| Message ID | 20260130102853.2437991-1-gyenugul@qti.qualcomm.com |
|---|---|
| State | New |
| Series | [meta-selinux] pd-mapper: Introduce SELinux domain for pd-mapper |
Thanks for your patch. I won't merge it at this time because I am currently working on updating refpolicy, and this backport patch will be included in the updated version.

//Yi

On 1/30/26 18:28, Ganga Bhavani Yenugula via lists.yoctoproject.org wrote:
> From: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> > > Define a dedicated domain (`pd_mapper_t`) to confine pd-mapper service, ensuring > it operates in a restricted environment isolated from other init processes. > > Grant the necessary permissions to resolve AVC denials observed during > the transition to enforcing mode: > > - Filesystem: Authorize read access to `/sys`. > - Socket: Allow creation and basic use of qipcrtr_socket > > Signed-off-by: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> > --- > ...troduce-SELinux-domain-for-pd-mapper.patch | 73 +++++++++++++++++++ > .../refpolicy/refpolicy_common.inc | 1 + > 2 files changed, 74 insertions(+) > create mode 100644 recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch > > diff --git a/recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch b/recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch > new file mode 100644 > index 0000000..ec89ca9 > --- /dev/null > +++ b/recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch 
> @@ -0,0 +1,73 @@ > +From 29630f1034ebaaccdf10366f23616367ae138f1e Mon Sep 17 00:00:00 2001 > +From: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> > +Date: Thu, 22 Jan 2026 16:14:50 +0530 > +Subject: [PATCH] pd-mapper: Introduce SELinux domain for pd-mapper > + > +Define a dedicated domain (`pd_mapper_t`) to confine pd-mapper service, ensuring > +it operates in a restricted environment isolated from other init processes. > + > +Grant the necessary permissions to resolve AVC denials observed during > +the transition to enforcing mode: > + > + - Filesystem: Authorize read access to `/sys`. > + - Socket: Allow creation and basic use of qipcrtr_socket > + > +Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1070/changes/c8aef7c55e8768378c6adeda7e8edfaeecb9fa28] > + > +Signed-off-by: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> > +--- > + policy/modules/services/pd_mapper.fc | 1 + > + policy/modules/services/pd_mapper.if | 10 ++++++++++ > + policy/modules/services/pd_mapper.te | 15 +++++++++++++++ > + 3 files changed, 26 insertions(+) > + create mode 100644 policy/modules/services/pd_mapper.fc > + create mode 100644 policy/modules/services/pd_mapper.if > + create mode 100644 policy/modules/services/pd_mapper.te > + > +diff --git a/policy/modules/services/pd_mapper.fc b/policy/modules/services/pd_mapper.fc > +new file mode 100644 > +index 000000000..3d83d46b1 > +--- /dev/null > ++++ b/policy/modules/services/pd_mapper.fc > +@@ -0,0 +1 @@ > ++/usr/bin/pd-mapper -- gen_context(system_u:object_r:pd_mapper_exec_t,s0) > +diff --git a/policy/modules/services/pd_mapper.if b/policy/modules/services/pd_mapper.if > +new file mode 100644 > +index 000000000..34da5143f > +--- /dev/null > ++++ b/policy/modules/services/pd_mapper.if > +@@ -0,0 +1,10 @@ > ++## <summary>pd-mapper</summary> > ++# > ++## <desc> > ++## Qualcomm’s pd‑mapper service is the userspace Protection Domain mapper > ++## that enables applications to access remote processors > ++## 
(Wi‑Fi, modem, sensors, etc.) > ++## on Qualcomm SoCs via the QRTR protocol. > ++## > ++## https://github.com/linux-msm/pd-mapper > ++## </desc> > +diff --git a/policy/modules/services/pd_mapper.te b/policy/modules/services/pd_mapper.te > +new file mode 100644 > +index 000000000..34a8d6bcc > +--- /dev/null > ++++ b/policy/modules/services/pd_mapper.te > +@@ -0,0 +1,15 @@ > ++policy_module(pd_mapper) > ++ > ++######################################## > ++# > ++# Declarations > ++# > ++ > ++type pd_mapper_t; > ++type pd_mapper_exec_t; > ++init_daemon_domain(pd_mapper_t, pd_mapper_exec_t) > ++ > ++allow pd_mapper_t self:qipcrtr_socket connected_socket_perms; > ++ > ++# Read /sys/devices/platform/soc@0/2a300000.remoteproc/remoteproc/remoteproc2/firmware > ++dev_read_sysfs(pd_mapper_t) > +-- > +2.34.1 > + > diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc > index 59dfecd..9d74c85 100644 > --- a/recipes-security/refpolicy/refpolicy_common.inc > +++ b/recipes-security/refpolicy/refpolicy_common.inc > @@ -72,6 +72,7 @@ SRC_URI += " \ > file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ > file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ > file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ > + file://0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch \ > " > > S = "${UNPACKDIR}/refpolicy"
Could you please share an expected timeline for the refpolicy update that will include the pd-mapper changes?

________________________________
From: Yi Zhao <yi.zhao@windriver.com>
Sent: Monday, February 2, 2026 2:18 PM
To: Ganga Bhavani Yenugula <gyenugul@qti.qualcomm.com>
Cc: yocto-patches@lists.yoctoproject.org <yocto-patches@lists.yoctoproject.org>
Subject: Re: [yocto-patches] [meta-selinux][PATCH] pd-mapper: Introduce SELinux domain for pd-mapper

WARNING: This email originated from outside of Qualcomm. Please be wary of any links or attachments, and do not enable macros.

Thanks for your patch. I won't merge it at this time because I am currently working on updating refpolicy, and this backport patch will be included in the updated version.

//Yi

On 1/30/26 18:28, Ganga Bhavani Yenugula via lists.yoctoproject.org wrote:
> From: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> > > Define a dedicated domain (`pd_mapper_t`) to confine pd-mapper service, ensuring > it operates in a restricted environment isolated from other init processes. > > Grant the necessary permissions to resolve AVC denials observed during > the transition to enforcing mode: > > - Filesystem: Authorize read access to `/sys`. > - Socket: Allow creation and basic use of qipcrtr_socket > > Signed-off-by: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> > --- > ...troduce-SELinux-domain-for-pd-mapper.patch | 73 +++++++++++++++++++ > .../refpolicy/refpolicy_common.inc | 1 + > 2 files changed, 74 insertions(+) > create mode 100644 recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch > > diff --git a/recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch b/recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch > new file mode 100644 > index 0000000..ec89ca9 > --- /dev/null 
> +++ b/recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch 
> @@ -0,0 +1,73 @@ > +From 29630f1034ebaaccdf10366f23616367ae138f1e Mon Sep 17 00:00:00 2001 > +From: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> > +Date: Thu, 22 Jan 2026 16:14:50 +0530 > +Subject: [PATCH] pd-mapper: Introduce SELinux domain for pd-mapper > + > +Define a dedicated domain (`pd_mapper_t`) to confine pd-mapper service, ensuring > +it operates in a restricted environment isolated from other init processes. > + > +Grant the necessary permissions to resolve AVC denials observed during > +the transition to enforcing mode: > + > + - Filesystem: Authorize read access to `/sys`. > + - Socket: Allow creation and basic use of qipcrtr_socket > + > +Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1070/changes/c8aef7c55e8768378c6adeda7e8edfaeecb9fa28] > + > +Signed-off-by: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> > +--- > + policy/modules/services/pd_mapper.fc | 1 + > + policy/modules/services/pd_mapper.if | 10 ++++++++++ > + policy/modules/services/pd_mapper.te | 15 +++++++++++++++ > + 3 files changed, 26 insertions(+) > + create mode 100644 policy/modules/services/pd_mapper.fc > + create mode 100644 policy/modules/services/pd_mapper.if > + create mode 100644 policy/modules/services/pd_mapper.te > + > +diff --git a/policy/modules/services/pd_mapper.fc b/policy/modules/services/pd_mapper.fc > +new file mode 100644 > +index 000000000..3d83d46b1 > +--- /dev/null > ++++ b/policy/modules/services/pd_mapper.fc > +@@ -0,0 +1 @@ > ++/usr/bin/pd-mapper -- gen_context(system_u:object_r:pd_mapper_exec_t,s0) > +diff --git a/policy/modules/services/pd_mapper.if b/policy/modules/services/pd_mapper.if > +new file mode 100644 > +index 000000000..34da5143f > +--- /dev/null > ++++ b/policy/modules/services/pd_mapper.if > +@@ -0,0 +1,10 @@ > ++## <summary>pd-mapper</summary> > ++# > ++## <desc> > ++## Qualcomm’s pd‑mapper service is the userspace Protection Domain mapper > ++## that enables applications to access remote processors > ++## 
(Wi‑Fi, modem, sensors, etc.) > ++## on Qualcomm SoCs via the QRTR protocol. > ++## > ++## https://github.com/linux-msm/pd-mapper > ++## </desc> > +diff --git a/policy/modules/services/pd_mapper.te b/policy/modules/services/pd_mapper.te > +new file mode 100644 > +index 000000000..34a8d6bcc > +--- /dev/null > ++++ b/policy/modules/services/pd_mapper.te > +@@ -0,0 +1,15 @@ > ++policy_module(pd_mapper) > ++ > ++######################################## > ++# > ++# Declarations > ++# > ++ > ++type pd_mapper_t; > ++type pd_mapper_exec_t; > ++init_daemon_domain(pd_mapper_t, pd_mapper_exec_t) > ++ > ++allow pd_mapper_t self:qipcrtr_socket connected_socket_perms; > ++ > ++# Read /sys/devices/platform/soc@0/2a300000.remoteproc/remoteproc/remoteproc2/firmware > ++dev_read_sysfs(pd_mapper_t) > +-- > +2.34.1 > + > diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc > index 59dfecd..9d74c85 100644 > --- a/recipes-security/refpolicy/refpolicy_common.inc > +++ b/recipes-security/refpolicy/refpolicy_common.inc > @@ -72,6 +72,7 @@ SRC_URI += " \ > file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ > file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ > file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ > + file://0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch \ > " > > S = "${UNPACKDIR}/refpolicy"
diff --git a/recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch b/recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch new file mode 100644 index 0000000..ec89ca9 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch 
@@ -0,0 +1,73 @@ +From 29630f1034ebaaccdf10366f23616367ae138f1e Mon Sep 17 00:00:00 2001 +From: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> +Date: Thu, 22 Jan 2026 16:14:50 +0530 +Subject: [PATCH] pd-mapper: Introduce SELinux domain for pd-mapper + +Define a dedicated domain (`pd_mapper_t`) to confine pd-mapper service, ensuring +it operates in a restricted environment isolated from other init processes. + +Grant the necessary permissions to resolve AVC denials observed during +the transition to enforcing mode: + + - Filesystem: Authorize read access to `/sys`. + - Socket: Allow creation and basic use of qipcrtr_socket + +Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1070/changes/c8aef7c55e8768378c6adeda7e8edfaeecb9fa28] + +Signed-off-by: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com> +--- + policy/modules/services/pd_mapper.fc | 1 + + policy/modules/services/pd_mapper.if | 10 ++++++++++ + policy/modules/services/pd_mapper.te | 15 +++++++++++++++ + 3 files changed, 26 insertions(+) + create mode 100644 policy/modules/services/pd_mapper.fc + create mode 100644 policy/modules/services/pd_mapper.if + create mode 100644 policy/modules/services/pd_mapper.te + +diff --git a/policy/modules/services/pd_mapper.fc b/policy/modules/services/pd_mapper.fc +new file mode 100644 +index 000000000..3d83d46b1 +--- /dev/null ++++ b/policy/modules/services/pd_mapper.fc +@@ -0,0 +1 @@ ++/usr/bin/pd-mapper -- gen_context(system_u:object_r:pd_mapper_exec_t,s0) +diff --git a/policy/modules/services/pd_mapper.if b/policy/modules/services/pd_mapper.if +new file mode 100644 +index 000000000..34da5143f +--- /dev/null ++++ b/policy/modules/services/pd_mapper.if +@@ -0,0 +1,10 @@ ++## <summary>pd-mapper</summary> ++# ++## <desc> ++## Qualcomm’s pd‑mapper service is the userspace Protection Domain mapper ++## that enables applications to access remote processors ++## (Wi‑Fi, modem, sensors, etc.) ++## on Qualcomm SoCs via the QRTR protocol. 
++## ++## https://github.com/linux-msm/pd-mapper ++## </desc> +diff --git a/policy/modules/services/pd_mapper.te b/policy/modules/services/pd_mapper.te +new file mode 100644 +index 000000000..34a8d6bcc +--- /dev/null ++++ b/policy/modules/services/pd_mapper.te +@@ -0,0 +1,15 @@ ++policy_module(pd_mapper) ++ ++######################################## ++# ++# Declarations ++# ++ ++type pd_mapper_t; ++type pd_mapper_exec_t; ++init_daemon_domain(pd_mapper_t, pd_mapper_exec_t) ++ ++allow pd_mapper_t self:qipcrtr_socket connected_socket_perms; ++ ++# Read /sys/devices/platform/soc@0/2a300000.remoteproc/remoteproc/remoteproc2/firmware ++dev_read_sysfs(pd_mapper_t) +-- +2.34.1 + diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 59dfecd..9d74c85 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -72,6 +72,7 @@ SRC_URI += " \ file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ + file://0057-pd-mapper-Introduce-SELinux-domain-for-pd-mapper.patch \ " S = "${UNPACKDIR}/refpolicy"
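Review bot: in the pd_mapper.te hunk, the `allow pd_mapper_t self:qipcrtr_socket connected_socket_perms;` and `dev_read_sysfs(pd_mapper_t)` rules sit under the `# Declarations` banner; refpolicy convention keeps only type declarations there and puts rules under their own `# Local policy` banner (`########################################` / `#` / `# Local policy` / `#`), so please add that section before the first rule. The comment above `dev_read_sysfs` also cites a single board-specific path (`/sys/devices/platform/soc@0/2a300000.remoteproc/remoteproc/remoteproc2/firmware`) while the interface grants read access to sysfs as a whole; a comment stating the general need (reading remoteproc firmware attributes under sysfs) matches what is actually granted and will not go stale on other SoCs.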
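Review bot: the pd_mapper.if hunk carries non-ASCII characters in its description, a curly apostrophe in `Qualcomm’s` and non-breaking hyphens in `pd‑mapper` and `Wi‑Fi`; refpolicy sources are plain ASCII, and the non-breaking hyphens mean a grep for `pd-mapper` will not find these lines, so please replace them with `'` and `-`. The file declares no interfaces, which is fine for a module nothing else calls into, but the `<summary>` could describe the daemon (for instance, "Qualcomm protection domain mapper") rather than only repeating its name.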
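Review bot: the `Upstream-Status: Backport [...]` line in the embedded patch points at a pull request's `changes/<sha>` view (`pull/1070/changes/c8aef7c55e8768378c6adeda7e8edfaeecb9fa28`). If the change is already merged upstream, link the commit in the refpolicy repository itself so the reference stays valid after the PR branch is gone; if it is still only submitted, the Yocto convention is `Upstream-Status: Submitted [url]` rather than `Backport`.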
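Review bot: the refpolicy_common.inc hunk adds the 0057 patch to SRC_URI unconditionally, and the diffstat shows only the three new policy files plus this recipe change, with no modules.conf update; please confirm the new `pd_mapper` module is actually enabled in the built policy (if it is not, the `/usr/bin/pd-mapper` file context and the `pd_mapper_t` domain never reach the target), and, since pd-mapper is Qualcomm-specific, whether it should be enabled by default on all targets or gated to the machines that ship the daemon.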