Move coredomain policies to system_ext/product am: da30985fa5 am: 0827b82595

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/24354374 Change-Id: I21a6ae897a80a8954639e15ebb16218a0e324350 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-09 07:35:43 +00:00 · 2023-08-09 07:35:43 +00:00 · 0a40b3bb98
commit 0a40b3bb98
parent 89e7477c43 0827b82595
16 changed files with 70 additions and 67 deletions
--- a/gs201-sepolicy.mk
+++ b/gs201-sepolicy.mk
@ -4,6 +4,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
 PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/public
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private
 # system_ext
--- a/private/debug_camera_app.te
+++ b/private/debug_camera_app.te
@ -0,0 +1,16 @@
 typeattribute debug_camera_app coredomain;
 userdebug_or_eng(`
 	app_domain(debug_camera_app)
 	net_domain(debug_camera_app)
 	allow debug_camera_app app_api_service:service_manager find;
 	allow debug_camera_app audioserver_service:service_manager find;
 	allow debug_camera_app cameraserver_service:service_manager find;
 	allow debug_camera_app mediaextractor_service:service_manager find;
 	allow debug_camera_app mediametrics_service:service_manager find;
 	allow debug_camera_app mediaserver_service:service_manager find;
 	# Allows camera app to access the PowerHAL.
 	hal_client_domain(debug_camera_app, hal_power)
 ')
--- a/private/google_camera_app.te
+++ b/private/google_camera_app.te
@ -0,0 +1,14 @@
 typeattribute google_camera_app coredomain;
 app_domain(google_camera_app)
 net_domain(google_camera_app)
 allow google_camera_app app_api_service:service_manager find;
 allow google_camera_app audioserver_service:service_manager find;
 allow google_camera_app cameraserver_service:service_manager find;
 allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
 # Allows camera app to access the PowerHAL.
 hal_client_domain(google_camera_app, hal_power)
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@ -0,0 +1,11 @@
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
 # Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
 user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
 # Google Camera Eng
 user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
 # Also label GoogleCameraNext, built with debug keys as debug_camera_app.
 user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
--- a/public/debug_camera_app.te
+++ b/public/debug_camera_app.te
@ -0,0 +1 @@
 type debug_camera_app, domain;
--- a/public/google_camera_app.te
+++ b/public/google_camera_app.te
@ -0,0 +1 @@
 type google_camera_app, domain;
--- a/system_ext/private/con_monitor.te
+++ b/system_ext/private/con_monitor.te
@ -0,0 +1,7 @@
 typeattribute con_monitor_app coredomain;
 app_domain(con_monitor_app)
 set_prop(con_monitor_app, radio_prop)
 allow con_monitor_app app_api_service:service_manager find;
 allow con_monitor_app radio_service:service_manager find;
--- a/system_ext/private/hbmsvmanager_app.te
+++ b/system_ext/private/hbmsvmanager_app.te
@ -0,0 +1,11 @@
 typeattribute hbmsvmanager_app coredomain;
 app_domain(hbmsvmanager_app);
 allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
 allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
 # Standard system services
 allow hbmsvmanager_app app_api_service:service_manager find;
 allow hbmsvmanager_app cameraserver_service:service_manager find;
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@ -0,0 +1,5 @@
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
--- a/system_ext/public/con_monitor.te
+++ b/system_ext/public/con_monitor.te
@ -0,0 +1,2 @@
 # ConnectivityMonitor app
 type con_monitor_app, domain;
--- a/system_ext/public/hbmsvmanager_app.te
+++ b/system_ext/public/hbmsvmanager_app.te
@ -0,0 +1 @@
 type hbmsvmanager_app, domain;
--- a/whitechapel_pro/con_monitor.te
+++ b/whitechapel_pro/con_monitor.te
@ -1,10 +1,2 @@
 # ConnectivityMonitor app
 type con_monitor_app, domain, coredomain;
 app_domain(con_monitor_app)
 set_prop(con_monitor_app, radio_prop)
 allow con_monitor_app app_api_service:service_manager find;
 allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
@ -1,24 +1,9 @@
 type debug_camera_app, domain, coredomain;
 userdebug_or_eng(`
 	app_domain(debug_camera_app)
 	net_domain(debug_camera_app)
 	allow debug_camera_app app_api_service:service_manager find;
 	allow debug_camera_app audioserver_service:service_manager find;
 	allow debug_camera_app cameraserver_service:service_manager find;
 	allow debug_camera_app mediaextractor_service:service_manager find;
 	allow debug_camera_app mediametrics_service:service_manager find;
 	allow debug_camera_app mediaserver_service:service_manager find;
 	# Allows camera app to access the GXP device.
 	allow debug_camera_app gxp_device:chr_file rw_file_perms;
 	# Allows camera app to search for GXP firmware file.
 	allow debug_camera_app vendor_fw_file:dir search;
 	# Allows camera app to access the PowerHAL.
 	hal_client_domain(debug_camera_app, hal_power)
 ')
 userdebug_or_eng(`
 	# Allows GCA-Eng to find and access the EdgeTPU.
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@ -1,23 +1,9 @@
 type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
 net_domain(google_camera_app)
 allow google_camera_app app_api_service:service_manager find;
 allow google_camera_app audioserver_service:service_manager find;
 allow google_camera_app cameraserver_service:service_manager find;
 allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
 # Allows camera app to access the GXP device.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
 # Allows camera app to search for GXP firmware file.
 allow google_camera_app vendor_fw_file:dir search;
 # Allows camera app to access the PowerHAL.
 hal_client_domain(google_camera_app, hal_power)
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
--- a/whitechapel_pro/hbmsvmanager_app.te
+++ b/whitechapel_pro/hbmsvmanager_app.te
@ -1,14 +1,2 @@
 type hbmsvmanager_app, domain, coredomain;
 app_domain(hbmsvmanager_app);
 allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
 allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
 # Standard system services
 allow hbmsvmanager_app app_api_service:service_manager find;
 allow hbmsvmanager_app cameraserver_service:service_manager find;
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@ -27,15 +27,9 @@ user=_app isPrivApp=true  seinfo=platform name=com.thales.device.ofl.app.basicag
 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
@ -52,18 +46,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom
 # Sub System Ramdump
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
 # Google Camera Eng
 user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
 # Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
 user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
 # Also label GoogleCameraNext, built with debug keys as debug_camera_app.
 user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
 # Domain for CatEngineService
 user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
		`@ -0,0 +1,2 @@`
							`# ConnectivityMonitor app`
							`type con_monitor_app, domain;`