From 2ef225b9c57732e41fb07a309db9bb2641bb5fa9 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 15 Nov 2021 11:36:24 +0800
Subject: [PATCH] label oemrilservice_app and grant relevant permission

11-15 11:32:41.059 442 442 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:oemrilservice_app:s0:c195,c256,c512,c768 pid=1866 scontext=u:r:oemrilservice_app:s0:c195,c256,c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=1
11-15 11:32:41.060 1013 1013 I rild_exynos: type=1400 audit(0.0:5): avc: denied { call } for scontext=u:r:rild:s0 tcontext=u:r:oemrilservice_app:s0:c195,c256,c512,c768 tclass=binder permissive=1
11-15 11:32:41.368 1013 1013 I rild_exynos: type=1400 audit(0.0:6): avc: denied { call } for scontext=u:r:rild:s0 tcontext=u:r:oemrilservice_app:s0:c195,c256,c512,c768 tclass=binder permissive=1
11-15 11:32:41.890 441 441 E SELinux : avc: denied { find } for pid=1866 uid=10195 name=isub scontext=u:r:oemrilservice_app:s0:c195,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1
Bug: 205904553
Bug: 205073117
Bug: 204718782
Bug: 205904441
Test: boot with no relevant error log
Change-Id: I258aa58b4d3c95b901405e9181138c0d68c2b154
---
 tracking_denials/priv_app.te | 9 ---------
 tracking_denials/rild.te | 1 -
 whitechapel_pro/oemrilservice_app.te | 8 ++++++++
 whitechapel_pro/rild.te | 1 +
 whitechapel_pro/seapp_contexts | 1 +
 5 files changed, 10 insertions(+), 10 deletions(-)
 delete mode 100644 tracking_denials/priv_app.te
 create mode 100644 whitechapel_pro/oemrilservice_app.te

diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
deleted file mode 100644
index cee32be8..00000000
--- a/tracking_denials/priv_app.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# b/204718782
-dontaudit priv_app hal_exynos_rild_hwservice:hwservice_manager { find };
-# b/205073117
-dontaudit priv_app vendor_default_prop:file { getattr };
-dontaudit priv_app vendor_default_prop:file { map };
-dontaudit priv_app vendor_default_prop:file { open };
-# b/205904553
-dontaudit priv_app rild:binder { call };
-dontaudit priv_app rild:binder { transfer };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
index 532083f3..312cca32 100644
--- a/tracking_denials/rild.te
+++ b/tracking_denials/rild.te
@@ -6,6 +6,5 @@ dontaudit rild vendor_persist_config_default_prop:file { open };
 dontaudit rild vendor_persist_config_default_prop:file { read };
 # b/205904441
 dontaudit rild hal_secure_element_uicc:binder { call };
-dontaudit rild priv_app:binder { call };
 dontaudit rild vendor_ims_app:binder { call };
 dontaudit rild vendor_rcs_app:binder { call };
diff --git a/whitechapel_pro/oemrilservice_app.te b/whitechapel_pro/oemrilservice_app.te
new file mode 100644
index 00000000..f11162dd
--- /dev/null
+++ b/whitechapel_pro/oemrilservice_app.te
@@ -0,0 +1,8 @@
+type oemrilservice_app, domain;
+app_domain(oemrilservice_app)
+
+allow oemrilservice_app app_api_service:service_manager find;
+allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow oemrilservice_app radio_service:service_manager find;
+
+binder_call(oemrilservice_app, rild)
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index 5f049d0c..c931a996 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -18,6 +18,7 @@ binder_call(rild, bipchmgr)
 binder_call(rild, gpsd)
 binder_call(rild, hal_audio_default)
 binder_call(rild, modem_svc_sit)
+binder_call(rild, oemrilservice_app)
 
 # for hal service
 add_hwservice(rild, hal_exynos_rild_hwservice)
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 00cf0c5b..f7880eab 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
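Review bot: The `allow oemrilservice_app app_api_service:service_manager find;` rule in the new whitechapel_pro/oemrilservice_app.te is wider than the denials quoted in the commit message, which show only `find` on `radio_service` (name=isub) and on `hal_exynos_rild_hwservice`; a one-line comment such as `# app_api_service: platform services available to ordinary apps; not covered by the quoted denials` would record why the attribute-wide grant is kept. The commit also deletes the `vendor_default_prop:file { getattr map open }` dontaudit rules tracked under b/205073117 without adding any property rule to the new domain, so that access will presumably be denied and logged again under `oemrilservice_app` if the app still performs it. Because the quoted denials were captured with `permissive=1`, where a repeated denial is normally logged only once, a boot-only test may not surface every access the app needs once the domain is enforced.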
@@ -4,6 +4,7 @@ user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_re
 user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
+user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
 
 # Hardware Info Collection
 user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
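Review bot: The added `name=com.samsung.slsi.telephony.oemril` entry selects the `oemrilservice_app` domain by process name and `isPrivApp=true` alone, so the label, and with it the binder access to rild granted elsewhere in this commit, is not tied to the app's signing certificate. If the package is signed with a key that has a signer entry in mac_permissions.xml, adding the matching `seinfo=` selector to this line would bind the domain to that signer. The neighbouring com.shannon.* entries omit it as well, so this may be a file-wide convention worth revisiting rather than a one-off. The rule list continues outside the hunk on both sides.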