From d3c176fc742ea2ade231d7da9eb64fc950189d93 Mon Sep 17 00:00:00 2001 From: Inna Palant Date: Wed, 4 Jan 2023 12:35:10 -0800 Subject: [PATCH 01/44] Initial empty repository From aaae350c478af40fe4f5526430bb942ba71d0660 Mon Sep 17 00:00:00 2001 From: Cyan_Hsieh Date: Mon, 9 Jan 2023 16:12:19 +0800 Subject: [PATCH 02/44] Initial device comet sepolicy Bug: 263919239 Change-Id: I5a72c5574a66c6719b87bc3dbd5e3b0baec09bd1 --- OWNERS | 3 +++ comet-sepolicy.mk | 3 +++ vendor/README.txt | 2 ++ 3 files changed, 8 insertions(+) create mode 100644 OWNERS create mode 100644 comet-sepolicy.mk create mode 100644 vendor/README.txt diff --git a/OWNERS b/OWNERS new file mode 100644 index 0000000..791abb4 --- /dev/null +++ b/OWNERS @@ -0,0 +1,3 @@ +include platform/system/sepolicy:/OWNERS + +rurumihong@google.com diff --git a/comet-sepolicy.mk b/comet-sepolicy.mk new file mode 100644 index 0000000..72aa4b3 --- /dev/null +++ b/comet-sepolicy.mk @@ -0,0 +1,3 @@ +# sepolicy exclusively for comet. +BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor + diff --git a/vendor/README.txt b/vendor/README.txt new file mode 100644 index 0000000..67a320f --- /dev/null +++ b/vendor/README.txt @@ -0,0 +1,2 @@ +This folder holds sepolicy exclusively for one device. For example, genfs_contexts +paths that are affected by device tree. From ee9740df18f85cfb890fe8d23b655ace531221c9 Mon Sep 17 00:00:00 2001 From: Tai Kuo Date: Sat, 4 Feb 2023 15:31:31 +0800 Subject: [PATCH 03/44] Update vibrator SEPolicy for possible paths Pre-porting. Align with other P23 projects. Bug: 264625320 Test: Build sepolicy. Change-Id: I8996bbdd32fd8c2c708dca00f49a0ab4c33aedb7 --- vendor/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 vendor/genfs_contexts diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts new file mode 100644 index 0000000..2147fa3 --- /dev/null +++ b/vendor/genfs_contexts 
@@ -0,0 +1,4 @@ +# Haptics +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0 From 0017642efe146104ee71d8e7693176e45a6a26eb Mon Sep 17 00:00:00 2001 From: eddielan Date: Wed, 19 Apr 2023 13:20:45 +0800 Subject: [PATCH 04/44] sepolicy: Add sepolicy for FPS Bug: 277843284 Test: make selinux_policy Change-Id: I29b7ea88b001ec2dd4fdb56d8a6b8ae598478c0f --- comet-sepolicy.mk | 2 ++ fingerprint_capacitance/file.te | 1 + fingerprint_capacitance/file_contexts | 5 +++ .../fingerprint_factory_service.te | 3 ++ fingerprint_capacitance/genfs_contexts | 1 + .../hal_fingerprint_capacitance.te | 35 +++++++++++++++++++ fingerprint_capacitance/hwservice.te | 1 + fingerprint_capacitance/hwservice_contexts | 2 ++ fingerprint_capacitance/servicemanager.te | 1 + 9 files changed, 51 insertions(+) create mode 100644 fingerprint_capacitance/file.te create mode 100644 fingerprint_capacitance/file_contexts create mode 100644 fingerprint_capacitance/fingerprint_factory_service.te create mode 100644 fingerprint_capacitance/genfs_contexts create mode 100644 fingerprint_capacitance/hal_fingerprint_capacitance.te create mode 100644 fingerprint_capacitance/hwservice.te create mode 100644 fingerprint_capacitance/hwservice_contexts create mode 100644 fingerprint_capacitance/servicemanager.te diff --git a/comet-sepolicy.mk b/comet-sepolicy.mk index 72aa4b3..20454d2 100644 --- a/comet-sepolicy.mk +++ b/comet-sepolicy.mk @@ -1,3 +1,5 @@ # sepolicy exclusively for comet. BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor +# Fingerprint +BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/fingerprint_capacitance diff --git a/fingerprint_capacitance/file.te b/fingerprint_capacitance/file.te new file mode 100644 index 0000000..0218b46 --- /dev/null 
+++ b/fingerprint_capacitance/file.te
@@ -0,0 +1 @@
+type sysfs_fingerprint, sysfs_type, fs_type;
diff --git a/fingerprint_capacitance/file_contexts b/fingerprint_capacitance/file_contexts
new file mode 100644
index 0000000..338b8a2
--- /dev/null
+++ b/fingerprint_capacitance/file_contexts
@@ -0,0 +1,5 @@
+# FPC AIDL HAL
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42 u:object_r:hal_fingerprint_capacitance_exec:s0
+
+# FPC HIDL HAL
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0
diff --git a/fingerprint_capacitance/fingerprint_factory_service.te b/fingerprint_capacitance/fingerprint_factory_service.te
new file mode 100644
index 0000000..86ab35c
--- /dev/null
+++ b/fingerprint_capacitance/fingerprint_factory_service.te
@@ -0,0 +1,3 @@
+type fingerprint_factory_service, service_manager_type;
+type fingerprint_factory_service_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(fingerprint_factory_service)
diff --git a/fingerprint_capacitance/genfs_contexts b/fingerprint_capacitance/genfs_contexts
new file mode 100644
index 0000000..9fe2a86
--- /dev/null
+++ b/fingerprint_capacitance/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te
new file mode 100644
index 0000000..52073d0
--- /dev/null
+++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te
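Review bot: In fingerprint_factory_service.te the type handed to `init_daemon_domain()` is declared with `service_manager_type` only, so the process label lacks the `domain` attribute and doubles as a service_manager object label. Rules and neverallow assertions written against `domain` would then not cover this daemon, which is probably not intended. Consider `type fingerprint_factory_service, domain;` for the process and a separately named `service_manager_type` type for the binder service it registers, if it registers one.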
@@ -0,0 +1,35 @@
+# hal_fingerprint_capacitance definition
+type hal_fingerprint_capacitance, domain;
+#hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint)
+
+type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_capacitance)
+
+#set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)
+
+# allow fingerprint to access file
+#allow hal_fingerprint_capacitance fingerprint_device:chr_file rw_file_perms;
+#allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms;
+#allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms;
+#allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms;
+
+# allow fingerprint to access power hal
+#hal_client_domain(hal_fingerprint_capacitance, hal_power);
+
+# allow fingerprint to find fwk service
+#allow hal_fingerprint_capacitance fwk_stats_service:service_manager find;
+
+# allow fingerprint to access sysfs_leds
+#allow hal_fingerprint_capacitance sysfs_leds:dir search;
+#allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms;
+
+# allow fingerprint to access input_device
+#allow hal_fingerprint_capacitance input_device:dir r_dir_perms;
+#allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;
+
+# allow fingerprint to access hwservice
+#hwbinder_use(hal_fingerprint_capacitance)
+#add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice)
+
+# allow fingerprint to access fwk sensor hwservice
+#allow hal_fingerprint_capacitance fwk_sensor_hwservice:hwservice_manager find;
diff --git a/fingerprint_capacitance/hwservice.te b/fingerprint_capacitance/hwservice.te
new file mode 100644
index 0000000..68c51ab
--- /dev/null
+++ b/fingerprint_capacitance/hwservice.te
@@ -0,0 +1 @@
+type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type;
diff --git a/fingerprint_capacitance/hwservice_contexts b/fingerprint_capacitance/hwservice_contexts new file mode 100644 index 0000000..ed09300 --- /dev/null +++ b/fingerprint_capacitance/hwservice_contexts @@ -0,0 +1,2 @@ +com.fingerprints42.extension::IFingerprintEngineering u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0 +com.fingerprints42.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0 diff --git a/fingerprint_capacitance/servicemanager.te b/fingerprint_capacitance/servicemanager.te new file mode 100644 index 0000000..5297448 --- /dev/null +++ b/fingerprint_capacitance/servicemanager.te @@ -0,0 +1 @@ +#binder_call(servicemanager, hal_fingerprint_capacitance) From e2906c4eb9650589424c5a7be2845340a40225e1 Mon Sep 17 00:00:00 2001 From: eddielan Date: Mon, 24 Apr 2023 10:52:31 +0800 Subject: [PATCH 05/44] fps: Enable policy for SFPS Bug: 279363703 Test: Build pass Change-Id: I5c55fa507db79ad490dd315574d6e02212c6cb9b --- .../hal_fingerprint_capacitance.te | 30 +++++++------------ 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te index 52073d0..1f62633 100644 --- a/fingerprint_capacitance/hal_fingerprint_capacitance.te +++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te 
@@ -1,35 +1,27 @@ # hal_fingerprint_capacitance definition type hal_fingerprint_capacitance, domain; -#hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint) +hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint) type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_fingerprint_capacitance) -#set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop) - # allow fingerprint to access file -#allow hal_fingerprint_capacitance fingerprint_device:chr_file rw_file_perms; -#allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms; -#allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms; -#allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms; +allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms; +allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms; +allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms; # allow fingerprint to access power hal -#hal_client_domain(hal_fingerprint_capacitance, hal_power); +hal_client_domain(hal_fingerprint_capacitance, hal_power); # allow fingerprint to find fwk service -#allow hal_fingerprint_capacitance fwk_stats_service:service_manager find; - -# allow fingerprint to access sysfs_leds -#allow hal_fingerprint_capacitance sysfs_leds:dir search; -#allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms; +allow hal_fingerprint_capacitance fwk_stats_service:service_manager find; # allow fingerprint to access input_device -#allow hal_fingerprint_capacitance input_device:dir r_dir_perms; -#allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms; +allow hal_fingerprint_capacitance input_device:dir r_dir_perms; +allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms; # allow fingerprint to access hwservice -#hwbinder_use(hal_fingerprint_capacitance) -#add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice) 
+add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice) -# allow fingerprint to access fwk sensor hwservice -#allow hal_fingerprint_capacitance fwk_sensor_hwservice:hwservice_manager find; +# allow fingerprint to access servicemanager +binder_call(hal_fingerprint_capacitance, servicemanager) From faa97399ca7921bef05f690ecf375c3faa0c7e98 Mon Sep 17 00:00:00 2001 From: lbill Date: Tue, 2 May 2023 09:14:44 +0000 Subject: [PATCH 06/44] Allow SystemUI to access fp hal. Bug: 279363703 Test: Verified SystemUI can access HAL extension. Change-Id: I3bc678008b5c4961d2a20e49351ea25d1ec7a629 --- fingerprint_capacitance/systemui_app.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 fingerprint_capacitance/systemui_app.te diff --git a/fingerprint_capacitance/systemui_app.te b/fingerprint_capacitance/systemui_app.te new file mode 100644 index 0000000..b1e16d4 --- /dev/null +++ b/fingerprint_capacitance/systemui_app.te @@ -0,0 +1,3 @@ +# TODO (b/264266705) Remove this and make it specific to the app +# allow SystemUIGoogle to access fingerprint hal +hal_client_domain(systemui_app, hal_fingerprint) \ No newline at end of file From b86598fe560411b5166071af94c8058e02c68541 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 12 May 2023 02:31:04 +0000 Subject: [PATCH 07/44] introduce a new sepolicy owner Bug: 281631102 Test: N/A Change-Id: Ia7cba55f4331ef98a101e248de65c89b30415ce3 --- OWNERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/OWNERS b/OWNERS index 791abb4..5232bc3 100644 --- a/OWNERS +++ b/OWNERS @@ -1,3 +1,4 @@ -include platform/system/sepolicy:/OWNERS +include device/google/gs-common:/sepolicy/OWNERS + +adamshih@google.com -rurumihong@google.com From 86776d4e107af86cdf4aaa5c2a759807be1a121e Mon Sep 17 00:00:00 2001 
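Review bot: The two `input_device` rules enabled in hal_fingerprint_capacitance.te give the fingerprint HAL read-write access to every node carrying that label, not just the sensor's own node; on AOSP that label normally covers all of /dev/input, which would include touch and key events. If the HAL only needs one event node, a dedicated device type labelled in file_contexts would keep the grant narrow, and `r_file_perms` is enough unless it really writes events. A short comment such as `# needed for <reason>; limited to the sensor's event node` above the rules would make the intent reviewable. The `tee_device:chr_file rw_file_perms` rule is likewise explained only as "access file" and deserves a line saying why the HAL opens the TEE node directly.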
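Review bot: `hal_client_domain(systemui_app, hal_fingerprint)` in systemui_app.te opens the fingerprint HAL to everything that runs in the systemui_app domain, and the TODO does not say which interface or call SystemUI actually needs. Naming that in the comment, for example `# SystemUI calls the FPC HAL extension for <feature>`, would let a later change replace the macro with the specific rule. The same macro is applied to `system_app` in fingerprint_capacitance/system_app.te ([PATCH 22/44]); that domain is typically shared by all platform-signed apps running as the system UID, so the grant there is wider still and should be the first one narrowed. This file also ends without a trailing newline.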
From: eddielan Date: Thu, 1 Jun 2023 05:24:31 +0000 Subject: [PATCH 08/44] fps: Allow fp to access sensor_servie & property ELinux : avc: denied { find } for pid=826 uid=1000 name=android.frameworks.sensorservice.ISensorManager/default scontext=u:r:hal_fingerprint_capacitance:s0 tcontext=u:object_r:fwk_sensor_service:s0 tclass=service_manager permissive=0 avc: denied { read } for name="u:object_r:vendor_fingerprint_prop:s0" dev="tmpfs" ino=380 scontext=u:r:hal_fingerprint_capacitance:s0 tcontext=u:object_r:vendor_fingerprint_prop:s0 tclass=file permissive=0 Bug: 279363703 Test: make selinux_policy -j112 Change-Id: Idd3fe8100a3982a0a0279e44e0be439a16961543 --- fingerprint_capacitance/hal_fingerprint_capacitance.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te index 1f62633..06a1ac1 100644 --- a/fingerprint_capacitance/hal_fingerprint_capacitance.te +++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te @@ -25,3 +25,9 @@ add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwser # allow fingerprint to access servicemanager binder_call(hal_fingerprint_capacitance, servicemanager) + +# allow fingerprint to access fwk sensor hwservice +allow hal_fingerprint_capacitance fwk_sensor_service:service_manager find; + +# allow fingerprint to access fingerprint property +set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop) From 9f7a30113ad52c1cdd1309b05f287f51859cfd38 Mon Sep 17 00:00:00 2001 From: Weizhung Ding Date: Thu, 15 Jun 2023 06:35:20 +0000 Subject: [PATCH 09/44] Add permission for secondary dsim Bug: 287392044 Test: adjust brightness Change-Id: I730ab114243911bd08f21579ab1d43d60ca4a19b --- vendor/genfs_contexts | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 2147fa3..75073f2 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
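Review bot: The added `set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)` grants more than the denial quoted in the commit message, which shows only `{ read }` on vendor_fingerprint_prop. If the HAL never writes these properties, `get_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)` resolves the logged denial without letting the HAL change them. The comment above the sensor rule also says "fwk sensor hwservice" while the rule targets `fwk_sensor_service:service_manager`; `# allow fingerprint to find the framework sensor service` would match the rule. The file continues above this hunk.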
@@ -2,3 +2,21 @@ genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0 + +# Display +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/op_hz u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_model u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0 +genfscon sysfs 
/devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0 From 83b0b32da2b50adcfe84d5c30845e41811046f94 Mon Sep 17 00:00:00 2001 From: Tai Kuo Date: Mon, 4 Sep 2023 19:11:56 +0800 Subject: [PATCH 10/44] Remove unused CS40L26 I2C paths Bug: 285343932 Test: No AVC denials. Change-Id: I35ef8dbd4304d620cf7eb57fc00f88387d76eb64 --- vendor/genfs_contexts | 5 ----- 1 file changed, 5 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 75073f2..f678d2b 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -1,8 +1,3 @@ -# Haptics -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0 - # Display genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 From 5e161ebcd60b3b1461bf931289ecaf6b33f3f1ce Mon Sep 17 00:00:00 2001 From: eddielan Date: Tue, 5 Sep 2023 16:40:42 +0800 Subject: [PATCH 11/44] fingerprint: Add sepolicy for SW42_fw49 Bug: 289005099 Test: Build pass Change-Id: Id3000db0f274cffd3dd2a5b83299706f9543740a --- fingerprint_capacitance/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fingerprint_capacitance/file_contexts b/fingerprint_capacitance/file_contexts index 338b8a2..71db7ed 100644 --- a/fingerprint_capacitance/file_contexts +++ b/fingerprint_capacitance/file_contexts 
@@ -1,5 +1,5 @@ # FPC AIDL HAL -/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42 u:object_r:hal_fingerprint_capacitance_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42_fw49 u:object_r:hal_fingerprint_capacitance_exec:s0 # FPC HIDL HAL /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 From 8572f023b25a7fd65cf64364c07d056bca8fcc1a Mon Sep 17 00:00:00 2001 From: Burney Yu Date: Tue, 5 Sep 2023 13:24:19 +0800 Subject: [PATCH 12/44] Add service context for IDisplay/secondary Bug: 283353282 Test: Test pixel display interface Change-Id: I30f56cb721155d90292049bcf35274a5d6fbe065 --- vendor/service_contexts | 1 + 1 file changed, 1 insertion(+) create mode 100644 vendor/service_contexts diff --git a/vendor/service_contexts b/vendor/service_contexts new file mode 100644 index 0000000..4f239ae --- /dev/null +++ b/vendor/service_contexts @@ -0,0 +1 @@ +com.google.hardware.pixel.display.IDisplay/secondary u:object_r:hal_pixel_display_service:s0 \ No newline at end of file From c46d5ae69548780f92f07233a579028b6c68b3a8 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Thu, 7 Sep 2023 15:48:18 +0800 Subject: [PATCH 13/44] sepolicy: add secondary battery and wireless charging permission Bug: 299268124 Test: data is correct in dumpstate Change-Id: I030c3d9230980654b142902bec6c6acf942caa72 Signed-off-by: Jenny Ho --- vendor/genfs_contexts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f678d2b..baab297 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -15,3 +15,11 @@ genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_model genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0 + +# Battery +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply u:object_r:sysfs_batteryinfo:s0 + +# wake up nodes +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/power/wakeup u:object_r:sysfs_wakeup:s0 From 97baab595149ad19f74c5b60fe1cdd10e0385041 Mon Sep 17 00:00:00 2001 From: Joe Huang Date: Mon, 2 Oct 2023 16:10:50 +0800 Subject: [PATCH 14/44] Add sepolicy for gnss Bug: 294708565 Test: GPS test Change-Id: I6a460a16b4a9a7624b7769c4725a03249869bb65 --- vendor/file_contexts | 11 +++++++++++ vendor/gnss_check.te | 6 ++++++ vendor/gnssd.te | 23 +++++++++++++++++++++++ vendor/hal_gnss_default.te | 2 ++ vendor/rild.te | 1 + vendor/sctd.te | 3 +++ vendor/spad.te | 3 +++ vendor/swcnd.te | 3 +++ 8 files changed, 52 insertions(+) create mode 100644 vendor/file_contexts create mode 100644 vendor/gnss_check.te create mode 100644 vendor/gnssd.te create mode 100644 vendor/hal_gnss_default.te create mode 100644 vendor/rild.te create mode 100644 vendor/sctd.te create mode 100644 vendor/spad.te create mode 100644 vendor/swcnd.te diff --git a/vendor/file_contexts b/vendor/file_contexts new file mode 100644 index 0000000..1a4c2d4 --- /dev/null +++ b/vendor/file_contexts 
@@ -0,0 +1,11 @@
+# GPS
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/gnss_boot u:object_r:vendor_gnss_device:s0
+/dev/gnss_dump u:object_r:vendor_gnss_device:s0
+
+/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0
+/vendor/bin/hw/sctd u:object_r:sctd_exec:s0
+/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0
+/vendor/bin/hw/spad u:object_r:spad_exec:s0
+/vendor/bin/hw/gnss-aidl-service_IGnssV2_ISlsiGnssV1 u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0
diff --git a/vendor/gnss_check.te b/vendor/gnss_check.te
new file mode 100644
index 0000000..e19a8b9
--- /dev/null
+++ b/vendor/gnss_check.te
@@ -0,0 +1,6 @@
+type gnss_check, domain;
+type gnss_check_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(gnss_check);
+
+allow gnss_check vendor_toolbox_exec:file { execute_no_trans };
diff --git a/vendor/gnssd.te b/vendor/gnssd.te
new file mode 100644
index 0000000..ea16762
--- /dev/null
+++ b/vendor/gnssd.te
@@ -0,0 +1,23 @@
+type gnssd, domain;
+type gnssd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gnssd);
+
+# Allow gnssd to access rild
+binder_call(gnssd, rild);
+# binder_call(gnssd, hwservicemanager)
+allow gnssd hal_exynos_rild_hwservice:hwservice_manager find;
+allow gnssd radio_device:chr_file rw_file_perms;
+
+# Allow gnssd to acess gnss device
+allow gnssd vendor_gnss_device:chr_file rw_file_perms;
+allow gnssd vendor_gps_file:dir create_dir_perms;
+allow gnssd vendor_gps_file:file create_file_perms;
+allow gnssd vendor_gps_file:fifo_file create_file_perms;
+
+get_prop(gnssd, bootanim_system_prop)
+
+# Allow gnssd to obtain wakelock
+wakelock_use(gnssd)
+
+# Allow a base set of permissions required for network access.
+net_domain(gnssd);
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
new file mode 100644
index 0000000..25fc30a
--- /dev/null
+++ b/vendor/hal_gnss_default.te
@@ -0,0 +1,2 @@
+binder_call(hal_gnss_default, gnssd);
+
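Review bot: In gnssd.te, `allow gnssd radio_device:chr_file rw_file_perms;` sits under the comment "Allow gnssd to access rild" but grants direct read-write access to the radio device nodes rather than a binder path to rild. If gnssd needs one specific node, a narrower label would be safer; if it needs them all, a comment such as `# gnssd talks to the modem over <node> for <purpose>` should say why. The commented-out `# binder_call(gnssd, hwservicemanager)` can be dropped, "acess" should read "access", and macro calls are terminated with `;` in some places (`init_daemon_domain(gnssd);`) and not in others (`wakelock_use(gnssd)`).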
diff --git a/vendor/rild.te b/vendor/rild.te new file mode 100644 index 0000000..c620a19 --- /dev/null +++ b/vendor/rild.te @@ -0,0 +1 @@ +binder_call(rild, gnssd) diff --git a/vendor/sctd.te b/vendor/sctd.te new file mode 100644 index 0000000..8966ef8 --- /dev/null +++ b/vendor/sctd.te @@ -0,0 +1,3 @@ +type sctd, domain; +type sctd_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(sctd); diff --git a/vendor/spad.te b/vendor/spad.te new file mode 100644 index 0000000..eaf8b1c --- /dev/null +++ b/vendor/spad.te @@ -0,0 +1,3 @@ +type spad, domain; +type spad_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(spad); diff --git a/vendor/swcnd.te b/vendor/swcnd.te new file mode 100644 index 0000000..c366cad --- /dev/null +++ b/vendor/swcnd.te @@ -0,0 +1,3 @@ +type swcnd, domain; +type swcnd_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(swcnd); From 5e97a88cf9acd3984857028069bc0575013597e7 Mon Sep 17 00:00:00 2001 From: timothywang Date: Fri, 13 Oct 2023 18:12:59 +0800 Subject: [PATCH 15/44] Allow vendor_init to set camera debug prop Bug: 301039060 Test: build pass, check property Change-Id: Iece5d1d88e66d65ad78cba0508cc4547d30d8c0d --- vendor/vendor_init.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 vendor/vendor_init.te diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te new file mode 100644 index 0000000..91d16a9 --- /dev/null +++ b/vendor/vendor_init.te @@ -0,0 +1,2 @@ +# Camera vendor property +set_prop(vendor_init, vendor_camera_debug_prop) From 527935ad967a8d50d3d78308226603e3119012de Mon Sep 17 00:00:00 2001 From: Burney Yu Date: Wed, 27 Sep 2023 17:04:05 +0800 Subject: [PATCH 16/44] comet-sepolicy: Enable Lbe atc on secondary display Bug: 283353282 Test: Check PixelDisplayService log Change-Id: I1d60b8da4b0cd35f2b5f3aa439945588e4d1ab72 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index baab297..1f51830 100644 
--- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -15,6 +15,7 @@ genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_model genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19471000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0 # Battery genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply u:object_r:sysfs_batteryinfo:s0 From 74e9d81f539bbf3dbb0b2c14db5e8d9fd8a9c0e0 Mon Sep 17 00:00:00 2001 From: YiKai Peng Date: Mon, 23 Oct 2023 07:36:19 +0000 Subject: [PATCH 17/44] WLC: add static i2c number for sepolicy Bug: 306699444 Test: No selinux denials related to wireless Change-Id: I6c3a8781b4a113c14393930be65bdcb028a32c83 Signed-off-by: YiKai Peng --- vendor/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index baab297..99924b1 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -23,3 +23,6 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply # wake up nodes genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/power/wakeup u:object_r:sysfs_wakeup:s0 + +# WLC +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061 u:object_r:sysfs_wlc:s0 From 85bf9466c714d931eb1647e89697dacb090e80c9 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Wed, 25 Oct 2023 08:12:26 +0000 Subject: [PATCH 18/44] Initial SEpolicy tracking_denials Bug: 296187211 Change-Id: I277c8383945413e50c7335afac018dc579655e67 --- tracking_denials/README.txt | 2 ++ tracking_denials/bug_map | 1 + 2 files changed, 3 insertions(+) create mode 100644 tracking_denials/README.txt create mode 100644 tracking_denials/bug_map diff --git a/tracking_denials/README.txt b/tracking_denials/README.txt new file mode 100644 index 0000000..6cfc62d --- /dev/null +++ b/tracking_denials/README.txt @@ -0,0 +1,2 @@ +This folder stores known errors detected by PTS. Be sure to remove relevant +files to reproduce error log on latest ROMs. diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/tracking_denials/bug_map @@ -0,0 +1 @@ + From 018f7619cc9ee96f342645529248f0a3140a0e93 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Tue, 31 Oct 2023 11:37:25 +0800 Subject: [PATCH 19/44] Add sepolicy for dual_batt_gauge power supply 10-30 04:38:39.556 814 814 I auditd : type=1400 audit(0.0:13): avc: denied { getattr } for comm="android.hardwar" path="/sys/devices/platform/google,dual_batt_gauge/power_supply/dualbatt/type" dev="sysfs" ino=77177 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 10-30 04:38:39.556 814 814 I auditd : type=1400 audit(0.0:11): avc: denied { read } for comm="android.hardwar" name="type" dev="sysfs" ino=77177 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 10-30 04:38:39.556 814 814 I auditd : type=1400 audit(0.0:12): avc: denied { open } for comm="android.hardwar" path="/sys/devices/platform/google,dual_batt_gauge/power_supply/dualbatt/type" dev="sysfs" ino=77177 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 308380763 Test: reboot device and check the avc Change-Id: Ie39f9df23c4041ac442599d85279b69638a514d2 
Signed-off-by: Jack Wu --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 99924b1..44ecbe2 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -19,10 +19,12 @@ genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count # Battery genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply u:object_r:sysfs_batteryinfo:s0 # wake up nodes genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/wakeup u:object_r:sysfs_wakeup:s0 # WLC genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061 u:object_r:sysfs_wlc:s0 From d510a3608b6367531b347a3422d29d2220dccdf8 Mon Sep 17 00:00:00 2001 From: Joe Huang Date: Mon, 30 Oct 2023 17:36:01 +0800 Subject: [PATCH 20/44] Add sepolicy rules for gnss Bug: 303789385 Test: GPS test on normal & factory builds Change-Id: I140d2ec76f11b68b2e0abac2cc9278a82048814d --- vendor/gnss_check.te | 3 +++ vendor/hal_gnss_default.te | 1 + 2 files changed, 4 insertions(+) diff --git a/vendor/gnss_check.te b/vendor/gnss_check.te index e19a8b9..31d0944 100644 --- a/vendor/gnss_check.te +++ b/vendor/gnss_check.te @@ -4,3 +4,6 @@ type gnss_check_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(gnss_check); allow gnss_check vendor_toolbox_exec:file { execute_no_trans }; + +set_prop(gnss_check, ctl_stop_prop); +set_prop(gnss_check, ctl_start_prop); diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te index 25fc30a..bf1a564 100644 
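Review bot: The added `set_prop(gnss_check, ctl_stop_prop);` and `set_prop(gnss_check, ctl_start_prop);` lines in gnss_check.te let the script stop and start any init service whose control property falls back to these generic types, not only the GNSS daemons. As far as I know these are the catch-all labels for `ctl.start$…` and `ctl.stop$…`, so the grant is much wider than a GNSS health check needs. Prefer labelling the control properties of the specific services with a dedicated type in property_contexts and granting `set_prop` on that type; at minimum add a comment naming what the script restarts, e.g. `# gnss_check.sh restarts <service names>`. The first lines of gnss_check.te lie outside this hunk.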
--- a/vendor/hal_gnss_default.te +++ b/vendor/hal_gnss_default.te @@ -1,2 +1,3 @@ binder_call(hal_gnss_default, gnssd); +allow hal_gnss_default gnssd:unix_stream_socket connectto; From b66a9c1e64efa87c2587e97ae056d055d6506ce8 Mon Sep 17 00:00:00 2001 From: Kamal Shafi Date: Mon, 27 Nov 2023 06:23:13 +0000 Subject: [PATCH 21/44] sepolicy: migrate zumapro devices sepolicy - Move device specific sepolicy Bug: 312869113 Test: build Change-Id: I6f9228ba62d18cbcb6b8618b3ff7078b50daabbe --- vendor/file_contexts | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index 1a4c2d4..ab3f96b 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -3,6 +3,26 @@ /dev/gnss_boot u:object_r:vendor_gnss_device:s0 /dev/gnss_dump u:object_r:vendor_gnss_device:s0 +# Devices +/dev/lwis-act-cornerfolk u:object_r:lwis_device:s0 +/dev/lwis-act-jotnar u:object_r:lwis_device:s0 +/dev/lwis-act-nessie u:object_r:lwis_device:s0 +/dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0 +/dev/lwis-eeprom-nessie u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-imentet u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-svarog u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-svarog-outer u:object_r:lwis_device:s0 +/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 +/dev/lwis-ois-jotnar u:object_r:lwis_device:s0 +/dev/lwis-ois-nessie u:object_r:lwis_device:s0 +/dev/lwis-sensor-dokkaebi-tele u:object_r:lwis_device:s0 +/dev/lwis-sensor-imentet u:object_r:lwis_device:s0 +/dev/lwis-sensor-oksoko u:object_r:lwis_device:s0 +/dev/lwis-sensor-svarog u:object_r:lwis_device:s0 +/dev/lwis-sensor-svarog-outer u:object_r:lwis_device:s0 +/dev/lwis-tof-tarasque u:object_r:lwis_device:s0 + +# Services /vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0 /vendor/bin/hw/sctd u:object_r:sctd_exec:s0 /vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0 From 6366ddba28cb5606ffb26b9d45e5ce7a0f3c5d85 Mon Sep 17 00:00:00 2001 
From: Vincent Wang Date: Wed, 13 Dec 2023 05:42:51 +0000 Subject: [PATCH 22/44] Add SEPoilcy for comet to access FingerprintHal from Settings Bug: 315927727 Test: Check SettingsGoogle could access FPHal via FingerprintExt Change-Id: I462cb3847e424c1ccb7e8f06c2449b25308db96b --- fingerprint_capacitance/system_app.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 fingerprint_capacitance/system_app.te diff --git a/fingerprint_capacitance/system_app.te b/fingerprint_capacitance/system_app.te new file mode 100644 index 0000000..e1a7d52 --- /dev/null +++ b/fingerprint_capacitance/system_app.te @@ -0,0 +1,2 @@ +# TODO (b/306087355) Remove this and make it specific to the app +hal_client_domain(system_app, hal_fingerprint) From 05f2f5195b6bd7214d445e7a912ea6ebab1e999c Mon Sep 17 00:00:00 2001 From: sashwinbalaji Date: Mon, 18 Dec 2023 19:06:25 +0800 Subject: [PATCH 23/44] sepolicy: thermal: add init_thermal policies Bug: 315096213 Test: Build and verify for avc errors Change-Id: Idf032c9ce1544253cebd82fda24bcd4582c95111 --- vendor/file_contexts | 9 +++++---- vendor/init_thermal_config.te | 5 +++++ 2 files changed, 10 insertions(+), 4 deletions(-) create mode 100644 vendor/init_thermal_config.te diff --git a/vendor/file_contexts b/vendor/file_contexts index ab3f96b..29561ab 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -23,9 +23,10 @@ /dev/lwis-tof-tarasque u:object_r:lwis_device:s0 # Services -/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0 -/vendor/bin/hw/sctd u:object_r:sctd_exec:s0 -/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0 -/vendor/bin/hw/spad u:object_r:spad_exec:s0 +/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0 +/vendor/bin/hw/sctd u:object_r:sctd_exec:s0 +/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0 +/vendor/bin/hw/spad u:object_r:spad_exec:s0 /vendor/bin/hw/gnss-aidl-service_IGnssV2_ISlsiGnssV1 u:object_r:hal_gnss_default_exec:s0 /vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0 +/vendor/bin/init_thermal_config u:object_r:init_thermal_config_exec:s0 diff --git a/vendor/init_thermal_config.te b/vendor/init_thermal_config.te new file mode 100644 index 0000000..343fea2 --- /dev/null +++ b/vendor/init_thermal_config.te @@ -0,0 +1,5 @@ +type init_thermal_config, domain; +type init_thermal_config_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(init_thermal_config); + +set_prop(init_thermal_config, vendor_thermal_prop) \ No newline at end of file From 76a6fad054211247b1ef00266794cad260c2020c Mon Sep 17 00:00:00 2001 
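Review bot: `vendor/init_thermal_config.te` ends without a trailing newline — the `set_prop(init_thermal_config, vendor_thermal_prop)` line is followed by `\ No newline at end of file`. Policy sources from all sepolicy directories are concatenated before compilation, so an unterminated last line relies on the build inserting a separator; ending the file with a newline removes that dependency. The new domain also has no comment; a header such as `# init_thermal_config: started by init, sets vendor_thermal_prop` would record why it exists. The `;` that follows `init_daemon_domain(init_thermal_config)` is absent after `set_prop(...)`; either form works, but one style per file reads better.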
From: Wilson Sung
Date: Tue, 19 Dec 2023 03:51:10 +0000
Subject: [PATCH 24/44] Move fingerprint to each device sepolicy folder Bug: 312322769 Test: make sepolicy Change-Id: I5f0032655f97e01cd18fdabb9d909e9e2295744d
---
 comet-sepolicy.mk | 3 ---
 fingerprint_capacitance/file_contexts | 5 -----
 fingerprint_capacitance/genfs_contexts | 1 -
 {fingerprint_capacitance => vendor}/file.te | 0
 vendor/file_contexts | 5 +++++
 .../fingerprint_factory_service.te | 0
 vendor/genfs_contexts | 1 +
 .../hal_fingerprint_capacitance.te | 0
 {fingerprint_capacitance => vendor}/hwservice.te | 0
 {fingerprint_capacitance => vendor}/hwservice_contexts | 0
 {fingerprint_capacitance => vendor}/servicemanager.te | 0
 {fingerprint_capacitance => vendor}/system_app.te | 0
 {fingerprint_capacitance => vendor}/systemui_app.te | 0
 13 files changed, 6 insertions(+), 9 deletions(-)
 delete mode 100644 fingerprint_capacitance/file_contexts
 delete mode 100644 fingerprint_capacitance/genfs_contexts
 rename {fingerprint_capacitance => vendor}/file.te (100%)
 rename {fingerprint_capacitance => vendor}/fingerprint_factory_service.te (100%)
 rename {fingerprint_capacitance => vendor}/hal_fingerprint_capacitance.te (100%)
 rename {fingerprint_capacitance => vendor}/hwservice.te (100%)
 rename {fingerprint_capacitance => vendor}/hwservice_contexts (100%)
 rename {fingerprint_capacitance => vendor}/servicemanager.te (100%)
 rename {fingerprint_capacitance => vendor}/system_app.te (100%)
 rename {fingerprint_capacitance => vendor}/systemui_app.te (100%)
diff --git a/comet-sepolicy.mk b/comet-sepolicy.mk
index 20454d2..32aa697 100644
--- a/comet-sepolicy.mk
+++ b/comet-sepolicy.mk
@@ -1,5 +1,2 @@
 # sepolicy exclusively for comet.
 BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor
-
-# Fingerprint
-BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/fingerprint_capacitance
diff --git a/fingerprint_capacitance/file_contexts b/fingerprint_capacitance/file_contexts
deleted file mode 100644
index 71db7ed..0000000
--- a/fingerprint_capacitance/file_contexts
+++ /dev/null
@@ -1,5 +0,0 @@
-# FPC AIDL HAL
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42_fw49 u:object_r:hal_fingerprint_capacitance_exec:s0
-
-# FPC HIDL HAL
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0
diff --git a/fingerprint_capacitance/genfs_contexts b/fingerprint_capacitance/genfs_contexts
deleted file mode 100644
index 9fe2a86..0000000
--- a/fingerprint_capacitance/genfs_contexts
+++ /dev/null
@@ -1 +0,0 @@
-genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
diff --git a/fingerprint_capacitance/file.te b/vendor/file.te
similarity index 100%
rename from fingerprint_capacitance/file.te
rename to vendor/file.te
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 29561ab..15fc062 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -30,3 +30,8 @@
 /vendor/bin/hw/gnss-aidl-service_IGnssV2_ISlsiGnssV1 u:object_r:hal_gnss_default_exec:s0
 /vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0
 /vendor/bin/init_thermal_config u:object_r:init_thermal_config_exec:s0
+# FPC AIDL HAL
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42_fw49 u:object_r:hal_fingerprint_capacitance_exec:s0
+
+# FPC HIDL HAL
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0
diff --git a/fingerprint_capacitance/fingerprint_factory_service.te b/vendor/fingerprint_factory_service.te
similarity index 100%
rename from fingerprint_capacitance/fingerprint_factory_service.te
rename to vendor/fingerprint_factory_service.te
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 2759d6f..87d3c63 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -29,3 +29,4 @@ genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/wa # WLC genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/vendor/hal_fingerprint_capacitance.te similarity index 100% rename from fingerprint_capacitance/hal_fingerprint_capacitance.te rename to vendor/hal_fingerprint_capacitance.te diff --git a/fingerprint_capacitance/hwservice.te b/vendor/hwservice.te similarity index 100% rename from fingerprint_capacitance/hwservice.te rename to vendor/hwservice.te diff --git a/fingerprint_capacitance/hwservice_contexts b/vendor/hwservice_contexts similarity index 100% rename from fingerprint_capacitance/hwservice_contexts rename to vendor/hwservice_contexts diff --git a/fingerprint_capacitance/servicemanager.te b/vendor/servicemanager.te similarity index 100% rename from fingerprint_capacitance/servicemanager.te rename to vendor/servicemanager.te diff --git a/fingerprint_capacitance/system_app.te b/vendor/system_app.te similarity index 100% rename from fingerprint_capacitance/system_app.te rename to vendor/system_app.te diff --git a/fingerprint_capacitance/systemui_app.te b/vendor/systemui_app.te similarity index 100% rename from fingerprint_capacitance/systemui_app.te rename to vendor/systemui_app.te From 52692f5cc79e349a4ab213e182f062a0b3115c8e Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 8 Jan 2024 16:51:53 +0800 Subject: [PATCH 25/44] Label and sort wakeup nodes Bug: 318032188 Test: make sepolicy Change-Id: I5477cee657942e1b2eb87f250adba4048c5b7696 --- vendor/genfs_contexts | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 87d3c63..c9ef15a 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -23,10 +23,22 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply u:object_r:sysfs_batteryinfo:s0 # wake up nodes +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply/maxfg_secondary/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply/maxfg_secondary/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gnssif/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/power/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/wakeup u:object_r:sysfs_wakeup:s0 - +genfscon sysfs /devices/platform/odm/odm:fp_fpc1020/wakeup 
u:object_r:sysfs_wakeup:s0 # WLC genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 From 6b25e7527caa628e7b757c3edd7243854e36a96c Mon Sep 17 00:00:00 2001 From: eddielan Date: Fri, 12 Jan 2024 08:18:53 +0000 Subject: [PATCH 26/44] fingerprint: Allow fps to access wakeup node 01-12 08:01:43.652 1852 1852 W android.hardwar: type=1400 audit(0.0:38): avc: denied { write } for name="wakeup_enable" dev="sysfs" ino=97986 scontext=u:r:hal_fingerprint_capacitance:s0 tcontext=u:object_r:sysfs_wakeup:s0 tclass=file permissive=0 Bug: 319578405 Test: Build pass & check on device Change-Id: I31380020ac5fe61bb976954d03a9449bbe6c287d --- vendor/hal_fingerprint_capacitance.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_fingerprint_capacitance.te b/vendor/hal_fingerprint_capacitance.te index 06a1ac1..21a86c7 100644 --- a/vendor/hal_fingerprint_capacitance.te +++ b/vendor/hal_fingerprint_capacitance.te @@ -10,6 +10,9 @@ allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms; allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms; allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms; +# allow fingerprint to access wakeup node +allow hal_fingerprint_capacitance sysfs_wakeup:file rw_file_perms; + # allow fingerprint to access power hal hal_client_domain(hal_fingerprint_capacitance, hal_power); From 9b03fffd65ad47f1eab46b85a122e66ec4fa2cdf Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Thu, 25 Jan 2024 17:17:34 +0800 Subject: [PATCH 27/44] sepolicy: label required display paths for hal_power_stats Bug: 321871758 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: Ic7f4271730b851194eaf42d3752c834ae85831bc Signed-off-by: Darren Hsu --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index c9ef15a..738c892 100644 
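Review bot: `allow hal_fingerprint_capacitance sysfs_wakeup:file rw_file_perms;` opens every file labelled sysfs_wakeup to the fingerprint HAL, and PATCH 25 puts the battery-gauge, wireless-charger, touch and gnssif wakeup nodes under that same label, while the denial quoted in the commit message is a single `write` to `wakeup_enable`. genfscon entries match by path prefix, so the `/devices/platform/odm/odm:fp_fpc1020/wakeup` entry from PATCH 25 probably also captures `wakeup_enable` and moved it out of sysfs_fingerprint (inferred; the denial does not show the full path). If so, a longer entry such as `genfscon sysfs /devices/platform/odm/odm:fp_fpc1020/wakeup_enable u:object_r:sysfs_fingerprint:s0` would let the existing `sysfs_fingerprint:file rw_file_perms` rule cover the write, and this new allow could be dropped. The policy file continues outside the hunk.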
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -1,4 +1,5 @@
 # Display
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/gamma u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
@@ -11,6 +12,7 @@ genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extin
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_model u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0
From 13470b8cec3a6620e680b1727fa4478f12060c2d Mon Sep 17 00:00:00 2001
From: Wayne Lin Date: Sat, 13 Jan 2024 11:15:53 +0800 Subject: [PATCH 28/44] gps: refine iGNSS build system - sepolicy Bug: 318310869 Bug: 315915958 Test: build pass and GPS function works Change-Id: Ie98482de964c8478f94886cd1494c6362e2c86d9 --- vendor/file_contexts | 11 ----------- vendor/gnss_check.te | 9 --------- vendor/gnssd.te | 23 ----------------------- vendor/hal_gnss_default.te | 3 --- vendor/rild.te | 1 - vendor/sctd.te | 3 --- vendor/spad.te | 3 --- vendor/swcnd.te | 3 --- 8 files changed, 56 deletions(-) delete mode 100644 vendor/gnss_check.te delete mode 100644 vendor/gnssd.te delete mode 100644 vendor/hal_gnss_default.te delete mode 100644 vendor/rild.te delete mode 100644 vendor/sctd.te delete mode 100644 vendor/spad.te delete mode 100644 vendor/swcnd.te diff --git a/vendor/file_contexts b/vendor/file_contexts index 15fc062..e225278 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,8 +1,3 @@ -# GPS -/dev/gnss_ipc u:object_r:vendor_gnss_device:s0 -/dev/gnss_boot u:object_r:vendor_gnss_device:s0 -/dev/gnss_dump u:object_r:vendor_gnss_device:s0 - # Devices /dev/lwis-act-cornerfolk u:object_r:lwis_device:s0 /dev/lwis-act-jotnar u:object_r:lwis_device:s0 @@ -23,12 +18,6 @@ /dev/lwis-tof-tarasque u:object_r:lwis_device:s0 # Services -/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0 -/vendor/bin/hw/sctd u:object_r:sctd_exec:s0 -/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0 -/vendor/bin/hw/spad u:object_r:spad_exec:s0 -/vendor/bin/hw/gnss-aidl-service_IGnssV2_ISlsiGnssV1 u:object_r:hal_gnss_default_exec:s0 -/vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0 /vendor/bin/init_thermal_config u:object_r:init_thermal_config_exec:s0 # FPC AIDL HAL /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42_fw49 u:object_r:hal_fingerprint_capacitance_exec:s0 diff --git a/vendor/gnss_check.te b/vendor/gnss_check.te deleted file mode 100644 index 31d0944..0000000 --- a/vendor/gnss_check.te +++ /dev/null 
@@ -1,9 +0,0 @@ -type gnss_check, domain; -type gnss_check_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(gnss_check); - -allow gnss_check vendor_toolbox_exec:file { execute_no_trans }; - -set_prop(gnss_check, ctl_stop_prop); -set_prop(gnss_check, ctl_start_prop); diff --git a/vendor/gnssd.te b/vendor/gnssd.te deleted file mode 100644 index ea16762..0000000 --- a/vendor/gnssd.te +++ /dev/null @@ -1,23 +0,0 @@ -type gnssd, domain; -type gnssd_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(gnssd); - -# Allow gnssd to access rild -binder_call(gnssd, rild); -# binder_call(gnssd, hwservicemanager) -allow gnssd hal_exynos_rild_hwservice:hwservice_manager find; -allow gnssd radio_device:chr_file rw_file_perms; - -# Allow gnssd to acess gnss device -allow gnssd vendor_gnss_device:chr_file rw_file_perms; -allow gnssd vendor_gps_file:dir create_dir_perms; -allow gnssd vendor_gps_file:file create_file_perms; -allow gnssd vendor_gps_file:fifo_file create_file_perms; - -get_prop(gnssd, bootanim_system_prop) - -# Allow gnssd to obtain wakelock -wakelock_use(gnssd) - -# Allow a base set of permissions required for network access. -net_domain(gnssd); diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te deleted file mode 100644 index bf1a564..0000000 --- a/vendor/hal_gnss_default.te +++ /dev/null @@ -1,3 +0,0 @@ -binder_call(hal_gnss_default, gnssd); - -allow hal_gnss_default gnssd:unix_stream_socket connectto; diff --git a/vendor/rild.te b/vendor/rild.te deleted file mode 100644 index c620a19..0000000 --- a/vendor/rild.te +++ /dev/null @@ -1 +0,0 @@ -binder_call(rild, gnssd) diff --git a/vendor/sctd.te b/vendor/sctd.te deleted file mode 100644 index 8966ef8..0000000 --- a/vendor/sctd.te +++ /dev/null @@ -1,3 +0,0 @@ -type sctd, domain; -type sctd_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(sctd); diff --git a/vendor/spad.te b/vendor/spad.te deleted file mode 100644 index eaf8b1c..0000000 
--- a/vendor/spad.te +++ /dev/null @@ -1,3 +0,0 @@ -type spad, domain; -type spad_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(spad); diff --git a/vendor/swcnd.te b/vendor/swcnd.te deleted file mode 100644 index c366cad..0000000 --- a/vendor/swcnd.te +++ /dev/null @@ -1,3 +0,0 @@ -type swcnd, domain; -type swcnd_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(swcnd); From d3fe6924aa6a8a855dfa72758faf5856cce5d53d Mon Sep 17 00:00:00 2001 From: Mark Chang Date: Mon, 19 Feb 2024 05:31:15 +0000 Subject: [PATCH 29/44] Add device specific entry back. Bug: 325422902 Test: Manual, system booted without sepolicy denied error. Change-Id: Ife1ceda42146f2021cf15015a25a8bf6f0a754b0 Signed-off-by: Mark Chang --- vendor/file_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index e225278..986bc06 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -24,3 +24,6 @@ # FPC HIDL HAL /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 + +# Touch +/dev/touch_offload_outer u:object_r:touch_offload_device:s0 From 09458f6fc005f6ea680758e9c44ad7075454c7b5 Mon Sep 17 00:00:00 2001 From: derickhong Date: Tue, 27 Feb 2024 16:19:22 +0800 Subject: [PATCH 30/44] Allow HWC to access display refresh control Bug: 326869289 Test: adb shell dmesg | grep avc ; adb logcat -d | grep avc Change-Id: I353139e97728486f2a8b6c5f593cddf51adb7804 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 738c892..a99a07e 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -12,6 +12,7 @@ genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extin genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/refresh_ctrl u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_model u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 From d6ab9d280aff0e1d732043824021d9f7e10ef159 Mon Sep 17 00:00:00 2001 From: Liana Kazanova Date: Tue, 27 Feb 2024 21:11:56 +0000 Subject: [PATCH 31/44] Revert "Add device specific entry back." Revert submission 26288713-twoshay-sepolicy-24 Reason for revert: DroidMonitor: Potential culprit for b/327235315 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted. Bug:327235315 Reverted changes: /q/submissionid:26288713-twoshay-sepolicy-24 Change-Id: I651bf3e08f3c97aad8627d4d471a4ee97e3b2d44 --- vendor/file_contexts | 3 --- 1 file changed, 3 deletions(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index 986bc06..e225278 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -24,6 +24,3 @@ # FPC HIDL HAL /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 - -# Touch -/dev/touch_offload_outer u:object_r:touch_offload_device:s0 From c65c61945878c8ea5fab6abf2483ae615260b664 Mon Sep 17 00:00:00 2001 
From: Mark Chang Date: Fri, 1 Mar 2024 11:55:01 +0000 Subject: [PATCH 32/44] Add device specific entry back. Bug: 325422902 Test: Manual, system booted without sepolicy denied error. Change-Id: I2373f111c9b6abd064a1095b004caae3be525361 Signed-off-by: Mark Chang --- vendor/file_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index e225278..b75d378 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -24,3 +24,6 @@ # FPC HIDL HAL /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 + +# Touch +/dev/touch_offload_outer u:object_r:touch_offload_device:s0 From 7cf67c1e9ae4e1864ff65e865ff74902687a5454 Mon Sep 17 00:00:00 2001 From: derickhong Date: Tue, 27 Feb 2024 16:19:22 +0800 Subject: [PATCH 33/44] Allow HWC to access display refresh control Bug: 326869289 Test: adb shell dmesg | grep avc ; adb logcat -d | grep avc Change-Id: I353139e97728486f2a8b6c5f593cddf51adb7804 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 738c892..a99a07e 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -12,6 +12,7 @@ genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extin
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/refresh_ctrl u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_model u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
From 229a44dbf90dd66ea71ef55fd6ec8f71522f82e7 Mon Sep 17 00:00:00 2001
From: Cheng Chang
Date: Tue, 2 Apr 2024 09:02:39 +0000
Subject: [PATCH 34/44] sepolicy: Move the gnssif/wakeup to zumapro Bug: 329334328 Test: abtd device-boot-health-check-extra under b/329334328. Test: boot and check the logcat avc. Change-Id: Ieb02d6232186a3d0ee43b2b6c96b0db7ad4534f9
---
 vendor/genfs_contexts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index a99a07e..a31bd55 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -38,7 +38,6 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wire
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/power/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/gnssif/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/power/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/odm/odm:fp_fpc1020/wakeup u:object_r:sysfs_wakeup:s0
From 203b4dd470cbd7ee0505c83f170d56a7ace4231f Mon Sep 17 00:00:00 2001
From: Kevin Ying
Date: Mon, 22 Apr 2024 22:29:53 +0000
Subject: [PATCH 35/44] Add sepolicy for power_state node Bug: 329703995 Test: manual - used camera Change-Id: I3764557b98334ec73ba94a691f0cbdbacb5c8400 Signed-off-by: Kevin Ying
---
 vendor/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index a31bd55..fd9ff7a 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -8,6 +8,7 @@ genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_need_
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/op_hz u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/hs_clock u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/power_state u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
From 221e792107b48988a2747a9143685d68728f133d Mon Sep 17 00:00:00 2001
From: YiKai Peng
Date: Fri, 26 Apr 2024 13:05:02 +0000
Subject: [PATCH 36/44] selinux: move wlc 0x61 wakeup to zumapro Bug: 335557235 Test: v2/pixel-health-guard/device-boot-health-check-extra Change-Id: I1ad5bf17dae71ec5e8b6756a8eadf26878afad22 Signed-off-by: YiKai Peng
---
 vendor/genfs_contexts | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index a31bd55..4979b1a 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -32,10 +32,6 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power/wakeup
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply/maxfg_secondary/power/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply/maxfg_secondary/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/power/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/power/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/power/wakeup u:object_r:sysfs_wakeup:s0
From 9667a21442b25639f3e79c39fc05faa6fffd12e1 Mon Sep 17 00:00:00 2001
From: Frank Yu
Date: Wed, 24 Apr 2024 12:22:50 +0000
Subject: [PATCH 37/44] Support register AntennaTuningService. The devices uses RadioExt 1.7 should have grilservice_app register antennaTuningCallbacks. The avc error log: avc: denied { find } for pid=3441 uid=10273 name=com.google.input.algos.gril.IGrilAntennaTuningService/default scontext=u:r:grilservice_app:s0:c17,c257,c512,c768 tcontext=u:object_r:gril_antenna_tuning_service:s0 tclass=service_manager permissive=0 [ 22.019071] type=1400 audit(1714448048.956:7): avc: denied { call } for comm="pool-2-thread-1" scontext=u:r:grilservice_app:s0:c254,c256,c512,c768 tcontext=u:r:twoshay:s0 tclass=binder permissive=0 app=com.google.android.grilservice Test: Manual. Without sepolicy error. Bug: 321790599 Change-Id: Ie2cecaea493d37cd3009bcf9bab942a62212641f
---
 vendor/grilservice_app.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 vendor/grilservice_app.te
diff --git a/vendor/grilservice_app.te b/vendor/grilservice_app.te
new file mode 100644
index 0000000..792dae4
--- /dev/null
+++ b/vendor/grilservice_app.te
@@ -0,0 +1,2 @@
+allow grilservice_app gril_antenna_tuning_service:service_manager find;
+binder_call(grilservice_app, twoshay)
From 432fb7298d14b59411e261b21fd5261023f0da21 Mon Sep 17 00:00:00 2001
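Review bot: Neither rule in the new `vendor/grilservice_app.te` is commented, so the reason for each grant lives only in the commit message. I would add `# Look up IGrilAntennaTuningService to register antenna tuning callbacks` above the `service_manager find` rule and `# The service appears to be hosted by twoshay (see the denial in b/321790599)` above `binder_call(grilservice_app, twoshay)`. The binder `call` permission is granted per domain, so at the SELinux layer it is not limited to this one service; saying so in the comment helps a later audit of twoshay's callers.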
From: jimsun
Date: Fri, 17 May 2024 09:48:34 +0800
Subject: [PATCH 38/44] Allow vendor_init to set setupwizard prop 05-16 17:07:33.099472 root 351 351 E init : Unable to set property 'setupwizard.feature.provisioning_profile_mode' from uid:0 gid:0 pid:352: SELinux permission check failed 05-16 17:07:33.095723 root 352 352 W libc : Unable to set property "setupwizard.feature.provisioning_profile_mode" to "true": error code: 0x18 Bug: 339918070 Test: manual Change-Id: Ie1737d7632e11de9750305df4255da55b4a0c426
---
 comet-sepolicy.mk | 4 ++++
 system_ext/private/gmscore_app.te | 2 ++
 system_ext/private/priv_app.te | 2 ++
 system_ext/private/property_contexts | 2 ++
 system_ext/public/property.te | 2 ++
 vendor/vendor_init.te | 3 +++
 6 files changed, 15 insertions(+)
 create mode 100644 system_ext/private/gmscore_app.te
 create mode 100644 system_ext/private/priv_app.te
 create mode 100644 system_ext/private/property_contexts
 create mode 100644 system_ext/public/property.te
diff --git a/comet-sepolicy.mk b/comet-sepolicy.mk
index 32aa697..3ffaa05 100644
--- a/comet-sepolicy.mk
+++ b/comet-sepolicy.mk
@@ -1,2 +1,6 @@
 # sepolicy exclusively for comet.
 BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/private
diff --git a/system_ext/private/gmscore_app.te b/system_ext/private/gmscore_app.te
new file mode 100644
index 0000000..4dc1639
--- /dev/null
+++ b/system_ext/private/gmscore_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(gmscore_app, setupwizard_feature_prop)
diff --git a/system_ext/private/priv_app.te b/system_ext/private/priv_app.te
new file mode 100644
index 0000000..90bc371
--- /dev/null
+++ b/system_ext/private/priv_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
new file mode 100644
index 0000000..464a289
--- /dev/null
+++ b/system_ext/private/property_contexts
@@ -0,0 +1,2 @@
+# setupwizard
+setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
new file mode 100644
index 0000000..96cb3b3
--- /dev/null
+++ b/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# setupwizard
+system_public_prop(setupwizard_feature_prop)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 91d16a9..0af5c8a 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -1,2 +1,5 @@
 # Camera vendor property
 set_prop(vendor_init, vendor_camera_debug_prop)
+
+# setupwizard
+set_prop(vendor_init, setupwizard_feature_prop)
From 28599c27ff189184e34d03c4893a33da83cf8683 Mon Sep 17 00:00:00 2001
From: Kiwon Park
Date: Thu, 6 Jun 2024 17:36:40 +0000
Subject: [PATCH 39/44] Revert "Allow vendor_init to set setupwizard prop" This reverts commit 432fb7298d14b59411e261b21fd5261023f0da21. Reason for revert: consolidating it in zumapro sepolicy: ag/27701196 Bug: 336903409 Change-Id: I0ee3ff036b5d51b532c59e427ca2b3942b5377ee
---
 comet-sepolicy.mk | 4 ----
 system_ext/private/gmscore_app.te | 2 --
 system_ext/private/priv_app.te | 2 --
 system_ext/private/property_contexts | 2 --
 system_ext/public/property.te | 2 --
 vendor/vendor_init.te | 3 ---
 6 files changed, 15 deletions(-)
 delete mode 100644 system_ext/private/gmscore_app.te
 delete mode 100644 system_ext/private/priv_app.te
 delete mode 100644 system_ext/private/property_contexts
 delete mode 100644 system_ext/public/property.te
diff --git a/comet-sepolicy.mk b/comet-sepolicy.mk
index 3ffaa05..32aa697 100644
--- a/comet-sepolicy.mk
+++ b/comet-sepolicy.mk
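Review bot: The new `property_contexts` entry for `setupwizard.feature.provisioning_profile_mode` carries no match kind or value type, so it is treated as a prefix match and any longer property name beginning with that string also receives `setupwizard_feature_prop`. Because `property.te` declares the type with `system_public_prop` and `vendor_init.te` grants `set_prop`, the label is writable from the vendor side; pinning the entry keeps that write surface to the single boolean the commit log shows being set to "true". I would write it as `setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0 exact bool`.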
@@ -1,6 +1,2 @@
 # sepolicy exclusively for comet.
 BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor
-
-# system_ext
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/private
diff --git a/system_ext/private/gmscore_app.te b/system_ext/private/gmscore_app.te
deleted file mode 100644
index 4dc1639..0000000
--- a/system_ext/private/gmscore_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow to read setupwizard_feature_prop
-get_prop(gmscore_app, setupwizard_feature_prop)
diff --git a/system_ext/private/priv_app.te b/system_ext/private/priv_app.te
deleted file mode 100644
index 90bc371..0000000
--- a/system_ext/private/priv_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow to read setupwizard_feature_prop
-get_prop(priv_app, setupwizard_feature_prop)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
deleted file mode 100644
index 464a289..0000000
--- a/system_ext/private/property_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# setupwizard
-setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
deleted file mode 100644
index 96cb3b3..0000000
--- a/system_ext/public/property.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# setupwizard
-system_public_prop(setupwizard_feature_prop)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 0af5c8a..91d16a9 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -1,5 +1,2 @@
 # Camera vendor property
 set_prop(vendor_init, vendor_camera_debug_prop)
-
-# setupwizard
-set_prop(vendor_init, setupwizard_feature_prop)
From dd5d44c6f6570e9b21709444751e795662f1dcb0 Mon Sep 17 00:00:00 2001
From: Kiwon Park Date: Thu, 6 Jun 2024 17:36:40 +0000 Subject: [PATCH 40/44] Revert "Allow vendor_init to set setupwizard prop" This reverts commit 432fb7298d14b59411e261b21fd5261023f0da21. Reason for revert: consolidating it in zumapro sepolicy: ag/27701196 Bug: 336903409 Change-Id: I0ee3ff036b5d51b532c59e427ca2b3942b5377ee Merged-In: I0ee3ff036b5d51b532c59e427ca2b3942b5377ee
---
 comet-sepolicy.mk | 4 ----
 system_ext/private/gmscore_app.te | 2 --
 system_ext/private/priv_app.te | 2 --
 system_ext/private/property_contexts | 2 --
 system_ext/public/property.te | 2 --
 vendor/vendor_init.te | 3 ---
 6 files changed, 15 deletions(-)
 delete mode 100644 system_ext/private/gmscore_app.te
 delete mode 100644 system_ext/private/priv_app.te
 delete mode 100644 system_ext/private/property_contexts
 delete mode 100644 system_ext/public/property.te
diff --git a/comet-sepolicy.mk b/comet-sepolicy.mk
index 3ffaa05..32aa697 100644
--- a/comet-sepolicy.mk
+++ b/comet-sepolicy.mk
@@ -1,6 +1,2 @@
 # sepolicy exclusively for comet.
 BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor
-
-# system_ext
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/private
diff --git a/system_ext/private/gmscore_app.te b/system_ext/private/gmscore_app.te
deleted file mode 100644
index 4dc1639..0000000
--- a/system_ext/private/gmscore_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow to read setupwizard_feature_prop
-get_prop(gmscore_app, setupwizard_feature_prop)
diff --git a/system_ext/private/priv_app.te b/system_ext/private/priv_app.te
deleted file mode 100644
index 90bc371..0000000
--- a/system_ext/private/priv_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow to read setupwizard_feature_prop
-get_prop(priv_app, setupwizard_feature_prop)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
deleted file mode 100644
index 464a289..0000000
--- a/system_ext/private/property_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# setupwizard
-setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
deleted file mode 100644
index 96cb3b3..0000000
--- a/system_ext/public/property.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# setupwizard
-system_public_prop(setupwizard_feature_prop)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 0af5c8a..91d16a9 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -1,5 +1,2 @@
 # Camera vendor property
 set_prop(vendor_init, vendor_camera_debug_prop)
-
-# setupwizard
-set_prop(vendor_init, setupwizard_feature_prop)
From 4dffc584be8b0ad3d187a590caf477fbcfa7507b Mon Sep 17 00:00:00 2001
From: Zheng Pan Date: Wed, 12 Jun 2024 12:21:16 -0700 Subject: [PATCH 41/44] Add DP wakeup file permission Bug: 346660264 Test: None Change-Id: I8f85b79aedc640d22982855a099b2448f93b29a3 Merged-In: I8f85b79aedc640d22982855a099b2448f93b29a3
---
 vendor/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index fd9ff7a..15960d0 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -37,6 +37,7 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power/wakeup
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/power/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/power/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/power/wakeup u:object_r:sysfs_wakeup:s0
From 423a870ad43ef049945c63c9f8157b46af12210d Mon Sep 17 00:00:00 2001
From: Zheng Pan Date: Wed, 12 Jun 2024 12:21:16 -0700 Subject: [PATCH 42/44] Add DP wakeup file permission Bug: 346660264 Test: None Change-Id: I8f85b79aedc640d22982855a099b2448f93b29a3
---
 vendor/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 9f1faca..da67863 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
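Review bot: The added `110f0000.drmdp/wakeup` entry in vendor/genfs_contexts (PATCH 41/44) has no `power/wakeup` counterpart, whereas the neighbouring devices in the hunk (`10-0061`, `synaptics_tcm.0`) label both paths as `sysfs_wakeup`. If the DP driver's wakeup node can also appear under `110f0000.drmdp/power/wakeup` on the kernels this device ships, that path would keep the default sysfs label. The commit message says `Test: None`, so it is worth checking on a device which path is exposed and, if needed, adding `genfscon sysfs /devices/platform/110f0000.drmdp/power/wakeup u:object_r:sysfs_wakeup:s0`. The identical hunk in PATCH 42/44 raises the same question.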
@@ -33,6 +33,7 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power/wakeup
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply/maxfg_secondary/power/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/power_supply/maxfg_secondary/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0036/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/power/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/111c0000.spi/spi_master/spi19/spi19.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/power/wakeup u:object_r:sysfs_wakeup:s0
From 2eea667ffc845312950f22ee00a0057177188d18 Mon Sep 17 00:00:00 2001
From: Kiwon Park Date: Thu, 13 Jun 2024 17:24:00 +0000 Subject: [PATCH 43/44] Revert^2 "Allow vendor_init to set setupwizard prop" This reverts commit 28599c27ff189184e34d03c4893a33da83cf8683. Reason for revert: Doesn't fix the issues in factory testing Change-Id: I7a46078fb68b61b608296c1a1c509dd5cedfd1e2
---
 comet-sepolicy.mk | 4 ++++
 system_ext/private/gmscore_app.te | 2 ++
 system_ext/private/priv_app.te | 2 ++
 system_ext/private/property_contexts | 2 ++
 system_ext/public/property.te | 2 ++
 vendor/vendor_init.te | 3 +++
 6 files changed, 15 insertions(+)
 create mode 100644 system_ext/private/gmscore_app.te
 create mode 100644 system_ext/private/priv_app.te
 create mode 100644 system_ext/private/property_contexts
 create mode 100644 system_ext/public/property.te
diff --git a/comet-sepolicy.mk b/comet-sepolicy.mk
index 32aa697..3ffaa05 100644
--- a/comet-sepolicy.mk
+++ b/comet-sepolicy.mk
@@ -1,2 +1,6 @@
 # sepolicy exclusively for comet.
 BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/private
diff --git a/system_ext/private/gmscore_app.te b/system_ext/private/gmscore_app.te
new file mode 100644
index 0000000..4dc1639
--- /dev/null
+++ b/system_ext/private/gmscore_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(gmscore_app, setupwizard_feature_prop)
diff --git a/system_ext/private/priv_app.te b/system_ext/private/priv_app.te
new file mode 100644
index 0000000..90bc371
--- /dev/null
+++ b/system_ext/private/priv_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
new file mode 100644
index 0000000..464a289
--- /dev/null
+++ b/system_ext/private/property_contexts
@@ -0,0 +1,2 @@
+# setupwizard
+setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
new file mode 100644
index 0000000..96cb3b3
--- /dev/null
+++ b/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# setupwizard
+system_public_prop(setupwizard_feature_prop)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 91d16a9..0af5c8a 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -1,2 +1,5 @@
 # Camera vendor property
 set_prop(vendor_init, vendor_camera_debug_prop)
+
+# setupwizard
+set_prop(vendor_init, setupwizard_feature_prop)
From d6b057332c0969aebbc73e9f2e1d186a556c001a Mon Sep 17 00:00:00 2001
From: Achigo Liu Date: Thu, 13 Jun 2024 16:23:50 +0000 Subject: [PATCH 44/44] Revert^2 "Allow vendor_init to set setupwizard prop" dd5d44c6f6570e9b21709444751e795662f1dcb0 Change-Id: Id32f5409e88e377f96c0e774a13bbb2cec246bfa Merged-In: I7a46078fb68b61b608296c1a1c509dd5cedfd1e2
---
 comet-sepolicy.mk | 4 ++++
 system_ext/private/gmscore_app.te | 2 ++
 system_ext/private/priv_app.te | 2 ++
 system_ext/private/property_contexts | 2 ++
 system_ext/public/property.te | 2 ++
 vendor/vendor_init.te | 3 +++
 6 files changed, 15 insertions(+)
 create mode 100644 system_ext/private/gmscore_app.te
 create mode 100644 system_ext/private/priv_app.te
 create mode 100644 system_ext/private/property_contexts
 create mode 100644 system_ext/public/property.te
diff --git a/comet-sepolicy.mk b/comet-sepolicy.mk
index 32aa697..3ffaa05 100644
--- a/comet-sepolicy.mk
+++ b/comet-sepolicy.mk
@@ -1,2 +1,6 @@
 # sepolicy exclusively for comet.
 BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/comet-sepolicy/system_ext/private
diff --git a/system_ext/private/gmscore_app.te b/system_ext/private/gmscore_app.te
new file mode 100644
index 0000000..4dc1639
--- /dev/null
+++ b/system_ext/private/gmscore_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(gmscore_app, setupwizard_feature_prop)
diff --git a/system_ext/private/priv_app.te b/system_ext/private/priv_app.te
new file mode 100644
index 0000000..90bc371
--- /dev/null
+++ b/system_ext/private/priv_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
new file mode 100644
index 0000000..464a289
--- /dev/null
+++ b/system_ext/private/property_contexts
@@ -0,0 +1,2 @@
+# setupwizard
+setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
new file mode 100644
index 0000000..96cb3b3
--- /dev/null
+++ b/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# setupwizard
+system_public_prop(setupwizard_feature_prop)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 91d16a9..0af5c8a 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -1,2 +1,5 @@
 # Camera vendor property
 set_prop(vendor_init, vendor_camera_debug_prop)
+
+# setupwizard
+set_prop(vendor_init, setupwizard_feature_prop)