Add new selinux type for radio process

ConnectivityService is going to become mainline and can not access hidden APIs. Telephony and Settings were both accessing the hidden API ConnectivityManager#getMobileProvisioningUrl. Moving #getMobileProvisioningUrl method into telephony means that there is one less access to a hidden API within the overall framework since the Connectivity stack never needed this value. Thus, move getMobileProvisioningUrl parsing to telephony surface and provide the corresponding sepolicy permission for its access. The exsting radio_data_file is an app data type and may allow more permission than necessary. Thus create a new type and give the necessary read access only. Bug: 175177794 Test: verify that the radio process could read /data/misc/radio/provisioning_urls.xml successfully Change-Id: I191261a57667dc7936c22786d75da971f94710ef
2020-12-24 15:11:15 +08:00 · 2020-12-24 15:11:15 +08:00 · 813c25fc91
commit 813c25fc91
parent 0afbe0eb98
4 changed files with 5 additions and 1 deletions
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@ -44,6 +44,7 @@
    profcollectd_data_file
    profcollectd_exec
    profcollectd_service
+    radio_core_data_file
    search_ui_service
    shell_test_data_file
    snapuserd
--- a/private/file_contexts
+++ b/private/file_contexts
@ -582,6 +582,7 @@
 /data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
 /data/misc/prereboot(/.*)?      u:object_r:prereboot_data_file:s0
 /data/misc/profcollectd(/.*)?   u:object_r:profcollectd_data_file:s0
+/data/misc/radio(/.*)?          u:object_r:radio_core_data_file:s0
 /data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
--- a/public/file.te
+++ b/public/file.te
@ -410,6 +410,7 @@ type update_engine_log_data_file, file_type, data_file_type, core_data_file_type
 # /data/misc/trace for method traces on userdebug / eng builds
 type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type gsi_data_file, file_type, data_file_type, core_data_file_type;
+type radio_core_data_file, file_type, data_file_type, core_data_file_type;

 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
--- a/public/radio.te
+++ b/public/radio.te
@ -11,7 +11,8 @@ not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
 # Data file accesses.
 allow radio radio_data_file:dir create_dir_perms;
 allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;

 allow radio net_data_file:dir search;
 allow radio net_data_file:file r_file_perms;