From 7fd99e1b1b15279db07d70cf89f9d9c4b6b3a11c Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Fri, 23 Aug 2024 09:40:57 +0000 Subject: [PATCH 01/13] Update SELinux error Test: scanBugreport Bug: 359428317 Bug: 361726277 Test: scanAvcDeniedLogRightAfterReboot Bug: 359428317 Flag: EXEMPT bugFix Change-Id: I2ce66f1431a2644076ff29b2337a97b366851d17
---
tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 58f57c8e..28ee2c23 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,6 @@
 dump_display sysfs file b/350831939
+dump_modem sscoredump_vendor_data_coredump_file dir b/361726277
+dump_modem sscoredump_vendor_data_logcat_file dir b/361726277
 dumpstate unlabeled file b/350832009
 hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
From 5e0dca971a9abe521a3b78faf3c00965739091da Mon Sep 17 00:00:00 2001
From: samou Date: Wed, 17 Jul 2024 15:30:01 +0000 Subject: [PATCH 02/13] sepolicy: remove dump_power_gs201.sh Flag: EXEMPT refactor Bug: 349935208 Change-Id: I3c0f48d00d312ef19677fe5ef9f080f063408667 Signed-off-by: samou
---
whitechapel_pro/dump_power_gs201.te | 30 ----------------------------- whitechapel_pro/file_contexts | 1 - 2 files changed, 31 deletions(-) delete mode 100644 whitechapel_pro/dump_power_gs201.te
diff --git a/whitechapel_pro/dump_power_gs201.te b/whitechapel_pro/dump_power_gs201.te
deleted file mode 100644
index b61001cb..00000000
--- a/whitechapel_pro/dump_power_gs201.te
+++ /dev/null
@@ -1,30 +0,0 @@
-
-pixel_bugreport(dump_power_gs201)
-allow dump_power_gs201 sysfs_acpm_stats:dir r_dir_perms;
-allow dump_power_gs201 sysfs_acpm_stats:file r_file_perms;
-allow dump_power_gs201 sysfs_cpu:file r_file_perms;
-allow dump_power_gs201 vendor_toolbox_exec:file execute_no_trans;
-allow dump_power_gs201 logbuffer_device:chr_file r_file_perms;
-allow dump_power_gs201 mitigation_vendor_data_file:dir r_dir_perms;
-allow dump_power_gs201 sysfs:dir r_dir_perms;
-allow dump_power_gs201 sysfs_batteryinfo:dir r_dir_perms;
-allow dump_power_gs201 sysfs_batteryinfo:file r_file_perms;
-allow dump_power_gs201 sysfs_bcl:dir r_dir_perms;
-allow dump_power_gs201 sysfs_bcl:file r_file_perms;
-allow dump_power_gs201 sysfs_wlc:dir r_dir_perms;
-allow dump_power_gs201 sysfs_wlc:file r_file_perms;
-allow dump_power_gs201 battery_history_device:chr_file r_file_perms;
-allow dump_power_gs201 mitigation_vendor_data_file:file r_file_perms;
-
-userdebug_or_eng(`
- allow dump_power_gs201 debugfs:dir r_dir_perms;
- allow dump_power_gs201 vendor_battery_debugfs:dir r_dir_perms;
- allow dump_power_gs201 vendor_battery_debugfs:file r_file_perms;
- allow dump_power_gs201 vendor_charger_debugfs:dir r_dir_perms;
- allow dump_power_gs201 vendor_charger_debugfs:file r_file_perms;
- allow dump_power_gs201 vendor_pm_genpd_debugfs:file r_file_perms;
- allow dump_power_gs201 vendor_maxfg_debugfs:dir r_dir_perms;
- allow dump_power_gs201 vendor_maxfg_debugfs:file r_file_perms;
- allow dump_power_gs201 vendor_votable_debugfs:dir r_dir_perms;
- allow dump_power_gs201 vendor_votable_debugfs:file r_file_perms;
-')
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 4bed0472..293afb30 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -40,7 +40,6 @@
 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0
 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
-/vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0
 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
 /vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0
From a8d35041b30e95214b09c33f5c46c2ef20f21df5 Mon Sep 17 00:00:00 2001
From: samou Date: Tue, 13 Aug 2024 13:00:17 +0000 Subject: [PATCH 03/13] sepolicy: gs201: fix bm selinux - add odpm scale value path - add gpu cur_freq Flag: EXEMPT refactor Bug: 349935208 Change-Id: Ie053ead11eae4abdd0a30f74117d9c3e00eedf53 Signed-off-by: samou
---
whitechapel_pro/genfs_contexts | 50 ++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index c65e969d..ba0018e1 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -33,6 +33,7 @@ genfscon sysfs /devices/platform/28000000.mali/dma_buf_gpu_mem u
 genfscon sysfs /devices/platform/28000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0
 genfscon sysfs /devices/platform/28000000.mali/kprcs u:object_r:sysfs_gpu:s0
 genfscon sysfs /devices/platform/28000000.mali/dvfs_period u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/28000000.mali/cur_freq u:object_r:sysfs_gpu:s0
 # Fabric
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
@@ -64,6 +65,55 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-me
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power0_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power1_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power2_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_power11_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power0_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power1_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power2_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_power11_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current0_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current1_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current2_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm//iio:device0/in_current11_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current0_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current1_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current2_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device1/in_current11_scale u:object_r:sysfs_odpm:s0
+
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
 genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
From 150634f0877857f6700feedf9b098edcc90c452c Mon Sep 17 00:00:00 2001
From: attis Date: Mon, 26 Aug 2024 10:56:39 +0800 Subject: [PATCH 04/13] Label sysfs node power_mode as sysfs_display. Label power_mode to sysfs_panel to let it be allowed in dumpstate. avc log: 08-26 13:07:49.660 12467 12467 W dump_display: type=1400 audit(0.0:19): avc: denied { read } for name="power_mode" dev="sysfs" ino=89753 scontext=u:r:dump_display:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 bug=b/350831939 Test: ls -Z, adb bugreport. Flag: EXEMPT bugfix Bug: 358505990 Change-Id: I9feeb2a8270f89d214f7d765893364d0e73f7d39 Signed-off-by: attis
---
whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ba0018e1..ee65fab8 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -153,6 +153,7 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_pwr_vreg u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/power_mode u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/power_state u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
From 5e8b0722d0c1f4317cbcde7516e17c7a8015c48f Mon Sep 17 00:00:00 2001
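Review bot: In the second hunk of whitechapel_pro/genfs_contexts (PATCH 03/13), all 24 added s2mpg12 entries contain a doubled slash, `s2mpg12-odpm//iio:device0/...`, while the s2mpg13 entries use `s2mpg13-odpm/iio:device1/...`. As far as I know genfscon paths are compared as literal prefixes against the kernel's canonical sysfs path, which has no empty component, so these entries most likely never match and the s2mpg12 scale files keep whatever label they had before; each should read like `genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm/iio:device0/in_power0_scale u:object_r:sysfs_odpm:s0`. The new entries also pin `iio:device0` and `iio:device1`, whereas the context line just above labels the unnumbered prefix `.../s2mpg13-odpm/iio:device`, which would appear to cover these files already; if IIO numbering can change with probe order the numbered entries are a second way for the labels to go stale. Running `ls -Z` on the scale nodes after boot would show which entries actually take effect.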
From: Randall Huang Date: Mon, 2 Sep 2024 14:51:29 +0800 Subject: [PATCH 05/13] Storage: label ufs firmware upgrade script Bug: 361093041 Test: local build Change-Id: I312d071ecaaedb09b54976e6b3bfe05e7bc6cdea Signed-off-by: Randall Huang
---
whitechapel_pro/device.te | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index ae74fea2..24bb1e8a 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -1,3 +1,4 @@
+# device.te
 type modem_block_device, dev_type;
 type custom_ab_block_device, dev_type;
 type persist_block_device, dev_type;
@@ -20,3 +21,6 @@ type fips_block_device, dev_type;
 # SecureElement SPI device
 type st54spi_device, dev_type;
 type st33spi_device, dev_type;
+
+# Storage firmware upgrade
+type ufs_internal_block_device, dev_type;
From b67284dc2f69d38a6d9ec42f6fd0b6d066047f48 Mon Sep 17 00:00:00 2001
From: Randall Huang Date: Wed, 4 Sep 2024 00:01:42 +0800 Subject: [PATCH 06/13] storage: move storage related device type to common folder Bug: 364225000 Test: forrest build Change-Id: Iaed5b07a1d9823ebf3c7210921784d81bf6207a5 Signed-off-by: Randall Huang
---
whitechapel_pro/device.te | 5 ----- whitechapel_pro/file_contexts | 1 - whitechapel_pro/ufs_firmware_update.te | 6 +++--- 3 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 24bb1e8a..d23a1adf 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -1,9 +1,6 @@
 # device.te
 type modem_block_device, dev_type;
 type custom_ab_block_device, dev_type;
-type persist_block_device, dev_type;
-type efs_block_device, dev_type;
-type modem_userdata_block_device, dev_type;
 type mfg_data_block_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
@@ -22,5 +19,3 @@ type fips_block_device, dev_type;
 type st54spi_device, dev_type;
 type st33spi_device, dev_type;
-# Storage firmware upgrade
-type ufs_internal_block_device, dev_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 293afb30..f704078d 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -40,7 +40,6 @@
 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0
 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
-/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
 /vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0
 # Vendor Firmwares
diff --git a/whitechapel_pro/ufs_firmware_update.te b/whitechapel_pro/ufs_firmware_update.te
index f33c2da9..121e462b 100644
--- a/whitechapel_pro/ufs_firmware_update.te
+++ b/whitechapel_pro/ufs_firmware_update.te
@@ -1,11 +1,11 @@
-type ufs_firmware_update, domain;
-type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
-
+# ufs ffu
 init_daemon_domain(ufs_firmware_update)
+# ufs ffu
 allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
 allow ufs_firmware_update block_device:dir r_dir_perms;
 allow ufs_firmware_update fips_block_device:blk_file rw_file_perms;
 allow ufs_firmware_update sysfs:dir r_dir_perms;
 allow ufs_firmware_update sysfs_scsi_devices_0000:dir search;
 allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+
From bd7fbe9a022a23ad21a21f6cf316f1693d0eee99 Mon Sep 17 00:00:00 2001
From: Vic Huang Date: Fri, 6 Sep 2024 06:34:21 +0000 Subject: [PATCH 07/13] [BT] Define vendor_bluetooth_prop avc: denied { set } for property=persist.vendor.service.bdroid.bdaddr pid=860 uid=1002 gid=1002 scontext=u:r:hal_bluetooth_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0 Bug: 359428216 Test: Forest build Flag: EXEMPT N/A Change-Id: I1aeb04e32620b2815db02f34ee40eae94deeed3c
---
whitechapel_pro/property.te | 5 +++++ 1 file changed, 5 insertions(+)
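Review bot: In whitechapel_pro/ufs_firmware_update.te (PATCH 06/13) the two added `# ufs ffu` comments do not record the dependency this hunk creates: the `type ufs_firmware_update, domain;` and `type ufs_firmware_update_exec, ...;` declarations are removed, and the file_contexts hunk of the same patch drops the `/vendor/bin/ufs_firmware_update\.sh` label, while `init_daemon_domain(ufs_firmware_update)` and the allow rules stay. The file now builds, and the domain is entered, only if another policy directory declares both types and labels the script; that directory is not visible in this patch. I would replace the first comment with `# ufs_firmware_update and ufs_firmware_update_exec are declared and labelled in the common storage sepolicy`, so the retained `fips_block_device:blk_file rw_file_perms` grant can be traced to its domain definition. The blank line added at the end of the file can be dropped.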
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 98fd4534..c727d8e3 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -1,3 +1,5 @@
+# whitechapel_pro Property Define
+
 vendor_internal_prop(vendor_diag_prop)
 vendor_internal_prop(vendor_slog_prop)
 vendor_internal_prop(vendor_modem_prop)
@@ -45,3 +47,6 @@ vendor_restricted_prop(vendor_arm_runtime_option_prop)
 # SJTAG lock state
 vendor_internal_prop(vendor_sjtag_lock_state_prop)
+
+# Bluetooth props
+vendor_restricted_prop(vendor_bluetooth_prop)
From c841b33df06ca38f54373c99f035db7c572c27b6 Mon Sep 17 00:00:00 2001
From: Nina Chen Date: Thu, 12 Sep 2024 14:25:32 +0800 Subject: [PATCH 08/13] Update SELinux error Test: SELinuxUncheckedDenialBootTest Flag: EXEMPT NDK Bug: 366116786 Change-Id: I6d17ac72f8bdcc3fc54d08b7c23a0f5e0fd83d23
---
tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 28ee2c23..aa33000f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -16,6 +16,7 @@ rfsd vendor_cbd_prop file b/317734397
 shell sysfs_net file b/329380891
 ssr_detector_app default_prop file b/359428005
 surfaceflinger selinuxfs file b/315104594
+system_server vendor_default_prop file b/366116786
 vendor_init debugfs_trace_marker file b/336451787
 vendor_init default_prop file b/315104479
 vendor_init default_prop file b/315104803
From a5eb284c4a0f694aa134c04301605b05a9e2d362 Mon Sep 17 00:00:00 2001
From: Prochin Wang Date: Thu, 12 Sep 2024 05:04:16 +0000 Subject: [PATCH 09/13] Change vendor_fingerprint_prop to vendor_restricted_prop This is to allow the fingerprint HAL to access the property. Bug: 366105474 Flag: build.RELEASE_PIXEL_BOOST_DATALAYER_PSA_ENABLED Test: mm Change-Id: I5b07acfd7599b099997d46b297e1f7400a9fe478
---
whitechapel_pro/property.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
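Review bot: The second hunk of whitechapel_pro/property.te (PATCH 07/13) only declares `vendor_bluetooth_prop`; nothing in this patch maps `persist.vendor.service.bdroid.bdaddr` to it in property_contexts or grants `hal_bluetooth_default` `set_prop` on it, so the quoted denial against `vendor_default_prop` stays as it is unless those pieces land elsewhere. Going by its name the property holds the Bluetooth device address, so the choice of `vendor_restricted_prop` over `vendor_internal_prop` needs a stated reason: as far as I know the restricted class is the one that allows domains outside vendor to be granted read access. If no non-vendor reader is intended, `vendor_internal_prop(vendor_bluetooth_prop)` is the narrower declaration; otherwise change the comment to something like `# Bluetooth props (restricted: read by <non-vendor reader>)`.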
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index c727d8e3..2dfe16d1 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -26,7 +26,7 @@ vendor_internal_prop(vendor_persist_sys_default_prop)
 vendor_internal_prop(vendor_display_prop)
 # Fingerprint
-vendor_internal_prop(vendor_fingerprint_prop)
+vendor_restricted_prop(vendor_fingerprint_prop)
 # UWB calibration
 system_vendor_config_prop(vendor_uwb_calibration_prop)
From 077e59c64f1e8065c79d1c0139efa9db799ee4f4 Mon Sep 17 00:00:00 2001
From: Tej Singh Date: Fri, 20 Sep 2024 21:34:56 -0700 Subject: [PATCH 10/13] Make android.framework.stats-v2-ndk app reachable For libedgetpu Test: TH Bug: 354763040 Flag: EXEMPT bugfix Change-Id: If78bc951a9a4cfc223d01970ca6819fe2b5c6335
---
whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index f704078d..9dc374fd 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -58,6 +58,7 @@
 /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/android\.frameworks\.stats-V2-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
From 3aeae9b99ff19887ab2e6af7f1b18b06110aa682 Mon Sep 17 00:00:00 2001
From: Nina Chen Date: Wed, 25 Sep 2024 12:04:07 +0800 Subject: [PATCH 11/13] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 369475655 Flag: EXEMPT NDK Change-Id: Ic8d895b33d24e998faa00b128cad4bc4fd1e14bf
---
tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
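Review bot: Switching `vendor_fingerprint_prop` from `vendor_internal_prop` to `vendor_restricted_prop` in whitechapel_pro/property.te (PATCH 09/13) widens who may be granted access to it, and the hunk gives no reason for that. The description names the fingerprint HAL as the consumer, which is normally a vendor domain and could already be allowed on a vendor-internal property; as far as I know the restricted class matters only when a domain outside vendor has to read the value. The comment should say which reader needs it, for example `# Fingerprint (restricted: read by <non-vendor domain>)`. If the reader is in fact a vendor domain, keeping `vendor_internal_prop(vendor_fingerprint_prop)` and adding the specific `get_prop` or `set_prop` rule is the narrower fix.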
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index aa33000f..3d966019 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ insmod-sh insmod-sh key b/336451874
 kernel dm_device blk_file b/319403445
 kernel kernel capability b/336451113
 kernel tmpfs chr_file b/321731318
+ramdump ramdump capability b/369475655
 rfsd vendor_cbd_prop file b/317734397
 shell sysfs_net file b/329380891
 ssr_detector_app default_prop file b/359428005
From eb84e9c0a4c750031b76705d5034f44f3cd407af Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Wed, 25 Sep 2024 12:40:35 +0000 Subject: [PATCH 12/13] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 369540701 Flag: EXEMPT NDK Change-Id: Ib5edeaac550562b6bbb5ec35bfce1d6838245c6b
---
tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 3d966019..bb50b3a8 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -12,6 +12,7 @@ insmod-sh insmod-sh key b/336451874
 kernel dm_device blk_file b/319403445
 kernel kernel capability b/336451113
 kernel tmpfs chr_file b/321731318
+pixelstats_vendor block_device dir b/369540701
 ramdump ramdump capability b/369475655
 rfsd vendor_cbd_prop file b/317734397
 shell sysfs_net file b/329380891
From 315cc63557dfd4367f8aed06858531b21b9ee073 Mon Sep 17 00:00:00 2001
From: samou Date: Fri, 4 Oct 2024 14:31:21 +0000 Subject: [PATCH 13/13] sepolicy: allow dumpstate to execute dump_power 10-04 19:36:47.308 7141 7141 I android.hardwar: type=1400 audit(0.0:6974): avc: denied { execute_no_trans } for path="/vendor/bin/dump/dump_power" dev="overlay" ino=91 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1 10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6975): avc: denied { read } for name="acpm_stats" dev="sysfs" ino=29227 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1 10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6976): avc: denied { open } for path="/sys/devices/platform/acpm_stats" dev="sysfs" ino=29227 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1 10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6977): avc: denied { search } for name="acpm_stats" dev="sysfs" ino=29227 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1 10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6978): avc: denied { read } for name="core_stats" dev="sysfs" ino=57472 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1 10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6979): avc: denied { open } for path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=57472 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1 10-04 19:36:47.332 7141 7141 I dump_power: type=1400 audit(0.0:6980): avc: denied { getattr } for path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=57472 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1 10-04 19:36:47.336 7141 7141 I dump_power: type=1400 audit(0.0:6981): avc: denied { read } for 
name="time_in_state" dev="sysfs" ino=50604 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_cpu:s0 tclass=file permissive=1 10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:25): avc: denied { read } for name="version" dev="sysfs" ino=62887 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:26): avc: denied { read } for name="version" dev="sysfs" ino=62887 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:27): avc: denied { read } for name="status" dev="sysfs" ino=62888 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:28): avc: denied { read } for name="status" dev="sysfs" ino=62888 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:29): avc: denied { read } for name="fw_rev" dev="sysfs" ino=62915 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 10-04 21:24:19.640 15006 15006 W dump_power: type=1400 audit(0.0:30): avc: denied { read } for name="fw_rev" dev="sysfs" ino=62915 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:29): avc: denied { search } for name="battery" dev="sysfs" ino=63428 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:30): avc: denied { search } for name="10d50000.hsi2c" dev="sysfs" ino=21301 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:31): avc: denied { search } for 
name="power_supply" dev="sysfs" ino=79013 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:32): avc: denied { search } for name="power_supply" dev="sysfs" ino=79013 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 10-04 21:46:57.664 7194 7194 W dump_power: type=1400 audit(0.0:33): avc: denied { search } for name="10d50000.hsi2c" dev="sysfs" ino=21301 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18792): avc: denied { search } for name="battery" dev="sysfs" ino=63428 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18793): avc: denied { read } for name="uevent" dev="sysfs" ino=63429 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18794): avc: denied { open } for path="/sys/devices/platform/google,battery/power_supply/battery/uevent" dev="sysfs" ino=63429 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 10-04 21:51:18.168 14936 14936 I dump_power: type=1400 audit(0.0:18795): avc: denied { getattr } for path="/sys/devices/platform/google,battery/power_supply/battery/uevent" dev="sysfs" ino=63429 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18796): avc: denied { search } for name="8-003c" dev="sysfs" ino=55942 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1 10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18797): avc: denied { read } for name="maxfg" dev="sysfs" ino=62568 
scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18798): avc: denied { read } for name="logbuffer_tcpm" dev="tmpfs" ino=1285 scontext=u:r:dump_power:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=1 10-04 21:51:18.184 14936 14936 I dump_power: type=1400 audit(0.0:18799): avc: denied { open } for path="/dev/logbuffer_tcpm" dev="tmpfs" ino=1285 scontext=u:r:dump_power:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=1 10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6191): avc: denied { search } for name="mitigation" dev="dm-50" ino=3758 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=dir permissive=1 10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6192): avc: denied { read } for name="thismeal.txt" dev="dm-50" ino=28765 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1 10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6193): avc: denied { open } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-50" ino=28765 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1 10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6194): avc: denied { getattr } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-50" ino=28765 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1 10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6195): avc: denied { search } for name="mitigation" dev="sysfs" ino=85222 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=dir permissive=1 10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6196): avc: denied { read } for name="last_triggered_count" dev="sysfs" ino=85275 scontext=u:r:dump_power:s0 
tcontext=u:object_r:sysfs_bcl:s0 tclass=dir permissive=1 10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6197): avc: denied { open } for path="/sys/devices/virtual/pmic/mitigation/last_triggered_count" dev="sysfs" ino=85275 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=dir permissive=1 10-04 22:01:08.400 7074 7074 I dump_power: type=1400 audit(0.0:6198): avc: denied { read } for name="batoilo_count" dev="sysfs" ino=85287 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_bcl:s0 tclass=file permissive=1 10-04 23:49:14.616 6976 6976 I dump_power: type=1400 audit(0.0:875): avc: denied { read } for name="thismeal.txt" dev="dm-57" ino=15028 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1 10-04 23:49:14.616 6976 6976 I dump_power: type=1400 audit(0.0:876): avc: denied { open } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-57" ino=15028 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1 10-04 23:49:14.616 6976 6976 I dump_power: type=1400 audit(0.0:877): avc: denied { getattr } for path="/data/vendor/mitigation/thismeal.txt" dev="dm-57" ino=15028 scontext=u:r:dump_power:s0 tcontext=u:object_r:mitigation_vendor_data_file:s0 tclass=file permissive=1 10-05 00:00:44.540 7085 7085 I dump_power: type=1400 audit(0.0:878): avc: denied { read } for name="acpm_stats" dev="sysfs" ino=25439 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1 10-05 00:00:44.540 7085 7085 I dump_power: type=1400 audit(0.0:879): avc: denied { open } for path="/sys/devices/platform/acpm_stats" dev="sysfs" ino=25439 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir permissive=1 10-05 00:00:44.540 7085 7085 I dump_power: type=1400 audit(0.0:880): avc: denied { search } for name="acpm_stats" dev="sysfs" ino=25439 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=dir 
permissive=1 10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:881): avc: denied { read } for name="core_stats" dev="sysfs" ino=53039 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1 10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:882): avc: denied { open } for path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=53039 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1 10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:883): avc: denied { getattr } for path="/sys/devices/platform/acpm_stats/core_stats" dev="sysfs" ino=53039 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_acpm_stats:s0 tclass=file permissive=1 10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:884): avc: denied { read } for name="time_in_state" dev="sysfs" ino=45585 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_cpu:s0 tclass=file permissive=1 10-05 00:00:44.544 7085 7085 I dump_power: type=1400 audit(0.0:885): avc: denied { open } for path="/sys/devices/platform/cpupm/cpupm/time_in_state" dev="sysfs" ino=45585 scontext=u:r:dump_power:s0 tcontext=u:object_r:sysfs_cpu:s0 tclass=file permissive=1 Flag: EXEMPT refactor Bug: 364989823 Change-Id: Ie4637b1295975c716f50333ad6635b9694a624b8 Signed-off-by: samou
---
whitechapel_pro/dump_power.te | 15 +++++++++++++++ whitechapel_pro/file_contexts | 1 + 2 files changed, 16 insertions(+) create mode 100644 whitechapel_pro/dump_power.te
diff --git a/whitechapel_pro/dump_power.te b/whitechapel_pro/dump_power.te
new file mode 100644
index 00000000..d745b20d
--- /dev/null
+++ b/whitechapel_pro/dump_power.te
@@ -0,0 +1,15 @@
+# Allow dumpstate to execute dump_power
+pixel_bugreport(dump_power);
+
+allow dump_power sysfs_acpm_stats:dir r_dir_perms;
+allow dump_power sysfs_acpm_stats:file r_file_perms;
+allow dump_power sysfs_cpu:file r_file_perms;
+allow dump_power sysfs_wlc:file r_file_perms;
+allow dump_power sysfs_wlc:dir search;
+allow dump_power sysfs_batteryinfo:dir r_dir_perms;
+allow dump_power sysfs_batteryinfo:file r_file_perms;
+allow dump_power logbuffer_device:chr_file r_file_perms;
+allow dump_power mitigation_vendor_data_file:dir r_dir_perms;
+allow dump_power mitigation_vendor_data_file:file r_file_perms;
+allow dump_power sysfs_bcl:dir r_dir_perms;
+allow dump_power sysfs_bcl:file r_file_perms;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 9dc374fd..dc8e89b4 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -15,6 +15,7 @@
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+/vendor/bin/dump/dump_power u:object_r:dump_power_exec:s0
 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
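Review bot: `pixel_bugreport(dump_power);` in the new whitechapel_pro/dump_power.te (PATCH 13/13) ends with a semicolon, unlike the other macro calls in this series (`pixel_bugreport(dump_power_gs201)`, `init_daemon_domain(ufs_firmware_update)`); writing `pixel_bugreport(dump_power)` keeps the style consistent and leaves no stray `;` after the macro expansion. The header comment `# Allow dumpstate to execute dump_power` covers only the domain setup, while the twelve allow rules under it are the read grants taken from the quoted denials; a line such as `# Read-only access to the power, battery, wireless-charger and mitigation nodes collected by dump_power` before the first `allow` would describe them. Compared with the dump_power_gs201.te removed in PATCH 02/13, this policy has no `userdebug_or_eng` debugfs block and narrows `sysfs_wlc:dir` to `search`; a short comment saying that is deliberate would keep a later change from restoring the broader rules.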