From 62eebf952ffdb477401bf48c49f8b3f76abcb633 Mon Sep 17 00:00:00 2001
From: leochuang
Date: Tue, 21 Feb 2023 08:49:55 +0800
Subject: [PATCH 01/45] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 270079857
Change-Id: I1755253d915e7d9ff1fe624ecf8e6439f7a1bcd6
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index b944d0e1..b7acf725 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -22,3 +22,4 @@ shell rootfs file b/239484612
 shell sscoredump_vendor_data_crashinfo_file dir b/241714944
 shell system_dlkm_file dir b/239484612
 su modem_img_file filesystem b/240653918
+vndservicemanager hal_keymint_citadel binder b/270079857

From 4183daf7f19e5bb80abe87a9b7ab07ee1cd0e1ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Wagner?=
Date: Tue, 27 Dec 2022 14:00:23 +0000
Subject: [PATCH 02/45] Update Mali DDK to r40 : Additional SELinux settings

Expose DDK's dynamic configuration options through the Android Sysprop interface, following recommendations from Arm's Android Integration Manual.
b/261718474
Change-Id: I75457d2d4f6e37bdd85329bac7fd81327cfff628
---
 whitechapel_pro/domain.te | 4 ++++
 whitechapel_pro/property.te | 3 +++
 whitechapel_pro/property_contexts | 3 +++
 whitechapel_pro/vendor_init.te | 3 +++
 4 files changed, 13 insertions(+)

diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te
index fd876e09..ad32036f 100644
--- a/whitechapel_pro/domain.te
+++ b/whitechapel_pro/domain.te
@@ -1,2 +1,6 @@
 allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
 allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
+
+# Mali
+get_prop(domain, vendor_arm_runtime_option_prop)
+
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index d276e851..2ea19553 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
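Review bot: `get_prop(domain, vendor_arm_runtime_option_prop)` in domain.te grants every domain on the device, untrusted app domains included, read access to the whole `vendor.mali.` prefix that property_contexts maps to this type in the same commit, so anything set under that prefix later becomes readable from any process. The description calls these configuration and debug options; if the Mali user-space driver really has to read them from every GPU client process, that requirement is not visible in the series, so record it next to the rule, e.g. `# Mali: runtime options are read by the user-space driver inside every GPU client, hence domain-wide`, so the breadth is not mistaken for an oversight. The property.te hunk declares the type with `vendor_public_prop`, which also admits writers outside vendor, while vendor_init.te is the only writer this commit adds; `vendor_restricted_prop(vendor_arm_runtime_option_prop)` is the tighter declaration, and the context lines of a later patch in this series already show the type declared that way. The trailing `+` blank line at the end of domain.te is stray.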
@@ -38,3 +38,6 @@ vendor_internal_prop(vendor_telephony_app_prop)
 
 # Trusty storage FS ready
 vendor_internal_prop(vendor_trusty_storage_prop)
+
+# Mali Integration
+vendor_public_prop(vendor_arm_runtime_option_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index acc73a66..947018e8 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -102,3 +102,6 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop:
 
 # Trusty
 ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
+
+# Mali GPU driver configuration and debug options
+vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index dfbd3d75..acf6b05d 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -38,3 +38,6 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms;
 
 # Trusty storage FS ready
 get_prop(vendor_init, vendor_trusty_storage_prop)
+
+# Mali
+set_prop(vendor_init, vendor_arm_runtime_option_prop)

From 0350bd250be421f840345be1b11642dcaaf29f79 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 24 Mar 2023 12:41:23 +0800
Subject: [PATCH 03/45] use radio dump in gs-common

Bug: 273380509
Test: adb bugreport
Change-Id: I5e4318a427c0b503c47fb81ddb9e813fa9a41ab4
---
 whitechapel_pro/hal_dumpstate_default.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index d5dfd1b5..42d727e0 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -49,8 +49,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; get_prop(hal_dumpstate_default, vendor_camera_prop) -get_prop(hal_dumpstate_default, vendor_rild_prop) -get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) set_prop(hal_dumpstate_default, vendor_logger_prop) userdebug_or_eng(`

From 9d61da55a193a12b7552e67e67d968c46d4dec86 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 6 Apr 2023 13:48:05 +0000
Subject: [PATCH 04/45] Add ArmNN config sysprops SELinux rules

Bug: b/205202540
Test: manual - reboot device and check the absence of AVC denials
Change-Id: I90af8201d5fae44f73d709491f272a113b44ca67
---
 whitechapel_pro/property.te | 3 +++
 whitechapel_pro/property_contexts | 3 +++
 whitechapel_pro/vendor_init.te | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 723379ba..d297abea 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -41,3 +41,6 @@ vendor_internal_prop(vendor_trusty_storage_prop)
 
 # Mali Integration
 vendor_restricted_prop(vendor_arm_runtime_option_prop)
+
+# ArmNN
+vendor_internal_prop(vendor_armnn_config_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index b9a563f3..08eb601b 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -105,3 +105,6 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop
 
 # Mali GPU driver configuration and debug options
 vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
+
+# ArmNN configuration
+ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index e27855d0..4d8516a2 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -40,3 +40,6 @@ get_prop(vendor_init, vendor_trusty_storage_prop)
 
 # Mali
 set_prop(vendor_init, vendor_arm_runtime_option_prop)
+
+# ArmNN
+set_prop(vendor_init, vendor_armnn_config_prop)

From 4f1ca4a7ad3895f5a5adc25fc2cf3a532eac79f6 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Wed, 5 Apr 2023 14:56:12 +0000
Subject: [PATCH 05/45] Remove 'hal_neuralnetworks_armnn' sysprop exceptions

Bug: b/205202540
Test: manual - reboot device and check the absence of AVC denials
Change-Id: Ief9f33ea3aca3f6b0756c92feb1753462e86b894
---
 tracking_denials/hal_neuralnetworks_armnn.te | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
index b58f29fe..16b6b131 100644
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -1,8 +1,2 @@
-# b/205073167
-dontaudit hal_neuralnetworks_armnn default_prop:file { open };
-dontaudit hal_neuralnetworks_armnn default_prop:file { read };
-# b/205202540
-dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
-dontaudit hal_neuralnetworks_armnn default_prop:file { map };
 # b/205779871
 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };

From bb69b32fc5b6f468561017f6bd5628626a571696 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 6 Apr 2023 15:21:42 +0000
Subject: [PATCH 06/45] Remove 'hal_neuralnetworks_armnn' '/data' access exception

The mali driver has been configured not to look there anymore.
Bug: b/205779871
Test: manual - reboot device and check the absence of AVC denials
Change-Id: Ie651cd788e6f057cd902d1c14880bd1ad71ec5a5
---
 tracking_denials/hal_neuralnetworks_armnn.te | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te

diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
deleted file mode 100644
index 16b6b131..00000000
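Review bot: The vendor_init.te hunk adds the writer for `vendor_armnn_config_prop`, but no reader appears anywhere in this commit, and the next patch in the series removes the `default_prop` dontaudit lines for hal_neuralnetworks_armnn, which presumably was the consumer that tripped them. If that HAL reads `ro.vendor.armnn.*`, it needs `get_prop(hal_neuralnetworks_armnn, vendor_armnn_config_prop)` somewhere; it may already exist outside this series, which I cannot see. The bare `# ArmNN` comment would read better if it named what is granted, e.g. `# ArmNN: ro.vendor.armnn.* configuration, written by vendor_init only`.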
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205779871
-dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };

From 83712c5243166cafa3a057d5347515e04947cde8 Mon Sep 17 00:00:00 2001
From: Samuel Gosselin
Date: Wed, 10 May 2023 18:03:56 +0000
Subject: [PATCH 07/45] genfs_contexts: add raw s2mpg12mfd and s2mpg13mfd node.

This adds the appropriate raw i2c numberings to the sepolicy for the 6.1 kernel driver which does not use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work.
Test: Boot to Android Home on WHI PRO with 6.1 kernel, no Thermal HAL crashes.
Change-Id: I8c2633b33cef8ca2b55029190fe42bd66b17390f
Signed-off-by: Samuel Gosselin
---
 whitechapel_pro/genfs_contexts | 39 ++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 902584c7..59d579b7 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -73,6 +73,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
@@ -82,6 +92,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
@@ -93,6 +112,17 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
@@ -103,6 +133,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0

From dc0f13eb032bdf08eb54478b9d782df2b8a4b7dc Mon Sep 17 00:00:00 2001
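Review bot: The raw-numbered s2mpg13 wakeup block stops at `i2c-8/8-002f`, while the raw iio:device block in the previous hunk runs through `i2c-9/9-002f` and the existing renamed wakeup block directly above also covers `i2c-9`; the line `genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0` looks missing. The bus index is assigned at probe time, which is why the commit enumerates every index, so on a 6.1 kernel that lands the device on bus 9 the wakeup node would keep the generic sysfs label and whatever reads it under sysfs_wakeup today would be denied. The two s2mpg13 blocks should cover the same index range.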
From: JohnnLee
Date: Wed, 10 May 2023 16:08:07 +0800
Subject: [PATCH 08/45] Remove obsolete entries

Test: adb bugreport
Bug: 241714943
Bug: 241714944
Bug: 268147092
Bug: 237492091
Bug: 214122471
Bug: 239484612
Bug: 270079857
Bug: 239364360
Bug: 238705599
Bug: 238571150
Change-Id: I1cc1aa8d7a48a9fe8b5c84817d827c8915a701c7
---
 tracking_denials/bug_map | 17 -----------------
 tracking_denials/incidentd.te | 2 --
 tracking_denials/servicemanager.te | 2 --
 3 files changed, 21 deletions(-)
 delete mode 100644 tracking_denials/incidentd.te
 delete mode 100644 tracking_denials/servicemanager.te

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index efb18261..c588f134 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,24 +1,7 @@
-cat_engine_service_app system_app_data_file dir b/238705599
 dex2oat privapp_data_file dir b/276386138
-hal_contexthub_default fwk_stats_service service_manager b/241714943
 hal_power_default hal_power_default capability b/237492146
 hal_radioext_default radio_vendor_data_file file b/237093466
-incidentd debugfs_wakeup_sources file b/237492091
-incidentd incidentd anon_inode b/268147092
-init-insmod-sh vendor_ready_prop property_service b/239364360
-kernel vendor_charger_debugfs dir b/238571150
 kernel vendor_usb_debugfs dir b/227121550
-shell adb_keys_file file b/239484612
-shell cache_file lnk_file b/239484612
-shell init_exec lnk_file b/239484612
-shell linkerconfig_file dir b/239484612
-shell metadata_file dir b/239484612
-shell mirror_data_file dir b/239484612
-shell postinstall_mnt_dir dir b/239484612
-shell rootfs file b/239484612
-shell sscoredump_vendor_data_crashinfo_file dir b/241714944
-shell system_dlkm_file dir b/239484612
 su modem_img_file filesystem b/240653918
-vndservicemanager hal_keymint_citadel binder b/270079857
 system_app proc_pagetypeinfo file b/275645892
 system_server privapp_data_file lnk_file b/276385494
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index e6fce309..00000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/237492091
-dontaudit incidentd debugfs_wakeup_sources:file { read };
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
deleted file mode 100644
index 72e6e6e9..00000000
--- a/tracking_denials/servicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/214122471
-dontaudit servicemanager hal_fingerprint_default:binder { call };

From 1714d4f6f39c3f04142ceca949c2ad83996a74a5 Mon Sep 17 00:00:00 2001
From: DesmondH
Date: Wed, 31 May 2023 01:57:26 +0000
Subject: [PATCH 09/45] Remove obsolete entries

Bug: 227121550
Bug: 275645892
Bug: 276385494
Bug: 278639040
Fix: 282096141
Fix: 229209076
Fix: 205904328
Fix: 208721505
Fix: 205656950
Change-Id: I9b8a178ff7ef17f050183159d8fae286a6666056
---
 tracking_denials/bug_map | 7 -------
 tracking_denials/hal_drm_widevine.te | 2 --
 tracking_denials/hal_thermal_default.te | 7 -------
 tracking_denials/hal_uwb_vendor_default.te | 3 ---
 tracking_denials/surfaceflinger.te | 4 ----
 tracking_denials/vendor_init.te | 2 --
 tracking_denials/vndservicemanager.te | 4 ----
 7 files changed, 29 deletions(-)
 delete mode 100644 tracking_denials/hal_drm_widevine.te
 delete mode 100644 tracking_denials/hal_thermal_default.te
 delete mode 100644 tracking_denials/hal_uwb_vendor_default.te
 delete mode 100644 tracking_denials/surfaceflinger.te
 delete mode 100644 tracking_denials/vendor_init.te
 delete mode 100644 tracking_denials/vndservicemanager.te

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 5b00e311..4397c4cb 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,8 +1 @@
-dex2oat privapp_data_file dir b/276386138
 hal_power_default hal_power_default capability b/237492146
-hal_radioext_default radio_vendor_data_file file b/237093466
-kernel vendor_usb_debugfs dir b/227121550
-su modem_img_file filesystem b/240653918
-system_app proc_pagetypeinfo file b/275645892
-system_server privapp_data_file lnk_file b/276385494
-system_server system_userdir_file dir b/282096141
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
deleted file mode 100644
index cfe7fcf7..00000000
--- a/tracking_denials/hal_drm_widevine.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/229209076
-dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
deleted file mode 100644
index abbd2f97..00000000
--- a/tracking_denials/hal_thermal_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/205904328
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { bind };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { create };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { getattr };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { read };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { setopt };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { write };
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
deleted file mode 100644
index 2e0025fc..00000000
--- a/tracking_denials/hal_uwb_vendor_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/208721505
-dontaudit hal_uwb_vendor_default dumpstate:fd { use };
-dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
deleted file mode 100644
index cd7b63d9..00000000
--- a/tracking_denials/surfaceflinger.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/215042694
-dontaudit surfaceflinger kernel:process { setsched };
-# b/208721808
-dontaudit surfaceflinger hal_graphics_composer_default:dir { search };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
deleted file mode 100644
index ea8ff1e4..00000000
--- a/tracking_denials/vendor_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205656950
-dontaudit vendor_init thermal_link_device:file { create };
diff --git a/tracking_denials/vndservicemanager.te b/tracking_denials/vndservicemanager.te
deleted file mode 100644
index 9931d437..00000000
--- a/tracking_denials/vndservicemanager.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/278639040
-dontaudit vndservicemanager hal_keymint_citadel:binder { call };
-# b/278639040
-dontaudit vndservicemanager hal_keymint_citadel:binder { call };

From 61abd02cd3163c335cdde4d3988db55ef9d56bf4 Mon Sep 17 00:00:00 2001
From: changyan
Date: Fri, 26 May 2023 02:50:41 +0000
Subject: [PATCH 10/45] Updating sepolicy for dump_modem to read /dev/logbuffer_cpif.

This is required as part of bugreport.
Test: Pts SELinuxTest#scanBugreport
Bug: 277300226
Fix: 282626702
Change-Id: I129116ab78ec89da1529e33be1cfd403715889af
---
 whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index c4f5b098..8819cdc3 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -103,6 +103,7 @@
 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_bd u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpif u:object_r:logbuffer_device:s0
 /dev/logbuffer_pcie0 u:object_r:logbuffer_device:s0
 /dev/logbuffer_pcie1 u:object_r:logbuffer_device:s0
 /dev/bbd_pwrstat u:object_r:power_stats_device:s0

From c3c3f7fd0c9abd02dfc00b9c5fed08711e7fa62e Mon Sep 17 00:00:00 2001
From: changyan
Date: Mon, 22 May 2023 06:51:00 +0000
Subject: [PATCH 11/45] Fix avc denied for cat_engine_service_app

Test: SELinuxUncheckedDenialBootTest
Bug: 282626814
Change-Id: I742e2b20bff09812d2a3ae07903b29e8eae45915
---
 whitechapel_pro/cat_engine_service_app.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/whitechapel_pro/cat_engine_service_app.te b/whitechapel_pro/cat_engine_service_app.te
index eacf9621..876b7967 100644
--- a/whitechapel_pro/cat_engine_service_app.te
+++ b/whitechapel_pro/cat_engine_service_app.te
@@ -4,5 +4,6 @@ userdebug_or_eng(`
 app_domain(cat_engine_service_app)
 get_prop(cat_engine_service_app, vendor_rild_prop)
 allow cat_engine_service_app app_api_service:service_manager find;
- allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+ allow cat_engine_service_app system_app_data_file:dir create_dir_perms;
+ allow cat_engine_service_app system_app_data_file:file create_file_perms;
 ')

From a66e949591f1aebc746fd31fbb220b1d9c5c2d30 Mon Sep 17 00:00:00 2001
From: DesmondH
Date: Wed, 14 Jun 2023 16:59:22 +0000
Subject: [PATCH 12/45] Remove fixed or obsolete entries

Bug: 227121550
Bug: 237491813
Change-Id: I6e3ca53d92ae0a1db1565feb7e70d72b57f697e1
---
 tracking_denials/dumpstate.te | 2 --
 tracking_denials/kernel.te | 2 --
 2 files changed, 4 deletions(-)
 delete mode 100644 tracking_denials/kernel.te

diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 0dc30ea7..423d4a4a 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,4 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/237491813
-dontaudit dumpstate app_zygote:process { signal };
 # b/277155245
 dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
deleted file mode 100644
index a2e21639..00000000
--- a/tracking_denials/kernel.te
+++ /dev/null
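Review bot: Replacing `r_dir_perms` with `create_dir_perms` and adding `create_file_perms` turns a read-only grant into create/write/unlink over `system_app_data_file`, which is the private data of every system app rather than the files this service needs, and the commit message says only that a denial was observed, not which path is written. The block sits inside `userdebug_or_eng`, so user builds are unaffected, but the narrower fix is to give the directory this app writes its own type and grant create perms on that type alone. At minimum, add a comment above the two new lines recording the path and reason, e.g. `# Creates <PATH FROM DENIAL> under system app data for <PURPOSE>`, so the breadth is deliberate and reviewable later.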
@@ -1,2 +0,0 @@
-# b/227121550
-dontaudit kernel vendor_votable_debugfs:dir search;

From 3219a0a19faf364327cb7464a91c749c426ce0c6 Mon Sep 17 00:00:00 2001
From: DesmondH
Date: Wed, 28 Jun 2023 05:28:11 +0000
Subject: [PATCH 13/45] Remove obsolete entries

Fix: 274727778
Change-Id: I1334cd68043d6ef8c36a42fb47d888f9b061bfb4
---
 tracking_denials/hal_vibrator_default.te | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 tracking_denials/hal_vibrator_default.te

diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
deleted file mode 100644
index 390bfa3c..00000000
--- a/tracking_denials/hal_vibrator_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/274727778
-dontaudit hal_vibrator_default default_android_service:service_manager { find };

From b29cf7645ac03683bc048c25890c417c7e083384 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Mon, 10 Jul 2023 05:10:03 +0000
Subject: [PATCH 14/45] [Cleanup]: Move gxp sepolicies to gs-common for P22

These policies are moved to gs-common as part of ag/24002524
Bug: 288368306
Change-Id: If7466983009021c642db998e1c30071ee548846e
Signed-off-by: Dinesh Yadav
---
 whitechapel_pro/debug_camera_app.te | 5 +++--
 whitechapel_pro/device.te | 1 -
 whitechapel_pro/file_contexts | 3 ---
 whitechapel_pro/google_camera_app.te | 3 ++-
 whitechapel_pro/gxp_logging.te | 9 ---------
 whitechapel_pro/hal_camera_default.te | 3 ---
 6 files changed, 5 insertions(+), 19 deletions(-)
 delete mode 100644 whitechapel_pro/gxp_logging.te

diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
index 5342fb74..cdd58c9b 100644
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
@@ -11,8 +11,9 @@ userdebug_or_eng(`
 allow debug_camera_app mediametrics_service:service_manager find;
 allow debug_camera_app mediaserver_service:service_manager find;
 
- # Allows camera app to access the GXP device.
+ # Allows camera app to access the GXP device and properties.
 allow debug_camera_app gxp_device:chr_file rw_file_perms;
+ get_prop(debug_camera_app, vendor_gxp_prop)
 
 # Allows camera app to search for GXP firmware file.
 allow debug_camera_app vendor_fw_file:dir search;
@@ -24,4 +25,4 @@ userdebug_or_eng(`
 # Allows GCA-Eng to find and access the EdgeTPU.
 allow debug_camera_app edgetpu_app_service:service_manager find;
 allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-')
\ No newline at end of file
+')
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index b66248a7..93059b7f 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -12,7 +12,6 @@ type lwis_device, dev_type;
 type logbuffer_device, dev_type;
 type rls_device, dev_type;
 type fingerprint_device, dev_type;
-type gxp_device, dev_type, mlstrustedobject;
 type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 8819cdc3..91662c8b 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
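Review bot: Removing `type gxp_device, dev_type, mlstrustedobject;` from device.te while debug_camera_app.te (this commit) and google_camera_app.te (the next hunk) keep `allow ... gxp_device:chr_file rw_file_perms;` and now also reference `vendor_gxp_prop`, which nothing in this series declares, means the policy only builds when gs-common provides both types; the description attributes that to ag/24002524, but nothing here pins the landing order. The file_contexts hunk likewise drops the gxp logging binary and library labels with no replacement in this repo. A one-line comment at the former definition site, `# gxp_device and vendor_gxp_prop are defined in gs-common`, would save the next reader the search, and the two changes should be submitted together.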
@@ -35,7 +35,6 @@
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
-/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
@@ -61,8 +60,6 @@
 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0
 
 # Graphics
 /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index d73cd3db..8cdbaa30 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -9,8 +9,9 @@ allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
 
-# Allows camera app to access the GXP device.
+# Allows camera app to access the GXP device and properties.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
+get_prop(google_camera_app, vendor_gxp_prop)
 
 # Allows camera app to search for GXP firmware file.
 allow google_camera_app vendor_fw_file:dir search;
diff --git a/whitechapel_pro/gxp_logging.te b/whitechapel_pro/gxp_logging.te
deleted file mode 100644
index 107942d1..00000000
--- a/whitechapel_pro/gxp_logging.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type gxp_logging, domain;
-type gxp_logging_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(gxp_logging)
-
-# The logging service accesses /dev/gxp
-allow gxp_logging gxp_device:chr_file rw_file_perms;
-
-# Allow gxp tracing service to send packets to Perfetto
-userdebug_or_eng(`perfetto_producer(gxp_logging)')
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 05909984..c16b2481 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -28,9 +28,6 @@ binder_call(hal_camera_default, edgetpu_vendor_server)
 allow hal_camera_default edgetpu_app_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_app_server)
 
-# Allow the camera hal to access the GXP device.
-allow hal_camera_default gxp_device:chr_file rw_file_perms;
-
 # Allow access to data files used by the camera HAL
 allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default persist_file:dir search;

From e5bfccd0fdba6d01d0482d7412091082620969a0 Mon Sep 17 00:00:00 2001
From: Ken Yang
Date: Thu, 27 Jul 2023 01:42:03 +0000
Subject: [PATCH 15/45] SELinux: fix sysfs_wlc avc denials

Bug: 291541479
Change-Id: I94bed765b89ee538f77398ce432315c907ac1a9a
Signed-off-by: Ken Yang
---
 whitechapel_pro/genfs_contexts | 11 +++++++++++
 whitechapel_pro/hal_wireless_charger.te | 5 +++++
 2 files changed, 16 insertions(+)

diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ffc3dbd6..55684b0d 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -480,3 +480,14 @@ genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:ob # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 + +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 \ No newline at end of file diff --git a/whitechapel_pro/hal_wireless_charger.te b/whitechapel_pro/hal_wireless_charger.te index 04b3e5e2..8d6c0118 100644 --- a/whitechapel_pro/hal_wireless_charger.te +++ b/whitechapel_pro/hal_wireless_charger.te @@ -1,2 +1,7 @@ type hal_wireless_charger, domain; type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type; + +r_dir_file(hal_wireless_charger, sysfs_wlc) + +allow hal_wireless_charger sysfs_wlc:dir search; +allow hal_wireless_charger sysfs_wlc:file rw_file_perms; From 36313e7bc9f1c54be8f15edce8053cb212c5bc02 Mon Sep 17 00:00:00 2001 
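Review bot: The last added genfscon line is followed by `\ No newline at end of file`, so genfs_contexts now ends without a trailing newline and the next append will show a spurious change to this line; terminate the file with a newline. The ten entries enumerate `i2c-0` through `i2c-9` for what appears to be the same `*-003c` device, presumably because genfscon matches path prefixes only and the bus index differs per board; a comment above them, e.g. `# WLC controller at i2c address 0x3c; bus index varies per board, hence the enumeration`, would explain the repetition.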
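Review bot: In hal_wireless_charger.te the added `allow hal_wireless_charger sysfs_wlc:dir search;` is fully redundant with `r_dir_file(hal_wireless_charger, sysfs_wlc)` two lines above it (the macro's `r_dir_perms` already includes `search`), and the macro's `file r_file_perms` grant is subsumed by the following `rw_file_perms` rule; keep one form, for example drop the macro and write `allow hal_wireless_charger sysfs_wlc:dir r_dir_perms;` next to the existing `rw_file_perms` rule. Because the companion genfscon entries label whole device directories, `rw_file_perms` makes every attribute under those nodes writable by the HAL; if only a few attributes are written, naming them in a comment (or labelling them separately) keeps the grant to what the denials tracked in b/291541479 actually need.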
From: Roy Luo
Date: Tue, 11 Jul 2023 23:04:24 +0000
Subject: [PATCH 16/45] Support monitoring USB sysfs attributes in USB HAL Grant access to USB sysfs attributes.
Bug: 285199434
Test: no audit log in logcat after command execution
Change-Id: Ida489f0f8788100795613de900fd06317087d9cc
---
 whitechapel_pro/hal_usb_impl.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te
index 5d2a65e7..4c997733 100644
--- a/whitechapel_pro/hal_usb_impl.te
+++ b/whitechapel_pro/hal_usb_impl.te
@@ -29,3 +29,7 @@ allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
 allow hal_usb_impl device:dir r_dir_perms;
 allow hal_usb_impl usb_device:chr_file rw_file_perms;
 allow hal_usb_impl usb_device:dir r_dir_perms;
+
+# For monitoring usb sysfs attributes
+allow hal_usb_impl sysfs_wakeup:dir search;
+allow hal_usb_impl sysfs_wakeup:file r_file_perms;
From 62014f17268a2ec269892845b297256203647ffc Mon Sep 17 00:00:00 2001
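Review bot: The comment `# For monitoring usb sysfs attributes` is narrower than the grant under it: `sysfs_wakeup` is the platform-wide label for wakeup-source nodes, so `allow hal_usb_impl sysfs_wakeup:file r_file_perms;` lets the USB HAL read every wakeup source's attributes, not only the USB controller's (assuming no device-specific genfscon narrows that type here; none is in this patch). If only the USB wakeup node is polled, a dedicated genfscon label for that path would keep the grant to what is needed; otherwise make the comment say what is really read, e.g. `# Reads all wakeup-source attributes to attribute USB wakeups`.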
From: Inseob Kim Date: Fri, 21 Jul 2023 15:09:58 +0900 Subject: [PATCH 17/45] Move coredomain policies to system_ext/product Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 --- gs201-sepolicy.mk | 1 + private/debug_camera_app.te | 16 ++++++++++++++++ private/google_camera_app.te | 17 +++++++++++++++++ private/seapp_contexts | 11 +++++++++++ public/debug_camera_app.te | 1 + public/google_camera_app.te | 1 + system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 5 +++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel_pro/con_monitor.te | 8 -------- whitechapel_pro/debug_camera_app.te | 16 ---------------- whitechapel_pro/google_camera_app.te | 17 ----------------- whitechapel_pro/hbmsvmanager_app.te | 12 ------------ whitechapel_pro/seapp_contexts | 18 ------------------ 16 files changed, 73 insertions(+), 71 deletions(-) create mode 100644 private/debug_camera_app.te create mode 100644 private/google_camera_app.te create mode 100644 private/seapp_contexts create mode 100644 public/debug_camera_app.te create mode 100644 public/google_camera_app.te create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/private/seapp_contexts create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 664b851f..2c5da1fc 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk 
@@ -4,6 +4,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro # unresolved SELinux error log with bug tracking BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/public PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private # system_ext diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te new file mode 100644 index 00000000..c14637be --- /dev/null +++ b/private/debug_camera_app.te @@ -0,0 +1,16 @@ +typeattribute debug_camera_app coredomain; + +userdebug_or_eng(` + app_domain(debug_camera_app) + net_domain(debug_camera_app) + + allow debug_camera_app app_api_service:service_manager find; + allow debug_camera_app audioserver_service:service_manager find; + allow debug_camera_app cameraserver_service:service_manager find; + allow debug_camera_app mediaextractor_service:service_manager find; + allow debug_camera_app mediametrics_service:service_manager find; + allow debug_camera_app mediaserver_service:service_manager find; + + # Allows camera app to access the PowerHAL. + hal_client_domain(debug_camera_app, hal_power) +') diff --git a/private/google_camera_app.te b/private/google_camera_app.te new file mode 100644 index 00000000..6a9dff32 --- /dev/null +++ b/private/google_camera_app.te 
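Review bot: In private/debug_camera_app.te `typeattribute debug_camera_app coredomain;` sits outside the `userdebug_or_eng` block while `app_domain(debug_camera_app)` and every allow rule sit inside it, and the `seinfo=CameraEng` rows added to private/seapp_contexts in this patch are unconditional; on a user build the domain therefore exists but carries no app_domain rules, so anything those rows match lands in an effectively empty domain. That is presumably intended (nothing signed with the CameraEng key should ship on user builds), but the file does not say so; a comment such as `# Declared on all builds so seapp_contexts resolves; rules are debug-only by design` above the block would record it.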
@@ -0,0 +1,17 @@ +typeattribute google_camera_app coredomain; + +app_domain(google_camera_app) +net_domain(google_camera_app) + +allow google_camera_app app_api_service:service_manager find; +allow google_camera_app audioserver_service:service_manager find; +allow google_camera_app cameraserver_service:service_manager find; +allow google_camera_app mediaextractor_service:service_manager find; +allow google_camera_app mediametrics_service:service_manager find; +allow google_camera_app mediaserver_service:service_manager find; + +# Allows camera app to access the PowerHAL. +hal_client_domain(google_camera_app, hal_power) + +# Library code may try to access vendor properties, but should be denied +dontaudit google_camera_app vendor_default_prop:file { getattr map open }; diff --git a/private/seapp_contexts b/private/seapp_contexts new file mode 100644 index 00000000..bfe5a549 --- /dev/null +++ b/private/seapp_contexts @@ -0,0 +1,11 @@ +# Google Camera +user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all + +# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera +user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all + +# Google Camera Eng +user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all + +# Also label GoogleCameraNext, built with debug keys as debug_camera_app. +user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te new file mode 100644 index 00000000..6f497680 --- /dev/null +++ b/public/debug_camera_app.te @@ -0,0 +1 @@ +type debug_camera_app, domain; 
diff --git a/public/google_camera_app.te b/public/google_camera_app.te new file mode 100644 index 00000000..c93038cc --- /dev/null +++ b/public/google_camera_app.te @@ -0,0 +1 @@ +type google_camera_app, domain; diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te new file mode 100644 index 00000000..c68ec1f8 --- /dev/null +++ b/system_ext/private/con_monitor.te @@ -0,0 +1,7 @@ +typeattribute con_monitor_app coredomain; + +app_domain(con_monitor_app) + +set_prop(con_monitor_app, radio_prop) +allow con_monitor_app app_api_service:service_manager find; +allow con_monitor_app radio_service:service_manager find; diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te new file mode 100644 index 00000000..6f5ff7ac --- /dev/null +++ b/system_ext/private/hbmsvmanager_app.te @@ -0,0 +1,11 @@ +typeattribute hbmsvmanager_app coredomain; + +app_domain(hbmsvmanager_app); + +allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; +allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; + +# Standard system services +allow hbmsvmanager_app app_api_service:service_manager find; + +allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts new file mode 100644 index 00000000..25318ffe --- /dev/null +++ b/system_ext/private/seapp_contexts @@ -0,0 +1,5 @@ +# Domain for connectivity monitor +user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all + +# HbmSVManager +user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te new file mode 100644 index 00000000..6a4d1dac --- /dev/null +++ b/system_ext/public/con_monitor.te @@ -0,0 +1,2 @@ +# ConnectivityMonitor app +type con_monitor_app, domain; 
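Review bot: `app_domain(hbmsvmanager_app);` in the new system_ext/private/hbmsvmanager_app.te carries a trailing semicolon that no other macro call in this patch has (`app_domain(con_monitor_app)`, `app_domain(google_camera_app)`); the macro already expands to complete statements, so the `;` is at best a stray empty statement and should be dropped: `app_domain(hbmsvmanager_app)`. The `proc_vendor_sched` rules moved into this system_ext file only compile if that type is visible outside vendor policy; its declaration is not in this patch, so it is worth confirming, and if it is vendor-private those two rules must stay in whitechapel_pro.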
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te new file mode 100644 index 00000000..4fcf2bdb --- /dev/null +++ b/system_ext/public/hbmsvmanager_app.te @@ -0,0 +1 @@ +type hbmsvmanager_app, domain; diff --git a/whitechapel_pro/con_monitor.te b/whitechapel_pro/con_monitor.te index 8695ccaa..32c2056d 100644 --- a/whitechapel_pro/con_monitor.te +++ b/whitechapel_pro/con_monitor.te @@ -1,10 +1,2 @@ -# ConnectivityMonitor app -type con_monitor_app, domain, coredomain; - -app_domain(con_monitor_app) - -set_prop(con_monitor_app, radio_prop) -allow con_monitor_app app_api_service:service_manager find; -allow con_monitor_app radio_service:service_manager find; allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms; allow con_monitor_app radio_vendor_data_file:file create_file_perms; diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te index cdd58c9b..427a7735 100644 --- a/whitechapel_pro/debug_camera_app.te +++ b/whitechapel_pro/debug_camera_app.te @@ -1,16 +1,4 @@ -type debug_camera_app, domain, coredomain; - userdebug_or_eng(` - app_domain(debug_camera_app) - net_domain(debug_camera_app) - - allow debug_camera_app app_api_service:service_manager find; - allow debug_camera_app audioserver_service:service_manager find; - allow debug_camera_app cameraserver_service:service_manager find; - allow debug_camera_app mediaextractor_service:service_manager find; - allow debug_camera_app mediametrics_service:service_manager find; - allow debug_camera_app mediaserver_service:service_manager find; - # Allows camera app to access the GXP device and properties. allow debug_camera_app gxp_device:chr_file rw_file_perms; get_prop(debug_camera_app, vendor_gxp_prop) 
@@ -18,10 +6,6 @@ userdebug_or_eng(` # Allows camera app to search for GXP firmware file. allow debug_camera_app vendor_fw_file:dir search; - # Allows camera app to access the PowerHAL. - hal_client_domain(debug_camera_app, hal_power) -') -userdebug_or_eng(` # Allows GCA-Eng to find and access the EdgeTPU. allow debug_camera_app edgetpu_app_service:service_manager find; allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te index 8cdbaa30..0ef04cc4 100644 --- a/whitechapel_pro/google_camera_app.te +++ b/whitechapel_pro/google_camera_app.te @@ -1,14 +1,3 @@ -type google_camera_app, domain, coredomain; -app_domain(google_camera_app) -net_domain(google_camera_app) - -allow google_camera_app app_api_service:service_manager find; -allow google_camera_app audioserver_service:service_manager find; -allow google_camera_app cameraserver_service:service_manager find; -allow google_camera_app mediaextractor_service:service_manager find; -allow google_camera_app mediametrics_service:service_manager find; -allow google_camera_app mediaserver_service:service_manager find; - # Allows camera app to access the GXP device and properties. allow google_camera_app gxp_device:chr_file rw_file_perms; get_prop(google_camera_app, vendor_gxp_prop) @@ -16,12 +5,6 @@ get_prop(google_camera_app, vendor_gxp_prop) # Allows camera app to search for GXP firmware file. allow google_camera_app vendor_fw_file:dir search; -# Allows camera app to access the PowerHAL. -hal_client_domain(google_camera_app, hal_power) - # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; - -# Library code may try to access vendor properties, but should be denied -dontaudit google_camera_app vendor_default_prop:file { getattr map open }; 
diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te index b7058090..bbedea8c 100644 --- a/whitechapel_pro/hbmsvmanager_app.te +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -1,14 +1,2 @@ -type hbmsvmanager_app, domain, coredomain; - -app_domain(hbmsvmanager_app); - -allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; -allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; - allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) - -# Standard system services -allow hbmsvmanager_app app_api_service:service_manager find; - -allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 149e2287..8ff78b87 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -27,15 +27,9 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user 
@@ -52,18 +46,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user -# Google Camera -user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all - -# Google Camera Eng -user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all - -# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera -user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all - -# Also label GoogleCameraNext, built with debug keys as debug_camera_app. -user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all - # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all From 1f1f647570cc5e1faa6273c69dfd66d055eebb03 Mon Sep 17 00:00:00 2001 From: Renato Grottesi Date: Thu, 17 Aug 2023 09:00:21 +0000 Subject: [PATCH 18/45] Cleanup unused ArmNN settings. Test: pre-submit Bug: 294463729 Change-Id: If623bee7f1050f814a2a3531bfa5de414fa32104 --- whitechapel_pro/property.te | 3 --- whitechapel_pro/property_contexts | 3 --- whitechapel_pro/vendor_init.te | 3 --- 3 files changed, 9 deletions(-) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index d297abea..723379ba 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -41,6 +41,3 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) - -# ArmNN -vendor_internal_prop(vendor_armnn_config_prop) 
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 08eb601b..b9a563f3 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -105,6 +105,3 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix - -# ArmNN configuration -ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 415d7c8f..c8acdbb5 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -41,6 +41,3 @@ allow vendor_init tee_data_file:lnk_file read; # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) - -# ArmNN -set_prop(vendor_init, vendor_armnn_config_prop) From 7627d8a7f8a05838434020b82c75128546b53d96 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Tue, 5 Sep 2023 16:25:52 +0800 Subject: [PATCH 19/45] Move uwb to system_ext Bug: 290766628 Test: Boot-to-home, no uwb related avc error Change-Id: I00a1c45f05cc52a9ce93234921d0b759a3143f16 --- .../private}/certs/com_qorvo_uwb.x509.pem | 0 system_ext/private/file.te | 2 ++ system_ext/private/keys.conf | 3 +++ system_ext/private/mac_permissions.xml | 27 +++++++++++++++++++ system_ext/private/seapp_contexts | 5 ++++ system_ext/private/uwb_vendor_app.te | 12 +++++++++ system_ext/public/uwb_vendor_app.te | 2 ++ whitechapel_pro/file.te | 1 - whitechapel_pro/keys.conf | 3 --- whitechapel_pro/mac_permissions.xml | 3 --- whitechapel_pro/seapp_contexts | 4 --- whitechapel_pro/uwb_vendor_app.te | 12 +-------- 12 files changed, 52 insertions(+), 22 deletions(-) rename {whitechapel_pro => system_ext/private}/certs/com_qorvo_uwb.x509.pem (100%) create mode 100644 system_ext/private/file.te create mode 100644 system_ext/private/keys.conf create mode 100644 system_ext/private/mac_permissions.xml create mode 100644 system_ext/private/uwb_vendor_app.te create mode 100644 system_ext/public/uwb_vendor_app.te diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem similarity index 100% rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem rename to system_ext/private/certs/com_qorvo_uwb.x509.pem diff --git a/system_ext/private/file.te b/system_ext/private/file.te new file mode 100644 index 00000000..9344be7e --- /dev/null +++ b/system_ext/private/file.te @@ -0,0 +1,2 @@ + +type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf new file mode 100644 index 00000000..c2228db6 --- /dev/null +++ b/system_ext/private/keys.conf @@ -0,0 +1,3 @@ +[@UWB] +ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem + 
diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml new file mode 100644 index 00000000..51af79f6 --- /dev/null +++ b/system_ext/private/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 25318ffe..82f4347c 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts @@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all + +# Qorvo UWB system app +# TODO(b/222204912): Should this run under uwb user? +user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all + diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te new file mode 100644 index 00000000..3ae5ecd3 --- /dev/null +++ b/system_ext/private/uwb_vendor_app.te @@ -0,0 +1,12 @@ +app_domain(uwb_vendor_app) + +not_recovery(` + +allow uwb_vendor_app app_api_service:service_manager find; +allow uwb_vendor_app nfc_service:service_manager find; +allow uwb_vendor_app radio_service:service_manager find; + +allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; +allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; + +') diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te new file mode 100644 index 00000000..6824e4e9 --- /dev/null +++ b/system_ext/public/uwb_vendor_app.te @@ -0,0 +1,2 @@ +type uwb_vendor_app, domain; + diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4a232600..fb4bad8c 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
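Review bot: Unlike the other domains this series moves into system_ext (`typeattribute con_monitor_app coredomain;`, `typeattribute hbmsvmanager_app coredomain;`), the new system_ext/private/uwb_vendor_app.te declares no `typeattribute uwb_vendor_app coredomain;`, while the vendor side keeps `hal_client_domain(uwb_vendor_app, hal_uwb_vendor)`. If the omission is deliberate because the app still binds to the vendor UWB HAL directly, a one-line comment at the top of the file saying so would stop the next reader from "fixing" it; otherwise add the attribute for consistency with its siblings. The blank lines directly inside `not_recovery(` ... `')` are harmless but differ from the other new .te files in the series.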
@@ -10,7 +10,6 @@ type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; type sensor_reg_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; -type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 09999382..8890aff4 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem [@MDS] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem -[@UWB] -ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem - [@EUICCSUPPORTPIXEL] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 7627b9d0..290daa9c 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -27,9 +27,6 @@ - - - diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 8ff78b87..dcaaf664 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
@@ -36,10 +36,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_ # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user -# Qorvo UWB system app -# TODO(b/222204912): Should this run under uwb user? -user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all - # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te index aa4564e6..cc5a9de4 100644 --- a/whitechapel_pro/uwb_vendor_app.te +++ b/whitechapel_pro/uwb_vendor_app.te @@ -1,18 +1,8 @@ -type uwb_vendor_app, domain; - -app_domain(uwb_vendor_app) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb_vendor) - -allow uwb_vendor_app app_api_service:service_manager find; allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; -allow uwb_vendor_app nfc_service:service_manager find; -allow uwb_vendor_app radio_service:service_manager find; - -allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; -allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow hal_uwb_vendor_default self:global_capability_class_set sys_nice; allow hal_uwb_vendor_default kernel:process setsched; From 98620c3b106b705364954588111b70ade8f1fee6 Mon Sep 17 00:00:00 2001 
From: Woody Lin Date: Fri, 1 Sep 2023 10:11:34 +0800 Subject: [PATCH 20/45] Add vendor_sjtag_lock_state_prop and init-check_ap_pd_auth-sh 1. Add init-check_ap_pd_auth-sh for the vendor daemon script `/vendor/bin/init.check_ap_pd_auth.sh`. 2. Add policy for properties `ro.vendor.sjtag_{ap,gsa}_is_unlocked` for init, init-check_ap_pd_auth-sh and ssr_detector to access them. SjtagService: type=1400 audit(0.0:1005): avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 SjtagService: type=1400 audit(0.0:1006): avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 SjtagService: type=1400 audit(0.0:1007): avc: denied { map } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 SjtagService: type=1400 audit(0.0:1008): avc: denied { write } for name="property_service" dev="tmpfs" ino=446 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 SjtagService: type=1400 audit(0.0:1009): avc: denied { connectto } for path="/dev/socket/property_service" scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 Bug: 298314432 Change-Id: Ib5dbcc50e266e33797626280504ea9e2cdc9f942 --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/init-check_ap_pd_auth-sh.te | 14 ++++++++++++++ whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 4 ++++ whitechapel_pro/ssr_detector.te | 2 ++ 5 files changed, 24 insertions(+) create mode 100644 whitechapel_pro/init-check_ap_pd_auth-sh.te 
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 91662c8b..75f8ccc1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -44,6 +44,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 /vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 +/vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/whitechapel_pro/init-check_ap_pd_auth-sh.te b/whitechapel_pro/init-check_ap_pd_auth-sh.te new file mode 100644 index 00000000..bcd855c2 --- /dev/null +++ b/whitechapel_pro/init-check_ap_pd_auth-sh.te @@ -0,0 +1,14 @@ +type init-check_ap_pd_auth-sh, domain; +type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type; + +userdebug_or_eng(` + init_daemon_domain(init-check_ap_pd_auth-sh) + + set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop) + + allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms; + allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms; + + allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms; + allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms; +') diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 723379ba..559511a0 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -41,3 +41,6 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# SJTAG lock state +vendor_internal_prop(vendor_sjtag_lock_state_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index b9a563f3..0ff833e8 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts 
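Review bot: `type init-check_ap_pd_auth-sh, domain;`, its `_exec` type and the file_contexts entry for `/vendor/bin/init\.check_ap_pd_auth\.sh` are unconditional, but `init_daemon_domain(init-check_ap_pd_auth-sh)` and every allow rule are inside `userdebug_or_eng`; on a user build the script is labelled with an exec type that has no domain transition and no permissions, so unless the init service that launches it is guarded the same way (not visible in this patch) it cannot run as intended there. Either guard the declarations and the file_contexts entry consistently, or record the intent above the block with `# Domain exists on all builds for labelling; the service and its rules are userdebug/eng only`.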
@@ -105,3 +105,7 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# SJTAG lock state +ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 +ro.vendor.sjtag_gsa_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te index 2caf6d77..a93d5bdb 100644 --- a/whitechapel_pro/ssr_detector.te +++ b/whitechapel_pro/ssr_detector.te @@ -13,11 +13,13 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) + set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop) allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms; allow ssr_detector_app proc_vendor_sched:dir search; allow ssr_detector_app proc_vendor_sched:file rw_file_perms; allow ssr_detector_app cgroup:file write; + allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 9b94fedda85953541451c28430d877dd12d7beb8 Mon Sep 17 00:00:00 2001 From: Desmond Huang Date: Wed, 13 Sep 2023 01:22:38 +0800 Subject: [PATCH 21/45] Remove obsolete entries Bug: 299029620 Change-Id: I12d75de143c76a338806938755d6e08767314aa6 --- tracking_denials/dumpstate.te | 2 -- tracking_denials/hal_power_default.te | 3 --- 2 files changed, 5 deletions(-) delete mode 100644 tracking_denials/hal_power_default.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 423d4a4a..ffb8518c 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te 
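Review bot: `set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)` makes a system app a second writer of `ro.vendor.sjtag_{ap,gsa}_is_unlocked`, alongside the init script this patch introduces to set them; a property whose name asserts a debug-lock state should have one authoritative writer, with other consumers using `get_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)`. The block is inside `userdebug_or_eng`, so this is debug-only, but the denial log in the description shows both property-file reads and a property_service write, so it is worth confirming whether the app really sets the value or only reads it after the script has. The new `allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;` runs toolbox in the app's own domain; a comment naming the tool it invokes would help. The enclosing `userdebug_or_eng(` block starts before this hunk.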
@@ -1,4 +1,2 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/277155245
-dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index a2ce6fdb..00000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/237492146
-dontaudit hal_power_default hal_power_default:capability { dac_override };
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
From 8cec9e510e556bd55ed0480b2cc36941bddd3fd2 Mon Sep 17 00:00:00 2001
From: Desmond Huang
Date: Thu, 14 Sep 2023 14:18:28 +0800
Subject: [PATCH 22/45] Relocate common tracking denial entries
Bug: 299029620
Change-Id: I1db32cbefb531f48c5a45dcf0f564e89e1b5c4e7
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 4397c4cb..4538e4ed 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1 +1,3 @@
 hal_power_default hal_power_default capability b/237492146
+incidentd debugfs_wakeup_sources file b/282626428
+incidentd incidentd anon_inode b/282626428
From 151844f3ad8554d13bcb83b59385ec14fb607507 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Mon, 16 Oct 2023 12:18:43 +0800
Subject: [PATCH 23/45] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 305601096
Bug: 305600808
Change-Id: I5552e22e252b257156891eab5fcea35faaef9485
---
 tracking_denials/bug_map | 1 +
 tracking_denials/dmd.te | 2 ++
 tracking_denials/servicemanager.te | 2 ++
 3 files changed, 5 insertions(+)
 create mode 100644 tracking_denials/dmd.te
 create mode 100644 tracking_denials/servicemanager.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 4538e4ed..7a4b5596 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,4 @@ +hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 diff --git a/tracking_denials/dmd.te b/tracking_denials/dmd.te new file mode 100644 index 00000000..68719b9b --- /dev/null +++ b/tracking_denials/dmd.te @@ -0,0 +1,2 @@ +#b/303391666 +dontaudit dmd servicemanager:binder { call }; diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te new file mode 100644 index 00000000..a6b549ff --- /dev/null +++ b/tracking_denials/servicemanager.te @@ -0,0 +1,2 @@ +# b/305600595 +dontaudit servicemanager hal_thermal_default:binder call; From b289045b3932c7e4ff93fd0685c2ed0993b52cea Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 17 Oct 2023 04:02:26 +0000 Subject: [PATCH 24/45] Supress kernel avc log before SELinux initialized Fix: 305600863 Bug: 305880925 Change-Id: I795c7cd3b1df318a9164d0e3ec15d2930ecd7e21 --- vendor/kernel.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 vendor/kernel.te diff --git a/vendor/kernel.te b/vendor/kernel.te new file mode 100644 index 00000000..ead4d436 --- /dev/null +++ b/vendor/kernel.te @@ -0,0 +1,3 @@ +dontaudit kernel vendor_usb_debugfs:dir search; +dontaudit kernel vendor_votable_debugfs:dir search; + From 5f50ee6ebb5fea1461778d7432b45501a636727a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 18 Oct 2023 09:11:04 +0000 Subject: [PATCH 25/45] Move kernel avc error to bug_map Bug: 305880925 Test: SELinuxUncheckedDenialBootTest Change-Id: Id153cd26801a6b3f635954515e0e8aead5b22f41 --- tracking_denials/bug_map | 2 ++ vendor/kernel.te | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 vendor/kernel.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7a4b5596..c3f960e3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
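Review bot: The bug references inside the two new tracking files do not match this commit's trailers: `dmd.te` cites `#b/303391666` and `servicemanager.te` cites `# b/305600595`, while the message lists Bug: 305601096 and Bug: 305600808 (the latter is used only in bug_map). If each dontaudit is tracked under one of the trailer bugs the comments should say so; otherwise add the cited bugs to the trailers so the suppressed denials stay traceable. `#b/303391666` also lacks the space after `#` that the other tracking files use. Note that `dontaudit dmd servicemanager:binder { call };` hides the denial rather than resolving it — if dmd genuinely needs servicemanager, the failure persists on user builds, just without a log line.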
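Review bot: The new `vendor/kernel.te` is created in a directory nothing else in this series uses; the device's kernel rules live in `whitechapel_pro/kernel.te` (a later patch in this series appends `dontaudit kernel vendor_votable_debugfs:dir search;` there), so confirm `vendor/` is actually on the policy build's BOARD_SEPOLICY_DIRS path, otherwise these rules are silently ignored. The two dontaudit rules also carry no bug reference, unlike the `# b/NNN` convention used by the tracking files in this series — `# b/305880925` above them would do — and the file ends with an added blank line.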
@@ -2,3 +2,5 @@ hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +kernel vendor_usb_debugfs dir b/305880925 +kernel vendor_votable_debugfs dir b/305880925 diff --git a/vendor/kernel.te b/vendor/kernel.te deleted file mode 100644 index ead4d436..00000000 --- a/vendor/kernel.te +++ /dev/null @@ -1,3 +0,0 @@ -dontaudit kernel vendor_usb_debugfs:dir search; -dontaudit kernel vendor_votable_debugfs:dir search; - From 042122f0dd6192e5f75be227a535311c9da18bc0 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 26 Oct 2023 07:46:20 +0000 Subject: [PATCH 26/45] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 306344298 Test: scanBugreport Bug: 307863753 Change-Id: I8da3045a59949d41992ac4240f63609f9cc49fa3 --- tracking_denials/hal_vibrator_default.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 tracking_denials/hal_vibrator_default.te diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te new file mode 100644 index 00000000..d9199c77 --- /dev/null +++ b/tracking_denials/hal_vibrator_default.te @@ -0,0 +1,3 @@ +# b/306344298 +dontaudit hal_vibrator_default service_manager_type:service_manager find; + From 037d5cccf328e0d78d3e501377dcfd094fad5575 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 26 Oct 2023 13:41:45 +0800 Subject: [PATCH 27/45] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 307863370 Change-Id: I6efdf65cee3cb3c13fbf091659a7afaf01222d55 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index c3f960e3..71b647ea 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
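Review bot: `dontaudit hal_vibrator_default service_manager_type:service_manager find;` is keyed on the attribute `service_manager_type`, i.e. every service type in the policy, so it silences any future failed service lookup by the vibrator HAL and not just the one tracked under b/306344298. A tracking dontaudit should name the specific service type from the denial's `tcontext` so unrelated denials still surface in SELinuxUncheckedDenialBootTest, e.g. `dontaudit hal_vibrator_default <service type from the avc line>:service_manager find;`. The file also ends with an added blank line.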
@@ -2,5 +2,6 @@ hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +kernel vendor_charger_debugfs dir b/307863370 kernel vendor_usb_debugfs dir b/305880925 kernel vendor_votable_debugfs dir b/305880925 From 435e0aafa887e72ad900505696983ae3646c56a8 Mon Sep 17 00:00:00 2001 From: George Lee Date: Tue, 31 Oct 2023 02:55:49 +0000 Subject: [PATCH 28/45] pixelstats: Add Brownout Detection sepolicy Bug: 307392882 Test: Confirm lastmeal data upload Change-Id: I9f7386c6c813c2790dcba1c79ce80531b6819b65 Signed-off-by: George Lee --- whitechapel_pro/pixelstats_vendor.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 6aba16ae..15856a17 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -33,6 +33,9 @@ allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; +allow pixelstats_vendor mitigation_vendor_data_file:dir search; +allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms; +get_prop(pixelstats_vendor, vendor_brownout_reason_prop); # PCIe statistics allow pixelstats_vendor sysfs_exynos_pcie_stats:dir search; From 4f1d96210d0a090d4f2bde23cee1ccfe011478bf Mon Sep 17 00:00:00 2001 
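Review bot: `get_prop(pixelstats_vendor, vendor_brownout_reason_prop);` ends in a semicolon although `get_prop` is an m4 macro whose expansion already terminates its statements; every other `get_prop`/`set_prop` use in this series omits it, and a later patch in the series removes exactly such a trailing `;` from a `binder_call`. Drop it: `get_prop(pixelstats_vendor, vendor_brownout_reason_prop)`. Separately, `allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms;` grants write access; if pixelstats only reads the brownout record for upload, `r_file_perms` is the least-privilege choice, and if it must write (for example to clear the record) a short comment saying so would save the next reviewer the question.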
From: JimiChen Date: Fri, 27 Oct 2023 19:45:33 +0800 Subject: [PATCH 29/45] Update SELinux policies for rlsservice 1. Move rls_service context from vndservice_contexts to service_contexts. 2. Allow binder calls from rlsservice to servicemanager 3. Change rls_service type from vndservice_manager_type to service_manager_type. Bug: 301520085 Test: GCA Change-Id: Ief845b5691487f48d570c531de1ea99945087e42 --- whitechapel_pro/rlsservice.te | 2 ++ whitechapel_pro/service.te | 2 ++ whitechapel_pro/service_contexts | 2 ++ whitechapel_pro/vndservice.te | 1 - whitechapel_pro/vndservice_contexts | 1 - 5 files changed, 6 insertions(+), 2 deletions(-) diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te index e5f1acef..967389a1 100644 --- a/whitechapel_pro/rlsservice.te +++ b/whitechapel_pro/rlsservice.te @@ -16,6 +16,8 @@ allow rlsservice mnt_vendor_file:dir search; allow rlsservice rls_device:chr_file rw_file_perms; binder_call(rlsservice, hal_camera_default) +binder_call(rlsservice, servicemanager) + # Allow access to display backlight information allow rlsservice sysfs_leds:dir search; diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te index 1c49d4f8..2fff6689 100644 --- a/whitechapel_pro/service.te +++ b/whitechapel_pro/service.te @@ -3,3 +3,5 @@ type hal_uwb_vendor_service, service_manager_type, hal_service_type; # WLC type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; + +type rls_service, service_manager_type; diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index a3849bb7..e3ae0e74 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts 
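Review bot: `binder_call(rlsservice, servicemanager)` is not the idiomatic way to let a process reach the framework servicemanager; AOSP's `binder_use(rlsservice)` grants the call/transfer rules and also the extra permissions servicemanager needs to look up the caller's context, which `binder_call` does not. Since this commit moves rlsservice from vndservicemanager to servicemanager, it is presumably exactly the case `binder_use` covers — confirm whether the file already has it or a `vndbinder_use` that should be replaced. On the service.te hunk, `type rls_service, service_manager_type;` differs from its neighbours, which carry `hal_service_type` (and `protected_service` for the wireless charger); check whether the platform neverallows permit a vendor domain to `add` a non-HAL service type, and whether `protected_service` is wanted so the service is not findable by untrusted apps.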
@@ -2,3 +2,5 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_
 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
 
+
+rlsservice u:object_r:rls_service:s0
diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te
index bd59e836..06ef0b2d 100644
--- a/whitechapel_pro/vndservice.te
+++ b/whitechapel_pro/vndservice.te
@@ -1,3 +1,2 @@
-type rls_service, vndservice_manager_type;
 type vendor_surfaceflinger_vndservice, vndservice_manager_type;
 type eco_service, vndservice_manager_type;
diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts
index 16ae43a4..6ddcabfe 100644
--- a/whitechapel_pro/vndservice_contexts
+++ b/whitechapel_pro/vndservice_contexts
@@ -1,3 +1,2 @@
-rlsservice u:object_r:rls_service:s0
 Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
 media.ecoservice u:object_r:eco_service:s0
From ac39f865e182a4a8cc9ce65670d02c1e088d36ee Mon Sep 17 00:00:00 2001
From: Mike Wang Date: Fri, 29 Sep 2023 21:33:53 +0000 Subject: [PATCH 30/45] Add selinux policy change to allow MDS access Samsung OemRil hal. Bug: 301641283 selinux log: 11-03 15:32:38.850 2643 2643 I auditd : type=1400 audit(0.0:1616): avc: denied { call } for comm="binder:2643_3" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.850 2643 2643 I binder:2643_3: type=1400 audit(0.0:1616): avc: denied { call } for scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.854 2643 2643 I auditd : type=1400 audit(0.0:1617): avc: denied { transfer } for comm="binder:2643_3" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.854 2643 2643 I binder:2643_3: type=1400 audit(0.0:1617): avc: denied { transfer } for scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.854 1095 1095 I auditd : type=1400 audit(0.0:1618): avc: denied { call } for comm="HwBinder:1095_1" scontext=u:r:rild:s0 tcontext=u:r:modem_diagnostic_app:s0:c512,c768 tclass=binder permissive=1 11-03 15:32:38.854 1095 1095 I HwBinder:1095_1: type=1400 audit(0.0:1618): avc: denied { call } for scontext=u:r:rild:s0 tcontext=u:r:modem_diagnostic_app:s0:c512,c768 tclass=binder permissive=1 Change-Id: I62986e4bb0a4ed04616f8f3a8521f01934e63d74 --- whitechapel_pro/modem_diagnostic_app.te | 3 +++ whitechapel_pro/rild.te | 2 ++ 2 files changed, 5 insertions(+) diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te index b5cce03a..b21b7929 100644 --- a/whitechapel_pro/modem_diagnostic_app.te +++ b/whitechapel_pro/modem_diagnostic_app.te 
@@ -9,6 +9,9 @@ allow modem_diagnostic_app radio_service:service_manager find; userdebug_or_eng(` hal_client_domain(modem_diagnostic_app, hal_power_stats); + allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find; + binder_call(modem_diagnostic_app, rild) + binder_call(modem_diagnostic_app, dmd) set_prop(modem_diagnostic_app, vendor_cbd_prop) diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 534bea17..356e8727 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -43,4 +43,6 @@ allow rild modem_img_file:lnk_file r_file_perms; # Allow rild to ptrace for memory leak detection userdebug_or_eng(` allow rild self:process ptrace; + +binder_call(rild, modem_diagnostic_app) ') From d50939ab22f2c8db84d230489e960d4337cf4dcf Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 6 Nov 2023 08:01:29 +0000 Subject: [PATCH 31/45] Update SELinux error Test: scanBugreport Bug: 309379465 Bug: 309379994 Test: scanAvcDeniedLogRightAfterReboot Bug: 309379994 Change-Id: I45a01648f4c412b99e3fdcb70008e21c5d99fef3 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 71b647ea..3df2958a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,4 @@ +dumpstate rlsservice binder b/309379465 hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 @@ -5,3 +6,4 @@ incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 kernel vendor_usb_debugfs dir b/305880925 kernel vendor_votable_debugfs dir b/305880925 +kernel vendor_votable_debugfs dir b/309379994 From e22b188d9d7a7aa4f199bf89a95f8cc0663937c9 Mon Sep 17 00:00:00 2001 
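Review bot: `allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find;` and `binder_call(modem_diagnostic_app, rild)` give an app domain (com.google.mds, a privileged app per the seapp_contexts change later in this series) a direct binder path into rild, i.e. the OemRil HAL surface; the `userdebug_or_eng(` wrapper correctly confines this to debug builds, but the new rules carry no comment explaining the grant. Suggest `# Debug builds only: MDS talks to the Samsung OemRil HAL in rild (b/301641283)` above them. The reverse `binder_call(rild, modem_diagnostic_app)` in the rild.te hunk is needed for rild's callbacks into the app (the description's avc lines show `scontext=u:r:rild` denied `call` on the app) and deserves the same bug reference so the pair can be retired together.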
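Review bot: `kernel vendor_votable_debugfs dir b/309379994` duplicates the existing `kernel vendor_votable_debugfs dir b/305880925` entry immediately above it with a different bug id. bug_map entries are keyed by source type, target type and class, so the same denial is now mapped to two bugs; dedupe the bugs and keep a single line for the triple. A later patch in this series removes both lines at once, which confirms they track one denial.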
From: Rick Chen Date: Fri, 3 Nov 2023 20:07:11 +0800 Subject: [PATCH 32/45] sensors: Move USF related sepolicy to gs-common. Bug: 305120274 Test: Compile pass. Flash the build to WHI_PRO devices and no sensor related avc denied log. Change-Id: I48d959d439565e9c31ce83812bf29b6d8025c35b Signed-off-by: Rick Chen --- whitechapel_pro/file.te | 3 -- whitechapel_pro/file_contexts | 3 -- whitechapel_pro/hal_sensors_default.te | 74 +++----------------------- whitechapel_pro/te_macros | 14 ----- 4 files changed, 7 insertions(+), 87 deletions(-) delete mode 100644 whitechapel_pro/te_macros diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index fb4bad8c..b6630138 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -7,8 +7,6 @@ type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; -type sensor_debug_data_file, file_type, data_file_type; -type sensor_reg_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; @@ -59,7 +57,6 @@ allow modem_img_file self:filesystem associate; type persist_battery_file, file_type, vendor_persist_type; type persist_camera_file, file_type, vendor_persist_type; type persist_modem_file, file_type, vendor_persist_type; -type persist_sensor_reg_file, file_type, vendor_persist_type; type persist_ss_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; type persist_display_file, file_type, vendor_persist_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 75f8ccc1..c7203b50 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -204,8 +204,6 @@ /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 -/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0 -/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 /dev/maxfg_history u:object_r:battery_history_device:s0 /dev/battery_history u:object_r:battery_history_device:s0 @@ -215,7 +213,6 @@ /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 -/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index 076ceaf7..620095d0 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te 
@@ -2,15 +2,14 @@
 # USF sensor HAL SELinux type enforcements.
 #
 
-# Allow access to the AoC communication driver.
-allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+# Allow reading of camera persist files.
+r_dir_file(hal_sensors_default, persist_camera_file)
 
-# Allow access to CHRE socket to connect to nanoapps.
-allow hal_sensors_default chre:unix_stream_socket connectto;
-allow hal_sensors_default chre_socket:sock_file write;
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
 
-# Allow create thread to watch AOC's device.
-allow hal_sensors_default device:dir r_dir_perms;
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
 
 # Allow access for dynamic sensor properties.
 get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
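Review bot: The retained `r_dir_file(hal_sensors_default, persist_camera_file)` and the new `allow hal_sensors_default sysfs_write_leds:file rw_file_perms;` keep the leaf permissions, but the second hunk of this file (the one headed `@@ -18,70 +17,11 @@`) removes the directory traversal needed to reach them: `allow hal_sensors_default mnt_vendor_file:dir search;`, `allow hal_sensors_default persist_file:dir search;` and `allow hal_sensors_default sysfs_leds:dir search;`. Unless gs-common now grants those `search` rights to hal_sensors_default — the commit says the USF rules moved there, but these are camera-persist and backlight paths — lookups under /mnt/vendor/persist/camera and the leds sysfs tree will be denied at the directory step. Confirm with a boot-time avc scan on a build that includes the gs-common change, and if the traversal is device-specific keep the three `search` rules here.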
@@ -18,70 +17,11 @@ get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) # Allow access to raw HID devices for dynamic sensors. allow hal_sensors_default hidraw_device:chr_file rw_file_perms; -# Allow SensorSuez to connect AIDL stats. -allow hal_sensors_default fwk_stats_service:service_manager find; - -# Allow reading of sensor registry persist files and camera persist files. -allow hal_sensors_default mnt_vendor_file:dir search; -allow hal_sensors_default persist_file:dir search; -allow hal_sensors_default persist_file:file r_file_perms; -allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms; -allow hal_sensors_default persist_sensor_reg_file:file r_file_perms; -r_dir_file(hal_sensors_default, persist_camera_file) - -# Allow creation and writing of sensor registry data files. -allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms; -allow hal_sensors_default sensor_reg_data_file:file create_file_perms; - -userdebug_or_eng(` - # Allow creation and writing of sensor debug data files. - allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms; - allow hal_sensors_default sensor_debug_data_file:file create_file_perms; -') - -# Allow access to the display info for ALS. -allow hal_sensors_default sysfs_display:file rw_file_perms; - -# Allow access to the sysfs_aoc. -allow hal_sensors_default sysfs_aoc:dir search; -allow hal_sensors_default sysfs_aoc:file r_file_perms; - -# Allow access for AoC properties. -get_prop(hal_sensors_default, vendor_aoc_prop) - -# Allow sensor HAL to read AoC dumpstate. -allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; - -# Allow access to the AoC clock and kernel boot time sys FS node. This is needed -# to synchronize the AP and AoC clock timestamps. -allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms; - -# Allow access to the files of CDT information. 
-allow hal_sensors_default sysfs_chosen:dir search; -allow hal_sensors_default sysfs_chosen:file r_file_perms; - -# Allow access to sensor service for sensor_listener. -binder_call(hal_sensors_default, system_server); - -# Allow sensor HAL to reset AOC. -allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; - -# Allow sensor HAL to read AoC dumpstate. -allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; - # Allow sensor HAL to access the display service HAL allow hal_sensors_default hal_pixel_display_service:service_manager find; -# Allow display_info_service access to the backlight driver. -allow hal_sensors_default sysfs_leds:dir search; -allow hal_sensors_default sysfs_leds:file r_file_perms; - # Allow sensor HAL to access the graphics composer. -binder_call(hal_sensors_default, hal_graphics_composer_default); - -# Allow display_info_service access to the backlight driver. -allow hal_sensors_default sysfs_write_leds:file rw_file_perms; +binder_call(hal_sensors_default, hal_graphics_composer_default) # Allow access to the power supply files for MagCC. -r_dir_file(hal_sensors_default, sysfs_batteryinfo) allow hal_sensors_default sysfs_wlc:dir r_dir_perms; diff --git a/whitechapel_pro/te_macros b/whitechapel_pro/te_macros deleted file mode 100644 index 01ac13c1..00000000 --- a/whitechapel_pro/te_macros +++ /dev/null @@ -1,14 +0,0 @@ -# -# USF SELinux type enforcement macros. -# - -# -# usf_low_latency_transport(domain) -# -# Allows domain use of the USF low latency transport. -# -define(`usf_low_latency_transport', ` - allow $1 hal_graphics_mapper_hwservice:hwservice_manager find; - hal_client_domain($1, hal_graphics_allocator) -') - From 551b83f7c585d62a273dffd4207eb4d74aa695d9 Mon Sep 17 00:00:00 2001 
From: Mike Wang Date: Wed, 8 Nov 2023 05:23:35 +0000 Subject: [PATCH 33/45] Change the MDS to platform app in selinux ap context. The MDS will be signed with platform key and become a platform app. To make the selinux rules for modem_diagnostic_app work, need to set it to platform app in app context. Bug: 287683516 Test: Tested with both dev key or platform key signed MDS apps and the selinux rules works. Change-Id: Ia0dacafc5e096c101e115b7356d8490391cb6bbd --- whitechapel_pro/seapp_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index dcaaf664..eda8c10c 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -32,6 +32,7 @@ user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_ # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user From b204558a731d6a6a79b701dc8d7c017f59e9af93 Mon Sep 17 00:00:00 2001 From: Daniel Norman Date: Fri, 10 Nov 2023 22:44:31 +0000 Subject: [PATCH 34/45] Removes duplicate hidraw_device type definition. This type is now defined by the platform. Bug: 303522222 Change-Id: Ia2f817ce99548c30f39a5164c8f6ec323db66155 Test: ls -z /dev/hidraw0 --- whitechapel_pro/device.te | 4 ---- whitechapel_pro/file_contexts | 3 --- 2 files changed, 7 deletions(-) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 93059b7f..446e2725 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te 
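Review bot: The new `seinfo=platform` line is added while the existing `seinfo=mds` entry for the same package stays, so two signing keys now route com.google.mds into `modem_diagnostic_app`. The description says the app is moving to the platform key, which makes the `seinfo=mds` entry a transition leftover; while it remains, a dev-key-signed build keeps the domain's debug-build rild access, so it should be removed once the platform-signed build is the only one shipped. A `# TODO(b/287683516): drop the seinfo=mds entry once MDS is platform-signed everywhere` above the pair would record that intent.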
@@ -23,7 +23,3 @@ type fips_block_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; type st33spi_device, dev_type; - -# Raw HID device -type hidraw_device, dev_type; - diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c7203b50..55bca671 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -222,6 +222,3 @@ /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 - -# Raw HID device -/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 From 7411947a02ec33a343ab3860f903bf8c1892ccff Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Wed, 15 Nov 2023 16:46:52 +0800 Subject: [PATCH 35/45] dontaudit on dir search for vendor_votable_debugfs Bug: 305880925 Bug: 309379994 Change-Id: I7317bdb4ec80eb73a57cbb924d3132579e0b4f98 Signed-off-by: Kyle Tso --- tracking_denials/bug_map | 2 -- whitechapel_pro/kernel.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3df2958a..a462fcff 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -5,5 +5,3 @@ incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 kernel vendor_usb_debugfs dir b/305880925 -kernel vendor_votable_debugfs dir b/305880925 -kernel vendor_votable_debugfs dir b/309379994 diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index 2cddb45b..0ed0410d 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -11,3 +11,4 @@ allow kernel self:perf_event cpu; dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_maxfg_debugfs:dir { search }; dontaudit kernel vendor_regmap_debugfs:dir search; +dontaudit kernel vendor_votable_debugfs:dir search; 
From 3b40f18e299c2b8f3ee7604fa39568f2651c20bb Mon Sep 17 00:00:00 2001 From: Devika Krishnadas Date: Thu, 16 Nov 2023 01:20:23 +0000 Subject: [PATCH 36/45] Add Pixel Mapper as a sp-HAL Bug: 267352318 Change-Id: I460f379d8d6904f5bda3f67a7158c0ac6f2e7b5f Signed-off-by: Devika Krishnadas --- whitechapel_pro/file_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 55bca671..56a2e5ee 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -49,6 +49,9 @@ # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 +# Gralloc +/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0 + # Vendor libraries /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 From 8f30df1dcf2ef47fb039237845e51714f409e308 Mon Sep 17 00:00:00 2001 From: Alex Iacobucci Date: Fri, 10 Nov 2023 18:23:22 +0000 Subject: [PATCH 37/45] aoc: add sysfs file entry Test: on device Bug: 309950738 Change-Id: Ie5437a02b3a4f69d05ecb274169b4bd328315a22 Signed-off-by: Alex Iacobucci --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 55684b0d..ff6464f4 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
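Review bot: The new mapper entry uses the `/(vendor|system/vendor)/lib(64)?/hw/...` pattern while every other same_process_hal_file entry in this block uses the plain `/vendor/lib(64)?/...` form, which makes grepping for sp-HAL libraries inconsistent. Prefer the file's existing form, `/vendor/lib(64)?/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0`, unless `/system/vendor` is genuinely a path that exists on this device. Because `same_process_hal_file` is loaded into every gralloc client process, it is worth being exact about which file is being trusted.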
@@ -477,6 +477,7 @@ genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:ob genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0 # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 From 2bd12254f48fedb0ea1800a6c4e215931e3e1122 Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Wed, 22 Nov 2023 14:16:38 +0800 Subject: [PATCH 38/45] Move sg_device related policy Bug: 312582937 Test: make selinux_policy Change-Id: I18617643e66d6d2fe5ff19e440dea204206b3035 Signed-off-by: Randall Huang --- whitechapel_pro/device.te | 1 - whitechapel_pro/file_contexts | 1 - whitechapel_pro/tee.te | 1 - 3 files changed, 3 deletions(-) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 446e2725..6ba793fa 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -6,7 +6,6 @@ type persist_block_device, dev_type; type efs_block_device, dev_type; type modem_userdata_block_device, dev_type; type mfg_data_block_device, dev_type; -type sg_device, dev_type; type vendor_toe_device, dev_type; type lwis_device, dev_type; type logbuffer_device, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 56a2e5ee..3f03822c 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -146,7 +146,6 @@ /dev/gxp u:object_r:gxp_device:s0 /dev/dit2 u:object_r:vendor_toe_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 -/dev/sg1 u:object_r:sg_device:s0 /dev/st21nfc u:object_r:nfc_device:s0 /dev/st54spi u:object_r:st54spi_device:s0 /dev/st33spi u:object_r:st33spi_device:s0 
diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index 256fb384..bfff0a91 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te @@ -7,7 +7,6 @@ allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; -allow tee sg_device:chr_file rw_file_perms; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) From a2847d44754c7acbb01424b73c5a98c3e1eabf7f Mon Sep 17 00:00:00 2001 From: Khoa Hong Date: Thu, 30 Nov 2023 14:59:09 +0800 Subject: [PATCH 39/45] Suppress avc error log on debugfs's usb folder. The XHCI driver in kernel will write debugging information to DebugFS on some USB host operations (for example: plugging in a USB headphone). We are not using those information right now. Bug: 305880925 Bug: 311088739 Test: No error when plugging a USB headphone in. Change-Id: I3b53a3924a1fb3f2a37b0d8a1ae9df037cbc1dd2 --- tracking_denials/bug_map | 1 - whitechapel_pro/kernel.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a462fcff..302c2017 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,4 +4,3 @@ hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 -kernel vendor_usb_debugfs dir b/305880925 diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index 0ed0410d..9f5bf882 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -12,3 +12,4 @@ dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_maxfg_debugfs:dir { search }; dontaudit kernel vendor_regmap_debugfs:dir search; dontaudit kernel vendor_votable_debugfs:dir search; +dontaudit kernel vendor_usb_debugfs:dir search; 
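Review bot: `dontaudit kernel vendor_usb_debugfs:dir search;` lands without any in-file rationale, while the commit description explains it well (the XHCI driver writes debug information to debugfs on USB host events and the data is unused). Put that next to the rule so the suppression can be revisited: `# b/311088739: XHCI driver probes debugfs on USB host events; output is unused`. The same applies to the neighbouring `vendor_votable_debugfs` line added earlier in this series and to the dontaudit block as a whole, since dontaudit on the kernel domain hides denials that would otherwise point at driver misbehaviour.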
From e2d97955585ca6dbed6d6622a240c6879d171864 Mon Sep 17 00:00:00 2001 From: Jason Chiu Date: Thu, 9 Nov 2023 21:30:13 +0800 Subject: [PATCH 40/45] gs201: move sepolicy related to bootctrl hal to gs-common Bug: 265063384 Change-Id: I30a71900c2a305b05ae6e17d658df32d95097d14 Signed-off-by: Jason Chiu --- whitechapel_pro/device.te | 2 -- whitechapel_pro/file.te | 1 - whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_bootctl_default.te | 3 --- 4 files changed, 7 deletions(-) delete mode 100644 whitechapel_pro/hal_bootctl_default.te diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 6ba793fa..ae74fea2 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -1,5 +1,3 @@ -type sda_block_device, dev_type; -type devinfo_block_device, dev_type; type modem_block_device, dev_type; type custom_ab_block_device, dev_type; type persist_block_device, dev_type; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index b6630138..378c466c 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -27,7 +27,6 @@ type sysfs_em_profile, sysfs_type, fs_type; # sysfs type sysfs_chosen, sysfs_type, fs_type; -type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; type sysfs_fabric, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 3f03822c..67cfcfb8 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -22,7 +22,6 @@ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 -/vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0 diff --git a/whitechapel_pro/hal_bootctl_default.te b/whitechapel_pro/hal_bootctl_default.te deleted file mode 100644 index 30db79bd..00000000 --- a/whitechapel_pro/hal_bootctl_default.te +++ /dev/null @@ -1,3 +0,0 @@ -allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; -allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; -allow hal_bootctl_default sysfs_ota:file rw_file_perms; From eca39285c5e3ab798f4291248a21ee1eeec02615 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Tue, 14 Nov 2023 13:49:42 +0000 Subject: [PATCH 41/45] Add Secretkeeper HAL Test: VtsAidlAuthGraphSessionTest Bug: 306364873 Change-Id: I84d4098960d6445da1eb7e58e25a015cd591d6b3 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 67cfcfb8..e5defcc1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -20,6 +20,7 @@
 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
From bf2cd60aaad8eb98ebb2cf23edfdf978fe891109 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 6 Dec 2023 10:43:28 +0000
Subject: [PATCH 42/45] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 315104803
Test: scanBugreport
Bug: 315104594
Bug: 315104803
Test: scanAvcDeniedLogRightAfterReboot
Bug: 315104803
Change-Id: Iad6a4ea7a3a58c161359a87a6083a015665d5b14
---
 tracking_denials/bug_map | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 302c2017..efd9764b 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -4,3 +4,6 @@ hal_power_default hal_power_default capability b/237492146
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
 kernel vendor_charger_debugfs dir b/307863370
+surfaceflinger selinuxfs file b/315104594
+vendor_init default_prop file b/315104803
+vendor_init default_prop property_service b/315104803
From c118ee96abdf9c6399fa70954fc53fa55f5fa54b Mon Sep 17 00:00:00 2001
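Review bot: The new entry labels the Secretkeeper binary `hal_secretkeeper_default_exec`, but nothing in this series declares that type or the `hal_secretkeeper_default` domain it transitions into, so the label has to come from the system policy this branch builds against; if that policy predates the Secretkeeper HAL, the file_contexts check fails at build time rather than at runtime, and this line should land together with the matching system sepolicy. The only test named in the commit message is an AuthGraph VTS case, so whether the service actually starts in the intended domain on this device is not evidenced by the patch; a boot-time denial scan would confirm the transition and is worth adding as a `Test:` line.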
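Review bot: The three bug_map lines only keep the denial scanner from failing; the accesses stay denied at runtime, so whatever property `vendor_init` is trying to set that lands in `default_prop` still silently fails on every boot. `default_prop` is normally the fallback label for a property with no entry in property_contexts, so the durable fix is to give that property its own context plus a `set_prop` rule and then drop the bug_map line, and the bug should record the property name so this does not stall. The same applies to the `rild default_prop` and `vendor_init default_prop` lines added by the next patch in the series (43/45). The `surfaceflinger selinuxfs file` entry concerns a core domain that device policy cannot normally grant to, so that one likely needs an upstream change rather than a device rule.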
From: Wilson Sung
Date: Mon, 11 Dec 2023 02:54:55 +0000
Subject: [PATCH 43/45] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 315720727
Test: scanBugreport
Bug: 315721328
Bug: 315104479
Test: scanAvcDeniedLogRightAfterReboot
Bug: 315104479
Bug: 315720727
Change-Id: I936dba39a2d2cfbd6c2924aed7c1e2f8b9e00fb2
---
 tracking_denials/bug_map | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index efd9764b..17977519 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -4,6 +4,9 @@ hal_power_default hal_power_default capability b/237492146
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
 kernel vendor_charger_debugfs dir b/307863370
+rild default_prop file b/315720727
+rild default_prop file b/315721328
 surfaceflinger selinuxfs file b/315104594
+vendor_init default_prop file b/315104479
 vendor_init default_prop file b/315104803
 vendor_init default_prop property_service b/315104803
From a4fa4427bc2f646b47ade202c969df088d3f0ba5 Mon Sep 17 00:00:00 2001
From: Boon Jun Soh
Date: Fri, 8 Dec 2023 18:54:45 +0800
Subject: [PATCH 44/45] Fix rlsservice sepolicy
Allows bugreport generation
Bug: 315255760
Bug: 309379465
Test: abd bugreport & ensure lack of rls avc denied logs
Change-Id: Ic390d6ddd6bac78e5979c78bc6d02262f08b3468
---
 tracking_denials/bug_map | 1 -
 whitechapel_pro/dumpstate.te | 2 +-
 whitechapel_pro/rlsservice.te | 4 ++++
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 17977519..39726296 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,3 @@
-dumpstate rlsservice binder b/309379465
 hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
 incidentd debugfs_wakeup_sources file b/282626428
diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te
index eaab9b2f..da71a845 100644
--- a/whitechapel_pro/dumpstate.te
+++ b/whitechapel_pro/dumpstate.te
@@ -13,4 +13,4 @@ allow dumpstate modem_efs_file:dir r_dir_perms;
 allow dumpstate modem_userdata_file:dir r_dir_perms;
 allow dumpstate modem_img_file:dir r_dir_perms;
 allow dumpstate fuse:dir search;
-
+allow dumpstate rlsservice:binder call;
\ No newline at end of file
diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te
index 967389a1..e531b0d6 100644
--- a/whitechapel_pro/rlsservice.te
+++ b/whitechapel_pro/rlsservice.te
@@ -32,3 +32,7 @@ allow rlsservice apex_info_file:file r_file_perms;
 # Allow read camera property
 get_prop(rlsservice, vendor_camera_prop);
+
+# Allow rlsservice bugreport generation
+allow rlsservice dumpstate:fd use;
+allow rlsservice dumpstate:fifo_file write;
\ No newline at end of file
From 04bc1d210a874f0e90d93bd65048091da8fe9ee0 Mon Sep 17 00:00:00 2001
From: Jenny Ho
Date: Wed, 13 Dec 2023 15:27:23 +0800
Subject: [PATCH 45/45] sepolicy: add read wlc sysfs permission
12-12 18:33:17.960000 1000 906 906 I auditd : type=1400 audit(0.0:10): avc: denied { read } for comm="android.hardwar" name="type" dev="sysfs" ino=75851 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
Bug: 306534100
Change-Id: I3381aaa1e08637c1cc8eb278bd775c81b32ed3bd
Signed-off-by: Jenny Ho
---
 whitechapel_pro/hal_health_default.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index fbbad6bb..805b707d 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
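Review bot: Both touched files are left without a trailing newline (`\ No newline at end of file` on each hunk), and in dumpstate.te this is done by replacing the former blank last line with the new rule, so the next rule appended to either file will show up as a two-line diff; keep the final newline. The new `allow dumpstate rlsservice:binder call;` also carries no comment, while the rlsservice.te half of the same pairing does; suggest `# Allow dumpstate to collect the rlsservice bugreport section` above it so the two sides reference each other. The grant itself appears to be the narrow shape for a dumpstate-driven dump — one-directional `binder call`, and only `fd use` plus `fifo_file write` back to dumpstate — which is the least-privilege form, and it matches the `dumpstate rlsservice binder` bug_map entry the earlier hunk retires.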
@@ -18,3 +18,4 @@ allow hal_health_default sysfs_batteryinfo:file w_file_perms;
 allow hal_health_default sysfs_thermal:dir search;
 allow hal_health_default sysfs_thermal:file w_file_perms;
 allow hal_health_default thermal_link_device:dir search;
+allow hal_health_default sysfs_wlc:file r_file_perms;
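Review bot: The new rule has no comment explaining what `sysfs_wlc` is or which attribute the health HAL reads; the only justification is the raw audit line pasted into the commit message, which names a `type` node. A one-line `# wlc (presumably wireless charging) sysfs attributes such as "type", read-only for the health HAL` above the rule would keep that intent with the policy. Choosing `r_file_perms` rather than the `w_file_perms` the neighbouring thermal rules use is the right width for a read-only sysfs node. The commit message also lacks the `Test:` line every other patch in this series carries; the denial was logged with `permissive=0`, so a post-boot denial scan is the natural evidence to cite.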