Add tradeinmode sepolicy.
This allows adbd_tradeinmode to run a wrapper to execute am/content.
This defines a transition from adbd_tradeinmode to tradeinmode, but no
transition from tradeinmode to zygote/am, similar to how "adb shell am"
would work.
There are still denials here, but they don't appear to be critical to
am/content working. These denials would be fixed by:
allow tradeinmode dalvikcache_data_file:dir search;
allow tradeinmode platform_app:binder call;
allow tradeinmode self:anon_inode { create ioctl };
allow tradeinmode tmpfs:file { execute map read write };
The set of denial logs is roughly:
auditd : type=1400 audit(0.0:45): avc: denied { write } for comm="main" name="memfd:jit-cache" dev="tmpfs" ino=3547 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:46): avc: denied { search } for comm="main" name="dalvik-cache" dev="dm-56" ino=114 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir permissive=0
auditd : type=1400 audit(0.0:50): avc: denied { create } for comm="app_process" anonclass=[userfaultfd] scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tradeinmode:s0 tclass=anon_inode permissive=0
app_process: type=1400 audit(0.0:50): avc: denied { create } for anonclass=[userfaultfd] scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tradeinmode:s0 tclass=anon_inode permissive=0
auditd : type=1400 audit(0.0:51): avc: denied { create } for comm="app_process" anonclass=[userfaultfd] scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tradeinmode:s0 tclass=anon_inode permissive=0
app_process: type=1400 audit(0.0:51): avc: denied { create } for anonclass=[userfaultfd] scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tradeinmode:s0 tclass=anon_inode permissive=0
auditd : type=1400 audit(0.0:52): avc: denied { map } for comm="main" path=2F6D656D66643A6A69742D6361636865202864656C6574656429 dev="tmpfs" ino=1332 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:19): avc: denied { getattr } for comm="sh" path="/system/bin/tradeinmode" dev="dm-7" ino=547 scontext=u:r:shell:s0 tcontext=u:object_r:tradeinmode_exec:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:20): avc: denied { getattr } for comm="sh" path="/system/bin/tradeinmode" dev="dm-7" ino=547 scontext=u:r:shell:s0 tcontext=u:object_r:tradeinmode_exec:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:21): avc: denied { getattr } for comm="sh" path="/system/bin/tradeinmode" dev="dm-7" ino=547 scontext=u:r:shell:s0 tcontext=u:object_r:tradeinmode_exec:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:98): avc: denied { read } for comm="main" path=2F6D656D66643A6A69742D6361636865202864656C6574656429 dev="tmpfs" ino=1372 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
auditd : type=1400 audit(0.0:99): avc: denied { call } for comm="main" scontext=u:r:tradeinmode:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=binder permissive=0
auditd : type=1400 audit(0.0:59): avc: denied { execute } for comm="main" path=2F6D656D66643A6A69742D6361636865202864656C6574656429 dev="tmpfs" ino=6556 scontext=u:r:tradeinmode:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
Test: manual test
Bug: 307713521
Change-Id: I5ece68f6ec82d46fc040911c2b42aa435c71787d
diff --git a/private/system_server.te b/private/system_server.te
index 063c2ed..e84175b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1447,6 +1447,9 @@
# Allow system server to read /apex/apex-info-list.xml
allow system_server apex_info_file:file r_file_perms;
+# Allow system_server to communicate with tradeinmode.
+binder_call(system_server, tradeinmode)
+
# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;