From 3089da6c1006f19ce204d144d54c246fed4329be Mon Sep 17 00:00:00 2001 From: Manu Prasad Date: Fri, 8 Mar 2019 18:03:01 +0530 Subject: [PATCH] sepolicy: Change policy for wfd on legacy targets WFD requires revision in its SEAndroid policies due to an OS upgrade and design re-architecture to conform to system-wide mandates. Change-Id: I5a9adc280cefab73d8c467379b74951fc3a88e71 --- legacy/vendor/common/hwservice_contexts | 3 + legacy/vendor/common/mediacodec.te | 2 +- legacy/vendor/common/wfdservice.te | 32 +--------- legacy/vendor/common/wifidisplayhalservice.te | 62 +++++++++++++++---- legacy/vendor/test/property.te | 30 +++++++++ legacy/vendor/test/property_contexts | 32 ++++++++++ 6 files changed, 118 insertions(+), 43 deletions(-) create mode 100644 legacy/vendor/test/property.te create mode 100644 legacy/vendor/test/property_contexts diff --git a/legacy/vendor/common/hwservice_contexts b/legacy/vendor/common/hwservice_contexts index 207eff90..d6827038 100644 --- a/legacy/vendor/common/hwservice_contexts +++ b/legacy/vendor/common/hwservice_contexts @@ -94,3 +94,6 @@ vendor.qti.hardware.mlshal::IMlsVnc u:object_r:hal_mirr vendor.qti.hardware.mlshal::IMlsIon u:object_r:hal_mirrorlink_hwservice:s0 vendor.qti.hardware.wifi.wifilearner::IWifiStats u:object_r:hal_wifilearner_hwservice:s0 vendor.qti.hardware.fm::IFmHci u:object_r:hal_fm_hwservice:s0 +vendor.qti.hardware.wifidisplaysession::IWifiDisplaySession u:object_r:wifidisplayhalservice_hwservice:s0 +vendor.qti.hardware.wifidisplaysession::IWifiDisplaySessionVideoTrack u:object_r:wifidisplayhalservice_hwservice:s0 +vendor.qti.hardware.wifidisplaysession::IWifiDisplaySessionAudioTrack u:object_r:wifidisplayhalservice_hwservice:s0 diff --git a/legacy/vendor/common/mediacodec.te b/legacy/vendor/common/mediacodec.te index fbc67a35..23193882 100644 --- a/legacy/vendor/common/mediacodec.te +++ b/legacy/vendor/common/mediacodec.te @@ -38,7 +38,7 @@ allow mediacodec xdsp_device:chr_file r_file_perms; #Allow mediacodec to access service manager wfdnativemm_service allow mediacodec wfdnativemm_service:service_manager find; -hal_client_domain(mediacodec, wifidisplayhalservice) +binder_call(mediacodec, wifidisplayhalservice_qti); #Allow mediacodec to access vendor_media_data_file files allow mediacodec vendor_media_data_file:dir create_dir_perms; diff --git a/legacy/vendor/common/wfdservice.te b/legacy/vendor/common/wfdservice.te index 7b5714d3..6768e864 100644 --- a/legacy/vendor/common/wfdservice.te +++ b/legacy/vendor/common/wfdservice.te @@ -1,4 +1,4 @@ -# Copyright (c) 2019, The Linux Foundation. All rights reserved. +# Copyright (c) 2019 The Linux Foundation. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are @@ -25,34 +25,4 @@ # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#allow access to sysfs to know HDMI repeater state -allow wfdservice sysfs_graphics:file rw_file_perms; -allow wfdservice sysfs_graphics:dir r_dir_perms; - -#Allow hardware binder use -hwbinder_use(wfdservice) -get_prop(wfdservice, hwservicemanager_prop) - -#Allow hal graphics mapper permissions -hal_client_domain(wfdservice, hal_graphics_composer); - -#Allow hal graphics allocator permissions -hal_client_domain(wfdservice, hal_graphics_allocator); - hal_client_domain(wfdservice, wifidisplayhalservice); - -#Denial seen - SELinux : avc: denied { find } for interface=com.qualcomm.qti.wifidisplayhal::IHDCPSession -#pid=3530 scontext=u:r:wfdservice:s0 tcontext=u:object_r:wifidisplayhalservice_hwservice:s0 tclass=hwservice_manager -allow wfdservice wifidisplayhalservice_hwservice:hwservice_manager find; - -#Allow for property access -userdebug_or_eng(` -get_prop(wfdservice, wfd_debug_prop) -') -get_prop(wfdservice, vendor_gralloc_prop) - -# Add the rule for wfd to access /proc/asound/pcm file -r_dir_file(wfdservice, proc_asound) - -# Add the rule for wfd to access /proc/asound/card0/state file -r_dir_file(wfdservice, proc_audiod) diff --git a/legacy/vendor/common/wifidisplayhalservice.te b/legacy/vendor/common/wifidisplayhalservice.te index 8360d2da..56d29dca 100644 --- a/legacy/vendor/common/wifidisplayhalservice.te +++ b/legacy/vendor/common/wifidisplayhalservice.te @@ -1,4 +1,4 @@ -# Copyright (c) 2017, The Linux Foundation. All rights reserved. +# Copyright (c) 2017,2019 The Linux Foundation. