Evolution-X-Tensor/device_google_gs101
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
1414 commits 1 branch 0 tags 494 MiB
Commit graph

1414 commits

This branch
This branch
All branches
Author SHA1 Message Date
Adam Shih
00f6651d46 Merge "update error on ROM" into sc-dev 2021-03-31 06:02:36 +00:00
Charlie Chen
7c92613185 Allow Exoplayer access to the vstream-secure heap for secure playback 
Fixes the following denials:

avc: denied { read } for name="name" dev="sysfs" ino=63727 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \
permissive=0

avc: denied { read } for name="name" dev="sysfs" ino=63743 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \
permissive=0

avc: denied { read } for name="name" dev="sysfs" ino=64010 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \
permissive=0

Bug: 182525521
Test: no more denials and able to play video via ExoPlayer App
Change-Id: I21033bc78858fd407c16d2cd2df4549f97273221
 2021-03-31 05:41:26 +00:00
Adam Shih
1db99c759f allow vendor_init to set logpersist 
Bug: 184093803
Test: boot with the permission error gone
03-31 11:11:19.447     1     1 E init    : Do not have permissions to
set ...

Change-Id: Idc4023b2fa1b04ae4a4b95a2e105700e89e9dffa
 2021-03-31 11:34:12 +08:00
Erik Cheng
90ed4cc72e Merge "Grant permission for more camera device nodes" into sc-dev 2021-03-31 03:09:15 +00:00
Maurice Lam
6bc7204b64 Merge "Fix cuttlefish test fail due to sepolicy of Wirecutter" into sc-dev 2021-03-31 01:20:12 +00:00
Eddie Tashjian
44799a27ba Add sepolicy for CBRS setup app. 
Bug: 182519609
Test: Test CBRS setup
Change-Id: I3ee27dd80eb0484c9cf2c6be0c63aee996383f7f
 2021-03-30 18:06:14 -07:00
TreeHugger Robot
a548cd7773 Merge "Allow mediacodec to access the vstream-secure DMA-BUF heap" into sc-dev 2021-03-31 01:05:14 +00:00
Xu Han
f34ff90b48 Merge "Allow camera HAL access radioext service" into sc-dev 2021-03-31 00:45:11 +00:00
Adam Shih
98d890424d update error on ROM 
Bug: 184091381
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Ia37d49cf2e347a22181058987b0edf8f93457c53
 2021-03-31 08:32:56 +08:00
Eddie Tashjian
a5879bec5b Merge "Allow radioext to access bluetooth coex hal." into sc-dev 2021-03-30 23:03:24 +00:00
Maurice Lam
880dd70064 Fix cuttlefish test fail due to sepolicy of Wirecutter 
Need to grant gpu_device dir search permission to be able to render UI
on cuttlefish.

Fixes: 183995046
Test: atest WirecutterTests
Change-Id: I122e541188ce659381769339e3f9e6b720441a92
 2021-03-30 22:18:45 +00:00
TreeHugger Robot
8250408148 Merge "sepolicy: allow hwservice to see armnn nnhal." into sc-dev 2021-03-30 21:16:27 +00:00
Kevin DuBois
4f5d60403d sepolicy: allow hwservice to see armnn nnhal. 
Allows hwservice to see armnn nnhal.

Fixes: 183917925
Test: build, check for absence of error msg in logcat.
Test: run_nnapi_tests for darwinn
Test: CtsNNAPITestCases64 --hal_service_instance=android.hardware.neuralnetworks@1.3::IDevice/google-edgetpu --gtest_filter="TestGenerated*"
Change-Id: I9778e92d6f15e9aa74774c6a8d143969951046eb
 2021-03-30 19:58:52 +00:00
Hridya Valsaraju
ef8172c028 Allow mediacodec to access the vstream-secure DMA-BUF heap 
This patch fixes the following denial:

avc: denied { read } for comm="HwBinder:727_3" name="vstream-secure"
dev="tmpfs" ino=693 scontext=u:r:mediacodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=0

Bug: 183681871
Test: build
Change-Id: I018a8d42afe2bb58416b47864b8ffd53de9292cb
 2021-03-30 12:41:17 -07:00
Xu Han
6932235e89 Allow camera HAL access radioext service 
Camera needs to query radioext for preferred MIPI clock rate.

