From 8119d482ed646b2e08057e1b183f28c0ef0e9617 Mon Sep 17 00:00:00 2001 
From: Roshan Pius Date: Wed, 31 Mar 2021 15:01:48 -0700 Subject: [PATCH] Uwb: Create a new Uwb system service Move the vendor service to a different name which will be used by AOSP uwb service. Also, create a new domain for the UWB vendor app which can expose this vendor service. Denials: 04-12 16:38:38.282 411 411 E SELinux : avc: denied { find } for pid=2964 uid=1000 name=tethering scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=0 04-12 17:56:49.320 411 411 E SELinux : avc: denied { find } for pid=2964 uid=1000 name=hardware.qorvo.uwb.IUwb/default scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:hal_uwb_service:s0 tclass=service_manager permissive=0 04-12 20:13:37.952 3034 3034 W com.qorvo.uwb: type=1400 audit(0.0:8): avc: denied { getattr } for path="/data/user/0/com.qorvo.uwb" dev="dm-11" ino=7176 scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 04-12 20:13:38.003 408 408 E SELinux : avc: denied { find } for pid=3034 uid=1000 name=content_capture scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=0 04-12 21:25:03.244 2992 2992 W com.qorvo.uwb: type=1400 audit(0.0:7): avc: denied { getattr } for path="/data/user/0/com.qorvo.uwb" dev="dm-11" ino=7176 scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r: system_app_data_file:s0:c232,c259,c512,c768 tclass=dir permissive=0 Bug: 183904955 Test: atest android.uwb.cts.UwbManagerTest Change-Id: Iecb871902ebe7d110f2deb9ddb960c1a3945d8e9 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/gmscore_app.te | 3 --- whitechapel/vendor/google/seapp_contexts | 3 +++ whitechapel/vendor/google/service.te | 2 +- whitechapel/vendor/google/service_contexts | 2 +- whitechapel/vendor/google/system_app.te | 2 -- 
 whitechapel/vendor/google/system_server.te | 2 ++ whitechapel/vendor/google/untrusted_app_all.te | 4 ---- whitechapel/vendor/google/uwb_service.te | 1 - whitechapel/vendor/google/uwb_vendor_app.te | 10 ++++++++++ 10 files changed, 20 insertions(+), 12 deletions(-) delete mode 100644 whitechapel/vendor/google/gmscore_app.te delete mode 100644 whitechapel/vendor/google/uwb_service.te create mode 100644 whitechapel/vendor/google/uwb_vendor_app.te
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index e7b7d513..a83e7817 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -192,3 +192,6 @@ type sysfs_video, sysfs_type, fs_type;
 # TODO(b/184768835): remove this once the bug is fixed
 # LHBM (Local High Brightness Mode)
 type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject;
+
+# UWB vendor
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
diff --git a/whitechapel/vendor/google/gmscore_app.te b/whitechapel/vendor/google/gmscore_app.te
deleted file mode 100644
index d2394b77..00000000
--- a/whitechapel/vendor/google/gmscore_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow gmscore to use UwbService APIs
-# TODO (b/183904955): remove
-allow gmscore_app uwb_service:service_manager find;
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index c88dfbde..94bf35f7 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -43,3 +43,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=
 
 # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
 user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
+
+# Qorvo UWB system app
+user=system seinfo=platform name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index debd8bd9..99e99483 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,4 +1,4 @@
 type hal_pixel_display_service, service_manager_type, vendor_service;
-type uwb_service, service_manager_type;
+type uwb_vendor_service, service_manager_type, vendor_service;
 type touch_context_service, service_manager_type, vendor_service;
 type hal_uwb_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index f3a6acb8..e0455372 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -2,5 +2,5 @@
 com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
-uwb u:object_r:uwb_service:s0
+uwb_vendor u:object_r:uwb_vendor_service:s0
 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0
diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te
index 043d4bb1..b7542fd6 100644
--- a/whitechapel/vendor/google/system_app.te
+++ b/whitechapel/vendor/google/system_app.te
@@ -4,5 +4,3 @@ allow system_app hal_wlc_hwservice:hwservice_manager find;
 binder_call(system_app, hal_wlc)
 allow system_app fwk_stats_hwservice:hwservice_manager find;
-
-add_service(system_app, uwb_service)
diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te
index 329a693a..001b8556 100644
--- a/whitechapel/vendor/google/system_server.te
+++ b/whitechapel/vendor/google/system_server.te
@@ -1,3 +1,5 @@
 # Allow system server to send sensor data callbacks to GPS and camera HALs
 binder_call(system_server, gpsd);
 binder_call(system_server, hal_camera_default);
+# Allow system server to find vendor uwb service
+allow system_server uwb_vendor_service:service_manager find;
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index 01206d90..ae7386fc 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -8,7 +8,3 @@ allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map }
 # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
 # for secure video playback
 allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allows cts tests to test for UwbService presence
-# TODO (b/183904955): remove
-allow untrusted_app_all uwb_service:service_manager find;
diff --git a/whitechapel/vendor/google/uwb_service.te b/whitechapel/vendor/google/uwb_service.te
deleted file mode 100644
index 7360278d..00000000
--- a/whitechapel/vendor/google/uwb_service.te
+++ /dev/null
@@ -1 +0,0 @@
-allow uwb_service hal_uwb_service:service_manager find;
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te
new file mode 100644
index 00000000..ef771dd5
--- /dev/null
+++ b/whitechapel/vendor/google/uwb_vendor_app.te
@@ -0,0 +1,10 @@
+type uwb_vendor_app, domain;
+
+app_domain(uwb_vendor_app)
+
+add_service(uwb_vendor_app, uwb_vendor_service)
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app hal_uwb_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:dir { getattr search };
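Review bot: The last rule in the new uwb_vendor_app.te grants only `dir { getattr search }` on uwb_vendor_data_file, and because that is a freshly declared type rather than app_data_file, the platform's generic appdomain data-directory rules will presumably not apply to it; if com.qorvo.uwb ever writes to its data directory (shared prefs, caches) those operations would be denied, so confirm the two getattr denials quoted in the description are really all the app needs. The `app_api_service:service_manager find` grant is broader than the two services the denials name (tethering, content_capture); it appears to give the app the same breadth the platform system_app domain gets, so if that breadth is intended, a comment saying so would stop a later reviewer from trimming it. The file carries no comments, unlike the other .te hunks in this commit: a header such as `# Domain for the Qorvo UWB vendor app (com.qorvo.uwb, uid system), which registers uwb_vendor_service for the AOSP UWB service in system_server` plus one line on why the app must find hal_uwb_service directly would cover it. The system_server.te hunk on this line makes system_server a client of a service hosted in an app-domain process; that is presumably already covered by the platform's binder_call rules, but the trust direction is worth noting in the comment there.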