DataService: Defining policies for CNE/DPM/UCE

- adding policies and permissions for UCE HAL service
  and UCE HAL client to run and execute.
- Separate system partition sepolicy and hal macros
  from vendor partition for dataservice_app and DPM.

CRs-fixed: 2019046
Change-Id: I4460dc2542bec0812ba40e28176475877a1e9797

common/cnd.te

@@ -13,12 +13,6 @@ allow cnd smem_log_device:chr_file rw_file_perms;
 
 # allow cnd the following capability
 allow cnd self:capability {
-    setuid
-    setgid
-    dac_override
-    net_raw
-    chown
-    fsetid
     net_admin
     sys_module
     net_bind_service
@@ -51,12 +45,13 @@ allow cnd cnd_data_file:dir rw_dir_perms;
 qmux_socket(cnd)
 
 # allow cnd to access wpa_socket
-# comment this out for now to resolve compilation
-#unix_socket_send(cnd, wpa, wpa)
+unix_socket_send(cnd, wpa, hal_wifi_supplicant)
 allow cnd wpa_socket:dir rw_dir_perms;
 allow cnd wpa_socket:sock_file { create unlink setattr };
 allow cnd wifi_data_file:dir r_dir_perms;
 
+allow cnd wifi_vendor_data_file:dir r_dir_perms;
+
 # allow cnd to obtain wakelock
 wakelock_use(cnd)
 
@@ -98,3 +93,9 @@ allow cnd self:socket ioctl;
 allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;
 allow cnd sysfs:file r_file_perms;
 allow cnd sysfs_data:file r_file_perms;
+
+add_hwservice(cnd, hal_cne_hwservice)
+hwbinder_use(cnd)
+get_prop(cnd, hwservicemanager_prop)
+binder_call(cnd, dataservice_app)
+binder_call(cnd, ims)

common/dataservice_app.te

@@ -25,38 +25,21 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-
-#adding mlstrustedsubject to domain to allow access to /proc/<pid>/stat
-type dataservice_app, domain, mlstrustedsubject;
-app_domain(dataservice_app)
-net_domain(dataservice_app)
-
-#allow dataservice_app { qtitetherservice_service dpmservice cne_service } :service_manager { add find } ;
-#allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find;
 set_prop(dataservice_app, persist_dpm_prop)
-
 set_prop(dataservice_app, sys_usb_tethering_prop)
 
-allow dataservice_app self:socket create_socket_perms;
-allowxperm dataservice_app self:socket ioctl msm_sock_ipc_ioctls;
-unix_socket_connect(dataservice_app, netd, netd);
-qmux_socket(dataservice_app);
-
-allow dataservice_app dpmd_socket:sock_file write;
-allow dataservice_app dpmd_data_file:dir rw_dir_perms;
-allow dataservice_app dpmd_data_file:file create_file_perms;
+allow dataservice_app sysfs_data:file r_file_perms;
 allow dataservice_app ipa_dev:chr_file rw_file_perms;
-#allow dataservice_app system_app_data_file:dir create_dir_perms;
-#allow dataservice_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-allow dataservice_app wcnss_service_exec:file rx_file_perms;
-
-#don't audit /proc/<pid>/stat denials
-dontaudit dataservice_app domain:dir r_dir_perms;
-
-#allow dpmservice to get running time for apps
-r_dir_file(dataservice_app, appdomain)
 
 userdebug_or_eng(`
   diag_use(dataservice_app)
 ')
+
+allow dataservice_app hal_cne_hwservice:hwservice_manager find;
+binder_call(dataservice_app, cnd)
+
+allow dataservice_app hal_imsrcsd_hwservice:hwservice_manager find;
+binder_call(dataservice_app, hal_rcsservice)
+
+allow dataservice_app cnd_data_file:file r_file_perms;
+allow dataservice_app cnd_data_file:dir search;

