From 0ca25830008f26cbda925ee5ce111fd8f83d4d1a Mon Sep 17 00:00:00 2001
From: Naseer Ahmed
Date: Mon, 2 Apr 2018 14:11:36 -0400
Subject: [PATCH] sepolicy: Changes to enable FOSS
Change-Id: I737141930a9c97748a771a62cc54a89774d5574c
---
 vendor/common/attributes | 12 +++++
 vendor/common/file.te | 1 +
 vendor/common/file_contexts | 5 ++
 vendor/common/hal_display_color.te | 51 ++++++++++++++++++++
 vendor/common/hwservice.te | 2 +
 vendor/common/hwservice_contexts | 2 +
 vendor/common/mm-pp-daemon.te | 75 ++++++++++++++++++++++++++++++
 7 files changed, 148 insertions(+)
 create mode 100644 vendor/common/hal_display_color.te
 create mode 100644 vendor/common/mm-pp-daemon.te
diff --git a/vendor/common/attributes b/vendor/common/attributes
index 27716571..d0556449 100644
--- a/vendor/common/attributes
+++ b/vendor/common/attributes
@@ -40,3 +40,15 @@ attribute hal_qdutils_disp_server;
 attribute hal_tui_comm;
 attribute hal_tui_comm_client;
 attribute hal_tui_comm_server;
+
+attribute hal_display_color;
+attribute hal_display_color_client;
+attribute hal_display_color_server;
+
+attribute hal_display_config;
+attribute hal_display_config_client;
+attribute hal_display_config_server;
+
+attribute hal_display_postproc;
+attribute hal_display_postproc_client;
+attribute hal_display_postproc_server;
diff --git a/vendor/common/file.te b/vendor/common/file.te
index fa836bbe..d1c0a84f 100644
--- a/vendor/common/file.te
+++ b/vendor/common/file.te
@@ -61,6 +61,7 @@ type cnd_socket, file_type;
 type chre_socket, file_type;
 type hal_bootctl_socket, file_type;
 type location_socket, file_type;
+type pps_socket, file_type;
 type firmware_file, fs_type, contextmount_type;
diff --git a/vendor/common/file_contexts b/vendor/common/file_contexts
index 493055d7..e319cdd2 100644
--- a/vendor/common/file_contexts
+++ b/vendor/common/file_contexts
@@ -56,6 +56,7 @@
 /dev/socket/thermal-recv-passive-client u:object_r:thermal_socket:s0
 /dev/socket/netmgr(/.*)? u:object_r:netmgrd_socket:s0
 /dev/socket/location(/.*)? u:object_r:location_socket:s0
+/dev/socket/pps u:object_r:pps_socket:s0
 /dev/nq-nci u:object_r:nfc_device:s0
 /dev/ttyHS0 u:object_r:hci_attach_dev:s0
 /dev/wlan u:object_r:wlan_device:s0
@@ -120,6 +121,8 @@
 /vendor/bin/time_daemon u:object_r:time_daemon_exec:s0
 /vendor/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0
 /vendor/bin/tloc_daemon u:object_r:tlocd_exec:s0
+/vendor/bin/mm-pp-dpps u:object_r:mm-pp-daemon_exec:s0
+
 /vendor/bin/hw/qcrild u:object_r:rild_exec:s0
 /vendor/bin/hw/android\.hardware\.drm@1\.0-service.widevine u:object_r:hal_drm_widevine_exec:s0
 /vendor/bin/hw/android\.hardware\.vibrator@1\.1-service.crosshatch u:object_r:hal_vibrator_default_exec:s0
@@ -133,6 +136,8 @@
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.tui_comm@1\.0-service-qti u:object_r:hal_tui_comm_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qdutils_disp@1\.0-service-qti u:object_r:hal_qdutils_disp_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.perf@1\.0-service u:object_r:hal_perf_default_exec:s0
+/vendor/bin/hw/vendor\.display\.color@1\.0-service u:object_r:hal_display_color_default_exec:s0
+
 ###############################################
 # same-process HAL files and their dependencies
 #
diff --git a/vendor/common/hal_display_color.te b/vendor/common/hal_display_color.te
new file mode 100644
index 00000000..d0ca140f
--- /dev/null
+++ b/vendor/common/hal_display_color.te
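Review bot: The new `vendor.display.color@1.0-service` entry in the third file_contexts hunk is anchored at `/vendor/bin/hw/` only, while the three HAL entries directly above it use `/(vendor|system/vendor)/bin/hw/`. On a build where the vendor files resolve under `/system/vendor`, the binary would presumably not receive `hal_display_color_default_exec`, so the `init_daemon_domain` transition would not happen and the service would not run confined in its own domain. Matching the neighbours would read `/(vendor|system/vendor)/bin/hw/vendor\.display\.color@1\.0-service u:object_r:hal_display_color_default_exec:s0`. The blank line added after each new entry in the second and third hunks could also be dropped to keep the table contiguous.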
@@ -0,0 +1,51 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Define domain
+type hal_display_color_default, domain;
+hal_server_domain(hal_display_color_default, hal_display_color)
+type hal_display_color_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_display_color_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_display_color_client, hal_display_color_server)
+
+# Add hwservice related rules
+add_hwservice(hal_display_color_server, hal_display_color_hwservice)
+allow hal_display_color_client hal_display_color_hwservice:hwservice_manager find;
+
+# Rule for vndbinder usage
+allow hal_display_color qdisplay_service:service_manager find;
+vndbinder_use(hal_display_color);
+binder_call(hal_display_color, hal_graphics_composer)
+
+# Rule for pps socket usage
+unix_socket_connect(hal_display_color, pps, mm-pp-daemon)
+
+#Add rules for postproc hal
+add_hwservice(hal_display_color_server, hal_display_postproc_hwservice)
+allow hal_display_postproc_client hal_display_postproc_hwservice:hwservice_manager find;
diff --git a/vendor/common/hwservice.te b/vendor/common/hwservice.te
index 6706b82e..a16f3f5b 100644
--- a/vendor/common/hwservice.te
+++ b/vendor/common/hwservice.te
@@ -7,3 +7,5 @@ type hal_hbtp_hwservice, hwservice_manager_type;
 type hal_perf_hwservice, hwservice_manager_type, untrusted_app_visible_hwservice;
 type hal_tui_comm_hwservice, hwservice_manager_type;
 type hal_qdutils_disp_hwservice, hwservice_manager_type;
+type hal_display_color_hwservice, hwservice_manager_type;
+type hal_display_postproc_hwservice, hwservice_manager_type;
diff --git a/vendor/common/hwservice_contexts b/vendor/common/hwservice_contexts
index b2d2f226..e01969c3 100644
--- a/vendor/common/hwservice_contexts
+++ b/vendor/common/hwservice_contexts
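Review bot: The rules under "Rule for vndbinder usage" and "Rule for pps socket usage" in hal_display_color.te are granted to the `hal_display_color` attribute rather than to the server side, so every domain that carries that attribute gets `find` on `qdisplay_service`, binder access to the composer and `connectto` on mm-pp-daemon's socket. Whether client domains also carry the base attribute depends on how `hal_client_domain` expands for the target, which is not visible in this patch; scoping the four rules to `hal_display_color_server` removes the question, e.g. `unix_socket_connect(hal_display_color_server, pps, mm-pp-daemon)`. The trailing `;` on `vndbinder_use(hal_display_color);` is inconsistent with the other macro calls in the file. The postproc block would also benefit from a comment such as `# The color HAL process also hosts IDisplayPostproc, so it registers that hwservice too` if that is indeed the reason the color server adds `hal_display_postproc_hwservice`.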
@@ -9,6 +9,8 @@ android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_t
 com.quicinc.cne.api::IApiService u:object_r:hal_cne_hwservice:s0
 com.quicinc.cne.server::IServer u:object_r:hal_cne_hwservice:s0
 vendor.display.config::IDisplayConfig u:object_r:hal_display_config_hwservice:s0
+vendor.display.color::IDisplayColor u:object_r:hal_display_color_hwservice:s0
+vendor.display.postproc::IDisplayPostproc u:object_r:hal_display_postproc_hwservice:s0
 vendor.qti.hardware.improvetouch.touchcompanion::ITouchCompanion u:object_r:hal_hbtp_hwservice:s0
 vendor.qti.hardware.improvetouch.gesturemanager::IGestureManager u:object_r:hal_hbtp_hwservice:s0
 vendor.qti.hardware.improvetouch.blobmanager::IBlobManager u:object_r:hal_hbtp_hwservice:s0
diff --git a/vendor/common/mm-pp-daemon.te b/vendor/common/mm-pp-daemon.te
new file mode 100644
index 00000000..3b8699b2
--- /dev/null
+++ b/vendor/common/mm-pp-daemon.te
@@ -0,0 +1,75 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type mm-pp-daemon, domain;
+type mm-pp-daemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mm-pp-daemon)
+
+#Need to use fb ioctls to communicate with kernel
+allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
+allow mm-pp-daemon graphics_device:dir r_dir_perms;
+
+# Allow reading/writing data config files
+allow mm-pp-daemon display_vendor_data_file:dir create_dir_perms;
+allow mm-pp-daemon display_vendor_data_file:file create_file_perms;
+
+# Allow read to sensor device and read/write to sensor socket
+allow mm-pp-daemon sensors_device:chr_file r_file_perms;
+allow mm-pp-daemon sensors:unix_stream_socket connectto;
+
+
+# Rule for IPC communication
+allow mm-pp-daemon qdisplay_service:service_manager find;
+vndbinder_use(mm-pp-daemon)
+hwbinder_use(mm-pp-daemon)
+hal_client_domain(mm-pp-daemon, hal_graphics_composer)
+allow mm-pp-daemon fwk_sensor_hwservice:hwservice_manager find;
+binder_call(mm-pp-daemon, system_server)
+
+# Allow mm-pp-daemon to change the brightness
+allow mm-pp-daemon sysfs_leds:dir r_dir_perms;
+allow mm-pp-daemon sysfs_leds:file rw_file_perms;
+allow mm-pp-daemon sysfs_leds:lnk_file read;
+allow mm-pp-daemon sysfs_graphics:dir r_dir_perms;
+allow mm-pp-daemon sysfs_graphics:file rw_file_perms;
+allow mm-pp-daemon sysfs_data:file r_file_perms;
+
+userdebug_or_eng(`
+set_prop(mm-pp-daemon, debug_prop)
+')
+
+# Allow socket calls in pp-daemon
+unix_socket_connect(mm-pp-daemon, pps, init)
+
+allow mm-pp-daemon init:unix_stream_socket { listen accept };
+
+# Allow connections between sensor manager and mm-pp-daemon
+#allow mm-pp-daemon system_server:unix_stream_socket rw_socket_perms;
+
+# access lcd-backlight
+r_dir_file(mm-pp-daemon, sysfs_leds)
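Review bot: `unix_socket_connect(mm-pp-daemon, pps, init)` and `allow mm-pp-daemon init:unix_stream_socket { listen accept };` tie the pps socket to the `init` label, and the macro additionally grants this daemon `connectto` on stream sockets labelled `init`, which a process that only serves the socket should not need. The client rule in hal_display_color.te targets `mm-pp-daemon:unix_stream_socket` instead, so the two files appear to disagree about which label the listening socket carries; the service's init `socket` entry is not part of this patch, so this needs confirming. If the socket is created with the daemon's own label, both init grants can be dropped; if it really carries `init`, the server side still only needs the `listen accept` rule. Separately, `r_dir_file(mm-pp-daemon, sysfs_leds)` at the end largely repeats the `sysfs_leds` rules under the brightness comment and can be removed. The commented-out `system_server:unix_stream_socket` rule should be deleted or given a note explaining why it is kept.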