From 3d6169d30bfcabd47398f43ae7861aefdc99cbf1 Mon Sep 17 00:00:00 2001 From: Jasmine Cha Date: Tue, 13 Aug 2024 08:14:48 +0000 Subject: [PATCH 01/31] switch waves prebuilt version Flag: EXEMPT bringup waves Bug: 352461861 Test: manual test Change-Id: Ic7a826d98a77ccb579594a9fb7db1df5d62e99aa Signed-off-by: Jasmine Cha --- audio/common.mk | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/audio/common.mk b/audio/common.mk index edf7b6a..a691f0a 100644 --- a/audio/common.mk +++ b/audio/common.mk @@ -3,8 +3,15 @@ BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/common #Audio Vendor libraries PRODUCT_PACKAGES += \ libfvsam_prm_parser \ - libmahalcontroller \ + libmahalcontroller + +ifeq ($(USE_MAM_V4_ABOVE),true) +PRODUCT_PACKAGES += \ + libMAM_Google_Pixel_Android +else +PRODUCT_PACKAGES += \ libAlgFx_HiFi3z +endif ifneq ($(USE_AUDIO_HAL_AIDL),true) ## AudioHAL Configurations From 44f21d0c43f9b476b2276e1931b2ebf23a53fc19 Mon Sep 17 00:00:00 2001 From: attis Date: Fri, 9 Aug 2024 14:15:45 +0800 Subject: [PATCH 02/31] Add dump of panel power_mode. Add the power_mode sysfs node to dump_second_display.cpp and dump_display.cpp. Bug: 358505990 Flag: EXEMPT bugfix Test: adb bugreport. Change-Id: I875b9a3ef416c188376eb2f9226996b6645ccdb9 Signed-off-by: attis --- display/dump_display.cpp | 4 ++-- display/dump_second_display.cpp | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/display/dump_display.cpp b/display/dump_display.cpp index b811889..2df6b4b 100644 --- a/display/dump_display.cpp +++ b/display/dump_display.cpp 
@@ -25,6 +25,6 @@ int main() { dumpFileContent("Primary panel name", "/sys/devices/platform/exynos-drm/primary-panel/panel_name"); dumpFileContent("Primary panel extra info", "/sys/devices/platform/exynos-drm/primary-panel/panel_extinfo"); dumpFileContent("Primary panel power Vreg", "/sys/devices/platform/exynos-drm/primary-panel/panel_pwr_vreg"); + dumpFileContent("Primary panel power mode register", "/sys/devices/platform/exynos-drm/primary-panel/power_mode"); return 0; -} - +} \ No newline at end of file diff --git a/display/dump_second_display.cpp b/display/dump_second_display.cpp index a6f2665..80ea909 100644 --- a/display/dump_second_display.cpp +++ b/display/dump_second_display.cpp @@ -20,6 +20,7 @@ int main() { dumpFileContent("CRTC-1 event log", "/sys/kernel/debug/dri/0/crtc-1/event"); dumpFileContent("Secondary panel name", "/sys/devices/platform/exynos-drm/secondary-panel/panel_name"); dumpFileContent("Secondary panel extra info", "/sys/devices/platform/exynos-drm/secondary-panel/panel_extinfo"); + dumpFileContent("Secondary panel power mode register", "/sys/devices/platform/exynos-drm/secondary-panel/power_mode"); return 0; } From e6358c91de46809e50419f7a6fb70c9d0f45554f Mon Sep 17 00:00:00 2001 
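Review bot: The hunk drops the file's trailing newline (the `\ No newline at end of file` marker after the closing `}`), which is unrelated to the stated fix and will show up as churn in every later diff of this file; keep `}` followed by a newline. The label `Primary panel power mode register` describes a sysfs node rather than a register — `Primary panel power mode` matches the `power_mode` node name and the pattern of the neighbouring labels. `main()` starts outside the hunk, so the behaviour of `dumpFileContent` on an unreadable node is not visible here.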
From: Frank Yu Date: Thu, 22 Aug 2024 11:03:01 +0000 Subject: [PATCH 03/31] Move hal_radio_ext_service related policy of grilservice_app to gs-common. Related avc error: avc: denied { find } for pid=2227 uid=10259 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:grilservice_app:s0:c3,c257,c512,c768 tcontext=u:object_r:hal_radio_ext_service:s0 tclass=service_manager permissive=0 avc: denied { call } for comm="oid.grilservice" scontext=u:r:grilservice_app:s0:c3,c257,c512,c768 tcontext=u:r:hal_radioext_default:s0 tclass=binder permissive=0 app=com.google.android.grilservice Bug: 361210953 Change-Id: Ibb8a341847b0772668b52bc01f2d087bf1874fe9 Test: Verify with test ROM Flag: EXEMPT sepolicy refactor --- modem/radio_ext/sepolicy/grilservice_app.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 modem/radio_ext/sepolicy/grilservice_app.te diff --git a/modem/radio_ext/sepolicy/grilservice_app.te b/modem/radio_ext/sepolicy/grilservice_app.te new file mode 100644 index 0000000..9bd8c8e --- /dev/null +++ b/modem/radio_ext/sepolicy/grilservice_app.te @@ -0,0 +1,2 @@ +allow grilservice_app hal_radio_ext_service:service_manager find; +binder_call(grilservice_app, hal_radio_ext) From 13883d9a54be6a6072054790cabcde3189c422b5 Mon Sep 17 00:00:00 2001 
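Review bot: `binder_call(grilservice_app, hal_radio_ext)` grants call/transfer against every domain carrying the `hal_radio_ext` attribute, while the logged denial targets only the server domain `hal_radioext_default`; in the AOSP hal_attribute convention that attribute spans both client and server domains, so the rule is broader than the denial requires. If `hal_radio_ext` is declared via `hal_attribute`, the idiomatic and narrower form is `hal_client_domain(grilservice_app, hal_radio_ext)` (keeping the separate `service_manager find` rule); otherwise target `hal_radio_ext_server`. A one-line comment naming the consumer, e.g. `# GRIL service app (com.google.android.grilservice) is a client of the radio_ext HAL`, would help the next reader audit this app-to-vendor-HAL edge.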
From: Ernie Hsu Date: Tue, 27 Aug 2024 04:11:51 +0000 Subject: [PATCH 04/31] mediacodec: fix permission for vendor_media_data and ecoservice vendor_media_data: 08-27 12:07:01.540 747 747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1785): avc: denied { search } for comm=436F646563322E30204C6F6F706572 name="media" dev="dm-57" ino=399 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=dir permissive=1 08-27 12:07:01.540 747 747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1786): avc: denied { write } for comm=436F646563322E30204C6F6F706572 name="media" dev="dm-57" ino=399 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=dir permissive=1 08-27 12:07:01.540 747 747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1787): avc: denied { add_name } for comm=436F646563322E30204C6F6F706572 name="input_7335.bin" scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=dir permissive=1 08-27 12:07:01.540 747 747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1788): avc: denied { create } for comm=436F646563322E30204C6F6F706572 name="input_7335.bin" scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=file permissive=1 08-27 12:07:01.540 747 747 I /vendor/bin/hw/google.hardware.media.c2@3.0-service: type=1400 audit(0.0:1789): avc: denied { append open } for comm=436F646563322E30204C6F6F706572 path="/data/vendor/media/input_7335.bin" dev="dm-57" ino=26749 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:vendor_media_data_file:s0 tclass=file permissive=1 ecoservice: 08-27 13:07:44.686 358 358 E SELinux : avc: denied { find } for pid=743 uid=1046 name=media.ecoservice scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:eco_service:s0 tclass=service_manager permissive=1 Flag: EXEMPT bugfix Test: video playback and screen record 
Bug: 361093311 Change-Id: I37d5081061bad2917b24e320f4e4a9c8116db6fa --- mediacodec/vpu/sepolicy/mediacodec_google.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te index e0f5d7f..47c0be8 100644 --- a/mediacodec/vpu/sepolicy/mediacodec_google.te +++ b/mediacodec/vpu/sepolicy/mediacodec_google.te @@ -7,6 +7,8 @@ hal_server_domain(mediacodec_google, hal_codec2) hal_client_domain(mediacodec_google, hal_graphics_allocator) +add_service(mediacodec_google, eco_service) + allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; allow mediacodec_google video_device:chr_file { read write open ioctl map }; @@ -19,3 +21,8 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans; # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html neverallow mediacodec_google domain:{ udp_socket rawip_socket } *; neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *; + +userdebug_or_eng(` + allow mediacodec_google vendor_media_data_file:dir rw_dir_perms; + allow mediacodec_google vendor_media_data_file:file create_file_perms; +') From d35b61f3905bea1dfe1c8cb37c2b2e50c98b4d26 Mon Sep 17 00:00:00 2001 From: Ernie Hsu Date: Wed, 28 Aug 2024 09:16:37 +0000 Subject: [PATCH 05/31] mediacodec: fix perfetto trace permission 08-28 16:33:56.280 1046 720 720 I auditd : type=1400 audit(0.0:469): avc: denied { write } for comm="TracingMuxer" name="traced_producer" dev="tmpfs" ino=1604 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=0 Flag: EXEMPT bugfix Test: atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Bug: 361093311 Change-Id: I0aad9d771069cd0d660708e41c29c79d83e04704 --- mediacodec/vpu/sepolicy/mediacodec_google.te | 3 +++ 1 file changed, 3 insertions(+) 
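Review bot: The logged ecoservice denial is `find`, i.e. mediacodec_google is a client of `media.ecoservice`, but the hunk uses `add_service(mediacodec_google, eco_service)`, which also grants `add` and — in the AOSP macro — installs a neverallow so that only this domain may register the service. If another domain hosts ECOService that neverallow will break the policy build or the real provider; the minimal rule for what the log shows is `allow mediacodec_google eco_service:service_manager find;`. Add a `binder_call` to the provider's domain only if a later denial shows the call itself is blocked.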
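Review bot: The new `userdebug_or_eng` block has no comment, and its purpose is only recoverable from the avc log in the commit message — the codec HAL writing `input_*.bin` bitstream dumps under `/data/vendor/media`; add `# Debug builds only: codec input bitstream dumps under /data/vendor/media (b/361093311)` above it. `create_file_perms` also grants unlink/rename on every file of that label, which may be more than dump writing needs; the log shows `append open`, so `{ create append open getattr }` would be tighter — hedged, since other debug tooling may rely on the wider set. Keeping the rule gated on `userdebug_or_eng` is the right call; the neverallows above it are unchanged.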
diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te index 47c0be8..8022675 100644 --- a/mediacodec/vpu/sepolicy/mediacodec_google.te +++ b/mediacodec/vpu/sepolicy/mediacodec_google.te @@ -22,6 +22,9 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans; neverallow mediacodec_google domain:{ udp_socket rawip_socket } *; neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *; +# Allow HAL to send trace packets to Perfetto +userdebug_or_eng(`perfetto_producer(mediacodec_google)') + userdebug_or_eng(` allow mediacodec_google vendor_media_data_file:dir rw_dir_perms; allow mediacodec_google vendor_media_data_file:file create_file_perms; From b584b9c7e081d803b32f0ff5f059573dfa6c0a0e Mon Sep 17 00:00:00 2001 From: bgkim Date: Wed, 28 Aug 2024 12:38:34 -0700 Subject: [PATCH 06/31] bootctrl: fixed OOB read in BootControl Fixed OOB read in BootControl::isSlotMarkedSuccessful() by checking if "in_slot" is negative Flag: EXEMPT bugfix Test: tested on Husky device Bug: 353516777 Change-Id: I634c32a8c12403008fe5a724bc447f82931ae9c5 Signed-off-by: bgkim --- bootctrl/aidl/BootControl.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootctrl/aidl/BootControl.cpp b/bootctrl/aidl/BootControl.cpp index 83deb72..8655929 100644 --- a/bootctrl/aidl/BootControl.cpp +++ b/bootctrl/aidl/BootControl.cpp @@ -384,7 +384,7 @@ ScopedAStatus BootControl::isSlotMarkedSuccessful(int32_t in_slot, bool* _aidl_r *_aidl_return = true; return ScopedAStatus::ok(); } - if (in_slot >= slots) + if (in_slot < 0 || in_slot >= slots) return ScopedAStatus::fromServiceSpecificErrorWithMessage( INVALID_SLOT, (std::string("Invalid slot ") + std::to_string(in_slot)).c_str()); From 956edf0d269c7c8f1b86ddcc567a5c03b5637147 Mon Sep 17 00:00:00 2001 
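Review bot: The guard now rejects a negative `in_slot`, but the same `in_slot >= slots` pattern is likely repeated in the other slot-taking methods of this class (the AIDL interface also takes a slot in setActiveBootSlot, setSlotAsUnbootable and getSuffix), which are outside the hunk — if they share the pattern they share the OOB read and should get the same fix, ideally through one `static bool isValidSlot(int32_t slot, int32_t slots)` helper so the check cannot drift again. The `*_aidl_return = true; return ScopedAStatus::ok();` branch just above the check returns before any range validation; whatever condition takes it should not depend on `in_slot`. isSlotMarkedSuccessful() starts and ends outside the hunk.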
From: Prochin Wang Date: Tue, 27 Aug 2024 07:04:23 +0000 Subject: [PATCH 07/31] Label touch_property_type to associate with vendor_gti_prop Pass ROM build of all git_main targets: https://android-build.googleplex.com/builds/abtd/run/L52500030006128092/ https://android-build.corp.google.com/abtd/run/L93900030006078492/ https://android-build.corp.google.com/abtd/run/L15800030006086232/ https://android-build.corp.google.com/abtd/run/L27700030006086619/ Bug: 361237875 Test: mm and flash rom Flag: build.RELEASE_PIXEL_BOOST_DATALAYER_PSA_ENABLED Change-Id: I518ff7c05fc1fa279cd7300cb77673a86ff3e35b --- touch/gti/ical/sepolicy/property.te | 1 + 1 file changed, 1 insertion(+) diff --git a/touch/gti/ical/sepolicy/property.te b/touch/gti/ical/sepolicy/property.te index 2a71d74..94fa3fc 100644 --- a/touch/gti/ical/sepolicy/property.te +++ b/touch/gti/ical/sepolicy/property.te @@ -1 +1,2 @@ system_public_prop(vendor_gti_prop) +typeattribute vendor_gti_prop touch_property_type; From d6ba7fad68261d667e385271a382861af13e5607 Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Tue, 27 Aug 2024 11:09:18 +0800 Subject: [PATCH 08/31] storage: fix idle-maint avc denials. avc: denied { getattr } for path="/dev/block/sda5" dev="tmpfs" ino=1039 scontext=u:r:vold:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { getattr } for path="/dev/block/sda7" dev="tmpfs" ino=1199 scontext=u:r:vold:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 Bug: 361093041 Test: run idle-maint run Change-Id: Ie92ffa8b576c74e3a1cb127b265059ec76c14667 Signed-off-by: Randall Huang --- storage/sepolicy/vold.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te index 3d35589..87387a7 100644 --- a/storage/sepolicy/vold.te +++ b/storage/sepolicy/vold.te @@ -1,3 +1,4 @@ +# ufs hagc allow vold sysfs_scsi_devices_0000:file rw_file_perms; # Access userdata_exp block device. 
@@ -6,3 +7,7 @@ allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD; dontaudit vold dumpstate:fifo_file rw_file_perms; dontaudit vold dumpstate:fd use ; + +# fix idle-maint +allow vold efs_block_device:blk_file { getattr }; +allow vold modem_userdata_block_device:blk_file { getattr }; From df4a5f7b482ba1e93462b009be2ae21c5aa5d9c0 Mon Sep 17 00:00:00 2001 
From: Randall Huang Date: Tue, 27 Aug 2024 15:03:35 +0800 Subject: [PATCH 09/31] storage: allow mkfs/fsck for vendor partitons avc: denied { read } for name="sda7" dev="tmpfs" ino=1173 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for path="/dev/block/sda7" dev="tmpfs" ino=1173 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { write } for name="sda7" dev="tmpfs" ino=1173 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for path="/dev/block/sda7" dev="tmpfs" ino=1173 ioctlcmd=0x1268 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { read } for name="sda5" dev="tmpfs" ino=1010 scontext=u:r:fsck:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for path="/dev/block/sda5" dev="tmpfs" ino=1010 scontext=u:r:fsck:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/zoned" dev="sysfs" ino=100275 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { write } for name="sda5" dev="tmpfs" ino=1010 scontext=u:r:fsck:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for path="/dev/block/sda5" dev="tmpfs" ino=1010 ioctlcmd=0x1268 scontext=u:r:fsck:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { search } for name="0:0:0:0" dev="sysfs" ino=100048 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=1 avc: denied { getattr } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda5/partition" dev="sysfs" ino=101272 scontext=u:r:fsck:s0 
tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for name="zoned" dev="sysfs" ino=100308 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/zoned" dev="sysfs" ino=100308 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { search } for name="0:0:0:0" dev="sysfs" ino=100048 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=1 avc: denied { getattr } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda10/partition" dev="sysfs" ino=102003 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for name="zoned" dev="sysfs" ino=100308 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/zoned" dev="sysfs" ino=100308 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for name="sda5" dev="tmpfs" ino=1004 scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for path="/dev/block/sda5" dev="tmpfs" ino=1004 scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { write } for name="sda5" dev="tmpfs" ino=1004 scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for path="/dev/block/sda5" dev="tmpfs" ino=1004 ioctlcmd=0x1268 scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { read } for name="sda7" dev="tmpfs" ino=1199 scontext=u:r:e2fs:s0 tcontext=u:object_r:modem_userdata_block_device:s0 
tclass=blk_file permissive=1 avc: denied { open } for path="/dev/block/sda7" dev="tmpfs" ino=1199 scontext=u:r:e2fs:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { write } for name="sda7" dev="tmpfs" ino=1199 scontext=u:r:e2fs:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for path="/dev/block/sda7" dev="tmpfs" ino=1199 ioctlcmd=0x1268 scontext=u:r:e2fs:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 Bug: 361093041 Test: build pass (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0cf7210eb1b5ba1d22fb8dcb59f40cb74b98dd37) Change-Id: I0d89d360e75335784116a4e4769d0b60699917eb Signed-off-by: Randall Huang --- storage/sepolicy/e2fs.te | 8 ++++++++ storage/sepolicy/fsck.te | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/storage/sepolicy/e2fs.te b/storage/sepolicy/e2fs.te index c280cb7..464b4ce 100644 --- a/storage/sepolicy/e2fs.te +++ b/storage/sepolicy/e2fs.te @@ -1 +1,9 @@ +# fix mkfs allow e2fs userdata_exp_block_device:blk_file rw_file_perms; +allow e2fs efs_block_device:blk_file rw_file_perms; +allow e2fs modem_userdata_block_device:blk_file rw_file_perms; +allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { + BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET +}; +allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms; +allow e2fs sysfs_scsi_devices_0000:file r_file_perms; diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te index 2043199..88efb35 100644 --- a/storage/sepolicy/fsck.te +++ b/storage/sepolicy/fsck.te 
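Review bot: The `allowxperm` set does not include `BLKSSZGET`, yet every ioctl denial quoted in the commit message is `ioctlcmd=0x1268`, which is `BLKSSZGET` (`_IO(0x12,104)`); once an allowxperm rule exists for a source/target pair only the listed commands are permitted, so mkfs will still be denied the one ioctl it was observed to need unless a rule elsewhere covers it — add `BLKSSZGET` to the list and extend it from further denials. The same rule names `persist_block_device`, for which no `allow e2fs persist_block_device:blk_file` appears in this hunk; if that allow lives elsewhere, say so in a comment, otherwise the xperm entry is inert. `BLKDISCARD`/`BLKSECDISCARD` on the EFS and modem-userdata partitions are destructive, so replace `# fix mkfs` with a comment that records why e2fs is trusted with them, e.g. `# mkfs of the EFS / modem userdata partitions; discard ioctls are part of the format path`.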
@@ -1 +1,6 @@
+# fix fsck
 allow fsck userdata_exp_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
From c0b820e056b515b090bad0b564872e92101891bc Mon Sep 17 00:00:00 2001 From: Dennis Song Date: Fri, 30 Aug 2024 03:08:27 +0000 Subject: [PATCH 10/31] Explicitly set user root for the gs_watchdogd service. Otherwise host_init_verifier would fail. Bug: 362447627 Test: Treehugger Flag: EXEMPT bugfix Change-Id: I36a3a67dc357f608b33a131a4e5f6fd6defb91e5
---
 gs_watchdogd/init.gs_watchdogd.rc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/gs_watchdogd/init.gs_watchdogd.rc b/gs_watchdogd/init.gs_watchdogd.rc
index 23d5fb2..ba3354f 100644
--- a/gs_watchdogd/init.gs_watchdogd.rc
+++ b/gs_watchdogd/init.gs_watchdogd.rc
@@ -1,5 +1,6 @@
 # Pet watchdog timer every half of its timeout period.
 service gs_watchdogd /system_ext/bin/gs_watchdogd
+ user root
 class core
 oneshot
 seclabel u:r:gs_watchdogd:s0
From 15ed5c639e471c2c0a49709ec8bb989821eb62e4 Mon Sep 17 00:00:00 2001 From: Tommy Chiu Date: Thu, 29 Aug 2024 07:06:10 +0000 Subject: [PATCH 11/31] Move PRODUCT_COPY_FILES from each board>device-vendor.mk here We used to put the firmware copy logic in dedicated device-vendor.mk files for each platform. This approach is difficult to maintain and unnecessary since we always want to deploy the latest firmware. Propose a better approach for handling firmware copy logic. Flag: EXEMPT refactor Bug: 359071523 Test: Build pass Change-Id: I4169353b9f8f16b82eb0e4ebf2a884f46e1a5f8b
---
 dauntless/gsc.mk | 72 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
diff --git a/dauntless/gsc.mk b/dauntless/gsc.mk
index 188d9f9..c1cf0e0 100644
--- a/dauntless/gsc.mk
+++ b/dauntless/gsc.mk
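Review bot: Unlike the e2fs rule in the same commit, fsck gets `rw_file_perms` on `efs_block_device` and `modem_userdata_block_device` with no `allowxperm` of its own; when no xperm rule exists for a source/target pair the `ioctl` permission allows every ioctl, so fsck is handed an unrestricted ioctl surface on the EFS and modem partitions unless an AOSP-level `allowxperm fsck` already constrains it — worth checking before merge. The commit's denials show a single command, `0x1268` = `BLKSSZGET`, so start from `allowxperm fsck { efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSSZGET };` and widen it from further denials. Replacing `# fix fsck` with a note naming the fstab entries these rules serve would let a later reviewer tell whether the partitions are still checked at boot.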
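Review bot: `user root` makes the watchdog daemon run as UID 0 solely because host_init_verifier wants an explicit user; before settling on root, check whether the process actually needs it — if it only opens a watchdog device node, a dedicated user (or a less privileged user plus `group` ownership on the node) is the least-privilege choice, and confinement by `seclabel u:r:gs_watchdogd:s0` does not remove the capabilities a root UID carries. If root is genuinely required, record why next to the line, e.g. `user root  # needs raw access to the watchdog device node; confined by the seclabel below`. Hedged: the daemon's source and the device node permissions are not in this hunk.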
@@ -20,4 +20,76 @@ PRODUCT_PACKAGES_DEBUG += citadel_integration_tests \ nugget_targeted_tests \ CitadelProvision \ nugget_aidl_test_weaver + +# Assign default value for RELEASE_GOOGLE_DAUNTLESS_DIR if no trunk flags support +RELEASE_GOOGLE_DAUNTLESS_DIR ?= vendor/google_nos/prebuilts/dauntless + +# The production Dauntless firmware will be of flavors evt and d3m2. +# There are also several flavors of pre-release chips. Each flavor +# (production and pre-release) requires the firmware to be signed differently. +DAUNTLESS_FIRMWARE_SIZE := 1048576 + +# The nearly-production Dauntless chips are "proto1.1" +ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin)) +ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin)) +$(error GSC firmware size check fail) endif +PRODUCT_COPY_FILES += \ + $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/proto11.ec.bin +$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin) +else +$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR)) +endif + +# The production Dauntless chips are "evt" +ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin)) +ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin)) +$(error GSC firmware size check fail) +endif +PRODUCT_COPY_FILES += \ + $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/evt.ec.bin +$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin) +else +$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR)) +endif + +# New 2023 production Dauntless chips are "d3m2" +ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin)) +ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin)) +$(error GSC firmware size check fail) +endif +PRODUCT_COPY_FILES += \ + 
$(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/d3m2.ec.bin +$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin) +else +$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR)) +endif + +# Intermediate image artifacts are published, but aren't included in /vendor/firmware/dauntless +# in PRODUCT_COPY_FILES +# This is because intermediate images aren't needed on user devices, but the published artifact +# is useful for flashstation purposes. + +# proto11 chips need an intermediate image prior to upgrading to newever versions of the firmware +ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin)) +ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin)) +$(error GSC firmware size check fail) +endif +$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin) +endif +# evt chips need an intermediate image prior to upgrading to newever versions of the firmware +ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin)) +ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin)) +$(error GSC firmware size check fail) +endif +$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin) +endif +# d3m2 chips need an intermediate image prior to upgrading to newever versions of the firmware +ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin)) +ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin)) +$(error GSC firmware size check fail) +endif +$(call 
dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin) +endif + +endif # $(wildcard vendor) From f71ff2ba7c1990d51cabcb27d61c127a46d5948e Mon Sep 17 00:00:00 2001 From: Cheng Chang Date: Fri, 30 Aug 2024 04:03:47 +0000 Subject: [PATCH 12/31] gps: Allow gnss hal access vendor_gps_prop avc: denied { read } for name="u:object_r:vendor_gps_prop:s0" dev="tmpfs" ino=421 scontext=u:r:hal_gnss_pixel:s0 tcontext=u:object_r:vendor_gps_prop:s0 tclass=file permissive=0 Bug: 335354369 Test: Check avc logcat. Change-Id: Idfc885c6d54a9a5160643ff53f3e278ee067b286 --- gps/pixel/sepolicy/hal_gnss_pixel.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gps/pixel/sepolicy/hal_gnss_pixel.te b/gps/pixel/sepolicy/hal_gnss_pixel.te index cc63702..e3e4d92 100644 --- a/gps/pixel/sepolicy/hal_gnss_pixel.te +++ b/gps/pixel/sepolicy/hal_gnss_pixel.te @@ -10,6 +10,9 @@ allow hal_gnss_pixel sysfs_gps:file rw_file_perms; # Allow access to CHRE multiclient HAL. get_prop(hal_gnss_pixel, vendor_chre_hal_prop) +# Allow read vendor gps prop. +get_prop(hal_gnss_pixel, vendor_gps_prop) + # Allow binder to CHRE. binder_call(hal_gnss_pixel, hal_contexthub_default) allow hal_gnss_pixel hal_contexthub_service:service_manager find; From d6d4a779e50154d892f1f3d35107cbbe3396c3a5 Mon Sep 17 00:00:00 2001 From: Martin Liu Date: Fri, 30 Aug 2024 06:14:04 +0000 Subject: [PATCH 13/31] Move compaction_proactiveness to vendor sepolicy Move compaction_proactiveness sepolicy from the system to vendor since it breaks other vendors. Bug: 361985704 Test: check knob value Flag: NONE sepolicy doesn't support flag Change-Id: I14cff8dfe4e143995b9011cd34a1e7d74613ae33 Signed-off-by: Martin Liu --- performance/sepolicy/file.te | 6 ++++++ performance/sepolicy/genfs_contexts | 1 + performance/sepolicy/vendor_init.te | 2 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/performance/sepolicy/file.te b/performance/sepolicy/file.te index 8e16bbf..e79f9b2 100644 
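Review bot: The three intermediate-image blocks hard-code `vendor/google_nos/prebuilts/dauntless/intermediate_images/...` while the production blocks use `$(RELEASE_GOOGLE_DAUNTLESS_DIR)`, so when a trunk flag points `RELEASE_GOOGLE_DAUNTLESS_DIR` elsewhere the intermediate images are still taken from the default tree and the two sets of published artifacts can disagree; use `$(RELEASE_GOOGLE_DAUNTLESS_DIR)/intermediate_images/...` throughout. The `stat -c "%s"` comparison is a sanity check only — it catches a truncated or wrong-flavor file, not a substituted one — so either say so in the comment (`# Size check is a sanity check; image authenticity is enforced by the GSC's signature verification on update`) or compare against a pinned sha256 if that is the intent. The six near-identical blocks would be clearer and less error-prone as one `define` invoked per flavor, and the closing `endif # $(wildcard vendor)` matches a conditional that starts before this hunk.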
--- a/performance/sepolicy/file.te +++ b/performance/sepolicy/file.te @@ -1,2 +1,8 @@ +# proactive kill type sysfs_pakills, fs_type, sysfs_type; + +# bts dump type vendor_bts_debugfs, fs_type, debugfs_type; + +# proc_compaction_proactiveness type +type proc_compaction_proactiveness, fs_type, proc_type; diff --git a/performance/sepolicy/genfs_contexts b/performance/sepolicy/genfs_contexts index 041021c..57e3634 100644 --- a/performance/sepolicy/genfs_contexts +++ b/performance/sepolicy/genfs_contexts @@ -1,3 +1,4 @@ genfscon proc /sys/kernel/sched_pelt_multiplier u:object_r:proc_sched:s0 genfscon sysfs /kernel/vendor_mm/pa_kill u:object_r:sysfs_pakills:s0 genfscon debugfs /bts u:object_r:vendor_bts_debugfs:s0 +genfscon proc /sys/vm/compaction_proactiveness u:object_r:proc_compaction_proactiveness:s0 diff --git a/performance/sepolicy/vendor_init.te b/performance/sepolicy/vendor_init.te index fefecb1..188984f 100644 --- a/performance/sepolicy/vendor_init.te +++ b/performance/sepolicy/vendor_init.te @@ -1,3 +1,3 @@ # MM allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms; - +allow vendor_init proc_compaction_proactiveness:file w_file_perms; From f25cb6895f06d89bbbbeb5d7f8bf77e5d1dc89c8 Mon Sep 17 00:00:00 2001 From: Dennis Song Date: Fri, 30 Aug 2024 03:08:27 +0000 Subject: [PATCH 14/31] Explicitly set user root for the gs_watchdogd service. Otherwise host_init_verifier would fail. Bug: 362447627 Test: Treehugger Merged-In: I36a3a67dc357f608b33a131a4e5f6fd6defb91e5 Change-Id: I36a3a67dc357f608b33a131a4e5f6fd6defb91e5 --- gs_watchdogd/init.gs_watchdogd.rc | 1 + 1 file changed, 1 insertion(+) diff --git a/gs_watchdogd/init.gs_watchdogd.rc b/gs_watchdogd/init.gs_watchdogd.rc index f58ce50..a7ef505 100644 --- a/gs_watchdogd/init.gs_watchdogd.rc +++ b/gs_watchdogd/init.gs_watchdogd.rc 
@@ -1,5 +1,6 @@
 # Set watchdog timer to 30 seconds and pet it every 10 seconds to get a 20 second margin
 service gs_watchdogd /system_ext/bin/gs_watchdogd 10 20
+ user root
 class core
 oneshot
 seclabel u:r:gs_watchdogd:s0
From 69797e03ca6b3d53e64441e450292afc12a4775a Mon Sep 17 00:00:00 2001
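Review bot: This is the same `user root` addition as patch 10 (same Change-Id, `Merged-In`) applied to the branch variant that passes `10 20`, and the same question applies — whether the daemon needs UID 0 or only access to the watchdog device node. Whatever the answer, record it as a comment next to `user root` in both copies so the two rc files do not silently diverge on privilege.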
From: Kiwon Park Date: Thu, 22 Aug 2024 09:33:40 -0700 Subject: [PATCH 15/31] Add eSIM directory and disable bootstrap when bootloader is unlocked in user build Allow vendor_init to set setupwizard prop Allow priv_app and gmscore_app to get setupwizard prop <11>[ 7.276992][ T329] init: Unable to set property 'setupwizard.feature.provisioning_profile_mode' from uid:0 gid:0 pid:330: SELinux permission check failed 08-28 15:35:42.536 10156 5884 5884 W oid.setupwizard: type=1400 audit(0.0:63): avc: denied { read } for name="u:object_r:setupwizard_feature_prop:s0" dev="tmpfs" ino=335 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:setupwizard_feature_prop:s0 tclass=file permissive=0 app=com.google.android.setupwizard 08-28 15:11:52.015 10185 6915 6915 W highpool[8]: type=1400 audit(0.0:17): avc: denied { read } for name="u:object_r:setupwizard_feature_prop:s0" dev="tmpfs" ino=339 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:setupwizard_feature_prop:s0 tclass=file permissive=0 app=com.google.android.gms Bug: 349592724 Test: m Change-Id: I8330c9f6f9efd215ec4ea1f7d3d6ff5596773e21 Flag: NONE disabling a feature just in factory --- esim/Android.bp | 10 ++++++++++ esim/OWNERS | 2 ++ esim/esim.mk | 5 +++++ esim/init.esim-gs.rc | 7 +++++++ esim/sepolicy/system_ext/private/gmscore_app.te | 2 ++ esim/sepolicy/system_ext/private/priv_app.te | 2 ++ esim/sepolicy/system_ext/private/property_contexts | 2 ++ esim/sepolicy/system_ext/public/property.te | 2 ++ esim/sepolicy/vendor/vendor_init.te | 2 ++ 9 files changed, 34 insertions(+) create mode 100644 esim/Android.bp create mode 100644 esim/OWNERS create mode 100644 esim/esim.mk create mode 100644 esim/init.esim-gs.rc create mode 100644 esim/sepolicy/system_ext/private/gmscore_app.te create mode 100644 esim/sepolicy/system_ext/private/priv_app.te create mode 100644 esim/sepolicy/system_ext/private/property_contexts create mode 100644 esim/sepolicy/system_ext/public/property.te create mode 100644 
esim/sepolicy/vendor/vendor_init.te diff --git a/esim/Android.bp b/esim/Android.bp new file mode 100644 index 0000000..a2427f1 --- /dev/null +++ b/esim/Android.bp @@ -0,0 +1,10 @@ +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + +prebuilt_etc { + name: "init.esim-gs.rc", + src: "init.esim-gs.rc", + vendor: true, + sub_dir: "init", +} diff --git a/esim/OWNERS b/esim/OWNERS new file mode 100644 index 0000000..157ecd6 --- /dev/null +++ b/esim/OWNERS @@ -0,0 +1,2 @@ +kiwonp@google.com +mewan@google.com \ No newline at end of file diff --git a/esim/esim.mk b/esim/esim.mk new file mode 100644 index 0000000..47e21b7 --- /dev/null +++ b/esim/esim.mk @@ -0,0 +1,5 @@ +PRODUCT_PACKAGES += init.esim-gs.rc +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/vendor +# system_ext +SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/system_ext/public +SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/system_ext/private diff --git a/esim/init.esim-gs.rc b/esim/init.esim-gs.rc new file mode 100644 index 0000000..291f9ee --- /dev/null +++ b/esim/init.esim-gs.rc @@ -0,0 +1,7 @@ +# Disable bootstrap when bootloader is unlocked in user build +on property:ro.build.type=user && property:ro.boot.flash.locked=0 + setprop setupwizard.feature.provisioning_profile_mode false + +# Disable bootstrap for DVT devices shipping to non-US carriers +on property:ro.boot.warranty.sku=BOF + setprop setupwizard.feature.provisioning_profile_mode false diff --git a/esim/sepolicy/system_ext/private/gmscore_app.te b/esim/sepolicy/system_ext/private/gmscore_app.te new file mode 100644 index 0000000..90bc371 --- /dev/null +++ b/esim/sepolicy/system_ext/private/gmscore_app.te @@ -0,0 +1,2 @@ +# Allow to read setupwizard_feature_prop +get_prop(priv_app, setupwizard_feature_prop) diff --git a/esim/sepolicy/system_ext/private/priv_app.te b/esim/sepolicy/system_ext/private/priv_app.te new file mode 100644 index 0000000..90bc371 
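Review bot: The two triggers only ever set `setupwizard.feature.provisioning_profile_mode` to `false`; nothing sets it to `true`, so the consumer's behaviour when the property is unset is the real default and should be stated in the header comment, e.g. `# Default (property unset) leaves provisioning-profile bootstrap enabled; the cases below disable it`. The second trigger keys on `ro.boot.warranty.sku=BOF` with no explanation of what that SKU is beyond `DVT devices shipping to non-US carriers` — spell out what bootstrap does when left enabled, so a reader can judge the security consequence of each gate. Pairing the `ro.boot.flash.locked=0` check with `ro.build.type=user` is the right shape: an unlocked user build is the case where a carrier provisioning flow should not be trusted.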
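Review bot: `esim/sepolicy/system_ext/private/gmscore_app.te` grants `get_prop(priv_app, setupwizard_feature_prop)` — the domain is `priv_app`, not `gmscore_app`, so the gmscore denial quoted in the commit message (`scontext=u:r:gmscore_app`) is not fixed and the file is a byte-for-byte copy of priv_app.te (both carry blob `90bc371`). Change it to `get_prop(gmscore_app, setupwizard_feature_prop)`.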
--- /dev/null +++ b/esim/sepolicy/system_ext/private/priv_app.te @@ -0,0 +1,2 @@ +# Allow to read setupwizard_feature_prop +get_prop(priv_app, setupwizard_feature_prop) diff --git a/esim/sepolicy/system_ext/private/property_contexts b/esim/sepolicy/system_ext/private/property_contexts new file mode 100644 index 0000000..464a289 --- /dev/null +++ b/esim/sepolicy/system_ext/private/property_contexts @@ -0,0 +1,2 @@ +# setupwizard +setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0 diff --git a/esim/sepolicy/system_ext/public/property.te b/esim/sepolicy/system_ext/public/property.te new file mode 100644 index 0000000..96cb3b3 --- /dev/null +++ b/esim/sepolicy/system_ext/public/property.te @@ -0,0 +1,2 @@ +# setupwizard +system_public_prop(setupwizard_feature_prop) diff --git a/esim/sepolicy/vendor/vendor_init.te b/esim/sepolicy/vendor/vendor_init.te new file mode 100644 index 0000000..c9cb14e --- /dev/null +++ b/esim/sepolicy/vendor/vendor_init.te @@ -0,0 +1,2 @@ +# setupwizard +set_prop(vendor_init, setupwizard_feature_prop) From d1adbe0cb21efb70dddf28d08a15da768c80b67d Mon Sep 17 00:00:00 2001 From: Martin Liu Date: Fri, 30 Aug 2024 06:14:04 +0000 Subject: [PATCH 16/31] Move compaction_proactiveness to vendor sepolicy Move compaction_proactiveness sepolicy from the system to vendor since it breaks other vendors. Bug: 361985704 Test: check knob value Flag: NONE sepolicy doesn't support flag Change-Id: I14cff8dfe4e143995b9011cd34a1e7d74613ae33 Merged-In: I14cff8dfe4e143995b9011cd34a1e7d74613ae33 Signed-off-by: Martin Liu --- performance/sepolicy/file.te | 6 ++++++ performance/sepolicy/genfs_contexts | 1 + performance/sepolicy/vendor_init.te | 2 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/performance/sepolicy/file.te b/performance/sepolicy/file.te index 8e16bbf..e79f9b2 100644 --- a/performance/sepolicy/file.te +++ b/performance/sepolicy/file.te 
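Review bot: `system_public_prop(setupwizard_feature_prop)` combined with `set_prop(vendor_init, setupwizard_feature_prop)` in vendor policy creates a property that vendor init writes and system apps read; AOSP has a dedicated macro for that shape, `system_vendor_config_prop`, which declares the vendor_init-settable intent in the type itself and keeps the platform neverallows on vendor writers of system properties consistent — consider it over `system_public_prop`, if the platform policy in use provides it. Either way, replace `# setupwizard` with the contract: `# Set only by vendor_init (init.esim-gs.rc); read by setupwizard (priv_app) and gmscore. Never written by apps.` Hedged: which neverallows apply depends on the platform sepolicy version this ships against.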
@@ -1,2 +1,8 @@ +# proactive kill type sysfs_pakills, fs_type, sysfs_type; + +# bts dump type vendor_bts_debugfs, fs_type, debugfs_type; + +# proc_compaction_proactiveness type +type proc_compaction_proactiveness, fs_type, proc_type; diff --git a/performance/sepolicy/genfs_contexts b/performance/sepolicy/genfs_contexts index 041021c..57e3634 100644 --- a/performance/sepolicy/genfs_contexts +++ b/performance/sepolicy/genfs_contexts @@ -1,3 +1,4 @@ genfscon proc /sys/kernel/sched_pelt_multiplier u:object_r:proc_sched:s0 genfscon sysfs /kernel/vendor_mm/pa_kill u:object_r:sysfs_pakills:s0 genfscon debugfs /bts u:object_r:vendor_bts_debugfs:s0 +genfscon proc /sys/vm/compaction_proactiveness u:object_r:proc_compaction_proactiveness:s0 diff --git a/performance/sepolicy/vendor_init.te b/performance/sepolicy/vendor_init.te index fefecb1..188984f 100644 --- a/performance/sepolicy/vendor_init.te +++ b/performance/sepolicy/vendor_init.te @@ -1,3 +1,3 @@ # MM allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms; - +allow vendor_init proc_compaction_proactiveness:file w_file_perms; From cf2d68668f63b06250b9d240e4d943089774e07c Mon Sep 17 00:00:00 2001 
From: George Chang Date: Wed, 28 Aug 2024 02:46:48 +0000 Subject: [PATCH 17/31] gs-common: nfc: st54spi: Add rules for hal_secure_element_st54spi_aidl sepolicy for android.hardware.secure_element-service.thales 08-26 12:49:43.959 343 343 E SELinux : avc: denied { add } for pid=706 uid=1068 name=android.hardware.secure_element.ISecureElement/eSE1 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:hal_secure_element_service:s0 tclass=service_manager permissive=1 08-26 12:49:43.936 706 706 I android.hardwar: type=1400 audit(0.0:9): avc: denied { call } for scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 08-26 12:49:43.936 706 706 I android.hardwar: type=1400 audit(0.0:10): avc: denied { transfer } for scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 08-26 12:49:59.904 1 1 I /system/bin/init: type=1107 audit(0.0:139): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.se.reset pid=706 uid=1068 gid=1068 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=1' 08-26 12:50:12.124 706 706 I android.hardwar: type=1400 audit(0.0:461): avc: denied { read write } for name="st54spi" dev="tmpfs" ino=1552 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:st54spi_device:s0 tclass=chr_file permissive=1 08-26 12:50:12.124 706 706 I android.hardwar: type=1400 audit(0.0:462): avc: denied { open } for path="/dev/st54spi" dev="tmpfs" ino=1552 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:st54spi_device:s0 tclass=chr_file permissive=1 08-26 16:33:44.332 737 737 I android.hardwar: type=1400 audit(0.0:959): avc: denied { read write } for name="st21nfc" dev="tmpfs" ino=1550 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 08-26 
16:33:44.332 737 737 I android.hardwar: type=1400 audit(0.0:960): avc: denied { open } for path="/dev/st21nfc" dev="tmpfs" ino=1550 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 08-26 16:33:44.332 737 737 I android.hardwar: type=1400 audit(0.0:961): avc: denied { ioctl } for path="/dev/st21nfc" dev="tmpfs" ino=1550 ioctlcmd=0xea05 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 Flag: EXEMPT NDK Bug: 361093024 Test: manual Change-Id: I1f3aebc9894de9f3410f2031e2b99e07d4060fa5 --- nfc/sepolicy_st54spi/file.te | 3 +++ nfc/sepolicy_st54spi/file_contexts | 3 +++ nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te | 9 +++++++++ nfc/sepolicy_st54spi/property.te | 3 +++ nfc/sepolicy_st54spi/property_contexts | 2 ++ nfc/sepolicy_st54spi/vendor_init.te | 2 ++ nfc/st54spi.mk | 3 +++ 7 files changed, 25 insertions(+) create mode 100644 nfc/sepolicy_st54spi/file.te create mode 100644 nfc/sepolicy_st54spi/file_contexts create mode 100644 nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te create mode 100644 nfc/sepolicy_st54spi/property.te create mode 100644 nfc/sepolicy_st54spi/property_contexts create mode 100644 nfc/sepolicy_st54spi/vendor_init.te create mode 100644 nfc/st54spi.mk diff --git a/nfc/sepolicy_st54spi/file.te b/nfc/sepolicy_st54spi/file.te new file mode 100644 index 0000000..5f9a80d --- /dev/null +++ b/nfc/sepolicy_st54spi/file.te @@ -0,0 +1,3 @@ +# SecureElement SPI device +type st54spi_device, dev_type; + diff --git a/nfc/sepolicy_st54spi/file_contexts b/nfc/sepolicy_st54spi/file_contexts new file mode 100644 index 0000000..f2762f3 --- /dev/null +++ b/nfc/sepolicy_st54spi/file_contexts @@ -0,0 +1,3 @@ +/dev/st54spi u:object_r:st54spi_device:s0 +/vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0 + 
diff --git a/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te new file mode 100644 index 0000000..f2051e0 --- /dev/null +++ b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te @@ -0,0 +1,9 @@ +# sepolicy for ST54L secure element +type hal_secure_element_st54spi_aidl, domain; +type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_secure_element_st54spi_aidl) +hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element) +allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms; +allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms; +set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop) + diff --git a/nfc/sepolicy_st54spi/property.te b/nfc/sepolicy_st54spi/property.te new file mode 100644 index 0000000..1ac5526 --- /dev/null +++ b/nfc/sepolicy_st54spi/property.te @@ -0,0 +1,3 @@ +# SecureElement vendor property +vendor_internal_prop(vendor_secure_element_prop) + diff --git a/nfc/sepolicy_st54spi/property_contexts b/nfc/sepolicy_st54spi/property_contexts new file mode 100644 index 0000000..2067a86 --- /dev/null +++ b/nfc/sepolicy_st54spi/property_contexts @@ -0,0 +1,2 @@ +# SecureElement vendor property +persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 diff --git a/nfc/sepolicy_st54spi/vendor_init.te b/nfc/sepolicy_st54spi/vendor_init.te new file mode 100644 index 0000000..91e5cdb --- /dev/null +++ b/nfc/sepolicy_st54spi/vendor_init.te @@ -0,0 +1,2 @@ +# SecureElement vendor property +set_prop(vendor_init, vendor_secure_element_prop) diff --git a/nfc/st54spi.mk b/nfc/st54spi.mk new file mode 100644 index 0000000..046de87 --- /dev/null +++ b/nfc/st54spi.mk @@ -0,0 +1,3 @@ +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st54spi +PRODUCT_PACKAGES += android.hardware.secure_element-service.thales + 
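Review bot: `allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;` (and the matching `st54spi_device` rule) grants every ioctl on the device, because `rw_file_perms` expands to include `ioctl`; the only ioctl the commit's denial list shows is `0xea05` on `/dev/st21nfc`. Since `/dev/st21nfc` is shared with the NFC HAL, consider pinning the secure-element HAL to the ioctls it actually issues with an `allowxperm hal_secure_element_st54spi_aidl nfc_device:chr_file ioctl { 0xea05 };` line, and the equivalent for `st54spi_device` once its ioctl set is known. The denials were collected in permissive mode, so confirm the full set against the driver before adding the restriction.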
From 0f4a0bb8a2ef14874c4502720b3102548258b161 Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Thu, 29 Aug 2024 15:24:47 +0800 Subject: [PATCH 18/31] Storage: add selinux for ufs firmware upgrade event avc: denied { execute_no_trans } for comm="ufs_firmware_up" path="/vendor/bin/toybox_vendor" dev="dm-11" ino=380 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1 avc: denied { read } for comm="cat" name="vendor" dev="sysfs" ino=63193 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { open } for comm="cat" path="/sys/devices/platform/13200000.ufs/vendor" dev="sysfs" ino=63193 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { search } for comm="dd" name="block" dev="tmpfs" ino=12 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 avc: denied { write } for comm="dd" name="sda12" dev="tmpfs" ino=1139 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:ufs_internal_block_device:s0 tclass=blk_file permissive=1 Bug: 361093041 Test: NA Change-Id: I54445d4543a733baae85cd408b433033dd93ec6b Signed-off-by: Randall Huang --- storage/sepolicy/ufs_firmware_update.te | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 storage/sepolicy/ufs_firmware_update.te diff --git a/storage/sepolicy/ufs_firmware_update.te b/storage/sepolicy/ufs_firmware_update.te new file mode 100644 index 0000000..1b92976 --- /dev/null +++ b/storage/sepolicy/ufs_firmware_update.te 
@@ -0,0 +1,9 @@ +# support ufs ffu via ota +init_daemon_domain(ufs_firmware_update) + +# support ufs ffu via ota +allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans; +allow ufs_firmware_update block_device:dir { search }; +allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms; +allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms; + From bd3767ae16a3e11166c95d9ecd3bbccc5800ba09 Mon Sep 17 00:00:00 2001 From: Snehal Date: Tue, 3 Sep 2024 09:34:57 +0000 Subject: [PATCH 19/31] Add widevine SELinux permissions 15992 15992 I exoplayer2.demo: type=1400 audit(0.0:1934): avc: denied { call } for scontext=u:r:untrusted_app_29:s0:c36,c257,c512,c768 tcontext=u:r:hal_drm_clearkey:s0 tclass=binder permissive=1 app=com.google.android.exoplayer2.demo 15992 15992 I exoplayer2.demo: type=1400 audit(0.0:1935): avc: denied { call } for scontext=u:r:untrusted_app_29:s0:c36,c257,c512,c768 tcontext=u:r:hal_drm_widevine:s0 tclass=binder permissive=1 app=com.google.android.exoplayer2.demo 860 860 I android.hardwar: type=1400 audit(0.0:4302): avc: denied { write } for name="mediadrm" dev="dm-57" ino=2565 scontext=u:r:hal_drm_widevine:s0 tcontext=u:object_r:mediadrm_vendor_data_file:s0 tclass=dir permissive=1 860 860 I android.hardwar: type=1400 audit(0.0:4304): avc: denied { create } for name="IDM1013" scontext=u:r:hal_drm_widevine:s0 tcontext=u:object_r:mediadrm_vendor_data_file:s0 tclass=dir permissive=1 Bug: 363182767 Bug: 363181505 Flag: EXEMPT bugfix Change-Id: Ia8c3ba3d7fe9f09ceb40fd2b6ae88bbbcf5ac6f6 --- widevine/sepolicy/hal_drm_clearkey.te | 3 ++- widevine/sepolicy/hal_drm_widevine.te | 10 +++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/widevine/sepolicy/hal_drm_clearkey.te b/widevine/sepolicy/hal_drm_clearkey.te index 81ecfb9..fff4f0d 100644 --- a/widevine/sepolicy/hal_drm_clearkey.te +++ b/widevine/sepolicy/hal_drm_clearkey.te 
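Review bot: The new `storage/sepolicy/ufs_firmware_update.te` uses `ufs_firmware_update` in `init_daemon_domain` and four allow rules but never declares the domain or its exec type, and the commit records `Test: NA`; unless `type ufs_firmware_update, domain;` and `type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;` already exist in a device-specific policy, the policy will not compile. Declaring both here, ahead of `init_daemon_domain`, keeps the domain self-contained like the other .te files in this series. The comment `# support ufs ffu via ota` is also repeated verbatim on lines 1 and 4 of the file; one copy is enough.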
@@ -1,5 +1,6 @@ +# sepolicy for DRM clearkey type hal_drm_clearkey, domain; type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_drm_clearkey) -#TODO: snehalreddy@ add sepolicy +hal_server_domain(hal_drm_clearkey, hal_drm) diff --git a/widevine/sepolicy/hal_drm_widevine.te b/widevine/sepolicy/hal_drm_widevine.te index 41e395a..9b4792e 100644 --- a/widevine/sepolicy/hal_drm_widevine.te +++ b/widevine/sepolicy/hal_drm_widevine.te @@ -1,5 +1,13 @@ +# sepolicy for DRM widevine type hal_drm_widevine, domain; type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_drm_widevine) -#TODO: snehalreddy@ add sepolicy +hal_server_domain(hal_drm_widevine, hal_drm) + +# L3 +allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms; +allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms; + +#L1 +#TODO(snehalreddy@) : Add L1 permissions From 1d82070ee952565d0f979605d9251a5579f00022 Mon Sep 17 00:00:00 2001 From: Devika Krishnadas Date: Tue, 3 Sep 2024 22:13:10 +0000 Subject: [PATCH 20/31] Add GPU team owners for mk files Bug: 275906497 Flag: EXEMPT only changing OWNERS Change-Id: Ife6cdfd5097c6c50e0276ea3a70552e9feeb76a8 Signed-off-by: Devika Krishnadas --- gpu/MK_OWNERS | 4 ++++ gpu/OWNERS | 2 ++ 2 files changed, 6 insertions(+) create mode 100644 gpu/MK_OWNERS create mode 100644 gpu/OWNERS diff --git a/gpu/MK_OWNERS b/gpu/MK_OWNERS new file mode 100644 index 0000000..1d0be18 --- /dev/null +++ b/gpu/MK_OWNERS @@ -0,0 +1,4 @@ +jessehall@google.com +spyffe@google.com +jorwag@google.com +jeremykemp@google.com diff --git a/gpu/OWNERS b/gpu/OWNERS new file mode 100644 index 0000000..259dd93 --- /dev/null +++ b/gpu/OWNERS @@ -0,0 +1,2 @@ +per-file gpu.mk=set noparent +per-file gpu.mk=file:MK_OWNERS From 6ec23c152f7da13f6e908d13bbe6d86aa0d8fa9a Mon Sep 17 00:00:00 2001 
From: Randall Huang Date: Wed, 4 Sep 2024 00:05:10 +0800 Subject: [PATCH 21/31] storage: move storage related device type to common folder Bug: 364225000 Test: forrest build Change-Id: Ica102c5a1ec45560939ac32c3ec22e721659c3cf Signed-off-by: Randall Huang --- storage/sepolicy/device.te | 9 +++++++++ storage/sepolicy/file_contexts | 3 +++ storage/sepolicy/ufs_firmware_update.te | 2 ++ 3 files changed, 14 insertions(+) diff --git a/storage/sepolicy/device.te b/storage/sepolicy/device.te index e0968f9..1252ee0 100644 --- a/storage/sepolicy/device.te +++ b/storage/sepolicy/device.te @@ -1,2 +1,11 @@ # Userdata Exp block device. type userdata_exp_block_device, dev_type; + +# Block Devices +type persist_block_device, dev_type; +type efs_block_device, dev_type; +type modem_userdata_block_device, dev_type; + +# Storage firmware upgrade +type ufs_internal_block_device, dev_type; + diff --git a/storage/sepolicy/file_contexts b/storage/sepolicy/file_contexts index 30335eb..1ef5a67 100644 --- a/storage/sepolicy/file_contexts +++ b/storage/sepolicy/file_contexts @@ -1,6 +1,9 @@ +# storage /vendor/bin/dump/dump_storage u:object_r:dump_storage_exec:s0 /sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging u:object_r:sysfs_scsi_devices_0000:s0 /dev/sg[0-9] u:object_r:sg_device:s0 /data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0 /vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0 /dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0 +/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 + diff --git a/storage/sepolicy/ufs_firmware_update.te b/storage/sepolicy/ufs_firmware_update.te index 1b92976..2313121 100644 --- a/storage/sepolicy/ufs_firmware_update.te +++ b/storage/sepolicy/ufs_firmware_update.te 
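Review bot: `storage/sepolicy/device.te` now declares `persist_block_device`, `efs_block_device`, `modem_userdata_block_device` and `ufs_internal_block_device`, but the `file_contexts` hunk in the same commit labels only `ufs_firmware_update.sh`, so none of the four types is bound to a `/dev/block/...` path in the common folder. The `dd` denial in the earlier FFU commit shows `sda12` already labeled `ufs_internal_block_device`, so the labels presumably live in the per-device trees; moving the type here without the label splits the two and leaves the common type meaningless on a device that does not carry the matching entry. Either move the `/dev/block/by-name/...` entries here alongside the types, or add a comment such as `# Labeled per device in the SoC-specific file_contexts` so the split is deliberate.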
@@ -1,5 +1,7 @@ # support ufs ffu via ota init_daemon_domain(ufs_firmware_update) +type ufs_firmware_update, domain; +type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type; # support ufs ffu via ota allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans; From a0681a7b7a94de9bf488130a206336af6a6ea626 Mon Sep 17 00:00:00 2001 From: Kyle Hsiao Date: Wed, 4 Sep 2024 05:04:43 +0000 Subject: [PATCH 22/31] gs-common: nfc: st21nfc: Add rules for android.hardware.nfc-service.st sepolicy for android.hardware.nfc-service.st Flag: EXEMPT NDK Bug: 361093394 Test: manual Change-Id: Ibe90555a6ec9b13fb2cd8eae4131216d3240ec3a --- nfc/sepolicy_st21nfc/file_contexts | 2 ++ nfc/st21nfc.mk | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 nfc/sepolicy_st21nfc/file_contexts create mode 100644 nfc/st21nfc.mk diff --git a/nfc/sepolicy_st21nfc/file_contexts b/nfc/sepolicy_st21nfc/file_contexts new file mode 100644 index 0000000..a06842a --- /dev/null +++ b/nfc/sepolicy_st21nfc/file_contexts @@ -0,0 +1,2 @@ +/dev/st21nfc u:object_r:nfc_device:s0 +/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 diff --git a/nfc/st21nfc.mk b/nfc/st21nfc.mk new file mode 100644 index 0000000..c30ecce --- /dev/null +++ b/nfc/st21nfc.mk @@ -0,0 +1,2 @@ +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st21nfc +PRODUCT_PACKAGES += android.hardware.nfc-service.st From 202f18ed1876205f33ee8351867699fdfd62bd31 Mon Sep 17 00:00:00 2001 
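Review bot: In `ufs_firmware_update.te` the two new `type` declarations are inserted after `init_daemon_domain(ufs_firmware_update)`, which references them; every other domain file in this series (`hal_drm_widevine.te`, `hal_aidl_radio_ext.te`, `hal_secure_element_st54spi_aidl.te`) declares the domain and its exec type first. Move `type ufs_firmware_update, domain;` and `type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;` above the macro call, and drop the second `# support ufs ffu via ota` comment that now sits between the declarations and the allow rules. The allow rules below the hunk are unchanged and continue outside it.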
From: samou Date: Wed, 4 Sep 2024 15:48:10 +0000 Subject: [PATCH 23/31] sepolicy: fix dump_power policy 09-03 10:57:32.552 11878 11878 W dump_power: type=1400 audit(0.0:23): avc: denied { read } for name="thismeal.txt" dev="dm-51" ino=14368 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=0 09-05 00:01:19.432 6967 6967 W dump_power: type=1400 audit(0.0:25): avc: denied { open } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-52" ino=14368 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=0 09-05 00:11:25.532 6913 6913 W dump_power: type=1400 audit(0.0:25): avc: denied { getattr } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-52" ino=14368 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=0 Flag: EXEMPT refactor Bug: 364612419 Change-Id: Ide2ad35e3f2a5bc3246603a4e66b67ec901ddc64 Signed-off-by: samou --- battery_mitigation/sepolicy/vendor/dumpstate.te | 1 + 1 file changed, 1 insertion(+) diff --git a/battery_mitigation/sepolicy/vendor/dumpstate.te b/battery_mitigation/sepolicy/vendor/dumpstate.te index 8248254..bb84ff2 100644 --- a/battery_mitigation/sepolicy/vendor/dumpstate.te +++ b/battery_mitigation/sepolicy/vendor/dumpstate.te @@ -8,6 +8,7 @@ allow hal_dumpstate_default sysfs_cpu:file { read open getattr }; allow hal_dumpstate_default sysfs_batteryinfo:dir { read open search }; allow hal_dumpstate_default sysfs_batteryinfo:file { read open getattr }; allow hal_dumpstate_default logbuffer_device:chr_file { read open getattr }; +allow hal_dumpstate_default mitigation_vendor_data_file:file { read open getattr }; allow hal_dumpstate_default mitigation_vendor_data_file:dir { search }; allow hal_dumpstate_default sysfs_bcl:dir { read open search }; allow hal_dumpstate_default sysfs_bcl:file { read open getattr }; 
From 0ca7adab014b1da218902d1052ef3f1c41caa702 Mon Sep 17 00:00:00 2001 
From: Neo Yu Date: Mon, 19 Aug 2024 02:48:41 +0800 Subject: [PATCH 24/31] Separate GRIL sepolicy for AIDL and HIDL by folders Related avc error: aidl part: avc: denied { find } for pid=2019 uid=10269 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:grilservice_app:s0:c13,c257,c512,c768 tcontext=u:object_r:hal_aidl_radio_ext_service:s0 tclass=service_manager permissive=1 avc: denied { read write } for comm="vendor.google.r" name="umts_boot0" dev="tmpfs" ino=1352 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file permissive=1 avc: denied { search } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1 avc: denied { read write } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1 avc: denied { read write } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1 avc: denied { create } for name="radio" dev="dm-53" ino=379 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 avc: denied { create } for name="radio" dev="dm-53" ino=379 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1 avc: denied { find } for interface=hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance sid=u:r:hal_aidl_radio_ext:s0 pid=792 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:hal_bluetooth_coexistence_hwservice:s0 tclass=hwservice_manager permissive=1 avc: denied { find } for interface=hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance sid=u:r:hal_aidl_radio_ext:s0 pid=792 scontext=u:r:hal_aidl_radio_ext:s0 tcontext=u:object_r:hal_bluetooth_coexistence_service:s0 tclass=service_manager permissive=1 hidl part: avc: denied { read write } for 
comm="vendor.google.r" name="umts_boot0" dev="tmpfs" ino=1352 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file permissive=1 avc: denied { create } for name="radio" dev="dm-53" ino=379 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 avc: denied { create } for name="radio" dev="dm-53" ino=379 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1 avc: denied { search } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1 avc: denied { read write } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1 avc: denied { read write } for name="backlight" dev="sysfs" ino=83794 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1 avc: denied { find } for interface=hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance sid=u:r:hal_radioext_default:s0 pid=792 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:hal_bluetooth_coexistence_hwservice:s0 tclass=hwservice_manager permissive=1 avc: denied { find } for interface=hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance sid=u:r:hal_radioext_default:s0 pid=792 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:hal_bluetooth_coexistence_service:s0 tclass=service_manager permissive=1 Bug: 363665676 Test: verify with test roms Flag: EXEMPT sepolicy refactor Change-Id: I0fb75f7f9c7339864ee303c0f1de3b218ceb81ed --- gril/aidl/2.0/compatibility_matrix.xml | 10 ++++++ gril/aidl/2.0/gril_aidl.mk | 3 ++ gril/aidl/2.0/sepolicy/file_contexts | 1 + gril/aidl/2.0/sepolicy/grilservice_app.te | 4 +++ gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te | 33 +++++++++++++++++++ gril/aidl/2.0/sepolicy/hal_camera_default.te | 2 ++ 
gril/aidl/2.0/sepolicy/service.te | 2 ++ gril/aidl/2.0/sepolicy/service_contexts | 1 + gril/aidl/2.0/sepolicy/twoshay.te | 2 ++ gril/hidl/1.7/compatibility_matrix.xml | 10 ++++++ gril/hidl/1.7/gril_hidl.mk | 3 ++ gril/hidl/1.7/sepolicy/file_contexts | 1 + gril/hidl/1.7/sepolicy/grilservice_app.te | 2 ++ gril/hidl/1.7/sepolicy/hal_camera_default.te | 2 ++ .../hidl/1.7/sepolicy/hal_radioext_default.te | 28 ++++++++++++++++ gril/hidl/1.7/sepolicy/hwservice_contexts | 2 ++ gril/hidl/1.7/sepolicy/twoshay.te | 2 ++ 17 files changed, 108 insertions(+) create mode 100644 gril/aidl/2.0/compatibility_matrix.xml create mode 100644 gril/aidl/2.0/gril_aidl.mk create mode 100644 gril/aidl/2.0/sepolicy/file_contexts create mode 100644 gril/aidl/2.0/sepolicy/grilservice_app.te create mode 100644 gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te create mode 100644 gril/aidl/2.0/sepolicy/hal_camera_default.te create mode 100644 gril/aidl/2.0/sepolicy/service.te create mode 100644 gril/aidl/2.0/sepolicy/service_contexts create mode 100644 gril/aidl/2.0/sepolicy/twoshay.te create mode 100644 gril/hidl/1.7/compatibility_matrix.xml create mode 100644 gril/hidl/1.7/gril_hidl.mk create mode 100644 gril/hidl/1.7/sepolicy/file_contexts create mode 100644 gril/hidl/1.7/sepolicy/grilservice_app.te create mode 100644 gril/hidl/1.7/sepolicy/hal_camera_default.te create mode 100644 gril/hidl/1.7/sepolicy/hal_radioext_default.te create mode 100644 gril/hidl/1.7/sepolicy/hwservice_contexts create mode 100644 gril/hidl/1.7/sepolicy/twoshay.te diff --git a/gril/aidl/2.0/compatibility_matrix.xml b/gril/aidl/2.0/compatibility_matrix.xml new file mode 100644 index 0000000..8a4a776 --- /dev/null +++ b/gril/aidl/2.0/compatibility_matrix.xml @@ -0,0 +1,10 @@ + + + vendor.google.radio_ext + 2 + + IRadioExt + default + + + diff --git a/gril/aidl/2.0/gril_aidl.mk b/gril/aidl/2.0/gril_aidl.mk new file mode 100644 index 0000000..b7d5133 --- /dev/null +++ b/gril/aidl/2.0/gril_aidl.mk 
@@ -0,0 +1,3 @@ +PRODUCT_PACKAGES += vendor.google.radioext@1.0-service +DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/aidl/2.0/compatibility_matrix.xml +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/aidl/2.0/sepolicy diff --git a/gril/aidl/2.0/sepolicy/file_contexts b/gril/aidl/2.0/sepolicy/file_contexts new file mode 100644 index 0000000..9973b80 --- /dev/null +++ b/gril/aidl/2.0/sepolicy/file_contexts @@ -0,0 +1 @@ +/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_aidl_radio_ext_exec:s0 diff --git a/gril/aidl/2.0/sepolicy/grilservice_app.te b/gril/aidl/2.0/sepolicy/grilservice_app.te new file mode 100644 index 0000000..8f49afa --- /dev/null +++ b/gril/aidl/2.0/sepolicy/grilservice_app.te @@ -0,0 +1,4 @@ +# allow grilservice_app to find hal_aidl_radio_ext_service +allow grilservice_app hal_aidl_radio_ext_service:service_manager find; +binder_call(grilservice_app, hal_aidl_radio_ext) +binder_call(grilservice_app, twoshay) diff --git a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te new file mode 100644 index 0000000..ad6c86b --- /dev/null +++ b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te 
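Review bot: `gril/aidl/2.0/sepolicy/file_contexts` labels `/vendor/bin/hw/vendor\.google\.radioext@1\.0-service` as `hal_aidl_radio_ext_exec`, while the HIDL tree added in the same commit labels the identical path `hal_radioext_default_exec`, and both `gril_aidl.mk` and `gril_hidl.mk` add the same `vendor.google.radioext@1.0-service` package. A device that includes both makefiles would get two conflicting file_contexts entries for one binary, which the build should reject. State the exclusivity where the includes happen, e.g. a first line in `gril_aidl.mk`: `# Mutually exclusive with gril/hidl/1.7/gril_hidl.mk (same binary, different exec label)`, with the mirror comment in the HIDL makefile.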
@@ -0,0 +1,33 @@
+# hal_aidl_radio_ext domain
+type hal_aidl_radio_ext, domain;
+type hal_aidl_radio_ext_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(hal_aidl_radio_ext)
+
+get_prop(hal_aidl_radio_ext, hwservicemanager_prop)
+get_prop(hal_aidl_radio_ext, telephony_modemtype_prop)
+set_prop(hal_aidl_radio_ext, vendor_gril_prop)
+
+binder_call(hal_aidl_radio_ext, servicemanager)
+binder_call(hal_aidl_radio_ext, grilservice_app)
+binder_call(hal_aidl_radio_ext, hal_bluetooth_btlinux)
+
+add_service(hal_aidl_radio_ext, hal_aidl_radio_ext_service)
+
+# RW /dev/oem_ipc0
+allow hal_aidl_radio_ext radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_aidl_radio_ext radio_vendor_data_file:dir create_dir_perms;
+allow hal_aidl_radio_ext radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_service:service_manager find;
+
+# Allow access to the backlight driver to set ssc_mode
+allow hal_aidl_radio_ext sysfs_leds:dir search;
+allow hal_aidl_radio_ext sysfs_leds:file rw_file_perms;
+
+# legacy/zuma/vendor
+allow hal_aidl_radio_ext sysfs_display:file rw_file_perms;
diff --git a/gril/aidl/2.0/sepolicy/hal_camera_default.te b/gril/aidl/2.0/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..61f8001
--- /dev/null
+++ b/gril/aidl/2.0/sepolicy/hal_camera_default.te
@@ -0,0 +1,2 @@
+# allow hal_camera_default to binder call hal_aidl_radio_ext
+binder_call(hal_camera_default, hal_aidl_radio_ext);
diff --git a/gril/aidl/2.0/sepolicy/service.te b/gril/aidl/2.0/sepolicy/service.te
new file mode 100644
index 0000000..24aa71e
--- /dev/null
+++ b/gril/aidl/2.0/sepolicy/service.te
@@ -0,0 +1,2 @@
+# Radio Ext AIDL service
+type hal_aidl_radio_ext_service, hal_service_type, protected_service, service_manager_type;
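Review bot: `allow hal_aidl_radio_ext sysfs_leds:file rw_file_perms;` and `allow hal_aidl_radio_ext sysfs_display:file rw_file_perms;` give the radio-extension HAL read/write on every node carrying those two labels, while the comment says the need is one backlight attribute (`ssc_mode`). A dedicated label for that node via `genfs_contexts` (e.g. `sysfs_backlight_ssc_mode`) with `rw_file_perms` on it alone would keep the HAL from writing other LED or display controls; which sysfs path carries ssc_mode is not visible here, so confirm it with the kernel driver before labeling. Separately, `binder_call(hal_aidl_radio_ext, servicemanager)` is the hand-rolled form of `binder_use(hal_aidl_radio_ext)`, which is the idiom for a domain that registers a service and, as I read the macro, also grants servicemanager the process reads it performs on callers.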
diff --git a/gril/aidl/2.0/sepolicy/service_contexts b/gril/aidl/2.0/sepolicy/service_contexts new file mode 100644 index 0000000..7b96182 --- /dev/null +++ b/gril/aidl/2.0/sepolicy/service_contexts @@ -0,0 +1 @@ +vendor.google.radio_ext.IRadioExt/default u:object_r:hal_aidl_radio_ext_service:s0 diff --git a/gril/aidl/2.0/sepolicy/twoshay.te b/gril/aidl/2.0/sepolicy/twoshay.te new file mode 100644 index 0000000..f7d3fe1 --- /dev/null +++ b/gril/aidl/2.0/sepolicy/twoshay.te @@ -0,0 +1,2 @@ +# allow twoshay to binder call hal_aidl_radio_ext +binder_call(twoshay, hal_aidl_radio_ext) diff --git a/gril/hidl/1.7/compatibility_matrix.xml b/gril/hidl/1.7/compatibility_matrix.xml new file mode 100644 index 0000000..6129633 --- /dev/null +++ b/gril/hidl/1.7/compatibility_matrix.xml @@ -0,0 +1,10 @@ + + + vendor.google.radioext + 1.7 + + IRadioExt + default + + + diff --git a/gril/hidl/1.7/gril_hidl.mk b/gril/hidl/1.7/gril_hidl.mk new file mode 100644 index 0000000..fcd5ef8 --- /dev/null +++ b/gril/hidl/1.7/gril_hidl.mk @@ -0,0 +1,3 @@ +PRODUCT_PACKAGES += vendor.google.radioext@1.0-service +DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/hidl/1.7/compatibility_matrix.xml +BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/hidl/1.7/sepolicy diff --git a/gril/hidl/1.7/sepolicy/file_contexts b/gril/hidl/1.7/sepolicy/file_contexts new file mode 100644 index 0000000..dea8592 --- /dev/null +++ b/gril/hidl/1.7/sepolicy/file_contexts @@ -0,0 +1 @@ +/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 diff --git a/gril/hidl/1.7/sepolicy/grilservice_app.te b/gril/hidl/1.7/sepolicy/grilservice_app.te new file mode 100644 index 0000000..43da795 --- /dev/null +++ b/gril/hidl/1.7/sepolicy/grilservice_app.te @@ -0,0 +1,2 @@ +# allow grilservice_app to binder call hal_radioext_default +binder_call(grilservice_app, hal_radioext_default) 
diff --git a/gril/hidl/1.7/sepolicy/hal_camera_default.te b/gril/hidl/1.7/sepolicy/hal_camera_default.te new file mode 100644 index 0000000..36bdd7e --- /dev/null +++ b/gril/hidl/1.7/sepolicy/hal_camera_default.te @@ -0,0 +1,2 @@ +# allow hal_camera_default to binder call hal_radioext_default +binder_call(hal_camera_default, hal_radioext_default); diff --git a/gril/hidl/1.7/sepolicy/hal_radioext_default.te b/gril/hidl/1.7/sepolicy/hal_radioext_default.te new file mode 100644 index 0000000..6931fb7 --- /dev/null +++ b/gril/hidl/1.7/sepolicy/hal_radioext_default.te @@ -0,0 +1,28 @@ +# hal_radioext_default domain +type hal_radioext_default, domain; +type hal_radioext_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_radioext_default) + +hwbinder_use(hal_radioext_default) +get_prop(hal_radioext_default, hwservicemanager_prop) +get_prop(hal_radioext_default, telephony_modemtype_prop) +set_prop(hal_radioext_default, vendor_gril_prop) +add_hwservice(hal_radioext_default, hal_radioext_hwservice) + +binder_call(hal_radioext_default, servicemanager) +binder_call(hal_radioext_default, grilservice_app) +binder_call(hal_radioext_default, hal_bluetooth_btlinux) + +# RW /dev/oem_ipc0 +allow hal_radioext_default radio_device:chr_file rw_file_perms; + +# RW MIPI Freq files +allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; +allow hal_radioext_default radio_vendor_data_file:file create_file_perms; + +# Bluetooth +allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; +allow hal_radioext_default hal_bluetooth_coexistence_service:service_manager find; + +# legacy/zuma/vendor +allow hal_radioext_default sysfs_display:file rw_file_perms; diff --git a/gril/hidl/1.7/sepolicy/hwservice_contexts b/gril/hidl/1.7/sepolicy/hwservice_contexts new file mode 100644 index 0000000..5589c31 --- /dev/null +++ b/gril/hidl/1.7/sepolicy/hwservice_contexts 
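Review bot: `hal_radioext_default.te` has no `sysfs_leds` rules, yet the HIDL denials quoted in this commit's description include `search` on the `backlight` dir and `read write` on the `backlight` file with `tcontext=u:object_r:sysfs_leds:s0` from `hal_radioext_default`, and the AIDL twin of this file grants exactly that. Unless the HIDL build no longer sets ssc_mode, add `allow hal_radioext_default sysfs_leds:dir search;` and `allow hal_radioext_default sysfs_leds:file rw_file_perms;` under the same `# Allow access to the backlight driver to set ssc_mode` comment, so the two variants stay in step. The `sysfs_display` rule carries over the same broad rw grant as the AIDL file and would benefit from the same narrowing to the specific node.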
@@ -0,0 +1,2 @@
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
diff --git a/gril/hidl/1.7/sepolicy/twoshay.te b/gril/hidl/1.7/sepolicy/twoshay.te
new file mode 100644
index 0000000..75c3b27
--- /dev/null
+++ b/gril/hidl/1.7/sepolicy/twoshay.te
@@ -0,0 +1,2 @@
+# allow twoshay to binder call hal_radioext_default
+binder_call(twoshay, hal_radioext_default)
From 94ef296dae4ee2185d89f2bab0cbfc2d26c51cd5 Mon Sep 17 00:00:00 2001
From: Kieran Cyphus
Date: Tue, 3 Sep 2024 23:29:23 +0000
Subject: [PATCH 25/31] shamp: Update shared_modem_platform HAL version to 2
Bug: 364363838
ag/28965951 accidentally started providing a V2 when the manifests only said V1 which broke some VTS tests.
Test: `atest vts_treble_vintf_vendor_test:DeviceManifest/SingleAidlTest#HalIsServed/com_google_pixel_shared_modem_platform_ISharedModemPlatform_default_V1_84`
Flag: EXEMPT can't flag manifest changes
Change-Id: I17113f86e9bceaa3efe2f0d4d76e8349fe2c456e
---
 modem/shared_modem_platform/compatibility_matrix.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modem/shared_modem_platform/compatibility_matrix.xml b/modem/shared_modem_platform/compatibility_matrix.xml
index 5019c3e..66a58ce 100644
--- a/modem/shared_modem_platform/compatibility_matrix.xml
+++ b/modem/shared_modem_platform/compatibility_matrix.xml
@@ -2,7 +2,7 @@
 com.google.pixel.shared_modem_platform
- 1
+ 2
 ISharedModemPlatform
 default
From cacedb4ae85cb270e1662ffe3d120bccaaa94f9a Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Thu, 5 Sep 2024 10:41:08 +0800
Subject: [PATCH 26/31] storage: move sepolicy to common folder
avc: denied { read } for comm="android.hardwar" name="specification_version" dev="sysfs" ino=56257 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0
Bug: 361093041
Test: local build
Change-Id: I90d29590908efc329a05bd8f5f3e145dac4982fc
Signed-off-by: Randall Huang
---
 storage/sepolicy/charger_vendor.te | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 storage/sepolicy/charger_vendor.te
diff --git a/storage/sepolicy/charger_vendor.te b/storage/sepolicy/charger_vendor.te
new file mode 100644
index 0000000..62a7661
--- /dev/null
+++ b/storage/sepolicy/charger_vendor.te
@@ -0,0 +1,3 @@
+# fork from dcb05d13
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+
From 9d99d1d598540fea02906038cf9f7bb656b8a5b2 Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Thu, 5 Sep 2024 12:01:47 +0800
Subject: [PATCH 27/31] storage: fix PowerStats avc denied
avc: denied { search } for name="ufs_stats" dev="sysfs" ino=99872 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=1
avc: denied { open } for comm="android.hardwar" path="/sys/devices/platform/3c400000.ufs/host0/target000/0000/block/sda/stat" dev="sysfs" ino=100761 scontext=urhal_health_default
avc: denied { getattr } for comm="android.hardwar" path="/sys/devices/platform/3c400000.ufs/host0/target000/0000/block/sda/stat" dev="sysfs" ino=100761 scontext=urhal_health_default
avc: denied { search } for comm="android.hardwar" name="0000" dev="sysfs" ino=100578 scontext=urhal_health_defaults0 tcontext=uobject_r
avc: denied { read } for comm="android.hardwar" name="stat" dev="sysfs" ino=100761 scontext=urhal_health_defaults0 tcontext=uobject_rsysfs_scsi_devices_0000s0 tclass=file permissive=1
avc: denied { search } for comm="android.hardwar" name="0000" dev="sysfs" ino=100578 scontext=urhal_health_defaults0 tcontext=uobject_r
avc: denied { read } for comm="android.hardwar" name="stat" dev="sysfs" ino=100761 scontext=urhal_health_defaults0 tcontext=uobject_rsysfs_scsi_devices_0000s0 tclass=file permissive=1
Bug: 361093041
Test: dumpsys android.hardware.power.stats.IPowerStats/default
Change-Id: I94dadb9b9fc015fd1ecc39f9d62bc7209375a13a
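Review bot: `# fork from dcb05d13` records where the rule was copied from but not what it is for; the denial quoted in the commit message is a `read` of `specification_version` by charger_vendor, so a comment such as `# charger reads specification_version under sysfs_scsi_devices_0000 (b/361093041)` would document the actual need. Note that the rule grants `r_file_perms` on every file labeled sysfs_scsi_devices_0000, not only that node; if the charger needs just the one attribute, saying so keeps a later reader from widening it further on the same justification. The hunk also adds a trailing empty line, which adds nothing.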
Signed-off-by: Randall Huang
---
 storage/sepolicy/hal_health_default.te | 2 ++
 storage/sepolicy/hal_power_stats_default.te | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 storage/sepolicy/hal_health_default.te
 create mode 100644 storage/sepolicy/hal_power_stats_default.te
diff --git a/storage/sepolicy/hal_health_default.te b/storage/sepolicy/hal_health_default.te
new file mode 100644
index 0000000..58ec649
--- /dev/null
+++ b/storage/sepolicy/hal_health_default.te
@@ -0,0 +1,2 @@
+# dumpsys android.hardware.power.stats.IPowerStats/default
+r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
diff --git a/storage/sepolicy/hal_power_stats_default.te b/storage/sepolicy/hal_power_stats_default.te
new file mode 100644
index 0000000..4d4dda7
--- /dev/null
+++ b/storage/sepolicy/hal_power_stats_default.te
@@ -0,0 +1,2 @@
+# dumpsys android.hardware.power.stats.IPowerStats/default
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
From bce5748b4f77e28f982852673425bb2d84f7e850 Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Thu, 5 Sep 2024 14:55:14 +0800
Subject: [PATCH 28/31] storage: fix adb bugreport and refactor the existing rules
avc: denied { getattr } for comm="df" path="/mnt/vendor/persist" dev="sda15" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1
avc: denied { call } for comm="binder:10121_3" scontext=u:r:dumpstate:s0 tcontext=u:r:vold:s0 tclass=binder permissive=1
avc: denied { getattr } for comm="df" path="/mnt/vendor/efs" dev="sda5" ino=3 scontext=u:r:dumpstate:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1
avc: denied { getattr } for comm="df" path="/mnt/vendor/modem_userdata" dev="sda7" ino=3 scontext=u:r:dumpstate:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1
Bug: 361093041
Test: local build
Change-Id: I5c6be63beebf66d64db7e495c28493ab35621054
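Review bot: The comment `# dumpsys android.hardware.power.stats.IPowerStats/default` on the new hal_health_default.te is copied from the power-stats file and does not describe this rule: the hal_health_default denials quoted in the commit message are `search`/`read`/`open`/`getattr` on `.../0000/block/sda/stat` by the health HAL, not a dumpsys of IPowerStats. Replace it with something like `# health HAL reads block/sda/stat under sysfs_scsi_devices_0000 (b/361093041)`. The same comment is accurate for hal_power_stats_default.te, whose denial is the `search` of `ufs_stats` that the dumpsys command triggers.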
Signed-off-by: Randall Huang
---
 storage/sepolicy/dump_storage.te | 6 ++++++
 storage/sepolicy/dumpstate.te | 8 +++++++-
 storage/sepolicy/e2fs.te | 1 +
 storage/sepolicy/fastbootd.te | 2 ++
 storage/sepolicy/file.te | 2 ++
 storage/sepolicy/fsck.te | 1 +
 storage/sepolicy/genfs_contexts | 2 ++
 storage/sepolicy/hal_health_default.te | 1 +
 storage/sepolicy/hal_health_storage_default.te | 1 +
 storage/sepolicy/hal_power_stats_default.te | 1 +
 storage/sepolicy/init.te | 2 ++
 storage/sepolicy/vendor_init.te | 2 ++
 storage/sepolicy/vold.te | 2 ++
 13 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/storage/sepolicy/dump_storage.te b/storage/sepolicy/dump_storage.te
index 5324c17..7a5f563 100644
--- a/storage/sepolicy/dump_storage.te
+++ b/storage/sepolicy/dump_storage.te
@@ -1,8 +1,11 @@
+# adb bugreport
 pixel_bugreport(dump_storage)
+# adb bugreport
 allow dump_storage sysfs_scsi_devices_0000:dir r_dir_perms;
 allow dump_storage sysfs_scsi_devices_0000:file r_file_perms;
+# adb bugreport
 userdebug_or_eng(`
 allow dump_storage debugfs_f2fs:dir r_dir_perms;
 allow dump_storage debugfs_f2fs:file r_file_perms;
@@ -17,7 +20,10 @@ userdebug_or_eng(`
 allow dump_storage dump_storage_data_file:file create_file_perms;
 ')
+# adb bugreport
 get_prop(dump_storage, boottime_public_prop)
+# adb bugreport
 dontaudit dump_storage debugfs_f2fs:dir r_dir_perms;
 dontaudit dump_storage debugfs_f2fs:file r_file_perms;
+
diff --git a/storage/sepolicy/dumpstate.te b/storage/sepolicy/dumpstate.te
index 2c01193..2220870 100644
--- a/storage/sepolicy/dumpstate.te
+++ b/storage/sepolicy/dumpstate.te
@@ -1 +1,7 @@
-allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
\ No newline at end of file
+# adb bugreport
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir { getattr };
+allow dumpstate modem_efs_file:dir { getattr };
+allow dumpstate modem_userdata_file:dir { getattr };
+allow dumpstate vold:binder { call };
+
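Review bot: The three `# adb bugreport` lines added in this hunk, and the two more in the second dump_storage.te hunk at `@@ -17,7 +20,10 @@`, repeat the same words above every rule group and tell a reader nothing beyond what `pixel_bugreport(dump_storage)` on the first line already says; `# file.te`, `# init`, `# vendor_init` and `# fastbootd` added later in this commit have the same problem of restating the file name. A single header comment describing what dump_storage collects, or a per-group comment naming what each group reads (the sysfs_scsi_devices_0000 nodes, the debugfs_f2fs tree), would make the file easier to audit than a repeated label.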
diff --git a/storage/sepolicy/e2fs.te b/storage/sepolicy/e2fs.te
index 464b4ce..92ff839 100644
--- a/storage/sepolicy/e2fs.te
+++ b/storage/sepolicy/e2fs.te
@@ -7,3 +7,4 @@ allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_dev };
 allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
 allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/fastbootd.te b/storage/sepolicy/fastbootd.te
index 35bac15..e571d0b 100644
--- a/storage/sepolicy/fastbootd.te
+++ b/storage/sepolicy/fastbootd.te
@@ -1 +1,3 @@
+# fastbootd
 allow fastbootd devpts:chr_file rw_file_perms;
+
diff --git a/storage/sepolicy/file.te b/storage/sepolicy/file.te
index ed4f925..0fa9564 100644
--- a/storage/sepolicy/file.te
+++ b/storage/sepolicy/file.te
@@ -1,4 +1,6 @@
+# file.te
 type debugfs_f2fs, debugfs_type, fs_type;
 type dump_storage_data_file, file_type, data_file_type;
 type sg_device, dev_type;
 type sg_util_exec, exec_type, vendor_file_type, file_type;
+
diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te
index 88efb35..7369bb4 100644
--- a/storage/sepolicy/fsck.te
+++ b/storage/sepolicy/fsck.te
@@ -4,3 +4,4 @@ allow fsck efs_block_device:blk_file rw_file_perms;
 allow fsck modem_userdata_block_device:blk_file rw_file_perms;
 allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
 allow fsck sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/genfs_contexts b/storage/sepolicy/genfs_contexts
index 1a27ec4..69baae6 100644
--- a/storage/sepolicy/genfs_contexts
+++ b/storage/sepolicy/genfs_contexts
@@ -1 +1,3 @@
+# f2fs
 genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+
diff --git a/storage/sepolicy/hal_health_default.te b/storage/sepolicy/hal_health_default.te
index 58ec649..49bf50c 100644
--- a/storage/sepolicy/hal_health_default.te
+++ b/storage/sepolicy/hal_health_default.te
@@ -1,2 +1,3 @@
 # dumpsys android.hardware.power.stats.IPowerStats/default
 r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
+
diff --git a/storage/sepolicy/hal_health_storage_default.te b/storage/sepolicy/hal_health_storage_default.te
index af6593a..20a3b7d 100644
--- a/storage/sepolicy/hal_health_storage_default.te
+++ b/storage/sepolicy/hal_health_storage_default.te
@@ -1,3 +1,4 @@
 # Access to /sys/devices/platform/*ufs/*
 allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
+
diff --git a/storage/sepolicy/hal_power_stats_default.te b/storage/sepolicy/hal_power_stats_default.te
index 4d4dda7..edd286c 100644
--- a/storage/sepolicy/hal_power_stats_default.te
+++ b/storage/sepolicy/hal_power_stats_default.te
@@ -1,2 +1,3 @@
 # dumpsys android.hardware.power.stats.IPowerStats/default
 r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
+
diff --git a/storage/sepolicy/init.te b/storage/sepolicy/init.te
index 7070318..dc24247 100644
--- a/storage/sepolicy/init.te
+++ b/storage/sepolicy/init.te
@@ -1 +1,3 @@
+# init
 allow init sysfs_scsi_devices_0000:file w_file_perms;
+
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index da4fcba..f5f17e4 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -1 +1,3 @@
+# vendor_init
 allow vendor_init sg_device:chr_file r_file_perms;
+
diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te
index 87387a7..529f495 100644
--- a/storage/sepolicy/vold.te
+++ b/storage/sepolicy/vold.te
@@ -5,9 +5,11 @@ allow vold sysfs_scsi_devices_0000:file rw_file_perms;
 allow vold userdata_exp_block_device:blk_file rw_file_perms;
 allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;
+# adb bugreport
 dontaudit vold dumpstate:fifo_file rw_file_perms;
 dontaudit vold dumpstate:fd use ;
 # fix idle-maint
 allow vold efs_block_device:blk_file { getattr };
 allow vold modem_userdata_block_device:blk_file { getattr };
+
From 24568c64d138e1db7343fc6b39b1db61d432081d Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Thu, 5 Sep 2024 15:46:21 +0800
Subject: [PATCH 29/31] storage: fix vold avc denied
[ 33.709752][ T363] type=1400 audit(1725519791.892:729): avc: denied { read } for comm="binder:369_6" name="/" dev="sda5" ino=3 scontext=u:r:vold:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1
[ 33.710804][ T363] type=1400 audit(1725519791.892:730): avc: denied { open } for comm="binder:369_6" path="/mnt/vendor/efs" dev="sda5" ino=3 scontext=u:r:vold:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1
[ 33.711734][ T363] type=1400 audit(1725519791.892:731): avc: denied { ioctl } for comm="binder:369_6" path="/mnt/vendor/efs" dev="sda5" ino=3 ioctlcmd=0x5879 scontext=u:r:vold:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1
[ 33.712732][ T363] type=1400 audit(1725519791.892:732): avc: denied { read } for comm="binder:369_6" name="/" dev="sda7" ino=3 scontext=u:r:vold:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1
[ 33.713612][ T363] type=1400 audit(1725519791.892:733): avc: denied { open } for comm="binder:369_6" path="/mnt/vendor/modem_userdata" dev="sda7" ino=3 scontext=u:r:vold:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1
[ 33.714833][ T363] type=1400 audit(1725519791.892:734): avc: denied { ioctl } for comm="binder:369_6" path="/mnt/vendor/modem_userdata" dev="sda7" ino=3 ioctlcmd=0x5879 scontext=u:r:vold:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1
Bug: 361093041
Test: local build
Change-Id: I629f0303940f3f07ce3717cd0a2c8f975378f24b
Signed-off-by: Randall Huang
---
 storage/sepolicy/vold.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te
index 529f495..b776c80 100644
--- a/storage/sepolicy/vold.te
+++ b/storage/sepolicy/vold.te
@@ -12,4 +12,6 @@ dontaudit vold dumpstate:fd use ;
 # fix idle-maint
 allow vold efs_block_device:blk_file { getattr };
 allow vold modem_userdata_block_device:blk_file { getattr };
+allow vold modem_efs_file:dir { read open ioctl };
+allow vold modem_userdata_file:dir { read open ioctl };
From 0440e82770dee2bbba5d5860a3452035c7cf3044 Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Thu, 5 Sep 2024 15:56:26 +0800
Subject: [PATCH 30/31] storage: fix vendor_init avc denied
avc: denied { write } for comm="init" name="swappiness" dev="proc" ino=207356 scontext=u:r:vendor_init:s0 tcontext=u:object_r:proc_dirty:s0 tclass=file permissive=1
Bug: 361093041
Test: local build
Change-Id: I595008f957c322aedbdf383c4e50c0e0ce30b9dc
Signed-off-by: Randall Huang
---
 storage/sepolicy/vendor_init.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index f5f17e4..73eb527 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -1,3 +1,6 @@
 # vendor_init
 allow vendor_init sg_device:chr_file r_file_perms;
+# dirty swappiness
+allow vendor_init proc_dirty:file w_file_perms;
+
From c8a640f5917bb59099a4cc1d8c3e7b5b6c507c3a Mon Sep 17 00:00:00 2001
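Review bot: `allow vold modem_efs_file:dir { read open ioctl };` and the matching modem_userdata_file line grant unrestricted `ioctl` on those directories, while the denials quoted in the commit message show a single command, `ioctlcmd=0x5879`, which is the low 16 bits of FITRIM and consistent with the `# fix idle-maint` comment this hunk sits under. The same file already pins an ioctl with `allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;`, so the new rules should be pinned the same way: `allowxperm vold { modem_efs_file modem_userdata_file }:dir ioctl 0x5879;` (use the symbolic name if the build's ioctl definitions provide one). Without the allowxperm, every ioctl vold can issue against those directories is permitted, which is more than idle maintenance needs.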
From: Robin Peng
Date: Fri, 6 Sep 2024 07:06:03 +0000
Subject: [PATCH 31/31] check_current_prebuilt: Symlink current prebuilt folder to android root
The Android are now based on Trunk Stable world and Pixel prebuilts CLs also needs to reply with this which controlled by the flag which results:
- the flag value might be different on each branches
- the flag value are mostly different on each release configuration
- for local builds, ENGs' needs to figure out the correct location of current prebuilts by checking through entire prebuilt textproto files
To alleviate this problem, create an symlink file under android root indicates current prebuilt path after invoke the android lunch cmd.
Bug: 364831620
Flag: EXEMPT export current prebuilt path
Change-Id: Idd130a70815fe1fe5288b003c5edb6979fd4c88c
Signed-off-by: Robin Peng
---
 .../check_current_prebuilt.mk | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 check_current_prebuilt/check_current_prebuilt.mk
diff --git a/check_current_prebuilt/check_current_prebuilt.mk b/check_current_prebuilt/check_current_prebuilt.mk
new file mode 100644
index 0000000..72e359f
--- /dev/null
+++ b/check_current_prebuilt/check_current_prebuilt.mk
@@ -0,0 +1,27 @@
+# Create symlink for bootloader
+$(shell rm -f "pixel_current_bootloader")
+ifdef BOOTLOADER_FILE_PATH
+$(shell ln -sf ${BOOTLOADER_FILE_PATH} "pixel_current_bootloader")
+else ifdef BOOTLOADER_RADIO_FILE_PATH
+$(shell ln -sf ${BOOTLOADER_RADIO_FILE_PATH} "pixel_current_bootloader")
+endif
+
+# Create symlink for kernel
+$(shell rm -f "pixel_current_kernel")
+ifdef TARGET_KERNEL_DIR
+$(shell ln -sf ${TARGET_KERNEL_DIR} "pixel_current_kernel")
+endif
+
+# Create symlink for radio
+$(shell rm -f "pixel_current_radio")
+ifdef RADIO_FILE_PATH
+$(shell ln -sf ${RADIO_FILE_PATH} "pixel_current_radio")
+else ifdef BOOTLOADER_RADIO_FILE_PATH
+$(shell ln -sf ${BOOTLOADER_RADIO_FILE_PATH} "pixel_current_radio")
+endif
+
+# Create symlink for radiocfg
+$(shell rm -f "pixel_current_radiocfg")
+ifdef SRC_MDM_CFG_DIR
+$(shell ln -sf ${SRC_MDM_CFG_DIR} "pixel_current_radiocfg")
+endif
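Review bot: Each `$(shell ln -sf ${BOOTLOADER_FILE_PATH} "pixel_current_bootloader")`, and the five similar lines for the radio, kernel and radiocfg links, expands the make variable unquoted into a shell command line, so a value containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of being used as the link target; the link name is quoted but the target is not. Quote the target and add `-n` so that, should the preceding `rm -f` ever be skipped or race, an existing link to a directory is replaced rather than descended into: `$(shell ln -sfn "$(BOOTLOADER_FILE_PATH)" "pixel_current_bootloader")`. These `$(shell …)` calls also run at parse time of every make invocation, including dry runs, and write into whatever the current directory happens to be; a header comment stating that the file assumes it is included with the Android root as the working directory, as the commit message describes, would keep that side effect from surprising a later reader.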