From d8e64d139e8a3c3dd0327d2d211dbbf53b267a7c Mon Sep 17 00:00:00 2001 From: Josh Hou Date: Tue, 10 Sep 2019 19:45:59 +0800 Subject: Add OMADM logs to the bugreport Allow OMADM to access data/vendor/radio Fix below avc denied errors 08-23 14:45:16.080 624 624 E SELinux : avc: denied { find } for service=isub pid=4274 uid=10156 scontext=u:r:omadm_app:s0:c156,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=0 08-23 14:58:13.443 6623 6623 I auditd : type=1400 audit(0.0:26): avc: denied { create } for comm="ConnectivityThr" scontext=u:r:omadm_app:s0:c131,c256,c512,c768 tcontext=u:r:omadm_app:s0:c131,c256,c512,c768 tclass=udp_socket permissive=0 app=com.android.omadm.service 08-23 14:58:34.770 6623 6623 I auditd : type=1400 audit(0.0:28): avc: denied { write } for comm="IntentService[D" name="dnsproxyd" dev="tmpfs" ino=25468 scontext=u:r:omadm_app:s0:c131,c256,c512,c768 tcontext=u:object_r:dnsproxyd_socket:s0 tclass=sock_file permissive=0 app=com.android.omadm.service 08-23 16:15:43.770 6742 6742 I auditd : type=1400 audit(0.0:27): avc: denied { write } for comm="ConnectivityThr" name="fwmarkd" dev="tmpfs" ino=26777 scontext=u:r:omadm_app:s0:c123,c256,c512,c768 tcontext=u:object_r:fwmarkd_socket:s0 tclass=sock_file permissive=0 app=com.android.omadm.service 08-23 16:16:06.506 6742 6742 I auditd : type=1400 audit(0.0:35): avc: denied { connectto } for comm="IntentService[D" path="/dev/socket/dnsproxyd" scontext=u:r:omadm_app:s0:c123,c256,c512,c768 tcontext=u:r:netd:s0 tclass=unix_stream_socket permissive=0 app=com.android.omadm.service Bug: 119871368 Test: Verify OMADM log can be added to the bugreport and avc denied issues were fixed Change-Id: Ie043bd4b90da865a39624956324abd7b7c11cb5a --- sepolicy/vendor/omadm.te | 10 ++++++++++ sepolicy/vendor/seapp_contexts | 3 +++ 2 files changed, 13 insertions(+) create mode 100644 sepolicy/vendor/omadm.te (limited to 'sepolicy') 
diff --git a/sepolicy/vendor/omadm.te b/sepolicy/vendor/omadm.te
new file mode 100644
index 00000000..dadb4d96
--- /dev/null
+++ b/sepolicy/vendor/omadm.te
@@ -0,0 +1,10 @@
+# OMADM app
+type omadm_app, domain;
+
+app_domain(omadm_app)
+net_domain(omadm_app)
+
+allow omadm_app app_api_service:service_manager find;
+allow omadm_app radio_vendor_data_file:dir rw_dir_perms;
+allow omadm_app radio_vendor_data_file:file create_file_perms;
+allow omadm_app radio_service:service_manager find;
diff --git a/sepolicy/vendor/seapp_contexts b/sepolicy/vendor/seapp_contexts
index 8475db15..68ba5857 100644
--- a/sepolicy/vendor/seapp_contexts
+++ b/sepolicy/vendor/seapp_contexts
@@ -30,3 +30,6 @@ user=_app seinfo=easel name=com.google.android.imaging.easel.service domain=ease
 
 #Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+#Domain for omadm
+user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
-- cgit v1.2.3
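Review bot: The two `radio_vendor_data_file` rules in omadm.te grant an app domain `rw_dir_perms` and `create_file_perms` over the whole radio vendor data label, so the OMADM app can create, rewrite and unlink any file the vendor radio components keep under that label, which is more than "write OMADM logs" needs. Least privilege would be to give the OMADM log directory its own file type via a file_contexts entry and grant only that, e.g. `allow omadm_app <OMADM_LOG_TYPE_PLACEHOLDER>:dir rw_dir_perms;` and `allow omadm_app <OMADM_LOG_TYPE_PLACEHOLDER>:file create_file_perms;` (type name to be chosen by the author), keeping the shared label out of the app's reach. The `app_api_service` find rule may already be covered by the platform's appdomain rules, so it is worth checking whether it is redundant here. Each allow line should also carry a one-line reason tied to the denial it fixes, e.g. `# isub lookup (radio_service find denial, Bug: 119871368)` above the last rule, so later reviewers can tell which grants are still needed.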
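Review bot: The added seapp_contexts comment `#Domain for omadm` does not say which package is being placed in the domain or what the `isPrivApp=true seinfo=platform` selectors imply, and since the domain is a full-privilege vendor domain that is the key fact for a reviewer. A more useful comment would be `#Domain for OMADM (com.android.omadm.service); only matches a platform-signed priv-app`, mirroring the connectivity monitor entry above it. The selectors themselves look consistent with the neighbouring entry, so this is a documentation point only.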