Snap for 12337407 from 92f65e92ab to 25Q1-release

Change-Id: Id725b9026ade2ea898197f807e1d8ff90a174d66

audio/common.mk

@@ -3,8 +3,15 @@ BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/common
 #Audio Vendor libraries
 PRODUCT_PACKAGES += \
 	libfvsam_prm_parser \
-	libmahalcontroller \
+	libmahalcontroller
+
+ifeq ($(USE_MAM_V4_ABOVE),true)
+PRODUCT_PACKAGES += \
+	libMAM_Google_Pixel_Android
+else
+PRODUCT_PACKAGES += \
 	libAlgFx_HiFi3z
+endif
 
 ifneq ($(USE_AUDIO_HAL_AIDL),true)
 ## AudioHAL Configurations

battery_mitigation/sepolicy/vendor/dumpstate.te

@@ -8,6 +8,7 @@ allow hal_dumpstate_default sysfs_cpu:file { read open getattr };
 allow hal_dumpstate_default sysfs_batteryinfo:dir { read open search };
 allow hal_dumpstate_default sysfs_batteryinfo:file { read open getattr };
 allow hal_dumpstate_default logbuffer_device:chr_file { read open getattr };
+allow hal_dumpstate_default mitigation_vendor_data_file:file { read open getattr };
 allow hal_dumpstate_default mitigation_vendor_data_file:dir { search };
 allow hal_dumpstate_default sysfs_bcl:dir { read open search };
 allow hal_dumpstate_default sysfs_bcl:file { read open getattr };

bootctrl/aidl/BootControl.cpp

@@ -384,7 +384,7 @@ ScopedAStatus BootControl::isSlotMarkedSuccessful(int32_t in_slot, bool* _aidl_r
         *_aidl_return = true;
         return ScopedAStatus::ok();
     }
-    if (in_slot >= slots)
+    if (in_slot < 0 || in_slot >= slots)
         return ScopedAStatus::fromServiceSpecificErrorWithMessage(
                 INVALID_SLOT, (std::string("Invalid slot ") + std::to_string(in_slot)).c_str());
 

check_current_prebuilt/check_current_prebuilt.mk

@@ -0,0 +1,27 @@
+# Create symlink for bootloader
+$(shell rm -f "pixel_current_bootloader")
+ifdef BOOTLOADER_FILE_PATH
+$(shell ln -sf ${BOOTLOADER_FILE_PATH} "pixel_current_bootloader")
+else ifdef BOOTLOADER_RADIO_FILE_PATH
+$(shell ln -sf ${BOOTLOADER_RADIO_FILE_PATH} "pixel_current_bootloader")
+endif
+
+# Create symlink for kernel
+$(shell rm -f "pixel_current_kernel")
+ifdef TARGET_KERNEL_DIR
+$(shell ln -sf ${TARGET_KERNEL_DIR} "pixel_current_kernel")
+endif
+
+# Create symlink for radio
+$(shell rm -f "pixel_current_radio")
+ifdef RADIO_FILE_PATH
+$(shell ln -sf ${RADIO_FILE_PATH} "pixel_current_radio")
+else ifdef BOOTLOADER_RADIO_FILE_PATH
+$(shell ln -sf ${BOOTLOADER_RADIO_FILE_PATH} "pixel_current_radio")
+endif
+
+# Create symlink for radiocfg
+$(shell rm -f "pixel_current_radiocfg")
+ifdef SRC_MDM_CFG_DIR
+$(shell ln -sf ${SRC_MDM_CFG_DIR} "pixel_current_radiocfg")
+endif

