From 2bee5a8ca6187d89c45fd14d36adf676e4a94f84 Mon Sep 17 00:00:00 2001
From: Bruno Martins <bgcngm@gmail.com>
Date: Tue, 1 Jun 2021 10:56:16 +0200
Subject: [PATCH] sm8250-common: Move "proprietary" seccomp policies to vendor

Also discard unused qspm.policy as we don't ship qspm.

Change-Id: Icc1b978d373de8b0b7bc3e483c088c2cdeb5d325
---
 common.mk                              |  8 +--
 proprietary-files.txt                  |  5 ++
 seccomp/atfwd@2.0.policy               | 67 -------------------
 seccomp/codec2.vendor.base.policy      | 74 ---------------------
 seccomp/imsrtp.policy                  | 90 --------------------------
 seccomp/qspm.policy                    | 78 ----------------------
 seccomp/qti-systemd.policy             | 77 ----------------------
 seccomp/vendor.qti.hardware.dsp.policy | 63 ------------------
 8 files changed, 6 insertions(+), 456 deletions(-)
 delete mode 100644 seccomp/atfwd@2.0.policy
 delete mode 100644 seccomp/codec2.vendor.base.policy
 delete mode 100644 seccomp/imsrtp.policy
 delete mode 100644 seccomp/qspm.policy
 delete mode 100644 seccomp/qti-systemd.policy
 delete mode 100644 seccomp/vendor.qti.hardware.dsp.policy

diff --git a/common.mk b/common.mk
index fecbdf3..fc72baf 100644
--- a/common.mk
+++ b/common.mk
@@ -475,13 +475,7 @@ PRODUCT_PACKAGES += \
 
 # Seccomp policy
 PRODUCT_COPY_FILES += \
-    $(LOCAL_PATH)/seccomp/atfwd@2.0.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/atfwd@2.0.policy \
-    $(LOCAL_PATH)/seccomp/codec2.vendor.base.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/codec2.vendor.base.policy \
-    $(LOCAL_PATH)/seccomp/imsrtp.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/imsrtp.policy \
-    $(LOCAL_PATH)/seccomp/mediacodec.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/mediacodec.policy \
-    $(LOCAL_PATH)/seccomp/qspm.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/qspm.policy \
-    $(LOCAL_PATH)/seccomp/qti-systemd.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/qti-systemd.policy \
-    $(LOCAL_PATH)/seccomp/vendor.qti.hardware.dsp.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/vendor.qti.hardware.dsp.policy
+    $(LOCAL_PATH)/seccomp/mediacodec.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/mediacodec.policy
 
 # WiFi
 PRODUCT_PACKAGES += \
diff --git a/proprietary-files.txt b/proprietary-files.txt
index 5c6a79e..3e94307 100644
--- a/proprietary-files.txt
+++ b/proprietary-files.txt
@@ -3,6 +3,7 @@
 # ADSP
 vendor/bin/adsprpcd
 vendor/etc/init/vendor.qti.adsprpc-service.rc
+vendor/etc/seccomp_policy/vendor.qti.hardware.dsp.policy
 vendor/lib/vendor.qti.hardware.dsp@1.0.so
 vendor/lib64/libadsp_default_listener.so
 vendor/lib64/vendor.qti.hardware.dsp@1.0.so
@@ -540,6 +541,7 @@ vendor/etc/init/ims_rtp_daemon.rc
 vendor/etc/init/imsdatadaemon.rc
 vendor/etc/init/imsqmidaemon.rc
 vendor/etc/init/imsrcsd.rc
+vendor/etc/seccomp_policy/imsrtp.policy
 vendor/lib64/com.qualcomm.qti.imscmservice@1.0.so
 vendor/lib64/com.qualcomm.qti.imscmservice@2.0.so
 vendor/lib64/com.qualcomm.qti.imscmservice@2.1.so
@@ -643,6 +645,7 @@ vendor/lib/libsmwrapper.so
 system_ext/lib/libmmosal.so
 system_ext/lib/libmmparser_lite.so
 system_ext/lib64/libmmosal.so
+vendor/etc/seccomp_policy/codec2.vendor.base.policy
 vendor/etc/system_properties.xml
 vendor/lib64/libmmosal.so
 
@@ -796,6 +799,7 @@ system/etc/sysconfig/qti_whitelist.xml
 vendor/bin/irsc_util
 vendor/bin/qmipriod
 vendor/etc/init/qmipriod.rc
+vendor/etc/seccomp_policy/qti-systemd.policy
 vendor/etc/sec_config
 vendor/lib/libdiag.so
 vendor/lib/libdsi_netctrl.so
@@ -871,6 +875,7 @@ vendor/etc/init/ssgtzd.rc
 vendor/etc/init/vendor.oneplus.hardware.param@1.0-service.rc
 vendor/etc/init/vendor.qti.rmt_storage.rc
 vendor/etc/init/vendor.qti.tftp.rc
+vendor/etc/seccomp_policy/atfwd@2.0.policy
 vendor/lib64/deviceInfoServiceModule.so
 vendor/lib64/libconfigdb.so
 vendor/lib64/liblqe.so
diff --git a/seccomp/atfwd@2.0.policy b/seccomp/atfwd@2.0.policy
deleted file mode 100644
index d556f3a..0000000
--- a/seccomp/atfwd@2.0.policy
+++ /dev/null
@@ -1,67 +0,0 @@
-# Copyright (c) 2020 Qualcomm Technologies, Inc.
