From 202f18ed1876205f33ee8351867699fdfd62bd31 Mon Sep 17 00:00:00 2001 From: samou Date: Wed, 4 Sep 2024 15:48:10 +0000 Subject: [PATCH 1/7] sepolicy: fix dump_power policy 09-03 10:57:32.552 11878 11878 W dump_power: type=1400 audit(0.0:23): avc: denied { read } for name="thismeal.txt" dev="dm-51" ino=14368 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=0 09-05 00:01:19.432 6967 6967 W dump_power: type=1400 audit(0.0:25): avc: denied { open } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-52" ino=14368 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=0 09-05 00:11:25.532 6913 6913 W dump_power: type=1400 audit(0.0:25): avc: denied { getattr } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-52" ino=14368 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=0 Flag: EXEMPT refactor Bug: 364612419 Change-Id: Ide2ad35e3f2a5bc3246603a4e66b67ec901ddc64 Signed-off-by: samou --- battery_mitigation/sepolicy/vendor/dumpstate.te | 1 + 1 file changed, 1 insertion(+) diff --git a/battery_mitigation/sepolicy/vendor/dumpstate.te b/battery_mitigation/sepolicy/vendor/dumpstate.te index 8248254..bb84ff2 100644 --- a/battery_mitigation/sepolicy/vendor/dumpstate.te +++ b/battery_mitigation/sepolicy/vendor/dumpstate.te 
@@ -8,6 +8,7 @@ allow hal_dumpstate_default sysfs_cpu:file { read open getattr };
 allow hal_dumpstate_default sysfs_batteryinfo:dir { read open search };
 allow hal_dumpstate_default sysfs_batteryinfo:file { read open getattr };
 allow hal_dumpstate_default logbuffer_device:chr_file { read open getattr };
+allow hal_dumpstate_default mitigation_vendor_data_file:file { read open getattr };
 allow hal_dumpstate_default mitigation_vendor_data_file:dir { search };
 allow hal_dumpstate_default sysfs_bcl:dir { read open search };
 allow hal_dumpstate_default sysfs_bcl:file { read open getattr };
From 94ef296dae4ee2185d89f2bab0cbfc2d26c51cd5 Mon Sep 17 00:00:00 2001 From: Kieran Cyphus Date: Tue, 3 Sep 2024 23:29:23 +0000 Subject: [PATCH 2/7] shamp: Update shared_modem_platform HAL version to 2 Bug: 364363838 ag/28965951 accidentally started providing a V2 when the manifests only said V1 which broke some VTS tests. Test: `atest vts_treble_vintf_vendor_test:DeviceManifest/SingleAidlTest#HalIsServed/com_google_pixel_shared_modem_platform_ISharedModemPlatform_default_V1_84` Flag: EXEMPT can't flag manifest changes Change-Id: I17113f86e9bceaa3efe2f0d4d76e8349fe2c456e
---
 modem/shared_modem_platform/compatibility_matrix.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modem/shared_modem_platform/compatibility_matrix.xml b/modem/shared_modem_platform/compatibility_matrix.xml
index 5019c3e..66a58ce 100644
--- a/modem/shared_modem_platform/compatibility_matrix.xml
+++ b/modem/shared_modem_platform/compatibility_matrix.xml
@@ -2,7 +2,7 @@ com.google.pixel.shared_modem_platform - 1 + 2 ISharedModemPlatform default
From cacedb4ae85cb270e1662ffe3d120bccaaa94f9a Mon Sep 17 00:00:00 2001 
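Review bot: The new rule `allow hal_dumpstate_default mitigation_vendor_data_file:file { read open getattr };` opens every file carrying that label to the dumpstate HAL, while all three denials quoted in the message are for the single file /data/vendor/mitigation/thismeal.txt. SELinux cannot scope an allow rule to one file without a dedicated type, so the rule is the expected fix, but it should say what it is for so the grant can be re-audited later: `# dump_power reads /data/vendor/mitigation/thismeal.txt (b/364612419)`. If that directory holds other files the HAL has no reason to read, giving thismeal.txt its own type and narrowing this rule to it would be the least-privilege option.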
From: Randall Huang Date: Thu, 5 Sep 2024 10:41:08 +0800 Subject: [PATCH 3/7] storage: move sepolicy to common folder avc: denied { read } for comm="android.hardwar" name="specification_version" dev="sysfs" ino=56257 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 Bug: 361093041 Test: local build Change-Id: I90d29590908efc329a05bd8f5f3e145dac4982fc Signed-off-by: Randall Huang
---
 storage/sepolicy/charger_vendor.te | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 storage/sepolicy/charger_vendor.te
diff --git a/storage/sepolicy/charger_vendor.te b/storage/sepolicy/charger_vendor.te
new file mode 100644
index 0000000..62a7661
--- /dev/null
+++ b/storage/sepolicy/charger_vendor.te
@@ -0,0 +1,3 @@
+# fork from dcb05d13
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+
From 9d99d1d598540fea02906038cf9f7bb656b8a5b2 Mon Sep 17 00:00:00 2001 
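Review bot: The header comment `# fork from dcb05d13` in the new charger_vendor.te records where the rule was copied from but not what charger_vendor needs it for; the denial in the message shows a read of the `specification_version` sysfs attribute labeled sysfs_scsi_devices_0000, and that is what a later reader of the policy will want to know. Suggest `# charger reads the specification_version sysfs attribute (sysfs_scsi_devices_0000, b/361093041); forked from dcb05d13`. `r_file_perms` is wider than the single `read` that was denied, but it is the conventional macro, and since the enforcing-mode denial (permissive=0) already reached the file, directory search on that tree appears to be granted elsewhere and no extra dir rule seems needed here.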
From: Randall Huang Date: Thu, 5 Sep 2024 12:01:47 +0800 Subject: [PATCH 4/7] storage: fix PowerStats avc denied avc: denied { search } for name="ufs_stats" dev="sysfs" ino=99872 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=1 avc: denied { open } for comm="android.hardwar" path="/sys/devices/platform/3c400000.ufs/host0/target000/0000/block/sda/stat" dev="sysfs" ino=100761 scontext=urhal_health_default avc: denied { getattr } for comm="android.hardwar" path="/sys/devices/platform/3c400000.ufs/host0/target000/0000/block/sda/stat" dev="sysfs" ino=100761 scontext=urhal_health_default avc: denied { search } for comm="android.hardwar" name="0000" dev="sysfs" ino=100578 scontext=urhal_health_defaults0 tcontext=uobject_r avc: denied { read } for comm="android.hardwar" name="stat" dev="sysfs" ino=100761 scontext=urhal_health_defaults0 tcontext=uobject_rsysfs_scsi_devices_0000s0 tclass=file permissive=1 avc: denied { search } for comm="android.hardwar" name="0000" dev="sysfs" ino=100578 scontext=urhal_health_defaults0 tcontext=uobject_r avc: denied { read } for comm="android.hardwar" name="stat" dev="sysfs" ino=100761 scontext=urhal_health_defaults0 tcontext=uobject_rsysfs_scsi_devices_0000s0 tclass=file permissive=1 Bug: 361093041 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: I94dadb9b9fc015fd1ecc39f9d62bc7209375a13a Signed-off-by: Randall Huang --- storage/sepolicy/hal_health_default.te | 2 ++ storage/sepolicy/hal_power_stats_default.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 storage/sepolicy/hal_health_default.te create mode 100644 storage/sepolicy/hal_power_stats_default.te diff --git a/storage/sepolicy/hal_health_default.te b/storage/sepolicy/hal_health_default.te new file mode 100644 index 0000000..58ec649 --- /dev/null +++ b/storage/sepolicy/hal_health_default.te 
@@ -0,0 +1,2 @@
+# dumpsys android.hardware.power.stats.IPowerStats/default
+r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
diff --git a/storage/sepolicy/hal_power_stats_default.te b/storage/sepolicy/hal_power_stats_default.te
new file mode 100644
index 0000000..4d4dda7
--- /dev/null
+++ b/storage/sepolicy/hal_power_stats_default.te
@@ -0,0 +1,2 @@
+# dumpsys android.hardware.power.stats.IPowerStats/default
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
From bce5748b4f77e28f982852673425bb2d84f7e850 Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Thu, 5 Sep 2024 14:55:14 +0800 Subject: [PATCH 5/7] storage: fix adb bugreport and refactor the existing rules avc: denied { getattr } for comm="df" path="/mnt/vendor/persist" dev="sda15" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 avc: denied { call } for comm="binder:10121_3" scontext=u:r:dumpstate:s0 tcontext=u:r:vold:s0 tclass=binder permissive=1 avc: denied { getattr } for comm="df" path="/mnt/vendor/efs" dev="sda5" ino=3 scontext=u:r:dumpstate:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1 avc: denied { getattr } for comm="df" path="/mnt/vendor/modem_userdata" dev="sda7" ino=3 scontext=u:r:dumpstate:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1 Bug: 361093041 Test: local build Change-Id: I5c6be63beebf66d64db7e495c28493ab35621054 
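Review bot: The comment `# dumpsys android.hardware.power.stats.IPowerStats/default` in the new hal_health_default.te appears to have been copied from hal_power_stats_default.te and does not describe this domain: the hal_health_default denials in the message are open, getattr and read of `.../0000/block/sda/stat` under the UFS sysfs tree, which the health HAL reads for itself rather than on behalf of the power stats service. Suggest `# health HAL reads UFS block stats (block/sda/stat) under sysfs_scsi_devices_0000 (b/361093041)` for this file, and keep the dumpsys comment only in hal_power_stats_default.te where it matches the Test: line. In both files `r_dir_file()` grants read on every directory and file under sysfs_scsi_devices_0000, which is broader than the `ufs_stats` and `stat` entries named in the denials; that is the usual consequence of how sysfs is labeled and is fine, but a comment saying so would make the breadth visibly deliberate.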
Signed-off-by: Randall Huang
---
 storage/sepolicy/dump_storage.te | 6 ++++++
 storage/sepolicy/dumpstate.te | 8 +++++++-
 storage/sepolicy/e2fs.te | 1 +
 storage/sepolicy/fastbootd.te | 2 ++
 storage/sepolicy/file.te | 2 ++
 storage/sepolicy/fsck.te | 1 +
 storage/sepolicy/genfs_contexts | 2 ++
 storage/sepolicy/hal_health_default.te | 1 +
 storage/sepolicy/hal_health_storage_default.te | 1 +
 storage/sepolicy/hal_power_stats_default.te | 1 +
 storage/sepolicy/init.te | 2 ++
 storage/sepolicy/vendor_init.te | 2 ++
 storage/sepolicy/vold.te | 2 ++
 13 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/storage/sepolicy/dump_storage.te b/storage/sepolicy/dump_storage.te
index 5324c17..7a5f563 100644
--- a/storage/sepolicy/dump_storage.te
+++ b/storage/sepolicy/dump_storage.te
@@ -1,8 +1,11 @@
+# adb bugreport
 pixel_bugreport(dump_storage)
+# adb bugreport
 allow dump_storage sysfs_scsi_devices_0000:dir r_dir_perms;
 allow dump_storage sysfs_scsi_devices_0000:file r_file_perms;
+# adb bugreport
 userdebug_or_eng(`
 allow dump_storage debugfs_f2fs:dir r_dir_perms;
 allow dump_storage debugfs_f2fs:file r_file_perms;
@@ -17,7 +20,10 @@ userdebug_or_eng(`
 allow dump_storage dump_storage_data_file:file create_file_perms;
 ')
+# adb bugreport
 get_prop(dump_storage, boottime_public_prop)
+# adb bugreport
 dontaudit dump_storage debugfs_f2fs:dir r_dir_perms;
 dontaudit dump_storage debugfs_f2fs:file r_file_perms;
+
diff --git a/storage/sepolicy/dumpstate.te b/storage/sepolicy/dumpstate.te
index 2c01193..2220870 100644
--- a/storage/sepolicy/dumpstate.te
+++ b/storage/sepolicy/dumpstate.te
@@ -1 +1,7 @@
-allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
\ No newline at end of file
+# adb bugreport
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir { getattr };
+allow dumpstate modem_efs_file:dir { getattr };
+allow dumpstate modem_userdata_file:dir { getattr };
+allow dumpstate vold:binder { call };
+ 
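Review bot: The identical comment `# adb bugreport` is inserted three times in the first dump_storage.te hunk and again in its second hunk, in dumpstate.te and in vold.te, yet it adds nothing a reader cannot infer from the domain names, and it sits in front of unrelated rules (a `pixel_bugreport()` declaration, sysfs reads, a `get_prop()`). One header comment per file describing what the domain does would carry more information, for dump_storage.te something like `# dump_storage: storage section of the bugreport (sysfs_scsi_devices_0000 stats, f2fs debugfs on userdebug/eng, output in dump_storage_data_file)` as far as the visible rules show, with individual rules commented only where the reason is not obvious. Both dump_storage.te hunks are cut from a file whose remaining lines are outside the hunks.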
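Review bot: `allow dumpstate vold:binder { call };` at the end of the dumpstate.te hunk is the only rule in this series that lets a bugreport process drive another daemon, and it carries no explanation beyond the generic `# adb bugreport`; the denial in the message comes from a binder thread (comm="binder:10121_3"), not from `df`, so the comment should name the vold transaction dumpstate issues. The three `:dir { getattr }` rules are the minimal fix for `df` stat-ing /mnt/vendor/persist, /mnt/vendor/efs and /mnt/vendor/modem_userdata, and a comment such as `# df in the bugreport stats the /mnt/vendor mounts` would tie them to the denials. If the vold call also passes binder references or fds, `call` alone will surface further `transfer` denials; the `binder_call(dumpstate, vold)` macro covers both, so an enforcing-mode run should decide which form is needed.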
diff --git a/storage/sepolicy/e2fs.te b/storage/sepolicy/e2fs.te
index 464b4ce..92ff839 100644
--- a/storage/sepolicy/e2fs.te
+++ b/storage/sepolicy/e2fs.te
@@ -7,3 +7,4 @@ allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_dev
 };
 allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
 allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/fastbootd.te b/storage/sepolicy/fastbootd.te
index 35bac15..e571d0b 100644
--- a/storage/sepolicy/fastbootd.te
+++ b/storage/sepolicy/fastbootd.te
@@ -1 +1,3 @@
+# fastbootd
 allow fastbootd devpts:chr_file rw_file_perms;
+
diff --git a/storage/sepolicy/file.te b/storage/sepolicy/file.te
index ed4f925..0fa9564 100644
--- a/storage/sepolicy/file.te
+++ b/storage/sepolicy/file.te
@@ -1,4 +1,6 @@
+# file.te
 type debugfs_f2fs, debugfs_type, fs_type;
 type dump_storage_data_file, file_type, data_file_type;
 type sg_device, dev_type;
 type sg_util_exec, exec_type, vendor_file_type, file_type;
+
diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te
index 88efb35..7369bb4 100644
--- a/storage/sepolicy/fsck.te
+++ b/storage/sepolicy/fsck.te
@@ -4,3 +4,4 @@ allow fsck efs_block_device:blk_file rw_file_perms;
 allow fsck modem_userdata_block_device:blk_file rw_file_perms;
 allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
 allow fsck sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/genfs_contexts b/storage/sepolicy/genfs_contexts
index 1a27ec4..69baae6 100644
--- a/storage/sepolicy/genfs_contexts
+++ b/storage/sepolicy/genfs_contexts
@@ -1 +1,3 @@
+# f2fs
 genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+
diff --git a/storage/sepolicy/hal_health_default.te b/storage/sepolicy/hal_health_default.te
index 58ec649..49bf50c 100644
--- a/storage/sepolicy/hal_health_default.te
+++ b/storage/sepolicy/hal_health_default.te
@@ -1,2 +1,3 @@
 # dumpsys android.hardware.power.stats.IPowerStats/default
 r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
+ 
diff --git a/storage/sepolicy/hal_health_storage_default.te b/storage/sepolicy/hal_health_storage_default.te
index af6593a..20a3b7d 100644
--- a/storage/sepolicy/hal_health_storage_default.te
+++ b/storage/sepolicy/hal_health_storage_default.te
@@ -1,3 +1,4 @@
 # Access to /sys/devices/platform/*ufs/*
 allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
+
diff --git a/storage/sepolicy/hal_power_stats_default.te b/storage/sepolicy/hal_power_stats_default.te
index 4d4dda7..edd286c 100644
--- a/storage/sepolicy/hal_power_stats_default.te
+++ b/storage/sepolicy/hal_power_stats_default.te
@@ -1,2 +1,3 @@
 # dumpsys android.hardware.power.stats.IPowerStats/default
 r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
+
diff --git a/storage/sepolicy/init.te b/storage/sepolicy/init.te
index 7070318..dc24247 100644
--- a/storage/sepolicy/init.te
+++ b/storage/sepolicy/init.te
@@ -1 +1,3 @@
+# init
 allow init sysfs_scsi_devices_0000:file w_file_perms;
+
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index da4fcba..f5f17e4 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -1 +1,3 @@
+# vendor_init
 allow vendor_init sg_device:chr_file r_file_perms;
+
diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te
index 87387a7..529f495 100644
--- a/storage/sepolicy/vold.te
+++ b/storage/sepolicy/vold.te
@@ -5,9 +5,11 @@ allow vold sysfs_scsi_devices_0000:file rw_file_perms;
 allow vold userdata_exp_block_device:blk_file rw_file_perms;
 allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;
+# adb bugreport
 dontaudit vold dumpstate:fifo_file rw_file_perms;
 dontaudit vold dumpstate:fd use ;
 # fix idle-maint
 allow vold efs_block_device:blk_file { getattr };
 allow vold modem_userdata_block_device:blk_file { getattr };
+
From 24568c64d138e1db7343fc6b39b1db61d432081d Mon Sep 17 00:00:00 2001 
From: Randall Huang Date: Thu, 5 Sep 2024 15:46:21 +0800 Subject: [PATCH 6/7] storage: fix vold avc denied [ 33.709752][ T363] type=1400 audit(1725519791.892:729): avc: denied { read } for comm="binder:369_6" name="/" dev="sda5" ino=3 scontext=u:r:vold:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1 [ 33.710804][ T363] type=1400 audit(1725519791.892:730): avc: denied { open } for comm="binder:369_6" path="/mnt/vendor/efs" dev="sda5" ino=3 scontext=u:r:vold:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1 [ 33.711734][ T363] type=1400 audit(1725519791.892:731): avc: denied { ioctl } for comm="binder:369_6" path="/mnt/vendor/efs" dev="sda5" ino=3 ioctlcmd=0x5879 scontext=u:r:vold:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1 [ 33.712732][ T363] type=1400 audit(1725519791.892:732): avc: denied { read } for comm="binder:369_6" name="/" dev="sda7" ino=3 scontext=u:r:vold:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1 [ 33.713612][ T363] type=1400 audit(1725519791.892:733): avc: denied { open } for comm="binder:369_6" path="/mnt/vendor/modem_userdata" dev="sda7" ino=3 scontext=u:r:vold:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1 [ 33.714833][ T363] type=1400 audit(1725519791.892:734): avc: denied { ioctl } for comm="binder:369_6" path="/mnt/vendor/modem_userdata" dev="sda7" ino=3 ioctlcmd=0x5879 scontext=u:r:vold:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1 Bug: 361093041 Test: local build Change-Id: I629f0303940f3f07ce3717cd0a2c8f975378f24b Signed-off-by: Randall Huang --- storage/sepolicy/vold.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te index 529f495..b776c80 100644 --- a/storage/sepolicy/vold.te +++ b/storage/sepolicy/vold.te 
@@ -12,4 +12,6 @@ dontaudit vold dumpstate:fd use ;
 # fix idle-maint
 allow vold efs_block_device:blk_file { getattr };
 allow vold modem_userdata_block_device:blk_file { getattr };
+allow vold modem_efs_file:dir { read open ioctl };
+allow vold modem_userdata_file:dir { read open ioctl };
From 0440e82770dee2bbba5d5860a3452035c7cf3044 Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Thu, 5 Sep 2024 15:56:26 +0800 Subject: [PATCH 7/7] storage: fix vendor_init avc denied avc: denied { write } for comm="init" name="swappiness" dev="proc" ino=207356 scontext=u:r:vendor_init:s0 tcontext=u:object_r:proc_dirty:s0 tclass=file permissive=1 Bug: 361093041 Test: local build Change-Id: I595008f957c322aedbdf383c4e50c0e0ce30b9dc Signed-off-by: Randall Huang
---
 storage/sepolicy/vendor_init.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index f5f17e4..73eb527 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -1,3 +1,6 @@
 # vendor_init
 allow vendor_init sg_device:chr_file r_file_perms;
+# dirty swappiness
+allow vendor_init proc_dirty:file w_file_perms;
+
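Review bot: The two new rules `allow vold modem_efs_file:dir { read open ioctl };` and `allow vold modem_userdata_file:dir { read open ioctl };` grant vold every directory ioctl on /mnt/vendor/efs and /mnt/vendor/modem_userdata, while all six denials in the message carry ioctlcmd=0x5879, which is FITRIM, i.e. the fstrim issued by the idle maintenance that the `# fix idle-maint` comment above already refers to. This file already pins an ioctl with `allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;`, so the same pattern applies here: `allowxperm vold { modem_efs_file modem_userdata_file }:dir ioctl FITRIM;` (assuming FITRIM is present in the policy's ioctl defines; otherwise the numeric value from the audit log can be used). The two rules would also read better placed under a comment such as `# idle-maint fstrim of /mnt/vendor/efs and /mnt/vendor/modem_userdata` rather than appended bare after the block-device getattr rules.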
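Review bot: The comment `# dirty swappiness` above the new `allow vendor_init proc_dirty:file w_file_perms;` is cryptic: the denial is vendor_init writing the `swappiness` sysctl (name="swappiness" dev="proc"), which on this device is labeled proc_dirty, so the rule in fact allows writes to every proc file carrying that label and not only swappiness. Suggest `# vendor init writes the vm swappiness sysctl; it is labeled proc_dirty, so this covers all proc_dirty files (b/361093041)`. `w_file_perms` is broader than the single `write` that was denied, but it is the conventional macro for sysctl writes from init and is fine to keep.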