From 3a2d59d8a93ef1980cc846de4a3b359961463b23 Mon Sep 17 00:00:00 2001
From: Hungyen Weng
Date: Mon, 25 Mar 2024 20:33:16 +0000
Subject: [PATCH] Allow modem_svc to access modem files and perfetto

Bug: 331147031
Bug: 330730987
Test: Confirmed that modem_svc is able to access token db files in modem partition
Test: Confiemed that modem_svc can send traces to perfetto
Test: Confirmed v2/pixel-health-guard/device-boot-health-check-extra has no modem_svc avc denials.
Change-Id: I5fabd3177c758be533ca8bdef3cb3305afd6a5a6
---
 tracking_denials/bug_map | 2 +-
 whitechapel/vendor/google/modem_svc_sit.te | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 51624460..bb1e6993 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -5,7 +5,6 @@ incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
 kernel dm_device blk_file b/315907959
 kernel tmpfs chr_file b/315907959
-modem_svc_sit traced_producer_socket sock_file b/331147031
 rfsd vendor_cbd_prop file b/317734418
 shell sysfs_net file b/329380904
 surfaceflinger selinuxfs file b/313804340
@@ -16,3 +15,4 @@ untrusted_app userdebug_or_eng_prop file b/305600845
 vendor_init default_prop file b/315104713
 vendor_init default_prop file b/316817111
 vendor_init default_prop property_service b/315104713
+
diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te
index 63dec363..0eb7498d 100644
--- a/whitechapel/vendor/google/modem_svc_sit.te
+++ b/whitechapel/vendor/google/modem_svc_sit.te
@@ -17,7 +17,7 @@ allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
 allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
 allow modem_svc_sit modem_stat_data_file:file create_file_perms;
-allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;
 allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
 allow modem_svc_sit modem_userdata_file:file create_file_perms;
@@ -33,3 +33,12 @@ get_prop(modem_svc_sit, vendor_logger_prop)
 # Modem property
 set_prop(modem_svc_sit, vendor_modem_prop)
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(modem_svc_sit)
+
+# Allow modem_svc_sit to access modem image file/dir
+allow modem_svc_sit modem_img_file:dir r_dir_perms;
+allow modem_svc_sit modem_img_file:file r_file_perms;
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
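Review bot: `+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;` widens the grant on the mnt_vendor_file directory from path traversal (`search`) to listing and reading its entries, and neither the comment nor the commit message says why listing is needed — the message only mentions modem files and perfetto, and the only denial retired in bug_map is the traced_producer_socket one. If the service merely passes through that directory to reach the modem image, the existing `search` together with the new modem_img_file rules in the second hunk presumably already suffices and this line can be reverted. If directory enumeration is genuinely required, add a comment above the rule naming what is listed, e.g. `# List <mnt_vendor path placeholder> to locate the modem image`, so the broader rule is reviewable. The surrounding rule group continues outside the hunk (the hunk header counts seven old lines but only six are visible here, likely blank context lines lost in transport).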
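Review bot: `+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;` grants more than symlink handling needs; following a symlink during path lookup is checked as `lnk_file read`, so `allow modem_svc_sit modem_img_file:lnk_file read;` is the tighter rule (add `getattr` only if the service lstat()s the link). The comment `# Allow modem_svc_sit to access modem image file/dir` restates the rules rather than their purpose; the commit message names it, so `# Read-only access to the token DB files shipped in the modem image` documents the intent for the next reviewer. The file now ends without a trailing newline (`\ No newline at end of file`) — terminate the last `allow` line so later appends produce a clean diff.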