Snap for 11981331 from e15af041dd to 24Q4-release

Change-Id: I8ab4f78f8c7b9efdba134844912c2d13f5c62043

aoc/sepolicy/aocxd.te

@@ -26,3 +26,6 @@ add_service(aocxd, aocx);
 
 # allow managing thread priority
 allow aocxd self:global_capability_class_set sys_nice;
+
+allow aocxd dumpstate:fd use;
+allow aocxd dumpstate:fifo_file write;

aoc/sepolicy/dumpstate.te

@@ -0,0 +1,2 @@
+# Allow dumpstate to talk to aocxd over binder
+binder_call(dumpstate, aocxd)

aoc/sepolicy/service.te

@@ -0,0 +1 @@
+type aocx, service_manager_type;

aoc/sepolicy/vndservice.te

@@ -1 +0,0 @@
-type aocx, vndservice_manager_type;

audio/sepolicy/common/genfs_contexts

@@ -21,3 +21,4 @@ genfscon sysfs /devices/platform/audiometrics/call_count                    u:ob
 genfscon sysfs /devices/platform/audiometrics/offload_effects_id            u:object_r:sysfs_pixelstats:s0
 genfscon sysfs /devices/platform/audiometrics/offload_effects_duration      u:object_r:sysfs_pixelstats:s0
 genfscon sysfs /devices/platform/audiometrics/bt_usage                      u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_version               u:object_r:sysfs_pixelstats:s0

camera/lyric.mk

@@ -11,13 +11,8 @@ ifneq ($(wildcard vendor/google/services/LyricCameraHAL/src),)
 $(call soong_config_set,gch,hwl_library,lyric)
 endif
 
-# Check if we're in PDK build
-ifeq ($(wildcard vendor/google/camera),)
-# If vendor/google/camera doesn't exist, it's a PDK build.
-$(call soong_config_set,lyric,pdk_build,true)
-else
-# Otherwise, it's an internal Google build.
-$(call soong_config_set,lyric,pdk_build,false)
+# Check if we're in the internal build
+ifneq ($(wildcard vendor/google/camera),)
 
 PRODUCT_SOONG_NAMESPACES += \
     vendor/google/camera \

fingerprint/Android.bp

@@ -0,0 +1,21 @@
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_binary {
+    name: "dump_fingerprint",
+    srcs: ["dump_fingerprint.cpp"],
+    init_rc: ["init.fingerprint.dump.rc"],
+    cflags: [
+        "-Wall",
+        "-Wextra",
+        "-Werror",
+    ],
+    shared_libs: [
+        "libbase",
+        "libdump",
+        "liblog",
+    ],
+    vendor: true,
+    relative_install_path: "dump",
+}

fingerprint/dump_fingerprint.cpp

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <android-base/file.h>
+#include <dump/pixel_dump.h>
+#include <log/log.h>
+#include <stdio.h>
+#include <string.h>
+
+static constexpr const char *kTombstonesDirPath = "/data/vendor/tombstones/fingerprint/";
+
+int main() {
+    printf("------ Fingerprint tombstones ------\n");
+    std::unique_ptr<DIR, decltype(&closedir)> tombstones_dir(opendir(kTombstonesDirPath), closedir);
+    if (tombstones_dir) {
+        dirent *entry;
+        while ((entry = readdir(tombstones_dir.get())) != nullptr) {
+            std::string file_name(entry->d_name);
+            if (!strcmp(file_name.c_str(), ".") || !strcmp(file_name.c_str(), ".."))
+                continue;
+            std::string file_path(kTombstonesDirPath + file_name);
+            dumpFileContent(file_name.c_str(), file_path.c_str());
+        }
+    }
+
+    return 0;
+}

fingerprint/fingerprint.mk

@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/fingerprint/sepolicy
+
+PRODUCT_PACKAGES += dump_fingerprint

fingerprint/init.fingerprint.dump.rc

@@ -0,0 +1,2 @@
+on post-fs-data
+    mkdir /data/vendor/tombstones/fingerprint 0770 system system

fingerprint/sepolicy/dump_fingerprint.te

@@ -0,0 +1,5 @@
+pixel_bugreport(dump_fingerprint)
+
+allow dump_fingerprint fingerprint_vendor_data_file:dir r_dir_perms;
+allow dump_fingerprint fingerprint_vendor_data_file:file r_file_perms;
+

fingerprint/sepolicy/file_contexts

@@ -0,0 +1,2 @@
+/vendor/bin/dump/dump_fingerprint          u:object_r:dump_fingerprint_exec:s0
+/data/vendor/tombstones/fingerprint(/.*)?  u:object_r:fingerprint_vendor_data_file:s0

fingerprint/sepolicy/hal_fingerprint.te

@@ -0,0 +1 @@
+allow hal_fingerprint trusty_log_device:chr_file r_file_perms;