common/dpmd.te

@@ -1,17 +1,18 @@
 #dpmd as domain
-type dpmd, domain, mlstrustedsubject;
-type dpmd_exec, exec_type, vendor_file_type, file_type;
-file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
-init_daemon_domain(dpmd)
-net_domain(dpmd)
-allow dpmd {
-    dpmd_exec
-    system_file
-}:file x_file_perms;
+#type dpmd, domain, mlstrustedsubject;
+#type dpmd_exec, exec_type, vendor_file_type, file_type;
+#file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
+#init_daemon_domain(dpmd)
+#net_domain(dpmd)
+#allow dpmd {
+ #   dpmd_exec
+ #   system_file
+#}:file x_file_perms;
 
 #allow dpmd to access dpm_data_file
-allow dpmd dpmd_data_file:file create_file_perms;
-allow dpmd dpmd_data_file:dir create_dir_perms;
+
+#allow dpmd dpmd_data_file:file create_file_perms;
+#allow dpmd dpmd_data_file:dir create_dir_perms;
 
 allow dpmd persist_dpm_prop:file r_file_perms;
 
@@ -21,39 +22,39 @@ allow dpmd sysfs_data:dir r_dir_perms;
 
 allow dpmd sysfs_data:file r_file_perms;
 
-r_dir_file(dpmd,proc_net)
+#r_dir_file(dpmd,proc_net)
 
-allow dpmd self:capability {
-    setuid
-    setgid
-    dac_override
-    net_raw chown
-    fsetid
-    net_admin
-    sys_module
-};
+#allow dpmd self:capability {
+ #   setuid
+  #  setgid
+   # dac_override
+#    net_raw chown
+ #   fsetid
+  #  net_admin
+   # sys_module
+#}; #Need to check on it . It was present earlier
 
 #socket, self
 allow dpmd smem_log_device:chr_file rw_file_perms;
-wakelock_use(dpmd)
+#wakelock_use(dpmd) # it was present earlier
 
 set_prop(dpmd, system_prop)
 set_prop(dpmd, ctl_default_prop)
 #misc.
-allow dpmd vendor_shell_exec:file rx_file_perms;
+#allow dpmd vendor_shell_exec:file rx_file_perms;
 
 #permission to unlink dpmwrapper socket
-allow dpmd socket_device:dir remove_name;
+#allow dpmd socket_device:dir remove_name;
 
 #permission to communicate with cnd_socket for installing iptable rules
-unix_socket_connect(dpmd, cnd, cnd);
+#unix_socket_connect(dpmd, cnd, cnd);
 
 #allow dpmd to create socket
-allow dpmd self:socket create_socket_perms_no_ioctl;
-allow dpmd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
+#allow dpmd self:socket create_socket_perms_no_ioctl;
+#allow dpmd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
 
 #allow dpmd to write to /proc/net/sys
-allow dpmd proc_net:file write;
+#allow dpmd proc_net:file write;
 
 #allow dpmd get appname and use inet socket.
 #dpmd_socket_perm(appdomain)

common/file.te

@@ -15,9 +15,9 @@ type cnd_socket, file_type, mlstrustedobject;
 type cnd_data_file, file_type;
 
 # Define dpmd data file type
-type dpmd_socket, file_type;
-type dpmwrapper_socket, file_type, mlstrustedobject;
-type dpmd_data_file, file_type, data_file_type;
+#type dpmd_socket, file_type;
+#type dpmwrapper_socket, file_type, mlstrustedobject;
+#type dpmd_data_file, file_type, data_file_type;
 #typealias system_app_data_file alias dpmd_app_data_file;
 #typealias system_app_data_file alias qtitetherservice_app_data_file;
 

