FR53463: Location generic and qva sepolicy changes.

Location sepolicy changes for SElinux support for common
vendor image as part of FR53463.

Change-Id: I3eed6eed7a44c1aed50b667671f875597da64db1
CRs-Fixed: 2341061

Android.mk

@@ -31,6 +31,7 @@ ifeq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
 
     ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
     BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/generic/vendor/test
+    BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/qva/vendor/test
     endif
 endif
 

generic/vendor/common/file_contexts

@@ -156,7 +156,6 @@
 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service-qti         u:object_r:hal_keymaster_qti_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti        u:object_r:hal_gatekeeper_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
 /vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti         u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.widevine   	u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator@1\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0

generic/vendor/common/hal_gnss_qti.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -24,19 +24,17 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# generic/hal_gnss_qti.te - generic sepolicy rules for location hidl
+
 type hal_gnss_qti, domain;
 hal_server_domain(hal_gnss_qti, hal_gnss)
 
 type hal_gnss_qti_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gnss_qti)
 
-allow hal_gnss sysfs:dir r_dir_perms;
-allow hal_gnss sysfs_data:file r_file_perms;
-
-vndbinder_use(hal_gnss_qti)
-
-binder_call(hal_gnss_qti, vendor_per_mgr)
-allow hal_gnss_qti vendor_per_mgr_service:service_manager find;
+# vendor binder
+use_vendor_per_mgr(hal_gnss_qti)
 
 # /data/vendor/location
 allow hal_gnss_qti location_data_file:fifo_file { open read setattr write };
@@ -46,19 +44,9 @@ allow hal_gnss_qti location_data_file:file create_file_perms;
 # /dev/socket/location
 allow hal_gnss_qti location_socket:sock_file create_file_perms;
 allow hal_gnss_qti location_socket:dir rw_dir_perms;
-
 allow hal_gnss_qti location:unix_stream_socket connectto;
 allow hal_gnss_qti location:unix_dgram_socket sendto;
 
-allow hal_gnss_qti self:socket create_socket_perms;
-allowxperm hal_gnss_qti self:socket ioctl msm_sock_ipc_ioctls;
-
-unix_socket_connect(hal_gnss_qti, netmgrd, netmgrd)
-allow hal_gnss_qti netmgrd_socket:dir search;
-
-allow hal_gnss_qti self:netlink_generic_socket { bind create read };
-allow hal_gnss_qti self:netlink_route_socket { bind create nlmsg_read read write };
-
 # Most HALs are not allowed to use network sockets. QTI library
 # libqdi is used across multiple processes which are clients of
 # netmgrd including the GNSS HAL. libqdi first attempts to get the network

generic/vendor/common/ioctl_macros

@@ -81,3 +81,13 @@ define(`wlan_sock_ioctls', `{
 SIOCSIWPRIV
 SIOCIWFIRSTPRIV_15
 }')
+
+define(`lowi_server_ioctls', `{
+SIOCGIFINDEX
+SIOCGIFHWADDR
+SIOCGIFFLAGS
+SIOCIWFIRSTPRIV_05
+SIOCIWFIRSTPRIV_11
+SIOCIWFIRSTPRIV_13
+SIOCDEVPRIVATE_1
+}')

generic/vendor/common/location.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -24,6 +24,9 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# generic/location.te - sepolicy rules for generic location modules
+
 # loc_launcher service
 # which launches various other services supporting GPS & Wifi-RTT (LOWI) location
 type location, domain;
@@ -31,37 +34,28 @@ type location_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(location)
 
-# STOPSHIP b/28340421
-# Temporarily grant this permission (for LOWI) and log its use.
-allow location self:capability { net_admin };
-
 allow location self:capability { setgid setuid };
 
 hwbinder_use(location)
+
 get_prop(location, hwservicemanager_prop)
+get_prop(location, cnd_prop)
+#xtra-daemon access to qdma properties
+get_prop(location, vendor_qdma_prop)
+
 allow location fwk_sensor_hwservice:hwservice_manager find;
 binder_call(location, system_server)
-allow location hal_wifi:unix_stream_socket { read write };
+binder_call(location, cnd)
 
 # Enable standard network access (for XTRA download)
 net_domain(location)
 
-# And some additional network access
-allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow location self:netlink_socket create_socket_perms_no_ioctl;
-allowxperm location self:udp_socket ioctl { SIOCGIFINDEX SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
-
-allow location sysfs_data:file r_file_perms;
-
-allow location self:socket create_socket_perms;
-# whitelist socket ioctl commands
-allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
+# required for xtra-daemon, slim-daemon.
+allow location self:qipcrtr_socket create_socket_perms_no_ioctl;
 
 dontaudit location kernel:system module_request;
 
