Evolution-X-Tensor/device_google_gs101
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
107 commits 1 branch 0 tags 494 MiB
Commit graph

107 commits

This branch
This branch
All branches
Author SHA1 Message Date
Sung-fang Tsai
1bcf7d412a Merge "Mark lib_aion_buffer and related library as same_process_hal_file" into sc-dev 2021-03-12 04:18:59 +00:00
andychou
9e582d4bc3 Fix cuttlefish test fail due to sepolicy of Exo 
Need to grant gpu_device dir search permission and
device_config_runtime_native_boot_prop for testing.

Bug: 182445508
Test: atest ExoTests pass  on Cuttlefish
Change-Id: Ia4c27efa2a900a3781301de19ab38209f818aba1
 2021-03-12 11:41:24 +08:00
Vova Sharaienko
175c2eaa31 Merge "Stats: new sepolicy for the AIDL service" into sc-dev 2021-03-12 03:32:22 +00:00
Adam Shih
526da2f9b1 update error on ROM 7202683 
Bug: 182524105
Bug: 182523946
Bug: 182524202
Bug: 182524203
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I4c97960d106a74cbe2ba819671612514d4cba282
 2021-03-12 11:18:10 +08:00
wenchangliu
f98706e87b Add sepolicy for BigOcean device 
add /dev/bigocean to video_device

avc: denied { read write } for name="bigocean" dev="tmpfs" ino=629 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \
tclass=chr_file permissive=1
avc: denied { open } for path="/dev/bigocean" dev="tmpfs" ino=629 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \
tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/bigocean" dev="tmpfs" ino=629 \
ioctlcmd=0x4202 scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \
tclass=chr_file permissive=1
avc: denied { ioctl } for comm=436F646563322E30204C6F6F706572 path="/dev/bigocean" \
dev="tmpfs" ino=629 ioctlcmd=0x4202 scontext=u:r:mediacodec:s0 \
tcontext=u:object_r:device:s0 tclass=chr_file permissive=1

Bug: 172173484
Test: Play AV1 clips in enforcing mode
Change-Id: Ie0ed96d7bf4324bd38a9c42500f4f747f092bfd9
 2021-03-12 10:54:10 +08:00
wenchangliu
b52121a259 Add sepolicy for MFC device 
- Add sysfs_video type for mfc device
- Allow mediacode to access sysfs_video

avc: denied { read } for name="name" dev="sysfs" ino=62278 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video7/name" \
dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video7/name" \
dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { read } for name="name" dev="sysfs" ino=62230 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video6/name" \
dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video6/name" \
dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

Bug: 172173484
Test: video playback / camera recording with enforcing mode
Change-Id: Id7f43fe11c9ed089067f43a50d7f765df873d6c6
 2021-03-12 10:51:41 +08:00
TreeHugger Robot
1dd171b66f Merge "Add atc sysfs permission for composer service" into sc-dev 2021-03-12 02:44:43 +00:00
Ahmed ElArabawy
4a0294348b Merge "Wifi: Add sepolicy files for wifi_ext service" into sc-dev 2021-03-12 01:37:36 +00:00
Vova Sharaienko
2ed30c23e3 Stats: new sepolicy for the AIDL service 
This allows the pixelstats_vendor communicate with new AIDL IStats service via ServiceManager

Bug: 181914749
Test: Build, flash, and logcat -s "pixelstats_vendor"
Change-Id: Icf1bbbd7f72835fe8f9c2f23281a2f5b4bf8e698
 2021-03-12 01:12:21 +00:00
Benjamin Schwartz
bfa18a7b2a whitechapel: Correct acpm_stats path 
Bug: 182320246
Test: dumpsys android.hardware.power.stats.IPowerStats/default
Change-Id: I7a67b31e28f34d606cfab369b9e982e9fffe3b3f
 2021-03-11 15:52:48 -08:00
Pat Tjin
854db479bb Merge "Move wireless charger HAL to 1.3" into sc-dev 2021-03-11 19:57:54 +00:00
Sung-fang Tsai
82376e2d49 Mark lib_aion_buffer and related library as same_process_hal_file 
To allow access by Google Camera App, which needs this for vendor-specific
buffer management functionality to enable zero-copy camera RAW->GPU buffer
handling.

