| # Copyright (c) 2018-2020, The Linux Foundation. All rights reserved. |
| # |
| # Redistribution and use in source and binary forms, with or without |
| # modification, are permitted provided that the following conditions are |
| # met: |
| # * Redistributions of source code must retain the above copyright |
| # notice, this list of conditions and the following disclaimer. |
| # * Redistributions in binary form must reproduce the above |
| # copyright notice, this list of conditions and the following |
| # disclaimer in the documentation and/or other materials provided |
| # with the distribution. |
| # * Neither the name of The Linux Foundation nor the names of its |
| # contributors may be used to endorse or promote products derived |
| # from this software without specific prior written permission. |
| # |
| # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED |
| # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
| # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT |
| # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS |
| # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
| # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, |
| # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE |
| # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
| # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| |
| # generic/vendor_location.te - sepolicy rules for generic vendor_location modules |
| |
| # loc_launcher service |
| # which launches various other services supporting GPS & Wifi-RTT (LOWI) vendor_location |
| type vendor_location, domain; |
| type vendor_location_exec, exec_type, vendor_file_type, file_type; |
| |
| init_daemon_domain(vendor_location) |
| |
| allow vendor_location self:capability { setgid setuid }; |
| |
| hwbinder_use(vendor_location) |
| |
| get_prop(vendor_location, hwservicemanager_prop) |
| get_prop(vendor_location, vendor_cnd_prop) |
| #xtra-daemon access to qcc properties |
| get_prop(vendor_location, vendor_qcc_prop) |
| |
| allow vendor_location fwk_sensor_hwservice:hwservice_manager find; |
| binder_call(vendor_location, system_server) |
| binder_call(vendor_location, vendor_cnd) |
| |
| # Enable standard network access (for XTRA download) |
| net_domain(vendor_location) |
| |
| # required for xtra-daemon, slim-daemon. |
| allow vendor_location self:qipcrtr_socket create_socket_perms_no_ioctl; |
| |
| dontaudit vendor_location kernel:system module_request; |
| |
| # execute permission for vendor_location daemons in /vendor/bin/ |
| allow vendor_location vendor_location_exec:file rx_file_perms; |
| |
| # /data/vendor/vendor_location |
| allow vendor_location vendor_location_data_file:dir create_dir_perms; |
| allow vendor_location vendor_location_data_file:file create_file_perms; |
| |
| # /dev/socket/vendor_location |
| allow vendor_location vendor_location_socket: {sock_file lnk_file } create_file_perms; |
| allow vendor_location vendor_location_socket:dir rw_dir_perms; |
| |
| allow vendor_location vendor_hal_gnss_qti:unix_dgram_socket sendto; |
| |
| # permission for read execute vendor_location daemons in userdebug mode. |
| userdebug_or_eng(` |
| allow shell vendor_location_exec:file rx_file_perms; |
| ') |
| |
| ## lowi-server |
| ############## |
| # some additional network access |
| allow vendor_location self:netlink_generic_socket create_socket_perms_no_ioctl; |
| allow vendor_location self:netlink_socket create_socket_perms_no_ioctl; |
| allowxperm vendor_location self:udp_socket ioctl lowi_server_ioctls; |
| allow vendor_location hal_wifi:unix_stream_socket { read write }; |
| |
| # /data/vendor/wifi |
| allow vendor_location vendor_wifi_vendor_data_file:dir search; |
| |
| # /data/vendor/wifi/wpa |
| allow vendor_location wpa_data_file:dir rw_dir_perms; |
| allow vendor_location wpa_data_file:sock_file create_file_perms; |
| allow vendor_location hal_wifi_supplicant_default:unix_dgram_socket sendto; |
| |
| # /dev/socket/wifihal |
| allow vendor_location vendor_wifihal_socket:dir search; |
| unix_socket_send(vendor_location, vendor_wifihal, hal_wifi_default); |
| |
| ## xtra-daemon |
| ############## |
| allow vendor_location {vendor_hal_cacert_hwservice vendor_hal_datafactory_hwservice vendor_hal_cne_hwservice}:hwservice_manager find; |
| binder_call(vendor_location, vendor_qtidataservices_app) |