-allow location proc_net:file r_file_perms;
-
-# execute /vendor/bin/lowi-server
+# execute permission for location daemons in /vendor/bin/
 allow location location_exec:file rx_file_perms;
 
 # /data/vendor/location
@@ -74,21 +68,25 @@ allow location location_socket:dir rw_dir_perms;
 
 allow location hal_gnss_qti:unix_dgram_socket sendto;
 
-# /data/vendor/wifi/wpa
-allow location wpa_data_file:dir rw_dir_perms;
-
-allow location wpa_data_file:sock_file create_file_perms;
-
-allow location hal_wifi_supplicant_default:unix_dgram_socket sendto;
-
+# permission for read execute location daemons in userdebug mode.
 userdebug_or_eng(`
-  allow location diag_device:chr_file rw_file_perms;
+  allow shell location_exec:file rx_file_perms;
 ')
 
-allow location hal_cne_hwservice:hwservice_manager find;
-binder_call(location, cnd)
+## lowi-server
+##############
+# need net_admin for now. Will be removed once FR51023 is complete.
+allow location self:capability { net_admin };
+# some additional network access
+allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow location self:netlink_socket create_socket_perms_no_ioctl;
+allowxperm location self:udp_socket ioctl lowi_server_ioctls;
+allow location hal_wifi:unix_stream_socket { read write };
 
-allow location hal_cacert_hwservice:hwservice_manager find;
+## xtra-daemon
+##############
+allow location {hal_cacert_hwservice hal_datafactory_hwservice hal_cne_hwservice}:hwservice_manager find;
 binder_call(location, qtidataservices_app)
 
-get_prop(location, vendor_wifi_prop)
+# permission to read hosts file
+allow location system_file:file r_file_perms;

generic/vendor/test/file_contexts

@@ -69,25 +69,13 @@
 /(vendor|system/vendor)/bin/sampleauthdaemon    u:object_r:fidotest_exec:s0
 /(vendor|system/vendor)/bin/qseeproxysampledaemon u:object_r:qseeproxysample_exec:s0
 
-#Context for location features
-/(vendor|system/vendor)/bin/sdp_test                            u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/icm_test                            u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/pf_test_app                         u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/quipc_ipe_test                      u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/ipead_test                          u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/quipc_iwmm_test                     u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/slimcw_test                         u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/lowi_test           u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/test-lowi-client                    u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/quipc_os_api_test_1                 u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/quipc_os_api_test_2                 u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/loc_api_v02_utt                     u:object_r:location_exec:s0
+#### Context for location test binaries
+/(vendor|system/vendor)/bin/lowi_test                           u:object_r:location_exec:s0
 /(vendor|system/vendor)/bin/test-version                        u:object_r:location_exec:s0
 /(vendor|system/vendor)/bin/test-pos-tx                         u:object_r:location_exec:s0
 /(vendor|system/vendor)/bin/xtwifi-upload-test                  u:object_r:location_exec:s0
 /(vendor|system/vendor)/bin/test-fake-ap                        u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/loc_api_app                         u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/test_loc_api_client                 u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/test-fdal                           u:object_r:location_exec:s0
 
 /(vendor|system/vendor)/bin/sns.*               u:object_r:sensors_test_exec:s0
 #for testscripts support

qva/private/file.te

@@ -33,4 +33,3 @@ type qvrd_socket, file_type, mlstrustedobject, coredomain_socket;
 type qvrd_hvx_socket, file_type, coredomain_socket;
 type mirrorlink_data_file, file_type, data_file_type, core_data_file_type;
 type mirrorlink_socket, file_type, coredomain_socket;
-type seempdw_socket, file_type, mlstrustedobject, coredomain_socket;

qva/private/location_app.te

@@ -0,0 +1,50 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# generic/location_app.te - sepolicy rules for qti value added location apps
+# that will be part of system image. Eg: XT app.
+
+type location_app, domain;
+app_domain(location_app)
+binder_use(location_app)
+hal_client_domain(location_app, hal_gnss)
+
+net_domain(location_app)
+
+#Permissions for JDWP
+userdebug_or_eng(`
+  allow location_app { adbd su }:unix_stream_socket connectto;
+')
+
+allow location_app app_api_service:service_manager find;
+
+allow location_app system_app_data_file:dir create_dir_perms;
+allow location_app system_app_data_file:file create_file_perms;
+
+allow location_app cgroup:file {read write};
+
+unix_socket_send(location_app, seempdw, seempd);

