GRIL sepolicy for aidl radioext v2.1

avc: denied { find } for pid=2019 uid=10269 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:grilservice_app:s0:c13,c257,c512,c768 tcontext=u:object_r:hal_aidl_radio_ext_service:s0 tclass=service_manager permissive=1 avc: denied { find } for pid=6500 uid=10242 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:grilservice_app:s0:c242,c256,c512,c768 tcontext=u:object_r:hal_radio_ext_service:s0 tclass=service_manager permissive=0 avc: denied { find } for interface=vendor.google.radioext::IRadioExt sid=u:r:grilservice_app:s0:c242,c256,c512,c768 pid=6500 scontext=u:r:grilservice_app:s0:c242,c256,c512,c768 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0 avc: denied { read write } for comm="vendor.google.r" name="umts_boot0" dev="tmpfs" ino=1352 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file permissive=1 avc: denied { search } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1 avc: denied { read write } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1 avc: denied { read write } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1 avc: denied { create } for name="radio" dev="dm-53" ino=379 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 avc: denied { create } for name="radio" dev="dm-53" ino=379 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1 avc: denied { find } for interface=hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance sid=u:r:hal_aidl_radio_ext:s0 pid=792 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:hal_bluetooth_coexistence_hwservice:s0 tclass=hwservice_manager permissive=1 avc: denied { find } for interface=hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance sid=u:r:hal_aidl_radio_ext:s0 pid=792 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:hal_bluetooth_coexistence_service:s0 tclass=service_manager permissive=1 avc: denied { read } for name="link_rate" dev="sysfs" ino=111840 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 355774451 Change-Id: Iea5e0cdff82b140caa1e8b6717e94d6d78076b28 Test: verify with test roms Flag: EXEMPT sepolicy
2024-11-14 05:21:13 +00:00 · 2024-11-14 05:21:13 +00:00 · 993506e4f1
commit 993506e4f1
parent fa76c993b7
7 changed files with 59 additions and 0 deletions
--- a/gril/aidl/2.1/compatibility_matrix.xml
+++ b/gril/aidl/2.1/compatibility_matrix.xml
@ -0,0 +1,10 @@
+<compatibility-matrix version="1.0" type="framework">
+    <hal format="aidl" optional="true">
+        <name>vendor.google.radio_ext</name>
+        <version>3</version>
+        <interface>
+            <name>IRadioExt</name>
+            <instance>default</instance>
+        </interface>
+    </hal>
+</compatibility-matrix>
--- a/gril/aidl/2.1/gril_aidl.mk
+++ b/gril/aidl/2.1/gril_aidl.mk
@ -0,0 +1,4 @@
+PRODUCT_PACKAGES += vendor.google.radioext@1.0-service
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/aidl/2.1/compatibility_matrix.xml
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/aidl/2.1/sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy
--- a/gril/aidl/2.1/sepolicy/file_contexts
+++ b/gril/aidl/2.1/sepolicy/file_contexts
@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service                        u:object_r:hal_aidl_radio_ext_exec:s0
--- a/gril/aidl/2.1/sepolicy/grilservice_app.te
+++ b/gril/aidl/2.1/sepolicy/grilservice_app.te
@ -0,0 +1,4 @@
+# allow grilservice_app to find hal_radio_ext_service
+allow grilservice_app hal_radio_ext_service:service_manager find;
+binder_call(grilservice_app, hal_aidl_radio_ext)
+binder_call(grilservice_app, twoshay)
--- a/gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te
+++ b/gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te
@ -0,0 +1,36 @@
+# hal_aidl_radio_ext domain
+type hal_aidl_radio_ext, domain;
+type hal_aidl_radio_ext_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(hal_aidl_radio_ext)
+
+get_prop(hal_aidl_radio_ext, hwservicemanager_prop)
+get_prop(hal_aidl_radio_ext, telephony_modemtype_prop)
+set_prop(hal_aidl_radio_ext, vendor_gril_prop)
+
+binder_call(hal_aidl_radio_ext, servicemanager)
+binder_call(hal_aidl_radio_ext, grilservice_app)
+binder_call(hal_aidl_radio_ext, hal_bluetooth_btlinux)
+
+add_service(hal_aidl_radio_ext, hal_radio_ext_service)
+
+# RW /dev/oem_ipc0
+allow hal_aidl_radio_ext radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_aidl_radio_ext radio_vendor_data_file:dir create_dir_perms;
+allow hal_aidl_radio_ext radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_service:service_manager find;
+
+# Allow access to the backlight driver to set ssc_mode
+allow hal_aidl_radio_ext sysfs_leds:dir search;
+allow hal_aidl_radio_ext sysfs_leds:file rw_file_perms;
+
+# legacy/zuma/vendor
+allow hal_aidl_radio_ext sysfs_display:file rw_file_perms;
+
+# Allow access to read display port info
+allow hal_aidl_radio_ext sysfs:file r_file_perms;
--- a/gril/aidl/2.1/sepolicy/hal_camera_default.te
+++ b/gril/aidl/2.1/sepolicy/hal_camera_default.te
@ -0,0 +1,2 @@
+# allow hal_camera_default to binder call hal_aidl_radio_ext
+binder_call(hal_camera_default, hal_aidl_radio_ext);
--- a/gril/aidl/2.1/sepolicy/twoshay.te
+++ b/gril/aidl/2.1/sepolicy/twoshay.te
@ -0,0 +1,2 @@
+# allow twoshay to binder call hal_aidl_radio_ext
+binder_call(twoshay, hal_aidl_radio_ext)
				`@ -0,0 +1 @@`
				`/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_aidl_radio_ext_exec:s0`