fix UWB app settings and zygote library access

11-16 14:46:01.647   446   446 E SELinux : avc:  denied  { add } for pid=2502 uid=1083 name=uwb_vendor scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
11-16 14:41:41.238   440   440 E SELinux : avc:  denied  { find } for pid=2555 uid=1083 name=hardware.qorvo.uwb.IUwb/default scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
Bug: 206331617
Bug: 206045471
Bug: 205904384
Test: boot with no zygote errors

Change-Id: I5fe048434d430120334d172481b9cc07cff141dd
Adam Shih 2021-11-16 14:47:39 +08:00
parent 4c66de3d3b
commit e72ecd59d8
8 changed files with 43 additions and 30 deletions


@ -1,26 +0,0 @@
# b/204717520
dontaudit zygote activity_service:service_manager { find };
dontaudit zygote content_capture_service:service_manager { find };
dontaudit zygote default_android_service:service_manager { add };
dontaudit zygote default_android_service:service_manager { find };
dontaudit zygote game_service:service_manager { find };
dontaudit zygote nfc_service:service_manager { find };
dontaudit zygote radio_service:service_manager { find };
# b/205904384
dontaudit zygote adbd:unix_stream_socket { connectto };
dontaudit zygote nfc:binder { call };
dontaudit zygote servicemanager:binder { call };
dontaudit zygote system_server:binder { call };
dontaudit zygote system_server:binder { transfer };
# b/206045471
dontaudit zygote hal_uwb_vendor_default:binder { call };
dontaudit zygote hal_uwb_vendor_default:binder { transfer };
dontaudit zygote radio:binder { call };
dontaudit zygote user_profile_data_file:file { getattr };
dontaudit zygote vendor_file:file { execute };
dontaudit zygote vendor_file:file { getattr };
dontaudit zygote vendor_file:file { map };
dontaudit zygote vendor_file:file { open };
dontaudit zygote vendor_file:file { read };
# b/206331617
dontaudit zygote servicemanager:binder { transfer };


@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -44,9 +44,9 @@
/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
# Vendor libraries # Vendor libraries
/vendor/lib64/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
/vendor/lib64/libion_google\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
/vendor/lib64/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0
# Vendor kernel modules # Vendor kernel modules
/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
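Review bot: The three relabels from `/vendor/lib64/` to `/vendor/lib(64)?/` (libdrm, libion_google, arm.graphics-V1-ndk) carry no comment saying why the 32-bit copies now need same_process_hal_file, even though the same commit deletes the zygote dontaudit rules for vendor_file execute/map/open/read tagged b/206045471. Presumably these libraries are what zygote was touching under the vendor_file label; if so, a line such as `# 32-bit variants are mapped into zygote/app processes as well (b/206045471)` above the group would record the link. Because same_process_hal_file is loaded into every app process, it is also worth confirming the 32-bit builds are the same trusted objects as the 64-bit ones rather than a broader set under the widened pattern.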


@ -1,3 +1,5 @@
[@MDS] [@MDS]
ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
[@UWB]
ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem


@ -24,4 +24,7 @@
<signer signature="@MDS" > <signer signature="@MDS" >
<seinfo value="mds" /> <seinfo value="mds" />
</signer> </signer>
<signer signature="@UWB" >
<seinfo value="uwb" />
</signer>
</policy> </policy>


@ -33,5 +33,8 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
# CBRS setup app # CBRS setup app
user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
# Qorvo UWB system app
user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
# Sub System Ramdump # Sub System Ramdump
user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
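Review bot: The new com.qorvo.uwb entry uses `levelFrom=all` while the neighbouring mds, cbrs and SSRestartDetector entries use `levelFrom=user`, and nothing records why the two differ. The four categories in the denials quoted in the commit description (c59,c260,c512,c768) are consistent with categories derived from both the user and the app id, so a comment such as `# levelFrom=all: MLS categories from user and appid, matching the cited denials` would stop a later cleanup from aligning it with its neighbours and changing the app's label. The selector is keyed on `seinfo=uwb`, which the mac_permissions change ties to the @UWB certificate, together with `name=` and `isPrivApp=true`, which keeps the match appropriately narrow.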


@ -1,2 +1,4 @@
com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
com.google.input.ITouchContextService/default u:object_r:touch_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_service:s0
hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0
uwb_vendor u:object_r:uwb_vendor_service:s0
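Review bot: Labeling `hardware.qorvo.uwb.IUwb/default` and `uwb_vendor` away from default_android_service only retargets the two denials quoted in the description; no `allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;` or `allow uwb_vendor_app uwb_vendor_service:service_manager add;` rule appears in any of the eight changed files. If those rules are not already present in uwb_vendor_app.te (outside this commit), the app will hit the same denials against the new types, so that should be confirmed before relying on the "no zygote errors" test line. The `add` denial shows the privileged app itself registering `uwb_vendor` with servicemanager, which is unusual enough that a comment on the new line naming the registering component would help future audits.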


@ -4,7 +4,7 @@ type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_uwb_init) init_daemon_domain(vendor_uwb_init)
allow vendor_uwb_init vendor_shell_exec:file rx_file_perms; allow vendor_uwb_init vendor_shell_exec:file rx_file_perms;
allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms; allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms;
allow vendor_uwb_init uwb_data_vendor:file create_file_perms; allow vendor_uwb_init uwb_data_vendor:file create_file_perms;
allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms; allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;