Taeju Park
1d0e8106f3
Grant vendor_sched sysfs nodes access
...
Bug: 182509410
Signed-off-by: Taeju Park <taeju@google.com>
Change-Id: I68bf0c6e4f7b53a871a3393cb317bf6c79ace5e3
2021-05-11 21:03:30 -07:00
Wei Wang
53ae55618a
Merge "Revert "Grant vendor_sched sysfs nodes access"" into sc-dev
2021-05-12 03:56:58 +00:00
Wei Wang
73b65a0f8b
Revert "Grant vendor_sched sysfs nodes access"
...
This reverts commit 638778c654.
Reason for revert: b/187884708
Bug: 187884708
Change-Id: I60e80246345ca3e827d7b4749f25e2d5c4dddf9d
2021-05-12 03:56:42 +00:00
Kris Chen
00e1b9a704
Add sepolicy for the UDFPS antispoof property
...
Fixes the following avc denial:
/system/bin/init: type=1107 audit(0.0:4): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=fingerprint.disable.fake pid=364 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
android.hardwar: type=1400 audit(0.0:7): avc: denied { read } for name="u:object_r:vendor_fingerprint_fake_prop:s0" dev="tmpfs" ino=307 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_fingerprint_fake_prop:s0 tclass=file permissive=0
Bug: 187394838
Bug: 187562932
Test: Antispoof is disabled by default.
Test: Use the following adb command to manually turn on antispoof.
"setprop persist.vendor.fingerprint.disable.fake.override 0"
Change-Id: I90d6ea70d5e0e1a125efb902f1fd61ff4b51baa2
2021-05-12 09:48:48 +08:00
TreeHugger Robot
004c299011
Merge "Sniffer Logger: Add dontaudit getattr for sysfs_wifi" into sc-dev
2021-05-12 01:32:03 +00:00
Hridya Valsaraju
70551d2bc9
Let debugfs be accessed only for non-user builds
...
Since production devices (with user builds) must not mount debugfs,
provide dumpstate HAL permission to access debugfs only in userdebug/eng
builds.
Also, delete dumpstate domain's access to
vendor_dmabuf_debugfs(/d/dma_buf/bufinfo) since dumpstate now obtains
the same information from /sys/kernel/dmabuf.
Test: build
Bug: 186500818
Change-Id: I17007d495fba6332bbf17dc7d030e5c6e4d5248b
2021-05-11 17:35:20 -07:00
Hridya Valsaraju
9e6528da08
Label debugfs files correctly
...
A few debugfs files are labelled as belonging to both debugfs_type and
sysfs_type. Hence, any client that is provided access to sysfs_type will
automatically be provided access to these files. This patch corrects the
labelling for these files to prevent this.
Test: build
Bug: 186500818
Change-Id: I364a73a960824cc9051610032179fd5caeca09de
2021-05-11 17:35:17 -07:00
Qinchen Gu
ab6df9cc18
Add SELinux policy for allowing dumping GSC info
...
Bug: 185939493
Test: adb bugreport. Look for GSC-related info.
Change-Id: I30dbb51781526d763205594283ca3b808f45d28f
2021-05-11 17:27:14 -07:00
Wei Wang
3a2d20a1a2
Merge "Grant vendor_sched sysfs nodes access" into sc-dev
2021-05-11 17:24:38 +00:00
Midas Chien
873511167c
Allowed PowerHAL service access Display node
...
Bug: 164411401
Test: boot
Change-Id: Idcc1338bc66a7479aed9efd4d1ebc82efd1b7c4d
2021-05-11 10:23:58 +00:00
sukiliu
99853e483b
Update avc error on ROM 7349999
...
avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:twoshay:s0 tclass=binder permissive=0
Bug: 187795940
Test: PtsSELinuxTestCases
Change-Id: Ib85ee1d52915b292295b21df8df48c18761c088e
2021-05-11 17:24:08 +08:00
Maciej Żenczykowski
60e0a18e2a
correctly label networking gadgets
...
This is to pass system/netd/tests/netd_test.cpp:
TEST(NetdSELinuxTest, CheckProperMTULabels) {
    // Since we expect the egrep regexp to filter everything out,
    // we thus expect no matches and thus a return code of 1
    ASSERT_EQ(W_EXITCODE(1, 0), system("ls -Z /sys/class/net/*/mtu | egrep -q -v "
                                       "'^u:object_r:sysfs_net:s0 /sys/class/net/'"));
}
Test: atest, TreeHugger, manual observation of labeling
Bug: 185962988
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib4f8aa6cc2e0f5a5bd432bcfe473e550f5c68132
2021-05-11 07:40:38 +00:00
Taeju Park
638778c654
Grant vendor_sched sysfs nodes access
...
