From f7dab66f68cabc8bbcdaf62cee284ec319d2fb92 Mon Sep 17 00:00:00 2001
From: quark2323
Date: Sun, 21 Jun 2020 06:00:17 +0300
Subject: [PATCH] sm8250-common: Pull device/qcom/sepolicy rules for bootctrl/update_engine

Change-Id: Ia47d46e8e83562d905aeb51ce8318bee5d538701
---
 sepolicy/vendor/device.te | 2 +
 sepolicy/vendor/file_contexts | 3 ++
 sepolicy/vendor/hal_bootctl.te | 64 +++++++++++++++++++++++++
 sepolicy/vendor/update_engine_common.te | 39 +++++++++++++++
 4 files changed, 108 insertions(+)
 create mode 100644 sepolicy/vendor/hal_bootctl.te
 create mode 100644 sepolicy/vendor/update_engine_common.te

diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index 24db6e6..26bec60 100644
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -1,3 +1,4 @@
+type ab_block_device, dev_type;
 type custom_ab_block_device, dev_type;
 type efs_boot_dev, dev_type;
 type gpt_block_device, dev_type;
@@ -7,6 +8,7 @@ type modem_block_device, dev_type;
 type modem_efs_partition_device, dev_type;
 type persist_block_device, dev_type;
 type rpmb_device, dev_type;
+type sg_device, dev_type;
 type ssd_block_device, dev_type;
 type uefi_block_device, dev_type;
 type xbl_block_device, dev_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 9a08d8f..2b140f8 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,3 +1,6 @@
+# devices
+/dev/sg[0-9]+ u:object_r:sg_device:s0
+
 # graphics device
 /dev/mdss_rotator u:object_r:graphics_device:s0
 /dev/dri/card0 u:object_r:graphics_device:s0
diff --git a/sepolicy/vendor/hal_bootctl.te b/sepolicy/vendor/hal_bootctl.te
new file mode 100644
index 0000000..7e6e3e1
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl.te
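Review bot: In sepolicy/vendor/device.te, `type ab_block_device, dev_type;` is declared, but the commit's only file_contexts change labels the /dev/sg nodes, so unless another policy directory assigns this label no device node carries the type and `allow hal_bootctl ab_block_device:blk_file getattr;` in hal_bootctl.te never matches. Either add the by-name patterns for the A/B partitions the HAL needs to stat, or leave out the type and the rule. A short comment above the declaration saying which partitions it is meant to cover, such as `# A/B partitions that hal_bootctl only needs to stat`, would make the intent checkable.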
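Review bot: In sepolicy/vendor/file_contexts, `/dev/sg[0-9]+` puts every SCSI generic node under the single `sg_device` type, so `allow hal_bootctl sg_device:chr_file rw_file_perms;` in hal_bootctl.te reaches all of them rather than only the node behind the XBL slot switch. rw_file_perms includes `ioctl`, and as far as this commit shows there is no `allowxperm` for that pair, so the grant is not confined to the UFS_IOCTL_QUERY request the comment there names. An ioctl allow-list next to that rule would narrow it, `allowxperm hal_bootctl sg_device:chr_file ioctl { <ioctl numbers the HAL issues> };`. The `# devices` comment could also say what the nodes are, e.g. `# SCSI generic nodes used by the boot control HAL`.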
@@ -0,0 +1,64 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# These are the permissions required to use the boot_control HAL implemented
+# here: hardware/qcom/bootctrl/boot_control.c
+
+# Getting and setting GPT attributes for the bootloader iterates over all the
+# partition names in the block_device directory /dev/block/.../by-name
+allow hal_bootctl block_device:dir r_dir_perms;
+
+# Edit the attributes stored in the GPT.
+allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
+allow hal_bootctl root_block_device:blk_file rw_file_perms;
+
+# Allow boot_control_hal to get attributes on all the A/B partitions.
+allow hal_bootctl boot_block_device:blk_file rw_file_perms;
+allow hal_bootctl ab_block_device:blk_file getattr;
+allow hal_bootctl xbl_block_device:blk_file getattr;
+allow hal_bootctl modem_block_device:blk_file getattr;
+allow hal_bootctl system_block_device:blk_file getattr;
+allow hal_bootctl custom_ab_block_device:blk_file getattr;
+allow hal_bootctl recovery_block_device:blk_file getattr;
+allow hal_bootctl mdtp_device:blk_file getattr;
+allow hal_bootctl_server misc_block_device:blk_file rw_file_perms;
+
+# Access /dev/sgN devices (generic SCSI) to write the
+# A/B slot selection for the XBL partition. Allow also to issue a
+# UFS_IOCTL_QUERY ioctl.
+allow hal_bootctl sg_device:chr_file rw_file_perms;
+
+# The sys_rawio denial message is benign, and shows up due to a capability()
+# call made by the scsi driver to check for CAP_SYS_RAWIO. Not having this
+# does not result in a error
+dontaudit hal_bootctl self:capability sys_rawio;
+
+# Read the sysfs to lookup what /dev/sgN device
+# corresponds to the XBL partitions.
+allow hal_bootctl sysfs_scsi_target:dir r_dir_perms;
+
+# Write to the XBL devices.
+allow hal_bootctl xbl_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/update_engine_common.te b/sepolicy/vendor/update_engine_common.te
new file mode 100644
index 0000000..62d5602
--- /dev/null
+++ b/sepolicy/vendor/update_engine_common.te
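Review bot: In sepolicy/vendor/hal_bootctl.te, `allow hal_bootctl root_block_device:blk_file rw_file_perms;` is the widest grant in the file and has no comment of its own; if root_block_device labels the whole-disk node, as it conventionally does, write access there covers every partition and turns the getattr-only rules below it into a formality. It needs a line saying why `gpt_block_device` alone is not sufficient on this platform, or it should be dropped if it is. Two smaller points: the comment "Allow boot_control_hal to get attributes on all the A/B partitions" sits above `boot_block_device` and `misc_block_device` rules that grant rw_file_perms rather than getattr, and the misc rule is the only one written against `hal_bootctl_server` instead of `hal_bootctl`. The `xbl_block_device:blk_file getattr` line is also subsumed by the rw rule at the end of the file.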
@@ -0,0 +1,39 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow update_engine and update_engine_sideload (recovery) read/write on the
+# device-specific partitions it should update.
+allow update_engine_common {
+ custom_ab_block_device
+ xbl_block_device
+ ssd_block_device
+ modem_block_device
+ uefi_block_device
+ recovery_block_device
+}:blk_file rw_file_perms;
+
+allow update_engine_common tmpfs:lnk_file r_file_perms;
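Review bot: `allow update_engine_common tmpfs:lnk_file r_file_perms;` at the end of update_engine_common.te is the only rule in the file without a comment, and `tmpfs` is the generic type for objects on a tmpfs mount that were never given a more specific label. Presumably it is there so the updater can follow partition symlinks that are not labelled yet; if so, say that above the rule and name the path, and prefer labelling those links in file_contexts so the generic grant can go. As written, the rule lets both update_engine and the sideload domain read any symlink that happens to carry the default tmpfs label.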