sepolicy: fix avc denial of system_data_file

fix avc denials of system_data_file and IPerf

avc: denied { search } for comm="alcomm.qti.qdma" name="0" dev="dm-10" ino=496
scontext=u:r:vendor_qcc_app:s0 tcontext=u:object_r:system_data_file:s0:c512,c768
 tclass=dir permissive=0
avc: denied { find } for interface=vendor.qti.hardware.perf::IPerf
sid=u:r:vendor_qcc_lmtp_app:s0 pid=6078 scontext=u:r:vendor_qcc_lmtp_app:s0
 tcontext=u:object_r:vendor_hal_perf_hwservice:s0 tclass=hwservice_manager
 permissive=0

Change-Id: I6a53c353d4429fa8b6d05b5cd411b5efa8c0cc8c
diff --git a/generic/private/qcc_app.te b/generic/private/qcc_app.te
index 642a240..e793970 100644
--- a/generic/private/qcc_app.te
+++ b/generic/private/qcc_app.te
@@ -25,24 +25,13 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+typeattribute vendor_qcc_app mlstrustedsubject;
 
 app_domain(vendor_qcc_app)
 net_domain(vendor_qcc_app)
 binder_use(vendor_qcc_app)
 
-# allow invoking activity and access app content to vendor_qcc_app
-#allow vendor_qcc_app { activity_service content_service }:service_manager find;
-# allow display service to vendor_qcc_app
-#allow vendor_qcc_app { display_service }:service_manager find;
-# allow access to wifi and data network to vendor_qcc_app
-#allow vendor_qcc_app { connectivity_service network_management_service }:service_manager find;
-# allow access telephony service info to vendor_qcc_app
-#allow vendor_qcc_app { radio_service registry_service }:service_manager find;
 allow vendor_qcc_app radio_service:service_manager find;
-# allow acquire wakelock to vendor_qcc_app
-#allow vendor_qcc_app { power_service }:service_manager find;
-# allow to load native library
-#allow vendor_qcc_app { mount_service }:service_manager find;
 # for vendor_perf_service
 allow vendor_qcc_app app_api_service:service_manager find;
 
@@ -57,11 +46,13 @@
 allow vendor_qcc_app mediadrmserver_service:service_manager find;
 
 # allow vendor_qcc_app to access system_app_data_file
-# necessary for read and write /data/data subdirectory.
+# necessary for read and write /data/user_de/0/com.---.qti.qdma subdirectory.
 allow vendor_qcc_app system_data_file:dir search;
 allow vendor_qcc_app system_app_data_file:dir create_dir_perms;
 allow vendor_qcc_app system_app_data_file:file create_file_perms;
 
+allow vendor_qcc_app user_profile_root_file:dir search;
+
 # allow cgroup access
 allow vendor_qcc_app cgroup:file rw_file_perms;
 
@@ -71,3 +62,5 @@
 # Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
 allow vendor_qcc_app vendor_qcc_app_socket:dir rw_dir_perms;
 allow vendor_qcc_app vendor_qcc_app_socket:sock_file create_file_perms;
+
+
diff --git a/generic/private/qcc_lmtp_app.te b/generic/private/qcc_lmtp_app.te
index a67fc18..8ef64c8 100644
--- a/generic/private/qcc_lmtp_app.te
+++ b/generic/private/qcc_lmtp_app.te
@@ -30,9 +30,12 @@
   net_domain(vendor_qcc_lmtp_app)
   binder_use(vendor_qcc_lmtp_app)
 
+  hal_client_domain(vendor_qcc_lmtp_app, vendor_hal_perf);
+
   allow vendor_qcc_lmtp_app {activity_service}:service_manager find;
 
   allow vendor_qcc_lmtp_app location_service:service_manager find;
+  allow vendor_qcc_lmtp_app app_api_service:service_manager find;
 
   # for vendor_perf_service
   allow vendor_qcc_lmtp_app vendor_perf_service:service_manager find;
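Review bot: `allow vendor_qcc_lmtp_app app_api_service:service_manager find;` is not tied to any denial in the commit message, and `app_api_service` is an attribute spanning many system services rather than a single one; if a particular service is needed, name its type as the adjacent `location_service` rule does, otherwise add a reason comment as the `# for vendor_perf_service` line below does. The `hal_client_domain(vendor_qcc_lmtp_app, vendor_hal_perf);` call, which does address the cited IPerf hwservice_manager denial, ends with a semicolon while the other macro calls in this file (`net_domain`, `binder_use`) have none; dropping it keeps the file consistent.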
@@ -46,9 +49,9 @@
 
   # allow vendor_qcc_lmtp_app to access system_app_data_file
   # necessary for read and write /data/data subdirectory
-  allow vendor_qcc_app system_data_file:dir search;
   allow vendor_qcc_lmtp_app system_app_data_file:dir create_dir_perms;
   allow vendor_qcc_lmtp_app system_app_data_file:file create_file_perms;
+  allow vendor_qcc_lmtp_app system_data_file:dir search;
 
   # Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
   unix_socket_connect(vendor_qcc_lmtp_app, vendor_qcc_app, vendor_qcc_app)
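Review bot: The added `allow vendor_qcc_lmtp_app system_data_file:dir search;` is placed after the file rules, away from the comment block that explains the system_app_data_file access; moving it directly under that comment, where the removed wrongly-domained line sat, keeps the rule and its rationale together. The comment still reads `/data/data subdirectory` while the matching comment in qcc_app.te was changed to `/data/user_de/0/...`; if both apps touch the same location, align the wording. The sibling denial in the commit message was on a categorised `system_data_file` context, so unless vendor_qcc_lmtp_app already carries matching user categories this search may still be refused by the MLS constraint even with the rule; worth confirming on device rather than assuming.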
diff --git a/generic/private/qcc_utils_app.te b/generic/private/qcc_utils_app.te
index 3253144..71ee026 100644
--- a/generic/private/qcc_utils_app.te
+++ b/generic/private/qcc_utils_app.te
@@ -25,6 +25,8 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+typeattribute vendor_qcc_utils_app mlstrustedsubject;
+
 app_domain(vendor_qcc_utils_app)
 net_domain(vendor_qcc_utils_app)
 binder_use(vendor_qcc_utils_app)
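Review bot: Neither denial in the commit message involves vendor_qcc_utils_app, so `typeattribute vendor_qcc_utils_app mlstrustedsubject;` is an unexplained MLS exemption for a third domain. If it was added pre-emptively, either the commit message should cite the expected denial or a comment above the line should name the path it is for, e.g. `# MLS exemption for <path placeholder>; see <avc placeholder>`, so the grant can be audited later. The overbreadth of this attribute is the same concern raised on qcc_app.te.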