Merge "sepolicy_vndr: add new type for USTA test app data file"
diff --git a/generic/vendor/common/device.te b/generic/vendor/common/device.te
index fc8024f..dc7292b 100644
--- a/generic/vendor/common/device.te
+++ b/generic/vendor/common/device.te
@@ -60,6 +60,8 @@
type vendor_dmabuf_display_heap_device, dev_type;
type vendor_dmabuf_audio_ml_heap_device, dev_type;
+type vendor_membuf_dev, dev_type;
+
type vendor_vm_primary_device, dev_type;
type vendor_vm_trusted_device, dev_type;
type vendor_vm_hlos_device, dev_type;
diff --git a/generic/vendor/common/file.te b/generic/vendor/common/file.te
index aa46d71..fbe56f4 100644
--- a/generic/vendor/common/file.te
+++ b/generic/vendor/common/file.te
@@ -25,6 +25,7 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_sysfs_audio, fs_type, sysfs_type;
+type vendor_sysfs_sndcard, fs_type, sysfs_type;
type vendor_sysfs_battery_supply, sysfs_type, fs_type;
type vendor_sysfs_bond0, fs_type, sysfs_type;
type vendor_sysfs_boot_adsp, sysfs_type, fs_type;
diff --git a/generic/vendor/common/file_contexts b/generic/vendor/common/file_contexts
index 0a1f2ad..0982bde 100644
--- a/generic/vendor/common/file_contexts
+++ b/generic/vendor/common/file_contexts
@@ -130,6 +130,10 @@
/dev/dma_heap/qcom,display u:object_r:vendor_dmabuf_display_heap_device:s0
/dev/dma_heap/qcom,audio-ml u:object_r:vendor_dmabuf_audio_ml_heap_device:s0
+# mem-buf device used for inter-VM memory transactions
+/dev/membuf u:object_r:vendor_membuf_dev:s0
+
+# mem_buf_vm device end points to be used in inter-VM memory transactions
/dev/mem_buf_vm/qcom,trusted_vm u:object_r:vendor_vm_primary_device:s0
/dev/mem_buf_vm/qcom,primary_vm u:object_r:vendor_vm_trusted_device:s0
/dev/mem_buf_vm/qcom,hlos u:object_r:vendor_vm_hlos_device:s0
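Review bot: The two entries directly under the new `# mem_buf_vm device end points` comment look crossed: `/dev/mem_buf_vm/qcom,trusted_vm` is labelled `vendor_vm_primary_device` and `/dev/mem_buf_vm/qcom,primary_vm` is labelled `vendor_vm_trusted_device`. These are unchanged context lines, so the pairing may be intentional, but any `allow` rule written against the type name would then grant access to the other VM's endpoint. Since this commit documents the block and makes `/dev/membuf` available to all generic targets, either confirm the mapping or extend the comment to say the names are deliberately inverted.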
@@ -515,6 +519,7 @@
#Light AIDL HAL
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.qti u:object_r:hal_light_default_exec:s0
+/vendor/bin/hw/vendor\.qti\.hardware\.lights\.service u:object_r:hal_light_default_exec:s0
# Qti Dumpstate HAL
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.qti u:object_r:hal_dumpstate_default_exec:s0
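Review bot: The added lights entry hard-codes `/vendor/bin/hw/...`, while the neighbouring entries in this hunk use the `/(vendor|system/vendor)/` prefix. On a layout where the vendor tree is reached through `/system/vendor`, the new binary would miss the `hal_light_default_exec` label and fail its domain transition. For consistency, write it as `/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.lights\.service u:object_r:hal_light_default_exec:s0`. The same applies to the demura service entry added in generic/vendor/taro/file_contexts, which also sits under the `# Feature configs` heading without a comment of its own.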
diff --git a/generic/vendor/common/hal_audio_default.te b/generic/vendor/common/hal_audio_default.te
index 13919fe..8bce04c 100644
--- a/generic/vendor/common/hal_audio_default.te
+++ b/generic/vendor/common/hal_audio_default.te
@@ -62,6 +62,9 @@
allow hal_audio vendor_sysfs_audio:file rw_file_perms;
allow hal_audio vendor_sysfs_audio:dir r_dir_perms ;
+#allow access to snd_card sysfs
+allow hal_audio vendor_sysfs_sndcard:file rw_file_perms;
+
# audio properties
get_prop(hal_audio, vendor_audio_prop)
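Review bot: The new rule gives `hal_audio` `rw_file_perms` on `vendor_sysfs_sndcard`, and the only path given that label in this commit is `/kernel/snd_card/card_state`. If the audio HAL only reads the card state, `allow hal_audio vendor_sysfs_sndcard:file r_file_perms;` is the least-privilege form. If it does write the node, the comment should say so. Also note that the type and this allow rule live under generic/, while the `genfscon` that applies the label is added only in qva/vendor/common/genfs_contexts, so a build without the qva policy would presumably carry a type that is never assigned to a file.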
diff --git a/generic/vendor/common/qti_display_boot.te b/generic/vendor/common/qti_display_boot.te
index df72d5a..3f79684 100644
--- a/generic/vendor/common/qti_display_boot.te
+++ b/generic/vendor/common/qti_display_boot.te
@@ -32,3 +32,4 @@
allow qti_display_boot vendor_shell_exec:file rx_file_perms;
allow qti_display_boot vendor_toolbox_exec:file x_file_perms;
set_prop(qti_display_boot, vendor_display_prop)
+set_prop(qti_display_boot, vendor_gralloc_prop)
diff --git a/generic/vendor/common/vendor_modprobe.te b/generic/vendor/common/vendor_modprobe.te
index fd414d5..21f444d 100644
--- a/generic/vendor/common/vendor_modprobe.te
+++ b/generic/vendor/common/vendor_modprobe.te
@@ -29,3 +29,5 @@
allow vendor_modprobe vendor_shell_exec:file rx_file_perms;
allow vendor_modprobe vendor_toolbox_exec:file rx_file_perms;
allow vendor_modprobe proc_version:file r_file_perms;
+# Allow the below search permission for modprobe only in user builds too.
+allow vendor_modprobe { vendor_debugfs_ipc debugfs_tracing_instances }:dir search;
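Review bot: This rule grants `vendor_modprobe` directory search on two debugfs types outside any `userdebug_or_eng` guard, and the comment ("only in user builds too") does not say why a production build needs it. If the rule exists only to silence denials raised while modules probe debugfs, `dontaudit vendor_modprobe { vendor_debugfs_ipc debugfs_tracing_instances }:dir search;` would avoid widening access on user builds. If the access is really required, reword the comment to name the module or code path that needs it, for example `# <module> looks up its debugfs directory at load time; required on user builds as well`.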
diff --git a/generic/vendor/taro/file_contexts b/generic/vendor/taro/file_contexts
index 9559aaf..2d50f57 100644
--- a/generic/vendor/taro/file_contexts
+++ b/generic/vendor/taro/file_contexts
@@ -231,3 +231,5 @@
# Feature configs
/sys/devices/platform/soc/780000.qfprom/qfprom0/feat_conf* u:object_r:vendor_sysfs_qfprom:s0
+/vendor/bin/hw/vendor\.qti\.hardware\.display\.demura@1\.0-service u:object_r:hal_display_demura_default_exec:s0
+
diff --git a/generic/vendor/taro/hal_display_demura.te b/generic/vendor/taro/hal_display_demura.te
new file mode 100644
index 0000000..054f4fd
--- /dev/null
+++ b/generic/vendor/taro/hal_display_demura.te
@@ -0,0 +1,47 @@
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Define domain
+type hal_display_demura_default, domain;
+hal_server_domain(hal_display_demura_default, vendor_hal_display_demura)
+type hal_display_demura_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_display_demura_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(vendor_hal_display_demura_client, vendor_hal_display_demura_server)
+binder_call(vendor_hal_display_demura_server, vendor_hal_display_demura_client)
+
+# Add hwservice related rules
+hal_attribute_hwservice(vendor_hal_display_demura, vendor_hal_display_demura_hwservice)
+
+# Rule for vndbinder usage
+allow vendor_hal_display_demura vendor_qdisplay_service:service_manager find;
+vndbinder_use(vendor_hal_display_demura);
+
+# Allow reading/writing to "/data/vendor/display"
+allow hal_display_demura_default vendor_display_vendor_data_file:dir create_dir_perms;
+allow hal_display_demura_default vendor_display_vendor_data_file:file create_file_perms;
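Review bot: The last two rules grant `create_dir_perms` and `create_file_perms` on `vendor_display_vendor_data_file`, but the comment above them describes only reading and writing `/data/vendor/display`. The create sets also allow creating, renaming and unlinking entries, and judging by its name the type is shared with other display components, so the new HAL could remove or replace their files. If the service only opens existing calibration files, `rw_file_perms` with `r_dir_perms` would be enough. Otherwise update the comment to `# Allow creating, reading and writing files under /data/vendor/display`, and consider a dedicated file type for the demura data.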
diff --git a/qva/vendor/taro/device.te b/generic/vendor/taro/hal_graphics_composer_default.te
similarity index 88%
copy from qva/vendor/taro/device.te
copy to generic/vendor/taro/hal_graphics_composer_default.te
index a2b39e5..7b9a784 100644
--- a/qva/vendor/taro/device.te
+++ b/generic/vendor/taro/hal_graphics_composer_default.te
@@ -1,4 +1,4 @@
-# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,4 +25,5 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-type vendor_membuf_dev, dev_type;
+# Allow composer client to find demura service.
+hal_client_domain(hal_graphics_composer_default, vendor_hal_display_demura);
diff --git a/qva/vendor/taro/device.te b/generic/vendor/taro/hwservice.te
similarity index 90%
rename from qva/vendor/taro/device.te
rename to generic/vendor/taro/hwservice.te
index a2b39e5..16d476f 100644
--- a/qva/vendor/taro/device.te
+++ b/generic/vendor/taro/hwservice.te
@@ -1,4 +1,4 @@
-# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,5 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type vendor_membuf_dev, dev_type;
+type vendor_hal_display_demura_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/qva/vendor/taro/device.te b/generic/vendor/taro/hwservice_contexts
similarity index 88%
copy from qva/vendor/taro/device.te
copy to generic/vendor/taro/hwservice_contexts
index a2b39e5..1821f8c 100644
--- a/qva/vendor/taro/device.te
+++ b/generic/vendor/taro/hwservice_contexts
@@ -1,4 +1,4 @@
-# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,5 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type vendor_membuf_dev, dev_type;
+vendor.qti.hardware.display.demura::IDemuraFileFinder u:object_r:vendor_hal_display_demura_hwservice:s0
\ No newline at end of file
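Review bot: The new hwservice_contexts file ends without a trailing newline, as the `\ No newline at end of file` marker shows. Context files from several directories are normally concatenated at build time. Unless the build inserts a separator, the `IDemuraFileFinder` entry could be fused with the first line of the next file, which would yield a malformed or silently wrong mapping. Ending the file with a newline removes the dependency on that build behaviour.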
diff --git a/generic/vendor/test/seapp_contexts b/generic/vendor/test/seapp_contexts
index 1e3d842..a04a6ed 100644
--- a/generic/vendor/test/seapp_contexts
+++ b/generic/vendor/test/seapp_contexts
@@ -32,7 +32,7 @@
user=_app seinfo=platform name=com.qualcomm.qti.usta domain=vendor_usta_app type=vendor_usta_app_data_file levelFrom=all
#Add new domain for qsta app
-user=_app seinfo=platform name=com.qualcomm.qti.sensors.qsensortest domain=vendor_qsta_app type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.qti.sensors.qsensortest domain=vendor_qsta_app type=app_data_file levelFrom=all
#Add new domain for ustaservice app
# Needed for USTA test app
diff --git a/qva/vendor/common/genfs_contexts b/qva/vendor/common/genfs_contexts
index 9623261..11c5959 100644
--- a/qva/vendor/common/genfs_contexts
+++ b/qva/vendor/common/genfs_contexts
@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
+# Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -31,6 +31,8 @@
genfscon proc /asound/cards u:object_r:vendor_proc_audiod:s0
genfscon sysfs /module/msm_thermal/core_control/cpus_offlined u:object_r:vendor_sysfs_mpctl:s0
+genfscon sysfs /kernel/snd_card/card_state u:object_r:vendor_sysfs_sndcard:s0
+
genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon0/name u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon0/cable.0/ u:object_r:vendor_sysfs_graphics:s0
diff --git a/qva/vendor/common/hal_spu_qti.te b/qva/vendor/common/hal_spu_qti.te
index 2d6fc4b..8024754 100644
--- a/qva/vendor/common/hal_spu_qti.te
+++ b/qva/vendor/common/hal_spu_qti.te
@@ -57,9 +57,14 @@
# Allow to allocate HLOS<=>SP share buffers for loading SP apps (r_file_perms includes ioctl)
allow vendor_hal_spu_qti vendor_dmabuf_sp_hlos_heap_device:chr_file r_file_perms;
+allow vendor_hal_spu_qti vendor_dmabuf_system_heap_device:chr_file r_file_perms;
# Allow hyp_assign() for HLOS<=>SP share buffers (r_file_perms includes ioctl)
+allow vendor_hal_spu_qti vendor_vm_hlos_device:chr_file r_file_perms;
+allow vendor_hal_spu_qti vendor_vm_cp_spss_sp_device:chr_file r_file_perms;
+allow vendor_hal_spu_qti vendor_vm_cp_spss_sp_shared_device:chr_file r_file_perms;
allow vendor_hal_spu_qti vendor_vm_cp_spss_hlos_shared_device:chr_file r_file_perms;
+allow vendor_hal_spu_qti vendor_membuf_dev:chr_file r_file_perms;
# Vendor binder
use_vendor_per_mgr(vendor_hal_spu_qti)
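Review bot: The five added rules use `r_file_perms`, which the existing comments note includes `ioctl`, and no `allowxperm` rule accompanies them. `vendor_hal_spu_qti` can therefore issue any ioctl on `/dev/membuf`, the VM endpoint devices and the system dma-buf heap. qseecomd.te in this same change set shows the narrower pattern for the RPMB device. An equivalent here would be `allowxperm vendor_hal_spu_qti vendor_membuf_dev:chr_file ioctl { <MEMBUF_IOCTL_LIST> };` (placeholder for the commands the daemon really uses). The `vendor_dmabuf_system_heap_device` rule is also filed under the "HLOS<=>SP share buffers" comment, although that heap is not SP-specific, so it deserves its own one-line justification. The identical block is added to sec_nvm.te and spdaemon.te. The same points apply there, and a shared attribute or macro would keep the three copies from drifting.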
diff --git a/qva/vendor/common/init_shell.te b/qva/vendor/common/init_shell.te
index e6cf336..239bbb5 100644
--- a/qva/vendor/common/init_shell.te
+++ b/qva/vendor/common/init_shell.te
@@ -59,3 +59,6 @@
vendor_sysfs_mmc_host
sysfs_dm
}:file w_file_perms;
+
+# Allow init shell to access vendor pasr properties
+set_prop(vendor_qti_init_shell, vendor_pasr_prop)
diff --git a/qva/vendor/common/platform_app.te b/qva/vendor/common/platform_app.te
index c32ecd8..a706e75 100644
--- a/qva/vendor/common/platform_app.te
+++ b/qva/vendor/common/platform_app.te
@@ -40,3 +40,6 @@
hal_client_domain(platform_app, hal_fingerprint)
# allow platform_app to interact with pasr hal
hal_client_domain(platform_app, vendor_hal_pasrmanager)
+
+# allow platform_app access to NFC service
+allow platform_app nfc_service:service_manager find;
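Review bot: The rule `allow platform_app nfc_service:service_manager find;` applies to every app running in the `platform_app` domain, not to one component, and it is a rule between two platform types added from vendor policy. The comment does not name the app that needs the NFC service. If a single vendor app needs the lookup, giving it its own domain through seapp_contexts (as is done for the USTA/QSTA apps elsewhere in this change) and granting `find` there would keep the grant narrow. At minimum, extend the comment to name the consumer, for example `# <package> binds to the NFC service for <feature>`.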
diff --git a/qva/vendor/common/qseecomd.te b/qva/vendor/common/qseecomd.te
index 7f4b89f..a831a7e 100644
--- a/qva/vendor/common/qseecomd.te
+++ b/qva/vendor/common/qseecomd.te
@@ -49,3 +49,8 @@
allowxperm tee vendor_rpmb_device:blk_file ioctl { MMC_IOC_CMD };
allowxperm tee vendor_rpmb_device:chr_file ioctl {MMC_IOC_MULTI_CMD};
+
+# As each dma buf is seperate device, need to allow access to those devices
+allow tee vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms;
+allow tee vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms;
+allow tee vendor_dmabuf_user_contig_heap_device:chr_file r_file_perms;
diff --git a/qva/vendor/common/sec_nvm.te b/qva/vendor/common/sec_nvm.te
index 5c82797..93abf0d 100644
--- a/qva/vendor/common/sec_nvm.te
+++ b/qva/vendor/common/sec_nvm.te
@@ -43,9 +43,14 @@
# Allow to allocate HLOS<=>SP share buffers for loading SP apps (r_file_perms includes ioctl)
allow vendor_sec_nvm vendor_dmabuf_sp_hlos_heap_device:chr_file r_file_perms;
+allow vendor_sec_nvm vendor_dmabuf_system_heap_device:chr_file r_file_perms;
# Allow hyp_assign() for HLOS<=>SP share buffers (r_file_perms includes ioctl)
+allow vendor_sec_nvm vendor_vm_hlos_device:chr_file r_file_perms;
+allow vendor_sec_nvm vendor_vm_cp_spss_sp_device:chr_file r_file_perms;
+allow vendor_sec_nvm vendor_vm_cp_spss_sp_shared_device:chr_file r_file_perms;
allow vendor_sec_nvm vendor_vm_cp_spss_hlos_shared_device:chr_file r_file_perms;
+allow vendor_sec_nvm vendor_membuf_dev:chr_file r_file_perms;
allow vendor_sec_nvm vendor_spcom_device:chr_file { getattr rw_file_perms };
allow vendor_sec_nvm vendor_sp_ssr_device:chr_file rw_file_perms;
diff --git a/qva/vendor/common/spdaemon.te b/qva/vendor/common/spdaemon.te
index c595582..d36eb23 100644
--- a/qva/vendor/common/spdaemon.te
+++ b/qva/vendor/common/spdaemon.te
@@ -69,9 +69,14 @@
# Allow to allocate HLOS<=>SP share buffers for loading SP apps (r_file_perms includes ioctl)
allow vendor_spdaemon vendor_dmabuf_sp_hlos_heap_device:chr_file r_file_perms;
+allow vendor_spdaemon vendor_dmabuf_system_heap_device:chr_file r_file_perms;
# Allow hyp_assign() for HLOS<=>SP share buffers (r_file_perms includes ioctl)
+allow vendor_spdaemon vendor_vm_hlos_device:chr_file r_file_perms;
+allow vendor_spdaemon vendor_vm_cp_spss_sp_device:chr_file r_file_perms;
+allow vendor_spdaemon vendor_vm_cp_spss_sp_shared_device:chr_file r_file_perms;
allow vendor_spdaemon vendor_vm_cp_spss_hlos_shared_device:chr_file r_file_perms;
+allow vendor_spdaemon vendor_membuf_dev:chr_file r_file_perms;
userdebug_or_eng(`
allow vendor_spdaemon vendor_debugfs_ipc:file rw_file_perms;
diff --git a/qva/vendor/taro/file_contexts b/qva/vendor/taro/file_contexts
index dbc8a3f..cfd52c5 100644
--- a/qva/vendor/taro/file_contexts
+++ b/qva/vendor/taro/file_contexts
@@ -32,7 +32,6 @@
###################################
#eID
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.eid@1\.0-service u:object_r:vendor_hal_eid_qti_exec:s0
-/dev/membuf u:object_r:vendor_membuf_dev:s0
###################################
#camera