gps/lsi/sepolicy/device.te

@@ -0,0 +1 @@
+type vendor_gnss_device, dev_type;

gps/lsi/sepolicy/file.te

@@ -1 +0,0 @@
-type vendor_gps_file, file_type, data_file_type;

gps/lsi/sepolicy/file_contexts

@@ -7,6 +7,4 @@
 /vendor/bin/hw/swcnd            u:object_r:swcnd_exec:s0
 /vendor/bin/hw/spad             u:object_r:spad_exec:s0
 /vendor/bin/hw/android.hardware.gnss-service           u:object_r:hal_gnss_default_exec:s0
-/vendor/bin/gnss_check\.sh                                     u:object_r:gnss_check_exec:s0
-# keep only one rule and use eGNSS one
-# /data/vendor/gps(/.*)?             u:object_r:vendor_gps_file:s0
+/data/vendor/gps(/.*)?             u:object_r:vendor_gps_file:s0

gps/lsi/sepolicy/gnssd.te

@@ -31,3 +31,6 @@ set_prop(gnssd, vendor_gps_prop)
 
 # Read RIL property
 get_prop(gnssd, vendor_rild_prop)
+
+# Read modme state
+allow gnssd sysfs_modem_state:file r_file_perms;

gps/pixel/sepolicy/hal_gnss_pixel.te

@@ -1,9 +1,3 @@
-type hal_gnss_pixel, domain;
-hal_server_domain(hal_gnss_pixel, hal_gnss)
-
-type hal_gnss_pixel_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_gnss_pixel)
-
 #IPC between pixel and vendor HAL
 binder_call(hal_gnss_pixel, hal_gnss_default)
 
@@ -22,4 +16,8 @@ allow hal_gnss_pixel hal_contexthub_service:service_manager find;
 
 # Allow connect to gnss service
 allow hal_gnss_pixel vendor_gps_file:dir create_dir_perms;
-allow hal_gnss_pixel vendor_gps_file:fifo_file create_file_perms;
+allow hal_gnss_pixel vendor_gps_file:fifo_file create_file_perms;
+
+# Allow access ssrdump information
+allow hal_gnss_pixel sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+allow hal_gnss_pixel sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;

gyotaku_app/dump/dump_gyotaku.cpp

@@ -19,7 +19,7 @@
 
 #define GYOTAKU_DIRECTORY "/data/vendor/gyotaku/andlog"
 #define GYOTAKU_ANDROID_LOG_PREFIX "android_"
-
+#define GYOTAKU_ODPM_LOG_PREFIX "odpm_"
 #define maxFileLogsNumber 30
 
 int main() {
@@ -30,6 +30,7 @@ int main() {
     }
 
     dumpLogs(GYOTAKU_DIRECTORY, outputDir.c_str(), maxFileLogsNumber, GYOTAKU_ANDROID_LOG_PREFIX);
+    dumpLogs(GYOTAKU_DIRECTORY, outputDir.c_str(), maxFileLogsNumber, GYOTAKU_ODPM_LOG_PREFIX);
     return 0;
 }
 

recorder/recorder.mk

@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/recorder/sepolicy/vendor
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/recorder/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/recorder/sepolicy/product/private

