Move coredomain seapp contexts to system_ext

Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: Ifcaa41df790cb2b720775563cc4cd5cdf10e5c50 Merged-In: Ifcaa41df790cb2b720775563cc4cd5cdf10e5c50 (cherry picked from commit 63200470b8)
2023-08-10 17:00:56 +09:00 · 2023-08-10 17:00:56 +09:00 · d9a89215f4
commit d9a89215f4
parent 08dbe5a438
16 changed files with 82 additions and 82 deletions
--- a/private/debug_camera_app.te
+++ b/private/debug_camera_app.te
@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+	app_domain(debug_camera_app)
+	net_domain(debug_camera_app)
+
+	allow debug_camera_app app_api_service:service_manager find;
+	allow debug_camera_app audioserver_service:service_manager find;
+	allow debug_camera_app cameraserver_service:service_manager find;
+	allow debug_camera_app mediaextractor_service:service_manager find;
+	allow debug_camera_app mediametrics_service:service_manager find;
+	allow debug_camera_app mediaserver_service:service_manager find;
+
+	# Allows GCA_Eng & GCA-Next to access the PowerHAL.
+	hal_client_domain(debug_camera_app, hal_power)
+')
--- a/private/google_camera_app.te
+++ b/private/google_camera_app.te
@ -0,0 +1,16 @@
+typeattribute google_camera_app coredomain;
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
--- a/public/debug_camera_app.te
+++ b/public/debug_camera_app.te
@ -0,0 +1 @@
+type debug_camera_app, domain;
--- a/public/google_camera_app.te
+++ b/public/google_camera_app.te
@ -0,0 +1 @@
+type google_camera_app, domain;
--- a/system_ext/private/pixeldisplayservice_app.te
+++ b/system_ext/private/pixeldisplayservice_app.te
@ -0,0 +1,11 @@
+typeattribute pixeldisplayservice_app coredomain;
+
+app_domain(pixeldisplayservice_app);
+
+allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
+allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow pixeldisplayservice_app app_api_service:service_manager find;
+
+allow pixeldisplayservice_app cameraserver_service:service_manager find;
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@ -0,0 +1,6 @@
+# PixelDisplayService
+user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
+
+# SystemUI
+user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all
--- a/system_ext/private/systemui_app.te
+++ b/system_ext/private/systemui_app.te
@ -0,0 +1,17 @@
+typeattribute systemui_app coredomain;
+app_domain(systemui_app)
+allow systemui_app app_api_service:service_manager find;
+allow systemui_app network_score_service:service_manager find;
+allow systemui_app overlay_service:service_manager find;
+allow systemui_app color_display_service:service_manager find;
+allow systemui_app audioserver_service:service_manager find;
+allow systemui_app cameraserver_service:service_manager find;
+allow systemui_app mediaserver_service:service_manager find;
+allow systemui_app mediaextractor_service:service_manager find;
+allow systemui_app mediametrics_service:service_manager find;
+allow systemui_app radio_service:service_manager find;
+allow systemui_app vr_manager_service:service_manager find;
+
+get_prop(systemui_app, keyguard_config_prop)
+set_prop(systemui_app, bootanim_system_prop)
+get_prop(systemui_app, qemu_hw_prop)
--- a/system_ext/public/pixeldisplayservice_app.te
+++ b/system_ext/public/pixeldisplayservice_app.te
@ -0,0 +1 @@
+type pixeldisplayservice_app, domain;
--- a/system_ext/public/systemui_app.te
+++ b/system_ext/public/systemui_app.te
@ -0,0 +1 @@
+type systemui_app, domain;
--- a/vendor/debug_camera_app.te
+++ b/vendor/debug_camera_app.te
@ -1,23 +1,8 @@
-type debug_camera_app, domain, coredomain;
-
 userdebug_or_eng(`
-	app_domain(debug_camera_app)
-	net_domain(debug_camera_app)
-
-	allow debug_camera_app app_api_service:service_manager find;
-	allow debug_camera_app audioserver_service:service_manager find;
-	allow debug_camera_app cameraserver_service:service_manager find;
-	allow debug_camera_app mediaextractor_service:service_manager find;
-	allow debug_camera_app mediametrics_service:service_manager find;
-	allow debug_camera_app mediaserver_service:service_manager find;
-
 	# Allows GCA-Eng & GCA-Next access the GXP device.
 	allow debug_camera_app gxp_device:chr_file rw_file_perms;

 	# Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
 	allow debug_camera_app edgetpu_app_service:service_manager find;
 	allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-
-	# Allows GCA_Eng & GCA-Next to access the PowerHAL.
-	hal_client_domain(debug_camera_app, hal_power)
 ')
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@ -1,24 +1,7 @@
-type google_camera_app, domain, coredomain;
-app_domain(google_camera_app)
-net_domain(google_camera_app)
-
-allow google_camera_app app_api_service:service_manager find;
-allow google_camera_app audioserver_service:service_manager find;
-allow google_camera_app cameraserver_service:service_manager find;
-allow google_camera_app mediaextractor_service:service_manager find;
-allow google_camera_app mediametrics_service:service_manager find;
-allow google_camera_app mediaserver_service:service_manager find;
-
 # Allows GCA to acccess the GXP device and search for the firmware file.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
 allow google_camera_app vendor_fw_file:dir search;

-# Allows GCA to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-
-# Library code may try to access vendor properties, but should be denied
-dontaudit google_camera_app vendor_default_prop:file { getattr map open };
--- a/vendor/pixeldisplayservice_app.te
+++ b/vendor/pixeldisplayservice_app.te
@ -1,14 +1,2 @@
-type pixeldisplayservice_app, domain, coredomain;
-
-app_domain(pixeldisplayservice_app);
-
-allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
-allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
-
 allow pixeldisplayservice_app hal_pixel_display_service:service_manager find;
 binder_call(pixeldisplayservice_app, hal_graphics_composer_default)
-
-# Standard system services
-allow pixeldisplayservice_app app_api_service:service_manager find;
-
-allow pixeldisplayservice_app cameraserver_service:service_manager find;
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@ -7,29 +7,9 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all

-# PixelDisplayService
-user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
-
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
-# Google Camera Eng
-user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
-
-# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
-user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
-
-# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
-user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
-
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all

 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
-
-# SystemUI
-user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
-user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all
-
--- a/vendor/systemui_app.te
+++ b/vendor/systemui_app.te
@ -1,21 +1,3 @@
-type systemui_app, domain, coredomain;
-app_domain(systemui_app)
-allow systemui_app app_api_service:service_manager find;
-allow systemui_app network_score_service:service_manager find;
-allow systemui_app overlay_service:service_manager find;
-allow systemui_app color_display_service:service_manager find;
-allow systemui_app audioserver_service:service_manager find;
-allow systemui_app cameraserver_service:service_manager find;
-allow systemui_app mediaserver_service:service_manager find;
-allow systemui_app mediaextractor_service:service_manager find;
-allow systemui_app mediametrics_service:service_manager find;
-allow systemui_app radio_service:service_manager find;
-allow systemui_app vr_manager_service:service_manager find;
-
-get_prop(systemui_app, keyguard_config_prop)
-set_prop(systemui_app, bootanim_system_prop)
-get_prop(systemui_app, qemu_hw_prop)
-
 allow systemui_app pixel_battery_service_type:service_manager find;
 binder_call(systemui_app, pixel_battery_domain)

--- a/zumapro-sepolicy.mk
+++ b/zumapro-sepolicy.mk
@ -6,6 +6,7 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/tracking_denials

+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/zumapro-sepolicy/public
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/private

 # system_ext