gs-common: add rules for euiccpixel_app
09-11 21:19:25.452 345 345 I auditd : avc: denied { find } for pid=14141 uid=10246 name=activity scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=0
09-11 21:20:57.035 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=netstats scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.055 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=content_capture scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.064 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=activity_task scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.111 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=gpu scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.182 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=voiceinteraction scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.184 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=autofill scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.190 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=sensitive_content_protection_service scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.193 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=performance_hint scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1
09-11 21:21:09.436 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=audio scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1
09-11 21:21:09.449 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=batterystats scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:batterystats_service:s0 tclass=service_manager permissive=1
09-11 21:21:09.454 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=batteryproperties scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:batteryproperties_service:s0 tclass=service_manager permissive=1
09-11 23:21:26.678 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=permission_checker scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:permission_checker_service:s0 tclass=service_manager permissive=1
09-03 16:29:54.032 351 351 E SELinux : avc: denied { find } for pid=3914 uid=10217 name=phone scontext=u:r:euiccpixel_app:s0:c217,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1
09-03 17:35:07.453 351 351 E SELinux : avc: denied { find } for pid=3914 uid=10217 name=nfc scontext=u:r:euiccpixel_app:s0:c217,c256,c512,c768 tcontext=u:object_r:nfc_service:s0 tclass=service_manager permissive=1
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1055): avc: denied { read } for comm="RenderThread" name="uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1056): avc: denied { open } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1057): avc: denied { getattr } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-11 21:21:48.494 12343 12343 I auditd : type=1400 audit(0.0:23): avc: denied { read write } for comm=4173796E635461736B202331 name="st54spi" dev="tmpfs" ino=1573 scontext=u:r:euiccpixel_app:s0:c3,c257,c522,c768 tcontext=u:object_r:st54spi_device:s0 tclass=chr_file permissive=1
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1056): avc: denied { read open } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1057): avc: denied { getattr } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel
09-13 17:55:20.904 3776 3776 I auditd : type=1400 audit(0.0:1087): avc: denied { read } for comm="RenderThread" name="uevent" dev="sysfs" ino=46480 scontext=u:r:euiccpixel_app:s0:c225,c256,c512,c768 tcontext=u:object_r:sysfs_gpu_uevent:s0 tclass=file permissive=0 app=com.google.euiccpixel
09-13 18:18:26.988 4029 4029 I auditd : type=1400 audit(0.0:1077): avc: denied { open getattr } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46480 scontext=u:r:euiccpixel_app:s0:c225,c256,c512,c768 tcontext=u:object_r:sysfs_gpu_uevent:s0 tclass=file permissive=0 app=com.google.euiccpixel
09-13 17:55:20.996 3776 3776 I auditd : type=1400 audit(0.0:1090): avc: denied { read } for comm="ogle.euiccpixel" name="u:object_r:default_prop:s0" dev="tmpfs" ino=164 scontext=u:r:euiccpixel_app:s0:c225,c256,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.google.euiccpixel
Bug: 361092897
Test: make selinux_policy, flash and test on 25' project
Flag: EXEMPT NDK
Change-Id: I8850fe0c1eae7dc575cb323d1f4a9234b7df82db
diff --git a/euiccpixel_app/euiccpixel_app_st54.mk b/euiccpixel_app/euiccpixel_app_st54.mk
new file mode 100644
index 0000000..e96d06c
--- /dev/null
+++ b/euiccpixel_app/euiccpixel_app_st54.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/euiccpixel_app/sepolicy/common
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/euiccpixel_app/sepolicy/st54
+PRODUCT_PACKAGES += EuiccSupportPixel-P23
diff --git a/euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem b/euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem
new file mode 100644
index 0000000..be303df
--- /dev/null
+++ b/euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw
+b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v
+Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb
+WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/
+amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK
+aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0
+oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho
++9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td
+5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK
+rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki
+uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag
+ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV
+HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5
+FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9
+Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp
+ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL
+EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB
+GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U
+XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0
+IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj
+pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU
+0JD1T1qdCm3aUSEmFgEA4rOL/0K3
+-----END CERTIFICATE-----
diff --git a/euiccpixel_app/sepolicy/common/euiccpixel_app.te b/euiccpixel_app/sepolicy/common/euiccpixel_app.te
new file mode 100644
index 0000000..8093b49
--- /dev/null
+++ b/euiccpixel_app/sepolicy/common/euiccpixel_app.te
@@ -0,0 +1,27 @@
+# Euiccpixel_app
+type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+
+allow euiccpixel_app activity_service:service_manager find;
+allow euiccpixel_app netstats_service:service_manager find;
+allow euiccpixel_app content_capture_service:service_manager find;
+allow euiccpixel_app activity_task_service:service_manager find;
+allow euiccpixel_app gpu_service:service_manager find;
+allow euiccpixel_app voiceinteraction_service:service_manager find;
+allow euiccpixel_app autofill_service:service_manager find;
+allow euiccpixel_app sensitive_content_protection_service:service_manager find;
+allow euiccpixel_app hint_service:service_manager find;
+allow euiccpixel_app audio_service:service_manager find;
+allow euiccpixel_app batterystats_service:service_manager find;
+allow euiccpixel_app batteryproperties_service:service_manager find;
+allow euiccpixel_app permission_checker_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+# b/265286368 framework UI rendering properties and file access
+dontaudit euiccpixel_app default_prop:file { read };
+dontaudit euiccpixel_app sysfs_gpu_uevent:file { read open getattr };
diff --git a/euiccpixel_app/sepolicy/common/file.te b/euiccpixel_app/sepolicy/common/file.te
new file mode 100644
index 0000000..e76ee79
--- /dev/null
+++ b/euiccpixel_app/sepolicy/common/file.te
@@ -0,0 +1,2 @@
+# type for gpu uevent
+type sysfs_gpu_uevent, sysfs_type, fs_type;
diff --git a/euiccpixel_app/sepolicy/common/genfs_contexts b/euiccpixel_app/sepolicy/common/genfs_contexts
new file mode 100644
index 0000000..fc146df
--- /dev/null
+++ b/euiccpixel_app/sepolicy/common/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/34f00000.gpu0/uevent u:object_r:sysfs_gpu_uevent:s0
diff --git a/euiccpixel_app/sepolicy/common/keys.conf b/euiccpixel_app/sepolicy/common/keys.conf
new file mode 100644
index 0000000..7071a2a
--- /dev/null
+++ b/euiccpixel_app/sepolicy/common/keys.conf
@@ -0,0 +1,2 @@
+[@EUICCSUPPORTPIXEL]
+ALL : device/google/gs-common/euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem
diff --git a/euiccpixel_app/sepolicy/common/mac_permissions.xml b/euiccpixel_app/sepolicy/common/mac_permissions.xml
new file mode 100644
index 0000000..0eab982
--- /dev/null
+++ b/euiccpixel_app/sepolicy/common/mac_permissions.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag.
+ * A signer tag may contain a seinfo tag and multiple package stanzas.
+ * A default tag is allowed that can contain policy for all apps not signed with a
+ previously listed cert. It may not contain any inner package stanzas.
+ * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process.
+ * When a package is installed the following logic is used to determine what seinfo
+ value, if any, is assigned.
+ - All signatures used to sign the app are checked first.
+ - If a signer stanza has inner package stanzas, those stanza will be checked
+ to try and match the package name of the app. If the package name matches
+ then that seinfo tag is used. If no inner package matches then the outer
+ seinfo tag is assigned.
+ - The default tag is consulted last if needed.
+-->
+ <!-- google apps key -->
+ <signer signature="@EUICCSUPPORTPIXEL" >
+ <seinfo value="EuiccSupportPixel" />
+ </signer>
+</policy>
diff --git a/euiccpixel_app/sepolicy/common/seapp_contexts b/euiccpixel_app/sepolicy/common/seapp_contexts
new file mode 100644
index 0000000..9501a3a
--- /dev/null
+++ b/euiccpixel_app/sepolicy/common/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for EuiccSupportPixel
+user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
diff --git a/euiccpixel_app/sepolicy/st54/euiccpixel_app.te b/euiccpixel_app/sepolicy/st54/euiccpixel_app.te
new file mode 100644
index 0000000..3d81a57
--- /dev/null
+++ b/euiccpixel_app/sepolicy/st54/euiccpixel_app.te
@@ -0,0 +1,8 @@
+# euiccpixel requires st54spi for firmware upgrade
+userdebug_or_eng(`
+ net_domain(euiccpixel_app)
+
+ # Access to directly upgrade firmware on st54spi_device used for engineering devices
+ typeattribute st54spi_device mlstrustedobject;
+ allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+')