gs-sepolicy(uwb): Changes for new UCI stack

1. Rename uwb vendor app. 2. Rename uwb vendor HAL binary name & service name. 3. Allow vendor HAL to host the AOSP UWB HAL service. 4. Allow NFC HAL to access uwb calibration files. Bug: 186585880 Bug: 204718220 Bug: 206045367 Test: Manual Tests Change-Id: Ib0456617d0f5cf116d11a9412f47f36e2b8df570
2022-02-24 07:13:01 -08:00 · 2022-02-24 07:13:01 -08:00 · c5710ad18e
commit c5710ad18e
parent 5ddc8be4f4
8 changed files with 16 additions and 8 deletions
--- a/tracking_denials/hal_uwb_vendor_default.te
+++ b/tracking_denials/hal_uwb_vendor_default.te
@ -1,8 +1,3 @@
-# b/204718220
-dontaudit hal_uwb_vendor_default default_android_service:service_manager { add };
-# b/206045367
-dontaudit hal_uwb_vendor_default zygote:binder { call };
-dontaudit hal_uwb_vendor_default zygote:binder { transfer };
 # b/208721505
 dontaudit hal_uwb_vendor_default dumpstate:fd { use };
 dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@ -37,7 +37,7 @@
 /vendor/bin/hw/android\.hardware\.usb-service                               u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service                       u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/rild_exynos                                                  u:object_r:rild_exec:s0
-/vendor/bin/hw/hardware\.qorvo\.uwb-service                                 u:object_r:hal_uwb_vendor_default_exec:s0
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service                       u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice                                                      u:object_r:rlsservice_exec:s0

 # Vendor Firmwares
--- a/whitechapel_pro/hal_nfc_default.te
+++ b/whitechapel_pro/hal_nfc_default.te
@ -10,3 +10,6 @@ set_prop(hal_nfc_default, vendor_modem_prop)
 # Access uwb cal for SecureRanging Applet
 allow hal_nfc_default uwb_data_vendor:dir r_dir_perms;
 allow hal_nfc_default uwb_data_vendor:file r_file_perms;
+
+# allow nfc to read uwb calibration file
+get_prop(hal_nfc_default, vendor_uwb_calibration_prop)
--- a/whitechapel_pro/hal_uwb_vendor_default.te
+++ b/whitechapel_pro/hal_uwb_vendor_default.te
@ -2,6 +2,7 @@ type hal_uwb_vendor_default, domain;
 type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_uwb_vendor_default)

+hal_server_domain(hal_uwb_vendor_default, hal_uwb)
 add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)

 hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
@ -9,3 +10,5 @@ binder_call(hal_uwb_vendor_default, uwb_vendor_app)

 allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
 allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
+
+get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@ -26,3 +26,6 @@ vendor_internal_prop(vendor_display_prop)

 # Fingerprint
 vendor_internal_prop(vendor_fingerprint_prop)
+
+# UWB calibration
+system_vendor_config_prop(vendor_uwb_calibration_prop)
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@ -93,3 +93,6 @@ persist.vendor.gps.                        u:object_r:vendor_gps_prop:s0
 # Fingerprint
 vendor.fingerprint.                        u:object_r:vendor_fingerprint_prop:s0
 vendor.gf.                                 u:object_r:vendor_fingerprint_prop:s0
+
+#uwb
+ro.vendor.uwb.calibration.                 u:object_r:vendor_uwb_calibration_prop:s0 exact string
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@ -45,7 +45,8 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user

 # Qorvo UWB system app
-user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all

 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
@ -1,3 +1,3 @@
 com.google.hardware.pixel.display.IDisplay/default         u:object_r:hal_pixel_display_service:s0
-hardware.qorvo.uwb.IUwb/default                            u:object_r:hal_uwb_vendor_service:s0
+hardware.qorvo.uwb.IUwbVendor/default                      u:object_r:hal_uwb_vendor_service:s0
 uwb_vendor                                                 u:object_r:uwb_vendor_service:s0