Commit graph

157 commits

Author SHA1 Message Date
TreeHugger Robot
9225f4e5d0 Merge "remove workaround as vendor_init is ready" into sc-dev 2021-03-19 06:43:54 +00:00
Adam Shih
3f6e2bba41 Merge "label missing vibrator sys nodes" into sc-dev 2021-03-19 05:32:27 +00:00
TreeHugger Robot
fc6b81d188 Merge "Add sepolicy rules for fingerprint hal" into sc-dev 2021-03-19 04:37:58 +00:00
Adam Shih
ac6b1273e4 remove workaround as vendor_init is ready
Bug: 171942789
Test: boot under enforcing ROM
Change-Id: If4bb070ecf2272dd927ceaeda1882d2fad62b4c3
2021-03-19 11:58:39 +08:00
Kris Chen
09996bc810 Add sepolicy rules for fingerprint hal
Fixes the following avc denials:
03-18 11:23:15.692   956   956 I android.hardwar: type=1400 audit(0.0:7): avc: denied { read write } for name="trusty-ipc-dev0" dev="tmpfs" ino=691 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1
03-18 11:23:15.692   956   956 I android.hardwar: type=1400 audit(0.0:8): avc: denied { open } for path="/dev/trusty-ipc-dev0" dev="tmpfs" ino=691 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1
03-18 11:23:15.692   956   956 I android.hardwar: type=1400 audit(0.0:9): avc: denied { ioctl } for path="/dev/trusty-ipc-dev0" dev="tmpfs" ino=691 ioctlcmd=0x7280 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1
03-18 11:40:56.072   973   973 I fingerprint@2.1: type=1400 audit(0.0:39): avc: denied { search } for name="battery" dev="sysfs" ino=66502 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
03-18 11:40:56.072   973   973 I fingerprint@2.1: type=1400 audit(0.0:40): avc: denied { read } for name="temp" dev="sysfs" ino=66520 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
03-18 11:40:56.072   973   973 I fingerprint@2.1: type=1400 audit(0.0:41): avc: denied { open } for path="/sys/devices/platform/google,battery/power_supply/battery/temp" dev="sysfs" ino=66520 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
03-18 14:11:23.476   979   979 I fingerprint@2.1: type=1400 audit(0.0:13): avc: denied { search } for name="battery" dev="sysfs" ino=66502 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
03-18 12:03:08.248   978   978 I android.hardwar: type=1400 audit(0.0:9): avc: denied { create } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1
03-18 12:03:08.248   978   978 I android.hardwar: type=1400 audit(0.0:10): avc: denied { bind } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1
03-18 12:03:08.248   978   978 I android.hardwar: type=1400 audit(0.0:11): avc: denied { write } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1
03-18 12:03:08.248   978   978 I android.hardwar: type=1400 audit(0.0:12): avc: denied { read } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1
03-18 12:56:30.446   404   404 E SELinux : avc:  denied  { add } for interface=vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon sid=u:r:hal_fingerprint_default:s0 pid=967 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=1

Bug: 171943101
Test: No above avc denials in logcat.
Change-Id: I67b397f86c39625b77ebe6d32d37e42cd87b3f93
2021-03-19 03:41:18 +00:00
Adam Shih
8d2feed7ed label missing vibrator sys nodes
Bug: 182954060
Test: boot with no avc error found
Change-Id: I1ffd97c6646d106c88efe36bfb4483ae44415eaa
2021-03-19 11:14:36 +08:00
Adam Shih
857ea2e064 update error on ROM 7219510
Bug: 183161715
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Id5c7856e7b77600f47df652a95ac342f11c924f5
2021-03-19 10:52:09 +08:00
Adam Shih
c36661eb0b remove obsolete entries
Bug: 177389198
Bug: 177860960
Bug: 178752576
Bug: 178753472
Bug: 179310892
Bug: 179437292
Bug: 179437988
Bug: 180656125
Bug: 180960879
Bug: 182705863
Test: boot and grab bugreport with no gmscore error found
Change-Id: I154733215aeca58a76add8d346cc0016a5f0dff7
2021-03-18 10:15:43 +08:00
Adam Shih
15a0c61432 update error on ROM 7216638
Bug: 183055762
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Id60bb2e822734e23803b8f937b71dc59a325c27b
2021-03-18 10:03:37 +08:00
Yu-Chi Cheng
a802ac3b05 Merge "Allowed Camera hal to access EdgeTPU service for on-device compilation." into sc-dev 2021-03-17 20:37:44 +00:00
Yu-Chi Cheng
86aa156202 Allowed Camera hal to access EdgeTPU service for on-device compilation.
Camera hal DarwiNN pipelines are switching to use the on-device
compilation, which is achieved by talking to the EdgeTPU service.
This change adds the required selinux policies to allow accessing
the service, as well as allowing file descriptors to be shared
between them for passing the compilation info around.

