Merge tag 'LA.UM.9.14.r1-23600-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr into lineage-21.0-legacy-um

"LA.UM.9.14.r1-23600-LAHAINA.QSSI14.0"

* tag 'LA.UM.9.14.r1-23600-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr:
  Revert "sepolicy: update display boot service rules"
  sepolicy: update display boot service rules
  Sepolicy_vndr : Allow creating IPA FWs
  sepolicy_vndr : bengal: Fix avc denials for wakeup nodes
  Fix avc denials
  BT: Add bluetooth support to access mediametrics service
  sepolicy rules to allow Gnss Hal to access RIL Srv for kona target
  sepolicy rules to allow Gnss Hal to access RIL Srv for holi target
  sepolicy_vndr : lahaina: Fix avc denials for wakeup nodes
  sepolicy_vndr: Suppress QMCS related denial errors in ENG builds
  sepolicy_vndr : Allow vendor_qti_init_shell to set ctl_start_prop
  sepolicy_vndr:qcc: read vendor_qcc_prop
  Aidirector sepolicy changes to run in enforced mode
  sepolicy: Add uio device node
  QGuard: add permission for black screen detector
  sepolicy_vndr: Allow system_server read vendor_persist_camera_prop
  Sepolicy rules to allow Gnss Hal to access ssgtz
  QCM6490.LA.3.1: addressing Modem & ADSP  sysfs wakeup node.

Change-Id: Idc7a655385a67cead68d5802d990d8c4dd6bbc6d

generic/vendor/bengal/hal_gnss_qti.te

@@ -6,4 +6,5 @@
 #Allow Gnss HAL to access ril socket
 allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
 unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
-
+# allows Gnss HAL to access ssgtzd socket
+unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)

generic/vendor/bengal_32go/hal_gnss_qti.te

@@ -6,4 +6,6 @@
 #Allow Gnss HAL to access ril socket
 allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
 unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
+# allows Gnss HAL to access ssgtzd socket
+unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)
 

generic/vendor/common/vold.te

@@ -30,3 +30,6 @@ get_prop(vold, vendor_tee_listener_prop)
 # be needed
 allow vold mnt_vendor_file:dir { open read ioctl };
 allow vold vendor_sysfs_mmc_host:file w_file_perms;
+userdebug_or_eng(`
+   dontaudit vold vendor_qmcs_file:dir { read };
+')

generic/vendor/holi/hal_gnss_qti.te

@@ -0,0 +1,10 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
+
+#Allow Gnss HAL to access ril socket
+allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
+unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
+# allows Gnss HAL to access ssgtzd socket
+unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)

generic/vendor/holi/location.te

@@ -0,0 +1,7 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
+
+# allows location to access ssgtzd socket
+unix_socket_connect(vendor_location, vendor_ssgtzd, vendor_ssgtzd)

generic/vendor/kona/hal_gnss_qti.te

@@ -0,0 +1,10 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
+
+#Allow Gnss HAL to access ril socket
+allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
+unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
+# allows Gnss HAL to access ssgtzd socket
+unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)

generic/vendor/kona/location.te

@@ -0,0 +1,7 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
+
+# allows location to access ssgtzd socket
+unix_socket_connect(vendor_location, vendor_ssgtzd, vendor_ssgtzd)

generic/vendor/lahaina/genfs_contexts

@@ -303,10 +303,13 @@ genfscon sysfs /devices/platform/soc/a300000.qcom,turing/subsys5/wakeup u:object
 genfscon sysfs /devices/platform/soc/8c00000.hsusb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys6/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys5/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys7/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys5/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys4/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys6/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/1103_00.01.00/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/ae94000.qcom,mdss_dsi_ctrl0/uio/uio1/name u:object_r:vendor_sysfs_uio_file:s0
 
 # UFS
 genfscon sysfs /devices/platform/soc/1d84000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/discard_max_bytes u:object_r:vendor_sysfs_mmc_host:s0

generic/vendor/lahaina/hal_gnss_qti.te

@@ -6,4 +6,5 @@
 #Allow Gnss HAL to access ril socket
 allow vendor_hal_gnss_qti vendor_rild_socket:dir search;
 unix_socket_connect(vendor_hal_gnss_qti, vendor_rild, rild)
-
+# allows Gnss HAL to access ssgtzd socket
+unix_socket_connect(vendor_hal_gnss_qti, vendor_ssgtzd, vendor_ssgtzd)

generic/vendor/test/qguard.te

@@ -36,7 +36,7 @@ userdebug_or_eng(`
   allow vendor_qguard domain:process { signal sigstop sigkill };
 
   # sh
-  allow vendor_qguard { vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
+  #allow vendor_qguard { vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
 
