Newer
Older
# Copyright (c) 2019-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Changes from Qualcomm Innovation Center are provided under the following license:
# Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
# SPDX-License-Identifier: BSD-3-Clause-Clear
## Automotive specific sepolicy rules for location.
##### location hal daemon
gen_require(`
type power_manager_daemon_t;
type power_socket_t;
type qwesd_t;
type qwes_mink_socket_t;
type location_test_app_t;
type loc_socket_t;
type node_t;
type ecall_app_t;
type sensor_hal_daemon_conf_t;
type sensor_util_t;
type qmux_radio_sock_t;
type rilmuxd_t;
type telsdk_etc_t;
type telsdk_data_t;
userdebug_or_eng(`
gen_require(`
type unconfined_t;
')
allow loc_hald_t unconfined_t:unix_dgram_socket sendto;
')
# power manager access
stream_connect_pattern(loc_hald_t,power_socket_t,power_socket_t,power_manager_daemon_t);
# Telsdk location access
dgram_send_pattern(loc_hald_t, loc_socket_t, loc_socket_t, location_test_app_t);
# Ecall app access
dgram_send_pattern(loc_hald_t, loc_socket_t, loc_socket_t, ecall_app_t);
#### loc hal daemon ####
gptp_rw_gptp_sock_file(loc_hald_t);
gptp_rw_daemon_cl_device(loc_hald_t);
gptp_rw_tmpfs_files(loc_hald_t);
read_files_pattern(loc_hald_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
allow loc_hald_t slim_daemon_t :unix_dgram_socket sendto;
allow loc_hald_t qwes_mink_socket_t:dir search;
allow loc_hald_t qwes_mink_socket_t:sock_file write;
allow loc_hald_t qwesd_t:unix_stream_socket connectto;
allow loc_hald_t xtwifi_client_t:unix_dgram_socket sendto;
#### xtwifi_client_t ####
allow xtwifi_client_t {xtwifi_agent_t loc_hald_t}:unix_dgram_socket sendto;
#### xtwifi_agent_t ####
allow xtwifi_agent_t {loc_hald_t xtwifi_client_t}:unix_dgram_socket sendto;
allow { xtwifi_client_t xtwifi_agent_t } loc_t:unix_dgram_socket { read write sendto };
#### engine service #####
corenet_tcp_connect_soundd_port(engine_service_t);
corenet_tcp_connect_xen_port(engine_service_t);
corenet_tcp_connect_http_port(engine_service_t);
miscfiles_read_generic_certs(engine_service_t);
allow engine_service_t qwesd_t:unix_stream_socket connectto;
allow engine_service_t qwes_mink_socket_t:sock_file write;
allow engine_service_t self:qipcrtr_socket { create getattr read setopt write };
allow engine_service_t loc_t:unix_dgram_socket { read write sendto };
allow engine_service_t qwes_mink_socket_t:dir search;
#### slim_daemon ####
allow slim_daemon_t self:udp_socket create_socket_perms;
allow slim_daemon_t unreserved_port_t:udp_socket name_bind;
allow slim_daemon_t node_t:udp_socket node_bind;
allow slim_daemon_t systemd_resolved_var_run_t:dir search;
allow slim_daemon_t tmpfs_t:filesystem getattr;
allow slim_daemon_t tmpfs_t:dir search;
allow slim_daemon_t self:can_socket create;
allow slim_daemon_t self:can_socket { bind ioctl read setopt };
allow slim_daemon_t sensor_util_t:file { getattr open read };
allow slim_daemon_t system_data_t:dir { getattr read };
allow slim_daemon_t system_data_t:dir search;
dontaudit slim_daemon_t self:capability net_admin;
sensor_dev_socket(slim_daemon_t)
sensor_configuration_access(slim_daemon_t)
allow slim_daemon_t { loc_hald_t lowi_server_t }:unix_dgram_socket sendto;
allow slim_daemon_t device_t:dir search;
# IPC router
allow slim_daemon_t self:qipcrtr_socket create_socket_perms;
read_files_pattern(slim_daemon_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
dev_read_urand(slim_daemon_t);
gptp_rw_gptp_sock_file(slim_daemon_t);
gptp_rw_daemon_cl_device(slim_daemon_t);
gptp_rw_tmpfs_files(slim_daemon_t);
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
#### add telux related services for loc_t and xtra-daemon####
sysnet_manage_config(loc_t)
sysnet_dns_name_resolve(loc_t)
sysnet_manage_config(loc_t)
corenet_tcp_bind_generic_node(loc_t)
corenet_udp_bind_generic_node(loc_t)
corenet_tcp_connect_http_port(loc_t)
corenet_tcp_bind_generic_node(xtra_daemon_t)
corenet_udp_bind_generic_node(xtra_daemon_t)
read_files_pattern(loc_t, default_t, default_t);
read_files_pattern(loc_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
read_files_pattern(loc_t, cert_t, cert_t)
# read build.prop
leprop_read_props(loc_t)
stream_connect_pattern(xtra_daemon_t,qmux_radio_sock_t,qmux_radio_sock_t,rilmuxd_t);
stream_connect_pattern(loc_t,qmux_radio_sock_t,qmux_radio_sock_t,rilmuxd_t);
allow loc_t cert_t:lnk_file read_lnk_file_perms;
telux_allow_data(loc_t)
telux_allow_data(xtra_daemon_t)
telux_allow_tel(loc_t)
telux_allow_tel(xtra_daemon_t)
telux_allow_data_call_ops(xtra_daemon_t)
telux_allow_tel_private_info_read(xtra_daemon_t)