sepolicy: Add systemhelper_app binder calls

Add systemhelper_app binder client/server calls to allow clients to get required permissions with hal_client_domain(). Change-Id: I1e181f2f03c32e013143b61d9caac7e720b4bdca
2021-11-09 17:50:25 +05:30
parent 007fd2fbe2
commit 6ec871b660
2 changed files with 43 additions and 2 deletions
--- a/generic/product/private/sys_hal_neverallow.te
+++ b/generic/product/private/sys_hal_neverallow.te
@@ -36,14 +36,16 @@ neverallow {

 neverallow {
  system_halserverdomain
+  - vendor_systemhelper_app
 } domain:{ tcp_socket udp_socket rawip_socket } *;

 neverallow {
  system_halserverdomain
+  - vendor_systemhelper_app
 } { file_type fs_type }:file execute_no_trans;

 neverallow { domain -init } system_halserverdomain:process transition;

-neverallow *  { system_halserverdomain }:process dyntransition;
+neverallow *  { system_halserverdomain - vendor_systemhelper_app }:process dyntransition;

-neverallow { system_halserverdomain - netdomain  } hwservicemanager:binder { call transfer };
+neverallow { system_halserverdomain - netdomain - vendor_systemhelper_app } hwservicemanager:binder { call transfer };
--- a/generic/product/private/systemhelper_app.te
+++ b/generic/product/private/systemhelper_app.te
@@ -25,9 +25,48 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+# Changes from Qualcomm Innovation Center are provided under the following
+# license:
+#
+# Copyright (c) 2022 Qualcomm Innovation Center, Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted (subject to the limitations in the
+# disclaimer below) provided that the following conditions are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#
+#     * Neither the name of Qualcomm Innovation Center nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# NO EXPRESS OR IMPLIED LICENSES TO ANY PARTY'S PATENT RIGHTS ARE
+# GRANTED BY THIS LICENSE. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT
+# HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 typeattribute vendor_systemhelper_app coredomain;
 app_domain(vendor_systemhelper_app)

+hal_server_domain_bypass_qssi(vendor_systemhelper_app, vendor_hal_systemhelper)
+binder_call(vendor_hal_systemhelper_client, vendor_hal_systemhelper_server)
+binder_call(vendor_hal_systemhelper_server, vendor_hal_systemhelper_client)
+
 allow vendor_hal_systemhelper_client vendor_hal_systemhelper_hwservice:hwservice_manager find;
 add_hwservice(vendor_systemhelper_app, vendor_hal_systemhelper_hwservice)
 neverallow { domain -vendor_hal_systemhelper_client -vendor_systemhelper_app } vendor_hal_systemhelper_hwservice:hwservice_manager find;