sepolicy: initial sensors policy changes for common image

Change-Id: I7bc74d7b90ef39d878cd4b096713c66f818b4fe6

generic/vendor/common/hal_sensors_default.te

@@ -27,10 +27,14 @@
 # read factory calibration and sensor configuration data
 allow hal_sensors_default mnt_vendor_file:dir search;
 r_dir_file(hal_sensors_default, persist_sensors_file)
+get_prop(hal_sensors_default, sensors_prop)
 
-# interact with the sensors low power island (SLPI) CPU
-allow hal_sensors_default self:socket { create ioctl read write };
-allowxperm hal_sensors_default self:socket ioctl msm_sock_ipc_ioctls;
+# Access to tests from userdebug/eng builds
+userdebug_or_eng(`
+  diag_use(hal_sensors_default)
+  get_prop(hal_sensors_default, sensors_dbg_prop)
+  allow hal_sensors_default sysfs_timestamp_switch:file r_file_perms;
+')
 
 allow hal_sensors_default qdsp_device:chr_file r_file_perms;
 allow hal_sensors_default xdsp_device:chr_file r_file_perms;
@@ -44,8 +48,13 @@ allow hal_sensors sysfs_sensors:lnk_file read;
 allow hal_sensors_default sysfs_slpi:dir search;
 allow hal_sensors_default sysfs_slpi:file w_file_perms;
 
-
 allow hal_sensors_default persist_sensors_file:dir rw_dir_perms;
 allow hal_sensors_default persist_sensors_file:file create_file_perms;
 allow hal_sensors_default mnt_vendor_file:dir rw_dir_perms;
 allow hal_sensors_default mnt_vendor_file:file create_file_perms;
+
+#interact with the sensors low power island (SLPI) CPU
+allow hal_sensors_default self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm hal_sensors_default self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+allow hal_sensors_default system_server:fd use;

generic/vendor/common/property_contexts

@@ -37,6 +37,7 @@ ctl.vendor.ipacm           u:object_r:ipacm_prop:s0
 ctl.vendor.ipacm-diag      u:object_r:ipacm-diag_prop:s0
 ctl.vendor.dataqti         u:object_r:vendor_dataqti_prop:s0
 ctl.vendor.sensors         u:object_r:sensors_prop:s0
+persist.vendor.sensors.    u:object_r:sensors_prop:s0
 vendor.audio.              u:object_r:vendor_audio_prop:s0
 vendor.voice.              u:object_r:vendor_audio_prop:s0
 persist.vendor.audio.      u:object_r:vendor_audio_prop:s0

generic/vendor/common/sensors.te

@@ -29,6 +29,7 @@ type sensors, domain;
 type sensors_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(sensors)
+get_prop(sensors, sensors_prop)
 
 allow sensors self:capability {
     setuid
@@ -36,11 +37,16 @@ allow sensors self:capability {
     net_bind_service
 };
 
-allow sensors self:socket create_socket_perms;
-allowxperm sensors self:socket ioctl msm_sock_ipc_ioctls;
+# Access to tests from userdebug/eng builds
+userdebug_or_eng(`
+  diag_use(sensors)
+  get_prop(sensors, sensors_dbg_prop)
+')
+
+allow sensors self:{ socket qipcrtr_socket } create_socket_perms;
+# ioctlcmd=c304
+allowxperm sensors self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
 
-allow sensors persist_sensors_file:dir rw_dir_perms;
-allow sensors persist_sensors_file:file create_file_perms;
 allow sensors mnt_vendor_file:dir r_dir_perms;
 
 allow sensors sensors_vendor_data_file:dir create_dir_perms;
@@ -59,3 +65,8 @@ allow sensors xdsp_device:chr_file r_file_perms;
 
 # For reading dir/files on /dsp
 r_dir_file(sensors, adsprpcd_file)
+
+allow sensors persist_sensors_file:fifo_file create_file_perms;
+# Access to /persist/sensors
+allow sensors persist_sensors_file:dir create_dir_perms;
+allow sensors persist_sensors_file:file create_file_perms;

generic/vendor/test/property.te

@@ -0,0 +1,27 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+type sensors_dbg_prop, property_type;

generic/vendor/test/property_contexts

@@ -0,0 +1,27 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+persist.vendor.debug.sensors.             u:object_r:sensors_dbg_prop:s0

generic/vendor/test/qsta_app.te

@@ -0,0 +1,50 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+## qsta_app
+##
+## This file defines the permissions that qsta_apps can carry
+
+type qsta_app, domain;
+app_domain(qsta_app)
+hal_client_domain(qsta_app, hal_perf)
+r_dir_file(qsta_app, persist_sensors_file)
+
+allow qsta_app {
+  app_api_service
+  surfaceflinger_service
+  audioserver_service
+  mediaserver_service
+}:service_manager find;
+
+userdebug_or_eng(`
+  allow qsta_app diag_device:chr_file { read write open ioctl };
+')
+
+allow qsta_app mnt_vendor_file:dir r_dir_perms;
+allow qsta_app system_app_data_file:dir create_dir_perms;
+allow qsta_app system_app_data_file:file create_file_perms;

generic/vendor/test/seapp_contexts

@@ -30,3 +30,6 @@ user=system seinfo=platform name=.pdtapps domain=pdt_app type=system_app_data_fi
 
 #Add new domain for usta app
 user=system seinfo=platform name=com.qualcomm.qti.usta domain=usta_app type=system_app_data_file
+
+#Add new domain for qsta app
+user=system seinfo=platform name=com.qualcomm.qti.sensors.qsensortest domain=qsta_app type=system_app_data_file

generic/vendor/test/usta_app.te

@@ -33,12 +33,16 @@ type usta_app, domain;
 
 app_domain(usta_app)
 hal_client_domain(usta_app, hal_perf)
+get_prop(usta_app, sensors_prop)
 
 #allow only usta_app with userdebug to access ioctl
 userdebug_or_eng(`
+  diag_use(usta_app)
+  get_prop(usta_app, sensors_dbg_prop)
   allowxperm usta_app self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
   allow usta_app self:{ socket qipcrtr_socket } create_socket_perms;
   allow usta_app xdsp_device:chr_file r_file_perms;
+  allow usta_app sysfs_timestamp_switch:file r_file_perms;
 ')
 
 allow usta_app {

qva/vendor/common/hal_sensorscalibrate_qti_default.te

@@ -30,3 +30,8 @@ hal_server_domain(hal_sensorscalibrate_qti_default, hal_sensorscalibrate_qti)
 
 type hal_sensorscalibrate_qti_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_sensorscalibrate_qti_default)
+r_dir_file(hal_sensorscalibrate_qti_default, mnt_vendor_file)
+
+allow hal_sensorscalibrate_qti sysfs_data:file r_file_perms;
+allow hal_sensorscalibrate_qti self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm hal_sensorscalibrate_qti self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;