Commit graph

417 commits

Author SHA1 Message Date
Naseer Ahmed
a0cc2d5fd8 sepolicy: Add memtrack HAL
Change-Id: I96aba595b174dcdf8949e17cd13f97d1c76af1d4
2024-07-13 10:30:37 +08:00
Bruno Martins
84869e5cb4 legacy: Add common telephony rules
Seen across msm4.4 and msm4.9 families.

Change-Id: I47a049dc72e30363b728aa8c25f4571c3b25045b
2024-04-14 16:34:29 +00:00
Bruno Martins
d3dc18a45c legacy: Allow communication between rild and data module
Fixes full IWLAN mode on msm8998 devices.

Change-Id: Id7cb510336f6ee28033d7683cc2c01b29db6c6a2
2024-03-31 02:47:12 +01:00
Michael Bestas
7eabf65ff9 Merge tag 'LA.UM.12.2.1.r1-02900-sdm660.0' into staging/lineage-21.0_merge-LA.UM.12.2.1.r1-02900-sdm660.0
"LA.UM.12.2.1.r1-02900-sdm660.0"

* tag 'LA.UM.12.2.1.r1-02900-sdm660.0':
  Sepolicy : Allow vendor_init to access bluetooth prop.
  Add sepolicy dir and sock permissions to location module
  location AVC denials during user profile switch

 Conflicts:
	legacy/vendor/common/property_contexts

Change-Id: Ic870aa5f9abe177e4d8c00a1bf3d9b66b67e3d75
2024-03-29 12:08:16 +02:00
Michael Bestas
a55fc3cc31 legacy: Allow USB HAL get vendor_usb_prop
Similar to hal_usb_qti.

Change-Id: If0f608f8f2c59a21f89ffebc118e56c559a90755
2024-03-22 13:44:03 +01:00
Neelu Maheshwari
781cfc8b70 Sepolicy : Allow vendor_init to access bluetooth prop.
Change-Id: I393b039b87ac8d717f42640030c1e5d01049ab70
2024-02-08 23:56:36 -08:00
Linux Build Service Account
dabe110bf0 Merge "Add sepolicy dir and sock permissions to location module" into sepolicy.lnx.12.0.c2
2024-01-30 21:10:00 -08:00
Harikrishnan Hariharan
e1c8914c62 Add sepolicy dir and sock permissions to location module
Allow location module to have directory read, write
and socket create permissions in /data/vendor/ path.

CRs-Fixed: 2205732
Change-Id: I4a75623b562337e13b121bacf86af0f97f457916
2024-01-25 09:06:34 +05:30
Nilesh Gharde
8273b09de3 location AVC denials during user profile switch
CRs-fixed: 3713029
Change-Id: Ie20f60a981769278dc1fda195e55f27942cd6a78
2024-01-23 03:12:55 -08:00
Bruno Martins
18b608b651 Merge tag 'LA.UM.12.2.1.r1-02500-sdm660.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy into lineage-21.0-legacy-um
"LA.UM.12.2.1.r1-02500-sdm660.0"

* tag 'LA.UM.12.2.1.r1-02500-sdm660.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy:
  sepolicy : Allow apps to have read access to vendor_display_prop
  sepolicy:qcc: add qcc path to dropbox
  sepolicy:qcc : switch to platform app
  Sepolicy : dontaudit to vendor.hw.fm.init property
  SE Policy change to fix avc denial for qcrild socket
  Avc denials on sdm660 from location, hal_gnss_qti
  sepolicy: Add file context for Widevine DRM
  sepolicy: Add file context for DRM
  sepolicy: Fix qcc avc denial issue
  sepolicy:donotaudit for com.qualcomm.location
  Sepolicy rules to allow Gnss Hal to access ssgtz
  sepolicy rules to allow Gnss Hal to access RIL Srv
  Allow vendor_location_xtwifi_client to access ssgtzd socket

 Conflicts:
	generic/vendor/common/file_contexts
	legacy/vendor/common/vendor_init.te

Change-Id: Ibcd6a15e0ee9ab5bee6da5bafb41702e67549e30
2024-01-09 10:36:03 +00:00
Neelu Maheshwari
8569f71b88 sepolicy : Allow apps to have read access to vendor_display_prop
Change-Id: Ib2793107a54fa1a2df60ac872645277a9a0b2415
2023-11-27 23:29:02 -08:00
Michael Bestas
4bf4c11974 Revert "sepolicy: Label idle_state node"
This reverts commit 4479f08d19.

