esepowermanager HAL 1.1 service is required to be
invoked from the boot.
Added entry for esepowermanager HAL 1.1 service.
Change-Id: I82825f66dee8981407903fd7f67cf474a44904cb
SELinux label for vendor properties are required to have vendor_
prefix. Adding vendor_ prefix for vendor properties related to
msm_irqbalancer.
Change-Id: I10338b7c69b7cbe02703d622c2fef4c1de9358e5
Rename NFC HIDL service 1.3 to 2.0 as the NFC
HAL has major changes which are not backward
compatible with the older HALs.
Removed entries for NFC HIDL services
which no more in use.
Change-Id: I1b1f21b9f62336cb5a6aebcc04083c20d7780a6c
to avoid naming colision with system types we are adding vendor_ prefix for all vendor defined types.
Change-Id: I1396f2c6d9576af3c3755096bb1e69d254b6db4e
Switch FM app's domain from system to platform app.
Add sepolicy rules for fm in platform_app domain.
Reomve fm sepolicy rules from system_app domain.
CRs-fixed: 2595596
Change-Id: I40a4f68eb8ded948d44653d3bc0209bbb3d9ef35
NFC HIDL 1.3 service is required to be
invoked from the boot.
Added entry for NFC HIDL 1.3 service.
Change-Id: I82e34f09a4309ca1102ed8f86728eb994ed62852
Since mirrorlink feature is de-PORed,delete mirrorlink
project te files and respective entries throughout
the sepolicy component.
Change-Id: Id8e4a824f0690c519ce2a9bd1007fff2eaf2e36c
As part of making USTA (Sensor android test application) as
installable, we split the app into 2 parts. One Acts as only UI,
another one acts as service which interacts with sensors native
via JNI. Both the apps are placed in system/app path only.
Change-Id: I58df425bebef96b9d6515179e9581eed03571ad6
Remove sepolicy rules which are allowing system to modify
below vendor properties.
- vendor_wifi_ftmd_prop
- vendor_softap_prop
Change-Id: I3fa6c5f7fa34b37eaaa0b7c393fb256c1ed70d42
CRs-Fixed: 2503731
BUG: b/121350843
vold need access to tee device for disk encryption use case. This permission
can be removed as new cryptfshw hal is implemented in vendor which
will interface vold to tee device.
Change-Id: I69cba9cbd7119c2897e93c122b4946fd76773bb9
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
add read/write access to IAR-DB at /mnt/vendor/persist/iar_db
add read/write access to IAR-DB at /vendor/spunvm/iar_db
add read/write access to spss_utils at /dev/spss_utils
Change-Id: If74d48087833a8507d8f167cdd950f0ad73afbe4
Given SE Policy permissions for port-bridge module to create a UNIX
socket and enable communication with clients in different modules.
Change-Id: I1d3a4fdc30847cd8ee7f7715d3249c1957a0776d
WFD HAL requires access to UHID driver to support HID events over
UIBC in a WFD session. Add requisite policy to grant it access.
Change-Id: If895fb2e6ee2fa4de62a2d51b0f6ed675640b83c
CRs-Fixed: 2489083
Cleanup of file_contexts which are no longer needed or optimize
the regexp which can help in betterment in bootup time.
Change-Id: I9b59f7c46290e14bb32d91219d5c2de408a240d9
As the defination in file.te is not matching with the
rule in sensors.te due to typo errro corrected the
name .
Change-Id: Ia5355c2d37bb4d65f8cebeec4e4a6d3996dcef65
Cleanup of file_contexts which are no longer needed or optimize
the regexp which can help in betterment in bootup time.
Change-Id: I3d95b2e9387dfc8fe4a50237c75d79d83c87fa99
The change "sepolicy: update legacy rules for wigig sockets"
contained an incorrect update for vendor_wpa_wlan socket
which caused WIFI start failure. Fix this rule.
Change-Id: I6890fd27f28baabe6177c468b54f81bfd12d39b4
wigig sockets moved into their own directory under
/dev/socket/wigig, but the location was not updated
in the legacy rules.
Change-Id: I443bd2d35698a3ab9d81a17ebe9813bbad1b70c2
Modify the path in sysfs rule for msmnile.
