Add ITradeInMode service sepolicy.
This defines a new service for the ITradeInMode, and grants it (through
system_server) permissions to modify persist.adb.tradeinmode.
Bug: 307713521
Test: manual test
Change-Id: I0afb349863aaf8488dd3dabaf8e7319e297bffaf
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 4e2a0da..aa47a85 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -473,6 +473,7 @@
"time_zone_detector": EXCEPTION_NO_FUZZER,
"thermalservice": EXCEPTION_NO_FUZZER,
"tracing.proxy": EXCEPTION_NO_FUZZER,
+ "tradeinmode": EXCEPTION_NO_FUZZER,
"translation": EXCEPTION_NO_FUZZER,
"transparency": EXCEPTION_NO_FUZZER,
"trust": EXCEPTION_NO_FUZZER,
diff --git a/private/platform_app.te b/private/platform_app.te
index 320624c..e60dcdd 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -99,6 +99,7 @@
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
allow platform_app stats_service:service_manager find;
+allow platform_app tradeinmode_service:service_manager find;
# Allow platform apps to log via statsd.
binder_call(platform_app, statsd)
diff --git a/private/priv_app.te b/private/priv_app.te
index bb5da7c..1ef5be1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -136,6 +136,9 @@
# Allow priv_apps to check whether Dynamic System Update is enabled
get_prop(priv_app, dynamic_system_prop)
+# Allow privileged apps to read trade in mode property
+get_prop(priv_app, adbd_tradeinmode_prop)
+
# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
diff --git a/private/service.te b/private/service.te
index 1f31477..69f1b77 100644
--- a/private/service.te
+++ b/private/service.te
@@ -33,6 +33,7 @@
type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
')
type tracingproxy_service, system_server_service, service_manager_type;
+type tradeinmode_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
diff --git a/private/service_contexts b/private/service_contexts
index 37652ae..8e537b9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -466,6 +466,7 @@
thermalservice u:object_r:thermal_service:s0
thread_network u:object_r:threadnetwork_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
+tradeinmode u:object_r:tradeinmode_service:s0
translation u:object_r:translation_service:s0
transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index e84175b..6a13816 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1144,6 +1144,9 @@
# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)
+# Set service.adbd.tradeinmode from ITradeInService.
+set_prop(system_server, adbd_tradeinmode_prop)
+
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;