Merge "sepolicy: add nlmsg_readpriv capability to ipacm"
diff --git a/generic/vendor/common/file_contexts b/generic/vendor/common/file_contexts
index cc3e2bb..68447d5 100644
--- a/generic/vendor/common/file_contexts
+++ b/generic/vendor/common/file_contexts
@@ -438,7 +438,8 @@
/data/vendor/mediadrm(/.*)? u:object_r:vendor_mediadrm_vendor_data_file:s0
/data/vendor/nnhal(/.*)? u:object_r:vendor_hal_neuralnetworks_data_file:s0
-/sys/devices(/platform)?/soc/[a-f0-9\.:]+,[a-f0-9\-\_]+/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+# Moved to target specfic folder so removing this from common file
+#/sys/devices(/platform)?/soc/[a-f0-9\.:]+,[a-f0-9\-\_]+/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0(/.*)? u:object_r:vendor_sysfs_kgsl:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:vendor_sysfs_kgsl:s0
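Review bot: The L11 entry is kept as commented-out code instead of being deleted; the change description already records the move, so the dead regex should go, and if a pointer is wanted it should be one line with the typo fixed: `# subsys*/name (vendor_sysfs_ssr) is labeled in the target-specific file_contexts`. Until every target that consumes this common file carries its own entry, that sysfs node falls back to the generic sysfs label, so any domain granted `vendor_sysfs_ssr` in common policy would start seeing denials there rather than gaining access — worth confirming the target-specific entry landed in the same change set.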
diff --git a/qva/vendor/common/attributes b/qva/vendor/common/attributes
index c01c62d..0a5e458 100644
--- a/qva/vendor/common/attributes
+++ b/qva/vendor/common/attributes
@@ -101,6 +101,8 @@
attribute vendor_hal_srvctracker_client;
attribute vendor_hal_srvctracker_server;
+attribute vendor_spunvm_file_type;
+
attribute vendor_hal_bluetooth_dun;
attribute vendor_hal_bluetooth_dun_client;
attribute vendor_hal_bluetooth_dun_server;
diff --git a/qva/vendor/common/device.te b/qva/vendor/common/device.te
index d29805b..a3be1cb 100644
--- a/qva/vendor/common/device.te
+++ b/qva/vendor/common/device.te
@@ -26,9 +26,11 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hsic_device, dev_type;
+type vendor_spss_utils_device, dev_type;
type vendor_skp_device, dev_type;
type vendor_sp_keymaster_device, dev_type;
type vendor_sp_ssr_device, dev_type;
+type vendor_sp_nvm_device, dev_type;
type vendor_spdaemon_ssr_device, dev_type;
type vendor_spu_hal_ssr_device, dev_type;
type vendor_iuicc_device, dev_type;
diff --git a/qva/vendor/common/domain.te b/qva/vendor/common/domain.te
index 2da0958..106e1e7 100644
--- a/qva/vendor/common/domain.te
+++ b/qva/vendor/common/domain.te
@@ -26,3 +26,9 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
dontaudit domain vendor_persist_dpm_prop:file r_file_perms;
+neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vendor_spdaemon
+} vendor_spunvm_file_type: { dir file } *;
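Review bot: `-vendor_spdaemon` in the exclusion list is a no-op if vendor_spdaemon is not a coredomain, which its `init_daemon_domain` declaration in spdaemon.te suggests; the neverallow then only constrains core domains, and any other vendor domain can still be granted access to `vendor_spunvm_file_type` without a build-time check. If the intent is that spdaemon is the sole accessor, the assertion should be keyed on `domain` rather than `coredomain` (with whatever init-time exclusions labeling needs, e.g. vendor_init), which is where the `-vendor_spdaemon` exclusion actually takes effect. The `vendor_persist_iar_db_file` type added in the same change holds the same IAR-DB but gets no equivalent neverallow, so the two stores end up with different guarantees; either add a parallel rule or state in a comment why the persist copy is not protected.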
diff --git a/qva/vendor/common/file.te b/qva/vendor/common/file.te
index 957d7b5..a0ec12d 100644
--- a/qva/vendor/common/file.te
+++ b/qva/vendor/common/file.te
@@ -29,6 +29,7 @@
type vendor_qti_data_file, file_type, data_file_type;
type vendor_persist_secnvm_file, file_type , vendor_persist_type;
+type vendor_persist_iar_db_file, file_type , vendor_persist_type;
#mink-lowi-interface-daemon (mlid) socket
type vendor_mlid_socket, file_type, mlstrustedobject;
@@ -42,6 +43,10 @@
#ssg tz daemon socket
type vendor_ssgtzd_socket, file_type, mlstrustedobject;
+#spunvm file types
+type vendor_spunvm_file, file_type, vendor_spunvm_file_type;
+allow vendor_spunvm_file self:filesystem associate;
+
type vendor_qfp-daemon_data_file, file_type, data_file_type;
type vendor_persist_qti_fp_file, file_type, vendor_persist_type;
type vendor_sysfs_touch_aoi, fs_type, sysfs_type;
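Review bot: `vendor_spunvm_file` is declared with `file_type` only, so none of the generic neverallows keyed on `data_file_type` or `vendor_file_type` apply to it and its protection rests entirely on the new `vendor_spunvm_file_type` neverallow in domain.te; that is presumably deliberate for a separately mounted partition but deserves a comment. The `self:filesystem associate` rule indicates the partition is mounted with a `context=` option, so the comment should say so: `# spunvm partition, mounted by init with context= (see fstab); files inherit this label`. This file otherwise only declares types, so I'd keep the `allow` next to the init mount rules rather than here.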
@@ -92,6 +97,9 @@
type vendor_wifi_vendor_wpa_socket, file_type, data_file_type;
type vendor_hostapd_socket, file_type, data_file_type;
+#spss sysfs files
+type vendor_sysfs_spss, fs_type, sysfs_type;
+
#vpp
type vendor_vpp_data_file, file_type, data_file_type;
type vendor_persist_vpp_file, file_type, vendor_persist_type;
diff --git a/qva/vendor/common/file_contexts b/qva/vendor/common/file_contexts
index e8602b0..72b1b63 100644
--- a/qva/vendor/common/file_contexts
+++ b/qva/vendor/common/file_contexts
@@ -30,9 +30,11 @@
#
/dev/hsicctl.* u:object_r:vendor_hsic_device:s0
/dev/sp_kernel u:object_r:vendor_skp_device:s0
+/dev/sp_nvm u:object_r:vendor_sp_nvm_device:s0
/dev/sp_keymaster u:object_r:vendor_sp_keymaster_device:s0
/dev/sp_ssr u:object_r:vendor_sp_ssr_device:s0
/dev/spdaemon_ssr u:object_r:vendor_spdaemon_ssr_device:s0
+/dev/spss_utils u:object_r:vendor_spss_utils_device:s0
/dev/spu_hal_ssr u:object_r:vendor_spu_hal_ssr_device:s0
/dev/iuicc u:object_r:vendor_iuicc_device:s0
/dev/iuicc0 u:object_r:vendor_iuicc_device:s0
@@ -170,6 +172,8 @@
/sys/devices(/platform)?/soc/soc:qcom,gpubw/devfreq/soc:qcom,gpubw(/.*)? u:object_r:vendor_sysfs_devfreq:s0
+/sys/devices(/platform)?/soc/soc:qcom,spss_utils(/.*)? u:object_r:vendor_sysfs_spss:s0
+
###################################
# data files
#
@@ -196,11 +200,15 @@
# persist files
#
/mnt/vendor/persist/secnvm(/.*)? u:object_r:vendor_persist_secnvm_file:s0
+/mnt/vendor/persist/iar_db(/.*)? u:object_r:vendor_persist_iar_db_file:s0
/mnt/vendor/persist/qti_fp(/.*)? u:object_r:vendor_persist_qti_fp_file:s0
/mnt/vendor/persist/FTM_AP(/.*)? u:object_r:vendor_persist_mmi_file:s0
/mnt/vendor/persist/vpp(/.*)? u:object_r:vendor_persist_vpp_file:s0
/mnt/vendor/persist/hvdcp_opti(/.*)? u:object_r:vendor_persist_hvdcp_file:s0
+# spunvm partition
+/mnt/vendor/spunvm(/.*)? u:object_r:vendor_spunvm_file:s0
+
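Review bot: The `/mnt/vendor/spunvm(/.*)?` entry only labels files on a filesystem that stores xattrs; the `self:filesystem associate` rule added for `vendor_spunvm_file` in file.te suggests the partition is mounted with `context=u:object_r:vendor_spunvm_file:s0`, in which case this entry effectively labels just the mount-point directory and every file under it gets the label from the mount option. Please confirm the fstab entry carries that context option (or that the filesystem supports xattrs and is restorecon'd), otherwise the files end up `unlabeled` and spdaemon's new rules never match. A comment making the mechanism explicit would help the next reader: `# spunvm partition: file labels come from the context= mount option in fstab; this entry covers the mount point`.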
# same-process HAL files and their dependencies
#
# libmmi_jni
diff --git a/qva/vendor/common/init.te b/qva/vendor/common/init.te
index 24efd8d..19c6917 100644
--- a/qva/vendor/common/init.te
+++ b/qva/vendor/common/init.te
@@ -26,3 +26,7 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow init vendor_sysfs_graphics:file setattr;
+
+# allow init to mount spunvm partition
+allow init vendor_spunvm_file:dir mounton;
+allow init vendor_spunvm_file:filesystem { relabelto relabelfrom mount };
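Review bot: The `relabelfrom` on `vendor_spunvm_file:filesystem` looks broader than the comment on L129 justifies; a `context=` mount needs `relabelto` on the new superblock label and `relabelfrom` on whatever label the superblock had before, so `relabelfrom` on the spunvm label itself is only exercised if the filesystem is remounted while already carrying it. If audit logs don't show that path, trim to `allow init vendor_spunvm_file:filesystem { relabelto mount };` and keep `mounton`; if remount is a real path, say so in the comment. Either way the comment should name the mechanism, e.g. `# init mounts the spunvm partition with context=vendor_spunvm_file (fstab)`.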
diff --git a/qva/vendor/common/spdaemon.te b/qva/vendor/common/spdaemon.te
index a2a84d8..2112b67 100644
--- a/qva/vendor/common/spdaemon.te
+++ b/qva/vendor/common/spdaemon.te
@@ -33,10 +33,15 @@
init_daemon_domain(vendor_spdaemon)
allow vendor_spdaemon vendor_spcom_device:chr_file { getattr rw_file_perms };
allow vendor_spdaemon vendor_skp_device:chr_file { getattr rw_file_perms };
+
+# Allow access to spss_utils device
+allow vendor_spdaemon vendor_spss_utils_device:chr_file rw_file_perms;
+
# Need to check if really needed
set_prop(vendor_spdaemon, vendor_spcomlib_prop)
allow vendor_spdaemon vendor_spdaemon_ssr_device:chr_file rw_file_perms;
allow vendor_spdaemon vendor_sp_ssr_device:chr_file rw_file_perms;
+allow vendor_spdaemon vendor_sp_nvm_device:chr_file rw_file_perms;
allow vendor_spdaemon vendor_sp_keymaster_device:chr_file rw_file_perms;
allow vendor_spdaemon vendor_cryptoapp_device:chr_file rw_file_perms;
allow vendor_spdaemon vendor_iuicc_device:chr_file rw_file_perms;
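Review bot: `rw_file_perms` on `vendor_spss_utils_device:chr_file` carries an unrestricted `ioctl`; for a new vendor character device the convention is to pair the rule with an `allowxperm` allowlist of the ioctl numbers the driver actually exposes, so a compromised spdaemon cannot reach arbitrary driver entry points. If the driver has no ioctls, say so and use `{ open read write getattr }` instead of the macro; if it does, add `allowxperm vendor_spdaemon vendor_spss_utils_device:chr_file ioctl { <driver ioctl numbers> };`. The same applies to `vendor_sp_nvm_device` on L148, and the comment on L141 should say what the daemon does with the node rather than echoing the type name.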
@@ -45,9 +50,17 @@
use_vendor_per_mgr(vendor_spdaemon)
hal_client_domain(vendor_spdaemon, hal_telephony)
-allow vendor_spdaemon vendor_sysfs_data:file r_file_perms;
+# Allow to access IAR-DB at /mnt/vendor/persist/iar_db
+allow vendor_spdaemon vendor_persist_iar_db_file:dir rw_dir_perms;
+allow vendor_spdaemon vendor_persist_iar_db_file:file create_file_perms;
+# Allow to access IAR-DB at /mnt/vendor/spunvm
+allow vendor_spdaemon vendor_spunvm_file:dir rw_dir_perms;
+allow vendor_spdaemon vendor_spunvm_file:file create_file_perms;
+
+allow vendor_spdaemon vendor_sysfs_data:file r_file_perms;
allow vendor_spdaemon vendor_sysfs_spdaemon:file r_file_perms;
+r_dir_file(vendor_spdaemon, vendor_sysfs_spss);
userdebug_or_eng(`
allow vendor_spdaemon vendor_debugfs_ipc:file rw_file_perms;
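Review bot: The new rules give spdaemon `create_file_perms` (which includes unlink, rename and setattr) on the whole spunvm partition and on the persist IAR-DB directory, with no comment on why two copies of the same database exist or which is authoritative; a reader cannot tell whether the persist path is legacy, a fallback or a mirror. Extend the comment on L156/L159 with whichever applies, e.g. `# IAR-DB lives on the spunvm partition; /mnt/vendor/persist/iar_db is the legacy/fallback location`. Style: `r_dir_file(vendor_spdaemon, vendor_sysfs_spss);` carries a trailing semicolon while the other macro calls in this file (L137, L153, L154) do not — drop it for consistency. The `userdebug_or_eng(` block opened at L166 closes outside the hunk.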
diff --git a/qva/vendor/test/location_app_test.te b/qva/vendor/test/location_app_test.te
index 7149d67..d1e95da 100644
--- a/qva/vendor/test/location_app_test.te
+++ b/qva/vendor/test/location_app_test.te
@@ -52,4 +52,10 @@
allow vendor_location_app_test self:qipcrtr_socket create_socket_perms_no_ioctl;
allow vendor_location_app_test audioserver_service:service_manager find;
+
+ allow vendor_location_app_test vendor_sysfs_kgsl:file r_file_perms;
+
+ binder_call(vendor_location_app_test, gpuservice);
+
+ allow vendor_location_app_test vendor_sysfs_kgsl_gpu_model:file r_file_perms;
')
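Review bot: The two `vendor_sysfs_kgsl*` read rules are split by the `binder_call` line and indented with a leading space that does not match L173–L174; group them and align with the surrounding lines: `allow vendor_location_app_test { vendor_sysfs_kgsl vendor_sysfs_kgsl_gpu_model }:file r_file_perms;` followed by `binder_call(vendor_location_app_test, gpuservice)`. A one-line comment on why a location test app needs GPU sysfs and gpuservice would also help, since nothing in the hunk explains it. This sits inside the `userdebug_or_eng(` block whose opening is outside the hunk, so it is debug-only policy.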