generic/vendor/common/location.te - LeafOS-Project/android_device_qcom_sepolicy_vndr - Gitiles

 # Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
 # met:
 #     * Redistributions of source code must retain the above copyright
 #       notice, this list of conditions and the following disclaimer.
 #     * Redistributions in binary form must reproduce the above
 #       copyright notice, this list of conditions and the following
 #       disclaimer in the documentation and/or other materials provided
 #       with the distribution.
 #     * Neither the name of The Linux Foundation nor the names of its
 #       contributors may be used to endorse or promote products derived
 #       from this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
 # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
 # ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 # Changes from Qualcomm Innovation Center are provided under the following license:
 #
 # Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
 # SPDX-License-Identifier: BSD-3-Clause-Clear

 # generic/vendor_location.te - sepolicy rules for generic vendor_location modules

 # loc_launcher service
 # which launches various other services supporting GPS & Wifi-RTT (LOWI) vendor_location
 type vendor_location, domain;
 type vendor_location_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(vendor_location)

 allow vendor_location self:capability { setgid setuid };

 hwbinder_use(vendor_location)

 get_prop(vendor_location, hwservicemanager_prop)
 get_prop(vendor_location, vendor_cnd_prop)
 #xtra-daemon access to qcc properties
 get_prop(vendor_location, vendor_qcc_prop)

 allow vendor_location fwk_sensor_hwservice:hwservice_manager find;
 binder_call(vendor_location, system_server)
 binder_call(vendor_location, vendor_cnd)

 # Enable standard network access (for XTRA download)
 net_domain(vendor_location)

 # required for xtra-daemon, slim-daemon.
 allow vendor_location self:qipcrtr_socket create_socket_perms_no_ioctl;

 dontaudit vendor_location kernel:system module_request;

 # execute permission for vendor_location daemons in /vendor/bin/
 allow vendor_location vendor_location_exec:file rx_file_perms;

 # /data/vendor/vendor_location
 allow vendor_location vendor_location_data_file:dir create_dir_perms;
 allow vendor_location vendor_location_data_file:file create_file_perms;

 # /dev/socket/vendor_location
 allow vendor_location vendor_location_socket: {sock_file lnk_file } create_file_perms;
 allow vendor_location vendor_location_socket:dir rw_dir_perms;

 allow vendor_location vendor_hal_gnss_qti:unix_dgram_socket sendto;

 # permission for read execute vendor_location daemons in userdebug mode.
 userdebug_or_eng(`
   allow shell vendor_location_exec:file rx_file_perms;
 ')

 ## lowi-server
 ##############
 # some additional network access
 allow vendor_location self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow vendor_location self:netlink_socket create_socket_perms_no_ioctl;
 allowxperm vendor_location self:udp_socket ioctl lowi_server_ioctls;
 allow vendor_location hal_wifi:unix_stream_socket { read write };

 # /data/vendor/wifi
 allow vendor_location vendor_wifi_vendor_data_file:dir search;

 # /data/vendor/wifi/wpa
 allow vendor_location wpa_data_file:dir rw_dir_perms;
 allow vendor_location wpa_data_file:sock_file create_file_perms;
 allow vendor_location hal_wifi_supplicant_default:unix_dgram_socket sendto;

 # /dev/socket/wifihal
 allow vendor_location vendor_wifihal_socket:dir search;
 unix_socket_send(vendor_location, vendor_wifihal,  hal_wifi_default);

 # /dev/socket/mlid
 allow vendor_location vendor_mlid:unix_dgram_socket sendto;

 ## xtra-daemon
 ##############
 hal_client_domain(vendor_location , vendor_hal_datafactory_qti)
 hal_client_domain(vendor_location , vendor_hal_cacertservice_qti)

 crash_dump_fallback(vendor_location)
	# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
	#
	# Redistribution and use in source and binary forms, with or without
	# modification, are permitted provided that the following conditions are
	# met:
	# * Redistributions of source code must retain the above copyright
	# notice, this list of conditions and the following disclaimer.
	# * Redistributions in binary form must reproduce the above
	# copyright notice, this list of conditions and the following
	# disclaimer in the documentation and/or other materials provided
	# with the distribution.
	# * Neither the name of The Linux Foundation nor the names of its
	# contributors may be used to endorse or promote products derived
	# from this software without specific prior written permission.
	#
	# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
	# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
	# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
	# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
	# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
	# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
	# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
	# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
	# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	#
	# Changes from Qualcomm Innovation Center are provided under the following license:
	#
	# Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
	# SPDX-License-Identifier: BSD-3-Clause-Clear

	# generic/vendor_location.te - sepolicy rules for generic vendor_location modules

	# loc_launcher service
	# which launches various other services supporting GPS & Wifi-RTT (LOWI) vendor_location
	type vendor_location, domain;
	type vendor_location_exec, exec_type, vendor_file_type, file_type;

	init_daemon_domain(vendor_location)

	allow vendor_location self:capability { setgid setuid };

	hwbinder_use(vendor_location)

	get_prop(vendor_location, hwservicemanager_prop)
	get_prop(vendor_location, vendor_cnd_prop)
	#xtra-daemon access to qcc properties
	get_prop(vendor_location, vendor_qcc_prop)

	allow vendor_location fwk_sensor_hwservice:hwservice_manager find;
	binder_call(vendor_location, system_server)
	binder_call(vendor_location, vendor_cnd)

	# Enable standard network access (for XTRA download)
	net_domain(vendor_location)

	# required for xtra-daemon, slim-daemon.
	allow vendor_location self:qipcrtr_socket create_socket_perms_no_ioctl;

	dontaudit vendor_location kernel:system module_request;

	# execute permission for vendor_location daemons in /vendor/bin/
	allow vendor_location vendor_location_exec:file rx_file_perms;

	# /data/vendor/vendor_location
	allow vendor_location vendor_location_data_file:dir create_dir_perms;
	allow vendor_location vendor_location_data_file:file create_file_perms;

	# /dev/socket/vendor_location
	allow vendor_location vendor_location_socket: {sock_file lnk_file } create_file_perms;
	allow vendor_location vendor_location_socket:dir rw_dir_perms;

	allow vendor_location vendor_hal_gnss_qti:unix_dgram_socket sendto;

	# permission for read execute vendor_location daemons in userdebug mode.
	userdebug_or_eng(`
	allow shell vendor_location_exec:file rx_file_perms;
	')

	## lowi-server
	##############
	# some additional network access
	allow vendor_location self:netlink_generic_socket create_socket_perms_no_ioctl;
	allow vendor_location self:netlink_socket create_socket_perms_no_ioctl;
	allowxperm vendor_location self:udp_socket ioctl lowi_server_ioctls;
	allow vendor_location hal_wifi:unix_stream_socket { read write };

	# /data/vendor/wifi
	allow vendor_location vendor_wifi_vendor_data_file:dir search;

	# /data/vendor/wifi/wpa
	allow vendor_location wpa_data_file:dir rw_dir_perms;
	allow vendor_location wpa_data_file:sock_file create_file_perms;
	allow vendor_location hal_wifi_supplicant_default:unix_dgram_socket sendto;

	# /dev/socket/wifihal
	allow vendor_location vendor_wifihal_socket:dir search;
	unix_socket_send(vendor_location, vendor_wifihal, hal_wifi_default);

	# /dev/socket/mlid
	allow vendor_location vendor_mlid:unix_dgram_socket sendto;

	## xtra-daemon
	##############
	hal_client_domain(vendor_location , vendor_hal_datafactory_qti)
	hal_client_domain(vendor_location , vendor_hal_cacertservice_qti)

	crash_dump_fallback(vendor_location)