dauntless/gsc.mk

@@ -20,4 +20,76 @@ PRODUCT_PACKAGES_DEBUG += citadel_integration_tests \
                           nugget_targeted_tests \
                           CitadelProvision \
                           nugget_aidl_test_weaver
+
+# Assign default value for RELEASE_GOOGLE_DAUNTLESS_DIR if no trunk flags support
+RELEASE_GOOGLE_DAUNTLESS_DIR ?= vendor/google_nos/prebuilts/dauntless
+
+# The production Dauntless firmware will be of flavors evt and d3m2.
+# There are also several flavors of pre-release chips. Each flavor
+# (production and pre-release) requires the firmware to be signed differently.
+DAUNTLESS_FIRMWARE_SIZE := 1048576
+
+# The nearly-production Dauntless chips are "proto1.1"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin))
+$(error GSC firmware size check fail)
 endif
+PRODUCT_COPY_FILES += \
+    $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/proto11.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# The production Dauntless chips are "evt"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin))
+$(error GSC firmware size check fail)
+endif
+PRODUCT_COPY_FILES += \
+    $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/evt.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# New 2023 production Dauntless chips are "d3m2"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin))
+$(error GSC firmware size check fail)
+endif
+PRODUCT_COPY_FILES += \
+    $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/d3m2.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# Intermediate image artifacts are published, but aren't included in /vendor/firmware/dauntless
+# in PRODUCT_COPY_FILES
+# This is because intermediate images aren't needed on user devices, but the published artifact
+# is useful for flashstation purposes.
+
+# proto11 chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin)
+endif
+# evt chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin)
+endif
+# d3m2 chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin)
+endif
+
+endif # $(wildcard vendor)

display/dump_display.cpp

@@ -25,6 +25,6 @@ int main() {
     dumpFileContent("Primary panel name", "/sys/devices/platform/exynos-drm/primary-panel/panel_name");
     dumpFileContent("Primary panel extra info", "/sys/devices/platform/exynos-drm/primary-panel/panel_extinfo");
     dumpFileContent("Primary panel power Vreg", "/sys/devices/platform/exynos-drm/primary-panel/panel_pwr_vreg");
+    dumpFileContent("Primary panel power mode register", "/sys/devices/platform/exynos-drm/primary-panel/power_mode");
     return 0;
-}
-
+}

display/dump_second_display.cpp

@@ -20,6 +20,7 @@ int main() {
     dumpFileContent("CRTC-1 event log", "/sys/kernel/debug/dri/0/crtc-1/event");
     dumpFileContent("Secondary panel name", "/sys/devices/platform/exynos-drm/secondary-panel/panel_name");
     dumpFileContent("Secondary panel extra info", "/sys/devices/platform/exynos-drm/secondary-panel/panel_extinfo");
+    dumpFileContent("Secondary panel power mode register", "/sys/devices/platform/exynos-drm/secondary-panel/power_mode");
     return 0;
 }
 

esim/Android.bp

@@ -0,0 +1,10 @@
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+prebuilt_etc {
+    name: "init.esim-gs.rc",
+    src: "init.esim-gs.rc",
+    vendor: true,
+    sub_dir: "init",
+}

esim/OWNERS

@@ -0,0 +1,2 @@
+kiwonp@google.com
+mewan@google.com

esim/esim.mk

@@ -0,0 +1,5 @@
+PRODUCT_PACKAGES += init.esim-gs.rc
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/vendor
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/system_ext/private

esim/init.esim-gs.rc

@@ -0,0 +1,7 @@
+# Disable bootstrap when bootloader is unlocked in user build
+on property:ro.build.type=user && property:ro.boot.flash.locked=0
+    setprop setupwizard.feature.provisioning_profile_mode false
+
+# Disable bootstrap for DVT devices shipping to non-US carriers
+on property:ro.boot.warranty.sku=BOF
+    setprop setupwizard.feature.provisioning_profile_mode false

esim/sepolicy/system_ext/private/gmscore_app.te

@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)

esim/sepolicy/system_ext/private/priv_app.te

@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)

esim/sepolicy/system_ext/private/property_contexts

@@ -0,0 +1,2 @@
+# setupwizard
+setupwizard.feature.provisioning_profile_mode    u:object_r:setupwizard_feature_prop:s0

esim/sepolicy/system_ext/public/property.te

@@ -0,0 +1,2 @@
+# setupwizard
+system_public_prop(setupwizard_feature_prop)

esim/sepolicy/vendor/vendor_init.te

@@ -0,0 +1,2 @@
+# setupwizard
+set_prop(vendor_init, setupwizard_feature_prop)

gps/pixel/sepolicy/hal_gnss_pixel.te

@@ -10,6 +10,9 @@ allow hal_gnss_pixel sysfs_gps:file rw_file_perms;
 # Allow access to CHRE multiclient HAL.
 get_prop(hal_gnss_pixel, vendor_chre_hal_prop)
 
