Merge tag 'LA.VENDOR.13.2.0.r1-23800-KAILUA.QSSI14.0' into staging/lineage-21.0_merge-LA.VENDOR.13.2.0.r1-23800-KAILUA.QSSI14.0

LA.VENDOR.13.2.0.r1-23800-KAILUA.QSSI14.0

# By Neelu Maheshwari (3) and others
# Via Gerrit - the friendly Code Review server (4) and others
* tag 'LA.VENDOR.13.2.0.r1-23800-KAILUA.QSSI14.0':
  location: Add rules for crash_dump to act on hal_gnss crash
  sepolicy_vndr: Allow bootanim to have read access to vendor_display_prop
  Revert "Added SE-Policy for UsbUdev Service"
  Revert "Added SE-Policy for UsbUdev Service"
  sepolicy_vndr: Add rule to allow graphics_composer to find qspm hal
  sepolicy_vndr : allow to read aon property(ro.vendor.qc_aon_presence)
  Not need access to /dev/smcinvoke for QTEE API
  sepolicy_vndr: Added wakeup nodes
  sepolicy_vndr: Add leds and vibrator selinux support for bengal
  sepolicy: Fix avc denials of icnss for wakeup nodes

Change-Id: Ifcff974d574cd70fa9a052517f89afdfc16d877a
diff --git a/.gitupstream b/.gitupstream
new file mode 100644
index 0000000..3b566ca
--- /dev/null
+++ b/.gitupstream
@@ -0,0 +1 @@
+https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr
diff --git a/SEPolicy.mk b/SEPolicy.mk
index 2f47b2f..bd9c54f 100644
--- a/SEPolicy.mk
+++ b/SEPolicy.mk
@@ -1,6 +1,5 @@
 # Board specific SELinux policy variable definitions
-ifeq ($(call is-vendor-board-platform,QCOM),true)
-SEPOLICY_PATH:= device/qcom/sepolicy_vndr
+SEPOLICY_PATH:= device/qcom/sepolicy_vndr/sm8550
 QSSI_SEPOLICY_PATH:= device/qcom/sepolicy
 BOARD_SYSTEM_EXT_PREBUILT_DIR := device/qcom/sepolicy/generic
 BOARD_PRODUCT_PREBUILT_DIR := device/qcom/sepolicy/generic/product
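Review bot: Removing the `ifeq ($(call is-vendor-board-platform,QCOM),true)` guard (its matching `endif` is dropped in the second hunk) makes every assignment in this file unconditional, so the include site is now the only thing preventing the QCOM vendor policy directories from being appended on a board that is not a QCOM platform; that is fine if this file is only reached from QCOM board configs, but nothing in the file states that any more. A one-line comment at the top, e.g. `# Expected to be included only from QCOM board configs; the is-vendor-board-platform check now lives at the include site`, would record the assumption. `SEPOLICY_PATH` also hard-codes the `sm8550` subdirectory while `QSSI_SEPOLICY_PATH` stays generic, and the same literal is repeated in qva/vendor/test/sysmonapp/keys.conf in this commit, so the two have to be kept in sync by hand.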
@@ -25,26 +24,24 @@
     $(QSSI_SEPOLICY_PATH)/generic/product/private
 
 ifeq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
-    BOARD_SEPOLICY_DIRS := \
-       $(BOARD_SEPOLICY_DIRS) \
+    BOARD_VENDOR_SEPOLICY_DIRS := \
+       $(BOARD_VENDOR_SEPOLICY_DIRS) \
        $(SEPOLICY_PATH) \
        $(SEPOLICY_PATH)/generic/vendor/common \
        $(SEPOLICY_PATH)/generic/vendor/common/attribute \
        $(SEPOLICY_PATH)/qva/vendor/common
 
     ifeq ($(TARGET_SEPOLICY_DIR),)
-      BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_BOARD_PLATFORM)
-      BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_BOARD_PLATFORM)
+      BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_BOARD_PLATFORM)
+      BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_BOARD_PLATFORM)
     else
-      BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_SEPOLICY_DIR)
-      BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
+      BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_SEPOLICY_DIR)
+      BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
     endif
 
     ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
-    BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/test
-    BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test
-    BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test/sysmonapp
+    BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/test
+    BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test
+    BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test/sysmonapp
     endif
 endif
-
-endif
diff --git a/generic/vendor/common/app.te b/generic/vendor/common/app.te
index 7648f6c..13defbd 100644
--- a/generic/vendor/common/app.te
+++ b/generic/vendor/common/app.te
@@ -42,6 +42,6 @@
 allow appdomain vendor_npu_device:chr_file r_file_perms;
 
 # Allow all apps to access /dev/dma_heap/qcom,system
-allow { appdomain -isolated_app -coredomain } vendor_dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app_all -coredomain } vendor_dmabuf_system_heap_device:chr_file r_file_perms;
 
 dontaudit appdomain vendor_hal_qspmhal_hwservice:hwservice_manager find;
diff --git a/generic/vendor/common/domain.te b/generic/vendor/common/domain.te
index b3b4732..0f4f053 100644
--- a/generic/vendor/common/domain.te
+++ b/generic/vendor/common/domain.te
@@ -30,10 +30,10 @@
 
 get_prop(domain, vendor_gralloc_prop)
 
-r_dir_file({domain - isolated_app - untrusted_app_all }, vendor_sysfs_soc);
-r_dir_file({domain - isolated_app - untrusted_app_all }, vendor_sysfs_esoc);
-r_dir_file({domain - isolated_app - untrusted_app_all }, vendor_sysfs_ssr);
-r_dir_file({domain - isolated_app}, sysfs_thermal);
+r_dir_file({domain - isolated_app_all - untrusted_app_all }, vendor_sysfs_soc);
+r_dir_file({domain - isolated_app_all - untrusted_app_all }, vendor_sysfs_esoc);
+r_dir_file({domain - isolated_app_all - untrusted_app_all }, vendor_sysfs_ssr);
+r_dir_file({domain - isolated_app_all}, sysfs_thermal);
 
 #Reding of standard chip details need this
 allow untrusted_app_all {
@@ -41,7 +41,7 @@
         vendor_sysfs_esoc
         vendor_sysfs_ssr
         }:dir search ;
-r_dir_file({domain - isolated_app }, vendor_sysfs_public);
+r_dir_file({domain - isolated_app_all }, vendor_sysfs_public);
 
 
 get_prop(domain, vendor_public_vendor_default_prop)
@@ -58,10 +58,10 @@
      -vold
      } vendor_persist_type: { dir file } *;
 
-allow { domain - isolated_app } vendor_sysfs_kgsl:dir search;
+allow { domain - isolated_app_all } vendor_sysfs_kgsl:dir search;
 # Allow all context to read gpu model
-allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;
-allow { domain - isolated_app } vendor_sysfs_kgsl_gpubusy:file r_file_perms;
+allow { domain - isolated_app_all } vendor_sysfs_kgsl_gpu_model:file r_file_perms;
+allow { domain - isolated_app_all } vendor_sysfs_kgsl_gpubusy:file r_file_perms;
 
 neverallow {
     coredomain
diff --git a/generic/vendor/common/file.te b/generic/vendor/common/file.te
index 34c775a..db807b8 100644
--- a/generic/vendor/common/file.te
+++ b/generic/vendor/common/file.te
@@ -154,7 +154,7 @@
 type vendor_location_data_file, file_type, data_file_type;
 type vendor_audio_data_file, file_type, data_file_type;
 type vendor_audio_dsp_data_file, file_type, data_file_type;
-type vendor_radio_data_file, file_type, data_file_type;
+type vendor_radio_data_file, file_type, data_file_type, app_data_file_type;
 type vendor_wifi_vendor_log_data_file, file_type, data_file_type;
 type vendor_log_wifi_data_file, file_type, data_file_type;
 # for mount /persist
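Review bot: Adding `app_data_file_type` to vendor_radio_data_file does more than satisfy the new `type=vendor_radio_data_file` assignment in generic/vendor/common/seapp_contexts: every platform rule written against that attribute now also applies to this type, which, as far as I recall the AOSP policy, includes the domains that create and manage app data directories (installd, zygote, system_server). That widening is presumably intended, since the imshelper app's data directory is now created through the seapp_contexts path, but nothing on the type line says so. A comment such as `# app_data_file_type: assigned via seapp_contexts to vendor_imshelper_app, so platform app-data rules apply to it` would record why the attribute is there. Existing on-device directories still labelled radio_data_file would need a relabel; whether a boot-time restorecon covers that for this app is not something the diff shows.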
diff --git a/generic/vendor/common/genfs_contexts b/generic/vendor/common/genfs_contexts
index 4794756..014ed46 100644
--- a/generic/vendor/common/genfs_contexts
+++ b/generic/vendor/common/genfs_contexts
@@ -201,3 +201,5 @@
 
 genfscon sysfs /kernel/qts/primary/trusted_touch_enable u:object_r:vendor_sysfs_trusted_touch_enable:s0
 genfscon sysfs /kernel/qts/secondary/trusted_touch_enable u:object_r:vendor_sysfs_trusted_touch_enable:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,pmic_glink/soc:qcom,pmic_glink:qcom,ucsi/power_supply/ucsi-source-psy-soc:qcom,pmic_glink:qcom,ucsi1 u:object_r:vendor_sysfs_battery_supply:s0
diff --git a/generic/vendor/common/hal_drm_widevine.te b/generic/vendor/common/hal_drm_widevine.te
index b1b168c..c81f792 100644
--- a/generic/vendor/common/hal_drm_widevine.te
+++ b/generic/vendor/common/hal_drm_widevine.te
@@ -33,7 +33,7 @@
 init_daemon_domain(vendor_hal_drm_widevine)
 
 allow vendor_hal_drm_widevine mediacodec:fd use;
-allow vendor_hal_drm_widevine { appdomain -isolated_app }:fd use;
+allow vendor_hal_drm_widevine { appdomain -isolated_app_all }:fd use;
 allow vendor_hal_drm_widevine vendor_qce_device:chr_file rw_file_perms;
 
 #Allow access to smcinvoke device
diff --git a/generic/vendor/common/hwservice_contexts b/generic/vendor/common/hwservice_contexts
index 9ba1f13..7b9b5f4 100644
--- a/generic/vendor/common/hwservice_contexts
+++ b/generic/vendor/common/hwservice_contexts
@@ -39,7 +39,6 @@
 vendor.display.config::IDisplayConfig                           u:object_r:vendor_hal_display_config_hwservice:s0
 vendor.display.color::IDisplayColor                             u:object_r:vendor_hal_display_color_hwservice:s0
 vendor.display.postproc::IDisplayPostproc                       u:object_r:vendor_hal_display_postproc_hwservice:s0
-vendor.qti.hardware.data.iwlan::IIWlan                          u:object_r:vendor_hal_iwlan_hwservice:s0
 vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore     u:object_r:vendor_hal_capabilityconfigstore_qti_hwservice:s0
 vendor.qti.hardware.improvetouch.touchcompanion::ITouchCompanion       u:object_r:vendor_hal_hbtp_hwservice:s0
 vendor.qti.hardware.improvetouch.gesturemanager::IGestureManager       u:object_r:vendor_hal_hbtp_hwservice:s0
diff --git a/generic/vendor/common/seapp_contexts b/generic/vendor/common/seapp_contexts
index f843911..1a1d7ce 100644
--- a/generic/vendor/common/seapp_contexts
+++ b/generic/vendor/common/seapp_contexts
@@ -40,7 +40,7 @@
 user=_app seinfo=platform name=.qtidataservices domain=vendor_qtidataservices_app type=app_data_file levelFrom=all
 
 #Add new domain for imshelper service
-user=radio seinfo=platform name=.imshelperservice domain=vendor_imshelper_app type=radio_data_file
+user=radio seinfo=platform name=.imshelperservice domain=vendor_imshelper_app type=vendor_radio_data_file
 
 #Add new domain for power off alarm app
 user=_app seinfo=platform name=com.qualcomm.qti.poweroffalarm domain=vendor_poweroffalarm_app type=app_data_file levelFrom=all
diff --git a/generic/vendor/common/service.te b/generic/vendor/common/service.te
index b02bcde..e5df9f7 100644
--- a/generic/vendor/common/service.te
+++ b/generic/vendor/common/service.te
@@ -35,6 +35,6 @@
 # Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
 # SPDX-License-Identifier: BSD-3-Clause-Clear
 
-type vendor_hal_vnddisplayconfig_service, vendor_service, protected_service, service_manager_type;
-type vendor_hal_telephony_service2, vendor_service, protected_service, service_manager_type;
-type vendor_hal_imsdc_service,        vendor_service, protected_service, service_manager_type;
+type vendor_hal_vnddisplayconfig_service, hal_service_type, protected_service, service_manager_type;
+type vendor_hal_telephony_service2,       hal_service_type, protected_service, service_manager_type;
+type vendor_hal_imsdc_service,            hal_service_type, protected_service, service_manager_type;
diff --git a/generic/vendor/common/vndr_hal_neverallow.te b/generic/vendor/common/vndr_hal_neverallow.te
index 079979c..097845a 100644
--- a/generic/vendor/common/vndr_hal_neverallow.te
+++ b/generic/vendor/common/vndr_hal_neverallow.te
@@ -67,6 +67,12 @@
 neverallow {
   vendor_halserverdomain
   - vendor_qtidataservices_app
-} { file_type fs_type }:file execute_no_trans;
+} {
+  file_type
+  fs_type
+  # May invoke shell commands via /system/bin/sh
+  -shell_exec
+  -toolbox_exec
+}:file execute_no_trans;
 neverallow { domain -init } vendor_halserverdomain:process transition;
 neverallow *  { vendor_halserverdomain - vendor_qtidataservices_app }:process dyntransition;
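Review bot: The added `-shell_exec` and `-toolbox_exec` exclusions relax this neverallow for every domain carrying vendor_halserverdomain, not just the HAL that the `# May invoke shell commands via /system/bin/sh` comment has in mind, so any future vendor HAL can be granted execute_no_trans on the system shell and toybox without tripping this compile-time check. Vendor processes are normally expected to use the vendor-side copies (vendor_shell_exec for /vendor/bin/sh, vendor_toolbox_exec for the vendor toybox), and the platform's own neverallows restrict non-coredomain access to system executables, so it is worth confirming that this exception is actually reachable rather than a leftover. If one HAL genuinely needs it, the narrower shape is to exclude that domain in the subject set next to vendor_qtidataservices_app — `- <hal_domain_needing_sh>  # placeholder` — and keep `{ file_type fs_type }` intact; either way the comment should name the domain and the reason.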
diff --git a/generic/vendor/kalama/genfs_contexts b/generic/vendor/kalama/genfs_contexts
index aca7d47..10f60db 100644
--- a/generic/vendor/kalama/genfs_contexts
+++ b/generic/vendor/kalama/genfs_contexts
@@ -303,9 +303,13 @@
 genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/extcon/extcon0/cable.0/name u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/extcon/extcon0/cable.1/name u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/extcon/extcon0/cable.2/name u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform:lpass-cdc/wcd938x-codec/extcon/extcon3/name u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform:lpass-cdc/wcd938x-codec/extcon/extcon3/state u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform:lpass-cdc/wcd938x-codec/extcon/extcon3/cable.0/name u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform:lpass-cdc/wcd938x-codec/extcon/extcon3/cable.1/name u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform:lpass-cdc/wcd938x-codec/extcon/extcon3/cable.2/name u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform:lpass-cdc/wcd938x-codec/extcon/extcon3/cable.3/name u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon0/state u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon1/state u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon2/state u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon3/state u:object_r:vendor_sysfs_graphics:s0
diff --git a/generic/vendor/test/domain.te b/generic/vendor/test/domain.te
index ee8e842..24058d1 100644
--- a/generic/vendor/test/domain.te
+++ b/generic/vendor/test/domain.te
@@ -37,7 +37,7 @@
 #allow all gpu clients to access configuration settings
 userdebug_or_eng(`
 allow domain vendor_sysfs_kgsl:dir search;
-r_dir_file({domain - isolated_app}, vendor_sysfs_kgsl_snapshot);
+r_dir_file({domain - isolated_app_all}, vendor_sysfs_kgsl_snapshot);
 allow domain coredump_file:dir create_dir_perms;
 allow domain coredump_file:file create_file_perms;
 allow domain coredump_file:dir rw_dir_perms;
diff --git a/qva/vendor/common/cnd.te b/qva/vendor/common/cnd.te
index e370f73..a2bf960 100644
--- a/qva/vendor/common/cnd.te
+++ b/qva/vendor/common/cnd.te
@@ -46,6 +46,9 @@
 allow vendor_cnd vendor_wifi_vendor_data_file:dir r_dir_perms;
 allow vendor_cnd vendor_wifi_vendor_wpa_socket:sock_file write;
 
+# allow vendor_cnd to read wifi_hal_prop
+get_prop(vendor_cnd, wifi_hal_prop)
+
 #allow vendor_cnd daemon to invoke hostapd_cli
 domain_auto_trans(vendor_cnd, vendor_hostapd_exec, vendor_hostapd)
 allow vendor_cnd vendor_hostapd_socket:dir r_dir_perms;
diff --git a/qva/vendor/common/file_contexts b/qva/vendor/common/file_contexts
index f0e58e9..330f0c2 100644
--- a/qva/vendor/common/file_contexts
+++ b/qva/vendor/common/file_contexts
@@ -156,7 +156,7 @@
 /(vendor|system/vendor)/bin/wigighalsvc                                            u:object_r:vendor_wigighalsvc_exec:s0
 /(vendor|system/vendor)/bin/wigignpt                                               u:object_r:vendor_wigignpt_exec:s0
 /(vendor|system/vendor)/bin/sensingdaemon                                          u:object_r:vendor_sensingdaemon_exec:s0
-/vendor/bin/hw/android\.hardware\.usb\@1\.[0-2]-service-qti                        u:object_r:vendor_hal_usb_qti_exec:s0
+/vendor/bin/hw/android\.hardware\.usb\@1\.[0-3]-service-qti                        u:object_r:vendor_hal_usb_qti_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget\@1\.[0-2]-service-qti                u:object_r:vendor_hal_usb_qti_exec:s0
 /vendor/bin/usbsecure                                                              u:object_r:vendor_usb_qti_exec:s0
 /vendor/bin/vendor\.qti\.qspmhal@1\.0-service                                      u:object_r:vendor_hal_qspmhal_default_exec:s0
diff --git a/qva/vendor/common/hwservice_contexts b/qva/vendor/common/hwservice_contexts
index 8eccd0a..2260abb 100644
--- a/qva/vendor/common/hwservice_contexts
+++ b/qva/vendor/common/hwservice_contexts
@@ -50,7 +50,6 @@
 vendor.qti.gnss::ILocHidlGnss                                u:object_r:hal_gnss_hwservice:s0
 vendor.nxp.hardware.nfc::INqNfc                              u:object_r:hal_nfc_hwservice:s0
 vendor.qti.hardware.sensorscalibrate::ISensorsCalibrate      u:object_r:vendor_hal_sensorscalibrate_qti_hwservice:s0
-com.qualcomm.qti.imscmservice::IImsCmService                 u:object_r:vendor_hal_imsrcsd_hwservice:s0
 vendor.qti.hardware.AGMIPC::IAGM                             u:object_r:hal_audio_hwservice:s0
 vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint     u:object_r:hal_fingerprint_hwservice:s0
 vendor.qti.hardware.radio.qtiradio::IQtiRadio                u:object_r:hal_telephony_hwservice:s0
diff --git a/qva/vendor/common/service.te b/qva/vendor/common/service.te
index e2d60d6..5ab976c 100644
--- a/qva/vendor/common/service.te
+++ b/qva/vendor/common/service.te
@@ -65,9 +65,9 @@
 
 type vendor_dun_service,                 service_manager_type;
 type vendor_imsrcs_service,              service_manager_type;
-type vendor_hal_qvrd_service,            vendor_service,protected_service,service_manager_type;
-type vendor_hal_sxrd_service,            vendor_service,protected_service,service_manager_type;
-type vendor_hal_dataconnection_service,  vendor_service, protected_service, service_manager_type;
-type vendor_hal_qms_service,             vendor_service, protected_service, service_manager_type;
-type vendor_hal_bttpi_service,           vendor_service, protected_service, service_manager_type;
-type vendor_hal_qspa_service,           vendor_service, protected_service, service_manager_type;
+type vendor_hal_qvrd_service,            hal_service_type, protected_service, service_manager_type;
+type vendor_hal_sxrd_service,            hal_service_type, protected_service, service_manager_type;
+type vendor_hal_dataconnection_service,  hal_service_type, protected_service, service_manager_type;
+type vendor_hal_qms_service,             hal_service_type, protected_service, service_manager_type;
+type vendor_hal_bttpi_service,           hal_service_type, protected_service, service_manager_type;
+type vendor_hal_qspa_service,            hal_service_type, protected_service, service_manager_type;
diff --git a/qva/vendor/test/file_contexts b/qva/vendor/test/file_contexts
index 047bb39..ee02b8e 100644
--- a/qva/vendor/test/file_contexts
+++ b/qva/vendor/test/file_contexts
@@ -47,4 +47,4 @@
 /vendor/bin/qsap_sampleclient                   u:object_r:vendor_qesdk_sampleclient_exec:s0
 
 #QSPA SAMPLE CLIENT
-/vendor/bin/qspa-testclient                    u:object_r:vendor_qspa_testclient_exec:s0
\ No newline at end of file
+/vendor/bin/qspa-testclient                    u:object_r:vendor_qspa_testclient_exec:s0
diff --git a/qva/vendor/test/sysmonapp/keys.conf b/qva/vendor/test/sysmonapp/keys.conf
index 4626aff..454d657 100644
--- a/qva/vendor/test/sysmonapp/keys.conf
+++ b/qva/vendor/test/sysmonapp/keys.conf
@@ -25,4 +25,4 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 [@SYSMONAPP]
-ALL : device/qcom/sepolicy_vndr/qva/vendor/test/sysmonapp/sysmonapp_app_cert.x509.pem
+ALL : device/qcom/sepolicy_vndr/sm8550/qva/vendor/test/sysmonapp/sysmonapp_app_cert.x509.pem