Snap for 12605939 from 1b64d05d93 to mainline-tzdata6-release

Change-Id: I7b88a32568d0a86b55d56952018be45559a9c3db
2024-11-05 10:09:31 +00:00 · 2024-11-05 10:09:31 +00:00 · 6c34dea406
commit 6c34dea406
parent f40749fe0c 1b64d05d93
7 changed files with 20 additions and 37 deletions
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@ -4,6 +4,7 @@ dump_modem sscoredump_vendor_data_logcat_file dir b/361726277
 dumpstate unlabeled file b/350832009
 hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
+hal_sensors_default property_socket sock_file b/373755350
 hal_sensors_default sysfs file b/336451433
 hal_vibrator_default default_android_service service_manager b/360057889
 incidentd debugfs_wakeup_sources file b/282626428
--- a/whitechapel_pro/convert-to-ext4-sh.te
+++ b/whitechapel_pro/convert-to-ext4-sh.te
@ -1,34 +0,0 @@
-type convert-to-ext4-sh, domain, coredomain;
-type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
-  permissive convert-to-ext4-sh;
-
-  init_daemon_domain(convert-to-ext4-sh)
-
-  allow convert-to-ext4-sh block_device:dir search;
-  allow convert-to-ext4-sh e2fs_exec:file rx_file_perms;
-  allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms;
-  allow convert-to-ext4-sh kernel:process setsched;
-  allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms;
-  allow convert-to-ext4-sh persist_block_device:blk_file { getattr ioctl open read write };
-  allow convert-to-ext4-sh shell_exec:file rx_file_perms;
-  allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search };
-  allow convert-to-ext4-sh sysfs_fs_ext4_features:file read;
-  allow convert-to-ext4-sh tmpfs:dir { add_name create mounton open };
-  allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr };
-  allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink };
-  allow convert-to-ext4-sh toolbox_exec:file rx_file_perms;
-  allow convert-to-ext4-sh vendor_persist_type:dir { rw_file_perms search };
-  allow convert-to-ext4-sh vendor_persist_type:file rw_file_perms;
-
-  allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl {
-    BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD
-  };
-
-  dontaudit convert-to-ext4-sh labeledfs:filesystem  { mount unmount };
-  dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio };
-  dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr };
-  dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr };
-  dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };
-')
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@ -93,3 +93,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;

 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
+
+# /system_ext/bin/convert_to_ext4.sh
+type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@ -5,7 +5,7 @@
 /vendor/bin/vcd                                                             u:object_r:vcd_exec:s0
 /vendor/bin/chre                                                            u:object_r:chre_exec:s0
 /vendor/bin/cbd                                                             u:object_r:cbd_exec:s0
-/vendor/bin/modem_svc_sit                                                   u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/shared_modem_platform                                           u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/rfsd                                                            u:object_r:rfsd_exec:s0
 /vendor/bin/bipchmgr                                                        u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd                                                   u:object_r:tee_exec:s0
--- a/whitechapel_pro/init.te
+++ b/whitechapel_pro/init.te
@ -19,3 +19,14 @@ allow init sysfs_scsi_devices_0000:file w_file_perms;
 # Workaround for b/193113005 that modem_img unlabeled after disable-verity
 dontaudit init overlayfs_file:file rename;
 dontaudit init overlayfs_file:chr_file unlink;
+
+# /system_ext/bin/convert_to_ext4.sh is a script to convert an f2fs
+# filesystem into an ext4 filesystem. This script is executed on
+# debuggable devices only. As it is a one-shot script which
+# has run in permissive mode since 2022, we transition to the
+# su domain to avoid unnecessarily polluting security policy
+# with rules which are never enforced.
+# This script was added in b/239632964
+userdebug_or_eng(`
+  domain_auto_trans(init, convert-to-ext4-sh_exec, su)
+')
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@ -1,3 +1,4 @@
+# Selinux rule for modem_svc_sit daemon
 type modem_svc_sit, domain;
 type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(modem_svc_sit)
@ -37,6 +38,9 @@ get_prop(modem_svc_sit, hwservicemanager_prop)
 # logging property
 get_prop(modem_svc_sit, vendor_logger_prop)

+# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
+hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
+
 userdebug_or_eng(`
  allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
@ -4,5 +4,3 @@ hardware.qorvo.uwb.IUwbVendor/default                      u:object_r:hal_uwb_ve
 vendor.google.wireless_charger.IWirelessCharger/default                      u:object_r:hal_wireless_charger_service:s0

 rlsservice                                                 u:object_r:rls_service:s0
-
-android.hardware.media.c2.IComponentStore/default1         u:object_r:hal_codec2_service:s0