Update IMS and radio SE policies based on AU 194 drop

Permissive to enforce for ims and cnd domains Introduce new CNE HIDL service Remove CNE talking to cnd via socket and move to HIDL Allow IMS to access sysfs data and diag files Allow radio to access telephony monitor property Bug: 38043081 Change-Id: I1775d6aea4de9843fdbedd06ebd71ec213f38189
2026-01-27 18:19:03 +00:00 · 2017-06-06 18:43:56 -07:00
parent b7c0dc9aaf
commit 25591f24ea
11 changed files with 61 additions and 33 deletions
--- a/android_filesystem_config.h
+++ b/android_filesystem_config.h
@@ -35,6 +35,7 @@ static const struct fs_path_config android_device_files[] = {
    { 00755, AID_SYSTEM,    AID_SYSTEM,    (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/pm-service" },
    { 00755, AID_SYSTEM,    AID_SYSTEM,    (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/cnss-daemon"},
    { 00755, AID_SYSTEM,    AID_SYSTEM,    (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/imsdatadaemon" },
+    { 00755, AID_SYSTEM,    AID_SYSTEM,    (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/cnd" },
    { 00755, AID_SYSTEM,    AID_RADIO,     (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/ims_rtp_daemon" },
    { 00755, AID_SYSTEM,    AID_SYSTEM,    (1ULL << CAP_SYS_NICE), "vendor/bin/wcnss_filter" },
 #ifdef NO_ANDROID_FILESYSTEM_CONFIG_DEVICE_DIRS
--- a/sepolicy/vendor/cnd.te
+++ b/sepolicy/vendor/cnd.te
@@ -1,37 +1,31 @@
 type cnd, domain;
 type cnd_exec, exec_type, vendor_file_type, file_type;
-
 file_type_auto_trans(cnd, socket_device, cnd_socket);

-allow cnd self:capability { chown fsetid setgid setuid };
+# cnd is started by init, type transit from init domain to cnd domain
+init_daemon_domain(cnd)
+
+#TODO remove chown fsetid setgid setuid once b/62571088 is resolved
+allow cnd self:capability { chown fsetid setgid setuid net_bind_service };

 allow cnd self:udp_socket create_socket_perms;
 allowxperm cnd self:udp_socket ioctl SIOCGIFMTU;

-# TODO(b/38227967): Potentially remove following 3 lines upon resolution of this bug
-allow cnd wpa_socket:dir w_dir_perms;
-allow cnd wpa_socket:sock_file create_file_perms;
-allow cnd wifi_data_file:dir search;
-
-allow cnd sysfs_soc:dir search;
-allow cnd sysfs_soc:file r_file_perms;
+allow cnd sysfs_timestamp_switch:file r_file_perms;
+r_dir_file(cnd, sysfs_msm_subsys)
+r_dir_file(cnd, sysfs_diag)
+r_dir_file(cnd, sysfs_soc)

 allow cnd proc_meminfo:file r_file_perms;

-r_dir_file(cnd, sysfs_msm_subsys)
 set_prop(cnd, cnd_prop)

 allow cnd self:socket create_socket_perms;
 allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;

-# TODO(b/38227967): Potentially remove following line upon resolution of this bug
-allow cnd hal_wifi_supplicant_default:unix_dgram_socket sendto;
-
-init_daemon_domain(cnd)
-
-userdebug_or_eng(`
-  permissive cnd;
-')
-
-# TODO(b/36613996): Remove this once system_app no longer communicates over sockets with cnd
-typeattribute cnd socket_between_core_and_vendor_violators;
+# To register cnd to hwbinder
+add_hwservice(cnd, hal_cne_hwservice)
+hwbinder_use(cnd)
+get_prop(cnd, hwservicemanager_prop)
+binder_call(cnd, dataservice_app)
+binder_call(cnd, ims)
--- a/sepolicy/vendor/dataservice_app.te
+++ b/sepolicy/vendor/dataservice_app.te
@@ -1,3 +1,4 @@
+#TODO Move this to sepolicy/private/dataservice_app.te (b/62574674)
 type dataservice_app, domain, coredomain;
 app_domain(dataservice_app)
 net_domain(dataservice_app)
@@ -8,14 +9,17 @@ add_service(dataservice_app, uce_service)
 allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find;