Bug: 182423730
Bug: 182706078
Test: verified on Oriole running camera.
Change-Id: I5d3bc84fd54d4618f505f37d9773894261061d7f
2021-03-17 08:18:55 -07:00
Adam Shih
ebeae6abc3 label uwb service to prevent reset after unplugging USB
Bug: 182953824
Test: unplug USB under enforcing mode
Change-Id: Ib4bdf9b9339fc631d045bde57f78a46ce3ca8b6e
2021-03-17 15:25:27 +08:00
TreeHugger Robot
b8ec327d5c Merge "sensors: Add sensor related rule to chre." into sc-dev 2021-03-17 06:28:41 +00:00
Adam Shih
63143cdf96 Merge changes I33cd99d5,I8417d4eb into sc-dev
* changes:
  label missing power sys nodes
  update error on ROM 7213588
2021-03-17 05:03:29 +00:00
Adam Shih
74052118a8 label missing power sys nodes
Bug: 182954169
Test: boot with no avc error found
Change-Id: I33cd99d5748dd9fc40301c460a050b6e969f30f4
2021-03-17 10:49:24 +08:00
Rick Chen
78047fa17b sensors: Add sensor related rule to chre.
[    8.417813] type=1400 audit(1615518074.988:4): avc: denied { write } for comm="sensors@2.0-ser" name="chre" dev="tmpfs" ino=908 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1
[    8.418075] type=1400 audit(1615518074.988:5): avc: denied { connectto } for comm="sensors@2.0-ser" path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1
03-12 11:01:14.988   694   694 I sensors@2.0-ser: type=1400 audit(0.0:5): avc: denied { connectto } for path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1

Also merge two sensor_hal related files into single file.

Bug: 182523946
Test: make selinux_policy -j128 and push to device.
      No hal_sensors_default related avc denied log during boot.
Signed-off-by: Rick Chen <rickctchen@google.com>
Change-Id: I49ce71ba4703528fb2e26dd8956c4ed741337ffc
2021-03-17 10:34:14 +08:00
Adam Shih
7c0fd2a413 update error on ROM 7213588
Bug: 182954169
Bug: 182954060
Bug: 182954138
Bug: 182954062
Bug: 182953824
Bug: 182953825
Bug: 182954248
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I8417d4ebacefa691838e25131749b0e4fd152a2f
2021-03-17 10:15:02 +08:00
TreeHugger Robot
23017e956d Merge "allow df to collect partition info" into sc-dev 2021-03-17 01:52:43 +00:00
Benjamin Schwartz
ed8fdc9997 Fix sepolicies for hal_power_stats_default
Bug: 182320246
Test: No more avc denied log messages for hal_power_stats_default
Change-Id: I1cd801bb4823e80bd5ea112fb0b7bdfaeabbdef5
2021-03-16 10:37:09 -07:00
TreeHugger Robot
96d0c28dc4 Merge "display: add sepolicy for hal_graphics_composer" into sc-dev 2021-03-16 12:05:50 +00:00
raylinhsu
031fe80418 display: add sepolicy for hal_graphics_composer
Allow HWC to access vendor_log_file and also allow hwc to access
power hal

Bug: 181712799
Test: pts -m PtsSELinuxTest -t
com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot

Change-Id: I403a528f651b9ee5755d11525f2a33c39628ecee
2021-03-16 13:50:48 +08:00
Adam Shih
dd7f31a99f Merge "label power.stats-vendor properly" into sc-dev 2021-03-16 01:16:20 +00:00
Alex Hong
e2f3348361 Merge "Clean up the obsolete dontaudit rules" into sc-dev 2021-03-15 08:22:53 +00:00
Alex Hong
abfa9355ee Clean up the obsolete dontaudit rules
Verify with the ROM: go/ab/7203892 oriole-userdebug

Test: $ make selinux_policy
      Push selinux modules. Check the denials during boot.

