From 8c9a2875ab893d50f14bd6a534965bfba8d2d6fb Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 3 Jul 2024 02:05:23 +0000 Subject: [PATCH 1/8] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 350831964 Change-Id: Iec0a5b8418d95a83cc989681f8bc5b42e03b032f --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 737d604e..a81c684d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -12,6 +12,7 @@ kernel kernel capability b/340723030 kernel tmpfs chr_file b/315907959 rfsd vendor_cbd_prop file b/317734418 shell sysfs_net file b/329380904 +ssr_detector_app default_prop file b/350831964 surfaceflinger selinuxfs file b/313804340 untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 From eb11b78314c9015387d8893c8e2bfbb5401baa0b Mon Sep 17 00:00:00 2001 From: Aaron Tsai Date: Thu, 23 May 2024 08:45:02 +0000 Subject: [PATCH 2/8] Add permission for setting gril property 05-22 17:52:28.190 936 936 I auditd : type=1400 audit(0.0:784): avc: denied { write } for comm="radioext@1.0-se" name="property_service" dev="tmpfs" ino=842 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 Bug: 343012301 Bug: 203824024 Test: manual test Flag: EXEMPT bugfix Change-Id: I8048a67b59beac0d2ce8c7331eb0e1ea21881f9b --- whitechapel/vendor/google/hal_radioext_default.te | 1 + whitechapel/vendor/google/property.te | 1 + whitechapel/vendor/google/property_contexts | 3 +++ 3 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/whitechapel/vendor/google/hal_radioext_default.te index eef71cf6..0f561ac0 100644 --- a/whitechapel/vendor/google/hal_radioext_default.te +++ b/whitechapel/vendor/google/hal_radioext_default.te 
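Review bot: The new bug_map line `ssr_detector_app default_prop file b/350831964` silences every file-class denial from ssr_detector_app against the catch-all default_prop label without naming the property involved; default_prop is presumably the fallback context for properties that have no property_contexts entry, so the eventual fix is normally a dedicated property context plus a get_prop rule rather than a tracking entry. Because the entry is keyed only on scontext/tcontext/tclass, it will also hide any future, unrelated default_prop denial from the same app until the bug is closed. Recording the denied property name in the bug would let the tracking entry be replaced by a proper label later.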
@@ -4,6 +4,7 @@ init_daemon_domain(hal_radioext_default) hwbinder_use(hal_radioext_default) get_prop(hal_radioext_default, hwservicemanager_prop) +set_prop(hal_radioext_default, vendor_gril_prop) add_hwservice(hal_radioext_default, hal_radioext_hwservice) binder_call(hal_radioext_default, grilservice_app) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 98da3e39..21bd8885 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -2,6 +2,7 @@ vendor_internal_prop(vendor_prop) vendor_internal_prop(vendor_rcs_prop) vendor_internal_prop(vendor_rild_prop) +vendor_internal_prop(vendor_gril_prop) vendor_internal_prop(sensors_prop) vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_usb_config_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index c9187a3f..ba41d6a9 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -8,6 +8,9 @@ vendor.ril. u:object_r:vendor_rild_prop:s0 vendor.radio. u:object_r:vendor_rild_prop:s0 ro.vendor.build.svn u:object_r:vendor_rild_prop:s0 +# for GRIL +vendor.gril. u:object_r:vendor_gril_prop:s0 + # Ramdump persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0 From 63a927b837307e3d4e62534ad0ab4a71b83b84c9 Mon Sep 17 00:00:00 2001 From: Mike McTernan Date: Mon, 15 Jul 2024 10:32:27 +0100 Subject: [PATCH 3/8] trusty: storageproxy: add fs_ready_rw property context Flag: EXEMPT bug fix Bug: 350362101 Test: ABTD Change-Id: I6876593d904ce7223b91f30d31edcd3e60fac82b --- whitechapel/vendor/google/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index c9187a3f..fe6d5312 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
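Review bot: `set_prop(hal_radioext_default, vendor_gril_prop)` together with the `vendor.gril.` entry in property_contexts lets the HAL set every property under that prefix, and the only documentation added is `# for GRIL`, which does not say which domain is expected to write these properties. Suggest expanding it to `# for GRIL; set by hal_radioext_default` so a reader of property_contexts can tie the prefix to its writer without grepping the .te files. The new `vendor.gril.` line also omits an explicit match type where the same file spells out `prefix` for `vendor.mali.` (visible in the next patch's context); adding `prefix` would keep the new line consistent with that style. The hal_radioext_default.te, property.te and property_contexts hunks of this patch all sit on this line.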
@@ -93,6 +93,7 @@ vendor.uwb.calibration.country_code u:object_r:vendor_uwb_calibratio # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 +ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0 # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix From 7bc5a6b183feca0de5970360a7c120e25fe11fa2 Mon Sep 17 00:00:00 2001 From: Daniel Chapin Date: Wed, 24 Jul 2024 20:17:20 +0000 Subject: [PATCH 4/8] Revert "trusty: storageproxy: add fs_ready_rw property context" Revert submission 28318041-rw_storage Reason for revert: Droidfood blocking bug b/355163562 Reverted changes: /q/submissionid:28318041-rw_storage Change-Id: I3846d284bb6810ed3adea0070ac663babf6bb966 --- whitechapel/vendor/google/property_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index fe6d5312..c9187a3f 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -93,7 +93,6 @@ vendor.uwb.calibration.country_code u:object_r:vendor_uwb_calibratio # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 -ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0 # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix From 774949828e714e90a55451dd48cbf59a7fef4794 Mon Sep 17 00:00:00 2001 
From: Kevin Ying Date: Thu, 9 May 2024 20:57:27 +0000 Subject: [PATCH 5/8] Allow camera HAL to access power_state sysfs 08-03 01:36:52.108 791 791 W TaskPool: type=1400 audit(0.0:125): avc: denied { read } for name="power_state" dev="sysfs" ino=86770 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 339690296 Test: Open camera, no display avc error Flag: EXEMPT resource update only Change-Id: I407c31e0898b07bef0df1b090dbc570f61c49272 Signed-off-by: Kevin Ying --- display/gs101/genfs_contexts | 2 ++ whitechapel/vendor/google/hal_camera_default.te | 1 + 2 files changed, 3 insertions(+) diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts index 99badab8..6144af66 100644 --- a/display/gs101/genfs_contexts +++ b/display/gs101/genfs_contexts 
@@ -2,12 +2,14 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/power_state u:object_r:sysfs_display:s0 genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/power_state u:object_r:sysfs_display:s0 genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index b488860d..5697afef 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te 
@@ -91,6 +91,7 @@ allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; # Allow camera HAL to read backlight of display allow hal_camera_default sysfs_leds:dir r_dir_perms; allow hal_camera_default sysfs_leds:file r_file_perms; +allow hal_camera_default sysfs_display:file r_file_perms; # Allow camera HAL to query interrupts and set interrupt affinity allow hal_camera_default proc_irq:dir r_dir_perms; From bf7161db5600494ffcdba208bb81803550d38aac Mon Sep 17 00:00:00 2001 From: Xiaofan Jiang Date: Wed, 14 Aug 2024 00:37:53 +0000 Subject: [PATCH 6/8] gs101: update shared_modem_platform sepolicy for UMI Bug: 357139752 Flag: EXEMPT sepolicy [ 68.189198] type=1400 audit(1722986580.568:59): avc: denied { unlink } for comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 [ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { create } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 Change-Id: I7e28f5a8c7f8a6909fccdc813e7c94ce8c7f8831 --- whitechapel/vendor/google/modem_svc_sit.te | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index 0eb7498d..8e4ac3d6 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te 
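Review bot: `allow hal_camera_default sysfs_display:file r_file_perms;` grants read on every file labelled sysfs_display, while the denial quoted in the commit message and the two genfs_contexts lines added in the previous hunk concern only `power_state`; the same label also covers `panel_name`, `serial_number` and `refresh_rate` in the existing genfs_contexts lines, so the camera HAL now also gains read access to the panel serial number. The new rule sits under the comment `# Allow camera HAL to read backlight of display`, which no longer describes it; suggest its own comment, e.g. `# Allow camera HAL to read display power_state (sysfs_display also labels panel_name/serial_number/refresh_rate)`. If only power_state is actually needed, a dedicated label for that node would keep the grant narrow.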
@@ -41,4 +41,10 @@ perfetto_producer(modem_svc_sit) # Allow modem_svc_sit to access modem image file/dir allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; -allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; + +# Allow modem_svc_sit to access socket for UMI +userdebug_or_eng(` + allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; +') + From 4c48ef2770664d265091c85495014d9dc448658f Mon Sep 17 00:00:00 2001 From: "Priyanka Advani (xWF)" Date: Thu, 15 Aug 2024 16:14:44 +0000 Subject: [PATCH 7/8] Revert "gs101: update shared_modem_platform sepolicy for UMI" Revert submission 28762313 Reason for revert: Droidmonitor created revert due to b/360059249. Reverted changes: /q/submissionid:28762313 Change-Id: I4ffb476a64b32a4e725c894f8014070121848cc0 --- whitechapel/vendor/google/modem_svc_sit.te | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index 8e4ac3d6..0eb7498d 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te @@ -41,10 +41,4 @@ perfetto_producer(modem_svc_sit) # Allow modem_svc_sit to access modem image file/dir allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; -allow modem_svc_sit modem_img_file:lnk_file r_file_perms; - -# Allow modem_svc_sit to access socket for UMI -userdebug_or_eng(` - allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; -') - +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file From 4b26ef2e43e9ee2ce8ef67c3602e837b5bef0765 Mon Sep 17 00:00:00 2001 
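Review bot: The new `userdebug_or_eng` block gives modem_svc_sit `create unlink` on `radio_vendor_data_file:sock_file` only on debug builds, and neither the hunk nor the comment `# Allow modem_svc_sit to access socket for UMI` says that the rule is intentionally absent on user builds; the quoted denials were collected with permissive=1, so whether user-build behaviour was considered cannot be told from the hunk. Suggest `# Allow modem_svc_sit to create/unlink its UMI socket (userdebug/eng only)` so the build gating reads as deliberate. The hunk also adds an empty line after `')`, leaving a blank trailing line at end of file. Patch 8/8 re-lands this same hunk unchanged, so the same applies there.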
From: Xiaofan Jiang Date: Thu, 15 Aug 2024 19:25:28 +0000 Subject: [PATCH 8/8] Revert "Revert "gs101: update shared_modem_platform sepolicy for..." Revert submission 28822848-revert-28762313-SAYUORWKVG Reason for revert: issue identify and fix is ready Reverted changes: /q/submissionid:28822848-revert-28762313-SAYUORWKVG Change-Id: I17fd2b246fc95eac9a5e953c7c7889ecb2c91d1d --- whitechapel/vendor/google/modem_svc_sit.te | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index 0eb7498d..8e4ac3d6 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te @@ -41,4 +41,10 @@ perfetto_producer(modem_svc_sit) # Allow modem_svc_sit to access modem image file/dir allow modem_svc_sit modem_img_file:dir r_dir_perms; allow modem_svc_sit modem_img_file:file r_file_perms; -allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; + +# Allow modem_svc_sit to access socket for UMI +userdebug_or_eng(` + allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; +') +