meta-qti-auto-sepolicy: Sepolicies to access phon_home.json file

Specifying the sepolicy rules for phone-home services to access & modify phone_home.json file. Change-Id: I3293c0cfdf2ebfa1a5e2489ac783a80525271335 Signed-off-by: nnimish <quic_nnimish@quicinc.com> (cherry picked from commit c6e2e126)

meta-qti-auto-sepolicy: Sepolicies to access phon_home.json file
Specifying the sepolicy rules for phone-home services to access & modify phone_home.json file. Change-Id: I3293c0cfdf2ebfa1a5e2489ac783a80525271335 Signed-off-by: nnimish <quic_nnimish@quicinc.com> (cherry picked from commit c6e2e126)
02a3d656 · nnimish · a8130796 · 02a3d656
Commit 02a3d656 authored 4 months ago by nnimish
--- a/recipes-security/auto-sepolicy/common/device/edgehub.te
+++ b/recipes-security/auto-sepolicy/common/device/edgehub.te
@@ -76,6 +76,7 @@ gen_require(`
    type smcinvoke_device_t;
    type vendor_dmabuf_qseecomta_heap_device_t;
    type vendor_dmabuf_qseecom_heap_device_t;
+    type phone_home_t;
    class service { start status stop reload };
 ')

@@ -116,6 +117,10 @@ allow c2c_hub_t unreserved_port_t:tcp_socket name_connect;
 allow c2c_hub_t urandom_device_t:chr_file { read getattr open create};
 corenet_tcp_connect_http_port(c2c_hub_t);
 allow c2c_hub_t edgehub_etc_conf_t:dir { open search read getattr};
+allow c2c_hub_t self:fifo_file {read getattr write};
+allow c2c_hub_t phone_home_t:file {getattr open read };
+
+

 # ph_manager policy
 init_vendor_domain(ph_manager_t, ph_manager_exec_t)
@@ -136,6 +141,7 @@ allow ph_manager_t unreserved_port_t:tcp_socket name_connect;
 allow ph_manager_t urandom_device_t:chr_file { read getattr open create};
 allow ph_manager_t edgehub_etc_conf_t:dir { open search read getattr};
 allow ph_manager_t self:fifo_file {read getattr write};
+allow ph_manager_t phone_home_t:file {getattr open read };
 logging_send_syslog_msg(ph_manager_t)

 # dm policy
@@ -166,6 +172,14 @@ allow dm_manager_t vendor_dmabuf_qseecomta_heap_device_t:chr_file {read open ioc
 allow dm_manager_t vendor_dmabuf_qseecom_heap_device_t:chr_file {read open ioctl};
 allow dm_manager_t smcinvoke_device_t:chr_file {read write open ioctl};
 telux_allow_loc(dm_manager_t);
+allow dm_manager_t self:fifo_file {read getattr write};
+firmware_read_files(dm_manager_t)
+logging_send_syslog_msg(dm_manager_t)
+allow dm_manager_t vendor_dmabuf_qseecomta_heap_device_t:chr_file {read open ioctl};
+allow dm_manager_t vendor_dmabuf_qseecom_heap_device_t:chr_file {read open ioctl};
+allow dm_manager_t smcinvoke_device_t:chr_file {read write open ioctl};
+telux_allow_loc(dm_manager_t);
+allow dm_manager_t phone_home_t:file {getattr open read };

 #smq_manager policy
 init_vendor_domain(smq_manager_t, smq_manager_exec_t)