From 42a0c820659d811932a58ed1e66478ee9556cecc Mon Sep 17 00:00:00 2001
From: Jinyoung Jeong
Date: Wed, 26 Apr 2023 06:00:46 +0000
Subject: [PATCH] Fix SELinux error for com.google.android.euicc
bug: 279548423
Test: http://fusion2/bb76429b-7d84-4e14-b127-8458abb3e2ed
Change-Id: I00bdf71f04eec985147189eb1b474c7ff6797023
---
 private/property.te | 8 +++++++
 private/property_contexts | 2 ++
 .../vendor/google/certs/EuiccGoogle.x509.pem | 23 +++++++++++++++++++
 whitechapel/vendor/google/euicc_app.te | 15 ++++++++++++
 whitechapel/vendor/google/keys.conf | 3 +++
 whitechapel/vendor/google/mac_permissions.xml | 3 +++
 whitechapel/vendor/google/seapp_contexts | 3 +++
 7 files changed, 57 insertions(+)
 create mode 100644 private/property.te
 create mode 100644 private/property_contexts
 create mode 100644 whitechapel/vendor/google/certs/EuiccGoogle.x509.pem
 create mode 100644 whitechapel/vendor/google/euicc_app.te
diff --git a/private/property.te b/private/property.te
new file mode 100644
index 00000000..a6bee3b3
--- /dev/null
+++ b/private/property.te
@@ -0,0 +1,8 @@
+product_restricted_prop(masterclear_esim_prop)
+product_restricted_prop(euicc_seamless_transfer_prop)
+
+neverallow { domain -init } masterclear_esim_prop:property_service set;
+neverallow { domain -init } euicc_seamless_transfer_prop:property_service set;
+
+get_prop(appdomain, masterclear_esim_prop)
+get_prop(appdomain, euicc_seamless_transfer_prop)
diff --git a/private/property_contexts b/private/property_contexts
new file mode 100644
index 00000000..843f2976
--- /dev/null
+++ b/private/property_contexts
@@ -0,0 +1,2 @@
+masterclear.allow_retain_esim_profiles_after_fdr u:object_r:masterclear_esim_prop:s0 exact bool
+euicc.seamless_transfer_enabled_in_non_qs u:object_r:euicc_seamless_transfer_prop:s0 exact bool
diff --git a/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem b/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem
new file mode 100644
index 00000000..be6c715c
--- /dev/null
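Review bot: `get_prop(appdomain, masterclear_esim_prop)` and `get_prop(appdomain, euicc_seamless_transfer_prop)` on the last two lines of the property.te hunk let every app domain read both new properties, while the only consumer this patch introduces is euicc_app; if no other app needs them, `get_prop(euicc_app, masterclear_esim_prop)` / `get_prop(euicc_app, euicc_seamless_transfer_prop)` keeps the read surface to the one domain that needs it. The `neverallow { domain -init } …:property_service set` rules do pin writes to init, which is the right direction for flags that apps only consume. The new file carries no comment at all; a header such as `# eSIM flags (masterclear.allow_retain_esim_profiles_after_fdr, euicc.seamless_transfer_enabled_in_non_qs): settable by init only, readable by apps` next to the declarations would tell the next reviewer why they exist and who is expected to set them.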
+++ b/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIJAOZ2d46ckK9JMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEUMBIG
+A1UEAwwLRXVpY2NHb29nbGUwHhcNMTYxMjE3MDEyMTEzWhcNNDQwNTA0MDEyMTEz
+WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
+TW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0Fu
+ZHJvaWQxFDASBgNVBAMMC0V1aWNjR29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA1S7b8bGk4fNm3cckWJx2sbnvC39BroHNwk6am6jVP4MZAYuc
+PN6QQ7/2s7hvtn91w6VbeGi2fryIMc7jXjlixheotD2Ns+/7qsPpQ+ZovfaQO5Xw
+/c4J+1CfiqrLtd4TyO+4uFGTCO/vs4qhMH58QrhnYPZUqeuq0Zs1Irp0FlVFe1qm
+1heU2zJy5locjb9UJXY33sVc9vfWy+sM8TLX40nWxIXGdbzJHJNyjjr/NA+0+drx
+anJCtac6+evehH6o8+t8RQBU44PEZiyGkM8poNgRTAcFdRFXU8pitZXp3QZQk6HO
+JsVuqqADwsfxGSdVyHFmOW7gxpkB9+IuJJEmkQIDAQABo1AwTjAdBgNVHQ4EFgQU
+lVkGDn/XmF7HjP0K3ykCNnnZ8jMwHwYDVR0jBBgwFoAUlVkGDn/XmF7HjP0K3ykC
+NnnZ8jMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkDOpQMXcuKwt
+CPu5/tdskpfoBMrpYJOwfvpj/JwrudnXUHZXnBnH9PtHprghGtNiWPXHTbZSzKUS
+Aojpo1Lev7DtowFILA54oY6d1NqbCIJy+Knwt3W5H7Rg8u8LqvzkpX5CBKAhRwkQ
+0t3yrlEkI7kx805vg484gAe+AXyBx0dGe6ov4/yrzv9E+1jhIgP7tF/f+x8zX6Tr
+mDCjzz4mgKahMbmsHQg430wlbZczrciMMfPiRc3xEHKLUqGL0ARtE01hJiJ4TY/X
+iL/8QUA3nBcpUyEwHFwUao40Gjca9xteKd7MtmiZ6BM2JJSQ4nSNkcwQW8PU/7Qb
+0QMwPRPLbQ==
+-----END CERTIFICATE-----
diff --git a/whitechapel/vendor/google/euicc_app.te b/whitechapel/vendor/google/euicc_app.te
new file mode 100644
index 00000000..d7259159
--- /dev/null
+++ b/whitechapel/vendor/google/euicc_app.te
@@ -0,0 +1,15 @@
+type euicc_app, domain;
+app_domain(euicc_app)
+
+allow euicc_app activity_service:service_manager find;
+allow euicc_app radio_service:service_manager find;
+allow euicc_app content_capture_service:service_manager find;
+allow euicc_app virtual_device_service:service_manager find;
+allow euicc_app game_service:service_manager find;
+allow euicc_app netstats_service:service_manager find;
+allow euicc_app registry_service:service_manager find;
+
+get_prop(euicc_app, setupwizard_esim_prop)
+get_prop(euicc_app, bootloader_prop)
+get_prop(euicc_app, exported_default_prop)
+get_prop(euicc_app, vendor_modem_prop)
diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf
index fb6e52b6..d609a05d 100644
--- a/whitechapel/vendor/google/keys.conf
+++ b/whitechapel/vendor/google/keys.conf
@@ -6,3 +6,6 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
+
+[@EUICCGOOGLE]
+ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem
diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml
index 6cb7113c..e4658cc5 100644
--- a/whitechapel/vendor/google/mac_permissions.xml
+++ b/whitechapel/vendor/google/mac_permissions.xml
@@ -30,4 +30,7 @@
+
+
+
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index e724de28..e84832b6 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
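Review bot: The `service_manager find` rules for `game_service`, `virtual_device_service`, `content_capture_service`, `netstats_service` and `registry_service` in the euicc_app.te hunk have no evident relation to eUICC profile management, and together with the commit title they read like a transcription of audit denials rather than a minimal permission set; each one should either get a comment saying which app feature needs it or, where the framework merely probes the service opportunistically, be left denied (or covered by `dontaudit`) instead of allowed. The same applies to `get_prop(euicc_app, bootloader_prop)` and `get_prop(euicc_app, vendor_modem_prop)`, which expose bootloader and modem properties to an app domain and deserve a one-line why-comment each. The new file also has no header; the seapp_contexts hunk in this patch labels the entry "Domain for EuiccGoogle", so `# Domain for com.google.android.euicc (EuiccGoogle-signed priv-app)` at the top of the file would keep the two in sync and make the domain's purpose findable.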
@@ -52,5 +52,8 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+# Domain for EuiccGoogle
+user=_app isPrivApp=true seinfo=EuiccGoogle name=com.google.android.euicc domain=euicc_app type=app_data_file levelFrom=all
+
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all