From c760b34307f28d8d68ee6b0e03f0d670e3d8eadd Mon Sep 17 00:00:00 2001
From: Max Bires <jbires@google.com>
Date: Tue, 10 Oct 2017 16:23:15 -0700
Subject: [PATCH] Adding userdebug/eng diag access for following domains

World access to diag_device for userdebug/eng builds was revoked due to
potential for dangerous use from 3rd party code so this
CL grants access back to the domains that requested it.

denied { read write } for pid=832 comm="qti" name="diag" dev="tmpfs" ino
=9583 scontext=u:r:qti:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_
file

denied { read write } for pid=808 comm="thermal-engine" name="diag" dev=
"tmpfs" ino=9583 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:diag
_device:s0 tclass=chr_file

denied { read write } for pid=877 comm="cnss_diag" name="diag" dev="tmpf
s" ino=9583 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:diag_devic
e:s0 tclass=chr_file

denied { read write } for pid=816 comm="imsqmidaemon" name="diag" dev="t
mpfs" ino=9583 scontext=u:r:ims:s0 tcontext=u:object_r:diag_device:s0 tc
lass=chr_file

denied { read write } for pid=753 comm="android.hardwar" name="diag" dev
="tmpfs" ino=9583 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_
r:diag_device:s0 tclass=chr_file

denied { read write } for pid=772 comm="sensors.qcom" name="diag" dev="t
mpfs" ino=9583 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s
0 tclass=chr_file

denied { read write } for pid=677 comm="time_daemon" name="diag" dev="tm
pfs" ino=9583 scontext=u:r:time_daemon:s0 tcontext=u:object_r:diag_devic
e:s0 tclass=chr_file

denied { read write } for pid=618 comm="android.hardwar" name="diag" dev
="tmpfs" ino=9583 scontext=u:r:hal_graphics_composer_default:s0 tcontext
=u:object_r:diag_device:s0 tclass=chr_file

denied { read write } for pid=854 comm="rild" name="diag" dev="tmpfs" in
o=10642 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=c
hr_file

denied { read write } for pid=828 comm="netmgrd" name="diag" dev="tmpfs"
ino=10642 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tcl
ass=chr_file

denied { read write } for pid=826 comm="cnd" name="diag" dev="tmpfs" ino
=10642 scontext=u:r:cnd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr
_file

denied { read write } for pid=1559 comm="iptables-wrappe" path="/dev/dia
g" dev="tmpfs" ino=17555 scontext=u:r:netutils_wrapper:s0 tcontext=u:obj
ect_r:diag_device:s0 tclass=chr_file

Test: domains that need diag_device access can get access to it
Change-Id: I6b2473958d10145ed981c5fbcb2ebd3232fcee0e
---
 sepolicy/vendor/cnd.te                           | 5 +++++
 sepolicy/vendor/hal_graphics_composer_default.te | 2 ++
 sepolicy/vendor/hal_sensors_default.te           | 2 ++
 sepolicy/vendor/ims.te                           | 5 +++++
 sepolicy/vendor/netmgrd.te                       | 2 ++
 sepolicy/vendor/netutils_wrapper.te              | 5 +++++
 sepolicy/vendor/qti.te                           | 5 +++++
 sepolicy/vendor/rild.te                          | 2 ++
 sepolicy/vendor/sensors.te                       | 2 ++
 sepolicy/vendor/thermal-engine.te                | 5 +++++
 sepolicy/vendor/time_daemon.te                   | 5 +++++
 sepolicy/vendor/wcnss_service.te                 | 2 ++
 12 files changed, 42 insertions(+)

diff --git a/sepolicy/vendor/cnd.te b/sepolicy/vendor/cnd.te
index ca562c9a..d7aa8103 100644
--- a/sepolicy/vendor/cnd.te
+++ b/sepolicy/vendor/cnd.te
@@ -29,3 +29,8 @@ hwbinder_use(cnd)
 get_prop(cnd, hwservicemanager_prop)
 binder_call(cnd, dataservice_app)
 binder_call(cnd, ims)
+
+userdebug_or_eng(`
+  allow cnd diag_device:chr_file rw_file_perms;
+')
+dontaudit cnd diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
index 7bea2e1b..d9cb26aa 100644
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -31,4 +31,6 @@ allow hal_graphics_composer_default display_vendor_data_file:file create_file_pe
 userdebug_or_eng(`
         allow hal_graphics_composer_default debugfs_mdp:dir r_dir_perms;
         allow hal_graphics_composer_default debugfs_mdp:file r_file_perms;
+        allow hal_graphics_composer_default diag_device:chr_file rw_file_perms;
 ')
+dontaudit hal_graphics_composer_default diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index fa473a87..ec604515 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -12,4 +12,6 @@ allow hal_sensors_default qdsp_device:chr_file r_file_perms;
 userdebug_or_eng(`
   r_dir_file(hal_sensors_default, sysfs_diag)
   allow hal_sensors_default sysfs_timestamp_switch:file r_file_perms;
+  allow hal_sensors_default diag_device:chr_file rw_file_perms;
 ')
+dontaudit hal_sensors_default diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/ims.te b/sepolicy/vendor/ims.te
index a229417f..4a11d749 100644
--- a/sepolicy/vendor/ims.te
+++ b/sepolicy/vendor/ims.te
@@ -33,3 +33,8 @@ r_dir_file(ims, sysfs_diag)
 hwbinder_use(ims)
 allow ims hal_cne_hwservice:hwservice_manager find;
 binder_call(ims, cnd)
+
+userdebug_or_eng(`
+  allow ims diag_device:chr_file rw_file_perms;
+')
+dontaudit ims diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te
index adbc4b6d..197f6720 100644
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@@ -40,7 +40,9 @@ domain_auto_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
 allow netmgrd sysfs_timestamp_switch:file { read open };
 userdebug_or_eng(`
   r_dir_file(netmgrd, sysfs_diag)
+  allow netmgrd diag_device:chr_file rw_file_perms;
 ')
+dontaudit netmgrd diag_device:chr_file rw_file_perms;
 
