Move vendor platform apps into their own domains

This moves CNEService, SSRestartDetector, TimeService, AtFwd and
FastDormancy from system_app into their own domains. This enables us
to remove most vendor specific rules from system_app, meaning vanilla
platform apps will have less access. Those rules existed only because of the
apps/services listed above.

Test: Device boots, place and receive phone call, change date & time,
      this works and with no new SELinux denials
Bug: 34170079
Bug: 36613996
Bug: 36734870
Change-Id: I4d2b314ffd4274929e7544840a5c209fb1802096
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index 5a7dd92..79a1a4d 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -35,5 +35,6 @@
 allow cnd shell_exec:file rx_file_perms;
 allow cnd system_file:file rx_file_perms;
 
-# TODO(b/36613996): Remove this once system_app no longer communicates over sockets with cnd
+# TODO(b/36613996): Remove this once qcneservice no longer communicates over sockets with cnd
+# or once qcneservice becomes a vendor service
 typeattribute cnd socket_between_core_and_vendor_violators;
diff --git a/sepolicy/qcneservice.te b/sepolicy/qcneservice.te
new file mode 100644
index 0000000..e2b3289
--- /dev/null
+++ b/sepolicy/qcneservice.te
@@ -0,0 +1,15 @@
+# CNEService app
+type qcneservice, domain, coredomain;
+
+app_domain(qcneservice)
+net_domain(qcneservice)
+
+add_service(qcneservice, cne_service)
+
+unix_socket_connect(qcneservice, cnd, cnd)
+
+allow qcneservice { app_api_service radio_service }:service_manager find;
+
+# Read and write /data/data subdirectory.
+allow qcneservice system_app_data_file:dir create_dir_perms;
+allow qcneservice system_app_data_file:{ file lnk_file } create_file_perms;
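Review bot: The data rules on lines 46-47 keep the new domain on `system_app_data_file`, and the same shared label is used in qtelephony.te, qtimeservice.te, ssr_detector.te and every new seapp_contexts entry, so the process split does not isolate the apps' /data/data directories from each other or from system_app, which still labels its own data the same way. If the aim is to reduce what a vanilla platform app can reach, a per-domain data type (a constructed name such as `qcneservice_data_file`, assigned via `type=` in seapp_contexts) would complete the separation. If sharing the label is intentional, the comment `# Read and write /data/data subdirectory.` should say so, e.g. `# Read and write /data/data subdirectory (shared system_app_data_file label kept on purpose).`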
diff --git a/sepolicy/qtelephony.te b/sepolicy/qtelephony.te
new file mode 100644
index 0000000..a56fc4f
--- /dev/null
+++ b/sepolicy/qtelephony.te
@@ -0,0 +1,14 @@
+# Qualcomm telephony apps, such as AtFwd and FastDormancy
+type qtelephony, domain, coredomain;
+
+app_domain(qtelephony)
+
+add_service(qtelephony, atfwd_service)
+
+allow qtelephony { app_api_service }:service_manager find;
+
+# Read and write /data/data subdirectory.
+allow qtelephony system_app_data_file:dir create_dir_perms;
+allow qtelephony system_app_data_file:{ file lnk_file } create_file_perms;
+
+set_prop(qtelephony, ctl_default_prop)
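Review bot: `set_prop(qtelephony, ctl_default_prop)` on the last line lets the app start and stop any init service whose ctl.* property is not covered by a more specific ctl label, which is broader than anything this change removes from system_app, and the line has no comment saying which service AtFwd or FastDormancy needs to control. Please add one, e.g. `# AtFwd restarts <service-name> via ctl.start; TODO(b/<bug-id>): move to a dedicated ctl property type`, and if a dedicated ctl property type for that service exists or can be added, prefer it over ctl_default_prop. Note that qtelephony covers two apps through the single com.qualcomm.telephony seapp_contexts entry, so both inherit this grant.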
diff --git a/sepolicy/qtimeservice.te b/sepolicy/qtimeservice.te
new file mode 100644
index 0000000..25548b8
--- /dev/null
+++ b/sepolicy/qtimeservice.te
@@ -0,0 +1,13 @@
+# Qualcomm TimeService app
+type qtimeservice, domain, coredomain;
+
+app_domain(qtimeservice)
+
+allow qtimeservice { app_api_service }:service_manager find;
+
+# Communicate with time_daemon
+allow qtimeservice time:unix_stream_socket connectto;
+
+# Read and write /data/data subdirectory.
+allow qtimeservice system_app_data_file:dir create_dir_perms;
+allow qtimeservice system_app_data_file:{ file lnk_file } create_file_perms;
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
index 64d4b3f..f0ba11c 100644
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -1,2 +1,11 @@
 # Production default camera application for marlin/sailfish
 user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=user
+
+user=system seinfo=platform name=com.quicinc.cne.CNEService domain=qcneservice type=system_app_data_file
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector type=system_app_data_file
+
+# AtFwd and FastDormancy apps
+user=system seinfo=platform name=com.qualcomm.telephony domain=qtelephony type=system_app_data_file
+
+# TimeService app
+user=system seinfo=platform name=com.qualcomm.timeservice domain=qtimeservice type=system_app_data_file
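Review bot: The two entries on lines 95-96 have no descriptive comment, unlike the camera, AtFwd/FastDormancy and TimeService entries around them. Adding `# CNEService and SSRestartDetector apps` above line 95 would keep the file consistent and make it clear which domain each package maps to.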
diff --git a/sepolicy/ssr_detector.te b/sepolicy/ssr_detector.te
new file mode 100644
index 0000000..99509e0
--- /dev/null
+++ b/sepolicy/ssr_detector.te
@@ -0,0 +1,16 @@
+# SSRestartDetector app
+type ssr_detector, domain;
+
+app_domain(ssr_detector)
+
+userdebug_or_eng(`
+  allow ssr_detector ramdump_data_file:dir r_dir_perms;
+  allow ssr_detector ramdump_data_file:file r_file_perms;
+  get_prop(ssr_detector, ssr_prop)
+')
+
+allow ssr_detector { app_api_service }:service_manager find;
+
+# Read and write /data/data subdirectory.
+allow ssr_detector system_app_data_file:dir create_dir_perms;
+allow ssr_detector system_app_data_file:{ file lnk_file } create_file_perms;
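Review bot: `type ssr_detector, domain;` on line 110 is the only new domain in this change declared without `coredomain`, whereas qcneservice, qtelephony and qtimeservice all carry it. If that is deliberate — plausibly because the userdebug_or_eng block reads ramdump_data_file and ssr_prop, which may be vendor-labelled types a coredomain could not touch without a violator attribute — a comment should state it, e.g. `# Not coredomain: reads vendor ramdump/ssr types on userdebug builds.`; if it is an oversight, this app runs outside the core/vendor separation checks that apply to the other three. Either way the intent should be visible in the file rather than inferred from the diff.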
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 34b24bb..5fcbaa7 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,12 +1,6 @@
-unix_socket_connect(system_app, cnd, cnd)
-allow system_app atfwd_service:service_manager add;
-allow system_app cne_service:service_manager add;
-allow system_app time:unix_stream_socket connectto;
+# Read ro.boot.hardware.sku. Needed by Regulatory Info screen of Settings app.
+# Normally this property is a default_prop which is readable by anybody, but on marlin/sailfish
+# init_mid needs to be able to set this property and thus this property had to be relabelled as
+# a new type, hw_sku_pop. This in turn requires us to grant system_app read access to this property
+# label.
 get_prop(system_app, hw_sku_prop);
-set_prop(system_app, radio_prop)
-r_dir_file(system_app, sysfs_msm_subsys)
-userdebug_or_eng(`
-  allow system_app ramdump_data_file:dir r_dir_perms;
-  allow system_app ramdump_data_file:file r_file_perms;
-  get_prop(system_app, ssr_prop)
-')
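Review bot: The new comment on line 137 names the property type `hw_sku_pop`, but the rule it explains on line 139 uses `hw_sku_prop`; please correct it to `# a new type, hw_sku_prop. This in turn requires us to grant system_app read access to this property`. Separately, `set_prop(system_app, radio_prop)` and `r_dir_file(system_app, sysfs_msm_subsys)` are removed here but not granted to any of the new domains in this change; the Test line reports no new denials, so this may be intended, but a sentence in the commit message saying those rules were unused would make the capability drop explicit.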
diff --git a/sepolicy/time.te b/sepolicy/time.te
index 189cdea..18130e4 100644
--- a/sepolicy/time.te
+++ b/sepolicy/time.te
@@ -25,5 +25,6 @@
   allow time  diag_device:chr_file rw_file_perms;
 ')
 
-# TODO(b/36613996): Remove this once system_app no longer communicates over sockets with time daemon
+# TODO(b/36613996): Remove this once qtimeservice no longer communicates over sockets with time
+# daemon or once qtimeservice becomes a vendor service
 typeattribute time socket_between_core_and_vendor_violators;