Merge "sepolicy: add policies for mdm_helper"

generic/vendor/msmnile/device.te

@@ -31,5 +31,4 @@ type uefi_block_device, dev_type;
 type logdump_partition, dev_type;
 type mba_debug_dev, dev_type;
 type dip_device, dev_type;
-type efs_boot_dev, dev_type;
 type rawdump_block_device, dev_type;

qva/vendor/common/device.te

@@ -32,3 +32,6 @@ type spdaemon_ssr_device, dev_type;
 type cryptoapp_device, dev_type;
 type sec_nvm_device, dev_type;
 type qbt1000_device, dev_type;
+type esoc_device, dev_type;
+type mhi_device, dev_type;
+type efs_boot_dev, dev_type;

qva/vendor/common/file_contexts

@@ -35,6 +35,8 @@
 /dev/cryptoapp                        u:object_r:cryptoapp_device:s0
 /dev/sec_nvm_.*                       u:object_r:sec_nvm_device:s0
 /dev/qbt1000                          u:object_r:qbt1000_device:s0
+/dev/esoc.*                           u:object_r:esoc_device:s0
+/dev/mhi_.*                           u:object_r:mhi_device:s0
 
 ###################################
 # System files
@@ -69,6 +71,8 @@
 /(vendor|system/vendor)/bin/adpl                                                   u:object_r:adpl_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.esepowermanager@1\.0-service           u:object_r:hal_esepowermanager_qti_exec:s0
 /(vendor|system/vendor)/bin/esepmdaemon                                            u:object_r:esepmdaemon_exec:s0
+/(vendor|system/vendor)/bin/mdm_helper                                             u:object_r:mdm_helper_exec:s0
+/(vendor|system/vendor)/bin/ks                                                     u:object_r:mdm_helper_exec:s0
 
 ###################################
 # data files

qva/vendor/common/init_shell.te

@@ -26,3 +26,4 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 allow qti_init_shell sysfs_npu:file rw_file_perms;
+set_prop(qti_init_shell, vendor_mdm_helper_prop)

qva/vendor/common/mdm_helper.te

@@ -0,0 +1,62 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Policy for mdm_helper
+#mdm_helper - mdm_helper domain
+type mdm_helper, domain;
+type mdm_helper_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mdm_helper);
+
+#block_suspend capability is needed by kickstart(ks)
+wakelock_use(mdm_helper)
+
+#Needed to power on the peripheral
+allow mdm_helper ssr_device:chr_file r_file_perms;
+
+#Needed to access the esoc device to control the mdm
+allow mdm_helper esoc_device:dir r_dir_perms;
+allow mdm_helper esoc_device:chr_file rw_file_perms;
+
+#Needed in order to run kickstart
+allow mdm_helper vendor_shell_exec:file rx_file_perms;
+allow mdm_helper mdm_helper_exec :file x_file_perms;
+
+userdebug_or_eng(`
+#Needed for ram dump storage
+allow mdm_helper vendor_tombstone_data_file:dir create_dir_perms;
+allow mdm_helper vendor_tombstone_data_file:file create_file_perms;
+')
+
+#Needed by ks in order to access the efs sync partitions.
+allow mdm_helper block_device:dir r_dir_perms;
+allow mdm_helper efs_boot_dev:blk_file rw_file_perms;
+
+#Needed in order to access the firmware partition
+r_dir_file(mdm_helper, firmware_file)
+
+#Needed to allow boot over PCIe
+allow mdm_helper mhi_device:chr_file rw_file_perms;

qva/vendor/common/property.te

@@ -28,3 +28,4 @@
 type vendor_dataadpl_prop, property_type;
 type spcomlib_prop, property_type;
 type vendor_qdma_prop, property_type;
+type vendor_mdm_helper_prop, property_type;

qva/vendor/common/property_contexts

@@ -28,6 +28,7 @@
 ctl.vendor.dataadpl                          u:object_r:vendor_dataadpl_prop:s0
 vendor.spcom.                                u:object_r:spcomlib_prop:s0
 persist.vendor.bt.soc.scram_freqs            u:object_r:vendor_bluetooth_prop:s0
+ctl.vendor.mdm_helper                        u:object_r:vendor_mdm_helper_prop:s0
 
 # qdma property
 vendor.qti.qdma.                             u:object_r:vendor_qdma_prop:s0