device_google_zuma/radio/copy_efs_files_to_data.te

type copy_efs_files_to_data, domain;
type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(copy_efs_files_to_data);



# Allow creating files on /data/vendor/copied
allow copy_efs_files_to_data modem_efs_image_file:dir  { create_dir_perms };
allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms };
allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms };


# Allow execute binaries from /vendor/bin
allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms;
allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms;

# Allow execute /vendor/bin/dump.f2fs
allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };

# Allow execute dump.f2fs to dump files from /dev/block/by-name/efs
allow copy_efs_files_to_data block_device:dir search;
allow copy_efs_files_to_data efs_block_device:blk_file r_file_perms;
allow copy_efs_files_to_data modem_userdata_block_device:blk_file r_file_perms;
allow copy_efs_files_to_data persist_block_device:blk_file r_file_perms;

# Allow checking if /data/vendor/copied/[efs/efs_backup/persist] exist
allow copy_efs_files_to_data modem_efs_file:dir getattr;
allow copy_efs_files_to_data modem_userdata_file:dir getattr;
allow copy_efs_files_to_data persist_file:dir getattr;


allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms;
allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms;

# dump.f2fs need to restore file permissions after dumping
# files from an f2fs image
allow copy_efs_files_to_data self:capability chown;
allow copy_efs_files_to_data self:capability fowner;


allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };



# Should not write to any block devices. Only read from block device
# and dump files to /data/vendor/copied
dontaudit copy_efs_files_to_data dev_type:blk_file write;
# Setting xattr requires sys_admin
dontaudit copy_efs_files_to_data self:capability sys_admin;
# dump.f2fs would attempt to restore selinux on dumped files, but we
# will use restorecon to do the job.
dontaudit copy_efs_files_to_data modem_efs_image_file:dir relabelfrom;
dontaudit copy_efs_files_to_data modem_efs_image_file:file relabelfrom;
dontaudit copy_efs_files_to_data modem_efs_file:dir relabelto;
dontaudit copy_efs_files_to_data modem_efs_file:file relabelto;
dontaudit copy_efs_files_to_data modem_userdata_file:dir relabelto;
dontaudit copy_efs_files_to_data modem_userdata_file:file relabelto;
dontaudit copy_efs_files_to_data vendor_persist_type:dir relabelto;
dontaudit copy_efs_files_to_data vendor_persist_type:file relabelto;