sepolicy: mdtp: mdtp service policies

Define mdtp_service as a service. Allow mdtp_service access to
core mdtp functionality.

Change-Id: I2043a5d093808fcb38ae17c6c38fa6ce9a050772
diff --git a/common/file.te b/common/file.te
index 6ae3ba4..66e7b58 100644
--- a/common/file.te
+++ b/common/file.te
@@ -165,5 +165,8 @@
 # audio pp notifier files
 type audio_pp_data_file, file_type, data_file_type;
 
+#mdtp_svc_app file types
+type mdtp_svc_app_data_file, file_type, data_file_type;
+
 # subsystem_ramdump files
 type ssr_ramdump_data_file, file_type, data_file_type;
diff --git a/common/file_contexts b/common/file_contexts
index dc61a78..9edb047 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -216,6 +216,7 @@
 /system/bin/tbaseLoader                         u:object_r:tbaseLoader_exec:s0
 /system/bin/mcStarter                           u:object_r:mcStarter_exec:s0
 /system/bin/fstman                              u:object_r:fstman_exec:s0
+/system/vendor/bin/mdtp_service                 u:object_r:mdtpdaemon_exec:s0
 
 ###################################
 # sysfs files
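Review bot: The added entry labels only the `/system/vendor/bin` path, so on a target where vendor is a separate partition and `/system/vendor` is a symlink, the binary's real path would be `/vendor/bin/mdtp_service` and this entry would likely not match. The executable would then keep the default label and the `init_daemon_domain(mdtpdaemon)` transition declared in mdtp.te would not take effect. If such targets are in scope, match both locations with `/(system/vendor|vendor)/bin/mdtp_service   u:object_r:mdtpdaemon_exec:s0`.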
diff --git a/common/installd.te b/common/installd.te
index ea3b0be..a337fb9 100644
--- a/common/installd.te
+++ b/common/installd.te
@@ -1,3 +1,3 @@
-allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file } :dir { create_dir_perms relabelfrom relabelto };
-allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file } :lnk_file { create_file_perms relabelfrom relabelto };
-allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file } :{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
+allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file} :dir { create_dir_perms relabelfrom relabelto };
+allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file} :lnk_file { create_file_perms relabelfrom relabelto };
+allow installd { dpmd_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file} :{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
diff --git a/common/mdtp.te b/common/mdtp.te
new file mode 100644
index 0000000..f69456c
--- /dev/null
+++ b/common/mdtp.te
@@ -0,0 +1,56 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type mdtpdaemon, domain;
+type mdtpdaemon_exec, exec_type, file_type;
+
+#Allow for transition from init domain to mdtpdaemon
+init_daemon_domain(mdtpdaemon)
+
+#Allow mdtpdaemon to use Binder IPC
+binder_use(mdtpdaemon)
+
+#Mark mdtpdaemon as a Binder service domain
+binder_service(mdtpdaemon)
+
+#Allow mdtpdaemon to be registered with service manager
+allow mdtpdaemon mdtpdaemon_service:service_manager { add find };
+
+#Allow apps to interact with mdtpdaemon
+binder_call(mdtpdaemon, platform_app)
+
+#Allow access to firmware
+r_dir_file(mdtpdaemon, firmware_file)
+
+#Allow access to qsee directories
+allow mdtpdaemon data_qsee_file:dir create_dir_perms;
+
+#Allow access to qsee fifos
+allow mdtpdaemon data_qsee_file:fifo_file create_file_perms;
+
+#Allow access to tee device
+allow mdtpdaemon tee_device:chr_file rw_file_perms;
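Review bot: `binder_call(mdtpdaemon, platform_app)` grants the opposite direction from what its comment describes. The macro's first argument is the caller, so this lets mdtpdaemon call into platform_app, whereas the system_app.te hunk of this commit uses the client-first order (`binder_call(system_app, mdtpdaemon)`). If platform apps are meant to be clients of the daemon, the line should read `binder_call(platform_app, mdtpdaemon)`. If the daemon only needs to deliver callbacks, reword the comment to `#Allow mdtpdaemon to call back into platform_app`. Since this domain also gets rw on tee_device and create permissions on data_qsee_file, the file should state explicitly which domains may reach it over Binder.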
diff --git a/common/mdtpservice_app.te b/common/mdtpservice_app.te
new file mode 100644
index 0000000..99ca61f
--- /dev/null
+++ b/common/mdtpservice_app.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type mdtpservice_app, domain;
+app_domain(mdtpservice_app)
+binder_use(mdtpservice_app)
+
+# allow mdtpservice_app to interact with proxy daemon
+binder_call(mdtpservice_app, mdtpdaemon_service)
+
+# file permissions
+allow mdtpservice_app mdtp_svc_app_data_file:dir create_dir_perms;
+allow mdtpservice_app mdtp_svc_app_data_file:file create_file_perms;
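Review bot: The target of `binder_call(mdtpservice_app, mdtpdaemon_service)` is the service_manager label added in service.te, not a process domain. As written, the rule does not let the app transact with the daemon, which runs as mdtpdaemon. The call should name the domain: `binder_call(mdtpservice_app, mdtpdaemon)`. Nothing in this file lets the app look the service up either, so `allow mdtpservice_app mdtpdaemon_service:service_manager find;` appears to be needed as well, unless a macro outside this diff already grants it.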
diff --git a/common/seapp_contexts b/common/seapp_contexts
index e0e7df7..27f8514 100644
--- a/common/seapp_contexts
+++ b/common/seapp_contexts
@@ -9,3 +9,6 @@
 #Add new domain for QSEE services
 user=system seinfo=platform name=com.qualcomm.qti.auth.fidocryptoservice domain=qsee_svc_app type=qsee_svc_app_data_file
 user=system seinfo=platform name=com.qualcomm.qti.auth.fidosuiservice domain=qsee_svc_app type=qsee_svc_app_data_file
+
+#Add new domain for MDTP services
+user=system seinfo=platform name=com.qualcomm.qti.securemsm.mdtp.MdtpService domain=mdtpservice_app type=mdtp_svc_app_data_file
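Review bot: The `name=` selector on the added line is matched against the app's process name, and `com.qualcomm.qti.securemsm.mdtp.MdtpService` reads like a class name rather than a package or process name, unlike the two all-lowercase fido entries above it. If the process actually runs under its package name, this entry would never match, and the app would presumably fall through to the generic `user=system` entry instead of running as mdtpservice_app, with no build-time error. Confirm the value against the app's manifest, and consider recording it in a comment such as `# name= is the android:process value of the MDTP service app`.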
diff --git a/common/service.te b/common/service.te
index da26d7f..19370b5 100644
--- a/common/service.te
+++ b/common/service.te
@@ -16,4 +16,5 @@
 type gba_auth_service,          service_manager_type;
 type izat_service,              system_api_service, service_manager_type;
 type seemp_service,             service_manager_type;
+type mdtpdaemon_service,        service_manager_type;
 type qtitetherservices_service, service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
index fffbb54..a0fafbb 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -20,4 +20,5 @@
 com.qualcomm.location.izat.IzatService         u:object_r:izat_service:s0
 qti.security.seemp                             u:object_r:seemp_service:s0
 seempservice                                   u:object_r:seemp_service:s0
+mdtp                                           u:object_r:mdtpdaemon_service:s0
 qtitetherservice                               u:object_r:qtitetherservices_service:s0
diff --git a/common/system_app.te b/common/system_app.te
index 54cf2b5..52fb445 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -100,5 +100,8 @@
 #allow access to ipa
 allow system_app ipa_dev:chr_file rw_file_perms;
 
+# allow system_app to interact with mdtp daemon
+binder_call(system_app, mdtpdaemon)
+
 # allow access to system_app for audio pp files
 r_dir_file(system_app, audio_pp_data_file);
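Review bot: `binder_call(system_app, mdtpdaemon)` opens the daemon to every process in the system_app domain, although this commit also creates a dedicated mdtpservice_app domain for the MDTP client. mdtp.te gives mdtpdaemon rw on tee_device and create permissions on data_qsee_file, so each additional caller domain widens what can reach that functionality. If a specific system app needs the call, name it in the comment, e.g. `# <component> (system_app) calls mdtpdaemon to <purpose>`. Otherwise drop the rule and keep access confined to mdtpservice_app.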
diff --git a/common/system_server.te b/common/system_server.te
index 9dad36a..32b2e07 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -55,8 +55,8 @@
 allow system_server location:unix_stream_socket connectto;
 allow system_server location_data_file:{ file fifo_file } create_file_perms;
 allow system_server location_data_file:dir create_dir_perms;
-allow system_server { dpmd_app_data_file location_app_data_file } :file rw_file_perms;
-allow system_server { dpmd_app_data_file location_app_data_file } :dir r_dir_perms;
+allow system_server { dpmd_app_data_file location_app_data_file mdtp_svc_app_data_file } :file rw_file_perms;
+allow system_server { dpmd_app_data_file location_app_data_file mdtp_svc_app_data_file } :dir r_dir_perms;
 allow system_server location_socket:sock_file create_file_perms;
 allow system_server location_prop:property_service set;