sepolicy: Add policy for Limits HAL

Add policy to access netlink socket and thermal sysfs nodes for limits
HAL.

Change-Id: I95d0503e2e2d642a21d9950a9f2fb6bacf6d55cc
This commit is contained in:
Ram Chandrasekar 2021-06-24 15:41:22 -07:00 committed by Gerrit - the friendly Code Review server
parent 3e972cd0d7
commit 661cc2b360
4 changed files with 52 additions and 1 deletions

View file

@ -161,6 +161,7 @@
/vendor/bin/thermal-engine u:object_r:vendor_thermal-engine_exec:s0 /vendor/bin/thermal-engine u:object_r:vendor_thermal-engine_exec:s0
/vendor/bin/hw/android.hardware.thermal@2.0-service.qti-v2 u:object_r:hal_thermal_default_exec:s0 /vendor/bin/hw/android.hardware.thermal@2.0-service.qti-v2 u:object_r:hal_thermal_default_exec:s0
/vendor/bin/thermal-engine-v2 u:object_r:vendor_thermal-engine_exec:s0 /vendor/bin/thermal-engine-v2 u:object_r:vendor_thermal-engine_exec:s0
/vendor/bin/hw/vendor.qti.hardware.limits@1.1-service u:object_r:vendor_limits-hal_exec:s0
/vendor/bin/sensors.qti u:object_r:vendor_sensors_qti_exec:s0 /vendor/bin/sensors.qti u:object_r:vendor_sensors_qti_exec:s0
/vendor/bin/sensors-qesdk u:object_r:vendor_sensors_qesdk_exec:s0 /vendor/bin/sensors-qesdk u:object_r:vendor_sensors_qesdk_exec:s0
/vendor/bin/ssr_setup u:object_r:vendor_ssr_setup_exec:s0 /vendor/bin/ssr_setup u:object_r:vendor_ssr_setup_exec:s0

48
generic/vendor/common/hal_limits_default.te vendored Executable file
View file

@ -0,0 +1,48 @@
# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_limits-hal, domain;
hal_server_domain(vendor_limits-hal, vendor_hal_limits)
type vendor_limits-hal_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_limits-hal)
# Allow hwbinder call from hal client to server
binder_call(vendor_hal_limits_client, vendor_hal_limits_server)
binder_call(vendor_hal_limits_server, vendor_hal_limits_client)
# Add hwservice related rules
hal_attribute_hwservice(vendor_hal_limits, vendor_hal_limits_hwservice);
# Thermal HAL access
hal_client_domain(vendor_limits-hal, hal_thermal);
# This is required for thermal sysfs access
allow vendor_limits-hal sysfs_thermal:file w_file_perms;
# netlink access
allow vendor_limits-hal self: { netlink_generic_socket } create_socket_perms_no_ioctl;

View file

@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved. # Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are # modification, are permitted provided that the following conditions are
@ -47,3 +47,4 @@ type vendor_hal_embmssl_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_dspmanager_hwservice, hwservice_manager_type; type vendor_hal_dspmanager_hwservice, hwservice_manager_type;
type vendor_hal_camera_aon_hwservice, hwservice_manager_type, protected_hwservice; type vendor_hal_camera_aon_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_poweroptservice_hwservice, hwservice_manager_type, protected_hwservice; type vendor_hal_poweroptservice_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_limits_hwservice, hwservice_manager_type, protected_hwservice;

View file

@ -67,3 +67,4 @@ vendor.qti.hardware.embmssl::IEmbms u:object_r:vendor_h
vendor.qti.hardware.dsp::IDspService u:object_r:vendor_hal_dspmanager_hwservice:s0 vendor.qti.hardware.dsp::IDspService u:object_r:vendor_hal_dspmanager_hwservice:s0
vendor.qti.hardware.camera.aon::IAONService u:object_r:vendor_hal_camera_aon_hwservice:s0 vendor.qti.hardware.camera.aon::IAONService u:object_r:vendor_hal_camera_aon_hwservice:s0
vendor.qti.hardware.power.powermodule::IPowerModule u:object_r:vendor_hal_poweroptservice_hwservice:s0 vendor.qti.hardware.power.powermodule::IPowerModule u:object_r:vendor_hal_poweroptservice_hwservice:s0
vendor.qti.hardware.limits::ILimits u:object_r:vendor_hal_limits_hwservice:s0