From 4041f814bed47dcefb9d40d1aa6b8b5176fe0d9e Mon Sep 17 00:00:00 2001 From: Peter Csaszar Date: Mon, 14 Feb 2022 20:29:23 -0800 Subject: [PATCH 001/162] pixel-selinux: add SJTAG policies These are the SELinux policies for the sysfs files of the SJTAG kernel interface. The files are in the following directories: /sys/devices/platform/sjtag_ap/interface/ /sys/devices/platform/sjtag_gsa/interface/ Bug: 207571417 Signed-off-by: Peter Csaszar Change-Id: I5ec50d9ff7cd0e08ade7acce21e73751e93a0aff --- whitechapel_pro/file.te | 11 +++++++++++ whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/shell.te | 5 +++++ whitechapel_pro/ssr_detector.te | 5 +++++ 4 files changed, 25 insertions(+) create mode 100644 whitechapel_pro/shell.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 971e4657..e4248525 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -91,3 +91,14 @@ type sysfs_st33spi, sysfs_type, fs_type; # GPU type sysfs_gpu, sysfs_type, fs_type; + +# Vendor sched files +userdebug_or_eng(` + typeattribute sysfs_vendor_sched mlstrustedobject; +') + +# SJTAG +type sysfs_sjtag, fs_type, sysfs_type; +userdebug_or_eng(` + typeattribute sysfs_sjtag mlstrustedobject; +') diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index ba3dc909..f7f43487 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -210,3 +210,7 @@ genfscon sysfs /devices/platform/100b0000.TPU u:obje # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 + +# SJTAG +genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 +genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 
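Review bot: The `typeattribute sysfs_vendor_sched mlstrustedobject;` block added at the top of the file.te hunk has nothing to do with the SJTAG interface described in the commit message and is not explained anywhere, yet it lets every MLS-categorized app domain on userdebug/eng builds bypass MLS constraints on the vendor sched sysfs files. Either split it into its own change or put the reason next to it, e.g. `# Debug only: lets categorized app domains (ssr_detector_app) write vendor sched files`. The same applies to the SJTAG block: `mlstrustedobject` is presumably needed only because a categorized app domain reads these nodes, so a comment such as `# mlstrustedobject: accessed by ssr_detector_app (MLS categories) on debug builds` would make the intent clear to the next reviewer.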
diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te new file mode 100644 index 00000000..978a5426 --- /dev/null +++ b/whitechapel_pro/shell.te @@ -0,0 +1,5 @@ +# Allow access to the SJTAG kernel interface from the shell +userdebug_or_eng(` + allow shell sysfs_sjtag:dir r_dir_perms; + allow shell sysfs_sjtag:file rw_file_perms; +') diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te index ff3c40f9..793e51b6 100644 --- a/whitechapel_pro/ssr_detector.te +++ b/whitechapel_pro/ssr_detector.te @@ -12,6 +12,11 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) + allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; + allow ssr_detector_app sysfs_sjtag:file rw_file_perms; + allow ssr_detector_app sysfs_vendor_sched:dir search; + allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms; + allow ssr_detector_app cgroup:file write; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 0d22c86fef5a77dd7cd03873274e04833ee4794a Mon Sep 17 00:00:00 2001 From: neoyu Date: Thu, 17 Feb 2022 12:55:26 +0800 Subject: [PATCH 002/162] Fix SELinux errors for ims avc: denied { write } for name="property_service" dev="tmpfs" ino=362 scontext=u:r:vendor_ims_app:s0:c208,c256,c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 app=com.shannon.imsservice avc: denied { set } for property=persist.radio.call.audio.output pid=1920 uid=10216 gid=10216 scontext=u:r:vendor_ims_app:s0:c216,c256,c512,c768 tcontext=u:object_r:radio_prop:s0 tclass=property_service permissive=0' Bug: 219954530 Test: manual Change-Id: I3e7f6781718c3967f7842b074b0ef91818508af2 --- whitechapel_pro/vendor_ims_app.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te index b226dc37..b109fcc1 100644 
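Review bot: `allow shell sysfs_sjtag:file rw_file_perms;` gives the shell domain read/write on every node exposed under the SJTAG interface directories, which from the name appears to be the secure-JTAG debug unlock path; that is tolerable only because it sits inside `userdebug_or_eng`, and the file should say so explicitly, e.g. `# Debug builds only: SJTAG gates hardware debug access; never allow this on user builds`. The commit message does not say which interface files the shell workflow actually touches, so consider whether write is needed on the whole type or only on specific control nodes.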
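Review bot: The last three rules of the ssr_detector.te hunk (`sysfs_vendor_sched:file rw_file_perms` and `cgroup:file write`) are unrelated to SJTAG and are not mentioned in the commit message; `cgroup:file write` in particular lets the app write arbitrary cgroup control files, which is broad for a subsystem-restart tracker. They are inside the existing `userdebug_or_eng` block (it closes with `')` right after the hunk), so user builds are unaffected, but they should be split into their own change or at least carry a comment naming the files they target and the tracking bug.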
--- a/whitechapel_pro/vendor_ims_app.te +++ b/whitechapel_pro/vendor_ims_app.te @@ -6,4 +6,5 @@ allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; allow vendor_ims_app radio_service:service_manager find; binder_call(vendor_ims_app, rild) -get_prop(vendor_ims_app, vendor_rild_prop) +set_prop(vendor_ims_app, vendor_rild_prop) +set_prop(vendor_ims_app, radio_prop) From 453b37ebdc0a9614e09ffbc03592a8350fcb524f Mon Sep 17 00:00:00 2001 From: Alex Hong Date: Thu, 17 Feb 2022 14:29:35 +0800 Subject: [PATCH 003/162] Remove the sepolicy for tetheroffload service Test: m checkvintf run vts -m VtsHalTetheroffloadControlV1_0TargetTest Bug: 207076973 Bug: 214494717 Change-Id: I5ecec46512ff4e1ae6c52147cfa0179e5fc93420 --- whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_tetheroffload_default.te | 17 ----------------- 2 files changed, 18 deletions(-) delete mode 100644 whitechapel_pro/hal_tetheroffload_default.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4f0451e4..845d50c1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -36,7 +36,6 @@ /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 -/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/whitechapel_pro/hal_tetheroffload_default.te b/whitechapel_pro/hal_tetheroffload_default.te deleted file mode 100644 index 00ae3214..00000000 --- a/whitechapel_pro/hal_tetheroffload_default.te +++ /dev/null 
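Review bot: `set_prop(vendor_ims_app, radio_prop)` grants set on the entire platform `radio_prop` type (whatever properties system property_contexts maps to it), while the quoted denial shows a categorized app domain setting a single property, `persist.radio.call.audio.output`. A narrower fix is to move that property under a vendor-owned context (e.g. a `persist.vendor.radio.call.` prefix with its own vendor property type) and grant set_prop on that type only; a vendor app writing core `radio_prop` properties is also the kind of system/vendor property crossing the Treble neverallows are meant to catch, so check the build's neverallow output rather than relying on an app-domain exemption. The change from `get_prop` to `set_prop` on `vendor_rild_prop` is not backed by either denial in the message and should be justified or dropped.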
@@ -1,17 +0,0 @@ -# associate netdomain to use for accessing internet sockets -net_domain(hal_tetheroffload_default) - -# Allow operations with TOE device -allow hal_tetheroffload_default vendor_toe_device:chr_file rw_file_perms; - -# Allow NETLINK and socket -allow hal_tetheroffload_default self:{ - netlink_socket - netlink_generic_socket - unix_dgram_socket -} create_socket_perms_no_ioctl; - -# Register to hwbinder service -add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice) -hwbinder_use(hal_tetheroffload_default) -get_prop(hal_tetheroffload_default, hwservicemanager_prop) From e65363450c0bbe739f4e5fe074eace1ef117d218 Mon Sep 17 00:00:00 2001 From: Jinting Lin Date: Thu, 17 Feb 2022 07:43:29 +0000 Subject: [PATCH 004/162] Adds logging related properties for logger app Bug: 220073302 Change-Id: I3917ce13f51a5ccb3304eb2db860f4da8424438b --- whitechapel_pro/property_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 6dcddc85..18e9f4ca 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -77,7 +77,9 @@ vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for logger app +vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # vendor default ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 From 2c914cd02c6aa40ac3f7ef086e24d47b0d86e319 Mon Sep 17 00:00:00 2001 From: Jinting Lin Date: Mon, 21 Feb 2022 07:49:47 +0000 Subject: [PATCH 005/162] Adds mnt file and batt info permissions for modem app Bug: 220076340 Change-Id: Icd02d4f8757719afed020c27a90812921d5f37ec --- whitechapel_pro/modem_diagnostic_app.te | 5 +++++ 1 file changed, 5 insertions(+) 
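Review bot: `persist.vendor.verbose_logging_enabled` is added without an `exact` qualifier, so as a property_contexts entry it is a prefix match and would also label any property that merely starts with that string; since it is a persistent toggle that widens logging, declare it as `persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 exact bool` so the match is exact and property_service rejects non-boolean values (assuming this tree's property_contexts are built with type checking, which the surrounding entries do not show). Note that `vendor.pixellogger.` and both persist entries share `vendor_logger_prop`, so every domain with set_prop on that type can flip verbose logging persistently; if that is intended, a one-line comment saying so would help.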
diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te index 887b4285..9fa772b4 100644 --- a/whitechapel_pro/modem_diagnostic_app.te +++ b/whitechapel_pro/modem_diagnostic_app.te @@ -22,9 +22,14 @@ userdebug_or_eng(` allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms; allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms; + allow modem_diagnostic_app mnt_vendor_file:file r_file_perms; + allow modem_diagnostic_app modem_img_file:dir r_dir_perms; allow modem_diagnostic_app modem_img_file:file r_file_perms; allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms; allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find; + + allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms; + allow modem_diagnostic_app sysfs_batteryinfo:dir search; ') From 62d5b40d35c8dd1fd98416e3a482bcc3ebe495dc Mon Sep 17 00:00:00 2001 From: Jack Yu Date: Fri, 18 Feb 2022 21:43:46 +0800 Subject: [PATCH 006/162] uwb: permissions for factory uwb calibration file Allow nfc hal accessing /data/vendor/uwb. Bug: 220167093 Test: build pass Change-Id: I33093231577b71c24d5bf6f980c7021cc546fa98 --- whitechapel_pro/hal_nfc_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te index f98e78c6..174b5383 100644 --- a/whitechapel_pro/hal_nfc_default.te +++ b/whitechapel_pro/hal_nfc_default.te @@ -7,3 +7,6 @@ set_prop(hal_nfc_default, vendor_secure_element_prop) # Modem property set_prop(hal_nfc_default, vendor_modem_prop) +# Access uwb cal for SecureRanging Applet +allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; +allow hal_nfc_default uwb_data_vendor:file r_file_perms; From 5b6a5292c3f92a880dfa769eeaa90d5a52279e94 Mon Sep 17 00:00:00 2001 
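Review bot: `allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;` lets the app read every regular file under the `mnt_vendor_file` label, i.e. the whole /mnt/vendor tree, whereas the commit title suggests it needs specific files. Prefer giving those files a dedicated type (as was done for `modem_img_file` just below) and allowing only that, even though the enclosing `userdebug_or_eng` block, which opens above the hunk, keeps this off user builds; at minimum add a comment naming the files read. The `sysfs_batteryinfo` rules look fine but would read better with a short `# Battery state for modem diagnostics` comment matching the rest of the file.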
From: Ted Lin Date: Tue, 22 Feb 2022 10:54:06 +0800 Subject: [PATCH 007/162] hal_health_default: Fix avc denials 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2270): avc: denied { search } for name="thermal" dev="tmpfs" ino=1028 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:thermal_link_device:s0 tclass=dir permissive=1 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2271): avc: denied { search } for name="thermal" dev="sysfs" ino=16790 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2273): avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone13/mode" dev="sysfs" ino=17285 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2272): avc: denied { write } for name="mode" dev="sysfs" ino=17285 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 Bug:208721638 Test: adb bugreport Change-Id: I4d9491862ff1bcc88f89b1478497ac569e3d1df1 Signed-off-by: Ted Lin --- tracking_denials/hal_health_default.te | 5 ----- whitechapel_pro/hal_health_default.te | 3 +++ 2 files changed, 3 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/hal_health_default.te diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te deleted file mode 100644 index d36ba385..00000000 --- a/tracking_denials/hal_health_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/208721638 -dontaudit hal_health_default sysfs_thermal:dir { search }; -dontaudit hal_health_default sysfs_thermal:file { open }; -dontaudit hal_health_default sysfs_thermal:file { write }; -dontaudit hal_health_default thermal_link_device:dir { search }; 
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index a4294ee5..e7406a76 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -9,3 +9,6 @@ allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; +allow hal_health_default sysfs_thermal:dir search; +allow hal_health_default sysfs_thermal:file w_file_perms; +allow hal_health_default thermal_link_device:dir search; From 775523d1eb5976c85c36c9d5632ff199686e48e6 Mon Sep 17 00:00:00 2001 
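Review bot: `allow hal_health_default sysfs_thermal:file w_file_perms;` grants write on every node carrying the `sysfs_thermal` label, but the denials in the message show the health HAL writing only `thermal_zone13/mode`; that label typically also covers trip-point and cooling-device nodes, so the HAL now gets far more than it uses. Give the mode node(s) it toggles their own type via genfs_contexts and allow write on that type only. Replacing the `dontaudit` entries with real `allow` rules is the right direction, but the rules should carry the reason, e.g. `# Toggle thermal zone mode from the health HAL (b/208721638)`.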
From: Badhri Jagan Sridharan Date: Mon, 21 Feb 2022 20:34:39 -0800 Subject: [PATCH 008/162] android.hardware.usb.IUsb AIDL migration android.hardware.usb.IUsb is migrated to AIDL and runs in its own process. android.hardware.usb.gadget.IUsbGadget is now published in its own exclusive process (android.hardware.usb.gadget-service). Creating file_context and moving the selinux linux rules for IUsbGadget implementation. [ 37.177042] type=1400 audit(1645536157.528:3): avc: denied { wake_alarm } for comm="android.hardwar" capability=35 scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_usb_impl:s0 tclass=capability2 permissive=1 [ 37.177139] type=1400 audit(1645536157.528:4): avc: denied { block_suspend } for comm="android.hardwar" capability=36 scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_usb_impl:s0 tclass=capability2 permissive=1 [ 39.936357] type=1400 audit(1645536160.292:5): avc: denied { call } for comm="HwBinder:875_1" scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 [ 39.936403] type=1400 audit(1645536160.292:6): avc: denied { transfer } for comm="HwBinder:875_1" scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 ... 
[ 42.845054] type=1400 audit(1645550991.268:8): avc: denied { read } for comm="HwBinder:860_1" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 42.877781] type=1400 audit(1645550991.268:9): avc: denied { open } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 42.915532] type=1400 audit(1645550991.268:10): avc: denied { getattr } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 42.962130] type=1400 audit(1645550991.268:11): avc: denied { map } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 43.003097] type=1400 audit(1645550991.268:12): avc: denied { watch watch_reads } for comm="HwBinder:860_1" path="/dev/usb-ffs/adb" dev="functionfs" ino=40814 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 [ 43.024529] type=1400 audit(1645550991.268:13): avc: denied { write } for comm="HwBinder:860_1" name="property_service" dev="tmpfs" ino=376 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 [ 43.057605] type=1400 audit(1645550991.268:14): avc: denied { connectto } for comm="HwBinder:860_1" path="/dev/socket/property_service" scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 [ 43.084549] type=1107 audit(1645550991.268:15): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for 
property=vendor.usb.dwc3_irq pid=860 uid=0 gid=0 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=property_service permissive=1' Bug: 200993386 Change-Id: Ia8c24610244856490c8271433710afb57d3da157 --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/file_contexts | 3 ++- whitechapel_pro/genfs_contexts | 5 +++++ whitechapel_pro/hal_usb_gadget_impl.te | 10 ++++++++++ whitechapel_pro/hal_usb_impl.te | 14 ++++++++++++++ 5 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 whitechapel_pro/hal_usb_gadget_impl.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index e4248525..c242e448 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -102,3 +102,6 @@ type sysfs_sjtag, fs_type, sysfs_type; userdebug_or_eng(` typeattribute sysfs_sjtag mlstrustedobject; ') + +# USB-C throttling stats +type sysfs_usbc_throttling_stats, sysfs_type, fs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 845d50c1..ec661202 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -34,7 +34,8 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 -/vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 4b3b3ca2..b77832f3 100644 
--- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -215,3 +215,8 @@ genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_t # SJTAG genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 + +# USB-C throttling stats +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/whitechapel_pro/hal_usb_gadget_impl.te new file mode 100644 index 00000000..83dff037 --- /dev/null +++ b/whitechapel_pro/hal_usb_gadget_impl.te @@ -0,0 +1,10 @@ +type hal_usb_gadget_impl, domain; +hal_server_domain(hal_usb_gadget_impl, hal_usb) +hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) + +type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_gadget_impl) + +allow hal_usb_gadget_impl configfs:dir { create rmdir }; +allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; +set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te index 067baf3c..a5da3ce1 100644 --- a/whitechapel_pro/hal_usb_impl.te +++ b/whitechapel_pro/hal_usb_impl.te 
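Review bot: `hal_server_domain(hal_usb_gadget_impl, hal_usb)` makes the gadget process a server of the `hal_usb` HAL as well, even though the commit message says IUsb now runs in its own process under `hal_usb_impl`; unless the gadget binary also registers IUsb, drop that line and keep only `hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)` so the domain carries no HAL attribute it does not serve. `allow hal_usb_gadget_impl configfs:dir { create rmdir };` on its own looks incomplete without dir search/write and `configfs:file` perms, so it is presumably a delta on top of the platform `hal_usb_gadget` rules; a comment saying so would save the next reader a trip to system/sepolicy. `set_prop` on `vendor_usb_config_prop` matches the `vendor.usb.dwc3_irq` denial and is fine.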
@@ -10,3 +10,17 @@ allow hal_usb_impl functionfs:dir { watch watch_reads }; allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; + +# Needed for reporting Usb Overheat suez event through statsd +allow hal_usb_impl fwk_stats_service:service_manager find; +binder_call(hal_usb_impl, servicemanager) + +# Needed for monitoring usb port temperature +allow hal_usb_impl self:capability2 wake_alarm; +wakelock_use(hal_usb_impl); + +# For interfacing with ThermalHAL +hal_client_domain(hal_usb_impl, hal_thermal); + +# For reading the usb-c throttling stats +allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; From b3a10db9d6dd7c3392ebd1bab3b6ffcf889542e7 Mon Sep 17 00:00:00 2001 From: Devin Moore Date: Tue, 1 Mar 2022 18:15:33 +0000 Subject: [PATCH 009/162] Add the init_boot partition sepolicy Tagging the partition as a boot_block_device so everything that had permission to read/write to the boot partition now also has permissions for this new init_boot partition. This is required for update_engine to be able to write to init_boot on builds that are enforcing sepolicy. Bug: 222052598 Test: adb shell setenforce 1 && update_device.py ota.zip Change-Id: Ic991fa314c8a6fdb848199a626852a68a57d1df5 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 5ad46436..f86fa5f1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
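Review bot: The trailing semicolons on `wakelock_use(hal_usb_impl);` and `hal_client_domain(hal_usb_impl, hal_thermal);` are stray terminators after m4 expansion and are inconsistent with the other macro calls in this hunk (`binder_call(hal_usb_impl, servicemanager)` has none); drop them. `fwk_stats_service:service_manager find` plus the servicemanager binder call is the documented route for vendor atoms, but the comment should name what is reported, e.g. `# Report USB port overheat atom via statsd`, since this is a vendor domain talking to a framework service.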
@@ -159,6 +159,7 @@ /dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 From e2395610618e17fe98014e46198e23848771cb7c Mon Sep 17 00:00:00 2001 From: Ruofei Ma Date: Thu, 3 Mar 2022 04:51:39 +0000 Subject: [PATCH 010/162] Allow mediacodec_google to access secure dma heap The change is for following error: HwBinder:867_1: type=1400 audit(0.0:9): avc: denied { read } for name="vframe-secure" dev="tmpfs" ino=425 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=0 Bug:221500257 Change-Id: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009 --- whitechapel_pro/mediacodec_google.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te index c750ea75..21aea333 100644 --- a/whitechapel_pro/mediacodec_google.te +++ b/whitechapel_pro/mediacodec_google.te @@ -14,6 +14,7 @@ hal_client_domain(mediacodec_google, hal_codec2) hal_client_domain(mediacodec_google, hal_graphics_allocator) allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; +allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms; allow mediacodec_google video_device:chr_file rw_file_perms; crash_dump_fallback(mediacodec_google) From 500e7624e9b09f86fb5585d5adb2a4885554d565 Mon Sep 17 00:00:00 2001 
From: Mason Wang Date: Thu, 17 Mar 2022 18:02:50 +0800 Subject: [PATCH 011/162] vendor_init: Fix touch avc denial of high_sensitivity. Fixed following avc denial: avc: denied { write } for name="high_sensitivity" dev="proc" ino=4026534550 scontext=u:r:vendor_init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 //The file node is proc/focaltech_touch/high_sensitivity Bug: 199105136 Test: Verify pass by checking device log are w/o above errors while switching setting/display/increase touch sensitivity. Change-Id: I8dbe4190056767407413082580320593292725fe --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 3 ++- whitechapel_pro/vendor_init.te | 3 +++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index c242e448..6b7de845 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -105,3 +105,6 @@ userdebug_or_eng(` # USB-C throttling stats type sysfs_usbc_throttling_stats, sysfs_type, fs_type; + +# Touch +type proc_touch, proc_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index d9fd9901..a7282706 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -29,7 +29,8 @@ genfscon sysfs /devices/soc0/revision u # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 -genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 +genfscon proc /focaltech_touch u:object_r:proc_touch:s0 # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index f936f4e0..4410e6d9 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te 
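Review bot: The genfs_contexts hunk rewrites the untouched `/devices/virtual/sec/tsp` entry only to realign whitespace, which adds diff noise to a change that is about `/focaltech_touch`; keep alignment-only edits out of functional changes. The new `genfscon proc /focaltech_touch u:object_r:proc_touch:s0` labels the entire directory, so every node the touch driver exposes there becomes `proc_touch`; if that directory also holds debug-only knobs, they will share whatever access `high_sensitivity` needs, which is worth a comment on the line.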
@@ -23,3 +23,6 @@ allow vendor_init sysfs_st33spi:file w_file_perms; # Fingerprint property set_prop(vendor_init, vendor_fingerprint_prop) + +# Touch +allow vendor_init proc_touch:file w_file_perms; From 278d110fba464f89239be6da40ababe4a8389d86 Mon Sep 17 00:00:00 2001 From: Yabin Cui Date: Fri, 18 Mar 2022 15:10:59 -0700 Subject: [PATCH 012/162] Add SOC specific ETM sysfs paths Bug: 225403280 Test: run profcollectd on c10 Change-Id: I10c8d250cf88b371ee573561d6678fc24f4e440c --- whitechapel_pro/genfs_contexts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index a7282706..e0e63300 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -227,3 +227,13 @@ genfscon sysfs /devices/platform/sjtag_gsa/interface u:obje genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 + +# Coresight ETM +genfscon sysfs /devices/platform/2b840000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2b940000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2ba40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bb40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bc40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0 From 6ab671ae18e1cfc1378fa50ac01b9aa6ae617456 Mon Sep 17 00:00:00 2001 
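Review bot: `allow vendor_init proc_touch:file w_file_perms;` is justified by the `high_sensitivity` denial in the message, but because `proc_touch` labels all of `/proc/focaltech_touch`, vendor_init now gains write on every node in that directory; the rule should at least name its target, e.g. `# Touch: vendor_init writes /proc/focaltech_touch/high_sensitivity`, so a later reader can judge whether a narrower type is warranted.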
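Review bot: The eight `genfscon` entries hard-code per-SoC ETM base addresses with no hint of which SoC or how many cores they cover; a comment such as `# gs201 per-core CoreSight ETM instances, traced by profcollectd` would help the next port. Since ETM exposes instruction tracing, labeling whole device directories as `sysfs_devices_cs_etm` is only as safe as the domains system policy grants on that type, which this change does not show; worth confirming nothing beyond the intended tracing daemon has it.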
From: Jason Macnak Date: Thu, 24 Feb 2022 22:17:51 +0000 Subject: [PATCH 013/162] Remove sysfs_gpu type definition ... as it has moved to system/sepolicy. Bug: b/161819018 Test: presubmit Change-Id: I107f92617bea56590b5af351341cc1c3b2844360 --- whitechapel_pro/file.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index aa4db136..98adac1a 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -93,9 +93,6 @@ type modem_userdata_file, file_type; type sysfs_st33spi, sysfs_type, fs_type; typeattribute sysfs_st33spi mlstrustedobject; -# GPU -type sysfs_gpu, sysfs_type, fs_type; - # Vendor sched files userdebug_or_eng(` typeattribute proc_vendor_sched mlstrustedobject; From 0d31f7bcd7d13162427e2c172648195dcd275d07 Mon Sep 17 00:00:00 2001 From: George Chang Date: Wed, 30 Mar 2022 22:34:13 +0800 Subject: [PATCH 014/162] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Change-Id: I90b8499b05e0226298ee8f04d84f55390299e8c8 --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 6858daaa..cbba7deb 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -32,7 +32,7 @@ /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 From 86351764371e22864cc1dc59170a7fb3695bb6ff Mon Sep 17 00:00:00 2001 From: George Chang Date: Fri, 29 Apr 2022 15:37:46 +0000 Subject: [PATCH 015/162] Revert "Update nfc from hidl to aidl service" This reverts commit 0d31f7bcd7d13162427e2c172648195dcd275d07. Reason for revert: Broken tests Bug: 230834308 Change-Id: If695e38eb11b65018768f15aeb4346ba818b058a --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index cbba7deb..6858daaa 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -32,7 +32,7 @@ /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 +/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 From eb1d4ec87c611c6a155bb8646eda1131a92c1d7b Mon Sep 17 00:00:00 2001 From: George Chang Date: Wed, 30 Mar 2022 22:34:13 +0800 Subject: [PATCH 016/162] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Change-Id: If1f57af334033f9bd7174c052767715c9916700f --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 9dc48c15..efd0e085 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -32,7 +32,7 @@ /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 From 26b2d2e33ee14ed8a3f482cab9197e27cd69c50e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Tue, 10 May 2022 05:35:27 +0000 Subject: [PATCH 017/162] Add dontaudit statements to camera HAL policy. The autogenerated dontaudit statements in tracking_denials are actually the correct policy. Move them to the correct file and add comments. Bug: 205780065 Bug: 218585004 Test: build & camera check Change-Id: Ie0338f0d2a6fd0c589777a82c22a014e462bd5c2 --- tracking_denials/hal_camera_default.te | 5 ----- whitechapel_pro/hal_camera_default.te | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/hal_camera_default.te diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te deleted file mode 100644 index f423e497..00000000 --- a/tracking_denials/hal_camera_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/205780065 -dontaudit hal_camera_default system_data_file:dir { search }; -# b/218585004 -dontaudit hal_camera_default traced:unix_stream_socket { connectto }; -dontaudit hal_camera_default traced_producer_socket:sock_file { write }; 
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index 92c629ed..437060ea 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te @@ -91,3 +91,11 @@ allow hal_camera_default sysfs_leds:file r_file_perms; # Allow camera HAL to send trace packets to Perfetto userdebug_or_eng(`perfetto_producer(hal_camera_default)') + +# Some file searches attempt to access system data and are denied. +# This is benign and can be ignored. +dontaudit hal_camera_default system_data_file:dir { search }; + +# google3 prebuilts attempt to connect to the wrong trace socket, ignore them. +dontaudit hal_camera_default traced:unix_stream_socket { connectto }; +dontaudit hal_camera_default traced_producer_socket:sock_file { write }; \ No newline at end of file From 4364d96ac875817a3d28906fdc5b410069b088d8 Mon Sep 17 00:00:00 2001 From: Jacqueline Wong Date: Wed, 18 May 2022 22:50:36 +0000 Subject: [PATCH 018/162] be able to dump coredump Bug: 218358165 Test: adb root; adb remount -R; adb bugreport Signed-off-by: Jacqueline Wong Change-Id: I42c2db7902064e1508676ad93def2e0e4f5c2b28 --- whitechapel_pro/hal_dumpstate_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 88de3775..de49f46c 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -25,6 +25,8 @@ allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; +allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; +allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; 
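Review bot: The last added dontaudit is followed by `\ No newline at end of file`, so the new block leaves hal_camera_default.te without a terminating newline; end the file with one to avoid churn on the next append. The second comment attributes the traced denials to google3 prebuilts using the wrong socket, but the `perfetto_producer(hal_camera_default)` grant a few lines above is inside userdebug_or_eng, so on user builds a correct producer connect is denied too and is now silenced as well; say so in the comment, e.g. `# Also silences the expected denial on user builds, where perfetto_producer is not granted.`, so a missing trace on a user device is not later chased as a prebuilt bug.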
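Review bot: The two added allow rules give hal_dumpstate_default unconditional read access to sscoredump_vendor_data_coredump_file, while the SJTAG, modem test device and shell rules elsewhere in this series are gated with userdebug_or_eng. Subsystem coredumps can hold full memory images of the subsystem, so if they are only meant to reach bugreports on debug builds the two lines should sit inside a userdebug_or_eng() block; if they are intentionally collected on user builds, a comment stating that and what sanitization the dump gets would help the next reader. Suggested comment above the pair: `# Include subsystem coredumps in bugreports (b/218358165)`.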
From cf23b50955716b0b751a58531e8d1f8db385c79f Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim Date: Mon, 23 May 2022 16:39:21 -0700 Subject: [PATCH 019/162] Allow sysfs_devices_block to f2fs-tools The fsck.f2fs checks the sysfs entries of block devices to get disk information. Note that, the block device entries are device-specific. 1. fsck.f2fs avc: denied { search } for comm="fsck.f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="fsck.f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda7/partition" dev="sysfs" ino=60672 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 2. mkfs.f2fs avc: denied { search } for comm="make_f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="make_f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda8/partition" dev="sysfs" ino=61046 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 Bug: 172377740 Signed-off-by: Jaegeuk Kim Change-Id: I409feec84565f965baa96b06a5b08bcfc1a8db02 --- whitechapel_pro/e2fs.te | 2 ++ whitechapel_pro/fsck.te | 2 ++ 2 files changed, 4 insertions(+) diff --git a/whitechapel_pro/e2fs.te b/whitechapel_pro/e2fs.te index a6664594..3e72adfb 100644 --- a/whitechapel_pro/e2fs.te +++ b/whitechapel_pro/e2fs.te @@ -4,3 +4,5 @@ allow e2fs modem_userdata_block_device:blk_file rw_file_perms; allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET }; +allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms; +allow e2fs sysfs_scsi_devices_0000:file r_file_perms; 
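Review bot: The added rules grant r_dir_perms and r_file_perms on the whole sysfs_scsi_devices_0000 subtree, whereas the denials quoted in the description only show dir search and file getattr; that wider grant is probably what make_f2fs needs to read partition sizes, but a comment naming the consumer keeps the rule from looking over-broad later, e.g. `# make_f2fs reads block-device geometry from the UFS sysfs tree (b/172377740)`. The same applies to the identical pair added to fsck.te in the next hunk.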
diff --git a/whitechapel_pro/fsck.te b/whitechapel_pro/fsck.te
index d29555b3..cb9470d0 100644
--- a/whitechapel_pro/fsck.te
+++ b/whitechapel_pro/fsck.te
@@ -1,3 +1,5 @@
 allow fsck persist_block_device:blk_file rw_file_perms;
 allow fsck efs_block_device:blk_file rw_file_perms;
 allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
From ec7b23cf03f55adda1fdee0966d1b5172f555f9d Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 9 Jun 2022 13:20:48 +0800
Subject: [PATCH 020/162] remove obsolete entries
Bug: 227694693
Bug: 226850644
Bug: 227121550
Bug: 229677756
Bug: 234547497
Test: adb bugreport
Change-Id: I94a7466ece0a1e79dc31d737b89845343ea7d301
---
 tracking_denials/bug_map | 1 -
 tracking_denials/dumpstate.te | 3 ---
 tracking_denials/incidentd.te | 2 --
 tracking_denials/kernel.te | 5 +----
 tracking_denials/servicemanager.te | 2 --
 5 files changed, 1 insertion(+), 12 deletions(-)
 delete mode 100644 tracking_denials/bug_map
 delete mode 100644 tracking_denials/incidentd.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
deleted file mode 100644
index 600908ad..00000000
--- a/tracking_denials/bug_map
+++ /dev/null
@@ -1 +0,0 @@
-shell sysfs_wlc dir b/234547497
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index aaff71e5..29678370 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,3 @@
 # b/221384768
-dontaudit dumpstate app_zygote:process { signal };
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
 dontaudit dumpstate sysfs:file { read };
-# b/227694693
-dontaudit dumpstate incident:process { signal };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index 90b1025f..00000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@ -# b/226850644 -dontaudit incidentd debugfs_wakeup_sources:file { read }; diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index d75b1fb1..53df8fea 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -2,10 +2,7 @@ dontaudit kernel vendor_battery_debugfs:dir { search }; # b/220801802 allow kernel same_process_hal_file:file r_file_perms; -# b/227121550 -dontaudit kernel vendor_usb_debugfs:dir { search }; -dontaudit kernel vendor_votable_debugfs:dir { search }; # b/227286343 dontaudit kernel vendor_regmap_debugfs:dir { search }; # b/228181404 -dontaudit kernel vendor_maxfg_debugfs:dir { search }; \ No newline at end of file +dontaudit kernel vendor_maxfg_debugfs:dir { search }; diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te index 4b54ceb1..72e6e6e9 100644 --- a/tracking_denials/servicemanager.te +++ b/tracking_denials/servicemanager.te @@ -1,4 +1,2 @@ # b/214122471 dontaudit servicemanager hal_fingerprint_default:binder { call }; -# b/229677756 -dontaudit servicemanager hal_dumpstate_default:binder { call }; From dc339dc7800ca187c8e179eea8fb24ecf3adf163 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Jun 2022 11:09:23 +0800 Subject: [PATCH 021/162] remove obsolete entry Bug: 229354991 Test: take a bug report without showing relevant logs Change-Id: I3c75ca4e79085205f50c07b8ceea9757760a8763 --- tracking_denials/untrusted_app.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tracking_denials/untrusted_app.te diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te deleted file mode 100644 index 337bab8f..00000000 --- a/tracking_denials/untrusted_app.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/229354991 -dontaudit untrusted_app isolated_app:process { getsched }; -dontaudit untrusted_app shell_test_data_file:dir { search }; From 8d011823ed26bdd7386c0af8dcb31419a38859af Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 13 Jun 2022 13:11:12 +0800 Subject: [PATCH 022/162] allow dumpstate to access sde partition Bug: 221384768 Test: do bugreport without relevant error log Change-Id: I26b0246f8d99a5efce8f7d1b65fa50faafb599e2 --- tracking_denials/dumpstate.te | 3 +-- whitechapel_pro/genfs_contexts | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 29678370..ffb8518c 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,3 +1,2 @@ -# b/221384768 +# b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; -dontaudit dumpstate sysfs:file { read }; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 51a79b97..0cd3d358 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -185,6 +185,7 @@ genfscon sysfs /devices/platform/google,battery/power_supply/battery genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/pseudo_0/adapter0/host1/target1:0:0/1:0:0:0/block/sde u:object_r:sysfs_devices_block:s0 # P22 battery genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 From b3576ef751c3ac38ebaec8d4b63b7d4c32b260fb Mon Sep 17 00:00:00 2001 From: xiaofanj Date: Tue, 7 Jun 2022 03:06:13 +0000 Subject: [PATCH 023/162] modem_svc_sit: create oem test iodev - Create radio_test_device for oem_test iodev. - Grant modem_svc_sit to access radio_test_device. Bug: 231380480 Signed-off-by: Xiaofan Jiang Change-Id: Id06deedadf04c70b57e405a05533ed85764bdd1d --- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/modem_svc_sit.te | 4 ++++ 3 files changed, 6 insertions(+) 
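Review bot: The new `sde` genfscon line is inserted between the sysfs_batteryinfo entries and the `# P22 battery` comment, so it reads as part of the battery block although it labels a block device as sysfs_devices_block; give it its own comment such as `# sde block device, read by dumpstate (b/221384768)`, or move it next to the other sysfs_devices_block entries if the file groups them. In the same commit the tracking_denials/dumpstate.te hunk re-points the comment above the remaining hal_power_stats_vendor_service dontaudit from b/221384768 to b/185723618, which the description does not mention; a word on why that remaining denial now belongs to a different bug would avoid the next reader assuming a typo.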
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 6b81f2a1..952a1675 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -18,6 +18,7 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_heap_device, dmabuf_heap_device_type, dev_type; type battery_history_device, dev_type; +type radio_test_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 79bb698f..a7aba25f 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -149,6 +149,7 @@ /dev/st33spi u:object_r:st33spi_device:s0 /dev/ttyGS[0-3] u:object_r:serial_device:s0 /dev/oem_ipc[0-7] u:object_r:radio_device:s0 +/dev/oem_test u:object_r:radio_test_device:s0 /dev/umts_boot0 u:object_r:radio_device:s0 /dev/umts_ipc0 u:object_r:radio_device:s0 /dev/umts_ipc1 u:object_r:radio_device:s0 diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te index d3e79c93..9954f493 100644 --- a/whitechapel_pro/modem_svc_sit.te +++ b/whitechapel_pro/modem_svc_sit.te @@ -24,3 +24,7 @@ get_prop(modem_svc_sit, vendor_rild_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +userdebug_or_eng(` + allow modem_svc_sit radio_test_device:chr_file rw_file_perms; +') From 20053909665d58a75595b17324ff3209aff0d935 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 14 Jun 2022 11:32:27 +0800 Subject: [PATCH 024/162] remove obsolete entry Bug: 228181404 Test: boot with no avc error log Change-Id: Ic8d71ef8ddb99eafb366929af695a50d4779ac0c --- tracking_denials/kernel.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 53df8fea..7f80734a 100644 --- a/tracking_denials/kernel.te 
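Review bot: `type radio_test_device, dev_type;` is added without a comment, unlike the neighbouring `# SecureElement SPI device` block, and nothing in the three hunks records that the node is debug-only; add `# /dev/oem_test, modem OEM test iodev; only modem_svc_sit on userdebug/eng builds may open it` above it. The file_contexts entry for /dev/oem_test is unconditional while the only allow rule is inside userdebug_or_eng, which is the right shape (on user builds the node carries a label no domain can open); just confirm no other domain touches the node on user builds, since such access now surfaces as an avc denial instead of an unlabeled-device denial.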
+++ b/tracking_denials/kernel.te
@@ -4,5 +4,5 @@ dontaudit kernel vendor_battery_debugfs:dir { search };
 allow kernel same_process_hal_file:file r_file_perms;
 # b/227286343
 dontaudit kernel vendor_regmap_debugfs:dir { search };
-# b/228181404
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
+# b/227121550
+dontaudit kernel vendor_votable_debugfs:dir search;
From 1b954eef3b6ceb9731c5d565981c23243dcc4f04 Mon Sep 17 00:00:00 2001
From: Nucca Chen
Date: Mon, 13 Jun 2022 03:25:31 +0000
Subject: [PATCH 025/162] Remove clatd tracking_denial
Bug: 210363983
Change-Id: Ie3a38ef9cdb4447a3684912d2a65b0167c484cc6
Test: boot with no relevant error log
---
 tracking_denials/clatd.te | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 tracking_denials/clatd.te
diff --git a/tracking_denials/clatd.te b/tracking_denials/clatd.te
deleted file mode 100644
index 3c27ad97..00000000
--- a/tracking_denials/clatd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/210363983
-#dontaudit clatd netd:rawip_socket { read write };
-#dontaudit clatd netd:rawip_socket { setopt };
From 6e578b68253bc4af8d56f63006ac03981f323196 Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Thu, 16 Jun 2022 10:40:57 +0800
Subject: [PATCH 026/162] Update avc error on ROM 8732242
Bug: 236200710
Test: PtsSELinuxTestCases
Change-Id: I9b4b487aa78a69fe981a542aef1a7dbe368a30ce
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 tracking_denials/bug_map
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 00000000..208522d4
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1 @@
+hal_input_processor_default vendor_display_prop file b/236200710
\ No newline at end of file
From ced9e0ebbf3ab6d2402f6fda183756496439970c Mon Sep 17 00:00:00 2001
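Review bot: The kernel.te hunk does more than the subject `remove obsolete entry` says: besides dropping the b/228181404 maxfg dontaudit it re-adds `dontaudit kernel vendor_votable_debugfs:dir search;` under b/227121550, the exact rule patch 020 in this series removed as obsolete. The description should say why it is back (is the denial still seen on the current ROM?), and the new line writes `search` where every neighbouring rule uses `{ search }`; for consistency use `dontaudit kernel vendor_votable_debugfs:dir { search };`.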
From: Siarhei Vishniakou Date: Thu, 16 Jun 2022 15:59:46 -0700 Subject: [PATCH 027/162] Allow InputProcessor HAL to read display resolution Currently, there's no API to read the resolution from the system domain, so the HAL has to read this from the sysprop provided by the display code. Allow the HAL to do so in this CL. Bug: 236200710 Test: adb shell dmesg | grep input_processor Change-Id: I23285c21a82748c63fbe20988af42884b9261b66 --- whitechapel_pro/hal_input_processor_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 whitechapel_pro/hal_input_processor_default.te diff --git a/whitechapel_pro/hal_input_processor_default.te b/whitechapel_pro/hal_input_processor_default.te new file mode 100644 index 00000000..00d4c695 --- /dev/null +++ b/whitechapel_pro/hal_input_processor_default.te @@ -0,0 +1,2 @@ +# allow InputProcessor HAL to read the display resolution system property +get_prop(hal_input_processor_default, vendor_display_prop) From 555d8a9aca57c8bd2aab1e2d7841f3d9c6eb3b51 Mon Sep 17 00:00:00 2001 From: Siarhei Vishniakou Date: Fri, 17 Jun 2022 20:50:13 +0000 Subject: [PATCH 028/162] Revert "Update avc error on ROM 8732242" This reverts commit 6e578b68253bc4af8d56f63006ac03981f323196. Bug: 236200710 Test: verified locally Reason for revert: sepolicy was fixed, no more need for the exception Change-Id: Ic343b513c5426e5caca77bcd8c56f7336834b4ec --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) delete mode 100644 tracking_denials/bug_map diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map deleted file mode 100644 index 208522d4..00000000 --- a/tracking_denials/bug_map +++ /dev/null @@ -1 +0,0 @@ -hal_input_processor_default vendor_display_prop file b/236200710 \ No newline at end of file From d893b6e7f8270819e7adc81231e2956dac041c26 Mon Sep 17 00:00:00 2001 
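Review bot: `get_prop(hal_input_processor_default, vendor_display_prop)` grants read of every property carrying the vendor_display_prop label, not only the resolution values the comment mentions; if that label also covers display properties the HAL has no reason to read, a dedicated property context for the resolution values would keep the grant minimal. If vendor_display_prop is in fact just the resolution properties, widen the comment so the scope is explicit: `# vendor_display_prop holds only the panel resolution properties the InputProcessor HAL needs`.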
From: Peter Csaszar Date: Wed, 22 Jun 2022 03:20:39 -0700 Subject: [PATCH 029/162] Remove ssr_detector_app dontaudits Bug: 207571417 Test: pts-tradefed run pts -m PtsSELinuxTest Signed-off-by: Peter Csaszar Change-Id: I2e92edf4d22a142a3817b5f399edd65ebbe4b32f --- tracking_denials/ssr_detector_app.te | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te index 182b08e1..dd4768b2 100644 --- a/tracking_denials/ssr_detector_app.te +++ b/tracking_denials/ssr_detector_app.te @@ -3,10 +3,3 @@ dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr }; dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map }; dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open }; dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read }; -# b/207571417 -dontaudit ssr_detector_app cgroup:file { open }; -dontaudit ssr_detector_app cgroup:file { write }; -dontaudit ssr_detector_app sysfs:file { getattr }; -dontaudit ssr_detector_app sysfs:file { open }; -dontaudit ssr_detector_app sysfs:file { read }; -dontaudit ssr_detector_app sysfs:file { write }; From ffec0c64b4316cbaf467e9d7292d5726c405db05 Mon Sep 17 00:00:00 2001 
From: jimmyshiu Date: Thu, 23 Jun 2022 07:33:47 +0000 Subject: [PATCH 030/162] Remove dontaudit since read early_wakeup completed The display file node, early_wakeup, just for trigger the worker for display and it doesn't have meaningful read function. But PowerHAL read all nodes and try to dump their valuesi while triggering bugreport. As the read operation has been completed, so we can remove the clause. 07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:8): avc: denied { dac_read_search } for capability=2 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0 07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:9): avc: denied { dac_override } for capability=1 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0 Bug: 192617242 Bug: 208909174 Bug: 221384860 Test: adb shell dumpsys android.hardware.power.IPower/default Change-Id: Ice57c5cda51db150ec313337bb2385503f43529f --- tracking_denials/hal_power_default.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/hal_power_default.te diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te deleted file mode 100644 index 731d4baa..00000000 --- a/tracking_denials/hal_power_default.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/208909174 -dontaudit hal_power_default hal_power_default:capability { dac_read_search }; -# b/221384860 -dontaudit hal_power_default hal_power_default:capability { dac_override }; From f131707b2a56a10217115aed4b5f44db5506a0c3 Mon Sep 17 00:00:00 2001 
From: sashwinbalaji Date: Thu, 23 Jun 2022 11:35:23 +0800 Subject: [PATCH 031/162] thermal: added property persist.vendor.disable.thermal.dfs.control Updated the sepolicy to access tmu register Bug: 235156080 Test: Used local build to verify security context of tmu_reg file Change-Id: I3d43a393d76e7245e48ebcf9592c7e230c58d9bd --- whitechapel_pro/genfs_contexts | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index fe049804..c3bb542d 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -377,12 +377,7 @@ genfscon sysfs /devices/platform/100b0000.G3D u:obje genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.AUR u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters u:object_r:sysfs_thermal:s0 genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 From b5edce085f8150d45659cc4a1d03b38f81bef3eb Mon Sep 17 00:00:00 2001 
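Review bot: Replacing the six explicit `/module/gs_thermal/parameters/tmu_*` entries with one genfscon on `/module/gs_thermal/parameters` labels every current and future parameter of the gs_thermal module as sysfs_thermal, so any domain holding write access to sysfs_thermal can now reach module parameters that were previously left as plain sysfs. The description talks about the persist.vendor.disable.thermal.dfs.control property and the tmu register file, but neither appears in this hunk, so it is unclear which new node motivated the broadening; either list the additional parameter paths explicitly, or add a comment stating that the whole directory is intentionally exposed, e.g. `# All gs_thermal module parameters are thermal-tunable (b/235156080)`.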
From: sukiliu Date: Wed, 29 Jun 2022 14:07:37 +0800 Subject: [PATCH 032/162] Update avc error on ROM 8780665 Bug: 237491813 Bug: 237492145 Bug: 237491814 Bug: 237492146 Bug: 237492091 Test: PtsSELinuxTestCases Change-Id: I615453d58ea17306ceefe6195bc95974de0f259b --- tracking_denials/bug_map | 5 +++++ tracking_denials/dumpstate.te | 2 ++ tracking_denials/hal_drm_widevine.te | 2 ++ tracking_denials/hal_googlebattery.te | 2 ++ tracking_denials/hal_power_default.te | 3 +++ tracking_denials/incidentd.te | 2 ++ 6 files changed, 16 insertions(+) create mode 100644 tracking_denials/bug_map create mode 100644 tracking_denials/hal_googlebattery.te create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/incidentd.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 00000000..d53dde6c --- /dev/null +++ b/tracking_denials/bug_map @@ -0,0 +1,5 @@ +dumpstate app_zygote process b/237491813 +hal_drm_widevine default_prop file b/237492145 +hal_googlebattery dumpstate fd b/237491814 +hal_power_default hal_power_default capability b/237492146 +incidentd debugfs_wakeup_sources file b/237492091 diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index ffb8518c..e93762d6 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,2 +1,4 @@ # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; +# b/237491813 +dontaudit dumpstate app_zygote:process { signal }; diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te index cfe7fcf7..b0124389 100644 --- a/tracking_denials/hal_drm_widevine.te +++ b/tracking_denials/hal_drm_widevine.te @@ -1,2 +1,4 @@ # b/229209076 dontaudit hal_drm_widevine vndbinder_device:chr_file { read }; +# b/237492145 +dontaudit hal_drm_widevine default_prop:file { read }; 
diff --git a/tracking_denials/hal_googlebattery.te b/tracking_denials/hal_googlebattery.te new file mode 100644 index 00000000..da7f8c6f --- /dev/null +++ b/tracking_denials/hal_googlebattery.te @@ -0,0 +1,2 @@ +# b/237491814 +dontaudit hal_googlebattery dumpstate:fd { use }; diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te new file mode 100644 index 00000000..a2ce6fdb --- /dev/null +++ b/tracking_denials/hal_power_default.te @@ -0,0 +1,3 @@ +# b/237492146 +dontaudit hal_power_default hal_power_default:capability { dac_override }; +dontaudit hal_power_default hal_power_default:capability { dac_read_search }; diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te new file mode 100644 index 00000000..e6fce309 --- /dev/null +++ b/tracking_denials/incidentd.te @@ -0,0 +1,2 @@ +# b/237492091 +dontaudit incidentd debugfs_wakeup_sources:file { read }; From 5631fe741c402f63853a1a3dba56a23c56b18daf Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Thu, 30 Jun 2022 02:23:47 +0800 Subject: [PATCH 033/162] ssr_detector_app: remove tracking denials Avc errors already fixed. Remove tracking denials. Bug: 205202542 Change-Id: I08522d563de58e4bc2be2c4a1bea54bbeac6adb8 --- tracking_denials/ssr_detector_app.te | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 tracking_denials/ssr_detector_app.te diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te deleted file mode 100644 index dd4768b2..00000000 --- a/tracking_denials/ssr_detector_app.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/205202542 -dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr }; -dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map }; -dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open }; -dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read }; From 3439f51f287e566ed5dfaf7dc3c51cf8b315c2d5 Mon Sep 17 00:00:00 2001 
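Review bot: `dontaudit hal_power_default hal_power_default:capability { dac_override };` silences a denial for a capability that, if ever granted, lets the HAL bypass file permission checks entirely; patch 030 earlier in this series deleted exactly these two dontaudits on the grounds that the early_wakeup read was fixed, so re-adding them under b/237492146 suggests the access path is still exercised. Rather than tracking it again, the node the HAL reads should be made readable by its uid/gid (or skipped in the dump), and the tracking comment should name the path so the next reader can verify, e.g. `# b/237492146: early_wakeup read still trips dac_override/dac_read_search; fix the file mode rather than grant`. The same round-trip applies to the `dumpstate app_zygote` and `incidentd debugfs_wakeup_sources` entries in this commit (and their bug_map lines in the first hunk), both removed by patch 020.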
From: Alex Hong Date: Fri, 1 Jul 2022 16:59:04 +0800 Subject: [PATCH 034/162] Remove googlebattery from dontaduit list Bug: 237700766 Bug: 237491814 Test: PtsSELinuxTestCases Change-Id: Ic4119e552827a490ba829a80cd10c5fc3ba1d35e --- tracking_denials/bug_map | 1 - tracking_denials/hal_googlebattery.te | 2 -- 2 files changed, 3 deletions(-) delete mode 100644 tracking_denials/hal_googlebattery.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d53dde6c..5bd008ba 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ dumpstate app_zygote process b/237491813 hal_drm_widevine default_prop file b/237492145 -hal_googlebattery dumpstate fd b/237491814 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/237492091 diff --git a/tracking_denials/hal_googlebattery.te b/tracking_denials/hal_googlebattery.te deleted file mode 100644 index da7f8c6f..00000000 --- a/tracking_denials/hal_googlebattery.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/237491814 -dontaudit hal_googlebattery dumpstate:fd { use }; From c0ec14b9b185596674ac230d74111e53d615f48e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 5 Jul 2022 10:48:03 +0800 Subject: [PATCH 035/162] Update error on ROM 8765438 Bug: 238037492 Bug: 237093466 Test: SELinuxUncheckedDenialBootTest Change-Id: I4b067085dc0c9f79b715505a5831cab63fda6381 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5bd008ba..47bfbdb3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,3 +2,4 @@ dumpstate app_zygote process b/237491813 hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/237492091 +hal_radioext_default radio_vendor_data_file file b/237093466 From 7bb9a6aaf4bb14967e9540f4497d3a7eaf9999e8 Mon Sep 17 00:00:00 2001 
From: Denny cy Lee Date: Mon, 4 Jul 2022 10:50:25 +0800 Subject: [PATCH 036/162] HwInfo: remove -sepolicy/tracking_denials/hardware_info_app.te Bug: 208909060 Test: not avc log for hardware_info_app Change-Id: I52dd55bcea0dd70f60d9156937861ef2036dc46d Signed-off-by: Denny cy Lee --- tracking_denials/hardware_info_app.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hardware_info_app.te diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te deleted file mode 100644 index 2975d243..00000000 --- a/tracking_denials/hardware_info_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/208909060 -dontaudit hardware_info_app vendor_maxfg_debugfs:dir search; From 2bd613cfe6efc44be93bc505d58cda3bb7b678a6 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 5 Jul 2022 11:16:51 +0800 Subject: [PATCH 037/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 227121550 Change-Id: I3e5c653a63b099aa44a880c4d1b2a327415f4d97 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 47bfbdb3..2345b263 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -3,3 +3,4 @@ hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/237492091 hal_radioext_default radio_vendor_data_file file b/237093466 +kernel vendor_usb_debugfs dir b/227121550 From e87fbe539d2221822c86cbda96586c5c919c14ea Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 7 Jul 2022 10:19:39 +0800 Subject: [PATCH 038/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 238260726 Bug: 238260742 Bug: 238260741 Change-Id: Ia3796d62a044b6c0e55c280918251f48143cfd0f --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2345b263..d3f11d1f 100644 --- a/tracking_denials/bug_map 
+++ b/tracking_denials/bug_map @@ -4,3 +4,6 @@ hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/237492091 hal_radioext_default radio_vendor_data_file file b/237093466 kernel vendor_usb_debugfs dir b/227121550 +dumpstate hal_input_processor_default process b/238260726 +hal_googlebattery dumpstate fd b/238260742 +shell sysfs_wlc dir b/238260741 From eeced97ca94f544f07f0bbf362831781bb35fbfa Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Thu, 7 Jul 2022 03:17:41 +0000 Subject: [PATCH 039/162] fix avc error for fg_model/registers remove tracking with fix http://ag/19145061 Bug: 226271913 Signed-off-by: Jenny Ho Change-Id: Idaa9e75a013dc7c78234bff041819c3c131f3793 --- tracking_denials/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 850099a9..ea8ff1e4 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,4 +1,2 @@ # b/205656950 dontaudit vendor_init thermal_link_device:file { create }; -# b/226271913 -dontaudit vendor_init vendor_maxfg_debugfs:file setattr; From 3adb31f0041043ee3ee6688ba571a7d7bc480660 Mon Sep 17 00:00:00 2001 From: Daniel Angell Date: Fri, 1 Jul 2022 20:24:05 +0000 Subject: [PATCH 040/162] Remove dontaudit rules related to storageproxyd's /data access. Removing dontaudits for both tracking_denials/tee.te and whitechapel_pro/tee.te results in no new audit log messages related to storageproxyd, so they can both be removed. Bug: 215649571 Test: adb logcat | grep -iE 'storageproxyd' Change-Id: I8dc735bcaf0725c8d4eab4587f7a7fce21f4e25c --- tracking_denials/tee.te | 3 --- whitechapel_pro/tee.te | 4 ---- 2 files changed, 7 deletions(-) diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te index 3a56e037..9a1070ab 100644 --- a/tracking_denials/tee.te +++ b/tracking_denials/tee.te 
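Review bot: `shell sysfs_wlc dir b/238260741` re-tracks the denial that the bug_map deleted by patch 020 carried under b/234547497, and `hal_googlebattery dumpstate fd b/238260742` re-tracks the entry patch 034 removed under b/237491814; filing them under new bug ids hides that history. Keep the original bug references, or say in the description why these count as new occurrences, so the entries are not mistaken for fresh denials by whoever next prunes this file.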
@@ -1,5 +1,2 @@ # TODO(b/205904330): avoid using setuid, setgid permission allow tee tee:capability { setuid setgid }; -# b/215649571 -dontaudit tee gsi_metadata_file:dir { search }; -dontaudit tee metadata_file:dir { search }; diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index 58228b5a..f93bf59e 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te @@ -11,7 +11,3 @@ allow tee sg_device:chr_file rw_file_perms; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) - -# storageproxyd starts before /data is mounted. It handles /data not being there -# gracefully. However, attempts to access /data trigger a denial. -dontaudit tee unlabeled:dir { search }; From 1e606d96f145978b267d4d4c1647b3704e251879 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 11 Jul 2022 10:24:25 +0800 Subject: [PATCH 041/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 238571150 Change-Id: Idb8c4f3e99d23e73fe2e63beec1142d1207c0a05 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d3f11d1f..687d7ba2 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -7,3 +7,4 @@ kernel vendor_usb_debugfs dir b/227121550 dumpstate hal_input_processor_default process b/238260726 hal_googlebattery dumpstate fd b/238260742 shell sysfs_wlc dir b/238260741 +kernel vendor_charger_debugfs dir b/238571150 From 9899069adb55eedbaee330c82d962f1902304e46 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 12 Jul 2022 12:49:17 +0800 Subject: [PATCH 042/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 238705599 Change-Id: Ia78ce7f5b2adc41f7d64b99279681acce647e8bb --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 687d7ba2..1ef8e72f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -8,3 +8,4 @@ dumpstate hal_input_processor_default process b/238260726 hal_googlebattery dumpstate fd b/238260742 shell sysfs_wlc dir b/238260741 kernel vendor_charger_debugfs dir b/238571150 +cat_engine_service_app system_app_data_file dir b/238705599 From 5eda61d1e030bd3e797785a47c837cb4465cfdaa Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 14 Jul 2022 06:47:30 +0000 Subject: [PATCH 043/162] Update SELinux error Bug: 234547283 Change-Id: I81b2885e2b7c7f77f76bc6048c901dfc4226a4fb --- tracking_denials/bug_map | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1ef8e72f..6349be5c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,11 +1,11 @@ -dumpstate app_zygote process b/237491813 -hal_drm_widevine default_prop file b/237492145 -hal_power_default hal_power_default capability b/237492146 -incidentd debugfs_wakeup_sources file b/237492091 -hal_radioext_default radio_vendor_data_file file b/237093466 -kernel vendor_usb_debugfs dir b/227121550 -dumpstate hal_input_processor_default process b/238260726 -hal_googlebattery dumpstate fd b/238260742 -shell sysfs_wlc dir b/238260741 -kernel vendor_charger_debugfs dir b/238571150 cat_engine_service_app system_app_data_file dir b/238705599 +dumpstate app_zygote process b/237491813 +dumpstate hal_input_processor_default process b/238260726 +hal_drm_widevine default_prop file b/237492145 +hal_googlebattery dumpstate fd b/238260742 +hal_power_default hal_power_default capability b/237492146 +hal_radioext_default radio_vendor_data_file file b/237093466 +incidentd debugfs_wakeup_sources file b/237492091 +kernel vendor_charger_debugfs dir b/238571150 +kernel vendor_usb_debugfs dir b/227121550 +shell sysfs_wlc dir b/238260741 From 52ec99ce413120c21706012a01719396abd4add0 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 18 Jul 2022 10:55:53 +0800 Subject: [PATCH 044/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 239364360 Change-Id: I6ea0b1a4fabd7ac29470afa48a0d84beccf0af28 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6349be5c..ae341e70 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,6 +6,7 @@ hal_googlebattery dumpstate fd b/238260742 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 +init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 shell sysfs_wlc dir b/238260741 From 2c3812aac3244c3ad68f0f3f6e26ab494c359a9b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 19 Jul 2022 09:07:27 +0800 Subject: [PATCH 045/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 239484651 Bug: 239484612 Change-Id: If07a3611f40324d985a387c6dd7f2570c90c7c11 --- tracking_denials/bug_map | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ae341e70..050f91f6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,7 @@ cat_engine_service_app system_app_data_file dir b/238705599 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 +dumpstate system_data_file dir b/239484651 hal_drm_widevine default_prop file b/237492145 hal_googlebattery dumpstate fd b/238260742 hal_power_default hal_power_default capability b/237492146 
@@ -9,4 +10,13 @@ incidentd debugfs_wakeup_sources file b/237492091 init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 +shell adb_keys_file file b/239484612 +shell cache_file lnk_file b/239484612 +shell init_exec lnk_file b/239484612 +shell linkerconfig_file dir b/239484612 +shell metadata_file dir b/239484612 +shell mirror_data_file dir b/239484612 +shell postinstall_mnt_dir dir b/239484612 +shell rootfs file b/239484612 shell sysfs_wlc dir b/238260741 +shell system_dlkm_file dir b/239484612 From ebd7170495640b82154915363dc74ea3b9dbc442 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 20 Jul 2022 09:12:17 +0800 Subject: [PATCH 046/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 239632439 Change-Id: I42608d6fc5b3128915f7801e9000548a12ce7efa --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 050f91f6..bc6f2d07 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,7 @@ cat_engine_service_app system_app_data_file dir b/238705599 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 +dumpstate incident process b/239632439 dumpstate system_data_file dir b/239484651 hal_drm_widevine default_prop file b/237492145 hal_googlebattery dumpstate fd b/238260742 From eabd74399198c79552bb98317e642414a6d89d3b Mon Sep 17 00:00:00 2001 From: sukiliu Date: Wed, 20 Jul 2022 11:09:47 +0800 Subject: [PATCH 047/162] Remove regmap from list Bug: 227286343 Test: PtsSELinuxTestCases Change-Id: I0df048e6944623d992f66688550e534c038714d9 --- tracking_denials/kernel.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 91fa7a46..d743b75c 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te 
@@ -4,7 +4,5 @@ dontaudit kernel vendor_charger_debugfs:dir { search }; dontaudit kernel vendor_battery_debugfs:dir { search }; # b/220801802 allow kernel same_process_hal_file:file r_file_perms; -# b/227286343 -dontaudit kernel vendor_regmap_debugfs:dir { search }; # b/227121550 dontaudit kernel vendor_votable_debugfs:dir search; From 13f3fdc8ff979f0d3990b2cf5471c5de04a84c04 Mon Sep 17 00:00:00 2001 From: Tri Vo Date: Fri, 15 Jul 2022 13:24:25 -0700 Subject: [PATCH 048/162] storageproxyd: Remove setuid/setgid SELinux permissions Bug: 205904330 Test: fingerprint enrollment/authentication Change-Id: Ied64163f1142c1dd05274867c2863592e49042f3 --- tracking_denials/tee.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/tee.te diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te deleted file mode 100644 index 9a1070ab..00000000 --- a/tracking_denials/tee.te +++ /dev/null @@ -1,2 +0,0 @@ -# TODO(b/205904330): avoid using setuid, setgid permission -allow tee tee:capability { setuid setgid }; From aacf5c43fc303568dc8ed5f8220168daa3c7a5dd Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Fri, 22 Jul 2022 16:59:07 -0700 Subject: [PATCH 049/162] Bug fixed in ag/19153533 Bug: 238260742 Test: N/A Change-Id: I4f7494eb37b04f994e14b7ff418bc9e2819e25cb --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index bc6f2d07..ee5b954a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,7 +4,6 @@ dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 dumpstate system_data_file dir b/239484651 hal_drm_widevine default_prop file b/237492145 -hal_googlebattery dumpstate fd b/238260742 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 
From d889102a8fb19576f285ecddec13723d4a14850e Mon Sep 17 00:00:00 2001 From: Wiwit Rifa'i Date: Tue, 5 Jul 2022 14:12:23 +0800 Subject: [PATCH 050/162] Add SE policies for HWC logs Bug: 230361290 Test: adb bugreport Test: adb shell vndservice call Exynos.HWCService 11 i32 0 i32 308 i32 1 Change-Id: I12e6c1b4527829699211dae379f1e44da069b974 --- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_dumpstate_default.te | 3 +++ whitechapel_pro/hal_graphics_composer_default.te | 4 ++++ 4 files changed, 9 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index af98aebb..4fff5c7f 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -1,6 +1,7 @@ # Data type rild_vendor_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; +type vendor_hwc_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index be4f5506..11786215 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -197,6 +197,7 @@ /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 +/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 0f153f22..78b77a9a 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -9,6 +9,9 @@ allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; +allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms; +allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; + allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te index 61972c75..24966746 100644 --- a/whitechapel_pro/hal_graphics_composer_default.te +++ b/whitechapel_pro/hal_graphics_composer_default.te @@ -52,3 +52,7 @@ vndbinder_use(hal_graphics_composer_default) # allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) + +# allow HWC to write log file +allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; +allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; From 89781162e95a57298a1d9bbd107628517033abd0 Mon Sep 17 00:00:00 2001 
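Review bot: The last hunk grants hal_graphics_composer_default `create_file_perms` on vendor_hwc_log_file, which in the platform macros also carries unlink, rename and setattr, yet the comment only says "write log file"; if HWC just appends, `allow hal_graphics_composer_default vendor_hwc_log_file:file { create rw_file_perms };` is the tighter rule, and if it rotates its own logs the comment should say so, e.g. `# HWC creates and rotates its own log files under /data/vendor/log/hwc`. The `rw_dir_perms` on the directory lets HWC add and remove entries but not create the directory itself, so whatever pre-creates /data/vendor/log/hwc (presumably an init.rc mkdir, not visible here) should be named in the comment. The hal_dumpstate_default side of this change is read-only, which is the right shape for a bugreport consumer.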
From: Adam Shih Date: Fri, 29 Jul 2022 15:38:05 +0800 Subject: [PATCH 051/162] Update SELinux error Test: testAtomicWrite Bug: 240653918 Test: testCheckSQLiteJournalMode Bug: 240653918 Test: testConfigMaxSectorsKB Bug: 240653918 Test: testConfigReadAhead Bug: 240653918 Test: testDirectWrite Bug: 240653918 Test: testDirectWriteDirectReadInEncryptedDir Bug: 240653918 Test: testDirectWriteDirectReadInNonEncryptedDir Bug: 240653918 Test: testDirectWriteDirectReadInPerBootEncryptedDir Bug: 240653918 Test: testDirectWriteNormalReadInEncryptedDir Bug: 240653918 Test: testDirectWriteNormalReadInNonEncryptedDir Bug: 240653918 Test: testDirectWriteNormalReadInPerBootEncryptedDir Bug: 240653918 Test: testInvalidWrite Bug: 240653918 Test: testLargeReadRequestSize Bug: 240653918 Test: testLoopMaxPartDefined Bug: 240653918 Test: testMetadataEncryptionEnabled Bug: 240653918 Test: testNormalWrite Bug: 240653918 Test: testNormalWriteDirectReadInEncryptedDir Bug: 240653918 Test: testNormalWriteDirectReadInNonEncryptedDir Bug: 240653918 Test: testNormalWriteDirectReadInPerBootEncryptedDir Bug: 240653918 Test: testNormalWriteNormalReadInPerBootEncryptedDir Bug: 240653918 Test: testPinFile Bug: 240653918 Test: testPtssBashToolFindBdevOfData Bug: 240653918 Test: testPtssBashToolFindRawBdevOfData Bug: 240653918 Test: testPtssBashToolGetDevNameOnlyOfData Bug: 240653918 Test: testPtssBashToolGetFsOfData Bug: 240653918 Test: testPtssBashToolGetMaxSectorsOfData Bug: 240653918 Test: testPtssBashToolGetReadAheadOfData Bug: 240653918 Test: testPtssBashToolStorageModel Bug: 240653918 Test: testPtssBashToolUsagePercentOfData Bug: 240653918 Test: testPxlIOCreateLargeFile Bug: 240653918 Test: testSmallFileInEncryptedDir Bug: 240653918 Test: testSmallFileInPerBootEncryptedDir Bug: 240653918 Test: testStorageTestUtilGetReqStatPath Bug: 240653918 Change-Id: I40c87c191644238e81516555f73aeebcd1abf0f6 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) 
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ee5b954a..71c12792 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -20,3 +20,4 @@ shell postinstall_mnt_dir dir b/239484612 shell rootfs file b/239484612 shell sysfs_wlc dir b/238260741 shell system_dlkm_file dir b/239484612 +su modem_img_file filesystem b/240653918 From ee1b7d6bb405b03783913de5dc9f0bdd2bb690de Mon Sep 17 00:00:00 2001 From: lucaslin Date: Fri, 29 Jul 2022 16:38:51 +0800 Subject: [PATCH 052/162] Add sepolicy for dumpstate to zip tcpdump into bugreport Bug: 239634976 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I01b9b25a6236bcfa1ce2b89afb3ed1bc2ef49cae --- whitechapel_pro/hal_dumpstate_default.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 78b77a9a..77d1b7db 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -129,6 +129,10 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; + allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; + allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; + + set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) ') dontaudit hal_dumpstate_default mnt_vendor_file:dir search; 
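Review bot: The new userdebug_or_eng rules give hal_dumpstate_default `create_dir_perms` and `create_file_perms` on tcpdump_vendor_data_file, but the stated purpose is to zip existing captures into the bugreport, which needs no more than `allow hal_dumpstate_default tcpdump_vendor_data_file:dir r_dir_perms;` and `allow hal_dumpstate_default tcpdump_vendor_data_file:file r_file_perms;`. create_file_perms also covers unlink, rename and setattr, so the bugreport path could delete or alter packet captures; if dumpstate really does clear captures after archiving them, state that in a comment above the rules. Likewise `set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)` lets dumpstate change the logger's state rather than only read it, so get_prop is worth considering unless a set is actually required. The dontaudit block in the next hunk (`@@ -153,3 +157,6 @@`) mirrors the same wide permission set and should track whatever is finally chosen. The enclosing userdebug_or_eng block begins outside the hunk.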
@@ -153,3 +157,6 @@ dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; +dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; +dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms; From b969be2277027f1e13ce6581c11e188ce56b4bb5 Mon Sep 17 00:00:00 2001 From: Lei Ju Date: Tue, 26 Jul 2022 13:51:21 -0700 Subject: [PATCH 053/162] Allow chre to use WakeLock on whitechapel pro. Test: Manual test to confirm wakelock is acquired. Bug: 202447392 Change-Id: Iecd3aca411b43abed4c318e9e584b6713ca119a8 --- whitechapel_pro/chre.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te index 6d826217..4eda4096 100644 --- a/whitechapel_pro/chre.te +++ b/whitechapel_pro/chre.te @@ -22,3 +22,6 @@ allow chre hal_wifi_ext_hwservice:hwservice_manager find; # Allow CHRE host to talk to stats service allow chre fwk_stats_service:service_manager find; binder_call(chre, stats_service_server) + +# Allow CHRE to use WakeLock +wakelock_use(chre) From 613f6bf6af3c11c9cef925177530f5e941cf3487 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 2 Aug 2022 14:14:19 +0800 Subject: [PATCH 054/162] Update error on ROM 8846993 Bug: 241050831 Test: SELinuxUncheckedDenialBootTest Change-Id: I6517ffc33ccea453b796fd1ebaee687516de8b5c --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 71c12792..defd25f4 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -21,3 +21,4 @@ shell rootfs file b/239484612 shell sysfs_wlc dir b/238260741 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 +dumpstate incident process b/241050831 From 03f00703592f3abe456083e8f54be17911f4f4fd Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 3 Aug 2022 01:08:49 +0000 Subject: [PATCH 055/162] Update SELinux error Test: checkSensors Bug: 241172220 Test: checkLockScreen Bug: 241172220 Test: scanBugreport Bug: 241172220 Test: testAtomicWrite Bug: 241172220 Test: testConfigMaxSectorsKB Bug: 241172186 Test: testConfigReadAhead Bug: 241172220 Test: testInvalidWrite Bug: 241172220 Test: testLoopMaxPartDefined Bug: 241172220 Test: testPinFile Bug: 241172220 Test: testSysfsHealth Bug: 241172220 Change-Id: I1e8e927e6850bf03f7d62774e979c0e26551b9a6 --- tracking_denials/bug_map | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index defd25f4..a5af186b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
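Review bot: `dumpstate incident process b/241050831` repeats the (scontext, tcontext, tclass) triple of the `dumpstate incident process b/239632439` line already present higher in the file; this map is loaded keyed on that triple, so only one bug id can take effect and the second line is dead while suggesting two tracked issues. Replace the bug id on the existing line, or mark one bug as a duplicate of the other, instead of appending a second entry. The line is also added after `su modem_img_file filesystem b/240653918` at the tail of an otherwise alphabetically sorted file. The same pattern recurs in the next patch, where each `init app_data_file dir`, `init gsi_data_file file`, `init privapp_data_file dir` and `init system_app_data_file dir` triple is listed twice under b/241172186 and b/241172220.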
@@ -2,11 +2,20 @@ cat_engine_service_app system_app_data_file dir b/238705599 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 +dumpstate incident process b/241050831 dumpstate system_data_file dir b/239484651 hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 +init app_data_file dir b/241172186 +init app_data_file dir b/241172220 +init gsi_data_file file b/241172186 +init gsi_data_file file b/241172220 +init privapp_data_file dir b/241172186 +init privapp_data_file dir b/241172220 +init system_app_data_file dir b/241172186 +init system_app_data_file dir b/241172220 init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 @@ -21,4 +30,3 @@ shell rootfs file b/239484612 shell sysfs_wlc dir b/238260741 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 -dumpstate incident process b/241050831 From d64d7fa852c36c219e96688c7900e27912bb29e5 Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Thu, 21 Jul 2022 10:07:31 +0000 Subject: [PATCH 056/162] HwInfo: Move hardware info sepolicy to pixel common Bug: 215271971 Test: no sepolicy for hardware info Change-Id: Ic887e59878352fa5784a172af0453f3bb881e1f2 Signed-off-by: Denny cy Lee --- aoc/file.te | 1 - whitechapel_pro/device.te | 1 - whitechapel_pro/file.te | 4 ---- whitechapel_pro/hardware_info_app.te | 26 -------------------------- whitechapel_pro/seapp_contexts | 3 --- 5 files changed, 35 deletions(-) delete mode 100644 whitechapel_pro/hardware_info_app.te diff --git a/aoc/file.te b/aoc/file.te index 3e0baf8a..649e161a 100644 --- a/aoc/file.te +++ b/aoc/file.te 
@@ -4,7 +4,6 @@ type sysfs_aoc_boottime, sysfs_type, fs_type; type sysfs_aoc_firmware, sysfs_type, fs_type; type sysfs_aoc, sysfs_type, fs_type; type sysfs_aoc_reset, sysfs_type, fs_type; -type sysfs_pixelstats, fs_type, sysfs_type; # persist type persist_aoc_file, file_type, vendor_persist_type; diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 952a1675..b1f5ecbf 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -17,7 +17,6 @@ type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_heap_device, dmabuf_heap_device_type, dev_type; -type battery_history_device, dev_type; type radio_test_device, dev_type; # SecureElement SPI device diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4fff5c7f..142cf543 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -36,15 +36,12 @@ type sysfs_em_profile, sysfs_type, fs_type; type sysfs_chosen, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; -type sysfs_display, sysfs_type, fs_type; -type sysfs_scsi_devices_0000, sysfs_type, fs_type; type sysfs_fabric, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; type sysfs_bcl, sysfs_type, fs_type; -type sysfs_chip_id, sysfs_type, fs_type; type sysfs_touch, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; @@ -52,7 +49,6 @@ type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; type sysfs_cpu, sysfs_type, fs_type; type sysfs_odpm, sysfs_type, fs_type; -type sysfs_soc, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; type sysfs_write_leds, sysfs_type, fs_type; type sysfs_pca, sysfs_type, fs_type; 
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te deleted file mode 100644 index 751bb885..00000000 --- a/whitechapel_pro/hardware_info_app.te +++ /dev/null @@ -1,26 +0,0 @@ -type hardware_info_app, domain; -app_domain(hardware_info_app) - -allow hardware_info_app app_api_service:service_manager find; - -# Storage -allow hardware_info_app sysfs_scsi_devices_0000:dir search; -allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; - -# Audio -allow hardware_info_app sysfs_pixelstats:file r_file_perms; - -# Batteryinfo -allow hardware_info_app sysfs_batteryinfo:dir search; -allow hardware_info_app sysfs_batteryinfo:file r_file_perms; - -# Display -allow hardware_info_app sysfs_display:dir search; -allow hardware_info_app sysfs_display:file r_file_perms; - -# SoC -allow hardware_info_app sysfs_soc:file r_file_perms; -allow hardware_info_app sysfs_chip_id:file r_file_perms; - -# Batery history -allow hardware_info_app battery_history_device:chr_file r_file_perms; diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 0fbe0333..223c931a 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -17,9 +17,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma # Samsung S.LSI engineer mode user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all -# Hardware Info Collection -user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user - # coredump/ramdump user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all From 17659673a4acb133e42397d7efad319cc830d376 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 8 Aug 2022 02:14:53 +0000 Subject: [PATCH 057/162] Update error on ROM 8892407 Bug: 241714943 Bug: 241714944 Test: SELinuxUncheckedDenialBootTest Change-Id: I38e6cc9da23c72aed05e79346a3a6c8188fc8556 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a5af186b..3d52f1fd 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,6 +4,7 @@ dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 dumpstate incident process b/241050831 dumpstate system_data_file dir b/239484651 +hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 @@ -27,6 +28,7 @@ shell metadata_file dir b/239484612 shell mirror_data_file dir b/239484612 shell postinstall_mnt_dir dir b/239484612 shell rootfs file b/239484612 +shell sscoredump_vendor_data_crashinfo_file dir b/241714944 shell sysfs_wlc dir b/238260741 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 From 8deeec1a30e5bda1c057ef125c2bdcf38ea8fc61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Tue, 16 Aug 2022 15:57:25 +1000 Subject: [PATCH 058/162] Revert "Update SELinux error" This reverts commit 03f00703592f3abe456083e8f54be17911f4f4fd. Remove duplicate entry for dumpstate. These are ignored by auditd. Bug: 241172220 Bug: 241172186 Test: TH Change-Id: Ia72eecbb6055876aa7903e13cd4dc72952d3125e --- tracking_denials/bug_map | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3d52f1fd..0f9c92d7 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -2,21 +2,12 @@ cat_engine_service_app system_app_data_file dir b/238705599 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 -dumpstate incident process b/241050831 dumpstate system_data_file dir b/239484651 hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 -init app_data_file dir b/241172186 -init app_data_file dir b/241172220 -init gsi_data_file file b/241172186 -init gsi_data_file file b/241172220 -init privapp_data_file dir b/241172186 -init privapp_data_file dir b/241172220 -init system_app_data_file dir b/241172186 -init system_app_data_file dir b/241172220 init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 From f43976db9f7dde2977d8f84d2a64c71013dfa94c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 22 Aug 2022 13:48:10 +0800 Subject: [PATCH 059/162] modularize gsc dump Bug: 242479757 Test: do bugreport that has the same content as before Change-Id: I1ca725b77f98012ebe63cf640cca18b44a5c7d57 --- whitechapel_pro/hal_dumpstate_default.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 77d1b7db..244ebc15 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -60,10 +60,6 @@ allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
 allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
-allow hal_dumpstate_default citadeld_service:service_manager find;
-allow hal_dumpstate_default citadel_updater:file execute_no_trans;
-binder_call(hal_dumpstate_default, citadeld);
-
 allow hal_dumpstate_default device:dir r_dir_perms;
 allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
From 21b6c72d26e8ec8e07ddcbd5f7bb8dd1290a1c6a Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 30 Aug 2022 11:29:11 +0800
Subject: [PATCH 060/162] Move dauntless settings to gs-common
Bug: 242479757
Test: build pass on all Gchip devices
Change-Id: Ifb33ea566117392dbdf57c212db2741732abcfdb
---
 dauntless/citadel_provision.te | 6 ------
 dauntless/citadeld.te | 13 -------------
 dauntless/device.te | 1 -
 dauntless/file.te | 1 -
 dauntless/file_contexts | 9 ---------
 dauntless/hal_identity_citadel.te | 11 -----------
 dauntless/hal_keymint_citadel.te | 9 ---------
 dauntless/hal_weaver_citadel.te | 11 -----------
 dauntless/init_citadel.te | 15 ---------------
 dauntless/service_contexts | 3 ---
 dauntless/vndservice.te | 1 -
 dauntless/vndservice_contexts | 1 -
 whitechapel_pro/vndservice.te | 1 -
 13 files changed, 82 deletions(-)
 delete mode 100644 dauntless/citadel_provision.te
 delete mode 100644 dauntless/citadeld.te
 delete mode 100644 dauntless/device.te
 delete mode 100644 dauntless/file.te
 delete mode 100644 dauntless/file_contexts
 delete mode 100644 dauntless/hal_identity_citadel.te
 delete mode 100644 dauntless/hal_keymint_citadel.te
 delete mode 100644 dauntless/hal_weaver_citadel.te
 delete mode 100644 dauntless/init_citadel.te
 delete mode 100644 dauntless/service_contexts
 delete mode 100644 dauntless/vndservice.te
 delete mode 100644 dauntless/vndservice_contexts
diff --git a/dauntless/citadel_provision.te b/dauntless/citadel_provision.te
deleted file mode 100644
index 56050857..00000000
--- a/dauntless/citadel_provision.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type citadel_provision, domain;
-type citadel_provision_exec, exec_type, vendor_file_type, file_type;
-
-userdebug_or_eng(`
- init_daemon_domain(citadel_provision)
-')
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
deleted file mode 100644
index 86cb61c7..00000000
--- a/dauntless/citadeld.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type citadeld, domain;
-type citadeld_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(citadeld)
-
-add_service(citadeld, citadeld_service)
-binder_use(citadeld)
-vndbinder_use(citadeld)
-binder_call(citadeld, system_server)
-
-allow citadeld citadel_device:chr_file rw_file_perms;
-allow citadeld fwk_stats_service:service_manager find;
-allow citadeld hal_power_stats_vendor_service:service_manager find;
diff --git a/dauntless/device.te b/dauntless/device.te
deleted file mode 100644
index f63186f4..00000000
--- a/dauntless/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type citadel_device, dev_type;
diff --git a/dauntless/file.te b/dauntless/file.te
deleted file mode 100644
index cfc0dea1..00000000
--- a/dauntless/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type citadel_updater, vendor_file_type, file_type;
diff --git a/dauntless/file_contexts b/dauntless/file_contexts
deleted file mode 100644
index 76a25023..00000000
--- a/dauntless/file_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
-/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
-/vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
-/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
-
-/dev/gsc0 u:object_r:citadel_device:s0
diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te
deleted file mode 100644
index c181e27c..00000000
--- a/dauntless/hal_identity_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_identity_citadel, domain;
-type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_identity_citadel)
-binder_call(hal_identity_citadel, citadeld)
-allow hal_identity_citadel citadeld_service:service_manager find;
-allow hal_identity_citadel hal_keymint_citadel:binder call;
-
-hal_server_domain(hal_identity_citadel, hal_identity)
-hal_server_domain(hal_identity_citadel, hal_keymint)
-init_daemon_domain(hal_identity_citadel)
diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keymint_citadel.te
deleted file mode 100644
index e1a6177d..00000000
--- a/dauntless/hal_keymint_citadel.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hal_keymint_citadel, domain;
-type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
-
-hal_server_domain(hal_keymint_citadel, hal_keymint)
-init_daemon_domain(hal_keymint_citadel)
-vndbinder_use(hal_keymint_citadel)
-get_prop(hal_keymint_citadel, vendor_security_patch_level_prop)
-allow hal_keymint_citadel citadeld_service:service_manager find;
-binder_call(hal_keymint_citadel, citadeld)
diff --git a/dauntless/hal_weaver_citadel.te b/dauntless/hal_weaver_citadel.te
deleted file mode 100644
index c47287b9..00000000
--- a/dauntless/hal_weaver_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_weaver_citadel, domain;
-type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hal_weaver_citadel)
-hal_server_domain(hal_weaver_citadel, hal_weaver)
-hal_server_domain(hal_weaver_citadel, hal_oemlock)
-hal_server_domain(hal_weaver_citadel, hal_authsecret)
-vndbinder_use(hal_weaver_citadel)
-binder_call(hal_weaver_citadel, citadeld)
-
-allow hal_weaver_citadel citadeld_service:service_manager find;
diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te
deleted file mode 100644
index 2e986d08..00000000
--- a/dauntless/init_citadel.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type init_citadel, domain;
-type init_citadel_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(init_citadel)
-
-# Citadel communication must be via citadeld
-vndbinder_use(init_citadel)
-binder_call(init_citadel, citadeld)
-allow init_citadel citadeld_service:service_manager find;
-
-# Many standard utils are actually vendor_toolbox (like xxd)
-allow init_citadel vendor_toolbox_exec:file rx_file_perms;
-
-# init_citadel needs to invoke citadel_updater
-allow init_citadel citadel_updater:file rx_file_perms;
diff --git a/dauntless/service_contexts b/dauntless/service_contexts
deleted file mode 100644
index ac6a1867..00000000
--- a/dauntless/service_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0
-android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox u:object_r:hal_remotelyprovisionedcomponent_service:s0
diff --git a/dauntless/vndservice.te b/dauntless/vndservice.te
deleted file mode 100644
index 880c09ca..00000000
--- a/dauntless/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type citadeld_service, vndservice_manager_type;
diff --git a/dauntless/vndservice_contexts b/dauntless/vndservice_contexts
deleted file mode 100644
index b4df996b..00000000
--- a/dauntless/vndservice_contexts
+++ /dev/null
@@ -1 +0,0 @@
-android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te
index d1483600..7f116c48 100644
--- a/whitechapel_pro/vndservice.te
+++ b/whitechapel_pro/vndservice.te
@@ -1,4 +1,3 @@
-type hal_power_stats_vendor_service, vndservice_manager_type;
 type rls_service, vndservice_manager_type;
 type vendor_displaycolor_service, vndservice_manager_type;
 type vendor_surfaceflinger_vndservice, vndservice_manager_type;
From 39570f2d0334cc002697390fe1e918b6f864ebe0 Mon Sep 17 00:00:00 2001
From: chungkai
Date: Wed, 31 Aug 2022 09:27:14 +0000
Subject: [PATCH 061/162] sepolicy: ignore avc denial dont audit since it's debugfs
Bug: 228181404
Test: boot without avc denial
Signed-off-by: chungkai
Change-Id: I8c9922d71cef6eaef7d95ad2abdbeac912490ca7
---
 whitechapel_pro/kernel.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
index c34e7f72..fa6c2fac 100644
--- a/whitechapel_pro/kernel.te
+++ b/whitechapel_pro/kernel.te
@@ -9,3 +9,4 @@ allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
 dontaudit kernel vendor_battery_debugfs:dir search;
+dontaudit kernel vendor_maxfg_debugfs:dir { search };
From 8064010f8a43b3772c25a7d1c342cf1f2be1637e Mon Sep 17 00:00:00 2001
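Review bot: Style: the added rule writes its permission set as `{ search }` while the line directly above it in the same file writes `search` without braces, and unlike the tracking_denials/kernel.te entries later in this series it carries no bug reference; `# b/228181404` followed by `dontaudit kernel vendor_maxfg_debugfs:dir search;` would match both conventions. A `dontaudit` only silences the log line — the kernel's walk of /d/maxfg still fails, which is presumably acceptable because debugfs is only mounted on userdebug/eng builds — so a short comment saying the denial is expected and intentionally unresolved would stop someone later "fixing" it by turning it into an `allow`.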
From: Adam Shih
Date: Tue, 6 Sep 2022 12:41:01 +0800
Subject: [PATCH 062/162] use gs-common insert module script
Bug: 243763292
Test: boot to home
Change-Id: I6f0c1a020ea2962f03df6794a6011a31d2244b1a
---
 whitechapel_pro/file_contexts | 5 +----
 whitechapel_pro/init-display-sh.te | 10 ++++++++++
 whitechapel_pro/init-insmod-sh.te | 18 ------------------
 whitechapel_pro/insmod-sh.te | 7 +++++++
 whitechapel_pro/property.te | 2 --
 whitechapel_pro/property_contexts | 8 --------
 6 files changed, 18 insertions(+), 32 deletions(-)
 create mode 100644 whitechapel_pro/init-display-sh.te
 delete mode 100644 whitechapel_pro/init-insmod-sh.te
 create mode 100644 whitechapel_pro/insmod-sh.te
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 6072042f..41074125 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -11,7 +11,7 @@
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
-/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+/vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
@@ -70,9 +70,6 @@
 /vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
-# Vendor kernel modules
-/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
-
 # Devices
 /dev/trusty-log0 u:object_r:logbuffer_device:s0
 /dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
diff --git a/whitechapel_pro/init-display-sh.te b/whitechapel_pro/init-display-sh.te
new file mode 100644
index 00000000..54ff7d6e
--- /dev/null
+++ b/whitechapel_pro/init-display-sh.te
@@ -0,0 +1,10 @@
+type init-display-sh, domain;
+type init-display-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(init-display-sh)
+
+allow init-display-sh self:capability sys_module;
+allow init-display-sh vendor_kernel_modules:system module_load;
+allow init-display-sh vendor_toolbox_exec:file execute_no_trans;
+
+dontaudit init-display-sh proc_cmdline:file r_file_perms;
+
diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te
deleted file mode 100644
index 1e56c094..00000000
--- a/whitechapel_pro/init-insmod-sh.te
+++ /dev/null
@@ -1,18 +0,0 @@
-type init-insmod-sh, domain;
-type init-insmod-sh_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(init-insmod-sh)
-
-allow init-insmod-sh self:capability sys_module;
-allow init-insmod-sh vendor_kernel_modules:system module_load;
-allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans;
-
-allow init-insmod-sh self:capability sys_nice;
-allow init-insmod-sh kernel:process setsched;
-
-set_prop(init-insmod-sh, vendor_device_prop)
-set_prop(init-insmod-sh, vendor_ready_prop)
-
-dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
-
-allow init-insmod-sh debugfs_mgm:dir search;
-allow init-insmod-sh vendor_regmap_debugfs:dir search;
diff --git a/whitechapel_pro/insmod-sh.te b/whitechapel_pro/insmod-sh.te
new file mode 100644
index 00000000..c7bbdc6f
--- /dev/null
+++ b/whitechapel_pro/insmod-sh.te
@@ -0,0 +1,7 @@
+allow insmod-sh self:capability sys_nice;
+allow insmod-sh kernel:process setsched;
+
+dontaudit insmod-sh proc_cmdline:file r_file_perms;
+
+allow insmod-sh debugfs_mgm:dir search;
+allow insmod-sh vendor_regmap_debugfs:dir search;
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index ec7d84ed..32895e7b 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
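Review bot: The new domain is handed `self:capability sys_module` and `vendor_kernel_modules:system module_load` with no comment saying which module(s) /vendor/bin/init.display.sh loads or why they cannot go through the common insmod-sh path this same commit switches to; since `sys_module` also permits `delete_module`, a header such as `# init.display.sh: loads the display DLKM(s) at boot; sys_module + module_load on vendor_kernel_modules are what finit_module() needs (module list TBD)` would make the grant reviewable. Note also that the file_contexts hunk of this same commit drops the `/vendor_dlkm/lib/modules/.*\.ko → vendor_kernel_modules` entry; unless gs-common now supplies that labeling, the `module_load` rule here matches nothing and the script will fail on user builds. The hunk also adds a trailing empty `+` line at end of file, which should be dropped.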
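Review bot: These rules extend `insmod-sh`, whose `type` declaration is not in this file (the previous hunk deletes the old `init-insmod-sh` declaration and nothing here declares `insmod-sh`), so the policy only compiles if gs-common declares it — a one-line header such as `# Device-specific additions to the gs-common insmod-sh domain (type declared there)` would record that dependency. The `sys_nice` + `kernel:process setsched` pair lets the script change the scheduling of kernel threads, which nothing in the file explains; a `# setsched: the script renices <which> kernel threads — confirm` comment would tie it to a purpose. Lastly, `dontaudit insmod-sh proc_cmdline:file r_file_perms` hides a read of /proc/cmdline rather than resolving it: if the script really reads it, `allow` is the honest rule, and if it does not, the `dontaudit` should reference a bug so it can be removed later.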
@@ -17,8 +17,6 @@ vendor_internal_prop(vendor_camera_debug_prop)
 vendor_internal_prop(vendor_camera_fatp_prop)
 vendor_internal_prop(vendor_usb_config_prop)
 vendor_internal_prop(vendor_tcpdump_log_prop)
-vendor_internal_prop(vendor_device_prop)
-vendor_internal_prop(vendor_ready_prop)
 vendor_internal_prop(vendor_gps_prop)
 vendor_internal_prop(vendor_ro_sys_default_prop)
 vendor_internal_prop(vendor_persist_sys_default_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 98a7980a..14c5b07d 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -4,14 +4,6 @@ persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
 vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
 vendor.sys.diag. u:object_r:vendor_diag_prop:s0
-# Kernel modules related
-vendor.common.modules.ready u:object_r:vendor_device_prop:s0
-vendor.device.modules.ready u:object_r:vendor_device_prop:s0
-
-# Indicating signal that all modules and devices are ready
-vendor.all.modules.ready u:object_r:vendor_ready_prop:s0
-vendor.all.devices.ready u:object_r:vendor_ready_prop:s0
-
 # Tcpdump_logger
 persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
From 9c9ae24f647dca080b686bbefc47d41f21c38430 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 12 Sep 2022 12:58:29 +0800
Subject: [PATCH 063/162] remove global access to firmware mali
Bug: 220801802
Test: device can resume
Change-Id: Idf0fd84c2efa37c94e30c3f682a09e6546f50235
---
 tracking_denials/kernel.te | 2 +-
 whitechapel_pro/file_contexts | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 0e6f2e78..dba5af95 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -1,6 +1,6 @@
 # b/213817227
 dontaudit kernel vendor_battery_debugfs:dir { search };
-# b/220801802
+# b/246218258
 allow kernel same_process_hal_file:file r_file_perms;
 # b/227121550
 dontaudit kernel vendor_votable_debugfs:dir search;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 41074125..51221baa 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -47,7 +47,6 @@
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
-/vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0
 /vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0
 # Vendor libraries
From 7c6154bdcea3432c9eecabce8760a9d24dc8cb0b Mon Sep 17 00:00:00 2001
From: Ted Lin
Date: Fri, 16 Sep 2022 14:00:24 +0800
Subject: [PATCH 064/162] Remove the tracking denials code.
Bug: 213817227
Test: Check the bugreport
Signed-off-by: Ted Lin
Change-Id: I94a64f6ea05757b9c74657647ef7f0d14fa34c55
---
 tracking_denials/kernel.te | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index dba5af95..4238f339 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -1,5 +1,3 @@
-# b/213817227
-dontaudit kernel vendor_battery_debugfs:dir { search };
 # b/246218258
 allow kernel same_process_hal_file:file r_file_perms;
 # b/227121550
From 87bc6d189d36b2aa0c31553fb672b7173418f9a5 Mon Sep 17 00:00:00 2001
From: Vova Sharaienko
Date: Fri, 16 Sep 2022 18:58:26 +0000
Subject: [PATCH 065/162] hal_health_default: updated sepolicy
This allows the android.hardware.health service to access AIDL Stats service
Bug: 237639591
Test: Build, flash, boot & and logcat | grep "avc"
Change-Id: I71013c0b17ee5e526387efa0afb823f97775e572
---
 whitechapel_pro/hal_health_default.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index e7406a76..8285eb2c 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
@@ -7,6 +7,9 @@ set_prop(hal_health_default, vendor_battery_defender_prop)
 allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_health_default fwk_stats_service:service_manager find;
+binder_use(hal_health_default)
+
 allow hal_health_default sysfs_wlc:dir search;
 allow hal_health_default sysfs_batteryinfo:file w_file_perms;
 allow hal_health_default sysfs_thermal:dir search;
From 7054110441d661b00ea987cf5f10e8a81ef249b0 Mon Sep 17 00:00:00 2001
From: timmyli
Date: Wed, 21 Sep 2022 21:15:54 +0000
Subject: [PATCH 066/162] Allow camera_hal to access always on compute device
As a part of RLSRefactor efforst, we need to access libusf from within camera_hal.
Bug: 248089742
Test: Compiles, Manual test that we can access aoc device
Change-Id: Ie79a2ee544067de69f402e2dd5ce6e55c200be13
---
 whitechapel_pro/hal_camera_default.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 437060ea..ba2b5304 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -98,4 +98,7 @@ dontaudit hal_camera_default system_data_file:dir { search };
 # google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
 dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
\ No newline at end of file
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+
+# Allow access to always-on compute device node
+allow hal_camera_default aoc_device:chr_file rw_file_perms;
From 6580ccce50aead345307b2b1acb464e8781cb056 Mon Sep 17 00:00:00 2001
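Review bot: The new `fwk_stats_service:service_manager find` plus `binder_use` only lets hal_health_default look the IStats service up; nothing in the hunk grants the binder call to the process that hosts it (in AOSP that is statsd, reached through the `stats_service_server` attribute), so unless the `hal_health` attribute already covers that call the first atom report will still be denied — the logcat grep the commit message cites should be checked for a `binder` `call` denial, and if present `binder_call(hal_health_default, stats_service_server)` is the missing line. A one-line comment would also help the next reader, e.g. `# Report battery/health atoms to the framework IStats AIDL service (b/237639591)`.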
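Review bot: `aoc_device` is one label for every AoC channel — in this series' own aoc/file_contexts (deleted later in the series, now in gs-common) it covers /dev/aoc and all of /dev/acd-* (audio bulk/tuning, sound_trigger, hotword_pcm, model_data, debug, logging, com.google.usf, …), so `rw_file_perms` on `aoc_device:chr_file` hands the camera HAL read/write on the audio, hotword and debug channels as well as the USF one the commit message says libusf needs. If only the USF channel is required, a dedicated type for `/dev/acd-com\.google\.usf.*` would keep the grant to what is used; failing that, the comment should say the grant is wider than needed, e.g. `# libusf uses /dev/acd-com.google.usf*; aoc_device also covers the audio/hotword/debug AoC channels (b/248089742)`.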
From: Adam Shih
Date: Fri, 23 Sep 2022 13:07:27 +0800
Subject: [PATCH 067/162] dump f2fs in gs-common
Bug: 248143736
Test: adb bugreport
Change-Id: Id3b62464fb80cb6178e5b8fc4a53c8c3dfe1b27e
---
 whitechapel_pro/file.te | 1 -
 whitechapel_pro/genfs_contexts | 1 -
 whitechapel_pro/hal_dumpstate_default.te | 5 -----
 3 files changed, 7 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index abbdc663..cb17558c 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -55,7 +55,6 @@ type sysfs_write_leds, sysfs_type, fs_type;
 type sysfs_pca, sysfs_type, fs_type;
 # debugfs
-type debugfs_f2fs, debugfs_type, fs_type;
 type vendor_maxfg_debugfs, fs_type, debugfs_type;
 type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
 type vendor_regmap_debugfs, fs_type, debugfs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 6bc52ad0..b05283e6 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -188,7 +188,6 @@ genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object
 genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
 # debugfs
-genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
 genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 9992df4f..c41cbfcd 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -106,7 +106,6 @@ userdebug_or_eng(`
 ')
 get_prop(hal_dumpstate_default, vendor_camera_debug_prop);
-get_prop(hal_dumpstate_default, boottime_public_prop)
 get_prop(hal_dumpstate_default, vendor_camera_prop)
 get_prop(hal_dumpstate_default, vendor_gps_prop)
 set_prop(hal_dumpstate_default, vendor_modem_prop)
@@ -121,8 +120,6 @@ userdebug_or_eng(`
 allow hal_dumpstate_default debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
- allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
- allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
 allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
 allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
@@ -149,8 +146,6 @@ dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
 dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;
 dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
 dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
-dontaudit hal_dumpstate_default debugfs_f2fs:file r_file_perms;
 dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
 dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
 dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
From df53edb110ce2b8dfc9d323403f85628f50d3647 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 28 Sep 2022 13:27:03 +0800
Subject: [PATCH 068/162] move UFS dump to gs-common
Bug: 248143736
Test: adb bugreport
Change-Id: I06374e41f2e4c4695780d7f1f2ff12d27f77351f
---
 whitechapel_pro/hal_dumpstate_default.te | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index c41cbfcd..a8ee4a52 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -71,9 +71,6 @@ allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
 allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
 allow hal_dumpstate_default proc_f2fs:file r_file_perms;
-allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
-
 allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
From 9bb5e3e05bddcdd977ac041b26eba96c680aaa3f Mon Sep 17 00:00:00 2001
From: Kyle Tso
Date: Wed, 28 Sep 2022 10:58:59 +0800
Subject: [PATCH 069/162] Set sepolicy for shell script of disabling contaminant detection (ported from Ib2e3cf498851c0c9e5e74aacc9bf391549c0ad1a)
Bug: 244658328
Signed-off-by: Kyle Tso
Change-Id: Idbfa55d4c7091ce2861600ff3881fcc7217ec662
---
 whitechapel_pro/disable-contaminant-detection-sh.te | 7 +++++++
 whitechapel_pro/file_contexts | 1 +
 2 files changed, 8 insertions(+)
 create mode 100644 whitechapel_pro/disable-contaminant-detection-sh.te
diff --git a/whitechapel_pro/disable-contaminant-detection-sh.te b/whitechapel_pro/disable-contaminant-detection-sh.te
new file mode 100644
index 00000000..95845a18
--- /dev/null
+++ b/whitechapel_pro/disable-contaminant-detection-sh.te
@@ -0,0 +1,7 @@
+type disable-contaminant-detection-sh, domain;
+type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(disable-contaminant-detection-sh)
+
+allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 29bca7a4..bf45934b 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
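Review bot: The new domain gets `rw_file_perms` on every `sysfs_batteryinfo` file, a type it shares with hal_health_default (see that HAL's hunk earlier in this series), while a one-shot init script presumably writes a single contaminant-detection attribute; a dedicated genfscon type for that node with `w_file_perms` on it alone would keep the write grant to what the script touches. If the node cannot be split out, the file should at least say which attribute is written and why the whole type is needed, e.g. `# disable_contaminant_detection.sh: one-shot init script that writes the contaminant-detection switch under sysfs_batteryinfo (attribute path TBD)`, so the next reviewer can judge the over-grant.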
@@ -44,6 +44,7 @@
 /vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0
 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0
+/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
From 8902c457d7b8e315640ba7a5c2f3307211cd82f8 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 19 Sep 2022 11:31:01 +0800
Subject: [PATCH 070/162] move trusty device to gs-common
Bug: 244504232
Test: adb bugreport
Change-Id: If0df8122e5655b659ac001d42b9a6cf28a59a627
---
 whitechapel_pro/file_contexts | 1 -
 whitechapel_pro/logd.te | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index bf45934b..77345d68 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -71,7 +71,6 @@
 /vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
 # Devices
-/dev/trusty-log0 u:object_r:logbuffer_device:s0
 /dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
 /dev/ttySAC0 u:object_r:tty_device:s0
 /dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
diff --git a/whitechapel_pro/logd.te b/whitechapel_pro/logd.te
index cc55e204..ca969d80 100644
--- a/whitechapel_pro/logd.te
+++ b/whitechapel_pro/logd.te
@@ -1,2 +1,4 @@
 r_dir_file(logd, logbuffer_device)
 allow logd logbuffer_device:chr_file r_file_perms;
+allow logd trusty_log_device:chr_file r_file_perms;
+
From d03b6f3be2f758a5d1a5c13d0e5a739f59629c07 Mon Sep 17 00:00:00 2001
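Review bot: The hunk ends by adding an empty `+` line, leaving logd.te with a trailing blank line; drop it. More substantively, this same commit relabels /dev/trusty-log0 away from `logbuffer_device` (file_contexts hunk above) and only logd is given `trusty_log_device:chr_file r_file_perms` here, so any other domain that read that node through `logbuffer_device` — hal_dumpstate_default keeps `logbuffer_device:chr_file r_file_perms` in an earlier patch of this series — loses it unless gs-common grants `trusty_log_device` to it; worth confirming the bugreport still contains the Trusty log. `trusty_log_device` is not declared in this repository's visible files either, presumably coming from gs-common, which a comment such as `# /dev/trusty-log0 (trusty_log_device, declared in gs-common)` would record.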
From: Adam Shih Date: Mon, 3 Oct 2022 13:39:41 +0800 Subject: [PATCH 071/162] move ramdump relate dumpstate to gs-common Bug: 248428203 Test: adb bugreport Change-Id: I40d9aff0e8069acc5d5ecbd0a596a850315e0b22 --- whitechapel_pro/hal_dumpstate_default.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index a8ee4a52..184b43ae 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -112,8 +112,6 @@ set_prop(hal_dumpstate_default, vendor_logger_prop) userdebug_or_eng(` allow hal_dumpstate_default mnt_vendor_file:dir search; - allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search; - allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; allow hal_dumpstate_default debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; From 455201b20dd64b7ab89b277c7ab0e43f9080eafa Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 4 Oct 2022 13:01:37 +0800 Subject: [PATCH 072/162] move soc dump to gs-common Bug: 248428203 Test: adb bugreport Change-Id: I225029624d4bd254dee3997b80ff322bacd07b23 --- whitechapel_pro/genfs_contexts | 6 ------ whitechapel_pro/hal_dumpstate_default.te | 2 -- 2 files changed, 8 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index b05283e6..24c60704 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -4,12 +4,6 @@ genfscon sysfs /devices/platform/exynos-bts/bts_stats u genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 -genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 # CPU genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 184b43ae..f01a4e6d 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -20,8 +20,6 @@ allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; -allow hal_dumpstate_default sysfs_chip_id:file r_file_perms; - allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; allow hal_dumpstate_default sysfs_wlc:file r_file_perms; From b47db82964eb83b03cfd44241ddca547fe9ba883 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 7 Oct 2022 09:31:29 +0800 Subject: [PATCH 073/162] move modem dump to gs-common Bug: 250475732 Test: adb bugreport Change-Id: I8f7f1538b5e236a2c6e0ff5a1d9224c539ef9836 --- whitechapel_pro/hal_dumpstate_default.te | 7 ------- 1 file changed, 7 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index f01a4e6d..5889ba87 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -11,9 +11,6 @@ userdebug_or_eng(` allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms; ') -allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; - allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms; allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; @@ -29,8 +26,6 @@ allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms; allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; -allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; @@ -57,8 +52,6 @@ allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; -allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms; -allow hal_dumpstate_default modem_stat_data_file:file r_file_perms; allow hal_dumpstate_default vendor_slog_file:file r_file_perms; allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; From e2ad2a0fd9587a59e9406cce2c3b70af416e21f8 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 13 Oct 2022 10:57:36 +0800 Subject: [PATCH 074/162] remove redundant permission that has moved to gs-common Bug: 248426917 Test: adb bugreport Change-Id: I8df8d6197aea78caf6f9903e7fd7953eab567e8c --- whitechapel_pro/hal_dumpstate_default.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 5889ba87..04d1a994 100644 --- a/whitechapel_pro/hal_dumpstate_default.te 
+++ b/whitechapel_pro/hal_dumpstate_default.te @@ -23,9 +23,6 @@ allow hal_dumpstate_default sysfs_wlc:file r_file_perms; allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; -allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms; -allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; - allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; From 91b093f51e330712e167f54c7310d2690eb8876e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 20 Oct 2022 11:24:07 +0800 Subject: [PATCH 075/162] move aoc settings to gs-common Bug: 248426917 Test: boot with aoc launched Change-Id: Icf7e819e7e0a25695a2fb7b05d08273918e19823 --- aoc/aocd.te | 21 ------------------ aoc/aocdump.te | 18 --------------- aoc/device.te | 5 ----- aoc/file.te | 16 ------------- aoc/file_contexts | 37 ------------------------------- aoc/genfs_contexts | 30 ------------------------- aoc/hal_audio_default.te | 35 ----------------------------- aoc/hal_audiometricext_default.te | 12 ---------- aoc/hwservice.te | 6 ----- aoc/hwservice_contexts | 4 ---- aoc/property.te | 4 ---- aoc/property_contexts | 13 ----------- whitechapel_pro/genfs_contexts | 19 ++++++++++++++++ 13 files changed, 19 insertions(+), 201 deletions(-) delete mode 100644 aoc/aocd.te delete mode 100644 aoc/aocdump.te delete mode 100644 aoc/device.te delete mode 100644 aoc/file.te delete mode 100644 aoc/file_contexts delete mode 100644 aoc/genfs_contexts delete mode 100644 aoc/hal_audio_default.te delete mode 100644 aoc/hal_audiometricext_default.te delete mode 100644 aoc/hwservice.te delete mode 100644 aoc/hwservice_contexts delete mode 100644 aoc/property.te delete mode 100644 aoc/property_contexts diff --git a/aoc/aocd.te b/aoc/aocd.te deleted file mode 100644 index 69b0af0d..00000000 --- a/aoc/aocd.te +++ /dev/null 
@@ -1,21 +0,0 @@ -type aocd, domain; -type aocd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(aocd) - -# access persist files -allow aocd mnt_vendor_file:dir search; -allow aocd persist_file:dir search; -r_dir_file(aocd, persist_aoc_file); - -# sysfs operations -allow aocd sysfs_aoc:dir search; -allow aocd sysfs_aoc_firmware:file w_file_perms; - -# dev operations -allow aocd aoc_device:chr_file rw_file_perms; - -# allow inotify to watch for additions/removals from /dev -allow aocd device:dir r_dir_perms; - -# set properties -set_prop(aocd, vendor_aoc_prop) diff --git a/aoc/aocdump.te b/aoc/aocdump.te deleted file mode 100644 index 0801ec0e..00000000 --- a/aoc/aocdump.te +++ /dev/null @@ -1,18 +0,0 @@ -type aocdump, domain; -type aocdump_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(aocdump) - -userdebug_or_eng(` - # Permit communication with AoC - allow aocdump aoc_device:chr_file rw_file_perms; - - allow aocdump radio_vendor_data_file:dir rw_dir_perms; - allow aocdump radio_vendor_data_file:file create_file_perms; - allow aocdump wifi_logging_data_file:dir create_dir_perms; - allow aocdump wifi_logging_data_file:file create_file_perms; - set_prop(aocdump, vendor_audio_prop); - r_dir_file(aocdump, proc_asound) - - allow aocdump self:unix_stream_socket create_stream_socket_perms; - allow aocdump audio_vendor_data_file:sock_file { create unlink }; -') diff --git a/aoc/device.te b/aoc/device.te deleted file mode 100644 index fbd2b327..00000000 --- a/aoc/device.te +++ /dev/null @@ -1,5 +0,0 @@ -# AOC device -type aoc_device, dev_type; - -# AMCS device -type amcs_device, dev_type; diff --git a/aoc/file.te b/aoc/file.te deleted file mode 100644 index 649e161a..00000000 --- a/aoc/file.te +++ /dev/null 
@@ -1,16 +0,0 @@ -# sysfs -type sysfs_aoc_dumpstate, sysfs_type, fs_type; -type sysfs_aoc_boottime, sysfs_type, fs_type; -type sysfs_aoc_firmware, sysfs_type, fs_type; -type sysfs_aoc, sysfs_type, fs_type; -type sysfs_aoc_reset, sysfs_type, fs_type; - -# persist -type persist_aoc_file, file_type, vendor_persist_type; -type persist_audio_file, file_type, vendor_persist_type; - -# vendor -type aoc_audio_file, file_type, vendor_file_type; - -# data -type audio_vendor_data_file, file_type, data_file_type; diff --git a/aoc/file_contexts b/aoc/file_contexts deleted file mode 100644 index fcdeca47..00000000 --- a/aoc/file_contexts +++ /dev/null 
@@ -1,37 +0,0 @@
-# AoC devices
-/dev/acd-audio_output_tuning u:object_r:aoc_device:s0
-/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0
-/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0
-/dev/acd-audio_input_tuning u:object_r:aoc_device:s0
-/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0
-/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0
-/dev/acd-sound_trigger u:object_r:aoc_device:s0
-/dev/acd-hotword_notification u:object_r:aoc_device:s0
-/dev/acd-hotword_pcm u:object_r:aoc_device:s0
-/dev/acd-ambient_pcm u:object_r:aoc_device:s0
-/dev/acd-model_data u:object_r:aoc_device:s0
-/dev/acd-debug u:object_r:aoc_device:s0
-/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
-/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0
-/dev/acd-com.google.usf u:object_r:aoc_device:s0
-/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0
-/dev/acd-logging u:object_r:aoc_device:s0
-/dev/aoc u:object_r:aoc_device:s0
-/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0
-/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0
-/dev/amcs u:object_r:amcs_device:s0
-
-# AoC vendor binaries
-/vendor/bin/aocd u:object_r:aocd_exec:s0
-/vendor/bin/aocdump u:object_r:aocdump_exec:s0
-/vendor/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0
-
-# AoC audio files
-/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
-
-# Aoc persist files
-/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
-/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
-
-# Audio data files
-/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
deleted file mode 100644
index abfc5a99..00000000
--- a/aoc/genfs_contexts
+++ /dev/null
@@ -1,30 +0,0 @@
-# AOC
-genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
-genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
-genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
-genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
-genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
-
-# pixelstat_vendor
-genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0
-
diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te
deleted file mode 100644
index aa462bf3..00000000
--- a/aoc/hal_audio_default.te
+++ /dev/null
@@ -1,35 +0,0 @@
-vndbinder_use(hal_audio_default)
-hwbinder_use(hal_audio_default)
-
-allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
-allow hal_audio_default audio_vendor_data_file:file create_file_perms;
-
-r_dir_file(hal_audio_default, aoc_audio_file);
-r_dir_file(hal_audio_default, mnt_vendor_file);
-r_dir_file(hal_audio_default, persist_audio_file);
-
-allow hal_audio_default persist_file:dir search;
-allow hal_audio_default aoc_device:file rw_file_perms;
-allow hal_audio_default aoc_device:chr_file rw_file_perms;
-
-allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
-
-allow hal_audio_default amcs_device:file rw_file_perms;
-allow hal_audio_default amcs_device:chr_file rw_file_perms;
-allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
-
-#allow access to DMABUF Heaps for AAudio API
-allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
-
-set_prop(hal_audio_default, vendor_audio_prop);
-
-hal_client_domain(hal_audio_default, hal_health);
-hal_client_domain(hal_audio_default, hal_thermal);
-allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find;
-
-userdebug_or_eng(`
- allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
- allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
-')
-
-wakelock_use(hal_audio_default);
diff --git a/aoc/hal_audiometricext_default.te b/aoc/hal_audiometricext_default.te
deleted file mode 100644
index 5358eac4..00000000
--- a/aoc/hal_audiometricext_default.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type hal_audiometricext_default, domain;
-type hal_audiometricext_default_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_audiometricext_default)
-
-allow hal_audiometricext_default amcs_device:chr_file rw_file_perms;
-allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms;
-
-get_prop(hal_audiometricext_default, vendor_audio_prop);
-get_prop(hal_audiometricext_default, hwservicemanager_prop);
-
-hwbinder_use(hal_audiometricext_default);
-add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice);
diff --git a/aoc/hwservice.te b/aoc/hwservice.te
deleted file mode 100644
index b7bf5d92..00000000
--- a/aoc/hwservice.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# Audio
-type hal_audio_ext_hwservice, hwservice_manager_type;
-
-# AudioMetric
-type hal_audiometricext_hwservice, hwservice_manager_type;
-
diff --git a/aoc/hwservice_contexts b/aoc/hwservice_contexts
deleted file mode 100644
index f06c8461..00000000
--- a/aoc/hwservice_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-# Audio
-vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
-vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
-
diff --git a/aoc/property.te b/aoc/property.te
deleted file mode 100644
index d38e3ec8..00000000
--- a/aoc/property.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# AoC
-vendor_internal_prop(vendor_aoc_prop)
-# Audio
-vendor_internal_prop(vendor_audio_prop)
diff --git a/aoc/property_contexts b/aoc/property_contexts
deleted file mode 100644
index e957de69..00000000
--- a/aoc/property_contexts
+++ /dev/null
@@ -1,13 +0,0 @@
-# AoC
-vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
-
-# for audio
-vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
-vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
-persist.vendor.audio. u:object_r:vendor_audio_prop:s0
-vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
-vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
-vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
-vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
-vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0
-vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 24c60704..ae9258aa 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -411,3 +411,22 @@ genfscon sysfs /kernel/pixel_em/active_profile u:obje
 # Privacy LED
 genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0
 genfscon sysfs /devices/platform/pwmleds/leds/green/max_brightness u:object_r:sysfs_leds:s0
+
+# AOC
+genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
+
From 3805fb18954619ca370a7417b4e00030ae420b7b Mon Sep 17 00:00:00 2001
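Review bot: The sixteen added genfscon lines reference sysfs_aoc_boottime, sysfs_aoc_firmware, sysfs_aoc, sysfs_aoc_reset and sysfs_aoc_dumpstate, while the same patch deletes aoc/file.te, which is where those types were declared; the policy only compiles if another policy directory (presumably gs-common, judging by the neighbouring "move to gs-common" patches) now declares them, and nothing in the hunk says so. A one-line pointer above the block, `# AOC (types declared in gs-common; only the gs201 sysfs paths live here)`, would save the next maintainer from chasing an undeclared-type build error. The hunk also leaves a trailing empty `+` line at end of file, which the sibling sections do not have.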
From: Lucas Wei
Date: Thu, 6 Oct 2022 10:29:59 +0800
Subject: [PATCH 076/162] SEPolicy: Don't audit search regmap by kernel
Bug: 247948906
Signed-off-by: Lucas Wei
Change-Id: I8886b5c3790036a9fe2d1ed8f524a0555b900dbb
---
 whitechapel_pro/kernel.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
index fa6c2fac..2cddb45b 100644
--- a/whitechapel_pro/kernel.te
+++ b/whitechapel_pro/kernel.te
@@ -10,3 +10,4 @@ allow kernel self:perf_event cpu;
 dontaudit kernel vendor_battery_debugfs:dir search;
 dontaudit kernel vendor_maxfg_debugfs:dir { search };
+dontaudit kernel vendor_regmap_debugfs:dir search;
From 7c683d8496fb79593ea682812e574a76ae461bdf Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 21 Oct 2022 12:38:00 +0800
Subject: [PATCH 077/162] move brcm gps solution to gs-common
Bug: 254758553
Test: google map can locate on pixel
Change-Id: I2c97ac6c327a0c32dbc9223597758bbceb72d2a3
---
 gps/device.te | 1 -
 gps/file.te | 7 -------
 gps/file_contexts | 12 ------------
 gps/genfs_contexts | 4 ----
 gps/gpsd.te | 28 ----------------------------
 gps/hal_gnss_default.te | 4 ----
 gps/lhd.te | 23 -----------------------
 gps/scd.te | 17 -----------------
 whitechapel_pro/device.te | 1 +
 whitechapel_pro/file.te | 2 ++
 whitechapel_pro/gpsd.te | 9 +++++++++
 11 files changed, 12 insertions(+), 96 deletions(-)
 delete mode 100644 gps/device.te
 delete mode 100644 gps/file.te
 delete mode 100644 gps/file_contexts
 delete mode 100644 gps/genfs_contexts
 delete mode 100644 gps/gpsd.te
 delete mode 100644 gps/hal_gnss_default.te
 delete mode 100644 gps/lhd.te
 delete mode 100644 gps/scd.te
 create mode 100644 whitechapel_pro/gpsd.te
diff --git a/gps/device.te b/gps/device.te
deleted file mode 100644
index 15d049fa..00000000
--- a/gps/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_gnss_device, dev_type;
diff --git a/gps/file.te b/gps/file.te
deleted file mode 100644
index 537afdbc..00000000
--- a/gps/file.te
+++ /dev/null
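Review bot: The new `dontaudit kernel vendor_regmap_debugfs:dir search;` silences a denial without recording what triggers it; unlike the neighbouring patches, the commit message carries no avc line, so a reader cannot tell whether the kernel is merely walking debugfs during driver init or something actually needs access. dontaudit grants nothing, so the rule is safe, but the justification should live in the policy: add a comment above the three dontaudit rules such as `# kernel-side debugfs directory walks; denial is noise only, no access granted`. On recent Android releases debugfs is not expected to be mounted on user builds, so `userdebug_or_eng` would also be a defensible wrapper if these sibling rules are revisited.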
@@ -1,7 +0,0 @@
-type vendor_gps_file, file_type, data_file_type;
-userdebug_or_eng(`
- typeattribute vendor_gps_file mlstrustedobject;
-')
-
-type sysfs_gps, sysfs_type, fs_type;
-type sysfs_gps_assert, sysfs_type, fs_type;
diff --git a/gps/file_contexts b/gps/file_contexts
deleted file mode 100644
index 8ae128e1..00000000
--- a/gps/file_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-# gnss/gps data/log files
-/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
-
-# devices
-/dev/bbd_control u:object_r:vendor_gnss_device:s0
-/dev/ttyBCM u:object_r:vendor_gnss_device:s0
-
-# vendor binaries
-/vendor/bin/hw/scd u:object_r:scd_exec:s0
-/vendor/bin/hw/lhd u:object_r:lhd_exec:s0
-/vendor/bin/hw/gpsd u:object_r:gpsd_exec:s0
-/vendor/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0
diff --git a/gps/genfs_contexts b/gps/genfs_contexts
deleted file mode 100644
index 49dfdd05..00000000
--- a/gps/genfs_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-# GPS
-genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
-genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0
-
diff --git a/gps/gpsd.te b/gps/gpsd.te
deleted file mode 100644
index 791a02e4..00000000
--- a/gps/gpsd.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type gpsd, domain;
-type gpsd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(gpsd)
-
-# Allow gpsd access PixelLogger unix socket in debug build only
-userdebug_or_eng(`
- typeattribute gpsd mlstrustedsubject;
- allow gpsd logger_app:unix_stream_socket connectto;
-')
-
-# Allow gpsd to obtain wakelock
-wakelock_use(gpsd)
-
-# Allow gpsd access data vendor gps files
-allow gpsd vendor_gps_file:dir create_dir_perms;
-allow gpsd vendor_gps_file:file create_file_perms;
-allow gpsd vendor_gps_file:fifo_file create_file_perms;
-
-# Allow gpsd to access rild
-binder_call(gpsd, rild);
-allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
-
-# Allow gpsd to access sensor service
-binder_call(gpsd, system_server);
-allow gpsd fwk_sensor_hwservice:hwservice_manager find;
-
-# Allow gpsd to access pps gpio
-allow gpsd sysfs_gps_assert:file r_file_perms;
diff --git a/gps/hal_gnss_default.te b/gps/hal_gnss_default.te
deleted file mode 100644
index e3004237..00000000
--- a/gps/hal_gnss_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Allow hal_gnss_default access data vendor gps files
-allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
-allow hal_gnss_default vendor_gps_file:file create_file_perms;
-allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
diff --git a/gps/lhd.te b/gps/lhd.te
deleted file mode 100644
index e980897c..00000000
--- a/gps/lhd.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type lhd, domain;
-type lhd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(lhd)
-
-# Allow lhd access PixelLogger unix socket in debug build only
-userdebug_or_eng(`
- typeattribute lhd mlstrustedsubject;
- allow lhd logger_app:unix_stream_socket connectto;
-')
-
-# Allow lhd access data vendor gps files
-allow lhd vendor_gps_file:dir create_dir_perms;
-allow lhd vendor_gps_file:file create_file_perms;
-allow lhd vendor_gps_file:fifo_file create_file_perms;
-
-# Allow lhd to obtain wakelock
-wakelock_use(lhd)
-
-# Allow lhd access /dev/bbd_control file
-allow lhd vendor_gnss_device:chr_file rw_file_perms;
-
-# Allow lhd access nstandby gpio
-allow lhd sysfs_gps:file rw_file_perms;
diff --git a/gps/scd.te b/gps/scd.te
deleted file mode 100644
index 28aaee0a..00000000
--- a/gps/scd.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type scd, domain;
-type scd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(scd)
-
-# Allow scd access PixelLogger unix socket in debug build only
-userdebug_or_eng(`
- typeattribute scd mlstrustedsubject;
- allow scd logger_app:unix_stream_socket connectto;
-')
-
-# Allow a base set of permissions required for network access.
-net_domain(scd);
-
-# Allow scd access data vendor gps files
-allow scd vendor_gps_file:dir create_dir_perms;
-allow scd vendor_gps_file:file create_file_perms;
-allow scd vendor_gps_file:fifo_file create_file_perms;
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index b1f5ecbf..426ebadb 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -18,6 +18,7 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
 type radio_test_device, dev_type;
+type vendor_gnss_device, dev_type;
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index cb17558c..475a3bfe 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -18,7 +18,9 @@ type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type mitigation_vendor_data_file, file_type, data_file_type;
+type vendor_gps_file, file_type, data_file_type;
 userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
 typeattribute tcpdump_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
 typeattribute radio_vendor_data_file mlstrustedobject;
diff --git a/whitechapel_pro/gpsd.te b/whitechapel_pro/gpsd.te
new file mode 100644
index 00000000..79055ecc
--- /dev/null
+++ b/whitechapel_pro/gpsd.te
@@ -0,0 +1,9 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
+
+
From 7e6dc0eabb9be5055ffb13deaa8f5ec869f80e59 Mon Sep 17 00:00:00 2001
From: Jack Wu
Date: Sat, 29 Oct 2022 11:02:08 +0800
Subject: [PATCH 078/162] ignore shell access on wlc
Bug: 238260741
Test: boot
Change-Id: I5f1d321df2daa2ec785e2ad1ac2e02478568b688
Signed-off-by: Jack Wu
---
 tracking_denials/bug_map | 1 -
 whitechapel_pro/shell.te | 3 +++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 0f9c92d7..f2b65774 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -20,6 +20,5 @@ shell mirror_data_file dir b/239484612
 shell postinstall_mnt_dir dir b/239484612
 shell rootfs file b/239484612
 shell sscoredump_vendor_data_crashinfo_file dir b/241714944
-shell sysfs_wlc dir b/238260741
 shell system_dlkm_file dir b/239484612
 su modem_img_file filesystem b/240653918
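Review bot: The new whitechapel_pro/gpsd.te declares `gpsd` and `gpsd_exec` but, unlike the deleted gps/gpsd.te, carries no `init_daemon_domain(gpsd)`, and the same patch removes the `/vendor/bin/hw/gpsd u:object_r:gpsd_exec:s0` file_contexts entry without re-adding it; unless the directory the rest moved to (presumably gs-common) supplies both, init never transitions into gpsd and the debug rules kept here apply to nothing. If the split is intentional, say so at the top of the file, e.g. `# Domain transition and file_contexts for gpsd live in gs-common; only the PixelLogger debug access is device-specific here`. Note that `mlstrustedsubject` lets gpsd bypass MLS constraints entirely, which is acceptable only because it stays inside `userdebug_or_eng`; the two trailing blank lines at end of file can go.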
diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te
index 978a5426..44ae0768 100644
--- a/whitechapel_pro/shell.te
+++ b/whitechapel_pro/shell.te
@@ -3,3 +3,6 @@ userdebug_or_eng(`
 allow shell sysfs_sjtag:dir r_dir_perms;
 allow shell sysfs_sjtag:file rw_file_perms;
 ')
+
+# wlc
+dontaudit shell sysfs_wlc:dir search;
From 13fbaff253534219edf831bf99ecd8af6744dbc5 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Thu, 27 Oct 2022 16:20:45 +0000
Subject: [PATCH 079/162] bcl: Add Mitigation Logger - Del gs201-sepolicy
Mitigation Logger logs battery related information for 1 second when it is triggered by under voltage or over current interrupts. Information collected is to help debug system brownout.
Bug: 228383769
Test: Boot and Test
Change-Id: Ia13f6b16dd35803873f20514c21a95ed8dd20a55
Signed-off-by: George Lee
---
 whitechapel_pro/battery_mitigation.te | 21 ---------------------
 whitechapel_pro/file.te | 3 ---
 whitechapel_pro/file_contexts | 2 --
 whitechapel_pro/genfs_contexts | 1 -
 whitechapel_pro/property.te | 4 ----
 whitechapel_pro/property_contexts | 4 ----
 6 files changed, 35 deletions(-)
 delete mode 100644 whitechapel_pro/battery_mitigation.te
diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te
deleted file mode 100644
index 56b83733..00000000
--- a/whitechapel_pro/battery_mitigation.te
+++ /dev/null
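Review bot: The added `dontaudit shell sysfs_wlc:dir search;` sits outside the `userdebug_or_eng` block that guards the rest of this file, so it is compiled into user builds as well, and with the bug_map entry removed in the same commit there is no longer any record in the tree of what trips the denial. dontaudit grants nothing, so this is safe, but the justification should survive in the policy: replace the bare `# wlc` with `# wlc: directory search denial from shell is noise only, tracked in b/238260741`, or move the rule into the existing userdebug_or_eng block if the denial is only ever seen on debug builds.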
@@ -1,21 +0,0 @@
-type battery_mitigation, domain;
-type battery_mitigation_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(battery_mitigation)
-get_prop(battery_mitigation, boot_status_prop)
-get_prop(battery_mitigation, vendor_startup_bugreport_requested_prop)
-set_prop(battery_mitigation, vendor_mitigation_ready_prop)
-
-hal_client_domain(battery_mitigation, hal_thermal);
-hal_client_domain(battery_mitigation, hal_health);
-
-r_dir_file(battery_mitigation, sysfs_batteryinfo)
-r_dir_file(battery_mitigation, sysfs_iio_devices)
-r_dir_file(battery_mitigation, sysfs_thermal)
-r_dir_file(battery_mitigation, thermal_link_device)
-r_dir_file(battery_mitigation, sysfs_odpm)
-allow battery_mitigation sysfs_bcl:dir r_dir_perms;
-allow battery_mitigation sysfs_bcl:file r_file_perms;
-allow battery_mitigation sysfs_bcl:lnk_file r_file_perms;
-allow battery_mitigation sysfs_thermal:lnk_file r_file_perms;
-allow battery_mitigation mitigation_vendor_data_file:dir rw_dir_perms;
-allow battery_mitigation mitigation_vendor_data_file:file create_file_perms;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 475a3bfe..abd14b81 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -17,7 +17,6 @@ type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
-type mitigation_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute vendor_gps_file mlstrustedobject;
@@ -44,14 +43,12 @@ type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
-type sysfs_bcl, sysfs_type, fs_type;
 type sysfs_touch, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_wlc, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_cpu, sysfs_type, fs_type;
-type sysfs_odpm, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
 type sysfs_pca, sysfs_type, fs_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 210866fc..9425e56f 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -41,7 +41,6 @@ /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0
-/vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0
 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0
 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
@@ -210,7 +209,6 @@ /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
 /dev/battery_history u:object_r:battery_history_device:s0
 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
-/data/vendor/mitigation(/.*)? u:object_r:mitigation_vendor_data_file:s0
 # Persist
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ae9258aa..8a9820cf 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -3,7 +3,6 @@ genfscon sysfs /devices/platform/exynos-bts u
 genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
 genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
-genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
 # CPU
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index ba0aeaac..32895e7b 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -34,7 +34,3 @@ vendor_internal_prop(vendor_dynamic_sensor_prop)
 # Telephony debug app
 vendor_internal_prop(vendor_telephony_app_prop)
-
-# Battery Mitigation
-vendor_internal_prop(vendor_mitigation_ready_prop)
-vendor_internal_prop(vendor_startup_bugreport_requested_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 9ffb51a1..14c5b07d 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -98,7 +98,3 @@ persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0
 # for vendor telephony debug app
 vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0
-
-# Battery Mitigation
-vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0
-vendor.startup_bugreport_requested u:object_r:vendor_startup_bugreport_requested_prop:s0
From 6202c44816525e1bd1489eef7c81ad762a078fb9 Mon Sep 17 00:00:00 2001
From: Gabriel Biren
Date: Wed, 26 Oct 2022 23:29:29 +0000
Subject: [PATCH 080/162] Update gs201 sepolicy to allow the wifi_ext AIDL service.
Changes should be similar to aosp/2262723.
Bug: 205044134
Test: m + Pre-submit tests
Change-Id: Ia1c784953225cb48b5320d8f1f5346a3cace005b
---
 whitechapel_pro/chre.te | 1 +
 whitechapel_pro/grilservice_app.te | 1 +
 2 files changed, 2 insertions(+)
diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te
index 4eda4096..ebee19df 100644
--- a/whitechapel_pro/chre.te
+++ b/whitechapel_pro/chre.te
@@ -18,6 +18,7 @@ usf_low_latency_transport(chre)
 # Allow CHRE to talk to the WiFi HAL
 allow chre hal_wifi_ext:binder { call transfer };
 allow chre hal_wifi_ext_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext_service:service_manager find;
 # Allow CHRE host to talk to stats service
 allow chre fwk_stats_service:service_manager find;
diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te
index 6e0dd667..7809537d 100644
--- a/whitechapel_pro/grilservice_app.te
+++ b/whitechapel_pro/grilservice_app.te
@@ -5,6 +5,7 @@ allow grilservice_app app_api_service:service_manager find;
 allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
 allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
 allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
 allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
 allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
 binder_call(grilservice_app, hal_bluetooth_btlinux)
From f03c6fb1d8824e4218f8ef589cb77b500e49da04 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 24 Oct 2022 17:00:13 -0700
Subject: [PATCH 081/162] betterbug: Update selinux policy for betterbug
Update startup_bugreport_requested property to vendor_public for betterbug to access.
Bug: 237287659
Test: Load Betterbug for accessing startup bugreport reason property
Signed-off-by: George Lee
Change-Id: Idc07e3f4ce425c0167654743fbe1ad8b7ece5e15
(cherry picked from commit d1e0b924ae1e76151985687bdb11ee25fc9a82f5)
---
 whitechapel_pro/better_bug_app.te | 11 -----------
 whitechapel_pro/seapp_contexts | 3 ---
 whitechapel_pro/vendor_init.te | 3 ---
 3 files changed, 17 deletions(-)
 delete mode 100644 whitechapel_pro/better_bug_app.te
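Review bot: The new `allow chre hal_wifi_ext_service:service_manager find;` is added next to the existing HIDL `hal_wifi_ext_hwservice:hwservice_manager find`, so chre now carries discovery rules for both transports with nothing marking the older one as transitional; a `# TODO: drop the hwservice find once the HIDL IWifiExt is retired` on the HIDL line would keep the migration from leaving a permanent double grant. The `hal_wifi_ext:binder { call transfer }` rule above already covers the AIDL server provided it runs in the `hal_wifi_ext` domain, which this hunk does not show. `hal_wifi_ext_service` must be declared and mapped in service_contexts elsewhere (presumably by the referenced aosp/2262723), otherwise the build fails on an undeclared type.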
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
deleted file mode 100644
index 506e832f..00000000
--- a/whitechapel_pro/better_bug_app.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type better_bug_app, domain, coredomain;
-
-userdebug_or_eng(`
- app_domain(better_bug_app)
- net_domain(better_bug_app)
- allow better_bug_app app_api_service:service_manager find;
- allow better_bug_app system_api_service:service_manager find;
- allow better_bug_app privapp_data_file:file execute;
- get_prop(better_bug_app, default_prop);
- get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
-')
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 77a7bd73..223c931a 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -68,6 +68,3 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
-
-# BetterBug
-user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 5de29166..dfdbf8b3 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -36,8 +36,5 @@ set_prop(vendor_init, vendor_battery_defender_prop)
 # Display
 set_prop(vendor_init, vendor_display_prop)
-
-# Battery Mitigation
-set_prop(vendor_init, vendor_startup_bugreport_requested_prop)
-
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
From e43ab3c52a0e4eb5fa06ae90df35ea5238abb627 Mon Sep 17 00:00:00 2001
From: Rick Chen
Date: Tue, 8 Nov 2022 22:44:09 +0800
Subject: [PATCH 082/162] Allow CHRE to use EPOLLWAKEUP
avc: denied { block_suspend } for comm="UsfTransport" capability=36 scontext=u:r:chre:s0 tcontext=u:r:chre:s0 tclass=capability2 permissive=0
Bug: 238666865
Test: Check no chre avc denied.
Change-Id: Ie936055550c6221beae394c264d664c1e76f946b
Signed-off-by: Rick Chen
---
 whitechapel_pro/chre.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te
index ebee19df..2531af89 100644
--- a/whitechapel_pro/chre.te
+++ b/whitechapel_pro/chre.te
@@ -26,3 +26,6 @@ binder_call(chre, stats_service_server)
 # Allow CHRE to use WakeLock
 wakelock_use(chre)
+
+# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP.
+allow chre self:global_capability2_class_set block_suspend;
From e8712e4c93a5d291a47943ec77fe9abe9e1e5dff Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 8 Nov 2022 13:31:14 +0800
Subject: [PATCH 083/162] remove edgetpu folder
Bug: 258114806
Test: build pass with the setting still active
Change-Id: I9cdf2bbe318647e1f02f152661e57f8430a9a1cb
---
 edgetpu/debug_camera_app.te | 5 -----
 edgetpu/file_contexts | 2 --
 edgetpu/genfs_contexts | 2 --
 edgetpu/google_camera_app.te | 3 ---
 whitechapel_pro/debug_camera_app.te | 5 +++++
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/genfs_contexts | 3 +++
 whitechapel_pro/google_camera_app.te | 4 ++++
 8 files changed, 13 insertions(+), 12 deletions(-)
 delete mode 100644 edgetpu/debug_camera_app.te
 delete mode 100644 edgetpu/file_contexts
 delete mode 100644 edgetpu/genfs_contexts
 delete mode 100644 edgetpu/google_camera_app.te
diff --git a/edgetpu/debug_camera_app.te b/edgetpu/debug_camera_app.te
deleted file mode 100644
index 44382239..00000000
--- a/edgetpu/debug_camera_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
- # Allows GCA-Eng to find and access the EdgeTPU.
- allow debug_camera_app edgetpu_app_service:service_manager find;
- allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-')
\ No newline at end of file
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
deleted file mode 100644
index 7b5d25ab..00000000
--- a/edgetpu/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# EdgeTPU device (DarwiNN)
-/dev/janeiro u:object_r:edgetpu_device:s0
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
deleted file mode 100644
index 78e7e959..00000000
--- a/edgetpu/genfs_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0
diff --git a/edgetpu/google_camera_app.te b/edgetpu/google_camera_app.te
deleted file mode 100644
index a0ad7316..00000000
--- a/edgetpu/google_camera_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allows GCA to find and access the EdgeTPU.
-allow google_camera_app edgetpu_app_service:service_manager find;
-allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
index 7ef8ab46..5342fb74 100644
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
@@ -20,3 +20,8 @@ userdebug_or_eng(`
 # Allows camera app to access the PowerHAL.
 hal_client_domain(debug_camera_app, hal_power)
 ')
+userdebug_or_eng(`
+ # Allows GCA-Eng to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+')
\ No newline at end of file
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 19bc8442..4aea8c79 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
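Review bot: The added EdgeTPU rules open a second `userdebug_or_eng(` block immediately after the `')` context line that closes the existing one, and the file now ends without a newline (`\ No newline at end of file`); both are carried over verbatim from the deleted edgetpu/debug_camera_app.te rather than merged into the file they landed in. Fold the comment and the two `allow` lines into the existing userdebug_or_eng block and terminate the file with a newline. The existing block opens before this hunk, so its start is not visible here.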
@@ -80,6 +80,7 @@ /dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0 /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 +/dev/janeiro u:object_r:edgetpu_device:s0 /dev/bigocean u:object_r:video_device:s0 /dev/goodix_fp u:object_r:fingerprint_device:s0 /dev/stmvl53l1_ranging u:object_r:rls_device:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 12ab5b97..54d97fb6 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -4,6 +4,9 @@ genfscon sysfs /devices/platform/exynos-bts/bts_stats u genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 +# EdgeTPU +genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0 + # CPU genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te index 54f2d664..43e3c16e 100644 --- a/whitechapel_pro/google_camera_app.te +++ b/whitechapel_pro/google_camera_app.te @@ -17,3 +17,7 @@ allow google_camera_app vendor_fw_file:dir search; # Allows camera app to access the PowerHAL. hal_client_domain(google_camera_app, hal_power) + +# Allows GCA to find and access the EdgeTPU. +allow google_camera_app edgetpu_app_service:service_manager find; +allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; From 92e5ed6d554f7277b350bf6a582c511d936a2447 Mon Sep 17 00:00:00 2001 
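Review bot: `allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };` in the google_camera_app.te hunk gives a user-build app domain unrestricted `ioctl` (no `allowxperm` filter) plus `map` on the EdgeTPU device node, i.e. the full kernel-driver command surface if the camera app is compromised. If the ioctl commands GCA actually issues are known, add `allowxperm google_camera_app edgetpu_device:chr_file ioctl { ... }` with that allowlist; if they are not, the comment should at least say why the broad set is required outside `userdebug_or_eng`. The rule is only relocated by this commit, so the point is about the rule itself rather than the move.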
From: Adam Shih Date: Mon, 17 Oct 2022 13:38:12 +0800 Subject: [PATCH 084/162] move sensors dump to gs-common Bug: 250475720 Test: adb bugreport Change-Id: I09553d0facd7fdca13a8a3e4bdcb70be8265db25 --- whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 2 -- whitechapel_pro/hal_dumpstate_default.te | 11 ----------- 3 files changed, 15 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index d7ee4425..846b578b 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -87,8 +87,6 @@ type chre_socket, file_type; type proc_f2fs, proc_type, fs_type; # Vendor tools -type vendor_usf_stats, vendor_file_type, file_type; -type vendor_usf_reg_edit, vendor_file_type, file_type; type vendor_dumpsys, vendor_file_type, file_type; # Modem diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4aea8c79..1a0a9ec6 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -14,8 +14,6 @@ /vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 -/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 -/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 88c7073d..2dcbe872 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -3,14 +3,6 @@ allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; allow hal_dumpstate_default sysfs_cpu:file r_file_perms; -allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; -allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; - -userdebug_or_eng(` - allow hal_dumpstate_default sensor_debug_data_file:dir r_dir_perms; - allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms; -') - allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms; allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; @@ -56,9 +48,6 @@ allow hal_dumpstate_default vendor_slog_file:file r_file_perms; allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; -allow hal_dumpstate_default device:dir r_dir_perms; -allow hal_dumpstate_default aoc_device:chr_file rw_file_perms; - allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; allow hal_dumpstate_default proc_f2fs:file r_file_perms; From e43c8b3913f0a6dfe8738318690584740b7bebb7 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Fri, 21 Oct 2022 14:59:31 -0700 Subject: [PATCH 085/162] gs201-sepolicy: pixelstats: enable pixelstats access to perf-metrics enable pixelstats access to sysfs path, define sysfs_perfmetrics Bug: 227809911 Bug: 232541623 Test: Tested perf-metrics Signed-off-by: Ziyi Cui Change-Id: If1b95148b59a6816c6795921018dfae68d80550b --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/pixelstats_vendor.te | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 846b578b..f4578773 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -113,3 +113,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type; # Touch type proc_touch, proc_type, fs_type; + +#perf-metrics +type sysfs_vendor_metrics, fs_type, sysfs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 54d97fb6..427c8f0e 100644 
--- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -384,6 +384,10 @@ genfscon sysfs /module/gs_thermal/parameters u:object_r:sysfs_thermal:s0 genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 +#perf-metrics +genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0 + # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0 diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index d327a30d..4ec563f6 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -30,3 +30,7 @@ allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; + +#perf-metrics +r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) +allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms; From 60b73a5b2876323672db1be57912ed9f0b697b17 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 8 Nov 2022 10:31:13 +0800 Subject: [PATCH 086/162] remove raven touch path Bug: 256521567 Test: device does not have the file Change-Id: I1c0335536f7039724f7e6594fd3959610b56335e --- whitechapel_pro/genfs_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 427c8f0e..7376b023 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -25,7 +25,6 @@ genfscon sysfs /devices/soc0/revision u # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 -genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 genfscon proc /focaltech_touch u:object_r:proc_touch:s0 # tracefs From 4952bdc68c424a97893721778860d974ae343919 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 17 Nov 2022 10:33:25 +0800 Subject: [PATCH 087/162] move syna settings to gs-common Bug: 256521567 Test: adb bugreport Change-Id: Idbec89a1a2c8bac63850ad4915a40500d067d49e --- whitechapel_pro/genfs_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 7376b023..ed314310 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -24,7 +24,6 @@ genfscon sysfs /devices/soc0/machine u genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0 # Touch -genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 genfscon proc /focaltech_touch u:object_r:proc_touch:s0 # tracefs From 80f2221562f5e48c00c4c2cb3f89f8ce13411151 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 18 Nov 2022 13:27:11 +0800 Subject: [PATCH 088/162] move focaltech sepolicy to gs-common Bug: 256521567 Test: adb bugreport Change-Id: If58b8df0b89dc4d20240af46502a94eebe81f66f --- whitechapel_pro/file.te | 3 --- whitechapel_pro/genfs_contexts | 3 --- whitechapel_pro/hal_dumpstate_default.te | 3 --- whitechapel_pro/vendor_init.te | 3 --- 4 files changed, 12 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index f4578773..621af916 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -111,8 +111,5 @@ userdebug_or_eng(` # USB-C throttling stats type sysfs_usbc_throttling_stats, sysfs_type, fs_type; -# Touch -type proc_touch, proc_type, fs_type; - #perf-metrics type sysfs_vendor_metrics, fs_type, sysfs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index ed314310..c3558ccb 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -23,9 +23,6 @@ genfscon sysfs /devices/platform/28000000.mali/uid_time_in_state genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0 genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0 -# Touch -genfscon proc /focaltech_touch u:object_r:proc_touch:s0 - # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index c81af2fa..91f4a8ce 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -54,9 +54,6 @@ allow hal_dumpstate_default proc_f2fs:file r_file_perms; allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; allow hal_dumpstate_default sysfs_touch:file rw_file_perms; -allow hal_dumpstate_default proc_touch:dir r_dir_perms; -allow hal_dumpstate_default proc_touch:file rw_file_perms; - allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; binder_call(hal_dumpstate_default, hal_graphics_composer_default); allow hal_dumpstate_default sysfs_display:dir r_dir_perms; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index dfdbf8b3..6727a0ac 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -25,9 +25,6 @@ allow vendor_init sysfs_st33spi:file w_file_perms; # Fingerprint property set_prop(vendor_init, vendor_fingerprint_prop) -# Touch -allow vendor_init proc_touch:file w_file_perms; - allow vendor_init modem_img_file:filesystem { getattr }; # Battery 
From 2dc65d6b5c004499c34bd9772fc41a8e2910180c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 23 Nov 2022 14:38:22 +0800 Subject: [PATCH 089/162] use gs-common thermal dump Bug: 257880034 Test: adb bugreport Change-Id: Ib5940bce520ca04ee6cb31f5268f0f86dedadf6e --- whitechapel_pro/genfs_contexts | 2 -- whitechapel_pro/hal_dumpstate_default.te | 3 --- 2 files changed, 5 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index c3558ccb..cc626730 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -375,8 +375,6 @@ genfscon sysfs /devices/platform/100b0000.G3D u:obje genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.AUR u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters u:object_r:sysfs_thermal:s0 - genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 #perf-metrics diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 91f4a8ce..3337e35e 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -18,9 +18,6 @@ allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; -allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; -allow hal_dumpstate_default sysfs_thermal:file r_file_perms; - allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; allow hal_dumpstate_default sysfs_bcl:file r_file_perms; From c03e9b58db7b7525d0e0a00e1dd4bf8788919dd6 Mon Sep 17 00:00:00 2001 
From: Stephen Crane Date: Tue, 22 Nov 2022 23:38:29 +0000 Subject: [PATCH 090/162] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: build, flash, test app loading Bug: 258018785 Change-Id: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d --- whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/tee.te | 2 ++ whitechapel_pro/vendor_init.te | 3 +++ 4 files changed, 11 insertions(+) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 32895e7b..2d4714ae 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -34,3 +34,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) + +# Trusty storage FS ready +vendor_internal_prop(vendor_trusty_storage_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 14c5b07d..c6f1428e 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -98,3 +98,6 @@ persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0 # for vendor telephony debug app vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0 + +# Trusty +ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index f93bf59e..256fb384 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te @@ -11,3 +11,5 @@ allow tee sg_device:chr_file rw_file_perms; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) + +set_prop(tee, vendor_trusty_storage_prop) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 6727a0ac..dfbd3d75 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te 
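Review bot: `ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0` in the property_contexts hunk is a prefix entry, so it also labels any property whose name starts with that string and it pins no value type. Because this is a single read-only flag, declare it exactly, e.g. `ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 exact bool` (use `exact int`/`exact string` if storageproxyd writes something other than a boolean — confirm against the daemon). The `ro.` prefix means the first set wins and it can never be cleared, which matches the "set when ready" description but is worth stating in the `# Trusty` comment so nobody later expects to reset it.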
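Review bot: `set_prop(tee, vendor_trusty_storage_prop)` in the tee.te hunk has no explanatory comment, unlike the neighbouring `# Allow storageproxyd access to gsi_public_metadata_file` rule; add `# Allow storageproxyd to publish ro.vendor.trusty.storage.fs_ready once the data filesystems are mounted`. Note that `tee` is the shared domain for every process labeled `tee_exec`, so any other Trusty-side daemon in that domain can also set the property; since it is `ro.`, whichever writes first fixes the value.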
@@ -35,3 +35,6 @@ set_prop(vendor_init, vendor_display_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; + +# Trusty storage FS ready +get_prop(vendor_init, vendor_trusty_storage_prop) From 2e98f5f763a23487c9abcb5a74d9ebc2deae49c8 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Wed, 23 Nov 2022 02:49:13 +0000 Subject: [PATCH 091/162] gs201-sepolicy: pixelstats:remove type definition to perf-metrics move type definition to gs-common Bug: 227809911 Bug: 232541623 Test: Tested perf-metrics Change-Id: I8120f682b12137dfea164912efa0fa0417cb5dd3 Signed-off-by: Ziyi Cui --- whitechapel_pro/file.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 621af916..b7495d67 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -110,6 +110,3 @@ userdebug_or_eng(` # USB-C throttling stats type sysfs_usbc_throttling_stats, sysfs_type, fs_type; - -#perf-metrics -type sysfs_vendor_metrics, fs_type, sysfs_type; From 5b3d90132a984db3d52cc6fc8e37ae8b7147b9d5 Mon Sep 17 00:00:00 2001 From: Cheng Chang Date: Wed, 23 Nov 2022 07:02:09 +0000 Subject: [PATCH 092/162] gps: nstandby path depend on platform Bug: 259353063 Test: no avc denied about nstandby Change-Id: Ibf72cfd37837d2a9024b82118cd045a2724c9179 --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index cc626730..30cf5273 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -434,3 +434,5 @@ genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:ob genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +# GPS +genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 
From 8586ba78c296a83688003863a77b51fb7e980a75 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Fri, 25 Nov 2022 05:49:15 +0000 Subject: [PATCH 093/162] gs201-sepolicy:move perf_metrics genf_contexts from gs201 to gs-common Bug: 227809911 Bug: 232541623 Test: test adb bugreport Change-Id: I83fc6c8b1adffe9a58e1a3389036461db49efe77 Signed-off-by: Ziyi Cui --- whitechapel_pro/genfs_contexts | 4 ---- 1 file changed, 4 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 30cf5273..6c6cadd5 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -377,10 +377,6 @@ genfscon sysfs /devices/platform/100b0000.AUR u:obje genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 -#perf-metrics -genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0 -genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0 - # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0 From 304509819e650f5d01579ba042786d20ebd5bcc2 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 28 Nov 2022 14:14:42 +0800 Subject: [PATCH 094/162] move touch dump to gs-common Bug: 256521567 Test: adb bugreport Change-Id: I198c227508606baf434de456f80477ce6bebcede --- whitechapel_pro/file.te | 1 - whitechapel_pro/hal_dumpstate_default.te | 3 --- 2 files changed, 4 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index b7495d67..9281a8b2 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -43,7 +43,6 @@ type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; -type sysfs_touch, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 3337e35e..2f7e1d91 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -48,9 +48,6 @@ allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; allow hal_dumpstate_default proc_f2fs:file r_file_perms; -allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; -allow hal_dumpstate_default sysfs_touch:file rw_file_perms; - allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; binder_call(hal_dumpstate_default, hal_graphics_composer_default); allow hal_dumpstate_default sysfs_display:dir r_dir_perms; From 2295e34d687925994225bd79a4eeca0f11be22c2 Mon Sep 17 00:00:00 2001 
From: Vaibhav Devmurari Date: Mon, 21 Nov 2022 17:39:22 +0000 Subject: [PATCH 095/162] Add SePolicy for system_server accessing sysfs for USB devices Add SePolicy to allow Android input manager accessing sysfs nodes for external USB devices To support input device lights manager feature in frameworks, provide sysfs node access to system server process. DD: go/pk_backlight_control (For keyboard backlight control for external keyboards) Similar changes: ag/20092266 Kernel provides a standardized LED interface to expose LED controls over sysfs: https://docs.kernel.org/leds/leds-class.html The feature will be provided for devices with kernel sysfs class led support and vendor kernel driver for input controllers that do have lights. The kernel sysfs class led support is a kernel config option (LEDS_CLASS), and an input device driver will create the sysfs class node interface. By giving system_server the access to these sysfs nodes, the feature will work on devices with the kernel option and kernel input/hid driver support. We do use CTS tests to enforce the kernel options and the input device drivers. What's already supported? - We already support access to UHID sysfs node which used for all bluetooth based external peripherals What's included in this CL? - Adding support to access sysfs nodes for USB based external devices Test: manual Bug: 245506418 Change-Id: I51c642ffe7293f793b7b6a131e8d2a37aea4a547 --- whitechapel_pro/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 6c6cadd5..2cbc6919 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -127,6 +127,10 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 +# Input +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 + # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 From 5712ba4dec1cc583b8d2e19590b735be2cb25ff2 Mon Sep 17 00:00:00 2001 From: George Lee Date: Sun, 11 Dec 2022 21:02:09 -0800 Subject: [PATCH 096/162] Add BrownoutDetected Events - gs201 sepolicy Brownout Detection is detected during the boot sequence. If the previous shutdown resulted in a reboot reason that has *ocp* or *uvlo* in it, the shutdown was due to brownout. Mitigation Logger should have logged the device state during the brownout. This event metric is to surface the logged data. Bug: 250009365 Test: Confirm triggering of events Ignore-AOSP-First: to detect brownout. Change-Id: Idfc02a8bde6088a5c504ee72014537555af78b04 Signed-off-by: George Lee --- whitechapel_pro/pixelstats_vendor.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 4ec563f6..48877bd9 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te 
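Review bot: The two `genfscon sysfs .../usb2/2-1 u:object_r:sysfs_uhid:s0` lines label the entire sysfs subtree of root-hub port 2-1, not only LED/backlight nodes: genfscon matches by path prefix, so every attribute of whatever device is attached to that port, including devices behind a hub (`2-1.1`, `2-1.2`, …), becomes `sysfs_uhid`. Any domain holding `sysfs_uhid` rules therefore sees — or, if those rules include write, can touch — mass-storage, network and other USB device attributes on that port; the `sysfs_uhid` rules themselves are not in this patch, so confirm they are read-only for system_server. Add a comment above the entries stating that the label intentionally covers the whole port and why a narrower path was not usable.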
@@ -34,3 +34,10 @@ allow pixelstats_vendor sysfs_bcl:file r_file_perms; #perf-metrics r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms; + +# BCL +allow pixelstats_vendor sysfs_bcl:dir search; +allow pixelstats_vendor sysfs_bcl:file r_file_perms; +allow pixelstats_vendor mitigation_vendor_data_file:dir search; +allow pixelstats_vendor mitigation_vendor_data_file:file { read write }; +get_prop(pixelstats_vendor, vendor_brownout_reason_prop); From ca38b9685bcf7fdc91482daaeb0bd0c701446575 Mon Sep 17 00:00:00 2001 From: Taylor Nelms Date: Mon, 5 Dec 2022 15:21:32 +0000 Subject: [PATCH 097/162] Modify permissions to allow dumpstate process to access decon_counters node Bug: 240346564 Test: Build for Cheetah device with "user" build, check bugreport for decon_counters content Change-Id: I656ebdcd0f92f2cc3e16de19075e94ada339a39b Signed-off-by: Taylor Nelms --- whitechapel_pro/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 2cbc6919..d74ed5d4 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
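Review bot: The `allow pixelstats_vendor sysfs_bcl:dir search;` / `sysfs_bcl:file r_file_perms;` pair added under the new `# BCL` comment duplicates the identical rules already present directly above the hunk (they appear as its leading context), so the two added lines should be dropped. `allow pixelstats_vendor mitigation_vendor_data_file:file { read write };` grants `write` although the description says the daemon only surfaces logged data, and it omits `open`, so pixelstats can only use descriptors it is handed rather than open the files itself; if it opens them, `r_file_perms` (or `rw_file_perms` only if it genuinely rewrites the log) is the right set. A one-line comment on the `mitigation_vendor_data_file` rule saying what is read and whether it is ever written would settle the choice.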
@@ -141,6 +141,9 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/osc2_clk_kh genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c240000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c241000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c242000.drmdecon/counters u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 From 46ae2b14628d3f73ab11002e4c8c122d340e112f Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Mon, 19 Dec 2022 06:15:13 +0000 Subject: [PATCH 098/162] WLC: Remove sysfs_wlc sepolicy Bug: 237600973 Change-Id: Iadd90d55aca37fead3e5528d39df7866c9807205 Signed-off-by: Ken Yang --- whitechapel_pro/file.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 9281a8b2..521671af 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -44,7 +44,6 @@ type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; -type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; type sysfs_cpu, sysfs_type, fs_type; From 1b4f3771ee5e0b89953d16ee28823b0b9c749cd5 Mon Sep 17 00:00:00 2001 
From: David Drysdale Date: Tue, 6 Dec 2022 15:40:05 +0000 Subject: [PATCH 099/162] Map Rust KeyMint to same SELinux policy as C++ Allow the Rust and C++ implementations of the KeyMint HAL service to be toggled easily, by mapping them to the same SELinux policy. Bug: 197891150 Bug: 225036046 Test: VtsAidlKeyMintTargetTest with local changes, TreeHugger Change-Id: I37f8016240097381410903f0f326dc16fc24db1e --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index d0a92a9c..4c5f92e1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -18,6 +18,7 @@ /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0 From b3bbcd45541913bf08a2b217ed7e418f1c06d2eb Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Thu, 5 Jan 2023 06:51:08 +0000 Subject: [PATCH 100/162] WLC: Cleanup the sysfs_wlc policies The sepolicy must be self-contained without including wirelss_charger to avoid build break in AOSP Bug: 263830018 Change-Id: Ib3e36c9bb4b3048ce97592c3f68260035a32239d 
Signed-off-by: Ken Yang --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 7 ------- whitechapel_pro/hal_dumpstate_default.te | 3 --- whitechapel_pro/hal_health_default.te | 1 - whitechapel_pro/hal_sensors_default.te | 2 -- whitechapel_pro/hal_wireless_charger.te | 2 ++ whitechapel_pro/hal_wlc.te | 2 -- whitechapel_pro/pixelstats_vendor.te | 3 --- whitechapel_pro/platform_app.te | 4 ++++ whitechapel_pro/service.te | 3 +++ whitechapel_pro/service_contexts | 2 ++ whitechapel_pro/shell.te | 3 --- whitechapel_pro/system_app.te | 5 +++-- 13 files changed, 17 insertions(+), 23 deletions(-) create mode 100644 whitechapel_pro/hal_wireless_charger.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 521671af..9852b023 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -108,3 +108,6 @@ userdebug_or_eng(` # USB-C throttling stats type sysfs_usbc_throttling_stats, sysfs_type, fs_type; + +# WLC +type sysfs_wlc, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index d74ed5d4..a1e00e11 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
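Review bot: After this patch `sysfs_wlc` is declared again in file.te, but nothing in this tree uses it: every `genfscon … u:object_r:sysfs_wlc:s0` entry is removed from genfs_contexts and every `allow … sysfs_wlc` rule is removed from the domain files, so within gs201-sepolicy the type is dead. If the intent is that the out-of-tree wireless_charger policy supplies the labels and rules (the description says this tree must build without it), say so, e.g. `# WLC sysfs type; genfscon entries and rules are supplied by the wireless_charger policy`. If that policy also declares the type, building both together will fail on the duplicate `type` declaration, so confirm it only adds rules.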
@@ -210,25 +210,18 @@ genfscon sysfs /devices/pseudo_0/adapter0/host1/target1:0:0/1:0:0:0/block/sde # P22 battery genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom 
u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply u:object_r:sysfs_batteryinfo:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 2e8ac6d7..80116c44 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -9,9 +9,6 @@ allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; -allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; -allow hal_dumpstate_default sysfs_wlc:file r_file_perms; - allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index f9c888d9..bd6efecb 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -12,7 +12,6 @@ allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_health_default fwk_stats_service:service_manager find; binder_use(hal_health_default) -allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index fcd758a4..06f395a8 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te 
@@ -84,5 +84,3 @@ allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
 # Allow access to the power supply files for MagCC.
 r_dir_file(hal_sensors_default, sysfs_batteryinfo)
-allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
-
diff --git a/whitechapel_pro/hal_wireless_charger.te b/whitechapel_pro/hal_wireless_charger.te
new file mode 100644
index 00000000..04b3e5e2
--- /dev/null
+++ b/whitechapel_pro/hal_wireless_charger.te
@@ -0,0 +1,2 @@
+type hal_wireless_charger, domain;
+type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
diff --git a/whitechapel_pro/hal_wlc.te b/whitechapel_pro/hal_wlc.te
index 80eb1674..1cf9d034 100644
--- a/whitechapel_pro/hal_wlc.te
+++ b/whitechapel_pro/hal_wlc.te
@@ -7,8 +7,6 @@ add_hwservice(hal_wlc, hal_wlc_hwservice)
 get_prop(hal_wlc, hwservicemanager_prop)
 r_dir_file(hal_wlc, sysfs_batteryinfo)
-allow hal_wlc sysfs_wlc:dir r_dir_perms;
-allow hal_wlc sysfs_wlc:file rw_file_perms;
 allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 90094635..b5b1594f 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -6,9 +6,6 @@ hwbinder_use(pixelstats_vendor)
 allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
 allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
-# Wireless charge
-allow pixelstats_vendor sysfs_wlc:dir search;
-allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
 # Wireless charge/OrientationCollector
 get_prop(pixelstats_vendor, hwservicemanager_prop);
 hwbinder_use(pixelstats_vendor);
diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te
index 9021c1a8..1891caef 100644
--- a/whitechapel_pro/platform_app.te
+++ b/whitechapel_pro/platform_app.te
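Review bot: The new domain in hal_wireless_charger.te is declared with only the `domain` attribute and an exec type; nothing in this two-line file, or elsewhere in this chunk, gives it `init_daemon_domain`, `binder_use`, or an `add_service` for the `hal_wireless_charger_service` type that service.te declares in the same commit, and no file_contexts entry assigning `hal_wireless_charger_exec` to a binary is visible. If those rules live in gs-common or in a part of this commit outside this view, a one-line comment saying so would save the next reader the hunt; otherwise init never transitions into the domain and the service cannot be registered, so the clients' `find` rules are dead. The minimal set I would expect next to the two type lines is `init_daemon_domain(hal_wireless_charger)`, `binder_use(hal_wireless_charger)` and `add_service(hal_wireless_charger, hal_wireless_charger_service)`.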
@@ -17,3 +17,7 @@ binder_call(platform_app, hal_wlc) # allow udfps of systemui access lhbm binder_call(platform_app, hal_graphics_composer_default) + +# WLC +allow platform_app hal_wireless_charger_service:service_manager find; +binder_call(platform_app, hal_wireless_charger) diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te index b87c99e1..1c49d4f8 100644 --- a/whitechapel_pro/service.te +++ b/whitechapel_pro/service.te @@ -1,2 +1,5 @@ type hal_pixel_display_service, service_manager_type, hal_service_type; type hal_uwb_vendor_service, service_manager_type, hal_service_type; + +# WLC +type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index 5df34411..a3849bb7 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts @@ -1,2 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 + +vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te index 44ae0768..978a5426 100644 --- a/whitechapel_pro/shell.te +++ b/whitechapel_pro/shell.te @@ -3,6 +3,3 @@ userdebug_or_eng(` allow shell sysfs_sjtag:dir r_dir_perms; allow shell sysfs_sjtag:file rw_file_perms; ') - -# wlc -dontaudit shell sysfs_wlc:dir search; diff --git a/whitechapel_pro/system_app.te b/whitechapel_pro/system_app.te index c1560e6e..4677e980 100644 --- a/whitechapel_pro/system_app.te +++ b/whitechapel_pro/system_app.te @@ -1,2 +1,3 @@ -allow system_app hal_wlc_hwservice:hwservice_manager find; -binder_call(system_app, hal_wlc) +# WLC +allow system_app hal_wireless_charger_service:service_manager find; +binder_call(system_app, hal_wireless_charger) From 68bf64905bc3ab4237e27d3f7a982de3bd63d355 Mon Sep 17 00:00:00 2001 
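Review bot: platform_app keeps the HIDL path next to the new AIDL one: the hunk's context line still shows `binder_call(platform_app, hal_wlc)` while `allow platform_app hal_wireless_charger_service:service_manager find;` and `binder_call(platform_app, hal_wireless_charger)` are added, whereas system_app.te in the same commit replaces its `hal_wlc_hwservice` find outright. If the HIDL wireless-charger HAL is being retired, platform_app's hal_wlc rules should be dropped in the same series, or a comment should mark them as transitional with the bug tracking their removal, so the app does not keep two routes into charger control indefinitely. Separately, `binder_call(platform_app, hal_wireless_charger)` only covers calls into the HAL; if the AIDL interface delivers callbacks to the app, the reverse `binder_call(hal_wireless_charger, platform_app)` is also needed, which is worth confirming against the interface now rather than after the denials show up in bugreports.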
From: Doug Zobel Date: Wed, 11 Jan 2023 18:44:08 -0600 Subject: [PATCH 101/162] Add sepolicy for PCIe link statistics PCIe link statistics collected by dumpstate and pixelstats. Test: adb bugreport && unzip bugreport*.zip && grep link_stats dumpstate_board.txt; adb logcat "pixelstats-vendor:D *:S" Bug: 264287533 Change-Id: I173ba399a60f29aa8a5edf1e86f97f214b4879c8 Signed-off-by: Doug Zobel --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/hal_dumpstate_default.te | 3 +++ whitechapel_pro/pixelstats_vendor.te | 4 ++++ 4 files changed, 12 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 9852b023..740eebb9 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -43,6 +43,7 @@ type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; +type sysfs_exynos_pcie_stats, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index a1e00e11..68caba73 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -377,6 +377,10 @@ genfscon sysfs /devices/platform/100b0000.AUR u:obje genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 +# PCIe link +genfscon sysfs /devices/platform/14520000.pcie/link_stats u:object_r:sysfs_exynos_pcie_stats:s0 +genfscon sysfs /devices/platform/11920000.pcie/link_stats u:object_r:sysfs_exynos_pcie_stats:s0 + # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0 
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 80116c44..23832cf1 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -12,6 +12,9 @@ allow hal_dumpstate_default vendor_gps_file:file r_file_perms; allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; +allow hal_dumpstate_default sysfs_exynos_pcie_stats:dir r_dir_perms; +allow hal_dumpstate_default sysfs_exynos_pcie_stats:file r_file_perms; + allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index b5b1594f..23bff0ba 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -31,6 +31,10 @@ allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; +# PCIe statistics +allow pixelstats_vendor sysfs_exynos_pcie_stats:dir search; +allow pixelstats_vendor sysfs_exynos_pcie_stats:file rw_file_perms; + #perf-metrics r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms; From 59de0efcca82b576feb6f25238286d536c1df818 Mon Sep 17 00:00:00 2001 From: Long Ling Date: Mon, 23 Jan 2023 17:46:11 -0800 Subject: [PATCH 102/162] Set context for sysfs file refresh_rate Bug: 263821118 Change-Id: Icdba0553fd5228822ce271ef16b877d4bef9f73e --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 68caba73..ebb78283 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
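Review bot: pixelstats_vendor is granted `rw_file_perms` on `sysfs_exynos_pcie_stats` while hal_dumpstate_default in the same commit gets `r_file_perms`, and the commit message only describes the link statistics as being collected. If the collector only reads `link_stats`, narrow the rule to `allow pixelstats_vendor sysfs_exynos_pcie_stats:file r_file_perms;`; if it writes to reset the counters after sampling, say so in the heading, e.g. `# PCIe statistics (read, then cleared by writing)`, so the write grant on a kernel node is documented rather than implicit. Keeping the smaller grant matters because `sysfs_exynos_pcie_stats` labels the node directly and any later consumer is likely to copy this rule verbatim.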
@@ -149,11 +149,13 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0 From 1d9a7c5877e9c914c159397a82a2224edabfca62 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Tue, 31 Jan 2023 15:10:41 +0000 Subject: [PATCH 103/162] WLC: Add required sysfs_wlc sepolicies The sysfs_wlc is still required for certain services like hal_health_default. Add these sepolicies to pass the tests. Bug: 267171670 Change-Id: Id2687a4ac72e04e537704d036155167b68aeca7c Signed-off-by: Ken Yang --- whitechapel_pro/hal_dumpstate_default.te | 4 ++++ whitechapel_pro/hal_health_default.te | 1 + whitechapel_pro/hal_sensors_default.te | 1 + whitechapel_pro/pixelstats_vendor.te | 3 +++ whitechapel_pro/shell.te | 3 +++ 5 files changed, 12 insertions(+) 
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 23832cf1..bdf64e85 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -9,6 +9,10 @@ allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms;
 allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
 allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
+allow hal_dumpstate_default sysfs_wlc:dir search;
+allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index bd6efecb..f9c888d9 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
@@ -12,6 +12,7 @@ allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
 allow hal_health_default fwk_stats_service:service_manager find;
 binder_use(hal_health_default)
+allow hal_health_default sysfs_wlc:dir search;
 allow hal_health_default sysfs_batteryinfo:file w_file_perms;
 allow hal_health_default sysfs_thermal:dir search;
 allow hal_health_default sysfs_thermal:file w_file_perms;
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
index 06f395a8..076ceaf7 100644
--- a/whitechapel_pro/hal_sensors_default.te
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -84,3 +84,4 @@ allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
 # Allow access to the power supply files for MagCC.
 r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 23bff0ba..48fd6e8f 100644
--- a/whitechapel_pro/pixelstats_vendor.te
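Review bot: `allow hal_dumpstate_default sysfs_wlc:dir search;` on the first added line is redundant with the `r_dir_perms` grant directly below it (r_dir_perms already includes search), so one of the two should go. More importantly, the `sysfs_wlc` genfscon entries for the `i2c-p9412` nodes were removed earlier in this series and this patch's diffstat touches only .te files, so unless the label is still applied from gs-common or another tree these rules grant access to objects that no longer carry the type; a comment naming where the label now comes from (or the bug) would make the "pass the tests" justification concrete. If the rules exist only to satisfy a policy test rather than a real access path, stating that too would let them be removed cleanly once the type is retired.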
+++ b/whitechapel_pro/pixelstats_vendor.te @@ -6,6 +6,9 @@ hwbinder_use(pixelstats_vendor) allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; +# Wireless charge +allow pixelstats_vendor sysfs_wlc:dir search; +allow pixelstats_vendor sysfs_wlc:file rw_file_perms; # Wireless charge/OrientationCollector get_prop(pixelstats_vendor, hwservicemanager_prop); hwbinder_use(pixelstats_vendor); diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te index 978a5426..44ae0768 100644 --- a/whitechapel_pro/shell.te +++ b/whitechapel_pro/shell.te @@ -3,3 +3,6 @@ userdebug_or_eng(` allow shell sysfs_sjtag:dir r_dir_perms; allow shell sysfs_sjtag:file rw_file_perms; ') + +# wlc +dontaudit shell sysfs_wlc:dir search; From 4c372ff5cd9c4a26aa64af33f757f7d8dd989503 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Fri, 10 Feb 2023 10:20:48 +0800 Subject: [PATCH 104/162] Update SELinux error Test: scanBugreport Bug: 268147113 Bug: 268566483 Bug: 268147092 Change-Id: Ia0755baf0d2b9cd02e9d69da29cf87120ae13bbe --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f2b65774..db7752dd 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
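Review bot: This restores `allow pixelstats_vendor sysfs_wlc:file rw_file_perms;` with no justification beyond passing tests, and write access to the charger sysfs nodes is the broadest of the sysfs_wlc grants re-added in this patch (hal_dumpstate_default, hal_health_default and hal_sensors_default get read or search only). If pixelstats only samples wireless-charger statistics, `r_file_perms` is enough; if it genuinely writes (for instance to reset counters), a comment naming the node and the reason would keep the write grant from being copied forward unexamined. The bare `# Wireless charge` heading immediately followed by `# Wireless charge/OrientationCollector` also reads as two headings for one thing; merging them or naming the sysfs nodes in the first would help.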
@@ -1,13 +1,16 @@ cat_engine_service_app system_app_data_file dir b/238705599 +dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 dumpstate system_data_file dir b/239484651 hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_drm_widevine default_prop file b/237492145 +hal_dumpstate_default dump_thermal process b/268566483 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 +incidentd incidentd anon_inode b/268147092 init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 From 333b450ee7544e34a7ea945405f18d965e787710 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Feb 2023 12:39:37 +0800 Subject: [PATCH 105/162] move tablet settings to gs-common Bug: 240530709 Test: adb bugreport Change-Id: I2bac842aaab1737b2fcecd232e82d49f00439607 --- whitechapel_pro/file.te | 1 - whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_dumpstate_default.te | 7 ------- 3 files changed, 9 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 740eebb9..80f42f25 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -77,7 +77,6 @@ type persist_sensor_reg_file, file_type, vendor_persist_type; type persist_ss_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; type persist_display_file, file_type, vendor_persist_type; -type persist_leds_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 34232390..df0a82c4 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
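Review bot: `dump_pixel_metrics sysfs file b/268147113` tracks a denial against the generic `sysfs` label, which usually means the node dump_pixel_metrics reads has no genfscon entry of its own. The durable fix is a dedicated type plus a narrow allow rule, as this series does for `sysfs_exynos_pcie_stats`, rather than an eventual grant on plain `sysfs`; the bug should capture the actual sysfs path so the follow-up lands as a genfscon label. The other two additions look like ordinary tracking entries and raise nothing on their own.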
@@ -222,7 +222,6 @@ /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 -/mnt/vendor/persist/led(/.*)? u:object_r:persist_leds_file:s0 # Extra mount images /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index bdf64e85..2ae050ab 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -72,13 +72,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; -userdebug_or_eng(` - allow hal_dumpstate_default sysfs_leds:dir search; - allow hal_dumpstate_default sysfs_leds:file rw_file_perms; - allow hal_dumpstate_default persist_file:dir search; - r_dir_file(hal_dumpstate_default, persist_leds_file); -') - get_prop(hal_dumpstate_default, vendor_camera_debug_prop); get_prop(hal_dumpstate_default, vendor_camera_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) From 6defd8cbc8be14b8387fc3877b1894310cf51f78 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 14 Feb 2023 11:34:54 +0800 Subject: [PATCH 106/162] Move memory dump to gs-common Bug: 240530709 Test: adb bugreport Change-Id: I304899f1c9eb1a77ef7559194ab4cfed9daf30ef --- whitechapel_pro/dumpstate.te | 1 - whitechapel_pro/file.te | 2 -- whitechapel_pro/genfs_contexts | 2 -- whitechapel_pro/hal_dumpstate_default.te | 6 ------ 4 files changed, 11 deletions(-) diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te index 8ff47509..eaab9b2f 100644 --- a/whitechapel_pro/dumpstate.te +++ b/whitechapel_pro/dumpstate.te @@ -14,4 +14,3 @@ allow dumpstate modem_userdata_file:dir r_dir_perms; allow dumpstate modem_img_file:dir r_dir_perms; allow dumpstate fuse:dir search; -dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms; 
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 80f42f25..3a0f932a 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -60,9 +60,7 @@ type vendor_usb_debugfs, fs_type, debugfs_type;
 type vendor_charger_debugfs, fs_type, debugfs_type;
 type vendor_votable_debugfs, fs_type, debugfs_type;
 type vendor_battery_debugfs, fs_type, debugfs_type;
-type vendor_dmabuf_debugfs, fs_type, debugfs_type;
 type vendor_dri_debugfs, fs_type, debugfs_type;
-type vendor_page_pinner_debugfs, fs_type, debugfs_type;
 type vendor_cma_debugfs, fs_type, debugfs_type;
 # vendor extra images
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ebb78283..dc1f8836 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -190,7 +190,6 @@ genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object
 # debugfs
 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
-genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
@@ -200,7 +199,6 @@ genfscon debugfs /max77729_pmic u:object
 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
-genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
 genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0
 # Battery
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 2ae050ab..8dfe7cb7 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -89,14 +89,11 @@ userdebug_or_eng(`
 allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
 allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
 allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
 allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
 allow hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
- allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
 allow hal_dumpstate_default debugfs_tracing_instances:dir search;
 allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
 allow hal_dumpstate_default sysfs_vendor_metrics:dir search;
@@ -119,14 +116,11 @@ dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; -dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; -dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; dontaudit hal_dumpstate_default debugfs_tracing_instances:dir search; dontaudit hal_dumpstate_default debugfs_tracing_instances:file r_file_perms; dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search; From 1a72a34a919dcb887786ad3cdefa2de8ddd193d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Wed, 15 Feb 2023 10:35:26 +1100 Subject: [PATCH 107/162] Remove bug_map entry for incident hal_input_processor_default was fixed in b/219172252 Bug: 239632439 Test: presubmit Change-Id: Idaa9bff7130d54bf24260e26b43605a60dcb7525 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index db7752dd..ad15880a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,8 +1,6 @@ cat_engine_service_app system_app_data_file dir b/238705599 dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 -dumpstate hal_input_processor_default process b/238260726 -dumpstate incident process b/239632439 dumpstate system_data_file dir b/239484651 hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_drm_widevine default_prop file b/237492145 From d1daf18a6a23ab576badb29233bf643f54c01fe3 Mon Sep 17 00:00:00 2001 From: Jeffrey Kardatzke Date: Tue, 14 Feb 2023 15:11:39 -0800 Subject: [PATCH 108/162] tracking_denials: Remove b/237492145 Bug: 237492145 Test: TreeHugger Change-Id: I2874665d4166e951de6b9f6ab15be62a35777ad2 --- tracking_denials/bug_map | 1 - tracking_denials/hal_drm_widevine.te | 2 -- 2 files changed, 3 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ad15880a..b944d0e1 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -3,7 +3,6 @@ dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 dumpstate system_data_file dir b/239484651 hal_contexthub_default fwk_stats_service service_manager b/241714943 -hal_drm_widevine default_prop file b/237492145 hal_dumpstate_default dump_thermal process b/268566483 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te index b0124389..cfe7fcf7 100644 --- a/tracking_denials/hal_drm_widevine.te +++ b/tracking_denials/hal_drm_widevine.te @@ -1,4 +1,2 @@ # b/229209076 dontaudit hal_drm_widevine vndbinder_device:chr_file { read }; -# b/237492145 -dontaudit hal_drm_widevine default_prop:file { read }; From 8c4ca7b5a48ee219b3724bbe152ee68e6fc73d75 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 12 Sep 2022 14:47:57 +0800 Subject: [PATCH 109/162] remove same_process_hal access from gxp firmware Bug: 246218258 Test: boot with no relevant SELinux errors Change-Id: I52c82ff4c70cb16057cf719059f63c3f9c381c46 --- tracking_denials/kernel.te | 2 -- whitechapel_pro/file_contexts | 1 - 2 files changed, 3 deletions(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 4238f339..a2e21639 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,4 +1,2 @@ -# b/246218258 -allow kernel same_process_hal_file:file r_file_perms; # b/227121550 dontaudit kernel vendor_votable_debugfs:dir search; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 300e836f..36ccdc92 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -47,7 +47,6 @@ # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 -/vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0 # Vendor libraries /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 From 3c494301c8bd463b38ac5006d638a790ece79f68 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 7 Mar 2023 12:35:16 +0800 Subject: [PATCH 110/162] Move display dump to gs-common Bug: 269212897 Test: adb bugreport Change-Id: I8d2d0413987629bd3774034a5f99f5b7feb4b3ba --- whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 1 - whitechapel_pro/genfs_contexts | 1 - whitechapel_pro/hal_dumpstate_default.te | 12 ------------ whitechapel_pro/vndservice.te | 1 - whitechapel_pro/vndservice_contexts | 1 - 6 files changed, 18 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 3a0f932a..5b5b82e1 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -1,7 +1,6 @@
 # Data
 type rild_vendor_data_file, file_type, data_file_type;
 type vendor_log_file, file_type, data_file_type;
-type vendor_hwc_log_file, file_type, data_file_type;
 type vendor_rfsd_log_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type vendor_slog_file, file_type, data_file_type;
@@ -60,7 +59,6 @@ type vendor_usb_debugfs, fs_type, debugfs_type;
 type vendor_charger_debugfs, fs_type, debugfs_type;
 type vendor_votable_debugfs, fs_type, debugfs_type;
 type vendor_battery_debugfs, fs_type, debugfs_type;
-type vendor_dri_debugfs, fs_type, debugfs_type;
 type vendor_cma_debugfs, fs_type, debugfs_type;
 # vendor extra images
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 36ccdc92..87fc1d94 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -196,7 +196,6 @@
 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
-/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index dc1f8836..a7c8a48a 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -198,7 +198,6 @@ genfscon debugfs /max77759_chg u:object
 genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0
 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
-genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
 genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0
 # Battery
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 8dfe7cb7..fccaed7f 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -3,9 +3,6 @@ allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms;
 allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
-allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms;
-allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms;
-
 allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
 allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
@@ -52,11 +49,6 @@ allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
 allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
 allow hal_dumpstate_default proc_f2fs:file r_file_perms;
-allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
-binder_call(hal_dumpstate_default, hal_graphics_composer_default);
-allow hal_dumpstate_default sysfs_display:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_display:file r_file_perms;
-
 vndbinder_use(hal_dumpstate_default)
 allow hal_dumpstate_default shell_data_file:file getattr;
@@ -92,8 +84,6 @@ userdebug_or_eng(`
 allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
 allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
 allow hal_dumpstate_default debugfs_tracing_instances:dir search;
 allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
 allow hal_dumpstate_default sysfs_vendor_metrics:dir search;
@@ -107,8 +97,6 @@ userdebug_or_eng(` ') dontaudit hal_dumpstate_default mnt_vendor_file:dir search; -dontaudit hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; dontaudit hal_dumpstate_default debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te index 7f116c48..bd59e836 100644 --- a/whitechapel_pro/vndservice.te +++ b/whitechapel_pro/vndservice.te @@ -1,4 +1,3 @@ type rls_service, vndservice_manager_type; -type vendor_displaycolor_service, vndservice_manager_type; type vendor_surfaceflinger_vndservice, vndservice_manager_type; type eco_service, vndservice_manager_type; diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts index e7fb4338..16ae43a4 100644 --- a/whitechapel_pro/vndservice_contexts +++ b/whitechapel_pro/vndservice_contexts @@ -1,4 +1,3 @@ rlsservice u:object_r:rls_service:s0 -displaycolor u:object_r:vendor_displaycolor_service:s0 Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 media.ecoservice u:object_r:eco_service:s0 From 3758cdb733b1bbc20a866917c720682254776d1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 9 Mar 2023 20:12:27 +0000 Subject: [PATCH 111/162] Clean up Google Camera App tracking_denials. EdgeTPU access is already allowed. Vendor property access should be denied and is not an error (most likely from library code that tries to access nonexistent Mediatek-specific properties). Fix: 209889068 Test: presubmit, run GCA Change-Id: Id200da6627ceae1ca6315ea9b4473f61fdc285d0 --- tracking_denials/google_camera_app.te | 8 -------- whitechapel_pro/google_camera_app.te | 3 +++ 2 files changed, 3 insertions(+), 8 deletions(-) delete mode 100644 tracking_denials/google_camera_app.te 
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te deleted file mode 100644 index 72796c22..00000000 --- a/tracking_denials/google_camera_app.te +++ /dev/null @@ -1,8 +0,0 @@ -# b/209889068 -dontaudit google_camera_app edgetpu_app_service:service_manager { find }; -dontaudit google_camera_app edgetpu_device:chr_file { ioctl }; -dontaudit google_camera_app edgetpu_device:chr_file { map }; -dontaudit google_camera_app edgetpu_device:chr_file { read write }; -dontaudit google_camera_app vendor_default_prop:file { getattr }; -dontaudit google_camera_app vendor_default_prop:file { map }; -dontaudit google_camera_app vendor_default_prop:file { open }; diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te index 43e3c16e..d73cd3db 100644 --- a/whitechapel_pro/google_camera_app.te +++ b/whitechapel_pro/google_camera_app.te @@ -21,3 +21,6 @@ hal_client_domain(google_camera_app, hal_power) # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; + +# Library code may try to access vendor properties, but should be denied +dontaudit google_camera_app vendor_default_prop:file { getattr map open }; From c50fcf47940c77471035e841eda30f4657c7bbe1 Mon Sep 17 00:00:00 2001 From: Jasmine Cha Date: Wed, 8 Mar 2023 13:07:10 +0800 Subject: [PATCH 112/162] audio: move sepolicy about audio to gs-common Bug: 259161622 Test: build pass and check with audio ext hidl/aidl Change-Id: Id9fa7130db9b94a25381d10984ad245658847345 Signed-off-by: Jasmine Cha --- whitechapel_pro/rild.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 7b8bc1c7..559fa674 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te 
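Review bot: The new permanent `dontaudit google_camera_app vendor_default_prop:file { getattr map open };` drops the bug reference that the deleted tracking_denials entry carried; since the suppression now lives in the main policy, the comment should keep that traceability, e.g. `# b/209889068: library code presumably probes vendor properties that do not exist on this device; the denial is expected, so keep it quiet`. A permanent dontaudit also hides any future, genuinely wrong attempt by GCA to read vendor properties, which is acceptable only if the claim that this access should be denied holds — a sentence stating that the camera app must never depend on vendor_default_prop makes that contract explicit for whoever next sees a related denial.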
@@ -32,7 +32,6 @@ binder_call(rild, logger_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) -allow rild hal_audio_ext_hwservice:hwservice_manager find; # Allow rild to access files on modem img. allow rild modem_img_file:dir r_dir_perms; From fc86ce114c7e4dd2372e5b2fb83809a0843b387f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 10 Mar 2023 12:14:54 +0800 Subject: [PATCH 113/162] move modem operation to dump_modemlog Bug: 240530709 Test: adb bugreport Change-Id: I1b5c7defc0b6cb04899d03f1f71f0ac1fe21ed80 --- whitechapel_pro/hal_dumpstate_default.te | 5 ----- 1 file changed, 5 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index fccaed7f..9b403c6d 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -40,10 +40,6 @@ allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; -allow hal_dumpstate_default modem_efs_file:dir search; -allow hal_dumpstate_default modem_efs_file:file r_file_perms; -allow hal_dumpstate_default vendor_slog_file:file r_file_perms; - allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; @@ -67,7 +63,6 @@ allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; get_prop(hal_dumpstate_default, vendor_camera_debug_prop); get_prop(hal_dumpstate_default, vendor_camera_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) -set_prop(hal_dumpstate_default, vendor_modem_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) set_prop(hal_dumpstate_default, vendor_logger_prop) From 915841aadabce0723a1bfb79bbca8dabdd47867f Mon Sep 17 00:00:00 2001 
From: Jasmine Cha Date: Mon, 13 Mar 2023 10:55:25 +0800 Subject: [PATCH 114/162] audio: move set_prop to gs-common Bug: 259161622 Test: build pass Change-Id: If9c6d5641a05768446a7b618e447a1d11ad5daab Signed-off-by: Jasmine Cha --- whitechapel_pro/vendor_init.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index dfbd3d75..0118ddbe 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -11,7 +11,6 @@ set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, logpersistd_logging_prop) set_prop(vendor_init, vendor_logger_prop) -set_prop(vendor_init, vendor_audio_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file w_file_perms; From f5a068e2bfa6b0ddd59f72dcaa11560fa1d54e63 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 14 Mar 2023 10:51:44 +0800 Subject: [PATCH 115/162] use gs-common soc dump Bug: 273380509 Test: adb bugreport Change-Id: I81cd197c1a7c9f19ad9a3c30b65b4499de04b184 --- whitechapel_pro/file.te | 3 --- whitechapel_pro/genfs_contexts | 13 ------------- whitechapel_pro/hal_dumpstate_default.te | 3 --- 3 files changed, 19 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 5b5b82e1..9d1cc959 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -40,13 +40,10 @@ type bootdevice_sysdev, dev_type;
 type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
-type sysfs_exynos_bts, sysfs_type, fs_type;
-type sysfs_exynos_bts_stats, sysfs_type, fs_type;
 type sysfs_exynos_pcie_stats, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
-type sysfs_cpu, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
 type sysfs_pca, sysfs_type, fs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index a7c8a48a..64d90d47 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
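Review bot: `type sysfs_cpu, sysfs_type, fs_type;` is removed from file.te, but the label is still used by the surviving mali `time_in_state` genfscon entries in the next hunk, by `allow hal_dumpstate_default sysfs_cpu:file r_file_perms;` which stays as context in the later hal_dumpstate_default hunks, and by the new dump_power_gs201.te in patch 126. The commit message says the SoC dump moved to gs-common, so presumably gs-common now declares sysfs_cpu; if it does not, the policy fails to build on an undeclared type. The message should state where the type now lives, and the `# CPU` comment left above the mali lines in genfs_contexts could note that the type is declared in gs-common.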
@@ -1,22 +1,9 @@ -# Exynos -genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0 -genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0 - genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 # EdgeTPU genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0 # CPU -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/28000000.mali/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/28000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 9b403c6d..f303e9a0 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -10,9 +10,6 @@ allow hal_dumpstate_default sysfs_wlc:dir search; allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; allow hal_dumpstate_default sysfs_wlc:file r_file_perms; -allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; -allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; - allow hal_dumpstate_default sysfs_exynos_pcie_stats:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_pcie_stats:file r_file_perms; From 0e62b47df908713118b58a5e1de3104254486c99 Mon Sep 17 00:00:00 2001 From: Mahesh Kallelil Date: Wed, 15 Mar 2023 15:45:32 -0700 Subject: [PATCH 116/162] Update selinux-policy for ModemService. Allowing the ModemService write access to the sysfs attribute cp_temp which is used to update the thermal zones. Test: Verified sysfs attribute security labels Bug: 267485434 Change-Id: I0915969bfa6354e1884088476fc59cd8027bd2f1 Signed-off-by: Mahesh Kallelil --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/modem_svc_sit.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 9d1cc959..4f3e7edc 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -83,6 +83,7 @@ type vendor_dumpsys, vendor_file_type, file_type; # Modem type modem_efs_file, file_type; type modem_userdata_file, file_type; +type sysfs_modem, sysfs_type, fs_type; # SecureElement type sysfs_st33spi, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 64d90d47..2c2cb23e 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -60,6 +60,9 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/power_stats
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
 
+# Modem
+genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0
+
 # Power ODPM
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index fa5298f8..040082e8 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -5,6 +5,9 @@ init_daemon_domain(modem_svc_sit)
 hwbinder_use(modem_svc_sit)
 binder_call(modem_svc_sit, rild)
 
+# Grant sysfs modem access
+allow modem_svc_sit sysfs_modem:file rw_file_perms;
+
 # Grant radio device access
 allow modem_svc_sit radio_device:chr_file rw_file_perms;
 
From 0f80193c30c2bc519c7cf69abff3a31a1706259b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 20 Mar 2023 11:14:44 +0800
Subject: [PATCH 117/162] use gs-common camera dump
Bug: 273380509
Test: adb bugreport
Change-Id: I925fbbba81a92689c4590df4a8d7529cc8b57bf8
---
whitechapel_pro/file.te | 1 -
whitechapel_pro/file_contexts | 1 -
whitechapel_pro/hal_dumpstate_default.te | 4 ----
whitechapel_pro/property.te | 1 -
whitechapel_pro/property_contexts | 1 -
5 files changed, 8 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 4f3e7edc..bb26b4fa 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
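Review bot: The comment `# Grant sysfs modem access` above the new rw grant in modem_svc_sit.te under-describes a write permission: per the genfs_contexts hunk in this patch, sysfs_modem currently labels only the `cp_temp` node, and the commit message says the write is what updates the thermal zones. Suggest `# Write cp_temp (labelled sysfs_modem) so ModemService can update the modem thermal zone`. Because every node later added under the sysfs_modem label inherits rw from this domain, the label should stay scoped to that one attribute, or be split if read-only nodes are added later.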
@@ -7,7 +7,6 @@ type vendor_slog_file, file_type, data_file_type; type radio_vendor_data_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; type tcpdump_vendor_data_file, file_type, data_file_type; -type vendor_camera_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 87fc1d94..76518071 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -202,7 +202,6 @@ /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 -/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index f303e9a0..07e8402b 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -1,6 +1,3 @@ -allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; - allow hal_dumpstate_default sysfs_cpu:file r_file_perms; allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; @@ -57,7 +54,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; -get_prop(hal_dumpstate_default, vendor_camera_debug_prop); get_prop(hal_dumpstate_default, vendor_camera_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) 
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index d276e851..a8fce4a7 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -14,7 +14,6 @@ vendor_internal_prop(vendor_battery_defender_prop) vendor_internal_prop(vendor_shutdown_prop) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_camera_prop) -vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_tcpdump_log_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index acc73a66..17899cd5 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -68,7 +68,6 @@ persist.vendor.display. u:object_r:vendor_display_prop:s0 # Camera persist.vendor.camera. u:object_r:vendor_camera_prop:s0 vendor.camera. u:object_r:vendor_camera_prop:s0 -vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for logger app From 831323cd8114b51bd28ac1b3b55a819dc2a0a619 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 21 Mar 2023 11:19:21 +0800 Subject: [PATCH 118/162] use gxp dump in gs-common Bug: 273380509 Test: adb bugreport;unzip *zip;tar -xvf dumpstate_board.bin And found gxp content Change-Id: I5a1e77f756a0ec045a578c4ca9bced689d8d9d9c --- whitechapel_pro/hal_dumpstate_default.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 07e8402b..4e3399b1 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -10,9 +10,6 @@ allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
 
 allow hal_dumpstate_default sysfs_exynos_pcie_stats:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_exynos_pcie_stats:file r_file_perms;
-allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms;
-allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms;
-
 allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_bcl:file r_file_perms;
 
From 28503a8706a382f7b89086b6c506e2023cad8f28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Wagner?=
Date: Tue, 27 Dec 2022 14:00:23 +0000
Subject: [PATCH 119/162] Update Mali DDK to r40 : Additional SELinux settings
Expose DDK's dynamic configuration options through the Android Sysprop interface, following recommendations from Arm's Android Integration Manual.
Bug: 261718474
(cherry picked from commit 4183daf7f19e5bb80abe87a9b7ab07ee1cd0e1ac)
Merged-In: I75457d2d4f6e37bdd85329bac7fd81327cfff628
Change-Id: Ic40d6576537fc6699e3315040236e79aba16af18
---
whitechapel_pro/domain.te | 4 ++++
whitechapel_pro/property.te | 3 +++
whitechapel_pro/property_contexts | 3 +++
whitechapel_pro/vendor_init.te | 3 +++
4 files changed, 13 insertions(+)
diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te
index fd876e09..ad32036f 100644
--- a/whitechapel_pro/domain.te
+++ b/whitechapel_pro/domain.te
@@ -1,2 +1,6 @@
 allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
 allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
+
+# Mali
+get_prop(domain, vendor_arm_runtime_option_prop)
+
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index a8fce4a7..2b16b5a9 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
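Review bot: `get_prop(domain, vendor_arm_runtime_option_prop)` in domain.te grants every domain on the device, app domains included, read access to the whole `vendor.mali.` prefix, whereas the two existing rules in the same file deliberately exclude `-appdomain -rs`. That is plausibly intended, since the Mali user-space driver runs inside client processes and the property is declared `vendor_public_prop` in the following property.te hunk with set_prop reserved to vendor_init, but the bare `# Mali` comment does not say so. Suggest `# Mali: the user-space GPU driver runs inside client processes, so every domain may read the runtime options (writable only by vendor_init)`. The hunk also appends an empty line at the end of domain.te (the final `+`), which should be dropped.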
@@ -37,3 +37,6 @@ vendor_internal_prop(vendor_telephony_app_prop) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) + +# Mali Integration +vendor_public_prop(vendor_arm_runtime_option_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 17899cd5..d8e3e033 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -101,3 +101,6 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop: # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 + +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 0118ddbe..e27855d0 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -37,3 +37,6 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms; # Trusty storage FS ready get_prop(vendor_init, vendor_trusty_storage_prop) + +# Mali +set_prop(vendor_init, vendor_arm_runtime_option_prop) From 1cdfdb426280f0dec360a471c52da8cda3bed2a1 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 22 Mar 2023 12:26:10 +0800 Subject: [PATCH 120/162] use gs-common gps dump Bug: 273380509 Test: adb bugreport Change-Id: I7d5fa2f086aeab1b94fe33b3f419d5fb58bfbda5 --- whitechapel_pro/hal_dumpstate_default.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 4e3399b1..d5dfd1b5 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -1,8 +1,5 @@ allow hal_dumpstate_default sysfs_cpu:file r_file_perms; -allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_gps_file:file r_file_perms; - allow hal_dumpstate_default sysfs_wlc:dir search; allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; allow hal_dumpstate_default sysfs_wlc:file r_file_perms; @@ -52,7 +49,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; get_prop(hal_dumpstate_default, vendor_camera_prop) -get_prop(hal_dumpstate_default, vendor_gps_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) set_prop(hal_dumpstate_default, vendor_logger_prop) From ba0b76de163a6ff7e30f0ba14463a4b203f7baf6 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Tue, 21 Mar 2023 20:17:31 +0800 Subject: [PATCH 121/162] Allow fingerprint hal to read sysfs_leds Fix the following avc denials: avc: denied { search } for name="backlight" dev="sysfs" ino=79316 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1 avc: denied { read } for name="state" dev="sysfs" ino=79365 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1 Bug: 271072126 Test: Authenticate fingerprint. Change-Id: I9f346cb72ef660712b2bfb610df959667958c36a --- whitechapel_pro/hal_fingerprint_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te index 912776dd..8ec45a9f 100644 --- a/whitechapel_pro/hal_fingerprint_default.te +++ b/whitechapel_pro/hal_fingerprint_default.te 
@@ -33,3 +33,7 @@ binder_call(hal_fingerprint_default, hal_graphics_composer_default) # allow fingerprint to access thermal hal hal_client_domain(hal_fingerprint_default, hal_thermal); + +# allow fingerprint to read sysfs_leds +allow hal_fingerprint_default sysfs_leds:file r_file_perms; +allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; From dcc7112f6fd810177cca9f0ea963412c4977f490 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 24 Mar 2023 11:11:48 +0800 Subject: [PATCH 122/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275001783 Change-Id: I6514b7efbd02a5ddcb65ab329f0f01cc2d61e50a --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b944d0e1..f984e872 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,6 +2,8 @@ cat_engine_service_app system_app_data_file dir b/238705599 dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 dumpstate system_data_file dir b/239484651 +hal_camera_default boot_status_prop file b/275001783 +hal_camera_default edgetpu_app_service service_manager b/275001783 hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_dumpstate_default dump_thermal process b/268566483 hal_power_default hal_power_default capability b/237492146 From 86faa5607c74f3a929fbb3e3fcbbb44c3d0090b9 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 24 Mar 2023 12:41:23 +0800 Subject: [PATCH 123/162] use radio dump in gs-common Bug: 273380509 Test: adb bugreport Change-Id: I5e4318a427c0b503c47fb81ddb9e813fa9a41ab4 Merged-In: I5e4318a427c0b503c47fb81ddb9e813fa9a41ab4 --- whitechapel_pro/hal_dumpstate_default.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index d5dfd1b5..42d727e0 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -49,8 +49,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms;
 allow hal_dumpstate_default battery_history_device:chr_file r_file_perms;
 
 get_prop(hal_dumpstate_default, vendor_camera_prop)
-get_prop(hal_dumpstate_default, vendor_rild_prop)
-get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)
 set_prop(hal_dumpstate_default, vendor_logger_prop)
 
 userdebug_or_eng(`
From a3348957899001d16a1221923674ce149bc6a554 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 28 Mar 2023 12:52:52 +0800
Subject: [PATCH 124/162] create a dump for gs201
Bug: 273380509
Test: adb bugreport
Change-Id: Ic47e0d43d9a5aef4381880eabbba74633ee260a1
---
whitechapel_pro/dump_gs201.te | 5 +++++
whitechapel_pro/file_contexts | 1 +
2 files changed, 6 insertions(+)
create mode 100644 whitechapel_pro/dump_gs201.te
diff --git a/whitechapel_pro/dump_gs201.te b/whitechapel_pro/dump_gs201.te
new file mode 100644
index 00000000..c2314753
--- /dev/null
+++ b/whitechapel_pro/dump_gs201.te
@@ -0,0 +1,5 @@
+
+pixel_bugreport(dump_gs201)
+allow dump_gs201 debugfs_tracing_instances:dir r_dir_perms;
+allow dump_gs201 debugfs_tracing_instances:file r_file_perms;
+
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 76518071..3a354adc 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -44,6 +44,7 @@
 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0
 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
+/vendor/bin/dump/dump_gs201 u:object_r:dump_gs201_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
From bb305281856a1b33c91717ea58061045d55329fc Mon Sep 17 00:00:00 2001
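Review bot: dump_gs201.te is created with an empty first and last line (the leading and trailing `+` lines of the new-file hunk), and its two allow rules carry no comment saying what the helper reads. `pixel_bugreport(dump_gs201)` is defined outside this series, so a reader of this file only sees that a bugreport helper gets read access to debugfs_tracing_instances without knowing why. Suggest dropping the blank lines and adding `# Read the tracing instances collected into the bugreport` above the two allow rules. The same leading blank line is added to dump_power_gs201.te in patch 126.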
From: Wilson Sung Date: Wed, 29 Mar 2023 10:49:39 +0800 Subject: [PATCH 125/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275645892 Change-Id: Ib6aa5d2fe4a401cadc02a60b06725156f37aaccf --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f984e872..f132d62c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -24,3 +24,4 @@ shell rootfs file b/239484612 shell sscoredump_vendor_data_crashinfo_file dir b/241714944 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 +system_app proc_pagetypeinfo file b/275645892 From 933e6a172bdbee9962c9da6d96d7c2b6d6ae958d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 29 Mar 2023 13:04:17 +0800 Subject: [PATCH 126/162] Move power dump out of hal_dumpstate_default Bug: 273380509 Test: adb bugreport Change-Id: I0963af3f8f90b4f05724df31017b0d21d10c59ca --- whitechapel_pro/dump_power_gs201.te | 27 +++++++++++++++++++++++++++ whitechapel_pro/file_contexts | 1 + 2 files changed, 28 insertions(+) create mode 100644 whitechapel_pro/dump_power_gs201.te diff --git a/whitechapel_pro/dump_power_gs201.te b/whitechapel_pro/dump_power_gs201.te new file mode 100644 index 00000000..6c6ca245 --- /dev/null +++ b/whitechapel_pro/dump_power_gs201.te 
@@ -0,0 +1,27 @@
+
+pixel_bugreport(dump_power_gs201)
+allow dump_power_gs201 sysfs_acpm_stats:dir r_dir_perms;
+allow dump_power_gs201 sysfs_acpm_stats:file r_file_perms;
+allow dump_power_gs201 sysfs_cpu:file r_file_perms;
+allow dump_power_gs201 vendor_toolbox_exec:file execute_no_trans;
+allow dump_power_gs201 logbuffer_device:chr_file r_file_perms;
+allow dump_power_gs201 mitigation_vendor_data_file:dir r_dir_perms;
+allow dump_power_gs201 sysfs:dir r_dir_perms;
+allow dump_power_gs201 sysfs_batteryinfo:dir r_dir_perms;
+allow dump_power_gs201 sysfs_batteryinfo:file r_file_perms;
+allow dump_power_gs201 sysfs_bcl:dir r_dir_perms;
+allow dump_power_gs201 sysfs_bcl:file r_file_perms;
+allow dump_power_gs201 sysfs_wlc:dir r_dir_perms;
+allow dump_power_gs201 sysfs_wlc:file r_file_perms;
+
+userdebug_or_eng(`
+ allow dump_power_gs201 debugfs:dir r_dir_perms;
+ allow dump_power_gs201 vendor_battery_debugfs:dir r_dir_perms;
+ allow dump_power_gs201 vendor_battery_debugfs:file r_file_perms;
+ allow dump_power_gs201 vendor_charger_debugfs:dir r_dir_perms;
+ allow dump_power_gs201 vendor_charger_debugfs:file r_file_perms;
+ allow dump_power_gs201 vendor_pm_genpd_debugfs:file r_file_perms;
+ allow dump_power_gs201 vendor_maxfg_debugfs:dir r_dir_perms;
+ allow dump_power_gs201 vendor_votable_debugfs:dir r_dir_perms;
+ allow dump_power_gs201 vendor_votable_debugfs:file r_file_perms;
+')
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 3a354adc..4054e6f7 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -45,6 +45,7 @@
 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0
 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
 /vendor/bin/dump/dump_gs201 u:object_r:dump_gs201_exec:s0
+/vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
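Review bot: The dir/file grants in dump_power_gs201.te are asymmetric in a way that looks accidental: mitigation_vendor_data_file and vendor_maxfg_debugfs get only `dir r_dir_perms`, while vendor_pm_genpd_debugfs gets only `file r_file_perms` with no search on its directory, whereas the hal_dumpstate_default rules this helper replaces (deleted in patch 132) had both dir and file for mitigation_vendor_data_file. If the script reads files under those directories it will be denied at runtime; if listing only is intended, a comment should say so. `allow dump_power_gs201 sysfs:dir r_dir_perms;` on the generic sysfs label is also broader than the specific sysfs_* labels used on the other lines and deserves a one-line justification. The exec is a `.sh` script, so presumably `pixel_bugreport` also covers the shell interpreter; the macro is outside this series, so that cannot be confirmed here.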
From 33b2f0043c43bdfa728adc553cd2601ab19bb847 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 31 Mar 2023 10:55:21 +0800 Subject: [PATCH 127/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 276386138 Bug: 276385494 Change-Id: Idcd05416ca84e0b47629637f8d3287a40d80a6ab --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f132d62c..d05de12f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ cat_engine_service_app system_app_data_file dir b/238705599 +dex2oat privapp_data_file dir b/276386138 dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 dumpstate system_data_file dir b/239484651 @@ -25,3 +26,4 @@ shell sscoredump_vendor_data_crashinfo_file dir b/241714944 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 system_app proc_pagetypeinfo file b/275645892 +system_server privapp_data_file lnk_file b/276385494 From 0161b6fbfa0064ba595abd4c855f6d0c01db5fb9 Mon Sep 17 00:00:00 2001 From: feiyuchen Date: Tue, 4 Apr 2023 21:30:45 +0000 Subject: [PATCH 128/162] Allow camera HAL to access edgetpu_app_service in gs201 We are seeing SELinux error b/276911450. It turns out that I only added the SE policy for 2023 device ag/22248613, but I forgot to add it for gs101 and gs201. So I created this CL. See more background in ag/22248613. Test: For gs201, I tested on my Pixel7 and I saw no more error. For gs101, I just did mm. Bug: 275016466 Bug: 276911450 Change-Id: I223770eb0bc7e09a5dfb4f4188b7fc605c3d1a61 --- whitechapel_pro/hal_camera_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index ba2b5304..96f272d6 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te 
@@ -23,6 +23,10 @@ allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
 allow hal_camera_default sysfs_edgetpu:file r_file_perms;
 allow hal_camera_default edgetpu_vendor_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_vendor_server)
+# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging
+# library has a dependency on edgetpu_app_service, see b/275016466.
+allow hal_camera_default edgetpu_app_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_app_server)
 
 # Allow the camera hal to access the GXP device.
 allow hal_camera_default gxp_device:chr_file rw_file_perms;
From 1f54dc72561df7145c246006a162cc5e3e677fc2 Mon Sep 17 00:00:00 2001
From: Roy Luo
Date: Fri, 17 Mar 2023 00:33:30 +0000
Subject: [PATCH 129/162] Support sending vendor command to GL852G via libusbhost
libusbhost need access to USB device fs.
Bug: 261923350
Test: no audit log in logcat after command execution
Change-Id: I4b0c8cc750eff12d2494504f9f215d5b1bab35fd
---
whitechapel_pro/hal_usb_impl.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te
index a5da3ce1..5d2a65e7 100644
--- a/whitechapel_pro/hal_usb_impl.te
+++ b/whitechapel_pro/hal_usb_impl.te
@@ -24,3 +24,8 @@ hal_client_domain(hal_usb_impl, hal_thermal);
 
 # For reading the usb-c throttling stats
 allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
+
+# For issuing vendor commands to USB hub via libusbhost
+allow hal_usb_impl device:dir r_dir_perms;
+allow hal_usb_impl usb_device:chr_file rw_file_perms;
+allow hal_usb_impl usb_device:dir r_dir_perms;
From 187dcc4e0829a58965a9494267d15f535b1ecc6a Mon Sep 17 00:00:00 2001
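Review bot: With `allow hal_camera_default edgetpu_app_service:service_manager find;` now granted in hal_camera_default.te, the bug_map entry `hal_camera_default edgetpu_app_service service_manager b/275001783` added in patch 122 becomes stale and should be removed in the same change, otherwise the tracking list keeps advertising a denial that can no longer occur. The sibling entry `hal_camera_default boot_status_prop file b/275001783` is unaffected. The new comment would also read better as `# The EdgeTPU metrics logging library depends on edgetpu_app_service (b/275016466).`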
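Review bot: `allow hal_usb_impl usb_device:chr_file rw_file_perms;` in hal_usb_impl.te reaches every device node carrying the usb_device label, not only the GL852G hub the commit targets, so the USB HAL can now open and talk to any attached USB device; the label cannot distinguish the hub from other devices, so that breadth is inherent and should be stated in the comment, e.g. `# libusbhost opens USB device-fs nodes to send vendor commands to the GL852G hub; usb_device covers all attached USB devices`. Since Android's r_file_perms includes ioctl, an `allowxperm hal_usb_impl usb_device:chr_file ioctl { ... }` filter listing only the control-transfer ioctl libusbhost actually issues (value to be taken from the libusbhost call, not guessed here) would narrow the ioctl surface without touching the read/write grant.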
From: Victor Liu
Date: Thu, 27 Oct 2022 13:06:39 -0700
Subject: [PATCH 130/162] uwb: add permission for ccc ranging
Bug: 255649425
Change-Id: I83ce369e52f382d76723b2b045e09607483a0a6a
---
whitechapel_pro/hal_nfc_default.te | 2 ++
whitechapel_pro/property.te | 2 ++
whitechapel_pro/property_contexts | 2 ++
whitechapel_pro/uwb_vendor_app.te | 4 ++++
4 files changed, 10 insertions(+)
diff --git a/whitechapel_pro/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te
index 247ca3d7..11e0617b 100644
--- a/whitechapel_pro/hal_nfc_default.te
+++ b/whitechapel_pro/hal_nfc_default.te
@@ -13,3 +13,5 @@ allow hal_nfc_default uwb_data_vendor:file r_file_perms;
 
 # allow nfc to read uwb calibration file
 get_prop(hal_nfc_default, vendor_uwb_calibration_prop)
+get_prop(hal_nfc_default, vendor_uwb_calibration_country_code)
+
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 2b16b5a9..d57ce902 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -28,6 +28,8 @@ vendor_internal_prop(vendor_fingerprint_prop)
 
 # UWB calibration
 system_vendor_config_prop(vendor_uwb_calibration_prop)
+# Country code must be vendor_public to be written by UwbVendorService and read by NFC HAL
+vendor_internal_prop(vendor_uwb_calibration_country_code)
 
 # Dynamic sensor
 vendor_internal_prop(vendor_dynamic_sensor_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index d8e3e033..5c19ed48 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -89,6 +89,8 @@ vendor.gf. u:object_r:vendor_fingerprint_prop:s0
 
 #uwb
 ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
+vendor.uwb.calibration.country_code u:object_r:vendor_uwb_calibration_country_code:s0 exact string
+
 
 # Dynamic sensor
 vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
index 364bee36..aa4564e6 100644
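Review bot: The comment added to property.te says the country-code property `must be vendor_public to be written by UwbVendorService and read by NFC HAL`, but the line beneath it declares it with `vendor_internal_prop(vendor_uwb_calibration_country_code)`; one of the two is wrong. Both the writer and the reader in this patch (uwb_vendor_app, hal_nfc_default) appear to be vendor domains, so vendor_internal_prop may well be the right macro and the comment should then be corrected; if a system-side reader exists, the declaration should be `vendor_public_prop(...)` as the comment claims. Separately, the new type name lacks the `_prop` suffix every other property type on this page uses (vendor_uwb_calibration_prop, vendor_dynamic_sensor_prop), and the hal_nfc_default.te and property_contexts hunks each append a stray blank line.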
--- a/whitechapel_pro/uwb_vendor_app.te
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -16,6 +16,10 @@ allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
 allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
 allow hal_uwb_vendor_default kernel:process setsched;
 
+# UwbVendorService must be able to read USRA version from vendor_secure_element_prop
 get_prop(uwb_vendor_app, vendor_secure_element_prop)
+# UwbVendorService must be able to write country code prop
+set_prop(uwb_vendor_app, vendor_uwb_calibration_country_code)
+
 binder_call(uwb_vendor_app, hal_uwb_vendor_default)
 ')
From 4d92dd61f2119d1cccf079b2766e2d930126151f Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 7 Apr 2023 15:02:41 +0800
Subject: [PATCH 131/162] Update error on ROM 9890523
Bug: 277155245
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Iffbc691cff0e3a8d19ca3acef918cb4c1243feae
---
tracking_denials/dumpstate.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index e93762d6..0dc30ea7 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -2,3 +2,5 @@ dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
 
 # b/237491813
 dontaudit dumpstate app_zygote:process { signal };
+# b/277155245
+dontaudit dumpstate default_android_service:service_manager { find };
From 9519323a9830524f3843b80c09d43208276d2e21 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 7 Apr 2023 13:01:27 +0800
Subject: [PATCH 132/162] use dumpsate from gs-common
Bug: 273380985
Test: adb bugreport
Change-Id: Ibd54c0049480810e2aa14074e0ec9c4d611d51ff
---
whitechapel_pro/file.te | 2 -
whitechapel_pro/file_contexts | 2 -
whitechapel_pro/hal_dumpstate_default.te | 99 ------------------------
whitechapel_pro/property.te | 1 -
whitechapel_pro/property_contexts | 1 -
5 files changed, 105 deletions(-)
delete mode 100644 whitechapel_pro/hal_dumpstate_default.te
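Review bot: The new `set_prop(uwb_vendor_app, vendor_uwb_calibration_country_code)` in uwb_vendor_app.te sits inside a block that closes with `')` two lines later, together with the existing get_prop and binder_call rules; the block's opening macro is outside the hunk. If that macro is `userdebug_or_eng(`, UwbVendorService cannot write the country code on user builds, while hal_nfc_default's matching get_prop is granted unconditionally in the same patch and will read an unset property. Please confirm the enclosing macro and, if it is a build-variant guard, move the set_prop outside it with a comment such as `# Country code is written on every build variant; hal_nfc_default reads it`.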
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index bb26b4fa..a1e20f88 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -4,7 +4,6 @@ type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; -type radio_vendor_data_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; @@ -20,7 +19,6 @@ userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; - typeattribute radio_vendor_data_file mlstrustedobject; ') # Exynos Firmware diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4054e6f7..8c1f3827 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -24,7 +24,6 @@ /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/android\.hardware\.dumpstate-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 
@@ -195,7 +194,6 @@
 # Data
 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
-/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
deleted file mode 100644
index 42d727e0..00000000
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ /dev/null
@@ -1,99 +0,0 @@
-allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_wlc:dir search;
-allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_exynos_pcie_stats:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_exynos_pcie_stats:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_bcl:file r_file_perms;
-
-allow hal_dumpstate_default mitigation_vendor_data_file:dir r_dir_perms;
-allow hal_dumpstate_default mitigation_vendor_data_file:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_ptracker:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_ptracker:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
-
-allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
-allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
-
-allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
-
-allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
-allow hal_dumpstate_default proc_f2fs:file r_file_perms;
-
-vndbinder_use(hal_dumpstate_default)
-
-allow hal_dumpstate_default shell_data_file:file getattr;
-
-allow hal_dumpstate_default vendor_log_file:dir search;
-allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
-
-allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
-allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
-
-allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms;
-allow hal_dumpstate_default proc_vendor_sched:file 
r_file_perms;
-
-allow hal_dumpstate_default battery_history_device:chr_file r_file_perms;
-
-get_prop(hal_dumpstate_default, vendor_camera_prop)
-set_prop(hal_dumpstate_default, vendor_logger_prop)
-
-userdebug_or_eng(`
- allow hal_dumpstate_default mnt_vendor_file:dir search;
- allow hal_dumpstate_default debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
- allow hal_dumpstate_default debugfs_tracing_instances:dir search;
- allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
- allow hal_dumpstate_default sysfs_vendor_metrics:dir search;
- allow hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms;
- allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
- allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
- allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms;
-
- set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)
-')
-
-dontaudit hal_dumpstate_default mnt_vendor_file:dir search;
-dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default 
vendor_battery_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
-dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;
-dontaudit hal_dumpstate_default debugfs_tracing_instances:dir search;
-dontaudit hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
-dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search;
-dontaudit hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
-dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms;
-dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms;
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index d57ce902..d537c83d 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -20,7 +20,6 @@ vendor_internal_prop(vendor_tcpdump_log_prop)
 vendor_internal_prop(vendor_gps_prop)
 vendor_internal_prop(vendor_ro_sys_default_prop)
 vendor_internal_prop(vendor_persist_sys_default_prop)
-vendor_internal_prop(vendor_logger_prop)
 vendor_internal_prop(vendor_display_prop)
 # Fingerprint
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 5c19ed48..b9a563f3 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -73,7 +73,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # vendor default ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 From 3430e752afb315e884fc5efb0d7d50963fe7d17e Mon Sep 17 00:00:00 2001 From: Tommy Kardach Date: Wed, 22 Mar 2023 10:01:01 -0700 Subject: [PATCH 133/162] Update sepolicy for Camera HAL Edit SE policay for WHI_PRO to allow camera HAL to acquire wake locks Bug: 249567788 Test: Flash and manual testing Change-Id: I450b0b53000c5b9649e354350ec80af3528120fb --- whitechapel_pro/hal_camera_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index 96f272d6..05909984 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te @@ -106,3 +106,6 @@ dontaudit hal_camera_default traced_producer_socket:sock_file { write }; # Allow access to always-on compute device node allow hal_camera_default aoc_device:chr_file rw_file_perms; + +# Allow the Camera HAL to acquire wakelocks +wakelock_use(hal_camera_default) From b7393fd8d897dcf4f70474e9caca94b1dc13f300 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Tue, 4 Apr 2023 08:38:20 -0700 Subject: [PATCH 134/162] move vendor_cma_debugfs into gs-common The CMA dump is common feature for pixel devices so move it to gs-common. Bug: 276901078 Test: dumpstate_board.txt on adb bugreport includes the info Change-Id: I3997e27e3037f013338de5bc36687c63338769aa Signed-off-by: Minchan Kim --- whitechapel_pro/file.te | 1 - whitechapel_pro/genfs_contexts | 1 - 2 files changed, 2 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index a1e20f88..f474d9c0 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -53,7 +53,6 @@ type vendor_usb_debugfs, fs_type, debugfs_type; type vendor_charger_debugfs, fs_type, debugfs_type; type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; -type vendor_cma_debugfs, fs_type, debugfs_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 2c2cb23e..bde62aef 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -188,7 +188,6 @@ genfscon debugfs /max77759_chg u:object genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 -genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0 # Battery genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 From dc35b4158b8fc4eb8ee714212cdedee40a270a24 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Thu, 6 Apr 2023 20:50:20 -0700 Subject: [PATCH 135/162] remove dump_gs201 sepolicy Bug: 276901078 Test: dumpstate_board.txt on adb bugreport includes the info Change-Id: I39c01692d959a63c091f98969a69ab35b2debe1a Signed-off-by: Minchan Kim --- whitechapel_pro/dump_gs201.te | 5 ----- whitechapel_pro/file_contexts | 1 - 2 files changed, 6 deletions(-) delete mode 100644 whitechapel_pro/dump_gs201.te diff --git a/whitechapel_pro/dump_gs201.te b/whitechapel_pro/dump_gs201.te deleted file mode 100644 index c2314753..00000000 --- a/whitechapel_pro/dump_gs201.te +++ /dev/null @@ -1,5 +0,0 @@ - -pixel_bugreport(dump_gs201) -allow dump_gs201 debugfs_tracing_instances:dir r_dir_perms; -allow dump_gs201 debugfs_tracing_instances:file r_file_perms; - diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 8c1f3827..b3357a77 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -43,7 +43,6 @@ /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 -/vendor/bin/dump/dump_gs201 u:object_r:dump_gs201_exec:s0 /vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0 # Vendor Firmwares From 1af348b01f23b6df79b51495a29a267bfc9c8645 Mon Sep 17 00:00:00 2001 From: kadirpili Date: Thu, 23 Mar 2023 03:19:24 +0000 Subject: [PATCH 136/162] gs201: Allow GRIL Service to access radio_vendor_data_file Bug: 274737512 Change-Id: I1c0b045f8a25c5d58be02c2036d2fcaad7d9a8e7 --- whitechapel_pro/grilservice_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te index 7809537d..2525baba 100644 --- a/whitechapel_pro/grilservice_app.te +++ b/whitechapel_pro/grilservice_app.te @@ -8,6 +8,8 @@ allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_service:service_manager find; allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find; +allow grilservice_app radio_vendor_data_file:dir create_dir_perms; +allow grilservice_app radio_vendor_data_file:file create_file_perms; binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) From 5adecc74332d9356c821be0207318b6694655754 Mon Sep 17 00:00:00 2001 From: Leo Liou Date: Tue, 14 Mar 2023 15:14:34 +0800 Subject: [PATCH 137/162] gs201: add sepolicy for ufs_firmware_update process Allow the script to access the specified partition and sysfs. Bug: 273305212 Test: full build and test ffu flow Change-Id: Iefeacea2d4c07e7a5b39713c9575e86bd25ce008 
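Review bot: `allow grilservice_app radio_vendor_data_file:dir create_dir_perms;` and the matching `:file create_file_perms` line grant an app domain full create/write/unlink rights on the radio data directory, while patch 132 earlier in this series removed the `type radio_vendor_data_file` declaration and the `/data/vendor/radio(/.*)?` file_contexts entry from whitechapel_pro, so this rule now relies on the type being declared in gs-common — confirm that, otherwise the policy will not compile. If GRIL only needs to read and update existing files, `r_dir_perms` (or `search`) plus `rw_file_perms` is the narrower grant. Add a one-line reason above the rules, e.g. `# GRIL service reads/writes radio data under /data/vendor/radio (b/274737512)`.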
Signed-off-by: Leo Liou --- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 2 ++ whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/ufs_firmware_update.te | 10 ++++++++++ 4 files changed, 16 insertions(+) create mode 100644 whitechapel_pro/ufs_firmware_update.te diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 426ebadb..b66248a7 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -19,6 +19,7 @@ type vframe_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_heap_device, dmabuf_heap_device_type, dev_type; type radio_test_device, dev_type; type vendor_gnss_device, dev_type; +type fips_block_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index b3357a77..2a6eaa98 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -44,6 +44,7 @@ /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 /vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0 +/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 @@ -190,6 +191,7 @@ /dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/fips u:object_r:fips_block_device:s0 # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index bde62aef..7a9672df 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -177,6 +177,9 @@ genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/vendor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/model u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/rev u:object_r:sysfs_scsi_devices_0000:s0 # debugfs genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 diff --git a/whitechapel_pro/ufs_firmware_update.te b/whitechapel_pro/ufs_firmware_update.te new file mode 100644 index 00000000..53ceba56 --- /dev/null +++ b/whitechapel_pro/ufs_firmware_update.te @@ -0,0 +1,10 @@ +type ufs_firmware_update, domain; +type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type; + +init_daemon_domain(ufs_firmware_update) + +allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans; +allow ufs_firmware_update block_device:dir r_dir_perms; +allow ufs_firmware_update fips_block_device:blk_file rw_file_perms; +allow ufs_firmware_update sysfs:dir r_dir_perms; +allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms; From c1ee9afdef729c06aa428dc78c8fae04885b7811 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 31 Mar 2023 12:57:55 +0000 Subject: [PATCH 138/162] Use restricted vendor property for ARM runtime options They need to be read by everything that links with libmali, but we don't expect anybody to actually write to them. Bug: b/272740524 Test: CtsDeqpTestCases (dEQP-VK.protected_memory.stack.stacksize_*) Change-Id: I4cd468302da02603cccd9b4b98cb95745129daf5 --- whitechapel_pro/property.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
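Review bot: The new domain in whitechapel_pro/ufs_firmware_update.te is granted `rw_file_perms` on `fips_block_device`, i.e. raw write access to the `fips` partition, with no comment on what the script writes there or why write is needed, and nothing in this commit keeps other domains from being granted the same later. Add a header comment such as `# ufs_firmware_update.sh: UFS field firmware update (b/273305212); needs raw r/w on the 'fips' partition and read-only access to the UFS vendor/model/rev sysfs nodes`, and consider pinning the invariant with a neverallow that confines `fips_block_device:blk_file write` to this domain and whatever init itself requires. The script is run through `vendor_toolbox_exec ... execute_no_trans` under `init_daemon_domain`; if it is a shell script it will presumably also need an exec grant for the vendor shell, which is not in this commit — confirm it is covered elsewhere.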
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index d537c83d..723379ba 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -40,4 +40,4 @@ vendor_internal_prop(vendor_telephony_app_prop) vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration -vendor_public_prop(vendor_arm_runtime_option_prop) +vendor_restricted_prop(vendor_arm_runtime_option_prop) From 4cc8eec22dc59f97b106f98a1334aecce65ff90f Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 18 Apr 2023 11:27:46 +0800 Subject: [PATCH 139/162] Update error on ROM 9954737 Bug: 278639040 Bug: 278639040 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I0d71ec80ea0136f90336d8f80cb75b38b61ebced --- tracking_denials/vndservicemanager.te | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 tracking_denials/vndservicemanager.te diff --git a/tracking_denials/vndservicemanager.te b/tracking_denials/vndservicemanager.te new file mode 100644 index 00000000..9931d437 --- /dev/null +++ b/tracking_denials/vndservicemanager.te @@ -0,0 +1,4 @@ +# b/278639040 +dontaudit vndservicemanager hal_keymint_citadel:binder { call }; +# b/278639040 +dontaudit vndservicemanager hal_keymint_citadel:binder { call }; From 0f6b14dc9582edba67233cc8b716476d7a8c7f12 Mon Sep 17 00:00:00 2001 From: jimsun Date: Wed, 8 Mar 2023 17:17:01 +0800 Subject: [PATCH 140/162] rild: allow rild to ptrace 06-20 18:47:41.940000 8708 8708 I auditd : type=1400 audit(0.0:7): avc: denied { ptrace } for comm="libmemunreachab" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=process permissive=0 06-20 18:47:41.940000 8708 8708 W libmemunreachab: type=1400 audit(0.0:7): avc: denied { ptrace } for scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=process permissive=0 Bug: 263757077 Test: manual Change-Id: I4720650488eca100372d148313e04d6d8950ead5 --- whitechapel_pro/rild.te | 5 +++++ 1 file changed, 5 insertions(+) 
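Review bot: Switching `vendor_arm_runtime_option_prop` to `vendor_restricted_prop` blocks system-side writers but does not by itself limit which vendor domains may be granted `set_prop` on it, whereas the commit message says nobody is expected to write these properties; if vendor_init is the only intended writer (a `set_prop(vendor_init, vendor_arm_runtime_option_prop)` appears as context later in this series), a `neverallow { domain -vendor_init } vendor_arm_runtime_option_prop:property_service set;` would make that explicit. Check first whether any debug tooling sets `vendor.mali.*` on userdebug builds before adding it.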
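Review bot: The two lines added in tracking_denials/vndservicemanager.te are identical — `dontaudit vndservicemanager hal_keymint_citadel:binder { call };` appears twice under the same `# b/278639040` comment (the commit message also repeats `Bug: 278639040`); drop the duplicate pair. Muting a `binder call` denial from vndservicemanager to the keymint HAL also hides a signal worth root-causing rather than silencing: vndservicemanager typically only brokers handles, so if the call is genuine it should be allowed explicitly once understood, and if it is noise from the tracked bug the dontaudit should be removed when that bug is closed.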
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 559fa674..484dda08 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -37,3 +37,8 @@ add_hwservice(rild, hal_exynos_rild_hwservice) allow rild modem_img_file:dir r_dir_perms; allow rild modem_img_file:file r_file_perms; allow rild modem_img_file:lnk_file r_file_perms; + +# Allow rild to ptrace for memory leak detection +userdebug_or_eng(` +allow rild self:process ptrace; +') From 2a5c26c9b4ed5abc3b6cb6d0e3e567b235c4ad13 Mon Sep 17 00:00:00 2001 From: Joseph Jang Date: Mon, 24 Apr 2023 08:03:30 +0000 Subject: [PATCH 141/162] Move recovery.te to device/google/gs-common/dauntless/sepolicy Bug: 279381809 Change-Id: I80fbd9ef0c7e988de21d07ada57fc6a038b9b585 --- whitechapel_pro/fastbootd.te | 1 - whitechapel_pro/recovery.te | 1 - 2 files changed, 2 deletions(-) diff --git a/whitechapel_pro/fastbootd.te b/whitechapel_pro/fastbootd.te index 5945ef24..e7909d26 100644 --- a/whitechapel_pro/fastbootd.te +++ b/whitechapel_pro/fastbootd.te @@ -3,6 +3,5 @@ recovery_only(` allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; -allow fastbootd citadel_device:chr_file rw_file_perms; allow fastbootd st54spi_device:chr_file rw_file_perms; ') diff --git a/whitechapel_pro/recovery.te b/whitechapel_pro/recovery.te index a498af07..1974ebb1 100644 --- a/whitechapel_pro/recovery.te +++ b/whitechapel_pro/recovery.te @@ -1,5 +1,4 @@ recovery_only(` allow recovery sysfs_ota:file rw_file_perms; - allow recovery citadel_device:chr_file rw_file_perms; allow recovery st54spi_device:chr_file rw_file_perms; ') From 2b913d29a96519e3381b8ea35c03120d10ca7ad0 Mon Sep 17 00:00:00 2001 
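Review bot: Style: the new `allow rild self:process ptrace;` inside the `userdebug_or_eng(` block is not indented, unlike the other macro-wrapped rules in this tree (compare the `userdebug_or_eng` blocks in whitechapel_pro/file.te and the removed hal_dumpstate_default.te earlier in this series); indent it as `    allow rild self:process ptrace;`. The comment could also name the component that needs it, since the denial in the commit message comes from libmemunreachable: `# libmemunreachable needs to ptrace rild for leak detection (userdebug/eng only)`.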
From: Wilson Sung Date: Mon, 24 Apr 2023 14:47:12 +0800 Subject: [PATCH 142/162] Update error on ROM 9784808 Bug: 274727778 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I56784948658365e8c9ecdf63d163109d8f29e5c3 --- tracking_denials/hal_vibrator_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/hal_vibrator_default.te diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te new file mode 100644 index 00000000..390bfa3c --- /dev/null +++ b/tracking_denials/hal_vibrator_default.te @@ -0,0 +1,2 @@ +# b/274727778 +dontaudit hal_vibrator_default default_android_service:service_manager { find }; From b7e90ec616c5335310209cf9631f3340b44855f8 Mon Sep 17 00:00:00 2001 From: martinwu Date: Mon, 24 Apr 2023 16:22:01 +0000 Subject: [PATCH 143/162] Remove tcpdump sepolicy from gs201 and move sepolicy to gs-common Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I0eb9352e349ae8f06e469e953f137b00204f1c3b --- whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 1 - 2 files changed, 3 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index f474d9c0..4a232600 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -5,7 +5,6 @@ type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; -type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; 
@@ -17,7 +16,6 @@ type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; - typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 2a6eaa98..c4f5b098 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -202,7 +202,6 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 From c6d08c178194934305b6ac2cede6253483b7955d Mon Sep 17 00:00:00 2001 From: Martin Wu Date: Thu, 27 Apr 2023 02:20:48 +0000 Subject: [PATCH 144/162] Revert "Remove tcpdump sepolicy from gs201 and move sepolicy to ..." Revert submission 22814097-Fix-tcpdump-sepolicy Reason for revert: build break Reverted changes: /q/submissionid:22814097-Fix-tcpdump-sepolicy Change-Id: I5b1c00cc6a1ae186eb51acc2c99171578c43bace --- whitechapel_pro/file.te | 2 ++ whitechapel_pro/file_contexts | 1 + 2 files changed, 3 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4a232600..f474d9c0 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -5,6 +5,7 @@ type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; +type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; @@ -16,6 +17,7 @@ type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; + typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c4f5b098..2a6eaa98 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -202,6 +202,7 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 +/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 From ee3fe73de0ee738c67d603fa6b3827d23f282e2d Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Thu, 6 Apr 2023 13:48:05 +0000 Subject: [PATCH 145/162] Add ArmNN config sysprops SELinux rules Bug: 205202540 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9d61da55a193a12b7552e67e67d968c46d4dec86) Merged-In: I90af8201d5fae44f73d709491f272a113b44ca67 Change-Id: I90af8201d5fae44f73d709491f272a113b44ca67 --- whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/vendor_init.te | 3 +++ 3 files changed, 9 insertions(+) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 723379ba..d297abea 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -41,3 +41,6 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# ArmNN +vendor_internal_prop(vendor_armnn_config_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index b9a563f3..08eb601b 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -105,3 +105,6 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# ArmNN configuration +ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index e27855d0..4d8516a2 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -40,3 +40,6 @@ get_prop(vendor_init, vendor_trusty_storage_prop) # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) + +# ArmNN +set_prop(vendor_init, vendor_armnn_config_prop) From 01a2e70a17145770089015e126a3a2dfcfb0d09d Mon Sep 17 00:00:00 2001 
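Review bot: This commit declares `vendor_armnn_config_prop`, maps `ro.vendor.armnn.` onto it and lets vendor_init set it, but no `get_prop` for the consumer appears anywhere in the change; `vendor_internal_prop` grants nothing on its own, so unless the reader (presumably hal_neuralnetworks_armnn, given the follow-up patch that drops its `default_prop` dontaudits) is granted read elsewhere, this only moves the denial from default_prop to the new type — confirm where the read is granted. The property_contexts entry also uses `prefix` with no type; since these are `ro.` configuration values, consider declaring the expected type the way private/property_contexts does with `exact bool`/`exact int`.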
From: Bruno BELANYI Date: Wed, 5 Apr 2023 14:56:12 +0000 Subject: [PATCH 146/162] Remove 'hal_neuralnetworks_armnn' sysprop exceptions Bug: 205202540 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4f1ca4a7ad3895f5a5adc25fc2cf3a532eac79f6) Merged-In: Ief9f33ea3aca3f6b0756c92feb1753462e86b894 Change-Id: Ief9f33ea3aca3f6b0756c92feb1753462e86b894 --- tracking_denials/hal_neuralnetworks_armnn.te | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te index b58f29fe..16b6b131 100644 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ b/tracking_denials/hal_neuralnetworks_armnn.te @@ -1,8 +1,2 @@ -# b/205073167 -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; -# b/205202540 -dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; # b/205779871 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; From a43d300afff870459847f65705189af163609d7f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 15:21:42 +0000 Subject: [PATCH 147/162] Remove 'hal_neuralnetworks_armnn' '/data' access exception The mali driver has been configured not to look there anymore. Bug: 205779871 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb69b32fc5b6f468561017f6bd5628626a571696) Merged-In: Ie651cd788e6f057cd902d1c14880bd1ad71ec5a5 Change-Id: Ie651cd788e6f057cd902d1c14880bd1ad71ec5a5 --- tracking_denials/hal_neuralnetworks_armnn.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te 
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te deleted file mode 100644 index 16b6b131..00000000 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/205779871 -dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; From f265749f1def872e0ad35f39fa2e11ce313a475e Mon Sep 17 00:00:00 2001 From: Jinyoung Jeong Date: Wed, 26 Apr 2023 07:39:50 +0000 Subject: [PATCH 148/162] Fix SELinux error for com.google.android.euicc Bug: 279548423 Test: http://fusion2/b7c803be-2dca-4195-b91f-6c4939746b5b Change-Id: Idd231c2412e8f597dea1bfa11f9d1a0fa1e17034 --- private/property.te | 8 ++++++++ private/property_contexts | 4 ++++ whitechapel_pro/certs/EuiccGoogle.x509.pem | 23 ++++++++++++++++++++++ whitechapel_pro/euicc_app.te | 15 ++++++++++++++ whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ whitechapel_pro/seapp_contexts | 3 +++ 7 files changed, 59 insertions(+) create mode 100644 private/property.te create mode 100644 whitechapel_pro/certs/EuiccGoogle.x509.pem create mode 100644 whitechapel_pro/euicc_app.te diff --git a/private/property.te b/private/property.te new file mode 100644 index 00000000..a6bee3b3 --- /dev/null +++ b/private/property.te @@ -0,0 +1,8 @@ +product_restricted_prop(masterclear_esim_prop) +product_restricted_prop(euicc_seamless_transfer_prop) + +neverallow { domain -init } masterclear_esim_prop:property_service set; +neverallow { domain -init } euicc_seamless_transfer_prop:property_service set; + +get_prop(appdomain, masterclear_esim_prop) +get_prop(appdomain, euicc_seamless_transfer_prop) diff --git a/private/property_contexts b/private/property_contexts index abcdd419..c7321c07 100644 --- a/private/property_contexts +++ b/private/property_contexts 
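Review bot: `get_prop(appdomain, masterclear_esim_prop)` and `get_prop(appdomain, euicc_seamless_transfer_prop)` in private/property.te make both flags readable by every application, although the only consumer introduced in this commit is `euicc_app` (whitechapel_pro/euicc_app.te); scoping the reads to `euicc_app` and whichever system component evaluates the masterclear flag follows least privilege. The `neverallow { domain -init } ...:property_service set;` lines are the right guard for a value that decides whether eSIM profiles survive a factory reset, so state that intent above them: `# Only init may set these flags; masterclear_esim_prop gates eSIM profile retention across FDR`.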
@@ -3,3 +3,7 @@ persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
 persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
 persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
 persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
+
+#eSIM
+masterclear.allow_retain_esim_profiles_after_fdr u:object_r:masterclear_esim_prop:s0 exact bool
+euicc.seamless_transfer_enabled_in_non_qs u:object_r:euicc_seamless_transfer_prop:s0 exact bool
diff --git a/whitechapel_pro/certs/EuiccGoogle.x509.pem b/whitechapel_pro/certs/EuiccGoogle.x509.pem
new file mode 100644
index 00000000..be6c715c
--- /dev/null
+++ b/whitechapel_pro/certs/EuiccGoogle.x509.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIJAOZ2d46ckK9JMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEUMBIG
+A1UEAwwLRXVpY2NHb29nbGUwHhcNMTYxMjE3MDEyMTEzWhcNNDQwNTA0MDEyMTEz
+WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
+TW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0Fu
+ZHJvaWQxFDASBgNVBAMMC0V1aWNjR29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA1S7b8bGk4fNm3cckWJx2sbnvC39BroHNwk6am6jVP4MZAYuc
+PN6QQ7/2s7hvtn91w6VbeGi2fryIMc7jXjlixheotD2Ns+/7qsPpQ+ZovfaQO5Xw
+/c4J+1CfiqrLtd4TyO+4uFGTCO/vs4qhMH58QrhnYPZUqeuq0Zs1Irp0FlVFe1qm
+1heU2zJy5locjb9UJXY33sVc9vfWy+sM8TLX40nWxIXGdbzJHJNyjjr/NA+0+drx
+anJCtac6+evehH6o8+t8RQBU44PEZiyGkM8poNgRTAcFdRFXU8pitZXp3QZQk6HO
+JsVuqqADwsfxGSdVyHFmOW7gxpkB9+IuJJEmkQIDAQABo1AwTjAdBgNVHQ4EFgQU
+lVkGDn/XmF7HjP0K3ykCNnnZ8jMwHwYDVR0jBBgwFoAUlVkGDn/XmF7HjP0K3ykC
+NnnZ8jMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkDOpQMXcuKwt
+CPu5/tdskpfoBMrpYJOwfvpj/JwrudnXUHZXnBnH9PtHprghGtNiWPXHTbZSzKUS
+Aojpo1Lev7DtowFILA54oY6d1NqbCIJy+Knwt3W5H7Rg8u8LqvzkpX5CBKAhRwkQ
+0t3yrlEkI7kx805vg484gAe+AXyBx0dGe6ov4/yrzv9E+1jhIgP7tF/f+x8zX6Tr
+mDCjzz4mgKahMbmsHQg430wlbZczrciMMfPiRc3xEHKLUqGL0ARtE01hJiJ4TY/X
+iL/8QUA3nBcpUyEwHFwUao40Gjca9xteKd7MtmiZ6BM2JJSQ4nSNkcwQW8PU/7Qb
+0QMwPRPLbQ==
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/euicc_app.te b/whitechapel_pro/euicc_app.te
new file mode 100644
index 00000000..d7259159
--- /dev/null
+++ b/whitechapel_pro/euicc_app.te
@@ -0,0 +1,15 @@ +type euicc_app, domain; +app_domain(euicc_app) + +allow euicc_app activity_service:service_manager find; +allow euicc_app radio_service:service_manager find; +allow euicc_app content_capture_service:service_manager find; +allow euicc_app virtual_device_service:service_manager find; +allow euicc_app game_service:service_manager find; +allow euicc_app netstats_service:service_manager find; +allow euicc_app registry_service:service_manager find; + +get_prop(euicc_app, setupwizard_esim_prop) +get_prop(euicc_app, bootloader_prop) +get_prop(euicc_app, exported_default_prop) +get_prop(euicc_app, vendor_modem_prop) diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 54130ea2..187184ac 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -15,3 +15,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem + +[@EUICCGOOGLE] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccGoogle.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index b57e61c7..24d88e61 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,4 +39,7 @@ + + + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 149e2287..b91b1a04 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
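Review bot: The new euicc_app domain enumerates six individual `service_manager find` targets (activity, content_capture, virtual_device, game, netstats, registry) and reads `bootloader_prop`, with no comment tying any of them to a denial or feature. For an `app_domain` the conventional rule is `allow euicc_app app_api_service:service_manager find;`, which covers the services an app is expected to reach and avoids an ad-hoc list that grows with every new denial; each `get_prop` should also carry a one-line reason, e.g. `# ro.boot.* values read for device/eSIM capability checks` above `get_prop(euicc_app, bootloader_prop)`, since that context presumably exposes ro.boot.* to this app. The mac_permissions.xml hunk in this change is rendered without its XML content here, so the signer-to-seinfo binding that gates entry into this domain cannot be checked from this page.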
@@ -49,6 +49,9 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all +# Domain for EuiccGoogle +user=_app isPrivApp=true seinfo=EuiccGoogle name=com.google.android.euicc domain=euicc_app type=app_data_file levelFrom=all + # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user From 5f9732a97a0e9cb8cd3f53d68aed3162ab13c18d Mon Sep 17 00:00:00 2001 From: martinwu Date: Mon, 24 Apr 2023 16:22:01 +0000 Subject: [PATCH 149/162] [TSV2] Remove tcpdump sepolicy from gs201 and move sepolicy to gs-common Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: Ic804a3a4739ec5a9604320cb8e0fdae91b8429c1 Merged-In: Ic804a3a4739ec5a9604320cb8e0fdae91b8429c1 --- whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 1 - 2 files changed, 3 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index f474d9c0..4a232600 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -5,7 +5,6 @@ type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; -type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; 
@@ -17,7 +16,6 @@ type powerstats_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute vendor_gps_file mlstrustedobject;
- typeattribute tcpdump_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
 ')
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 2a6eaa98..c4f5b098 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -202,7 +202,6 @@
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
-/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)? u:object_r:per_boot_file:s0
From 306bf73c79f75d3e7022e716520f483588d02905 Mon Sep 17 00:00:00 2001
From: Hongbo Zeng Date: Thu, 27 Apr 2023 10:15:18 +0000 Subject: [PATCH 150/162] Fix denials for radio service to access files under /data/venodr/radio Bug: 270561266 Test: get PASS result with go/ril-config-service-test and the original denial logs in http://b/270561266#comment8 are gone Change-Id: I17155852bb2408b4389a86d32228292885e14c46
---
 whitechapel_pro/radio.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te
index 8cb144d9..47278465 100644
--- a/whitechapel_pro/radio.te
+++ b/whitechapel_pro/radio.te
@@ -1,2 +1,5 @@
 allow radio proc_vendor_sched:dir r_dir_perms;
-allow radio proc_vendor_sched:file w_file_perms;
\ No newline at end of file
+allow radio proc_vendor_sched:file w_file_perms;
+
+allow radio radio_vendor_data_file:dir rw_dir_perms;
+allow radio radio_vendor_data_file:file create_file_perms;
From 2d7181e3fc1f5c9147eeeac3a0322f2dc2d69ff8 Mon Sep 17 00:00:00 2001
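Review bot: `allow radio radio_vendor_data_file:file create_file_perms;` together with `rw_dir_perms` on the directory gives the platform `radio` domain create/unlink/rename/setattr over every file of that type, and nothing in the hunk says what the RIL config service actually does there. If the service only reads its config, `r_dir_perms` and `r_file_perms` are enough; if it must write, keep the grant but add a comment such as `# RIL config service reads and writes its config under /data/vendor/radio (b/270561266)` so the breadth is visibly deliberate. `radio` is a coredomain and `radio_vendor_data_file` looks like a vendor data type whose declaration is not in this hunk, so confirm the rule does not depend on a `data_between_core_and_vendor_violators` exemption to pass the platform neverallows.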
From: Jinyoung Jeong Date: Tue, 2 May 2023 06:25:55 +0000 Subject: [PATCH 151/162] Fix LPA crash due to selinux denial Bug: 280336861 Test: No crash found during LPA basic tests: download eSIM, enable/disalbe eSIM. Change-Id: Ie4fd8fccce5ec98cf0b2afff9a41f27206e52626 --- whitechapel_pro/euicc_app.te | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/whitechapel_pro/euicc_app.te b/whitechapel_pro/euicc_app.te index d7259159..2e36435b 100644 --- a/whitechapel_pro/euicc_app.te +++ b/whitechapel_pro/euicc_app.te @@ -1,14 +1,12 @@ type euicc_app, domain; app_domain(euicc_app) +net_domain(euicc_app) -allow euicc_app activity_service:service_manager find; +allow euicc_app app_api_service:service_manager find; allow euicc_app radio_service:service_manager find; -allow euicc_app content_capture_service:service_manager find; -allow euicc_app virtual_device_service:service_manager find; -allow euicc_app game_service:service_manager find; -allow euicc_app netstats_service:service_manager find; -allow euicc_app registry_service:service_manager find; +allow euicc_app cameraserver_service:service_manager find; +get_prop(euicc_app, camera_config_prop) get_prop(euicc_app, setupwizard_esim_prop) get_prop(euicc_app, bootloader_prop) get_prop(euicc_app, exported_default_prop) From 2a02fe5fc5b21fe7df44b146dd2653026ae854bf Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 10 May 2023 10:56:55 +0800 Subject: [PATCH 152/162] add missing permission for gs201 power dump Bug: 281602658 Test: adb bugreport Change-Id: Ibf765c9da65d2c9f6a3825c91cb22771f583457a --- whitechapel_pro/dump_power_gs201.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/dump_power_gs201.te b/whitechapel_pro/dump_power_gs201.te index 6c6ca245..44520b08 100644 --- a/whitechapel_pro/dump_power_gs201.te +++ b/whitechapel_pro/dump_power_gs201.te 
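Review bot: The rewrite adds `net_domain(euicc_app)`, a `cameraserver_service` find and a `camera_config_prop` read without any comment explaining why an eSIM LPA needs the camera or general network access, and those are exactly the two grants a later reader of this domain will question. If the camera is for scanning activation-code QR codes and the network is for profile download from the SM-DP+ server, say so inline: `# Camera is used to scan eSIM activation-code QR codes` above the cameraserver rule and `# Profile download talks to the SM-DP+ server` above `net_domain`. Collapsing the six individual service finds into `app_api_service` is the right direction; the `get_prop` lines that remain as context here (bootloader_prop, exported_default_prop) still carry no rationale either.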
@@ -13,6 +13,8 @@ allow dump_power_gs201 sysfs_bcl:dir r_dir_perms;
 allow dump_power_gs201 sysfs_bcl:file r_file_perms;
 allow dump_power_gs201 sysfs_wlc:dir r_dir_perms;
 allow dump_power_gs201 sysfs_wlc:file r_file_perms;
+allow dump_power_gs201 battery_history_device:chr_file r_file_perms;
+allow dump_power_gs201 mitigation_vendor_data_file:file r_file_perms;
 userdebug_or_eng(`
 allow dump_power_gs201 debugfs:dir r_dir_perms;
From d19337894ad62474b9e52f10c623382d01942db7 Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Fri, 12 May 2023 12:09:08 +0800 Subject: [PATCH 153/162] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 282096141 Change-Id: I0725e78a76436a0904205f83655755bf7c76c05f
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index d05de12f..f8217325 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -27,3 +27,4 @@ shell system_dlkm_file dir b/239484612
 su modem_img_file filesystem b/240653918
 system_app proc_pagetypeinfo file b/275645892
 system_server privapp_data_file lnk_file b/276385494
+system_server system_userdir_file dir b/282096141
From 3992c42501a543651270a6f4fa5b5b9aedb5226a Mon Sep 17 00:00:00 2001
From: Luis Delgado de Mendoza Garcia Date: Mon, 24 Apr 2023 16:42:56 -0700 Subject: [PATCH 154/162] Add chre channel sepolicy entries Bug: 281814892 Fix: 281814892 Test: in-device verification. Change-Id: I3151d25c4a1cd7a858b84e0c8989dc160d368ca5 Merged-In: I3151d25c4a1cd7a858b84e0c8989dc160d368ca5
---
 whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 7a9672df..902584c7 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
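Review bot: `allow dump_power_gs201 mitigation_vendor_data_file:file r_file_perms;` grants file read but no `dir search` on the same type, so unless the domain already has directory access to it elsewhere in this file, opening anything under that directory will still be denied at bugreport time; if it is missing, add `allow dump_power_gs201 mitigation_vendor_data_file:dir r_dir_perms;` beside it. A short label in the style this file already uses for its sysfs groups, e.g. `# battery history and thermal-mitigation logs for bugreport`, would say what the two new reads are for. The `userdebug_or_eng` block that begins at the end of the hunk continues outside it.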
@@ -333,6 +333,8 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 From 7f19e81d6152b3e0762d72cd03e5498e094651b4 Mon Sep 17 00:00:00 2001 From: Anthony Zhang Date: Wed, 17 May 2023 10:40:07 -0700 Subject: [PATCH 155/162] [DO NOT MERGE] Allow fingerprint to access persist property Bug: 258901849 Test: Local test on enrollment/delete, version update Change-Id: I96acb79b3e600e0a4dd7b7a1cf494b20a876ca63 --- whitechapel_pro/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 08eb601b..947adf2c 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -83,6 +83,7 @@ vendor.gps. u:object_r:vendor_gps_prop:s0 persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # Fingerprint +persist.vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 vendor.gf. u:object_r:vendor_fingerprint_prop:s0 From 980c71bea4312d539f3c5ad5146ee623d08ca930 Mon Sep 17 00:00:00 2001 
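Review bot: Mapping `persist.vendor.fingerprint.` onto the same `vendor_fingerprint_prop` context as the non-persistent `vendor.fingerprint.` and `vendor.gf.` prefixes means every domain that already has `set_prop` on that context can now write state that survives a reboot, and the hunk does not say which property or which writer this is for. If only the fingerprint HAL should persist values, a dedicated context (`persist.vendor.fingerprint. u:object_r:vendor_fingerprint_persist_prop:s0`, declared as a vendor property with set_prop only for the HAL) keeps the persistent namespace narrower; at minimum add `# persist.vendor.fingerprint.* survives reboot for enrollment/version tracking (b/258901849)` above the new line. The subject is marked [DO NOT MERGE], so confirm the intended branch before this lands.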
From: Jin Jeong Date: Fri, 12 May 2023 04:18:25 +0000 Subject: [PATCH 156/162] Revert "Fix LPA crash due to selinux denial" Revert submission 22955599-euicc_selinux_fix2 Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules Bug: 279988311 Reverted changes: /q/submissionid:22955599-euicc_selinux_fix2 Change-Id: I2799c61ab5464e5551168f471740afe76edd1113 --- whitechapel_pro/euicc_app.te | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/whitechapel_pro/euicc_app.te b/whitechapel_pro/euicc_app.te index 2e36435b..d7259159 100644 --- a/whitechapel_pro/euicc_app.te +++ b/whitechapel_pro/euicc_app.te @@ -1,12 +1,14 @@ type euicc_app, domain; app_domain(euicc_app) -net_domain(euicc_app) -allow euicc_app app_api_service:service_manager find; +allow euicc_app activity_service:service_manager find; allow euicc_app radio_service:service_manager find; -allow euicc_app cameraserver_service:service_manager find; +allow euicc_app content_capture_service:service_manager find; +allow euicc_app virtual_device_service:service_manager find; +allow euicc_app game_service:service_manager find; +allow euicc_app netstats_service:service_manager find; +allow euicc_app registry_service:service_manager find; -get_prop(euicc_app, camera_config_prop) get_prop(euicc_app, setupwizard_esim_prop) get_prop(euicc_app, bootloader_prop) get_prop(euicc_app, exported_default_prop) From 10ef6d8619602de44dd481680d060770374f167c Mon Sep 17 00:00:00 2001 
From: Jin Jeong Date: Fri, 12 May 2023 04:17:26 +0000 Subject: [PATCH 157/162] Revert "Fix SELinux error for com.google.android.euicc" Revert submission 22899490-euicc_selinux_fix Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules Bug: 279988311 Reverted changes: /q/submissionid:22899490-euicc_selinux_fix Change-Id: I50ff4f8e48389d034c3f6c716dad1a81e9b73e64 --- private/property.te | 8 -------- private/property_contexts | 4 ---- whitechapel_pro/certs/EuiccGoogle.x509.pem | 23 ---------------------- whitechapel_pro/euicc_app.te | 15 -------------- whitechapel_pro/keys.conf | 3 --- whitechapel_pro/mac_permissions.xml | 3 --- whitechapel_pro/seapp_contexts | 3 --- 7 files changed, 59 deletions(-) delete mode 100644 private/property.te delete mode 100644 whitechapel_pro/certs/EuiccGoogle.x509.pem delete mode 100644 whitechapel_pro/euicc_app.te diff --git a/private/property.te b/private/property.te deleted file mode 100644 index a6bee3b3..00000000 --- a/private/property.te +++ /dev/null @@ -1,8 +0,0 @@ -product_restricted_prop(masterclear_esim_prop) -product_restricted_prop(euicc_seamless_transfer_prop) - -neverallow { domain -init } masterclear_esim_prop:property_service set; -neverallow { domain -init } euicc_seamless_transfer_prop:property_service set; - -get_prop(appdomain, masterclear_esim_prop) -get_prop(appdomain, euicc_seamless_transfer_prop) diff --git a/private/property_contexts b/private/property_contexts index c7321c07..abcdd419 100644 --- a/private/property_contexts +++ b/private/property_contexts 
@@ -3,7 +3,3 @@ persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int - -#eSIM -masterclear.allow_retain_esim_profiles_after_fdr u:object_r:masterclear_esim_prop:s0 exact bool -euicc.seamless_transfer_enabled_in_non_qs u:object_r:euicc_seamless_transfer_prop:s0 exact bool diff --git a/whitechapel_pro/certs/EuiccGoogle.x509.pem b/whitechapel_pro/certs/EuiccGoogle.x509.pem deleted file mode 100644 index be6c715c..00000000 --- a/whitechapel_pro/certs/EuiccGoogle.x509.pem +++ /dev/null 
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDwzCCAqugAwIBAgIJAOZ2d46ckK9JMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV -BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW -aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEUMBIG -A1UEAwwLRXVpY2NHb29nbGUwHhcNMTYxMjE3MDEyMTEzWhcNNDQwNTA0MDEyMTEz -WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN -TW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0Fu -ZHJvaWQxFDASBgNVBAMMC0V1aWNjR29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA1S7b8bGk4fNm3cckWJx2sbnvC39BroHNwk6am6jVP4MZAYuc -PN6QQ7/2s7hvtn91w6VbeGi2fryIMc7jXjlixheotD2Ns+/7qsPpQ+ZovfaQO5Xw -/c4J+1CfiqrLtd4TyO+4uFGTCO/vs4qhMH58QrhnYPZUqeuq0Zs1Irp0FlVFe1qm -1heU2zJy5locjb9UJXY33sVc9vfWy+sM8TLX40nWxIXGdbzJHJNyjjr/NA+0+drx -anJCtac6+evehH6o8+t8RQBU44PEZiyGkM8poNgRTAcFdRFXU8pitZXp3QZQk6HO -JsVuqqADwsfxGSdVyHFmOW7gxpkB9+IuJJEmkQIDAQABo1AwTjAdBgNVHQ4EFgQU -lVkGDn/XmF7HjP0K3ykCNnnZ8jMwHwYDVR0jBBgwFoAUlVkGDn/XmF7HjP0K3ykC -NnnZ8jMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkDOpQMXcuKwt -CPu5/tdskpfoBMrpYJOwfvpj/JwrudnXUHZXnBnH9PtHprghGtNiWPXHTbZSzKUS -Aojpo1Lev7DtowFILA54oY6d1NqbCIJy+Knwt3W5H7Rg8u8LqvzkpX5CBKAhRwkQ -0t3yrlEkI7kx805vg484gAe+AXyBx0dGe6ov4/yrzv9E+1jhIgP7tF/f+x8zX6Tr -mDCjzz4mgKahMbmsHQg430wlbZczrciMMfPiRc3xEHKLUqGL0ARtE01hJiJ4TY/X -iL/8QUA3nBcpUyEwHFwUao40Gjca9xteKd7MtmiZ6BM2JJSQ4nSNkcwQW8PU/7Qb -0QMwPRPLbQ== ------END CERTIFICATE----- diff --git a/whitechapel_pro/euicc_app.te b/whitechapel_pro/euicc_app.te deleted file mode 100644 index d7259159..00000000 --- a/whitechapel_pro/euicc_app.te +++ /dev/null 
@@ -1,15 +0,0 @@ -type euicc_app, domain; -app_domain(euicc_app) - -allow euicc_app activity_service:service_manager find; -allow euicc_app radio_service:service_manager find; -allow euicc_app content_capture_service:service_manager find; -allow euicc_app virtual_device_service:service_manager find; -allow euicc_app game_service:service_manager find; -allow euicc_app netstats_service:service_manager find; -allow euicc_app registry_service:service_manager find; - -get_prop(euicc_app, setupwizard_esim_prop) -get_prop(euicc_app, bootloader_prop) -get_prop(euicc_app, exported_default_prop) -get_prop(euicc_app, vendor_modem_prop) diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 187184ac..54130ea2 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -15,6 +15,3 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem - -[@EUICCGOOGLE] -ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccGoogle.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 24d88e61..b57e61c7 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,7 +39,4 @@ - - - diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index b91b1a04..149e2287 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
@@ -49,9 +49,6 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# Domain for EuiccGoogle -user=_app isPrivApp=true seinfo=EuiccGoogle name=com.google.android.euicc domain=euicc_app type=app_data_file levelFrom=all - # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user From 1113c66dea0dc8d4023551ea5c5460ad85d9c0da Mon Sep 17 00:00:00 2001 From: sashwinbalaji Date: Mon, 8 May 2023 12:57:54 +0800 Subject: [PATCH 158/162] thermal: thermal_metrics: Update selinux to reset stats Bug: 193833982 Test: Local build and verify statsD logs adb shell cmd stats print-logs && adb logcat -b all | grep -i 105045 Change-Id: I0dc1c557797d7fe97da7f0fcb2d600485526c979 --- whitechapel_pro/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 48fd6e8f..6aba16ae 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -41,6 +41,7 @@ allow pixelstats_vendor sysfs_exynos_pcie_stats:file rw_file_perms; #perf-metrics r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms; +allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; From 955ae6825f4b98cb8633da83e19ff0b998f53224 Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Wed, 24 May 2023 16:51:46 +0200 Subject: [PATCH 159/162] Allow vendor_init to fix permissions of TEE data file Background: * vendor_init needs to be able to possibly fix ownership of tee_data_file Bug: 280325952 Test: Changed permissions and confirmed user transitions Change-Id: I27681589c9d0b0aa88463e6476fb75119ea89e8a 
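Review bot: `allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms;` grants write (plus append, lock and ioctl-less setattr) to every sysfs node carrying the `sysfs_vendor_metrics` label, when the commit only needs to reset thermal stats counters; a broad write on a whole metrics label lets a compromised stats daemon poke any writable node the kernel exposes under it. Prefer giving the reset node(s) their own label in genfs_contexts and writing only to that type, or if the writable set is small and fixed, say so: `# write needed to reset thermal_metrics stats counters (b/193833982)`. The `r_dir_file` and `lnk_file` context lines above already cover the read side, so the new rule should name only the write target.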
Signed-off-by: Donnie Pollitz
---
 whitechapel_pro/vendor_init.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 4d8516a2..415d7c8f 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -37,6 +37,7 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms;
 # Trusty storage FS ready
 get_prop(vendor_init, vendor_trusty_storage_prop)
+allow vendor_init tee_data_file:lnk_file read;
 # Mali
 set_prop(vendor_init, vendor_arm_runtime_option_prop)
From ee160b5880496559fda584ca04cf3b35337495a3 Mon Sep 17 00:00:00 2001
From: Jenny Ho Date: Tue, 30 May 2023 12:01:25 +0800 Subject: [PATCH 160/162] Add permissions for maxfg_base/maxfg_secondary Bug: 284878175 Change-Id: I3fe3030ecd36773405f0e70b767d4a28062d91ad Signed-off-by: Jenny Ho
---
 whitechapel_pro/dump_power_gs201.te | 1 + whitechapel_pro/genfs_contexts | 3 +++ 2 files changed, 4 insertions(+)
diff --git a/whitechapel_pro/dump_power_gs201.te b/whitechapel_pro/dump_power_gs201.te
index 44520b08..b61001cb 100644
--- a/whitechapel_pro/dump_power_gs201.te
+++ b/whitechapel_pro/dump_power_gs201.te
@@ -24,6 +24,7 @@ userdebug_or_eng(`
 allow dump_power_gs201 vendor_charger_debugfs:file r_file_perms;
 allow dump_power_gs201 vendor_pm_genpd_debugfs:file r_file_perms;
 allow dump_power_gs201 vendor_maxfg_debugfs:dir r_dir_perms;
+ allow dump_power_gs201 vendor_maxfg_debugfs:file r_file_perms;
 allow dump_power_gs201 vendor_votable_debugfs:dir r_dir_perms;
 allow dump_power_gs201 vendor_votable_debugfs:file r_file_perms;
 ')
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 902584c7..57f0237c 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
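Review bot: `allow vendor_init tee_data_file:lnk_file read;` lets vendor_init resolve symlinks inside a directory that the TEE domain writes to, and the commit message says this is in service of fixing ownership of those files; if the fix-up (a chown or restorecon in an rc action) follows the link rather than operating on the link itself, a symlink planted there could redirect the ownership change to an arbitrary path. Confirm the init action uses non-following semantics (lchown, no recursive -L) and record that next to the rule, e.g. `# Follow symlinks under /data/vendor/ss when repairing tee_data_file ownership (b/280325952); the fix-up must not chown through the link`. Note the rule grants only `lnk_file read`: if the ownership repair also needs `dir`/`file` setattr on tee_data_file, that is not in this hunk and should already exist elsewhere or be added with it.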
@@ -183,6 +183,8 @@ genfscon sysfs /devices/platform/14700000.ufs/rev u:object # debugfs genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /maxfg_secondary u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 @@ -214,6 +216,7 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-0050/eeprom genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0069/power_supply u:object_r:sysfs_batteryinfo:s0 From f4eada749fb3abf944524d5d7979b6f131bf2cc3 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 4 Sep 2023 15:33:41 +0800 Subject: [PATCH 161/162] Update SELinux error Bug: 290766628 Merged-In: If623bee7f1050f814a2a3531bfa5de414fa32104 Change-Id: I13d2fb464c80b0be2d6524a58b441fcd8eaaa830 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f8217325..b8ca75ac 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -28,3 +28,4 @@ su modem_img_file filesystem b/240653918 system_app proc_pagetypeinfo file b/275645892 system_server privapp_data_file lnk_file b/276385494 system_server system_userdir_file dir b/282096141 +platform_app hal_uwb_vendor_service find b/290766628 From 93f3237f8a927959eeca25c74654aa83bd98e68a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 5 Sep 2023 16:25:52 +0800 Subject: [PATCH 162/162] Move uwb to system_ext Bug: 290766628 Change-Id: I00a1c45f05cc52a9ce93234921d0b759a3143f16 --- .../private}/certs/com_qorvo_uwb.x509.pem | 0 system_ext/private/file.te | 2 ++ system_ext/private/keys.conf | 3 +++ system_ext/private/mac_permissions.xml | 27 +++++++++++++++++++ system_ext/private/seapp_contexts | 5 ++++ system_ext/private/uwb_vendor_app.te | 12 +++++++++ system_ext/public/uwb_vendor_app.te | 2 ++ whitechapel_pro/file.te | 1 - whitechapel_pro/keys.conf | 3 --- whitechapel_pro/mac_permissions.xml | 3 --- whitechapel_pro/seapp_contexts | 4 --- whitechapel_pro/uwb_vendor_app.te | 12 +-------- 12 files changed, 52 insertions(+), 22 deletions(-) rename {whitechapel_pro => system_ext/private}/certs/com_qorvo_uwb.x509.pem (100%) create mode 100644 system_ext/private/file.te create mode 100644 system_ext/private/keys.conf create mode 100644 system_ext/private/mac_permissions.xml create mode 100644 system_ext/private/uwb_vendor_app.te create mode 100644 system_ext/public/uwb_vendor_app.te diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem similarity index 100% rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem rename to system_ext/private/certs/com_qorvo_uwb.x509.pem diff --git a/system_ext/private/file.te b/system_ext/private/file.te new file mode 100644 index 00000000..9344be7e --- /dev/null +++ b/system_ext/private/file.te @@ -0,0 +1,2 @@ + +type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; 
diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf new file mode 100644 index 00000000..c2228db6 --- /dev/null +++ b/system_ext/private/keys.conf @@ -0,0 +1,3 @@ +[@UWB] +ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem + diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml new file mode 100644 index 00000000..51af79f6 --- /dev/null +++ b/system_ext/private/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 25318ffe..82f4347c 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts @@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all + +# Qorvo UWB system app +# TODO(b/222204912): Should this run under uwb user? +user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all + diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te new file mode 100644 index 00000000..3ae5ecd3 --- /dev/null +++ b/system_ext/private/uwb_vendor_app.te @@ -0,0 +1,12 @@ +app_domain(uwb_vendor_app) + +not_recovery(` + +allow uwb_vendor_app app_api_service:service_manager find; +allow uwb_vendor_app nfc_service:service_manager find; +allow uwb_vendor_app radio_service:service_manager find; + +allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; +allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; + +') diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te new file mode 100644 index 00000000..6824e4e9 --- /dev/null +++ b/system_ext/public/uwb_vendor_app.te @@ -0,0 +1,2 @@ +type uwb_vendor_app, domain; + 
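Review bot: The new system_ext/private/uwb_vendor_app.te grants `nfc_service` and `radio_service` find with no comment on why a UWB vendor service needs NFC and telephony, and the moved seapp_contexts entry still carries `TODO(b/222204912): Should this run under uwb user?` — relocating the policy to system_ext is the natural point to settle the uid question or at least state why `_app` is kept. Add a reason above each service rule, e.g. `# Qorvo service queries NFC/telephony state for UWB session setup — confirm`, and drop any find the vendor service does not actually use. The keys.conf and seapp_contexts hunks both add a trailing blank line, and the mac_permissions.xml hunk is rendered without its XML content here, so the signer binding behind `seinfo=uwb` cannot be verified from this page.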
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4a232600..fb4bad8c 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -10,7 +10,6 @@ type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; type sensor_reg_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; -type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 54130ea2..2a7a6d56 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem [@MDS] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem -[@UWB] -ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem - [@EUICCSUPPORTPIXEL] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index b57e61c7..e9031e5f 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -27,9 +27,6 @@ - - - diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 8ff78b87..dcaaf664 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
@@ -36,10 +36,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_ # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user -# Qorvo UWB system app -# TODO(b/222204912): Should this run under uwb user? -user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all - # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te index aa4564e6..cc5a9de4 100644 --- a/whitechapel_pro/uwb_vendor_app.te +++ b/whitechapel_pro/uwb_vendor_app.te @@ -1,18 +1,8 @@ -type uwb_vendor_app, domain; - -app_domain(uwb_vendor_app) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb_vendor) - -allow uwb_vendor_app app_api_service:service_manager find; allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; -allow uwb_vendor_app nfc_service:service_manager find; -allow uwb_vendor_app radio_service:service_manager find; - -allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; -allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow hal_uwb_vendor_default self:global_capability_class_set sys_nice; allow hal_uwb_vendor_default kernel:process setsched;