Test: GCA works with forrest build P20546991.
Bug: 159839616
Change-Id: I71bdcd12f17013881d7a5da2f11e444f0d3b4f94
 2021-03-11 12:02:04 +00:00
linpeter
ebd2a24596 Add atc sysfs permission for composer service 
avc: denied { read write } for name="en" dev="sysfs" ino=66979 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/en" dev="sysfs" ino=66979 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/en" dev="sysfs" ino=66979 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

avc: denied { read write } for name="gain_limit" dev="sysfs" ino=66998 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/gain_limit" dev="sysfs" ino=66998 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/gain_limit" dev="sysfs" ino=66998 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

avc: denied { read write } for name="st" dev="sysfs" ino=66982 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/st" dev="sysfs" ino=66982 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/st" dev="sysfs" ino=66982 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

Bug: 168848203
test: test: check avc denied
Change-Id: I48dd839e0ca6f3eb16e35f1b7a4d5f6d4a1fd88b
 2021-03-11 20:01:21 +08:00
Eddie Tashjian
78cd6eb78e Add selinux policies for mounted modem parition 
Bug: 178980032
Bug: 178979986
Bug: 179198083
Bug: 179198085
Bug: 178980065

Test: Check selinux denials
Change-Id: I7f826442d1536946d0e84aadfd80f679c0f4d6da
 2021-03-11 10:16:27 +00:00
TreeHugger Robot
ef6e91692a Merge changes I68aace66,Idf510e4a into sc-dev 
* changes:
  gs101-sepolicy: Add twoshay permissions
  Add touch procfs and sysfs sepolicy
 2021-03-11 09:16:51 +00:00
yihsiangpeng
cc8429cc0d Move wireless charger HAL to 1.3 
Bug: 179464598
Signed-off-by: yihsiangpeng <yihsiangpeng@google.com>
Change-Id: I73d1d811f2483bbe80e7d4aea1f6e9f143bc2836
 2021-03-11 14:47:49 +08:00
TreeHugger Robot
db0ca5a3b2 Merge changes I6f6e8359,Ib7bf4029 into sc-dev 
* changes:
  label kernel modules and grant bt permission
  update error on ROM 7196668
 2021-03-11 03:53:57 +00:00
TreeHugger Robot
6657774b4c Merge "Fix avc denied issue when accessing to IStats service" into sc-dev 2021-03-10 16:57:56 +00:00
TreeHugger Robot
d2cee097f8 Merge "Fix avc denied in OMA DM" into sc-dev 2021-03-10 15:52:45 +00:00
Tai Kuo
8cac55487b gs101-sepolicy: Add twoshay permissions 
Add twoshay and touch input context library permissions

Bug: 173330899
Bug: 173330981
Test: check boot-time twoshay startup and no denials.
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
Change-Id: I68aace66f49c2af1ebfd4bde7082039f9caf3f64
Signed-off-by: Tai Kuo <taikuo@google.com>
 2021-03-10 22:23:49 +08:00
SalmaxChang
6247ff69b2 cbd: Fix avc errors 
avc: denied { setuid } for comm="cbd" capability=7 scontext=u:r:cbd:s0 tcontext=u:r:cbd:s0 tclass=capability permissive=1
avc: denied { search } for comm="cbd" name="vendor" dev="tmpfs" ino=2 scontext=u:r:cbd:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1

Bug: 178331928
Bug: 171267363
Change-Id: Icf28f494f05ee386ce94213929926369f2775173
 2021-03-10 13:33:43 +00:00
SalmaxChang
7edb7e30c4 vendor_init: Update tracking denials 
Removed the path creation from init rc.

Bug: 177186257
Change-Id: I5a8e99ae273d0c8370255bcdb4b9e802fa9895ca
 2021-03-10 13:33:19 +00:00
Tai Kuo
4dd3e1e99e Add touch procfs and sysfs sepolicy 
Touch palm sepolicies are not included.