Add the corresponding net sysfs rule for sdm710.
Change-Id: Ibd299806e4a0edf91ff071774064e19a2135bbbd
CRs-Fixed: 2473945
This patch adds lazyhal property to bluetooth_prop
and allows bluetooth application to access the property.
Change-Id: I1803488eaced69116ba07f219f7dc22b7ee1d1ca
1. Define domain for capabilityconfigstore
2. Add type for /data/vendor/configstore folder
3. Allow capabilityconfigstore HIDL Server access/r/w it
Change-Id: I2781d93f02fc4673d935d6b764f53a9f45868256
Reverting the FIDO session file location accessed via QTEEConnector
to match previous version for backward compatibility
Change-Id: I7701088159977747be8002a4381fd8afdc8b268f
-- Add properties to enable wfd dumping
-- Allow to access logmask file in /data/vendor
-- Allow source to access video SKU and UBWC property
Change-Id: I7688f1e9dde493c9542d213ba87d2efc8dcb37d3
Add socket communication sepolicy rules for location and wifihal.
lowiserver would interact with wifihal for nl communication.
CRs-Fixed: 2467101
Change-Id: Iff7e5f50858c95ad86ff34e5f5333bd9304aec4e
Add charger.te file and add policy for charger script
to access charger devices.
while at it add sepolicy rules for hvdcp_opti.
Change-Id: Ib14d5baad3415e3044732177c73b3e64d4f8fdc4
Sepolicy changes needed for dynamic partition support for legacy
targets : SDM845 and SDM710
- Add rules to enable fastbootd mode flashing of dynamic partition
- Define labels for super, recovery and vbmeta_system partitions
- Allow update_engine to access recovery partition for OTA
Change-Id: I6f692da6ab687529833a87b6feb375fda26508b8
BUG: b/121350843
vold need to communicate with tee device node to set crypto
engine keys for userdata encryption. cryptfs_hw hal is
implemented to facilitate this commuincation.
Change-Id: Ie1d02b211e1f6e147092710008b363795df5e0a6
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
Add sysfs path for mhi timesync feature files to be read from
userspace applications/services.
CRs-Fixed: 2426302
Change-Id: Ib28800e000774d8ce27dd9a78db9efd6ebdbdb00
As part of CTS testing its expected no denails should be seen
from dumpstate domain during testing so addressing generic
permission issue.
test :testNoBugreportDenials
Change-Id: Ic60a49e6330c42aa99280af8e6913af140e981e5
Permit graphics hwcomposer to access kgsl sysfs node to get
the value of maximum GPU clock supported.
Change-Id: Idc3966029364436cbca445a9bc704ee2a2caf874
All vendor init process would have access to vendor_default_prop.
Define security context for "ro.build.software.version" as
vendor_default_prop.
Change-Id: I5b1f1698dcbb3d914a66c540f31f7624c707a72e
- Add permission for rild to set and get the property
persist.vendor.net.doxlat
- Revoke set_prop permission to system_server.
- Define domain for DataConnection HAL
Change-Id: I143bfffa8af61d087d8210516c57a211e25f0a1d
CRs-Fixed: 2425156
As part of CTS testing its expected no denails should be seen
from dumpstate domain during testing so addressing generic
permission issue.
test :testNoBugreportDenials
Change-Id: I27178e6b4180d53cd5f6574bf71fe54819b10454
Following paths on sysfs are now labeled in system side
file_contexts so removing the duplicate entries from
vendor side genfs_contexts .
/module/tcp_cubic/parameters
/devices/virtual/net
Change-Id: I4c872ca3e14da9a73b1adbfd9671c3df1a0046c8
Mediacodec needs to access audio devices to use OMX HW decoders and
encoders. Allow mediacodec to access audio devices.
Change-Id: I6706f989d8e90607bd3134a88268322451122b15
- Label the new a2dp HAL service as Audio he service
so that Audio HAL process can load it and bluetooth
host process can interact with new service.
Change-Id: If7a4c5f9dcf33edbef5647107cae4cfdf847c63f
Latest sepolicy rules in android Q enforce ioctl
restrictions on blk_file. This change adds sepolicy
rules to allow qseecom daemon process to perform ioctl
calls to rpmb partition in case of emmc based targets.
