Add 'sepolicy/' from tag 'android-15.0.0_r1'

git-subtree-dir: sepolicy git-subtree-mainline: 02d0587cdd git-subtree-split: f0aabb085a Change-Id: I34e37568728d8ef0ad8a4bf39194e60e1e28daad
2024-10-06 23:12:04 +03:00 · 2024-10-06 23:12:04 +03:00 · 86c57cf612
commit 86c57cf612
parent 02d0587cdd f0aabb085a
31 changed files with 230 additions and 0 deletions
--- a/sepolicy/OWNERS
+++ b/sepolicy/OWNERS
@ -0,0 +1,4 @@
+include device/google/gs-common:/sepolicy/OWNERS
+
+adamshih@google.com
+
--- a/sepolicy/bluetooth/file_contexts
+++ b/sepolicy/bluetooth/file_contexts
@ -0,0 +1,10 @@
+# Bluetooth HAL service
+/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti  u:object_r:hal_bluetooth_default_exec:s0
+
+# Bluetooth Vendor nodes
+/dev/btpower                                    u:object_r:bt_device:s0
+/dev/ttySAC18                                   u:object_r:hci_attach_dev:s0
+
+# Bluetooth Debuggable HAL nodes
+/dev/logbuffer_btpower                          u:object_r:logbuffer_device:s0
+/dev/logbuffer_tty18                            u:object_r:logbuffer_device:s0
--- a/sepolicy/bluetooth/genfs_contexts
+++ b/sepolicy/bluetooth/genfs_contexts
@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:btqcom/rfkill/rfkill0/state                             u:object_r:sysfs_bluetooth_writable:s0
--- a/sepolicy/bluetooth/grilservice_app.te
+++ b/sepolicy/bluetooth/grilservice_app.te
@ -0,0 +1 @@
+binder_call(grilservice_app, hal_bluetooth_default)
--- a/sepolicy/bluetooth/hal_bluetooth_default.te
+++ b/sepolicy/bluetooth/hal_bluetooth_default.te
@ -0,0 +1,12 @@
+allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
+
+add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice)
+
+userdebug_or_eng(`
+  allow hal_bluetooth_default logbuffer_device:chr_file r_file_perms;
+  allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+  allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+  allow hal_bluetooth_default sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow hal_bluetooth_default sscoredump_vendor_data_coredump_file:file create_file_perms;
+  set_prop(hal_bluetooth_default, vendor_ssrdump_prop)
+')
--- a/sepolicy/bluetooth/hwservice.te
+++ b/sepolicy/bluetooth/hwservice.te
@ -0,0 +1,2 @@
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
--- a/sepolicy/bluetooth/hwservice_contexts
+++ b/sepolicy/bluetooth/hwservice_contexts
@ -0,0 +1,3 @@
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance   u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar                          u:object_r:hal_bluetooth_coexistence_hwservice:s0
--- a/sepolicy/lynx-sepolicy.mk
+++ b/sepolicy/lynx-sepolicy.mk
@ -0,0 +1,3 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/tracking_denials
--- a/sepolicy/tracking_denials/bug_map
+++ b/sepolicy/tracking_denials/bug_map
@ -0,0 +1,2 @@
+kernel vendor_charger_debugfs dir b/305600791
+hal_bluetooth_default vendor_data_file dir b/318453067
--- a/sepolicy/vendor/README.txt
+++ b/sepolicy/vendor/README.txt
@ -0,0 +1,2 @@
+This folder holds sepolicy exclusively for one device. For example, genfs_contexts
+paths that are affected by device tree.
