From 2260099ad39288cc8ea29f0973a0e972acf8c8dc Mon Sep 17 00:00:00 2001
From: George Lee
Date: Wed, 5 Oct 2022 14:03:34 -0700
Subject: [PATCH 01/31] bcl: Add mitigation ready device sepolicy

Instead of relying on vendor.thermal.link_ready property to gate write to BCL's SYSFS node, adding mitigation ready SYSFS so that writes to BCL's SYSFS node would not cause NULL pointer dereference.

Bug: 249130916
Test: Confirm property vendor.brownout.mitigation.ready is set
Signed-off-by: George Lee
Change-Id: I1b21a1c745e7e17f78e9d4c001032dd2c46673cf
---
 whitechapel_pro/battery_mitigation.te | 4 ++++
 whitechapel_pro/property.te | 3 +++
 whitechapel_pro/property_contexts | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te
index 59af9d53..5fecbcba 100644
--- a/whitechapel_pro/battery_mitigation.te
+++ b/whitechapel_pro/battery_mitigation.te
@@ -2,6 +2,7 @@ type battery_mitigation, domain;
 type battery_mitigation_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(battery_mitigation)
 get_prop(battery_mitigation, boot_status_prop)
+set_prop(battery_mitigation, vendor_mitigation_ready_prop)
 hal_client_domain(battery_mitigation, hal_thermal);
 hal_client_domain(battery_mitigation, hal_health);
@@ -11,6 +12,9 @@ r_dir_file(battery_mitigation, sysfs_iio_devices)
 r_dir_file(battery_mitigation, sysfs_thermal)
 r_dir_file(battery_mitigation, thermal_link_device)
 r_dir_file(battery_mitigation, sysfs_odpm)
+allow battery_mitigation sysfs_bcl:dir r_dir_perms;
+allow battery_mitigation sysfs_bcl:file r_file_perms;
+allow battery_mitigation sysfs_bcl:lnk_file r_file_perms;
 allow battery_mitigation sysfs_thermal:lnk_file r_file_perms;
 allow battery_mitigation mitigation_vendor_data_file:dir rw_dir_perms;
 allow battery_mitigation mitigation_vendor_data_file:file create_file_perms;
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index ec7d84ed..b88506be 100644
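Review bot: The three new sysfs_bcl rules in the second hunk grant only read access (r_dir_perms/r_file_perms), while the description says battery_mitigation writes BCL sysfs nodes once mitigation is ready, so if this daemon is the writer the write will still be denied and the file rule needs to be `allow battery_mitigation sysfs_bcl:file rw_file_perms;`. If another domain does the writing, the description should say so, since a read-only rule paired with the commit's stated purpose will mislead the next reader. Either way a one-line comment above the rules, e.g. `# BCL sysfs state read by the mitigation daemon; writes are gated on vendor.brownout.mitigation.ready`, would record the contract.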
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -36,3 +36,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop)
 # Telephony debug app
 vendor_internal_prop(vendor_telephony_app_prop)
+
+# Battery Mitigation
+vendor_internal_prop(vendor_mitigation_ready_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 98a7980a..f4c5eeb0 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -106,3 +106,6 @@ persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0
 # for vendor telephony debug app
 vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0
+
+# Battery Mitigation
+vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0

From b72e47e1b0d13dc52883276b1350144efdb9d7a0 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 10 Oct 2022 09:40:51 -0700
Subject: [PATCH 02/31] bcl: Add brownout boot reason sepolicy

Lastmeal.txt may be generated from after device rebooted from IRQ triggering. By applying limit on the time when it generates, lastmeal.txt will not be generated after device rebooted.

Bug: 246817058
Test: Confirm lastmeal.txt generation
Signed-off-by: George Lee
Change-Id: I02515fc452dbfa5c8a40041cbb8731664dace62e
---
 whitechapel_pro/battery_mitigation.te | 1 +
 whitechapel_pro/property.te | 2 ++
 whitechapel_pro/property_contexts | 2 ++
 whitechapel_pro/vendor_init.te | 4 ++++
 4 files changed, 9 insertions(+)

diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te
index 5fecbcba..56b83733 100644
--- a/whitechapel_pro/battery_mitigation.te
+++ b/whitechapel_pro/battery_mitigation.te
@@ -2,6 +2,7 @@ type battery_mitigation, domain;
 type battery_mitigation_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(battery_mitigation)
 get_prop(battery_mitigation, boot_status_prop)
+get_prop(battery_mitigation, vendor_startup_bugreport_requested_prop)
 set_prop(battery_mitigation, vendor_mitigation_ready_prop)
 hal_client_domain(battery_mitigation, hal_thermal);
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index b88506be..151cefc3 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -39,3 +39,5 @@ vendor_internal_prop(vendor_telephony_app_prop)
 # Battery Mitigation
 vendor_internal_prop(vendor_mitigation_ready_prop)
+vendor_internal_prop(vendor_brownout_boot_reason_prop)
+vendor_internal_prop(vendor_startup_bugreport_requested_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index f4c5eeb0..02b9ce80 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -109,3 +109,5 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop:
 # Battery Mitigation
 vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0
+vendor.brownout_boot_reason u:object_r:vendor_brownout_boot_reason_prop:s0
+vendor.startup_bugreport_requested u:object_r:vendor_startup_bugreport_requested_prop:s0
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 3287d344..0dedd097 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -35,3 +35,7 @@ set_prop(vendor_init, vendor_battery_defender_prop)
 # Display
 set_prop(vendor_init, vendor_display_prop)
+
+# Battery Mitigation
+set_prop(vendor_init, vendor_brownout_boot_reason_prop)
+set_prop(vendor_init, vendor_startup_bugreport_requested_prop)

From 083ba629028b15373d54f1338b1236bc3f0e8272 Mon Sep 17 00:00:00 2001
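Review bot: In the vendor_init.te hunk vendor_init is granted set_prop on vendor_brownout_boot_reason_prop, but no domain in this change receives get_prop on it (battery_mitigation only reads vendor_startup_bugreport_requested_prop), so the property is written and never readable, which points to either a missing consumer rule or a rule that should wait for its consumer. The property_contexts entries also mix naming styles, `vendor.brownout_boot_reason` next to `vendor.brownout.mitigation.ready`, which is worth settling before the names ship. A comment above the two property_contexts lines stating who sets and who reads each property, e.g. `# set by vendor_init from the boot reason, read by battery_mitigation`, would make the intended flow reviewable; the description's lastmeal.txt rationale does not explain it.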
From: George Lee
Date: Thu, 13 Oct 2022 12:52:20 -0700
Subject: [PATCH 03/31] bcl: Remove unused brownout boot reason sepolicy

vendor_brownout_boot_reason was added under previous change. It should be added as part of follow on change to enable metric collection.

Bug: 246817058
Test: Confirm brownout_boot_reason non existent
Signed-off-by: George Lee
Change-Id: I1fed12e851750314f53a0d6517a9eff92c44e247
---
 whitechapel_pro/property.te | 1 -
 whitechapel_pro/property_contexts | 1 -
 whitechapel_pro/vendor_init.te | 1 -
 3 files changed, 3 deletions(-)

diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 151cefc3..1bca1a73 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -39,5 +39,4 @@ vendor_internal_prop(vendor_telephony_app_prop)
 # Battery Mitigation
 vendor_internal_prop(vendor_mitigation_ready_prop)
-vendor_internal_prop(vendor_brownout_boot_reason_prop)
 vendor_internal_prop(vendor_startup_bugreport_requested_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 02b9ce80..814d0184 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -109,5 +109,4 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop:
 # Battery Mitigation
 vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0
-vendor.brownout_boot_reason u:object_r:vendor_brownout_boot_reason_prop:s0
 vendor.startup_bugreport_requested u:object_r:vendor_startup_bugreport_requested_prop:s0
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 0dedd097..a82ad9f1 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -37,5 +37,4 @@ set_prop(vendor_init, vendor_battery_defender_prop)
 set_prop(vendor_init, vendor_display_prop)
 # Battery Mitigation
-set_prop(vendor_init, vendor_brownout_boot_reason_prop)
 set_prop(vendor_init, vendor_startup_bugreport_requested_prop)
From 39ffb227b33c85dfb09cd5efd19b4177988f946e Mon Sep 17 00:00:00 2001
From: George Lee
Date: Thu, 13 Oct 2022 09:19:07 -0700
Subject: [PATCH 04/31] betterbug: Add selinux policy for betterbug

Enable Betterbug to read reboot reason such that Betterbug can file bugreport when *uvlo* or *ocp* is found within reboot reason.

Bug: 237287659
Test: Load Betterbug for accessing boot reason property
Signed-off-by: George Lee
Change-Id: Id699be34d2e060ee7827737982403fd58f133c4a
---
 whitechapel_pro/better_bug_app.te | 6 ++++++
 whitechapel_pro/seapp_contexts | 3 +++
 2 files changed, 9 insertions(+)
 create mode 100644 whitechapel_pro/better_bug_app.te

diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
new file mode 100644
index 00000000..7a8c3818
--- /dev/null
+++ b/whitechapel_pro/better_bug_app.te
@@ -0,0 +1,6 @@
+type better_bug_app, domain;
+
+userdebug_or_eng(`
+ app_domain(better_bug_app)
+ get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
+')
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 0fbe0333..7a908751 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -71,3 +71,6 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
+
+# BetterBug
+user=_app seinfo=platform name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=user

From 5c48a9028512d067de0b4add8ce30f27a7a9203a Mon Sep 17 00:00:00 2001
From: George Lee
Date: Thu, 13 Oct 2022 18:43:09 -0700
Subject: [PATCH 05/31] pixelstats: add bcl directory permission

Bug: 253522156
Test: Local test $>cmd stats print-logs $>logcat | grep
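Review bot: The seapp_contexts entry assigns com.google.android.apps.internal.betterbug to better_bug_app on every build type, but every rule for that domain, including app_domain(), sits inside userdebug_or_eng, so on a user build the app would be launched into a domain with no permissions and fail immediately instead of falling back to platform_app. If seapp_contexts is run through m4 in this build, wrapping the entry in the same userdebug_or_eng() guard keeps the two in step; otherwise the APK should only be shipped on userdebug images and a comment on the entry should say so. Separately, `type better_bug_app, domain;` omits coredomain although the app is a platform-signed system app, which is worth checking against the build's coredomain/vendor separation tests before this lands.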
Signed-off-by: George Lee
Change-Id: I934f6efb043893666dac88257619556e30d82751
---
 whitechapel_pro/pixelstats_vendor.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 371bef41..d327a30d 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -26,3 +26,7 @@ allow pixelstats_vendor sysfs_pca:file rw_file_perms;
 #Thermal
 r_dir_file(pixelstats_vendor, sysfs_thermal)
 allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;
+
+# BCL
+allow pixelstats_vendor sysfs_bcl:dir search;
+allow pixelstats_vendor sysfs_bcl:file r_file_perms;

From 36df3f715f8d3aa6216bfb1baffba6e089f6d606 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?=
Date: Fri, 14 Oct 2022 13:54:34 +0000
Subject: [PATCH 06/31] Use generic wildcard for vendor libprotobuf.

The suffix changes on each upgrade and the newest release uses a two-part version number instead of a three-part one. Use a regex that will match any suffix.

Bug: 203713560
Test: presubmit, log check
Change-Id: I7a3357d11c162a9bc24196bb232f58be9ba062ec
---
 whitechapel_pro/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 83232f1e..d6db670d 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -62,7 +62,7 @@
 /vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0
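Review bot: The new libprotobuf entry is the only version-agnostic pattern among a list of pinned library names and nothing in the file says why, so the next maintainer is likely to pin it again; a comment above it such as `# libprotobuf-cpp-lite's version suffix changes with each upgrade (b/203713560)` would prevent that. It is worth stating in that comment that `(\d+\.){2,3}so` only admits dotted numeric suffixes ending in `.so`, so the same_process_hal_file label, which is loaded into framework processes, is not widened beyond libprotobuf-cpp-lite builds.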
From 19419cbdb30c6efc358b4ed4f92ab205507c179d Mon Sep 17 00:00:00 2001
From: Martin Liu
Date: Fri, 14 Oct 2022 09:26:40 +0800
Subject: [PATCH 07/31] allow vendor_init to acces watermark_scale_factor

Bug: 251881967
Test: boot
Signed-off-by: Martin Liu
Change-Id: I0840cf19f9c3120aaacc49de751fdd0a55aebf5f
---
 whitechapel_pro/vendor_init.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index a82ad9f1..5de29166 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -38,3 +38,6 @@ set_prop(vendor_init, vendor_display_prop)
 # Battery Mitigation
 set_prop(vendor_init, vendor_startup_bugreport_requested_prop)
+
+# MM
+allow vendor_init proc_watermark_scale_factor:file w_file_perms;

From 939d05cbf811c7979477a2916032ef2c5b13470c Mon Sep 17 00:00:00 2001
From: Lucas Wei
Date: Thu, 6 Oct 2022 10:29:59 +0800
Subject: [PATCH 08/31] SEPolicy: Don't audit search regmap by kernel

Bug: 247948906
Signed-off-by: Lucas Wei
Change-Id: I8886b5c3790036a9fe2d1ed8f524a0555b900dbb
Merged-In: I8886b5c3790036a9fe2d1ed8f524a0555b900dbb
---
 whitechapel_pro/kernel.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
index c34e7f72..376d8e14 100644
--- a/whitechapel_pro/kernel.te
+++ b/whitechapel_pro/kernel.te
@@ -9,3 +9,4 @@ allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
 dontaudit kernel vendor_battery_debugfs:dir search;
+dontaudit kernel vendor_regmap_debugfs:dir search;

From ba0eb551e97aff2575cd7ec8c37409ec10fced5f Mon Sep 17 00:00:00 2001
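Review bot: `# MM` does not record which init.rc action needs vendor_init to write /proc/sys/vm/watermark_scale_factor, and since this is a system-wide reclaim tunable the rule deserves a comment naming the writer, e.g. `# vendor init.rc tunes vm/watermark_scale_factor at boot (b/251881967)`. The rule is appropriately write-only for an init `write` command; if the value is ever read back for verification, add a separate read rule rather than widening this one to rw_file_perms.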
From: eddielan
Date: Mon, 22 Aug 2022 17:43:18 +0800
Subject: [PATCH 09/31] fingerprint: Allow fingerprint to access thermal hal

SELinux : avc: denied { find } for interface=android.hardware.thermal::IThermal sid=u:r:hal_fingerprint_default:s0 pid=1064 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:hal_thermal_hwservice:s0 tclass=hwservice_manager permissive=0

Bug: 243115023
Test: make selinux_policy -j128
Test: Check avc log on device
Change-Id: Ida1b18536468df11be5bf44fb6fb79b03a35f4b9
---
 whitechapel_pro/hal_fingerprint_default.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te
index ec02f9c4..912776dd 100644
--- a/whitechapel_pro/hal_fingerprint_default.te
+++ b/whitechapel_pro/hal_fingerprint_default.te
@@ -30,3 +30,6 @@ allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;
 # Allow fingerprint to access display hal
 allow hal_fingerprint_default hal_pixel_display_service:service_manager find;
 binder_call(hal_fingerprint_default, hal_graphics_composer_default)
+
+# allow fingerprint to access thermal hal
+hal_client_domain(hal_fingerprint_default, hal_thermal);

From d1e0b924ae1e76151985687bdb11ee25fc9a82f5 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 24 Oct 2022 17:00:13 -0700
Subject: [PATCH 10/31] betterbug: Update selinux policy for betterbug

Update startup_bugreport_requested property to vendor_public for betterbug to access.

Bug: 237287659
Test: Load Betterbug for accessing startup bugreport reason property
Signed-off-by: George Lee
Change-Id: Idc07e3f4ce425c0167654743fbe1ad8b7ece5e15
---
 whitechapel_pro/better_bug_app.te | 7 ++++++-
 whitechapel_pro/property.te | 2 +-
 whitechapel_pro/seapp_contexts | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
index 7a8c3818..506e832f 100644
--- a/whitechapel_pro/better_bug_app.te
+++ b/whitechapel_pro/better_bug_app.te
@@ -1,6 +1,11 @@
-type better_bug_app, domain;
+type better_bug_app, domain, coredomain;
 userdebug_or_eng(`
 app_domain(better_bug_app)
+ net_domain(better_bug_app)
+ allow better_bug_app app_api_service:service_manager find;
+ allow better_bug_app system_api_service:service_manager find;
+ allow better_bug_app privapp_data_file:file execute;
+ get_prop(better_bug_app, default_prop);
 get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
 ')
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 1bca1a73..ca17222c 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -39,4 +39,4 @@ vendor_internal_prop(vendor_telephony_app_prop)
 # Battery Mitigation
 vendor_internal_prop(vendor_mitigation_ready_prop)
-vendor_internal_prop(vendor_startup_bugreport_requested_prop)
+vendor_public_prop(vendor_startup_bugreport_requested_prop)
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 7a908751..ce467c3b 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -73,4 +73,4 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
 # BetterBug
-user=_app seinfo=platform name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=all

From 441a3ad3ef14ddcde44b0a9897eaa607db466b16 Mon Sep 17 00:00:00 2001
From: Jenny Ho
Date: Fri, 30 Sep 2022 16:56:57 +0800
Subject: [PATCH 11/31] Add permission for logbuffer_bd

Bug: 242679204
Signed-off-by: Jenny Ho
Change-Id: Ie5c9829ee1a4980689c933273a273f1f4ac612b6
---
 whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)
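Review bot: `allow better_bug_app privapp_data_file:file execute;` lets the app execute files out of its own writable data directory, which removes the W^X separation priv apps otherwise have; if this is for a native helper bundled in the APK it should run from the read-only install location instead, and if it is genuinely needed the line needs a comment saying what is executed and why. `get_prop(better_bug_app, default_prop);` is similarly broad, since default_prop is the label for every otherwise-unlabeled property; prefer the specific property types the app actually reads. In seapp_contexts the entry trades `seinfo=platform` for `isPrivApp=true`, so the domain is now keyed on package name plus privileged install location rather than the platform signing key; that is acceptable only if the app no longer ships platform-signed, and the commit message should say so.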
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 83232f1e..8b382741 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -107,6 +107,7 @@
 /dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_bd u:object_r:logbuffer_device:s0
 /dev/bbd_pwrstat u:object_r:power_stats_device:s0
 /dev/lwis-act-jotnar u:object_r:lwis_device:s0
 /dev/lwis-act-slenderman u:object_r:lwis_device:s0

From 0810814b496c8135336831bedcebfb88bbb96039 Mon Sep 17 00:00:00 2001
From: pointerkung
Date: Fri, 7 Oct 2022 14:59:53 +0800
Subject: [PATCH 12/31] Add required sepolicy rule for Camera

Grant access for TNR max_freq to let libperfmgr can control it via powerhint.

Bug: 243729855
Test: Build pass, GCA, Control TNR max_freq via powerhint
Change-Id: I8f8faa360d9908afe3fe0de3c322a2be356b86c8
---
 whitechapel_pro/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 452f93b2..b7e4a6fe 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -389,6 +389,7 @@ genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:obj
 # Camera
 genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0
 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
 # USB-C throttling stats

From 9877742035e91b2e7d4f57d147b020776d6f3b24 Mon Sep 17 00:00:00 2001
From: Puma Hsu
Date: Wed, 26 Oct 2022 16:58:59 +0800
Subject: [PATCH 13/31] Add xhci-hcd-exynos.6 wakeup path for suspend_control

Bug: 255270480
Test: verified with forrest test build
Change-Id: I5e2eed4d5e20361d86f6d6be8c92ca337e4ee004
Signed-off-by: Puma Hsu
---
 whitechapel_pro/genfs_contexts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index b7e4a6fe..85dc310d 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -342,6 +342,9 @@ genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.au
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.6.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.6.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.6.auto/usb3 u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0

From f9552297fa6bb3c4c720d321aa52a346565f9d60 Mon Sep 17 00:00:00 2001
From: Star Chang
Date: Thu, 6 Oct 2022 06:47:49 +0000
Subject: [PATCH 14/31] Add sepolicy for TWT to dumpstate

Bug: 253348062
Test: dump bugreport ok
Signed-off-by: Star Chang
Change-Id: I0958fef496302df3f5e6e188f15117de78988a62
---
 whitechapel_pro/file.te | 2 +-
 whitechapel_pro/genfs_contexts | 1 +
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index d20b6f58..e3a6bd52 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -56,7 +56,7 @@ type sysfs_soc, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
 type sysfs_pca, sysfs_type, fs_type;
-
+type sysfs_ptracker, sysfs_type, fs_type;
 # debugfs
 type debugfs_f2fs, debugfs_type, fs_type;
 type vendor_maxfg_debugfs, fs_type, debugfs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 85dc310d..9939bbf4 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -40,6 +40,7 @@ genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/ieee80215
 # WiFi
 genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
+genfscon sysfs /wlan_ptracker u:object_r:sysfs_ptracker:s0
 # ACPM
 genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 21fa7025..11f2fc7e 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -45,6 +45,9 @@ allow hal_dumpstate_default mitigation_vendor_data_file:file r_file_perms;
 allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
+allow hal_dumpstate_default sysfs_ptracker:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_ptracker:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;

From 40be3818e112434f63532ab2f1c226d9e155c0f6 Mon Sep 17 00:00:00 2001
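Review bot: The file.te hunk replaces the blank line that separated the sysfs types from the `# debugfs` section with the new `type sysfs_ptracker, sysfs_type, fs_type;` line, so the new type now runs straight into the debugfs comment; insert the type after sysfs_pca and leave the blank separator in place. The genfscon entry labels the whole /sys/wlan_ptracker subtree and the dumpstate rules grant r_dir_perms/r_file_perms over all of it, which is reasonable for a bugreport collector but should carry a comment naming what is collected, e.g. `# TWT (wlan_ptracker) stats for bugreport (b/253348062)`.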
From: George Lee
Date: Sat, 5 Nov 2022 10:03:43 -0700
Subject: [PATCH 15/31] betterbug: Fixed sepolicy related to mediaserver [DO NOT MERGE]

Added mediaserver sepolicy for betterbug

Bug: 237287659
Test: Run same video capture on Betterbug to confirm video can be captured.
Signed-off-by: George Lee
Change-Id: I5226bdbf9d4fccb991161bbe6ac4edf8fd3b15a7
---
 whitechapel_pro/better_bug_app.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
index 506e832f..41d403b8 100644
--- a/whitechapel_pro/better_bug_app.te
+++ b/whitechapel_pro/better_bug_app.te
@@ -6,6 +6,7 @@ userdebug_or_eng(`
 allow better_bug_app app_api_service:service_manager find;
 allow better_bug_app system_api_service:service_manager find;
 allow better_bug_app privapp_data_file:file execute;
+ allow better_bug_app mediaserver_service:service_manager find;
 get_prop(better_bug_app, default_prop);
 get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
 ')

From 35112bba62a73e3517f9ba70011b6050db3019af Mon Sep 17 00:00:00 2001
From: Roger Fang
Date: Wed, 2 Nov 2022 16:31:48 +0800
Subject: [PATCH 16/31] [DO NOT MERGE] sepolicy: add permission for CCA rate of pixelstats-vend

pixelstats-vend: type=1400 audit(0.0:7): avc: denied { read } for name="cca_rate_read_once" dev="sysfs" ino=100809 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 249225148
Test: Manually test passed
Change-Id: I802b79417cd9ce23386bb62eccb151610bfb8ac1
Signed-off-by: Roger Fang
---
 aoc/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
index abfc5a99..f474c77b 100644
--- a/aoc/genfs_contexts
+++ b/aoc/genfs_contexts
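Review bot: The added `mediaserver_service:service_manager find` rule is likely redundant: in AOSP's service.te mediaserver_service carries the app_api_service attribute, which this domain is already allowed to find two lines above, so a find denial on that service should not have occurred and the failure that motivated the change probably lies elsewhere (a binder or camera/audio rule, for instance). Confirm against the actual avc log before merging, and if the rule stays, add a comment quoting the denial it fixes. The enclosing userdebug_or_eng block starts before this hunk.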
@@ -27,4 +27,5 @@ genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:ob
 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
 genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0
 genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/cca_rate_read_once u:object_r:sysfs_pixelstats:s0

From 8427e1db8de95939cd72131cdf30b46e64333d4b Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 7 Nov 2022 16:57:22 -0800
Subject: [PATCH 17/31] betterbug: Fixed sepolicy related to File [DO NOT MERGE]

Added File Attachment sepolicy for betterbug

Bug: 237287659
Test: Attach files from local directory and confirm it can be attached.
Signed-off-by: George Lee
Change-Id: Ie2ee163794a4b955915a1b62b12d5aa625931034
---
 whitechapel_pro/better_bug_app.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
index 41d403b8..6813024b 100644
--- a/whitechapel_pro/better_bug_app.te
+++ b/whitechapel_pro/better_bug_app.te
@@ -3,6 +3,7 @@ type better_bug_app, domain, coredomain;
 userdebug_or_eng(`
 app_domain(better_bug_app)
 net_domain(better_bug_app)
+ allow better_bug_app shell_data_file:file read;
 allow better_bug_app app_api_service:service_manager find;
 allow better_bug_app system_api_service:service_manager find;
 allow better_bug_app privapp_data_file:file execute;

From 8140a508451466f19a95097d0ce936468801b1da Mon Sep 17 00:00:00 2001
From: Rick Chen
Date: Tue, 8 Nov 2022 22:44:09 +0800
Subject: [PATCH 18/31] Allow CHRE to use EPOLLWAKEUP [DO NOT MERGE]

avc: denied { block_suspend } for comm="UsfTransport" capability=36 scontext=u:r:chre:s0 tcontext=u:r:chre:s0 tclass=capability2 permissive=0

Bug: 238666865
Test: Check no chre avc denied.
Change-Id: Ie936055550c6221beae394c264d664c1e76f946b
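Review bot: `allow better_bug_app shell_data_file:file read;` in the better_bug_app.te hunk grants read without open or getattr, which is only sufficient when the app receives an already-open file descriptor (for example over binder); if it opens paths under /data/local/tmp itself, the denial will simply move to `open`. State which it is in a comment on the line, e.g. `# read attachments handed over as fds from shell`, and if direct opens are required use r_file_perms on a narrower type rather than every shell-owned file. The enclosing userdebug_or_eng block starts before this hunk.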
Signed-off-by: Rick Chen
---
 whitechapel_pro/chre.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te
index 6d826217..26c1675f 100644
--- a/whitechapel_pro/chre.te
+++ b/whitechapel_pro/chre.te
@@ -22,3 +22,6 @@ allow chre hal_wifi_ext_hwservice:hwservice_manager find;
 # Allow CHRE host to talk to stats service
 allow chre fwk_stats_service:service_manager find;
 binder_call(chre, stats_service_server)
+
+# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP.
+allow chre self:global_capability2_class_set block_suspend;

From 4baa8bea9c1bc4211ff113929dfcfd501b7bb702 Mon Sep 17 00:00:00 2001
From: Minchan Kim
Date: Mon, 7 Nov 2022 10:35:42 -0800
Subject: [PATCH 19/31] dumpstate: allow dumpstate access pixel specific trace events

At bugreport, it's useful to debug problems with having trace events. Allow dumpstate access pixel trace event directory and files.

Test: "adb bugreport" includes trace event capture.
Bug: 238728493
Change-Id: Ia3fe7c149bfa0d0d192070ff28513384898af917
Signed-off-by: Minchan Kim
---
 whitechapel_pro/hal_dumpstate_default.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 11f2fc7e..606ec046 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -139,6 +139,8 @@ userdebug_or_eng(`
 allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
 allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
 allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+ allow hal_dumpstate_default debugfs_tracing_instances:dir search;
+ allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
 allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
 allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
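Review bot: debugfs_tracing_instances is the core label for everything under the tracing instances directory, not only the pixel-specific instances the description mentions, so the two new rules in the dumpstate hunk expose every trace instance present on the device to dumpstate; if only a named instance is needed, a device-specific type assigned via genfscon would scope it. `dir search` alone does not let dumpstate enumerate the instances directory, so if the bugreport code lists or globs it the rule needs r_dir_perms instead. A comment naming the instance being captured, e.g. `# pixel trace instance captured into the bugreport (b/238728493)`, would help, and the enclosing userdebug_or_eng block starts before this hunk.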
@@ -167,6 +169,8 @@ dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
 dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;
 dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
 dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default debugfs_tracing_instances:dir search;
+dontaudit hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
 dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
 dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
 dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;

From d59612c409a9869f77797c619e8163d5394bf38e Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 14 Nov 2022 10:12:24 -0800
Subject: [PATCH 20/31] gs201-sepolicy: Add BrownoutDetection app [DO NOT MERGE]

This app files bugreport for user-debug build with reboot reason = ocp or uvlo. Removed the dependency on BetterBug.

Bug: 237287659
Test: Ensure bugreport is generated under user-debug build with reboot reason = ocp or uvlo.
Signed-off-by: George Lee
Change-Id: Ib8fceb62e66e9d561a6597687ea3cbe5ac9a832d
---
 whitechapel_pro/battery_mitigation.te | 1 -
 whitechapel_pro/better_bug_app.te | 13 -------------
 whitechapel_pro/brownout_detection_app.te | 9 +++++++++
 whitechapel_pro/property.te | 2 +-
 whitechapel_pro/property_contexts | 2 +-
 whitechapel_pro/seapp_contexts | 4 ++--
 whitechapel_pro/vendor_init.te | 2 +-
 7 files changed, 14 insertions(+), 19 deletions(-)
 delete mode 100644 whitechapel_pro/better_bug_app.te
 create mode 100644 whitechapel_pro/brownout_detection_app.te

diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te
index 56b83733..5fecbcba 100644
--- a/whitechapel_pro/battery_mitigation.te
+++ b/whitechapel_pro/battery_mitigation.te
@@ -2,7 +2,6 @@ type battery_mitigation, domain;
 type battery_mitigation_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(battery_mitigation)
 get_prop(battery_mitigation, boot_status_prop)
-get_prop(battery_mitigation, vendor_startup_bugreport_requested_prop)
 set_prop(battery_mitigation, vendor_mitigation_ready_prop)
 hal_client_domain(battery_mitigation, hal_thermal);
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
deleted file mode 100644
index 6813024b..00000000
--- a/whitechapel_pro/better_bug_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type better_bug_app, domain, coredomain;
-
-userdebug_or_eng(`
- app_domain(better_bug_app)
- net_domain(better_bug_app)
- allow better_bug_app shell_data_file:file read;
- allow better_bug_app app_api_service:service_manager find;
- allow better_bug_app system_api_service:service_manager find;
- allow better_bug_app privapp_data_file:file execute;
- allow better_bug_app mediaserver_service:service_manager find;
- get_prop(better_bug_app, default_prop);
- get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
-')
diff --git a/whitechapel_pro/brownout_detection_app.te b/whitechapel_pro/brownout_detection_app.te
new file mode 100644
index 00000000..6146a745
--- /dev/null
+++ b/whitechapel_pro/brownout_detection_app.te
@@ -0,0 +1,9 @@
+type brownout_detection_app, domain, coredomain;
+
+userdebug_or_eng(`
+ app_domain(brownout_detection_app)
+ net_domain(brownout_detection_app)
+ allow brownout_detection_app app_api_service:service_manager find;
+ allow brownout_detection_app system_api_service:service_manager find;
+ get_prop(brownout_detection_app, vendor_brownout_reason_prop)
+')
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index ca17222c..6a377573 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
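Review bot: brownout_detection_app is given net_domain() in the new file although its stated job is filing a bugreport when the boot reason is ocp or uvlo, so either the network access is for uploading and a comment should say so, or it was carried over from the deleted better_bug_app rules and can be dropped. The type is declared with coredomain inside the vendor policy directory; confirm this is what the partition's policy build expects, since coredomain types are normally defined outside vendor policy and the earlier google_touch_app-style domains in this tree omit it. A header comment naming the package and what the domain is for, e.g. `# BrownoutDetection: reads vendor.brownout_reason and files a bugreport on userdebug builds`, would also help.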
@@ -39,4 +39,4 @@ vendor_internal_prop(vendor_telephony_app_prop)
 # Battery Mitigation
 vendor_internal_prop(vendor_mitigation_ready_prop)
-vendor_public_prop(vendor_startup_bugreport_requested_prop)
+vendor_public_prop(vendor_brownout_reason_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 814d0184..9aa97f1b 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -109,4 +109,4 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop:
 # Battery Mitigation
 vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0
-vendor.startup_bugreport_requested u:object_r:vendor_startup_bugreport_requested_prop:s0
+vendor.brownout_reason u:object_r:vendor_brownout_reason_prop:s0
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index ce467c3b..720081c7 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -72,5 +72,5 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
-# BetterBug
-user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=all
+# BrownoutDetection
+user=_app isPrivApp=true name=com.google.android.brownoutdetection domain=brownout_detection_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 5de29166..dae9fa6c 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
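Review bot: The seapp_contexts line maps com.google.android.brownoutdetection to brownout_detection_app on every build type, while that domain's app_domain() and all of its other rules are inside userdebug_or_eng, so on a user build the app would be placed in a domain with no permissions and crash on launch instead of running as an ordinary priv app. Guard the entry the same way if seapp_contexts is processed by m4 here, or otherwise keep the APK off user images and note that on the entry. Switching the property to vendor_public_prop is what lets a coredomain app read it; a short comment on the property.te line stating that the value is a non-sensitive boot reason would justify the wider visibility.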
@@ -37,7 +37,7 @@ set_prop(vendor_init, vendor_battery_defender_prop)
 set_prop(vendor_init, vendor_display_prop)
 # Battery Mitigation
-set_prop(vendor_init, vendor_startup_bugreport_requested_prop)
+set_prop(vendor_init, vendor_brownout_reason_prop)
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
From a2e6c51431608cdd72b1b23e15c27811622dfaff Mon Sep 17 00:00:00 2001 From: Steve Pfetsch Date: Fri, 18 Nov 2022 08:45:41 +0000 Subject: [PATCH 21/31] gs201-sepolicy: provide permission for TouchInspector app [DO NOT MERGE] Resolve these access violations: avc: denied { write } for name="driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { open } for path="/proc/fts/driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { getattr } for path="/proc/fts/driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { read } for name="driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { open } for path="/proc/fts_ext/driver_test" dev="proc" ino=4026535574 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { getattr } for path="/proc/fts_ext/driver_test" dev="proc" ino=4026535574 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector Bug: 182118395
Signed-off-by: Steve Pfetsch Change-Id: Ia3bd2323b77134b8e47d858f36756780dec98c19 --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/google_touch_app.te | 11 +++++++++++ whitechapel_pro/seapp_contexts | 3 +++ 3 files changed, 17 insertions(+) create mode 100644 whitechapel_pro/google_touch_app.te
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index e3a6bd52..288bb7c2 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -109,6 +109,9 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 # Touch
 type proc_touch, proc_type, fs_type;
+userdebug_or_eng(`
+ typeattribute proc_touch mlstrustedobject;
+')
 # Vendor sched files
 userdebug_or_eng(`
diff --git a/whitechapel_pro/google_touch_app.te b/whitechapel_pro/google_touch_app.te
new file mode 100644
index 00000000..f90fde1e
--- /dev/null
+++ b/whitechapel_pro/google_touch_app.te
@@ -0,0 +1,11 @@
+type google_touch_app, domain;
+
+userdebug_or_eng(`
+ app_domain(google_touch_app)
+
+ allow google_touch_app app_api_service:service_manager find;
+
+ allow google_touch_app sysfs_touch:dir r_dir_perms;
+ allow google_touch_app sysfs_touch:file rw_file_perms;
+ allow google_touch_app proc_touch:file rw_file_perms;
+')
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 720081c7..d7fd69de 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -44,6 +44,9 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+# Touch app
+user=_app seinfo=platform name=com.google.touch.touchinspector domain=google_touch_app type=app_data_file levelFrom=user
+
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
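Review bot: `type google_touch_app, domain;` in the new google_touch_app.te omits `coredomain`, yet the seapp_contexts hunk of this same commit selects the domain with seinfo=platform (a platform-signed app) and the sibling brownout_detection_app earlier in this series is declared `domain, coredomain`; unless the domain is deliberately treated as vendor, it should read `type google_touch_app, domain, coredomain;`, or carry a comment saying why it is not. The `rw_file_perms` on proc_touch, together with the mlstrustedobject attribute added in file.te, lets the app write to the /proc/fts/driver_test and /proc/fts_ext/driver_test nodes named in the denials on debug builds; a comment on that allow line naming driver_test as the reason write access is needed would let the next reader scope it.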
From 5cd114d3a0aa1173d842f068dccb3c0899c5c306 Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 22 Nov 2022 23:38:29 +0000 Subject: [PATCH 22/31] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: build, flash, test app loading Bug: 258018785 Change-Id: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d Merged-In: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d --- whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/tee.te | 2 ++ whitechapel_pro/vendor_init.te | 3 +++ 4 files changed, 11 insertions(+)
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 6a377573..b5bf04c2 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -40,3 +40,6 @@ vendor_internal_prop(vendor_telephony_app_prop)
 # Battery Mitigation
 vendor_internal_prop(vendor_mitigation_ready_prop)
 vendor_public_prop(vendor_brownout_reason_prop)
+
+# Trusty storage FS ready
+vendor_internal_prop(vendor_trusty_storage_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 9aa97f1b..32b304b1 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -110,3 +110,6 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop:
 # Battery Mitigation
 vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0
 vendor.brownout_reason u:object_r:vendor_brownout_reason_prop:s0
+
+# Trusty
+ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te
index 58228b5a..811dcbbc 100644
--- a/whitechapel_pro/tee.te
+++ b/whitechapel_pro/tee.te
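Review bot: `ro.vendor.trusty.storage.fs_ready` is a read-only property, so the first set by storageproxyd is final: if the daemon restarts, or the data filesystems come up later than the first set, it cannot update or clear the flag and vendor_init waiters will act on stale state. If the value is meant to be written exactly once per boot that is fine, but the `# Trusty` heading should say so, e.g. `# Trusty: set once per boot by storageproxyd; ro. so it cannot be cleared afterwards`. It is also worth confirming whether the line should be marked `exact`, since I believe an unqualified property_contexts entry is a prefix match and would label any longer name sharing this prefix.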
@@ -15,3 +15,5 @@ read_fstab(tee)
 # storageproxyd starts before /data is mounted. It handles /data not being there
 # gracefully. However, attempts to access /data trigger a denial.
 dontaudit tee unlabeled:dir { search };
+
+set_prop(tee, vendor_trusty_storage_prop)
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index dae9fa6c..5b828e93 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -41,3 +41,6 @@ set_prop(vendor_init, vendor_brownout_reason_prop)
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
+
+# Trusty storage FS ready
+get_prop(vendor_init, vendor_trusty_storage_prop)
From 24cfe388c5f6e0c25a42dd3a252a1b0102b981ae Mon Sep 17 00:00:00 2001 From: Wasb Liu Date: Mon, 14 Nov 2022 09:49:24 +0000 Subject: [PATCH 23/31] hal_health_default: updated sepolicy allow android.hardware.health service to access persist_battery_file 11-14 13:53:39.242 872 872 W android.hardwar: type=1400 audit(0.0:17): avc: denied { search } for name="battery" dev="sda1" ino=84 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=0 Bug: 258535661 Test: check for no avc denied on persist_battery_file Change-Id: I7564b03339e17f9eea4aa5a8feda31bcfdd6100c Signed-off-by: Wasb Liu --- whitechapel_pro/hal_health_default.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index d953d4b2..6c3c6940 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
@@ -1,5 +1,7 @@
 allow hal_health_default mnt_vendor_file:dir search;
 allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
 set_prop(hal_health_default, vendor_battery_defender_prop)
From 2d4a9c02fce0ec81afa33e8b7964e2844510fe46 Mon Sep 17 00:00:00 2001
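Review bot: The hal_health_default grant is much wider than the denial it cites: the avc line shows only `search` on the persist_battery_file directory, but the two added rules give the health HAL `create_file_perms` on its files and `rw_dir_perms` on the directory, i.e. it can now create, overwrite and unlink anything in that persist subtree. If the HAL only reads battery data there, `r_dir_file(hal_health_default, persist_battery_file)` is the minimal fix; if it genuinely writes, the commit message should say what it writes so the create/write permission is justified. The same hunk is re-applied by the cherry-picked patch 27 later in this chunk and the remark applies there as well.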
From: Ziyi Cui Date: Wed, 9 Nov 2022 18:35:41 -0800 Subject: [PATCH 24/31] [ DO NOT MERGE ] gs201-sepolicy: pixelstats: enable pixelstats access to temp-residency-metrics enable pixelstats access to sysfs path Bug: 246799997 Test: Verified the existence of atom and correctness of atom stats Signed-off-by: Ziyi Cui Change-Id: I4a731d40a586e01c484cf95c57fb16a03f5e6ceb --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/pixelstats_vendor.te | 3 +++ 3 files changed, 9 insertions(+)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 288bb7c2..8b79dbe4 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -96,6 +96,9 @@ type vendor_usf_stats, vendor_file_type, file_type;
 type vendor_usf_reg_edit, vendor_file_type, file_type;
 type vendor_dumpsys, vendor_file_type, file_type;
+#vendor-metrics
+type sysfs_vendor_metrics, fs_type, sysfs_type;
+
 # Modem
 type modem_efs_file, file_type;
 type modem_userdata_file, file_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 9939bbf4..b06d7e55 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -391,6 +391,9 @@ genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:obj
 genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
 genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+#vendor-metrics
+genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:object_r:sysfs_vendor_metrics:s0
+
 # Camera
 genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index d327a30d..a8d7b123 100644
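Review bot: The new genfscon labels a single leaf, /kernel/metrics/temp_residency/temp_residency_all/stats, so every further metrics node needs its own line (patch 26 later in this chunk already adds two) while the /kernel/metrics directories themselves keep the generic sysfs label. If everything under /kernel/metrics is meant to be readable only by pixelstats and dumpstate, labelling the directory once with `genfscon sysfs /kernel/metrics u:object_r:sysfs_vendor_metrics:s0` is less error-prone; if unrelated nodes live there, the per-leaf form is right and a comment saying so would help. The heading `#vendor-metrics` also departs from the `# Camera` / `# Modem` style used around it in both files.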
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -27,6 +27,9 @@ allow pixelstats_vendor sysfs_pca:file rw_file_perms;
 r_dir_file(pixelstats_vendor, sysfs_thermal)
 allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;
+#vendor-metrics
+r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
+
 # BCL
 allow pixelstats_vendor sysfs_bcl:dir search;
 allow pixelstats_vendor sysfs_bcl:file r_file_perms;
From 521334a3667b74ac1149087e4aedba639213dce4 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Mon, 14 Nov 2022 19:00:27 -0800 Subject: [PATCH 25/31] gs201-sepolicy:dumpstate: allow dumpstate access sysfs_vendor_metrics Test: "adb bugreport" includes metrics capture. Bug: 246799997 Signed-off-by: Ziyi Cui Change-Id: I1c2f4aaf1cd875a37497ca8beacb555d39eeb51e --- whitechapel_pro/hal_dumpstate_default.te | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 606ec046..e9d7271c 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -141,6 +141,8 @@ userdebug_or_eng(`
 allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
 allow hal_dumpstate_default debugfs_tracing_instances:dir search;
 allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
+ allow hal_dumpstate_default sysfs_vendor_metrics:dir search;
+ allow hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms;
 allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
 allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
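Review bot: The two dumpstate allow rules are added inside the `userdebug_or_eng` block, while the matching dontaudit pair in the next hunk is unconditional, so on user builds dumpstate will silently skip the metrics nodes and the "adb bugreport includes metrics capture" test only holds on debug builds. If that split is intended, a comment on the added lines such as `# vendor metrics: debug builds only; user builds are dontaudit below` would record it; if user bugreports are supposed to carry the metrics too, the rules belong outside the block. The enclosing userdebug_or_eng block opens before this hunk.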
@@ -171,6 +173,8 @@ dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
 dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
 dontaudit hal_dumpstate_default debugfs_tracing_instances:dir search;
 dontaudit hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
+dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search;
+dontaudit hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms;
 dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
 dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
 dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
From 30e01ffb8c5662216a59eae2bc9a35dd2d025029 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Fri, 21 Oct 2022 14:59:31 -0700 Subject: [PATCH 26/31] [ DO NOT MERGE ] gs201-sepolicy: pixelstats: enable pixelstats access to perf-metrics enable pixelstats access to sysfs path, define sysfs_perfmetrics Bug: 227809911 Bug: 232541623 Test: Verified the existence of atom and correctness of resume latency, irq stats Signed-off-by: Ziyi Cui Change-Id: If1b95148b59a6816c6795921018dfae68d80550b --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index b06d7e55..5ee9a609 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -393,6 +393,8 @@ genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:obj
 #vendor-metrics
 genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:object_r:sysfs_vendor_metrics:s0
+genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0
+genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0
 # Camera
 genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
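Review bot: The commit message says this change defines sysfs_perfmetrics, but the genfs_contexts hunk only adds two lines under the existing sysfs_vendor_metrics label and no new type is declared anywhere in the diffstat, so the description no longer matches the patch. Either the message should be reworded to say the resume-latency and long-IRQ nodes are folded into sysfs_vendor_metrics, or, if a separate label was intended so perf metrics can be granted independently of temp-residency, the type declaration in file.te and its allow rules are missing. As written, the pixelstats and dumpstate rules from patches 24 and 25 cover these two nodes automatically because they share the label, which should be a deliberate choice rather than a side effect.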
From daeff5e18c09bb3bd225da85539cb5a396417cf0 Mon Sep 17 00:00:00 2001 From: Wasb Liu Date: Mon, 14 Nov 2022 09:49:24 +0000 Subject: [PATCH 27/31] hal_health_default: updated sepolicy allow android.hardware.health service to access persist_battery_file 11-14 13:53:39.242 872 872 W android.hardwar: type=1400 audit(0.0:17): avc: denied { search } for name="battery" dev="sda1" ino=84 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=0 Bug: 258535661 Bug: 260878511 Test: check for no avc denied on persist_battery_file Change-Id: I7564b03339e17f9eea4aa5a8feda31bcfdd6100c Signed-off-by: Wasb Liu Signed-off-by: Ken Tsou (cherry picked from commit 24cfe388c5f6e0c25a42dd3a252a1b0102b981ae) --- whitechapel_pro/hal_health_default.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index 0e393765..cfe602df 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
@@ -1,5 +1,7 @@
 allow hal_health_default mnt_vendor_file:dir search;
 allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
 set_prop(hal_health_default, vendor_battery_defender_prop)
From 0237351f526afce11bc26adf4d0344919fb385b2 Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 1 Dec 2022 16:19:17 -0800 Subject: [PATCH 28/31] Battery Mitigation: Use Brownout Reason - sepolicy Brownout Reason replaces startup_bugreport_requested. Battery Mitigation needs to be updated. Bug: 237287659 Test: Ensure lastmeal.txt is properly generated. Merged-In: Ia03da290f5cb90ebbc7616d46e90064e346a402c Change-Id: Ic123d704e37aa6d1dcd7377c291b537069ede829 Signed-off-by: George Lee --- whitechapel_pro/battery_mitigation.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te
index 5fecbcba..643b2fc6 100644
--- a/whitechapel_pro/battery_mitigation.te
+++ b/whitechapel_pro/battery_mitigation.te
@@ -3,6 +3,7 @@ type battery_mitigation_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(battery_mitigation)
 get_prop(battery_mitigation, boot_status_prop)
 set_prop(battery_mitigation, vendor_mitigation_ready_prop)
+get_prop(battery_mitigation, vendor_brownout_reason_prop)
 hal_client_domain(battery_mitigation, hal_thermal);
 hal_client_domain(battery_mitigation, hal_health);
From 5df8045c3bf0c76041584ad36c9388575ea2784f Mon Sep 17 00:00:00 2001
From: chiayupei Date: Mon, 14 Nov 2022 08:42:46 +0000 Subject: [PATCH 29/31] hal_sensors_default: Add sepolicy for MagCC. avc: denied { search } for name="battery" dev="sysfs" ino=78703 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 avc: denied { read } for name="status" dev="sysfs" ino=78714 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/google,battery/power_supply/battery/status" dev="sysfs" ino=78714 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/platform/google,battery/power_supply/battery/status" dev="sysfs" ino=78714 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { read } for name="status" dev="sysfs" ino=78714 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { search } for name="i2c-p9222" dev="sysfs" ino=69679 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1 Bug: 254155730 Test: Manually test no avc denied for MagCC Change-Id: Ie5261b39187ffcdf645ae64727c54643bdbc1c47 Signed-off-by: chiayupei --- whitechapel_pro/hal_sensors_default.te | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
index bb3a9139..fcd758a4 100644
--- a/whitechapel_pro/hal_sensors_default.te
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -81,3 +81,8 @@ binder_call(hal_sensors_default, hal_graphics_composer_default);
 # Allow display_info_service access to the backlight driver.
 allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
+
+# Allow access to the power supply files for MagCC.
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
+
From 812312fb1cfebb3b313b50b563bf22800010b1b3 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Sat, 29 Oct 2022 11:02:08 +0800 Subject: [PATCH 30/31] ignore shell access on wlc Bug: 261804136 Test: boot Change-Id: I5f1d321df2daa2ec785e2ad1ac2e02478568b688 Merged-In: I5f1d321df2daa2ec785e2ad1ac2e02478568b688 Signed-off-by: Jack Wu --- whitechapel_pro/shell.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te
index 978a5426..44ae0768 100644
--- a/whitechapel_pro/shell.te
+++ b/whitechapel_pro/shell.te
@@ -3,3 +3,6 @@ userdebug_or_eng(`
 allow shell sysfs_sjtag:dir r_dir_perms;
 allow shell sysfs_sjtag:file rw_file_perms;
 ')
+
+# wlc
+dontaudit shell sysfs_wlc:dir search;
From f5a88c35a4fc5e8875ef6ad3d49c9980fe23b081 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Wed, 14 Dec 2022 15:11:13 +0800 Subject: [PATCH 31/31] Add sepolicy rule to allow dump battery maxfg history android.hardwar: type=1400 audit(0.0:7): avc: denied { getattr } for path="/dev/maxfg_history" dev="tmpfs" ino=580 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 bug=b/240632721 Bug: 254164096 Change-Id: I64ff95ba8db62a8f831d012b4cdf4e6ec973f086 Signed-off-by: Jenny Ho --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_dumpstate_default.te | 2 ++ 2 files changed, 3 insertions(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 8b382741..dc1101bc 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
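Review bot: The hal_sensors_default hunk ends with an added empty line after `allow hal_sensors_default sysfs_wlc:dir r_dir_perms;`, leaving the file terminated by a blank line; the final `+` line should be dropped. The denials quoted in the commit message show only `search` on the sysfs_wlc directory, so `allow hal_sensors_default sysfs_wlc:dir search;` would match the observed need more tightly than r_dir_perms unless the HAL also enumerates that directory. The comment could also say what is actually read, e.g. `# MagCC reads the battery status node and locates the wireless-charger (sysfs_wlc) directory.`.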
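Review bot: The `# wlc` comment above the new dontaudit does not say what in the shell domain touches sysfs_wlc or why the access is silenced rather than granted; a dontaudit also hides future denials that might matter, so the reason should be recorded, e.g. `# wlc: shell-run tooling walks the wireless-charger sysfs dir; access is not needed, only the log noise is unwanted (b/261804136)`. The rule sits outside the userdebug_or_eng block above it and so applies to user builds too, which is presumably intended since that is where the noise is reported.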
@@ -213,6 +213,7 @@
 /data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0
 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
+/dev/maxfg_history u:object_r:battery_history_device:s0
 /dev/battery_history u:object_r:battery_history_device:s0
 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
 /data/vendor/mitigation(/.*)? u:object_r:mitigation_vendor_data_file:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index e9d7271c..fbfbd227 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -102,6 +102,8 @@ allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
 allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms;
 allow hal_dumpstate_default proc_vendor_sched:file r_file_perms;
+allow hal_dumpstate_default battery_history_device:chr_file r_file_perms;
+
 userdebug_or_eng(`
 allow hal_dumpstate_default sysfs_leds:dir search;
 allow hal_dumpstate_default sysfs_leds:file rw_file_perms;
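Review bot: Reusing battery_history_device for /dev/maxfg_history means every domain already allowed on /dev/battery_history silently gains the new node as well, and the dumpstate allow added here is unconditional (the sysfs_leds rules right below it are userdebug_or_eng), so fuel-gauge history will be captured in bugreports on user builds too. Both are probably intended since the two nodes hold the same class of data, but the commit message should say so, and a comment on the file_contexts line such as `# maxfg history shares battery_history_device with /dev/battery_history` would flag the coupling for the next person who widens access to that label.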