-# All Rights Reserved.
-# Confidential and Proprietary - Qualcomm Technologies, Inc
-#
-# Not a contribution.
-#
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-munmap: 1
-getuid: 1
-writev: 1
-prctl: arg0 == PR_SET_VMA || arg0 == PR_GET_DUMPABLE
-mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-openat: 1
-futex: 1
-close: 1
-read: 1
-newfstatat: 1
-fstat: 1
-#ioctl: arg1 == BINDER_WRITE_READ || arg1 == BINDER_SET_MAX_THREADS || arg1 == BINDER_VERSION
-ioctl: 1
-mremap: 1
-readlinkat: 1
-pread64: 1
-fstatfs: 1
-rt_sigprocmask: 1
-faccessat: 1
-sendto: 1
-rt_sigaction: 1
-socket: arg0 == AF_UNIX || arg0 == AF_QIPCRTR
-recvfrom: 1
-getsockname: 1
-getdents64: 1
-fcntl: 1
-nanosleep: 1
-getrandom: 1
-clone: 1
-pipe2: 1
-exit_group: 1
-write: 1
-exit: 1
-getpid: 1
-sigaltstack: 1
-getrlimit: 1
-restart_syscall: 1
-setsockopt: 1
-sched_getscheduler: 1
-rt_sigreturn: 1
-execve: 1
-madvise: 1
-set_tid_address: 1
-connect: 1
-ppoll: 1
-clock_gettime: 1
diff --git a/seccomp/codec2.vendor.base.policy b/seccomp/codec2.vendor.base.policy
deleted file mode 100644
index 4785704..0000000
--- a/seccomp/codec2.vendor.base.policy
+++ /dev/null
@@ -1,74 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Organized by frequency of systemcall - in descending order for
-# best performance.
-futex: 1
-ioctl: 1
-write: 1
-prctl: 1
-clock_gettime: 1
-getpriority: 1
-read: 1
-close: 1
-writev: 1
-dup: 1
-ppoll: 1
-mmap2: 1
-getrandom: 1
-
-# mremap: Ensure |flags| are (MREMAP_MAYMOVE | MREMAP_FIXED) TODO: Once minijail
-# parser support for '<' is in this needs to be modified to also prevent
-# |old_address| and |new_address| from touching the exception vector page, which
-# on ARM is statically loaded at 0xffff 0000. See
-# http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html
-# for more details.
-#mremap: arg3 == 3
-mremap: arg3 == 3 || arg3 == MREMAP_MAYMOVE
-munmap: 1
-mprotect: 1
-madvise: 1
-openat: 1
-sigaltstack: 1
-clone: 1
-setpriority: 1
-getuid32: 1
-fstat64: 1
-fstatfs64: 1
-pread64: 1
-faccessat: 1
-readlinkat: 1
-exit: 1
-rt_sigprocmask: 1
-set_tid_address: 1
-restart_syscall: 1
-exit_group: 1
-rt_sigreturn: 1
-pipe2: 1
-gettimeofday: 1
-sched_yield: 1
-nanosleep: 1
-lseek: 1
-_llseek: 1
-sched_get_priority_max: 1
-sched_get_priority_min: 1
-statfs64: 1
-sched_setscheduler: 1
-fstatat64: 1
-ugetrlimit: 1
-getdents64: 1
-getrandom: 1
-
-@include /system/etc/seccomp_policy/crash_dump.arm.policy
-
diff --git a/seccomp/imsrtp.policy b/seccomp/imsrtp.policy
deleted file mode 100644
index 44092b0..0000000
--- a/seccomp/imsrtp.policy
+++ /dev/null
@@ -1,90 +0,0 @@
-#Copyright (c) 2020 Qualcomm Technologies, Inc.