Change-Id: Iecfb9e94e65e45597a43256eb877fb8c8a8f4717
2023-11-28 02:31:57 +02:00
Linux Build Service Account
36ea3c2980 Merge "SE Policy change to fix avc denial for qcrild socket" into sepolicy.lnx.12.0.c2
2023-11-27 01:46:54 -08:00
Linux Build Service Account
1ea539bb46 Merge "Avc denials on sdm660 from location, hal_gnss_qti" into sepolicy.lnx.12.0.c2
2023-11-27 01:46:51 -08:00
BeYkeRYkt
4479f08d19 sepolicy: Label idle_state node
Change-Id: I4ab197511726e28f7005d0e808803493e406591e
2023-11-25 23:45:59 +00:00
Linux Build Service Account
5207f749c4 Merge "sepolicy: Add file context for Widevine DRM" into sepolicy.lnx.12.0.c2
2023-11-22 23:31:23 -08:00
Neelu Maheshwari
adc7e8bb6b Sepolicy : dontaudit to vendor.hw.fm.init property
Change-Id: I0abc011871328bb269767ceffe9b6ddb2cf9b185
2023-11-16 17:39:38 +05:30
Kamesh Relangi
4603509240 SE Policy change to fix avc denial for qcrild socket
Change-Id: I1c2f3378d974a07496590a3dbd1b20323dbbba16
2023-11-15 11:51:54 +05:30
Nilesh Gharde
1750c0806f Avc denials on sdm660 from location, hal_gnss_qti
Change-Id: I3ac6a4d5db46cce66eecd70531a180e21177d979
CRs-fixed: 3661430
2023-11-15 11:48:10 +05:30
Bruno Martins
f9b54fb034 sepolicy: Label QTI health AIDL service
Change-Id: Ic49f0d4fa46ac4749e9bad3a9d4a780c54c3880e
2023-11-13 17:01:08 +00:00
Alexander Martinz
6aeeffc61d legacy: allow apexd to write to sysfs_mmc_host
As qualcomm relabels read_ahead_kb and friends as sysfs_mmc_host,
we explicitly need to grant apexd access to it or it will break.

This results in e.g. GSIs being unbootable.

type=1400 audit(3799551.036:40): avc: denied { read write }
  for comm="apexd" name="read_ahead_kb" dev="sysfs" ino=81305
  scontext=u:r:apexd:s0 tcontext=u:object_r:sysfs_mmc_host:s0
  tclass=file permissive=0

Change-Id: Iea24b94318893e8526e06e24bc3308acba37b0cc
Signed-off-by: Alexander Martinz <amartinz@shiftphones.com>
2023-11-03 22:21:59 +00:00
Prabhat Roy
a14482b2b1 sepolicy: Add file context for Widevine DRM
Set context for widevine services
android.hardware.drm-service-widevine
android.hardware.drm-service-lazy.widevine

validation:
xts test case: passes all the xts test case

Change-Id: I568149e2c91f86a72007fb5b04f5597f133eea64
2023-11-03 12:46:32 +05:30
LuK1337
f0f3f11097 sepolicy: isolated_app -> isolated_app_all
Change-Id: I10b09afe41b927875d1f7c37d6fc18b75ae1250a
2023-10-31 23:56:49 +00:00
Giovanni Ricca
47ba089fb7 sepolicy: Drop duplicate label
* Merged on https://review.lineageos.org/c/LineageOS/android_device_lineage_sepolicy/+/371121

Change-Id: If4ab4cf2765572b662a60286651ab967fb90d133
2023-10-28 15:08:26 +02:00
Neelu Maheshwari
61bf1906d7 sepolicy:donotaudit for com.qualcomm.location
auditd  : type=1400 audit(0.0:25): avc:  denied  { read } for  comm="alcomm.location"
name="u:object_r:default_prop:s0" dev="tmpfs" ino=23722
scontext=u:r:vendor_location_app:s0 tcontext=u:object_r:default_prop:s0
tclass=file permissive=0 app=com.qualcomm.location

Change-Id: I1fe8e7730f569fbaf955e79aba784de70cc9f944
2023-10-11 22:56:13 -07:00
Bharath
9f61741dd6 sepolicy: Label QTI Thermal HAL 2.0
The name was changed from thermal.msm8953 to a generic one while
moving to 2.0. Hence, add proper label to the new HAL binary.

Change-Id: I7e73035224a3f421c1f8f8e7a4e0f6ab072fab32
(cherry picked from commit 578d104a6e72b9289af668780acd571bad4bc489)
2023-09-28 15:09:36 +05:30
Nolen Johnson
fd5f0ffce2 legacy: common: Label discard_max_bytes for SDB devices
Change-Id: Ic95a3bfdb53073b6f68b985ea1fbd3f3c3ce34a3
2023-08-23 15:13:41 +00:00
me-cafebabe
ada4be8ba0 Allow FM2 app to read/write vendor.hw.fm. props
* Those props are used by vendor/qcom/opensource/fm-commonsys/jni/android_hardware_fm.cpp