+# Allow read vendor gps prop.
+get_prop(hal_gnss_pixel, vendor_gps_prop)
+
 # Allow binder to CHRE.
 binder_call(hal_gnss_pixel, hal_contexthub_default)
 allow hal_gnss_pixel hal_contexthub_service:service_manager find;

gpu/MK_OWNERS

@@ -0,0 +1,4 @@
+jessehall@google.com
+spyffe@google.com
+jorwag@google.com
+jeremykemp@google.com

gpu/OWNERS

@@ -0,0 +1,2 @@
+per-file gpu.mk=set noparent
+per-file gpu.mk=file:MK_OWNERS

gril/aidl/2.0/compatibility_matrix.xml

@@ -0,0 +1,10 @@
+<compatibility-matrix version="1.0" type="framework">
+    <hal format="aidl" optional="true">
+        <name>vendor.google.radio_ext</name>
+        <version>2</version>
+        <interface>
+            <name>IRadioExt</name>
+            <instance>default</instance>
+        </interface>
+    </hal>
+</compatibility-matrix>

gril/aidl/2.0/gril_aidl.mk

@@ -0,0 +1,3 @@
+PRODUCT_PACKAGES += vendor.google.radioext@1.0-service
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/aidl/2.0/compatibility_matrix.xml
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/aidl/2.0/sepolicy

gril/aidl/2.0/sepolicy/file_contexts

@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service                        u:object_r:hal_aidl_radio_ext_exec:s0

gril/aidl/2.0/sepolicy/grilservice_app.te

@@ -0,0 +1,4 @@
+# allow grilservice_app to find hal_aidl_radio_ext_service
+allow grilservice_app hal_aidl_radio_ext_service:service_manager find;
+binder_call(grilservice_app, hal_aidl_radio_ext)
+binder_call(grilservice_app, twoshay)

gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te

@@ -0,0 +1,33 @@
+# hal_aidl_radio_ext domain
+type hal_aidl_radio_ext, domain;
+type hal_aidl_radio_ext_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(hal_aidl_radio_ext)
+
+get_prop(hal_aidl_radio_ext, hwservicemanager_prop)
+get_prop(hal_aidl_radio_ext, telephony_modemtype_prop)
+set_prop(hal_aidl_radio_ext, vendor_gril_prop)
+
+binder_call(hal_aidl_radio_ext, servicemanager)
+binder_call(hal_aidl_radio_ext, grilservice_app)
+binder_call(hal_aidl_radio_ext, hal_bluetooth_btlinux)
+
+add_service(hal_aidl_radio_ext, hal_aidl_radio_ext_service)
+
+# RW /dev/oem_ipc0
+allow hal_aidl_radio_ext radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_aidl_radio_ext radio_vendor_data_file:dir create_dir_perms;
+allow hal_aidl_radio_ext radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_service:service_manager find;
+
+# Allow access to the backlight driver to set ssc_mode
+allow hal_aidl_radio_ext sysfs_leds:dir search;
+allow hal_aidl_radio_ext sysfs_leds:file rw_file_perms;
+
+# legacy/zuma/vendor
+allow hal_aidl_radio_ext sysfs_display:file rw_file_perms;

gril/aidl/2.0/sepolicy/hal_camera_default.te

@@ -0,0 +1,2 @@
+# allow hal_camera_default to binder call hal_aidl_radio_ext
+binder_call(hal_camera_default, hal_aidl_radio_ext);

gril/aidl/2.0/sepolicy/service.te

@@ -0,0 +1,2 @@
+# Radio Ext AIDL service
+type hal_aidl_radio_ext_service, hal_service_type, protected_service, service_manager_type;

gril/aidl/2.0/sepolicy/service_contexts

@@ -0,0 +1 @@
+vendor.google.radio_ext.IRadioExt/default                 u:object_r:hal_aidl_radio_ext_service:s0

gril/aidl/2.0/sepolicy/twoshay.te

@@ -0,0 +1,2 @@
+# allow twoshay to binder call hal_aidl_radio_ext
+binder_call(twoshay, hal_aidl_radio_ext)

