sepolicy: fix avc denial of system_data_file
fix avc denials of system_data_file and IPerf
avc: denied { search } for comm="alcomm.qti.qdma" name="0" dev="dm-10" ino=496
scontext=u:r:vendor_qcc_app:s0 tcontext=u:object_r:system_data_file:s0:c512,c768
tclass=dir permissive=0
avc: denied { find } for interface=vendor.qti.hardware.perf::IPerf
sid=u:r:vendor_qcc_lmtp_app:s0 pid=6078 scontext=u:r:vendor_qcc_lmtp_app:s0
tcontext=u:object_r:vendor_hal_perf_hwservice:s0 tclass=hwservice_manager
permissive=0
Change-Id: I6a53c353d4429fa8b6d05b5cd411b5efa8c0cc8c
diff --git a/generic/private/qcc_app.te b/generic/private/qcc_app.te
index 642a240..e793970 100644
--- a/generic/private/qcc_app.te
+++ b/generic/private/qcc_app.te
@@ -25,24 +25,13 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+typeattribute vendor_qcc_app mlstrustedsubject;
app_domain(vendor_qcc_app)
net_domain(vendor_qcc_app)
binder_use(vendor_qcc_app)
-# allow invoking activity and access app content to vendor_qcc_app
-#allow vendor_qcc_app { activity_service content_service }:service_manager find;
-# allow display service to vendor_qcc_app
-#allow vendor_qcc_app { display_service }:service_manager find;
-# allow access to wifi and data network to vendor_qcc_app
-#allow vendor_qcc_app { connectivity_service network_management_service }:service_manager find;
-# allow access telephony service info to vendor_qcc_app
-#allow vendor_qcc_app { radio_service registry_service }:service_manager find;
allow vendor_qcc_app radio_service:service_manager find;
-# allow acquire wakelock to vendor_qcc_app
-#allow vendor_qcc_app { power_service }:service_manager find;
-# allow to load native library
-#allow vendor_qcc_app { mount_service }:service_manager find;
# for vendor_perf_service
allow vendor_qcc_app app_api_service:service_manager find;
@@ -57,11 +46,13 @@
allow vendor_qcc_app mediadrmserver_service:service_manager find;
# allow vendor_qcc_app to access system_app_data_file
-# necessary for read and write /data/data subdirectory.
+# necessary for read and write /data/user_de/0/com.---.qti.qdma subdirectory.
allow vendor_qcc_app system_data_file:dir search;
allow vendor_qcc_app system_app_data_file:dir create_dir_perms;
allow vendor_qcc_app system_app_data_file:file create_file_perms;
+allow vendor_qcc_app user_profile_root_file:dir search;
+
# allow cgroup access
allow vendor_qcc_app cgroup:file rw_file_perms;
@@ -71,3 +62,5 @@
# Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
allow vendor_qcc_app vendor_qcc_app_socket:dir rw_dir_perms;
allow vendor_qcc_app vendor_qcc_app_socket:sock_file create_file_perms;
+
+
diff --git a/generic/private/qcc_lmtp_app.te b/generic/private/qcc_lmtp_app.te
index a67fc18..8ef64c8 100644
--- a/generic/private/qcc_lmtp_app.te
+++ b/generic/private/qcc_lmtp_app.te
@@ -30,9 +30,12 @@
net_domain(vendor_qcc_lmtp_app)
binder_use(vendor_qcc_lmtp_app)
+ hal_client_domain(vendor_qcc_lmtp_app, vendor_hal_perf);
+
allow vendor_qcc_lmtp_app {activity_service}:service_manager find;
allow vendor_qcc_lmtp_app location_service:service_manager find;
+ allow vendor_qcc_lmtp_app app_api_service:service_manager find;
# for vendor_perf_service
allow vendor_qcc_lmtp_app vendor_perf_service:service_manager find;
@@ -46,9 +49,9 @@
# allow vendor_qcc_lmtp_app to access system_app_data_file
# necessary for read and write /data/data subdirectory
- allow vendor_qcc_app system_data_file:dir search;
allow vendor_qcc_lmtp_app system_app_data_file:dir create_dir_perms;
allow vendor_qcc_lmtp_app system_app_data_file:file create_file_perms;
+ allow vendor_qcc_lmtp_app system_data_file:dir search;
# Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
unix_socket_connect(vendor_qcc_lmtp_app, vendor_qcc_app, vendor_qcc_app)
diff --git a/generic/private/qcc_utils_app.te b/generic/private/qcc_utils_app.te
index 3253144..71ee026 100644
--- a/generic/private/qcc_utils_app.te
+++ b/generic/private/qcc_utils_app.te
@@ -25,6 +25,8 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+typeattribute vendor_qcc_utils_app mlstrustedsubject;
+
app_domain(vendor_qcc_utils_app)
net_domain(vendor_qcc_utils_app)
binder_use(vendor_qcc_utils_app)