From 85387af7d33b3dd92b3b21e76a445d1543100fd0 Mon Sep 17 00:00:00 2001 From: Jprimero15 Date: Sun, 7 Jan 2024 17:48:32 +0800 Subject: [PATCH] sepolicy: legacy: Update Perf HAL sepolicies Imported changes from: https://github.com/AOSPA/android_device_qcom_sepolicy_vndr uvite branch Commits to be picked manually: * Added sepolicy rules to access qfprom0 nodes (most probably not needed for this super legacy device) Manual changes made: * Removed "vendor_" prefix on some rules * The counterpart of vendor_sysfs_mpctl in sepolicy legacy is sysfs_mpdecision * Removed some sepol rules that has needed changes outside of hal_perf_default.te * Changed vendor_hal_mem_pasrmanager to hal_pasrmanager_memory (might be correct) Change-Id: Iab1aa42ca7e8af3a1e9b20a321f80fe487426518 Signed-off-by: Jprimero15 --- .../legacy/vendor/common/hal_perf_default.te | 114 ++++++++++++------ 1 file changed, 75 insertions(+), 39 deletions(-) diff --git a/sepolicy/legacy/vendor/common/hal_perf_default.te b/sepolicy/legacy/vendor/common/hal_perf_default.te index fc9bede3..5e4f8fb5 100644 --- a/sepolicy/legacy/vendor/common/hal_perf_default.te +++ b/sepolicy/legacy/vendor/common/hal_perf_default.te @@ -1,4 +1,4 @@ -# Copyright (c) 2017, The Linux Foundation. All rights reserved. +# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are @@ -34,8 +34,6 @@ init_daemon_domain(vendor_hal_perf_default) # Allow hwbinder call from hal client to server binder_call(vendor_hal_perf_client, vendor_hal_perf_server) -binder_call(vendor_hal_perf_default, hal_pasrmanager_memory_qti) - #Allow AIDL base perf-hal communication hal_attribute_service(vendor_hal_perf, vendor_hal_perf2_service) binder_call(vendor_hal_perf_server, servicemanager) @@ -55,45 +53,48 @@ allow vendor_hal_perf_default lm_data_file:dir rw_dir_perms; allow vendor_hal_perf_default lm_data_file:file create_file_perms; allow vendor_hal_perf_default sysfs_lib:file w_file_perms; allow vendor_hal_perf_default proc_meminfo:file r_file_perms; +allow vendor_hal_perf_default self:netlink_generic_socket create_socket_perms_no_ioctl; +allow vendor_hal_perf_default {appdomain}:process getpgid; +hal_client_domain(vendor_hal_perf_default, vendor_hal_iop); +hal_client_domain(vendor_hal_perf_default, vendor_hal_srvctracker); r_dir_file(vendor_hal_perf_default, appdomain); allow vendor_hal_perf_default {appdomain}:file rw_file_perms; -allow vendor_hal_perf_default self:capability setuid; - -allow vendor_hal_perf_default hal_display_config_hwservice:hwservice_manager find; -allow vendor_hal_perf_default hal_pasrmanager_memory_hwservice:hwservice_manager find; allow vendor_hal_perf { - sysfs_devices_system_cpu - sysfs_mpdecision - sysfs_devfreq - sysfs_mmc_host - sysfs_scsi_host - sysfs_kgsl - sysfs_kgsl_proc - sysfs_cpu_boost - sysfs_msm_perf - sysfs_memory - sysfs_graphics - sysfs_msm_power - sysfs_battery_supply - sysfs_process_reclaim + sysfs_devices_system_cpu + sysfs_mpdecision + sysfs_devfreq + sysfs_mmc_host + sysfs_scsi_host + sysfs_kgsl + sysfs_kgsl_proc + sysfs_cpu_boost + sysfs_msm_perf + sysfs_memory + sysfs_graphics + sysfs_msm_power + sysfs_battery_supply + sysfs_process_reclaim }:dir r_dir_perms; allow vendor_hal_perf { - sysfs_devices_system_cpu - sysfs_mpdecision - sysfs_kgsl - sysfs_cpu_boost - sysfs_msm_perf - sysfs_memory - sysfs_graphics - sysfs_scsi_host - sysfs_devfreq - sysfs_mmc_host - sysfs_msm_power - sysfs_battery_supply - sysfs_process_reclaim - sysfs_dm + sysfs_devices_system_cpu + sysfs_mpdecision + sysfs_cpu_boost + sysfs_msm_perf + sysfs_kgsl + sysfs_cpu_boost + sysfs_msm_perf + sysfs_memory + sysfs_graphics + sysfs_scsi_host + sysfs_devfreq + sysfs_mmc_host + sysfs_msm_power + sysfs_battery_supply + sysfs_process_reclaim + sysfs_kgsl_proc + sysfs_dm }:file rw_file_perms; allow vendor_hal_perf { @@ -106,9 +107,44 @@ allow vendor_hal_perf { # Allow to self kill capability allow vendor_hal_perf_default self:capability { kill }; -binder_call(vendor_hal_perf_default, hal_graphics_composer_default) - -allow vendor_hal_perf_default sysfs_soc:dir r_dir_perms; - # Allow QSPM access hal_client_domain(vendor_hal_perf_default, vendor_hal_qspmhal); + +# Allow hal_perf to set property +set_prop(vendor_hal_perf_default, vendor_mpctl_prop) +set_prop(vendor_hal_perf_default, vendor_wlc_public_prop) + +#Allow Display Config access +hal_client_domain(vendor_hal_perf_default, hal_graphics_composer); + +# Allow connecting to thermal_socket +unix_socket_connect(vendor_hal_perf_default, thermal, thermal-engine) + +#Allow display driver access +allow vendor_hal_perf_default graphics_device:chr_file rw_file_perms; + +# Allow shared memory access +hal_client_domain(vendor_hal_perf_default, hal_allocator); + +# Allow perf hal to interact with pasr memory hal +hal_client_domain(vendor_hal_perf_default, hal_pasrmanager_memory); + +allow vendor_hal_perf_default block_device:dir { open read search }; +allow vendor_hal_perf_default proc_diskstats:file { getattr open read }; + +allow vendor_hal_perf_default self:capability { sys_nice setuid }; + +# Rule for vndbinder usage +allow vendor_hal_perf qdisplay_service:service_manager find; +vndbinder_use(vendor_hal_perf); + +hal_client_domain(vendor_hal_perf_default, hal_thermal); + +allow vendor_hal_perf_default surfaceflinger:process setsched; +allow vendor_hal_perf_default hal_graphics_composer_default:process setsched; +allow vendor_hal_perf_default appdomain:process setsched; +allow vendor_hal_perf_default appdomain:process getsched; +allow vendor_hal_perf_default self:capability sys_nice; +dontaudit vendor_hal_perf_default self:capability dac_override; +dontaudit vendor_hal_perf_default system_server:dir search; +dontaudit vendor_hal_perf_default { domain - appdomain }:process { getsched setsched };