From 24ee023597d928881d60842311ca170c8bb06c94 Mon Sep 17 00:00:00 2001
From: Jaegeuk Kim
Date: Wed, 1 May 2024 17:13:52 -0700
Subject: [PATCH 1/4] Allow userdata_exp partitions
Bug: 336319772
Change-Id: I7f878f29d356df3992fb49b9df8f8a900a6f12b8
Signed-off-by: Jaegeuk Kim
---
 storage/sepolicy/device.te | 2 ++
 storage/sepolicy/e2fs.te | 1 +
 storage/sepolicy/file_contexts | 1 +
 storage/sepolicy/fsck.te | 1 +
 storage/sepolicy/vold.te | 4 ++++
 5 files changed, 9 insertions(+)
 create mode 100644 storage/sepolicy/device.te
 create mode 100644 storage/sepolicy/e2fs.te
 create mode 100644 storage/sepolicy/fsck.te
diff --git a/storage/sepolicy/device.te b/storage/sepolicy/device.te
new file mode 100644
index 0000000..e0968f9
--- /dev/null
+++ b/storage/sepolicy/device.te
@@ -0,0 +1,2 @@
+# Userdata Exp block device.
+type userdata_exp_block_device, dev_type;
diff --git a/storage/sepolicy/e2fs.te b/storage/sepolicy/e2fs.te
new file mode 100644
index 0000000..c280cb7
--- /dev/null
+++ b/storage/sepolicy/e2fs.te
@@ -0,0 +1 @@
+allow e2fs userdata_exp_block_device:blk_file rw_file_perms;
diff --git a/storage/sepolicy/file_contexts b/storage/sepolicy/file_contexts
index ecca954..ff863db 100644
--- a/storage/sepolicy/file_contexts
+++ b/storage/sepolicy/file_contexts
@@ -3,3 +3,4 @@
 /dev/sg[0-9] u:object_r:sg_device:s0
 /data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0
 /vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0
+/dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0
diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te
new file mode 100644
index 0000000..2043199
--- /dev/null
+++ b/storage/sepolicy/fsck.te
@@ -0,0 +1 @@
+allow fsck userdata_exp_block_device:blk_file rw_file_perms;
diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te
index 1d743b5..3d35589 100644
--- a/storage/sepolicy/vold.te
+++ b/storage/sepolicy/vold.te
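Review bot: The pattern `/dev/block/by-name/userdata_exp.*` on the added file_contexts line is open-ended, so any future by-name node whose name merely starts with `userdata_exp` would silently pick up `userdata_exp_block_device` and with it the rw access this series grants to vold, fsck and e2fs. If a single partition (or numbered instances) is all that is expected, an exact name or `/dev/block/by-name/userdata_exp[0-9]*` expresses that; if the wildcard is deliberate, a comment above the line saying which names it is meant to cover would stop the next reviewer from tightening it. The partition naming scheme is not visible here, so treat the narrower regex as a question rather than a requirement.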
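Review bot: `allow fsck userdata_exp_block_device:blk_file rw_file_perms;` includes `ioctl`, and with no `allowxperm` rule for this source/target pair the full block ioctl space is open to fsck on the new partition, whereas the vold rule in the same series narrows its ioctls to BLKSECDISCARD. Unless the base policy already carries an `allowxperm fsck` on `dev_type` or another attribute this type belongs to (not visible here), adding `allowxperm fsck userdata_exp_block_device:blk_file ioctl { ... };` with the same command set the platform grants fsck on the existing userdata block device type keeps the new device at the same bar. The one-line e2fs.te hunk above has the same shape and deserves the same treatment.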
@@ -1,4 +1,8 @@
 allow vold sysfs_scsi_devices_0000:file rw_file_perms;
+# Access userdata_exp block device.
+allow vold userdata_exp_block_device:blk_file rw_file_perms;
+allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;
+
 dontaudit vold dumpstate:fifo_file rw_file_perms;
 dontaudit vold dumpstate:fd use ;
From 92a659256fdb8be9d64e2282efac82ac32a93f2a Mon Sep 17 00:00:00 2001
From: Rios Kao
Date: Tue, 21 May 2024 02:53:29 +0000
Subject: [PATCH 2/4] audio: add a restricted property for audio app.
note: For app layer to access specific property, define persist.vendor.app.audio. and set it as restricted.
Test: build pass
Bug: 333497194
Change-Id: I397a1bcb9bd16c7fa236049eead30b6e17a996b5
---
 audio/sepolicy/common/property.te | 3 +++
 audio/sepolicy/common/property_contexts | 3 +++
 audio/sepolicy/common/vendor_init.te | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/audio/sepolicy/common/property.te b/audio/sepolicy/common/property.te
index e2ffcd1..2287b84 100644
--- a/audio/sepolicy/common/property.te
+++ b/audio/sepolicy/common/property.te
@@ -1,2 +1,5 @@
 # Audio
 vendor_internal_prop(vendor_audio_prop)
+
+# The property for Audio App
+vendor_restricted_prop(vendor_audio_prop_restricted)
diff --git a/audio/sepolicy/common/property_contexts b/audio/sepolicy/common/property_contexts
index 1749ac8..96e678c 100644
--- a/audio/sepolicy/common/property_contexts
+++ b/audio/sepolicy/common/property_contexts
@@ -9,3 +9,6 @@ vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
 vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0
 vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0
 vendor.audio_hal.aidl.enable u:object_r:vendor_audio_prop:s0
+
+# for audio app
+persist.vendor.app.audio. u:object_r:vendor_audio_prop_restricted:s0
diff --git a/audio/sepolicy/common/vendor_init.te b/audio/sepolicy/common/vendor_init.te
index 26f3fa8..1562d45 100644
--- a/audio/sepolicy/common/vendor_init.te
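Review bot: The new `allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;` makes BLKSECDISCARD the only ioctl vold can issue on this type, because once any allowxperm rule matches a source/target/class only the listed commands pass; that is the right direction for a wipe-only path, but it also means any size-query or plain-discard ioctl vold uses on its other data block devices is denied here unless a broader attribute-based allowxperm in the base policy already covers this type. A short comment would record the intent, e.g. `# vold only secure-erases this partition; extend the ioctl list if it ever mounts or resizes it.` The e2fs/fsck access added elsewhere in the series suggests more than a wipe is planned, so it is worth confirming the list now rather than after the first denial.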
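Review bot: `vendor_restricted_prop(vendor_audio_prop_restricted)` creates a property type that, by my reading of the platform macro, non-vendor domains may read only through an explicit get_prop and may never set, yet no hunk in this patch grants any app domain read access, so the "for app layer to access" goal in the commit message is not reached by this change on its own. If the get_prop for the consuming app domain lives in another CL, the comment should say so; otherwise it belongs here next to the type. I would reword `# The property for Audio App` to `# Audio property namespace readable (never settable) from the app side; readers still need an explicit get_prop.`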
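Review bot: `persist.vendor.app.audio. u:object_r:vendor_audio_prop_restricted:s0` is a bare prefix entry with no type, so any key under that prefix is accepted with any string value and persisted across reboots. Where the individual property names are already known, `exact` entries with a type (`exact bool`, `exact int`, `exact enum ...`) let init reject malformed values and make the namespace auditable; if the set is genuinely open, spelling the entry out as `... prefix string` documents that the looseness is intentional. The label-only prefix is not wrong, just looser than it needs to be for a property an app is meant to consume.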
+++ b/audio/sepolicy/common/vendor_init.te
@@ -1,2 +1,5 @@
 # Audio property
 set_prop(vendor_init, vendor_audio_prop)
+
+# Audio App property
+set_prop(vendor_init, vendor_audio_prop_restricted)
From ea854a89c49e2e810dad4bdb1958263d7eafa97f Mon Sep 17 00:00:00 2001
From: Madhav Iyengar
Date: Wed, 1 May 2024 16:25:33 +0000
Subject: [PATCH 3/4] Add the new IPC and ring buffer files.
Adds file_contexts entries for the files representing new AOC services used by a new transport between CHRE on AOC and the bthal.
NOTE: The use-case for these files is the same as the /dev/acd-com.google.bt* files (lines 23-24). Those files will eventually be removed when we migrate from the old USF-based transport to the one under development.
Bug: 342415506
Test: Works with other CLs in topic to support BT offload over the new transport (with a local change to hook the new transport in).
Change-Id: I81246a25af020ab14da3d4ae7675f2a0f00f97be
---
 aoc/sepolicy/file_contexts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/aoc/sepolicy/file_contexts b/aoc/sepolicy/file_contexts
index ed8a6d6..73293f7 100644
--- a/aoc/sepolicy/file_contexts
+++ b/aoc/sepolicy/file_contexts
@@ -31,6 +31,9 @@
 /dev/acd-aocx_inject[0-9]* u:object_r:aoc_device:s0
 /dev/acd-aocx_tapout[0-9]* u:object_r:aoc_device:s0
 /dev/acd-mc_headpos u:object_r:aoc_device:s0
+/dev/acd-chre_bt_offload_ctl u:object_r:aoc_device:s0
+/dev/acd-chre_bt_offload_data_tx u:object_r:aoc_device:s0
+/dev/acd-chre_bt_offload_data_rx u:object_r:aoc_device:s0
 # AoC vendor binaries
 /vendor/bin/aocd u:object_r:aocd_exec:s0
From 65a5fe99c10d8ffd41996788dbbc16257da524f0 Mon Sep 17 00:00:00 2001
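Review bot: The three added `/dev/acd-chre_bt_offload_*` nodes reuse `aoc_device`, so every domain that already holds `aoc_device` character-device access (not visible here) reaches the new BT offload control and data rings, not only the bthal/CHRE pair the commit describes. That mirrors how the older `/dev/acd-com.google.bt*` nodes are labeled according to the commit message, so it is a deliberate trade; if the new transport is meant to be owned by a single HAL once the old nodes are removed, a dedicated device type with one allow rule would confine it to that consumer. At minimum a comment above the three lines naming the intended consumer domain would make the decision explicit for whoever deletes the legacy entries.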
From: Klines Jiang
Date: Wed, 29 May 2024 02:23:19 +0000
Subject: [PATCH 4/4] [SELinux] Initial access fingerprint sepolicy for gyotaku_app
Initial a specific build folder for fingerprint, we need to include the mk file on specific build.
Bug: 342335081
Test: Local build and sepolicy tests passed.
Change-Id: I8b8522ed949abc586ebab2efe4061f5e4b6cdde0
---
 gyotaku_app/fingerprint/gyotaku_app.te | 19 +++++++++++++++++++
 gyotaku_app/fingerprint/seapp_contexts | 2 ++
 gyotaku_app/gyotaku_fingerprint.mk | 5 +++++
 3 files changed, 26 insertions(+)
 create mode 100644 gyotaku_app/fingerprint/gyotaku_app.te
 create mode 100644 gyotaku_app/fingerprint/seapp_contexts
 create mode 100644 gyotaku_app/gyotaku_fingerprint.mk
diff --git a/gyotaku_app/fingerprint/gyotaku_app.te b/gyotaku_app/fingerprint/gyotaku_app.te
new file mode 100644
index 0000000..f6475f5
--- /dev/null
+++ b/gyotaku_app/fingerprint/gyotaku_app.te
@@ -0,0 +1,19 @@
+# Specific build for fingerprint
+type gyotaku_app, domain;
+
+app_domain(gyotaku_app)
+net_domain(gyotaku_app)
+
+# For Gyotaku app common use
+allow gyotaku_app app_api_service:service_manager find;
+allow gyotaku_app privapp_data_file:lnk_file read;
+allow gyotaku_app system_app_data_file:dir create_dir_perms;
+allow gyotaku_app system_app_data_file:file create_file_perms;
+
+# For getproperty isDebuggable use
+get_prop(gyotaku_app, userdebug_or_eng_prop)
+
+# For access /data/vendor/misc fingerprint use.
+allow gyotaku_app vendor_misc_data_file:dir search;
+allow gyotaku_app vendor_fingerprint_data_file:dir r_dir_perms;
+allow gyotaku_app vendor_fingerprint_data_file:file r_file_perms;
diff --git a/gyotaku_app/fingerprint/seapp_contexts b/gyotaku_app/fingerprint/seapp_contexts
new file mode 100644
index 0000000..b1c6248
--- /dev/null
+++ b/gyotaku_app/fingerprint/seapp_contexts
@@ -0,0 +1,2 @@
+# Gyotaku app
+user=system seinfo=platform name=com.google.android.apps.internal.gyotaku domain=gyotaku_app type=system_app_data_file levelFrom=all
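Review bot: The last three lines let an app domain read `vendor_fingerprint_data_file` (directory listing and file contents) while `net_domain(gyotaku_app)` a few lines up gives the same domain network egress, so whatever the fingerprint subtree under /data/vendor/misc holds (not visible here) can be copied off the device by this app. The package is installed only on debug builds according to the accompanying .mk, but these rules are unconditional, so user-build policy still carries the path; wrapping the fingerprint-access lines (and `net_domain`, if the app works offline) in the policy's userdebug_or_eng() macro keeps them out of production policy. The comment `# For access /data/vendor/misc fingerprint use.` should also say what is read and why, e.g. `# Read-only access to the fingerprint vendor data directory for debug capture (userdebug/eng only).` once that is confirmed.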
diff --git a/gyotaku_app/gyotaku_fingerprint.mk b/gyotaku_app/gyotaku_fingerprint.mk
new file mode 100644
index 0000000..051b88e
--- /dev/null
+++ b/gyotaku_app/gyotaku_fingerprint.mk
@@ -0,0 +1,5 @@
+# Specific build for fingerprint
+PRODUCT_PACKAGES_DEBUG += \
+ Gyotaku
+
+BOARD_SEPOLICY_DIRS += device/google/gs-common/gyotaku_app/fingerprint
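Review bot: `PRODUCT_PACKAGES_DEBUG += Gyotaku` installs the app only on userdebug/eng builds, but the unconditional `BOARD_SEPOLICY_DIRS +=` line compiles the gyotaku_app domain, its seapp_contexts entry and its fingerprint-data read rules into every build that includes this makefile, user builds included. Either guard the policy the same way the package is guarded (wrap the allow rules in gyotaku_app.te in userdebug_or_eng(), or make the BOARD_SEPOLICY_DIRS addition conditional on the build variant) or add a comment stating that shipping the domain on user builds is intended. As written, a platform-signed system-uid package with that name on a user build would land in a domain that can read vendor fingerprint data, which is more than a debug-only tool should leave behind.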