authorMichael Bestas <mkbestas@lineageos.org>2018-04-05 15:09:53 +0300
committerMichael Bestas <mkbestas@lineageos.org>2018-04-05 15:09:53 +0300
commit0a4b927445c6ff366c742880a4252c32e5fc452e (patch)
treea5a4f7858f9c19f3db89c9cf6c43858a455d476f
parentadd2b7a1c89e1b5d406530551af37c8b34b0e0a4 (diff)
parent15c005837c9536ca42c2f244a7768da15efb686f (diff)
Merge tag 'LA.UM.6.4.r1-07600-8x98.0' of https://source.codeaurora.org/quic/la/device/qcom/sepolicy into HEAD
"LA.UM.6.4.r1-07600-8x98.0"
-rw-r--r--apq8098_latv/file_contexts3
-rw-r--r--common/device.te3
-rw-r--r--common/file.te6
-rw-r--r--common/file_contexts11
-rw-r--r--common/hvdcp.te4
-rw-r--r--common/radio.te1
-rw-r--r--common/spdaemon.te3
-rw-r--r--msm8953/file_contexts4
-rw-r--r--msm8953/genfs_contexts29
-rw-r--r--msm8953/init_shell.te2
-rw-r--r--msm8953/mm-qcamerad.te3
-rw-r--r--msm8998/file_contexts3
-rw-r--r--private/file_contexts1
-rw-r--r--private/mmi_sys.te2
-rw-r--r--qcs605/file_contexts4
15 files changed, 55 insertions, 24 deletions
diff --git a/apq8098_latv/file_contexts b/apq8098_latv/file_contexts
index 8895271a..7824445d 100644
--- a/apq8098_latv/file_contexts
+++ b/apq8098_latv/file_contexts
@@ -1,4 +1,4 @@
-# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+# Copyright (c) 2016-2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -105,7 +105,6 @@
#
/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0
/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_persist_mode u:object_r:sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/cec/enable u:object_r:sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/cec/enable_compliance u:object_r:sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/cec/logical_addr u:object_r:sysfs_graphics:s0
diff --git a/common/device.te b/common/device.te
index f4dea16d..1d919f78 100644
--- a/common/device.te
+++ b/common/device.te
@@ -100,6 +100,9 @@ type sec_nvm_device, dev_type;
# Define cryptoapp device
type cryptoapp_device, dev_type;
+# Define spdaemon_ssr device
+type spdaemon_ssr_device, dev_type;
+
# Define qsee_ipc_irq_spss device
type qsee_ipc_irq_spss_device, dev_type;
diff --git a/common/file.te b/common/file.te
index ec0cdb42..9a0ecd0c 100644
--- a/common/file.te
+++ b/common/file.te
@@ -85,12 +85,6 @@ type sysfs_usb_mtp_device, sysfs_type, fs_type;
# sysfs module for usb_f_mtp/parameters
type sysfs_spmi_device, sysfs_type, fs_type;
-# sysfs devices for enable
-type sysfs_dcc_device, sysfs_type, fs_type;
-
-# sysfs devices for video4linux
-type sysfs_video4linux_device, sysfs_type, fs_type;
-
# sysfs vadc device for hvdcp/quickcharge
type sysfs_vadc_dev, sysfs_type, fs_type;
# sysfs spmi device for hvdcp/quickcharge
diff --git a/common/file_contexts b/common/file_contexts
index 55a3940a..a2e0a443 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -23,6 +23,7 @@
/dev/sec_nvm_.* u:object_r:sec_nvm_device:s0
/dev/sp_keymaster u:object_r:sp_keymaster_device:s0
/dev/cryptoapp u:object_r:cryptoapp_device:s0
+/dev/spdaemon_ssr u:object_r:spdaemon_ssr_device:s0
/dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0
/dev/radio0 u:object_r:fm_radio_device:s0
/dev/btpower u:object_r:bt_device:s0
@@ -331,15 +332,18 @@
/sys/devices/f9200000.*/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
/sys/devices/msm_dwc3/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
/sys/devices/msm_otg/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/pc_port(/.*)? u:object_r:sysfs_usb_supply:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb[0-9]+/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb[0-9]+/power_supply/pc_port(/.*)? u:object_r:sysfs_usb_supply:s0
/sys/devices(/platform)?/soc/[a-z0-9]+.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[0-9]+-charger@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,usb-pdphy@[0-9]+/usbpd/usbpd[0-9](/.*)? u:object_r:sysfs_usbpd_device:s0
/sys/devices/platform/battery_current_limit u:object_r:sysfs_thermal:s0
/sys/devices/qpnp-charger.*/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb[0-9]+/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smbcharger/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qpnp,fg/power_supply/bms(/.*)? u:object_r:sysfs_battery_supply:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qpnp,qg/power_supply/bms(/.*)? u:object_r:sysfs_battery_supply:s0
/sys/class/qcom-battery(/.*)? u:object_r:sysfs_battery_supply:s0
+/sys/class/charge_pump(/.*)? u:object_r:sysfs_battery_supply:s0
/sys/devices(/platform)?/soc/qpnp-linear-charger-[a-z0-9]+/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
/sys/devices(/platform)?/soc/qpnp-vm-bms-[a-z0-9]+/power_supply/bms(/.*)? u:object_r:sysfs_battery_supply:s0
/sys/devices/soc/qpnp-smbcharger-[a-z0-9]+/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
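Review bot: The new `/sys/class/charge_pump(/.*)?` entry may end up labelling only the class directory and the symlinks inside it, because nodes under /sys/class are normally symlinks into /sys/devices and relabelling does not follow them. If the attributes that need sysfs_battery_supply live under the real /sys/devices path, a pattern for that path is what would label them; this cannot be confirmed from the hunk. Separately, the added `qpnp-smb[0-9]+`, `qpnp-smbcharger` and `qpnp,qg` lines keep the unescaped `.` before `qcom,spmi`, which matches any character; writing it as `\.`, as one msm8953/file_contexts entry already does, would keep the widened patterns from matching more than intended.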
@@ -404,6 +408,7 @@
/sys/devices/virtual/graphics/fb([0-3])+/dyn_pu u:object_r:sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad u:object_r:sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/pp_bl_event u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_persist_mode u:object_r:sysfs_graphics:s0
/sys/devices/virtual/rotator/mdss_rotator/caps u:object_r:sysfs_graphics:s0
/sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/modes u:object_r:sysfs_graphics:s0
diff --git a/common/hvdcp.te b/common/hvdcp.te
index e176c9da..fc9759b7 100644
--- a/common/hvdcp.te
+++ b/common/hvdcp.te
@@ -7,13 +7,13 @@ init_daemon_domain(hvdcp)
# Add rules for access permissions
allow hvdcp hvdcp_device:chr_file rw_file_perms;
+allow hvdcp qg_device:chr_file rw_file_perms;
allow hvdcp {
sysfs_battery_supply
sysfs_usb_supply
sysfs_usbpd_device
sysfs_vadc_dev
sysfs_spmi_dev
- qg_device
}:dir r_dir_perms;
allow hvdcp {
@@ -22,7 +22,6 @@ allow hvdcp {
sysfs_usbpd_device
sysfs_vadc_dev
sysfs_spmi_dev
- qg_device
}:file rw_file_perms;
allow hvdcp {
@@ -30,7 +29,6 @@ allow hvdcp {
sysfs_usb_supply
sysfs_vadc_dev
sysfs_spmi_dev
- qg_device
}:lnk_file r_file_perms;
allow hvdcp self:capability { setgid setuid };
diff --git a/common/radio.te b/common/radio.te
index acb7d814..1bee9d68 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -17,3 +17,4 @@ userdebug_or_eng(`
allow radio hal_imsrcsd_hwservice:hwservice_manager find;
binder_call(radio, hal_rcsservice)
')
+hal_client_domain(radio, hal_perf)
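Review bot: `hal_client_domain(radio, hal_perf)` is placed after the closing `')` of the userdebug_or_eng block, so it applies to user builds as well, and nothing in the hunk records why the radio domain needs the perf HAL. A one-line comment above it, for example `# Allow radio to use the perf HAL`, would document the grant. If the access is only needed on debug builds, the line belongs inside the block above instead. The userdebug_or_eng block starts outside the hunk.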
diff --git a/common/spdaemon.te b/common/spdaemon.te
index fc018343..30292bfa 100644
--- a/common/spdaemon.te
+++ b/common/spdaemon.te
@@ -47,6 +47,9 @@ allow spdaemon sp_keymaster_device:chr_file rw_file_perms;
# Allow access to cryptoapp device
allow spdaemon cryptoapp_device:chr_file rw_file_perms;
+# Allow access to spdaemon_ssr device
+allow spdaemon spdaemon_ssr_device:chr_file rw_file_perms;
+
# Allow access to ion device
allow spdaemon ion_device:chr_file rw_file_perms;
diff --git a/msm8953/file_contexts b/msm8953/file_contexts
index 1ea6355f..c6f61199 100644
--- a/msm8953/file_contexts
+++ b/msm8953/file_contexts
@@ -56,10 +56,6 @@
/sys/devices/platform/soc/200f000\.qcom,spmi/spmi-0/spmi0-03/200f000\.qcom,spmi:qcom,pmi8950@3:qcom,haptic@c000/leds/vibrator/activate u:object_r:sysfs_spmi_device:s0
/sys/devices/platform/soc/200f000.qcom,spmi/spmi-0/spmi0-03/200f000.qcom,spmi:qcom,pmi632@3:qcom,vibrator@5700/leds/vibrator/activate u:object_r:sysfs_spmi_device:s0
-/sys/devices/platform/soc/b3000.dcc(/.*)? u:object_r:sysfs_dcc_device:s0
-
-#video4linux_
-/sys/devices/platform/soc/1b00000.qcom,msm-cam/video4linux/video0/name u:object_r:sysfs_video4linux_device:s0
############################################################################################
#Same hal process libs
diff --git a/msm8953/genfs_contexts b/msm8953/genfs_contexts
new file mode 100644
index 00000000..a6df7878
--- /dev/null
+++ b/msm8953/genfs_contexts
@@ -0,0 +1,29 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+genfscon sysfs /devices/platform/soc/1b00000.qcom,msm-cam/video4linux/video0/name u:object_r:sysfs_graphics:s0
+
diff --git a/msm8953/init_shell.te b/msm8953/init_shell.te
index 1e10a27e..e0441be4 100644
--- a/msm8953/init_shell.te
+++ b/msm8953/init_shell.te
@@ -34,5 +34,3 @@ set_prop(qti_init_shell, media_msm8953_version_prop)
allow qti_init_shell regionalization_file:dir r_dir_perms;
allow qti_init_shell regionalization_file:file create_file_perms;
-# For dcc
-allow qti_init_shell sysfs_dcc_device:file rw_file_perms;
diff --git a/msm8953/mm-qcamerad.te b/msm8953/mm-qcamerad.te
index 5ed285a5..354b6133 100644
--- a/msm8953/mm-qcamerad.te
+++ b/msm8953/mm-qcamerad.te
@@ -26,5 +26,4 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#for v4L node "name" access
-allow mm-qcamerad sysfs_graphics:file r_file_perms;
-allow mm-qcamerad sysfs_video4linux_device:file rw_file_perms;
+allow mm-qcamerad sysfs_graphics:file rw_file_perms;
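Review bot: The replacement rule `allow mm-qcamerad sysfs_graphics:file rw_file_perms;` gives the camera daemon write access to every file labelled sysfs_graphics, where it previously had read access to that type and write access only to the dedicated sysfs_video4linux_device node. Because msm8953/genfs_contexts now labels the video0 `name` attribute as sysfs_graphics, the same type also covers the framebuffer attributes listed in common/file_contexts. If the daemon only reads `name`, as the comment above the rule suggests, `allow mm-qcamerad sysfs_graphics:file r_file_perms;` is sufficient. If it does need to write, keeping a dedicated type for the v4l node would retain the narrower grant.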
diff --git a/msm8998/file_contexts b/msm8998/file_contexts
index 4e7efe10..c113a168 100644
--- a/msm8998/file_contexts
+++ b/msm8998/file_contexts
@@ -1,4 +1,4 @@
-# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+# Copyright (c) 2016-2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -95,4 +95,3 @@
#
/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0
/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_persist_mode u:object_r:sysfs_graphics:s0
diff --git a/private/file_contexts b/private/file_contexts
index 85d9c860..129bf5c6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -48,6 +48,7 @@
/system/bin/qvrservice u:object_r:qvrd_exec:s0
/system/bin/wfdservice u:object_r:wfdservice_exec:s0
/system/bin/mmi u:object_r:mmi_sys_exec:s0
+/system/bin/mmi_diag u:object_r:mmi_sys_exec:s0
####### data files ################
/data/misc/seemp(/.*)? u:object_r:seemp_data_file:s0
diff --git a/private/mmi_sys.te b/private/mmi_sys.te
index 790d1125..11bda28c 100644
--- a/private/mmi_sys.te
+++ b/private/mmi_sys.te
@@ -40,3 +40,5 @@ allow mmi_sys ion_device:chr_file { ioctl open };
allow mmi_sys surfaceflinger_service:service_manager find;
allow mmi_sys hal_graphics_mapper_hwservice:hwservice_manager find;
hwbinder_use(mmi_sys)
+get_prop(mmi_sys, hwservicemanager_prop);
+allow mmi_sys mmi_sys_exec:file execute_no_trans;
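Review bot: `allow mmi_sys mmi_sys_exec:file execute_no_trans;` lets a process in mmi_sys execute any mmi_sys_exec binary without a domain transition, and the rule carries no comment saying which exec it is for. With private/file_contexts now labelling /system/bin/mmi_diag as mmi_sys_exec, that binary would run with the full mmi_sys permission set when started this way. A comment such as `# mmi runs mmi_diag in its own domain` (to be confirmed by the author) would document the intent. The trailing `;` after `get_prop(mmi_sys, hwservicemanager_prop)` is also inconsistent with `hwbinder_use(mmi_sys)` directly above, which has none.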
diff --git a/qcs605/file_contexts b/qcs605/file_contexts
index 40b3d162..2ecfe880 100644
--- a/qcs605/file_contexts
+++ b/qcs605/file_contexts
@@ -48,6 +48,7 @@
/dev/block/platform/soc/1d84000.ufshc/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/soc/1d84000.ufshc/by-name/mdtp u:object_r:mdtp_device:s0
/dev/block/platform/soc/1d84000.ufshc/by-name/dip u:object_r:dip_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/storsec u:object_r:boot_block_device:s0
#rawdump partition
/dev/block/platform/soc/1d84000.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0
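Review bot: The non-A/B `storsec` partition is labelled boot_block_device here and again in the eMMC hunk at -125,6, while the `storsec_[ab]` entries in the two A/B hunks get custom_ab_block_device, so the same partition receives a different access set depending on the layout. Every domain already allowed to read or write boot_block_device gains that access to storsec; whether this is intended is not visible from the diff. A short comment above the entry stating why storsec shares the boot label would make the choice reviewable. If its contents are more sensitive than the boot image, a dedicated type would be the alternative.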
@@ -78,6 +79,7 @@
/dev/block/platform/soc/1d84000.ufshc/by-name/mdtpsecapp_[ab] u:object_r:mdtp_device:s0
/dev/block/platform/soc/1d84000.ufshc/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000.ufshc/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0
#for eMMC
# A/B partitions.
@@ -106,6 +108,7 @@
/dev/block/platform/soc/7c4000.sdhci/by-name/mdtpsecapp_[ab] u:object_r:mdtp_device:s0
/dev/block/platform/soc/7c4000.sdhci/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/7c4000.sdhci/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0
#non A/B
/dev/block/platform/soc/7c4000.sdhci/by-name/system u:object_r:system_block_device:s0
@@ -125,6 +128,7 @@
/dev/block/platform/soc/7c4000.sdhci/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/soc/7c4000.sdhci/by-name/mdtp u:object_r:mdtp_device:s0
/dev/block/platform/soc/7c4000.sdhci/by-name/dip u:object_r:dip_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/storsec u:object_r:boot_block_device:s0
#rawdump partition
/dev/block/platform/soc/7c4000.sdhci/by-name/rawdump u:object_r:rawdump_block_device:s0