
pd-mapper: Introduce SELinux domain for pd-mapper

Message ID 20260129083517.647116-1-gyenugul@qti.qualcomm.com
State New
Series pd-mapper: Introduce SELinux domain for pd-mapper

Commit Message

Ganga Bhavani Yenugula Jan. 29, 2026, 8:35 a.m. UTC
From: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com>

Define a dedicated domain (`pd_mapper_t`) to confine the pd-mapper service, ensuring
it operates in a restricted environment isolated from other init processes.

Grant the necessary permissions to resolve AVC denials observed during
the transition to enforcing mode:

 - Filesystem: Authorize read access to `/sys`.
 - Socket: Allow creation and basic use of qipcrtr_socket.

Signed-off-by: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com>

Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1070/changes/c8aef7c55e8768378c6adeda7e8edfaeecb9fa28]

---
 policy/modules/services/pd_mapper.fc |  1 +
 policy/modules/services/pd_mapper.if | 10 ++++++++++
 policy/modules/services/pd_mapper.te | 15 +++++++++++++++
 3 files changed, 26 insertions(+)
 create mode 100644 policy/modules/services/pd_mapper.fc
 create mode 100644 policy/modules/services/pd_mapper.if
 create mode 100644 policy/modules/services/pd_mapper.te

Comments

Anuj Mittal Jan. 30, 2026, 1:25 a.m. UTC | #1
On Thu, Jan 29, 2026 at 5:35 PM Ganga Bhavani Yenugula via lists.yoctoproject.org <gyenugul=qti.qualcomm.com@lists.yoctoproject.org> wrote:
>
> From: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com>
>
> Define a dedicated domain (`pd_mapper_t`) to confine the pd-mapper service, ensuring
> it operates in a restricted environment isolated from other init processes.
>
> Grant the necessary permissions to resolve AVC denials observed during
> the transition to enforcing mode:
>
>  - Filesystem: Authorize read access to `/sys`.
>  - Socket: Allow creation and basic use of qipcrtr_socket.
>
> Signed-off-by: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com>
>
> Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1070/changes/c8aef7c55e8768378c6adeda7e8edfaeecb9fa28]
>
> ---
>  policy/modules/services/pd_mapper.fc |  1 +
>  policy/modules/services/pd_mapper.if | 10 ++++++++++
>  policy/modules/services/pd_mapper.te | 15 +++++++++++++++
>  3 files changed, 26 insertions(+)
>  create mode 100644 policy/modules/services/pd_mapper.fc
>  create mode 100644 policy/modules/services/pd_mapper.if
>  create mode 100644 policy/modules/services/pd_mapper.te

This looks like a patch to refpolicy and not meta-selinux.

Thanks,

Anuj

Patch

diff --git a/policy/modules/services/pd_mapper.fc b/policy/modules/services/pd_mapper.fc
new file mode 100644
index 000000000..3d83d46b1
--- /dev/null
+++ b/policy/modules/services/pd_mapper.fc
@@ -0,0 +1 @@ 
+/usr/bin/pd-mapper      --      gen_context(system_u:object_r:pd_mapper_exec_t,s0)
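Review bot: the only file context is `/usr/bin/pd-mapper`, so a build that installs the binary under a different prefix (for example /usr/sbin) leaves it labeled with the generic bin type and the `init_daemon_domain()` transition declared in pd_mapper.te never fires, leaving the daemon running unconfined in init's domain. Either add a matching entry for /usr/sbin/pd-mapper, as other refpolicy service modules do for daemons whose install path varies, or state in the commit message that the upstream project installs only to /usr/bin.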
diff --git a/policy/modules/services/pd_mapper.if b/policy/modules/services/pd_mapper.if
new file mode 100644
index 000000000..34da5143f
--- /dev/null
+++ b/policy/modules/services/pd_mapper.if
@@ -0,0 +1,10 @@ 
+## <summary>pd-mapper</summary>
+#
+## <desc>
+## Qualcomm’s pd‑mapper service is the userspace Protection Domain mapper
+## that enables applications to access remote processors
+## (Wi‑Fi, modem, sensors, etc.)
+## on Qualcomm SoCs via the QRTR protocol.
+##
+## https://github.com/linux-msm/pd-mapper
+## </desc>
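Review bot: the `<desc>` text in `## Qualcomm’s pd‑mapper service ...` and `## (Wi‑Fi, modem, sensors, etc.)` uses a typographic apostrophe (U+2019) and non-breaking hyphens (U+2011) rather than ASCII `'` and `-`; the `## <summary>` / `## <desc>` headers are extracted into the policy documentation XML and the rest of the tree is plain ASCII, so replace them with `Qualcomm's pd-mapper` and `Wi-Fi` and run the documentation build once to confirm the file is accepted. With no interfaces defined the file is otherwise complete as a summary-only .if, which is fine for a module nothing else calls.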
diff --git a/policy/modules/services/pd_mapper.te b/policy/modules/services/pd_mapper.te
new file mode 100644
index 000000000..34a8d6bcc
--- /dev/null
+++ b/policy/modules/services/pd_mapper.te
@@ -0,0 +1,15 @@ 
+policy_module(pd_mapper)
+
+########################################
+#
+# Declarations
+#
+
+type pd_mapper_t;
+type pd_mapper_exec_t;
+init_daemon_domain(pd_mapper_t, pd_mapper_exec_t)
+
+allow pd_mapper_t self:qipcrtr_socket connected_socket_perms;
+
+# Read /sys/devices/platform/soc@0/2a300000.remoteproc/remoteproc/remoteproc2/firmware
+dev_read_sysfs(pd_mapper_t)
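Review bot: `dev_read_sysfs(pd_mapper_t)` grants read on every sysfs file, far more than the single remoteproc firmware attribute named in the comment above it, and that comment hardcodes one board's path (`soc@0/2a300000.remoteproc/.../remoteproc2`); because sysfs is uniformly labeled there is no narrower refpolicy interface, so the rule is acceptable, but reword the comment to describe the general need (reading the remoteproc firmware attribute) instead of a device-specific path so the rule is not mistaken for board-specific policy. Style: refpolicy modules separate the `Declarations` block from the rules with a `# Local policy` banner in the same `####` style; add it before the `allow pd_mapper_t self:qipcrtr_socket connected_socket_perms;` line. That permission set matches the commit message ("creation and basic use") and intentionally stops short of the connect/listen/accept sets; a one-line comment saying so would keep a later contributor from widening it to create_socket_perms without evidence of a denial.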