From 5de95a5dd930cc8d4b0651a92525fcd35248c582 Mon Sep 17 00:00:00 2001 From: Rajesh Nyamagoud Date: Thu, 22 Sep 2022 20:42:30 +0000 Subject: [PATCH 01/15] Updated confirmationui HAL binary name. Ignore-AOSP-First: Dependent on internal change. Bug: b/205760172 Test: Run confirmation UI test using CTS Verifier Change-Id: I690f6eb49f47bdf2d2790b0a6c9b0c45ca819a31 (cherry picked from commit 2acd1c0e73e31a70af25fe58bc081ac65791c38b) Merged-In: I690f6eb49f47bdf2d2790b0a6c9b0c45ca819a31 --- confirmationui/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/confirmationui/file_contexts b/confirmationui/file_contexts index 49db4171..377857d0 100644 --- a/confirmationui/file_contexts +++ b/confirmationui/file_contexts @@ -1,4 +1,4 @@ /vendor/bin/securedpud\.slider u:object_r:securedpud_slider_exec:s0 -/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 +/vendor/bin/hw/android\.hardware\.confirmationui-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 /dev/tui-driver u:object_r:tui_device:s0 From 8d802db37aa159c8fe7421eddfe9c6858ad2dbdc Mon Sep 17 00:00:00 2001 From: Chungjui Fan Date: Mon, 17 Oct 2022 12:23:00 +0000 Subject: [PATCH 02/15] sepolicy: gs101: allow fastbootd to access gsc device node avc: denied { getattr } for pid=469 comm="fastbootd" path="/dev/gsc0" dev="tmpfs" ino=470 scontext=u:r:fastbootd:s0 tcontext=u:object_r:citadel_device:s0 tclass=chr_file permissive=0 Bug: 248301125 Change-Id: Ic1aec8874636437b9b8d795b46fae72fa8533302 Signed-off-by: Chungjui Fan --- whitechapel/vendor/google/fastbootd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index d6cf7315..e350e0f3 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te 
@@ -5,4 +5,5 @@ allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; allow fastbootd custom_ab_block_device:blk_file rw_file_perms; +allow fastbootd citadel_device:chr_file rw_file_perms; ') From 5851e176055b694887d717d3872f8d0e2d33854f Mon Sep 17 00:00:00 2001 From: Lucas Wei Date: Wed, 5 Oct 2022 16:41:47 +0800 Subject: [PATCH 03/15] votable: update SEpolicy error Bug: 247905787 Signed-off-by: Lucas Wei Change-Id: Ia6dfb7796ab46b0ac339b98465ccd91624b655ed --- tracking_denials/kernel.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/kernel.te diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te new file mode 100644 index 00000000..45ce8edc --- /dev/null +++ b/tracking_denials/kernel.te @@ -0,0 +1,2 @@ +#b/247905787 +dontaudit kernel vendor_votable_debugfs:dir { search }; From 91960cb2d754c7f2dc86195584f11dcac511be23 Mon Sep 17 00:00:00 2001 From: Lucas Wei Date: Wed, 5 Oct 2022 16:41:47 +0800 Subject: [PATCH 04/15] votable: update SEpolicy error Bug: 247905787 Signed-off-by: Lucas Wei Change-Id: Ia6dfb7796ab46b0ac339b98465ccd91624b655ed Merged-In: Ia6dfb7796ab46b0ac339b98465ccd91624b655ed --- tracking_denials/kernel.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 21776b79..7901bdcf 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,2 +1,4 @@ #b/228181404 -dontaudit kernel vendor_maxfg_debugfs:dir { search }; \ No newline at end of file +dontaudit kernel vendor_maxfg_debugfs:dir { search }; +#b/247905787 +dontaudit kernel vendor_votable_debugfs:dir { search }; From 0127869bfdb77d250d9b119b0a85a83e5ab1c626 Mon Sep 17 00:00:00 2001 
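Review bot: The added `allow fastbootd citadel_device:chr_file rw_file_perms;` in fastbootd.te is wider than the denial quoted in the description, which shows only `getattr` on /dev/gsc0. rw_file_perms also lets fastbootd open, read and write the security-chip node. If fastbootd does need to exchange data with the device, a comment above the rule should say so, for example `# fastbootd talks to the GSC through /dev/gsc0 (b/248301125)`. If it only stats the node, `allow fastbootd citadel_device:chr_file getattr;` is enough. The enclosing block, closed by `')` inside the hunk, opens outside it.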
From: Sam Ou Date: Thu, 29 Sep 2022 06:59:27 +0000 Subject: [PATCH 05/15] sepolicy: fix odpm avc denials add wakeup permissions for odpm driver since we update acc_data based on alarmtimer Bug: 250813284 Change-Id: Id7f70d02475a03e53a206dde3b8efa584cacef85 Merged-In: Id7f70d02475a03e53a206dde3b8efa584cacef85 Signed-off-by: Sam Ou Signed-off-by: Lucas Wei --- whitechapel/vendor/google/genfs_contexts | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1f745777..42ae9f93 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -355,6 +355,26 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-mete genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 + # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0 From 632c5dba75358d59152180431adf3c4e84caca74 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Fri, 28 Oct 2022 22:22:24 +0800 Subject: [PATCH 06/15] Add permission for logbuffer_bd Bug: 242679204 Change-Id: I134bf8611441274e8438fa06b5ca6c186efb331a Signed-off-by: Jenny Ho --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index da2222b2..a75eff9e 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
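Review bot: The new odpm `wakeup` entries in genfs_contexts cover only the `i2c-s2mpg10mfd` / `i2c-s2mpg11mfd` device names, while the context lines at the top of the hunk label the same `enabled_rails` node under both that name and the address-style name `1-002f`. If the kernel can enumerate the device under the address form, as those existing entries suggest, the wakeup directory there keeps the generic sysfs label and the denial returns. A matching line such as `genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0` would close that gap. The s2mpg10 address is not visible in this hunk and would need the same treatment.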
@@ -108,6 +108,7 @@ /dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0 /dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 /dev/logbuffer_cpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_bd u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 From 90aeb6e15cef4087947dab96f91a478a2f52242d Mon Sep 17 00:00:00 2001 From: joenchen Date: Wed, 7 Sep 2022 12:55:19 +0000 Subject: [PATCH 07/15] RRS: Apply the default config from persist prop vendor_config plays as another role to control the display config during the boot time. To change the default configuration of the user selected mode, we use persist config to store the value. Bug: 244492960 Test: Boot w/ and w/o user selected configs and check the resolution Change-Id: Ic3eb4e1c8a2c5eed83d10799a1965dd7a6be58e1 --- display/gs101/hal_graphics_composer_default.te | 4 ++-- whitechapel/vendor/google/property_contexts | 1 + whitechapel/vendor/google/vendor_init.te | 3 +++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index c1eac9ce..dccddf0e 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -25,8 +25,8 @@ allow hal_graphics_composer_default sysfs_leds:file rw_file_perms; # allow HWC to get vendor_persist_sys_default_prop get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop) -# allow HWC to get vendor_display_prop -get_prop(hal_graphics_composer_default, vendor_display_prop) +# allow HWC to get/set vendor_display_prop +set_prop(hal_graphics_composer_default, vendor_display_prop) # allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) 
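Review bot: Replacing `get_prop` with `set_prop(hal_graphics_composer_default, vendor_display_prop)` in hal_graphics_composer_default.te lets the composer HAL write every key labelled vendor_display_prop, not just the persisted default config the description is about. The property_contexts hunk of this patch maps the whole `persist.vendor.display.` prefix to that type, and the context line there shows the type already covers `ro.vendor.hwc.drm.device`. A separate type for the persisted keys would keep the write grant narrow: keep `get_prop(hal_graphics_composer_default, vendor_display_prop)` and add `set_prop(hal_graphics_composer_default, <persist_display_prop_type>)`, where the type name is a placeholder for a new declaration. The `set_prop(vendor_init, vendor_display_prop)` hunk in vendor_init.te would take the same narrower type.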
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5eba1f8d..9f4e8dc9 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -65,6 +65,7 @@ vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 # for display ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 +persist.vendor.display. u:object_r:vendor_display_prop:s0 # for camera persist.vendor.camera. u:object_r:vendor_camera_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index dfd8e996..9686bccb 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -35,3 +35,6 @@ set_prop(vendor_init, vendor_battery_defender_prop) # Fingerprint property set_prop(vendor_init, vendor_fingerprint_prop) + +# Display +set_prop(vendor_init, vendor_display_prop) From bd36256badf8e1fe2ab1990653291b4e91b89740 Mon Sep 17 00:00:00 2001 From: Rick Chen Date: Tue, 8 Nov 2022 22:41:26 +0800 Subject: [PATCH 08/15] Allow CHRE to use EPOLLWAKEUP [DO NOT MERGE] avc: denied { block_suspend } for comm="UsfTransport" capability=36 scontext=u:r:chre:s0 tcontext=u:r:chre:s0 tclass=capability2 permissive=0 Bug: 238666865 Test: Check no chre avc denied. Change-Id: Ifd2c37c58c548aec46a2c46891a1fc4d1f83f9be Signed-off-by: Rick Chen --- whitechapel/vendor/google/chre.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 9dfd9bf6..26c1675f 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te @@ -23,3 +23,5 @@ allow chre hal_wifi_ext_hwservice:hwservice_manager find; allow chre fwk_stats_service:service_manager find; binder_call(chre, stats_service_server) +# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP. +allow chre self:global_capability2_class_set block_suspend; 
From c76556752479a59b7ba006d45792e9ff152e7292 Mon Sep 17 00:00:00 2001 From: Siarhei Vishniakou Date: Thu, 16 Jun 2022 15:59:46 -0700 Subject: [PATCH 09/15] Allow InputProcessor HAL to read display resolution Currently, there's no API to read the resolution from the system domain, so the HAL has to read this from the sysprop provided by the display code. Allow the HAL to do so in this CL. Bug: 244492960 Test: adb shell dmesg | grep input_processor Change-Id: Ibdc3589234bbee8641e3c1f7a300b622803ca1a9 --- whitechapel/vendor/google/hal_input_processor_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 whitechapel/vendor/google/hal_input_processor_default.te diff --git a/whitechapel/vendor/google/hal_input_processor_default.te b/whitechapel/vendor/google/hal_input_processor_default.te new file mode 100644 index 00000000..00d4c695 --- /dev/null +++ b/whitechapel/vendor/google/hal_input_processor_default.te @@ -0,0 +1,2 @@ +# allow InputProcessor HAL to read the display resolution system property +get_prop(hal_input_processor_default, vendor_display_prop) From 2db05a27596e26ec54c3b777dc810e698c9d10e1 Mon Sep 17 00:00:00 2001 From: Salmax Chang Date: Thu, 17 Nov 2022 13:47:57 +0800 Subject: [PATCH 10/15] modem_svc_sit: grant the modem property access Bug: 250779114 Change-Id: I17a3c12d2610c34191ba150ac6fb3a2ac6da2d23 --- whitechapel/vendor/google/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index d5540e31..63dec363 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te @@ -30,3 +30,6 @@ get_prop(modem_svc_sit, hwservicemanager_prop) # logging property get_prop(modem_svc_sit, vendor_logger_prop) + +# Modem property +set_prop(modem_svc_sit, vendor_modem_prop) From 502c76f22b6b06adc0784cfe9e20364cd2348d06 Mon Sep 17 00:00:00 2001 
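Review bot: The comment `# Modem property` above `set_prop(modem_svc_sit, vendor_modem_prop)` in modem_svc_sit.te does not say which property the service writes or why, and the description quotes no denial that would fill this in. set_prop grants write access to every key labelled vendor_modem_prop, so a reader cannot tell whether that scope is intended. A comment naming the key would help, for example `# modem_svc_sit sets <property name> (b/250779114)`, with the placeholder replaced by the actual property.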
From: Stephen Crane Date: Tue, 22 Nov 2022 22:30:24 +0000 Subject: [PATCH 11/15] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: m raven-userdebug, flash, test app loading Bug: 258018785 Change-Id: If995d35be490fbca6c99ef9f73f2842f5c488bd4 Merged-In: If995d35be490fbca6c99ef9f73f2842f5c488bd4 --- whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/storageproxyd.te | 2 ++ whitechapel/vendor/google/vendor_init.te | 3 +++ 4 files changed, 11 insertions(+) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 31ee4b8f..70c72b68 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -55,3 +55,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # UWB calibration system_vendor_config_prop(vendor_uwb_calibration_prop) + +# Trusty storage FS ready +vendor_internal_prop(vendor_trusty_storage_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index eabb6f69..0dd3d463 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -117,3 +117,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor # uwb ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string + +# Trusty +ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index ada64441..bf29cbf2 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te 
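Review bot: The new `ro.vendor.trusty.storage.fs_ready` entry in property_contexts has no `exact` qualifier, so it is matched as a prefix and any longer key starting with that string also receives vendor_trusty_storage_prop. The uwb entry in the context line directly above ends in `exact string`. As this is a single, fully named property, `ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 exact bool` would pin the label to that one key. The `bool` value type is an assumption and should match what storageproxyd actually writes.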
@@ -19,3 +19,5 @@ read_fstab(tee) # storageproxyd starts before /data is mounted. It handles /data not being there # gracefully. However, attempts to access /data trigger a denial. dontaudit tee unlabeled:dir { search }; + +set_prop(tee, vendor_trusty_storage_prop) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 9686bccb..8ebe5e52 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -38,3 +38,6 @@ set_prop(vendor_init, vendor_fingerprint_prop) # Display set_prop(vendor_init, vendor_display_prop) + +# Trusty storage FS ready +get_prop(vendor_init, vendor_trusty_storage_prop) From 86d7d36fcfa70e384207e79c0e6ecdb1d6dc4fef Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Thu, 17 Nov 2022 19:14:01 +0000 Subject: [PATCH 12/15] [ DO NOT MERGE ] gs101-sepolicy: pixelstats: enable pixelstats access to temp-residency-metrics enable pixelstats access to sysfs path Bug: 246799997 Test: Verified the existence of atom and correctness of atom stats Change-Id: If329f2a65ed4cf347bd57150c637d38312f3dcb1 Signed-off-by: Ziyi Cui --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 3 +++ whitechapel/vendor/google/pixelstats_vendor.te | 3 +++ 3 files changed, 9 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 847499d1..48cb759d 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -213,6 +213,9 @@ type sysfs_trusty, sysfs_type, fs_type; # BootControl type sysfs_bootctl, sysfs_type, fs_type; +#vendor-metrics +type sysfs_vendor_metrics, fs_type, sysfs_type; + # Radio type radio_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 42ae9f93..9f2f3c89 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
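Review bot: `set_prop(tee, vendor_trusty_storage_prop)` in storageproxyd.te is added without a comment, and the grant goes to the `tee` domain as a whole, so any process running in that domain may set the property. A line above it such as `# storageproxyd sets ro.vendor.trusty.storage.fs_ready once the data filesystems are usable` would record the intent stated in the description. The matching reader is the `get_prop(vendor_init, vendor_trusty_storage_prop)` rule added to vendor_init.te in the same patch.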
@@ -551,6 +551,9 @@ genfscon sysfs /devices/platform/100b0000.G3D u:obje genfscon sysfs /devices/platform/100b0000.ISP u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 +#vendor-metrics +genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:object_r:sysfs_vendor_metrics:s0 + # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0 diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index f0cca685..eb255475 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -23,6 +23,9 @@ allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +#vendor-metrics +r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) + # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; From 713d3ebf052b474043a8d5f40ef0ac5b7f4ecb2b Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Tue, 29 Nov 2022 10:55:04 -0800 Subject: [PATCH 13/15] gs101-sepolicy:dumpstate: allow dumpstate access sysfs_vendor_metrics Test: "adb bugreport" includes metrics capture. Bug: 246799997 Test: "adb bugreport" includes metrics capture. Change-Id: I48247f8378e52d15b264c37342dee5a938ba90a1 Signed-off-by: Ziyi Cui --- whitechapel/vendor/google/hal_dumpstate_default.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 28137c77..314546f2 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
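Review bot: `r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)` in pixelstats_vendor.te grants directory and symlink read as well as file read, but the genfs_contexts hunk labels one path only, `/kernel/metrics/temp_residency/temp_residency_all/stats`. If that path is a regular file, which the hunk does not show, no directory carries the type and the dir and lnk_file parts of the macro never match. `allow pixelstats_vendor sysfs_vendor_metrics:file r_file_perms;` would state what is actually used. The same applies to the `sysfs_vendor_metrics:dir search` allow and dontaudit rules added to hal_dumpstate_default.te in patch 13.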
@@ -143,6 +143,9 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_maxfg_debugfs:dir search; allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; + allow hal_dumpstate_default sysfs_vendor_metrics:dir search; + allow hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; + allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; @@ -173,6 +176,9 @@ dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; dontaudit hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms; dontaudit hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; +dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search; +dontaudit hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; + dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search; From 1a39bb777e42b42cc4ff224fd77ccccd2e1dd074 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Tue, 29 Nov 2022 12:12:43 -0800 Subject: [PATCH 14/15] [ DO NOT MERGE ] gs101-sepolicy: pixelstats: enable pixelstats access to perf-metrics enable pixelstats access to sysfs path, define sysfs_perfmetrics Bug: 227809911 Bug: 232541623 Test: Verified the existence of atom and correctness of resume latency, irq stats Change-Id: Ia0da1afb96b7f364d018d48d5cc8768c7b67f067 Signed-off-by: Ziyi Cui --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 9f2f3c89..8bb12c67 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -553,6 +553,8 @@ genfscon sysfs /devices/platform/100b0000.TPU u:obje #vendor-metrics genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 From 1d7352fb4d772093a4f07d7407b7e0b8b264bc15 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 6 Jul 2022 14:40:23 +0800 Subject: [PATCH 15/15] ignore shell access on wlc Bug: 261804136 Test: boot Change-Id: I09b67ca07d7f9573d77f64686fb818d4dc1753cc Merged-In: I09b67ca07d7f9573d77f64686fb818d4dc1753cc --- whitechapel/vendor/google/shell.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index f982424d..e13e744e 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -8,3 +8,4 @@ userdebug_or_eng(` dontaudit shell proc_vendor_sched:dir search; dontaudit shell proc_vendor_sched:file write; +dontaudit shell sysfs_wlc:dir search;
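Review bot: The added `dontaudit shell sysfs_wlc:dir search;` in shell.te has no comment or bug reference, although the rule removes these denials from the audit log. The file under tracking_denials in this series tags each dontaudit with its bug, and the same here would let the suppression be revisited: `# b/261804136` on the line above. Whether the rule sits inside the `userdebug_or_eng` block named in the hunk header cannot be determined from the hunk; if it is outside, the suppression also applies to user builds.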