From 9088b1a9be05d70ce6363ec4707b7d1610ba9038 Mon Sep 17 00:00:00 2001 From: Sungtak Lee Date: Mon, 29 Jan 2024 20:55:09 +0000 Subject: [PATCH 01/14] Add AIDL media.c2 into service_contexts Bug: 321808716 Change-Id: Ib2426b1997517b23d1301f3a1a30d9029d129971 --- whitechapel_pro/service_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index e3ae0e74..0158b562 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts @@ -4,3 +4,5 @@ hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_ve vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 rlsservice u:object_r:rls_service:s0 + +android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0 From 2747579f1e47e3655db26829e66c01c5f8eb1006 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 13 Mar 2024 09:28:36 +0000 Subject: [PATCH 02/14] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 329380891 Test: scanBugreport Bug: 329381126 Test: scanAvcDeniedLogRightAfterReboot Bug: 329380363 Change-Id: I604c091a24f3f13f7a354c08c210deeaa9ac9cb1 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 264c8ba6..44035952 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -5,9 +5,12 @@ incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/319403445 kernel tmpfs chr_file b/321731318 rfsd vendor_cbd_prop file b/317734397 +shell sysfs_net file b/329380891 surfaceflinger selinuxfs file b/315104594 vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 vendor_init default_prop file b/323086703 vendor_init default_prop file b/323086890 +vendor_init default_prop file b/329380363 +vendor_init default_prop file b/329381126 vendor_init default_prop property_service b/315104803 From 269f1640d8dfe3e898227989223f2576641244c0 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Tue, 19 Mar 2024 07:53:25 +0000 Subject: [PATCH 03/14] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I7ca3804056bbfd8459bac2c029a494767f3ae1a6 Signed-off-by: Spade Lee --- whitechapel_pro/kernel.te | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index d5ed958e..d44eed68 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -8,9 +8,11 @@ allow kernel per_boot_file:file r_file_perms; allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; -dontaudit kernel vendor_battery_debugfs:dir search; -dontaudit kernel vendor_maxfg_debugfs:dir { search }; -dontaudit kernel vendor_regmap_debugfs:dir search; -dontaudit kernel vendor_votable_debugfs:dir search; -dontaudit kernel vendor_usb_debugfs:dir search; -dontaudit kernel vendor_charger_debugfs:dir search; +userdebug_or_eng(` + allow kernel vendor_battery_debugfs:dir search; + allow kernel vendor_regmap_debugfs:dir search; + allow kernel vendor_usb_debugfs:dir search; + allow kernel vendor_votable_debugfs:dir search; + allow kernel vendor_charger_debugfs:dir search; + allow kernel vendor_maxfg_debugfs:dir search; +') From 596f6ab1998c584fc2a223831f6f59202e9ad4c5 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Thu, 21 Mar 2024 00:31:01 +0000 Subject: [PATCH 04/14] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Change-Id: Ia591a091fe470c2c367b80b8f1ef9eea6002462c Signed-off-by: Spade Lee --- whitechapel_pro/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 15856a17..4002807e 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -19,6 +19,7 @@ allow pixelstats_vendor fwk_sensor_service:service_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +allow pixelstats_vendor logbuffer_device:chr_file r_file_perms; # storage smart idle maintenance get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop); From 2b9b7cc6888f0b316fb7aecd0e74d40a0aabf451 Mon Sep 17 00:00:00 2001 From: Hungyen Weng Date: Thu, 21 Mar 2024 17:44:21 +0000 Subject: [PATCH 05/14] Allow modem_svc to access modem files and perfetto Bug: 330730987 Test: Confirmed that modem_svc is able to access token db files in modem partition Test: Confiemed that modem_svc can send traces to perfetto Change-Id: Id50a1fc3b343be9eec834418638c689d8ea56b35 --- whitechapel_pro/modem_svc_sit.te | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te index 040082e8..5a703c9e 100644 --- a/whitechapel_pro/modem_svc_sit.te +++ b/whitechapel_pro/modem_svc_sit.te @@ -20,7 +20,7 @@ allow modem_svc_sit modem_stat_data_file:file create_file_perms; allow modem_svc_sit vendor_fw_file:dir search; allow modem_svc_sit vendor_fw_file:file r_file_perms; -allow modem_svc_sit mnt_vendor_file:dir search; +allow modem_svc_sit mnt_vendor_file:dir r_dir_perms; allow modem_svc_sit modem_userdata_file:dir create_dir_perms; allow modem_svc_sit modem_userdata_file:file create_file_perms; @@ -40,3 +40,12 @@ get_prop(modem_svc_sit, vendor_logger_prop) userdebug_or_eng(` allow modem_svc_sit radio_test_device:chr_file rw_file_perms; ') + +# Write trace data to the Perfetto traced daemon. This requires connecting to +# its producer socket and obtaining a (per-process) tmpfs fd. +perfetto_producer(modem_svc_sit) + +# Allow modem_svc_sit to access modem image file/dir +allow modem_svc_sit modem_img_file:dir r_dir_perms; +allow modem_svc_sit modem_img_file:file r_file_perms; +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file From 60c66448ef3438a40e7ff5a21cf1cff69b1a7ee9 