Merge "Define UWB snoop log in sepolicy" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4607f9d..a0933b4 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -936,8 +936,10 @@
 /data/misc/apexdata/com.android.tethering/test                    apex_tethering_data_file
 /data/misc/apexdata/com.android.tethering/threadnetwork           apex_tethering_data_file
 /data/misc/apexdata/com.android.tethering/threadnetwork/test      apex_tethering_data_file
-/data/misc/apexdata/com.android.uwb                               apex_system_server_data_file
-/data/misc/apexdata/com.android.uwb/test                          apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb                               apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/test                          apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/log                           apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/log/test                      apex_uwb_data_file
 /data/misc/apexdata/com.android.wifi                              apex_system_server_data_file
 /data/misc/apexdata/com.android.wifi/test                         apex_system_server_data_file
 /data/misc/apexrollback                                           apex_rollback_data_file
diff --git a/private/dumpstate.te b/private/dumpstate.te
index a64f7c7..a60b6a5 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -368,6 +368,12 @@
 allow dumpstate nfc_logs_data_file:dir r_dir_perms;
 allow dumpstate nfc_logs_data_file:file r_file_perms;
 
+# For uwb
+allow dumpstate apex_module_data_file:dir search;
+allow dumpstate apex_system_server_data_file:dir search;
+allow dumpstate apex_uwb_data_file:dir r_dir_perms;
+allow dumpstate apex_uwb_data_file:file r_file_perms;
+
 # Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
 allow dumpstate gpu_device:chr_file rw_file_perms;
 allow dumpstate gpu_device:dir r_dir_perms;
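Review bot: The added `allow dumpstate apex_system_server_data_file:dir search;` looks broader than the UWB log path needs. With the relabel in this commit the path runs through /data/misc/apexdata (presumably apex_module_data_file) and then com.android.uwb, which is now apex_uwb_data_file, so no apex_system_server_data_file directory appears to be traversed. If the rule is there for devices whose UWB directory still carries the old label, say so in the comment. Otherwise drop it, so dumpstate gains no search access to the permission, scheduling and wifi apex data directories that keep that type. The `# For uwb` comment could also state the purpose, e.g. `# Read UWB snoop logs under /data/misc/apexdata/com.android.uwb/log for bugreports`.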
@@ -561,3 +567,21 @@
   -traceur_app
   -dumpstate
 } dumpstate_service:service_manager find;
+
+# only dumpstate, system_server and related others to access apex_uwb_data_file
+neverallow {
+  domain
+  -dumpstate
+  -system_server
+  -apexd
+  -init
+  -vold_prepare_subdirs
+} apex_uwb_data_file:dir no_rw_file_perms;
+neverallow {
+  domain
+  -dumpstate
+  -system_server
+  -apexd
+  -init
+  -vold_prepare_subdirs
+} apex_uwb_data_file:file no_rw_file_perms;
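Review bot: The first neverallow applies `no_rw_file_perms` to the `dir` class, but that is a file-oriented set and does not name the directory-specific permissions `add_name`, `remove_name`, `reparent` and `rmdir`. Because `write` is in the set, most modifications are already blocked in practice, but `} apex_uwb_data_file:dir { no_w_dir_perms open read ioctl lock };` would state the intent directly; it needs a build to confirm no existing domain trips it. The comment's "related others" would be clearer if it named apexd, init and vold_prepare_subdirs and said why each is exempt. Since the rules constrain every domain, not only dumpstate, they would be easier to find next to other apex data restrictions than at the end of dumpstate.te.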
diff --git a/private/file.te b/private/file.te
index 54016aa..f8a48cd 100644
--- a/private/file.te
+++ b/private/file.te
@@ -86,6 +86,9 @@
 # /data/misc/apexdata/com.android.tethering
 type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
+# /data/misc/apexdata/com.android.uwb
+type apex_uwb_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
 # for backward compatibility b/217581286
 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
@@ -205,4 +208,4 @@
 type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
 
 # /data/misc_ce/userId/storage_area_keys
-type storage_area_key_file, file_type, data_file_type, core_data_file_type;
\ No newline at end of file
+type storage_area_key_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index b82b4f0..ffc06f2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -638,7 +638,7 @@
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.tethering(/.*)?     u:object_r:apex_tethering_data_file:s0
-/data/misc/apexdata/com\.android\.uwb(/.*)?           u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.uwb(/.*)?           u:object_r:apex_uwb_data_file:s0
 /data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_system_server_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
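Review bot: Changing the context for an existing path only takes effect when the files are relabelled. On a device upgraded from a build where com.android.uwb was apex_system_server_data_file, the directory and its contents may therefore keep the old type until restorecon runs over them. Nothing in the visible hunks shows that step, so confirm it happens on upgrade, presumably through one of the domains exempted in the new neverallow rules (apexd, init, vold_prepare_subdirs). Until it does, dumpstate's new `apex_uwb_data_file` allow rules will not match the existing files.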
diff --git a/private/system_server.te b/private/system_server.te
index ba49367..8326628 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1465,6 +1465,8 @@
 allow system_server apex_system_server_data_file:file create_file_perms;
 allow system_server apex_tethering_data_file:dir create_dir_perms;
 allow system_server apex_tethering_data_file:file create_file_perms;
+allow system_server apex_uwb_data_file:dir create_dir_perms;
+allow system_server apex_uwb_data_file:file create_file_perms;
 # Legacy labels that we still need to support (b/217581286)
 allow system_server {
   apex_appsearch_data_file