From 0cdeda46b2104ca20091d99b43bd7997900e0b98 Mon Sep 17 00:00:00 2001
From: kierancyphus <kierancyphus@google.com>
Date: Tue, 23 Jan 2024 15:22:43 +0800
Subject: [PATCH] liboemservice_proxy: Update sepolicy to hal

This was wrongly configured originally, and has instead been modified to
follow the advice from
https://source.android.com/docs/core/architecture/aidl/aidl-hals#sepolicy.

Test: atest vts_treble_vintf_vendor_test:DeviceManifest/SingleAidlTest
Bug: 321867236

Change-Id: I75df4696660b2c052324313785b244c263ebd75b
---
 radio/dmd.te                   |  7 +------
 radio/file_contexts            |  1 +
 radio/liboemservice_proxy.te   | 34 ++++++++++++++++++++++++++++++++++
 radio/modem_diagnostic_app.te  |  5 +++--
 radio/private/service_contexts |  3 ---
 radio/service.te               |  4 ++--
 radio/service_contexts         |  2 ++
 7 files changed, 43 insertions(+), 13 deletions(-)
 create mode 100644 radio/liboemservice_proxy.te
 create mode 100644 radio/service_contexts

diff --git a/radio/dmd.te b/radio/dmd.te
index 6216106a..be820be8 100644
--- a/radio/dmd.te
+++ b/radio/dmd.te
@@ -30,9 +30,4 @@ binder_call(dmd, hwservicemanager)
 binder_call(dmd, modem_diagnostic_app)
 binder_call(dmd, modem_logging_control)
 binder_call(dmd, vendor_telephony_silentlogging_app)
-
-# Allow proxy to register as android Service
-binder_use(dmd)
-add_service(dmd, liboemservice_proxy)
-allow dmd radio_vendor_data_file:dir create_dir_perms;
-allow dmd radio_vendor_data_file:file create_file_perms;
\ No newline at end of file
+binder_call(dmd, liboemservice_proxy_default)
diff --git a/radio/file_contexts b/radio/file_contexts
index 8d74be8e..1fcdfdd3 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -11,6 +11,7 @@
 /vendor/bin/cbd                                                             u:object_r:cbd_exec:s0
 /vendor/bin/hw/rild_exynos                                                  u:object_r:rild_exec:s0
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service                        u:object_r:hal_radioext_default_exec:s0
+/vendor/bin/liboemservice_proxy_default                                     u:object_r:liboemservice_proxy_default_exec:s0
 
 # Config files
 /vendor/etc/modem_ml_models\.conf                                           u:object_r:modem_config_file:s0
diff --git a/radio/liboemservice_proxy.te b/radio/liboemservice_proxy.te
new file mode 100644
index 00000000..9a4a61a7
--- /dev/null
+++ b/radio/liboemservice_proxy.te
@@ -0,0 +1,34 @@
+type liboemservice_proxy_default, domain;
+type liboemservice_proxy_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(liboemservice_proxy_default)
+
+# Allow proxy to register as android service.
+binder_use(liboemservice_proxy_default);
+add_service(liboemservice_proxy_default, liboemservice_proxy_service);
+
+get_prop(liboemservice_proxy_default, hwservicemanager_prop)
+binder_call(liboemservice_proxy_default, hwservicemanager)
+binder_call(liboemservice_proxy_default, dmd)
+allow liboemservice_proxy_default hal_vendor_oem_hwservice:hwservice_manager find;
+allow liboemservice_proxy_default radio_vendor_data_file:dir create_dir_perms;
+allow liboemservice_proxy_default radio_vendor_data_file:file create_file_perms;
+
+# Grant to access serial device for external logging tool
+allow liboemservice_proxy_default serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow liboemservice_proxy_default radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow liboemservice_proxy_default vendor_slog_file:dir create_dir_perms;
+allow liboemservice_proxy_default vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow liboemservice_proxy_default node:tcp_socket node_bind;
+allow liboemservice_proxy_default self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(liboemservice_proxy_default, vendor_diag_prop)
+set_prop(liboemservice_proxy_default, vendor_slog_prop)
+set_prop(liboemservice_proxy_default, vendor_modem_prop)
+get_prop(liboemservice_proxy_default, vendor_persist_config_default_prop)
diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te
index ecd27394..aaf2aab2 100644
--- a/radio/modem_diagnostic_app.te
+++ b/radio/modem_diagnostic_app.te
@@ -41,6 +41,7 @@ userdebug_or_eng(`
   dontaudit modem_diagnostic_app default_prop:file r_file_perms;
 
   # Modem Log Mask Library Permissions
-  binder_call(modem_diagnostic_app, liboemservice_proxy)
-  allow modem_diagnostic_app liboemservice_proxy:service_manager find;
+  allow modem_diagnostic_app liboemservice_proxy_service:service_manager find;
+  binder_use(modem_diagnostic_app)
+  binder_call(modem_diagnostic_app, liboemservice_proxy_default)
 ')
diff --git a/radio/private/service_contexts b/radio/private/service_contexts
index fdd49d4b..289e8e22 100644
--- a/radio/private/service_contexts
+++ b/radio/private/service_contexts
@@ -1,4 +1 @@
 telephony.oem.oemrilhook        u:object_r:radio_service:s0
-
-# DMD oemservice aidl proxy
-com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default                 u:object_r:liboemservice_proxy:s0
\ No newline at end of file
diff --git a/radio/service.te b/radio/service.te
index 620a3d4b..f2790d71 100644
--- a/radio/service.te
+++ b/radio/service.te
@@ -1,2 +1,2 @@
-# dmd liboemservice_proxy
-type liboemservice_proxy, hal_service_type, service_manager_type;
+# define liboemservice_proxy_service
+type liboemservice_proxy_service, hal_service_type, service_manager_type;
diff --git a/radio/service_contexts b/radio/service_contexts
new file mode 100644
index 00000000..ce755180
--- /dev/null
+++ b/radio/service_contexts
@@ -0,0 +1,2 @@
+# DMD oemservice aidl proxy
+com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0