From 6561e3b343ec78dd5929fe7e989365a5d0f2e37c Mon Sep 17 00:00:00 2001
From: Samridhi <ssmrid@google.com>
Date: Mon, 18 Mar 2024 06:39:40 +0000
Subject: [PATCH] Add SEPolicy domain for cavalry app

AVC error logs: https://paste.googleplex.com/4870439005847552
Test: make selinux_policy, flash build and test
Bug: 329276535
Change-Id: I2ccb4d9205125f02f12cc26ea9e6e6e40b8d6ba2
---
 pixelsupport/pixelsupport.mk                  |  5 ++++
 .../private/certs/pixelsupport.x509.pem       | 30 +++++++++++++++++++
 .../sepolicy/product/private/keys.conf        |  2 ++
 .../product/private/mac_permissions.xml       | 27 +++++++++++++++++
 .../product/private/pixelsupport_app.te       | 11 +++++++
 .../sepolicy/product/private/seapp_contexts   |  2 ++
 .../product/public/pixelsupport_app.te        |  2 ++
 .../sepolicy/vendor/pixelsupport_app.te       |  2 ++
 8 files changed, 81 insertions(+)
 create mode 100644 pixelsupport/pixelsupport.mk
 create mode 100644 pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
 create mode 100644 pixelsupport/sepolicy/product/private/keys.conf
 create mode 100644 pixelsupport/sepolicy/product/private/mac_permissions.xml
 create mode 100644 pixelsupport/sepolicy/product/private/pixelsupport_app.te
 create mode 100644 pixelsupport/sepolicy/product/private/seapp_contexts
 create mode 100644 pixelsupport/sepolicy/product/public/pixelsupport_app.te
 create mode 100644 pixelsupport/sepolicy/vendor/pixelsupport_app.te

diff --git a/pixelsupport/pixelsupport.mk b/pixelsupport/pixelsupport.mk
new file mode 100644
index 0000000..068c94f
--- /dev/null
+++ b/pixelsupport/pixelsupport.mk
@@ -0,0 +1,5 @@
+PRODUCT_PACKAGES += PixelSupportPrebuilt
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/vendor
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/product/private
diff --git a/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem b/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
new file mode 100644
index 0000000..40c874d
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIGBzCCA++gAwIBAgIVAJriiL3+mR75mIC8e0Xqoz59LduNMA0GCSqGSIb3DQEBCwUAMIGSMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU
+MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxLjAsBgNVBAMMJWNvbV9nb29n
+bGVfYW5kcm9pZF9hcHBzX3BpeGVsX3N1cHBvcnQwIBcNMjIxMjEyMTM1MDA3WhgPMjA1MjEyMTIx
+MzUwMDdaMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91
+bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxLjAsBgNV
+BAMMJWNvbV9nb29nbGVfYW5kcm9pZF9hcHBzX3BpeGVsX3N1cHBvcnQwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCSWvRumhZOIAZmWKcuVjc1l3OIIWc/nSRVnsfdzeRqK0jwVFcTqMDs
+kmZtEj/UTW+N91ExRzWvAQ027AcE7TGF3X2iKKAfpSB0fpVQato5RIzOrRbwgAzsIvBdVtExqSNk
+5vh8xJ0azHt6Jn77gW03Mq7AL55Si5q3vU1meeGBPD/YWeqd/oNhPfe0kAHdNnnTOnN6SBxSeO8r
+YukV4XYJ3BxgWD1sm2NI8kZ+OGAooBFflZYXoY6NVfLXm6jsqWnooAok7CrNxZc/wstiwd8yYX6f
+6R1Trox3a9xOy7E+6Rig0XhbWm4pbp3Zu0OLArUalbQ1cjd1qFy6q9maieBn14ad+UtLNOUjCx91
+hLWg/mdpYCvArQb3bBDJdjYfdoo7Q8F9QW3JrFrbIeBezM4TTdK9v/sM4+1OxEo6vwMKQM9Ata/H
+Mn89a4nFHgRqGIMKK8zh0Eob+OwiBakviVhAI1o7IONujcJ2hfuyHNPZb8sT0Rewxtw2fD/Jwj+l
+ADmlXWw553geFcwP1SqOC6j/XOeazSvV4ccCME2VZqIE4pmL+RUr+cgAyQHXPZnet74C7K9sNRV6
+JluS6inqP4lKp7gSFuVrQNYHawNPVinbeTLYEu+df3m3yrHAUpaSvsSUC6qQVWCs0sI8PC6A1+bV