Mon Sep 17 00:00:00 2001 From: kadirpili Date: Fri, 22 Mar 2024 02:46:30 +0000 Subject: [PATCH 06/14] gs201: telephony property for cbd Bug: 315104803 Change-Id: I2560871e9477a5f8dcd9519b6c60353e89c5df82 --- system_ext/private/pixelntnservice_app.te | 5 +++++ system_ext/private/property_contexts | 1 + system_ext/private/seapp_contexts | 2 ++ system_ext/public/pixelntnservice_app.te | 1 + system_ext/public/property.te | 3 ++- whitechapel_pro/cbd.te | 1 + whitechapel_pro/rfsd.te | 1 + whitechapel_pro/vendor_init.te | 2 ++ 8 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 system_ext/private/pixelntnservice_app.te create mode 100644 system_ext/public/pixelntnservice_app.te diff --git a/system_ext/private/pixelntnservice_app.te b/system_ext/private/pixelntnservice_app.te new file mode 100644 index 00000000..8bf71cc9 --- /dev/null +++ b/system_ext/private/pixelntnservice_app.te @@ -0,0 +1,5 @@ +typeattribute pixelntnservice_app coredomain; + +app_domain(pixelntnservice_app); +allow pixelntnservice_app app_api_service:service_manager find; +set_prop(pixelntnservice_app, telephony_modem_prop) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index ffb1793c..4e60110f 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -2,4 +2,5 @@ persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool # Telephony +telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 82f4347c..0a2050e2 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts @@ -8,3 +8,5 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app # TODO(b/222204912): Should this run under uwb user? user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all +# PixelNtnService +user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all diff --git a/system_ext/public/pixelntnservice_app.te b/system_ext/public/pixelntnservice_app.te new file mode 100644 index 00000000..10661b66 --- /dev/null +++ b/system_ext/public/pixelntnservice_app.te @@ -0,0 +1 @@ +type pixelntnservice_app, domain; diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 823acf59..e194720a 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -3,7 +3,8 @@ system_vendor_config_prop(fingerprint_ghbm_prop) # Telephony system_public_prop(telephony_ril_prop) +system_restricted_prop(telephony_modem_prop) userdebug_or_eng(` set_prop(shell, telephony_ril_prop) -') \ No newline at end of file +') diff --git a/whitechapel_pro/cbd.te b/whitechapel_pro/cbd.te index c4cfe7a6..9cb7ee2a 100644 --- a/whitechapel_pro/cbd.te +++ b/whitechapel_pro/cbd.te @@ -5,6 +5,7 @@ init_daemon_domain(cbd) set_prop(cbd, vendor_modem_prop) set_prop(cbd, vendor_cbd_prop) set_prop(cbd, vendor_rild_prop) +get_prop(cbd, telephony_modem_prop) # Allow cbd to set gid/uid from too to radio allow cbd self:capability { setgid setuid }; diff --git a/whitechapel_pro/rfsd.te b/whitechapel_pro/rfsd.te index 2d1f0928..b4508328 100644 --- a/whitechapel_pro/rfsd.te +++ b/whitechapel_pro/rfsd.te @@ -32,6 +32,7 @@ allow rfsd radio_device:chr_file rw_file_perms; # Allow to set rild and modem property set_prop(rfsd, vendor_modem_prop) set_prop(rfsd, vendor_rild_prop) +set_prop(cbd, vendor_cbd_prop) # Allow rfsd to access modem image file/dir allow rfsd modem_img_file:dir r_dir_perms; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index c8acdbb5..7ee3c95b 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -11,6 +11,8 @@ set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, logpersistd_logging_prop) set_prop(vendor_init, vendor_logger_prop) +get_prop(vendor_init, telephony_modem_prop) + allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file w_file_perms; From 17ab68a5ac296847c0c442dc28559a4001d4c2a8 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Tue, 19 Mar 2024 07:53:25 +0000 Subject: [PATCH 07/14] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I7ca3804056bbfd8459bac2c029a494767f3ae1a6 Signed-off-by: Spade Lee --- whitechapel_pro/kernel.te | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index d5ed958e..d44eed68 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -8,9 +8,11 @@ allow kernel per_boot_file:file r_file_perms; allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; -dontaudit kernel vendor_battery_debugfs:dir search; -dontaudit kernel vendor_maxfg_debugfs:dir { search }; -dontaudit kernel vendor_regmap_debugfs:dir search; -dontaudit kernel vendor_votable_debugfs:dir search; -dontaudit kernel vendor_usb_debugfs:dir search; -dontaudit kernel vendor_charger_debugfs:dir search; +userdebug_or_eng(` + allow kernel vendor_battery_debugfs:dir search; + allow kernel vendor_regmap_debugfs:dir search; + allow kernel vendor_usb_debugfs:dir search; + allow kernel vendor_votable_debugfs:dir search; + allow kernel vendor_charger_debugfs:dir search; + allow kernel vendor_maxfg_debugfs:dir search; +') From 66254ad14d1401cb3992b64352efa5c243203bc3 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Thu, 14 Mar 2024 15:22:11 +0800 Subject: [PATCH 08/14] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual Change-Id: I57f9b8b77aa070ad2216cae1e84630a26a03618d --- whitechapel_pro/ramdump_app.te | 24 ------------------------ whitechapel_pro/seapp_contexts | 6 ------ whitechapel_pro/ssr_detector.te | 26 -------------------------- 3 files changed, 56 deletions(-) delete mode 100644 whitechapel_pro/ramdump_app.te delete mode 100644 whitechapel_pro/ssr_detector.te diff --git a/whitechapel_pro/ramdump_app.te b/whitechapel_pro/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 --- a/whitechapel_pro/ramdump_app.te +++ /dev/null @@ -1,24 +0,0 @@ -type ramdump_app, domain; - -userdebug_or_eng(` - app_domain(ramdump_app) - - allow ramdump_app app_api_service:service_manager find; - - allow ramdump_app ramdump_vendor_data_file:file create_file_perms; - allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; - - set_prop(ramdump_app, vendor_ramdump_prop) - get_prop(ramdump_app, system_boot_reason_prop) - - # To access ramdumpfs. - allow ramdump_app mnt_vendor_file:dir search; - allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; - allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; - - # To access subsystem ramdump files and dirs. - allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms; -') diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index eda8c10c..271e8574 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -18,9 +18,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma # Samsung S.LSI engineer mode user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all -# coredump/ramdump -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user @@ -40,9 +37,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type= # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# Sub System Ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user - # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te deleted file mode 100644 index a93d5bdb..00000000 --- a/whitechapel_pro/ssr_detector.te +++ /dev/null @@ -1,26 +0,0 @@ -type ssr_detector_app, domain; - -app_domain(ssr_detector_app) -allow ssr_detector_app app_api_service:service_manager find; -allow ssr_detector_app radio_service:service_manager find; - -allow ssr_detector_app system_app_data_file:dir create_dir_perms; -allow ssr_detector_app system_app_data_file:file create_file_perms; - -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; -userdebug_or_eng(` - allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - get_prop(ssr_detector_app, vendor_aoc_prop) - set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop) - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app proc_vendor_sched:dir search; - allow ssr_detector_app proc_vendor_sched:file rw_file_perms; - allow ssr_detector_app cgroup:file write; - allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans; -') - -get_prop(ssr_detector_app, vendor_ssrdump_prop) -get_prop(ssr_detector_app, vendor_wifi_version) From b826a9bf8e1e6fcebe76deadcb52e8b654d7b5e5 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 23 Apr 2024 06:52:49 +0000 Subject: [PATCH 09/14] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 336451433 Bug: 336451874 Bug: 336451113 Bug: 336451787 Change-Id: I5124448d8e35615da861011235a45ce890297564 --- tracking_denials/bug_map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 44035952..75fe53cf 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,12 +1,16 @@ hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 +hal_sensors_default sysfs file b/336451433 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +insmod-sh insmod-sh key b/336451874 kernel dm_device blk_file b/319403445 +kernel kernel capability b/336451113 kernel tmpfs chr_file b/321731318 rfsd vendor_cbd_prop file b/317734397 shell sysfs_net file b/329380891 surfaceflinger selinuxfs file b/315104594 +vendor_init debugfs_trace_marker file b/336451787 vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 vendor_init default_prop file b/323086703 From 9a131d961bc77a17d2ad308df17f33be72b0313d Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Thu, 21 Mar 2024 00:31:01 +0000 Subject: [PATCH 10/14] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Signed-off-by: Spade Lee (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:596f6ab1998c584fc2a223831f6f59202e9ad4c5) Merged-In: Ia591a091fe470c2c367b80b8f1ef9eea6002462c Change-Id: Ia591a091fe470c2c367b80b8f1ef9eea6002462c --- whitechapel_pro/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 15856a17..4002807e 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -19,6 +19,7 @@ allow pixelstats_vendor fwk_sensor_service:service_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +allow pixelstats_vendor logbuffer_device:chr_file r_file_perms; # storage smart idle maintenance get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop); From ceab5d174064639b1b5ba9778e0d2b166be8cc39 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Thu, 14 Mar 2024 15:22:11 +0800 Subject: [PATCH 11/14] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:66254ad14d1401cb3992b64352efa5c243203bc3) Merged-In: I57f9b8b77aa070ad2216cae1e84630a26a03618d Change-Id: I57f9b8b77aa070ad2216cae1e84630a26a03618d --- whitechapel_pro/ramdump_app.te | 24 ------------------------ whitechapel_pro/seapp_contexts | 6 ------ whitechapel_pro/ssr_detector.te | 26 -------------------------- 3 files changed, 56 deletions(-) delete mode 100644 whitechapel_pro/ramdump_app.te delete mode 100644 whitechapel_pro/ssr_detector.te diff --git a/whitechapel_pro/ramdump_app.te b/whitechapel_pro/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 --- a/whitechapel_pro/ramdump_app.te +++ /dev/null @@ -1,24 +0,0 @@ -type ramdump_app, domain; - -userdebug_or_eng(` - app_domain(ramdump_app) - - allow ramdump_app app_api_service:service_manager find; - - allow ramdump_app ramdump_vendor_data_file:file create_file_perms; - allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; - - set_prop(ramdump_app, vendor_ramdump_prop) - get_prop(ramdump_app, system_boot_reason_prop) - - # To access ramdumpfs. - allow ramdump_app mnt_vendor_file:dir search; - allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; - allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; - - # To access subsystem ramdump files and dirs. - allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms; -') diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index eda8c10c..271e8574 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -18,9 +18,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma # Samsung S.LSI engineer mode user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all -# coredump/ramdump -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user @@ -40,9 +37,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type= # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# Sub System Ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user - # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te deleted file mode 100644 index a93d5bdb..00000000 --- a/whitechapel_pro/ssr_detector.te +++ /dev/null @@ -1,26 +0,0 @@ -type ssr_detector_app, domain; - -app_domain(ssr_detector_app) -allow ssr_detector_app app_api_service:service_manager find; -allow ssr_detector_app radio_service:service_manager find; - -allow ssr_detector_app system_app_data_file:dir create_dir_perms; -allow ssr_detector_app system_app_data_file:file create_file_perms; - -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; -userdebug_or_eng(` - allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - get_prop(ssr_detector_app, vendor_aoc_prop) - set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop) - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app proc_vendor_sched:dir search; - allow ssr_detector_app proc_vendor_sched:file rw_file_perms; - allow ssr_detector_app cgroup:file write; - allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans; -') - -get_prop(ssr_detector_app, vendor_ssrdump_prop) -get_prop(ssr_detector_app, vendor_wifi_version) From 5a1bb0df6eb80c38b929cc1f86af0a1d22be7efb Mon Sep 17 00:00:00 2001 From: chenkris Date: Wed, 20 Mar 2024 10:29:38 +0000 Subject: [PATCH 12/14] Allow fingerprint to access the folder /data/vendor/fingerprint Fix the following avc denial: android.hardwar: type=1400 audit(0.0:20): avc: denied { write } for name="fingerprint" dev="dm-56" ino=36703 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0 Bug: 267766859 Test: Tested fingerprint under enforcing mode Change-Id: I11c465fe89fcbfa7d9132ccee1c7666d1cd75a24 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index f7216f60..4bed0472 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -208,6 +208,7 @@ /dev/maxfg_history u:object_r:battery_history_device:s0 /dev/battery_history u:object_r:battery_history_device:s0 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 +/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0 # Persist /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 From d1fe9f8f80193e8c006fbbec1727b638dadf3be6 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Tue, 14 May 2024 05:14:55 +0000 Subject: [PATCH 13/14] SELinux: fix avc denials Bug: 338332877 Change-Id: I5fb0a73cdc0d276ec14e55906c9bbd9c6875c786 Signed-off-by: Ken Yang --- whitechapel_pro/hal_health_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index 805b707d..8dc2b599 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -19,3 +19,4 @@ allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; allow hal_health_default thermal_link_device:dir search; allow hal_health_default sysfs_wlc:file r_file_perms; +dontaudit hal_health_default sysfs_touch:dir *; From 9d3f39622cb16759c3f555cb6cf32ee323a4ed2c Mon Sep 17 00:00:00 2001 From: Chaitanya Cheemala Date: Tue, 14 May 2024 15:07:58 +0000 Subject: [PATCH 14/14] Revert "SELinux: fix avc denials" This reverts commit d1fe9f8f80193e8c006fbbec1727b638dadf3be6. Reason for revert: Likely culprit for b/340511525 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted. Change-Id: I65790202886298f9862d68d65cf794e67db5a878 --- whitechapel_pro/hal_health_default.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index 8dc2b599..805b707d 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -19,4 +19,3 @@ allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; allow hal_health_default thermal_link_device:dir search; allow hal_health_default sysfs_wlc:file r_file_perms; -dontaudit hal_health_default sysfs_touch:dir *;