authorWilliam Clark <wclark@codeaurora.org>2015-08-21 12:44:50 -0700
committerWilliam Clark <wclark@codeaurora.org>2015-08-24 10:08:31 -0700
commit8052d8a186f553d9f5f5424a5576735a061630b0 (patch)
tree214ed063e14ebb53c0d14517bc1b42991cc91d77
parentc8c034f83b5c731b3dcfc3f44a3e780c2ad18c5f (diff)
sepolicy: Add rules for seemp
Allow seempd to read files Change-Id: Iae5c431d512aa937c0006d913fd2be1f9cefa59a
-rw-r--r--common/seempd.te13
-rw-r--r--common/service.te1
-rw-r--r--common/service_contexts2
-rw-r--r--common/system_server.te6
-rw-r--r--test/platform_app.te31
-rw-r--r--test/untrusted_app.te31
6 files changed, 84 insertions, 0 deletions
diff --git a/common/seempd.te b/common/seempd.te
index f2737934..dc3b5dbb 100644
--- a/common/seempd.te
+++ b/common/seempd.te
@@ -14,3 +14,16 @@ r_dir_file(seempd, firmware_file)
#allow access to packages.list
allow seempd system_data_file:file r_file_perms;
+
+#allow binder calls
+binder_use(seempd)
+binder_call(seempd, system_server)
+binder_call(seempd, appdomain)
+
+#allow read access to proc files for app_domain
+dontaudit seempd domain:dir r_dir_perms;
+r_dir_file(seempd, appdomain)
+
+#for seemp
+allow seempd seemp_service:service_manager add;
+allow seempd self:binder call;
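Review bot: `r_dir_file(seempd, appdomain)` grants seempd read access to the /proc entries of every application domain, not only the ones it monitors, and the preceding `dontaudit seempd domain:dir r_dir_perms;` then suppresses the denials that would show where the policy is still too broad; together these make it hard to notice later if seempd's reach grows beyond what the feature needs. If reading per-app /proc state is the actual requirement, the comment should say which entries are read, e.g. `#seempd reads /proc/<pid>/<entries> of app processes to collect event metrics`, and the dontaudit should be revisited once the needed permissions are known. The comment on the rule also says `app_domain` while the macro argument is `appdomain`; aligning the comment with the attribute name avoids confusion for the next reader. The binder rules above it look consistent with the matching `binder_call(system_server, seempd)` in common/system_server.te.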
diff --git a/common/service.te b/common/service.te
index 905cc8a1..f3f19092 100644
--- a/common/service.te
+++ b/common/service.te
@@ -14,3 +14,4 @@ type usf_service, service_manager_type;
type dtseagleservice_service, service_manager_type;
type gba_auth_service, service_manager_type;
type izat_service, system_api_service, service_manager_type;
+type seemp_service, service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
index 9f4545de..465db38a 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -17,3 +17,5 @@ dts_eagle_service u:object_r:dtseagleservice_servic
wfd.native.mm.service u:object_r:wfdservice_service:s0
extphone u:object_r:radio_service:s0
com.qualcomm.location.izat.IzatService u:object_r:izat_service:s0
+qti.security.seemp u:object_r:seemp_service:s0
+seempservice u:object_r:seemp_service:s0
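Review bot: Two service names, `qti.security.seemp` and `seempservice`, are mapped to the same `seemp_service` label with nothing saying why both exist or which one clients are expected to use. A short comment on these lines would help, e.g. `# qti.security.seemp is the published name; seempservice kept for compatibility` — or, if only one name is actually registered by seempd, the unused entry should be dropped so the label does not cover a name nobody binds.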
diff --git a/common/system_server.te b/common/system_server.te
index b31af81c..723af16a 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -98,3 +98,9 @@ allow system_server RIDL:fifo_file write;
#Rules for system server to talk to peripheral manager
use_per_mgr(system_server);
+
+#allow binder calls
+binder_call(system_server, seempd)
+
+#for seemp
+unix_socket_send(system_server, seempdw, seempd)
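Review bot: `unix_socket_send(system_server, seempdw, seempd)` relies on a socket type derived from the `seempdw` prefix that this commit does not declare; if it is not already defined elsewhere in the policy (presumably alongside the seempd domain), the policy will fail to build. It would be worth stating where that socket lives and who creates it, e.g. `#system_server sends events to seempd over its seempdw datagram socket (type declared in seempd.te)`. The `binder_call(system_server, seempd)` rule is the counterpart of the one added in common/seempd.te and looks fine on its own.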
diff --git a/test/platform_app.te b/test/platform_app.te
new file mode 100644
index 00000000..6025eb4e
--- /dev/null
+++ b/test/platform_app.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+userdebug_or_eng(`
+ r_dir_file(platform_app, seemp_file)
+ allow platform_app seemp_file: file w_file_perms;
+')
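Review bot: `allow platform_app seemp_file: file w_file_perms;` gives platform apps write access to the data seempd consumes, and the identical rule in test/untrusted_app.te extends that to any third-party app; both are wrapped in `userdebug_or_eng`, but the file itself carries no explanation of why the write permission is needed beyond the license header. Since these files are new, a purpose comment after the header would let a reviewer judge the scope, e.g. `# Test-only rules: lets the seemp test app read and write seemp_file on userdebug/eng builds; never ship in user policy.` If the test only needs to read results, `r_dir_file` alone would be the narrower grant and the write rule could be dropped. The `seemp_file` type is not declared in this change either, so its definition presumably exists elsewhere; noting that in the comment would help too.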
diff --git a/test/untrusted_app.te b/test/untrusted_app.te
new file mode 100644
index 00000000..245be906
--- /dev/null
+++ b/test/untrusted_app.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+userdebug_or_eng(`
+ r_dir_file(untrusted_app, seemp_file)
+ allow untrusted_app seemp_file: file w_file_perms;
+')