Define UWB snoop log in sepolicy

Bug: 341014812 Test: manual, bugreport attached in the associated bugreport Change-Id: I6e96663345263f2587d7ae2e73b7007b2bdcd640
2024-05-15 08:16:16 +00:00 · 2024-05-15 08:16:16 +00:00 · dd2e2ba866
commit dd2e2ba866
parent 60f55289f8
5 changed files with 35 additions and 4 deletions
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@ -936,8 +936,10 @@
 /data/misc/apexdata/com.android.tethering/test                    apex_tethering_data_file
 /data/misc/apexdata/com.android.tethering/threadnetwork           apex_tethering_data_file
 /data/misc/apexdata/com.android.tethering/threadnetwork/test      apex_tethering_data_file
-/data/misc/apexdata/com.android.uwb                               apex_system_server_data_file
-/data/misc/apexdata/com.android.uwb/test                          apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb                               apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/test                          apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/log                           apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/log/test                      apex_uwb_data_file
 /data/misc/apexdata/com.android.wifi                              apex_system_server_data_file
 /data/misc/apexdata/com.android.wifi/test                         apex_system_server_data_file
 /data/misc/apexrollback                                           apex_rollback_data_file
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@ -365,6 +365,12 @@ allow dumpstate bluetooth_logs_data_file:file r_file_perms;
 allow dumpstate nfc_logs_data_file:dir r_dir_perms;
 allow dumpstate nfc_logs_data_file:file r_file_perms;

+# For uwb
+allow dumpstate apex_module_data_file:dir search;
+allow dumpstate apex_system_server_data_file:dir search;
+allow dumpstate apex_uwb_data_file:dir r_dir_perms;
+allow dumpstate apex_uwb_data_file:file r_file_perms;
+
 # Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
 allow dumpstate gpu_device:chr_file rw_file_perms;
 allow dumpstate gpu_device:dir r_dir_perms;
@ -558,3 +564,21 @@ neverallow {
  -traceur_app
  -dumpstate
 } dumpstate_service:service_manager find;
+
+# only dumpstate, system_server and related others to access apex_uwb_data_file
+neverallow {
+  domain
+  -dumpstate
+  -system_server
+  -apexd
+  -init
+  -vold_prepare_subdirs
+} apex_uwb_data_file:dir no_rw_file_perms;
+neverallow {
+  domain
+  -dumpstate
+  -system_server
+  -apexd
+  -init
+  -vold_prepare_subdirs
+} apex_uwb_data_file:file no_rw_file_perms;
--- a/private/file.te
+++ b/private/file.te
@ -86,6 +86,9 @@ type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_d
 # /data/misc/apexdata/com.android.tethering
 type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

+# /data/misc/apexdata/com.android.uwb
+type apex_uwb_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
 # for backward compatibility b/217581286
 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
@ -205,4 +208,4 @@ type storage_area_dir, file_type, data_file_type, core_data_file_type, app_data_
 type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

 # /data/misc_ce/userId/storage_area_keys
-type storage_area_key_file, file_type, data_file_type, core_data_file_type;
+type storage_area_key_file, file_type, data_file_type, core_data_file_type;
--- a/private/file_contexts
+++ b/private/file_contexts
@ -638,7 +638,7 @@
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.tethering(/.*)?     u:object_r:apex_tethering_data_file:s0
-/data/misc/apexdata/com\.android\.uwb(/.*)?           u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.uwb(/.*)?           u:object_r:apex_uwb_data_file:s0
 /data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_system_server_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -1465,6 +1465,8 @@ allow system_server apex_system_server_data_file:dir create_dir_perms;
 allow system_server apex_system_server_data_file:file create_file_perms;
 allow system_server apex_tethering_data_file:dir create_dir_perms;
 allow system_server apex_tethering_data_file:file create_file_perms;
+allow system_server apex_uwb_data_file:dir create_dir_perms;
+allow system_server apex_uwb_data_file:file create_file_perms;
 # Legacy labels that we still need to support (b/217581286)
 allow system_server {
  apex_appsearch_data_file