From eb6f000bffa01aa340f2821c27563d4a02f98188 Mon Sep 17 00:00:00 2001
From: Siddharth Ray
Date: Mon, 26 Jun 2017 11:09:16 -0700
Subject: [PATCH] Wahoo sepolicy changes
Wahoo's sepolicy is changed to mirror Marlin's. Marlin's sepolicy can be found at device/google/marlin/sepolicy/hal_gnss_default.te
BUG: 37409476
Change-Id: Id6f49defd70923c56da2dfd68f55cf3dfc2e62fc
---
 sepolicy/vendor/hal_gnss_qti.te | 32 ++++++++++++++++++--------------
 sepolicy/vendor/location.te | 32 +++++++++++++++++++++++++-------
 sepolicy/vendor/te_macros | 10 ++++++++++
 3 files changed, 53 insertions(+), 21 deletions(-)
 create mode 100644 sepolicy/vendor/te_macros
diff --git a/sepolicy/vendor/hal_gnss_qti.te b/sepolicy/vendor/hal_gnss_qti.te
index 8f0acc84..7b519591 100644
--- a/sepolicy/vendor/hal_gnss_qti.te
+++ b/sepolicy/vendor/hal_gnss_qti.te
@@ -7,23 +7,27 @@ init_daemon_domain(hal_gnss_qti)
 r_dir_file(hal_gnss_qti, sysfs_msm_subsys)
 vndbinder_use(hal_gnss_qti)
+binder_call(hal_gnss_qti, per_mgr)
+allow hal_gnss_qti per_mgr_service:service_manager find;
-allow hal_gnss_qti sysfs_soc:dir r_dir_perms;
-allow hal_gnss_qti sysfs_soc:file r_file_perms;
-
-allow hal_gnss_qti location_data_file:dir create_dir_perms;
-allow hal_gnss_qti location_data_file:file create_file_perms;
-allow hal_gnss_qti location_data_file:sock_file write;
+allow hal_gnss_qti location_data_file:fifo_file { open read setattr write };
 allow hal_gnss_qti location:unix_stream_socket connectto;
+allow hal_gnss_qti location_data_file:dir create_dir_perms;
+allow hal_gnss_qti location_data_file:sock_file write;
 unix_socket_connect(hal_gnss_qti, netmgrd, netmgrd)
 allow hal_gnss_qti netmgrd_socket:dir search;
+allow hal_gnss_qti self:netlink_route_socket { bind create nlmsg_read read write };
-allow hal_gnss_qti self:socket create_socket_perms;
-allowxperm hal_gnss_qti self:socket ioctl msm_sock_ipc_ioctls;
-allow hal_gnss_qti self:netlink_generic_socket { bind create read };
-
-vndbinder_use(hal_gnss_qti)
-binder_call(hal_gnss_qti, per_mgr)
-
-allow hal_gnss_qti per_mgr_service:service_manager find;
+# Most HALs are not allowed to use network sockets. Qcom library
+# libqdi is used across multiple processes which are clients of
+# netmgrd including the GNSS HAL. libqdi first attempts to get the network
+# interface using an IOCTL on a UDP INET socket, which isn't allowed here.
+# If that fails, it falls back to using libc's if_nameindex() which requires
+# a netlink route socket, which HALs may use. Due to the initial
+# attempt to use a UDP socket, we still see a selinux denial,
+# but it is safe to ignore.
+# TODO (b/37730994) Remove udp_socket requirement from
+# libqdi and have all its clients use netlink route
+# sockets.
+dontaudit hal_gnss_qti self:udp_socket create;
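Review bot: The re-added `allow hal_gnss_qti location_data_file:dir create_dir_perms;` looks broader than the new side of this hunk needs: with `location_data_file:file create_file_perms` removed, the HAL is left with only `fifo_file { open read setattr write }` and `sock_file write` in that directory, and neither creates or deletes entries. Unless the HAL really creates subdirectories there, consider `allow hal_gnss_qti location_data_file:dir r_dir_perms;` (or just `search`) and confirm against denial logs on a test build. Separately, `dontaudit hal_gnss_qti self:udp_socket create;` at the end of the hunk hides every UDP socket creation attempt by this domain from the audit log, not only the libqdi probe described in the comment, so it should be removed as soon as b/37730994 is resolved.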
diff --git a/sepolicy/vendor/location.te b/sepolicy/vendor/location.te
index 4f186b6e..c46fc663 100644
--- a/sepolicy/vendor/location.te
+++ b/sepolicy/vendor/location.te
@@ -7,20 +7,19 @@ init_daemon_domain(location)
 # Temporarily grant this permission and log its use.
 allow location self:capability { net_admin };
 auditallow location self:capability { net_admin };
-
-allow location location_exec:file execute_no_trans;
-
 allow location self:capability { setgid setuid };
-allow location proc_net:file r_file_perms;
-
 allow location location_data_file:dir create_dir_perms;
 allow location location_data_file:{ file sock_file } create_file_perms;
-allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow location location_exec:file rx_file_perms;
+
+allow location proc_net:file r_file_perms;
+
+allow location self:netlink_route_socket create_socket_perms_no_ioctl;
 allow location self:netlink_socket create_socket_perms_no_ioctl;
 allow location self:socket create_socket_perms;
-allowxperm location self:udp_socket ioctl { SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
+allowxperm location self:udp_socket ioctl { SIOCGIFINDEX SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
 allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
 # Enable network access (for XTRA download)
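Review bot: The permission changes in location.te's first hunk carry no rationale: the move from `netlink_generic_socket` to `netlink_route_socket`, the extra `SIOCGIFINDEX` entry in the `allowxperm location self:udp_socket ioctl` allowlist, and the replacement of `execute_no_trans` with `rx_file_perms` are all uncommented, unlike the libqdi explanation added in hal_gnss_qti.te. `rx_file_perms`, as defined in AOSP's global macros, adds read access to `location_exec` and still permits execution without a domain transition, so it widens the old rule rather than replacing it. A short comment above each rule naming the component that needs it, for example `# SIOCGIFINDEX: interface index lookup (TODO: name the calling library)`, would let a later reviewer tell required access from leftovers.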
@@ -30,3 +29,22 @@ net_domain(location)
 r_dir_file(location, sysfs_type)
 dontaudit location kernel:system module_request;
+
+allow location fwk_sensor_hwservice:hwservice_manager find;
+allow location hal_wifi:unix_stream_socket { read write };
+
+# Grant access to Qualcomm MSM Interface (QMI) radio sockets
+qmux_socket(location)
+
+userdebug_or_eng(`
+ allow location diag_device:chr_file rw_file_perms;
+')
+
+# Added to enable XTRA download (from internet) per
+# audit2allow after a test that downloaded XTRA on boot
+allow location dnsproxyd_socket:sock_file write;
+allow location fwmarkd_socket:sock_file write;
+allow location netd:unix_stream_socket connectto;
+allow location port:tcp_socket name_connect;
+allow location self:tcp_socket { connect create read setopt write };
+allow location self:udp_socket { create ioctl read write };
\ No newline at end of file
diff --git a/sepolicy/vendor/te_macros b/sepolicy/vendor/te_macros
new file mode 100644
index 00000000..fa73d0f8
--- /dev/null
+++ b/sepolicy/vendor/te_macros
@@ -0,0 +1,10 @@
+#####################################
+# qmux_socket(clientdomain)
+# Allow client domain to connecto and send
+# via a local socket to the qmux domain.
+# Also allow the client domain to remove
+# its own socket.
+define(`qmux_socket', `
+allow $1 qmuxd_socket:dir create_dir_perms;
+allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
+')
\ No newline at end of file
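Review bot: The audit2allow block at the end of location.te's second hunk (`dnsproxyd_socket` and `fwmarkd_socket` write, `netd` connectto, `port:tcp_socket name_connect`, and the `self:tcp_socket` / `self:udp_socket` rules) appears to restate what `net_domain(location)`, visible in the hunk header, normally grants through the netdomain attribute. If that holds for this tree, the raw rules can be dropped; if a denial really remained with `net_domain` in place, the comment should record which one, since pasted audit2allow output tends to outlive its reason. `allow location hal_wifi:unix_stream_socket { read write };` is also uncommented and applies to every domain carrying the `hal_wifi` attribute, so a one-line rationale naming the socket's owner would help later review.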
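Review bot: The header comment of the new `qmux_socket` macro in te_macros says the client may connect ("connecto") and send to the qmux domain, but the body grants only directory and `sock_file` permissions on `qmuxd_socket`, with no `connectto` on a `unix_stream_socket`. Either a rule such as `unix_socket_connect($1, qmuxd, qmuxd)` is missing (assuming a qmuxd domain exists on this device), or the comment should be trimmed to what the macro does, e.g. `# Allow client domain to create, use and remove its own socket under qmuxd_socket.`. `create_dir_perms` on the directory also lets every caller create and remove directories there; `rw_dir_perms` is probably enough for creating and unlinking a socket file, to be confirmed against denial logs.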