common/file_contexts

@@ -115,8 +115,8 @@
 /dev/socket/iop                                 u:object_r:iop_socket:s0
 /dev/socket/qlogd                               u:object_r:qlogd_socket:s0
 /dev/socket/ipacm_log_file                      u:object_r:ipacm_socket:s0
-/dev/socket/dpmd                                u:object_r:dpmd_socket:s0
-/dev/socket/dpmwrapper                          u:object_r:dpmwrapper_socket:s0
+#/dev/socket/dpmd                                u:object_r:dpmd_socket:s0
+#/dev/socket/dpmwrapper                          u:object_r:dpmwrapper_socket:s0
 /dev/socket/pps                                 u:object_r:pps_socket:s0
 /dev/socket/rild2                               u:object_r:rild_socket:s0
 /dev/socket/rild2-debug                         u:object_r:rild_debug_socket:s0
@@ -222,7 +222,7 @@
 /(vendor|system/vendor)/bin/ipacm                               u:object_r:ipacm_exec:s0
 /(vendor|system/vendor)/bin/ipacm-diag          u:object_r:ipacm-diag_exec:s0
 /(vendor|system/vendor)/bin/dpmQmiMgr           u:object_r:hal_dpmQmiMgr_exec:s0
-/(vendor|system/vendor)/bin/dpmd                                u:object_r:dpmd_exec:s0
+#/(vendor|system/vendor)/bin/dpmd                                u:object_r:dpmd_exec:s0
 /(vendor|system/vendor)/bin/ssr_setup           u:object_r:ssr_setup_exec:s0
 /(vendor|system/vendor)/bin/subsystem_ramdump   u:object_r:subsystem_ramdump_exec:s0
 /(vendor|system/vendor)/bin/ssr_diag            u:object_r:ssr_diag_exec:s0
@@ -281,6 +281,7 @@
 /(vendor|system/vendor)/bin/hw/vendor\.nxp\.hardware\.nfc@1\.0-service     u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/qdmastatsd          u:object_r:qdmastatsd_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.alarm@1\.0-service      u:object_r:hal_alarm_qti_default_exec:s0
+/(vendor|system/vendor)/bin/imsrcsd             u:object_r:hal_rcsservice_exec:s0
 
 ###################################
 # sysfs files
@@ -379,7 +380,7 @@
 /data/misc/iop(/.*)?                                                u:object_r:iop_data_file:s0
 /data/vendor/display(/.*)?                                          u:object_r:display_misc_file:s0
 /data/misc/ipa(/.*)?                                                u:object_r:ipacm_data_file:s0
-/data/dpm(/.*)?                                                     u:object_r:dpmd_data_file:s0
+#/data/dpm(/.*)?                                                     u:object_r:dpmd_data_file:s0
 /data/misc/qsee(/.*)?                                               u:object_r:data_qsee_file:s0
 /data/misc/spss(/.*)?                                               u:object_r:spss_data_file:s0
 /data/vendor/location(/.*)?                                         u:object_r:location_data_file:s0
@@ -493,7 +494,7 @@
 #Loaded by native loader (zygote) for all processes
 /vendor/lib(64)?/libhalide_hexagon_host\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libadsprpc\.so             u:object_r:same_process_hal_file:s0
-
+/vendor/lib(64)?/libdiag\.so                u:object_r:same_process_hal_file:s0
 ###################################
 # firmware images
 #

common/hal_rcsservice.te

@@ -0,0 +1,49 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_rcsservice, domain;
+type hal_rcsservice_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(hal_rcsservice)
+net_domain(hal_rcsservice)
+
+# use hwBinder for imsrcsd
+hwbinder_use(hal_rcsservice)
+# add IUceSerive Hidl interface
+add_hwservice(hal_rcsservice, hal_imsrcsd_hwservice)
+get_prop(hal_rcsservice, hwservicemanager_prop)
+
+# allow imsrcsd to connect to imsdatad over socket
+unix_socket_connect(hal_rcsservice, ims, ims)
+
+#diag
+userdebug_or_eng(`
+  diag_use(hal_rcsservice)
+')
+
+allow hal_rcsservice sysfs_data:file r_file_perms;