Bug: 182509410
Signed-off-by: Taeju Park <taeju@google.com>
Change-Id: I53a879e904bef3c5b13127404f4f5c422abd46b4
2021-05-11 04:27:23 +00:00
Peter Csaszar
bc525e1a49
pixel-selinux: add SJTAG policies
...
These are the SELinux policies for the DebugFS files of the SJTAG
kernel interface.
Bug: 184768605
Signed-off-by: Peter Csaszar <pcsaszar@google.com>
Change-Id: I36996d6fd5fe09adb7a36be573cf57f15ea35756
2021-05-10 17:58:04 -07:00
Wei Wang
551505ae05
Merge "Add policy for memlat governor needs create/delete perf events" into sc-dev
2021-05-10 23:59:50 +00:00
Jia-yi Chen
06a0792bf1
Merge "Add high_capacity_start_cpu to u:object_r:sysfs_vendor_sched:s0" into sc-dev
2021-05-10 18:29:41 +00:00
Kyle Lin
1124aeaf32
Add policy for memlat governor needs create/delete perf events
...
[ 31.756984] type=1400 audit(1620144320.436:11): avc: denied { perfmon } for comm="cpuhp/4" capability=38 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability2 permissive=0
[ 31.757246] type=1400 audit(1620144320.436:12): avc: denied { sys_admin } for comm="cpuhp/4" capability=21 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0
[ 31.757352] type=1400 audit(1620144320.436:13): avc: denied { perfmon } for comm="cpuhp/4" capability=38 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability2 permissive=0
[ 31.757450] type=1400 audit(1620144320.436:14): avc: denied { sys_admin } for comm="cpuhp/4" capability=21 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0
...
...
[ 215.584932] type=1400 audit(1620634018.936:191): avc: denied { cpu } for comm="cpuhp/4" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=0
Bug: 187437491
Bug: 170479743
Test: build, boot and suspend/resume test 200 times.
Change-Id: I4fd3d3fb915ca518ffa226f25298c94faaf867f1
2021-05-10 16:18:58 +08:00
chenpaul
6297e8a5a7
Sniffer Logger: Add dontaudit getattr for sysfs_wifi
...
05-10 15:04:37.376 12958 12958 I auditd : type=1400 audit(0.0:14): avc: denied { getattr } for comm="wifi_sniffer" path="/sys/wifi/firmware_path" dev="sysfs" ino=81201 scontext=u:r:wifi_sniffer:s0 tcontext=u:object_r:sysfs_wifi:s0 tclass=file permissive=0
Bug: 187583019
Test: Sniffer Logger is workable
Change-Id: I6bce0bb58d951b6be39f58340b6418b328ffe386
2021-05-10 15:28:47 +08:00
JJ Lee
df02b6ef77
Merge "sepolicy: gs101: allow audio hal to use wakelock" into sc-dev
2021-05-10 02:14:07 +00:00
TreeHugger Robot
ec3144742f
Merge "vibrator: Remove temporary method" into sc-dev
2021-05-10 01:13:47 +00:00
TreeHugger Robot
a2d2ebd508
Merge changes Ic697ffe8,Idcf38e09 into sc-dev
...
* changes:
Remove dumpstate AVC denials dontaudit for twoshay
Allow dumpstate to access twoshay
2021-05-10 01:11:46 +00:00
TreeHugger Robot
c03c055812
Merge "Allow radioext to communicate with bt hal" into sc-dev
2021-05-08 18:59:51 +00:00
TreeHugger Robot
296f8ddc5d
Merge "iwlan: update sepolicy for qualifiednetworksservice" into sc-dev
2021-05-07 23:29:31 +00:00
chasewu
59161a5745
vibrator: Remove temporary method
...
Bug: 177176811
Test: no avc denied logs
Signed-off-by: chasewu <chasewu@google.com>
Change-Id: I424e15037b3e20824f5e072d88bdf71a50cfdabf
2021-05-07 18:33:15 +08:00
Seungah Lim
72e6339123
iwlan: update sepolicy for qualifiednetworksservice
...
Bug: 185942456
Test: VoLTE/VoWifi
Change-Id: I352bb933e577b11bb052a297d17776ff0a5f3a75
Signed-off-by: Seungah Lim <sss.lim@samsung.com>
2021-05-07 17:14:00 +08:00
Tai Kuo
8e3aaa30ff
Remove dumpstate AVC denials dontaudit for twoshay
...
