From d733108c8f5b8c8654ee066ee04ee993457efb50 Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Tue, 30 Mar 2021 04:45:53 +0000 Subject: [PATCH 01/26] DO NOT MERGE. Revert Exo selinux policies for S Bug: 188074060 Test: Forrest Change-Id: I3465d10c3731ae49fec6e6fb7f2873cf2e5b9c23 --- ambient/exo_app.te | 20 -------------------- ambient/seapp_contexts | 2 -- 2 files changed, 22 deletions(-) delete mode 100644 ambient/exo_app.te delete mode 100644 ambient/seapp_contexts diff --git a/ambient/exo_app.te b/ambient/exo_app.te deleted file mode 100644 index ef928f65..00000000 --- a/ambient/exo_app.te +++ /dev/null @@ -1,20 +0,0 @@ -type exo_app, coredomain, domain; - -app_domain(exo_app) -net_domain(exo_app) - -allow exo_app app_api_service:service_manager find; -allow exo_app audioserver_service:service_manager find; -allow exo_app cameraserver_service:service_manager find; -allow exo_app mediaserver_service:service_manager find; -allow exo_app radio_service:service_manager find; -allow exo_app fwk_stats_service:service_manager find; -allow exo_app mediametrics_service:service_manager find; -allow exo_app gpu_device:dir search; - -allow exo_app uhid_device:chr_file rw_file_perms; - -binder_call(exo_app, statsd) -binder_use(exo_app) - -get_prop(exo_app, device_config_runtime_native_boot_prop) diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts deleted file mode 100644 index 8024688c..00000000 --- a/ambient/seapp_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# Domain for Exo app -user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all From 168a6b0c7203df6842275b6a392eaa0fd81e4085 Mon Sep 17 00:00:00 2001 
From: chasewu Date: Fri, 21 May 2021 17:32:53 +0800 Subject: [PATCH 02/26] genfs_contexts: fix path for cs40l25a i2c devices Due to recent changes which modifies the device name for i2c devices, cs40l25a device names are now changed from ?-0043 and ?-0042 to "i2c-cs40l25a" and "i2c-cs40l25a-dual" Bug: 188078957 Bug: 188651116 Test: manual check avc denied logs Signed-off-by: chasewu Change-Id: I97d3a030c94166f8e2cda7daa38166b1532b6d9f --- whitechapel/vendor/google/genfs_contexts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1fa2a451..1f15f2f5 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -71,9 +71,9 @@ genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object # Vibrator genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0042 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 # Fingerprint genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 From 6224fa93541cfbc234c17c84ba485d58cca95f8f Mon Sep 17 00:00:00 2001 
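Review bot: Only the `i2c-5/5-0042` entry actually changes here; the `i2c-4/i2c-cs40l25a` and `i2c-5/i2c-cs40l25a` lines are removed and re-added with identical text, which looks like a whitespace-only realignment (hidden by the collapsed layout) and could be dropped from the hunk so the single real relabel stands out. The commit message says both the `?-0043` and `?-0042` names went away, yet the hunk keeps `i2c-4/4-005a` as unchanged context and touches no `-0043` entry; it is worth confirming whether an older numeric entry exists elsewhere in genfs_contexts, outside this hunk, that still needs the new name, since a sysfs path with no matching genfscon falls back to the generic sysfs label and the denials this change targets would persist for that node.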
From: Rick Yiu Date: Tue, 17 Aug 2021 21:09:20 +0800 Subject: [PATCH 03/26] gs101-sepolicy: Remove private/mediaprovider_app.te Moved to system/sepolicy to solve GSI avc denials. Bug: 196326750 Test: build pass Change-Id: I4bdcc1d49bf9550297687534074fd3fc526d3acc --- private/mediaprovider_app.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 private/mediaprovider_app.te diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te deleted file mode 100644 index 9d508444..00000000 --- a/private/mediaprovider_app.te +++ /dev/null @@ -1,2 +0,0 @@ -dontaudit mediaprovider_app sysfs_vendor_sched:dir search; - From 9c96111094c3bb7e61cea08a60a05bd08d84956f Mon Sep 17 00:00:00 2001 From: Roshan Pius Date: Mon, 23 Aug 2021 08:55:07 -0700 Subject: [PATCH 04/26] gs101-sepolicy: Rename hal_uwb -> hal_uwb_vendor Since we are now creating an AOSP HAL for uwb. Rename qorvo's internal HAL to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules. Bug: 195308730 Test: Compiles Change-Id: Ief48eacde68b062b2199b20c0c1bb3af23795240 Merged-In: Ief48eacde68b062b2199b20c0c1bb3af23795240 --- whitechapel/vendor/google/dumpstate.te | 2 +- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_uwb.te | 15 --------------- whitechapel/vendor/google/hal_uwb_default.te | 11 ----------- whitechapel/vendor/google/hal_uwb_vendor.te | 15 +++++++++++++++ .../vendor/google/hal_uwb_vendor_default.te | 11 +++++++++++ whitechapel/vendor/google/service.te | 2 +- whitechapel/vendor/google/service_contexts | 2 +- whitechapel/vendor/google/uwb_vendor_app.te | 10 +++++----- 9 files changed, 35 insertions(+), 35 deletions(-) delete mode 100644 whitechapel/vendor/google/hal_uwb.te delete mode 100644 whitechapel/vendor/google/hal_uwb_default.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor_default.te 
diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index d4dd87b0..cdf6e8ef 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -1,6 +1,6 @@ dump_hal(hal_telephony) dump_hal(hal_graphics_composer) -dump_hal(hal_uwb) +dump_hal(hal_uwb_vendor) userdebug_or_eng(` allow dumpstate media_rw_data_file:file append; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fdbd87e1..581e4154 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -348,7 +348,7 @@ # Uwb # R4 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 +/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 diff --git a/whitechapel/vendor/google/hal_uwb.te b/whitechapel/vendor/google/hal_uwb.te deleted file mode 100644 index d0995686..00000000 --- a/whitechapel/vendor/google/hal_uwb.te +++ /dev/null @@ -1,15 +0,0 @@ -# HwBinder IPC from client to server -binder_call(hal_uwb_client, hal_uwb_server) -binder_call(hal_uwb_server, hal_uwb_client) - -hal_attribute_service(hal_uwb, hal_uwb_service) - -binder_call(hal_uwb_server, servicemanager) - -# allow hal_uwb to set wpan interfaces up and down -allow hal_uwb self:udp_socket create_socket_perms; -allowxperm hal_uwb self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; -allow hal_uwb self:global_capability_class_set { net_admin }; - -# allow hal_uwb to speak to nl802154 in the kernel -allow hal_uwb self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te deleted file mode 100644 index 8165dc21..00000000 
--- a/whitechapel/vendor/google/hal_uwb_default.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_uwb_default, domain;
-type hal_uwb_default_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_uwb_default)
-
-add_service(hal_uwb_default, hal_uwb_service)
-
-hal_server_domain(hal_uwb_default, hal_uwb)
-binder_call(hal_uwb_default, uwb_vendor_app)
-
-allow hal_uwb_default uwb_data_vendor:dir create_dir_perms;
-allow hal_uwb_default uwb_data_vendor:file create_file_perms;
diff --git a/whitechapel/vendor/google/hal_uwb_vendor.te b/whitechapel/vendor/google/hal_uwb_vendor.te
new file mode 100644
index 00000000..ccfc1705
--- /dev/null
+++ b/whitechapel/vendor/google/hal_uwb_vendor.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server
+binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
+binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
+
+hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
+
+binder_call(hal_uwb_vendor_server, servicemanager)
+
+# allow hal_uwb_vendor to set wpan interfaces up and down
+allow hal_uwb_vendor self:udp_socket create_socket_perms;
+allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+allow hal_uwb_vendor self:global_capability_class_set { net_admin };
+
+# allow hal_uwb_vendor to speak to nl802154 in the kernel
+allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..93616874
--- /dev/null
+++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te
@@ -0,0 +1,11 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_vendor_default)
+
+add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
+binder_call(hal_uwb_vendor_default, uwb_vendor_app)
+
+allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index 99e99483..357dffe4 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,4 +1,4 @@
 type hal_pixel_display_service, service_manager_type, vendor_service;
 type uwb_vendor_service, service_manager_type, vendor_service;
 type touch_context_service, service_manager_type, vendor_service;
-type hal_uwb_service, service_manager_type, vendor_service;
+type hal_uwb_vendor_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 687f8cc8..6fb9de1f 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,4 +1,4 @@
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
 uwb_vendor u:object_r:uwb_vendor_service:s0
-hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0
+hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te
index ed53fd00..675ecdb6 100644
--- a/whitechapel/vendor/google/uwb_vendor_app.te
+++ b/whitechapel/vendor/google/uwb_vendor_app.te
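Review bot: hal_uwb_vendor_default.te is created without a terminating newline (`\ No newline at end of file` follows the last `allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;` line); add the final newline so the next append to this file does not show the last line as modified. The hal_uwb_default.te it replaces did end with a newline, so this is a small regression from re-creating the file rather than renaming it; presumably a rename would also have let git record the history as a rename instead of a delete plus add.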
@@ -5,18 +5,18 @@ app_domain(uwb_vendor_app) add_service(uwb_vendor_app, uwb_vendor_service) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb) +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow uwb_vendor_app app_api_service:service_manager find; -allow uwb_vendor_app hal_uwb_service:service_manager find; +allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app radio_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; -allow hal_uwb_default self:global_capability_class_set { sys_nice }; -allow hal_uwb_default kernel:process { setsched }; +allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice }; +allow hal_uwb_vendor_default kernel:process { setsched }; -binder_call(uwb_vendor_app, hal_uwb_default) +binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From 17e518038e7188a2bc825cedf909b08f28013cab Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Thu, 12 Aug 2021 23:26:43 +0800 Subject: [PATCH 05/26] sepolicy: add rule for new debug file node W dumpstate@1.1-s: type=1400 audit(0.0:7): avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=500 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 Bug: 196755019 Signed-off-by: Jenny Ho Change-Id: I0ddf68d5e15fe8d77d8d61287f65621c14024f46 --- whitechapel/vendor/google/file_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fdbd87e1..bc03a78e 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
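Review bot: The renamed rules `allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice };` and `allow hal_uwb_vendor_default kernel:process { setsched };` stay in uwb_vendor_app.te, inside its `not_recovery(` block, although they describe the HAL domain and this same change creates hal_uwb_vendor_default.te where the domain's other rules live. Since both files are already touched, moving the two lines (and the `binder_call(uwb_vendor_app, hal_uwb_vendor_default)` pairing, if it is meant to be HAL-side) next to the domain's own `init_daemon_domain`/`hal_server_domain` lines keeps one domain per .te file; if the placement is deliberate because the rules only matter when the app is present, a one-line comment saying so would prevent the next reader from making the same move.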
@@ -111,6 +111,10 @@ /dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 /dev/logbuffer_cpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 + # DM tools device /dev/umts_dm0 u:object_r:radio_device:s0 /dev/umts_router u:object_r:radio_device:s0 From cb6a843980a9ab53f33b95c1cb77d4f3fa5a8e68 Mon Sep 17 00:00:00 2001 From: Michael Ayoubi Date: Thu, 9 Sep 2021 15:44:25 +0000 Subject: [PATCH 06/26] Allow euiccpixel_app to get dck_prop Bug: 189881206 Bug: 183606657 Test: Build and confirm EuiccSupportPixel can get ro.gms.dck.eligible_wcc Change-Id: I59873d33f21632347183d749c9bbf25c6e6ba2cd --- whitechapel/vendor/google/euiccpixel_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/euiccpixel_app.te b/whitechapel/vendor/google/euiccpixel_app.te index db3d0aed..32f958b3 100644 --- a/whitechapel/vendor/google/euiccpixel_app.te +++ b/whitechapel/vendor/google/euiccpixel_app.te @@ -10,6 +10,7 @@ allow euiccpixel_app surfaceflinger_service:service_manager find; set_prop(euiccpixel_app, vendor_secure_element_prop) set_prop(euiccpixel_app, vendor_modem_prop) +get_prop(euiccpixel_app, dck_prop) userdebug_or_eng(` net_domain(euiccpixel_app) From fba4a09331c43bb7a022034451b53f47c39709ee Mon Sep 17 00:00:00 2001 
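Review bot: The three new `/dev/logbuffer_maxfg*_monitor` entries only resolve the quoted `tcontext=u:object_r:device:s0` denial if hal_dumpstate_default already has read access to logbuffer_device; that rule is not part of this patch, so it is presumably in place for the sibling logbuffer_* entries above, but the commit message does not say so. The denial names only `logbuffer_maxfg_monitor`, while `_base_monitor` and `_flip_monitor` are added alongside it with no justification in the hunk; a short comment above the three lines naming what produces the base/flip variants would make the extra labels easier to audit later.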
From: Erik Staats Date: Mon, 20 Sep 2021 16:50:50 -0700 Subject: [PATCH 07/26] Allow the sensor HAL to access dynamic sensor properties. Bug: 195964858 Test: Verified dynamic sensor manager is present in sensor list and that no SELinux violations occur. Test: See details in testing done comment in https://googleplex-android-review.git.corp.google.com/15874927 . Change-Id: I76a60f7fbd113059156ccaea2c4f98580cb0836a --- usf/sensor_hal.te | 3 +++ whitechapel/vendor/google/property.te | 4 ++++ whitechapel/vendor/google/property_contexts | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index e071b9bc..0797253e 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -49,6 +49,9 @@ allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; # Allow sensor HAL to read AoC dumpstate. allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; +# Allow access for dynamic sensor properties. +get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) + # # Suez type enforcements. # diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 4b671a4c..bb0894fc 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -49,3 +49,7 @@ vendor_internal_prop(vendor_tcpdump_log_prop) # Fingerprint vendor_internal_prop(vendor_fingerprint_fake_prop) + +# Dynamic sensor +vendor_internal_prop(vendor_dynamic_sensor_prop) + diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5d2f018a..18a6059c 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -104,3 +104,7 @@ vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_pr # Fingerprint vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 + +# Dynamic sensor +vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 + 
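Review bot: Both the property.te and property_contexts hunks end with a lone `+` after the new `vendor_dynamic_sensor_prop` lines, i.e. they append an extra empty line at end of file; drop that trailing blank so each file ends with a single newline, otherwise the next addition below it diffs against a stray blank. The same trailing blanks are re-introduced by the identical re-land (Change-Id I2f1c05ec0d840f6ebae1e5356f668b3f9431fd25), so it applies there as well, and the usf/sensor_hal.te hunk is fine as written.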
From aef1a206a7765e90e4d8ea3f385a9f5100b1038e Mon Sep 17 00:00:00 2001 From: Erik Staats Date: Wed, 22 Sep 2021 17:53:58 +0000 Subject: [PATCH 08/26] Revert "Allow the sensor HAL to access dynamic sensor properties." Revert "dynamic_sensor: Add sensor manager init to sub-HAL 2.1." Revert submission 15874906-bug_195964858.2 Reason for revert: b/200815351 Reverted Changes: I76a60f7fb:Allow the sensor HAL to access dynamic sensor prop... I5d587dc46:dynamic_sensor: Add sensor manager init to sub-HAL... Change-Id: Ib29649b058ec6f329958e1dfcba0c2e35ea79306 --- usf/sensor_hal.te | 3 --- whitechapel/vendor/google/property.te | 4 ---- whitechapel/vendor/google/property_contexts | 4 ---- 3 files changed, 11 deletions(-) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 0797253e..e071b9bc 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -49,9 +49,6 @@ allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; # Allow sensor HAL to read AoC dumpstate. allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; -# Allow access for dynamic sensor properties. -get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) - # # Suez type enforcements. # diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index bb0894fc..4b671a4c 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -49,7 +49,3 @@ vendor_internal_prop(vendor_tcpdump_log_prop) # Fingerprint vendor_internal_prop(vendor_fingerprint_fake_prop) - -# Dynamic sensor -vendor_internal_prop(vendor_dynamic_sensor_prop) - diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 18a6059c..5d2f018a 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
@@ -104,7 +104,3 @@ vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_pr # Fingerprint vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 - -# Dynamic sensor -vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 - From e42a4ed3be1fb144c1b14f3bdc3cb933f854d5d1 Mon Sep 17 00:00:00 2001 From: Erik Staats Date: Fri, 24 Sep 2021 05:43:08 -0700 Subject: [PATCH 09/26] Allow the sensor HAL to access dynamic sensor properties. Bug: 195964858 Test: Verified dynamic sensor manager is present in sensor list and that no SELinux violations occur on sc-v2-dev and master. Test: See details in testing done comment in https://googleplex-android-review.git.corp.google.com/15905607 . Change-Id: I2f1c05ec0d840f6ebae1e5356f668b3f9431fd25 --- usf/sensor_hal.te | 3 +++ whitechapel/vendor/google/property.te | 4 ++++ whitechapel/vendor/google/property_contexts | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index e071b9bc..0797253e 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -49,6 +49,9 @@ allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; # Allow sensor HAL to read AoC dumpstate. allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; +# Allow access for dynamic sensor properties. +get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) + # # Suez type enforcements. # diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 4b671a4c..bb0894fc 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -49,3 +49,7 @@ vendor_internal_prop(vendor_tcpdump_log_prop) # Fingerprint vendor_internal_prop(vendor_fingerprint_fake_prop) + +# Dynamic sensor +vendor_internal_prop(vendor_dynamic_sensor_prop) + diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5d2f018a..18a6059c 100644 --- a/whitechapel/vendor/google/property_contexts 
+++ b/whitechapel/vendor/google/property_contexts @@ -104,3 +104,7 @@ vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_pr # Fingerprint vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 + +# Dynamic sensor +vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 + From d60ebc5327b34f93a2ba74c0754cc5cebdc9c9ee Mon Sep 17 00:00:00 2001 From: Erik Staats Date: Thu, 16 Sep 2021 15:03:31 -0700 Subject: [PATCH 10/26] Allow the sensor HAL to access raw HID devices. Bug: 195964858 Test: Paired a Sony PS4 controller and verified that it's discovered by the dynamic sensor HAL. Test: See details in testing done comment in https://googleplex-android-review.git.corp.google.com/15847652 . Change-Id: Ic0bdd711d066a9793eba305102e9a850e3973856 --- usf/sensor_hal.te | 3 +++ whitechapel/vendor/google/device.te | 4 ++++ whitechapel/vendor/google/file_contexts | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 0797253e..22a42087 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -52,6 +52,9 @@ allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; # Allow access for dynamic sensor properties. get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) +# Allow access to raw HID devices for dynamic sensors. +allow hal_sensors_default hidraw_device:chr_file rw_file_perms; + # # Suez type enforcements. # diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bc3c9477..bad0be07 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -55,3 +55,7 @@ type amcs_device, dev_type; # Battery history type battery_history_device, dev_type; + +# Raw HID device +type hidraw_device, dev_type; + diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index bc03a78e..ff401dcd 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
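Review bot: `allow hal_sensors_default hidraw_device:chr_file rw_file_perms;` combined with the `/dev/hidraw[0-9]*` label grants the sensor HAL read/write, including ioctl, on every hidraw node the kernel creates, not just the game controllers the dynamic-sensor HAL is meant to discover, so any HID device exposed through hidraw becomes readable by this domain. If the HAL's ioctl usage is known, narrow the grant with an `allowxperm hal_sensors_default hidraw_device:chr_file ioctl { ... }` allowlist in the style of the udp_socket rule in hal_uwb_vendor.te from this same series, and state in the comment why write access (rather than `r_file_perms`) is needed. The device.te and file_contexts hunks each also append a stray trailing blank line (the final `+`), and the new `/dev/hidraw` entry is placed at the very end of file_contexts after the same_process_hal_file block rather than with the other `/dev/` entries.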
@@ -441,3 +441,7 @@ /vendor/lib64/android\.frameworks\.stats-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 + +# Raw HID device +/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 + From 936079ad1cd7a9baaac7aa0e51af214b313e11cb Mon Sep 17 00:00:00 2001 From: jintinglin Date: Wed, 22 Sep 2021 12:51:52 +0800 Subject: [PATCH 11/26] Allow modem app to read the battery info Test: flash the forrest build, MDS can read the info file Bug: 203478533 Change-Id: I9985dd2731a43445dd653e226fd2939ca355cda4 --- whitechapel/vendor/google/modem_diagnostics.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/modem_diagnostics.te b/whitechapel/vendor/google/modem_diagnostics.te index 7908be1b..9fa772b4 100644 --- a/whitechapel/vendor/google/modem_diagnostics.te +++ b/whitechapel/vendor/google/modem_diagnostics.te @@ -29,4 +29,7 @@ userdebug_or_eng(` allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms; allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find; + + allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms; + allow modem_diagnostic_app sysfs_batteryinfo:dir search; ') From 27a4afc1a9b4577433d624d35dec4cf1d4308984 Mon Sep 17 00:00:00 2001 
From: Jasmine Cha Date: Thu, 16 Sep 2021 17:57:33 +0800 Subject: [PATCH 12/26] audio: add permission to request health/sensor data - Add audio hal into hal_health clients - Allow audio hal to find fwk_sensor_hwservice SELinux : avc: denied { find } for interface=android.frameworks.sensorservice::ISensorManager sid=u:r:hal_audio_default:s0 pid=5907 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:fwk_sensor_hwservice:s0 tclass=hwservice_manager permissive=1 SELinux : avc: denied { find } for interface=android.hardware.health::IHealth sid=u:r:hal_audio_default:s0 pid=9875 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:hal_health_hwservice:s0 tclass=hwservice_manager permissive=1 audio.service: type=1400 audit(0.0:14): avc: denied { call } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_health_default:s0 tclass=binder permissive=1 audio.service: type=1400 audit(0.0:15): avc: denied { transfer } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_health_default:s0 tclass=binder permissive=1 Bug: 199382564 Bug: 199801586 Test: build pass Signed-off-by: Jasmine Cha Change-Id: I8e8a512cfbd6be814c98bac75ff6c0e5db028db2 --- whitechapel/vendor/google/hal_audio_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te index 5ee99469..1f3edbe2 100644 --- a/whitechapel/vendor/google/hal_audio_default.te +++ b/whitechapel/vendor/google/hal_audio_default.te @@ -23,6 +23,9 @@ allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; get_prop(hal_audio_default, vendor_audio_prop); +hal_client_domain(hal_audio_default, hal_health); +allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find; + userdebug_or_eng(` allow hal_audio_default self:unix_stream_socket create_stream_socket_perms; allow hal_audio_default audio_vendor_data_file:sock_file { create unlink }; From 0d48ab4fbfd11b53828e998eb7b95b2884d07be8 Mon Sep 17 00:00:00 2001 
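Review bot: The new `hal_client_domain(hal_audio_default, hal_health);` ends a macro invocation with a semicolon, which the other .te changes in this series do not do (for example `get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)` in usf/sensor_hal.te); the existing `get_prop(hal_audio_default, vendor_audio_prop);` context line has the same quirk, so it is consistent with this file but not with the tree. A brief comment above the two rules naming the audio feature that needs health and sensor data, as the commit message explains, would help, since the hunk itself carries none. The `userdebug_or_eng(` block that follows begins inside the hunk and closes outside it.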
From: Philip Quinn Date: Wed, 25 Aug 2021 12:43:01 -0700 Subject: [PATCH 13/26] Move twoshay definitions to hardware/google/pixel-sepolicy/input. Bug: 187654303 Test: twoshay works on R4, B3, P7 Change-Id: I2cada463fcbfd3b52230430b12b091a655e2abbb Merged-In: I2cada463fcbfd3b52230430b12b091a655e2abbb --- tracking_denials/dumpstate.te | 2 -- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 ---- .../vendor/google/hal_dumpstate_default.te | 3 --- whitechapel/vendor/google/platform_app.te | 3 --- whitechapel/vendor/google/service.te | 1 - whitechapel/vendor/google/service_contexts | 1 - whitechapel/vendor/google/twoshay.te | 16 ---------------- 8 files changed, 33 deletions(-) delete mode 100644 whitechapel/vendor/google/twoshay.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 1a3571bf..fa9d5cec 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,6 +1,4 @@ # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; -# b/187795940 -dontaudit dumpstate twoshay:binder call; # b/190337283 dontaudit dumpstate debugfs_wakeup_sources:file read; diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bad0be07..7cd2c7f2 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -26,9 +26,6 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; -# Touch -type touch_offload_device, dev_type; - # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index ff401dcd..604e6501 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -383,10 +383,6 @@ /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 -# Touch -/dev/touch_offload u:object_r:touch_offload_device:s0 -/vendor/bin/twoshay u:object_r:twoshay_exec:s0 - # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index b5608c16..612b3c0b 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -64,9 +64,6 @@ allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:lnk_file read; -allow hal_dumpstate_default touch_context_service:service_manager find; -binder_call(hal_dumpstate_default, twoshay) - # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 66e7721d..70480beb 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -13,9 +13,6 @@ allow platform_app uwb_service:service_manager find; allow platform_app fwk_stats_service:service_manager find; binder_use(platform_app) -allow platform_app touch_context_service:service_manager find; -binder_call(platform_app, twoshay) - # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 99e99483..6012e87a 100644 --- a/whitechapel/vendor/google/service.te 
+++ b/whitechapel/vendor/google/service.te @@ -1,4 +1,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; -type touch_context_service, service_manager_type, vendor_service; type hal_uwb_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 687f8cc8..9112cd41 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,3 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 -com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te deleted file mode 100644 index 84087fe7..00000000 --- a/whitechapel/vendor/google/twoshay.te +++ /dev/null @@ -1,16 +0,0 @@ -type twoshay, domain; -type twoshay_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(twoshay) - -allow twoshay touch_offload_device:chr_file rw_file_perms; -allow twoshay twoshay:capability sys_nice; - -binder_use(twoshay) -add_service(twoshay, touch_context_service) - -# b/193224954 -dontaudit twoshay twoshay:capability dac_override; - -allow twoshay fwk_stats_service:service_manager find; -binder_call(twoshay, stats_service_server) \ No newline at end of file From a7aa46862d2366abfe72274508e6323c7a263ffe Mon Sep 17 00:00:00 2001 From: Siddharth Kapoor Date: Thu, 21 Oct 2021 14:19:42 +0800 Subject: [PATCH 14/26] Label GPU power_policy sysfs node Bug: 201718421 Test: trace while App launch Change-Id: Icd85b8611632e4638946b492740e509baf2714ce Signed-off-by: Siddharth Kapoor --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 6124bc5d..386efc84 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -254,6 +254,7 @@ genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq genfscon sysfs /devices/platform/1c500000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1c500000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1c500000.mali/kprcs u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 From b834b1d0080b95729a8ccb596e8a0a8e54c6cce4 Mon Sep 17 00:00:00 2001 From: Philip Quinn Date: Wed, 25 Aug 2021 12:43:01 -0700 Subject: [PATCH 15/26] Move twoshay definitions to hardware/google/pixel-sepolicy/input. Bug: 187654303 Test: twoshay works on R4, B3, P7 Change-Id: I2cada463fcbfd3b52230430b12b091a655e2abbb Merged-In: I2cada463fcbfd3b52230430b12b091a655e2abbb --- tracking_denials/dumpstate.te | 2 -- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 ---- .../vendor/google/hal_dumpstate_default.te | 3 --- whitechapel/vendor/google/platform_app.te | 3 --- whitechapel/vendor/google/service.te | 1 - whitechapel/vendor/google/service_contexts | 1 - whitechapel/vendor/google/twoshay.te | 16 ---------------- 8 files changed, 33 deletions(-) delete mode 100644 whitechapel/vendor/google/twoshay.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 1a3571bf..fa9d5cec 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te 
@@ -1,6 +1,4 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/187795940
-dontaudit dumpstate twoshay:binder call;
 # b/190337283
 dontaudit dumpstate debugfs_wakeup_sources:file read;
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index bad0be07..7cd2c7f2 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -26,9 +26,6 @@ type cpuctl_device, dev_type;
 # Bt Wifi Coexistence device
 type wb_coexistence_dev, dev_type;
-# Touch
-type touch_offload_device, dev_type;
-
 # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
 type lwis_device, dev_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index e8cd67ca..bb1288b4 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -383,10 +383,6 @@
 /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-# Touch
-/dev/touch_offload u:object_r:touch_offload_device:s0
-/vendor/bin/twoshay u:object_r:twoshay_exec:s0
-
 # Fingerprint
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
index b5608c16..612b3c0b 100644
--- a/whitechapel/vendor/google/hal_dumpstate_default.te
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -64,9 +64,6 @@ allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
 allow hal_dumpstate_default sysfs_thermal:lnk_file read;
-allow hal_dumpstate_default touch_context_service:service_manager find;
-binder_call(hal_dumpstate_default, twoshay)
-
 # Modem logs
 allow hal_dumpstate_default modem_efs_file:dir search;
 allow hal_dumpstate_default modem_efs_file:file r_file_perms;
diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te
index 66e7721d..70480beb 100644
--- a/whitechapel/vendor/google/platform_app.te
+++ b/whitechapel/vendor/google/platform_app.te
@@ -13,9 +13,6 @@ allow platform_app uwb_service:service_manager find;
 allow platform_app fwk_stats_service:service_manager find;
 binder_use(platform_app)
-allow platform_app touch_context_service:service_manager find;
-binder_call(platform_app, twoshay)
-
 # Fingerprint (UDFPS) GHBM/LHBM toggle
 get_prop(platform_app, fingerprint_ghbm_prop)
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index 357dffe4..aa60e3f7 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,4 +1,3 @@
 type hal_pixel_display_service, service_manager_type, vendor_service;
 type uwb_vendor_service, service_manager_type, vendor_service;
-type touch_context_service, service_manager_type, vendor_service;
 type hal_uwb_vendor_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 6fb9de1f..812105a6 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,4 +1,3 @@
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
-com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
 uwb_vendor u:object_r:uwb_vendor_service:s0
 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0
diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te
deleted file mode 100644
index 84087fe7..00000000
--- a/whitechapel/vendor/google/twoshay.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type twoshay, domain;
-type twoshay_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(twoshay)
-
-allow twoshay touch_offload_device:chr_file rw_file_perms;
-allow twoshay twoshay:capability sys_nice;
-
-binder_use(twoshay)
-add_service(twoshay, touch_context_service)
-
-# b/193224954
-dontaudit twoshay twoshay:capability dac_override;
-
-allow twoshay fwk_stats_service:service_manager find;
-binder_call(twoshay, stats_service_server)
\ No newline at end of file
From f94633e7187e2c7cf9725a06f6174be397cef015 Mon Sep 17 00:00:00 2001
From: Siddharth Kapoor
Date: Thu, 21 Oct 2021 14:19:42 +0800
Subject: [PATCH 16/26] Label GPU power_policy sysfs node
Bug: 201718421
Test: trace while App launch
Change-Id: Icd85b8611632e4638946b492740e509baf2714ce
Signed-off-by: Siddharth Kapoor
---
 whitechapel/vendor/google/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 0c7a1c70..afdb6314 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -254,6 +254,7 @@ genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq
 genfscon sysfs /devices/platform/1c500000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0
 genfscon sysfs /devices/platform/1c500000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0
 genfscon sysfs /devices/platform/1c500000.mali/kprcs u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0
 # nvmem (Non Volatile Memory layer)
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0
From 3d463050a2a89d11a5f1d99a3033dabc63124d41 Mon Sep 17 00:00:00 2001
From: Ted Lin
Date: Fri, 24 Sep 2021 17:14:15 +0800
Subject: [PATCH 17/26] Using dontaudit to fix the avc on boot test
avc: denied { search } for comm="kworker/6:2" name="google_battery" dev="debugfs" ino=32648 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_battery_debugfs:s0 tclass=dir permissive=1
Bug:200739262
Test: Check bugreport
Change-Id: I50a96bab88f564fef0eda9a23bb77dc6ffed357f
Signed-off-by: Ted Lin
(cherry picked from commit 951ce82739f1fcdf610e0a368d1f39c2067a1ebd)
---
 whitechapel/vendor/google/kernel.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te
index 0156784e..c34e7f72 100644
--- a/whitechapel/vendor/google/kernel.te
+++ b/whitechapel/vendor/google/kernel.te
@@ -7,3 +7,5 @@ allow kernel per_boot_file:file r_file_perms;
 # memlat needs permision to create/delete perf events when hotplug on/off
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
+
+dontaudit kernel vendor_battery_debugfs:dir search;
From a8e745039f6b28868b425fe2d43425b933db5aea Mon Sep 17 00:00:00 2001
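Review bot: The added `dontaudit kernel vendor_battery_debugfs:dir search;` has no why-comment, while the neighbouring `memlat` rules in the same hunk carry one; add `# b/200739262: kworker searches the google_battery debugfs dir; silenced, not granted` above it. The denial quoted in the commit message was captured with permissive=1, so on an enforcing build the kworker's lookup is still refused wherever debugfs is mounted, and a `dontaudit` in the `kernel` domain removes the only trace of that; the commit should say whether the failed lookup is harmless or whether the kernel-side access needs a real fix.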
From: Michael Ayoubi
Date: Thu, 11 Nov 2021 00:02:08 +0000
Subject: [PATCH 18/26] Allow uwb_vendor_app to get SE properties
Bug: 205770401
Test: Build and flash on device.
Change-Id: Ic98f394434fad12e7d8ef804ecfd694a55ee8190
Merged-In: Ic98f394434fad12e7d8ef804ecfd694a55ee8190
---
 whitechapel/vendor/google/uwb_vendor_app.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te
index ed53fd00..7a9dddc9 100644
--- a/whitechapel/vendor/google/uwb_vendor_app.te
+++ b/whitechapel/vendor/google/uwb_vendor_app.te
@@ -15,6 +15,8 @@ allow uwb_vendor_app radio_service:service_manager find;
 allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
 allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+get_prop(uwb_vendor_app, vendor_secure_element_prop)
+
 allow hal_uwb_default self:global_capability_class_set { sys_nice };
 allow hal_uwb_default kernel:process { setsched };
From 63d04e1e020b7758f44a9362528c64ceb01780e6 Mon Sep 17 00:00:00 2001
From: Oleg Matcovschi
Date: Wed, 10 Nov 2021 19:01:44 -0800
Subject: [PATCH 19/26] gs101:ssr_detector: Allow access to aoc properties in user builds
Bug: 205755422
Signed-off-by: Oleg Matcovschi
Change-Id: I684590a2ee91cf6d1edfc8a606f3a9e6672ca46f
---
 whitechapel/vendor/google/ssr_detector.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
index 793e51b6..958ed352 100644
--- a/whitechapel/vendor/google/ssr_detector.te
+++ b/whitechapel/vendor/google/ssr_detector.te
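Review bot: `get_prop(uwb_vendor_app, vendor_secure_element_prop)` is added without a comment, in a file that also carries `hal_uwb_default` rules, so the reason an app-level domain reads secure-element properties is not recorded; add `# SE state needed by the UWB vendor app (b/205770401)` above it. If `vendor_secure_element_prop` carries anything beyond a readiness flag, confirm those values are acceptable to expose to `uwb_vendor_app`; the property's contents are not visible from this hunk.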
@@ -11,7 +11,6 @@ allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
 userdebug_or_eng(`
 allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
 allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
- get_prop(ssr_detector_app, vendor_aoc_prop)
 allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
 allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
 allow ssr_detector_app sysfs_vendor_sched:dir search;
@@ -21,3 +20,4 @@ userdebug_or_eng(`
 get_prop(ssr_detector_app, vendor_ssrdump_prop)
 get_prop(ssr_detector_app, vendor_wifi_version)
+get_prop(ssr_detector_app, vendor_aoc_prop)
From e6fb90425db144e3af51d0b165a27b954a82f088 Mon Sep 17 00:00:00 2001
From: Albert Wang
Date: Fri, 12 Nov 2021 14:32:17 +0800
Subject: [PATCH 20/26] [RESTRICT AUTOMERGE] Allow suspend_control to access xHCI wakeup node
Bug: 205138535
Test: n/a
Signed-off-by: Albert Wang
Change-Id: I6e012fea56c50656c8f26216199459092dcfc0f9
Merged-In: I6e012fea56c50656c8f26216199459092dcfc0f9
---
 whitechapel/vendor/google/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index afdb6314..6397bd1f 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -99,6 +99,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wake
 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 # Touch
 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
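Review bot: The second hunk moves `get_prop(ssr_detector_app, vendor_aoc_prop)` out of the `userdebug_or_eng` block, so the read now applies to user builds; the unconditional line carries no explanation while everything above it still reads as debug-only, so add `# AoC properties are needed on user builds too (b/205755422)` above it. Confirm that every value under `vendor_aoc_prop` is acceptable for a user-build app domain to read, given that the first hunk deliberately keeps the sibling sjtag and coredump rules debug-only. The `userdebug_or_eng` block is opened in the first hunk and closed outside both.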
From a506ed1e06ed148c9a25c854089a683106b5a82f Mon Sep 17 00:00:00 2001
From: Albert Wang
Date: Wed, 1 Dec 2021 23:45:19 +0800
Subject: [PATCH 21/26] Allow suspend_control to access xHCI wakeup node
This is a WORKAROUND to avoid the xHCI wakeup node permission problem, since system will automatically allocated device ID.
Bug: 205138535
Test: n/a
Signed-off-by: Albert Wang
Change-Id: Ia2ca04618f950bdded4aea76c897579eb4b92daf
---
 whitechapel/vendor/google/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 6397bd1f..626e91b7 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -100,6 +100,7 @@ genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup
 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 # Touch
 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
From bef2d7397cf45af6dac80a7b4717822caecbadf8 Mon Sep 17 00:00:00 2001
From: joenchen
Date: Fri, 19 Nov 2021 13:23:43 +0000
Subject: [PATCH 22/26] Label min_vrefresh and idle_delay_ms as sysfs_display
Bug: 202567084
Test: Check the files label by "adb shell ls -Z"
Change-Id: I29243751ab5f38eca5d8e4221122764f79c75e04
Merged-In: I29243751ab5f38eca5d8e4221122764f79c75e04
---
 whitechapel/vendor/google/genfs_contexts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 6397bd1f..b06cc1de 100644
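Review bot: The new `xhci-hcd-exynos.4.auto` entry hard-codes a second auto-allocated platform-device id beside the `.5.auto` one from PATCH 20/26; as the commit message itself says, the kernel assigns that id, so the set of labelled paths depends on probe order and can still miss the real node on another boot while labelling a path that does not exist. Record this in the file so a later cleanup does not drop one of the two lines: `# xhci-hcd-exynos id is auto-allocated (.4 and .5 seen); both labelled until the id is fixed (b/205138535)`. A durable fix would be a fixed id or stable alias for the xHCI device, after which a single entry suffices; that lies outside this policy change.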
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -115,6 +115,10 @@ genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed
 # Display
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
From 8d4e8a65d67afa21a556963d63b0bb1e169b0243 Mon Sep 17 00:00:00 2001
From: joenchen
Date: Fri, 19 Nov 2021 13:23:43 +0000
Subject: [PATCH 23/26] Label min_vrefresh and idle_delay_ms as sysfs_display
Bug: 202567084
Test: Check the files label by "adb shell ls -Z"
Change-Id: I29243751ab5f38eca5d8e4221122764f79c75e04
Merged-In: I29243751ab5f38eca5d8e4221122764f79c75e04
---
 whitechapel/vendor/google/genfs_contexts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 626e91b7..cea476c4 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
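Review bot: This hunk is repeated verbatim as PATCH 23/26 (same Change-Id I29243751ab5f38eca5d8e4221122764f79c75e04, same four lines at the same position, different base index), so only one of the two belongs in the series; the second presumably fails to apply or leaves the entries twice. Separately, `min_vrefresh` and `idle_delay_ms` read as tunables rather than status nodes; if they accept writes, every domain with write access to `sysfs_display` can now change panel idle behaviour, which is presumably what b/202567084 wants but is worth stating in the commit message.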
@@ -116,6 +116,10 @@ genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed
 # Display
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
From 734d79bdaf9d69cefbf0ea54b6481e05e42e905c Mon Sep 17 00:00:00 2001
From: Chris Kuiper
Date: Wed, 1 Dec 2021 21:29:36 -0800
Subject: [PATCH 24/26] selinux: Allow sensor HAL to access the display service HAL
Add necessary permissions.
Bug: b/204471211
Test: Testing with corresponding sensor HAL changes and sensor_test commands.
Change-Id: I01774210693ceb4a6d0d4dee4fb5e905117774d3
---
 usf/sensor_hal.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
index 22a42087..ac9d5c2d 100644
--- a/usf/sensor_hal.te
+++ b/usf/sensor_hal.te
@@ -55,6 +55,10 @@ get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
 # Allow access to raw HID devices for dynamic sensors.
 allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
+# Allow sensor HAL to access the display service HAL
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
+binder_call(hal_sensors_default, hal_graphics_composer_default)
+
 #
 # Suez type enforcements.
 #
From 8337626f4a40d3b0b65ebed41b3e6f6e9a6acde3 Mon Sep 17 00:00:00 2001
From: Vinay Kalia
Date: Thu, 16 Dec 2021 00:08:15 +0000
Subject: [PATCH 25/26] [DO NOT MERGE] Allow media codec to access power HAL
This commit fixes the following denials:
W /vendor/bin/hw/google.hardware.media.c2@1.0-service: type=1400 audit(0.0:276): avc: denied { call } for comm=436F646563322E30204C6F6F706572 scontext=u:r:mediacodec:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
bug: 206687836
Test: Secure HFR AV1 video playback with resolution change.
Signed-off-by: Vinay Kalia
Change-Id: I79c20bda87af6066ae667a5176747378718a3a62
---
 whitechapel/vendor/google/mediacodec.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te
index ed7c1adf..f92302eb 100644
--- a/whitechapel/vendor/google/mediacodec.te
+++ b/whitechapel/vendor/google/mediacodec.te
@@ -7,3 +7,4 @@ allow mediacodec hal_camera_default:binder call;
 allow mediacodec sysfs_video:file r_file_perms;
 allow mediacodec sysfs_video:dir r_dir_perms;
 allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
+hal_client_domain(mediacodec, hal_power);
From ca0622247251d6c817b87893a56c03ff71c753c9 Mon Sep 17 00:00:00 2001
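Review bot: `allow hal_sensors_default hal_pixel_display_service:service_manager find;` together with `binder_call(hal_sensors_default, hal_graphics_composer_default)` hands the sensor HAL the whole IDisplay interface, and the new `# Allow sensor HAL to access the display service HAL` comment only restates the rules; make it `# Sensor HAL reads display state via IDisplay (b/204471211)` or name the calls actually used, so the grant can be checked against the interface. The pairing of `hal_pixel_display_service` with `hal_graphics_composer_default` as its server is inferred from this hunk alone; if IDisplay is hosted by another domain, the `binder_call` targets the wrong one. The `Suez` section that follows continues outside the hunk.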
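Review bot: `hal_client_domain(mediacodec, hal_power);` ends in a semicolon while every other macro invocation in this series (`get_prop(...)`, `binder_call(...)`, `binder_use(...)`) has none; the `;` passes through m4 into the expanded policy as a stray token, so write `hal_client_domain(mediacodec, hal_power)`. The denial in the commit message is a `binder call` from `mediacodec` to `servicemanager`, and whether the `hal_power` client macro covers that call cannot be seen from this hunk; the commit message should state the expected expansion, or the test should confirm the denial is gone on an enforcing build. The subject is marked `[DO NOT MERGE]`, so the series should also say where the permanent fix lands.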
From: YiHo Cheng
Date: Thu, 6 Jan 2022 06:21:08 +0800
Subject: [PATCH 26/26] thermal: Label tmu register dump sysfs
Allow dumpstate to access tmu register dump sysfs
[ 1155.422181] type=1400 audit(1641335196.892:8): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_reg_dump_state" dev="sysfs" ino=68561 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
[ 1155.423398] type=1400 audit(1641335196.892:9): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_reg_dump_current_temp" dev="sysfs" ino =68562 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
[ 1155.443740] type=1400 audit(1641335196.896:10): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_top_reg_dump_rise_thres" dev="sysfs" ino=68563 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
[ 1155.466064] type=1400 audit(1641335196.896:11): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_top_reg_dump_fall_thres" dev="sysfs" ino=68565 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
[ 1155.488251] type=1400 audit(1641335196.916:12): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_sub_reg_dump_rise_thres" dev="sysfs" ino=68564 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
[ 1155.510614] type=1400 audit(1641335196.960:13): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_sub_reg_dump_fall_thres" dev="sysfs" ino=68566 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 o
Bug: 202736838
Test: check thermal section in dumpstate
Change-Id: Icecca9f69ee9b57d43aa2864864951bf66c4905f
---
 whitechapel/vendor/google/genfs_contexts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index cea476c4..3029d7f7 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -324,6 +324,14 @@ genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_
 genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
+# thermal sysfs files
+genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+
 # USB-C throttling stats
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
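Review bot: The six new `/module/gs101_thermal/parameters/` entries are module parameters labelled `sysfs_thermal`, the type `hal_dumpstate_default` already reads (`allow hal_dumpstate_default sysfs_thermal:file r_file_perms;` in the PATCH 15/26 context); that gives dumpstate the read the commit wants, but any domain with write access to `sysfs_thermal` also gains control of these TMU dump parameters if they are writable, which cannot be seen from here — confirm no such writer exists or that it is intended. The `# thermal sysfs files` comment is generic; `# TMU register-dump module parameters, read by dumpstate (b/202736838)` says what the block is and why it exists.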