generic/vendor/common/imsservice.te

# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above
#       copyright notice, this list of conditions and the following
#       disclaimer in the documentation and/or other materials provided
#       with the distribution.
#     * Neither the name of The Linux Foundation nor the names of its
#       contributors may be used to endorse or promote products derived
#       from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Changes from Qualcomm Innovation Center are provided under the following license:
#
# Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
# SPDX-License-Identifier: BSD-3-Clause-Clear

type vendor_ims_service, domain;
type vendor_ims_service_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(vendor_ims_service)
net_domain(vendor_ims_service)

set_prop(vendor_ims_service, vendor_ims_prop)
get_prop(vendor_ims_service, vendor_ims_prop)
get_prop(vendor_ims_service, vendor_cnd_prop)
get_prop(vendor_ims_service, vendor_persist_rcs_prop)

allow vendor_ims_service vendor_sysfs_data:file r_file_perms;

wakelock_use(vendor_ims_service)
allow vendor_ims_service self:capability net_bind_service;
allow vendor_ims_service self:capability2 wake_alarm;

allow vendor_ims_service ion_device:chr_file r_file_perms;

unix_socket_connect(vendor_ims_service, vendor_cnd, vendor_cnd)

allow vendor_ims_service self: { socket qipcrtr_socket } create_socket_perms_no_ioctl;
allow vendor_ims_service vendor_ims_service_socket:sock_file write;
netmgr_socket(vendor_ims_service);
allowxperm vendor_ims_service self:udp_socket ioctl RMNET_IOCTL_EXTENDED;
allow vendor_ims_service self:tipc_socket { create_socket_perms_no_ioctl };

#diag
userdebug_or_eng(`
    diag_use(vendor_ims_service)
    binder_call(vendor_ims_service, radio)
')

set_prop(vendor_ims_service, vendor_ctl_vendor_imsrcsservice_prop)

hwbinder_use(vendor_ims_service)
allow vendor_ims_service vendor_hal_cne_hwservice:hwservice_manager find;

hal_client_domain(vendor_ims_service , vendor_hal_datafactory_qti)

#add IService and IImsFactory to HIDL interface

#hal server domain for ims_service
hal_server_domain_bypass(vendor_ims_service, vendor_hal_imsfactory)
binder_call(vendor_hal_imsfactory_client, vendor_hal_imsfactory_server)
binder_call(vendor_hal_imsfactory_server, vendor_hal_imsfactory_client)
hal_attribute_hwservice(vendor_hal_imsfactory, vendor_hal_imsfactory_hwservice)
hal_attribute_hwservice(vendor_hal_imsfactory, vendor_hal_imsrcsd_hwservice)
hal_attribute_hwservice(vendor_hal_imsfactory, vendor_hal_imscallinfo_hwservice)


# imsdaemon needs read/write access to devpts
allow vendor_ims_service devpts:chr_file rw_file_perms;

allow vendor_ims_service vendor_imsd_data_file:dir rw_dir_perms;
allow vendor_ims_service vendor_imsd_data_file:file create_file_perms;
neverallow {domain -vendor_ims_service} vendor_imsd_data_file:chr_file no_rw_file_perms;