FR53056 for Connection Security.

Enable SSG sepolicy on latest Android versions. Port LA.1.0 Connection Security sepolicy to LA.2.0. sepolicy.lnx.4.0 to sepolicy.lnx.5.9 Change-Id: I20c2f5b099baa4664f48e72225cd962a09893991
2019-01-16 14:15:46 -08:00 · 2019-01-16 14:15:46 -08:00 · 0cacafc72f
commit 0cacafc72f
parent 2eaffad9c3
12 changed files with 210 additions and 1 deletions
--- a/Android.mk
+++ b/Android.mk
@ -8,7 +8,8 @@ BOARD_SEPOLICY_DIRS := \
       $(LOCAL_PATH)/generic/vendor/common \
       $(LOCAL_PATH)/generic/vendor/$(TARGET_BOARD_PLATFORM) \
       $(LOCAL_PATH)/qva/vendor/$(TARGET_BOARD_PLATFORM) \
-       $(LOCAL_PATH)/qva/vendor/common
+       $(LOCAL_PATH)/qva/vendor/common \
+       $(LOCAL_PATH)/qva/vendor/ssg

 BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
    $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
--- a/qva/vendor/common/file.te
+++ b/qva/vendor/common/file.te
@ -26,6 +26,21 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 type persist_secnvm_file, file_type , vendor_persist_type;
+
+#mink-lowi-interface-daemon (mlid) socket
+type mlid_socket, file_type, mlstrustedobject;
+
+#ssg qmi gateway daemon socket
+type ssgqmig_socket, file_type, mlstrustedobject;
+
+#ssg tz daemon socket
+type ssgtzd_socket, file_type, mlstrustedobject;
+
 type qfp-daemon_data_file, file_type, data_file_type;
 type persist_qti_fp_file, file_type, vendor_persist_type;
+
+# QDMA data files
+type vendor_qdma_data_file, file_type, data_file_type;
+type qdma_socket, file_type, mlstrustedobject;
+
 type sysfs_npu, fs_type, sysfs_type;
--- a/qva/vendor/common/file_contexts
+++ b/qva/vendor/common/file_contexts
@ -38,6 +38,12 @@
 /dev/esoc.*                           u:object_r:esoc_device:s0
 /dev/mhi_.*                           u:object_r:mhi_device:s0