--- a/sepolicy/vendor/cnss-daemon.te
+++ b/sepolicy/vendor/cnss-daemon.te
@ -0,0 +1,20 @@
+# cnss-daemon service
+type cnss-daemon, domain;
+type cnss-daemon_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(cnss-daemon)
+
+net_domain(cnss-daemon)
+
+allow cnss-daemon self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow cnss-daemon self:qipcrtr_socket create_socket_perms_no_ioctl;
+
+# /data/vendor/wifi/
+allow cnss-daemon vendor_wifi_vendor_data_file:dir create_dir_perms;
+allow cnss-daemon vendor_wifi_vendor_data_file:file create_file_perms;
+
+# /proc/sys/net/ipv4/tcp_adv_win_scal
+allow cnss-daemon proc_net:file rw_file_perms;
+
+# /sys/class/remoteproc
+allow cnss-daemon sysfs_cnss_daemon:dir r_dir_perms;
+allow cnss-daemon sysfs_cnss_daemon:file r_file_perms;
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@ -0,0 +1,2 @@
+# Wifi
+type vendor_wlan_device, dev_type;
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@ -0,0 +1,7 @@
+type vendor_location_data_file, file_type, data_file_type;
+type vendor_location_socket, file_type;
+type vendor_wifi_vendor_data_file, file_type, data_file_type;
+type vendor_wifihal_socket, file_type;
+type vendor_location_sysfs, fs_type, sysfs_type;
+type vendor_proc_wifi_dbg, fs_type, proc_type;
+type sysfs_cnss_daemon, fs_type, sysfs_type;
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@ -0,0 +1,18 @@
+# Devices
+/dev/lwis-act-lc898129                                                      u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898129                                                   u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx712                                             u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx712-uw                                          u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898129                                                      u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx712                                                     u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx712-uw                                                  u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx787                                                     u:object_r:lwis_device:s0
+
+# Wifi
+/data/vendor/wifi(/.*)?                 u:object_r:vendor_wifi_vendor_data_file:s0
+/dev/wlan                               u:object_r:vendor_wlan_device:s0
+/dev/socket/location(/.*)?              u:object_r:vendor_location_socket:s0
+/dev/socket/wifihal(/.*)?               u:object_r:vendor_wifihal_socket:s0
+/vendor/bin/loc_launcher                u:object_r:vendor_location_exec:s0
+/vendor/bin/lowi-server                 u:object_r:lowi_server_exec:s0
+/vendor/bin/cnss-daemon                 u:object_r:cnss-daemon_exec:s0
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@ -0,0 +1,20 @@
+# Wifi
+genfscon sysfs /devices/soc0/soc_id      u:object_r:vendor_location_sysfs:s0
+genfscon proc /debugdriver/driverdump    u:object_r:vendor_proc_wifi_dbg:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/net    u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net    u:object_r:sysfs_net:s0
+genfscon sysfs /class/remoteproc     u:object_r:sysfs_cnss_daemon:s0
+
+# BMS
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061                  u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/power_supply     u:object_r:sysfs_batteryinfo:s0
+
+# System Suspend
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/power_supply/wireless/wakeup     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/wakeup                           u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup                                       u:object_r:sysfs_wakeup:s0
+
+# PowerStats
+genfscon sysfs /kernel/wifi/power_stats    u:object_r:sysfs_power_stats:s0
--- a/sepolicy/vendor/hal_dumpstate_default.te
+++ b/sepolicy/vendor/hal_dumpstate_default.te
@ -0,0 +1,2 @@
+# b/267839070
+dontaudit hal_dumpstate_default sysfs:dir { read };
--- a/sepolicy/vendor/hal_power_stats_default.te
+++ b/sepolicy/vendor/hal_power_stats_default.te
@ -0,0 +1,2 @@
+# Needed to detect wifi on/off
+get_prop(hal_power_stats_default, wifi_hal_prop)
--- a/sepolicy/vendor/hal_radioext_default.te
+++ b/sepolicy/vendor/hal_radioext_default.te
@ -0,0 +1 @@
+binder_call(hal_radioext_default, hal_bluetooth_default)
--- a/sepolicy/vendor/hal_wifi_default.te
+++ b/sepolicy/vendor/hal_wifi_default.te
@ -0,0 +1,19 @@
+allow hal_wifi_default vendor_wlan_device:chr_file w_file_perms;
+allow hal_wifi_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# write to files owned by location daemon
+allow hal_wifi_default vendor_location_socket:dir rw_dir_perms;
+allow hal_wifi_default vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow hal_wifi_default vendor_location:unix_dgram_socket sendto;
+allow hal_wifi_default lowi_server:unix_dgram_socket sendto;
+
+# Connect to vendor_location via vendor_location socket.
+unix_socket_connect(hal_wifi, vendor_location, vendor_location)
+allow hal_wifi_default vendor_wifihal_socket:dir rw_dir_perms;
+allow hal_wifi_default vendor_wifihal_socket:sock_file create_file_perms;
+
+# allow hal_wifi to write into /proc/debugdriver/driverdump
+r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg);
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_default, vendor_wifi_version)
--- a/sepolicy/vendor/hal_wifi_ext.te
+++ b/sepolicy/vendor/hal_wifi_ext.te
@ -0,0 +1,16 @@
+allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms;
+allow hal_wifi_ext vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# write to files owned by location daemon
+allow hal_wifi_ext vendor_location_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow hal_wifi_ext vendor_location:unix_dgram_socket sendto;
+allow hal_wifi_ext lowi_server:unix_dgram_socket sendto;
+
+# Connect to vendor_location via vendor_location socket.
