author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-05-10 06:53:06 +0000 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-05-10 06:53:06 +0000 |
commit | bb0385357e291ee497821c6916d6c350ef7613b3 (patch) | |
tree | 8368e24c77e5cc642648107fd1737a78b2c010be /vendor/qcom/common | |
parent | 216fcd65c7be58344bacd7b6a3c9c6d72e724c32 (diff) | |
parent | 05a1b76da9b95260b0fc9583b6ad797016836fef (diff) | |
download | sunfish-sepolicy-bb0385357e291ee497821c6916d6c350ef7613b3.tar.gz |
Snap for 8564071 from 05a1b76da9b95260b0fc9583b6ad797016836fef to mainline-sdkext-release
Change-Id: Ib69aec2d57986eaa43bf6931802e96474c366f30
Diffstat (limited to 'vendor/qcom/common')
31 files changed, 199 insertions, 120 deletions
diff --git a/vendor/qcom/common/cameraserver.te b/vendor/qcom/common/cameraserver.te index 92aacf7..dfd4524 100644 --- a/vendor/qcom/common/cameraserver.te +++ b/vendor/qcom/common/cameraserver.te @@ -6,3 +6,5 @@ get_prop(cameraserver, vendor_display_prop) # are not essential, and access denial to it won't break any gralloc mapper # functionality. dontaudit cameraserver gpu_device:chr_file rw_file_perms; + +dontaudit cameraserver sysfs_msm_subsys:dir search; diff --git a/vendor/qcom/common/cnd.te b/vendor/qcom/common/cnd.te index 333ac60..30acc21 100644 --- a/vendor/qcom/common/cnd.te +++ b/vendor/qcom/common/cnd.te @@ -20,6 +20,7 @@ allow cnd cnd_data_file:dir rw_dir_perms; wakelock_use(cnd) # To register cnd to hwbinder add_hwservice(cnd, hal_datafactory_hwservice) +add_hwservice(cnd, hal_mwqemadapter_hwservice) userdebug_or_eng(` allow cnd diag_device:chr_file rw_file_perms; ') @@ -42,3 +43,5 @@ allow cnd self:{ netlink_generic_socket qipcrtr_socket } create_socket_perms_no_ioctl; + +dontaudit cnd wifi_hal_prop:file r_file_perms; diff --git a/vendor/qcom/common/con_monitor.te b/vendor/qcom/common/con_monitor.te index 64d0257..860c16e 100644 --- a/vendor/qcom/common/con_monitor.te +++ b/vendor/qcom/common/con_monitor.te @@ -1,10 +1,9 @@ # ConnectivityMonitor app -type con_monitor_app, domain; +type con_monitor_app, domain, coredomain; app_domain(con_monitor_app) set_prop(con_monitor_app, radio_prop) -set_prop(con_monitor_app, vendor_radio_prop) allow con_monitor_app app_api_service:service_manager find; allow con_monitor_app audioserver_service:service_manager find; allow con_monitor_app radio_service:service_manager find; diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te index 33bb82e..23073eb 100644 --- a/vendor/qcom/common/file.te +++ b/vendor/qcom/common/file.te 
@@ -131,8 +131,6 @@ type sysfs_sectouch, sysfs_type, fs_type;
 type vendor_tui_data_file, file_type, data_file_type;
 type vendor_bt_data_file, file_type, data_file_type;
 type sysfs_jpeg, fs_type, sysfs_type;
-type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
 type sysfs_npu, fs_type, sysfs_type;
 type vendor_ramdump_data_file, file_type, data_file_type;
 type vendor_mdmhelperdata_data_file, file_type, data_file_type;
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 907d5b9..a360e5a 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -52,7 +52,7 @@
 /(vendor|system/vendor)/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0
 /(vendor|system/vendor)/bin/hw/qcrild u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
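Review bot: `ramdump_vendor_data_file` loses its declaration in this file.te hunk but is still referenced by the unchanged `/data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0` line in file_contexts (the `@@ -262,7 +266,6 @@` hunk). The same pattern appears twice more in this change: property.te drops `vendor_ramdump_prop` while property_contexts keeps `persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0`, and the rewritten hwservice.te list no longer declares `hal_bluetooth_coexistence_hwservice` while hwservice_contexts re-adds two entries labelled with it. Unless these three types are now declared outside vendor/qcom/common (the diffstat is limited to that directory, so this cannot be confirmed here), the contexts files will fail to build against the policy. Either keep the `type` lines or relabel the surviving entries to a type that still exists, e.g. `vendor_ramdump_data_file` for the ssrdump path.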
@@ -67,6 +67,8 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti u:object_r:hal_keymaster_qti_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:hal_keymaster_qti_exec:s0 +/(vendor|system/vendor)/bin/init\.qti\.keymaster\.sh u:object_r:init-qti-keymaster-sh_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0 /(vendor|system/vendor)/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0 @@ -113,12 +115,6 @@ /mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0 ################################### -# ramdumpfs files -# -/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0 -/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0 - -################################### # adsp files # /(vendor|system/vendor)/dsp(/.*)? u:object_r:adsprpcd_file:s0 
@@ -144,12 +140,15 @@ /vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.1\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgralloc\.qti\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgsl\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libEGL_adreno\.so u:object_r:same_process_hal_file:s0 @@ -179,6 +178,10 @@ # libGLESv2_adreno depends on this /vendor/lib(64)?/libllvm-glnext\.so u:object_r:same_process_hal_file:s0 +# Game profiling library +/vendor/lib(64)?/libadreno_app_profiles\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/vendor\.qti\.qspmhal@1\.0\.so u:object_r:same_process_hal_file:s0 + # libOpenCL-pixel and its dependencies /vendor/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 @@ -243,6 +246,7 @@ /dev/msm_.* u:object_r:audio_device:s0 /dev/ramdump_.* u:object_r:ramdump_device:s0 /dev/at_.* u:object_r:at_device:s0 +/dev/qce u:object_r:qce_device:s0 # dev socket nodes /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0 
@@ -262,7 +266,6 @@ /data/vendor/modem_fdr(/.*)? u:object_r:modem_fdr_file:s0 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 /data/vendor/nnhal(/.*)? u:object_r:hal_neuralnetworks_data_file:s0 -/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0 /data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0 /data/vendor/ssrlog(/.*)? u:object_r:ssr_log_file:s0 /data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0 diff --git a/vendor/qcom/common/genfs_contexts b/vendor/qcom/common/genfs_contexts index 8afbb14..d8158ec 100644 --- a/vendor/qcom/common/genfs_contexts +++ b/vendor/qcom/common/genfs_contexts @@ -26,3 +26,5 @@ genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws@1e08000 genfscon sysfs /devices/virtual/xt_hardidletimer/timers u:object_r:sysfs_data:s0 genfscon sysfs /devices/virtual/xt_idletimer/timers u:object_r:sysfs_data:s0 genfscon sysfs /module/subsystem_restart/parameters/enable_ramdumps u:object_r:sysfs_ssr:s0 +genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd-secure/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/vendor/qcom/common/hal_drm_widevine.te b/vendor/qcom/common/hal_drm_widevine.te index 4b52daf..2f8fbdd 100644 --- a/vendor/qcom/common/hal_drm_widevine.te +++ b/vendor/qcom/common/hal_drm_widevine.te @@ -10,4 +10,6 @@ allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms; allow hal_drm_widevine hal_display_config_hwservice:hwservice_manager find; binder_call(hal_drm_widevine, hal_graphics_composer_default) -allow hal_drm_widevine { appdomain -isolated_app }:fd use;
\ No newline at end of file +allow hal_drm_widevine { appdomain -isolated_app }:fd use; + +allow hal_drm_widevine qce_device:chr_file rw_file_perms; diff --git a/vendor/qcom/common/hal_gnss_qti.te b/vendor/qcom/common/hal_gnss_qti.te index c4481a7..80abd2e 100644 --- a/vendor/qcom/common/hal_gnss_qti.te +++ b/vendor/qcom/common/hal_gnss_qti.te @@ -24,5 +24,7 @@ allow hal_gnss_qti location:unix_dgram_socket sendto; allow hal_gnss_qti self:qipcrtr_socket create_socket_perms_no_ioctl; +allow hal_gnss_qti location_data_file:dir r_dir_perms; + # Allow Gnss HAL to get updates from health hal hal_client_domain(hal_gnss_qti, hal_health) diff --git a/vendor/qcom/common/hal_neuralnetworks.te b/vendor/qcom/common/hal_neuralnetworks.te index 1d20204..6ccdd39 100644 --- a/vendor/qcom/common/hal_neuralnetworks.te +++ b/vendor/qcom/common/hal_neuralnetworks.te @@ -17,3 +17,6 @@ r_dir_file(hal_neuralnetworks_default, sysfs_soc) r_dir_file(hal_neuralnetworks_default, adsprpcd_file) dontaudit hal_neuralnetworks_default vendor_display_prop:file read; + +# b/159570217 suppress warning related to zeroth.debuglog.logmask +dontaudit hal_neuralnetworks_default default_prop:file { open read }; diff --git a/vendor/qcom/common/hal_rcsservice.te b/vendor/qcom/common/hal_rcsservice.te index 9acd706..0c95f16 100644 --- a/vendor/qcom/common/hal_rcsservice.te +++ b/vendor/qcom/common/hal_rcsservice.te @@ -11,6 +11,8 @@ hwbinder_use(hal_rcsservice) # add IUceSerive and IService to Hidl interface add_hwservice(hal_rcsservice, hal_imsrcsd_hwservice) add_hwservice(hal_rcsservice, hal_imscallinfo_hwservice) +# add imsfactory to HIDl interface +add_hwservice(hal_rcsservice, hal_imsfactory_hwservice) get_prop(hal_rcsservice, hwservicemanager_prop) set_prop(hal_rcsservice, qcom_ims_prop) diff --git a/vendor/qcom/common/hvdcp.te b/vendor/qcom/common/hvdcp.te index 7cdae50..9c1b7eb 100644 --- a/vendor/qcom/common/hvdcp.te +++ b/vendor/qcom/common/hvdcp.te 
@@ -7,7 +7,7 @@ allow hvdcp sysfs_batteryinfo:dir r_dir_perms;
 allow hvdcp qg_device:chr_file rw_file_perms;
 allow hvdcp self:capability2 wake_alarm;
 allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow hvdcp kmsg_device:chr_file r_file_perms;
+allow hvdcp kmsg_device:chr_file rw_file_perms;
 allow hvdcp mnt_vendor_file:dir r_dir_perms;
 allow hvdcp persist_file:dir search;
 allow hvdcp persist_hvdcp_file:dir search;
diff --git a/vendor/qcom/common/hwservice.te b/vendor/qcom/common/hwservice.te
index e681898..c17da13 100644
--- a/vendor/qcom/common/hwservice.te
+++ b/vendor/qcom/common/hwservice.te
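Review bot: The kmsg_device grant for hvdcp widens from `r_file_perms` to `rw_file_perms`, so the daemon can now both read and write the kernel log, and the pd_services.te hunk makes the matching `w_file_perms` to `rw_file_perms` change for vendor_pd_mapper. If the purpose is to emit log lines, `allow hvdcp kmsg_device:chr_file w_file_perms;` is the narrower rule, and it is the form rmt_storage.te keeps unchanged in this same change. Reading /dev/kmsg hands kernel log content to a vendor daemon, so if read really is needed a comment stating why (and, for pd_services, why it is only inside userdebug_or_eng) should accompany the rule.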
@@ -1,24 +1,25 @@
-type hal_display_color_hwservice, hwservice_manager_type;
-type hal_iwlan_hwservice, hwservice_manager_type;
-type hal_display_config_hwservice, hwservice_manager_type;
-type hal_display_postproc_hwservice, hwservice_manager_type;
-type hal_dpmqmi_hwservice, hwservice_manager_type;
-type hal_imsrtp_hwservice, hwservice_manager_type;
-type hal_imscallinfo_hwservice, hwservice_manager_type;
-type hal_datafactory_hwservice, hwservice_manager_type;
-type hal_cne_hwservice, hwservice_manager_type;
-type hal_latency_hwservice, hwservice_manager_type;
-type hal_imsrcsd_hwservice, hwservice_manager_type;
-type hal_ipacm_hwservice, hwservice_manager_type;
-type hal_qteeconnector_hwservice, hwservice_manager_type;
-type hal_voiceprint_hwservice, hwservice_manager_type;
-type vendor_hal_factory_qti_hwservice, hwservice_manager_type;
-type hal_tui_comm_hwservice, hwservice_manager_type;
-type hal_qdutils_disp_hwservice, hwservice_manager_type;
-type hal_sensorscalibrate_qti_hwservice, hwservice_manager_type;
-type vnd_atcmdfwd_hwservice, hwservice_manager_type;
-type hal_dataconnection_hwservice, hwservice_manager_type;
-type hal_bluetooth_coexistence_hwservice, hwservice_manager_type;
-type hal_cacert_hwservice, hwservice_manager_type;
-type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type;
-type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_display_color_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_iwlan_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_display_config_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_display_postproc_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_dpmqmi_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imsrtp_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imscallinfo_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_datafactory_hwservice, 
hwservice_manager_type, vendor_hwservice_type;
+type hal_cne_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_latency_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imsrcsd_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_ipacm_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_qteeconnector_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_voiceprint_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type vendor_hal_factory_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_tui_comm_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_qdutils_disp_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_sensorscalibrate_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type vnd_atcmdfwd_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_dataconnection_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_cacert_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;
+type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_imsfactory_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;
diff --git a/vendor/qcom/common/hwservice_contexts b/vendor/qcom/common/hwservice_contexts
index 2aecfbc..d6d205b 100644
--- a/vendor/qcom/common/hwservice_contexts
+++ b/vendor/qcom/common/hwservice_contexts
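Review bot: `hal_mwqemadapter_hwservice` is the only type in the rewritten list that does not carry `vendor_hwservice_type`, even though the cnd.te hunk registers it from a vendor domain with `add_hwservice(cnd, hal_mwqemadapter_hwservice)` and the sibling `hal_imsfactory_hwservice` added on the next line does carry it. This reads as an omission rather than intent; `type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;` keeps the file consistent, and if the core policy constrains which hwservice types vendor domains may register, it avoids a build-time or runtime denial that would only show up later.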
@@ -11,12 +11,11 @@ vendor.display.color::IDisplayColor u:object
 vendor.display.config::IDisplayConfig u:object_r:hal_display_config_hwservice:s0
 vendor.display.postproc::IDisplayPostproc u:object_r:hal_display_postproc_hwservice:s0
 vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0
-vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
-vendor.qti.hardware.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
 vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object_r:hal_qdutils_disp_hwservice:s0
 vendor.qti.hardware.qteeconnector::IAppConnector u:object_r:hal_qteeconnector_hwservice:s0
 vendor.qti.hardware.qteeconnector::IGPAppConnector u:object_r:hal_qteeconnector_hwservice:s0
 vendor.qti.hardware.radio.am::IQcRilAudio u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo u:object_r:hal_telephony_hwservice:s0
 vendor.qti.hardware.radio.lpa::IUimLpa u:object_r:hal_telephony_hwservice:s0
 vendor.qti.hardware.radio.qcrilhook::IQtiOemHook u:object_r:hal_telephony_hwservice:s0
 vendor.qti.hardware.radio.qtiradio::IQtiRadio u:object_r:hal_telephony_hwservice:s0
@@ -29,6 +28,7 @@ vendor.qti.hardware.tui_comm::ITuiComm u:object
 vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd u:object_r:vnd_atcmdfwd_hwservice:s0
 vendor.qti.hardware.data.latency::ILinkLatency u:object_r:hal_latency_hwservice:s0
 vendor.qti.data.factory::IFactory u:object_r:hal_datafactory_hwservice:s0
+vendor.qti.ims.factory::IImsFactory u:object_r:hal_imsfactory_hwservice:s0
 vendor.qti.imsrtpservice::IRTPService u:object_r:hal_imsrtp_hwservice:s0
 vendor.qti.hardware.cacert::IService u:object_r:hal_cacert_hwservice:s0
 hardware.google.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
@@ -37,3 +37,6 @@ vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore u:object
 vendor.qti.hardware.display.allocator::IQtiAllocator u:object_r:hal_graphics_allocator_hwservice:s0
 vendor.qti.ims.callinfo::IService u:object_r:hal_imscallinfo_hwservice:s0
 vendor.qti.hardware.qseecom::IQSEECom u:object_r:hal_qseecom_hwservice:s0
+vendor.qti.hardware.mwqemadapter::IMwqemAdapter u:object_r:hal_mwqemadapter_hwservice:s0
+vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
+vendor.qti.hardware.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
diff --git a/vendor/qcom/common/init-qti-keymaster-sh.te b/vendor/qcom/common/init-qti-keymaster-sh.te
new file mode 100644
index 0000000..f5a6c31
--- /dev/null
+++ b/vendor/qcom/common/init-qti-keymaster-sh.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-keymaster-sh, domain;
+type init-qti-keymaster-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qti-keymaster-sh)
+
+# Set vendor.keymaster.strongbox.version to 40 or 41
+set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);
+
+allow init-qti-keymaster-sh vendor_shell_exec:file rx_file_perms;
+allow init-qti-keymaster-sh vendor_toolbox_exec:file rx_file_perms;
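Review bot: `set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);` ends with a semicolon while `init_daemon_domain(init-qti-keymaster-sh)` two lines above does not; both are m4 macros that expand to complete rules, so the trailing `;` is a stray empty statement and should be dropped so the new file is consistent with itself. The comment above the rule would be more useful if it tied the domain to its executable, e.g. `# init.qti.keymaster.sh (init-qti-keymaster-sh_exec in file_contexts) publishes vendor.keymaster.strongbox.version as 40 or 41`, since nothing else in this file says what the domain runs.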
diff --git a/vendor/qcom/common/mediacodec.te b/vendor/qcom/common/mediacodec.te index 5ef6b8f..bec15f6 100644 --- a/vendor/qcom/common/mediacodec.te +++ b/vendor/qcom/common/mediacodec.te @@ -3,3 +3,5 @@ get_prop(mediacodec, ecoservice_prop) allow mediacodec hal_camera_default:binder call; get_prop(mediacodec, vendor_display_prop) + +dontaudit mediacodec sysfs_msm_subsys:dir search; diff --git a/vendor/qcom/common/mediatranscoding.te b/vendor/qcom/common/mediatranscoding.te new file mode 100644 index 0000000..ab3f09d --- /dev/null +++ b/vendor/qcom/common/mediatranscoding.te @@ -0,0 +1,2 @@ +get_prop(domain, vendor_display_prop) + diff --git a/vendor/qcom/common/netmgrd.te b/vendor/qcom/common/netmgrd.te index 238a61b..4d53e7c 100644 --- a/vendor/qcom/common/netmgrd.te +++ b/vendor/qcom/common/netmgrd.te @@ -69,5 +69,6 @@ allow netmgrd self:netlink_xfrm_socket create_socket_perms_no_ioctl; #Allow set persist.vendor.data.shsusr_load #Allow set persist.vendor.data.perf_ko_load #Allow set persist.vendor.data.qmipriod_load +#Allow set persist.vendor.data.offload_ko_load set_prop(netmgrd, vendor_radio_prop) diff --git a/vendor/qcom/common/pd_services.te b/vendor/qcom/common/pd_services.te index 3f48cef..b504a16 100644 --- a/vendor/qcom/common/pd_services.te +++ b/vendor/qcom/common/pd_services.te @@ -6,7 +6,7 @@ init_daemon_domain(vendor_pd_mapper); allow vendor_pd_mapper self:qipcrtr_socket create_socket_perms_no_ioctl; userdebug_or_eng(` - allow vendor_pd_mapper kmsg_device:chr_file w_file_perms; + allow vendor_pd_mapper kmsg_device:chr_file rw_file_perms; ') dontaudit vendor_pd_mapper sysfs_esoc:dir search; diff --git a/vendor/qcom/common/peripheral_manager.te b/vendor/qcom/common/peripheral_manager.te index bd5f923..05e75bc 100644 --- a/vendor/qcom/common/peripheral_manager.te +++ b/vendor/qcom/common/peripheral_manager.te 
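Review bot: The new mediatranscoding.te contains `get_prop(domain, vendor_display_prop)`: the source is the `domain` attribute, so every process on the device gains read access to vendor_display_prop rather than only mediatranscoding, and the file name no longer describes what the rule does. vendor_display_prop is declared `vendor_restricted_prop` in the property.te hunk of this same change, which makes a device-wide read grant the opposite of the intent. If the target is the mediatranscoding domain, the line should be `get_prop(mediatranscoding, vendor_display_prop)`, matching the per-domain form used by `get_prop(cameraserver, vendor_display_prop)` and `get_prop(mediacodec, vendor_display_prop)` elsewhere in this diff.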
@@ -8,6 +8,7 @@ init_daemon_domain(vendor_per_mgr); vndbinder_use(vendor_per_mgr) binder_call(vendor_per_mgr, vendor_per_mgr) binder_call(vendor_per_mgr, wcnss_service) +binder_call(vendor_per_mgr, rild) set_prop(vendor_per_mgr, vendor_per_mgr_state_prop) allow vendor_per_mgr self:qipcrtr_socket create_socket_perms_no_ioctl; diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te index e088dad..81b3b55 100644 --- a/vendor/qcom/common/property.te +++ b/vendor/qcom/common/property.te 
@@ -1,64 +1,64 @@
-type uicc_prop, property_type;
-type qcom_ims_prop, property_type;
-type ctl_vendor_netmgrd_prop, property_type;
-type ctl_vendor_port-bridge_prop, property_type;
-type ctl_qcrild_prop, property_type;
-type vendor_tee_listener_prop, property_type;
-type ctl_vendor_rild_prop, property_type;
-type ctl_LKCore_prop, property_type;
-type freq_prop, property_type;
-type vendor_dataqti_prop, property_type;
-type cnd_vendor_prop, property_type;
-type sensors_prop, property_type;
-type slpi_prop, property_type;
-type msm_irqbalance_prop, property_type;
-type msm_irqbl_sdm630_prop, property_type;
-type camera_prop, property_type;
-type spcomlib_prop, property_type;
-type vendor_display_prop, property_type;
-type scr_enabled_prop, property_type;
-type bg_boot_complete_prop, property_type;
-type opengles_prop, property_type;
-type mdm_helper_prop, property_type;
-type vendor_mpctl_prop, property_type;
-type vendor_iop_prop, property_type;
-type vendor_preobtain_prop, property_type;
-type vendor_am_prop, property_type;
-type vendor_gralloc_prop, property_type;
-type fm_prop, property_type;
-type chgdiabled_prop, property_type;
-type vendor_xlat_prop, property_type;
-type location_prop, property_type;
-type qemu_hw_mainkeys_prop, property_type;
-type vendor_usb_prop, property_type;
-type public_vendor_system_prop, property_type;
-type vendor_coresight_prop, property_type;
-type public_vendor_default_prop, property_type;
-type vendor_alarm_boot_prop, property_type;
-type dolby_prop, property_type;
-type hwui_prop, property_type;
-type graphics_vulkan_prop, property_type;
-type bservice_prop, property_type;
-type reschedule_service_prop, property_type;
-type vendor_boot_mode_prop, property_type;
-type nfc_nq_prop, property_type;
-type vendor_rild_libpath_prop, property_type;
-type vendor_per_mgr_state_prop, property_type;
-type vendor_system_prop, property_type;
-type vendor_bluetooth_prop, property_type;
-type ctl_vendor_imsrcsservice_prop, property_type;
-type 
vendor_time_service_prop, property_type;
-type vendor_radio_prop, property_type;
-type vendor_audio_prop, property_type;
-type vendor_ssr_prop, property_type;
-type vendor_pd_locater_dbg_prop, property_type;
-type vendor_qdcmss_prop, property_type;
-type vendor_softap_prop, property_type;
-type mm_parser_prop, property_type;
-type mm_video_prop, property_type;
-type ctl_vendor_rmt_storage_prop, property_type;
-type vendor_wifi_version, property_type;
-type vendor_cnss_diag_prop, property_type;
-type vendor_modem_diag_prop, property_type;
-type vendor_ramdump_prop, property_type;
-type vendor_hvdcp_opti_prop, property_type;
+vendor_internal_prop(uicc_prop)
+vendor_restricted_prop(qcom_ims_prop)
+vendor_internal_prop(ctl_vendor_netmgrd_prop)
+vendor_internal_prop(ctl_vendor_port-bridge_prop)
+vendor_internal_prop(ctl_qcrild_prop)
+vendor_internal_prop(vendor_tee_listener_prop)
+vendor_internal_prop(ctl_vendor_rild_prop)
+vendor_internal_prop(ctl_LKCore_prop)
+vendor_internal_prop(freq_prop)
+vendor_internal_prop(vendor_dataqti_prop)
+vendor_restricted_prop(cnd_vendor_prop)
+vendor_internal_prop(sensors_prop)
+vendor_internal_prop(slpi_prop)
+vendor_internal_prop(msm_irqbalance_prop)
+vendor_internal_prop(msm_irqbl_sdm630_prop)
+vendor_restricted_prop(camera_prop)
+vendor_internal_prop(spcomlib_prop)
+vendor_restricted_prop(vendor_display_prop)
+vendor_internal_prop(scr_enabled_prop)
+vendor_internal_prop(bg_boot_complete_prop)
+vendor_internal_prop(opengles_prop)
+vendor_internal_prop(mdm_helper_prop)
+vendor_internal_prop(vendor_mpctl_prop)
+vendor_internal_prop(vendor_iop_prop)
+vendor_internal_prop(vendor_preobtain_prop)
+vendor_internal_prop(vendor_am_prop)
+vendor_internal_prop(vendor_gralloc_prop)
+vendor_internal_prop(fm_prop)
+vendor_internal_prop(chgdiabled_prop)
+vendor_internal_prop(vendor_xlat_prop)
+vendor_internal_prop(location_prop)
+vendor_internal_prop(qemu_hw_mainkeys_prop)
+vendor_internal_prop(vendor_usb_prop)
+vendor_internal_prop(public_vendor_system_prop) +vendor_internal_prop(vendor_coresight_prop) +vendor_restricted_prop(public_vendor_default_prop) +vendor_internal_prop(vendor_alarm_boot_prop) +vendor_internal_prop(dolby_prop) +vendor_internal_prop(hwui_prop) +vendor_internal_prop(graphics_vulkan_prop) +vendor_internal_prop(bservice_prop) +vendor_internal_prop(reschedule_service_prop) +vendor_internal_prop(vendor_boot_mode_prop) +vendor_internal_prop(nfc_nq_prop) +vendor_internal_prop(vendor_rild_libpath_prop) +vendor_internal_prop(vendor_per_mgr_state_prop) +vendor_internal_prop(vendor_system_prop) +vendor_internal_prop(vendor_bluetooth_prop) +vendor_internal_prop(ctl_vendor_imsrcsservice_prop) +vendor_internal_prop(vendor_time_service_prop) +vendor_restricted_prop(vendor_radio_prop) +vendor_internal_prop(vendor_audio_prop) +vendor_internal_prop(vendor_ssr_prop) +vendor_internal_prop(vendor_pd_locater_dbg_prop) +vendor_internal_prop(vendor_qdcmss_prop) +vendor_internal_prop(vendor_softap_prop) +vendor_internal_prop(mm_parser_prop) +vendor_internal_prop(mm_video_prop) +vendor_internal_prop(ctl_vendor_rmt_storage_prop) +vendor_internal_prop(vendor_wifi_version) +vendor_internal_prop(vendor_cnss_diag_prop) +vendor_internal_prop(vendor_modem_diag_prop) +vendor_restricted_prop(vendor_hvdcp_opti_prop) +vendor_restricted_prop(vendor_km_strongbox_version_prop) diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts index cf09828..eebfb81 100644 --- a/vendor/qcom/common/property_contexts +++ b/vendor/qcom/common/property_contexts @@ -1,5 +1,6 @@ # vendor_audio_prop vendor.audio.snd_card.open.retries u:object_r:vendor_audio_prop:s0 +vendor.audio.adm.buffering.ms u:object_r:vendor_audio_prop:s0 vendor.audio.volume.listener.dump u:object_r:vendor_audio_prop:s0 vendor.audio.volume.headset.gain.depcal u:object_r:vendor_audio_prop:s0 
@@ -38,7 +39,6 @@ persist.vendor.bt.soc.scram_freqs u:object_r:vendor_bluetooth_prop ro.vendor.audio.sdk.fluencetype u:object_r:vendor_audio_prop:s0 ro.vendor.ril. u:object_r:vendor_radio_prop:s0 -ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0 # vendor display prop vendor.gralloc.disable_ahardware_buffer u:object_r:vendor_display_prop:s0 @@ -50,7 +50,6 @@ vendor.debug.prerotation.disable u:object_r:vendor_display_prop:s vendor.debug.egl.swapinterval u:object_r:vendor_display_prop:s0 ro.vendor.graphics.memory u:object_r:vendor_display_prop:s0 -vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0 vendor.ims. u:object_r:qcom_ims_prop:s0 vendor.peripheral. u:object_r:vendor_per_mgr_state_prop:s0 vendor.sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0 @@ -65,6 +64,7 @@ vendor.debug.ssrdump u:object_r:vendor_ssr_prop:s0 persist.vendor.sys.cnss. u:object_r:vendor_cnss_diag_prop:s0 persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0 persist.vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0 +vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0 ctl.vendor.rmt_storage u:object_r:ctl_vendor_rmt_storage_prop:s0 @@ -85,3 +85,7 @@ persist.vendor.data.shs_ko_load u:object_r:vendor_radio_prop:s0 persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0 persist.vendor.data.perf_ko_load u:object_r:vendor_radio_prop:s0 persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0 +persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0 + +#keymaster strongbox service +vendor.keymaster.strongbox.version u:object_r:vendor_km_strongbox_version_prop:s0 diff --git a/vendor/qcom/common/qtelephony.te b/vendor/qcom/common/qtelephony.te index 315b1a2..29ce45f 100644 --- a/vendor/qcom/common/qtelephony.te +++ b/vendor/qcom/common/qtelephony.te 
@@ -7,6 +7,7 @@ add_hwservice(qtelephony, vnd_atcmdfwd_hwservice) allow qtelephony app_api_service:service_manager find; allow qtelephony hal_imsrtp_hwservice:hwservice_manager find; +allow qtelephony hal_telephony_service:service_manager find; allow qtelephony radio_service:service_manager find; allow qtelephony sysfs_diag:dir search; allow qtelephony sysfs_timestamp_switch:file r_file_perms; diff --git a/vendor/qcom/common/qtidataservices_app.te b/vendor/qcom/common/qtidataservices_app.te index f6a80fc..2869a54 100644 --- a/vendor/qcom/common/qtidataservices_app.te +++ b/vendor/qcom/common/qtidataservices_app.te @@ -18,6 +18,6 @@ allow qtidataservices_app sysfs_soc:file r_file_perms; allow qtidataservices_app sysfs_ssr:file r_file_perms; get_prop(qtidataservices_app, vendor_default_prop) -set_prop(qtidataservices_app, exported_radio_prop) +set_prop(qtidataservices_app, telephony_status_prop) binder_call(qtidataservices_app, cnd) diff --git a/vendor/qcom/common/rfs_access.te b/vendor/qcom/common/rfs_access.te index 97d138d..14cb6a7 100644 --- a/vendor/qcom/common/rfs_access.te +++ b/vendor/qcom/common/rfs_access.te @@ -17,3 +17,5 @@ allow rfs_access rfs_tombstone_data_file:file create_file_perms; allow rfs_access self:qipcrtr_socket create_socket_perms_no_ioctl; wakelock_use(rfs_access) + +dontaudit rfs_access self:capability { dac_override dac_read_search }; diff --git a/vendor/qcom/common/rmt_storage.te b/vendor/qcom/common/rmt_storage.te index f094ba9..70d9bce 100644 --- a/vendor/qcom/common/rmt_storage.te +++ b/vendor/qcom/common/rmt_storage.te @@ -6,7 +6,7 @@ wakelock_use(rmt_storage) r_dir_file(rmt_storage, sysfs_uio) -get_prop(rmt_storage, exported3_radio_prop) +get_prop(rmt_storage, radio_control_prop) set_prop(rmt_storage, vendor_modem_prop) allow rmt_storage kmsg_device:chr_file w_file_perms; diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts index cb5dedf..fbf0b3a 100644 --- a/vendor/qcom/common/seapp_contexts 
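Review bot: `dontaudit rfs_access self:capability { dac_override dac_read_search };` in the rfs_access.te hunk hides denials for the two capabilities that bypass file ownership checks, with no comment saying why they are attempted. That is the accepted way to quiet a spurious probe, but if rfs_access genuinely needs to reach the files it is probing, the fix is the ownership or mode of those paths rather than silencing the denial. A one-line rationale such as `# dac_override/dac_read_search probes are spurious; rfs_access does not need them` would let the next reader tell which case this is.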
+++ b/vendor/qcom/common/seapp_contexts @@ -1,11 +1,9 @@ -#TODO(b/126137625): moving dataservice app from system to radio process -user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file -#user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file +user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file levelFrom=user # Hardware Info Collection -user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user +user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user -user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file +user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file levelFrom=all user=_app seinfo=platform name=.qtidataservices domain=qtidataservices_app type=app_data_file levelFrom=all @@ -15,7 +13,7 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon user=_app seinfo=platform name=com.qualcomm.qti.services.secureui* domain=secure_ui_service_app levelFrom=all #Needed for time service apk -user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file +user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file levelFrom=all # Use a custom domain for GoogleCamera, to allow for Hexagon DSP / Easel access user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all 
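Review bot: The hardwareinfo entry drops `seinfo=platform` in favour of `isPrivApp=true`, so any privileged app whose package name is com.google.android.hardwareinfo is mapped to hardware_info_app without having to be platform-signed, whereas the RilConfigService line directly below keeps both `isPrivApp=true` and `seinfo=platform`. If the app is no longer signed with the platform certificate this is the correct relaxation, but the reason is not visible here and deserves a comment, e.g. `# hardwareinfo is a priv-app but is not platform-signed`; otherwise keeping `seinfo=platform` alongside `isPrivApp=true` is the tighter match.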
@@ -31,3 +29,9 @@ user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=qtelepho
 #Add DeviceInfoHidlClient to vendor_qtelephony
 user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=qtelephony type=app_data_file levelFrom=all
+
+# QtiTelephonyService app
+user=_app seinfo=platform name=com.qualcomm.qti.telephonyservice domain=qtelephony type=app_data_file levelFrom=all
+
+#Add ExtTelephonyService to vendor_qtelephony
+user=_app seinfo=platform name=com.qti.phone domain=qtelephony type=app_data_file levelFrom=all
diff --git a/vendor/qcom/common/secure_ui_service_app.te b/vendor/qcom/common/secure_ui_service_app.te
index bcb3e97..f577653 100644
--- a/vendor/qcom/common/secure_ui_service_app.te
+++ b/vendor/qcom/common/secure_ui_service_app.te
@@ -5,8 +5,4 @@ binder_call(secure_ui_service_app, system_server)
 binder_call(secure_ui_service_app, hal_tui_comm_qti)
 allow secure_ui_service_app hal_tui_comm_hwservice:hwservice_manager find;
-allow secure_ui_service_app surfaceflinger_service:service_manager find;
-allow secure_ui_service_app telecom_service:service_manager find;
-allow secure_ui_service_app trust_service:service_manager find;
-allow secure_ui_service_app activity_service:service_manager find;
-allow secure_ui_service_app thermal_service:service_manager find;
+allow secure_ui_service_app app_api_service:service_manager find;
diff --git a/vendor/qcom/common/sensors.te b/vendor/qcom/common/sensors.te
index 95737d0..a423192 100644
--- a/vendor/qcom/common/sensors.te
+++ b/vendor/qcom/common/sensors.te
@@ -12,5 +12,7 @@ allow sensors self:qipcrtr_socket create;
 allow sensors sensors_persist_file:dir rw_dir_perms;
 r_dir_file(sensors, sysfs_msm_subsys)
 allow sensors sysfs_ssr:file r_file_perms;
+allow sensors sensors_vendor_data_file:dir rw_dir_perms;
+allow sensors sensors_vendor_data_file:file create_file_perms;
 dontaudit sensors sysfs_esoc:dir r_dir_perms;
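Review bot: Two more packages (`com.qualcomm.qti.telephonyservice` and `com.qti.phone`) are routed into the shared `qtelephony` domain, so each inherits every rule in qtelephony.te, including the `find` on the protected `hal_telephony_service` this commit adds; confirm both apps need the whole set, otherwise a domain per app keeps each grant minimal. Neither new entry is `isPrivApp=true`, unlike the `org.codeaurora.ims` entry in the hunk context, which is worth a comment if deliberate. Minor style: the two new comments use different spacing (`# QtiTelephonyService app` vs `#Add ExtTelephonyService`).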
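Review bot: Replacing five named `service_manager find` rules with `app_api_service` widens the grant from those five services to every service carrying that attribute, and the hunk gives no reason; if the aim is to stop enumerating services, say so above the line: `# secureui apps use the ordinary app-visible services (surfaceflinger, telecom, trust, activity, thermal); grant the app_api_service attribute rather than listing them`. If only those five are actually required, the removed explicit rules were the tighter policy. The enclosing rule set continues outside the hunk.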
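Review bot: The two new `sensors_vendor_data_file` rules depend on a type declaration and a `file_contexts` label that are not in this hunk, and nothing says which directory they cover; add `# <path - fill in>: sensor registry/calibration data written by the sensors daemon` above them. `create_file_perms` also includes `create`, `unlink`, `rename` and `setattr`, so if the daemon only updates existing files `rw_file_perms` on the file class would be the smaller grant — the daemon's behaviour is not visible here, so treat that as a question rather than a defect.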
diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te
index c2ea2f6..cb00941 100644
--- a/vendor/qcom/common/service.te
+++ b/vendor/qcom/common/service.te
@@ -4,3 +4,4 @@ type imsrcs_service, service_manager_type;
 type improve_touch_service, service_manager_type;
 type gba_auth_service, service_manager_type;
 type qtitetherservice_service, service_manager_type;
+type hal_telephony_service, service_manager_type, vendor_service, protected_service;
diff --git a/vendor/qcom/common/service_contexts b/vendor/qcom/common/service_contexts
new file mode 100644
index 0000000..c11263b
--- /dev/null
+++ b/vendor/qcom/common/service_contexts
@@ -0,0 +1,3 @@
+vendor.qti.hardware.radio.ims.IImsRadio/default u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:hal_telephony_service:s0
diff --git a/vendor/qcom/common/tee.te b/vendor/qcom/common/tee.te
index b28b1b7..d1e8cc1 100644
--- a/vendor/qcom/common/tee.te
+++ b/vendor/qcom/common/tee.te
@@ -31,3 +31,6 @@ allow tee hal_graphics_allocator_default:fd use;
 allow tee sysfs_wake_lock:file append;
 allow tee time_daemon:unix_stream_socket connectto;
+
+# allow tee access for secure UI to work
+allow tee graphics_device:chr_file rw_file_perms;
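Review bot: The new type is named `hal_telephony_service` without a vendor prefix, so if the core (system/sepolicy) policy declares a type of the same name for the AIDL radio HAL the build will fail on the duplicate declaration — worth checking before merge, and a name such as `vendor_qti_imsradio_service` would avoid the clash. The accompanying `service_contexts` hunk labels three `IImsRadio` instances with this type, but the `add` grant for the domain that registers them is not in this commit's visible hunks, so confirm it exists. A comment above the declaration naming the interface, `# AIDL vendor.qti.hardware.radio.ims.IImsRadio instances; see service_contexts`, would make the purpose of the type clear.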
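Review bot: `rw_file_perms` on `graphics_device` includes `ioctl`, so unless an `allowxperm` allowlist exists elsewhere the TEE daemon gets every ioctl on the display node, and the comment `# allow tee access for secure UI to work` does not say which node or operations are needed; tighten it to something like `# secure UI: tee reads/writes the /dev/graphics display node for the trusted UI path`. If only a few ioctl commands are used, add `allowxperm tee graphics_device:chr_file ioctl { <cmds - fill in> };` so the rest are denied. The enclosing rule set starts outside the hunk.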
