From a7d6f83b007f853b290734c4c52caa87176fb4cb Mon Sep 17 00:00:00 2001
From: Aayush Gupta
Date: Sat, 2 Jan 2021 14:14:55 +0530
Subject: [PATCH] non_plat: Label wfca binary and grant required permissions

Signed-off-by: Aayush Gupta
Change-Id: I22832543e458ad1e3cc597911b8af347c92ccda5
---
 non_plat/file.te | 1 +
 non_plat/file_contexts | 2 ++
 non_plat/wfca.te | 22 ++++++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 non_plat/wfca.te

diff --git a/non_plat/file.te b/non_plat/file.te
index 1dc55b4..c9791cb 100644
--- a/non_plat/file.te
+++ b/non_plat/file.te
@@ -450,3 +450,4 @@ type vendor_teei_data_file, file_type, data_file_type;
 # IMS
 type volte_ua_socket, file_type;
 type volte_imcb_socket, file_type;
+type wfca_socket, file_type;
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index d2cc05e..1838825 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -714,9 +714,11 @@
 # IMS
 /dev/socket/volte_ua(/.*)? u:object_r:volte_ua_socket:s0
 /dev/socket/volte_imcb(/.*)? u:object_r:volte_imcb_socket:s0
+/dev/socket/wfca(/.*)? u:object_r:wfca_socket:s0
 /(system\/vendor|vendor)/bin/bip u:object_r:bip_exec:s0
 /(system\/vendor|vendor)/bin/epdg_wod u:object_r:epdg_wod_exec:s0
 /(system\/vendor|vendor)/bin/volte_imsm_93 u:object_r:volte_imsm_93_exec:s0
 /(system\/vendor|vendor)/bin/volte_md_status u:object_r:volte_md_status_exec:s0
 /(system\/vendor|vendor)/bin/volte_ua u:object_r:volte_ua_exec:s0
 /(system\/vendor|vendor)/bin/volte_imcb u:object_r:volte_imcb_exec:s0
+/(system\/vendor|vendor)/bin/wfca u:object_r:wfca_exec:s0
diff --git a/non_plat/wfca.te b/non_plat/wfca.te
new file mode 100644
index 0000000..91c9bb2
--- /dev/null
+++ b/non_plat/wfca.te
@@ -0,0 +1,22 @@
+type wfca, domain, netdomain, mtkimsmddomain;
+type wfca_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(wfca)
+
+allow wfca wfca_socket:sock_file write;
+
+allow wfca self:capability2 block_suspend;
+allow wfca self:capability { setgid setuid net_admin net_raw };
+allow wfca self:udp_socket { ioctl read write create getattr bind setopt shutdown };
+allow wfca self:rawip_socket { read write create getattr bind setopt };
+allow wfca self:packet_socket { read create setopt };
+
+allow wfca socket_device:sock_file { write create unlink };
+allow wfca socket_device:dir { write add_name remove_name };
+
+allow wfca { node port }:{ udp_socket rawip_socket } node_bind;
+allow wfca fwmarkd_socket:sock_file write;
+allow wfca ccci_device:chr_file { ioctl read write open };
+allow wfca sysfs_wake_lock:file { read write open };
+
+dontaudit wfca self:capability dac_override;
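Review bot: The two `socket_device` rules in wfca.te let wfca write, create and unlink any socket node that still carries the generic `socket_device` label in /dev/socket, not just its own, and a socket it creates there would keep that generic label rather than the `wfca_socket` type added in file.te and file_contexts unless something relabels it. If the daemon does create its socket at runtime (not visible in this patch), a type transition scopes this to its own type: `file_type_auto_trans(wfca, socket_device, wfca_socket)` plus `allow wfca socket_device:dir remove_name;` in place of the `socket_device:sock_file` rule. If init creates the socket from the service definition instead, the `socket_device` rules can likely be dropped altogether. A short comment above the `self:capability` line saying which operation needs `setuid`/`setgid` and `net_admin`/`net_raw` would help the next audit of this domain.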