From 02f64cf99f50405dbbd4ee3f3631c66ffd3bb5a6 Mon Sep 17 00:00:00 2001 From: Thomas Flucke Date: Fri, 23 Aug 2024 14:28:17 +0000 Subject: [PATCH 1/5] dumpstate: gsa: Add GSA logs to dumpstate New Stuff: * Add program to read the GSA logs Evidence: avc: denied { read } for comm="dump_gsa" name="gsa-log1" dev="tmpfs" ino=1261 scontext=u:r:dump_gsa:s0 tcontext=u:object_r:gsa_log_device:s0 tclass=chr_file permissive=0 avc: denied { read } for comm="dump_gsa" name="gsa-bl1-log2" dev="tmpfs" ino=1222 scontext=u:r:dump_gsa:s0 tcontext=u:object_r:gsa_log_device:s0 tclass=chr_file permissive=0 Bug: 360205716 Test: adb shell dumpstate and check the dumpstate_board.txt for GSA logs Flag: EXEMPT debug only Change-Id: I4ea35da7916273cf526570067f24145ef4fb14f1 Signed-off-by: Thomas Flucke --- gsa/Android.bp | 20 ++++++++++++++++++++ gsa/dump_gsa.cpp | 31 +++++++++++++++++++++++++++++++ gsa/gsa.mk | 3 +++ gsa/init.gsa.rc | 6 ++++++ gsa/sepolicy/gsa/dump_gsa.te | 6 ++++++ gsa/sepolicy/gsa/file.te | 2 ++ gsa/sepolicy/gsa/file_contexts | 4 ++++ 7 files changed, 72 insertions(+) create mode 100644 gsa/Android.bp create mode 100644 gsa/dump_gsa.cpp create mode 100644 gsa/gsa.mk create mode 100644 gsa/init.gsa.rc create mode 100644 gsa/sepolicy/gsa/dump_gsa.te create mode 100644 gsa/sepolicy/gsa/file.te create mode 100644 gsa/sepolicy/gsa/file_contexts diff --git a/gsa/Android.bp b/gsa/Android.bp new file mode 100644 index 0000000..59e0369 --- /dev/null +++ b/gsa/Android.bp @@ -0,0 +1,20 @@ +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + +cc_binary { + name: "dump_gsa", + srcs: ["dump_gsa.cpp"], + init_rc: ["init.gsa.rc"], + cflags: [ + "-Wall", + "-Wextra", + "-Werror", + "-pedantic", + ], + shared_libs: [ + "libdump", + ], + vendor: true, + relative_install_path: "dump", +} diff --git a/gsa/dump_gsa.cpp b/gsa/dump_gsa.cpp new file mode 100644 index 0000000..6308036 --- /dev/null +++ b/gsa/dump_gsa.cpp 
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include
+#include
+
+#define DIM(arr) (sizeof(arr) / sizeof(arr[0]))
+
+const char* paths[][2] = {{"GSA MAIN LOG", "/dev/gsa-log1"},
+ {"GSA INTERMEDIATE LOG", "/dev/gsa-bl1-log2"}};
+
+int main() {
+ for (size_t i = 0; i < DIM(paths); i++) {
+ if (!access(paths[i][1], R_OK)) {
+ dumpFileContent(paths[i][0], paths[i][1]);
+ }
+ }
+ return 0;
+}
diff --git a/gsa/gsa.mk b/gsa/gsa.mk
new file mode 100644
index 0000000..1938c66
--- /dev/null
+++ b/gsa/gsa.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gsa/sepolicy/gsa
+
+PRODUCT_PACKAGES += dump_gsa
diff --git a/gsa/init.gsa.rc b/gsa/init.gsa.rc
new file mode 100644
index 0000000..357144e
--- /dev/null
+++ b/gsa/init.gsa.rc
@@ -0,0 +1,6 @@
+on init
+ # Change GSA log group for dumpstate
+ chmod 660 /dev/gsa-log1
+ chmod 660 /dev/gsa-bl1-log2
+ chown root system /dev/gsa-log1
+ chown root system /dev/gsa-bl1-log2
diff --git a/gsa/sepolicy/gsa/dump_gsa.te b/gsa/sepolicy/gsa/dump_gsa.te
new file mode 100644
index 0000000..dcc3ef6
--- /dev/null
+++ b/gsa/sepolicy/gsa/dump_gsa.te
@@ -0,0 +1,6 @@
+# GSA
+pixel_bugreport(dump_gsa)
+
+userdebug_or_eng(`
+ allow dump_gsa gsa_log_device:chr_file r_file_perms;
+')
diff --git a/gsa/sepolicy/gsa/file.te b/gsa/sepolicy/gsa/file.te
new file mode 100644
index 0000000..46a1732
--- /dev/null
+++ b/gsa/sepolicy/gsa/file.te
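Review bot: `paths` is a mutable file-scope table of pointers to mutable data although nothing in dump_gsa.cpp writes to it; declaring it `static const char* const paths[][2] = {...};` puts it in read-only storage and stops it being exported from the binary. The two `#include` directives show no header name in this rendering (presumably `<unistd.h>` for `access`/`R_OK` and the libdump header that declares `dumpFileContent`), so that part could not be checked. `!access(paths[i][1], R_OK)` leans on the 0-on-success convention and reads as a negation; `access(paths[i][1], R_OK) == 0` says the same thing plainly. The `access()` pre-check is only advisory: the node can still fail to open inside `dumpFileContent`, whose result is not inspected here, so if that helper reports failure it would be worth logging it to make a missing GSA section in dumpstate_board.txt diagnosable.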
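Review bot: The `chmod 660` and `chown root system` lines widen DAC access to both GSA log nodes on every build variant, while the only SELinux rule that reads `gsa_log_device` (in dump_gsa.te) is wrapped in `userdebug_or_eng`; on user builds the nodes end up group-readable by `system` with no domain permitted to read them, which is intended containment but looks like a mismatch to the next reader. A comment stating that split would prevent someone "fixing" it with an unconditional allow rule, e.g. `# DAC widening only; reads are gated by SELinux (gsa_log_device, userdebug/eng dump_gsa)`. Ownership and mode for /dev nodes are conventionally declared in a ueventd.rc entry (`/dev/gsa-log1 0660 root system`), which is applied when the node is created; if these nodes can be re-created after `on init` has run, the chmod/chown here would not be reapplied.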
@@ -0,0 +1,2 @@ +# GSA +type gsa_log_device, dev_type; diff --git a/gsa/sepolicy/gsa/file_contexts b/gsa/sepolicy/gsa/file_contexts new file mode 100644 index 0000000..ad3a72d --- /dev/null +++ b/gsa/sepolicy/gsa/file_contexts @@ -0,0 +1,4 @@ +# GSA +/dev/gsa-log1 u:object_r:gsa_log_device:s0 +/dev/gsa-bl1-log2 u:object_r:gsa_log_device:s0 +/vendor/bin/dump/dump_gsa u:object_r:dump_gsa_exec:s0 From 1331d97c929bb3b64b3a07271ad0f2aa9693bace Mon Sep 17 00:00:00 2001 From: cey Date: Tue, 10 Sep 2024 15:15:29 +0800 Subject: [PATCH 2/5] Allow devices that use HIDL to find AIDL radio_ext_service Move the type to a common sepolicy so it can be shared. avc: denied { find } for pid=6493 uid=10256 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:grilservice_app:s0:c0,c257,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0 NO_AVC_EVIDENCE_CHECK=default_android_service not supported Bug: 365099058 Test: manual Flag: EXEMPT mk file Change-Id: I9c2471792c2a423e19f1472bd7923a5284f9127e --- gril/aidl/2.0/gril_aidl.mk | 1 + gril/aidl/2.0/sepolicy/grilservice_app.te | 4 ++-- gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te | 2 +- gril/aidl/2.0/sepolicy/service.te | 2 -- {modem/radio_ext => gril/common}/sepolicy/service.te | 1 + gril/{aidl/2.0 => common}/sepolicy/service_contexts | 2 +- gril/hidl/1.7/gril_hidl.mk | 1 + gril/hidl/1.7/sepolicy/grilservice_app.te | 2 ++ modem/radio_ext/radio_ext.mk | 1 + 9 files changed, 10 insertions(+), 6 deletions(-) delete mode 100644 gril/aidl/2.0/sepolicy/service.te rename {modem/radio_ext => gril/common}/sepolicy/service.te (68%) rename gril/{aidl/2.0 => common}/sepolicy/service_contexts (64%) diff --git a/gril/aidl/2.0/gril_aidl.mk b/gril/aidl/2.0/gril_aidl.mk index b7d5133..d4fa9e9 100644 --- a/gril/aidl/2.0/gril_aidl.mk +++ b/gril/aidl/2.0/gril_aidl.mk 
@@ -1,3 +1,4 @@ PRODUCT_PACKAGES += vendor.google.radioext@1.0-service DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/aidl/2.0/compatibility_matrix.xml BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/aidl/2.0/sepolicy +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy diff --git a/gril/aidl/2.0/sepolicy/grilservice_app.te b/gril/aidl/2.0/sepolicy/grilservice_app.te index 8f49afa..812c8a2 100644 --- a/gril/aidl/2.0/sepolicy/grilservice_app.te +++ b/gril/aidl/2.0/sepolicy/grilservice_app.te @@ -1,4 +1,4 @@ -# allow grilservice_app to find hal_aidl_radio_ext_service -allow grilservice_app hal_aidl_radio_ext_service:service_manager find; +# allow grilservice_app to find hal_radio_ext_service +allow grilservice_app hal_radio_ext_service:service_manager find; binder_call(grilservice_app, hal_aidl_radio_ext) binder_call(grilservice_app, twoshay) diff --git a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te index ad6c86b..68dd397 100644 --- a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te +++ b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te @@ -12,7 +12,7 @@ binder_call(hal_aidl_radio_ext, servicemanager) binder_call(hal_aidl_radio_ext, grilservice_app) binder_call(hal_aidl_radio_ext, hal_bluetooth_btlinux) -add_service(hal_aidl_radio_ext, hal_aidl_radio_ext_service) +add_service(hal_aidl_radio_ext, hal_radio_ext_service) # RW /dev/oem_ipc0 allow hal_aidl_radio_ext radio_device:chr_file rw_file_perms; diff --git a/gril/aidl/2.0/sepolicy/service.te b/gril/aidl/2.0/sepolicy/service.te deleted file mode 100644 index 24aa71e..0000000 --- a/gril/aidl/2.0/sepolicy/service.te +++ /dev/null @@ -1,2 +0,0 @@ -# Radio Ext AIDL service -type hal_aidl_radio_ext_service, hal_service_type, protected_service, service_manager_type; 
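Review bot: `BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy` is appended here and, in the same patch, in gril/hidl/1.7/gril_hidl.mk and modem/radio_ext/radio_ext.mk, so a product that includes more than one of these makefiles lists the same policy directory twice; whether the sepolicy build tolerates that, or whether it was the build break (b/367183524) behind the revert in PATCH 4/5, is not visible from the diff, and PATCH 5/5 re-lands these hunks unchanged. A guard such as `BOARD_VENDOR_SEPOLICY_DIRS += $(filter-out $(BOARD_VENDOR_SEPOLICY_DIRS),device/google/gs-common/gril/common/sepolicy)` in each of the three files, or one shared include, would make the duplication harmless. The rename also moves service_contexts into gril/common while modem/radio_ext/sepolicy stays listed by radio_ext.mk; confirm that directory carries no second label for `vendor.google.radio_ext.IRadioExt/default`, since two entries for one service name would conflict.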
diff --git a/modem/radio_ext/sepolicy/service.te b/gril/common/sepolicy/service.te similarity index 68% rename from modem/radio_ext/sepolicy/service.te rename to gril/common/sepolicy/service.te index 7288ef1..ee6fb77 100644 --- a/modem/radio_ext/sepolicy/service.te +++ b/gril/common/sepolicy/service.te @@ -1,2 +1,3 @@ # Radio Ext AIDL service +# Shared definition so a single type is referenced type hal_radio_ext_service, hal_service_type, protected_service, service_manager_type; diff --git a/gril/aidl/2.0/sepolicy/service_contexts b/gril/common/sepolicy/service_contexts similarity index 64% rename from gril/aidl/2.0/sepolicy/service_contexts rename to gril/common/sepolicy/service_contexts index 7b96182..7e50c2e 100644 --- a/gril/aidl/2.0/sepolicy/service_contexts +++ b/gril/common/sepolicy/service_contexts @@ -1 +1 @@ -vendor.google.radio_ext.IRadioExt/default u:object_r:hal_aidl_radio_ext_service:s0 +vendor.google.radio_ext.IRadioExt/default u:object_r:hal_radio_ext_service:s0 diff --git a/gril/hidl/1.7/gril_hidl.mk b/gril/hidl/1.7/gril_hidl.mk index fcd5ef8..0008a5d 100644 --- a/gril/hidl/1.7/gril_hidl.mk +++ b/gril/hidl/1.7/gril_hidl.mk @@ -1,3 +1,4 @@ PRODUCT_PACKAGES += vendor.google.radioext@1.0-service DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/hidl/1.7/compatibility_matrix.xml BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/hidl/1.7/sepolicy +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy diff --git a/gril/hidl/1.7/sepolicy/grilservice_app.te b/gril/hidl/1.7/sepolicy/grilservice_app.te index 43da795..3a170b8 100644 --- a/gril/hidl/1.7/sepolicy/grilservice_app.te +++ b/gril/hidl/1.7/sepolicy/grilservice_app.te @@ -1,2 +1,4 @@ +# allow grilservice_app to find hal_radio_ext_service +allow grilservice_app hal_radio_ext_service:service_manager find; # allow grilservice_app to binder call hal_radioext_default binder_call(grilservice_app, hal_radioext_default) 
diff --git a/modem/radio_ext/radio_ext.mk b/modem/radio_ext/radio_ext.mk index 6750fdd..1df3bcc 100644 --- a/modem/radio_ext/radio_ext.mk +++ b/modem/radio_ext/radio_ext.mk @@ -3,3 +3,4 @@ PRODUCT_PACKAGES += vendor.google.radio_ext-service DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/modem/radio_ext/compatibility_matrix.xml BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/radio_ext/sepolicy +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy From 0393e7fbe6619fb10191a43f02b8f32c89e177a1 Mon Sep 17 00:00:00 2001 
From: Welly Hsu Date: Tue, 3 Sep 2024 09:32:25 +0000 Subject: [PATCH 3/5] gs-common: add rules for euiccpixel_app 09-11 21:19:25.452 345 345 I auditd : avc: denied { find } for pid=14141 uid=10246 name=activity scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=0 09-11 21:20:57.035 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=netstats scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1 09-11 21:20:57.055 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=content_capture scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1 09-11 21:20:57.064 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=activity_task scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1 09-11 21:20:57.111 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=gpu scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1 09-11 21:20:57.182 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=voiceinteraction scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1 09-11 21:20:57.184 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=autofill scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 09-11 21:20:57.190 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=sensitive_content_protection_service scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1 09-11 
21:20:57.193 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=performance_hint scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1 09-11 21:21:09.436 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=audio scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-11 21:21:09.449 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=batterystats scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:batterystats_service:s0 tclass=service_manager permissive=1 09-11 21:21:09.454 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=batteryproperties scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:batteryproperties_service:s0 tclass=service_manager permissive=1 09-11 23:21:26.678 345 345 I auditd : avc: denied { find } for pid=17450 uid=10246 name=permission_checker scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:permission_checker_service:s0 tclass=service_manager permissive=1 09-03 16:29:54.032 351 351 E SELinux : avc: denied { find } for pid=3914 uid=10217 name=phone scontext=u:r:euiccpixel_app:s0:c217,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1 09-03 17:35:07.453 351 351 E SELinux : avc: denied { find } for pid=3914 uid=10217 name=nfc scontext=u:r:euiccpixel_app:s0:c217,c256,c512,c768 tcontext=u:object_r:nfc_service:s0 tclass=service_manager permissive=1 09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1055): avc: denied { read } for comm="RenderThread" name="uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel 09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1056): avc: denied { open } for comm="RenderThread" 
path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel 09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1057): avc: denied { getattr } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel 09-11 21:21:48.494 12343 12343 I auditd : type=1400 audit(0.0:23): avc: denied { read write } for comm=4173796E635461736B202331 name="st54spi" dev="tmpfs" ino=1573 scontext=u:r:euiccpixel_app:s0:c3,c257,c522,c768 tcontext=u:object_r:st54spi_device:s0 tclass=chr_file permissive=1 09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1056): avc: denied { read open } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel 09-11 21:20:57.108 17450 17450 I auditd : type=1400 audit(0.0:1057): avc: denied { getattr } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46479 scontext=u:r:euiccpixel_app:s0:c246,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.euiccpixel 09-13 17:55:20.904 3776 3776 I auditd : type=1400 audit(0.0:1087): avc: denied { read } for comm="RenderThread" name="uevent" dev="sysfs" ino=46480 scontext=u:r:euiccpixel_app:s0:c225,c256,c512,c768 tcontext=u:object_r:sysfs_gpu_uevent:s0 tclass=file permissive=0 app=com.google.euiccpixel 09-13 18:18:26.988 4029 4029 I auditd : type=1400 audit(0.0:1077): avc: denied { open getattr } for comm="RenderThread" path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=46480 scontext=u:r:euiccpixel_app:s0:c225,c256,c512,c768 
tcontext=u:object_r:sysfs_gpu_uevent:s0 tclass=file permissive=0 app=com.google.euiccpixel 09-13 17:55:20.996 3776 3776 I auditd : type=1400 audit(0.0:1090): avc: denied { read } for comm="ogle.euiccpixel" name="u:object_r:default_prop:s0" dev="tmpfs" ino=164 scontext=u:r:euiccpixel_app:s0:c225,c256,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.google.euiccpixel Bug: 361092897 Test: make selinux_policy, flash and test on 25' project Flag: EXEMPT NDK Change-Id: I8850fe0c1eae7dc575cb323d1f4a9234b7df82db --- euiccpixel_app/euiccpixel_app_st54.mk | 3 ++ .../common/certs/EuiccSupportPixel.x509.pem | 29 +++++++++++++++++++ .../sepolicy/common/euiccpixel_app.te | 27 +++++++++++++++++ euiccpixel_app/sepolicy/common/file.te | 2 ++ euiccpixel_app/sepolicy/common/genfs_contexts | 1 + euiccpixel_app/sepolicy/common/keys.conf | 2 ++ .../sepolicy/common/mac_permissions.xml | 27 +++++++++++++++++ euiccpixel_app/sepolicy/common/seapp_contexts | 2 ++ .../sepolicy/st54/euiccpixel_app.te | 8 +++++ 9 files changed, 101 insertions(+) create mode 100644 euiccpixel_app/euiccpixel_app_st54.mk create mode 100644 euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem create mode 100644 euiccpixel_app/sepolicy/common/euiccpixel_app.te create mode 100644 euiccpixel_app/sepolicy/common/file.te create mode 100644 euiccpixel_app/sepolicy/common/genfs_contexts create mode 100644 euiccpixel_app/sepolicy/common/keys.conf create mode 100644 euiccpixel_app/sepolicy/common/mac_permissions.xml create mode 100644 euiccpixel_app/sepolicy/common/seapp_contexts create mode 100644 euiccpixel_app/sepolicy/st54/euiccpixel_app.te diff --git a/euiccpixel_app/euiccpixel_app_st54.mk b/euiccpixel_app/euiccpixel_app_st54.mk new file mode 100644 index 0000000..e96d06c --- /dev/null +++ b/euiccpixel_app/euiccpixel_app_st54.mk 
@@ -0,0 +1,3 @@ +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/euiccpixel_app/sepolicy/common +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/euiccpixel_app/sepolicy/st54 +PRODUCT_PACKAGES += EuiccSupportPixel-P23 diff --git a/euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem b/euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem new file mode 100644 index 0000000..be303df --- /dev/null +++ b/euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw +b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v +Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb +WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/ +amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK +aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0 +oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho ++9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td +5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK +rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki +uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag +ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV +HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5 +FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9 +Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp +ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL +EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB +GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U +XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0 +IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj +pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon 
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU
+0JD1T1qdCm3aUSEmFgEA4rOL/0K3
+-----END CERTIFICATE-----
diff --git a/euiccpixel_app/sepolicy/common/euiccpixel_app.te b/euiccpixel_app/sepolicy/common/euiccpixel_app.te
new file mode 100644
index 0000000..8093b49
--- /dev/null
+++ b/euiccpixel_app/sepolicy/common/euiccpixel_app.te
@@ -0,0 +1,27 @@
+# Euiccpixel_app
+type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+
+allow euiccpixel_app activity_service:service_manager find;
+allow euiccpixel_app netstats_service:service_manager find;
+allow euiccpixel_app content_capture_service:service_manager find;
+allow euiccpixel_app activity_task_service:service_manager find;
+allow euiccpixel_app gpu_service:service_manager find;
+allow euiccpixel_app voiceinteraction_service:service_manager find;
+allow euiccpixel_app autofill_service:service_manager find;
+allow euiccpixel_app sensitive_content_protection_service:service_manager find;
+allow euiccpixel_app hint_service:service_manager find;
+allow euiccpixel_app audio_service:service_manager find;
+allow euiccpixel_app batterystats_service:service_manager find;
+allow euiccpixel_app batteryproperties_service:service_manager find;
+allow euiccpixel_app permission_checker_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+# b/265286368 framework UI rendering properties and file access
+dontaudit euiccpixel_app default_prop:file { read };
+dontaudit euiccpixel_app sysfs_gpu_uevent:file { read open getattr };
diff --git a/euiccpixel_app/sepolicy/common/file.te b/euiccpixel_app/sepolicy/common/file.te
new file mode 100644
index 0000000..e76ee79
--- /dev/null
+++ b/euiccpixel_app/sepolicy/common/file.te
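Review bot: `set_prop(euiccpixel_app, vendor_secure_element_prop)`, `set_prop(euiccpixel_app, vendor_modem_prop)` and `get_prop(euiccpixel_app, dck_prop)` give an app domain write access to vendor modem and secure-element properties, yet none of the denials quoted in the commit message involves a property set or any of those three types — every listed avc is a `service_manager find`, a sysfs read, the st54spi node or a `default_prop` read. Each of the three lines should carry a one-line comment naming the feature that needs it (as the sysfs/default_prop block does by citing b/265286368), or be dropped if they were carried over from another device's policy. The fifteen `service_manager find` rules are an explicit least-privilege list rather than the broader `app_api_service` attribute, which is the right choice for a privileged app; a short comment above the block saying the enumeration is deliberate would keep a later cleanup from collapsing it.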
@@ -0,0 +1,2 @@ +# type for gpu uevent +type sysfs_gpu_uevent, sysfs_type, fs_type; diff --git a/euiccpixel_app/sepolicy/common/genfs_contexts b/euiccpixel_app/sepolicy/common/genfs_contexts new file mode 100644 index 0000000..fc146df --- /dev/null +++ b/euiccpixel_app/sepolicy/common/genfs_contexts @@ -0,0 +1 @@ +genfscon sysfs /devices/platform/34f00000.gpu0/uevent u:object_r:sysfs_gpu_uevent:s0 diff --git a/euiccpixel_app/sepolicy/common/keys.conf b/euiccpixel_app/sepolicy/common/keys.conf new file mode 100644 index 0000000..7071a2a --- /dev/null +++ b/euiccpixel_app/sepolicy/common/keys.conf @@ -0,0 +1,2 @@ +[@EUICCSUPPORTPIXEL] +ALL : device/google/gs-common/euiccpixel_app/sepolicy/common/certs/EuiccSupportPixel.x509.pem diff --git a/euiccpixel_app/sepolicy/common/mac_permissions.xml b/euiccpixel_app/sepolicy/common/mac_permissions.xml new file mode 100644 index 0000000..0eab982 --- /dev/null +++ b/euiccpixel_app/sepolicy/common/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/euiccpixel_app/sepolicy/common/seapp_contexts b/euiccpixel_app/sepolicy/common/seapp_contexts new file mode 100644 index 0000000..9501a3a --- /dev/null +++ b/euiccpixel_app/sepolicy/common/seapp_contexts @@ -0,0 +1,2 @@ +# Domain for EuiccSupportPixel +user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all diff --git a/euiccpixel_app/sepolicy/st54/euiccpixel_app.te b/euiccpixel_app/sepolicy/st54/euiccpixel_app.te new file mode 100644 index 0000000..3d81a57 --- /dev/null +++ b/euiccpixel_app/sepolicy/st54/euiccpixel_app.te @@ -0,0 +1,8 @@ +# euiccpixel requires st54spi for firmware upgrade +userdebug_or_eng(` + net_domain(euiccpixel_app) + + # Access to directly upgrade firmware on st54spi_device used for engineering devices + typeattribute st54spi_device mlstrustedobject; + allow euiccpixel_app st54spi_device:chr_file rw_file_perms; +') 
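Review bot: `genfscon sysfs /devices/platform/34f00000.gpu0/uevent u:object_r:sysfs_gpu_uevent:s0` pins a SoC-specific base address inside the `common` policy directory; on a SoC whose GPU is at a different address the node keeps the generic `sysfs` label, the `dontaudit euiccpixel_app sysfs_gpu_uevent:file { read open getattr };` rule in euiccpixel_app.te never matches, and the RenderThread denials quoted in the commit message (tcontext `sysfs`) come back. If the address varies per SoC, either move this line to a per-SoC sepolicy directory or state the scope in a comment, e.g. `# GPU uevent node; path embeds the SoC GPU base (34f00000.gpu0) — add per-platform entries as needed`.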
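Review bot: `typeattribute st54spi_device mlstrustedobject;` is a type-wide change, not a grant to euiccpixel_app: every domain that already holds an allow rule on `st54spi_device` is exempted from the MLS check on it, which is wider than the comment above the line ("Access to directly upgrade firmware on st54spi_device") suggests. If only this app needs the cross-category access, say so where the attribute is set, e.g. `# mlstrustedobject is type-wide: it lifts the MLS constraint for every domain with st54spi_device access, not only euiccpixel_app`. The `userdebug_or_eng` wrapper keeps this off user builds, which is the right containment; `net_domain(euiccpixel_app)` sits inside the same block with no explanation, so note whether it serves the firmware-upgrade path or is a separate debug need.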
From 1685969e605263ad55f1f75e50584dc0f12bd99a Mon Sep 17 00:00:00 2001 From: Charlie Yang Date: Mon, 16 Sep 2024 07:21:11 +0000 Subject: [PATCH 4/5] Revert "Allow devices that use HIDL to find AIDL radio_ext_service" Revert submission 29238469-gril-selinux Reason for revert: b/367183524 - build break Reverted changes: /q/submissionid:29238469-gril-selinux Change-Id: Ica10c6ee500389223256e328d182c9495a826b06 --- gril/aidl/2.0/gril_aidl.mk | 1 - gril/aidl/2.0/sepolicy/grilservice_app.te | 4 ++-- gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te | 2 +- gril/aidl/2.0/sepolicy/service.te | 2 ++ gril/{common => aidl/2.0}/sepolicy/service_contexts | 2 +- gril/hidl/1.7/gril_hidl.mk | 1 - gril/hidl/1.7/sepolicy/grilservice_app.te | 2 -- modem/radio_ext/radio_ext.mk | 1 - {gril/common => modem/radio_ext}/sepolicy/service.te | 1 - 9 files changed, 6 insertions(+), 10 deletions(-) create mode 100644 gril/aidl/2.0/sepolicy/service.te rename gril/{common => aidl/2.0}/sepolicy/service_contexts (64%) rename {gril/common => modem/radio_ext}/sepolicy/service.te (68%) diff --git a/gril/aidl/2.0/gril_aidl.mk b/gril/aidl/2.0/gril_aidl.mk index d4fa9e9..b7d5133 100644 --- a/gril/aidl/2.0/gril_aidl.mk +++ b/gril/aidl/2.0/gril_aidl.mk @@ -1,4 +1,3 @@ PRODUCT_PACKAGES += vendor.google.radioext@1.0-service DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/aidl/2.0/compatibility_matrix.xml BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/aidl/2.0/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy diff --git a/gril/aidl/2.0/sepolicy/grilservice_app.te b/gril/aidl/2.0/sepolicy/grilservice_app.te index 812c8a2..8f49afa 100644 --- a/gril/aidl/2.0/sepolicy/grilservice_app.te +++ b/gril/aidl/2.0/sepolicy/grilservice_app.te 
@@ -1,4 +1,4 @@ -# allow grilservice_app to find hal_radio_ext_service -allow grilservice_app hal_radio_ext_service:service_manager find; +# allow grilservice_app to find hal_aidl_radio_ext_service +allow grilservice_app hal_aidl_radio_ext_service:service_manager find; binder_call(grilservice_app, hal_aidl_radio_ext) binder_call(grilservice_app, twoshay) diff --git a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te index 68dd397..ad6c86b 100644 --- a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te +++ b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te @@ -12,7 +12,7 @@ binder_call(hal_aidl_radio_ext, servicemanager) binder_call(hal_aidl_radio_ext, grilservice_app) binder_call(hal_aidl_radio_ext, hal_bluetooth_btlinux) -add_service(hal_aidl_radio_ext, hal_radio_ext_service) +add_service(hal_aidl_radio_ext, hal_aidl_radio_ext_service) # RW /dev/oem_ipc0 allow hal_aidl_radio_ext radio_device:chr_file rw_file_perms; diff --git a/gril/aidl/2.0/sepolicy/service.te b/gril/aidl/2.0/sepolicy/service.te new file mode 100644 index 0000000..24aa71e --- /dev/null +++ b/gril/aidl/2.0/sepolicy/service.te @@ -0,0 +1,2 @@ +# Radio Ext AIDL service +type hal_aidl_radio_ext_service, hal_service_type, protected_service, service_manager_type; diff --git a/gril/common/sepolicy/service_contexts b/gril/aidl/2.0/sepolicy/service_contexts similarity index 64% rename from gril/common/sepolicy/service_contexts rename to gril/aidl/2.0/sepolicy/service_contexts index 7e50c2e..7b96182 100644 --- a/gril/common/sepolicy/service_contexts +++ b/gril/aidl/2.0/sepolicy/service_contexts @@ -1 +1 @@ -vendor.google.radio_ext.IRadioExt/default u:object_r:hal_radio_ext_service:s0 +vendor.google.radio_ext.IRadioExt/default u:object_r:hal_aidl_radio_ext_service:s0 diff --git a/gril/hidl/1.7/gril_hidl.mk b/gril/hidl/1.7/gril_hidl.mk index 0008a5d..fcd5ef8 100644 --- a/gril/hidl/1.7/gril_hidl.mk +++ b/gril/hidl/1.7/gril_hidl.mk 
@@ -1,4 +1,3 @@ PRODUCT_PACKAGES += vendor.google.radioext@1.0-service DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/hidl/1.7/compatibility_matrix.xml BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/hidl/1.7/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy diff --git a/gril/hidl/1.7/sepolicy/grilservice_app.te b/gril/hidl/1.7/sepolicy/grilservice_app.te index 3a170b8..43da795 100644 --- a/gril/hidl/1.7/sepolicy/grilservice_app.te +++ b/gril/hidl/1.7/sepolicy/grilservice_app.te @@ -1,4 +1,2 @@ -# allow grilservice_app to find hal_radio_ext_service -allow grilservice_app hal_radio_ext_service:service_manager find; # allow grilservice_app to binder call hal_radioext_default binder_call(grilservice_app, hal_radioext_default) diff --git a/modem/radio_ext/radio_ext.mk b/modem/radio_ext/radio_ext.mk index 1df3bcc..6750fdd 100644 --- a/modem/radio_ext/radio_ext.mk +++ b/modem/radio_ext/radio_ext.mk @@ -3,4 +3,3 @@ PRODUCT_PACKAGES += vendor.google.radio_ext-service DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/modem/radio_ext/compatibility_matrix.xml BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/radio_ext/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy diff --git a/gril/common/sepolicy/service.te b/modem/radio_ext/sepolicy/service.te similarity index 68% rename from gril/common/sepolicy/service.te rename to modem/radio_ext/sepolicy/service.te index ee6fb77..7288ef1 100644 --- a/gril/common/sepolicy/service.te +++ b/modem/radio_ext/sepolicy/service.te @@ -1,3 +1,2 @@ # Radio Ext AIDL service -# Shared definition so a single type is referenced type hal_radio_ext_service, hal_service_type, protected_service, service_manager_type; From d43a6e1c5a677614ff924bf9b47ed165e908a4de Mon Sep 17 00:00:00 2001 
From: "Priyanka Advani (xWF)" Date: Mon, 16 Sep 2024 16:58:16 +0000 Subject: [PATCH 5/5] Revert^2 "Allow devices that use HIDL to find AIDL radio_ext_service" This reverts commit 1685969e605263ad55f1f75e50584dc0f12bd99a. Reason for revert: Droidmonitor created revert due to b/367330939. Change-Id: Idd70cf3d846fad1a25060ebfb6ae6a99599fd861 --- gril/aidl/2.0/gril_aidl.mk | 1 + gril/aidl/2.0/sepolicy/grilservice_app.te | 4 ++-- gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te | 2 +- gril/aidl/2.0/sepolicy/service.te | 2 -- {modem/radio_ext => gril/common}/sepolicy/service.te | 1 + gril/{aidl/2.0 => common}/sepolicy/service_contexts | 2 +- gril/hidl/1.7/gril_hidl.mk | 1 + gril/hidl/1.7/sepolicy/grilservice_app.te | 2 ++ modem/radio_ext/radio_ext.mk | 1 + 9 files changed, 10 insertions(+), 6 deletions(-) delete mode 100644 gril/aidl/2.0/sepolicy/service.te rename {modem/radio_ext => gril/common}/sepolicy/service.te (68%) rename gril/{aidl/2.0 => common}/sepolicy/service_contexts (64%) diff --git a/gril/aidl/2.0/gril_aidl.mk b/gril/aidl/2.0/gril_aidl.mk index b7d5133..d4fa9e9 100644 --- a/gril/aidl/2.0/gril_aidl.mk +++ b/gril/aidl/2.0/gril_aidl.mk @@ -1,3 +1,4 @@ PRODUCT_PACKAGES += vendor.google.radioext@1.0-service DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/aidl/2.0/compatibility_matrix.xml BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/aidl/2.0/sepolicy +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy diff --git a/gril/aidl/2.0/sepolicy/grilservice_app.te b/gril/aidl/2.0/sepolicy/grilservice_app.te index 8f49afa..812c8a2 100644 --- a/gril/aidl/2.0/sepolicy/grilservice_app.te +++ b/gril/aidl/2.0/sepolicy/grilservice_app.te 
@@ -1,4 +1,4 @@ -# allow grilservice_app to find hal_aidl_radio_ext_service -allow grilservice_app hal_aidl_radio_ext_service:service_manager find; +# allow grilservice_app to find hal_radio_ext_service +allow grilservice_app hal_radio_ext_service:service_manager find; binder_call(grilservice_app, hal_aidl_radio_ext) binder_call(grilservice_app, twoshay) diff --git a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te index ad6c86b..68dd397 100644 --- a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te +++ b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te @@ -12,7 +12,7 @@ binder_call(hal_aidl_radio_ext, servicemanager) binder_call(hal_aidl_radio_ext, grilservice_app) binder_call(hal_aidl_radio_ext, hal_bluetooth_btlinux) -add_service(hal_aidl_radio_ext, hal_aidl_radio_ext_service) +add_service(hal_aidl_radio_ext, hal_radio_ext_service) # RW /dev/oem_ipc0 allow hal_aidl_radio_ext radio_device:chr_file rw_file_perms; diff --git a/gril/aidl/2.0/sepolicy/service.te b/gril/aidl/2.0/sepolicy/service.te deleted file mode 100644 index 24aa71e..0000000 --- a/gril/aidl/2.0/sepolicy/service.te +++ /dev/null @@ -1,2 +0,0 @@ -# Radio Ext AIDL service -type hal_aidl_radio_ext_service, hal_service_type, protected_service, service_manager_type; diff --git a/modem/radio_ext/sepolicy/service.te b/gril/common/sepolicy/service.te similarity index 68% rename from modem/radio_ext/sepolicy/service.te rename to gril/common/sepolicy/service.te index 7288ef1..ee6fb77 100644 --- a/modem/radio_ext/sepolicy/service.te +++ b/gril/common/sepolicy/service.te @@ -1,2 +1,3 @@ # Radio Ext AIDL service +# Shared definition so a single type is referenced type hal_radio_ext_service, hal_service_type, protected_service, service_manager_type; 
diff --git a/gril/aidl/2.0/sepolicy/service_contexts b/gril/common/sepolicy/service_contexts similarity index 64% rename from gril/aidl/2.0/sepolicy/service_contexts rename to gril/common/sepolicy/service_contexts index 7b96182..7e50c2e 100644 --- a/gril/aidl/2.0/sepolicy/service_contexts +++ b/gril/common/sepolicy/service_contexts @@ -1 +1 @@ -vendor.google.radio_ext.IRadioExt/default u:object_r:hal_aidl_radio_ext_service:s0 +vendor.google.radio_ext.IRadioExt/default u:object_r:hal_radio_ext_service:s0 diff --git a/gril/hidl/1.7/gril_hidl.mk b/gril/hidl/1.7/gril_hidl.mk index fcd5ef8..0008a5d 100644 --- a/gril/hidl/1.7/gril_hidl.mk +++ b/gril/hidl/1.7/gril_hidl.mk @@ -1,3 +1,4 @@ PRODUCT_PACKAGES += vendor.google.radioext@1.0-service DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/hidl/1.7/compatibility_matrix.xml BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/hidl/1.7/sepolicy +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy diff --git a/gril/hidl/1.7/sepolicy/grilservice_app.te b/gril/hidl/1.7/sepolicy/grilservice_app.te index 43da795..3a170b8 100644 --- a/gril/hidl/1.7/sepolicy/grilservice_app.te +++ b/gril/hidl/1.7/sepolicy/grilservice_app.te @@ -1,2 +1,4 @@ +# allow grilservice_app to find hal_radio_ext_service +allow grilservice_app hal_radio_ext_service:service_manager find; # allow grilservice_app to binder call hal_radioext_default binder_call(grilservice_app, hal_radioext_default) diff --git a/modem/radio_ext/radio_ext.mk b/modem/radio_ext/radio_ext.mk index 6750fdd..1df3bcc 100644 --- a/modem/radio_ext/radio_ext.mk +++ b/modem/radio_ext/radio_ext.mk @@ -3,3 +3,4 @@ PRODUCT_PACKAGES += vendor.google.radio_ext-service DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/modem/radio_ext/compatibility_matrix.xml BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/radio_ext/sepolicy +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/common/sepolicy