authorAmir Samuelov <amirs@codeaurora.org>2016-08-17 10:44:37 +0300
committerGerrit - the friendly Code Review server <code-review@localhost>2016-08-17 00:47:21 -0700
commit0ab8dbe4ce3b5bde2288a33090fad24b62e49756 (patch)
tree3b5481750736c062be54b165df48f450fc3d14e9
parentfba8951fd668a744bdccb44e39508747d7531443 (diff)
downloadandroid_device_qcom_sepolicy-0ab8dbe4ce3b5bde2288a33090fad24b62e49756.tar.gz
android_device_qcom_sepolicy-0ab8dbe4ce3b5bde2288a33090fad24b62e49756.tar.bz2
android_device_qcom_sepolicy-0ab8dbe4ce3b5bde2288a33090fad24b62e49756.zip
sepolicy: add Secure Processor Daemon (spdaemon)
Add the spdaemon SELinux policy file so that the daemon can be started by the init process. CRs-Fixed: 1048641 Change-Id: If8a2d6a089cd6c37255896cc9ccd2d82365fbd9f
-rw-r--r--common/device.te12
-rw-r--r--common/file.te3
-rw-r--r--common/file_contexts6
-rw-r--r--common/spdaemon.te60
4 files changed, 81 insertions, 0 deletions
diff --git a/common/device.te b/common/device.te
index 443228d7..22e046e4 100644
--- a/common/device.te
+++ b/common/device.te
@@ -86,6 +86,18 @@ type ipa_dev, dev_type;
type wcnss_device, dev_type;
+# Define spcom device
+type spcom_device, dev_type;
+
+# Define skp device
+type skp_device, dev_type;
+
+# Define sp_ssr device
+type sp_ssr_device, dev_type;
+
+# Define sp_keymaster device
+type sp_keymaster_device, dev_type;
+
# Define QDSS devices
type qdss_device, dev_type;
diff --git a/common/file.te b/common/file.te
index 81a36f94..47ec84f4 100644
--- a/common/file.te
+++ b/common/file.te
@@ -89,6 +89,9 @@ type gamed_socket, file_type;
type iop_socket, file_type;
type iop_data_file, file_type, data_file_type;
+# SPSS Apps images location
+type spss_data_file, file_type, data_file_type;
+
#mm-qcamera-daemon socket
type camera_socket, file_type;
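Review bot: The comment on `spss_data_file` does not say where the images live or who may modify them, which matters because they are loaded by the secure processor daemon. Something like `# SPSS application images under /data/misc/spss; spdaemon only reads them` would record what file_contexts and spdaemon.te in this commit establish. No writer for this type is visible in the commit, so once the provisioning domain is known it would be worth pinning write access with a neverallow rule. The type also carries `data_file_type`, so any existing rule written against that attribute applies to these images as well.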
diff --git a/common/file_contexts b/common/file_contexts
index 1ab0adb7..bee6d8ea 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -15,6 +15,10 @@
/dev/nfc-nci u:object_r:nfc_device:s0
/dev/nq-nci u:object_r:nfc_device:s0
/dev/qseecom u:object_r:tee_device:s0
+/dev/spcom u:object_r:spcom_device:s0
+/dev/sp_kernel u:object_r:skp_device:s0
+/dev/sp_ssr u:object_r:sp_ssr_device:s0
+/dev/sp_keymaster u:object_r:sp_keymaster_device:s0
/dev/seemplog u:object_r:seemplog_device:s0
/dev/radio0 u:object_r:fm_radio_device:s0
/dev/rtc0 u:object_r:rtc_device:s0
@@ -167,6 +171,7 @@
/system/bin/tftp_server u:object_r:rfs_access_exec:s0
/system/bin/hvdcp u:object_r:hvdcp_exec:s0
/system/bin/qseecomd u:object_r:tee_exec:s0
+/system/bin/spdaemon u:object_r:spdaemon_exec:s0
/system/bin/hostapd_cli u:object_r:hostapd_exec:s0
/system/bin/adsprpcd u:object_r:adsprpcd_exec:s0
/system/bin/wpa_cli u:object_r:wcnss_service_exec:s0
@@ -305,6 +310,7 @@
/data/misc/ipa(/.*)? u:object_r:ipacm_data_file:s0
/data/dpm(/.*)? u:object_r:dpmd_data_file:s0
/data/misc/qsee(/.*)? u:object_r:data_qsee_file:s0
+/data/misc/spss(/.*)? u:object_r:spss_data_file:s0
/data/misc/location(/.*)? u:object_r:location_data_file:s0
/data/misc/location/mq/location-mq-s u:object_r:location_socket:s0
/data/misc/location/mq/alarm_svc u:object_r:location_socket:s0
diff --git a/common/spdaemon.te b/common/spdaemon.te
new file mode 100644
index 00000000..1a2d6840
--- /dev/null
+++ b/common/spdaemon.te
@@ -0,0 +1,60 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# spdaemon service
+type spdaemon, domain;
+type spdaemon_exec, exec_type, file_type;
+
+init_daemon_domain(spdaemon)
+
+# Allow access to spcom device
+allow spdaemon spcom_device:chr_file rw_file_perms;
+
+# Allow access to skp device
+allow spdaemon skp_device:chr_file rw_file_perms;
+
+# Allow access to sp_ssr device
+allow spdaemon sp_ssr_device:chr_file rw_file_perms;
+
+# Allow access to sp_keymaster device
+allow spdaemon sp_keymaster_device:chr_file rw_file_perms;
+
+# Allow access to ion device
+allow spdaemon ion_device:chr_file rw_file_perms;
+
+# Allow to load SPSS firmware images
+r_dir_file(spdaemon, firmware_file);
+
+# Allow to load SPSS Apps images
+allow spdaemon spss_data_file:dir r_dir_perms;
+allow spdaemon spss_data_file:file r_file_perms;
+
+# Allow check SPSS Apps images stat()
+allow spdaemon spss_data_file:file getattr;
+
+# Allow set system prop
+allow spdaemon system_prop:property_service set;
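Review bot: The last rule, `allow spdaemon system_prop:property_service set;`, lets the daemon set every property labelled `system_prop` rather than only the ones it owns, which is broader than a daemon fronting the secure processor needs. Prefer a dedicated property type declared in property.te and mapped in property_contexts (placeholder name `spdaemon_prop`) and grant it with `set_prop(spdaemon, spdaemon_prop)`. Assuming this tree's te_macros provides that macro, it also adds the property-socket connect rules, which the bare allow does not. Separately, `allow spdaemon spss_data_file:file getattr;` is redundant, since `r_file_perms` in the rule above it already includes `getattr`.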