From 487f66f754771e092a8d037f51fd7775d57ecb6e Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 10 Mar 2021 09:44:05 +0800
Subject: [PATCH 1/2] update error on ROM 7196668
Bug: 182320300
Bug: 182320246
Bug: 182320258
Bug: 182320172
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Ib7bf40299374061526a87714cfd8982544a1698f
---
 tracking_denials/hal_bluetooth_btlinux.te | 4 ++++
 tracking_denials/hal_power_stats_default.te | 2 ++
 tracking_denials/init-insmod-sh.te | 9 +++++++++
 tracking_denials/rild.te | 9 +++++++++
 4 files changed, 24 insertions(+)
 create mode 100644 tracking_denials/hal_bluetooth_btlinux.te
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..0136730b
--- /dev/null
+++ b/tracking_denials/hal_bluetooth_btlinux.te
@@ -0,0 +1,4 @@
+# b/182320300
+dontaudit hal_bluetooth_btlinux servicemanager:binder { call };
+dontaudit hal_bluetooth_btlinux servicemanager:binder { call };
+dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
index 866c5176..a3e7430e 100644
--- a/tracking_denials/hal_power_stats_default.te
+++ b/tracking_denials/hal_power_stats_default.te
@@ -10,3 +10,5 @@ dontaudit hal_power_stats_default sysfs:dir { open };
 dontaudit hal_power_stats_default sysfs:file { read };
 dontaudit hal_power_stats_default sysfs:file { open };
 dontaudit hal_power_stats_default sysfs:file { open };
+# b/182320246
+dontaudit hal_power_stats_default default_android_service:service_manager { add };
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
index 9f615fab..ca69d4cb 100644
--- a/tracking_denials/init-insmod-sh.te
+++ b/tracking_denials/init-insmod-sh.te
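Review bot: In tracking_denials/hal_bluetooth_btlinux.te the `servicemanager:binder { call }` rule is added twice, and the same verbatim repetition appears in the init-insmod-sh.te hunk (eight identical `module_load` lines) and in the rild.te hunk (each `sota_prop:file` permission twice). A repeated dontaudit adds nothing to the policy, so one rule per source/target/class is enough, for example `dontaudit rild sota_prop:file { map getattr open read };`. It would also help if the `# b/...` comment stated that the rule only silences the log: the access is still denied under enforcing, and the denial stays invisible until the rule is removed.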
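Review bot: The added `dontaudit hal_power_stats_default default_android_service:service_manager { add };` hides a service registration that still fails under enforcing, because `default_android_service` is the fallback type given to a service name that has no service_contexts entry. As far as I know the platform policy carries a neverallow on that type, so this rule cannot later be turned into an `allow`; the follow-up has to define a dedicated service type and map the registered name to it in service_contexts. The `{ find }` rule in the hal_bluetooth_btlinux.te hunk has the same cause on the lookup side. I would record the service name from the denial next to `# b/182320246`, so whoever picks up the bug knows what to label.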
@@ -2,3 +2,12 @@
 dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
 dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
 dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
+# b/182320258
+dontaudit init-insmod-sh vendor_file:system { module_load };
+dontaudit init-insmod-sh vendor_file:system { module_load };
+dontaudit init-insmod-sh vendor_file:system { module_load };
+dontaudit init-insmod-sh vendor_file:system { module_load };
+dontaudit init-insmod-sh vendor_file:system { module_load };
+dontaudit init-insmod-sh vendor_file:system { module_load };
+dontaudit init-insmod-sh vendor_file:system { module_load };
+dontaudit init-insmod-sh vendor_file:system { module_load };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
index 10680da3..405763e2 100644
--- a/tracking_denials/rild.te
+++ b/tracking_denials/rild.te
@@ -14,3 +14,12 @@ dontaudit rild unlabeled:file { open };
 dontaudit rild unlabeled:file { read };
 dontaudit rild unlabeled:file { getattr };
 dontaudit rild unlabeled:file { lock };
+# b/182320172
+dontaudit rild sota_prop:file { map };
+dontaudit rild sota_prop:file { getattr };
+dontaudit rild sota_prop:file { open };
+dontaudit rild sota_prop:file { read };
+dontaudit rild sota_prop:file { read };
+dontaudit rild sota_prop:file { open };
+dontaudit rild sota_prop:file { getattr };
+dontaudit rild sota_prop:file { map };
From 58b3344c7aa5ade1f70361a50c9409832e0f771d Mon Sep 17 00:00:00 2001
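Review bot: The `dontaudit rild sota_prop:file` rules added to rild.te cover `map`, `getattr`, `open` and `read`, which together look like a system-property read, so under enforcing rild still cannot read that property and now fails without a log line. If rild is meant to read it, the grant would be `get_prop(rild, sota_prop)` in rild's own policy file rather than a suppression under tracking_denials. If the read is not wanted, a short comment next to `# b/182320172` saying the access is deliberately denied would keep the rule from being mistaken for a pending grant.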
From: Adam Shih
Date: Wed, 10 Mar 2021 10:36:45 +0800
Subject: [PATCH 2/2] label kernel modules and grant bt permission
Bug: 182320300
Bug: 182320258
Test: boot to home and connect to bluetooth headset under enforcing mode
Change-Id: I6f6e8359d03eb4205268d56a1fcd50ce1445f442
---
 tracking_denials/hal_bluetooth_btlinux.te | 2 --
 tracking_denials/init-insmod-sh.te | 9 ---------
 whitechapel/vendor/google/file_contexts | 1 +
 whitechapel/vendor/google/hal_bluetooth_btlinux.te | 1 +
 4 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te
index 0136730b..7a2c4f88 100644
--- a/tracking_denials/hal_bluetooth_btlinux.te
+++ b/tracking_denials/hal_bluetooth_btlinux.te
@@ -1,4 +1,2 @@
 # b/182320300
-dontaudit hal_bluetooth_btlinux servicemanager:binder { call };
-dontaudit hal_bluetooth_btlinux servicemanager:binder { call };
 dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find };
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
index ca69d4cb..9f615fab 100644
--- a/tracking_denials/init-insmod-sh.te
+++ b/tracking_denials/init-insmod-sh.te
@@ -2,12 +2,3 @@
 dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
 dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
 dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
-# b/182320258
-dontaudit init-insmod-sh vendor_file:system { module_load };
-dontaudit init-insmod-sh vendor_file:system { module_load };
-dontaudit init-insmod-sh vendor_file:system { module_load };
-dontaudit init-insmod-sh vendor_file:system { module_load };
-dontaudit init-insmod-sh vendor_file:system { module_load };
-dontaudit init-insmod-sh vendor_file:system { module_load };
-dontaudit init-insmod-sh vendor_file:system { module_load };
-dontaudit init-insmod-sh vendor_file:system { module_load };
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 68bcf67f..5c3908d6 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -356,6 +356,7 @@
 # Vendor_kernel_modules
 /vendor/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
 # Display
 /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
index 4e61c620..f7096836 100644
--- a/whitechapel/vendor/google/hal_bluetooth_btlinux.te
+++ b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
@@ -4,6 +4,7 @@ allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms;
 allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms;
 allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms;
 allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms;
+binder_call(hal_bluetooth_btlinux, servicemanager)
 # power stats
 vndbinder_use(hal_bluetooth_btlinux)
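Review bot: The new `binder_call(hal_bluetooth_btlinux, servicemanager)` in whitechapel/vendor/google/hal_bluetooth_btlinux.te lets the HAL talk to servicemanager, but this same patch keeps `dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find };` in tracking_denials. The lookup the call is presumably made for is therefore still denied, and silently. The line also has no comment saying which service the HAL needs from the framework servicemanager, which matters for a vendor domain that already has `vndbinder_use` a few lines below. I would add something like `# looks up <service name> via servicemanager, b/182320300` above it, and once the service is labelled, pair the call with a typed `find` rule (or `binder_use(hal_bluetooth_btlinux)` if the HAL is meant to be a regular servicemanager client).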