Bug: 178038924
Test: camera CTS
Change-Id: Id1dbe8a12d07b5ccfb4fc7db69dda7ce78a163a7
 2021-03-30 11:15:44 -07:00
Oleg Matcovschi
20c4be9a06 Merge "gs101-sepolicy: add sscoredump" into sc-dev 2021-03-30 18:02:18 +00:00
Yu-Chi Cheng
755a1de452 Allowed EdgeTPU service and the EdgeTPU NNAPI hal to read /proc/version. 
Both services invoke InitGoogle in order to use google utilities (e.g.
file).  Since InitGoogle reads the kernel info from /proc/version,
this change added the corresponding selinux rules to allow that.

Bug: 183935416
Test: tested on Oriole.
Change-Id: Icb8f3a57e249774b5fad3284413661b04ff7dae6
 2021-03-30 10:07:43 -07:00
Ankit Goyal
4097aa96ab Merge "Fix SELinux denials for arm.graphics AIDL interface" into sc-dev 2021-03-30 16:27:55 +00:00
TreeHugger Robot
fd3d8c0467 Merge "vendor_init: allow set_prop for vendor_ro_config_default_prop" into sc-dev 2021-03-30 16:06:04 +00:00
Oleg Matcovschi
de30c53177 gs101-sepolicy: add sscoredump 
Bug: 183995288
Change-Id: I5363d0c45c183d809c03fe755835c1fc95a33159
 2021-03-30 15:31:10 +00:00
Ankit Goyal
b07d84f087 Fix SELinux denials for arm.graphics AIDL interface 
Denial example:
03-30 05:44:44.468   490   490 W RenderEngine: type=1400 audit(0.0:4): avc: denied { read } for name="arm.graphics-V1-ndk_platform.so" dev="dm-9" ino=1923 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=0

Bug: 143246001
Test: Build and boot to home
Change-Id: Id7c2bd98aa634f852a21812fb2421a2e96ef7636
 2021-03-30 22:22:22 +08:00
Erik Cheng
5f6e263527 Grant permission for more camera device nodes 
Bug: 184004655
Test: aosp camera
Change-Id: I52fdb3f7f3d37537461c94b139e72add1a300bb2
 2021-03-30 17:34:38 +08:00
Yu-Chi Cheng
93bf9b613b Labelled EdgeTPU service libraries as SP-HAL. 
The EdgeTPU service libraries (libedgetpu_client.google.so and
com.google.edgetpu-V1-ndk.so) provide both the system_ext and
vendor variants.  Since these need to be linked by pre-built
applications from /product/, this change labelled them as
the same_process_hal_file in order to allow the applications
to link with the vendor variant.

Bug: 184008444
Test: tested on local Oriole with GCA.
Change-Id: I8c510f51ccc1a76d14978962d72fd91f15bf7a90
 2021-03-29 23:22:33 -07:00
Krzysztof Kosiński
dffdeca76d Improve camera HAL SELinux policy. 
- Grant access to DMA system heap for Tuscany.
- Reorder statements for more logical grouping.
- Allow access to isolated tmpfs for google3 prebuilts.
- Remove fixed denials.

Bug: 181913550
Bug: 182705901
Test: Inspected logcat, no denials from hal_camera_default
Change-Id: I9bf1ce207c3bcae1b9f9ab0f0072bb7501201451
 2021-03-29 20:42:50 -07:00
Aaron Tsai
181f1d3cd0 vendor_init: allow set_prop for vendor_ro_config_default_prop 
03-29 15:18:56.425  root     1     1 E init    : Do not have permissions to set 'ro.vendor.config.build_carrier' to 'europen' in property file '/vendor/build.prop': SELinux permission check failed

Bug: 183919837
Test: verified with the forrest ROM and error log gone
Change-Id: I87cc05306f9c038df779040514a879fc2b8ab929
 2021-03-30 11:38:19 +08:00
John Tsai
f06c0a9f38 Merge "Allowed Camera hal to create debug files" into sc-dev 2021-03-30 02:51:28 +00:00
Oleg Matcovschi
5a504a1708 Merge "vendor_init: allow set_prop for vendor_ssrdump_prop" into sc-dev 2021-03-30 00:39:12 +00:00
Oleg Matcovschi
a91ba31808 vendor_init: allow set_prop for vendor_ssrdump_prop 
Bug: 183686188
Change-Id: I6a22419909cd85c55bd1c7e500b06f0420d0ec86
Signed-off-by: Oleg Matcovschi <omatcovschi@google.com>
 2021-03-30 00:28:04 +00:00
Oleg Matcovschi
3872f8015f Merge changes from topic "b180760068" into sc-dev 
* changes:
  genfs_contexts: add sscoredump per-subsystem policies
  vendor: remove sscoredump policies
 2021-03-29 22:05:23 +00:00
Eddie Tashjian
ffd2cf4eb7 Allow radioext to access bluetooth coex hal. 
Allow radio extension hal to forward coexistence message from modem to
bluetooth hal.

