Snap for 12370120 from 194a58c7bb to 25Q1-release

Change-Id: I31576bdfa801b21e43e2060f68930efdc0440807
2024-09-14 23:01:23 +00:00 · 2024-09-14 23:01:23 +00:00 · ecfc4abba3
commit ecfc4abba3
parent 5b80b21269 194a58c7bb
18 changed files with 217 additions and 1 deletions
--- a/audio/sepolicy/common/hal_audio_default.te
+++ b/audio/sepolicy/common/hal_audio_default.te
@ -1,3 +1,4 @@
+# allow access to folders
 allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
 allow hal_audio_default audio_vendor_data_file:file create_file_perms;

@ -23,6 +24,7 @@ allow hal_audio_default sysfs_aoc_boottime:file r_file_perms;
 allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;

 set_prop(hal_audio_default, vendor_audio_prop);
+set_prop(hal_audio_default, vendor_audio_prop_restricted);

 hal_client_domain(hal_audio_default, hal_health);
 hal_client_domain(hal_audio_default, hal_thermal);
--- a/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
+++ b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
@ -1,3 +1,4 @@
+# Sepolicies for EdgeTPU
 type hal_neuralnetworks_darwinn, domain;
 hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)

@ -62,3 +63,8 @@ get_prop(hal_neuralnetworks_darwinn, vendor_hetero_runtime_prop)
 # Allow DMA Buf access.
 allow hal_neuralnetworks_darwinn dmabuf_system_heap_device:chr_file r_file_perms;

