Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 813c25fc91f77db3119b0543e9309db8ca64af91^! / .
commit813c25fc91f77db3119b0543e9309db8ca64af91[log] [tgz]
authorChiachang Wang <chiachangwang@google.com>Thu Dec 24 15:11:15 2020 +0800
committerChiachang Wang <chiachangwang@google.com>Thu Dec 24 15:11:15 2020 +0800
treec8d24727c5c0096ba33963c5113ccc34a1fa2263
parent0afbe0eb98215bcbaa1801e4940dc26b3e38b469 [diff]
Add new selinux type for radio process

ConnectivityService is going to become mainline and can not
access hidden APIs. Telephony and Settings were both accessing
the hidden API ConnectivityManager#getMobileProvisioningUrl.
Moving #getMobileProvisioningUrl method into telephony means
that there is one less access to a hidden API within the overall
framework since the Connectivity stack never needed this value.
Thus, move getMobileProvisioningUrl parsing to telephony surface
and provide the corresponding sepolicy permission for its access.

The exsting radio_data_file is an app data type and may allow
more permission than necessary. Thus create a new type and give
the necessary read access only.

Bug: 175177794
Test: verify that the radio process could read
      /data/misc/radio/provisioning_urls.xml successfully
Change-Id: I191261a57667dc7936c22786d75da971f94710ef

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 532ff16..4801a9c 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil

@@ -44,6 +44,7 @@
     profcollectd_data_file
     profcollectd_exec
     profcollectd_service
+    radio_core_data_file
     search_ui_service
     shell_test_data_file
     snapuserd

diff --git a/private/file_contexts b/private/file_contexts
index 80e805e..ee84e7e 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -582,6 +582,7 @@
 /data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
 /data/misc/prereboot(/.*)?      u:object_r:prereboot_data_file:s0
 /data/misc/profcollectd(/.*)?   u:object_r:profcollectd_data_file:s0
+/data/misc/radio(/.*)?          u:object_r:radio_core_data_file:s0
 /data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0

diff --git a/public/file.te b/public/file.te
index ff0cba3..404e1d4 100644
--- a/public/file.te
+++ b/public/file.te

@@ -410,6 +410,7 @@
 # /data/misc/trace for method traces on userdebug / eng builds
 type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type gsi_data_file, file_type, data_file_type, core_data_file_type;
+type radio_core_data_file, file_type, data_file_type, core_data_file_type;
 
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

diff --git a/public/radio.te b/public/radio.te
index 6ec0086..e03b706 100644
--- a/public/radio.te
+++ b/public/radio.te

@@ -11,7 +11,8 @@
 # Data file accesses.
 allow radio radio_data_file:dir create_dir_perms;
 allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
 
 allow radio net_data_file:dir search;
 allow radio net_data_file:file r_file_perms;