Merge tag 'LA.VENDOR.1.0.r1-25800-WAIPIO.QSSI14.0' into staging/lineage-21.0_merge-LA.VENDOR.1.0.r1-25800-WAIPIO.QSSI14.0

"LA.VENDOR.1.0.r1-25800-WAIPIO.QSSI14.0"

# By Seshu Madhavi Puppala (2) and others
# Via Linux Build Service Account (2) and others
* tag 'LA.VENDOR.1.0.r1-25800-WAIPIO.QSSI14.0':
  qseecomd-sepolicy: Add context for qseecomd restart at hibernate exit.
  sepolicy: Add properties to restart keymint and gatekeeper services
  * sepolicy_vndr: fix for AVC denial for U upgrade targets
  sepolicy_vndr: sepolicy rules for SecCam2test app
  Sepolicy_vndr: allow qvr to access heap device
  sepolicy_vndr: Add sepolicies for eSE
  sepolicy_vndr: add permission to access XR app

Change-Id: I4f0fb22feb43c7d703bef8dbb9e35873d5ab1069

generic/vendor/common/qtelephony.te

@@ -32,5 +32,7 @@ get_prop(vendor_qtelephony, vendor_audio_prop)
 get_prop(vendor_qtelephony, vendor_video_prop)
 
 allow vendor_qtelephony vendor_hal_imsrtp_hwservice:hwservice_manager find;
+#dontaudit for U upgrade since AServiceManager_isDeclared internally does find
+dontaudit vendor_qtelephony default_android_service:service_manager find;
 binder_call(vendor_qtelephony, vendor_hal_imsrtp)
 hal_client_domain(vendor_qtelephony , vendor_hal_datafactory_qti)

qva/vendor/anorak/qvrd_vndr.te

@@ -37,3 +37,6 @@ allow vendor_qvrd_vndr vendor_qvrd_vndr_cam:fd use;
 
 get_prop(vendor_qvrd_vndr, vendor_camera_prop)
 hal_server_domain_bypass(vendor_qvrd_vndr, vendor_hal_qvrcamservice_qti)
+
+# Allow to access heap
+allow vendor_qvrd_vndr vendor_dmabuf_system_heap_device:chr_file r_file_perms;

qva/vendor/anorak/qvrd_vndr_cam.te

@@ -11,6 +11,9 @@ binder_service(vendor_qvrd_vndr_cam)
 hal_server_domain(vendor_qvrd_vndr_cam, vendor_hal_qvrcamservice_qti)
 hal_attribute_service(vendor_hal_qvrcamservice_qti, vendor_hal_qvrd_camservice)
 
+allow vendor_qvrd_vndr_cam vendor_hal_qvrcamservice_qti_socket_client:unix_stream_socket { getopt read setopt shutdown write };
+allow vendor_hal_qvrcamservice_qti_socket_fd_use_client vendor_qvrd_vndr_cam: fd use;
+
 binder_use(vendor_qvrd_vndr_cam);
 
 # Allow access to our socket
@@ -69,3 +72,5 @@ allow vendor_qvrd_vndr_cam video_device:chr_file rw_file_perms;
 
 allow vendor_qvrd_vndr_cam proc_uptime:file r_file_perms;
 crash_dump_fallback(vendor_qvrd_vndr_cam);
+
+allow vendor_qvrd_vndr_cam appdomain:process setsched;

qva/vendor/common/service_contexts

@@ -25,6 +25,10 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
 vendor.qti.hardware.qxr.IQXRCoreService/default        u:object_r:vendor_hal_qvrd_service:s0
 vendor.qti.hardware.qxr.IQXRCamService/default         u:object_r:vendor_hal_qvrd_camservice:s0
 vendor.qti.hardware.qxr.IQXRModService/default         u:object_r:vendor_hal_qvrd_service:s0
@@ -33,3 +37,6 @@ vendor.qti.hardware.qxr.IQXRAudioService/default        u:object_r:vendor_hal_sx
 vendor.qti.gnss.ILocAidlGnss/default                   u:object_r:hal_gnss_service:s0
 vendor.qti.hardware.data.connectionfactory.IFactory/slot0 u:object_r:vendor_hal_dataconnection_service:s0
 vendor.qti.hardware.data.connectionfactory.IFactory/slot1 u:object_r:vendor_hal_dataconnection_service:s0
+android.hardware.security.keymint.IKeyMintDevice/strongbox                      u:object_r:hal_keymint_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox                  u:object_r:hal_sharedsecret_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox       u:object_r:hal_keymint_service:s0

qva/vendor/msmsteppe/file.te

@@ -67,3 +67,6 @@ type sysfs_power_imagesize, sysfs_type, fs_type;
 
