From 8282a5abd2094ffa80b5bd737360c18967c4a599 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 25 Nov 2022 14:03:00 +0800
Subject: [PATCH] restart a number of domains

Bug: 254378739
Test: boot to home
Change-Id: I2390670d7d885d0e63fd6d1b4a1c9996ac3b6ee5
---
 legacy/whitechapel_pro/audioserver.te | 3 ---
 legacy/whitechapel_pro/bluetooth.te | 2 --
 legacy/whitechapel_pro/bootdevice_sysdev.te | 1 -
 legacy/whitechapel_pro/cccdk_timesync_app.te | 10 --------
 legacy/whitechapel_pro/charger_vendor.te | 10 --------
 legacy/whitechapel_pro/chre.te | 24 ------------------
 legacy/whitechapel_pro/euiccpixel_app.te | 26 --------------------
 legacy/whitechapel_pro/kernel.te | 11 ---------
 legacy/whitechapel_pro/seapp_contexts | 6 +----
 tracking_denials/permissive.te | 6 +++++
 vendor/cccdk_timesync_app.te | 2 ++
 vendor/chre.te | 4 +++
 vendor/euiccpixel_app.te | 4 +++
 vendor/seapp_contexts | 5 ++++
 14 files changed, 22 insertions(+), 92 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/audioserver.te
 delete mode 100644 legacy/whitechapel_pro/bluetooth.te
 delete mode 100644 legacy/whitechapel_pro/bootdevice_sysdev.te
 delete mode 100644 legacy/whitechapel_pro/cccdk_timesync_app.te
 delete mode 100644 legacy/whitechapel_pro/charger_vendor.te
 delete mode 100644 legacy/whitechapel_pro/chre.te
 delete mode 100644 legacy/whitechapel_pro/euiccpixel_app.te
 delete mode 100644 legacy/whitechapel_pro/kernel.te
 create mode 100644 vendor/cccdk_timesync_app.te
 create mode 100644 vendor/chre.te
 create mode 100644 vendor/euiccpixel_app.te
 create mode 100644 vendor/seapp_contexts

diff --git a/legacy/whitechapel_pro/audioserver.te b/legacy/whitechapel_pro/audioserver.te
deleted file mode 100644
index c7d69097..00000000
--- a/legacy/whitechapel_pro/audioserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# allow access to ALSA MMAP FDs for AAudio API
-allow audioserver audio_device:chr_file r_file_perms;
-allow audioserver audio_service:service_manager find;
diff --git a/legacy/whitechapel_pro/bluetooth.te b/legacy/whitechapel_pro/bluetooth.te
deleted file mode 100644
index 47b18f4c..00000000
--- a/legacy/whitechapel_pro/bluetooth.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
-allow hal_bluetooth_btlinux device:dir r_dir_perms;
diff --git a/legacy/whitechapel_pro/bootdevice_sysdev.te b/legacy/whitechapel_pro/bootdevice_sysdev.te
deleted file mode 100644
index 2ff0acb9..00000000
--- a/legacy/whitechapel_pro/bootdevice_sysdev.te
+++ /dev/null
@@ -1 +0,0 @@
-allow bootdevice_sysdev sysfs:filesystem associate;
diff --git a/legacy/whitechapel_pro/cccdk_timesync_app.te b/legacy/whitechapel_pro/cccdk_timesync_app.te
deleted file mode 100644
index f6e514d9..00000000
--- a/legacy/whitechapel_pro/cccdk_timesync_app.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type vendor_cccdktimesync_app, domain;
-app_domain(vendor_cccdktimesync_app)
-
-allow vendor_cccdktimesync_app app_api_service:service_manager find;
-
-binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
-allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
-
-# allow the HAL to call our registered callbacks
-binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
diff --git a/legacy/whitechapel_pro/charger_vendor.te b/legacy/whitechapel_pro/charger_vendor.te
deleted file mode 100644
index df59b717..00000000
--- a/legacy/whitechapel_pro/charger_vendor.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow charger_vendor mnt_vendor_file:dir search;
-allow charger_vendor sysfs_batteryinfo:file w_file_perms;
-allow charger_vendor persist_file:dir search;
-allow charger_vendor persist_battery_file:dir search;
-allow charger_vendor persist_battery_file:file rw_file_perms;
-allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
-allow charger_vendor sysfs_thermal:file w_file_perms;
-allow charger_vendor sysfs_thermal:lnk_file read;
-allow charger_vendor thermal_link_device:dir search;
-set_prop(charger_vendor, vendor_battery_defender_prop)
diff --git a/legacy/whitechapel_pro/chre.te b/legacy/whitechapel_pro/chre.te
deleted file mode 100644
index ea0e1a91..00000000
--- a/legacy/whitechapel_pro/chre.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type chre, domain;
-type chre_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(chre)
-
-# Permit communication with AoC
-allow chre aoc_device:chr_file rw_file_perms;
-
-# Allow CHRE to determine AoC's current clock
-allow chre sysfs_aoc:dir search;
-allow chre sysfs_aoc_boottime:file r_file_perms;
-
-# Allow CHRE to create thread to watch AOC's device
-allow chre device:dir r_dir_perms;
-
-# Allow CHRE to use the USF low latency transport
-usf_low_latency_transport(chre)
-
-# Allow CHRE to talk to the WiFi HAL
-allow chre hal_wifi_ext:binder { call transfer };
-allow chre hal_wifi_ext_hwservice:hwservice_manager find;
-allow chre hal_wifi_ext_service:service_manager find;
-
-# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP.
-allow chre self:global_capability2_class_set block_suspend;
diff --git a/legacy/whitechapel_pro/euiccpixel_app.te b/legacy/whitechapel_pro/euiccpixel_app.te
deleted file mode 100644
index 303f8f36..00000000
--- a/legacy/whitechapel_pro/euiccpixel_app.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# EuiccSupportPixel app
-
-type euiccpixel_app, domain;
-app_domain(euiccpixel_app)
-
-allow euiccpixel_app app_api_service:service_manager find;
-allow euiccpixel_app radio_service:service_manager find;
-allow euiccpixel_app nfc_service:service_manager find;
-allow euiccpixel_app sysfs_st33spi:dir search;
-allow euiccpixel_app sysfs_st33spi:file rw_file_perms;
-
-set_prop(euiccpixel_app, vendor_secure_element_prop)
-set_prop(euiccpixel_app, vendor_modem_prop)
-get_prop(euiccpixel_app, dck_prop)
-
-userdebug_or_eng(`
- net_domain(euiccpixel_app)
-
- # Access to directly upgrade firmware on st54spi_device used for engineering devices
- typeattribute st54spi_device mlstrustedobject;
- allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
- # Access to directly upgrade firmware on st33spi_device used for engineering devices
- typeattribute st33spi_device mlstrustedobject;
- allow euiccpixel_app st33spi_device:chr_file rw_file_perms;
-')
-
diff --git a/legacy/whitechapel_pro/kernel.te b/legacy/whitechapel_pro/kernel.te
deleted file mode 100644
index c34e7f72..00000000
--- a/legacy/whitechapel_pro/kernel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-allow kernel vendor_fw_file:dir search;
-allow kernel vendor_fw_file:file r_file_perms;
-
-# ZRam
-allow kernel per_boot_file:file r_file_perms;
-
-# memlat needs permision to create/delete perf events when hotplug on/off
-allow kernel self:capability2 perfmon;
-allow kernel self:perf_event cpu;
-
-dontaudit kernel vendor_battery_debugfs:dir search;
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index a7505ad6..6b5af58d 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -14,11 +14,7 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
 
-# Domain for EuiccSupportPixel
-user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
-
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
 
-# CccDkTimeSyncService
-user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
+
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 1be126be..f1a39898 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -2,4 +2,10 @@ userdebug_or_eng(`
  permissive pixelstats_vendor;
  permissive logger_app;
  permissive fastbootd;
+ permissive audioserver;
+ permissive hal_bluetooth_btlinux;
+ permissive bootdevice_sysdev;
+ permissive charger_vendor;
+ permissive chre;
+ permissive kernel;
 ')
diff --git a/vendor/cccdk_timesync_app.te b/vendor/cccdk_timesync_app.te
new file mode 100644
index 00000000..2377adc8
--- /dev/null
+++ b/vendor/cccdk_timesync_app.te
@@ -0,0 +1,2 @@
+type vendor_cccdktimesync_app, domain;
+
diff --git a/vendor/chre.te b/vendor/chre.te
new file mode 100644
index 00000000..59ee7d58
--- /dev/null
+++ b/vendor/chre.te
@@ -0,0 +1,4 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
diff --git a/vendor/euiccpixel_app.te b/vendor/euiccpixel_app.te
new file mode 100644
index 00000000..1ca85843
--- /dev/null
+++ b/vendor/euiccpixel_app.te
@@ -0,0 +1,4 @@
+# EuiccSupportPixel app
+
+type euiccpixel_app, domain;
+
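Review bot: The six added `permissive` lines in tracking_denials/permissive.te carry no reference to the tracking bug, and `permissive kernel;` puts the kernel domain into audit-only mode even though the deleted legacy/whitechapel_pro/kernel.te contained a `dontaudit kernel vendor_battery_debugfs:dir search;` entry that was deliberately silenced rather than allowed. When the replacement vendor rules are later derived from the collected denials, that access should come back as dontaudit, not allow, so I would add above the new entries `# b/254378739: domains restarted; drop each entry once its vendor/*.te rules are rebuilt`. The enclosing userdebug_or_eng( block starts on line 1, outside this hunk, so as the header context shows these entries remain confined to userdebug/eng builds.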
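Review bot: The new vendor/cccdk_timesync_app.te declares `type vendor_cccdktimesync_app, domain;` but drops the `app_domain(vendor_cccdktimesync_app)` macro that the deleted legacy file applied, and unlike the six daemon domains it is not added to tracking_denials/permissive.te; the vendor/euiccpixel_app.te hunk has the same shape for `euiccpixel_app`. vendor/seapp_contexts still routes com.google.pixel.digitalkey.timesync and com.google.euiccpixel into these two domains, so they would presumably run as bare enforcing domains with none of the app base rules, which I would expect to break the apps rather than collect denials. Either keep `app_domain(vendor_cccdktimesync_app)` and `app_domain(euiccpixel_app)` in the new files, or, if the intent is to rebuild these domains from denial logs like the others, add both to the permissive list with the same bug reference.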
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
new file mode 100644
index 00000000..6f3ee638
--- /dev/null
+++ b/vendor/seapp_contexts
@@ -0,0 +1,5 @@
+# Domain for EuiccSupportPixel
+user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+
+# CccDkTimeSyncService
+user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
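Review bot: The CccDkTimeSyncService entry on the last line selects its domain by package name alone (`isPrivApp=true name=com.google.pixel.digitalkey.timesync`), whereas the EuiccSupportPixel entry above it also pins `seinfo=EuiccSupportPixel`. The line is moved verbatim from legacy/whitechapel_pro/seapp_contexts, so this is pre-existing, but the move is a reasonable moment to check whether a seinfo selector tied to the app's signing configuration should constrain it as well, since a package name on its own is the weaker identity. A short comment on the entry recording why no seinfo applies, if that is intentional, would save the next reader the same question.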