From 2e4c437b43615ab2fd0e96627681225a209f12b1 Mon Sep 17 00:00:00 2001
From: TeYuan Wang
Date: Wed, 6 Mar 2024 21:28:10 +0000
Subject: [PATCH 1/3] sepolicy: allow setprop for thermal_controld
selinux denied log: [ 53.774820] type=1400 audit(1709683991.036:9): avc: denied { write } for comm="setprop" name="property_service" dev="tmpfs" ino=842 scontext=u:r:pixel-thermal-control-sh:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
Bug: 328118301
Test: adb shell getprop vendor.disable.thermalhal.control
Change-Id: I590f05d1119d11400b0115fff63b3420790e7332
---
thermal/sepolicy/thermal_hal/pixel-thermal-control.sh.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/thermal/sepolicy/thermal_hal/pixel-thermal-control.sh.te b/thermal/sepolicy/thermal_hal/pixel-thermal-control.sh.te
index a6430f1..df699fc 100644
--- a/thermal/sepolicy/thermal_hal/pixel-thermal-control.sh.te
+++ b/thermal/sepolicy/thermal_hal/pixel-thermal-control.sh.te
@@ -9,5 +9,5 @@ userdebug_or_eng(`
 allow pixel-thermal-control-sh sysfs_thermal:file rw_file_perms;
 allow pixel-thermal-control-sh sysfs_thermal:lnk_file r_file_perms;
 allow pixel-thermal-control-sh thermal_link_device:dir r_dir_perms;
- get_prop(pixel-thermal-control-sh, vendor_thermal_prop)
+ set_prop(pixel-thermal-control-sh, vendor_thermal_prop)
 ')
From 9b300b02b1ef96dbc9c8a9faf9647ea7cd96eb6b Mon Sep 17 00:00:00 2001
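Review bot: The widened rule carries no comment saying why a shell domain now needs to write `vendor_thermal_prop`, and the commit's Test line only runs `getprop`, which the old `get_prop` rule already permitted, so it does not demonstrate that the denial is gone. The replacement itself is correct because the `set_prop` macro expands to the property_service send plus `get_prop`, so nothing is lost by dropping the old line. Suggest a comment above the new line such as `# Debug-only: the control script toggles vendor.disable.thermalhal.control; set_prop also covers the reads` so the next reader sees the write is deliberate and gated by `userdebug_or_eng`. The Test line would be stronger as a `setprop vendor.disable.thermalhal.control ...` from the script's context followed by a check that no avc denial is logged. The `userdebug_or_eng(` block opens before the hunk.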
From: Hongyang Jiao
Date: Tue, 5 Mar 2024 23:12:07 +0000
Subject: [PATCH 2/3] Add betterbug folder to gs-common
Better Bug was previously labeled as priv_app, here we kept the same 'type=privapp_data_file levelFrom=user' Copied some Better Bug used rules from system/sepolicy/private/priv_app.te. (https://source.corp.google.com/h/googleplex-android/platform/superproject/main/+/main:system/sepolicy/private/priv_app.te;l=1?q=priv_app.te)
Test: local test
Bug: 322543833
Change-Id: Ia029e855dd46e65b9eec31835ccaabb3cb903058
---
betterbug/betterbug.mk | 5 ++
.../product/private/better_bug_app.te | 47 +++++++++++++++++++
.../sepolicy/product/private/seapp_contexts | 2 +
.../sepolicy/product/public/better_bug_app.te | 1 +
4 files changed, 55 insertions(+)
create mode 100644 betterbug/betterbug.mk
create mode 100644 betterbug/sepolicy/product/private/better_bug_app.te
create mode 100644 betterbug/sepolicy/product/private/seapp_contexts
create mode 100644 betterbug/sepolicy/product/public/better_bug_app.te
diff --git a/betterbug/betterbug.mk b/betterbug/betterbug.mk
new file mode 100644
index 0000000..f3ae647
--- /dev/null
+++ b/betterbug/betterbug.mk
@@ -0,0 +1,5 @@
+PRODUCT_PACKAGES += BetterBugStub
+PRODUCT_PACKAGES_DEBUG += BetterBug
+
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/private
diff --git a/betterbug/sepolicy/product/private/better_bug_app.te b/betterbug/sepolicy/product/private/better_bug_app.te
new file mode 100644
index 0000000..26e0565
--- /dev/null
+++ b/betterbug/sepolicy/product/private/better_bug_app.te
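Review bot: The two sepolicy directories are added unconditionally while `BetterBug` is only in `PRODUCT_PACKAGES_DEBUG`, so user builds will carry the `better_bug_app` domain and its seapp_contexts entry with only `BetterBugStub` installed, and nothing in the file says whether that is intended or what the stub is relative to the full app. If the stub shares the package name and is meant to run in the same domain, a comment on the package lines would settle it, e.g. `# BetterBugStub ships on all builds, the full BetterBug only on debug builds; the sepolicy below is for both` — confirm the stub's package name before writing it. If the stub does not need the domain, consider guarding the sepolicy dirs the same way the package is guarded so user builds do not ship an unused app domain.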
@@ -0,0 +1,47 @@
+typeattribute better_bug_app coredomain;
+
+app_domain(better_bug_app)
+net_domain(better_bug_app)
+
+allow better_bug_app app_api_service:service_manager find;
+allow better_bug_app mediaserver_service:service_manager find;
+allow better_bug_app radio_service:service_manager find;
+allow better_bug_app system_api_service:service_manager find;
+
+allow better_bug_app privapp_data_file:file execute;
+allow better_bug_app privapp_data_file:lnk_file r_file_perms;
+allow better_bug_app shell_data_file:file r_file_perms;
+allow better_bug_app shell_data_file:dir r_dir_perms;
+
+# Allow traceur to pass file descriptors through a content provider to betterbug
+allow better_bug_app trace_data_file:file { getattr read };
+
+# Allow betterbug to read profile reports generated by profcollect.
+userdebug_or_eng(`
+ allow better_bug_app profcollectd_data_file:file r_file_perms;
+')
+
+# Allow BetterBug access to WM traces attributes
+allow better_bug_app wm_trace_data_file:dir r_dir_perms;
+allow better_bug_app wm_trace_data_file:file getattr;
+
+# Allow the bug reporting frontend to read the presence and timestamp of the
+# trace attached to the bugreport (but not its contents, which will go in the
+# usual bugreport .zip file). This is used by the bug reporting UI to tell if
+# the bugreport will contain a system trace or not while the bugreport is still
+# in progress.
+allow better_bug_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
+allow better_bug_app perfetto_traces_bugreport_data_file:file { getattr };
+
+# Allow BetterBug to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow better_bug_app perfetto:fd use;
+allow better_bug_app perfetto_traces_data_file:file { read getattr };
+
+# Allow BetterBug to set property to start vendor.touch_dumpstate
+set_prop(better_bug_app, ctl_start_prop)
+
+# Allow BetterBug to read system boot reason
+get_prop(better_bug_app, system_boot_reason_prop)
diff --git a/betterbug/sepolicy/product/private/seapp_contexts b/betterbug/sepolicy/product/private/seapp_contexts
new file mode 100644
index 0000000..77fe3e1
--- /dev/null
+++ b/betterbug/sepolicy/product/private/seapp_contexts
@@ -0,0 +1,2 @@
+# BetterBug
+user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=privapp_data_file levelFrom=user
diff --git a/betterbug/sepolicy/product/public/better_bug_app.te b/betterbug/sepolicy/product/public/better_bug_app.te
new file mode 100644
index 0000000..9a14782
--- /dev/null
+++ b/betterbug/sepolicy/product/public/better_bug_app.te
@@ -0,0 +1 @@
+type better_bug_app, domain;
From b2a04f23d6f004bae86ab6bb0ebedd56f0a48de3 Mon Sep 17 00:00:00 2001
From: Zheng Pan
Date: Tue, 12 Mar 2024 18:21:05 -0700
Subject: [PATCH 3/3] Support conditional insmod
Conditional insmod config file format condinsmod|system_property_name|module1|module2 if getprop system_property_name == true; load module1 else load module2
Bug: 325647677
Change-Id: I0f2dd92caaefd707a626b9f80923aeab495d31a2
---
insmod/insmod.sh | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/insmod/insmod.sh b/insmod/insmod.sh
index 03843f5..8cac37e 100755
--- a/insmod/insmod.sh
+++ b/insmod/insmod.sh
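Review bot: `set_prop(better_bug_app, ctl_start_prop)` grants far more than the comment above it describes: unless `ctl.start$vendor.touch_dumpstate` is given its own label in property_contexts, `ctl_start_prop` is the catch-all context for `ctl.start$` on every init service without a more specific label, so the app would be able to start arbitrary services, not just `vendor.touch_dumpstate`. The least-privilege fix is to label that single control property with a dedicated type (a `ctl.start$vendor.touch_dumpstate` entry in the vendor property_contexts, e.g. `vendor_touch_dumpstate_ctl_prop`) and change the rule to `set_prop(better_bug_app, vendor_touch_dumpstate_ctl_prop)`, keeping the existing comment. Separately, `allow better_bug_app privapp_data_file:file execute;` was carried over from priv_app.te per the commit message; in a dedicated domain it should stay only if BetterBug really executes files out of its data directory, otherwise drop it and keep W^X for this domain. The hunk starts on the previous line.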
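Review bot: The seapp_contexts entry selects on `name=` plus `isPrivApp=true` with no `seinfo=`, so any privileged app installed under `com.google.android.apps.internal.betterbug`, regardless of signing key, is placed in `better_bug_app`; that is the same pattern AOSP uses for its named priv-apps, but the file should say so. Suggest replacing the bare `# BetterBug` with `# BetterBug: matched by package name + priv-app flag only (no seinfo=), so any priv-app with this name gets the domain`. If the intent is to bind the domain to the Google-signed build of the app, add the matching `seinfo=` selector — confirm which seinfo the app actually carries before doing so.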
@@ -66,6 +66,17 @@ if [ -f $cfg_file ]; then
 "insmod") insmod $arg ;;
 "setprop") setprop $arg 1 ;;
 "enable") echo 1 > $arg ;;
+ "condinsmod")
+ prop=$(echo $arg | cut -d '|' -f 1)
+ module1=$(echo $arg | cut -d '|' -f 2)
+ module2=$(echo $arg | cut -d '|' -f 3)
+ value=$(getprop $prop)
+ if [[ ${value} == "true" ]]; then
+ insmod ${vendor_modules_dir}/${module1}
+ else
+ insmod ${vendor_modules_dir}/${module2}
+ fi
+ ;;
 "modprobe")
 case ${arg} in
 "system -b *" | "system -b")
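Review bot: A malformed `condinsmod` entry with fewer than three `|` fields leaves `module1` or `module2` empty, and the new arm then runs `insmod ${vendor_modules_dir}/` against the directory itself instead of skipping the entry; the three `cut` results should be checked before any load is attempted. The `$arg`, `$prop` and `${vendor_modules_dir}/${moduleN}` expansions are also unquoted, which is harmless for well-formed entries but is the one place in this arm where a stray space in the config would split arguments, and quoting costs nothing. Note too that anything other than the literal `true` (including an unset property) takes the `module2` branch; that matches the commit message but deserves a comment in the script. The enclosing `case` and the `if [ -f $cfg_file ]` block both start outside the hunk.
```shell
"condinsmod")
    prop=$(echo "$arg" | cut -d '|' -f 1)
    module1=$(echo "$arg" | cut -d '|' -f 2)
    module2=$(echo "$arg" | cut -d '|' -f 3)
    # A malformed entry (missing field) must not turn into
    # `insmod ${vendor_modules_dir}/`; load nothing in that case.
    if [ -n "$prop" ] && [ -n "$module1" ] && [ -n "$module2" ]; then
        # Only the literal "true" selects module1; unset or any other
        # value (intentionally) falls back to module2.
        if [[ $(getprop "$prop") == "true" ]]; then
            insmod "${vendor_modules_dir}/${module1}"
        else
            insmod "${vendor_modules_dir}/${module2}"
        fi
    fi
    ;;
```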