restart domain

Bug: 254378739 Test: boot to home Change-Id: I776bf6fa66605a4c3a888f2362b79fa1e0ec122a
2022-12-07 09:46:04 +08:00 · 2022-12-07 09:46:04 +08:00 · 1774ec056b
commit 1774ec056b
parent 43a2adc630
12 changed files with 22 additions and 77 deletions
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@ -17,7 +17,6 @@
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix   u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st                           u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor         u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service                       u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice                                                      u:object_r:rlsservice_exec:s0
 # Vendor Firmwares
--- a/legacy/whitechapel_pro/google_camera_app.te
+++ b/legacy/whitechapel_pro/google_camera_app.te
@ -1,15 +0,0 @@
 type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
 allow google_camera_app app_api_service:service_manager find;
 allow google_camera_app audioserver_service:service_manager find;
 allow google_camera_app cameraserver_service:service_manager find;
 allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
 # Allows camera app to access the GXP device.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
 # Allows camera app to search for GXP firmware file.
 allow google_camera_app vendor_fw_file:dir search;
--- a/legacy/whitechapel_pro/hal_uwb_vendor.te
+++ b/legacy/whitechapel_pro/hal_uwb_vendor.te
@ -1,16 +0,0 @@
 # HwBinder IPC from client to server
 binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
 binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
 hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
 binder_call(hal_uwb_vendor_server, servicemanager)
 # allow hal_uwb_vendor to set wpan interfaces up and down
 allow hal_uwb_vendor self:udp_socket create_socket_perms;
 allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
 # TODO(b/190461440): Find a long term solution for this.
 allow hal_uwb_vendor self:global_capability_class_set { net_admin };
 # allow hal_uwb_vendor to speak to nl802154 in the kernel
 allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
--- a/legacy/whitechapel_pro/hal_uwb_vendor_default.te
+++ b/legacy/whitechapel_pro/hal_uwb_vendor_default.te
@ -1,14 +0,0 @@
 type hal_uwb_vendor_default, domain;
 type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_uwb_vendor_default)
 hal_server_domain(hal_uwb_vendor_default, hal_uwb)
 add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
 hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
 binder_call(hal_uwb_vendor_default, uwb_vendor_app)
 allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
 allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
 get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@ -4,11 +4,4 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
--- a/legacy/whitechapel_pro/uwb_vendor_app.te
+++ b/legacy/whitechapel_pro/uwb_vendor_app.te
@ -1,21 +0,0 @@
 type uwb_vendor_app, domain;
 app_domain(uwb_vendor_app)
 not_recovery(`
 hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
 allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
 allow uwb_vendor_app nfc_service:service_manager find;
 allow uwb_vendor_app radio_service:service_manager find;
 allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
 allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
 allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
 allow hal_uwb_vendor_default kernel:process setsched;
 get_prop(uwb_vendor_app, vendor_secure_element_prop)
 binder_call(uwb_vendor_app, hal_uwb_vendor_default)
 ')
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@ -26,4 +26,7 @@ userdebug_or_eng(`
  permissive hal_usb_gadget_impl;
  permissive hal_usb_impl;
  permissive hal_camera_default;
  permissive hal_uwb_vendor_default;
  permissive google_camera_app;
  permissive uwb_vendor_app;
 ')
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -8,6 +8,7 @@
 /vendor/bin/hw/android\.hardware\.usb-service                               u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service                       u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service          u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service                       u:object_r:hal_uwb_vendor_default_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)?                                                      u:object_r:vendor_fw_file:s0
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@ -1,3 +1,3 @@
-# Allows GCA to find and access the EdgeTPU.
+type google_camera_app, domain, coredomain;
-allow google_camera_app edgetpu_app_service:service_manager find;
+app_domain(google_camera_app)
-allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
--- a/vendor/hal_uwb_vendor_default.te
+++ b/vendor/hal_uwb_vendor_default.te
@ -0,0 +1,4 @@
 type hal_uwb_vendor_default, domain;
 type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_uwb_vendor_default)
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@ -7,5 +7,12 @@ user=_app isPrivApp=true  seinfo=platform name=com.thales.device.ofl.app.basicag
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
--- a/vendor/uwb_vendor_app.te
+++ b/vendor/uwb_vendor_app.te
@ -0,0 +1,4 @@
 type uwb_vendor_app, domain;
 app_domain(uwb_vendor_app)
		`@ -0,0 +1,4 @@`
							`type uwb_vendor_app, domain;`

							`app_domain(uwb_vendor_app)`