zenfone6: Update Sepolicy from last QSSI CAF
Change-Id: Ic0be5b080299fea97bfece816a668ca08450d264
diff --git a/sepolicy/qva/private/audioserver.te b/sepolicy/qva/private/audioserver.te
index fd4c7f9..ca657ed 100644
--- a/sepolicy/qva/private/audioserver.te
+++ b/sepolicy/qva/private/audioserver.te
@@ -25,6 +25,7 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+binder_call(audioserver,vendor_wfdservice);
#allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_service:service_manager find;
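Review bot: The added `binder_call(audioserver,vendor_wfdservice);` has no comment and lands directly above `#allow access to ALSA MMAP FDs for AAudio API`, so a reader can take that comment as covering it. A line such as `# Allow audioserver to call back into wfdservice (WiFi Display audio path)` would help, if that is the purpose. The one-line addition in surfaceflinger.te has the same gap.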
diff --git a/sepolicy/qva/private/network_stack.te b/sepolicy/qva/private/bluetooth.te
similarity index 88%
rename from sepolicy/qva/private/network_stack.te
rename to sepolicy/qva/private/bluetooth.te
index 29bfa9c..29ad366 100644
--- a/sepolicy/qva/private/network_stack.te
+++ b/sepolicy/qva/private/bluetooth.te
@@ -1,4 +1,4 @@
-# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,5 +25,4 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-allow network_stack vendor_dpmd:unix_stream_socket connectto;
-allow network_stack vendor_dpmtcm_socket:sock_file write;
+unix_socket_connect(bluetooth, vendor_qvrd_controller, vendor_qvrd)
\ No newline at end of file
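Review bot: The new `unix_socket_connect(bluetooth, vendor_qvrd_controller, vendor_qvrd)` rule has no comment explaining why the bluetooth domain needs the qvrservice controller socket, and the file ends without a trailing newline. Because git records this file as a rename of network_stack.te, the two `network_stack` rules for the dpmd socket are deleted with no replacement visible in this diff; confirm they are no longer needed or now live elsewhere. I would add `# Allow bluetooth to connect to the qvrservice controller socket (<reason>)` above the rule and end the file with a newline, so the last rule cannot run into whatever source follows it.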
diff --git a/sepolicy/qva/private/dpmd.te b/sepolicy/qva/private/dpmd.te
index d1525fe..3df432f 100644
--- a/sepolicy/qva/private/dpmd.te
+++ b/sepolicy/qva/private/dpmd.te
@@ -72,3 +72,4 @@
allow vendor_dpmd proc_net:file write;
#self kill rule to kill vendor_dpmd child process which executes iptable commands
allow vendor_dpmd self:capability kill;
+set_prop(vendor_dpmd, ctl_dpmd_prop)
diff --git a/sepolicy/qva/private/file.te b/sepolicy/qva/private/file.te
index 81ddf78..fb8f9a6 100644
--- a/sepolicy/qva/private/file.te
+++ b/sepolicy/qva/private/file.te
@@ -1,4 +1,4 @@
-# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+# Copyright (c) 2018,2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -30,6 +30,9 @@
type vendor_dpmwrapper_socket, file_type, coredomain_socket, mlstrustedobject;
type vendor_qvrd_data_file, file_type, data_file_type, core_data_file_type;
type vendor_qvrd_socket, file_type, mlstrustedobject, coredomain_socket;
+type vendor_qvrd_controller_socket, file_type, coredomain_socket;
type vendor_qvrd_hvx_socket, file_type, coredomain_socket;
+type vendor_sys_sxrd_data_file, file_type, data_file_type, core_data_file_type;
+type vendor_sys_sxrd_socket, file_type, mlstrustedobject, coredomain_socket;
type vendor_qcc_data_file, file_type, data_file_type, core_data_file_type;
type vendor_qcc_app_socket, file_type, mlstrustedobject, coredomain_socket;
diff --git a/sepolicy/qva/private/file_contexts b/sepolicy/qva/private/file_contexts
index 72d1c2b..b9412f3 100644
--- a/sepolicy/qva/private/file_contexts
+++ b/sepolicy/qva/private/file_contexts
@@ -26,7 +26,6 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
####### device files ##############
-/dev/smcinvoke u:object_r:vendor_smcinvoke_device:s0
/dev/smd7 u:object_r:vendor_smd7_device:s0
####### dev/socket files ##########
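Review bot: Removing the `/dev/smcinvoke` entry leaves that node without a label in this file, and no replacement mapping is visible in the diff. If no other policy labels it, the node presumably falls back to the generic device label and rules written against `vendor_smcinvoke_device` stop matching, so confirm where the mapping moved. In the next hunk the `dpmd` pattern drops the `product` alternative, which needs the same check against the partition the binary actually ships on.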
@@ -34,28 +33,34 @@
/dev/socket/dpmd u:object_r:vendor_dpmd_socket:s0
/dev/socket/tcm u:object_r:vendor_dpmtcm_socket:s0
/dev/socket/qvrservice u:object_r:vendor_qvrd_socket:s0
+/dev/socket/qvrservice_controller u:object_r:vendor_qvrd_controller_socket:s0
/dev/socket/qvrservice_camera u:object_r:vendor_qvrd_socket:s0
/dev/socket/qvrservice_hvx_camera u:object_r:vendor_qvrd_hvx_socket:s0
+/dev/socket/sxrservice u:object_r:vendor_sys_sxrd_socket:s0
/dev/socket/qdma_app(/.*)? u:object_r:vendor_qcc_app_socket:s0
####### system file ###############
/system/bin/seempd u:object_r:vendor_seempd_exec:s0
-/(product|system_ext|system/system_ext)/bin/dpmd u:object_r:vendor_dpmd_exec:s0
-/system/bin/qvrservice u:object_r:vendor_qvrd_exec:s0
+/(system_ext|system/system_ext)/bin/dpmd u:object_r:vendor_dpmd_exec:s0
+/(system_ext|system/system_ext)/bin/qvrservice u:object_r:vendor_qvrd_exec:s0
+/(system_ext|system/system_ext)/bin/sxrservice u:object_r:vendor_sys_sxrd_exec:s0
/system/bin/vpsservice u:object_r:vendor_vpsservice_exec:s0
####### system_ext file ###############
/(system_ext|system/system_ext)/bin/dun-server u:object_r:vendor_dun-server_exec:s0
/(system_ext|system/system_ext)/bin/bt_logger u:object_r:vendor_bt_logger_exec:s0
/(system_ext|system/system_ext)/bin/perfservice u:object_r:vendor_perfservice_exec:s0
+/(system_ext|system/system_ext)/bin/qdtservice u:object_r:vendor_qdtservice_exec:s0
+/(system|system_ext|system/system_ext)/bin/wfdservice u:object_r:vendor_wfdservice_exec:s0
/(system|system_ext|system/system_ext)/bin/sigma_miracasthalservice u:object_r:vendor_sigmahal_qti_exec:s0
/(system_ext|system/system_ext)/bin/qccsyshalservice u:object_r:vendor_qccsyshal_qti_exec:s0
/(system_ext|system/system_ext)/bin/mmi u:object_r:vendor_mmi_sys_exec:s0
/(system_ext|system/system_ext)/bin/mmi_diag u:object_r:vendor_mmi_sys_exec:s0
-
+/(system_ext|system/system_ext)/bin/qspmsvc u:object_r:vendor_qspmsvc_exec:s0
####### data files ################
/data/dpm(/.*)? u:object_r:vendor_dpmd_data_file:s0
/data/misc/qvr(/.*)? u:object_r:vendor_qvrd_data_file:s0
+/data/misc/sxr(/.*)? u:object_r:vendor_sys_sxrd_data_file:s0
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
/data/misc/qdma(/.*)? u:object_r:vendor_qcc_data_file:s0
diff --git a/sepolicy/qva/private/hal_qccsyshalservice.te b/sepolicy/qva/private/hal_qccsyshalservice.te
index bb34fc4..2aaed35 100644
--- a/sepolicy/qva/private/hal_qccsyshalservice.te
+++ b/sepolicy/qva/private/hal_qccsyshalservice.te
@@ -53,3 +53,7 @@
unix_socket_connect(vendor_qccsyshal_qti, vendor_qcc_app, vendor_qcc_app)
allow vendor_qccsyshal_qti vendor_qcc_app_socket:dir r_dir_perms;
allow vendor_qccsyshal_qti vendor_qcc_app_socket:sock_file rw_file_perms;
+
+userdebug_or_eng(`
+ allow vendor_qccsyshal_qti vendor_qcc_lmtp_app:unix_stream_socket connectto;
+')
diff --git a/sepolicy/qva/private/mediaserver.te b/sepolicy/qva/private/mediaserver.te
index 03d0ac4..aa62ea9 100644
--- a/sepolicy/qva/private/mediaserver.te
+++ b/sepolicy/qva/private/mediaserver.te
@@ -28,3 +28,4 @@
unix_socket_send(mediaserver, vendor_seempdw, vendor_seempd)
get_prop(mediaserver, vendor_mm_video_prop)
+get_prop(mediaserver, vendor_sys_video_prop)
diff --git a/sepolicy/qva/private/priv_app.te b/sepolicy/qva/private/priv_app.te
index e557087..2fef4c3 100644
--- a/sepolicy/qva/private/priv_app.te
+++ b/sepolicy/qva/private/priv_app.te
@@ -28,3 +28,5 @@
get_prop(priv_app, vendor_persist_camera_prop)
allow priv_app vendor_dpmtcm_socket:sock_file w_file_perms;
allow priv_app vendor_dpmd:unix_stream_socket connectto;
+# QVA app need to find soundtrigger_middleware_service
+allow priv_app soundtrigger_middleware_service:service_manager find;
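Review bot: This `find` permission is granted to every app in the `priv_app` domain, while the comment says only the QVA app needs `soundtrigger_middleware_service`. If that app can be given its own domain through a `seapp_contexts` entry, the rule should be scoped there rather than widening all privileged apps. If it has to stay on `priv_app`, the comment should name the package so the grant can be audited later, e.g. `# <package name> needs to find soundtrigger_middleware_service`.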
diff --git a/sepolicy/qva/private/property.te b/sepolicy/qva/private/property.te
index 80d09a4..45068fa 100644
--- a/sepolicy/qva/private/property.te
+++ b/sepolicy/qva/private/property.te
@@ -32,7 +32,11 @@
type vendor_mm_video_prop, property_type, extended_core_property_type;
+#WiFi Display
+type vendor_wfd_service_prop, property_type, extended_core_property_type;
+type vendor_wfd_sys_debug_prop, property_type, extended_core_property_type;
# WIGIG
type vendor_wigig_core_prop, property_type, extended_core_property_type;
type vendor_fst_prop, property_type, extended_core_property_type;
+system_internal_prop(ctl_dpmd_prop)
diff --git a/sepolicy/qva/private/property_contexts b/sepolicy/qva/private/property_contexts
index 6fa6be8..bd4dded 100644
--- a/sepolicy/qva/private/property_contexts
+++ b/sepolicy/qva/private/property_contexts
@@ -56,8 +56,24 @@
vendor.sys.media.target.version u:object_r:vendor_sys_video_prop:s0
vendor.sys.video.disable.ubwc u:object_r:vendor_sys_video_prop:s0
+#Wifi Display
+vendor.wfdservice u:object_r:vendor_wfd_service_prop:s0
+persist.vendor.debug.wfd.wfdsvc u:object_r:vendor_wfd_sys_debug_prop:s0
+persist.vendor.debug.wfdcdbg u:object_r:vendor_wfd_sys_debug_prop:s0
+persist.vendor.debug.wfdcdbgv u:object_r:vendor_wfd_sys_debug_prop:s0
+persist.vendor.sys.debug.mux. u:object_r:vendor_wfd_sys_debug_prop:s0
+persist.vendor.sys.debug.rtp. u:object_r:vendor_wfd_sys_debug_prop:s0
+persist.vendor.sys.debug.wfd. u:object_r:vendor_wfd_sys_debug_prop:s0
+vendor.sys.debug.wfd. u:object_r:vendor_wfd_sys_debug_prop:s0
+
# WIGIG
persist.vendor.wigig. u:object_r:vendor_wigig_core_prop:s0
persist.vendor.fst. u:object_r:vendor_fst_prop:s0
persist.dpm.feature u:object_r:vendor_persist_dpm_prop:s0
+ctl.stop$dpmd u:object_r:ctl_dpmd_prop:s0
+# Beluga
+ro.vendor.beluga.p u:object_r:vendor_exported_system_prop:s0
+ro.vendor.beluga.c u:object_r:vendor_exported_system_prop:s0
+ro.vendor.beluga.s u:object_r:vendor_exported_system_prop:s0
+ro.vendor.beluga.t u:object_r:vendor_exported_system_prop:s0
diff --git a/sepolicy/qva/private/qcc_lmtp_app.te b/sepolicy/qva/private/qcc_lmtp_app.te
new file mode 100644
index 0000000..495284f
--- /dev/null
+++ b/sepolicy/qva/private/qcc_lmtp_app.te
@@ -0,0 +1,57 @@
+# Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_qcc_lmtp_app, domain, coredomain;
+userdebug_or_eng(`
+ app_domain(vendor_qcc_lmtp_app)
+ net_domain(vendor_qcc_lmtp_app)
+ binder_use(vendor_qcc_lmtp_app)
+
+ allow vendor_qcc_lmtp_app {activity_service}:service_manager find;
+
+ allow vendor_qcc_lmtp_app location_service:service_manager find;
+
+ # for vendor_perf_service
+ allow vendor_qcc_lmtp_app vendor_perf_service:service_manager find;
+
+ # allow access to socket
+ unix_socket_connect(vendor_qcc_lmtp_app, vendor_dpmtcm, vendor_dpmd)
+
+ # allow access to qcc dropbox
+ allow vendor_qcc_lmtp_app vendor_qcc_data_file:dir create_dir_perms;
+ allow vendor_qcc_lmtp_app vendor_qcc_data_file:file create_file_perms;
+
+ # allow vendor_qcc_lmtp_app to access system_app_data_file
+ # necessary for read and write /data/data subdirectory
+ allow vendor_qcc_lmtp_app system_app_data_file:dir create_dir_perms;
+ allow vendor_qcc_lmtp_app system_app_data_file:file create_file_perms;
+
+ # Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
+ unix_socket_connect(vendor_qcc_lmtp_app, vendor_qcc_app, vendor_qcc_app)
+ allow vendor_qcc_lmtp_app vendor_qcc_app_socket:dir rw_dir_perms;
+ allow vendor_qcc_lmtp_app vendor_qcc_app_socket:sock_file create_file_perms;
+')
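Review bot: `type vendor_qcc_lmtp_app, domain, coredomain;` is declared unconditionally while every rule for it, including `app_domain()`, sits inside `userdebug_or_eng`, and the seapp_contexts hunk of this commit maps `com.qualcomm.qti.qcclmtp` to the domain on all build types. On a user build the package, if installed, would be assigned a domain that has none of the app rules, so confirm it ships only on debug builds or wrap the seapp_contexts entry the same way. Separately, `create_dir_perms` and `create_file_perms` on `system_app_data_file` reach the data of every app labeled with that type, not only this package. A comment naming the paths actually needed would make that grant reviewable.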
diff --git a/sepolicy/qva/private/qcc_utils_app.te b/sepolicy/qva/private/qcc_utils_app.te
index ee49af7..3253144 100644
--- a/sepolicy/qva/private/qcc_utils_app.te
+++ b/sepolicy/qva/private/qcc_utils_app.te
@@ -25,7 +25,6 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-type vendor_qcc_utils_app, domain, coredomain;
app_domain(vendor_qcc_utils_app)
net_domain(vendor_qcc_utils_app)
binder_use(vendor_qcc_utils_app)
diff --git a/sepolicy/qva/private/qdtservice.te b/sepolicy/qva/private/qdtservice.te
new file mode 100644
index 0000000..d80a845
--- /dev/null
+++ b/sepolicy/qva/private/qdtservice.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_qdtservice_exec, exec_type, system_file_type, file_type;
+type vendor_qdtservice, domain, coredomain;
+
+init_daemon_domain(vendor_qdtservice)
+
+add_service(vendor_qdtservice, vendor_qdt_service);
+binder_use(vendor_qdtservice);
+binder_service(vendor_qdtservice);
+
+hal_client_domain(vendor_qdtservice, vendor_hal_perf)
diff --git a/sepolicy/qva/private/qspmsvc.te b/sepolicy/qva/private/qspmsvc.te
new file mode 100644
index 0000000..ac71950
--- /dev/null
+++ b/sepolicy/qva/private/qspmsvc.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute vendor_qspmsvc coredomain;
+type vendor_qspmsvc_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(vendor_qspmsvc)
+add_service(vendor_qspmsvc, vendor_qspmsvc_service);
+binder_use(vendor_qspmsvc);
+binder_call(vendor_qspmsvc, system_server);
+binder_service(vendor_qspmsvc);
+hal_client_domain(vendor_qspmsvc, hal_thermal)
diff --git a/sepolicy/qva/private/qvrd.te b/sepolicy/qva/private/qvrd.te
index 09b4feb..a182614 100644
--- a/sepolicy/qva/private/qvrd.te
+++ b/sepolicy/qva/private/qvrd.te
@@ -1,4 +1,4 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+# Copyright (c) 2017,2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -51,6 +51,7 @@
# Allow access to our socket
allow vendor_qvrd vendor_qvrd_socket:sock_file rw_file_perms;
+allow vendor_qvrd vendor_qvrd_controller_socket:sock_file rw_file_perms;
#
# Sensors
diff --git a/sepolicy/qva/private/seapp_contexts b/sepolicy/qva/private/seapp_contexts
index 6ce9d8d..f04368b 100644
--- a/sepolicy/qva/private/seapp_contexts
+++ b/sepolicy/qva/private/seapp_contexts
@@ -28,9 +28,14 @@
#Add new domain for qti value added Location apps
user=_app seinfo=platform name=com.qualcomm.location.XT isPrivApp=true domain=vendor_location_app type=app_data_file
user=_app seinfo=platform name=com.qualcomm.location isPrivApp=true domain=vendor_location_app type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.wfd.service:wfd_service domain=vendor_wfd_app type=app_data_file levelfrom=all
+user=_app seinfo=platform name=com.qualcomm.wfd.client domain=vendor_wfd_app type=app_data_file levelfrom=all
+user=_app seinfo=platform name=com.qualcomm.qti.ssmeditor domain=vendor_qconfig_app type=app_data_file levelfrom=all
#Add new domain for QCC
user=system seinfo=platform name=com.qualcomm.qti.qdma isPrivApp=true domain=vendor_qcc_app type=system_app_data_file
+#Add new domain for QCCLMTP
+user=system seinfo=platform name=com.qualcomm.qti.qcclmtp isPrivApp=true domain=vendor_qcc_lmtp_app type=system_app_data_file
#Add new domain for QCC-Utils
user=system seinfo=platform name=com.qualcomm.qti.qdmautils isPrivApp=true domain=vendor_qcc_utils_app type=system_app_data_file
# Add new domain for FM app
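Review bot: The three added `vendor_wfd_app` / `vendor_qconfig_app` entries sit under the `#Add new domain for qti value added Location apps` comment and, unlike the neighbouring entries, omit `isPrivApp=true`. They therefore match on platform signature and package or process name alone. If these packages are always installed as privileged apps, adding `isPrivApp=true` tightens the match. In either case their own heading, e.g. `#Add new domains for WFD and QConfig apps`, would keep the file navigable.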
diff --git a/sepolicy/qva/private/service.te b/sepolicy/qva/private/service.te
index 64176ff..87dd607 100644
--- a/sepolicy/qva/private/service.te
+++ b/sepolicy/qva/private/service.te
@@ -29,9 +29,12 @@
type vendor_dpmservice, service_manager_type;
type vendor_MinkBinderSvc, app_api_service, service_manager_type;
type vendor_perf_service, app_api_service, service_manager_type;
+type vendor_qdt_service, app_api_service, service_manager_type;
type vendor_izat_service, app_api_service, system_api_service, service_manager_type;
type vendor_color_service, service_manager_type;
+type vendor_wfdservice_service, service_manager_type;
type vendor_wigigp2p_service, app_api_service, system_server_service, service_manager_type;
type vendor_wigig_service, app_api_service, system_server_service, service_manager_type;
type vendor_vps_service, app_api_service, service_manager_type;
+type vendor_qspmsvc_service, app_api_service, service_manager_type;
diff --git a/sepolicy/qva/private/service_contexts b/sepolicy/qva/private/service_contexts
index 0e96a0f..afe0493 100644
--- a/sepolicy/qva/private/service_contexts
+++ b/sepolicy/qva/private/service_contexts
@@ -28,6 +28,7 @@
dpmservice u:object_r:vendor_dpmservice:s0
MinkBinderSvc u:object_r:vendor_MinkBinderSvc:s0
vendor.perfservice u:object_r:vendor_perf_service:s0
+vendor.qdtservice u:object_r:vendor_qdt_service:s0
sms-sec u:object_r:radio_service:s0
extphone u:object_r:radio_service:s0
qti.radio.extphone u:object_r:radio_service:s0
@@ -35,8 +36,10 @@
qti.security.seempspa u:object_r:vendor_seemp_service:s0
vendor.audio.vrservice u:object_r:audioserver_service:s0
com.qti.snapdragon.sdk.display.IColorService u:object_r:vendor_color_service:s0
+wfdservice u:object_r:vendor_wfdservice_service:s0
wigigp2p u:object_r:vendor_wigigp2p_service:s0
wigig u:object_r:vendor_wigig_service:s0
display.smomoservice u:object_r:surfaceflinger_service:s0
vendor.vpsservice u:object_r:vendor_vps_service:s0
+vendor.qspmsvc u:object_r:vendor_qspmsvc_service:s0
diff --git a/sepolicy/qva/private/sigma-hal.te b/sepolicy/qva/private/sigma-hal.te
index d22c99f..dc64d3e 100644
--- a/sepolicy/qva/private/sigma-hal.te
+++ b/sepolicy/qva/private/sigma-hal.te
@@ -37,6 +37,12 @@
#Allow the interaction with servicemanager
binder_use(vendor_sigmahal_qti)
+#Allow the interaction with wfdservice
+binder_call(vendor_sigmahal_qti,vendor_wfdservice);
+
+#Allow access to vendor_wfdservice_service,audioserver_service,surfaceflinger_service to interact with vendor_sigmahal_qti
+allow vendor_sigmahal_qti {vendor_wfdservice_service audioserver_service surfaceflinger_service}:service_manager find;
+
#Allow vendor_sigmahal_qti to interact with audio_server
binder_call(vendor_sigmahal_qti,audioserver);
diff --git a/sepolicy/qva/private/surfaceflinger.te b/sepolicy/qva/private/surfaceflinger.te
index 0c5f011..5cff9c7 100644
--- a/sepolicy/qva/private/surfaceflinger.te
+++ b/sepolicy/qva/private/surfaceflinger.te
@@ -25,3 +25,4 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+binder_call(surfaceflinger, vendor_wfdservice);
diff --git a/sepolicy/qva/private/sxrd.te b/sepolicy/qva/private/sxrd.te
new file mode 100644
index 0000000..988c2cb
--- /dev/null
+++ b/sepolicy/qva/private/sxrd.te
@@ -0,0 +1,61 @@
+# Copyright (c) 2020 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute vendor_sys_sxrd coredomain;
+typeattribute vendor_sys_sxrd mlstrustedsubject;
+type vendor_sys_sxrd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(vendor_sys_sxrd)
+
+# Allow access to our socket
+allow vendor_sys_sxrd vendor_sys_sxrd_socket:sock_file rw_file_perms;
+
+# Allow interracting with vendor_sxrd directory
+allow vendor_sys_sxrd vendor_sys_sxrd_data_file:dir create_dir_perms;
+allow vendor_sys_sxrd vendor_sys_sxrd_data_file:file create_file_perms;
+
+#video device
+allow vendor_sys_sxrd video_device:chr_file rw_file_perms;
+
+#Allow hal graphics allocator permissions
+hal_client_domain(vendor_sys_sxrd, hal_graphics_allocator);
+
+#access to usb device
+allow vendor_sys_sxrd usb_device:chr_file rw_file_perms;
+allow vendor_sys_sxrd usb_device:dir search;
+allow vendor_sys_sxrd device:dir search;
+
+#Allow access to PCM sound card
+allow vendor_sys_sxrd audio_device:chr_file rw_file_perms;
+allow vendor_sys_sxrd audio_device:dir r_dir_perms;
+
+#Allow access to Audio Flinger APIs
+binder_call(vendor_sys_sxrd, audioserver);
+allow vendor_sys_sxrd audioserver_service : service_manager find;
+
+# Add rule to access /proc/asound/pcm file
+r_dir_file(vendor_sys_sxrd, proc_asound);
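Review bot: `typeattribute vendor_sys_sxrd mlstrustedsubject;` exempts the daemon from MLS separation, and nothing in the file says why that is needed for a service that also gets read-write access to `usb_device`, `video_device` and `audio_device` nodes. A why-comment above it is missing, for example `# mlstrustedsubject: clients connect from app domains at different MLS levels`, if that is indeed the reason. The comment `# Allow interracting with vendor_sxrd directory` is misspelled and does not match the type it covers; `# Allow access to the sxr data directory (vendor_sys_sxrd_data_file)` would be accurate. The `type vendor_sys_sxrd` declaration itself is not in this diff and is presumably in public policy.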
diff --git a/sepolicy/qva/private/system_app.te b/sepolicy/qva/private/system_app.te
index cf3675c..819e759 100644
--- a/sepolicy/qva/private/system_app.te
+++ b/sepolicy/qva/private/system_app.te
@@ -42,3 +42,6 @@
# allow system_app access to wigig Property
get_prop(system_app, vendor_wigig_core_prop);
+
+#allow system_app to access faceauth
+hal_client_domain(system_app, hal_face)
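Review bot: `hal_client_domain(system_app, hal_face)` makes every app running in the `system_app` domain a client of the face HAL, and the comment does not say which app needs it or why it cannot go through the framework's biometric service. Direct HAL access from a shared app domain widens who can talk to the biometric stack, so the grant would be better placed on a dedicated domain for the one package. At minimum the comment should identify the consumer, e.g. `# <package name> talks to the face HAL directly for <feature>`.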
diff --git a/sepolicy/qva/private/system_server.te b/sepolicy/qva/private/system_server.te
index 6ec24b8..9d026ea 100644
--- a/sepolicy/qva/private/system_server.te
+++ b/sepolicy/qva/private/system_server.te
@@ -50,6 +50,11 @@
binder_call(system_server,vendor_qvrd);
+#Allow for access to WFD specific debug properties
+binder_call(system_server, vendor_wfdservice);
+userdebug_or_eng(`
+ get_prop(system_server, vendor_wfd_sys_debug_prop)
+')
# Allow system server to access fst,wigig system properties
set_prop(system_server, vendor_wigig_core_prop)
set_prop(system_server, vendor_fst_prop)
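Review bot: The comment `#Allow for access to WFD specific debug properties` sits above `binder_call(system_server, vendor_wfdservice);`, which is a binder rule that applies on all build types. The comment really describes only the `get_prop` inside `userdebug_or_eng`. I would move it inside that block and give the binder rule its own line, such as `# Allow system_server to call into wfdservice`. In the next hunk of this file the comment says "add and find", but the rule grants only `find` on `vendor_qspmsvc_service`; `#Allow system_server to find qspmsvc service` matches what is granted.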
@@ -57,3 +62,6 @@
# Allow system server to access for dpm
get_prop(system_server, vendor_persist_dpm_prop)
+#Allow system_server to add and find qspmsvc service
+allow system_server vendor_qspmsvc_service:service_manager find;
+
diff --git a/sepolicy/qva/private/untrusted_app_all.te b/sepolicy/qva/private/untrusted_app_all.te
index 3a533a4..c639b1e 100644
--- a/sepolicy/qva/private/untrusted_app_all.te
+++ b/sepolicy/qva/private/untrusted_app_all.te
@@ -28,3 +28,5 @@
unix_socket_connect(untrusted_app_all, vendor_dpmtcm, vendor_dpmd)
unix_socket_connect(untrusted_app_all, vendor_qvrd, vendor_qvrd)
allow untrusted_app_all vendor_qvrd:fd use;
+unix_socket_connect(untrusted_app_all, vendor_sys_sxrd, vendor_sys_sxrd)
+allow untrusted_app_all vendor_sys_sxrd:fd use;
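Review bot: These two lines let every third-party app connect to the `sxrservice` socket and use file descriptors from `vendor_sys_sxrd`, a domain that the sxrd.te section of this commit makes `mlstrustedsubject` with raw USB, video and audio device access. No comment records which clients are expected, or that the daemon must treat everything arriving on this socket as untrusted input. I would add `# <client apps> connect to sxrservice; the daemon must check peer credentials and validate every request`. If the set of clients is known, the connect should be granted to a dedicated app domain instead of `untrusted_app_all`.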
diff --git a/sepolicy/qva/private/vendor_qconfig_app.te b/sepolicy/qva/private/vendor_qconfig_app.te
new file mode 100644
index 0000000..f455f0e
--- /dev/null
+++ b/sepolicy/qva/private/vendor_qconfig_app.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_qconfig_app, domain;
+typeattribute vendor_qconfig_app coredomain;
+
+app_domain(vendor_qconfig_app)
+binder_use(vendor_qconfig_app)
+
+allow vendor_qconfig_app app_api_service:service_manager find;
+hal_client_domain(vendor_qconfig_app, vendor_hal_qconfig)
diff --git a/sepolicy/qva/private/wfd_app.te b/sepolicy/qva/private/wfd_app.te
new file mode 100644
index 0000000..412b954
--- /dev/null
+++ b/sepolicy/qva/private/wfd_app.te
@@ -0,0 +1,59 @@
+# Copyright (c) 2020 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute vendor_wfd_app coredomain;
+
+app_domain(vendor_wfd_app)
+
+net_domain(vendor_wfd_app)
+
+set_prop(vendor_wfd_app, vendor_wfd_service_prop);
+userdebug_or_eng(`
+ get_prop(vendor_wfd_app, vendor_wfd_sys_debug_prop);
+#Access to MM-OSAL debug prop for parser debugging on WFD sink
+ get_prop(vendor_wfd_app, vendor_mm_osal_prop);
+#Allow access to logmask file in /data/
+ allow vendor_wfd_app system_data_file:file r_file_perms;
+')
+binder_call(vendor_wfd_app, vendor_wfdservice)
+
+# allow access to read video SKU property for WFD sink
+get_prop(vendor_wfd_app, vendor_sys_video_prop)
+
+allow vendor_wfd_app {
+ vendor_wfdservice_service
+ audioserver_service
+ mediaserver_service
+ mediadrmserver_service
+ app_api_service
+ vendor_perf_service
+ mediametrics_service
+}:service_manager find;
+
+# Access to /data/media for debug dump
+allow vendor_wfd_app media_rw_data_file:dir create_dir_perms;
+allow vendor_wfd_app media_rw_data_file:file create_file_perms;
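Review bot: The last two rules grant `create_dir_perms` and `create_file_perms` on `media_rw_data_file` on all build types, although their comment says the access is for debug dumps and the other debug-only grants in this file sit inside `userdebug_or_eng`. Moving both `allow vendor_wfd_app media_rw_data_file:...` lines into the existing `userdebug_or_eng(` block would keep shared-storage write access off user builds. If production really needs it, the comment should say what is written there, rather than "debug dump". The `type vendor_wfd_app` declaration is not part of this file and is presumably in public policy.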
diff --git a/sepolicy/qva/private/wfdservice.te b/sepolicy/qva/private/wfdservice.te
new file mode 100644
index 0000000..2e7c97d
--- /dev/null
+++ b/sepolicy/qva/private/wfdservice.te
@@ -0,0 +1,77 @@
+# Copyright (c) 2017, 2019-2020 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute vendor_wfdservice coredomain;
+type vendor_wfdservice_exec, system_file_type , exec_type, file_type;
+
+#Allow for transition from init domain to vendor_wfdservice
+init_daemon_domain(vendor_wfdservice)
+
+#Inherit base socket permissions from netd domain
+net_domain(vendor_wfdservice)
+
+#Allow vendor_wfdservice to use Binder IPC
+binder_use(vendor_wfdservice)
+
+#Allow for interaction with Display HAL
+binder_call(vendor_wfdservice, surfaceflinger)
+
+#Allow apps to interact with vendor_wfdservice
+binder_call(vendor_wfdservice, vendor_wfd_app)
+
+#Allow access to Audio Flinger APIs
+binder_call(vendor_wfdservice, audioserver)
+
+#Allow access to Permission Controller in System Server
+binder_call(vendor_wfdservice, system_server)
+
+#Allow vendor_wfdservice to be registered with service manager
+add_service(vendor_wfdservice, vendor_wfdservice_service)
+
+userdebug_or_eng(`
+ #Allow access to read mmosal_logmask file in /data partition
+ allow vendor_wfdservice system_data_file:file r_file_perms;
+
+ #Allow access to wfd debug properties
+ get_prop(vendor_wfdservice, vendor_wfd_sys_debug_prop)
+')
+
+# Allow access to mediaserver, surfaceflinger and permissionmanager for interaction of vendor_wfdservice
+allow vendor_wfdservice {audioserver_service permission_service surfaceflinger_service}: service_manager find;
+
+hal_client_domain(vendor_wfdservice, hal_graphics_allocator);
+
+hal_client_domain(vendor_wfdservice, hal_graphics_composer);
+
+#Allow ion device access
+allow vendor_wfdservice ion_device:chr_file r_file_perms;
+
+#Allow source to access video UBWC property(for display config)
+get_prop(vendor_wfdservice, vendor_sys_video_prop)
+
+#Allow the interaction with vendor_sigmahal_qti
+binder_call(vendor_wfdservice, vendor_sigmahal_qti);
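Review bot: Several comments in this new file do not describe the rule beneath them, which makes the policy harder to audit. The comment `# Allow access to mediaserver, surfaceflinger and permissionmanager ...` precedes a rule that lists `audioserver_service permission_service surfaceflinger_service`, so it should read `# Allow finding the audioserver, permission and surfaceflinger services`. The comment `#Allow apps to interact with vendor_wfdservice` sits above `binder_call(vendor_wfdservice, vendor_wfd_app)`, which grants calls from the service to the app, so `#Allow vendor_wfdservice to call back into vendor_wfd_app` is closer. `#Inherit base socket permissions from netd domain` misdescribes `net_domain()`, which marks the domain as a network client; `#Allow vendor_wfdservice to use network sockets` would be accurate.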
diff --git a/sepolicy/qva/private/zygote.te b/sepolicy/qva/private/zygote.te
index ad26a79..1912999 100644
--- a/sepolicy/qva/private/zygote.te
+++ b/sepolicy/qva/private/zygote.te
@@ -28,3 +28,4 @@
unix_socket_send(zygote, vendor_seempdw, vendor_seempd)
get_prop(zygote, vendor_persist_dpm_prop)
+get_prop(zygote, vendor_sys_video_prop)