Add tradeinmode sepolicy.
This allows adbd_tradeinmode to run a wrapper to execute am/content.
This defines a transition from adbd_tradeinmode to tradeinmode, but no
transition from tradeinmode to zygote/am, similar to how "adb shell am"
would work.
There are still denials here, but they don't appear to be critical to
am/content working. These denials would be fixed by:
allow tradeinmode dalvikcache_data_file:dir search;
allow tradeinmode platform_app:binder call;
allow tradeinmode self:anon_inode { create ioctl };
allow tradeinmode tmpfs:file { execute map read write };
The set of denial logs is roughly:
auditd : type=1400 audit(0.0:45): avc: denied { write } for comm="main" name="memfd:jit-cache" dev="tmpfs" ino=3547 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:46): avc: denied { search } for comm="main" name="dalvik-cache" dev="dm-56" ino=114 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir permissive=0
auditd : type=1400 audit(0.0:50): avc: denied { create } for comm="app_process" anonclass=[userfaultfd] scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tradeinmode:s0 tclass=anon_inode permissive=0
app_process: type=1400 audit(0.0:50): avc: denied { create } for anonclass=[userfaultfd] scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tradeinmode:s0 tclass=anon_inode permissive=0
auditd : type=1400 audit(0.0:51): avc: denied { create } for comm="app_process" anonclass=[userfaultfd] scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tradeinmode:s0 tclass=anon_inode permissive=0
app_process: type=1400 audit(0.0:51): avc: denied { create } for anonclass=[userfaultfd] scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tradeinmode:s0 tclass=anon_inode permissive=0
auditd : type=1400 audit(0.0:52): avc: denied { map } for comm="main" path=2F6D656D66643A6A69742D6361636865202864656C6574656429 dev="tmpfs" ino=1332 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:19): avc: denied { getattr } for comm="sh" path="/system/bin/tradeinmode" dev="dm-7" ino=547 scontext=u:r:shell:s0 tcontext=u:object_r:tradeinmode_exec:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:20): avc: denied { getattr } for comm="sh" path="/system/bin/tradeinmode" dev="dm-7" ino=547 scontext=u:r:shell:s0 tcontext=u:object_r:tradeinmode_exec:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:21): avc: denied { getattr } for comm="sh" path="/system/bin/tradeinmode" dev="dm-7" ino=547 scontext=u:r:shell:s0 tcontext=u:object_r:tradeinmode_exec:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:98): avc: denied { read } for comm="main" path=2F6D656D66643A6A69742D6361636865202864656C6574656429 dev="tmpfs" ino=1372 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:99): avc: denied { call } for comm="main" scontext=u:r:tradeinmode:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=binder permissive=0
auditd : type=1400 audit(0.0:59): avc: denied { execute } for comm="main" path=2F6D656D66643A6A69742D6361636865202864656C6574656429 dev="tmpfs" ino=6556 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
Test: manual test
Bug: 307713521
Change-Id: I5ece68f6ec82d46fc040911c2b42aa435c71787d
diff --git a/private/file_contexts b/private/file_contexts
index 016e3e2..f837b70 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -410,7 +410,7 @@
/system/bin/uprobestats u:object_r:uprobestats_exec:s0
/system/bin/bert_collector u:object_r:bert_collector_exec:s0
/system/bin/linux_vm_setup u:object_r:linux_vm_setup_exec:s0
-
+/system/bin/tradeinmode u:object_r:tradeinmode_exec:s0
#############################
# Vendor files