sepolicy : tcmd system sepolicy rules

-DPM system module movement to vendor -DPM native module which was in system module moved it to vendor and redesigned DPM code to meet the backward compatibility. -dpmservice HAL is introduced to communicate between system dpmserviceapp and vendor.dpmd module. -DPM tcmd module is introduced in system partition to handle tcm call back events from vendor.dpmd -"persist.vendor.dpm.vndr.feature" is used to control vendor.dpmd feature -update sepolicy rules for tcmd system daemon. CRs-Fixed: 2887227 Change-Id: I149fcb6bdda4cce689a9371aebe6c851e2971dc7
2021-02-11 12:11:46 +05:30
parent abc32f5d7e
commit 1e4e9d7283
14 changed files with 119 additions and 2 deletions
--- a/generic/private/compat/30.0/30.0.ignore.cil
+++ b/generic/private/compat/30.0/30.0.ignore.cil
@@ -7,4 +7,5 @@
  ( new_objects
    vendor_hal_displayconfig_service
    vendor_mm_parser_prop
+    vendor_persist_tcm_prop
    vendor_qcc_lmtp_app))
--- a/generic/private/file_contexts
+++ b/generic/private/file_contexts
@@ -38,6 +38,7 @@
 /dev/socket/seempdw                             u:object_r:vendor_seempdw_socket:s0
 /dev/socket/dpmd                                u:object_r:vendor_dpmd_socket:s0
 /dev/socket/tcm                                 u:object_r:vendor_dpmtcm_socket:s0
+/dev/socket/tcmd                                u:object_r:vendor_dpmtcm_socket:s0
 /dev/socket/qvrservice                          u:object_r:vendor_qvrd_socket:s0
 /dev/socket/qvrservice_controller               u:object_r:vendor_qvrd_controller_socket:s0
 /dev/socket/qvrservice_camera                   u:object_r:vendor_qvrd_socket:s0
@@ -47,6 +48,7 @@
 ####### system file ###############
 /system/bin/seempd                              u:object_r:vendor_seempd_exec:s0
 /(system_ext|system/system_ext)/bin/dpmd        u:object_r:vendor_dpmd_exec:s0
+/(system_ext|system/system_ext)/bin/tcmd        u:object_r:vendor_tcmd_exec:s0
 /(system_ext|system/system_ext)/bin/qvrservice  u:object_r:vendor_qvrd_exec:s0
 /system/bin/vpsservice                          u:object_r:vendor_vpsservice_exec:s0

--- a/generic/private/gmscore_app.te
+++ b/generic/private/gmscore_app.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+unix_socket_connect(gmscore_app, vendor_dpmtcm, vendor_tcmd)
--- a/generic/private/location_app.te
+++ b/generic/private/location_app.te
@@ -47,6 +47,7 @@ allow vendor_location_app system_app_data_file:file create_file_perms;
 allow vendor_location_app radio_service:service_manager find;

 unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd);
+unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_tcmd);

 allow vendor_location_app cgroup:file rw_file_perms;

--- a/generic/private/mediaprovider.te
+++ b/generic/private/mediaprovider.te
@@ -27,3 +27,4 @@

 allow mediaprovider vendor_dpmtcm_socket:sock_file w_file_perms;
 allow mediaprovider vendor_dpmd:unix_stream_socket connectto;
+unix_socket_connect(mediaprovider, vendor_dpmtcm, vendor_tcmd);
--- a/generic/private/network_stack.te
+++ b/generic/private/network_stack.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+unix_socket_connect(network_stack, vendor_dpmtcm, vendor_tcmd)
--- a/generic/private/priv_app.te
+++ b/generic/private/priv_app.te
@@ -30,3 +30,5 @@ allow priv_app vendor_dpmtcm_socket:sock_file w_file_perms;
 allow priv_app vendor_dpmd:unix_stream_socket connectto;
 # QVA app need to find soundtrigger_middleware_service
 allow priv_app soundtrigger_middleware_service:service_manager find;
+
+unix_socket_connect(priv_app, vendor_dpmtcm, vendor_tcmd);
--- a/generic/private/property.te
+++ b/generic/private/property.te
@@ -41,3 +41,4 @@ system_internal_prop(vendor_wfd_sys_debug_prop)
 system_internal_prop(vendor_wigig_core_prop)
 system_internal_prop(vendor_fst_prop)
 system_internal_prop(ctl_dpmd_prop)
+system_internal_prop(ctl_tcmd_prop)
--- a/generic/private/property_contexts
+++ b/generic/private/property_contexts
@@ -31,6 +31,7 @@ ro.vendor.perf.scroll_opt        u:object_r:vendor_exported_system_prop:s0 exact
 ro.vendor.perf.scroll_opt.heavy_app        u:object_r:vendor_exported_system_prop:s0 exact int