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are @@ -28,32 +28,72 @@ #Define Domain type wifidisplayhalservice_qti, domain; type wifidisplayhalservice_qti_exec, exec_type, vendor_file_type, file_type; -net_domain(wifidisplayhalservice_qti) - -hal_server_domain_bypass(wifidisplayhalservice_qti,wifidisplayhalservice) #Allow for transition from init domain to wifidisplayhalservice init_daemon_domain(wifidisplayhalservice_qti) +#Inherit base network permissions from netd +net_domain(wifidisplayhalservice_qti) + #Allow wifidisplayhalservice to use Vendor Binder IPC vndbinder_use(wifidisplayhalservice) +hal_server_domain_bypass(wifidisplayhalservice_qti,wifidisplayhalservice) + # Allow hwbinder call from hal client to server binder_call(wifidisplayhalservice_client, wifidisplayhalservice_server) binder_call(wifidisplayhalservice_server, wifidisplayhalservice_client) # Add hwservice related rules -add_hwservice(wifidisplayhalservice_server, wifidisplayhalservice_hwservice) +hal_attribute_hwservice(wifidisplayhalservice, wifidisplayhalservice_hwservice) #Direct streaming native service -add_service(wifidisplayhalservice, wfdnativemm_service) +add_service(wifidisplayhalservice_qti, wfdnativemm_service) #Allow access to firmware files for HDCP session -r_dir_file(wifidisplayhalservice, vendor_firmware_file) -r_dir_file(wifidisplayhalservice, firmware_file) +r_dir_file(wifidisplayhalservice_qti, firmware_file) #Allow access to tee/ion device and tcp socket for HDCP sessions -allow wifidisplayhalservice tee_device:chr_file rw_file_perms; -allow wifidisplayhalservice ion_device:chr_file r_file_perms; +allow wifidisplayhalservice_qti tee_device:chr_file rw_file_perms; + +#Allow access to PCM sound card +allow wifidisplayhalservice_qti audio_device:chr_file rw_file_perms; +allow wifidisplayhalservice_qti audio_device:dir r_dir_perms; + +#Allow access to /dev/video/* devices for encoding/decoding +allow wifidisplayhalservice_qti video_device:chr_file rw_file_perms; + +#Allow binder call to mediacodec from wifidisplayhalservice +binder_call(wifidisplayhalservice_qti, mediacodec); + +#Allow udp socket ioctl +allow wifidisplayhalservice_qti self:udp_socket create_socket_perms; +# ioctlcmd=8bff,8912 +allowxperm wifidisplayhalservice_qti self:udp_socket ioctl priv_sock_ioctls; + +#Allow access to proc/net/arp +allow wifidisplayhalservice_qti proc_net:file r_file_perms; + +# Add the rule for wfd to access /proc/asound/pcm file +r_dir_file(wifidisplayhalservice_qti, proc_asound) + +#Allow hal graphics allocator permissions +hal_client_domain(wifidisplayhalservice_qti, hal_graphics_allocator); + +#Allow hal graphics mapper permissions +hal_client_domain(wifidisplayhalservice_qti, hal_graphics_composer); + +#Allow wifidisplayhalservice_qti to query interface name of network (p2p etc.) +allow wifidisplayhalservice_qti self:netlink_generic_socket create_socket_perms_no_ioctl; + +#Allow communication with init over property server +unix_socket_connect(wifidisplayhalservice_qti, property, init); + +#Allow ion device access +allow wifidisplayhalservice_qti ion_device:chr_file r_file_perms; + +#Allow for property access +userdebug_or_eng(` + get_prop(wifidisplayhalservice_qti,wfd_vendor_debug_prop) +') -allow wifidisplayhalservice qdisplay_service:service_manager { find }; diff --git a/legacy/vendor/test/property.te b/legacy/vendor/test/property.te new file mode 100644 index 00000000..b74c92a3 --- /dev/null +++ b/legacy/vendor/test/property.te @@ -0,0 +1,30 @@ +# Copyright (c) 2018, 2019 The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +type sensors_dbg_prop, property_type; + +#WiFi Display +type wfd_vendor_debug_prop, property_type; diff --git a/legacy/vendor/test/property_contexts b/legacy/vendor/test/property_contexts new file mode 100644 index 00000000..97ecd211 --- /dev/null +++ b/legacy/vendor/test/property_contexts @@ -0,0 +1,32 @@ +# Copyright (c) 2018, 2019 The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +persist.vendor.debug.sensors. u:object_r:sensors_dbg_prop:s0 + +#Wifi Display +persist.vendor.debug.mux. u:object_r:wfd_vendor_debug_prop:s0 +persist.vendor.debug.rtp. u:object_r:wfd_vendor_debug_prop:s0 +persist.vendor.debug.wfd. u:object_r:wfd_vendor_debug_prop:s0