Merge d70fdccf9a on remote branch

Change-Id: I3225aa23fd24021313239390b350e6bb903389e7

generic/private/device_integration.te

@@ -0,0 +1,31 @@
+# Copyright (C) 2023 Microsoft Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###
+### Sepolicies below are the same with priv_app domain.
+###
+type device_integration, domain, coredomain;
+app_domain(device_integration)
+net_domain(device_integration)
+bluetooth_domain(device_integration)
+
+# Priv apps can find services that expose both @SystemAPI and normal APIs.
+allow device_integration app_api_service:service_manager find;
+allow device_integration system_api_service:service_manager find;
+
+###
+### Sepolicies below are different from priv_app domain.
+###
+
+allow device_integration vendor_virtual_keyboard_service:service_manager find;

generic/private/domain.te

@@ -27,3 +27,5 @@
 
 get_prop(domain, vendor_exported_system_prop)
 get_prop(domain, vendor_exported_odm_prop)
+
+dontaudit domain vendor_afp_prop:file r_file_perms;

generic/private/file_contexts

@@ -68,7 +68,7 @@
 /(system_ext|system/system_ext)/bin/perfetto_dump\.sh           u:object_r:vendor_perfetto_dump_exec:s0
 /(system_ext|system/system_ext)/bin/qxrsplitauxservice  u:object_r:vendor_sys_sxrauxd_exec:s0
 /(system_ext|system/system_ext)/bin/qsguard  u:object_r:qsguard_exec:s0
-/system_ext/bin/virtual_keyboard     u:object_r:virtual_keyboard_exec:s0
+/system_ext/bin/virtual_keyboard     u:object_r:vendor_virtual_keyboard_exec:s0
 
 ####### data files ################
 /data/dpm(/.*)?                                 u:object_r:vendor_dpmd_data_file:s0

generic/private/priv_app.te

@@ -31,6 +31,5 @@ allow priv_app vendor_dpmtcm_socket:sock_file w_file_perms;
 allow priv_app vendor_dpmd:unix_stream_socket connectto;
 # QVA app need to find soundtrigger_middleware_service
 allow priv_app soundtrigger_middleware_service:service_manager find;
-allow priv_app virtual_keyboard_service:service_manager find;
 
 unix_socket_connect(priv_app, vendor_dpmtcm, vendor_tcmd);

generic/private/qesdkSystem.te

@@ -32,7 +32,8 @@ app_domain(vendor_qesdk_app)
 #allow vendor_qesdk_app to access vendor_hal_qesdhal
 qesdk_app_access(vendor_qesdk_app);
 allow vendor_qesdk_app system_data_file:dir search;
-allow vendor_qesdk_app system_app_data_file:dir { getattr search };
+allow vendor_qesdk_app system_app_data_file:dir { create_dir_perms };
+allow vendor_qesdk_app system_app_data_file:file create_file_perms;
 allow vendor_qesdk_app user_profile_root_file:dir search;
 allow vendor_qesdk_app app_api_service:service_manager find;
 hal_client_domain(vendor_qesdk_app, vendor_hal_perf)

generic/private/qti-testscripts.te

@@ -97,4 +97,7 @@ userdebug_or_eng(`
 
 # allow lmkd to kill tasks with positive oom_score_adj under memory pressure
   allow lmkd qti-testscripts:process { setsched sigkill };
+
+  hal_client_domain(qti-testscripts, vendor_hal_diaghal);
+  hwbinder_use(qti-testscripts)
 ')

generic/private/seapp_contexts

@@ -79,3 +79,6 @@ user=_app seinfo=platform name=com.qualcomm.qti.workloadclassifier domain=vendor
 