Change-Id: I1a141e7d4a0e7d1d788fb049e0e8625d1b2d7e27
2023-08-04 09:50:10 +02:00
jro1979oliver
d2866673fb sepolicy: Import legacy usb rules
- commit https://review.lineageos.org/c/LineageOS/android_device_qcom_sepolicy/+/360376
  relabeled the usb hal and we hit the following log:

usb@1.0-service: type=1400 audit(0.0:5346): avc: denied { search } for uid=1000 name="usbpd0" dev="sysfs" ino=40564 scontext=u:r:hal_usb_default:s0 tcontext=u:object_r:sysfs_usbpd_device:s0 tclass=dir permissive=0
07-13 12: 41:07.134   816  2117 E android.hardware.usb@1.0-service: uevent received SUBSYSTEM=dual_role_usb
07-13 12: 41:07.135   816  2117 I android.hardware.usb@1.0-service: otg_default
07-13 12: 41:07.135   816  2117 E android.hardware.usb@1.0-service: getCurrentRole: Failed to open filesystem node
07-13 12: 41:07.135   816  2117 E android.hardware.usb@1.0-service: Error while retreiving portNames
07-13 12: 41:07.138  1588  2451 E UsbPortManager: port status enquiry failed

Co-authored-by: ExactExampl <64069095+ExactExampl@users.noreply.github.com>
Change-Id: I6b58a248195c59f09514caa7b89c2810f7a8e146
2023-07-25 19:45:53 +03:00
Michael Bestas
b1710c61ea sdm660: Label 4.19 backlight node
Change-Id: Ied1fc8844852fbef3711e46bcc07d4ec100e7a12
2023-07-15 14:01:14 +03:00
Quallenauge
470d8edfda sepolicy: Allow qti_init_shell to set proc_watermark_scale_factor.
Change-Id: I5e59fd91e723df95224e5738295c2b8007f6f053
2023-07-15 14:01:14 +03:00
Michael Bestas
fc9b1c6105 sepolicy: Guard debugfs rules
Allow building with PRODUCT_SET_DEBUGFS_RESTRICTIONS set.

Change-Id: I0d0703ea21f1f812c06247a3db2bc755e8904149
2023-07-15 14:01:14 +03:00
Bruno Martins
5484e1497d hal_usb_qti: Make legacy rules more aligned with QVA
Change-Id: If35e87a56efb3e7a82ed2f06bb4dcab8ec4a0e82
2023-07-15 14:01:14 +03:00
LuK1337
c2b70184e1 sepolicy: Label QTI USB HAL
Change-Id: I0fce6172ce47f4f61d9ee2cb829749b4e5643403
2023-07-15 14:01:14 +03:00
Michael Bestas
28a0580725 Merge tag 'LA.UM.11.2.1.r1-04100-sdm660.0' into staging/lineage-20.0_merge-LA.UM.11.2.1.r1-04100-sdm660.0
"LA.UM.11.2.1.r1-04100-sdm660.0"

* tag 'LA.UM.11.2.1.r1-04100-sdm660.0':
  sepolicy: Compilation fix for newer upgrade.
  sepolicy: Add sepolicy rules for TZAS
  sepolicy: using SYSTEM_EXT_<PUBLIC/PRIVATE>_SEPOLICY_DIRS variable
  sepolicy: Add policy for atfwd client
  sepolicy: Add sepolicy for AtCmdFwd app

 Conflicts:
	SEPolicy.mk

Change-Id: I3743693bab62bcacd4862b40fe3a51e8131ca66a
2023-07-11 16:17:48 +03:00
Michael Bestas
1d7b129f0b sepolicy: Allow location read xtra-daemon control property
Change-Id: If869f21c4397c65672c9319990d8dc4baca2aa3a
2023-06-07 00:58:30 +03:00
Himanshu Agrawal
6f68a803eb sepolicy: Compilation fix for newer upgrade.
Change-Id: I7eb38060cb0a1ad3e09d221022bd5955fb95b396
2023-05-19 05:10:20 -07:00
Michael Bestas
efdc05a907 sepolicy: Restrict access to /sys/devices/soc0/serial_number
Change-Id: I6254ef6e160ff0d3c3ce2e51f20f557e75826dff
2023-05-11 20:14:34 +03:00
Himanshu Agrawal
0d44cf1b75 sepolicy: Add sepolicy rules for TZAS
Add the sepolicy rules for trustzone
access service to provide it access to
various vendor and android services.

