From ba2198d95330ab04d769ebd77fc50660262e87f4 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Tue, 19 Dec 2023 03:35:04 +0000 Subject: [PATCH] Move gnss to each device sepolicy folder Bug: 312322769 Test: make sepolicy Change-Id: Iaeb079415d1a1b8c71dc72dde559dd2ad21c3886 --- caiman-sepolicy.mk | 3 --- caiman/file_contexts | 11 +++++++++++ {gnss => caiman}/gnss_check.te | 0 {gnss => caiman}/gnssd.te | 0 {gnss => caiman}/hal_gnss_default.te | 0 {gnss => caiman}/rild.te | 0 {gnss => caiman}/sctd.te | 0 {gnss => caiman}/spad.te | 0 {gnss => caiman}/swcnd.te | 0 gnss/file_contexts | 11 ----------- komodo-sepolicy.mk | 3 --- komodo/file_contexts | 11 +++++++++++ komodo/gnss_check.te | 9 +++++++++ komodo/gnssd.te | 23 +++++++++++++++++++++++ komodo/hal_gnss_default.te | 3 +++ komodo/rild.te | 1 + komodo/sctd.te | 3 +++ komodo/spad.te | 3 +++ komodo/swcnd.te | 3 +++ ripcurrent24-sepolicy.mk | 3 --- ripcurrent24/file_contexts | 11 +++++++++++ ripcurrent24/gnss_check.te | 9 +++++++++ ripcurrent24/gnssd.te | 23 +++++++++++++++++++++++ ripcurrent24/hal_gnss_default.te | 3 +++ ripcurrent24/rild.te | 1 + ripcurrent24/sctd.te | 3 +++ ripcurrent24/spad.te | 3 +++ ripcurrent24/swcnd.te | 3 +++ tokay-sepolicy.mk | 3 --- tokay/file_contexts | 11 +++++++++++ tokay/gnss_check.te | 9 +++++++++ tokay/gnssd.te | 23 +++++++++++++++++++++++ tokay/hal_gnss_default.te | 3 +++ tokay/rild.te | 1 + tokay/sctd.te | 3 +++ tokay/spad.te | 3 +++ tokay/swcnd.te | 3 +++ 37 files changed, 179 insertions(+), 23 deletions(-) rename {gnss => caiman}/gnss_check.te (100%) rename {gnss => caiman}/gnssd.te (100%) rename {gnss => caiman}/hal_gnss_default.te (100%) rename {gnss => caiman}/rild.te (100%) rename {gnss => caiman}/sctd.te (100%) rename {gnss => caiman}/spad.te (100%) rename {gnss => caiman}/swcnd.te (100%) delete mode 100644 gnss/file_contexts create mode 100644 komodo/gnss_check.te create mode 100644 komodo/gnssd.te create mode 100644 komodo/hal_gnss_default.te create mode 100644 komodo/rild.te create mode 100644 komodo/sctd.te create mode 100644 komodo/spad.te 
create mode 100644 komodo/swcnd.te create mode 100644 ripcurrent24/gnss_check.te create mode 100644 ripcurrent24/gnssd.te create mode 100644 ripcurrent24/hal_gnss_default.te create mode 100644 ripcurrent24/rild.te create mode 100644 ripcurrent24/sctd.te create mode 100644 ripcurrent24/spad.te create mode 100644 ripcurrent24/swcnd.te create mode 100644 tokay/gnss_check.te create mode 100644 tokay/gnssd.te create mode 100644 tokay/hal_gnss_default.te create mode 100644 tokay/rild.te create mode 100644 tokay/sctd.te create mode 100644 tokay/spad.te create mode 100644 tokay/swcnd.te
diff --git a/caiman-sepolicy.mk b/caiman-sepolicy.mk
index 7a855876..f5ea59bc 100644
--- a/caiman-sepolicy.mk
+++ b/caiman-sepolicy.mk
@@ -1,5 +1,2 @@
 # sepolicy that are shared among devices using ZumaPro
 BOARD_SEPOLICY_DIRS += device/google/caimito-sepolicy/caiman
-
-# GPS sepolicy
-BOARD_SEPOLICY_DIRS += device/google/caimito-sepolicy/gnss
diff --git a/caiman/file_contexts b/caiman/file_contexts
index cdb38af4..2cc3a039 100644
--- a/caiman/file_contexts
+++ b/caiman/file_contexts
@@ -14,3 +14,14 @@
 /dev/lwis-sensor-taotie-tele u:object_r:lwis_device:s0
 /dev/lwis-sensor-taotie-uw u:object_r:lwis_device:s0
 /dev/lwis-tof-tarasque u:object_r:lwis_device:s0
+# GPS
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/gnss_boot u:object_r:vendor_gnss_device:s0
+/dev/gnss_dump u:object_r:vendor_gnss_device:s0
+
+/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0
+/vendor/bin/hw/sctd u:object_r:sctd_exec:s0
+/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0
+/vendor/bin/hw/spad u:object_r:spad_exec:s0
+/vendor/bin/hw/gnss-aidl-service_IGnssV2_ISlsiGnssV1 u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0
diff --git a/gnss/gnss_check.te b/caiman/gnss_check.te
similarity index 100%
rename from gnss/gnss_check.te
rename to caiman/gnss_check.te
diff --git a/gnss/gnssd.te b/caiman/gnssd.te
similarity index 100%
rename from gnss/gnssd.te
rename to caiman/gnssd.te
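Review bot: In the caiman/file_contexts hunk, `/dev/gnss_ipc`, `/dev/gnss_boot` and `/dev/gnss_dump` all receive the single type `vendor_gnss_device`, so no rule on that type can tell the IPC channel apart from the boot and dump interfaces. The gnssd.te files added for komodo, ripcurrent24 and tokay later in this patch grant `rw_file_perms` on the whole type, which therefore covers all three nodes. If only some of these nodes are needed by a given domain, separate types would keep each grant narrow; otherwise a comment such as `# GNSS device nodes share one type; see gnssd.te for the domains allowed to open them` would record the decision. A blank line before `# GPS` would also keep the block apart from the lwis entries above it. The same eleven lines are added to komodo/file_contexts, ripcurrent24/file_contexts and tokay/file_contexts.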
diff --git a/gnss/hal_gnss_default.te b/caiman/hal_gnss_default.te
similarity index 100%
rename from gnss/hal_gnss_default.te
rename to caiman/hal_gnss_default.te
diff --git a/gnss/rild.te b/caiman/rild.te
similarity index 100%
rename from gnss/rild.te
rename to caiman/rild.te
diff --git a/gnss/sctd.te b/caiman/sctd.te
similarity index 100%
rename from gnss/sctd.te
rename to caiman/sctd.te
diff --git a/gnss/spad.te b/caiman/spad.te
similarity index 100%
rename from gnss/spad.te
rename to caiman/spad.te
diff --git a/gnss/swcnd.te b/caiman/swcnd.te
similarity index 100%
rename from gnss/swcnd.te
rename to caiman/swcnd.te
diff --git a/gnss/file_contexts b/gnss/file_contexts
deleted file mode 100644
index 1a4c2d4b..00000000
--- a/gnss/file_contexts
+++ /dev/null
@@ -1,11 +0,0 @@
-# GPS
-/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
-/dev/gnss_boot u:object_r:vendor_gnss_device:s0
-/dev/gnss_dump u:object_r:vendor_gnss_device:s0
-
-/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0
-/vendor/bin/hw/sctd u:object_r:sctd_exec:s0
-/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0
-/vendor/bin/hw/spad u:object_r:spad_exec:s0
-/vendor/bin/hw/gnss-aidl-service_IGnssV2_ISlsiGnssV1 u:object_r:hal_gnss_default_exec:s0
-/vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0
diff --git a/komodo-sepolicy.mk b/komodo-sepolicy.mk
index df5cf997..d54783f6 100644
--- a/komodo-sepolicy.mk
+++ b/komodo-sepolicy.mk
@@ -1,5 +1,2 @@
 # sepolicy that are shared among devices using ZumaPro
 BOARD_SEPOLICY_DIRS += device/google/caimito-sepolicy/komodo
-
-# GPS sepolicy
-BOARD_SEPOLICY_DIRS += device/google/caimito-sepolicy/gnss
diff --git a/komodo/file_contexts b/komodo/file_contexts
index cdb38af4..2cc3a039 100644
--- a/komodo/file_contexts
+++ b/komodo/file_contexts
@@ -14,3 +14,14 @@
 /dev/lwis-sensor-taotie-tele u:object_r:lwis_device:s0
 /dev/lwis-sensor-taotie-uw u:object_r:lwis_device:s0
 /dev/lwis-tof-tarasque u:object_r:lwis_device:s0
+# GPS
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/gnss_boot u:object_r:vendor_gnss_device:s0
+/dev/gnss_dump u:object_r:vendor_gnss_device:s0
+
+/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0
+/vendor/bin/hw/sctd u:object_r:sctd_exec:s0
+/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0
+/vendor/bin/hw/spad u:object_r:spad_exec:s0
+/vendor/bin/hw/gnss-aidl-service_IGnssV2_ISlsiGnssV1 u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0
diff --git a/komodo/gnss_check.te b/komodo/gnss_check.te
new file mode 100644
index 00000000..31d0944f
--- /dev/null
+++ b/komodo/gnss_check.te
@@ -0,0 +1,9 @@
+type gnss_check, domain;
+type gnss_check_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(gnss_check);
+
+allow gnss_check vendor_toolbox_exec:file { execute_no_trans };
+
+set_prop(gnss_check, ctl_stop_prop);
+set_prop(gnss_check, ctl_start_prop);
diff --git a/komodo/gnssd.te b/komodo/gnssd.te
new file mode 100644
index 00000000..ea16762b
--- /dev/null
+++ b/komodo/gnssd.te
@@ -0,0 +1,23 @@
+type gnssd, domain;
+type gnssd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gnssd);
+
+# Allow gnssd to access rild
+binder_call(gnssd, rild);
+# binder_call(gnssd, hwservicemanager)
+allow gnssd hal_exynos_rild_hwservice:hwservice_manager find;
+allow gnssd radio_device:chr_file rw_file_perms;
+
+# Allow gnssd to acess gnss device
+allow gnssd vendor_gnss_device:chr_file rw_file_perms;
+allow gnssd vendor_gps_file:dir create_dir_perms;
+allow gnssd vendor_gps_file:file create_file_perms;
+allow gnssd vendor_gps_file:fifo_file create_file_perms;
+
+get_prop(gnssd, bootanim_system_prop)
+
+# Allow gnssd to obtain wakelock
+wakelock_use(gnssd)
+
+# Allow a base set of permissions required for network access.
+net_domain(gnssd);
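Review bot: In komodo/gnss_check.te, `set_prop(gnss_check, ctl_stop_prop)` and `set_prop(gnss_check, ctl_start_prop)` are written against the generic control-property types, so nothing in this file limits the domain's ability to start and stop init services to the GNSS daemons. Which services gnss_check.sh actually restarts is not visible here; if it is only the GNSS ones, labelling their `ctl.start$<service>` and `ctl.stop$<service>` entries with a dedicated type in property_contexts and granting that type instead would keep the grant narrow. At minimum the two rules need a comment, for example `# gnss_check.sh restarts <service> through ctl.start/ctl.stop`. The identical file is added as ripcurrent24/gnss_check.te and tokay/gnss_check.te.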
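Review bot: In komodo/gnssd.te, `allow gnssd radio_device:chr_file rw_file_perms;` sits under the comment "Allow gnssd to access rild" but grants read/write on every character device labelled `radio_device`, which is a direct device grant rather than a binder path to rild, and nothing says which node gnssd opens. A comment naming it, e.g. `# gnssd opens <radio node> directly for <purpose>`, or a narrower device type would make the grant reviewable. Two smaller points in the same file: the commented-out rule `# binder_call(gnssd, hwservicemanager)` should be removed or explained, and `acess` in "Allow gnssd to acess gnss device" is a typo. The same file is added as ripcurrent24/gnssd.te and tokay/gnssd.te.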
diff --git a/komodo/hal_gnss_default.te b/komodo/hal_gnss_default.te
new file mode 100644
index 00000000..bf1a5645
--- /dev/null
+++ b/komodo/hal_gnss_default.te
@@ -0,0 +1,3 @@
+binder_call(hal_gnss_default, gnssd);
+
+allow hal_gnss_default gnssd:unix_stream_socket connectto;
diff --git a/komodo/rild.te b/komodo/rild.te
new file mode 100644
index 00000000..c620a19b
--- /dev/null
+++ b/komodo/rild.te
@@ -0,0 +1 @@
+binder_call(rild, gnssd)
diff --git a/komodo/sctd.te b/komodo/sctd.te
new file mode 100644
index 00000000..8966ef8a
--- /dev/null
+++ b/komodo/sctd.te
@@ -0,0 +1,3 @@
+type sctd, domain;
+type sctd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(sctd);
diff --git a/komodo/spad.te b/komodo/spad.te
new file mode 100644
index 00000000..eaf8b1c8
--- /dev/null
+++ b/komodo/spad.te
@@ -0,0 +1,3 @@
+type spad, domain;
+type spad_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(spad);
diff --git a/komodo/swcnd.te b/komodo/swcnd.te
new file mode 100644
index 00000000..c366cad8
--- /dev/null
+++ b/komodo/swcnd.te
@@ -0,0 +1,3 @@
+type swcnd, domain;
+type swcnd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(swcnd);
diff --git a/ripcurrent24-sepolicy.mk b/ripcurrent24-sepolicy.mk
index a95f1cd4..aa9182b4 100644
--- a/ripcurrent24-sepolicy.mk
+++ b/ripcurrent24-sepolicy.mk
@@ -1,5 +1,2 @@
 # sepolicy that are shared among devices using ZumaPro
 BOARD_SEPOLICY_DIRS += device/google/caimito-sepolicy/ripcurrent24
-
-# GPS sepolicy
-BOARD_SEPOLICY_DIRS += device/google/caimito-sepolicy/gnss
diff --git a/ripcurrent24/file_contexts b/ripcurrent24/file_contexts
index 1143d5fd..9fd7a3b5 100644
--- a/ripcurrent24/file_contexts
+++ b/ripcurrent24/file_contexts
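Review bot: In komodo/hal_gnss_default.te, `allow hal_gnss_default gnssd:unix_stream_socket connectto;` carries no comment naming the socket the HAL connects to. If it is a filesystem socket, the matching `sock_file` write rule is not part of this patch, so it cannot be told from here which path is used or where access to it is granted. A line such as `# HAL connects to gnssd over <socket path>` above the rule would document it. The same file is added as ripcurrent24/hal_gnss_default.te and tokay/hal_gnss_default.te.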
@@ -42,3 +42,14 @@
 /dev/lwis-sensor-taotie-tele u:object_r:lwis_device:s0
 /dev/lwis-sensor-taotie-uw u:object_r:lwis_device:s0
 /dev/lwis-tof-tarasque u:object_r:lwis_device:s0
+# GPS
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/gnss_boot u:object_r:vendor_gnss_device:s0
+/dev/gnss_dump u:object_r:vendor_gnss_device:s0
+
+/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0
+/vendor/bin/hw/sctd u:object_r:sctd_exec:s0
+/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0
+/vendor/bin/hw/spad u:object_r:spad_exec:s0
+/vendor/bin/hw/gnss-aidl-service_IGnssV2_ISlsiGnssV1 u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0
diff --git a/ripcurrent24/gnss_check.te b/ripcurrent24/gnss_check.te
new file mode 100644
index 00000000..31d0944f
--- /dev/null
+++ b/ripcurrent24/gnss_check.te
@@ -0,0 +1,9 @@
+type gnss_check, domain;
+type gnss_check_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(gnss_check);
+
+allow gnss_check vendor_toolbox_exec:file { execute_no_trans };
+
+set_prop(gnss_check, ctl_stop_prop);
+set_prop(gnss_check, ctl_start_prop);
diff --git a/ripcurrent24/gnssd.te b/ripcurrent24/gnssd.te
new file mode 100644
index 00000000..ea16762b
--- /dev/null
+++ b/ripcurrent24/gnssd.te
@@ -0,0 +1,23 @@
+type gnssd, domain;
+type gnssd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gnssd);
+
+# Allow gnssd to access rild
+binder_call(gnssd, rild);
+# binder_call(gnssd, hwservicemanager)
+allow gnssd hal_exynos_rild_hwservice:hwservice_manager find;
+allow gnssd radio_device:chr_file rw_file_perms;
+
+# Allow gnssd to acess gnss device
+allow gnssd vendor_gnss_device:chr_file rw_file_perms;
+allow gnssd vendor_gps_file:dir create_dir_perms;
+allow gnssd vendor_gps_file:file create_file_perms;
+allow gnssd vendor_gps_file:fifo_file create_file_perms;
+
+get_prop(gnssd, bootanim_system_prop)
+
+# Allow gnssd to obtain wakelock
+wakelock_use(gnssd)
+
+# Allow a base set of permissions required for network access.
+net_domain(gnssd);
diff --git a/ripcurrent24/hal_gnss_default.te b/ripcurrent24/hal_gnss_default.te
new file mode 100644
index 00000000..bf1a5645
--- /dev/null
+++ b/ripcurrent24/hal_gnss_default.te
@@ -0,0 +1,3 @@
+binder_call(hal_gnss_default, gnssd);
+
+allow hal_gnss_default gnssd:unix_stream_socket connectto;
diff --git a/ripcurrent24/rild.te b/ripcurrent24/rild.te
new file mode 100644
index 00000000..c620a19b
--- /dev/null
+++ b/ripcurrent24/rild.te
@@ -0,0 +1 @@
+binder_call(rild, gnssd)
diff --git a/ripcurrent24/sctd.te b/ripcurrent24/sctd.te
new file mode 100644
index 00000000..8966ef8a
--- /dev/null
+++ b/ripcurrent24/sctd.te
@@ -0,0 +1,3 @@
+type sctd, domain;
+type sctd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(sctd);
diff --git a/ripcurrent24/spad.te b/ripcurrent24/spad.te
new file mode 100644
index 00000000..eaf8b1c8
--- /dev/null
+++ b/ripcurrent24/spad.te
@@ -0,0 +1,3 @@
+type spad, domain;
+type spad_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(spad);
diff --git a/ripcurrent24/swcnd.te b/ripcurrent24/swcnd.te
new file mode 100644
index 00000000..c366cad8
--- /dev/null
+++ b/ripcurrent24/swcnd.te
@@ -0,0 +1,3 @@
+type swcnd, domain;
+type swcnd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(swcnd);
diff --git a/tokay-sepolicy.mk b/tokay-sepolicy.mk
index c19f6f71..9183880d 100644
--- a/tokay-sepolicy.mk
+++ b/tokay-sepolicy.mk
@@ -1,5 +1,2 @@
 # sepolicy that are shared among devices using ZumaPro
 BOARD_SEPOLICY_DIRS += device/google/caimito-sepolicy/tokay
-
-# GPS sepolicy
-BOARD_SEPOLICY_DIRS += device/google/caimito-sepolicy/gnss
diff --git a/tokay/file_contexts b/tokay/file_contexts
index 025e3799..9c7fe8a5 100644
--- a/tokay/file_contexts
+++ b/tokay/file_contexts
@@ -10,3 +10,14 @@
 /dev/lwis-sensor-boitata u:object_r:lwis_device:s0
 /dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0
 /dev/lwis-sensor-taotie-uw u:object_r:lwis_device:s0
+# GPS
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/gnss_boot u:object_r:vendor_gnss_device:s0
+/dev/gnss_dump u:object_r:vendor_gnss_device:s0
+
+/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0
+/vendor/bin/hw/sctd u:object_r:sctd_exec:s0
+/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0
+/vendor/bin/hw/spad u:object_r:spad_exec:s0
+/vendor/bin/hw/gnss-aidl-service_IGnssV2_ISlsiGnssV1 u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0
diff --git a/tokay/gnss_check.te b/tokay/gnss_check.te
new file mode 100644
index 00000000..31d0944f
--- /dev/null
+++ b/tokay/gnss_check.te
@@ -0,0 +1,9 @@
+type gnss_check, domain;
+type gnss_check_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(gnss_check);
+
+allow gnss_check vendor_toolbox_exec:file { execute_no_trans };
+
+set_prop(gnss_check, ctl_stop_prop);
+set_prop(gnss_check, ctl_start_prop);
diff --git a/tokay/gnssd.te b/tokay/gnssd.te
new file mode 100644
index 00000000..ea16762b
--- /dev/null
+++ b/tokay/gnssd.te
@@ -0,0 +1,23 @@
+type gnssd, domain;
+type gnssd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gnssd);
+
+# Allow gnssd to access rild
+binder_call(gnssd, rild);
+# binder_call(gnssd, hwservicemanager)
+allow gnssd hal_exynos_rild_hwservice:hwservice_manager find;
+allow gnssd radio_device:chr_file rw_file_perms;
+
+# Allow gnssd to acess gnss device
+allow gnssd vendor_gnss_device:chr_file rw_file_perms;
+allow gnssd vendor_gps_file:dir create_dir_perms;
+allow gnssd vendor_gps_file:file create_file_perms;
+allow gnssd vendor_gps_file:fifo_file create_file_perms;
+
+get_prop(gnssd, bootanim_system_prop)
+
+# Allow gnssd to obtain wakelock
+wakelock_use(gnssd)
+
+# Allow a base set of permissions required for network access.
+net_domain(gnssd);
diff --git a/tokay/hal_gnss_default.te b/tokay/hal_gnss_default.te
new file mode 100644
index 00000000..bf1a5645
--- /dev/null
+++ b/tokay/hal_gnss_default.te
@@ -0,0 +1,3 @@
+binder_call(hal_gnss_default, gnssd);
+
+allow hal_gnss_default gnssd:unix_stream_socket connectto;
diff --git a/tokay/rild.te b/tokay/rild.te
new file mode 100644
index 00000000..c620a19b
--- /dev/null
+++ b/tokay/rild.te
@@ -0,0 +1 @@
+binder_call(rild, gnssd)
diff --git a/tokay/sctd.te b/tokay/sctd.te
new file mode 100644
index 00000000..8966ef8a
--- /dev/null
+++ b/tokay/sctd.te
@@ -0,0 +1,3 @@
+type sctd, domain;
+type sctd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(sctd);
diff --git a/tokay/spad.te b/tokay/spad.te
new file mode 100644
index 00000000..eaf8b1c8
--- /dev/null
+++ b/tokay/spad.te
@@ -0,0 +1,3 @@
+type spad, domain;
+type spad_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(spad);
diff --git a/tokay/swcnd.te b/tokay/swcnd.te
new file mode 100644
index 00000000..c366cad8
--- /dev/null
+++ b/tokay/swcnd.te
@@ -0,0 +1,3 @@
+type swcnd, domain;
+type swcnd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(swcnd);