 #Add new domain for xrcb app
 user=_app seinfo=platform name=com.qualcomm.qti.xrcb domain=vendor_xrcb_app type=app_data_file levelFrom=all
+
+# Add new domain for device integration service app
+user=_app isPrivApp=true name=com.microsoft.deviceintegrationservice domain=device_integration type=privapp_data_file levelFrom=user

generic/private/service.te

@@ -39,6 +39,6 @@ type vendor_wigig_service,               app_api_service, system_server_service,
 type vendor_vps_service,          app_api_service, service_manager_type;
 type vendor_qspmsvc_service,             app_api_service, service_manager_type;
 type vendor_qvirtmgr_service,            service_manager_type;
-type virtual_keyboard_service,      service_manager_type;
+type vendor_virtual_keyboard_service,      service_manager_type;
 type cross_device_service,          app_api_service, system_server_service, service_manager_type;
 

generic/private/service_contexts

@@ -57,5 +57,5 @@ vendor.qvirtmgr                                u:object_r:vendor_qvirtmgr_servic
 vendor.qti.qesdsys.IQesdSys/default            u:object_r:vendor_qesdk_service:s0
 vendor.qti.hardware.radio.atcmdfwd.IAtCmdFwd/AtCmdFwdAidl u:object_r:radio_service:s0
 vendor.qti.qvirt.IVirtualizationService/default   u:object_r:vendor_hal_qvirt_service:s0
-virtual_keyboard                          u:object_r:virtual_keyboard_service:s0
+vendor.virtual_keyboard                   u:object_r:vendor_virtual_keyboard_service:s0
 cross_device_service                      u:object_r:cross_device_service:s0

generic/private/system_app.te

@@ -46,4 +46,9 @@ get_prop(system_app, vendor_wigig_core_prop);
 #allow system_app to access faceauth
 hal_client_domain(system_app, hal_face)
 
+# allow system_app to access IWifiMyFtm AIDL service
+userdebug_or_eng(`
+hal_client_domain(system_app, vendor_hal_wifimyftm);
+')
+
 unix_socket_connect(system_app, vendor_dpmtcm, vendor_tcmd);

generic/private/tcmd.te

@@ -38,5 +38,5 @@ set_prop(vendor_tcmd, vendor_persist_tcm_prop)
 #allow vendor_tcmd to create socket
 allow vendor_tcmd self:socket create_socket_perms_no_ioctl;
 set_prop(vendor_tcmd, ctl_tcmd_prop)
-
+binder_use(vendor_tcmd)
 hal_client_domain(vendor_tcmd,vendor_hal_dpmapiservice_qti);

generic/private/virtual_keyboard.te

@@ -12,22 +12,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-type virtual_keyboard, domain, coredomain;
-type virtual_keyboard_exec, system_file_type, exec_type, file_type;
+type vendor_virtual_keyboard, domain, coredomain;
+type vendor_virtual_keyboard_exec, system_file_type, exec_type, file_type;
 
-init_daemon_domain(virtual_keyboard);
+init_daemon_domain(vendor_virtual_keyboard);
 
-binder_use(virtual_keyboard)
-binder_service(virtual_keyboard)
-add_service(virtual_keyboard, virtual_keyboard_service)
+binder_use(vendor_virtual_keyboard)
+binder_service(vendor_virtual_keyboard)
+add_service(vendor_virtual_keyboard, vendor_virtual_keyboard_service)
 
 # Needed to check app permissions.
-binder_call(virtual_keyboard, system_server)
+binder_call(vendor_virtual_keyboard, system_server)
 
 # Requires access to /dev/uinput to create and feed the virtual device.
-allow virtual_keyboard uhid_device:chr_file { w_file_perms ioctl };
+allow vendor_virtual_keyboard uhid_device:chr_file { w_file_perms ioctl };
 
 # Requires access to the package manager native service for clients'
 # package name check
-allow virtual_keyboard package_native_service:service_manager find;
+allow vendor_virtual_keyboard package_native_service:service_manager find;
 

generic/product/private/dumpstate.te

@@ -0,0 +1,4 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+allow dumpstate vendor_vm_qti_system_file:dir getattr;

generic/product/private/file_contexts

@@ -34,3 +34,4 @@
 /(product|system|system_ext)/bin/qcrosvm                         u:object_r:vendor_qcrosvm_exec:s0
 /(product|system/product)/vm-system(/.*)?                        u:object_r:vendor_vm_qti_system_file:s0
 /(product|system|system_ext)/bin/vendor\.qti\.qvirt-service      u:object_r:vendor_hal_qvirtservice_qti_exec:s0
+/(product|system|system_ext)/bin/vendor\.qti\.qvirt-service_rs   u:object_r:vendor_hal_qvirtservice_qti_exec:s0