From 7bfcc6f4e5d0cc2b31e856a5820c92368a50a438 Mon Sep 17 00:00:00 2001 From: Asad Ali Date: Tue, 26 Apr 2022 21:38:27 +0000 Subject: [PATCH 01/20] Allow chre to communicate with fwk_stats_service. Bug: 230788686 Test: Logged atoms using CHRE + log atom extension. Change-Id: I0683a224d61cdc8c927360ebad3de115ed431e1a (cherry picked from commit c6ea8d1656662de3c7289f0040f16dc5a34550ab) --- whitechapel/vendor/google/chre.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 67ba090a..9dfd9bf6 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te @@ -18,3 +18,8 @@ usf_low_latency_transport(chre) # Allow CHRE to talk to the WiFi HAL allow chre hal_wifi_ext:binder { call transfer }; allow chre hal_wifi_ext_hwservice:hwservice_manager find; + +# Allow CHRE host to talk to stats service +allow chre fwk_stats_service:service_manager find; +binder_call(chre, stats_service_server) + From 5675757d41bfcdfd84ad4e4cee4ea1f0938d4b05 Mon Sep 17 00:00:00 2001 From: Richard Hsu Date: Sat, 7 May 2022 21:37:28 -0700 Subject: [PATCH 02/20] [SELinux] Allow NNAPI HAL to log traces to perfetto under userdebug builds Allows DarwiNN NNAPI HAL to log traces to perfetto only under userdebug builds. This is similar to the camera HAL fix in ag/17080874 Error message: TracingMuxer: type=1400 audit(0.0:486): avc: denied { write } for name="traced_producer" dev="tmpfs" ino=1116 scontext=u:r:hal_neuralnetworks_darwinn:s0 This rule is common for EdgeTPU in both WHI and PRO. Bug: 231838536 Test: tested on PRO before and after the change, and the traces now shows up. Example: https://ui.perfetto.dev/#!/?s=ab911b3972bc16a1a831e148a7446c09757a08426bbe3c3b16d31a728b1d923 https://screenshot.googleplex.com/3roWETkTFyiDjW9 Change-Id: I8d4a57e262087aa4ec6670a487d7b06d2f2cde69 --- edgetpu/hal_neuralnetworks_darwinn.te | 4 ++++ 1 file changed, 4 insertions(+) 
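Review bot: The hunk ends by adding an empty line after `binder_call(chre, stats_service_server)`, which leaves chre.te with a trailing blank line; drop that extra `+` line so the file ends directly after the macro. The comment could also say what the pair of rules is for, since together they let a vendor domain call across into the framework stats service: `# Allow CHRE host to log atoms to the framework stats service (b/230788686)`. The grant is unconditional, so it is worth confirming that atom logging is needed on user builds rather than only under userdebug_or_eng.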
diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te index 18960713..f301a729 100644 --- a/edgetpu/hal_neuralnetworks_darwinn.te +++ b/edgetpu/hal_neuralnetworks_darwinn.te @@ -47,3 +47,7 @@ allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms; # Allows the NNAPI HAL to access the edgetpu_app_service allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find; binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server); + +# Allow NNAPI HAL to send trace packets to Perfetto with SELinux enabled +# under userdebug builds. +userdebug_or_eng(`perfetto_producer(hal_neuralnetworks_darwinn)') From d479f730b07c44abb199292d589bf1aa92fbb555 Mon Sep 17 00:00:00 2001 From: George Chang Date: Wed, 30 Mar 2022 22:36:58 +0800 Subject: [PATCH 03/20] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Merged-In: I288474f691670655516728fe0e164a3e5689875c Change-Id: I288474f691670655516728fe0e164a3e5689875c --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 10ffc7af..5327e334 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -283,7 +283,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 From 3b0a628ef4c756b97486ecd5a63d25f1df2afd74 Mon Sep 17 00:00:00 2001 
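Review bot: The new comment's phrase `with SELinux enabled` adds nothing, since every rule in this file only matters when SELinux is enforcing; `# Allow the NNAPI HAL to send trace packets to Perfetto on userdebug/eng builds only.` says the same thing more directly. Because the grant is wrapped in userdebug_or_eng, the traced_producer denial quoted in the description will presumably still be logged on user builds whenever the HAL attempts to trace; if that noise matters, an unconditional dontaudit for the traced socket, as the camera HAL change later in this series does, is the usual complement.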
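Review bot: Patches 03 and 04 carry the same Change-Id I288474f691670655516728fe0e164a3e5689875c and make the identical one-line edit to file_contexts against different base blobs (10ffc7af and c98edb0c), so once the first lands the second is either a no-op or fails to apply; one of them should be dropped from the series. On the content, the HIDL entry `android\.hardware\.nfc@1\.2-service\.st` is removed rather than kept beside the AIDL one; if the 1.2 binary can still be present on any build it would fall back to the default vendor binary label and lose the hal_nfc_default domain transition, so confirm the old service is gone from the image.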
From: George Chang Date: Wed, 30 Mar 2022 22:36:58 +0800 Subject: [PATCH 04/20] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Merged-In: I288474f691670655516728fe0e164a3e5689875c Change-Id: I288474f691670655516728fe0e164a3e5689875c --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c98edb0c..2a802f4b 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -284,7 +284,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 From fbcf66a04a78b7ec23946bddb5888b1c6fe95275 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Tue, 10 May 2022 05:12:05 +0000 Subject: [PATCH 05/20] gs101: Add dontaudit statements to camera HAL policy. The autogenerated dontaudit statements in tracking_denials are actually the correct policy. Move them to the correct file and add comments. Fix: 178980085 Fix: 180567725 Fix: 218585004 Test: build & camera check on raven Change-Id: I3f3a1f64d403182d4f592f1cacc6ef8d1418062d (cherry picked from commit b71d24d62c578494fa381acbe63e3a51fca75811) --- tracking_denials/hal_camera_default.te | 5 ----- whitechapel/vendor/google/hal_camera_default.te | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/hal_camera_default.te diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te deleted file mode 100644 index 6ab5a51c..00000000 
--- a/tracking_denials/hal_camera_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/178980085 -dontaudit hal_camera_default system_data_file:dir { search }; -# b/180567725 -dontaudit hal_camera_default traced:unix_stream_socket { connectto }; -dontaudit hal_camera_default traced_producer_socket:sock_file { write }; diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 440b503c..2e36e4a8 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -96,3 +96,11 @@ allow hal_camera_default proc_interrupts:file r_file_perms; # Allow camera HAL to send trace packets to Perfetto userdebug_or_eng(`perfetto_producer(hal_camera_default)') + +# Some file searches attempt to access system data and are denied. +# This is benign and can be ignored. +dontaudit hal_camera_default system_data_file:dir { search }; + +# google3 prebuilts attempt to connect to the wrong trace socket, ignore them. +dontaudit hal_camera_default traced:unix_stream_socket { connectto }; +dontaudit hal_camera_default traced_producer_socket:sock_file { write }; \ No newline at end of file From bf1333f881ffe337a140982f5888b91be0797a6a Mon Sep 17 00:00:00 2001 From: matthuang Date: Mon, 9 May 2022 15:19:36 +0800 Subject: [PATCH 06/20] Add acd-com.google.usf.non_wake_up file to AoC file context. Bug: 195077076 Test: ls -lZ dev/acd-com.google.usf.non_wake_up Change-Id: If9add3528bde47a618bd884ce28121b6fa32754c --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 2a802f4b..bcad888d 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
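Review bot: The rebuilt hal_camera_default.te ends without a newline (`\ No newline at end of file` after the last dontaudit); add the terminating newline so the next append does not splice onto that line. The bug references that the deleted tracking_denials file carried (`# b/178980085`, `# b/180567725`) are dropped from the new comments, so the link between each dontaudit and its tracking bug is lost; keep them, e.g. `# b/178980085: some file searches attempt to access system data and are denied.` The traced dontaudits are unconditional while `perfetto_producer` just above them is userdebug_or_eng-only, which reads as intended (connect attempts are silenced rather than allowed on user builds), but a word to that effect in the comment would save the next reader the inference.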
@@ -248,6 +248,7 @@ # Sensors /data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0 /dev/acd-com.google.usf u:object_r:aoc_device:s0 +/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 /dev/acd-logging u:object_r:aoc_device:s0 /dev/aoc u:object_r:aoc_device:s0 From a9157994c3e376ff6fc12be5f31502c0cd447744 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Mon, 6 Jun 2022 20:36:44 +0800 Subject: [PATCH 07/20] modem_svc: Fix avc error avc: denied { write } for comm="modem_svc_sit" name="modem_stat" dev="dm-42" ino=331 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0 Bug: 234844823 Change-Id: I51db41d73be317cc7fc84981ac5f04e254a360d0 Merged-In: I51db41d73be317cc7fc84981ac5f04e254a360d0 --- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/modem_svc_sit.te | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 2a802f4b..4cb534ac 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -268,7 +268,7 @@ # modem_svc_sit files /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 -/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 +/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 # modem mnt files /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index eeba9976..f664359d 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te 
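Review bot: The new entry `/dev/acd-com.google.usf.non_wake_up` leaves its dots unescaped, so as a file_contexts regex each `.` matches any character; the existing `/dev/acd-com.google.usf` line has the same issue, whereas other paths in this file escape dots (`disable_contaminant_detection\.sh`, `debug\.txt`). Prefer `/dev/acd-com\.google\.usf\.non_wake_up u:object_r:aoc_device:s0` so only the intended node receives the aoc_device label. The practical impact is presumably small because every acd-* node here maps to the same type, but the strict form is what the rest of the file uses.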
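Review bot: Widening `/data/vendor/modem_stat/debug\.txt` to `/data/vendor/modem_stat(/.*)?` relabels the directory itself, which the denial in the description shows is currently labelled vendor_data_file on devices in the field; make sure the directory is recreated or relabelled on upgrade, otherwise modem_svc_sit keeps hitting the old label until a restorecon runs. I believe file_contexts changes under /data only take effect for existing paths through an explicit restorecon, so this deserves a check on an upgrading device rather than a fresh flash.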
@@ -14,6 +14,7 @@ allow modem_svc_sit radio_device:chr_file rw_file_perms; # Grant vendor radio and modem file/dir creation permission allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms; allow modem_svc_sit radio_vendor_data_file:file create_file_perms; +allow modem_svc_sit modem_stat_data_file:dir create_dir_perms; allow modem_svc_sit modem_stat_data_file:file create_file_perms; allow modem_svc_sit mnt_vendor_file:dir search; From 24553295365c7f5c11c7024ad405c79a1a743223 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Mon, 20 Jun 2022 15:55:16 +0800 Subject: [PATCH 08/20] hal_dumpstate_default: fix avc error avc: denied { search } for comm="dumpstate@1.1-s" name="modem_stat" dev="dm-44" ino=341 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:modem_stat_data_file:s0 tclass=dir Bug: 235963885 Change-Id: Ib9625eefc367738bcd6594884b1f3b5e3ab5be54 Merged-In: Ib9625eefc367738bcd6594884b1f3b5e3ab5be54 --- whitechapel/vendor/google/hal_dumpstate_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 66c51b7c..01c69b49 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -67,6 +67,7 @@ allow hal_dumpstate_default sysfs_thermal:lnk_file read; # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; +allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms; allow hal_dumpstate_default modem_stat_data_file:file r_file_perms; allow hal_dumpstate_default vendor_slog_file:file r_file_perms; From c96220c28241250b18ce5d86e4e40abd4290d64b Mon Sep 17 00:00:00 2001 
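Review bot: `create_dir_perms` on modem_stat_data_file:dir grants more than the single `write` the quoted denial asked for; the macro also covers rmdir, reparent and setattr. If modem_svc_sit only needs to create its stats files inside the directory, `allow modem_svc_sit modem_stat_data_file:dir rw_dir_perms;` is the narrower grant. If the daemon also creates or removes the directory itself, keep the wider form but say so in a comment above the line.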
From: matthuang Date: Mon, 18 Jul 2022 15:12:45 +0800 Subject: [PATCH 09/20] Add security context for com.google.usf.non_wake_up/wakeup. Bug: 195077076 Test: Confirm there is no avc denied log. Change-Id: I8600283d9ff2ebcb45df95e5259484a60921fb1a --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index d3300e28..50853f0f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -205,6 +205,7 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 From 81ccf8d7192ebc37d9def36e23f91171d7a7344d Mon Sep 17 00:00:00 2001 From: Steven Moreland Date: Fri, 15 Jul 2022 19:55:13 +0000 Subject: [PATCH 10/20] Remove vendor_service. We want to avoid associating types with where they can be used. Bug: 237115222 Test: build Change-Id: I4766227e2261d0d57be090933926ff3b439694f6 --- edgetpu/service.te | 4 ++-- whitechapel/vendor/google/service.te | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/edgetpu/service.te b/edgetpu/service.te index 46bee033..09fa9cba 100644 --- a/edgetpu/service.te 
+++ b/edgetpu/service.te @@ -1,5 +1,5 @@ # EdgeTPU binder service type declaration. type edgetpu_app_service, service_manager_type; -type edgetpu_vendor_service, service_manager_type, vendor_service; -type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service; +type edgetpu_vendor_service, service_manager_type, hal_service_type; +type edgetpu_nnapi_service, app_api_service, service_manager_type; diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 8d5dc1ee..b87c99e1 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,2 +1,2 @@ -type hal_pixel_display_service, service_manager_type, vendor_service; -type hal_uwb_vendor_service, service_manager_type, vendor_service; +type hal_pixel_display_service, service_manager_type, hal_service_type; +type hal_uwb_vendor_service, service_manager_type, hal_service_type; From 5ea60d634843ca867a47503b0d3fc6ec495b8aa5 Mon Sep 17 00:00:00 2001 From: Roger Liao Date: Thu, 28 Jul 2022 15:38:04 +0800 Subject: [PATCH 11/20] Fix build break if BOARD_WITHOUT_RADIO Fix ERROR 'unknown type radio_vendor_data_file' Bug: 235907512 Change-Id: I55e88c9364b42db262c057a2aa85816944c1c761 --- telephony/user/file.te | 5 ----- telephony/user/file_contexts | 2 -- whitechapel/vendor/google/file.te | 6 ++++++ whitechapel/vendor/google/file_contexts | 2 ++ 4 files changed, 8 insertions(+), 7 deletions(-) delete mode 100644 telephony/user/file.te diff --git a/telephony/user/file.te b/telephony/user/file.te deleted file mode 100644 index 05f3c5e2..00000000 --- a/telephony/user/file.te +++ /dev/null @@ -1,5 +0,0 @@ -# Radio -type radio_vendor_data_file, file_type, data_file_type; -userdebug_or_eng(` - typeattribute radio_vendor_data_file mlstrustedobject; -') diff --git a/telephony/user/file_contexts b/telephony/user/file_contexts index 1e0c1a44..1aafb7e3 100644 --- a/telephony/user/file_contexts +++ b/telephony/user/file_contexts 
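Review bot: `edgetpu_nnapi_service` loses `vendor_service` without gaining `hal_service_type`, unlike `edgetpu_vendor_service` and the two whitechapel types in this commit, which are switched to `hal_service_type`. If that is intentional because the service is app-facing (`app_api_service`) rather than a HAL, a comment on the line would stop a later "fix" from re-adding the attribute, e.g. `# app-facing service, deliberately not hal_service_type`. If it was an oversight, the line should read `type edgetpu_nnapi_service, app_api_service, service_manager_type, hal_service_type;`.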
@@ -1,5 +1,3 @@ # ECC List /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 -# Radio files. -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 0c7a56d8..847499d1 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -212,3 +212,9 @@ type sysfs_trusty, sysfs_type, fs_type; # BootControl type sysfs_bootctl, sysfs_type, fs_type; + +# Radio +type radio_vendor_data_file, file_type, data_file_type; +userdebug_or_eng(` + typeattribute radio_vendor_data_file mlstrustedobject; +') diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 80344efc..253e7452 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -434,3 +434,5 @@ # Raw HID device /dev/hidraw[0-9]* u:object_r:hidraw_device:s0 +# Radio files. +/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 From 1673f215452af160fe0bafd9f8632a70eaf3a70b Mon Sep 17 00:00:00 2001 From: Bruce Po Date: Fri, 29 Jul 2022 23:43:45 +0000 Subject: [PATCH 12/20] Allow aocd to access acd-offload nodes For 3-ch hotword feature, aocd daemon will access two new file nodes (b/235648212), which will be used for transmitting audio to/from AOC. BUG: 240744178 Change-Id: Ie0a9403d0dca06befdb807067adb9babc4f28bfc --- whitechapel/vendor/google/file_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 253e7452..da2222b2 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
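Review bot: The relocated `/data/vendor/radio(/.*)?` entry is appended under the `# Raw HID device` block at the end of whitechapel file_contexts rather than next to the other `/data/vendor/...` entries such as `/data/vendor/modem_stat`, so the file's grouping by path no longer holds; move it beside the modem entries, which is where a reader looks for radio paths. The type move itself looks consistent: the userdebug_or_eng mlstrustedobject attribute from the deleted telephony/user/file.te is carried over verbatim into whitechapel/vendor/google/file.te.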
@@ -319,6 +319,8 @@ /dev/acd-debug u:object_r:aoc_device:s0 /dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 /dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 +/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0 +/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0 /dev/amcs u:object_r:amcs_device:s0 # AudioMetric From 0bbfb98cace63579ed685e0a3391d737e39a1a2d Mon Sep 17 00:00:00 2001 From: yixuanjiang Date: Mon, 8 Aug 2022 11:46:53 +0800 Subject: [PATCH 13/20] aoc: add audio property for pixellogger update control Bug: 241059471 Test: local verify Signed-off-by: yixuanjiang Change-Id: I13df2ea88b884756d3a872da545e877ed6b1e033 --- whitechapel/vendor/google/property_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5eba1f8d..29e35d96 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -61,6 +61,8 @@ vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0 vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0 vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 +vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0 +vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0 # for display From 4b4afb2eeae1e26a20b8346811fd5c8904f85b42 Mon Sep 17 00:00:00 2001 
From: Robb Glasser Date: Thu, 18 Aug 2022 16:54:46 -0700 Subject: [PATCH 14/20] Give permissions to save usf stats and dump them in bugreports. Creating a mechanism to save some USF stat history to device and pipe it to bugreports. Granting permissions so that this can work. Bug: 242320914 Test: Stats save and are visible in a bugreport. Change-Id: Ia1973800ed053f54da043d306e11c0a7b10132a7 --- usf/file.te | 4 ++++ usf/file_contexts | 2 ++ usf/sensor_hal.te | 6 ++++++ whitechapel/vendor/google/hal_dumpstate_default.te | 4 ++++ 4 files changed, 16 insertions(+) diff --git a/usf/file.te b/usf/file.te index e264c277..8f49e32b 100644 --- a/usf/file.te +++ b/usf/file.te @@ -10,3 +10,7 @@ type persist_sensor_reg_file, file_type, vendor_persist_type; # end with "data_file". type sensor_reg_data_file, file_type, data_file_type; +# Declare the sensor debug data file type. By convention, data file types +# end with "data_file". +type sensor_debug_data_file, file_type, data_file_type; + diff --git a/usf/file_contexts b/usf/file_contexts index ff3d41d3..3c7833b1 100644 --- a/usf/file_contexts +++ b/usf/file_contexts @@ -8,3 +8,5 @@ # Sensor registry data files. /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 +# Sensor debug data files. +/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0 diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index bda44c9f..491d6403 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te 
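Review bot: The usf/file.te hunk appends an empty `+` line after `type sensor_debug_data_file, file_type, data_file_type;`, leaving the file with a trailing blank line; drop it so the file ends at the declaration. Otherwise the declaration follows the same comment-and-type shape as `sensor_reg_data_file` above it, which is the right precedent.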
@@ -12,6 +12,12 @@ r_dir_file(hal_sensors_default, persist_camera_file) allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms; allow hal_sensors_default sensor_reg_data_file:file create_file_perms; +userdebug_or_eng(` + # Allow creation and writing of sensor debug data files. + allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms; + allow hal_sensors_default sensor_debug_data_file:file create_file_perms; +') + # Allow access to the AoC communication driver. allow hal_sensors_default aoc_device:chr_file rw_file_perms; diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 01c69b49..28137c77 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -35,6 +35,10 @@ allow hal_dumpstate_default vendor_log_file:dir search; allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans; +userdebug_or_eng(` + allow hal_dumpstate_default sensor_debug_data_file:dir r_dir_perms; + allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms; +') allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; From a8eab1aaaf14e031ef2e02f1ea30eab93a6ba119 Mon Sep 17 00:00:00 2001 
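Review bot: The sensor_hal.te hunk documents its new userdebug_or_eng block, but the matching hal_dumpstate_default.te block does not say why dumpstate may read sensor_debug_data_file; add `# Allow bugreports to include USF sensor debug data (userdebug/eng only).` above the `userdebug_or_eng(`` line. Gating both the writer and the reader keeps this data out of user-build bugreports, which matches the intent stated in the description, so the comment should record that the two gates are meant to stay in step.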
From: Roger Fang Date: Tue, 23 Aug 2022 16:58:55 +0800 Subject: [PATCH 15/20] sepolicy: add permission for AMS rate of pixelstats-vend I pixelstats-vend: type=1400 audit(0.0:1025): avc: denied { read } for name="ams_rate_read_once" dev="sysfs" ino=79714 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 I pixelstats-vend: type=1400 audit(0.0:1026): avc: denied { open } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" dev="sysfs" ino=79714 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 pixelstats-vend: type=1400 audit(0.0:1027): avc: denied { getattr } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" dev="sysfs" ino=79714 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 239508478 Test: Manually test passed Signed-off-by: Roger Fang Change-Id: I5c47003bed664f2cd9b6fe3630a6445aca27d10d --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 50853f0f..bf33ed56 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -486,6 +486,7 @@ genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_ genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0 # SJTAG genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 From f07279785dc9bcd377a3457092bf6e171f319e88 Mon Sep 17 00:00:00 2001 
From: JJ Lee Date: Thu, 25 Aug 2022 11:52:28 +0800 Subject: [PATCH 16/20] sepolicy: add nodes for aoc memory votes stats Bug: 223674292 Test: build pass, not blocking bugreport Change-Id: I4732c8b3271f553edc423ac115eb8a6afaebff37 Signed-off-by: JJ Lee --- whitechapel/vendor/google/genfs_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index bf33ed56..1f745777 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -14,7 +14,8 @@ genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:ob genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 From 7b5ed95fddad01d79b7e7ea734d8361b0b3dd437 Mon Sep 17 00:00:00 2001 
From: Estefany Torres Date: Fri, 9 Sep 2022 17:29:18 +0000 Subject: [PATCH 17/20] Add rules for letting logger app send the command to ril 08-31 23:40:57.354 458 458 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:logger_app:s0:c252,c256,c512,c768 pid=2901 scontext=u:r:logger_app:s0:c252,c256,c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0 09-01 00:08:19.600 2881 2881 W oid.pixellogger: type=1400 audit(0.0:10): avc: denied { call } for scontext=u:r:logger_app:s0:c252,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=0 app=com.android.pixellogger Bug: 241412942 Test: tested in C10 with pixel logger change Change-Id: Idcd693790d654d0a9b7aba46a41764d65867a61c --- whitechapel/vendor/google/logger_app.te | 4 ++++ whitechapel/vendor/google/rild.te | 1 + 2 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index be15d0e6..14196600 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -5,6 +5,10 @@ userdebug_or_eng(` allow logger_app vendor_gps_file:file create_file_perms; allow logger_app vendor_gps_file:dir create_dir_perms; allow logger_app sysfs_sscoredump_level:file r_file_perms; + allow logger_app hal_exynos_rild_hwservice:hwservice_manager find; + + binder_call(logger_app, rild) + r_dir_file(logger_app, ramdump_vendor_data_file) r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index 5fc2159c..78b14e51 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te 
@@ -26,6 +26,7 @@ binder_call(rild, modem_svc_sit) binder_call(rild, vendor_ims_app) binder_call(rild, vendor_rcs_app) binder_call(rild, oemrilservice_app) +binder_call(rild, logger_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) From 908a8fcf14ba578aa3fecbaa421615083e5dc31c Mon Sep 17 00:00:00 2001 From: Jinhee Kim Date: Fri, 9 Sep 2022 10:15:55 +0900 Subject: [PATCH 18/20] sepolicy: gs101: allowed permissions required for network access avc: denied { write } for comm="Thread-102" name="dnsproxyd" dev="tmpfs" ino=1022 scontext=u:r:vendor_ims_app:s0:c251,c256,c512,c768 tcontext=u:object_r:dnsproxyd_socket:s0 tclass=sock_file permissive=0 app=com.shannon.imsservice avc: denied { node_bind } for comm="Thread-102" src=50174 scontext=u:r:vendor_ims_app:s0:c251,c256,c512,c768 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=0 app=com.shannon.imsservice Bug: 242231557 Test: The tester verified IMS didn't crash and no avc denied log Change-Id: Icc3762cef7f9766d845f1e1a56af1315fc97163b Signed-off-by: Jinhee Kim Signed-off-by: Kukjin Kim Merged-In: Icc3762cef7f9766d845f1e1a56af1315fc97163b --- whitechapel/vendor/google/vendor_ims_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te index 8d655747..0b87783a 100644 --- a/whitechapel/vendor/google/vendor_ims_app.te +++ b/whitechapel/vendor/google/vendor_ims_app.te @@ -1,5 +1,6 @@ type vendor_ims_app, domain; app_domain(vendor_ims_app) +net_domain(vendor_ims_app) allow vendor_ims_app app_api_service:service_manager find; allow vendor_ims_app audioserver_service:service_manager find; From 060b56231029ab628e5d33ecfae5f67af8a5b74c Mon Sep 17 00:00:00 2001 From: Hana Kim Date: Thu, 12 May 2022 15:27:45 +0900 Subject: [PATCH 19/20] Sepolicy: add permission to allow create, connect udp socket Bug: 226412527 Test: The tester verified IMS didn't crash and no avc denied log 
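Review bot: `binder_call(rild, logger_app)` is added unconditionally in rild.te, while the logger_app side (`hal_exynos_rild_hwservice:hwservice_manager find` and `binder_call(logger_app, rild)`) is placed inside the existing `userdebug_or_eng(`` block of logger_app.te, judging by the hunk header and the indentation of the added lines. On user builds that leaves a one-directional rild→logger_app binder grant that no caller can ever use; wrap it as `userdebug_or_eng(`binder_call(rild, logger_app)')` so the user-build policy stays minimal and the two files agree. The enclosing macro in logger_app.te starts before that hunk, so confirm the added lines really fall inside it.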
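Review bot: `net_domain(vendor_ims_app)` grants, as far as I recall the macro, the full app networking set (TCP and UDP sockets, netd and dnsproxyd access), which is wider than the two denials quoted (dnsproxyd sock_file write and udp_socket node_bind); for an app domain this is the conventional macro, but the line deserves a justification, e.g. `# IMS signalling needs network sockets and DNS resolution via dnsproxyd.` If the service only ever uses UDP and DNS, say so too, so the breadth is a recorded choice rather than an accident.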
Signed-off-by: Hana Kim Change-Id: Id9ba79ba87010326c53b6aec408e5cdb291122a6 Merged-In: Id9ba79ba87010326c53b6aec408e5cdb291122a6 --- whitechapel/vendor/google/vendor_ims_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te index 0b87783a..140d9c25 100644 --- a/whitechapel/vendor/google/vendor_ims_app.te +++ b/whitechapel/vendor/google/vendor_ims_app.te @@ -12,6 +12,8 @@ allow vendor_ims_app mediaserver_service:service_manager find; allow vendor_ims_app cameraserver_service:service_manager find; allow vendor_ims_app mediametrics_service:service_manager find; +allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl }; + binder_call(vendor_ims_app, rild) set_prop(vendor_ims_app, vendor_rild_prop) set_prop(vendor_ims_app, radio_prop) From 9a4545eafafa4b45c24e6d78796028b981354aba Mon Sep 17 00:00:00 2001 From: jintinglin Date: Mon, 19 Sep 2022 13:10:30 +0800 Subject: [PATCH 20/20] Allows modem_svc to read the logging related properties avc: denied { read } for comm="modem_svc_sit" name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=347 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0 Bug: 243039758 Change-Id: I80a6971a2c3e09320e780d1eff24e040cd8b3541 --- whitechapel/vendor/google/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index eeba9976..fad6cca5 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te @@ -26,3 +26,6 @@ get_prop(modem_svc_sit, vendor_rild_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +# logging property +get_prop(modem_svc_sit, vendor_logger_prop)
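Review bot: `allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };` looks redundant once patch 18 has added `net_domain(vendor_ims_app)` to the same file, since I believe net_domain already grants `self:udp_socket create_socket_perms`, a superset that includes ioctl; this commit is dated 12 May against patch 18's 9 September, so it was presumably written before the net_domain fix existed. Either drop it or, if it must stay, write it as `allow vendor_ims_app self:udp_socket create_socket_perms_no_ioctl;`, because the macro already expands to a brace-delimited set and the outer braces are at best redundant.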
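Review bot: This hunk's index line `eeba9976..fad6cca5` starts from the same modem_svc_sit.te blob that patch 07 (`eeba9976..f664359d`) already rewrote, so patch 20 was generated against a tree without patch 07; the hunk touches line 26 rather than line 14 and will probably still apply, but the series should be rebased so each patch records its real predecessor. The same pattern appears in file_contexts, where patches 06 and 07 both start from 2a802f4b. The `get_prop(modem_svc_sit, vendor_logger_prop)` rule itself matches the quoted read denial and is suitably narrow.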