From 5a0bb72bf06c955ca84117d98737ec23ccd626c1 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 11 Apr 2023 11:29:41 +0800
Subject: [PATCH 01/19] Remove obsolete entries
Bug: 268147113
Bug: 237491813
Bug: 239484651
Bug: 268566483
Test: adb bugreport
Change-Id: Iceafe7e413a3ffe5d342a222f76093c7110639e6
---
 tracking_denials/bug_map | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index d05de12f..4ce15ecf 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,12 +1,8 @@
 cat_engine_service_app system_app_data_file dir b/238705599
 dex2oat privapp_data_file dir b/276386138
-dump_pixel_metrics sysfs file b/268147113
-dumpstate app_zygote process b/237491813
-dumpstate system_data_file dir b/239484651
 hal_camera_default boot_status_prop file b/275001783
 hal_camera_default edgetpu_app_service service_manager b/275001783
 hal_contexthub_default fwk_stats_service service_manager b/241714943
-hal_dumpstate_default dump_thermal process b/268566483
 hal_power_default hal_power_default capability b/237492146
 hal_radioext_default radio_vendor_data_file file b/237093466
 incidentd debugfs_wakeup_sources file b/237492091
From ee611cfb51cbf80e137ae1bcd8ef7d39bba64d73 Mon Sep 17 00:00:00 2001
From: martinwu
Date: Mon, 24 Apr 2023 16:22:01 +0000
Subject: [PATCH 02/19] [TSV2] Remove tcpdump sepolicy from gs201 and move sepolicy to gs-common
Bug: 264490014
Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there.
Change-Id: Ic804a3a4739ec5a9604320cb8e0fdae91b8429c1
---
 whitechapel_pro/file.te | 2 --
 whitechapel_pro/file_contexts | 1 -
 2 files changed, 3 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index f474d9c0..4a232600 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -5,7 +5,6 @@ type vendor_rfsd_log_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type vendor_slog_file, file_type, data_file_type;
 type updated_wifi_firmware_data_file, file_type, data_file_type;
-type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_media_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
@@ -17,7 +16,6 @@ type powerstats_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute vendor_gps_file mlstrustedobject;
- typeattribute tcpdump_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
 ')
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 2a6eaa98..c4f5b098 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -202,7 +202,6 @@
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
-/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)? u:object_r:per_boot_file:s0
From 96789e18c75ecb716215be8f5cd7e33e45a9d76f Mon Sep 17 00:00:00 2001
From: Zixuan Lan
Date: Thu, 4 May 2023 14:25:29 -0700
Subject: [PATCH 03/19] remove fixed selinux bug from bug map. TPU permission was fixed to avoid error in hal_camera_defaul.The corresponding bug for tracking should be removed from the bug map. Please see bug for more details.
Bug: 275001783
Test: logcat grep for selinux error
Change-Id: I7a1bf9fd994187f969b68b9fc3504a5411b0807f
---
 tracking_denials/bug_map | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 4ce15ecf..a8cafdb2 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,7 +1,5 @@
 cat_engine_service_app system_app_data_file dir b/238705599
 dex2oat privapp_data_file dir b/276386138
-hal_camera_default boot_status_prop file b/275001783
-hal_camera_default edgetpu_app_service service_manager b/275001783
 hal_contexthub_default fwk_stats_service service_manager b/241714943
 hal_power_default hal_power_default capability b/237492146
 hal_radioext_default radio_vendor_data_file file b/237093466
From c2d912818c9b20f673e74ef38656bbab82ad9a07 Mon Sep 17 00:00:00 2001
From: Luis Delgado de Mendoza Garcia
Date: Mon, 24 Apr 2023 16:42:56 -0700
Subject: [PATCH 04/19] Add chre channel sepolicy entries
Bug: 241960170
Test: in-device verification.
Change-Id: I3151d25c4a1cd7a858b84e0c8989dc160d368ca5
---
 whitechapel_pro/genfs_contexts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 7a9672df..902584c7 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -333,6 +333,8 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:0
 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
From 64111ee561b3c34aed54cf137006eb8aaa81d0aa Mon Sep 17 00:00:00 2001
From: Samuel Gosselin
Date: Wed, 10 May 2023 18:03:56 +0000
Subject: [PATCH 05/19] genfs_contexts: add raw s2mpg12mfd and s2mpg13mfd node. This adds the appropriate raw i2c numberings to the sepolicy for the 6.1 kernel driver which does not use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work.
Test: Boot to Android Home on WHI PRO with 6.1 kernel, no Thermal HAL crashes.
Bug: 276464780
Signed-off-by: Samuel Gosselin
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:83712c5243166cafa3a057d5347515e04947cde8)
Merged-In: I8c2633b33cef8ca2b55029190fe42bd66b17390f
Change-Id: I8c2633b33cef8ca2b55029190fe42bd66b17390f
---
 whitechapel_pro/genfs_contexts | 39 ++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 902584c7..59d579b7 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -73,6 +73,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs 
/devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 
@@ -82,6 +92,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
@@ -93,6 +112,17 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs 
/devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
@@ -103,6 +133,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
From 918335e2a9c1aaad90ec5c70d5e6fbdd787f99bc Mon Sep 17 00:00:00 2001
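Review bot: The raw-path wakeup block added here for acpm_mfd_bus@18110000 stops at i2c-8 (nine `+` lines, matching the `+133,15` header), while the raw iio:device block in the preceding hunk (`@@ -93,6 +112,17 @@`) and the existing hooked wakeup entries both run to i2c-9. If the 6.1 kernel enumerates the s2mpg13 meter on bus 9, its wakeup node would keep the generic sysfs label instead of sysfs_wakeup and whatever consumes it would presumably be denied, surfacing later as a tracking_denials entry rather than as extra access. Adding `genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0` keeps the two blocks parallel. The same omission is in PATCH 06/19, which is a byte-identical cherry-pick of this commit with the same Change-Id and the same index line 902584c7..59d579b7; applied in series order after this one it would presumably fail to apply and should be dropped from the series.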
From: Samuel Gosselin
Date: Wed, 10 May 2023 18:03:56 +0000
Subject: [PATCH 06/19] genfs_contexts: add raw s2mpg12mfd and s2mpg13mfd node. This adds the appropriate raw i2c numberings to the sepolicy for the 6.1 kernel driver which does not use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work.
Test: Boot to Android Home on WHI PRO with 6.1 kernel, no Thermal HAL crashes.
Bug: 276464780
Signed-off-by: Samuel Gosselin
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:83712c5243166cafa3a057d5347515e04947cde8)
Merged-In: I8c2633b33cef8ca2b55029190fe42bd66b17390f
Change-Id: I8c2633b33cef8ca2b55029190fe42bd66b17390f
(cherry picked from commit 64111ee561b3c34aed54cf137006eb8aaa81d0aa)
---
 whitechapel_pro/genfs_contexts | 39 ++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 902584c7..59d579b7 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -73,6 +73,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs 
/devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 
@@ -82,6 +92,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
@@ -93,6 +112,17 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs 
/devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
@@ -103,6 +133,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
From 513fa361c8c7af21d4fc7f279ec413044e646d45 Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Tue, 20 Jun 2023 07:25:10 +0000
Subject: [PATCH 07/19] Create telephony.ril.silent_reset system_ext property for RILD restart RILD listens for changes to this property. If the value changes to 1, RILD will restart itself and set this property back to 0. The TelephonyGoogle app will set this property to 1 when it receives a request from the SCONE app. Since TelephonyGoogle runs in the com.android.phone process, we also need to give the radio domain permission to set the telephony.ril.silent_reset property.
Bug: 286476107
Test: manual
Change-Id: I689e75f4ebf3f44915bd7f795755f297935e7946
---
 system_ext/private/property_contexts | 3 +++
 system_ext/public/property.te | 7 +++++++
 whitechapel_pro/radio.te | 2 ++
 whitechapel_pro/rild.te | 2 ++
 4 files changed, 14 insertions(+)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index 9f462bda..ffb1793c 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -1,2 +1,5 @@
 # Fingerprint (UDFPS) GHBM/LHBM toggle
 persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
+
+# Telephony
+telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
index 8908e485..823acf59 100644
--- a/system_ext/public/property.te
+++ b/system_ext/public/property.te
@@ -1,2 +1,9 @@
 # Fingerprint (UDFPS) GHBM/LHBM toggle
 system_vendor_config_prop(fingerprint_ghbm_prop)
+
+# Telephony
+system_public_prop(telephony_ril_prop)
+
+userdebug_or_eng(`
+ set_prop(shell, telephony_ril_prop)
+')
\ No newline at end of file
diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te
index 47278465..2864bc97 100644
--- a/whitechapel_pro/radio.te
+++ b/whitechapel_pro/radio.te
@@ -1,3 +1,5 @@
+set_prop(radio, telephony_ril_prop)
+
 allow radio proc_vendor_sched:dir r_dir_perms;
 allow radio proc_vendor_sched:file w_file_perms;
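Review bot: The new `system_public_prop(telephony_ril_prop)` block in system_ext/public/property.te has no comment recording who may write the property or what a write triggers, and the file now ends without a trailing newline (the hunk carries `\ No newline at end of file`). Together with `set_prop(radio, telephony_ril_prop)` in radio.te and `set_prop(rild, telephony_ril_prop)` in rild.te, the commit lets any process in the radio domain request a RILD restart, which a reader of property.te should be told; I would add `# telephony.ril.silent_reset: set to 1 by radio (TelephonyGoogle) to request a RILD restart, cleared back to 0 by rild` above the declaration and end the file with a newline. The `userdebug_or_eng` `set_prop(shell, telephony_ril_prop)` grant is reasonable as a debug-build hook but deserves its own one-line comment for the same reason. The identical content is re-landed unchanged in PATCH 11/19.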
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index 484dda08..534bea17 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -6,6 +6,8 @@ get_prop(rild, vendor_carrier_prop)
 get_prop(rild, sota_prop)
 get_prop(rild, system_boot_reason_prop)
+set_prop(rild, telephony_ril_prop)
+
 allow rild proc_net:file rw_file_perms;
 allow rild radio_vendor_data_file:dir create_dir_perms;
 allow rild radio_vendor_data_file:file create_file_perms;
From 4d0eeef36fc29b816ad7aafe8bb10475532c3f64 Mon Sep 17 00:00:00 2001
From: Sebastian Pickl
Date: Tue, 27 Jun 2023 08:46:41 +0000
Subject: [PATCH 08/19] Revert "Create telephony.ril.silent_reset system_ext property fo..." Revert submission 23736941-tpsr-ril-property
Reason for revert: culprit for b/289014054 verified by abtd run: https://android-build.googleplex.com/builds/abtd/run/L54800000961620143
Bug: 289014054
Reverted changes: /q/submissionid:23736941-tpsr-ril-property
Change-Id: I4fa5b2803392e0db03bb622392f3d4afab6a45ea
---
 system_ext/private/property_contexts | 3 ---
 system_ext/public/property.te | 7 -------
 whitechapel_pro/radio.te | 2 --
 whitechapel_pro/rild.te | 2 --
 4 files changed, 14 deletions(-)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index ffb1793c..9f462bda 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -1,5 +1,2 @@
 # Fingerprint (UDFPS) GHBM/LHBM toggle
 persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
-
-# Telephony
-telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
index 823acf59..8908e485 100644
--- a/system_ext/public/property.te
+++ b/system_ext/public/property.te
@@ -1,9 +1,2 @@
 # Fingerprint (UDFPS) GHBM/LHBM toggle
 system_vendor_config_prop(fingerprint_ghbm_prop)
-
-# Telephony
-system_public_prop(telephony_ril_prop)
-
-userdebug_or_eng(`
- set_prop(shell, telephony_ril_prop)
-')
\ No newline at end of file
diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te
index 2864bc97..47278465 100644
--- a/whitechapel_pro/radio.te
+++ b/whitechapel_pro/radio.te
@@ -1,5 +1,3 @@
-set_prop(radio, telephony_ril_prop)
-
 allow radio proc_vendor_sched:dir r_dir_perms;
 allow radio proc_vendor_sched:file w_file_perms;
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index 534bea17..484dda08 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -6,8 +6,6 @@ get_prop(rild, vendor_carrier_prop)
 get_prop(rild, sota_prop)
 get_prop(rild, system_boot_reason_prop)
-set_prop(rild, telephony_ril_prop)
-
 allow rild proc_net:file rw_file_perms;
 allow rild radio_vendor_data_file:dir create_dir_perms;
 allow rild radio_vendor_data_file:file create_file_perms;
From 1a52c8b95207975246ef3b373257d1e61350a42e Mon Sep 17 00:00:00 2001
From: Patty Huang
Date: Wed, 28 Jun 2023 22:22:30 +0800
Subject: [PATCH 09/19] Allow bthal to access vendor bluetooth folder
Bug:289055382
Test: enable vendor debug log and check the vendor snoop log contain the vendor log
Change-Id: I89164330998d7fbea45dab65931c2a3db22a4c92
---
 whitechapel_pro/bluetooth.te | 3 ---
 whitechapel_pro/file.te | 3 +++
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/hal_bluetooth_btlinux.te | 5 +++++
 4 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 whitechapel_pro/hal_bluetooth_btlinux.te
diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te
index 3795e299..aff0e1a4 100644
--- a/whitechapel_pro/bluetooth.te
+++ b/whitechapel_pro/bluetooth.te
@@ -1,5 +1,2 @@
 allow bluetooth proc_vendor_sched:dir r_dir_perms;
 allow bluetooth proc_vendor_sched:file w_file_perms;
-
-allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
-allow hal_bluetooth_btlinux device:dir r_dir_perms;
\ No newline at end of file
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 4a232600..0038103c 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -68,6 +68,9 @@ type persist_display_file, file_type, vendor_persist_type;
 # CHRE
 type chre_socket, file_type;
+# BT
+type vendor_bt_data_file, file_type, data_file_type;
+
 # Storage Health HAL
 type proc_f2fs, proc_type, fs_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index c4f5b098..35f991ba 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -211,6 +211,7 @@
 /dev/maxfg_history u:object_r:battery_history_device:s0
 /dev/battery_history u:object_r:battery_history_device:s0
 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
+/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
 # Persist
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
diff --git a/whitechapel_pro/hal_bluetooth_btlinux.te b/whitechapel_pro/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..dc746294
--- /dev/null
+++ b/whitechapel_pro/hal_bluetooth_btlinux.te
@@ -0,0 +1,5 @@
+allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
+
+allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
From 41ed8e83ea86b2670d4c192fb716140dcdd1029f Mon Sep 17 00:00:00 2001
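Review bot: The new whitechapel_pro/hal_bluetooth_btlinux.te gives hal_bluetooth_btlinux `rw_dir_perms` and `create_file_perms` on the new vendor_bt_data_file label, but nothing in the commit shows what creates /data/vendor/bluetooth or which other domains are expected to read the vendor snoop log written there, and the file has no header comment. A short comment such as `# Vendor BT snoop/debug logs under /data/vendor/bluetooth (vendor_bt_data_file)` above the two vendor_bt_data_file rules, plus a note on which init script creates the directory if that is how it comes to exist, would record the intent. PATCH 10/19 reverts this commit citing failing SELinux tests (b/289989584) without naming the test; a respin should say which check failed so the corrected rules can be reviewed against it.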
From: Sebastian Pickl
Date: Wed, 5 Jul 2023 09:45:56 +0000
Subject: [PATCH 10/19] Revert "Allow bthal to access vendor bluetooth folder" Revert submission 23844270-P22-vendor-log-udc-qpr
Reason for revert: causes selinux tests to fail b/289989584 go/abtd: https://android-build.googleplex.com/builds/abtd/run/L37600000961782595
Bug:289989584
Reverted changes: /q/submissionid:23844270-P22-vendor-log-udc-qpr
Change-Id: I4e9ccf17050702a6405c549340e7fe97eba0eb65
---
 whitechapel_pro/bluetooth.te | 3 +++
 whitechapel_pro/file.te | 3 ---
 whitechapel_pro/file_contexts | 1 -
 whitechapel_pro/hal_bluetooth_btlinux.te | 5 -----
 4 files changed, 3 insertions(+), 9 deletions(-)
 delete mode 100644 whitechapel_pro/hal_bluetooth_btlinux.te
diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te
index aff0e1a4..3795e299 100644
--- a/whitechapel_pro/bluetooth.te
+++ b/whitechapel_pro/bluetooth.te
@@ -1,2 +1,5 @@
 allow bluetooth proc_vendor_sched:dir r_dir_perms;
 allow bluetooth proc_vendor_sched:file w_file_perms;
+
+allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
\ No newline at end of file
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 0038103c..4a232600 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -68,9 +68,6 @@ type persist_display_file, file_type, vendor_persist_type;
 # CHRE
 type chre_socket, file_type;
-# BT
-type vendor_bt_data_file, file_type, data_file_type;
-
 # Storage Health HAL
 type proc_f2fs, proc_type, fs_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 35f991ba..c4f5b098 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -211,7 +211,6 @@
 /dev/maxfg_history u:object_r:battery_history_device:s0
 /dev/battery_history u:object_r:battery_history_device:s0
 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
-/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
 # Persist
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
diff --git a/whitechapel_pro/hal_bluetooth_btlinux.te b/whitechapel_pro/hal_bluetooth_btlinux.te
deleted file mode 100644
index dc746294..00000000
--- a/whitechapel_pro/hal_bluetooth_btlinux.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
-allow hal_bluetooth_btlinux device:dir r_dir_perms;
-
-allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
-allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
From d02a8eef29706ad803726ed635cd3cb4a11dcc1b Mon Sep 17 00:00:00 2001 From: Samuel Huang Date: Wed, 28 Jun 2023 06:16:30 +0000 Subject: [PATCH 11/19] Revert "Revert "Create telephony.ril.silent_reset system_ext pro..." Revert submission 23817868-revert-23736941-tpsr-ril-property-WQVGKEVBKX Reason for revert: The root cause is missing property definition in gs101-sepolicy. This CL can be merged safely. Verified by abtd run: https://android-build.googleplex.com/builds/abtd/run/L48900000961646046 Reverted changes: /q/submissionid:23817868-revert-23736941-tpsr-ril-property-WQVGKEVBKX Bug: 286476107 Change-Id: Ia80e4400ff555a637c42193cab3e3acf72bc36a2 --- system_ext/private/property_contexts | 3 +++ system_ext/public/property.te | 7 +++++++ whitechapel_pro/radio.te | 2 ++ whitechapel_pro/rild.te | 2 ++ 4 files changed, 14 insertions(+)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index 9f462bda..ffb1793c 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -1,2 +1,5 @@
 # Fingerprint (UDFPS) GHBM/LHBM toggle
 persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
+
+# Telephony
+telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
index 8908e485..823acf59 100644
--- a/system_ext/public/property.te
+++ b/system_ext/public/property.te
@@ -1,2 +1,9 @@
 # Fingerprint (UDFPS) GHBM/LHBM toggle
 system_vendor_config_prop(fingerprint_ghbm_prop)
+
+# Telephony
+system_public_prop(telephony_ril_prop)
+
+userdebug_or_eng(`
+ set_prop(shell, telephony_ril_prop)
+')
\ No newline at end of file
diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te
index 47278465..2864bc97 100644
--- a/whitechapel_pro/radio.te
+++ b/whitechapel_pro/radio.te
@@ -1,3 +1,5 @@
+set_prop(radio, telephony_ril_prop)
+
 allow radio proc_vendor_sched:dir r_dir_perms;
 allow radio proc_vendor_sched:file w_file_perms;
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index 484dda08..534bea17 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -6,6 +6,8 @@ get_prop(rild, vendor_carrier_prop)
 get_prop(rild, sota_prop)
 get_prop(rild, system_boot_reason_prop)
+set_prop(rild, telephony_ril_prop)
+
 allow rild proc_net:file rw_file_perms;
 allow rild radio_vendor_data_file:dir create_dir_perms;
 allow rild radio_vendor_data_file:file create_file_perms;
From d45ff39442710d2a679e5132efeaef4c65128891 Mon Sep 17 00:00:00 2001 From: Utku Utkan Date: Tue, 11 Jul 2023 17:49:27 -0700 Subject: [PATCH 12/19] Introduce CameraServices seinfo tag for PixelCameraServices Bug: 287069860 Test: m && flashall && check against 'avc: denied' errors Change-Id: I41b435ae0a34fe9c797b9316887c4b56091a26a5 --- whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ 2 files changed, 6 insertions(+)
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index 54130ea2..bff9addf 100644
--- a/whitechapel_pro/keys.conf
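Review bot: `set_prop(radio, telephony_ril_prop)` in whitechapel_pro/radio.te is a rule for the `radio` coredomain placed in vendor policy, while the property it targets is declared in system_ext/public/property.te by the same change; keeping coredomain rules out of vendor policy is the Treble separation that PATCH 16 later in this series applies to other domains, so this line would fit beside the `shell` grant in system_ext rather than in the vendor file. The vendor-side `set_prop(rild, telephony_ril_prop)` in rild.te is consistent with `system_public_prop`, the macro for properties vendor domains may also write, but property.te says nothing about who sets and who reads `telephony.ril.silent_reset`; a comment such as `# Written by rild (vendor) and radio to request a silent RIL reset; readers: <list>` would record the contract (the purpose is inferred from the property name, so confirm it). property.te also ends without a trailing newline, per `\ No newline at end of file`.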
+++ b/whitechapel_pro/keys.conf
@@ -15,3 +15,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem
 [@CAMERAFISHFOOD]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem
+
+[@CAMERASERVICES]
+ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index b57e61c7..7627b9d0 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -39,4 +39,7 @@
+
+
+
From c420cef154a02c8de5ad05fa09fb6175b2203089 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Wed, 19 Jul 2023 01:15:07 +0000 Subject: [PATCH 13/19] Revert "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24056607-pixel-camera-services-extensions-sepolicy Reason for revert: build breakage on git_main-without-vendor Reverted changes: /q/submissionid:24056607-pixel-camera-services-extensions-sepolicy Change-Id: I9869874507230f59ac3b8cdc2538e4f223216b45 --- whitechapel_pro/keys.conf | 3 --- whitechapel_pro/mac_permissions.xml | 3 --- 2 files changed, 6 deletions(-)
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index bff9addf..54130ea2 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -15,6 +15,3 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem
 [@CAMERAFISHFOOD]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem
-
-[@CAMERASERVICES]
-ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index 7627b9d0..b57e61c7 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -39,7 +39,4 @@
-
-
-
From 34bda7b2b8cd7fa3acf60f5b25aaea1baa568898 Mon Sep 17 00:00:00 2001 From: Utku Utkan Date: Wed, 19 Jul 2023 02:47:43 +0000 Subject: [PATCH 14/19] Revert^2 "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Reason for revert: Relanding the original topic after copying the certificates under `device/google` for `without-vendor` branches Reverted changes: /q/submissionid:24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Bug: 287069860 Test: m && flashall Change-Id: I5326b61822d367beaff0ac97a34708d306c60007 --- ...ogle_android_apps_camera_services.x509.pem | 30 +++++++++++++++++++ whitechapel_pro/keys.conf | 3 ++ whitechapel_pro/mac_permissions.xml | 3 ++ 3 files changed, 36 insertions(+) create mode 100644 whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem
diff --git a/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem b/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem
new file mode 100644
index 00000000..7b8c5b22
--- /dev/null
+++ b/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIVAIHtywgrR7O/EgQ+PeYSfHDaUDt8MA0GCSqGSIb3DQEBCwUAMIGUMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU +MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxMDAuBgNVBAMMJ2NvbV9nb29n +bGVfYW5kcm9pZF9hcHBzX2NhbWVyYV9zZXJ2aWNlczAgFw0yMTA2MzAyMzI2MThaGA8yMDUxMDYz +MDIzMjYxOFowgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N +b3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEwMC4G +A1UEAwwnY29tX2dvb2dsZV9hbmRyb2lkX2FwcHNfY2FtZXJhX3NlcnZpY2VzMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAof2MqYxoQkV05oUZULYlNLDIJKryWjC8ha300YUktBNNVBSP +1y33+ZTBldm7drcBGo54S1JE1lCIP1dMxby0rNTJ8/Zv2bMVMjXX0haF5vULt64itDcR0SqUDfFR +UsHapPVmRmMpDOMOUYUbN7gjU7iYAc9oWBo6BFfckdpwwKfzYY/sgieen1E/MN7Zpzmefct3WDU5 +4Dc8mpoNsen3oqquieYAgv9FOw5gCIgsDaOfYFBgvAE08Pqo3J/zU6dAuqUJztNH8EhgTNbcaNVL +jCmofa+iIAjSpmP69jcgaUyfmH0EE3/m55qouVRJzqARvmEO/M7LEr3n1ZKKhDZdO6TJysMzP9g8 +pONPO8/3hTQ+GP+7fOQooNQJEGNgJuZOHSyNL/8nGCgHBZKgZdZPKk8HV2M578UDf8yNyV5AYpx0 +VK1JdoBtNMzp0cv7Q6TTugIuDEzT3jmgGGp6WmXE6B9dJOq+cnVC7cSYva8wctFS3RpoqT79vkW3 +A7g2b26bM5GMQ8KcGC4qm4pJkrX5kKZWZGWXjm0F8gRJQ5D0S/AcUw3B+sG/AmfQzLm8SCK36HhO +sFnPsQJ/VdL7kg9HHWrQYVexNaQnD/QLOCenk09COUzSwexws+kQhUH45OSbQFjOJwPbS4YAn9qV +eV+DPlvemZEFYF5+MVlDwOGQ3JsCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtjMO +nlaC4nsk4PwT+fcIYpg52JQwHwYDVR0jBBgwFoAUtjMOnlaC4nsk4PwT+fcIYpg52JQwDQYJKoZI +hvcNAQELBQADggIBABhYDqPD2yWiXNCVtHk6h7Kb2H2U3rc8G7Or1/mwrXSCEgqHnCkpiWeb1h/5 +YNS9fRrexQD+O0hukCpjvIFccQvk8EkZdWpn4kDlrUqfakWpASzlwEqRviS31Hiybn/+QUpYuDTm +FYorrHzDzPiNttzxVK0ENt4T4ETDWVqiGB7tbTlLPr6tz/oxDjRH8y4iS/For7SkfdI512txJgDr +njvRVY9WJykySs+AAqwS1PIMXGoI03UmLJUsFNUjHehaqguPS1uiewlKiQq07blWbnQXdcyH7QTI +hOUPY2rRBh8ciXu4L0Uk4To7+DP/8nHSGC7qXPvP6W3gqW1hj0d6GviMEfJ9fBSUEzaCRF3aL/5e +JOGQQKxh7Jsl/zZs4+MYg0Q2cyg/BQVNNOhESG4et4OV5go9W+1oAy20FV0NgtdPoeb9ABNoi4T3 +IrKLgxOsbACpoDt3zPhncqiJhX3feFtyVV4oRiylydiiYO927qNdfMGmcnGFSG4814kUxSdpkoCA 
+V7WCQD42zfBYj4pkdZwiJW4yZSaPWN/Eodi3PBsV+10Y1O1WOvebJuTGmcvWWMCPGtFQJDijUy4H
+r8rDe3ZmRGQ+vEGPJZC8nx9+qxLQ314ZCzdS0R1HwRRuOji3fCSCnaPQuCFe3YlzhB2j6fRGNf7F
+DB17LhMLl0GxX9j1
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index 54130ea2..09999382 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -15,3 +15,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem
 [@CAMERAFISHFOOD]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem
+
+[@CAMERASERVICES]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index b57e61c7..7627b9d0 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -39,4 +39,7 @@
+
+
+
From 3054cb6eecdab0a574b1fb5a896626368519f292 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Tue, 25 Jul 2023 13:12:32 +0000 Subject: [PATCH 15/19] SELinux: fix the wakeup avc denials Fix the wakeup avc denials in a more common place Bug: 292076108 Change-Id: I52627f19cb0fec3dd0851d21d0608048ebc7d45d Signed-off-by: Ken Yang --- whitechapel_pro/genfs_contexts | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 57f0237c..c57ea3ea 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
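Review bot: The `ALL :` entry in keys.conf maps this certificate to the CAMERASERVICES seinfo on every build variant, user builds included, and the first landing of the same hunk in PATCH 12 sourced the file from a `vendor/google/dev-keystore` path; if this is a development signing key rather than the release key, any APK signed with it would receive the CameraServices seinfo on production builds. It is worth confirming in a comment above the section which key this is, e.g. `# release signing cert for com.google.android.apps.camera.services (not a dev key)`, or scoping the mapping with the variant-specific `ENG`/`USERDEBUG` tags keys.conf supports instead of `ALL`. The mac_permissions.xml hunk that consumes the tag is stripped of its XML in this rendering, so the seinfo mapping itself cannot be checked here.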
@@ -307,6 +307,13 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
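Review bot: The seven new `i2c-9` entries repeat, verbatim except for the bus number, the block already present for `i2c-8`, and the second hunk does the same for the `10da0000.hsi2c` p9412 pair, yet nothing in the file says why every bus number from 2 to 9 needs its own copy. Presumably the I2C adapter number is assigned at probe time and differs between kernels or boards, and `genfscon` has no wildcards, so a comment above the first `10d60000.hsi2c` block such as `# hsi2c adapter numbers are assigned dynamically; keep one full set of wakeup entries per possible bus number` would tell the next person fixing a `sysfs_wakeup` denial to add a complete set rather than a single path. The commit message's "more common place" does not explain this either.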
@@ -321,6 +328,8 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wir
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
From da30985fa54b3441422952a7466626237a37644b Mon Sep 17 00:00:00 2001
From: Inseob Kim Date: Fri, 21 Jul 2023 15:09:58 +0900 Subject: [PATCH 16/19] Move coredomain policies to system_ext/product Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 Merged-In: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 --- gs201-sepolicy.mk | 1 + private/debug_camera_app.te | 16 ++++++++++++++++ private/google_camera_app.te | 14 ++++++++++++++ private/seapp_contexts | 11 +++++++++++ public/debug_camera_app.te | 1 + public/google_camera_app.te | 1 + system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 5 +++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel_pro/con_monitor.te | 8 -------- whitechapel_pro/debug_camera_app.te | 15 --------------- whitechapel_pro/google_camera_app.te | 14 -------------- whitechapel_pro/hbmsvmanager_app.te | 12 ------------ whitechapel_pro/seapp_contexts | 18 ------------------ 16 files changed, 70 insertions(+), 67 deletions(-) create mode 100644 private/debug_camera_app.te create mode 100644 private/google_camera_app.te create mode 100644 private/seapp_contexts create mode 100644 public/debug_camera_app.te create mode 100644 public/google_camera_app.te create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/private/seapp_contexts create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te
diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
index 664b851f..2c5da1fc 100644
--- a/gs201-sepolicy.mk
+++ b/gs201-sepolicy.mk
@@ -4,6 +4,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/public
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private
 # system_ext
diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te
new file mode 100644
index 00000000..c14637be
--- /dev/null
+++ b/private/debug_camera_app.te
@@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows camera app to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/private/google_camera_app.te b/private/google_camera_app.te
new file mode 100644
index 00000000..dc7ee288
--- /dev/null
+++ b/private/google_camera_app.te
@@ -0,0 +1,14 @@
+typeattribute google_camera_app coredomain;
+
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows camera app to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
diff --git a/private/seapp_contexts b/private/seapp_contexts
new file mode 100644
index 00000000..bfe5a549
--- /dev/null
+++ b/private/seapp_contexts
@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te
new file mode 100644
index 00000000..6f497680
--- /dev/null
+++ b/public/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, domain;
diff --git a/public/google_camera_app.te b/public/google_camera_app.te
new file mode 100644
index 00000000..c93038cc
--- /dev/null
+++ b/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain;
diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te
new file mode 100644
index 00000000..c68ec1f8
--- /dev/null
+++ b/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 00000000..6f5ff7ac
--- /dev/null
+++ b/system_ext/private/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
new file mode 100644
index 00000000..25318ffe
--- /dev/null
+++ b/system_ext/private/seapp_contexts
@@ -0,0 +1,5 @@
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel_pro/con_monitor.te b/whitechapel_pro/con_monitor.te
index 8695ccaa..32c2056d 100644
--- a/whitechapel_pro/con_monitor.te
+++ b/whitechapel_pro/con_monitor.te
@@ -1,10 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
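Review bot: `app_domain(hbmsvmanager_app);` in the new system_ext/private/hbmsvmanager_app.te carries a trailing semicolon after the m4 macro call, which the sibling files added by this commit (`app_domain(con_monitor_app)`, `app_domain(google_camera_app)`) do not; the stray `;` is inherited from the vendor file being removed, and the move is a good moment to drop it: `app_domain(hbmsvmanager_app)`. The `# Standard system services` comment covers only the `app_api_service` rule, leaving the `cameraserver_service` grant below it unexplained; moving the comment to cover both, or adding a one-line reason such as `# HbmSVManager talks to cameraserver for <purpose — fill in>`, would make the grants self-explanatory.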
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
index 5342fb74..add4b9e7 100644
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
@@ -1,24 +1,9 @@
-type debug_camera_app, domain, coredomain;
-
 userdebug_or_eng(`
- app_domain(debug_camera_app)
- net_domain(debug_camera_app)
-
- allow debug_camera_app app_api_service:service_manager find;
- allow debug_camera_app audioserver_service:service_manager find;
- allow debug_camera_app cameraserver_service:service_manager find;
- allow debug_camera_app mediaextractor_service:service_manager find;
- allow debug_camera_app mediametrics_service:service_manager find;
- allow debug_camera_app mediaserver_service:service_manager find;
-
 # Allows camera app to access the GXP device.
 allow debug_camera_app gxp_device:chr_file rw_file_perms;
 # Allows camera app to search for GXP firmware file.
 allow debug_camera_app vendor_fw_file:dir search;
-
- # Allows camera app to access the PowerHAL.
- hal_client_domain(debug_camera_app, hal_power)
 ')
 userdebug_or_eng(`
 # Allows GCA-Eng to find and access the EdgeTPU.
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index d73cd3db..572d1d61 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -1,23 +1,9 @@
-type google_camera_app, domain, coredomain;
-app_domain(google_camera_app)
-net_domain(google_camera_app)
-
-allow google_camera_app app_api_service:service_manager find;
-allow google_camera_app audioserver_service:service_manager find;
-allow google_camera_app cameraserver_service:service_manager find;
-allow google_camera_app mediaextractor_service:service_manager find;
-allow google_camera_app mediametrics_service:service_manager find;
-allow google_camera_app mediaserver_service:service_manager find;
-
 # Allows camera app to access the GXP device.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
 # Allows camera app to search for GXP firmware file.
 allow google_camera_app vendor_fw_file:dir search;
-# Allows camera app to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te
index b7058090..bbedea8c 100644
--- a/whitechapel_pro/hbmsvmanager_app.te
+++ b/whitechapel_pro/hbmsvmanager_app.te
@@ -1,14 +1,2 @@
-type hbmsvmanager_app, domain, coredomain;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 149e2287..8ff78b87 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -27,15 +27,9 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag
 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
@@ -52,18 +46,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom
 # Sub System Ramdump
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
-# Google Camera Eng
-user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
-
-# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
-user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
-
-# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
-user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
-
 # Domain for CatEngineService
 user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
From 5e75eaa1a5c084207b561ef982623320c851e14d Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 5 Sep 2023 16:25:52 +0800 Subject: [PATCH 17/19] Move uwb to system_ext Bug: 290766628 Test: Boot-to-home, no uwb related avc error Change-Id: I00a1c45f05cc52a9ce93234921d0b759a3143f16 --- .../private}/certs/com_qorvo_uwb.x509.pem | 0 system_ext/private/file.te | 2 ++ system_ext/private/keys.conf | 3 +++ system_ext/private/mac_permissions.xml | 27 +++++++++++++++++++ system_ext/private/seapp_contexts | 5 ++++ system_ext/private/uwb_vendor_app.te | 12 +++++++++ system_ext/public/uwb_vendor_app.te | 2 ++ whitechapel_pro/file.te | 1 - whitechapel_pro/keys.conf | 3 --- whitechapel_pro/mac_permissions.xml | 3 --- whitechapel_pro/seapp_contexts | 4 --- whitechapel_pro/uwb_vendor_app.te | 12 +-------- 12 files changed, 52 insertions(+), 22 deletions(-) rename {whitechapel_pro => system_ext/private}/certs/com_qorvo_uwb.x509.pem (100%) create mode 100644 system_ext/private/file.te create mode 100644 system_ext/private/keys.conf create mode 100644 system_ext/private/mac_permissions.xml create mode 100644 system_ext/private/uwb_vendor_app.te create mode 100644 system_ext/public/uwb_vendor_app.te
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem
rename to system_ext/private/certs/com_qorvo_uwb.x509.pem
diff --git a/system_ext/private/file.te b/system_ext/private/file.te
new file mode 100644
index 00000000..9344be7e
--- /dev/null
+++ b/system_ext/private/file.te
@@ -0,0 +1,2 @@
+
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf
new file mode 100644
index 00000000..c2228db6
--- /dev/null
+++ b/system_ext/private/keys.conf
@@ -0,0 +1,3 @@
+[@UWB]
+ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
+
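Review bot: The new system_ext/private/file.te begins with an empty first line (the first `+` in `@@ -0,0 +1,2 @@` is blank) and system_ext/private/keys.conf ends with one; both are harmless to the build but look like leftovers of the move, and the other files created by this commit do not have them. Dropping the leading blank in file.te and the trailing blank in keys.conf keeps the new system_ext files consistent with the rest of the tree. A one-line comment above the type, e.g. `# app data dir for the Qorvo UWB vendor service (see system_ext/private/seapp_contexts)`, would also say why a data type is declared in system_ext rather than next to the other data types in whitechapel_pro/file.te.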
diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml
new file mode 100644
index 00000000..51af79f6
--- /dev/null
+++ b/system_ext/private/mac_permissions.xml
@@ -0,0 +1,27 @@
+
+
+
+
+
+
+
+
+
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 25318ffe..82f4347c 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te
new file mode 100644
index 00000000..3ae5ecd3
--- /dev/null
+++ b/system_ext/private/uwb_vendor_app.te
@@ -0,0 +1,12 @@
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+')
diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te
new file mode 100644
index 00000000..6824e4e9
--- /dev/null
+++ b/system_ext/public/uwb_vendor_app.te
@@ -0,0 +1,2 @@
+type uwb_vendor_app, domain;
+
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 4a232600..fb4bad8c 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
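Review bot: The new system_ext/private/uwb_vendor_app.te does not give `uwb_vendor_app` the `coredomain` attribute, whereas every domain moved to system_ext by the previous commit (`con_monitor_app`, `hbmsvmanager_app`, the camera domains) opens with `typeattribute <domain> coredomain;`. If the omission is deliberate because this is a Qorvo-signed package rather than a platform app, a comment above `app_domain(uwb_vendor_app)` saying so would stop the next reader from "fixing" it; if not, `typeattribute uwb_vendor_app coredomain;` belongs at the top to match the siblings. The `not_recovery(` block also opens and closes with blank lines inside the parentheses, which the siblings do not do.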
@@ -10,7 +10,6 @@ type vendor_misc_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
 type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
-type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index 54130ea2..2a7a6d56 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
 [@MDS]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
-[@UWB]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
-
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index b57e61c7..e9031e5f 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -27,9 +27,6 @@
-
-
-
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 8ff78b87..dcaaf664 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -36,10 +36,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
-# Qorvo UWB system app
-# TODO(b/222204912): Should this run under uwb user?
-user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
index aa4564e6..cc5a9de4 100644
--- a/whitechapel_pro/uwb_vendor_app.te
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -1,18 +1,8 @@
-type uwb_vendor_app, domain;
-
-app_domain(uwb_vendor_app)
 not_recovery(`
-hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
-
-allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
-allow uwb_vendor_app nfc_service:service_manager find;
-allow uwb_vendor_app radio_service:service_manager find;
-
-allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
-allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
 allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
 allow hal_uwb_vendor_default kernel:process setsched;
From e39998954f1318a78d20ae0a2aa90cc355165efe Mon Sep 17 00:00:00 2001
From: Leo Liou
Date: Thu, 14 Sep 2023 13:45:26 +0800
Subject: [PATCH 18/19] gs201: ufs_firmware_update: add scsi directory permission
Bug: 273305600
Test: run ufs ffu flow
Change-Id: I36715c1b3500da64863db4cbec08c037df74d3e6
Signed-off-by: Leo Liou
---
 whitechapel_pro/ufs_firmware_update.te | 1 +
 1 file changed, 1 insertion(+)
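Review bot: With `type uwb_vendor_app, domain;` and `app_domain(uwb_vendor_app)` moved to system_ext, whitechapel_pro/uwb_vendor_app.te now holds only the HAL client rules, but nothing in the file says so; a header comment above the `not_recovery` opening line would spare the next reader a search, e.g. `# uwb_vendor_app is declared in system_ext/public/uwb_vendor_app.te; only the vendor HAL client rules live here.` The explicit `allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;` is likely redundant with the `hal_client_domain(uwb_vendor_app, hal_uwb_vendor)` line now placed right after it, if hal_uwb_vendor.te grants that find to hal_uwb_vendor_client as the hal_*_client attributes usually do — verify and keep one. The two `allow hal_uwb_vendor_default …` rules that remain as context are rules on the HAL domain, not on the app, and would be easier to audit in hal_uwb_vendor_default.te. The `not_recovery` block is closed outside the hunk.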
diff --git a/whitechapel_pro/ufs_firmware_update.te b/whitechapel_pro/ufs_firmware_update.te
index 53ceba56..f33c2da9 100644
--- a/whitechapel_pro/ufs_firmware_update.te
+++ b/whitechapel_pro/ufs_firmware_update.te
@@ -7,4 +7,5 @@ allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
 allow ufs_firmware_update block_device:dir r_dir_perms;
 allow ufs_firmware_update fips_block_device:blk_file rw_file_perms;
 allow ufs_firmware_update sysfs:dir r_dir_perms;
+allow ufs_firmware_update sysfs_scsi_devices_0000:dir search;
 allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
From b256bc86c018c0df39374d55056af1efa745e895 Mon Sep 17 00:00:00 2001
From: Mike Wang
Date: Thu, 28 Sep 2023 15:22:58 +0000
Subject: [PATCH 19/19] Grant the MDS access to the IPowerStats hal service.
ref logs:
09-06 10:07:18.006 536 536 I auditd : avc: denied { find } for pid=22543 uid=10225 name=android.hardware.power.stats.IPowerStats/default scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:hal_power_stats_service:s0 tclass=service_manager permissive=1
09-06 10:07:18.010 22543 22543 I auditd : type=1400 audit(0.0:65): avc: denied { call } for comm="pool-4-thread-1" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=1 app=com.google.mds
Test: Tested with MDS app and the MDS can get IPowerStats binder and call the interface.
Bug: 297250368
Change-Id: I54b6b93179987b9db23d5327711338553906134c
---
 whitechapel_pro/modem_diagnostic_app.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te
index 8c4a0cac..b5cce03a 100644
--- a/whitechapel_pro/modem_diagnostic_app.te
+++ b/whitechapel_pro/modem_diagnostic_app.te
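Review bot: `search` on `sysfs_scsi_devices_0000:dir` is the narrowest grant that lets the existing `:file r_file_perms` rule on the same label actually reach files under that node, so the permission choice is right; what is missing is any comment on why ufs_firmware_update walks this sysfs subtree, and this list of denial-driven rules has none. A one-line comment above the two sysfs_scsi_devices_0000 rules would do, e.g. `# UFS FFU flow reads device attributes under the SCSI host sysfs node` — the exact attributes are not visible here, so take them from the bug in the commit message. The enclosing allow list starts before the hunk.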
@@ -7,6 +7,8 @@ allow modem_diagnostic_app app_api_service:service_manager find;
 allow modem_diagnostic_app radio_service:service_manager find;
 userdebug_or_eng(`
+ hal_client_domain(modem_diagnostic_app, hal_power_stats);
+
 binder_call(modem_diagnostic_app, dmd)
 set_prop(modem_diagnostic_app, vendor_cbd_prop)