From 813c25fc91f77db3119b0543e9309db8ca64af91 Mon Sep 17 00:00:00 2001 From: Chiachang Wang Date: Thu, 24 Dec 2020 15:11:15 +0800 Subject: [PATCH] Add new selinux type for radio process ConnectivityService is going to become mainline and can not access hidden APIs. Telephony and Settings were both accessing the hidden API ConnectivityManager#getMobileProvisioningUrl. Moving #getMobileProvisioningUrl method into telephony means that there is one less access to a hidden API within the overall framework since the Connectivity stack never needed this value. Thus, move getMobileProvisioningUrl parsing to telephony surface and provide the corresponding sepolicy permission for its access. The exsting radio_data_file is an app data type and may allow more permission than necessary. Thus create a new type and give the necessary read access only. Bug: 175177794 Test: verify that the radio process could read /data/misc/radio/provisioning_urls.xml successfully Change-Id: I191261a57667dc7936c22786d75da971f94710ef --- private/compat/30.0/30.0.ignore.cil | 1 + private/file_contexts | 1 + public/file.te | 1 + public/radio.te | 3 ++- 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index 532ff1645..4801a9c66 100644 --- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -44,6 +44,7 @@ profcollectd_data_file profcollectd_exec profcollectd_service + radio_core_data_file search_ui_service shell_test_data_file snapuserd diff --git a/private/file_contexts b/private/file_contexts index 80e805e8b..ee84e7e7a 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -582,6 +582,7 @@ /data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0 /data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0 /data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0 +/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0 /data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0 /data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0 /data/misc/sms(/.*)? u:object_r:radio_data_file:s0 diff --git a/public/file.te b/public/file.te index ff0cba387..404e1d4ce 100644 --- a/public/file.te +++ b/public/file.te @@ -410,6 +410,7 @@ type update_engine_log_data_file, file_type, data_file_type, core_data_file_type # /data/misc/trace for method traces on userdebug / eng builds type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; type gsi_data_file, file_type, data_file_type, core_data_file_type; +type radio_core_data_file, file_type, data_file_type, core_data_file_type; # /data/data subdirectories - app sandboxes type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; diff --git a/public/radio.te b/public/radio.te index 6ec008610..e03b706e9 100644 --- a/public/radio.te +++ b/public/radio.te @@ -11,7 +11,8 @@ not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)') # Data file accesses. allow radio radio_data_file:dir create_dir_perms; allow radio radio_data_file:notdevfile_class_set create_file_perms; - +allow radio radio_core_data_file:dir r_dir_perms; +allow radio radio_core_data_file:file r_file_perms; allow radio net_data_file:dir search; allow radio net_data_file:file r_file_perms;