From: Tim Zimmermann
Date: Thu, 14 Mar 2024 04:51:46 +0000 (+0100)
Subject: sepolicy: Add policy for cass and vaultkeeperd
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=b18fd94642db63b1dc5ed375f7b6d4799be758e6;p=GitHub%2FLineageOS%2Fandroid_device_samsung_slsi_sepolicy.git

sepolicy: Add policy for cass and vaultkeeperd

* This is required for new RIL stacks from T and up

Change-Id: I4628a43865728d0ef01e1099a9b3f2a87ec6cca5
---

diff --git a/common/vendor/cass.te b/common/vendor/cass.te
new file mode 100644
index 0000000..611b437
--- /dev/null
+++ b/common/vendor/cass.te
@@ -0,0 +1,13 @@
+type cass, domain;
+type cass_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(cass)
+
+allow cass kmsg_device:chr_file getattr;
+allow cass vendor_radio_device:chr_file rw_file_perms;
+
+wakelock_use(cass)
+get_prop(cass, vendor_vaultkeeper_prop)
+
+allow cass vaultkeeperd_socket:dir search;
+unix_socket_connect(cass, vaultkeeperd, vaultkeeperd)
diff --git a/common/vendor/device.te b/common/vendor/device.te
index e64856a..32626d3 100644
--- a/common/vendor/device.te
+++ b/common/vendor/device.te
@@ -8,6 +8,7 @@ type modem_block_device, dev_type;
 type omr_block_device, dev_type;
 type radio_block_device, dev_type;
 type sec_efs_block_device, dev_type;
+type steady_block_device, dev_type;
 type vbmeta_block_device, dev_type;
 
 type bbd_device, dev_type;
diff --git a/common/vendor/file.te b/common/vendor/file.te
index 66b8cca..d7be99a 100644
--- a/common/vendor/file.te
+++ b/common/vendor/file.te
@@ -28,6 +28,7 @@ type proc_last_kmsg, fs_type, proc_type;
 
 # SOCKETS
 type epicd_socket, file_type, data_file_type;
+type vaultkeeperd_socket, file_type, data_file_type;
 
 ### SYSFS
 type sysfs_argos, sysfs_type, r_fs_type, fs_type;
diff --git a/common/vendor/file_contexts b/common/vendor/file_contexts
index 5e325ad..2ded296 100644
--- a/common/vendor/file_contexts
+++ b/common/vendor/file_contexts
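Review bot: `allow cass vendor_radio_device:chr_file rw_file_perms;` in cass.te grants the full rw_file_perms set, which includes unrestricted ioctl on the modem node; if cass only issues a known set of ioctls, an `allowxperm cass vendor_radio_device:chr_file ioctl { <IOCTL_LIST_PLACEHOLDER> };` allowlist next to it would narrow what a compromised cass can drive, and if the set is not known a comment saying so would tell the next reviewer why it is left open. The new file also carries no comments at all; a one-line header such as `# cass: required by the T+ RIL stack (see commit message); connects to vaultkeeperd via /dev/socket/vaultkeeper` would make the domain self-describing.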
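Review bot: `type vaultkeeperd_socket, file_type, data_file_type;` in file.te attaches data_file_type, the attribute AOSP reserves for types that live under /data, to a node that file_contexts in this commit places under /dev/socket; AOSP's own socket types for /dev/socket (rild_socket, as far as I recall) carry file_type only. The line mirrors the neighbouring epicd_socket declaration, so if data_file_type is being kept for consistency with it, a short comment on the SOCKETS section, e.g. `# data_file_type kept for parity with epicd_socket; these nodes live in /dev/socket`, would stop a later reader from assuming /data semantics.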
@@ -29,6 +29,7 @@
 /dev/block/platform/.+/by-name/(radio|RADIO) u:object_r:radio_block_device:s0
 /dev/block/platform/.+/by-name/(recovery|RECOVERY) u:object_r:recovery_block_device:s0
 /dev/block/platform/.+/by-name/sec_efs u:object_r:sec_efs_block_device:s0
+/dev/block/platform/.+/by-name/steady u:object_r:steady_block_device:s0
 /dev/block/platform/.+/by-name/super u:object_r:super_block_device:s0
 /dev/block/platform/.+/by-name/(system|SYSTEM) u:object_r:system_block_device:s0
 /dev/block/platform/.+/by-name/(userdata|USERDATA) u:object_r:userdata_block_device:s0
@@ -123,10 +124,15 @@
 /mnt/vendor/efs/tee(/.*)? u:object_r:tee_efs_file:s0
 /mnt/vendor/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
 
+## VaultKeeper
+/dev/socket/vaultkeeper u:object_r:vaultkeeperd_socket:s0
+
 ### VENDOR
+/(vendor|system/vendor)/bin/cass u:object_r:cass_exec:s0
 /(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0
 /(vendor|system/vendor)/bin/secril_config_svc u:object_r:secril_config_svc_exec:s0
 /(vendor|system/vendor)/bin/thermal_symlinks\.samsung u:object_r:init-thermal-symlinks-sh_exec:s0
+/(vendor|system/vendor)/bin/vaultkeeperd u:object_r:vaultkeeperd_exec:s0
 
 /(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0
 /(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0
diff --git a/common/vendor/property.te b/common/vendor/property.te
index 4242eab..9c39e27 100644
--- a/common/vendor/property.te
+++ b/common/vendor/property.te
@@ -5,4 +5,5 @@ vendor_restricted_prop(vendor_hwc_prop)
 vendor_internal_prop(vendor_radio_prop)
 vendor_internal_prop(vendor_fastcharge_prop)
 vendor_internal_prop(vendor_thermal_prop)
+vendor_internal_prop(vendor_vaultkeeper_prop)
 vendor_internal_prop(vendor_wifi_prop)
diff --git a/common/vendor/property_contexts b/common/vendor/property_contexts
index dabaa4e..c2801b6 100644
--- a/common/vendor/property_contexts
+++ b/common/vendor/property_contexts
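Review bot: `/dev/socket/vaultkeeper u:object_r:vaultkeeperd_socket:s0` in the second file_contexts hunk labels only that one path, yet vaultkeeperd.te in this same commit treats vaultkeeperd_socket as a directory in which the daemon creates sock_files (`vaultkeeperd_socket:dir rw_dir_perms` plus `vaultkeeperd_socket:sock_file create_file_perms`). Sockets created at runtime inherit the directory's label, so this works, but the mapping is implicit; if vaultkeeper is in fact a directory, `/dev/socket/vaultkeeper(/.*)? u:object_r:vaultkeeperd_socket:s0` states the intent and matches the `tee(/.*)?` and `wifi(/.*)?` entries just above it. Whether the path is a directory or a single socket cannot be confirmed from this commit alone, so this is inferred from the .te rules.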
@@ -16,6 +16,10 @@ persist.vendor.sec.fastchg_enabled u:object_r:vendor_fastcharge_prop:s0
 ## thermal
 vendor.thermal. u:object_r:vendor_thermal_prop:s0
 
+## vaultkeeper
+ro.vendor.security.vaultkeeper u:object_r:vendor_vaultkeeper_prop:s0
+vendor.security.vaultkeeper u:object_r:vendor_vaultkeeper_prop:s0
+
 ### wifi
 vendor.wifi. u:object_r:vendor_wifi_prop:s0
 ro.vendor.wifi. u:object_r:vendor_wifi_prop:s0
diff --git a/common/vendor/vaultkeeperd.te b/common/vendor/vaultkeeperd.te
new file mode 100644
index 0000000..7c91757
--- /dev/null
+++ b/common/vendor/vaultkeeperd.te
@@ -0,0 +1,14 @@
+type vaultkeeperd, domain;
+type vaultkeeperd_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(vaultkeeperd)
+
+allow vaultkeeperd kmsg_device:chr_file getattr;
+allow vaultkeeperd block_device:dir search;
+allow vaultkeeperd steady_block_device:blk_file rw_file_perms;
+
+set_prop(vaultkeeperd, vendor_vaultkeeper_prop)
+
+allow vaultkeeperd socket_device:dir w_dir_perms;
+allow vaultkeeperd vaultkeeperd_socket:dir rw_dir_perms;
+allow vaultkeeperd vaultkeeperd_socket:sock_file create_file_perms;
diff --git a/tee/teegris/vendor/vaultkeeperd.te b/tee/teegris/vendor/vaultkeeperd.te
new file mode 100644
index 0000000..ecddd31
--- /dev/null
+++ b/tee/teegris/vendor/vaultkeeperd.te
@@ -0,0 +1 @@
+teegris_use(vaultkeeperd)
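Review bot: `ro.vendor.security.vaultkeeper` and `vendor.security.vaultkeeper` are added without a trailing dot and without an `exact`/`prefix` qualifier; in property_contexts an entry with no qualifier is a prefix match, so any property whose name merely begins with either string also lands in vendor_vaultkeeper_prop. If the daemon sets exactly these two names, `vendor.security.vaultkeeper u:object_r:vendor_vaultkeeper_prop:s0 exact` (and the same for the ro. entry, plus a type token if this tree's property checker demands one) pins them; if it sets a family of sub-properties, a trailing dot in the style of the neighbouring `vendor.thermal.` line makes the prefix intent explicit. Which of the two is meant is not visible from this commit.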
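Review bot: `allow vaultkeeperd socket_device:dir w_dir_perms;` in vaultkeeperd.te lets the daemon add and remove entries anywhere under /dev/socket, which is broader than the rest of the file supports: the only object it may create is `vaultkeeperd_socket:sock_file`, and nothing in this commit adds a type_transition that would label a new entry in socket_device as vaultkeeperd_socket, so a socket created directly in /dev/socket would inherit socket_device and be denied on create anyway. If the sockets live inside the /dev/socket/vaultkeeper directory labelled by file_contexts, `allow vaultkeeperd socket_device:dir search;` is all that is needed; if they are created directly in /dev/socket, the missing piece is `type_transition vaultkeeperd socket_device:sock_file vaultkeeperd_socket;` rather than write access to the parent (the .rc file is not in this commit, so this is inferred). Separately, `allow vaultkeeperd steady_block_device:blk_file rw_file_perms;` includes unrestricted ioctl on a raw partition; a comment stating what the steady partition holds and, if the ioctl set is known, an `allowxperm vaultkeeperd steady_block_device:blk_file ioctl { <IOCTL_LIST_PLACEHOLDER> };` allowlist would let reviewers judge that grant.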