From b3c7469b7405d0ccf904a5416da05876813b8513 Mon Sep 17 00:00:00 2001
From: Mobashshirur Rahman
Date: Wed, 17 May 2023 17:12:39 +0530
Subject: [PATCH 01/13] Allow vendor_location_xtwifi_client to access ssgtzd socket
Change-Id: Ia3bdc36b455192f87fc480143068f49e8a401314
---
 generic/vendor/sdm660_64/location.te | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 generic/vendor/sdm660_64/location.te
diff --git a/generic/vendor/sdm660_64/location.te b/generic/vendor/sdm660_64/location.te
new file mode 100644
index 00000000..7d1a94d3
--- /dev/null
+++ b/generic/vendor/sdm660_64/location.te
@@ -0,0 +1,7 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
+
+# allows location to access ssgtzd socket
+unix_socket_connect(vendor_location, vendor_ssgtzd, vendor_ssgtzd)
\ No newline at end of file
From 5115a5faefd9cbd79dd6947370b7a7fa6359b9e1 Mon Sep 17 00:00:00 2001
From: Mobashshirur Rahman
Date: Wed, 17 May 2023 17:18:25 +0530
Subject: [PATCH 02/13] sepolicy rules to allow Gnss Hal to access RIL Srv
Change-Id: Iacbe878f740c71923d5da5c82fbe754ec9fb156b
---
 generic/vendor/sdm660_64/hal_gnss_qti.te | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 generic/vendor/sdm660_64/hal_gnss_qti.te
diff --git a/generic/vendor/sdm660_64/hal_gnss_qti.te b/generic/vendor/sdm660_64/hal_gnss_qti.te
new file mode 100644
index 00000000..388dbab9
--- /dev/null
+++ b/generic/vendor/sdm660_64/hal_gnss_qti.te
@@ -0,0 +1,9 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
+
+#Allow Gnss HAL to access ril socket
+allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
+unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
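Review bot: The header comment of the new file, `# generic/vendor_location.te - sepolicy rules for generic vendor_location modules`, names a file that is not the one being created (generic/vendor/sdm660_64/location.te), and the file is committed without a trailing newline (`\ No newline at end of file`). The same copied header appears in patch 02's hal_gnss_qti.te and in both new files of patch 08 under legacy/vendor/sdm660, each describing a "generic" file it is not; suggest `# location.te - sdm660_64 vendor_location rules (ssgtzd socket access)` here, the matching path in the others, and a newline at EOF. The subject speaks of vendor_location_xtwifi_client while the rule is written for the `vendor_location` domain; if the xtwifi client runs in a domain of its own this grant does not reach it, which is worth confirming.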
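Review bot: `allow vendor_hal_gnss_qti vendor_rild_socket:dir search;` relies on a `vendor_rild_socket` type being declared for the generic tree, but the only declaration in this series (patch 09, `type vendor_rild_socket, file_type;`) lands in legacy/vendor/common/file.te; if no generic declaration already exists the policy build will fail on an undeclared type. A short comment stating where the type and its `/dev/socket` context come from would make the dependency visible, e.g. `# vendor_rild_socket: directory type for the qcrild socket dir, declared in generic file.te`, with the path adjusted to wherever it actually lives.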
From cdaad86cac88ade1824631c4c2bf759339c9d2fa Mon Sep 17 00:00:00 2001
From: Nilesh Gharde
Date: Mon, 25 Sep 2023 00:06:03 -0700
Subject: [PATCH 03/13] Sepolicy rules to allow Gnss Hal to access ssgtz
CRs-fixed: 3593483
Change-Id: Iec880aa7908f2c3aa71695a4961823ff7dd0b677
---
 generic/vendor/sdm660_64/hal_gnss_qti.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/generic/vendor/sdm660_64/hal_gnss_qti.te b/generic/vendor/sdm660_64/hal_gnss_qti.te
index 388dbab9..b85704e3 100644
--- a/generic/vendor/sdm660_64/hal_gnss_qti.te
+++ b/generic/vendor/sdm660_64/hal_gnss_qti.te
@@ -6,4 +6,5 @@
 #Allow Gnss HAL to access ril socket
 allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
 unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
-
+# allows Gnss HAL to access ssgtzd socket
+unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)
From 61bf1906d73a104d0eaca8f566b9d6c5a8833ee3 Mon Sep 17 00:00:00 2001
From: Neelu Maheshwari
Date: Wed, 6 Sep 2023 02:54:20 +0530
Subject: [PATCH 04/13] sepolicy:donotaudit for com.qualcomm.location
auditd : type=1400 audit(0.0:25): avc: denied { read } for comm="alcomm.location" name="u:object_r:default_prop:s0" dev="tmpfs" ino=23722 scontext=u:r:vendor_location_app:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.qualcomm.location
Change-Id: I1fe8e7730f569fbaf955e79aba784de70cc9f944
---
 legacy/vendor/common/location_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/legacy/vendor/common/location_app.te b/legacy/vendor/common/location_app.te
index 33219058..d3c6594a 100644
--- a/legacy/vendor/common/location_app.te
+++ b/legacy/vendor/common/location_app.te
@@ -55,3 +55,4 @@ allowxperm vendor_location_app self:socket ioctl msm_sock_ipc_ioctls;
 allow vendor_location_app self:qipcrtr_socket create_socket_perms_no_ioctl;
 allow vendor_location_app sysfs_data:file r_file_perms;
 unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)
+dontaudit vendor_location_app default_prop:file {read};
From 8b41a7958b4f111155b03f01e5b762c6748941fe Mon Sep 17 00:00:00 2001
From: Neelu Maheshwari
Date: Thu, 7 Sep 2023 02:01:34 +0530
Subject: [PATCH 05/13] sepolicy: Fix qcc avc denial issue
Add rule to allow qcc to access runtime data file and fix below denial:
avc: denied { read } for comm="qccsyshal@1.2-s" name="qcc" dev="dm-36" ino=682 scontext=u:r:vendor_qccsyshal_qti:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
Change-Id: I1477af3537b8158d4c47af93cf753db89e20cccd
---
 qva/private/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qva/private/file_contexts b/qva/private/file_contexts
index e0cffa18..918834a5 100644
--- a/qva/private/file_contexts
+++ b/qva/private/file_contexts
@@ -65,4 +65,4 @@
 /data/misc/qvr(/.*)? u:object_r:vendor_qvrd_data_file:s0
 /data/misc/sxr(/.*)? u:object_r:vendor_sys_sxrd_data_file:s0
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
-/data/misc/qdma(/.*)? u:object_r:vendor_qcc_data_file:s0
+/data/misc/(qcc|qdma)(/.*)? u:object_r:vendor_qcc_data_file:s0
From a17345a7ce01fdb2452ca4727ac98552ddb8c674 Mon Sep 17 00:00:00 2001
From: Prabhat Roy
Date: Tue, 31 Oct 2023 11:24:34 +0530
Subject: [PATCH 06/13] sepolicy: Add file context for DRM
Change-Id: I568149e2c91f86a72007fb5b04f5597f133eea64
---
 generic/vendor/common/file_contexts | 2 ++
 legacy/vendor/common/file_contexts | 2 ++
 legacy/vendor/common/service_contexts | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/generic/vendor/common/file_contexts b/generic/vendor/common/file_contexts
index 85473b26..7c10df01 100644
--- a/generic/vendor/common/file_contexts
+++ b/generic/vendor/common/file_contexts
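Review bot: `dontaudit vendor_location_app default_prop:file {read};` silences the denial quoted in the message without recording why, and `default_prop` is the catch-all label for properties that no property_contexts entry claims, so whatever property com.qualcomm.location probes will stay unreadable with nothing in the log to show it. A comment above the rule is warranted, e.g. `# com.qualcomm.location probes an unlabelled (default_prop) property; deliberately silenced, not granted`, and if that property is one the app legitimately needs, giving it its own property type is the proper fix rather than a dontaudit. Braces around a single permission are unusual for this file, `dontaudit vendor_location_app default_prop:file read;`. Patch 08's `dontaudit vendor_location_app default_android_service:service_manager {find};` in legacy/vendor/sdm660/location_app.te has the same two issues.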
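Review bot: The relabel to `/data/misc/(qcc|qdma)(/.*)?` applies to paths created after it ships; on a device upgrading with an existing /data/misc/qcc the directory presumably keeps `system_data_file` until something relabels it, so the denial in the message could persist on upgraded units unless an init.rc `restorecon_recursive` (or an equivalent relabel step) accompanies this — that lives outside the diff and is worth confirming before the denial is declared fixed.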
@@ -181,6 +181,8 @@
 /vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[2-9]+-service-lazy.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service-lazy\.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator@1\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer@1\.0-service u:object_r:hal_graphics_composer_default_exec:s0
diff --git a/legacy/vendor/common/file_contexts b/legacy/vendor/common/file_contexts
index 1d86294e..f2a21c40 100644
--- a/legacy/vendor/common/file_contexts
+++ b/legacy/vendor/common/file_contexts
@@ -271,6 +271,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[2-4]-service-lazy.clearkey u:object_r:hal_drm_clearkey_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[1-4]-service.widevine u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[2-4]-service-lazy.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_qti_exec:s0
diff --git a/legacy/vendor/common/service_contexts b/legacy/vendor/common/service_contexts
index f3dc5ffc..9848e3b7 100644
--- a/legacy/vendor/common/service_contexts
+++ b/legacy/vendor/common/service_contexts
@@ -42,4 +42,6 @@ dts_eagle_service u:object_r:dtseagleservice_servic
 com.qualcomm.qti.secota.service.SecotaNService u:object_r:secotad_service:s0
 com.qualcomm.qti.seemp.health u:object_r:seemp_health_daemon_service:s0
 com.qualcomm.qti.uceservice u:object_r:imsrcs_service:s0
+#Refer to b/236750094
+android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
 vendor.qti.hardware.wifi.supplicant.ISupplicantVendor/default u:object_r:hal_wifi_supplicant_service:s0
From a14482b2b1d4e620ea60839565d3176697fa16b8 Mon Sep 17 00:00:00 2001
From: Prabhat Roy
Date: Tue, 31 Oct 2023 11:24:34 +0530
Subject: [PATCH 07/13] sepolicy: Add file context for Widevine DRM
Set context for widevine services android.hardware.drm-service-widevine android.hardware.drm-service-lazy.widevine
validation: xts test case: passes all the xts test case
Change-Id: I568149e2c91f86a72007fb5b04f5597f133eea64
---
 generic/vendor/common/file_contexts | 2 ++
 legacy/vendor/common/file_contexts | 2 ++
 legacy/vendor/common/service_contexts | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/generic/vendor/common/file_contexts b/generic/vendor/common/file_contexts
index 85473b26..7c10df01 100644
--- a/generic/vendor/common/file_contexts
+++ b/generic/vendor/common/file_contexts
@@ -181,6 +181,8 @@
 /vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[2-9]+-service-lazy.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service-lazy\.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator@1\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer@1\.0-service u:object_r:hal_graphics_composer_default_exec:s0
diff --git a/legacy/vendor/common/file_contexts b/legacy/vendor/common/file_contexts
index 1d86294e..f2a21c40 100644
--- a/legacy/vendor/common/file_contexts
+++ b/legacy/vendor/common/file_contexts
@@ -271,6 +271,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[2-4]-service-lazy.clearkey u:object_r:hal_drm_clearkey_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[1-4]-service.widevine u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[2-4]-service-lazy.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_qti_exec:s0
diff --git a/legacy/vendor/common/service_contexts b/legacy/vendor/common/service_contexts
index f3dc5ffc..9848e3b7 100644
--- a/legacy/vendor/common/service_contexts
+++ b/legacy/vendor/common/service_contexts
@@ -42,4 +42,6 @@ dts_eagle_service u:object_r:dtseagleservice_servic
 com.qualcomm.qti.secota.service.SecotaNService u:object_r:secotad_service:s0
 com.qualcomm.qti.seemp.health u:object_r:seemp_health_daemon_service:s0
 com.qualcomm.qti.uceservice u:object_r:imsrcs_service:s0
+#Refer to b/236750094
+android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
 vendor.qti.hardware.wifi.supplicant.ISupplicantVendor/default u:object_r:hal_wifi_supplicant_service:s0
From 1750c0806f2568dbec8fa1ef6f0dd87b254e41bf Mon Sep 17 00:00:00 2001
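Review bot: Patch 07 is the same diff as patch 06: identical Change-Id `I568149e2c91f86a72007fb5b04f5597f133eea64`, identical pre/post blob ids (`85473b26..7c10df01`, `1d86294e..f2a21c40`, `f3dc5ffc..9848e3b7`) and identical hunks, so once 06 is applied this one no longer matches its pre-image and `git am` will stop on it. Keep one of the two; 07 carries the fuller description. Separately, the service_contexts comment `#Refer to b/236750094` points at a tracker readers of this tree may not have, so a one-line reason for labelling the AIDL widevine factory `hal_drm_service` would stand on its own, e.g. `# AIDL widevine factory registers under the same hal_drm_service label as the HIDL service`.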
From: Nilesh Gharde
Date: Tue, 7 Nov 2023 22:46:38 -0800
Subject: [PATCH 08/13] Avc denials on sdm660 from location, hal_gnss_qti
Change-Id: I3ac6a4d5db46cce66eecd70531a180e21177d979
CRs-fixed: 3661430
---
 legacy/vendor/sdm660/hal_gnss_qti.te | 9 +++++++++
 legacy/vendor/sdm660/location.te | 7 +++++++
 legacy/vendor/sdm660/location_app.te | 5 +++++
 3 files changed, 21 insertions(+)
 create mode 100644 legacy/vendor/sdm660/hal_gnss_qti.te
 create mode 100644 legacy/vendor/sdm660/location.te
diff --git a/legacy/vendor/sdm660/hal_gnss_qti.te b/legacy/vendor/sdm660/hal_gnss_qti.te
new file mode 100644
index 00000000..6cdc4b84
--- /dev/null
+++ b/legacy/vendor/sdm660/hal_gnss_qti.te
@@ -0,0 +1,9 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
+
+#Allow Gnss HAL to access ril socket
+allow hal_gnss_qti vendor_rild_socket:dir search;
+allow hal_gnss_qti vendor_rild_socket:sock_file write;
+unix_socket_connect(hal_gnss_qti, rild, rild)
diff --git a/legacy/vendor/sdm660/location.te b/legacy/vendor/sdm660/location.te
new file mode 100644
index 00000000..077b1657
--- /dev/null
+++ b/legacy/vendor/sdm660/location.te
@@ -0,0 +1,7 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
+
+# allows location to access ssgtzd socket
+allow location ssgtzd_socket:sock_file write;
diff --git a/legacy/vendor/sdm660/location_app.te b/legacy/vendor/sdm660/location_app.te
index 0d0273bb..6bf6da9f 100644
--- a/legacy/vendor/sdm660/location_app.te
+++ b/legacy/vendor/sdm660/location_app.te
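Review bot: `allow hal_gnss_qti vendor_rild_socket:sock_file write;` and `unix_socket_connect(hal_gnss_qti, rild, rild)` grant write on two different socket-file types — the explicit rule on `vendor_rild_socket` (the /dev/socket/qcrild label from patch 09) and, through the macro's second argument, on `rild_socket`. The generic counterpart in patch 02 passes `vendor_rild` to the macro and needs no separate sock_file rule; unless the HAL really connects to both socket types, `unix_socket_connect(hal_gnss_qti, vendor_rild, rild)` would replace both lines and keep the two trees consistent. The message does not say which type the denial named, so check the avc log before trimming.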
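Review bot: `allow location ssgtzd_socket:sock_file write;` covers only the socket file; connecting to a stream socket also needs `unix_stream_socket connectto` on the serving domain, which this file does not grant and which the generic counterpart in patch 01 obtains through `unix_socket_connect`. If nothing else in the legacy tree grants connectto, the connect will still be denied after this lands; `unix_socket_connect(location, ssgtzd, ssgtzd)` would mirror patch 01, with the domain name adjusted to whatever the legacy ssgtzd domain is called.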
@@ -24,5 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 allow vendor_location_app sysfs_kgsl_gpu_model:file r_file_perms;
+dontaudit vendor_location_app default_android_service:service_manager {find};
From 460350924051133f27ca35867e62c974c5d85281 Mon Sep 17 00:00:00 2001
From: Kamesh Relangi
Date: Wed, 15 Nov 2023 10:58:00 +0530
Subject: [PATCH 09/13] SE Policy change to fix avc denial for qcrild socket
Change-Id: I1c2f3378d974a07496590a3dbd1b20323dbbba16
---
 legacy/vendor/common/file.te | 7 +++++++
 legacy/vendor/common/file_contexts | 6 +++++-
 legacy/vendor/sdm660/rild.te | 8 ++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 legacy/vendor/sdm660/rild.te
diff --git a/legacy/vendor/common/file.te b/legacy/vendor/common/file.te
index 23b8f122..17c52302 100644
--- a/legacy/vendor/common/file.te
+++ b/legacy/vendor/common/file.te
@@ -24,6 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 # Default type for anything under /firmware.
 type firmware_file, file_type, contextmount_type, vendor_file_type;
@@ -419,3 +423,6 @@ type vendor_sysfs_kgsl_gpuclk, sysfs_type, fs_type;
 #slub-debug
 type sysfs_slab_zshandle_storeuser, fs_type, sysfs_type;
 type sysfs_slab_zspage_storeuser, fs_type, sysfs_type;
+
+#ril socket
+type vendor_rild_socket, file_type;
diff --git a/legacy/vendor/common/file_contexts b/legacy/vendor/common/file_contexts
index 1d86294e..26c39849 100644
--- a/legacy/vendor/common/file_contexts
+++ b/legacy/vendor/common/file_contexts
@@ -24,7 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 ###################################
 # Dev nodes
 #
@@ -151,6 +154,7 @@
 /dev/socket/rild3 u:object_r:rild_socket:s0
 /dev/socket/rild3-debug u:object_r:rild_debug_socket:s0
 /dev/socket/rild-debug3 u:object_r:rild_debug_socket:s0
+/dev/socket/qcrild(/.*)? u:object_r:vendor_rild_socket:s0
 /dev/socket/msm_irqbalance u:object_r:vendor_msm_irqbalance_socket:s0
 /dev/socket/mlid u:object_r:mlid_socket:s0
 /dev/socket/ssgqmig u:object_r:ssgqmig_socket:s0
diff --git a/legacy/vendor/sdm660/rild.te b/legacy/vendor/sdm660/rild.te
new file mode 100644
index 00000000..5facef33
--- /dev/null
+++ b/legacy/vendor/sdm660/rild.te
@@ -0,0 +1,8 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# rild.te - sepolicy rules for legacy ril module
+
+# allows rild to create rild0 and rild1 sockets
+allow rild vendor_rild_socket:dir w_dir_perms;
+allow rild vendor_rild_socket:sock_file create_file_perms;
From adc7e8bb6b318f808e17a31d5ea11ec9d57c8d72 Mon Sep 17 00:00:00 2001
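Review bot: The `index 1d86294e..26c39849` line on legacy/vendor/common/file_contexts carries the same pre-image blob as patches 06/07 (`1d86294e..f2a21c40`), so this patch was generated from a tree that does not contain them; the hunks touch different regions and will probably apply with an offset, but the series should be regenerated on top of 06 so the blob ids chain and a three-way apply has a matching base. Within the first hunk the removed blank line (`-`) leaves the new SPDX line abutting the `###…` banner, which the other license-header hunks in this series (patch 08, this patch's file.te, patch 13) keep; dropping that `-` line preserves the separator.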
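Review bot: The type `vendor_rild_socket` and the `/dev/socket/qcrild(/.*)?` context are added under legacy/vendor/common, but the only domain allowed to create files there is `rild` in the sdm660-specific legacy/vendor/sdm660/rild.te. Every other target built from the legacy common policy will label /dev/socket/qcrild with the new type while its rild holds no `w_dir_perms`/`create_file_perms` on it — either intentional (only sdm660's rild serves qcrild) or a denial waiting to happen on those targets. A comment in rild.te stating which is the case would settle it, e.g. `# only sdm660's rild serves /dev/socket/qcrild; other legacy targets label the dir but never create in it`.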
From: Neelu Maheshwari
Date: Wed, 6 Sep 2023 01:31:27 +0530
Subject: [PATCH 10/13] Sepolicy : dontaudit to vendor.hw.fm.init property
Change-Id: I0abc011871328bb269767ceffe9b6ddb2cf9b185
---
 legacy/vendor/common/vendor_init.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/legacy/vendor/common/vendor_init.te b/legacy/vendor/common/vendor_init.te
index efdcfdaa..1f8b8dc6 100644
--- a/legacy/vendor/common/vendor_init.te
+++ b/legacy/vendor/common/vendor_init.te
@@ -125,3 +125,4 @@ userdebug_or_eng(`
 allow vendor_init tee_device:chr_file getattr;
 allow vendor_init block_device:lnk_file setattr;
+dontaudit vendor_init vendor_fm_prop:property_service set;
From 4c6d84fd65e38e562568251fcd8c807147b770a1 Mon Sep 17 00:00:00 2001
From: Sanghoon Shin
Date: Thu, 17 Sep 2020 00:14:38 -0700
Subject: [PATCH 11/13] sepolicy:qcc : switch to platform app
Change-Id: I661fef3af7d0a9518f67e14f2787999f268485e0
---
 generic/private/qcc_app.te | 11 ++++++-----
 qva/private/file.te | 2 +-
 qva/private/seapp_contexts | 2 +-
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/generic/private/qcc_app.te b/generic/private/qcc_app.te
index b1674dda..ffab64d1 100644
--- a/generic/private/qcc_app.te
+++ b/generic/private/qcc_app.te
@@ -25,12 +25,13 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-typeattribute vendor_qcc_app mlstrustedsubject;
 app_domain(vendor_qcc_app)
 net_domain(vendor_qcc_app)
 binder_use(vendor_qcc_app)
+hal_client_domain(vendor_qcc_app, vendor_qccsyshal);
+
 allow vendor_qcc_app radio_service:service_manager find;
 # for vendor_perf_service
 allow vendor_qcc_app app_api_service:service_manager find;
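Review bot: `dontaudit vendor_init vendor_fm_prop:property_service set;` makes the setprop that triggers the denial fail silently instead of being logged, so if an init.rc line still sets the FM property it now fails with no trace; if vendor_init is meant to set it, `set_prop(vendor_init, vendor_fm_prop)` is the fix, and if not, the init.rc line should go and the dontaudit with it. The hunk header names userdebug_or_eng( as the nearest enclosing block and the context lines may sit inside it (indentation is not recoverable here); if they do, the rule would apply to debug builds only, so confirm it lands at file scope. That block's start and end are outside the hunk.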
@@ -44,10 +45,10 @@ unix_socket_connect(vendor_qcc_app, vendor_dpmtcm, vendor_dpmd)
 # allow access to mediadrmserver for qdmastats/wvstats
 allow vendor_qcc_app mediadrmserver_service:service_manager find;
-# allow vendor_qcc_app to access system_app_data_file
-# necessary for read and write /data/user_de/0/com.---.qti.qdma subdirectory.
-allow vendor_qcc_app system_app_data_file:dir create_dir_perms;
-allow vendor_qcc_app system_app_data_file:file create_file_perms;
+# allow vendor_qcc_app to access app_data_file
+# necessary for read and write /data/user_de/0/ subdirectory.
+allow vendor_qcc_app app_data_file:dir create_dir_perms;
+allow vendor_qcc_app app_data_file:file create_file_perms;
 # allow cgroup access
 allow vendor_qcc_app cgroup:file rw_file_perms;
diff --git a/qva/private/file.te b/qva/private/file.te
index fb8f9a67..9ed43ca0 100644
--- a/qva/private/file.te
+++ b/qva/private/file.te
@@ -34,5 +34,5 @@ type vendor_qvrd_controller_socket, file_type, coredomain_socket;
 type vendor_qvrd_hvx_socket, file_type, coredomain_socket;
 type vendor_sys_sxrd_data_file, file_type, data_file_type, core_data_file_type;
 type vendor_sys_sxrd_socket, file_type, mlstrustedobject, coredomain_socket;
-type vendor_qcc_data_file, file_type, data_file_type, core_data_file_type;
+type vendor_qcc_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type vendor_qcc_app_socket, file_type, mlstrustedobject, coredomain_socket;
diff --git a/qva/private/seapp_contexts b/qva/private/seapp_contexts
index 19d2ca0d..7245b43c 100644
--- a/qva/private/seapp_contexts
+++ b/qva/private/seapp_contexts
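Review bot: `allow vendor_qcc_app app_data_file:dir create_dir_perms;` and the matching `:file` line are presumably redundant: the domain is declared with `app_domain(vendor_qcc_app)` in the hunk above, and the appdomain attribute normally already carries create/read/write on the app's own `app_data_file` (the per-app MLS categories from `levelFrom=all` are what keep it off other apps' data). If that holds here they can be dropped; if they are kept, the new comment `# necessary for read and write /data/user_de/0/ subdirectory.` is vaguer than the one it replaces, which named the package directory — `# com.qti.qcc's own /data/user_de/0/com.qti.qcc directory` says what is meant.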
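Review bot: Adding `mlstrustedobject` to `vendor_qcc_data_file` exempts every access to /data/misc/qcc and /data/misc/qdma from MLS category checks, not only the app's: any domain that already holds type rules on vendor_qcc_data_file can now reach it from any level. It is what lets com.qti.qcc, now `levelFrom=all` and no longer `mlstrustedsubject`, reach the s0 directory, but the hunk carries no comment saying so; suggest `# mlstrustedobject: com.qti.qcc runs with per-app categories (levelFrom=all) yet must reach this s0 data` and a check that only vendor_qcc_app and vendor_qccsyshal_qti hold rules on the type.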
@@ -31,7 +31,7 @@ user=_app seinfo=platform name=com.qualcomm.location isPrivApp=true domain=vendo
 user=_app seinfo=platform name=com.qualcomm.qti.ssmeditor domain=vendor_qconfig_app type=app_data_file levelfrom=all
 #Add new domain for QCC
-user=system seinfo=platform name=com.qti.qcc isPrivApp=true domain=vendor_qcc_app type=system_app_data_file
+user=_app seinfo=platform name=com.qti.qcc domain=vendor_qcc_app type=app_data_file levelFrom=all
 #Add new domain for QCCLMTP
 user=system seinfo=platform name=com.qualcomm.qti.qcclmtp isPrivApp=true domain=vendor_qcc_lmtp_app type=system_app_data_file
 #Add new domain for QCC-Utils
From 2145757135020fab2870d98fcb7294a88991a086 Mon Sep 17 00:00:00 2001
From: Sanghoon Shin
Date: Tue, 17 May 2022 14:35:34 -0700
Subject: [PATCH 12/13] sepolicy:qcc: add qcc path to dropbox
allow both "qcc" and "qdma" in preparation to transition to "qcc" to avoid use "qdma" word in implementation
Change-Id: I608f8ecc14e56f3b17823c759c7064f09601f594
---
 qva/private/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qva/private/file_contexts b/qva/private/file_contexts
index 918834a5..650acafa 100644
--- a/qva/private/file_contexts
+++ b/qva/private/file_contexts
@@ -38,7 +38,7 @@
 /dev/socket/qvrservice_camera u:object_r:vendor_qvrd_socket:s0
 /dev/socket/qvrservice_hvx_camera u:object_r:vendor_qvrd_hvx_socket:s0
 /dev/socket/sxrservice u:object_r:vendor_sys_sxrd_socket:s0
-/dev/socket/qdma_app(/.*)? u:object_r:vendor_qcc_app_socket:s0
+/dev/socket/(qcc_app|qdma_app)(/.*)? u:object_r:vendor_qcc_app_socket:s0
 ####### system file ###############
 /system/bin/seempd u:object_r:vendor_seempd_exec:s0
From 8569f71b88fafd7061f120677e0bf446e4fc5ce1 Mon Sep 17 00:00:00 2001
From: Neelu Maheshwari
Date: Mon, 20 Nov 2023 20:57:31 +0530
Subject: [PATCH 13/13] sepolicy : Allow apps to have read access to vendor_display_prop
Change-Id: Ib2793107a54fa1a2df60ac872645277a9a0b2415
---
 legacy/vendor/common/app.te | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/legacy/vendor/common/app.te b/legacy/vendor/common/app.te
index 684da80e..b6422387 100644
--- a/legacy/vendor/common/app.te
+++ b/legacy/vendor/common/app.te
@@ -24,6 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 #Allow all apps to open and send ioctl to qdsp device
 allow appdomain qdsp_device:chr_file r_file_perms;
@@ -39,3 +43,6 @@ allow appdomain qti_logkit_pub_socket:dir r_dir_perms;
 # Allow all apps to open and send ioctl to npu device
 allow appdomain npu_device:chr_file r_file_perms;
+
+#Allow all apps to have read access to vendor_display_prop
+get_prop(appdomain, vendor_display_prop)
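Review bot: `get_prop(appdomain, vendor_display_prop)` lets every app domain — untrusted, isolated and ephemeral apps included — read whatever properties carry the vendor_display_prop label, while the message only says "apps" need it. Values readable by all apps become part of the app-visible surface of the device (and fingerprinting material if any of them encode panel or unit specifics), so either narrow the grant to the domains that need it or state in the comment which properties sit under this label and why exposing them is acceptable, e.g. `# all apps may read vendor.display.* (panel capability flags only; no identifiers)`, adjusted to the real contents. If vendor_display_prop is declared through `vendor_internal_prop`, the platform neverallow that keeps coredomain off vendor-internal properties would reject this at policy build and the type would need to be a public/restricted vendor property instead; the declaration is outside this diff.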