Bug: 183978772
Test: Check selinux denials
Change-Id: Idc288ce2a1fdcf380301e2d7c10ea03af520e4d0
 2021-03-29 15:03:40 -07:00
Oleg Matcovschi
005fafff5b genfs_contexts: add sscoredump per-subsystem policies 
Bug: 180760068
Signed-off-by: Oleg Matcovschi <omatcovschi@google.com>
Change-Id: I448dd8d5ea1e11eb774c62e129eb4c7896a5bd15
 2021-03-29 10:04:57 -07:00
Alex Hong
122849026f Merge "update error on ROM 7242124" into sc-dev 2021-03-29 16:37:47 +00:00
Alex Hong
68569d8fe3 update error on ROM 7242124 
Bug: 183935416
Bug: 183935302
Bug: 183935382
Bug: 183935443
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Iccdfc8a9eea3e8d52bebc89ca1eafcd2ec26e3c6
 2021-03-29 22:18:39 +08:00
JohnCH Tsai
522c283dee Allowed Camera hal to create debug files 
For steadiface and eis, they needs to create debug folders and files
under /data/vendor/camera.

Bug: 183708219
Test: GCA and check debug files
Change-Id: I5b87120702278199ac4f98cfa9114be47c760433
 2021-03-29 15:26:44 +08:00
Hsiaoan Hsu
c9f580b083 Fix netutils_wrapper avc denied 
avc denied log:
03-25 22:30:40.226  root 22962 22962 W iptables-wrappe: type=1400 audit(0.0:2269): avc: denied { read write } for path="/dev/umts_wfc1" dev="tmpfs" ino=748 scontext=u:r:netutils_wrapper:s0 tcontext=u:object_r:pktrouter_device:s0 tclass=chr_file permissive=0

03-25 22:30:40.226  root 22962 22962 W iptables-wrappe: type=1400 audit(0.0:2270): avc: denied { read write } for path="socket:[1017]" dev="sockfs" ino=1017 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:pktrouter:s0 tclass=netlink_route_socket permissive=0

03-25 22:30:40.226  root 22962 22962 W iptables-wrappe: type=1400 audit(0.0:2274): avc: denied { read write } for path="socket:[655847]" dev="sockfs" ino=655847 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:pktrouter:s0 tclass=udp_socket permissive=0

Bug: 183713618
Test: WFC/WFC handover

Change-Id: I363bf009c3b05ac2ceccb5580e786fcebf0f5631
 2021-03-29 05:22:41 +00:00
Oleg Matcovschi
6862b8e239 vendor: remove sscoredump policies 
Bug: 180760068
Signed-off-by: Oleg Matcovschi <omatcovschi@google.com>
Change-Id: Ib8d360b227286bdea7de00125ef2ed6ad7978e67
 2021-03-28 21:26:34 -07:00
TreeHugger Robot
6d56fb7391 Merge "SELinux: Grant camera HAL TEE access" into sc-dev 2021-03-26 06:21:05 +00:00
Kevin DuBois
978b3b4e9b Merge "hal_neuralnetworks_armnn: allow GPU access" into sc-dev 2021-03-25 22:01:42 +00:00
Jidong Sun
eda148cd47 SELinux: Grant camera HAL TEE access 
Bug: 183714594
Signed-off-by: Jidong Sun <jidong@google.com>
Change-Id: I84fd3a7cf18bc3b574632b665be86c0fcb505704
 2021-03-25 20:01:12 +00:00
Kevin DuBois
9c8327de8d hal_neuralnetworks_armnn: allow GPU access 
Neuralnetworks for armnn driver needs GPU access in order to issue
OpenCL commands to GPU. Add rule that allows this.

