diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te
new file mode 100644
index 0000000..865662a
--- /dev/null
+++ b/radio/copy_efs_files_to_data.te
@@ -0,0 +1,56 @@
+# necessary permissions to copy efs to be used in 16KB mode
+type copy_efs_files_to_data, domain;
+type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(copy_efs_files_to_data);
+
+# Allow creating files on /data/vendor/copied
+allow copy_efs_files_to_data modem_efs_image_file:dir { create_dir_perms };
+allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms };
+allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms };
+
+# Allow execute binaries from /vendor/bin
+allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms;
+allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms;
+
+# Allow execute /vendor/bin/dump.f2fs
+allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };
+
+# Allow execute dump.f2fs to dump files from /dev/block/by-name/efs
+allow copy_efs_files_to_data block_device:dir search;
+allow copy_efs_files_to_data efs_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data modem_userdata_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data persist_block_device:blk_file r_file_perms;
+
+# Allow checking if /data/vendor/copied/[efs/efs_backup/persist] exist
+allow copy_efs_files_to_data modem_efs_file:dir getattr;
+allow copy_efs_files_to_data modem_userdata_file:dir getattr;
+allow copy_efs_files_to_data persist_file:dir getattr;
+
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms;
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms;
+
+# dump.f2fs need to restore file permissions after dumping
+# files from an f2fs image
+allow copy_efs_files_to_data self:capability chown;
+allow copy_efs_files_to_data self:capability fowner;
+
+allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };
+
+allow copy_efs_files_to_data system_bootstrap_lib_file:dir search;
+
+# Should not write to any block devices. Only read from block device
+# and dump files to /data/vendor/copied
+dontaudit copy_efs_files_to_data dev_type:blk_file write;
+# Setting xattr requires sys_admin
+dontaudit copy_efs_files_to_data self:capability sys_admin;
+# dump.f2fs would attempt to restore selinux on dumped files, but we
+# will use restorecon to do the job.
+dontaudit copy_efs_files_to_data modem_efs_image_file:dir relabelfrom;
+dontaudit copy_efs_files_to_data modem_efs_image_file:file relabelfrom;
+dontaudit copy_efs_files_to_data modem_efs_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_efs_file:file relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:file relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:dir relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:file relabelto;
diff --git a/radio/file.te b/radio/file.te
index a79dfcc..7745a6e 100644
--- a/radio/file.te
+++ b/radio/file.te
@@ -1,5 +1,6 @@
 # Data
 type rild_vendor_data_file, file_type, data_file_type;
+type modem_efs_image_file, file_type, data_file_type;
 type modem_ml_data_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type sysfs_gps, sysfs_type, fs_type;
diff --git a/radio/file_contexts b/radio/file_contexts
index 5a2653c..42086a3 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -11,6 +11,7 @@
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0
 /vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0
 
 # Config files
 /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0
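Review bot: `allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };` grants execution of every file labeled vendor_file, not only /vendor/bin/dump.f2fs as the comment above it states, so a bug in the domain's script or a compromise of the daemon could run any unlabeled vendor binary inside this domain's permissions. Giving dump.f2fs a dedicated exec type in file_contexts (placeholder: `dump_f2fs_exec`) and allowing only that type would keep the rule as narrow as the comment implies. The `dontaudit copy_efs_files_to_data dev_type:blk_file write;` line silences write denials for every block device, which also hides any unexpected write attempt from the audit log; scoping it to the three block-device types the domain is allowed to read (efs_block_device, modem_userdata_block_device, persist_block_device) would preserve that signal. The two `sysfs_scsi_devices_0000` rules are the only allow rules in the file without a comment saying why they are needed. Minor style: the braces in `{ create_dir_perms }` and `{ create_file_perms }` are redundant around a single macro, and the rest of the file uses macros bare (`rx_file_perms`, `r_file_perms`).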
@@ -22,6 +23,7 @@
 /data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0
 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+/data/vendor/copied(/.*)? u:object_r:modem_efs_image_file:s0
 
 # vendor extra images
 /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
diff --git a/vendor/property.te b/vendor/property.te
index 3f61bea..12a9d49 100644
--- a/vendor/property.te
+++ b/vendor/property.te
@@ -18,3 +18,6 @@ vendor_internal_prop(vendor_battery_defender_prop)
 
 # Mali Integration
 vendor_restricted_prop(vendor_arm_runtime_option_prop)
+
+# This prop will be set to "mounted" after /mnt/vendor/persist mounts
+vendor_internal_prop(vendor_persist_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index 8625439..d34fa99 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -36,3 +36,6 @@ ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor
 ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int
 ro.vendor.primarydisplay.powerstats.entity_name u:object_r:vendor_display_prop:s0 exact string
 ro.vendor.secondarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string
+
+# For checking if persist partition is mounted
+ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact string
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 7a8ec91..9738e63 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -8,3 +8,6 @@ userdebug_or_eng(`
 set_prop(vendor_init, vendor_imssvc_prop)
 ')
 
+# Allow vendor_init to read ro.vendor.persist.status
+# to process init.rc actions
+set_prop(vendor_init, vendor_persist_prop)
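Review bot: `ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact string` accepts any value, while the comment added in property.te says the property will be set to "mounted"; if init only ever writes that one value, `ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact enum mounted` would let the property service reject anything else and documents the contract in the file that enforces it. The `ro.` prefix means the property can be written once, which fits a mount-complete flag, but it is worth confirming that no path (for example a failed mount) expects to change it afterwards. The comment `# For checking if persist partition is mounted` would read better as `# Set to "mounted" once /mnt/vendor/persist is mounted; read by init.rc actions`, matching the wording in property.te.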
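Review bot: The comment on the added rule says vendor_init needs to *read* ro.vendor.persist.status, but `set_prop(vendor_init, vendor_persist_prop)` grants set permission on the property, which is what an init.rc `setprop` of that property requires; in AOSP's te_macros set_prop also expands to get_prop, so no separate read rule is needed. The comment should describe what the rule grants, e.g. `# Allow vendor_init to set ro.vendor.persist.status from init.rc once /mnt/vendor/persist is mounted`. The userdebug_or_eng block above the addition begins outside the hunk.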