Bug: 187014717
Test: pts-tradefed run pts -m PtsSELinuxTest -t \
com.google.android.selinux.pts.SELinuxTest#scanBugreport
Signed-off-by: Tai Kuo <taikuo@google.com>
Change-Id: Ic697ffe8f6ee15fb9d9330173a3c92aeca61de67
2021-05-07 14:56:22 +08:00
Tai Kuo
0e68aed154
Allow dumpstate to access twoshay
...
Bug: 173330981
Bug: 187014717
Test: no avc denials for twoshay were found.
Signed-off-by: Tai Kuo <taikuo@google.com>
Change-Id: Idcf38e0921fb4d6d617e7cd443425193aea3fe91
2021-05-07 14:55:43 +08:00
Jia-yi Chen
15c046878b
Add high_capacity_start_cpu to u:object_r:sysfs_vendor_sched:s0
...
Bug: 186564130
Test: Boot & check powerhal log
Change-Id: I1a828f113266d4b3386b2f6fa74df050255113a9
2021-05-06 21:00:08 -07:00
Labib
a27f8c4480
Allow radioext to communicate with bt hal
...
Bug: 187447420
Change-Id: I1a1626502a6c3913846b957c3c0a31fdd99feb31
2021-05-07 09:20:02 +08:00
Tri Vo
f7bec8b3c6
Merge "trusty: sepolicy for metrics reporter" into sc-dev
2021-05-06 15:52:51 +00:00
JJ Lee
43735f0fc3
sepolicy: gs101: allow audio hal to use wakelock
...
Bug: 178789331
Test: build pass
Signed-off-by: JJ Lee <leejj@google.com>
Change-Id: I1d5c9ea8726f2e53bc05e0ecd5dedddede274794
2021-05-06 19:43:24 +08:00
Aaron Tsai
6a9a85cd07
Fix avc denied for shannon-ims
...
04-01 19:10:22.956 10272 2327 2327 W Binder:2327_4: type=1400 audit(0.0:8): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=139 scontext=u:r:vendor_ims_app:s0:c16,c257,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.shannon.imsservice
04-01 19:10:22.960 10272 2327 4608 E libc : Access denied finding property "persist.dbg.wfc_avail_ovr0"
04-01 19:10:22.981 10272 2327 4608 E libc : Access denied finding property "persist.dbg.vt_avail_ovr0"
04-01 19:10:22.982 10272 2327 4980 E libc : Access denied finding property "persist.dbg.volte_avail_ovr0"
Bug: 183935382
Bug: 184858478
Test: verified with the forrest ROM and error log goneFix
Change-Id: I0754c6be7f74ed73533e9570c7d1916320ab2897
2021-05-06 09:04:03 +00:00
TreeHugger Robot
6978eeaea4
Merge "HardwareInfo: Add sepolicy for display" into sc-dev
2021-05-06 06:03:18 +00:00
TreeHugger Robot
577f562727
Merge "wlc fwupdate implementation" into sc-dev
2021-05-06 05:41:01 +00:00
SalmaxChang
ab97657410
logger_app: Fix avc errors
...
avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=141 scontext=u:r:logger_app:s0:c21,c257,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.android.pixellogger
Access denied finding property "viewroot.profile_rendering"
Access denied finding property "ro.input.resampling"
Access denied finding property "persist.input.velocitytracker.strategy"
avc: denied { read } for comm="oid.pixellogger" name="u:object_r:usb_control_prop:s0" dev="tmpfs" ino=281 scontext=u:r:logger_app:s0:c21,c257,c512,c768 tcontext=u:object_r:usb_control_prop:s0 tclass=file permissive=0 app=com.android.pixellogger
Bug: 186612284
Change-Id: I15f00d9ed3cc0c0657c854292caad60e3f7a3011
2021-05-06 03:57:01 +00:00
Jack Wu
2c1ecf3a54
sepolicy: gs101: Fix hal_health_default avc denials
...
