From c5710ad18ee930f3f4fd5e985ce707b92f68da17 Mon Sep 17 00:00:00 2001
From: Roshan Pius
Date: Thu, 24 Feb 2022 07:13:01 -0800
Subject: [PATCH] gs-sepolicy(uwb): Changes for new UCI stack

1. Rename uwb vendor app.
2. Rename uwb vendor HAL binary name & service name.
3. Allow vendor HAL to host the AOSP UWB HAL service.
4. Allow NFC HAL to access uwb calibration files.

Bug: 186585880
Bug: 204718220
Bug: 206045367
Test: Manual Tests
Change-Id: Ib0456617d0f5cf116d11a9412f47f36e2b8df570
---
 tracking_denials/hal_uwb_vendor_default.te | 5 -----
 whitechapel_pro/file_contexts | 2 +-
 whitechapel_pro/hal_nfc_default.te | 3 +++
 whitechapel_pro/hal_uwb_vendor_default.te | 3 +++
 whitechapel_pro/property.te | 3 +++
 whitechapel_pro/property_contexts | 3 +++
 whitechapel_pro/seapp_contexts | 3 ++-
 whitechapel_pro/service_contexts | 2 +-
 8 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
index 25e0a748..2e0025fc 100644
--- a/tracking_denials/hal_uwb_vendor_default.te
+++ b/tracking_denials/hal_uwb_vendor_default.te
@@ -1,8 +1,3 @@
-# b/204718220
-dontaudit hal_uwb_vendor_default default_android_service:service_manager { add };
-# b/206045367
-dontaudit hal_uwb_vendor_default zygote:binder { call };
-dontaudit hal_uwb_vendor_default zygote:binder { transfer };
 # b/208721505
 dontaudit hal_uwb_vendor_default dumpstate:fd { use };
 dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index f86fa5f1..51a23da5 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -37,7 +37,7 @@
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
-/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 
 # Vendor Firmwares
diff --git a/whitechapel_pro/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te
index 174b5383..247ca3d7 100644
--- a/whitechapel_pro/hal_nfc_default.te
+++ b/whitechapel_pro/hal_nfc_default.te
@@ -10,3 +10,6 @@ set_prop(hal_nfc_default, vendor_modem_prop)
 # Access uwb cal for SecureRanging Applet
 allow hal_nfc_default uwb_data_vendor:dir r_dir_perms;
 allow hal_nfc_default uwb_data_vendor:file r_file_perms;
+
+# allow nfc to read uwb calibration file
+get_prop(hal_nfc_default, vendor_uwb_calibration_prop)
diff --git a/whitechapel_pro/hal_uwb_vendor_default.te b/whitechapel_pro/hal_uwb_vendor_default.te
index f72e879d..b287433f 100644
--- a/whitechapel_pro/hal_uwb_vendor_default.te
+++ b/whitechapel_pro/hal_uwb_vendor_default.te
@@ -2,6 +2,7 @@ type hal_uwb_vendor_default, domain;
 type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
 
 init_daemon_domain(hal_uwb_vendor_default)
+hal_server_domain(hal_uwb_vendor_default, hal_uwb)
 add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
 hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
 
@@ -9,3 +10,5 @@ binder_call(hal_uwb_vendor_default, uwb_vendor_app)
 
 allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
 allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
+
+get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index bdad98e9..5ddaf882 100644
--- a/whitechapel_pro/property.te
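Review bot: The comment on the new `get_prop` line says "read uwb calibration file", but `get_prop(hal_nfc_default, vendor_uwb_calibration_prop)` grants reads of system properties, not files; the file access is the two `allow` lines on uwb_data_vendor just above it. Someone auditing why the NFC HAL may read UWB properties would want the prefix and the consumer named, e.g. `# Read the UWB calibration properties (ro.vendor.uwb.calibration.*) consumed by the SecureRanging applet`. Whether the applet takes its calibration from the properties, the files under uwb_data_vendor, or both is not visible in this change; word the comment to match whichever is true.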
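Review bot: The new `hal_server_domain(hal_uwb_vendor_default, hal_uwb)` is inserted between `init_daemon_domain` and `add_service`, separating it from the existing `hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)` two lines below, and nothing in the file says why one daemon now carries both server attributes. Since `hal_uwb` is the AOSP attribute, this line is what lets the Qorvo process register the AOSP IUwb service and be called by `hal_uwb_client` domains (in AOSP policy that is system_server — not visible here), and it is presumably also what makes the `service_manager { add }` and zygote `binder` dontaudit lines deleted from tracking_denials obsolete; that deserves a sentence in the file. I would keep the two declarations together under one comment: `# Hosts both the AOSP android.hardware.uwb.IUwb service (hal_uwb) and the Qorvo IUwbVendor service (hal_uwb_vendor)`. The domain's remaining rules continue in the second hunk and past it.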
+++ b/whitechapel_pro/property.te
@@ -26,3 +26,6 @@ vendor_internal_prop(vendor_display_prop)
 
 # Fingerprint
 vendor_internal_prop(vendor_fingerprint_prop)
+
+# UWB calibration
+system_vendor_config_prop(vendor_uwb_calibration_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index b39184a5..58aaff88 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -93,3 +93,6 @@ persist.vendor.gps. u:object_r:vendor_gps_prop:s0
 # Fingerprint
 vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
 vendor.gf. u:object_r:vendor_fingerprint_prop:s0
+
+#uwb
+ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 88789fc7..2bd4f06a 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -45,7 +45,8 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
 
 # Qorvo UWB system app
-user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
 
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
index 98d9fad8..94f813d8 100644
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
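Review bot: `system_vendor_config_prop(vendor_uwb_calibration_prop)` is the only declaration in this block that does not use `vendor_internal_prop`, and the one-word comment above it does not say why, nor who is meant to write and read the type. As I read that macro it restricts setting to vendor_init, with reads granted per domain (the two `get_prop` lines elsewhere in this change); recording that keeps the next person from loosening it by analogy with the neighbours, e.g. `# UWB calibration (ro.vendor.uwb.calibration.*): set by vendor_init at boot, read by hal_uwb_vendor_default and hal_nfc_default`. Confirm the setter against the macro definition before committing that wording.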
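Review bot: The new entry `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string` pairs a trailing-dot prefix with the `exact` match mode, and `exact` only matches a property whose full name is literally `ro.vendor.uwb.calibration.`. Unless a property with that exact name is what the HALs read, properties of the form `ro.vendor.uwb.calibration.<x>` will not receive the `vendor_uwb_calibration_prop` label, will fall through to whichever broader vendor rule covers them, and the `get_prop` grants added in this change will never be exercised while the actual reads succeed or fail under some other type. The fix is prefix matching: `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 prefix string` (or omit the mode, since prefix is the default). If a single exact property is intended, drop the trailing dot instead.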
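Review bot: The change from `user=uwb` to `user=_app` on the com.qorvo.uwb.vendorservice line changes the process's DAC identity (a per-user app UID instead of the fixed `uwb` AID), not just its label, and the TODO above it does not record what hangs on that decision. If any path under /data/vendor/uwb or a UWB device node is chown'd to `uwb` in fs_config or ueventd (not visible here), the app will now fail DAC checks even though `uwb_vendor_app` and `uwb_vendor_data_file` still permit the access in policy; if nothing is, the dedicated AID can be retired. I would make the TODO say what it is deciding: `# TODO(b/222204912): user=_app drops the fixed uwb AID; confirm no uwb-owned files or nodes (fs_config, ueventd) are required before closing this`.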
@@ -1,3 +1,3 @@
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
-hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0
+hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
 uwb_vendor u:object_r:uwb_vendor_service:s0