Evolution-X-Tensor/device_google_gs201
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Android 15.0.0 Release 20 (BP1A.250305.019)

Browse source 
-----BEGIN PGP SIGNATURE-----
 
 iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZ8eo7QAKCRDorT+BmrEO
 eN4GAJ4zBTRmknJtiHTlKaXFFCxh6RaE0QCfVZMelWDtp9SyAoTrojuN1flREII=
 =d0db
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgPpdpjxPACTIhnlvYz0GM4BR7FJ
 +rYv3jMbfxNKD3JvcAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQNxmO/S26+jdPwxFLrSja++YIz1gQ4cw91J1RkN6PLIHlkKO/NDOnwjLZ5GsotRtiN
 T7BuuJw+LlTK/yei9/Egk=
 -----END SSH SIGNATURE-----

Merge tag 'android-15.0.0_r20' into staging/lineage-22.2_merge-android-15.0.0_r20

Android 15.0.0 Release 20 (BP1A.250305.019)

# -----BEGIN PGP SIGNATURE-----
#
# iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZ8eo7QAKCRDorT+BmrEO
# eN4GAJ4zBTRmknJtiHTlKaXFFCxh6RaE0QCfVZMelWDtp9SyAoTrojuN1flREII=
# =d0db
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed Mar  5 03:29:17 2025 EET
# gpg:                using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [ultimate]

# By Nina Chen (9) and others
# Via Android Build Coastguard Worker (22) and others
* tag 'android-15.0.0_r20': (22 commits)
  modem_svc: move shared_modem_platform related sepolicy to gs-common
  Update SELinux error
  Allow tachyon service to make binder calls to GCA
  Update SELinux error
  Update SELinux error
  Revert "modem_svc: move shared_modem_platform related sepolicy t..."
  modem_svc: move shared_modem_platform related sepolicy to gs-common
  Update ldaf sensor device filename
  Update SELinux error
  Update SELinux error
  sepolicy: allow dump_power to read battery_history_device
  Update SELinux error
  sepolicy: allow dump_power to read debugfs
  Remove duplicate service entries
  Revert "Update SELinux error"
  Update SELinux error
  convert-to-ext4-sh.te: use su domain instead
  modem_svc: use shared_modem_platform to replace all modem_svc_sit
  Update SELinux error
  sepolicy: allow dumpstate to execute dump_power
  ...

 Conflicts:
	sepolicy/gs201-sepolicy.mk

Change-Id: Ie0faabb66c73c2e4da10f9f8f0a65fa49e68a7dc
This commit is contained in:
Michael Bestas 2025-03-09 11:06:21 +02:00
commit a770b611a1
13 changed files with 50 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

2
sepolicy/gs201-sepolicy.mk
View file

@ -8,7 +8,7 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/input
BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/googlebattery
# sepolicy that are shared among devices using whitechapel
BOARD_SEPOLICY_DIRS += device/google/gs201/sepolicy/whitechapel_pro
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs201/sepolicy/whitechapel_pro
# unresolved SELinux error log with bug tracking
BOARD_SEPOLICY_DIRS += device/google/gs201/sepolicy/tracking_denials

2
sepolicy/tracking_denials/bluetooth.te Normal file
View file

@ -0,0 +1,2 @@
# b/382362323
dontaudit bluetooth default_android_service:service_manager { find };

13
sepolicy/tracking_denials/bug_map
View file

@ -1,22 +1,32 @@
aconfigd apex_info_file file b/381326452
bluetooth audio_config_prop file b/379245738
dump_display sysfs file b/350831939
dump_modem sscoredump_vendor_data_coredump_file dir b/361726277
dump_modem sscoredump_vendor_data_logcat_file dir b/361726277
dumpstate unlabeled file b/350832009
hal_camera_default aconfig_storage_metadata_file dir b/383013727
hal_face_default traced_producer_socket sock_file b/305600808
hal_power_default hal_power_default capability b/237492146
hal_sensors_default property_socket sock_file b/373755350
hal_sensors_default sysfs file b/336451433
hal_vibrator_default default_android_service service_manager b/360057889
incidentd debugfs_wakeup_sources file b/282626428
incidentd incidentd anon_inode b/282626428
init init capability b/379206608
insmod-sh insmod-sh key b/336451874
kernel dm_device blk_file b/319403445
kernel kernel capability b/336451113
kernel tmpfs chr_file b/321731318
pixelstats_vendor block_device dir b/369540701
platform_app vendor_fw_file dir b/377811773
platform_app vendor_rild_prop file b/377811773
priv_app audio_config_prop file b/379246129
ramdump ramdump capability b/369475655
rfsd vendor_cbd_prop file b/317734397
shell sysfs_net file b/329380891
ssr_detector_app default_prop file b/359428005
surfaceflinger selinuxfs file b/315104594
system_server vendor_default_prop file b/366116786
untrusted_app audio_config_prop file b/379245515
vendor_init debugfs_trace_marker file b/336451787
vendor_init default_prop file b/315104479
vendor_init default_prop file b/315104803
@ -27,3 +37,4 @@ vendor_init default_prop file b/329381126
vendor_init default_prop property_service b/315104803
vendor_init default_prop property_service b/359427666
vendor_init default_prop property_service b/359428317
zygote zygote capability b/379206941

2
sepolicy/tracking_denials/hal_vibrator_default.te Normal file
View file

@ -0,0 +1,2 @@
# b/360057889
dontaudit hal_vibrator_default default_android_service:service_manager { find };

