authorSauvik Saha <ssaha@codeaurora.org>2021-07-12 16:43:50 +0530
committerSauvik Saha <ssaha@codeaurora.org>2021-09-28 14:32:03 +0530
commit26c2f7d447519b242a3bcb12d806d57ff4c203fc (patch)
treefa5445a20cae1c6f35dd191c7cbff54c03e922c9
parenta251aa73d34b4e6f8d06d5001d758823eef1915c (diff)
sepolicy_vndr: Fixing avc denials for loopback app
* [Kodiak]avc: denied { read } for name="u:object_r: * vendor_ims_prop:s0" dev="tmpfs" ino=30786 scontext=u:r: * platform_app:s0:c512,c768 tcontext=u:object_r:vendor_ims_prop: * s0 tclass=file permissive=0 app=com.qti.vtloopback Change-Id: I8b2658ff7fe8d18812aa45c9daa3a2906f7e942f
-rw-r--r--generic/vendor/common/hal_imsrtp.te4
-rwxr-xr-xgeneric/vendor/test/seapp_contexts5
-rw-r--r--generic/vendor/test/vtloopback_app.te39
3 files changed, 47 insertions, 1 deletions
diff --git a/generic/vendor/common/hal_imsrtp.te b/generic/vendor/common/hal_imsrtp.te
index d96d4163..02a7aaa4 100644
--- a/generic/vendor/common/hal_imsrtp.te
+++ b/generic/vendor/common/hal_imsrtp.te
@@ -51,5 +51,9 @@ r_dir_file(vendor_hal_imsrtp, vendor_sysfs_diag)
get_prop(vendor_hal_imsrtp, vendor_ims_prop)
binder_call(vendor_hal_imsrtp, vendor_qtelephony)
+userdebug_or_eng('
+binder_call(vendor_hal_imsrtp, vtloopback_app)
+')
+
crash_dump_fallback(vendor_hal_imsrtp)
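Review bot: The added `userdebug_or_eng(` call opens its argument with a straight quote (`'`) where m4 expects a backtick, at least as the hunk is shown on this page; the new vtloopback_app.te in the same commit opens the same macro with a backtick. With the wrong opening character the argument is not quoted, so the stray quote characters can reach the generated policy on userdebug/eng builds; the opening line should be `userdebug_or_eng(` followed by a backtick. A comment above it, such as `# Let the IMS RTP HAL call back into the VT loopback test app (debug builds only)`, would record why a HAL domain is allowed to call into an app domain.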
diff --git a/generic/vendor/test/seapp_contexts b/generic/vendor/test/seapp_contexts
index 448b75f0..06c2dc48 100755
--- a/generic/vendor/test/seapp_contexts
+++ b/generic/vendor/test/seapp_contexts
@@ -45,4 +45,7 @@ user=_app seinfo=platform name=com.qualcomm.qti.libsochelpertest domain=vendor_l
user=system seinfo=platform name=com.qti.diagservices domain=qtidiagservices_app type=system_app_data_file
#Add new domain for snapcam app
-user=_app isPrivApp=true name=org.codeaurora.snapcam domain=vendor_snapcam_app type=app_data_file levelFrom=all \ No newline at end of file
+user=_app isPrivApp=true name=org.codeaurora.snapcam domain=vendor_snapcam_app type=app_data_file levelFrom=all
+
+#Add new domain for VT loopback app
+user=_app seinfo=platform name=com.qti.vtloopback domain=vtloopback_app type=app_data_file levelfrom=all
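Review bot: The new `com.qti.vtloopback` entry maps to `vtloopback_app`, a type that vtloopback_app.te declares only inside `userdebug_or_eng`, so this line is valid only if generic/vendor/test is excluded from user builds. That is not visible in this hunk and is worth confirming, because a seapp_contexts entry naming an undeclared domain would presumably fail the build-time check. The key is also written `levelfrom=all` while the snapcam line just above uses `levelFrom=all`; matching the existing casing keeps the file consistent. `seinfo=platform` does limit the mapping to platform-signed packages, which is the right constraint for a test app that gets its own domain.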
diff --git a/generic/vendor/test/vtloopback_app.te b/generic/vendor/test/vtloopback_app.te
new file mode 100644
index 00000000..54740866
--- /dev/null
+++ b/generic/vendor/test/vtloopback_app.te
@@ -0,0 +1,39 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+userdebug_or_eng(`
+type vtloopback_app, domain;
+app_domain(vtloopback_app)
+net_domain(vtloopback_app)
+diag_use(vtloopback_app)
+binder_call(vtloopback_app, vendor_hal_imsrtp)
+allow vtloopback_app vendor_hal_imsrtp_hwservice:hwservice_manager find;
+allow vtloopback_app cameraserver_service:service_manager find;
+allow vtloopback_app mediaserver_service:service_manager find;
+get_prop(vtloopback_app, vendor_ims_prop)
+allow vtloopback_app { app_api_service activity_service }:service_manager find;
+')
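Review bot: `net_domain(vtloopback_app)` and `diag_use(vtloopback_app)` are granted with no supporting denial; the commit message cites only the `vendor_ims_prop` read, which `get_prop(vtloopback_app, vendor_ims_prop)` already covers. Every grant in a new domain should be traceable to a need, so either drop the rules not backed by a logged denial or add a why-comment above each one, for example `# required for <reason>; see denial in <bug id>`. A header comment such as `# Domain for the com.qti.vtloopback test app; defined on userdebug/eng builds only` would make the scope clear to the next reader. The 2018 copyright year on a file created in 2021 looks copied from another policy file.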