-#All Rights Reserved.
-#Confidential and Proprietary - Qualcomm Technologies, Inc
-
-#Not a contribution.
-
-#Copyright (C) 2018 The Android Open Source Project
-
-#"Licensed under the Apache License, Version 2.0 (the \"License\");"
-#you may not use this file except in compliance with the License.
-#You may obtain a copy of the License at
-
-#http://www.apache.org/licenses/LICENSE-2.0
-
-#Unless required by applicable law or agreed to in writing, software
-#"distributed under the License is distributed on an \"AS IS\" BASIS,"
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#See the License for the specific language governing permissions and
-#limitations under the License.
-
-mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-munmap: 1
-mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-#prctl: arg0 == PR_SET_VMA || arg0 == PR_SET_NO_NEW_PRIVS || arg0 == PR_GET_DUMPABLE || arg0 == PR_SET_SECCOMP || arg0 == 0x37 /* PR_??? */
-prctl: 1
-read: 1
-openat: 1
-close: 1
-shutdown: 1
-kill: 1
-futex: 1
-fstat: 1
-gettimeofday: 1
-readlinkat: 1
-newfstatat: 1
-mremap: 1
-pread64: 1
-fstatfs: 1
-rt_sigaction: 1
-faccessat: 1
-socket: arg0 == AF_UNIX || arg0 == AF_QIPCRTR
-writev: 1
-connect: 1
-rt_sigprocmask: 1
-fcntl: 1
-sendto: 1
-getrandom: 1
-lseek: 1
-exit_group: 1
-rt_tgsigqueueinfo: 1
-write: 1
-exit: 1
-getpid: 1
-sigaltstack: 1
-recvmsg: 1
-dup: 1
-getrlimit: 1
-restart_syscall: 1
-clone: 1
-gettid: 1
-sched_getscheduler: 1
-ioctl: 1
-execve: 1
-getuid: 1
-madvise: 1
-set_tid_address: 1
-nanosleep: 1
-rt_sigreturn: 1
-rt_sigsuspend: 1
-setpriority: 1
-geteuid: 1
-getgid: 1
-getegid: 1
-getgroups: 1
-pipe2: 1
-setitimer: 1
-pselect6: 1
-getsockname: 1
-recvfrom: 1
-ppoll: 1
-socketpair: 1
-setsockopt: 1
-getsockopt: 1
-sendmsg: 1
-bind: 1
-timer_create: 1
-timer_settime: 1
-timer_delete: 1
-clock_gettime: 1
-sched_getaffinity: 1
diff --git a/seccomp/qspm.policy b/seccomp/qspm.policy
deleted file mode 100644
index 83e7250..0000000
--- a/seccomp/qspm.policy
+++ /dev/null
@@ -1,78 +0,0 @@
-# Copyright (c) 2020 Qualcomm Technologies, Inc.
-# All Rights Reserved.
-# Confidential and Proprietary - Qualcomm Technologies, Inc
-#
-# Not a contribution.
-#
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ioctl: 1
-futex: 1
-openat: 1
-getuid: 1
-writev: 1
-newfstatat: 1
-fstat: 1
-rt_sigaction: 1
-prctl: 1
-mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-close: 1
-rt_sigreturn: 1
-restart_syscall: 1
-exit: 1
-exit_group: 1
-mprotect: 1
-faccessat: 1
-getrlimit: 1
-read: 1
-lseek: 1
-getdents64: 1
-write: 1
-readlinkat: 1
-fstatfs: 1
-pread64: 1
-munmap: 1
-mremap: 1
-dup: 1
-renameat: 1
-unlinkat: 1
-madvise: 1
-mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-fstat: 1
-clock_gettime: 1
-socket: arg0 == AF_UNIX
-rt_sigprocmask: 1
-connect: 1
-getrandom: 1
-fcntl: 1
-execve: 1
-getpid: 1
-set_tid_address: 1
-sched_getscheduler: 1
-sigaltstack: 1
-sched_getaffinity: 1
-pipe2: 1
-
-# crash dump policy additions
-sigreturn: 1
-gettid: 1
-recvmsg: 1
-process_vm_readv: 1
-tgkill: 1
-rt_tgsigqueueinfo: 1
-geteuid32: 1
-getgid32: 1
-getegid32: 1
-getgroups32: 1
diff --git a/seccomp/qti-systemd.policy b/seccomp/qti-systemd.policy
deleted file mode 100644
index 4020e52..0000000
--- a/seccomp/qti-systemd.policy
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright (c) 2020 Qualcomm Technologies, Inc.