common/hwservice.te

@@ -33,3 +33,5 @@ type hal_dpmqmi_hwservice, hwservice_manager_type;
 type hal_imsrtp_hwservice, hwservice_manager_type;
 type hal_perf_hwservice, hwservice_manager_type;
 type hal_alarm_qti_hwservice, hwservice_manager_type;
+type hal_cne_hwservice, hwservice_manager_type;
+type hal_imsrcsd_hwservice, hwservice_manager_type;

common/hwservice_contexts

@@ -45,3 +45,7 @@ com.qualcomm.qti.ant::IAntHci                                u:object_r:hal_blue
 vendor.qti.hardware.fm::IFmHci                               u:object_r:hal_bluetooth_hwservice:s0
 vendor.qti.hardware.perf::IPerf                              u:object_r:hal_perf_hwservice:s0
 vendor.qti.hardware.alarm::IAlarm                            u:object_r:hal_alarm_qti_hwservice:s0
+com.qualcomm.qti.uceservice::IUceService                     u:object_r:hal_imsrcsd_hwservice:s0
+com.qualcomm.qti.imscmservice::IImsCmService                 u:object_r:hal_imsrcsd_hwservice:s0
+com.quicinc.cne.api::IApiService                             u:object_r:hal_cne_hwservice:s0
+com.quicinc.cne.server::IServer                              u:object_r:hal_cne_hwservice:s0

common/ims.te

@@ -70,3 +70,9 @@ allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
 allowxperm ims self:udp_socket ioctl priv_sock_ioctls;
 allow ims sysfs:file r_file_perms;
 allow ims sysfs_data:file r_file_perms;
+
+hwbinder_use(ims)
+get_prop(ims, hwservicemanager_prop)
+get_prop(ims, qcom_ims_prop)
+allow ims hal_cne_hwservice:hwservice_manager find;
+binder_call(ims, cnd)

common/mmi.te

@@ -112,7 +112,7 @@ allow mmi kmsg_device:chr_file rw_file_perms;
 
 #mmi test
 unix_socket_connect(mmi, cnd, cnd);
-unix_socket_connect(mmi, dpmwrapper, dpmd);
+#unix_socket_connect(mmi, dpmwrapper, dpmd);
 unix_socket_connect(mmi, netmgrd, netmgrd);
 net_domain(mmi);
 

common/platform_app.te

@@ -11,6 +11,8 @@ binder_call(platform_app, secotad)
 # Allow platform apps to interact with imscm daemon
 binder_call(platform_app, imscm)
 allow platform_app imscm_service:service_manager find;
+
+allow platform_app imsuce_service:service_manager find;
 allow platform_app color_service:service_manager find;
 
 # Allow NFC service to be found
@@ -19,9 +21,6 @@ allow platform_app nfc_service:service_manager find;
 #Allow platform apps to interact with seemp health daemon
 binder_call(platform_app, seemp_health_daemon)
 
-# Allow cneservice to be found
-allow platform_app cne_service:service_manager find;
-
 # Allow gba_auth_service to be found
 allow platform_app gba_auth_service:service_manager find;
 
@@ -29,6 +28,5 @@ allow platform_app gba_auth_service:service_manager find;
 hal_client_domain(platform_app, hal_hbtp)
 
 # Allow dpmservice to be found
-allow platform_app dpmservice:service_manager find;
 #get_prop(platform_app, bluetooth_prop)
 get_prop(platform_app, debug_gralloc_prop)

common/radio.te

@@ -1,8 +1,6 @@
 # IMS needs permission to use avtimer
 allow radio avtimer_device:chr_file r_file_perms;
 
