From 421102574606c1d4feb4a3372051fe55c2e9a3ae Mon Sep 17 00:00:00 2001
From: Hongbo Zeng
Date: Tue, 23 Mar 2021 16:26:28 +0800
Subject: [PATCH] Fix denials for ril_config_service_app
- RilConfigService is a common google project in vendor/google/tools, sync related rules from the previous project(ag/6697240, ag/7153946) to allow it to: (1) receive intents (2) update database files under /data/vendor/radio (3) update RIL properties
- Two new denials found in this project only: avc: denied { search } for name="data" dev="dm-7" ino=93 scontext=u:r:ril_config_service_app:s0 tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=dir permissive=1 avc: denied { search } for name="0" dev="dm-7" ino=192 scontext=u:r:ril_config_service_app:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1
Bug: 182715439
Test: apply these rules and check there is no denial for RilConfigService finally
Change-Id: Icfb0e121d0d11600bda900dff0511187518105ab
---
whitechapel/vendor/google/ril_config_service.te | 9 +++++++++
whitechapel/vendor/google/seapp_contexts | 3 +++
2 files changed, 12 insertions(+)
create mode 100644 whitechapel/vendor/google/ril_config_service.te
diff --git a/whitechapel/vendor/google/ril_config_service.te b/whitechapel/vendor/google/ril_config_service.te
new file mode 100644
index 00000000..125c8c33
--- /dev/null
+++ b/whitechapel/vendor/google/ril_config_service.te
@@ -0,0 +1,9 @@
+type ril_config_service_app, domain;
+app_domain(ril_config_service_app)
+
+set_prop(ril_config_service_app, vendor_rild_prop)
+allow ril_config_service_app app_api_service:service_manager find;
+allow ril_config_service_app radio_vendor_data_file:dir rw_dir_perms;
+allow ril_config_service_app radio_vendor_data_file:file create_file_perms;
+dontaudit ril_config_service_app system_data_file:dir search;
+dontaudit ril_config_service_app user_profile_root_file:dir search;
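Review bot: The two `dontaudit` rules at the end of ril_config_service.te carry no comment explaining why the searches of `system_data_file` and `user_profile_root_file` directories can be refused silently. Both denials quoted in the commit message were logged with `permissive=1`, so the stated test does not by itself show that the app still works once those searches are actually denied. Because `dontaudit` also removes the only log trace if a later failure stems from this access, I would confirm the behaviour in enforcing mode and record the reasoning above the rules, for example `# Searches of category-labelled /data dirs are not needed by this app; refused on purpose, see b/182715439`. A short header comment mapping `set_prop`, the `service_manager find` rule and the two `radio_vendor_data_file` rules to the three purposes listed in the commit message would also make it easier to audit that the domain holds nothing beyond them.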
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index f22516fa..c845ce09 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -37,3 +37,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_ # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# RIL Config Service
+user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
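Review bot: The new `com.google.RilConfigService` entry has no `levelFrom`, unlike the `con_monitor_app` entry directly above it, and the comment does not say whether that is deliberate. Without it the domain and its `app_data_file` data presumably stay at plain `s0` with no categories, which matches the `scontext=u:r:ril_config_service_app:s0` in the denials quoted in the commit message and means the data is not category-isolated. If that is intended for a `user=radio` app, I would say so in the comment, e.g. `# RIL Config Service (radio UID; no levelFrom, data isolation relies on UID permissions)`. It is also worth confirming that the `name=` value matches the app's process name exactly, since on a mismatch the app would be labelled by whatever less specific entry applies rather than by this one.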