Merge changes I45a49628,Icf764bf3 into oc-dr1-dev

* changes: Fix netmgrd crash recovery denials sepolicy: Separate system partition sepolicy and hal macros from vendor partition
2026-02-01 07:50:47 +00:00 · 2017-07-06 16:11:19 +00:00
parent 7b9577e9b0 06f2fdfb7e
commit f5ed4d3d87
12 changed files with 34 additions and 26 deletions
--- a/sepolicy/private/dataservice_app.te
+++ b/sepolicy/private/dataservice_app.te
@@ -0,0 +1,21 @@
+typeattribute dataservice_app coredomain;
+app_domain(dataservice_app)
+net_domain(dataservice_app)
+
+add_service(dataservice_app, cne_service)
+add_service(dataservice_app, uce_service)
+allow dataservice_app {
+  app_api_service
+  system_api_service
+  audioserver_service
+  radio_service
+}:service_manager find;
+
+allow dataservice_app hal_imsrcsd_hwservice:hwservice_manager find;
+allow dataservice_app hal_cne_hwservice:hwservice_manager find;
+
+allow dataservice_app system_app_data_file:dir create_dir_perms;
+allow dataservice_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+hwbinder_use(dataservice_app)
+
--- a/sepolicy/private/radio.te
+++ b/sepolicy/private/radio.te
@@ -0,0 +1 @@
+allow radio uce_service:service_manager find;
--- a/sepolicy/private/service.te
+++ b/sepolicy/private/service.te
@@ -0,0 +1,2 @@
+type cne_service,                 service_manager_type;
+type uce_service,                 service_manager_type;
--- a/sepolicy/private/service_contexts
+++ b/sepolicy/private/service_contexts
@@ -1 +1,3 @@
 qti.ims.ext                                          u:object_r:radio_service:s0
+cneservice                                           u:object_r:cne_service:s0
+uce                                                  u:object_r:uce_service:s0
--- a/sepolicy/public/dataservice_app.te
+++ b/sepolicy/public/dataservice_app.te
@@ -0,0 +1 @@
+type dataservice_app, domain;
--- a/sepolicy/public/hwservice.te
+++ b/sepolicy/public/hwservice.te
@@ -0,0 +1,2 @@
+type hal_cne_hwservice, hwservice_manager_type;
+type hal_imsrcsd_hwservice, hwservice_manager_type;
--- a/sepolicy/vendor/dataservice_app.te
+++ b/sepolicy/vendor/dataservice_app.te
@@ -1,25 +1,8 @@
-#TODO Move this to sepolicy/private/dataservice_app.te (b/62574674)
-type dataservice_app, domain, coredomain;
-app_domain(dataservice_app)
-net_domain(dataservice_app)
-
 get_prop(dataservice_app, cnd_prop)
-add_service(dataservice_app, cne_service)
-add_service(dataservice_app, uce_service)
-allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find;

 r_dir_file(dataservice_app, sysfs_msm_subsys)
-#TODO Move this to sepolicy/private/dataservice_app.te (b/62574674)
-allow dataservice_app hal_imsrcsd_hwservice:hwservice_manager find;

-#TODO remove the following 2 if dataservice is moved out of system as part of b/38043081
-allow dataservice_app system_app_data_file:dir create_dir_perms;
-allow dataservice_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-#TODO Move this to sepolicy/private/dataservice_app.te (b/62574674)
-allow dataservice_app hal_cne_hwservice:hwservice_manager find;
 binder_call(dataservice_app, cnd)
-hwbinder_use(dataservice_app)

 # imsrcsd to bind with UceShimService.apk
 binder_call(dataservice_app, hal_rcsservice)
--- a/sepolicy/vendor/hwservice.te
+++ b/sepolicy/vendor/hwservice.te
@@ -1,6 +1,4 @@
 type vnd_ims_radio_hwservice, hwservice_manager_type;
 type vnd_qcrilhook_hwservice, hwservice_manager_type;
 type hal_imsrtp_hwservice, hwservice_manager_type;
-#TODO Move the following 2 types public SE policy (b/62574674)
-type hal_cne_hwservice, hwservice_manager_type;
-type hal_imsrcsd_hwservice, hwservice_manager_type;
+type hal_ipacm_hwservice, hwservice_manager_type;
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@@ -11,7 +11,7 @@ set_prop(netmgrd, net_rmnet_prop)
 unix_socket_connect(netmgrd, netd, netd)

 allow netmgrd netmgrd_socket:dir w_dir_perms;
-allow netmgrd netmgrd_socket:sock_file { create setattr };
+allow netmgrd netmgrd_socket:sock_file create_file_perms;
 allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write };
 allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow netmgrd self:netlink_route_socket nlmsg_write;
@@ -38,6 +38,9 @@ domain_auto_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)

 #Allow diag logging
 allow netmgrd sysfs_timestamp_switch:file { read open };
+userdebug_or_eng(`
+  r_dir_file(netmgrd, sysfs_diag)
+')

 #Ignore if device loading for private IOCTL failed
 dontaudit netmgrd kernel:system { module_request };
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -15,7 +15,6 @@ allow radio hal_imsrtp_hwservice:hwservice_manager find;

 add_service(radio, radio_service)
 allow radio {
-  uce_service
  mediaextractor_service
  mediacodec_service
 }:service_manager find;
--- a/sepolicy/vendor/service.te
+++ b/sepolicy/vendor/service.te
@@ -1,3 +1 @@
-type cne_service,                 service_manager_type;
-type uce_service,                 service_manager_type;
 type imsuce_service,              service_manager_type;
--- a/sepolicy/vendor/service_contexts
+++ b/sepolicy/vendor/service_contexts
@@ -1,5 +1,3 @@
 rcs                                                  u:object_r:radio_service:s0
-cneservice                                           u:object_r:cne_service:s0
 com.fingerprints.extension.IFingerprintNavigation    u:object_r:fingerprint_service:s0
-uce                                                  u:object_r:uce_service:s0
 com.qualcomm.qti.uceservice                          u:object_r:imsuce_service:s0
				`@@ -0,0 +1 @@`
				`allow radio uce_service:service_manager find;`