-allow radio uce_service:service_manager { add find };
-
 allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find;
 #diag
 userdebug_or_eng(`

common/service.te

@@ -1,14 +1,13 @@
 type iqfp_service,                service_manager_type;
 type qfp_proxy_service,           service_manager_type;
 type atfwd_service,               service_manager_type;
-type dpmservice,                  service_manager_type;
-type cne_service,                 service_manager_type;
 type fidodaemon_service,          service_manager_type;
 type seemp_health_daemon_service, service_manager_type;
 type secotad_service,             service_manager_type;
 type wbc_service,                 service_manager_type;
 type dun_service,                 service_manager_type;
 type imscm_service,               system_api_service, service_manager_type;
+type imsuce_service,              system_api_service, service_manager_type;
 type color_service,               service_manager_type;
 type improve_touch_service,       service_manager_type;
 type wfdservice_service,          service_manager_type;
@@ -18,6 +17,5 @@ type gba_auth_service,            service_manager_type;
 type izat_service,                app_api_service, system_api_service, service_manager_type;
 type mdtpdaemon_service,          service_manager_type;
 type qtitetherservice_service,    service_manager_type;
-type uce_service,                 service_manager_type;
 type wigigp2p_service,            app_api_service, system_server_service, service_manager_type;
 type wigig_service,               app_api_service, system_server_service, service_manager_type;

common/service_contexts

@@ -25,9 +25,7 @@
 android.apps.IQfpService                       u:object_r:iqfp_service:s0
 android.apps.IQfpAndroidService                u:object_r:qfp_proxy_service:s0
 AtCmdFwd                                       u:object_r:atfwd_service:s0
-dpmservice                                     u:object_r:dpmservice:s0
 listen.service                                 u:object_r:mediaserver_service:s0
-cneservice                                     u:object_r:cne_service:s0
 gbahttpauth                                    u:object_r:gba_auth_service:s0
 com.qualcomm.qti.auth.fidocryptodaemon         u:object_r:fidodaemon_service:s0
 wbc_service                                    u:object_r:wbc_service:s0
@@ -49,7 +47,7 @@ com.qualcomm.qti.secota.service.SecotaNService u:object_r:secotad_service:s0
 mdtp                                           u:object_r:mdtpdaemon_service:s0
 qtitetherservice                               u:object_r:qtitetherservice_service:s0
 com.qualcomm.qti.seemp.health                  u:object_r:seemp_health_daemon_service:s0
-uce                                            u:object_r:uce_service:s0
+com.qualcomm.qti.uceservice                    u:object_r:imsuce_service:s0
 wigigp2p                                       u:object_r:wigigp2p_service:s0
 wigig                                          u:object_r:wigig_service:s0
 # DOLBY_START

common/system_server.te

@@ -32,7 +32,7 @@ allow system_server {
     wbc_service
     # Allow system_server to add digital pen system service
     usf_service
-    dpmservice
+    #dpmservice
 }:service_manager add;
 
 allow system_server qtitetherservice_service:service_manager find;
@@ -54,8 +54,8 @@ unix_socket_connect(system_server, iop, dumpstate)
 # allow  system/framework applications to update the dpmd configuration files
 #unix_socket_connect(system_server, dpmd, dpmd);
 #allow system_server { dpmd_socket socket_device }:sock_file w_file_perms;
-allow system_server dpmd_data_file:dir create_dir_perms;
-allow system_server dpmd_data_file:file create_file_perms;
+#allow system_server dpmd_data_file:dir create_dir_perms;
+#allow system_server dpmd_data_file:file create_file_perms;
 
 #unix_socket_send(system_server, mpctl, perfd)
 #unix_socket_connect(system_server, mpctl, perfd)

common/wfdservice.te

@@ -83,7 +83,7 @@ allow wfdservice self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl
 
