From 8f84cc32a8c6cc9ceaf2f2e504f51563674ffa23 Mon Sep 17 00:00:00 2001
From: Roshan Pius
Date: Wed, 19 Feb 2020 06:59:53 -0800
Subject: [PATCH] sepolicy(wifi): Allow wifi service access to wifi apex directories

Bug: 148660313
Test: Compiles
Change-Id: I4a973c4516fda5f96f17f82cd3a424b0ca89004b
---
 private/apexd.te | 2 ++
 private/compat/29.0/29.0.ignore.cil | 1 +
 private/file_contexts | 3 +++
 private/system_server.te | 2 ++
 private/vold_prepare_subdirs.te | 2 ++
 public/file.te | 1 +
 6 files changed, 11 insertions(+)

diff --git a/private/apexd.te b/private/apexd.te
index 36b799903..9e702dd91 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -18,6 +18,8 @@ allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
 allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
 allow apexd apex_rollback_data_file:dir create_dir_perms;
 allow apexd apex_rollback_data_file:file create_file_perms;
+allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
 
 # Allow apexd to read directories under /data/misc_de in order to snapshot and
 # restore apex data for all users.
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 4419ff2fc..ea3c6b0ee 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -11,6 +11,7 @@
 apex_module_data_file
 apex_permission_data_file
 apex_rollback_data_file
+ apex_wifi_data_file
 app_integrity_service
 app_search_service
 auth_service
diff --git a/private/file_contexts b/private/file_contexts
index d459cf284..e95a1af94 100644
--- a/private/file_contexts
+++ b/private/file_contexts
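Review bot: In the private/apexd.te hunk, the two added rules give apexd `create_file_perms` as well as `relabelto` on apex_wifi_data_file, and no comment says why apexd needs to create and write files of this type. They sit directly under the apex_rollback_data_file rules, so they read as part of that group. A line such as `# apexd creates and relabels apexdata/com.android.wifi and snapshots it for rollback` would make the grant auditable; that purpose is inferred from the neighbouring snapshot comment and should be confirmed by the author. If apexd only creates and labels the directory, the file rule could be narrowed to the relabel and read permissions it actually uses.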
@@ -514,6 +514,7 @@
 /data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
 /data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
 /data/misc/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
 /data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)? u:object_r:radio_data_file:s0
 /data/misc/audio(/.*)? u:object_r:audio_data_file:s0
@@ -605,6 +606,8 @@
 /data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
 /data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
 /data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
 
 # Apex rollback directories
 /data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index ef527fd94..ad22085eb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1096,6 +1096,8 @@ allow system_server vendor_apex_file:file r_file_perms;
 allow system_server apex_module_data_file:dir { getattr search };
 allow system_server apex_permission_data_file:dir create_dir_perms;
 allow system_server apex_permission_data_file:file create_file_perms;
+allow system_server apex_wifi_data_file:dir create_dir_perms;
+allow system_server apex_wifi_data_file:file create_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 157ee5571..f3ec05859 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
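Review bot: In the private/system_server.te hunk, the new rules give the whole system_server domain `create_dir_perms` and `create_file_perms` on apex_wifi_data_file, but nothing in this patch prevents a later change from granting the same type to other domains. If the directory holds the wifi service's stored network configuration (inferred from the commit subject, not visible here), a guard in private policy would pin the set of readers, along the lines of `neverallow { domain -init -apexd -system_server -vold_prepare_subdirs } apex_wifi_data_file:file no_rw_file_perms;`. The exclusion list in that line is a guess and must be adjusted to the domains the build really needs. A comment above the two allow lines, such as `# Allow the wifi service to manage its data under apexdata/com.android.wifi`, would also separate them from the permission-module rules just above.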
@@ -17,6 +17,7 @@ allow vold_prepare_subdirs {
 apex_module_data_file
 apex_permission_data_file
 apex_rollback_data_file
+ apex_wifi_data_file
 backup_data_file
 face_vendor_data_file
 fingerprint_vendor_data_file
@@ -29,6 +30,7 @@ allow vold_prepare_subdirs {
 apex_module_data_file
 apex_permission_data_file
 apex_rollback_data_file
+ apex_wifi_data_file
 backup_data_file
 face_vendor_data_file
 fingerprint_vendor_data_file
diff --git a/public/file.te b/public/file.te
index 1f8dacc7c..1420637b3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -352,6 +352,7 @@ type adb_keys_file, file_type, data_file_type, core_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
 type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
 type audio_data_file, file_type, data_file_type, core_data_file_type;
 type audioserver_data_file, file_type, data_file_type, core_data_file_type;
 type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
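Review bot: In the public/file.te hunk, apex_wifi_data_file is declared in public policy, which makes the type name available to vendor policy even though every rule that uses it in this patch lives under private/. If no vendor domain is meant to reference it, declaring it in the private policy would keep the surface smaller. The sibling apex_*_data_file types are declared here as well, so this may be deliberate for consistency; either way a comment such as `# /data/misc*/apexdata/com.android.wifi, owned by the wifi module` next to the declaration would record what the type labels.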