From fb15c9f12f2cd7250fd9566b234831175e0600be Mon Sep 17 00:00:00 2001
From: Chalard Jean <jchalard@google.com>
Date: Wed, 5 Dec 2018 14:47:51 +0900
Subject: [PATCH] Add sepolicy for IpMemoryStoreService

Bug: 116512211
Test: Builds, boots, including upcoming changes needing this
Change-Id: I6f119368c5a4f7ac6c0325915dff60124c5a6399
---
 private/app.te                      | 3 +++
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/compat/28.0/28.0.ignore.cil | 1 +
 private/service_contexts            | 1 +
 private/system_app.te               | 1 +
 public/service.te                   | 1 +
 public/traceur_app.te               | 1 +
 8 files changed, 10 insertions(+)

diff --git a/private/app.te b/private/app.te
index ffe6598d6..876406ffe 100644
--- a/private/app.te
+++ b/private/app.te
@@ -23,3 +23,6 @@ neverallow { appdomain -shell userdebug_or_eng(`-su') }
     { domain -appdomain -crash_dump -rs }:process { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
     { domain -appdomain }:process { dyntransition };
+
+# Disallow apps from using IP memory store
+neverallow { appdomain -shell } ipmemorystore_service:service_manager *;
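Review bot: The comment on the new neverallow says apps are disallowed from using the IP memory store, but the rule subtracts `shell` without giving a reason. Because the rule covers `*`, shell is left outside the assertion for `add` as well as `find`. If the exemption exists only so that shell's broad service lookup grant keeps compiling (presumably for debugging tools), the comment should say so, e.g. `# Disallow apps from using IP memory store; shell is exempt only for its generic service find access.` It may also be worth asserting `add` separately with no exemption, `neverallow appdomain ipmemorystore_service:service_manager add;`, if no existing rule already covers that.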
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 91724c079..351ed54eb 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -102,6 +102,7 @@
     iorapd_exec
     iorapd_service
     iorapd_tmpfs
+    ipmemorystore_service
     kmsg_debug_device
     last_boot_reason_prop
     llkd
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ff1c85781..da1eaa9de 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -93,6 +93,7 @@
     iorapd_exec
     iorapd_service
     iorapd_tmpfs
+    ipmemorystore_service
     last_boot_reason_prop
     llkd
     llkd_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 58e936c31..b6b57dfb8 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -47,6 +47,7 @@
     heapprofd_prop
     heapprofd_socket
     idmap_service
+    ipmemorystore_service
     iris_service
     iris_vendor_data_file
     llkd
diff --git a/private/service_contexts b/private/service_contexts
index 51980ad76..fe2519135 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -82,6 +82,7 @@ iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
 imms                                      u:object_r:imms_service:s0
+ipmemorystore                             u:object_r:ipmemorystore_service:s0
 ipsec                                     u:object_r:ipsec_service:s0
 iris                                      u:object_r:iris_service:s0
 isms_msim                                 u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index ed19b82f5..39af1e635 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -74,6 +74,7 @@ allow system_app {
   -dumpstate_service
   -installd_service
   -iorapd_service
+  -ipmemorystore_service
   -netd_service
   -virtual_touchpad_service
   -vold_service
diff --git a/public/service.te b/public/service.te
index cc1bc9f33..9ddc7a468 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,6 +101,7 @@ type hdmi_control_service, system_api_service, system_server_service, service_ma
 type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipmemorystore_service, system_server_service, service_manager_type;
 type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type iris_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
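Review bot: The new `ipmemorystore_service` declaration carries only `system_server_service`, which keeps it out of the app-facing attributes but not out of attribute-wide grants. Any domain allowed `find` on the whole `system_server_service` attribute still picks it up unless it subtracts the type, as the system_app and traceur_app hunks do. The neverallow added in private/app.te catches such grants only for `appdomain`; non-app domains with a similar attribute-wide grant are not visible in this diff and would be worth checking. A short comment on the declaration such as `# Not app-accessible; enforced by neverallow in private/app.te` would record the intent.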
diff --git a/public/traceur_app.te b/public/traceur_app.te
index aea13ef70..0bce88536 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -11,6 +11,7 @@ allow traceur_app {
   -gatekeeper_service
   -incident_service
   -installd_service
+  -ipmemorystore_service
   -iorapd_service
   -netd_service
   -virtual_touchpad_service
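Review bot: `-ipmemorystore_service` is inserted before `-iorapd_service`, which breaks the alphabetical order the visible part of this exclusion list follows. The same entry in private/system_app.te is placed after `-iorapd_service`. Moving the line one position down keeps the two lists aligned, which makes a missing exclusion easier to spot when they are compared. The `allow traceur_app { ... }` block opens before and closes after this hunk, so the rest of the list is not visible here.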
-- 
GitLab