From 79304978aeba02f71f137f006a8b048fd9e3a283 Mon Sep 17 00:00:00 2001 From: Yabin Cui Date: Wed, 31 Mar 2021 10:40:09 -0700 Subject: [PATCH 001/104] Move vendor_kernel_modules to public. Bug: 166559473 Bug: 183135316 Test: build Change-Id: Ib62080d3d12aa197571a0697c17f6fd5d981d653 --- whitechapel/vendor/google/file.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index ea804182..b66acb0c 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -120,9 +120,6 @@ allow modem_img_file self:filesystem associate; # Wireless type sysfs_wlc, sysfs_type, fs_type; -# Kernel modules -type vendor_kernel_modules, vendor_file_type, file_type; - # Camera type persist_camera_file, file_type; type vendor_camera_tuning_file, vendor_file_type, file_type; From dfc3d869271e5a8a85ee91d83ad23076926791ae Mon Sep 17 00:00:00 2001 From: David Anderson Date: Mon, 7 Jun 2021 18:41:39 -0700 Subject: [PATCH 002/104] Fix denial when flashing vendor_boot in fastbootd. This mirrors the same sepolicy line in previous Pixel devices. Bug: 189493387 Test: fastboot flash vendor_boot on r4 Change-Id: Ie15c8e6e5c01b249e1e5e244666c461253279f0b --- whitechapel/vendor/google/fastbootd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index c1c4de7b..32944aa1 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te @@ -3,4 +3,5 @@ recovery_only(` allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; +allow fastbootd custom_ab_block_device:blk_file rw_file_perms; ') From 6e7338095bf93bf0b059b3228b48d9d7efed4f53 Mon Sep 17 00:00:00 2001 
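Review bot: The added `allow fastbootd custom_ab_block_device:blk_file rw_file_perms;` grants read/write to every partition carrying the custom_ab_block_device label, not just vendor_boot, and nothing in fastbootd.te records which partitions that is (the labelling lives in file_contexts, outside this hunk). Record the intent above the line so the grant can be revisited when labels change: `# vendor_boot is labelled custom_ab_block_device; needed for 'fastboot flash vendor_boot' (b/189493387)`. The rule sits inside the `recovery_only(` block that the `')` context line closes, so it only reaches the recovery/fastbootd image, which is the right scope.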
From: davidycchen Date: Tue, 15 Jun 2021 16:06:33 +0800 Subject: [PATCH 003/104] Allow twoshay to access fwk_stats_service and system_server avc: denied { find } for pid=813 uid=0 name=android.frameworks.stats.IStats/default scontext=u:r:twoshay:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:twoshay:s0 tcontext=u:r:system_server:s0 tclass=binder Bug: 179334953 Test: Make selinux_policy and push related files to the device. Signed-off-by: davidycchen Change-Id: Ib95debbc9ce10919c5f935e8f70b340bb293b54a --- whitechapel/vendor/google/twoshay.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index ad239702..f940d3aa 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te @@ -8,3 +8,6 @@ allow twoshay twoshay:capability sys_nice; binder_use(twoshay) add_service(twoshay, touch_context_service) + +allow twoshay fwk_stats_service:service_manager find; +binder_call(twoshay, stats_service_server) From 5201b7dd089efb6df183e5078ab7f8112e319384 Mon Sep 17 00:00:00 2001 From: Max Kogan Date: Wed, 14 Jul 2021 15:09:57 -0700 Subject: [PATCH 004/104] Add AoC wakeup stats to dump state Need add support for wakeup stats to track AoC to AP messages resulting in frequent wake-ups. Bug: 192988670 Signed-off-by: Max Kogan Change-Id: I5eec808ed2dba9996607151efe494a238491076d --- whitechapel/vendor/google/genfs_contexts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 42ff564a..ab67d9c7 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
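Review bot: The two new rules in twoshay.te carry no comment, so the reason twoshay needs the stats service (the IStats denials quoted only in the commit message) is lost once the patch lands. Add `# Report touch stats through android.frameworks.stats.IStats (b/179334953)` above `allow twoshay fwk_stats_service:service_manager find;`. `binder_call(twoshay, stats_service_server)` targets the attribute rather than system_server directly, which presumably matches the `tcontext=u:r:system_server:s0` denial only if system_server holds stats_service_server — worth confirming against the platform policy rather than assuming.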
@@ -7,6 +7,12 @@ genfscon sysfs /devices/platform/19000000.aoc/reset u:ob genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 From cd9ddb134b306e187bb174478e83c64fc33acd53 Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Thu, 29 Jul 2021 20:48:48 +0800 Subject: [PATCH 005/104] gs101: Remove vendor_sched Moved to system/sepolicy. Bug: 194656257 Test: build pass Change-Id: Ia5ea1bbc05bdc52b43cb403d99994bad70613e08 --- private/genfs_contexts | 3 --- public/file.te | 7 ------- 2 files changed, 10 deletions(-) delete mode 100644 private/genfs_contexts delete mode 100644 public/file.te diff --git a/private/genfs_contexts b/private/genfs_contexts deleted file mode 100644 index 448ca5e3..00000000 --- a/private/genfs_contexts +++ /dev/null @@ -1,3 +0,0 @@ -# Vendor sched files -genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 -genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 diff --git a/public/file.te b/public/file.te deleted file mode 100644 index 4c15c474..00000000 --- a/public/file.te +++ /dev/null 
@@ -1,7 +0,0 @@ -# Vendor sched files -type sysfs_vendor_sched, sysfs_type, fs_type; -userdebug_or_eng(` - typeattribute sysfs_vendor_sched mlstrustedobject; -') -type proc_vendor_sched, proc_type, fs_type; - From 5cc5d52bd758a3345fa6afd25c8ba1d8835617b0 Mon Sep 17 00:00:00 2001 From: Jiyong Park Date: Fri, 6 Aug 2021 19:58:01 +0900 Subject: [PATCH 006/104] Remove ndk_platform backend. Use the ndk backend. The ndk_platform backend will soon be deprecated because the ndk backend can serve the same purpose. This is to eliminate the confusion about having two variants (ndk and ndk_platform) for the same ndk backend. Bug: 161456198 Test: m Change-Id: Icc9af3798ac89742fa56b1cb37d8116d99b4a9c2 --- edgetpu/file_contexts | 4 ++-- whitechapel/vendor/google/file_contexts | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts index 9255e741..dcaacdcf 100644 --- a/edgetpu/file_contexts +++ b/edgetpu/file_contexts @@ -6,12 +6,12 @@ # EdgeTPU service binaries and libraries /system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 # EdgeTPU vendor service /vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 # EdgeTPU runtime libraries /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 11445e44..80575289 100644 
--- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -173,7 +173,7 @@ /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/pixel-power-ext-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 /dev/stmvl53l1_ranging u:object_r:rls_device:s0 @@ -374,7 +374,7 @@ /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Touch /dev/touch_offload u:object_r:touch_offload_device:s0 @@ -431,6 +431,6 @@ /vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0 # Statsd service to support EdgeTPU metrics logging service. -/vendor/lib64/android\.frameworks\.stats-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 From 8a586e678656b6359220ef208fc237ccf3823e2c Mon Sep 17 00:00:00 2001 From: Lucas Dupin Date: Wed, 11 Aug 2021 19:57:41 -0700 Subject: [PATCH 007/104] Allow boot color propagation Allows SystemUI to write the boot color sysprop Test: manual Bug: 190093578 Change-Id: I844a4dae87fe09a09ff3368c540ffab5f745d455 --- system_ext/private/platform_app.te | 2 ++ system_ext/private/property_contexts | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 system_ext/private/platform_app.te 
diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te new file mode 100644 index 00000000..10d6bba9 --- /dev/null +++ b/system_ext/private/platform_app.te @@ -0,0 +1,2 @@ +# allow systemui to set boot animation colors +set_prop(platform_app, bootanim_system_prop); diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 9f462bda..9cf97280 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,2 +1,8 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool + +# Boot animation dynamic colors +persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int From e212167642a8810c6e31768e327f51db8bdf99b5 Mon Sep 17 00:00:00 2001 From: horngchuang Date: Fri, 13 Aug 2021 18:35:16 +0800 Subject: [PATCH 008/104] sepolicy: gs101: Grant permission for more camera device nodes Bug: 193103432 Test: aosp camera Change-Id: Ic921200f05092c217d9c3d859ed33b5dc8e5b44b --- whitechapel/vendor/google/file_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 80575289..5cf443f3 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
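Review bot: `set_prop(platform_app, bootanim_system_prop);` grants the set permission to the whole platform_app domain — every app signed with the platform key — while the commit message describes only SystemUI, which has no domain of its own. That is unavoidable here, but state it so a later reader does not assume a narrower grant: `# SystemUI runs as platform_app, so every platform-signed app can set these; keep bootanim_system_prop limited to the persist.bootanim.color* props`. The trailing `;` after the macro call is unnecessary and inconsistent with the other macro invocations on this page (`binder_call(...)`, `dump_hal(...)`, `add_service(...)` are all written without one); drop it. The four `persist.bootanim.colorN ... exact int` entries in the property_contexts hunk correctly constrain the values to integers.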
@@ -192,6 +192,8 @@ /dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64s-imx355-inner u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64s-imx355-outer u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-rear u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-front u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0 @@ -218,6 +220,8 @@ /dev/lwis-sensor-imx355 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx355-inner u:object_r:lwis_device:s0 /dev/lwis-sensor-imx355-outer u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-rear u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-front u:object_r:lwis_device:s0 /dev/lwis-sensor-imx363 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx386 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx586 u:object_r:lwis_device:s0 From 941a3bcd44eb24c16dbf8ab100f4cc76aa4ca887 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Tue, 10 Aug 2021 21:10:00 +0800 Subject: [PATCH 009/104] sepolicy: gs101: allows dock power supply permission Bug: 196017001 Test: can dump dock power supply in dumpstate Signed-off-by: Jack Wu Change-Id: Ie2781da77da0f181665974c335998a6dcb0e8ad2 --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 15473d72..6c9eb2d1 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -22,6 +22,7 @@ genfscon sysfs /devices/platform/google,battery/power_supply/battery genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,cpm/ u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0 # Slider @@ -98,6 +99,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wake genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 From 515c17c4e351af9f72e7852a1884a63db3f93aca Mon Sep 17 00:00:00 2001 
From: Roshan Pius Date: Mon, 23 Aug 2021 08:55:07 -0700 Subject: [PATCH 010/104] gs101-sepolicy: Rename hal_uwb -> hal_uwb_vendor Since we are now creating an AOSP HAL for uwb. Rename qorvo's internal HAL to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules. Bug: 195308730 Test: Compiles Change-Id: Ief48eacde68b062b2199b20c0c1bb3af23795240 --- whitechapel/vendor/google/dumpstate.te | 2 +- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_uwb.te | 15 --------------- whitechapel/vendor/google/hal_uwb_default.te | 8 -------- whitechapel/vendor/google/hal_uwb_vendor.te | 15 +++++++++++++++ .../vendor/google/hal_uwb_vendor_default.te | 8 ++++++++ whitechapel/vendor/google/service.te | 2 +- whitechapel/vendor/google/service_contexts | 2 +- whitechapel/vendor/google/uwb_vendor_app.te | 10 +++++----- 9 files changed, 32 insertions(+), 32 deletions(-) delete mode 100644 whitechapel/vendor/google/hal_uwb.te delete mode 100644 whitechapel/vendor/google/hal_uwb_default.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor_default.te diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index d4dd87b0..cdf6e8ef 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -1,6 +1,6 @@ dump_hal(hal_telephony) dump_hal(hal_graphics_composer) -dump_hal(hal_uwb) +dump_hal(hal_uwb_vendor) userdebug_or_eng(` allow dumpstate media_rw_data_file:file append; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 5cf443f3..328a4b39 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -352,7 +352,7 @@ # Uwb # R4 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 +/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 # RILD files /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 diff --git a/whitechapel/vendor/google/hal_uwb.te b/whitechapel/vendor/google/hal_uwb.te deleted file mode 100644 index d0995686..00000000 --- a/whitechapel/vendor/google/hal_uwb.te +++ /dev/null @@ -1,15 +0,0 @@ -# HwBinder IPC from client to server -binder_call(hal_uwb_client, hal_uwb_server) -binder_call(hal_uwb_server, hal_uwb_client) - -hal_attribute_service(hal_uwb, hal_uwb_service) - -binder_call(hal_uwb_server, servicemanager) - -# allow hal_uwb to set wpan interfaces up and down -allow hal_uwb self:udp_socket create_socket_perms; -allowxperm hal_uwb self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; -allow hal_uwb self:global_capability_class_set { net_admin }; - -# allow hal_uwb to speak to nl802154 in the kernel -allow hal_uwb self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te deleted file mode 100644 index 2d513b61..00000000 --- a/whitechapel/vendor/google/hal_uwb_default.te +++ /dev/null @@ -1,8 +0,0 @@ -type hal_uwb_default, domain; -type hal_uwb_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_uwb_default) - -add_service(hal_uwb_default, hal_uwb_service) - -hal_server_domain(hal_uwb_default, hal_uwb) -binder_call(hal_uwb_default, uwb_vendor_app) diff --git a/whitechapel/vendor/google/hal_uwb_vendor.te b/whitechapel/vendor/google/hal_uwb_vendor.te new file mode 100644 index 00000000..ccfc1705 --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor.te 
@@ -0,0 +1,15 @@ +# HwBinder IPC from client to server +binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server) +binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client) + +hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service) + +binder_call(hal_uwb_vendor_server, servicemanager) + +# allow hal_uwb_vendor to set wpan interfaces up and down +allow hal_uwb_vendor self:udp_socket create_socket_perms; +allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; +allow hal_uwb_vendor self:global_capability_class_set { net_admin }; + +# allow hal_uwb_vendor to speak to nl802154 in the kernel +allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te new file mode 100644 index 00000000..31b392be --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te @@ -0,0 +1,8 @@ +type hal_uwb_vendor_default, domain; +type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_uwb_vendor_default) + +add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) + +hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) +binder_call(hal_uwb_vendor_default, uwb_vendor_app) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 99e99483..357dffe4 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,4 +1,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; -type hal_uwb_service, service_manager_type, vendor_service; +type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 687f8cc8..6fb9de1f 100644 
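Review bot: The new hal_uwb_vendor.te references the attributes `hal_uwb_vendor`, `hal_uwb_vendor_client` and `hal_uwb_vendor_server` (through `hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)` and the two `binder_call` lines), but none of the nine files in this patch's diffstat declares them — the `hal_attribute(uwb_vendor)` that would create all three is not visible anywhere in this series. An undeclared attribute fails policy compilation, and the commit says `Test: Compiles`, so the declaration presumably lives in an attributes.te outside this change; name that location in a comment at the top of the file, e.g. `# hal_uwb_vendor* attributes are declared via hal_attribute(uwb_vendor) in <attributes file — fill in>`, so the next rename does not have to hunt for it. The same applies to `hal_uwb_vendor_default.te` in the next hunk, which depends on the same attributes via `hal_server_domain`.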
--- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 -hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 +hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index ed53fd00..675ecdb6 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -5,18 +5,18 @@ app_domain(uwb_vendor_app) add_service(uwb_vendor_app, uwb_vendor_service) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb) +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow uwb_vendor_app app_api_service:service_manager find; -allow uwb_vendor_app hal_uwb_service:service_manager find; +allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app radio_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; -allow hal_uwb_default self:global_capability_class_set { sys_nice }; -allow hal_uwb_default kernel:process { setsched }; +allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice }; +allow hal_uwb_vendor_default kernel:process { setsched }; -binder_call(uwb_vendor_app, hal_uwb_default) +binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From 8383d9e13fe2f880c859041f7dc19ba94368ff7b Mon Sep 17 00:00:00 2001 
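Review bot: The renamed lines `allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice };` and `allow hal_uwb_vendor_default kernel:process { setsched };` are rules for the hal_uwb_vendor_default domain, yet they live in uwb_vendor_app.te inside the app's `not_recovery(` block. Since this commit already creates hal_uwb_vendor_default.te, moving those two lines there keeps each domain's rules in its own file and makes the HAL's capability grant (sys_nice is a privilege worth seeing in one place) visible next to its `init_daemon_domain`. Whether the `not_recovery` wrapper is still needed after the move depends on whether the HAL is built into recovery, which the page does not show. `binder_call(uwb_vendor_app, hal_uwb_vendor_default)` can stay with the app.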
From: Victor Liu Date: Wed, 18 Aug 2021 17:01:45 -0700 Subject: [PATCH 011/104] uwb: permissions for factory uwb calibration file add permission to: copy factory uwb calib files from persist to /data/vendor/uwb convert copied file to proper format for uwb stack to consume Bug: 195659525 Signed-off-by: Victor Liu Change-Id: I3e5282477fd391b483e03242ce0b806bd447dc54 --- whitechapel/vendor/google/file.te | 2 ++ whitechapel/vendor/google/file_contexts | 3 +++ whitechapel/vendor/google/hal_nfc_default.te | 3 +++ whitechapel/vendor/google/hal_uwb_vendor_default.te | 3 +++ whitechapel/vendor/google/vendor_uwb_init.te | 10 ++++++++++ 5 files changed, 21 insertions(+) create mode 100644 whitechapel/vendor/google/vendor_uwb_init.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index b8c22e12..9b4c95b4 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -185,6 +185,8 @@ type sysfs_video, sysfs_type, fs_type; # UWB vendor type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; +type persist_uwb_file, file_type, vendor_persist_type; +type uwb_data_vendor, file_type, data_file_type; # PixelStats_vendor type sysfs_pixelstats, fs_type, sysfs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 328a4b39..1ab52a02 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -353,6 +353,9 @@ # Uwb # R4 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 +/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 +/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 +/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 # RILD files /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te index f98e78c6..174b5383 100644 
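Review bot: The new type `uwb_data_vendor` breaks the naming pattern the surrounding labels use for /data/vendor paths (`uwb_vendor_data_file` on the context line directly above it, `rild_vendor_data_file` in the file_contexts hunk of the same patch), and it is easy to confuse with `uwb_vendor_data_file` at a glance. A name along the lines of `uwb_vendor_calib_data_file` would make its role and its relation to the app's type obvious; if renaming is not worth touching the hal_nfc_default.te, hal_uwb_vendor_default.te and vendor_uwb_init.te hunks, at least comment the two new lines: `# Factory UWB calibration: source in persist, converted copy under /data/vendor/uwb (b/195659525)`. The `vendor_persist_type` attribute on `persist_uwb_file` is the right choice for a persist-partition label.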
--- a/whitechapel/vendor/google/hal_nfc_default.te +++ b/whitechapel/vendor/google/hal_nfc_default.te @@ -7,3 +7,6 @@ set_prop(hal_nfc_default, vendor_secure_element_prop) # Modem property set_prop(hal_nfc_default, vendor_modem_prop) +# Access uwb cal for SecureRanging Applet +allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; +allow hal_nfc_default uwb_data_vendor:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te index 31b392be..f72e879d 100644 --- a/whitechapel/vendor/google/hal_uwb_vendor_default.te +++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te @@ -6,3 +6,6 @@ add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) binder_call(hal_uwb_vendor_default, uwb_vendor_app) + +allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms; +allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms; diff --git a/whitechapel/vendor/google/vendor_uwb_init.te b/whitechapel/vendor/google/vendor_uwb_init.te new file mode 100644 index 00000000..716af19c --- /dev/null +++ b/whitechapel/vendor/google/vendor_uwb_init.te @@ -0,0 +1,10 @@ +type vendor_uwb_init, domain; +type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(vendor_uwb_init) + +allow vendor_uwb_init vendor_shell_exec:file rx_file_perms; +allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms; + +allow vendor_uwb_init uwb_data_vendor:file create_file_perms; +allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms; From 8a5863ab6d6a65ff7b7e1ddcf48f3f75e0f42185 Mon Sep 17 00:00:00 2001 From: Mark Chang Date: Thu, 29 Jul 2021 16:31:03 +0800 Subject: [PATCH 012/104] sepolicy: Add "dontaudit" for twoshay dac_override. Bug: 198755236 Test: build pass and boot to home 
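Review bot: Nothing in this patch lets vendor_uwb_init read the source of the copy: `persist_uwb_file` is declared and applied to `/mnt/vendor/persist/uwb(/.*)?`, but the only file rules granted to vendor_uwb_init here are on `uwb_data_vendor`, and there is no rule naming `persist_uwb_file` or the directory types above it. Unless a blanket `vendor_persist_type` rule exists elsewhere in the tree (not visible on this page), the script's first step will be denied before anything is written to /data/vendor/uwb. Add, next to the two existing `uwb_data_vendor` rules, `allow vendor_uwb_init persist_uwb_file:dir r_dir_perms;` and `allow vendor_uwb_init persist_uwb_file:file r_file_perms;`, plus search on the parent directory types if they are not already covered. The read-only grants to hal_nfc_default in the previous hunk look correctly minimal for a consumer of the converted file.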
Signed-off-by: Mark Chang Change-Id: I5c330564cc026e113c5d33d5d093dbcdb3ede5e4 (cherry picked from commit a1aab562ca083f2531a551d1b228749d39f14368) --- whitechapel/vendor/google/twoshay.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index f940d3aa..eba1ccee 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te @@ -11,3 +11,6 @@ add_service(twoshay, touch_context_service) allow twoshay fwk_stats_service:service_manager find; binder_call(twoshay, stats_service_server) + +# b/198755236 +dontaudit twoshay twoshay:capability dac_override; From 82db60c2d4af0ead1bbc52082ea19f0cab0850d7 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Sep 2021 13:15:44 +0800 Subject: [PATCH 013/104] remove obsolete devices Bug: 196916111 Test: No file on the path Change-Id: If8e54bd161bc955424b40023d94f15bf6b82cc8f --- whitechapel/vendor/google/device.te | 5 ----- whitechapel/vendor/google/file_contexts | 6 ------ 2 files changed, 11 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bc3c9477..35833bf8 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -1,18 +1,13 @@ # Block Devices type efs_block_device, dev_type, bdev_type; -type fat_block_device, dev_type, bdev_type; type modem_block_device, dev_type, bdev_type; type modem_userdata_block_device, dev_type, bdev_type; type persist_block_device, dev_type, bdev_type; -type vendor_block_device, dev_type, bdev_type; type sda_block_device, dev_type, bdev_type; type mfg_data_block_device, dev_type, bdev_type; # Exynos devices -type vendor_m2m1shot_device, dev_type; type vendor_gnss_device, dev_type; -type vendor_nanohub_device, dev_type; -type vendor_secmem_device, dev_type; type vendor_toe_device, dev_type; type custom_ab_block_device, dev_type, bdev_type; type devinfo_block_device, dev_type, bdev_type; 
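Review bot: `dontaudit twoshay twoshay:capability dac_override;` silences the denial without recording what triggers it; the comment above it is only a bug number. A dac_override denial means the process opened a file whose DAC owner or mode does not permit the access, so the usual fix is correcting ownership/mode (or not opening the file) rather than hiding the audit, and a dontaudit on this capability also masks future, unrelated DAC mistakes in the same domain. If the access is intentionally refused and merely noisy, say so on the line: `# twoshay probes a file it is not meant to open; the denial is expected and harmless (b/198755236)`.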
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 13179922..86e308c7 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -42,13 +42,11 @@ /dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/fat u:object_r:fat_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vendor u:object_r:vendor_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 @@ -86,9 +84,6 @@ /dev/bbd_control u:object_r:vendor_gnss_device:s0 /dev/bbd_pwrstat u:object_r:power_stats_device:s0 /dev/ttyBCM u:object_r:vendor_gnss_device:s0 -/dev/nanohub u:object_r:vendor_nanohub_device:s0 -/dev/nanohub_comms u:object_r:vendor_nanohub_device:s0 -/dev/m2m1shot_scaler0 u:object_r:vendor_m2m1shot_device:s0 /dev/radio0 u:object_r:radio_device:s0 /dev/dri/card0 u:object_r:graphics_device:s0 /dev/fimg2d u:object_r:graphics_device:s0 @@ -131,7 +126,6 @@ # GPU device /dev/mali0 u:object_r:gpu_device:s0 -/dev/s5p-smem u:object_r:vendor_secmem_device:s0 # # Exynos Daemon Exec From d1dd6bac2a9045b64a0ec7e76c2590c9665ac2c6 Mon Sep 17 00:00:00 2001 
From: Philip Quinn Date: Wed, 25 Aug 2021 12:43:01 -0700 Subject: [PATCH 014/104] Move twoshay definitions to hardware/google/pixel-sepolicy/input. Bug: 187654303 Test: twoshay works on r4 Change-Id: Id2b0e1db3e1cb9ddf579ea7ed74493464d13fc84 --- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 ---- whitechapel/vendor/google/twoshay.te | 8 -------- 3 files changed, 15 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bc3c9477..27b04ec5 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -26,9 +26,6 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; -# Touch -type touch_offload_device, dev_type; - # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 13179922..f7bec37b 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -387,10 +387,6 @@ /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 -# Touch -/dev/touch_offload u:object_r:touch_offload_device:s0 -/vendor/bin/twoshay u:object_r:twoshay_exec:s0 - # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index eba1ccee..e3e71d30 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te 
@@ -1,11 +1,3 @@ -type twoshay, domain; -type twoshay_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(twoshay) - -allow twoshay touch_offload_device:chr_file rw_file_perms; -allow twoshay twoshay:capability sys_nice; - binder_use(twoshay) add_service(twoshay, touch_context_service) From 778f7da931ea093ac63c3b29353074ff8f83ee52 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 9 Sep 2021 13:05:36 +0800 Subject: [PATCH 015/104] label Extcon files Bug: 199218084 Test: Boot with target files labeled correctly Change-Id: I7d8c4ecb23a5717e2265cfd66b161fb46717615f --- whitechapel/vendor/google/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 6c9eb2d1..3ec57c2d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -315,3 +315,7 @@ genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_t genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 + +# Extcon +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 + From 7254de258a89495975a6fe3c9180496e9ee287c5 Mon Sep 17 00:00:00 2001 
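Review bot: The Extcon hunk ends with an empty added line after the new genfscon entry, so genfs_contexts now finishes with a trailing blank line; drop the final `+`. The entry also pins the max77759 TCPC to `i2c-6`; boards sharing this policy that enumerate the bus differently will need their own entries, so naming the board in the section comment, e.g. `# Extcon (max77759 TCPC, hsi2c bus 6)`, would keep the list maintainable as siblings are added.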
From: Jonglin Lee Date: Fri, 10 Sep 2021 21:23:57 +0000 Subject: [PATCH 016/104] Revert "Move twoshay definitions to hardware/google/pixel-sepoli..." Revert "Move twoshay definitions to hardware/google/pixel-sepoli..." Revert "Move twoshay definitions to hardware/google/pixel-sepoli..." Revert "Move twoshay definitions to hardware/google/pixel-sepoli..." Revert "Move sepolicy for _touchflow targets." Revert submission 15676823-reflector-sepolicy Reason for revert: breaking several builds in git_master-without-vendor Reverted Changes: Ifecfc81f0:Move twoshay definitions to hardware/google/pixel-... Idfd81131c:Move twoshay definitions to hardware/google/pixel-... Id2b0e1db3:Move twoshay definitions to hardware/google/pixel-... I43ac6337f:Move twoshay definitions to hardware/google/pixel-... If95e6e788:Move twoshay definitions to hardware/google/pixel-... I07ab95780:Move sepolicy for _touchflow targets. I01f378b51:Move sepolicy for _touchflow targets. Bug: 199548147 Change-Id: I84f106c24bd47fd171788301415c0eabafe9254f --- whitechapel/vendor/google/device.te | 3 +++ whitechapel/vendor/google/file_contexts | 4 ++++ whitechapel/vendor/google/twoshay.te | 8 ++++++++ 3 files changed, 15 insertions(+) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 27b04ec5..bc3c9477 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -26,6 +26,9 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; +# Touch +type touch_offload_device, dev_type; + # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f7bec37b..13179922 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -387,6 +387,10 @@ /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 +# Touch +/dev/touch_offload u:object_r:touch_offload_device:s0 +/vendor/bin/twoshay u:object_r:twoshay_exec:s0 + # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index e3e71d30..eba1ccee 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te @@ -1,3 +1,11 @@ +type twoshay, domain; +type twoshay_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(twoshay) + +allow twoshay touch_offload_device:chr_file rw_file_perms; +allow twoshay twoshay:capability sys_nice; + binder_use(twoshay) add_service(twoshay, touch_context_service) From f97138a6bb99b210eaff4eeba7b95a104664047b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 14 Sep 2021 13:35:19 +0800 Subject: [PATCH 017/104] organize wifi_sniffer Bug: 196916111 Test: boot with wifi_sniffer started Change-Id: If12fb0499c749e4e8379a5c2095fbf9cd2ca624e --- gs101-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index 989bb70b..8a9eded6 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -32,9 +32,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats # sscoredump BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump -# Sniffer Logger -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer - # Wifi Logger BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger From 9795c12e8f348d25bca4f3bfa166baf6d51ed4eb Mon Sep 17 00:00:00 2001 
From: Patty Date: Mon, 30 Aug 2021 18:02:43 +0800 Subject: [PATCH 018/104] Split bluetooth sepolicy file to avoid conflict - Move bluetooth related config to bluetooth folder Bug: 196308076 Test: make; boot with service btlinux started Change-Id: I8d40697f20a916fc154f0b60851abecd1deadc0d --- bluetooth/file_contexts | 2 ++ .../vendor/google => bluetooth}/hal_bluetooth_btlinux.te | 0 whitechapel/vendor/google/file_contexts | 1 - 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 bluetooth/file_contexts rename {whitechapel/vendor/google => bluetooth}/hal_bluetooth_btlinux.te (100%) diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts new file mode 100644 index 00000000..5bb9a33a --- /dev/null +++ b/bluetooth/file_contexts @@ -0,0 +1,2 @@ +# Bluetooth +/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/bluetooth/hal_bluetooth_btlinux.te similarity index 100% rename from whitechapel/vendor/google/hal_bluetooth_btlinux.te rename to bluetooth/hal_bluetooth_btlinux.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 11445e44..6aa2a0f6 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -294,7 +294,6 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0 # Bluetooth -/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 /dev/wbrc u:object_r:wb_coexistence_dev:s0 /dev/ttySAC16 u:object_r:hci_attach_dev:s0 /dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 From 2d2d6999d2a18590d9e55eb4dc4f22c959660fa7 Mon Sep 17 00:00:00 2001 
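Review bot: The relocated hal_bluetooth_btlinux.te and the new bluetooth/file_contexts are only compiled if the `bluetooth/` directory is listed in BOARD_SEPOLICY_DIRS, and this change does not touch gs101-sepolicy.mk; if that entry is not already present, the `hal_bluetooth_btlinux_exec` label referenced from bluetooth/file_contexts would no longer be defined anywhere. Worth confirming the makefile already picks the directory up, or adding a line like `BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/bluetooth` in the same change so the split cannot land half-applied.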
From: sukiliu Date: Wed, 15 Sep 2021 14:40:51 +0800 Subject: [PATCH 019/104] Update avc error on ROM 7733084 avc: denied { read } for comm="android.ui" name="extcon0" dev="sysfs" ino=72527 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 Bug: 199987074 Test: PtsSELinuxTestCases Change-Id: I1d160b06b4b0bba9402ae3de5f564d6f893505c1
---
 tracking_denials/system_server.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 tracking_denials/system_server.te
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
new file mode 100644
index 00000000..538ac241
--- /dev/null
+++ b/tracking_denials/system_server.te
@@ -0,0 +1,2 @@
+# b/199987074
+dontaudit system_server sysfs_batteryinfo:dir read;
From 22ed933f97c98d4f22315889bf189fa7330a265e Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Thu, 16 Sep 2021 10:02:11 +0800 Subject: [PATCH 020/104] label extcon files Bug: 199987074 Test: boot with no relevant errors Change-Id: Idd26d8675c332043b1066e3eba1706527254eb03
---
 tracking_denials/system_server.te | 2 --
 whitechapel/vendor/google/genfs_contexts | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 tracking_denials/system_server.te
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
deleted file mode 100644
index 538ac241..00000000
--- a/tracking_denials/system_server.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/199987074
-dontaudit system_server sysfs_batteryinfo:dir read;
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 3ec57c2d..59aa244d 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -318,4 +318,5 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time # Extcon genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 From 2bc80fd0e76114f72223f602190dd9b8e545b100 Mon Sep 17 00:00:00 2001 From: Arthur Ishiguro Date: Thu, 23 Sep 2021 08:01:59 -0700 Subject: [PATCH 021/104] Add Context Hub AIDL to gs101 sepolicy Bug: 194285834 Test: None Change-Id: I8f9ef02c51d3f06bbfa94e9ce006cd2a0ee59c73 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 9889fcef..a4c3eb40 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -249,7 +249,7 @@ /dev/aoc u:object_r:aoc_device:s0 # Contexthub -/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0 /dev/socket/chre u:object_r:chre_socket:s0 From 951ce82739f1fcdf610e0a368d1f39c2067a1ebd Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Fri, 24 Sep 2021 17:14:15 +0800 Subject: [PATCH 022/104] Using dontaudit to fix the avc on boot test avc: denied { search } for comm="kworker/6:2" name="google_battery" dev="debugfs" ino=32648 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_battery_debugfs:s0 tclass=dir permissive=1 Bug:200739262 Test: Check bugreport Change-Id: I50a96bab88f564fef0eda9a23bb77dc6ffed357f Signed-off-by: Ted Lin --- whitechapel/vendor/google/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te index 0156784e..c34e7f72 100644 
--- a/whitechapel/vendor/google/kernel.te
+++ b/whitechapel/vendor/google/kernel.te
@@ -7,3 +7,5 @@ allow kernel per_boot_file:file r_file_perms;
 # memlat needs permision to create/delete perf events when hotplug on/off
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
+
+dontaudit kernel vendor_battery_debugfs:dir search;
From d5ac0ac3cea5d896ffadb9f4abba9f798c59bfb6 Mon Sep 17 00:00:00 2001 From: Philip Quinn Date: Wed, 25 Aug 2021 12:43:01 -0700 Subject: [PATCH 023/104] Move twoshay definitions to hardware/google/pixel-sepolicy/input. Bug: 187654303 Test: twoshay works on R4, B3, P7 Change-Id: I2cada463fcbfd3b52230430b12b091a655e2abbb
---
 tracking_denials/dumpstate.te | 2 --
 whitechapel/vendor/google/device.te | 3 ---
 whitechapel/vendor/google/file_contexts | 4 ----
 .../vendor/google/hal_dumpstate_default.te | 3 ---
 whitechapel/vendor/google/platform_app.te | 3 ---
 whitechapel/vendor/google/service.te | 1 -
 whitechapel/vendor/google/service_contexts | 1 -
 whitechapel/vendor/google/twoshay.te | 16 ----------------
 8 files changed, 33 deletions(-)
 delete mode 100644 whitechapel/vendor/google/twoshay.te
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 1a3571bf..fa9d5cec 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,4 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/187795940
-dontaudit dumpstate twoshay:binder call;
 # b/190337283
 dontaudit dumpstate debugfs_wakeup_sources:file read;
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 1212d6ce..f5a47828 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
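Review bot: `dontaudit kernel vendor_battery_debugfs:dir search;` carries no bug reference, whereas the suppressions in tracking_denials/dumpstate.te on this page each start with their bug (`# b/185723618`); add `# b/200739262` above it so the suppression can be revisited. The quoted denial was captured with permissive=1 from a kworker merely searching the google_battery debugfs directory, so it is worth confirming that nothing in the kernel domain actually depends on that access before it is silenced rather than granted or the directory relabelled.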
@@ -21,9 +21,6 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; -# Touch -type touch_offload_device, dev_type; - # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index a27cdc2b..184f6c65 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -380,10 +380,6 @@ /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 -# Touch -/dev/touch_offload u:object_r:touch_offload_device:s0 -/vendor/bin/twoshay u:object_r:twoshay_exec:s0 - # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index b5608c16..612b3c0b 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -64,9 +64,6 @@ allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:lnk_file read; -allow hal_dumpstate_default touch_context_service:service_manager find; -binder_call(hal_dumpstate_default, twoshay) - # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 66e7721d..70480beb 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te 
@@ -13,9 +13,6 @@ allow platform_app uwb_service:service_manager find; allow platform_app fwk_stats_service:service_manager find; binder_use(platform_app) -allow platform_app touch_context_service:service_manager find; -binder_call(platform_app, twoshay) - # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 357dffe4..aa60e3f7 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,4 +1,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; -type touch_context_service, service_manager_type, vendor_service; type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 6fb9de1f..812105a6 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,3 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 -com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te deleted file mode 100644 index eba1ccee..00000000 --- a/whitechapel/vendor/google/twoshay.te +++ /dev/null 
@@ -1,16 +0,0 @@ -type twoshay, domain; -type twoshay_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(twoshay) - -allow twoshay touch_offload_device:chr_file rw_file_perms; -allow twoshay twoshay:capability sys_nice; - -binder_use(twoshay) -add_service(twoshay, touch_context_service) - -allow twoshay fwk_stats_service:service_manager find; -binder_call(twoshay, stats_service_server) - -# b/198755236 -dontaudit twoshay twoshay:capability dac_override; From d61f60e882198799b77d272b3b7044fabc5681ed Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 30 Sep 2021 14:25:57 +0800 Subject: [PATCH 024/104] centralize wifi_ext config Bug: 201599426 Test: boot with wifi_ext started Change-Id: I0638216a7100b26415a79e87cdb1a5a260f05baa --- gs101-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index 8a9eded6..8a302845 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -23,9 +23,6 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/priv # Dauntless (uses Citadel policy currently) BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel -# Wifi -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext - # PowerStats HAL BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats From 8f3fb5c47f64079a2c1c43eb02968511637fb00d Mon Sep 17 00:00:00 2001 
From: George Chang Date: Wed, 12 May 2021 20:57:09 +0800 Subject: [PATCH 025/104] Update SecureElement Sepolicy Add rules for sysfs_st33spi Separate hal_secure_element_st54spi and st33spi form default Bug: 193417907 Test: VtsHalSecureElementV1_2TargetTest, VtsHalSecureElementV1_1TargetTest, VtsHalSecureElementV1_0TargetTest, CtsOmapiTestCases Change-Id: I444af2e38fc120d173445bce48b7e4d381201a91 --- whitechapel/vendor/google/device.te | 4 ++++ whitechapel/vendor/google/euiccpixel_app.te | 9 ++++++--- whitechapel/vendor/google/fastbootd.te | 2 +- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/file_contexts | 10 ++++------ whitechapel/vendor/google/genfs_contexts | 4 ++++ .../vendor/google/hal_secure_element_default.te | 2 -- .../vendor/google/hal_secure_element_st33spi.te | 8 ++++++++ .../vendor/google/hal_secure_element_st54spi.te | 9 +++++++++ whitechapel/vendor/google/ofl_app.te | 9 ++++++--- whitechapel/vendor/google/recovery.te | 2 +- whitechapel/vendor/google/vendor_init.te | 1 + 12 files changed, 47 insertions(+), 16 deletions(-) create mode 100644 whitechapel/vendor/google/hal_secure_element_st33spi.te create mode 100644 whitechapel/vendor/google/hal_secure_element_st54spi.te diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 1212d6ce..764cc877 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -54,3 +54,7 @@ type battery_history_device, dev_type; # Raw HID device type hidraw_device, dev_type; +# SecureElement SPI device +type st54spi_device, dev_type; +type st33spi_device, dev_type; + diff --git a/whitechapel/vendor/google/euiccpixel_app.te b/whitechapel/vendor/google/euiccpixel_app.te index db3d0aed..b03b48db 100644 --- a/whitechapel/vendor/google/euiccpixel_app.te +++ b/whitechapel/vendor/google/euiccpixel_app.te 
@@ -14,8 +14,11 @@ set_prop(euiccpixel_app, vendor_modem_prop) userdebug_or_eng(` net_domain(euiccpixel_app) - # Access to directly upgrade firmware on secure_element used for engineering devices - typeattribute secure_element_device mlstrustedobject; - allow euiccpixel_app secure_element_device:chr_file rw_file_perms; + # Access to directly upgrade firmware on st54spi_device used for engineering devices + typeattribute st54spi_device mlstrustedobject; + allow euiccpixel_app st54spi_device:chr_file rw_file_perms; + # Access to directly upgrade firmware on st33spi_device used for engineering devices + typeattribute st33spi_device mlstrustedobject; + allow euiccpixel_app st33spi_device:chr_file rw_file_perms; ') diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index f9d09d95..d6cf7315 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te @@ -1,6 +1,6 @@ # Required by the bootcontrol HAL for the 'set_active' command. recovery_only(` -allow fastbootd secure_element_device:chr_file rw_file_perms; +allow fastbootd st54spi_device:chr_file rw_file_perms; allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 9b4c95b4..18a034c8 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -202,3 +202,6 @@ type sysfs_sjtag, fs_type, sysfs_type; userdebug_or_eng(` typeattribute sysfs_sjtag mlstrustedobject; ') + +# SecureElement +type sysfs_st33spi, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index a27cdc2b..c460e6a8 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -287,13 +287,11 @@ /data/nfc(/.*)? u:object_r:nfc_data_file:s0 # SecureElement -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st u:object_r:hal_secure_element_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_default_exec:s0 -/dev/st54j_se u:object_r:secure_element_device:s0 -/dev/st54spi u:object_r:secure_element_device:s0 -/dev/st33spi u:object_r:secure_element_device:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0 +/dev/st54spi u:object_r:st54spi_device:s0 +/dev/st33spi u:object_r:st33spi_device:s0 # Bluetooth /dev/wbrc u:object_r:wb_coexistence_dev:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 59aa244d..7d622e4a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -320,3 +320,7 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +# SecureElement +genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 +genfscon sysfs /devices/platform/175c0000.spi/spi_master/spi15/spi15.0/st33spi u:object_r:sysfs_st33spi:s0 + 
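Review bot: `/dev/st54j_se` is removed from the SecureElement block without a replacement entry, and after this hunk no visible file_contexts line still assigns `secure_element_device`, yet the following hal_secure_element_default.te hunk keeps `allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;`. If a board still exposes st54j_se it would fall back to the generic device label and the uicc HAL's rule would silently become dead, so either keep `/dev/st54j_se u:object_r:secure_element_device:s0` or drop the stale allow; which is right is not decidable from the diff. The `userdebug_or_eng` blocks in euiccpixel_app.te and ofl_app.te were updated to the new device types, so the eng-only firmware-upgrade paths stay consistent with the relabel.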
diff --git a/whitechapel/vendor/google/hal_secure_element_default.te b/whitechapel/vendor/google/hal_secure_element_default.te index dc048746..17a679d2 100644 --- a/whitechapel/vendor/google/hal_secure_element_default.te +++ b/whitechapel/vendor/google/hal_secure_element_default.te @@ -1,7 +1,5 @@ allow hal_secure_element_default secure_element_device:chr_file rw_file_perms; -allow hal_secure_element_default nfc_device:chr_file rw_file_perms; set_prop(hal_secure_element_default, vendor_secure_element_prop) -set_prop(hal_secure_element_default, vendor_nfc_prop) set_prop(hal_secure_element_default, vendor_modem_prop) # Allow hal_secure_element_default to access rild diff --git a/whitechapel/vendor/google/hal_secure_element_st33spi.te b/whitechapel/vendor/google/hal_secure_element_st33spi.te new file mode 100644 index 00000000..a5978f20 --- /dev/null +++ b/whitechapel/vendor/google/hal_secure_element_st33spi.te @@ -0,0 +1,8 @@ +type hal_secure_element_st33spi, domain; +hal_server_domain(hal_secure_element_st33spi, hal_secure_element) +type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type; + +allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms; +set_prop(hal_secure_element_st33spi, vendor_secure_element_prop) + +init_daemon_domain(hal_secure_element_st33spi) diff --git a/whitechapel/vendor/google/hal_secure_element_st54spi.te b/whitechapel/vendor/google/hal_secure_element_st54spi.te new file mode 100644 index 00000000..7f6ea41b --- /dev/null +++ b/whitechapel/vendor/google/hal_secure_element_st54spi.te 
@@ -0,0 +1,9 @@ +type hal_secure_element_st54spi, domain; +hal_server_domain(hal_secure_element_st54spi, hal_secure_element) +type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; +allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; +allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; +set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) +set_prop(hal_secure_element_st54spi, vendor_nfc_prop) +set_prop(hal_secure_element_st54spi, vendor_modem_prop) +init_daemon_domain(hal_secure_element_st54spi) diff --git a/whitechapel/vendor/google/ofl_app.te b/whitechapel/vendor/google/ofl_app.te index e3f61408..a9498165 100644 --- a/whitechapel/vendor/google/ofl_app.te +++ b/whitechapel/vendor/google/ofl_app.te @@ -11,7 +11,10 @@ userdebug_or_eng(` allow ofl_app radio_service:service_manager find; allow ofl_app surfaceflinger_service:service_manager find; - # Access to directly update firmware on secure_element - typeattribute secure_element_device mlstrustedobject; - allow ofl_app secure_element_device:chr_file rw_file_perms; + # Access to directly update firmware on st54spi_device + typeattribute st54spi_device mlstrustedobject; + allow ofl_app st54spi_device:chr_file rw_file_perms; + # Access to directly update firmware on st33spi_device + typeattribute st33spi_device mlstrustedobject; + allow ofl_app st33spi_device:chr_file rw_file_perms; ') diff --git a/whitechapel/vendor/google/recovery.te b/whitechapel/vendor/google/recovery.te index 4687a43c..1974ebb1 100644 --- a/whitechapel/vendor/google/recovery.te +++ b/whitechapel/vendor/google/recovery.te @@ -1,4 +1,4 @@ recovery_only(` allow recovery sysfs_ota:file rw_file_perms; - allow recovery secure_element_device:chr_file rw_file_perms; + allow recovery st54spi_device:chr_file rw_file_perms; ') diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index c1db5e43..321da078 100644 
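Review bot: `allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;` together with the `vendor_nfc_prop` and `vendor_modem_prop` set_prop lines gives this domain access that the parallel hal_secure_element_st33spi domain does not get, and that this same commit removes from hal_secure_element_default, but nothing in the file says why an eSE HAL needs the NFC device node. A one-line comment above those rules stating the dependency would let a later audit decide whether the grant is still required. The file also lacks the blank-line grouping used in hal_secure_element_st33spi.te; matching it would make the two siblings easier to compare.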
--- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -18,6 +18,7 @@ allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; allow vendor_init bootdevice_sysdev:file create_file_perms; allow vendor_init block_device:lnk_file setattr; +allow vendor_init sysfs_st33spi:file w_file_perms; userdebug_or_eng(` set_prop(vendor_init, logpersistd_logging_prop) From 17881f3a38eb5a6c8b2ab48215489989c000649e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 8 Oct 2021 11:06:49 +0800 Subject: [PATCH 026/104] reorganize pixelstats_vendor Bug: 202462997 Test: boot with pixelstats_vendor started Change-Id: I8582ac4e83720768ee7992d41bdac0798da892d9 --- whitechapel/vendor/google/file_contexts | 3 --- whitechapel/vendor/google/pixelstats_vendor.te | 6 ------ 2 files changed, 9 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index aec51ec9..f8648be0 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -362,9 +362,6 @@ /dev/dit2 u:object_r:vendor_toe_device:s0 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service u:object_r:hal_tetheroffload_default_exec:s0 -# pixelstats binary -/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 - # battery history /dev/battery_history u:object_r:battery_history_device:s0 diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 96bd9325..f0cca685 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -1,9 +1,3 @@ -# pixelstats vendor -type pixelstats_vendor, domain; - -type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(pixelstats_vendor) - unix_socket_connect(pixelstats_vendor, chre, chre) get_prop(pixelstats_vendor, hwservicemanager_prop) 
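Review bot: `allow vendor_init sysfs_st33spi:file w_file_perms;` is added without a comment, while the surrounding vendor_init rules are grouped and explained by purpose; since sysfs_st33spi labels the whole st33spi sysfs subtree on both SPI buses (see the genfs_contexts hunk of this commit), a line such as `# SecureElement: init.rc writes the st33spi sysfs node (<attribute placeholder>)` naming what is written would document why init needs write rather than read access. The init.rc change that motivates the rule is not part of this diff, so the exact attribute cannot be confirmed here.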
From a03f3b1a50b304596f2cc0b2126c69405824cfaa Mon Sep 17 00:00:00 2001 From: David Brazdil Date: Wed, 6 Oct 2021 17:33:57 +0000 Subject: [PATCH 027/104] Assign pkvm_enabler to vendor_misc_writer domain Builds of gs101 targets with pKVM force-enabled have an init service which checks that /dev/kvm exists and if not, runs misc_writer to instruct the bootloader to enable pKVM, and forces a reboot. Assign the binary to the existing vendor_misc_writer domain and add permission to execute the /vendor/bin/misc_writer binary. Since this is for tests only, the rules are only added to targets that define TARGET_PKVM_ENABLED. Bug: 192819132 Test: flash a _pkvm build, observe double-reboot, check /dev/kvm exists Change-Id: I5f9962e4cdd3ec267ab19ea4485e4e94a3ec15cd
---
 gs101-sepolicy.mk | 5 +++++
 pkvm/file_contexts | 1 +
 pkvm/vendor_misc_writer.te | 2 ++
 3 files changed, 8 insertions(+)
 create mode 100644 pkvm/file_contexts
 create mode 100644 pkvm/vendor_misc_writer.te
diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
index 8a302845..b9b3b8c5 100644
--- a/gs101-sepolicy.mk
+++ b/gs101-sepolicy.mk
@@ -34,3 +34,8 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger
 # Public
 PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
+
+# pKVM
+ifeq ($(TARGET_PKVM_ENABLED),true)
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm
+endif
diff --git a/pkvm/file_contexts b/pkvm/file_contexts
new file mode 100644
index 00000000..310aad4d
--- /dev/null
+++ b/pkvm/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/pkvm_enabler u:object_r:vendor_misc_writer_exec:s0
diff --git a/pkvm/vendor_misc_writer.te b/pkvm/vendor_misc_writer.te
new file mode 100644
index 00000000..b9b4ceb1
--- /dev/null
+++ b/pkvm/vendor_misc_writer.te
@@ -0,0 +1,2 @@
+# Allow pkvm_enabler to execute misc_writer.
+allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans;
From 6e818988b6bc8d86f6f54f71232845d571617fb8 Mon Sep 17 00:00:00 2001
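Review bot: `allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans;` deliberately runs misc_writer in the caller's domain rather than through a domain transition, and because pkvm_enabler shares the vendor_misc_writer_exec label the permission is symmetric (either binary may exec the other without a transition); the comment should record that this is intended, e.g. `# pkvm_enabler is labelled vendor_misc_writer_exec; it execs misc_writer in the same domain (no transition).` The rules are gated only by TARGET_PKVM_ENABLED in gs101-sepolicy.mk, not by userdebug_or_eng, so if the description's "for tests only" is meant literally that gating is worth double-checking against how the flag is set for shipping builds.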
From: qinyiyan Date: Tue, 12 Oct 2021 13:53:44 -0700 Subject: [PATCH 028/104] Allow the NNAPI HAL to access edgetpu_app_service. 10-12 14:40:11.528 759 759 W Binder:759_1: type=1400 audit(0.0:23): avc: denied { call } for scontext=u:r:hal_neuralnetworks_darwinn:s0 tcontext=u:r:edgetpu_app_server:s0 tclass=binder permissive=0 10-12 18:17:04.678 440 440 E SELinux : avc: denied { find } for pid=753 uid=1000 name=com.google.edgetpu.IEdgeTpuAppService/default scontext=u:r:hal_neuralnetworks_darwinn:s0 tcontext=u:object_r:edgetpu_app_service:s0 tclass=service_manager permissive=0 Test: rebuilt the selinux_policy. The AVC denials don't show up. Bug: 196697793 Change-Id: If43f7411a3324f65323ea004e34878f070d9ebeb
---
 edgetpu/hal_neuralnetworks_darwinn.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te
index b45a7059..18960713 100644
--- a/edgetpu/hal_neuralnetworks_darwinn.te
+++ b/edgetpu/hal_neuralnetworks_darwinn.te
@@ -43,3 +43,7 @@ allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms;
 # Allows the logging service to access /sys/class/edgetpu
 allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms;
 allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms;
+
+# Allows the NNAPI HAL to access the edgetpu_app_service
+allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find;
+binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);
From 3a1c10bb76b1d14b7b26b367748359df28a70947 Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Fri, 8 Oct 2021 14:55:37 -0700 Subject: [PATCH 029/104] Stop using the bdev_type and sysfs_block_type SELinux attributes Stop using these attributes since these will be removed soon. This commit reverts 37b574130114 ("Add the 'bdev_type' attribute to all block device types"). Bug: 202520796 Test: Untested. Change-Id: I00f10d1fd164b6ca01ecd5cffd2012acfc05eeca
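Review bot: `binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);` ends a macro invocation with a semicolon, unlike every other macro call on this page (e.g. `binder_call(twoshay, stats_service_server)`); after m4 expansion the `;` is left over as an empty statement, and whether the policy compiler tolerates that depends on the parser, so drop it: `binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server)`. The added `find` on edgetpu_app_service plus the call permission extends the NNAPI HAL's reach to an app-facing service; naming in the comment which HAL code path needs it would make the grant easier to re-evaluate later.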
Signed-off-by: Bart Van Assche --- whitechapel/vendor/google/device.te | 16 ++++++++-------- whitechapel/vendor/google/file.te | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 6fcfd0d0..058174d7 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -1,16 +1,16 @@ # Block Devices -type efs_block_device, dev_type, bdev_type; -type modem_block_device, dev_type, bdev_type; -type modem_userdata_block_device, dev_type, bdev_type; -type persist_block_device, dev_type, bdev_type; -type sda_block_device, dev_type, bdev_type; -type mfg_data_block_device, dev_type, bdev_type; +type efs_block_device, dev_type; +type modem_block_device, dev_type; +type modem_userdata_block_device, dev_type; +type persist_block_device, dev_type; +type sda_block_device, dev_type; +type mfg_data_block_device, dev_type; # Exynos devices type vendor_gnss_device, dev_type; type vendor_toe_device, dev_type; -type custom_ab_block_device, dev_type, bdev_type; -type devinfo_block_device, dev_type, bdev_type; +type custom_ab_block_device, dev_type; +type devinfo_block_device, dev_type; # usbpd type logbuffer_device, dev_type; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 8447cf5b..90098249 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -78,7 +78,7 @@ type updated_wifi_firmware_data_file, file_type, data_file_type; type mediadrm_vendor_data_file, file_type, data_file_type; # Storage Health HAL -type sysfs_scsi_devices_0000, sysfs_type, fs_type, sysfs_block_type; +type sysfs_scsi_devices_0000, sysfs_type, fs_type; type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; From 5c28519e40e06a650eaa4440b006184898a1f2dc Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 12 Oct 2021 11:34:29 +0800 Subject: [PATCH 030/104] move bluetooth related types to bluetooth Bug: 202790744 Test: boot with bluetooth hal started Change-Id: I615d4b13262af2bc2c044914e595a7c2085999d2 --- bluetooth/device.te | 3 +++ bluetooth/file_contexts | 4 ++++ bluetooth/genfs_contexts | 7 +++++++ bluetooth/hwservice.te | 3 +++ bluetooth/hwservice_contexts | 5 +++++ whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 +--- whitechapel/vendor/google/genfs_contexts | 6 ------ whitechapel/vendor/google/hwservice.te | 3 --- whitechapel/vendor/google/hwservice_contexts | 5 ----- 10 files changed, 23 insertions(+), 20 deletions(-) create mode 100644 bluetooth/device.te create mode 100644 bluetooth/genfs_contexts create mode 100644 bluetooth/hwservice.te create mode 100644 bluetooth/hwservice_contexts diff --git a/bluetooth/device.te b/bluetooth/device.te new file mode 100644 index 00000000..a2563322 --- /dev/null +++ b/bluetooth/device.te @@ -0,0 +1,3 @@ +# Bt Wifi Coexistence device +type wb_coexistence_dev, dev_type; + diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts index 5bb9a33a..d4681dbd 100644 --- a/bluetooth/file_contexts +++ b/bluetooth/file_contexts @@ -1,2 +1,6 @@ # Bluetooth /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 + +/dev/wbrc u:object_r:wb_coexistence_dev:s0 +/dev/ttySAC16 u:object_r:hci_attach_dev:s0 + diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts new file mode 100644 index 00000000..607e1462 --- /dev/null +++ b/bluetooth/genfs_contexts 
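Review bot: bluetooth/device.te ends with an added empty line (the bare `+` after the `wb_coexistence_dev` type), and the same trailing blank is added to bluetooth/file_contexts, bluetooth/genfs_contexts, bluetooth/hwservice.te and bluetooth/hwservice_contexts, which the whitechapel files the rules were cut from did not carry. Since this is otherwise a pure move, the new files should end at their last rule; drop the trailing blank lines.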
@@ -0,0 +1,7 @@ +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0 + diff --git a/bluetooth/hwservice.te b/bluetooth/hwservice.te new file mode 100644 index 00000000..5e36cd0c --- /dev/null +++ b/bluetooth/hwservice.te @@ -0,0 +1,3 @@ +# Bluetooth HAL extension +type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; + diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts new file mode 100644 index 00000000..df77e6f8 --- /dev/null +++ b/bluetooth/hwservice_contexts @@ -0,0 +1,5 @@ +# Bluetooth HAL extension +hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 +hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 +hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 + diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 6fcfd0d0..59e1eaba 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -18,9 +18,6 @@ type logbuffer_device, dev_type; #cpuctl type cpuctl_device, dev_type; -# Bt Wifi Coexistence device -type wb_coexistence_dev, dev_type; - # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f8648be0..70a37ee0 100644 --- a/whitechapel/vendor/google/file_contexts 
+++ b/whitechapel/vendor/google/file_contexts @@ -294,9 +294,7 @@ /dev/st33spi u:object_r:st33spi_device:s0 # Bluetooth -/dev/wbrc u:object_r:wb_coexistence_dev:s0 -/dev/ttySAC16 u:object_r:hci_attach_dev:s0 -/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 /dev/logbuffer_tty16 u:object_r:logbuffer_device:s0 # Audio diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 82e5d700..ea4a4e83 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -126,12 +126,6 @@ genfscon sysfs /devices/platform/cp-tm1/cp_temp u # Bluetooth genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0 # ODPM genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te index 7ac98578..a3a3ead1 100644 --- a/whitechapel/vendor/google/hwservice.te +++ b/whitechapel/vendor/google/hwservice.te 
@@ -16,9 +16,6 @@ type hal_audio_ext_hwservice, hwservice_manager_type; # WLC type hal_wlc_hwservice, hwservice_manager_type; -# Bluetooth HAL extension -type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; - # Fingerprint type hal_fingerprint_ext_hwservice, hwservice_manager_type; diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts index 0bcb1f64..30207772 100644 --- a/whitechapel/vendor/google/hwservice_contexts +++ b/whitechapel/vendor/google/hwservice_contexts @@ -23,11 +23,6 @@ vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_a # Wireless charger hal vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 -# Bluetooth HAL extension -hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 - # Fingerprint vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0 From e6c87533b8cb5d522e0551fadb8118145af44fe0 Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Fri, 15 Oct 2021 18:11:41 -0700 Subject: [PATCH 031/104] Allow exo_app to find Virtual Device manager Bug: 194949534 Test: Manual Change-Id: I529b9eaf0d2a058a0653ec388d0e1f5abad9d094 --- ambient/exo_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/ambient/exo_app.te b/ambient/exo_app.te index ef928f65..3a88eebb 100644 --- a/ambient/exo_app.te +++ b/ambient/exo_app.te 
@@ -10,6 +10,7 @@ allow exo_app mediaserver_service:service_manager find; allow exo_app radio_service:service_manager find; allow exo_app fwk_stats_service:service_manager find; allow exo_app mediametrics_service:service_manager find; +allow exo_app virtual_device_service:service_manager find; allow exo_app gpu_device:dir search; allow exo_app uhid_device:chr_file rw_file_perms; From c8220eea823629d7482ccceb5a313204d0d93496 Mon Sep 17 00:00:00 2001 From: Super Liu Date: Thu, 21 Oct 2021 14:19:06 +0800 Subject: [PATCH 032/104] Add touch procfs and sysfs sepolicy. Bug: 193467774 Test: TH build pass. Signed-off-by: Super Liu Change-Id: I25c4d9422966e8603f12222e93ca7b6d6ea6f566 --- whitechapel/vendor/google/genfs_contexts | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index ea4a4e83..f58ed38f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -108,6 +108,17 @@ genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 genfscon proc /fts/driver_test u:object_r:proc_touch:s0 genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/input/input2 u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/input/input3 u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/input/nvt_touch u:object_r:sysfs_touch:s0 +genfscon proc /nvt_baseline u:object_r:proc_touch:s0 +genfscon proc /nvt_cc_uniformity u:object_r:proc_touch:s0 +genfscon proc /nvt_diff u:object_r:proc_touch:s0 +genfscon proc /nvt_fw_version u:object_r:proc_touch:s0 +genfscon proc /nvt_heatmap u:object_r:proc_touch:s0 +genfscon proc /nvt_pen_diff u:object_r:proc_touch:s0 +genfscon proc /nvt_raw u:object_r:proc_touch:s0 +genfscon proc /nvt_selftest u:object_r:proc_touch:s0 # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 From d60240f50401213c76b9dea22cb0a7cf89390ae1 Mon Sep 17 00:00:00 2001 From: qinyiyan Date: Fri, 29 Oct 2021 15:04:31 -0700 Subject: [PATCH 033/104] Grant selinux permission to com.google.edgetpu_app_service-V2-ndk.so Bug: 204528053 Test: forrest build with the change. AVC denials don't show up. Change-Id: Ic3fafeb749156967d772d5288ecf99a44ebc7031 --- edgetpu/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts index dcaacdcf..386e7b34 100644 --- a/edgetpu/file_contexts +++ b/edgetpu/file_contexts 
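Review bot: The new `genfscon sysfs /devices/virtual/input/input2` and `.../input3` entries label sysfs nodes by enumerated input index rather than by a device-specific name; that index is presumably assigned in registration order, so whichever input device happens to enumerate second or third receives the sysfs_touch label and becomes reachable by every domain allowed on sysfs_touch. The `nvt_touch` entry on the following line shows the stable form; if a stable path exists for these two nodes it should be used, otherwise record the assumption next to them, e.g. `# input2/input3: assumes the touch controller registers as the 2nd/3rd virtual input device; re-check when input devices change`.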
@@ -6,7 +6,7 @@ # EdgeTPU service binaries and libraries /system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 # EdgeTPU vendor service From 9a94f84d7b6f513789747486b5a822359ba5d825 Mon Sep 17 00:00:00 2001 From: Sean Wang Date: Tue, 2 Nov 2021 06:02:29 +0000 Subject: [PATCH 034/104] Grant selinux permission to com.google.edgetpu_vendor_service-V2-ndk.so This change is related to ag/16062268 with modifications to the edgetpu_vendor_service Bug: 198131843 Test: tested on oriole Change-Id: Ic512e5878a4d6af3aeaa939868b07dd449948f45 --- edgetpu/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts index 386e7b34..04f8491f 100644 --- a/edgetpu/file_contexts +++ b/edgetpu/file_contexts @@ -11,7 +11,7 @@ # EdgeTPU vendor service /vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0 # EdgeTPU runtime libraries /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 From 18d2a96a115b42c6da7f964b3126642dcf8f4e97 Mon Sep 17 00:00:00 2001 From: Michael Ayoubi Date: Thu, 11 Nov 2021 00:02:08 +0000 Subject: [PATCH 035/104] Allow uwb_vendor_app to get SE properties Bug: 205770401 Test: Build and flash on device. Change-Id: Ic98f394434fad12e7d8ef804ecfd694a55ee8190 --- whitechapel/vendor/google/uwb_vendor_app.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index 675ecdb6..8822343c 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -17,6 +17,7 @@ allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice }; allow hal_uwb_vendor_default kernel:process { setsched }; +get_prop(uwb_vendor_app, vendor_secure_element_prop) binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From c0ad9b7e8a1d5dd707b4c9284afc9c7810f55c72 Mon Sep 17 00:00:00 2001 From: Albert Wang Date: Fri, 12 Nov 2021 14:32:17 +0800 Subject: [PATCH 036/104] Allow suspend_control to access xHCI wakeup node Bug: 205138535 Test: n/a Signed-off-by: Albert Wang Change-Id: I6e012fea56c50656c8f26216199459092dcfc0f9 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index f93bc487..9addc141 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -101,6 +101,7 @@ genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 From 002907fb12d1af03c0b02d75764658cdae15160a Mon Sep 17 00:00:00 2001 
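Review bot: The added `get_prop(uwb_vendor_app, vendor_secure_element_prop)` sits inside a macro block whose opening line is outside the hunk (only the closing `')` is visible), so whether the app can read the secure element property on all build variants depends on which macro encloses it, while the commit message reads as an unconditional grant. Confirm the placement is intended, and in either case add a comment above the rule naming what the app reads from it, e.g. `# read secure element properties (b/205770401)`.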
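Review bot: The new path `/devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup` embeds an auto-numbered device name (`.5.auto`), which, unlike the fixed `11110000.usb`/`11110000.dwc3` addresses on the surrounding lines, presumably changes if device registration order changes between kernel builds; if it does, the node silently falls back to the generic sysfs label and suspend_control loses access with nothing in the policy to show why. Suggest a comment recording the dependency: `# xhci-hcd-exynos.N.auto: N is assigned at probe time; re-check after kernel updates`.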
From: yixuanjiang Date: Tue, 16 Nov 2021 14:38:20 +0800 Subject: [PATCH 037/104] aoc: add audio property for audio aocdump feature Bug: 204080552 Test: local Signed-off-by: yixuanjiang Change-Id: I79b960cf5e88856c37f7901d718ac8f14e44b812 --- whitechapel/vendor/google/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 18a6059c..ac829149 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -60,6 +60,7 @@ persist.vendor.audio. u:object_r:vendor_audio_prop:s0 vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0 vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0 vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 +vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 # for display From d7947930ec57e6b4ace7c2d697f77f1d5eb14dbb Mon Sep 17 00:00:00 2001 From: chenpaul Date: Fri, 5 Nov 2021 16:33:32 +0800 Subject: [PATCH 038/104] Remove wifi_logger related sepolicy settings Due to the fact that /vendor/bin/wifi_logger no longer exists on the P21 master branch any more, we remove obsolete sepolicy. Bug: 201599426 Test: wlan_logger in Pixel Logger is workable Change-Id: I22d99c3577f3cceb786e2ffd01c327a67d420202 --- gs101-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index b9b3b8c5..d8b19689 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -29,9 +29,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats # sscoredump BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump -# Wifi Logger -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger - # Public PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public From 68ffcb774d50d951d57983537ecb50ffdbd03aca Mon Sep 17 00:00:00 2001 
From: Randall Huang Date: Tue, 23 Nov 2021 11:08:27 +0800 Subject: [PATCH 039/104] Fix health HAL avc denied when running idle-maint Log: avc: denied { read } for comm="android.hardwar" name="wb_avail_buf" dev="sysfs" ino=59061 scontext=u:r:hal_health_storage_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 206741894 Test: adb shell sm idle-maint run Signed-off-by: Randall Huang Change-Id: I79e7763df16816e6799f288d2f8b7e26c204cbc4 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 9addc141..3f888564 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -63,6 +63,7 @@ genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 # Networking / Tethering genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee802154/phy0/net u:object_r:sysfs_net:s0 From 4075287498706dcd322b52de4f85692bb35c3c32 Mon Sep 17 00:00:00 2001 
From: Rick Yiu Date: Thu, 25 Nov 2021 21:54:47 +0800 Subject: [PATCH 040/104] gs101-sepolicy: Fix avc denials Fix below and other potential denials 11-21 10:10:43.984 3417 3417 I auditd : type=1400 audit(0.0:4): avc: denied { write } for comm=4173796E635461736B202332 path="/sys/kernel/vendor_sched/set_task_group_fg" dev="sysfs" ino=44511 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=file permissive=0 app=com.google.android.pixel.setupwizard 11-21 10:10:44.840 3976 3976 I auditd : type=1400 audit(0.0:10): avc: denied { write } for comm="StallDetector-1" path="/sys/kernel/vendor_sched/set_task_group_fg" dev="sysfs" ino=44511 scontext=u:r:untrusted_app_30:s0:c170,c256,c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=file permissive=0 app=com.google.android.inputmethod.latin 11-21 18:10:51.280 5595 5595 I auditd : type=1400 audit(0.0:102): avc: denied { write } for comm="SharedPreferenc" path="/sys/kernel/vendor_sched/set_task_group_fg" dev="sysfs" ino=44511 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=file permissive=0 app=com.google.android.gms Bug: 206970384 Test: make selinux_policy pass Change-Id: I7c981ef0516dc5be93ec825768de57c15786b4bd --- private/gmscore_app.te | 1 + private/priv_app.te | 1 + whitechapel/vendor/google/logger_app.te | 1 + whitechapel/vendor/google/mediaprovider.te | 1 + whitechapel/vendor/google/shell.te | 1 + whitechapel/vendor/google/untrusted_app_all.te | 1 + 6 files changed, 6 insertions(+) diff --git a/private/gmscore_app.te b/private/gmscore_app.te index fa20f247..3968de30 100644 --- a/private/gmscore_app.te +++ b/private/gmscore_app.te @@ -1,2 +1,3 @@ # b/177389198 dontaudit gmscore_app adbd_prop:file *; +dontaudit gmscore_app sysfs_vendor_sched:file write; diff --git a/private/priv_app.te b/private/priv_app.te index 2ef1f969..de2a4f28 100644 --- a/private/priv_app.te +++ b/private/priv_app.te 
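Review bot: The new `dontaudit gmscore_app sysfs_vendor_sched:file write;` carries no reference explaining why the write attempt is expected and deliberately left unpermitted, while the line above it documents its rule with `# b/177389198`; the same applies to the parallel lines added in priv_app.te, logger_app.te, mediaprovider.te, shell.te and untrusted_app_all.te. A silenced denial is invisible to anyone later auditing why app domains touch /sys/kernel/vendor_sched, so add above each `# b/206970384: apps probe set_task_group_fg; the write is intentionally not allowed`.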
@@ -17,3 +17,4 @@ dontaudit priv_app ab_update_gki_prop:file { getattr }; dontaudit priv_app ab_update_gki_prop:file { map }; dontaudit priv_app adbd_prop:file { open }; dontaudit priv_app adbd_prop:file { getattr }; +dontaudit priv_app sysfs_vendor_sched:file write; diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index 8c8f5197..d091cff0 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -25,4 +25,5 @@ userdebug_or_eng(` dontaudit logger_app default_prop:file { read }; dontaudit logger_app sysfs_vendor_sched:dir search; + dontaudit logger_app sysfs_vendor_sched:file write; ') diff --git a/whitechapel/vendor/google/mediaprovider.te b/whitechapel/vendor/google/mediaprovider.te index a1b629f8..835593fc 100644 --- a/whitechapel/vendor/google/mediaprovider.te +++ b/whitechapel/vendor/google/mediaprovider.te @@ -1 +1,2 @@ dontaudit mediaprovider sysfs_vendor_sched:dir search; +dontaudit mediaprovider sysfs_vendor_sched:file write; diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index aa4dfa44..abc2f2cc 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -7,3 +7,4 @@ userdebug_or_eng(` ') dontaudit shell sysfs_vendor_sched:dir search; +dontaudit shell sysfs_vendor_sched:file write; diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index 04229ff6..dda81542 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te @@ -3,3 +3,4 @@ allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; dontaudit untrusted_app_all sysfs_vendor_sched:dir search; +dontaudit untrusted_app_all sysfs_vendor_sched:file write; From 02a20e025f823ad846cd91713488eb0b7f9e266f Mon Sep 17 00:00:00 2001 
From: joenchen Date: Fri, 19 Nov 2021 13:23:43 +0000 Subject: [PATCH 041/104] Label min_vrefresh and idle_delay_ms as sysfs_display Bug: 202567084 Test: Check the files label by "adb shell ls -Z" Change-Id: I29243751ab5f38eca5d8e4221122764f79c75e04 --- whitechapel/vendor/google/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index f0663808..588b786e 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -130,6 +130,10 @@ genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 From 11c8ad745aca354b7e9cddbe817eb5bdcd0abea4 Mon Sep 17 00:00:00 2001 
From: Cliff Wu Date: Mon, 22 Nov 2021 23:40:57 +0800 Subject: [PATCH 042/104] Update the sepolicy for exo_camera_injection v1.1 - Update exo_camera_injection hal service from 1.0 to 1.1. - Selinux avc log: avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0. Bug: 202092371 Test: Verified exo_camera_injection provider service use cases function as expected; no denials. Change-Id: Ica94a00db580356158d94af2ae6dbe9c9a81be0a --- whitechapel/vendor/google/exo_camera_injection/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/exo_camera_injection/file_contexts b/whitechapel/vendor/google/exo_camera_injection/file_contexts index cfcbd6ff..98627c63 100644 --- a/whitechapel/vendor/google/exo_camera_injection/file_contexts +++ b/whitechapel/vendor/google/exo_camera_injection/file_contexts @@ -1 +1 @@ -/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.0-service u:object_r:hal_exo_camera_injection_exec:s0 +/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.1-service u:object_r:hal_exo_camera_injection_exec:s0 From 8f356044ffd6c71ecaa2e68ea6358a74c7d2aa2c Mon Sep 17 00:00:00 2001 From: Super Liu Date: Thu, 9 Dec 2021 14:35:51 +0800 Subject: [PATCH 043/104] Allow vendor init to read gesture_prop. Bug: 209713977 Bug: 193467627 Test: local test. Signed-off-by: Super Liu Change-Id: I7f061f550bcf6c3a61b5528e8c21eae8567e677b --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 321da078..8b66b73b 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -1,3 +1,4 @@ +get_prop(vendor_init, gesture_prop) set_prop(vendor_init, vendor_camera_prop) set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) 
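Review bot: The hunk only relabels the 1.1 service binary, yet the commit message quotes a `default_prop` read denial for hal_camera_default that no line here addresses; if that denial is fixed by a property change elsewhere the message should say so, and if it is not, the Test line's "no denials" claim needs re-checking. Also note the old `@1\.0-service` pattern is removed rather than widened to `@1\.[01]-service`, so a build that still ships the 1.0 binary would presumably leave it with the default vendor label and unable to start in the HAL domain; fine if 1.0 is gone everywhere, but worth stating.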
From 0b5b4a969204dd32a41a741f7a87c24769445ad1 Mon Sep 17 00:00:00 2001 From: Cyan_Hsieh Date: Mon, 20 Dec 2021 10:09:58 +0800 Subject: [PATCH 044/104] Add pvmfw to custom_ab_block_device Bug: 211070100 Change-Id: Icd8f6d1837b8124bd8cd7b3d59d43b755455bae6 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 70a37ee0..d7ac4461 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -66,6 +66,7 @@ /dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 From 5521fb530c0f2d157e27c2ffb3515dd9bc693ce7 Mon Sep 17 00:00:00 2001 From: Yifan Hong Date: Wed, 5 Jan 2022 23:08:07 -0800 Subject: [PATCH 045/104] Implement health AIDL HAL. Test: VTS Test: manual charger mode Test: recovery Bug: 213273090 Change-Id: Iabaf31644f4406092a881841fb4084499fb4de89 --- gs101-sepolicy.mk | 3 +++ health/file_contexts | 1 + 2 files changed, 4 insertions(+) create mode 100644 health/file_contexts diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index d8b19689..d33fcd4e 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk 
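Review bot: Labeling `pvmfw_[ab]` as custom_ab_block_device puts the protected-VM firmware partition in the same type as ldfw/pbl/reclaim/tzsw, so every domain granted rw on custom_ab_block_device can now write it; if that is the intended update path it is fine, but nothing in the hunk or in the message (which also lacks a Test: line) records the decision, and a dedicated type would be the way to keep pvmfw writability narrower than the other firmware slots if that is ever wanted. Suggest a comment on the new line such as `# pvmfw is flashed/updated through the same A/B path as the other custom_ab partitions`.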
@@ -36,3 +36,6 @@ PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
 ifeq ($(TARGET_PKVM_ENABLED),true)
 BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm
 endif
+
+# Health HAL
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/health
diff --git a/health/file_contexts b/health/file_contexts
new file mode 100644
index 00000000..55321741
--- /dev/null
+++ b/health/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.health-service\.gs101 u:object_r:hal_health_default_exec:s0
From b0880417ff61e31f3e11f8b25d8f8517985afb1e Mon Sep 17 00:00:00 2001
From: Joel Galenson
Date: Tue, 21 Dec 2021 07:27:03 -0800
Subject: [PATCH 046/104] Include core policy OWNERS.
Test: None
Change-Id: I053d84eba7695fe125783b536421d43117b3f16d
(cherry picked from commit b287da183eec3806b1705469ba5395fc5be7f959)
---
 OWNERS | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/OWNERS b/OWNERS
index a24d5fb4..791abb4a 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,11 +1,3 @@
-adamshih@google.com
-alanstokes@google.com
-bowgotsai@google.com
-jbires@google.com
-jeffv@google.com
-jgalenson@google.com
-jiyong@google.com
+include platform/system/sepolicy:/OWNERS
+
 rurumihong@google.com
-sspatil@google.com
-smoreland@google.com
-trong@google.com
From c876449a7b834cff5b397584f634281880952e75 Mon Sep 17 00:00:00 2001
From: Matt Buckley
Date: Sat, 8 Jan 2022 00:00:58 +0000
Subject: [PATCH 047/104] Allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
For the hardware composer and surfaceflinger to coordinate on certain features, it is necessary for the hardware composer to be able to read the surface_flinger_native_boot_prop to know what should be enabled.
Bug: b/195990840
Test: None
Change-Id: I41e1aa0f80c1138cf46f4f139253158b005a8634
---
 display/gs101/hal_graphics_composer_default.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index 1bea8b50..c1eac9ce 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -28,6 +28,9 @@ get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop) # allow HWC to get vendor_display_prop get_prop(hal_graphics_composer_default, vendor_display_prop) +# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags +get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) + # allow HWC to access vendor_displaycolor_service add_service(hal_graphics_composer_default, vendor_displaycolor_service) From b69ac35ff006cccbeee26f299826c32104fe1934 Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 14 Dec 2021 14:33:56 -0800 Subject: [PATCH 048/104] Allow TEE storageproxyd permissions needed for DSU handling Allows the vendor TEE access to GSI metadata files (which are publicly readable). Storageproxyd needs access to this metadata to determine if a GSI image is currently booted. Also allows the TEE domain to make new directories in its data path. Test: access /metadata/gsi/dsu/booted from storageproxyd Bug: 203719297 Merged-In: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b Change-Id: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b --- whitechapel/vendor/google/storageproxyd.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index d6acb458..76552d04 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te 
@@ -8,6 +8,10 @@ allow tee persist_ss_file:file create_file_perms; allow tee persist_ss_file:dir create_dir_perms; allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; +allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; allow tee sg_device:chr_file rw_file_perms; allow tee self:capability { setgid setuid }; + +# Allow storageproxyd access to gsi_public_metadata_file +read_fstab(tee) From 400b93eb0bc296fd4bb483a566bbdd3c5fe6ec51 Mon Sep 17 00:00:00 2001 From: Jagadeesh Pakaravoor Date: Thu, 7 Oct 2021 07:57:23 -0700 Subject: [PATCH 049/104] camera_hal: allow changing kthread priority Allow changing kthread priority during insmod for camera-hal/LWIS. Bug: 199950581 Test: boot, local camera testing Change-Id: If59bfe101cab17854a5472ef388411bd19ef0a68 --- whitechapel/vendor/google/init-insmod-sh.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te index 9b2da73d..0e60196e 100644 --- a/whitechapel/vendor/google/init-insmod-sh.te +++ b/whitechapel/vendor/google/init-insmod-sh.te @@ -7,6 +7,9 @@ allow init-insmod-sh sysfs_leds:dir r_dir_perms; allow init-insmod-sh vendor_kernel_modules:system module_load; allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; +allow init-insmod-sh self:capability sys_nice; +allow init-insmod-sh kernel:process setsched; + set_prop(init-insmod-sh, vendor_device_prop) userdebug_or_eng(` From 51735ba3ab65065bd79676c4b0e74f970ba1ea90 Mon Sep 17 00:00:00 2001 
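Review bot: `allow tee tee_data_file:dir rw_dir_perms;` does not include the `create` permission, so the "make new directories in its data path" goal from the description is only met if `create` on tee_data_file:dir is already granted somewhere outside this hunk; otherwise mkdir needs `create_dir_perms` or at minimum `create` on top of the directory write perms. The comment `# Allow storageproxyd access to gsi_public_metadata_file` also describes only one effect of `read_fstab(tee)`; the macro's name implies a wider set of fstab-related reads, so the comment should describe the macro rather than a single file, e.g. `# read_fstab: let storageproxyd read fstab/GSI metadata to detect a booted DSU image (b/203719297)`.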
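Review bot: The two new rules `allow init-insmod-sh self:capability sys_nice;` and `allow init-insmod-sh kernel:process setsched;` carry no comment, while the description ties them to LWIS kthread priority during insmod; add `# Allow adjusting camera-hal/LWIS kthread priority during insmod (b/199950581)` above them. It is also worth recording that `kernel:process setsched` applies to every thread in the kernel domain, not only the LWIS ones, since the labeling offers no finer split; a comment saying so discourages widening the grant further later. The `userdebug_or_eng(` block at the end of the hunk continues outside it.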
From: Badhri Jagan Sridharan Date: Tue, 19 Oct 2021 13:26:34 -0700 Subject: [PATCH 050/104] android.hardware.usb.IUsb AIDL migration android.hardware.usb.IUsb is migrated to AIDL and runs in its own process. android.hardware.usb.gadget.IUsbGadget is now published in its own exclusive process (android.hardware.usb.gadget-service). Creating file_context and moving the selinux linux rules for IUsbGadget implementation. Bug: 200993386 Change-Id: Ia8c24610244856490c8271433710afb57d3da157 --- whitechapel/vendor/google/file_contexts | 3 ++- whitechapel/vendor/google/hal_usb_gadget_impl.te | 14 ++++++++++++++ whitechapel/vendor/google/hal_usb_impl.te | 5 ----- whitechapel/vendor/google/system_server.te | 1 + 4 files changed, 17 insertions(+), 6 deletions(-) create mode 100644 whitechapel/vendor/google/hal_usb_gadget_impl.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index d7ac4461..f0719770 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -7,7 +7,8 @@ /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs101 u:object_r:hal_usb_impl_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.gs101 u:object_r:hal_usb_impl_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.gs101 u:object_r:hal_usb_gadget_impl_exec:s0 /(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0 /(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 
diff --git a/whitechapel/vendor/google/hal_usb_gadget_impl.te b/whitechapel/vendor/google/hal_usb_gadget_impl.te new file mode 100644 index 00000000..5170a8ae --- /dev/null +++ b/whitechapel/vendor/google/hal_usb_gadget_impl.te @@ -0,0 +1,14 @@ +type hal_usb_gadget_impl, domain; +hal_server_domain(hal_usb_gadget_impl, hal_usb) +hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) + +type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_gadget_impl) + +allow hal_usb_gadget_impl configfs:dir { create rmdir }; +allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; +set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) + +allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; +allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; +allow hal_usb_gadget_impl sysfs_extcon:dir search; diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index ec640c29..736f2cc3 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te @@ -1,14 +1,9 @@ type hal_usb_impl, domain; hal_server_domain(hal_usb_impl, hal_usb) -hal_server_domain(hal_usb_impl, hal_usb_gadget) type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_usb_impl) -allow hal_usb_impl configfs:dir { create rmdir }; -allow hal_usb_impl functionfs:dir { watch watch_reads }; -set_prop(hal_usb_impl, vendor_usb_config_prop) - allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_impl sysfs_extcon:dir search; diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te index b2563949..abae67c1 100644 --- a/whitechapel/vendor/google/system_server.te +++ b/whitechapel/vendor/google/system_server.te 
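Review bot: `hal_server_domain(hal_usb_gadget_impl, hal_usb)` gives the new gadget process the full hal_usb server attribute even though the description says IUsb now runs in the separate hal_usb_impl process; if hal_usb_gadget_impl only publishes IUsbGadget, that line is surplus privilege and `hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)` alone is sufficient. The new file also has no header comment; `# IUsbGadget AIDL service (android.hardware.usb.gadget-service.gs101)` above the type declaration would tie the domain to the binary labeled in file_contexts.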
@@ -3,6 +3,7 @@ binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); # Allow system server to find vendor uwb service allow system_server uwb_vendor_service:service_manager find; +allow system_server hal_usb_service:service_manager find; # pixelstats_vendor/OrientationCollector binder_call(system_server, pixelstats_vendor) From 472abdcd5dd33e472d13e3feb0010ab368cf8c58 Mon Sep 17 00:00:00 2001 From: Badhri Jagan Sridharan Date: Fri, 21 Jan 2022 17:03:14 -0800 Subject: [PATCH 051/104] Remove redundant rule in system_server.te hal_client_domain(system_server, hal_usb) covers the needed rule. Bug: 200993386 Test: Boot up target to check for selinux denials. Signed-off-by: Badhri Jagan Sridharan Change-Id: If9803a028babb38a6ed0ce5f87a5c7d1eec8e598 --- whitechapel/vendor/google/system_server.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te index abae67c1..b2563949 100644 --- a/whitechapel/vendor/google/system_server.te +++ b/whitechapel/vendor/google/system_server.te @@ -3,7 +3,6 @@ binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); # Allow system server to find vendor uwb service allow system_server uwb_vendor_service:service_manager find; -allow system_server hal_usb_service:service_manager find; # pixelstats_vendor/OrientationCollector binder_call(system_server, pixelstats_vendor) From b9ad182d4a05d9e4fd39534de26d5413c01ed451 Mon Sep 17 00:00:00 2001 From: Junkyu Kang Date: Fri, 21 Jan 2022 07:14:07 +0000 Subject: [PATCH 052/104] Add persist.vendor.gps to sepolicy Bug: 196002632 Test: PixelLogger can modify persist.vendor.gps.* Change-Id: I3fdaf564eacec340003eed0b5845a2c08922362c --- whitechapel/vendor/google/property_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index ac829149..149a91be 100644 
--- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -73,7 +73,8 @@ vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for gps -vendor.gps u:object_r:vendor_gps_prop:s0 +vendor.gps. u:object_r:vendor_gps_prop:s0 +persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # SecureElement persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 From ec2a9fb8fcfd8321d8e827ca0af93e0a58bd0704 Mon Sep 17 00:00:00 2001 From: Ankit Goyal Date: Wed, 26 Jan 2022 15:19:45 -0800 Subject: [PATCH 053/104] Rename vulkan library to be platform agnostic Bug: 174232579 Test: Boots to home Change-Id: I39d633e79896d7196ca7011dd7e017950248e2d8 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f0719770..70cfb3f1 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -372,7 +372,7 @@ /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Fingerprint From a2d6a19bcd019ebf062e3e5eb5c7ce1fd57e5430 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Tue, 1 Feb 2022 08:22:51 -0800 Subject: [PATCH 054/104] Allow logd to read the Trusty log Bug: 190050919 Test: build Change-Id: I8a42cd90b1581272f4dafc37d6eb29a98e1fa2e3 --- whitechapel/vendor/google/logd.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 whitechapel/vendor/google/logd.te 
diff --git a/whitechapel/vendor/google/logd.te b/whitechapel/vendor/google/logd.te
new file mode 100644
index 00000000..cc55e204
--- /dev/null
+++ b/whitechapel/vendor/google/logd.te
@@ -0,0 +1,2 @@
+r_dir_file(logd, logbuffer_device)
+allow logd logbuffer_device:chr_file r_file_perms;
From dcb05d137710334260ede5871e32d73cfc4bc53b Mon Sep 17 00:00:00 2001
From: Jack Wu Date: Wed, 9 Feb 2022 17:40:10 +0800 Subject: [PATCH 055/104] sepolicy: gs101: fix charger_vendor permission denied [ 27.025458][ T443] type=1400 audit(1644391560.640:11): avc: denied { search } for comm="android.hardwar" name="vendor" dev="tmpfs" ino=2 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0 [ 26.563658][ T447] type=1400 audit(1644397622.588:5): avc: denied { search } for comm="android.hardwar" name="/" dev="sda1" ino=2 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0 [ 27.198144][ T442] type=1400 audit(1644398156.152:5): avc: denied { search } for comm="android.hardwar" name="battery" dev="sda1" ino=12 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=0 [ 27.327035][ T443] type=1400 audit(1644398785.276:5): avc: denied { read } for comm="android.hardwar" name="defender_active_time" dev="sda1" ino=17 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=file permissive=0 [ 27.355009][ T443] type=1400 audit(1644398785.276:6): avc: denied { write } for comm="android.hardwar" name="defender_charger_time" dev="sda1" ino=16 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=file permissive=0 [ 26.771705][ T444] type=1400 audit(1644379988.804:4): avc: denied { read } for comm="android.hardwar" name="specification_version" dev="sysfs" ino=56257 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 [ 27.898684][ T445] type=1400 audit(1644392754.928:8): avc: denied { read } for comm="android.hardwar" name="thermal_zone6" dev="sysfs" ino=15901 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0 [ 29.180076][ T447] type=1400 audit(1644397625.200:9): avc: denied { write } for comm="android.hardwar" name="mode" dev="sysfs" ino=15915 scontext=u:r:charger_vendor:s0 
tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 [ 27.043845][ T444] type=1400 audit(1644379988.808:9): avc: denied { search } for comm="android.hardwar" name="thermal" dev="tmpfs" ino=899 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:thermal_link_device:s0 tclass=dir permissive=0 [ 27.064916][ T444] type=1400 audit(1644379988.808:10): avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_battery_defender_prop:s0" dev="tmpfs" ino=306 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:vendor_battery_defender_prop:s0 tclass=file permissive=0 [ 27.356266][ T444] type=1107 audit(1644404450.376:4): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.battery.defender.state pid=457 uid=1000 gid=1000 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:vendor_battery_defender_prop:s0 tclass=property_service permissive=0' Bug: 218485039 Test: manually test, no avc: denied Signed-off-by: Jack Wu Change-Id: I091dbbca35fb833e59fdbc234d74b90bfe74014c --- whitechapel/vendor/google/charger_vendor.te | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 whitechapel/vendor/google/charger_vendor.te diff --git a/whitechapel/vendor/google/charger_vendor.te b/whitechapel/vendor/google/charger_vendor.te new file mode 100644 index 00000000..7b914da1 --- /dev/null +++ b/whitechapel/vendor/google/charger_vendor.te @@ -0,0 +1,9 @@ +allow charger_vendor mnt_vendor_file:dir search; +allow charger_vendor persist_file:dir search; +allow charger_vendor persist_battery_file:dir search; +allow charger_vendor persist_battery_file:file rw_file_perms; +allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms; +allow charger_vendor sysfs_thermal:file w_file_perms; +allow charger_vendor sysfs_thermal:lnk_file read; +allow charger_vendor thermal_link_device:dir search; +set_prop(charger_vendor, vendor_battery_defender_prop) From 05eb29e217141d84585325971b43a05c0e2ac7b5 Mon Sep 17 00:00:00 2001 
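Review bot: `allow charger_vendor sysfs_thermal:file w_file_perms;` grants write to every node carrying the sysfs_thermal label, while the denial quoted in the description is a single write to a thermal zone `mode` file; if only that node is needed, a dedicated genfscon label for it keeps the grant scoped, and if the broad label is unavoidable the rule should at least carry a comment naming the node. The new file has no comments at all; each rule should cite the denial it clears, e.g. `# b/218485039: battery defender state files under persist` above the persist_battery_file rules.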
From: Ricky Niu Date: Mon, 14 Feb 2022 15:22:04 +0800 Subject: [PATCH 056/104] Add hal_usb_impl permission Add hal_usb_impl get below permission allow hal_usb_impl configfs:dir rw_dir_perms; allow hal_usb_impl configfs:file create_file_perms; avc denied 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4882): avc: denied { search } for name="/" dev="configfs" ino=13419 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4883): avc: denied { write } for name="g1" dev="configfs" ino=38003 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4884): avc: denied { add_name } for name="UDC" scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4885): avc: denied { create } for name="UDC" scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=file permissive=1 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4886): avc: denied { write } for name="UDC" dev="configfs" ino=106988 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=file permissive=1 Bug: 218997592 Signed-off-by: Ricky Niu Change-Id: I854479cef1a0b8ad518814fb9d20558cf52202e7 --- whitechapel/vendor/google/hal_usb_impl.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index 736f2cc3..6b6d19f6 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te 
@@ -4,6 +4,8 @@ hal_server_domain(hal_usb_impl, hal_usb) type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_usb_impl) +allow hal_usb_impl configfs:dir rw_dir_perms; +allow hal_usb_impl configfs:file create_file_perms; allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_impl sysfs_extcon:dir search; From 32307ac30d43c31a01d92dda241a1f7d58f94acf Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Wed, 16 Feb 2022 16:17:22 +0800 Subject: [PATCH 057/104] Allow composer to read panel_idle sysfs node Change panel_idle selinux type to sysfs_display to allow composer can read it. Bug: 198808492 Bug: 219857957 Test: ls -Z to check selinux type Test: make sure init(write) and composer(read) can access it Change-Id: I77ae701a73a047b26b4ebb3c9d482c8cb9220999 --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index bbf63fdf..ecc583d6 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -138,6 +138,8 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 
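Review bot: The two configfs rules are broader than the quoted denials: `create_file_perms` on configfs:file also covers unlink, rename and setattr where the log shows only create and write on `UDC`, and `rw_dir_perms` on the whole configfs tree re-grants hal_usb_impl part of the configfs access that the earlier IUsb/IUsbGadget split moved into hal_usb_gadget_impl. If IUsb genuinely has to write the UDC node, a narrower set such as `{ create write open }` on the file class, plus a comment recording why both USB processes touch configfs, would keep the split meaningful; whether the dir rule needs more than `{ search write add_name }` is not shown by the denials.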
From cb04f5981fc59d8e826079fa1f914ceda986e67d Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Tue, 15 Feb 2022 17:01:48 +0000 Subject: [PATCH 058/104] whitechapel: sepolicy for Widevine AIDL HAL Bug: 219538389 Test: atest GtsMediaTestCases Change-Id: I431554dcbef014f8235f048ee062a218a2131f9c --- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/service_contexts | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 70cfb3f1..69eb9fd3 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -1,7 +1,7 @@ # # Exynos HAL # -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.4-service\.widevine u:object_r:hal_drm_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 812105a6..92fe3e99 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,3 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 +android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 From 5e2e26114854c92f4ef652506ca7c63afe9275e6 Mon Sep 17 00:00:00 2001 
From: Shubham Dubey Date: Mon, 21 Feb 2022 10:22:32 +0000 Subject: [PATCH 059/104] Temporarily don't audit hal_fingerprint to fix avc denial Fix: 220263520 Change-Id: Ic06981fdc071c5027e6ccd137c1a2d19b9366c98 --- tracking_denials/hal_fingerprint_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te index 9a2d37e5..3939b28a 100644 --- a/tracking_denials/hal_fingerprint_default.te +++ b/tracking_denials/hal_fingerprint_default.te @@ -1,3 +1,5 @@ +#b/220263520 +dontaudit hal_fingerprint_default vendor_default_prop:property_service set; # b/183338543 dontaudit hal_fingerprint_default system_data_root_file:file { read }; dontaudit hal_fingerprint_default default_prop:file { getattr }; From acd4220ac9776c06c362fef5c884382104b30ab7 Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Sun, 20 Feb 2022 17:51:54 +0800 Subject: [PATCH 060/104] Allow composer to read panel_idle_handle_exit sysfs node Change panel_idle_exit_handle selinux type to sysfs_display to allow composer to access it. Bug: 202182467 Test: ls -Z to check selinux type Test: composer can access it in enforce mode Change-Id: I5ca811f9500dc452fe6832dd772376da51f675a8 --- whitechapel/vendor/google/genfs_contexts | 26 +++++++++++++----------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index ecc583d6..9f4e1fbc 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -130,18 +130,20 @@ genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0 # Display -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms 
u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 From e0c6120237de82a0e5690f434994f23a3724a721 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Tue, 1 Mar 2022 12:07:13 +0800 Subject: [PATCH 061/104] Add sepolicy rules for fingerprint hal Fix the following avc denial: avc: denied { set } for property=vendor.gf.cali.state pid=1152 uid=1000 gid=1000 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0' Bug: 219372997 Bug: 220263520 Test: No above avc denial in logcat. Change-Id: I93ace30c67e04bc836bfba050028a1f25af641d5 --- tracking_denials/hal_fingerprint_default.te | 2 -- whitechapel/vendor/google/hal_fingerprint_default.te | 4 +--- whitechapel/vendor/google/property.te | 2 +- whitechapel/vendor/google/property_contexts | 3 ++- whitechapel/vendor/google/vendor_init.te | 4 +--- 5 files changed, 5 insertions(+), 10 deletions(-) 
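Review bot: The subject names `panel_idle_handle_exit` and the description `panel_idle_exit_handle`, but the node labeled in this hunk is `panel_need_handle_idle_exit`; one of the three should be corrected so the commit can be found by the real sysfs path. The realignment of the unchanged display lines also hides the two real additions inside a 26-line diff; separating whitespace changes from labeling changes would make the review of the genfs_contexts additions easier.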
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te index 3939b28a..9a2d37e5 100644 --- a/tracking_denials/hal_fingerprint_default.te +++ b/tracking_denials/hal_fingerprint_default.te @@ -1,5 +1,3 @@ -#b/220263520 -dontaudit hal_fingerprint_default vendor_default_prop:property_service set; # b/183338543 dontaudit hal_fingerprint_default system_data_root_file:file { read }; dontaudit hal_fingerprint_default default_prop:file { getattr }; diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index 6dedfce8..b2378682 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -8,9 +8,7 @@ allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms; allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms; allow hal_fingerprint_default fwk_stats_service:service_manager find; get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) -userdebug_or_eng(` - get_prop(hal_fingerprint_default, vendor_fingerprint_fake_prop) -') +set_prop(hal_fingerprint_default, vendor_fingerprint_prop) add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) # allow fingerprint to access power hal diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index bb0894fc..e98973f2 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -48,7 +48,7 @@ vendor_internal_prop(vendor_touchpanel_prop) vendor_internal_prop(vendor_tcpdump_log_prop) # Fingerprint -vendor_internal_prop(vendor_fingerprint_fake_prop) +vendor_internal_prop(vendor_fingerprint_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 149a91be..cdbe1bc4 100644 --- a/whitechapel/vendor/google/property_contexts 
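Review bot: Replacing the userdebug_or_eng-guarded `get_prop(hal_fingerprint_default, vendor_fingerprint_fake_prop)` with an unconditional `set_prop(hal_fingerprint_default, vendor_fingerprint_prop)` widens the HAL's access in two directions at once: from read to write, and from debug builds to user builds. Together with this commit's property_contexts hunk, which maps the whole `vendor.fingerprint.` prefix (covering the former `vendor.fingerprint.disable.fake`) and `vendor.gf.` to vendor_fingerprint_prop, the HAL can now set the fake-fingerprint control property on production builds if anything still honours it. If only `vendor.gf.cali.state` needs to be writable, keep the fake property under a separate debug-only type and scope the new set_prop to a type that covers just the `vendor.gf.` prefix; the same applies to the vendor_init.te hunk.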
+++ b/whitechapel/vendor/google/property_contexts @@ -105,7 +105,8 @@ vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_pr vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0 # Fingerprint -vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 +vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 +vendor.gf. u:object_r:vendor_fingerprint_prop:s0 # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index f8731c04..dfd8e996 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -34,6 +34,4 @@ get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_battery_defender_prop) # Fingerprint property -userdebug_or_eng(` - set_prop(vendor_init, vendor_fingerprint_fake_prop) -') +set_prop(vendor_init, vendor_fingerprint_prop) From e5cf8beff3cf214b4fbaa5725feeb0e22f9398a5 Mon Sep 17 00:00:00 2001 From: Robert Lee Date: Thu, 24 Feb 2022 10:32:47 +0800 Subject: [PATCH 062/104] Fix selinux error for aocd allow write permission to fix following error auditd : type=1400 audit(0.0:4): avc: denied { write } for comm="aocd" name="aoc" dev="tmpfs" ino=497 scontext=u:r:aocd:s0 tcontext=u:object_r:aoc_device:s0 tclass=chr_file permissive=0 Bug: 198490099 Test: no avc deny when enable no_ap_restart Change-Id: Ia72ee36137d78f969c28bf22647443cef45d186a Signed-off-by: Robert Lee --- whitechapel/vendor/google/aocd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/aocd.te b/whitechapel/vendor/google/aocd.te index 79add165..69b0af0d 100644 --- a/whitechapel/vendor/google/aocd.te +++ b/whitechapel/vendor/google/aocd.te 
@@ -12,7 +12,7 @@ allow aocd sysfs_aoc:dir search; allow aocd sysfs_aoc_firmware:file w_file_perms; # dev operations -allow aocd aoc_device:chr_file r_file_perms; +allow aocd aoc_device:chr_file rw_file_perms; # allow inotify to watch for additions/removals from /dev allow aocd device:dir r_dir_perms; From 34c5b9b239833c8c728308a6cf009b99ac1ab921 Mon Sep 17 00:00:00 2001 From: Roshan Pius Date: Fri, 18 Feb 2022 15:36:58 -0800 Subject: [PATCH 063/104] gs-sepolicy(uwb): Changes for new UCI stack 1. Rename uwb vendor app. 2. Rename uwb vendor HAL binary name & service name. 3. Allow vendor HAL to host the AOSP UWB HAL service. 4. Allow NFC HAL to access uwb calibration files. Bug: 186585880 Test: Manual Tests Change-Id: I2c7c2466f42317d643634e24b1efb1855e673d09 --- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_nfc_default.te | 3 +++ whitechapel/vendor/google/hal_uwb_vendor_default.te | 3 +++ whitechapel/vendor/google/property.te | 2 ++ whitechapel/vendor/google/property_contexts | 2 ++ whitechapel/vendor/google/seapp_contexts | 3 ++- whitechapel/vendor/google/service_contexts | 2 +- 7 files changed, 14 insertions(+), 3 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 69eb9fd3..05e49591 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -347,7 +347,7 @@ # Uwb # R4 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 +/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te index 174b5383..247ca3d7 100644 --- a/whitechapel/vendor/google/hal_nfc_default.te 
+++ b/whitechapel/vendor/google/hal_nfc_default.te @@ -10,3 +10,6 @@ set_prop(hal_nfc_default, vendor_modem_prop) # Access uwb cal for SecureRanging Applet allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; allow hal_nfc_default uwb_data_vendor:file r_file_perms; + +# allow nfc to read uwb calibration file +get_prop(hal_nfc_default, vendor_uwb_calibration_prop) diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te index f72e879d..b287433f 100644 --- a/whitechapel/vendor/google/hal_uwb_vendor_default.te +++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te @@ -2,6 +2,7 @@ type hal_uwb_vendor_default, domain; type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_uwb_vendor_default) +hal_server_domain(hal_uwb_vendor_default, hal_uwb) add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) @@ -9,3 +10,5 @@ binder_call(hal_uwb_vendor_default, uwb_vendor_app) allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms; allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms; + +get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index bb0894fc..b8bfacc8 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -53,3 +53,5 @@ vendor_internal_prop(vendor_fingerprint_fake_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) +# UWB calibration +system_vendor_config_prop(vendor_uwb_calibration_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 149a91be..821f4de1 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
@@ -110,3 +110,5 @@ vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fa
# Dynamic sensor
vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
+# uwb
+ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index 4dcd8e5d..f866e37a 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -48,7 +48,8 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=
user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
# Qorvo UWB system app
-user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
# Domain for EuiccSupportPixel
user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 92fe3e99..ca2ec939 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,4 +1,4 @@
com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
uwb_vendor u:object_r:uwb_vendor_service:s0
-hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0
+hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
From c3d3c574f4ba1cbe84ba29ccb6c6e5748e2b5f29 Mon Sep 17 00:00:00 2001
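Review bot: `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string` pairs a trailing-dot name with `exact`; `exact` labels only a property literally named `ro.vendor.uwb.calibration.`, while the trailing dot and the description's plural ("calibration files") suggest several `ro.vendor.uwb.calibration.*` properties are meant. If that is the intent, such properties fall through to whatever broader prefix matches them and the `get_prop` rules added in hal_nfc_default.te and hal_uwb_vendor_default.te never apply. Either drop `exact string` so the line is a prefix match like the `vendor.dynamic_sensor.` entry above it (`ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0`), or, if a single property is intended, give its full name.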
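Review bot: The new seapp_contexts line moves the Qorvo vendor service from the dedicated `uwb` user to `_app`, so it now runs under a regular per-app UID with `levelFrom=all` while keeping `domain=uwb_vendor_app` and `type=uwb_vendor_data_file`; if anything relied on the fixed `uwb` UID for ownership of its data or device nodes, that no longer lines up. The added `# TODO(b/222204912): Should this run under uwb user?` only poses the question; record what currently prevents `user=uwb` so the TODO can be closed, e.g. `# TODO(b/222204912): runs as _app until <constraint> is resolved, then move back to user=uwb`.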
From: Darren Hsu
Date: Tue, 8 Mar 2022 20:56:51 +0800
Subject: [PATCH 064/104] sepolicy: fix VTS failure for SuspendSepolicyTests
Label the common parent wakeup path instead of each individual wakeup source to avoid bloating the genfs contexts.
Bug: 221174227
Test: run vts -m SuspendSepolicyTests
Change-Id: I83a074840198aba323805fd455ee78a0e57174ac
Signed-off-by: Darren Hsu
---
whitechapel/vendor/google/genfs_contexts | 36 ++++++++++++------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 9f4e1fbc..c3773b0d 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -82,27 +82,27 @@ genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:s
# System_suspend
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
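Review bot: The move to the parent `.../wakeup` path is incomplete within this hunk: `5-0050/wakeup/wakeup`, `serial0-0/wakeup/wakeup`, `spi11.0/wakeup/wakeup`, `11110000.usb/wakeup/wakeup` and both `xhci-hcd-exynos.*/wakeup/wakeup` entries keep the old form, and the same mix remains in the next two hunks of this file (`4-0043`, `pci0000:00`, `i2c-5/i2c-p9412`, `i2c-8/i2c-s2mpg11mfd`, `i2c-7/i2c-max77759tcpc`). If the VTS fix works by labelling the parent, the unconverted entries presumably still fail that test or were deliberately deferred (patch 066 below does convert them), so either finish the conversion here or say in the `# System_suspend` comment why only some are done. On the new side but untouched by this change, the context line `genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/...` carries a `/sys` prefix that no other entry has; genfscon paths are relative to the sysfs mount, so that line labels nothing and merely duplicates the entry below it.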
@@ -190,19 +190,19 @@ genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:
genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0
# system_suspend wakeup nodes
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -219,14 +219,14 @@ genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup
genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0
# OTA
genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
From 037f9cda4e0468d1f42aeeaa816c06e9bf13027e Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Wed, 9 Mar 2022 14:15:55 +0800
Subject: [PATCH 065/104] Update avc error on ROM 8276520
Bug: 223502652
Bug: 223330933
Test: PtsSELinuxTestCases
Change-Id: Ib8c14c4928410ee5ed4626e95e2882b89341ee9a
---
tracking_denials/hal_drm_default.te | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 tracking_denials/hal_drm_default.te
diff --git a/tracking_denials/hal_drm_default.te b/tracking_denials/hal_drm_default.te
new file mode 100644
index 00000000..ee4ed089
--- /dev/null
+++ b/tracking_denials/hal_drm_default.te
@@ -0,0 +1,2 @@
+# b/223502652
+dontaudit hal_drm_default vndbinder_device:chr_file { read };
From 44fcba7efd30a8d70ac8bbb57d75ffc246a172c1 Mon Sep 17 00:00:00 2001
From: Darren Hsu
Date: Thu, 10 Mar 2022 08:48:05 +0800
Subject: [PATCH 066/104] sepolicy: reorder genfs labels for system suspend
Bug: 223683748
Test: check bugreport without relevant avc denials
Change-Id: I66ede69d94bb3cb1a446e1cd5f3250b6f9b7f7e9
Signed-off-by: Darren Hsu
---
whitechapel/vendor/google/genfs_contexts | 125 +++++++++++------------
1 file changed, 61 insertions(+), 64 deletions(-)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index c3773b0d..63d06d1c 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
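Review bot: The new tracking rule `dontaudit hal_drm_default vndbinder_device:chr_file { read };` hides the denial without recording whether the DRM HAL legitimately needs vndbinder; if it does, the proper fix is `vndbinder_use(hal_drm_default)` in the real policy rather than a dontaudit, and if it does not, the stray open of /dev/vndbinder should be removed from the HAL. The bare `# b/223502652` comment should say which outcome the bug is tracking, e.g. `# b/223502652: hal_drm_default opens /dev/vndbinder; decide between vndbinder_use() and removing the open`, so the dontaudit is not mistaken for the final state.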
@@ -81,31 +81,67 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object
genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
# System_suspend
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0
# Touch
genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
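Review bot: The hunk does more than the title's "reorder": besides sorting the `# System_suspend` block by path, the new side also shortens the remaining `.../wakeup/wakeup` entries (`5-0050`, `serial0-0`, `spi11.0`, `11110000.usb`, `xhci-hcd-exynos.*`, `4-0043`, `pci0000:00`, and the ones carried over from the removed block) to the parent `.../wakeup`, and drops the bogus `/sys/devices/platform/...` line; as far as I know genfscon lookup is by longest path prefix rather than file order, so those label fixes, not the sort, are what most plausibly cleared the denials in the bug and deserve a sentence in the description. Record the ordering as an invariant so later additions keep it, e.g. `# System_suspend wakeup sources: label the parent wakeup dir, keep sorted by path`. The second hunk of this file, which deletes the old `# system_suspend wakeup nodes` block, is the other half of the same consolidation.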
@@ -189,45 +225,6 @@ genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:
genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0
genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0
-# system_suspend wakeup nodes
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0
-
# OTA
genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
From 9b54bf3665abce7a6f5f5df22069a8ef081ad80e Mon Sep 17 00:00:00 2001
From: Kris Chen
Date: Wed, 8 Dec 2021 07:05:51 +0800
Subject: [PATCH 067/104] Allow hal_fingerprint_default to access fwk_sensor_hwservice
Fix the following avc denial:
avc: denied { find } for interface=android.frameworks.sensorservice::ISensorManager sid=u:r:hal_fingerprint_default:s0 pid=1258 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:fwk_sensor_hwservice:s0 tclass=hwservice_manager permissive=0
Bug: 197789721
Test: build and test fingerprint on device.
Change-Id: I7494f28e69e5a1b660dc7fbaa528b1088048723b
---
whitechapel/vendor/google/hal_fingerprint_default.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te
index b2378682..d1ac4d72 100644
--- a/whitechapel/vendor/google/hal_fingerprint_default.te
+++ b/whitechapel/vendor/google/hal_fingerprint_default.te
@@ -20,3 +20,7 @@ r_dir_file(hal_fingerprint_default, sysfs_chosen)
# Allow fingerprint to access calibration blk device.
allow hal_fingerprint_default mfg_data_block_device:blk_file { rw_file_perms };
allow hal_fingerprint_default block_device:dir search;
+
+# Allow fingerprint to access fwk_sensor_hwservice
+allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
+
From 17f6a0a1bae86210534eeaa0eedfc3126ccde7b6 Mon Sep 17 00:00:00 2001
From: eddielan
Date: Mon, 14 Mar 2022 10:57:53 +0800
Subject: [PATCH 068/104] sepolicy: Add policy for persist.vendor.udfps
Bug: 222175797
Test: Build Pass
Change-Id: I978325adb5cf25a590b307a38ce2deac4034e656
---
whitechapel/vendor/google/property_contexts | 1 +
1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index cdbe1bc4..a4f2016b 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -107,6 +107,7 @@ vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_pr
# Fingerprint
vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
vendor.gf. u:object_r:vendor_fingerprint_prop:s0
+persist.vendor.udfps. u:object_r:vendor_fingerprint_prop:s0
# Dynamic sensor
vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
From 753edef5f6da6c4a170295470d801787d6961d94 Mon Sep 17 00:00:00 2001
From: samou
Date: Tue, 22 Feb 2022 06:54:31 +0000
Subject: [PATCH 069/104] Move ODPM file rule to pixel sepolicy
Bug: 213257759
Change-Id: Ic9a89950a609efe5434dfedc0aa023312c4192d9
---
whitechapel/vendor/google/file.te | 1 -
whitechapel/vendor/google/hal_power_stats_default.te | 2 --
whitechapel/vendor/google/hal_thermal_default.te | 1 -
3 files changed, 4 deletions(-)
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 90098249..6eabe45d 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
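Review bot: The hunk in hal_fingerprint_default.te ends with an extra `+` blank line after `allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;`, leaving a trailing empty line at end of file (patch 073 below then appends right after it). The comment `# Allow fingerprint to access fwk_sensor_hwservice` restates the rule; say what the HAL wants from the framework sensor service instead, e.g. `# Fingerprint HAL looks up android.frameworks.sensorservice (ISensorManager) for <sensor it subscribes to>, see b/197789721`. `find` only lets the HAL locate the hwservice; if it then calls into it, the next denial will be a binder call to the serving domain, which is worth checking while the bug is open rather than landing rules one denial at a time.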
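Review bot: `persist.vendor.udfps. u:object_r:vendor_fingerprint_prop:s0` reuses the type of the non-persistent `vendor.fingerprint.` and `vendor.gf.` properties, so every domain holding `set_prop(..., vendor_fingerprint_prop)` can now also write state that survives reboot. If only the fingerprint HAL is meant to persist UDFPS settings, a dedicated type (a `vendor_internal_prop` declaration in property.te plus its own context line here) keeps that ability separate; at minimum a comment such as `# persistent UDFPS settings; any writer of vendor_fingerprint_prop can persist state` makes the widening visible to the next reader.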
@@ -152,7 +152,6 @@ type sysfs_chargelevel, sysfs_type, fs_type;
# ODPM
type powerstats_vendor_data_file, file_type, data_file_type;
-type sysfs_odpm, sysfs_type, fs_type;
# bcl
type sysfs_bcl, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te
index db81a74e..b8ab8c5b 100644
--- a/whitechapel/vendor/google/hal_power_stats_default.te
+++ b/whitechapel/vendor/google/hal_power_stats_default.te
@@ -7,8 +7,6 @@ binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
r_dir_file(hal_power_stats_default, sysfs_iio_devices)
allow hal_power_stats_default powerstats_vendor_data_file:dir search;
allow hal_power_stats_default powerstats_vendor_data_file:file r_file_perms;
-allow hal_power_stats_default sysfs_odpm:dir search;
-allow hal_power_stats_default sysfs_odpm:file rw_file_perms;
allow hal_power_stats_default sysfs_edgetpu:dir search;
allow hal_power_stats_default sysfs_edgetpu:file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/whitechapel/vendor/google/hal_thermal_default.te
index 9852a767..5e597c7c 100644
--- a/whitechapel/vendor/google/hal_thermal_default.te
+++ b/whitechapel/vendor/google/hal_thermal_default.te
@@ -1,2 +1 @@
allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms;
-allow hal_thermal_default sysfs_odpm:file r_file_perms;
From 3ffd8035a2c882c846c26db7767a821a8f45b9dd Mon Sep 17 00:00:00 2001
From: Roshan Pius
Date: Mon, 21 Mar 2022 09:13:58 -0700
Subject: [PATCH 070/104] gs-policy: Remove obsolete uwb vendor service rules
This service no longer exists in the UCI stack.
Bug: 186585880
Test: Manual UWB tests
Change-Id: I198a20f85cb24f9e38035fa037609d6541640d9e
---
whitechapel/vendor/google/service.te | 1 -
whitechapel/vendor/google/service_contexts | 1 -
whitechapel/vendor/google/system_server.te | 2 --
whitechapel/vendor/google/uwb_vendor_app.te | 2 --
4 files changed, 6 deletions(-)
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index aa60e3f7..8d5dc1ee 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,3 +1,2 @@
type hal_pixel_display_service, service_manager_type, vendor_service;
-type uwb_vendor_service, service_manager_type, vendor_service;
type hal_uwb_vendor_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index ca2ec939..25108867 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,4 +1,3 @@
com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
-uwb_vendor u:object_r:uwb_vendor_service:s0
hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te
index b2563949..d064cb73 100644
--- a/whitechapel/vendor/google/system_server.te
+++ b/whitechapel/vendor/google/system_server.te
@@ -1,8 +1,6 @@
# Allow system server to send sensor data callbacks to GPS and camera HALs
binder_call(system_server, gpsd);
binder_call(system_server, hal_camera_default);
-# Allow system server to find vendor uwb service
-allow system_server uwb_vendor_service:service_manager find;
# pixelstats_vendor/OrientationCollector
binder_call(system_server, pixelstats_vendor)
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te
index 8822343c..68edcb1b 100644
--- a/whitechapel/vendor/google/uwb_vendor_app.te
+++ b/whitechapel/vendor/google/uwb_vendor_app.te
@@ -2,8 +2,6 @@ type uwb_vendor_app, domain;
app_domain(uwb_vendor_app)
-add_service(uwb_vendor_app, uwb_vendor_service)
-
not_recovery(`
hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
From 22def09e8a0b05dc3a759bca0488d101aac6ee58 Mon Sep 17 00:00:00 2001
From: Darren Hsu
Date: Thu, 24 Mar 2022 14:49:43 +0800
Subject: [PATCH 071/104] Allow hal_power_stats to read sysfs_aoc_dumpstate
avc: denied { read } for comm="android.hardwar" name="restart_count" dev="sysfs" ino=72823 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc_dumpstate:s0 tclass=file permissive=0
Bug: 226173008
Test: check bugreport without avc denials
Change-Id: Iccd8e4475ba6055d07aedc43de72bd39e6674469
Signed-off-by: Darren Hsu
---
whitechapel/vendor/google/hal_power_stats_default.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te
index db81a74e..13a0487f 100644
--- a/whitechapel/vendor/google/hal_power_stats_default.te
+++ b/whitechapel/vendor/google/hal_power_stats_default.te
@@ -15,6 +15,7 @@ allow hal_power_stats_default sysfs_edgetpu:file r_file_perms;
binder_call(hal_power_stats_default, citadeld)
r_dir_file(hal_power_stats_default, sysfs_aoc)
+r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)
r_dir_file(hal_power_stats_default, sysfs_cpu)
r_dir_file(hal_power_stats_default, sysfs_leds)
r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
From 28ddd3bf9fcfa679679ad3580daf6e2517fe8ee7 Mon Sep 17 00:00:00 2001
From: Chris Kuiper
Date: Thu, 24 Mar 2022 17:55:43 -0700
Subject: [PATCH 072/104] Allow Sensor HAL access to display sysfs panel_name file.
Bug: 208926536
Test: Accessed the display sysfs from sensor HAL correctly.
Change-Id: Ide86813de20a1240f8ac55322b017329f30b296e
---
usf/sensor_hal.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
index ac9d5c2d..bda44c9f 100644
--- a/usf/sensor_hal.te
+++ b/usf/sensor_hal.te
@@ -59,6 +59,9 @@ allow hal_sensors_default hidraw_device:chr_file rw_file_perms; allow hal_sensors_default hal_pixel_display_service:service_manager find; binder_call(hal_sensors_default, hal_graphics_composer_default) +# Allow sensor HAL to access to display sysfs. +allow hal_sensors_default sysfs_display:file r_file_perms; + # # Suez type enforcements. # From 3df0d7812b3f1c996b7ffce6f1c7cd3b66d70b08 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Fri, 25 Mar 2022 14:53:53 +0800 Subject: [PATCH 073/104] Allow hal_fingerprint_default to access sysfs_display Fix the following avc denial: avc: denied { read } for name="panel_name" dev="sysfs" ino=71133 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=0 Bug: 223687187 Test: build and test fingerprint on device. Change-Id: Ic2b2cadb97f36643b79de6a8ebfe2232093fe7d7 --- whitechapel/vendor/google/hal_fingerprint_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index d1ac4d72..2b2e852d 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -24,3 +24,5 @@ allow hal_fingerprint_default block_device:dir search; # Allow fingerprint to access fwk_sensor_hwservice allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; +# Allow fingerprint to read sysfs_display +allow hal_fingerprint_default sysfs_display:file r_file_perms; From de44d766e48789f2b79292dddc5aa842b17c8c5f Mon Sep 17 00:00:00 2001 From: chungkai Date: Wed, 23 Mar 2022 09:45:37 +0000 Subject: [PATCH 074/104] sched: move sysfs to procfs Modify name from sysfs_vendor_sched to proc_vendor_sched Test: without avc denial Bug: 216207007 
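Review bot: The comment `# Allow sensor HAL to access to display sysfs.` is ungrammatical and does not say what is read, while the rule grants read on every file labelled sysfs_display even though the commit only mentions `panel_name`. Rewording it as `# Read the display panel_name node (sysfs_display), b/208926536` records the actual need so the wider grant can be revisited if more nodes appear under that label. If only panel_name is ever needed, a dedicated label for that node would be the tighter option — confirm against genfs_contexts before widening further.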
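Review bot: The comment `# Allow fingerprint to read sysfs_display` merely restates the rule below it and loses the reason given in the commit message, which is the `panel_name` denial. Suggest `# Read the display panel_name node (sysfs_display), b/223687187` so the grant is traceable. As with the sensor HAL change in the previous patch, `sysfs_display:file r_file_perms` covers every file under the label, so any other node later placed under sysfs_display becomes readable by the fingerprint HAL without a policy review; a comment naming the node at least makes that visible.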
Signed-off-by: chungkai Change-Id: Ic113b2d8ee1d3ae1ced9985636b17ef1e7657a84 --- private/gmscore_app.te | 2 +- private/permissioncontroller_app.te | 4 ++-- private/priv_app.te | 2 +- whitechapel/vendor/google/bluetooth.te | 4 ++-- whitechapel/vendor/google/bug_map | 2 +- whitechapel/vendor/google/domain.te | 4 ++-- whitechapel/vendor/google/hal_dumpstate_default.te | 2 +- whitechapel/vendor/google/hal_power_default.te | 2 +- whitechapel/vendor/google/hbmsvmanager_app.te | 4 ++-- whitechapel/vendor/google/logger_app.te | 4 ++-- whitechapel/vendor/google/mediaprovider.te | 4 ++-- whitechapel/vendor/google/nfc.te | 4 ++-- whitechapel/vendor/google/platform_app.te | 4 ++-- whitechapel/vendor/google/radio.te | 4 ++-- whitechapel/vendor/google/secure_element.te | 4 ++-- whitechapel/vendor/google/shell.te | 4 ++-- whitechapel/vendor/google/ssr_detector.te | 4 ++-- whitechapel/vendor/google/system_app.te | 4 ++-- whitechapel/vendor/google/untrusted_app_all.te | 4 ++-- 19 files changed, 33 insertions(+), 33 deletions(-) diff --git a/private/gmscore_app.te b/private/gmscore_app.te index 3968de30..e52eb551 100644 --- a/private/gmscore_app.te +++ b/private/gmscore_app.te @@ -1,3 +1,3 @@ # b/177389198 dontaudit gmscore_app adbd_prop:file *; -dontaudit gmscore_app sysfs_vendor_sched:file write; +dontaudit gmscore_app proc_vendor_sched:file write; diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te index 425ea309..4619571c 100644 --- a/private/permissioncontroller_app.te +++ b/private/permissioncontroller_app.te @@ -1,3 +1,3 @@ -allow permissioncontroller_app sysfs_vendor_sched:dir r_dir_perms; -allow permissioncontroller_app sysfs_vendor_sched:file w_file_perms; +allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms; +allow permissioncontroller_app proc_vendor_sched:file w_file_perms; diff --git a/private/priv_app.te b/private/priv_app.te index de2a4f28..c77a18da 100644 --- a/private/priv_app.te +++ b/private/priv_app.te 
@@ -17,4 +17,4 @@ dontaudit priv_app ab_update_gki_prop:file { getattr }; dontaudit priv_app ab_update_gki_prop:file { map }; dontaudit priv_app adbd_prop:file { open }; dontaudit priv_app adbd_prop:file { getattr }; -dontaudit priv_app sysfs_vendor_sched:file write; +dontaudit priv_app proc_vendor_sched:file write; diff --git a/whitechapel/vendor/google/bluetooth.te b/whitechapel/vendor/google/bluetooth.te index b246eca1..92737abe 100644 --- a/whitechapel/vendor/google/bluetooth.te +++ b/whitechapel/vendor/google/bluetooth.te @@ -1,3 +1,3 @@ -allow bluetooth sysfs_vendor_sched:dir search; -allow bluetooth sysfs_vendor_sched:file w_file_perms; +allow bluetooth proc_vendor_sched:dir search; +allow bluetooth proc_vendor_sched:file w_file_perms; diff --git a/whitechapel/vendor/google/bug_map b/whitechapel/vendor/google/bug_map index 6799ba21..b7c26b57 100644 --- a/whitechapel/vendor/google/bug_map +++ b/whitechapel/vendor/google/bug_map @@ -1,3 +1,3 @@ -permissioncontroller_app sysfs_vendor_sched file b/190671898 +permissioncontroller_app proc_vendor_sched file b/190671898 vendor_ims_app default_prop file b/194281028 hal_fingerprint_default default_prop property_service b/215640468 diff --git a/whitechapel/vendor/google/domain.te b/whitechapel/vendor/google/domain.te index 3e1cbbb7..fd876e09 100644 --- a/whitechapel/vendor/google/domain.te +++ b/whitechapel/vendor/google/domain.te @@ -1,2 +1,2 @@ -allow {domain -appdomain -rs} sysfs_vendor_sched:dir r_dir_perms; -allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms; +allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms; +allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms; diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 612b3c0b..66c51b7c 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -96,7 +96,7 @@ binder_call(hal_dumpstate_default, hal_graphics_composer_default); allow hal_dumpstate_default sysfs_display:dir r_dir_perms; allow hal_dumpstate_default sysfs_display:file r_file_perms; -allow hal_dumpstate_default sysfs_vendor_sched:file read; +allow hal_dumpstate_default proc_vendor_sched:file read; allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms; allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index 22764a32..19cd0bb4 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -1,7 +1,7 @@ allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms; allow hal_power_default sysfs_fs_f2fs:file rw_file_perms; -allow hal_power_default sysfs_vendor_sched:file rw_file_perms; +allow hal_power_default proc_vendor_sched:file rw_file_perms; allow hal_power_default cpuctl_device:file rw_file_perms; allow hal_power_default sysfs_gpu:file rw_file_perms; allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms; diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te index 2300a2a8..b7058090 100644 --- a/whitechapel/vendor/google/hbmsvmanager_app.te +++ b/whitechapel/vendor/google/hbmsvmanager_app.te @@ -2,8 +2,8 @@ type hbmsvmanager_app, domain, coredomain; app_domain(hbmsvmanager_app); -allow hbmsvmanager_app sysfs_vendor_sched:dir r_dir_perms; -allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms; +allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; +allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) 
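Review bot: The renamed line `allow hal_dumpstate_default proc_vendor_sched:file read;` is now fully redundant, because two lines below the file already has `allow hal_dumpstate_default proc_vendor_sched:file r_file_perms;`, and r_file_perms includes read. Rather than renaming the old sysfs_vendor_sched rule it should simply be deleted, leaving the existing `proc_vendor_sched:dir r_dir_perms` and `proc_vendor_sched:file r_file_perms` pair. The duplicate is harmless to the compiled policy but misleads readers into thinking two distinct grants exist.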
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index d091cff0..be15d0e6 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -24,6 +24,6 @@ userdebug_or_eng(` set_prop(logger_app, vendor_wifi_sniffer_prop) dontaudit logger_app default_prop:file { read }; - dontaudit logger_app sysfs_vendor_sched:dir search; - dontaudit logger_app sysfs_vendor_sched:file write; + dontaudit logger_app proc_vendor_sched:dir search; + dontaudit logger_app proc_vendor_sched:file write; ') diff --git a/whitechapel/vendor/google/mediaprovider.te b/whitechapel/vendor/google/mediaprovider.te index 835593fc..dc3e1c01 100644 --- a/whitechapel/vendor/google/mediaprovider.te +++ b/whitechapel/vendor/google/mediaprovider.te @@ -1,2 +1,2 @@ -dontaudit mediaprovider sysfs_vendor_sched:dir search; -dontaudit mediaprovider sysfs_vendor_sched:file write; +dontaudit mediaprovider proc_vendor_sched:dir search; +dontaudit mediaprovider proc_vendor_sched:file write; diff --git a/whitechapel/vendor/google/nfc.te b/whitechapel/vendor/google/nfc.te index febd851a..80784434 100644 --- a/whitechapel/vendor/google/nfc.te +++ b/whitechapel/vendor/google/nfc.te @@ -1,2 +1,2 @@ -allow nfc sysfs_vendor_sched:dir r_dir_perms; -allow nfc sysfs_vendor_sched:file w_file_perms; +allow nfc proc_vendor_sched:dir r_dir_perms; +allow nfc proc_vendor_sched:file w_file_perms; diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 70480beb..49fb531b 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te 
@@ -4,8 +4,8 @@ allow platform_app hal_exynos_rild_hwservice:hwservice_manager find; allow platform_app hal_wlc_hwservice:hwservice_manager find; binder_call(platform_app, hal_wlc) -allow platform_app sysfs_vendor_sched:dir r_dir_perms; -allow platform_app sysfs_vendor_sched:file w_file_perms; +allow platform_app proc_vendor_sched:dir r_dir_perms; +allow platform_app proc_vendor_sched:file w_file_perms; allow platform_app nfc_service:service_manager find; allow platform_app uwb_service:service_manager find; diff --git a/whitechapel/vendor/google/radio.te b/whitechapel/vendor/google/radio.te index af56688b..baa356bd 100644 --- a/whitechapel/vendor/google/radio.te +++ b/whitechapel/vendor/google/radio.te @@ -1,6 +1,6 @@ allow radio hal_exynos_rild_hwservice:hwservice_manager find; -allow radio sysfs_vendor_sched:dir r_dir_perms; -allow radio sysfs_vendor_sched:file w_file_perms; +allow radio proc_vendor_sched:dir r_dir_perms; +allow radio proc_vendor_sched:file w_file_perms; # Allow telephony to access file descriptor of the QOS socket # so it can make sure the QOS is meant for the intended addresses diff --git a/whitechapel/vendor/google/secure_element.te b/whitechapel/vendor/google/secure_element.te index 831d360e..cb6c1396 100644 --- a/whitechapel/vendor/google/secure_element.te +++ b/whitechapel/vendor/google/secure_element.te @@ -1,2 +1,2 @@ -allow secure_element sysfs_vendor_sched:dir r_dir_perms; -allow secure_element sysfs_vendor_sched:file w_file_perms; +allow secure_element proc_vendor_sched:dir r_dir_perms; +allow secure_element proc_vendor_sched:file w_file_perms; diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index abc2f2cc..f982424d 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te 
@@ -6,5 +6,5 @@ userdebug_or_eng(` allow shell sysfs_sjtag:file rw_file_perms; ') -dontaudit shell sysfs_vendor_sched:dir search; -dontaudit shell sysfs_vendor_sched:file write; +dontaudit shell proc_vendor_sched:dir search; +dontaudit shell proc_vendor_sched:file write; diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 958ed352..934028e1 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -13,8 +13,8 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app sysfs_vendor_sched:dir search; - allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms; + allow ssr_detector_app proc_vendor_sched:dir search; + allow ssr_detector_app proc_vendor_sched:file rw_file_perms; allow ssr_detector_app cgroup:file write; ') diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te index 07536ccf..8c9d5345 100644 --- a/whitechapel/vendor/google/system_app.te +++ b/whitechapel/vendor/google/system_app.te @@ -1,5 +1,5 @@ -allow system_app sysfs_vendor_sched:dir r_dir_perms; -allow system_app sysfs_vendor_sched:file w_file_perms; +allow system_app proc_vendor_sched:dir r_dir_perms; +allow system_app proc_vendor_sched:file w_file_perms; allow system_app hal_wlc_hwservice:hwservice_manager find; binder_call(system_app, hal_wlc) diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index dda81542..642ee175 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te 
@@ -2,5 +2,5 @@ # for secure video playback allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; -dontaudit untrusted_app_all sysfs_vendor_sched:dir search; -dontaudit untrusted_app_all sysfs_vendor_sched:file write; +dontaudit untrusted_app_all proc_vendor_sched:dir search; +dontaudit untrusted_app_all proc_vendor_sched:file write; From ed3ac0623ba0237bfc969d971b7a0cae718a7deb Mon Sep 17 00:00:00 2001 From: sukiliu Date: Thu, 31 Mar 2022 15:47:05 +0800 Subject: [PATCH 075/104] Update avc error on ROM 8386107 Bug: 226717475 Test: PtsSELinuxTestCases Change-Id: Ia366a4ad0f193858960b7c5df34096bd2d4eada5 --- tracking_denials/dumpstate.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index fa9d5cec..fc4afa4d 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -2,3 +2,5 @@ dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; # b/190337283 dontaudit dumpstate debugfs_wakeup_sources:file read; +# b/226717475 +dontaudit dumpstate app_zygote:process { signal }; From 8a19d8be9c355dfb2224449e0709d0718f018267 Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 31 Mar 2022 05:52:07 +0000 Subject: [PATCH 076/104] genfs_contexts: fix path for i2c peripheral devices paths are changed when we enable parallel module loading and reorder the initializtaion of devices. Test: without avc denial on Raven Bug: 227541760 Signed-off-by: chungkai Change-Id: I7d835205696fd727e9be24fcf010ed44bcd5d6ae --- whitechapel/vendor/google/genfs_contexts | 102 +++++++++++++++++++---- 1 file changed, 88 insertions(+), 14 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 63d06d1c..bcdff4b0 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
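Review bot: `dontaudit dumpstate app_zygote:process { signal };` silences the log but the signal still fails, so if dumpstate is attempting to collect stack traces from the app zygote the resulting bugreport will be missing them with no indication why. If those traces are wanted, the rule should be an `allow` consistent with however dumpstate is permitted to signal other app processes on this device; if they are not wanted, a short note beside `# b/226717475` saying the denial is expected and harmless would stop this entry from becoming a permanent tracking item. Either way the bug id alone does not tell the next maintainer which outcome was intended.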
@@ -29,21 +29,29 @@ genfscon sysfs /devices/platform/10d50000.hsi2c # Slider genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -# R4 / P7 LunchBox -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/eeprom 
u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 - -# O6 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 # Storage genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 
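Review bot: Dropping the `# R4 / P7 LunchBox` and `# O6` comments removes the only record of which board each path belonged to, and the new block lists the same p9412/eeprom/power_supply nodes on i2c-4 through i2c-8 without saying why. A comment such as `# i2c bus numbers vary with parallel module loading; list the same devices on every bus they may land on (b/227541760)` would explain the repetition. Any bus number outside 4–8 would leave these nodes with the generic sysfs label and show up as a fresh denial, so the range is a guess that should be stated; if the kernel device tree can pin these buses with i2c aliases, that would remove the need to enumerate them at all — worth checking with the kernel team.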
@@ -76,6 +84,12 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 # Fingerprint genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 
@@ -83,6 +97,10 @@ genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:s # System_suspend genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 
@@ -91,8 +109,21 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup u:object_r:sysfs_wakeup:s0 
@@ -111,11 +142,22 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_sup genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0 
@@ -125,12 +167,16 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:0 genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 
@@ -206,6 +252,24 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 + # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0 @@ -277,6 +341,10 @@ genfscon sysfs /devices/platform/1c500000.mali/power_policy # nvmem (Non Volatile Memory layer) genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/5-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/6-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/7-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/8-00500/nvmem u:object_r:sysfs_memory:s0 # Broadcom genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 
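Review bot: The new i2c-0/i2c-1 ODPM entries label both `iio:device0` and `iio:device1` under each PMIC, while the existing i2c-6/i2c-7/i2c-8 entries above label only one index per PMIC (device0 for s2mpg10, device1 for s2mpg11). If the iio index is also enumeration-order dependent, the older paths have the same gap and should get the matching second entry; if it is not, the extra device entries here are dead. Either way a comment like `# iio device index may be swapped between the two PMICs depending on probe order` would make the intent explicit rather than leaving the asymmetry for the next reader to puzzle over.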
@@ -285,6 +353,10 @@ genfscon sysfs /module/bcmdhd4389 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 @@ -351,8 +423,10 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 # SecureElement genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 From 384218408f069629527c4b4ceefe122321a0fce7 Mon Sep 17 00:00:00 2001 
From: chungkai Date: Wed, 6 Apr 2022 08:07:26 +0000 Subject: [PATCH 077/104] sepolicy: ignore avc denial dont audit since it's debugfs Bug: 228181404 Test: forrest with boot test Signed-off-by: chungkai Change-Id: I7f2a85e2a405c78c9d8d11e9c2fdfdc5e87f7931 --- tracking_denials/kernel.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/kernel.te diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te new file mode 100644 index 00000000..21776b79 --- /dev/null +++ b/tracking_denials/kernel.te @@ -0,0 +1,2 @@ +#b/228181404 +dontaudit kernel vendor_maxfg_debugfs:dir { search }; \ No newline at end of file From 13f85a37f3f1eab2883d68fb026fa3c2b68fc881 Mon Sep 17 00:00:00 2001 From: Siddharth Kapoor Date: Thu, 7 Apr 2022 03:29:56 +0000 Subject: [PATCH 078/104] Revert "Move ODPM file rule to pixel sepolicy" Revert "Move ODPM file rule to pixel sepolicy" Revert submission 17215583-odpm_sepolicy_refactor-tm-dev Reason for revert: build failure tracked in b/228261711 Reverted Changes: Ic9a89950a:Move ODPM file rule to pixel sepolicy I24105669b:Move ODPM file rule to pixel sepolicy I044a285ff:Move ODPM file rule to pixel sepolicy Change-Id: I36abfddaa5903739f9c5bf65d3c1cd506db9e604 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/hal_power_stats_default.te | 2 ++ whitechapel/vendor/google/hal_thermal_default.te | 1 + 3 files changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 6eabe45d..90098249 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -152,6 +152,7 @@ type sysfs_chargelevel, sysfs_type, fs_type; # ODPM type powerstats_vendor_data_file, file_type, data_file_type; +type sysfs_odpm, sysfs_type, fs_type; # bcl type sysfs_bcl, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index b8ab8c5b..db81a74e 100644 
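Review bot: The new `tracking_denials/kernel.te` is missing its trailing newline (the `\ No newline at end of file` marker), which will bite the next person who appends a rule. More substantively, `dontaudit kernel vendor_maxfg_debugfs:dir { search };` only silences the log; the access is still denied, so if a kernel-side path genuinely needs to walk the maxfg debugfs directory it will keep failing invisibly. The bug comment should record that this was confirmed to be a harmless probe, e.g. `# b/228181404: kernel probes the maxfg debugfs dir at boot; access is not required, only the audit is suppressed`. If debugfs is mounted only on userdebug/eng builds on this device, wrapping the rule in `userdebug_or_eng(...)` would also keep it out of user policy, provided that matches how the other tracking_denials files are written.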
--- a/whitechapel/vendor/google/hal_power_stats_default.te +++ b/whitechapel/vendor/google/hal_power_stats_default.te @@ -7,6 +7,8 @@ binder_call(hal_power_stats_default, hal_bluetooth_btlinux) r_dir_file(hal_power_stats_default, sysfs_iio_devices) allow hal_power_stats_default powerstats_vendor_data_file:dir search; allow hal_power_stats_default powerstats_vendor_data_file:file r_file_perms; +allow hal_power_stats_default sysfs_odpm:dir search; +allow hal_power_stats_default sysfs_odpm:file rw_file_perms; allow hal_power_stats_default sysfs_edgetpu:dir search; allow hal_power_stats_default sysfs_edgetpu:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/whitechapel/vendor/google/hal_thermal_default.te index 5e597c7c..9852a767 100644 --- a/whitechapel/vendor/google/hal_thermal_default.te +++ b/whitechapel/vendor/google/hal_thermal_default.te @@ -1 +1,2 @@ allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; +allow hal_thermal_default sysfs_odpm:file r_file_perms; From 8606aa8a51d8d777289480de4a9be076817b6bc5 Mon Sep 17 00:00:00 2001 From: Badhri Jagan Sridharan Date: Thu, 7 Apr 2022 17:21:15 -0700 Subject: [PATCH 079/104] Allow usb hal to read contaminantdisable property avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=367 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=0 Bug: 227792357 Change-Id: Id4d5ef7c214f0c0f672db28991b9fbe0152530b7 --- whitechapel/vendor/google/hal_usb_impl.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index 6b6d19f6..97ec1c7c 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te 
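Review bot: `allow hal_power_stats_default sysfs_odpm:file rw_file_perms;` grants write to every node carrying the `sysfs_odpm` label, which per the genfs_contexts entries elsewhere in this series includes `name` and `energy_value` as well as the `sampling_rate`/`enabled_rails` knobs. If only the latter two are written, a comment such as `# rw: HAL configures sampling_rate/enabled_rails; energy_value and name are read only` documents the intent and makes a later read/write label split straightforward. The `hal_thermal_default` line is consistent with that reading (read only), so nothing is needed there. This is a revert restoring prior rules, so the point is documentation rather than a regression.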
@@ -23,3 +23,6 @@ hal_client_domain(hal_usb_impl, hal_thermal); # For reading the usb-c throttling stats allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; + +# For checking contaminant detection status +get_prop(hal_usb_impl, vendor_usb_config_prop); From 40cd670c9f624393b86656918a709996d9f49a91 Mon Sep 17 00:00:00 2001 From: Patty Date: Wed, 6 Apr 2022 19:16:05 +0800 Subject: [PATCH 080/104] Grant policy for EWP feature Bug: 220121592 Test: Manual Change-Id: I274a9519c40915cf65de45a3d8cf452faf16c8b4 --- bluetooth/hwservice_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts index df77e6f8..1b4f5445 100644 --- a/bluetooth/hwservice_contexts +++ b/bluetooth/hwservice_contexts @@ -2,4 +2,4 @@ hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 - +hardware.google.bluetooth.ewp::IBluetoothEwp u:object_r:hal_bluetooth_coexistence_hwservice:s0 From 613bdcdec8d8b4b0fd357b49213201d0b9a320cb Mon Sep 17 00:00:00 2001 From: Anthony Stange Date: Tue, 12 Apr 2022 20:58:12 +0000 Subject: [PATCH 081/104] Update SELinux to allow CHRE to talk to the Wifi HAL Bug: 206614765 Test: Run locally Change-Id: I73bcf96ed1cab0a101e5f84852a1d82258b9c690 --- whitechapel/vendor/google/chre.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 7eca5e43..67ba090a 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te 
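Review bot: `hardware.google.bluetooth.ewp::IBluetoothEwp` is mapped to the same `hal_bluetooth_coexistence_hwservice` label as the channel-avoidance, SAR and CCC interfaces, so every domain already allowed to `find` that label gains discovery of the new EWP service with no further policy change. That is fine only if EWP's intended client set is identical to the other three; if it is narrower, a dedicated type such as `hal_bluetooth_ewp_hwservice` keeps the grant explicit. A short comment on the line naming the expected client would make that decision visible. Dropping the trailing blank line is harmless.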
@@ -15,3 +15,6 @@ allow chre device:dir r_dir_perms; # Allow CHRE to use the USF low latency transport usf_low_latency_transport(chre) +# Allow CHRE to talk to the WiFi HAL +allow chre hal_wifi_ext:binder { call transfer }; +allow chre hal_wifi_ext_hwservice:hwservice_manager find; From 953583844f6844265a6dee0ad283d5daa9e8fd6c Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 14 Apr 2022 04:12:41 +0000 Subject: [PATCH 082/104] genfs_contexts: fix path for i2c peripheral device paths are changed when we enable parallel module loading and reorder the initializtaion of devices. Test: without avc denial on R4/O6 when booting Bug: 22754176 Signed-off-by: chungkai Change-Id: Ibcd5138170449e24115a0de5c3beda79914d1dc1 --- whitechapel/vendor/google/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1b367a46..9f1921d7 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -130,6 +130,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_sup genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 
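Review bot: The raw `allow chre hal_wifi_ext:binder { call transfer };` plus the hwservice `find` re-spells what the policy macros already express; if `hal_wifi_ext` is a HAL attribute, `hal_client_domain(chre, hal_wifi_ext)` is the conventional form, and otherwise `binder_call(chre, hal_wifi_ext)` covers the call/transfer pair. The raw rule also grants nothing for `hal_wifi_ext` calling back into `chre`, so if the WiFi HAL delivers results through a callback binder that reverse call is likely the next denial; the macros normally set up both directions. Keep the `# Allow CHRE to talk to the WiFi HAL` comment either way.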
@@ -440,6 +441,8 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 From 517ab7da4ddc46597df17ad68b548b75d93e05b9 Mon Sep 17 00:00:00 2001 From: Joshua McCloskey Date: Wed, 6 Apr 2022 22:33:26 +0000 Subject: [PATCH 083/104] Allow platform apps to access FP Hal Bug: 227247855 Test: Verified manually that the fingerprint extension is working. Change-Id: Ia8fedcb373e23bf2103803195f844bf90b1807bc --- system_ext/private/platform_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te index 10d6bba9..e9dcc76b 100644 --- a/system_ext/private/platform_app.te +++ b/system_ext/private/platform_app.te @@ -1,2 +1,5 @@ # allow systemui to set boot animation colors set_prop(platform_app, bootanim_system_prop); + +# allow systemui to access fingerprint +hal_client_domain(platform_app, hal_fingerprint) From f2be252260049581e8e37226fe2f375b967c8e8b Mon Sep 17 00:00:00 2001 From: Jason Macnak Date: Thu, 24 Feb 2022 18:37:55 +0000 Subject: [PATCH 084/104] Remove sysfs_gpu type definition ... as it has moved to system/sepolicy. Bug: b/161819018 Test: presubmit Change-Id: I6fcafa87541ed0cbaf3ba74fa5ff4dbdebd533f7 Merged-In: I6fcafa87541ed0cbaf3ba74fa5ff4dbdebd533f7 --- whitechapel/vendor/google/file.te | 3 --- 1 file changed, 3 deletions(-) 
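Review bot: `hal_client_domain(platform_app, hal_fingerprint)` grants fingerprint HAL client access to every app running in the `platform_app` domain, not just SystemUI as the comment `# allow systemui to access fingerprint` states; `platform_app` is shared by all platform-signed apps that land in that domain. Fingerprint is a biometric authentication surface, so the grant should either move to a SystemUI-specific domain if the device defines one, or the comment should be corrected to say that all platform apps receive it and why that is acceptable, e.g. `# allow platform apps (incl. systemui) to reach the fingerprint HAL for the UDFPS extension; b/227247855`. The cited test exercises only the SystemUI extension, not the widened set of callers.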
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 90098249..cb5ade95 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -169,9 +169,6 @@ type persist_battery_file, file_type, vendor_persist_type; # CPU type sysfs_cpu, sysfs_type, fs_type; -# GPU -type sysfs_gpu, sysfs_type, fs_type; - # Fabric type sysfs_fabric, sysfs_type, fs_type; From 19073ba66c7c491a402974f2de935a9f204ad9ed Mon Sep 17 00:00:00 2001 From: chungkai Date: Mon, 18 Apr 2022 13:53:42 +0000 Subject: [PATCH 085/104] sepolicy: fix avc denials add potential paths for i2c peripheral devices sine we enable parallel module loading Bug: 229670628 Test: do bugreport without avc denials Signed-off-by: chungkai Change-Id: I6747e6d36731664d7f2fd88382c8a6189c936860 --- whitechapel/vendor/google/genfs_contexts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 9f1921d7..0dfba9b5 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -122,6 +122,13 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 
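Review bot: The seven new `10d50000.hsi2c/i2c-2/...` wakeup entries exist because, per the commit message, bus numbers move with parallel module loading, but nothing in genfs_contexts says so, and a reader will see i2c-2 through i2c-4 copies of the same devices as leftovers to prune. A comment above the group, `# i2c bus numbers are assigned in probe order (parallel module loading); every observed i2c-N is listed`, would prevent a cleanup that reintroduces the `sysfs_wakeup` denials. Any numbering not enumerated silently labels the node as plain `sysfs`, so the bugreport denial check named in the message is the only guard; recording the observed bus range per device in the comment would make that check reproducible.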
@@ -441,6 +448,7 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 From 11770d9dfef1407970152c943a9a23177389c3b2 Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 21 Apr 2022 01:39:18 +0000 Subject: [PATCH 086/104] sepolicy: Remove tracking denials files and fix avc problems 04-19 10:53:57.364 W binder:575_2: type=1400 audit(0.0:17): avc: denied { read } for name="wakeup11" dev="sysfs" ino=59892 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 Bug: 229670628 Test: pass Signed-off-by: chungkai Change-Id: I6a83b77c4a4bb836e4014cf865cb720a360fd981 --- whitechapel/vendor/google/genfs_contexts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 0dfba9b5..8f00b4d5 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -30,6 +30,13 @@ genfscon sysfs /devices/platform/10d50000.hsi2c genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 + +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 From 1291c3cec9dbab7b3837f11d0ed4beb5addbc988 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Sat, 23 Apr 2022 21:09:22 -0700 Subject: [PATCH 087/104] Grant trusty to power hal Bug: 229350721 Test: UDFPS with stress Signed-off-by: Wei Wang Change-Id: Ia88d6cff1d21940e22ae5122dbfcf52de27ad700 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 4 ++++ whitechapel/vendor/google/hal_power_default.te | 1 + 3 files changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index cb5ade95..704e0753 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -203,3 +203,6 @@ userdebug_or_eng(` # SecureElement type sysfs_st33spi, sysfs_type, fs_type; + +# Trusty +type sysfs_trusty, sysfs_type, fs_type; 
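Review bot: The quoted denial is `system_suspend` reading a `wakeup11` directory labeled `sysfs`, but this hunk only adds `sysfs_wlc` and `sysfs_batteryinfo` labels for the i2c-2/i2c-3 p9412 and EEPROM nodes; nothing here labels a `wakeup` node as `sysfs_wakeup`. If `wakeup11` lives under `i2c-2/i2c-p9412`, a line such as `genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0` is still missing unless it is covered elsewhere in the file. The commit title also says tracking-denials files are removed, but the diffstat touches only genfs_contexts, so the message and the change do not match.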
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 8f00b4d5..881b7ef5 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -475,6 +475,10 @@ genfscon sysfs /devices/platform/100b0000.G3D u:obje genfscon sysfs /devices/platform/100b0000.ISP u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 +# Trusty +genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 +genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0 + # Coresight ETM genfscon sysfs /devices/platform/25840000.etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/platform/25940000.etm u:object_r:sysfs_devices_cs_etm:s0 diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index 19cd0bb4..122661ae 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -10,6 +10,7 @@ allow hal_power_default sysfs_camera:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; allow hal_power_default sysfs_bcl:dir r_dir_perms; allow hal_power_default sysfs_bcl:file rw_file_perms; +allow hal_power_default sysfs_trusty:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) set_prop(hal_power_default, vendor_camera_debug_prop) set_prop(hal_power_default, vendor_camera_fatp_prop) From 2715a08a73662e3ce1e02121d95aaa3361531ab2 Mon Sep 17 00:00:00 2001 From: Edmond Chung Date: Sun, 24 Apr 2022 15:41:21 -0700 Subject: [PATCH 088/104] Camera: add setsched capability. The camera HAL needs to configure schedule policies for performance optimizations. Bug: 228632527 Test: GCA, adb logcat Change-Id: Ifbf433c026549ca774a9521704d0b0b75c9e9f23 --- whitechapel/vendor/google/hal_camera_default.te | 1 + 1 file changed, 1 insertion(+) 
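Review bot: `allow hal_power_default sysfs_trusty:file rw_file_perms;` gives the power HAL write access to Trusty kernel-module parameters (`use_high_wq` under `trusty_core` and `trusty_virtio`), and the type name `sysfs_trusty` is broad enough that any future genfscon line reusing it silently widens that write access too. Either name the type for what it labels or pin it with a comment in file.te, e.g. `# Trusty workqueue-priority knobs only; do not reuse for other trusty sysfs nodes`. A comment on the hal_power_default line saying why a power HAL toggles Trusty scheduling (the UDFPS bug) would also help, since the connection is not obvious from the rule.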
diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 24246d2f..440b503c 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -1,6 +1,7 @@ type hal_camera_default_tmpfs, file_type; allow hal_camera_default self:global_capability_class_set sys_nice; +allow hal_camera_default kernel:process setsched; binder_use(hal_camera_default); vndbinder_use(hal_camera_default); From 15036785cfcf9b462b9cf001ed3c3d6d8358f034 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Wed, 27 Apr 2022 13:37:16 +0800 Subject: [PATCH 089/104] sepolicy: allow access debugfs charger register dump [ 438.549652] type=1400 audit(1651035282.616:8): avc: denied { read } for comm="dumpstate@1.1-s" name="registers" dev="debugfs" ino=31549 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:debugfs:s0 tclass=file permissive=0 [ 438.550252] type=1400 audit(1651035282.616:9): avc: denied { read } for comm="dumpstate@1.1-s" name="registers" dev="debugfs" ino=31532 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:debugfs:s0 tclass=file permissive=0 Bug: 230360103 Signed-off-by: Jenny Ho Change-Id: I102a159ca23a65d99a52cac3d011f5ce535a37e7 --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 881b7ef5..b2833b78 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
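Review bot: `allow hal_camera_default kernel:process setsched;` lets the camera HAL change the scheduling policy and priority of any thread in the `kernel` domain, which is every kthread on the system, not only camera-related ones; SELinux cannot scope this to particular kthreads because they all share one domain. The rule deserves a comment naming the threads being retuned and the bug, e.g. `# setsched on kernel: camera HAL re-prioritizes its kthreads (b/228632527); note this covers all kernel-domain threads`, and the HAL side should be checked to target only tids it owns. If the kernel exposes a per-device knob for this, a sysfs node with its own label would be a narrower grant. The rest of hal_camera_default.te continues outside the hunk.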
@@ -405,6 +405,8 @@ genfscon debugfs /pm_genpd/pm_genpd_summary genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 From 615f85c22dc0f75452b3284dd4ba7a421d29a602 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 27 Apr 2022 13:18:28 -0700 Subject: [PATCH 090/104] allow udfps hal to access trusty Bug: 229350721 Bug: 230492593 Test: UDFPS with stress Signed-off-by: Wei Wang Change-Id: Ib1abe0e0318689528a6658f3597f1c11ad9fa1c3 --- whitechapel/vendor/google/hal_fingerprint_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index 2b2e852d..56b1605c 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -26,3 +26,6 @@ allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; # Allow fingerprint to read sysfs_display allow hal_fingerprint_default sysfs_display:file r_file_perms; + +# Allow fingerprint to access trusty sysfs +allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; From c6eea8a657cbd9001e52941522def2ab0cfdfb88 Mon Sep 17 00:00:00 2001 
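Review bot: `/max77729_pmic` is a PMIC register dump, not a charger node, yet it is labeled `vendor_charger_debugfs`, so every domain with read access to that type now also reads PMIC registers; the denial suggests that is only `hal_dumpstate_default`, but the type name no longer describes its contents. A comment on the two new lines, `# charger and PMIC register dumps collected by dumpstate (debugfs)`, or a separate `vendor_pmic_debugfs` type, keeps the grant legible. Verify that no domain other than dumpstate holds `vendor_charger_debugfs` read access before merging.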
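Review bot: With this hunk both `hal_fingerprint_default` and `hal_power_default` (granted earlier in this series) hold `rw_file_perms` on the same `sysfs_trusty` module parameters, so two independent HALs can write the global `use_high_wq` knob with nothing visible coordinating them; last writer wins. If the fingerprint HAL only needs to observe the setting, `r_file_perms` suffices; if it writes, the comment should say who owns the knob, e.g. `# fingerprint HAL toggles trusty use_high_wq during UDFPS capture; power HAL may also write it (b/229350721)`. The existing `# Allow fingerprint to access trusty sysfs` comment does not say what the access is for.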
From: Kris Chen Date: Wed, 20 Apr 2022 02:35:41 +0800 Subject: [PATCH 091/104] Allow hal_fingerprint_default to access hal_pixel_display_service Fix the following avc denial: avc: denied { find } for pid=1158 uid=1000 name=com.google.hardware.pixel.display.IDisplay/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:hal_pixel_display_service:s0 tclass=service_manager permissive=0 avc: denied { call } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_graphics_composer_default:s0 tclass=binder permissive=0 Bug: 229716695 Bug: 224573604 Test: build and test fingerprint on device. Change-Id: Id24e65213221048d6dfdeae6ed2bcb7b762a0f75 --- whitechapel/vendor/google/hal_fingerprint_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index 56b1605c..aee24633 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -29,3 +29,7 @@ allow hal_fingerprint_default sysfs_display:file r_file_perms; # Allow fingerprint to access trusty sysfs allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; + +# Allow fingerprint to access display hal +allow hal_fingerprint_default hal_pixel_display_service:service_manager find; +binder_call(hal_fingerprint_default, hal_graphics_composer_default) From 12b3700a38d57516ee02f162241f592c4f37bc31 Mon Sep 17 00:00:00 2001 From: Will McVicker Date: Mon, 2 May 2022 10:09:57 -0700 Subject: [PATCH 092/104] genfs_contexts: add raw i2c-s2mpg10mfd and i2c-s2mpg11mfd nodes This adds the [067]-001f and [178]-002f raw i2c numberings to the sepolicy for the P21-mainline driver which doesn't use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work. Bug: 231155356 
Signed-off-by: Will McVicker Change-Id: I8e4bbbd0768e63e708f46eb42bddb5fc28b29caa --- whitechapel/vendor/google/genfs_contexts | 32 ++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 881b7ef5..0c514a82 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -267,40 +267,72 @@ genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci # ODPM genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
 # bcl sysfs files
 genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
From 7ac349e932b66130d7351bd05fb462362f4d8eac Mon Sep 17 00:00:00 2001
From: Ray Chi
Date: Tue, 1 Mar 2022 21:54:40 +0800
Subject: [PATCH 093/104] Allow hal_usb_gadget_impl to access proc_irq
Bug: 224699556
Test: build pass
Change-Id: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891
Merged-In: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891
(cherry picked from commit 455c3c165348fa9ea65c65b004d4dda1426d04be)
---
 whitechapel/vendor/google/hal_usb_gadget_impl.te | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/whitechapel/vendor/google/hal_usb_gadget_impl.te b/whitechapel/vendor/google/hal_usb_gadget_impl.te
index 5170a8ae..7eb0f632 100644
--- a/whitechapel/vendor/google/hal_usb_gadget_impl.te
+++ b/whitechapel/vendor/google/hal_usb_gadget_impl.te
@@ -12,3 +12,10 @@ set_prop(hal_usb_gadget_impl, vendor_usb_config_prop)
 allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms;
 allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms;
 allow hal_usb_gadget_impl sysfs_extcon:dir search;
+
+# parser the number of dwc3 irq
+allow hal_usb_gadget_impl proc_interrupts:file r_file_perms;
+
+# change irq to other cores
+allow hal_usb_gadget_impl proc_irq:dir r_dir_perms;
+allow hal_usb_gadget_impl proc_irq:file w_file_perms;
From 503fa0901031f42b064be9c3daf0827868a91b9e Mon Sep 17 00:00:00 2001
From: Ray Chi
Date: Wed, 4 May 2022 09:49:17 +0800
Subject: [PATCH 094/104] Revert "add sepolicy for set_usb_irq.sh"
This reverts commit 714075eba72067489d08c36b87bfed9656092b2c.
Bug: 224699556
Test: build pass
Change-Id: Ie275e48ee87c4e9f5c83b7802c3f3baa12ad30af
Merged-In: Ie275e48ee87c4e9f5c83b7802c3f3baa12ad30af
(cherry picked from commit bf9ec40ab79d9546ecbf7b5c8b8ac0779d8153dc)
---
 whitechapel/vendor/google/file_contexts | 1 -
 whitechapel/vendor/google/set-usb-irq-sh.te | 13 -------------
 2 files changed, 14 deletions(-)
 delete mode 100644 whitechapel/vendor/google/set-usb-irq-sh.te
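Review bot: `allow hal_usb_gadget_impl proc_irq:file w_file_perms;` is broader than the comment above it suggests: proc_irq labels every node under /proc/irq, so the HAL may write the affinity of any interrupt on the system, not only the dwc3 one it looks up through proc_interrupts, and nothing in the hunk or the message bounds that. The set-usb-irq-sh domain that the next patch reverts carried a `dontaudit … self:capability dac_override` because /proc/irq nodes can vanish while being written; the HAL presumably faces the same race and should tolerate a failed write rather than need that relaxation — worth confirming. The comments also have a typo and understate the grant; suggest `# parse /proc/interrupts to find the dwc3 irq number` and `# retarget the dwc3 irq to other cores (proc_irq covers every /proc/irq node, so the write is not limited to dwc3)`.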
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 05e49591..10ffc7af 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -280,7 +280,6 @@
 /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
 # USB
-/vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0
 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
 # NFC
diff --git a/whitechapel/vendor/google/set-usb-irq-sh.te b/whitechapel/vendor/google/set-usb-irq-sh.te
deleted file mode 100644
index a00fe3bb..00000000
--- a/whitechapel/vendor/google/set-usb-irq-sh.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type set-usb-irq-sh, domain;
-type set-usb-irq-sh_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(set-usb-irq-sh)
-
-allow set-usb-irq-sh vendor_toolbox_exec:file execute_no_trans;
-
-allow set-usb-irq-sh proc_irq:dir r_dir_perms;
-allow set-usb-irq-sh proc_irq:file w_file_perms;
-
-# AFAICT this happens if /proc/irq updates as we're running
-# and we end up trying to write into non-existing file,
-# which implies creation...
-dontaudit set-usb-irq-sh self:capability dac_override;
From 9cbc9eceecefab98eebb7fd598aba4f8ff64f71d Mon Sep 17 00:00:00 2001
From: Will McVicker
Date: Thu, 5 May 2022 15:58:08 -0700
Subject: [PATCH 095/104] genfs_contexts: fix more i2c raw paths
These were added in commit 8a19d8be9c35 ("genfs_contexts: fix path for i2c peripheral devices") to address missing i2c paths when kernel modules are loaded in parallel. The raw i2c paths were not added in that commit. So add them here in order to fix a vibrator crash for P21-mainline due to not having the named i2c paths.
Bug: 231637004
Fixes: 8a19d8be9c35 ("genfs_contexts: fix path for i2c peripheral devices")
Change-Id: I02dfff504704f761c99c328b39595789c2cbeef5
---
 whitechapel/vendor/google/genfs_contexts | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 17a5a0bc..2e73f80d 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -88,6 +88,13 @@ genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0
@@ -202,15 +209,27 @@ genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
From 59f29edf9259012639d097f8781769b39bb9f4bb Mon Sep 17 00:00:00 2001
From: Lily Lin
Date: Thu, 28 Apr 2022 19:04:18 +0800
Subject: [PATCH 096/104] Add selinux permissions to r/w sysfs st33spi_state
Bug: 228655141
Test: Confirm can read/write st33spi_state
Change-Id: I65299414d6268580dc532170759459147378418b
---
 whitechapel/vendor/google/euiccpixel_app.te | 4 ++++
 whitechapel/vendor/google/file.te | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/whitechapel/vendor/google/euiccpixel_app.te b/whitechapel/vendor/google/euiccpixel_app.te
index db71a871..8763117f 100644
--- a/whitechapel/vendor/google/euiccpixel_app.te
+++ b/whitechapel/vendor/google/euiccpixel_app.te
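Review bot: The six added lines for bus 6 and bus 7 keep the client name from the i2c-0 block (`i2c-6/0-001f/…`, `i2c-7/0-001f/…`), whereas an i2c client directory is named `<adapter>-<addr>` — exactly the form used three lines further down (`i2c-7/7-002f/wakeup`, `i2c-8/8-002f/wakeup`) and in this patch's vibrator hunk (`i2c-6/6-0043`, `i2c-7/7-0043`). If that is a copy-paste slip, these genfscon entries never match, the s2mpg10 wakeup nodes on bus 6/7 keep the default sysfs label, and the denial this series is chasing stays on devices where parallel module loading lands the PMIC on those buses. Suggested change for the six lines: `i2c-6/6-001f/...` and `i2c-7/7-001f/...`, after confirming the directory name on an affected device.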
@@ -21,5 +21,9 @@ userdebug_or_eng(`
 # Access to directly upgrade firmware on st33spi_device used for engineering devices
 typeattribute st33spi_device mlstrustedobject;
 allow euiccpixel_app st33spi_device:chr_file rw_file_perms;
+
+ allow euiccpixel_app sysfs_st33spi:dir search;
+ allow euiccpixel_app sysfs_st33spi:file rw_file_perms;
+ allow euiccpixel_app sysfs_touch:dir search;
 ')
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 704e0753..673bc785 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -203,6 +203,9 @@ userdebug_or_eng(`
 # SecureElement
 type sysfs_st33spi, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_st33spi mlstrustedobject;
+')
 # Trusty
 type sysfs_trusty, sysfs_type, fs_type;
From a5e9b426ebaec1757e01d82ae3e7f75cbc111634 Mon Sep 17 00:00:00 2001
From: Jerry Huang
Date: Wed, 16 Feb 2022 01:15:03 +0800
Subject: [PATCH 097/104] Allow mediacodec to access vendor_data_file
For dumping output buffer of HDR to SDR fliter. This patch fixes the following denial:
05-06 15:26:54.248 1046 856 856 W HwBinder:856_4: type=1400 audit(0.0:174404): avc: denied { getattr } for name="/" dev="dmabuf" ino=1 scontext=u:r:mediacodec:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=0
Bug: 229360116
Change-Id: I41acb29407a7ddb27279a834e27c5ee515efe666
---
 whitechapel/vendor/google/mediacodec.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te
index ed7c1adf..0c22d5bf 100644
--- a/whitechapel/vendor/google/mediacodec.te
+++ b/whitechapel/vendor/google/mediacodec.te
@@ -1,5 +1,7 @@
 userdebug_or_eng(`
 set_prop(mediacodec, vendor_codec2_debug_prop)
+ allow mediacodec vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec vendor_media_data_file:file create_file_perms;
 ')
 add_service(mediacodec, eco_service)
From 9f214e0453df397eb7121c1c5e0b6c3601fe1343 Mon Sep 17 00:00:00 2001
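Review bot: `allow euiccpixel_app sysfs_touch:dir search;` is not covered by the subject (r/w on st33spi_state) and carries no comment, so a later reader cannot tell whether the st33spi sysfs node sits under a directory labelled sysfs_touch or whether this is an unrelated grant that slipped in. A one-line comment naming the path that requires the search would settle it, e.g. `# st33spi_state is reached through <PATH> (labelled sysfs_touch), hence dir search`, with the placeholder filled from the device. The rest of the hunk is consistent with the surrounding block: the sysfs_st33spi rules stay inside userdebug_or_eng, and the file.te hunk below adds the matching mlstrustedobject attribute under the same gate.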
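Review bot: The denial quoted in the commit message is `getattr` on the dmabuf filesystem labelled `unlabeled`, but the two rules added grant mediacodec create/rw on `vendor_media_data_file` dirs and files; neither rule can satisfy the quoted denial, so either the message cites the wrong log line or that denial is still outstanding and will keep appearing on userdebug builds. The rules themselves are appropriately confined to the userdebug_or_eng block beside the existing debug set_prop. A why-comment would help the next reader, e.g. `# debug builds only: dump HDR->SDR filter output buffers under vendor media data`.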
From: jonerlin
Date: Fri, 13 May 2022 14:39:00 +0800
Subject: [PATCH 098/104] Grant policy for BluetoothHal Extionsion feature
Bug: 228943442
Test: Manually
Change-Id: I00b37c1f74ca9b904df2319d2c58d34228e9678b
---
 bluetooth/hwservice_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts
index 1b4f5445..8480b4e1 100644
--- a/bluetooth/hwservice_contexts
+++ b/bluetooth/hwservice_contexts
@@ -3,3 +3,4 @@ hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r
 hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
 hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0
 hardware.google.bluetooth.ewp::IBluetoothEwp u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.ext::IBluetoothExt u:object_r:hal_bluetooth_coexistence_hwservice:s0
From 7347d18b7392b84a570fd9df223e0ef0b089198b Mon Sep 17 00:00:00 2001
From: Kyle Tso
Date: Mon, 16 May 2022 18:03:29 +0800
Subject: [PATCH 099/104] Add logbuffer_pogo_transfer file_contexts
Bug: 232556226
Signed-off-by: Kyle Tso
Change-Id: I1037d39f4187807e6aa9753339fae29e3bc89359
Merged-In: I1037d39f4187807e6aa9753339fae29e3bc89359
---
 whitechapel/vendor/google/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 10ffc7af..c98edb0c 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -96,6 +96,7 @@
 /dev/umts_boot0 u:object_r:radio_device:s0
 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
+/dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0
 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0
 /dev/logbuffer_ttf u:object_r:logbuffer_device:s0
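Review bot: The subject says `logbuffer_pogo_transfer` but the entry added is `/dev/logbuffer_pogo_transport`; one of the two is a typo, and if the node the driver actually creates is spelled as in the subject, this file_contexts line never matches and the device node keeps the generic label instead of `logbuffer_device`. Worth checking the node name against the driver before merging and correcting whichever side is wrong.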
From f276625942b502cd5b481a8f175a79d2a755cdf6 Mon Sep 17 00:00:00 2001
From: Jidong Sun
Date: Fri, 3 Jun 2022 17:16:47 -0700
Subject: [PATCH 100/104] gs101: Allow BootControl to access sysfs blow_ar
Bug: 232277507
Signed-off-by: Jidong Sun
Change-Id: I120672722a5ab8b5cadf0dce6d872e00c9fae642
---
 whitechapel/vendor/google/file.te | 3 +++
 whitechapel/vendor/google/genfs_contexts | 3 +++
 whitechapel/vendor/google/hal_bootctl_default.te | 1 +
 3 files changed, 7 insertions(+)
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 673bc785..0c7a56d8 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -209,3 +209,6 @@ userdebug_or_eng(`
 # Trusty
 type sysfs_trusty, sysfs_type, fs_type;
+
+# BootControl
+type sysfs_bootctl, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 2e73f80d..d3300e28 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -541,3 +541,6 @@ genfscon sysfs /devices/platform/25c40000.etm u:object_r:sysfs_devices_cs_etm
 genfscon sysfs /devices/platform/25d40000.etm u:object_r:sysfs_devices_cs_etm:s0
 genfscon sysfs /devices/platform/25e40000.etm u:object_r:sysfs_devices_cs_etm:s0
 genfscon sysfs /devices/platform/25f40000.etm u:object_r:sysfs_devices_cs_etm:s0
+
+# BootControl
+genfscon sysfs /kernel/boot_control/blow_ar u:object_r:sysfs_bootctl:s0
diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te
index 30db79bd..a9f9cdea 100644
--- a/whitechapel/vendor/google/hal_bootctl_default.te
+++ b/whitechapel/vendor/google/hal_bootctl_default.te
@@ -1,3 +1,4 @@
 allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default sysfs_ota:file rw_file_perms;
+allow hal_bootctl_default sysfs_bootctl:file rw_file_perms;
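Review bot: `allow hal_bootctl_default sysfs_bootctl:file rw_file_perms;` has no comment, and none of the three hunks says what writing /kernel/boot_control/blow_ar does; the name suggests an anti-rollback fuse or counter update, which would be a one-way operation worth stating next to the rule so that nobody later widens the type or the grant casually. Suggested comment above the allow: `# /sys/kernel/boot_control/blow_ar — presumably commits the anti-rollback index; TODO confirm semantics and whether read access is needed or write alone suffices`. Note also that sysfs_bootctl is bound to that single path in genfs_contexts, so sibling nodes added under /kernel/boot_control later will not inherit the label and will need their own entries.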
From acf18a6f23a2f98b0e31c6f03c4214fd38d2c496 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 9 Jun 2022 10:04:28 +0800
Subject: [PATCH 101/104] remove obsolete sepolicy
Bug: 193474772
Bug: 193726003
Bug: 193009345
Bug: 190337283
Bug: 226717475
Test: boot with no relevant avc error shows up
Change-Id: I8af2693fb7726e49d9b6d1c13010840a0b581326
---
 private/fsverity_init.te | 2 --
 tracking_denials/dumpstate.te | 4 ----
 tracking_denials/init-insmod-sh.te | 4 ----
 tracking_denials/uwb_vendor_app.te | 2 --
 4 files changed, 12 deletions(-)
 delete mode 100644 private/fsverity_init.te
 delete mode 100644 tracking_denials/init-insmod-sh.te
 delete mode 100644 tracking_denials/uwb_vendor_app.te
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index ed3728d6..00000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193474772
-dontaudit fsverity_init domain:key view;
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index fc4afa4d..ffb8518c 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,2 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/190337283
-dontaudit dumpstate debugfs_wakeup_sources:file read;
-# b/226717475
-dontaudit dumpstate app_zygote:process { signal };
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
deleted file mode 100644
index 8b2358b2..00000000
--- a/tracking_denials/init-insmod-sh.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/193474772
-dontaudit init-insmod-sh self:key write;
-# b/193726003
-dontaudit init-insmod-sh debugfs_bootreceiver_tracing:dir search;
diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te
deleted file mode 100644
index 91933c0d..00000000
--- a/tracking_denials/uwb_vendor_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193009345
-dontaudit uwb_vendor_app radio_service:service_manager find;
From 2bb24e91b3d7d2e5f60327c3532fd785427ca99e Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 9 Jun 2022 11:59:06 +0800
Subject: [PATCH 102/104] remove obsolete entries
Bug: 190337296
Bug: 228181404
Test: adb bugreport
Change-Id: Ibd5ea9d9d56b7da9b17f78f22aef985d5f33df94
---
 tracking_denials/incidentd.te | 2 --
 tracking_denials/kernel.te | 2 --
 2 files changed, 4 deletions(-)
 delete mode 100644 tracking_denials/incidentd.te
 delete mode 100644 tracking_denials/kernel.te
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index a67cc1b9..00000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/190337296
-dontaudit incidentd debugfs_wakeup_sources:file read;
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
deleted file mode 100644
index 21776b79..00000000
--- a/tracking_denials/kernel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#b/228181404
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
\ No newline at end of file
From 143668225a66a443de0c6837a29f64acdee45fb4 Mon Sep 17 00:00:00 2001
From: JimiChen
Date: Sat, 11 Jun 2022 15:39:19 +0800
Subject: [PATCH 103/104] allow rlsservice read vendor camera property
Bug: 233020488
Test: no avc denied
Change-Id: I96dee4482d4c0ff5b7852db635dc100a7ea4874c
---
 whitechapel/vendor/google/rlsservice.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te
index 425620f3..3086bcad 100644
--- a/whitechapel/vendor/google/rlsservice.te
+++ b/whitechapel/vendor/google/rlsservice.te
@@ -32,3 +32,6 @@ usf_low_latency_transport(rlsservice)
 # For observing apex file changes
 allow rlsservice apex_info_file:file r_file_perms;
+
+# Allow read camera property
+get_prop(rlsservice, vendor_camera_prop);
From b20e917ebf90ea72c670f73905433a10cf99de61 Mon Sep 17 00:00:00 2001
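Review bot: `get_prop(rlsservice, vendor_camera_prop);` ends with a semicolon while the macro call in the hunk header, `usf_low_latency_transport(rlsservice)`, does not; the macro already expands to a terminated rule, so the trailing `;` is redundant and inconsistent with the file's style. Suggest `get_prop(rlsservice, vendor_camera_prop)`. The comment could also say why the property is needed, since the commit message only restates the rule, e.g. `# read vendor camera properties (presumably camera-state gating — TODO confirm)`.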
From: Steven Moreland
Date: Fri, 15 Jul 2022 19:55:13 +0000
Subject: [PATCH 104/104] Remove vendor_service.
We want to avoid associating types with where they can be used.
Bug: 237115222
Test: build
Change-Id: I4766227e2261d0d57be090933926ff3b439694f6
Merged-In: I4766227e2261d0d57be090933926ff3b439694f6
(cherry picked from commit 81ccf8d7192ebc37d9def36e23f91171d7a7344d)
---
 edgetpu/service.te | 4 ++--
 whitechapel/vendor/google/service.te | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/edgetpu/service.te b/edgetpu/service.te
index 46bee033..09fa9cba 100644
--- a/edgetpu/service.te
+++ b/edgetpu/service.te
@@ -1,5 +1,5 @@
 # EdgeTPU binder service type declaration.
 type edgetpu_app_service, service_manager_type;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
+type edgetpu_vendor_service, service_manager_type, hal_service_type;
+type edgetpu_nnapi_service, app_api_service, service_manager_type;
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index 8d5dc1ee..b87c99e1 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,2 +1,2 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
-type hal_uwb_vendor_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_uwb_vendor_service, service_manager_type, hal_service_type;
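Review bot: `edgetpu_vendor_service` gains `hal_service_type` while `edgetpu_nnapi_service`, previously declared with the same `vendor_service` attribute, only loses it; the asymmetry is not explained in the hunk or the message, so a reader of this file cannot tell whether it is deliberate (perhaps because that type already carries `app_api_service`) or an oversight. A comment beside the nnapi line would settle it, e.g. `# app-facing (app_api_service); intentionally not hal_service_type — TODO confirm`. The whitechapel service.te hunk below applies the vendor_service to hal_service_type swap uniformly, which is consistent with the stated intent.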