      $ pts-tradefed run commandAndExit pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanBugreport
      $ pts-tradefed run commandAndExit pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot
Bug: 171760597
Bug: 171760846
Bug: 173969190
Bug: 174443175
Bug: 176777145
Bug: 176868315
Bug: 177386448
Bug: 177389321
Bug: 177614659
Bug: 177616188
Bug: 177778551
Bug: 177778793
Bug: 177860838
Bug: 177862403
Bug: 177862777
Bug: 177966144
Bug: 178433506
Bug: 178433618
Bug: 178753151
Bug: 178752409
Bug: 178979985
Bug: 178980142
Bug: 179093352
Bug: 179310875
Bug: 179435036
Bug: 179437293
Bug: 179437737
Bug: 180551518
Bug: 180567612
Bug: 180655373
Bug: 180656244
Bug: 180874342
Bug: 180963328
Bug: 180963587
Change-Id: I19e19e49d36e5635629c1e68c7d23a98c714ebcf
2021-03-15 06:24:59 +00:00
Adam Shih
0218941cb8 allow df to collect partition info
Bug: 179310854
Test: do bugreport and the error disappears
Change-Id: I9fdcbb27742a70f3b796c668c3e0d4688d36b4d8
2021-03-15 11:00:41 +08:00
Adam Shih
cf96663690 label power.stats-vendor properly
Bug: 182320246
Test: boot with power.stats-vendor labeled
Change-Id: Icc3ff763be1a23e8f3e9d1ed076fcb5c74401abe
2021-03-15 10:21:24 +08:00
Adam Shih
36e82d438a update error on ROM 7207833
Bug: 182706078
Bug: 182705863
Bug: 182705986
Bug: 182705901
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I37728b3b475998668f37d50a70ce980eeff70a63
2021-03-15 09:26:46 +08:00
TreeHugger Robot
3b10aeadae Merge "allow init to mount modem_img" into sc-dev 2021-03-12 06:01:50 +00:00
Wen Chang Liu
e72c30346f Merge changes Ie0ed96d7,Id7f43fe1 into sc-dev
* changes:
  Add sepolicy for BigOcean device
  Add sepolicy for MFC device
2021-03-12 05:41:08 +00:00
TreeHugger Robot
8e2430d151 Merge "update error on ROM 7202683" into sc-dev 2021-03-12 05:19:01 +00:00
Adam Shih
fdeedcba65 allow init to mount modem_img
Bug: 182524202
Bug: 182524203
Test: modem_img is mounted under enforcing mode
Change-Id: Ie5448468d4d7f1ad6acdd2c93055bba9001185d1
2021-03-12 12:54:22 +08:00
Vova Sharaienko
175c2eaa31 Merge "Stats: new sepolicy for the AIDL service" into sc-dev 2021-03-12 03:32:22 +00:00
Adam Shih
526da2f9b1 update error on ROM 7202683
Bug: 182524105
Bug: 182523946
Bug: 182524202
Bug: 182524203
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I4c97960d106a74cbe2ba819671612514d4cba282
2021-03-12 11:18:10 +08:00
wenchangliu
b52121a259 Add sepolicy for MFC device
- Add sysfs_video type for mfc device
- Allow mediacodec to access sysfs_video

avc: denied { read } for name="name" dev="sysfs" ino=62278 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video7/name" \
dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video7/name" \
dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { read } for name="name" dev="sysfs" ino=62230 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video6/name" \
dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video6/name" \
dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1

Bug: 172173484
Test: video playback / camera recording with enforcing mode
Change-Id: Id7f43fe11c9ed089067f43a50d7f765df873d6c6
2021-03-12 10:51:41 +08:00
Ahmed ElArabawy
4a0294348b Merge "Wifi: Add sepolicy files for wifi_ext service" into sc-dev 2021-03-12 01:37:36 +00:00
Vova Sharaienko
2ed30c23e3 Stats: new sepolicy for the AIDL service
This allows pixelstats_vendor to communicate with the new AIDL IStats service via ServiceManager

Bug: 181914749
Test: Build, flash, and logcat -s "pixelstats_vendor"
Change-Id: Icf1bbbd7f72835fe8f9c2f23281a2f5b4bf8e698
2021-03-12 01:12:21 +00:00
Eddie Tashjian
78cd6eb78e Add selinux policies for mounted modem partition
Bug: 178980032
Bug: 178979986
Bug: 179198083
Bug: 179198085
Bug: 178980065

Test: Check selinux denials
Change-Id: I7f826442d1536946d0e84aadfd80f679c0f4d6da
2021-03-11 10:16:27 +00:00
TreeHugger Robot
db0ca5a3b2 Merge changes I6f6e8359,Ib7bf4029 into sc-dev
* changes:
  label kernel modules and grant bt permission
  update error on ROM 7196668
2021-03-11 03:53:57 +00:00
SalmaxChang
6247ff69b2 cbd: Fix avc errors
avc: denied { setuid } for comm="cbd" capability=7 scontext=u:r:cbd:s0 tcontext=u:r:cbd:s0 tclass=capability permissive=1
avc: denied { search } for comm="cbd" name="vendor" dev="tmpfs" ino=2 scontext=u:r:cbd:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1

Bug: 178331928
Bug: 171267363
Change-Id: Icf28f494f05ee386ce94213929926369f2775173
2021-03-10 13:33:43 +00:00
SalmaxChang
7edb7e30c4 vendor_init: Update tracking denials
Removed the path creation from init rc.

