Move coredomain policies to system_ext/product

Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble
violation.

Bug: 280547417
Test: TH
Change-Id: If768b5cb9f3b4024893117d8e3bf49adb7c5b070

gs201-sepolicy.mk

@@ -4,6 +4,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
 
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/public
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private
 
 # system_ext

private/debug_camera_app.te

@@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+	app_domain(debug_camera_app)
+	net_domain(debug_camera_app)
+
+	allow debug_camera_app app_api_service:service_manager find;
+	allow debug_camera_app audioserver_service:service_manager find;
+	allow debug_camera_app cameraserver_service:service_manager find;
+	allow debug_camera_app mediaextractor_service:service_manager find;
+	allow debug_camera_app mediametrics_service:service_manager find;
+	allow debug_camera_app mediaserver_service:service_manager find;
+
+	# Allows camera app to access the PowerHAL.
+	hal_client_domain(debug_camera_app, hal_power)
+')

private/google_camera_app.te

@@ -0,0 +1,17 @@
+typeattribute google_camera_app coredomain;
+
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows camera app to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };

private/seapp_contexts

@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all

public/debug_camera_app.te

@@ -0,0 +1 @@
+type debug_camera_app, domain;

public/google_camera_app.te

@@ -0,0 +1 @@
+type google_camera_app, domain;

system_ext/private/con_monitor.te

@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;

system_ext/private/hbmsvmanager_app.te

@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;

system_ext/private/seapp_contexts

@@ -0,0 +1,5 @@
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all

system_ext/public/con_monitor.te

@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;

system_ext/public/hbmsvmanager_app.te

@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;

whitechapel_pro/con_monitor.te

@@ -1,10 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;

whitechapel_pro/debug_camera_app.te

@@ -1,16 +1,4 @@
-type debug_camera_app, domain, coredomain;
-
 userdebug_or_eng(`
-	app_domain(debug_camera_app)
-	net_domain(debug_camera_app)
-
-	allow debug_camera_app app_api_service:service_manager find;
-	allow debug_camera_app audioserver_service:service_manager find;
-	allow debug_camera_app cameraserver_service:service_manager find;
-	allow debug_camera_app mediaextractor_service:service_manager find;
-	allow debug_camera_app mediametrics_service:service_manager find;
-	allow debug_camera_app mediaserver_service:service_manager find;
-
 	# Allows camera app to access the GXP device and properties.
 	allow debug_camera_app gxp_device:chr_file rw_file_perms;
 	get_prop(debug_camera_app, vendor_gxp_prop)
@@ -18,10 +6,6 @@ userdebug_or_eng(`
 	# Allows camera app to search for GXP firmware file.
 	allow debug_camera_app vendor_fw_file:dir search;
 
-	# Allows camera app to access the PowerHAL.
-	hal_client_domain(debug_camera_app, hal_power)
-')
-userdebug_or_eng(`
 	# Allows GCA-Eng to find and access the EdgeTPU.
 	allow debug_camera_app edgetpu_app_service:service_manager find;
 	allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };

whitechapel_pro/google_camera_app.te

@@ -1,14 +1,3 @@
-type google_camera_app, domain, coredomain;
-app_domain(google_camera_app)
-net_domain(google_camera_app)
-
-allow google_camera_app app_api_service:service_manager find;
-allow google_camera_app audioserver_service:service_manager find;
-allow google_camera_app cameraserver_service:service_manager find;
-allow google_camera_app mediaextractor_service:service_manager find;
-allow google_camera_app mediametrics_service:service_manager find;
-allow google_camera_app mediaserver_service:service_manager find;
-
 # Allows camera app to access the GXP device and properties.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
 get_prop(google_camera_app, vendor_gxp_prop)
@@ -16,12 +5,6 @@ get_prop(google_camera_app, vendor_gxp_prop)
 # Allows camera app to search for GXP firmware file.
 allow google_camera_app vendor_fw_file:dir search;
 
-# Allows camera app to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-
-# Library code may try to access vendor properties, but should be denied
-dontaudit google_camera_app vendor_default_prop:file { getattr map open };

whitechapel_pro/hbmsvmanager_app.te

@@ -1,14 +1,2 @@
-type hbmsvmanager_app, domain, coredomain;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;

whitechapel_pro/seapp_contexts

@@ -27,15 +27,9 @@ user=_app isPrivApp=true  seinfo=platform name=com.thales.device.ofl.app.basicag
 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
 
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
 
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
 
@@ -52,18 +46,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom
 # Sub System Ramdump
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
 
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
-# Google Camera Eng
-user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
-
-# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
-user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
-
-# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
-user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
-
 # Domain for CatEngineService
 user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all