From 841d10981e879dfe295de792b2309626c128ee34 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 8 Apr 2020 18:35:40 +0200
Subject: [PATCH] common: Add cbd service

Change-Id: Ieb839870180262cc233678f91804f95ee051ddc3
---
 common/vendor/cbd.te | 63 +++++++++++++++++++++++++++++++++
 common/vendor/device.te | 1 +
 common/vendor/file.te | 4 +++
 common/vendor/file_contexts | 11 ++++++
 common/vendor/property.te | 4 +++
 common/vendor/property_contexts | 3 ++
 6 files changed, 86 insertions(+)
 create mode 100644 common/vendor/cbd.te
 create mode 100644 common/vendor/property.te
 create mode 100644 common/vendor/property_contexts
diff --git a/common/vendor/cbd.te b/common/vendor/cbd.te
new file mode 100644
index 0000000..b3fb0e1
--- /dev/null
+++ b/common/vendor/cbd.te
@@ -0,0 +1,63 @@
+# cbd.te
+
+type cbd, domain;
+type cbd_exec, exec_type, vendor_file_type, file_type;
+
+allow cbd self:capability setuid;
+
+# cbd is started by init, type transit from init domain to cbd domain
+init_daemon_domain(cbd)
+
+# /dev/block/
+allow cbd block_device:dir search;
+
+# /data/vendor/log
+allow cbd log_vendor_data_file:dir search;
+
+# /data/vendor/log/cbd
+allow cbd log_cbd_vendor_data_file:dir create_dir_perms;
+allow cbd log_cbd_vendor_data_file:file create_file_perms;
+
+# /dev/block/platform/.+/by-name/radio
+allow cbd radio_block_device:blk_file r_file_perms;
+
+# /dev/kmsg
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+# /dev/umts_*
+allow cbd vendor_radio_device:chr_file rw_file_perms;
+
+# /mnt/vendor/
+allow cbd mnt_vendor_file:dir search;
+
+# /mnt/vendor/efs/
+allow cbd efs_file:dir r_dir_perms;
+
+# /mnt/vendor/efs/factory.prop
+allow cbd efs_file:file r_file_perms;
+
+# /mnt/vendor/efs/nv_data.bin
+allow cbd bin_nv_data_efs_file:file r_file_perms;
+
+# /proc/cmdline
+allow cbd proc_cmdline:file r_file_perms;
+
+# /sys/power/wake_unlock
+allow cbd sysfs_wake_lock:file rw_file_perms;
+
+# /sys/devices/platform/10000.mif_pdata/sim/
+allow cbd sysfs_sim:dir r_dir_perms;
+allow cbd sysfs_sim:file r_file_perms;
+
+# /sys/devices/platform/10000.mif_pdata/sim/ds_detect
+allow cbd sysfs_sim_writable:file rw_file_perms;
+
+# kernel log
+allow cbd kernel:system syslog_read;
+
+# vendor.cbd.
+set_prop(cbd, vendor_cbd_prop)
+
+# FIXME: Can we be more specific?
+allow cbd vendor_shell_exec:file execute_no_trans;
+# FIXME END
diff --git a/common/vendor/device.te b/common/vendor/device.te
index 4a4a52c..1ebf5ad 100644
--- a/common/vendor/device.te
+++ b/common/vendor/device.te
@@ -11,3 +11,4 @@ type sec_efs_block_device, dev_type;
 type fp_sensor_device, dev_type;
 type io_device, dev_type;
 type ssp_device, dev_type;
+type vendor_radio_device, dev_type;
diff --git a/common/vendor/file.te b/common/vendor/file.te
index 54a685c..9136362 100644
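Review bot: The rule under `# FIXME: Can we be more specific?` grants `execute_no_trans` on `vendor_shell_exec`, so cbd can run the vendor shell inside its own domain and anything that shell does runs with every allow rule above it, including the `setuid` capability, read/write on `vendor_radio_device` and write access to the cbd log directory. If cbd only needs one helper script, give that script its own exec type (or a domain transition) and drop the shell rule; if the shell really is required, replace the placeholder with a comment naming the caller and the script, e.g. `# cbd runs <script path> via /vendor/bin/sh — TODO narrow to a dedicated exec type`, so a later reviewer can judge it. Separately, `sysfs_sim` and `sysfs_sim_writable` are declared in file.te (the second and third hunks of that file), but no labeling rule for the `/sys/devices/platform/10000.mif_pdata/sim/` paths named in the comments appears anywhere in this patch, so unless a genfs_contexts entry exists elsewhere the three sysfs_sim allow rules are inert and those nodes keep the generic `sysfs` label.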
--- a/common/vendor/file.te
+++ b/common/vendor/file.te
@@ -3,6 +3,8 @@
 ### DATA
 type biometrics_vendor_data_file, file_type, data_file_type;
 type conn_vendor_data_file, file_type, data_file_type;
+type log_vendor_data_file, file_type, data_file_type;
+type log_cbd_vendor_data_file, file_type, data_file_type;
 type wifi_vendor_data_file, file_type, data_file_type;
 
 # EFS
@@ -24,6 +26,7 @@ type sysfs_input, sysfs_type, r_fs_type, fs_type;
 type sysfs_sec_key, sysfs_type, r_fs_type, fs_type;
 type sysfs_sec_sensors, sysfs_type, r_fs_type, fs_type;
 type sysfs_sec_touchscreen, sysfs_type, r_fs_type, fs_type;
+type sysfs_sim, sysfs_type, r_fs_type, fs_type;
 type sysfs_sensors, sysfs_type, r_fs_type, fs_type;
 type sysfs_wifi, sysfs_type, r_fs_type, fs_type;
 
@@ -32,6 +35,7 @@ type sysfs_battery_writable, sysfs_type, rw_fs_type, fs_type;
 type sysfs_lcd_writable, sysfs_type, rw_fs_type, fs_type;
 type sysfs_power_writable, sysfs_type, rw_fs_type, fs_type;
 type sysfs_sensors_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_sim_writable, sysfs_type, rw_fs_type, fs_type;
 type sysfs_spi_writeable, sysfs_type, rw_fs_type, fs_type;
 type sysfs_touchscreen_writable, sysfs_type, rw_fs_type, fs_type;
 type sysfs_wifi_writable, sysfs_type, rw_fs_type, fs_type;
diff --git a/common/vendor/file_contexts b/common/vendor/file_contexts
index 329c8c7..80eb20f 100644
--- a/common/vendor/file_contexts
+++ b/common/vendor/file_contexts
@@ -4,6 +4,8 @@
 /data/vendor/biometrics(/.*)? u:object_r:biometrics_vendor_data_file:s0
 /data/vendor/conn(/.*)? u:object_r:conn_vendor_data_file:s0
 /data/vendor/wifi(/.*)? u:object_r:wifi_vendor_data_file:s0
+/data/vendor/log(/.*)? u:object_r:log_vendor_data_file:s0
+/data/vendor/log/cbd(/.*)? u:object_r:log_cbd_vendor_data_file:s0
 
 ### DEV
 /dev/block/platform/.+/by-name/cache u:object_r:cache_block_device:s0
@@ -23,6 +25,13 @@
 
 /dev/batch_io u:object_r:io_device:s0
 /dev/ssp_sensorhub u:object_r:ssp_device:s0
+/dev/umts_boot0 u:object_r:vendor_radio_device:s0
+/dev/umts_cass u:object_r:vendor_radio_device:s0
+/dev/umts_ipc[0-1] u:object_r:vendor_radio_device:s0
+/dev/umts_dm0 u:object_r:vendor_radio_device:s0
+/dev/umts_rfs0 u:object_r:vendor_radio_device:s0
+/dev/umts_router u:object_r:vendor_radio_device:s0
+
 ### EFS
 /efs/DAK(/.*)? u:object_r:prov_efs_file:s0
 /efs/afc(/.*)? u:object_r:sec_efs_file:s0
@@ -51,6 +60,8 @@
 /mnt/vendor/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
 
 ### VENDOR
+/(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0
+
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@[0-9].[0-9]-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@[0-9].[0-9]-service\.samsung u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@[0-9].[0-9]-service\.exynos u:object_r:hal_power_default_exec:s0
diff --git a/common/vendor/property.te b/common/vendor/property.te
new file mode 100644
index 0000000..74abbb8
--- /dev/null
+++ b/common/vendor/property.te
@@ -0,0 +1,4 @@
+# property.te
+
+type vendor_cbd_prop, property_type;
+type vendor_radio_prop, property_type;
diff --git a/common/vendor/property_contexts b/common/vendor/property_contexts
new file mode 100644
index 0000000..3fb4917
--- /dev/null
+++ b/common/vendor/property_contexts
@@ -0,0 +1,3 @@
+### cbd
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd. u:object_r:vendor_radio_prop:s0
-- 
2.20.1
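Review bot: In property_contexts the `persist.vendor.cbd.` prefix is labeled `vendor_radio_prop`, but cbd.te only grants `set_prop(cbd, vendor_cbd_prop)`, so a write by cbd to any persist.vendor.cbd.* property is denied while the non-persistent `vendor.cbd.` prefix succeeds. If cbd is meant to own both prefixes, label the persisted one `vendor_cbd_prop` (or add `set_prop(cbd, vendor_radio_prop)`); if another domain owns the persisted values, say so under the `### cbd` heading, e.g. `# persist.vendor.cbd.* is set by <owning domain>; cbd does not write it`. Note also that `vendor_radio_prop` is declared in property.te but nothing in this patch grants any domain access to it, so unless a rule elsewhere does, the persisted prefix is currently unwritable by any vendor daemon.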