MDS: Fix avc errors

avc: denied { search } for name="vendor" dev="tmpfs" ino=2 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 app=com.google.mds avc: denied { search } for name="vendor" dev="tmpfs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 app=com.google.mds avc: denied { search } for comm=4173796E635461736B202332 name="radio" dev="dm-9" ino=242 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.google.mds avc: denied { call } for comm=4173796E635461736B202331 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:dmd:s0 tclass=binder permissive=1 app=com.google.mds avc: denied { write } for name="property_service" dev="tmpfs" ino=316 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 app=com.google.mds avc: denied { read } for name="u:object_r:vendor_modem_prop:s0" dev="tmpfs" ino=289 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:vendor_modem_prop:s0 tclass=file permissive=1 app=com.google.mds avc: denied { search } for comm=4173796E635461736B202331 name="chosen" dev="sysfs" ino=9330 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:sysfs_chosen:s0 tclass=dir permissive=1 app=com.google.mds Bug: 181185131 Bug: 179110848 Change-Id: I1ac00b68e2db44cc86f6b5c70001cda78264ff6e
2021-03-10 14:55:10 +08:00 · 2021-03-10 14:55:10 +08:00 · b70e0bebdd
commit b70e0bebdd
parent dd7f31a99f
5 changed files with 90 additions and 0 deletions
--- a/whitechapel/vendor/google/certs/com_google_mds.x509.pem
+++ b/whitechapel/vendor/google/certs/com_google_mds.x509.pem
@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds
+ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG
+A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl
+IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv
+6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh
+WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW
+LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP
+URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6
+TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I
+IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5
+GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO
+C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q
+OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ
+KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz
+K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT
+EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa
+DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx
+7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57
+vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo
+xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH
+64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
--- a/whitechapel/vendor/google/keys.conf
+++ b/whitechapel/vendor/google/keys.conf
@ -0,0 +1,2 @@
+[@MDS]
+ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem
--- a/whitechapel/vendor/google/mac_permissions.xml
+++ b/whitechapel/vendor/google/mac_permissions.xml
@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <!-- google apps key -->
+    <signer signature="@MDS" >
+        <seinfo value="mds" />
+    </signer>
+</policy>
--- a/whitechapel/vendor/google/modem_diagnostics.te
+++ b/whitechapel/vendor/google/modem_diagnostics.te
@ -0,0 +1,29 @@
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+net_domain(modem_diagnostic_app)
+
+allow modem_diagnostic_app app_api_service:service_manager find;
+allow modem_diagnostic_app radio_service:service_manager find;
+
+userdebug_or_eng(`
+  binder_call(modem_diagnostic_app, dmd)
+
+  set_prop(modem_diagnostic_app, vendor_cbd_prop)
+  set_prop(modem_diagnostic_app, vendor_rild_prop)
+  set_prop(modem_diagnostic_app, vendor_modem_prop)
+
+  allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms;
+  allow modem_diagnostic_app sysfs_chosen:file r_file_perms;
+
+  allow modem_diagnostic_app radio_vendor_data_file:dir r_dir_perms;
+  allow modem_diagnostic_app radio_vendor_data_file:file r_file_perms;
+
+  allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms;
+  allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;
+
+  allow modem_diagnostic_app modem_img_file:dir r_dir_perms;
+  allow modem_diagnostic_app modem_img_file:file r_file_perms;
+
+  allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find;
+')
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@ -31,3 +31,6 @@ user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_in

 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
+
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user