From 8ad4c5c9b97421f35cb709da573806de71e47a87 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Wed, 30 Oct 2024 17:03:14 +0800 Subject: [PATCH 1/3] RamdumpService: Update the SELinux policy for Flood Control to use Firebase Cloud Firestore. Bug: 369260803 Design: go/fc-app-server Flag: NONE N/A Change-Id: Iebc91446aad59e2ed4e995fc5fc8fd3a45e0dc6f --- ramdump_and_coredump/sepolicy/ramdump_app.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ramdump_and_coredump/sepolicy/ramdump_app.te b/ramdump_and_coredump/sepolicy/ramdump_app.te index 85d4bfd..9eebc98 100644 --- a/ramdump_and_coredump/sepolicy/ramdump_app.te +++ b/ramdump_and_coredump/sepolicy/ramdump_app.te @@ -1,8 +1,12 @@ +# SEpolicy for com.android.ramdump type ramdump_app, domain; userdebug_or_eng(` app_domain(ramdump_app) + # For using Firebase Cloud Firestore + net_domain(ramdump_app) + allow ramdump_app app_api_service:service_manager find; allow ramdump_app ramdump_vendor_data_file:file create_file_perms; From 5c50ccab628834d912fc873886cd92a36ca92302 Mon Sep 17 00:00:00 2001 
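Review bot: The added `net_domain(ramdump_app)` puts the domain in the netdomain attribute, which in AOSP carries broad socket permissions rather than anything scoped to one backend, while the comment only says "For using Firebase Cloud Firestore"; two context lines below, the same domain keeps `create_file_perms` on ramdump_vendor_data_file, so one domain now both holds crash-dump contents and has network reach, and the hunk documents neither what data is meant to leave the device nor why a narrower grant was not possible. The rule sits inside the `userdebug_or_eng(` block, whose closing `')` lies outside the hunk, so it should not apply to user builds; I would state that and the intended payload in the comment, e.g. `# For using Firebase Cloud Firestore (flood-control metadata only; gated to userdebug/eng by the enclosing macro)`. It would also help to record in the commit message which endpoints the app is expected to reach so a later reader can judge whether the broad grant is still justified.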
From: timmyli Date: Tue, 5 Nov 2024 06:38:20 +0000 Subject: [PATCH 2/3] Add permissions for GCA to access various services app_api_service gives access to blanket app service permissions. The more specific ones are listed in logs below. Bug: 370899024 Bug: 375958865 Test: manual test with GCA to verify permissions Flag: EXEMPT refactor Specific logs: 11-05 01:13:34.640 332 332 E SELinux : avc: denied { find } for pid=5493 uid=10155 name=media.player scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager permissive=1 11-05 01:13:34.641 332 332 E SELinux : avc: denied { find } for pid=5493 uid=10155 name=media.camera scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=1 11-05 01:29:31.002 326 326 E SELinux : avc: denied { find } for pid=5465 uid=10155 name=media.metrics scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:mediametrics_service:s0 tclass=service_manager permissive=1 11-05 01:29:31.498 326 326 E SELinux : avc: denied { find } for pid=5465 uid=10155 name=media.extractor scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:mediaextractor_service:s0 tclass=service_manager permissive=1 11-05 01:29:30.961 326 326 E SELinux : avc: denied { find } for pid=5465 uid=10155 name=media.audio_flinger scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:audioserver_service:s0 tclass=service_manager permissive=1 Logs from app services blanket granted by app_api_service 10-28 02:25:22.057 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=content scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:content_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.953 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=connectivity scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 
tcontext=u:object_r:connectivity_service:s0 tclass=service_manager permissive=1 10-28 02:25:22.577 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=power scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:power_service:s0 tclass=service_manager permissive=1 10-28 02:25:22.062 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=notification scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:notification_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.988 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=appops scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:appops_service:s0 tclass=service_manager permissive=1 10-28 02:25:22.014 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=user scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:user_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.852 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=display scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:display_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.998 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=jobscheduler scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:jobscheduler_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.855 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=network_management scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:network_management_service:s0 tclass=service_manager permissive=1 10-02 05:40:18.428 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=content_capture scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.270 355 355 I auditd : avc: denied { find } for pid=9560 
uid=10129 name=device_policy scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:device_policy_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.215 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=sensorservice scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:sensorservice_service:s0 tclass=service_manager permissive=1 10-02 05:40:18.166 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=netstats scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.219 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=virtualdevice_native scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:virtual_device_native_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.230 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=thermalservice scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:thermal_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.224 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=media.camera scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.214 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=media.player scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.485 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=backup scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:backup_service:s0 tclass=service_manager permissive=1 10-02 05:40:17.920 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=activity scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:activity_service:s0 
tclass=service_manager permissive=1 10-02 05:40:19.511 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=device_state scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:device_state_service:s0 tclass=service_manager permissive=1 Change-Id: I9bd98af328f948152c89f9f2c3a066a951f4aaad --- .../sepolicy/product/private/google_camera_app.te | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/gcam_app/sepolicy/product/private/google_camera_app.te b/gcam_app/sepolicy/product/private/google_camera_app.te index a4c7a79..2d3d73c 100644 --- a/gcam_app/sepolicy/product/private/google_camera_app.te +++ b/gcam_app/sepolicy/product/private/google_camera_app.te @@ -3,12 +3,12 @@ typeattribute google_camera_app coredomain; app_domain(google_camera_app) net_domain(google_camera_app) -#allow google_camera_app app_api_service:service_manager find; -#allow google_camera_app audioserver_service:service_manager find; -#allow google_camera_app cameraserver_service:service_manager find; -#allow google_camera_app mediaextractor_service:service_manager find; -#allow google_camera_app mediametrics_service:service_manager find; -#allow google_camera_app mediaserver_service:service_manager find; +allow google_camera_app app_api_service:service_manager find; +allow google_camera_app audioserver_service:service_manager find; +allow google_camera_app cameraserver_service:service_manager find; +allow google_camera_app mediaextractor_service:service_manager find; +allow google_camera_app mediametrics_service:service_manager find; +allow google_camera_app mediaserver_service:service_manager find; # Allows GCA to access the PowerHAL. hal_client_domain(google_camera_app, hal_power) From 8d4f1c1f07019f3a968b4e9a119a88513c4a585d Mon Sep 17 00:00:00 2001 
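Review bot: The re-enabled `allow google_camera_app app_api_service:service_manager find;` grants lookup of every service carrying the app_api_service attribute, which the commit message itself calls a blanket grant, yet the hunk adds no comment explaining why the attribute was chosen over the concrete service types the logs name (content_service, power_service, notification_service, jobscheduler_service and the rest). Every cited denial was collected with `permissive=1`, so the list records what the app attempted, not what it needs to work; I would re-test in enforcing mode and keep only the rules whose absence actually breaks GCA. The six lines were previously commented out and the hunk does not say why, so a one-line note such as `# Service lookups needed by GCA (bug 370899024, bug 375958865); app_api_service covers the framework services listed there.` would help the next reader. The `typeattribute google_camera_app coredomain;` text after the hunk header is header context, and the file's remaining rules lie outside the hunk.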
From: KRIS CHEN
Date: Tue, 5 Nov 2024 09:31:29 +0000
Subject: [PATCH 3/3] Allow fingerprint HAL to access IGoodixFingerprintDaemon
Fix the following avc denial: avc: denied { add } for pid=1285 uid=1000 name=vendor.goodix.hardware.biometrics.fingerprint.IGoodixFingerprintDaemon/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
Flag: EXEMPT NDK
Bug: 376602341
Test: boot with no relevant error
Change-Id: I12b5824d239bb3b55bb82fb50b9f6fc4c38b36c5
---
 fingerprint/sepolicy/service_contexts | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 fingerprint/sepolicy/service_contexts
diff --git a/fingerprint/sepolicy/service_contexts b/fingerprint/sepolicy/service_contexts
new file mode 100644
index 0000000..4cc220f
--- /dev/null
+++ b/fingerprint/sepolicy/service_contexts
@@ -0,0 +1,2 @@
+# Fingerprint HAL extension
+vendor.goodix.hardware.biometrics.fingerprint.IGoodixFingerprintDaemon/default u:object_r:hal_fingerprint_service:s0
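Review bot: Labeling the vendor-private `IGoodixFingerprintDaemon/default` interface as `hal_fingerprint_service` reuses what I believe is the type of the standard fingerprint HAL AIDL service, so every domain the core policy allows to `find` hal_fingerprint_service can now look up this Goodix daemon as well, although the denial only shows hal_fingerprint_default needing `add`. If nothing outside the fingerprint HAL is meant to bind to this interface, a dedicated vendor service type carrying only the `add`/`find` rules it needs would stop the label from inheriting the core type's clients. The new file is plain `service_contexts` rather than a vendor-specific contexts file, so it should be confirmed that the build installs it into the vendor partition's service contexts, given the interface lives in the vendor namespace. A comment naming the intended registrant and clients, e.g. `# Fingerprint HAL extension; registered by hal_fingerprint_default, shares the hal_fingerprint_service label`, would record the choice for the next reader.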