sepolicy: legacy: Update Perf HAL sepolicies

Imported changes from: https://github.com/AOSPA/android_device_qcom_sepolicy_vndr uvite branch Commits to be picked manually: * Added sepolicy rules to access qfprom0 nodes (most probably not needed for this super legacy device) Manual changes made: * Removed "vendor_" prefix on some rules * The counterpart of vendor_sysfs_mpctl in sepolicy legacy is sysfs_mpdecision * Removed some sepol rules that has needed changes outside of hal_perf_default.te * Changed vendor_hal_mem_pasrmanager to hal_pasrmanager_memory (might be correct) Change-Id: Iab1aa42ca7e8af3a1e9b20a321f80fe487426518 Signed-off-by: Jprimero15 <jprimero15@aospa.co>
2024-01-07 17:48:32 +08:00 · 2024-01-07 17:48:32 +08:00 · 85387af7d3
parent 9bae89c654
commit 85387af7d3
1 changed files with 75 additions and 39 deletions
--- a/sepolicy/legacy/vendor/common/hal_perf_default.te
+++ b/sepolicy/legacy/vendor/common/hal_perf_default.te
@ -1,4 +1,4 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@ -34,8 +34,6 @@ init_daemon_domain(vendor_hal_perf_default)
 # Allow hwbinder call from hal client to server
 binder_call(vendor_hal_perf_client, vendor_hal_perf_server)
 binder_call(vendor_hal_perf_default, hal_pasrmanager_memory_qti)
 #Allow AIDL base perf-hal communication
 hal_attribute_service(vendor_hal_perf, vendor_hal_perf2_service)
 binder_call(vendor_hal_perf_server, servicemanager)
@ -55,12 +53,12 @@ allow vendor_hal_perf_default lm_data_file:dir rw_dir_perms;
 allow vendor_hal_perf_default lm_data_file:file create_file_perms;
 allow vendor_hal_perf_default sysfs_lib:file w_file_perms;
 allow vendor_hal_perf_default proc_meminfo:file r_file_perms;
 allow vendor_hal_perf_default self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow vendor_hal_perf_default {appdomain}:process getpgid;
 hal_client_domain(vendor_hal_perf_default, vendor_hal_iop);
 hal_client_domain(vendor_hal_perf_default, vendor_hal_srvctracker);
 r_dir_file(vendor_hal_perf_default, appdomain);
 allow vendor_hal_perf_default {appdomain}:file rw_file_perms;
 allow vendor_hal_perf_default self:capability setuid;
 allow vendor_hal_perf_default hal_display_config_hwservice:hwservice_manager find;
 allow vendor_hal_perf_default hal_pasrmanager_memory_hwservice:hwservice_manager find;
 allow vendor_hal_perf {
     sysfs_devices_system_cpu
@ -82,6 +80,8 @@ allow vendor_hal_perf {
 allow vendor_hal_perf {
     sysfs_devices_system_cpu
     sysfs_mpdecision
     sysfs_cpu_boost
     sysfs_msm_perf
     sysfs_kgsl
     sysfs_cpu_boost
     sysfs_msm_perf
@ -93,6 +93,7 @@ allow vendor_hal_perf {
     sysfs_msm_power
     sysfs_battery_supply
     sysfs_process_reclaim
     sysfs_kgsl_proc
     sysfs_dm
 }:file rw_file_perms;
@ -106,9 +107,44 @@ allow vendor_hal_perf {
 # Allow to self kill capability
 allow vendor_hal_perf_default self:capability { kill };
 binder_call(vendor_hal_perf_default, hal_graphics_composer_default)
 allow vendor_hal_perf_default sysfs_soc:dir r_dir_perms;
 # Allow QSPM access
 hal_client_domain(vendor_hal_perf_default, vendor_hal_qspmhal);
 # Allow hal_perf to set property
 set_prop(vendor_hal_perf_default, vendor_mpctl_prop)
 set_prop(vendor_hal_perf_default, vendor_wlc_public_prop)
 #Allow Display Config access
 hal_client_domain(vendor_hal_perf_default, hal_graphics_composer);
 # Allow connecting to thermal_socket
 unix_socket_connect(vendor_hal_perf_default, thermal, thermal-engine)
 #Allow display driver access
 allow vendor_hal_perf_default graphics_device:chr_file rw_file_perms;
 # Allow shared memory access
 hal_client_domain(vendor_hal_perf_default, hal_allocator);
 # Allow perf hal to interact with pasr memory hal
 hal_client_domain(vendor_hal_perf_default, hal_pasrmanager_memory);
 allow vendor_hal_perf_default block_device:dir { open read search };
 allow vendor_hal_perf_default proc_diskstats:file { getattr open read };
 allow vendor_hal_perf_default self:capability { sys_nice setuid };
 # Rule for vndbinder usage
 allow vendor_hal_perf qdisplay_service:service_manager find;
 vndbinder_use(vendor_hal_perf);
 hal_client_domain(vendor_hal_perf_default, hal_thermal);
 allow vendor_hal_perf_default surfaceflinger:process setsched;
 allow vendor_hal_perf_default hal_graphics_composer_default:process setsched;
 allow vendor_hal_perf_default appdomain:process setsched;
 allow vendor_hal_perf_default appdomain:process getsched;
 allow vendor_hal_perf_default self:capability sys_nice;
 dontaudit vendor_hal_perf_default self:capability dac_override;
 dontaudit vendor_hal_perf_default system_server:dir search;
 dontaudit vendor_hal_perf_default { domain - appdomain }:process { getsched setsched };