+DXMsIYRvrSnmtN75vOECaQIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTODyZ1S/is
+Y/2ZuMl8B1M6kFiJwDAfBgNVHSMEGDAWgBTODyZ1S/isY/2ZuMl8B1M6kFiJwDANBgkqhkiG9w0B
+AQsFAAOCAgEAL26IGjeu8Q5tn/b4vfYa+7bRUwozAJA9Buyduw/4wVG6rIAkpEsghkgnoOvyjD72
+ncbCkDoBV3a1PLw2W/bMQWfZvYScOzc2yFwcR9LdQIiEYmtgnwuJHnqc2MDsh+MDeclblyBYfIQQ
+bpZ0JArKalSmDyul0QIcfHq+RKmGAzC3bx0xigclIZJxXEG4tyQylttnqNodAEqYdhMMRajI3w9t
+61QwqNv1KTGJt1sC2Q7NyzbZJo02Kwu711Dw6KnVgHaGKC2sRIixsvjm2s6f9/CcVasuLopkJnyl
+epPeD2jHwHdE4/c2K5ZVQeZ+R0pIOEBKwg1AVkn+/UTbhpjYCkEGP09e8T45Y+//eMlrbORJAbji
+H5cfD9aSO2z4slN4B4w+Fw9Kn+a7bsN2xhv7lvAgQ92aq9g/YS1YysZ7kSoCpmKl7rN+0V/RGRVP
+ab2Cb0C3+JewTnOAF30e7zVs9Vaq3oTAV4XFYNiDRUBU/rvv8EIZKcBdufFJmCGYUpmm1EQQdsTt
+mFMPEh5I4Qd0sy+HKvLjThcMGHqDX0bCeXkbFZdj0GXPOOt5LX8NZBdnsbVgENrZml318uLEj3ZU
+DlojsfsTlVcs5eIPX6Dkx0OdgVcMAXnLF+vjP/ygWuLqiPFPCrZD1b+2g2P9Yip3e221tuyca42b
+q3bvQEBwOsA=
+-----END CERTIFICATE-----
diff --git a/pixelsupport/sepolicy/product/private/keys.conf b/pixelsupport/sepolicy/product/private/keys.conf
new file mode 100644
index 0000000..eff6067
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/keys.conf
@@ -0,0 +1,2 @@
+[@PIXELSUPPORT]
+ALL : device/google/gs-common/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
diff --git a/pixelsupport/sepolicy/product/private/mac_permissions.xml b/pixelsupport/sepolicy/product/private/mac_permissions.xml
new file mode 100644
index 0000000..cb8d42a
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/mac_permissions.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <!-- PixelSupport app key -->
+    <signer signature="@PIXELSUPPORT" >
+      <seinfo value="PixelSupport" />
+    </signer>
+</policy>
diff --git a/pixelsupport/sepolicy/product/private/pixelsupport_app.te b/pixelsupport/sepolicy/product/private/pixelsupport_app.te
new file mode 100644
index 0000000..be6f7dd
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/pixelsupport_app.te
@@ -0,0 +1,11 @@
+typeattribute pixelsupport_app coredomain;
+
+app_domain(pixelsupport_app)
+# Access the network.
+net_domain(pixelsupport_app)
+# Access bluetooth.
+bluetooth_domain(pixelsupport_app)
+
+allow pixelsupport_app app_api_service:service_manager find;
+allow pixelsupport_app radio_service:service_manager find;
+
diff --git a/pixelsupport/sepolicy/product/private/seapp_contexts b/pixelsupport/sepolicy/product/private/seapp_contexts
new file mode 100644
index 0000000..f16a054
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/seapp_contexts
@@ -0,0 +1,2 @@
+# Pixel Support App
+user=_app seinfo=PixelSupport name=com.google.android.apps.pixel.support domain=pixelsupport_app type=app_data_file isPrivApp=true levelFrom=user
diff --git a/pixelsupport/sepolicy/product/public/pixelsupport_app.te b/pixelsupport/sepolicy/product/public/pixelsupport_app.te
new file mode 100644
index 0000000..1846ac9
--- /dev/null
+++ b/pixelsupport/sepolicy/product/public/pixelsupport_app.te
@@ -0,0 +1,2 @@
+type pixelsupport_app, domain;
+
diff --git a/pixelsupport/sepolicy/vendor/pixelsupport_app.te b/pixelsupport/sepolicy/vendor/pixelsupport_app.te
new file mode 100644
index 0000000..e3b380c
--- /dev/null
+++ b/pixelsupport/sepolicy/vendor/pixelsupport_app.te
@@ -0,0 +1,2 @@
+set_prop(pixelsupport_app, vendor_gti_prop)
+