From 811682e50f0a21341dc5801670e05082510c48ba Mon Sep 17 00:00:00 2001
From: Wonsik Kim
Date: Fri, 26 Jan 2024 16:02:08 -0800
Subject: [PATCH 01/14] Add AIDL media.c2 into service_contexts
Bug: 321808716
Test: adb shell dumpsys android.hardware.media.c2.IComponentStore/default
Test: adb shell dumpsys android.hardware.media.c2.IComponentStore/default1
Change-Id: Ifef80e6d12e1b0c9e5d2ce6b33a61b51239683de
---
 whitechapel/vendor/google/service_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 074dedf6..25362525 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -3,3 +3,4 @@ hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_ve
 android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
 rlsservice u:object_r:rls_service:s0
+android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0
From 89224de0eb667995bcb01f054cb718e8543cd950 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Mon, 18 Mar 2024 02:58:47 +0000
Subject: [PATCH 02/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 329380904
Change-Id: I5ef59058c7c7487a8a9cb238767e019631c5ac63
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 17fcff7d..6b94d7d3 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -8,6 +8,7 @@ incidentd incidentd anon_inode b/282626428
 kernel dm_device blk_file b/315907959
 kernel tmpfs chr_file b/315907959
 rfsd vendor_cbd_prop file b/317734418
+shell sysfs_net file b/329380904
 surfaceflinger selinuxfs file b/313804340
 untrusted_app nativetest_data_file dir b/305600845
 untrusted_app shell_test_data_file dir b/305600845
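Review bot: Only the `/default1` instance is labelled here, while both Test lines exercise `/default` and `/default1`; if `android.hardware.media.c2.IComponentStore/default` is not already labelled in another service_contexts file it falls to the default service label and the HAL's `add` is denied, which is the same failure pattern the `hal_vibrator_default default_android_service service_manager` entry in bug_map is tracking. Please confirm `/default` is covered elsewhere, or add `android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0` beside the new line. The commit does not say what the second component store is for, so a short comment above the entry naming the instance would help the next reader.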
From 9ddb9bab3d2500edab8cece590c16ade06b81cbc Mon Sep 17 00:00:00 2001
From: Spade Lee
Date: Tue, 19 Mar 2024 07:54:01 +0000
Subject: [PATCH 03/14] sepolicy: allow kernel to search vendor debugfs
audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0
audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1
audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1
Bug: 328016570
Bug: 329317898
Test: check all debugfs folders are correctly mounted
Change-Id: I13ef8c4d9b0f84a8641cfbe12a7b5cf89a97d3da
Signed-off-by: Spade Lee
---
 whitechapel/vendor/google/kernel.te | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te
index f1156829..d44eed68 100644
--- a/whitechapel/vendor/google/kernel.te
+++ b/whitechapel/vendor/google/kernel.te
@@ -8,7 +8,11 @@ allow kernel per_boot_file:file r_file_perms;
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
-dontaudit kernel vendor_battery_debugfs:dir search;
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
-dontaudit kernel vendor_votable_debugfs:dir { search };
-dontaudit kernel vendor_usb_debugfs:dir search;
+userdebug_or_eng(`
+ allow kernel vendor_battery_debugfs:dir search;
+ allow kernel vendor_regmap_debugfs:dir search;
+ allow kernel vendor_usb_debugfs:dir search;
+ allow kernel vendor_votable_debugfs:dir search;
+ allow kernel vendor_charger_debugfs:dir search;
+ allow kernel vendor_maxfg_debugfs:dir search;
+')
From 66d3a4ef4e33553862de92119cd2345b777df1f6 Mon Sep 17 00:00:00 2001
From: Spade Lee
Date: Thu, 21 Mar 2024 00:29:41 +0000
Subject: [PATCH 04/14] pixelstats_vendor: add logbuffer_device r_file_perms
avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0
Bug: 329174074
Test: no denied log, and able to read logbuffer in pixelstats_vendor
Change-Id: I2c6069f43d17114f937657724dc34e43cf3d48fe
Signed-off-by: Spade Lee
---
 whitechapel/vendor/google/pixelstats_vendor.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te
index 7496a7ce..33e9511c 100644
--- a/whitechapel/vendor/google/pixelstats_vendor.te
+++ b/whitechapel/vendor/google/pixelstats_vendor.te
@@ -25,6 +25,7 @@ allow pixelstats_vendor fwk_sensor_service:service_manager find;
 # Batery history
 allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;
 #vendor-metrics
 r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
From 629dd3eaf9183258fa4fbf9242a1da91c69198c2 Mon Sep 17 00:00:00 2001
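Review bot: Replacing the four `dontaudit` rules with `userdebug_or_eng`-wrapped `allow` rules leaves user builds with neither the permission nor the suppression, so on a user build any kworker that walks these debugfs directories (the first quoted denial was captured with permissive=0) now produces an audited denial and will show up in SELinuxUncheckedDenialBootTest; if debugfs is never mounted on user builds this is moot, but the commit does not say so. Keep a user-build fallback outside the macro, e.g. `dontaudit kernel { vendor_battery_debugfs vendor_maxfg_debugfs vendor_votable_debugfs vendor_usb_debugfs vendor_charger_debugfs vendor_regmap_debugfs }:dir search;`. `vendor_regmap_debugfs` is granted without a matching denial in the description; a one-line comment naming the driver that needs it would help the next reviewer.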
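Review bot: `r_file_perms` on `logbuffer_device` grants ioctl, map and lock on top of the `read` the quoted denial asks for, and the type presumably covers every logbuffer node rather than just `logbuffer_maxfg_monitor`; if the daemon only reads the buffer, `allow pixelstats_vendor logbuffer_device:chr_file { getattr open read };` is the tighter rule. The new line sits under the `# Batery history` comment, which does not describe it; give it its own, e.g. `# maxfg monitor logbuffer (b/329174074)`.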
From: Wilson Sung
Date: Mon, 25 Mar 2024 07:56:34 +0000
Subject: [PATCH 05/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 331147031
Change-Id: I098aab7a986a8b2c659c006f50b5dade74ebcb5b
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 6b94d7d3..2bae68e0 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -7,6 +7,7 @@ incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
 kernel dm_device blk_file b/315907959
 kernel tmpfs chr_file b/315907959
+modem_svc_sit traced_producer_socket sock_file b/331147031
 rfsd vendor_cbd_prop file b/317734418
 shell sysfs_net file b/329380904
 surfaceflinger selinuxfs file b/313804340
From 27e4e3cd9d7b4be40a32847416ae05cfd6b82d5d Mon Sep 17 00:00:00 2001
From: Jan Sebechlebsky
Date: Thu, 21 Mar 2024 09:37:55 +0100
Subject: [PATCH 06/14] Remove virtual_camera dumpstate denial entry from bug_map
Fix: 312894628
Test: N/A
Change-Id: Ia31780377ef121b9347eace64af470926220524b
---
 tracking_denials/bug_map | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 6b94d7d3..06ce063e 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,6 +1,4 @@
 chre vendor_data_file dir b/301948771
-dumpstate virtual_camera binder b/312894628
-dumpstate virtual_camera process b/312894628
 hal_power_default hal_power_default capability b/240632824
 hal_vibrator_default default_android_service service_manager b/317316478
 incidentd debugfs_wakeup_sources file b/282626428
From 3a2d59d8a93ef1980cc846de4a3b359961463b23 Mon Sep 17 00:00:00 2001
From: Hungyen Weng
Date: Mon, 25 Mar 2024 20:33:16 +0000
Subject: [PATCH 07/14] Allow modem_svc to access modem files and perfetto
Bug: 331147031
Bug: 330730987
Test: Confirmed that modem_svc is able to access token db files in modem partition
Test: Confiemed that modem_svc can send traces to perfetto
Test: Confirmed v2/pixel-health-guard/device-boot-health-check-extra has no modem_svc avc denials.
Change-Id: I5fabd3177c758be533ca8bdef3cb3305afd6a5a6
---
 tracking_denials/bug_map | 2 +-
 whitechapel/vendor/google/modem_svc_sit.te | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 51624460..bb1e6993 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -5,7 +5,6 @@ incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
 kernel dm_device blk_file b/315907959
 kernel tmpfs chr_file b/315907959
-modem_svc_sit traced_producer_socket sock_file b/331147031
 rfsd vendor_cbd_prop file b/317734418
 shell sysfs_net file b/329380904
 surfaceflinger selinuxfs file b/313804340
@@ -16,3 +15,4 @@ untrusted_app userdebug_or_eng_prop file b/305600845
 vendor_init default_prop file b/315104713
 vendor_init default_prop file b/316817111
 vendor_init default_prop property_service b/315104713
+
diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te
index 63dec363..0eb7498d 100644
--- a/whitechapel/vendor/google/modem_svc_sit.te
+++ b/whitechapel/vendor/google/modem_svc_sit.te
@@ -17,7 +17,7 @@ allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
 allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
 allow modem_svc_sit modem_stat_data_file:file create_file_perms;
-allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;
 allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
 allow modem_svc_sit modem_userdata_file:file create_file_perms;
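Review bot: Widening `mnt_vendor_file:dir` from `search` to `r_dir_perms` lets modem_svc_sit enumerate everything mounted under /mnt/vendor, while the stated need is the token db files on the modem partition, which carry their own `modem_img_file` label and get dedicated rules in the next hunk. Unless the daemon really lists /mnt/vendor, keep `allow modem_svc_sit mnt_vendor_file:dir search;` and rely on the `modem_img_file` rules; if it does list it, say so in a comment so the broader grant is not trimmed back later.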
@@ -33,3 +33,12 @@ get_prop(modem_svc_sit, vendor_logger_prop)
 # Modem property
 set_prop(modem_svc_sit, vendor_modem_prop)
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(modem_svc_sit)
+
+# Allow modem_svc_sit to access modem image file/dir
+allow modem_svc_sit modem_img_file:dir r_dir_perms;
+allow modem_svc_sit modem_img_file:file r_file_perms;
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
From ec6f15d8129595a6f22f60d9a982e6b0d4361a90 Mon Sep 17 00:00:00 2001
From: kadirpili
Date: Fri, 22 Mar 2024 02:51:44 +0000
Subject: [PATCH 08/14] gs101: telephony property for cbd
Bug: 316817111
Change-Id: Idf85b27d755cff0fb5fffb088d13b105c25beb3b
---
 system_ext/private/pixelntnservice_app.te | 5 +++++
 system_ext/private/property_contexts | 1 +
 system_ext/private/seapp_contexts | 3 +++
 system_ext/public/pixelntnservice_app.te | 1 +
 system_ext/public/property.te | 3 ++-
 whitechapel/vendor/google/cbd.te | 1 +
 whitechapel/vendor/google/rfsd.te | 1 +
 whitechapel/vendor/google/vendor_init.te | 2 ++
 8 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 system_ext/private/pixelntnservice_app.te
 create mode 100644 system_ext/public/pixelntnservice_app.te
diff --git a/system_ext/private/pixelntnservice_app.te b/system_ext/private/pixelntnservice_app.te
new file mode 100644
index 00000000..8bf71cc9
--- /dev/null
+++ b/system_ext/private/pixelntnservice_app.te
@@ -0,0 +1,5 @@
+typeattribute pixelntnservice_app coredomain;
+
+app_domain(pixelntnservice_app);
+allow pixelntnservice_app app_api_service:service_manager find;
+set_prop(pixelntnservice_app, telephony_modem_prop)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index a8e90427..1bc593cc 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
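Review bot: `allow modem_svc_sit modem_img_file:lnk_file r_file_perms;` grants open, ioctl and map on symlinks, where only `read` is ever exercised; `allow modem_svc_sit modem_img_file:lnk_file read;` is the conventional form and matches the narrow dir/file pair above it. The file is also left without a trailing newline (`\ No newline at end of file`), which the next patch to touch this file will have to fix. The `perfetto_producer` grant is fine, but since this is the modem daemon a comment noting which trace categories it emits would make the data flow auditable later.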
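Review bot: `app_domain(pixelntnservice_app);` carries a trailing semicolon, unlike every other macro call in this series (`app_domain(ssr_detector_app)`, `init_daemon_domain(cbd)`, `set_prop(...)`); if it builds the stray token is harmless, but drop it for consistency: `app_domain(pixelntnservice_app)`. A one-line header comment saying what this app is and why it needs to set `telephony_modem_prop` would also help, since the public declaration `type pixelntnservice_app, domain;` gives no hint.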
@@ -5,4 +5,5 @@ persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
 persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string
 # Telephony
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn
 telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 6ac71499..2f3c6785 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -6,3 +6,6 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# PixelNtnService
+user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/pixelntnservice_app.te b/system_ext/public/pixelntnservice_app.te
new file mode 100644
index 00000000..10661b66
--- /dev/null
+++ b/system_ext/public/pixelntnservice_app.te
@@ -0,0 +1 @@
+type pixelntnservice_app, domain;
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
index 1abcc84a..bf64eaad 100644
--- a/system_ext/public/property.te
+++ b/system_ext/public/property.te
@@ -6,7 +6,8 @@ system_vendor_config_prop(esim_modem_prop)
 # Telephony
 system_public_prop(telephony_ril_prop)
+system_restricted_prop(telephony_modem_prop)
 userdebug_or_eng(`
 set_prop(shell, telephony_ril_prop)
-')
\ No newline at end of file
+')
diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te
index cbd222ff..6b41f57e 100644
--- a/whitechapel/vendor/google/cbd.te
+++ b/whitechapel/vendor/google/cbd.te
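Review bot: The new seapp_contexts entry gives a `user=system seinfo=platform` app `type=app_data_file levelFrom=all`, whereas the only other `user=system` entry visible in this series (the SSRestartDetector line removed in patch 10) uses `type=system_app_data_file levelFrom=user`; a uid-1000 app whose data directory is labelled like an ordinary app's is unusual enough that either the type should change to `type=system_app_data_file` or a comment should state that `app_data_file` is intended. Please also confirm com.google.android.satellite actually ships with the system shared UID, otherwise this line never matches and the app lands in the default platform-app domain without the `telephony_modem_prop` grant.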
@@ -5,6 +5,7 @@ init_daemon_domain(cbd)
 set_prop(cbd, vendor_modem_prop)
 set_prop(cbd, vendor_cbd_prop)
 set_prop(cbd, vendor_rild_prop)
+get_prop(cbd, telephony_modem_prop)
 # Allow cbd to setuid from root to radio
 # TODO: confirming with vendor via b/182334947
diff --git a/whitechapel/vendor/google/rfsd.te b/whitechapel/vendor/google/rfsd.te
index 2f7102fc..f51ba865 100644
--- a/whitechapel/vendor/google/rfsd.te
+++ b/whitechapel/vendor/google/rfsd.te
@@ -32,6 +32,7 @@ allow rfsd radio_device:chr_file rw_file_perms;
 # Allow to set rild and modem property
 set_prop(rfsd, vendor_modem_prop)
 set_prop(rfsd, vendor_rild_prop)
+set_prop(cbd, vendor_cbd_prop)
 # Allow rfsd to access modem image file/dir
 allow rfsd modem_img_file:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index 5ff78d4d..3771394b 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -14,6 +14,8 @@ get_prop(vendor_init, vendor_touchpanel_prop)
 set_prop(vendor_init, vendor_tcpdump_log_prop)
 set_prop(vendor_init, vendor_logger_prop)
 set_prop(vendor_init, esim_modem_prop)
+get_prop(vendor_init, telephony_modem_prop)
+
 allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file write;
From bddc287c10ef592977723867b993862c096dfc66 Mon Sep 17 00:00:00 2001
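Review bot: The line added to rfsd.te is `set_prop(cbd, vendor_cbd_prop)`, which names the cbd domain rather than rfsd; cbd.te already carries that exact rule in its context lines, so this adds nothing for rfsd and the comment above it (`# Allow to set rild and modem property`) no longer describes what follows. Given that bug_map is tracking `rfsd vendor_cbd_prop file b/317734418`, the intended rule is presumably `set_prop(rfsd, vendor_cbd_prop)` — or `get_prop(rfsd, vendor_cbd_prop)` if rfsd only reads it, which the `file` class in the tracked denial would also be consistent with — so please fix the domain and pick the narrower of the two.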
From: Spade Lee
Date: Tue, 19 Mar 2024 07:54:01 +0000
Subject: [PATCH 09/14] sepolicy: allow kernel to search vendor debugfs
audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0
audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1
audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1
Bug: 328016570
Bug: 329317898
Test: check all debugfs folders are correctly mounted
Change-Id: I13ef8c4d9b0f84a8641cfbe12a7b5cf89a97d3da
Signed-off-by: Spade Lee
---
 whitechapel/vendor/google/kernel.te | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te
index f1156829..d44eed68 100644
--- a/whitechapel/vendor/google/kernel.te
+++ b/whitechapel/vendor/google/kernel.te
@@ -8,7 +8,11 @@ allow kernel per_boot_file:file r_file_perms;
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
-dontaudit kernel vendor_battery_debugfs:dir search;
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
-dontaudit kernel vendor_votable_debugfs:dir { search };
-dontaudit kernel vendor_usb_debugfs:dir search;
+userdebug_or_eng(`
+ allow kernel vendor_battery_debugfs:dir search;
+ allow kernel vendor_regmap_debugfs:dir search;
+ allow kernel vendor_usb_debugfs:dir search;
+ allow kernel vendor_votable_debugfs:dir search;
+ allow kernel vendor_charger_debugfs:dir search;
+ allow kernel vendor_maxfg_debugfs:dir search;
+')
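Review bot: This patch is an exact repeat of 03/14 — same Change-Id I13ef8c4d9b0f84a8641cfbe12a7b5cf89a97d3da, same blob range f1156829..d44eed68 and the same hunk — so on a tree where 03/14 has already landed it will either fail to apply or be an empty commit, and it should be dropped from the series. If it is kept in place of 03/14, the same concern applies: the `dontaudit` rules disappear on user builds while the replacement `allow` rules are `userdebug_or_eng`-only, so a `dontaudit kernel { ... }:dir search;` fallback outside the macro is still needed to keep user builds quiet.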
From b0daa90c01a3f377715524c91392fe80c9aa5800 Mon Sep 17 00:00:00 2001
From: Enzo Liao
Date: Thu, 14 Mar 2024 15:01:43 +0800
Subject: [PATCH 10/14] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common.
New paths (ag/26620507):
RamdumpService: device/google/gs-common/ramdump_app
SSRestartDetector: device/google/gs-common/ssr_detector_app
Bug: 298102808
Design: go/sys-software-logging
Test: Manual
Change-Id: I568f43ab8ed8f5ab330cbda19cd68bcc12838fdf
---
 gs101-sepolicy.mk | 3 ---
 whitechapel/vendor/google/ramdump_app.te | 24 -----------------------
 whitechapel/vendor/google/seapp_contexts | 4 ----
 whitechapel/vendor/google/ssr_detector.te | 24 -----------------------
 4 files changed, 55 deletions(-)
 delete mode 100644 whitechapel/vendor/google/ramdump_app.te
 delete mode 100644 whitechapel/vendor/google/ssr_detector.te
diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
index 12768b9e..3e8c9022 100644
--- a/gs101-sepolicy.mk
+++ b/gs101-sepolicy.mk
@@ -20,9 +20,6 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/priv
 # PowerStats HAL
 BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-# sscoredump
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump
-
 # Public
 PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
diff --git a/whitechapel/vendor/google/ramdump_app.te b/whitechapel/vendor/google/ramdump_app.te
deleted file mode 100644
index 308e9fb7..00000000
--- a/whitechapel/vendor/google/ramdump_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type ramdump_app, domain;
-
-userdebug_or_eng(`
- app_domain(ramdump_app)
-
- allow ramdump_app app_api_service:service_manager find;
-
- allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
- allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
-
- set_prop(ramdump_app, vendor_ramdump_prop)
- get_prop(ramdump_app, system_boot_reason_prop)
-
- # To access ramdumpfs.
- allow ramdump_app mnt_vendor_file:dir search;
- allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
- allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
-
- # To access subsystem ramdump files and dirs.
- allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
- allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
- allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
- allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
-')
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index f2c53ebc..804c36ce 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -17,10 +17,6 @@ user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app level
 user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all
-# coredump/ramdump
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
-user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
deleted file mode 100644
index f27fcc5b..00000000
--- a/whitechapel/vendor/google/ssr_detector.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type ssr_detector_app, domain;
-
-app_domain(ssr_detector_app)
-allow ssr_detector_app app_api_service:service_manager find;
-allow ssr_detector_app radio_service:service_manager find;
-
-allow ssr_detector_app system_app_data_file:dir create_dir_perms;
-allow ssr_detector_app system_app_data_file:file create_file_perms;
-
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
-userdebug_or_eng(`
- allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
- allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
- allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
- allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
- allow ssr_detector_app proc_vendor_sched:dir search;
- allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
- allow ssr_detector_app cgroup:file write;
-')
-
-get_prop(ssr_detector_app, vendor_ssrdump_prop)
-get_prop(ssr_detector_app, vendor_wifi_version)
-get_prop(ssr_detector_app, vendor_aoc_prop)
From 2034e36abbb870da145acd246a5602a04134d627 Mon Sep 17 00:00:00 2001
From: Spade Lee
Date: Thu, 21 Mar 2024 00:29:41 +0000
Subject: [PATCH 11/14] pixelstats_vendor: add logbuffer_device r_file_perms
avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0
Bug: 329174074
Test: no denied log, and able to read logbuffer in pixelstats_vendor
Signed-off-by: Spade Lee
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:66d3a4ef4e33553862de92119cd2345b777df1f6)
Merged-In: I2c6069f43d17114f937657724dc34e43cf3d48fe
Change-Id: I2c6069f43d17114f937657724dc34e43cf3d48fe
---
 whitechapel/vendor/google/pixelstats_vendor.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te
index 7496a7ce..33e9511c 100644
--- a/whitechapel/vendor/google/pixelstats_vendor.te
+++ b/whitechapel/vendor/google/pixelstats_vendor.te
@@ -25,6 +25,7 @@ allow pixelstats_vendor fwk_sensor_service:service_manager find;
 # Batery history
 allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;
 #vendor-metrics
 r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
From 9df205d57fc633fc7524ca8affd22dac467092b9 Mon Sep 17 00:00:00 2001
From: Enzo Liao
Date: Thu, 14 Mar 2024 15:01:43 +0800
Subject: [PATCH 12/14] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common.
New paths (ag/26620507):
RamdumpService: device/google/gs-common/ramdump_app
SSRestartDetector: device/google/gs-common/ssr_detector_app
Bug: 298102808
Design: go/sys-software-logging
Test: Manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b0daa90c01a3f377715524c91392fe80c9aa5800)
Merged-In: I568f43ab8ed8f5ab330cbda19cd68bcc12838fdf
Change-Id: I568f43ab8ed8f5ab330cbda19cd68bcc12838fdf
---
 gs101-sepolicy.mk | 3 ---
 whitechapel/vendor/google/ramdump_app.te | 24 -----------------------
 whitechapel/vendor/google/seapp_contexts | 4 ----
 whitechapel/vendor/google/ssr_detector.te | 24 -----------------------
 4 files changed, 55 deletions(-)
 delete mode 100644 whitechapel/vendor/google/ramdump_app.te
 delete mode 100644 whitechapel/vendor/google/ssr_detector.te
diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
index 12768b9e..3e8c9022 100644
--- a/gs101-sepolicy.mk
+++ b/gs101-sepolicy.mk
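Review bot: This cherry-pick carries the same Change-Id I2c6069f43d17114f937657724dc34e43cf3d48fe and the same blob range 7496a7ce..33e9511c as 04/14 earlier in this series, so on a branch that already has 04/14 it either fails to apply or becomes an empty commit; keep only one copy. Whichever copy survives, the quoted denial is for `read` alone, so `allow pixelstats_vendor logbuffer_device:chr_file { getattr open read };` would be tighter than `r_file_perms`, which also hands out ioctl and map on every logbuffer node.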
@@ -20,9 +20,6 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/priv
 # PowerStats HAL
 BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-# sscoredump
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump
-
 # Public
 PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
diff --git a/whitechapel/vendor/google/ramdump_app.te b/whitechapel/vendor/google/ramdump_app.te
deleted file mode 100644
index 308e9fb7..00000000
--- a/whitechapel/vendor/google/ramdump_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type ramdump_app, domain;
-
-userdebug_or_eng(`
- app_domain(ramdump_app)
-
- allow ramdump_app app_api_service:service_manager find;
-
- allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
- allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
-
- set_prop(ramdump_app, vendor_ramdump_prop)
- get_prop(ramdump_app, system_boot_reason_prop)
-
- # To access ramdumpfs.
- allow ramdump_app mnt_vendor_file:dir search;
- allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
- allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
-
- # To access subsystem ramdump files and dirs.
- allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
- allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
- allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
- allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
-')
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index f2c53ebc..804c36ce 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -17,10 +17,6 @@ user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app level
 user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all
-# coredump/ramdump
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
-user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
deleted file mode 100644
index f27fcc5b..00000000
--- a/whitechapel/vendor/google/ssr_detector.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type ssr_detector_app, domain;
-
-app_domain(ssr_detector_app)
-allow ssr_detector_app app_api_service:service_manager find;
-allow ssr_detector_app radio_service:service_manager find;
-
-allow ssr_detector_app system_app_data_file:dir create_dir_perms;
-allow ssr_detector_app system_app_data_file:file create_file_perms;
-
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
-userdebug_or_eng(`
- allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
- allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
- allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
- allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
- allow ssr_detector_app proc_vendor_sched:dir search;
- allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
- allow ssr_detector_app cgroup:file write;
-')
-
-get_prop(ssr_detector_app, vendor_ssrdump_prop)
-get_prop(ssr_detector_app, vendor_wifi_version)
-get_prop(ssr_detector_app, vendor_aoc_prop)
From 44f0166eb6c7b2a1194ac027efa41b8808e10968 Mon Sep 17 00:00:00 2001
From: chenkris
Date: Wed, 20 Mar 2024 10:27:24 +0000
Subject: [PATCH 13/14] Allow fingerprint to access the folder /data/vendor/fingerprint
Fix the following avc denial:
android.hardwar: type=1400 audit(0.0:20): avc: denied { write } for name="fingerprint" dev="dm-56" ino=36703 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0
Bug: 267766859
Test: Tested fingerprint under enforcing mode
Change-Id: Id3f00d526dbe044f60aad2198fa65fbe3b6b2c60
---
 whitechapel/vendor/google/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 40114760..69e0d3a9 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -362,6 +362,7 @@
 # Fingerprint
 /dev/goodix_fp u:object_r:fingerprint_device:s0
+/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0
 # Wifi Firmware config update
 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
From 855cd95dce6b51fd5695d6f9f0cd02e8143c18c9 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 15 May 2024 03:50:37 +0000
Subject: [PATCH 14/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 340723222
Bug: 340723303
Bug: 340723030
Test: scanBugreport
Bug: 340723303
Bug: 340722537
Bug: 340723222
Bug: 340722772
Test: scanAvcDeniedLogRightAfterReboot
Bug: 340723303
Bug: 340723030
Bug: 340723222
Change-Id: I91df897d8ae7d8e4b1b49a7eb20f6bb5fe99755c
---
 tracking_denials/bug_map | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index bb1e6993..737d604e 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
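Review bot: A file_contexts entry on its own does not relabel a directory that already exists: the quoted denial shows `/data/vendor/fingerprint` already on disk as `vendor_data_file`, and file_contexts is applied at creation time, so on upgraded devices the HAL keeps hitting the same denial unless an init rc runs `restorecon_recursive /data/vendor/fingerprint` or creates the directory with `mkdir /data/vendor/fingerprint 0770 system system encryption=Require fingerprint_vendor_data_file` — please point at where that happens. This diff also contains neither a `type fingerprint_vendor_data_file, file_type, data_file_type;` declaration nor any `hal_fingerprint_default` rules on that type; presumably both live in pixel-sepolicy, but if the type is not declared anywhere the label fails the policy build, so confirm before merging.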
@@ -1,9 +1,14 @@
+
 chre vendor_data_file dir b/301948771
+dump_display sysfs file b/340722772
 hal_power_default hal_power_default capability b/240632824
+hal_sensors_default sysfs file b/340723303
 hal_vibrator_default default_android_service service_manager b/317316478
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
 kernel dm_device blk_file b/315907959
+kernel kernel capability b/340722537
+kernel kernel capability b/340723030
 kernel tmpfs chr_file b/315907959
 rfsd vendor_cbd_prop file b/317734418
 shell sysfs_net file b/329380904
@@ -12,7 +17,7 @@ untrusted_app nativetest_data_file dir b/305600845
 untrusted_app shell_test_data_file dir b/305600845
 untrusted_app system_data_root_file dir b/305600845
 untrusted_app userdebug_or_eng_prop file b/305600845
+vendor_init debugfs_trace_marker file b/340723222
 vendor_init default_prop file b/315104713
 vendor_init default_prop file b/316817111
 vendor_init default_prop property_service b/315104713
-
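Review bot: `kernel kernel capability b/340722537` and `kernel kernel capability b/340723030` map the same denial key to two different bugs, so one entry will shadow the other depending on how the tooling reads the file; merge them into a single line or split by the specific capability being denied. The hunk also adds a blank line at the very top of the file (the lone `+` after the header) while deleting the trailing one — drop the leading blank. `dump_display sysfs file` and `hal_sensors_default sysfs file` are denials against the generic `sysfs` type, which usually indicates the node needs its own genfs_contexts label rather than an allow; recording them in bug_map silences the boot test but does not fix the denials.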