From 942964627a70c857f38c894945e67b8b327d4a00 Mon Sep 17 00:00:00 2001
From: Tushar Patra Jamula
Date: Wed, 17 Apr 2024 15:52:23 +0530
Subject: [PATCH 1/4] sepolicy_vndr: sepolicy rules for SecCam2test app

Change-Id: I7c2db52a48817c3b1acf7c0e028a9ce78a1974fb
Signed-off-by: Tushar Patra Jamula
---
 qva/vendor/msmsteppe/file.te | 3 ++
 qva/vendor/msmsteppe/file_contexts | 8 +++-
 .../msmsteppe/hal_secureprocessor_qti.te | 41 +++++++++++++++++++
 qva/vendor/test/seapp_contexts | 5 +++
 4 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 qva/vendor/msmsteppe/hal_secureprocessor_qti.te

diff --git a/qva/vendor/msmsteppe/file.te b/qva/vendor/msmsteppe/file.te
index ee8c7a94..ec5cce74 100644
--- a/qva/vendor/msmsteppe/file.te
+++ b/qva/vendor/msmsteppe/file.te
@@ -67,3 +67,6 @@ type sysfs_power_imagesize, sysfs_type, fs_type;
 # Proc sys-vm-swappiness file type
 type proc_swappiness, proc_type, fs_type;
+
+#qtee
+type vendor_qtee_data_file, file_type, data_file_type;
diff --git a/qva/vendor/msmsteppe/file_contexts b/qva/vendor/msmsteppe/file_contexts
index cdb922a6..b1e799de 100644
--- a/qva/vendor/msmsteppe/file_contexts
+++ b/qva/vendor/msmsteppe/file_contexts
@@ -27,7 +27,7 @@
 # Changes from Qualcomm Innovation Center are provided under the following license:
 #
-# Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+# Copyright (c) 2022, 2024 Qualcomm Innovation Center, Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted (subject to the limitations in the
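Review bot: The `#qtee` comment above the new `vendor_qtee_data_file` type says nothing about what the type labels or which domain consumes it, which is exactly what a later reviewer of an allow rule on this type needs to know. Within this series the type is applied to `/data/vendor/qtee(/.*)?` in file_contexts and `vendor_hal_secureprocessor_qti` receives directory rw and file create permissions on it, so a comment such as `# /data/vendor/qtee: persistent data of the QTI secure processor HAL (see hal_secureprocessor_qti.te)` would tie the declaration to its only consumer. The old side of this hunk has one more context line than is visible here, so the surrounding file.te may differ slightly from what is shown.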
@@ -75,3 +75,9 @@
 #
 /vendor/bin/hw/vendor\.qti\.hardware\.powerstateservice@1\.0-service u:object_r:vendor_hal_powerstateservice_qti_exec:s0
 /vendor/bin/hw/vendor\.qti\.hardware\.powerstateutility@1\.0-service u:object_r:vendor_hal_powerstateutility_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.secureprocessor.2.0@1\.0 u:object_r:vendor_hal_secureprocessor_qti_exec:s0
+
+###################################
+# Data Files
+#
+/data/vendor/qtee(/.*)? u:object_r:vendor_qtee_data_file:s0
diff --git a/qva/vendor/msmsteppe/hal_secureprocessor_qti.te b/qva/vendor/msmsteppe/hal_secureprocessor_qti.te
new file mode 100644
index 00000000..48461add
--- /dev/null
+++ b/qva/vendor/msmsteppe/hal_secureprocessor_qti.te
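Review bot: In the new executable entry the two dots in `secureprocessor.2.0@1\.0` are unescaped, so each matches any single character, unlike the `\.` used in the rest of the same pattern and in the two powerstate entries directly above it. If the binary is literally named `vendor.qti.hardware.secureprocessor.2.0@1.0` the pattern should read `vendor\.qti\.hardware\.secureprocessor\.2\.0@1\.0`; if the installed name is something else, the entry never matches and the service starts under whatever generic /vendor/bin label applies instead of `vendor_hal_secureprocessor_qti_exec`, which is worth checking with a file_contexts lookup against the built image. Neither `vendor_hal_secureprocessor_qti_exec` nor the `vendor_hal_secureprocessor_qti` domain is declared anywhere in this series, so both presumably come from a shared policy directory; a short comment naming where the domain and its `init_daemon_domain` live would save the next reader that search.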
@@ -0,0 +1,41 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+allow vendor_hal_secureprocessor_qti vendor_qdsp_device:chr_file r_file_perms;
+allow vendor_hal_secureprocessor_qti vendor_xdsp_device:chr_file r_file_perms;
+
+allow vendor_hal_secureprocessor_qti ion_device:chr_file r_file_perms;
+
+allow vendor_hal_secureprocessor_qti vendor_qtee_data_file:dir rw_dir_perms;
+allow vendor_hal_secureprocessor_qti vendor_qtee_data_file:file create_file_perms;
+allow vendor_hal_secureprocessor_qti video_device:chr_file rw_file_perms;
+
+get_prop(vendor_hal_secureprocessor_qti, vendor_adsprpc_prop);
diff --git a/qva/vendor/test/seapp_contexts b/qva/vendor/test/seapp_contexts
index 4bd9dc9d..80fd1092 100755
--- a/qva/vendor/test/seapp_contexts
+++ b/qva/vendor/test/seapp_contexts
@@ -24,6 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 # Add new domain for location test apps
 user=_app seinfo=platform name=com.qualcomm.qct.dlt levelfrom=all domain=vendor_location_app_test type=app_data_file
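Review bot: None of the allow rules in the new file carries a why-comment and the file does not declare `vendor_hal_secureprocessor_qti` itself (no `type ..., domain;`, no `init_daemon_domain`), so a reader cannot tell from this file which process the DSP, ion and video grants are for, or why `video_device` needs `rw_file_perms` while the DSP and ion nodes get only `r_file_perms`. A header such as `# Device and data access for the QTI secure processor HAL (vendor_hal_secureprocessor_qti); domain and exec type are declared outside this file` plus one comment per group (`# DSP nodes: read-only`, `# /data/vendor/qtee: HAL state directory`) would match the per-rule comment style used in qseecomd.te later in this series. If the domain is not in fact declared elsewhere, the `vendor_hal_secureprocessor_qti_exec` file_contexts entry added in the same patch would fail the policy's file_contexts check, so that is the first thing to confirm. The trailing `;` on `get_prop(...)` also differs from the semicolon-less macro calls in qtelephony.te and qseecomd.te; whichever form the repository uses, keep it consistent.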
@@ -34,5 +38,6 @@ user=system seinfo=platform name=com.qualcomm.qti.logkit.lite domain=vendor_logk
 user=_app seinfo=platform domain=vendor_pdt_app name=com.quicinc.framework.debugapp levelfrom=all type=app_data_file
 user=_app seinfo=platform name=com.qualcomm.qti.dualstaapp domain=vendor_dualsta_app type=app_data_file levelFrom=all
 user=_app seinfo=platform name=com.qualcomm.qti.cam2test domain=vendor_sys_seccam2_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.qualcomm.qti.seccam2test domain=vendor_sys_seccam2_app type=app_data_file levelFrom=all
 user=system seinfo=platform name=com.qualcomm.wrd.ue.kpitool.base domain=vendor_cta_app type=system_app_data_file
 user=_app seinfo=platform name=com.qualcomm.aontest domain=aoncameraservice_app type=app_data_file levelFrom=all

From b335f2d0751404c36a543cb025dedd0f213f571f Mon Sep 17 00:00:00 2001
From: Vaishali Rai
Date: Thu, 6 Apr 2023 10:26:06 +0530
Subject: [PATCH 2/4] * sepolicy_vndr: fix for AVC denial for U upgrade targets

* I/auditd ( 963): avc: denied { find } for pid=3614 uid=10149
* name=vendor.qti.ImsRtpService.IRTPService/ImsRtpService
* scontext=u:r:vendor_qtelephony:s0:c149,c256,c512,c768
* tcontext=u:object_r:default_android_service:s0
* tclass=service_manager permissive=0
*
* add dontaudit rule for U upgrades since
* AServiceManager_isDeclared does find operation internally

Change-Id: I820e73f39be4b6f25eda24619abaae9ae92ce34a
(cherry picked from commit 1a332e6b327f5b0e6d2524948dba5f327994e749)
---
 generic/vendor/common/qtelephony.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/generic/vendor/common/qtelephony.te b/generic/vendor/common/qtelephony.te
index 19058e26..c708c47d 100644
--- a/generic/vendor/common/qtelephony.te
+++ b/generic/vendor/common/qtelephony.te
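Review bot: The new entry places `com.qualcomm.qti.seccam2test` in `vendor_sys_seccam2_app`, the same domain the `cam2test` line above already uses, so every rule granted to either test app is granted to both and a future grant for one silently widens the other. A comment making the sharing deliberate would help the next reviewer, e.g. `# cam2test and seccam2test are secure-camera test apps and intentionally share vendor_sys_seccam2_app`. The package name alone does not select the domain: the line is also gated on `seinfo=platform`, so an arbitrary app reusing the package name would not land here, which is worth stating in the same comment given that this file lives under qva/vendor/test.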
@@ -32,5 +32,7 @@ get_prop(vendor_qtelephony, vendor_audio_prop)
 get_prop(vendor_qtelephony, vendor_video_prop)
 allow vendor_qtelephony vendor_hal_imsrtp_hwservice:hwservice_manager find;
+#dontaudit for U upgrade since AServiceManager_isDeclared internally does find
+dontaudit vendor_qtelephony default_android_service:service_manager find;
 binder_call(vendor_qtelephony, vendor_hal_imsrtp)
 hal_client_domain(vendor_qtelephony , vendor_hal_datafactory_qti)

From 205f099dccc4b1aaf941fcbbb2dc978978d8c944 Mon Sep 17 00:00:00 2001
From: Seshu Madhavi Puppala
Date: Sat, 25 May 2024 13:05:48 +0530
Subject: [PATCH 3/4] sepolicy: Add properties to restart keymint and gatekeeper services

The changes includes adding new properties
2)vendor.keymint.quickboot
3)vendor.gatekeeper.quickboot
Add access permission to qseecomd. Using these properties keymint and gatekeeper service will be restarted on hibernate exit.

Test: 1)Device is successfully able to Hibernate enter and exit.
2)Keymint and Gatekeeper service are restarting after Hibernate-exit.

Change-Id: I9e1d8481cfc244a9bfabbf06fc3777ec2f7b6898
---
 qva/vendor/neo/property.te | 37 ++++++++++++++++++++++++++++++++
 qva/vendor/neo/property_contexts | 37 ++++++++++++++++++++++++++++++++
 qva/vendor/neo/qseecomd.te | 10 +++++++++
 3 files changed, 84 insertions(+)
 create mode 100644 qva/vendor/neo/property.te
 create mode 100644 qva/vendor/neo/property_contexts
 create mode 100644 qva/vendor/neo/qseecomd.te

diff --git a/qva/vendor/neo/property.te b/qva/vendor/neo/property.te
new file mode 100644
index 00000000..025d5348
--- /dev/null
+++ b/qva/vendor/neo/property.te
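Review bot: The added `dontaudit vendor_qtelephony default_android_service:service_manager find;` silences the denial for every service that carries the catch-all `default_android_service` label, not only the `vendor.qti.ImsRtpService.IRTPService/ImsRtpService` lookup quoted in the commit message, so any future unlabelled service that vendor_qtelephony probes will be refused without leaving an audit record. Because `AServiceManager_isDeclared` only needs the lookup to fail on upgrade builds, the rule is functionally adequate, but the narrower fix is to give that service its own label in service_contexts and dontaudit (or allow) `find` on that single type. At minimum the comment should name what is being hidden and why a blanket rule was accepted, e.g. `# dontaudit, not allow: isDeclared() probes IRTPService on U-upgrade builds where it is unlabelled; narrow this if the service gets a dedicated label`.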
@@ -0,0 +1,37 @@
+# Copyright (c) 2018-2019, 2021 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#keymint quickboot prop
+vendor_restricted_prop(vendor_tee_keymint_quickboot);
+
+#Gatekeper quickboot prop
+vendor_restricted_prop(vendor_tee_gk_quickboot);
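Review bot: The comment `#Gatekeper quickboot prop` misspells Gatekeeper (the property_contexts file added in the same patch spells it correctly), and neither comment records what the property carries or which domains set and read it. The only writer this series grants is `tee` in qseecomd.te and the stated consumer is a restart of keymint and gatekeeper on hibernate exit; if that restart is an init `on property:` action with no system-side reader, `vendor_internal_prop` is the tighter declaration, since `vendor_restricted_prop` is the tier that additionally lets system-side domains read the value — worth confirming against the rc file that consumes these properties. Suggested comments: `# vendor.keymint.quickboot: set by qseecomd (tee) on hibernate exit, consumed by init to restart keymint` and `# vendor.gatekeeper.quickboot: same, for gatekeeper`.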
diff --git a/qva/vendor/neo/property_contexts b/qva/vendor/neo/property_contexts
new file mode 100644
index 00000000..2817ba85
--- /dev/null
+++ b/qva/vendor/neo/property_contexts
@@ -0,0 +1,37 @@
+# Copyright (c) 2018-2019, 2021 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#keymint quickboot prop
+vendor.keymint.quickboot u:object_r:vendor_tee_keymint_quickboot:s0
+
+#Gatekeeper quickboot prop
+vendor.gatekeeper.quickboot u:object_r:vendor_tee_gk_quickboot:s0
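Review bot: Both new entries map an exact property name without a type annotation, so the property service will accept any string value for `vendor.keymint.quickboot` and `vendor.gatekeeper.quickboot`. If these are boolean flags, as the names suggest (an assumption — confirm against the setter in qseecomd), appending a type, e.g. `vendor.keymint.quickboot u:object_r:vendor_tee_keymint_quickboot:s0 exact bool`, lets init reject malformed values at set time and documents the contract in the one file that defines it; if they are not booleans, `exact string` at least records that the untyped form is deliberate. The two comments would also benefit from naming the writer and the consumer, since the property type names (`vendor_tee_*`) do not make that obvious.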
diff --git a/qva/vendor/neo/qseecomd.te b/qva/vendor/neo/qseecomd.te
new file mode 100644
index 00000000..37f7f5e9
--- /dev/null
+++ b/qva/vendor/neo/qseecomd.te
@@ -0,0 +1,10 @@
+# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# allow tee access register powerstate hal service
+hal_client_domain(tee, vendor_hal_powerstateservice);
+# allow tee access set vendor.gk.quickboot property
+set_prop(tee, vendor_tee_gk_quickboot)
+# allow tee access set vendor.keymint.quickboot property
+set_prop(tee, vendor_tee_keymint_quickboot)
+

From 92a36955ebe5c467e64e759c1f6228d89b849e57 Mon Sep 17 00:00:00 2001
From: Seshu Madhavi Puppala
Date: Mon, 13 May 2024 17:26:00 +0530
Subject: [PATCH 4/4] qseecomd-sepolicy: Add context for qseecomd restart at hibernate exit.

Test: Multiple iteration of DS-QB and hibernate

Change-Id: Id4f8bdaa405af3c2f76437dec32b939d782b3111
---
 qva/vendor/neo/property_contexts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/qva/vendor/neo/property_contexts b/qva/vendor/neo/property_contexts
index 2817ba85..06df6d2c 100644
--- a/qva/vendor/neo/property_contexts
+++ b/qva/vendor/neo/property_contexts
@@ -35,3 +35,6 @@ vendor.keymint.quickboot u:object_r:vendor_tee_keymint_quickboot:s0
 
 #Gatekeeper quickboot prop
 vendor.gatekeeper.quickboot u:object_r:vendor_tee_gk_quickboot:s0
+
+# Qseecomd hibernate prop
+vendor.qseecomd.hibernate u:object_r:vendor_tee_keymint_quickboot:s0
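Review bot: The comment `# allow tee access set vendor.gk.quickboot property` names a property that does not exist in this series; property_contexts maps `vendor.gatekeeper.quickboot` to `vendor_tee_gk_quickboot`, so the comment should read `# allow tee to set vendor.gatekeeper.quickboot (vendor_tee_gk_quickboot)`. The file is named qseecomd.te but every rule targets the `tee` domain and nothing in it states that qseecomd runs as `tee`; a header such as `# qseecomd runs in the tee domain: hibernate-exit hooks that restart keymint and gatekeeper` would close that gap for readers who only open this file. Style: `hal_client_domain(...)` carries a trailing `;` while the two `set_prop(...)` calls do not, and the final `+` line adds a blank last line to the file — both are worth tidying before the file becomes the template for the next target.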
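Review bot: `vendor.qseecomd.hibernate` is labelled with `vendor_tee_keymint_quickboot`, the type this series declared for `vendor.keymint.quickboot`, so the two properties become indistinguishable to policy: every domain granted `set_prop` on that type (currently `tee` via qseecomd.te) can set either property, and a denial or audit on `vendor_tee_keymint_quickboot` no longer says which property was involved. Give it its own type in property.te alongside the two existing declarations, e.g. `vendor_restricted_prop(vendor_tee_qseecomd_hibernate_prop);` (constructed name), map `vendor.qseecomd.hibernate` to that type here, and grant `set_prop` only to the domain that actually writes it — the commit message does not say which domain that is, so that rule cannot be inferred from this patch. The comment `# Qseecomd hibernate prop` should also record who sets the property and which init action consumes it.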