Define UWB snoop log in sepolicy

Bug: 341014812
Test: manual, bugreport attached in the associated bugreport
Change-Id: I6e96663345263f2587d7ae2e73b7007b2bdcd640

contexts/plat_file_contexts_test

@@ -936,8 +936,10 @@
 /data/misc/apexdata/com.android.tethering/test                    apex_tethering_data_file
 /data/misc/apexdata/com.android.tethering/threadnetwork           apex_tethering_data_file
 /data/misc/apexdata/com.android.tethering/threadnetwork/test      apex_tethering_data_file
-/data/misc/apexdata/com.android.uwb                               apex_system_server_data_file
-/data/misc/apexdata/com.android.uwb/test                          apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb                               apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/test                          apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/log                           apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/log/test                      apex_uwb_data_file
 /data/misc/apexdata/com.android.wifi                              apex_system_server_data_file
 /data/misc/apexdata/com.android.wifi/test                         apex_system_server_data_file
 /data/misc/apexrollback                                           apex_rollback_data_file

private/dumpstate.te

@@ -365,6 +365,12 @@ allow dumpstate bluetooth_logs_data_file:file r_file_perms;
 allow dumpstate nfc_logs_data_file:dir r_dir_perms;
 allow dumpstate nfc_logs_data_file:file r_file_perms;
 
+# For uwb
+allow dumpstate apex_module_data_file:dir search;
+allow dumpstate apex_system_server_data_file:dir search;
+allow dumpstate apex_uwb_data_file:dir r_dir_perms;
+allow dumpstate apex_uwb_data_file:file r_file_perms;
+
 # Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
 allow dumpstate gpu_device:chr_file rw_file_perms;
 allow dumpstate gpu_device:dir r_dir_perms;
@@ -558,3 +564,21 @@ neverallow {
   -traceur_app
   -dumpstate
 } dumpstate_service:service_manager find;
+
+# only dumpstate, system_server and related others to access apex_uwb_data_file
+neverallow {
+  domain
+  -dumpstate
+  -system_server
+  -apexd
+  -init
+  -vold_prepare_subdirs
+} apex_uwb_data_file:dir no_rw_file_perms;
+neverallow {
+  domain
+  -dumpstate
+  -system_server
+  -apexd
+  -init
+  -vold_prepare_subdirs
+} apex_uwb_data_file:file no_rw_file_perms;

private/file.te

@@ -86,6 +86,9 @@ type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_d
 # /data/misc/apexdata/com.android.tethering
 type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
+# /data/misc/apexdata/com.android.uwb
+type apex_uwb_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
 # for backward compatibility b/217581286
 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

private/file_contexts

@@ -638,7 +638,7 @@
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.tethering(/.*)?     u:object_r:apex_tethering_data_file:s0
-/data/misc/apexdata/com\.android\.uwb(/.*)?           u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.uwb(/.*)?           u:object_r:apex_uwb_data_file:s0
 /data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_system_server_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0

private/system_server.te

@@ -1465,6 +1465,8 @@ allow system_server apex_system_server_data_file:dir create_dir_perms;
 allow system_server apex_system_server_data_file:file create_file_perms;
 allow system_server apex_tethering_data_file:dir create_dir_perms;
 allow system_server apex_tethering_data_file:file create_file_perms;
+allow system_server apex_uwb_data_file:dir create_dir_perms;
+allow system_server apex_uwb_data_file:file create_file_perms;
 # Legacy labels that we still need to support (b/217581286)
 allow system_server {
   apex_appsearch_data_file