 r_dir_file(dataservice_app, sysfs_msm_subsys)
-allow dataservice_app vnd_uce_hwservice:hwservice_manager find;
+#TODO Move this to sepolicy/private/dataservice_app.te (b/62574674)
+allow dataservice_app hal_imsrcsd_hwservice:hwservice_manager find;

 #TODO remove the following 2 if dataservice is moved out of system as part of b/38043081
 allow dataservice_app system_app_data_file:dir create_dir_perms;
 allow dataservice_app system_app_data_file:{ file lnk_file } create_file_perms;

-# TODO: Remove this when b/38043081 is resolved
-unix_socket_connect(dataservice_app, cnd, cnd)
+#TODO Move this to sepolicy/private/dataservice_app.te (b/62574674)
+allow dataservice_app hal_cne_hwservice:hwservice_manager find;
+binder_call(dataservice_app, cnd)
+hwbinder_use(dataservice_app)

 # imsrcsd to bind with UceShimService.apk
 binder_call(dataservice_app, hal_rcsservice)
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -63,3 +63,9 @@ type ese_vendor_data_file, file_type, data_file_type;
 type vendor_firmware_file, vendor_file_type, file_type;

 type ramdump_data_file, file_type, data_file_type, mlstrustedobject;
+
+#data sysfs files
+type sysfs_data, fs_type, sysfs_type;
+
+#diag sysfs files
+type sysfs_diag, fs_type, sysfs_type;
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -161,6 +161,8 @@
 /sys/class/typec(/.*)?                                              u:object_r:sysfs_usb_c:s0
 /sys/class/typec/usbc0(/.*)?                                        u:object_r:sysfs_usb_c:s0
 /sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-02/800f000\.qcom,spmi:qcom,pmi8998@2:qcom,usb-pdphy@1700/usbpd0/typec(/.*)?     u:object_r:sysfs_usb_c:s0
+/sys/devices/soc/soc:qcom,ipa_fws@[a-f0-9]+/subsys0/name            u:object_r:sysfs_data:s0
+/sys/module/diagchar(/.*)?                                          u:object_r:sysfs_diag:s0

 # files in debugfs
 /sys/kernel/debug/rpm_stats                      u:object_r:debugfs_rpm:s0
--- a/sepolicy/vendor/hal_imsrtp.te
+++ b/sepolicy/vendor/hal_imsrtp.te
@@ -20,6 +20,13 @@ allowxperm hal_imsrtp self:socket ioctl msm_sock_ipc_ioctls;

 allow hal_imsrtp self:capability net_bind_service;

+allow hal_imsrtp sysfs_timestamp_switch:file r_file_perms;
+allow hal_imsrtp ion_device:chr_file r_file_perms;
+allow hal_imsrtp sysfs_data:file r_file_perms;
+r_dir_file(hal_imsrtp, sysfs_msm_subsys)
+r_dir_file(hal_imsrtp, sysfs_diag)
+r_dir_file(hal_imsrtp, sysfs_soc)
+
 allow hal_imsrtp ion_device:chr_file r_file_perms;
 get_prop(hal_imsrtp, ims_prop)
 binder_call(hal_imsrtp, radio)
--- a/sepolicy/vendor/hal_rcsservice.te
+++ b/sepolicy/vendor/hal_rcsservice.te
@@ -9,12 +9,14 @@ get_prop(hal_rcsservice, hwservicemanager_prop)

 # To register imsrcsd to hwBinder
 hwbinder_use(hal_rcsservice)
-add_hwservice(hal_rcsservice, imsuce_service)
-add_hwservice(hal_rcsservice, vnd_uce_hwservice)
+# add IUceSerive Hidl interface
+add_hwservice(hal_rcsservice, hal_imsrcsd_hwservice)
+
 get_prop(hal_rcsservice, hwservicemanager_prop)

