cbd: Fix avc errors am: 4d87bc0f2a

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/13805045

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I088a4f7fec8e864e44f8bcb2066b21d523a60cff

tracking_denials/cbd.te

@@ -1,19 +1,5 @@
 # b/171267363
 dontaudit cbd cbd:capability {setuid };
-dontaudit cbd proc_cmdline:file {open };
-dontaudit cbd persist_file:dir {search };
-dontaudit cbd init:unix_stream_socket {connectto };
-dontaudit cbd proc_cmdline:file {read };
-dontaudit cbd kernel:system {syslog_read };
-# b/173971138
-dontaudit cbd radio_prop:file { map };
-dontaudit cbd radio_prop:file { open };
-dontaudit cbd radio_prop:file { read };
-dontaudit cbd radio_prop:file { open };
-dontaudit cbd radio_prop:file { map };
-dontaudit cbd radio_prop:file { read };
-dontaudit cbd radio_prop:file { getattr };
-dontaudit cbd radio_prop:file { getattr };
 # b/178331928
 dontaudit cbd mnt_vendor_file:dir { search };
 dontaudit cbd mnt_vendor_file:dir { search };
@@ -31,21 +17,5 @@ dontaudit cbd unlabeled:dir { search };
 dontaudit cbd unlabeled:file { read };
 dontaudit cbd unlabeled:file { open };
 # b/179198083
-dontaudit cbd radio_vendor_data_file:dir { search };
-dontaudit cbd radio_vendor_data_file:dir { write };
-dontaudit cbd radio_vendor_data_file:dir { add_name };
-dontaudit cbd radio_vendor_data_file:file { create };
-dontaudit cbd radio_vendor_data_file:file { write };
-dontaudit cbd radio_vendor_data_file:file { open };
 dontaudit cbd unlabeled:file { ioctl };
-dontaudit cbd radio_vendor_data_file:file { open };
-dontaudit cbd radio_vendor_data_file:file { read };
-dontaudit cbd radio_vendor_data_file:dir { search };
 dontaudit cbd unlabeled:file { ioctl };
-dontaudit cbd radio_vendor_data_file:file { open };
-dontaudit cbd radio_vendor_data_file:file { read };
-dontaudit cbd radio_vendor_data_file:file { write };
-dontaudit cbd radio_vendor_data_file:file { create };
-dontaudit cbd radio_vendor_data_file:dir { add_name };
-dontaudit cbd radio_vendor_data_file:dir { search };
-dontaudit cbd radio_vendor_data_file:dir { write };

whitechapel/vendor/google/cbd.te

@@ -21,6 +21,14 @@ allow cbd sysfs_chosen:dir r_dir_perms;
 
 allow cbd radio_device:chr_file rw_file_perms;
 
+allow cbd proc_cmdline:file r_file_perms;
+
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+
 # Allow cbd to operate with modem EFS file/dir
 allow cbd modem_efs_file:dir create_dir_perms;
 allow cbd modem_efs_file:file create_file_perms;
@@ -34,10 +42,12 @@ allow cbd modem_img_file:dir r_dir_perms;
 allow cbd modem_img_file:file r_file_perms;
 
 # Allow cbd to collect crash info
-allow cbd sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
 allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
 
 userdebug_or_eng(`
+  allow cbd kernel:system syslog_read;
+
   allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
   allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
 ')

whitechapel/vendor/google/file.te

@@ -113,6 +113,8 @@ type modem_efs_file, file_type;
 type modem_img_file, file_type;
 type modem_userdata_file, file_type;
 type sysfs_modem, sysfs_type, fs_type;
+type persist_modem_file, file_type, vendor_persist_type;
+
 
 # Wireless
 type sysfs_wlc, sysfs_type, fs_type;

whitechapel/vendor/google/file_contexts

@@ -254,6 +254,8 @@
 /mnt/vendor/efs_backup(/.*)?                                  u:object_r:modem_efs_file:s0
 /mnt/vendor/modem_img(/.*)?                                   u:object_r:modem_img_file:s0
 /mnt/vendor/modem_userdata(/.*)?                              u:object_r:modem_userdata_file:s0
+/mnt/vendor/persist/modem(/.*)?                               u:object_r:persist_modem_file:s0
+
 
 # Subsystem coredump
 /vendor/bin/sscoredump                         u:object_r:sscoredump_exec:s0