recorder/sepolicy/product/private/certs/com_google_android_apps_recorder.x509.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF+zCCA+OgAwIBAgIVAJFfB9eQ7J1w93C6aGBchm77ysA3MA0GCSqGSIb3DQEBCwUAMIGNMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU
+MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxKTAnBgNVBAMMIGNvbV9nb29n
+bGVfYW5kcm9pZF9hcHBzX3JlY29yZGVyMB4XDTE5MDIxNTE1NDQxMloXDTQ5MDIxNTE1NDQxMlow
+gY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEpMCcGA1UEAwwgY29t
+X2dvb2dsZV9hbmRyb2lkX2FwcHNfcmVjb3JkZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCFSs/DqyyRbMD2mEHxxv+DDnV7V8j/RUB43aZXC11kKbLAD/E8/WxV+e9frFoXlzXepK4m
+FliWHyLWNSUmFwVxl2JsrkxUJ4QWXIpw9azHkW9kO5r/VPTXCBAZn80qqaqHlzplHbflxLiQc+zv
+lWEg7HJPBMMMFC3yCYfhLbDrriZdMnT4mHMLUo24TzO2znv7c7SDBWQ57lAsdRB0OX+N4DfBXvUR
+QLUO9FazerGdcK58KHkxgo3ZHY3c2+efkfCkZUgu6HKLwA24O2e0/iYmC7vQTItGYCCyzbdlXDix
+t0YgpsdcsOtVSJLwv6movtAX9JGsrGkvZR9Ffa52Vfc+vW0yqahHxVFJ5VD6UrrQpkWjonrsIbHb
+RLQ05ZM735kd4NWrxgS0sDwdfvhmsj29Ag3q/cuIpG/+x37+vmTlMKggeqxSxoQ4RwGyZuvyb8PB
+/lCf6r6bAYyr88oAs03ATz3RqRH38rkHmFp5Cdf488tw2Wj6vB/JqnfPN8woslle0hUIkqH7Ezna
+0zF79yov7oePFdqr++khDHrrMQziwIk2PN+V0MLGQpmX5FF47Zmprtzvu52QN2f5rnKq2HSfBG0i
+FqZ8/iAEnUsCngVObHaASPxXq1AKiy3iEJaLDjFhGbQk9mbj9o/RHb0kyorI3d90PU8ss8xNsUnm
+pXa4sQIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRXxQfB1H79Hq56Ld1GUrRRfzWo
+ojAfBgNVHSMEGDAWgBRXxQfB1H79Hq56Ld1GUrRRfzWoojANBgkqhkiG9w0BAQsFAAOCAgEARATw
+47mgvvLpdLTPzjORUSLBWXS2WdH43o9tPBNOaLBVRWiua2OyMp8F+nbxm4y/3djGuXsn5S2F12jp
+7xQZcBU4c21vF/ttio/spnnkPBnf0nKndTLoKt4Tpcxq4vnyqyXlBJHIybh+bbc6HVTYM6n8k4vw
+KReUjEjCXAxZ8vWjTgSOAtDrHkaez3tOkACMFmRv+JP1zNG32chLG+8K0/pyLsnknloPAk02Btoc
+t7FI4XKtS/9Z9oipMHfWg8fjI4vRXqiiAR4ctf9EgxcwHY/KVX8RJxsAXMgl65e7qGagbfTWCbHl
+MnRnapjLKkvJKPiIbBx/xdgUoOxdugwL6XPfzg4THQzAiduCgxkDs/H3SQWem6VBZ57KSuudJsop
+s5hb7GS2Hqb5F3YHAlSGQxvj37mDTzbuTH3paqzPwSgnqw0jnkGl//f2osw/mqfD5msDLk4UcmpQ
+IeC10ofhF7hzaZOGwMg8VGzsMR5M154haxj6Y2NFEir6ylz/stPrelkwDvMIDgIororj2Bj7TkWu
++EABNAr8h9yTsJEvxayNMk96U+Rn2LKMZilJdf00SILpr6IFTD8uvRwLIHSCjSbd9C8kkAqbqKs4
+VCg5HPLHjxyXgWOAK1IeqqnryaFPjLqa2RsG6UL+UtIjC6eWMsWOfvRRrpTU21mo2Koc0MI=
+-----END CERTIFICATE-----

recorder/sepolicy/product/private/google_recorder_app.te

@@ -0,0 +1,16 @@
+app_domain(google_recorder_app)
+net_domain(google_recorder_app)
+
+get_prop(google_recorder_app, graphics_config_writable_prop)
+
+allow google_recorder_app app_api_service:service_manager find;
+allow google_recorder_app audioserver_service:service_manager find;
+allow google_recorder_app mediaextractor_service:service_manager find;
+allow google_recorder_app mediametrics_service:service_manager find;
+allow google_recorder_app mediaserver_service:service_manager find;
+
+allow google_recorder_app privapp_data_file:lnk_file r_file_perms;
+allow google_recorder_app privapp_data_file:file execute;
+
+# Library code may try to access default properties, but should be denied
+dontaudit google_recorder_app default_prop:file read;

recorder/sepolicy/product/private/keys.conf

@@ -0,0 +1,2 @@
+[@GOOGLERECORDER]
+ALL : device/google/gs-common/recorder/sepolicy/product/private/certs/com_google_android_apps_recorder.x509.pem

recorder/sepolicy/product/private/mac_permissions.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <!-- Google Recorder app key -->
+    <signer signature="@GOOGLERECORDER" >
+      <seinfo value="GoogleRecorder" />
+    </signer>
+</policy>

recorder/sepolicy/product/private/seapp_contexts

@@ -0,0 +1,2 @@
+# Google Recorder
+user=_app isPrivApp=true seinfo=GoogleRecorder name=com.google.android.apps.recorder domain=google_recorder_app type=app_data_file levelFrom=all

recorder/sepolicy/product/public/google_recorder_app.te

@@ -0,0 +1 @@
+type google_recorder_app, domain;

recorder/sepolicy/vendor/google_recorder_app.te

@@ -0,0 +1 @@
+get_prop(google_recorder_app, vendor_audio_prop_restricted)

