common: sepolicy: legacy: Add support for MSM8937/MSM8953/MSM8998/SDM660

from LA.UM.9.6.4.r1-03900-89xx.QSSI13.0 and LA.UM.11.2.1.r1-02600-sdm660.0

Includes support for MSM8937/MSM8953/MSM8998/SDM660

Change-Id: Iaa111b2eebaf7ef755b57cea26d6c4ba0a4d5def

BoardConfigQcom.mk

@@ -1,4 +1,4 @@
-# Copyright (C) 2022 Paranoid Android
+# Copyright (C) 2023 Paranoid Android
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -28,15 +28,11 @@ endif
 TARGET_MOUNT_POINTS_SYMLINKS ?= false
 
 # SEPolicy
-ifneq ($(call is-board-platform-in-list, msm8937 msm8953 msm8996 msm8998 sdm660),true)
 ifneq ($(TARGET_EXCLUDE_QCOM_SEPOLICY),true)
-ifneq ($(BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE),)
+ifneq ($(call is-board-platform-in-list, msm8937 msm8953 msm8998 sdm660),true)
 include device/qcom/sepolicy_vndr/SEPolicy.mk
-include device/qcom/common/sepolicy/SEPolicy.mk
-else
+else # if (8937 || 8953 || 8998 || 660)
 include device/qcom/sepolicy/SEPolicy.mk
-endif
-endif # Exclude QCOM SEPolicy
-else
-include device/qcom/sepolicy-legacy/SEPolicy.mk
-endif
+endif # !(8937 || 8953 || 8998 || 660)
+include device/qcom/common/sepolicy/SEPolicy.mk
+endif # Exclude QCOM SEPolicy

sepolicy/SEPolicy.mk

@@ -4,13 +4,13 @@ ifeq ($(TARGET_SEPOLICY_DIR),)
     TARGET_SEPOLICY_DIR := $(TARGET_BOARD_PLATFORM)
 endif
 
-ifeq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
+ifeq (,$(filter sdm845 sdm710 sdm660 msm8937 msm8953 msm8998, $(TARGET_BOARD_PLATFORM)))
     BOARD_VENDOR_SEPOLICY_DIRS += \
         $(COMMON_SEPOLICY_PATH)/generic/vendor/common \
         $(COMMON_SEPOLICY_PATH)/qva/vendor/common \
         $(COMMON_SEPOLICY_PATH)/generic/vendor/$(TARGET_SEPOLICY_DIR) \
         $(COMMON_SEPOLICY_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
-else # 845 and 710
+else # Legacy
     BOARD_VENDOR_SEPOLICY_DIRS += \
         $(COMMON_SEPOLICY_PATH)/legacy/vendor/ssg \
         $(COMMON_SEPOLICY_PATH)/legacy/vendor/common \
@@ -21,8 +21,7 @@ else # 845 and 710
             $(COMMON_SEPOLICY_PATH)/legacy/vendor/test \
             $(COMMON_SEPOLICY_PATH)/legacy/vendor/test/sysmonapp
     endif
-
-endif # 845 and 710
+endif
 
 # Common system policies
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \

sepolicy/legacy/vendor/common/adsprpcd.te

@@ -38,8 +38,8 @@ allow adsprpcd xdsp_device:chr_file r_file_perms;
 # For reading dir/files on /dsp
 r_dir_file(adsprpcd, adsprpcd_file)
 
-# For reading adsprpc_prop
-get_prop(adsprpcd, adsprpc_prop)
+# For reading vendor_adsprpc_prop
+get_prop(adsprpcd, vendor_adsprpc_prop)
 
 allow adsprpcd ion_device:chr_file r_file_perms;
 allow adsprpcd mnt_vendor_file:dir r_dir_perms;

sepolicy/legacy/vendor/common/app.te

@@ -25,9 +25,12 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-get_prop(appdomain, hwui_prop)
-get_prop(appdomain, bservice_prop)
-get_prop(appdomain, reschedule_service_prop)
+#Allow all apps to open and send ioctl to qdsp device
+allow appdomain qdsp_device:chr_file r_file_perms;
+
+get_prop(appdomain, vendor_hwui_prop)
+get_prop(appdomain, vendor_bservice_prop)
+get_prop(appdomain, vendor_reschedule_service_prop)
 get_prop(appdomain, vendor_iop_prop)
 get_prop(appdomain, vendor_scroll_prop)
 

sepolicy/legacy/vendor/common/bluetooth.te

@@ -86,3 +86,6 @@ hal_client_domain(bluetooth, hal_perf);
 