 # allow hal to read sysfs file
 r_dir_file(hal_rcsservice, sysfs_msm_subsys)
+r_dir_file(hal_rcsservice, sysfs_diag)

 allow hal_rcsservice sysfs_timestamp_switch:file r_file_perms;

--- a/sepolicy/vendor/hwservice.te
+++ b/sepolicy/vendor/hwservice.te
@@ -1,5 +1,7 @@
 type vnd_ims_radio_hwservice, hwservice_manager_type;
 type vnd_qcrilhook_hwservice, hwservice_manager_type;
-type vnd_uce_hwservice, hwservice_manager_type;
 type hal_imsrtp_hwservice, hwservice_manager_type;
 type hal_ipacm_hwservice, hwservice_manager_type;
+#TODO Move the following 2 types public SE policy (b/62574674)
+type hal_cne_hwservice, hwservice_manager_type;
+type hal_imsrcsd_hwservice, hwservice_manager_type;
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -1,7 +1,9 @@
 com.qualcomm.qti.ims.radio::IImsRadio                           u:object_r:vnd_ims_radio_hwservice:s0
 com.qualcomm.qti.qcril.qcrilhook::IQtiOemHook                   u:object_r:vnd_qcrilhook_hwservice:s0
-com.qualcomm.qti.uceservice::IUceService                        u:object_r:vnd_uce_hwservice:s0
+com.qualcomm.qti.uceservice::IUceService                        u:object_r:hal_imsrcsd_hwservice:s0
 vendor.qti.qcril.am::IQcRilAudio                                u:object_r:vnd_qcrilhook_hwservice:s0
 com.qualcomm.qti.imsrtpservice::IRTPService                     u:object_r:hal_imsrtp_hwservice:s0
 android.hardware.tetheroffload.config::IOffloadConfig           u:object_r:hal_ipacm_hwservice:s0
 android.hardware.tetheroffload.control::IOffloadControl         u:object_r:hal_ipacm_hwservice:s0
+com.quicinc.cne.api::IApiService                                u:object_r:hal_cne_hwservice:s0
+com.quicinc.cne.server::IServer                                 u:object_r:hal_cne_hwservice:s0
--- a/sepolicy/vendor/ims.te
+++ b/sepolicy/vendor/ims.te
@@ -28,7 +28,8 @@ allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
 allowxperm ims self:udp_socket ioctl RMNET_IOCTL_EXTENDED;

 r_dir_file(ims, sysfs_msm_subsys)
+r_dir_file(ims, sysfs_diag)

-userdebug_or_eng(`
-  permissive ims;
-')
+hwbinder_use(ims)
+allow ims hal_cne_hwservice:hwservice_manager find;
+binder_call(ims, cnd)
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -1,9 +1,9 @@
 get_prop(radio, ims_prop)
+userdebug_or_eng(`get_prop(radio, tel_mon_prop)')

 allow radio qmuxd_socket:dir search;
 allow radio qmuxd_socket:sock_file write;

-
 allow radio vendor_file:lnk_file r_file_perms;
 allow radio vendor_framework_file:file r_file_perms;
 allow radio vendor_framework_file:dir search;
@@ -14,10 +14,17 @@ allow radio vnd_qcrilhook_hwservice:hwservice_manager find;
 allow radio hal_imsrtp_hwservice:hwservice_manager find;

 add_service(radio, radio_service)
-allow radio uce_service:service_manager find;
+allow radio {
+  uce_service
+  mediaextractor_service
+  mediacodec_service
+}:service_manager find;

 r_dir_file(radio, sysfs_msm_subsys)

+# IMS needs permission to use avtimer
+allow radio avtimer_device:chr_file r_file_perms;
+
 userdebug_or_eng(`
  permissive radio;
 ')