Ensure treble compliance for time-service

- Use /data/vendor/time instead of /data/time
- Use /persist/time instead of /persist
- Allow vendor to vendor socket communication

Bug: 62184939
Bug: 62256376
Change-Id: Ia1c27cf3dfa393abcbf860249da8e7669c359ad9

init.hardware.rc

@@ -404,7 +404,7 @@ on boot
 
     # Required for time_daemon
     mkdir /persist/time 0770 system system
-    mkdir /data/time/ 0700 system system
+    mkdir /data/vendor/time 0700 system system
 
     # default country code
     setprop ro.boot.wificountrycode 00

sepolicy/vendor/file.te

@@ -59,6 +59,7 @@ type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject;
 type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
 type modem_dump_file, file_type, data_file_type;
 type ese_vendor_data_file, file_type, data_file_type;
+type time_vendor_data_file, file_type, data_file_type;
 
 type vendor_firmware_file, vendor_file_type, file_type;
 

sepolicy/vendor/file_contexts

@@ -303,6 +303,8 @@
 /data/vendor/modem_dump(/.*)?          u:object_r:modem_dump_file:s0
 /data/vendor/ese(/.*)?                 u:object_r:ese_vendor_data_file:s0
 /data/vendor/ipa(/.*)?                 u:object_r:ipacm_vendor_data_file:s0
+/data/vendor/time(/.*)?                u:object_r:time_vendor_data_file:s0
+
 # /
 /tombstones             u:object_r:rootfs:s0
 /dsp                    u:object_r:rootfs:s0

sepolicy/vendor/seapp_contexts

@@ -17,3 +17,6 @@ user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_i
 
 # Use a custom domain for GoogleCamera, to allow for Hexagon DSP access
 user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=user
+
+#Needed for time service apk
+user=system seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=system_app_data_file

sepolicy/vendor/system_app.te

@@ -1,3 +1,3 @@
 # Needed by Settings app's TelephonyMonitorPreferenceController, available only on a subset of
 # userdebug and eng devices
-userdebug_or_eng(`set_prop(system_app, tel_mon_prop)')
+userdebug_or_eng(`set_prop(system_app, tel_mon_prop)')

sepolicy/vendor/time_daemon.te

@@ -15,8 +15,14 @@ allow time_daemon sysfs_soc:file r_file_perms;
 # Set sys.time.set property
 set_prop(time_daemon, sys_time_prop);
 
-allow time_daemon persist_file:dir w_dir_perms;
-allow time_daemon persist_file:file rw_file_perms;
+allow time_daemon persist_time_file:dir w_dir_perms;
+allow time_daemon persist_time_file:file create_file_perms;
+allow time_daemon persist_time_file:dir search;
+
+allow time_daemon persist_file:dir search;
+
+allow time_daemon time_vendor_data_file:dir w_dir_perms;
+allow time_daemon time_vendor_data_file:file create_file_perms;
 
 allow time_daemon persist_time_file:dir w_dir_perms;
 allow time_daemon persist_time_file:file create_file_perms;

sepolicy/vendor/timeservice_app.te

@@ -0,0 +1,6 @@
+type timeservice_app, domain;
+app_domain(timeservice_app);
+
+allow timeservice_app app_api_service:service_manager find;
+allow timeservice_app system_app_data_file:dir { search getattr };
+allow timeservice_app time_daemon:unix_stream_socket connectto;