 #allow bluetooth to make binder call to gpuservice
 binder_call(bluetooth, gpuservice);
+
+#Allow bluetooth to read the property
+get_prop(bluetooth, vendor_bluetooth_prop)

sepolicy/legacy/vendor/common/cameraserver.te

@@ -48,8 +48,8 @@ allow cameraserver qdsp_device:chr_file r_file_perms;
 allow cameraserver xdsp_device:chr_file r_file_perms;
 get_prop(cameraserver, camera_prop)
 
-#allow cameraserver to read adsprpc_prop
-get_prop(cameraserver, adsprpc_prop)
+#allow cameraserver to read vendor_adsprpc_prop
+get_prop(cameraserver, vendor_adsprpc_prop)
 
 #need this in full_treble for camera perview
 allow cameraserver hal_allocator:fd use;

sepolicy/legacy/vendor/common/cdsprpcd.te

@@ -35,12 +35,13 @@ init_daemon_domain(cdsprpcd)
 # For reading dir/files on /dsp
 r_dir_file(cdsprpcd, adsprpcd_file)
 
-# For reading adsprpc_prop
-get_prop(cdsprpcd, adsprpc_prop)
+# For reading vendor_adsprpc_prop
+get_prop(cdsprpcd, vendor_adsprpc_prop)
 
 allow cdsprpcd qdsp_device:chr_file r_file_perms;
 allow cdsprpcd ion_device:chr_file r_file_perms;
 
 r_dir_file(cdsprpcd, sysfs_devfreq)
 allow cdsprpcd sysfs_devfreq_l3cdsp:dir r_dir_perms;
 allow cdsprpcd sysfs_devfreq_l3cdsp:file rw_file_perms;
+allow cdsprpcd xdsp_device:chr_file r_file_perms;

sepolicy/legacy/vendor/common/chre.te

@@ -33,7 +33,7 @@ type chre_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(chre)
 r_dir_file(chre, adsprpcd_file)
-get_prop(chre, adsprpc_prop)
+get_prop(chre, vendor_adsprpc_prop)
 
 allow chre ion_device:chr_file r_file_perms;
 allow chre qdsp_device:chr_file r_file_perms;

sepolicy/legacy/vendor/common/cnd.te

@@ -61,7 +61,7 @@ allow cnd self:{
 allow cnd self:netlink_tcpdiag_socket nlmsg_read;
 
 # allow cnd to set cnd property
-set_prop(cnd, cnd_vendor_prop)
+set_prop(cnd, vendor_cnd_vendor_prop)
 
 # allow cnd to access cnd_data_file
 allow cnd cnd_data_file:file create_file_perms;
@@ -113,6 +113,7 @@ allow cnd sysfs_data:file r_file_perms;
 
 add_hwservice(cnd, hal_latency_hwservice)
 add_hwservice(cnd, hal_datafactory_hwservice)
+add_hwservice(cnd, vendor_hal_mwqemadapter_hwservice)
 hwbinder_use(cnd)
 get_prop(cnd, hwservicemanager_prop)
 binder_call(cnd, vendor_dataservice_app)

sepolicy/legacy/vendor/common/dataservice_app.te

@@ -25,7 +25,7 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-get_prop(vendor_dataservice_app, cnd_vendor_prop)
+get_prop(vendor_dataservice_app, vendor_cnd_vendor_prop)
 
 allow vendor_dataservice_app sysfs_data:file r_file_perms;
 
@@ -42,3 +42,5 @@ binder_call(vendor_dataservice_app, hal_rcsservice)
 r_dir_file(vendor_dataservice_app, cnd_data_file)
 
 allow vendor_dataservice_app app_api_service:service_manager find;
+allow vendor_dataservice_app hal_perf_hwservice:hwservice_manager find;
+binder_call(vendor_dataservice_app, hal_perf_default)

sepolicy/legacy/vendor/common/domain.te

@@ -25,16 +25,18 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-r_dir_file({domain - isolated_app -untrusted_app_all }, sysfs_socinfo);
-r_dir_file({domain - isolated_app -untrusted_app_all }, sysfs_esoc);
-r_dir_file({domain - isolated_app -untrusted_app_all }, sysfs_ssr);
+r_dir_file({domain - isolated_app - untrusted_app_all }, sysfs_socinfo);
+r_dir_file({domain - isolated_app - untrusted_app_all }, sysfs_soc);
+r_dir_file({domain - isolated_app - untrusted_app_all }, sysfs_esoc);
+r_dir_file({domain - isolated_app - untrusted_app_all }, sysfs_ssr);
 
