From cdddc5171c5ff8b1c2cbc496956f38204260926b Mon Sep 17 00:00:00 2001 From: Naveen Kalla Date: Tue, 8 Aug 2017 16:47:51 -0700 Subject: [PATCH] Add selinux domain for verizon OBDM app Bug: 64546277 Test: Build and carrier testing Change-Id: Ia2a996e6e726765b7452ee369f770acf295430c5 --- BoardConfig.mk | 1 + sepolicy/verizon/keys.conf | 2 ++ sepolicy/verizon/mac_permissions.xml | 6 ++++++ sepolicy/verizon/obdm_app.te | 19 +++++++++++++++++++ sepolicy/verizon/seapp_contexts | 3 +++ sepolicy/verizon/verizon.x509.pem | 21 +++++++++++++++++++++ 6 files changed, 52 insertions(+) create mode 100644 sepolicy/verizon/keys.conf create mode 100644 sepolicy/verizon/mac_permissions.xml create mode 100644 sepolicy/verizon/obdm_app.te create mode 100644 sepolicy/verizon/seapp_contexts create mode 100644 sepolicy/verizon/verizon.x509.pem diff --git a/BoardConfig.mk b/BoardConfig.mk index 0e1f2e6b..fea92c99 100644 --- a/BoardConfig.mk +++ b/BoardConfig.mk @@ -84,6 +84,7 @@ BOARD_ROOT_EXTRA_FOLDERS := persist firmware metadata BOARD_SEPOLICY_DIRS += device/google/wahoo/sepolicy/vendor BOARD_PLAT_PUBLIC_SEPOLICY_DIR := device/google/wahoo/sepolicy/public BOARD_PLAT_PRIVATE_SEPOLICY_DIR := device/google/wahoo/sepolicy/private +BOARD_SEPOLICY_DIRS += device/google/wahoo/sepolicy/verizon TARGET_ANDROID_FILESYSTEM_CONFIG_H := device/google/wahoo/android_filesystem_config.h diff --git a/sepolicy/verizon/keys.conf b/sepolicy/verizon/keys.conf new file mode 100644 index 00000000..bc5298e9 --- /dev/null +++ b/sepolicy/verizon/keys.conf @@ -0,0 +1,2 @@ +[@VERIZON] +ALL : device/google/wahoo/sepolicy/verizon/verizon.x509.pem diff --git a/sepolicy/verizon/mac_permissions.xml b/sepolicy/verizon/mac_permissions.xml new file mode 100644 index 00000000..770f40a6 --- /dev/null +++ b/sepolicy/verizon/mac_permissions.xml @@ -0,0 +1,6 @@ + + + + + + diff --git a/sepolicy/verizon/obdm_app.te b/sepolicy/verizon/obdm_app.te new file mode 100644 index 00000000..c8abf8b0 --- /dev/null 
+++ b/sepolicy/verizon/obdm_app.te
@@ -0,0 +1,19 @@
+type obdm_app, domain, coredomain;
+
+app_domain(obdm_app)
+net_domain(obdm_app)
+
+r_dir_file(obdm_app, proc)
+
+# talk to /dev/diag
+allow obdm_app diag_device:chr_file rw_file_perms;
+
+allow obdm_app app_api_service:service_manager find;
+allow obdm_app radio_service:service_manager find;
+allow obdm_app surfaceflinger_service:service_manager find;
+
+allow obdm_app self:socket create_socket_perms;
+allowxperm obdm_app self:socket ioctl { 0x0000c302 0x0000c304 };
+
+allow obdm_app sysfs:dir r_dir_perms;
+r_dir_file(obdm_app, sysfs_msm_subsys)
diff --git a/sepolicy/verizon/seapp_contexts b/sepolicy/verizon/seapp_contexts
new file mode 100644
index 00000000..951fef36
--- /dev/null
+++ b/sepolicy/verizon/seapp_contexts
@@ -0,0 +1,3 @@
+# Verizon for OBDM tool
+user=_app seinfo=verizon name=com.verizon.obdm domain=obdm_app type=app_data_file levelFrom=all
+user=_app seinfo=verizon name=com.verizon.obdm:background domain=obdm_app type=app_data_file levelFrom=all
diff --git a/sepolicy/verizon/verizon.x509.pem b/sepolicy/verizon/verizon.x509.pem
new file mode 100644
index 00000000..a06efc24
--- /dev/null
+++ b/sepolicy/verizon/verizon.x509.pem
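Review bot: The rule `allow obdm_app diag_device:chr_file rw_file_perms;` in obdm_app.te gives an app domain read/write on /dev/diag in every build variant, since nothing in the file wraps it in `userdebug_or_eng()` and keys.conf maps the signing certificate under `ALL`. Entry to the domain is decided only by that certificate and the process name in seapp_contexts, so the diag interface ends up exactly as well protected as the carrier's signing key. If the tool does not have to run on user builds, wrap the rule in `userdebug_or_eng()`; if it does, replace `# talk to /dev/diag` with a comment that records why, for example `# user builds need /dev/diag for carrier OBDM diagnostics (Bug: 64546277)`. `r_dir_file(obdm_app, proc)` and `allow obdm_app sysfs:dir r_dir_perms;` cover the generic proc and sysfs labels and are worth narrowing to the specific types the app reads. The raw values in the `allowxperm` line also need a comment naming the ioctls they stand for.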
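Review bot: Both seapp_contexts entries select `domain=obdm_app` from `seinfo=verizon` and the process name alone, so any installed package that carries the Verizon signature and uses the name com.verizon.obdm is labelled into the domain, regardless of how it reached the device. If the OBDM package only ships preinstalled as a privileged app (this patch does not show where it is installed), adding `isPrivApp=true` to both lines would restrict the match to packages the system treats as privileged. The comment `# Verizon for OBDM tool` would be more useful as `# com.verizon.obdm and its :background process, signed with verizon.x509.pem (seinfo set in mac_permissions.xml)`.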
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDczCCAlugAwIBAgIEMzx+mzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJV +UzELMAkGA1UECBMCTkoxDzANBgNVBAcTBldhcnJlbjEZMBcGA1UEChMQVmVyaXpv +biBXaXJlbGVzczELMAkGA1UECxMCRFQxFDASBgNVBAMTC0RNQVQgQ2xpZW50MCAX +DTE2MTAxMTIxMzgzN1oYDzIxMTYwOTE3MjEzODM3WjBpMQswCQYDVQQGEwJVUzEL +MAkGA1UECBMCTkoxDzANBgNVBAcTBldhcnJlbjEZMBcGA1UEChMQVmVyaXpvbiBX +aXJlbGVzczELMAkGA1UECxMCRFQxFDASBgNVBAMTC0RNQVQgQ2xpZW50MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr8y6pz1KPVolO8wj02oWSzuLZHWg +HuatQ5RlbXFBqS9/ScPSw3t/Yt+jg2++VUG726qL7ydx8g3AzMktWHNkdhg6j8Dz +fkEMa/oqcr+VOAQyPw4X0xkUs6ICsEuULRaAwY1NwSVCrTuSlxzlmumbTCg+tp4Y +m2FXEct8VNayJcrLnTwl/IiYmFLNLLiZPrwqbSkMVfYbfxws7c2lVZI4qhIC7WWA +HW5PyhO3Vdhjoj4E1QzkyabtB6el3kfE0xIta1IHV2iJdoAlESjaj3UT1i9d+Twt +7DCsu/ZevIl/g/vwbYi2uqQuSs/a3/qeUcawvcQZR4vWHo/Gx8PyiTZHJwIDAQAB +oyEwHzAdBgNVHQ4EFgQUMytyC5Cq0A2kE99nyokx0kTzVH0wDQYJKoZIhvcNAQEL +BQADggEBAE8AexGFmzTp0ZGgRaiv80ONc5PVA12T7h2F5ZN1Yqg99yhpoS6kBIsw +EG149nIcgOnSYk7ukTcjfsKcbFaB7tV1dw6SUqjmsqLpzVxGI32/DVdIorfxwaHZ +dKjvlC9Yh1uDEipKuEzR+nXRnzMdMzEv6KOXeIXJxTHY/f538oPVuiXksdnjllmV +xL1waQrZzdS15hfeBpGlC0WXk9wMiBbJNfEqQ5/J0EaFu+zPk8R3VLQ8WvKcXPyK +30vZ56McQuwz2MT/gQxnR84LRXUhLGoWOr0MYFzOwhTso2vhIlEysGX+HtkEJh3L +Hc+p+viW7lz17QqvZmOxjb6atkRpOVY= +-----END CERTIFICATE-----