Evolution-X-Tensor/device_google_gs201
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move uwb to system_ext am: 5e75eaa1a5

Browse source 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/24660422

Change-Id: Icf239b4a7ffa79cfe8b7db705e0cd0df279e0198
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Wilson Sung 2023-09-05 21:13:51 +00:00 committed by Automerger Merge Worker
commit a7fd020e52
12 changed files with 52 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

0
whitechapel_pro/certs/com_qorvo_uwb.x509.pem → system_ext/private/certs/com_qorvo_uwb.x509.pem
View file

2
system_ext/private/file.te Normal file
View file

@ -0,0 +1,2 @@
type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;

3
system_ext/private/keys.conf Normal file
View file

@ -0,0 +1,3 @@
[@UWB]
ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem

27
system_ext/private/mac_permissions.xml Normal file
View file

@ -0,0 +1,27 @@
<?xml version="1.0" encoding="utf-8"?>
<policy>
<!--
* A signature is a hex encoded X.509 certificate or a tag defined in
keys.conf and is required for each signer tag.
* A signer tag may contain a seinfo tag and multiple package stanzas.
* A default tag is allowed that can contain policy for all apps not signed with a
previously listed cert. It may not contain any inner package stanzas.
* Each signer/default/package tag is allowed to contain one seinfo tag. This tag
represents additional info that each app can use in setting a SELinux security
context on the eventual process.
* When a package is installed the following logic is used to determine what seinfo
value, if any, is assigned.
- All signatures used to sign the app are checked first.
- If a signer stanza has inner package stanzas, those stanza will be checked
to try and match the package name of the app. If the package name matches
then that seinfo tag is used. If no inner package matches then the outer
seinfo tag is assigned.
- The default tag is consulted last if needed.
-->
<!-- google apps key -->
<signer signature="@UWB" >
<seinfo value="uwb" />
</signer>
</policy>

5
system_ext/private/seapp_contexts
View file

@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
# HbmSVManager
user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
# Qorvo UWB system app
# TODO(b/222204912): Should this run under uwb user?
user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all

12
system_ext/private/uwb_vendor_app.te Normal file
View file

@ -0,0 +1,12 @@
app_domain(uwb_vendor_app)
not_recovery(`
allow uwb_vendor_app app_api_service:service_manager find;
allow uwb_vendor_app nfc_service:service_manager find;
allow uwb_vendor_app radio_service:service_manager find;
allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
')

2
system_ext/public/uwb_vendor_app.te Normal file
View file

@ -0,0 +1,2 @@
type uwb_vendor_app, domain;

1
whitechapel_pro/file.te
View file

@ -10,7 +10,6 @@ type vendor_misc_data_file, file_type, data_file_type;
type sensor_debug_data_file, file_type, data_file_type;
type sensor_reg_data_file, file_type, data_file_type;
type per_boot_file, file_type, data_file_type, core_data_file_type;
type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
type uwb_data_vendor, file_type, data_file_type;
type powerstats_vendor_data_file, file_type, data_file_type;
type vendor_gps_file, file_type, data_file_type;

3
whitechapel_pro/keys.conf
View file

@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
[@MDS]
ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
[@UWB]
ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
[@EUICCSUPPORTPIXEL]
ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem

3
whitechapel_pro/mac_permissions.xml
View file

@ -27,9 +27,6 @@
<signer signature="@MDS" >
<seinfo value="mds" />
</signer>
<signer signature="@UWB" >
<seinfo value="uwb" />
</signer>
<signer signature="@EUICCSUPPORTPIXEL" >
<seinfo value="EuiccSupportPixel" />
</signer>

4
whitechapel_pro/seapp_contexts
View file

@ -36,10 +36,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
# CBRS setup app
user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
# Qorvo UWB system app
# TODO(b/222204912): Should this run under uwb user?
user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
# Domain for EuiccSupportPixel
user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all

12
whitechapel_pro/uwb_vendor_app.te
View file

@ -1,18 +1,8 @@
type uwb_vendor_app, domain;
app_domain(uwb_vendor_app)
not_recovery(`
hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
allow uwb_vendor_app app_api_service:service_manager find;
allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
allow uwb_vendor_app nfc_service:service_manager find;
allow uwb_vendor_app radio_service:service_manager find;
allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
allow hal_uwb_vendor_default kernel:process setsched;