Fix selinux permissions errors for UwbService
Fixes gmscore access to UwbManager APIs, fixes UwbService access to UWB
HAL APIs, and fixes CTS UwbService presence test.
Bug: 184402100
Test: atest CtsUwbTestCases
Change-Id: I7450242f8b35570c3d5a676c5835b01f74995202
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 37288bc..aab2056 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -3,5 +3,4 @@
dontaudit kernel kernel:perf_event { cpu };
userdebug_or_eng(`
permissive kernel;
- permissive hal_uwb_default;
')
diff --git a/whitechapel/vendor/google/gmscore_app.te b/whitechapel/vendor/google/gmscore_app.te
new file mode 100644
index 0000000..d2394b7
--- /dev/null
+++ b/whitechapel/vendor/google/gmscore_app.te
@@ -0,0 +1,3 @@
+# Allow gmscore to use UwbService APIs
+# TODO (b/183904955): remove
+allow gmscore_app uwb_service:service_manager find;
diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te
index bb825e3..f066aa4 100644
--- a/whitechapel/vendor/google/hal_uwb_default.te
+++ b/whitechapel/vendor/google/hal_uwb_default.te
@@ -1,3 +1,5 @@
type hal_uwb_default, domain;
type hal_uwb_default_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(hal_uwb_default)
+
+add_service(hal_uwb_default, hal_uwb_service)
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index f66b28c..debd8bd 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,3 +1,4 @@
type hal_pixel_display_service, service_manager_type, vendor_service;
type uwb_service, service_manager_type;
type touch_context_service, service_manager_type, vendor_service;
+type hal_uwb_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 8faa69b..f3a6acb 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -3,3 +3,4 @@
com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
uwb u:object_r:uwb_service:s0
+hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index ae7386f..01206d9 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -8,3 +8,7 @@
# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
# for secure video playback
allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+# Allows cts tests to test for UwbService presence
+# TODO (b/183904955): remove
+allow untrusted_app_all uwb_service:service_manager find;
diff --git a/whitechapel/vendor/google/uwb_service.te b/whitechapel/vendor/google/uwb_service.te
new file mode 100644
index 0000000..7360278
--- /dev/null
+++ b/whitechapel/vendor/google/uwb_service.te
@@ -0,0 +1 @@
+allow uwb_service hal_uwb_service:service_manager find;
