sepolicy_vndr : DPM system module movement to vendor

-sepolicy rules are updated to support dpm system movement to vendor Allow dpmd_vndr to do netfilter socket operations for deleting conntrack entries CRs-Fixed: 2888094 Change-Id: Ic7681897e19ce664eb162574db85357e07e04ea0
LineageOS · Mar 28, 2021 · 0c5ea8a · 0c5ea8a
1 parent b3a7d6a
commit 0c5ea8a
Show file tree

Hide file tree

Showing 8 changed files with 103 additions and 14 deletions.
diff --git a/qva/vendor/common/dpmd.te b/qva/vendor/common/dpmd.te
@@ -34,11 +34,7 @@ wakelock_use(vendor_dpmd)
 
 r_dir_file(vendor_dpmd, vendor_sysfs_data)
 
-#Allow vendor_dpmd to connect to hal_dpmQMiMgr
-allow vendor_dpmd vendor_hal_dpmqmi_hwservice:hwservice_manager find;
-get_prop(vendor_dpmd, hwservicemanager_prop)
-binder_call(vendor_dpmd,vendor_hal_dpmQmiMgr)
-hwbinder_use(vendor_dpmd)
+hal_client_domain(vendor_dpmd,vendor_hal_dpmqmiservice_qti)
 
 #diag
 userdebug_or_eng(`

diff --git a/qva/vendor/common/dpmd_vndr.te b/qva/vendor/common/dpmd_vndr.te
@@ -0,0 +1,86 @@
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#dpmd_vndr as domain
+type vendor_dpmd_vndr, domain;
+
+type vendor_dpmd_vndr_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_dpmd_vndr)
+
+net_domain(vendor_dpmd_vndr)
+
+use_netutils(vendor_dpmd_vndr)
+set_prop(vendor_dpmd_vndr, vendor_persist_dpm_prop)
+set_prop(vendor_dpmd_vndr, vendor_persist_tcm_prop)
+
+wakelock_use(vendor_dpmd_vndr)
+
+r_dir_file(vendor_dpmd_vndr, vendor_sysfs_data)
+
+#dpmQmiHalService
+hal_client_domain(vendor_dpmd_vndr,vendor_hal_dpmqmiservice_qti)
+
+#register dpmApiHalService
+hal_server_domain_bypass(vendor_dpmd_vndr, vendor_hal_dpmapiservice_qti)
+binder_call(vendor_hal_dpmapiservice_qti_client, vendor_hal_dpmapiservice_qti_server)
+binder_call(vendor_hal_dpmapiservice_qti_server, vendor_hal_dpmapiservice_qti_client)
+hal_attribute_hwservice(vendor_hal_dpmapiservice_qti,vendor_hal_dpmapi_hwservice)
+
+allow vendor_dpmd_vndr vendor_dpm_vndr_data_file:file create_file_perms;
+allow vendor_dpmd_vndr vendor_dpm_vndr_data_file:dir create_dir_perms;
+
+r_dir_file(vendor_dpmd_vndr,proc_net)
+
+allow vendor_dpmd_vndr self:capability {
+    setuid
+    net_raw
+    net_admin
+};
+
+dontaudit vendor_dpmd_vndr self:capability sys_module;
+
+allow vendor_dpmd_vndr netutils_wrapper:process sigkill;
+allow vendor_dpmd_vndr self:capability2 wake_alarm;
+
+r_dir_file(vendor_dpmd_vndr, appdomain)
+
+#self kill rule to kill dpmd child process which executes iptable commands
+allow vendor_dpmd_vndr self:capability kill;
+
+allow vendor_dpmd_vndr proc_net:file write;
+
+allow vendor_dpmd_vndr self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
+#diag
+userdebug_or_eng(`
+    diag_use(vendor_dpmd_vndr)
+    hal_client_domain(vendor_dpmd_vndr, vendor_hal_diaghal)
+    hal_client_domain(vendor_dpmd_vndr, hal_allocator)
+')
+
+#allow vendor_dpmd_vndr default_prop:file read;
diff --git a/qva/vendor/common/file.te b/qva/vendor/common/file.te
@@ -143,3 +143,6 @@ type vendor_sysfs_mem_offline, sysfs_type, fs_type;
 #slub-debug
 type vendor_sysfs_slab_zshandle_storeuser, fs_type, sysfs_type;
 type vendor_sysfs_slab_zspage_storeuser, fs_type, sysfs_type;
+
+#dpmd_vndr
+type vendor_dpm_vndr_data_file, file_type, data_file_type ;
diff --git a/qva/vendor/common/file_contexts b/qva/vendor/common/file_contexts
@@ -71,6 +71,7 @@
 #
 
