sepolicy_vndr: Add sepolicy for ssg system service

mlid and ssgtzd need to be able to talk to service
apps as well as other vendor services.

Change-Id: Iaee709672f4dd83c428a047be17bb0c087a50215

5 files changed, 74 insertions, 0 deletions

diff --git a/generic/vendor/common/cs_app.te b/generic/vendor/common/cs_app.te
new file mode 100644
index 00000000..52e8a4e4
--- /dev/null
+++ b/generic/vendor/common/cs_app.te
@@ -0,0 +1,60 @@
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+## vendor_cs_app
+##
+## This file defines the permissions that vendor_cs_apps can carry
+
+type vendor_cs_app, domain;
+
+app_domain(vendor_cs_app)
+net_domain(vendor_cs_app)
+
+hal_client_domain(vendor_cs_app, vendor_qccsyshal);
+
+# Allow access to sockets
+unix_socket_connect(vendor_cs_app, vendor_mlid, vendor_mlid)
+unix_socket_connect(vendor_cs_app, vendor_ssgqmig, vendor_ssgqmigd)
+unix_socket_connect(vendor_cs_app, vendor_ssgtzd, vendor_ssgtzd)
+
+# Allow access to Android APK service IPCs
+allow vendor_cs_app radio_service:service_manager find;
+allow vendor_cs_app surfaceflinger_service:service_manager find;
+allow vendor_cs_app app_api_service:service_manager find;
+
+# access to qipcrtr socket (allow creating needed by qmi_cci_xprt_qrtr_supported)
+allow vendor_cs_app self:qipcrtr_socket create_socket_perms_no_ioctl;
+
+# To get uuid and device info
+allow vendor_cs_app proc_cpuinfo:file r_file_perms;
+allow vendor_cs_app proc_meminfo:file r_file_perms;
+
+#allow vendor_cs_app vendor_hal_perf_hwservice:hwservice_manager find;
+hal_client_domain(vendor_cs_app, vendor_hal_perf)
+
+allow vendor_cs_app vendor_mlid_socket:sock_file write;
+allow vendor_cs_app vendor_ssgtzd_socket:sock_file write;
\ No newline at end of file
diff --git a/generic/vendor/common/location.te b/generic/vendor/common/location.te
index b2898ed9..4017e8a4 100644
--- a/generic/vendor/common/location.te
+++ b/generic/vendor/common/location.te
@@ -93,6 +93,9 @@ allow vendor_location hal_wifi_supplicant_default:unix_dgram_socket sendto;
 allow vendor_location vendor_wifihal_socket:dir search;
 unix_socket_send(vendor_location, vendor_wifihal,  hal_wifi_default);
 
+# /dev/socket/mlid
+allow vendor_location vendor_mlid:unix_dgram_socket sendto;
+
 ## xtra-daemon
 ##############
 allow vendor_location {vendor_hal_cacert_hwservice vendor_hal_datafactory_hwservice vendor_hal_cne_hwservice}:hwservice_manager find;
diff --git a/generic/vendor/common/seapp_contexts b/generic/vendor/common/seapp_contexts
index 2aba558e..d2baef84 100644
--- a/generic/vendor/common/seapp_contexts
+++ b/generic/vendor/common/seapp_contexts
@@ -44,3 +44,6 @@ user=_app seinfo=platform name=com.qualcomm.qti.qms.service.trustzoneaccess doma
 
 #allow embms msdc app to access embmssl hal
 user=_app seinfo=platform name=com.qti.ltebc domain=vendor_embmssl_app type=app_data_file levelFrom=all
+
+#Add new domain for connection security service app
+user=_app seinfo=platform name=com.qualcomm.qti.qms.service.connectionsecurity domain=vendor_cs_app type=app_data_file levelFrom=all
diff --git a/qva/vendor/common/mlid.te b/qva/vendor/common/mlid.te
index 17817b59..781f209d 100644
--- a/qva/vendor/common/mlid.te
+++ b/qva/vendor/common/mlid.te
@@ -24,6 +24,7 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
 
 # vendor_mlid - Mink-Lowi Interface daemon
 type vendor_mlid, domain, mlstrustedsubject;
@@ -34,3 +35,9 @@ init_daemon_domain(vendor_mlid)
 # Allow access to location socket
 allow vendor_mlid self:netlink_generic_socket create_socket_perms_no_ioctl;
 unix_socket_connect(vendor_mlid, vendor_location, vendor_location)
+
+allow vendor_mlid vendor_hal_gnss_qti:unix_dgram_socket sendto;
+allow vendor_mlid vendor_location:unix_dgram_socket sendto;
+allow vendor_mlid vendor_location_socket:dir rw_dir_perms;
+allow vendor_mlid vendor_location_socket:lnk_file read;
+allow vendor_mlid vendor_location_socket:sock_file create_file_perms;
\ No newline at end of file
diff --git a/qva/vendor/common/ssgtzd.te b/qva/vendor/common/ssgtzd.te
index 6fabf156..2689f7a9 100644
--- a/qva/vendor/common/ssgtzd.te
+++ b/qva/vendor/common/ssgtzd.te
@@ -33,6 +33,7 @@ init_daemon_domain(vendor_ssgtzd)
 
 #Allow access to smcinvoke device
 allow vendor_ssgtzd tee_device:chr_file rw_file_perms;
+allow vendor_ssgtzd vendor_cs_app:unix_stream_socket connectto;
 
 allow vendor_ssgtzd vendor_ssg_app:unix_stream_socket connectto;
 #Allow access to firmware/image