01-01 12:00:08.752 1000 682 682 I android.hardwar: type=1400 audit(0.0:3): avc: denied { read } for name="type" dev="sysfs" ino=68812 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
01-01 12:00:08.752 1000 682 682 I android.hardwar: type=1400 audit(0.0:4): avc: denied { open } for path="/sys/devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/type" dev="sysfs" ino=68812 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
01-01 12:00:08.752 1000 682 682 I android.hardwar: type=1400 audit(0.0:5): avc: denied { getattr } for path="/sys/devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/type" dev="sysfs" ino=68812 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
Bug: 184429394
Test: Verify pass by checking device log are w/o above errors after
Signed-off-by: Jack Wu <wjack@google.com>
Change-Id: If1253c902af1723ca80d31223f51ebf439404527
2021-05-06 00:26:14 +08:00
Alex Hong
be17ec14cc
Merge "sepolicy: Update dumpstate HAL to V1.1" into sc-dev
2021-05-05 06:09:11 +00:00
Tri Vo
1dac39e833
trusty: sepolicy for metrics reporter
...
Bug: 173423860
Test: m
Change-Id: I42d646c6c9453662e670e7c22712f2bde2368bba
2021-05-05 05:38:34 +00:00
TreeHugger Robot
6978cd7220
Merge "add sepolicy for dump TRICKLE/TEMP/DWELL defend config" into sc-dev
2021-05-05 02:55:28 +00:00
qinyiyan
9eeae92ade
[SEPolicy] Allow EdgeTPU related service to log to stats service
...
We are collecting Suez metrics from TPU related services. This includes
NNAPI HAL, edgetpu logging service, and edgetpu service.
This change allows them all to find stats_service.
Bug: 151063663
Test: Pushed selinux module to device and successfully logged Stats
service.
Change-Id: I80774485ae7c2a5f994d48a71b6406fac753a9f8
2021-05-04 17:08:56 -07:00
Chris Kuiper
d0d0304443
Merge "sepolicy: gs101: allow usf_reg_edit to run" into sc-dev
2021-05-04 22:33:57 +00:00
Yu-Chi Cheng
7eef8643a3
Merge "Added the SELinux rule for the EdgeTPU vendor service." into sc-dev
2021-05-04 19:39:32 +00:00
Yu-Chi Cheng
b844190a34
Added the SELinux rule for the EdgeTPU vendor service.
...
To comply with the GSI compliance test, this change
splits the compiler part of the edgetpu_service into a
separate edgetpu_vendor_service under vendor.
The edgetpu_service is located under /system_ext/ and used
to be connected by both applications and vendor clients.
With this change, vendor clients could talk to the vendor
part of this service directly without having to cross
the system and vendor boundary.
Applications will still talk to the system_ext one, which
will forward the requests to the vendor service.
Bug: 185432427
Test: tested on Oriole + GCA.
Change-Id: I1ee47946f1fc3694d5f8b5325c192d6bd720a76e
2021-05-04 10:36:21 -07:00
Alex Hong
ea5b597e3d
sepolicy: Update dumpstate HAL to V1.1
...
Test: $ make selinux_policy
Check the label after boot completed
Bug: 186539439
Change-Id: I6690e2bc485aceb53dc607b8a7656a4f57edf70e
2021-05-04 17:11:07 +08:00
Jenny Ho
f5b47095be
add sepolicy for dump TRICKLE/TEMP/DWELL defend config
...
type=1400 audit(0.0:12): avc: denied { read } for name="google,charger" dev="sysfs" ino=25880 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
Bug: 186872139
Signed-off-by: Jenny Ho <hsiufangho@google.com>
Change-Id: Id8868d2b12408d4a39ba42c8b0faf801923f73f3
2021-05-04 15:24:38 +08:00
Daniel Mentz
48e3555770
Merge "Remove /vendor/lib/modules from file_contexts" into sc-dev
2021-05-04 04:28:49 +00:00
Daniel Mentz
1473b1d155
Merge "Revert "remove wildcard on kernel modules"" into sc-dev
2021-05-04 03:50:16 +00:00
TreeHugger Robot
3186a0f24c
Merge changes from topic "tcpdump_logger" into sc-dev
...
* changes:
Add sepolicy for dumpstate to access logs of tcpdump_logger
Add sepolicy for tcpdump_logger to access wlan_logs folder
2021-05-04 03:48:04 +00:00
Jenny Ho
93e25c878a
Merge "set sepolicy for testing_battery_profile" into sc-dev
2021-05-04 02:48:41 +00:00
lucaslin
34278f05a0
Add sepolicy for dumpstate to access logs of tcpdump_logger
...
Bug: 183467815
Test: 1. Enable tcpdump_logger always-on function
2. Dump bugreport
3. Pull dumpstate_board.bin and change it to zip
4. Unzip dumpstate_board.zip and check if tcpdump files
are there.
Change-Id: I178aca40d94602994eef619f05a26ceb78eeff1f
2021-05-04 10:30:22 +08:00