 /(vendor|system/vendor)/bin/dpmQmiMgr                                              u:object_r:vendor_hal_dpmQmiMgr_exec:s0
+/vendor/bin/vendor.dpmd                                                            u:object_r:vendor_dpmd_vndr_exec:s0
 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti             u:object_r:vendor_hal_keymaster_qti_exec:s0
 /vendor/bin/hw/android\.hardware\.keymaster@4\.1-strongbox-service-qti             u:object_r:vendor_hal_keymaster_qti_exec:s0
 /vendor/bin/hw/android\.hardware\.keymaster@4\.1-javacard.service                  u:object_r:hal_keymaster_default_exec:s0
@@ -191,6 +192,7 @@
 ###################################
 # data files
 #
+/data/vendor/dpm_vndr(/.*)?                                         u:object_r:vendor_dpm_vndr_data_file:s0
 /data/vendor/iop(/.*)?                                              u:object_r:vendor_iop_data_file:s0
 /data/vendor/misc/qti_fp(/.*)?                                      u:object_r:vendor_qfp-daemon_data_file:s0
 /data/vendor/wifi(/.*)?                                             u:object_r:vendor_wifi_vendor_data_file:s0

diff --git a/qva/vendor/common/hal_dpmQmiMgr.te b/qva/vendor/common/hal_dpmQmiMgr.te
@@ -33,17 +33,13 @@ init_daemon_domain(vendor_hal_dpmQmiMgr)
 
 net_domain(vendor_hal_dpmQmiMgr)
 
-#Add hal_dpmQMiMgr as hwservice
-add_hwservice(vendor_hal_dpmQmiMgr, vendor_hal_dpmqmi_hwservice)
-
-#Allow hwbinder usage
-hwbinder_use(vendor_hal_dpmQmiMgr)
+hal_server_domain_bypass(vendor_hal_dpmQmiMgr, vendor_hal_dpmqmiservice_qti)
+binder_call(vendor_hal_dpmqmiservice_qti_client, vendor_hal_dpmqmiservice_qti_server)
+binder_call(vendor_hal_dpmqmiservice_qti_server, vendor_hal_dpmqmiservice_qti_client)
+hal_attribute_hwservice(vendor_hal_dpmqmiservice_qti,vendor_hal_dpmqmi_hwservice)
 
 #Allow to get hwservice_prop
-get_prop(vendor_hal_dpmQmiMgr, hwservicemanager_prop)
-
-#Allow binder call from dpmd
-binder_call(vendor_hal_dpmQmiMgr,vendor_dpmd)
+get_prop(vendor_hal_dpmQmiMgr, vendor_persist_dpm_prop)
 
 #sysfs_data file permissions
 allow vendor_hal_dpmQmiMgr vendor_sysfs_data:file r_file_perms;

diff --git a/qva/vendor/common/hwservice.te b/qva/vendor/common/hwservice.te
@@ -62,3 +62,4 @@ type vendor_hal_spu_hwservice, hwservice_manager_type, protected_hwservice;
 type vendor_hal_slmadapter_hwservice, hwservice_manager_type, protected_hwservice;
 type vendor_hal_perfcallback_hwservice, hwservice_manager_type, protected_hwservice;
 type vendor_hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice;
+type vendor_hal_dpmapi_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/qva/vendor/common/hwservice_contexts b/qva/vendor/common/hwservice_contexts
@@ -81,3 +81,5 @@ vendor.qti.spu::ISPUManager                                  u:object_r:vendor_h
 vendor.qti.hardware.slmadapter::ISlmAdapter                  u:object_r:vendor_hal_slmadapter_hwservice:s0
 vendor.qti.hardware.perf::IPerfCallback                      u:object_r:vendor_hal_perfcallback_hwservice:s0
 vendor.qti.hardware.mwqemadapter::IMwqemAdapter              u:object_r:vendor_hal_mwqemadapter_hwservice:s0
+vendor.qti.hardware.dpmservice::IDpmService                  u:object_r:vendor_hal_dpmapi_hwservice:s0
+
diff --git a/qva/vendor/common/vendor_dataservice_app.te b/qva/vendor/common/vendor_dataservice_app.te
@@ -32,3 +32,6 @@ get_prop(vendor_dataservice_app, vendor_slm_prop)
 allow vendor_dataservice_app vendor_hal_mwqemadapter_hwservice:hwservice_manager find;
 
 get_prop(vendor_dataservice_app, vendor_mwqem_prop)
+
+hal_client_domain(vendor_dataservice_app,vendor_hal_dpmapiservice_qti)
+
Original file line number	Diff line number	Diff line change
Expand Up		@@ -32,3 +32,6 @@ get_prop(vendor_dataservice_app, vendor_slm_prop)
		allow vendor_dataservice_app vendor_hal_mwqemadapter_hwservice:hwservice_manager find;

		get_prop(vendor_dataservice_app, vendor_mwqem_prop)

		hal_client_domain(vendor_dataservice_app,vendor_hal_dpmapiservice_qti)