0660   system     system
+/dev/i2c-3           0660   system     system
+/dev/rtc0            0660   system     system
+/dev/spidev*         0660   system     system
+/dev/ttyS3           0660   system     system
+/dev/ttyS4           0660   system     system
+/dev/ttyS5           0660   system     system
+/dev/ttyS6           0660   system     system
+/dev/ttyS7           0660   system     system
+/dev/ttyS8           0660   system     system
+/dev/watchdog        0660   system     system
+
+#for gpio
+/sys/class/gpio/gpio*           active_low  0660 system system
+/sys/class/gpio/gpio*           direction   0660 system system
+/sys/class/gpio/gpio*           edge        0660 system system
+/sys/class/gpio/gpio*           value       0660 system system
+
+#for pwm
+/sys/class/pwm/pwmchip*         export      0660 system system
+/sys/class/pwm/pwmchip*         unexport    0660 system system
+/sys/class/pwm/pwmchip*         pwm0/enable      0660 system system
+/sys/class/pwm/pwmchip*         pwm0/period      0660 system system
+/sys/class/pwm/pwmchip*         pwm0/duty_cycle  0660 system system
+/sys/class/pwm/pwmchip*         pwm0/polarity    0660 system system
+
+#for rtc
+/sys/class/rtc/rtc0             date        0660 system system
+/sys/class/rtc/rtc0             time        0660 system system
+/sys/class/rtc/rtc0             wakealarm   0660 system system
+
 #for ovr
-/dev/ovr0		  0664   system          system
+/dev/ovr0            0664   system     system
 
 #for rk_isp1
-/dev/v4l-subdev*          0666   media      camera
+/dev/v4l-subdev*     0666   media      camera
 
 /dev/video*          0660   media      camera
 /dev/rk803           0660   media      camera

device/rockchip/common/sepolicy/vendor/file.te

@@ -14,3 +14,11 @@ type debugfs_sw_sync, fs_type, debugfs_type;
 type sysfs_dmc, fs_type, sysfs_type;
 type sysfs_mmc, fs_type, sysfs_type;
 type sysfs_udc, fs_type, sysfs_type;
+
+# type for FriendlyThing
+type i2c_device, dev_type;
+type spi_device, dev_type;
+type sysfs_gpio, fs_type, sysfs_type;
+type sysfs_iio, fs_type, sysfs_type;
+type sysfs_pwm, fs_type, sysfs_type;
+type sysfs_soc, sysfs_type, fs_type, mlstrustedobject;

device/rockchip/common/sepolicy/vendor/file_contexts

@@ -183,6 +183,23 @@
 /sys/class/rfkill(/.*)?                 u:object_r:sysfs_bluetooth_writable:s0
 /proc/bluetooth/sleep/lpm               u:object_r:sysfs_bluetooth_writable:s0
 
+#for FriendlyThing
+/dev/i2c-[3-8]                          u:object_r:i2c_device:s0
+/dev/spidev.*                           u:object_r:spi_device:s0
+/sys/class/gpio/.*export                u:object_r:sysfs_gpio:s0
+/sys/devices/platform/board/info        u:object_r:sysfs_soc:s0
+/sys/devices/platform/fec10000.saradc/iio:device0/in_voltage.*          u:object_r:sysfs_iio:s0
+/sys/devices/platform/fec80000.i2c/i2c-6/6-0051/rtc/rtc0/date           u:object_r:sysfs_rtc:s0
+/sys/devices/platform/fec80000.i2c/i2c-6/6-0051/rtc/rtc0/time           u:object_r:sysfs_rtc:s0
+/sys/devices/platform/fec80000.i2c/i2c-6/6-0051/rtc/rtc0/wakealarm      u:object_r:sysfs_rtc:s0
+/sys/devices/platform/fec80000.i2c/i2c-6/6-0051/rtc/rtc0/wakeup.*       u:object_r:sysfs_wakeup:s0
+/sys/devices/platform/pinctrl/f.*/gpio.*/active_low                     u:object_r:sysfs_gpio:s0
+/sys/devices/platform/pinctrl/f.*/gpio.*/direction                      u:object_r:sysfs_gpio:s0
+/sys/devices/platform/pinctrl/f.*/gpio.*/edge                           u:object_r:sysfs_gpio:s0
+/sys/devices/platform/pinctrl/f.*/gpio.*/value                          u:object_r:sysfs_gpio:s0
+/sys/devices/platform/f.*/pwm/.*export  u:object_r:sysfs_pwm:s0
+/sys/devices/platform/f.*/pwm0/.*       u:object_r:sysfs_pwm:s0
+
 #seekwave
 /dev/BTCMD           u:object_r:skwbt_device:s0
 /dev/BTDATA          u:object_r:skwbt_device:s0
@@ -233,7 +250,6 @@
 #abc
 /data/vendor/logs(/.*)?                         u:object_r:abc_data_file:s0
 
