From e6358c91de46809e50419f7a6fb70c9d0f45554f Mon Sep 17 00:00:00 2001
From: Frank Yu
Date: Thu, 22 Aug 2024 11:03:01 +0000
Subject: [PATCH 1/6] Move hal_radio_ext_service related policy of grilservice_app to gs-common. Related avc error: avc: denied { find } for pid=2227 uid=10259 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:grilservice_app:s0:c3,c257,c512,c768 tcontext=u:object_r:hal_radio_ext_service:s0 tclass=service_manager permissive=0 avc: denied { call } for comm="oid.grilservice" scontext=u:r:grilservice_app:s0:c3,c257,c512,c768 tcontext=u:r:hal_radioext_default:s0 tclass=binder permissive=0 app=com.google.android.grilservice
Bug: 361210953
Change-Id: Ibb8a341847b0772668b52bc01f2d087bf1874fe9
Test: Verify with test ROM
Flag: EXEMPT sepolicy refactor
---
 modem/radio_ext/sepolicy/grilservice_app.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 modem/radio_ext/sepolicy/grilservice_app.te
diff --git a/modem/radio_ext/sepolicy/grilservice_app.te b/modem/radio_ext/sepolicy/grilservice_app.te
new file mode 100644
index 0000000..9bd8c8e
--- /dev/null
+++ b/modem/radio_ext/sepolicy/grilservice_app.te
@@ -0,0 +1,2 @@
+allow grilservice_app hal_radio_ext_service:service_manager find;
+binder_call(grilservice_app, hal_radio_ext)
From d35b61f3905bea1dfe1c8cb37c2b2e50c98b4d26 Mon Sep 17 00:00:00 2001
From: Ernie Hsu
Date: Wed, 28 Aug 2024 09:16:37 +0000
Subject: [PATCH 2/6] mediacodec: fix perfetto trace permission 08-28 16:33:56.280 1046 720 720 I auditd : type=1400 audit(0.0:469): avc: denied { write } for comm="TracingMuxer" name="traced_producer" dev="tmpfs" ino=1604 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=0
Flag: EXEMPT bugfix
Test: atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot
Bug: 361093311
Change-Id: I0aad9d771069cd0d660708e41c29c79d83e04704
---
 mediacodec/vpu/sepolicy/mediacodec_google.te | 3 +++
 1 file changed, 3 insertions(+)
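Review bot: `binder_call(grilservice_app, hal_radio_ext)` grants calls to every domain carrying the `hal_radio_ext` attribute, while the denial quoted in the message names only the server domain `hal_radioext_default`; if `hal_radio_ext` is declared through `hal_attribute` (so `hal_radio_ext_client` and `hal_radio_ext_server` exist), the conventional and narrower form is `hal_client_domain(grilservice_app, hal_radio_ext)`, with the `service_manager find` rule then typically written once against `hal_radio_ext_client` rather than per app. The subject says "move" but the series only adds this file; if the same two rules still exist in the device-specific policy they should be removed there so the grant has one home. A one-line header comment stating what the app needs from the HAL, e.g. `# grilservice_app is a client of the radio_ext HAL (IRadioExt/default)`, would make the next audit of this file quicker.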
diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te
index 47c0be8..8022675 100644
--- a/mediacodec/vpu/sepolicy/mediacodec_google.te
+++ b/mediacodec/vpu/sepolicy/mediacodec_google.te
@@ -22,6 +22,9 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
 neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
 neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
+# Allow HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(mediacodec_google)')
+
 userdebug_or_eng(`
 allow mediacodec_google vendor_media_data_file:dir rw_dir_perms;
 allow mediacodec_google vendor_media_data_file:file create_file_perms;
From b584b9c7e081d803b32f0ff5f059573dfa6c0a0e Mon Sep 17 00:00:00 2001
From: bgkim
Date: Wed, 28 Aug 2024 12:38:34 -0700
Subject: [PATCH 3/6] bootctrl: fixed OOB read in BootControl Fixed OOB read in BootControl::isSlotMarkedSuccessful() by checking if "in_slot" is negative
Flag: EXEMPT bugfix
Test: tested on Husky device
Bug: 353516777
Change-Id: I634c32a8c12403008fe5a724bc447f82931ae9c5
Signed-off-by: bgkim
---
 bootctrl/aidl/BootControl.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bootctrl/aidl/BootControl.cpp b/bootctrl/aidl/BootControl.cpp
index 83deb72..8655929 100644
--- a/bootctrl/aidl/BootControl.cpp
+++ b/bootctrl/aidl/BootControl.cpp
@@ -384,7 +384,7 @@ ScopedAStatus BootControl::isSlotMarkedSuccessful(int32_t in_slot, bool* _aidl_r
 *_aidl_return = true;
 return ScopedAStatus::ok();
 }
- if (in_slot >= slots)
+ if (in_slot < 0 || in_slot >= slots)
 return ScopedAStatus::fromServiceSpecificErrorWithMessage(
 INVALID_SLOT, (std::string("Invalid slot ") + std::to_string(in_slot)).c_str());
From 956edf0d269c7c8f1b86ddcc567a5c03b5637147 Mon Sep 17 00:00:00 2001
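Review bot: `# Allow HAL to send trace packets to Perfetto` does not mention that the grant is wrapped in `userdebug_or_eng`, so a reader of the file sees an unconditional-looking comment over a debug-only rule; `# Debug builds only: let mediacodec_google register as a Perfetto trace producer` states the actual scope. On user builds the TracingMuxer connect quoted in the commit message will keep being refused and logged exactly as before, which is presumably intended, but the `Test:` line scans AVC logs after reboot and the patch does not say which build variant it ran on. If the user-build denial is expected, saying so in the comment saves the next log triage from rediscovering it.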
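Review bot: The new `in_slot < 0 || in_slot >= slots` guard is correct for this method, but the one-sided comparison it replaces is a pattern the other slot-indexed entry points of this class (isSlotBootable, setActiveBootSlot, setSlotAsUnbootable, getSuffix in the IBootControl surface) presumably share, and none of them is touched by this commit; a shared helper such as `static bool IsValidSlot(int32_t slot, int32_t slots) { return slot >= 0 && slot < slots; }` called from each entry point would make the negative case impossible to forget again. The type of `slots` is outside the hunk; an unsigned `slots` would already have rejected negatives through the implicit conversion, so the reported out-of-bounds read implies it is signed and the explicit `< 0` check is the right fix rather than a cast. The `*_aidl_return = true; return ScopedAStatus::ok();` branch immediately above runs before the bound check; its condition is outside the hunk and is worth confirming it does not index anything by `in_slot`. isSlotMarkedSuccessful begins and ends outside the hunk.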
From: Prochin Wang
Date: Tue, 27 Aug 2024 07:04:23 +0000
Subject: [PATCH 4/6] Label touch_property_type to associate with vendor_gti_prop Pass ROM build of all git_main targets: https://android-build.googleplex.com/builds/abtd/run/L52500030006128092/ https://android-build.corp.google.com/abtd/run/L93900030006078492/ https://android-build.corp.google.com/abtd/run/L15800030006086232/ https://android-build.corp.google.com/abtd/run/L27700030006086619/
Bug: 361237875
Test: mm and flash rom
Flag: build.RELEASE_PIXEL_BOOST_DATALAYER_PSA_ENABLED
Change-Id: I518ff7c05fc1fa279cd7300cb77673a86ff3e35b
---
 touch/gti/ical/sepolicy/property.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/touch/gti/ical/sepolicy/property.te b/touch/gti/ical/sepolicy/property.te
index 2a71d74..94fa3fc 100644
--- a/touch/gti/ical/sepolicy/property.te
+++ b/touch/gti/ical/sepolicy/property.te
@@ -1 +1,2 @@
 system_public_prop(vendor_gti_prop)
+typeattribute vendor_gti_prop touch_property_type;
From d6ba7fad68261d667e385271a382861af13e5607 Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Tue, 27 Aug 2024 11:09:18 +0800
Subject: [PATCH 5/6] storage: fix idle-maint avc denials. avc: denied { getattr } for path="/dev/block/sda5" dev="tmpfs" ino=1039 scontext=u:r:vold:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { getattr } for path="/dev/block/sda7" dev="tmpfs" ino=1199 scontext=u:r:vold:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1
Bug: 361093041
Test: run idle-maint run
Change-Id: Ie92ffa8b576c74e3a1cb127b265059ec76c14667
Signed-off-by: Randall Huang
---
 storage/sepolicy/vold.te | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te
index 3d35589..87387a7 100644
--- a/storage/sepolicy/vold.te
+++ b/storage/sepolicy/vold.te
@@ -1,3 +1,4 @@
+# ufs hagc
 allow vold sysfs_scsi_devices_0000:file rw_file_perms;
 # Access userdata_exp block device.
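Review bot: `typeattribute vendor_gti_prop touch_property_type;` makes every rule written against `touch_property_type` apply to the GTI properties, so whichever domains may get or set that attribute now reach `vendor_gti_prop` as well; neither the hunk nor the message says which domains those are, and the attribute's declaration is outside this series. A comment above the line naming where `touch_property_type` is declared and what access it carries, e.g. `# touch_property_type is declared in <gs-common policy path>; grants <get/set> to <domains>` with the placeholders filled in, would let a reviewer judge the widened surface without digging.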
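Review bot: `# ufs hagc` labels the existing `allow vold sysfs_scsi_devices_0000:file rw_file_perms;` with an abbreviation nobody can audit later; a policy comment should spell out what vold does with that sysfs node and why write access is needed, in the shape of `# vold <writes which setting> under the UFS SCSI device sysfs tree (write required)` with the specifics filled in, since the commit message does not say. The same applies to `# fix idle-maint` in the second hunk of this file, which records the symptom rather than the behaviour being permitted (idle-maint stat()ing the EFS and modem userdata block devices). Both comments would be more useful carrying the bug id, given that the denials were collected with permissive=1 and the rule set may need revisiting.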
@@ -6,3 +7,7 @@ allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;
 dontaudit vold dumpstate:fifo_file rw_file_perms;
 dontaudit vold dumpstate:fd use ;
+
+# fix idle-maint
+allow vold efs_block_device:blk_file { getattr };
+allow vold modem_userdata_block_device:blk_file { getattr };
From df4a5f7b482ba1e93462b009be2ae21c5aa5d9c0 Mon Sep 17 00:00:00 2001
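Review bot: The two new rules differ only in target and read better as one, `allow vold { efs_block_device modem_userdata_block_device }:blk_file getattr;`, and the braces around a single permission are unnecessary. Granting only getattr is the right minimal answer to the two denials quoted in the message, but those were captured with permissive=1 on one run of idle-maint; if vold later needs open or ioctl on these partitions that should be a deliberate decision, so the comment should state that getattr is intentional, e.g. `# idle-maint only stats these partitions; do not widen to rw without review`.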
From: Randall Huang Date: Tue, 27 Aug 2024 15:03:35 +0800 Subject: [PATCH 6/6] storage: allow mkfs/fsck for vendor partitons avc: denied { read } for name="sda7" dev="tmpfs" ino=1173 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for path="/dev/block/sda7" dev="tmpfs" ino=1173 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { write } for name="sda7" dev="tmpfs" ino=1173 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for path="/dev/block/sda7" dev="tmpfs" ino=1173 ioctlcmd=0x1268 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { read } for name="sda5" dev="tmpfs" ino=1010 scontext=u:r:fsck:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for path="/dev/block/sda5" dev="tmpfs" ino=1010 scontext=u:r:fsck:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/zoned" dev="sysfs" ino=100275 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { write } for name="sda5" dev="tmpfs" ino=1010 scontext=u:r:fsck:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for path="/dev/block/sda5" dev="tmpfs" ino=1010 ioctlcmd=0x1268 scontext=u:r:fsck:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { search } for name="0:0:0:0" dev="sysfs" ino=100048 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=1 avc: denied { getattr } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda5/partition" dev="sysfs" ino=101272 scontext=u:r:fsck:s0 
tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for name="zoned" dev="sysfs" ino=100308 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/zoned" dev="sysfs" ino=100308 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { search } for name="0:0:0:0" dev="sysfs" ino=100048 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=1 avc: denied { getattr } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda10/partition" dev="sysfs" ino=102003 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for name="zoned" dev="sysfs" ino=100308 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/zoned" dev="sysfs" ino=100308 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for name="sda5" dev="tmpfs" ino=1004 scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { open } for path="/dev/block/sda5" dev="tmpfs" ino=1004 scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { write } for name="sda5" dev="tmpfs" ino=1004 scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for path="/dev/block/sda5" dev="tmpfs" ino=1004 ioctlcmd=0x1268 scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file permissive=1 avc: denied { read } for name="sda7" dev="tmpfs" ino=1199 scontext=u:r:e2fs:s0 tcontext=u:object_r:modem_userdata_block_device:s0 
tclass=blk_file permissive=1 avc: denied { open } for path="/dev/block/sda7" dev="tmpfs" ino=1199 scontext=u:r:e2fs:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { write } for name="sda7" dev="tmpfs" ino=1199 scontext=u:r:e2fs:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1 avc: denied { ioctl } for path="/dev/block/sda7" dev="tmpfs" ino=1199 ioctlcmd=0x1268 scontext=u:r:e2fs:s0 tcontext=u:object_r:modem_userdata_block_device:s0 tclass=blk_file permissive=1
Bug: 361093041
Test: build pass
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0cf7210eb1b5ba1d22fb8dcb59f40cb74b98dd37)
Change-Id: I0d89d360e75335784116a4e4769d0b60699917eb
Signed-off-by: Randall Huang
---
 storage/sepolicy/e2fs.te | 8 ++++++++
 storage/sepolicy/fsck.te | 5 +++++
 2 files changed, 13 insertions(+)
diff --git a/storage/sepolicy/e2fs.te b/storage/sepolicy/e2fs.te
index c280cb7..464b4ce 100644
--- a/storage/sepolicy/e2fs.te
+++ b/storage/sepolicy/e2fs.te
@@ -1 +1,9 @@
+# fix mkfs
 allow e2fs userdata_exp_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te
index 2043199..88efb35 100644
--- a/storage/sepolicy/fsck.te
+++ b/storage/sepolicy/fsck.te
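Review bot: Every `{ ioctl }` denial quoted in the message carries `ioctlcmd=0x1268`, and that command is not in the new `allowxperm` list: BLKSECDISCARD, BLKDISCARD, BLKPBSZGET, BLKDISCARDZEROES and BLKROGET are all different 0x12xx commands, while 0x1268 is BLKSSZGET (_IO(0x12, 104)). Because an allowxperm rule for a source/target/class turns ioctl into an allow-list, e2fs will still be refused the sector-size query on `efs_block_device` and `modem_userdata_block_device` in enforcing mode unless a broader xperm rule elsewhere covers it; `Test: build pass` cannot catch that, so the list should gain `BLKSSZGET` and the change be re-checked on an enforcing build. `persist_block_device` is in the xperm list but receives no `blk_file` rule here and appears in none of the quoted denials; if e2fs gets that access from another file a comment should say so, otherwise it is an ioctl grant on a device e2fs cannot open. The `# fix mkfs` comment now also heads the pre-existing userdata_exp rule; naming the partitions being formatted, e.g. `# mkfs of the EFS and modem userdata partitions`, would be more informative than the symptom.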
@@ -1 +1,6 @@
+# fix fsck
 allow fsck userdata_exp_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
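Review bot: fsck receives `rw_file_perms` (which includes ioctl) on `efs_block_device` and `modem_userdata_block_device` with no `allowxperm` list, whereas the companion e2fs.te hunk restricts the same targets to an explicit ioctl set; unless fsck already has an xperm rule covering these targets elsewhere, this leaves every block ioctl, discard commands included, open to fsck, which is broader than the single `0x1268` (BLKSSZGET) the quoted denials show it using. Mirroring e2fs with `allowxperm fsck { efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSSZGET };`, extended only if enforcing-mode testing shows more, keeps the two domains consistent and least-privilege. The `# fix fsck` comment also now heads the pre-existing userdata_exp rule; stating which partitions fsck is being allowed to check would be more useful than the symptom.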