From a03d0c829d5eda2d560792fb127e0ba0e17fc9c6 Mon Sep 17 00:00:00 2001 From: Daniel Chapin Date: Tue, 5 Mar 2024 00:55:40 +0000 Subject: [PATCH 01/10] Revert "Add betterbug folder to gs-common" Revert submission 26348985-bb-sepolicy-poc Reason for revert: Droidfood blocking bug: b/327991669 Bug: b/327991669 Reverted changes: /q/submissionid:26348985-bb-sepolicy-poc (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aca06d61c64f947252808f73fbe01fdda5109c0e) Merged-In: I0fe0bb22e293093d941b4d8ba826c8c8689a370d Change-Id: I0fe0bb22e293093d941b4d8ba826c8c8689a370d
---
betterbug/betterbug.mk | 5 ----- .../sepolicy/product/private/better_bug_app.te | 15 --------------- betterbug/sepolicy/product/private/seapp_contexts | 2 -- .../sepolicy/product/public/better_bug_app.te | 1 - 4 files changed, 23 deletions(-) delete mode 100644 betterbug/betterbug.mk delete mode 100644 betterbug/sepolicy/product/private/better_bug_app.te delete mode 100644 betterbug/sepolicy/product/private/seapp_contexts delete mode 100644 betterbug/sepolicy/product/public/better_bug_app.te
diff --git a/betterbug/betterbug.mk b/betterbug/betterbug.mk
deleted file mode 100644
index f3ae647..0000000
--- a/betterbug/betterbug.mk
+++ /dev/null
@@ -1,5 +0,0 @@
-PRODUCT_PACKAGES += BetterBugStub
-PRODUCT_PACKAGES_DEBUG += BetterBug
-
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/private
diff --git a/betterbug/sepolicy/product/private/better_bug_app.te b/betterbug/sepolicy/product/private/better_bug_app.te
deleted file mode 100644
index bb50612..0000000
--- a/betterbug/sepolicy/product/private/better_bug_app.te
+++ /dev/null
@@ -1,15 +0,0 @@
-typeattribute better_bug_app coredomain;
-
-app_domain(better_bug_app)
-net_domain(better_bug_app)
-
-allow better_bug_app shell_data_file:file read;
-allow better_bug_app privapp_data_file:file execute;
-
-allow better_bug_app app_api_service:service_manager find;
-allow better_bug_app system_api_service:service_manager find;
-allow better_bug_app mediaserver_service:service_manager find;
-
-set_prop(better_bug_app, ctl_start_prop)
-
-get_prop(better_bug_app, system_boot_reason_prop)
diff --git a/betterbug/sepolicy/product/private/seapp_contexts b/betterbug/sepolicy/product/private/seapp_contexts
deleted file mode 100644
index 261e710..0000000
--- a/betterbug/sepolicy/product/private/seapp_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# BetterBug
-user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=all
diff --git a/betterbug/sepolicy/product/public/better_bug_app.te b/betterbug/sepolicy/product/public/better_bug_app.te
deleted file mode 100644
index 9a14782..0000000
--- a/betterbug/sepolicy/product/public/better_bug_app.te
+++ /dev/null
@@ -1 +0,0 @@
-type better_bug_app, domain;
From 0e3f3c1d885041477bdcf01df2db2f4ec15d6075 Mon Sep 17 00:00:00 2001
From: Klines Jiang Date: Mon, 25 Mar 2024 08:58:41 +0000 Subject: [PATCH 02/10] [Gyotaku] Update the build rule to exclude build Gyotaku dump for barbet Pixel 5a (barbet) does not support Pixel dump, we need to exclude build Pixel dump for Pixel 5a (barbet). The git_24Q2-beta-release TARGET_PRODUCT is barbet_beta, updated to barbet% for all barbet target products. Bug: 330819191 Test: Local build and trigger a new build the result passed (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d4de4ddf902f75ebcb6b0e1079e78b8a96410ed5) Merged-In: I2c1785105bab74a483bc68893d96a8a88eabfd90 Change-Id: I2c1785105bab74a483bc68893d96a8a88eabfd90
---
gyotaku_app/gyotaku.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gyotaku_app/gyotaku.mk b/gyotaku_app/gyotaku.mk
index c6c41d5..8a6bb10 100644
--- a/gyotaku_app/gyotaku.mk
+++ b/gyotaku_app/gyotaku.mk
@@ -6,7 +6,7 @@ ifneq ($(TARGET_BUILD_VARIANT), user) BOARD_SEPOLICY_DIRS += device/google/gs-common/gyotaku_app/sepolicy/ # Pixel 5a (barbet) does not support Pixel dump - ifneq ($(TARGET_PRODUCT), barbet) + ifeq (,$(filter barbet%,$(TARGET_PRODUCT))) PRODUCT_PACKAGES_DEBUG += dump_gyotaku BOARD_SEPOLICY_DIRS += device/google/gs-common/gyotaku_app/dump endif
From 256d37b5d70fa3d140ad1fd32abe3b296021c285 Mon Sep 17 00:00:00 2001 From: Philip Quinn Date: Wed, 29 May 2024 18:33:49 -0700 Subject: [PATCH 03/10] Remove obsolete relfector HAL policy. Bug: 343566773 Test: presubmit Change-Id: Ie779a71dfdc9d198643f5eb95396085ea842b7a5
---
touch/twoshay/sepolicy/touchflow_debug/file_contexts | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 touch/twoshay/sepolicy/touchflow_debug/file_contexts
diff --git a/touch/twoshay/sepolicy/touchflow_debug/file_contexts b/touch/twoshay/sepolicy/touchflow_debug/file_contexts
deleted file mode 100644
index 17dfe62..0000000
--- a/touch/twoshay/sepolicy/touchflow_debug/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-/vendor/bin/hw/android\.hardware\.input\.processor-reflector u:object_r:hal_input_processor_default_exec:s0
-/vendor/bin/twoshay_touchflow u:object_r:twoshay_exec:s0
From ec3a55308067d4a608960527d18a5c901522e04e Mon Sep 17 00:00:00 2001 From: Cheng Chang Date: Tue, 2 Apr 2024 10:05:36 +0000 Subject: [PATCH 04/10] sepolicy: Allow gnssd access modem_state avc: denied { read } for name="modem_state" dev="sysfs" ino=77641 scontext=u:r:gnssd:s0 tcontext=u:object_r:sysfs_modem_state:s0 tclass=file avc: denied { open } for path="/sys/devices/platform/cpif/modem_state" dev="sysfs" ino=77641 scontext=u:r:gnssd:s0 tcontext=u:object_r:sysfs_modem_state:s0 tclass=file avc: denied { getattr } for path="/sys/devices/platform/cpif/modem_state" dev="sysfs" ino=77641 scontext=u:r:gnssd:s0 tcontext=u:object_r:sysfs_modem_state:s0 tclass=file Bug: 342284863 Test: b/342284863 for boot-health check. Test: b/342284863 for function verification. Change-Id: I1accfe367915737c14ee79dce71fe04cdcdbb727
---
gps/lsi/sepolicy/gnssd.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/gps/lsi/sepolicy/gnssd.te b/gps/lsi/sepolicy/gnssd.te
index 56ab51f..a293b95 100644
--- a/gps/lsi/sepolicy/gnssd.te
+++ b/gps/lsi/sepolicy/gnssd.te
@@ -31,3 +31,6 @@ set_prop(gnssd, vendor_gps_prop) # Read RIL property get_prop(gnssd, vendor_rild_prop) + +# Read modme state +allow gnssd sysfs_modem_state:file r_file_perms;
From 1f7c89e359122284a469fb1414b88f01271408db Mon Sep 17 00:00:00 2001
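Review bot: The comment added in gps/lsi/sepolicy/gnssd.te reads `# Read modme state`; it should be `# Read modem state`. Naming the node from the denials quoted in the commit message would also let a later reader trace the grant to its reason, for example `# Read modem state (/sys/devices/platform/cpif/modem_state)`. The rule itself is limited to `r_file_perms`, which covers the read, open and getattr denials listed and adds no write access.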
From: Bruce Po Date: Fri, 31 May 2024 11:51:10 -0700 Subject: [PATCH 05/10] selinux move aocx from vndservice to service When updating aocx service to use binder ndk backend, we get this selinux violation: SELinux : avc: denied { add } for pid=2772 uid=0 name=aocx.IAocx scontext=u:r:aocxd:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0 TEST: adb push out/target/product/tangorpro/vendor/etc/selinux/* /vendor/etc/selinux adb reboot adb shell aocx_tool list BUG: 343998265 Change-Id: I1e4f554abfe02f33328c851f7da64c671d8f4cb7
---
aoc/sepolicy/service.te | 1 + aoc/sepolicy/{vndservice_contexts => service_contexts} | 0 aoc/sepolicy/vndservice.te | 1 - 3 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 aoc/sepolicy/service.te rename aoc/sepolicy/{vndservice_contexts => service_contexts} (100%) delete mode 100644 aoc/sepolicy/vndservice.te
diff --git a/aoc/sepolicy/service.te b/aoc/sepolicy/service.te
new file mode 100644
index 0000000..502b28d
--- /dev/null
+++ b/aoc/sepolicy/service.te
@@ -0,0 +1 @@
+type aocx, service_manager_type;
diff --git a/aoc/sepolicy/vndservice_contexts b/aoc/sepolicy/service_contexts
similarity index 100%
rename from aoc/sepolicy/vndservice_contexts
rename to aoc/sepolicy/service_contexts
diff --git a/aoc/sepolicy/vndservice.te b/aoc/sepolicy/vndservice.te
deleted file mode 100644
index 01c2436..0000000
--- a/aoc/sepolicy/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type aocx, vndservice_manager_type;
From bb3522634e7494513dd11ea8084c35e7bf7645c9 Mon Sep 17 00:00:00 2001
From: Cheng Chang Date: Fri, 31 May 2024 02:12:23 +0000 Subject: [PATCH 06/10] sepolicy: Allow hal_gnss_pixel access sscoredump file avc: denied { read } for name="ssrdump" dev="dm-48" ino=404 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=0 avc: denied { search } for name="ssrdump" dev="dm-48" ino=404 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=0 avc: denied { read } for name="ssrdump" dev="dm-48" ino=404 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=1 avc: denied { open } for path="/data/vendor/ssrdump" dev="dm-48" ino=404 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=1 avc: denied { search } for name="ssrdump" dev="dm-48" ino=404 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=1 avc: denied { getattr } for path="/data/vendor/ssrdump/crashinfo_gnss_2024-05-22_16-00-45.txt" dev="dm-48" ino=19897 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=file permissive=1 avc: denied { read } for name="crashinfo_modem_2024-05-22_16-34-51.txt" dev="dm-48" ino=20760 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=file permissive=1 Bug: 341224300 Test: b/341224300#comment13 abtd boot health check. Test: b/341224300 SST test verification. Change-Id: Ie2b55cb487e7e801a0199b1e9dd9ad16f1e3d682
---
gps/pixel/sepolicy/hal_gnss_pixel.te | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/gps/pixel/sepolicy/hal_gnss_pixel.te b/gps/pixel/sepolicy/hal_gnss_pixel.te
index ecdfcd3..43ff35d 100644
--- a/gps/pixel/sepolicy/hal_gnss_pixel.te
+++ b/gps/pixel/sepolicy/hal_gnss_pixel.te
@@ -22,4 +22,8 @@ allow hal_gnss_pixel hal_contexthub_service:service_manager find; # Allow connect to gnss service allow hal_gnss_pixel vendor_gps_file:dir create_dir_perms; -allow hal_gnss_pixel vendor_gps_file:fifo_file create_file_perms; \ No newline at end of file +allow hal_gnss_pixel vendor_gps_file:fifo_file create_file_perms; + +# Allow access ssrdump information +allow hal_gnss_pixel sscoredump_vendor_data_crashinfo_file:file r_file_perms; +allow hal_gnss_pixel sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
From 2ced5f695853268695b66ee3124cbcc929e69b84 Mon Sep 17 00:00:00 2001 From: Wayne Lin Date: Sat, 17 Feb 2024 11:03:52 +0800 Subject: [PATCH 07/10] gps: maintain one solution Move the rules from ag/26254728 Bug: 315915958 Test: build pass and GPS function works Change-Id: I730a7af2b8456ae4a350dbd0d6bdbfe7d3484b18
---
gps/lsi/sepolicy/device.te | 1 + gps/lsi/sepolicy/file.te | 4 ++++ gps/lsi/sepolicy/file_contexts | 4 +--- gps/lsi/sepolicy/property.te | 1 + gps/lsi/sepolicy/property_contexts | 2 ++ 5 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 gps/lsi/sepolicy/device.te create mode 100644 gps/lsi/sepolicy/property.te create mode 100644 gps/lsi/sepolicy/property_contexts
diff --git a/gps/lsi/sepolicy/device.te b/gps/lsi/sepolicy/device.te
new file mode 100644
index 0000000..15d049f
--- /dev/null
+++ b/gps/lsi/sepolicy/device.te
@@ -0,0 +1 @@
+type vendor_gnss_device, dev_type;
diff --git a/gps/lsi/sepolicy/file.te b/gps/lsi/sepolicy/file.te
index af9582b..246700a 100644
--- a/gps/lsi/sepolicy/file.te
+++ b/gps/lsi/sepolicy/file.te
@@ -1 +1,5 @@
 type vendor_gps_file, file_type, data_file_type;
+type sysfs_gps, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
+')
diff --git a/gps/lsi/sepolicy/file_contexts b/gps/lsi/sepolicy/file_contexts
index 9840eab..e6af3b1 100644
--- a/gps/lsi/sepolicy/file_contexts
+++ b/gps/lsi/sepolicy/file_contexts
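Review bot: The two rules added at the end of gps/pixel/sepolicy/hal_gnss_pixel.te give hal_gnss_pixel read access to every object labelled `sscoredump_vendor_data_crashinfo_file`, and the denials quoted in the commit message show it reading `crashinfo_modem_2024-05-22_16-34-51.txt` as well as `crashinfo_gnss_2024-05-22_16-00-45.txt`. If the HAL only needs the GNSS crash record, the grant is wider than the need, since the label appears to cover other subsystems' crash information too. The comment `# Allow access ssrdump information` should say why the HAL reads it, e.g. `# Read ssrdump crashinfo to <reason>`, and whether the access is required on user builds or can sit inside `userdebug_or_eng(...)`.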
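Review bot: `typeattribute vendor_gps_file mlstrustedobject;` in gps/lsi/sepolicy/file.te removes MLS level separation for objects labelled `vendor_gps_file` on userdebug and eng builds, and the hunk gives no reason for it. A comment above the `userdebug_or_eng(` block naming the domain that needs cross-level access would make the relaxation reviewable, for example `# <domain> runs at a different MLS level and reads GPS logs on debug builds`. The new `sysfs_gps` type has no labelling rule in the hunks visible in this series; if none exists elsewhere the type is unused.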
@@ -7,6 +7,4 @@
 /vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0
 /vendor/bin/hw/spad u:object_r:spad_exec:s0
 /vendor/bin/hw/android.hardware.gnss-service u:object_r:hal_gnss_default_exec:s0
-/vendor/bin/gnss_check\.sh u:object_r:gnss_check_exec:s0
-# keep only one rule and use eGNSS one
-# /data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
+/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
diff --git a/gps/lsi/sepolicy/property.te b/gps/lsi/sepolicy/property.te
new file mode 100644
index 0000000..6b62560
--- /dev/null
+++ b/gps/lsi/sepolicy/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_gps_prop)
diff --git a/gps/lsi/sepolicy/property_contexts b/gps/lsi/sepolicy/property_contexts
new file mode 100644
index 0000000..4546116
--- /dev/null
+++ b/gps/lsi/sepolicy/property_contexts
@@ -0,0 +1,2 @@
+vendor.gps. u:object_r:vendor_gps_prop:s0
+persist.vendor.gps. u:object_r:vendor_gps_prop:s0
From 70f4b0431e27eb7b382ee651865e2ef9fc01c234 Mon Sep 17 00:00:00 2001 From: Super Liu Date: Mon, 27 May 2024 07:00:20 +0000 Subject: [PATCH 08/10] touch: Add the capability to simulate HW failure Usage: $> setprop vendor.touch.gti0.ical.override.result RESULT The designate RESULT to be used for the designate CMD. If no RESULT assign, the default value will be "0 - -2147483648". $> setprop vendor.touch.gti0.ical.override.cmd CMD The result of designate CMD(e.g. 202 or 301) to be overrode by the designate RESULT. If the CMD is "xxx", the result of any CMD will be overode with the designate RESULT. Bug: 341021854 Test: manual test Change-Id: I3d24618e240b4a966b5a76a33ed9ab96503a3257 Signed-off-by: Super Liu
---
touch/gti/touch_gti_ical.cpp | 44 ++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-)
diff --git a/touch/gti/touch_gti_ical.cpp b/touch/gti/touch_gti_ical.cpp
index 0aabd9e..9b5eed5 100644
--- a/touch/gti/touch_gti_ical.cpp
+++ b/touch/gti/touch_gti_ical.cpp
@@ -34,6 +34,18 @@ int main(int argc, char *argv[]) char *line = NULL; size_t len = 0; FILE *ical_fd; + const char *ical_override_cmd_prop[2] = { + [0] = "vendor.touch.gti0.ical.override.cmd", + [1] = "vendor.touch.gti1.ical.override.cmd", + }; + const char *ical_override_result_prop[2] = { + [0] = "vendor.touch.gti0.ical.override.result", + [1] = "vendor.touch.gti1.ical.override.result", + }; + const char *ical_write_history_prop[2] = { + [0] = "vendor.touch.gti0.ical.write.history", + [1] = "vendor.touch.gti1.ical.write.history", + }; const char *ical_state_prop[2] = { [0] = "vendor.touch.gti0.ical.state", [1] = "vendor.touch.gti1.ical.state", @@ -46,9 +58,16 @@ int main(int argc, char *argv[]) [0] = "/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate", [1] = "/sys/devices/virtual/goog_touch_interface/gti.1/interactive_calibrate", }; + const char *ical_override_cmd_prop_path = ical_override_cmd_prop[0]; + const char *ical_override_result_prop_path = ical_override_result_prop[0]; + const char *ical_write_history_prop_path = ical_write_history_prop[0]; const char *ical_state_prop_path = ical_state_prop[0]; const char *ical_result_prop_path = ical_result_prop[0]; const char *ical_sysfs_path = ical_sysfs[0]; + const char ical_override_all_cmd_prop_val[PROPERTY_VALUE_MAX] = "xxx"; + char ical_override_cmd_prop_val[PROPERTY_VALUE_MAX] = "\0"; + char ical_override_result_prop_val[PROPERTY_VALUE_MAX] = "\0"; + char ical_write_history_prop_val[PROPERTY_VALUE_MAX] = "\0"; if (argc < 3) { ALOGW("No target dev or command for interactive_calibrate sysfs.\n"); 
@@ -60,11 +79,18 @@ int main(int argc, char *argv[]) if (strncmp(argv[1], "1", strlen(argv[1])) == 0 || strncmp(argv[1], "gti1", strlen(argv[1])) == 0 || strncmp(argv[1], "gti.1", strlen(argv[1])) == 0) { + ical_override_cmd_prop_path = ical_override_cmd_prop[1]; + ical_override_result_prop_path = ical_override_result_prop[1]; + ical_write_history_prop_path = ical_write_history_prop[1]; ical_state_prop_path = ical_state_prop[1]; ical_result_prop_path = ical_result_prop[1]; ical_sysfs_path = ical_sysfs[1]; } + property_get(ical_override_cmd_prop_path, ical_override_cmd_prop_val, NULL); + property_get(ical_override_result_prop_path, ical_override_result_prop_val, "0 - -2147483648"); + property_get(ical_write_history_prop_path, ical_write_history_prop_val, NULL); + property_set(ical_result_prop_path, "na"); property_set(ical_state_prop_path, "running"); if (access(ical_sysfs_path, F_OK | R_OK | W_OK)) { @@ -84,11 +110,25 @@ int main(int argc, char *argv[]) getline(&line, &len, ical_fd); if (line != NULL) { property_set(ical_state_prop_path, "read"); - property_set(ical_result_prop_path, line); - ALOGI("read: %s => %s", ical_sysfs_path, line); + if (strncmp(ical_override_cmd_prop_val, + ical_write_history_prop_val, + strlen(ical_write_history_prop_path)) == 0 || + strncasecmp(ical_override_cmd_prop_val, + ical_override_all_cmd_prop_val, + strlen(ical_override_all_cmd_prop_val)) == 0) { + property_set(ical_result_prop_path, ical_override_result_prop_val); + ALOGW("read(original): %s => %s", + ical_sysfs_path, line); + ALOGW("read(override): %s => %s", + ical_sysfs_path, ical_override_result_prop_val); + } else { + property_set(ical_result_prop_path, line); + ALOGI("read: %s => %s", ical_sysfs_path, line); + } free(line); } } else { + property_set(ical_write_history_prop_path, argv[2]); property_set(ical_state_prop_path, argv[2]); fwrite(argv[2], 1, strlen(argv[2]), ical_fd); ALOGI("write: %s => %s\n", argv[2], ical_sysfs_path); 
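Review bot: The override test in the last hunk of touch/gti/touch_gti_ical.cpp also matches when nothing was configured: `property_get(..., NULL)` leaves `ical_override_cmd_prop_val` and `ical_write_history_prop_val` as empty strings when the properties are unset, so the `strncmp` returns 0 and the real sysfs result is replaced by the default `"0 - -2147483648"`. The length passed to that `strncmp` is `strlen(ical_write_history_prop_path)`, the length of the property name rather than of either value, and the `strncasecmp` against `"xxx"` accepts any command that merely starts with it. I would require a non-empty command and compare whole strings: `if (ical_override_cmd_prop_val[0] != '\0' && (strcmp(ical_override_cmd_prop_val, ical_write_history_prop_val) == 0 || strcasecmp(ical_override_cmd_prop_val, ical_override_all_cmd_prop_val) == 0)) {`. Because this branch lets a property stand in for a hardware calibration result, it is also worth confirming that only debug tooling can set `vendor.touch.gti*.ical.override.*`, or compiling the branch out of user builds; main() continues outside these hunks.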
From 7d60dc41df882544150197ae499bb7718be36e79 Mon Sep 17 00:00:00 2001 From: Richard Chou Date: Mon, 3 Jun 2024 17:58:37 +0800 Subject: [PATCH 09/10] Recorder: add sepolicy for Google Recorder app List of avc-denies: http://b/338879856#comment3 Test: build pass Bug: 338879856 Change-Id: I40884f0308f8a77b237c6b588db861b63950a8d8
---
recorder/recorder.mk | 3 ++ .../com_google_android_apps_recorder.x509.pem | 29 +++++++++++++++++++ .../product/private/google_recorder_app.te | 16 ++++++++++ recorder/sepolicy/product/private/keys.conf | 2 ++ .../product/private/mac_permissions.xml | 27 +++++++++++++++++ .../sepolicy/product/private/seapp_contexts | 2 ++ .../product/public/google_recorder_app.te | 1 + .../sepolicy/vendor/google_recorder_app.te | 1 + 8 files changed, 81 insertions(+) create mode 100644 recorder/recorder.mk create mode 100644 recorder/sepolicy/product/private/certs/com_google_android_apps_recorder.x509.pem create mode 100644 recorder/sepolicy/product/private/google_recorder_app.te create mode 100644 recorder/sepolicy/product/private/keys.conf create mode 100644 recorder/sepolicy/product/private/mac_permissions.xml create mode 100644 recorder/sepolicy/product/private/seapp_contexts create mode 100644 recorder/sepolicy/product/public/google_recorder_app.te create mode 100644 recorder/sepolicy/vendor/google_recorder_app.te
diff --git a/recorder/recorder.mk b/recorder/recorder.mk
new file mode 100644
index 0000000..87620da
--- /dev/null
+++ b/recorder/recorder.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/recorder/sepolicy/vendor
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/recorder/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/recorder/sepolicy/product/private
diff --git a/recorder/sepolicy/product/private/certs/com_google_android_apps_recorder.x509.pem b/recorder/sepolicy/product/private/certs/com_google_android_apps_recorder.x509.pem
new file mode 100644
index 0000000..833c86b
--- /dev/null
+++ b/recorder/sepolicy/product/private/certs/com_google_android_apps_recorder.x509.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF+zCCA+OgAwIBAgIVAJFfB9eQ7J1w93C6aGBchm77ysA3MA0GCSqGSIb3DQEBCwUAMIGNMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU +MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxKTAnBgNVBAMMIGNvbV9nb29n +bGVfYW5kcm9pZF9hcHBzX3JlY29yZGVyMB4XDTE5MDIxNTE1NDQxMloXDTQ5MDIxNTE1NDQxMlow +gY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBW +aWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEpMCcGA1UEAwwgY29t +X2dvb2dsZV9hbmRyb2lkX2FwcHNfcmVjb3JkZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCFSs/DqyyRbMD2mEHxxv+DDnV7V8j/RUB43aZXC11kKbLAD/E8/WxV+e9frFoXlzXepK4m +FliWHyLWNSUmFwVxl2JsrkxUJ4QWXIpw9azHkW9kO5r/VPTXCBAZn80qqaqHlzplHbflxLiQc+zv +lWEg7HJPBMMMFC3yCYfhLbDrriZdMnT4mHMLUo24TzO2znv7c7SDBWQ57lAsdRB0OX+N4DfBXvUR +QLUO9FazerGdcK58KHkxgo3ZHY3c2+efkfCkZUgu6HKLwA24O2e0/iYmC7vQTItGYCCyzbdlXDix +t0YgpsdcsOtVSJLwv6movtAX9JGsrGkvZR9Ffa52Vfc+vW0yqahHxVFJ5VD6UrrQpkWjonrsIbHb +RLQ05ZM735kd4NWrxgS0sDwdfvhmsj29Ag3q/cuIpG/+x37+vmTlMKggeqxSxoQ4RwGyZuvyb8PB +/lCf6r6bAYyr88oAs03ATz3RqRH38rkHmFp5Cdf488tw2Wj6vB/JqnfPN8woslle0hUIkqH7Ezna +0zF79yov7oePFdqr++khDHrrMQziwIk2PN+V0MLGQpmX5FF47Zmprtzvu52QN2f5rnKq2HSfBG0i +FqZ8/iAEnUsCngVObHaASPxXq1AKiy3iEJaLDjFhGbQk9mbj9o/RHb0kyorI3d90PU8ss8xNsUnm +pXa4sQIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRXxQfB1H79Hq56Ld1GUrRRfzWo +ojAfBgNVHSMEGDAWgBRXxQfB1H79Hq56Ld1GUrRRfzWoojANBgkqhkiG9w0BAQsFAAOCAgEARATw +47mgvvLpdLTPzjORUSLBWXS2WdH43o9tPBNOaLBVRWiua2OyMp8F+nbxm4y/3djGuXsn5S2F12jp +7xQZcBU4c21vF/ttio/spnnkPBnf0nKndTLoKt4Tpcxq4vnyqyXlBJHIybh+bbc6HVTYM6n8k4vw +KReUjEjCXAxZ8vWjTgSOAtDrHkaez3tOkACMFmRv+JP1zNG32chLG+8K0/pyLsnknloPAk02Btoc +t7FI4XKtS/9Z9oipMHfWg8fjI4vRXqiiAR4ctf9EgxcwHY/KVX8RJxsAXMgl65e7qGagbfTWCbHl +MnRnapjLKkvJKPiIbBx/xdgUoOxdugwL6XPfzg4THQzAiduCgxkDs/H3SQWem6VBZ57KSuudJsop +s5hb7GS2Hqb5F3YHAlSGQxvj37mDTzbuTH3paqzPwSgnqw0jnkGl//f2osw/mqfD5msDLk4UcmpQ +IeC10ofhF7hzaZOGwMg8VGzsMR5M154haxj6Y2NFEir6ylz/stPrelkwDvMIDgIororj2Bj7TkWu 
+EABNAr8h9yTsJEvxayNMk96U+Rn2LKMZilJdf00SILpr6IFTD8uvRwLIHSCjSbd9C8kkAqbqKs4 +VCg5HPLHjxyXgWOAK1IeqqnryaFPjLqa2RsG6UL+UtIjC6eWMsWOfvRRrpTU21mo2Koc0MI= +-----END CERTIFICATE-----
diff --git a/recorder/sepolicy/product/private/google_recorder_app.te b/recorder/sepolicy/product/private/google_recorder_app.te
new file mode 100644
index 0000000..ac308aa
--- /dev/null
+++ b/recorder/sepolicy/product/private/google_recorder_app.te
@@ -0,0 +1,16 @@
+app_domain(google_recorder_app)
+net_domain(google_recorder_app)
+
+get_prop(google_recorder_app, graphics_config_writable_prop)
+
+allow google_recorder_app app_api_service:service_manager find;
+allow google_recorder_app audioserver_service:service_manager find;
+allow google_recorder_app mediaextractor_service:service_manager find;
+allow google_recorder_app mediametrics_service:service_manager find;
+allow google_recorder_app mediaserver_service:service_manager find;
+
+allow google_recorder_app privapp_data_file:lnk_file r_file_perms;
+allow google_recorder_app privapp_data_file:file execute;
+
+# Library code may try to access default properties, but should be denied
+dontaudit google_recorder_app default_prop:file read;
diff --git a/recorder/sepolicy/product/private/keys.conf b/recorder/sepolicy/product/private/keys.conf
new file mode 100644
index 0000000..9dad2f5
--- /dev/null
+++ b/recorder/sepolicy/product/private/keys.conf
@@ -0,0 +1,2 @@
+[@GOOGLERECORDER]
+ALL : device/google/gs-common/recorder/sepolicy/product/private/certs/com_google_android_apps_recorder.x509.pem
diff --git a/recorder/sepolicy/product/private/mac_permissions.xml b/recorder/sepolicy/product/private/mac_permissions.xml
new file mode 100644
index 0000000..b1d21bf
--- /dev/null
+++ b/recorder/sepolicy/product/private/mac_permissions.xml
@@ -0,0 +1,27 @@ + + + + + + + + +
diff --git a/recorder/sepolicy/product/private/seapp_contexts b/recorder/sepolicy/product/private/seapp_contexts
new file mode 100644
index 0000000..f264927
--- /dev/null
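Review bot: `allow google_recorder_app privapp_data_file:file execute;` in recorder/sepolicy/product/private/google_recorder_app.te lets the new domain execute files labelled as privileged-app data, and unlike the `dontaudit` rule below it the grant carries no comment. Execute permission on app-writable data is the kind of rule a later audit will question, so the reason belongs next to it, for example `# Load code provided by <provider> from its privapp data dir`, together with the matching denial from the linked list. The same applies to the `privapp_data_file:lnk_file r_file_perms` rule on the line above, which presumably exists for the same code path.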
+++ b/recorder/sepolicy/product/private/seapp_contexts
@@ -0,0 +1,2 @@
+# Google Recorder
+user=_app isPrivApp=true seinfo=GoogleRecorder name=com.google.android.apps.recorder domain=google_recorder_app type=app_data_file levelFrom=all
diff --git a/recorder/sepolicy/product/public/google_recorder_app.te b/recorder/sepolicy/product/public/google_recorder_app.te
new file mode 100644
index 0000000..b718e12
--- /dev/null
+++ b/recorder/sepolicy/product/public/google_recorder_app.te
@@ -0,0 +1 @@
+type google_recorder_app, domain;
diff --git a/recorder/sepolicy/vendor/google_recorder_app.te b/recorder/sepolicy/vendor/google_recorder_app.te
new file mode 100644
index 0000000..e140678
--- /dev/null
+++ b/recorder/sepolicy/vendor/google_recorder_app.te
@@ -0,0 +1 @@
+get_prop(google_recorder_app, vendor_audio_prop_restricted)
From 5f01cd2856f5015c3c4946d54598eda6b1cc63a1 Mon Sep 17 00:00:00 2001 From: Klines Jiang Date: Thu, 30 May 2024 06:09:31 +0000 Subject: [PATCH 10/10] [dump_gyotaku] Add collect odpm logs for dump_gyotaku. Bug: 328551786 Test: Local build and odpm logs collected test passed. Change-Id: Ic0071e8ee2262c3fa439444a6b90f092749afe43
---
gyotaku_app/dump/dump_gyotaku.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gyotaku_app/dump/dump_gyotaku.cpp b/gyotaku_app/dump/dump_gyotaku.cpp
index 62c2a57..0f22e68 100644
--- a/gyotaku_app/dump/dump_gyotaku.cpp
+++ b/gyotaku_app/dump/dump_gyotaku.cpp
@@ -19,7 +19,7 @@ #define GYOTAKU_DIRECTORY "/data/vendor/gyotaku/andlog" #define GYOTAKU_ANDROID_LOG_PREFIX "android_" - +#define GYOTAKU_ODPM_LOG_PREFIX "odpm_" #define maxFileLogsNumber 30 int main() {
@@ -30,6 +30,7 @@ int main() { } dumpLogs(GYOTAKU_DIRECTORY, outputDir.c_str(), maxFileLogsNumber, GYOTAKU_ANDROID_LOG_PREFIX); + dumpLogs(GYOTAKU_DIRECTORY, outputDir.c_str(), maxFileLogsNumber, GYOTAKU_ODPM_LOG_PREFIX); return 0; }