From 6247ff69b2bc00f2629b85c8cba242297b4310fa Mon Sep 17 00:00:00 2001
From: SalmaxChang
Date: Wed, 10 Mar 2021 14:31:55 +0800
Subject: [PATCH] cbd: Fix avc errors
avc: denied { setuid } for comm="cbd" capability=7 scontext=u:r:cbd:s0 tcontext=u:r:cbd:s0 tclass=capability permissive=1
avc: denied { search } for comm="cbd" name="vendor" dev="tmpfs" ino=2 scontext=u:r:cbd:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1
Bug: 178331928
Bug: 171267363
Change-Id: Icf28f494f05ee386ce94213929926369f2775173
---
 tracking_denials/cbd.te | 8 --------
 whitechapel/vendor/google/cbd.te | 6 ++++++
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te
index 2dd39498..f0d5d6b0 100644
--- a/tracking_denials/cbd.te
+++ b/tracking_denials/cbd.te
@@ -1,8 +1,3 @@
-# b/171267363
-dontaudit cbd cbd:capability {setuid };
-# b/178331928
-dontaudit cbd mnt_vendor_file:dir { search };
-dontaudit cbd mnt_vendor_file:dir { search };
 # b/178979986
 dontaudit cbd unlabeled:dir { getattr };
 dontaudit cbd unlabeled:file { open };
@@ -19,6 +14,3 @@ dontaudit cbd unlabeled:file { open };
 # b/179198083
 dontaudit cbd unlabeled:file { ioctl };
 dontaudit cbd unlabeled:file { ioctl };
-# b/182219008
-dontaudit cbd persist_file:dir { search };
-dontaudit cbd persist_file:dir { search };
diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te
index 41ee23d7..c283c3b3 100644
--- a/whitechapel/vendor/google/cbd.te
+++ b/whitechapel/vendor/google/cbd.te
@@ -6,6 +6,12 @@ set_prop(cbd, vendor_modem_prop)
 set_prop(cbd, vendor_cbd_prop)
 set_prop(cbd, vendor_rild_prop)
+# Allow cbd to setuid from root to radio
+# TODO: confirming with vendor via b/182334947
+allow cbd self:capability { setgid setuid };
+
+allow cbd mnt_vendor_file:dir r_dir_perms;
+
 allow cbd kmsg_device:chr_file rw_file_perms;
 allow cbd vendor_shell_exec:file execute_no_trans;
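Review bot: Both new allow rules in whitechapel/vendor/google/cbd.te grant more than the denials quoted in the commit message: `allow cbd self:capability { setgid setuid };` adds `setgid` although only `setuid` (capability=7) was logged, and `allow cbd mnt_vendor_file:dir r_dir_perms;` grants the full read-directory permission set where the log shows only `search`. If cbd only needs to traverse the mount point, `allow cbd mnt_vendor_file:dir search;` is enough, and the capability comment should state why `setgid` is included (presumably the group switch that accompanies dropping from root to radio) so the grant can be audited once b/182334947 is answered. The second hunk of tracking_denials/cbd.te also removes the `dontaudit cbd persist_file:dir { search };` entries for b/182219008, yet no matching rule appears in this hunk and the commit message does not mention that bug; the rest of cbd.te lies outside the hunk, so confirm the denial is handled elsewhere rather than left to resurface.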