Merge tag 'LA.UM.12.2.1.r1-02500-sdm660.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy into lineage-21.0-legacy-um

"LA.UM.12.2.1.r1-02500-sdm660.0"

* tag 'LA.UM.12.2.1.r1-02500-sdm660.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy:
  sepolicy : Allow apps to have read access to vendor_display_prop
  sepolicy:qcc: add qcc path to dropbox
  sepolicy:qcc : switch to platform app
  Sepolicy : dontaudit to vendor.hw.fm.init property
  SE Policy change to fix avc denial for qcrild socket
  Avc denials on sdm660 from location, hal_gnss_qti
  sepolicy: Add file context for Widevine DRM
  sepolicy: Add file context for DRM
  sepolicy: Fix qcc avc denial issue
  sepolicy:donotaudit for com.qualcomm.location
  Sepolicy rules to allow Gnss Hal to access ssgtz
  sepolicy rules to allow Gnss Hal to access RIL Srv
  Allow vendor_location_xtwifi_client to access ssgtzd socket

 Conflicts:
	generic/vendor/common/file_contexts
	legacy/vendor/common/vendor_init.te

Change-Id: Ibcd6a15e0ee9ab5bee6da5bafb41702e67549e30

generic/private/qcc_app.te

@@ -25,12 +25,13 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-typeattribute vendor_qcc_app mlstrustedsubject;
 
 app_domain(vendor_qcc_app)
 net_domain(vendor_qcc_app)
 binder_use(vendor_qcc_app)
 
+hal_client_domain(vendor_qcc_app, vendor_qccsyshal);
+
 allow vendor_qcc_app radio_service:service_manager find;
 # for vendor_perf_service
 allow vendor_qcc_app app_api_service:service_manager find;
@@ -44,10 +45,10 @@ unix_socket_connect(vendor_qcc_app, vendor_dpmtcm, vendor_dpmd)
 # allow access to mediadrmserver for qdmastats/wvstats
 allow vendor_qcc_app mediadrmserver_service:service_manager find;
 
-# allow vendor_qcc_app to access system_app_data_file
-# necessary for read and write /data/user_de/0/com.---.qti.qdma subdirectory.
-allow vendor_qcc_app system_app_data_file:dir create_dir_perms;
-allow vendor_qcc_app system_app_data_file:file create_file_perms;
+# allow vendor_qcc_app to access app_data_file
+# necessary for read and write /data/user_de/0/ subdirectory.
+allow vendor_qcc_app app_data_file:dir create_dir_perms;
+allow vendor_qcc_app app_data_file:file create_file_perms;
 
 # allow cgroup access
 allow vendor_qcc_app cgroup:file rw_file_perms;

legacy/vendor/common/app.te

@@ -24,6 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 
 #Allow all apps to open and send ioctl to qdsp device
 allow appdomain qdsp_device:chr_file r_file_perms;
@@ -39,3 +43,6 @@ allow appdomain qti_logkit_pub_socket:dir r_dir_perms;
 
 # Allow all apps to open and send ioctl to npu device
 allow appdomain npu_device:chr_file r_file_perms;
+
+#Allow all apps to have read access to vendor_display_prop
+get_prop(appdomain, vendor_display_prop)

legacy/vendor/common/file.te

@@ -24,6 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 
 # Default type for anything under /firmware.
 type firmware_file,  file_type, contextmount_type, vendor_file_type;
@@ -415,3 +419,6 @@ type vendor_sysfs_kgsl_gpuclk, sysfs_type, fs_type;
 #slub-debug
 type sysfs_slab_zshandle_storeuser, fs_type, sysfs_type;
 type sysfs_slab_zspage_storeuser, fs_type, sysfs_type;
+
+#ril socket
+type vendor_rild_socket, file_type;

legacy/vendor/common/file_contexts

@@ -24,7 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 ###################################
 # Dev nodes
 #
@@ -151,6 +154,7 @@
 /dev/socket/rild3                               u:object_r:rild_socket:s0
 /dev/socket/rild3-debug                         u:object_r:rild_debug_socket:s0
 /dev/socket/rild-debug3                         u:object_r:rild_debug_socket:s0
+/dev/socket/qcrild(/.*)?                        u:object_r:vendor_rild_socket:s0
 /dev/socket/msm_irqbalance                      u:object_r:vendor_msm_irqbalance_socket:s0
 /dev/socket/mlid                                u:object_r:mlid_socket:s0
 /dev/socket/ssgqmig                             u:object_r:ssgqmig_socket:s0
@@ -271,6 +275,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[2-4]-service-lazy.clearkey    u:object_r:hal_drm_clearkey_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[1-4]-service.widevine   u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.[2-4]-service-lazy.widevine    u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.widevine          u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service-lazy\.widevine  u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti  u:object_r:hal_bluetooth_qti_exec:s0

legacy/vendor/common/location_app.te

@@ -55,3 +55,4 @@ allowxperm vendor_location_app self:socket ioctl msm_sock_ipc_ioctls;
 allow vendor_location_app self:qipcrtr_socket create_socket_perms_no_ioctl;
 allow vendor_location_app sysfs_data:file r_file_perms;
 unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)
+dontaudit vendor_location_app default_prop:file {read};