 persist.vendor.dpm.                        u:object_r:vendor_persist_dpm_prop:s0
+persist.vendor.tcmd.                       u:object_r:vendor_persist_tcm_prop:s0
 persist.vendor.btstack                     u:object_r:bluetooth_prop:s0
 persist.vendor.bluetooth.emailaccountcount u:object_r:bluetooth_prop:s0
 persist.vendor.bt.a2dp                     u:object_r:bluetooth_prop:s0
@@ -77,6 +78,7 @@ persist.vendor.wigig.                      u:object_r:vendor_wigig_core_prop:s0
 persist.vendor.fst.                        u:object_r:vendor_fst_prop:s0
 persist.dpm.feature                        u:object_r:vendor_persist_dpm_prop:s0
 ctl.stop$dpmd                              u:object_r:ctl_dpmd_prop:s0
+ctl.stop$tcmd                              u:object_r:ctl_tcmd_prop:s0

 # Beluga
 ro.vendor.beluga.p                         u:object_r:vendor_exported_system_prop:s0
--- a/generic/private/qcc_app.te
+++ b/generic/private/qcc_app.te
@@ -52,7 +52,7 @@ allow vendor_qcc_app vendor_qcc_data_file:file create_file_perms;

 # allow access to socket
 unix_socket_connect(vendor_qcc_app, vendor_dpmtcm, vendor_dpmd)
-
+unix_socket_connect(vendor_qcc_app, vendor_dpmtcm, vendor_tcmd)
 # allow access to mediadrmserver for qdmastats/wvstats
 allow vendor_qcc_app mediadrmserver_service:service_manager find;

--- a/generic/private/qcc_lmtp_app.te
+++ b/generic/private/qcc_lmtp_app.te
@@ -39,7 +39,7 @@ userdebug_or_eng(`

  # allow access to socket
  unix_socket_connect(vendor_qcc_lmtp_app, vendor_dpmtcm, vendor_dpmd)
-
+  unix_socket_connect(vendor_qcc_lmtp_app, vendor_dpmtcm, vendor_tcmd)
  # allow access to qcc dropbox
  allow vendor_qcc_lmtp_app vendor_qcc_data_file:dir create_dir_perms;
  allow vendor_qcc_lmtp_app vendor_qcc_data_file:file create_file_perms;
--- a/generic/private/tcmd.te
+++ b/generic/private/tcmd.te
@@ -0,0 +1,42 @@
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#tcmd as domain
+type vendor_tcmd,domain;
+
+typeattribute vendor_tcmd coredomain;
+
+type vendor_tcmd_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(vendor_tcmd)
+
+set_prop(vendor_tcmd, vendor_persist_tcm_prop)
+#allow vendor_tcmd to create socket
+allow vendor_tcmd self:socket create_socket_perms_no_ioctl;
+set_prop(vendor_tcmd, ctl_tcmd_prop)
+
+hal_client_domain(vendor_tcmd,vendor_hal_dpmapiservice_qti);
--- a/generic/public/attributes
+++ b/generic/public/attributes
@@ -229,3 +229,11 @@ attribute vendor_hal_limits_server;
 attribute vendor_hal_poweroptservice;
 attribute vendor_hal_poweroptservice_client;
 attribute vendor_hal_poweroptservice_server;
+
+attribute vendor_hal_dpmapiservice_qti;
+attribute vendor_hal_dpmapiservice_qti_client;
+attribute vendor_hal_dpmapiservice_qti_server;
+
+attribute vendor_hal_dpmqmiservice_qti;
+attribute vendor_hal_dpmqmiservice_qti_client;
+attribute vendor_hal_dpmqmiservice_qti_server;
--- a/generic/public/property.te
+++ b/generic/public/property.te
@@ -26,6 +26,7 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 system_public_prop(vendor_persist_dpm_prop)
+system_public_prop(vendor_persist_tcm_prop)
 system_restricted_prop(vendor_persist_camera_prop)
 # this is vendor defined property  and added with prefix vendor
 # which is going to be working from system