Change-Id: I884dbe35b5233eac195cfcfdaa73b359b671955d
Signed-off-by: Anmolpreet Kaur <anmolpre@codeaurora.org>
- Add separate hal_btconfigstore_hwservice
- Initialize server and client for hal_btconfigstore.
- Make system_app to be a client of hal_btconfigstore for FM.
- Make Bluetooth to be a client of hal_btconfigstore.
Change-Id: I680bcdb79836fbba22140f9e4bcfadeb7a70ed59
WFD requires revision in its SEAndroid policies due
to an OS upgrade and design re-architecture to conform
to system-wide mandates.
Change-Id: I5a9adc280cefab73d8c467379b74951fc3a88e71
Bootctl needs read access to scsi_generic node to lookup what
/dev/sgN device corresponds to the XBL partitions.
Label it and give read access to bootctl.
Change-Id: I91d54ba05dd3d5fe34296e3911537ed57e51a067
This is a cumulative patch which adds rules needed
for wigig and FST, including cleanup of rules that
are no longer needed, and adjustments for new sepolicy
restrictions.
Based on these changes:
1) sepolicy: Add policies for FST manager service
Add SE policies for FST Manager daemon required for
fast-session-transfer feature.
Change-Id: I3750d298c33e9f70e51545a678502b6d7dd0b0e6
2) sepolicy: allow fstman write permissions to wifi directory
FST Manager needs write permissions to wifi directory for supporting
whitelist of rate upgrate interface (wlan1)
Change-Id: I564e7da6118e17f7487242c55b0373dab8d12578
3) sepolicy: support wigig services
For managing the wigig network, define wigig services as
system service and allow access to wpa_wigig0 control socket.
wigig supplicant creates sockets under /data/misc/wifi/wigig_sockets.
CRs-Fixed: 997409
Change-Id: I8113892b7fdbf1a4f7dd4b9c7cf490264952fe69
4) sepolicy: Update policies for FST
Recent android changes removed permission for
systemserver and netd to read system properties.
Added such support as it is needed for fst feature
Change-Id: I045b7115f9a6ba5c03f7f8e510a29e847a534686
CRs-Fixed: 1028134
5) sepolicy: support wigig services and fast session transfer
Add rules for allowing wigig framework and FST to work.
Includes:
- communication between wigig framework and wigig HAL service
- permissions for wigig HAL service
- file/socket permissions for fstman daemon
- permissions for WIFI framework to operate FST.
Change-Id: Ibf0970aa0f06fac1dab4d8a2b31a9f0fc4ab3a6e
6) sepolicy: support FST in SoftAP mode
Add rules needed for supporting FST in SoftAP mode:
- Extend the wifi_vendor_hostapd_socket file definition to include
the hostapd global socket.
- Allow hostapd to send messages back to fstman event socket
- Allow fstman to communicate with hostapd global socket.
Change-Id: Ifbf38e24ff9e0834ef3f3dd8cf70d4e5ce1af4d1
7) sepolicy: add rules for wigig network performance tuner(npt)
Add rules needed to support the wigig network performance tuner.
The npt is a standalone service which provides the ability to
tune network stack parameters. It can accumulate tuning requests
from multiple clients and merge requests.
The npt provides an hwbinder service used by wigig framework
(hosted inside system_server).
The npt also listens on a unix socket, this is used by vendor
components for backward compatibility with previous implementation.
Change-Id: Iaabb4c13519c14b0e79631c7eaed7e53a1076063
8) sepolicy: add permissions to access wigig's snr_thresh sysfs
Part of FST functionality, fstman needs to access snr_thresh sysfs.
Change-Id: Ie10778c0c4b874b2ea8467f2deac26ae7d776bdc
9) sepolicy: fix hostapd rules for FST
FST was broken by commit 3e2b4523e6
("sepolicy: Adding rule for cnd"). Object was changed from
wifi_vendor_wpa_socket to wpa_socket. However wifi_vendor_wpa_socket
provides access to /data/vendor/wifi/sockets where wpa_socket
provides access to /data/misc/wifi/sockets.
