Merge tag 'LA.UM.12.2.1.r1-02500-sdm660.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy into lineage-21.0-legacy-um

"LA.UM.12.2.1.r1-02500-sdm660.0"

* tag 'LA.UM.12.2.1.r1-02500-sdm660.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy:
  sepolicy : Allow apps to have read access to vendor_display_prop
  sepolicy:qcc: add qcc path to dropbox
  sepolicy:qcc : switch to platform app
  Sepolicy : dontaudit to vendor.hw.fm.init property
  SE Policy change to fix avc denial for qcrild socket
  Avc denials on sdm660 from location, hal_gnss_qti
  sepolicy: Add file context for Widevine DRM
  sepolicy: Add file context for DRM
  sepolicy: Fix qcc avc denial issue
  sepolicy:donotaudit for com.qualcomm.location
  Sepolicy rules to allow Gnss Hal to access ssgtz
  sepolicy rules to allow Gnss Hal to access RIL Srv
  Allow vendor_location_xtwifi_client to access ssgtzd socket

 Conflicts:
	generic/vendor/common/file_contexts
	legacy/vendor/common/vendor_init.te

Change-Id: Ibcd6a15e0ee9ab5bee6da5bafb41702e67549e30
diff --git a/generic/private/qcc_app.te b/generic/private/qcc_app.te
index b1674dd..ffab64d 100644
--- a/generic/private/qcc_app.te
+++ b/generic/private/qcc_app.te
@@ -25,12 +25,13 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-typeattribute vendor_qcc_app mlstrustedsubject;
 
 app_domain(vendor_qcc_app)
 net_domain(vendor_qcc_app)
 binder_use(vendor_qcc_app)
 
+hal_client_domain(vendor_qcc_app, vendor_qccsyshal);
+
 allow vendor_qcc_app radio_service:service_manager find;
 # for vendor_perf_service
 allow vendor_qcc_app app_api_service:service_manager find;
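Review bot: The added `hal_client_domain(vendor_qcc_app, vendor_qccsyshal);` ends in a semicolon, unlike the `app_domain`, `net_domain` and `binder_use` calls directly above it. Dropping the semicolon keeps the file uniform: `hal_client_domain(vendor_qcc_app, vendor_qccsyshal)`. The line also has no comment, while most other grants in this file do; something like `# client of the QCC system HAL` (wording to be confirmed by the owner) would say why the app needs this HAL.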
@@ -44,10 +45,10 @@
 # allow access to mediadrmserver for qdmastats/wvstats
 allow vendor_qcc_app mediadrmserver_service:service_manager find;
 
-# allow vendor_qcc_app to access system_app_data_file
-# necessary for read and write /data/user_de/0/com.---.qti.qdma subdirectory.
-allow vendor_qcc_app system_app_data_file:dir create_dir_perms;
-allow vendor_qcc_app system_app_data_file:file create_file_perms;
+# allow vendor_qcc_app to access app_data_file
+# necessary for read and write /data/user_de/0/ subdirectory.
+allow vendor_qcc_app app_data_file:dir create_dir_perms;
+allow vendor_qcc_app app_data_file:file create_file_perms;
 
 # allow cgroup access
 allow vendor_qcc_app cgroup:file rw_file_perms;
diff --git a/legacy/vendor/common/app.te b/legacy/vendor/common/app.te
index 684da80..b642238 100644
--- a/legacy/vendor/common/app.te
+++ b/legacy/vendor/common/app.te
@@ -24,6 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 
 #Allow all apps to open and send ioctl to qdsp device
 allow appdomain qdsp_device:chr_file r_file_perms;
@@ -39,3 +43,6 @@
 
 # Allow all apps to open and send ioctl to npu device
 allow appdomain npu_device:chr_file r_file_perms;
+
+#Allow all apps to have read access to vendor_display_prop
+get_prop(appdomain, vendor_display_prop)
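Review bot: `get_prop(appdomain, vendor_display_prop)` makes the property readable from every app domain, which on a stock policy includes untrusted and isolated apps. The comment restates the rule without saying why all apps need it. If only a few clients read these properties, granting to those domains would be tighter. Otherwise confirm that nothing under vendor_display_prop is device-unique or usable for fingerprinting, and record that in the comment, e.g. `# display configuration only, no per-device identifiers; read by <client library> inside app processes`.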
diff --git a/legacy/vendor/common/file.te b/legacy/vendor/common/file.te
index 7baddc6..d86ce0d 100644
--- a/legacy/vendor/common/file.te
+++ b/legacy/vendor/common/file.te
@@ -24,6 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 
 # Default type for anything under /firmware.
 type firmware_file,  file_type, contextmount_type, vendor_file_type;
@@ -415,3 +419,6 @@
 #slub-debug
 type sysfs_slab_zshandle_storeuser, fs_type, sysfs_type;
 type sysfs_slab_zspage_storeuser, fs_type, sysfs_type;
+
+#ril socket
+type vendor_rild_socket, file_type;
diff --git a/legacy/vendor/common/file_contexts b/legacy/vendor/common/file_contexts
index ce8b856..22e5389 100644
--- a/legacy/vendor/common/file_contexts
+++ b/legacy/vendor/common/file_contexts
@@ -24,7 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 ###################################
 # Dev nodes
 #
@@ -151,6 +154,7 @@
 /dev/socket/rild3                               u:object_r:rild_socket:s0
 /dev/socket/rild3-debug                         u:object_r:rild_debug_socket:s0
 /dev/socket/rild-debug3                         u:object_r:rild_debug_socket:s0
+/dev/socket/qcrild(/.*)?                        u:object_r:vendor_rild_socket:s0
 /dev/socket/msm_irqbalance                      u:object_r:vendor_msm_irqbalance_socket:s0
 /dev/socket/mlid                                u:object_r:mlid_socket:s0
 /dev/socket/ssgqmig                             u:object_r:ssgqmig_socket:s0
@@ -271,6 +275,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[2-4]-service-lazy.clearkey    u:object_r:hal_drm_clearkey_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[1-4]-service.widevine   u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[2-4]-service-lazy.widevine    u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.widevine          u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service-lazy\.widevine  u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti  u:object_r:hal_bluetooth_qti_exec:s0
diff --git a/legacy/vendor/common/location_app.te b/legacy/vendor/common/location_app.te
index 3321905..d3c6594 100644
--- a/legacy/vendor/common/location_app.te
+++ b/legacy/vendor/common/location_app.te
@@ -55,3 +55,4 @@
 allow vendor_location_app self:qipcrtr_socket create_socket_perms_no_ioctl;
 allow vendor_location_app sysfs_data:file r_file_perms;
 unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)
+dontaudit vendor_location_app default_prop:file {read};
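Review bot: None of the three dontaudit rules added by this merge says which access it silences or why the denial is safe to ignore. They are `default_prop:file {read}` here, `vendor_fm_prop:property_service set` in legacy/vendor/common/vendor_init.te, and `default_android_service:service_manager {find}` in legacy/vendor/sdm660/location_app.te. A dontaudit leaves the denial in force but removes the log line, so any later access by these domains to those catch-all types leaves no audit trail. Denials on default_prop and default_android_service often point at an unlabelled property or service (inferred, not shown on this page), and labelling it is the cleaner fix. Failing that, each rule should carry a comment naming the item and the reason, e.g. `# <property name>: read is intentionally denied, suppress log noise`.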
diff --git a/legacy/vendor/common/service_contexts b/legacy/vendor/common/service_contexts
index f3dc5ff..9848e3b 100644
--- a/legacy/vendor/common/service_contexts
+++ b/legacy/vendor/common/service_contexts
@@ -42,4 +42,6 @@
 com.qualcomm.qti.secota.service.SecotaNService u:object_r:secotad_service:s0
 com.qualcomm.qti.seemp.health                  u:object_r:seemp_health_daemon_service:s0
 com.qualcomm.qti.uceservice                    u:object_r:imsrcs_service:s0
+#Refer to b/236750094
+android.hardware.drm.IDrmFactory/widevine                             u:object_r:hal_drm_service:s0
 vendor.qti.hardware.wifi.supplicant.ISupplicantVendor/default         u:object_r:hal_wifi_supplicant_service:s0
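Review bot: `#Refer to b/236750094` points at a tracker entry that readers of this tree may not be able to open, and it says nothing about the line it sits on. A self-contained comment would be more useful, for example `# AIDL Widevine DRM HAL instance (android.hardware.drm-service.widevine)`. That wording is inferred from the file_contexts entries added in the same merge and should be confirmed.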
diff --git a/legacy/vendor/common/vendor_init.te b/legacy/vendor/common/vendor_init.te
index 9c45dd8..b3f8a87 100644
--- a/legacy/vendor/common/vendor_init.te
+++ b/legacy/vendor/common/vendor_init.te
@@ -125,5 +125,6 @@
 
 allow vendor_init tee_device:chr_file getattr;
 allow vendor_init block_device:lnk_file setattr;
+dontaudit vendor_init vendor_fm_prop:property_service set;
 
 set_prop(vendor_init, vendor_time_service_prop)
diff --git a/legacy/vendor/sdm660/hal_gnss_qti.te b/legacy/vendor/sdm660/hal_gnss_qti.te
new file mode 100644
index 0000000..6cdc4b8
--- /dev/null
+++ b/legacy/vendor/sdm660/hal_gnss_qti.te
@@ -0,0 +1,9 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
+
+#Allow Gnss HAL to access ril socket
+allow hal_gnss_qti vendor_rild_socket:dir search;
+allow hal_gnss_qti vendor_rild_socket:sock_file write;
+unix_socket_connect(hal_gnss_qti, rild, rild)
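Review bot: `unix_socket_connect(hal_gnss_qti, rild, rild)` expands in the standard macro set to a `write` grant on `rild_socket:sock_file` plus `connectto` on rild's stream socket. The GNSS HAL therefore gets write access to the legacy `rild_socket` nodes in addition to the explicit `vendor_rild_socket` rules above it. If the HAL only talks to the socket under /dev/socket/qcrild, the narrower `allow hal_gnss_qti rild:unix_stream_socket connectto;` would be enough; whether it also uses the legacy nodes cannot be told from this page. The header comment names `generic/vendor_hal_gnss_qti.te` but the file is `legacy/vendor/sdm660/hal_gnss_qti.te`, so it should read `# hal_gnss_qti.te - sdm660 sepolicy rules for the GNSS HAL`.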
diff --git a/legacy/vendor/sdm660/location.te b/legacy/vendor/sdm660/location.te
new file mode 100644
index 0000000..077b165
--- /dev/null
+++ b/legacy/vendor/sdm660/location.te
@@ -0,0 +1,7 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
+
+# allows location to access ssgtzd socket
+allow location ssgtzd_socket:sock_file write;
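Review bot: The rule grants only `write` on the `ssgtzd_socket` sock_file, and connecting to a stream socket also needs `connectto` on the peer domain's `unix_stream_socket`. If no other file already grants that to `location`, the connection will still be denied, and the usual form `unix_socket_connect(location, ssgtzd, ssgtzd)` covers both; this assumes the peer domain is named `ssgtzd`, which the page does not show. The header comment refers to `generic/vendor_location.te` while the file is `legacy/vendor/sdm660/location.te`, so it should be corrected to the real path.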
diff --git a/legacy/vendor/sdm660/location_app.te b/legacy/vendor/sdm660/location_app.te
index 0d0273b..6bf6da9 100644
--- a/legacy/vendor/sdm660/location_app.te
+++ b/legacy/vendor/sdm660/location_app.te
@@ -24,5 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 
 allow vendor_location_app sysfs_kgsl_gpu_model:file r_file_perms;
+dontaudit vendor_location_app default_android_service:service_manager {find};
diff --git a/legacy/vendor/sdm660/rild.te b/legacy/vendor/sdm660/rild.te
new file mode 100644
index 0000000..5facef3
--- /dev/null
+++ b/legacy/vendor/sdm660/rild.te
@@ -0,0 +1,8 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# rild.te - sepolicy rules for legacy ril module
+
+# allows rild to create rild0 and rild1 sockets
+allow rild vendor_rild_socket:dir w_dir_perms;
+allow rild vendor_rild_socket:sock_file create_file_perms;
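Review bot: The comment names the rild0 and rild1 sockets but not the directory the rules apply to. The file_contexts change in this merge labels `/dev/socket/qcrild(/.*)?` as `vendor_rild_socket`, so that is presumably the location. Spelling it out ties the two files together for the next reader: `# rild creates its rild0/rild1 sockets under /dev/socket/qcrild (vendor_rild_socket)`.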
diff --git a/qva/private/file.te b/qva/private/file.te
index fb8f9a6..9ed43ca 100644
--- a/qva/private/file.te
+++ b/qva/private/file.te
@@ -34,5 +34,5 @@
 type vendor_qvrd_hvx_socket, file_type, coredomain_socket;
 type vendor_sys_sxrd_data_file, file_type, data_file_type, core_data_file_type;
 type vendor_sys_sxrd_socket, file_type, mlstrustedobject, coredomain_socket;
-type vendor_qcc_data_file, file_type, data_file_type, core_data_file_type;
+type vendor_qcc_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type vendor_qcc_app_socket, file_type, mlstrustedobject, coredomain_socket;
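Review bot: Adding `mlstrustedobject` to `vendor_qcc_data_file` exempts everything under /data/misc/qcc and /data/misc/qdma from MLS category checks, so access is decided by type-enforcement rules alone. That looks like the counterpart to dropping `mlstrustedsubject` from vendor_qcc_app, but the line carries no comment saying so. It is worth confirming that only the intended domains hold allow rules on this type, then recording the reason, e.g. `# mlstrustedobject: written by vendor_qcc_app (levelFrom=all) and read by <daemon> at s0`.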
diff --git a/qva/private/file_contexts b/qva/private/file_contexts
index e0cffa1..650acaf 100644
--- a/qva/private/file_contexts
+++ b/qva/private/file_contexts
@@ -38,7 +38,7 @@
 /dev/socket/qvrservice_camera                   u:object_r:vendor_qvrd_socket:s0
 /dev/socket/qvrservice_hvx_camera               u:object_r:vendor_qvrd_hvx_socket:s0
 /dev/socket/sxrservice                          u:object_r:vendor_sys_sxrd_socket:s0
-/dev/socket/qdma_app(/.*)?                      u:object_r:vendor_qcc_app_socket:s0
+/dev/socket/(qcc_app|qdma_app)(/.*)?            u:object_r:vendor_qcc_app_socket:s0
 
 ####### system file ###############
 /system/bin/seempd                              u:object_r:vendor_seempd_exec:s0
@@ -65,4 +65,4 @@
 /data/misc/qvr(/.*)?                            u:object_r:vendor_qvrd_data_file:s0
 /data/misc/sxr(/.*)?                            u:object_r:vendor_sys_sxrd_data_file:s0
 /data/nfc(/.*)?                                 u:object_r:nfc_data_file:s0
-/data/misc/qdma(/.*)?                           u:object_r:vendor_qcc_data_file:s0
+/data/misc/(qcc|qdma)(/.*)?                           u:object_r:vendor_qcc_data_file:s0
diff --git a/qva/private/seapp_contexts b/qva/private/seapp_contexts
index 19d2ca0..7245b43 100644
--- a/qva/private/seapp_contexts
+++ b/qva/private/seapp_contexts
@@ -31,7 +31,7 @@
 user=_app seinfo=platform name=com.qualcomm.qti.ssmeditor domain=vendor_qconfig_app type=app_data_file levelfrom=all
 
 #Add new domain for QCC
-user=system seinfo=platform name=com.qti.qcc isPrivApp=true domain=vendor_qcc_app type=system_app_data_file
+user=_app seinfo=platform name=com.qti.qcc domain=vendor_qcc_app type=app_data_file levelFrom=all
 #Add new domain for QCCLMTP
 user=system seinfo=platform name=com.qualcomm.qti.qcclmtp isPrivApp=true domain=vendor_qcc_lmtp_app type=system_app_data_file
 #Add new domain for QCC-Utils
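Review bot: The new QCC entry spells the selector `levelFrom=all`, while the vendor_qconfig_app entry a few lines above uses `levelfrom=all`. The parser is believed to match keys case-insensitively, so this is a consistency point rather than a functional one, but using a single spelling keeps the file greppable. With `user=system` and `isPrivApp=true` dropped, the domain assignment now depends only on the platform signature and the package name. A short comment on the entry saying that the change was intentional would help later audits.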