From b2fb9cdace45113273bbe2ef85dae5a19d78cbac Mon Sep 17 00:00:00 2001
From: Eddie Tashjian
Date: Wed, 7 Apr 2021 15:07:49 -0700
Subject: [PATCH] Add TCP dump permissions.

Copy selinux policy for tcp dump binary from previous Pixel to support TCP logging on P21 through PixelLogger.

Bug: 184777243
Test: Check PixelLogger TCP dump works.
Change-Id: Id958c8a3e6375a7aae569d6fc94deb9f8072b57b
---
 whitechapel/vendor/google/file.te | 3 +++
 whitechapel/vendor/google/file_contexts | 4 ++++
 whitechapel/vendor/google/logger_app.te | 1 +
 whitechapel/vendor/google/property.te | 3 +++
 whitechapel/vendor/google/property_contexts | 6 ++++++
 whitechapel/vendor/google/tcpdump_logger.te | 18 ++++++++++++++++++
 6 files changed, 35 insertions(+)
 create mode 100644 whitechapel/vendor/google/tcpdump_logger.te

diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 9f59c21e..05efcc19 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -117,6 +117,9 @@ type persist_modem_file, file_type, vendor_persist_type;
 type modem_img_file, contextmount_type, file_type, vendor_file_type;
 allow modem_img_file self:filesystem associate;
 
+# TCP logging
+type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+
 # Wireless
 type sysfs_wlc, sysfs_type, fs_type;
 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 8f1f3652..89ac5d62 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -254,6 +254,10 @@
 # Modem logging
 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
 
+# TCP logging
+/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
+/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
+
 # Audio logging
 /vendor/bin/aocdump u:object_r:aocdump_exec:s0
 
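Review bot: The new `tcpdump_vendor_data_file` type in the file.te hunk is declared with `mlstrustedobject`, which exempts the capture files from MLS constraints, yet the only comment is `# TCP logging`. Since this attribute is the one non-obvious decision in the declaration, the reason should be recorded next to it, e.g. `# mlstrustedobject: capture files are consumed by a reader at a different MLS level` — presumably the logger app, but that reader is not visible in this patch, so confirm before wording the comment. If no cross-level reader exists, the attribute can be dropped and the type kept to `file_type, data_file_type`.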
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te
index 4c672447..051b1e64 100644
--- a/whitechapel/vendor/google/logger_app.te
+++ b/whitechapel/vendor/google/logger_app.te
@@ -16,4 +16,5 @@ userdebug_or_eng(`
     set_prop(logger_app, vendor_modem_prop)
     set_prop(logger_app, vendor_gps_prop)
     set_prop(logger_app, vendor_audio_prop)
+    set_prop(logger_app, vendor_tcpdump_log_prop)
 ')
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
index 05cba796..cbef105b 100644
--- a/whitechapel/vendor/google/property.te
+++ b/whitechapel/vendor/google/property.te
@@ -41,3 +41,6 @@ vendor_internal_prop(vendor_wifi_version)
 
 # Touchpanel
 vendor_internal_prop(vendor_touchpanel_prop)
+
+# TCP logging
+vendor_internal_prop(vendor_tcpdump_log_prop)
\ No newline at end of file
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 6f6c083f..a8dd0afd 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -102,3 +102,9 @@ vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s
 
 # Touchpanel
 vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0
+
+# Tcpdump_logger
+persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0
\ No newline at end of file
diff --git a/whitechapel/vendor/google/tcpdump_logger.te b/whitechapel/vendor/google/tcpdump_logger.te
new file mode 100644
index 00000000..329414b6
--- /dev/null
+++ b/whitechapel/vendor/google/tcpdump_logger.te
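Review bot: The property.te hunk and the property_contexts hunk both end with `\ No newline at end of file`, so the files that previously ended in a newline now do not; terminating the last added line (`vendor_internal_prop(vendor_tcpdump_log_prop)` and `vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0`) with a newline avoids every future append to these files showing a spurious modification of that line. The property_contexts section heading `# Tcpdump_logger` also differs from the `# TCP logging` heading used in file.te, file_contexts and property.te for the same feature; using the same heading keeps the four files searchable together.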
@@ -0,0 +1,18 @@
+type tcpdump_logger, domain;
+type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+    # make transition from init to its domain
+    init_daemon_domain(tcpdump_logger)
+
+    allow tcpdump_logger self:capability net_raw;
+    allow tcpdump_logger self:packet_socket create_socket_perms;
+    allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+    allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+    allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+    allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+    allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+    allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+
+    set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')
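Review bot: The `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;` rule leaves the ioctl as a bare magic number; `0x8933` is `SIOCGIFINDEX`, so name it on the line, e.g. `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933; # SIOCGIFINDEX`, so a reader can see the domain is only allowed to resolve an interface name to an index and not wider socket control. The two `radio_vendor_data_file` create rules grant write access into a directory type owned by another subsystem with no explanation; a one-line comment naming which output path needs it (presumably whatever `vendor.tcpdump.output.dir` points at — confirm) would make the grant reviewable, and if captures only ever land under /data/vendor/tcpdump_logger the pair can be dropped to keep the domain at least privilege. The rules also reference `tcpdump_exec`, which this patch neither declares nor labels in file_contexts, so it presumably comes from shared policy; worth confirming the tcpdump binary is labelled on this target, otherwise the `rx_file_perms` grant never applies and the daemon cannot start the capture.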