sepolicy : add sepolicy rules require for DPM

Added sepolicy rules required for DPM.

CRs-fixed: 2395418
Change-Id: Id8b08c827735e826e0cd220b2d380092058992a8

qva/private/dataservice_app.te

@@ -0,0 +1,35 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+add_service(dataservice_app, dpmservice)
+allow dataservice_app system_app_data_file:dir create_dir_perms;
+allow dataservice_app dpmd_socket:sock_file write;
+allow dataservice_app dpmd_data_file:dir rw_dir_perms;
+allow dataservice_app dpmd_data_file:file create_file_perms;
+unix_socket_connect(dataservice_app,dpmd,dpmd);
+set_prop(dataservice_app, persist_dpm_prop)

qva/private/file_contexts

@@ -32,7 +32,6 @@
 ####### dev/socket files ##########
 /dev/socket/seempdw                 u:object_r:seempdw_socket:s0
 /dev/socket/dpmd                                u:object_r:dpmd_socket:s0
-/dev/socket/dpmwrapper                          u:object_r:dpmwrapper_socket:s0
 /dev/socket/tcm                                 u:object_r:dpmtcm_socket:s0
 /dev/socket/qvrservice                          u:object_r:qvrd_socket:s0
 /dev/socket/qvrservice_camera                   u:object_r:qvrd_socket:s0
@@ -42,7 +41,7 @@
 
 ####### system file ###############
 /system/bin/seempd                              u:object_r:seempd_exec:s0
-/system/bin/dpmd                                u:object_r:dpmd_exec:s0
+/system/product/bin/dpmd                        u:object_r:dpmd_exec:s0
 /system/bin/dun-server                          u:object_r:dun-server_exec:s0
 /system/bin/bt_logger                           u:object_r:bt_logger_exec:s0
 /system/bin/smcinvoked                          u:object_r:smcinvoke_daemon_exec:s0

qva/private/mediaprovider.te

@@ -26,5 +26,4 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 allow mediaprovider dpmtcm_socket:sock_file w_file_perms;
-allow mediaprovider dpmwrapper_socket:sock_file w_file_perms;
 allow mediaprovider dpmd:unix_stream_socket connectto;

qva/private/platform_app.te

@@ -32,7 +32,7 @@ allow platform_app cne_service:service_manager find;
 
 # Allow dpmservice to be found
 allow platform_app dpmservice:service_manager find;
-allow platform_app { dpmd_socket dpmtcm_socket dpmwrapper_socket }:sock_file w_file_perms;
+allow platform_app { dpmd_socket dpmtcm_socket }:sock_file w_file_perms;
 allow platform_app dpmd:unix_stream_socket connectto;
 userdebug_or_eng(`
   r_dir_file(platform_app, seemp_data_file)

qva/private/priv_app.te

@@ -27,5 +27,4 @@
 
 get_prop(priv_app, persist_camera_prop)
 allow priv_app dpmtcm_socket:sock_file w_file_perms;
-allow priv_app dpmwrapper_socket:sock_file w_file_perms;
 allow priv_app dpmd:unix_stream_socket connectto;

qva/private/service_contexts

@@ -25,6 +25,7 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+dpmservice                                     u:object_r:dpmservice:s0
 MinkBinderSvc                                  u:object_r:MinkBinderSvc:s0
 vendor.perfservice                             u:object_r:vendor_perf_service:s0
 sms-sec                                        u:object_r:radio_service:s0

qva/private/system_app.te

@@ -33,7 +33,6 @@ allow system_app seemp_data_file:{ file fifo_file } rw_file_perms;
 binder_call(system_app, seempd)
 
 allow system_app dpmtcm_socket:sock_file w_file_perms;
-allow system_app dpmwrapper_socket:sock_file w_file_perms;
 allow system_app dpmd:unix_stream_socket connectto;
 allow system_app color_service:service_manager add;
 get_prop(system_app, bluetooth_prop);

qva/private/system_server.te

@@ -37,7 +37,7 @@ unix_socket_send(system_server, seempdw, seempd)
 #Allow system server to get mirrorlink connection status prop
 get_prop(system_server, vendor_mirrorlink_prop)
 unix_socket_connect(system_server, dpmd, dpmd);
-allow system_server { dpmd_socket dpmtcm_socket dpmwrapper_socket }:sock_file w_file_perms;
+allow system_server { dpmd_socket dpmtcm_socket }:sock_file w_file_perms;
 
 allow system_server dpmd_data_file:dir create_dir_perms;
 allow system_server dpmd_data_file:file create_file_perms;

qva/private/untrusted_app.te

@@ -27,7 +27,6 @@
 
 unix_socket_connect(untrusted_app,dpmtcm, dpmd);
 allow untrusted_app dpmtcm_socket:sock_file w_file_perms;
-allow untrusted_app dpmwrapper_socket:sock_file w_file_perms;
 allow untrusted_app dpmd:unix_stream_socket connectto;
 userdebug_or_eng(`
   r_dir_file(untrusted_app, seemp_data_file)

qva/private/untrusted_app_all.te

@@ -0,0 +1,28 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+unix_socket_connect(untrusted_app_all, dpmtcm, dpmd)

