[Bramble] Fix SELinux related to hal_imsrtp

avc: denied { read } for comm="ims_rtp_daemon" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=26759 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { open } for path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17135 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { getattr } for comm="ims_rtp_daemon" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17135 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1

avc: denied { write } for comm="ims_rtp_daemon" name="ims_datad" dev="tmpfs" ino=33889 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:ims_socket:s0 tclass=sock_file permissive=1

avc:  denied  { find } for interface=vendor.qti.imsrtpservice::IRTPService sid=u:r:hal_imsrtp:s0 pid=1008 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:hal_imsrtp_hwservice:s0 tclass=hwservice_manager permissive=1
avc:  denied  { add } for interface=vendor.qti.imsrtpservice::IRTPService sid=u:r:hal_imsrtp:s0 pid=1008 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:hal_imsrtp_hwservice:s0 tclass=hwservice_manager permissive=1

avc: denied { call } for scontext=u:r:hal_imsrtp:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

avc: denied { connectto } for comm="ims_rtp_daemon" path="/dev/socket/ims_datad" scontext=u:r:hal_imsrtp:s0 tcontext=u:r:ims:s0 tclass=unix_stream_socket permissive=1

avc: denied { open } for comm="ims_rtp_daemon" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=26759 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1

avc: denied { read } for comm="ims_rtp_daemon" name="u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=17164 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1
avc: denied { open } for comm="ims_rtp_daemon" path="/dev/__properties__/u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=26788 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1
avc: denied { getattr } for comm="ims_rtp_daemon" path="/dev/__properties__/u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=17164 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1

avc: denied { read } for comm="ims_rtp_daemon" scontext=u:r:hal_imsrtp:s0 tcontext=u:r:hal_imsrtp:s0 tclass=qipcrtr_socket permissive=1
avc: denied { write } for comm="ims_rtp_daemon" scontext=u:r:hal_imsrtp:s0 tcontext=u:r:hal_imsrtp:s0 tclass=qipcrtr_socket permissive=1
avc: denied { create } for comm="ims_rtp_daemon" scontext=u:r:hal_imsrtp:s0 tcontext=u:r:hal_imsrtp:s0 tclass=qipcrtr_socket permissive=1

avc: denied { read } for comm="ims_rtp_daemon" name="name" dev="sysfs" ino=66849 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_ssr:s0 tclass=file permissive=1
avc: denied { open } for comm="ims_rtp_daemon" path="/sys/devices/platform/soc/9800000.qcom,npu/subsys6/name" dev="sysfs" ino=66849 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_ssr:s0 tclass=file permissive=1

avc: denied { read } for name="timestamp_switch" dev="sysfs" ino=38283 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/module/diagchar/parameters/timestamp_switch" dev="sysfs" ino=38283 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1

avc: denied { search } for comm="ims_rtp_daemon" name="soc0" dev="sysfs" ino=39558 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=dir permissive=1
avc: denied { read } for comm="ims_rtp_daemon" name="soc_id" dev="sysfs" ino=39562 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file permissive=1
avc: denied { open } for comm="ims_rtp_daemon" path="/sys/devices/soc0/soc_id" dev="sysfs" ino=39562 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file permissive=1

avc: denied { search } for comm="ims_rtp_daemon" name="msm_subsys" dev="sysfs" ino=27404 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1
avc: denied { read } for comm="ims_rtp_daemon" name="devices" dev="sysfs" ino=27406 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1
avc: denied { open } for comm="ims_rtp_daemon" path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=27406 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1

avc: denied { search } for comm="ims_rtp_daemon" name="diagchar" dev="sysfs" ino=38277 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=1

avc: denied { read write } for comm="ims_rtp_daemon" name="diag" dev="tmpfs" ino=27185 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="ims_rtp_daemon" path="/dev/diag" dev="tmpfs" ino=27185 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="ims_rtp_daemon" path="/dev/diag" dev="tmpfs" ino=27185 ioctlcmd=0x20 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1

Bug: 145496740
Test: Flash the rom and boot to home without this avc denied.
Change-Id: Ieab8b5c88723b234f4125fde34bd84cacb765dd9
diff --git a/tracking_denials/hal_imsrtp.te b/tracking_denials/hal_imsrtp.te
deleted file mode 100644
index 3addfea..0000000
--- a/tracking_denials/hal_imsrtp.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# b/145496740
-dontaudit hal_imsrtp diag_device:chr_file { ioctl open read write };
-dontaudit hal_imsrtp fwmarkd_socket:sock_file write;
-dontaudit hal_imsrtp hal_imsrtp_hwservice:hwservice_manager add;
-dontaudit hal_imsrtp hidl_base_hwservice:hwservice_manager add;
-dontaudit hal_imsrtp hwservicemanager:binder { call transfer };
-dontaudit hal_imsrtp hwservicemanager_prop:file { getattr map open read };
-dontaudit hal_imsrtp ims_socket:sock_file write;
-dontaudit hal_imsrtp ims:unix_stream_socket connectto;
-dontaudit hal_imsrtp netd:unix_stream_socket connectto;
-dontaudit hal_imsrtp node:udp_socket node_bind;
-dontaudit hal_imsrtp qcom_ims_prop:file { getattr map open read };
-dontaudit hal_imsrtp self:qipcrtr_socket { create getattr read setopt write };
-dontaudit hal_imsrtp self:udp_socket { bind create getattr getopt ioctl read setopt write };
-dontaudit hal_imsrtp sysfs_diag:dir search;
-dontaudit hal_imsrtp sysfs_msm_subsys:dir { open read search };
-dontaudit hal_imsrtp sysfs_soc:dir search;
-dontaudit hal_imsrtp sysfs_soc:file { getattr open read };
-dontaudit hal_imsrtp sysfs_ssr:file { open read };
-dontaudit hal_imsrtp sysfs_timestamp_switch:file { open read };
diff --git a/vendor/qcom/common/hal_imsrtp.te b/vendor/qcom/common/hal_imsrtp.te
index 905d868..3d585bc 100644
--- a/vendor/qcom/common/hal_imsrtp.te
+++ b/vendor/qcom/common/hal_imsrtp.te
@@ -1,3 +1,25 @@
 type hal_imsrtp, domain;
 type hal_imsrtp_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_imsrtp)
\ No newline at end of file
+
+init_daemon_domain(hal_imsrtp)
+
+hwbinder_use(hal_imsrtp)
+net_domain(hal_imsrtp)
+
+add_hwservice(hal_imsrtp, hal_imsrtp_hwservice)
+unix_socket_connect(hal_imsrtp, ims, ims)
+
+get_prop(hal_imsrtp, hwservicemanager_prop)
+get_prop(hal_imsrtp, qcom_ims_prop)
+
+allow hal_imsrtp self:qipcrtr_socket create_socket_perms_no_ioctl;
+allow hal_imsrtp sysfs_ssr:file r_file_perms;
+allow hal_imsrtp sysfs_timestamp_switch:file r_file_perms;
+
+r_dir_file(hal_imsrtp, sysfs_soc)
+r_dir_file(hal_imsrtp, sysfs_msm_subsys)
+
+userdebug_or_eng(`
+  r_dir_file(hal_imsrtp, sysfs_diag)
+  allow hal_imsrtp diag_device:chr_file rw_file_perms;
+')
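Review bot: `net_domain(hal_imsrtp)` grants more than the visible evidence supports. The denials quoted in the commit message contain no network-socket entries, and the removed tracking file listed only `self:udp_socket`, `node:udp_socket node_bind` and the netd/fwmarkd socket connections, whereas the macro attaches the whole `netdomain` attribute, TCP included. If the daemon only needs UDP for RTP media, say so in a comment above the macro, e.g. `# RTP/RTCP media sockets (UDP only); revisit net_domain if TCP is never used`, or replace the macro with explicit `udp_socket` rules. Separately, now that the `dontaudit` lines are gone and the diag rules sit inside `userdebug_or_eng`, user builds will log `diag_device` and `sysfs_diag` denials again; a `dontaudit hal_imsrtp diag_device:chr_file rw_file_perms;` outside that block would keep those logs quiet without granting access. `sysfs_timestamp_switch` is a diagchar module parameter but is readable on all builds, so consider moving that rule under the same guard.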