 # Proc sys-vm-swappiness file type
 type proc_swappiness, proc_type, fs_type;
+
+#qtee
+type vendor_qtee_data_file, file_type, data_file_type;

qva/vendor/msmsteppe/file_contexts

@@ -27,7 +27,7 @@
 
 # Changes from Qualcomm Innovation Center are provided under the following license:
 #
-# Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+# Copyright (c) 2022, 2024 Qualcomm Innovation Center, Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted (subject to the limitations in the
@@ -75,3 +75,9 @@
 #
 /vendor/bin/hw/vendor\.qti\.hardware\.powerstateservice@1\.0-service			   u:object_r:vendor_hal_powerstateservice_qti_exec:s0
 /vendor/bin/hw/vendor\.qti\.hardware\.powerstateutility@1\.0-service			   u:object_r:vendor_hal_powerstateutility_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.secureprocessor.2.0@1\.0             u:object_r:vendor_hal_secureprocessor_qti_exec:s0
+
+###################################
+# Data Files
+#
+/data/vendor/qtee(/.*)?                                             u:object_r:vendor_qtee_data_file:s0

qva/vendor/msmsteppe/hal_secureprocessor_qti.te

@@ -0,0 +1,41 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+allow vendor_hal_secureprocessor_qti vendor_qdsp_device:chr_file r_file_perms;
+allow vendor_hal_secureprocessor_qti vendor_xdsp_device:chr_file r_file_perms;
+
+allow vendor_hal_secureprocessor_qti ion_device:chr_file r_file_perms;
+
+allow vendor_hal_secureprocessor_qti vendor_qtee_data_file:dir rw_dir_perms;
+allow vendor_hal_secureprocessor_qti vendor_qtee_data_file:file create_file_perms;
+allow vendor_hal_secureprocessor_qti video_device:chr_file rw_file_perms;
+
+get_prop(vendor_hal_secureprocessor_qti, vendor_adsprpc_prop);

qva/vendor/neo/property.te

@@ -0,0 +1,37 @@
+# Copyright (c) 2018-2019, 2021 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#keymint quickboot prop
+vendor_restricted_prop(vendor_tee_keymint_quickboot);
+
+#Gatekeper quickboot prop
+vendor_restricted_prop(vendor_tee_gk_quickboot);

qva/vendor/neo/property_contexts

@@ -0,0 +1,40 @@
+# Copyright (c) 2018-2019, 2021 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#keymint quickboot prop
+vendor.keymint.quickboot     u:object_r:vendor_tee_keymint_quickboot:s0
+
+#Gatekeeper quickboot prop
+vendor.gatekeeper.quickboot  u:object_r:vendor_tee_gk_quickboot:s0
+
+# Qseecomd hibernate prop
+vendor.qseecomd.hibernate    u:object_r:vendor_tee_keymint_quickboot:s0

qva/vendor/neo/qseecomd.te

@@ -0,0 +1,10 @@
+# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# allow tee access register powerstate hal service
+hal_client_domain(tee, vendor_hal_powerstateservice);
+# allow tee access set vendor.gk.quickboot property
+set_prop(tee, vendor_tee_gk_quickboot)
+# allow tee access set vendor.keymint.quickboot property
+set_prop(tee, vendor_tee_keymint_quickboot)
+

qva/vendor/parrot/file_contexts

@@ -25,12 +25,12 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-# Changes from Qualcomm Innovation Center are provided under the following license:
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
-#
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
-# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
 # SPDX-License-Identifier: BSD-3-Clause-Clear
 
 ###################################
 #Dev nodes
 #
 /dev/st54spi_gpio                     u:object_r:vendor_ese_gpio_device:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service-stm\.strongbox    u:object_r:hal_keymint_strongbox_exec:s0

qva/vendor/parrot/hal_keymint_strongbox.te

@@ -0,0 +1,40 @@
+# Copyright (c) 2017, 2021 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+type hal_keymint_strongbox, domain;
+type hal_keymint_strongbox_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymint_strongbox)
+
+hal_server_domain(hal_keymint_strongbox, hal_keymint)
+hal_client_domain(hal_keymint_strongbox, hal_secure_element)
+
+vndbinder_use(hal_keymint_strongbox)
+get_prop(hal_keymint_strongbox, vendor_security_patch_level_prop);

qva/vendor/test/seapp_contexts

@@ -24,6 +24,10 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+# Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
 
 # Add new domain for location test apps
 user=_app seinfo=platform name=com.qualcomm.qct.dlt levelfrom=all domain=vendor_location_app_test type=app_data_file
@@ -34,5 +38,6 @@ user=system seinfo=platform name=com.qualcomm.qti.logkit.lite domain=vendor_logk
 user=_app seinfo=platform domain=vendor_pdt_app name=com.quicinc.framework.debugapp levelfrom=all type=app_data_file
 user=_app seinfo=platform name=com.qualcomm.qti.dualstaapp domain=vendor_dualsta_app type=app_data_file levelFrom=all
 user=_app seinfo=platform name=com.qualcomm.qti.cam2test domain=vendor_sys_seccam2_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.qualcomm.qti.seccam2test domain=vendor_sys_seccam2_app type=app_data_file levelFrom=all
 user=system seinfo=platform name=com.qualcomm.wrd.ue.kpitool.base domain=vendor_cta_app type=system_app_data_file
 user=_app seinfo=platform name=com.qualcomm.aontest domain=aoncameraservice_app type=app_data_file levelFrom=all