From 73275bb9c01e43f69efff0b1484a654e07dfc1e4 Mon Sep 17 00:00:00 2001 From: Aayush Gupta Date: Mon, 25 Jan 2021 15:43:35 +0530 Subject: [PATCH] non_plat: Label and address dfps hidl/service denials Signed-off-by: Aayush Gupta Change-Id: I4af35f0ad1cb1f77dae7813341e4d98e0c7b884f --- non_plat/attributes | 5 ++++- non_plat/file_contexts | 3 +++ non_plat/hal_dfps.te | 4 ++++ non_plat/hwservice.te | 3 +++ non_plat/hwservice_contexts | 3 +++ non_plat/init.te | 3 +++ non_plat/merged_hal_service.te | 4 ++++ non_plat/mtk_hal_dfps.te | 18 ++++++++++++++++++ non_plat/mtk_hal_power.te | 4 ++++ non_plat/surfaceflinger.te | 3 +++ non_plat/system_server.te | 3 +++ 11 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 non_plat/hal_dfps.te create mode 100644 non_plat/mtk_hal_dfps.te diff --git a/non_plat/attributes b/non_plat/attributes index e00aa73..b6b1ef1 100644 --- a/non_plat/attributes +++ b/non_plat/attributes @@ -87,4 +87,7 @@ attribute mtk_hal_bgs; attribute mtk_hal_bgs_client; attribute mtk_hal_bgs_server; - +# DFPS HIDL +attribute hal_dfps; +attribute hal_dfps_client; +attribute hal_dfps_server; diff --git a/non_plat/file_contexts b/non_plat/file_contexts index a195ed4..8fd80c5 100644 --- a/non_plat/file_contexts +++ b/non_plat/file_contexts @@ -734,3 +734,6 @@ # VPU /dev/vcu u:object_r:vcu_device:s0 /vendor/bin/vpud u:object_r:vpud_native_exec:s0 + +# DFPS +/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.dfps@1\.0-service u:object_r:mtk_hal_dfps_exec:s0 diff --git a/non_plat/hal_dfps.te b/non_plat/hal_dfps.te new file mode 100644 index 0000000..9e299f5 --- /dev/null +++ b/non_plat/hal_dfps.te @@ -0,0 +1,4 @@ +binder_call(hal_dfps_client, hal_dfps_server) +binder_call(hal_dfps_server, hal_dfps_client) + +allow hal_dfps_client mtk_hal_dfps_hwservice:hwservice_manager find; diff --git a/non_plat/hwservice.te b/non_plat/hwservice.te index 51f2d74..c6ab590 100644 --- a/non_plat/hwservice.te +++ b/non_plat/hwservice.te 
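Review bot: In the non_plat/attributes hunk, `hal_dfps`, `hal_dfps_client` and `hal_dfps_server` are declared without the `mtk_` vendor prefix that the neighbouring `mtk_hal_bgs*` attributes carry. Vendor policy shares one namespace with platform policy, so an unprefixed `hal_*` name risks a collision if a later platform release introduces the same attribute. A vendor-scoped base such as `hal_mtk_dfps` (with matching `_client`/`_server`) would still work with `hal_client_domain`/`hal_server_domain` and avoids the clash with the `mtk_hal_dfps` type added in this commit. The `# DFPS HIDL` comment could also name the interface, e.g. `# DFPS HIDL (vendor.mediatek.hardware.dfps@1.0): HAL, client and server attributes`.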
@@ -67,3 +67,6 @@ type mtk_hal_videotelephony_hwservice, hwservice_manager_type; # Keyinstall type mtk_hal_keyinstall_hwservice, hwservice_manager_type; + +# DFPS +type mtk_hal_dfps_hwservice, hwservice_manager_type; diff --git a/non_plat/hwservice_contexts b/non_plat/hwservice_contexts index d0f304f..d48a664 100644 --- a/non_plat/hwservice_contexts +++ b/non_plat/hwservice_contexts @@ -81,3 +81,6 @@ vendor.mediatek.hardware.videotelephony::IVideoTelephony u:object_r:mtk_hal_vide # Keyinstall vendor.mediatek.hardware.keyinstall::IKeyinstall u:object_r:mtk_hal_keyinstall_hwservice:s0 + +# DFPS +vendor.mediatek.hardware.dfps::IFpsPolicyService u:object_r:mtk_hal_dfps_hwservice:s0 diff --git a/non_plat/init.te b/non_plat/init.te index c0d1ee9..76b9424 100644 --- a/non_plat/init.te +++ b/non_plat/init.te @@ -148,3 +148,6 @@ allow init vbmeta_block_device:lnk_file relabelto; # TEE allow init teei_client_device:chr_file rw_file_perms; + +# DFPS +allow init mtk_hal_dfps_exec:file getattr; diff --git a/non_plat/merged_hal_service.te b/non_plat/merged_hal_service.te index 23d76a5..108886a 100644 --- a/non_plat/merged_hal_service.te +++ b/non_plat/merged_hal_service.te @@ -66,3 +66,7 @@ allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls }; # Date: 2019/06/14 # Operation : Migration allow merged_hal_service nvram_agent_binder_hwservice:hwservice_manager find; + +# DFPS +allow merged_hal_service mtk_hal_dfps:binder call; +hal_client_domain(merged_hal_service, hal_dfps); diff --git a/non_plat/mtk_hal_dfps.te b/non_plat/mtk_hal_dfps.te new file mode 100644 index 0000000..cb70e86 --- /dev/null +++ b/non_plat/mtk_hal_dfps.te 
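Review bot: The rule `allow init mtk_hal_dfps_exec:file getattr;` added to non_plat/init.te looks redundant. `init_daemon_domain(mtk_hal_dfps)` in the new mtk_hal_dfps.te already sets up the init-to-service transition, and in the AOSP macros that transition grants init getattr/open/read/execute on the entry-point type. If the denial behind this rule was logged before the exec label and domain existed, the rule can be dropped. If it still reproduces, record why next to it, e.g. `# avc: <denial line> (placeholder) - init stat()s the dfps service binary`.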
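Review bot: In non_plat/merged_hal_service.te the explicit `allow merged_hal_service mtk_hal_dfps:binder call;` duplicates what the next line already grants. `hal_client_domain(merged_hal_service, hal_dfps)` places the domain in `hal_dfps_client`, and the new hal_dfps.te contains `binder_call(hal_dfps_client, hal_dfps_server)`. The per-type rule binds the client to the concrete server type rather than the attribute, so it would survive a later change of server domain unnoticed. The same pair appears in the mtk_hal_power.te hunk. surfaceflinger.te and system_server.te use the macro alone, without a trailing `;`, which is the form I would keep in all four files.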
@@ -0,0 +1,18 @@
+type mtk_hal_dfps, domain;
+type mtk_hal_dfps_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_hal_dfps)
+
+hwbinder_use(mtk_hal_dfps);
+vndbinder_use(mtk_hal_dfps);
+
+hal_server_domain(mtk_hal_dfps, hal_dfps)
+
+add_hwservice(hal_dfps_server, mtk_hal_dfps_hwservice)
+
+r_dir_file(mtk_hal_dfps, sysfs_type)
+r_dir_file(mtk_hal_dfps, proc_net);
+
+get_prop(mtk_hal_dfps, hwservicemanager_prop)
+
+allow mtk_hal_dfps mtk_dfrc_device:chr_file rw_file_perms;
diff --git a/non_plat/mtk_hal_power.te b/non_plat/mtk_hal_power.te
index 9689a14..b394273 100644
--- a/non_plat/mtk_hal_power.te
+++ b/non_plat/mtk_hal_power.te
@@ -175,3 +175,7 @@ allow mtk_hal_power sysfs_pftch_qos:file rw_file_perms;
 # Purpose : Add f2fs permission
 allow mtk_hal_power sysfs_fs_f2fs:dir r_dir_perms;
 allow mtk_hal_power sysfs_fs_f2fs:file rw_file_perms;
+
+# DFPS
+allow mtk_hal_power mtk_hal_dfps:binder call;
+hal_client_domain(mtk_hal_power, hal_dfps);
diff --git a/non_plat/surfaceflinger.te b/non_plat/surfaceflinger.te
index 795076e..732fc17 100644
--- a/non_plat/surfaceflinger.te
+++ b/non_plat/surfaceflinger.te
@@ -82,3 +82,6 @@ allow surfaceflinger mtk_mdp_device:chr_file rw_file_perms;
 # Operation : HDR
 # Purpose: Allow to skip aosp hdr solution
 get_prop(surfaceflinger, graphics_hwc_hdr_prop)
+
+# DFPS
+hal_client_domain(surfaceflinger, hal_dfps)
diff --git a/non_plat/system_server.te b/non_plat/system_server.te
index 5110d25..298aef2 100644
--- a/non_plat/system_server.te
+++ b/non_plat/system_server.te
@@ -281,3 +281,6 @@ allow system_server storage_stub_file:dir getattr;
 # TEE
 allow system_server teei_fp_device:chr_file rw_file_perms;
 allow system_server teei_client_device:chr_file r_file_perms;
+
+# DFPS
+hal_client_domain(system_server,hal_dfps)
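Review bot: `r_dir_file(mtk_hal_dfps, sysfs_type)` in the new non_plat/mtk_hal_dfps.te grants the service read access to every sysfs label on the device. That is much wider than what appears to be a frame-rate policy HAL should need, and it exposes all of sysfs to whoever controls the service if it is compromised. Narrow it to the labels that actually show up in the denials, e.g. `r_dir_file(mtk_hal_dfps, <sysfs_label_from_avc>)` (placeholder). Apply the same test to `r_dir_file(mtk_hal_dfps, proc_net)` and `vndbinder_use(mtk_hal_dfps)`, neither of which is justified by a comment or by a matching rule elsewhere in this commit. A short header comment naming the binary and the HIDL interface this domain covers would also help the next reader.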