gril/hidl/1.7/compatibility_matrix.xml

@@ -0,0 +1,10 @@
+<compatibility-matrix version="1.0" type="framework">
+    <hal format="hidl" optional="true">
+        <name>vendor.google.radioext</name>
+        <version>1.7</version>
+        <interface>
+            <name>IRadioExt</name>
+            <instance>default</instance>
+        </interface>
+    </hal>
+</compatibility-matrix>

gril/hidl/1.7/gril_hidl.mk

@@ -0,0 +1,3 @@
+PRODUCT_PACKAGES += vendor.google.radioext@1.0-service
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/hidl/1.7/compatibility_matrix.xml
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/hidl/1.7/sepolicy

gril/hidl/1.7/sepolicy/file_contexts

@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service                        u:object_r:hal_radioext_default_exec:s0

gril/hidl/1.7/sepolicy/grilservice_app.te

@@ -0,0 +1,2 @@
+# allow grilservice_app to binder call hal_radioext_default
+binder_call(grilservice_app, hal_radioext_default)

gril/hidl/1.7/sepolicy/hal_camera_default.te

@@ -0,0 +1,2 @@
+# allow hal_camera_default to binder call hal_radioext_default
+binder_call(hal_camera_default, hal_radioext_default);

gril/hidl/1.7/sepolicy/hal_radioext_default.te

@@ -0,0 +1,28 @@
+# hal_radioext_default domain
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+get_prop(hal_radioext_default, telephony_modemtype_prop)
+set_prop(hal_radioext_default, vendor_gril_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, servicemanager)
+binder_call(hal_radioext_default, grilservice_app)
+binder_call(hal_radioext_default, hal_bluetooth_btlinux)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_radioext_default hal_bluetooth_coexistence_service:service_manager find;
+
+# legacy/zuma/vendor
+allow hal_radioext_default sysfs_display:file rw_file_perms;

gril/hidl/1.7/sepolicy/hwservice_contexts

@@ -0,0 +1,2 @@
+# GRIL HAL
+vendor.google.radioext::IRadioExt                                                  u:object_r:hal_radioext_hwservice:s0

gril/hidl/1.7/sepolicy/twoshay.te

@@ -0,0 +1,2 @@
+# allow twoshay to binder call hal_radioext_default
+binder_call(twoshay, hal_radioext_default)

gs_watchdogd/init.gs_watchdogd.rc

@@ -1,5 +1,6 @@
 # Pet watchdog timer every half of its timeout period.
 service gs_watchdogd /system_ext/bin/gs_watchdogd
+    user root
     class core
     oneshot
     seclabel u:r:gs_watchdogd:s0

mediacodec/vpu/sepolicy/mediacodec_google.te

@@ -7,6 +7,8 @@ hal_server_domain(mediacodec_google, hal_codec2)
 
 hal_client_domain(mediacodec_google, hal_graphics_allocator)
 
+add_service(mediacodec_google, eco_service)
+
 allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediacodec_google video_device:chr_file { read write open ioctl map };
 
@@ -19,3 +21,11 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
 neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+# Allow HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(mediacodec_google)')
+
+userdebug_or_eng(`
+ allow mediacodec_google vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_google vendor_media_data_file:file create_file_perms;
+')

modem/radio_ext/sepolicy/grilservice_app.te

@@ -0,0 +1,2 @@
+allow grilservice_app hal_radio_ext_service:service_manager find;
+binder_call(grilservice_app, hal_radio_ext)

modem/shared_modem_platform/compatibility_matrix.xml

@@ -2,7 +2,7 @@
     <!-- Optional since older devices will not register any services. -->
     <hal format="aidl" optional="true">
         <name>com.google.pixel.shared_modem_platform</name>
-        <version>1</version>
+        <version>2</version>
         <interface>
             <name>ISharedModemPlatform</name>
             <instance>default</instance>

nfc/sepolicy_st21nfc/file_contexts

@@ -0,0 +1,2 @@
+/dev/st21nfc                                                                u:object_r:nfc_device:s0
+/vendor/bin/hw/android\.hardware\.nfc-service\.st                           u:object_r:hal_nfc_default_exec:s0

