From fb3a11636618dbb044e567716ff2984b25117bc5 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Fri, 4 Aug 2023 14:26:21 +0900 Subject: [PATCH] Move coredomain seapp ctx and types to system_ext Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: build bluejay and boot test Change-Id: I48441749de4eb1de90ce5a307b1d47ae3cb9592d --- system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 6 ++++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel/vendor/google/con_monitor.te | 11 ----------- whitechapel/vendor/google/hbmsvmanager_app.te | 15 --------------- whitechapel/vendor/google/seapp_contexts | 6 ------ 8 files changed, 27 insertions(+), 32 deletions(-) create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te new file mode 100644 index 00000000..c68ec1f8 --- /dev/null +++ b/system_ext/private/con_monitor.te @@ -0,0 +1,7 @@ +typeattribute con_monitor_app coredomain; + +app_domain(con_monitor_app) + +set_prop(con_monitor_app, radio_prop) +allow con_monitor_app app_api_service:service_manager find; +allow con_monitor_app radio_service:service_manager find; diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te new file mode 100644 index 00000000..6f5ff7ac --- /dev/null +++ b/system_ext/private/hbmsvmanager_app.te @@ -0,0 +1,11 @@ +typeattribute hbmsvmanager_app coredomain; + +app_domain(hbmsvmanager_app); + +allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; +allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; + +# Standard system services +allow hbmsvmanager_app app_api_service:service_manager find; + +allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 8c2178a8..6ac71499 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts @@ -1,2 +1,8 @@ # Domain for EuiccGoogle user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user + +# Domain for connectivity monitor +user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all + +# HbmSVManager +user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te new file mode 100644 index 00000000..6a4d1dac --- /dev/null +++ b/system_ext/public/con_monitor.te @@ -0,0 +1,2 @@ +# ConnectivityMonitor app +type con_monitor_app, domain; diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te new file mode 100644 index 00000000..4fcf2bdb --- /dev/null +++ b/system_ext/public/hbmsvmanager_app.te @@ -0,0 +1 @@ +type hbmsvmanager_app, domain; diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te index ab17c826..32c2056d 100644 --- a/whitechapel/vendor/google/con_monitor.te +++ b/whitechapel/vendor/google/con_monitor.te @@ -1,13 +1,2 @@ -# ConnectivityMonitor app -type con_monitor_app, domain, coredomain; - -# TODO(b/296512193): move con_monitor_app out of vendor sepolicy -typeattribute con_monitor_app vendor_seapp_assigns_coredomain_violators; - -app_domain(con_monitor_app) - -set_prop(con_monitor_app, radio_prop) -allow con_monitor_app app_api_service:service_manager find; -allow con_monitor_app radio_service:service_manager find; allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms; allow con_monitor_app radio_vendor_data_file:file create_file_perms; diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te index 2acbaa8a..bbedea8c 100644 --- a/whitechapel/vendor/google/hbmsvmanager_app.te +++ b/whitechapel/vendor/google/hbmsvmanager_app.te @@ -1,17 +1,2 @@ -type hbmsvmanager_app, domain, coredomain; - -# TODO(b/296512193): move hbmsvmanager_app out of vendor sepolicy -typeattribute hbmsvmanager_app vendor_seapp_assigns_coredomain_violators; - -app_domain(hbmsvmanager_app); - -allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; -allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; - allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) - -# Standard system services -allow hbmsvmanager_app app_api_service:service_manager find; - -allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index e724de28..7711c447 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -24,18 +24,12 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file