diff --git a/generic/vendor/common/qtelephony.te b/generic/vendor/common/qtelephony.te
index 19058e26..c708c47d 100644
--- a/generic/vendor/common/qtelephony.te
+++ b/generic/vendor/common/qtelephony.te
@@ -32,5 +32,7 @@ get_prop(vendor_qtelephony, vendor_audio_prop)
 get_prop(vendor_qtelephony, vendor_video_prop)
 allow vendor_qtelephony vendor_hal_imsrtp_hwservice:hwservice_manager find;
+#dontaudit for U upgrade since AServiceManager_isDeclared internally does find
+dontaudit vendor_qtelephony default_android_service:service_manager find;
 binder_call(vendor_qtelephony, vendor_hal_imsrtp)
 hal_client_domain(vendor_qtelephony , vendor_hal_datafactory_qti)
diff --git a/qva/vendor/anorak/qvrd_vndr.te b/qva/vendor/anorak/qvrd_vndr.te
index 60b0c9e6..b55be740 100644
--- a/qva/vendor/anorak/qvrd_vndr.te
+++ b/qva/vendor/anorak/qvrd_vndr.te
@@ -37,3 +37,6 @@ allow vendor_qvrd_vndr vendor_qvrd_vndr_cam:fd use;
 get_prop(vendor_qvrd_vndr, vendor_camera_prop)
 hal_server_domain_bypass(vendor_qvrd_vndr, vendor_hal_qvrcamservice_qti)
+
+# Allow to access heap
+allow vendor_qvrd_vndr vendor_dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/qva/vendor/anorak/qvrd_vndr_cam.te b/qva/vendor/anorak/qvrd_vndr_cam.te
index 5a8ed613..ee3d65ef 100644
--- a/qva/vendor/anorak/qvrd_vndr_cam.te
+++ b/qva/vendor/anorak/qvrd_vndr_cam.te
@@ -11,6 +11,9 @@ binder_service(vendor_qvrd_vndr_cam)
 hal_server_domain(vendor_qvrd_vndr_cam, vendor_hal_qvrcamservice_qti)
 hal_attribute_service(vendor_hal_qvrcamservice_qti, vendor_hal_qvrd_camservice)
+allow vendor_qvrd_vndr_cam vendor_hal_qvrcamservice_qti_socket_client:unix_stream_socket { getopt read setopt shutdown write };
+allow vendor_hal_qvrcamservice_qti_socket_fd_use_client vendor_qvrd_vndr_cam: fd use;
+
 binder_use(vendor_qvrd_vndr_cam);
 # Allow access to our socket
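Review bot: The new `dontaudit vendor_qtelephony default_android_service:service_manager find;` silences every `find` on the catch-all service label, not only the AServiceManager_isDeclared probe the comment describes, so a later genuine lookup of an unlabeled service from this domain would fail with no denial in the log. That is acceptable as noise suppression, but the comment should say so explicitly, e.g. `# dontaudit only: AServiceManager_isDeclared() probes every declared instance after the U upgrade; a real dependency on a service needs its own label, do not widen this to allow`. It is worth confirming on a U build that the probe is the only source of this denial before the rule lands.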
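Review bot: The comment `# Allow to access heap` on the new qvrd_vndr.te rule does not say which heap or what the read access is for, although the target type already names it; `# Read-only open of the dmabuf system heap device (buffer allocation, presumably — confirm)` would let a reader match the rule to its purpose. If `r_file_perms` was chosen from a denial log, note that in the comment so the permission set is not widened later without a reason.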
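Review bot: The two socket/fd rules added after `hal_attribute_service(...)` sit above the existing `# Allow access to our socket` section comment instead of under it, and the second rule has a stray space before the class (`vendor_qvrd_vndr_cam: fd use;`) that no other rule in the file uses. Move both lines below that comment and write `allow vendor_hal_qvrcamservice_qti_socket_fd_use_client vendor_qvrd_vndr_cam:fd use;`. The attributes `vendor_hal_qvrcamservice_qti_socket_client` and `vendor_hal_qvrcamservice_qti_socket_fd_use_client` are not declared in this hunk; presumably they live in an attributes file elsewhere, and a one-line comment naming where they are assigned would help a reader check which domains actually receive this socket access.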
@@ -69,3 +72,5 @@ allow vendor_qvrd_vndr_cam video_device:chr_file rw_file_perms;
 allow vendor_qvrd_vndr_cam proc_uptime:file r_file_perms;
 crash_dump_fallback(vendor_qvrd_vndr_cam);
+
+allow vendor_qvrd_vndr_cam appdomain:process setsched;
diff --git a/qva/vendor/common/service_contexts b/qva/vendor/common/service_contexts
index 3884bb04..02035699 100644
--- a/qva/vendor/common/service_contexts
+++ b/qva/vendor/common/service_contexts
@@ -25,6 +25,10 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
 vendor.qti.hardware.qxr.IQXRCoreService/default u:object_r:vendor_hal_qvrd_service:s0
 vendor.qti.hardware.qxr.IQXRCamService/default u:object_r:vendor_hal_qvrd_camservice:s0
 vendor.qti.hardware.qxr.IQXRModService/default u:object_r:vendor_hal_qvrd_service:s0
@@ -33,3 +37,6 @@ vendor.qti.hardware.qxr.IQXRAudioService/default u:object_r:vendor_hal_sx
 vendor.qti.gnss.ILocAidlGnss/default u:object_r:hal_gnss_service:s0
 vendor.qti.hardware.data.connectionfactory.IFactory/slot0 u:object_r:vendor_hal_dataconnection_service:s0
 vendor.qti.hardware.data.connectionfactory.IFactory/slot1 u:object_r:vendor_hal_dataconnection_service:s0
+android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox u:object_r:hal_keymint_service:s0
diff --git a/qva/vendor/msmsteppe/file.te b/qva/vendor/msmsteppe/file.te
index ee8c7a94..ec5cce74 100644
--- a/qva/vendor/msmsteppe/file.te
+++ b/qva/vendor/msmsteppe/file.te
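Review bot: `allow vendor_qvrd_vndr_cam appdomain:process setsched;` lets a vendor camera daemon change the scheduling policy and priority of every app process on the device, and the rule carries no comment saying why. If the intent is to adjust only the XR client apps that talk to this service, scope the target to those app domains (this tree's seapp_contexts already assigns dedicated domains to specific packages) rather than `appdomain`; if it genuinely has to cover arbitrary clients, say so, e.g. `# setsched on client app threads handed to us for priority adjustment; clients are arbitrary apps, hence appdomain`. A vendor domain acting on `appdomain:process` is also the kind of rule AOSP's neverallow set tends to constrain, so build with the target's sepolicy checks rather than only compiling the policy.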
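Review bot: The three `/strongbox` service entries are added to the common service_contexts without a comment, while the only server domain for them in this change, `hal_keymint_strongbox`, is introduced for the parrot target; a grouping comment such as `# StrongBox KeyMint/SharedSecret instances (served by hal_keymint_strongbox on parrot)` would make that relationship visible. `ISharedSecret/strongbox` is labeled `hal_sharedsecret_service`, but the parrot domain is declared only as a `hal_keymint` server; confirm that the base policy lets `hal_keymint` servers add `hal_sharedsecret_service`, otherwise registration of that instance will be denied.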
@@ -67,3 +67,6 @@ type sysfs_power_imagesize, sysfs_type, fs_type;
 # Proc sys-vm-swappiness file type
 type proc_swappiness, proc_type, fs_type;
+
+#qtee
+type vendor_qtee_data_file, file_type, data_file_type;
diff --git a/qva/vendor/msmsteppe/file_contexts b/qva/vendor/msmsteppe/file_contexts
index cdb922a6..b1e799de 100644
--- a/qva/vendor/msmsteppe/file_contexts
+++ b/qva/vendor/msmsteppe/file_contexts
@@ -27,7 +27,7 @@
 # Changes from Qualcomm Innovation Center are provided under the following license:
 #
-# Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+# Copyright (c) 2022, 2024 Qualcomm Innovation Center, Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted (subject to the limitations in the
@@ -75,3 +75,9 @@
 #
 /vendor/bin/hw/vendor\.qti\.hardware\.powerstateservice@1\.0-service u:object_r:vendor_hal_powerstateservice_qti_exec:s0
 /vendor/bin/hw/vendor\.qti\.hardware\.powerstateutility@1\.0-service u:object_r:vendor_hal_powerstateutility_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.secureprocessor.2.0@1\.0 u:object_r:vendor_hal_secureprocessor_qti_exec:s0
+
+###################################
+# Data Files
+#
+/data/vendor/qtee(/.*)? u:object_r:vendor_qtee_data_file:s0
diff --git a/qva/vendor/msmsteppe/hal_secureprocessor_qti.te b/qva/vendor/msmsteppe/hal_secureprocessor_qti.te
new file mode 100644
index 00000000..48461add
--- /dev/null
+++ b/qva/vendor/msmsteppe/hal_secureprocessor_qti.te
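Review bot: The comment `#qtee` on the new `vendor_qtee_data_file` type says nothing about what the type labels or who uses it; elsewhere in this change the label is applied to `/data/vendor/qtee(/.*)?` and granted to `vendor_hal_secureprocessor_qti` with `create_file_perms`. Expand it to `# QTEE persistent data under /data/vendor/qtee (used by vendor_hal_secureprocessor_qti)` so the type's purpose can be checked without opening file_contexts. The blank line before the comment already matches the file's grouping style, so only the comment text needs changing.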
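Review bot: The new exec entry `vendor\.qti\.hardware\.secureprocessor.2.0@1\.0` leaves the dots in `.2.0` unescaped while every other dot on the line is escaped, so the pattern matches any character in those two positions instead of a literal `.`; write `vendor\.qti\.hardware\.secureprocessor\.2\.0@1\.0` so the exec label stays anchored to the exact binary name. The neighbouring entries use the plain `/vendor/bin/hw/` prefix whereas this one uses the `/(vendor|system/vendor)/` form; both are valid, but the file should settle on one style.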
@@ -0,0 +1,41 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+allow vendor_hal_secureprocessor_qti vendor_qdsp_device:chr_file r_file_perms;
+allow vendor_hal_secureprocessor_qti vendor_xdsp_device:chr_file r_file_perms;
+
+allow vendor_hal_secureprocessor_qti ion_device:chr_file r_file_perms;
+
+allow vendor_hal_secureprocessor_qti vendor_qtee_data_file:dir rw_dir_perms;
+allow vendor_hal_secureprocessor_qti vendor_qtee_data_file:file create_file_perms;
+allow vendor_hal_secureprocessor_qti video_device:chr_file rw_file_perms;
+
+get_prop(vendor_hal_secureprocessor_qti, vendor_adsprpc_prop);
diff --git a/qva/vendor/neo/property.te b/qva/vendor/neo/property.te
new file mode 100644
index 00000000..025d5348
--- /dev/null
+++ b/qva/vendor/neo/property.te
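Review bot: None of the allow rules in the new hal_secureprocessor_qti.te say what the daemon needs the access for, and the file does not declare the `vendor_hal_secureprocessor_qti` domain or its `_exec` type even though file_contexts in this change labels the binary `vendor_hal_secureprocessor_qti_exec`; presumably the `type ..., domain;` and `init_daemon_domain` lines live in a shared policy directory — confirm, or add them here, since the policy will not build without them. Each group deserves a short why-comment, e.g. `# DSP device nodes (qdsp/xdsp) — FastRPC sessions, presumably; confirm` above the first two rules and `# persistent QTEE state under /data/vendor/qtee` above the two `vendor_qtee_data_file` rules. `vendor_qtee_data_file:file create_file_perms` grants create, write and unlink; if the daemon only reads blobs that another component provisions, `r_file_perms` would be the tighter choice. The trailing `;` on `get_prop(...)` is inconsistent with macro usage elsewhere in the tree.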
@@ -0,0 +1,37 @@
+# Copyright (c) 2018-2019, 2021 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#keymint quickboot prop
+vendor_restricted_prop(vendor_tee_keymint_quickboot);
+
+#Gatekeper quickboot prop
+vendor_restricted_prop(vendor_tee_gk_quickboot);
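Review bot: The comment `#Gatekeper quickboot prop` in the new neo property.te misspells Gatekeeper (the matching property_contexts line spells it correctly), and neither comment names the property the type backs. Suggest `# vendor.keymint.quickboot` and `# vendor.gatekeeper.quickboot` as the two comments so a reader can match type to property without opening property_contexts.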
diff --git a/qva/vendor/neo/property_contexts b/qva/vendor/neo/property_contexts
new file mode 100644
index 00000000..06df6d2c
--- /dev/null
+++ b/qva/vendor/neo/property_contexts
@@ -0,0 +1,40 @@
+# Copyright (c) 2018-2019, 2021 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#keymint quickboot prop
+vendor.keymint.quickboot u:object_r:vendor_tee_keymint_quickboot:s0
+
+#Gatekeeper quickboot prop
+vendor.gatekeeper.quickboot u:object_r:vendor_tee_gk_quickboot:s0
+
+# Qseecomd hibernate prop
+vendor.qseecomd.hibernate u:object_r:vendor_tee_keymint_quickboot:s0
diff --git a/qva/vendor/neo/qseecomd.te b/qva/vendor/neo/qseecomd.te
new file mode 100644
index 00000000..37f7f5e9
--- /dev/null
+++ b/qva/vendor/neo/qseecomd.te
@@ -0,0 +1,10 @@
+# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# allow tee access register powerstate hal service
+hal_client_domain(tee, vendor_hal_powerstateservice);
+# allow tee access set vendor.gk.quickboot property
+set_prop(tee, vendor_tee_gk_quickboot)
+# allow tee access set vendor.keymint.quickboot property
+set_prop(tee, vendor_tee_keymint_quickboot)
+
diff --git a/qva/vendor/parrot/file_contexts b/qva/vendor/parrot/file_contexts
index 0425b1c1..da830403 100644
--- a/qva/vendor/parrot/file_contexts
+++ b/qva/vendor/parrot/file_contexts
@@ -25,12 +25,12 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Changes from Qualcomm Innovation Center are provided under the following license:
-#
-# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
 # SPDX-License-Identifier: BSD-3-Clause-Clear
 ###################################
 #Dev nodes
 #
 /dev/st54spi_gpio u:object_r:vendor_ese_gpio_device:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service-stm\.strongbox u:object_r:hal_keymint_strongbox_exec:s0
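Review bot: `vendor.qseecomd.hibernate` is mapped to `vendor_tee_keymint_quickboot`, the type that also backs `vendor.keymint.quickboot`; sharing the type means any domain granted set or get on the keymint quickboot property silently gets the same on the hibernate property and vice versa, and the `# Qseecomd hibernate prop` comment gives no hint that this is deliberate. Declare a dedicated type in property.te (e.g. `vendor_restricted_prop(vendor_tee_qseecomd_hibernate_prop);` — name constructed for illustration), label the property with it, and grant `set_prop` only to the domain that writes it. If the reuse is intentional, say so in the comment.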
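Review bot: The comment `# allow tee access set vendor.gk.quickboot property` names a property that does not exist in this change; property_contexts maps `vendor.gatekeeper.quickboot` to `vendor_tee_gk_quickboot`, so it should read `# allow tee to set vendor.gatekeeper.quickboot`. The file is named qseecomd.te but every rule targets the `tee` domain; a one-line header comment noting that qseecomd runs in `tee` on this target would save the next reader a lookup. `hal_client_domain(tee, vendor_hal_powerstateservice);` carries a trailing `;` while the two `set_prop` lines do not — pick one form.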
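Review bot: The new exec entry for `android\.hardware\.security\.keymint-service-stm\.strongbox` is placed under the `#Dev nodes` section directly after `/dev/st54spi_gpio`, although it labels a binary rather than a device node; give it its own section (the msmsteppe file_contexts in this same change uses the `###...` / `# Data Files` / `#` form) so the file's grouping stays meaningful. The license header rewrite also replaces `2023` with `2024` instead of keeping both years as the msmsteppe header does (`2022, 2024`); confirm that dropping the earlier year is intended.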
diff --git a/qva/vendor/parrot/hal_keymint_strongbox.te b/qva/vendor/parrot/hal_keymint_strongbox.te
new file mode 100644
index 00000000..2028d43e
--- /dev/null
+++ b/qva/vendor/parrot/hal_keymint_strongbox.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2017, 2021 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+type hal_keymint_strongbox, domain;
+type hal_keymint_strongbox_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymint_strongbox)
+
+hal_server_domain(hal_keymint_strongbox, hal_keymint)
+hal_client_domain(hal_keymint_strongbox, hal_secure_element)
+
+vndbinder_use(hal_keymint_strongbox)
+get_prop(hal_keymint_strongbox, vendor_security_patch_level_prop);
diff --git a/qva/vendor/test/seapp_contexts b/qva/vendor/test/seapp_contexts
index 4bd9dc9d..80fd1092 100755
--- a/qva/vendor/test/seapp_contexts
+++ b/qva/vendor/test/seapp_contexts
@@ -24,6 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 # Add new domain for location test apps
 user=_app seinfo=platform name=com.qualcomm.qct.dlt levelfrom=all domain=vendor_location_app_test type=app_data_file
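Review bot: The new domain is named `hal_keymint_strongbox` without the `vendor_` prefix that every other vendor-defined domain in this tree carries (`vendor_qtelephony`, `vendor_hal_secureprocessor_qti`, …), which makes it read like an AOSP base-policy type; unless the name is required by something outside this change, `vendor_hal_keymint_strongbox` would follow the tree's convention. The domain is declared only as a `hal_keymint` server, yet the common service_contexts in this change labels `ISharedSecret/strongbox` as `hal_sharedsecret_service`; confirm that the base policy lets `hal_keymint` servers add that service, otherwise the registration will be denied. A header comment saying what this daemon is — judging by the `hal_secure_element` client rule and the `-stm` binary name, a StrongBox KeyMint implementation backed by an external secure element, to be confirmed — would help, and the trailing `;` after `get_prop(...)` is inconsistent with the other macro lines in the file.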
@@ -34,5 +38,6 @@ user=system seinfo=platform name=com.qualcomm.qti.logkit.lite domain=vendor_logk
 user=_app seinfo=platform domain=vendor_pdt_app name=com.quicinc.framework.debugapp levelfrom=all type=app_data_file
 user=_app seinfo=platform name=com.qualcomm.qti.dualstaapp domain=vendor_dualsta_app type=app_data_file levelFrom=all
 user=_app seinfo=platform name=com.qualcomm.qti.cam2test domain=vendor_sys_seccam2_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.qualcomm.qti.seccam2test domain=vendor_sys_seccam2_app type=app_data_file levelFrom=all
 user=system seinfo=platform name=com.qualcomm.wrd.ue.kpitool.base domain=vendor_cta_app type=system_app_data_file
 user=_app seinfo=platform name=com.qualcomm.aontest domain=aoncameraservice_app type=app_data_file levelFrom=all