Bug: 331147031
Bug: 330730987
Test: Confirmed that modem_svc is able to access token db files in modem partition
Test: Confirmed that modem_svc can send traces to perfetto
Test: Confirmed v2/pixel-health-guard/device-boot-health-check-extra has no modem_svc avc denials.
Change-Id: I5fabd3177c758be533ca8bdef3cb3305afd6a5a6
avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0
Bug: 329174074
Test: no denied log, and able to read logbuffer in pixelstats_vendor
Change-Id: I2c6069f43d17114f937657724dc34e43cf3d48fe
Signed-off-by: Spade Lee <spadelee@google.com>
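Added example, not part of the commit or of the project's code: a small parser for the AVC denial format quoted above that merges denials into candidate allow rules for one domain, which is the check behind "no denied log" test lines. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the AVC denial format shown in the commit message above.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield one dict per AVC denial found in the log text."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "source": selinux_type(m["scontext"]),
                "target": selinux_type(m["tcontext"]),
                "tclass": m["tclass"],
                "perms": m["perms"].split(),
                "enforced": m["permissive"] != "1",
            }

def candidate_rules(log_text, domain=None):
    """Merge denials into sorted allow-rule candidates, optionally for one domain."""
    merged = defaultdict(set)
    for d in parse_denials(log_text):
        if domain is None or d["source"] == domain:
            merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

# First line is the denial quoted on this page; the other two are constructed samples.
SAMPLE_LOG = """\
avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0
avc: denied { open } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0
avc: denied { search } for name="example" dev="dm-0" ino=42 scontext=u:r:example_domain:s0 tcontext=u:object_r:example_data_file:s0 tclass=dir permissive=1
"""

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG, domain="pixelstats_vendor"):
        print(rule)
```

Treat the output as review input rather than policy: a denial can also mean the target carries the wrong label, as with the cpif logbuffer commit on this page.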
This is already allowed on all other Google chips and used
for a face auth latency optimization.
Fix: 303391687
Test: check logs on raven
Change-Id: I6f70b70d1cf4c055ce9f3e76c1fca0ae0c3e070d
The change also labeled files under /data/vendor/chre/ to grant
required access.
Test: compilation
Bug: 248615564
Change-Id: I4db158853764987cf04dc7963ff79c680613f028
The cpif logbuffer did not have the right context and was
missing as part of the bugreport.
Test: Tested bugreport on device
Bug: 305600375
Change-Id: I2101037d0044e706969f2582e29f923ae029458b
Signed-off-by: Mahesh Kallelil <kallelil@google.com>
Remove mediacodec_samsung sepolicy in legacy path since we will include it from gs-common.
Bug: 318793681
Test: build pass, camera record, youtube
Change-Id: Idc0e19348d1e113e95305279aebbbaf82c79d730
The XHCI driver in kernel will write debugging information to DebugFS on
some USB host operations (for example: plugging in a USB headphone). We
are not using that information right now.
Bug: 311088739
Test: No error when plugging a USB headphone in.
Change-Id: If7c511f4466959d819f2672ae8f82a8a8dae83e4
Contexthub (CHRE) team is removing the chre daemon and incorporating
its functionalities into the next gen HAL. This CL copied the
permissions we received in whitechapel/vendor/google/chre.te to
hal_contexthub.te to enable the same set of permissions on gs101.
Bug: 247124878
Test: launch the hal process on oriole and verify it can perform
required operations such as loading nanoapps, holding wakelocks,
query nanoapps, etc.
Change-Id: I8ce6b4f7f411e50cf454bb5f1286f73d4d46aced
The MDS will be signed with platform key and become a platform app. To
make the selinux rules for modem_diagnostic_app work, need to set it to
platform app in app context.
Bug: 287683516
Test: Tested with both dev key or platform key signed MDS apps and the selinux rules work.
Change-Id: If890f7caaac33e5ddc6c02cc8084654a10cea416
Bug: 305120274
Test: Compile pass. Flash the build to WHI devices and no sensor
related avc denied log.
Change-Id: I56174a24d159968c01d1572e84f4bcdd7930a709
Signed-off-by: Rick Chen <rickctchen@google.com>
1. Move rls_service context from vndservice_contexts to
service_contexts.
2. Allow binder calls from rlsservice to servicemanager
3. Change rls_service type from vndservice_manager_type to
service_manager_type.
Bug: 301520085
Test: GCA
Change-Id: I7badfe2ddb73b13884b54d2c8972e1921af6ea38
The i2c-7/7-0043 label is shared with both i2c-7/i2c-cs40l25a and
i2c-7/i2c-cs40l26a nodes. To make it clear that these all are related,
let's move i2c-7/i2c-cs40l26a to gs101-sepolicy and have all the gs101
vibrator policy labels together.
Bug: 302549624
Bug: 291606723
Test: Verify i2c nodes on r4
Fixes: ccdd975a88d0 ("Update the cs40l26a i2c device node sepolicy labeling")
Change-Id: I2950a2c064e31e300d07f124cf1a7bfc00ae58c3
This change needs to be merged with the corresponding kernel change that
sets the i2c bus aliases correctly to match the existing v5.10 bus
probe ordering.
To verify the sepolicy labeling doesn't change, run the below commands
and diff the stdout on builds with and without the changes. For extra
credit, verify the nodes are labeled the same when upgrading the kernel
to v6.1 (with the correct i2c aliases to match the existing policy):
    acpm_bus_array=("acpm_mfd_bus@17500000" "acpm_mfd_bus@17510000")
    for bus in ${acpm_bus_array[@]}; do
        adb shell ls -ZR /sys/devices/platform/${bus}/i2c-*;
    done
    bus_array=("10960000" "10970000" "10d50000" "10900000")
    for bus in ${bus_array[@]}; do
        adb shell ls -ZR /sys/devices/platform/${bus}.hsi2c/i2c-*;
    done
Test: verify on r4
Bug: 291606723
Change-Id: Ifbfc53fbeb39a47cda4263fc706f11af6675d90e
This change needs to be merged with the corresponding kernel change that
sets the i2c bus aliases correctly to match the existing v5.10 bus
probe ordering.
To verify the sepolicy labeling doesn't change, run the below commands
and diff the stdout on builds with and without the changes. For extra
credit, verify the nodes are labeled the same when upgrading the kernel
to v6.1 (with the correct i2c aliases to match the existing policy):
    acpm_bus_array=("acpm_mfd_bus@17500000" "acpm_mfd_bus@17510000")
    for bus in ${acpm_bus_array[@]}; do
        adb shell ls -ZR /sys/devices/platform/${bus}/i2c-*;
    done
    bus_array=("10960000" "10970000" "10d50000" "10900000")
    for bus in ${bus_array[@]}; do
        adb shell ls -ZR /sys/devices/platform/${bus}.hsi2c/i2c-*;
    done
Test: verify on r4
Bug: 291606723
Change-Id: Id5b9021cdbf4b9d3578d5e9ee655463ab62dcd12
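Added example, not part of either commit or of the project's code: one way to do the "diff the stdout" step from the two commit messages above, by parsing saved `ls -ZR` output into a path-to-context map and reporting relabeled, added and removed nodes. It assumes each entry line has the form "context name" under a "directory:" header; the label `sysfs_example_vibrator`, the bus assignment and both listings are constructed samples.

```python
def parse_ls_zr(output):
    """Map each absolute path in `ls -ZR` output to its SELinux context."""
    labels, current_dir = {}, ""
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/") and line.endswith(":"):
            current_dir = line[:-1]          # "directory:" header line
            continue
        parts = line.split(None, 1)
        # Entry lines are "<user:role:type:level> <name>".
        if len(parts) == 2 and parts[0].count(":") >= 3:
            context, name = parts
            labels[f"{current_dir}/{name}"] = context
    return labels

def diff_labels(before, after):
    """Return (relabeled, added, removed) between two parsed listings."""
    relabeled = {p: (before[p], after[p])
                 for p in before.keys() & after.keys() if before[p] != after[p]}
    added = {p: after[p] for p in after.keys() - before.keys()}
    removed = {p: before[p] for p in before.keys() - after.keys()}
    return relabeled, added, removed

# Constructed listing from a build where the bus probes as i2c-7.
BEFORE = """\
/sys/devices/platform/10960000.hsi2c/i2c-7:
u:object_r:sysfs:s0  7-0043
u:object_r:sysfs:s0  name

/sys/devices/platform/10960000.hsi2c/i2c-7/7-0043:
u:object_r:sysfs_example_vibrator:s0  modalias
"""

# Constructed listing where the bus was renumbered to i2c-8, so the
# path-based label no longer matches and the node falls back to sysfs.
AFTER = BEFORE.replace("i2c-7", "i2c-8").replace("7-0043", "8-0043").replace(
    "sysfs_example_vibrator", "sysfs")

if __name__ == "__main__":
    relabeled, added, removed = diff_labels(parse_ls_zr(BEFORE), parse_ls_zr(AFTER))
    for path, ctx in sorted(removed.items()):
        print(f"- {ctx} {path}")
    for path, ctx in sorted(added.items()):
        print(f"+ {ctx} {path}")
```

A renumbered bus shows up as paired removed and added paths rather than as a relabel, which is the case the i2c alias change is meant to prevent.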
Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble
violation.
Bug: 280547417
Test: build bluejay and boot test
Change-Id: I48441749de4eb1de90ce5a307b1d47ae3cb9592d