Merge tag 'LA.UM.9.14.r1-23600-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr into lineage-21.0-legacy-um
"LA.UM.9.14.r1-23600-LAHAINA.QSSI14.0" * tag 'LA.UM.9.14.r1-23600-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr: Revert "sepolicy: update display boot service rules" sepolicy: update display boot service rules Sepolicy_vndr : Allow creating IPA FWs sepolicy_vndr : bengal: Fix avc denials for wakeup nodes Fix avc denials BT: Add bluetooth support to access mediametrics service sepolicy rules to allow Gnss Hal to access RIL Srv for kona target sepolicy rules to allow Gnss Hal to access RIL Srv for holi target sepolicy_vndr : lahaina: Fix avc denials for wakeup nodes sepolicy_vndr: Suppress QMCS related denial errors in ENG builds sepolicy_vndr : Allow vendor_qti_init_shell to set ctl_start_prop sepolicy_vndr:qcc: read vendor_qcc_prop Aidirector sepolicy changes to run in enforced mode sepolicy: Add uio device node QGuard: add permission for black screen detector sepolicy_vndr: Allow system_server read vendor_persist_camera_prop Sepolicy rules to allow Gnss Hal to access ssgtz QCM6490.LA.3.1: addressing Modem & ADSP sysfs wakeup node. Change-Id: Idc7a655385a67cead68d5802d990d8c4dd6bbc6d
commit
4aa876fa77
22 changed files with 110 additions and 6 deletions
3
generic/vendor/bengal/hal_gnss_qti.te
vendored
3
generic/vendor/bengal/hal_gnss_qti.te
vendored
|
@ -6,4 +6,5 @@
|
|||
#Allow Gnss HAL to access ril socket
|
||||
allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
|
||||
unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
|
||||
|
||||
# allows Gnss HAL to access ssgtzd socket
|
||||
unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)
|
||||
|
|
2
generic/vendor/bengal_32go/hal_gnss_qti.te
vendored
2
generic/vendor/bengal_32go/hal_gnss_qti.te
vendored
|
@ -6,4 +6,6 @@
|
|||
#Allow Gnss HAL to access ril socket
|
||||
allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
|
||||
unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
|
||||
# allows Gnss HAL to access ssgtzd socket
|
||||
unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)
|
||||
|
||||
|
|
3
generic/vendor/common/vold.te
vendored
3
generic/vendor/common/vold.te
vendored
|
@ -30,3 +30,6 @@ get_prop(vold, vendor_tee_listener_prop)
|
|||
# be needed
|
||||
allow vold mnt_vendor_file:dir { open read ioctl };
|
||||
allow vold vendor_sysfs_mmc_host:file w_file_perms;
|
||||
userdebug_or_eng(`
|
||||
dontaudit vold vendor_qmcs_file:dir { read };
|
||||
')
|
||||
|
|
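Review bot: The `dontaudit vold vendor_qmcs_file:dir { read };` rule has no comment saying which vold access it silences or why suppression was chosen over fixing the access. Because it sits inside `userdebug_or_eng`, it hides the denial on the builds where policy problems are normally investigated. Add a comment above the macro that names the vold code path touching this directory and states that the access is not needed, for example `# vold only enumerates this dir; read is not required, silence the denial on debug builds`, worded to match the real reason.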
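--- a/generic/vendor/holi/hal_gnss_qti.te
+++ b/generic/vendor/holi/hal_gnss_qti.te
@@ -0,0 +1,10 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
+
+#Allow Gnss HAL to access ril socket
+allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
+unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
+# allows Gnss HAL to access ssgtzd socket
+unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)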
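Review bot: The header comment names `generic/vendor_hal_gnss_qti.te`, which is not this file's path (`generic/vendor/holi/hal_gnss_qti.te`); the new kona copy has the same mismatch. The two `unix_socket_connect` rules let the GNSS HAL open connections to both rild and ssgtzd, yet the comments only restate the rules. A line recording what the HAL requests over each socket would let a later reviewer judge whether each grant is still needed. `generic/vendor/holi/location.te` and `generic/vendor/kona/location.te` add the same ssgtzd grant for `vendor_location` with the same gap.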
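--- a/generic/vendor/holi/location.te
+++ b/generic/vendor/holi/location.te
@@ -0,0 +1,7 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
+
+# allows location to access ssgtzd socket
+unix_socket_connect(vendor_location, vendor_ssgtzd, vendor_ssgtzd)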
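--- a/generic/vendor/kona/hal_gnss_qti.te
+++ b/generic/vendor/kona/hal_gnss_qti.te
@@ -0,0 +1,10 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
+
+#Allow Gnss HAL to access ril socket
+allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
+unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
+# allows Gnss HAL to access ssgtzd socket
+unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)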
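--- a/generic/vendor/kona/location.te
+++ b/generic/vendor/kona/location.te
@@ -0,0 +1,7 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
+
+# allows location to access ssgtzd socket
+unix_socket_connect(vendor_location, vendor_ssgtzd, vendor_ssgtzd)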
3
generic/vendor/lahaina/genfs_contexts
vendored
3
generic/vendor/lahaina/genfs_contexts
vendored
|
@ -303,10 +303,13 @@ genfscon sysfs /devices/platform/soc/a300000.qcom,turing/subsys5/wakeup u:object
|
|||
genfscon sysfs /devices/platform/soc/8c00000.hsusb/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys6/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys5/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys7/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys5/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys4/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys6/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/1103_00.01.00/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/ae94000.qcom,mdss_dsi_ctrl0/uio/uio1/name u:object_r:vendor_sysfs_uio_file:s0
|
||||
|
||||
# UFS
|
||||
genfscon sysfs /devices/platform/soc/1d84000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/discard_max_bytes u:object_r:vendor_sysfs_mmc_host:s0
|
||||
|
|
3
generic/vendor/lahaina/hal_gnss_qti.te
vendored
3
generic/vendor/lahaina/hal_gnss_qti.te
vendored
|
@ -6,4 +6,5 @@
|
|||
#Allow Gnss HAL to access ril socket
|
||||
allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
|
||||
unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
|
||||
|
||||
# allows Gnss HAL to access ssgtzd socket
|
||||
unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)
|
||||
|
|
19
generic/vendor/test/qguard.te
vendored
19
generic/vendor/test/qguard.te
vendored
|
@ -36,7 +36,7 @@ userdebug_or_eng(`
|
|||
allow vendor_qguard domain:process { signal sigstop sigkill };
|
||||
|
||||
# sh
|
||||
allow vendor_qguard { vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
|
||||
#allow vendor_qguard { vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
|
||||
|
||||
# look through /proc
|
||||
allow vendor_qguard domain:dir r_dir_perms;
|
||||
|
@ -53,4 +53,21 @@ userdebug_or_eng(`
|
|||
set_prop(vendor_qguard, powerctl_prop)
|
||||
|
||||
dontaudit vendor_qguard default_prop:file read;
|
||||
|
||||
# black screen monitor
|
||||
allow vendor_qguard cgroup:file { read watch };
|
||||
allow vendor_qguard vendor_data_file:file create_file_perms;
|
||||
allow vendor_qguard vendor_data_file:dir create_dir_perms;
|
||||
|
||||
r_dir_file(vendor_qguard, vendor_sysfs_graphics)
|
||||
|
||||
vndbinder_use(vendor_qguard)
|
||||
binder_use(vendor_qguard)
|
||||
binder_call(vendor_qguard, servicemanager)
|
||||
|
||||
allow vendor_qguard vendor_qdisplay_service:service_manager { find };
|
||||
|
||||
hal_client_domain(vendor_qguard, vendor_hal_perf)
|
||||
hal_client_domain(vendor_qguard, hal_graphics_allocator)
|
||||
hal_client_domain(vendor_qguard, hal_graphics_composer)
|
||||
')
|
||||
|
|
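Review bot: `allow vendor_qguard vendor_data_file:file create_file_perms;` and the matching `vendor_data_file:dir create_dir_perms;` rule in the second hunk give the black screen monitor create, write and unlink rights on the generic `vendor_data_file` type, which is presumably shared by any vendor data without a dedicated label. Even inside `userdebug_or_eng`, a dedicated type for the monitor's own output directory (for example `vendor_qguard_data_file`, name illustrative, with a matching `file_contexts` entry) would limit the grant to files qguard owns. Separately, the first hunk shows the `rx_file_perms` rule for `vendor_shell_exec`/`vendor_toolbox_exec` both live and commented out; the rendering does not show which side is new. If the commented-out copy is the new line, delete the rule together with its `# sh` heading instead of leaving dead policy in the file.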
2
legacy/vendor/common/bluetooth.te
vendored
2
legacy/vendor/common/bluetooth.te
vendored
|
@ -69,6 +69,8 @@ allow bluetooth dun_service:service_manager find;
|
|||
|
||||
# for finding wbc_service
|
||||
allow bluetooth wbc_service:service_manager find;
|
||||
# for finding mediametrics_service
|
||||
allow bluetooth mediametrics_service:service_manager find;
|
||||
|
||||
# ioctlcmd=c302
|
||||
allow bluetooth self:socket ioctl;
|
||||
|
|
7
qva/vendor/bengal/genfs_contexts
vendored
7
qva/vendor/bengal/genfs_contexts
vendored
|
@ -60,6 +60,7 @@ genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-02/1c40000.q
|
|||
|
||||
#PM2250
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,pm2250_rtc/rtc u:object_r:sysfs_rtc:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,pm2250_rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/battery u:object_r:vendor_sysfs_battery_supply:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/pc_port u:object_r:vendor_sysfs_usb_supply:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/usb u:object_r:vendor_sysfs_usb_supply:s0
|
||||
|
@ -75,9 +76,9 @@ genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.q
|
|||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/main/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qpnp,qg/power_supply/bms/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,power-on@800/wakeup/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,pm2250_rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/wakeup/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,pm2250_rtc/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/4a84000.i2c/i2c-0/0-0064/leds/red u:object_r:vendor_sysfs_graphics:s0
|
||||
genfscon sysfs /devices/platform/soc/4a84000.i2c/i2c-0/0-0064/leds/green u:object_r:vendor_sysfs_graphics:s0
|
||||
genfscon sysfs /devices/platform/soc/4a84000.i2c/i2c-0/0-0064/leds/blue u:object_r:vendor_sysfs_graphics:s0
|
||||
|
|
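--- a/qva/vendor/bengal/vendor_init.te
+++ b/qva/vendor/bengal/vendor_init.te
@@ -0,0 +1,4 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+allow vendor_init vendor_ipa_dev:file create_file_perms;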
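Review bot: `allow vendor_init vendor_ipa_dev:file create_file_perms;` carries no comment, and it grants the full create/rename/unlink/write set on class `file` for a type whose name suggests a device node. The commit description ("Allow creating IPA FWs") implies vendor_init only creates the IPA firmware file, so a comment saying that, plus a permission set narrower than `create_file_perms` if creation is all that happens, would make the rule easier to audit. The declaration of `vendor_ipa_dev` is outside this diff, so the object class should be confirmed against it.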
2
qva/vendor/common/bluetooth.te
vendored
2
qva/vendor/common/bluetooth.te
vendored
|
@ -39,3 +39,5 @@ hal_client_domain(bluetooth, vendor_hal_qspmhal)
|
|||
|
||||
#allow bluetooth to make binder call to gpuservice
|
||||
binder_call(bluetooth, gpuservice);
|
||||
|
||||
allow bluetooth mediametrics_service:service_manager find;
|
||||
|
|
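Review bot: `allow bluetooth mediametrics_service:service_manager find;` is added here without a comment, while the identical rule in `legacy/vendor/common/bluetooth.te` in this same commit carries `# for finding mediametrics_service`. As rendered it follows the gpuservice block, so it reads as part of that grant. Add the same one-line comment above it here so the two trees stay consistent.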
3
qva/vendor/common/init_shell.te
vendored
3
qva/vendor/common/init_shell.te
vendored
|
@ -64,5 +64,8 @@ allow vendor_qti_init_shell {
|
|||
dontaudit vendor_qti_init_shell default_prop:file read;
|
||||
dontaudit vendor_qti_init_shell init:file read;
|
||||
|
||||
#Allow vendor_qti_init_shell to set ctl_start_prop
|
||||
set_prop(vendor_qti_init_shell, ctl_start_prop)
|
||||
|
||||
# Allow vendor_qti_init_shell to set vendor_pasr_prop
|
||||
set_prop(vendor_qti_init_shell, vendor_pasr_prop)
|
||||
|
|
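Review bot: `set_prop(vendor_qti_init_shell, ctl_start_prop)` lets the vendor init shell script start any init service whose control property carries the generic `ctl_start_prop` label, not only the one service the script needs. The comment above it restates the rule and does not name that service. I would give that service's control property a dedicated vendor type in `property_contexts` and grant `set_prop` on that type instead. At minimum, name the service in the comment so the intended scope can be reviewed.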
1
qva/vendor/common/qcc_app.te
vendored
1
qva/vendor/common/qcc_app.te
vendored
|
@ -30,3 +30,4 @@ hal_client_domain(vendor_qcc_app, vendor_hal_qccvndhal);
|
|||
# IPerf
|
||||
hal_client_domain(vendor_qcc_app, vendor_hal_perf);
|
||||
|
||||
get_prop(vendor_qcc_app, vendor_qcc_prop)
|
||||
|
|
3
qva/vendor/lahaina/device.te
vendored
3
qva/vendor/lahaina/device.te
vendored
|
@ -26,3 +26,6 @@
|
|||
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
type vendor_membuf_dev, dev_type;
|
||||
|
||||
#aidirector audio device
|
||||
type vendor_aid_audio_device, dev_type;
|
||||
|
|
3
qva/vendor/lahaina/file_contexts
vendored
3
qva/vendor/lahaina/file_contexts
vendored
|
@ -78,3 +78,6 @@
|
|||
# Strongbox-Keymaster HAL 4.1 service
|
||||
/vendor/bin/hw/android\.hardware\.keymaster@4\.1-javacard.service u:object_r:hal_keymaster_default_exec:s0
|
||||
/vendor/bin/init\.qti\.ese\.strongbox\.sh u:object_r:vendor_init-qti-ese-strongbox-sh_exec:s0
|
||||
|
||||
#aidirector
|
||||
/dev/snd/controlC0 u:object_r:vendor_aid_audio_device:s0
|
||||
|
|
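Review bot: `/dev/snd/controlC0 u:object_r:vendor_aid_audio_device:s0` moves the ALSA control node of card 0 off whatever label it had before (presumably `audio_device`), so every domain that opened it under the old type loses access unless it is granted the new one. In this commit only `hal_audio_default` and `hal_camera_default` receive that grant. The `#aidirector` comment does not say that a shared control node is being relabelled, or why it needs a feature-specific type. Please state the intent in the comment and confirm that no other audio client on lahaina opens this node.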
4
qva/vendor/lahaina/genfs_contexts
vendored
4
qva/vendor/lahaina/genfs_contexts
vendored
|
@ -30,3 +30,7 @@ genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0
|
|||
|
||||
#power related wake_up Node.
|
||||
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-08/c440000.qcom,spmi:qcom,pm7250b@2:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
|
||||
|
||||
#Modem & ADSP related wakeup nodes.
|
||||
genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys3/wakeup u:object_r:sysfs_wakeup:s0
|
||||
genfscon sysfs /devices/platform/soc/3700000.qcom,lpass/subsys4/wakeup u:object_r:sysfs_wakeup:s0
|
||||
|
|
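--- a/qva/vendor/lahaina/hal_audio_default.te
+++ b/qva/vendor/lahaina/hal_audio_default.te
@@ -0,0 +1,5 @@
+# Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#Allow audio hal access to aid audio node
+allow hal_audio_default vendor_aid_audio_device:chr_file rw_file_perms;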
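--- a/qva/vendor/lahaina/hal_camera.te
+++ b/qva/vendor/lahaina/hal_camera.te
@@ -0,0 +1,10 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#Allow base set of permissions for camera hal to be a client of audio hal
+typeattribute hal_camera_default hal_audio_client;
+
+#Allow audio related and read file permissions
+allow hal_camera_default vendor_aid_audio_device:chr_file rw_file_perms;
+allow hal_camera_default audio_device:dir r_dir_perms;
+get_prop(hal_camera_default, vendor_audio_prop)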
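Review bot: The comment `#Allow audio related and read file permissions` does not match the rule beneath it, because `rw_file_perms` on `vendor_aid_audio_device:chr_file` also grants write to the ALSA control node. Combined with `typeattribute hal_camera_default hal_audio_client;`, the camera HAL becomes both an audio HAL client and a direct writer of the mixer control device. If the camera HAL only reads state from the node, `r_file_perms` is the narrower grant. If it does write, the comment should say what it writes and why the audio HAL cannot do it on its behalf.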
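--- a/qva/vendor/lahaina/system_server.te
+++ b/qva/vendor/lahaina/system_server.te
@@ -0,0 +1,5 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# Allow system_server to read vendor_persist_camera_prop
+get_prop(system_server, vendor_persist_camera_prop)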