 # Allow it to use perflock
 allow wfdservice mpctl_socket:dir r_dir_perms;
-allow wfdservice dpmservice:service_manager add;
+#allow wfdservice dpmservice:service_manager add;
 unix_socket_send(wfdservice, mpctl, perfd)
 unix_socket_connect(wfdservice, mpctl, perfd)
 unix_socket_send(wfdservice, mpctl, mpdecision)

private/dataservice_app.te

@@ -0,0 +1,59 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute dataservice_app coredomain;
+app_domain(dataservice_app)
+net_domain(dataservice_app)
+
+add_service(dataservice_app, cne_service)
+add_service(dataservice_app, uce_service)
+add_service(dataservice_app, dpmservice)
+
+allow dataservice_app {
+    app_api_service
+    system_api_service
+    audioserver_service
+    radio_service
+}:service_manager find;
+
+allow dataservice_app system_app_data_file:dir create_dir_perms;
+allow dataservice_app system_app_data_file:{ file lnk_file } create_file_perms;
+allow dataservice_app dpmd_socket:sock_file write;
+allow dataservice_app dpmd_data_file:dir rw_dir_perms;
+allow dataservice_app dpmd_data_file:file create_file_perms;
+
+#don't audit /proc/<pid>/stat denials
+dontaudit dataservice_app domain:dir r_dir_perms;
+
+#allow dpmservice to get running time for apps
+r_dir_file(dataservice_app, appdomain)
+
+allow dataservice_app self:socket create_socket_perms;
+allowxperm dataservice_app self:socket ioctl msm_sock_ipc_ioctls_system;
+unix_socket_connect(dataservice_app, netd, netd);
+unix_socket_connect(dataservice_app,dpmd,dpmd);
+hwbinder_use(dataservice_app)

private/dpmd.te

@@ -0,0 +1,114 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#dpmd as domain
+#type dpmd, domain,mlstrustedsubject;
+
+typeattribute dpmd coredomain;
+
+#type dpmd_exec, exec_type, file_type, file_type;
+#file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
+#init_daemon_domain(dpmd)
+domain_auto_trans(init, dpmd_exec, dpmd)
+net_domain(dpmd)
+
+allow dpmd {
+    dpmd_exec
+    system_file
+}:file x_file_perms;
+
+#allow dpmd to access dpm_data_file
+allow dpmd dpmd_data_file:file create_file_perms;
+allow dpmd dpmd_data_file:dir create_dir_perms;
+
+#allow dpmd persist_dpm_prop:file r_file_perms;
+
+#allow dpmd sysfs_wake_lock:file rw_file_perms;
+
+#allow dpmd sysfs_data:dir r_dir_perms;
+
+#allow dpmd sysfs_data:file r_file_perms;
+
+r_dir_file(dpmd,proc_net)
+
+allow dpmd self:capability {
+    setuid
+    setgid
+    dac_override
+    net_raw chown
+    fsetid
+    net_admin
+    sys_module
+};
+
+#socket, self
+#allow dpmd smem_log_device:chr_file rw_file_perms;
+#wakelock_use(dpmd)
+
+#set_prop(dpmd, system_prop)
+#set_prop(dpmd, ctl_default_prop)
+#misc.
+allow dpmd shell_exec:file rx_file_perms;
+
+#permission to unlink dpmwrapper socket
+allow dpmd socket_device:dir remove_name;
+
+#permission to communicate with cnd_socket for installing iptable rules
+#unix_socket_connect(dpmd, cnd, cnd);
+
+#allow dpmd to create socket
+allow dpmd self:socket create_socket_perms_no_ioctl;
+allow dpmd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
+
+#allow dpmd to write to /proc/net/sys
+allow dpmd proc_net:file write;
+
+#allow dpmd get appname and use inet socket.
+#dpmd_socket_perm(appdomain)
+#dpmd_socket_perm(system_server)
+#dpmd_socket_perm(mediaserver)
+#dpmd_socket_perm(mtp)
+#dpmd_socket_perm(wfdservice)
+#dpmd_socket_perm(drmserver)
+#dpmd_socket_perm(netd)
+
+#explicitly allow udp socket permissions for appdomain
+#allow dpmd appdomain:udp_socket rw_socket_perms;
+
+#Allow dpmd to acquire lock for iptables
+#allow dpmd system_file:file lock;
+
+#Allow dpmd to connect to hal_dpmQMiMgr
+#allow dpmd hal_dpmqmi_hwservice:hwservice_manager find;
+#get_prop(dpmd, hwservicemanager_prop)
+#binder_call(dpmd,hal_dpmQmiMgr)
+#hwbinder_use(dpmd)
+
+#diag
+#userdebug_or_eng(`
+#    diag_use(dpmd)
+#')

