authorTreehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com>2023-09-18 04:08:10 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2023-09-18 04:08:10 +0000
commit11a443f3f26e9a514c9cf57359e555f071cc9989 (patch)
tree900f371f77bf5fbc33f547d775d39a083f670bde
parent57547357d94f7d5615463d4c551526563d97a38e (diff)
parent502fd30697355355b8da02e6af176a7ee9c9ec17 (diff)
downloadgs101-sepolicy-11a443f3f26e9a514c9cf57359e555f071cc9989.tar.gz
Merge "Move coredomain seapp ctx and types to system_ext" into main
-rw-r--r--system_ext/private/con_monitor.te7
-rw-r--r--system_ext/private/hbmsvmanager_app.te11
-rw-r--r--system_ext/private/seapp_contexts6
-rw-r--r--system_ext/public/con_monitor.te2
-rw-r--r--system_ext/public/hbmsvmanager_app.te1
-rw-r--r--whitechapel/vendor/google/con_monitor.te11
-rw-r--r--whitechapel/vendor/google/hbmsvmanager_app.te15
-rw-r--r--whitechapel/vendor/google/seapp_contexts6
8 files changed, 27 insertions, 32 deletions
diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te
new file mode 100644
index 0000000..c68ec1f
--- /dev/null
+++ b/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 0000000..6f5ff7a
--- /dev/null
+++ b/system_ext/private/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
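Review bot: The two `proc_vendor_sched` rules give a platform-signed app write access to what the type name suggests are vendor scheduler tunables, and nothing in the new file says which feature needs it. A one-line comment above them naming the reason would let an auditor judge whether `w_file_perms` on the whole type is the narrowest grant that works. Separately, `app_domain(hbmsvmanager_app);` keeps a trailing semicolon that `app_domain(con_monitor_app)` in system_ext/private/con_monitor.te does not have; dropping it would make the two new files consistent.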
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 8c2178a..6ac7149 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -1,2 +1,8 @@
# Domain for EuiccGoogle
user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
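Review bot: The HbmSVManager selector matches on `seinfo=platform` and the package name only, whereas the connectivity monitor entry above it also requires `isPrivApp=true`. Both still require the platform signature, so this is a tightening rather than a bug. If the package ships under priv-app, adding `isPrivApp=true` would keep a platform-signed build installed elsewhere from being placed in the coredomain `hbmsvmanager_app` domain. The line is carried over unchanged from the vendor file, so the install location needs confirming before changing it.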
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 0000000..6a4d1da
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
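Review bot: Declaring `con_monitor_app` in system_ext/public makes the type part of what vendor policy may reference, and whitechapel/vendor/google/con_monitor.te still does. The same holds for `hbmsvmanager_app` in system_ext/public/hbmsvmanager_app.te. A comment saying so would warn the next editor that renaming or removing the type breaks vendor policy, for example `# Public: vendor policy still grants this domain access to vendor types.` The hbmsvmanager file also lacks the one-line header its sibling has; `# HbmSVManager app` would match.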
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 0000000..4fcf2bd
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te
index ab17c82..32c2056 100644
--- a/whitechapel/vendor/google/con_monitor.te
+++ b/whitechapel/vendor/google/con_monitor.te
@@ -1,13 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-# TODO(b/296512193): move con_monitor_app out of vendor sepolicy
-typeattribute con_monitor_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
allow con_monitor_app radio_vendor_data_file:file create_file_perms;
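Review bot: After this change the file holds only the two `radio_vendor_data_file` rules, and the header comment and TODO(b/296512193) are gone. A reader of this file no longer sees where `con_monitor_app` is declared, or that the domain being granted directory write and file create on vendor radio data is a coredomain app. A header such as `# con_monitor_app is declared in system_ext; only rules on vendor types remain here.` would keep the split policy auditable. whitechapel/vendor/google/hbmsvmanager_app.te ends up in the same state with its `hal_pixel_display_service` and `binder_call` rules.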
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
index 2acbaa8..bbedea8 100644
--- a/whitechapel/vendor/google/hbmsvmanager_app.te
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -1,17 +1,2 @@
-type hbmsvmanager_app, domain, coredomain;
-
-# TODO(b/296512193): move hbmsvmanager_app out of vendor sepolicy
-typeattribute hbmsvmanager_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index ed5f5d7..4db2b0e 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -24,9 +24,6 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d
# grilservice
user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
# Hardware Info Collection
user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
@@ -36,9 +33,6 @@ user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=o
# Modem Diagnostic System
user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
# RIL Config Service
user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file