   # look through /proc
   allow vendor_qguard domain:dir r_dir_perms;
@@ -53,4 +53,21 @@ userdebug_or_eng(`
   set_prop(vendor_qguard, powerctl_prop)
 
   dontaudit vendor_qguard default_prop:file read;
+
+  # black screen monitor
+  allow vendor_qguard cgroup:file { read watch };
+  allow vendor_qguard vendor_data_file:file create_file_perms;
+  allow vendor_qguard vendor_data_file:dir create_dir_perms;
+
+  r_dir_file(vendor_qguard, vendor_sysfs_graphics)
+
+  vndbinder_use(vendor_qguard)
+  binder_use(vendor_qguard)
+  binder_call(vendor_qguard, servicemanager)
+
+  allow vendor_qguard vendor_qdisplay_service:service_manager { find };
+
+  hal_client_domain(vendor_qguard, vendor_hal_perf)
+  hal_client_domain(vendor_qguard, hal_graphics_allocator)
+  hal_client_domain(vendor_qguard, hal_graphics_composer)
 ')

legacy/vendor/common/bluetooth.te

@@ -69,6 +69,8 @@ allow bluetooth dun_service:service_manager find;
 
 # for finding wbc_service
 allow bluetooth wbc_service:service_manager find;
+# for finding mediametrics_service
+allow bluetooth mediametrics_service:service_manager find;
 
 # ioctlcmd=c302
 allow bluetooth self:socket ioctl;

qva/vendor/bengal/genfs_contexts

@@ -60,6 +60,7 @@ genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-02/1c40000.q
 
 #PM2250
 genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,pm2250_rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,pm2250_rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/battery u:object_r:vendor_sysfs_battery_supply:s0
 genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/pc_port u:object_r:vendor_sysfs_usb_supply:s0
 genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/usb u:object_r:vendor_sysfs_usb_supply:s0
@@ -75,9 +76,9 @@ genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.q
 genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/power_supply/main/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qpnp,qg/power_supply/bms/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,power-on@800/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,pm2250_rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,pm2250_rtc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm2250@0:qcom,qpnp-smblite/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/4a84000.i2c/i2c-0/0-0064/leds/red u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/4a84000.i2c/i2c-0/0-0064/leds/green u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /devices/platform/soc/4a84000.i2c/i2c-0/0-0064/leds/blue u:object_r:vendor_sysfs_graphics:s0

qva/vendor/bengal/vendor_init.te

@@ -0,0 +1,4 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+allow vendor_init vendor_ipa_dev:file create_file_perms;

qva/vendor/common/bluetooth.te

@@ -39,3 +39,5 @@ hal_client_domain(bluetooth, vendor_hal_qspmhal)
 
 #allow bluetooth to make binder call to gpuservice
 binder_call(bluetooth, gpuservice);
+
+allow bluetooth mediametrics_service:service_manager find;

qva/vendor/common/init_shell.te

@@ -64,5 +64,8 @@ allow vendor_qti_init_shell {
 dontaudit vendor_qti_init_shell default_prop:file read;
 dontaudit vendor_qti_init_shell init:file read;
 
+#Allow vendor_qti_init_shell to set ctl_start_prop
+set_prop(vendor_qti_init_shell, ctl_start_prop)
+
 # Allow vendor_qti_init_shell to set vendor_pasr_prop
 set_prop(vendor_qti_init_shell, vendor_pasr_prop)

qva/vendor/common/qcc_app.te

@@ -30,3 +30,4 @@ hal_client_domain(vendor_qcc_app, vendor_hal_qccvndhal);
 # IPerf
 hal_client_domain(vendor_qcc_app, vendor_hal_perf);
 
+get_prop(vendor_qcc_app, vendor_qcc_prop)

qva/vendor/lahaina/device.te

@@ -26,3 +26,6 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 type vendor_membuf_dev, dev_type;
+
+#aidirector audio device
+type vendor_aid_audio_device, dev_type;

qva/vendor/lahaina/file_contexts

@@ -78,3 +78,6 @@
 # Strongbox-Keymaster HAL 4.1 service
 /vendor/bin/hw/android\.hardware\.keymaster@4\.1-javacard.service                  u:object_r:hal_keymaster_default_exec:s0
 /vendor/bin/init\.qti\.ese\.strongbox\.sh                                          u:object_r:vendor_init-qti-ese-strongbox-sh_exec:s0
+
+#aidirector
+/dev/snd/controlC0  u:object_r:vendor_aid_audio_device:s0

qva/vendor/lahaina/genfs_contexts

@@ -30,3 +30,7 @@ genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0
 
 #power related wake_up Node.
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-08/c440000.qcom,spmi:qcom,pm7250b@2:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
+
+#Modem & ADSP related wakeup nodes.
+genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/3700000.qcom,lpass/subsys4/wakeup u:object_r:sysfs_wakeup:s0

qva/vendor/lahaina/hal_audio_default.te

@@ -0,0 +1,5 @@
+# Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#Allow audio hal access to aid audio node
+allow hal_audio_default vendor_aid_audio_device:chr_file rw_file_perms;

qva/vendor/lahaina/hal_camera.te

@@ -0,0 +1,10 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#Allow base set of permissions for camera hal to be a client of audio hal
+typeattribute hal_camera_default hal_audio_client;
+
+#Allow audio related and read file permissions
+allow hal_camera_default vendor_aid_audio_device:chr_file rw_file_perms;
+allow hal_camera_default audio_device:dir r_dir_perms;
+get_prop(hal_camera_default, vendor_audio_prop)

qva/vendor/lahaina/system_server.te

@@ -0,0 +1,5 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# Allow system_server to read vendor_persist_camera_prop
+get_prop(system_server, vendor_persist_camera_prop)