Merge 24Q3 to AOSP main

Bug: 357762254
Merged-In: I65790202886298f9862d68d65cf794e67db5a878
Change-Id: I733204cdf91a8f8355c79450373501fb34c47b54

system_ext/private/pixelntnservice_app.te

@@ -0,0 +1,5 @@
+typeattribute pixelntnservice_app coredomain;
+
+app_domain(pixelntnservice_app);
+allow pixelntnservice_app app_api_service:service_manager find;
+set_prop(pixelntnservice_app, telephony_modem_prop)

system_ext/private/property_contexts

@@ -2,4 +2,5 @@
 persist.fingerprint.ghbm    u:object_r:fingerprint_ghbm_prop:s0    exact    bool
 
 # Telephony
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0    exact enum ntn tn
 telephony.ril.silent_reset    u:object_r:telephony_ril_prop:s0    exact    bool

system_ext/private/seapp_contexts

@@ -8,3 +8,5 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
 
+# PixelNtnService
+user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all

system_ext/public/pixelntnservice_app.te

@@ -0,0 +1 @@
+type pixelntnservice_app, domain;

system_ext/public/property.te

@@ -3,7 +3,8 @@ system_vendor_config_prop(fingerprint_ghbm_prop)
 
 # Telephony
 system_public_prop(telephony_ril_prop)
+system_restricted_prop(telephony_modem_prop)
 
 userdebug_or_eng(`
   set_prop(shell, telephony_ril_prop)
-')
+')

tracking_denials/bug_map

@@ -1,13 +1,20 @@
 hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
+hal_sensors_default sysfs file b/336451433
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
+insmod-sh insmod-sh key b/336451874
 kernel dm_device blk_file b/319403445
+kernel kernel capability b/336451113
 kernel tmpfs chr_file b/321731318
 rfsd vendor_cbd_prop file b/317734397
+shell sysfs_net file b/329380891
 surfaceflinger selinuxfs file b/315104594
+vendor_init debugfs_trace_marker file b/336451787
 vendor_init default_prop file b/315104479
 vendor_init default_prop file b/315104803
 vendor_init default_prop file b/323086703
 vendor_init default_prop file b/323086890
+vendor_init default_prop file b/329380363
+vendor_init default_prop file b/329381126
 vendor_init default_prop property_service b/315104803

whitechapel_pro/cbd.te

@@ -5,6 +5,7 @@ init_daemon_domain(cbd)
 set_prop(cbd, vendor_modem_prop)
 set_prop(cbd, vendor_cbd_prop)
 set_prop(cbd, vendor_rild_prop)
+get_prop(cbd, telephony_modem_prop)
 
 # Allow cbd to set gid/uid from too to radio
 allow cbd self:capability { setgid setuid };

whitechapel_pro/file_contexts

@@ -208,6 +208,7 @@
 /dev/maxfg_history                                                          u:object_r:battery_history_device:s0
 /dev/battery_history                                                        u:object_r:battery_history_device:s0
 /data/vendor/powerstats(/.*)?                                               u:object_r:powerstats_vendor_data_file:s0
+/data/vendor/fingerprint(/.*)?                                              u:object_r:fingerprint_vendor_data_file:s0
 
 # Persist
 /mnt/vendor/persist/battery(/.*)?                                           u:object_r:persist_battery_file:s0

whitechapel_pro/kernel.te

@@ -8,9 +8,11 @@ allow kernel per_boot_file:file r_file_perms;
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
 
-dontaudit kernel vendor_battery_debugfs:dir search;
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
-dontaudit kernel vendor_regmap_debugfs:dir search;
-dontaudit kernel vendor_votable_debugfs:dir search;
-dontaudit kernel vendor_usb_debugfs:dir search;
-dontaudit kernel vendor_charger_debugfs:dir search;
+userdebug_or_eng(`
+  allow kernel vendor_battery_debugfs:dir search;
+  allow kernel vendor_regmap_debugfs:dir search;
+  allow kernel vendor_usb_debugfs:dir search;
+  allow kernel vendor_votable_debugfs:dir search;
+  allow kernel vendor_charger_debugfs:dir search;
+  allow kernel vendor_maxfg_debugfs:dir search;
+')

whitechapel_pro/modem_svc_sit.te

@@ -20,7 +20,7 @@ allow modem_svc_sit modem_stat_data_file:file create_file_perms;
 allow modem_svc_sit vendor_fw_file:dir search;
 allow modem_svc_sit vendor_fw_file:file r_file_perms;
 
-allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;
 allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
 allow modem_svc_sit modem_userdata_file:file create_file_perms;
 
@@ -40,3 +40,12 @@ get_prop(modem_svc_sit, vendor_logger_prop)
 userdebug_or_eng(`
   allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(modem_svc_sit)
+
+# Allow modem_svc_sit to access modem image file/dir
+allow modem_svc_sit modem_img_file:dir r_dir_perms;
+allow modem_svc_sit modem_img_file:file r_file_perms;
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;

whitechapel_pro/pixelstats_vendor.te

@@ -19,6 +19,7 @@ allow pixelstats_vendor fwk_sensor_service:service_manager find;
 
 # Batery history
 allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;
 
 # storage smart idle maintenance
 get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);

whitechapel_pro/ramdump_app.te

@@ -1,24 +0,0 @@
-type ramdump_app, domain;
-
-userdebug_or_eng(`
-  app_domain(ramdump_app)
-
-  allow ramdump_app app_api_service:service_manager find;
-
-  allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
-  allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
-
-  set_prop(ramdump_app, vendor_ramdump_prop)
-  get_prop(ramdump_app, system_boot_reason_prop)
-
-  # To access ramdumpfs.
-  allow ramdump_app mnt_vendor_file:dir search;
-  allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
-  allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
-
-  # To access subsystem ramdump files and dirs.
-  allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
-  allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
-  allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
-  allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
-')

whitechapel_pro/rfsd.te

@@ -32,6 +32,7 @@ allow rfsd radio_device:chr_file rw_file_perms;
 # Allow to set rild and modem property
 set_prop(rfsd, vendor_modem_prop)
 set_prop(rfsd, vendor_rild_prop)
+set_prop(cbd, vendor_cbd_prop)
 
 # Allow rfsd to access modem image file/dir
 allow rfsd modem_img_file:dir r_dir_perms;

whitechapel_pro/seapp_contexts

@@ -18,9 +18,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma
 # Samsung S.LSI engineer mode
 user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
 
-# coredump/ramdump
-user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-
 # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
 user=_app isPrivApp=true  seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
 
@@ -40,9 +37,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
 
-# Sub System Ramdump
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
-
 # Domain for CatEngineService
 user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
 

whitechapel_pro/service_contexts

@@ -4,3 +4,5 @@ hardware.qorvo.uwb.IUwbVendor/default                      u:object_r:hal_uwb_ve
 vendor.google.wireless_charger.IWirelessCharger/default                      u:object_r:hal_wireless_charger_service:s0
 
 rlsservice                                                 u:object_r:rls_service:s0
+
+android.hardware.media.c2.IComponentStore/default1         u:object_r:hal_codec2_service:s0

whitechapel_pro/ssr_detector.te

@@ -1,26 +0,0 @@
-type ssr_detector_app, domain;
-
-app_domain(ssr_detector_app)
-allow ssr_detector_app app_api_service:service_manager find;
-allow ssr_detector_app radio_service:service_manager find;
-
-allow ssr_detector_app system_app_data_file:dir create_dir_perms;
-allow ssr_detector_app system_app_data_file:file create_file_perms;
-
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
-userdebug_or_eng(`
-  allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
-  allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
-  get_prop(ssr_detector_app, vendor_aoc_prop)
-  set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)
-  allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
-  allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
-  allow ssr_detector_app proc_vendor_sched:dir search;
-  allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
-  allow ssr_detector_app cgroup:file write;
-  allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;
-')
-
-get_prop(ssr_detector_app, vendor_ssrdump_prop)
-get_prop(ssr_detector_app, vendor_wifi_version)

whitechapel_pro/vendor_init.te

@@ -11,6 +11,8 @@ set_prop(vendor_init, vendor_usb_config_prop)
 set_prop(vendor_init, vendor_rild_prop)
 set_prop(vendor_init, logpersistd_logging_prop)
 set_prop(vendor_init, vendor_logger_prop)
+get_prop(vendor_init, telephony_modem_prop)
+
 
 allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file w_file_perms;