diff --git a/sepolicy/dataservice_app.te b/sepolicy/dataservice_app.te
new file mode 100644
index 00000000..da909b2b
--- /dev/null
+++ b/sepolicy/dataservice_app.te
@@ -0,0 +1,17 @@
+type dataservice_app, domain, coredomain;
+app_domain(dataservice_app)
+net_domain(dataservice_app)
+
+get_prop(dataservice_app, cnd_prop)
+add_service(dataservice_app, cne_service)
+add_service(dataservice_app, uce_service)
+allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find;
+
+r_dir_file(dataservice_app, sysfs_msm_subsys)
+allow dataservice_app vnd_uce_hwservice:hwservice_manager find;
+
+# TODO: Remove this when b/38043081 is resolved
+unix_socket_connect(dataservice_app, cnd, cnd)
+
+# imsrcsd to bind with UceShimService.apk
+binder_call(dataservice_app, hal_rcsservice)
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index fed747eb..a92ccb64 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -198,7 +198,6 @@
 /vendor/bin/imsqmidaemon u:object_r:ims_exec:s0
 /vendor/bin/imsdatadaemon u:object_r:ims_exec:s0
 /vendor/bin/ims_rtp_daemon u:object_r:ims_exec:s0
-/vendor/bin/imscmservice u:object_r:imscm_exec:s0
 /vendor/bin/qmuxd u:object_r:qmuxd_exec:s0
 /vendor/bin/cnd u:object_r:cnd_exec:s0
 /vendor/bin/esed u:object_r:esed_exec:s0
diff --git a/sepolicy/hal_rcsservice.te b/sepolicy/hal_rcsservice.te
index 80fd2d3d..3ccc45e3 100644
--- a/sepolicy/hal_rcsservice.te
+++ b/sepolicy/hal_rcsservice.te
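Review bot: The `service_manager find` rule in the new dataservice_app.te grants two whole attributes, `app_api_service` and `system_api_service`, plus `audioserver_service` and `radio_service`, and nothing in the file says which of them the app actually looks up. This domain is a `coredomain` that connects to the vendor `cnd` socket and makes binder calls to `hal_rcsservice`, so its servicemanager reach should be no wider than the app needs. If the full set is required, record that above the rule, for example `# Services DataServices looks up: <list>; narrow the attributes once confirmed`. The TODO for b/38043081 sits only above `unix_socket_connect`; if it also covers the `binder_call` to `hal_rcsservice`, say so there.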
@@ -1,25 +1,23 @@ -type hal_rcsservice, binder_in_vendor_violators, domain; +type hal_rcsservice, domain; type hal_rcsservice_exec, exec_type, vendor_file_type, file_type; # Started by init init_daemon_domain(hal_rcsservice) net_domain(hal_rcsservice) -# To make VT call +# To register imsrcsd to hwBinder hwbinder_use(hal_rcsservice) +add_hwservice(hal_rcsservice, imsuce_service) +add_hwservice(hal_rcsservice, vnd_uce_hwservice) +get_prop(hal_rcsservice, hwservicemanager_prop) # allow hal to read sysfs file -allow hal_rcsservice sysfs:file r_file_perms; - -#Add uce service hal -allow hal_rcsservice imsuce_service:hwservice_manager add; +r_dir_file(hal_rcsservice, sysfs_msm_subsys) unix_socket_connect(hal_rcsservice, ims, ims) -# rcs_hal needs to communicate with UceShim app -# using binder call -binder_call(hal_rcsservice, system_app) -binder_service(hal_rcsservice) +# imsrcsd to bind with UceShimService.apk +binder_call(hal_rcsservice, dataservice_app) # imsrcsd needs read/write access to devpts allow hal_rcsservice devpts:chr_file rw_file_perms; diff --git a/sepolicy/imscm.te b/sepolicy/imscm.te deleted file mode 100644 index 0e21f8af..00000000 --- a/sepolicy/imscm.te +++ /dev/null @@ -1,8 +0,0 @@ -type imscm, domain; -type imscm_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(imscm) - -userdebug_or_eng(` - permissive imscm; -') diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts index 50819449..2bfcfb36 100644 --- a/sepolicy/property_contexts +++ b/sepolicy/property_contexts @@ -1,6 +1,6 @@ persist.camera. u:object_r:camera_prop:s0 htc.camera. u:object_r:camera_prop:s0 -persist.sys.cnd u:object_r:cnd_prop:s0 +persist.vendor.sys.cnd u:object_r:cnd_prop:s0 sys.ims. u:object_r:ims_prop:s0 sys.keymaster.loaded u:object_r:keymaster_prop:s0 persist.net.doxlat u:object_r:net_radio_prop:s0 diff --git a/sepolicy/radio.te b/sepolicy/radio.te index b5aa8f88..e48c5b26 100644 --- a/sepolicy/radio.te +++ b/sepolicy/radio.te 
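Review bot: `add_hwservice(hal_rcsservice, imsuce_service)` in hal_rcsservice.te registers a type that service.te (a context line of its hunk in this commit) declares as `type imsuce_service, service_manager_type;`, so a servicemanager type is being used as a `hwservice_manager` object. The removed `allow hal_rcsservice imsuce_service:hwservice_manager add;` had the same mismatch, and the new macro call carries it forward. If the HAL registers only through hwservicemanager, `vnd_uce_hwservice` may already cover it and the `imsuce_service` line could be dropped; otherwise the type would be better declared with `hwservice_manager_type`. Whether an hwservice_contexts entry maps to `imsuce_service` is not visible in this diff, so confirm that before removing anything.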
@@ -14,11 +14,6 @@ allow radio vnd_qcrilhook_hwservice:hwservice_manager find; add_service(radio, radio_service) -# TODO(b/37212952): Remove this once imscm_service switches over to using -# vendorservicemanager -add_service(radio, imscm_service) -auditallow radio imscm_service:service_manager { add find }; - r_dir_file(radio, sysfs_msm_subsys) userdebug_or_eng(` diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts index 6a66f6de..61cae08d 100644 --- a/sepolicy/seapp_contexts +++ b/sepolicy/seapp_contexts @@ -1,3 +1,7 @@ user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file user=_app seinfo=platform name=com.android.nexuslogger domain=logger_app type=app_data_file levelFrom=all user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all + +#Add new domain for DataServices +#TODO Remove user "system" when b/38043081 is resolved +user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file diff --git a/sepolicy/service.te b/sepolicy/service.te index f63bf3e7..bbf51dde 100644 --- a/sepolicy/service.te +++ b/sepolicy/service.te @@ -1,5 +1,4 @@ type per_mgr_service, service_manager_type; type cne_service, service_manager_type; -type imscm_service, service_manager_type; type uce_service, service_manager_type; type imsuce_service, service_manager_type; diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts index 0e2c97db..b5cae855 100644 --- a/sepolicy/service_contexts +++ b/sepolicy/service_contexts @@ -1,6 +1,5 @@ vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0 rcs u:object_r:radio_service:s0 -qti.ims.ext u:object_r:imscm_service:s0 cneservice u:object_r:cne_service:s0 com.fingerprints.extension.IFingerprintNavigation u:object_r:fingerprint_service:s0 uce u:object_r:uce_service:s0 diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te index 78c1c642..e69de29b 100644 --- a/sepolicy/system_app.te 
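Review bot: The new seapp_contexts entry selects on `name=.dataservices`, which is matched against the process name, and the comment above it does not say which package owns that process. With `user=system seinfo=platform`, any platform-signed system-UID app running in a process of that name is placed in `dataservice_app`, which per dataservice_app.te can add `cne_service`/`uce_service` and reach `cnd` and `hal_rcsservice`. Naming the owner makes the entry auditable, e.g. `# <package> (android:process=".dataservices") runs in dataservice_app`. Because the entry keeps `type=system_app_data_file`, the app's data directory stays labelled like other system apps' data until b/38043081 is resolved; the TODO could state that as well.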
+++ b/sepolicy/system_app.te
@@ -1,9 +0,0 @@
-r_dir_file(system_app, sysfs_msm_subsys)
-
-unix_socket_connect(system_app, cnd, cnd)
-
-get_prop(system_app, cnd_prop)
-add_service(system_app, cne_service)
-add_service(system_app, uce_service)
-
-allow system_app vnd_uce_hwservice:hwservice_manager find;