sepolicy: add domain for WfcActivation app
... and allow access qchook_service via servicemanager.
Bug: 73974808
Test: basic sanity
Change-Id: If5aa7d392fa614106cd99654a0293e260cb52826
diff --git a/sepolicy/certs/wfcactivation.x509.pem b/sepolicy/certs/wfcactivation.x509.pem
new file mode 100644
index 0000000..bead020
--- /dev/null
+++ b/sepolicy/certs/wfcactivation.x509.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyTCCArGgAwIBAgIJAODrqTpclyUkMA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEXMBUG
+A1UEAwwOd2ZjX2FjdGl2YXRpb24wHhcNMTgwMjIxMDA1NTM4WhcNNDUwNzA5MDA1
+NTM4WjB7MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UE
+BwwNTW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsM
+B0FuZHJvaWQxFzAVBgNVBAMMDndmY19hY3RpdmF0aW9uMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAruKdMaQjRrlTwLHWAhUwLXoq+1glzoQ5ibqHDg4i
+GPPlwT7qPG8xWW6UmTiLNES6YSDpvCvptqrZccecviYfYIg7/JCF/xr2cFt9Gyyo
+L0muemdUMFjGQJxKCQMi8jlqPVgfcy7ZEfVvoDWUupD7hVVA6TFkWH1nv/5GzJVK
+h7D4vBaYE6qwM1+NJjrbk1O8SMMCES7MkJhpnfbRYr8d5uxSzDWqqeqvM6CFSvKw
+cxqbCcNl0MDgSCgtnxzZZjg5AFuPECV8lgJpxFEqgEIK1fsebK5G8o4buokMW+W4
+ZT2LZtMq/qsZXl59h22KQX2w5mcI6KyV8WZOcPPOm8uf8wIDAQABo1AwTjAdBgNV
+HQ4EFgQU9jpHDUfkIqBODCp9/c5TsraA9sowHwYDVR0jBBgwFoAU9jpHDUfkIqBO
+DCp9/c5TsraA9sowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAZMf+
+KD3oFS0cv/C0qQx28wW5BKFb/PM6RxDwTRF7yyJj4+uZU0+O8NJEqBNDgHusFJR6
+2ZXXiWDqzNb0scZxD95FP1YxiLPAcbn2oCTkGPYcCsBmT1i25RsIKTb7fR3UJ/bY
+V55CQy1FjX5H1katVpezi1bs17stqrjL0aCk8s7wZPQ9KTy7SfMF9rUfg8ltrj8s
+MD5cq21GJuJMpI2kNUV7IT+4B3CeHzpm0iy8NmbavgNezZAx1za4QIySNcKfdsSs
+7PsNYPS0R9BeZK/4u4/yrQvRV0lXzQcIJPpwr0cfuhcgcHG8sbCLaw4Ph6go9kRL
+hvY7ZX9pdBLS8ukQ4w==
+-----END CERTIFICATE-----
diff --git a/sepolicy/keys.conf b/sepolicy/keys.conf
index 8e5cf1f..6e43407 100644
--- a/sepolicy/keys.conf
+++ b/sepolicy/keys.conf
@@ -1,2 +1,5 @@
[@GOOGLE]
ALL : device/google/marlin/sepolicy/certs/app.x509.pem
+
+[@WFCACTIVATION]
+ALL : device/google/wahoo/sepolicy/private/certs/wfcactivation.x509.pem
diff --git a/sepolicy/mac_permissions.xml b/sepolicy/mac_permissions.xml
index 361cd8a..377052f 100644
--- a/sepolicy/mac_permissions.xml
+++ b/sepolicy/mac_permissions.xml
@@ -24,4 +24,7 @@
<signer signature="@GOOGLE" >
<seinfo value="google" />
</signer>
+ <signer signature="@WFCACTIVATION" >
+ <seinfo value="wfcactivation" />
+ </signer>
</policy>
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
index 2754b30..9e00f05 100644
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -18,3 +18,6 @@
#Domain for connectivity monitor
user=radio seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# Domain for WfcActivation app
+user=_app seinfo=wfcactivation name=com.google.android.wfcactivation domain=wfc_activation_app levelFrom=all
diff --git a/sepolicy/wfc_activation_app.te b/sepolicy/wfc_activation_app.te
new file mode 100644
index 0000000..cd32efc
--- /dev/null
+++ b/sepolicy/wfc_activation_app.te
@@ -0,0 +1,9 @@
+type wfc_activation_app, domain, coredomain;
+
+app_domain(wfc_activation_app)
+net_domain(wfc_activation_app)
+
+# Services
+allow wfc_activation_app app_api_service:service_manager find;
+allow wfc_activation_app qchook_service:service_manager find;
+allow wfc_activation_app radio_service:service_manager find;
