From 94d7f6cce6e8a19dd23966cefc603b4bbc689216 Mon Sep 17 00:00:00 2001
From: Jinting Lin
Date: Tue, 1 Mar 2022 12:00:15 +0000
Subject: [PATCH 1/7] Fix avc denied for slsi engineermode app log:
avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:platform_app:s0:c512,c768 pid=5111 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0
avc: denied { call } for comm="si.engineermode" scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=0 app=com.samsung.slsi.engineermode
avc: denied { call } for comm="HwBinder:1016_1" scontext=u:r:rild:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=binder permissive=0
avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=154 scontext=u:r:vendor_engineermode_app:s0:c225,c256,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.samsung.slsi.engineermode
Test: side load the trail build sepolicy, then check the app
Bug: 221482792
Change-Id: I84768ed128a2b8c57d6a3e0a0f0aa8c4d4b91857
---
 whitechapel_pro/rild.te | 1 +
 whitechapel_pro/seapp_contexts | 3 +++
 whitechapel_pro/vendor_engineermode_app.te | 12 ++++++++++++
 3 files changed, 16 insertions(+)
 create mode 100644 whitechapel_pro/vendor_engineermode_app.te
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index 89ed610d..d8c8c290 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -25,6 +25,7 @@ binder_call(rild, vendor_rcs_app)
 binder_call(rild, oemrilservice_app)
 binder_call(rild, hal_secure_element_uicc)
 binder_call(rild, grilservice_app)
+binder_call(rild, vendor_engineermode_app)
 
 # for hal service
 add_hwservice(rild, hal_exynos_rild_hwservice)
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 81577b60..88789fc7 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -14,6 +14,9 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=ve
 user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_network_test_app levelFrom=all
 
+# Samsung S.LSI engineer mode
+user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
+
 # Hardware Info Collection
 user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
 
diff --git a/whitechapel_pro/vendor_engineermode_app.te b/whitechapel_pro/vendor_engineermode_app.te
new file mode 100644
index 00000000..d35403a2
--- /dev/null
+++ b/whitechapel_pro/vendor_engineermode_app.te
@@ -0,0 +1,12 @@
+type vendor_engineermode_app, domain;
+app_domain(vendor_engineermode_app)
+
+binder_call(vendor_engineermode_app, rild)
+
+allow vendor_engineermode_app app_api_service:service_manager find;
+allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+userdebug_or_eng(`
+ dontaudit vendor_engineermode_app default_prop:file r_file_perms;
+')
+
From 2d43200489e87745566895c6ed72bbc9c4fdcbd7 Mon Sep 17 00:00:00 2001
From: Siddharth Kapoor
Date: Wed, 2 Mar 2022 17:03:34 +0800
Subject: [PATCH 2/7] Add libgpudataproducer as sphal
Bug: 222042714
Test: CtsGpuProfilingDataTestCases passes on User build
Signed-off-by: Siddharth Kapoor
Change-Id: I1997f3e66327486f15b1aa742aa8e82855b07e05
---
 whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index ec661202..b30cee19 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
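Review bot: The new seapp_contexts entry runs the app as `user=_app` while the two S.LSI entries directly above it use `user=system`; the denial quoted in the commit message (sid platform_app with categories) is consistent with a non-system UID, but nothing in the hunk says the difference is deliberate. Make the comment carry that, e.g. `# Samsung S.LSI engineer mode (platform-signed, regular app UID, hence levelFrom=all)`, so a later reader does not "fix" it to match its neighbours.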
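Review bot: `allow vendor_engineermode_app app_api_service:service_manager find;` grants discovery of every service carrying the app_api_service attribute, which is wider than any denial quoted in the commit message (only the hal_exynos_rild_hwservice find and the binder calls to rild appear there); either narrow it to the services the app actually uses or add a comment explaining why the whole attribute is required. The `dontaudit ... default_prop:file r_file_perms` sits inside `userdebug_or_eng`, so the quoted default_prop read denial is silenced only on debug builds and stays audited on user builds, the reverse of the usual pattern; a one-line comment on why the access is not needed and why only debug builds hide it would help, e.g. `# default_prop read is not required by the app; silence it on debug builds only`. The new file also has no header comment naming the app and why it gets its own domain rather than platform_app.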
@@ -60,6 +60,7 @@
 # Graphics
 /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
 
 # Vendor kernel modules
 /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
From 129ef29bc8f2c3524de13a9b2e9d8e22d5da4d77 Mon Sep 17 00:00:00 2001
From: Robert Lee
Date: Wed, 2 Mar 2022 14:45:47 +0800
Subject: [PATCH 3/7] Fix selinux error for aocd allow write permission to fix following error auditd : type=1400 audit(0.0:4): avc: denied { write } for comm="aocd" name="aoc" dev="tmpfs" ino=497 scontext=u:r:aocd:s0 tcontext=u:object_r:aoc_device:s0 tclass=chr_file permissive=0
Bug: 198490099
Test: no avc deny when enable no_ap_restart
Change-Id: I06dc99f1a5859589b33f89ce435745d15e2e5749
Signed-off-by: Robert Lee
---
 aoc/aocd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aoc/aocd.te b/aoc/aocd.te
index 79add165..69b0af0d 100644
--- a/aoc/aocd.te
+++ b/aoc/aocd.te
@@ -12,7 +12,7 @@ allow aocd sysfs_aoc:dir search;
 allow aocd sysfs_aoc_firmware:file w_file_perms;
 
 # dev operations
-allow aocd aoc_device:chr_file r_file_perms;
+allow aocd aoc_device:chr_file rw_file_perms;
 
 # allow inotify to watch for additions/removals from /dev
 allow aocd device:dir r_dir_perms;
From e95f5edafeff8816f386eb7ac83ecbc4a8c61b2b Mon Sep 17 00:00:00 2001
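Review bot: The comment above the changed rule still reads only `# dev operations`, while the commit message ties the added write permission on aoc_device to the no_ap_restart path; record that next to the rule so the widening from r_file_perms to rw_file_perms can be traced later, e.g. `# dev operations (write on aoc_device is needed when no_ap_restart is enabled)`. Note that rw_file_perms also brings append and lock, which the quoted denial did not ask for; presumably harmless on a character device, but worth a glance.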
From: Nishok Kumar S
Date: Thu, 24 Feb 2022 17:20:52 +0000
Subject: [PATCH 4/7] Allow camera HAL and GCA to access Aurora GXP device. The camera HAL and Google Camera App need selinux permission to run workloads on Aurora DSP. This change adds the selinux rules too allow these clients to access the GXP device and load firmware onto DSP cores in order to execute workloads on DSP.
Bug: 220086991
Test: Verified that the camera HAL service and GCA app is able to access the GXP device and load GXP firmware.
Change-Id: I1bd327cfbe5b37c88154acda54bf6c396e939289
---
 whitechapel_pro/device.te | 1 +
 whitechapel_pro/file_contexts | 3 +++
 whitechapel_pro/google_camera_app.te | 6 ++++++
 whitechapel_pro/hal_camera_default.te | 3 +++
 4 files changed, 13 insertions(+)
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index a5fc57c6..d327aa60 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -12,6 +12,7 @@ type lwis_device, dev_type;
 type logbuffer_device, dev_type;
 type rls_device, dev_type;
 type fingerprint_device, dev_type;
+type gxp_device, dev_type, mlstrustedobject;
 type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index b30cee19..5ad46436 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -43,6 +43,7 @@
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 /vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0
+/vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0
 
 # Vendor libraries
 /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
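Review bot: `type gxp_device, dev_type, mlstrustedobject;` exempts the device node from MLS category checks, which is presumably what lets google_camera_app (an app domain carrying per-user categories, granted access later in this patch) open it, yet the attribute is explained nowhere in the change and none of the neighbouring dev_type declarations carry it. Add a comment on the line, e.g. `# mlstrustedobject: opened by app domains that carry MLS categories (google_camera_app)`, so it is neither dropped later nor copied onto device types that only HALs use.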
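Review bot: `/vendor/firmware/gxp_fw_core[0-3]` becomes the second carve-out from the `vendor_fw_file` default for /vendor/firmware, and unlike the mali_csffw entry the commit message says these images are loaded by the camera app as well as the HAL; the `same_process_hal_file` label makes them readable by every domain that may load SP-HAL libraries, not only the two clients named. A comment next to the entry stating that the label is chosen so app domains can read the firmware images, e.g. `# GXP firmware is read by app domains (GCA); same_process_hal_file makes it app-readable`, would make the intent explicit. Whether the driver validates what is loaded rather than trusting the caller is not visible here and is the check I would want on record.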
@@ -56,6 +57,7 @@
 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
 
 # Graphics
 /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
@@ -133,6 +135,7 @@
 /dev/dri/card0 u:object_r:graphics_device:s0
 /dev/fimg2d u:object_r:graphics_device:s0
 /dev/g2d u:object_r:graphics_device:s0
+/dev/gxp u:object_r:gxp_device:s0
 /dev/dit2 u:object_r:vendor_toe_device:s0
 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0
 /dev/sg1 u:object_r:sg_device:s0
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index 43ea14e3..ad097810 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -7,3 +7,9 @@ allow google_camera_app cameraserver_service:service_manager find;
 allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows camera app to access the GXP device.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+
+# Allows camera app to search for GXP firmware file.
+allow google_camera_app vendor_fw_file:dir search;
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index f604875f..779157ca 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
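Review bot: `allow google_camera_app gxp_device:chr_file rw_file_perms;` gives an app domain open/read/write/ioctl on the DSP device node, and rw_file_perms admits every ioctl number; if the driver exposes more ioctls than the camera path needs, an `allowxperm google_camera_app gxp_device:chr_file ioctl { <needed-ioctl-list> };` allowlist would limit what a compromised app process could reach. The same applies to the hal_camera_default hunk that follows in this patch. The comment `# Allows camera app to access the GXP device.` could also say what the access is for, per the commit message, e.g. `# Allows camera app to open the GXP device to load firmware and run DSP workloads.`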
@@ -24,6 +24,9 @@ allow hal_camera_default sysfs_edgetpu:file r_file_perms;
 allow hal_camera_default edgetpu_vendor_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_vendor_server)
 
+# Allow the camera hal to access the GXP device.
+allow hal_camera_default gxp_device:chr_file rw_file_perms;
+
 # Allow access to data files used by the camera HAL
 allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default persist_file:dir search;
From b3a10db9d6dd7c3392ebd1bab3b6ffcf889542e7 Mon Sep 17 00:00:00 2001
From: Devin Moore
Date: Tue, 1 Mar 2022 18:15:33 +0000
Subject: [PATCH 5/7] Add the init_boot partition sepolicy Tagging the partition as a boot_block_device so everything that had permission to read/write to the boot partition now also has permissions for this new init_boot partition. This is required for update_engine to be able to write to init_boot on builds that are enforcing sepolicy.
Bug: 222052598
Test: adb shell setenforce 1 && update_device.py ota.zip
Change-Id: Ic991fa314c8a6fdb848199a626852a68a57d1df5
---
 whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 5ad46436..f86fa5f1 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -159,6 +159,7 @@
 /dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
From 990294708f848e4f8673a5ae07c54822e3309571 Mon Sep 17 00:00:00 2001
From: Robb Glasser
Date: Tue, 1 Mar 2022 18:20:04 -0800
Subject: [PATCH 6/7] Add hal_graphics_composer_default to sensors sepolicy.
Bug: 221396170
Test: No avc denial.
Change-Id: I23299524dec50d8c589c6acc9da8b3c8c3399f97
---
 whitechapel_pro/hal_sensors_default.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
index a29bb730..69190603 100644
--- a/whitechapel_pro/hal_sensors_default.te
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -48,3 +48,6 @@ allow hal_sensors_default hal_pixel_display_service:service_manager find;
 # Allow display_info_service access to the backlight driver.
 allow hal_sensors_default sysfs_leds:dir search;
 allow hal_sensors_default sysfs_leds:file r_file_perms;
+
+# Allow sensor HAL to access the graphics composer.
+binder_call(hal_sensors_default, hal_graphics_composer_default);
From ac44b340d35296831f1ab482f24130f5ef525384 Mon Sep 17 00:00:00 2001
From: Devin Moore
Date: Tue, 1 Mar 2022 18:15:33 +0000
Subject: [PATCH 7/7] Add the init_boot partition sepolicy Tagging the partition as a boot_block_device so everything that had permission to read/write to the boot partition now also has permissions for this new init_boot partition. This is required for update_engine to be able to write to init_boot on builds that are enforcing sepolicy.
Bug: 222052598
Test: adb shell setenforce 1 && update_device.py ota.zip
Merged-In: Ic991fa314c8a6fdb848199a626852a68a57d1df5
Change-Id: Ic991fa314c8a6fdb848199a626852a68a57d1df5
---
 whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 5ad46436..f86fa5f1 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
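Review bot: `binder_call(hal_sensors_default, hal_graphics_composer_default);` carries a trailing semicolon, while the other binder_call invocations in this series (rild.te, hal_camera_default.te, vendor_engineermode_app.te) have none; the macro already expands to terminated rules, so drop the `;` for consistency: `binder_call(hal_sensors_default, hal_graphics_composer_default)`. The commit message quotes no denial for this grant, so a few words in the comment on which composer interface the sensor HAL calls would justify the binder access the macro hands out.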
@@ -159,6 +159,7 @@
 /dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
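Review bot: This hunk is byte-identical to the one in PATCH 5/7, with the same blob ids `index 5ad46436..f86fa5f1` and the same Change-Id, now carrying a Merged-In trailer; applied in series order the second copy cannot apply cleanly because the line is already present. Presumably this is the re-send destined for another branch, so one of the two should be dropped from the series. Nothing in the hunk itself needs a change.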