From e41a25055a003a6f417d51f46cb475de6d0ed55e Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Wed, 11 Dec 2024 13:31:47 +0800 Subject: [PATCH 01/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 383438008 Flag: EXEMPT sepolicy Change-Id: Ia2eb5910086ad0ee92d655ab39948eb47d262158 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 9246974a..3c13d1ea 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -20,6 +20,7 @@ pixelstats_vendor block_device dir b/369540701 platform_app vendor_fw_file dir b/377811773 platform_app vendor_rild_prop file b/377811773 priv_app audio_config_prop file b/379246129 +priv_app metadata_file dir b/383438008 ramdump ramdump capability b/369475655 rfsd vendor_cbd_prop file b/317734397 shell sysfs_net file b/329380891 From a8fbbdb7d73e3df2373245b87baf24aebda22fa8 Mon Sep 17 00:00:00 2001 From: chenkris Date: Thu, 12 Dec 2024 08:15:11 +0000 Subject: [PATCH 02/18] gs201: Add selinux permission for fth Fix the following avc denials: avc: denied { open } for path="/dev/fth_fd" dev="tmpfs" ino=1575 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 avc: denied { read } for name="wakeup96" dev="sysfs" ino=101698 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 Bug: 383048849 Test: ls -lZ /sys/devices/platform/odm//odm:fps_touch_handler/wakeup Test: authenticate fingerprint Flag: EXEMPT NDK Change-Id: I0516b20ea21a4aed33026b9af4a3dae6bc8defd4 --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/genfs_contexts | 3 +++ 2 files changed, 4 insertions(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 0d5a2fb1..2e1a5b85 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -81,6 +81,7 @@ /dev/janeiro u:object_r:edgetpu_device:s0 /dev/bigocean u:object_r:video_device:s0 /dev/goodix_fp u:object_r:fingerprint_device:s0 +/dev/fth_fd u:object_r:fingerprint_device:s0 /dev/ispolin_ranging u:object_r:rls_device:s0 /dev/watchdog0 u:object_r:watchdog_device:s0 /dev/mali0 u:object_r:gpu_device:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index ee65fab8..54b97796 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -275,6 +275,9 @@ genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/wakeup u:object_r:sysfs_wakeup:s0 + #SecureElement genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 From e66afa8cd6dc5800dc5e70fcbbd7f3f105b6dd32 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 13 Dec 2024 14:35:29 +0800 Subject: [PATCH 03/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Flag: EXEMPT sepolicy Bug: 383949172 Change-Id: I93bce4c72d2190fc6636102c2167099e167dc354 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3c13d1ea..5220f4b5 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -38,4 +38,5 @@ vendor_init default_prop file b/329381126 vendor_init default_prop property_service b/315104803 vendor_init default_prop property_service b/359427666 vendor_init default_prop property_service b/359428317 +zygote aconfig_storage_metadata_file dir b/383949172 zygote zygote capability b/379206941 From 4f5612fc4628af4c3a541c3d01acd4e44e7e9006 Mon Sep 17 00:00:00 2001 From: timmyli Date: Mon, 16 Dec 2024 06:51:52 +0000 Subject: [PATCH 04/18] Remove hal_camera_default aconfig_storage_metadata_file bugmap Bug: 383013727 Test: compiles manual test Flag: EXEMPT refactor Change-Id: Ib9de507763ea1c81b540e71d1ba85f7282977a3b --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5220f4b5..214b1861 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,7 +4,6 @@ dump_display sysfs file b/350831939 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277 dump_modem sscoredump_vendor_data_logcat_file dir b/361726277 dumpstate unlabeled file b/350832009 -hal_camera_default aconfig_storage_metadata_file dir b/383013727 hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 hal_sensors_default property_socket sock_file b/373755350 From e93699de2a35bfdde496f45ebfe9c3c152669cf4 Mon Sep 17 00:00:00 2001 From: Timmy Li Date: Mon, 16 Dec 2024 16:34:50 -0800 Subject: [PATCH 05/18] Revert "Remove hal_camera_default aconfig_storage_metadata_file ..." Revert submission 30930671-hal_camera_default_ aconfig_storage_metadata_file2 Reason for revert: b/384580942 Reverted changes: /q/submissionid:30930671-hal_camera_default_+aconfig_storage_metadata_file2 Change-Id: I59f7b9e2dcbdb0ed9f6690bc1b53b0360c6a835f --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 214b1861..5220f4b5 100644 --- a/tracking_denials/bug_map 
+++ b/tracking_denials/bug_map @@ -4,6 +4,7 @@ dump_display sysfs file b/350831939 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277 dump_modem sscoredump_vendor_data_logcat_file dir b/361726277 dumpstate unlabeled file b/350832009 +hal_camera_default aconfig_storage_metadata_file dir b/383013727 hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 hal_sensors_default property_socket sock_file b/373755350 From 01b373e61fe276095f7a16ad98997cc598ac9947 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Tue, 24 Dec 2024 18:33:04 +0800 Subject: [PATCH 06/18] Update SELinux error. Test: SELinuxUncheckedDenialBootTest Bug: 385858933 Bug: 385858800 Bug: 385829048 Flag: EXEMPT bugfix Change-Id: Ibbe27e7ab4239b0ae55b109a3e98bf78c1a95f64 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5220f4b5..6e228a71 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -13,6 +13,7 @@ incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 init init capability b/379206608 insmod-sh insmod-sh key b/336451874 +insmod-sh vendor_edgetpu_debugfs dir b/385858933 kernel dm_device blk_file b/319403445 kernel kernel capability b/336451113 kernel tmpfs chr_file b/321731318 @@ -22,6 +23,7 @@ platform_app vendor_rild_prop file b/377811773 priv_app audio_config_prop file b/379246129 priv_app metadata_file dir b/383438008 ramdump ramdump capability b/369475655 +ramdump_app privapp_data_file lnk_file b/385858800 rfsd vendor_cbd_prop file b/317734397 shell sysfs_net file b/329380891 ssr_detector_app default_prop file b/359428005 From 4206d28824669c6b2b3f711b37a019e0f0715143 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Thu, 26 Dec 2024 08:28:21 +0000 Subject: [PATCH 07/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 386148928 Flag: EXEMPT update sepolicy Change-Id: I5366a1f150a6afa072494469112c5689be4438d8 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6e228a71..0fe3dbd5 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -23,6 +23,7 @@ platform_app vendor_rild_prop file b/377811773 priv_app audio_config_prop file b/379246129 priv_app metadata_file dir b/383438008 ramdump ramdump capability b/369475655 +ramdump_app default_prop file b/386148928 ramdump_app privapp_data_file lnk_file b/385858800 rfsd vendor_cbd_prop file b/317734397 shell sysfs_net file b/329380891 From 6e58ad004d279a9ed1d24ab1735860762a676bd8 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 27 Dec 2024 07:20:57 +0000 Subject: [PATCH 08/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 386303831 Flag: EXEMPT update sepolicy Change-Id: I069f1df8349426695f850b5814da2a4455d83550 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 0fe3dbd5..fe1639ee 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,6 +4,7 @@ dump_display sysfs file b/350831939 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277 dump_modem sscoredump_vendor_data_logcat_file dir b/361726277 dumpstate unlabeled file b/350832009 +hal_bluetooth_synabtlinux device chr_file b/386303831 hal_camera_default aconfig_storage_metadata_file dir b/383013727 hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 From 56f1333908810f00be601ae517da30a82cce74ca Mon Sep 17 00:00:00 2001 
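Review bot: The new `hal_bluetooth_synabtlinux device chr_file b/386303831` entry (patch 08/18) tracks a denial against the generic `device` type, which usually means a /dev node has no file_contexts entry. bug_map only attaches the bug number to the logged denial, so the node stays unlabelled until a follow-up lands. Patch 02/18 in this series resolves the same pattern for `/dev/fth_fd` by adding a file_contexts line. The fix for this bug should label the node in the same way rather than grant the HAL access to `device`.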
From: YiKai Peng Date: Mon, 30 Dec 2024 05:08:47 -0800 Subject: [PATCH 09/18] sepolicy: gs201: add genfscon wireless into sysfs_batteryinfo Bug: 377264254 Flag: EXEMPT bugfix Test: ABTD Change-Id: I4ec2350e7129e7630e6d6629a7f81820e679008e Signed-off-by: YiKai Peng --- whitechapel_pro/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 54b97796..a6dcae68 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -212,6 +212,10 @@ genfscon sysfs /devices/platform/google,battery/power_supply/battery genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0 + genfscon sysfs /devices/pseudo_0/adapter0/host1/target1:0:0/1:0:0:0/block/sde u:object_r:sysfs_devices_block:s0 # P22 battery From a2bd3ad6ced37e52098c1c07d12f5db07c6cd957 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 10 Jan 2025 10:49:43 +0800 Subject: [PATCH 10/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Flag: EXEMPT bugfix Bug: 388949662 Bug: 388949536 Change-Id: I6e5624ddd51d195e49e28cecf0f18123c66c31c5 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index fe1639ee..bd62f53d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
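Review bot: The three added `genfscon sysfs /class/power_supply/wireless/device/...` entries in whitechapel_pro/genfs_contexts are written against a path that is normally a symlink, so they likely never match. genfscon labels a node by its real path inside sysfs, and entries under /sys/class/power_supply usually point into /sys/devices, which is why the neighbouring context lines all use `/devices/platform/...`. If that holds on this device, `version`, `status` and `fw_rev` keep the generic sysfs label and the original denial remains. Resolve the real device path on a target (for example with `readlink -f`), use that in the entries, and confirm the label with `ls -Z`, since `Test: ABTD` alone does not show that the label took effect.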
@@ -13,7 +13,9 @@ hal_sensors_default sysfs file b/336451433 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 init init capability b/379206608 +init-display-sh kmsg_device chr_file b/388949662 insmod-sh insmod-sh key b/336451874 +insmod-sh kmsg_device chr_file b/388949536 insmod-sh vendor_edgetpu_debugfs dir b/385858933 kernel dm_device blk_file b/319403445 kernel kernel capability b/336451113 From 68280fd949ab575f2e1601ec59a8e639daf42991 Mon Sep 17 00:00:00 2001 From: Xiaofan Jiang Date: Fri, 10 Jan 2025 03:15:16 +0000 Subject: [PATCH 11/18] gs201: update selinux to allow UMI on user build Bug: 375335464 [ 68.189198] type=1400 audit(1722986580.568:59): avc: denied { unlink } for comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 [ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { create } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 [ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { write } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1 Flag: EXEMPT Critical modem system service Change-Id: Id344d2e7537710461c6b3ca3e2b9f2489d695882 --- whitechapel_pro/modem_svc_sit.te | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te index 0097a46a..373fdf63 100644 --- a/whitechapel_pro/modem_svc_sit.te +++ b/whitechapel_pro/modem_svc_sit.te 
@@ -52,6 +52,4 @@ allow modem_svc_sit modem_img_file:file r_file_perms; allow modem_svc_sit modem_img_file:lnk_file r_file_perms; # Allow modem_svc_sit to access socket for UMI -userdebug_or_eng(` - allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink }; -') +allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink write }; From bf2b6860593335f717f7f89c0cdb0ed6fbb253e8 Mon Sep 17 00:00:00 2001 From: Terry Huang Date: Thu, 9 Jan 2025 09:06:24 +0800 Subject: [PATCH 12/18] Remove sced sepolicy rule Bug: 381778782 Test: gts pass Flag: EXEMPT bugfix Change-Id: I523174b443f027ee112b153d5df566389815d43c --- whitechapel_pro/file_contexts | 1 - whitechapel_pro/sced.te | 23 ------------------- .../vendor_telephony_silentlogging_app.te | 1 - 3 files changed, 25 deletions(-) delete mode 100644 whitechapel_pro/sced.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 2e1a5b85..1db158af 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -1,7 +1,6 @@ # Binaries /vendor/bin/dmd u:object_r:dmd_exec:s0 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 -/vendor/bin/sced u:object_r:sced_exec:s0 /vendor/bin/vcd u:object_r:vcd_exec:s0 /vendor/bin/chre u:object_r:chre_exec:s0 /vendor/bin/cbd u:object_r:cbd_exec:s0 diff --git a/whitechapel_pro/sced.te b/whitechapel_pro/sced.te deleted file mode 100644 index 2b08973a..00000000 --- a/whitechapel_pro/sced.te +++ /dev/null 
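Review bot: In whitechapel_pro/modem_svc_sit.te the rewritten rule drops the `userdebug_or_eng` guard and adds `write`, so on user builds modem_svc_sit can create, unlink and write any sock_file labelled `radio_vendor_data_file`, not just the UMI socket. The denials quoted in the description name only `modem_svc_socket`. A dedicated type for that socket, assigned by a type_transition on creation, would keep the production grant scoped to it, e.g. `allow modem_svc_sit <umi_socket_type>:sock_file { create unlink write };` where the type name is a placeholder. All three quoted denials also show `permissive=1`, so it is worth confirming on an enforcing user build that these are the only permissions needed. At minimum the comment should record the widening: `# Allow modem_svc_sit to access socket for UMI (all build types, b/375335464)`.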
@@ -1,23 +0,0 @@ -type sced, domain; -type sced_exec, vendor_file_type, exec_type, file_type; - -userdebug_or_eng(` - init_daemon_domain(sced) - typeattribute sced vendor_executes_system_violators; - - hwbinder_use(sced) - binder_call(sced, dmd) - binder_call(sced, vendor_telephony_silentlogging_app) - - get_prop(sced, hwservicemanager_prop) - allow sced self:packet_socket create_socket_perms_no_ioctl; - - allow sced self:capability net_raw; - allow sced shell_exec:file rx_file_perms; - allow sced tcpdump_exec:file rx_file_perms; - allow sced vendor_shell_exec:file x_file_perms; - allow sced vendor_slog_file:dir create_dir_perms; - allow sced vendor_slog_file:file create_file_perms; - allow sced hidl_base_hwservice:hwservice_manager add; - allow sced hal_vendor_oem_hwservice:hwservice_manager { add find }; -') diff --git a/whitechapel_pro/vendor_telephony_silentlogging_app.te b/whitechapel_pro/vendor_telephony_silentlogging_app.te index 583f408f..a9497f5d 100644 --- a/whitechapel_pro/vendor_telephony_silentlogging_app.te +++ b/whitechapel_pro/vendor_telephony_silentlogging_app.te @@ -10,7 +10,6 @@ allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms allow vendor_telephony_silentlogging_app app_api_service:service_manager find; allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find; binder_call(vendor_telephony_silentlogging_app, dmd) -binder_call(vendor_telephony_silentlogging_app, sced) userdebug_or_eng(` # Silent Logging From 50f433731d6d31e5b5d3008ba8a81228f10a2bdd Mon Sep 17 00:00:00 2001 
From: Yi-Yo Chiang Date: Thu, 9 Jan 2025 18:41:03 +0800 Subject: [PATCH 13/18] init-display-sh: Don't audit writing to kmsg modprobe would log errors to /dev/kmsg, need to explicit allow this. ``` avc: denied { write } for comm="modprobe" name="kmsg" dev="tmpfs" ino=5 scontext=u:r:init-display-sh:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 ``` Bug: 388717752 Test: DeviceBootTest#SELinuxUncheckedDenialBootTest Change-Id: Iaf1157a925e480ec3c8cdd00573f3d0a4ead355b --- whitechapel_pro/init-display-sh.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/init-display-sh.te b/whitechapel_pro/init-display-sh.te index 54ff7d6e..7f64b782 100644 --- a/whitechapel_pro/init-display-sh.te +++ b/whitechapel_pro/init-display-sh.te @@ -8,3 +8,5 @@ allow init-display-sh vendor_toolbox_exec:file execute_no_trans; dontaudit init-display-sh proc_cmdline:file r_file_perms; +# Allow modprobe to log to kmsg. +allow init-display-sh kmsg_device:chr_file w_file_perms; From b3796e625d9e57fa5b7bbeb49da60ef799c31a1b Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Tue, 21 Jan 2025 14:15:57 +0800 Subject: [PATCH 14/18] RamdumpService: Fix the SELinux errors from introducing Firebase Analytics. Fix it by ag/31334770 and remove the tracking bug number. Bug: 386148928 Flag: EXEMPT bugfix Change-Id: Ia3dcc3eca550b8317101bbf1d0b3ddbaa8afb234 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index bd62f53d..d7c473b6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -27,7 +27,6 @@ priv_app audio_config_prop file b/379246129 priv_app metadata_file dir b/383438008 ramdump ramdump capability b/369475655 ramdump_app default_prop file b/386148928 -ramdump_app privapp_data_file lnk_file b/385858800 rfsd vendor_cbd_prop file b/317734397 shell sysfs_net file b/329380891 ssr_detector_app default_prop file b/359428005 
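Review bot: The rule added to whitechapel_pro/init-display-sh.te is an `allow`, while the subject of patch 13/18 says "Don't audit writing to kmsg"; the two should agree, because someone auditing the history will look for a `dontaudit`. `w_file_perms` also grants more than the single `write` in the quoted denial (open, append, lock and others, assuming the standard macro definition), so if modprobe only writes to an inherited descriptor, `allow init-display-sh kmsg_device:chr_file write;` would be enough. Patch 10/18 of this series added `init-display-sh kmsg_device chr_file b/388949662` to tracking_denials/bug_map, and that entry looks stale once this rule lands; no hunk shown here removes it.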
From fee2572957b28be5a191fa9bfe63b0fcd3ec9fca Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Mon, 3 Feb 2025 11:06:35 +0800 Subject: [PATCH 15/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 393956479 Flag: EXEMPT bugfix Change-Id: I4c6257c1e1816f992053654f29c55ddecdbadb4c --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d7c473b6..f843bb8b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,6 +6,8 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361726277 dumpstate unlabeled file b/350832009 hal_bluetooth_synabtlinux device chr_file b/386303831 hal_camera_default aconfig_storage_metadata_file dir b/383013727 +hal_drm_widevine system_userdir_file dir b/393956479 +hal_drm_widevine widevine_sys_vendor_prop file b/393956479 hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 hal_sensors_default property_socket sock_file b/373755350 From aea9d5c16576e4409a761876d5b298cb39cb7f93 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Mon, 3 Feb 2025 14:33:04 +0800 Subject: [PATCH 16/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 393978045 Flag: EXEMPT bugfix Change-Id: Ia4d6c8c4bed73a687e7d1f0e35ead3b457810dea --- tracking_denials/hal_fingerprint_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/hal_fingerprint_default.te diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te new file mode 100644 index 00000000..e475e684 --- /dev/null +++ b/tracking_denials/hal_fingerprint_default.te @@ -0,0 +1,2 @@ +# b/393978045 +dontaudit hal_fingerprint_default default_android_service:service_manager add; From 768c29c4506ae302ae5cb22c8c2e809e2078ec49 Mon Sep 17 00:00:00 2001 
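Review bot: The `dontaudit hal_fingerprint_default default_android_service:service_manager add;` rule in the new tracking_denials/hal_fingerprint_default.te (patch 16/18) hides the symptom rather than the cause. An `add` against `default_android_service` usually means the service name the HAL registers has no entry in service_contexts and fell back to the default label, so the registration is still denied, only silently. Labelling the service and allowing `add` on that specific type is the lasting fix. Patch 17/18 later in this series deletes this file again as unnecessary.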
From: Nina Chen Date: Mon, 3 Feb 2025 19:30:32 +0800 Subject: [PATCH 17/18] Remove unnecessary dontaudit rule Bug: 393978045 Flag: EXEMPT bugfix Change-Id: I183b9ddd7ed94b9094ae5b2e662d3725185d36dd --- tracking_denials/hal_fingerprint_default.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_fingerprint_default.te diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te deleted file mode 100644 index e475e684..00000000 --- a/tracking_denials/hal_fingerprint_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/393978045 -dontaudit hal_fingerprint_default default_android_service:service_manager add; From 427a3262f1088d1a8894c8a1c36e34197011ca8d Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Wed, 11 Dec 2024 15:50:50 +0000 Subject: [PATCH 18/18] Add udc sysfs to udc_sysfs fs context Meeded for system server to monitor usb gadget state. Grant hal_usb_impl read access as it's needed by UsbDataSessionMonitor. Starting at board level api 202504 due to its dependency on aosp/3337514 10956 10956 W android.hardwar: type=1400 audit(0.0:327): avc: denied { read } for name="state" dev="sysfs" ino=84394 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_udc:s0 tclass=file permissive=0 Bug: 339241080 Test: tested on Cheetah Flag: android.hardware.usb.flags.enable_udc_sysfs_usb_state_update Change-Id: I0eac6b46677c786b505a4bd1c4f63385062bc132 --- whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/hal_usb_impl.te | 1 + 2 files changed, 4 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index a6dcae68..a6872ed1 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -360,3 +360,6 @@ genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby # WLC genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-003c u:object_r:sysfs_wlc:s0 + +# USB +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/udc/11210000.dwc3/state u:object_r:sysfs_udc:s0 diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te index 4c997733..afc193db 100644 --- a/whitechapel_pro/hal_usb_impl.te +++ b/whitechapel_pro/hal_usb_impl.te @@ -33,3 +33,4 @@ allow hal_usb_impl usb_device:dir r_dir_perms; # For monitoring usb sysfs attributes allow hal_usb_impl sysfs_wakeup:dir search; allow hal_usb_impl sysfs_wakeup:file r_file_perms; +allow hal_usb_impl sysfs_udc:file r_file_perms;
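Review bot: Both hunks of patch 18/18 use `sysfs_udc` unconditionally, although the description says the change applies "Starting at board level api 202504" because it depends on aosp/3337514. Neither the genfs_contexts entry nor `allow hal_usb_impl sysfs_udc:file r_file_perms;` in hal_usb_impl.te shows a version guard, so a build against platform policy that lacks the type would presumably fail to compile. If the guard lives elsewhere in the build, a comment pointing to it would help. The genfscon path also hard-codes the `11210000.dwc3` controller instance, so a comment above it such as `# UDC state, read by system_server and hal_usb_impl (b/339241080)` would document why this one attribute gets its own label.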