From a920c3e87541c198e8245d3aba3a0ead5300205d Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Fri, 13 Dec 2024 14:34:57 +0800
Subject: [PATCH 01/14] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Flag: EXEMPT sepolicy
Bug: 383949055
Change-Id: Ibb64328a31a16fb930f459a6c4f299b40ce2af92
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 2574e7cf..e1cab32f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -47,4 +47,5 @@ vendor_init default_prop property_service b/366115458
 vendor_init default_prop property_service b/366116214
 vendor_init default_prop property_service b/369735133
 vendor_init default_prop property_service b/369735170
+zygote aconfig_storage_metadata_file dir b/383949055
 zygote zygote capability b/379591519

From 5c7033096b762fb3322c1c8c34f783c78afad928 Mon Sep 17 00:00:00 2001
From: timmyli
Date: Mon, 16 Dec 2024 06:50:39 +0000
Subject: [PATCH 02/14] Remove hal_camera_default aconfig_storage_metadata_file from bugmap

Bug: 383013727
Test: compiles
Flag: EXEMPT refactor
Change-Id: I67c8f502e590297a1720ffb64d2c402a23ad7806
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index e1cab32f..04900a68 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -6,7 +6,6 @@ chre vendor_data_file dir b/301948771
 dump_display sysfs file b/340722772
 dump_modem sscoredump_vendor_data_coredump_file dir b/366115873
 dump_modem sscoredump_vendor_data_logcat_file dir b/366115873
-hal_camera_default aconfig_storage_metadata_file dir b/383013727
 hal_power_default hal_power_default capability b/240632824
 hal_sensors_default sysfs file b/340723303
 incidentd debugfs_wakeup_sources file b/282626428

From 99e1afe75d5b638c7e18905f80b09836dd7a39c6 Mon Sep 17 00:00:00 2001
From: Timmy Li
Date: Mon, 16 Dec 2024 16:34:50 -0800
Subject: [PATCH 03/14] Revert "Remove hal_camera_default aconfig_storage_metadata_file ..."

Revert submission 30930671-hal_camera_default_ aconfig_storage_metadata_file2
Reason for revert: b/384580942
Reverted changes: /q/submissionid:30930671-hal_camera_default_+aconfig_storage_metadata_file2
Change-Id: Ic505a8cdb84c48dd622e51ba0193ae1a4141784c
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 04900a68..e1cab32f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -6,6 +6,7 @@ chre vendor_data_file dir b/301948771
 dump_display sysfs file b/340722772
 dump_modem sscoredump_vendor_data_coredump_file dir b/366115873
 dump_modem sscoredump_vendor_data_logcat_file dir b/366115873
+hal_camera_default aconfig_storage_metadata_file dir b/383013727
 hal_power_default hal_power_default capability b/240632824
 hal_sensors_default sysfs file b/340723303
 incidentd debugfs_wakeup_sources file b/282626428

From efcb01f9a301988ee29fd2a55a1b67f962080483 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Wed, 25 Dec 2024 11:14:29 +0800
Subject: [PATCH 04/14] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 385977809
Flag: EXEMPT bugfix
Change-Id: I0882cc3e0cbb2fa3761811f1492158e1ca62eb9d
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index e1cab32f..b3373b51 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -25,6 +25,7 @@ priv_app audio_config_prop file b/379226710
 priv_app audio_config_prop file b/379246066
 radio audio_config_prop file b/379227275
 ramdump ramdump capability b/369538457
+ramdump_app privapp_data_file lnk_file b/385977809
 rfsd vendor_cbd_prop file b/317734418
 shell sysfs_net file b/329380904
 ssr_detector_app default_prop file b/350831964
From 5dbf8b9836efc121aea96e2ee1ada089e3fb9d41 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Thu, 26 Dec 2024 08:27:37 +0000
Subject: [PATCH 05/14] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 386149238
Flag: EXEMPT update sepolicy
Change-Id: I903a71b445af846a3fc290c572c9a7faba1a0e47
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index b3373b51..cd2c30da 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -25,6 +25,7 @@ priv_app audio_config_prop file b/379226710
 priv_app audio_config_prop file b/379246066
 radio audio_config_prop file b/379227275
 ramdump ramdump capability b/369538457
+ramdump_app default_prop file b/386149238
 ramdump_app privapp_data_file lnk_file b/385977809
 rfsd vendor_cbd_prop file b/317734418
 shell sysfs_net file b/329380904

From b807c761ffd89ed66e28f91167de5cb3c4f5a0ea Mon Sep 17 00:00:00 2001
From: YiKai Peng
Date: Thu, 19 Dec 2024 22:24:43 -0800
Subject: [PATCH 06/14] sepolicy: gs101: add genfscon wireless into sysfs_batteryinfo

Bug: 377264254
Flag: EXEMPT bugfix
Test: ABTD
Change-Id: Iaaa20ac86422fe4052c9f4c263a23b06a9a5bcf3
Signed-off-by: YiKai Peng
---
 whitechapel/vendor/google/genfs_contexts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 2a0642d1..6813a393 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -33,6 +33,10 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock
 genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0
+
 # Slider
 genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0
 genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-0/0-003c/power_supply u:object_r:sysfs_batteryinfo:s0

From 276946c2654a3e2d7b29f63ed59f5f9388ea5b4d Mon Sep 17 00:00:00 2001
From: chenkris
Date: Fri, 3 Jan 2025 04:29:02 +0000
Subject: [PATCH 07/14] whi: Add selinux permission for fth

Fix the following avc denials:
avc: denied { open } for path="/dev/fth_fd" dev="tmpfs" ino=1575 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
avc: denied { read } for name="wakeup96" dev="sysfs" ino=101698 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0

Bug: 383048849
Test: ls -lZ /sys/devices/platform/odm//odm:fps_touch_handler/wakeup
Test: authenticate fingerprint
Flag: EXEMPT NDK
Change-Id: I97305f6ac077e114624674e18b5d0718771a5e3a
---
 whitechapel/vendor/google/file_contexts | 1 +
 whitechapel/vendor/google/genfs_contexts | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 5b77f135..196d0dd7 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -359,6 +359,7 @@
 /dev/bigocean u:object_r:video_device:s0
 # Fingerprint
+/dev/fth_fd u:object_r:fingerprint_device:s0
 /dev/goodix_fp u:object_r:fingerprint_device:s0
 /data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0
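Review bot: The three added lines key the label on `/class/power_supply/wireless/device/...`, whereas every surrounding sysfs entry in this file (including the `10d50000.hsi2c` line directly above) uses a `/devices/...` path. On most kernels `/sys/class/power_supply/<name>` is a symlink into `/sys/devices/...`, and genfscon matching is done on the resolved sysfs path, so an entry keyed on the symlink path may never apply and `version`/`status`/`fw_rev` would stay labeled plain `sysfs`. Confirm on-device with `ls -LZ /sys/class/power_supply/wireless/device/version`; if the label is not `sysfs_batteryinfo`, replace the three lines with the resolved path, e.g. `genfscon sysfs /devices/platform/<wireless-charger-path>/version u:object_r:sysfs_batteryinfo:s0`. The `Test: ABTD` trailer does not say which device or kernel this was verified on.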
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 6813a393..ec02ff21 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -132,6 +132,9 @@ genfscon sysfs /devices/platform/sound-aoc/wakeup
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/wakeup u:object_r:sysfs_wakeup:s0
+
 # Input
 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0
 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0

From e1977e82878e16c7401184727ab4c452573ed3ef Mon Sep 17 00:00:00 2001
From: Terry Huang
Date: Thu, 9 Jan 2025 09:00:03 +0800
Subject: [PATCH 08/14] Remove sced sepolicy rule

Bug: 381778782
Test: gts pass
Flag: EXEMPT bugfix
Change-Id: I2c75c28ddf2ded0c8902acc2b2ded845da5e4464
---
 whitechapel/vendor/google/file.te | 1 -
 whitechapel/vendor/google/file_contexts | 2 --
 whitechapel/vendor/google/sced.te | 23 -------------------
 .../vendor/google/vendor_telephony_app.te | 1 -
 4 files changed, 27 deletions(-)
 delete mode 100644 whitechapel/vendor/google/sced.te

diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index db4d0570..616aad27 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -9,7 +9,6 @@ type vendor_dmd_log_file, file_type, data_file_type;
 type vendor_rfsd_log_file, file_type, data_file_type;
 type vendor_dump_log_file, file_type, data_file_type;
 type vendor_rild_log_file, file_type, data_file_type;
-type vendor_sced_log_file, file_type, data_file_type;
 type vendor_telephony_log_file, file_type, data_file_type;
 # app data files
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 196d0dd7..47124b7a 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -136,7 +136,6 @@
 /(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0
 /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0
-/(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0
 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 #
@@ -148,7 +147,6 @@
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0
 /data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0
-/data/vendor/log/sced(/.*)? u:object_r:vendor_sced_log_file:s0
 /persist/sensorcal\.json u:object_r:sensors_cal_file:s0
diff --git a/whitechapel/vendor/google/sced.te b/whitechapel/vendor/google/sced.te
deleted file mode 100644
index 43292621..00000000
--- a/whitechapel/vendor/google/sced.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type sced, domain;
-type sced_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(sced)
-
-userdebug_or_eng(`
-typeattribute sced vendor_executes_system_violators;
-
-hwbinder_use(sced)
-binder_call(sced, dmd)
-binder_call(sced, vendor_telephony_app)
-
-get_prop(sced, hwservicemanager_prop)
-allow sced self:packet_socket create_socket_perms_no_ioctl;
-
-allow sced self:capability net_raw;
-allow sced shell_exec:file rx_file_perms;
-allow sced tcpdump_exec:file rx_file_perms;
-allow sced vendor_shell_exec:file x_file_perms;
-allow sced vendor_slog_file:dir create_dir_perms;
-allow sced vendor_slog_file:file create_file_perms;
-allow sced hidl_base_hwservice:hwservice_manager add;
-allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
-')
diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te
index 499764b2..b046e60b 100644
--- a/whitechapel/vendor/google/vendor_telephony_app.te
+++ b/whitechapel/vendor/google/vendor_telephony_app.te
@@ -12,7 +12,6 @@ allow vendor_telephony_app vendor_slog_file:file create_file_perms;
 allow vendor_telephony_app app_api_service:service_manager find;
 allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find;
 binder_call(vendor_telephony_app, dmd)
-binder_call(vendor_telephony_app, sced)
 userdebug_or_eng(`
 # Silent Logging

From e521ebbc45708ac436d9a8197a82b720cb267a24 Mon Sep 17 00:00:00 2001
From: Xiaofan Jiang
Date: Fri, 10 Jan 2025 03:09:56 +0000
Subject: [PATCH 09/14] gs101: update selinux to allow UMI on user build

Bug: 375335464
[ 68.189198] type=1400 audit(1722986580.568:59): avc: denied { unlink } for comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
[ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { create } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
[ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { write } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1

Flag: EXEMPT Critical modem system service
Change-Id: Iedda88ebf6d03ea8218ae7843a226be8021491c0
---
 whitechapel/vendor/google/modem_svc_sit.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te
index 467e8799..8f6c240f 100644
--- a/whitechapel/vendor/google/modem_svc_sit.te
+++ b/whitechapel/vendor/google/modem_svc_sit.te
@@ -45,7 +45,5 @@ allow modem_svc_sit modem_img_file:file r_file_perms;
 allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
 # Allow modem_svc_sit to access socket for UMI
-userdebug_or_eng(`
- allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink };
-')
+allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink write};

From 829c6fb8637c3eee35d9016a68de41a2229883a3 Mon Sep 17 00:00:00 2001
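Review bot: The added rule is missing the space before the closing brace (`{ create unlink write}`); it should read `allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink write };` to match the other rules in this file. More importantly, moving the rule out of `userdebug_or_eng` means that on user builds modem_svc_sit can now create, unlink and write every sock_file labeled radio_vendor_data_file, not only `modem_svc_socket`; the three denials quoted in the description were captured with permissive=1, so they do not show what a user build actually needs. If the UMI socket is the only one required, consider labeling it with a dedicated type in file_contexts so the grant is scoped to that path, and add a comment above the rule naming the peer that is expected to connect to it.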
From: Yi-Yo Chiang
Date: Thu, 9 Jan 2025 18:41:43 +0800
Subject: [PATCH 10/14] init-display-sh: Don't audit writing to kmsg

modprobe would log errors to /dev/kmsg, need to explicit allow this.
```
avc: denied { write } for comm="modprobe" name="kmsg" dev="tmpfs" ino=5 scontext=u:r:init-display-sh:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
```

Bug: 388717752
Test: DeviceBootTest#SELinuxUncheckedDenialBootTest
Change-Id: I62a43416291d4d79164765004f156f2bdb69b0b5
---
 whitechapel/vendor/google/init-display-sh.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/whitechapel/vendor/google/init-display-sh.te b/whitechapel/vendor/google/init-display-sh.te
index 54ff7d6e..7f64b782 100644
--- a/whitechapel/vendor/google/init-display-sh.te
+++ b/whitechapel/vendor/google/init-display-sh.te
@@ -8,3 +8,5 @@ allow init-display-sh vendor_toolbox_exec:file execute_no_trans;
 dontaudit init-display-sh proc_cmdline:file r_file_perms;
+# Allow modprobe to log to kmsg.
+allow init-display-sh kmsg_device:chr_file w_file_perms;

From 249369ecabc56dad64ead0ab3e8c082cc1ac74dd Mon Sep 17 00:00:00 2001
From: Enzo Liao
Date: Tue, 21 Jan 2025 14:13:18 +0800
Subject: [PATCH 11/14] RamdumpService: Fix the SELinux errors from introducing Firebase Analytics.

Fix it by ag/31334770 and remove the tracking bug number.

Bug: 386149238
Flag: EXEMPT bugfix
Change-Id: Icbf1745ced50ce2a2fa8ae48598c126580aa82eb
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index cd2c30da..61a3acd3 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -26,7 +26,6 @@ priv_app audio_config_prop file b/379246066
 radio audio_config_prop file b/379227275
 ramdump ramdump capability b/369538457
 ramdump_app default_prop file b/386149238
-ramdump_app privapp_data_file lnk_file b/385977809
 rfsd vendor_cbd_prop file b/317734418
 shell sysfs_net file b/329380904
 ssr_detector_app default_prop file b/350831964
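Review bot: The subject says "Don't audit writing to kmsg" but the rule added to init-display-sh.te is an `allow`, not a `dontaudit`, so it grants the write rather than silencing the denial, and the two are not equivalent from a least-privilege standpoint. If modprobe's error output only needs to stop tripping SELinuxUncheckedDenialBootTest, `dontaudit init-display-sh kmsg_device:chr_file w_file_perms;` is the minimal change and mirrors the existing `dontaudit ... proc_cmdline` line just above it. If the messages are genuinely wanted in the kernel log, keep the `allow` but fix the subject, and prefer `{ open write }` over `w_file_perms`, which in AOSP's global_macros also carries append, lock and map that a char-device log sink does not need.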
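Review bot: The bug_map line removed is the b/385977809 entry (`ramdump_app privapp_data_file lnk_file`), yet the description and `Bug:` trailer cite b/386149238, whose own entry (`ramdump_app default_prop file b/386149238`) is left in place directly above the removed line. Either the wrong entry was dropped or the bug reference is wrong: if ag/31334770 resolves the privapp_data_file lnk_file denial, the trailer should read `Bug: 385977809`; if it resolves the default_prop denial, the `default_prop` line is the one to delete. Removing a bug_map entry re-arms the boot test for that denial, so the pairing is worth confirming before this lands.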
From 503ffc6d566cef68989ebadda85159b41d90fdaa Mon Sep 17 00:00:00 2001
From: yixuanwang
Date: Thu, 23 Jan 2025 19:49:21 +0000
Subject: [PATCH 12/14] Remove chre vendor_data_file from tracking denials bug map

Flag: EXEMPT remove bug map only
Bug: 301948771
Test: presubmit
Change-Id: I1a41fc646cb337c28d100af31138e5cdf7726cf7
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 61a3acd3..f6fb12c2 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -2,7 +2,6 @@
 battery_mitigation sysfs file b/364446534
 bluetooth audio_config_prop file b/379226761
 bluetooth audio_config_prop file b/379245675
-chre vendor_data_file dir b/301948771
 dump_display sysfs file b/340722772
 dump_modem sscoredump_vendor_data_coredump_file dir b/366115873
 dump_modem sscoredump_vendor_data_logcat_file dir b/366115873

From 2f510558b1c58aa8fb6d4ab1eea8644aa9d9b488 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Wed, 5 Feb 2025 10:53:27 +0800
Subject: [PATCH 13/14] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 394433509
FLag: EXEMPT bugfix
Change-Id: If192082b7d675bb41d91bf4eaf727d43b8df54a7
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index f6fb12c2..ec423849 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -48,4 +48,5 @@ vendor_init default_prop property_service b/366116214
 vendor_init default_prop property_service b/369735133
 vendor_init default_prop property_service b/369735170
 zygote aconfig_storage_metadata_file dir b/383949055
+zygote media_config_prop file b/394433509
 zygote zygote capability b/379591519

From 5a75cda76d5f63d716ad432ef364dfab0d444b4c Mon Sep 17 00:00:00 2001
From: Roy Luo
Date: Wed, 11 Dec 2024 15:45:42 +0000
Subject: [PATCH 14/14] Add udc sysfs to udc_sysfs fs context

Meeded for system server to monitor usb gadget state. Grant hal_usb_impl read access as it's needed by UsbDataSessionMonitor. Starting at board level api 202504 due to its dependency on aosp/3337514
10956 10956 W android.hardwar: type=1400 audit(0.0:327): avc: denied { read } for name="state" dev="sysfs" ino=84394 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_udc:s0 tclass=file permissive=0

Bug: 339241080
Test: tested on Oriole
Flag: android.hardware.usb.flags.enable_udc_sysfs_usb_state_update
Change-Id: Iac9384cc81090d71e0cda8a6ba83476af865fe33
---
 whitechapel/vendor/google/genfs_contexts | 3 +++
 whitechapel/vendor/google/hal_usb_impl.te | 1 +
 2 files changed, 4 insertions(+)

diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 2a0642d1..85f97b4a 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -345,3 +345,6 @@ genfscon sysfs /devices/platform/25f40000.etm u:object_r:sysfs_devices_cs_etm
 # BootControl
 genfscon sysfs /kernel/boot_control/blow_ar u:object_r:sysfs_bootctl:s0
+
+# USB
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/udc/11110000.dwc3/state u:object_r:sysfs_udc:s0
diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te
index cd2cbf89..f72412e6 100644
--- a/whitechapel/vendor/google/hal_usb_impl.te
+++ b/whitechapel/vendor/google/hal_usb_impl.te
@@ -30,3 +30,4 @@ get_prop(hal_usb_impl, vendor_usb_config_prop);
 # For monitoring usb sysfs attributes
 allow hal_usb_impl sysfs_wakeup:dir search;
 allow hal_usb_impl sysfs_wakeup:file r_file_perms;
+allow hal_usb_impl sysfs_udc:file r_file_perms;
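Review bot: The genfs_contexts hunk is based on blob `2a0642d1`, which is the pre-series version of that file — patches 06 and 07 in this same series move it to `6813a393` and then `ec02ff21` — so this patch will not apply cleanly after them without a rebase, and its 11 Dec 2024 date predates the rest of the series. The description says the change starts at board API level 202504, but nothing in either hunk is conditional: both the `genfscon` line and `allow hal_usb_impl sysfs_udc:file r_file_perms;` are unconditional, so if the gating lives elsewhere a comment such as `# Requires board API >= 202504 (aosp/3337514)` above the `# USB` entry would spare the next reader a search. The `sysfs_udc` type is not declared anywhere in this diff; presumably it comes from the platform change referenced, which should be confirmed for this board before merging.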