From 44ee5a2fb20eb4de752c09c4d9f7f9ed69222914 Mon Sep 17 00:00:00 2001
From: neoyu
Date: Fri, 24 Mar 2023 02:30:44 +0800
Subject: [PATCH 1/3] sepolicy: allow hal_radioext_default binder call with servicemanager

avc: denied { call } for comm="binder:795_2" scontext=u:r:hal_radioext_default:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0

Bug: 274374768
Test: verify by test rom
Change-Id: I31cfbd234756fdc41663cec766f6b3bf23063bc7
---
 radio/hal_radioext_default.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te
index 521c0950..bbdd2a0c 100644
--- a/radio/hal_radioext_default.te
+++ b/radio/hal_radioext_default.te
@@ -6,6 +6,7 @@ hwbinder_use(hal_radioext_default)
 get_prop(hal_radioext_default, hwservicemanager_prop)
 add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+binder_call(hal_radioext_default, servicemanager)
 binder_call(hal_radioext_default, grilservice_app)
 binder_call(hal_radioext_default, hal_bluetooth_btlinux)

From 84aa699ac89d0cde0645e58da85fd1bba772ff63 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Fri, 24 Mar 2023 04:37:15 +0000
Subject: [PATCH 2/3] Add certificate & label for GCA-ENG & GCA-Next

This commit makes following changes:
- Add selinux policies for GCA-Eng & GCA-Next to access GXP device & edgetpu services.
- Refactor code to push policies for Google Camera app from legacy/whitechapel_pro/* to vendor/*

Tested:
- flashed both GCA-Eng & GCA-Next apps and observed no crashes due to gxp or edgetpu.
- scontext changed from "untrusted_app_32" to "debug_camera_app" in both cases.

Bug: 264490031
Change-Id: I51f69168eebd6c7e54e512b7abde8dd6bbe7c443
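Review bot: The added `binder_call(hal_radioext_default, servicemanager)` only covers the `{ call }` denial quoted in the message; system/sepolicy's `binder_use(domain)` macro is the conventional way to let a domain talk to servicemanager, and it also grants servicemanager the `dir search`, `file { read open }` and `process getattr` permissions it needs to look up the caller's context, which this single rule does not. Replacing the added line with `binder_use(hal_radioext_default)` would avoid a second round of denials once the HAL actually registers or looks up an AIDL service; if only `call` is intended, a comment explaining why would help the next reader. The hunk header shows the domain already using `hwbinder_use`, so this presumably is the start of an AIDL migration and a matching `add_service`/`find` rule is still to come, but that is outside this change.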
Signed-off-by: Dinesh Yadav
---
 legacy/whitechapel_pro/keys.conf | 3 --
 legacy/whitechapel_pro/mac_permissions.xml | 3 --
 .../certs/app.x509.pem | 0
 vendor/certs/camera_eng.x509.pem | 17 ++++++++++
 vendor/certs/camera_fishfood.x509.pem | 15 +++++++++
 vendor/debug_camera_app.te | 23 +++++++++++++
 vendor/keys.conf | 8 +++++
 vendor/mac_permissions.xml | 33 +++++++++++++++++++
 vendor/seapp_contexts | 9 +++++
 9 files changed, 105 insertions(+), 6 deletions(-)
 rename {legacy/whitechapel_pro => vendor}/certs/app.x509.pem (100%)
 create mode 100644 vendor/certs/camera_eng.x509.pem
 create mode 100644 vendor/certs/camera_fishfood.x509.pem
 create mode 100644 vendor/debug_camera_app.te
 create mode 100644 vendor/keys.conf
 create mode 100644 vendor/mac_permissions.xml

diff --git a/legacy/whitechapel_pro/keys.conf b/legacy/whitechapel_pro/keys.conf
index 9766e571..acc82e47 100644
--- a/legacy/whitechapel_pro/keys.conf
+++ b/legacy/whitechapel_pro/keys.conf
@@ -1,6 +1,3 @@
-[@GOOGLE]
-ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/app.x509.pem
-
 [@UWB]
 ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
diff --git a/legacy/whitechapel_pro/mac_permissions.xml b/legacy/whitechapel_pro/mac_permissions.xml
index da4dc908..956da955 100644
--- a/legacy/whitechapel_pro/mac_permissions.xml
+++ b/legacy/whitechapel_pro/mac_permissions.xml
@@ -21,9 +21,6 @@ - The default tag is consulted last if needed. --> - - -
diff --git a/legacy/whitechapel_pro/certs/app.x509.pem b/vendor/certs/app.x509.pem
similarity index 100%
rename from legacy/whitechapel_pro/certs/app.x509.pem
rename to vendor/certs/app.x509.pem
diff --git a/vendor/certs/camera_eng.x509.pem b/vendor/certs/camera_eng.x509.pem
new file mode 100644
index 00000000..011a9ec4
--- /dev/null
+++ b/vendor/certs/camera_eng.x509.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw
+NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO
+OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb
++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg
+UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX
+TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj
+rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
+TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK
+pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY
+DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG
+ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4
+rscXTxYEf4Tqovc=
+-----END CERTIFICATE-----
diff --git a/vendor/certs/camera_fishfood.x509.pem b/vendor/certs/camera_fishfood.x509.pem
new file mode 100644
index 00000000..fb11572f
--- /dev/null
+++ b/vendor/certs/camera_fishfood.x509.pem
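Review bot: The `camera_eng.x509.pem` trust anchor decodes to a 1024-bit SHA1-DSA certificate with subject `CN=Android Debug, O=Android, C=US` and a validity window of 2012-07-17 to 2022-07-15, i.e. a developer debug-keystore certificate that had already expired when this change was written; the `camera_fishfood.x509.pem` hunk on the next line is likewise a 1024-bit RSA certificate signed with md5WithRSA, issued 2008-12-02 with `CN=Unknown, O=Google, Inc`. Android's package manager does not enforce certificate expiry, so both mappings will still match, but these certificates now select SELinux domains (`debug_camera_app`, and for the fishfood key the production `google_camera_app` domain via `vendor/seapp_contexts`), so they act as trust anchors for GXP/EdgeTPU device-node access. A comment in `vendor/keys.conf` recording who controls each key and that the eng key is a debug keystore whose rules are gated by `userdebug_or_eng` would make that risk visible to later reviewers, and rotating to dedicated keys is worth a follow-up bug.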
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n
+bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w
+HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv
+b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93
+bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/
+jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B
+IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe
+tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td
+0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg
+Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b
+aIOMFB0Km9HbEZHLKg33kOoMsS2zpA==
+-----END CERTIFICATE-----
diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te
new file mode 100644
index 00000000..4199b078
--- /dev/null
+++ b/vendor/debug_camera_app.te
@@ -0,0 +1,23 @@
+type debug_camera_app, domain, coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows GCA-Eng & GCA-Next access the GXP device.
+ allow debug_camera_app gxp_device:chr_file rw_file_perms;
+
+ # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+ # Allows GCA_Eng & GCA-Next to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/vendor/keys.conf b/vendor/keys.conf
new file mode 100644
index 00000000..290a62b5
--- /dev/null
+++ b/vendor/keys.conf
@@ -0,0 +1,8 @@
+[@GOOGLE]
+ALL : device/google/zuma-sepolicy/vendor/certs/app.x509.pem
+
+[@CAMERAENG]
+ALL : device/google/zuma-sepolicy/vendor/certs/camera_eng.x509.pem
+
+[@CAMERAFISHFOOD]
+ALL : device/google/zuma-sepolicy/vendor/certs/camera_fishfood.x509.pem
diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml
new file mode 100644
index 00000000..8e8c3c23
--- /dev/null
+++ b/vendor/mac_permissions.xml
@@ -0,0 +1,33 @@ + + + + + + + + + + + + + +
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 9ed2e666..8f5eea15 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
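Review bot: `allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };` omits `open`, while the `gxp_device` rule a few lines above uses `rw_file_perms`, which includes it; if the narrower set is deliberate because the app is only meant to use EdgeTPU fds handed to it through `edgetpu_app_service` rather than opening the node itself, that should be written down so a later cleanup does not silently widen it, e.g. `# No open: fds are passed in by the EdgeTPU service; the app never opens the node itself.` The file would also benefit from a header comment stating that `type debug_camera_app` is declared unconditionally but every rule, including `app_domain`, sits inside `userdebug_or_eng`, so on user builds an APK matching the `seinfo=CameraEng` entries in `vendor/seapp_contexts` is labelled into a domain carrying only the base `domain`/`coredomain` rules — presumably the intended fail-closed behaviour, but a reader cannot tell. The PowerHAL comment spells the app `GCA_Eng` where the two comments above use `GCA-Eng`.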
@@ -16,6 +16,15 @@ user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldispl
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
+
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all

From 6acea9d647df5b55d4dc487d002a08a06ea7bd86 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Sat, 25 Mar 2023 16:39:12 +0800
Subject: [PATCH 3/3] Move OTA context out of legacy folder

Bug: 275143841
Test: OTA
Change-Id: I4774b7c48c075afc1b02d8c34fded212cd0efffb
---
 legacy/whitechapel_pro/file.te | 1 -
 legacy/whitechapel_pro/genfs_contexts | 3 ---
 vendor/file.te | 2 ++
 vendor/genfs_contexts | 3 +++
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index eb8edf7d..38d3dc82 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -12,7 +12,6 @@ userdebug_or_eng(`
 ')
 # sysfs
-type sysfs_ota, sysfs_type, fs_type;
 type bootdevice_sysdev, dev_type;
 type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
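Review bot: The fishfood entry `user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all` drops the `isPrivApp=true` that the GoogleCamera entry directly above carries, so a non-privileged install (for example a sideloaded build) with that package name and signing certificate is placed in the production `google_camera_app` domain, even though the comment describes it as getting "the same access as GoogleCamera". If that is intended because fishfood builds are not preinstalled, the comment should say so; otherwise add `isPrivApp=true` to match the GoogleCamera line. The two `seinfo=CameraEng` entries are keyed on the signing certificate rather than `name=` alone, which is the right shape, but neither of the new entries is gated on build type here — that gating, if any, lives entirely in `vendor/debug_camera_app.te`.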
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 464852e2..dccae4e5 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -26,9 +26,6 @@ genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_coun
 genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
 genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-# OTA
-genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
-
 # Storage
 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
diff --git a/vendor/file.te b/vendor/file.te
index 4ba631a7..60d02363 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -39,5 +39,7 @@ userdebug_or_eng(`
 typeattribute proc_vendor_sched mlstrustedobject;
 ')
+# sysfs
 type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_em_profile, sysfs_type, fs_type;
+type sysfs_ota, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 19e281bb..d517e407 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -447,3 +447,6 @@ genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:ob
 genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
+
+# OTA
+genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0