legacy/vendor/common/service_contexts

@@ -42,4 +42,6 @@ dts_eagle_service                              u:object_r:dtseagleservice_servic
 com.qualcomm.qti.secota.service.SecotaNService u:object_r:secotad_service:s0
 com.qualcomm.qti.seemp.health                  u:object_r:seemp_health_daemon_service:s0
 com.qualcomm.qti.uceservice                    u:object_r:imsrcs_service:s0
+#Refer to b/236750094
+android.hardware.drm.IDrmFactory/widevine                             u:object_r:hal_drm_service:s0
 vendor.qti.hardware.wifi.supplicant.ISupplicantVendor/default         u:object_r:hal_wifi_supplicant_service:s0

legacy/vendor/common/vendor_init.te

@@ -125,5 +125,6 @@ userdebug_or_eng(`
 
 allow vendor_init tee_device:chr_file getattr;
 allow vendor_init block_device:lnk_file setattr;
+dontaudit vendor_init vendor_fm_prop:property_service set;
 
 set_prop(vendor_init, vendor_time_service_prop)

legacy/vendor/sdm660/hal_gnss_qti.te

@@ -0,0 +1,9 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
+
+#Allow Gnss HAL to access ril socket
+allow hal_gnss_qti vendor_rild_socket:dir search;
+allow hal_gnss_qti vendor_rild_socket:sock_file write;
+unix_socket_connect(hal_gnss_qti, rild, rild)

legacy/vendor/sdm660/location.te

@@ -0,0 +1,7 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
+
+# allows location to access ssgtzd socket
+allow location ssgtzd_socket:sock_file write;

legacy/vendor/sdm660/location_app.te

@@ -24,5 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 
 allow vendor_location_app sysfs_kgsl_gpu_model:file r_file_perms;
+dontaudit vendor_location_app default_android_service:service_manager {find};

legacy/vendor/sdm660/rild.te

@@ -0,0 +1,8 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# rild.te - sepolicy rules for legacy ril module
+
+# allows rild to create rild0 and rild1 sockets
+allow rild vendor_rild_socket:dir w_dir_perms;
+allow rild vendor_rild_socket:sock_file create_file_perms;

qva/private/file.te

@@ -34,5 +34,5 @@ type vendor_qvrd_controller_socket, file_type, coredomain_socket;
 type vendor_qvrd_hvx_socket, file_type, coredomain_socket;
 type vendor_sys_sxrd_data_file, file_type, data_file_type, core_data_file_type;
 type vendor_sys_sxrd_socket, file_type, mlstrustedobject, coredomain_socket;
-type vendor_qcc_data_file, file_type, data_file_type, core_data_file_type;
+type vendor_qcc_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type vendor_qcc_app_socket, file_type, mlstrustedobject, coredomain_socket;

qva/private/file_contexts

@@ -38,7 +38,7 @@
 /dev/socket/qvrservice_camera                   u:object_r:vendor_qvrd_socket:s0
 /dev/socket/qvrservice_hvx_camera               u:object_r:vendor_qvrd_hvx_socket:s0
 /dev/socket/sxrservice                          u:object_r:vendor_sys_sxrd_socket:s0
-/dev/socket/qdma_app(/.*)?                      u:object_r:vendor_qcc_app_socket:s0
+/dev/socket/(qcc_app|qdma_app)(/.*)?            u:object_r:vendor_qcc_app_socket:s0
 
 ####### system file ###############
 /system/bin/seempd                              u:object_r:vendor_seempd_exec:s0
@@ -65,4 +65,4 @@
 /data/misc/qvr(/.*)?                            u:object_r:vendor_qvrd_data_file:s0
 /data/misc/sxr(/.*)?                            u:object_r:vendor_sys_sxrd_data_file:s0
 /data/nfc(/.*)?                                 u:object_r:nfc_data_file:s0
-/data/misc/qdma(/.*)?                           u:object_r:vendor_qcc_data_file:s0
+/data/misc/(qcc|qdma)(/.*)?                           u:object_r:vendor_qcc_data_file:s0

qva/private/seapp_contexts

@@ -31,7 +31,7 @@ user=_app seinfo=platform name=com.qualcomm.location isPrivApp=true domain=vendo
 user=_app seinfo=platform name=com.qualcomm.qti.ssmeditor domain=vendor_qconfig_app type=app_data_file levelfrom=all
 
 #Add new domain for QCC
-user=system seinfo=platform name=com.qti.qcc isPrivApp=true domain=vendor_qcc_app type=system_app_data_file
+user=_app seinfo=platform name=com.qti.qcc domain=vendor_qcc_app type=app_data_file levelFrom=all
 #Add new domain for QCCLMTP
 user=system seinfo=platform name=com.qualcomm.qti.qcclmtp isPrivApp=true domain=vendor_qcc_lmtp_app type=system_app_data_file
 #Add new domain for QCC-Utils