Bug: 177186257
Change-Id: I5a8e99ae273d0c8370255bcdb4b9e802fa9895ca
2021-03-10 13:33:19 +00:00
Jack Wu
522a8aefcf hal_health_default: Fix avc denials
[    5.146740] type=1400 audit(1611123521.796:23): avc: denied { search } for comm="android.hardwar" name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1
[    5.425436] type=1400 audit(1611123522.076:24): avc: denied { search } for comm="health@2.1-serv" name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1
[   29.943710] type=1400 audit(1611123546.592:483): avc: denied { write } for comm="health@2.1-serv" name="mode" dev="sysfs" ino=14741 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
01-20 14:18:41.796   656   656 I android.hardwar: type=1400 audit(0.0:23): avc: denied { search } for name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1

Bug: 177966434
Test: Verify pass by checking device logs are w/o above errors after
Signed-off-by: Jack Wu <wjack@google.com>
Change-Id: I576547e27dceb55fd768de2834e3bb0155857f56
2021-03-10 14:13:38 +08:00
Adam Shih
58b3344c7a label kernel modules and grant bt permission
Bug: 182320300
Bug: 182320258
Test: boot to home and connect to bluetooth headset under enforcing mode
Change-Id: I6f6e8359d03eb4205268d56a1fcd50ce1445f442
2021-03-10 10:36:45 +08:00
Adam Shih
487f66f754 update error on ROM 7196668
Bug: 182320300
Bug: 182320246
Bug: 182320258
Bug: 182320172
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Ib7bf40299374061526a87714cfd8982544a1698f
2021-03-10 10:34:03 +08:00
TreeHugger Robot
c625222492 Merge "hal_power_stats_default: Fix avc denials" into sc-dev 2021-03-10 02:11:04 +00:00
Adam Shih
48113ddced Merge "remove obsolete entries and put crucial domains to permissive" into sc-dev 2021-03-10 01:24:44 +00:00
Jack Wu
a3678d9487 hal_power_stats_default: Fix avc denials
[  351.298850] type=1400 audit(1614041245.976:13): avc: denied { read } for comm="android.hardwar" name="hf1_wfi" dev="sysfs" ino=78155 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
[  698.658433] type=1400 audit(1614041593.336:1733): avc: denied { open } for comm="stats@1.0-servi" path="/sys/devices/platform/19000000.aoc/control/monitor_mode" dev="sysfs" ino=78158 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
02-23 08:53:13.336   673   673 I stats@1.0-servi: type=1400 audit(0.0:1734): avc: denied { getattr } for path="/sys/devices/platform/19000000.aoc/control/monitor_mode" dev="sysfs" ino=78158 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
02-23 08:52:26.228   670   670 I android.hardwar: type=1400 audit(0.0:724): avc: denied { search } for name="19000000.aoc" dev="sysfs" ino=18343 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=dir permissive=1

Bug: 180963514
Test: Verify pass by checking device logs are w/o above errors after
Signed-off-by: Jack Wu <wjack@google.com>
Change-Id: Iab245b320c1f6e75407f1fafb5ad20a087b1a707
2021-03-09 14:21:20 +00:00
raylinhsu
43fb32d300 dumpstate: allow dumpstate to access displaycolor
In the bugreport, we need to dump libdisplaycolor information.
Hence, we should add the corresponding sepolicy.

Bug: 181915591
Test: There is no avc denied regarding displaycolor when we
capture the bugreport.

Change-Id: I9f7f8f451fab24b4d0c49305d96b8db6b4d0eed4
2021-03-09 19:06:24 +08:00
Adam Shih
df06cd7760 remove obsolete entries and put crucial domains to permissive
Bug: 171942789
Bug: 178979986
Bug: 179310854
Bug: 178980065
Bug: 179198085
Bug: 178980032
Test: boot to home under enforcing mode
Change-Id: Ic925dbbb74ca2ba38b22c982761c1e214886bfa1
2021-03-09 13:46:42 +08:00
Charlie Chen
e265637395 Merge changes I8de6132f,I2bc6057d into sc-dev
* changes:
  Remove dma_buf_heap tracking_denials
  Add missing permission to dmabuf_video_system_heap
2021-03-09 04:58:08 +00:00
TreeHugger Robot
ce148d20c6 Merge "update error on ROM 7193586" into sc-dev 2021-03-09 04:05:05 +00:00