Bug: 173330981
Test: No avc denied log for touch sysfs, procfs access.
Signed-off-by: Tai Kuo <taikuo@google.com>
Change-Id: Idf510e4a9c65e5af0885159353ef85d6b6ec553f
 2021-03-10 17:00:16 +08:00
Calvin Pan
47bf48c03b Fix avc denied in OMA DM 
03-10 11:30:05.640 30617 30617 I auditd  : type=1400 audit(0.0:493): avc: denied { search } for comm="IntentService[D" name="radio" dev="dm-6" ino=242 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:493): avc: denied { search } for name="radio" dev="dm-6" ino=242 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I auditd  : type=1400 audit(0.0:494): avc: denied { getattr } for comm="IntentService[D" path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:494): avc: denied { getattr } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I auditd  : type=1400 audit(0.0:495): avc: denied { setattr } for comm="IntentService[D" name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:495): avc: denied { setattr } for name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I auditd  : type=1400 audit(0.0:496): avc: denied { append } for comm="IntentService[D" name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:496): avc: denied { append } for name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I auditd  : type=1400 audit(0.0:497): avc: denied { open } for comm="IntentService[D" path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:497): avc: denied { open } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service

03-10 11:57:07.155   386   386 E SELinux : avc:  denied  { find } for pid=8406 uid=10141 name=autofill scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1
03-10 11:57:07.155   386   386 I auditd  : avc:  denied  { find } for pid=8406 uid=10141 name=autofill scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1

03-10 12:26:05.904   388   388 E SELinux : avc:  denied  { find } for pid=12124 uid=10141 name=activity scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.904   388   388 I auditd  : avc:  denied  { find } for pid=12124 uid=10141 name=activity scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.931   388   388 E SELinux : avc:  denied  { find } for pid=12124 uid=10141 name=activity_task scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.931   388   388 I auditd  : avc:  denied  { find } for pid=12124 uid=10141 name=activity_task scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.960   388   388 E SELinux : avc:  denied  { find } for pid=12124 uid=10141 name=SurfaceFlinger scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.960   388   388 I auditd  : avc:  denied  { find } for pid=12124 uid=10141 name=SurfaceFlinger scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.960   388   388 E SELinux : avc:  denied  { find } for pid=12124 uid=10141 name=gpu scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.960   388   388 I auditd  : avc:  denied  { find } for pid=12124 uid=10141 name=gpu scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1
03-10 12:26:06.041   388   388 E SELinux : avc:  denied  { find } for pid=12124 uid=10141 name=audio scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1
03-10 12:26:06.041   388   388 I auditd  : avc:  denied  { find } for pid=12124 uid=10141 name=audio scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1

03-10 12:35:40.653   387   387 E SELinux : avc:  denied  { find } for pid=8328 uid=10141 name=tethering scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=1
03-10 12:35:40.654   387   387 I auditd  : avc:  denied  { find } for pid=8328 uid=10141 name=tethering scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=1
03-10 12:35:40.658   387   387 E SELinux : avc:  denied  { find } for pid=8328 uid=10141 name=isub scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1
03-10 12:35:40.658   387   387 I auditd  : avc:  denied  { find } for pid=8328 uid=10141 name=isub scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1

Bug: 173990082
Test: Trigger OMA DM
Change-Id: Ie66ecd1c9d80f7b12a4545f3651dd2c5f02b119b
 2021-03-10 15:54:08 +08:00
Jack Wu
522a8aefcf hal_health_default: Fix avc denials 
[    5.146740] type=1400 audit(1611123521.796:23): avc: denied { search } for comm="android.hardwar" name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1
[    5.425436] type=1400 audit(1611123522.076:24): avc: denied { search } for comm="health@2.1-serv" name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1
[   29.943710] type=1400 audit(1611123546.592:483): avc: denied { write } for comm="health@2.1-serv" name="mode" dev="sysfs" ino=14741 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
01-20 14:18:41.796   656   656 I android.hardwar: type=1400 audit(0.0:23): avc: denied { search } for name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1

