From e3ae25faca2f9df3eb9e03594a3b86019817b3cf Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 3 Jul 2024 02:04:37 +0000
Subject: [PATCH 01/14] Update SELinux error
Test: scanBugreport
Bug: 350831939
Bug: 350832009
Change-Id: Ib8cee5cf5cb6acc734c2334e91b49aa4b7a02863
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 75fe53cf..40ebc957 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,5 @@
+dump_display sysfs file b/350831939
+dumpstate unlabeled file b/350832009
 hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
 hal_sensors_default sysfs file b/336451433
From b05833237caf7e50e1b4b7879cc29ce182eeac7a Mon Sep 17 00:00:00 2001
From: Aaron Tsai
Date: Thu, 23 May 2024 08:40:37 +0000
Subject: [PATCH 02/14] Add permission for setting gril property
05-22 18:00:40.443 948 948 I auditd : type=1400 audit(0.0:854): avc: denied { write } for comm="radioext@1.0-se" name="property_service" dev="tmpfs" ino=851 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
Bug: 343012301
Bug: 203824024
Test: manual test
Flag: EXEMPT bugfix
Change-Id: Ie873e186d3eda618ba832164d9c9713b410977d2
---
 whitechapel_pro/hal_radioext_default.te | 1 +
 whitechapel_pro/property.te | 1 +
 whitechapel_pro/property_contexts | 3 +++
 3 files changed, 5 insertions(+)
diff --git a/whitechapel_pro/hal_radioext_default.te b/whitechapel_pro/hal_radioext_default.te
index fb6bc03d..7e21da86 100644
--- a/whitechapel_pro/hal_radioext_default.te
+++ b/whitechapel_pro/hal_radioext_default.te
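Review bot: `dumpstate unlabeled file b/350832009` maps a denial on an `unlabeled` object, which is a file carrying no SELinux label at all rather than a merely generic one; that usually points at a missing file_contexts/genfs entry or a file created before policy load, and every other domain that touches the file will produce the same class of denial, so the tracked bug should be about restoring the label, not about dumpstate. The `dump_display sysfs file b/350831939` line is presumably covered by the genfs label PATCH 03 adds under the same bug, so it can be removed from this map once that change lands.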
@@ -4,6 +4,7 @@ init_daemon_domain(hal_radioext_default)
 hwbinder_use(hal_radioext_default)
 get_prop(hal_radioext_default, hwservicemanager_prop)
+set_prop(hal_radioext_default, vendor_gril_prop)
 add_hwservice(hal_radioext_default, hal_radioext_hwservice)
 binder_call(hal_radioext_default, grilservice_app)
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 559511a0..98fd4534 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -4,6 +4,7 @@ vendor_internal_prop(vendor_modem_prop)
 vendor_internal_prop(vendor_persist_config_default_prop)
 vendor_internal_prop(vendor_cbd_prop)
 vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_gril_prop)
 vendor_internal_prop(vendor_carrier_prop)
 vendor_internal_prop(vendor_ssrdump_prop)
 vendor_internal_prop(vendor_wifi_version)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 0ff833e8..9f1747b5 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -38,6 +38,9 @@ vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
 persist.vendor.radio. u:object_r:vendor_rild_prop:s0
 ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0
+# for GRIL
+vendor.gril. u:object_r:vendor_gril_prop:s0
+
 persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
 # SSR Detector
From e1d272f6c99a048ce310eaf24fcfadd94ec6b520 Mon Sep 17 00:00:00 2001
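Review bot: The new `set_prop(hal_radioext_default, vendor_gril_prop)` line carries no comment, so the only record of why the radioext HAL may write `vendor.gril.*` is the audit line in the commit message, which nobody reading the .te file will see; add `# radioext HAL sets vendor.gril.* (see property_contexts, b/343012301)` above it. set_prop is the right macro for the logged `property_socket` write denial since it bundles the property_service connect with the `set` permission, so no narrower rule applies. The hal_radioext_default domain block starts before this hunk.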
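Review bot: `vendor.gril. u:object_r:vendor_gril_prop:s0` relies on the legacy implicit prefix match, whereas this file already uses the explicit form for the Mali entry (`vendor.mali. ... prefix`); new entries should follow the explicit form, `vendor.gril. u:object_r:vendor_gril_prop:s0 prefix`, or better an `exact` line per property with its type if the property names are fixed, so init can type-check values. The `# for GRIL` comment should also say which process consumes the properties, since the .te side only shows that hal_radioext_default sets them.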
From: Carl Tsai
Date: Tue, 9 Jul 2024 05:38:01 +0000
Subject: [PATCH 03/14] Add to allocate a security context for panel_pwr_vreg
type=1400 audit(1719903781.812:18): avc: denied { read } for comm="dump_display" name="panel_pwr_vreg" dev="sysfs" ino=87631 scontext=u:r:dump_display:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
Bug: 350831939
Test: run pts -m PtsSELinuxTestCases -t com.google.android.selinux.pts.SELinuxTest#scanBugreport to check the test is Pass
Flag: EXEMPT bugfix
Change-Id: Ib03479bece87f26f48d6998dfd9b2dd84d439204
---
 whitechapel_pro/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index d8e63eb1..e8150562 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -102,6 +102,7 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extin
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_pwr_vreg u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
From 27df5480c438753f1d67f19a5b1b8946a0ba0e88 Mon Sep 17 00:00:00 2001
From: Mike McTernan
Date: Mon, 15 Jul 2024 10:15:13 +0100
Subject: [PATCH 04/14] trusty: storageproxy: add fs_ready_rw property context
Flag: EXEMPT bug fix
Bug: 350362101
Test: ABTD
Change-Id: I2d6d1ab8dbd60c21a16cadc26c5e4d5d290df42d
---
 whitechapel_pro/property_contexts | 1 +
 1 file changed, 1 insertion(+)
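Review bot: Only the 1c2c0000.drmdsim.0 instance gets the `panel_pwr_vreg` label; the sibling 1c2d0000.drmdsim.0 node, which this file labels with the same panel_name/serial_number/refresh_rate set, is left as plain `sysfs`, so dump_display will presumably hit the identical denial on the second panel. Add `genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_pwr_vreg u:object_r:sysfs_display:s0` alongside. Labeling the node sysfs_display also exposes it to every domain that holds sysfs_display access, not just dump_display; if the attribute is writable in the kernel, confirm no domain has write on sysfs_display before relying on this label.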
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 9f1747b5..63838701 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -105,6 +105,7 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop:
 # Trusty
 ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
+ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0
 # Mali GPU driver configuration and debug options
 vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
From e825da7d84d42cea498dae3f031825739212bd26 Mon Sep 17 00:00:00 2001
From: Daniel Chapin
Date: Wed, 24 Jul 2024 20:17:20 +0000
Subject: [PATCH 05/14] Revert "trusty: storageproxy: add fs_ready_rw property context"
Revert submission 28318041-rw_storage
Reason for revert: Droidfood blocking bug b/355163562
Reverted changes: /q/submissionid:28318041-rw_storage
Change-Id: Ifa22c1551e75dd5161a19c5fb5cb372fe669921c
---
 whitechapel_pro/property_contexts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 63838701..9f1747b5 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -105,7 +105,6 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop:
 # Trusty
 ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
-ro.vendor.trusty.storage.fs_ready_rw u:object_r:vendor_trusty_storage_prop:s0
 # Mali GPU driver configuration and debug options
 vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
From 3e1197bafbe0943da26820d4c279754ddbc069f4 Mon Sep 17 00:00:00 2001
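Review bot: If the existing `ro.vendor.trusty.storage.fs_ready` entry is a legacy line (no `exact`/`prefix` keyword, as it appears here), property_contexts treats it as a prefix match and it already covers `ro.vendor.trusty.storage.fs_ready_rw`, which would make the added line a no-op; please confirm against the match rules in use on this branch. If the two are meant to be distinct, exact typed entries are clearer and let init validate the value, e.g. `ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 exact bool` and the same form for `fs_ready_rw`. Note that this change is reverted by PATCH 05 later in the series.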
From: Wilson Sung
Date: Fri, 2 Aug 2024 09:17:28 +0000
Subject: [PATCH 06/14] Add kernel vendor_fw_file dir read permission
07-31 05:35:39.208 885 885 W binder:885_5: type=1400 audit(0.0:125): avc: denied { read } for name="firmware" dev="dm-7" ino=48 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_fw_file:s0 tclass=dir
Fix: 356530883
Flag: EXEMPT bugfix
Change-Id: I1bb8fcfc952c69c991fd978a617eb92558817267
---
 whitechapel_pro/kernel.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
index d44eed68..1af0a9a4 100644
--- a/whitechapel_pro/kernel.te
+++ b/whitechapel_pro/kernel.te
@@ -1,4 +1,4 @@
-allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:dir r_dir_perms;
 allow kernel vendor_fw_file:file r_file_perms;
 # ZRam
From 3c082cdefdb733d48e1432cf8bc4f88a4fd89ce0 Mon Sep 17 00:00:00 2001
From: Kevin Ying
Date: Thu, 1 Aug 2024 21:29:11 +0000
Subject: [PATCH 07/14] Allow camera HAL to access power_state sysfs
08-03 01:41:34.444 791 791 W TaskPool: type=1400 audit(0.0:178): avc: denied { read } for name="power_state" dev="sysfs" ino=86770 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
Bug: 339690296
Test: Open camera under SELinux enforcing mode, no display avc error
Flag: EXEMPT resource update only
Change-Id: Ic0f2d149cbcd8a3da5035f6d2788b4548523bbd6
Signed-off-by: Kevin Ying
---
 whitechapel_pro/genfs_contexts | 2 ++
 whitechapel_pro/hal_camera_default.te | 1 +
 2 files changed, 3 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index e8150562..c65e969d 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
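Review bot: The logged denial is a single directory `read` from a kernel thread (`binder:885_5`) on the `firmware` directory, and the fix widens `search` to the full `r_dir_perms` set without recording why the kernel needs to enumerate the vendor firmware directory rather than open named files under it; that reasoning is what stops the next cleanup from narrowing it back. Add a comment above the rule, e.g. `# kernel firmware loader enumerates /vendor/firmware (b/356530883)`, adjusted to whatever the actual kernel-side caller is, since the audit line does not show it.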
@@ -103,12 +103,14 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_pwr_vreg u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/power_state u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/power_state u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 25f2ffc4..af2350f7 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -88,6 +88,7 @@ allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
 # Allow camera HAL to read backlight of display
 allow hal_camera_default sysfs_leds:dir r_dir_perms;
 allow hal_camera_default sysfs_leds:file r_file_perms;
+allow hal_camera_default sysfs_display:file r_file_perms;
 # Allow camera HAL to send trace packets to Perfetto
 userdebug_or_eng(`perfetto_producer(hal_camera_default)')
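Review bot: `allow hal_camera_default sysfs_display:file r_file_perms;` grants read on every sysfs_display node — including the panel `serial_number`, `panel_name`, `panel_extinfo` and the dqe `atc` entries labeled in the preceding hunk — although the denial only names `power_state`; if the camera HAL needs just the panel power state, label the two `power_state` nodes with a dedicated type so the panel serial stays out of the camera HAL's reach. The new line also sits under `# Allow camera HAL to read backlight of display`, which no longer describes it; give it its own comment, `# Allow camera HAL to read display power_state (sysfs_display also covers panel name/serial)`. Whether hal_camera_default already has `search` on the parent sysfs directories is not visible here; the enforcing-mode test in the commit message suggests it does.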
From 2b177e8120a833f0f86a7eeef144d386ab3e0c1d Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Tue, 13 Aug 2024 07:30:43 +0000
Subject: [PATCH 08/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 359428005
Test: scanBugreport
Bug: 359427666
Test: scanAvcDeniedLogRightAfterReboot
Bug: 359428317
Flag: EXEMPT bugFix
Change-Id: Ib4a909b4f6e2bbad977ae66b722ad0de055ef5b5
---
 tracking_denials/bug_map | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 40ebc957..92419c05 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -11,6 +11,7 @@ kernel kernel capability b/336451113
 kernel tmpfs chr_file b/321731318
 rfsd vendor_cbd_prop file b/317734397
 shell sysfs_net file b/329380891
+ssr_detector_app default_prop file b/359428005
 surfaceflinger selinuxfs file b/315104594
 vendor_init debugfs_trace_marker file b/336451787
 vendor_init default_prop file b/315104479
@@ -20,3 +21,5 @@ vendor_init default_prop file b/323086890
 vendor_init default_prop file b/329380363
 vendor_init default_prop file b/329381126
 vendor_init default_prop property_service b/315104803
+vendor_init default_prop property_service b/359427666
+vendor_init default_prop property_service b/359428317
From b958dd13ad83f5d278dcb094f9e4a9daaed5a7f4 Mon Sep 17 00:00:00 2001
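Review bot: The two added `vendor_init default_prop property_service` lines repeat the existing `vendor_init default_prop property_service b/315104803` entry with different bug numbers; bug_map is keyed on the (scontext, tcontext, tclass) triple, so presumably only one of the three mappings is ever reported and the new bugs will not be surfaced by the tests. Either fold them into one entry or, better, give the property vendor_init is setting a property_contexts entry so it stops landing on `default_prop`, which is also the fix for the `ssr_detector_app default_prop file` line in the first hunk.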
From: Xiaofan Jiang
Date: Wed, 14 Aug 2024 00:34:31 +0000
Subject: [PATCH 09/14] gs201: update shared_modem_platform sepolicy for UMI
Bug: 357139752
Flag: EXEMPT sepolicy
[ 68.189198] type=1400 audit(1722986580.568:59): avc: denied { unlink } for comm="binder:892_2" name="modem_svc_socket" dev="dm-52" ino=20239 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
[ 68.189448] type=1400 audit(1722986580.568:60): avc: denied { create } for comm="binder:892_2" name="modem_svc_socket" scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=sock_file permissive=1
Change-Id: I0bbef83a3915e4c0e284296bc5b59e0ce6cf6f15
---
 whitechapel_pro/modem_svc_sit.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 5a703c9e..606cd520 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -48,4 +48,9 @@ perfetto_producer(modem_svc_sit)
 # Allow modem_svc_sit to access modem image file/dir
 allow modem_svc_sit modem_img_file:dir r_dir_perms;
 allow modem_svc_sit modem_img_file:file r_file_perms;
-allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
+
+# Allow modem_svc_sit to access socket for UMI
+userdebug_or_eng(`
+ allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink };
+')
From 84725d0c7ac050c9c6e667b8dd0c0e93cb32f7c5 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Thu, 15 Aug 2024 08:53:22 +0000
Subject: [PATCH 10/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 360057889
Test: scanBugreport
Bug: 359428317
Test: scanAvcDeniedLogRightAfterReboot
Bug: 359428317
Flag: EXEMPT bugFix
Change-Id: I9d573610f24054bd6ea8bb3307d0102da077dc55
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
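Review bot: Granting `create unlink` on a `sock_file` of type radio_vendor_data_file leaves the new `modem_svc_socket` with the generic data-directory label, so every domain that already has write access to radio_vendor_data_file can connect to or remove the socket, and policy cannot distinguish it from ordinary files in that directory. Prefer a dedicated type with a name transition, e.g. `type modem_svc_socket, file_type, data_file_type;`, `type_transition modem_svc_sit radio_vendor_data_file:sock_file modem_svc_socket "modem_svc_socket";`, and then `allow modem_svc_sit modem_svc_socket:sock_file { create unlink setattr };`, with the peer's `write` rule pointed at the new type. Both audit lines were captured with `permissive=1` and show no `dir { add_name remove_name }` denial, which suggests the directory side is already granted, but that rule is not visible in this hunk.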
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 92419c05..58f57c8e 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -3,6 +3,7 @@ dumpstate unlabeled file b/350832009
 hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
 hal_sensors_default sysfs file b/336451433
+hal_vibrator_default default_android_service service_manager b/360057889
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
 insmod-sh insmod-sh key b/336451874
From 0eae05186f1ea18a9ea2218a6aaec1134ea7df3c Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Thu, 15 Aug 2024 08:30:36 +0000
Subject: [PATCH 11/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 360057889
Test: scanBugreport
Bug: 359428317
Test: scanAvcDeniedLogRightAfterReboot
Bug: 359428317
Flag: EXEMPT bugFix
Change-Id: Iaec87b719446dbef5dc3d8d8d563cf3f47a2a584
From 4f8e79e4e5846225f04027bfb978b22faf6d6844 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Thu, 15 Aug 2024 08:32:44 +0000
Subject: [PATCH 12/14] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 360057889
Test: scanBugreport
Bug: 359428317
Test: scanAvcDeniedLogRightAfterReboot
Bug: 359428317
Flag: EXEMPT bugFix
Change-Id: I3d4a7bfbaab36136fbde6bbd56239e43cc9b012d
From e1a25491683a12b146ba821c9dc6c070df2ee0bf Mon Sep 17 00:00:00 2001
From: "Priyanka Advani (xWF)"
Date: Thu, 15 Aug 2024 16:14:44 +0000
Subject: [PATCH 13/14] Revert "gs201: update shared_modem_platform sepolicy for UMI"
Revert submission 28762313
Reason for revert: Droidmonitor created revert due to b/360059249.
Reverted changes: /q/submissionid:28762313
Change-Id: I0fc3d7d99b999eedf7e3948afb58fd962045f1e1
---
 whitechapel_pro/modem_svc_sit.te | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 606cd520..5a703c9e 100644
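Review bot: `hal_vibrator_default default_android_service service_manager b/360057889` records a lookup of a service that has no service_contexts label; mapping it keeps scanBugreport green, but the actual fix is a `service_contexts` entry for the service the vibrator HAL resolves plus the matching `allow hal_vibrator_default <type>:service_manager find`, and the tracked bug should say so. PATCH 11 and PATCH 12 in this series carry the same message and bug numbers as this patch but no diff at all, so they appear to be empty commits; confirm the mailbox export is not truncated.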
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -48,9 +48,4 @@ perfetto_producer(modem_svc_sit)
 # Allow modem_svc_sit to access modem image file/dir
 allow modem_svc_sit modem_img_file:dir r_dir_perms;
 allow modem_svc_sit modem_img_file:file r_file_perms;
-allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
-
-# Allow modem_svc_sit to access socket for UMI
-userdebug_or_eng(`
- allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink };
-')
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
From e8d359e8d486f656587d92f1270e2a55cf743503 Mon Sep 17 00:00:00 2001
From: Xiaofan Jiang
Date: Thu, 15 Aug 2024 19:25:28 +0000
Subject: [PATCH 14/14] Revert "Revert "gs201: update shared_modem_platform sepolicy for..."
Revert submission 28822848-revert-28762313-SAYUORWKVG
Reason for revert: issue identify and fix is ready
Reverted changes: /q/submissionid:28822848-revert-28762313-SAYUORWKVG
Change-Id: Iae3ca282426fca573b4c42355e1b46eaa74d3c58
---
 whitechapel_pro/modem_svc_sit.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 5a703c9e..606cd520 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -48,4 +48,9 @@ perfetto_producer(modem_svc_sit)
 # Allow modem_svc_sit to access modem image file/dir
 allow modem_svc_sit modem_img_file:dir r_dir_perms;
 allow modem_svc_sit modem_img_file:file r_file_perms;
-allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
+
+# Allow modem_svc_sit to access socket for UMI
+userdebug_or_eng(`
+ allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink };
+')
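Review bot: This re-land is byte-identical to the change PATCH 13 reverted (same `index 5a703c9e..606cd520` blobs), so the fix for b/360059249 that "issue identify and fix is ready" refers to must live outside this repository; the commit message should name where it landed, otherwise a reader of this policy cannot tell why the revert no longer applies. The policy itself is unchanged from the first landing: the UMI socket is still created as a plain `radio_vendor_data_file` sock_file under `userdebug_or_eng`, so a dedicated socket type with a `type_transition` remains the right follow-up before any of this reaches user builds.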