Uwb: Create a new Uwb system service

Move the vendor service to a different name which will be used by AOSP uwb service. Also, create a new domain for the UWB vendor app which can expose this vendor service. Denials: 04-12 16:38:38.282 411 411 E SELinux : avc: denied { find } for pid=2964 uid=1000 name=tethering scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=0 04-12 17:56:49.320 411 411 E SELinux : avc: denied { find } for pid=2964 uid=1000 name=hardware.qorvo.uwb.IUwb/default scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:hal_uwb_service:s0 tclass=service_manager permissive=0 04-12 20:13:37.952 3034 3034 W com.qorvo.uwb: type=1400 audit(0.0:8): avc: denied { getattr } for path="/data/user/0/com.qorvo.uwb" dev="dm-11" ino=7176 scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 04-12 20:13:38.003 408 408 E SELinux : avc: denied { find } for pid=3034 uid=1000 name=content_capture scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=0 04-12 21:25:03.244 2992 2992 W com.qorvo.uwb: type=1400 audit(0.0:7): avc: denied { getattr } for path="/data/user/0/com.qorvo.uwb" dev="dm-11" ino=7176 scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r: system_app_data_file:s0:c232,c259,c512,c768 tclass=dir permissive=0 Bug: 183904955 Test: atest android.uwb.cts.UwbManagerTest Change-Id: Iecb871902ebe7d110f2deb9ddb960c1a3945d8e9
2021-03-31 15:01:48 -07:00 · 2021-03-31 15:01:48 -07:00 · 8119d482ed
commit 8119d482ed
parent 75d0cce94f
10 changed files with 20 additions and 12 deletions
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@ -192,3 +192,6 @@ type sysfs_video, sysfs_type, fs_type;
 # TODO(b/184768835): remove this once the bug is fixed
 # LHBM (Local High Brightness Mode)
 type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject;
+
+# UWB vendor
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
--- a/whitechapel/vendor/google/gmscore_app.te
+++ b/whitechapel/vendor/google/gmscore_app.te
@ -1,3 +0,0 @@
-# Allow gmscore to use UwbService APIs
-# TODO (b/183904955): remove
-allow gmscore_app uwb_service:service_manager find;
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@ -43,3 +43,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=

 # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
 user=_app isPrivApp=true  seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
+
+# Qorvo UWB system app
+user=system seinfo=platform name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@ -1,4 +1,4 @@
 type hal_pixel_display_service, service_manager_type, vendor_service;
-type uwb_service, service_manager_type;
+type uwb_vendor_service, service_manager_type, vendor_service;
 type touch_context_service, service_manager_type, vendor_service;
 type hal_uwb_service, service_manager_type, vendor_service;
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@ -2,5 +2,5 @@
 com.google.edgetpu.IEdgeTpuService/default                 u:object_r:edgetpu_service:s0
 com.google.hardware.pixel.display.IDisplay/default         u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default              u:object_r:touch_context_service:s0
-uwb                                                        u:object_r:uwb_service:s0
+uwb_vendor                                                 u:object_r:uwb_vendor_service:s0
 hardware.qorvo.uwb.IUwb/default                            u:object_r:hal_uwb_service:s0
--- a/whitechapel/vendor/google/system_app.te
+++ b/whitechapel/vendor/google/system_app.te
@ -4,5 +4,3 @@ allow system_app hal_wlc_hwservice:hwservice_manager find;
 binder_call(system_app, hal_wlc)

 allow system_app fwk_stats_hwservice:hwservice_manager find;
-
-add_service(system_app, uwb_service)
--- a/whitechapel/vendor/google/system_server.te
+++ b/whitechapel/vendor/google/system_server.te
@ -1,3 +1,5 @@
 # Allow system server to send sensor data callbacks to GPS and camera HALs
 binder_call(system_server, gpsd);
 binder_call(system_server, hal_camera_default);
+# Allow system server to find vendor uwb service
+allow system_server uwb_vendor_service:service_manager find;
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@ -8,7 +8,3 @@ allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map }
 # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
 # for secure video playback
 allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allows cts tests to test for UwbService presence
-# TODO (b/183904955): remove
-allow untrusted_app_all uwb_service:service_manager find;
--- a/whitechapel/vendor/google/uwb_service.te
+++ b/whitechapel/vendor/google/uwb_service.te
@ -1 +0,0 @@
-allow uwb_service hal_uwb_service:service_manager find;
--- a/whitechapel/vendor/google/uwb_vendor_app.te
+++ b/whitechapel/vendor/google/uwb_vendor_app.te
@ -0,0 +1,10 @@
+type uwb_vendor_app, domain;
+
+app_domain(uwb_vendor_app)
+
+add_service(uwb_vendor_app, uwb_vendor_service)
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app hal_uwb_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:dir { getattr search };
				`@ -1 +0,0 @@`
				`allow uwb_service hal_uwb_service:service_manager find;`