+# Allows the NNAPI HAL to access the graphics_allocator_service.
+# This is required for shared memory buffer allocation.
+# Context:- b/361711471.
+hal_client_domain(hal_neuralnetworks_darwinn, hal_graphics_allocator);
+allow hal_neuralnetworks_darwinn hal_graphics_allocator_service:service_manager find;
--- a/gcam_app/gcam.mk
+++ b/gcam_app/gcam.mk
@ -0,0 +1,8 @@
+# vendor
+BOARD_SEPOLICY_DIRS += device/google/gs-common/gcam_app/sepolicy/vendor
+
+# product
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/gcam_app/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/gcam_app/sepolicy//product/private
+
+PRODUCT_PACKAGES += GoogleCamera
--- a/gcam_app/sepolicy/product/private/debug_camera_app.te
+++ b/gcam_app/sepolicy/product/private/debug_camera_app.te
@ -0,0 +1,29 @@
+# GCANext and GCAEng.
+# b/363018500
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+	app_domain(debug_camera_app)
+	net_domain(debug_camera_app)
+
+	allow debug_camera_app activity_service:service_manager find;
+	allow debug_camera_app activity_task_service:service_manager find;
+	allow debug_camera_app audioserver_service:service_manager find;
+	allow debug_camera_app batterystats_service:service_manager find;
+	allow debug_camera_app cameraserver_service:service_manager find;
+	allow debug_camera_app device_policy_service:service_manager find;
+	allow debug_camera_app device_state_service:service_manager find;
+	allow debug_camera_app gpu_service:service_manager find;
+	allow debug_camera_app mediaextractor_service:service_manager find;
+	allow debug_camera_app mediametrics_service:service_manager find;
+	allow debug_camera_app mediaserver_service:service_manager find;
+	allow debug_camera_app powerstats_service:service_manager find;
+	allow debug_camera_app sensorservice_service:service_manager find;
+	allow debug_camera_app thermal_service:service_manager find;
+	allow debug_camera_app trust_service:service_manager find;
+	allow debug_camera_app vibrator_manager_service:service_manager find;
+	allow debug_camera_app virtual_device_native_service:service_manager find;
+
+	# Allows GCA_Eng & GCA-Next to access the PowerHAL.
+	hal_client_domain(debug_camera_app, hal_power)
+')
--- a/gcam_app/sepolicy/product/private/google_camera_app.te
+++ b/gcam_app/sepolicy/product/private/google_camera_app.te
@ -0,0 +1,17 @@
+# GCARelease and GCADogfood.
+typeattribute google_camera_app coredomain;
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+#allow google_camera_app app_api_service:service_manager find;
+#allow google_camera_app audioserver_service:service_manager find;
+#allow google_camera_app cameraserver_service:service_manager find;
+#allow google_camera_app mediaextractor_service:service_manager find;
+#allow google_camera_app mediametrics_service:service_manager find;
+#allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
--- a/gcam_app/sepolicy/product/private/seapp_contexts
+++ b/gcam_app/sepolicy/product/private/seapp_contexts
@ -0,0 +1,12 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
+
--- a/gcam_app/sepolicy/product/public/debug_camera_app.te
+++ b/gcam_app/sepolicy/product/public/debug_camera_app.te
@ -0,0 +1,2 @@
+# GCA-Eng and GCA-Next
+type debug_camera_app, domain;
--- a/gcam_app/sepolicy/product/public/google_camera_app.te
+++ b/gcam_app/sepolicy/product/public/google_camera_app.te
@ -0,0 +1,2 @@
+# GCA-Release and GCA-Dogfood
+type google_camera_app, domain;
--- a/gcam_app/sepolicy/vendor/certs/app.x509.pem
+++ b/gcam_app/sepolicy/vendor/certs/app.x509.pem
@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD
+VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g
+VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE
+AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
+Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G
+A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p
+ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI
+hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR
+24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy
+xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X
+W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC
+69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA
+cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw
+HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c
+xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE
+CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH
+QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG
+CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP
+zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla
+XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a
+IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a
+ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW
+Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs=
+-----END CERTIFICATE-----
--- a/gcam_app/sepolicy/vendor/certs/camera_eng.x509.pem
+++ b/gcam_app/sepolicy/vendor/certs/camera_eng.x509.pem
@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw
+NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO
+OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb
+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg
+UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX
+TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj
+rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
+TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK
+pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY
+DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG
+ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4
+rscXTxYEf4Tqovc=
+-----END CERTIFICATE-----
--- a/gcam_app/sepolicy/vendor/certs/camera_fishfood.x509.pem
+++ b/gcam_app/sepolicy/vendor/certs/camera_fishfood.x509.pem
@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n
+bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w
+HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv
+b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93
+bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/
+jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B
+IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe
+tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td
+0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg
+Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b
+aIOMFB0Km9HbEZHLKg33kOoMsS2zpA==
+-----END CERTIFICATE-----
--- a/gcam_app/sepolicy/vendor/debug_camera_app.te
+++ b/gcam_app/sepolicy/vendor/debug_camera_app.te
@ -0,0 +1,16 @@
+# GCANext and GCAEng.
+userdebug_or_eng(`
+    # Allows GCA-Eng & GCA-Next access the GXP device and properties.
+    allow debug_camera_app gxp_device:chr_file rw_file_perms;
+    get_prop(debug_camera_app, vendor_gxp_prop)
+
+    # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
+    allow debug_camera_app edgetpu_app_service:service_manager find;
+    allow debug_camera_app edgetpu_device:chr_file { read write ioctl };
+    # Cannot find avc evidence for below.
+    # allow debug_camera_app edgetpu_device:chr_file { getattr map };
+
+    # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
+    # allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
+')
+
--- a/gcam_app/sepolicy/vendor/google_camera_app.te
+++ b/gcam_app/sepolicy/vendor/google_camera_app.te
@ -0,0 +1,13 @@
+# GCARelease and GCADogfood.
+
+# Allows GCA to acccess the GXP device & properties.
+#allow google_camera_app gxp_device:chr_file rw_file_perms;
+get_prop(google_camera_app, vendor_gxp_prop)
+
+# Allows GCA to find and access the EdgeTPU.
+#allow google_camera_app edgetpu_app_service:service_manager find;
+#allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows GCA to access the hw_jpeg /dev/video12.
+#allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
+
--- a/gcam_app/sepolicy/vendor/keys.conf
+++ b/gcam_app/sepolicy/vendor/keys.conf
@ -0,0 +1,8 @@
+[@GOOGLE]
+ALL : device/google/gs-common/gcam_app/sepolicy/vendor/certs/app.x509.pem
+
+[@CAMERAENG]
+ALL : device/google/gs-common/gcam_app/sepolicy/vendor/certs/camera_eng.x509.pem
+
+[@CAMERAFISHFOOD]
+ALL : device/google/gs-common/gcam_app/sepolicy/vendor/certs/camera_fishfood.x509.pem
--- a/gcam_app/sepolicy/vendor/mac_permissions.xml
+++ b/gcam_app/sepolicy/vendor/mac_permissions.xml
@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <!-- google apps key -->
+    <signer signature="@GOOGLE" >
+      <seinfo value="google" />
+    </signer>
+    <signer signature="@CAMERAENG" >
+      <seinfo value="CameraEng" />
+    </signer>
+    <signer signature="@CAMERAFISHFOOD" >
+      <seinfo value="CameraFishFood" />
+    </signer>
+
+</policy>
--- a/modem/shared_modem_platform/compatibility_matrix.xml
+++ b/modem/shared_modem_platform/compatibility_matrix.xml
@ -2,7 +2,7 @@
    <!-- Optional since older devices will not register any services. -->
    <hal format="aidl" optional="true">
        <name>com.google.pixel.shared_modem_platform</name>
-        <version>2</version>
+        <version>3</version>
        <interface>
            <name>ISharedModemPlatform</name>
            <instance>default</instance>
--- a/storage/sepolicy/fsck.te
+++ b/storage/sepolicy/fsck.te
@ -4,4 +4,5 @@ allow fsck efs_block_device:blk_file rw_file_perms;
 allow fsck modem_userdata_block_device:blk_file rw_file_perms;
 allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
 allow fsck sysfs_scsi_devices_0000:file r_file_perms;
+allow fsck persist_block_device:blk_file rw_file_perms;

--- a/storage/sepolicy/recovery.te
+++ b/storage/sepolicy/recovery.te
@ -0,0 +1,7 @@
+# factory data reset
+recovery_only(`
+  allow recovery sysfs_ota:file rw_file_perms;
+  allow recovery sysfs_scsi_devices_0000:file r_file_perms;
+  allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
+')
+