android_device_qcom_sepolicy/generic/vendor/common/domain.te

# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above
#       copyright notice, this list of conditions and the following
#       disclaimer in the documentation and/or other materials provided
#       with the distribution.
#     * Neither the name of The Linux Foundation nor the names of its
#       contributors may be used to endorse or promote products derived
#       from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
userdebug_or_eng(`
  allow domain vendor_diag_device:chr_file rw_file_perms;
')

# In order for /sys/kernel/debug/kgsl/proc/<pid>/mem
# to be created for memory tracking, the domain of
# the tracked process must have permission to search
# in /sys/kernel/debug/kgsl
allow domain vendor_debugfs_kgsl:dir search;

allow domain vendor_debugfs_ion:dir search;

get_prop(domain, vendor_gralloc_prop)

r_dir_file({domain - isolated_app}, vendor_sysfs_soc);
r_dir_file({domain - isolated_app}, vendor_sysfs_esoc);
r_dir_file({domain - isolated_app}, vendor_sysfs_ssr);
r_dir_file({domain - isolated_app}, sysfs_thermal);

get_prop(domain, vendor_public_vendor_default_prop)

dontaudit domain kernel:system module_request;

# For compliance testing test suite reads vendor_security_path_level
# Which is the public readable property “ ro.vendor.build.security_patch
get_prop(domain, vendor_security_patch_level_prop)
neverallow {
     coredomain
     -init
     -ueventd
     -vold
     } vendor_persist_type: { dir file } *;

# Allow all context to read gpu model
allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;