From e72ecd59d8e1d2f9d9cb83ea00c9d65d91d4578c Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 16 Nov 2021 14:47:39 +0800
Subject: [PATCH] fix UWB app settings and zygote library access
11-16 14:46:01.647 446 446 E SELinux : avc: denied { add } for pid=2502 uid=1083 name=uwb_vendor scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
11-16 14:41:41.238 440 440 E SELinux : avc: denied { find } for pid=2555 uid=1083 name=hardware.qorvo.uwb.IUwb/default scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
Bug: 206331617
Bug: 206045471
Bug: 205904384
Test: boot with no zygote errors
Change-Id: I5fe048434d430120334d172481b9cc07cff141dd
---
tracking_denials/zygote.te | 26 ------------------
whitechapel_pro/certs/com_qorvo_uwb.x509.pem | 29 ++++++++++++++++++++
whitechapel_pro/file_contexts | 6 ++--
whitechapel_pro/keys.conf | 2 ++
whitechapel_pro/mac_permissions.xml | 3 ++
whitechapel_pro/seapp_contexts | 3 ++
whitechapel_pro/service_contexts | 2 ++
whitechapel_pro/vendor_uwb_init.te | 2 +-
8 files changed, 43 insertions(+), 30 deletions(-)
delete mode 100644 tracking_denials/zygote.te
create mode 100644 whitechapel_pro/certs/com_qorvo_uwb.x509.pem
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
deleted file mode 100644
index 7f3db4ec..00000000
--- a/tracking_denials/zygote.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# b/204717520
-dontaudit zygote activity_service:service_manager { find };
-dontaudit zygote content_capture_service:service_manager { find };
-dontaudit zygote default_android_service:service_manager { add };
-dontaudit zygote default_android_service:service_manager { find };
-dontaudit zygote game_service:service_manager { find };
-dontaudit zygote nfc_service:service_manager { find };
-dontaudit zygote radio_service:service_manager { find };
-# b/205904384
-dontaudit zygote adbd:unix_stream_socket { connectto };
-dontaudit zygote nfc:binder { call };
-dontaudit zygote servicemanager:binder { call };
-dontaudit zygote system_server:binder { call };
-dontaudit zygote system_server:binder { transfer };
-# b/206045471
-dontaudit zygote hal_uwb_vendor_default:binder { call };
-dontaudit zygote hal_uwb_vendor_default:binder { transfer };
-dontaudit zygote radio:binder { call };
-dontaudit zygote user_profile_data_file:file { getattr };
-dontaudit zygote vendor_file:file { execute };
-dontaudit zygote vendor_file:file { getattr };
-dontaudit zygote vendor_file:file { map };
-dontaudit zygote vendor_file:file { open };
-dontaudit zygote vendor_file:file { read };
-# b/206331617
-dontaudit zygote servicemanager:binder { transfer };
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
new file mode 100644
index 00000000..0e7c9ed5
--- /dev/null
+++ b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgNVBAoTC0dvb2dsZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm8
+X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds
+ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa
+IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW
+fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ
+KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW
+BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s
+ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X
+QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG
+gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj
+RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn
+iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ
+KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t
+fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z
+0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe
+cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0
+6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg
+NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY
+ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp
+BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz +lHV8gmlwBAuAx9ITcTJr +-----END CERTIFICATE----- diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 0fbd6f89..d18bc9dd 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -44,9 +44,9 @@ /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 # Vendor libraries -/vendor/lib64/libdrm\.so u:object_r:same_process_hal_file:s0 -/vendor/lib64/libion_google\.so u:object_r:same_process_hal_file:s0 -/vendor/lib64/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Vendor kernel modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index dac66f87..f67eb8f2 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -1,3 +1,5 @@ [@MDS] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem +[@UWB] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 4b997c27..6cf15728 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -24,4 +24,7 @@ + + + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index f7880eab..6aef28f7 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
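Review bot: The three relabelled file_contexts entries now match both `/vendor/lib/` and `/vendor/lib64/`, but nothing in the hunk records why exactly these libraries carry `same_process_hal_file` while the rest of `/vendor/lib*` keeps the default label; the deleted tracking rules for `zygote vendor_file:file { execute map open read }` suggest this relabel is what makes them go away, and that reasoning is lost once the tracking file is gone. Replacing the bare `# Vendor libraries` header with something like `# Vendor libraries loaded into zygote/app processes (sp-HAL); keep the 32- and 64-bit paths in sync` would tie the label to its cause and make it harder for a later edit to drop one architecture again. Everything else under `/vendor/lib*` presumably stays `vendor_file`, which is the safer side to err on, so the comment should also make clear the list is meant to be minimal.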
@@ -33,5 +33,8 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_ # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user +# Qorvo UWB system app +user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all + # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index cb6af7cc..8f3c1900 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts @@ -1,2 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_service:s0 +hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 +uwb_vendor u:object_r:uwb_vendor_service:s0 diff --git a/whitechapel_pro/vendor_uwb_init.te b/whitechapel_pro/vendor_uwb_init.te index 716af19c..f317b253 100644 --- a/whitechapel_pro/vendor_uwb_init.te +++ b/whitechapel_pro/vendor_uwb_init.te @@ -4,7 +4,7 @@ type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(vendor_uwb_init) allow vendor_uwb_init vendor_shell_exec:file rx_file_perms; -allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms; +allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms; allow vendor_uwb_init uwb_data_vendor:file create_file_perms; allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;
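Review bot: The new seapp_contexts entry is keyed on `name=com.qorvo.uwb`, but the package name is not what gates entry into `uwb_vendor_app`; the `seinfo=uwb` field is, and that only takes effect when a `<signer signature="@UWB">` stanza in mac_permissions.xml maps the certificate added under certs/ to the `uwb` seinfo, and the mac_permissions.xml hunk on this page shows three added lines whose content is not visible, so the binding cannot be confirmed from here. A comment next to the entry would keep a future editor from treating the name match as the trust boundary, e.g. `# seinfo=uwb is bound to the @UWB signer (certs/com_qorvo_uwb.x509.pem); name= alone is not a security boundary`. The entry also uses `levelFrom=all` where the neighbouring app entries use `levelFrom=user`; that is consistent with the four-category context in the quoted denials (`s0:c59,c260,c512,c768`), but a one-line justification beside it would save the next reader from having to re-derive it.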
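Review bot: Relabelling `hardware.qorvo.uwb.IUwb/default` and `uwb_vendor` away from `default_android_service` only changes which target type the two quoted denials (`find` and `add` from `uwb_vendor_app`, uid 1083) are reported against; the access remains denied unless the `uwb_vendor_app` domain also carries `allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;` and `add_service(uwb_vendor_app, uwb_vendor_service)` or an equivalent, and this patch touches neither that domain's .te file nor the declarations of `hal_uwb_vendor_service` / `uwb_vendor_service`. If those rules already exist outside this patch, a pointer to them in the commit message would make the fix self-contained; if they do not, the device will keep logging the same denial with a different tcontext once the labels are applied. Giving `uwb_vendor` its own type instead of reusing `hal_uwb_vendor_service` is the right split, since registering (`add`) and looking up (`find`) can then be granted to different domains independently.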