meta-qti-auto-sepolicy: add policies for ITS stack

Add new policies for ITS stack. CRs-Fixed: 3095563 Change-Id: I7db05bbf8ce611b5ed9ccd493d6d1c02a01215c7 Signed-off-by: jie Chen <quic_jie@quicinc.com>

meta-qti-auto-sepolicy: add policies for ITS stack
Add new policies for ITS stack. CRs-Fixed: 3095563 Change-Id: I7db05bbf8ce611b5ed9ccd493d6d1c02a01215c7 Signed-off-by: jie Chen <quic_jie@quicinc.com>
9a8c1fff · jie Chen · 8b8d428c · 9a8c1fff
Commit 9a8c1fff authored 2 years ago by jie Chen
--- a/recipes-security/auto-sepolicy/qcs40x/device/savari.te
+++ b/recipes-security/auto-sepolicy/qcs40x/device/savari.te
@@ -139,8 +139,15 @@ init_vendor_domain(savari_savapp_t,savari_savapp_exec_t)
 #allow unconfined domain for start-stop-daemon
 init_script_domain(savari_initrc_t,savari_initrc_exec_t)

+#allow unconfined domain for start_sav_mgmtd
+init_script_domain(savari_mgmtd_t, savari_mgmtd_exec_t)
+
+#transition to confined domain for savapp
+transition_to_confined_domain(savari_savapp_t, savari_savapp_exec_t);
+
 gen_require(`
    type tmp_t;
+    type tmpfs_t;
    type syslogd_t;
    type node_t;
    type unreserved_port_t;
@@ -154,6 +161,8 @@ gen_require(`
    type proc_net_t;
    type default_t;
    type aerolink_data_t;
+    type user_tmp_t;
+    type systemd_tmpfiles_t;
 ')

 #start_savari_stack_le
@@ -211,6 +220,7 @@ allow savari_smgrd_t self:tcp_socket create_stream_socket_perms;
 filetrans_pattern(savari_smgrd_t, tmp_t, savari_smgrd_socket_t, sock_file)
 allow savari_smgrd_t savari_smgrd_socket_t:sock_file manage_sock_file_perms;
 allow savari_smgrd_t node_t:tcp_socket node_bind;
+logging_send_syslog_msg(savari_smgrd_t);

 #CV2Xd
 allow savari_cv2xd_t self:netlink_socket rw_socket_perms;
@@ -291,6 +301,7 @@ logging_send_syslog_msg(savari_sv2xsecd_t)

 #savapp
 filetrans_pattern(savari_savapp_t, tmp_t, savari_fac_socket_t, sock_file)
+filetrans_pattern(savari_savapp_t, user_tmp_t, savari_fac_socket_t, sock_file)
 allow savari_savapp_t savari_fac_socket_t:sock_file manage_sock_file_perms;
 manage_user_data_files(savari_savapp_t,savari_data_t)
 allow savari_savapp_t savari_bsmd_t:unix_dgram_socket sendto;
@@ -312,3 +323,13 @@ allow savari_blackbox_t self:udp_socket create_socket_perms;
 allow savari_blackbox_t savari_smgrd_socket_t:sock_file write_sock_file_perms;
 allow savari_blackbox_t savari_smgrd_t:unix_stream_socket connectto;
 logging_send_syslog_msg(savari_blackbox_t)
+
+#systemd_tmpfiles
+allow systemd_tmpfiles_t proc_net_t:file read_sock_file_perms;
+allow systemd_tmpfiles_t savari_cv2xd_socket_t:sock_file getattr_sock_file_perms;
+allow systemd_tmpfiles_t savari_fac_socket_t:sock_file getattr_sock_file_perms;
+allow systemd_tmpfiles_t savari_gnsscand_socket_t:sock_file getattr_sock_file_perms;
+allow systemd_tmpfiles_t savari_smgrd_socket_t:sock_file getattr_sock_file_perms;
+allow systemd_tmpfiles_t savari_sv2xsecd_socket_t:sock_file getattr_sock_file_perms;
+allow systemd_tmpfiles_t savari_net_socket_t:sock_file getattr_sock_file_perms;
+allow systemd_tmpfiles_t tmp_t:sock_file getattr_sock_file_perms;
\ No newline at end of file