Grant processes temp access to /data/misc/zoneinfo
Annotate with coredata_in_vendor_violators.
avc: denied { search } for pid=733 comm="rild" name="zoneinfo"
scontext=u:r:rild:s0 tcontext=u:object_r:zoneinfo_data_file:s0
tclass=dir
avc: denied { search } for pid=731 comm="netmgrd" name="zoneinfo"
dev="sda35" ino=3850251 scontext=u:r:netmgrd:s0
tcontext=u:object_r:zoneinfo_data_file:s0 tclass=dir
avc: denied { search } for pid=747 comm="time_daemon" name="zoneinfo"
dev="sda35" ino=3850251 scontext=u:r:time:s0
tcontext=u:object_r:zoneinfo_data_file:s0 tclass=dir
avc: denied { search } for pid=731 comm="cnss_diag" name="zoneinfo"
dev="sda35" ino=3850251 scontext=u:r:cnss_diag:s0
tcontext=u:object_r:zoneinfo_data_file:s0 tclass=dir
Bug: 36730929
Bug: 34980020
Test: Build and boot Marlin. Denials no longer observed.
Change-Id: I47de6e15beb390828c6d992ed843b171c9a1be1b
diff --git a/sepolicy/cnss_diag.te b/sepolicy/cnss_diag.te
index 61fb9e7..031c4be 100644
--- a/sepolicy/cnss_diag.te
+++ b/sepolicy/cnss_diag.te
@@ -1,4 +1,4 @@
-# Policy for /system/bin/cnss_diag
+# Policy for /vendor/bin/cnss_diag
type cnss_diag, domain;
type cnss_diag_exec, exec_type, file_type;
@@ -12,9 +12,10 @@
# b/35877764 suppress the udp_socket denial message temproarily
dontaudit cnss_diag self:udp_socket create;
-r_dir_file(cnss-daemon, sysfs_type)
-allow cnss-daemon sysfs_msm_core:file write;
-
+# TODO(b/36730929): Remove this once cnss_diag no longer accesses data outside
+# /data/vendor
+typeattribute cnss_diag coredata_in_vendor_violators;
+r_dir_file(cnss_diag, zoneinfo_data_file)
userdebug_or_eng(`
allow cnss_diag diag_device:chr_file rw_file_perms;
allow cnss_diag cnss_diag_data_file:dir create_dir_perms;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 346f188..620354c 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,4 +1,4 @@
-# Policy for /system/bin/netmgrd
+# Policy for /vendor/bin/netmgrd
type netmgrd, domain;
type netmgrd_exec, exec_type, file_type;
@@ -21,7 +21,7 @@
allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };
-# TODO(b/36663482): Remove coredata_in_vendor_violators once
+# TODO(b/36663482, b/36730929): Remove coredata_in_vendor_violators once
# netmgrd no longer directly accesses /data outside
# /data/vendor.
typeattribute netmgrd coredata_in_vendor_violators;
@@ -33,6 +33,7 @@
allow netmgrd netmgr_data_file:dir rw_dir_perms;
allow netmgrd netmgr_data_file:file create_file_perms;
')
+r_dir_file(netmgrd, zoneinfo_data_file)
# execute shell, ip, and toolbox
allow netmgrd shell_exec:file rx_file_perms;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index a3fe7df..ce0c1fd 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -29,3 +29,8 @@
# TODO(b/36613472): Remove this once system_server, mediaserver, bluetooth, and radio no longer
# communicate with rild over sockets.
typeattribute rild socket_between_core_and_vendor_violators;
+
+# TODO(b/36730929): Remove this once time daemon no longer access data outside
+# /data/vendor
+typeattribute rild coredata_in_vendor_violators;
+r_dir_file(rild, zoneinfo_data_file)
diff --git a/sepolicy/time.te b/sepolicy/time.te
index 189cdea..645c1ac 100644
--- a/sepolicy/time.te
+++ b/sepolicy/time.te
@@ -16,9 +16,13 @@
allow time sysfs_soc:dir search;
allow time sysfs_soc:file r_file_perms;
-# files in /data/time
+# TODO(b/36730929): Remove this once time daemon no longer access data outside
+# /data/vendor
+typeattribute time coredata_in_vendor_violators;
+r_dir_file(time, zoneinfo_data_file)
allow time time_data_file:file create_file_perms;
allow time time_data_file:dir rw_dir_perms;
+
allow time rtc_device:chr_file r_file_perms;
userdebug_or_eng(`