Change-Id: I80f8bcb9a917ed18331fa3b92f1e8c65f8c631ad
2023-05-09 03:05:55 -07:00
Michael Bestas
f587eed501 Merge tag 'LA.UM.11.2.1.r1-03400-sdm660.0' into staging/lineage-20.0_merge-LA.UM.11.2.1.r1-03400-sdm660.0
"LA.UM.11.2.1.r1-03400-sdm660.0"

# By Arvind Kumar (1) and Jiani Liu (1)
# Via Jiani Liu (1) and Linux Build Service Account (1)
* tag 'LA.UM.11.2.1.r1-03400-sdm660.0':
  Add sepolicy for ISupplicantVendor aidl
  Permission to access binderfs for binder info

Change-Id: Ice22795ff63de9cc918af6a22e113fe1fce1de83
2023-04-24 18:10:38 +03:00
Sridhar Kasukurthi
ee6be5f18d sepolicy: Add policy for atfwd client
Add policy for atfwd daemon client

Change-Id: I0251b892ffdfbd02ba16b3dc08998581b1c45015
CRs-Fixed: 3450521
2023-04-05 11:54:07 +05:30
Michael Bestas
eca848c791 Merge tag 'LA.UM.11.2.1.r1-03300-sdm660.0' into staging/lineage-20.0_merge-LA.UM.11.2.1.r1-03300-sdm660.0
"LA.UM.11.2.1.r1-03300-sdm660.0"

# By Jiani Liu (1) and Sanghoon Shin (1)
# Via Gerrit - the friendly Code Review server (1) and Linux Build Service Account (1)
* tag 'LA.UM.11.2.1.r1-03300-sdm660.0':
  Add sepolicy for ISupplicantVendor aidl
  sepolicy: fix issue on non-snap target

Change-Id: I512ef692ad0178c26817da2745b67e5dd43c1ee1
2023-03-24 03:08:25 +02:00
Jiani Liu
e0e6534e6e Add sepolicy for ISupplicantVendor aidl
This commit adds required sepolicy changes to avoid avc denial for new
vendor.qti.hardware.wifi.supplicant.ISupplicantVendor/default.

Change-Id: Ie272772338299eb2c684b1c3683e062b12ca486b
2023-03-06 22:56:30 -08:00
Jiani Liu
f9714cd55d Add sepolicy for ISupplicantVendor aidl
This commit adds required sepolicy changes to avoid avc denial for new
vendor.qti.hardware.wifi.supplicant.ISupplicantVendor/default.

Change-Id: Ie272772338299eb2c684b1c3683e062b12ca486b
2023-03-07 14:54:08 +08:00
Georg Veichtlbauer
286e849647 sepolicy: msm8998: Label discard_max_bytes
Change-Id: I7adc3514c0958da8d27d7210b84c375dc66d9c43
2023-02-16 09:38:36 +01:00
Georg Veichtlbauer
95d4b318ab sepolicy: msm8998: Label extcon cable nodes
Change-Id: I8e48a9a1c411a5573902833da48da6dbc1b15bb7
2023-02-15 10:49:36 +01:00
Arvind Kumar
127987d3e0 Permission to access binderfs for binder info
Change-Id: If386da636f084c2c67ee6323300aae0c2ac75bc5
2022-11-03 11:43:07 +05:30
Georg Veichtlbauer
0c87ade841 poweroffalarm_app: Remove levelFrom attribute
levelFrom is used to determine the level (sensitivity + categories)
for MLS/MCS. If set to all, level is determined from both UID and
user ID. This is bad for poweroffalarm, as it needs to be able to
write to /persist/alarm/data which has a context without mls_level:
  u:object_r:persist_alarm_file:s0
instead of
  u:object_r:persist_alarm_file:s0:c0,c256,c512,c768

Change-Id: I9a8b706cdedc090281e4b5542eb34816b7ff338e
2022-10-19 11:26:56 +02:00
Guixiong Wei
397c843152 Sepolicy: Remove poweroffalarm system uid
remove poweroffalarm system uid

Change-Id: I2e93c12b5e9b0169b77d1beecbdbbb7757b8ee1e
2022-10-19 00:04:09 +02:00
Michael Bestas
4cc11498a0 Merge tag 'LA.UM.11.2.1.r1-01900-sdm660.0' into staging/lineage-20.0_merge-LA.UM.11.2.1.r1-01900-sdm660.0
"LA.UM.11.2.1.r1-01900-sdm660.0"

# By Neelu Maheshwari (1) and Sanghoon Shin (1)
# Via Gerrit - the friendly Code Review server (1) and Linux Build Service Account (1)
* tag 'LA.UM.11.2.1.r1-01900-sdm660.0':
  sepolicy: fix issue on non-snap target
  Sepolicy : Fixed Multiple AVC Denials in 11.2.1 SDM660.

 Conflicts:
	generic/vendor/common/hwservice.te
	generic/vendor/common/hwservice_contexts
	legacy/vendor/msm8996/hal_qccvndhalservice.te
	legacy/vendor/sdm660/file_contexts
	qva/vendor/common/hwservice.te
	qva/vendor/common/hwservice_contexts

Change-Id: Ic0fa79f8c74969f25061f50706000abee5b0d008
2022-10-05 18:54:55 +03:00