From 0c429efc07e21a3de6e08fc68d47f75eac53ec9c Mon Sep 17 00:00:00 2001
From: Victor Liu
Date: Wed, 7 Jul 2021 12:13:48 -0700
Subject: [PATCH 01/11] uwb: allow uwb to access the radio service
07-07 18:28:28.391 409 409 E SELinux : avc: denied { find } for pid=4609 uid=1083 name=isub scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=0
Bug: 192833779
Test: on device, no avc denied message
Change-Id: I4a6b778dce6f493093d3a05683473bb60e9cfa5c
---
 whitechapel/vendor/google/uwb_vendor_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te
index e0a9ebc9..b9e27426 100644
--- a/whitechapel/vendor/google/uwb_vendor_app.te
+++ b/whitechapel/vendor/google/uwb_vendor_app.te
@@ -10,6 +10,7 @@ hal_client_domain(uwb_vendor_app, hal_uwb)
 allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app hal_uwb_service:service_manager find;
 allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
 allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
 allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
From 39b5815a1e5fb53d90b73a70da00c34974323917 Mon Sep 17 00:00:00 2001
From: Victor Liu
Date: Thu, 12 Aug 2021 14:53:10 -0700
Subject: [PATCH 02/11] allow uwb hal sys_nice access
hardware.qorvo.: type=1400 audit(0.0:9): avc: denied { sys_nice } for capability=23 scontext=u:r:hal_uwb_default:s0 tcontext=u:r:hal_uwb_default:s0 tclass=capability permissive=0
hardware.qorvo.: type=1400 audit(0.0:9): avc: denied { setsched } for scontext=u:r:hal_uwb_default:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0
Bug: 196438549
Signed-off-by: Victor Liu
Change-Id: I742bae701cfcc7b4842cd63abbc8c275d82c8ba1
---
 whitechapel/vendor/google/uwb_vendor_app.te | 3 +++
 1 file changed, 3 insertions(+)
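Review bot: `allow uwb_vendor_app radio_service:service_manager find;` grants find on every service carrying the radio_service label, which is shared by several telephony services, not only the `isub` lookup shown in the denial quoted in the description. No finer-grained type is visible in this series, so the intent should at least be recorded beside the rule, e.g. `# isub (subscription) lookup, b/192833779`. Without that, the next reader cannot tell whether the app needs one service or the whole telephony surface.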
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te
index b9e27426..ed53fd00 100644
--- a/whitechapel/vendor/google/uwb_vendor_app.te
+++ b/whitechapel/vendor/google/uwb_vendor_app.te
@@ -15,5 +15,8 @@ allow uwb_vendor_app radio_service:service_manager find;
 allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
 allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+allow hal_uwb_default self:global_capability_class_set { sys_nice };
+allow hal_uwb_default kernel:process { setsched };
+
 binder_call(uwb_vendor_app, hal_uwb_default)
 ')
From 6e887cf3a05a4a13d92cb260e8f20fad1be23cfe Mon Sep 17 00:00:00 2001
From: Lucas Dupin
Date: Wed, 11 Aug 2021 19:57:41 -0700
Subject: [PATCH 03/11] Allow boot color propagation
Allows SystemUI to write the boot color sysprop
Test: manual
Bug: 190093578
Change-Id: I844a4dae87fe09a09ff3368c540ffab5f745d455
(cherry picked from commit 8a586e678656b6359220ef208fc237ccf3823e2c)
---
 system_ext/private/platform_app.te | 2 ++
 system_ext/private/property_contexts | 6 ++++++
 2 files changed, 8 insertions(+)
 create mode 100644 system_ext/private/platform_app.te
diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te
new file mode 100644
index 00000000..10d6bba9
--- /dev/null
+++ b/system_ext/private/platform_app.te
@@ -0,0 +1,2 @@
+# allow systemui to set boot animation colors
+set_prop(platform_app, bootanim_system_prop);
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index 9f462bda..9cf97280 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
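Review bot: The two new `allow hal_uwb_default …` rules are placed in uwb_vendor_app.te, inside the app's `not_recovery(` block, although they govern the HAL domain; they belong in hal_uwb_default.te beside that domain's other rules, and patch 06 of this series already has to rewrite them here as a side effect of the rename. `kernel:process { setsched }` lets the HAL change the scheduling of kernel threads, which is more than raising its own priority, so the rule should say which thread it adjusts and why, e.g. `# hal_uwb_default: <thread re-prioritised and reason> (b/196438549)`. If the setsched is only a best-effort priority bump that the HAL tolerates failing, a `dontaudit` would be the safer choice.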
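Review bot: The comment `# allow systemui to set boot animation colors` is narrower than the rule beneath it: `set_prop(platform_app, bootanim_system_prop);` applies to every app in the platform_app domain and to every property of type bootanim_system_prop, not only SystemUI and the four `persist.bootanim.color*` keys added in property_contexts. If no SystemUI-specific domain is available, the comment should state the actual scope, e.g. `# SystemUI runs as platform_app; this lets all platform_app apps set bootanim_system_prop`. The trailing `;` after the macro call is also inconsistent with the other macro invocations in this series (e.g. `set_prop(hal_nfc_default, vendor_modem_prop)`), though `binder_call(gpsd, system_server);` shows the tree tolerates it.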
@@ -1,2 +1,8 @@
 # Fingerprint (UDFPS) GHBM/LHBM toggle
 persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
+
+# Boot animation dynamic colors
+persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
From c0922582bc6033ef2f37169b68141bc591f09986 Mon Sep 17 00:00:00 2001
From: davidycchen
Date: Tue, 15 Jun 2021 16:06:33 +0800
Subject: [PATCH 04/11] Allow twoshay to access fwk_stats_service and system_server
avc: denied { find } for pid=813 uid=0 name=android.frameworks.stats.IStats/default scontext=u:r:twoshay:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:twoshay:s0 tcontext=u:r:system_server:s0 tclass=binder
Bug: 179334953
Test: Make selinux_policy and push related files to the device.
Signed-off-by: davidycchen
Change-Id: Ib95debbc9ce10919c5f935e8f70b340bb293b54a
Merged-In: Ib95debbc9ce10919c5f935e8f70b340bb293b54a
---
 whitechapel/vendor/google/twoshay.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te
index 92b517a1..fafd0642 100644
--- a/whitechapel/vendor/google/twoshay.te
+++ b/whitechapel/vendor/google/twoshay.te
@@ -11,3 +11,6 @@ add_service(twoshay, touch_context_service)
 # b/193224954
 dontaudit twoshay twoshay:capability dac_override;
+
+allow twoshay fwk_stats_service:service_manager find;
+binder_call(twoshay, stats_service_server)
From 29aa9816231281ca4c50f6ed0ff9428bcbd19bc1 Mon Sep 17 00:00:00 2001
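Review bot: The two added twoshay rules carry no comment, unlike the `# b/193224954` line just above them, so the reason twoshay talks to the stats service is lost; suggest `# Report metrics through android.frameworks.stats.IStats (b/179334953)` above `allow twoshay fwk_stats_service:service_manager find;`. Using `binder_call(twoshay, stats_service_server)` rather than the `system_server` named in the denial is appropriately narrow and worth keeping.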
From: Victor Liu
Date: Wed, 18 Aug 2021 17:01:45 -0700
Subject: [PATCH 05/11] uwb: permissions for factory uwb calibration file
add permission to: copy factory uwb calib files from persist to /data/vendor/uwb convert copied file to proper format for uwb stack to consume
Bug: 195659525
Signed-off-by: Victor Liu
Change-Id: I3e5282477fd391b483e03242ce0b806bd447dc54
Merged-In: I3e5282477fd391b483e03242ce0b806bd447dc54
---
 whitechapel/vendor/google/file.te | 2 ++
 whitechapel/vendor/google/file_contexts | 3 +++
 whitechapel/vendor/google/hal_nfc_default.te | 4 ++++
 whitechapel/vendor/google/hal_uwb_default.te | 3 +++
 whitechapel/vendor/google/vendor_uwb_init.te | 10 ++++++++++
 5 files changed, 22 insertions(+)
 create mode 100644 whitechapel/vendor/google/vendor_uwb_init.te
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index b8c22e12..9b4c95b4 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -185,6 +185,8 @@ type sysfs_video, sysfs_type, fs_type;
 # UWB vendor
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type persist_uwb_file, file_type, vendor_persist_type;
+type uwb_data_vendor, file_type, data_file_type;
 # PixelStats_vendor
 type sysfs_pixelstats, fs_type, sysfs_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 11445e44..fdbd87e1 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -349,6 +349,9 @@
 # Uwb
 # R4
 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0
+/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
+/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
+/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
 # RILD files
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
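Review bot: The new type name `uwb_data_vendor` drops the `_file` suffix that the neighbouring types use (`uwb_vendor_data_file` on the line above and the `persist_uwb_file` added with it) and is the existing `uwb_vendor_data_file` with its words reordered, which makes the app-data type and the /data/vendor/uwb type easy to confuse in every rule that follows. A `_file`-suffixed name that differs by more than word order would be clearer, and a comment on each line saying what it labels, e.g. `# /mnt/vendor/persist/uwb: factory UWB calibration` and `# /data/vendor/uwb: converted calibration consumed by the UWB stack`, would help. The rename touches file_contexts, hal_nfc_default.te, hal_uwb_default.te and vendor_uwb_init.te within this same patch, so it is cheapest done now.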
diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te
index f98e78c6..b6477925 100644
--- a/whitechapel/vendor/google/hal_nfc_default.te
+++ b/whitechapel/vendor/google/hal_nfc_default.te
@@ -7,3 +7,7 @@ set_prop(hal_nfc_default, vendor_secure_element_prop)
 # Modem property
 set_prop(hal_nfc_default, vendor_modem_prop)
+# Access uwb cal for SecureRanging Applet
+allow hal_nfc_default uwb_data_vendor:dir r_dir_perms;
+allow hal_nfc_default uwb_data_vendor:file r_file_perms;
+
diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te
index 2d513b61..8165dc21 100644
--- a/whitechapel/vendor/google/hal_uwb_default.te
+++ b/whitechapel/vendor/google/hal_uwb_default.te
@@ -6,3 +6,6 @@ add_service(hal_uwb_default, hal_uwb_service)
 hal_server_domain(hal_uwb_default, hal_uwb)
 binder_call(hal_uwb_default, uwb_vendor_app)
+
+allow hal_uwb_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_default uwb_data_vendor:file create_file_perms;
diff --git a/whitechapel/vendor/google/vendor_uwb_init.te b/whitechapel/vendor/google/vendor_uwb_init.te
new file mode 100644
index 00000000..716af19c
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_uwb_init.te
@@ -0,0 +1,10 @@
+type vendor_uwb_init, domain;
+type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_uwb_init)
+
+allow vendor_uwb_init vendor_shell_exec:file rx_file_perms;
+allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms;
+
+allow vendor_uwb_init uwb_data_vendor:file create_file_perms;
+allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;
From a3f040d2acc254db2b80ab36e5d48a12e1607c07 Mon Sep 17 00:00:00 2001
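Review bot: vendor_uwb_init is granted write access to uwb_data_vendor, but nothing in this patch lets it read what it copies: there is no rule on `persist_uwb_file` (the label this patch gives /mnt/vendor/persist/uwb) and no `mnt_vendor_file:dir search`, so the copy from persist described in the commit message would be denied unless those permissions come from a macro or file outside the series. The minimal addition is `allow vendor_uwb_init mnt_vendor_file:dir search;`, `allow vendor_uwb_init persist_uwb_file:dir r_dir_perms;` and `allow vendor_uwb_init persist_uwb_file:file r_file_perms;`. A header comment naming the script this domain confines, e.g. `# /vendor/bin/init.uwb.calib.sh: copies and converts factory UWB calibration`, would also make the shell/toolbox exec rules self-explanatory.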
From: Roshan Pius
Date: Mon, 23 Aug 2021 08:55:07 -0700
Subject: [PATCH 06/11] gs101-sepolicy: Rename hal_uwb -> hal_uwb_vendor
Since we are now creating an AOSP HAL for uwb. Rename qorvo's internal HAL to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules.
Bug: 195308730
Test: Compiles
Change-Id: Ief48eacde68b062b2199b20c0c1bb3af23795240
Merged-In: Ief48eacde68b062b2199b20c0c1bb3af23795240
---
 whitechapel/vendor/google/dumpstate.te | 2 +-
 whitechapel/vendor/google/file_contexts | 2 +-
 whitechapel/vendor/google/hal_uwb.te | 15 ---------------
 whitechapel/vendor/google/hal_uwb_default.te | 11 -----------
 whitechapel/vendor/google/hal_uwb_vendor.te | 15 +++++++++++++++
 .../vendor/google/hal_uwb_vendor_default.te | 11 +++++++++++
 whitechapel/vendor/google/service.te | 2 +-
 whitechapel/vendor/google/service_contexts | 2 +-
 whitechapel/vendor/google/uwb_vendor_app.te | 10 +++++-----
 9 files changed, 35 insertions(+), 35 deletions(-)
 delete mode 100644 whitechapel/vendor/google/hal_uwb.te
 delete mode 100644 whitechapel/vendor/google/hal_uwb_default.te
 create mode 100644 whitechapel/vendor/google/hal_uwb_vendor.te
 create mode 100644 whitechapel/vendor/google/hal_uwb_vendor_default.te
diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te
index d4dd87b0..cdf6e8ef 100644
--- a/whitechapel/vendor/google/dumpstate.te
+++ b/whitechapel/vendor/google/dumpstate.te
@@ -1,6 +1,6 @@
 dump_hal(hal_telephony)
 dump_hal(hal_graphics_composer)
-dump_hal(hal_uwb)
+dump_hal(hal_uwb_vendor)
 userdebug_or_eng(`
 allow dumpstate media_rw_data_file:file append;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index fdbd87e1..581e4154 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -348,7 +348,7 @@
 # Uwb
 # R4
-/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0
+/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
diff --git a/whitechapel/vendor/google/hal_uwb.te b/whitechapel/vendor/google/hal_uwb.te
deleted file mode 100644
index d0995686..00000000
--- a/whitechapel/vendor/google/hal_uwb.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_uwb_client, hal_uwb_server)
-binder_call(hal_uwb_server, hal_uwb_client)
-
-hal_attribute_service(hal_uwb, hal_uwb_service)
-
-binder_call(hal_uwb_server, servicemanager)
-
-# allow hal_uwb to set wpan interfaces up and down
-allow hal_uwb self:udp_socket create_socket_perms;
-allowxperm hal_uwb self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
-allow hal_uwb self:global_capability_class_set { net_admin };
-
-# allow hal_uwb to speak to nl802154 in the kernel
-allow hal_uwb self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te
deleted file mode 100644
index 8165dc21..00000000
--- a/whitechapel/vendor/google/hal_uwb_default.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_uwb_default, domain;
-type hal_uwb_default_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_uwb_default)
-
-add_service(hal_uwb_default, hal_uwb_service)
-
-hal_server_domain(hal_uwb_default, hal_uwb)
-binder_call(hal_uwb_default, uwb_vendor_app)
-
-allow hal_uwb_default uwb_data_vendor:dir create_dir_perms;
-allow hal_uwb_default uwb_data_vendor:file create_file_perms;
diff --git a/whitechapel/vendor/google/hal_uwb_vendor.te b/whitechapel/vendor/google/hal_uwb_vendor.te
new file mode 100644
index 00000000..ccfc1705
--- /dev/null
+++ b/whitechapel/vendor/google/hal_uwb_vendor.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server
+binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
+binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
+
+hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
+
+binder_call(hal_uwb_vendor_server, servicemanager)
+
+# allow hal_uwb_vendor to set wpan interfaces up and down
+allow hal_uwb_vendor self:udp_socket create_socket_perms;
+allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+allow hal_uwb_vendor self:global_capability_class_set { net_admin };
+
+# allow hal_uwb_vendor to speak to nl802154 in the kernel
+allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..93616874
--- /dev/null
+++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te
@@ -0,0 +1,11 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_vendor_default)
+
+add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
+binder_call(hal_uwb_vendor_default, uwb_vendor_app)
+
+allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index 99e99483..357dffe4 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,4 +1,4 @@
 type hal_pixel_display_service, service_manager_type, vendor_service;
 type uwb_vendor_service, service_manager_type, vendor_service;
 type touch_context_service, service_manager_type, vendor_service;
-type hal_uwb_service, service_manager_type, vendor_service;
+type hal_uwb_vendor_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 687f8cc8..6fb9de1f 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,4 +1,4 @@
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
 uwb_vendor u:object_r:uwb_vendor_service:s0
-hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0
+hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te
index ed53fd00..675ecdb6 100644
--- a/whitechapel/vendor/google/uwb_vendor_app.te
+++ b/whitechapel/vendor/google/uwb_vendor_app.te
@@ -5,18 +5,18 @@ app_domain(uwb_vendor_app)
 add_service(uwb_vendor_app, uwb_vendor_service)
 not_recovery(`
-hal_client_domain(uwb_vendor_app, hal_uwb)
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
 allow uwb_vendor_app app_api_service:service_manager find;
-allow uwb_vendor_app hal_uwb_service:service_manager find;
+allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
 allow uwb_vendor_app nfc_service:service_manager find;
 allow uwb_vendor_app radio_service:service_manager find;
 allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
 allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
-allow hal_uwb_default self:global_capability_class_set { sys_nice };
-allow hal_uwb_default kernel:process { setsched };
+allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice };
+allow hal_uwb_vendor_default kernel:process { setsched };
-binder_call(uwb_vendor_app, hal_uwb_default)
+binder_call(uwb_vendor_app, hal_uwb_vendor_default)
 ')
From c8651e514ca7a6cb77218fb4a1aa39871f1d3c6a Mon Sep 17 00:00:00 2001
From: Jenny Ho
Date: Thu, 12 Aug 2021 23:26:43 +0800
Subject: [PATCH 07/11] sepolicy: add rule for new debug file node
W dumpstate@1.1-s: type=1400 audit(0.0:7): avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=500 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0
Bug: 196755019
Signed-off-by: Jenny Ho
Merged-In: I0ddf68d5e15fe8d77d8d61287f65621c14024f46
Change-Id: I0ddf68d5e15fe8d77d8d61287f65621c14024f46
---
 whitechapel/vendor/google/file_contexts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index fdbd87e1..bc03a78e 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -111,6 +111,10 @@
 /dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0
 /dev/logbuffer_cpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
+
 # DM tools device
 /dev/umts_dm0 u:object_r:radio_device:s0
 /dev/umts_router u:object_r:radio_device:s0
From b92bc5f51c389d4e29ab45e2277440f05deb0095 Mon Sep 17 00:00:00 2001
From: Max Kogan
Date: Thu, 23 Sep 2021 17:45:35 -0700
Subject: [PATCH 08/11] sepolicy: gs101: allow dumpstate to access AoC stats
Add AoC DRAM votes to bugreports.
Bug: 198203507
Change-Id: I77addf15709fceb70514d552b9fa8553cb129a7c
---
 whitechapel/vendor/google/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index b9a6a60f..2d34d993 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -14,6 +14,7 @@ genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:ob
 genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0
 # WiFi
 genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
From 2a4bce5b315fa60300d4fcffbd472e7af7f82564 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Thu, 16 Sep 2021 15:04:20 -0700
Subject: [PATCH 09/11] power_hal: add bcl file permission
Bug: 201002339
Test: Local test and ensure proper ratio written via PowerHAL
Signed-off-by: George Lee
Change-Id: Ib0a3a5401312403ce870b9c4a4ca971f05c253e4
---
 whitechapel/vendor/google/genfs_contexts | 8 +++++++-
 whitechapel/vendor/google/hal_power_default.te | 2 ++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index b9a6a60f..d47c3dc2 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -149,7 +149,13 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
 # bcl sysfs files
-genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/gpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/cpu2_heavy_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/cpu2_light_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_light_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/gpu_light_clk_ratio u:object_r:sysfs_bcl:s0
 # Chosen
 genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te
index cc5fe8ff..a04e40a1 100644
--- a/whitechapel/vendor/google/hal_power_default.te
+++ b/whitechapel/vendor/google/hal_power_default.te
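Review bot: The six `clock_ratio/*` entries assign the same `sysfs_bcl` label that the parent `/devices/virtual/pmic/mitigation` entry two lines above already gives that subtree; genfscon matches by longest prefix, so these lines change nothing unless an intermediate path is labelled differently somewhere not shown. If they are meant to document which nodes PowerHAL writes, say so with a comment such as `# clock_ratio nodes written by PowerHAL (b/201002339)`; otherwise they can be dropped. The `-`/`+` pair for the parent entry itself appears to differ only in whitespace.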
@@ -12,6 +12,8 @@ allow hal_power_default thermal_link_device:dir r_dir_perms;
 allow hal_power_default sysfs_thermal:dir r_dir_perms;
 allow hal_power_default sysfs_thermal:file rw_file_perms;
 allow hal_power_default sysfs_thermal:lnk_file r_file_perms;
+allow hal_power_default sysfs_bcl:dir r_dir_perms;
+allow hal_power_default sysfs_bcl:file rw_file_perms;
 set_prop(hal_power_default, vendor_camera_prop)
 set_prop(hal_power_default, vendor_camera_debug_prop)
 set_prop(hal_power_default, vendor_camera_fatp_prop)
From 4d6a7023e1abfe50b6f97b8abd078796e57e90bd Mon Sep 17 00:00:00 2001
From: Edwin Tung
Date: Tue, 22 Jun 2021 14:01:09 +0800
Subject: [PATCH 10/11] gps: add sepolicy to allow gps access pps gpio
Bug: 175086879
Test: no avc deny
Change-Id: I960940d7223c25732021ff4d92ae72255c044291
---
 whitechapel/vendor/google/file.te | 1 +
 whitechapel/vendor/google/genfs_contexts | 1 +
 whitechapel/vendor/google/gpsd.te | 3 +++
 3 files changed, 5 insertions(+)
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 9b4c95b4..e2baeca6 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -139,6 +139,7 @@ userdebug_or_eng(`
 typeattribute vendor_gps_file mlstrustedobject;
 ')
 type sysfs_gps, sysfs_type, fs_type;
+type sysfs_gps_assert, sysfs_type, fs_type;
 # Display
 type sysfs_display, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index b9a6a60f..e4871882 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -108,6 +108,7 @@ genfscon sysfs /devices/virtual/sec/tsp
 # GPS
 genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
+genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0
 # Display
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
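Review bot: `allow hal_power_default sysfs_bcl:file rw_file_perms;` grants write on every node labelled sysfs_bcl, i.e. the whole `/devices/virtual/pmic/mitigation` tree, while the commit only needs the clock-ratio values written. If the rest of that tree should stay read-only for the HAL, give the `clock_ratio` directory its own type in genfs_contexts and grant rw only there, keeping sysfs_bcl at r_file_perms. At minimum a comment above the two new lines should say what is written, e.g. `# PowerHAL writes bcl clock ratios (b/201002339)`.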
diff --git a/whitechapel/vendor/google/gpsd.te b/whitechapel/vendor/google/gpsd.te
index 64591cba..791a02e4 100644
--- a/whitechapel/vendor/google/gpsd.te
+++ b/whitechapel/vendor/google/gpsd.te
@@ -23,3 +23,6 @@ allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
 # Allow gpsd to access sensor service
 binder_call(gpsd, system_server);
 allow gpsd fwk_sensor_hwservice:hwservice_manager find;
+
+# Allow gpsd to access pps gpio
+allow gpsd sysfs_gps_assert:file r_file_perms;
From 24693cd264337394d086239eea27ed67eb59a8c6 Mon Sep 17 00:00:00 2001
From: Alfred Lin
Date: Fri, 8 Oct 2021 07:38:26 +0000
Subject: [PATCH 11/11] [Display] Add SELinux policy for hal_graphics_composer_default
Add SELinux policy for hal_graphics_composer_default to find persist_display_file
Bug: 202487234
Test: device boot will not find avc denied log as "avc: denied { search } for name="display" dev="sda1" ino=21 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:persist_display_file:s0 tclass=dir permissive=0"
Change-Id: I8fc386cb18397911404e1f2803601711e40edead
---
 display/gs101/hal_graphics_composer_default.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te
index 0b4c26e8..1bea8b50 100644
--- a/display/gs101/hal_graphics_composer_default.te
+++ b/display/gs101/hal_graphics_composer_default.te
@@ -16,6 +16,7 @@ userdebug_or_eng(`
 allow hal_graphics_composer_default mnt_vendor_file:dir search;
 allow hal_graphics_composer_default persist_file:dir search;
 allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:dir search;
 # allow HWC to r/w backlight
 allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
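Review bot: The comment `# Allow gpsd to access pps gpio` does not match the rule under it: `sysfs_gps_assert` labels `/devices/virtual/pps/pps0/assert_elapsed` (see the genfs_contexts hunk of this patch), a PPS assert timestamp attribute rather than a GPIO. Suggest `# Allow gpsd to read the PPS assert timestamp (sysfs_gps_assert)`. Reading the node also needs search on the parent sysfs directories; gpsd presumably has that already, but it is not visible here.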
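Review bot: The hunk header names `userdebug_or_eng(\`` as the nearest enclosing construct; if the new `persist_display_file:dir search` line and the three `search` rules above it are still inside that block, the permission exists only on userdebug/eng builds and the denial quoted in the description will persist on user builds. Whether the block closes before line 16 is outside the hunk, so this needs confirming. A short comment would also help, e.g. `# HWC needs dir search to reach persist_display_file (b/202487234)`.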