Bug: 177966434
Test: Verify pass by checking device log are w/o above errors after
Signed-off-by: Jack Wu <wjack@google.com>
Change-Id: I576547e27dceb55fd768de2834e3bb0155857f56
 2021-03-10 14:13:38 +08:00
Adam Shih
58b3344c7a label kernel modules and grant bt permission 
Bug: 182320300
Bug: 182320258
Test: boot to home and connect to bluetooth headset under enforcing mode
Change-Id: I6f6e8359d03eb4205268d56a1fcd50ce1445f442
 2021-03-10 10:36:45 +08:00
Adam Shih
487f66f754 update error on ROM 7196668 
Bug: 182320300
Bug: 182320246
Bug: 182320258
Bug: 182320172
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Ib7bf40299374061526a87714cfd8982544a1698f
 2021-03-10 10:34:03 +08:00
TreeHugger Robot
c625222492 Merge "hal_power_stats_default: Fix avc denials" into sc-dev 2021-03-10 02:11:04 +00:00
andychou
ce711fd18e Fix avc denied issue when accessing to IStats service 
Originally we use isPriv=true but Exo APP is not located in priv-app
folder.
So has to remove isPriv=true and add into net_domain in order to network
accessing.
This is a clone cl updated from ag/13794482

Bug: 180594376
Test: manual test if there is avc denied
Change-Id: Icb5009248d10c23e772040aad8ac2fed849bafa0
 2021-03-10 09:27:04 +08:00
Adam Shih
48113ddced Merge "remove obsolete entries and put crucial domains to permissive" into sc-dev 2021-03-10 01:24:44 +00:00
TreeHugger Robot
c8e903d1c8 Merge "dumpstate: allow dumpstate to access displaycolor" into sc-dev 2021-03-10 01:15:42 +00:00
Yu-Chi Cheng
02ecfdcc0d Merge "Allowed the EdgeTPU service to access Package Manager binder service." into sc-dev 2021-03-09 15:00:12 +00:00
Jack Wu
a3678d9487 hal_power_stats_default: Fix avc denials 
[  351.298850] type=1400 audit(1614041245.976:13): avc: denied { read } for comm="android.hardwar" name="hf1_wfi" dev="sysfs" ino=78155 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
[  698.658433] type=1400 audit(1614041593.336:1733): avc: denied { open } for comm="stats@1.0-servi" path="/sys/devices/platform/19000000.aoc/control/monitor_mode" dev="sysfs" ino=78158 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
02-23 08:53:13.336   673   673 I stats@1.0-servi: type=1400 audit(0.0:1734): avc: denied { getattr } for path="/sys/devices/platform/19000000.aoc/control/monitor_mode" dev="sysfs" ino=78158 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
02-23 08:52:26.228   670   670 I android.hardwar: type=1400 audit(0.0:724): avc: denied { search } for name="19000000.aoc" dev="sysfs" ino=18343 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=dir permissive=1

Bug: 180963514
Test: Verify pass by checking device log are w/o above errors after
Signed-off-by: Jack Wu <wjack@google.com>
Change-Id: Iab245b320c1f6e75407f1fafb5ad20a087b1a707
 2021-03-09 14:21:20 +00:00
raylinhsu
43fb32d300 dumpstate: allow dumpstate to access displaycolor 
In bugreport, we need to dump libdisplaycolor information.
Hence, we should add corresponding sepolicy.

Bug: 181915591
Test: There is no avc denied regarding to displaycolor when we
capture the bugreport.

