Allow copy_efs_files_to_data to read efs block devices

Previously, we rely on mount points to copy files out of
efs partitions. Switch over to dump.f2fs to read directly
from block device without mounting. This allows us to copy
files out of efs partition in both 4K and 16K mode.

Test: Boot ext4 device with dev option enabled
Bug: 340965747
Change-Id: Ie3108319cfdb5d922a18863de7431c3cfcc4cf16

radio/copy_efs_files_to_data.te

@@ -15,23 +15,46 @@ allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms }
 allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms;
 allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms;
 
-allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr };
+# Allow execute /vendor/bin/dump.f2fs
+allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };
+
+# Allow execute dump.f2fs to dump files from /dev/block/by-name/efs
+allow copy_efs_files_to_data block_device:dir search;
+allow copy_efs_files_to_data efs_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data modem_userdata_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data persist_block_device:blk_file r_file_perms;
+
+# Allow checking if /data/vendor/copied/[efs/efs_backup/persist] exist
+allow copy_efs_files_to_data modem_efs_file:dir getattr;
+allow copy_efs_files_to_data modem_userdata_file:dir getattr;
+allow copy_efs_files_to_data persist_file:dir getattr;
+
+
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms;
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms;
+
+# dump.f2fs need to restore file permissions after dumping
+# files from an f2fs image
+allow copy_efs_files_to_data self:capability chown;
+allow copy_efs_files_to_data self:capability fowner;
+
 
 allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };
 
 
-# For reading files on /mnt/vendor/persist
-allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr };
-allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr };
-allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms;
 
-# For reading files on /mnt/vendor/efs
+# Should not write to any block devices. Only read from block device
-allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr };
+# and dump files to /data/vendor/copied
-allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr };
+dontaudit copy_efs_files_to_data dev_type:blk_file write;
-
+# Setting xattr requires sys_admin
-# For reading files on /mnt/vendor/modem_userdata
+dontaudit copy_efs_files_to_data self:capability sys_admin;
-allow copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr };
+# dump.f2fs would attempt to restore selinux on dumped files, but we
-allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr };
+# will use restorecon to do the job.
-
+dontaudit copy_efs_files_to_data modem_efs_image_file:dir relabelfrom;
-# Allow changing permission of files on /data/vendor/copied, part of cp -rp
+dontaudit copy_efs_files_to_data modem_efs_image_file:file relabelfrom;
-allow copy_efs_files_to_data self:capability { fowner chown };
+dontaudit copy_efs_files_to_data modem_efs_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_efs_file:file relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:file relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:dir relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:file relabelto;