Merge "Camera: further sepolicy cleanup" into oc-dev
diff --git a/WCNSS_qcom_cfg.ini b/WCNSS_qcom_cfg.ini
index 6e696b6..822f34a 100644
--- a/WCNSS_qcom_cfg.ini
+++ b/WCNSS_qcom_cfg.ini
@@ -245,7 +245,7 @@
 #    g_probe_req_ie_bitmap_0=0x80000009 #[0, 3, 31]
 #    g_probe_req_ie_bitmap_0=0x00000000 #[] (default)
 #    g_probe_req_ie_bitmap_1=0x80000009 #[32, 35, 63]
-# g_probe_req_ie_bitmap_0=0x00000009
+g_probe_req_ie_bitmap_0=0x00000009
 # g_probe_req_ie_bitmap_1=0x00000000
 # g_probe_req_ie_bitmap_2=0x00000000
 # g_probe_req_ie_bitmap_3=0x00000000
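Review bot: The newly enabled `g_probe_req_ie_bitmap_0=0x00000009` carries no IE-list annotation, although the examples just above document each mask as `#[...]`. By that convention 0x00000009 sets bits 0 and 3, so `g_probe_req_ie_bitmap_0=0x00000009 #[0, 3]` would let a reader check the intent without decoding the mask. Because this mask selects which information elements the driver sends in probe requests, a short comment on why these two IEs are needed would also help anyone later auditing the device's over-the-air behaviour.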
diff --git a/device-common.mk b/device-common.mk
index dd32e5e..a8bcebe 100644
--- a/device-common.mk
+++ b/device-common.mk
@@ -595,3 +595,7 @@
 # Vendor seccomp policy files for media components:
 PRODUCT_COPY_FILES += \
     device/google/marlin/seccomp_policy/mediacodec.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/mediacodec.policy
+
+# whitelisted app
+PRODUCT_COPY_FILES += \
+    device/google/marlin/qti_whitelist.xml:system/etc/sysconfig/qti_whitelist.xml
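Review bot: The comment `# whitelisted app` on the new PRODUCT_COPY_FILES entry does not say what is whitelisted or why; the installed file (qti_whitelist.xml) grants `allow-in-power-save` to several telephony packages. Suggest `# Telephony packages exempted from power-save restrictions (see qti_whitelist.xml)` so the exemption is visible from the makefile. The destination `system/etc/sysconfig/` also differs from the `$(TARGET_COPY_OUT_VENDOR)` path used on the line above; if that is deliberate because the sysconfig directory is read from the system partition, a one-line comment would stop the next reader from "fixing" it.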
diff --git a/init.common.rc b/init.common.rc
index 0b6848c..3e4632a 100644
--- a/init.common.rc
+++ b/init.common.rc
@@ -111,8 +111,7 @@
 on post-fs
     symlink /dev/block/platform/soc.0/f9824900.sdhci /dev/block/bootdevice
 
-# This section will be executed after all post-fs sections are done
-on post-fs && property:ro.hardware=*
+on load_system_props_action
     # Wait qseecomd started
     wait_for_prop sys.listeners.registered true
 
@@ -121,7 +120,6 @@
     start devstart_sh
 
     # Start services for bootanim
-    start servicemanager
     start vr_wm
     start surfaceflinger
     start bootanim
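Review bot: In the first hunk of this file the replacement trigger `on load_system_props_action` drops the comment that explained the ordering requirement, and the trigger name says nothing about why qseecomd is awaited here. If the intent is to run the block after the post-fs actions (load_system_props_action is, as far as I recall, triggered from init.rc once post-fs has run — confirm for this release), keep that as a comment, e.g. `# Runs after post-fs: init.rc triggers load_system_props_action once post-fs actions are done`. The old trigger `post-fs && property:ro.hardware=*` fired with every post-fs, whereas the new block only runs when something triggers load_system_props_action, so a boot path that never triggers it would never reach `start devstart_sh` or `start surfaceflinger`. The action body spans both hunks and its start is outside the second one.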
diff --git a/manifest.xml b/manifest.xml
index a0337c1..1a27d02 100644
--- a/manifest.xml
+++ b/manifest.xml
@@ -264,5 +264,26 @@
             <instance>default</instance>
         </interface>
     </hal>
+    <hal format="hidl">
+        <name>vendor.qti.atcmdfwd</name>
+        <transport>hwbinder</transport>
+        <impl level="generic"></impl>
+        <version>1.0</version>
+        <interface>
+            <name>IAtCmdFwd</name>
+            <instance>AtCmdFwdService</instance>
+        </interface>
+    </hal>
+    <hal format="hidl">
+        <name>vendor.qti.qcril.am</name>
+        <transport>hwbinder</transport>
+        <impl level="generic"></impl>
+        <version>1.0</version>
+        <interface>
+            <name>IQcRilAudio</name>
+            <instance>default</instance>
+        </interface>
+    </hal>
+
 </manifest>
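Review bot: `vendor.qti.atcmdfwd` is declared here as a hwbinder HAL, but the only sepolicy change for atfwd in this diff (sepolicy/atfwd.te) removes its Binder rules without adding hwbinder ones. If the atfwd daemon is the server for IAtCmdFwd it will need hwbinder access and permission to register the hwservice; that may live in a hunk outside this view, but it is worth confirming before the Binder rules go. The same question applies to whichever domain serves `vendor.qti.qcril.am`. Minor: the blank line added just before `</manifest>` is stray.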
 
diff --git a/qti_whitelist.xml b/qti_whitelist.xml
new file mode 100644
index 0000000..d5272f5
--- /dev/null
+++ b/qti_whitelist.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
+
+<!--
+/* Copyright (c) 2017, The Linux Foundation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ *       copyright notice, this list of conditions and the following
+ *       disclaimer in the documentation and/or other materials provided
+ *       with the distribution.
+ *     * Neither the name of The Linux Foundation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+ * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+-->
+
+<config>
+    <!-- These are telephony components that need to freely run in the background -->
+    <allow-in-power-save package="com.qualcomm.atfwd" />
+    <allow-in-power-save package="com.qti.qualcomm.datastatusnotification" />
+    <allow-in-power-save package="com.qualcomm.embms" />
+    <allow-in-power-save package="com.qualcomm.qti.telephonyservice" />
+    <allow-in-power-save package="com.qulacomm.qcrilmsgtunnel" />
+    <allow-in-power-save package="com.qualcomm.qti.ims" />
+    <allow-in-power-save package="com.qualcomm.qti.radioconfiginterface" />
+</config>
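Review bot: The package name `com.qulacomm.qcrilmsgtunnel` looks misspelled — every other entry uses the `com.qualcomm.` prefix — so this `allow-in-power-save` entry would silently match nothing; if the real package is `com.qualcomm.qcrilmsgtunnel`, change the line to `<allow-in-power-save package="com.qualcomm.qcrilmsgtunnel" />`. Since each entry exempts a package from background power-save restrictions, the comment inside `<config>` could also state who owns the list and under what condition an entry may be removed, rather than only "telephony components".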
diff --git a/sepolicy/atfwd.te b/sepolicy/atfwd.te
index 6f2caa5..8f96869 100644
--- a/sepolicy/atfwd.te
+++ b/sepolicy/atfwd.te
@@ -3,12 +3,6 @@
 
 init_daemon_domain(atfwd)
 
-# TODO(b/34603782): Remove this once atfwd no longer uses Binder
-typeattribute atfwd binder_in_vendor_violators;
-binder_use(atfwd)
-
-allow atfwd atfwd_service:service_manager find;
-
 allow atfwd self:socket create_socket_perms;
 allowxperm atfwd self:socket ioctl msm_sock_ipc_ioctls;
 
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index f1b9f22..59a7cb7 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -35,16 +35,9 @@
 # TODO(b/36663461): Remove once camera no longer accesses data outside
 # /data/vendor
 typeattribute camera coredata_in_vendor_violators;
+typeattribute camera socket_between_core_and_vendor_violators;
 allow camera camera_data_file:dir rw_dir_perms;
 allow camera camera_data_file:sock_file { create unlink };
 
 allow camera input_device:dir r_dir_perms;
 allow camera input_device:chr_file r_file_perms;
-
-# TODO(b/34274385): Remove this once Camera HAL is guaranteed to not be run in passthrough mode
-# What's going on here is that Camera HAL os talking over sockets to camera daemon, which is
-# permitted. However, those rules target hal_camera rather than hal_camera_server and thus are also
-# granted to all clients of Camera HAL (e.g., cameraserver) which are core components, and
-# socket communications between system components and vendor components are not permted.
-# Once we switch full Treble devices to binderized only mode, this issue will disappear.
-typeattribute camera socket_between_core_and_vendor_violators;
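Review bot: Moving `typeattribute camera socket_between_core_and_vendor_violators;` directly under the `TODO(b/36663461)` comment makes that comment read as if it covered both attributes, while the tracking bug for the socket exemption (b/34274385 in the removed lines) disappears. Keep a one-line reference so the exemption still has an owner, e.g. `# TODO(b/34274385): Remove once core clients of the Camera HAL no longer reach the camera daemon over sockets` above the typeattribute line. The long explanatory paragraph can go, but the bug id should stay.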
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index ed36de9..bf2f302 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -143,12 +143,17 @@
 /vendor/lib(64)?/libEGL_adreno\.so          u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libGLESv1_CM_adreno\.so    u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libGLESv2_adreno\.so       u:object_r:same_process_hal_file:s0
+
+# RenderScript dependencies.
+# To test: run cts -m CtsRenderscriptTestCases
 /vendor/lib(64)?/libRSDriver_adreno\.so     u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libbccQTI\.so              u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libllvm-qcom\.so           u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/librs_adreno\.so           u:object_r:same_process_hal_file:s0
 
 /vendor/lib(64)?/libCB\.so                  u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libllvm-qgl\.so            u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libqti-perfd-client\.so    u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/librs_adreno\.so           u:object_r:same_process_hal_file:s0
 
 # libGLESv2_adreno depends on this
 /vendor/lib(64)?/libllvm-glnext\.so         u:object_r:same_process_hal_file:s0
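Review bot: `libbccQTI.so` and `libllvm-qcom.so` are newly labelled `same_process_hal_file`, which makes them loadable into core (non-vendor) processes; the new comment names the CTS module but not which consumer pulls them in. Suggest extending the comment to name the dependency chain if known (e.g. `# loaded by libRSDriver_adreno` — confirm that is the actual dependency before writing it) so later audits of the same-process HAL set can tell why each library is there.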
diff --git a/sepolicy/hal_camera.te b/sepolicy/hal_camera.te
index 394b0e3..20bd9ce 100644
--- a/sepolicy/hal_camera.te
+++ b/sepolicy/hal_camera.te
@@ -29,10 +29,6 @@
 
 # Grant access to Qualcomm MSM Interface (QMI) radio sockets
 qmux_socket(hal_camera)
-# TODO(b/34274385): Remove this once Camera HAL is guaranteed to be binderized on full Treble
-# devices. Passthrough Camera HAL makes cameraserver use qmux socket which is a vendor socket.
-# cameraserver, being a non-vendor component, is not permitted to use that socket.
-typeattribute cameraserver socket_between_core_and_vendor_violators;
 
 # allow hal_camera to call some socket ioctls
 allowxperm hal_camera self:socket ioctl { IPC_ROUTER_IOCTL_LOOKUP_SERVER IPC_ROUTER_IOCTL_BIND_CONTROL_PORT };
diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te
index 6555600..e3f6464 100644
--- a/sepolicy/hal_gnss_default.te
+++ b/sepolicy/hal_gnss_default.te
@@ -1,5 +1,5 @@
-# TODO(b/36576569): Remove this once hal_gnss_default stops accessing /dev/binder
-typeattribute hal_gnss_default binder_in_vendor_violators;
 # TODO(b/36730929): Remove once hal_gnss_default is no longer accessing
 # /data outside /data/vendor.
 typeattribute hal_gnss_default coredata_in_vendor_violators;
+
+vndbinder_use(hal_gnss_default)
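Review bot: `vndbinder_use(hal_gnss_default)` is added without a comment and without any `vndservice_manager` rule in this hunk; if the GNSS HAL looks up or registers a vendor service over vndbinder it will also need an `allow hal_gnss_default <service_type>:vndservice_manager find;` line and a `binder_call` pair with its peer, which may be outside this diff — confirm. A short comment naming the service it reaches over vndbinder (`# vndbinder: talks to <peer domain>`) would make that dependency visible to the next reader.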
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index 101f88f..1e1c701 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -43,12 +43,3 @@
 
 # use fds passed from radio app
 allow ims radio:fd use;
-
-# TODO(b/34274385): Remove this once Telphony HAL is guaranteed to not be run in passthrough mode
-# What's going on here is that Telephony HAL is talking over sockets to ims daemon, which is
-# permitted. However, those rules target hal_telephony rather than hal_telephony_server and thus
-# are also granted to all clients of Telephony HAL (e.g., radio daemon) which are core
-# components, and socket communications between system components and vendor components are not
-# permted.
-# Once we switch full Treble devices to binderized only mode, this issue will disappear.
-typeattribute ims socket_between_core_and_vendor_violators;
diff --git a/sepolicy/location.te b/sepolicy/location.te
index 8d4c120..f288f37 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -49,11 +49,3 @@
 userdebug_or_eng(`
   allow location diag_device:chr_file rw_file_perms;
 ')
-
-# TODO(b/34274385): Remove this once Wi-Fi HAL is guaranteed to not be run in passthrough mode
-# What's going on here is that Wi-Fi HAL is talking over sockets to location daemon, which is
-# permitted. However, those rules target hal_wifi rather than hal_wifi_server and thus are also
-# granted to all clients of these HALs (e.g., system_server) which are core components, and
-# socket communications between system components and vendor components are not permted.
-# Once we switch full Treble devices to binderized only mode, this issue will disappear.
-typeattribute location socket_between_core_and_vendor_violators;
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
index eb382d1..05761fe 100644
--- a/sepolicy/per_mgr.te
+++ b/sepolicy/per_mgr.te
@@ -6,12 +6,9 @@
 
 init_daemon_domain(per_mgr)
 
-allow per_mgr per_mgr_service:service_manager add;
+allow per_mgr per_mgr_service:vndservice_manager add;
 
-# TODO(b/36570300): Remove this once per_mgr stops using Binder
-typeattribute per_mgr binder_in_vendor_violators;
-binder_use(per_mgr)
-binder_call(per_mgr, system_server)
+vndbinder_use(per_mgr)
 binder_call(per_mgr, rild)
 binder_call(per_mgr, per_proxy)
 
diff --git a/sepolicy/per_proxy.te b/sepolicy/per_proxy.te
index af14328..440915b 100644
--- a/sepolicy/per_proxy.te
+++ b/sepolicy/per_proxy.te
@@ -4,11 +4,9 @@
 
 init_daemon_domain(per_proxy)
 
-# TODO(b/36570130): Remove this once per_proxy stops using Binder
-typeattribute per_proxy binder_in_vendor_violators;
-allow per_proxy per_mgr_service:service_manager find;
+allow per_proxy per_mgr_service:vndservice_manager find;
 r_dir_file(per_proxy, sysfs_type)
 
-binder_use(per_proxy)
+vndbinder_use(per_proxy)
 binder_call(per_proxy, per_mgr)
 
diff --git a/sepolicy/perfd.te b/sepolicy/perfd.te
index 3cb9fb6..ccbb9d6 100644
--- a/sepolicy/perfd.te
+++ b/sepolicy/perfd.te
@@ -34,11 +34,3 @@
 # Determining if a process exists does not require the kill capability
 # since a permission denied indicates the process exists.
 dontaudit perfd self:capability kill;
-
-# TODO(b/34274385): Remove this once HALs are guaranteed to not be run in passthrough mode
-# What's going on here is that Audio HAL, Power and DRM HAL are talking over sockets to perfd,
-# which is permitted. However, those rules target hal_x rather than hal_x_server and thus are also
-# granted to all clients of these HALs (e.g., system_server) which are core components, and
-# socket communications between system components and vendor components are not permted.
-# Once we switch full Treble devices to binderized only mode, this issue will disappear.
-typeattribute perfd socket_between_core_and_vendor_violators;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 3a01e22..ad9eb0a 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1,3 +1,5 @@
+binder_call(platform_app, rild);
+
 userdebug_or_eng(`
 
    # TODO(b/36734870): Remove this once platform_app no longer directly
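Review bot: `binder_call(platform_app, rild);` grants every platform-signed app Binder access to rild, which is broader than the single telephony app the matching rule in sepolicy/rild.te (`# callback into telephony app`) describes; if that app runs in the `qtelephony` app domain defined in sepolicy/qtelephony.te, `binder_call(qtelephony, rild)` and `binder_call(rild, qtelephony)` would be the tighter grant. The trailing `;` after the macro call is also inconsistent with the other macro invocations in this change (`vndbinder_use(per_mgr)`, `binder_call(rild, per_mgr)`); drop it here and on the rild.te line. The file continues past this hunk.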
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
index c04f72c..a4ffd5a 100644
--- a/sepolicy/qmuxd.te
+++ b/sepolicy/qmuxd.te
@@ -7,11 +7,3 @@
 allow qmuxd qmuxd_socket:dir w_dir_perms;
 allow qmuxd qmuxd_socket:sock_file create_file_perms;
 allow qmuxd self:socket create_socket_perms_no_ioctl;
-
-# TODO(b/34274385): Remove this once HALs are guaranteed to not be run in passthrough mode
-# What's going on here is that Camera HAL is talking over sockets to qmuxd, which is permitted.
-# However, those rules target hal_camera rather than hal_camera_server and thus are also
-# granted to all clients of these HALs (e.g., cameraserver) which are core components, and
-# socket communications between system components and vendor components are not permted.
-# Once we switch full Treble devices to binderized only mode, this issue will disappear.
-typeattribute qmuxd socket_between_core_and_vendor_violators;
diff --git a/sepolicy/qtelephony.te b/sepolicy/qtelephony.te
index a56fc4f..d792afa 100644
--- a/sepolicy/qtelephony.te
+++ b/sepolicy/qtelephony.te
@@ -3,8 +3,6 @@
 
 app_domain(qtelephony)
 
-add_service(qtelephony, atfwd_service)
-
 allow qtelephony { app_api_service }:service_manager find;
 
 # Read and write /data/data subdirectory.
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
index ed77733..7825fe6 100644
--- a/sepolicy/radio.te
+++ b/sepolicy/radio.te
@@ -1,5 +1,5 @@
 # TODO(b/36791780): Remove this once radio no longer communicates with qmuxd over sockets
-typeattribute radio socket_between_core_and_vendor_violators;
+typeattribute qmuxd socket_between_core_and_vendor_violators;
 # Grant access to Qualcomm MSM Interface (QMI) radio sockets
 qmux_socket(radio)
 
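Review bot: `typeattribute qmuxd socket_between_core_and_vendor_violators;` is now declared in radio.te (this hunk) and again in sepolicy/system_server.te, while the declaration in sepolicy/qmuxd.te is removed; the same pattern puts `typeattribute ims ...` into this file's second hunk while sepolicy/ims.te drops it. Repeated typeattribute statements should compile, but scattering a domain's exemption across its peers' files makes it easy to leave one copy behind when a bug is closed. Keep each declaration once in the domain's own file with all relevant bug ids, e.g. in qmuxd.te `# TODO(b/36791780, b/37161693): Remove once radio and system_server no longer use qmuxd sockets` followed by the typeattribute line. The comment kept above the changed line still says "Remove this once radio no longer communicates with qmuxd", yet it now guards the qmuxd attribute, which system_server depends on as well.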
@@ -12,6 +12,9 @@
 allow radio vendor_framework_file:dir { getattr search };
 allow radio vendor_framework_file:file { getattr open read };
 
+# TODO(b/37164021): Remove this once radio no longer communicates with ims over sockets
+typeattribute radio socket_between_core_and_vendor_violators;
+typeattribute ims socket_between_core_and_vendor_violators;
 # communicate with ims
 unix_socket_connect(radio, ims, ims)
 
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 324450a..75adf35 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,15 +1,14 @@
 # Grant access to Qualcomm MSM Interface (QMI) radio sockets
 qmux_socket(rild)
 
-# TODO(b/36565056, b/36651714): Remove this once rild stops using Binder
-typeattribute rild binder_in_vendor_violators;
-allow rild audioserver_service:service_manager find;
-allow rild per_mgr_service:service_manager find;
+allow rild per_mgr_service:vndservice_manager find;
 
-binder_use(rild)
-binder_call(rild, audioserver)
+vndbinder_use(rild)
 binder_call(rild, per_mgr)
 
+# callback into telephony app
+binder_call(rild, platform_app);
+
 allow rild netmgrd_socket:dir search;
 unix_socket_connect(rild, netmgrd, netmgrd)
 
diff --git a/sepolicy/service.te b/sepolicy/service.te
index abe70c8..a682951 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -1,6 +1,3 @@
-type atfwd_service,               service_manager_type;
 type cne_service,                 service_manager_type;
 type imscm_service,               service_manager_type;
-type per_mgr_service,             service_manager_type;
 type uce_service,                 service_manager_type;
-type qdisplay_service,            vndservice_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index a0e6849..7ae0b3d 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1,6 +1,4 @@
-AtCmdFwd                                       u:object_r:atfwd_service:s0
 cneservice                                     u:object_r:cne_service:s0
 qti.ims.connectionmanagerservice               u:object_r:imscm_service:s0
 rcs                                            u:object_r:radio_service:s0
 uce                                            u:object_r:uce_service:s0
-vendor.qcom.PeripheralManager                  u:object_r:per_mgr_service:s0
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 8378dc6..546f51c 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -5,6 +5,9 @@
 allow system_server self:socket ioctl; # create already in core policy
 allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
 
+# TODO(b/37161693): Remove this once system_server no longer communicates with qmuxd over sockets
+typeattribute system_server socket_between_core_and_vendor_violators;
+typeattribute qmuxd socket_between_core_and_vendor_violators;
 # Grant access to Qualcomm MSM Interface (QMI) radio sockets
 qmux_socket(system_server)
 
@@ -16,10 +19,6 @@
 allow system_server netmgrd_socket:dir search;
 unix_socket_connect(system_server, netmgrd, netmgrd)
 
-# talk to peripheral manager
-allow system_server per_mgr_service:service_manager find;
-binder_call(system_server, per_mgr)
-
 binder_call(system_server, hal_camera_default)
 
 # files in /sys
diff --git a/sepolicy/vndservice.te b/sepolicy/vndservice.te
new file mode 100644
index 0000000..1a35322
--- /dev/null
+++ b/sepolicy/vndservice.te
@@ -0,0 +1,2 @@
+type per_mgr_service,             vndservice_manager_type;
+type qdisplay_service,            vndservice_manager_type;
diff --git a/sepolicy/vndservice_contexts b/sepolicy/vndservice_contexts
index 2b9cf7f..7cbff6b 100644
--- a/sepolicy/vndservice_contexts
+++ b/sepolicy/vndservice_contexts
@@ -1 +1,2 @@
 display.qservice                          u:object_r:qdisplay_service:s0
+vendor.qcom.PeripheralManager             u:object_r:per_mgr_service:s0
diff --git a/sepolicy/wcnss_filter.te b/sepolicy/wcnss_filter.te
index 74be430..833a43f 100644
--- a/sepolicy/wcnss_filter.te
+++ b/sepolicy/wcnss_filter.te
@@ -19,12 +19,3 @@
 
 # Allow reading Bluetooth-related system properties
 get_prop(wcnss_filter, bluetooth_prop)
-
-# TODO(b/34274385): Remove this once Bluetooh HAL is guaranteed to not be run in passthrough mode
-# What's going on here is that Bluetooth HAL is talking over sockets to wcnss_filter, which is
-# permitted. However, those rules target hal_bluetooth rather than hal_bluetooth_server and thus
-# are also granted to all clients of Bluetooth HAL (e.g., bluetooth daemon) which are core
-# components, and socket communications between system components and vendor components are not
-# permted.
-# Once we switch full Treble devices to binderized only mode, this issue will disappear.
-typeattribute wcnss_filter socket_between_core_and_vendor_violators;