Change-Id: Ia70999c3aedc4e073bfcc2ac72bde83d5b521aa4
10) sepolicy: move definitions of wigig services
Move the definitions of wigig services from common
to private, otherwise they do not work in newer version
of Android.
Change-Id: Ia4d0770314706b97ee0fea8f36fe920f0d7103cf
11) sepolicy: remove duplicate definitions of wigig and wigigp2p
wigig and wigigp2p service definitions were duplicated in
common/service_contexts and private/service_contexts,
it caused problems with OTA build.
Change-Id: Ifaeb9ffdf65be44de3ef8d15c323e436b5e04d9f
12) sepolicy: add rules for on-demand insmod/rmmod of wigig driver
Add rules to allow wigig HAL service to insmod/rmmod the wigig module,
similar to the WIFI HAL. This is needed because the wigig chip
leaks power while wigig driver is loaded, so the driver must be
unloaded when wigig framework is disabled.
Change-Id: Id96f50020b3e7028b2c6bdd319383879565087c6
13) sepolicy: fixes for wigig SoftAP (hostapd)
Added some fixes to get wigig SoftAP working.
In recent version of Android hostapd now has its own HAL domain.
Update hostapd rules to refer to this new domain.
Also, there are few small updates to refer to proper types for
vendor files and sockets.
Change-Id: If53a3674312f5a008984eb7ff2aa6026dcdf0af7
14) sepolicy: FST fixes
1. Restore access to hostapd global socket from fstman.
2. fstman now generates its configuration (fstman.ini) based
on system properties, so it needs read access to these.
3. wpa_supplicant global socket moved to vendor_wpa_wlan0,
so fstman (and other vendor services) can access it.
Change-Id: I099d7f3b187989c26666b93288b1693f5db20bec
15) sepolicy: allow platform_app to read wigig properties
WigigSettings application needs to read wigig system property.
Change-Id: Ic5e28b454bfa261b4cbd91dc76b7e2267e1acb74
16) sepolicy: fix wigignpt access to network parameters
Add rule to fix problem with accessing sysfs network
parameters on recent android versions.
Based on this audit log:
avc: denied { search } for pid=1024 comm="wigignpt" name="net" dev="sysfs" ino=41025 scontext=u:r:wigignpt:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
CRs-Fixed: 2217480
Change-Id: Ifdb8b794a4a310c1548743cc19df77d7eb0d302b
Change-Id: I0c847447acf3ffd7903a62e0139e69308dca851f
For debugging watchdog issues in system_server, system_server
needs read access to binder-state file. Access to generic debugfs has
been removed for all processes except init, vendor_init & dumpstate.
This CL labels /sys/kernel/debug/binder/state file and allows
system_server, dumpstate, vendor_init & init, 'r_file_perms' access
to the same file.
The label and the associated access permissions only apply to
userdebug builds.
Change-Id: I159e39bcd05d699454797f8b1d1c17c810c99cb1
We need to remove coredomains access to tee_device but as seeing
issue we are restoring this for vold for now.
Change-Id: Ia5599051f75b456a462088e83741a8a975d99056
1. Allow perf-hal to create and read/write values
into default_values file which is created in
/data/vendor/perfd.
2. Allow perf-hal to read /sys/class/devfreq
directory and fetch values from the files.
CRs-Fixed: 2417754
Change-Id: I7a4494e95ff9cd57a295c76c53f4afb90570cc4d
Add selinux permissions for qfp-daemon and
qbt driver. Allow system app to access
fingerprint HAL.
Change-Id: I5106501475f8071fd272700a094cb9e33cfdbc50
As part of security hardening access to sysfs label related
sepolicy rules should be removed.
So cleaning all the directory reads and sysfs:file access
which were seen in the following .
hal_bootctl
hal_gnss_qti
hal_pasrmanager
pd_services
ssr_diag
ssr_setup
thermal-engine
qmuxd
sensors
hal_perf_default
Change-Id: I51e98a3f68211357e2bb1455f28a96fc3aad4d88
added separate hal_fm_hwservice for fm app.
intialize server and client for hal_fm.
made system_app to be a client of hal_fm
Change-Id: I4881913e5f9abc3699730e8a6abac3756dc91337
