fix UWB app settings and zygote library access

11-16 14:46:01.647 446 446 E SELinux : avc: denied { add } for pid=2502 uid=1083 name=uwb_vendor scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1 11-16 14:41:41.238 440 440 E SELinux : avc: denied { find } for pid=2555 uid=1083 name=hardware.qorvo.uwb.IUwb/default scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1 Bug: 206331617 Bug: 206045471 Bug: 205904384 Test: boot with no zygote errors Change-Id: I5fe048434d430120334d172481b9cc07cff141dd
2021-11-16 14:47:39 +08:00 · 2021-11-16 14:47:39 +08:00 · e72ecd59d8
commit e72ecd59d8
parent 4c66de3d3b
8 changed files with 43 additions and 30 deletions
--- a/tracking_denials/zygote.te
+++ b/tracking_denials/zygote.te
@ -1,26 +0,0 @@
-# b/204717520
-dontaudit zygote activity_service:service_manager { find };
-dontaudit zygote content_capture_service:service_manager { find };
-dontaudit zygote default_android_service:service_manager { add };
-dontaudit zygote default_android_service:service_manager { find };
-dontaudit zygote game_service:service_manager { find };
-dontaudit zygote nfc_service:service_manager { find };
-dontaudit zygote radio_service:service_manager { find };
-# b/205904384
-dontaudit zygote adbd:unix_stream_socket { connectto };
-dontaudit zygote nfc:binder { call };
-dontaudit zygote servicemanager:binder { call };
-dontaudit zygote system_server:binder { call };
-dontaudit zygote system_server:binder { transfer };
-# b/206045471
-dontaudit zygote hal_uwb_vendor_default:binder { call };
-dontaudit zygote hal_uwb_vendor_default:binder { transfer };
-dontaudit zygote radio:binder { call };
-dontaudit zygote user_profile_data_file:file { getattr };
-dontaudit zygote vendor_file:file { execute };
-dontaudit zygote vendor_file:file { getattr };
-dontaudit zygote vendor_file:file { map };
-dontaudit zygote vendor_file:file { open };
-dontaudit zygote vendor_file:file { read };
-# b/206331617
-dontaudit zygote servicemanager:binder { transfer };
--- a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
+++ b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv
+X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds
+ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa
+IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW
+fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ
+KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW
+BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s
+ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X
+QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG
+gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj
+RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn
+iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ
+KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t
+fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z
+0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe
+cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0
+6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg
+NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY
+ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp
+BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz
+lHV8gmlwBAuAx9ITcTJr
+-----END CERTIFICATE-----
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@ -44,9 +44,9 @@
 /vendor/firmware(/.*)?                                                      u:object_r:vendor_fw_file:s0

 # Vendor libraries
-/vendor/lib64/libdrm\.so                                                    u:object_r:same_process_hal_file:s0
-/vendor/lib64/libion_google\.so                                             u:object_r:same_process_hal_file:s0
-/vendor/lib64/arm\.graphics-V1-ndk\.so                                      u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so                                                 u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_google\.so                                          u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/arm\.graphics-V1-ndk\.so                                   u:object_r:same_process_hal_file:s0

 # Vendor kernel modules
 /vendor_dlkm/lib/modules/.*\.ko                                             u:object_r:vendor_kernel_modules:s0
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@ -1,3 +1,5 @@
 [@MDS]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem

+[@UWB]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@ -24,4 +24,7 @@
    <signer signature="@MDS" >
        <seinfo value="mds" />
    </signer>
+    <signer signature="@UWB" >
+        <seinfo value="uwb" />
+    </signer>
 </policy>
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@ -33,5 +33,8 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user

+# Qorvo UWB system app
+user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
 # Sub System Ramdump
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
@ -1,2 +1,4 @@
 com.google.hardware.pixel.display.IDisplay/default         u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default              u:object_r:touch_service:s0
+hardware.qorvo.uwb.IUwb/default                            u:object_r:hal_uwb_vendor_service:s0
+uwb_vendor                                                 u:object_r:uwb_vendor_service:s0
--- a/whitechapel_pro/vendor_uwb_init.te
+++ b/whitechapel_pro/vendor_uwb_init.te
@ -4,7 +4,7 @@ type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(vendor_uwb_init)

 allow vendor_uwb_init vendor_shell_exec:file rx_file_perms;
-allow vendor_uwb_init vendor_toolbox_exec:file  rx_file_perms;
+allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms;

 allow vendor_uwb_init uwb_data_vendor:file create_file_perms;
 allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;