-
 #read pcie info
 /vendor/bin/read_pcie_info.sh u:object_r:read_pcie_info_exec:s0
 

device/rockchip/common/sepolicy/vendor/platform_app.te

@@ -3,6 +3,10 @@ rw_rockchip_graphic_device(platform_app)
 
 allow platform_app hal_hdmi_hwservice:hwservice_manager { find };
 
+allow platform_app ota_package_file:dir rw_dir_perms;
+allow platform_app ota_package_file:file rw_file_perms;
+# get_prop(platform_app, vendor_default_prop)
+
 binder_call(platform_app, hal_hdmi_default)
 
 allow platform_app update_engine:binder { call transfer };

device/rockchip/common/sepolicy/vendor/system_app.te

@@ -55,3 +55,19 @@ allow system_app proc_pagetypeinfo:file r_file_perms;
 
 allow system_app mnt_sdcard_file:lnk_file r_file_perms;
 allow system_app mnt_pass_through_file:dir r_file_perms;
+
+#for FriendlyThings demo
+allow system_app sysfs_gpio:dir search;
+allow system_app sysfs_gpio:file rw_file_perms;
+allow system_app sysfs_iio:file r_file_perms;
+allow system_app sysfs_pwm:dir search;
+allow system_app sysfs_pwm:file rw_file_perms;
+allow system_app sysfs_rtc:dir search;
+allow system_app sysfs_rtc:{ file lnk_file } rw_file_perms;
+allow system_app sysfs_soc:file { open read write getattr };
+allow system_app i2c_device:chr_file rw_file_perms;
+allow system_app rtc_device:chr_file rw_file_perms;
+allow system_app spi_device:chr_file rw_file_perms;
+allow system_app serial_device:chr_file rw_file_perms;
+allow system_app usb_serial_device:chr_file rw_file_perms;
+allow system_app watchdog_device:chr_file rw_file_perms;

device/rockchip/rk356x/nanopi5/init.rk356x.rc

@@ -45,6 +45,11 @@ on boot
     # reduce schedul time to improve io performance
     write /sys/kernel/debug/sched_features NO_ENERGY_AWARE
 
+    chmod 0220 /sys/class/gpio/export
+    chown root system /sys/class/gpio/export
+    chmod 0220 /sys/class/gpio/unexport
+    chown root system /sys/class/gpio/unexport
+
     start vendor.usbmod_sh
 
 on init

device/rockchip/rk3588/nanopi6/init.rk3588.rc

@@ -61,6 +61,11 @@ on boot
     chown system system /sys/devices/platform/fd5d0000.syscon/fd5d0000.syscon:usb2-phy@0/otg_mode
     chmod 0660 /sys/devices/platform/fd5d0000.syscon/fd5d0000.syscon:usb2-phy@0/otg_mode
 
+    chmod 0220 /sys/class/gpio/export
+    chown root system /sys/class/gpio/export
+    chmod 0220 /sys/class/gpio/unexport
+    chown root system /sys/class/gpio/unexport
+
     # The initial load of RT process, set the range of 0-1024, set the RT task above 300 will preferentially run on the cpuB(cpu4-cpu7)
     write /proc/sys/kernel/sched_util_clamp_min_rt_default 0