authorAdam Shih <adamshih@google.com>2018-06-26 14:52:14 +0800
committerMeng Wang <mewan@google.com>2020-05-13 22:59:56 +0000
commit72c61bf69265a114f44b87a60e40085b1ce8a320 (patch)
tree1a90176f80d0cf95a470c348a0fb3dda75c9100a
parent7c1ecf5fa1456cb199e9c7e80791be62da709de9 (diff)
coral-sepolicy: Add selinux rules for verizon OBDM app
Bug: 155809686 Test: build pass and make sure the contents are the same as before - check the domain in device can be changed to obdm_app to apply the rules Note: OBDM is a prebuilt app and tested on old projects with these rules, and we have no environment to do local test now, just sync patch from B1C1(http://ag/4059061, http://ag/4418057) Change-Id: I991b90c345043311077f3e65807432642ddad64c
-rw-r--r--coral-sepolicy.mk1
-rw-r--r--vendor/verizon/keys.conf2
-rw-r--r--vendor/verizon/mac_permissions.xml6
-rw-r--r--vendor/verizon/obdm_app.te21
-rw-r--r--vendor/verizon/seapp_contexts3
-rw-r--r--vendor/verizon/verizon.x509.pem21
6 files changed, 54 insertions, 0 deletions
diff --git a/coral-sepolicy.mk b/coral-sepolicy.mk
index 8ea3e0a..094e701 100644
--- a/coral-sepolicy.mk
+++ b/coral-sepolicy.mk
@@ -7,3 +7,4 @@ BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/common
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/sm8150
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/knowles/common
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/tracking_denials
+BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/verizon
diff --git a/vendor/verizon/keys.conf b/vendor/verizon/keys.conf
new file mode 100644
index 0000000..03f85b8
--- /dev/null
+++ b/vendor/verizon/keys.conf
@@ -0,0 +1,2 @@
+[@VERIZON]
+ALL : device/google/coral-sepolicy/vendor/verizon/verizon.x509.pem
diff --git a/vendor/verizon/mac_permissions.xml b/vendor/verizon/mac_permissions.xml
new file mode 100644
index 0000000..770f40a
--- /dev/null
+++ b/vendor/verizon/mac_permissions.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+ <signer signature="@VERIZON" >
+ <seinfo value="verizon" />
+ </signer>
+</policy>
diff --git a/vendor/verizon/obdm_app.te b/vendor/verizon/obdm_app.te
new file mode 100644
index 0000000..cd7c17f
--- /dev/null
+++ b/vendor/verizon/obdm_app.te
@@ -0,0 +1,21 @@
+type obdm_app, domain, coredomain;
+
+app_domain(obdm_app)
+net_domain(obdm_app)
+
+allow obdm_app app_api_service:service_manager find;
+allow obdm_app radio_service:service_manager find;
+allow obdm_app surfaceflinger_service:service_manager find;
+
+userdebug_or_eng(`
+ allow obdm_app proc_stat:file r_file_perms;
+
+ # talk to /dev/diag
+ allow obdm_app diag_device:chr_file rw_file_perms;
+
+ allow obdm_app self:socket create_socket_perms;
+ allowxperm obdm_app self:socket ioctl { 0x0000c302 0x0000c304 };
+
+ allow obdm_app sysfs:dir r_dir_perms;
+ r_dir_file(obdm_app, sysfs_msm_subsys)
+')
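Review bot: `allow obdm_app sysfs:dir r_dir_perms;` grants directory reads on the generic `sysfs` label, which is wider than the `sysfs_msm_subsys` access the following `r_dir_file` line already provides; if a denial on one specific node motivated it, labelling that node and granting only that type would keep the domain narrow. The `allowxperm` line permits raw numbers `0x0000c302 0x0000c304` on the unqualified `socket` class with no comment, so a reader cannot tell which commands are being permitted; if these correspond to named entries in the platform's ioctl_defines (they look like the IPC router pair, to be confirmed), use the symbolic names, otherwise add a comment such as `# <command names> on the <family> socket used by the diag path`. Separately, `type obdm_app, domain, coredomain;` is declared in a directory added through BOARD_SEPOLICY_DIRS while the block also grants `diag_device` access, so it is worth confirming that `coredomain` is the intended attribute for this prebuilt. The rules outside `userdebug_or_eng` (`net_domain`, `radio_service` find) apply on user builds too, and a one-line header comment saying why the app needs them would help later audits.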
diff --git a/vendor/verizon/seapp_contexts b/vendor/verizon/seapp_contexts
new file mode 100644
index 0000000..951fef3
--- /dev/null
+++ b/vendor/verizon/seapp_contexts
@@ -0,0 +1,3 @@
+# Verizon for OBDM tool
+user=_app seinfo=verizon name=com.verizon.obdm domain=obdm_app type=app_data_file levelFrom=all
+user=_app seinfo=verizon name=com.verizon.obdm:background domain=obdm_app type=app_data_file levelFrom=all
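Review bot: Both entries select on `seinfo=verizon` and the package name only, so any APK carrying that signature and name is placed in `obdm_app` regardless of how it was installed. If the prebuilt ships in a priv-app directory (not visible in this commit), adding `isPrivApp=true` to both lines would tie the domain to the preinstalled copy. The header comment could also say that the second line covers the app's `:background` process, e.g. `# com.verizon.obdm and its :background process run in obdm_app`.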
diff --git a/vendor/verizon/verizon.x509.pem b/vendor/verizon/verizon.x509.pem
new file mode 100644
index 0000000..a06efc2
--- /dev/null
+++ b/vendor/verizon/verizon.x509.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----