From ca1c35e500ed9d714bf65353342397ea05280e32 Mon Sep 17 00:00:00 2001
From: Wayne Lin
Date: Mon, 29 Jan 2024 11:52:10 +0800
Subject: [PATCH] gps: refine iGNSS build system - sepolicy

Bug: 318310869
Bug: 315915958
Test: build pass, GPS works and no GPS avc denied error
Change-Id: Ib2aa778a0d0e8a51f4d6733b6a55ccf588a05079
---
 gps/lsi/s5400.mk | 16 ++++++++++++++++
 gps/lsi/sepolicy/file.te | 1 +
 gps/lsi/sepolicy/file_contexts | 12 ++++++++++++
 gps/lsi/sepolicy/gnss_check.te | 9 +++++++++
 gps/lsi/sepolicy/gnssd.te | 26 ++++++++++++++++++++++++++
 gps/lsi/sepolicy/hal_gnss_default.te | 9 +++++++++
 gps/lsi/sepolicy/rild.te | 1 +
 gps/lsi/sepolicy/sctd.te | 3 +++
 gps/lsi/sepolicy/spad.te | 3 +++
 gps/lsi/sepolicy/swcnd.te | 3 +++
 gps/lsi/sepolicy/vendor_init.te | 2 ++
 11 files changed, 85 insertions(+)
 create mode 100644 gps/lsi/s5400.mk
 create mode 100644 gps/lsi/sepolicy/file.te
 create mode 100644 gps/lsi/sepolicy/file_contexts
 create mode 100644 gps/lsi/sepolicy/gnss_check.te
 create mode 100644 gps/lsi/sepolicy/gnssd.te
 create mode 100644 gps/lsi/sepolicy/hal_gnss_default.te
 create mode 100644 gps/lsi/sepolicy/rild.te
 create mode 100644 gps/lsi/sepolicy/sctd.te
 create mode 100644 gps/lsi/sepolicy/spad.te
 create mode 100644 gps/lsi/sepolicy/swcnd.te
 create mode 100644 gps/lsi/sepolicy/vendor_init.te

diff --git a/gps/lsi/s5400.mk b/gps/lsi/s5400.mk
new file mode 100644
index 0000000..de676ff
--- /dev/null
+++ b/gps/lsi/s5400.mk
@@ -0,0 +1,16 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/lsi/sepolicy
+
+PRODUCT_SOONG_NAMESPACES += \
+ vendor/samsung_slsi/gps/s5400
+
+PRODUCT_PACKAGES += \
+ android.hardware.location.gps.prebuilt.xml \
+ gnssd \
+ android.hardware.gnss-service \
+ ca.pem \
+ gnss_check.sh \
+ kepler.bin
+
+ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ PRODUCT_VENDOR_PROPERTIES += vendor.gps.aol.enabled=true
+endif
diff --git a/gps/lsi/sepolicy/file.te b/gps/lsi/sepolicy/file.te
new file mode 100644
index 0000000..af9582b
--- /dev/null
+++ b/gps/lsi/sepolicy/file.te
@@ -0,0 +1 @@
+type vendor_gps_file, file_type, data_file_type;
diff --git a/gps/lsi/sepolicy/file_contexts b/gps/lsi/sepolicy/file_contexts
new file mode 100644
index 0000000..9840eab
--- /dev/null
+++ b/gps/lsi/sepolicy/file_contexts
@@ -0,0 +1,12 @@
+# GPS
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/gnss_boot u:object_r:vendor_gnss_device:s0
+/dev/gnss_dump u:object_r:vendor_gnss_device:s0
+/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0
+/vendor/bin/hw/sctd u:object_r:sctd_exec:s0
+/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0
+/vendor/bin/hw/spad u:object_r:spad_exec:s0
+/vendor/bin/hw/android.hardware.gnss-service u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0
+# keep only one rule and use eGNSS one
+# /data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
diff --git a/gps/lsi/sepolicy/gnss_check.te b/gps/lsi/sepolicy/gnss_check.te
new file mode 100644
index 0000000..31d0944
--- /dev/null
+++ b/gps/lsi/sepolicy/gnss_check.te
@@ -0,0 +1,9 @@
+type gnss_check, domain;
+type gnss_check_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(gnss_check);
+
+allow gnss_check vendor_toolbox_exec:file { execute_no_trans };
+
+set_prop(gnss_check, ctl_stop_prop);
+set_prop(gnss_check, ctl_start_prop);
diff --git a/gps/lsi/sepolicy/gnssd.te b/gps/lsi/sepolicy/gnssd.te
new file mode 100644
index 0000000..487bcbb
--- /dev/null
+++ b/gps/lsi/sepolicy/gnssd.te
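Review bot: The only labeling rule for the `vendor_gps_file` type declared in file.te, `/data/vendor/gps(/.*)?`, is commented out at the end of this hunk in favour of an "eGNSS" rule that is not part of this commit, and `vendor_gnss_device`, used for the three `/dev/gnss_*` entries, is likewise not declared anywhere in this change. If a product pulls in this sepolicy directory without the eGNSS one, `/data/vendor/gps` keeps whatever default label it gets and the vendor_gps_file rules in gnssd.te and hal_gnss_default.te never match, which surfaces as avc denials at runtime rather than at build time. Replace the bare `# keep only one rule and use eGNSS one` with a comment that names the owning file, e.g. `# /data/vendor/gps is labeled vendor_gps_file by <eGNSS file_contexts path>; this directory must be built together with it`, so the dependency is visible next to the BOARD_VENDOR_SEPOLICY_DIRS line in s5400.mk.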
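Review bot: `set_prop(gnss_check, ctl_stop_prop);` and `set_prop(gnss_check, ctl_start_prop);` let the script start and stop any init service on the device, not only the GNSS one. The least-privilege form used elsewhere in AOSP policy is a dedicated property type bound to the specific `ctl.start$<service>` / `ctl.stop$<service>` entries in property_contexts, so the script can only control the service it is meant to restart (presumably gnssd; the script itself is not in this commit). If the broad grant is intended, a comment above the two lines stating which services the script manages would at least document the scope.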
@@ -0,0 +1,26 @@
+type gnssd, domain;
+type gnssd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gnssd);
+
+# Allow gnssd to access rild
+binder_call(gnssd, rild);
+binder_call(gnssd, hwservicemanager)
+allow gnssd hal_exynos_rild_hwservice:hwservice_manager find;
+allow gnssd radio_device:chr_file rw_file_perms;
+
+# Allow gnssd to acess gnss device
+allow gnssd vendor_gnss_device:chr_file rw_file_perms;
+allow gnssd vendor_gps_file:dir create_dir_perms;
+allow gnssd vendor_gps_file:file create_file_perms;
+allow gnssd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gnssd to obtain wakelock
+wakelock_use(gnssd)
+
+# Allow a base set of permissions required for network access.
+net_domain(gnssd);
+
+# Allow gnssd to get boot complete
+get_prop(gnssd, bootanim_system_prop)
+
+allow gnssd sysfs_soc:file r_file_perms;
diff --git a/gps/lsi/sepolicy/hal_gnss_default.te b/gps/lsi/sepolicy/hal_gnss_default.te
new file mode 100644
index 0000000..515a923
--- /dev/null
+++ b/gps/lsi/sepolicy/hal_gnss_default.te
@@ -0,0 +1,9 @@
+allow hal_gnss_default fwk_sensor_service:service_manager find;
+allow hal_gnss_default gnssd:unix_stream_socket connectto;
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
+binder_call(hal_gnss_default, gnssd);
+
+#Read GPS property
+get_prop(hal_gnss_default, vendor_gps_prop)
diff --git a/gps/lsi/sepolicy/rild.te b/gps/lsi/sepolicy/rild.te
new file mode 100644
index 0000000..c620a19
--- /dev/null
+++ b/gps/lsi/sepolicy/rild.te
@@ -0,0 +1 @@
+binder_call(rild, gnssd)
diff --git a/gps/lsi/sepolicy/sctd.te b/gps/lsi/sepolicy/sctd.te
new file mode 100644
index 0000000..8966ef8
--- /dev/null
+++ b/gps/lsi/sepolicy/sctd.te
@@ -0,0 +1,3 @@
+type sctd, domain;
+type sctd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(sctd);
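Review bot: `allow gnssd radio_device:chr_file rw_file_perms;` gives the GNSS daemon direct read/write on the modem character devices on top of the `binder_call(gnssd, rild)` path granted two lines above; if the daemon reaches the modem only through rild, the direct device rule is surplus and should be dropped, otherwise a comment such as `# gnssd opens radio_device directly for <reason>` should record why both paths are needed. The comment `# Allow gnssd to get boot complete` does not match the type granted under it: `bootanim_system_prop` covers the boot-animation properties, whereas boot completion is normally read through `boot_status_prop`, so confirm which property gnssd actually polls and fix either the type or the comment. Style: macro invocations mix trailing semicolons and none (`binder_call(gnssd, rild);` next to `binder_call(gnssd, hwservicemanager)`); gnss_check.te in the same change uses semicolons throughout, so this file should too.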
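Review bot: `allow hal_gnss_default gnssd:unix_stream_socket connectto;` is the only socket rule in this file and no `sock_file` permission is granted on any file type, which is sufficient only if gnssd listens on an abstract-namespace socket; a filesystem socket under `/data/vendor/gps` would additionally need `allow hal_gnss_default vendor_gps_file:sock_file write;`. Either the socket is abstract and a comment such as `# gnssd's control socket is in the abstract namespace; no sock_file rule needed` should say so, or the missing rule is currently masked by the eGNSS policy this change depends on. The HAL also receives the same `create_dir_perms`/`create_file_perms` on vendor_gps_file as gnssd; if it only consumes what gnssd produces there, `r_dir_perms`/`r_file_perms` would be the tighter grant.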
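Review bot: `type sctd, domain;` through `init_daemon_domain(sctd);` declare a daemon domain with no allow rules at all, and spad.te and swcnd.te in the next two hunks do exactly the same. A domain with no permissions will be denied every file, socket and property access the moment init starts the binary, so either these daemons are intentionally not launched on this product, or their rules live in a policy directory outside this commit and only the domain/exec types and file_contexts entries are defined here. A one-line comment per file stating which, e.g. `# sctd is labeled here only; its access rules are provided by <shared GNSS policy dir>`, would make that explicit for the next person chasing an avc denial.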
diff --git a/gps/lsi/sepolicy/spad.te b/gps/lsi/sepolicy/spad.te
new file mode 100644
index 0000000..eaf8b1c
--- /dev/null
+++ b/gps/lsi/sepolicy/spad.te
@@ -0,0 +1,3 @@
+type spad, domain;
+type spad_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(spad);
diff --git a/gps/lsi/sepolicy/swcnd.te b/gps/lsi/sepolicy/swcnd.te
new file mode 100644
index 0000000..c366cad
--- /dev/null
+++ b/gps/lsi/sepolicy/swcnd.te
@@ -0,0 +1,3 @@
+type swcnd, domain;
+type swcnd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(swcnd);
diff --git a/gps/lsi/sepolicy/vendor_init.te b/gps/lsi/sepolicy/vendor_init.te
new file mode 100644
index 0000000..c8d637d
--- /dev/null
+++ b/gps/lsi/sepolicy/vendor_init.te
@@ -0,0 +1,2 @@
+# gps vendor property
+set_prop(vendor_init, vendor_gps_prop)
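Review bot: `set_prop(vendor_init, vendor_gps_prop)` here and `get_prop(hal_gnss_default, vendor_gps_prop)` in hal_gnss_default.te reference a property type whose declaration and property_contexts mapping are not in this commit. The property that s5400.mk sets, `vendor.gps.aol.enabled`, only falls under these rules if property_contexts maps it to `vendor_gps_prop`; otherwise it takes the default vendor property label and the HAL's read rule never applies, with the symptom being a silent default rather than a build error. Replace `# gps vendor property` with a comment that names where the type and mapping live, e.g. `# vendor_gps_prop is declared in <shared GPS policy dir>/property.te and mapped to vendor.gps.* in its property_contexts`.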