Add sepolicy for ConnectivityMonitor

Bug: 264489520
Test: v2/pixel-pts/base
Change-Id: I669a538fe3d0a03422638d7d19fc62a793246f6b

tracking_denials/bug_map

@@ -1,14 +1,3 @@
-con_monitor_app app_data_file dir b/264483670
-con_monitor_app app_data_file file b/264483670
-con_monitor_app batterystats_service service_manager b/283725302
-con_monitor_app dalvikcache_data_file dir b/264483670
-con_monitor_app dalvikcache_data_file file b/264483670
-con_monitor_app init unix_stream_socket b/283725302
-con_monitor_app mnt_expand_file dir b/264483670
-con_monitor_app property_socket sock_file b/283725302
-con_monitor_app radio_prop property_service b/283725302
-con_monitor_app system_data_file lnk_file b/264483670
-con_monitor_app virtual_device_service service_manager b/283725302
 dump_modem sysfs_dump_modem file b/281815537
 dumpstate app_zygote process b/279680264
 google_camera_app audio_service service_manager b/264600171

tracking_denials/con_monitor_app.te

@@ -1,36 +0,0 @@
-# b/261518779
-dontaudit con_monitor_app activity_service:service_manager { find };
-dontaudit con_monitor_app content_capture_service:service_manager { find };
-dontaudit con_monitor_app game_service:service_manager { find };
-dontaudit con_monitor_app netstats_service:service_manager { find };
-dontaudit con_monitor_app system_server:binder { call };
-dontaudit con_monitor_app system_server:binder { transfer };
-dontaudit con_monitor_app system_server:fd { use };
-# b/261783158
-dontaudit con_monitor_app system_file:file { getattr };
-dontaudit con_monitor_app system_file:file { map };
-dontaudit con_monitor_app system_file:file { open };
-dontaudit con_monitor_app system_file:file { read };
-dontaudit con_monitor_app tmpfs:file { execute };
-dontaudit con_monitor_app tmpfs:file { map };
-dontaudit con_monitor_app tmpfs:file { read };
-dontaudit con_monitor_app tmpfs:file { write };
-# b/261933171
-dontaudit con_monitor_app dumpstate:fd { use };
-dontaudit con_monitor_app dumpstate:fifo_file { append };
-dontaudit con_monitor_app dumpstate:fifo_file { write };
-dontaudit con_monitor_app system_server:fifo_file { write };
-dontaudit con_monitor_app tombstoned:unix_stream_socket { connectto };
-dontaudit con_monitor_app tombstoned_java_trace_socket:sock_file { write };
-# b/262455571
-dontaudit con_monitor_app data_file_type:dir { search };
-dontaudit con_monitor_app servicemanager:binder { call };
-dontaudit con_monitor_app statsd:unix_dgram_socket { sendto };
-dontaudit con_monitor_app statsdw_socket:sock_file { write };
-dontaudit con_monitor_app system_file:file { execute };
-# b/264489520
-userdebug_or_eng(`
-  permissive con_monitor_app;
-')
-# b/267843291
-dontaudit con_monitor_app resourcecache_data_file:file { read };

vendor/con_monitor_app.te

@@ -1,3 +1,12 @@
 # ConnectivityMonitor app
 type con_monitor_app, domain;
 app_domain(con_monitor_app);
+
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app batterystats_service:service_manager find;
+allow con_monitor_app virtual_device_service:service_manager find;
+
+binder_call(con_monitor_app, system_server);
+binder_call(con_monitor_app, servicemanager);
+
+set_prop(con_monitor_app, radio_prop);

vendor/system_server.te

@@ -1,5 +1,6 @@
 # Allow system server to send sensor data callbacks to GPS
 binder_call(system_server, gpsd);
 binder_call(system_server, hal_camera_default);
+binder_call(system_server, con_monitor_app);
 
 allow system_server arm_mali_platform_service:service_manager find;