nfc/sepolicy_st54spi/file.te

@@ -0,0 +1,3 @@
+# SecureElement SPI device
+type st54spi_device, dev_type;
+

nfc/sepolicy_st54spi/file_contexts

@@ -0,0 +1,3 @@
+/dev/st54spi                                                                u:object_r:st54spi_device:s0
+/vendor/bin/hw/android\.hardware\.secure_element-service\.thales            u:object_r:hal_secure_element_st54spi_aidl_exec:s0
+

nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te

@@ -0,0 +1,9 @@
+# sepolicy for ST54L secure element
+type hal_secure_element_st54spi_aidl, domain;
+type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi_aidl)
+hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element)
+allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop)
+

nfc/sepolicy_st54spi/property.te

@@ -0,0 +1,3 @@
+# SecureElement vendor property
+vendor_internal_prop(vendor_secure_element_prop)
+

nfc/sepolicy_st54spi/property_contexts

@@ -0,0 +1,2 @@
+# SecureElement vendor property
+persist.vendor.se.                         u:object_r:vendor_secure_element_prop:s0

nfc/sepolicy_st54spi/vendor_init.te

@@ -0,0 +1,2 @@
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)

nfc/st21nfc.mk

@@ -0,0 +1,2 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st21nfc
+PRODUCT_PACKAGES += android.hardware.nfc-service.st

nfc/st54spi.mk

@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st54spi
+PRODUCT_PACKAGES += android.hardware.secure_element-service.thales
+

performance/sepolicy/file.te

@@ -1,2 +1,8 @@
+# proactive kill
 type sysfs_pakills, fs_type, sysfs_type;
+
+# bts dump
 type vendor_bts_debugfs, fs_type, debugfs_type;
+
+# proc_compaction_proactiveness type
+type proc_compaction_proactiveness, fs_type, proc_type;

performance/sepolicy/genfs_contexts

@@ -1,3 +1,4 @@
 genfscon proc /sys/kernel/sched_pelt_multiplier u:object_r:proc_sched:s0
 genfscon sysfs /kernel/vendor_mm/pa_kill u:object_r:sysfs_pakills:s0
 genfscon debugfs /bts u:object_r:vendor_bts_debugfs:s0
+genfscon proc /sys/vm/compaction_proactiveness u:object_r:proc_compaction_proactiveness:s0

performance/sepolicy/vendor_init.te

@@ -1,3 +1,3 @@
 # MM
 allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms;
-
+allow vendor_init proc_compaction_proactiveness:file w_file_perms;

storage/sepolicy/charger_vendor.te

@@ -0,0 +1,3 @@
+# fork from dcb05d13
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+

storage/sepolicy/device.te

@@ -1,2 +1,11 @@
 # Userdata Exp block device.
 type userdata_exp_block_device, dev_type;
+
+# Block Devices
+type persist_block_device, dev_type;
+type efs_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+
+# Storage firmware upgrade
+type ufs_internal_block_device, dev_type;
+

storage/sepolicy/dump_storage.te

@@ -1,8 +1,11 @@
+# adb bugreport
 pixel_bugreport(dump_storage)
 
+# adb bugreport
 allow dump_storage sysfs_scsi_devices_0000:dir r_dir_perms;
 allow dump_storage sysfs_scsi_devices_0000:file r_file_perms;
 
+# adb bugreport
 userdebug_or_eng(`
   allow dump_storage debugfs_f2fs:dir r_dir_perms;
   allow dump_storage debugfs_f2fs:file r_file_perms;
@@ -17,7 +20,10 @@ userdebug_or_eng(`
   allow dump_storage dump_storage_data_file:file create_file_perms;
 ')
 
+# adb bugreport
 get_prop(dump_storage, boottime_public_prop)
 
+# adb bugreport
 dontaudit dump_storage debugfs_f2fs:dir r_dir_perms;
 dontaudit dump_storage debugfs_f2fs:file r_file_perms;
+

storage/sepolicy/dumpstate.te

@@ -1 +1,7 @@
-allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+# adb bugreport
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir { getattr };
+allow dumpstate modem_efs_file:dir { getattr };
+allow dumpstate modem_userdata_file:dir { getattr };
+allow dumpstate vold:binder { call };
+

storage/sepolicy/e2fs.te

@@ -1 +1,10 @@
+# fix mkfs
 allow e2fs userdata_exp_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
+