Change-Id: I9f7f8f451fab24b4d0c49305d96b8db6b4d0eed4
 2021-03-09 19:06:24 +08:00
Adam Shih
df06cd7760 remove obsolete entries and put crucial domains to permissive 
Bug: 171942789
Bug: 178979986
Bug: 179310854
Bug: 178980065
Bug: 179198085
Bug: 178980032
Test: boot to home under enforcing mode
Change-Id: Ic925dbbb74ca2ba38b22c982761c1e214886bfa1
 2021-03-09 13:46:42 +08:00
Charlie Chen
e265637395 Merge changes I8de6132f,I2bc6057d into sc-dev 
* changes:
  Remove dma_buf_heap tracking_denials
  Add missing permission to dmabuf_video_system_heap
 2021-03-09 04:58:08 +00:00
TreeHugger Robot
ce148d20c6 Merge "update error on ROM 7193586" into sc-dev 2021-03-09 04:05:05 +00:00
Charlie Chen
019eec3f64 Remove dma_buf_heap tracking_denials 
Bug: 182086551
Bug: 182086552
Bug: 182086686
Bug: 182086482
Bug: 182086481
Bug: 182086550
Test: atest VtsHalMediaC2V1_0TargetVideoDecTest
Change-Id: I8de6132fb41b0418f67baac4971ee03031ec3e32
 2021-03-09 02:42:56 +00:00
Taehwan Kim
7d77820127 Add missing permission to dmabuf_video_system_heap 
Bug: 153786620
Bug: 182086551
Bug: 182086552
Bug: 182086686
Bug: 182086482
Bug: 182086481
Bug: 182086550
Test: atest VtsHalMediaC2V1_0TargetVideoDecTest
Signed-off-by: Taehwan Kim <t_h.kim@samsung.com>
Change-Id: I2bc6057d16bbcc32ef8891f89c0440618d174982
 2021-03-09 02:19:06 +00:00
TreeHugger Robot
9c51e64c6e Merge "sepolicy: add sensor related rules for AIDL APIs" into sc-dev 2021-03-09 02:03:39 +00:00
Adam Shih
47abac4459 update error on ROM 7193586 
Bug: 182218891
Bug: 182219008
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Id3d823c2ec41f9b777ccb666338a195bbd3047b6
 2021-03-09 09:53:59 +08:00
TreeHugger Robot
9185f0aafd Merge "Fix selinux error for vendor_telephony_app" into sc-dev 2021-03-09 01:01:45 +00:00
TreeHugger Robot
c5c7a85a0d Merge "trusty_apploader: Fix avc errors" into sc-dev 2021-03-09 00:55:06 +00:00
Yu-Chi Cheng
d18a92b0ef Allowed the EdgeTPU service to access Package Manager binder service. 
EdgeTPU service will connect to the Package Manager service
to verify applicatoin signatures.
This change added the corresponding SELinux rules to allow such
connection.

Bug: 181821398
Test: Verified using Google Camera App on local device.
Change-Id: Ia32b3de102c162e28710e0aa917831e8de784183
 2021-03-08 16:02:14 -08:00
Isaac Chiou
73ce34397a Wifi: Add sepolicy files for wifi_ext service 
This commit adds the sepolicy related files for wifi_ext service.

Bug: 171944352
Bug: 177966433
Bug: 177673356
Test: Manual
Change-Id: I1613e396fd4c904ed563dfd533fb4b8f807f9657
 2021-03-08 19:36:29 +08:00
TreeHugger Robot
cd3a13deaf Merge "sepolicy: add usf folder to BOARD_SEPOLICY_DIRS." into sc-dev 2021-03-08 09:02:32 +00:00
matthuang
94095e1fd3 sepolicy: add sensor related rules for AIDL APIs 
SELinux : avc:  denied  { find } for pid=703 uid=1000name=android.frameworks.stats.IStats/default
scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=1
android.hardwar: type=1400 audit(0.0:24): avc: denied { transfer } for scontext=u:r:hal_sensors_default:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=1