Fixes: 183673130
Test: setenforce 1, stop and start hal, see that hal started.
Change-Id: I9be0ee4326e5e128a37f2c4df0878f8fbbea7f8d
 2021-03-25 11:10:40 -07:00
Krzysztof Kosiński
74bc4bf947 Merge "Mark libGrallocWrapper.so as same-process HAL." into sc-dev 2021-03-25 16:34:28 +00:00
Terry Huang
bea1d217b5 Merge "Fix VT issue avc denied" into sc-dev 2021-03-25 15:21:53 +00:00
Steven Liu
acf218cb51 Merge "Add sepolicy for the wifi firmware config OTA feature" into sc-dev 2021-03-25 14:40:18 +00:00
terrycrhuang
3316a7135d Fix VT issue avc denied 
03-25 19:59:12.604 E SELinux : avc:  denied  { find } for pid=3822
uid=10264 name=media.camera
scontext=u:r:vendor_ims_app:s0:c8,c257,c512,c768
tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager
permissive=0

03-25 19:59:19.283 E SELinux : avc:  denied  { find } for pid=3822
uid=10264 name=media.player
scontext=u:r:vendor_ims_app:s0:c8,c257,c512,c768
tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
permissive=0

Bug: 183698793
Test: Manual

Change-Id: I5ccff82df99b6bcb3883b880ef1fbfe8710b2e99
 2021-03-25 21:22:33 +08:00
terrycrhuang
dbef5fe678 Fix pktrouter avc denied 
03-25 15:28:05.656 I auditd  : type=1400 audit(0.0:48): avc: denied {
net_raw } for comm="wfc-pkt-router" capability=13
scontext=u:r:pktrouter:s0 tcontext=u:r:pktrouter:s0 tclass=capability
permissive=0

Bug: 183664765
Test: Manual

Change-Id: I378b2c0ed8af9e4ba1accfdcc5380a1f9f066b81
 2021-03-25 15:56:35 +08:00
terrycrhuang
986fe49987 Fix vendor.pktrouter avc denied 
03-24 19:45:17.324 E init : Do not have permissions to set
'vendor.pktrouter' to '1' in property file '/vendor/build.prop': SELinux
permission check failed

Bug: 183664765
Test: Manual

Change-Id: Ibf0f764c905c4797b179dff2cdd1faa98fae5bc0
 2021-03-25 14:36:05 +08:00
TreeHugger Robot
f112196d64 Merge "Fix avc denied for vendor_ims_app" into sc-dev 2021-03-25 04:59:51 +00:00
Ilya Matyukhin
3233492f78 Add sepolicy for Goodix AIDL HAL 
Bug: 183054007
Test: adb logcat | grep "avc: denied"
Change-Id: Iea9a652dbc78c488a72600b4226140ccf123b004
 2021-03-24 21:00:41 -07:00
terrycrhuang
9778af3cef Fix avc denied for vendor_ims_app 
03-25 09:24:16.810 E SELinux : avc:  denied  { find } for pid=3681
uid=10272 name=media.audio_flinger
scontext=u:r:vendor_ims_app:s0:c16,c257,c512,c768
tcontext=u:object_r:audioserver_service:s0 tclass=service_manager
permissive=0

Bug: 183593669
Test: Manual

Change-Id: I9d659b475d5d19ae5dd1642974f9064c152ee4b0
 2021-03-25 10:57:57 +08:00
Aaron Tsai
d135bde241 Fix selinux errors for rild 
03-10 09:33:20.380   849   849 I rild_exynos: type=1400 audit(0.0:11): avc: denied { map } for path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1
03-10 09:33:20.380   849   849 I rild_exynos: type=1400 audit(0.0:10): avc: denied { getattr } for path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1
03-10 09:33:20.380   849   849 I rild_exynos: type=1400 audit(0.0:9): avc: denied { open } for path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1
03-10 09:33:20.380   849   849 I rild_exynos: type=1400 audit(0.0:8): avc: denied { read } for name="u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1
[   16.814981] type=1400 audit(1615340000.380:8): avc: denied { read } for comm="rild_exynos" name="u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1
[   16.815057] type=1400 audit(1615340000.380:9): avc: denied { open } for comm="rild_exynos" path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1
[   16.815089] type=1400 audit(1615340000.380:10): avc: denied { getattr } for comm="rild_exynos" path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1
[   16.815108] type=1400 audit(1615340000.380:11): avc: denied { map } for comm="rild_exynos" path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1

Bug: 182320172
Test: verified with the forrest ROM and error log gone
Change-Id: Ib0300629de5a0186c4f9fd2f603be52aefd085bc
 2021-03-25 02:47:16 +00:00