Merge pull request #1077 from quic-vkatoch/fastrpc-devices

Add policy support for Qualcomm FastRPC devices

Author: pebenito

policy/modules/kernel/devices.fc

@@ -36,6 +36,10 @@
 /dev/etherd/.+		-c	gen_context(system_u:object_r:lvm_control_t,s0)
 /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+/dev/fastrpc-[as]dsp	-c	gen_context(system_u:object_r:fastrpc_device_t,s0)
+/dev/fastrpc-[as]dsp-secure	-c	gen_context(system_u:object_r:fastrpc_secure_device_t,s0)
+/dev/fastrpc-[cg]dsp[0-9]*	-c	gen_context(system_u:object_r:fastrpc_device_t,s0)
+/dev/fastrpc-[cg]dsp[0-9]*-secure	-c	gen_context(system_u:object_r:fastrpc_secure_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/freefall	-c	gen_context(system_u:object_r:freefall_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)

policy/modules/kernel/devices.if

@@ -6167,3 +6167,61 @@ interface(`dev_unconfined',`
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Allow read/ioctl/open for Qualcomm FastRPC default devices.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read the Qualcomm FastRPC default (non-secure) devices.
+##	This includes all ADSP, CDSP, GDSP, and SDSP devices:
+##	/dev/fastrpc-adsp, /dev/fastrpc-cdsp[0-9]*,
+##	/dev/fastrpc-gdsp[0-9]*, /dev/fastrpc-sdsp
+##	</p>
+##	<p>
+##	Example usage: fastrpc_read_device(xdsprpcd_t)
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fastrpc_read_device',`
+	gen_require(`
+		type device_t, fastrpc_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, fastrpc_device_t)
+')
+
+########################################
+## <summary>
+##	Allow read/ioctl/open for Qualcomm FastRPC secure devices.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read the Qualcomm FastRPC secure devices.
+##	This includes all secure ADSP, CDSP, GDSP, and SDSP devices:
+##	/dev/fastrpc-adsp-secure, /dev/fastrpc-cdsp[0-9]*-secure,
+##	/dev/fastrpc-gdsp[0-9]*-secure, /dev/fastrpc-sdsp-secure
+##	</p>
+##	<p>
+##	Example usage: fastrpc_read_secure_device(xdsprpcd_t)
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fastrpc_read_secure_device',`
+	gen_require(`
+		type device_t, fastrpc_secure_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, fastrpc_secure_device_t)
+')

policy/modules/kernel/devices.te

@@ -126,6 +126,16 @@ dev_node(framebuf_device_t)
 type freefall_device_t;
 dev_node(freefall_device_t)
 
+#
+# Qualcomm FastRPC nodes
+# Two types: one for default (non-secure) devices, one for secure devices
+#
+type fastrpc_device_t;
+dev_node(fastrpc_device_t)
+
+type fastrpc_secure_device_t;
+dev_node(fastrpc_secure_device_t)
+
 #
 # Type for GPIO chip /dev/gpiochip*
 #