Bug: 182086688
Test: make selinux_policy -j128 and push to device.
Test: avc denials are disappeared in boot log.
Change-Id: I13e658c1cef3bd24ae25cc1c22dd9336b4e45b0f
 2021-03-08 09:00:36 +00:00
Kris Chen
5c76e0c1f3 trusty_apploader: Fix avc errors 
Fix the following avc denials:
trusty_apploade: type=1400 audit(0.0:3): avc: denied { read } for name="system" dev="tmpfs" ino=713 scontext=u:r:trusty_apploader:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
trusty_apploade: type=1400 audit(0.0:4): avc: denied { open } for path="/dev/dma_heap/system" dev="tmpfs" ino=713 scontext=u:r:trusty_apploader:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
trusty_apploade: type=1400 audit(0.0:5): avc: denied { ioctl } for path="/dev/dma_heap/system" dev="tmpfs" ino=713 ioctlcmd=0x4800 scontext=u:r:trusty_apploader:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1

Bug: 180874342
Test: Verify no avc denied when trusty app is loaded.
Change-Id: Idbd850580220a1cb85a221d769d741f63cd8751f
 2021-03-08 16:42:27 +08:00
TreeHugger Robot
433719c74f Merge "Allow vendor_init to set USB properties" into sc-dev 2021-03-08 08:38:01 +00:00
Aaron Tsai
5e63caa568 Fix selinux error for vendor_telephony_app 
// b/174961423
[   43.295540] type=1400 audit(1607136492.652:21): avc: denied { open } for comm="y.silentlogging" path="/dev/__properties__/u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1
[   43.295445] type=1400 audit(1607136492.652:20): avc: denied { read } for comm="y.silentlogging" name="u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1
[   43.290494] type=1400 audit(1607136492.648:19): avc: denied { search } for comm="y.silentlogging" name="com.samsung.slsi.telephony.silentlogging" dev="dm-6" ino=3751 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=1
[   43.267396] type=1400 audit(1607136492.624:18): avc: denied { getattr } for comm="y.silentlogging" path="/data/user/0/com.samsung.slsi.telephony.silentlogging" dev="dm-6" ino=3751 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=1
[   43.267076] type=1400 audit(1607136492.624:17): avc: denied { search } for comm="y.silentlogging" name="data" dev="dm-6" ino=87 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=dir permissive=1

// b/176868380
[   44.640326] type=1400 audit(1609377760.052:32): avc: denied { search } for comm="y.silentlogging" name="0" dev="dm-6" ino=181 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1
[   44.705763] type=1400 audit(1609377760.120:36): avc: denied { search } for comm="ephony.testmode" name="0" dev="dm-6" ino=181 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1
[   44.649879] type=1400 audit(1609377760.064:33): avc: denied { getattr } for comm="y.silentlogging" path="/dev/__properties__/u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1
[   44.649981] type=1400 audit(1609377760.064:34): avc: denied { map } for comm="y.silentlogging" path="/dev/__properties__/u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1
[   44.650286] type=1400 audit(1609377760.064:35): avc: denied { search } for comm="y.silentlogging" name="slog" dev="dm-6" ino=228 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=1

// b/177176900
[   46.609809] type=1400 audit(1610075109.964:21): avc: denied { getattr } for comm="ephony.testmode" path="/dev/__properties__/u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1
[   46.609747] type=1400 audit(1610075109.964:20): avc: denied { open } for comm="ephony.testmode" path="/dev/__properties__/u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1
[   46.609580] type=1400 audit(1610075109.960:19): avc: denied { read } for comm="ephony.testmode" name="u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1
[   46.609867] type=1400 audit(1610075109.964:22): avc: denied { map } for comm="ephony.testmode" path="/dev/__properties__/u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1

// b/179437464
02-05 09:46:38.796   376   376 E SELinux : avc:  denied  { find } for pid=9609 uid=1000 name=activity scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
02-05 09:46:38.894   376   376 E SELinux : avc:  denied  { find } for pid=9631 uid=1000 name=thermalservice scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:thermal_service:s0 tclass=service_manager permissive=1
02-05 09:46:38.825   376   376 E SELinux : avc:  denied  { find } for pid=9609 uid=1000 name=tethering scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=1


Bug: 174961423
Bug: 176868380
Bug: 177176900
Bug: 179437464

Test: verified with the forrest ROM and error log gone
Change-Id: Ibd2dfb61eb58b381504ac43595e99695a5e21b7e
 2021-03-08 15:48:34 +08:00