From aeb9bd0406de5d986faed8e60c6a5efb7061c3d9 Mon Sep 17 00:00:00 2001 From: eddielan Date: Fri, 6 May 2022 11:05:38 +0800 Subject: [PATCH 01/31] sepolicy: Add SW35 HIDL factory service into sepolicy Bug: 231549391 Test: Build Pass Change-Id: If5c1bc5ddf6a1fa753ac65b6b4c5983775f2f704 --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/fingerprint_factory_service.te | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 whitechapel_pro/fingerprint_factory_service.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 6858daaa..9dc48c15 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -39,6 +39,7 @@ /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/whitechapel_pro/fingerprint_factory_service.te b/whitechapel_pro/fingerprint_factory_service.te new file mode 100644 index 00000000..86ab35cc --- /dev/null +++ b/whitechapel_pro/fingerprint_factory_service.te @@ -0,0 +1,3 @@ +type fingerprint_factory_service, service_manager_type; +type fingerprint_factory_service_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(fingerprint_factory_service) From 7f89d68af245bafa5803632eb0da2ad0e38f33a3 Mon Sep 17 00:00:00 2001 From: Asad Abbas Ali Date: Thu, 5 May 2022 20:20:53 +0000 Subject: [PATCH 02/31] Allow chre to communicate with fwk_stats_service. Bug: 230788686 Test: Logged atoms using CHRE + log atom extension. Change-Id: I45a207996a28bbe61bbfd4288eaf28e2257cdf52 --- whitechapel_pro/chre.te | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te index 319f17dd..6d826217 100644 
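Review bot: `type fingerprint_factory_service, service_manager_type;` in the new fingerprint_factory_service.te declares the process domain with the attribute used for binder service names rather than with `domain`, so `init_daemon_domain(fingerprint_factory_service)` would transition init into a type that carries none of the base domain rules. The declaration should read `type fingerprint_factory_service, domain;` and, if this HIDL process registers a fingerprint hwservice, presumably also `hal_server_domain(fingerprint_factory_service, hal_fingerprint)` — confirm against the service's manifest. The file_contexts hunk above labels a binary carrying the standard fingerprint HAL name `android.hardware.biometrics.fingerprint@2.1-service.fpc` with this factory domain; a comment on that line stating that the label is intended only for the factory image would help the next reader.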
--- a/whitechapel_pro/chre.te +++ b/whitechapel_pro/chre.te @@ -17,4 +17,8 @@ usf_low_latency_transport(chre) # Allow CHRE to talk to the WiFi HAL allow chre hal_wifi_ext:binder { call transfer }; -allow chre hal_wifi_ext_hwservice:hwservice_manager find; \ No newline at end of file +allow chre hal_wifi_ext_hwservice:hwservice_manager find; + +# Allow CHRE host to talk to stats service +allow chre fwk_stats_service:service_manager find; +binder_call(chre, stats_service_server) From 2ddc8ee33315d26848cf0a5446bef533e35420ae Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim Date: Mon, 23 May 2022 16:39:21 -0700 Subject: [PATCH 03/31] Allow sysfs_devices_block to f2fs-tools The fsck.f2fs checks the sysfs entries of block devices to get disk information. Note that, the block device entries are device-specific. 1. fsck.f2fs avc: denied { search } for comm="fsck.f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="fsck.f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda7/partition" dev="sysfs" ino=60672 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 2. mkfs.f2fs avc: denied { search } for comm="make_f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="make_f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda8/partition" dev="sysfs" ino=61046 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 Bug: 233835698 Bug: 172377740 Signed-off-by: Jaegeuk Kim Change-Id: I409feec84565f965baa96b06a5b08bcfc1a8db02 --- whitechapel_pro/e2fs.te | 2 ++ whitechapel_pro/fsck.te | 2 ++ 2 files changed, 4 insertions(+) diff --git a/whitechapel_pro/e2fs.te b/whitechapel_pro/e2fs.te index a6664594..3e72adfb 100644 
--- a/whitechapel_pro/e2fs.te +++ b/whitechapel_pro/e2fs.te @@ -4,3 +4,5 @@ allow e2fs modem_userdata_block_device:blk_file rw_file_perms; allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET }; +allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms; +allow e2fs sysfs_scsi_devices_0000:file r_file_perms; diff --git a/whitechapel_pro/fsck.te b/whitechapel_pro/fsck.te index d29555b3..cb9470d0 100644 --- a/whitechapel_pro/fsck.te +++ b/whitechapel_pro/fsck.te @@ -1,3 +1,5 @@ allow fsck persist_block_device:blk_file rw_file_perms; allow fsck efs_block_device:blk_file rw_file_perms; allow fsck modem_userdata_block_device:blk_file rw_file_perms; +allow fsck sysfs_scsi_devices_0000:dir r_dir_perms; +allow fsck sysfs_scsi_devices_0000:file r_file_perms; From 73f69714752c5bfec6cb26546e95f8289779d2c5 Mon Sep 17 00:00:00 2001 From: yixuanjiang Date: Mon, 17 Jan 2022 20:20:50 +0800 Subject: [PATCH 04/31] aoc: add audio property for audio CCA module Bug: 213545113 Test: local test Signed-off-by: yixuanjiang Change-Id: Ic58d944d30d0367a7c3afdf5f1bb1f696c8edda9 --- aoc/property_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/aoc/property_contexts b/aoc/property_contexts index d5028300..e957de69 100644 --- a/aoc/property_contexts +++ b/aoc/property_contexts @@ -9,3 +9,5 @@ vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0 vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0 vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 +vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0 +vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0 From 2ee67a6bf30fae8ef76be26e9456abb7c1d1da6a Mon Sep 17 00:00:00 2001 
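Review bot: The two added rules grant `r_dir_perms` and `r_file_perms` on `sysfs_scsi_devices_0000`, while the denials quoted in the description show only `search` on the directory and `getattr` on the `partition` file; the same applies to the fsck.te hunk that follows. Because the denials were collected with permissive=0 only the first failure is logged, so `read`/`open` on the file are probably needed as well, but the directory rule could be narrowed to `allow e2fs sysfs_scsi_devices_0000:dir search;` if the f2fs tools never enumerate the device tree. A comment naming the reason, e.g. `# f2fs tools read block device info from the UFS sysfs tree (b/233835698)`, would keep the grant tied to its purpose.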
From: Jack Wu Date: Mon, 13 Jun 2022 19:14:44 +0800 Subject: [PATCH 05/31] sepolicy: allows pixelstat to access pca file nodes Bug: 235050913 Test: no Permission denied while accessing the file node Signed-off-by: Jack Wu Change-Id: I7de0a374e1c98f4e9bbf36e39cb0131b0e9ffebc --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 7 +++++++ whitechapel_pro/pixelstats_vendor.te | 3 +++ 3 files changed, 11 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 98a8d28f..ea0caf2a 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -54,6 +54,7 @@ type sysfs_odpm, sysfs_type, fs_type; type sysfs_soc, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; type sysfs_write_leds, sysfs_type, fs_type; +type sysfs_pca, sysfs_type, fs_type; # debugfs type debugfs_f2fs, debugfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 797344af..87cd5c61 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -217,6 +217,13 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 # Extcon genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index d16acc0b..068e7fb8 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -19,3 +19,6 @@ allow pixelstats_vendor battery_history_device:chr_file r_file_perms; # storage smart idle maintenance get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop); + +# Pca charge +allow pixelstats_vendor sysfs_pca:file rw_file_perms; From a48fe668fe01e4864622f89329d75440449c4135 Mon Sep 17 00:00:00 2001 From: Carter Hsu Date: Thu, 21 Apr 2022 08:51:50 +0800 Subject: [PATCH 06/31] audio: allow Audio HAL to write the audio vendor property Bug: 206065000 Test: use test build to check the property 
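Review bot: `allow pixelstats_vendor sysfs_pca:file rw_file_perms;` grants write access to the seven `chg_stats` sysfs nodes labelled in the genfs_contexts hunk above, although the description only speaks of a stats collector accessing the nodes. If pixelstats only reads the counters, `r_file_perms` is sufficient; if it clears them after reading, a comment such as `# Pca charge stats: read, then reset by writing` would record why write is needed. The genfscon entries cover bus i2c-2 through i2c-8 individually, which is the only form genfs_contexts supports, but a comment noting that the bus number varies per board would explain the repetition.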
Signed-off-by: Carter Hsu Change-Id: I0007459fcfd3a4718af9af00de9f54d125627dd2 --- aoc/hal_audio_default.te | 2 +- whitechapel_pro/vendor_init.te | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te index 0755cba1..aa462bf3 100644 --- a/aoc/hal_audio_default.te +++ b/aoc/hal_audio_default.te @@ -21,7 +21,7 @@ allow hal_audio_default sysfs_pixelstats:file rw_file_perms; #allow access to DMABUF Heaps for AAudio API allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; -get_prop(hal_audio_default, vendor_audio_prop); +set_prop(hal_audio_default, vendor_audio_prop); hal_client_domain(hal_audio_default, hal_health); hal_client_domain(hal_audio_default, hal_thermal); diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index b6741954..25b38beb 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -11,6 +11,7 @@ set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, logpersistd_logging_prop) set_prop(vendor_init, vendor_logger_prop) +set_prop(vendor_init, vendor_audio_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file w_file_perms; From da328e0a0fea6f2ad2cfacfd572a72e97d2c22da Mon Sep 17 00:00:00 2001 From: xiaofanj Date: Tue, 7 Jun 2022 03:06:13 +0000 Subject: [PATCH 07/31] modem_svc_sit: create oem test iodev - Create radio_test_device for oem_test iodev. - Grant modem_svc_sit to access radio_test_device. Bug: 231380480 Signed-off-by: Xiaofan Jiang Change-Id: Id06deedadf04c70b57e405a05533ed85764bdd1d Merged-In: Id06deedadf04c70b57e405a05533ed85764bdd1d --- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/modem_svc_sit.te | 4 ++++ 3 files changed, 6 insertions(+) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 6b81f2a1..952a1675 100644 --- a/whitechapel_pro/device.te 
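Review bot: Replacing `get_prop` with `set_prop` on `vendor_audio_prop` lets hal_audio_default write every property in that context, including `vendor.audiodump.output.dir` and the other `vendor.audiodump.*` entries labelled in aoc/property_contexts, not only the one the description refers to. If the HAL needs to set a single property, declaring a dedicated context for it (for example a `vendor_audio_hal_prop`, a constructed name, in property.te and property_contexts) and keeping `get_prop` for the rest is the least-privilege form. The vendor_init.te hunk below would then grant `set_prop` on the new context instead; at minimum a comment naming which property the HAL writes should accompany the changed line.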
+++ b/whitechapel_pro/device.te @@ -18,6 +18,7 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_heap_device, dmabuf_heap_device_type, dev_type; type battery_history_device, dev_type; +type radio_test_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 79bb698f..a7aba25f 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -149,6 +149,7 @@ /dev/st33spi u:object_r:st33spi_device:s0 /dev/ttyGS[0-3] u:object_r:serial_device:s0 /dev/oem_ipc[0-7] u:object_r:radio_device:s0 +/dev/oem_test u:object_r:radio_test_device:s0 /dev/umts_boot0 u:object_r:radio_device:s0 /dev/umts_ipc0 u:object_r:radio_device:s0 /dev/umts_ipc1 u:object_r:radio_device:s0 diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te index d3e79c93..9954f493 100644 --- a/whitechapel_pro/modem_svc_sit.te +++ b/whitechapel_pro/modem_svc_sit.te @@ -24,3 +24,7 @@ get_prop(modem_svc_sit, vendor_rild_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +userdebug_or_eng(` + allow modem_svc_sit radio_test_device:chr_file rw_file_perms; +') From a1b5481877b4a4ed19da6d1f260ccd56141a022b Mon Sep 17 00:00:00 2001 From: matthuang Date: Sun, 8 May 2022 23:35:03 +0800 Subject: [PATCH 08/31] Add acd-com.google.usf.non_wake_up file to AoC file context. Bug: 195077076 Test: ls -lZ dev/acd-com.google.usf.non_wake_up Change-Id: Ib97da81a01f566c7bd600512bb01fda27f34b217 --- aoc/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/aoc/file_contexts b/aoc/file_contexts index 71fb097b..93052d2e 100644 --- a/aoc/file_contexts +++ b/aoc/file_contexts 
@@ -14,6 +14,7 @@ /dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 /dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 /dev/acd-com.google.usf u:object_r:aoc_device:s0 +/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 /dev/acd-logging u:object_r:aoc_device:s0 /dev/aoc u:object_r:aoc_device:s0 /dev/amcs u:object_r:amcs_device:s0 From c2ed52536e9b9ccbbbf62d1c5fec8dffb3268d97 Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Sat, 25 Jun 2022 00:10:22 +0800 Subject: [PATCH 09/31] Add logbuffer file_contexts Bug: 237082721 Signed-off-by: Kyle Tso Change-Id: Ieaf04f7381db1febe5a3899a727b6a49726bf10b --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index a7aba25f..be4f5506 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -90,6 +90,7 @@ /dev/watchdog0 u:object_r:watchdog_device:s0 /dev/mali0 u:object_r:gpu_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 +/dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0 /dev/logbuffer_ttf u:object_r:logbuffer_device:s0 From dfc95d07741b42d92a4c06565d829d592aeb8be0 Mon Sep 17 00:00:00 2001 From: Robin Peng Date: Mon, 18 Jul 2022 12:47:38 +0800 Subject: [PATCH 10/31] init-insmod-sh: fix avc error avc: denied { set } for property=vendor.all.modules.ready pid=1238 uid=0 gid=0 scontext=u:r:init-insmod-sh:s0 tcontext=u:object_r:vendor_ready_prop:s0 tclass=property_service permissive=0 Bug: 238853979 Signed-off-by: Robin Peng Change-Id: Ic8d7af3c1d73f3079e126b66b38d728fe4d70ea4 --- whitechapel_pro/init-insmod-sh.te | 1 + whitechapel_pro/vendor_init.te | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te index ca98618c..1e56c094 100644 --- a/whitechapel_pro/init-insmod-sh.te 
+++ b/whitechapel_pro/init-insmod-sh.te @@ -10,6 +10,7 @@ allow init-insmod-sh self:capability sys_nice; allow init-insmod-sh kernel:process setsched; set_prop(init-insmod-sh, vendor_device_prop) +set_prop(init-insmod-sh, vendor_ready_prop) dontaudit init-insmod-sh proc_cmdline:file r_file_perms; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 25b38beb..97c0f381 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -3,7 +3,6 @@ allow vendor_init bootdevice_sysdev:file create_file_perms; set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_carrier_prop) set_prop(vendor_init, vendor_cbd_prop) -set_prop(vendor_init, vendor_ready_prop) get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) From 1c7154c453bb8ced0908f047dd7dfda9c4520247 Mon Sep 17 00:00:00 2001 From: matthuang Date: Mon, 18 Jul 2022 14:44:06 +0800 Subject: [PATCH 11/31] Add security context for com.google.usf.non_wake_up/wakeup. Bug: 195077076 Test: Confirm there is no avc denied log. Change-Id: I86c787d59203464fc3b8b2b94b4883cbd07196b0 --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 0c2cd112..70252d16 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
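Review bot: Dropping `set_prop(vendor_init, vendor_ready_prop)` from vendor_init.te assumes no vendor init .rc still sets `vendor.all.modules.ready` from init itself; if one does, this hunk will trade the quoted init-insmod-sh denial for a vendor_init one, so it is worth verifying before merging. The bug_map line `init-insmod-sh vendor_ready_prop property_service b/239364360`, visible as context in the later tracking_denials/bug_map hunk, appears to track the same denial and becomes stale once `set_prop(init-insmod-sh, vendor_ready_prop)` lands. A short comment above the new rule, `# insmod.sh signals module load completion via vendor.all.modules.ready`, would tie the grant to the property it covers.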
@@ -343,6 +343,7 @@ genfscon sysfs /devices/platform/11210000.usb/wakeup genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 From c50018a543df55e1d4104ed1f53051fe74b1004e Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Thu, 21 Jul 2022 21:17:41 +0800 Subject: [PATCH 12/31] Update SELinux error Bug: 238398889 Test: no avc denied in TreeHugger verified Signed-off-by: Jack Wu Change-Id: Ia18714461cb9f30fe110917489adddee98de194f --- tracking_denials/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 38fcbb6d..605f1fa6 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,3 +1,5 @@ +# b/238398889 +dontaudit kernel vendor_charger_debugfs:dir { search }; # b/213817227 dontaudit kernel vendor_battery_debugfs:dir { search }; # b/220801802 From d4e0af01054737a0972a758af4aa4e95819b57b9 Mon Sep 17 00:00:00 2001 From: Bruce Po Date: Fri, 29 Jul 2022 23:24:01 +0000 Subject: [PATCH 13/31] Allow aocd to access acd-offload nodes For 3-ch hotword feature, aocd daemon will access two new file nodes (b/235648212), which will be used for transmitting audio to/from AOC. BUG: 240744178 Change-Id: I67b6d6b539f1e436eacfd80d0e1299e1d63b4a1d --- aoc/file_contexts | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/aoc/file_contexts b/aoc/file_contexts index 93052d2e..fcdeca47 100644 --- a/aoc/file_contexts +++ b/aoc/file_contexts @@ -17,6 +17,8 @@ /dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 /dev/acd-logging u:object_r:aoc_device:s0 /dev/aoc u:object_r:aoc_device:s0 +/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0 +/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0 /dev/amcs u:object_r:amcs_device:s0 # AoC vendor binaries From 2e4daadb2ec323124f2efc50774a05ceaa6014b3 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 8 Aug 2022 10:11:18 +0800 Subject: [PATCH 14/31] Update error on ROM 8892407 Bug: 241714943 Bug: 241714944 Bug: 240297563 Test: SELinuxUncheckedDenialBootTest Change-Id: I0aab196ab21ec411540b7a033578a1670e83187a Merged-In: I38e6cc9da23c72aed05e79346a3a6c8188fc8556 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3bc07df7..fcebf544 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -11,3 +11,5 @@ init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 shell sysfs_wlc dir b/238260741 +hal_contexthub_default fwk_stats_service service_manager b/241714943 +shell sscoredump_vendor_data_crashinfo_file dir b/241714944 From 5ef0888e04f7eaeeb9210b611081df3915212fa9 Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Wed, 27 Jul 2022 16:05:31 +0800 Subject: [PATCH 15/31] sepolicy: fix odpm avc denials Fix permissions for ODPM by adding additional bus path Bug: 240380970 Test: Build Change-Id: I7bf02ce016f2cdbf4b45f1a797896a00fb8aa454 --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 70252d16..c01c1b55 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
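Review bot: The new entry `hal_contexthub_default fwk_stats_service service_manager b/241714943` records a denial for the same `fwk_stats_service` find that the chre.te hunk earlier in this series allows for `chre`. If hal_contexthub_default legitimately logs atoms the same way, `allow hal_contexthub_default fwk_stats_service:service_manager find;` together with `binder_call(hal_contexthub_default, stats_service_server)` is the fix, since a bug_map line only annotates test output and the denial itself remains. If the access is not intended, a dontaudit under tracking_denials would stop it appearing in logs while the bug is open.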
@@ -109,6 +109,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 @@ -118,6 +119,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 From 27f55d7da7b7b29f1a96c092bf4ea5fb5cd458e6 Mon Sep 17 00:00:00 2001 
From: Konstantin Vyshetsky Date: Mon, 8 Aug 2022 17:20:04 -0700 Subject: [PATCH 16/31] convert_to_ext4.sh: suppress test error Add exclusion to fix issue with SELinuxUncheckedDenialBootTest Bug: 241072524 Signed-off-by: Konstantin Vyshetsky Change-Id: Id9088f728c34d3c764e1aef66a5e1a126f6243e9 --- whitechapel_pro/convert-to-ext4-sh.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/convert-to-ext4-sh.te b/whitechapel_pro/convert-to-ext4-sh.te index cbf633de..d64382df 100644 --- a/whitechapel_pro/convert-to-ext4-sh.te +++ b/whitechapel_pro/convert-to-ext4-sh.te @@ -30,4 +30,5 @@ userdebug_or_eng(` dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio }; dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr }; dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr }; + dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override }; ') From 4e4608185966c60b3b3b7e0b65e48e183e9ece52 Mon Sep 17 00:00:00 2001 From: Weizhung Ding Date: Fri, 22 Jul 2022 09:26:07 +0800 Subject: [PATCH 17/31] Add coredomain for hbmsvmanager Sync the coredomain from gs101 Bug: 239902607 Test: without denied log Change-Id: I220ce6b2f67877637189fcfcc0f6b328c8be6eae --- whitechapel_pro/hbmsvmanager_app.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te index 3ed4f823..b7058090 100644 --- a/whitechapel_pro/hbmsvmanager_app.te +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -1,4 +1,4 @@ -type hbmsvmanager_app, domain; +type hbmsvmanager_app, domain, coredomain; app_domain(hbmsvmanager_app); From 74eb33d057d47330daeb7e0d0d48ce90e81f8f7f Mon Sep 17 00:00:00 2001 
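Review bot: The added line names the domain explicitly as its own target, `dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };`, while the line two above uses `self:capability` for the same domain; `dontaudit convert-to-ext4-sh self:capability { dac_override };` is equivalent and keeps the block consistent. Silencing `dac_override` hides a capability the script does exercise on userdebug/eng, so a comment with the motivating test, `# b/241072524: SELinuxUncheckedDenialBootTest`, would make it easier to revisit. The enclosing `userdebug_or_eng(` block starts outside the hunk.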
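Review bot: Adding `coredomain` to `hbmsvmanager_app` commits this app to the framework side of the Treble boundary (coredomain types are subject to the neverallows that forbid executing vendor files and reaching vendor-only services outside a HAL interface), yet the type is declared under whitechapel_pro alongside vendor policy. That is presumably intentional since the description says it mirrors gs101, but a one-line comment, `# hbmsvmanager is a system-partition app; coredomain keeps it on the framework side of Treble`, would explain to the next reader why a vendor sepolicy directory declares a coredomain type.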
From: Roger Fang Date: Fri, 19 Aug 2022 15:58:25 +0800 Subject: [PATCH 18/31] sepolicy: add permission for AMS rate of pixelstats-vend pixelstats-vend: type=1400 audit(0.0:618): avc: denied { read } for name="ams_rate_read_once" dev="sysfs" ino=100493 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 pixelstats-vend: type=1400 audit(0.0:619): avc: denied { open } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" dev="sysfs" ino=100493 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 pixelstats-vend: type=1400 audit(0.0:620): avc: denied { getattr } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" Bug: 239508478 Test: Manually test passed Signed-off-by: Roger Fang Change-Id: I3e171b35ebdcf11b0da559361f382f1cf01b0f2f --- aoc/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts index 46773bb0..63216766 100644 --- a/aoc/genfs_contexts +++ b/aoc/genfs_contexts @@ -25,4 +25,5 @@ genfscon sysfs /devices/platform/audiometrics/speaker_temp u:ob genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0 From b69195ebe96f678b1babb14c231c14eb421debcb Mon Sep 17 00:00:00 2001 
From: Jinting Lin Date: Fri, 12 Aug 2022 07:56:30 +0000 Subject: [PATCH 19/31] Fix avc denied for vendor telephony debug app avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 pid=8533 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0 avc: denied { getattr } for path="/data/user/0/com.samsung.slsi.sysdebugmode" dev="dm-39" ino=7431 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 avc: denied { search } for name="com.samsung.slsi.sysdebugmode" dev="dm-39" ino=7431 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=150 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 avc: denied { getattr } for path="/data/user/0/com.samsung.slsi.sysdebugmode" dev="dm-39" ino=7431 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 avc: denied { read } for name="u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=344 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=0 avc: denied { write } for name="property_service" dev="tmpfs" ino=379 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 Test: manual test Bug: 241976048 Change-Id: I5aa49a8e243d212180c7da6f65da9021164fca44 --- whitechapel_pro/property.te | 2 ++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/rild.te | 1 + whitechapel_pro/vendor_telephony_debug_app.te | 16 
++++++++++++++++ 4 files changed, 22 insertions(+) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index bc898f47..ec7d84ed 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -34,3 +34,5 @@ system_vendor_config_prop(vendor_uwb_calibration_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) +# Telephony debug app +vendor_internal_prop(vendor_telephony_app_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index ce737004..98a7980a 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -103,3 +103,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop # for ims service persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0 + +# for vendor telephony debug app +vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0 diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index d8c8c290..88b88716 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -26,6 +26,7 @@ binder_call(rild, oemrilservice_app) binder_call(rild, hal_secure_element_uicc) binder_call(rild, grilservice_app) binder_call(rild, vendor_engineermode_app) +binder_call(rild, vendor_telephony_debug_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) diff --git a/whitechapel_pro/vendor_telephony_debug_app.te b/whitechapel_pro/vendor_telephony_debug_app.te index 946460cc..539fffce 100644 --- a/whitechapel_pro/vendor_telephony_debug_app.te +++ b/whitechapel_pro/vendor_telephony_debug_app.te 
@@ -2,3 +2,19 @@ type vendor_telephony_debug_app, domain; app_domain(vendor_telephony_debug_app) allow vendor_telephony_debug_app app_api_service:service_manager find; +allow vendor_telephony_debug_app hal_exynos_rild_hwservice:hwservice_manager find; + +binder_call(vendor_telephony_debug_app, rild) + +# RIL property +set_prop(vendor_telephony_debug_app, vendor_rild_prop) + +# Debug property +set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop) + +userdebug_or_eng(` +# System Debug Mode +dontaudit vendor_telephony_debug_app system_app_data_file:dir create_dir_perms; +dontaudit vendor_telephony_debug_app system_app_data_file:file create_file_perms; +dontaudit vendor_telephony_debug_app default_prop:file r_file_perms; +') From feba667c23016d719837423079ef6c1d99724fbe Mon Sep 17 00:00:00 2001 From: Robb Glasser Date: Thu, 18 Aug 2022 16:57:40 -0700 Subject: [PATCH 20/31] Give permissions to save usf stats and dump them in bugreports. Creating a mechanism to save some USF stat history to device and pipe it to bugreports. Granting permissions so that this can work. Bug: 242320914 Test: Stats save and are visible in a bugreport. Change-Id: Ie08fce80e79bd564ea58dab66ce8f0d9892d7020 --- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_dumpstate_default.te | 5 +++++ whitechapel_pro/hal_sensors_default.te | 6 ++++++ 4 files changed, 13 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index ea0caf2a..1ec9e095 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
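Review bot: `set_prop(vendor_telephony_debug_app, vendor_rild_prop)` is broader than the quoted denials justify: the vendor_rild_prop denial is a `read`, and the single `write` on `property_socket` does not identify which property the app tried to set. Unless the app is known to set RIL properties, `get_prop(vendor_telephony_debug_app, vendor_rild_prop)` covers the read and `set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop)` on the app's own `vendor.config.debug.` namespace covers the write; an app domain with set on `vendor_rild_prop` can presumably influence rild, which the other domains on this page only read. The `dontaudit ... system_app_data_file:dir create_dir_perms` and `:file create_file_perms` lines also silence far more than the `getattr`/`search` that was denied; `dontaudit vendor_telephony_debug_app system_app_data_file:dir { getattr search };` matches the logs and keeps unexpected writes visible.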
@@ -10,6 +10,7 @@ type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_camera_data_file, file_type, data_file_type;
 type vendor_media_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
+type sensor_debug_data_file, file_type, data_file_type;
 type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 78a43624..a78c7163 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -208,6 +208,7 @@
 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)? u:object_r:per_boot_file:s0
+/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0
 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
 /dev/battery_history u:object_r:battery_history_device:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index e819eb16..4676641f 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -6,6 +6,11 @@ allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
 allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
 allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
+userdebug_or_eng(`
+ allow hal_dumpstate_default sensor_debug_data_file:dir r_dir_perms;
+ allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms;
+')
+
 allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
 allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
index a645b502..bb3a9139 100644
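Review bot: The new `userdebug_or_eng` block in hal_dumpstate_default.te carries no comment, while the matching block added to hal_sensors_default.te in this same commit does; add `# Read USF stat history saved by hal_sensors_default (bugreport attachment, debug builds only).` above the first `allow`. The `sensor_debug_data_file` type and the `/data/vendor/sensors/debug(/.*)?` label are unconditional, which is fine since no rule touches them on user builds, but a note to that effect next to the type in file.te would save the next reader the cross-check.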
--- a/whitechapel_pro/hal_sensors_default.te
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -33,6 +33,12 @@ r_dir_file(hal_sensors_default, persist_camera_file)
 allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
 allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+userdebug_or_eng(`
+ # Allow creation and writing of sensor debug data files.
+ allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms;
+ allow hal_sensors_default sensor_debug_data_file:file create_file_perms;
+')
+
 # Allow access to the display info for ALS.
 allow hal_sensors_default sysfs_display:file rw_file_perms;
From c252f3ffa8e74b82025a1e9e0d8ac07e9920c146 Mon Sep 17 00:00:00 2001
From: Jack Wu
Date: Wed, 7 Sep 2022 11:57:09 +0800
Subject: [PATCH 21/31] remove selinux avc error
Bug: 238398889
Test: no avc denied in TreeHugger verified
Signed-off-by: Jack Wu
Change-Id: Icf2a89462574e2f0eea29d0601e77728d67e6e0d
---
 tracking_denials/kernel.te | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 605f1fa6..38fcbb6d 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -1,5 +1,3 @@
-# b/238398889
-dontaudit kernel vendor_charger_debugfs:dir { search };
 # b/213817227
 dontaudit kernel vendor_battery_debugfs:dir { search };
 # b/220801802
From 4b3ae5b9bf8a712072414fb92608d1cb30df146b Mon Sep 17 00:00:00 2001
From: JJ Lee
Date: Tue, 23 Aug 2022 20:58:47 +0800
Subject: [PATCH 22/31] sepolicy: add nodes for aoc memory votes stats
Bug: 223674292
Test: build pass, not blocking bugreport
Change-Id: Iae1c5dc42b3e6213d4399025cb91dc57822fd2cc
Signed-off-by: JJ Lee
---
 aoc/genfs_contexts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
index 63216766..abfc5a99 100644
--- a/aoc/genfs_contexts
+++ b/aoc/genfs_contexts
@@ -13,7 +13,8 @@ genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:ob
 genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
 # pixelstat_vendor
 genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
From a658683689c11c8da3a612abb644ad26c703b3b4 Mon Sep 17 00:00:00 2001
From: Jeffrey Carlyle
Date: Fri, 26 Aug 2022 10:10:30 -0700
Subject: [PATCH 23/31] dck: allow st54spi devivce to be accessed by recovery and fastbootd
This is needed so that Digital Car Keys can be cleared from the ST54 during a user data wipe.
Bug: 203234558
Test: data wipe in Android recovery mode on raven
Test: data wipe in Android recovery mode on c10
Test: data wipe in user mode fastbootd mode on raven
Test: data wipe in user mode fastbootd mode on c10
Signed-off-by: Jeffrey Carlyle
Change-Id: Icaa3d62aa6b3b88b8db6c1c11807907a06e51019
---
 whitechapel_pro/fastbootd.te | 1 +
 whitechapel_pro/recovery.te | 1 +
 2 files changed, 2 insertions(+)
diff --git a/whitechapel_pro/fastbootd.te b/whitechapel_pro/fastbootd.te
index 0d215a84..5945ef24 100644
--- a/whitechapel_pro/fastbootd.te
+++ b/whitechapel_pro/fastbootd.te
@@ -4,4 +4,5 @@ allow fastbootd devinfo_block_device:blk_file rw_file_perms;
 allow fastbootd sda_block_device:blk_file rw_file_perms;
 allow fastbootd sysfs_ota:file rw_file_perms;
 allow fastbootd citadel_device:chr_file rw_file_perms;
+allow fastbootd st54spi_device:chr_file rw_file_perms;
 ')
diff --git a/whitechapel_pro/recovery.te b/whitechapel_pro/recovery.te
index bfa3c7dc..a498af07 100644
--- a/whitechapel_pro/recovery.te
+++ b/whitechapel_pro/recovery.te
@@ -1,4 +1,5 @@
 recovery_only(`
 allow recovery sysfs_ota:file rw_file_perms;
 allow recovery citadel_device:chr_file rw_file_perms;
+ allow recovery st54spi_device:chr_file rw_file_perms;
 ')
From aa55cb6f2e9fe60660dd5734dd5797954a25a60a Mon Sep 17 00:00:00 2001
From: Chungjui Fan
Date: Thu, 8 Sep 2022 09:50:57 +0000
Subject: [PATCH 24/31] Add sepolicy of dumping LED file in dumpstate
Bug: 242300919
Change-Id: I14b0af18244c4a71fd7908fdb35e2e86354e02e0
---
 whitechapel_pro/file.te | 1 +
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/genfs_contexts | 4 ++++
 whitechapel_pro/hal_dumpstate_default.te | 7 +++++++
 4 files changed, 13 insertions(+)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 1ec9e095..d20b6f58 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -83,6 +83,7 @@ type persist_sensor_reg_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
 type persist_uwb_file, file_type, vendor_persist_type;
 type persist_display_file, file_type, vendor_persist_type;
+type persist_leds_file, file_type, vendor_persist_type;
 # CHRE
 type chre_socket, file_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index a78c7163..e5467e81 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
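Review bot: `rw_file_perms` on `st54spi_device:chr_file` includes `ioctl` with no xperm restriction, so recovery and fastbootd may issue any ioctl the ST54 SPI driver exposes rather than only what the key-clear path needs; if that path uses a fixed set of ioctls, narrow them with an `allowxperm` rule, otherwise a comment should say why the full set is required. Neither new rule has a comment; `# Digital Car Key clearing during data wipe (b/203234558)` above each would record the intent. The fastbootd hunk's enclosing macro opens outside the hunk, so whether it is `recovery_only` like the recovery.te rule cannot be confirmed here.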
@@ -223,6 +223,7 @@
 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
+/mnt/vendor/persist/led(/.*)? u:object_r:persist_leds_file:s0
 # Extra mount images
 /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 6ca38c63..452f93b2 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -416,3 +416,7 @@ genfscon sysfs /module/trusty_core/parameters/use_high_wq u:obje
 # EM Profile
 genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0
+
+# Privacy LED
+genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/pwmleds/leds/green/max_brightness u:object_r:sysfs_leds:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 4676641f..21fa7025 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -99,6 +99,13 @@ allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
 allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms;
 allow hal_dumpstate_default proc_vendor_sched:file r_file_perms;
+userdebug_or_eng(`
+ allow hal_dumpstate_default sysfs_leds:dir search;
+ allow hal_dumpstate_default sysfs_leds:file rw_file_perms;
+ allow hal_dumpstate_default persist_file:dir search;
+ r_dir_file(hal_dumpstate_default, persist_leds_file);
+')
+
 get_prop(hal_dumpstate_default, vendor_camera_debug_prop);
 get_prop(hal_dumpstate_default, boottime_public_prop)
 get_prop(hal_dumpstate_default, vendor_camera_prop)
From 6cb9f4e6239790a6bb0ff6a33ba06de3091c37fa Mon Sep 17 00:00:00 2001
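Review bot: `allow hal_dumpstate_default sysfs_leds:file rw_file_perms;` gives the dumpstate HAL write access to the privacy LED brightness nodes labelled in the genfs_contexts hunk, but dumping them into a bugreport only needs reads; `r_file_perms` is sufficient unless dumpstate deliberately drives the LED, in which case a comment should say so. The persist side (`persist_file:dir search` plus `r_dir_file(hal_dumpstate_default, persist_leds_file)`) is already read-only and matches the stated purpose.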
From: Estefany Torres
Date: Fri, 9 Sep 2022 19:27:42 +0000
Subject: [PATCH 25/31] Add rules for letting logger app send the command to ril
08-31 23:40:57.354 458 458 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:logger_app:s0:c252,c256,c512,c768 pid=2901 scontext=u:r:logger_app:s0:c252,c256,c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0
09-01 00:08:19.600 2881 2881 W oid.pixellogger: type=1400 audit(0.0:10): avc: denied { call } for scontext=u:r:logger_app:s0:c252,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=0 app=com.android.pixellogger
Bug: 241412942
Test: tested on C10 with pixel logger change
Change-Id: I845eefc609be2b7fbc22c9b37d1eb2b3195e014f
---
 whitechapel_pro/logger_app.te | 4 ++++
 whitechapel_pro/rild.te | 1 +
 2 files changed, 5 insertions(+)
diff --git a/whitechapel_pro/logger_app.te b/whitechapel_pro/logger_app.te
index 9809f309..684e94ad 100644
--- a/whitechapel_pro/logger_app.te
+++ b/whitechapel_pro/logger_app.te
@@ -5,6 +5,10 @@ userdebug_or_eng(`
 allow logger_app vendor_gps_file:file create_file_perms;
 allow logger_app vendor_gps_file:dir create_dir_perms;
 allow logger_app sysfs_sscoredump_level:file r_file_perms;
+ allow logger_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+ binder_call(logger_app, rild)
+
 r_dir_file(logger_app, ramdump_vendor_data_file)
 r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
 r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index 88b88716..bfabf428 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -27,6 +27,7 @@ binder_call(rild, hal_secure_element_uicc)
 binder_call(rild, grilservice_app)
 binder_call(rild, vendor_engineermode_app)
 binder_call(rild, vendor_telephony_debug_app)
+binder_call(rild, logger_app)
 # for hal service
 add_hwservice(rild, hal_exynos_rild_hwservice)
From 9dd930e4c2f4e0e98cc9b2ded5674d895f5da368 Mon Sep 17 00:00:00 2001
From: Sherry Luo
Date: Fri, 9 Sep 2022 21:29:43 +0000
Subject: [PATCH 26/31] Add network permissions for debug camera
Noticed that Estrella upload failing w/ java.lang.SecurityException: Permission denied (missing INTERNET permission?) Followed investigation in b/230434151. Verified that upload working once this change is flashed.
Test: Flash build w/ local change
Test: Take a picture and upload using Estrella
Test: Verify that the upload succeeded
BUG=245995782
Change-Id: I505af355f25e9063927c946ee8af21de25758ef1
---
 whitechapel_pro/debug_camera_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
index 50379b54..7ef8ab46 100644
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
@@ -2,6 +2,7 @@ type debug_camera_app, domain, coredomain;
 userdebug_or_eng(`
 app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
 allow debug_camera_app app_api_service:service_manager find;
 allow debug_camera_app audioserver_service:service_manager find;
From 37c32d672f0031f02bfde14f00eb8e18d70fe471 Mon Sep 17 00:00:00 2001
From: "Jinhee.k"
Date: Thu, 15 Sep 2022 19:15:31 +0000
Subject: [PATCH 27/31] sepolicy: allowed permissions required for network access : add permission to allow create, connect udp socket Apply to add network access permissions
Bug: 242231557
Test: Verified no IMS exception and avc denied
Change-Id: I4a4bd1efb22b5538b1679aad8f543d00203e0b48
Signed-off-by: Jinhee.k
---
 whitechapel_pro/vendor_ims_app.te | 3 +++
 1 file changed, 3 insertions(+)
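Review bot: `binder_call(rild, logger_app)` is added unconditionally, whereas the logger_app side in the logger_app.te hunk is inside `userdebug_or_eng`, so user builds carry a rild-to-logger_app binder grant that nothing can use; wrap it in a `userdebug_or_eng` block to keep the two sides symmetric. A short comment such as `# Debug-only caller; the matching rules live in logger_app.te` would also separate it from the production callers listed above it.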
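Review bot: `net_domain(debug_camera_app)` grants the whole netdomain socket set, which is more than the single upload path the commit describes, and the line carries no comment; add `# Network access for uploading debug captures (b/245995782)` above it so the breadth is traceable. The grant does sit inside the existing `userdebug_or_eng` block, so user builds are unaffected.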
diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te
index 38e63646..ed65eae1 100644
--- a/whitechapel_pro/vendor_ims_app.te
+++ b/whitechapel_pro/vendor_ims_app.te
@@ -1,5 +1,6 @@
 type vendor_ims_app, domain;
 app_domain(vendor_ims_app)
+net_domain(vendor_ims_app)
 allow vendor_ims_app app_api_service:service_manager find;
 allow vendor_ims_app audioserver_service:service_manager find;
@@ -11,6 +12,8 @@ allow vendor_ims_app mediaserver_service:service_manager find;
 allow vendor_ims_app cameraserver_service:service_manager find;
 allow vendor_ims_app mediametrics_service:service_manager find;
+allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };
+
 binder_call(vendor_ims_app, rild)
 set_prop(vendor_ims_app, vendor_rild_prop)
 set_prop(vendor_ims_app, radio_prop)
From 5acc68de3b727163a3703a17489b7a52e1b9fa0d Mon Sep 17 00:00:00 2001
From: jintinglin
Date: Mon, 19 Sep 2022 13:08:39 +0800
Subject: [PATCH 28/31] Allows modem_svc to read the logging related properties
avc: denied { read } for comm="modem_svc_sit" name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=347 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0
Bug: 243039758
Change-Id: Ib3031552faf03771f86e72e7dbd81c3610c518cc
---
 whitechapel_pro/modem_svc_sit.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 9954f493..9d4cba72 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -25,6 +25,9 @@ get_prop(modem_svc_sit, vendor_rild_prop)
 allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
 get_prop(modem_svc_sit, hwservicemanager_prop)
+# logging property
+get_prop(modem_svc_sit, vendor_logger_prop)
+
 userdebug_or_eng(`
 allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')
From cbb62de10cfa34f1a6c3acc27031967d8a6596eb Mon Sep 17 00:00:00 2001
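Review bot: `allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };` wraps a single permission macro in braces; the usual spelling is `allow vendor_ims_app self:udp_socket create_socket_perms_no_ioctl;`. If `net_domain` on this branch already grants `self:udp_socket create_socket_perms` to netdomain, as upstream net.te does, the rule is redundant and can be dropped, or kept with a comment saying why it is spelled out. `net_domain(vendor_ims_app)` in the first hunk is also unconditional and broader than the UDP socket the commit title describes; `# IMS signalling needs network sockets (b/242231557)` above it would record the intent.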
From: Sayanna Chandula
Date: Mon, 22 Aug 2022 16:15:13 -0700
Subject: [PATCH 29/31] thermal: enable pixelstats access to thermal metrics
Allow pixelstats daemon to access thermal metric nodes
Bug: 228247740
Test: Build and boot on device. Check thermal stats
Change-Id: Iada717b92782bc9c085928462b2e06d2db136cab
Signed-off-by: Sayanna Chandula
---
 whitechapel_pro/pixelstats_vendor.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 068e7fb8..371bef41 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -22,3 +22,7 @@ get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);
 # Pca charge
 allow pixelstats_vendor sysfs_pca:file rw_file_perms;
+
+#Thermal
+r_dir_file(pixelstats_vendor, sysfs_thermal)
+allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;
From c18eea71d7b441e8ba17f4ac5150324d3285db0f Mon Sep 17 00:00:00 2001
From: Kyle Tso
Date: Wed, 28 Sep 2022 10:58:59 +0800
Subject: [PATCH 30/31] Set sepolicy for shell script of disabling contaminant detection (ported from Ib2e3cf498851c0c9e5e74aacc9bf391549c0ad1a)
Bug: 244658328
Signed-off-by: Kyle Tso
Change-Id: Idbfa55d4c7091ce2861600ff3881fcc7217ec662
Merged-In: Idbfa55d4c7091ce2861600ff3881fcc7217ec662
---
 whitechapel_pro/disable-contaminant-detection-sh.te | 7 +++++++
 whitechapel_pro/file_contexts | 1 +
 2 files changed, 8 insertions(+)
 create mode 100644 whitechapel_pro/disable-contaminant-detection-sh.te
diff --git a/whitechapel_pro/disable-contaminant-detection-sh.te b/whitechapel_pro/disable-contaminant-detection-sh.te
new file mode 100644
index 00000000..95845a18
--- /dev/null
+++ b/whitechapel_pro/disable-contaminant-detection-sh.te
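Review bot: `#Thermal` is missing the space after `#` that the neighbouring `# Pca charge` comment uses; write `# Thermal`. The `r_dir_file` plus `sysfs_thermal:lnk_file r_file_perms` pair is read-only, which matches the commit's stated purpose.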
@@ -0,0 +1,7 @@
+type disable-contaminant-detection-sh, domain;
+type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(disable-contaminant-detection-sh)
+
+allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index e5467e81..83232f1e 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -44,6 +44,7 @@
 /vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0
 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0
+/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
From bdf3d6abcce8bf7626e6dbfc5e9a2a3043aaa8c4 Mon Sep 17 00:00:00 2001
From: Vova Sharaienko
Date: Fri, 16 Sep 2022 18:58:26 +0000
Subject: [PATCH 31/31] hal_health_default: updated sepolicy
This allows the android.hardware.health service to access AIDL Stats service
Bug: 237639591
Bug: 249827340
Test: Build, flash, boot & and logcat | grep "avc"
Change-Id: I71013c0b17ee5e526387efa0afb823f97775e572
(cherry picked from commit 87bc6d189d36b2aa0c31553fb672b7173418f9a5)
Merged-In: I71013c0b17ee5e526387efa0afb823f97775e572
---
 whitechapel_pro/hal_health_default.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index 0e393765..d953d4b2 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
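Review bot: `allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;` grants writes to every node carrying the `sysfs_batteryinfo` label, although the script presumably only toggles a single contaminant-detection control; if that node can get its own genfscon label, scope the write rule to it and keep `sysfs_batteryinfo` at `r_file_perms`. The file also has no header comment; `# Domain for the init-run shell script that disables USB-C contaminant detection (b/244658328).` above the type declarations would say what the domain is for. Nothing here grants execution of the shell interpreter itself, so that presumably comes from a shared rule elsewhere and is worth confirming before merge.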
@@ -7,6 +7,9 @@ set_prop(hal_health_default, vendor_battery_defender_prop)
 allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_health_default fwk_stats_service:service_manager find;
+binder_use(hal_health_default)
+
 allow hal_health_default sysfs_wlc:dir search;
 allow hal_health_default sysfs_batteryinfo:file w_file_perms;
 allow hal_health_default sysfs_thermal:dir search;
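Review bot: `fwk_stats_service:service_manager find` and `binder_use` let hal_health_default look the stats service up, but the binder call into its server domain is not granted here; unless it comes from elsewhere, `binder_call(hal_health_default, stats_service_server)` belongs next to these two lines. A comment such as `# Report health atoms to the AIDL stats service (b/237639591)` would also tie the rules together for the next reader.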