Conversation

@gyenugul
Contributor

Introduce a new SELinux domain for the Qualcomm pd-mapper service to ensure proper labeling, isolation, and access control under the targeted refpolicy.

Changes include:

  • Adding a new policy patch defining the pd-mapper domain
  • Adding SELinux policy rules granting pd-mapper.service the necessary permissions for sysfs node access, socket creation and communication.
  • Extending the refpolicy-targeted recipe via bbappend to integrate the domain

The patch also addresses the following AVC denials:

  • type=AVC msg=audit(387.087:312): avc: denied { read } for pid=1610 comm="pd-mapper" name="remoteproc2" dev="sysfs" ino=58235 scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
  • type=AVC msg=audit(387.087:312): avc: denied { read } for pid=1610 comm="pd-mapper" name="firmware" dev="sysfs" ino=58238 scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
  • type=AVC msg=audit(387.087:312): avc: denied { open } for pid=1610 comm="pd-mapper" path="/sys/devices/platform/soc@0/2a300000.remoteproc/remoteproc/remoteproc2/firmware" dev="sysfs" ino=58238 scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
  • type=AVC msg=audit(387.091:313): avc: denied { create } for pid=1610 comm="pd-mapper" scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:system_r:qcom_pd_mapper_t:s0 tclass=qipcrtr_socket permissive=1
  • type=AVC msg=audit(387.091:314): avc: denied { setopt } for pid=1610 comm="pd-mapper" scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:system_r:qcom_pd_mapper_t:s0 tclass=qipcrtr_socket permissive=1
  • type=AVC msg=audit(387.091:315): avc: denied { getattr } for pid=1610 comm="pd-mapper" scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:system_r:qcom_pd_mapper_t:s0 tclass=qipcrtr_socket permissive=1
  • type=AVC msg=audit(387.091:316): avc: denied { write } for pid=1610 comm="pd-mapper" scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:system_r:qcom_pd_mapper_t:s0 tclass=qipcrtr_socket permissive=1

Introduce a new SELinux domain for the Qualcomm pd-mapper service to ensure
proper labeling, isolation, and access control under the targeted refpolicy.

Changes include:
- Adding a new policy patch defining the pd-mapper domain
- Adding SELinux policy rules granting pd-mapper.service the necessary
  permissions for sysfs node access, socket creation and communication.
- Extending the refpolicy-targeted recipe via bbappend to integrate the domain

Signed-off-by: Gangabhavani Yenugula <gyenugul@qti.qualcomm.com>
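As an added example (not part of this PR or the Qualcomm recipe), the script below aggregates the AVC denials quoted in the description into the least-privilege allow rules they imply, the way a reviewer would check that the new domain grants no more than the logged denials justify. The sample log lines are the ones from the description, and rendering them as raw `.te` allow statements is a simplification: refpolicy would normally express the sysfs access through an interface such as `dev_read_sysfs` rather than a direct allow rule.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in the PR description above,
# all raised by pd-mapper running as qcom_pd_mapper_t in permissive mode.
SAMPLE_AVC = """\
type=AVC msg=audit(387.087:312): avc: denied { read } for pid=1610 comm="pd-mapper" name="remoteproc2" dev="sysfs" ino=58235 scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(387.087:312): avc: denied { read } for pid=1610 comm="pd-mapper" name="firmware" dev="sysfs" ino=58238 scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(387.087:312): avc: denied { open } for pid=1610 comm="pd-mapper" path="/sys/devices/platform/soc@0/2a300000.remoteproc/remoteproc/remoteproc2/firmware" dev="sysfs" ino=58238 scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(387.091:313): avc: denied { create } for pid=1610 comm="pd-mapper" scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:system_r:qcom_pd_mapper_t:s0 tclass=qipcrtr_socket permissive=1
type=AVC msg=audit(387.091:314): avc: denied { setopt } for pid=1610 comm="pd-mapper" scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:system_r:qcom_pd_mapper_t:s0 tclass=qipcrtr_socket permissive=1
type=AVC msg=audit(387.091:315): avc: denied { getattr } for pid=1610 comm="pd-mapper" scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:system_r:qcom_pd_mapper_t:s0 tclass=qipcrtr_socket permissive=1
type=AVC msg=audit(387.091:316): avc: denied { write } for pid=1610 comm="pd-mapper" scontext=system_u:system_r:qcom_pd_mapper_t:s0 tcontext=system_u:system_r:qcom_pd_mapper_t:s0 tclass=qipcrtr_socket permissive=1
"""

# Pull the denied permission set and the source/target contexts and class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field (third component) of a user:role:type[:range] context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record; skip silently
        yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
               frozenset(m["perms"].split()))

def summarize(text):
    """Merge denials into one rule per (source, target, class); same-type targets become 'self'."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        target = "self" if src == tgt else tgt
        rules[(src, target, cls)].update(perms)
    return {k: sorted(v) for k, v in sorted(rules.items())}

def to_te(rules):
    """Render the aggregated rules as .te allow statements for review."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in rules.items()]

if __name__ == "__main__":
    for stmt in to_te(summarize(SAMPLE_AVC)):
        print(stmt)
```

Comparing the three rendered rules against what the patch actually grants is a quick check that the domain stays as tight as the denials it was written to resolve.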
@sasikuma-qti

Change looks good to me.

Introduce SELinux policy rules granting pd-mapper.service the necessary
permissions to access sysfs nodes, socket creation, and communication.

Upstream-Status: Inappropriate [Qualcomm specific change]
Contributor


Could you please clarify what makes it inappropriate? Have you tried sending it upstream?
In the end, pd-mapper, tqftpserv and rmtfs are normal services, packaged in several distros, etc.
