From 3aeae9b99ff19887ab2e6af7f1b18b06110aa682 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Wed, 25 Sep 2024 12:04:07 +0800
Subject: [PATCH 01/22] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 369475655
Flag: EXEMPT NDK
Change-Id: Ic8d895b33d24e998faa00b128cad4bc4fd1e14bf
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index aa33000f..3d966019 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ insmod-sh insmod-sh key b/336451874
 kernel dm_device blk_file b/319403445
 kernel kernel capability b/336451113
 kernel tmpfs chr_file b/321731318
+ramdump ramdump capability b/369475655
 rfsd vendor_cbd_prop file b/317734397
 shell sysfs_net file b/329380891
 ssr_detector_app default_prop file b/359428005

From eb84e9c0a4c750031b76705d5034f44f3cd407af Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 25 Sep 2024 12:40:35 +0000
Subject: [PATCH 02/22] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 369540701
Flag: EXEMPT NDK
Change-Id: Ib5edeaac550562b6bbb5ec35bfce1d6838245c6b
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 3d966019..bb50b3a8 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ insmod-sh insmod-sh key b/336451874
 kernel dm_device blk_file b/319403445
 kernel kernel capability b/336451113
 kernel tmpfs chr_file b/321731318
+pixelstats_vendor block_device dir b/369540701
 ramdump ramdump capability b/369475655
 rfsd vendor_cbd_prop file b/317734397
 shell sysfs_net file b/329380891

From 315cc63557dfd4367f8aed06858531b21b9ee073 Mon Sep 17 00:00:00 2001
From: samou
Date: Fri, 4 Oct 2024 14:31:21 +0000
Subject: [PATCH 03/22] sepolicy: allow dumpstate to execute dump_power

10-04 19:36:47.308 7141 7141 I android.hardwar: type=1400 audit(0.0:6974): avc: denied { execute_no_trans } for path="/vendor/bin/dump/dump_power" dev="overlay" ino=91 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1
10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6975): avc: denied { read } for name="acpm_stats" dev="sysfs" ino=29227 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6976): avc: denied { open } for path="/sys/devices/platform/acpm_stats" dev="sysfs" ino=29227 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6977): avc: denied { search } for name="acpm_stats" dev="sysfs" ino=29227 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6978): avc: denied { read } for name="core_stats" dev="sysfs" ino=57472 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6979): avc: denied { open } for path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=57472 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6980): avc: denied { getattr } for path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=57472 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-04 19:36:47.336 7141 7141 I dump_power: type=1400 audit(0.0:6981): avc: denied { read } for name="time_in_state" dev="sysfs" ino=50604 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_cpu:s0 tclass=file permissive=1
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:25): avc: denied { read } for name="version" dev="sysfs" ino=62887 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:26): avc: denied { read } for name="version" dev="sysfs" ino=62887 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:27): avc: denied { read } for name="status" dev="sysfs" ino=62888 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:28): avc: denied { read } for name="status" dev="sysfs" ino=62888 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:29): avc: denied { read } for name="fw_rev" dev="sysfs" ino=62915 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:30): avc: denied { read } for name="fw_rev" dev="sysfs" ino=62915 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0
10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:29): avc: denied { search } for name="battery" dev="sysfs" ino=63428 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:30): avc: denied { search } for name="10d50000.hsi2c" dev="sysfs" ino=21301 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:31): avc: denied { search } for name="power_supply" dev="sysfs" ino=79013 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:32): avc: denied { search } for name="power_supply" dev="sysfs" ino=79013 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:33): avc: denied { search } for name="10d50000.hsi2c" dev="sysfs" ino=21301 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18792): avc: denied { search } for name="battery" dev="sysfs" ino=63428 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18793): avc: denied { read } for name="uevent" dev="sysfs" ino=63429 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18794): avc: denied { open } for path="/sys/devices/platform/google,battery/power_supply/battery/uevent" dev="sysfs" ino=63429 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18795): avc: denied { getattr } for path="/sys/devices/platform/google,battery/power_supply/battery/uevent" dev="sysfs" ino=63429 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18796): avc: denied { search } for name="8-003c" dev="sysfs" ino=55942 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1
10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18797): avc: denied { read } for name="maxfg" dev="sysfs" ino=62568 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18798): avc: denied { read } for name="logbuffer_tcpm" dev="tmpfs" ino=1285 scontext=u:r:dump_power:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=1
10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18799): avc: denied { open } for path="/dev/logbuffer_tcpm" dev="tmpfs" ino=1285 scontext=u:r:dump_power:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=1
10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6191): avc: denied { search } for name="mitigation" dev="dm-50" ino=3758 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=dir permissive=1
10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6192): avc: denied { read } for name="thismeal.txt" dev="dm-50" ino=28765 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6193): avc: denied { open } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-50" ino=28765 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6194): avc: denied { getattr } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-50" ino=28765 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6195): avc: denied { search } for name="mitigation" dev="sysfs" ino=85222 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=dir permissive=1
10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6196): avc: denied { read } for name="last_triggered_count" dev="sysfs" ino=85275 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=dir permissive=1
10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6197): avc: denied { open } for path="/sys/devices/virtual/pmic/mitigation/last_triggered_count" dev="sysfs" ino=85275 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=dir permissive=1
10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6198): avc: denied { read } for name="batoilo_count" dev="sysfs" ino=85287 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=file permissive=1
10-04 23:49:14.616 6976 6976 I dump_power: type=1400 audit(0.0:875): avc: denied { read } for name="thismeal.txt" dev="dm-57" ino=15028 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 23:49:14.616 6976 6976 I dump_power: type=1400 audit(0.0:876): avc: denied { open } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-57" ino=15028 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-04 23:49:14.616 6976 6976 I dump_power: type=1400 audit(0.0:877): avc: denied { getattr } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-57" ino=15028 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1
10-05 00:00:44.540 7085 7085 I dump_power: type=1400 audit(0.0:878): avc: denied { read } for name="acpm_stats" dev="sysfs" ino=25439 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-05 00:00:44.540 7085 7085 I dump_power: type=1400 audit(0.0:879): avc: denied { open } for path="/sys/devices/platform/acpm_stats" dev="sysfs" ino=25439 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-05 00:00:44.540 7085 7085 I dump_power: type=1400 audit(0.0:880): avc: denied { search } for name="acpm_stats" dev="sysfs" ino=25439 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1
10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:881): avc: denied { read } for name="core_stats" dev="sysfs" ino=53039 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:882): avc: denied { open } for path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=53039 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:883): avc: denied { getattr } for path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=53039 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1
10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:884): avc: denied { read } for name="time_in_state" dev="sysfs" ino=45585 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_cpu:s0 tclass=file permissive=1
10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:885): avc: denied { open } for path="/sys/devices/platform/cpupm/cpupm/time_in_state" dev="sysfs" ino=45585 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_cpu:s0 tclass=file permissive=1

Flag: EXEMPT refactor
Bug: 364989823
Change-Id: Ie4637b1295975c716f50333ad6635b9694a624b8
Signed-off-by: samou
---
 whitechapel_pro/dump_power.te | 15 +++++++++++++++
 whitechapel_pro/file_contexts | 1 +
 2 files changed, 16 insertions(+)
 create mode 100644 whitechapel_pro/dump_power.te

diff --git a/whitechapel_pro/dump_power.te b/whitechapel_pro/dump_power.te
new file mode 100644
index 00000000..d745b20d
--- /dev/null
+++ b/whitechapel_pro/dump_power.te
@@ -0,0 +1,15 @@
+# Allow dumpstate to execute dump_power
+pixel_bugreport(dump_power);
+
+allow dump_power sysfs_acpm_stats:dir r_dir_perms;
+allow dump_power sysfs_acpm_stats:file r_file_perms;
+allow dump_power sysfs_cpu:file r_file_perms;
+allow dump_power sysfs_wlc:file r_file_perms;
+allow dump_power sysfs_wlc:dir search;
+allow dump_power sysfs_batteryinfo:dir r_dir_perms;
+allow dump_power sysfs_batteryinfo:file r_file_perms;
+allow dump_power logbuffer_device:chr_file r_file_perms;
+allow dump_power mitigation_vendor_data_file:dir r_dir_perms;
+allow dump_power mitigation_vendor_data_file:file r_file_perms;
+allow dump_power sysfs_bcl:dir r_dir_perms;
+allow dump_power sysfs_bcl:file r_file_perms;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 9dc374fd..dc8e89b4 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -15,6 +15,7 @@
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+/vendor/bin/dump/dump_power u:object_r:dump_power_exec:s0
 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0

From ce5420fdf4b9ea4cb42b82f2bb5c133d21bb92e7 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Wed, 9 Oct 2024 13:05:12 +0800
Subject: [PATCH 04/22] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 372360090
Bug: 372359823
Bug: 372360278
Flag: EXEMPT NDK
Change-Id: I9d195d35cc58503fc7c17a8fac5fabe66026c24b
---
 tracking_denials/bug_map | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index bb50b3a8..404c8f0f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
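Review bot: `allow dump_power logbuffer_device:chr_file r_file_perms;` grants read on every node carrying the logbuffer_device label, while the only logged denial is for /dev/logbuffer_tcpm, and the rule is unconditional rather than under userdebug_or_eng; a comment such as `# dump_power reads the /dev/logbuffer_* nodes (tcpm observed) for the power section of the bugreport` would make that breadth deliberate rather than incidental. The same applies to `allow dump_power sysfs_batteryinfo:file r_file_perms;`, where the denials show only the uevent file under power_supply/battery. A one-line comment above `pixel_bugreport(dump_power);` naming what the macro sets up (presumably the dumpstate-to-dump_power transition and the baseline bugreport permissions, but that is not visible here) would spare the next reader a trip to the shared Pixel policy. The file_contexts hunk on the same line matches the execute_no_trans denial on /vendor/bin/dump/dump_power.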
@@ -2,7 +2,10 @@ dump_display sysfs file b/350831939
 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726277
 dumpstate unlabeled file b/350832009
+hal_camera_default cgroup_desc_file file b/372360090
 hal_face_default traced_producer_socket sock_file b/305600808
+hal_graphics_composer_default cgroup_desc_file file b/372359823
+hal_power_default cgroup_desc_file file b/372360278
 hal_power_default hal_power_default capability b/237492146
 hal_sensors_default sysfs file b/336451433
 hal_vibrator_default default_android_service service_manager b/360057889

From f906b69f95df284e1b261241c429e530f4340180 Mon Sep 17 00:00:00 2001
From: Eileen Lai
Date: Thu, 3 Oct 2024 05:37:41 +0000
Subject: [PATCH 05/22] modem_svc: use shared_modem_platform to replace all modem_svc_sit

Bug: 368257019
Flag: NONE local testing only
Change-Id: Icc258ce297b5e7ea51fa60aa2ffb09ce99b7ef18
---
 whitechapel_pro/file_contexts | 2 +-
 whitechapel_pro/modem_svc_sit.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index dc8e89b4..77fe8ccc 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -5,7 +5,7 @@
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
-/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 606cd520..d93789d7 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -1,3 +1,4 @@
+# Selinux rule for modem_svc_sit daemon
 type modem_svc_sit, domain;
 type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(modem_svc_sit)
@@ -37,6 +38,9 @@ get_prop(modem_svc_sit, hwservicemanager_prop)
 # logging property
 get_prop(modem_svc_sit, vendor_logger_prop)
 
+# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
+hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
+
 userdebug_or_eng(`
 allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')

From 588e82af38f5141b4e5a18fcf36ba4740dae8de4 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Tue, 15 Oct 2024 10:14:23 -0700
Subject: [PATCH 06/22] convert-to-ext4-sh.te: use su domain instead

07af2808d5285376958664823fb1d2a5c9576958 (b/239632964) added security policy support for /system_ext/bin/convert_to_ext4.sh. This shell script converts f2fs filesystems into ext4 filesystems on debuggable builds (userdebug or eng) only. Ever since 2022, the security policy for this shell script has been in permissive mode, meaning no SELinux rules were being enforced.
# convert-to-ext4-sh.te
permissive convert-to-ext4-sh;
In the intervening 2 years, there has been no attempt to move this domain into enforcing mode. And by now, this script has likely served its purpose, by converting f2fs /persist filesystems on engineering builds to ext4, and is probably no longer needed. This change eliminates the use of the unenforced convert-to-ext4-sh security domain, preferring instead to use the "su" security domain. Like convert-to-ext4-sh, the su security domain enforces no rules on debuggable builds, and is equivalent to traditional root on desktop Linux systems, or running /system/xbin/su. This change eliminates unnecessary technical complexity, and unblocks other hardening changes, such as WIP commit https://android-review.googlesource.com/c/platform/system/sepolicy/+/3308856 Moving from one permissive domain ("convert-to-ext4-sh") to another permissive domain ("su") should be a no-op from a security and functionality perspective.

Test: compiles and builds, passes treehugger.
Bug: 239632964
Change-Id: Ifd628310a923926d1a57b568c7703cb857f0871b
---
 whitechapel_pro/convert-to-ext4-sh.te | 34 ---------------------------
 whitechapel_pro/file.te | 3 +++
 whitechapel_pro/init.te | 11 +++++++++
 3 files changed, 14 insertions(+), 34 deletions(-)
 delete mode 100644 whitechapel_pro/convert-to-ext4-sh.te

diff --git a/whitechapel_pro/convert-to-ext4-sh.te b/whitechapel_pro/convert-to-ext4-sh.te
deleted file mode 100644
index d64382df..00000000
--- a/whitechapel_pro/convert-to-ext4-sh.te
+++ /dev/null
@@ -1,34 +0,0 @@
-type convert-to-ext4-sh, domain, coredomain;
-type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- permissive convert-to-ext4-sh;
-
- init_daemon_domain(convert-to-ext4-sh)
-
- allow convert-to-ext4-sh block_device:dir search;
- allow convert-to-ext4-sh e2fs_exec:file rx_file_perms;
- allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms;
- allow convert-to-ext4-sh kernel:process setsched;
- allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms;
- allow convert-to-ext4-sh persist_block_device:blk_file { getattr ioctl open read write };
- allow convert-to-ext4-sh shell_exec:file rx_file_perms;
- allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search };
- allow convert-to-ext4-sh sysfs_fs_ext4_features:file read;
- allow convert-to-ext4-sh tmpfs:dir { add_name create mounton open };
- allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr };
- allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink };
- allow convert-to-ext4-sh toolbox_exec:file rx_file_perms;
- allow convert-to-ext4-sh vendor_persist_type:dir { rw_file_perms search };
- allow convert-to-ext4-sh vendor_persist_type:file rw_file_perms;
-
- allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl {
- BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD
- };
-
- dontaudit convert-to-ext4-sh labeledfs:filesystem { mount unmount };
- dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio };
- dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr };
- dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr };
- dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };
-')
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index e528d458..929ea63c 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -93,3 +93,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
+
+# /system_ext/bin/convert_to_ext4.sh
+type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te
index 3175db8c..a9d3ac0e 100644
--- a/whitechapel_pro/init.te
+++ b/whitechapel_pro/init.te
@@ -19,3 +19,14 @@ allow init sysfs_scsi_devices_0000:file w_file_perms;
 # Workaround for b/193113005 that modem_img unlabeled after disable-verity
 dontaudit init overlayfs_file:file rename;
 dontaudit init overlayfs_file:chr_file unlink;
+
+# /system_ext/bin/convert_to_ext4.sh is a script to convert an f2fs
+# filesystem into an ext4 filesystem. This script is executed on
+# debuggable devices only. As it is a one-shot script which
+# has run in permissive mode since 2022, we transition to the
+# su domain to avoid unnecessarily polluting security policy
+# with rules which are never enforced.
+# This script was added in b/239632964
+userdebug_or_eng(`
+ domain_auto_trans(init, convert-to-ext4-sh_exec, su)
+')

From 5000f8a8f9ce6de7dc5c7ff6de023fd151fce5c3 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Wed, 16 Oct 2024 11:58:28 +0800
Subject: [PATCH 07/22] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Flag: EXEMPT NDK
Bug: 373755350
Change-Id: I3b317eb87c60d150a6cd76a5218808146de5cccd
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 404c8f0f..bdafcad7 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
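Review bot: The header comment added in the first hunk, `# Selinux rule for modem_svc_sit daemon`, names a binary that the file_contexts hunk of this same patch just relabelled from /vendor/bin/modem_svc_sit to /vendor/bin/shared_modem_platform, so a reader will search for a daemon that no longer exists under that name; `# SELinux policy for the shared_modem_platform daemon (domain name modem_svc_sit unchanged)` would tie the two hunks together. In the second hunk, `hal_server_domain(modem_svc_sit, hal_shared_modem_platform)` relies on the hal_shared_modem_platform attribute (and the server attribute the macro expands to) being declared elsewhere, and the message ("local testing only") gives no pointer to where; naming that location in the comment would help whoever has to debug a missing-attribute build error. The enclosing userdebug_or_eng block below the insertion continues past the hunk.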
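Review bot: `type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;` in the file.te hunk is declared on every build, while its only use, `domain_auto_trans(init, convert-to-ext4-sh_exec, su)` in the init.te hunk, is wrapped in userdebug_or_eng, so user builds carry a label with no transition; presumably that is so the file_contexts entry for /system_ext/bin/convert_to_ext4.sh still resolves, but neither comment says so. A line above the type such as `# declared on all builds so the file_contexts label resolves; the su transition in init.te is userdebug_or_eng only` would make the asymmetry intentional and keep someone from "fixing" it later. It would also help to state in the init.te comment what happens on a user build if init's rc still invokes the script, since that outcome is determined by platform init rules not visible here.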
@@ -7,6 +7,7 @@ hal_face_default traced_producer_socket sock_file b/305600808
 hal_graphics_composer_default cgroup_desc_file file b/372359823
 hal_power_default cgroup_desc_file file b/372360278
 hal_power_default hal_power_default capability b/237492146
+hal_sensors_default property_socket sock_file b/373755350
 hal_sensors_default sysfs file b/336451433
 hal_vibrator_default default_android_service service_manager b/360057889
 incidentd debugfs_wakeup_sources file b/282626428

From 6497d42557d1976089bf4334bc447426bea225d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?=
Date: Tue, 15 Oct 2024 06:22:24 +0000
Subject: [PATCH 08/22] Revert "Update SELinux error"

This reverts commit ce5420fdf4b9ea4cb42b82f2bb5c133d21bb92e7.

Reason for revert: Caused by b/372347927, relevant CL was reverted

Change-Id: Ifa42eb30ad3baa1b9f4b94c191bdce4901f9a135
Fix: 372360090
---
 tracking_denials/bug_map | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index bdafcad7..9572df7a 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -2,10 +2,7 @@ dump_display sysfs file b/350831939
 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726277
 dumpstate unlabeled file b/350832009
-hal_camera_default cgroup_desc_file file b/372360090
 hal_face_default traced_producer_socket sock_file b/305600808
-hal_graphics_composer_default cgroup_desc_file file b/372359823
-hal_power_default cgroup_desc_file file b/372360278
 hal_power_default hal_power_default capability b/237492146
 hal_sensors_default property_socket sock_file b/373755350
 hal_sensors_default sysfs file b/336451433

From 1b64d05d93b7f28a1fd56b19b7e5d09d0c9f1916 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Tue, 1 Oct 2024 14:46:50 +1000
Subject: [PATCH 09/22] Remove duplicate service entries

These entries are defined in the platform policy.

Flag: EXEMPT bugfix
Bug: 367832910
Test: TH
Change-Id: I9e06b0c95330afa22da324e3669121d4477baa2f
---
 whitechapel_pro/service_contexts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
index 0158b562..e3ae0e74 100644
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
@@ -4,5 +4,3 @@ hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_ve
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
 rlsservice u:object_r:rls_service:s0
 
-
-android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0

From 491a1ccb19c07da4e7596ff3131ed5f023b7571e Mon Sep 17 00:00:00 2001
From: Spade Lee
Date: Fri, 1 Nov 2024 15:13:29 +0000
Subject: [PATCH 10/22] sepolicy: allow dump_power to read debugfs

11-01 11:59:42.836 11781 11781 W dump_power: type=1400 audit(0.0:46): avc: denied { search } for name="usb" dev="debugfs" ino=2059 scontext=u:r:dump_power:s0 tcontext=u:object_r:vendor_usb_debugfs:s0 tclass=dir permissive=0
11-01 11:59:42.844 11781 11781 W dump_power: type=1400 audit(0.0:47): avc: denied { search } for name="google_battery" dev="debugfs" ino=18509 scontext=u:r:dump_power:s0 tcontext=u:object_r:vendor_battery_debugfs:s0 tclass=dir permissive=0
11-01 11:59:42.844 11781 11781 W dump_power: type=1400 audit(0.0:48): avc: denied { read } for name="maxfg" dev="debugfs" ino=16428 scontext=u:r:dump_power:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0
11-01 11:59:42.844 11781 11781 W dump_power: type=1400 audit(0.0:49): avc: denied { read } for name="/" dev="debugfs" ino=1 scontext=u:r:dump_power:s0 tcontext=u:object_r:debugfs:s0 tclass=dir permissive=0
11-01 11:59:42.844 11781 11781 W dump_power: type=1400 audit(0.0:50): avc: denied { read } for name="/" dev="debugfs" ino=1 scontext=u:r:dump_power:s0 tcontext=u:object_r:debugfs:s0 tclass=dir permissive=0
11-01 11:59:42.844 11781 11781 W dump_power: type=1400 audit(0.0:51): avc: denied { read } for name="/" dev="debugfs" ino=1 scontext=u:r:dump_power:s0 tcontext=u:object_r:debugfs:s0 tclass=dir permissive=0

Bug: 376080915
Test: adb bugreport without audit
Flag: EXEMPT bugfix
Change-Id: Ib0a81269edf683428720e6e380f7d7959d71decf
Signed-off-by: Spade Lee
---
 whitechapel_pro/dump_power.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/whitechapel_pro/dump_power.te b/whitechapel_pro/dump_power.te
index d745b20d..cf7c14ed 100644
--- a/whitechapel_pro/dump_power.te
+++ b/whitechapel_pro/dump_power.te
@@ -13,3 +13,12 @@ allow dump_power mitigation_vendor_data_file:dir r_dir_perms;
 allow dump_power mitigation_vendor_data_file:file r_file_perms;
 allow dump_power sysfs_bcl:dir r_dir_perms;
 allow dump_power sysfs_bcl:file r_file_perms;
+
+userdebug_or_eng(`
+ r_dir_file(dump_power, vendor_battery_debugfs)
+ r_dir_file(dump_power, vendor_maxfg_debugfs)
+ r_dir_file(dump_power, vendor_charger_debugfs)
+ r_dir_file(dump_power, vendor_votable_debugfs)
+ allow dump_power debugfs:dir r_dir_perms;
+ allow dump_power vendor_usb_debugfs:dir { search };
+')

From d2f8dde307cc4b5478ba89a6559291571b8c8aec Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Thu, 7 Nov 2024 14:36:44 +0800
Subject: [PATCH 11/22] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 377811773
Flag: EXEMPT NDK
Bug: 377781394
Change-Id: I6e2361b6b3500773a5cd8e5c98905a3f50513472
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 9572df7a..e41de3b4 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -14,6 +14,8 @@ kernel dm_device blk_file b/319403445
 kernel kernel capability b/336451113
 kernel tmpfs chr_file b/321731318
 pixelstats_vendor block_device dir b/369540701
+platform_app vendor_fw_file dir b/377811773
+platform_app vendor_rild_prop file b/377811773
 ramdump ramdump capability b/369475655
 rfsd vendor_cbd_prop file b/317734397
 shell sysfs_net file b/329380891

From 8b6e65478125ed2d2c742e0e49a0ed7fc30eb8cb Mon Sep 17 00:00:00 2001
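Review bot: `r_dir_file(dump_power, vendor_charger_debugfs)` and `r_dir_file(dump_power, vendor_votable_debugfs)` are not backed by any of the six denials quoted in the commit message, which name only vendor_usb_debugfs, vendor_battery_debugfs, vendor_maxfg_debugfs and the debugfs root; the block is userdebug_or_eng-only so the exposure is bounded, but either the message or a comment should say which dump step needs those two types, or they should wait for a denial that shows them. `allow dump_power debugfs:dir r_dir_perms;` likewise widens a bare read denial on the debugfs root to the full r_dir_perms set, which is reasonable for a bugreport helper but deserves a why-comment, e.g. `# listing the debugfs root is needed to locate the per-driver directories`. Keeping all debugfs access inside userdebug_or_eng while the sysfs rules above stay unconditional is the right split and worth stating at the top of the block.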
From: Spade Lee Date: Thu, 7 Nov 2024 17:30:16 +0000 Subject: [PATCH 12/22] sepolicy: allow dump_power to read battery_history_device avc: denied { open } for path="/dev/maxfg_history" dev="tmpfs" ino=1235 scontext=u:r:dump_power:s0 tcontext=u:object_r:battery_history_device:s0 tclass=chr_file permissive=0 avc: denied { read } for name="maxfg_history" dev="tmpfs" ino=1250 scontext=u:r:dump_power:s0 tcontext=u:object_r:battery_history_device:s0 tclass=chr_file permissive=0 Bug: 377895720 Flag: EXEMPT bugfix Test: /dev/maxfg_history correctly dumped Change-Id: I766f8a21468370e69a7c11b028b2326434ad2380 Signed-off-by: Spade Lee --- whitechapel_pro/dump_power.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/dump_power.te b/whitechapel_pro/dump_power.te index cf7c14ed..66115230 100644 --- a/whitechapel_pro/dump_power.te +++ b/whitechapel_pro/dump_power.te @@ -13,6 +13,7 @@ allow dump_power mitigation_vendor_data_file:dir r_dir_perms; allow dump_power mitigation_vendor_data_file:file r_file_perms; allow dump_power sysfs_bcl:dir r_dir_perms; allow dump_power sysfs_bcl:file r_file_perms; +allow dump_power battery_history_device:chr_file r_file_perms; userdebug_or_eng(` r_dir_file(dump_power, vendor_battery_debugfs) From 4f115380154ec5941f6e0b0839f5394f02fe51a5 Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 15 Nov 2024 11:44:27 +0800 Subject: [PATCH 13/22] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379206608 Bug: 379206941 Flag: EXEMPT NDK Change-Id: Ib636252a3a8eb38a56099b4e6ea14a5a4e341b4d --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e41de3b4..4d058538 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -9,6 +9,7 @@ hal_sensors_default sysfs file b/336451433 hal_vibrator_default default_android_service service_manager b/360057889 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +init init capability b/379206608 insmod-sh insmod-sh key b/336451874 kernel dm_device blk_file b/319403445 kernel kernel capability b/336451113 @@ -32,3 +33,4 @@ vendor_init default_prop file b/329381126 vendor_init default_prop property_service b/315104803 vendor_init default_prop property_service b/359427666 vendor_init default_prop property_service b/359428317 +zygote zygote capability b/379206941 From edc0829d7531650cb357ac1f5b0059fb397c24fa Mon Sep 17 00:00:00 2001 From: Nina Chen Date: Fri, 15 Nov 2024 18:30:06 +0800 Subject: [PATCH 14/22] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 379246129 Bug: 379245515 Bug: 379245738 Flag: EXEMPT NDK Change-Id: I20793d45a89b56ecea82f425f90800d66eacfb42 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 4d058538..12246ff3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,4 @@ +bluetooth audio_config_prop file b/379245738 dump_display sysfs file b/350831939 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277 dump_modem sscoredump_vendor_data_logcat_file dir b/361726277 
@@ -17,12 +18,14 @@ kernel tmpfs chr_file b/321731318
 pixelstats_vendor block_device dir b/369540701
 platform_app vendor_fw_file dir b/377811773
 platform_app vendor_rild_prop file b/377811773
+priv_app audio_config_prop file b/379246129
 ramdump ramdump capability b/369475655
 rfsd vendor_cbd_prop file b/317734397
 shell sysfs_net file b/329380891
 ssr_detector_app default_prop file b/359428005
 surfaceflinger selinuxfs file b/315104594
 system_server vendor_default_prop file b/366116786
+untrusted_app audio_config_prop file b/379245515
 vendor_init debugfs_trace_marker file b/336451787
 vendor_init default_prop file b/315104479
 vendor_init default_prop file b/315104803
From cde7e1417d982876f4035bcc41983fe5789e20cb Mon Sep 17 00:00:00 2001
From: Boon Jun
Date: Mon, 11 Nov 2024 06:59:05 +0000
Subject: [PATCH 15/22] Update ldaf sensor device filename

LDAF sensor device filename changed after kernel upgrade from v5.10 to v6.1 in some of our in-market devices. We need to update the device filename to access the LDAF with this new kernel version.

Bug: 378045567
Test: Open camera, and observe available LDAF sensor in logs
Flag: EXEMPT bugfix
Change-Id: I92313633fc31928ae4f3485c7e49cdd257e1c7bc
---
 whitechapel_pro/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 77fe8ccc..1b200b21 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -82,7 +82,7 @@
 /dev/janeiro u:object_r:edgetpu_device:s0
 /dev/bigocean u:object_r:video_device:s0
 /dev/goodix_fp u:object_r:fingerprint_device:s0
-/dev/stmvl53l1_ranging u:object_r:rls_device:s0
+/dev/ispolin_ranging u:object_r:rls_device:s0
 /dev/watchdog0 u:object_r:watchdog_device:s0
 /dev/mali0 u:object_r:gpu_device:s0
 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
From 1b9fcdf1af9bd13965f16e78eaf5f9cd1807e3d1 Mon Sep 17 00:00:00 2001
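Review bot: The file_contexts hunk replaces `/dev/stmvl53l1_ranging u:object_r:rls_device:s0` with `/dev/ispolin_ranging u:object_r:rls_device:s0` instead of adding the new entry next to the old one, yet the commit message says only "some of our in-market devices" moved to the v6.1 kernel. On any build that still creates the old node it now falls back to the generic /dev label, and the camera loses the LDAF sensor without a denial that points at this line. If both kernels are served from this policy tree, keep both lines; if the old node is gone everywhere, the commit message should say so.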
From: Eileen Lai
Date: Wed, 20 Nov 2024 08:20:38 +0000
Subject: [PATCH 16/22] modem_svc: move shared_modem_platform related sepolicy to gs-common

Bug: 372400955
Change-Id: Ibcdc907b7fe4e8efcbd3217700b4c62873cd124d
Flag: NONE local testing only
---
 gs201-sepolicy.mk | 2 +-
 whitechapel_pro/file_contexts | 1 -
 whitechapel_pro/modem_svc_sit.te | 3 ---
 3 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
index 2c5da1fc..645ca751 100644
--- a/gs201-sepolicy.mk
+++ b/gs201-sepolicy.mk
@@ -1,5 +1,5 @@
 # sepolicy that are shared among devices using whitechapel
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
 
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 1b200b21..0d5a2fb1 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -5,7 +5,6 @@
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
-/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index d93789d7..0097a46a 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -38,9 +38,6 @@ get_prop(modem_svc_sit, hwservicemanager_prop)
 # logging property
 get_prop(modem_svc_sit, vendor_logger_prop)
 
-# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
-hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
-
 userdebug_or_eng(`
 allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')
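Review bot: The switch from `BOARD_SEPOLICY_DIRS` to `BOARD_VENDOR_SEPOLICY_DIRS` for whitechapel_pro is not explained by the commit message, which only talks about moving modem_svc policy, and the line just below keeps tracking_denials in `BOARD_SEPOLICY_DIRS`, so the makefile now mixes both variables with no comment saying why. A one-line comment above the changed line stating why whitechapel_pro belongs in the vendor split while tracking_denials does not would stop the next reader from "fixing" the inconsistency. The file_contexts and modem_svc_sit.te hunks in the same patch drop the `modem_svc_sit_exec` label for `/vendor/bin/shared_modem_platform` and `hal_server_domain(modem_svc_sit, hal_shared_modem_platform)` on the assumption that gs-common now provides them; nothing in this series shows that counterpart, and if it is absent the binary runs under the generic `vendor_file` label and never transitions into modem_svc_sit. This patch is reverted as PATCH 17 and re-landed byte-for-byte as PATCH 22 with the same message, so the re-land should at least say what was found for b/380274930.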
From 2c027c6288a86512da9cec6f5a7c2c7f3d8385d4 Mon Sep 17 00:00:00 2001
From: "Liana Kazanova (xWF)"
Date: Thu, 21 Nov 2024 17:53:56 +0000
Subject: [PATCH 17/22] Revert "modem_svc: move shared_modem_platform related sepolicy t..."

Revert submission 30519089-move_modem_sepolicy

Reason for revert: DroidMonitor: Potential culprit for http://b/380274930 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.

Reverted changes: /q/submissionid:30519089-move_modem_sepolicy

Change-Id: I90d720b8bf396f3785c00e9cfa67f55a62a020b2
---
 gs201-sepolicy.mk | 2 +-
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/modem_svc_sit.te | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
index 645ca751..2c5da1fc 100644
--- a/gs201-sepolicy.mk
+++ b/gs201-sepolicy.mk
@@ -1,5 +1,5 @@
 # sepolicy that are shared among devices using whitechapel
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
 
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 0d5a2fb1..1b200b21 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -5,6 +5,7 @@
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
+/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 0097a46a..d93789d7 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -38,6 +38,9 @@ get_prop(modem_svc_sit, hwservicemanager_prop)
 # logging property
 get_prop(modem_svc_sit, vendor_logger_prop)
 
+# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
+hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
+
 userdebug_or_eng(`
 allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')
From 0c22beaf9c90a6c0417f96a67ec16686039ab91d Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Thu, 28 Nov 2024 10:57:12 +0800
Subject: [PATCH 18/22] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 381326452
Flag: EXEMPT sepolicy
Change-Id: I02cc7a8054c274c7d487c42366270b815b7a759f
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 12246ff3..6982f87c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,4 @@
+aconfigd apex_info_file file b/381326452
 bluetooth audio_config_prop file b/379245738
 dump_display sysfs file b/350831939
 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277
From 8059774fe77c46e20e6c8d672ac0801ee9c678c1 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Thu, 5 Dec 2024 10:50:05 +0800
Subject: [PATCH 19/22] Update SELinux error

Flag: EXEMPT sepolicy
Test: SELinuxUncheckedDenialBootTest
Bug: 382362323
Bug: 360057889
Change-Id: Ic2a2c36368039b4d95ddb9b58b630267c33660a1
---
 tracking_denials/bluetooth.te | 2 ++
 tracking_denials/bug_map | 1 -
 tracking_denials/hal_vibrator_default.te | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 tracking_denials/bluetooth.te
 create mode 100644 tracking_denials/hal_vibrator_default.te

diff --git a/tracking_denials/bluetooth.te b/tracking_denials/bluetooth.te
new file mode 100644
index 00000000..0b18dd9e
--- /dev/null
+++ b/tracking_denials/bluetooth.te
@@ -0,0 +1,2 @@
+# b/382362323
+dontaudit bluetooth default_android_service:service_manager { find };
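Review bot: `dontaudit bluetooth default_android_service:service_manager { find };` in the new bluetooth.te silences the denial rather than tracking it, and `default_android_service` is the catch-all label for every service with no specific service_contexts entry, so the rule also hides any future lookup by bluetooth of some other unlabeled service. The same applies to `dontaudit hal_vibrator_default default_android_service:service_manager { find };` in the hal_vibrator_default.te hunk that follows. Prefer giving the service the domain actually looks up its own label so the denial can become a precise allow (or a precise dontaudit), and keep the `# b/...` comment so the rule is removed when the bug closes.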
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 6982f87c..0d6c70f9 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -8,7 +8,6 @@ hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
 hal_sensors_default property_socket sock_file b/373755350
 hal_sensors_default sysfs file b/336451433
-hal_vibrator_default default_android_service service_manager b/360057889
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
 init init capability b/379206608
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
new file mode 100644
index 00000000..87fc4f03
--- /dev/null
+++ b/tracking_denials/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+# b/360057889
+dontaudit hal_vibrator_default default_android_service:service_manager { find };
From a3d0621213aa2b3e02534981e81e6ced548f43e1 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Fri, 6 Dec 2024 03:47:25 +0000
Subject: [PATCH 20/22] Allow tachyon service to make binder calls to GCA

This permission is needed for tachyon service to call callbacks.
AVC Error seen when tachyon tries accessing GCA:
12-02 11:40:03.212 6987 6987 W com.google.edge: type=1400 audit(0.0:17): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:google_camera_app:s0:c145,c256,c512,c768 tclass=binder permissive=0
12-03 07:12:26.424 4166 4166 W com.google.edge: type=1400 audit(0.0:254): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:debug_camera_app:s0:c67,c257,c512,c768 tclass=binder permissive=0

Bug: 381787911
Flag: EXEMPT updates device sepolicy only
Change-Id: I0913bafb24f02de9090e2d02011287e4deab0d4f
---
 whitechapel_pro/debug_camera_app.te | 4 ++++
 whitechapel_pro/google_camera_app.te | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
index 427a7735..9d7bcd87 100644
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
@@ -1,3 +1,4 @@
+# File containing sepolicies for GCA-Eng & GCA-Next.
 userdebug_or_eng(`
 # Allows camera app to access the GXP device and properties.
 allow debug_camera_app gxp_device:chr_file rw_file_perms;
@@ -9,4 +10,7 @@ userdebug_or_eng(`
 # Allows GCA-Eng to find and access the EdgeTPU.
 allow debug_camera_app edgetpu_app_service:service_manager find;
 allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows tachyon_service to communicate with GCA-Eng via binder.
+binder_call(edgetpu_tachyon_server, debug_camera_app);
 ')
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index 0ef04cc4..a40f433f 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -8,3 +8,6 @@ allow google_camera_app vendor_fw_file:dir search;
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows tachyon service to communicate with google_camera_app via binder.
+binder_call(edgetpu_tachyon_server, google_camera_app);
From 438a3edc88d43fe177a2ad2122e634ca13b4f350 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Mon, 9 Dec 2024 11:40:41 +0800
Subject: [PATCH 21/22] Update SELinux error

copy bug_map entry from gs201

Test: SELinuxUncheckedDenialBootTest
Bug: 383013727
Flag: EXEMPT sepolicy
Change-Id: I78e6c558e24cc0c444143510470151ebb3c258af
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 0d6c70f9..9246974a 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
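Review bot: `binder_call(edgetpu_tachyon_server, debug_camera_app);` and `binder_call(edgetpu_tachyon_server, google_camera_app);` grant permissions to edgetpu_tachyon_server, the calling domain in the quoted denials (`scontext=u:r:edgetpu_tachyon_server:s0`), but they live in the camera apps' .te files, so anyone auditing what the tachyon server may reach will not find them there. Either move the rules to the server's .te file or leave a pointer comment there, and make the existing comments say the direction explicitly, e.g. `# edgetpu_tachyon_server calls back into GCA (server-to-app binder call).`. Keeping the debug_camera_app rule inside the `userdebug_or_eng` block while the google_camera_app rule is unconditional is consistent with how each file is already structured and looks intentional.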
@@ -4,6 +4,7 @@ dump_display sysfs file b/350831939
 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726277
 dumpstate unlabeled file b/350832009
+hal_camera_default aconfig_storage_metadata_file dir b/383013727
 hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
 hal_sensors_default property_socket sock_file b/373755350
From d1f806c78b9e0d29918533958af8c04b4715193c Mon Sep 17 00:00:00 2001
From: Eileen Lai
Date: Sun, 8 Dec 2024 06:52:24 +0000
Subject: [PATCH 22/22] modem_svc: move shared_modem_platform related sepolicy to gs-common

Bug: 372400955
Change-Id: I3e19432ab7cf6b18b277a877d1cdbc9ebf687af9
Flag: NONE local testing only
---
 gs201-sepolicy.mk | 2 +-
 whitechapel_pro/file_contexts | 1 -
 whitechapel_pro/modem_svc_sit.te | 3 ---
 3 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
index 2c5da1fc..645ca751 100644
--- a/gs201-sepolicy.mk
+++ b/gs201-sepolicy.mk
@@ -1,5 +1,5 @@
 # sepolicy that are shared among devices using whitechapel
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
 
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 1b200b21..0d5a2fb1 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -5,7 +5,6 @@
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
-/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index d93789d7..0097a46a 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -38,9 +38,6 @@ get_prop(modem_svc_sit, hwservicemanager_prop)
 # logging property
 get_prop(modem_svc_sit, vendor_logger_prop)
 
-# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
-hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
-
 userdebug_or_eng(`
 allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')