Snap for 11931036 from 667f2a4670 to 24Q3-release

Change-Id: Ic2fcc14b412ecc37c4af6ebece36aac9be32843f

radio/copy_efs_files_to_data.te

@@ -15,23 +15,46 @@ allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms }
 allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms;
 allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms;
 
-allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr };
+# Allow execute /vendor/bin/dump.f2fs
+allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };
+
+# Allow execute dump.f2fs to dump files from /dev/block/by-name/efs
+allow copy_efs_files_to_data block_device:dir search;
+allow copy_efs_files_to_data efs_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data modem_userdata_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data persist_block_device:blk_file r_file_perms;
+
+# Allow checking if /data/vendor/copied/[efs/efs_backup/persist] exist
+allow copy_efs_files_to_data modem_efs_file:dir getattr;
+allow copy_efs_files_to_data modem_userdata_file:dir getattr;
+allow copy_efs_files_to_data persist_file:dir getattr;
+
+
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms;
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms;
+
+# dump.f2fs need to restore file permissions after dumping
+# files from an f2fs image
+allow copy_efs_files_to_data self:capability chown;
+allow copy_efs_files_to_data self:capability fowner;
+
 
 allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };
 
 
-# For reading files on /mnt/vendor/persist
-allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr };
-allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr };
-allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms;
 
-# For reading files on /mnt/vendor/efs
+# Should not write to any block devices. Only read from block device
-allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr };
+# and dump files to /data/vendor/copied
-allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr };
+dontaudit copy_efs_files_to_data dev_type:blk_file write;
-
+# Setting xattr requires sys_admin
-# For reading files on /mnt/vendor/modem_userdata
+dontaudit copy_efs_files_to_data self:capability sys_admin;
-allow copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr };
+# dump.f2fs would attempt to restore selinux on dumped files, but we
-allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr };
+# will use restorecon to do the job.
-
+dontaudit copy_efs_files_to_data modem_efs_image_file:dir relabelfrom;
-# Allow changing permission of files on /data/vendor/copied, part of cp -rp
+dontaudit copy_efs_files_to_data modem_efs_image_file:file relabelfrom;
-allow copy_efs_files_to_data self:capability { fowner chown };
+dontaudit copy_efs_files_to_data modem_efs_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_efs_file:file relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:file relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:dir relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:file relabelto;