qva/vendor/common/dpmd.te

@@ -0,0 +1,46 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Add netutils support to install iptables
+use_netutils(dpmd)
+
+get_prop(dpmd, persist_dpm_prop)
+
+wakelock_use(dpmd)
+
+r_dir_file(dpmd, sysfs_data)
+
+#Allow dpmd to connect to hal_dpmQMiMgr
+allow dpmd hal_dpmqmi_hwservice:hwservice_manager find;
+get_prop(dpmd, hwservicemanager_prop)
+binder_call(dpmd,hal_dpmQmiMgr)
+hwbinder_use(dpmd)
+
+#diag
+userdebug_or_eng(`
+    diag_use(dpmd)
+')

qva/vendor/common/file_contexts

@@ -50,6 +50,8 @@
 ###################################
 # System files
 #
+
+/(vendor|system/vendor)/bin/dpmQmiMgr                                              u:object_r:hal_dpmQmiMgr_exec:s0
 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti             u:object_r:hal_keymaster_qti_exec:s0
 /vendor/bin/hw/android\.hardware\.drm@1\.1-service.clearkey                        u:object_r:hal_drm_clearkey_exec:s0
 /vendor/bin/hw/vendor\.nxp\.hardware\.nfc@1\.1-service                             u:object_r:hal_nfc_default_exec:s0

qva/vendor/common/hal_dpmQmiMgr.te

@@ -0,0 +1,65 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#dpmQmiMgr as domain
+type hal_dpmQmiMgr, domain;
+type hal_dpmQmiMgr_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_dpmQmiMgr)
+
+net_domain(hal_dpmQmiMgr)
+
+#Add hal_dpmQMiMgr as hwservice
+add_hwservice(hal_dpmQmiMgr, hal_dpmqmi_hwservice)
+
+#Allow hwbinder usage
+hwbinder_use(hal_dpmQmiMgr)
+
+#Allow to get hwservice_prop
+get_prop(hal_dpmQmiMgr, hwservicemanager_prop)
+
+#Allow binder call from dpmd
+binder_call(hal_dpmQmiMgr,dpmd)
+
+#sysfs_data file permissions
+allow hal_dpmQmiMgr sysfs_data:file r_file_perms;
+
+#Allow reading proc/net entries
+r_dir_file(hal_dpmQmiMgr,proc_net)
+r_dir_file(hal_dpmQmiMgr,proc_net_tcp_udp)
+
+#Allow creating socket and IOCTLs
+allow hal_dpmQmiMgr self:{ socket qipcrtr_socket udp_socket } create_socket_perms_no_ioctl;
+
+#Rules below are needed to communicate with IPC_ROUTER for QMI
+allowxperm hal_dpmQmiMgr self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+allow hal_dpmQmiMgr self:capability net_bind_service;
+allowxperm hal_dpmQmiMgr self:udp_socket ioctl priv_sock_ioctls;
+
+userdebug_or_eng(`
+    diag_use(hal_dpmQmiMgr)
+')

qva/vendor/common/hal_wifi_supplicant.te

@@ -27,3 +27,4 @@
 
 # Allow write to proc_net.
 allow hal_wifi_supplicant_default proc_net:file write;
+allow hal_wifi_supplicant_default wifi_vendor_data_file:dir rw_dir_perms;

qva/vendor/common/hwservice.te

@@ -25,6 +25,7 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+type hal_dpmqmi_hwservice, hwservice_manager_type;
 type hal_iop_hwservice, hwservice_manager_type;
 type hal_mirrorlink_hwservice, hwservice_manager_type;
 type hal_pasrmanager_hwservice, hwservice_manager_type;

qva/vendor/common/hwservice_contexts

@@ -38,6 +38,7 @@ vendor.qti.hardware.mlshal::IMlsDap                          u:object_r:hal_mirr
 vendor.qti.hardware.mlshal::IMlsVnc                          u:object_r:hal_mirrorlink_hwservice:s0
 vendor.qti.power.pasrmanager::IPasrManager                   u:object_r:hal_pasrmanager_hwservice:s0
 com.qualcomm.qti.bluetooth_audio::IBluetoothAudio            u:object_r:hal_audio_hwservice:s0
+com.qualcomm.qti.dpm.api::IdpmQmi                            u:object_r:hal_dpmqmi_hwservice:s0
 vendor.qti.hardware.audiohalext::IAudioHalExt                u:object_r:hal_audio_hwservice:s0
 vendor.qti.gnss::ILocHidlGnss                                u:object_r:hal_gnss_hwservice:s0
 vendor.nxp.hardware.nfc::INqNfc                              u:object_r:hal_nfc_hwservice:s0
@@ -54,4 +55,3 @@ vendor.qti.esepowermanager::IEsePowerManager                 u:object_r:hal_esep
 vendor.qti.hardware.wifi.supplicant::ISupplicantVendor       u:object_r:hal_wifi_supplicant_hwservice:s0
 vendor.qti.hardware.factory::IFactory                        u:object_r:vendor_hal_factory_qti_hwservice:s0
 vendor.qti.hardware.cvp::ICvp                                u:object_r:hal_cvp_hwservice:s0
-