 #Reding of standard chip details need this
 allow untrusted_app_all {
         sysfs_socinfo
+        sysfs_soc
         sysfs_esoc
         sysfs_ssr
-        }:dir search ;
+        }:dir search;
 r_dir_file({domain - isolated_app }, vendor_sysfs_public);
 
 dontaudit domain kernel:system module_request;
@@ -70,9 +72,10 @@ allowxperm domain domain:icmp_socket ioctl { unpriv_sock_ioctls unpriv_tty_ioctl
 # For compliance testing test suite reads vendor_security_path_level
 # Which is the public readable property “ ro.vendor.build.security_patch
 get_prop(domain, vendor_security_patch_level_prop)
-get_prop(domain, public_vendor_default_prop)
+get_prop(domain, vendor_public_vendor_default_prop)
 
 allow domain qti_debugfs:dir search;
+
 # allow all context to read sysfs_kgsl
 allow { domain - isolated_app } sysfs_kgsl:dir search;
 # allow all context to read gpu model

sepolicy/legacy/vendor/common/dspservice.te

@@ -47,7 +47,7 @@ hal_attribute_hwservice(vendor_hal_dspmanager, vendor_hal_dspmanager_hwservice)
 r_dir_file(vendor_dspservice, adsprpcd_file)
 
 # For reading "vendor.fastrpc." properties
-get_prop(vendor_dspservice, adsprpc_prop)
+get_prop(vendor_dspservice, vendor_adsprpc_prop)
 
 # Allow access to adsprpc secure and non-secure devices
 allow vendor_dspservice qdsp_device:chr_file r_file_perms;

sepolicy/legacy/vendor/common/dumpstate.te

@@ -41,4 +41,5 @@ dontaudit dumpstate sysfs:file * ;
 allow dumpstate debugfs_mmc:dir search;
 
 binder_call(dumpstate, hal_light_default)
+
 binder_call(dumpstate, hal_power_default)

sepolicy/legacy/vendor/common/embmssl_app.te

@@ -0,0 +1,38 @@
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_embmssl_app, domain;
+app_domain(vendor_embmssl_app);
+
+#============= vendor_embmssl_app ==============
+net_domain(vendor_embmssl_app)
+unix_socket_connect(vendor_embmssl_app, vendor_dpmtcm, vendor_dpmd)
+allow vendor_embmssl_app { app_api_service radio_service }:service_manager find;
+
+#allow embmssl app to access embmssl hal
+hal_client_domain(vendor_embmssl_app, vendor_hal_embmssl);
+hal_client_domain(vendor_embmssl_app, vendor_hal_perf);

sepolicy/legacy/vendor/common/file.te

@@ -195,6 +195,7 @@ type sysfs_hsic_host_rdy, sysfs_type, fs_type;
 
 # Files accessed by qcom-system-daemon
 type sysfs_socinfo, fs_type, sysfs_type;
+type sysfs_soc, sysfs_type, fs_type;
 type vendor_sysfs_public, fs_type, sysfs_type;
 
 type qlogd_socket, file_type, mlstrustedobject;
@@ -236,7 +237,7 @@ type qfp-daemon_data_file, file_type, data_file_type;
 type persist_qti_fp_file, file_type, vendor_persist_type;
 
 # imshelper_app file types
-type imshelper_app_data_file, file_type, data_file_type;
+type vendor_imshelper_app_data_file, file_type, data_file_type;
 
 # RIDL data files
 type RIDL_data_file, file_type, data_file_type;
@@ -286,6 +287,7 @@ type nfc_vendor_data_file, file_type, data_file_type;
 # kgsl file type for sysfs access
 type sysfs_kgsl, sysfs_type, fs_type;
 type sysfs_kgsl_proc, sysfs_type, fs_type;
+type sysfs_kgsl_shell, sysfs_type, fs_type;
 # kgsl snapshot file type for sysfs access
 type sysfs_kgsl_snapshot, sysfs_type, fs_type;
 # kgsl gpu model file type for sysfs access
@@ -416,6 +418,8 @@ type vendor_capabilityconfigstore_data_file, file_type, data_file_type;
 #sensor log files
 type sensors_vendor_data_file, file_type, data_file_type;
 
-type vendor_sysfs_devicetree_cpu, sysfs_type, fs_type;
-
 type vendor_sysfs_kgsl_gpuclk, sysfs_type, fs_type;
+
+#slub-debug
+type sysfs_slab_zshandle_storeuser, fs_type, sysfs_type;
+type sysfs_slab_zspage_storeuser, fs_type, sysfs_type;