 #Ignore if device loading for private IOCTL failed
 dontaudit netmgrd kernel:system { module_request };
diff --git a/sepolicy/vendor/netutils_wrapper.te b/sepolicy/vendor/netutils_wrapper.te
index ec34fd39..f8c6f80a 100644
--- a/sepolicy/vendor/netutils_wrapper.te
+++ b/sepolicy/vendor/netutils_wrapper.te
@@ -5,3 +5,8 @@ allow netutils_wrapper netmgrd:fifo_file { getattr read write append };
 dontaudit netutils_wrapper netmgrd:netlink_socket { getattr read write append };
 dontaudit netutils_wrapper kernel:system module_request;
 dontaudit netutils_wrapper self:capability sys_module;
+
+userdebug_or_eng(`
+  allow netutils_wrapper diag_device:chr_file rw_file_perms;
+')
+dontaudit netutils_wrapper diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/qti.te b/sepolicy/vendor/qti.te
index a5d1aa84..e71ac822 100644
--- a/sepolicy/vendor/qti.te
+++ b/sepolicy/vendor/qti.te
@@ -14,3 +14,8 @@ allow qti self:socket create_socket_perms;
 allowxperm qti self:socket ioctl msm_sock_ipc_ioctls;
 
 r_dir_file(qti, sysfs_msm_subsys)
+
+userdebug_or_eng(`
+  allow qti diag_device:chr_file rw_file_perms;
+')
+dontaudit qti diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index 15d084ce..ff643af7 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -21,7 +21,9 @@ allow rild time_daemon:unix_stream_socket connectto;
 
 userdebug_or_eng(`
   domain_auto_trans(rild, smlog_dump_exec, smlog_dump)
+  allow rild diag_device:chr_file rw_file_perms;
 ')
+dontaudit rild diag_device:chr_file rw_file_perms;
 
 allow rild radio_vendor_data_file:dir rw_dir_perms;
 allow rild radio_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
index fb4cf3af..a3139932 100644
--- a/sepolicy/vendor/sensors.te
+++ b/sepolicy/vendor/sensors.te
@@ -29,4 +29,6 @@ r_dir_file(sensors, sysfs_msm_subsys)
 userdebug_or_eng(`
   r_dir_file(sensors, sysfs_diag)
   allow sensors sysfs_timestamp_switch:file r_file_perms;
+  allow sensors diag_device:chr_file rw_file_perms;
 ')
+dontaudit sensors diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
index 8009959d..e69c1890 100644
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
@@ -33,3 +33,8 @@ allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;
 
 # reboot/shutdown for thermal limits exceeded
 set_prop(thermal-engine, powerctl_prop)
+
+userdebug_or_eng(`
+  allow thermal-engine diag_device:chr_file rw_file_perms;
+')
+dontaudit thermal-engine diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/time_daemon.te b/sepolicy/vendor/time_daemon.te
index 82a62e2f..d58bc237 100644
--- a/sepolicy/vendor/time_daemon.te
+++ b/sepolicy/vendor/time_daemon.te
@@ -23,3 +23,8 @@ allow time_daemon persist_file:dir search;
 
 allow time_daemon self:socket create_socket_perms;
 allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls;
+
+userdebug_or_eng(`
+  allow time_daemon diag_device:chr_file rw_file_perms;
+')
+dontaudit time_daemon diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
index aebd86f1..db2d1292 100644
--- a/sepolicy/vendor/wcnss_service.te
+++ b/sepolicy/vendor/wcnss_service.te
@@ -31,7 +31,9 @@ userdebug_or_eng(`
   r_dir_file(wcnss_service, proc_wifi_dbg)
   r_dir_file(wcnss_service, sysfs_diag)
   allow wcnss_service sysfs_timestamp_switch:file r_file_perms;
+  allow wcnss_service diag_device:chr_file rw_file_perms;
 ')
+dontaudit wcnss_service diag_device:chr_file rw_file_perms;
 
 allow wcnss_service sysfs_soc:dir search;
 allow wcnss_service sysfs_soc:file r_file_perms;