From 5e63caa5689ae4e41d9238a33d794c34304ed652 Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Mon, 8 Mar 2021 15:48:34 +0800 Subject: [PATCH] Fix selinux error for vendor_telephony_app // b/174961423 [ 43.295540] type=1400 audit(1607136492.652:21): avc: denied { open } for comm="y.silentlogging" path="/dev/__properties__/u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1 [ 43.295445] type=1400 audit(1607136492.652:20): avc: denied { read } for comm="y.silentlogging" name="u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1 [ 43.290494] type=1400 audit(1607136492.648:19): avc: denied { search } for comm="y.silentlogging" name="com.samsung.slsi.telephony.silentlogging" dev="dm-6" ino=3751 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=1 [ 43.267396] type=1400 audit(1607136492.624:18): avc: denied { getattr } for comm="y.silentlogging" path="/data/user/0/com.samsung.slsi.telephony.silentlogging" dev="dm-6" ino=3751 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=1 [ 43.267076] type=1400 audit(1607136492.624:17): avc: denied { search } for comm="y.silentlogging" name="data" dev="dm-6" ino=87 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=dir permissive=1 // b/176868380 [ 44.640326] type=1400 audit(1609377760.052:32): avc: denied { search } for comm="y.silentlogging" name="0" dev="dm-6" ino=181 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1 [ 44.705763] type=1400 audit(1609377760.120:36): avc: denied { search } for comm="ephony.testmode" name="0" dev="dm-6" ino=181 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 
tclass=dir permissive=1 [ 44.649879] type=1400 audit(1609377760.064:33): avc: denied { getattr } for comm="y.silentlogging" path="/dev/__properties__/u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1 [ 44.649981] type=1400 audit(1609377760.064:34): avc: denied { map } for comm="y.silentlogging" path="/dev/__properties__/u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1 [ 44.650286] type=1400 audit(1609377760.064:35): avc: denied { search } for comm="y.silentlogging" name="slog" dev="dm-6" ino=228 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=1 // b/177176900 [ 46.609809] type=1400 audit(1610075109.964:21): avc: denied { getattr } for comm="ephony.testmode" path="/dev/__properties__/u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1 [ 46.609747] type=1400 audit(1610075109.964:20): avc: denied { open } for comm="ephony.testmode" path="/dev/__properties__/u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1 [ 46.609580] type=1400 audit(1610075109.960:19): avc: denied { read } for comm="ephony.testmode" name="u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1 [ 46.609867] type=1400 audit(1610075109.964:22): avc: denied { map } for comm="ephony.testmode" path="/dev/__properties__/u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1 // b/179437464 02-05 
09:46:38.796 376 376 E SELinux : avc: denied { find } for pid=9609 uid=1000 name=activity scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 02-05 09:46:38.894 376 376 E SELinux : avc: denied { find } for pid=9631 uid=1000 name=thermalservice scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:thermal_service:s0 tclass=service_manager permissive=1 02-05 09:46:38.825 376 376 E SELinux : avc: denied { find } for pid=9609 uid=1000 name=tethering scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=1 Bug: 174961423 Bug: 176868380 Bug: 177176900 Bug: 179437464 Test: verified with the forrest ROM and error log gone Change-Id: Ibd2dfb61eb58b381504ac43595e99695a5e21b7e --- tracking_denials/vendor_telephony_app.te | 21 ------------------- whitechapel/vendor/google/seapp_contexts | 12 +++++------ .../vendor/google/vendor_telephony_app.te | 8 ++++++- 3 files changed, 13 insertions(+), 28 deletions(-) delete mode 100644 tracking_denials/vendor_telephony_app.te
diff --git a/tracking_denials/vendor_telephony_app.te b/tracking_denials/vendor_telephony_app.te
deleted file mode 100644
index 2969a576..00000000
--- a/tracking_denials/vendor_telephony_app.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# b/174961423
-dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file open ;
-dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file read ;
-dontaudit vendor_telephony_app system_app_data_file:dir search ;
-dontaudit vendor_telephony_app system_app_data_file:dir getattr ;
-dontaudit vendor_telephony_app system_data_file:dir search ;
-# b/176868380
-dontaudit vendor_telephony_app user_profile_root_file:dir search ;
-dontaudit vendor_telephony_app user_profile_root_file:dir search ;
-dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file getattr ;
-dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file map ;
-dontaudit vendor_telephony_app vendor_slog_file:dir search ;
-# b/177176900
-dontaudit vendor_telephony_app vendor_rild_prop:file getattr ;
-dontaudit vendor_telephony_app vendor_rild_prop:file open ;
-dontaudit vendor_telephony_app vendor_rild_prop:file read ;
-dontaudit vendor_telephony_app vendor_rild_prop:file map ;
-# b/179437464
-dontaudit vendor_telephony_app activity_service:service_manager { find };
-dontaudit vendor_telephony_app thermal_service:service_manager { find };
-dontaudit vendor_telephony_app tethering_service:service_manager { find };
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index 8dfa07e4..287d6ecf 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -1,10 +1,10 @@ # Samsung S.LSI telephony -user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app +user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all # Samsung S.LSI IMS user=system seinfo=platform name=com.shannon.imsservice domain=vendor_ims_app diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te index 06d867c7..1f114508 100644 --- a/whitechapel/vendor/google/vendor_telephony_app.te +++ b/whitechapel/vendor/google/vendor_telephony_app.te 
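Review bot: The six `vendor_telephony_app` entries gain `levelFrom=all` with no comment saying why, and the reason cannot be read off the file itself. In the commit message the denied `system_data_file` and `user_profile_root_file` directories carry `s0:c512,c768`, and no allow rule for those types is added elsewhere in the patch, so the level change is presumably what clears those `search` denials. A comment above the block such as `# levelFrom=all: domain needs user/app MLS categories to traverse category-labelled /data dirs (b/174961423, b/176868380)` would record that. The quoted logs only name `y.silentlogging` and `ephony.testmode`, while `uartswitch`, `sysdebugmode` and `networktestmode` get the same change. It is worth confirming those three were exercised in the test run, because a process level with categories can also change which existing files the process may write.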
@@ -1,4 +1,10 @@ type vendor_telephony_app, domain; app_domain(vendor_telephony_app) -set_prop(vendor_telephony_app, vendor_modem_prop) \ No newline at end of file +get_prop(vendor_telephony_app, vendor_rild_prop) +get_prop(vendor_telephony_app, vendor_persist_sys_default_prop) +set_prop(vendor_telephony_app, vendor_modem_prop) +r_dir_file(vendor_telephony_app, system_app_data_file) +r_dir_file(vendor_telephony_app, vendor_slog_file) + +allow vendor_telephony_app app_api_service:service_manager find;
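Review bot: `r_dir_file(vendor_telephony_app, system_app_data_file)` grants more than the logged denials need. The commit message shows only `search` and `getattr` on a `system_app_data_file` directory, but the macro also allows reading files and symlinks of that type, which as far as I can tell is the generic label for system-UID app data rather than something private to these packages. If directory traversal is all that is required, `allow vendor_telephony_app system_app_data_file:dir { getattr search };` is the narrower rule. The same applies to `app_api_service:service_manager find`, which covers the whole attribute although only `activity_service`, `thermal_service` and `tethering_service` were denied. If that breadth is intended, a `# b/179437464`-style comment on each new rule (the deleted tracking file had them) would keep the grants traceable to their denials.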