+###################################
+# Dev socket nodes
+#
+/dev/socket/ssgqmig                             u:object_r:ssgqmig_socket:s0
+/dev/socket/ssgtzd                              u:object_r:ssgtzd_socket:s0
+
 ###################################
 # System files
 #
--- a/qva/vendor/common/mlid.te
+++ b/qva/vendor/common/mlid.te
@ -30,3 +30,7 @@ type mlid, domain, mlstrustedsubject;
 type mlid_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(mlid)
+
+# Allow access to location socket
+allow mlid self:netlink_generic_socket create_socket_perms_no_ioctl;
+unix_socket_connect(mlid, location, location)
--- a/qva/vendor/common/qdma_app.te
+++ b/qva/vendor/common/qdma_app.te
@ -0,0 +1,73 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qdma_app, domain, mlstrustedsubject;
+app_domain(qdma_app)
+net_domain(qdma_app)
+binder_use(qdma_app)
+
+# allow invoking activity and access app content to qdma_app
+allow qdma_app { activity_service content_service }:service_manager find;
+# allow display service to qdma_app
+allow qdma_app { display_service }:service_manager find;
+# allow access to wifi and data network to qdma_app
+allow qdma_app { connectivity_service network_management_service }:service_manager find;
+# allow access telephony service info to qdma_app
+allow qdma_app { radio_service registry_service }:service_manager find;
+# allow acquire wakelock to qdma_app
+allow qdma_app { power_service }:service_manager find;
+# allow to load native library
+allow qdma_app { mount_service }:service_manager find;
+# for vendor_perf_service
+allow qdma_app app_api_service:service_manager find;
+
+# allow access to qdma dropbox
+allow qdma_app vendor_qdma_data_file:dir create_dir_perms;
+allow qdma_app vendor_qdma_data_file:file create_file_perms;
+
+allow qdma_app user_service:service_manager find;
+
+# allow qdma_socket
+allow qdma_app qdma_socket:dir w_dir_perms;
+allow qdma_app qdma_socket:sock_file create_file_perms;
+
+# for /dev/socket/qdma/qdma-campmgr-s
+unix_socket_connect(qdma_app, qdma, qdmastatsd)
+
+# allow access to mediadrmserver for qdmastats/wvstats
+allow qdma_app mediadrmserver_service:service_manager find;
+
+# allow qdma_app to access system_app_data_file
+# necessary for read and write /data/data subdirectory.
+allow qdma_app system_app_data_file:dir create_dir_perms;
+allow qdma_app system_app_data_file:file create_file_perms;
+
+# allow qdma_prop
+set_prop(qdma_app, vendor_qdma_prop);
+
+# allow cgroup access
+allow qdma_app cgroup:file rw_file_perms;
--- a/qva/vendor/common/ssgqmigd.te
+++ b/qva/vendor/common/ssgqmigd.te
@ -30,3 +30,5 @@ type ssgqmigd, domain, mlstrustedsubject;
 type ssgqmigd_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(ssgqmigd)
+
+allow ssgqmigd self:qipcrtr_socket rw_socket_perms_no_ioctl;
--- a/qva/vendor/common/ssgtzd.te
+++ b/qva/vendor/common/ssgtzd.te
@ -30,3 +30,11 @@ type ssgtzd, domain, mlstrustedsubject;
 type ssgtzd_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(ssgtzd)
+
+#Allow access to smcinvoke device
+allow ssgtzd smcinvoke_device:chr_file rw_file_perms;
+
+allow ssgtzd ssg_app:unix_stream_socket connectto;
+#Allow access to firmware/image
+allow ssgtzd vendor_firmware_file:dir r_dir_perms;
+allow ssgtzd vendor_firmware_file:file r_file_perms;
--- a/qva/vendor/ssg/keys.conf
+++ b/qva/vendor/ssg/keys.conf
@ -0,0 +1,2 @@
+[@SSG]
+ALL : device/qcom/sepolicy/qva/vendor/ssg/ssg_app_cert.x509.pem
--- a/qva/vendor/ssg/mac_permissions.xml
+++ b/qva/vendor/ssg/mac_permissions.xml
@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+See /system/sepolicy/private/mac_permissions.xml
+-->
+
+    <signer signature="@SSG" >
+      <seinfo value="ssgapp" />
+    </signer>
+
+</policy>
--- a/qva/vendor/ssg/seapp_contexts
+++ b/qva/vendor/ssg/seapp_contexts
@ -0,0 +1,4 @@
+# SSG apps for Connection Security
+user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.connectionsecurity type=app_data_file levelFrom=all
+user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.telemetry type=app_data_file levelFrom=all
+user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.trustzoneaccess type=app_data_file levelFrom=all
--- a/qva/vendor/ssg/ssg_app.te
+++ b/qva/vendor/ssg/ssg_app.te
@ -0,0 +1,60 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+## ssg_app
+##
+## This file defines the permissions that ssg_apps can carry
+
+type ssg_app, domain;
+
+app_domain(ssg_app)
+net_domain(ssg_app)
+
+# Allow access to sockets
+unix_socket_connect(ssg_app, mlid, mlid)
+unix_socket_connect(ssg_app, ssgqmig, ssgqmigd)
+unix_socket_connect(ssg_app, ssgtzd, ssgtzd)
+
+#access to qdma socket
+qdma_file_socket(ssg_app)
+
+allow ssg_app radio_service:service_manager find;
+allow ssg_app surfaceflinger_service:service_manager find;
+allow ssg_app app_api_service:service_manager find;
+
+# access to qipcrtr socket
+allow ssg_app self:qipcrtr_socket rw_socket_perms_no_ioctl;
+
+# To get uuid and device info
+allow ssg_app proc_cpuinfo:file r_file_perms;
+allow ssg_app proc_meminfo:file r_file_perms;
+
+# Note: implementation might have changed in the latest Android.
+# Uncomment below if see any denial.
+# unix_socket_connect(ssg_app,dpmtcm, dpmd);
+
+r_dir_file(ssg_app, proc)
--- a/qva/vendor/ssg/ssg_app_cert.x509.pem
+++ b/qva/vendor/ssg/ssg_app_cert.x509.pem
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpzCCAo+gAwIBAgIELmaGwzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMC
+VVMxEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xJDAiBgNVBAoT
+G1F1YWxjb21tIFRlY2hub2xvZ2llcywgSW5jLjEMMAoGA1UECxMDU1NHMRwwGgYD
+VQQDExNTU0cgUHJpdmlsZWdlZCBBcHBzMB4XDTE3MDYxOTIxMDAxNloXDTQ0MTEw
+NDIxMDAxNlowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdVbmtub3duMRAwDgYD
+VQQHEwdVbmtub3duMSQwIgYDVQQKExtRdWFsY29tbSBUZWNobm9sb2dpZXMsIElu
+Yy4xDDAKBgNVBAsTA1NTRzEcMBoGA1UEAxMTU1NHIFByaXZpbGVnZWQgQXBwczCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKwaT66u+2CUj44EYbOTeKFy
+7EAmj35UI02ifnJZg+voMHGrp4OII411Gwtx15oPt+Dg7kymqu8urcqDnIS1sEGZ
+TCsgqFnVqvGWk0aLG4PwaKmLo5kU365xIWmVHv/eH4Zu7OW2dvfVkirzc/p6pNS4
+mUbKr52do66B/BWyGOQ6ocxkMap54i+JJsPFl4ejIoAb4VuQKsDzCrgWFJoLwbAJ
+TMvwVjer3KIEsoD3rlftfmWJA8u2OcwhR9L0Z8gTVWdIUEj+BPo3hpA8lNg4OKGb
+F5Nez/MDvagp3TAYk6E+ake+/uWiPPdoZLpu0WvZU0mLIwj+FOAayHk+GfQSQKsC
+AwEAAaMhMB8wHQYDVR0OBBYEFFac8wwmHfDY9GZoPKgY7bzzZApSMA0GCSqGSIb3
+DQEBCwUAA4IBAQA7BZpaBmj5WCTbNCYlZmIWONui89XVjxGmD/43ipFLaXuvG6PV
+8WDIt0kkZTnAi1e7NE1yk7MnQSa37gXf5eYWM7rMxX90gae+/P5P8RT8Gp4OhZT7
+ITNpWKYZEIumxvnHcK/nAWAPgInzBDkNksUawc3ACU0kgoOiJiXfXWuHgjnwWDdA
+YS/MjlXyIju8x+1PkzyXbE2PNOuaQdlaZWXtzsdKVfxk4RK9Um3+9i1Xr6yPNIqR
+suBjThaMw740u4wg2oOZITY6b7RBfn9nxYu8zHzmIWE2xiLB6Rg2c5a3fKiOWXiL
+xhSlrs1uuE+54290ZDtOpCRA0M411ClkyjLU
+-----END CERTIFICATE-----