34
sepolicy/whitechapel_pro/convert-to-ext4-sh.te
View file

@ -1,34 +0,0 @@
type convert-to-ext4-sh, domain, coredomain;
type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
permissive convert-to-ext4-sh;
init_daemon_domain(convert-to-ext4-sh)
allow convert-to-ext4-sh block_device:dir search;
allow convert-to-ext4-sh e2fs_exec:file rx_file_perms;
allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms;
allow convert-to-ext4-sh kernel:process setsched;
allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms;
allow convert-to-ext4-sh persist_block_device:blk_file { getattr ioctl open read write };
allow convert-to-ext4-sh shell_exec:file rx_file_perms;
allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search };
allow convert-to-ext4-sh sysfs_fs_ext4_features:file read;
allow convert-to-ext4-sh tmpfs:dir { add_name create mounton open };
allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr };
allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink };
allow convert-to-ext4-sh toolbox_exec:file rx_file_perms;
allow convert-to-ext4-sh vendor_persist_type:dir { rw_file_perms search };
allow convert-to-ext4-sh vendor_persist_type:file rw_file_perms;
allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl {
BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD
};
dontaudit convert-to-ext4-sh labeledfs:filesystem { mount unmount };
dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio };
dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr };
dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr };
dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };
')

4
sepolicy/whitechapel_pro/debug_camera_app.te
View file

@ -1,3 +1,4 @@
# File containing sepolicies for GCA-Eng & GCA-Next.
userdebug_or_eng(`
# Allows camera app to access the GXP device and properties.
allow debug_camera_app gxp_device:chr_file rw_file_perms;
@ -9,4 +10,7 @@ userdebug_or_eng(`
# Allows GCA-Eng to find and access the EdgeTPU.
allow debug_camera_app edgetpu_app_service:service_manager find;
allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
# Allows tachyon_service to communicate with GCA-Eng via binder.
binder_call(edgetpu_tachyon_server, debug_camera_app);
')

10
sepolicy/whitechapel_pro/dump_power.te
View file

@ -13,3 +13,13 @@ allow dump_power mitigation_vendor_data_file:dir r_dir_perms;
allow dump_power mitigation_vendor_data_file:file r_file_perms;
allow dump_power sysfs_bcl:dir r_dir_perms;
allow dump_power sysfs_bcl:file r_file_perms;
allow dump_power battery_history_device:chr_file r_file_perms;
userdebug_or_eng(`
r_dir_file(dump_power, vendor_battery_debugfs)
r_dir_file(dump_power, vendor_maxfg_debugfs)
r_dir_file(dump_power, vendor_charger_debugfs)
r_dir_file(dump_power, vendor_votable_debugfs)
allow dump_power debugfs:dir r_dir_perms;
allow dump_power vendor_usb_debugfs:dir { search };
')

3
sepolicy/whitechapel_pro/file.te
View file

@ -93,3 +93,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
# WLC
type sysfs_wlc, sysfs_type, fs_type;
# /system_ext/bin/convert_to_ext4.sh
type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;

3
sepolicy/whitechapel_pro/file_contexts
View file

@ -5,7 +5,6 @@
/vendor/bin/vcd u:object_r:vcd_exec:s0
/vendor/bin/chre u:object_r:chre_exec:s0
/vendor/bin/cbd u:object_r:cbd_exec:s0
/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
/vendor/bin/rfsd u:object_r:rfsd_exec:s0
/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
/vendor/bin/storageproxyd u:object_r:tee_exec:s0
@ -83,7 +82,7 @@
/dev/janeiro u:object_r:edgetpu_device:s0
/dev/bigocean u:object_r:video_device:s0
/dev/goodix_fp u:object_r:fingerprint_device:s0
/dev/stmvl53l1_ranging u:object_r:rls_device:s0
/dev/ispolin_ranging u:object_r:rls_device:s0
/dev/watchdog0 u:object_r:watchdog_device:s0
/dev/mali0 u:object_r:gpu_device:s0
/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0

3
sepolicy/whitechapel_pro/google_camera_app.te
View file

@ -8,3 +8,6 @@ allow google_camera_app vendor_fw_file:dir search;
# Allows GCA to find and access the EdgeTPU.
allow google_camera_app edgetpu_app_service:service_manager find;
allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
# Allows tachyon service to communicate with google_camera_app via binder.
binder_call(edgetpu_tachyon_server, google_camera_app);

11
sepolicy/whitechapel_pro/init.te
View file

@ -19,3 +19,14 @@ allow init sysfs_scsi_devices_0000:file w_file_perms;
# Workaround for b/193113005 that modem_img unlabeled after disable-verity
dontaudit init overlayfs_file:file rename;
dontaudit init overlayfs_file:chr_file unlink;
# /system_ext/bin/convert_to_ext4.sh is a script to convert an f2fs
# filesystem into an ext4 filesystem. This script is executed on
# debuggable devices only. As it is a one-shot script which
# has run in permissive mode since 2022, we transition to the
# su domain to avoid unnecessarily polluting security policy
# with rules which are never enforced.
# This script was added in b/239632964
userdebug_or_eng(`
domain_auto_trans(init, convert-to-ext4-sh_exec, su)
')

1
sepolicy/whitechapel_pro/modem_svc_sit.te
View file

@ -1,3 +1,4 @@
# Selinux rule for modem_svc_sit daemon
type modem_svc_sit, domain;
type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(modem_svc_sit)

2
sepolicy/whitechapel_pro/service_contexts
View file

@ -4,5 +4,3 @@ hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_ve
vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
rlsservice u:object_r:rls_service:s0
android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0