private/file.te

@@ -27,3 +27,7 @@
 
 type seemp_data_file, core_data_file_type, file_type;
 type seempdw_socket, file_type, mlstrustedobject;
+type dpmwrapper_socket, file_type, mlstrustedobject;
+
+type dpmd_socket, file_type;
+type dpmd_data_file, file_type, data_file_type;

private/file_contexts

@@ -31,9 +31,13 @@
 
 ####### dev/socket files ##########
 /dev/socket/seempdw                             u:object_r:seempdw_socket:s0
+/dev/socket/dpmd                                u:object_r:dpmd_socket:s0
+/dev/socket/dpmwrapper                          u:object_r:dpmwrapper_socket:s0
 
 ####### system file ###############
 /system/bin/seempd                              u:object_r:seempd_exec:s0
+/system/bin/dpmd                                u:object_r:dpmd_exec:s0
 
 ####### data files ################
 /data/misc/seemp(/.*)?                          u:object_r:seemp_data_file:s0
+/data/dpm(/.*)?                                 u:object_r:dpmd_data_file:s0

private/ioctl_defines

@@ -0,0 +1,34 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
+define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
+define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
+define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
+define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
+define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
+define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')

private/ioctl_macros

@@ -0,0 +1,35 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+define(`msm_sock_ipc_ioctls_system', `{
+IPC_ROUTER_IOCTL_GET_VERSION
+IPC_ROUTER_IOCTL_GET_MTU
+IPC_ROUTER_IOCTL_LOOKUP_SERVER
+IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
+IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
+IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
+}')

private/platform_app.te

@@ -25,6 +25,12 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+# Allow cneservice to be found
+allow platform_app cne_service:service_manager find;
+
+# Allow dpmservice to be found
+allow platform_app dpmservice:service_manager find;
+
 userdebug_or_eng(`
   r_dir_file(platform_app, seemp_data_file)
   allow platform_app seemp_data_file: file w_file_perms;

private/radio.te

@@ -0,0 +1,28 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow radio uce_service:service_manager find;

private/service.te

@@ -26,3 +26,6 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 type seemp_service,               service_manager_type;
+type cne_service,                 service_manager_type;
+type dpmservice,                  service_manager_type;
+type uce_service,                 service_manager_type;

private/service_contexts

@@ -28,3 +28,6 @@
 qti.security.seemp                             u:object_r:seemp_service:s0
 seempservice                                   u:object_r:seemp_service:s0
 qti.security.seempspa                          u:object_r:seemp_service:s0
+cneservice                                     u:object_r:cne_service:s0
+dpmservice                                     u:object_r:dpmservice:s0
+uce                                            u:object_r:uce_service:s0

private/system_server.te

@@ -27,3 +27,6 @@
 
 binder_call(system_server, seempd)
 unix_socket_send(system_server, seempdw, seempd)
+
+allow system_server dpmd_data_file:dir create_dir_perms;
+allow system_server dpmd_data_file:file create_file_perms;

public/dataservice_app.te

@@ -0,0 +1,28 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type dataservice_app, domain;

public/dpmd.te

@@ -0,0 +1,31 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type dpmd,domain;
+type dpmd_exec, exec_type, file_type;
+#init_daemon_domain(dpmd)
+#net_domain(dpmd)