storage/sepolicy/fastbootd.te

@@ -1 +1,3 @@
+# fastbootd
 allow fastbootd devpts:chr_file rw_file_perms;
+

storage/sepolicy/file.te

@@ -1,4 +1,6 @@
+# file.te
 type debugfs_f2fs, debugfs_type, fs_type;
 type dump_storage_data_file, file_type, data_file_type;
 type sg_device, dev_type;
 type sg_util_exec, exec_type, vendor_file_type, file_type;
+

storage/sepolicy/file_contexts

@@ -1,6 +1,9 @@
+# storage
 /vendor/bin/dump/dump_storage      u:object_r:dump_storage_exec:s0
 /sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging  u:object_r:sysfs_scsi_devices_0000:s0
 /dev/sg[0-9]                       u:object_r:sg_device:s0
 /data/vendor/storage(/.*)?         u:object_r:dump_storage_data_file:s0
 /vendor/bin/sg_read_buffer         u:object_r:sg_util_exec:s0
 /dev/block/by-name/userdata_exp.*  u:object_r:userdata_exp_block_device:s0
+/vendor/bin/ufs_firmware_update\.sh                                  u:object_r:ufs_firmware_update_exec:s0
+

storage/sepolicy/fsck.te

@@ -1 +1,7 @@
+# fix fsck
 allow fsck userdata_exp_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
+

storage/sepolicy/genfs_contexts

@@ -1 +1,3 @@
+# f2fs
 genfscon debugfs /f2fs     u:object_r:debugfs_f2fs:s0
+

storage/sepolicy/hal_health_default.te

@@ -0,0 +1,3 @@
+# dumpsys android.hardware.power.stats.IPowerStats/default
+r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
+

storage/sepolicy/hal_health_storage_default.te

@@ -1,3 +1,4 @@
 # Access to /sys/devices/platform/*ufs/*
 allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
+

storage/sepolicy/hal_power_stats_default.te

@@ -0,0 +1,3 @@
+# dumpsys android.hardware.power.stats.IPowerStats/default
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
+

storage/sepolicy/init.te

@@ -1 +1,3 @@
+# init
 allow init sysfs_scsi_devices_0000:file w_file_perms;
+

storage/sepolicy/ufs_firmware_update.te

@@ -0,0 +1,11 @@
+# support ufs ffu via ota
+init_daemon_domain(ufs_firmware_update)
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
+
+# support ufs ffu via ota
+allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+allow ufs_firmware_update block_device:dir { search };
+allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;
+allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+

storage/sepolicy/vendor_init.te

@@ -1 +1,6 @@
+# vendor_init
 allow vendor_init sg_device:chr_file r_file_perms;
+
+# dirty swappiness
+allow vendor_init proc_dirty:file w_file_perms;
+

storage/sepolicy/vold.te

@@ -1,8 +1,17 @@
+# ufs hagc
 allow vold sysfs_scsi_devices_0000:file rw_file_perms;
 
 # Access userdata_exp block device.
 allow vold userdata_exp_block_device:blk_file rw_file_perms;
 allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;
 
+# adb bugreport
 dontaudit vold dumpstate:fifo_file rw_file_perms;
 dontaudit vold dumpstate:fd use ;
+
+# fix idle-maint
+allow vold efs_block_device:blk_file { getattr };
+allow vold modem_userdata_block_device:blk_file { getattr };
+allow vold modem_efs_file:dir { read open ioctl };
+allow vold modem_userdata_file:dir { read open ioctl };
+

touch/gti/ical/sepolicy/property.te

@@ -1 +1,2 @@
 system_public_prop(vendor_gti_prop)
+typeattribute vendor_gti_prop         touch_property_type;

widevine/sepolicy/hal_drm_clearkey.te

@@ -1,5 +1,6 @@
+# sepolicy for DRM clearkey
 type hal_drm_clearkey, domain;
 type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_drm_clearkey)
 
-#TODO: snehalreddy@ add sepolicy
+hal_server_domain(hal_drm_clearkey, hal_drm)

widevine/sepolicy/hal_drm_widevine.te

@@ -1,5 +1,13 @@
+# sepolicy for DRM widevine
 type hal_drm_widevine, domain;
 type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_drm_widevine)
 
-#TODO: snehalreddy@ add sepolicy
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+#L1
+#TODO(snehalreddy@) : Add L1 permissions