-# All Rights Reserved.
-# Confidential and Proprietary - Qualcomm Technologies, Inc
-#
-# Not a contribution.
-#
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-munmap: 1
-mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-#prctl: arg0 == 0x37 /* PR_??? */ || arg0 == PR_SET_VMA || arg0 == PR_GET_DUMPABLE || arg0 == PR_SET_SECCOMP || arg0 == PR_CAP_AMBIENT || arg0 == PR_GET_NO_NEW_PRIVS || arg0 == PR_SET_DUMPABLE || arg0 == PR_GET_NAME || arg0 == PR_SET_PTRACER
-prctl: 1
-openat: 1
-read: 1
-futex: 1
-close: 1
-fstat: 1
-readlinkat: 1
-newfstatat: 1
-mremap: 1
-fstatfs: 1
-pread64: 1
-rt_sigprocmask: 1
-rt_sigaction: 1
-faccessat: 1
-#ioctl: arg1 == _IOC(_IOC_NONE
-ioctl: 1
-clock_gettime: 1
-getrandom: 1
-nanosleep: 1
-fcntl: 1
-getuid: 1
-sigaltstack: 1
-socket: arg0 == AF_QIPCRTR || arg0 == AF_UNIX
-writev: 1
-execve: 1
-getpid: 1
-set_tid_address: 1
-sched_getscheduler: 1
-sigaltstack: 1
-sched_getaffinity: 1
-connect: 1
-pipe2: 1
-clone: 1
-ppoll: 1
-restart_syscall: 1
-exit: 1
-exit_group: 1
-rt_sigreturn: 1
-rt_tgsigqueueinfo: 1
-getppid: 1
-dup: 1
-capget: 1
-capset: 1
-setsid: 1
-setitimer: 1
-ptrace: 1
-recvmsg: 1
-exit: 1
-restart_syscall: 1
-gettid: 1
-write: 1
-dup3: 1
-getdents64: 1
diff --git a/seccomp/vendor.qti.hardware.dsp.policy b/seccomp/vendor.qti.hardware.dsp.policy
deleted file mode 100644
index e5b3618..0000000
--- a/seccomp/vendor.qti.hardware.dsp.policy
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright (c) 2020 Qualcomm Technologies, Inc.
-# All Rights Reserved.
-# Confidential and Proprietary - Qualcomm Technologies, Inc
-#
-# Not a contribution.
-#
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-munmap: 1
-#prctl: arg0 == PR_SET_VMA || arg0 == PR_GET_DUMPABLE || arg0 == 0x37
-mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
-futex: 1
-read: 1
-openat: 1
-close: 1
-fstat: 1
-readlinkat: 1
-newfstatat: 1
-mremap: 1
-clock_gettime: 1
-pread64: 1
-fstatfs: 1
-rt_sigaction: 1
-faccessat: 1
-rt_sigprocmask: 1
-#ioctl: arg1 == TCGETS || arg1 == BINDER_WRITE_READ || arg1 == BINDER_SET_MAX_THREADS || arg1 == BINDER_VERSION
-ioctl: 1
-getrandom: 1
-fcntl: 1
-getuid: 1
-lseek: 1
-exit_group: 1
-sched_getaffinity: 1
-writev: 1
-exit: 1
-getpid: 1
-sigaltstack: 1
-getrlimit: 1
-restart_syscall: 1
-clone: 1
-sched_getscheduler: 1
-execve: 1
-socket: arg0 == AF_UNIX
-set_tid_address: 1
-rt_sigreturn: 1
-connect: 1
-gettid: 1
-setpriority: 1
-prctl: 1
-write: 1