From d6f91bdd8c0769c42a598d6f117de073225244bf Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 1 Dec 2022 08:58:17 +0800
Subject: [PATCH] restart deomains
Bug: 254378739
Test: boot to home
Change-Id: I0ba59f5781d50ac4e9d8f501792a74187eda864e
---
 legacy/whitechapel_pro/con_monitor.te | 10 ----------
 legacy/whitechapel_pro/file_contexts | 1 -
 .../hal_secure_element_st54spi.te | 8 --------
 legacy/whitechapel_pro/ofl_app.te | 20 -------------------
 legacy/whitechapel_pro/seapp_contexts | 6 ------
 tracking_denials/permissive.te | 3 +++
 vendor/con_monitor_app.te | 3 +++
 vendor/file_contexts | 1 +
 vendor/hal_secure_element_st54spi.te | 4 ++++
 vendor/ofl_app.te | 3 +++
 vendor/seapp_contexts | 6 ++++++
 11 files changed, 20 insertions(+), 45 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/con_monitor.te
 delete mode 100644 legacy/whitechapel_pro/hal_secure_element_st54spi.te
 delete mode 100644 legacy/whitechapel_pro/ofl_app.te
 create mode 100644 vendor/con_monitor_app.te
 create mode 100644 vendor/hal_secure_element_st54spi.te
 create mode 100644 vendor/ofl_app.te
diff --git a/legacy/whitechapel_pro/con_monitor.te b/legacy/whitechapel_pro/con_monitor.te
deleted file mode 100644
index 8695ccaa..00000000
--- a/legacy/whitechapel_pro/con_monitor.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
-allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
-allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 1b120cff..0f641549 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -13,7 +13,6 @@
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
diff --git a/legacy/whitechapel_pro/hal_secure_element_st54spi.te b/legacy/whitechapel_pro/hal_secure_element_st54spi.te
deleted file mode 100644
index a3e74be3..00000000
--- a/legacy/whitechapel_pro/hal_secure_element_st54spi.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type hal_secure_element_st54spi, domain;
-hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
-type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_secure_element_st54spi)
-allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
-allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;
-set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
-
diff --git a/legacy/whitechapel_pro/ofl_app.te b/legacy/whitechapel_pro/ofl_app.te
deleted file mode 100644
index a9498165..00000000
--- a/legacy/whitechapel_pro/ofl_app.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# OFLBasicAgent app
-
-type ofl_app, domain;
-
-userdebug_or_eng(`
- app_domain(ofl_app)
- net_domain(ofl_app)
-
- allow ofl_app app_api_service:service_manager find;
- allow ofl_app nfc_service:service_manager find;
- allow ofl_app radio_service:service_manager find;
- allow ofl_app surfaceflinger_service:service_manager find;
-
- # Access to directly update firmware on st54spi_device
- typeattribute st54spi_device mlstrustedobject;
- allow ofl_app st54spi_device:chr_file rw_file_perms;
- # Access to directly update firmware on st33spi_device
- typeattribute st33spi_device mlstrustedobject;
- allow ofl_app st33spi_device:chr_file rw_file_perms;
-')
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 6b5af58d..c34ff929 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -1,15 +1,9 @@
 # coredump/ramdump
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
-user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
-
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index e799b149..7f184724 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -18,4 +18,7 @@ userdebug_or_eng(`
 permissive hal_contexthub_default;
 permissive hal_sensors_default;
 permissive recovery;
+ permissive con_monitor_app;
+ permissive hal_secure_element_st54spi;
+ permissive ofl_app;
 ')
diff --git a/vendor/con_monitor_app.te b/vendor/con_monitor_app.te
new file mode 100644
index 00000000..b933bd2e
--- /dev/null
+++ b/vendor/con_monitor_app.te
@@ -0,0 +1,3 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
+
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 12999617..fc6813da 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,6 +4,7 @@
 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/vendor/hal_secure_element_st54spi.te b/vendor/hal_secure_element_st54spi.te
new file mode 100644
index 00000000..cc4a29b4
--- /dev/null
+++ b/vendor/hal_secure_element_st54spi.te
@@ -0,0 +1,4 @@
+type hal_secure_element_st54spi, domain;
+type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi)
+
diff --git a/vendor/ofl_app.te b/vendor/ofl_app.te
new file mode 100644
index 00000000..eecef5f9
--- /dev/null
+++ b/vendor/ofl_app.te
@@ -0,0 +1,3 @@
+# OFLBasicAgent app
+type ofl_app, domain;
+
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 6f3ee638..d9296e0d 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
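Review bot: The three `permissive` lines added here sit inside the `userdebug_or_eng(` block shown in the hunk header, while the domains they name are declared in vendor/con_monitor_app.te, vendor/hal_secure_element_st54spi.te and vendor/ofl_app.te with only a `type` line and no allow rules. On a user build the permissive entries are compiled out, so those three domains become enforcing with an empty policy and the ConnectivityMonitor app, the OFL agent and the ST54 secure element HAL would presumably be denied everything rather than merely logged. The commit's `Test: boot to home` does not exercise any of the three. If the intent is to collect denials and rebuild the rules, record that next to the entries, e.g. `# TODO(b/254378739): rules pending; the three domains below are permissive on userdebug/eng only`.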
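Review bot: vendor/con_monitor_app.te keeps only `type con_monitor_app, domain;` and drops the `app_domain(con_monitor_app)` that the deleted legacy/whitechapel_pro/con_monitor.te carried; vendor/ofl_app.te likewise drops `app_domain(ofl_app)` and `net_domain(ofl_app)`. Without `app_domain` the type presumably lacks the appdomain attribute the zygote transition relies on, so the vendor/seapp_contexts entries for these two packages would map them into a domain zygote cannot enter on an enforcing build; confirm this is intended bring-up state. The legacy type was also `coredomain`, and the new file is silent on why that is gone; a one-line comment such as `# coredomain dropped: domain now lives in vendor policy (b/254378739)` would spare the next reader a search, if that is indeed the reason.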
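Review bot: The new vendor/hal_secure_element_st54spi.te omits the `hal_server_domain(hal_secure_element_st54spi, hal_secure_element)` the deleted legacy file had, along with the st54spi_device/nfc_device chr_file access and `set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)`. `init_daemon_domain` is kept, so init still transitions the service into this domain, but without the hal_server_domain attribute the process presumably cannot register as a hal_secure_element server, leaving secure element unavailable on enforcing builds until the rules are restored. A header comment like `# TODO(b/254378739): hal_server_domain and device/property rules to be restored from denial tracking` would make the intermediate state explicit.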
@@ -1,5 +1,11 @@
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
+user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all