+unix_socket_connect(hal_wifi, vendor_location, vendor_location)
+allow hal_wifi_ext vendor_wifihal_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_wifihal_socket:sock_file create_file_perms;
+
+# allow hal_wifi to write into /proc/debugdriver/driverdump
+r_dir_file(hal_wifi_ext, vendor_proc_wifi_dbg);
--- a/sepolicy/vendor/hal_wifi_hostapd.te
+++ b/sepolicy/vendor/hal_wifi_hostapd.te
@ -0,0 +1 @@
+allow hal_wifi_hostapd_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
--- a/sepolicy/vendor/hal_wifi_supplicant.te
+++ b/sepolicy/vendor/hal_wifi_supplicant.te
@ -0,0 +1 @@
+allow hal_wifi_supplicant_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
--- a/sepolicy/vendor/ioctl_macros
+++ b/sepolicy/vendor/ioctl_macros
@ -0,0 +1,9 @@
+define(`lowi_server_ioctls', `{
+SIOCGIFINDEX
+SIOCGIFHWADDR
+SIOCGIFFLAGS
+SIOCIWFIRSTPRIV_05
+SIOCIWFIRSTPRIV_11
+SIOCIWFIRSTPRIV_13
+SIOCDEVPRIVATE_1
+}')
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@ -0,0 +1 @@
+dontaudit kernel vendor_battery_debugfs:dir search;
--- a/sepolicy/vendor/logger_app.te
+++ b/sepolicy/vendor/logger_app.te
@ -0,0 +1,3 @@
+userdebug_or_eng(`
+  allow logger_app vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
--- a/sepolicy/vendor/lowi_server.te
+++ b/sepolicy/vendor/lowi_server.te
@ -0,0 +1,36 @@
+# lowi_server service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type lowi_server, domain;
+type lowi_server_exec, exec_type, vendor_file_type, file_type;
+
+hwbinder_use(lowi_server)
+allow lowi_server self:udp_socket create_socket_perms;
+allow lowi_server self:netlink_route_socket create_socket_perms_no_ioctl;
+
+## lowi-server
+##############
+allow lowi_server vendor_location:fd use;
+allow lowi_server vendor_location:unix_dgram_socket {sendto read write};
+
+# some additional network access
+allow lowi_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allowxperm lowi_server self:udp_socket ioctl lowi_server_ioctls;
+
+# /data/vendor/wifi
+allow lowi_server vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# /data/vendor/wifi/wpa
+allow lowi_server wpa_data_file:dir rw_dir_perms;
+allow lowi_server wpa_data_file:sock_file create_file_perms;
+allow lowi_server hal_wifi_supplicant_default:unix_dgram_socket sendto;
+
+# /dev/socket/wifihal
+allow lowi_server vendor_wifihal_socket:dir rw_dir_perms;
+allow lowi_server vendor_wifihal_socket:sock_file create_file_perms;
+allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;
+unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_default);
+unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_ext);
+
+# /dev/socket/vendor_location
+allow lowi_server vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow lowi_server vendor_location_socket:dir rw_dir_perms;
--- a/sepolicy/vendor/tcpdump_logger.te
+++ b/sepolicy/vendor/tcpdump_logger.te
@ -0,0 +1,3 @@
+userdebug_or_eng(`
+  allow tcpdump_logger vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@ -0,0 +1,2 @@
+# Camera
+set_prop(vendor_init, vendor_camera_prop)
--- a/sepolicy/vendor/vendor_location.te
+++ b/sepolicy/vendor/vendor_location.te
@ -0,0 +1,20 @@
+# loc_launcher service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type vendor_location, domain;
+type vendor_location_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_location)
+
+# execute permission for vendor_location daemons in /vendor/bin/
+domain_auto_trans(vendor_location, lowi_server_exec, lowi_server)
+
+# /dev/socket/vendor_location
+allow vendor_location vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow vendor_location vendor_location_socket:dir rw_dir_perms;
+
+# /sys/devices/soc0/soc_id
+allow vendor_location vendor_location_sysfs:file create_file_perms;
+
+# /dev/socket/location/mq/*
+allow vendor_location lowi_server:unix_dgram_socket {sendto read write};
+allow vendor_location hal_wifi_default:unix_dgram_socket {sendto read write};
+allow vendor_location hal_wifi_ext:unix_dgram_socket {sendto read write};
--- a/sepolicy/vendor/wifi_perf_diag.te
+++ b/sepolicy/vendor/wifi_perf_diag.te
@ -0,0 +1,3 @@
+userdebug_or_eng(`
+  allow wifi_perf_diag vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
--- a/sepolicy/vendor/wifi_sniffer.te
+++ b/sepolicy/vendor/wifi_sniffer.te
@ -0,0 +1,4 @@
+userdebug_or_eng(`
+  allow wifi_sniffer self:capability { setuid setgid };
+  allow wifi_sniffer vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
				`@ -0,0 +1 @@`
				`genfscon sysfs /devices/platform/odm/odm:btqcom/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0`
				`@ -0,0 +1 @@`
				`binder_call(grilservice_app, hal_bluetooth_default)`
				`@ -0,0 +1 @@`
				`binder_call(hal_radioext_default, hal_bluetooth_default)`
				`@ -0,0 +1 @@`
				`allow hal_wifi_hostapd_default vendor_wifi_vendor_data_file:dir rw_dir_perms;`
				`@ -0,0 +1 @@`
				`allow hal_wifi_supplicant_default vendor_wifi_vendor_data_file:dir rw_dir_perms;`
				`@ -0,0 +1 @@`
				`dontaudit kernel vendor_battery_debugfs:dir search;`