From 38d143aafab5fb902def05da28d442845c172803 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Mon, 18 May 2020 15:31:01 +0900 Subject: Add contexts for exported telephony props To remove bad context names, two contexts are added. - telephony_config_prop - telephony_status_prop exported_radio_prop, exported2_radio_prop are removed. Cleaning up exported3_radio_prop will be a follow-up task. Bug: 152471138 Bug: 155844385 Test: boot and see no denials Change-Id: Ica687a750af61f2d3386691ce6df220b180fb993 --- vendor/qcom/common/qtidataservices_app.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/qtidataservices_app.te b/vendor/qcom/common/qtidataservices_app.te
index f6a80fc..2869a54 100644
--- a/vendor/qcom/common/qtidataservices_app.te
+++ b/vendor/qcom/common/qtidataservices_app.te
@@ -18,6 +18,6 @@ allow qtidataservices_app sysfs_soc:file r_file_perms;
 allow qtidataservices_app sysfs_ssr:file r_file_perms;
 get_prop(qtidataservices_app, vendor_default_prop)
-set_prop(qtidataservices_app, exported_radio_prop)
+set_prop(qtidataservices_app, telephony_status_prop)
 binder_call(qtidataservices_app, cnd)
-- cgit v1.2.3
From 69a23ed50a1bf5cab4d696b8a5fed001a7a7399b Mon Sep 17 00:00:00 2001 From: Chong Zhang Date: Tue, 16 Jun 2020 10:22:12 -0700 Subject: transcoding: add vendor sepolicy for transcoding bug: 154734285 Change-Id: Ifac5b44925b4d94a5eca8c11df776d24a762a4fd --- vendor/qcom/common/mediatranscoding.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 vendor/qcom/common/mediatranscoding.te (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/mediatranscoding.te b/vendor/qcom/common/mediatranscoding.te
new file mode 100644
index 0000000..2f9df7f
--- /dev/null
+++ b/vendor/qcom/common/mediatranscoding.te
@@ -0,0 +1,2 @@
+dontaudit mediatranscoding vendor_display_prop:file r_file_perms;
+
-- cgit v1.2.3
From 2dd41b12d5bd9d78fe0a2804841de8c59bbb38f6 Mon Sep 17 00:00:00 2001
From: Chong Zhang Date: Thu, 18 Jun 2020 15:12:57 -0700 Subject: fix for vendor_display_prop Use get_prop(domain..) to allow graphics library to access vendor_display_prop, so that mediatranscoding type doesn't need to exposed across the Treble boundary. bug: 154734285 Change-Id: I6a1c21a16c11d6c0448fd52eeb3b37547909cba3 --- vendor/qcom/common/mediatranscoding.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/mediatranscoding.te b/vendor/qcom/common/mediatranscoding.te
index 2f9df7f..ab3f09d 100644
--- a/vendor/qcom/common/mediatranscoding.te
+++ b/vendor/qcom/common/mediatranscoding.te
@@ -1,2 +1,2 @@
-dontaudit mediatranscoding vendor_display_prop:file r_file_perms;
+get_prop(domain, vendor_display_prop)
-- cgit v1.2.3
From 34a4a68dfd3281de61148d2076259905e23fe76f Mon Sep 17 00:00:00 2001 From: Woody Lin Date: Mon, 22 Jun 2020 16:02:28 +0800 Subject: Remove ramdump sepolicies (will be leveraged from hardware/google/pixel-sepolicy) Bug: 160434722 Change-Id: Id0ce349704e01d955ac7b644f7add44061682866 --- vendor/qcom/common/file.te | 2 -- vendor/qcom/common/file_contexts | 7 ------- vendor/qcom/common/property.te | 1 - vendor/qcom/common/property_contexts | 2 -- 4 files changed, 12 deletions(-) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 33bb82e..23073eb 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
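Review bot: `get_prop(domain, vendor_display_prop)` grants read access to every process domain on the device, untrusted app domains included, which is far wider than the single `mediatranscoding` domain the removed line named; unless the property values are meant to be world-readable, the macro should name the graphics-library domains that actually read it, or an attribute covering them. It is also a domain-wide rule placed in a file named after one domain (`mediatranscoding.te`), where someone auditing domain-wide grants will not look for it. A comment such as `# Read in-process by graphics libraries in client domains; see b/154734285` above the macro would at least record why the grant is this broad.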
@@ -131,8 +131,6 @@ type sysfs_sectouch, sysfs_type, fs_type;
 type vendor_tui_data_file, file_type, data_file_type;
 type vendor_bt_data_file, file_type, data_file_type;
 type sysfs_jpeg, fs_type, sysfs_type;
-type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
 type sysfs_npu, fs_type, sysfs_type;
 type vendor_ramdump_data_file, file_type, data_file_type;
 type vendor_mdmhelperdata_data_file, file_type, data_file_type;
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 907d5b9..31c8fe8 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -112,12 +112,6 @@
 /mnt/vendor/persist/hvdcp_opti(/.*)? u:object_r:persist_hvdcp_file:s0
 /mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
-###################################
-# ramdumpfs files
-#
-/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
-/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
-
 ###################################
 # adsp files
 #
@@ -262,7 +256,6 @@
 /data/vendor/modem_fdr(/.*)? u:object_r:modem_fdr_file:s0
 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
 /data/vendor/nnhal(/.*)? u:object_r:hal_neuralnetworks_data_file:s0
-/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
 /data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
 /data/vendor/ssrlog(/.*)? u:object_r:ssr_log_file:s0
 /data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index e088dad..3a6514e 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
@@ -60,5 +60,4 @@ type ctl_vendor_rmt_storage_prop, property_type;
 type vendor_wifi_version, property_type;
 type vendor_cnss_diag_prop, property_type;
 type vendor_modem_diag_prop, property_type;
-type vendor_ramdump_prop, property_type;
 type vendor_hvdcp_opti_prop, property_type;
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index cf09828..d5baf2c 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -38,7 +38,6 @@ persist.vendor.bt.soc.scram_freqs u:object_r:vendor_bluetooth_prop
 ro.vendor.audio.sdk.fluencetype u:object_r:vendor_audio_prop:s0
 ro.vendor.ril. u:object_r:vendor_radio_prop:s0
-ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
 # vendor display prop
 vendor.gralloc.disable_ahardware_buffer u:object_r:vendor_display_prop:s0
@@ -50,7 +49,6 @@ vendor.debug.prerotation.disable u:object_r:vendor_display_prop:s
 vendor.debug.egl.swapinterval u:object_r:vendor_display_prop:s0
 ro.vendor.graphics.memory u:object_r:vendor_display_prop:s0
-vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
 vendor.ims. u:object_r:qcom_ims_prop:s0
 vendor.peripheral. u:object_r:vendor_per_mgr_state_prop:s0
 vendor.sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
-- cgit v1.2.3
From 237879a540615e2bd53dfac7a6c86fd54091449b Mon Sep 17 00:00:00 2001
From: Inseob Kim Date: Tue, 28 Jul 2020 16:34:50 +0900 Subject: Rename exported3_radio_prop to radio_control_prop The context name exported3_radio_prop is ambiguous and does not reflect the usage and role of the properties. This changes its name to radio_control_prop. Some downstream branches are still using exported3_radio_prop, so get_prop(domain, radio_control_prop) is added to avoid regression. It's just a workaround and to be removed soon, after all exported3_radio_prop are cleaned up. Bug: 162214733 Test: boot a device with a sim and see basic functions work Change-Id: I1bdb3d92377ead1faf4f1296f50846bdce89c596 --- vendor/qcom/common/rmt_storage.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/rmt_storage.te b/vendor/qcom/common/rmt_storage.te index f094ba9..70d9bce 100644 --- a/vendor/qcom/common/rmt_storage.te +++ b/vendor/qcom/common/rmt_storage.te @@ -6,7 +6,7 @@ wakelock_use(rmt_storage) r_dir_file(rmt_storage, sysfs_uio) -get_prop(rmt_storage, exported3_radio_prop) +get_prop(rmt_storage, radio_control_prop) set_prop(rmt_storage, vendor_modem_prop) allow rmt_storage kmsg_device:chr_file w_file_perms; -- cgit v1.2.3 From 6295067435909d249937f48c9ea0c78bb41b919d Mon Sep 17 00:00:00 2001 
From: Inseob Kim Date: Tue, 28 Jul 2020 16:34:50 +0900 Subject: Rename exported3_radio_prop to radio_control_prop The context name exported3_radio_prop is ambiguous and does not reflect the usage and role of the properties. This changes its name to radio_control_prop. Some downstream branches are still using exported3_radio_prop, so get_prop(domain, radio_control_prop) is added to avoid regression. It's just a workaround and to be removed soon, after all exported3_radio_prop are cleaned up. Exempt-From-Owner-Approval: cherry pick Bug: 162214733 Test: boot a device with a sim and see basic functions work Change-Id: I1bdb3d92377ead1faf4f1296f50846bdce89c596 Merged-In: I1bdb3d92377ead1faf4f1296f50846bdce89c596 --- vendor/qcom/common/rmt_storage.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/rmt_storage.te b/vendor/qcom/common/rmt_storage.te index f094ba9..70d9bce 100644 --- a/vendor/qcom/common/rmt_storage.te +++ b/vendor/qcom/common/rmt_storage.te @@ -6,7 +6,7 @@ wakelock_use(rmt_storage) r_dir_file(rmt_storage, sysfs_uio) -get_prop(rmt_storage, exported3_radio_prop) +get_prop(rmt_storage, radio_control_prop) set_prop(rmt_storage, vendor_modem_prop) allow rmt_storage kmsg_device:chr_file w_file_perms; -- cgit v1.2.3 From a440ee4d54fd72f54f7cb20eeb444a7e2355b92d Mon Sep 17 00:00:00 2001 From: Miao Wang Date: Mon, 3 Aug 2020 18:29:02 -0700 Subject: Suppress warning related to NNAPI HAL accessing zeroth.debuglog.logmask Bug: 159570217 Test: mm Change-Id: I9709698dd62740465c82398349744341799c4518 --- vendor/qcom/common/hal_neuralnetworks.te | 3 +++ 1 file changed, 3 insertions(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/hal_neuralnetworks.te b/vendor/qcom/common/hal_neuralnetworks.te index 1d20204..6ccdd39 100644 --- a/vendor/qcom/common/hal_neuralnetworks.te +++ b/vendor/qcom/common/hal_neuralnetworks.te 
@@ -17,3 +17,6 @@ r_dir_file(hal_neuralnetworks_default, sysfs_soc)
 r_dir_file(hal_neuralnetworks_default, adsprpcd_file)
 dontaudit hal_neuralnetworks_default vendor_display_prop:file read;
+
+# b/159570217 suppress warning related to zeroth.debuglog.logmask
+dontaudit hal_neuralnetworks_default default_prop:file { open read };
-- cgit v1.2.3
From 980434f8ce731a4820621f4098208b6495726787 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Fri, 14 Aug 2020 17:06:28 +0900 Subject: Attach vendor_property_type to properties We are going to enforce that each property has an explicit owner, such as system, vendor, or product. This attaches vendor_property_type to properties defined under vendor sepolicy directories. Bug: 159097992 Test: m selinux_policy Change-Id: If187026e0940c0bcc06c4d78bdbe860d2692a6e6 --- vendor/qcom/common/property.te | 126 ++++++++++++++++++++--------------------- 1 file changed, 63 insertions(+), 63 deletions(-) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index 3a6514e..5f08525 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
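Review bot: The added `dontaudit hal_neuralnetworks_default default_prop:file { open read };` silences denials on the catch-all `default_prop` label rather than on the one property named in the bug, so any future access by this HAL to an unlabeled property is hidden along with it. Giving `zeroth.debuglog.logmask` its own context in property_contexts and targeting that label would keep the suppression scoped to what the bug describes. The permission set `{ open read }` is also probably incomplete: the cnd denials quoted later on this page show a property read triggering `read`, `open`, `getattr` and `map`, and that hunk uses `r_file_perms`, so `getattr` and `map` denials are likely to keep appearing here.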
@@ -1,63 +1,63 @@ -type uicc_prop, property_type; -type qcom_ims_prop, property_type; -type ctl_vendor_netmgrd_prop, property_type; -type ctl_vendor_port-bridge_prop, property_type; -type ctl_qcrild_prop, property_type; -type vendor_tee_listener_prop, property_type; -type ctl_vendor_rild_prop, property_type; -type ctl_LKCore_prop, property_type; -type freq_prop, property_type; -type vendor_dataqti_prop, property_type; -type cnd_vendor_prop, property_type; -type sensors_prop, property_type; -type slpi_prop, property_type; -type msm_irqbalance_prop, property_type; -type msm_irqbl_sdm630_prop, property_type; -type camera_prop, property_type; -type spcomlib_prop, property_type; -type vendor_display_prop, property_type; -type scr_enabled_prop, property_type; -type bg_boot_complete_prop, property_type; -type opengles_prop, property_type; -type mdm_helper_prop, property_type; -type vendor_mpctl_prop, property_type; -type vendor_iop_prop, property_type; -type vendor_preobtain_prop, property_type; -type vendor_am_prop, property_type; -type vendor_gralloc_prop, property_type; -type fm_prop, property_type; -type chgdiabled_prop, property_type; -type vendor_xlat_prop, property_type; -type location_prop, property_type; -type qemu_hw_mainkeys_prop, property_type; -type vendor_usb_prop, property_type; -type public_vendor_system_prop, property_type; -type vendor_coresight_prop, property_type; -type public_vendor_default_prop, property_type; -type vendor_alarm_boot_prop, property_type; -type dolby_prop, property_type; -type hwui_prop, property_type; -type graphics_vulkan_prop, property_type; -type bservice_prop, property_type; -type reschedule_service_prop, property_type; -type vendor_boot_mode_prop, property_type; -type nfc_nq_prop, property_type; -type vendor_rild_libpath_prop, property_type; -type vendor_per_mgr_state_prop, property_type; -type vendor_system_prop, property_type; -type vendor_bluetooth_prop, property_type; -type ctl_vendor_imsrcsservice_prop, property_type; -type 
vendor_time_service_prop, property_type; -type vendor_radio_prop, property_type; -type vendor_audio_prop, property_type; -type vendor_ssr_prop, property_type; -type vendor_pd_locater_dbg_prop, property_type; -type vendor_qdcmss_prop, property_type; -type vendor_softap_prop, property_type; -type mm_parser_prop, property_type; -type mm_video_prop, property_type; -type ctl_vendor_rmt_storage_prop, property_type; -type vendor_wifi_version, property_type; -type vendor_cnss_diag_prop, property_type; -type vendor_modem_diag_prop, property_type; -type vendor_hvdcp_opti_prop, property_type; +vendor_internal_prop(uicc_prop) +vendor_restricted_prop(qcom_ims_prop) +vendor_internal_prop(ctl_vendor_netmgrd_prop) +vendor_internal_prop(ctl_vendor_port-bridge_prop) +vendor_internal_prop(ctl_qcrild_prop) +vendor_internal_prop(vendor_tee_listener_prop) +vendor_internal_prop(ctl_vendor_rild_prop) +vendor_internal_prop(ctl_LKCore_prop) +vendor_internal_prop(freq_prop) +vendor_internal_prop(vendor_dataqti_prop) +vendor_restricted_prop(cnd_vendor_prop) +vendor_internal_prop(sensors_prop) +vendor_internal_prop(slpi_prop) +vendor_internal_prop(msm_irqbalance_prop) +vendor_internal_prop(msm_irqbl_sdm630_prop) +vendor_restricted_prop(camera_prop) +vendor_internal_prop(spcomlib_prop) +vendor_restricted_prop(vendor_display_prop) +vendor_internal_prop(scr_enabled_prop) +vendor_internal_prop(bg_boot_complete_prop) +vendor_internal_prop(opengles_prop) +vendor_internal_prop(mdm_helper_prop) +vendor_internal_prop(vendor_mpctl_prop) +vendor_internal_prop(vendor_iop_prop) +vendor_internal_prop(vendor_preobtain_prop) +vendor_internal_prop(vendor_am_prop) +vendor_internal_prop(vendor_gralloc_prop) +vendor_internal_prop(fm_prop) +vendor_internal_prop(chgdiabled_prop) +vendor_internal_prop(vendor_xlat_prop) +vendor_internal_prop(location_prop) +vendor_internal_prop(qemu_hw_mainkeys_prop) +vendor_internal_prop(vendor_usb_prop) +vendor_internal_prop(public_vendor_system_prop) 
+vendor_internal_prop(vendor_coresight_prop) +vendor_restricted_prop(public_vendor_default_prop) +vendor_internal_prop(vendor_alarm_boot_prop) +vendor_internal_prop(dolby_prop) +vendor_internal_prop(hwui_prop) +vendor_internal_prop(graphics_vulkan_prop) +vendor_internal_prop(bservice_prop) +vendor_internal_prop(reschedule_service_prop) +vendor_internal_prop(vendor_boot_mode_prop) +vendor_internal_prop(nfc_nq_prop) +vendor_internal_prop(vendor_rild_libpath_prop) +vendor_internal_prop(vendor_per_mgr_state_prop) +vendor_internal_prop(vendor_system_prop) +vendor_internal_prop(vendor_bluetooth_prop) +vendor_internal_prop(ctl_vendor_imsrcsservice_prop) +vendor_internal_prop(vendor_time_service_prop) +vendor_restricted_prop(vendor_radio_prop) +vendor_internal_prop(vendor_audio_prop) +vendor_internal_prop(vendor_ssr_prop) +vendor_internal_prop(vendor_pd_locater_dbg_prop) +vendor_internal_prop(vendor_qdcmss_prop) +vendor_internal_prop(vendor_softap_prop) +vendor_internal_prop(mm_parser_prop) +vendor_internal_prop(mm_video_prop) +vendor_internal_prop(ctl_vendor_rmt_storage_prop) +vendor_internal_prop(vendor_wifi_version) +vendor_internal_prop(vendor_cnss_diag_prop) +vendor_internal_prop(vendor_modem_diag_prop) +vendor_restricted_prop(vendor_hvdcp_opti_prop) -- cgit v1.2.3 From 74a8ffda880e16af8f5126b9dd9958a8b5a7b955 Mon Sep 17 00:00:00 2001 
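Review bot: The hunk decides for each context whether it is `vendor_internal_prop` or `vendor_restricted_prop` but records no reason for the restricted ones (`qcom_ims_prop`, `cnd_vendor_prop`, `camera_prop`, `vendor_display_prop`, `public_vendor_default_prop`, `vendor_radio_prop`, `vendor_hvdcp_opti_prop`); since that choice is what makes a vendor property readable from the system side of the Treble boundary, a one-line comment naming the system-side reader above each restricted entry would let a later audit check that each exposure is still needed. The cherry-pick of this change further down the page carries the same list, plus `vendor_internal_prop(vendor_ramdump_prop)`, presumably because that branch has not taken the ramdump removal committed earlier on this page; the two branches' property.te files therefore now differ and the next merge will have to reconcile them.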
From: Inseob Kim Date: Fri, 14 Aug 2020 17:06:28 +0900 Subject: Attach vendor_property_type to properties We are going to enforce that each property has an explicit owner, such as system, vendor, or product. This attaches vendor_property_type to properties defined under vendor sepolicy directories. Bug: 159097992 Test: m selinux_policy Change-Id: If187026e0940c0bcc06c4d78bdbe860d2692a6e6 Merged-In: If187026e0940c0bcc06c4d78bdbe860d2692a6e6 (cherry picked from commit 980434f8ce731a4820621f4098208b6495726787) --- vendor/qcom/common/property.te | 128 ++++++++++++++++++++--------------------- 1 file changed, 64 insertions(+), 64 deletions(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te index e088dad..d232ac6 100644 --- a/vendor/qcom/common/property.te +++ b/vendor/qcom/common/property.te 
@@ -1,64 +1,64 @@ -type uicc_prop, property_type; -type qcom_ims_prop, property_type; -type ctl_vendor_netmgrd_prop, property_type; -type ctl_vendor_port-bridge_prop, property_type; -type ctl_qcrild_prop, property_type; -type vendor_tee_listener_prop, property_type; -type ctl_vendor_rild_prop, property_type; -type ctl_LKCore_prop, property_type; -type freq_prop, property_type; -type vendor_dataqti_prop, property_type; -type cnd_vendor_prop, property_type; -type sensors_prop, property_type; -type slpi_prop, property_type; -type msm_irqbalance_prop, property_type; -type msm_irqbl_sdm630_prop, property_type; -type camera_prop, property_type; -type spcomlib_prop, property_type; -type vendor_display_prop, property_type; -type scr_enabled_prop, property_type; -type bg_boot_complete_prop, property_type; -type opengles_prop, property_type; -type mdm_helper_prop, property_type; -type vendor_mpctl_prop, property_type; -type vendor_iop_prop, property_type; -type vendor_preobtain_prop, property_type; -type vendor_am_prop, property_type; -type vendor_gralloc_prop, property_type; -type fm_prop, property_type; -type chgdiabled_prop, property_type; -type vendor_xlat_prop, property_type; -type location_prop, property_type; -type qemu_hw_mainkeys_prop, property_type; -type vendor_usb_prop, property_type; -type public_vendor_system_prop, property_type; -type vendor_coresight_prop, property_type; -type public_vendor_default_prop, property_type; -type vendor_alarm_boot_prop, property_type; -type dolby_prop, property_type; -type hwui_prop, property_type; -type graphics_vulkan_prop, property_type; -type bservice_prop, property_type; -type reschedule_service_prop, property_type; -type vendor_boot_mode_prop, property_type; -type nfc_nq_prop, property_type; -type vendor_rild_libpath_prop, property_type; -type vendor_per_mgr_state_prop, property_type; -type vendor_system_prop, property_type; -type vendor_bluetooth_prop, property_type; -type ctl_vendor_imsrcsservice_prop, property_type; -type 
vendor_time_service_prop, property_type; -type vendor_radio_prop, property_type; -type vendor_audio_prop, property_type; -type vendor_ssr_prop, property_type; -type vendor_pd_locater_dbg_prop, property_type; -type vendor_qdcmss_prop, property_type; -type vendor_softap_prop, property_type; -type mm_parser_prop, property_type; -type mm_video_prop, property_type; -type ctl_vendor_rmt_storage_prop, property_type; -type vendor_wifi_version, property_type; -type vendor_cnss_diag_prop, property_type; -type vendor_modem_diag_prop, property_type; -type vendor_ramdump_prop, property_type; -type vendor_hvdcp_opti_prop, property_type; +vendor_internal_prop(uicc_prop) +vendor_restricted_prop(qcom_ims_prop) +vendor_internal_prop(ctl_vendor_netmgrd_prop) +vendor_internal_prop(ctl_vendor_port-bridge_prop) +vendor_internal_prop(ctl_qcrild_prop) +vendor_internal_prop(vendor_tee_listener_prop) +vendor_internal_prop(ctl_vendor_rild_prop) +vendor_internal_prop(ctl_LKCore_prop) +vendor_internal_prop(freq_prop) +vendor_internal_prop(vendor_dataqti_prop) +vendor_restricted_prop(cnd_vendor_prop) +vendor_internal_prop(sensors_prop) +vendor_internal_prop(slpi_prop) +vendor_internal_prop(msm_irqbalance_prop) +vendor_internal_prop(msm_irqbl_sdm630_prop) +vendor_restricted_prop(camera_prop) +vendor_internal_prop(spcomlib_prop) +vendor_restricted_prop(vendor_display_prop) +vendor_internal_prop(scr_enabled_prop) +vendor_internal_prop(bg_boot_complete_prop) +vendor_internal_prop(opengles_prop) +vendor_internal_prop(mdm_helper_prop) +vendor_internal_prop(vendor_mpctl_prop) +vendor_internal_prop(vendor_iop_prop) +vendor_internal_prop(vendor_preobtain_prop) +vendor_internal_prop(vendor_am_prop) +vendor_internal_prop(vendor_gralloc_prop) +vendor_internal_prop(fm_prop) +vendor_internal_prop(chgdiabled_prop) +vendor_internal_prop(vendor_xlat_prop) +vendor_internal_prop(location_prop) +vendor_internal_prop(qemu_hw_mainkeys_prop) +vendor_internal_prop(vendor_usb_prop) 
+vendor_internal_prop(public_vendor_system_prop) +vendor_internal_prop(vendor_coresight_prop) +vendor_restricted_prop(public_vendor_default_prop) +vendor_internal_prop(vendor_alarm_boot_prop) +vendor_internal_prop(dolby_prop) +vendor_internal_prop(hwui_prop) +vendor_internal_prop(graphics_vulkan_prop) +vendor_internal_prop(bservice_prop) +vendor_internal_prop(reschedule_service_prop) +vendor_internal_prop(vendor_boot_mode_prop) +vendor_internal_prop(nfc_nq_prop) +vendor_internal_prop(vendor_rild_libpath_prop) +vendor_internal_prop(vendor_per_mgr_state_prop) +vendor_internal_prop(vendor_system_prop) +vendor_internal_prop(vendor_bluetooth_prop) +vendor_internal_prop(ctl_vendor_imsrcsservice_prop) +vendor_internal_prop(vendor_time_service_prop) +vendor_restricted_prop(vendor_radio_prop) +vendor_internal_prop(vendor_audio_prop) +vendor_internal_prop(vendor_ssr_prop) +vendor_internal_prop(vendor_pd_locater_dbg_prop) +vendor_internal_prop(vendor_qdcmss_prop) +vendor_internal_prop(vendor_softap_prop) +vendor_internal_prop(mm_parser_prop) +vendor_internal_prop(mm_video_prop) +vendor_internal_prop(ctl_vendor_rmt_storage_prop) +vendor_internal_prop(vendor_wifi_version) +vendor_internal_prop(vendor_cnss_diag_prop) +vendor_internal_prop(vendor_modem_diag_prop) +vendor_internal_prop(vendor_ramdump_prop) +vendor_restricted_prop(vendor_hvdcp_opti_prop) -- cgit v1.2.3 From c4c350271454c26d55533d67e644050359818458 Mon Sep 17 00:00:00 2001 From: Peiyong Lin Date: Fri, 14 Aug 2020 18:08:46 -0700 Subject: Add necessary permission for GPU profiling libraries. Bug: b/157832445, b/164542774 Test: Run AGI validate gpu profiling Change-Id: I4c3188c6e07224b5a7c16b2ebc1b2cf0475d2b97 --- vendor/qcom/common/file_contexts | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts index 907d5b9..7931a55 100644 --- a/vendor/qcom/common/file_contexts +++ b/vendor/qcom/common/file_contexts 
@@ -150,6 +150,7 @@
 /vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgsl\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libEGL_adreno\.so u:object_r:same_process_hal_file:s0
@@ -179,6 +180,10 @@
 # libGLESv2_adreno depends on this
 /vendor/lib(64)?/libllvm-glnext\.so u:object_r:same_process_hal_file:s0
+# Game profiling library
+/vendor/lib(64)?/libadreno_app_profiles\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.qti\.qspmhal@1\.0\.so u:object_r:same_process_hal_file:s0
+
 # libOpenCL-pixel and its dependencies
 /vendor/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
-- cgit v1.2.3
From 96e87f9423c3c7b3b434a288570a6ae7423c07a3 Mon Sep 17 00:00:00 2001 From: Peiyong Lin Date: Fri, 14 Aug 2020 18:08:46 -0700 Subject: Add necessary permission for GPU profiling libraries. Bug: b/157832445, b/164542774 Test: Run AGI validate gpu profiling Change-Id: I4c3188c6e07224b5a7c16b2ebc1b2cf0475d2b97 --- vendor/qcom/common/file_contexts | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 907d5b9..7931a55 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
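Review bot: The three libraries added under `same_process_hal_file` (`libgpudataproducer.so`, `libadreno_app_profiles.so`, `vendor.qti.qspmhal@1.0.so`) are thereby allowed to be loaded into the address space of the client processes that use the GPU stack, untrusted apps among them, so they run with each client's permissions and get no isolation of their own; the hunk does not say why a HIDL interface library such as `vendor.qti.qspmhal@1.0.so` has to be in-process rather than reached through its HAL server. Extending the `# Game profiling library` comment to state which client processes load each library and why it cannot be proxied would document that decision for the next reviewer. The duplicate commit that follows on this page carries the identical hunk.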
@@ -150,6 +150,7 @@ /vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgsl\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libEGL_adreno\.so u:object_r:same_process_hal_file:s0 @@ -179,6 +180,10 @@ # libGLESv2_adreno depends on this /vendor/lib(64)?/libllvm-glnext\.so u:object_r:same_process_hal_file:s0 +# Game profiling library +/vendor/lib(64)?/libadreno_app_profiles\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/vendor\.qti\.qspmhal@1\.0\.so u:object_r:same_process_hal_file:s0 + # libOpenCL-pixel and its dependencies /vendor/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 -- cgit v1.2.3 From fe1fc6f2209058370ecbbd69281476b412138d62 Mon Sep 17 00:00:00 2001 From: Benjamin Schwartz Date: Wed, 5 Aug 2020 09:13:09 -0700 Subject: Fix sepolicy name conflict Need to distinguish between power stats hal's main service and the vendor service that it runs to provide an AIDL interface to other userspace stats providers. This also uncovered a problem where con_monitor_app was not labeled as coredomain. Bug: 162472196 Bug: 162964335 Test: m Change-Id: Iaf62c098334657093947c75ac786b8d9e97fbf20 --- vendor/qcom/common/con_monitor.te | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/con_monitor.te b/vendor/qcom/common/con_monitor.te index 64d0257..860c16e 100644 --- a/vendor/qcom/common/con_monitor.te +++ b/vendor/qcom/common/con_monitor.te 
@@ -1,10 +1,9 @@
 # ConnectivityMonitor app
-type con_monitor_app, domain;
+type con_monitor_app, domain, coredomain;
 app_domain(con_monitor_app)
 set_prop(con_monitor_app, radio_prop)
-set_prop(con_monitor_app, vendor_radio_prop)
 allow con_monitor_app app_api_service:service_manager find;
 allow con_monitor_app audioserver_service:service_manager find;
 allow con_monitor_app radio_service:service_manager find;
-- cgit v1.2.3
From e8aaab33deffd4f8f9112e8058489d530e0b724c Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Sat, 29 Aug 2020 11:12:50 -0700 Subject: Add SEPolicy rule for hal_drm_widevine 1. Add node /dev/qce. 2. Allow hal_drm_widevine r/w qce_device 3. Allow tee access for secure UI to work Test: GtsMediaTestCases Bug: 165071964 Change-Id: If9e71f1415ec79154ccd582d033b0881f0d321cb --- vendor/qcom/common/file_contexts | 1 + vendor/qcom/common/hal_drm_widevine.te | 4 +++- vendor/qcom/common/tee.te | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 62a9f5e..816596d 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -242,6 +242,7 @@
 /dev/msm_.* u:object_r:audio_device:s0
 /dev/ramdump_.* u:object_r:ramdump_device:s0
 /dev/at_.* u:object_r:at_device:s0
+/dev/qce u:object_r:qce_device:s0
 # dev socket nodes
 /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0
diff --git a/vendor/qcom/common/hal_drm_widevine.te b/vendor/qcom/common/hal_drm_widevine.te
index 4b52daf..2f8fbdd 100644
--- a/vendor/qcom/common/hal_drm_widevine.te
+++ b/vendor/qcom/common/hal_drm_widevine.te
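Review bot: `type con_monitor_app, domain, coredomain;` now declares a core domain from a file under `vendor/qcom/common`; if that directory is compiled into the vendor policy rather than a system or product policy directory, the Treble build checks are expected to reject the `coredomain` attribute, and even where it builds, the app's rules, including the surviving `set_prop(con_monitor_app, radio_prop)`, would sit on the wrong side of the boundary. The commit message does not say which policy the directory feeds, so a short comment above the type line, `# coredomain: this file must be built as system/product sepolicy, not vendor`, would make the dependency explicit. The cherry-pick of this commit later on the page has the same hunk.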
@@ -10,4 +10,6 @@ allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
 allow hal_drm_widevine hal_display_config_hwservice:hwservice_manager find;
 binder_call(hal_drm_widevine, hal_graphics_composer_default)
-allow hal_drm_widevine { appdomain -isolated_app }:fd use;
\ No newline at end of file
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+allow hal_drm_widevine qce_device:chr_file rw_file_perms;
diff --git a/vendor/qcom/common/tee.te b/vendor/qcom/common/tee.te
index b28b1b7..d1e8cc1 100644
--- a/vendor/qcom/common/tee.te
+++ b/vendor/qcom/common/tee.te
@@ -31,3 +31,6 @@ allow tee hal_graphics_allocator_default:fd use;
 allow tee sysfs_wake_lock:file append;
 allow tee time_daemon:unix_stream_socket connectto;
+
+# allow tee access for secure UI to work
+allow tee graphics_device:chr_file rw_file_perms;
-- cgit v1.2.3
From ec5e567245697e0dd5c253b4d4c5d4abe5439ded Mon Sep 17 00:00:00 2001
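Review bot: The new rule `allow hal_drm_widevine qce_device:chr_file rw_file_perms;` and the `/dev/qce` label in file_contexts both depend on a `qce_device` type, but the diffstat lists only file_contexts, hal_drm_widevine.te and tee.te, so unless `qce_device` is already declared elsewhere the policy will not compile; if it is, a comment naming where (`# qce_device is declared in device.te`) would save the next reader the search. In the tee.te hunk, `allow tee graphics_device:chr_file rw_file_perms;` opens every node carrying the `graphics_device` label to the TEE daemon; the comment should name the specific node secure UI needs, and if it is a single node a dedicated label would keep the grant to that node only.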
From: Hongbo Zeng Date: Mon, 31 Aug 2020 16:00:07 +0800 Subject: fix denials for wifi_hal_prop in cnd domain Bug: 162700455 Test: apply this patch and the original denials are gone Original denials: 08-31 15:18:17.135 17812 17812 I cnd : type=1400 audit(0.0:20): avc: denied { read } for name="u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=27661 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=1 b/162700455 08-31 15:18:17.135 17812 17812 I cnd : type=1400 audit(0.0:21): avc: denied { open } for path="/dev/__properties__/u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=27661 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=1 b/162700455 08-31 15:18:17.135 17812 17812 I cnd : type=1400 audit(0.0:22): avc: denied { getattr } for path="/dev/__properties__/u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=27661 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=1 b/162700455 08-31 15:18:17.135 17812 17812 I cnd : type=1400 audit(0.0:23): avc: denied { map } for path="/dev/__properties__/u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=27661 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=1 b/162700455 Change-Id: Idabcde86600993f41b7fa82a95c12b93a816619d --- vendor/qcom/common/cnd.te | 2 ++ 1 file changed, 2 insertions(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/cnd.te b/vendor/qcom/common/cnd.te index 333ac60..473de1b 100644 --- a/vendor/qcom/common/cnd.te +++ b/vendor/qcom/common/cnd.te @@ -42,3 +42,5 @@ allow cnd self:{ netlink_generic_socket qipcrtr_socket } create_socket_perms_no_ioctl; + +dontaudit cnd wifi_hal_prop:file r_file_perms; -- cgit v1.2.3 From bb5bdbe504a122cb786f4ebb61880d52158f7458 Mon Sep 17 00:00:00 2001 
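Review bot: The commit title says it fixes the denials, but `dontaudit cnd wifi_hal_prop:file r_file_perms;` only stops logging them; cnd still cannot read `wifi_hal_prop`, so if the read matters the feature fails silently from here on. If cnd does not actually need the value, a comment above the rule should say so, e.g. `# cnd probes wifi_hal_prop but does not depend on it; suppress the noise (b/162700455)`; if it does, the fix is a `get_prop` grant, with the cross-boundary read of a system property reviewed on its own. The cherry-pick of this commit further down the page repeats the same hunk.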
From: Benjamin Schwartz Date: Wed, 5 Aug 2020 09:13:09 -0700 Subject: Fix sepolicy name conflict Need to distinguish between power stats hal's main service and the vendor service that it runs to provide an AIDL interface to other userspace stats providers. This also uncovered a problem where con_monitor_app was not labeled as coredomain. Bug: 162472196 Bug: 162964335 Test: m Merged-In: Iaf62c098334657093947c75ac786b8d9e97fbf20 Change-Id: I240c285109596a1a82d952228c05ed04c697b31d --- vendor/qcom/common/con_monitor.te | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/con_monitor.te b/vendor/qcom/common/con_monitor.te index 64d0257..860c16e 100644 --- a/vendor/qcom/common/con_monitor.te +++ b/vendor/qcom/common/con_monitor.te @@ -1,10 +1,9 @@ # ConnectivityMonitor app -type con_monitor_app, domain; +type con_monitor_app, domain, coredomain; app_domain(con_monitor_app) set_prop(con_monitor_app, radio_prop) -set_prop(con_monitor_app, vendor_radio_prop) allow con_monitor_app app_api_service:service_manager find; allow con_monitor_app audioserver_service:service_manager find; allow con_monitor_app radio_service:service_manager find; -- cgit v1.2.3 From ed9e08dd8fa82253b865b364879b38698a653823 Mon Sep 17 00:00:00 2001 
From: Hongbo Zeng Date: Mon, 31 Aug 2020 16:00:07 +0800 Subject: fix denials for wifi_hal_prop in cnd domain MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug: 162700455 Bug: 169204118 (stage-aosp-... and sunfish) Test: apply this patch and the original denials are gone Original denials: 08-31 15:18:17.135 17812 17812 I cnd : type=1400 audit(0.0:20): avc: denied { read } for name="u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=27661 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=1 b/162700455 08-31 15:18:17.135 17812 17812 I cnd : type=1400 audit(0.0:21): avc: denied { open } for path="/dev/__properties__/u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=27661 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=1 b/162700455 08-31 15:18:17.135 17812 17812 I cnd : type=1400 audit(0.0:22): avc: denied { getattr } for path="/dev/__properties__/u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=27661 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=1 b/162700455 08-31 15:18:17.135 17812 17812 I cnd : type=1400 audit(0.0:23): avc: denied { map } for path="/dev/__properties__/u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=27661 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=1 b/162700455 Exempt-From-Owner-Approval:‌ ‌cherry-pick Change-Id: Idabcde86600993f41b7fa82a95c12b93a816619d (cherry picked from commit ec5e567245697e0dd5c253b4d4c5d4abe5439ded) Merged-In: Idabcde86600993f41b7fa82a95c12b93a816619d --- vendor/qcom/common/cnd.te | 2 ++ 1 file changed, 2 insertions(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/cnd.te b/vendor/qcom/common/cnd.te index 333ac60..473de1b 100644 --- a/vendor/qcom/common/cnd.te +++ b/vendor/qcom/common/cnd.te 
@@ -42,3 +42,5 @@ allow cnd self:{ netlink_generic_socket qipcrtr_socket } create_socket_perms_no_ioctl;
+
+dontaudit cnd wifi_hal_prop:file r_file_perms;
-- cgit v1.2.3
From e7fdff305e11dda824a79cd4eff3dd5612fc27dd Mon Sep 17 00:00:00 2001 From: Mariia Sandrikova Date: Fri, 25 Sep 2020 23:27:19 +0100 Subject: Add vendor_hwservice_type attribute to all hwservice Bug: 159707777 Test: make Change-Id: I698d591526cec34957678d5b96a3b39089e534a0
---
 vendor/qcom/common/hwservice.te | 48 ++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 24 deletions(-) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/hwservice.te b/vendor/qcom/common/hwservice.te
index e681898..39e009b 100644
--- a/vendor/qcom/common/hwservice.te
+++ b/vendor/qcom/common/hwservice.te
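Review bot: The new `dontaudit cnd wifi_hal_prop:file r_file_perms;` hides the read of wifi_hal_prop rather than granting it, so if cnd actually consumes that property the denial is silenced but the behaviour stays broken; the description says "fix denials" without saying which outcome was intended. If the access is needed, the grant would be `get_prop(cnd, wifi_hal_prop)`; if it is a spurious probe, say so next to the rule, e.g. `# cnd probes wifi_hal_prop it does not need; silence rather than grant`. The hunk's three context lines are not visible in this rendering, so the placement relative to the end of cnd.te is inferred.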
@@ -1,24 +1,24 @@ -type hal_display_color_hwservice, hwservice_manager_type; -type hal_iwlan_hwservice, hwservice_manager_type; -type hal_display_config_hwservice, hwservice_manager_type; -type hal_display_postproc_hwservice, hwservice_manager_type; -type hal_dpmqmi_hwservice, hwservice_manager_type; -type hal_imsrtp_hwservice, hwservice_manager_type; -type hal_imscallinfo_hwservice, hwservice_manager_type; -type hal_datafactory_hwservice, hwservice_manager_type; -type hal_cne_hwservice, hwservice_manager_type; -type hal_latency_hwservice, hwservice_manager_type; -type hal_imsrcsd_hwservice, hwservice_manager_type; -type hal_ipacm_hwservice, hwservice_manager_type; -type hal_qteeconnector_hwservice, hwservice_manager_type; -type hal_voiceprint_hwservice, hwservice_manager_type; -type vendor_hal_factory_qti_hwservice, hwservice_manager_type; -type hal_tui_comm_hwservice, hwservice_manager_type; -type hal_qdutils_disp_hwservice, hwservice_manager_type; -type hal_sensorscalibrate_qti_hwservice, hwservice_manager_type; -type vnd_atcmdfwd_hwservice, hwservice_manager_type; -type hal_dataconnection_hwservice, hwservice_manager_type; -type hal_bluetooth_coexistence_hwservice, hwservice_manager_type; -type hal_cacert_hwservice, hwservice_manager_type; -type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type; -type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice; +type hal_display_color_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_iwlan_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_display_config_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_display_postproc_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_dpmqmi_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_imsrtp_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_imscallinfo_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_datafactory_hwservice, 
hwservice_manager_type, vendor_hwservice_type; +type hal_cne_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_latency_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_imsrcsd_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_ipacm_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_qteeconnector_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_voiceprint_hwservice, hwservice_manager_type, vendor_hwservice_type; +type vendor_hal_factory_qti_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_tui_comm_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_qdutils_disp_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_sensorscalibrate_qti_hwservice, hwservice_manager_type, vendor_hwservice_type; +type vnd_atcmdfwd_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_dataconnection_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_cacert_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, vendor_hwservice_type; +type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type; -- cgit v1.2.3 From 9d71f05192164424735e146ce95b59753db19954 Mon Sep 17 00:00:00 2001 From: Ted Wang Date: Thu, 17 Sep 2020 09:59:40 +0800 Subject: Add sepolicy for BTChannelAvoidance on sunfish Bug: 168572910 Test: make Change-Id: Ia18792dda9783cdc4a5b9460dc5ebcd55f568fd4 --- vendor/qcom/common/hwservice_contexts | 1 - 1 file changed, 1 deletion(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/hwservice_contexts b/vendor/qcom/common/hwservice_contexts index 2aecfbc..3e4c304 100644 --- a/vendor/qcom/common/hwservice_contexts +++ b/vendor/qcom/common/hwservice_contexts 
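Review bot: After this rewrite only hal_qseecom_hwservice carries protected_hwservice; the other 23 types gain vendor_hwservice_type but stay unprotected, and vendor_hwservice_type changes how a type is classified, not who may find it. If I recall the platform policy correctly, protected_hwservice is the attribute that keeps untrusted app domains from finding a hwservice, so the unprotected set should be exactly the services that genuinely serve apps. A comment on the block, `# unprotected on purpose: these are looked up by app domains`, or protected_hwservice on the HAL-internal ones, would make that choice deliberate; the hunk starts on the previous line.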
@@ -12,7 +12,6 @@ vendor.display.config::IDisplayConfig u:object
 vendor.display.postproc::IDisplayPostproc u:object_r:hal_display_postproc_hwservice:s0
 vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0
 vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
-vendor.qti.hardware.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
 vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object_r:hal_qdutils_disp_hwservice:s0
 vendor.qti.hardware.qteeconnector::IAppConnector u:object_r:hal_qteeconnector_hwservice:s0
 vendor.qti.hardware.qteeconnector::IGPAppConnector u:object_r:hal_qteeconnector_hwservice:s0
-- cgit v1.2.3
From 01f88e63c5d3f4570e0f4c7c9cf640b9b59542dd Mon Sep 17 00:00:00 2001 
From: Alan Stokes Date: Fri, 23 Oct 2020 14:26:35 +0100 Subject: Remove levelFrom=none from vendor apps. (This is the same as https://r.android.com/1458479, for crosshatch-sepolicy, but with minor modifications due to different base policy - e.g. time_daemon is already mlstrustedsubject here. I've checked again that these changes should be safe with the local sepolicy and updated the explanation below. I also removed an obsolete TODO.) Set levelFrom=user or levelFrom=all explicitly on the apps that were implicitly using levelFrom=none before. This provides better isolation for app data files and unblocks future policy changes. These changes should be safe even if the apps create files with their new level: - ssr_detector_app has write access to system_app_data_file and cgroup, but they are mlstrustedobject. - data_service_app has write access to radio_data_file, but it is mlstrustedobject. - ril_config_service_app has write access to vendor_radio_data_file, but it is mlstrustedobject. - timeservice_app connects to time_daemon:unix_stream_socket, but it is mlstrustedsubject. Test: presubmits Bug: 170622707 Change-Id: I4b291c03797e623540ee66c3de034d3e9da29996 --- vendor/qcom/common/seapp_contexts | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts index cb5dedf..5581229 100644 --- a/vendor/qcom/common/seapp_contexts +++ b/vendor/qcom/common/seapp_contexts 
@@ -1,11 +1,9 @@ -#TODO(b/126137625): moving dataservice app from system to radio process -user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file -#user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file +user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file levelFrom=user # Hardware Info Collection user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user -user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file +user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file levelFrom=all user=_app seinfo=platform name=.qtidataservices domain=qtidataservices_app type=app_data_file levelFrom=all @@ -15,7 +13,7 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon user=_app seinfo=platform name=com.qualcomm.qti.services.secureui* domain=secure_ui_service_app levelFrom=all #Needed for time service apk -user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file +user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file levelFrom=all # Use a custom domain for GoogleCamera, to allow for Hexagon DSP / Easel access user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all -- cgit v1.2.3 From 239da66c1a9d7fb4a6543018e87d86e7e62b6113 Mon Sep 17 00:00:00 2001 From: EvenlyWang Date: Thu, 22 Oct 2020 07:02:32 +0000 Subject: sepolicy: audio: add vendor.audio.adm.buffering.ms The property is to define the buffer size in ADM (Audio Data Manager) and it might lead to glitches or extra latency if it is not configured properly. Bug: 160107932 Change-Id: I67e833edb9b7bbd6327297a5c4e86498d2a920f7 
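Review bot: `.dataservices` gets levelFrom=user while ril_config_service_app and timeservice_app in the same hunk get levelFrom=all, and the reason is recorded only in the description, not in seapp_contexts. A comment above the line, `# levelFrom=user, not all: runs as the shared radio uid and writes radio_data_file (b/170622707)`, keeps a later cleanup from "harmonising" it; the rationale is inferred from the user=radio and type=radio_data_file fields, so confirm it before committing the wording.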
Signed-off-by: JJ Lee --- vendor/qcom/common/property_contexts | 1 + 1 file changed, 1 insertion(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts index cf09828..0be4914 100644 --- a/vendor/qcom/common/property_contexts +++ b/vendor/qcom/common/property_contexts @@ -1,5 +1,6 @@ # vendor_audio_prop vendor.audio.snd_card.open.retries u:object_r:vendor_audio_prop:s0 +vendor.audio.adm.buffering.ms u:object_r:vendor_audio_prop:s0 vendor.audio.volume.listener.dump u:object_r:vendor_audio_prop:s0 vendor.audio.volume.headset.gain.depcal u:object_r:vendor_audio_prop:s0 -- cgit v1.2.3 From 87f21dca9d4c6ca831299507ee73b8f0fdbb38d7 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Sat, 29 Aug 2020 11:12:50 -0700 Subject: Add SEPolicy rule for hal_drm_widevine 1. Add node /dev/qce. 2. Allow hal_drm_widevine r/w qce_device 3. Allow tee access for secure UI to work Test: GtsMediaTestCases Bug: 136317881 Bug: 165071964 Change-Id: If9e71f1415ec79154ccd582d033b0881f0d321cb Merged-In: If9e71f1415ec79154ccd582d033b0881f0d321cb (cherry picked from commit e8aaab33deffd4f8f9112e8058489d530e0b724c) --- vendor/qcom/common/file_contexts | 1 + vendor/qcom/common/hal_drm_widevine.te | 4 +++- vendor/qcom/common/tee.te | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts index 7931a55..38d8a33 100644 --- a/vendor/qcom/common/file_contexts +++ b/vendor/qcom/common/file_contexts @@ -248,6 +248,7 @@ /dev/msm_.* u:object_r:audio_device:s0 /dev/ramdump_.* u:object_r:ramdump_device:s0 /dev/at_.* u:object_r:at_device:s0 +/dev/qce u:object_r:qce_device:s0 # dev socket nodes /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0 diff --git a/vendor/qcom/common/hal_drm_widevine.te b/vendor/qcom/common/hal_drm_widevine.te index 4b52daf..2f8fbdd 100644 --- a/vendor/qcom/common/hal_drm_widevine.te 
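Review bot: The new `/dev/qce u:object_r:qce_device:s0` entry depends on a `qce_device` type that is not declared in this commit (the diffstat lists only file_contexts, hal_drm_widevine.te and tee.te), so it must already exist in device.te of this tree; worth confirming, as an undeclared label fails the file_contexts check at build time. Since the node is the crypto engine the DRM HAL is being given read/write on, a short comment keeps the pairing visible: `# QCE crypto engine node, used by hal_drm_widevine (b/136317881)`. The two hunks that add the corresponding allow rules continue on the next line.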
+++ b/vendor/qcom/common/hal_drm_widevine.te @@ -10,4 +10,6 @@ allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms; allow hal_drm_widevine hal_display_config_hwservice:hwservice_manager find; binder_call(hal_drm_widevine, hal_graphics_composer_default) -allow hal_drm_widevine { appdomain -isolated_app }:fd use; \ No newline at end of file +allow hal_drm_widevine { appdomain -isolated_app }:fd use; + +allow hal_drm_widevine qce_device:chr_file rw_file_perms; diff --git a/vendor/qcom/common/tee.te b/vendor/qcom/common/tee.te index b28b1b7..d1e8cc1 100644 --- a/vendor/qcom/common/tee.te +++ b/vendor/qcom/common/tee.te @@ -31,3 +31,6 @@ allow tee hal_graphics_allocator_default:fd use; allow tee sysfs_wake_lock:file append; allow tee time_daemon:unix_stream_socket connectto; + +# allow tee access for secure UI to work +allow tee graphics_device:chr_file rw_file_perms; -- cgit v1.2.3 From 1f129da0619149819fb8ae0d9b1b53519a4d192b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 4 Nov 2020 10:02:23 +0800 Subject: Allow peripheral manager to call rild 10-27 18:44:47.296 1912 1912 I auditd : type=1400 audit(0.0:4): avc: denied { call } for comm="Binder:1912_2" scontext=u:r:vendor_per_mgr:s0 tcontext=u:r:rild:s0 tclass=binder permissive=0 Bug: 171838844 Test: boot with no avc error showing up Change-Id: I78d1838211ad7f4b73c375328741c5e462876ec2 --- vendor/qcom/common/peripheral_manager.te | 1 + 1 file changed, 1 insertion(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/peripheral_manager.te b/vendor/qcom/common/peripheral_manager.te index bd5f923..05e75bc 100644 --- a/vendor/qcom/common/peripheral_manager.te +++ b/vendor/qcom/common/peripheral_manager.te 
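Review bot: `allow tee graphics_device:chr_file rw_file_perms;` gives the TEE daemon read/write on every node labelled graphics_device, while the comment above it only says it is for secure UI. If a single display node is what secure UI touches, naming it in the comment (and using a narrower label where the device tree has one) keeps the grant reviewable; at minimum tie it to the bug: `# secure UI: tee needs r/w on the display node (b/165071964)`. Which of the two bug ids in the description covers secure UI is not stated, so pick the right one.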
@@ -8,6 +8,7 @@ init_daemon_domain(vendor_per_mgr);
 vndbinder_use(vendor_per_mgr)
 binder_call(vendor_per_mgr, vendor_per_mgr)
 binder_call(vendor_per_mgr, wcnss_service)
+binder_call(vendor_per_mgr, rild)
 set_prop(vendor_per_mgr, vendor_per_mgr_state_prop)
 allow vendor_per_mgr self:qipcrtr_socket create_socket_perms_no_ioctl;
-- cgit v1.2.3
From 4be75f97e977de44869b2064a2a935434a088931 Mon Sep 17 00:00:00 2001 From: Ted Wang Date: Wed, 16 Sep 2020 21:10:18 +0800 Subject: Add sepolicy for BluetoothSar common hal on sunfish Bug: 168680634 Test: make Change-Id: I76e709f96f557abe60cb95aa6d1226e97c177456
---
 vendor/qcom/common/hwservice.te | 1 - vendor/qcom/common/hwservice_contexts | 1 - 2 files changed, 2 deletions(-) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/hwservice.te b/vendor/qcom/common/hwservice.te
index 39e009b..11c8147 100644
--- a/vendor/qcom/common/hwservice.te
+++ b/vendor/qcom/common/hwservice.te
@@ -18,7 +18,6 @@ type hal_qdutils_disp_hwservice, hwservice_manager_type, vendor_hwservice_type;
 type hal_sensorscalibrate_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
 type vnd_atcmdfwd_hwservice, hwservice_manager_type, vendor_hwservice_type;
 type hal_dataconnection_hwservice, hwservice_manager_type, vendor_hwservice_type;
-type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
 type hal_cacert_hwservice, hwservice_manager_type, vendor_hwservice_type;
 type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
 type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;
diff --git a/vendor/qcom/common/hwservice_contexts b/vendor/qcom/common/hwservice_contexts
index 3e4c304..75e64a1 100644
--- a/vendor/qcom/common/hwservice_contexts
+++ b/vendor/qcom/common/hwservice_contexts
@@ -11,7 +11,6 @@ vendor.display.color::IDisplayColor u:object
 vendor.display.config::IDisplayConfig u:object_r:hal_display_config_hwservice:s0
 vendor.display.postproc::IDisplayPostproc u:object_r:hal_display_postproc_hwservice:s0
 vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0
-vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
 vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object_r:hal_qdutils_disp_hwservice:s0
 vendor.qti.hardware.qteeconnector::IAppConnector u:object_r:hal_qteeconnector_hwservice:s0
 vendor.qti.hardware.qteeconnector::IGPAppConnector u:object_r:hal_qteeconnector_hwservice:s0
-- cgit v1.2.3
From 8fc808c37b3e514fa4677f3c9a49fdf1222f43b5 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Wed, 13 Jan 2021 11:27:48 +0800 Subject: logger_app: Gant to access SSR properties avc: denied { set } for property=persist.vendor.sys.ssr.restart_level pid=5997 uid=10304 gid=10304 scontext=u:r:logger_app:s0:c48,c257,c512,c768 tcontext=u:object_r:vendor_ssr_prop:s0 tclass=property_service avc: denied { set } for property=vendor.sys.ssr.refresh.config pid=5997 uid=10304 gid=10304 scontext=u:r:logger_app:s0:c48,c257,c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service Bug: 175176951 Change-Id: I4a0fc14faaf4fed2e58488a868968a4a89207ea0
---
 vendor/qcom/common/property_contexts | 1 + 1 file changed, 1 insertion(+) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index 0be4914..89f0779 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -66,6 +66,7 @@ vendor.debug.ssrdump u:object_r:vendor_ssr_prop:s0
 persist.vendor.sys.cnss. u:object_r:vendor_cnss_diag_prop:s0
 persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
 persist.vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0
+vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0
 ctl.vendor.rmt_storage u:object_r:ctl_vendor_rmt_storage_prop:s0
-- cgit v1.2.3
From 3fa0534efc5b6ee6269b286070991dac5a541fac Mon Sep 17 00:00:00 2001 
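Review bot: Mapping `vendor.sys.ssr.` to vendor_ssr_prop relabels the second property from the description but does not by itself clear either denial: both are `{ set }` from logger_app, and the first was already against vendor_ssr_prop, so a `set_prop(logger_app, vendor_ssr_prop)` rule has to exist somewhere and is not part of this commit, which touches only property_contexts. Presumably that rule lives in the logger_app policy in another tree; a comment next to the new line, `# set by logger_app (allow rule in its own .te)`, would save the next reader the search. The prefix mapping also covers every vendor.sys.ssr.* name, which is broader than the single refresh.config property in the denial — fine if all of them are SSR-control properties.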
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Thu, 4 Feb 2021 13:28:02 -0800 Subject: allow secure_ui_service_app app_api_service:service_manager find MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit which obliviates the need for: allow secure_ui_service_app activity_service:service_manager find; allow secure_ui_service_app surfaceflinger_service:service_manager find; allow secure_ui_service_app telecom_service:service_manager find; allow secure_ui_service_app thermal_service:service_manager find; allow secure_ui_service_app trust_service:service_manager find; because they all are app_api_service's This should also fix: auditd : avc: denied { find } for pid=4625 uid=10140 name=tethering scontext=u:r:secure_ui_service_app:s0:c140,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager which would require: allow secure_ui_service_app tethering_service:service_manager find; but again, tethering_service is a app_api_service See system/sepolicy/public/service.te: type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type; type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type trust_service, app_api_service, system_server_service, service_manager_type; Test: TreeHugger Bug: 179337939 Signed-off-by: Maciej Żenczykowski Change-Id: I9bb9f2a580ac615a552f7bac97e478bf086243f6 --- vendor/qcom/common/secure_ui_service_app.te | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'vendor/qcom/common') 
diff --git a/vendor/qcom/common/secure_ui_service_app.te b/vendor/qcom/common/secure_ui_service_app.te
index bcb3e97..f577653 100644
--- a/vendor/qcom/common/secure_ui_service_app.te
+++ b/vendor/qcom/common/secure_ui_service_app.te
@@ -5,8 +5,4 @@ binder_call(secure_ui_service_app, system_server)
 binder_call(secure_ui_service_app, hal_tui_comm_qti)
 allow secure_ui_service_app hal_tui_comm_hwservice:hwservice_manager find;
-allow secure_ui_service_app surfaceflinger_service:service_manager find;
-allow secure_ui_service_app telecom_service:service_manager find;
-allow secure_ui_service_app trust_service:service_manager find;
-allow secure_ui_service_app activity_service:service_manager find;
-allow secure_ui_service_app thermal_service:service_manager find;
+allow secure_ui_service_app app_api_service:service_manager find;
-- cgit v1.2.3
From 933600c11bc96f273667a8c1e56368ade8c44fd9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Thu, 4 Feb 2021 13:28:02 -0800 Subject: allow secure_ui_service_app app_api_service:service_manager find MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit which obliviates the need for: allow secure_ui_service_app activity_service:service_manager find; allow secure_ui_service_app surfaceflinger_service:service_manager find; allow secure_ui_service_app telecom_service:service_manager find; allow secure_ui_service_app thermal_service:service_manager find; allow secure_ui_service_app trust_service:service_manager find; because they all are app_api_service's This should also fix: auditd : avc: denied { find } for pid=4625 uid=10140 name=tethering scontext=u:r:secure_ui_service_app:s0:c140,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager which would require: allow secure_ui_service_app tethering_service:service_manager find; but again, tethering_service is a app_api_service See system/sepolicy/public/service.te: type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type; type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type trust_service, app_api_service, system_server_service, service_manager_type; Test: TreeHugger Bug: 179337939 Signed-off-by: Maciej Żenczykowski Change-Id: I9bb9f2a580ac615a552f7bac97e478bf086243f6 Merged-In: I9bb9f2a580ac615a552f7bac97e478bf086243f6 --- vendor/qcom/common/secure_ui_service_app.te | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'vendor/qcom/common') 
diff --git a/vendor/qcom/common/secure_ui_service_app.te b/vendor/qcom/common/secure_ui_service_app.te
index bcb3e97..f577653 100644
--- a/vendor/qcom/common/secure_ui_service_app.te
+++ b/vendor/qcom/common/secure_ui_service_app.te
@@ -5,8 +5,4 @@ binder_call(secure_ui_service_app, system_server)
 binder_call(secure_ui_service_app, hal_tui_comm_qti)
 allow secure_ui_service_app hal_tui_comm_hwservice:hwservice_manager find;
-allow secure_ui_service_app surfaceflinger_service:service_manager find;
-allow secure_ui_service_app telecom_service:service_manager find;
-allow secure_ui_service_app trust_service:service_manager find;
-allow secure_ui_service_app activity_service:service_manager find;
-allow secure_ui_service_app thermal_service:service_manager find;
+allow secure_ui_service_app app_api_service:service_manager find;
-- cgit v1.2.3
From f7a22d3af8bf13567cd239df8653e6d444df8c63 Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Sat, 20 Feb 2021 14:32:44 +0800 Subject: Hardwareinfo: remove platform sign key Sign with default key Test: manually, connect to wifi, reboot and check logcat, no new error message after apply patch adb logcat |egrep "Hardware|System.err" Bug: 162295589 Signed-off-by: Denny cy Lee Change-Id: Iafb8f978981a03020974804f121f04aec7bf334f
---
 vendor/qcom/common/seapp_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts
index 5581229..c34496a 100644
--- a/vendor/qcom/common/seapp_contexts
+++ b/vendor/qcom/common/seapp_contexts
@@ -1,7 +1,7 @@ user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file levelFrom=user # Hardware Info Collection -user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user +user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file levelFrom=all -- cgit v1.2.3 From e5ab8715a7f34cb2cd19e9509613cd7277b23b8c Mon Sep 17 00:00:00 2001 From: ChihYao Chien Date: Thu, 18 Mar 2021 11:09:02 +0800 Subject: Add rules for netmgrd's new property netmgrd vendor_default_prop:property_service set avc: denied { set } for property=persist.vendor.data.offload_ko_load pid=1213 uid=1001 gid=1001 scontext=u:r:netmgrd:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0 Bug: 175076226 Bug: 171353985 Bug: 183061600 Change-Id: Id7e03e22046eb9306f7b0bb6d7c7f56f44ffbbf7 --- vendor/qcom/common/netmgrd.te | 1 + vendor/qcom/common/property_contexts | 1 + 2 files changed, 2 insertions(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/netmgrd.te b/vendor/qcom/common/netmgrd.te index 238a61b..4d53e7c 100644 --- a/vendor/qcom/common/netmgrd.te +++ b/vendor/qcom/common/netmgrd.te @@ -69,5 +69,6 @@ allow netmgrd self:netlink_xfrm_socket create_socket_perms_no_ioctl; #Allow set persist.vendor.data.shsusr_load #Allow set persist.vendor.data.perf_ko_load #Allow set persist.vendor.data.qmipriod_load +#Allow set persist.vendor.data.offload_ko_load set_prop(netmgrd, vendor_radio_prop) diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts index 7c8fb35..9ce9ac9 100644 --- a/vendor/qcom/common/property_contexts +++ b/vendor/qcom/common/property_contexts 
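Review bot: Dropping `seinfo=platform` from the hardwareinfo entry means hardware_info_app is now selected by package name plus isPrivApp alone rather than by signing certificate, so any privileged app installed under the name com.google.android.hardwareinfo lands in this domain. That is an accepted trade-off for priv-apps, which ship on the system image, but it should be stated in the file: `# no seinfo: signed with the default key, matched by name + isPrivApp only (b/162295589)`. The identical hunk is repeated in the Merged-in copy of this commit on the following line, so the comment applies there too.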
@@ -85,3 +85,4 @@ persist.vendor.data.shs_ko_load u:object_r:vendor_radio_prop:s0 persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0 persist.vendor.data.perf_ko_load u:object_r:vendor_radio_prop:s0 persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0 +persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0 -- cgit v1.2.3 From 5672357d0368c2db0fe29c118a26165e9a090c4b Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Sat, 20 Feb 2021 14:32:44 +0800 Subject: Hardwareinfo: remove platform sign key Sign with default key Test: manually, connect to wifi, reboot and check logcat, no new error message after apply patch adb logcat |egrep "Hardware|System.err" Bug: 162295589 Signed-off-by: Denny cy Lee Change-Id: Iafb8f978981a03020974804f121f04aec7bf334f Merged-in: Iafb8f978981a03020974804f121f04aec7bf334f --- vendor/qcom/common/seapp_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts index 5581229..c34496a 100644 --- a/vendor/qcom/common/seapp_contexts +++ b/vendor/qcom/common/seapp_contexts @@ -1,7 +1,7 @@ user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file levelFrom=user # Hardware Info Collection -user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user +user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file levelFrom=all -- cgit v1.2.3 From 6694d21d5982d5b851d5538194a3a0369e92a820 Mon Sep 17 00:00:00 2001 
From: ChihYao Chien Date: Thu, 6 May 2021 15:53:17 +0800 Subject: Add sepolicy rules 1. com.qualcomm.qti.telephonyservice { read } for comm="elephonyservice" name="u:object_r:vendor_radio_prop:s0" dev="tmpfs" ino=25322 scontext=u:r:platform_app:s0:c512, c768 tcontext=u:object_r:vendor_radio_prop:s0 tclass=file permissive=0 app=com.qualcomm.qti.telephonyservice Ref: qcom/lito/device/qcom/sepolicy/+/2824781c (CRs-Fixed: 2809413) 2. vendor.qti.hardware.radio.ims.IImsRadio/default avc: denied { find } for pid=2718 uid=10252 name=vendor.qti.hardware.radio.ims.IImsRadio/default scontext=u:r:qtelephony:s0:c252,c256,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0 Bug: 185560630 Bug: 185954927 Change-Id: Ibe935872b7a35ccdc8c2eb8eaea942ec91527abf --- vendor/qcom/common/qtelephony.te | 1 + vendor/qcom/common/seapp_contexts | 3 +++ vendor/qcom/common/service.te | 1 + vendor/qcom/common/service_contexts | 1 + 4 files changed, 6 insertions(+) create mode 100644 vendor/qcom/common/service_contexts (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/qtelephony.te b/vendor/qcom/common/qtelephony.te index 315b1a2..29ce45f 100644 --- a/vendor/qcom/common/qtelephony.te +++ b/vendor/qcom/common/qtelephony.te @@ -7,6 +7,7 @@ add_hwservice(qtelephony, vnd_atcmdfwd_hwservice) allow qtelephony app_api_service:service_manager find; allow qtelephony hal_imsrtp_hwservice:hwservice_manager find; +allow qtelephony hal_telephony_service:service_manager find; allow qtelephony radio_service:service_manager find; allow qtelephony sysfs_diag:dir search; allow qtelephony sysfs_timestamp_switch:file r_file_perms; diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts index c34496a..51fdd3d 100644 --- a/vendor/qcom/common/seapp_contexts +++ b/vendor/qcom/common/seapp_contexts 
@@ -29,3 +29,6 @@ user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=qtelepho #Add DeviceInfoHidlClient to vendor_qtelephony user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=qtelephony type=app_data_file levelFrom=all + +# QtiTelephonyService app +user=_app seinfo=platform name=com.qualcomm.qti.telephonyservice domain=qtelephony type=app_data_file levelFrom=all diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te index c2ea2f6..c3aa9f1 100644 --- a/vendor/qcom/common/service.te +++ b/vendor/qcom/common/service.te @@ -4,3 +4,4 @@ type imsrcs_service, service_manager_type; type improve_touch_service, service_manager_type; type gba_auth_service, service_manager_type; type qtitetherservice_service, service_manager_type; +type hal_telephony_service, service_manager_type, vendor_service; diff --git a/vendor/qcom/common/service_contexts b/vendor/qcom/common/service_contexts new file mode 100644 index 0000000..405f768 --- /dev/null +++ b/vendor/qcom/common/service_contexts @@ -0,0 +1 @@ +vendor.qti.hardware.radio.ims.IImsRadio/default u:object_r:hal_telephony_service:s0 -- cgit v1.2.3 From 2f414056f504325eb38d640ce32d3ec77dcfe02e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 14 May 2021 11:26:37 +0800 Subject: allow pd_mapper to read dmesg 05-12 13:18:16.449 1095 1095 I auditd : type=1400 audit(0.0:7): avc: denied { getattr } for comm="pd-mapper" path="/dev/kmsg" dev="tmpfs" ino=17807 scontext=u:r:vendor_pd_mapper:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 Bug: 177335164 Test: boot to home with no avc error Change-Id: Ia076cca5a5335063edc31990fca7a51fedf117b7 --- vendor/qcom/common/pd_services.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/pd_services.te b/vendor/qcom/common/pd_services.te index 3f48cef..b504a16 100644 --- a/vendor/qcom/common/pd_services.te +++ b/vendor/qcom/common/pd_services.te 
@@ -6,7 +6,7 @@ init_daemon_domain(vendor_pd_mapper);
 allow vendor_pd_mapper self:qipcrtr_socket create_socket_perms_no_ioctl;
 userdebug_or_eng(`
- allow vendor_pd_mapper kmsg_device:chr_file w_file_perms;
+ allow vendor_pd_mapper kmsg_device:chr_file rw_file_perms;
 ')
 dontaudit vendor_pd_mapper sysfs_esoc:dir search;
-- cgit v1.2.3
From 71e21da3854ac97a21aa3b14957d560a66662d46 Mon Sep 17 00:00:00 2001 From: ChihYao Chien Date: Thu, 4 Feb 2021 17:08:22 +0800 Subject: Sync sepolicy from qcom-au091 for keymaster daemon init: Could not start service 'keymaster-4-1' as part of class 'early_hal': File /vendor/bin/hw/android.hardware.keymaster@4.1-service-qti(labeled "u:object_r:vendor_file:s0") has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined. reference to qcom/lito/platform/vendor/qcom/sepolicy_vndr:fefbf6b185221bb37b24ae8eea74862a97389650 cherry-pick from 6903a0fa10f95bec2d05608a20b2d6164177846d Bug: 185598142 Bug: 178358917 Change-Id: I77c6a6cda6b2772d4ff81a3bb6a0fc819cc47f49
---
 vendor/qcom/common/file_contexts | 2 ++ vendor/qcom/common/init-qti-keymaster-sh.te | 38 +++++++++++++++++++++++++++++ vendor/qcom/common/property.te | 2 ++ vendor/qcom/common/property_contexts | 3 +++ 4 files changed, 45 insertions(+) create mode 100644 vendor/qcom/common/init-qti-keymaster-sh.te (limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 816596d..0e99310 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
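Review bot: The denial in the description is only `{ getattr }` on kmsg_device, but the hunk widens w_file_perms to rw_file_perms, which in the AOSP macro set also brings in read, ioctl and the rest of r_file_perms — that is, reading the kernel log, more than the audit asked for. `allow vendor_pd_mapper kmsg_device:chr_file { w_file_perms getattr };` would clear the denial without the read; if pd-mapper really does read dmesg, as the subject suggests, a comment saying why is warranted. The rule sits inside userdebug_or_eng, so production builds are unaffected either way.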
@@ -67,6 +67,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/init\.qti\.keymaster\.sh u:object_r:init-qti-keymaster-sh_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0
 /(vendor|system/vendor)/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0
diff --git a/vendor/qcom/common/init-qti-keymaster-sh.te b/vendor/qcom/common/init-qti-keymaster-sh.te
new file mode 100644
index 0000000..bb974c2
--- /dev/null
+++ b/vendor/qcom/common/init-qti-keymaster-sh.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-keymaster-sh, domain;
+type init-qti-keymaster-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qti-keymaster-sh)
+
+# Set vendor.keymaster.strongbox.version to 40 or 41
+set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);
+set_prop(init-qti-keymaster-sh, vendor_disable_spu_prop)
+
+allow init-qti-keymaster-sh vendor_shell_exec:file rx_file_perms;
+allow init-qti-keymaster-sh vendor_toolbox_exec:file rx_file_perms;
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index 5f08525..fb6f433 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
@@ -60,4 +60,6 @@ vendor_internal_prop(ctl_vendor_rmt_storage_prop)
 vendor_internal_prop(vendor_wifi_version)
 vendor_internal_prop(vendor_cnss_diag_prop)
 vendor_internal_prop(vendor_modem_diag_prop)
+vendor_internal_prop(vendor_disable_spu_prop)
 vendor_restricted_prop(vendor_hvdcp_opti_prop)
+vendor_restricted_prop(vendor_km_strongbox_version_prop)
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index 9ce9ac9..eebfb81 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -86,3 +86,6 @@ persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0
 persist.vendor.data.perf_ko_load u:object_r:vendor_radio_prop:s0
 persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0
 persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0
+
+#keymaster strongbox service
+vendor.keymaster.strongbox.version u:object_r:vendor_km_strongbox_version_prop:s0
-- cgit v1.2.3
From 9f0cf4d36578512e8be01f7b6eeb0da866d3bdb1 Mon Sep 17 00:00:00 2001
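Review bot: `set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);` terminates a macro call with a semicolon while the next line, `set_prop(init-qti-keymaster-sh, vendor_disable_spu_prop)`, does not; use the bare form `set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop)` for both so the m4 expansion is uniform (the semicolon version is carried into the new-file hunk of the 'sync codebase' commit as well). `vendor_disable_spu_prop` is declared in this commit's property.te hunk and granted here, but its property_contexts hunk only labels `vendor.keymaster.strongbox.version`, so no property actually carries the new type; the following 'Sync previous patch' commit removes it, which confirms the rule was dead on arrival. Because the script's sole purpose is to choose which keymaster service starts, a comment on `vendor_restricted_prop(vendor_km_strongbox_version_prop)` naming the non-vendor reader that motivates restricted rather than internal visibility would let a reviewer verify that only this domain can set the value.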
From: Wilson Sung
Date: Sat, 17 Apr 2021 02:09:49 +0800
Subject: Sync previous patch due to no SPU support on sm7150
Bug: 185598142
Bug: 182255618
Change-Id: Idba839ead12334815e0fc989981050f128096cb9
---
 vendor/qcom/common/init-qti-keymaster-sh.te | 1 -
 vendor/qcom/common/property.te | 1 -
 2 files changed, 2 deletions(-)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/init-qti-keymaster-sh.te b/vendor/qcom/common/init-qti-keymaster-sh.te
index bb974c2..f5a6c31 100644
--- a/vendor/qcom/common/init-qti-keymaster-sh.te
+++ b/vendor/qcom/common/init-qti-keymaster-sh.te
@@ -32,7 +32,6 @@ init_daemon_domain(init-qti-keymaster-sh)
 # Set vendor.keymaster.strongbox.version to 40 or 41
 set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);
-set_prop(init-qti-keymaster-sh, vendor_disable_spu_prop)
 allow init-qti-keymaster-sh vendor_shell_exec:file rx_file_perms;
 allow init-qti-keymaster-sh vendor_toolbox_exec:file rx_file_perms;
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index fb6f433..81b3b55 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
@@ -60,6 +60,5 @@ vendor_internal_prop(ctl_vendor_rmt_storage_prop)
 vendor_internal_prop(vendor_wifi_version)
 vendor_internal_prop(vendor_cnss_diag_prop)
 vendor_internal_prop(vendor_modem_diag_prop)
-vendor_internal_prop(vendor_disable_spu_prop)
 vendor_restricted_prop(vendor_hvdcp_opti_prop)
 vendor_restricted_prop(vendor_km_strongbox_version_prop)
-- cgit v1.2.3
From 9e67b6a0bcbcb4b2c6b56f2044743baf4da17160 Mon Sep 17 00:00:00 2001
From: ChihYao Chien Date: Fri, 21 May 2021 11:13:29 +0800 Subject: Sync QCOM sepolicy rules 1. init_qti_chg_policy sysfs_wakeup:dir read denied { read } for comm="find" name="wakeup8" dev="sysfs" ino=55134 scontext=u:r:init_qti_chg_policy:s0 tcontext=u:object_r:sysfs_wakeup:s0 tclass=dir permissive=0 init_qti_chg_policy sysfs_iio_devices:dir search denied { search } for comm="cat" name="devices" dev="sysfs" ino=42746 scontext=u:r:init_qti_chg_policy:s0 tcontext=u:object_r:sysfs_iio_devices:s0 tclass=dir permissive=0 2. cnd default_android_hwservice:hwservice_manager find denied { find } for interface=vendor.qti.hardware.mwqemadapter::IMwqemAdapter sid=u:r:cnd:s0 pid=1224 scontext=u:r:cnd:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0 3. rild default_android_hwservice:hwservice_manager find denied { find } for interface=vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo sid=u:r:rild:s0 pid=1424 scontext=u:r:rild:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0 4. sensors sensors_vendor_data_file:dir search denied { search } for name="sensors" dev="dm-6" ino=262 scontext=u:r:sensors:s0 tcontext=u:object_r:sensors_vendor_data_file:s0 tclass=dir permissive=0 5. qtelephony default_android_hwservice:hwservice_manager find denied { find } for interface=vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo sid=u:r:qtelephony:s0:c32,c257,c512,c768 pid=4377 scontext=u:r:qtelephony:s0:c32,c257,c512,c768 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0 6. 
hvdcp denied { write } for name="kmsg" dev="tmpfs" ino=26341 scontext=u:r:hvdcp:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 Bug: 188064567 Change-Id: Ib5e59796a56d6cb39fa1d482599d93903431ab2a --- vendor/qcom/common/cnd.te | 1 + vendor/qcom/common/hvdcp.te | 2 +- vendor/qcom/common/hwservice.te | 1 + vendor/qcom/common/hwservice_contexts | 2 ++ vendor/qcom/common/seapp_contexts | 1 + vendor/qcom/common/sensors.te | 2 ++ 6 files changed, 8 insertions(+), 1 deletion(-) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/cnd.te b/vendor/qcom/common/cnd.te index 473de1b..30acc21 100644 --- a/vendor/qcom/common/cnd.te +++ b/vendor/qcom/common/cnd.te @@ -20,6 +20,7 @@ allow cnd cnd_data_file:dir rw_dir_perms; wakelock_use(cnd) # To register cnd to hwbinder add_hwservice(cnd, hal_datafactory_hwservice) +add_hwservice(cnd, hal_mwqemadapter_hwservice) userdebug_or_eng(` allow cnd diag_device:chr_file rw_file_perms; ') diff --git a/vendor/qcom/common/hvdcp.te b/vendor/qcom/common/hvdcp.te index 7cdae50..9c1b7eb 100644 --- a/vendor/qcom/common/hvdcp.te +++ b/vendor/qcom/common/hvdcp.te @@ -7,7 +7,7 @@ allow hvdcp sysfs_batteryinfo:dir r_dir_perms; allow hvdcp qg_device:chr_file rw_file_perms; allow hvdcp self:capability2 wake_alarm; allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; -allow hvdcp kmsg_device:chr_file r_file_perms; +allow hvdcp kmsg_device:chr_file rw_file_perms; allow hvdcp mnt_vendor_file:dir r_dir_perms; allow hvdcp persist_file:dir search; allow hvdcp persist_hvdcp_file:dir search; diff --git a/vendor/qcom/common/hwservice.te b/vendor/qcom/common/hwservice.te index 11c8147..5f091a5 100644 --- a/vendor/qcom/common/hwservice.te +++ b/vendor/qcom/common/hwservice.te 
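Review bot: `allow hvdcp kmsg_device:chr_file rw_file_perms;` gives the charging daemon unconditional write access to `/dev/kmsg` on user builds, whereas the pd-mapper change earlier in this series keeps its kmsg rule inside `userdebug_or_eng(...)`. A process that can write `/dev/kmsg` can insert text that log consumers treat as kernel-originated and can flood the ring buffer, so if the write is only debug logging the rule belongs behind the same macro: keep `allow hvdcp kmsg_device:chr_file r_file_perms;` and wrap `allow hvdcp kmsg_device:chr_file w_file_perms;` in `userdebug_or_eng(...)` as pd_services.te does. The same widening is repeated in the hvdcp.te hunk of the 'sync codebase' commit. The description also lists `init_qti_chg_policy` denials on `sysfs_wakeup` and `sysfs_iio_devices`, but none of the six files in the diffstat touches that domain, so either those rules live outside vendor/qcom/common or the description is out of date.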
@@ -21,3 +21,4 @@ type hal_dataconnection_hwservice, hwservice_manager_type, vendor_hwservice_type type hal_cacert_hwservice, hwservice_manager_type, vendor_hwservice_type; type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, vendor_hwservice_type; type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type; +type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice; diff --git a/vendor/qcom/common/hwservice_contexts b/vendor/qcom/common/hwservice_contexts index 75e64a1..f275324 100644 --- a/vendor/qcom/common/hwservice_contexts +++ b/vendor/qcom/common/hwservice_contexts @@ -15,6 +15,7 @@ vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object vendor.qti.hardware.qteeconnector::IAppConnector u:object_r:hal_qteeconnector_hwservice:s0 vendor.qti.hardware.qteeconnector::IGPAppConnector u:object_r:hal_qteeconnector_hwservice:s0 vendor.qti.hardware.radio.am::IQcRilAudio u:object_r:hal_telephony_hwservice:s0 +vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo u:object_r:hal_telephony_hwservice:s0 vendor.qti.hardware.radio.lpa::IUimLpa u:object_r:hal_telephony_hwservice:s0 vendor.qti.hardware.radio.qcrilhook::IQtiOemHook u:object_r:hal_telephony_hwservice:s0 vendor.qti.hardware.radio.qtiradio::IQtiRadio u:object_r:hal_telephony_hwservice:s0 @@ -35,3 +36,4 @@ vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore u:object vendor.qti.hardware.display.allocator::IQtiAllocator u:object_r:hal_graphics_allocator_hwservice:s0 vendor.qti.ims.callinfo::IService u:object_r:hal_imscallinfo_hwservice:s0 vendor.qti.hardware.qseecom::IQSEECom u:object_r:hal_qseecom_hwservice:s0 +vendor.qti.hardware.mwqemadapter::IMwqemAdapter u:object_r:hal_mwqemadapter_hwservice:s0 diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts index 51fdd3d..6b2ff84 100644 --- a/vendor/qcom/common/seapp_contexts +++ b/vendor/qcom/common/seapp_contexts 
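Review bot: `type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice;` is the only declaration in the hunk without `vendor_hwservice_type`; every neighbouring vendor hwservice carries it, including `hal_qseecom_hwservice`, which is likewise `protected_hwservice`. Unless the omission is intentional, declare it as `type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;` so the new type is classified like the other vendor-defined hwservices. The same declaration is added again in the hwservice.te hunk of the 'sync codebase' commit.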
@@ -32,3 +32,4 @@ user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=q # QtiTelephonyService app user=_app seinfo=platform name=com.qualcomm.qti.telephonyservice domain=qtelephony type=app_data_file levelFrom=all + diff --git a/vendor/qcom/common/sensors.te b/vendor/qcom/common/sensors.te index 95737d0..a423192 100644 --- a/vendor/qcom/common/sensors.te +++ b/vendor/qcom/common/sensors.te @@ -12,5 +12,7 @@ allow sensors self:qipcrtr_socket create; allow sensors sensors_persist_file:dir rw_dir_perms; r_dir_file(sensors, sysfs_msm_subsys) allow sensors sysfs_ssr:file r_file_perms; +allow sensors sensors_vendor_data_file:dir rw_dir_perms; +allow sensors sensors_vendor_data_file:file create_file_perms; dontaudit sensors sysfs_esoc:dir r_dir_perms; -- cgit v1.2.3 From 63b4165791a11004e3bf0c618c5579332bf3c18e Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Thu, 17 Jun 2021 15:29:58 +0800 Subject: rfs_access: fix avc errors avc: denied { dac_read_search } for comm="tftp_server" capability=2 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability permissive=0 avc: denied { dac_override } for comm="tftp_server" capability=1 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability permissive=0 Bug: 189167816 Change-Id: Ie694865a835f87c3cdd37418178734ebba24cb99 --- vendor/qcom/common/rfs_access.te | 2 ++ 1 file changed, 2 insertions(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/rfs_access.te b/vendor/qcom/common/rfs_access.te index 97d138d..14cb6a7 100644 --- a/vendor/qcom/common/rfs_access.te +++ b/vendor/qcom/common/rfs_access.te @@ -17,3 +17,5 @@ allow rfs_access rfs_tombstone_data_file:file create_file_perms; allow rfs_access self:qipcrtr_socket create_socket_perms_no_ioctl; wakelock_use(rfs_access) + +dontaudit rfs_access self:capability { dac_override dac_read_search }; -- cgit v1.2.3 From a6a1859de96577cbb89ca01bbfc8f61261b60125 Mon Sep 17 00:00:00 2001 
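Review bot: The sensors denial quoted in the description is `search` on `sensors_vendor_data_file:dir`, but the two added rules grant `rw_dir_perms` on the directory and `create_file_perms` on files beneath it, i.e. the HAL may now create, write and unlink files there. If the HAL persists data in that directory the broader grant is appropriate and the commit message should say so; otherwise `allow sensors sensors_vendor_data_file:dir search;` is the rule that matches the evidence. The same two rules are added again in the sensors.te hunk of the 'sync codebase' commit.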
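Review bot: `dontaudit rfs_access self:capability { dac_override dac_read_search };` silences the capability denials instead of granting them, which is the right direction for a modem-facing file server, but the change should record that tftp_server still works without them, since a genuine failure is now invisible in the audit log; a comment above the rule such as `# tftp_server probes for DAC override; it works without it, so suppress rather than allow` would capture that. This commit is duplicated verbatim by the following 'rfs_access: fix avc errors' commit (same hunk, same blob ids 97d138d..14cb6a7), so one of the two should be dropped.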
From: SalmaxChang Date: Fri, 18 Jun 2021 21:25:21 +0800 Subject: rfs_access: fix avc errors avc: denied { dac_read_search } for comm="tftp_server" capability=2 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability permissive=0 avc: denied { dac_override } for comm="tftp_server" capability=1 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability permissive=0 Bug: 189167816 Change-Id: I738bb1c1699dd6d2e075fb0f822129d65328eb5a --- vendor/qcom/common/rfs_access.te | 2 ++ 1 file changed, 2 insertions(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/rfs_access.te b/vendor/qcom/common/rfs_access.te index 97d138d..14cb6a7 100644 --- a/vendor/qcom/common/rfs_access.te +++ b/vendor/qcom/common/rfs_access.te @@ -17,3 +17,5 @@ allow rfs_access rfs_tombstone_data_file:file create_file_perms; allow rfs_access self:qipcrtr_socket create_socket_perms_no_ioctl; wakelock_use(rfs_access) + +dontaudit rfs_access self:capability { dac_override dac_read_search }; -- cgit v1.2.3 From 1b3490e4fbb3299d326a70841b1be805145bb678 Mon Sep 17 00:00:00 2001 From: JohnnLee Date: Mon, 21 Jun 2021 14:28:11 +0800 Subject: Add sepolicy rules for au013 gnss hal_gnss_qti: avc: denied { search } for comm="android.hardwar" name="location" dev="dm-6" ino=341 scontext=u:r:hal_gnss_qti:s0 tcontext=u:object_r:location_data_file:s0 tclass=dir permissive=0 Bug: 191613553 Change-Id: Idc2ff2dab3da8cb0b22ae7ea87370dc2348666eb --- vendor/qcom/common/hal_gnss_qti.te | 2 ++ 1 file changed, 2 insertions(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/hal_gnss_qti.te b/vendor/qcom/common/hal_gnss_qti.te index c4481a7..80abd2e 100644 --- a/vendor/qcom/common/hal_gnss_qti.te +++ b/vendor/qcom/common/hal_gnss_qti.te 
@@ -24,5 +24,7 @@ allow hal_gnss_qti location:unix_dgram_socket sendto; allow hal_gnss_qti self:qipcrtr_socket create_socket_perms_no_ioctl; +allow hal_gnss_qti location_data_file:dir r_dir_perms; + # Allow Gnss HAL to get updates from health hal hal_client_domain(hal_gnss_qti, hal_health) -- cgit v1.2.3 From a1716fc9b77e85ee1a79729859a87876b2ba8288 Mon Sep 17 00:00:00 2001 From: JohnnLee Date: Thu, 3 Jun 2021 15:10:02 +0800 Subject: Add sepolicy for qti mapper 4.0 avc: denied { read } for name="android.hardware.graphics .mapper@4.0-impl-qti-display.so" dev="dm-7" ino=2012 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=0 Bug: 189893985 Change-Id: I4c2275e155bd71793d554e5d44d7833d4c4ab9da --- vendor/qcom/common/file_contexts | 2 ++ 1 file changed, 2 insertions(+) (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts index 0e99310..3ed0ebf 100644 --- a/vendor/qcom/common/file_contexts +++ b/vendor/qcom/common/file_contexts @@ -140,6 +140,8 @@ /vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.1\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgralloc\.qti\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 -- cgit v1.2.3 From 375055f0abc5963af2cc581ee0fbd3eb155f8c51 Mon Sep 17 00:00:00 2001 
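Review bot: The quoted denial is `search` on `location_data_file:dir`, while `allow hal_gnss_qti location_data_file:dir r_dir_perms;` also grants `read`, `getattr` and `open`, i.e. listing the directory. If the HAL only traverses the path to a known file, `allow hal_gnss_qti location_data_file:dir search;` is the tighter rule; if it enumerates the directory the broader grant is fine but deserves a comment saying so. The same rule recurs in the hal_gnss_qti.te hunk of the 'sync codebase' commit.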
From: Adam Shih Date: Mon, 5 Jul 2021 09:50:03 +0800 Subject: sync codebase Bug: 162370942 Test: build pass Change-Id: Ib6042e79d74dedae3b07c91769958f58e439f62b Merged-In: I4c2275e155bd71793d554e5d44d7833d4c4ab9da --- vendor/qcom/common/cnd.te | 1 + vendor/qcom/common/file.te | 2 -- vendor/qcom/common/file_contexts | 11 ++++----- vendor/qcom/common/hal_gnss_qti.te | 2 ++ vendor/qcom/common/hal_neuralnetworks.te | 3 +++ vendor/qcom/common/hvdcp.te | 2 +- vendor/qcom/common/hwservice.te | 2 +- vendor/qcom/common/hwservice_contexts | 4 ++-- vendor/qcom/common/init-qti-keymaster-sh.te | 37 +++++++++++++++++++++++++++++ vendor/qcom/common/mediatranscoding.te | 2 ++ vendor/qcom/common/netmgrd.te | 1 + vendor/qcom/common/property.te | 2 +- vendor/qcom/common/property_contexts | 6 +++-- vendor/qcom/common/qtelephony.te | 1 + vendor/qcom/common/seapp_contexts | 4 ++++ vendor/qcom/common/sensors.te | 2 ++ vendor/qcom/common/service.te | 1 + vendor/qcom/common/service_contexts | 1 + 18 files changed, 68 insertions(+), 16 deletions(-) create mode 100644 vendor/qcom/common/init-qti-keymaster-sh.te create mode 100644 vendor/qcom/common/mediatranscoding.te create mode 100644 vendor/qcom/common/service_contexts (limited to 'vendor/qcom/common') diff --git a/vendor/qcom/common/cnd.te b/vendor/qcom/common/cnd.te index 473de1b..30acc21 100644 --- a/vendor/qcom/common/cnd.te +++ b/vendor/qcom/common/cnd.te @@ -20,6 +20,7 @@ allow cnd cnd_data_file:dir rw_dir_perms; wakelock_use(cnd) # To register cnd to hwbinder add_hwservice(cnd, hal_datafactory_hwservice) +add_hwservice(cnd, hal_mwqemadapter_hwservice) userdebug_or_eng(` allow cnd diag_device:chr_file rw_file_perms; ') diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te index 33bb82e..23073eb 100644 --- a/vendor/qcom/common/file.te +++ b/vendor/qcom/common/file.te 
@@ -131,8 +131,6 @@ type sysfs_sectouch, sysfs_type, fs_type; type vendor_tui_data_file, file_type, data_file_type; type vendor_bt_data_file, file_type, data_file_type; type sysfs_jpeg, fs_type, sysfs_type; -type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; -type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject; type sysfs_npu, fs_type, sysfs_type; type vendor_ramdump_data_file, file_type, data_file_type; type vendor_mdmhelperdata_data_file, file_type, data_file_type; diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts index 38d8a33..3ed0ebf 100644 --- a/vendor/qcom/common/file_contexts +++ b/vendor/qcom/common/file_contexts @@ -67,6 +67,8 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti u:object_r:hal_keymaster_qti_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:hal_keymaster_qti_exec:s0 +/(vendor|system/vendor)/bin/init\.qti\.keymaster\.sh u:object_r:init-qti-keymaster-sh_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0 /(vendor|system/vendor)/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0 @@ -112,12 +114,6 @@ /mnt/vendor/persist/hvdcp_opti(/.*)? u:object_r:persist_hvdcp_file:s0 /mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0 -################################### -# ramdumpfs files -# -/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0 -/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0 - ################################### # adsp files # 
@@ -144,6 +140,8 @@ /vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.1\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgralloc\.qti\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 @@ -268,7 +266,6 @@ /data/vendor/modem_fdr(/.*)? u:object_r:modem_fdr_file:s0 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 /data/vendor/nnhal(/.*)? u:object_r:hal_neuralnetworks_data_file:s0 -/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0 /data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0 /data/vendor/ssrlog(/.*)? u:object_r:ssr_log_file:s0 /data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0 diff --git a/vendor/qcom/common/hal_gnss_qti.te b/vendor/qcom/common/hal_gnss_qti.te index c4481a7..80abd2e 100644 --- a/vendor/qcom/common/hal_gnss_qti.te +++ b/vendor/qcom/common/hal_gnss_qti.te @@ -24,5 +24,7 @@ allow hal_gnss_qti location:unix_dgram_socket sendto; allow hal_gnss_qti self:qipcrtr_socket create_socket_perms_no_ioctl; +allow hal_gnss_qti location_data_file:dir r_dir_perms; + # Allow Gnss HAL to get updates from health hal hal_client_domain(hal_gnss_qti, hal_health) diff --git a/vendor/qcom/common/hal_neuralnetworks.te b/vendor/qcom/common/hal_neuralnetworks.te index 1d20204..6ccdd39 100644 --- a/vendor/qcom/common/hal_neuralnetworks.te +++ b/vendor/qcom/common/hal_neuralnetworks.te 
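Review bot: After the `@@ -268,7 +266,6 @@` hunk, `/data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0` still references `ramdump_vendor_data_file`, yet the file.te hunk of this same commit removes `type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;`. Unless that type is now declared outside vendor/qcom/common (the earlier 'Remove ramdump sepolicies' commit says the rules move to hardware/google/pixel-sepolicy, and this listing is limited to vendor/qcom/common), file_contexts names an undefined type and checkfc will reject the build. Either relabel the ssrdump entry or state the external declaration in the commit message.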
@@ -17,3 +17,6 @@ r_dir_file(hal_neuralnetworks_default, sysfs_soc) r_dir_file(hal_neuralnetworks_default, adsprpcd_file) dontaudit hal_neuralnetworks_default vendor_display_prop:file read; + +# b/159570217 suppress warning related to zeroth.debuglog.logmask +dontaudit hal_neuralnetworks_default default_prop:file { open read }; diff --git a/vendor/qcom/common/hvdcp.te b/vendor/qcom/common/hvdcp.te index 7cdae50..9c1b7eb 100644 --- a/vendor/qcom/common/hvdcp.te +++ b/vendor/qcom/common/hvdcp.te @@ -7,7 +7,7 @@ allow hvdcp sysfs_batteryinfo:dir r_dir_perms; allow hvdcp qg_device:chr_file rw_file_perms; allow hvdcp self:capability2 wake_alarm; allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; -allow hvdcp kmsg_device:chr_file r_file_perms; +allow hvdcp kmsg_device:chr_file rw_file_perms; allow hvdcp mnt_vendor_file:dir r_dir_perms; allow hvdcp persist_file:dir search; allow hvdcp persist_hvdcp_file:dir search; diff --git a/vendor/qcom/common/hwservice.te b/vendor/qcom/common/hwservice.te index 39e009b..5f091a5 100644 --- a/vendor/qcom/common/hwservice.te +++ b/vendor/qcom/common/hwservice.te @@ -18,7 +18,7 @@ type hal_qdutils_disp_hwservice, hwservice_manager_type, vendor_hwservice_type; type hal_sensorscalibrate_qti_hwservice, hwservice_manager_type, vendor_hwservice_type; type vnd_atcmdfwd_hwservice, hwservice_manager_type, vendor_hwservice_type; type hal_dataconnection_hwservice, hwservice_manager_type, vendor_hwservice_type; -type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; type hal_cacert_hwservice, hwservice_manager_type, vendor_hwservice_type; type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, vendor_hwservice_type; type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type; +type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice; 
diff --git a/vendor/qcom/common/hwservice_contexts b/vendor/qcom/common/hwservice_contexts index 2aecfbc..f275324 100644 --- a/vendor/qcom/common/hwservice_contexts +++ b/vendor/qcom/common/hwservice_contexts @@ -11,12 +11,11 @@ vendor.display.color::IDisplayColor u:object vendor.display.config::IDisplayConfig u:object_r:hal_display_config_hwservice:s0 vendor.display.postproc::IDisplayPostproc u:object_r:hal_display_postproc_hwservice:s0 vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0 -vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 -vendor.qti.hardware.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object_r:hal_qdutils_disp_hwservice:s0 vendor.qti.hardware.qteeconnector::IAppConnector u:object_r:hal_qteeconnector_hwservice:s0 vendor.qti.hardware.qteeconnector::IGPAppConnector u:object_r:hal_qteeconnector_hwservice:s0 vendor.qti.hardware.radio.am::IQcRilAudio u:object_r:hal_telephony_hwservice:s0 +vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo u:object_r:hal_telephony_hwservice:s0 vendor.qti.hardware.radio.lpa::IUimLpa u:object_r:hal_telephony_hwservice:s0 vendor.qti.hardware.radio.qcrilhook::IQtiOemHook u:object_r:hal_telephony_hwservice:s0 vendor.qti.hardware.radio.qtiradio::IQtiRadio u:object_r:hal_telephony_hwservice:s0 @@ -37,3 +36,4 @@ vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore u:object vendor.qti.hardware.display.allocator::IQtiAllocator u:object_r:hal_graphics_allocator_hwservice:s0 vendor.qti.ims.callinfo::IService u:object_r:hal_imscallinfo_hwservice:s0 vendor.qti.hardware.qseecom::IQSEECom u:object_r:hal_qseecom_hwservice:s0 +vendor.qti.hardware.mwqemadapter::IMwqemAdapter u:object_r:hal_mwqemadapter_hwservice:s0 
diff --git a/vendor/qcom/common/init-qti-keymaster-sh.te b/vendor/qcom/common/init-qti-keymaster-sh.te
new file mode 100644
index 0000000..f5a6c31
--- /dev/null
+++ b/vendor/qcom/common/init-qti-keymaster-sh.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-keymaster-sh, domain;
+type init-qti-keymaster-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qti-keymaster-sh)
+
+# Set vendor.keymaster.strongbox.version to 40 or 41
+set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);
+
+allow init-qti-keymaster-sh vendor_shell_exec:file rx_file_perms;
+allow init-qti-keymaster-sh vendor_toolbox_exec:file rx_file_perms;
diff --git a/vendor/qcom/common/mediatranscoding.te b/vendor/qcom/common/mediatranscoding.te new file mode 100644 index 0000000..ab3f09d --- /dev/null +++ b/vendor/qcom/common/mediatranscoding.te @@ -0,0 +1,2 @@ +get_prop(domain, vendor_display_prop) + diff --git a/vendor/qcom/common/netmgrd.te b/vendor/qcom/common/netmgrd.te index 238a61b..4d53e7c 100644 --- a/vendor/qcom/common/netmgrd.te +++ b/vendor/qcom/common/netmgrd.te @@ -69,5 +69,6 @@ allow netmgrd self:netlink_xfrm_socket create_socket_perms_no_ioctl; #Allow set persist.vendor.data.shsusr_load #Allow set persist.vendor.data.perf_ko_load #Allow set persist.vendor.data.qmipriod_load +#Allow set persist.vendor.data.offload_ko_load set_prop(netmgrd, vendor_radio_prop) diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te index d232ac6..81b3b55 100644 --- a/vendor/qcom/common/property.te +++ b/vendor/qcom/common/property.te @@ -60,5 +60,5 @@ vendor_internal_prop(ctl_vendor_rmt_storage_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_cnss_diag_prop) vendor_internal_prop(vendor_modem_diag_prop) -vendor_internal_prop(vendor_ramdump_prop) vendor_restricted_prop(vendor_hvdcp_opti_prop) +vendor_restricted_prop(vendor_km_strongbox_version_prop) diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts index 89f0779..eebfb81 100644 --- a/vendor/qcom/common/property_contexts +++ b/vendor/qcom/common/property_contexts @@ -39,7 +39,6 @@ persist.vendor.bt.soc.scram_freqs u:object_r:vendor_bluetooth_prop ro.vendor.audio.sdk.fluencetype u:object_r:vendor_audio_prop:s0 ro.vendor.ril. u:object_r:vendor_radio_prop:s0 -ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0 # vendor display prop vendor.gralloc.disable_ahardware_buffer u:object_r:vendor_display_prop:s0 
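Review bot: `get_prop(domain, vendor_display_prop)` grants every domain on the device, not just mediatranscoding, read access to `vendor_display_prop`, yet it lives in a file named mediatranscoding.te where a reader expects rules scoped to that one domain. If the graphics library that reads the property is loaded into a known set of client processes, granting those domains (or the attribute they share) is the least-privilege form; if the property is genuinely safe for all readers, a comment above the line such as `# vendor_display_prop is read by display libraries loaded into arbitrary client processes, so grant it to all domains` and a move out of mediatranscoding.te into a domain-wide rules file would make the intent visible. The same one-line file is created by the 'transcoding' commits earlier in this series.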
@@ -51,7 +50,6 @@ vendor.debug.prerotation.disable u:object_r:vendor_display_prop:s vendor.debug.egl.swapinterval u:object_r:vendor_display_prop:s0 ro.vendor.graphics.memory u:object_r:vendor_display_prop:s0 -vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0 vendor.ims. u:object_r:qcom_ims_prop:s0 vendor.peripheral. u:object_r:vendor_per_mgr_state_prop:s0 vendor.sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0 @@ -87,3 +85,7 @@ persist.vendor.data.shs_ko_load u:object_r:vendor_radio_prop:s0 persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0 persist.vendor.data.perf_ko_load u:object_r:vendor_radio_prop:s0 persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0 +persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0 + +#keymaster strongbox service +vendor.keymaster.strongbox.version u:object_r:vendor_km_strongbox_version_prop:s0 diff --git a/vendor/qcom/common/qtelephony.te b/vendor/qcom/common/qtelephony.te index 315b1a2..29ce45f 100644 --- a/vendor/qcom/common/qtelephony.te +++ b/vendor/qcom/common/qtelephony.te @@ -7,6 +7,7 @@ add_hwservice(qtelephony, vnd_atcmdfwd_hwservice) allow qtelephony app_api_service:service_manager find; allow qtelephony hal_imsrtp_hwservice:hwservice_manager find; +allow qtelephony hal_telephony_service:service_manager find; allow qtelephony radio_service:service_manager find; allow qtelephony sysfs_diag:dir search; allow qtelephony sysfs_timestamp_switch:file r_file_perms; diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts index c34496a..6b2ff84 100644 --- a/vendor/qcom/common/seapp_contexts +++ b/vendor/qcom/common/seapp_contexts 
@@ -29,3 +29,7 @@ user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=qtelepho
 #Add DeviceInfoHidlClient to vendor_qtelephony
 user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=qtelephony type=app_data_file levelFrom=all
+
+# QtiTelephonyService app
+user=_app seinfo=platform name=com.qualcomm.qti.telephonyservice domain=qtelephony type=app_data_file levelFrom=all
+
diff --git a/vendor/qcom/common/sensors.te b/vendor/qcom/common/sensors.te
index 95737d0..a423192 100644
--- a/vendor/qcom/common/sensors.te
+++ b/vendor/qcom/common/sensors.te
@@ -12,5 +12,7 @@ allow sensors self:qipcrtr_socket create;
 allow sensors sensors_persist_file:dir rw_dir_perms;
 r_dir_file(sensors, sysfs_msm_subsys)
 allow sensors sysfs_ssr:file r_file_perms;
+allow sensors sensors_vendor_data_file:dir rw_dir_perms;
+allow sensors sensors_vendor_data_file:file create_file_perms;
 dontaudit sensors sysfs_esoc:dir r_dir_perms;
diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te
index c2ea2f6..c3aa9f1 100644
--- a/vendor/qcom/common/service.te
+++ b/vendor/qcom/common/service.te
@@ -4,3 +4,4 @@ type imsrcs_service, service_manager_type;
 type improve_touch_service, service_manager_type;
 type gba_auth_service, service_manager_type;
 type qtitetherservice_service, service_manager_type;
+type hal_telephony_service, service_manager_type, vendor_service;
diff --git a/vendor/qcom/common/service_contexts b/vendor/qcom/common/service_contexts
new file mode 100644
index 0000000..405f768
--- /dev/null
+++ b/vendor/qcom/common/service_contexts
@@ -0,0 +1 @@
+vendor.qti.hardware.radio.ims.IImsRadio/default u:object_r:hal_telephony_service:s0
-- cgit v1.2.3
From e812edc32bf0f3aa844401677d1b4f7bfa32b91e Mon Sep 17 00:00:00 2001
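Review bot: The two new rules give `sensors` create/write/unlink on `sensors_vendor_data_file` directories and files, but nothing in the hunk says which path carries that label or why the existing `sensors_persist_file` grant two lines above is not enough. A comment naming the directory, e.g. `# sensor registry under <path labelled sensors_vendor_data_file - TODO confirm>; a second writable location because <reason>`, would make the grant reviewable. The type declaration and the file_contexts entry for it are not in the visible part of this commit, so I could not check that they exist.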
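Review bot: `hal_telephony_service` is declared with only `service_manager_type, vendor_service`, while the same commit lets the `qtelephony` app domain `find` it (qtelephony.te hunk on the previous line) and maps a platform-signed package into that domain (seapp_contexts hunk above). If the service is not meant to be reachable by untrusted apps the declaration should also carry `protected_service`, i.e. `type hal_telephony_service, service_manager_type, vendor_service, protected_service;`, with the explicit qtelephony find rule then being the only app-side path to it. The last commit on this page adds exactly that attribute, so this is the state between the two commits; noting it here so the declaration and the find rule are read together. The seapp_contexts hunk also adds two empty lines, the last of which is a trailing blank at end of file.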
From: Adam Shih
Date: Wed, 4 Aug 2021 12:37:58 +0800
Subject: make sepolicy compatible with different SW versions
Bug: 194892738
Test: boot to home with no avc denials
Change-Id: Ie25f87671b5dd80819eff15b362324402dd2c4bd
---
 vendor/qcom/common/hwservice_contexts | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/hwservice_contexts b/vendor/qcom/common/hwservice_contexts
index f275324..ed11eb4 100644
--- a/vendor/qcom/common/hwservice_contexts
+++ b/vendor/qcom/common/hwservice_contexts
@@ -37,3 +37,5 @@ vendor.qti.hardware.display.allocator::IQtiAllocator u:object
 vendor.qti.ims.callinfo::IService u:object_r:hal_imscallinfo_hwservice:s0
 vendor.qti.hardware.qseecom::IQSEECom u:object_r:hal_qseecom_hwservice:s0
 vendor.qti.hardware.mwqemadapter::IMwqemAdapter u:object_r:hal_mwqemadapter_hwservice:s0
+vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
+vendor.qti.hardware.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
-- cgit v1.2.3
From aace3214639d6226f075b8cbe6b2e72be95745b0 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Fri, 13 Aug 2021 11:38:47 -0700
Subject: Add the 'bdev_type' attribute to all block devices
The following patch iterates over all block devices:
https://android-review.googlesource.com/c/platform/system/core/+/1783847/9
The following patch grants 'init' and 'apexd' permission to iterate over all block devices:
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1783947
The above SELinux policy change requires to add the 'bdev_type' attribute to all block devices. Hence this patch.
Bug: 194450129
Test: Untested.
Change-Id: I40776e26f4300859485759b440575d12d779b5a9
Signed-off-by: Bart Van Assche
---
 vendor/qcom/common/device.te | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'vendor/qcom/common')
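Review bot: Two different HIDL interfaces, `IBluetoothSar` and `IBTChannelAvoidance`, are labelled with the same `hal_bluetooth_coexistence_hwservice` type, so any domain granted `find` on that type reaches both; that is fine if both are served and consumed by the same processes, but neither the hunk nor the subject ("different SW versions") says so. A comment above the pair, such as `# both BT coexistence interfaces share one label; a client of either gets find on both`, would record the decision. The declaration of the type is outside this commit, so I could not check whether it is marked `protected_hwservice`.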
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index 211d3d4..04fe462 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -19,7 +19,7 @@ type rpmb_device, dev_type;
 type sg_device, dev_type;
 type dip_device, dev_type;
 type sd_device, dev_type;
-type ssd_block_device, dev_type;
+type ssd_block_device, dev_type, bdev_type;
 type esoc_device, dev_type;
 type ssr_device, dev_type;
 type ramdump_device, dev_type;
@@ -50,12 +50,12 @@ type avtimer_device, dev_type;
 type at_device, dev_type;
 type bt_device, dev_type;
 type wlan_device, dev_type;
-type rawdump_block_device, dev_type;
-type custom_ab_block_device, dev_type;
-type xbl_block_device, dev_type;
-type gpt_block_device, dev_type;
-type modem_block_device, dev_type;
-type uefi_block_device, dev_type;
-type persist_block_device, dev_type;
+type rawdump_block_device, dev_type, bdev_type;
+type custom_ab_block_device, dev_type, bdev_type;
+type xbl_block_device, dev_type, bdev_type;
+type gpt_block_device, dev_type, bdev_type;
+type modem_block_device, dev_type, bdev_type;
+type uefi_block_device, dev_type, bdev_type;
+type persist_block_device, dev_type, bdev_type;
 type npu_device, dev_type;
-type devinfo_block_device, dev_type;
+type devinfo_block_device, dev_type, bdev_type;
-- cgit v1.2.3
From faf76f81f5bba65a6f9cf745c4be9c1e0850b1a9 Mon Sep 17 00:00:00 2001
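Review bot: The commit says every block device gets `bdev_type`, but `rpmb_device`, visible in the `@@ -19,7` hunk header, is left as plain `dev_type`; if it labels a block node (the name suggests the RPMB partition) it needs `type rpmb_device, dev_type, bdev_type;` as well, otherwise the iteration the referenced system patch performs is denied on it — a later commit on this page adds it after an apexd denial. `sd_device`, `ssd_device` and `ssr_device` in the same context are ambiguous from their names alone; a comment stating which of them are block nodes would make the attribute assignment checkable. Given `Test: Untested.` on a change touching nine device types, at least a boot-and-check-for-denials run is warranted.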
From: Bart Van Assche
Date: Tue, 17 Aug 2021 14:51:37 -0700
Subject: Associate the sysfs_block_type attribute with sysfs SCSI device information
Patch https://android-review.googlesource.com/c/platform/system/sepolicy/+/1783947 ("Allow the init and apexd processes to read all block device properties") associates the sysfs_block_type attribute with the files under /sys/class/block. SCSI device information needs to be labeled separately because it exists elsewhere:
# ls -ld /sys/class/block/sda
lrwxrwxrwx 1 root root 0 2021-08-17 14:49 /sys/class/block/sda -> ../../devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda
Hence this patch that associates the sysfs_block_type attribute with SCSI device information in sysfs.
Bug: 196982345
Test: Untested.
Change-Id: I16746ca6bc55294db83a8aea87f16fe7ad81d97f
Signed-off-by: Bart Van Assche
---
 vendor/qcom/common/file.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 23073eb..80594f3 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -140,7 +140,7 @@ type hal_neuralnetworks_data_file, file_type, data_file_type;
 type mpss_rfs_data_file, data_file_type, file_type;
 type rfs_tombstone_data_file, data_file_type, file_type;
 type sysfs_msm_wlan, sysfs_type, fs_type;
-type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type, sysfs_block_type;
 type proc_sched_energy_aware, proc_type, fs_type;
 type proc_sched_updown_migrate, proc_type, fs_type;
 type debugfs_wlan, debugfs_type, fs_type;
-- cgit v1.2.3
From e0a221d446537777111d00504678f949ae6acc83 Mon Sep 17 00:00:00 2001
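Review bot: Adding `sysfs_block_type` to `sysfs_scsi_devices_0000` applies the attribute to everything that type labels, and the name suggests it covers the whole SCSI device node (`.../0:0:0:0/`) rather than only its `block/` subtree, so whatever rules the system policy attaches to `sysfs_block_type` extend to the non-block attributes under that directory too. If only the block information is needed, a narrower genfscon label for the `block/` subdirectory would keep the attribute to what the referenced patch asks for. The genfs_contexts entry for this type is not in the visible diff, so this is inferred from the type name; a comment on the line stating which path is covered would settle it.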
From: Bart Van Assche
Date: Mon, 23 Aug 2021 13:25:04 -0700
Subject: Add the bdev_type attribute to the rpmb_device type
This patch fixes the following SELinux denial, reported by Treehugger for patch https://android-review.git.corp.google.com/c/platform/system/apex/+/1782069:
07-29 02:52:54.320 582 582 I auditd : type=1400 audit(0.0:4): avc: denied { getattr } for comm="apexd" path="/dev/block/mmcblk0rpmb" dev="tmpfs" ino=15991 scontext=u:r:apexd:s0
Bug: 194450129
Test: Untested.
Change-Id: I796546dacd3e309ea0b127100560b23856bdbc8e
Signed-off-by: Bart Van Assche
---
 vendor/qcom/common/device.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index 04fe462..9845762 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -15,7 +15,7 @@ type device_latency, dev_type;
 type fm_radio_device, dev_type;
 type modem_efs_partition_device, dev_type;
 type ssd_device, dev_type;
-type rpmb_device, dev_type;
+type rpmb_device, dev_type, bdev_type;
 type sg_device, dev_type;
 type dip_device, dev_type;
 type sd_device, dev_type;
-- cgit v1.2.3
From 225e205a038eb8562f4b64a473a12f9fbe12e0cb Mon Sep 17 00:00:00 2001
From: ChihYao Chien
Date: Thu, 30 Sep 2021 10:22:44 +0800
Subject: sepolicy changes for imsfactory hal
Fix sepolicy error:
avc: denied { find } for interface=vendor.qti.ims.factory::IImsFactory sid=u:r:hal_rcsservice:s0 pid=10907 scontext=u:r:hal_rcsservice:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0
Ref: redbull-sepolicy:71ca806a5d6005f18eef94a61fa9edff419dc39c
Bug: 193992611
Change-Id: Ia290227a0bb851608d5e7b2b85bb719a5477c88e
---
 vendor/qcom/common/hal_rcsservice.te | 2 ++
 vendor/qcom/common/hwservice.te | 1 +
 vendor/qcom/common/hwservice_contexts | 1 +
 3 files changed, 4 insertions(+)
(limited to 'vendor/qcom/common')
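Review bot: Giving `rpmb_device` the `bdev_type` attribute pulls the RPMB node into every system-side rule keyed on that attribute, while the denial being fixed is only `getattr` from apexd; RPMB is typically the replay-protected store that TEE and keystore state rely on, so it is worth confirming that the `bdev_type` rules in the base policy stop at metadata access (getattr, dir search) and do not include open/read/write, and recording that on the line: `# bdev_type: lets init/apexd stat the node while iterating /dev/block; no data access`. If the base-policy rules turn out to be broader, keeping `rpmb_device` without `bdev_type` and adding an explicit getattr allow for apexd would be the narrower fix. `Test: Untested.` on a change to a security-sensitive device label deserves at least a boot with denial monitoring.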
diff --git a/vendor/qcom/common/hal_rcsservice.te b/vendor/qcom/common/hal_rcsservice.te
index 9acd706..0c95f16 100644
--- a/vendor/qcom/common/hal_rcsservice.te
+++ b/vendor/qcom/common/hal_rcsservice.te
@@ -11,6 +11,8 @@ hwbinder_use(hal_rcsservice)
 # add IUceSerive and IService to Hidl interface
 add_hwservice(hal_rcsservice, hal_imsrcsd_hwservice)
 add_hwservice(hal_rcsservice, hal_imscallinfo_hwservice)
+# add imsfactory to HIDl interface
+add_hwservice(hal_rcsservice, hal_imsfactory_hwservice)
 get_prop(hal_rcsservice, hwservicemanager_prop)
 set_prop(hal_rcsservice, qcom_ims_prop)
diff --git a/vendor/qcom/common/hwservice.te b/vendor/qcom/common/hwservice.te
index 5f091a5..c17da13 100644
--- a/vendor/qcom/common/hwservice.te
+++ b/vendor/qcom/common/hwservice.te
@@ -22,3 +22,4 @@ type hal_cacert_hwservice, hwservice_manager_type, vendor_hwservice_type;
 type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
 type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;
 type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_imsfactory_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;
diff --git a/vendor/qcom/common/hwservice_contexts b/vendor/qcom/common/hwservice_contexts
index f275324..b2323bd 100644
--- a/vendor/qcom/common/hwservice_contexts
+++ b/vendor/qcom/common/hwservice_contexts
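Review bot: The added comment `# add imsfactory to HIDl interface` has a typo and does not name the interface the rule is for; `# register vendor.qti.ims.factory::IImsFactory (hal_imsfactory_hwservice) on HIDL` would match the hwservice_contexts entry in the same commit. The denial in the description is for `find`, while `add_hwservice` grants registration as well; that is the right macro if hal_rcsservice is the server of IImsFactory, which the `sid=u:r:hal_rcsservice:s0` in the denial suggests but the hunk does not state. hwservice.te declares the new type `protected_hwservice`, so any app-side client would need its own find rule — if one exists it is outside this commit.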
@@ -28,6 +28,7 @@ vendor.qti.hardware.tui_comm::ITuiComm u:object
 vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd u:object_r:vnd_atcmdfwd_hwservice:s0
 vendor.qti.hardware.data.latency::ILinkLatency u:object_r:hal_latency_hwservice:s0
 vendor.qti.data.factory::IFactory u:object_r:hal_datafactory_hwservice:s0
+vendor.qti.ims.factory::IImsFactory u:object_r:hal_imsfactory_hwservice:s0
 vendor.qti.imsrtpservice::IRTPService u:object_r:hal_imsrtp_hwservice:s0
 vendor.qti.hardware.cacert::IService u:object_r:hal_cacert_hwservice:s0
 hardware.google.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
-- cgit v1.2.3
From b989a887c6250109c8ad13cbd5645686b7e31ef6 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Fri, 8 Oct 2021 09:18:22 -0700
Subject: Remove the bdev_type and sysfs_block_type SELinux attributes
Bug: 202520796
Test: Untested.
Change-Id: I9c4b2c48b04c30e835784fc0dd52f11e543320bf
Signed-off-by: Bart Van Assche
---
 vendor/qcom/common/device.te | 20 ++++++++++----------
 vendor/qcom/common/file.te | 2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index 9845762..211d3d4 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -15,11 +15,11 @@ type device_latency, dev_type;
 type fm_radio_device, dev_type;
 type modem_efs_partition_device, dev_type;
 type ssd_device, dev_type;
-type rpmb_device, dev_type, bdev_type;
+type rpmb_device, dev_type;
 type sg_device, dev_type;
 type dip_device, dev_type;
 type sd_device, dev_type;
-type ssd_block_device, dev_type, bdev_type;
+type ssd_block_device, dev_type;
 type esoc_device, dev_type;
 type ssr_device, dev_type;
 type ramdump_device, dev_type;
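Review bot: Dropping `bdev_type` from `rpmb_device` and `ssd_block_device` undoes the fix for the apexd `getattr` denial on `/dev/block/mmcblk0rpmb` recorded two commits earlier, and the description gives no reason beyond a bug number and `Test: Untested.`; if the system-side change that iterates block devices was itself withdrawn, saying so in the description would stop the next reader from re-adding the attribute (the following commits on this page show exactly that back-and-forth). The second device.te hunk on the next line and the file.te hunk carry the same change and the same question.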
@@ -50,12 +50,12 @@ type avtimer_device, dev_type;
 type at_device, dev_type;
 type bt_device, dev_type;
 type wlan_device, dev_type;
-type rawdump_block_device, dev_type, bdev_type;
-type custom_ab_block_device, dev_type, bdev_type;
-type xbl_block_device, dev_type, bdev_type;
-type gpt_block_device, dev_type, bdev_type;
-type modem_block_device, dev_type, bdev_type;
-type uefi_block_device, dev_type, bdev_type;
-type persist_block_device, dev_type, bdev_type;
+type rawdump_block_device, dev_type;
+type custom_ab_block_device, dev_type;
+type xbl_block_device, dev_type;
+type gpt_block_device, dev_type;
+type modem_block_device, dev_type;
+type uefi_block_device, dev_type;
+type persist_block_device, dev_type;
 type npu_device, dev_type;
-type devinfo_block_device, dev_type, bdev_type;
+type devinfo_block_device, dev_type;
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 80594f3..23073eb 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -140,7 +140,7 @@ type hal_neuralnetworks_data_file, file_type, data_file_type;
 type mpss_rfs_data_file, data_file_type, file_type;
 type rfs_tombstone_data_file, data_file_type, file_type;
 type sysfs_msm_wlan, sysfs_type, fs_type;
-type sysfs_scsi_devices_0000, sysfs_type, fs_type, sysfs_block_type;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
 type proc_sched_energy_aware, proc_type, fs_type;
 type proc_sched_updown_migrate, proc_type, fs_type;
 type debugfs_wlan, debugfs_type, fs_type;
-- cgit v1.2.3
From 2ce2569b3507b20f6f733fcc6dcf79e72c66682d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Brzezi=C5=84ski?=
Date: Tue, 19 Oct 2021 10:57:42 +0000
Subject: Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"
Revert "Revert "Add the 'bdev_type' attribute to all block devic..."
Revert^2 "Add the 'bdev_type' attribute to all block devices"
8a13547df44e5492d5b2c87a97412337c5088786
Change-Id: Ia727348093a068dd07d3168d9d95f63c6dc2aeeb
---
 vendor/qcom/common/device.te | 20 ++++++++++----------
 vendor/qcom/common/file.te | 2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index 211d3d4..9845762 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -15,11 +15,11 @@ type device_latency, dev_type;
 type fm_radio_device, dev_type;
 type modem_efs_partition_device, dev_type;
 type ssd_device, dev_type;
-type rpmb_device, dev_type;
+type rpmb_device, dev_type, bdev_type;
 type sg_device, dev_type;
 type dip_device, dev_type;
 type sd_device, dev_type;
-type ssd_block_device, dev_type;
+type ssd_block_device, dev_type, bdev_type;
 type esoc_device, dev_type;
 type ssr_device, dev_type;
 type ramdump_device, dev_type;
@@ -50,12 +50,12 @@ type avtimer_device, dev_type;
 type at_device, dev_type;
 type bt_device, dev_type;
 type wlan_device, dev_type;
-type rawdump_block_device, dev_type;
-type custom_ab_block_device, dev_type;
-type xbl_block_device, dev_type;
-type gpt_block_device, dev_type;
-type modem_block_device, dev_type;
-type uefi_block_device, dev_type;
-type persist_block_device, dev_type;
+type rawdump_block_device, dev_type, bdev_type;
+type custom_ab_block_device, dev_type, bdev_type;
+type xbl_block_device, dev_type, bdev_type;
+type gpt_block_device, dev_type, bdev_type;
+type modem_block_device, dev_type, bdev_type;
+type uefi_block_device, dev_type, bdev_type;
+type persist_block_device, dev_type, bdev_type;
 type npu_device, dev_type;
-type devinfo_block_device, dev_type;
+type devinfo_block_device, dev_type, bdev_type;
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 23073eb..80594f3 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -140,7 +140,7 @@ type hal_neuralnetworks_data_file, file_type, data_file_type;
 type mpss_rfs_data_file, data_file_type, file_type;
 type rfs_tombstone_data_file, data_file_type, file_type;
 type sysfs_msm_wlan, sysfs_type, fs_type;
-type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type, sysfs_block_type;
 type proc_sched_energy_aware, proc_type, fs_type;
 type proc_sched_updown_migrate, proc_type, fs_type;
 type debugfs_wlan, debugfs_type, fs_type;
-- cgit v1.2.3
From ef2f3aec105762a5f893a7e8cbb218d88bf26138 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Tue, 19 Oct 2021 14:29:14 +0000
Subject: Revert "Revert "Remove the bdev_type and sysfs_block_type SELinux attributes""
This reverts commit 2ce2569b3507b20f6f733fcc6dcf79e72c66682d.
Reason for revert: Restore this patch since it was not necessary to revert this patch.
Bug: 202520796
Change-Id: I640160b0c310e67fed6cf1374bf0fdfcbfdd5e1e
---
 vendor/qcom/common/device.te | 20 ++++++++++----------
 vendor/qcom/common/file.te | 2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index 9845762..211d3d4 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -15,11 +15,11 @@ type device_latency, dev_type;
 type fm_radio_device, dev_type;
 type modem_efs_partition_device, dev_type;
 type ssd_device, dev_type;
-type rpmb_device, dev_type, bdev_type;
+type rpmb_device, dev_type;
 type sg_device, dev_type;
 type dip_device, dev_type;
 type sd_device, dev_type;
-type ssd_block_device, dev_type, bdev_type;
+type ssd_block_device, dev_type;
 type esoc_device, dev_type;
 type ssr_device, dev_type;
 type ramdump_device, dev_type;
@@ -50,12 +50,12 @@ type avtimer_device, dev_type;
 type at_device, dev_type;
 type bt_device, dev_type;
 type wlan_device, dev_type;
-type rawdump_block_device, dev_type, bdev_type;
-type custom_ab_block_device, dev_type, bdev_type;
-type xbl_block_device, dev_type, bdev_type;
-type gpt_block_device, dev_type, bdev_type;
-type modem_block_device, dev_type, bdev_type;
-type uefi_block_device, dev_type, bdev_type;
-type persist_block_device, dev_type, bdev_type;
+type rawdump_block_device, dev_type;
+type custom_ab_block_device, dev_type;
+type xbl_block_device, dev_type;
+type gpt_block_device, dev_type;
+type modem_block_device, dev_type;
+type uefi_block_device, dev_type;
+type persist_block_device, dev_type;
 type npu_device, dev_type;
-type devinfo_block_device, dev_type, bdev_type;
+type devinfo_block_device, dev_type;
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 80594f3..23073eb 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -140,7 +140,7 @@ type hal_neuralnetworks_data_file, file_type, data_file_type;
 type mpss_rfs_data_file, data_file_type, file_type;
 type rfs_tombstone_data_file, data_file_type, file_type;
 type sysfs_msm_wlan, sysfs_type, fs_type;
-type sysfs_scsi_devices_0000, sysfs_type, fs_type, sysfs_block_type;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
 type proc_sched_energy_aware, proc_type, fs_type;
 type proc_sched_updown_migrate, proc_type, fs_type;
 type debugfs_wlan, debugfs_type, fs_type;
-- cgit v1.2.3
From 93f60c7fb09e743f998f458328bc995e8732ddce Mon Sep 17 00:00:00 2001
From: Robert Shih
Date: Mon, 14 Feb 2022 16:05:07 -0800
Subject: sunfish sepolicy: support wv aidl hal
Bug: 219538389
Test: atest GtsMediaTestCases
Change-Id: If8d3d9469592654082edc0004d7802d8da722ee7
Merged-In: If8d3d9469592654082edc0004d7802d8da722ee7
---
 vendor/qcom/common/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 3ed0ebf..a360e5a 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -52,7 +52,7 @@
 /(vendor|system/vendor)/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0
 /(vendor|system/vendor)/bin/hw/qcrild u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
-- cgit v1.2.3
From c1236d91c6c04567ef8fcf735ef4d7d86b1ea1e4 Mon Sep 17 00:00:00 2001
From: ChihYao Chien
Date: Tue, 7 Dec 2021 14:56:17 +0800
Subject: Add exception to access sysfs_msm_subsys
avc: denied { search } for comm="HwBinder:1281_1" name="5000000.qcom,kgsl-3d0" dev="sysfs" ino=34274 scontext=u:r:cameraserver:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=0
avc: denied { search } for comm="EvtQ_c2.qti.avc" name="5000000.qcom,kgsl-3d0" dev="sysfs" ino=34274 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=0
Bug: 208956148
Change-Id: I9438386217458159446bbe88029384e48c3dda57
---
 vendor/qcom/common/cameraserver.te | 2 ++
 vendor/qcom/common/mediacodec.te | 2 ++
 2 files changed, 4 insertions(+)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/cameraserver.te b/vendor/qcom/common/cameraserver.te
index 92aacf7..dfd4524 100644
--- a/vendor/qcom/common/cameraserver.te
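Review bot: The new pattern makes the `@major.minor` part optional so a versionless (AIDL-style) `android.hardware.drm-service.widevine` binary is labelled `hal_drm_widevine_exec`, which is what the subject asks for; the clearkey entry on the line above still requires the version, so a versionless clearkey binary would not match its entry and would fall to whatever more general rule covers `/vendor/bin/hw` — if the clearkey service moves to AIDL on this device it needs the same `(@[0-9]+\.[0-9]+)?` treatment. Since file_contexts patterns are anchored, the optional group cannot start matching other `drm` binaries, which is good. A short comment above the pair, `# HIDL (@x.y) and AIDL (no version) DRM service binaries`, would explain why the two lines differ.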
+++ b/vendor/qcom/common/cameraserver.te
@@ -6,3 +6,5 @@ get_prop(cameraserver, vendor_display_prop)
 # are not essential, and access denial to it won't break any gralloc mapper
 # functionality.
 dontaudit cameraserver gpu_device:chr_file rw_file_perms;
+
+dontaudit cameraserver sysfs_msm_subsys:dir search;
diff --git a/vendor/qcom/common/mediacodec.te b/vendor/qcom/common/mediacodec.te
index 5ef6b8f..bec15f6 100644
--- a/vendor/qcom/common/mediacodec.te
+++ b/vendor/qcom/common/mediacodec.te
@@ -3,3 +3,5 @@ get_prop(mediacodec, ecoservice_prop)
 allow mediacodec hal_camera_default:binder call;
 get_prop(mediacodec, vendor_display_prop)
+
+dontaudit mediacodec sysfs_msm_subsys:dir search;
-- cgit v1.2.3
From 0a5fdd83a4218d54e3b547428c408dbc56e3a22b Mon Sep 17 00:00:00 2001
From: ChihYao Chien
Date: Wed, 8 Dec 2021 14:23:14 +0800
Subject: Add sepolicy rules
avc: denied { search } for comm="com.qti.phone" name="com.qualcomm.qti.telephonyservice" dev="dm-39" ino=2607 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c154,c256,c512,c768 tclass=dir permissive=0 app=com.qualcomm.qti.telephonyservice
Bug: 209719286
Change-Id: I70a013563ac53ec725801c7aff77444340b75e3d
---
 vendor/qcom/common/seapp_contexts | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts
index 6b2ff84..fbf0b3a 100644
--- a/vendor/qcom/common/seapp_contexts
+++ b/vendor/qcom/common/seapp_contexts
@@ -33,3 +33,5 @@ user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=q
 # QtiTelephonyService app
 user=_app seinfo=platform name=com.qualcomm.qti.telephonyservice domain=qtelephony type=app_data_file levelFrom=all
+#Add ExtTelephonyService to vendor_qtelephony
+user=_app seinfo=platform name=com.qti.phone domain=qtelephony type=app_data_file levelFrom=all
-- cgit v1.2.3
From 5cde66e787c0eff492d979db16031101f0843b5e Mon Sep 17 00:00:00 2001
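Review bot: `dontaudit cameraserver sysfs_msm_subsys:dir search;` silences the denial rather than granting the access, yet the subject calls this an "exception to access" and the hunk does not say whether the search of `5000000.qcom,kgsl-3d0` is a harmless probe or something the camera path needs; if it is needed, the access still fails, only quietly, and the failure becomes much harder to diagnose later. State the reason on the rule, in the same spirit as the comment on the gpu_device dontaudit just above it, e.g. `# GPU library probes the kgsl sysfs node; the access is not required, suppress the noise`. The mediacodec.te hunk below has the same gap.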
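Review bot: Moving `com.qti.phone` into the `qtelephony` domain answers a denial of `search` on another package's `app_data_file` (`com.qualcomm.qti.telephonyservice`), but a domain change alone does not clear an MLS mismatch — both entries use `levelFrom=all`, and the denial shows different category sets for the two apps (`c512,c768` versus `c154,c256,c512,c768`). Unless the two packages share a UID, or qtelephony is exempt from the MLS constraints on app data (neither is visible in the hunk), the search will still be refused after this change, while the app now inherits every other grant qtelephony has (the service finds and sysfs access in the qtelephony.te rules earlier on this page). A comment on the entry stating the shared-UID relationship, or a boot log showing the denial gone, would confirm the fix is the intended one.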
From: ChihYao Chien
Date: Fri, 21 Jan 2022 17:16:38 +0800
Subject: Add sepolicy rules from AU184
avc: denied { find } for pid=4219 uid=10202 name=vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 scontext=u:r:qtelephony:s0:c202,c256,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
avc: denied { read } for name="wakeup24" dev="sysfs" ino=63576 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
avc: denied { read } for name="wakeup23" dev="sysfs" ino=63561 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
Bug: 215046366
Change-Id: Ia5a1e0647473250ccbab46df4be88a2a6f2f033a
---
 vendor/qcom/common/genfs_contexts | 2 ++
 vendor/qcom/common/service.te | 2 +-
 vendor/qcom/common/service_contexts | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)
(limited to 'vendor/qcom/common')
diff --git a/vendor/qcom/common/genfs_contexts b/vendor/qcom/common/genfs_contexts
index 8afbb14..d8158ec 100644
--- a/vendor/qcom/common/genfs_contexts
+++ b/vendor/qcom/common/genfs_contexts
@@ -26,3 +26,5 @@ genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws@1e08000
 genfscon sysfs /devices/virtual/xt_hardidletimer/timers u:object_r:sysfs_data:s0
 genfscon sysfs /devices/virtual/xt_idletimer/timers u:object_r:sysfs_data:s0
 genfscon sysfs /module/subsystem_restart/parameters/enable_ramdumps u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd-secure/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te
index c3aa9f1..cb00941 100644
--- a/vendor/qcom/common/service.te
+++ b/vendor/qcom/common/service.te
@@ -4,4 +4,4 @@ type imsrcs_service, service_manager_type;
 type improve_touch_service, service_manager_type;
 type gba_auth_service, service_manager_type;
 type qtitetherservice_service, service_manager_type;
-type hal_telephony_service, service_manager_type, vendor_service;
+type hal_telephony_service, service_manager_type, vendor_service, protected_service;
diff --git a/vendor/qcom/common/service_contexts b/vendor/qcom/common/service_contexts
index 405f768..c11263b 100644
--- a/vendor/qcom/common/service_contexts
+++ b/vendor/qcom/common/service_contexts
@@ -1 +1,3 @@
 vendor.qti.hardware.radio.ims.IImsRadio/default u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:hal_telephony_service:s0
-- cgit v1.2.3
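Review bot: Adding `protected_service` closes the gap where the AIDL telephony service could be found by untrusted apps, and the explicit qtelephony `find` rule from the earlier commit on this page is what keeps the platform-signed apps working, which is the right shape. In service_contexts the two new entries appear to be exact instance names; if the IMS HAL registers one instance per SIM slot, a device or software version exposing an `imsradio2` instance would again land on `default_android_service` and reproduce the denial quoted in the description. Either enumerate the full expected set or record why two slots is the limit, e.g. `# one IImsRadio instance per SIM slot; extend this list if the platform adds slots`.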