qva/private/seapp_contexts

@@ -0,0 +1,29 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Add new domain for qti value added Location apps
+user=system seinfo=platform name=com.qualcomm.location.XT isPrivApp=true domain=location_app type=system_app_data_file

qva/private/seempd.te

@@ -25,7 +25,8 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-type seempd, domain, mlstrustedsubject, coredomain;
+typeattribute seempd coredomain;
+typeattribute seempd mlstrustedsubject;
 type seempd_exec, exec_type, system_file_type, file_type;
 
 init_daemon_domain(seempd)

qva/public/file.te

@@ -26,3 +26,4 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 type dpmtcm_socket, file_type, coredomain_socket, mlstrustedobject;
+type seempdw_socket, file_type, mlstrustedobject, coredomain_socket;

qva/public/seempd.te

@@ -0,0 +1,28 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type seempd, domain;

qva/vendor/common/file_contexts

@@ -92,6 +92,15 @@
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.factory@1\.0-service         u:object_r:vendor_hal_factory_qti_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.cvp@1\.0-service             u:object_r:vendor_cvp_exec:s0
 
+#### Context for location features
+## location daemons and binaries
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service                        u:object_r:hal_gnss_qti_exec:s0
+/(vendor|system/vendor)/bin/xtwifi-inet-agent                                      u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/xtwifi-client                                          u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/garden_app                                             u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/DR_AP_Service                                          u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/slim_daemon                                            u:object_r:location_exec:s0
+
 ###################################
 # data files
 #

qva/vendor/common/hal_gnss_qti.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -25,5 +25,11 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-allow hal_gnss self:qipcrtr_socket create_socket_perms_no_ioctl;
-allowxperm hal_gnss self:qipcrtr_socket ioctl msm_sock_ipc_ioctls;
+# qva/hal_gnss_qti.te - generic sepolicy rules for qti value added
+# location hidl
+
+userdebug_or_eng(`
+  get_prop(hal_gnss_qti, vendor_pd_locater_dbg_prop)
+')
+
+allow hal_gnss self:qipcrtr_socket create_socket_perms_no_ioctl;

qva/vendor/common/location.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -25,4 +25,15 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-allow location self:qipcrtr_socket create_socket_perms_no_ioctl;
+# qva/location.te - sepolicy rules for qti value added location modules
+
+## xtwifi-client
+################
+wakelock_use(location)
+allow location self:capability2 wake_alarm;
+unix_socket_connect(location, property, init);
+
+## xtra-daemon
+##############
+#access to qdma socket
+qdma_file_socket(location);

qva/vendor/common/property.te

@@ -48,3 +48,6 @@ type vendor_mmi_prop, property_type;
 
 # Audio debug props
 type vendor_audio_debug_prop, property_type;
+
+# property for location
+type location_prop, property_type;

qva/vendor/common/property_contexts

@@ -53,3 +53,5 @@ ctl.vendor.mmid                              u:object_r:ctl_vendor_mmid_prop:s0
 
 persist.vendor.mmi.                          u:object_r:vendor_mmi_prop:s0
 
+# izat location property
+vendor.qti.izat.                             u:object_r:location_prop:s0

qva/vendor/test/location_app_test.te

@@ -0,0 +1,47 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# qva/private/location_app_test.te - sepolicy rules for qti value added
+# location apps (internal) that will be part of system image. eg: ODLT, Qlogcat
+
+type location_app_test, domain;
+app_domain(location_app_test)
+
+userdebug_or_eng(`
+    binder_use(location_app_test)
+    hal_client_domain(location_app_test, hal_gnss)
+
+    allow location_app_test { adbd su }:unix_stream_socket connectto;
+
+    allow location_app_test app_api_service:service_manager find;
+    allow location_app_test cgroup:file {read write};
+
+    allow location_app_test anr_data_file:dir rw_dir_perms;
+    allow location_app_test anr_data_file:file rw_file_perms;
+
+    unix_socket_send(location_app_test, seempdw, seempd);
+')

qva/vendor/test/seapp_contexts

@@ -0,0 +1,30 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Add new domain for location test apps
+user=_app seinfo=platform name=com.qualcomm.qct.dlt levelfrom=all domain=location_app_test type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.qti.qlogcat levelfrom=all domain=location_app_test type=app_data_file