From 6ea5e4634aca7b3e115c8b47507a8098be4d9d87 Mon Sep 17 00:00:00 2001 From: Kah Xuan Lim Date: Tue, 13 Dec 2022 15:12:49 +0800 Subject: [PATCH] Modem ML: create selinux rules Bug: 262338662 Change-Id: I899a03a36b542bbf6b9e4b936f279f2d6b4a4c7b --- radio/file.te | 1 + radio/file_contexts | 4 ++++ radio/modem_ml_svc_sit.te | 22 ++++++++++++++++++++++ 3 files changed, 27 insertions(+) create mode 100644 radio/modem_ml_svc_sit.te diff --git a/radio/file.te b/radio/file.te index 859dba65..62a9b514 100644 --- a/radio/file.te +++ b/radio/file.te @@ -25,6 +25,7 @@ type vendor_fw_file, vendor_file_type, file_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; +type modem_config_file, file_type, vendor_file_type; # sysfs type sysfs_chosen, sysfs_type, fs_type; diff --git a/radio/file_contexts b/radio/file_contexts index 45ae6970..74e4b3ee 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -7,10 +7,14 @@ /vendor/bin/rfsd u:object_r:rfsd_exec:s0 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 +/vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0 /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 +# Config files +/vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 + # Data /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 diff --git a/radio/modem_ml_svc_sit.te b/radio/modem_ml_svc_sit.te new file mode 100644 index 00000000..e742dbf4 --- /dev/null +++ b/radio/modem_ml_svc_sit.te 
@@ -0,0 +1,22 @@
+type modem_ml_svc_sit, domain;
+type modem_ml_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_ml_svc_sit)
+
+binder_use(modem_ml_svc_sit)
+
+# Grant radio device access
+allow modem_ml_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_ml_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_ml_svc_sit radio_vendor_data_file:file create_file_perms;
+
+# Grant modem ml models config files access
+allow modem_ml_svc_sit modem_config_file:file r_file_perms;
+
+# RIL property
+get_prop(modem_ml_svc_sit, vendor_rild_prop)
+
+# Access to NNAPI service
+hal_client_domain(modem_ml_svc_sit, hal_neuralnetworks)
+allow modem_ml_svc_sit edgetpu_nnapi_service:service_manager find;
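Review bot: The two `radio_vendor_data_file` rules give the new domain `create_dir_perms` and `create_file_perms` on every object with that label, and the file_contexts context lines in this same patch show `/data/vendor/radio(/.*)?` carrying it, so the ML service can create, overwrite and delete anything in that tree rather than only its own output. If the daemon writes to a single subdirectory, a dedicated type for that path with the create permissions moved onto it would keep the rest of the radio data tree out of reach; if it only reads there, `r_dir_perms` and `r_file_perms` are enough. The `radio_device:chr_file rw_file_perms` rule is similarly broad, presumably covering every node labelled `radio_device`, and the comment above it could name the device node the service actually opens. Each allow would also benefit from a comment stating why the access is needed, e.g. `# modem_ml_svc_sit writes <what it writes> under /data/vendor/radio`.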