From 93f3237f8a927959eeca25c74654aa83bd98e68a Mon Sep 17 00:00:00 2001
From: Wilson Sung <wilsonsung@google.com>
Date: Tue, 5 Sep 2023 16:25:52 +0800
Subject: [PATCH] Move uwb to system_ext

Bug: 290766628
Change-Id: I00a1c45f05cc52a9ce93234921d0b759a3143f16
---
 .../private}/certs/com_qorvo_uwb.x509.pem     |  0
 system_ext/private/file.te                    |  2 ++
 system_ext/private/keys.conf                  |  3 +++
 system_ext/private/mac_permissions.xml        | 27 +++++++++++++++++++
 system_ext/private/seapp_contexts             |  5 ++++
 system_ext/private/uwb_vendor_app.te          | 12 +++++++++
 system_ext/public/uwb_vendor_app.te           |  2 ++
 whitechapel_pro/file.te                       |  1 -
 whitechapel_pro/keys.conf                     |  3 ---
 whitechapel_pro/mac_permissions.xml           |  3 ---
 whitechapel_pro/seapp_contexts                |  4 ---
 whitechapel_pro/uwb_vendor_app.te             | 12 +--------
 12 files changed, 52 insertions(+), 22 deletions(-)
 rename {whitechapel_pro => system_ext/private}/certs/com_qorvo_uwb.x509.pem (100%)
 create mode 100644 system_ext/private/file.te
 create mode 100644 system_ext/private/keys.conf
 create mode 100644 system_ext/private/mac_permissions.xml
 create mode 100644 system_ext/private/uwb_vendor_app.te
 create mode 100644 system_ext/public/uwb_vendor_app.te

diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem
rename to system_ext/private/certs/com_qorvo_uwb.x509.pem
diff --git a/system_ext/private/file.te b/system_ext/private/file.te
new file mode 100644
index 00000000..9344be7e
--- /dev/null
+++ b/system_ext/private/file.te
@@ -0,0 +1,2 @@
+
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf
new file mode 100644
index 00000000..c2228db6
--- /dev/null
+++ b/system_ext/private/keys.conf
@@ -0,0 +1,3 @@
+[@UWB]
+ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
+
diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml
new file mode 100644
index 00000000..51af79f6
--- /dev/null
+++ b/system_ext/private/mac_permissions.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <!-- google apps key -->
+    <signer signature="@UWB" >
+        <seinfo value="uwb" />
+    </signer>
+</policy>
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 25318ffe..82f4347c 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te
new file mode 100644
index 00000000..3ae5ecd3
--- /dev/null
+++ b/system_ext/private/uwb_vendor_app.te
@@ -0,0 +1,12 @@
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+')
diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te
new file mode 100644
index 00000000..6824e4e9
--- /dev/null
+++ b/system_ext/public/uwb_vendor_app.te
@@ -0,0 +1,2 @@
+type uwb_vendor_app, domain;
+
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 4a232600..fb4bad8c 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -10,7 +10,6 @@ type vendor_misc_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
 type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
-type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index 54130ea2..2a7a6d56 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
 [@MDS]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
 
-[@UWB]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
-
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
 
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index b57e61c7..e9031e5f 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -27,9 +27,6 @@
     <signer signature="@MDS" >
         <seinfo value="mds" />
     </signer>
-    <signer signature="@UWB" >
-        <seinfo value="uwb" />
-    </signer>
     <signer signature="@EUICCSUPPORTPIXEL" >
         <seinfo value="EuiccSupportPixel" />
     </signer>
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 8ff78b87..dcaaf664 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -36,10 +36,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
 
-# Qorvo UWB system app
-# TODO(b/222204912): Should this run under uwb user?
-user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
 
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
index aa4564e6..cc5a9de4 100644
--- a/whitechapel_pro/uwb_vendor_app.te
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -1,18 +1,8 @@
-type uwb_vendor_app, domain;
-
-app_domain(uwb_vendor_app)
 
 not_recovery(`
-hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
-
-allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
-allow uwb_vendor_app nfc_service:service_manager find;
-allow uwb_vendor_app radio_service:service_manager find;
-
-allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
-allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
 
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
 allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
 allow hal_uwb_vendor_default kernel:process setsched;