touch/gti/touch_gti_ical.cpp

@@ -34,6 +34,18 @@ int main(int argc, char *argv[])
 	char *line = NULL;
 	size_t len = 0;
 	FILE *ical_fd;
+	const char *ical_override_cmd_prop[2] = {
+		[0] = "vendor.touch.gti0.ical.override.cmd",
+		[1] = "vendor.touch.gti1.ical.override.cmd",
+	};
+	const char *ical_override_result_prop[2] = {
+		[0] = "vendor.touch.gti0.ical.override.result",
+		[1] = "vendor.touch.gti1.ical.override.result",
+	};
+	const char *ical_write_history_prop[2] = {
+		[0] = "vendor.touch.gti0.ical.write.history",
+		[1] = "vendor.touch.gti1.ical.write.history",
+	};
 	const char *ical_state_prop[2] = {
 		[0] = "vendor.touch.gti0.ical.state",
 		[1] = "vendor.touch.gti1.ical.state",
@@ -46,9 +58,16 @@ int main(int argc, char *argv[])
 		[0] = "/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate",
 		[1] = "/sys/devices/virtual/goog_touch_interface/gti.1/interactive_calibrate",
 	};
+	const char *ical_override_cmd_prop_path = ical_override_cmd_prop[0];
+	const char *ical_override_result_prop_path = ical_override_result_prop[0];
+	const char *ical_write_history_prop_path = ical_write_history_prop[0];
 	const char *ical_state_prop_path = ical_state_prop[0];
 	const char *ical_result_prop_path = ical_result_prop[0];
 	const char *ical_sysfs_path = ical_sysfs[0];
+	const char ical_override_all_cmd_prop_val[PROPERTY_VALUE_MAX] = "xxx";
+	char ical_override_cmd_prop_val[PROPERTY_VALUE_MAX] = "\0";
+	char ical_override_result_prop_val[PROPERTY_VALUE_MAX] = "\0";
+	char ical_write_history_prop_val[PROPERTY_VALUE_MAX] = "\0";
 
 	if (argc < 3) {
 		ALOGW("No target dev or command for interactive_calibrate sysfs.\n");
@@ -60,11 +79,18 @@ int main(int argc, char *argv[])
 	if (strncmp(argv[1], "1", strlen(argv[1])) == 0 ||
 		strncmp(argv[1], "gti1", strlen(argv[1])) == 0 ||
 		strncmp(argv[1], "gti.1", strlen(argv[1])) == 0) {
+		ical_override_cmd_prop_path = ical_override_cmd_prop[1];
+		ical_override_result_prop_path = ical_override_result_prop[1];
+		ical_write_history_prop_path = ical_write_history_prop[1];
 		ical_state_prop_path = ical_state_prop[1];
 		ical_result_prop_path = ical_result_prop[1];
 		ical_sysfs_path = ical_sysfs[1];
 	}
 
+	property_get(ical_override_cmd_prop_path, ical_override_cmd_prop_val, NULL);
+	property_get(ical_override_result_prop_path, ical_override_result_prop_val, "0 - -2147483648");
+	property_get(ical_write_history_prop_path, ical_write_history_prop_val, NULL);
+
 	property_set(ical_result_prop_path, "na");
 	property_set(ical_state_prop_path, "running");
 	if (access(ical_sysfs_path, F_OK | R_OK | W_OK)) {
@@ -84,11 +110,25 @@ int main(int argc, char *argv[])
 		getline(&line, &len, ical_fd);
 		if (line != NULL) {
 			property_set(ical_state_prop_path, "read");
-			property_set(ical_result_prop_path, line);
-			ALOGI("read: %s => %s", ical_sysfs_path, line);
+			if (strncmp(ical_override_cmd_prop_val,
+					ical_write_history_prop_val,
+					strlen(ical_write_history_prop_path)) == 0 ||
+				strncasecmp(ical_override_cmd_prop_val,
+					ical_override_all_cmd_prop_val,
+					strlen(ical_override_all_cmd_prop_val)) == 0) {
+				property_set(ical_result_prop_path, ical_override_result_prop_val);
+				ALOGW("read(original): %s => %s",
+					ical_sysfs_path, line);
+				ALOGW("read(override): %s => %s",
+					ical_sysfs_path, ical_override_result_prop_val);
+			} else {
+				property_set(ical_result_prop_path, line);
+				ALOGI("read: %s => %s", ical_sysfs_path, line);
+			}
 			free(line);
 		}
 	} else {
+		property_set(ical_write_history_prop_path, argv[2]);
 		property_set(ical_state_prop_path, argv[2]);
 		fwrite(argv[2], 1, strlen(argv[2]), ical_fd);
 		ALOGI("write: %s => %s\n", argv[2], ical_sysfs_path);

touch/twoshay/sepolicy/touchflow_debug/file_contexts

@@ -1,2 +0,0 @@
-/vendor/bin/hw/android\.hardware\.input\.processor-reflector     u:object_r:hal_input_processor_default_exec:s0
-/vendor/bin/twoshay_touchflow     u:object_r:twoshay_exec:s0