Merge tag 'LA.VENDOR.1.0.r1-24300-WAIPIO.QSSI14.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr into lineage-21.0-caf-sm8450
"LA.VENDOR.1.0.r1-24300-WAIPIO.QSSI14.0"
* tag 'LA.VENDOR.1.0.r1-24300-WAIPIO.QSSI14.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr:
controller: Upload Firmware2.0 code to add sepolicy
Sepolicy_vndr : Multiple AVC denial fixes for clarence
anorak: allow qvrservice to access ipd distance node
controller: give controller read access to /mnt/vendor/calib dir
Change-Id: I434bdfd04ba03f587008b2d77db062e25404afd2
diff --git a/.gitupstream b/.gitupstream
new file mode 100644
index 0000000..3b566ca
--- /dev/null
+++ b/.gitupstream
@@ -0,0 +1 @@
+https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr
diff --git a/SEPolicy.mk b/SEPolicy.mk
index 46fe273..09e579e 100644
--- a/SEPolicy.mk
+++ b/SEPolicy.mk
@@ -1,26 +1,25 @@
# Board specific SELinux policy variable definitions
-ifeq ($(call is-vendor-board-platform,QCOM),true)
-SEPOLICY_PATH:= device/qcom/sepolicy_vndr
+SEPOLICY_PATH:= device/qcom/sepolicy_vndr/sm8450
QSSI_SEPOLICY_PATH:= device/qcom/sepolicy
BOARD_SYSTEM_EXT_PREBUILT_DIR := device/qcom/sepolicy/generic
BOARD_PRODUCT_PREBUILT_DIR := device/qcom/sepolicy/generic/product
SYS_ATTR_PROJECT_PATH := $(TOP)/device/qcom/sepolicy/generic/public/attribute
-BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
- $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS := \
+ $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) \
$(QSSI_SEPOLICY_PATH)/generic/public \
$(QSSI_SEPOLICY_PATH)/generic/public/attribute
-BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
- $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS := \
+ $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) \
$(QSSI_SEPOLICY_PATH)/generic/private
-BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
- $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS := \
+ $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) \
$(QSSI_SEPOLICY_PATH)/qva/public \
$(QSSI_SEPOLICY_PATH)/qva/public/attribute
-BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
- $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS := \
+ $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) \
$(QSSI_SEPOLICY_PATH)/qva/private
#once all the services are moved to Product /ODM above lines will be removed.
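Review bot: Dropping the `ifeq ($(call is-vendor-board-platform,QCOM),true)` guard at the top of this hunk (its `endif` is removed at the end of the last SEPolicy.mk hunk) makes every SYSTEM_EXT_*_SEPOLICY_DIRS and BOARD_VENDOR_SEPOLICY_DIRS append unconditional for any board that includes this file, which is only harmless if each include site is itself limited to the intended targets — something this diff cannot show. The new `SEPOLICY_PATH:= device/qcom/sepolicy_vndr/sm8450` pins the checkout location, and the same literal is repeated in the qva/vendor/ssg/keys.conf and qva/vendor/test/sysmonapp/keys.conf hunks; since keys.conf cannot read make variables, a comment on this line, `# keep in sync with the cert paths in qva/vendor/ssg/keys.conf and qva/vendor/test/sysmonapp/keys.conf`, would at least flag the coupling. Spacing the assignment as `SEPOLICY_PATH := …` would match the other definitions in this file.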
@@ -36,8 +35,8 @@
$(QSSI_SEPOLICY_PATH)/qva/product/private
ifeq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
- BOARD_SEPOLICY_DIRS := \
- $(BOARD_SEPOLICY_DIRS) \
+ BOARD_VENDOR_SEPOLICY_DIRS := \
+ $(BOARD_VENDOR_SEPOLICY_DIRS) \
$(SEPOLICY_PATH) \
$(SEPOLICY_PATH)/generic/vendor/common \
$(SEPOLICY_PATH)/generic/vendor/common/attribute \
@@ -45,18 +44,16 @@
$(SEPOLICY_PATH)/qva/vendor/common
ifeq ($(TARGET_SEPOLICY_DIR),)
- BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_BOARD_PLATFORM)
- BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_BOARD_PLATFORM)
+ BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_BOARD_PLATFORM)
+ BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_BOARD_PLATFORM)
else
- BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_SEPOLICY_DIR)
- BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
+ BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_SEPOLICY_DIR)
+ BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
endif
ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
- BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/test
- BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test
- BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test/sysmonapp
+ BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/test
+ BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test
+ BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test/sysmonapp
endif
endif
-
-endif
diff --git a/generic/vendor/common/app.te b/generic/vendor/common/app.te
index b6d0824..5c48801 100644
--- a/generic/vendor/common/app.te
+++ b/generic/vendor/common/app.te
@@ -35,6 +35,6 @@
allow appdomain vendor_npu_device:chr_file r_file_perms;
# Allow all apps to access /dev/dma_heap/qcom,system
-allow { appdomain -isolated_app -coredomain } vendor_dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app_all -coredomain } vendor_dmabuf_system_heap_device:chr_file r_file_perms;
dontaudit appdomain vendor_hal_qspmhal_hwservice:hwservice_manager find;
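Review bot: The comment above the changed line, `# Allow all apps to access /dev/dma_heap/qcom,system`, no longer describes the rule, which excludes isolated_app_all and coredomain; `# Allow all non-isolated, non-core apps to access /dev/dma_heap/qcom,system` would. The same widening of the exclusion from isolated_app to isolated_app_all is applied in domain.te, hal_drm_widevine.te and generic/vendor/test/domain.te in this commit, which is consistent across the files shown; any remaining bare isolated_app exclusion elsewhere in the vendor policy would be worth checking for the same treatment.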
diff --git a/generic/vendor/common/domain.te b/generic/vendor/common/domain.te
index 8d5c56d..ef8bdad 100644
--- a/generic/vendor/common/domain.te
+++ b/generic/vendor/common/domain.te
@@ -30,10 +30,10 @@
get_prop(domain, vendor_gralloc_prop)
-r_dir_file({domain - isolated_app - untrusted_app_all }, vendor_sysfs_soc);
-r_dir_file({domain - isolated_app - untrusted_app_all }, vendor_sysfs_esoc);
-r_dir_file({domain - isolated_app - untrusted_app_all }, vendor_sysfs_ssr);
-r_dir_file({domain - isolated_app}, sysfs_thermal);
+r_dir_file({domain - isolated_app_all - untrusted_app_all }, vendor_sysfs_soc);
+r_dir_file({domain - isolated_app_all - untrusted_app_all }, vendor_sysfs_esoc);
+r_dir_file({domain - isolated_app_all - untrusted_app_all }, vendor_sysfs_ssr);
+r_dir_file({domain - isolated_app_all}, sysfs_thermal);
#Reding of standard chip details need this
allow untrusted_app_all {
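Review bot: `r_dir_file({domain - isolated_app_all}, sysfs_thermal);` at the bottom of this group subtracts only isolated apps, whereas the three vendor_sysfs_soc/esoc/ssr lines directly above also subtract untrusted_app_all, so every untrusted app keeps read access to the thermal sysfs tree. The asymmetry predates this commit, but since the line is being rewritten it is a good moment to confirm it is intentional; if not, `r_dir_file({domain - isolated_app_all - untrusted_app_all}, sysfs_thermal);` matches the neighbouring rules, and otherwise a short comment stating why apps need raw thermal sysfs would stop the question recurring. The `allow untrusted_app_all {` block that starts on the last line continues in the next hunk.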
@@ -41,7 +41,7 @@
vendor_sysfs_esoc
vendor_sysfs_ssr
}:dir search ;
-r_dir_file({domain - isolated_app }, vendor_sysfs_public);
+r_dir_file({domain - isolated_app_all }, vendor_sysfs_public);
get_prop(domain, vendor_public_vendor_default_prop)
@@ -58,10 +58,10 @@
-vold
} vendor_persist_type: { dir file } *;
-allow { domain - isolated_app } vendor_sysfs_kgsl:dir search;
+allow { domain - isolated_app_all } vendor_sysfs_kgsl:dir search;
# Allow all context to read gpu model
-allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;
-allow { domain - isolated_app } vendor_sysfs_kgsl_gpubusy:file r_file_perms;
+allow { domain - isolated_app_all } vendor_sysfs_kgsl_gpu_model:file r_file_perms;
+allow { domain - isolated_app_all } vendor_sysfs_kgsl_gpubusy:file r_file_perms;
neverallow {
coredomain
diff --git a/generic/vendor/common/file.te b/generic/vendor/common/file.te
index edf01cf..698f423 100644
--- a/generic/vendor/common/file.te
+++ b/generic/vendor/common/file.te
@@ -149,7 +149,7 @@
type vendor_cnd_data_file, file_type, data_file_type;
type vendor_location_data_file, file_type, data_file_type;
type vendor_audio_data_file, file_type, data_file_type;
-type vendor_radio_data_file, file_type, data_file_type;
+type vendor_radio_data_file, file_type, data_file_type, app_data_file_type;
type vendor_wifi_vendor_log_data_file, file_type, data_file_type;
type vendor_log_wifi_data_file, file_type, data_file_type;
# for mount /persist
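Review bot: Adding app_data_file_type to vendor_radio_data_file carries no comment explaining why a vendor data type now also counts as app data; the reason is the seapp_contexts hunk in this commit, which labels vendor_imshelper_app's data directory with it, presumably because the seapp_contexts tooling requires `type=` to be an app data file type. A one-line comment above the declaration, `# app_data_file_type: used as the seapp_contexts type= for vendor_imshelper_app`, would keep the two files tied together for the next reader. The attribute may also place this type under AOSP's app-data neverallow rules, so any vendor domains already granted write access to vendor_radio_data_file are worth rechecking when the policy is compiled.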
diff --git a/generic/vendor/common/genfs_contexts b/generic/vendor/common/genfs_contexts
index 6690a25..3a4e3b0 100644
--- a/generic/vendor/common/genfs_contexts
+++ b/generic/vendor/common/genfs_contexts
@@ -187,4 +187,6 @@
genfscon sysfs /module/rmnet_perf_tether/parameters u:object_r:vendor_sysfs_rmnet:s0
genfscon sysfs /module/rmnet_sch/parameters u:object_r:vendor_sysfs_rmnet:s0
genfscon sysfs /module/rmnet_shs/parameters u:object_r:vendor_sysfs_rmnet:s0
-genfscon sysfs /module/rmnet_wlan/parameters u:object_r:vendor_sysfs_rmnet:s0
\ No newline at end of file
+genfscon sysfs /module/rmnet_wlan/parameters u:object_r:vendor_sysfs_rmnet:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,pmic_glink/soc:qcom,pmic_glink:qcom,ucsi/power_supply/ucsi-source-psy-soc:qcom,pmic_glink:qcom,ucsi1 u:object_r:vendor_sysfs_battery_supply:s0
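Review bot: The new genfscon entry labels only the `…ucsi1` power_supply node as vendor_sysfs_battery_supply; genfscon resolves by longest path prefix, so any sibling source-psy node (a second UCSI port, if the platform exposes one) would keep the parent's generic sysfs label and produce the same denials this entry addresses. If more than one such node can exist, labelling the common `…qcom,ucsi/power_supply` prefix may be the intended scope; if exactly one exists, a short comment above the line saying so (e.g. `# single PMIC GLINK UCSI source power supply`) records the decision. The blank line added before it separates it from the rmnet module group, which reads fine, but a comment naming the node helps more than position in a file that is not sorted by path.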
diff --git a/generic/vendor/common/hal_drm_widevine.te b/generic/vendor/common/hal_drm_widevine.te
index 864a0f4..563c2da 100644
--- a/generic/vendor/common/hal_drm_widevine.te
+++ b/generic/vendor/common/hal_drm_widevine.te
@@ -33,7 +33,7 @@
init_daemon_domain(vendor_hal_drm_widevine)
allow vendor_hal_drm_widevine mediacodec:fd use;
-allow vendor_hal_drm_widevine { appdomain -isolated_app }:fd use;
+allow vendor_hal_drm_widevine { appdomain -isolated_app_all }:fd use;
allow vendor_hal_drm_widevine vendor_qce_device:chr_file rw_file_perms;
#Allow access to smcinvoke device
diff --git a/generic/vendor/common/hwservice_contexts b/generic/vendor/common/hwservice_contexts
index 9ba1f13..7b9b5f4 100644
--- a/generic/vendor/common/hwservice_contexts
+++ b/generic/vendor/common/hwservice_contexts
@@ -39,7 +39,6 @@
vendor.display.config::IDisplayConfig u:object_r:vendor_hal_display_config_hwservice:s0
vendor.display.color::IDisplayColor u:object_r:vendor_hal_display_color_hwservice:s0
vendor.display.postproc::IDisplayPostproc u:object_r:vendor_hal_display_postproc_hwservice:s0
-vendor.qti.hardware.data.iwlan::IIWlan u:object_r:vendor_hal_iwlan_hwservice:s0
vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore u:object_r:vendor_hal_capabilityconfigstore_qti_hwservice:s0
vendor.qti.hardware.improvetouch.touchcompanion::ITouchCompanion u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.improvetouch.gesturemanager::IGestureManager u:object_r:vendor_hal_hbtp_hwservice:s0
diff --git a/generic/vendor/common/init_shell.te b/generic/vendor/common/init_shell.te
index 07fad73..f350bd4 100644
--- a/generic/vendor/common/init_shell.te
+++ b/generic/vendor/common/init_shell.te
@@ -27,7 +27,7 @@
# Restricted domain for shell processes spawned by init.
# Normally these are shell commands or scripts invoked via sh
# from an init*.rc file. No service should ever run in this domain.
-#
+#
# Changes from Qualcomm Innovation Center are provided under the following license:
#
# Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
diff --git a/generic/vendor/common/seapp_contexts b/generic/vendor/common/seapp_contexts
index 527246a..42cee04 100644
--- a/generic/vendor/common/seapp_contexts
+++ b/generic/vendor/common/seapp_contexts
@@ -34,7 +34,7 @@
user=_app seinfo=platform name=.qtidataservices domain=vendor_qtidataservices_app type=app_data_file levelFrom=all
#Add new domain for imshelper service
-user=radio seinfo=platform name=.imshelperservice domain=vendor_imshelper_app type=radio_data_file
+user=radio seinfo=platform name=.imshelperservice domain=vendor_imshelper_app type=vendor_radio_data_file
#Add new domain for power off alarm app
user=_app seinfo=platform name=com.qualcomm.qti.poweroffalarm domain=vendor_poweroffalarm_app type=app_data_file levelFrom=all
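Review bot: The new `type=vendor_radio_data_file` depends on the file.te hunk in this commit that adds app_data_file_type to that type, but nothing in this file records the coupling; extending the comment above to `#Add new domain for imshelper service (data dir labelled vendor_radio_data_file, see file.te)` would. The entry also carries no `levelFrom=` while the neighbouring platform-app lines use `levelFrom=all`; for user=radio that may be deliberate, since the shared radio uid cannot be categorised per app, but it is inherited from the old line rather than chosen here and is worth confirming.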
diff --git a/generic/vendor/common/service.te b/generic/vendor/common/service.te
index d2f1ce9..79e712b 100644
--- a/generic/vendor/common/service.te
+++ b/generic/vendor/common/service.te
@@ -30,5 +30,5 @@
# # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-type vendor_hal_vnddisplayconfig_service, vendor_service, protected_service, service_manager_type;
-type vendor_hal_telephony_service2, vendor_service, protected_service, service_manager_type;
+type vendor_hal_vnddisplayconfig_service, hal_service_type, protected_service, service_manager_type;
+type vendor_hal_telephony_service2, hal_service_type, protected_service, service_manager_type;
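Review bot: Switching these two services from vendor_service to hal_service_type changes which attribute-level rules govern them, and the domains that register and look them up are not in this diff; if I read AOSP's hal_attribute_service macro correctly, hal_service_type is the attribute its add/find neverallows key on, so the vendor server domains that `add` these services must be covered by the matching hal_*_server attribute or the policy will be rejected at compile time. The same substitution is made for vendor_hal_qvrd_service, vendor_hal_sxrd_service and vendor_hal_dataconnection_service in qva/vendor/common/service.te. A one-line comment above the declarations, `# hal_service_type: registered by a HAL server domain; add/find restricted by hal_attribute_service`, would record the intent in both files.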
diff --git a/generic/vendor/test/domain.te b/generic/vendor/test/domain.te
index ee8e842..24058d1 100644
--- a/generic/vendor/test/domain.te
+++ b/generic/vendor/test/domain.te
@@ -37,7 +37,7 @@
#allow all gpu clients to access configuration settings
userdebug_or_eng(`
allow domain vendor_sysfs_kgsl:dir search;
-r_dir_file({domain - isolated_app}, vendor_sysfs_kgsl_snapshot);
+r_dir_file({domain - isolated_app_all}, vendor_sysfs_kgsl_snapshot);
allow domain coredump_file:dir create_dir_perms;
allow domain coredump_file:file create_file_perms;
allow domain coredump_file:dir rw_dir_perms;
diff --git a/qva/vendor/common/cnd.te b/qva/vendor/common/cnd.te
index edbff51..fe5b0ed 100644
--- a/qva/vendor/common/cnd.te
+++ b/qva/vendor/common/cnd.te
@@ -45,6 +45,9 @@
allow vendor_cnd vendor_wifi_vendor_data_file:dir r_dir_perms;
allow vendor_cnd vendor_wifi_vendor_wpa_socket:sock_file write;
+# allow vendor_cnd to read wifi_hal_prop
+get_prop(vendor_cnd, wifi_hal_prop)
+
#allow vendor_cnd daemon to invoke hostapd_cli
allow vendor_cnd vendor_shell_exec:file rx_file_perms;
domain_auto_trans(vendor_cnd, vendor_hostapd_exec, vendor_hostapd)
diff --git a/qva/vendor/common/file_contexts b/qva/vendor/common/file_contexts
index e394bb6..b076001 100644
--- a/qva/vendor/common/file_contexts
+++ b/qva/vendor/common/file_contexts
@@ -147,7 +147,7 @@
/(vendor|system/vendor)/bin/wigighalsvc u:object_r:vendor_wigighalsvc_exec:s0
/(vendor|system/vendor)/bin/wigignpt u:object_r:vendor_wigignpt_exec:s0
/(vendor|system/vendor)/bin/sensingdaemon u:object_r:vendor_sensingdaemon_exec:s0
-/vendor/bin/hw/android\.hardware\.usb\@1\.[0-2]-service-qti u:object_r:vendor_hal_usb_qti_exec:s0
+/vendor/bin/hw/android\.hardware\.usb\@1\.[0-3]-service-qti u:object_r:vendor_hal_usb_qti_exec:s0
/vendor/bin/hw/android\.hardware\.usb\.gadget\@1\.[0-2]-service-qti u:object_r:vendor_hal_usb_qti_exec:s0
/vendor/bin/vendor\.qti\.qspmhal@1\.0-service u:object_r:vendor_hal_qspmhal_default_exec:s0
/vendor/bin/qesdk-manager u:object_r:vendor_hal_qesdhal_default_exec:s0
diff --git a/qva/vendor/common/hal_perf_default.te b/qva/vendor/common/hal_perf_default.te
index bdecb56..1b8f6b6 100644
--- a/qva/vendor/common/hal_perf_default.te
+++ b/qva/vendor/common/hal_perf_default.te
@@ -145,4 +145,4 @@
allow vendor_hal_perf_default self:capability sys_nice;
dontaudit vendor_hal_perf_default self:capability dac_override;
dontaudit vendor_hal_perf_default system_server:dir search;
-dontaudit vendor_hal_perf_default { domain – appdomain }:process { getsched setsched };
+dontaudit vendor_hal_perf_default { domain - appdomain }:process { getsched setsched };
diff --git a/qva/vendor/common/hwservice_contexts b/qva/vendor/common/hwservice_contexts
index a91c564..bf53b95 100644
--- a/qva/vendor/common/hwservice_contexts
+++ b/qva/vendor/common/hwservice_contexts
@@ -50,7 +50,6 @@
vendor.qti.gnss::ILocHidlGnss u:object_r:hal_gnss_hwservice:s0
vendor.nxp.hardware.nfc::INqNfc u:object_r:hal_nfc_hwservice:s0
vendor.qti.hardware.sensorscalibrate::ISensorsCalibrate u:object_r:vendor_hal_sensorscalibrate_qti_hwservice:s0
-com.qualcomm.qti.imscmservice::IImsCmService u:object_r:vendor_hal_imsrcsd_hwservice:s0
vendor.qti.hardware.AGMIPC::IAGM u:object_r:vendor_agm_hwservice:s0
vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint u:object_r:hal_fingerprint_hwservice:s0
vendor.qti.hardware.radio.qtiradio::IQtiRadio u:object_r:hal_telephony_hwservice:s0
diff --git a/qva/vendor/common/service.te b/qva/vendor/common/service.te
index f55cad5..30fd6f2 100644
--- a/qva/vendor/common/service.te
+++ b/qva/vendor/common/service.te
@@ -27,6 +27,6 @@
type vendor_dun_service, service_manager_type;
type vendor_imsrcs_service, service_manager_type;
-type vendor_hal_qvrd_service, vendor_service,protected_service,service_manager_type;
-type vendor_hal_sxrd_service, vendor_service,protected_service,service_manager_type;
-type vendor_hal_dataconnection_service, vendor_service, protected_service, service_manager_type;
+type vendor_hal_qvrd_service, hal_service_type, protected_service, service_manager_type;
+type vendor_hal_sxrd_service, hal_service_type, protected_service, service_manager_type;
+type vendor_hal_dataconnection_service, hal_service_type, protected_service, service_manager_type;
diff --git a/qva/vendor/ssg/keys.conf b/qva/vendor/ssg/keys.conf
index bfc08ca..7baca80 100644
--- a/qva/vendor/ssg/keys.conf
+++ b/qva/vendor/ssg/keys.conf
@@ -1,2 +1,2 @@
[@SSG]
-ALL : device/qcom/sepolicy_vndr/qva/vendor/ssg/ssg_app_cert.x509.pem
+ALL : device/qcom/sepolicy_vndr/sm8450/qva/vendor/ssg/ssg_app_cert.x509.pem
diff --git a/qva/vendor/test/sysmonapp/keys.conf b/qva/vendor/test/sysmonapp/keys.conf
index 4626aff..fa69e87 100644
--- a/qva/vendor/test/sysmonapp/keys.conf
+++ b/qva/vendor/test/sysmonapp/keys.conf
@@ -25,4 +25,4 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
[@SYSMONAPP]
-ALL : device/qcom/sepolicy_vndr/qva/vendor/test/sysmonapp/sysmonapp_app_cert.x509.pem
+ALL : device/qcom/sepolicy_vndr/sm8450/qva/vendor/test/sysmonapp/sysmonapp_app_cert.x509.pem