Merge "Copy 16KB developer option sepolicy to zumapro" into main

radio/copy_efs_files_to_data.te

@@ -0,0 +1,56 @@
+# necessary permissions to copy efs to be used in 16KB mode
+type copy_efs_files_to_data, domain;
+type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(copy_efs_files_to_data);
+
+# Allow creating files on /data/vendor/copied
+allow copy_efs_files_to_data modem_efs_image_file:dir  { create_dir_perms };
+allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms };
+allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms };
+
+# Allow execute binaries from /vendor/bin
+allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms;
+allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms;
+
+# Allow execute /vendor/bin/dump.f2fs
+allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };
+
+# Allow execute dump.f2fs to dump files from /dev/block/by-name/efs
+allow copy_efs_files_to_data block_device:dir search;
+allow copy_efs_files_to_data efs_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data modem_userdata_block_device:blk_file r_file_perms;
+allow copy_efs_files_to_data persist_block_device:blk_file r_file_perms;
+
+# Allow checking if /data/vendor/copied/[efs/efs_backup/persist] exist
+allow copy_efs_files_to_data modem_efs_file:dir getattr;
+allow copy_efs_files_to_data modem_userdata_file:dir getattr;
+allow copy_efs_files_to_data persist_file:dir getattr;
+
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms;
+allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms;
+
+# dump.f2fs need to restore file permissions after dumping
+# files from an f2fs image
+allow copy_efs_files_to_data self:capability chown;
+allow copy_efs_files_to_data self:capability fowner;
+
+allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };
+
+allow copy_efs_files_to_data system_bootstrap_lib_file:dir search;
+
+# Should not write to any block devices. Only read from block device
+# and dump files to /data/vendor/copied
+dontaudit copy_efs_files_to_data dev_type:blk_file write;
+# Setting xattr requires sys_admin
+dontaudit copy_efs_files_to_data self:capability sys_admin;
+# dump.f2fs would attempt to restore selinux on dumped files, but we
+# will use restorecon to do the job.
+dontaudit copy_efs_files_to_data modem_efs_image_file:dir relabelfrom;
+dontaudit copy_efs_files_to_data modem_efs_image_file:file relabelfrom;
+dontaudit copy_efs_files_to_data modem_efs_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_efs_file:file relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:dir relabelto;
+dontaudit copy_efs_files_to_data modem_userdata_file:file relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:dir relabelto;
+dontaudit copy_efs_files_to_data vendor_persist_type:file relabelto;

radio/file.te

@@ -1,5 +1,6 @@
 # Data
 type rild_vendor_data_file, file_type, data_file_type;
+type modem_efs_image_file, file_type, data_file_type;
 type modem_ml_data_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type sysfs_gps, sysfs_type, fs_type;

radio/file_contexts

@@ -11,6 +11,7 @@
 /vendor/bin/hw/rild_exynos                                                  u:object_r:rild_exec:s0
 /vendor/bin/liboemservice_proxy_default                                     u:object_r:liboemservice_proxy_default_exec:s0
 /vendor/bin/shared_modem_platform                                           u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/copy_efs_files_to_data                                          u:object_r:copy_efs_files_to_data_exec:s0
 
 # Config files
 /vendor/etc/modem_ml_models\.conf                                           u:object_r:modem_config_file:s0
@@ -22,6 +23,7 @@
 /data/vendor/modem_ml(/.*)?                                                 u:object_r:modem_ml_data_file:s0
 /data/vendor/modem_stat(/.*)?                                               u:object_r:modem_stat_data_file:s0
 /data/vendor/rild(/.*)?                                                     u:object_r:rild_vendor_data_file:s0
+/data/vendor/copied(/.*)?                                                     u:object_r:modem_efs_image_file:s0
 
 # vendor extra images
 /mnt/vendor/efs(/.*)?                                                       u:object_r:modem_efs_file:s0

vendor/property.te

@@ -18,3 +18,6 @@ vendor_internal_prop(vendor_battery_defender_prop)
 
 # Mali Integration
 vendor_restricted_prop(vendor_arm_runtime_option_prop)
+
+# This prop will be set to "mounted" after /mnt/vendor/persist mounts
+vendor_internal_prop(vendor_persist_prop)

vendor/property_contexts

@@ -36,3 +36,6 @@ ro.vendor.primarydisplay.vrr.expected_present.headsup_ns       u:object_r:vendor
 ro.vendor.primarydisplay.vrr.expected_present.timeout_ns       u:object_r:vendor_display_prop:s0 exact int
 ro.vendor.primarydisplay.powerstats.entity_name       u:object_r:vendor_display_prop:s0 exact string
 ro.vendor.secondarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string
+
+# For checking if persist partition is mounted
+ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact string

vendor/vendor_init.te

@@ -8,3 +8,6 @@ userdebug_or_eng(`
     set_prop(vendor_init, vendor_imssvc_prop)
 ')
 
+# Allow vendor_init to read ro.vendor.persist.status
+# to process init.rc actions
+set_prop(vendor_init, vendor_persist_prop)