security permissions for CNE and UCE service

Bug: 37994408 Test: Ensure SELinux denials are not seen in logs for IMS Change-Id: I4910d422d768c1c0b0f348156ac0a2c17b3ddad6
2026-02-01 07:50:47 +00:00 · 2017-05-04 12:15:15 -07:00
parent ccae8ba222
commit 2052d84827
10 changed files with 30 additions and 36 deletions
--- a/sepolicy/dataservice_app.te
+++ b/sepolicy/dataservice_app.te
@@ -0,0 +1,17 @@
+type dataservice_app, domain, coredomain;
+app_domain(dataservice_app)
+net_domain(dataservice_app)
+
+get_prop(dataservice_app, cnd_prop)
+add_service(dataservice_app, cne_service)
+add_service(dataservice_app, uce_service)
+allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find;
+
+r_dir_file(dataservice_app, sysfs_msm_subsys)
+allow dataservice_app vnd_uce_hwservice:hwservice_manager find;
+
+# TODO: Remove this when b/38043081 is resolved
+unix_socket_connect(dataservice_app, cnd, cnd)
+
+# imsrcsd to bind with UceShimService.apk
+binder_call(dataservice_app, hal_rcsservice)
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -198,7 +198,6 @@
 /vendor/bin/imsqmidaemon        u:object_r:ims_exec:s0
 /vendor/bin/imsdatadaemon       u:object_r:ims_exec:s0
 /vendor/bin/ims_rtp_daemon      u:object_r:ims_exec:s0
-/vendor/bin/imscmservice        u:object_r:imscm_exec:s0
 /vendor/bin/qmuxd               u:object_r:qmuxd_exec:s0
 /vendor/bin/cnd                 u:object_r:cnd_exec:s0
 /vendor/bin/esed                u:object_r:esed_exec:s0
--- a/sepolicy/hal_rcsservice.te
+++ b/sepolicy/hal_rcsservice.te
@@ -1,25 +1,23 @@
-type hal_rcsservice, binder_in_vendor_violators, domain;
+type hal_rcsservice, domain;
 type hal_rcsservice_exec, exec_type, vendor_file_type, file_type;

 # Started by init
 init_daemon_domain(hal_rcsservice)
 net_domain(hal_rcsservice)

-# To make VT call
+# To register imsrcsd to hwBinder
 hwbinder_use(hal_rcsservice)
+add_hwservice(hal_rcsservice, imsuce_service)
+add_hwservice(hal_rcsservice, vnd_uce_hwservice)
+get_prop(hal_rcsservice, hwservicemanager_prop)

 # allow hal to read sysfs file
-allow hal_rcsservice sysfs:file r_file_perms;
-
-#Add uce service hal
-allow hal_rcsservice imsuce_service:hwservice_manager add;
+r_dir_file(hal_rcsservice, sysfs_msm_subsys)

 unix_socket_connect(hal_rcsservice, ims, ims)

-# rcs_hal needs to communicate with UceShim app
-# using binder call
-binder_call(hal_rcsservice, system_app)
-binder_service(hal_rcsservice)
+# imsrcsd to bind with UceShimService.apk
+binder_call(hal_rcsservice, dataservice_app)

 # imsrcsd needs read/write access to devpts
 allow hal_rcsservice devpts:chr_file rw_file_perms;
--- a/sepolicy/imscm.te
+++ b/sepolicy/imscm.te
@@ -1,8 +0,0 @@
-type imscm, domain;
-type imscm_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(imscm)
-
-userdebug_or_eng(`
-  permissive imscm;
-')
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,6 +1,6 @@
 persist.camera.            u:object_r:camera_prop:s0
 htc.camera.                u:object_r:camera_prop:s0
-persist.sys.cnd            u:object_r:cnd_prop:s0
+persist.vendor.sys.cnd     u:object_r:cnd_prop:s0
 sys.ims.                   u:object_r:ims_prop:s0
 sys.keymaster.loaded       u:object_r:keymaster_prop:s0
 persist.net.doxlat         u:object_r:net_radio_prop:s0
--- a/sepolicy/radio.te
+++ b/sepolicy/radio.te
@@ -14,11 +14,6 @@ allow radio vnd_qcrilhook_hwservice:hwservice_manager find;

 add_service(radio, radio_service)

-# TODO(b/37212952): Remove this once imscm_service switches over to using
-# vendorservicemanager
-add_service(radio, imscm_service)
-auditallow radio imscm_service:service_manager { add find };
-
 r_dir_file(radio, sysfs_msm_subsys)

 userdebug_or_eng(`
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -1,3 +1,7 @@
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file
 user=_app seinfo=platform name=com.android.nexuslogger domain=logger_app type=app_data_file levelFrom=all
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+#Add new domain for DataServices
+#TODO Remove user "system" when b/38043081 is resolved
+user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -1,5 +1,4 @@
 type per_mgr_service,             service_manager_type;
 type cne_service,                 service_manager_type;
-type imscm_service,               service_manager_type;
 type uce_service,                 service_manager_type;
 type imsuce_service,              service_manager_type;
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1,6 +1,5 @@
 vendor.qcom.PeripheralManager                        u:object_r:per_mgr_service:s0
 rcs                                                  u:object_r:radio_service:s0
-qti.ims.ext                                          u:object_r:imscm_service:s0
 cneservice                                           u:object_r:cne_service:s0
 com.fingerprints.extension.IFingerprintNavigation    u:object_r:fingerprint_service:s0
 uce                                                  u:object_r:uce_service:s0
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,9 +0,0 @@
-r_dir_file(system_app, sysfs_msm_subsys)
-
-unix_socket_connect(system_app, cnd, cnd)
-
-get_prop(system_app, cnd_prop)
-add_service(system_app, cne_service)
-add_service(system_app, uce_service)
-
-allow system_app vnd_uce_hwservice:hwservice_manager find;