From 993506e4f1e30d6a890ecf8c3b3ed492e0d174a6 Mon Sep 17 00:00:00 2001 
From: Julius Snipes
Date: Thu, 14 Nov 2024 05:21:13 +0000
Subject: [PATCH] GRIL sepolicy for aidl radioext v2.1
avc: denied { find } for pid=2019 uid=10269 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:grilservice_app:s0:c13,c257,c512,c768 tcontext=u:object_r:hal_aidl_radio_ext_service:s0 tclass=service_manager permissive=1
avc: denied { find } for pid=6500 uid=10242 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:grilservice_app:s0:c242,c256,c512,c768 tcontext=u:object_r:hal_radio_ext_service:s0 tclass=service_manager permissive=0
avc: denied { find } for interface=vendor.google.radioext::IRadioExt sid=u:r:grilservice_app:s0:c242,c256,c512,c768 pid=6500 scontext=u:r:grilservice_app:s0:c242,c256,c512,c768 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0
avc: denied { read write } for comm="vendor.google.r" name="umts_boot0" dev="tmpfs" ino=1352 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file permissive=1
avc: denied { search } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
avc: denied { read write } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1
avc: denied { read write } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1
avc: denied { create } for name="radio" dev="dm-53" ino=379 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
avc: denied { create } for name="radio" dev="dm-53" ino=379 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1
avc: denied { find } for interface=hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance sid=u:r:hal_aidl_radio_ext:s0 pid=792 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:hal_bluetooth_coexistence_hwservice:s0 tclass=hwservice_manager permissive=1
avc: denied { find } for interface=hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance sid=u:r:hal_aidl_radio_ext:s0 pid=792 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:hal_bluetooth_coexistence_service:s0 tclass=service_manager permissive=1
avc: denied { read } for name="link_rate" dev="sysfs" ino=111840 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
Bug: 355774451
Change-Id: Iea5e0cdff82b140caa1e8b6717e94d6d78076b28
Test: verify with test roms
Flag: EXEMPT sepolicy
---
gril/aidl/2.1/compatibility_matrix.xml | 10 ++++++
gril/aidl/2.1/gril_aidl.mk | 4 +++
gril/aidl/2.1/sepolicy/file_contexts | 1 +
gril/aidl/2.1/sepolicy/grilservice_app.te | 4 +++
gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te | 36 ++++++++++++++++++++
gril/aidl/2.1/sepolicy/hal_camera_default.te | 2 ++
gril/aidl/2.1/sepolicy/twoshay.te | 2 ++
7 files changed, 59 insertions(+)
create mode 100644 gril/aidl/2.1/compatibility_matrix.xml
create mode 100644 gril/aidl/2.1/gril_aidl.mk
create mode 100644 gril/aidl/2.1/sepolicy/file_contexts
create mode 100644 gril/aidl/2.1/sepolicy/grilservice_app.te
create mode 100644 gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te
create mode 100644 gril/aidl/2.1/sepolicy/hal_camera_default.te
create mode 100644 gril/aidl/2.1/sepolicy/twoshay.te
diff --git a/gril/aidl/2.1/compatibility_matrix.xml b/gril/aidl/2.1/compatibility_matrix.xml
new file mode 100644
index 0000000..c1ce8f9
--- /dev/null
+++ b/gril/aidl/2.1/compatibility_matrix.xml
@@ -0,0 +1,10 @@
+
+
+ vendor.google.radio_ext
+ 3
+
+ IRadioExt
+ default
+
+
+
diff --git a/gril/aidl/2.1/gril_aidl.mk b/gril/aidl/2.1/gril_aidl.mk
new file mode 100644
index 0000000..d5bc3fc
--- /dev/null
+++ b/gril/aidl/2.1/gril_aidl.mk
@@ -0,0 +1,4 @@
+PRODUCT_PACKAGES += vendor.google.radioext@1.0-service
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/aidl/2.1/compatibility_matrix.xml
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/aidl/2.1/sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy
diff --git a/gril/aidl/2.1/sepolicy/file_contexts b/gril/aidl/2.1/sepolicy/file_contexts
new file mode 100644
index 0000000..9973b80
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_aidl_radio_ext_exec:s0
diff --git a/gril/aidl/2.1/sepolicy/grilservice_app.te b/gril/aidl/2.1/sepolicy/grilservice_app.te
new file mode 100644
index 0000000..812c8a2
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/grilservice_app.te
@@ -0,0 +1,4 @@
+# allow grilservice_app to find hal_radio_ext_service
+allow grilservice_app hal_radio_ext_service:service_manager find;
+binder_call(grilservice_app, hal_aidl_radio_ext)
+binder_call(grilservice_app, twoshay)
diff --git a/gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te b/gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te
new file mode 100644
index 0000000..eaff153
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/hal_aidl_radio_ext.te
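Review bot: The service binary added on the first line is named `vendor.google.radioext@1.0-service`, HIDL-style, while this makefile lives under `gril/aidl/2.1` and the matrix it registers on the next line describes an AIDL interface, and nothing in the file says the two refer to the same component. A header comment such as `# radioext AIDL HAL 2.1; the service binary is still named vendor.google.radioext@1.0-service` would save the next reader a grep. The same binary name is what file_contexts in this change labels as `hal_aidl_radio_ext_exec`, so the two files have to be kept in step if it is ever renamed.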
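Review bot: `binder_call(grilservice_app, twoshay)` on the last line is not backed by any of the denials quoted in the commit message, and the only comment in the file covers the find rule, so a reader cannot tell why the app needs a binder channel to twoshay; a one-line comment naming the call path would make the grant reviewable. The same applies to the binder_call rules added in hal_camera_default.te and twoshay.te, which none of the quoted denials cover either. Separately, the first denial in the commit message names the service label `hal_aidl_radio_ext_service`, while the rule here grants find only on `hal_radio_ext_service`; the latter matches the later permissive=0 denial and the add_service in hal_aidl_radio_ext.te, so the former is presumably an obsolete label, but it is worth confirming the service_contexts entry so the app is not still denied under the other name.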
@@ -0,0 +1,36 @@
+# hal_aidl_radio_ext domain
+type hal_aidl_radio_ext, domain;
+type hal_aidl_radio_ext_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(hal_aidl_radio_ext)
+
+get_prop(hal_aidl_radio_ext, hwservicemanager_prop)
+get_prop(hal_aidl_radio_ext, telephony_modemtype_prop)
+set_prop(hal_aidl_radio_ext, vendor_gril_prop)
+
+binder_call(hal_aidl_radio_ext, servicemanager)
+binder_call(hal_aidl_radio_ext, grilservice_app)
+binder_call(hal_aidl_radio_ext, hal_bluetooth_btlinux)
+
+add_service(hal_aidl_radio_ext, hal_radio_ext_service)
+
+# RW /dev/oem_ipc0
+allow hal_aidl_radio_ext radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_aidl_radio_ext radio_vendor_data_file:dir create_dir_perms;
+allow hal_aidl_radio_ext radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_service:service_manager find;
+
+# Allow access to the backlight driver to set ssc_mode
+allow hal_aidl_radio_ext sysfs_leds:dir search;
+allow hal_aidl_radio_ext sysfs_leds:file rw_file_perms;
+
+# legacy/zuma/vendor
+allow hal_aidl_radio_ext sysfs_display:file rw_file_perms;
+
+# Allow access to read display port info
+allow hal_aidl_radio_ext sysfs:file r_file_perms;
diff --git a/gril/aidl/2.1/sepolicy/hal_camera_default.te b/gril/aidl/2.1/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..61f8001
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/hal_camera_default.te
@@ -0,0 +1,2 @@
+# allow hal_camera_default to binder call hal_aidl_radio_ext
+binder_call(hal_camera_default, hal_aidl_radio_ext);
diff --git a/gril/aidl/2.1/sepolicy/twoshay.te b/gril/aidl/2.1/sepolicy/twoshay.te
new file mode 100644
index 0000000..f7d3fe1
--- /dev/null
+++ b/gril/aidl/2.1/sepolicy/twoshay.te
@@ -0,0 +1,2 @@
+# allow twoshay to binder call hal_aidl_radio_ext
+binder_call(twoshay, hal_aidl_radio_ext)
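Review bot: `allow hal_aidl_radio_ext sysfs:file r_file_perms;` on the last line grants read on the generic `sysfs` type, i.e. every sysfs file that has no more specific label, which is far wider than the single `link_rate` node in the denial it addresses; the least-privilege fix is to give that node a dedicated type in genfs_contexts and allow only that, and until then the comment should say so, e.g. `# TODO: label the link_rate node via genfs_contexts instead of reading generic sysfs`. The `sysfs_leds:file rw_file_perms` and `sysfs_display:file rw_file_perms` rules have the same shape: the quoted denials name only `backlight`, but the grants cover every file carrying those types. Two comments also do not match what they annotate: `# RW /dev/oem_ipc0` sits above a rule on the whole `radio_device` type while the quoted denial is for `umts_boot0`, and `# legacy/zuma/vendor` does not say what the sysfs_display write is for.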
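Review bot: The trailing `;` on `binder_call(hal_camera_default, hal_aidl_radio_ext);` is inconsistent with every other macro invocation in this change (twoshay.te, grilservice_app.te, hal_aidl_radio_ext.te), none of which has one; it should read `binder_call(hal_camera_default, hal_aidl_radio_ext)`. Whether checkpolicy tolerates a stray terminator after the m4 expansion is worth confirming with a build rather than assumed.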