Allow rfs_access (tftp server) to create its tombstone directories.

It runs as system, but data/vendor/tombstone is writeable only by
root, so we get init to create the initial directory. rfs_access then
creates sub-directories.

Denials:
denied { write } for name="rfs" dev="sda19" ino=51687 scontext=u:r:rfs_access:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir
denied { add_name } for name="modem" scontext=u:r:rfs_access:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir
denied { create } for name="modem" scontext=u:r:rfs_access:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir
denied { setattr } for name="modem" dev="sda19" ino=51689 scontext=u:r:rfs_access:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir

Bug: 72643420
Test: Device boots, denials gone.

Change-Id: Ia5fba7aa59ee52367f72ce4ee337298d1c7ae915

5 files changed, 7 insertions, 2 deletions

diff --git a/init.hardware.mpssrfs.rc.user b/init.hardware.mpssrfs.rc.user
index ac7bacca..99cb03ab 100644
--- a/init.hardware.mpssrfs.rc.user
+++ b/init.hardware.mpssrfs.rc.user
@@ -2,3 +2,4 @@ on post-fs-data
     # Modem Remote FS
     mkdir /data/vendor/rfs      0700 system system
     mkdir /data/vendor/rfs/mpss 0700 system system
+    mkdir /data/vendor/tombstones/rfs      0700 system system
diff --git a/init.hardware.mpssrfs.rc.userdebug b/init.hardware.mpssrfs.rc.userdebug
index 6abf2e33..5b2de5cc 100644
--- a/init.hardware.mpssrfs.rc.userdebug
+++ b/init.hardware.mpssrfs.rc.userdebug
@@ -2,6 +2,7 @@ on post-fs-data
     # Modem Remote FS
     mkdir /data/vendor/rfs      0700 system system
     mkdir /data/vendor/rfs/mpss 0700 system system
+    mkdir /data/vendor/tombstones/rfs      0700 system system
     write /data/vendor/rfs/mpss/mcfg_nv_list_flag "1"
     chown system system /data/vendor/rfs/mpss/mcfg_nv_list_flag
     chmod 0700 /data/vendor/rfs/mpss/mcfg_nv_list_flag
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 0e4e11ed..4d6d6144 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -68,7 +68,6 @@ type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject;
 type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
 type modem_dump_file, file_type, data_file_type;
 type sensors_vendor_data_file, file_type, data_file_type;
-
 type vendor_firmware_file, vendor_file_type, file_type;
 
 #data sysfs files
@@ -79,5 +78,6 @@ type sysfs_diag, fs_type, sysfs_type;
 
 type hexagon_halide_file, vendor_file_type, file_type;
 
-#mpss rfs files
+#rfs files
 type mpss_rfs_data_file, data_file_type, file_type;
+type rfs_tombstone_data_file, data_file_type, file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 86b1de2e..bd9a7e27 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -232,6 +232,7 @@
 /data/vendor/ipa(/.*)?                 u:object_r:ipa_vendor_data_file:s0
 /data/vendor/sensors(/.*)?             u:object_r:sensors_vendor_data_file:s0
 /data/vendor/rfs/mpss(/.*)?            u:object_r:mpss_rfs_data_file:s0
+/data/vendor/tombstones/rfs(/.*)?      u:object_r:rfs_tombstone_data_file:s0
 
 # /
 /tombstones             u:object_r:rootfs:s0
diff --git a/sepolicy/vendor/rfs_access.te b/sepolicy/vendor/rfs_access.te
index 306daefb..1751eef4 100644
--- a/sepolicy/vendor/rfs_access.te
+++ b/sepolicy/vendor/rfs_access.te
@@ -16,5 +16,7 @@ allow rfs_access persist_rfs_file:dir create_dir_perms;
 allow rfs_access persist_rfs_file:file create_file_perms;
 allow rfs_access mpss_rfs_data_file:dir create_dir_perms;
 allow rfs_access mpss_rfs_data_file:file create_file_perms;
+allow rfs_access rfs_tombstone_data_file:dir create_dir_perms;
+allow rfs_access rfs_tombstone_data_file:file create_file_perms;
 
 allow rfs_access self:socket create_socket_perms_no_ioctl;