Merge "Add selinux labels for spdaemon"
diff --git a/generic/vendor/common/file_contexts b/generic/vendor/common/file_contexts
index 9db5bda..9003415 100644
--- a/generic/vendor/common/file_contexts
+++ b/generic/vendor/common/file_contexts
@@ -181,6 +181,7 @@
/vendor/lib(64)?/hw/gralloc\.qcom\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.0\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgralloccore\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgrallocutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0
diff --git a/generic/vendor/common/hal_rcsservice.te b/generic/vendor/common/hal_rcsservice.te
index 165f0b8..2eef1fb 100644
--- a/generic/vendor/common/hal_rcsservice.te
+++ b/generic/vendor/common/hal_rcsservice.te
@@ -31,7 +31,6 @@
init_daemon_domain(hal_rcsservice)
net_domain(hal_rcsservice)
-allow hal_rcsservice self:{ qipcrtr_socket } rw_socket_perms_no_ioctl;
get_prop(hal_rcsservice, ims_prop)
set_prop(hal_rcsservice, ims_prop)
@@ -46,7 +45,7 @@
allow hal_rcsservice sysfs_timestamp_switch:file r_file_perms;
allow hal_rcsservice sysfs_data:file r_file_perms;
-
+allow hal_rcsservice self: { socket qipcrtr_socket } create_socket_perms_no_ioctl;
#required for socket creation
unix_socket_connect(hal_rcsservice, ims, ims)
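Review bot: The added `allow hal_rcsservice self: { socket qipcrtr_socket } create_socket_perms_no_ioctl;` grants the generic `socket` class, which covers every address family that has no dedicated SELinux class, so it is wider than the qipcrtr-only rule removed in the earlier hunk of this file. If `socket` is there only for kernels that do not define `qipcrtr_socket` (an assumption, the commit does not say), record that in a comment above the rule, e.g. `# QRTR sockets fall back to the generic socket class on kernels without qipcrtr_socket`; otherwise drop it and keep `self:qipcrtr_socket`. The existing `#required for socket creation` comment now sits directly under the new rule but appears to describe the `unix_socket_connect` line, so a separating blank line would keep that clear. The stray space after `self:` should also go.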
diff --git a/generic/vendor/common/hal_usb_default.te b/generic/vendor/common/hal_usb_default.te
index b3c4b07..e6d2f3d 100644
--- a/generic/vendor/common/hal_usb_default.te
+++ b/generic/vendor/common/hal_usb_default.te
@@ -1,4 +1,4 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+# Copyright (c) 2017, 2019 The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -28,3 +28,4 @@
allow hal_usb_default sysfs_usbpd_device:dir r_dir_perms;
allow hal_usb_default sysfs_usbpd_device:lnk_file r_file_perms;
allow hal_usb_default sysfs_usbpd_device:file rw_file_perms;
+r_dir_file(hal_usb_default, sysfs_usb_supply);
diff --git a/generic/vendor/common/radio.te b/generic/vendor/common/radio.te
index b429ceb..d9a9142 100644
--- a/generic/vendor/common/radio.te
+++ b/generic/vendor/common/radio.te
@@ -43,7 +43,11 @@
# IMS needs permission to use avtimer
allow radio avtimer_device:chr_file r_file_perms;
-
+# permissions for RCS clients to communicate with RCS vendor service
+userdebug_or_eng(`
+ allow radio hal_imsrcsd_hwservice:hwservice_manager find;
+ binder_call(radio, hal_rcsservice);
+')
binder_call(radio, hal_imsrtp)
#perf
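Review bot: The new `userdebug_or_eng` block makes the `find` on `hal_imsrcsd_hwservice` and the binder call to `hal_rcsservice` exist only on debug builds, but the comment above it reads as a general grant for RCS clients. If production RCS clients run in the `radio` domain they will be denied on user builds, and userdebug testing will not reveal it. If the access is meant for test tooling only, say so in the comment, e.g. `# debug builds only: lets RCS test clients in the radio domain reach the RCS vendor service`. The trailing `;` after `binder_call(radio, hal_rcsservice)` is also inconsistent with the `binder_call(radio, hal_imsrtp)` line right below it.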
diff --git a/generic/vendor/kona/genfs_contexts b/generic/vendor/kona/genfs_contexts
index 2634c6d..b4830fa 100644
--- a/generic/vendor/kona/genfs_contexts
+++ b/generic/vendor/kona/genfs_contexts
@@ -37,6 +37,7 @@
genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys2/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys3/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/188101c.qcom,spss/subsys5/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/a600000.ssusb/a600000.dwc3/udc/a600000.dwc3 u:object_r:sysfs_usb_controller:s0
#subsys nodes WLAN
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6390/subsys10/name u:object_r:sysfs_ssr:s0
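Review bot: The added `udc/a600000.dwc3` entry is labelled `sysfs_usb_controller` but sits inside the run of subsystem-restart `subsysN/name` nodes labelled `sysfs_ssr`, which makes it easy to miss when auditing USB-related labels. Placing it under its own heading, e.g. `#USB controller node`, would match how the WLAN group just below is introduced. No hunk on this page declares `sysfs_usb_controller` or grants a domain access to it, so confirm the type is defined elsewhere; a genfscon entry naming an undeclared type fails the policy build.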
@@ -55,6 +56,7 @@
genfscon sysfs /devices/platform/soc/soc:qcom,cpu-cpu-llcc-bw/devfreq u:object_r:sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpu-llcc-ddr-bw/devfreq u:object_r:sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,npu-npu-ddr-bw/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,npudsp-npu-ddr-bw/devfreq u:object_r:sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/18590000.qcom,devfreq-l3/18590000.qcom,devfreq-l3:qcom,cpu0-cpu-l3-lat/devfreq u:object_r:sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/18590000.qcom,devfreq-l3/18590000.qcom,devfreq-l3:qcom,cpu4-cpu-l3-lat/devfreq u:object_r:sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/18590000.qcom,devfreq-l3/18590000.qcom,devfreq-l3:qcom,cpu7-cpu-l3-lat/devfreq u:object_r:sysfs_devfreq:s0
diff --git a/legacy/vendor/common/file_contexts b/legacy/vendor/common/file_contexts
index c7e4c80..4c9eee2 100644
--- a/legacy/vendor/common/file_contexts
+++ b/legacy/vendor/common/file_contexts
@@ -648,6 +648,7 @@
# same-process HAL files and their dependencies
#
+/vendor/lib(64)?/hw/gralloc\.qcom\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/gralloc\.msm8998\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.0\.so u:object_r:same_process_hal_file:s0
diff --git a/legacy/vendor/common/hal_iop_default.te b/legacy/vendor/common/hal_iop_default.te
index 939d569..7e7b036 100644
--- a/legacy/vendor/common/hal_iop_default.te
+++ b/legacy/vendor/common/hal_iop_default.te
@@ -37,6 +37,7 @@
# Add hwservice related rules
add_hwservice(hal_iop_server, hal_iop_hwservice)
allow hal_iop_client hal_iop_hwservice:hwservice_manager find;
+allow hal_iop_client hal_perf_hwservice:hwservice_manager find;
#Allow access for vendor property
get_prop(hal_iop, vendor_iop_prop)
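Review bot: The added `allow hal_iop_client hal_perf_hwservice:hwservice_manager find;` lets every domain carrying the `hal_iop_client` attribute look up the perf HAL service, yet `find` alone does not permit a binder call to the perf HAL server. Either the grant is incomplete or it depends on rules outside this hunk. If only particular IOP clients need the perf HAL, attach the perf client rules to those domains instead of widening the IOP client attribute. The rule also has no comment, unlike its neighbours; something like `# IOP clients also look up the perf HAL service` would document the intent. The same line is added in qva/vendor/common/hal_iop_default.te.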
diff --git a/legacy/vendor/common/hwservice_contexts b/legacy/vendor/common/hwservice_contexts
index 40a58cf..207eff9 100644
--- a/legacy/vendor/common/hwservice_contexts
+++ b/legacy/vendor/common/hwservice_contexts
@@ -90,5 +90,7 @@
vendor.qti.hardware.scve.objecttracker::IObjectTracker u:object_r:hal_scve_hwservice:s0
vendor.qti.hardware.wifi.hostapd::IHostapdVendor u:object_r:hal_wifi_hostapd_hwservice:s0
vendor.qti.hardware.mlshal::IMlsDap u:object_r:hal_mirrorlink_hwservice:s0
+vendor.qti.hardware.mlshal::IMlsVnc u:object_r:hal_mirrorlink_hwservice:s0
+vendor.qti.hardware.mlshal::IMlsIon u:object_r:hal_mirrorlink_hwservice:s0
vendor.qti.hardware.wifi.wifilearner::IWifiStats u:object_r:hal_wifilearner_hwservice:s0
vendor.qti.hardware.fm::IFmHci u:object_r:hal_fm_hwservice:s0
diff --git a/qva/private/mirrorlink.te b/qva/private/mirrorlink.te
index e569353..356fc2a 100644
--- a/qva/private/mirrorlink.te
+++ b/qva/private/mirrorlink.te
@@ -68,6 +68,9 @@
allow mirrorlink audio_device:chr_file rw_file_perms;
allow mirrorlink audio_device:dir r_dir_perms;
+# Allow access to /proc/asound/pcm file
+r_dir_file(mirrorlink, proc_asound)
+
# Allow a base set of permissions for mirrorlinkserver to be a client of graphics composer HAL.
hal_client_domain(mirrorlink, hal_graphics_composer);
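Review bot: The comment on the new rule names a single file, /proc/asound/pcm, but `r_dir_file(mirrorlink, proc_asound)` grants read on every directory, file and symlink labelled `proc_asound`. Rewording the comment to match the grant keeps the policy auditable, e.g. `# Allow read access to proc_asound entries; mirrorlink reads /proc/asound/pcm`.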
@@ -85,6 +88,9 @@
# Allow read access to EGL lib
allow mirrorlink system_file:dir r_dir_perms;
+# Allow read-write access to gpu device.
+allow mirrorlink gpu_device:chr_file rw_file_perms;
+
# Allow access to video encoder device.
allow mirrorlink video_device:chr_file rw_file_perms;
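Review bot: `allow mirrorlink gpu_device:chr_file rw_file_perms;` includes `ioctl`, and nothing in this hunk restricts which ioctl commands the domain may issue on the GPU node, which is a large kernel driver interface. The comment restates the rule rather than giving the reason, so it should say why mirrorlink needs write and ioctl access on the device. If the platform policy constrains GPU ioctls for other domains with `allowxperm` rules, applying the same restriction here would keep this domain no broader than they are.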
diff --git a/qva/vendor/common/app.te b/qva/vendor/common/app.te
new file mode 100644
index 0000000..9ac2370
--- /dev/null
+++ b/qva/vendor/common/app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Add app permissions for iop property access
+get_prop(appdomain, vendor_iop_prop)
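Review bot: `get_prop(appdomain, vendor_iop_prop)` is written against the `appdomain` attribute, so every app domain, untrusted third-party apps included, can read the IOP vendor properties. If only particular apps or the framework need these values, grant the read to those domains instead; the system_server.te hunk in this commit already adds `get_prop(system_server, vendor_iop_prop)`. If the broad grant is intended, the comment should say which properties are exposed and why they are safe for all apps to read. It is also worth checking the rule against the platform's neverallow and Treble property restrictions, which this page does not show.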
diff --git a/qva/vendor/common/file.te b/qva/vendor/common/file.te
index bb20a57..0f03ae5 100755
--- a/qva/vendor/common/file.te
+++ b/qva/vendor/common/file.te
@@ -49,6 +49,7 @@
type sysfs_npu, fs_type, sysfs_type;
type vendor_persist_mmi_file, file_type, vendor_persist_type;
+type persist_hvdcp_file, file_type, vendor_persist_type;
#File type by mmi
type vendor_mmi_socket, file_type;
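Review bot: The new type `persist_hvdcp_file` (and `iop_socket` / `iop_data_file` in the next hunk) is declared without the `vendor_` prefix that the neighbouring `vendor_persist_mmi_file` and `vendor_mmi_socket` use. Unprefixed vendor types can collide with a same-named type added later in platform policy, so `vendor_persist_hvdcp_file`, `vendor_iop_socket` and `vendor_iop_data_file` would be safer names. The file_contexts and .te hunks in this commit that reference them would need the same rename. `persist_hvdcp_file` also has no comment, unlike the `#IOP` heading added for the other two.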
@@ -66,6 +67,10 @@
type mpctl_socket, file_type, mlstrustedobject;
type mpctl_data_file, file_type, data_file_type;
+#IOP
+type iop_socket, file_type;
+type iop_data_file, file_type, data_file_type;
+
#Define the files used by lm
type lm_data_file, file_type, data_file_type;
diff --git a/qva/vendor/common/file_contexts b/qva/vendor/common/file_contexts
index 4ae60b0..abd42c3 100644
--- a/qva/vendor/common/file_contexts
+++ b/qva/vendor/common/file_contexts
@@ -44,6 +44,7 @@
###################################
# Dev socket nodes
#
+/dev/socket/iop u:object_r:iop_socket:s0
/dev/socket/mlid u:object_r:mlid_socket:s0
/dev/socket/ssgqmig u:object_r:ssgqmig_socket:s0
/dev/socket/ssgtzd u:object_r:ssgtzd_socket:s0
@@ -116,6 +117,7 @@
###################################
# data files
#
+/data/vendor/iop(/.*)? u:object_r:iop_data_file:s0
/data/vendor/misc/qti_fp(/.*)? u:object_r:qfp-daemon_data_file:s0
/data/vendor/wifi(/.*)? u:object_r:wifi_vendor_data_file:s0
/data/vendor/wifi/sockets(/.*)? u:object_r:wifi_vendor_wpa_socket:s0
@@ -135,7 +137,7 @@
/mnt/vendor/persist/qti_fp(/.*)? u:object_r:persist_qti_fp_file:s0
/mnt/vendor/persist/FTM_AP(/.*)? u:object_r:vendor_persist_mmi_file:s0
/mnt/vendor/persist/vpp(/.*)? u:object_r:persist_vpp_file:s0
-
+/mnt/vendor/persist/hvdcp_opti(/.*)? u:object_r:persist_hvdcp_file:s0
# same-process HAL files and their dependencies
#
diff --git a/qva/vendor/common/hal_iop_default.te b/qva/vendor/common/hal_iop_default.te
index ba9dafe..9d8681a 100644
--- a/qva/vendor/common/hal_iop_default.te
+++ b/qva/vendor/common/hal_iop_default.te
@@ -36,3 +36,15 @@
# Add hwservice related rules
add_hwservice(hal_iop_server, hal_iop_hwservice)
allow hal_iop_client hal_iop_hwservice:hwservice_manager find;
+allow hal_iop_client hal_perf_hwservice:hwservice_manager find;
+
+#Allow access for vendor property
+get_prop(hal_iop, vendor_iop_prop)
+get_prop(hal_iop, vendor_mpctl_prop)
+
+# Allow access for /proc
+allow hal_iop_default proc:file r_file_perms;
+
+#Allow Access for /data/vendor/iop
+allow hal_iop iop_data_file:dir rw_dir_perms;
+allow hal_iop iop_data_file:file create_file_perms;
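Review bot: `allow hal_iop_default proc:file r_file_perms;` grants read on the generic `proc` label, which covers every /proc file that has no more specific type, so the domain can read far more than the comment `# Allow access for /proc` suggests. Name the files the HAL actually reads in the comment and grant their specific types, or give them a label in genfs_contexts if they have none. The rule is also written against `hal_iop_default` while the rest of the added lines use the `hal_iop` attribute; choose one deliberately so the server and its clients do not end up with different grants by accident.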
diff --git a/generic/vendor/common/hvdcp.te b/qva/vendor/common/hvdcp.te
similarity index 86%
rename from generic/vendor/common/hvdcp.te
rename to qva/vendor/common/hvdcp.te
index fae5e23..38b8150 100644
--- a/generic/vendor/common/hvdcp.te
+++ b/qva/vendor/common/hvdcp.te
@@ -1,4 +1,4 @@
-# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -56,12 +56,12 @@
sysfs_spmi_dev
}:lnk_file r_file_perms;
-allow hvdcp self:capability { setgid setuid };
allow hvdcp self:capability2 wake_alarm;
-allow hvdcp kmsg_device:chr_file rw_file_perms;
-allow hvdcp cgroup:dir { create add_name };
+userdebug_or_eng(`allow hvdcp kmsg_device:chr_file rw_file_perms;')
allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow hvdcp sysfs_battery_supply:file setattr;
-allow hvdcp sysfs_usb_supply:file setattr;
-allow hvdcp sysfs_usbpd_device:file setattr;
+
+allow hvdcp mnt_vendor_file:dir search;
+allow hvdcp persist_hvdcp_file:dir rw_dir_perms;
+allow hvdcp persist_hvdcp_file:file create_file_perms;
+
wakelock_use(hvdcp)
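Review bot: `allow hvdcp persist_hvdcp_file:dir rw_dir_perms;` lets hvdcp add and remove entries but not create a directory. So /mnt/vendor/persist/hvdcp_opti has to exist and carry the `persist_hvdcp_file` label before the daemon starts, and nothing on this page shows where it is created. Once the creation path is confirmed, a comment above the three new rules should record that dependency, e.g. `# hvdcp state lives in /mnt/vendor/persist/hvdcp_opti, which must be pre-created and labelled`. The one-line `userdebug_or_eng(...)` wrapper around the kmsg rule would also benefit from a comment saying kernel-log access is debug-only. The first two context lines close a rule that starts above the hunk.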
diff --git a/qva/vendor/common/system_app.te b/qva/vendor/common/system_app.te
index 59f5d45..052a904 100755
--- a/qva/vendor/common/system_app.te
+++ b/qva/vendor/common/system_app.te
@@ -31,6 +31,7 @@
#allow system_app access factory
hal_client_domain(system_app, vendor_hal_factory_qti);
hal_client_domain(system_app, hal_fm);
+
# fm_radio app needes open read on fm_radio_device
allow system_app fm_radio_device:chr_file r_file_perms;
@@ -42,3 +43,5 @@
#allow system app access display color for qdcm
hal_client_domain(system_app, hal_display_color);
+# allow system_app to interact with light hal
+hal_client_domain(system_app, hal_light);
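Review bot: `hal_client_domain(system_app, hal_light)` gives every app running in the `system_app` domain direct access to the light HAL, and the comment does not say which app needs it or why it cannot go through the framework's lights service. Recording the consumer in the comment, e.g. `# <app name> drives LEDs directly through the light HAL`, makes the grant reviewable later. The new line also omits the trailing `;` that the other `hal_client_domain` lines visible in this file carry.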
diff --git a/qva/vendor/common/system_server.te b/qva/vendor/common/system_server.te
index b14445c..59d9d3c 100644
--- a/qva/vendor/common/system_server.te
+++ b/qva/vendor/common/system_server.te
@@ -30,3 +30,9 @@
hal_client_domain(system_server, hal_iop)
allow system_server proc_audiod:file r_file_perms;
+
+# allow system_server to access IOP HAL service
+hal_client_domain(system_server, hal_iop)
+
+# allow system_server to access vendor display property.
+get_prop(system_server, vendor_iop_prop)
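Review bot: The added `hal_client_domain(system_server, hal_iop)` repeats the identical line that is already the first context line of this hunk, so it adds nothing and should be dropped along with its comment. The comment on the last rule says `vendor display property`, but the rule is `get_prop(system_server, vendor_iop_prop)`; it should read `# allow system_server to read vendor IOP properties`.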