blob: 6fabf15695a0bcc0e1cfb3cc8d0a42ba4f0912c4 [file] [log] [blame]
# Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# vendor_ssgtzd - SSG TZ Daemon
type vendor_ssgtzd, domain, mlstrustedsubject;
type vendor_ssgtzd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_ssgtzd)
#Allow access to smcinvoke device
allow vendor_ssgtzd tee_device:chr_file rw_file_perms;
allow vendor_ssgtzd vendor_ssg_app:unix_stream_socket connectto;
#Allow access to firmware/image
allow vendor_ssgtzd vendor_firmware_file:dir r_dir_perms;
allow vendor_ssgtzd vendor_firmware_file:file r_file_perms;
#Allow ssgtzd to create sockets for HTTP
allow vendor_ssgtzd self:udp_socket create_socket_perms;
# Allow ssgtzd to write state information to /data/vendor/qwes/qwesd.conf
allow vendor_ssgtzd vendor_qwes_data_file:dir { rw_dir_perms setattr };
allow vendor_ssgtzd vendor_qwes_data_file:file rw_file_perms;
# Allow access to qipcrtr_socket
# Remove this when QMI service moves to pfmd
allow vendor_ssgtzd self:{ socket qipcrtr_socket } create_socket_perms;
allowxperm vendor_ssgtzd self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;