Merge "sepolicy: allow netmgrd to access qmipriod properties"

generic/vendor/common/file.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+# Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -128,6 +128,7 @@ type vendor_persist_feature_enabler_file, file_type, vendor_persist_type;
 
 type vendor_netmgr_data_file, file_type, data_file_type;
 type vendor_netmgr_recovery_data_file, file_type, data_file_type;
+type vendor_qmipriod_data_file, file_type, data_file_type;
 type vendor_ipa_vendor_data_file, file_type, data_file_type;
 
 type vendor_tombstone_data_file, file_type, data_file_type;

generic/vendor/common/file_contexts

@@ -138,6 +138,7 @@
 /vendor/bin/cnss_diag           u:object_r:vendor_wcnss_service_exec:s0
 /vendor/bin/diag_mdlog          u:object_r:vendor_qlogd_exec:s0
 /vendor/bin/netmgrd             u:object_r:vendor_netmgrd_exec:s0
+/vendor/bin/qmipriod            u:object_r:vendor_qmipriod_exec:s0
 /vendor/bin/port-bridge         u:object_r:vendor_port-bridge_exec:s0
 /vendor/bin/qti                 u:object_r:vendor_qti_exec:s0
 /vendor/bin/loc_launcher        u:object_r:vendor_location_exec:s0
@@ -281,6 +282,7 @@
 # data files
 /data/vendor/netmgr(/.*)?              u:object_r:vendor_netmgr_data_file:s0
 /data/vendor/netmgr/recovery(/.*)?     u:object_r:vendor_netmgr_recovery_data_file:s0
+/data/vendor/qmipriod(/.*)?            u:object_r:vendor_qmipriod_data_file:s0
 /data/vendor/location(/.*)?            u:object_r:vendor_location_data_file:s0
 /data/vendor/camera(/.*)?              u:object_r:vendor_camera_data_file:s0
 /data/vendor/display(/.*)?             u:object_r:vendor_display_vendor_data_file:s0

generic/vendor/common/netmgrd.te

@@ -41,6 +41,9 @@ allowxperm vendor_netmgrd self:socket ioctl msm_sock_ipc_ioctls;
 allowxperm vendor_netmgrd self:udp_socket ioctl priv_sock_ioctls;
 allow vendor_netmgrd self:tipc_socket { create_socket_perms_no_ioctl };
 
+#Allow connections to qmipriod
+unix_socket_connect(vendor_netmgrd, vendor_netmgrd, vendor_qmipriod);
+
 allow vendor_netmgrd sysfs_net:dir r_dir_perms;
 allow vendor_netmgrd sysfs_net:file rw_file_perms;
 allow vendor_netmgrd vendor_sysfs_data:file r_file_perms;
@@ -74,6 +77,7 @@ allow vendor_netmgrd system_net_netd_hwservice:hwservice_manager find;
 
 # Allow netmgrd to use shsusrd properties
 set_prop(vendor_netmgrd, vendor_data_shsusr_prop)
+set_prop(vendor_netmgrd, vendor_data_qmipriod_prop)
 
 allow vendor_netmgrd self:capability { net_admin net_raw setgid setpcap setuid };
 

generic/vendor/common/property.te

@@ -70,6 +70,8 @@ vendor_restricted_prop(vendor_audio_prop);
 # shsusrd props
 vendor_restricted_prop(vendor_data_shsusr_prop);
 
+vendor_restricted_prop(vendor_data_qmipriod_prop);
+
 #ss-restart
 vendor_internal_prop(vendor_ssr_prop);
 

generic/vendor/common/property_contexts

@@ -117,6 +117,7 @@ vendor.debug.egl.profiler  u:object_r:vendor_public_vendor_default_prop:s0
 
 # shsusrd loading
 persist.vendor.data.shsusr_load u:object_r:vendor_data_shsusr_prop:s0
+persist.vendor.data.qmipriod_load u:object_r:vendor_data_qmipriod_prop:s0
 
 #vendor-wlan
 vendor.wlan.  u:object_r:vendor_wifi_prop:s0

generic/vendor/common/qmipriod.te

@@ -0,0 +1,46 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+type vendor_qmipriod, domain;
+type vendor_qmipriod_exec, exec_type, vendor_file_type, file_type;
+
+#set domains
+init_daemon_domain(vendor_qmipriod)
+net_domain(vendor_qmipriod)
+
+#allow use of the QRTR socket for the QMI communication
+allow vendor_qmipriod self:qipcrtr_socket create_socket_perms_no_ioctl;
+
+#allow use of netmgrd unix sockets
+netmgr_socket(vendor_qmipriod);
+allow vendor_qmipriod vendor_netmgrd_socket:dir w_dir_perms;
+allow vendor_qmipriod vendor_netmgrd_socket:sock_file create;
+
+#allow logging to file for engineering builds
+userdebug_or_eng(`
+  allow vendor_qmipriod vendor_qmipriod_data_file:dir rw_dir_perms;
+  allow vendor_qmipriod vendor_qmipriod_data_file:file create_file_perms;
+')