From 53aeda15ef6b495b39e4e2181255c4e458bbcd90 Mon Sep 17 00:00:00 2001 From: Samyak Jain Date: Wed, 30 Jun 2021 18:18:32 +0530 Subject: [PATCH] Selinux enabled for sxr_vndr. This change creates sxr_vndr service which acts as a vendor hal service and enables the sxr_vndr service to receive one of the socket pair fd sent from xrcb application and directly communicates with QXR client running in /data using socket pair fd Change-Id: I9f7d12142c9fb3d8f6683e32f5abb0b62f2bc678 --- qva/vendor/common/file.te | 4 ++ qva/vendor/common/file_contexts | 3 ++ qva/vendor/common/service.te | 1 + qva/vendor/common/service_contexts | 2 + qva/vendor/common/sxrd_vndr.te | 77 ++++++++++++++++++++++++++++++ 5 files changed, 87 insertions(+) create mode 100644 qva/vendor/common/sxrd_vndr.te diff --git a/qva/vendor/common/file.te b/qva/vendor/common/file.te index c99597dc..a3c97b24 100644 --- a/qva/vendor/common/file.te +++ b/qva/vendor/common/file.te @@ -127,6 +127,10 @@ type vendor_sysfs_qvr_external_sensor, sysfs_type, fs_type; type vendor_qvrd_vndr_data_file, file_type, data_file_type; type vendor_qvrd_vndr_socket, file_type; +#sxrservice file +type vendor_sxrd_vndr_data_file, file_type, data_file_type; +type vendor_sxrd_vndr_socket, file_type; + #GuestVM PIL files type vendor_sysfs_bootguestvm, fs_type, sysfs_type; diff --git a/qva/vendor/common/file_contexts b/qva/vendor/common/file_contexts index 934c1e86..02dec16c 100644 --- a/qva/vendor/common/file_contexts +++ b/qva/vendor/common/file_contexts @@ -66,6 +66,7 @@ /dev/socket/wigig/sensingdaemon u:object_r:vendor_sensingdaemon_socket:s0 /dev/socket/qvrservice_vndr u:object_r:vendor_qvrd_vndr_socket:s0 /dev/socket/qvrservice_vndr_camera u:object_r:vendor_qvrd_vndr_socket:s0 +/dev/socket/sxrservice_vndr u:object_r:vendor_sxrd_vndr_socket:s0 /dev/smcinvoke u:object_r:tee_device:s0 ################################### 
@@ -142,6 +143,7 @@ /vendor/bin/qesdk-manager u:object_r:vendor_hal_qesdhal_default_exec:s0 /(vendor|system/vendor)/bin/mutualex u:object_r:vendor_mutualex_exec:s0 /(vendor|system/vendor)/bin/hw/qvrservice u:object_r:vendor_qvrd_vndr_exec:s0 +/(vendor|system/vendor)/bin/hw/sxrservice u:object_r:vendor_sxrd_vndr_exec:s0 /vendor/bin/modemManager u:object_r:vendor_modem_manager_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qccvndhal@1\.0-service u:object_r:vendor_hal_qccvndhal_qti_exec:s0 @@ -214,6 +216,7 @@ /data/vendor/sensing(/.*)? u:object_r:vendor_sensing_vendor_data_file:s0 /data/vendor/gaming(/.*)? u:object_r:vendor_qspmhal_data_file:s0 /data/vendor/qvr(/.*)? u:object_r:vendor_qvrd_vndr_data_file:s0 +/data/vendor/sxr(/.*)? u:object_r:vendor_sxrd_vndr_data_file:s0 ################################### # persist files diff --git a/qva/vendor/common/service.te b/qva/vendor/common/service.te index a0eaeb07..ee772758 100644 --- a/qva/vendor/common/service.te +++ b/qva/vendor/common/service.te @@ -28,3 +28,4 @@ type vendor_dun_service, service_manager_type; type vendor_imsrcs_service, service_manager_type; type vendor_hal_qvrd_service, vendor_service,service_manager_type; +type vendor_hal_sxrd_service, vendor_service,service_manager_type; diff --git a/qva/vendor/common/service_contexts b/qva/vendor/common/service_contexts index de6a0cc9..f45f1d36 100644 --- a/qva/vendor/common/service_contexts +++ b/qva/vendor/common/service_contexts @@ -28,3 +28,5 @@ vendor.qti.hardware.qxr.IQXRCoreService/default u:object_r:vendor_hal_qvrd_service:s0 vendor.qti.hardware.qxr.IQXRCamService/default u:object_r:vendor_hal_qvrd_service:s0 vendor.qti.hardware.qxr.IQXRModService/default u:object_r:vendor_hal_qvrd_service:s0 +vendor.qti.hardware.qxr.IQXRSplitService/default u:object_r:vendor_hal_sxrd_service:s0 +vendor.qti.hardware.qxr.IQXRAudioService/default u:object_r:vendor_hal_sxrd_service:s0 
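Review bot: In the service_contexts hunk, both new AIDL instances, `vendor.qti.hardware.qxr.IQXRSplitService/default` and `vendor.qti.hardware.qxr.IQXRAudioService/default`, are mapped to the single type `vendor_hal_sxrd_service`. The `find` rule added in sxrd_vndr.te for `vendor_hal_sxrservice_qti_client` therefore lets every client look up both interfaces. If the audio and split interfaces have different caller sets, a second type in service.te (for example `vendor_hal_sxrd_audio_service`, a name constructed for this note) would keep lookups least-privilege. If they are always used together, a one-line comment above the two entries saying so is enough.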
diff --git a/qva/vendor/common/sxrd_vndr.te b/qva/vendor/common/sxrd_vndr.te
new file mode 100644
index 00000000..0bea7e59
--- /dev/null
+++ b/qva/vendor/common/sxrd_vndr.te
@@ -0,0 +1,77 @@
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_sxrd_vndr, domain;
+typeattribute vendor_sxrd_vndr vendor_sys_sxrauxservice_qti_socket_client;
+type vendor_sxrd_vndr_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(vendor_sxrd_vndr)
+
+hal_server_domain_bypass(vendor_sxrd_vndr, vendor_hal_sxrservice_qti)
+binder_call(vendor_hal_sxrservice_qti_client, vendor_hal_sxrservice_qti_server)
+binder_call(vendor_hal_sxrservice_qti_server, vendor_hal_sxrservice_qti_client)
+
+allow vendor_hal_sxrservice_qti_client vendor_hal_sxrd_service:service_manager find;
+allow vendor_sxrd_vndr vendor_hal_sxrd_service:service_manager find;
+add_service(vendor_hal_sxrservice_qti_server, vendor_hal_sxrd_service)
+
+allow vendor_sxrd_vndr vendor_hal_sxrservice_qti_socket_client:unix_stream_socket { getopt read setopt shutdown write };
+allow vendor_hal_sxrservice_qti_socket_fd_use_client vendor_sxrd_vndr: fd use;
+
+binder_use(vendor_sxrd_vndr);
+# Allow access to our socket
+allow vendor_sxrd_vndr vendor_sxrd_vndr_socket:sock_file rw_file_perms;
+
+# Allow interracting with vendor_sxrd_vndr directory
+allow vendor_sxrd_vndr vendor_sxrd_vndr_data_file:dir create_dir_perms;
+allow vendor_sxrd_vndr vendor_sxrd_vndr_data_file:file create_file_perms;
+
+#video device
+allow vendor_sxrd_vndr video_device:chr_file rw_file_perms;
+
+#Allow hal graphics allocator permissions
+hal_client_domain(vendor_sxrd_vndr, hal_graphics_allocator);
+
+#access to usb device
+allow vendor_sxrd_vndr usb_device:chr_file rw_file_perms;
+allow vendor_sxrd_vndr usb_device:dir { open read search watch };
+allow vendor_sxrd_vndr device:dir { read watch };
+
+#Allow access to PCM sound card
+allow vendor_sxrd_vndr audio_device:chr_file rw_file_perms;
+allow vendor_sxrd_vndr audio_device:dir r_dir_perms;
+
+# Add rule to access /proc/asound/pcm file
+r_dir_file(vendor_sxrd_vndr, proc_asound);
+
+#Allow access to ion device
+allow vendor_sxrd_vndr ion_device:chr_file { open read };
+
+#add sxrd to access tombstoned
+userdebug_or_eng(`
+crash_dump_fallback(vendor_sxrd_vndr);
+')
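Review bot: The device rules in the new sxrd_vndr.te are broader than their comments justify: rw on `usb_device`, `video_device` and `audio_device` chr_files covers every node under those labels, and `allow vendor_sxrd_vndr device:dir { read watch };` adds the generic /dev directory on top of the `usb_device:dir` watch granted on the line before it. Per the commit description the daemon accepts a socket fd from an application and talks to a client under /data, so a bug in that path would expose all of these nodes. I would drop the `device:dir` line unless an audit denial shows it is required, and state above each device rule which feature needs it. The attributes `vendor_sys_sxrauxservice_qti_socket_client`, `vendor_hal_sxrservice_qti_socket_client` and `vendor_hal_sxrservice_qti_socket_fd_use_client` are not declared in any of the five files touched here, so presumably they come from another change; the reach of the `unix_stream_socket` and `fd use` rules depends on which domains carry them and should be checked there.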