From 6a85e12ff9015b3b5a6a94a711b20fe0db98f5f2 Mon Sep 17 00:00:00 2001 From: Inna Palant Date: Tue, 18 May 2021 11:37:03 -0700 Subject: [PATCH 001/900] Initial empty repository From 703587e97c601c21b36946f505316aadd5ee9ece Mon Sep 17 00:00:00 2001 From: Aaron Ding Date: Wed, 19 May 2021 15:28:01 +0800 Subject: [PATCH 002/900] init gs201-sepolicy.mk Bug: 183183095 Change-Id: Id4b568100f2dbd438d9527253b56169bb4540f44 --- gs201-sepolicy.mk | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 gs201-sepolicy.mk diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk new file mode 100644 index 00000000..e69de29b From d3a63de64bcbc60b6c09ec7dbc27bbce21de73ee Mon Sep 17 00:00:00 2001 From: Pat Tjin Date: Thu, 20 May 2021 17:51:26 -0700 Subject: [PATCH 003/900] clone sepolicy from gs101 s/gs101/gs201/g Bug: 186836335 Test: Boot 
Signed-off-by: Pat Tjin Change-Id: Ifa0d083f7317c38eb02c8228c2804cbd4d5ee19f --- ambient/exo_app.te | 20 + ambient/seapp_contexts | 2 + display/common/file.te | 1 + display/common/file_contexts | 1 + display/gs101/genfs_contexts | 14 + .../gs101/hal_graphics_composer_default.te | 38 ++ gs201-sepolicy.mk | 39 ++ private/dex2oat.te | 59 +++ private/gmscore_app.te | 2 + private/hal_dumpstate_default.te | 2 + private/incidentd.te | 14 + private/lpdumpd.te | 7 + private/priv_app.te | 19 + private/radio.te | 1 + private/service_contexts | 1 + private/untrusted_app_25.te | 2 + private/wait_for_keymaster.te | 2 + system_ext/private/property_contexts | 2 + system_ext/public/property.te | 2 + tracking_denials/dumpstate.te | 4 + tracking_denials/gpsd.te | 11 + tracking_denials/hal_camera_default.te | 5 + tracking_denials/hal_fingerprint_default.te | 15 + .../hal_graphics_composer_default.te | 3 + tracking_denials/hal_neuralnetworks_armnn.te | 33 ++ .../hal_neuralnetworks_darwinn.te | 14 + tracking_denials/hal_power_default.te | 12 + tracking_denials/hardware_info_app.te | 18 + tracking_denials/incidentd.te | 2 + tracking_denials/init.te | 3 + tracking_denials/ofl_app.te | 3 + tracking_denials/pixelstats_vendor.te | 7 + tracking_denials/priv_app.te | 2 + tracking_denials/servicemanager.te | 3 + tracking_denials/surfaceflinger.te | 12 + tracking_denials/trusty_apploader.te | 3 + tracking_denials/untrusted_app.te | 4 + tracking_denials/update_engine.te | 2 + tracking_denials/vendor_init.te | 2 + usf/file.te | 12 + usf/file_contexts | 10 + usf/sensor_hal.te | 60 +++ usf/te_macros | 14 + whitechapel/vendor/google/aocd.te | 21 + whitechapel/vendor/google/aocdump.te | 19 + whitechapel/vendor/google/attributes | 1 + whitechapel/vendor/google/audioserver.te | 2 + whitechapel/vendor/google/bipchmgr.te | 9 + whitechapel/vendor/google/bootanim.te | 5 + .../vendor/google/bootdevice_sysdev.te | 1 + whitechapel/vendor/google/cbd.te | 63 +++ whitechapel/vendor/google/cbrs_setup.te | 13 + 
.../google/certs/com_google_mds.x509.pem | 29 ++ .../google/certs/com_qorvo_uwb.x509.pem | 29 ++ whitechapel/vendor/google/chre.te | 17 + whitechapel/vendor/google/con_monitor.te | 10 + whitechapel/vendor/google/device.te | 62 +++ whitechapel/vendor/google/dmd.te | 33 ++ whitechapel/vendor/google/domain.te | 1 + whitechapel/vendor/google/dumpstate.te | 16 + whitechapel/vendor/google/e2fs.te | 6 + .../vendor/google/edgetpu_app_service.te | 41 ++ whitechapel/vendor/google/edgetpu_logging.te | 15 + .../vendor/google/edgetpu_vendor_service.te | 28 ++ .../google/exo_camera_injection/dumpstate.te | 2 + .../google/exo_camera_injection/exo_app.te | 3 + .../google/exo_camera_injection/file_contexts | 1 + .../hal_exo_camera_injection.te | 10 + .../google/exo_camera_injection/hwservice.te | 1 + .../exo_camera_injection/hwservice_contexts | 1 + whitechapel/vendor/google/fastbootd.te | 6 + whitechapel/vendor/google/file.te | 210 ++++++++ whitechapel/vendor/google/file_contexts | 462 ++++++++++++++++++ whitechapel/vendor/google/fsck.te | 3 + whitechapel/vendor/google/genfs_contexts | 356 ++++++++++++++ whitechapel/vendor/google/gpsd.te | 25 + whitechapel/vendor/google/grilservice_app.te | 12 + .../vendor/google/hal_audio_default.te | 31 ++ .../google/hal_audiometricext_default.te | 12 + .../vendor/google/hal_bluetooth_btlinux.te | 22 + .../vendor/google/hal_bootctl_default.te | 3 + .../vendor/google/hal_camera_default.te | 77 +++ .../vendor/google/hal_confirmationui.te | 13 + whitechapel/vendor/google/hal_contexthub.te | 3 + whitechapel/vendor/google/hal_drm_clearkey.te | 5 + whitechapel/vendor/google/hal_drm_default.te | 6 + .../vendor/google/hal_dumpstate_default.te | 192 ++++++++ .../vendor/google/hal_fingerprint_default.te | 14 + whitechapel/vendor/google/hal_gnss_default.te | 4 + .../google/hal_graphics_allocator_default.te | 4 + .../google/hal_graphics_composer_default.te | 6 + .../vendor/google/hal_health_default.te | 14 + .../google/hal_health_storage_default.te | 3 + 
.../vendor/google/hal_neuralnetworks_armnn.te | 9 + .../google/hal_neuralnetworks_darwinn.te | 35 ++ whitechapel/vendor/google/hal_nfc_default.te | 9 + .../vendor/google/hal_power_default.te | 12 + .../vendor/google/hal_power_stats_default.te | 20 + .../vendor/google/hal_radioext_default.te | 21 + .../google/hal_secure_element_default.te | 10 + .../google/hal_tetheroffload_default.te | 17 + .../vendor/google/hal_thermal_default.te | 3 + whitechapel/vendor/google/hal_usb_impl.te | 13 + whitechapel/vendor/google/hal_uwb_default.te | 5 + .../google/hal_vendor_hwcservice_default.te | 4 + whitechapel/vendor/google/hal_wifi.te | 3 + whitechapel/vendor/google/hal_wifi_ext.te | 13 + whitechapel/vendor/google/hal_wlc.te | 16 + .../vendor/google/hardware_info_app.te | 9 + whitechapel/vendor/google/hbmsvmanager_app.te | 11 + whitechapel/vendor/google/hwservice.te | 27 + whitechapel/vendor/google/hwservice_contexts | 35 ++ whitechapel/vendor/google/hwservicemanager.te | 1 + whitechapel/vendor/google/incident.te | 4 + whitechapel/vendor/google/init-insmod-sh.te | 16 + whitechapel/vendor/google/init.te | 20 + whitechapel/vendor/google/init_radio.te | 8 + whitechapel/vendor/google/installd.te | 1 + whitechapel/vendor/google/kernel.te | 9 + whitechapel/vendor/google/keys.conf | 5 + whitechapel/vendor/google/lhd.te | 23 + whitechapel/vendor/google/logger_app.te | 27 + whitechapel/vendor/google/mac_permissions.xml | 30 ++ whitechapel/vendor/google/mediacodec.te | 9 + .../vendor/google/modem_diagnostics.te | 32 ++ .../vendor/google/modem_logging_control.te | 17 + whitechapel/vendor/google/modem_svc_sit.te | 28 ++ whitechapel/vendor/google/netutils_wrapper.te | 7 + whitechapel/vendor/google/ofl_app.te | 17 + whitechapel/vendor/google/omadm.te | 10 + .../vendor/google/pixelstats_vendor.te | 17 + whitechapel/vendor/google/pktrouter.te | 13 + whitechapel/vendor/google/platform_app.te | 24 + whitechapel/vendor/google/priv_app.te | 9 + whitechapel/vendor/google/property.te | 58 +++ 
whitechapel/vendor/google/property_contexts | 125 +++++ whitechapel/vendor/google/radio.te | 1 + whitechapel/vendor/google/ramdump_app.te | 24 + whitechapel/vendor/google/recovery.te | 3 + whitechapel/vendor/google/rfsd.te | 39 ++ .../vendor/google/ril_config_service.te | 10 + whitechapel/vendor/google/rild.te | 35 ++ whitechapel/vendor/google/rlsservice.te | 28 ++ whitechapel/vendor/google/scd.te | 17 + whitechapel/vendor/google/sced.te | 23 + whitechapel/vendor/google/seapp_contexts | 46 ++ .../vendor/google/securedpud.slider.te | 9 + whitechapel/vendor/google/service.te | 6 + whitechapel/vendor/google/service_contexts | 11 + whitechapel/vendor/google/shell.te | 7 + whitechapel/vendor/google/ssr_detector.te | 20 + whitechapel/vendor/google/storageproxyd.te | 9 + whitechapel/vendor/google/system_app.te | 6 + whitechapel/vendor/google/system_server.te | 5 + whitechapel/vendor/google/tcpdump_logger.te | 20 + whitechapel/vendor/google/toolbox.te | 3 + whitechapel/vendor/google/trusty_apploader.te | 7 + whitechapel/vendor/google/trusty_metricsd.te | 11 + whitechapel/vendor/google/twoshay.te | 10 + .../vendor/google/untrusted_app_all.te | 10 + whitechapel/vendor/google/update_engine.te | 3 + whitechapel/vendor/google/uwb_vendor_app.te | 12 + whitechapel/vendor/google/vcd.te | 11 + whitechapel/vendor/google/vendor_ims_app.te | 15 + whitechapel/vendor/google/vendor_init.te | 36 ++ whitechapel/vendor/google/vendor_shell.te | 1 + .../vendor/google/vendor_telephony_app.te | 22 + whitechapel/vendor/google/vndservice.te | 4 + whitechapel/vendor/google/vndservice_contexts | 4 + whitechapel/vendor/google/vold.te | 6 + whitechapel/vendor/google/wifi_sniffer.te | 6 + whitechapel/vendor/google/wlcfwupdate.te | 12 + 172 files changed, 3678 insertions(+) create mode 100644 ambient/exo_app.te create mode 100644 ambient/seapp_contexts create mode 100644 display/common/file.te create mode 100644 display/common/file_contexts create mode 100644 display/gs101/genfs_contexts create mode 
100644 display/gs101/hal_graphics_composer_default.te create mode 100644 private/dex2oat.te create mode 100644 private/gmscore_app.te create mode 100644 private/hal_dumpstate_default.te create mode 100644 private/incidentd.te create mode 100644 private/lpdumpd.te create mode 100644 private/priv_app.te create mode 100644 private/radio.te create mode 100644 private/service_contexts create mode 100644 private/untrusted_app_25.te create mode 100644 private/wait_for_keymaster.te create mode 100644 system_ext/private/property_contexts create mode 100644 system_ext/public/property.te create mode 100644 tracking_denials/dumpstate.te create mode 100644 tracking_denials/gpsd.te create mode 100644 tracking_denials/hal_camera_default.te create mode 100644 tracking_denials/hal_fingerprint_default.te create mode 100644 tracking_denials/hal_graphics_composer_default.te create mode 100644 tracking_denials/hal_neuralnetworks_armnn.te create mode 100644 tracking_denials/hal_neuralnetworks_darwinn.te create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/hardware_info_app.te create mode 100644 tracking_denials/incidentd.te create mode 100644 tracking_denials/init.te create mode 100644 tracking_denials/ofl_app.te create mode 100644 tracking_denials/pixelstats_vendor.te create mode 100644 tracking_denials/priv_app.te create mode 100644 tracking_denials/servicemanager.te create mode 100644 tracking_denials/surfaceflinger.te create mode 100644 tracking_denials/trusty_apploader.te create mode 100644 tracking_denials/untrusted_app.te create mode 100644 tracking_denials/update_engine.te create mode 100644 tracking_denials/vendor_init.te create mode 100644 usf/file.te create mode 100644 usf/file_contexts create mode 100644 usf/sensor_hal.te create mode 100644 usf/te_macros create mode 100644 whitechapel/vendor/google/aocd.te create mode 100644 whitechapel/vendor/google/aocdump.te create mode 100644 whitechapel/vendor/google/attributes create mode 100644 
whitechapel/vendor/google/audioserver.te create mode 100644 whitechapel/vendor/google/bipchmgr.te create mode 100644 whitechapel/vendor/google/bootanim.te create mode 100644 whitechapel/vendor/google/bootdevice_sysdev.te create mode 100644 whitechapel/vendor/google/cbd.te create mode 100644 whitechapel/vendor/google/cbrs_setup.te create mode 100644 whitechapel/vendor/google/certs/com_google_mds.x509.pem create mode 100644 whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem create mode 100644 whitechapel/vendor/google/chre.te create mode 100644 whitechapel/vendor/google/con_monitor.te create mode 100644 whitechapel/vendor/google/device.te create mode 100644 whitechapel/vendor/google/dmd.te create mode 100644 whitechapel/vendor/google/domain.te create mode 100644 whitechapel/vendor/google/dumpstate.te create mode 100644 whitechapel/vendor/google/e2fs.te create mode 100644 whitechapel/vendor/google/edgetpu_app_service.te create mode 100644 whitechapel/vendor/google/edgetpu_logging.te create mode 100644 whitechapel/vendor/google/edgetpu_vendor_service.te create mode 100644 whitechapel/vendor/google/exo_camera_injection/dumpstate.te create mode 100644 whitechapel/vendor/google/exo_camera_injection/exo_app.te create mode 100644 whitechapel/vendor/google/exo_camera_injection/file_contexts create mode 100644 whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te create mode 100644 whitechapel/vendor/google/exo_camera_injection/hwservice.te create mode 100644 whitechapel/vendor/google/exo_camera_injection/hwservice_contexts create mode 100644 whitechapel/vendor/google/fastbootd.te create mode 100644 whitechapel/vendor/google/file.te create mode 100644 whitechapel/vendor/google/file_contexts create mode 100644 whitechapel/vendor/google/fsck.te create mode 100644 whitechapel/vendor/google/genfs_contexts create mode 100644 whitechapel/vendor/google/gpsd.te create mode 100644 whitechapel/vendor/google/grilservice_app.te create mode 100644 
whitechapel/vendor/google/hal_audio_default.te create mode 100644 whitechapel/vendor/google/hal_audiometricext_default.te create mode 100644 whitechapel/vendor/google/hal_bluetooth_btlinux.te create mode 100644 whitechapel/vendor/google/hal_bootctl_default.te create mode 100644 whitechapel/vendor/google/hal_camera_default.te create mode 100644 whitechapel/vendor/google/hal_confirmationui.te create mode 100644 whitechapel/vendor/google/hal_contexthub.te create mode 100644 whitechapel/vendor/google/hal_drm_clearkey.te create mode 100644 whitechapel/vendor/google/hal_drm_default.te create mode 100644 whitechapel/vendor/google/hal_dumpstate_default.te create mode 100644 whitechapel/vendor/google/hal_fingerprint_default.te create mode 100644 whitechapel/vendor/google/hal_gnss_default.te create mode 100644 whitechapel/vendor/google/hal_graphics_allocator_default.te create mode 100644 whitechapel/vendor/google/hal_graphics_composer_default.te create mode 100644 whitechapel/vendor/google/hal_health_default.te create mode 100644 whitechapel/vendor/google/hal_health_storage_default.te create mode 100644 whitechapel/vendor/google/hal_neuralnetworks_armnn.te create mode 100644 whitechapel/vendor/google/hal_neuralnetworks_darwinn.te create mode 100644 whitechapel/vendor/google/hal_nfc_default.te create mode 100644 whitechapel/vendor/google/hal_power_default.te create mode 100644 whitechapel/vendor/google/hal_power_stats_default.te create mode 100644 whitechapel/vendor/google/hal_radioext_default.te create mode 100644 whitechapel/vendor/google/hal_secure_element_default.te create mode 100644 whitechapel/vendor/google/hal_tetheroffload_default.te create mode 100644 whitechapel/vendor/google/hal_thermal_default.te create mode 100644 whitechapel/vendor/google/hal_usb_impl.te create mode 100644 whitechapel/vendor/google/hal_uwb_default.te create mode 100644 whitechapel/vendor/google/hal_vendor_hwcservice_default.te create mode 100644 whitechapel/vendor/google/hal_wifi.te create mode 
100644 whitechapel/vendor/google/hal_wifi_ext.te create mode 100644 whitechapel/vendor/google/hal_wlc.te create mode 100644 whitechapel/vendor/google/hardware_info_app.te create mode 100644 whitechapel/vendor/google/hbmsvmanager_app.te create mode 100644 whitechapel/vendor/google/hwservice.te create mode 100644 whitechapel/vendor/google/hwservice_contexts create mode 100644 whitechapel/vendor/google/hwservicemanager.te create mode 100644 whitechapel/vendor/google/incident.te create mode 100644 whitechapel/vendor/google/init-insmod-sh.te create mode 100644 whitechapel/vendor/google/init.te create mode 100644 whitechapel/vendor/google/init_radio.te create mode 100644 whitechapel/vendor/google/installd.te create mode 100644 whitechapel/vendor/google/kernel.te create mode 100644 whitechapel/vendor/google/keys.conf create mode 100644 whitechapel/vendor/google/lhd.te create mode 100644 whitechapel/vendor/google/logger_app.te create mode 100644 whitechapel/vendor/google/mac_permissions.xml create mode 100644 whitechapel/vendor/google/mediacodec.te create mode 100644 whitechapel/vendor/google/modem_diagnostics.te create mode 100644 whitechapel/vendor/google/modem_logging_control.te create mode 100644 whitechapel/vendor/google/modem_svc_sit.te create mode 100644 whitechapel/vendor/google/netutils_wrapper.te create mode 100644 whitechapel/vendor/google/ofl_app.te create mode 100644 whitechapel/vendor/google/omadm.te create mode 100644 whitechapel/vendor/google/pixelstats_vendor.te create mode 100644 whitechapel/vendor/google/pktrouter.te create mode 100644 whitechapel/vendor/google/platform_app.te create mode 100644 whitechapel/vendor/google/priv_app.te create mode 100644 whitechapel/vendor/google/property.te create mode 100644 whitechapel/vendor/google/property_contexts create mode 100644 whitechapel/vendor/google/radio.te create mode 100644 whitechapel/vendor/google/ramdump_app.te create mode 100644 whitechapel/vendor/google/recovery.te create mode 100644 
whitechapel/vendor/google/rfsd.te create mode 100644 whitechapel/vendor/google/ril_config_service.te create mode 100644 whitechapel/vendor/google/rild.te create mode 100644 whitechapel/vendor/google/rlsservice.te create mode 100644 whitechapel/vendor/google/scd.te create mode 100644 whitechapel/vendor/google/sced.te create mode 100644 whitechapel/vendor/google/seapp_contexts create mode 100644 whitechapel/vendor/google/securedpud.slider.te create mode 100644 whitechapel/vendor/google/service.te create mode 100644 whitechapel/vendor/google/service_contexts create mode 100644 whitechapel/vendor/google/shell.te create mode 100644 whitechapel/vendor/google/ssr_detector.te create mode 100644 whitechapel/vendor/google/storageproxyd.te create mode 100644 whitechapel/vendor/google/system_app.te create mode 100644 whitechapel/vendor/google/system_server.te create mode 100644 whitechapel/vendor/google/tcpdump_logger.te create mode 100644 whitechapel/vendor/google/toolbox.te create mode 100644 whitechapel/vendor/google/trusty_apploader.te create mode 100644 whitechapel/vendor/google/trusty_metricsd.te create mode 100644 whitechapel/vendor/google/twoshay.te create mode 100644 whitechapel/vendor/google/untrusted_app_all.te create mode 100644 whitechapel/vendor/google/update_engine.te create mode 100644 whitechapel/vendor/google/uwb_vendor_app.te create mode 100644 whitechapel/vendor/google/vcd.te create mode 100644 whitechapel/vendor/google/vendor_ims_app.te create mode 100644 whitechapel/vendor/google/vendor_init.te create mode 100644 whitechapel/vendor/google/vendor_shell.te create mode 100644 whitechapel/vendor/google/vendor_telephony_app.te create mode 100644 whitechapel/vendor/google/vndservice.te create mode 100644 whitechapel/vendor/google/vndservice_contexts create mode 100644 whitechapel/vendor/google/vold.te create mode 100644 whitechapel/vendor/google/wifi_sniffer.te create mode 100644 whitechapel/vendor/google/wlcfwupdate.te 
diff --git a/ambient/exo_app.te b/ambient/exo_app.te
new file mode 100644
index 00000000..ef928f65
--- /dev/null
+++ b/ambient/exo_app.te
@@ -0,0 +1,20 @@
+type exo_app, coredomain, domain;
+
+app_domain(exo_app)
+net_domain(exo_app)
+
+allow exo_app app_api_service:service_manager find;
+allow exo_app audioserver_service:service_manager find;
+allow exo_app cameraserver_service:service_manager find;
+allow exo_app mediaserver_service:service_manager find;
+allow exo_app radio_service:service_manager find;
+allow exo_app fwk_stats_service:service_manager find;
+allow exo_app mediametrics_service:service_manager find;
+allow exo_app gpu_device:dir search;
+
+allow exo_app uhid_device:chr_file rw_file_perms;
+
+binder_call(exo_app, statsd)
+binder_use(exo_app)
+
+get_prop(exo_app, device_config_runtime_native_boot_prop)
diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts
new file mode 100644
index 00000000..8024688c
--- /dev/null
+++ b/ambient/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for Exo app
+user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
diff --git a/display/common/file.te b/display/common/file.te
new file mode 100644
index 00000000..3734e33c
--- /dev/null
+++ b/display/common/file.te
@@ -0,0 +1 @@
+type persist_display_file, file_type, vendor_persist_type;
diff --git a/display/common/file_contexts b/display/common/file_contexts
new file mode 100644
index 00000000..bca77466
--- /dev/null
+++ b/display/common/file_contexts
@@ -0,0 +1 @@
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts
new file mode 100644
index 00000000..6b155761
--- /dev/null
+++ b/display/gs101/genfs_contexts
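Review bot: `allow exo_app uhid_device:chr_file rw_file_perms;` in ambient/exo_app.te gives an app domain read/write (ioctl included) on the uhid character device, which is the kernel interface for registering virtual HID input devices; that is a far larger capability than the `service_manager find` rules around it, and the hunk gives no comment saying which Exo feature needs it. Add a why-comment above the line, e.g. `# Exo registers a virtual HID device through /dev/uhid for <feature>` with the feature named, so the next reviewer can judge whether the grant is still needed. If only a fixed set of uhid ioctls is used, consider restricting them with an `allowxperm` ioctl list rather than the full `rw_file_perms`; I cannot tell from this hunk which ioctls the app issues, so treat that as a question for the owner.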
@@ -0,0 +1,14 @@
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0
+
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c300000.drmdecon/dqe/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te
new file mode 100644
index 00000000..b5139133
--- /dev/null
+++ b/display/gs101/hal_graphics_composer_default.te
@@ -0,0 +1,38 @@
+allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+userdebug_or_eng(`
+ allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
+
+ # For HWC/libdisplaycolor to generate calibration file.
+ allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+ allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
+')
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# allow HWC to get vendor_persist_sys_default_prop
+get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
+
+# allow HWC to get vendor_display_prop
+get_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+binder_use(hal_graphics_composer_default)
+get_prop(hal_graphics_composer_default, boot_status_prop);
+
+# allow HWC to access vendor log file
+allow hal_graphics_composer_default vendor_log_file:file create_file_perms;
diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
index e69de29b..17e22778 100644
--- a/gs201-sepolicy.mk
+++ b/gs201-sepolicy.mk
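Review bot: `get_prop(hal_graphics_composer_default, boot_status_prop);` carries a trailing semicolon that the other three `get_prop()` calls in this hunk do not; the macro already expands to a complete rule, so the `;` leaves a stray empty statement whose acceptance depends on the policy compiler. Change it to `get_prop(hal_graphics_composer_default, boot_status_prop)` for consistency. Separately, the last rule `allow hal_graphics_composer_default vendor_log_file:file create_file_perms;` is unconditional while the matching `vendor_log_file:dir create_dir_perms` grant sits inside `userdebug_or_eng`; if file creation in the vendor log directory is meant to be debug-only as well, it should move into that block, and if it is needed on user builds the comment above it should say why.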
@@ -0,0 +1,39 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel/vendor/google
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private
+
+# Display
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/display/common
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/display/gs201
+
+# Micro sensor framework (usf)
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/usf
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/private
+
+#
+# Pixel-wide
+#
+# Dauntless (uses Citadel policy currently)
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
+
+# Wifi
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext
+
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# sscoredump
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump
+
+# Sniffer Logger
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer
+
+# Wifi Logger
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger
diff --git a/private/dex2oat.te b/private/dex2oat.te
new file mode 100644
index 00000000..50d7852c
--- /dev/null
+++ b/private/dex2oat.te
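Review bot: `BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/display/gs201` names a directory this commit does not create: the diffstat and the two hunks above add `display/gs101/genfs_contexts` and `display/gs101/hal_graphics_composer_default.te`, so the sysfs labels and HWC rules in them would not be picked up by the build (or the build would fail on the missing path) until the directory and the makefile line agree. The commit's `s/gs101/gs201/g` evidently rewrote the path inside the makefile but not the directory name; either rename the directory to `display/gs201` or change the line to `display/gs101`. The genfs_contexts file cloned there also hard-codes gs101 platform addresses (`1c2c0000.drmdsim`, `1c300000.drmdecon`, etc.), so whoever fixes the path should confirm those device paths are still correct for the gs201 SoC.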
@@ -0,0 +1,59 @@
+# b/187016929
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat proc_filesystems:file read ;
+dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat proc_filesystems:file read ;
+dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
new file mode 100644
index 00000000..fa20f247
--- /dev/null
+++ b/private/gmscore_app.te
@@ -0,0 +1,2 @@
+# b/177389198
+dontaudit gmscore_app adbd_prop:file *;
diff --git a/private/hal_dumpstate_default.te b/private/hal_dumpstate_default.te
new file mode 100644
index 00000000..83c75689
--- /dev/null
+++ b/private/hal_dumpstate_default.te
@@ -0,0 +1,2 @@
+# b/176868217
+dontaudit hal_dumpstate adbd_prop:file *;
diff --git a/private/incidentd.te b/private/incidentd.te
new file mode 100644
index 00000000..1557f065
--- /dev/null
+++ b/private/incidentd.te
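Review bot: private/dex2oat.te repeats `dontaudit dex2oat vendor_overlay_file:file read ;` more than fifty times and the `proc_filesystems` and `postinstall_apex_mnt_dir` rules twice each, which reads like raw audit-log output pasted in without de-duplication; the same pattern appears in private/incidentd.te, private/lpdumpd.te, private/priv_app.te and tracking_denials/gpsd.te. Each file should be collapsed to its unique rules so a reader can see at a glance what is being silenced — for dex2oat that is three lines: `dontaudit dex2oat vendor_overlay_file:file read;`, `dontaudit dex2oat proc_filesystems:file read;` and `dontaudit dex2oat postinstall_apex_mnt_dir:file getattr;`, with the `# b/…` line kept as the header. Where several permissions on one target are listed separately (incidentd, priv_app, gpsd), merge them into one rule with a permission set such as `{ getattr open map }`. Keeping the bug reference per group of rules, rather than one at the top, would also make it easier to remove each dontaudit once its bug is resolved.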
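Review bot: `dontaudit gmscore_app adbd_prop:file *;` silences every access vector on the adbd property file, not just the reads that caused the tracked denial; the sibling files in this commit (private/incidentd.te, private/priv_app.te) show the observed set is `{ getattr open map }`, and a wildcard also hides any future, unrelated denial on that file from the audit log. Narrow it to `dontaudit gmscore_app adbd_prop:file { getattr open map };`. The same wildcard is used in private/hal_dumpstate_default.te and private/untrusted_app_25.te and should be narrowed there too.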
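Review bot: `dontaudit hal_dumpstate adbd_prop:file *;` in private/hal_dumpstate_default.te targets the `hal_dumpstate` attribute, which covers every domain carrying that attribute, rather than the `hal_dumpstate_default` domain the file is named after. If the intent is to silence only the default HAL implementation, the subject should be `hal_dumpstate_default`; if the broader attribute is deliberate, a comment such as `# applies to all hal_dumpstate server/client domains` would stop the next reader from "fixing" it.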
@@ -0,0 +1,14 @@
+# b/174961589
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file map ;
+dontaudit incidentd apexd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file map ;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
new file mode 100644
index 00000000..86a101c5
--- /dev/null
+++ b/private/lpdumpd.te
@@ -0,0 +1,7 @@
+# b/177176997
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file read ;
diff --git a/private/priv_app.te b/private/priv_app.te
new file mode 100644
index 00000000..2ef1f969
--- /dev/null
+++ b/private/priv_app.te
@@ -0,0 +1,19 @@
+# b/178433525
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app adbd_prop:file { getattr };
diff --git a/private/radio.te b/private/radio.te
new file mode 100644
index 00000000..a569b9c5
--- /dev/null
+++ b/private/radio.te
@@ -0,0 +1 @@
+add_service(radio, uce_service)
diff --git a/private/service_contexts b/private/service_contexts
new file mode 100644
index 00000000..8877518a
--- /dev/null
+++ b/private/service_contexts
@@ -0,0 +1 @@
+telephony.oem.oemrilhook u:object_r:radio_service:s0
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
new file mode 100644
index 00000000..f26e0815
--- /dev/null
+++ b/private/untrusted_app_25.te
@@ -0,0 +1,2 @@
+# b/177389321
+dontaudit untrusted_app_25 adbd_prop:file *;
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
new file mode 100644
index 00000000..0e29999c
--- /dev/null
+++ b/private/wait_for_keymaster.te
@@ -0,0 +1,2 @@
+# b/188114822
+dontaudit wait_for_keymaster servicemanager:binder transfer;
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
new file mode 100644
index 00000000..9f462bda
--- /dev/null
+++ b/system_ext/private/property_contexts
@@ -0,0 +1,2 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
new file mode 100644
index 00000000..8908e485
--- /dev/null
+++ b/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+system_vendor_config_prop(fingerprint_ghbm_prop)
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
new file mode 100644
index 00000000..513736b9
--- /dev/null
+++ b/tracking_denials/dumpstate.te
@@ -0,0 +1,4 @@
+# b/185723618
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
+# b/187795940
+dontaudit dumpstate twoshay:binder call;
diff --git a/tracking_denials/gpsd.te b/tracking_denials/gpsd.te
new file mode 100644
index 00000000..fe554396
--- /dev/null
+++ b/tracking_denials/gpsd.te
@@ -0,0 +1,11 @@
+# b/173969091
+dontaudit gpsd radio_prop:file { read };
+dontaudit gpsd radio_prop:file { open };
+dontaudit gpsd radio_prop:file { map };
+dontaudit gpsd radio_prop:file { map };
+dontaudit gpsd system_data_file:dir { search };
+dontaudit gpsd radio_prop:file { read };
+dontaudit gpsd radio_prop:file { open };
+dontaudit gpsd radio_prop:file { getattr };
+dontaudit gpsd system_data_file:dir { search };
+dontaudit gpsd radio_prop:file { getattr };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..6ab5a51c
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,5 @@
+# b/178980085
+dontaudit hal_camera_default system_data_file:dir { search };
+# b/180567725
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
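Review bot: `system_vendor_config_prop(fingerprint_ghbm_prop)` declares, as I read the AOSP macro, a property that only vendor_init may set, while the comment on this hunk and on the `persist.fingerprint.ghbm` entry in the property_contexts hunk just above calls it a "toggle". If a HAL or app is expected to flip it at runtime, that domain needs its own set_prop and this declaration's neverallow will block it; if it really is a boot-time configuration value, the comment should say so, e.g. `# Fingerprint (UDFPS) GHBM/LHBM toggle, settable only by vendor_init`. No reader is granted get_prop in this commit's visible hunks, so presumably that is done elsewhere.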
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
new file mode 100644
index 00000000..e9c6ff2a
--- /dev/null
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -0,0 +1,15 @@
+# b/183338543
+dontaudit hal_fingerprint_default system_data_root_file:file { read };
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+dontaudit hal_fingerprint_default system_data_root_file:file { open };
+dontaudit hal_fingerprint_default system_data_root_file:file { read };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+dontaudit hal_fingerprint_default system_data_root_file:file { open };
+# b/187015705
+dontaudit hal_fingerprint_default property_socket:sock_file write;
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
new file mode 100644
index 00000000..ef727b51
--- /dev/null
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -0,0 +1,3 @@
+# b/185723492
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..9ebda637
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -0,0 +1,33 @@
+# b/171160755
+dontaudit hal_neuralnetworks_armnn traced:unix_stream_socket connectto ;
+dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager add ;
+dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager find ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager:binder transfer ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager:binder call ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file map ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file getattr ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file open ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file read ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file open ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file getattr ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file ioctl ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file map ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
+dontaudit hal_neuralnetworks_armnn traced_producer_socket:sock_file write ;
+dontaudit hal_neuralnetworks_armnn hidl_base_hwservice:hwservice_manager add ;
+# b/171670122
+dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { read };
+dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { open };
+# b/180550063
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+# b/180858476
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te
new file mode 100644
index 00000000..54fa8a2f
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_darwinn.te
@@ -0,0 +1,14 @@
+# b/182524105
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
+dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
+# b/183935302
+dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
+dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..ab5c7ecd
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,12 @@
+# b/171760921
+dontaudit hal_power_default hal_power_default:capability { dac_override };
+# b/178331773
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs:file { open };
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs:file { open };
+# b/178752616
+dontaudit hal_power_default sysfs:file { read };
+dontaudit hal_power_default sysfs:file { getattr };
+dontaudit hal_power_default sysfs:file { read };
+dontaudit hal_power_default sysfs:file { getattr };
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
new file mode 100644
index 00000000..810cb701
--- /dev/null
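Review bot: The `hal_neuralnetworks_hwservice:hwservice_manager add ;`, `hwservicemanager:binder transfer ;`/`call ;` and `hidl_base_hwservice:hwservice_manager add ;` lines under b/171160755 suppress what looks like the armnn HAL failing to register itself with hwservicemanager, and a dontaudit keeps that failure out of the log without making the service work. If the HAL is meant to be reachable it should get registration through `hal_server_domain`/`add_hwservice` rather than have the denial hidden; if it is intentionally disabled on this board, the comment should say so, so nobody later reads the silence as success. The `gpu_device:chr_file` and `traced` entries in the same group are ordinary tracking suppressions and are fine pending the bug. This hunk starts at L21.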
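Review bot: `dontaudit hal_power_default hal_power_default:capability { dac_override };` (and the identical pair for trusty_apploader at L25) hides a DAC-override attempt, which usually means a file the daemon opens has the wrong owner or mode rather than a missing policy rule; silencing it leaves that misconfiguration invisible. Recording the path that triggered it next to the bug id, e.g. `# b/171760921: dac_override on <PATH_PLACEHOLDER>; fix ownership in the init rc rather than grant`, lets the suppression be removed once the node is chowned.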
+++ b/tracking_denials/hardware_info_app.te
@@ -0,0 +1,18 @@
+# b/181177926
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { getattr };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { open };
+dontaudit hardware_info_app sysfs_batteryinfo:file { read };
+dontaudit hardware_info_app sysfs:file { read };
+dontaudit hardware_info_app sysfs:file { open };
+dontaudit hardware_info_app sysfs:file { getattr };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:dir { search };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { read };
+dontaudit hardware_info_app sysfs_batteryinfo:dir { search };
+# b/181914888
+dontaudit hardware_info_app sysfs_batteryinfo:file { open };
+dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
+dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
+# b/181915166
+dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
+dontaudit hardware_info_app sysfs_batteryinfo:file { open };
+dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 00000000..a998712f
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,2 @@
+# b/187015816
+dontaudit incidentd apex_info_file:file getattr;
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
new file mode 100644
index 00000000..27d6f882
--- /dev/null
+++ b/tracking_denials/init.te
@@ -0,0 +1,3 @@
+# b/180963348
+dontaudit init overlayfs_file:chr_file { unlink };
+dontaudit init overlayfs_file:file { rename };
diff --git a/tracking_denials/ofl_app.te b/tracking_denials/ofl_app.te
new file mode 100644
index 00000000..525ebdad
--- /dev/null
+++ b/tracking_denials/ofl_app.te
@@ -0,0 +1,3 @@
+# b/184005231
+dontaudit ofl_app default_prop:file { read };
+
diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te
new file mode 100644
index 00000000..4bc5f01f
--- /dev/null
+++ b/tracking_denials/pixelstats_vendor.te
@@ -0,0 +1,7 @@
+# b/183338421
+dontaudit pixelstats_vendor sysfs_dma_heap:dir { search };
+dontaudit pixelstats_vendor sysfs_dma_heap:file { read };
+dontaudit pixelstats_vendor sysfs_dma_heap:file { open };
+dontaudit pixelstats_vendor sysfs_dma_heap:file { getattr };
+# b/188114896
+dontaudit pixelstats_vendor debugfs_mgm:dir read;
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 00000000..bebe3936
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,2 @@
+# b/187016930
+dontaudit priv_app fwk_stats_service:service_manager find ;
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
new file mode 100644
index 00000000..0900dcdf
--- /dev/null
+++ b/tracking_denials/servicemanager.te
@@ -0,0 +1,3 @@
+# b/182086688
+dontaudit servicemanager hal_sensors_default:binder { call };
+dontaudit servicemanager hal_sensors_default:binder { call };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 00000000..1f7fd2ad
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,12 @@
+# b/176868297
+dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
+# b/177176899
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te
new file mode 100644
index 00000000..3f6e9ae9
--- /dev/null
+++ b/tracking_denials/trusty_apploader.te
@@ -0,0 +1,3 @@
+# b/182953825
+dontaudit trusty_apploader trusty_apploader:capability { dac_override };
+dontaudit trusty_apploader trusty_apploader:capability { dac_override };
diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te
new file mode 100644
index 00000000..9b098f88
--- /dev/null
+++ b/tracking_denials/untrusted_app.te
@@ -0,0 +1,4 @@
+# b/184593993
+dontaudit untrusted_app vendor_camera_prop:file { read };
+dontaudit untrusted_app vendor_camera_prop:file { read };
+dontaudit untrusted_app vendor_camera_prop:file { read };
diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te
new file mode 100644
index 00000000..98e7b851
--- /dev/null
+++ b/tracking_denials/update_engine.te
@@ -0,0 +1,2 @@
+# b/187016910
+dontaudit update_engine mnt_vendor_file:dir search ;
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
new file mode 100644
index 00000000..d2c20fe1
--- /dev/null
+++ b/tracking_denials/vendor_init.te
@@ -0,0 +1,2 @@
+# b/176528557
+dontaudit vendor_init debugfs_trace_marker:file { getattr };
diff --git a/usf/file.te b/usf/file.te
new file mode 100644
index 00000000..e264c277
--- /dev/null
+++ b/usf/file.te
@@ -0,0 +1,12 @@
+#
+# USF file SELinux type enforcements.
+#
+
+# Declare the sensor registry persist file type. By convention, persist file
+# types begin with "persist_".
+type persist_sensor_reg_file, file_type, vendor_persist_type;
+
+# Declare the sensor registry data file type. By convention, data file types
+# end with "data_file".
+type sensor_reg_data_file, file_type, data_file_type;
+
diff --git a/usf/file_contexts b/usf/file_contexts
new file mode 100644
index 00000000..ff3d41d3
--- /dev/null
+++ b/usf/file_contexts
@@ -0,0 +1,10 @@
+#
+# USF SELinux file security contexts.
+#
+
+# Sensor registry persist files.
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+
+# Sensor registry data files.
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
new file mode 100644
index 00000000..233c5231
--- /dev/null
+++ b/usf/sensor_hal.te
@@ -0,0 +1,60 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow reading of sensor registry persist files.
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default mnt_vendor_file:dir search;
+r_dir_file(hal_sensors_default, persist_sensor_reg_file)
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file rw_file_perms;
+
+# Allow access to the power supply files for MagCC.
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
+allow hal_sensors_default sysfs_aoc:file r_file_perms;
+
+# Allow use of the USF low latency transport.
+usf_low_latency_transport(hal_sensors_default)
+
+# Allow sensor HAL to reset AOC.
+allow hal_sensors_default sysfs_aoc_reset:file w_file_perms;
+
+#
+# Suez type enforcements.
+#
+
+# Allow SensorSuez to connect AIDL stats.
+binder_use(hal_sensors_default);
+allow hal_sensors_default fwk_stats_service:service_manager find;
+
+# Allow access to CHRE socket to connect to nanoapps.
+unix_socket_connect(hal_sensors_default, chre, chre)
+
+# Allow sensor HAL to read lhbm.
+allow hal_sensors_default sysfs_lhbm:file r_file_perms;
diff --git a/usf/te_macros b/usf/te_macros
new file mode 100644
index 00000000..01ac13c1
--- /dev/null
+++ b/usf/te_macros
@@ -0,0 +1,14 @@
+#
+# USF SELinux type enforcement macros.
+#
+
+#
+# usf_low_latency_transport(domain)
+#
+# Allows domain use of the USF low latency transport.
+#
+define(`usf_low_latency_transport', `
+ allow $1 hal_graphics_mapper_hwservice:hwservice_manager find;
+ hal_client_domain($1, hal_graphics_allocator)
+')
+
diff --git a/whitechapel/vendor/google/aocd.te b/whitechapel/vendor/google/aocd.te
new file mode 100644
index 00000000..79add165
--- /dev/null
+++ b/whitechapel/vendor/google/aocd.te
@@ -0,0 +1,21 @@
+type aocd, domain;
+type aocd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocd)
+
+# access persist files
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+r_dir_file(aocd, persist_aoc_file);
+
+# sysfs operations
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+
+# dev operations
+allow aocd aoc_device:chr_file r_file_perms;
+
+# allow inotify to watch for additions/removals from /dev
+allow aocd device:dir r_dir_perms;
+
+# set properties
+set_prop(aocd, vendor_aoc_prop)
diff --git a/whitechapel/vendor/google/aocdump.te b/whitechapel/vendor/google/aocdump.te
new file mode 100644
index 00000000..ca468a35
--- /dev/null
+++ b/whitechapel/vendor/google/aocdump.te
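Review bot: Macro invocations in this hunk are written inconsistently: `binder_call(hal_sensors_default, system_server);` and `binder_use(hal_sensors_default);` carry a trailing semicolon while `usf_low_latency_transport(hal_sensors_default)` and `unix_socket_connect(hal_sensors_default, chre, chre)` do not; the m4 expansions already terminate their own rules, so the bare form is the one to keep. Two comments also say what but not why a write is needed: `# Allow display_info_service access to the backlight driver.` precedes `rw_file_perms` on every `sysfs_leds` file, and `# Allow sensor HAL to reset AOC.` grants `w_file_perms` on `sysfs_aoc_reset`; a line such as `# Sensor HAL writes brightness to sysfs_leds for <FEATURE_PLACEHOLDER>; read-only is not enough because …` records the review decision. The hunk starts at L27.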
@@ -0,0 +1,19 @@
+type aocdump, domain;
+type aocdump_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocdump)
+
+userdebug_or_eng(`
+ # Permit communication with AoC
+ allow aocdump aoc_device:chr_file rw_file_perms;
+
+ allow aocdump radio_vendor_data_file:dir rw_dir_perms;
+ allow aocdump radio_vendor_data_file:file create_file_perms;
+ allow aocdump wifi_logging_data_file:dir create_dir_perms;
+ allow aocdump wifi_logging_data_file:file create_file_perms;
+ set_prop(aocdump, vendor_audio_prop);
+ r_dir_file(aocdump, proc_asound)
+
+ allow aocdump self:unix_stream_socket create_stream_socket_perms;
+ allow aocdump property_socket:sock_file { write };
+ allow aocdump audio_vendor_data_file:sock_file { create unlink };
+')
diff --git a/whitechapel/vendor/google/attributes b/whitechapel/vendor/google/attributes
new file mode 100644
index 00000000..7e6def72
--- /dev/null
+++ b/whitechapel/vendor/google/attributes
@@ -0,0 +1 @@
+attribute vendor_persist_type;
diff --git a/whitechapel/vendor/google/audioserver.te b/whitechapel/vendor/google/audioserver.te
new file mode 100644
index 00000000..69d7c1a4
--- /dev/null
+++ b/whitechapel/vendor/google/audioserver.te
@@ -0,0 +1,2 @@
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/bipchmgr.te b/whitechapel/vendor/google/bipchmgr.te
new file mode 100644
index 00000000..9298e322
--- /dev/null
+++ b/whitechapel/vendor/google/bipchmgr.te
@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)
diff --git a/whitechapel/vendor/google/bootanim.te b/whitechapel/vendor/google/bootanim.te
new file mode 100644
index 00000000..7b3019df
--- /dev/null
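Review bot: `allow aocdump property_socket:sock_file { write };` looks redundant with `set_prop(aocdump, vendor_audio_prop);` a few lines above it, since AOSP's set_prop expands through unix_socket_send to exactly that property_socket write; likewise, in the bipchmgr hunk on this line, `get_prop(bipchmgr, hwservicemanager_prop);` duplicates what `hwbinder_use(bipchmgr)` already grants. Dropping the explicit rules keeps the policy minimal and stops a reader from assuming aocdump sets some property other than vendor_audio_prop. If the explicit write is kept for another reason, a comment naming it would help.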
+++ b/whitechapel/vendor/google/bootanim.te
@@ -0,0 +1,5 @@
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on phones since this functionality is not used.
+dontaudit bootanim system_data_file:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/bootdevice_sysdev.te b/whitechapel/vendor/google/bootdevice_sysdev.te
new file mode 100644
index 00000000..2ff0acb9
--- /dev/null
+++ b/whitechapel/vendor/google/bootdevice_sysdev.te
@@ -0,0 +1 @@
+allow bootdevice_sysdev sysfs:filesystem associate;
diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te
new file mode 100644
index 00000000..23c4e576
--- /dev/null
+++ b/whitechapel/vendor/google/cbd.te
@@ -0,0 +1,63 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+
+# Allow cbd to setuid from root to radio
+# TODO: confirming with vendor via b/182334947
+allow cbd self:capability { setgid setuid };
+
+allow cbd mnt_vendor_file:dir r_dir_perms;
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+allow cbd proc_cmdline:file r_file_perms;
+
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ r_dir_file(cbd, vendor_slog_file)
+
+ allow cbd kernel:system syslog_read;
+
+ allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+
diff --git a/whitechapel/vendor/google/cbrs_setup.te b/whitechapel/vendor/google/cbrs_setup.te
new file mode 100644
index 00000000..1abbcff1
--- /dev/null
+++ b/whitechapel/vendor/google/cbrs_setup.te
@@ -0,0 +1,13 @@
+# GoogleCBRS app
+type cbrs_setup_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cbrs_setup_app)
+ net_domain(cbrs_setup_app)
+
+ allow cbrs_setup_app app_api_service:service_manager find;
+ allow cbrs_setup_app cameraserver_service:service_manager find;
+ allow cbrs_setup_app radio_service:service_manager find;
+ set_prop(cbrs_setup_app, radio_prop)
+ set_prop(cbrs_setup_app, vendor_rild_prop)
+')
diff --git a/whitechapel/vendor/google/certs/com_google_mds.x509.pem b/whitechapel/vendor/google/certs/com_google_mds.x509.pem
new file mode 100644
index 00000000..640c6fb9
--- /dev/null
+++ b/whitechapel/vendor/google/certs/com_google_mds.x509.pem
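Review bot: `allow cbd vendor_shell_exec:file execute_no_trans;` and `allow cbd vendor_toolbox_exec:file execute_no_trans;` let a daemon that also holds `self:capability { setgid setuid }` run a shell and toolbox inside its own domain, and unlike the `userdebug_or_eng` block at the end of the hunk these two rules are unconditional and uncommented. A comment stating which command cbd spawns and why it cannot be done in-process, e.g. `# cbd runs <COMMAND_PLACEHOLDER> via the vendor shell during modem bring-up`, is the minimum; if the shell is only used for debugging, the two lines belong inside the userdebug_or_eng block. The setuid TODO already references b/182334947, so this could be tracked there. The hunk starts at L31.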
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds +ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG +A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl +IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv +6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh +WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW +LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP +URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6 +TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I +IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5 +GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO +C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q +OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ +KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz +K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT +EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa +DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx +7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57 +vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo +xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH +64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni 
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
diff --git a/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem b/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
new file mode 100644
index 00000000..0e7c9ed5
--- /dev/null
+++ b/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv +X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR +BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds +ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa +IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW +fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ +KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW +BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s +ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X +QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG +gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj +RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn +iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ +KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t +fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z +0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe +cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0 +6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg +NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY +ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp +BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh 
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz
+lHV8gmlwBAuAx9ITcTJr
+-----END CERTIFICATE-----
diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te
new file mode 100644
index 00000000..7eca5e43
--- /dev/null
+++ b/whitechapel/vendor/google/chre.te
@@ -0,0 +1,17 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
+
+# Allow CHRE to use the USF low latency transport
+usf_low_latency_transport(chre)
+
diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te
new file mode 100644
index 00000000..8695ccaa
--- /dev/null
+++ b/whitechapel/vendor/google/con_monitor.te
@@ -0,0 +1,10 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain, coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
+allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
+allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
new file mode 100644
index 00000000..5c6a2d88
--- /dev/null
+++ b/whitechapel/vendor/google/device.te
@@ -0,0 +1,62 @@
+# Block Devices
+type efs_block_device, dev_type;
+type fat_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type vendor_block_device, dev_type;
+type sda_block_device, dev_type;
+
+# Exynos devices
+type vendor_m2m1shot_device, dev_type;
+type vendor_gnss_device, dev_type;
+type vendor_nanohub_device, dev_type;
+type vendor_secmem_device, dev_type;
+type pktrouter_device, dev_type;
+type vendor_toe_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type tui_device, dev_type;
+
+# usbpd
+type logbuffer_device, dev_type;
+
+# EdgeTPU device (DarwiNN)
+type edgetpu_device, dev_type, mlstrustedobject;
+
+#cpuctl
+type cpuctl_device, dev_type;
+
+# Bt Wifi Coexistence device
+type wb_coexistence_dev, dev_type;
+
+# Touch
+type touch_offload_device, dev_type;
+
+# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
+type lwis_device, dev_type;
+
+# RLS device
+type rls_device, dev_type;
+
+# sensor direct DMA-BUF heap
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+
+#faceauth DMA-BUF heaps
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vframe-secure DMA-BUF heap
+type vframe_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vscaler-secure DMA-BUF heap
+type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+
+# AOC device
+type aoc_device, dev_type;
+
+# Fingerprint device
+type fingerprint_device, dev_type;
+
+# AMCS device
+type amcs_device, dev_type;
+
diff --git a/whitechapel/vendor/google/dmd.te b/whitechapel/vendor/google/dmd.te
new file mode 100644
index 00000000..4f9cef1d
--- /dev/null
+++ b/whitechapel/vendor/google/dmd.te
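Review bot: `type edgetpu_device, dev_type, mlstrustedobject;` is the only device type in this hunk carrying mlstrustedobject, which exempts the node from the MLS constraints that keep app-level domains apart, and the comment `# EdgeTPU device (DarwiNN)` does not say which per-user client needs that. A short why-comment, e.g. `# EdgeTPU device (DarwiNN); mlstrustedobject so that <CLIENT_DOMAIN_PLACEHOLDER> can open it across MLS levels`, records the decision for the next reviewer and makes it obvious when the exemption can be dropped.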
@@ -0,0 +1,33 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+binder_call(dmd, hwservicemanager)
+binder_call(dmd, modem_diagnostic_app)
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_app)
diff --git a/whitechapel/vendor/google/domain.te b/whitechapel/vendor/google/domain.te
new file mode 100644
index 00000000..cffaf8cd
--- /dev/null
+++ b/whitechapel/vendor/google/domain.te
@@ -0,0 +1 @@
+allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;
diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te
new file mode 100644
index 00000000..7c024e3d
--- /dev/null
+++ b/whitechapel/vendor/google/dumpstate.te
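Review bot: The `self:tcp_socket { ... listen accept bind }` and `node:tcp_socket node_bind` rules make dmd a network listener, but no port type receives `name_bind` here and the comment `# Grant to access tcp socket` says nothing about which port or address the listener is bound to; together with the rw grants on `radio_device` and `serial_device` this is the most sensitive rule set in the file and should be justified inline. Propose `# dmd listens on a TCP socket for the external logging tool; bound to <port/address> — TODO confirm` and, if a fixed port is used, an explicit `name_bind` on a dedicated port type rather than a grant that must live elsewhere. Style: the hwservice registration is spelled out by hand (`hidl_base_hwservice:hwservice_manager add` plus `hal_vendor_oem_hwservice ... { add find }`), whereas hal_exo_camera_injection.te in this same change uses `hwbinder_use()` and `add_hwservice()`; the macro form keeps the two files consistent.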
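Review bot: `allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;` grants write access to the vendor scheduler sysfs nodes to every domain on the device except apps and renderscript, including every vendor HAL and core daemon; a sysfs write interface that influences scheduling is a control surface, and a rule this wide makes it impossible to tell which processes actually need it. Consider naming the writers (or an attribute they opt into) instead of `domain`, and at minimum add a comment stating why the write must be near-universal, e.g. `# <which library> loaded into arbitrary processes writes sched hints here — TODO confirm`.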
@@ -0,0 +1,16 @@
+dump_hal(hal_telephony)
+dump_hal(hal_graphics_composer)
+
+userdebug_or_eng(`
+ allow dumpstate media_rw_data_file:file append;
+')
+
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir r_dir_perms;
+
+allow dumpstate modem_efs_file:dir getattr;
+allow dumpstate modem_img_file:dir getattr;
+allow dumpstate modem_userdata_file:dir getattr;
+allow dumpstate fuse:dir search;
+
+dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;
diff --git a/whitechapel/vendor/google/e2fs.te b/whitechapel/vendor/google/e2fs.te
new file mode 100644
index 00000000..a6664594
--- /dev/null
+++ b/whitechapel/vendor/google/e2fs.te
@@ -0,0 +1,6 @@
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
diff --git a/whitechapel/vendor/google/edgetpu_app_service.te b/whitechapel/vendor/google/edgetpu_app_service.te
new file mode 100644
index 00000000..ffecdd1f
--- /dev/null
+++ b/whitechapel/vendor/google/edgetpu_app_service.te
@@ -0,0 +1,41 @@
+# EdgeTPU app server process which runs the EdgeTPU binder service.
+type edgetpu_app_server, coredomain, domain;
+type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(edgetpu_app_server)
+
+# The server will use binder calls.
+binder_use(edgetpu_app_server);
+
+# The server will serve a binder service.
+binder_service(edgetpu_app_server);
+
+# EdgeTPU binder service type declaration.
+type edgetpu_app_service, service_manager_type;
+
+# EdgeTPU server to register the service to service_manager.
+add_service(edgetpu_app_server, edgetpu_app_service);
+
+# EdgeTPU service needs to access /dev/abrolhos.
+allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
+
+# Applications are not allowed to open the EdgeTPU device directly.
+neverallow appdomain edgetpu_device:chr_file { open };
+
+# Allow EdgeTPU service to access the Package Manager service.
+allow edgetpu_app_server package_native_service:service_manager find;
+binder_call(edgetpu_app_server, system_server);
+
+# Allow EdgeTPU service to read EdgeTPU service related system properties.
+get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
+
+# Allow EdgeTPU service to generate Perfetto traces.
+perfetto_producer(edgetpu_app_server);
+
+# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
+allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
+binder_call(edgetpu_app_server, edgetpu_vendor_server);
+
+# Allow EdgeTPU service to log to stats service. (metrics)
+allow edgetpu_app_server fwk_stats_service:service_manager find;
diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/whitechapel/vendor/google/edgetpu_logging.te
new file mode 100644
index 00000000..8c2f0dc7
--- /dev/null
+++ b/whitechapel/vendor/google/edgetpu_logging.te
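Review bot: `neverallow appdomain edgetpu_device:chr_file { open };` forbids apps only from `open`, so an app can still read, write and ioctl an EdgeTPU fd that a service hands it; that is presumably the intended design (the server opens the node and brokers access), but the comment `# Applications are not allowed to open the EdgeTPU device directly.` should say that the fd-passing path stays allowed so nobody later "tightens" the rule and breaks the service, e.g. `# Apps may only use EdgeTPU fds brokered by edgetpu_app_server; a direct open of /dev/abrolhos is forbidden`. Style: macro invocations in this file carry a trailing `;` (`binder_use(edgetpu_app_server);`, `add_service(...);`) while `init_daemon_domain(edgetpu_app_server)` and the other .te files in this change do not; the same mix appears in edgetpu_logging.te and edgetpu_vendor_service.te, so one form should be chosen for all three.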
@@ -0,0 +1,15 @@
+type edgetpu_logging, domain;
+type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_logging)
+
+# The logging service accesses /dev/abrolhos
+allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
+
+# Allows the logging service to access /sys/class/edgetpu
+allow edgetpu_logging sysfs_edgetpu:dir search;
+allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;
+
+# Allow TPU logging service to log to stats service. (metrics)
+allow edgetpu_logging fwk_stats_service:service_manager find;
+binder_call(edgetpu_logging, system_server);
+binder_use(edgetpu_logging)
diff --git a/whitechapel/vendor/google/edgetpu_vendor_service.te b/whitechapel/vendor/google/edgetpu_vendor_service.te
new file mode 100644
index 00000000..538c47b9
--- /dev/null
+++ b/whitechapel/vendor/google/edgetpu_vendor_service.te
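Review bot: `allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;` gives a logging daemon write access to the EdgeTPU sysfs attributes, while the comment only says it needs to "access" them; if the daemon only reads counters, `r_file_perms` is sufficient, and if it writes (for example to enable a log level) the comment should name the attribute so the write grant can be audited. Propose `# reads /sys/class/edgetpu counters; write is needed for <attribute> — TODO confirm, otherwise drop to r_file_perms`.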
@@ -0,0 +1,28 @@
+# EdgeTPU vendor service.
+type edgetpu_vendor_server, domain;
+type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_vendor_server)
+
+# The vendor service will use binder calls.
+binder_use(edgetpu_vendor_server);
+
+# The vendor service will serve a binder service.
+binder_service(edgetpu_vendor_server);
+
+# EdgeTPU vendor service to register the service to service_manager.
+add_service(edgetpu_vendor_server, edgetpu_vendor_service);
+
+# Allow communications between other vendor services.
+allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
+
+# Allow EdgeTPU vendor service to access its data files.
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
+
+# Allow EdgeTPU vendor service to access Android shared memory allocated
+# by the camera hal for on-device compilation.
+allow edgetpu_vendor_server hal_camera_default:fd use;
+
+# Allow EdgeTPU vendor service to read the kernel version.
+# This is done inside the InitGoogle.
+allow edgetpu_vendor_server proc_version:file r_file_perms;
diff --git a/whitechapel/vendor/google/exo_camera_injection/dumpstate.te b/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
new file mode 100644
index 00000000..1a5b393d
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
@@ -0,0 +1,2 @@
+# For collecting bugreports.
+dump_hal(hal_camera)
diff --git a/whitechapel/vendor/google/exo_camera_injection/exo_app.te b/whitechapel/vendor/google/exo_camera_injection/exo_app.te
new file mode 100644
index 00000000..a90de48e
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/exo_app.te
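Review bot: `allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };` hand-spells the vendor-binder device access; `vndbinder_use(edgetpu_vendor_server)` is the conventional form, grants the equivalent device access and also covers the vndservicemanager interaction, so the rule set stays correct if the binder permission list changes. The comment above it, `# Allow communications between other vendor services.`, describes the effect rather than the need; naming the vendor service it actually talks to (e.g. `# vndbinder: talks to <peer service> — TODO confirm`) would let a reviewer check the grant against the service's dependencies.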
@@ -0,0 +1,3 @@
+# Allow exo app to find and bind exo camera injection hal.
+allow exo_app hal_exo_camera_injection_hwservice:hwservice_manager find;
+binder_call(exo_app, hal_exo_camera_injection)
diff --git a/whitechapel/vendor/google/exo_camera_injection/file_contexts b/whitechapel/vendor/google/exo_camera_injection/file_contexts
new file mode 100644
index 00000000..cfcbd6ff
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.0-service u:object_r:hal_exo_camera_injection_exec:s0
diff --git a/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te b/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
new file mode 100644
index 00000000..138d1b1d
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
@@ -0,0 +1,10 @@
+# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches.
+type hal_exo_camera_injection, domain;
+hal_server_domain(hal_exo_camera_injection, hal_camera)
+
+type hal_exo_camera_injection_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_exo_camera_injection)
+
+hwbinder_use(hal_exo_camera_injection)
+add_hwservice(hal_exo_camera_injection, hal_exo_camera_injection_hwservice)
+allow hal_exo_camera_injection hal_graphics_mapper_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/exo_camera_injection/hwservice.te b/whitechapel/vendor/google/exo_camera_injection/hwservice.te
new file mode 100644
index 00000000..cea97689
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/hwservice.te
@@ -0,0 +1 @@
+type hal_exo_camera_injection_hwservice, hwservice_manager_type;
diff --git a/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts b/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
new file mode 100644
index 00000000..59ccfe67
--- /dev/null
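Review bot: `hal_server_domain(hal_exo_camera_injection, hal_camera)` gives the injection service everything the policy grants to `hal_camera_server`, even though this hunk itself only adds an hwservice registration and a graphics-mapper find; the TODO says the domain is temporary, which is exactly when an over-broad attribute tends to stick. A comment stating which camera-HAL permissions the injection path actually depends on would let the move to pixel-sepolicy shrink it, e.g. `# hal_camera server attribute needed for <perm> — TODO confirm`. Related: the file_contexts entry added in this hunk uses `/vendor/bin/hw/...` while the main file_contexts in this change labels HAL binaries with `/(vendor|system/vendor)/bin/hw/...`.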
+++ b/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
@@ -0,0 +1 @@
+vendor.google.exo_camera_injection::IExoCameraInjection u:object_r:hal_exo_camera_injection_hwservice:s0
diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te
new file mode 100644
index 00000000..c1c4de7b
--- /dev/null
+++ b/whitechapel/vendor/google/fastbootd.te
@@ -0,0 +1,6 @@
+# Required by the bootcontrol HAL for the 'set_active' command.
+recovery_only(`
+allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+allow fastbootd sda_block_device:blk_file rw_file_perms;
+allow fastbootd sysfs_ota:file rw_file_perms;
+')
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
new file mode 100644
index 00000000..5fd7861e
--- /dev/null
+++ b/whitechapel/vendor/google/file.te
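Review bot: `allow fastbootd sda_block_device:blk_file rw_file_perms;` grants read/write (ioctl included) on the whole-disk node, which the file_contexts in this change labels at `/dev/block/sda`, whereas the comment justifies the block only by the bootcontrol HAL's `set_active`; writing the raw disk is a much larger capability than updating the devinfo partition on the line above. If `set_active` really needs the whole-disk node (e.g. to rewrite the partition table), the comment should say so and an `allowxperm fastbootd sda_block_device:blk_file ioctl { ... }` list, like the one e2fs.te in this change uses, would bound the ioctl surface; otherwise the rule should go.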
@@ -0,0 +1,210 @@
+# Exynos Data Files
+#type vendor_data_file, file_type, data_file_type;
+type vendor_cbd_boot_file, file_type, data_file_type;
+type vendor_media_data_file, file_type, data_file_type;
+
+# Exynos Log Files
+type vendor_log_file, file_type, data_file_type;
+type vendor_cbd_log_file, file_type, data_file_type;
+type vendor_dmd_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_dump_log_file, file_type, data_file_type;
+type vendor_rild_log_file, file_type, data_file_type;
+type vendor_sced_log_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type, mlstrustedobject;
+type vendor_telephony_log_file, file_type, data_file_type;
+type vendor_vcd_log_file, file_type, data_file_type;
+
+# app data files
+type vendor_test_data_file, file_type, data_file_type;
+type vendor_telephony_data_file, file_type, data_file_type;
+type vendor_ims_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type vendor_rpmbmock_data_file, file_type, data_file_type;
+
+# Exynos debugfs
+type vendor_ion_debugfs, fs_type, debugfs_type;
+type vendor_dmabuf_debugfs, fs_type, debugfs_type;
+type vendor_page_pinner_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_mali_debugfs, fs_type, debugfs_type;
+type vendor_dri_debugfs, fs_type, debugfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type;
+type vendor_sjtag_debugfs, fs_type, debugfs_type;
+
+# Exynos sysfs
+type sysfs_exynos_bts, sysfs_type, fs_type;
+type sysfs_exynos_bts_stats, sysfs_type, fs_type;
+type sysfs_ota, sysfs_type, fs_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# ACPM
+type sysfs_acpm_stats, sysfs_type, fs_type;
+
+# Vendor tools
+type vendor_usf_stats, vendor_file_type, file_type;
+type vendor_usf_reg_edit, vendor_file_type, file_type;
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# Sensors
+type nanohub_lock_file, file_type, data_file_type;
+type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type sensors_cal_file, file_type;
+type sysfs_nanoapp_cmd, sysfs_type, fs_type;
+
+# Fingerprint
+type sysfs_fingerprint, sysfs_type, fs_type;
+
+# CHRE
+type chre_socket, file_type;
+
+# IOMMU
+type sysfs_iommu, sysfs_type, fs_type;
+
+type sysfs_devicetree, sysfs_type, fs_type;
+type sysfs_mem, sysfs_type, fs_type;
+
+# WiFi
+type sysfs_wifi, sysfs_type, fs_type;
+
+# All files under /data/vendor/firmware/wifi
+type updated_wifi_firmware_data_file, file_type, data_file_type;
+
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# Storage Health HAL
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type debugfs_f2fs, debugfs_type, fs_type;
+type proc_f2fs, proc_type, fs_type;
+
+type bootdevice_sysdev, dev_type;
+
+# ZRam
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+
+# Touch
+type proc_touch, proc_type, fs_type, mlstrustedobject;
+type sysfs_touch, sysfs_type, fs_type;
+
+# AOC
+type sysfs_aoc_boottime, sysfs_type, fs_type;
+type sysfs_aoc_firmware, sysfs_type, fs_type;
+type sysfs_aoc, sysfs_type, fs_type;
+type sysfs_aoc_reset, sysfs_type, fs_type;
+
+# Audio
+type persist_audio_file, file_type, vendor_persist_type;
+type persist_aoc_file, file_type, vendor_persist_type;
+type audio_vendor_data_file, file_type, data_file_type;
+type aoc_audio_file, file_type, vendor_file_type;
+
+# Radio
+type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+
+# RILD
+type rild_vendor_data_file, file_type, data_file_type;
+
+# Modem
+type modem_stat_data_file, file_type, data_file_type;
+type modem_efs_file, file_type;
+type modem_userdata_file, file_type;
+type sysfs_modem, sysfs_type, fs_type;
+type persist_modem_file, file_type, vendor_persist_type;
+
+
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+
+# TCP logging
+type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+
+# Wireless
+type sysfs_wlc, sysfs_type, fs_type;
+
+# Camera
+type persist_camera_file, file_type;
+type vendor_camera_tuning_file, vendor_file_type, file_type;
+type vendor_camera_data_file, file_type, data_file_type;
+
+# EdgeTPU hal data file
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU vendor service data file
+type edgetpu_vendor_service_data_file, file_type, data_file_type;
+
+# EdgeTPU sysfs
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# Vendor sched files
+type sysfs_vendor_sched, sysfs_type, fs_type;
+
+# GPS
+type vendor_gps_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
+')
+type sysfs_gps, sysfs_type, fs_type;
+
+# Display
+type sysfs_display, sysfs_type, fs_type;
+
+# Backlight
+type sysfs_backlight, sysfs_type, fs_type;
+
+# Charger
+type sysfs_chargelevel, sysfs_type, fs_type;
+
+# ODPM
+type odpm_config_file, file_type, data_file_type;
+type sysfs_odpm, sysfs_type, fs_type;
+
+# bcl
+type sysfs_bcl, sysfs_type, fs_type;
+
+# Chosen
+type sysfs_chosen, sysfs_type, fs_type;
+
+type sysfs_chip_id, sysfs_type, fs_type;
+type sysfs_spi, sysfs_type, fs_type;
+
+# Battery
+type persist_battery_file, file_type, vendor_persist_type;
+
+# CPU
+type sysfs_cpu, sysfs_type, fs_type;
+
+# GPU
+type sysfs_gpu, sysfs_type, fs_type;
+
+# Fabric
+type sysfs_fabric, sysfs_type, fs_type;
+
+# Memory
+type sysfs_memory, sysfs_type, fs_type;
+
+# bcmdhd (Broadcom FullMAC wireless cards support)
+type sysfs_bcmdhd, sysfs_type, fs_type;
+
+# Video
+type sysfs_video, sysfs_type, fs_type;
+
+# TODO(b/184768835): remove this once the bug is fixed
+# LHBM (Local High Brightness Mode)
+type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject;
+
+# UWB vendor
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+
+# PixelStats_vendor
+type sysfs_pixelstats, fs_type, sysfs_type;
+
+# WLC FW
+type vendor_wlc_fwupdata_file, vendor_file_type, file_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
new file mode 100644
index 00000000..8ef29aa3
--- /dev/null
+++ b/whitechapel/vendor/google/file_contexts
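Review bot: Several types in this hunk carry `mlstrustedobject` (`vendor_slog_file`, `sensor_vendor_data_file`, `radio_vendor_data_file`, `tcpdump_vendor_data_file`, `proc_touch`, `sysfs_lhbm`, and `vendor_gps_file` on userdebug builds) but only `sysfs_lhbm` carries a reason (the TODO); each one exempts the object from MLS isolation and should have a one-line justification naming the cross-level domain that needs it, e.g. `# mlstrustedobject: written by <domain> on behalf of multiple users — TODO confirm`. `uwb_vendor_data_file` is additionally given `app_data_file_type`, which subjects a vendor data directory to the platform rules for app-owned data; a comment on why that attribute is required would help. The commented-out `#type vendor_data_file, file_type, data_file_type;` at the top is dead text and should be removed or explained.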
@@ -0,0 +1,462 @@
+#
+# Exynos HAL
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.4-service\.widevine u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0
+/(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
+
+/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
+/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
+/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+
+#
+# HALs
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs201 u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.1-service-brcm u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-brcm u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs201 u:object_r:hal_power_stats_default_exec:s0
+# Wireless charger HAL
+/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
+
+# Vendor Firmwares
+/(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_fw_file:s0
+
+#
+# Exynos Block Devices
+#
+/dev/block/platform/14700000\.ufs/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/fat u:object_r:fat_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor u:object_r:vendor_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtb_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/sda u:object_r:sda_block_device:s0
+/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
+
+#
+# Exynos Devices
+#
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/bbd_control u:object_r:vendor_gnss_device:s0
+/dev/bbd_pwrstat u:object_r:power_stats_device:s0
+/dev/ttyBCM u:object_r:vendor_gnss_device:s0
+/dev/nanohub u:object_r:vendor_nanohub_device:s0
+/dev/nanohub_comms u:object_r:vendor_nanohub_device:s0
+/dev/m2m1shot_scaler0 u:object_r:vendor_m2m1shot_device:s0
+/dev/radio0 u:object_r:radio_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/fimg2d u:object_r:graphics_device:s0
+/dev/g2d u:object_r:graphics_device:s0
+/dev/tsmux u:object_r:video_device:s0
+/dev/repeater u:object_r:video_device:s0
+/dev/scsc_h4_0 u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/tui-driver u:object_r:tui_device:s0
+/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
+/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
+
+# DM tools device
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+
+# OEM IPC device
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+
+# SIPC RIL device
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/watchdog0 u:object_r:watchdog_device:s0
+
+# GPU device
+/dev/mali0 u:object_r:gpu_device:s0
+/dev/s5p-smem u:object_r:vendor_secmem_device:s0
+/dev/umts_wfc[01] u:object_r:pktrouter_device:s0
+
+#
+# Exynos Daemon Exec
+#
+/(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0
+/(vendor|system/vendor)/bin/dmd u:object_r:dmd_exec:s0
+/(vendor|system/vendor)/bin/hw/scd u:object_r:scd_exec:s0
+/(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0
+/(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0
+/(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0
+/(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0
+/(vendor|system/vendor)/bin/vcd u:object_r:vcd_exec:s0
+/(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+
+# WFC
+/(vendor|system/vendor)/bin/wfc-pkt-router u:object_r:pktrouter_exec:s0
+
+#
+# Exynos Data Files
+#
+# gnss/gps data/log files
+/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
+
+#
+# Exynos Log Files
+#
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0
+/data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0
+/data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0
+/data/vendor/log/sced(/.*)? u:object_r:vendor_sced_log_file:s0
+/data/vendor/log/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/log/vcd(/.*)? u:object_r:vendor_vcd_log_file:s0
+
+/persist/sensorcal\.json u:object_r:sensors_cal_file:s0
+
+# data files
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+
+# Camera
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0
+/vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0
+/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
+/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0
+
+/dev/stmvl53l1_ranging u:object_r:rls_device:s0
+
+/dev/lwis-act0 u:object_r:lwis_device:s0
+/dev/lwis-act1 u:object_r:lwis_device:s0
+/dev/lwis-act-ak7377 u:object_r:lwis_device:s0
+/dev/lwis-act-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-act-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-csi u:object_r:lwis_device:s0
+/dev/lwis-dpm u:object_r:lwis_device:s0
+/dev/lwis-eeprom0 u:object_r:lwis_device:s0
+/dev/lwis-eeprom1 u:object_r:lwis_device:s0
+/dev/lwis-eeprom2 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-imx355-inner u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-imx355-outer u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-flash0 u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
+/dev/lwis-g3aa u:object_r:lwis_device:s0
+/dev/lwis-gdc0 u:object_r:lwis_device:s0
+/dev/lwis-gdc1 u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
+/dev/lwis-ipp u:object_r:lwis_device:s0
+/dev/lwis-itp u:object_r:lwis_device:s0
+/dev/lwis-mcsc u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898128 u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-pdp u:object_r:lwis_device:s0
+/dev/lwis-scsc u:object_r:lwis_device:s0
+/dev/lwis-sensor0 u:object_r:lwis_device:s0
+/dev/lwis-sensor1 u:object_r:lwis_device:s0
+/dev/lwis-sensor2 u:object_r:lwis_device:s0
+/dev/lwis-sensor-gn1 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-inner u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-outer u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx363 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0
+/dev/lwis-slc u:object_r:lwis_device:s0
+/dev/lwis-top u:object_r:lwis_device:s0
+/dev/lwis-votf u:object_r:lwis_device:s0
+
+# VIDEO
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
+/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
+
+# thermal sysfs files
+/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
+/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
+
+
+# IMS VoWiFi
+/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
+/data/vendor/VoWiFi(/.*)? u:object_r:vendor_ims_data_file:s0
+
+# Sensors
+/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
+/dev/acd-com.google.usf u:object_r:aoc_device:s0
+/dev/acd-logging u:object_r:aoc_device:s0
+/dev/aoc u:object_r:aoc_device:s0
+
+# Contexthub
+/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0
+/dev/socket/chre u:object_r:chre_socket:s0
+
+# Modem logging
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+
+# TCP logging
+/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
+/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
+
+# Audio logging
+/vendor/bin/aocdump u:object_r:aocdump_exec:s0
+
+# modem_svc_sit files
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
+
+# modem mnt files
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+
+# Kernel modules related
+/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+
+# NFC
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
+/dev/st21nfc u:object_r:nfc_device:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+
+# SecureElement
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_default_exec:s0
+/dev/st54j_se u:object_r:secure_element_device:s0
+/dev/st54spi u:object_r:secure_element_device:s0
+/dev/st33spi u:object_r:secure_element_device:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0
+
+# Bluetooth
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0
+/dev/wbrc u:object_r:wb_coexistence_dev:s0
+/dev/ttySAC16 u:object_r:hci_attach_dev:s0
+/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_tty16 u:object_r:logbuffer_device:s0
+
+# Audio
+/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
+/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
+/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
+/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
+/dev/acd-audio_output_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-audio_input_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-sound_trigger u:object_r:aoc_device:s0
+/dev/acd-hotword_notification u:object_r:aoc_device:s0
+/dev/acd-hotword_pcm u:object_r:aoc_device:s0
+/dev/acd-ambient_pcm u:object_r:aoc_device:s0
+/dev/acd-model_data u:object_r:aoc_device:s0
+/dev/acd-debug u:object_r:aoc_device:s0
+/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
+/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0
+/dev/amcs u:object_r:amcs_device:s0
+
+# AudioMetric
+/(vendor|system/vendor)/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0
+
+
+# Trusty
+/vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
+/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
+/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
+/mnt/vendor/persist/ss(/.*)? u:object_r:tee_data_file:s0
+/dev/sg1 u:object_r:sg_device:s0
+
+# Battery
+/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
+
+# AoC file contexts.
+/vendor/bin/aocd u:object_r:aocd_exec:s0
+
+# NeuralNetworks file contexts
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0
+/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
+
+# GRIL
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
+
+# Uwb
+# R4
+/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0
+
+# Radio files.
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
+
+# RILD files
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+
+# Citadel StrongBox
+/dev/gsc0 u:object_r:citadel_device:s0
+
+# EdgeTPU device (DarwiNN)
+/dev/abrolhos u:object_r:edgetpu_device:s0
+
+# EdgeTPU logging service
+/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
+
+# EdgeTPU service binaries and libraries
+/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU vendor service
+/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU runtime libraries
+/vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU data files
+/data/vendor/edgetpu(/.*)? 
u:object_r:edgetpu_vendor_service_data_file:s0 +/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0 + +# Tetheroffload Service +/dev/dit2 u:object_r:vendor_toe_device:s0 +/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 + +# pixelstats binary +/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 + +# Vendor_kernel_modules +/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 + +# Display +/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.gs201\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 + +# Touch +/dev/touch_offload u:object_r:touch_offload_device:s0 +/vendor/bin/twoshay u:object_r:twoshay_exec:s0 + +# Fingerprint +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 + +# ECC List +/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 + +# Zram +/data/per_boot(/.*)? u:object_r:per_boot_file:s0 + +# cpuctl +/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0 + +# ODPM +/data/vendor/powerstats(/.*)? 
u:object_r:odpm_config_file:s0 + +# sensor direct DMA-BUF heap +/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0 + +# Console +/dev/ttySAC0 u:object_r:tty_device:s0 + +# faceauth DMA-BUF heaps +/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0 + +# vframe-secure DMA-BUF heap +/dev/dma_heap/vframe-secure u:object_r:vframe_heap_device:s0 + +# vscaler-secure DMA-BUF heap +/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0 + +# vstream-secure DMA-BUF heap +/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 + +# BigOcean +/dev/bigocean u:object_r:video_device:s0 + +# Fingerprint +/dev/goodix_fp u:object_r:fingerprint_device:s0 + +# Wifi Firmware config update +/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 + +# WLC FW update +/vendor/bin/wlc_upt/p9412_mtp u:object_r:vendor_wlc_fwupdata_file:s0 +/vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0 diff --git a/whitechapel/vendor/google/fsck.te b/whitechapel/vendor/google/fsck.te new file mode 100644 index 00000000..d29555b3 --- /dev/null +++ b/whitechapel/vendor/google/fsck.te @@ -0,0 +1,3 @@ +allow fsck persist_block_device:blk_file rw_file_perms; +allow fsck efs_block_device:blk_file rw_file_perms; +allow fsck modem_userdata_block_device:blk_file rw_file_perms; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts new file mode 100644 index 00000000..e532d855 --- /dev/null +++ b/whitechapel/vendor/google/genfs_contexts 
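Review bot: The three allow rules in fsck.te give fsck read-write access to raw vendor block devices with no comment saying which partitions they are or why write (not just read) is needed; a header such as `# Vendor partitions fsck checks at boot (persist, efs, modem_userdata); rw because fsck repairs, not only checks` would make the grant reviewable against the fstab. I am inferring the boot-time check from the domain name, so confirm these are exactly the fstab entries that carry a check option and that no other block device label is needed.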
@@ -0,0 +1,356 @@
+# AOC
+genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+
+# WiFi
+genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
+# Battery
+genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
+
+# Slider
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050 u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+# Whitefin
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050 u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply u:object_r:sysfs_batteryinfo:s0
+# R4 / P7 LunchBox
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
+
+# O6
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# Storage
+genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 + +# Tethering +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 + +# Vibrator +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0042 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 + +# Fingerprint +genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 
u:object_r:sysfs_fingerprint:s0 + +# System_suspend +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 + +# Touch +genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0 +genfscon proc /fts/driver_test u:object_r:proc_touch:s0 +genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0 +genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 + +# EdgeTPU +genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0 +genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 + +# Vendor sched files +genfscon sysfs /kernel/vendor_sched/bg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/bg_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/bg_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/bg_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/bg_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_prefer_idle 
u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/ta_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/ta_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/ta_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/ta_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/ta_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/nnapi_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/nnapi_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/nnapi_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/nnapi_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs 
/kernel/vendor_sched/nnapi_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/clear_group u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_bg u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_cam u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_fg u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_nnapi u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_sys u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_sysbg u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_ta u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/high_capacity_start_cpu u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/uclamp_effective_stats u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/reset_uclamp_stats u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/uclamp_stats u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/uclamp_threshold u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/uclamp_util_diff_stats u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/util_threshold u:object_r:sysfs_vendor_sched:s0 + +# GPS +genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 + +# Display +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 + +# TODO(b/184768835): remove this once the bug is fixed +# Display / LHBM (Local High 
Brightness Mode) +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_lhbm:s0 + +# Modem +genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 + +# Bluetooth +genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 + +# ODPM +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 + +# bcl sysfs files +genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 + +# Chosen +genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 + +genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/raw_str 
u:object_r:sysfs_chip_id:s0 + +# system_suspend wakeup nodes +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 + +# OTA +genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 + +# ACPM +genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 + +genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0 + +# Exynos +genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0 +genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0 + +# CPU +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 + +# Devfreq directory +genfscon sysfs /class/devfreq u:object_r:sysfs_devfreq_dir:s0 + +# Devfreq current frequency +genfscon sysfs 
/devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 + +# Fabric +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 + +# GPU +genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 + +# nvmem (Non Volatile Memory layer) +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 + +# Broadcom +genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 + +# Power Stats +genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon 
sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+
+# debugfs
+
+genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /maxfg_flip u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
+genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
+genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0
+genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
+genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
+genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
+genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
+genfscon debugfs /sjtag u:object_r:vendor_sjtag_debugfs:s0
+
+# tracefs
+genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
+
+# sscoredump (per device)
+genfscon sysfs /devices/platform/abrolhos/sscoredump/sscd_abrolhos/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+
+# mediacodec
+genfscon sysfs
/devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0
+
+# pixelstat_vendor
+genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
diff --git a/whitechapel/vendor/google/gpsd.te b/whitechapel/vendor/google/gpsd.te
new file mode 100644
index 00000000..64591cba
--- /dev/null
+++ b/whitechapel/vendor/google/gpsd.te
@@ -0,0 +1,25 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gpsd)
+
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
+
+# Allow gpsd to obtain wakelock
+wakelock_use(gpsd)
+
+# Allow gpsd access data vendor gps files
+allow gpsd vendor_gps_file:dir create_dir_perms;
+allow gpsd vendor_gps_file:file create_file_perms;
+allow gpsd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gpsd to access rild
+binder_call(gpsd, rild);
+allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
+
+# Allow gpsd to access sensor service
+binder_call(gpsd, system_server);
+allow gpsd fwk_sensor_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te
new file mode 100644
index 00000000..50ff22a5
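Review bot: The comment `# Allow gpsd to access sensor service` understates what `binder_call(gpsd, system_server);` grants: it permits binder transactions with the whole of system_server, not only the sensor service, so a compromised gpsd gets a much wider IPC surface than the comment suggests. If the sensor path genuinely requires calling system_server, say so, e.g. `# Sensor callbacks are served from system_server, so binder_call must cover the whole domain`. The debug-only `typeattribute gpsd mlstrustedsubject;` also deserves a one-line reason (presumably to cross the MLS boundary to logger_app's socket — confirm), since it widens what gpsd may touch on userdebug builds beyond the single connectto rule next to it.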
--- /dev/null
+++ b/whitechapel/vendor/google/grilservice_app.te
@@ -0,0 +1,12 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app app_api_service:service_manager find;
+allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
+binder_call(grilservice_app, hal_bluetooth_btlinux)
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)
+binder_call(grilservice_app, hal_audiometricext_default)
diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te
new file mode 100644
index 00000000..5ee99469
--- /dev/null
+++ b/whitechapel/vendor/google/hal_audio_default.te
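Review bot: This new app domain gets `find` on four vendor hwservices and `binder_call` to their servers, but the file has no comment on what grilservice_app is or which feature each pair serves, so a later reviewer cannot tell whether any of the four can be dropped. A short header, e.g. `# grilservice_app: vendor app bridging the radio-extension, bluetooth coexistence, wifi_ext and audio-metrics HALs (confirm exact role)`, plus one comment per hwservice would make the grant set auditable. The seapp_contexts entry that maps the APK into this domain is not part of this hunk, so the domain is inert until that entry exists.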
@@ -0,0 +1,31 @@
+vndbinder_use(hal_audio_default)
+hwbinder_use(hal_audio_default)
+
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+
+r_dir_file(hal_audio_default, aoc_audio_file);
+r_dir_file(hal_audio_default, mnt_vendor_file);
+r_dir_file(hal_audio_default, persist_audio_file);
+
+allow hal_audio_default persist_file:dir search;
+allow hal_audio_default aoc_device:file rw_file_perms;
+allow hal_audio_default aoc_device:chr_file rw_file_perms;
+
+allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
+
+allow hal_audio_default amcs_device:file rw_file_perms;
+allow hal_audio_default amcs_device:chr_file rw_file_perms;
+allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
+
+#allow access to DMABUF Heaps for AAudio API
+allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
+
+get_prop(hal_audio_default, vendor_audio_prop);
+
+userdebug_or_eng(`
+ allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
+ allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
+')
+
+wakelock_use(hal_audio_default);
diff --git a/whitechapel/vendor/google/hal_audiometricext_default.te b/whitechapel/vendor/google/hal_audiometricext_default.te
new file mode 100644
index 00000000..5358eac4
--- /dev/null
+++ b/whitechapel/vendor/google/hal_audiometricext_default.te
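Review bot: `allow hal_audio_default aoc_device:file rw_file_perms;` and `allow hal_audio_default amcs_device:file rw_file_perms;` sit next to identical rules on `chr_file`; if those two types only ever label character-device nodes under /dev, the `:file` rules never match and should be dropped, otherwise a comment should name the regular files that carry the label. `sysfs_pixelstats:file rw_file_perms` gives the audio HAL write access to the same pixelstats sysfs nodes that hal_audiometricext_default in this series also writes; a one-line comment naming the node the audio HAL itself writes would let a reviewer confirm `r_file_perms` is not enough. The trailing `;` after `wakelock_use(hal_audio_default);`, `get_prop(...)` and the `r_dir_file(...)` calls is inconsistent with the bare macro calls at the top of the same file.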
@@ -0,0 +1,12 @@
+type hal_audiometricext_default, domain;
+type hal_audiometricext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_audiometricext_default)
+
+allow hal_audiometricext_default amcs_device:chr_file rw_file_perms;
+allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms;
+
+get_prop(hal_audiometricext_default, vendor_audio_prop);
+get_prop(hal_audiometricext_default, hwservicemanager_prop);
+
+hwbinder_use(hal_audiometricext_default);
+add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice);
diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..f348099e
--- /dev/null
+++ b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
@@ -0,0 +1,22 @@
+add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice);
+get_prop(hal_bluetooth_btlinux, boot_status_prop)
+
+allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms;
+binder_call(hal_bluetooth_btlinux, servicemanager)
+
+# power stats
+vndbinder_use(hal_bluetooth_btlinux)
+allow hal_bluetooth_btlinux hal_power_stats_vendor_service:service_manager find;
+binder_call(hal_bluetooth_btlinux, hal_power_stats_default)
+
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:file create_file_perms;
+ allow hal_bluetooth_btlinux logbuffer_device:chr_file r_file_perms;
+')
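Review bot: The new domain `hal_audiometricext_default` is declared without a single comment, and its two device grants (`amcs_device:chr_file rw_file_perms`, `sysfs_pixelstats:file rw_file_perms`) are exactly the ones hal_audio_default.te in this series already holds, so a reader cannot tell why a second writer to those nodes is needed. A header such as `# Audio-metrics extension HAL: collects codec metrics via amcs and publishes them through the pixelstats sysfs nodes (confirm)` would cover it. The `hwbinder_use` + `get_prop(..., hwservicemanager_prop)` + `add_hwservice` triple is the standard hwservice-server pattern and needs no change.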
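Review bot: `binder_call(hal_bluetooth_btlinux, servicemanager)` is out of place in a vendor HAL: lookups and registration here go through `vndbinder_use` and `add_hwservice`, and a direct call grant to the framework servicemanager usually means a rule was copied from an old denial; add a comment naming the transaction that needs it, or drop it and re-test. The split between the unconditional `sscoredump_vendor_data_crashinfo_file` rules and the debug-only `sscoredump_vendor_data_coredump_file` rules is the right shape for keeping full core dumps off user builds; a one-line comment above the `userdebug_or_eng` block stating that intent, e.g. `# full coredumps and logbuffer reads only on debug builds; crash info is always collected`, would stop a later change from collapsing the two.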
diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te
new file mode 100644
index 00000000..30db79bd
--- /dev/null
+++ b/whitechapel/vendor/google/hal_bootctl_default.te
@@ -0,0 +1,3 @@
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sysfs_ota:file rw_file_perms;
diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te
new file mode 100644
index 00000000..df210f6f
--- /dev/null
+++ b/whitechapel/vendor/google/hal_camera_default.te
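Review bot: `allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;` grants raw read/write on the whole-disk node rather than on a partition-specific label, which is the broadest storage grant a HAL can hold; the next line shows the slot metadata partition already has its own `devinfo_block_device` type, so the whole-disk rule needs a why-comment such as `# boot control reads/writes <partition> by offset on the raw device; no partition label exists (confirm)` or should be replaced by a narrower type. `sysfs_ota:file rw_file_perms` would likewise read better with a comment naming the OTA sysfs node being written.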
@@ -0,0 +1,77 @@
+type hal_camera_default_tmpfs, file_type;
+
+allow hal_camera_default self:global_capability_class_set sys_nice;
+
+binder_use(hal_camera_default);
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+# Tuscany (face auth) code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir search;
+allow hal_camera_default persist_camera_file:file r_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms;
+allow hal_camera_default vendor_camera_tuning_file:file r_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+ allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# tmpfs is used by google3 prebuilts linked by the HAL to
unpack data files
+# compiled into the shared libraries with cc_embed_data rules
+tmpfs_domain(hal_camera_default);
+
+# Allow access to camera-related system properties
+get_prop(hal_camera_default, vendor_camera_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+ set_prop(hal_camera_default, vendor_camera_fatp_prop);
+ set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
diff --git a/whitechapel/vendor/google/hal_confirmationui.te b/whitechapel/vendor/google/hal_confirmationui.te
new file mode 100644
index 00000000..a8f4ae8c
--- /dev/null
+++ b/whitechapel/vendor/google/hal_confirmationui.te
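Review bot: The `userdebug_or_eng` block under `# Allow creating dump files for debugging in non-release builds` re-grants `vendor_camera_data_file:file create_file_perms`, which the unconditional rule a few lines above already gives on every build, so the only thing actually debug-gated is `dir create_dir_perms`; either the comment should say that only directory creation is debug-only, or the unconditional file rule should be narrowed to `rw_file_perms` if dump files are not meant to be created on user builds. `hal_client_domain(hal_camera_default, hal_graphics_composer)` is the one macro call in its group without a trailing `;`, and `binder_call(hal_camera_default, system_server);` under `# Allow access to sensor service for sensor_listener` covers all of system_server, the same breadth caveat as in gpsd.te. The `tee_device` and EdgeTPU rules are well commented; the bare `gpu_device:chr_file rw_file_perms` and `self:global_capability_class_set sys_nice` lines would benefit from the same treatment.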
@@ -0,0 +1,13 @@
+allow hal_confirmationui_default tee_device:chr_file rw_file_perms;
+
+binder_call(hal_confirmationui_default, keystore)
+
+vndbinder_use(hal_confirmationui_default)
+binder_call(hal_confirmationui_default, citadeld)
+allow hal_confirmationui_default citadeld_service:service_manager find;
+
+allow hal_confirmationui_default input_device:chr_file rw_file_perms;
+allow hal_confirmationui_default input_device:dir r_dir_perms;
+
+allow hal_confirmationui_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_confirmationui_default ion_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_contexthub.te b/whitechapel/vendor/google/hal_contexthub.te
new file mode 100644
index 00000000..ba776c89
--- /dev/null
+++ b/whitechapel/vendor/google/hal_contexthub.te
@@ -0,0 +1,3 @@
+# Allow context hub HAL to communicate with daemon via socket
+allow hal_contexthub_default chre:unix_stream_socket connectto;
+allow hal_contexthub_default chre_socket:sock_file write;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/hal_drm_clearkey.te b/whitechapel/vendor/google/hal_drm_clearkey.te
new file mode 100644
index 00000000..0e0a5c24
--- /dev/null
+++ b/whitechapel/vendor/google/hal_drm_clearkey.te
@@ -0,0 +1,5 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/whitechapel/vendor/google/hal_drm_default.te b/whitechapel/vendor/google/hal_drm_default.te
new file mode 100644
index 00000000..30e443a8
--- /dev/null
+++ b/whitechapel/vendor/google/hal_drm_default.te
@@ -0,0 +1,6 @@
+# L3
+allow hal_drm_default mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_default mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_default dmabuf_system_heap_device:chr_file r_file_perms;
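Review bot: `allow hal_confirmationui_default input_device:chr_file rw_file_perms;` gives the confirmation UI write access to every input device node, while a trusted-UI implementation normally only needs to read touch events; if the write bit is required (for instance by an ioctl that needs O_RDWR), a comment should say which, otherwise `r_file_perms` is the safer grant. The last two lines allow both `dmabuf_system_heap_device` and the legacy `ion_device`; a comment noting which allocator path the HAL still uses, e.g. `# ion kept for <reason>; remove once the dmabuf heap path is the only one (confirm)`, makes it clear when the ion rule can be retired.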
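Review bot: hal_contexthub.te ends with `\ No newline at end of file` after `allow hal_contexthub_default chre_socket:sock_file write;`; add the trailing newline so later appends to this file yield clean diffs, and it matches every other .te file in this series. The `connectto` on the chre unix_stream_socket plus `write` on the sock_file is the minimal pair for a client connect and needs no change.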
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
new file mode 100644
index 00000000..38381b15
--- /dev/null
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -0,0 +1,192 @@
+allow hal_dumpstate_default sysfs_exynos_bts:dir search;
+allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_bcmdhd:dir search;
+allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_memory:file r_file_perms;
+allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
+
+vndbinder_use(hal_dumpstate_default)
+
+allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_wlc:dir search;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
+
+allow hal_dumpstate_default shell_data_file:file getattr;
+
+allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+
+allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
+
+# camera debugging dump file access
+allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms;
+
+allow hal_dumpstate_default vendor_log_file:dir search;
+
+allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
+allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
+allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
+
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_spi:dir search;
+allow hal_dumpstate_default sysfs_spi:file rw_file_perms;
+
+allow hal_dumpstate_default device:dir r_dir_perms;
+allow hal_dumpstate_default logbuffer_device:chr_file
r_file_perms;
+allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_wifi:dir search;
+allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
+
+# Touch sysfs interface
+allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
+allow hal_dumpstate_default sysfs_thermal:lnk_file read;
+
+allow hal_dumpstate_default touch_context_service:service_manager find;
+binder_call(hal_dumpstate_default, twoshay)
+
+# Modem logs
+allow hal_dumpstate_default modem_efs_file:dir search;
+allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
+allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
+
+allow hal_dumpstate_default block_device:dir r_dir_perms;
+
+allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default proc_f2fs:file r_file_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_batteryinfo:dir search;
+allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
+allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
+
+allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
+allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
+
+allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
+
+allow hal_dumpstate_default citadeld_service:service_manager find;
+allow hal_dumpstate_default citadel_updater_exec:file execute_no_trans;
+binder_call(hal_dumpstate_default, citadeld);
+
+allow hal_dumpstate_default
vendor_displaycolor_service:service_manager find;
+binder_call(hal_dumpstate_default, hal_graphics_composer_default);
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default mnt_vendor_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+')
+
+get_prop(hal_dumpstate_default, boottime_public_prop)
+get_prop(hal_dumpstate_default, vendor_gps_prop)
+set_prop(hal_dumpstate_default, vendor_modem_prop)
+get_prop(hal_dumpstate_default, vendor_rild_prop)
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
+ allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+ allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+ allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default
vendor_votable_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
+ allow hal_dumpstate_default sysfs_bcl:file r_file_perms;
+ allow hal_dumpstate_default sysfs_bcl:lnk_file read;
+ allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
+ allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms;
+ allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
+ allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
+
+ set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)
+')
+
+dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_votable_debugfs:dir
r_dir_perms;
+dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default mnt_vendor_file:dir r_dir_perms;
+dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
+dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+
+dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
+dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;
+
+dontaudit hal_dumpstate_default rootfs:dir r_dir_perms;
+
+dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
+dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms;
+dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te
new file mode 100644
index 00000000..c6d64d5d
--- /dev/null
+++ b/whitechapel/vendor/google/hal_fingerprint_default.te
@@ -0,0 +1,14 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms;
+allow hal_fingerprint_default sysfs_batteryinfo:dir search;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default fwk_stats_service:service_manager find;
+get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
+userdebug_or_eng(`
+ get_prop(hal_fingerprint_default, vendor_fingerprint_fake_prop)
+')
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
diff --git a/whitechapel/vendor/google/hal_gnss_default.te b/whitechapel/vendor/google/hal_gnss_default.te
new file mode 100644
index 00000000..e3004237
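Review bot: `allow hal_dumpstate_default proc_touch:file rw_file_perms;` appears twice in this hunk (under `# Touch sysfs interface` and again right after the `proc_f2fs` rules), and `sysfs_batteryinfo:dir search` is subsumed by the `sysfs_batteryinfo:dir r_dir_perms` on the following line; dropping the duplicates keeps the file diffable. The more important point for a bugreport collector, which is read-mostly, is the set of write grants `sysfs_spi:file rw_file_perms`, `sysfs_touch:file rw_file_perms`, `proc_touch:file rw_file_perms` and `aoc_device:chr_file rw_file_perms`: each needs a why-comment naming the node dumpstate has to write (for example a dump trigger) so a reviewer can confirm it is not a plain read path that `r_file_perms` would satisfy. The `dontaudit` tail mirrors the debug-only `userdebug_or_eng` block so user builds stay quiet; a one-line comment above the first `dontaudit`, e.g. `# silence denials on user builds for the debug-only rules above`, would make that pairing explicit for the next person who edits one side without the other.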
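Review bot: None of the 14 lines in hal_fingerprint_default.te carries a comment; `self:netlink_socket create_socket_perms_no_ioctl` (a generic netlink socket with no protocol family visible here) and `tee_device:chr_file rw_file_perms` are exactly the grants a reviewer wants explained, e.g. `# netlink socket for <event source> notifications — confirm the protocol family` and `# matching runs inside the TEE`. `sysfs_batteryinfo:file r_file_perms` plus `sysfs_batteryinfo:dir search` could be the single call `r_dir_file(hal_fingerprint_default, sysfs_batteryinfo)`, the form hal_power_stats_default.te in this series uses. The `userdebug_or_eng` gating of `vendor_fingerprint_fake_prop` is the right way to keep the fake-sensor switch off user builds and needs no change.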
--- /dev/null
+++ b/whitechapel/vendor/google/hal_gnss_default.te
@@ -0,0 +1,4 @@
+# Allow hal_gnss_default access data vendor gps files
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
diff --git a/whitechapel/vendor/google/hal_graphics_allocator_default.te b/whitechapel/vendor/google/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..63a7dcfb
--- /dev/null
+++ b/whitechapel/vendor/google/hal_graphics_allocator_default.te
@@ -0,0 +1,4 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vframe_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_graphics_composer_default.te b/whitechapel/vendor/google/hal_graphics_composer_default.te
new file mode 100644
index 00000000..0562aa0e
--- /dev/null
+++ b/whitechapel/vendor/google/hal_graphics_composer_default.te
@@ -0,0 +1,6 @@
+allow hal_graphics_composer_default sysfs_display:dir search;
+allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+# allow HWC to access power hal
+binder_call(hal_graphics_composer_default, hal_power_default);
+hal_client_domain(hal_graphics_composer_default, hal_power);
diff --git a/whitechapel/vendor/google/hal_health_default.te b/whitechapel/vendor/google/hal_health_default.te
new file mode 100644
index 00000000..a684dcc2
--- /dev/null
+++ b/whitechapel/vendor/google/hal_health_default.te
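Review bot: `binder_call(hal_graphics_composer_default, hal_power_default);` looks redundant with `hal_client_domain(hal_graphics_composer_default, hal_power);` on the next line: hal_client_domain makes the composer a hal_power client, and AOSP's public hal_power policy grants binder_call between hal_power_client and hal_power_server, which hal_power_default is when it is declared through hal_server_domain (that declaration is not in this hunk, so verify on this tree). Keeping the explicit rule pins the composer to one concrete server type instead of the attribute pair the HAL macros exist for; drop it if the build and boot test still pass, or add a comment saying why the attribute route is not enough.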
@@ -0,0 +1,14 @@
+allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+
+set_prop(hal_health_default, vendor_battery_defender_prop)
+r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
+
+allow hal_health_default sysfs_wlc:dir search;
+allow hal_health_default sysfs_batteryinfo:file w_file_perms;
+allow hal_health_default sysfs_thermal:dir search;
+allow hal_health_default sysfs_thermal:file w_file_perms;
+allow hal_health_default sysfs_thermal:lnk_file read;
+allow hal_health_default thermal_link_device:dir search;
diff --git a/whitechapel/vendor/google/hal_health_storage_default.te b/whitechapel/vendor/google/hal_health_storage_default.te
new file mode 100644
index 00000000..2aa0881e
--- /dev/null
+++ b/whitechapel/vendor/google/hal_health_storage_default.te
@@ -0,0 +1,3 @@
+# Access to /sys/devices/platform/14700000.ufs/*
+allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_armnn.te b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..c9872853
--- /dev/null
+++ b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te
@@ -0,0 +1,9 @@
+type hal_neuralnetworks_armnn, domain;
+hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)
+
+type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type;
+
+allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms;
+
+init_daemon_domain(hal_neuralnetworks_armnn)
+
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
new file mode 100644
index 00000000..88a24db9
--- /dev/null
+++ b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
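Review bot: hal_neuralnetworks_armnn.te ends in a trailing empty `+` line after `init_daemon_domain(hal_neuralnetworks_armnn)`, and its `type hal_neuralnetworks_armnn_exec, ...` declaration is separated from `type hal_neuralnetworks_armnn, domain;` by the `hal_server_domain` call, whereas hal_neuralnetworks_darwinn.te in the same series keeps the domain/exec declarations and `init_daemon_domain` together. Suggested order: both `type` lines, `init_daemon_domain`, `hal_server_domain`, then the `gpu_device:chr_file rw_file_perms` rule with a comment such as `# Arm NN backend executes on the GPU (confirm)`. In hal_health_default.te, `sysfs_batteryinfo:file w_file_perms` and `sysfs_thermal:file w_file_perms` grant write without read; if that is deliberate (reads arrive via another attribute) a one-line comment would save the next reader from assuming the `r` was lost.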
@@ -0,0 +1,35 @@
+type hal_neuralnetworks_darwinn, domain;
+hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
+
+type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_darwinn)
+
+# The TPU HAL looks for TPU instance in /dev/abrolhos
+allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
+
+# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
+allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
+
+# Allow DarwiNN service to access data files.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
+
+# Allow DarwiNN service to access unix sockets for IPC.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms };
+
+# Register to hwbinder service.
+# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te
+hwbinder_use(hal_neuralnetworks_darwinn)
+get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
+
+# Allow TPU HAL to read the kernel version.
+# This is done inside the InitGoogle.
+allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
+
+# Allow TPU NNAPI HAL to log to stats service. (metrics)
+allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
+binder_call(hal_neuralnetworks_darwinn, system_server);
+binder_use(hal_neuralnetworks_darwinn)
+
+# TPU NNAPI to register the service to service_manager.
+add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service);
diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te
new file mode 100644
index 00000000..f98e78c6
--- /dev/null
+++ b/whitechapel/vendor/google/hal_nfc_default.te
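Review bot: Typo in `# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.` — `DawriNN` should read `DarwiNN` as in the two comments below it. The same comment also undersells the rule under it: `vendor_configs_file:file r_file_perms` lets the HAL read any file with that label, not only one reached through a passed fd (the file-type check applies to reads over inherited fds too), so the comment should say `# read access to vendor config files, including ones handed over as fds by clients` so nobody later assumes the grant is fd-scoped. `binder_call(hal_neuralnetworks_darwinn, system_server);` for the stats service carries the same whole-of-system_server breadth caveat as in gpsd.te.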
@@ -0,0 +1,9 @@
+# NFC property
+set_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+
+# Modem property
+set_prop(hal_nfc_default, vendor_modem_prop)
+
diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te
new file mode 100644
index 00000000..4b95db79
--- /dev/null
+++ b/whitechapel/vendor/google/hal_power_default.te
@@ -0,0 +1,12 @@
+allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
+allow hal_power_default sysfs_vendor_sched:file rw_file_perms;
+allow hal_power_default cpuctl_device:file rw_file_perms;
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop)
+set_prop(hal_power_default, vendor_camera_debug_prop)
+set_prop(hal_power_default, vendor_camera_fatp_prop)
diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te
new file mode 100644
index 00000000..497350c6
--- /dev/null
+++ b/whitechapel/vendor/google/hal_power_stats_default.te
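Review bot: `set_prop(hal_nfc_default, vendor_modem_prop)` lets the NFC HAL write modem properties, and the comment `# Modem property` only names the type, not why NFC needs it; hal_secure_element_default.te in this series gets the same write, so each property type ends up with at least two vendor writers and no record of which one owns it. Replace the label-style comments with the reason, e.g. `# <reason the NFC HAL sets modem properties> — confirm with the modem owner`, so the cross-subsystem write is not kept by inertia. The file also ends with an extra blank `+` line.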
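Review bot: `set_prop(hal_power_default, vendor_camera_debug_prop)` and `set_prop(hal_power_default, vendor_camera_fatp_prop)` are unconditional here, while hal_camera_default.te in this same series only sets those two properties inside `userdebug_or_eng`; unless the power HAL must write them on user builds, wrap them the same way so the debug-only intent holds across domains. None of the nine `allow` lines has a comment, and the write grants on `cpuctl_device:file`, `sysfs_fabric:file`, `sysfs_display:file` and `sysfs_scsi_devices_0000:file` in particular deserve a note on which tunables the power hints touch, so a reviewer can distinguish a needed write from a read that crept in as `rw`.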
@@ -0,0 +1,20 @@
+allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms;
+
+# getStats AIDL callback to each power entry
+binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
+
+r_dir_file(hal_power_stats_default, sysfs_iio_devices)
+allow hal_power_stats_default odpm_config_file:dir search;
+allow hal_power_stats_default odpm_config_file:file r_file_perms;
+allow hal_power_stats_default sysfs_odpm:dir search;
+allow hal_power_stats_default sysfs_odpm:file rw_file_perms;
+
+binder_call(hal_power_stats_default, citadeld)
+r_dir_file(hal_power_stats_default, sysfs_aoc)
+r_dir_file(hal_power_stats_default, sysfs_cpu)
+r_dir_file(hal_power_stats_default, sysfs_leds)
+r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
+r_dir_file(hal_power_stats_default, sysfs_wifi)
+r_dir_file(hal_power_stats_default, sysfs_backlight)
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/whitechapel/vendor/google/hal_radioext_default.te
new file mode 100644
index 00000000..eef71cf6
--- /dev/null
+++ b/whitechapel/vendor/google/hal_radioext_default.te
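Review bot: The first two rules, `sysfs_scsi_devices_0000:dir r_dir_perms` and `sysfs_scsi_devices_0000:file r_file_perms`, are exactly what `r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)` on the last line expands to, so one of the two can be removed. `sysfs_odpm:file rw_file_perms` is the only write grant in an otherwise read-only stats collector; a comment naming the ODPM node that is written (enable/config) would let a reviewer confirm `r_file_perms` is not enough, especially since hal_thermal_default.te in this series reads the same type with `r_file_perms`. `binder_call(hal_power_stats_default, citadeld)` also lacks the one-line comment its bluetooth counterpart has.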
@@ -0,0 +1,21 @@
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, grilservice_app)
+binder_call(hal_radioext_default, hal_bluetooth_btlinux)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
+allow hal_radioext_default sysfs_display:file rw_file_perms;
+
+# Bluetooth
+allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/hal_secure_element_default.te b/whitechapel/vendor/google/hal_secure_element_default.te
new file mode 100644
index 00000000..dc048746
--- /dev/null
+++ b/whitechapel/vendor/google/hal_secure_element_default.te
@@ -0,0 +1,10 @@
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+allow hal_secure_element_default nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_default, vendor_secure_element_prop)
+set_prop(hal_secure_element_default, vendor_nfc_prop)
+set_prop(hal_secure_element_default, vendor_modem_prop)
+
+# Allow hal_secure_element_default to access rild
+binder_call(hal_secure_element_default, rild);
+allow hal_secure_element_default hal_exynos_rild_hwservice:hwservice_manager find;
+
diff --git a/whitechapel/vendor/google/hal_tetheroffload_default.te b/whitechapel/vendor/google/hal_tetheroffload_default.te
new file mode 100644
index 00000000..00ae3214
--- /dev/null
+++ b/whitechapel/vendor/google/hal_tetheroffload_default.te
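Review bot: `allow hal_radioext_default sysfs_display:file rw_file_perms;` sits under the `# RW MIPI Freq files` comment, but sysfs_display labels the whole display sysfs tree, so the radio-extension HAL gets write access to every display attribute, not only the MIPI-frequency node. If that node is a single path, a dedicated type in genfs_contexts covering just that path would keep the grant to what the comment describes; at minimum the comment should name the path written, e.g. `# RW MIPI freq node: <SYSFS_PATH_PLACEHOLDER>`.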
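Review bot: `set_prop(hal_secure_element_default, vendor_modem_prop)` and `set_prop(hal_secure_element_default, vendor_nfc_prop)` give the secure-element HAL write access to the modem and NFC property namespaces with no comment, whereas the rild access two lines below is commented; a note naming the property each write targets would keep the grants reviewable. `binder_call(hal_secure_element_default, rild);` also carries a trailing semicolon that most macro invocations in this commit omit.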
@@ -0,0 +1,17 @@
+# associate netdomain to use for accessing internet sockets
+net_domain(hal_tetheroffload_default)
+
+# Allow operations with TOE device
+allow hal_tetheroffload_default vendor_toe_device:chr_file rw_file_perms;
+
+# Allow NETLINK and socket
+allow hal_tetheroffload_default self:{
+ netlink_socket
+ netlink_generic_socket
+ unix_dgram_socket
+} create_socket_perms_no_ioctl;
+
+# Register to hwbinder service
+add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
+hwbinder_use(hal_tetheroffload_default)
+get_prop(hal_tetheroffload_default, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/whitechapel/vendor/google/hal_thermal_default.te
new file mode 100644
index 00000000..491035ee
--- /dev/null
+++ b/whitechapel/vendor/google/hal_thermal_default.te
@@ -0,0 +1,3 @@
+allow hal_thermal_default self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms;
+allow hal_thermal_default sysfs_odpm:file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te
new file mode 100644
index 00000000..14abf59c
--- /dev/null
+++ b/whitechapel/vendor/google/hal_usb_impl.te
@@ -0,0 +1,13 @@
+type hal_usb_impl, domain;
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_impl)
+
+allow hal_usb_impl functionfs:dir { watch watch_reads };
+set_prop(hal_usb_impl, vendor_usb_config_prop)
+
+allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
+allow hal_usb_impl sysfs_extcon:dir search;
diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te
new file mode 100644
index 00000000..f066aa4d
--- /dev/null
+++ b/whitechapel/vendor/google/hal_uwb_default.te
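Review bot: `allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;` gives the USB HAL write access to every file labelled sysfs_batteryinfo, and unlike the rest of hal_usb_impl.te there is no comment saying which power-supply attribute is written or why. A comment such as `# writes <SYSFS_NODE_PLACEHOLDER> under power_supply to <purpose>` or a narrower type for that node would make the grant reviewable; the neighbouring `functionfs:dir { watch watch_reads }` rule would likewise benefit from a one-line note on what is watched.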
@@ -0,0 +1,5 @@
+type hal_uwb_default, domain;
+type hal_uwb_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_default)
+
+add_service(hal_uwb_default, hal_uwb_service)
diff --git a/whitechapel/vendor/google/hal_vendor_hwcservice_default.te b/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
new file mode 100644
index 00000000..0cd13b33
--- /dev/null
+++ b/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
@@ -0,0 +1,4 @@
+type hal_vendor_hwcservice_default, domain;
+type hal_vendor_hwcservice_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_vendor_hwcservice_default)
+
diff --git a/whitechapel/vendor/google/hal_wifi.te b/whitechapel/vendor/google/hal_wifi.te
new file mode 100644
index 00000000..e7f657ec
--- /dev/null
+++ b/whitechapel/vendor/google/hal_wifi.te
@@ -0,0 +1,3 @@
+# files in /data/vendor/firmware/wifi
+allow hal_wifi updated_wifi_firmware_data_file:dir r_dir_perms;
+allow hal_wifi updated_wifi_firmware_data_file:file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_wifi_ext.te b/whitechapel/vendor/google/hal_wifi_ext.te
new file mode 100644
index 00000000..959f71b6
--- /dev/null
+++ b/whitechapel/vendor/google/hal_wifi_ext.te
@@ -0,0 +1,13 @@
+# Allow wifi_ext to report callbacks to gril-service app
+binder_call(hal_wifi_ext, grilservice_app)
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_ext, vendor_wifi_version)
+
+# Allow wifi_ext to read and write /data/vendor/firmware/wifi
+allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;
+allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms;
+
+# Allow wifi_ext to read the updated firmware files from app
+allow hal_wifi_ext priv_app:fd use;
+allow hal_wifi_ext privapp_data_file:file { read map };
diff --git a/whitechapel/vendor/google/hal_wlc.te b/whitechapel/vendor/google/hal_wlc.te
new file mode 100644
index 00000000..891853c9
--- /dev/null
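Review bot: The last two rules of hal_wifi_ext.te let the HAL read and map any privapp_data_file handed over a priv_app fd, and the rules above let it write that content into updated_wifi_firmware_data_file, which hal_wifi (earlier in this line) then reads as firmware. The policy cannot distinguish a legitimate firmware update from any file a privileged app chooses to pass, so whatever signature or version check protects this path presumably lives in hal_wifi_ext itself; the comment should say so, e.g. `# Firmware integrity is verified by hal_wifi_ext before the file is copied; policy only scopes the fd hand-off`. If no such check exists, that is a bug to file rather than a comment to add.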
+++ b/whitechapel/vendor/google/hal_wlc.te
@@ -0,0 +1,16 @@
+type hal_wlc, domain;
+type hal_wlc_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_wlc)
+hwbinder_use(hal_wlc)
+add_hwservice(hal_wlc, hal_wlc_hwservice)
+get_prop(hal_wlc, hwservicemanager_prop)
+
+r_dir_file(hal_wlc, sysfs_batteryinfo)
+allow hal_wlc sysfs_wlc:dir r_dir_perms;
+allow hal_wlc sysfs_wlc:file rw_file_perms;
+
+allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+binder_call(hal_wlc, platform_app)
+binder_call(hal_wlc, system_app)
\ No newline at end of file
diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te
new file mode 100644
index 00000000..c5bfb879
--- /dev/null
+++ b/whitechapel/vendor/google/hardware_info_app.te
@@ -0,0 +1,9 @@
+type hardware_info_app, domain;
+
+app_domain(hardware_info_app)
+
+allow hardware_info_app app_api_service:service_manager find;
+
+# Display
+allow hardware_info_app sysfs_display:dir search;
+allow hardware_info_app sysfs_display:file r_file_perms;
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
new file mode 100644
index 00000000..534f6c82
--- /dev/null
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+type hbmsvmanager_app, domain, coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
+binder_call(hbmsvmanager_app, hal_graphics_composer_default)
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te
new file mode 100644
index 00000000..7ac98578
--- /dev/null
+++ b/whitechapel/vendor/google/hwservice.te
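Review bot: hal_wlc.te ends without a trailing newline (`\ No newline at end of file`), the only policy file in this commit to do so; add the newline so a later append does not show up as a rewrite of the last `binder_call(hal_wlc, system_app)` line. Style only; the rules themselves follow the same pattern as hal_radioext_default.te.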
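Review bot: `type hbmsvmanager_app, domain, coredomain;` declares a coredomain type from a file under whitechapel/vendor/google, and `app_domain(hbmsvmanager_app);` carries a trailing semicolon that the otherwise parallel hardware_info_app.te in this line omits. Whether a coredomain declaration belongs here depends on which policy partition gs201-sepolicy.mk routes this directory to (system_ext versus vendor), which is not visible in this chunk; if it lands in vendor policy the Treble compatibility checks may reject it. A header comment stating the intended partition, e.g. `# Built into system_ext policy (coredomain); see gs201-sepolicy.mk`, would make that explicit.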
@@ -0,0 +1,27 @@
+type hal_vendor_telephony_hwservice, hwservice_manager_type;
+type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type;
+
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+
+# GRIL service
+type hal_radioext_hwservice, hwservice_manager_type;
+
+# Audio
+type hal_audio_ext_hwservice, hwservice_manager_type;
+
+# WLC
+type hal_wlc_hwservice, hwservice_manager_type;
+
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
+
+# Fingerprint
+type hal_fingerprint_ext_hwservice, hwservice_manager_type;
+
+# AudioMetric
+type hal_audiometricext_hwservice, hwservice_manager_type;
+
diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts
new file mode 100644
index 00000000..c00e9572
--- /dev/null
+++ b/whitechapel/vendor/google/hwservice_contexts
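Review bot: Only `hal_bluetooth_coexistence_hwservice` carries `vendor_hwservice_type`; the other nine hwservice types declared here have just `hwservice_manager_type`, and that attribute is what the core/vendor hwservice neverallows key on, so the inconsistency is either an omission or intentional and a comment should say which. `hal_vendor_telephony_hwservice` is declared on the first line but the hwservice_contexts hunk at L99 labels `vendor.samsung_slsi.hardware.radio::IOemSamsungslsi` with the core `hal_telephony_hwservice`, leaving the declared type unused in this commit; one of the two should change. The comment `# dmd servcie` is misspelled (service).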
@@ -0,0 +1,35 @@
+vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0
+vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
+vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+
+# rild HAL
+vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+android.vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
+
+# VIDEO
+android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
+android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
+
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
+
+#Audio
+vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
+
+# Wireless charger hal
+vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
+
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
+
+# Fingerprint
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
+
+#Audio
+vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
+
diff --git a/whitechapel/vendor/google/hwservicemanager.te b/whitechapel/vendor/google/hwservicemanager.te
new file mode 100644
index 00000000..7b64499b
--- /dev/null
+++ b/whitechapel/vendor/google/hwservicemanager.te
@@ -0,0 +1 @@
+binder_call(hwservicemanager, bipchmgr)
diff --git a/whitechapel/vendor/google/incident.te b/whitechapel/vendor/google/incident.te
new file mode 100644
index 00000000..672606df
--- /dev/null
+++ b/whitechapel/vendor/google/incident.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+ allow incident logger_app:fd use;
+ allow incident media_rw_data_file:file append;
+')
diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te
new file mode 100644
index 00000000..9b2da73d
--- /dev/null
+++ b/whitechapel/vendor/google/init-insmod-sh.te
@@ -0,0 +1,16 @@
+type init-insmod-sh, domain;
+type init-insmod-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(init-insmod-sh)
+
+allow init-insmod-sh self:capability sys_module;
+allow init-insmod-sh sysfs_leds:dir r_dir_perms;
+allow init-insmod-sh vendor_kernel_modules:system module_load;
+allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans;
+
+set_prop(init-insmod-sh, vendor_device_prop)
+
+userdebug_or_eng(`
+ allow init-insmod-sh vendor_regmap_debugfs:dir search;
+')
+
+dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
diff --git a/whitechapel/vendor/google/init.te b/whitechapel/vendor/google/init.te
new file mode 100644
index 00000000..5d6a6810
--- /dev/null
+++ b/whitechapel/vendor/google/init.te
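Review bot: `dontaudit init-insmod-sh proc_cmdline:file r_file_perms;` silences a read of /proc/cmdline without saying why the script reads it or why the read is not simply allowed; a dontaudit hides exactly the denial the next reviewer would need to understand the domain. Either allow it with a comment naming what is parsed from the kernel command line, or keep the dontaudit with a comment such as `# TODO: explain why the /proc/cmdline read is suppressed rather than allowed`. The `self:capability sys_module` plus `vendor_kernel_modules:system module_load` pair is the expected shape for a module loader and looks right.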
@@ -0,0 +1,20 @@
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init modem_img_file:dir mounton;
+allow init mnt_vendor_file:dir mounton;
+allow init modem_img_file:filesystem { getattr mount relabelfrom };
+
+allow init persist_file:dir mounton;
+allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+allow init ram_device:blk_file w_file_perms;
+allow init per_boot_file:file ioctl;
+allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };
+allow init sysfs_scsi_devices_0000:file w_file_perms;
diff --git a/whitechapel/vendor/google/init_radio.te b/whitechapel/vendor/google/init_radio.te
new file mode 100644
index 00000000..3a29edf3
--- /dev/null
+++ b/whitechapel/vendor/google/init_radio.te
@@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/installd.te b/whitechapel/vendor/google/installd.te
new file mode 100644
index 00000000..44e74c63
--- /dev/null
+++ b/whitechapel/vendor/google/installd.te
@@ -0,0 +1 @@
+dontaudit installd modem_img_file:filesystem quotaget;
diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te
new file mode 100644
index 00000000..0156784e
--- /dev/null
+++ b/whitechapel/vendor/google/kernel.te
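Review bot: `allow init ram_device:blk_file w_file_perms;`, the `per_boot_file:file ioctl` pair with `F2FS_IOC_SET_PIN_FILE`, and `allow init sysfs_scsi_devices_0000:file w_file_perms;` are write grants to the most privileged domain with no comment, while the boot_block_device rule just above explains its vbmeta-chaining rationale in five lines. Each deserves a one-line why; for the ioctl pair, kernel.te in this commit files per_boot_file under `# ZRam`, so something like `# pin the zram backing file on f2fs so GC does not relocate it` is the kind of note wanted, if that is indeed the purpose. The `modem_img_file:filesystem { getattr mount relabelfrom }` rule should likewise name the mount it serves.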
@@ -0,0 +1,9 @@
+allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:file r_file_perms;
+
+# ZRam
+allow kernel per_boot_file:file r_file_perms;
+
+# memlat needs permision to create/delete perf events when hotplug on/off
+allow kernel self:capability2 perfmon;
+allow kernel self:perf_event cpu;
diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf
new file mode 100644
index 00000000..175d09de
--- /dev/null
+++ b/whitechapel/vendor/google/keys.conf
@@ -0,0 +1,5 @@
+[@MDS]
+ALL : device/google/gs201-sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem
+
+[@UWB]
+ALL : device/google/gs201-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
diff --git a/whitechapel/vendor/google/lhd.te b/whitechapel/vendor/google/lhd.te
new file mode 100644
index 00000000..e980897c
--- /dev/null
+++ b/whitechapel/vendor/google/lhd.te
@@ -0,0 +1,23 @@
+type lhd, domain;
+type lhd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(lhd)
+
+# Allow lhd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute lhd mlstrustedsubject;
+ allow lhd logger_app:unix_stream_socket connectto;
+')
+
+# Allow lhd access data vendor gps files
+allow lhd vendor_gps_file:dir create_dir_perms;
+allow lhd vendor_gps_file:file create_file_perms;
+allow lhd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow lhd to obtain wakelock
+wakelock_use(lhd)
+
+# Allow lhd access /dev/bbd_control file
+allow lhd vendor_gnss_device:chr_file rw_file_perms;
+
+# Allow lhd access nstandby gpio
+allow lhd sysfs_gps:file rw_file_perms;
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te
new file mode 100644
index 00000000..fac3b5ea
--- /dev/null
+++ b/whitechapel/vendor/google/logger_app.te
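Review bot: keys.conf maps the @MDS and @UWB tags to certificates under device/google/gs201-sepolicy/whitechapel/vendor/google/certs/, but no certs/ path appears in the part of this commit's diffstat that is visible here, so it is worth confirming the two .pem files are actually added (mac_permissions.xml, whose body did not survive rendering on this page, is what consumes these tags). The `ALL :` selector trusts the same certificate for every build variant, which is the usual choice for release keys but should be stated in a comment so nobody later assumes a debug-only key.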
@@ -0,0 +1,27 @@
+userdebug_or_eng(`
+ allow logger_app radio_vendor_data_file:file create_file_perms;
+ allow logger_app radio_vendor_data_file:dir create_dir_perms;
+ allow logger_app vendor_slog_file:file {r_file_perms unlink};
+ allow logger_app vendor_gps_file:file create_file_perms;
+ allow logger_app vendor_gps_file:dir create_dir_perms;
+ allow logger_app sysfs_sscoredump_level:file r_file_perms;
+ r_dir_file(logger_app, ramdump_vendor_data_file)
+ r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
+ r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
+
+ get_prop(logger_app, usb_control_prop)
+ set_prop(logger_app, vendor_logger_prop)
+ set_prop(logger_app, vendor_modem_prop)
+ set_prop(logger_app, vendor_gps_prop)
+ set_prop(logger_app, vendor_audio_prop)
+ set_prop(logger_app, vendor_tcpdump_log_prop)
+ set_prop(logger_app, vendor_ramdump_prop)
+ set_prop(logger_app, vendor_ssrdump_prop)
+ set_prop(logger_app, vendor_rild_prop)
+ set_prop(logger_app, logpersistd_logging_prop)
+ set_prop(logger_app, logd_prop)
+ set_prop(logger_app, vendor_usb_config_prop)
+ set_prop(logger_app, vendor_wifi_sniffer_prop)
+
+ dontaudit logger_app default_prop:file { read };
+')
diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml
new file mode 100644
index 00000000..6cf15728
--- /dev/null
+++ b/whitechapel/vendor/google/mac_permissions.xml
@@ -0,0 +1,30 @@
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te
new file mode 100644
index 00000000..ed7c1adf
--- /dev/null
+++ b/whitechapel/vendor/google/mediacodec.te
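Review bot: `dontaudit logger_app default_prop:file { read };` suppresses reads of properties that fall through to the default_prop label, i.e. properties with no property_contexts entry, so a mislabelled property the app depends on will never appear in the audit log. The better fix is to label the properties the app actually reads and drop the dontaudit, or at least add a comment listing which properties are known to fall through. The set_prop list also names `vendor_ramdump_prop` and `vendor_wifi_sniffer_prop`, neither of which is declared in this commit's property.te (L110 hunk); presumably another policy directory declares them, but a comment pointing there would save the next reader a search.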
@@ -0,0 +1,9 @@
+userdebug_or_eng(`
+ set_prop(mediacodec, vendor_codec2_debug_prop)
+')
+
+add_service(mediacodec, eco_service)
+allow mediacodec hal_camera_default:binder call;
+allow mediacodec sysfs_video:file r_file_perms;
+allow mediacodec sysfs_video:dir r_dir_perms;
+allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/modem_diagnostics.te b/whitechapel/vendor/google/modem_diagnostics.te
new file mode 100644
index 00000000..7908be1b
--- /dev/null
+++ b/whitechapel/vendor/google/modem_diagnostics.te
@@ -0,0 +1,32 @@
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+net_domain(modem_diagnostic_app)
+
+allow modem_diagnostic_app app_api_service:service_manager find;
+allow modem_diagnostic_app radio_service:service_manager find;
+
+userdebug_or_eng(`
+ binder_call(modem_diagnostic_app, dmd)
+
+ set_prop(modem_diagnostic_app, vendor_cbd_prop)
+ set_prop(modem_diagnostic_app, vendor_rild_prop)
+ set_prop(modem_diagnostic_app, vendor_modem_prop)
+
+ allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms;
+ allow modem_diagnostic_app sysfs_chosen:file r_file_perms;
+
+ allow modem_diagnostic_app vendor_fw_file:file r_file_perms;
+
+ allow modem_diagnostic_app radio_vendor_data_file:dir create_dir_perms;
+ allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms;
+
+ allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms;
+ allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;
+
+ allow modem_diagnostic_app modem_img_file:dir r_dir_perms;
+ allow modem_diagnostic_app modem_img_file:file r_file_perms;
+ allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms;
+
+ allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find;
+')
diff --git a/whitechapel/vendor/google/modem_logging_control.te b/whitechapel/vendor/google/modem_logging_control.te
new file mode 100644
index 00000000..7392297f
--- /dev/null
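Review bot: `allow mediacodec hal_camera_default:binder call;` is a hand-written one-way rule, while every other binder relationship in this commit goes through `binder_call(...)`, which also grants `transfer` and the reverse `fd use`. If the bare `call` is deliberate (mediacodec only calls into the camera HAL and never hands it references), a comment should say so; otherwise `binder_call(mediacodec, hal_camera_default)` keeps the file consistent with its neighbours. The `dmabuf_system_secure_heap_device:chr_file r_file_perms` rule would also benefit from a comment naming the secure-heap use case.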
+++ b/whitechapel/vendor/google/modem_logging_control.te
@@ -0,0 +1,17 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+hwbinder_use(modem_logging_control)
+binder_call(modem_logging_control, dmd)
+
+allow modem_logging_control radio_device:chr_file rw_file_perms;
+allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find;
+allow modem_logging_control radio_vendor_data_file:dir create_dir_perms;
+allow modem_logging_control radio_vendor_data_file:file create_file_perms;
+allow modem_logging_control vendor_slog_file:dir create_dir_perms;
+allow modem_logging_control vendor_slog_file:file create_file_perms;
+
+set_prop(modem_logging_control, vendor_modem_prop)
+get_prop(modem_logging_control, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te
new file mode 100644
index 00000000..eeba9976
--- /dev/null
+++ b/whitechapel/vendor/google/modem_svc_sit.te
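Review bot: modem_logging_control is the one modem-logging domain in this commit that is not wrapped in `userdebug_or_eng(...)` — logger_app, modem_diagnostic_app and ramdump_app all are — yet it gets rw on radio_device, create on vendor_slog_file and radio_vendor_data_file, and set_prop on vendor_modem_prop in user builds. If logging control must be reachable on user builds (presumably for field diagnostics), a header comment stating that and naming its hwbinder caller, e.g. `# Available on user builds: <CALLER_PLACEHOLDER> toggles modem logging through hal_vendor_oem_hwservice`, would make the difference from the debug-only domains intentional rather than accidental.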
@@ -0,0 +1,28 @@
+type modem_svc_sit, domain;
+type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_svc_sit)
+
+hwbinder_use(modem_svc_sit)
+binder_call(modem_svc_sit, rild)
+
+# Grant sysfs_modem access
+allow modem_svc_sit sysfs_modem:file rw_file_perms;
+
+# Grant radio device access
+allow modem_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+
+allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
+allow modem_svc_sit modem_userdata_file:file create_file_perms;
+
+# RIL property
+get_prop(modem_svc_sit, vendor_rild_prop)
+
+# hwservice permission
+allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
+get_prop(modem_svc_sit, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/netutils_wrapper.te b/whitechapel/vendor/google/netutils_wrapper.te
new file mode 100644
index 00000000..ff1be58e
--- /dev/null
+++ b/whitechapel/vendor/google/netutils_wrapper.te
@@ -0,0 +1,7 @@
+allow netutils_wrapper pktrouter:fd use;
+allow netutils_wrapper pktrouter:fifo_file write;
+allow netutils_wrapper pktrouter:netlink_route_socket { read write };
+allow netutils_wrapper pktrouter:packet_socket { read write };
+allow netutils_wrapper pktrouter:rawip_socket { read write };
+allow netutils_wrapper pktrouter:udp_socket { read write };
+allow netutils_wrapper pktrouter_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/ofl_app.te b/whitechapel/vendor/google/ofl_app.te
new file mode 100644
index 00000000..e3f61408
--- /dev/null
+++ b/whitechapel/vendor/google/ofl_app.te
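Review bot: The last line of netutils_wrapper.te, `allow netutils_wrapper pktrouter_device:chr_file rw_file_perms;`, gives the wrapper its own access to the device, on top of the inherited-fd and socket read/write rules that match how AOSP's netutils_wrapper is meant to operate on descriptors handed in by its caller (pktrouter enters it through domain_auto_trans in L108). A direct device grant is outside that pattern; if the wrapped ip/iptables invocation really needs to open the device itself, a comment naming the command and why an inherited fd is not enough would help, otherwise the line can likely be dropped.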
@@ -0,0 +1,17 @@
+# OFLBasicAgent app
+
+type ofl_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ofl_app)
+ net_domain(ofl_app)
+
+ allow ofl_app app_api_service:service_manager find;
+ allow ofl_app nfc_service:service_manager find;
+ allow ofl_app radio_service:service_manager find;
+ allow ofl_app surfaceflinger_service:service_manager find;
+
+ # Access to directly update firmware on secure_element
+ typeattribute secure_element_device mlstrustedobject;
+ allow ofl_app secure_element_device:chr_file rw_file_perms;
+')
diff --git a/whitechapel/vendor/google/omadm.te b/whitechapel/vendor/google/omadm.te
new file mode 100644
index 00000000..3990dd7b
--- /dev/null
+++ b/whitechapel/vendor/google/omadm.te
@@ -0,0 +1,10 @@
+# OMADM app
+type omadm_app, domain;
+
+app_domain(omadm_app)
+net_domain(omadm_app)
+
+allow omadm_app radio_vendor_data_file:dir rw_dir_perms;
+allow omadm_app radio_vendor_data_file:file create_file_perms;
+allow omadm_app app_api_service:service_manager find;
+allow omadm_app radio_service:service_manager find;
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te
new file mode 100644
index 00000000..ba063193
--- /dev/null
+++ b/whitechapel/vendor/google/pixelstats_vendor.te
@@ -0,0 +1,17 @@
+# pixelstats vendor
+type pixelstats_vendor, domain;
+
+type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(pixelstats_vendor)
+
+unix_socket_connect(pixelstats_vendor, chre, chre)
+
+get_prop(pixelstats_vendor, hwservicemanager_prop)
+hwbinder_use(pixelstats_vendor)
+
+binder_call(pixelstats_vendor, stats_service_server)
+binder_use(pixelstats_vendor);
+allow pixelstats_vendor fwk_stats_service:service_manager find;
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
+allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
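Review bot: `typeattribute secure_element_device mlstrustedobject;` changes the MLS trust of the device node globally, not just for ofl_app: in userdebug/eng builds, where this block is compiled in, every domain with an allow rule on secure_element_device is exempted from the MLS constraints on it. That is broader than `# Access to directly update firmware on secure_element` suggests; the comment should state the side effect, e.g. `# mlstrustedobject is device-wide: it lifts MLS constraints for every domain that can reach secure_element_device`. If only the app's own MLS level is the obstacle, `typeattribute ofl_app mlstrustedsubject;` (the form lhd.te uses in this commit) is the narrower option, provided the app-domain neverallows permit it.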
diff --git a/whitechapel/vendor/google/pktrouter.te b/whitechapel/vendor/google/pktrouter.te
new file mode 100644
index 00000000..e06c8db6
--- /dev/null
+++ b/whitechapel/vendor/google/pktrouter.te
@@ -0,0 +1,13 @@
+type pktrouter, domain;
+type pktrouter_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(pktrouter)
+net_domain(pktrouter)
+
+domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper);
+
+allow pktrouter pktrouter_device:chr_file rw_file_perms;
+allow pktrouter self:netlink_route_socket nlmsg_write;
+allow pktrouter self:packet_socket { bind create read write getattr shutdown};
+allow pktrouter self:capability net_raw;
+
+get_prop(pktrouter, vendor_ims_prop);
diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te
new file mode 100644
index 00000000..14cf0554
--- /dev/null
+++ b/whitechapel/vendor/google/platform_app.te
@@ -0,0 +1,24 @@
+binder_call(platform_app, rild)
+allow platform_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+allow platform_app hal_wlc_hwservice:hwservice_manager find;
+binder_call(platform_app, hal_wlc)
+
+allow platform_app nfc_service:service_manager find;
+allow platform_app uwb_service:service_manager find;
+
+allow platform_app fwk_stats_service:service_manager find;
+binder_use(platform_app)
+
+allow platform_app touch_context_service:service_manager find;
+binder_call(platform_app, twoshay)
+
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+get_prop(platform_app, fingerprint_ghbm_prop)
+
+# TODO(b/184768835): remove this once the bug is fixed
+# Fingerprint (UDFPS) LHBM access
+userdebug_or_eng(`
+ allow platform_app sysfs_leds:dir search;
+ allow platform_app sysfs_lhbm:file rw_file_perms;
+')
diff --git a/whitechapel/vendor/google/priv_app.te b/whitechapel/vendor/google/priv_app.te
new file mode 100644
index 00000000..a9b49c33
--- /dev/null
+++ b/whitechapel/vendor/google/priv_app.te
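Review bot: `domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper);` and `get_prop(pktrouter, vendor_ims_prop);` end with a semicolon while `init_daemon_domain(pktrouter)` and `net_domain(pktrouter)` two lines earlier do not, and `{ bind create read write getattr shutdown}` is missing its closing space; style only, but the file mixes conventions within thirteen lines. More substantively, `self:capability net_raw` together with `self:packet_socket` and `netlink_route_socket nlmsg_write` lets the daemon send and receive raw frames and rewrite routes, and nothing in the file says which interface or traffic it routes; a header comment such as `# pktrouter: forwards <TRAFFIC_PLACEHOLDER> between the modem and the IMS stack; needs raw sockets and route updates` would tell a reviewer what the grants are for.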
@@ -0,0 +1,9 @@
+# Allows privileged applications to discover the EdgeTPU service.
+allow priv_app edgetpu_app_service:service_manager find;
+
+# Allows privileged applications to discover the NNAPI TPU service.
+allow priv_app edgetpu_nnapi_service:service_manager find;
+
+# Allows privileged applications to access the EdgeTPU device, except open,
+# which is guarded by the EdgeTPU service.
+allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
new file mode 100644
index 00000000..f1e377f0
--- /dev/null
+++ b/whitechapel/vendor/google/property.te
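Review bot: `allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };` grants every privileged app the full ioctl surface of the EdgeTPU driver once it holds an fd; the comment explains that `open` is gated by the EdgeTPU service, but after the hand-off nothing restricts which ioctl numbers an app can issue. Pair the rule with an allowxperm allowlist of the ioctls the app-facing API needs, `allowxperm priv_app edgetpu_device:chr_file ioctl { <EDGETPU_IOCTL_LIST_PLACEHOLDER> };`, so that driver-internal or privileged commands stay unreachable from app context. The driver's ioctl set is not visible here, so the list has to come from the EdgeTPU owners.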
@@ -0,0 +1,58 @@
+# For Exynos Properties
+vendor_internal_prop(vendor_prop)
+vendor_internal_prop(vendor_ims_prop)
+vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(sensors_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_device_prop)
+vendor_internal_prop(vendor_usb_config_prop)
+vendor_internal_prop(vendor_secure_element_prop)
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_cbd_prop)
+# vendor defaults
+vendor_internal_prop(vendor_config_default_prop)
+vendor_internal_prop(vendor_ro_config_default_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_sys_default_prop)
+vendor_internal_prop(vendor_ro_sys_default_prop)
+vendor_internal_prop(vendor_persist_sys_default_prop)
+vendor_internal_prop(vendor_audio_prop)
+vendor_internal_prop(vendor_codec2_debug_prop)
+vendor_internal_prop(vendor_display_prop)
+vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_camera_debug_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
+vendor_internal_prop(vendor_gps_prop)
+
+# EdgeTPU service requires system public properties
+# since it lives under /system_ext/.
+system_public_prop(vendor_edgetpu_service_prop)
+
+# Battery defender
+vendor_internal_prop(vendor_battery_defender_prop)
+
+# Battery profile for harness mode
+vendor_internal_prop(vendor_battery_profile_prop)
+
+# AoC
+vendor_internal_prop(vendor_aoc_prop)
+
+# Logger
+vendor_internal_prop(vendor_logger_prop)
+
+# NFC
+vendor_internal_prop(vendor_nfc_prop)
+
+# WiFi
+vendor_internal_prop(vendor_wifi_version)
+
+# Touchpanel
+vendor_internal_prop(vendor_touchpanel_prop)
+
+# TCP logging
+vendor_internal_prop(vendor_tcpdump_log_prop)
+
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_fake_prop)
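Review bot: `vendor_internal_prop(sensors_prop)` is the only type in the file without the `vendor_` prefix the other declarations use, and `vendor_wifi_version` is the only one without the `_prop` suffix; neither is referenced in the property_contexts hunk at L112–L114 under those names except vendor_wifi_version, so the first should be renamed or commented with where it is used. Two property types this commit does use — `vendor_ramdump_prop` (property_contexts, logger_app, ramdump_app) and `vendor_wifi_sniffer_prop` (logger_app) — are not declared here; presumably another policy directory declares them, but a note under `# For Exynos Properties` pointing there would stop the next reader from adding duplicates. The `system_public_prop(vendor_edgetpu_service_prop)` comment is a good model for the rest of the file.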
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
new file mode 100644
index 00000000..61497257
--- /dev/null
+++ b/whitechapel/vendor/google/property_contexts
@@ -0,0 +1,125 @@
+# for rild
+persist.vendor.debug_level u:object_r:vendor_rild_prop:s0
+persist.vendor.ril. u:object_r:vendor_rild_prop:s0
+persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+vendor.radio.ril. u:object_r:vendor_rild_prop:s0
+vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
+vendor.ril. u:object_r:vendor_rild_prop:s0
+ro.vendor.build.svn u:object_r:vendor_rild_prop:s0
+
+# for ims service
+vendor.charon. u:object_r:vendor_ims_prop:s0
+vendor.pktrouter u:object_r:vendor_ims_prop:s0
+
+# Ramdump
+persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
+
+# SSR Detector
+vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
+
+# Kernel modules related
+vendor.common.modules.ready u:object_r:vendor_device_prop:s0
+vendor.device.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.devices.ready u:object_r:vendor_device_prop:s0
+
+# for codec2
+vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0
+vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0
+vendor.debug.c2.dump.opt u:object_r:vendor_codec2_debug_prop:s0
+
+# USB HAL
+persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
+vendor.usb. u:object_r:vendor_usb_config_prop:s0
+
+# for modem
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+
+# for logger app
+vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+
+# for cbd
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
+
+# for slog
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
+
+# for dmd
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+
+# vendor default
+vendor.config. u:object_r:vendor_config_default_prop:s0
+ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
+vendor.sys. u:object_r:vendor_sys_default_prop:s0
+ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
+persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
+
+
+# for audio
+vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
+vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
+persist.vendor.audio. u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
+vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
+
+
+# for display
+ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+
+# for camera
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+
+# for gps
+vendor.gps u:object_r:vendor_gps_prop:s0
+
+# for EdgeTPU
+vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
+
+# SecureElement
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+
+# NFC
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+
+# Battery
+vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
+
+# test battery profile
+persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
+
+# AoC
+vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
+
+# WiFi
+vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
+vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
+
+# Touchpanel
+vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0
+
+# Tcpdump_logger
+persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0
+
+# Fingerprint
+vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0
diff --git a/whitechapel/vendor/google/radio.te b/whitechapel/vendor/google/radio.te
new file mode 100644
index 00000000..ffa43521
--- /dev/null
+++ b/whitechapel/vendor/google/radio.te
@@ -0,0 +1 @@
+allow radio hal_exynos_rild_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/ramdump_app.te b/whitechapel/vendor/google/ramdump_app.te
new file mode 100644
index 00000000..308e9fb7
--- /dev/null
+++ b/whitechapel/vendor/google/ramdump_app.te
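Review bot: Several property_contexts entries are written without a trailing dot and without `exact` — `vendor.pktrouter`, `vendor.gps`, `persist.vendor.sys.silentlog`, `vendor.sys.rild_reset`, `ro.vendor.build.svn` among others — and property_contexts matches by prefix unless `exact` is given, so `vendor.gps` also labels any future `vendor.gpsfoo` as vendor_gps_prop. If these are single properties, append `exact` (e.g. `vendor.gps u:object_r:vendor_gps_prop:s0 exact`); if they are namespaces, add the trailing dot. Separately, `ro.vendor.build.svn` is labelled vendor_rild_prop, the same type that rfsd, logger_app and modem_diagnostic_app receive set_prop on in this commit; a read-only build identifier is better kept under its own type (or the vendor_ro_* defaults) than under a label shared with runtime RIL state. This hunk spans L112–L114.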
@@ -0,0 +1,24 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ramdump_app)
+
+ allow ramdump_app app_api_service:service_manager find;
+
+ allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+
+ set_prop(ramdump_app, vendor_ramdump_prop)
+ get_prop(ramdump_app, system_boot_reason_prop)
+
+ # To access ramdumpfs.
+ allow ramdump_app mnt_vendor_file:dir search;
+ allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+ allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
+
+ # To access subsystem ramdump files and dirs.
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+')
diff --git a/whitechapel/vendor/google/recovery.te b/whitechapel/vendor/google/recovery.te
new file mode 100644
index 00000000..6eb97aa3
--- /dev/null
+++ b/whitechapel/vendor/google/recovery.te
@@ -0,0 +1,3 @@
+recovery_only(`
+ allow recovery sysfs_ota:file rw_file_perms;
+')
diff --git a/whitechapel/vendor/google/rfsd.te b/whitechapel/vendor/google/rfsd.te
new file mode 100644
index 00000000..2f7102fc
--- /dev/null
+++ b/whitechapel/vendor/google/rfsd.te
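Review bot: `type ramdump_app, domain;` is declared unconditionally while every rule, including `app_domain(ramdump_app)`, sits inside `userdebug_or_eng`, and the seapp_contexts file added by this same patch maps com.android.ramdump to the domain unconditionally, so on user builds the app would be placed in a domain with no app_domain() rules at all. If that is intended (the app simply cannot run on user builds), say so in a comment above the block, e.g. `# Debug-only: on user builds ramdump_app carries no rules, so the app cannot run.`; otherwise the seapp_contexts entry needs the same gating. Keeping the reads of `sscoredump_vendor_data_coredump_file` inside the debug-only block is the right call, since coredumps can carry arbitrary memory contents.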
@@ -0,0 +1,39 @@
+type rfsd, domain;
+type rfsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rfsd)
+
+# Allow to setuid from root to radio
+allow rfsd self:capability { chown setuid };
+
+# Allow to search block device and mnt dir for modem EFS partitions
+allow rfsd mnt_vendor_file:dir search;
+allow rfsd block_device:dir search;
+
+# Allow to operate with modem EFS file/dir
+allow rfsd modem_efs_file:dir create_dir_perms;
+allow rfsd modem_efs_file:file create_file_perms;
+
+allow rfsd radio_vendor_data_file:dir r_dir_perms;
+allow rfsd radio_vendor_data_file:file r_file_perms;
+
+r_dir_file(rfsd, vendor_fw_file)
+
+# Allow to access rfsd log file/dir
+allow rfsd vendor_log_file:dir search;
+allow rfsd vendor_rfsd_log_file:dir create_dir_perms;
+allow rfsd vendor_rfsd_log_file:file create_file_perms;
+
+# Allow to read/write modem block device
+allow rfsd modem_block_device:blk_file rw_file_perms;
+
+# Allow to operate with radio device
+allow rfsd radio_device:chr_file rw_file_perms;
+
+# Allow to set rild and modem property
+set_prop(rfsd, vendor_modem_prop)
+set_prop(rfsd, vendor_rild_prop)
+
+# Allow rfsd to access modem image file/dir
+allow rfsd modem_img_file:dir r_dir_perms;
+allow rfsd modem_img_file:file r_file_perms;
+allow rfsd modem_img_file:lnk_file r_file_perms;
diff --git a/whitechapel/vendor/google/ril_config_service.te b/whitechapel/vendor/google/ril_config_service.te
new file mode 100644
index 00000000..0ac43317
--- /dev/null
+++ b/whitechapel/vendor/google/ril_config_service.te
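Review bot: `allow rfsd self:capability { chown setuid };` grants CAP_CHOWN and CAP_SETUID outright, and `allow rfsd modem_block_device:blk_file rw_file_perms;` grants raw write to the modem partition, but the comments only restate what is allowed, not why the daemon needs raw block write when it already has `create_file_perms` on `modem_efs_file` for the EFS contents. Please document the write case, e.g. `# rfsd writes the modem EFS partition directly (raw block access) because <reason>; file-level EFS access alone is not sufficient` (placeholder), and confirm whether `r_file_perms` suffices if the raw path is read-only in practice. `chown` is a blanket capability; if it is only used to hand the log/EFS files to the radio uid, a comment naming that use would make future audits of this domain much quicker.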
@@ -0,0 +1,10 @@
+type ril_config_service_app, domain;
+app_domain(ril_config_service_app)
+
+set_prop(ril_config_service_app, vendor_rild_prop)
+allow ril_config_service_app app_api_service:service_manager find;
+allow ril_config_service_app radio_service:service_manager find;
+allow ril_config_service_app radio_vendor_data_file:dir rw_dir_perms;
+allow ril_config_service_app radio_vendor_data_file:file create_file_perms;
+dontaudit ril_config_service_app system_data_file:dir search;
+dontaudit ril_config_service_app user_profile_root_file:dir search;
diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te
new file mode 100644
index 00000000..5dab0eff
--- /dev/null
+++ b/whitechapel/vendor/google/rild.te
@@ -0,0 +1,35 @@
+set_prop(rild, vendor_rild_prop)
+
+get_prop(rild, vendor_persist_config_default_prop)
+get_prop(rild, vendor_ro_config_default_prop)
+set_prop(rild, vendor_sys_default_prop)
+
+get_prop(rild, sota_prop)
+get_prop(rild, system_boot_reason_prop)
+
+allow rild proc_net:file rw_file_perms;
+allow rild radio_vendor_data_file:dir create_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+allow rild vendor_fw_file:file r_file_perms;
+allow rild mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(rild, modem_img_file)
+
+binder_call(rild, bipchmgr)
+binder_call(rild, gpsd)
+binder_call(rild, hal_audio_default)
+binder_call(rild, hal_secure_element_default)
+binder_call(rild, platform_app)
+binder_call(rild, modem_svc_sit)
+binder_call(rild, vendor_ims_app)
+
+# for hal service
+add_hwservice(rild, hal_exynos_rild_hwservice)
+allow rild hal_audio_ext_hwservice:hwservice_manager find;
+
+# Allow rild to access files on modem img.
+allow rild modem_img_file:dir r_dir_perms;
+allow rild modem_img_file:file r_file_perms;
+allow rild modem_img_file:lnk_file r_file_perms;
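Review bot: `allow rild proc_net:file rw_file_perms;` grants write access to the whole `proc_net` label, i.e. every file under /proc/net, and nothing in rild.te says which file rild writes or why. Either narrow it to a dedicated genfscon label for that single path or add a comment naming it, e.g. `# rild writes /proc/net/<file> to <purpose>` (placeholder, the hunk does not show the file). Separately, the last three `allow rild modem_img_file:...` lines duplicate `r_dir_file(rild, modem_img_file)` earlier in the same file, which already expands to dir r_dir_perms plus file and lnk_file r_file_perms; one of the two can go.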
diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te
new file mode 100644
index 00000000..113ef312
--- /dev/null
+++ b/whitechapel/vendor/google/rlsservice.te
@@ -0,0 +1,28 @@
+type rlsservice, domain;
+type rlsservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rlsservice)
+
+vndbinder_use(rlsservice)
+
+add_service(rlsservice, rls_service)
+
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+
+# access device files
+allow rlsservice rls_device:chr_file rw_file_perms;
+
+binder_call(rlsservice, hal_sensors_default)
+binder_call(rlsservice, hal_camera_default)
+
+# Allow access to always-on compute device node
+allow rlsservice device:dir { read watch };
+allow rlsservice aoc_device:chr_file rw_file_perms;
+
+# Allow use of the USF low latency transport
+usf_low_latency_transport(rlsservice)
+
diff --git a/whitechapel/vendor/google/scd.te b/whitechapel/vendor/google/scd.te
new file mode 100644
index 00000000..28aaee0a
--- /dev/null
+++ b/whitechapel/vendor/google/scd.te
@@ -0,0 +1,17 @@
+type scd, domain;
+type scd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(scd)
+
+# Allow scd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute scd mlstrustedsubject;
+ allow scd logger_app:unix_stream_socket connectto;
+')
+
+# Allow a base set of permissions required for network access.
+net_domain(scd);
+
+# Allow scd access data vendor gps files
+allow scd vendor_gps_file:dir create_dir_perms;
+allow scd vendor_gps_file:file create_file_perms;
+allow scd vendor_gps_file:fifo_file create_file_perms;
diff --git a/whitechapel/vendor/google/sced.te b/whitechapel/vendor/google/sced.te
new file mode 100644
index 00000000..43292621
--- /dev/null
+++ b/whitechapel/vendor/google/sced.te
@@ -0,0 +1,23 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(sced)
+
+userdebug_or_eng(`
+typeattribute sced vendor_executes_system_violators;
+
+hwbinder_use(sced)
+binder_call(sced, dmd)
+binder_call(sced, vendor_telephony_app)
+
+get_prop(sced, hwservicemanager_prop)
+allow sced self:packet_socket create_socket_perms_no_ioctl;
+
+allow sced self:capability net_raw;
+allow sced shell_exec:file rx_file_perms;
+allow sced tcpdump_exec:file rx_file_perms;
+allow sced vendor_shell_exec:file x_file_perms;
+allow sced vendor_slog_file:dir create_dir_perms;
+allow sced vendor_slog_file:file create_file_perms;
+allow sced hidl_base_hwservice:hwservice_manager add;
+allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
+')
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
new file mode 100644
index 00000000..34007864
--- /dev/null
+++ b/whitechapel/vendor/google/seapp_contexts
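Review bot: The lines inside the `userdebug_or_eng(` block are not indented, unlike the same construct in ramdump_app.te, scd.te and shell.te in this patch; indenting them makes the debug-only boundary visible at a glance. Since everything in that block, including `vendor_executes_system_violators`, `net_raw` and `rx_file_perms` on `shell_exec`/`tcpdump_exec`, is debug-only, a header comment would help, e.g. `# sced is a debug-only daemon: on user builds it has no rules beyond init_daemon_domain.` The pair `hidl_base_hwservice:hwservice_manager add` plus `hal_vendor_oem_hwservice:hwservice_manager { add find }` is what `add_hwservice(sced, hal_vendor_oem_hwservice)` expands to, except that the macro also emits a neverallow stopping any other domain from registering that hwservice; using the macro, as rild.te does, is both shorter and a stronger guarantee.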
@@ -0,0 +1,46 @@
+# Samsung S.LSI telephony
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all
+
+# Samsung S.LSI IMS
+user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all
+
+# coredump/ramdump
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+# grilservice
+user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Hardware Info Collection
+user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
+
+# Domain for omadm
+user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
+
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# RIL Config Service
+user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
+
+# CBRS setup app
+user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+
+# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
+user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
+
+# Qorvo UWB system app
+user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
diff --git a/whitechapel/vendor/google/securedpud.slider.te b/whitechapel/vendor/google/securedpud.slider.te
new file mode 100644
index 00000000..fd553a30
--- /dev/null
+++ b/whitechapel/vendor/google/securedpud.slider.te
@@ -0,0 +1,9 @@
+type securedpud_slider, domain;
+type securedpud_slider_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(securedpud_slider)
+
+allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms;
+allow securedpud_slider ion_device:chr_file r_file_perms;
+allow securedpud_slider tee_device:chr_file rw_file_perms;
+allow securedpud_slider tui_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
new file mode 100644
index 00000000..c47e63f9
--- /dev/null
+++ b/whitechapel/vendor/google/service.te
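Review bot: Five entries key on package name without a signing certificate: com.shannon.imsservice, com.shannon.imsservice:remote, com.shannon.qualifiednetworksservice, com.google.android.grilservice and com.google.android.hardwareinfo carry `name=` and `isPrivApp=true` but no `seinfo=`, so any privileged app shipping under that package name is placed in the vendor_ims_app / grilservice_app / hardware_info_app domain, while every other entry in the file pins `seinfo=platform` (or `mds`/`uwb`). Unless the platform's seapp_contexts checker already rejects name-only entries, add the appropriate `seinfo=` to those lines. The RIL Config Service line is also the only one without `levelFrom=`; if that is deliberate for `user=radio`, a short comment saying so would save the next reader the question.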
@@ -0,0 +1,6 @@
+type hal_pixel_display_service, service_manager_type, vendor_service;
+type uwb_vendor_service, service_manager_type, vendor_service;
+type touch_context_service, service_manager_type, vendor_service;
+type hal_uwb_service, service_manager_type, vendor_service;
+type edgetpu_vendor_service, service_manager_type, vendor_service;
+type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
new file mode 100644
index 00000000..4e005ec4
--- /dev/null
+++ b/whitechapel/vendor/google/service_contexts
@@ -0,0 +1,11 @@
+# EdgeTPU service
+com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
+com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
+
+# TPU NNAPI Service
+android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
+
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
+uwb_vendor u:object_r:uwb_vendor_service:s0
+hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0
diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te
new file mode 100644
index 00000000..484e1501
--- /dev/null
+++ b/whitechapel/vendor/google/shell.te
@@ -0,0 +1,7 @@
+allow shell eco_service:service_manager find;
+
+# Allow access to the SJTAG kernel interface from the shell
+userdebug_or_eng(`
+ allow shell vendor_sjtag_debugfs:dir r_dir_perms;
+ allow shell vendor_sjtag_debugfs:file rw_file_perms;
+')
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
new file mode 100644
index 00000000..37f571cd
--- /dev/null
+++ b/whitechapel/vendor/google/ssr_detector.te
@@ -0,0 +1,20 @@
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+allow ssr_detector_app system_app_data_file:dir r_dir_perms;
+
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+userdebug_or_eng(`
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+ get_prop(ssr_detector_app, vendor_aoc_prop)
+ allow ssr_detector_app vendor_sjtag_debugfs:dir r_dir_perms;
+ allow ssr_detector_app vendor_sjtag_debugfs:file rw_file_perms;
+')
+
+get_prop(ssr_detector_app, vendor_ssrdump_prop)
+get_prop(ssr_detector_app, vendor_wifi_version)
diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te
new file mode 100644
index 00000000..315300c2
--- /dev/null
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -0,0 +1,9 @@
+type sg_device, dev_type;
+type persist_ss_file, file_type, vendor_persist_type;
+
+allow tee persist_ss_file:dir r_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee sg_device:chr_file rw_file_perms;
+allow tee self:capability { setgid setuid };
diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te
new file mode 100644
index 00000000..b7542fd6
--- /dev/null
+++ b/whitechapel/vendor/google/system_app.te
@@ -0,0 +1,6 @@
+allow system_app sysfs_vendor_sched:file w_file_perms;
+
+allow system_app hal_wlc_hwservice:hwservice_manager find;
+binder_call(system_app, hal_wlc)
+
+allow system_app fwk_stats_hwservice:hwservice_manager find;
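Review bot: storageproxyd.te declares no `storageproxyd` domain; every rule targets `tee`, and the file also introduces the `sg_device` and `persist_ss_file` types, none of which is obvious from the filename. A header comment would prevent the next reader from hunting for the domain, e.g. `# storageproxyd runs in the tee domain; sg_device is the SCSI-generic node it uses for secure storage (presumably the RPMB path — confirm).` `allow tee sg_device:chr_file rw_file_perms;` is raw SCSI-generic access and `self:capability { setgid setuid }` is granted alongside it, so noting which uid the daemon drops to, if that is what the capabilities are for, would document the intended privilege boundary. `persist_ss_file` only receives `dir r_dir_perms` here, so either file access comes from elsewhere or it is missing; a comment either way would settle it.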
diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te
new file mode 100644
index 00000000..001b8556
--- /dev/null
+++ b/whitechapel/vendor/google/system_server.te
@@ -0,0 +1,5 @@
+# Allow system server to send sensor data callbacks to GPS and camera HALs
+binder_call(system_server, gpsd);
+binder_call(system_server, hal_camera_default);
+# Allow system server to find vendor uwb service
+allow system_server uwb_vendor_service:service_manager find;
diff --git a/whitechapel/vendor/google/tcpdump_logger.te b/whitechapel/vendor/google/tcpdump_logger.te
new file mode 100644
index 00000000..f017cedf
--- /dev/null
+++ b/whitechapel/vendor/google/tcpdump_logger.te
@@ -0,0 +1,20 @@
+type tcpdump_logger, domain;
+type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(tcpdump_logger)
+
+ allow tcpdump_logger self:capability net_raw;
+ allow tcpdump_logger self:packet_socket create_socket_perms;
+ allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+ allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+ allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+ set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')
diff --git a/whitechapel/vendor/google/toolbox.te b/whitechapel/vendor/google/toolbox.te
new file mode 100644
index 00000000..9fbbb7ab
--- /dev/null
+++ b/whitechapel/vendor/google/toolbox.te
@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/trusty_apploader.te b/whitechapel/vendor/google/trusty_apploader.te
new file mode 100644
index 00000000..983e3a03
--- /dev/null
+++ b/whitechapel/vendor/google/trusty_apploader.te
@@ -0,0 +1,7 @@
+type trusty_apploader, domain;
+type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(trusty_apploader)
+
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/trusty_metricsd.te b/whitechapel/vendor/google/trusty_metricsd.te
new file mode 100644
index 00000000..63fc85b6
--- /dev/null
+++ b/whitechapel/vendor/google/trusty_metricsd.te
@@ -0,0 +1,11 @@
+type trusty_metricsd, domain;
+type trusty_metricsd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(trusty_metricsd)
+
+allow trusty_metricsd tee_device:chr_file rw_file_perms;
+
+# For Suez metrics collection
+binder_use(trusty_metricsd)
+binder_call(trusty_metricsd, system_server)
+allow trusty_metricsd fwk_stats_service:service_manager find;
diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te
new file mode 100644
index 00000000..ad239702
--- /dev/null
+++ b/whitechapel/vendor/google/twoshay.te
@@ -0,0 +1,10 @@
+type twoshay, domain;
+type twoshay_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(twoshay)
+
+allow twoshay touch_offload_device:chr_file rw_file_perms;
+allow twoshay twoshay:capability sys_nice;
+
+binder_use(twoshay)
+add_service(twoshay, touch_context_service)
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
new file mode 100644
index 00000000..cd7fb41a
--- /dev/null
+++ b/whitechapel/vendor/google/untrusted_app_all.te
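Review bot: `allow twoshay twoshay:capability sys_nice;` in twoshay.te names the domain as its own target, whereas every other new file in this patch that grants a capability writes `self:capability` (rfsd.te, sced.te, tcpdump_logger.te, storageproxyd.te). The two spellings are equivalent for a single type, but `allow twoshay self:capability sys_nice;` is the conventional form and does not silently break if the domain is ever renamed.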
@@ -0,0 +1,10 @@
+# Allows applications to discover the EdgeTPU service.
+allow untrusted_app_all edgetpu_app_service:service_manager find;
+
+# Allows applications to access the EdgeTPU device, except open, which is guarded
+# by the EdgeTPU service.
+allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
+# for secure video playback
+allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/update_engine.te b/whitechapel/vendor/google/update_engine.te
new file mode 100644
index 00000000..a403d9e4
--- /dev/null
+++ b/whitechapel/vendor/google/update_engine.te
@@ -0,0 +1,3 @@
+allow update_engine custom_ab_block_device:blk_file rw_file_perms;
+allow update_engine modem_block_device:blk_file rw_file_perms;
+allow update_engine proc_bootconfig:file r_file_perms;
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te
new file mode 100644
index 00000000..aee5c49f
--- /dev/null
+++ b/whitechapel/vendor/google/uwb_vendor_app.te
@@ -0,0 +1,12 @@
+type uwb_vendor_app, domain;
+
+app_domain(uwb_vendor_app)
+
+add_service(uwb_vendor_app, uwb_vendor_service)
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app hal_uwb_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
diff --git a/whitechapel/vendor/google/vcd.te b/whitechapel/vendor/google/vcd.te
new file mode 100644
index 00000000..c4af485f
--- /dev/null
+++ b/whitechapel/vendor/google/vcd.te
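Review bot: `allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };` gives every untrusted app an unbounded ioctl surface on the accelerator driver once it holds an fd handed over by the EdgeTPU service; the comment explains why `open` is withheld, but nothing limits which ioctl commands an app may issue. Consider pairing the rule with an allowlist, `allowxperm untrusted_app_all edgetpu_device:chr_file ioctl { <EDGETPU_IOCTL_LIST> };` (placeholder; the driver's command numbers are not on this page), the same way tcpdump_logger.te in this patch bounds its packet-socket ioctls. The `neverallow appdomain edgetpu_device:chr_file { open }` guard that this comment relies on lives in edgetpu_app_service.te rather than here, so a cross-reference comment (`# open is denied by the neverallow in edgetpu_app_service.te`) would keep the two from drifting apart.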
@@ -0,0 +1,11 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(vcd)
+
+get_prop(vcd, vendor_rild_prop);
+get_prop(vcd, vendor_persist_config_default_prop);
+
+allow vcd serial_device:chr_file rw_file_perms;
+allow vcd radio_device:chr_file rw_file_perms;
+allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+allow vcd node:tcp_socket node_bind;
diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te
new file mode 100644
index 00000000..d2e671c3
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_ims_app.te
@@ -0,0 +1,15 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+
+allow vendor_ims_app app_api_service:service_manager find;
+allow vendor_ims_app audioserver_service:service_manager find;
+
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow vendor_ims_app radio_service:service_manager find;
+
+allow vendor_ims_app mediaserver_service:service_manager find;
+allow vendor_ims_app cameraserver_service:service_manager find;
+
+binder_call(vendor_ims_app, rild)
+set_prop(vendor_ims_app, vendor_rild_prop)
+set_prop(vendor_ims_app, radio_prop)
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
new file mode 100644
index 00000000..dedeaa7e
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_init.te
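Review bot: `allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };` together with `allow vcd node:tcp_socket node_bind;` makes vcd a TCP listener inside a domain that also holds `rw_file_perms` on `radio_device` and `serial_device`, and nothing in vcd.te says what the listener serves or that it is confined to loopback. No `name_bind` on any port type is granted, so it presumably binds an ephemeral port or that rule lives elsewhere; worth confirming. A comment such as `# vcd listens on a local TCP socket to bridge <purpose> to the radio/serial devices; bound to loopback only` would document the intended exposure, and if the listener exists only for debugging, the two socket rules belong inside `userdebug_or_eng(` … `')`.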
@@ -0,0 +1,36 @@
+set_prop(vendor_init, vendor_device_prop)
+set_prop(vendor_init, vendor_modem_prop)
+set_prop(vendor_init, vendor_cbd_prop)
+set_prop(vendor_init, vendor_rild_prop)
+set_prop(vendor_init, vendor_usb_config_prop)
+set_prop(vendor_init, vendor_slog_prop)
+set_prop(vendor_init, vendor_sys_default_prop)
+set_prop(vendor_init, vendor_ims_prop)
+set_prop(vendor_init, vendor_ssrdump_prop)
+set_prop(vendor_init, vendor_ro_config_default_prop)
+get_prop(vendor_init, vendor_touchpanel_prop)
+set_prop(vendor_init, vendor_edgetpu_service_prop)
+set_prop(vendor_init, vendor_tcpdump_log_prop)
+set_prop(vendor_init, vendor_thermal_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file write;
+allow vendor_init bootdevice_sysdev:file create_file_perms;
+
+userdebug_or_eng(`
+ set_prop(vendor_init, logpersistd_logging_prop)
+')
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
+# Battery defender/harness/profile
+get_prop(vendor_init, test_harness_prop)
+get_prop(vendor_init, vendor_battery_profile_prop)
+set_prop(vendor_init, vendor_battery_defender_prop)
+
+# Fingerprint property
+userdebug_or_eng(`
+ set_prop(vendor_init, vendor_fingerprint_fake_prop)
+')
diff --git a/whitechapel/vendor/google/vendor_shell.te b/whitechapel/vendor/google/vendor_shell.te
new file mode 100644
index 00000000..2ace587a
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_shell.te
@@ -0,0 +1 @@
+set_prop(vendor_shell, vendor_battery_profile_prop)
diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te
new file mode 100644
index 00000000..7d515a8a
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_telephony_app.te
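Review bot: `set_prop(vendor_shell, vendor_battery_profile_prop)` in vendor_shell.te is unconditional, yet the property_contexts hunk of this patch files that type under `# test battery profile` (persist.vendor.testing_battery_profile) and vendor_init only reads it. If the property exists for test setups, wrap the rule in `userdebug_or_eng(` … `')` so a vendor shell on a production build cannot switch the battery profile, or add a one-line comment explaining why it must stay settable on user builds.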
@@ -0,0 +1,22 @@
+type vendor_telephony_app, domain;
+app_domain(vendor_telephony_app)
+
+get_prop(vendor_telephony_app, vendor_rild_prop)
+set_prop(vendor_telephony_app, vendor_persist_sys_default_prop)
+set_prop(vendor_telephony_app, vendor_modem_prop)
+set_prop(vendor_telephony_app, vendor_slog_prop)
+
+allow vendor_telephony_app vendor_slog_file:dir create_dir_perms;
+allow vendor_telephony_app vendor_slog_file:file create_file_perms;
+
+allow vendor_telephony_app app_api_service:service_manager find;
+allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find;
+binder_call(vendor_telephony_app, dmd)
+binder_call(vendor_telephony_app, sced)
+
+userdebug_or_eng(`
+# Silent Logging
+dontaudit vendor_telephony_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_telephony_app system_app_data_file:file create_file_perms;
+dontaudit vendor_telephony_app default_prop:file { getattr open read map };
+')
diff --git a/whitechapel/vendor/google/vndservice.te b/whitechapel/vendor/google/vndservice.te
new file mode 100644
index 00000000..f70a26fe
--- /dev/null
+++ b/whitechapel/vendor/google/vndservice.te
@@ -0,0 +1,4 @@
+type rls_service, vndservice_manager_type;
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
+type vendor_displaycolor_service, vndservice_manager_type;
+type eco_service, vndservice_manager_type;
diff --git a/whitechapel/vendor/google/vndservice_contexts b/whitechapel/vendor/google/vndservice_contexts
new file mode 100644
index 00000000..d44e1cb8
--- /dev/null
+++ b/whitechapel/vendor/google/vndservice_contexts
@@ -0,0 +1,4 @@
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
+rlsservice u:object_r:rls_service:s0
+displaycolor u:object_r:vendor_displaycolor_service:s0
+media.ecoservice u:object_r:eco_service:s0
diff --git a/whitechapel/vendor/google/vold.te b/whitechapel/vendor/google/vold.te
new file mode 100644
index 00000000..ecea1946
--- /dev/null
+++ b/whitechapel/vendor/google/vold.te
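Review bot: `set_prop(vendor_telephony_app, vendor_persist_sys_default_prop)` lets an app domain set every `persist.vendor.sys.*` property that has no more specific label, since the property_contexts hunk in this patch maps that whole prefix to the default type; that is far wider than the slog and modem properties the rest of the file shows the app needs. Prefer a dedicated property type for the specific persist.vendor.sys.<name> keys the app writes, or at minimum a comment naming them so the grant can be narrowed later. In the `userdebug_or_eng` block the rules are unindented and `# Silent Logging` sits inside the block; indenting the rules and moving the comment above `userdebug_or_eng(` matches the layout used in ramdump_app.te and tcpdump_logger.te.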
@@ -0,0 +1,6 @@
+allow vold sysfs_scsi_devices_0000:file rw_file_perms;
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+
+dontaudit vold dumpstate:fifo_file rw_file_perms;
+dontaudit vold dumpstate:fd { use };
diff --git a/whitechapel/vendor/google/wifi_sniffer.te b/whitechapel/vendor/google/wifi_sniffer.te
new file mode 100644
index 00000000..491162a0
--- /dev/null
+++ b/whitechapel/vendor/google/wifi_sniffer.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ allow wifi_sniffer sysfs_wifi:dir search;
+ allow wifi_sniffer sysfs_wifi:file w_file_perms;
+ allow wifi_sniffer self:capability sys_module;
+ dontaudit wifi_sniffer sysfs_wifi:file getattr;
+')
diff --git a/whitechapel/vendor/google/wlcfwupdate.te b/whitechapel/vendor/google/wlcfwupdate.te
new file mode 100644
index 00000000..37c29484
--- /dev/null
+++ b/whitechapel/vendor/google/wlcfwupdate.te
@@ -0,0 +1,12 @@
+# wlcfwupdate service
+type wlcfwupdate, domain;
+type wlcfwupdate_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(wlcfwupdate)
+
+allow wlcfwupdate sysfs_batteryinfo:dir search;
+allow wlcfwupdate sysfs_batteryinfo:file r_file_perms;
+allow wlcfwupdate sysfs_wlc:dir search;
+allow wlcfwupdate sysfs_wlc:file rw_file_perms;
+allow wlcfwupdate vendor_toolbox_exec:file execute_no_trans;
+allow wlcfwupdate vendor_wlc_fwupdata_file:file execute_no_trans;
From 0bad7bc81662699d5de41273261ed6ef1b572750 Mon Sep 17 00:00:00 2001
From: Hyunki Koo
Date: Fri, 21 May 2021 16:04:23 +0900
Subject: [PATCH 004/900] change name 11110000.usb to 11210000.usb
Bug: 188672439
Signed-off-by: Pat Tjin
Signed-off-by: Hyunki Koo
Change-Id: I2de4b90e65176e7c00404428c3659491363b0da9
---
whitechapel/vendor/google/genfs_contexts | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index e532d855..0ef7b23f 100644
--- a/whitechapel/vendor/google/genfs_contexts
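Review bot: `allow wlcfwupdate vendor_wlc_fwupdata_file:file execute_no_trans;` in wlcfwupdate.te executes content from a type named like firmware-update data without a domain transition, so whichever domain can write `vendor_wlc_fwupdata_file` decides what runs with this daemon's `rw_file_perms` on `sysfs_wlc`; the hunk does not show where that type is labelled or whether it lives on a read-only partition. Please add a comment pinning that down, e.g. `# vendor_wlc_fwupdata_file is a read-only vendor-partition script; no runtime domain may write it`, and if that holds, a matching neverallow on write for non-init domains would enforce it. The spelling `fwupdata` reads like a typo of `fwupdate`, but the type is declared elsewhere, so any rename has to be made at the declaration first.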
+++ b/whitechapel/vendor/google/genfs_contexts @@ -67,7 +67,7 @@ genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 # Tethering -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/gadget/net u:object_r:sysfs_net:s0 # Vibrator genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 @@ -90,7 +90,7 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 
@@ -99,7 +99,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-s genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 From c674d9f3e4a716621ca1ece1f59f376c464d0329 Mon Sep 17 00:00:00 2001 From: weichinweng Date: Mon, 31 May 2021 17:18:09 +0800 Subject: [PATCH 005/900] Change gs201 bluetooth uart port to dev/ttySAC18 Bug: 189727579 Test: Bluetooth can be turned ON from settings Change-Id: Ia261c207ac8d1c617c40765c432545a33cc55670 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 8ef29aa3..58f4a691 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -295,7 +295,7 @@ # Bluetooth /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 /dev/wbrc u:object_r:wb_coexistence_dev:s0 -/dev/ttySAC16 u:object_r:hci_attach_dev:s0 +/dev/ttySAC18 u:object_r:hci_attach_dev:s0 /dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 /dev/logbuffer_tty16 u:object_r:logbuffer_device:s0 From 02ccab0539f53e26f2a1d7675314da4cf0891b74 Mon Sep 17 00:00:00 2001 
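Review bot: In the file_contexts hunk the adjacent context line `/dev/logbuffer_tty16 u:object_r:logbuffer_device:s0` still carries the old UART number while the hci_attach_dev node moves from ttySAC16 to ttySAC18; if that logbuffer node is named after the same UART it needs the matching update, otherwise it would no longer match by name and fall back to the generic /dev label. The hunk alone cannot tell which, so it is worth a quick check on the device rather than an assumption either way.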
From: Richard Hsu Date: Tue, 15 Jun 2021 12:05:13 -0700 Subject: [PATCH 006/900] [Bringup] Update SEPolicy for TPU (Janeiro) for PRO. Reuse the same SEPolicy for edgetpu gs101 for gs201. 1. gs101 sepolicy has been refactored into an edgetpu directory, which is meant to be reused. We only need to match the gs201 side to mirror that. This CL references Adam's ag/14911633. 2. In a separate CL, add /dev/janeiro into the common gs101 sepolicy. Bug: 191185522 Test: run_tflite_test_odc passes. https://paste.googleplex.com/5466657955774464 Change-Id: Idd9e47a3c8da70f9dd4696cb7db7d4439e9897d6 --- edgetpu/file_contexts | 2 + .../hal_neuralnetworks_darwinn.te | 14 ------- whitechapel/vendor/google/device.te | 3 -- .../vendor/google/edgetpu_app_service.te | 41 ------------------- whitechapel/vendor/google/edgetpu_logging.te | 15 ------- .../vendor/google/edgetpu_vendor_service.te | 28 ------------- whitechapel/vendor/google/file.te | 9 ---- whitechapel/vendor/google/file_contexts | 25 ----------- whitechapel/vendor/google/genfs_contexts | 4 -- .../google/hal_neuralnetworks_darwinn.te | 35 ---------------- whitechapel/vendor/google/property.te | 4 -- whitechapel/vendor/google/property_contexts | 3 -- whitechapel/vendor/google/service.te | 2 - whitechapel/vendor/google/service_contexts | 7 ---- .../vendor/google/untrusted_app_all.te | 7 ---- whitechapel/vendor/google/vendor_init.te | 1 - 16 files changed, 2 insertions(+), 198 deletions(-) create mode 100644 edgetpu/file_contexts delete mode 100644 whitechapel/vendor/google/edgetpu_app_service.te delete mode 100644 whitechapel/vendor/google/edgetpu_logging.te delete mode 100644 whitechapel/vendor/google/edgetpu_vendor_service.te delete mode 100644 whitechapel/vendor/google/hal_neuralnetworks_darwinn.te diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts new file mode 100644 index 00000000..7b5d25ab --- /dev/null +++ b/edgetpu/file_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+/dev/janeiro u:object_r:edgetpu_device:s0
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te
index 54fa8a2f..e69de29b 100644
--- a/tracking_denials/hal_neuralnetworks_darwinn.te
+++ b/tracking_denials/hal_neuralnetworks_darwinn.te
@@ -1,14 +0,0 @@
-# b/182524105
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-# b/183935302
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 5c6a2d88..039c242b 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -21,9 +21,6 @@ type tui_device, dev_type;
# usbpd
type logbuffer_device, dev_type;
-# EdgeTPU device (DarwiNN)
-type edgetpu_device, dev_type, mlstrustedobject;
-
#cpuctl
type cpuctl_device, dev_type;
diff --git a/whitechapel/vendor/google/edgetpu_app_service.te b/whitechapel/vendor/google/edgetpu_app_service.te
deleted file mode 100644
index ffecdd1f..00000000
--- a/whitechapel/vendor/google/edgetpu_app_service.te
+++ /dev/null
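Review bot: The new `/dev/janeiro u:object_r:edgetpu_device:s0` entry in edgetpu/file_contexts references a type that this same patch deletes from whitechapel/vendor/google/device.te (`type edgetpu_device, dev_type, mlstrustedobject;`), and the `neverallow appdomain edgetpu_device:chr_file { open };` guard that kept apps from opening the TPU directly lives in the deleted edgetpu_app_service.te. Both now have to come from the shared gs101 edgetpu policy the description mentions, but nothing in this patch (the diffstat has no gs201-sepolicy.mk change) shows that directory being compiled into the gs201 build, so either file_contexts fails checkfc on an undefined type or, if the type is defined without the neverallow, the app-open restriction is lost. Please confirm where `edgetpu_device` and its neverallow are defined for gs201, and add a one-line comment such as `# edgetpu_device and its app neverallow are defined in the shared edgetpu policy` so the dependency is visible. The device.te hunk's surrounding type list continues outside this view.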
@@ -1,41 +0,0 @@
-# EdgeTPU app server process which runs the EdgeTPU binder service.
-type edgetpu_app_server, coredomain, domain;
-type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(edgetpu_app_server)
-
-# The server will use binder calls.
-binder_use(edgetpu_app_server);
-
-# The server will serve a binder service.
-binder_service(edgetpu_app_server);
-
-# EdgeTPU binder service type declaration.
-type edgetpu_app_service, service_manager_type;
-
-# EdgeTPU server to register the service to service_manager.
-add_service(edgetpu_app_server, edgetpu_app_service);
-
-# EdgeTPU service needs to access /dev/abrolhos.
-allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
-allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
-allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
-
-# Applications are not allowed to open the EdgeTPU device directly.
-neverallow appdomain edgetpu_device:chr_file { open };
-
-# Allow EdgeTPU service to access the Package Manager service.
-allow edgetpu_app_server package_native_service:service_manager find;
-binder_call(edgetpu_app_server, system_server);
-
-# Allow EdgeTPU service to read EdgeTPU service related system properties.
-get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
-
-# Allow EdgeTPU service to generate Perfetto traces.
-perfetto_producer(edgetpu_app_server);
-
-# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
-allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
-binder_call(edgetpu_app_server, edgetpu_vendor_server);
-
-# Allow EdgeTPU service to log to stats service. (metrics)
-allow edgetpu_app_server fwk_stats_service:service_manager find;
diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/whitechapel/vendor/google/edgetpu_logging.te
deleted file mode 100644
index 8c2f0dc7..00000000
--- a/whitechapel/vendor/google/edgetpu_logging.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type edgetpu_logging, domain;
-type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(edgetpu_logging)
-
-# The logging service accesses /dev/abrolhos
-allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
-
-# Allows the logging service to access /sys/class/edgetpu
-allow edgetpu_logging sysfs_edgetpu:dir search;
-allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;
-
-# Allow TPU logging service to log to stats service. (metrics)
-allow edgetpu_logging fwk_stats_service:service_manager find;
-binder_call(edgetpu_logging, system_server);
-binder_use(edgetpu_logging)
diff --git a/whitechapel/vendor/google/edgetpu_vendor_service.te b/whitechapel/vendor/google/edgetpu_vendor_service.te
deleted file mode 100644
index 538c47b9..00000000
--- a/whitechapel/vendor/google/edgetpu_vendor_service.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# EdgeTPU vendor service.
-type edgetpu_vendor_server, domain;
-type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(edgetpu_vendor_server)
-
-# The vendor service will use binder calls.
-binder_use(edgetpu_vendor_server);
-
-# The vendor service will serve a binder service.
-binder_service(edgetpu_vendor_server);
-
-# EdgeTPU vendor service to register the service to service_manager.
-add_service(edgetpu_vendor_server, edgetpu_vendor_service);
-
-# Allow communications between other vendor services.
-allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
-
-# Allow EdgeTPU vendor service to access its data files.
-allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
-allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
-
-# Allow EdgeTPU vendor service to access Android shared memory allocated
-# by the camera hal for on-device compilation.
-allow edgetpu_vendor_server hal_camera_default:fd use;
-
-# Allow EdgeTPU vendor service to read the kernel version.
-# This is done inside the InitGoogle.
-allow edgetpu_vendor_server proc_version:file r_file_perms;
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 5fd7861e..91b134de 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -134,15 +134,6 @@ type persist_camera_file, file_type;
type vendor_camera_tuning_file, vendor_file_type, file_type;
type vendor_camera_data_file, file_type, data_file_type;
-# EdgeTPU hal data file
-type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
-
-# EdgeTPU vendor service data file
-type edgetpu_vendor_service_data_file, file_type, data_file_type;
-
-# EdgeTPU sysfs
-type sysfs_edgetpu, sysfs_type, fs_type;
-
# Vendor sched files
type sysfs_vendor_sched, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 58f4a691..be07af8d 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -345,8 +345,6 @@
# NeuralNetworks file contexts
/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
-/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0
-/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
# GRIL
/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
@@ -364,29 +362,6 @@
# Citadel StrongBox
/dev/gsc0 u:object_r:citadel_device:s0
-# EdgeTPU device (DarwiNN)
-/dev/abrolhos u:object_r:edgetpu_device:s0
-
-# EdgeTPU logging service
-/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
-
-# EdgeTPU service binaries and libraries
-/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU vendor service
-/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU runtime libraries
-/vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU data files
-/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
-/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
-
# Tetheroffload Service
/dev/dit2 u:object_r:vendor_toe_device:s0
/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 0ef7b23f..531b9747 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -108,10 +108,6 @@ genfscon proc /fts/driver_test
genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
-genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
-
# Vendor sched files
genfscon sysfs /kernel/vendor_sched/bg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
genfscon sysfs /kernel/vendor_sched/bg_prefer_idle u:object_r:sysfs_vendor_sched:s0
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
deleted file mode 100644
index 88a24db9..00000000
--- a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
+++ /dev/null
@@ -1,35 +0,0 @@
-type hal_neuralnetworks_darwinn, domain;
-hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
-
-type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_neuralnetworks_darwinn)
-
-# The TPU HAL looks for TPU instance in /dev/abrolhos
-allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
-
-# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
-allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
-
-# Allow DarwiNN service to access data files.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
-
-# Allow DarwiNN service to access unix sockets for IPC.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms };
-
-# Register to hwbinder service.
-# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te
-hwbinder_use(hal_neuralnetworks_darwinn)
-get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
-
-# Allow TPU HAL to read the kernel version.
-# This is done inside the InitGoogle.
-allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
-
-# Allow TPU NNAPI HAL to log to stats service. (metrics)
-allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
-binder_call(hal_neuralnetworks_darwinn, system_server);
-binder_use(hal_neuralnetworks_darwinn)
-
-# TPU NNAPI to register the service to service_manager.
-add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service);
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
index f1e377f0..5f0c7062 100644
--- a/whitechapel/vendor/google/property.te
+++ b/whitechapel/vendor/google/property.te
@@ -26,10 +26,6 @@ vendor_internal_prop(vendor_camera_debug_prop)
vendor_internal_prop(vendor_camera_fatp_prop)
vendor_internal_prop(vendor_gps_prop)
-# EdgeTPU service requires system public properties
-# since it lives under /system_ext/.
-system_public_prop(vendor_edgetpu_service_prop)
-
# Battery defender
vendor_internal_prop(vendor_battery_defender_prop)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 61497257..94d4065f 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -90,9 +90,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
# for gps
vendor.gps u:object_r:vendor_gps_prop:s0
-# for EdgeTPU
-vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
-
# SecureElement
persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index c47e63f9..99e99483 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -2,5 +2,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service;
type uwb_vendor_service, service_manager_type, vendor_service;
type touch_context_service, service_manager_type, vendor_service;
type hal_uwb_service, service_manager_type, vendor_service;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 4e005ec4..687f8cc8 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,10 +1,3 @@
-# EdgeTPU service
-com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
-com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
-
-# TPU NNAPI Service
-android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
-
com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
uwb_vendor u:object_r:uwb_vendor_service:s0
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index cd7fb41a..a4d8beb8 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -1,10 +1,3 @@
-# Allows applications to discover the EdgeTPU service.
-allow untrusted_app_all edgetpu_app_service:service_manager find;
-
-# Allows applications to access the EdgeTPU device, except open, which is guarded
-# by the EdgeTPU service.
-allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
-
# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
# for secure video playback
allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index dedeaa7e..2759e77c 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -9,7 +9,6 @@ set_prop(vendor_init, vendor_ims_prop)
set_prop(vendor_init, vendor_ssrdump_prop)
set_prop(vendor_init, vendor_ro_config_default_prop)
get_prop(vendor_init, vendor_touchpanel_prop)
-set_prop(vendor_init, vendor_edgetpu_service_prop)
set_prop(vendor_init, vendor_tcpdump_log_prop)
set_prop(vendor_init, vendor_thermal_prop)
From ba494ca01ddaeb8aa7a7abaf2b9ac6860135de2d Mon Sep 17 00:00:00 2001
From: Armelle Laine
Date: Fri, 25 Jun 2021 05:39:07 +0000
Subject: [PATCH 007/900] Add se-policy to /dev/trusty-log0 Allows /dev/trusty-logs to be accessed by dumpstate hal
Test: adb bugreport to include a trusty section in dumpstate_board.txt
Bug: 192036703
Change-Id: Ib4e1825b4167880e05fed0afbc87d2d5f1595790
Signed-off-by: Armelle Laine
---
whitechapel/vendor/google/file_contexts | 1 +
1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index be07af8d..380af288 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -336,6 +336,7 @@
/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
/mnt/vendor/persist/ss(/.*)? u:object_r:tee_data_file:s0
/dev/sg1 u:object_r:sg_device:s0
+/dev/trusty-log0 u:object_r:logbuffer_device:s0
# Battery
/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
From d33073eba51a4faf9f6b9df3a7fe7d4a150a917a Mon Sep 17 00:00:00 2001
From: Ted Wang
Date: Tue, 29 Jun 2021 16:39:31 +0800
Subject: [PATCH 008/900] Grant sepolicy for Bluetooth Ccc Timesync feature Add sepolicy rules for Bluetooth Ccc Timessync
Bug: 191846449
Test: make
Change-Id: Ibca95f7a9bd1da7b2c599d97f46856322e7f3487
---
whitechapel/vendor/google/genfs_contexts | 1 +
whitechapel/vendor/google/hwservice_contexts | 1 +
2 files changed, 2 insertions(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 531b9747..e4a4b2b4 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
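Review bot: Labeling `/dev/trusty-log0` as `logbuffer_device` in the added line gives the Trusty log to every domain that can already read the generic logbuffer nodes (`/dev/logbuffer_btlpm`, `/dev/logbuffer_tty16` use the same type elsewhere in this file), even though the description only needs the dumpstate HAL to read it. Trusty hosts the keymint, gatekeeper and confirmationui services listed a few lines above in this file, so its log is a likely place for TEE-side debug output, and a dedicated type such as `/dev/trusty-log0 u:object_r:trusty_log_device:s0` with `allow hal_dumpstate_default trusty_log_device:chr_file r_file_perms;` would keep that surface limited to the one consumer. Also, the description refers to `/dev/trusty-logs`, which does not match the `/dev/trusty-log0` pattern actually added; it should name the real node.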
@@ -183,6 +183,7 @@ genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state
genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0
# ODPM
genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts
index c00e9572..0bcb1f64 100644
--- a/whitechapel/vendor/google/hwservice_contexts
+++ b/whitechapel/vendor/google/hwservice_contexts
@@ -26,6 +26,7 @@ vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_w
# Bluetooth HAL extension
hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0
# Fingerprint
vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
From c6ac9f51a4e3977452c3a1c85040993a359ab747 Mon Sep 17 00:00:00 2001
From: Armelle Laine
Date: Thu, 15 Jul 2021 00:10:50 +0000
Subject: [PATCH 009/900] Replace se-policy of the deprecated Keymaster HAL with Keymint HAL's
Bug: 193715461
Test: `vendor.keymint-trusty` service up
Change-Id: Ib5d5234a0501c93f56dbdfc2e4796d50e7f0be3a
Signed-off-by: Armelle Laine
---
whitechapel/vendor/google/file_contexts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 380af288..95d5ac31 100644
--- a/whitechapel/vendor/google/file_contexts
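Review bot: The added `hardware.google.bluetooth.ccc::IBluetoothCcc` line reuses `hal_bluetooth_coexistence_hwservice`, so every client domain that may `find` the coexistence hwservice (for SAR or channel avoidance) can now also look up the time-sync interface, and any client later granted CCC access inherits the coexistence interfaces too. If the CCC service has a different caller set, a dedicated type (`type hal_bluetooth_ccc_hwservice, hwservice_manager_type;` plus `hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_ccc_hwservice:s0`) keeps hwservice lookups least-privilege; if sharing is intentional, a comment above the line saying so would stop the next reviewer asking. The same question applies to the genfs hunk, where `/bluetooth/timesync` joins the sleep-control nodes under `proc_bluetooth_writable` and is therefore writable by whichever domains already have that type. The test line says only `make`, so neither the lookup nor the proc write path is shown to be exercised.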
+++ b/whitechapel/vendor/google/file_contexts
@@ -330,7 +330,7 @@
/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0
/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
From 0d404b7105e4c824b7f118a467bb154e4c5bfd19 Mon Sep 17 00:00:00 2001
From: Rick Yiu
Date: Fri, 30 Jul 2021 00:45:03 +0000
Subject: [PATCH 010/900] gs201-sepolicy: Remove sysfs_vendor_sched Moved to system/sepolicy.
Bug: 194656257
Test: build pass
Change-Id: I5b392d001495d77408f2078f3a8e0f9d1eec6e65
---
whitechapel/vendor/google/file.te | 3 --
whitechapel/vendor/google/genfs_contexts | 52 ------------------
2 files changed, 55 deletions(-)
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 91b134de..c2fe2931 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -134,9 +134,6 @@ type persist_camera_file, file_type;
type vendor_camera_tuning_file, vendor_file_type, file_type;
type vendor_camera_data_file, file_type, data_file_type;
-# Vendor sched files
-type sysfs_vendor_sched, sysfs_type, fs_type;
-
# GPS
type vendor_gps_file, file_type, data_file_type;
userdebug_or_eng(`
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index e4a4b2b4..f3d85c7b 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -108,58 +108,6 @@ genfscon proc /fts/driver_test
genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
-# Vendor sched files
-genfscon sysfs /kernel/vendor_sched/bg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/bg_prefer_idle u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/bg_task_spreading u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/bg_uclamp_max u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/bg_uclamp_min u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/cam_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/cam_prefer_idle u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/cam_task_spreading u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/cam_uclamp_max u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/cam_uclamp_min u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/fg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/fg_prefer_idle u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/fg_task_spreading u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/fg_uclamp_max u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/fg_uclamp_min u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/ta_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/ta_prefer_idle u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/ta_task_spreading u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/ta_uclamp_max u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/ta_uclamp_min u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sys_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sys_prefer_idle u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sys_task_spreading u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sys_uclamp_max u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sys_uclamp_min u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sysbg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sysbg_prefer_idle u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sysbg_task_spreading u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sysbg_uclamp_max u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/sysbg_uclamp_min u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/nnapi_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/nnapi_prefer_idle u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/nnapi_task_spreading u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/nnapi_uclamp_max u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/nnapi_uclamp_min u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/clear_group u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/set_task_group_bg u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/set_task_group_cam u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/set_task_group_fg u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/set_task_group_nnapi u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/set_task_group_sys u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/set_task_group_sysbg u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/set_task_group_ta u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/high_capacity_start_cpu u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/uclamp_effective_stats u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/reset_uclamp_stats u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/uclamp_stats u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/uclamp_threshold u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/uclamp_util_diff_stats u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /kernel/vendor_sched/util_threshold u:object_r:sysfs_vendor_sched:s0
-
# GPS
genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
From 3652d4bedad26fedde3299b36bffada1bec1c8b6 Mon Sep 17 00:00:00 2001
From: Jiyong Park
Date: Fri, 6 Aug 2021 19:59:28 +0900
Subject: [PATCH 011/900] Remove ndk_platform backend. Use the ndk backend. The ndk_platform backend will soon be deprecated because the ndk backend can serve the same purpose. This is to eliminate the confusion about having two variants (ndk and ndk_platform) for the same ndk backend.
Bug: 161456198
Test: m
Change-Id: Icc9af3798ac89742fa56b1cb37d8116d99b4a9c2
---
whitechapel/vendor/google/file_contexts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 95d5ac31..ff999dde 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -378,7 +378,7 @@
/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/vulkan\.gs201\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0
# Touch
/dev/touch_offload u:object_r:touch_offload_device:s0
From da3b06d9c445cc4cd5f1b4c4382290f787c9767e Mon Sep 17 00:00:00 2001
From: Richard Hsu
Date: Thu, 12 Aug 2021 15:33:57 -0700
Subject: [PATCH 012/900] [Bringup] Add Janeiro sysfs(s) to part of sysfs_edgetpu group For the logging service to access sysfs, the sysfs needs to be included in the sysfs_edgetpu group. This CL makes gs201 sepolicy on par with the gs101 version, by including janeiro (PRO) in the gs201 setup. gs101 genfs file: https://source.corp.google.com/sc-dev/device/google/gs101-sepolicy/edgetpu/genfs_contexts;l=2?q=sysfs_edgetpu&ct=os
Bug: 196105736
Test: Restarted logging service on cloudripper. No AVC denial.
Change-Id: I4d5fa33e1110c28904f7fffea0024d7688387b11
---
edgetpu/genfs_contexts | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 edgetpu/genfs_contexts
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
new file mode 100644
index 00000000..78e7e959
--- /dev/null
+++ b/edgetpu/genfs_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0
From 827b204adb3e3bd056609263ac1254157bf55b95 Mon Sep 17 00:00:00 2001
From: Ocean Chen
Date: Mon, 16 Aug 2021 07:49:50 +0000
Subject: [PATCH 013/900] storage: update sepolicy for hardwareinfoservice
Bug: 188793183
Test: run pixel/022
Change-Id: I921c4eae0744278896007183a7947f281925b24f
---
tracking_denials/hardware_info_app.te | 4 ----
whitechapel/vendor/google/hardware_info_app.te | 4 ++++
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
index 810cb701..8e02952f 100644
--- a/tracking_denials/hardware_info_app.te
+++ b/tracking_denials/hardware_info_app.te
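Review bot: The new edgetpu/genfs_contexts only labels `/devices/platform/1ce00000.janeiro`, whereas the gs101 entries this series removed earlier (whitechapel/vendor/google/genfs_contexts in patch 006) labeled both the address-prefixed path and a bare `/devices/platform/abrolhos`. If the gs201 kernel also exposes an unprefixed `/devices/platform/janeiro` node, it stays plain `sysfs` and the logging service's `sysfs_edgetpu` rules will not reach it; add `genfscon sysfs /devices/platform/janeiro u:object_r:sysfs_edgetpu:s0` or confirm that only the prefixed node exists. The type `sysfs_edgetpu` was also dropped from whitechapel/vendor/google/file.te in patch 006, so this file relies on the shared edgetpu policy declaring it; a short comment naming that dependency (`# sysfs_edgetpu is declared in the shared edgetpu policy`) would help. The "No AVC denial" test only covers the paths the logging service happened to touch on that device.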
@@ -1,12 +1,8 @@
# b/181177926
-dontaudit hardware_info_app sysfs_scsi_devices_0000:file { getattr };
-dontaudit hardware_info_app sysfs_scsi_devices_0000:file { open };
dontaudit hardware_info_app sysfs_batteryinfo:file { read };
dontaudit hardware_info_app sysfs:file { read };
dontaudit hardware_info_app sysfs:file { open };
dontaudit hardware_info_app sysfs:file { getattr };
-dontaudit hardware_info_app sysfs_scsi_devices_0000:dir { search };
-dontaudit hardware_info_app sysfs_scsi_devices_0000:file { read };
dontaudit hardware_info_app sysfs_batteryinfo:dir { search };
# b/181914888
dontaudit hardware_info_app sysfs_batteryinfo:file { open };
diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te
index c5bfb879..382b531c 100644
--- a/whitechapel/vendor/google/hardware_info_app.te
+++ b/whitechapel/vendor/google/hardware_info_app.te
@@ -7,3 +7,7 @@ allow hardware_info_app app_api_service:service_manager find;
# Display
allow hardware_info_app sysfs_display:dir search;
allow hardware_info_app sysfs_display:file r_file_perms;
+
+# Storage
+allow hardware_info_app sysfs_scsi_devices_0000:dir search;
+allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;
\ No newline at end of file
From 471fb507d18f488cee20a6067b0e25f298372ca1 Mon Sep 17 00:00:00 2001
From: Petri Gynther
Date: Tue, 17 Aug 2021 17:15:27 -0700
Subject: [PATCH 014/900] Add vbmeta_vendor_[ab] to file_contexts
Bug: 197026498
Change-Id: Icd6a6ac7b2cd302a7bc2032241ff1a540eaa5024
---
whitechapel/vendor/google/file_contexts | 1 +
1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index ff999dde..587b20fa 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
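Review bot: The new `allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;` line grants more than the denials it replaces: the removed dontaudit lines recorded only `getattr`, `open` and `read` on the files plus `search` on the directory, while `r_file_perms` in platform policy also carries `ioctl`, `lock` and `map` (worth confirming against the macro definition in the tree). If the app only reads UFS attributes, `allow hardware_info_app sysfs_scsi_devices_0000:file { getattr open read };` matches the observed need and keeps an app domain's reach into raw SCSI sysfs minimal. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which should be fixed so the next append does not produce a noisy diff.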
@@ -72,6 +72,7 @@
 /dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/sda u:object_r:sda_block_device:s0
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
From c1ffe9c177a92aa88d94837474788c606297c4b2 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Tue, 17 Aug 2021 11:46:35 +0800 Subject: [PATCH 015/900] Initialize gs201 to zero Bug: 196916111 Test: boot to home with all services launched Change-Id: I3453fc01cec5fd7b2b2a44a6f20c64e818ce1acd --- OWNERS | 11 ++++ ambient/exo_app.te | 20 ------- ambient/seapp_contexts | 2 - display/common/file.te | 1 - display/common/file_contexts | 1 - display/gs101/genfs_contexts | 14 ----- .../gs101/hal_graphics_composer_default.te | 38 ------------ gs201-sepolicy.mk | 10 +--- {whitechapel/vendor/google => legacy}/aocd.te | 0 .../vendor/google => legacy}/aocdump.te | 0 .../vendor/google => legacy}/attributes | 0 .../vendor/google => legacy}/audioserver.te | 0 .../vendor/google => legacy}/bipchmgr.te | 0 .../vendor/google => legacy}/bootanim.te | 0 .../google => legacy}/bootdevice_sysdev.te | 0 {whitechapel/vendor/google => legacy}/cbd.te | 0 .../vendor/google => legacy}/cbrs_setup.te | 0 .../certs/com_google_mds.x509.pem | 0 .../certs/com_qorvo_uwb.x509.pem | 0 {whitechapel/vendor/google => legacy}/chre.te | 0 .../vendor/google => legacy}/con_monitor.te | 0 .../vendor/google => legacy}/device.te | 0 {whitechapel/vendor/google => legacy}/dmd.te | 0 legacy/domain.te | 23 +++++++ .../vendor/google => legacy}/dumpstate.te | 0 {whitechapel/vendor/google => legacy}/e2fs.te | 0 .../exo_camera_injection/dumpstate.te | 0 .../exo_camera_injection/exo_app.te | 0 .../exo_camera_injection/file_contexts | 0 .../hal_exo_camera_injection.te | 0 .../exo_camera_injection/hwservice.te | 0 .../exo_camera_injection/hwservice_contexts | 0 .../vendor/google => legacy}/fastbootd.te | 0 {whitechapel/vendor/google => legacy}/file.te | 13 ++++ .../vendor/google => legacy}/file_contexts | 11 ++++ {whitechapel/vendor/google => legacy}/fsck.te | 0 .../vendor/google => legacy}/genfs_contexts | 0 {whitechapel/vendor/google => legacy}/gpsd.te | 0 .../google => legacy}/grilservice_app.te | 0 .../google => legacy}/hal_audio_default.te | 0 .../hal_audiometricext_default.te | 0 
.../hal_bluetooth_btlinux.te | 0 .../google => legacy}/hal_bootctl_default.te | 0 .../google => legacy}/hal_camera_default.te | 0 .../google => legacy}/hal_confirmationui.te | 0 .../google => legacy}/hal_contexthub.te | 0 .../google => legacy}/hal_drm_clearkey.te | 0 .../google => legacy}/hal_drm_default.te | 0 .../hal_dumpstate_default.te | 0 .../hal_fingerprint_default.te | 0 .../google => legacy}/hal_gnss_default.te | 0 .../hal_graphics_allocator_default.te | 0 .../hal_graphics_composer_default.te | 0 .../google => legacy}/hal_health_default.te | 0 .../hal_health_storage_default.te | 0 .../hal_neuralnetworks_armnn.te | 0 .../google => legacy}/hal_nfc_default.te | 0 .../google => legacy}/hal_power_default.te | 0 .../hal_power_stats_default.te | 0 .../google => legacy}/hal_radioext_default.te | 0 .../hal_secure_element_default.te | 0 .../hal_tetheroffload_default.te | 0 .../google => legacy}/hal_thermal_default.te | 0 .../vendor/google => legacy}/hal_usb_impl.te | 0 .../google => legacy}/hal_uwb_default.te | 0 .../hal_vendor_hwcservice_default.te | 0 .../vendor/google => legacy}/hal_wifi.te | 0 .../vendor/google => legacy}/hal_wifi_ext.te | 0 .../vendor/google => legacy}/hal_wlc.te | 0 .../google => legacy}/hardware_info_app.te | 0 .../google => legacy}/hbmsvmanager_app.te | 0 .../vendor/google => legacy}/hwservice.te | 0 .../google => legacy}/hwservice_contexts | 0 .../google => legacy}/hwservicemanager.te | 0 .../vendor/google => legacy}/incident.te | 0 .../google => legacy}/init-insmod-sh.te | 0 {whitechapel/vendor/google => legacy}/init.te | 0 .../vendor/google => legacy}/init_radio.te | 0 .../vendor/google => legacy}/installd.te | 0 .../vendor/google => legacy}/kernel.te | 0 legacy/keys.conf | 5 ++ {whitechapel/vendor/google => legacy}/lhd.te | 0 .../vendor/google => legacy}/logger_app.te | 0 .../google => legacy}/mac_permissions.xml | 0 .../vendor/google => legacy}/mediacodec.te | 0 .../google => legacy}/modem_diagnostics.te | 0 .../modem_logging_control.te 
| 0 .../vendor/google => legacy}/modem_svc_sit.te | 0 .../google => legacy}/netutils_wrapper.te | 0 .../vendor/google => legacy}/ofl_app.te | 0 .../vendor/google => legacy}/omadm.te | 0 .../google => legacy}/pixelstats_vendor.te | 0 .../vendor/google => legacy}/pktrouter.te | 0 .../vendor/google => legacy}/platform_app.te | 0 .../vendor/google => legacy}/priv_app.te | 0 .../vendor/google => legacy}/property.te | 0 .../google => legacy}/property_contexts | 0 .../vendor/google => legacy}/radio.te | 0 .../vendor/google => legacy}/ramdump_app.te | 0 .../vendor/google => legacy}/recovery.te | 0 {whitechapel/vendor/google => legacy}/rfsd.te | 0 .../google => legacy}/ril_config_service.te | 0 {whitechapel/vendor/google => legacy}/rild.te | 0 .../vendor/google => legacy}/rlsservice.te | 0 {whitechapel/vendor/google => legacy}/scd.te | 0 {whitechapel/vendor/google => legacy}/sced.te | 0 .../vendor/google => legacy}/seapp_contexts | 0 .../google => legacy}/securedpud.slider.te | 0 .../vendor/google => legacy}/service.te | 0 .../vendor/google => legacy}/service_contexts | 0 .../vendor/google => legacy}/shell.te | 0 .../vendor/google => legacy}/ssr_detector.te | 0 .../vendor/google => legacy}/storageproxyd.te | 0 .../vendor/google => legacy}/system_app.te | 0 .../vendor/google => legacy}/system_server.te | 0 .../google => legacy}/tcpdump_logger.te | 0 {usf => legacy}/te_macros | 0 .../vendor/google => legacy}/toolbox.te | 0 .../google => legacy}/trusty_apploader.te | 0 .../google => legacy}/trusty_metricsd.te | 0 .../vendor/google => legacy}/twoshay.te | 0 .../google => legacy}/untrusted_app_all.te | 0 .../vendor/google => legacy}/update_engine.te | 0 .../google => legacy}/uwb_vendor_app.te | 0 {whitechapel/vendor/google => legacy}/vcd.te | 0 .../google => legacy}/vendor_ims_app.te | 0 .../vendor/google => legacy}/vendor_init.te | 0 .../vendor/google => legacy}/vendor_shell.te | 0 .../google => legacy}/vendor_telephony_app.te | 0 .../vendor/google => legacy}/vndservice.te | 0 
.../google => legacy}/vndservice_contexts | 0 {whitechapel/vendor/google => legacy}/vold.te | 0 .../vendor/google => legacy}/wifi_sniffer.te | 0 .../vendor/google => legacy}/wlcfwupdate.te | 0 private/dex2oat.te | 59 ------------------ private/gmscore_app.te | 2 - private/hal_dumpstate_default.te | 2 - private/incidentd.te | 14 ----- private/lpdumpd.te | 7 --- private/priv_app.te | 19 ------ private/untrusted_app_25.te | 2 - private/wait_for_keymaster.te | 2 - tracking_denials/dumpstate.te | 4 -- tracking_denials/gpsd.te | 11 ---- tracking_denials/hal_camera_default.te | 5 -- tracking_denials/hal_fingerprint_default.te | 15 ----- .../hal_graphics_composer_default.te | 3 - tracking_denials/hal_neuralnetworks_armnn.te | 33 ---------- .../hal_neuralnetworks_darwinn.te | 0 tracking_denials/hal_power_default.te | 12 ---- tracking_denials/hardware_info_app.te | 14 ----- tracking_denials/incidentd.te | 2 - tracking_denials/init.te | 3 - tracking_denials/ofl_app.te | 3 - tracking_denials/pixelstats_vendor.te | 7 --- tracking_denials/priv_app.te | 2 - tracking_denials/servicemanager.te | 3 - tracking_denials/surfaceflinger.te | 12 ---- tracking_denials/trusty_apploader.te | 3 - tracking_denials/untrusted_app.te | 4 -- tracking_denials/update_engine.te | 2 - tracking_denials/vendor_init.te | 2 - usf/file.te | 12 ---- usf/file_contexts | 10 ---- usf/sensor_hal.te | 60 ------------------- whitechapel/vendor/google/domain.te | 1 - whitechapel/vendor/google/keys.conf | 5 -- 167 files changed, 65 insertions(+), 419 deletions(-) create mode 100644 OWNERS delete mode 100644 ambient/exo_app.te delete mode 100644 ambient/seapp_contexts delete mode 100644 display/common/file.te delete mode 100644 display/common/file_contexts delete mode 100644 display/gs101/genfs_contexts delete mode 100644 display/gs101/hal_graphics_composer_default.te rename {whitechapel/vendor/google => legacy}/aocd.te (100%) rename {whitechapel/vendor/google => legacy}/aocdump.te (100%) rename 
{whitechapel/vendor/google => legacy}/attributes (100%) rename {whitechapel/vendor/google => legacy}/audioserver.te (100%) rename {whitechapel/vendor/google => legacy}/bipchmgr.te (100%) rename {whitechapel/vendor/google => legacy}/bootanim.te (100%) rename {whitechapel/vendor/google => legacy}/bootdevice_sysdev.te (100%) rename {whitechapel/vendor/google => legacy}/cbd.te (100%) rename {whitechapel/vendor/google => legacy}/cbrs_setup.te (100%) rename {whitechapel/vendor/google => legacy}/certs/com_google_mds.x509.pem (100%) rename {whitechapel/vendor/google => legacy}/certs/com_qorvo_uwb.x509.pem (100%) rename {whitechapel/vendor/google => legacy}/chre.te (100%) rename {whitechapel/vendor/google => legacy}/con_monitor.te (100%) rename {whitechapel/vendor/google => legacy}/device.te (100%) rename {whitechapel/vendor/google => legacy}/dmd.te (100%) create mode 100644 legacy/domain.te rename {whitechapel/vendor/google => legacy}/dumpstate.te (100%) rename {whitechapel/vendor/google => legacy}/e2fs.te (100%) rename {whitechapel/vendor/google => legacy}/exo_camera_injection/dumpstate.te (100%) rename {whitechapel/vendor/google => legacy}/exo_camera_injection/exo_app.te (100%) rename {whitechapel/vendor/google => legacy}/exo_camera_injection/file_contexts (100%) rename {whitechapel/vendor/google => legacy}/exo_camera_injection/hal_exo_camera_injection.te (100%) rename {whitechapel/vendor/google => legacy}/exo_camera_injection/hwservice.te (100%) rename {whitechapel/vendor/google => legacy}/exo_camera_injection/hwservice_contexts (100%) rename {whitechapel/vendor/google => legacy}/fastbootd.te (100%) rename {whitechapel/vendor/google => legacy}/file.te (93%) rename {whitechapel/vendor/google => legacy}/file_contexts (98%) rename {whitechapel/vendor/google => legacy}/fsck.te (100%) rename {whitechapel/vendor/google => legacy}/genfs_contexts (100%) rename {whitechapel/vendor/google => legacy}/gpsd.te (100%) rename {whitechapel/vendor/google => legacy}/grilservice_app.te 
(100%) rename {whitechapel/vendor/google => legacy}/hal_audio_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_audiometricext_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_bluetooth_btlinux.te (100%) rename {whitechapel/vendor/google => legacy}/hal_bootctl_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_camera_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_confirmationui.te (100%) rename {whitechapel/vendor/google => legacy}/hal_contexthub.te (100%) rename {whitechapel/vendor/google => legacy}/hal_drm_clearkey.te (100%) rename {whitechapel/vendor/google => legacy}/hal_drm_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_dumpstate_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_fingerprint_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_gnss_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_graphics_allocator_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_graphics_composer_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_health_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_health_storage_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_neuralnetworks_armnn.te (100%) rename {whitechapel/vendor/google => legacy}/hal_nfc_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_power_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_power_stats_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_radioext_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_secure_element_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_tetheroffload_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_thermal_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_usb_impl.te (100%) rename {whitechapel/vendor/google => legacy}/hal_uwb_default.te (100%) rename 
{whitechapel/vendor/google => legacy}/hal_vendor_hwcservice_default.te (100%) rename {whitechapel/vendor/google => legacy}/hal_wifi.te (100%) rename {whitechapel/vendor/google => legacy}/hal_wifi_ext.te (100%) rename {whitechapel/vendor/google => legacy}/hal_wlc.te (100%) rename {whitechapel/vendor/google => legacy}/hardware_info_app.te (100%) rename {whitechapel/vendor/google => legacy}/hbmsvmanager_app.te (100%) rename {whitechapel/vendor/google => legacy}/hwservice.te (100%) rename {whitechapel/vendor/google => legacy}/hwservice_contexts (100%) rename {whitechapel/vendor/google => legacy}/hwservicemanager.te (100%) rename {whitechapel/vendor/google => legacy}/incident.te (100%) rename {whitechapel/vendor/google => legacy}/init-insmod-sh.te (100%) rename {whitechapel/vendor/google => legacy}/init.te (100%) rename {whitechapel/vendor/google => legacy}/init_radio.te (100%) rename {whitechapel/vendor/google => legacy}/installd.te (100%) rename {whitechapel/vendor/google => legacy}/kernel.te (100%) create mode 100644 legacy/keys.conf rename {whitechapel/vendor/google => legacy}/lhd.te (100%) rename {whitechapel/vendor/google => legacy}/logger_app.te (100%) rename {whitechapel/vendor/google => legacy}/mac_permissions.xml (100%) rename {whitechapel/vendor/google => legacy}/mediacodec.te (100%) rename {whitechapel/vendor/google => legacy}/modem_diagnostics.te (100%) rename {whitechapel/vendor/google => legacy}/modem_logging_control.te (100%) rename {whitechapel/vendor/google => legacy}/modem_svc_sit.te (100%) rename {whitechapel/vendor/google => legacy}/netutils_wrapper.te (100%) rename {whitechapel/vendor/google => legacy}/ofl_app.te (100%) rename {whitechapel/vendor/google => legacy}/omadm.te (100%) rename {whitechapel/vendor/google => legacy}/pixelstats_vendor.te (100%) rename {whitechapel/vendor/google => legacy}/pktrouter.te (100%) rename {whitechapel/vendor/google => legacy}/platform_app.te (100%) rename {whitechapel/vendor/google => legacy}/priv_app.te (100%) 
rename {whitechapel/vendor/google => legacy}/property.te (100%) rename {whitechapel/vendor/google => legacy}/property_contexts (100%) rename {whitechapel/vendor/google => legacy}/radio.te (100%) rename {whitechapel/vendor/google => legacy}/ramdump_app.te (100%) rename {whitechapel/vendor/google => legacy}/recovery.te (100%) rename {whitechapel/vendor/google => legacy}/rfsd.te (100%) rename {whitechapel/vendor/google => legacy}/ril_config_service.te (100%) rename {whitechapel/vendor/google => legacy}/rild.te (100%) rename {whitechapel/vendor/google => legacy}/rlsservice.te (100%) rename {whitechapel/vendor/google => legacy}/scd.te (100%) rename {whitechapel/vendor/google => legacy}/sced.te (100%) rename {whitechapel/vendor/google => legacy}/seapp_contexts (100%) rename {whitechapel/vendor/google => legacy}/securedpud.slider.te (100%) rename {whitechapel/vendor/google => legacy}/service.te (100%) rename {whitechapel/vendor/google => legacy}/service_contexts (100%) rename {whitechapel/vendor/google => legacy}/shell.te (100%) rename {whitechapel/vendor/google => legacy}/ssr_detector.te (100%) rename {whitechapel/vendor/google => legacy}/storageproxyd.te (100%) rename {whitechapel/vendor/google => legacy}/system_app.te (100%) rename {whitechapel/vendor/google => legacy}/system_server.te (100%) rename {whitechapel/vendor/google => legacy}/tcpdump_logger.te (100%) rename {usf => legacy}/te_macros (100%) rename {whitechapel/vendor/google => legacy}/toolbox.te (100%) rename {whitechapel/vendor/google => legacy}/trusty_apploader.te (100%) rename {whitechapel/vendor/google => legacy}/trusty_metricsd.te (100%) rename {whitechapel/vendor/google => legacy}/twoshay.te (100%) rename {whitechapel/vendor/google => legacy}/untrusted_app_all.te (100%) rename {whitechapel/vendor/google => legacy}/update_engine.te (100%) rename {whitechapel/vendor/google => legacy}/uwb_vendor_app.te (100%) rename {whitechapel/vendor/google => legacy}/vcd.te (100%) rename {whitechapel/vendor/google => 
legacy}/vendor_ims_app.te (100%) rename {whitechapel/vendor/google => legacy}/vendor_init.te (100%) rename {whitechapel/vendor/google => legacy}/vendor_shell.te (100%) rename {whitechapel/vendor/google => legacy}/vendor_telephony_app.te (100%) rename {whitechapel/vendor/google => legacy}/vndservice.te (100%) rename {whitechapel/vendor/google => legacy}/vndservice_contexts (100%) rename {whitechapel/vendor/google => legacy}/vold.te (100%) rename {whitechapel/vendor/google => legacy}/wifi_sniffer.te (100%) rename {whitechapel/vendor/google => legacy}/wlcfwupdate.te (100%) delete mode 100644 private/dex2oat.te delete mode 100644 private/gmscore_app.te delete mode 100644 private/hal_dumpstate_default.te delete mode 100644 private/incidentd.te delete mode 100644 private/lpdumpd.te delete mode 100644 private/priv_app.te delete mode 100644 private/untrusted_app_25.te delete mode 100644 private/wait_for_keymaster.te delete mode 100644 tracking_denials/dumpstate.te delete mode 100644 tracking_denials/gpsd.te delete mode 100644 tracking_denials/hal_camera_default.te delete mode 100644 tracking_denials/hal_fingerprint_default.te delete mode 100644 tracking_denials/hal_graphics_composer_default.te delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te delete mode 100644 tracking_denials/hal_neuralnetworks_darwinn.te delete mode 100644 tracking_denials/hal_power_default.te delete mode 100644 tracking_denials/hardware_info_app.te delete mode 100644 tracking_denials/incidentd.te delete mode 100644 tracking_denials/init.te delete mode 100644 tracking_denials/ofl_app.te delete mode 100644 tracking_denials/pixelstats_vendor.te delete mode 100644 tracking_denials/priv_app.te delete mode 100644 tracking_denials/servicemanager.te delete mode 100644 tracking_denials/surfaceflinger.te delete mode 100644 tracking_denials/trusty_apploader.te delete mode 100644 tracking_denials/untrusted_app.te delete mode 100644 tracking_denials/update_engine.te delete mode 100644 
tracking_denials/vendor_init.te delete mode 100644 usf/file.te delete mode 100644 usf/file_contexts delete mode 100644 usf/sensor_hal.te delete mode 100644 whitechapel/vendor/google/domain.te delete mode 100644 whitechapel/vendor/google/keys.conf diff --git a/OWNERS b/OWNERS new file mode 100644 index 00000000..a24d5fb4 --- /dev/null +++ b/OWNERS @@ -0,0 +1,11 @@ +adamshih@google.com +alanstokes@google.com +bowgotsai@google.com +jbires@google.com +jeffv@google.com +jgalenson@google.com +jiyong@google.com +rurumihong@google.com +sspatil@google.com +smoreland@google.com +trong@google.com diff --git a/ambient/exo_app.te b/ambient/exo_app.te deleted file mode 100644 index ef928f65..00000000 --- a/ambient/exo_app.te +++ /dev/null @@ -1,20 +0,0 @@ -type exo_app, coredomain, domain; - -app_domain(exo_app) -net_domain(exo_app) - -allow exo_app app_api_service:service_manager find; -allow exo_app audioserver_service:service_manager find; -allow exo_app cameraserver_service:service_manager find; -allow exo_app mediaserver_service:service_manager find; -allow exo_app radio_service:service_manager find; -allow exo_app fwk_stats_service:service_manager find; -allow exo_app mediametrics_service:service_manager find; -allow exo_app gpu_device:dir search; - -allow exo_app uhid_device:chr_file rw_file_perms; - -binder_call(exo_app, statsd) -binder_use(exo_app) - -get_prop(exo_app, device_config_runtime_native_boot_prop) diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts deleted file mode 100644 index 8024688c..00000000 --- a/ambient/seapp_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# Domain for Exo app -user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all diff --git a/display/common/file.te b/display/common/file.te deleted file mode 100644 index 3734e33c..00000000 --- a/display/common/file.te +++ /dev/null @@ -1 +0,0 @@ -type persist_display_file, file_type, vendor_persist_type; 
diff --git a/display/common/file_contexts b/display/common/file_contexts deleted file mode 100644 index bca77466..00000000 --- a/display/common/file_contexts +++ /dev/null @@ -1 +0,0 @@ -/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts deleted file mode 100644 index 6b155761..00000000 --- a/display/gs101/genfs_contexts +++ /dev/null @@ -1,14 +0,0 @@ -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 -genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible u:object_r:sysfs_display:s0 - -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 -genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0 - -genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 - -genfscon sysfs /devices/platform/1c300000.drmdecon/dqe/atc u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te deleted file mode 100644 index b5139133..00000000 --- a/display/gs101/hal_graphics_composer_default.te +++ /dev/null 
@@ -1,38 +0,0 @@ -allow hal_graphics_composer_default video_device:chr_file rw_file_perms; -add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) -hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator) -allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; -vndbinder_use(hal_graphics_composer_default) - -userdebug_or_eng(` - allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms; - - # For HWC/libdisplaycolor to generate calibration file. - allow hal_graphics_composer_default persist_display_file:file create_file_perms; - allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms; -') - -# allow HWC/libdisplaycolor to read calibration data -allow hal_graphics_composer_default mnt_vendor_file:dir search; -allow hal_graphics_composer_default persist_file:dir search; -allow hal_graphics_composer_default persist_display_file:file r_file_perms; - -# allow HWC to r/w backlight -allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms; -allow hal_graphics_composer_default sysfs_leds:file rw_file_perms; - -# allow HWC to get vendor_persist_sys_default_prop -get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop) - -# allow HWC to get vendor_display_prop -get_prop(hal_graphics_composer_default, vendor_display_prop) - -# allow HWC to access vendor_displaycolor_service -add_service(hal_graphics_composer_default, vendor_displaycolor_service) - -add_service(hal_graphics_composer_default, hal_pixel_display_service) -binder_use(hal_graphics_composer_default) -get_prop(hal_graphics_composer_default, boot_status_prop); - -# allow HWC to access vendor log file -allow hal_graphics_composer_default vendor_log_file:file create_file_perms; diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 17e22778..b775c68e 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk 
@@ -1,18 +1,12 @@
 # sepolicy that are shared among devices using whitechapel
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel/vendor/google
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/legacy
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private
-# Display
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/display/common
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/display/gs201
-
-# Micro sensor framework (usf)
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/usf
-
 # system_ext
 SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/public
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/private
diff --git a/whitechapel/vendor/google/aocd.te b/legacy/aocd.te
similarity index 100%
rename from whitechapel/vendor/google/aocd.te
rename to legacy/aocd.te
diff --git a/whitechapel/vendor/google/aocdump.te b/legacy/aocdump.te
similarity index 100%
rename from whitechapel/vendor/google/aocdump.te
rename to legacy/aocdump.te
diff --git a/whitechapel/vendor/google/attributes b/legacy/attributes
similarity index 100%
rename from whitechapel/vendor/google/attributes
rename to legacy/attributes
diff --git a/whitechapel/vendor/google/audioserver.te b/legacy/audioserver.te
similarity index 100%
rename from whitechapel/vendor/google/audioserver.te
rename to legacy/audioserver.te
diff --git a/whitechapel/vendor/google/bipchmgr.te b/legacy/bipchmgr.te
similarity index 100%
rename from whitechapel/vendor/google/bipchmgr.te
rename to legacy/bipchmgr.te
diff --git a/whitechapel/vendor/google/bootanim.te b/legacy/bootanim.te
similarity index 100%
rename from whitechapel/vendor/google/bootanim.te
rename to legacy/bootanim.te
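Review bot: The added `BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro` line points at a directory this commit does not populate — the diffstat moves every policy file into `legacy/` and creates nothing under `whitechapel_pro/` — so whether the build tolerates a missing or empty policy directory is the first thing to confirm, and if the directory is meant to be filled in later a comment saying so would stop the next reader from assuming policy is missing. The header comment `# sepolicy that are shared among devices using whitechapel` now sits above two directories with different roles; something like `# gs201 policy: whitechapel_pro holds new rules, legacy holds the carried-over rules to be pruned during bring-up` would describe the new layout.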
diff --git a/whitechapel/vendor/google/bootdevice_sysdev.te b/legacy/bootdevice_sysdev.te
similarity index 100%
rename from whitechapel/vendor/google/bootdevice_sysdev.te
rename to legacy/bootdevice_sysdev.te
diff --git a/whitechapel/vendor/google/cbd.te b/legacy/cbd.te
similarity index 100%
rename from whitechapel/vendor/google/cbd.te
rename to legacy/cbd.te
diff --git a/whitechapel/vendor/google/cbrs_setup.te b/legacy/cbrs_setup.te
similarity index 100%
rename from whitechapel/vendor/google/cbrs_setup.te
rename to legacy/cbrs_setup.te
diff --git a/whitechapel/vendor/google/certs/com_google_mds.x509.pem b/legacy/certs/com_google_mds.x509.pem
similarity index 100%
rename from whitechapel/vendor/google/certs/com_google_mds.x509.pem
rename to legacy/certs/com_google_mds.x509.pem
diff --git a/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem b/legacy/certs/com_qorvo_uwb.x509.pem
similarity index 100%
rename from whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
rename to legacy/certs/com_qorvo_uwb.x509.pem
diff --git a/whitechapel/vendor/google/chre.te b/legacy/chre.te
similarity index 100%
rename from whitechapel/vendor/google/chre.te
rename to legacy/chre.te
diff --git a/whitechapel/vendor/google/con_monitor.te b/legacy/con_monitor.te
similarity index 100%
rename from whitechapel/vendor/google/con_monitor.te
rename to legacy/con_monitor.te
diff --git a/whitechapel/vendor/google/device.te b/legacy/device.te
similarity index 100%
rename from whitechapel/vendor/google/device.te
rename to legacy/device.te
diff --git a/whitechapel/vendor/google/dmd.te b/legacy/dmd.te
similarity index 100%
rename from whitechapel/vendor/google/dmd.te
rename to legacy/dmd.te
diff --git a/legacy/domain.te b/legacy/domain.te
new file mode 100644
index 00000000..392e75c4
--- /dev/null
+++ b/legacy/domain.te
@@ -0,0 +1,23 @@
+allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;
+dontaudit domain file_type:file *;
+dontaudit domain file_type:chr_file *;
+dontaudit domain file_type:dir *;
+dontaudit domain file_type:capability *;
+dontaudit domain file_type:sock_file *;
+dontaudit domain property_type:file *;
+dontaudit domain property_type:property_service *;
+dontaudit domain fs_type:chr_file *;
+dontaudit domain fs_type:file *;
+dontaudit domain fs_type:blk_file *;
+dontaudit domain fs_type:dir *;
+dontaudit domain fs_type:filesystem *;
+dontaudit domain dev_type:file *;
+dontaudit domain dev_type:chr_file *;
+dontaudit domain dev_type:blk_file *;
+dontaudit domain hwservice_manager_type:hwservice_manager *;
+dontaudit domain service_manager_type:service_manager *;
+dontaudit domain domain:capability *;
+dontaudit domain domain:binder *;
+dontaudit domain domain:socket_class_set *;
+dontaudit fs_type fs_type:filesystem *;
+
diff --git a/whitechapel/vendor/google/dumpstate.te b/legacy/dumpstate.te
similarity index 100%
rename from whitechapel/vendor/google/dumpstate.te
rename to legacy/dumpstate.te
diff --git a/whitechapel/vendor/google/e2fs.te b/legacy/e2fs.te
similarity index 100%
rename from whitechapel/vendor/google/e2fs.te
rename to legacy/e2fs.te
diff --git a/whitechapel/vendor/google/exo_camera_injection/dumpstate.te b/legacy/exo_camera_injection/dumpstate.te
similarity index 100%
rename from whitechapel/vendor/google/exo_camera_injection/dumpstate.te
rename to legacy/exo_camera_injection/dumpstate.te
diff --git a/whitechapel/vendor/google/exo_camera_injection/exo_app.te b/legacy/exo_camera_injection/exo_app.te
similarity index 100%
rename from whitechapel/vendor/google/exo_camera_injection/exo_app.te
rename to legacy/exo_camera_injection/exo_app.te
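Review bot: The 21 `dontaudit domain … *;` rules in this new file silence every denial for essentially all domain/class pairs (file_type, fs_type, dev_type, property_type, both service managers, binder, sockets, capabilities), which also silences exactly the denials that the `tracking_denials` directory exists to collect and hides real policy gaps for as long as `legacy/` is in BOARD_SEPOLICY_DIRS. The first line, `allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;`, is likewise a near-global write grant that now sits in a file whose remaining content is pure suppression. Neither group is explained, so at minimum add a header such as `# Bring-up only: the blanket dontaudit rules below suppress all denial logging; remove before this directory is used on a shipping build (b/<bug-id>).`, and consider keeping the `allow` line here and the dontaudit block in a separate file so the suppression can be dropped in a single commit. The trailing empty `+` line can also be removed.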
diff --git a/whitechapel/vendor/google/exo_camera_injection/file_contexts b/legacy/exo_camera_injection/file_contexts
similarity index 100%
rename from whitechapel/vendor/google/exo_camera_injection/file_contexts
rename to legacy/exo_camera_injection/file_contexts
diff --git a/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te b/legacy/exo_camera_injection/hal_exo_camera_injection.te
similarity index 100%
rename from whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
rename to legacy/exo_camera_injection/hal_exo_camera_injection.te
diff --git a/whitechapel/vendor/google/exo_camera_injection/hwservice.te b/legacy/exo_camera_injection/hwservice.te
similarity index 100%
rename from whitechapel/vendor/google/exo_camera_injection/hwservice.te
rename to legacy/exo_camera_injection/hwservice.te
diff --git a/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts b/legacy/exo_camera_injection/hwservice_contexts
similarity index 100%
rename from whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
rename to legacy/exo_camera_injection/hwservice_contexts
diff --git a/whitechapel/vendor/google/fastbootd.te b/legacy/fastbootd.te
similarity index 100%
rename from whitechapel/vendor/google/fastbootd.te
rename to legacy/fastbootd.te
diff --git a/whitechapel/vendor/google/file.te b/legacy/file.te
similarity index 93%
rename from whitechapel/vendor/google/file.te
rename to legacy/file.te
index c2fe2931..c909ebc6 100644
--- a/whitechapel/vendor/google/file.te
+++ b/legacy/file.te
@@ -143,6 +143,7 @@ type sysfs_gps, sysfs_type, fs_type;
 # Display
 type sysfs_display, sysfs_type, fs_type;
+type persist_display_file, file_type, vendor_persist_type;
 # Backlight
 type sysfs_backlight, sysfs_type, fs_type;
@@ -196,3 +197,15 @@ type sysfs_pixelstats, fs_type, sysfs_type; # WLC FW type vendor_wlc_fwupdata_file, vendor_file_type, file_type; +# +# USF file SELinux type enforcements. +# + +# Declare the sensor registry persist file type. By convention, persist file +# types begin with "persist_". +type persist_sensor_reg_file, file_type, vendor_persist_type; + +# Declare the sensor registry data file type. By convention, data file types +# end with "data_file". +type sensor_reg_data_file, file_type, data_file_type; + diff --git a/whitechapel/vendor/google/file_contexts b/legacy/file_contexts similarity index 98% rename from whitechapel/vendor/google/file_contexts rename to legacy/file_contexts index 587b20fa..f2d89778 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/legacy/file_contexts @@ -380,6 +380,7 @@ /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/vulkan\.gs201\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 # Touch /dev/touch_offload u:object_r:touch_offload_device:s0 @@ -437,3 +438,13 @@ # WLC FW update /vendor/bin/wlc_upt/p9412_mtp u:object_r:vendor_wlc_fwupdata_file:s0 /vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0 +# +# USF SELinux file security contexts. +# + +# Sensor registry persist files. +/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 + +# Sensor registry data files. +/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 + diff --git a/whitechapel/vendor/google/fsck.te b/legacy/fsck.te similarity index 100% rename from whitechapel/vendor/google/fsck.te rename to legacy/fsck.te diff --git a/whitechapel/vendor/google/genfs_contexts b/legacy/genfs_contexts similarity index 100% rename from whitechapel/vendor/google/genfs_contexts rename to legacy/genfs_contexts 
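Review bot: `+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0` is inserted between the `/vendor/lib(64)?/…same_process_hal_file` entries and `# Touch`, so a persist path sits in the middle of the graphics-library block, while the sensor registry entries in the next hunk get their own commented section. For consistency I would give it the same treatment, a `# Display persist files.` comment and a slot next to the other `/mnt/vendor/persist/` entries such as the `sensors/registry` one added below, rather than leaving it unlabelled among shared libraries. Assuming no other entry matches that path, placement does not change the label it receives, so this is a readability point only.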
diff --git a/whitechapel/vendor/google/gpsd.te b/legacy/gpsd.te
similarity index 100%
rename from whitechapel/vendor/google/gpsd.te
rename to legacy/gpsd.te
diff --git a/whitechapel/vendor/google/grilservice_app.te b/legacy/grilservice_app.te
similarity index 100%
rename from whitechapel/vendor/google/grilservice_app.te
rename to legacy/grilservice_app.te
diff --git a/whitechapel/vendor/google/hal_audio_default.te b/legacy/hal_audio_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_audio_default.te
rename to legacy/hal_audio_default.te
diff --git a/whitechapel/vendor/google/hal_audiometricext_default.te b/legacy/hal_audiometricext_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_audiometricext_default.te
rename to legacy/hal_audiometricext_default.te
diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/legacy/hal_bluetooth_btlinux.te
similarity index 100%
rename from whitechapel/vendor/google/hal_bluetooth_btlinux.te
rename to legacy/hal_bluetooth_btlinux.te
diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/legacy/hal_bootctl_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_bootctl_default.te
rename to legacy/hal_bootctl_default.te
diff --git a/whitechapel/vendor/google/hal_camera_default.te b/legacy/hal_camera_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_camera_default.te
rename to legacy/hal_camera_default.te
diff --git a/whitechapel/vendor/google/hal_confirmationui.te b/legacy/hal_confirmationui.te
similarity index 100%
rename from whitechapel/vendor/google/hal_confirmationui.te
rename to legacy/hal_confirmationui.te
diff --git a/whitechapel/vendor/google/hal_contexthub.te b/legacy/hal_contexthub.te
similarity index 100%
rename from whitechapel/vendor/google/hal_contexthub.te
rename to legacy/hal_contexthub.te
diff --git a/whitechapel/vendor/google/hal_drm_clearkey.te b/legacy/hal_drm_clearkey.te
similarity index 100%
rename from whitechapel/vendor/google/hal_drm_clearkey.te
rename to legacy/hal_drm_clearkey.te
diff --git a/whitechapel/vendor/google/hal_drm_default.te b/legacy/hal_drm_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_drm_default.te
rename to legacy/hal_drm_default.te
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/legacy/hal_dumpstate_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_dumpstate_default.te
rename to legacy/hal_dumpstate_default.te
diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/legacy/hal_fingerprint_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_fingerprint_default.te
rename to legacy/hal_fingerprint_default.te
diff --git a/whitechapel/vendor/google/hal_gnss_default.te b/legacy/hal_gnss_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_gnss_default.te
rename to legacy/hal_gnss_default.te
diff --git a/whitechapel/vendor/google/hal_graphics_allocator_default.te b/legacy/hal_graphics_allocator_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_graphics_allocator_default.te
rename to legacy/hal_graphics_allocator_default.te
diff --git a/whitechapel/vendor/google/hal_graphics_composer_default.te b/legacy/hal_graphics_composer_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_graphics_composer_default.te
rename to legacy/hal_graphics_composer_default.te
diff --git a/whitechapel/vendor/google/hal_health_default.te b/legacy/hal_health_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_health_default.te
rename to legacy/hal_health_default.te
diff --git a/whitechapel/vendor/google/hal_health_storage_default.te b/legacy/hal_health_storage_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_health_storage_default.te
rename to legacy/hal_health_storage_default.te
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_armnn.te b/legacy/hal_neuralnetworks_armnn.te
similarity index 100%
rename from whitechapel/vendor/google/hal_neuralnetworks_armnn.te
rename to legacy/hal_neuralnetworks_armnn.te
diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/legacy/hal_nfc_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_nfc_default.te
rename to legacy/hal_nfc_default.te
diff --git a/whitechapel/vendor/google/hal_power_default.te b/legacy/hal_power_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_power_default.te
rename to legacy/hal_power_default.te
diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/legacy/hal_power_stats_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_power_stats_default.te
rename to legacy/hal_power_stats_default.te
diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/legacy/hal_radioext_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_radioext_default.te
rename to legacy/hal_radioext_default.te
diff --git a/whitechapel/vendor/google/hal_secure_element_default.te b/legacy/hal_secure_element_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_secure_element_default.te
rename to legacy/hal_secure_element_default.te
diff --git a/whitechapel/vendor/google/hal_tetheroffload_default.te b/legacy/hal_tetheroffload_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_tetheroffload_default.te
rename to legacy/hal_tetheroffload_default.te
diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/legacy/hal_thermal_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_thermal_default.te
rename to legacy/hal_thermal_default.te
diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/legacy/hal_usb_impl.te
similarity index 100%
rename from whitechapel/vendor/google/hal_usb_impl.te
rename to legacy/hal_usb_impl.te
diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/legacy/hal_uwb_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_uwb_default.te
rename to legacy/hal_uwb_default.te
diff --git a/whitechapel/vendor/google/hal_vendor_hwcservice_default.te b/legacy/hal_vendor_hwcservice_default.te
similarity index 100%
rename from whitechapel/vendor/google/hal_vendor_hwcservice_default.te
rename to legacy/hal_vendor_hwcservice_default.te
diff --git a/whitechapel/vendor/google/hal_wifi.te b/legacy/hal_wifi.te
similarity index 100%
rename from whitechapel/vendor/google/hal_wifi.te
rename to legacy/hal_wifi.te
diff --git a/whitechapel/vendor/google/hal_wifi_ext.te b/legacy/hal_wifi_ext.te
similarity index 100%
rename from whitechapel/vendor/google/hal_wifi_ext.te
rename to legacy/hal_wifi_ext.te
diff --git a/whitechapel/vendor/google/hal_wlc.te b/legacy/hal_wlc.te
similarity index 100%
rename from whitechapel/vendor/google/hal_wlc.te
rename to legacy/hal_wlc.te
diff --git a/whitechapel/vendor/google/hardware_info_app.te b/legacy/hardware_info_app.te
similarity index 100%
rename from whitechapel/vendor/google/hardware_info_app.te
rename to legacy/hardware_info_app.te
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/legacy/hbmsvmanager_app.te
similarity index 100%
rename from whitechapel/vendor/google/hbmsvmanager_app.te
rename to legacy/hbmsvmanager_app.te
diff --git a/whitechapel/vendor/google/hwservice.te b/legacy/hwservice.te
similarity index 100%
rename from whitechapel/vendor/google/hwservice.te
rename to legacy/hwservice.te
diff --git a/whitechapel/vendor/google/hwservice_contexts b/legacy/hwservice_contexts
similarity index 100%
rename from whitechapel/vendor/google/hwservice_contexts
rename to legacy/hwservice_contexts
diff --git a/whitechapel/vendor/google/hwservicemanager.te b/legacy/hwservicemanager.te
similarity index 100%
rename from whitechapel/vendor/google/hwservicemanager.te
rename to legacy/hwservicemanager.te
diff --git a/whitechapel/vendor/google/incident.te b/legacy/incident.te
similarity index 100%
rename from whitechapel/vendor/google/incident.te
rename to legacy/incident.te
diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/legacy/init-insmod-sh.te
similarity index 100%
rename from whitechapel/vendor/google/init-insmod-sh.te
rename to legacy/init-insmod-sh.te
diff --git a/whitechapel/vendor/google/init.te b/legacy/init.te
similarity index 100%
rename from whitechapel/vendor/google/init.te
rename to legacy/init.te
diff --git a/whitechapel/vendor/google/init_radio.te b/legacy/init_radio.te
similarity index 100%
rename from whitechapel/vendor/google/init_radio.te
rename to legacy/init_radio.te
diff --git a/whitechapel/vendor/google/installd.te b/legacy/installd.te
similarity index 100%
rename from whitechapel/vendor/google/installd.te
rename to legacy/installd.te
diff --git a/whitechapel/vendor/google/kernel.te b/legacy/kernel.te
similarity index 100%
rename from whitechapel/vendor/google/kernel.te
rename to legacy/kernel.te
diff --git a/legacy/keys.conf b/legacy/keys.conf
new file mode 100644
index 00000000..2681594f
--- /dev/null
+++ b/legacy/keys.conf
@@ -0,0 +1,5 @@
+[@MDS]
+ALL : device/google/gs201-sepolicy/legacy/certs/com_google_mds.x509.pem
+
+[@UWB]
+ALL : device/google/gs201-sepolicy/legacy/certs/com_qorvo_uwb.x509.pem
diff --git a/whitechapel/vendor/google/lhd.te b/legacy/lhd.te
similarity index 100%
rename from whitechapel/vendor/google/lhd.te
rename to legacy/lhd.te
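Review bot: Both `ALL :` entries in the new `legacy/keys.conf` resolve to `device/google/gs201-sepolicy/legacy/certs/…x509.pem`, but nothing visible in this chunk moves or adds a `legacy/certs/` directory, so unless the certificates are relocated elsewhere in the series the `@MDS` and `@UWB` signer tags that `mac_permissions.xml` (renamed into `legacy/` above) refers to will not resolve when the policy is built. Worth confirming the two .pem files land at exactly that path, and that the build does not also pick up an older keys.conf outside `legacy/`, which would give the same tag two definitions. Since the file is new, a short header such as `# Signer tags referenced by mac_permissions.xml; ALL applies the same cert to every build variant` would also help the next reader.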
diff --git a/whitechapel/vendor/google/logger_app.te b/legacy/logger_app.te
similarity index 100%
rename from whitechapel/vendor/google/logger_app.te
rename to legacy/logger_app.te
diff --git a/whitechapel/vendor/google/mac_permissions.xml b/legacy/mac_permissions.xml
similarity index 100%
rename from whitechapel/vendor/google/mac_permissions.xml
rename to legacy/mac_permissions.xml
diff --git a/whitechapel/vendor/google/mediacodec.te b/legacy/mediacodec.te
similarity index 100%
rename from whitechapel/vendor/google/mediacodec.te
rename to legacy/mediacodec.te
diff --git a/whitechapel/vendor/google/modem_diagnostics.te b/legacy/modem_diagnostics.te
similarity index 100%
rename from whitechapel/vendor/google/modem_diagnostics.te
rename to legacy/modem_diagnostics.te
diff --git a/whitechapel/vendor/google/modem_logging_control.te b/legacy/modem_logging_control.te
similarity index 100%
rename from whitechapel/vendor/google/modem_logging_control.te
rename to legacy/modem_logging_control.te
diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/legacy/modem_svc_sit.te
similarity index 100%
rename from whitechapel/vendor/google/modem_svc_sit.te
rename to legacy/modem_svc_sit.te
diff --git a/whitechapel/vendor/google/netutils_wrapper.te b/legacy/netutils_wrapper.te
similarity index 100%
rename from whitechapel/vendor/google/netutils_wrapper.te
rename to legacy/netutils_wrapper.te
diff --git a/whitechapel/vendor/google/ofl_app.te b/legacy/ofl_app.te
similarity index 100%
rename from whitechapel/vendor/google/ofl_app.te
rename to legacy/ofl_app.te
diff --git a/whitechapel/vendor/google/omadm.te b/legacy/omadm.te
similarity index 100%
rename from whitechapel/vendor/google/omadm.te
rename to legacy/omadm.te
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/legacy/pixelstats_vendor.te
similarity index 100%
rename from whitechapel/vendor/google/pixelstats_vendor.te
rename to legacy/pixelstats_vendor.te
diff --git a/whitechapel/vendor/google/pktrouter.te b/legacy/pktrouter.te
similarity index 100%
rename from whitechapel/vendor/google/pktrouter.te
rename to legacy/pktrouter.te
diff --git a/whitechapel/vendor/google/platform_app.te b/legacy/platform_app.te
similarity index 100%
rename from whitechapel/vendor/google/platform_app.te
rename to legacy/platform_app.te
diff --git a/whitechapel/vendor/google/priv_app.te b/legacy/priv_app.te
similarity index 100%
rename from whitechapel/vendor/google/priv_app.te
rename to legacy/priv_app.te
diff --git a/whitechapel/vendor/google/property.te b/legacy/property.te
similarity index 100%
rename from whitechapel/vendor/google/property.te
rename to legacy/property.te
diff --git a/whitechapel/vendor/google/property_contexts b/legacy/property_contexts
similarity index 100%
rename from whitechapel/vendor/google/property_contexts
rename to legacy/property_contexts
diff --git a/whitechapel/vendor/google/radio.te b/legacy/radio.te
similarity index 100%
rename from whitechapel/vendor/google/radio.te
rename to legacy/radio.te
diff --git a/whitechapel/vendor/google/ramdump_app.te b/legacy/ramdump_app.te
similarity index 100%
rename from whitechapel/vendor/google/ramdump_app.te
rename to legacy/ramdump_app.te
diff --git a/whitechapel/vendor/google/recovery.te b/legacy/recovery.te
similarity index 100%
rename from whitechapel/vendor/google/recovery.te
rename to legacy/recovery.te
diff --git a/whitechapel/vendor/google/rfsd.te b/legacy/rfsd.te
similarity index 100%
rename from whitechapel/vendor/google/rfsd.te
rename to legacy/rfsd.te
diff --git a/whitechapel/vendor/google/ril_config_service.te b/legacy/ril_config_service.te
similarity index 100%
rename from whitechapel/vendor/google/ril_config_service.te
rename to legacy/ril_config_service.te
diff --git a/whitechapel/vendor/google/rild.te b/legacy/rild.te
similarity index 100%
rename from whitechapel/vendor/google/rild.te
rename to legacy/rild.te
diff --git a/whitechapel/vendor/google/rlsservice.te b/legacy/rlsservice.te
similarity index 100%
rename from whitechapel/vendor/google/rlsservice.te
rename to legacy/rlsservice.te
diff --git a/whitechapel/vendor/google/scd.te b/legacy/scd.te
similarity index 100%
rename from whitechapel/vendor/google/scd.te
rename to legacy/scd.te
diff --git a/whitechapel/vendor/google/sced.te b/legacy/sced.te
similarity index 100%
rename from whitechapel/vendor/google/sced.te
rename to legacy/sced.te
diff --git a/whitechapel/vendor/google/seapp_contexts b/legacy/seapp_contexts
similarity index 100%
rename from whitechapel/vendor/google/seapp_contexts
rename to legacy/seapp_contexts
diff --git a/whitechapel/vendor/google/securedpud.slider.te b/legacy/securedpud.slider.te
similarity index 100%
rename from whitechapel/vendor/google/securedpud.slider.te
rename to legacy/securedpud.slider.te
diff --git a/whitechapel/vendor/google/service.te b/legacy/service.te
similarity index 100%
rename from whitechapel/vendor/google/service.te
rename to legacy/service.te
diff --git a/whitechapel/vendor/google/service_contexts b/legacy/service_contexts
similarity index 100%
rename from whitechapel/vendor/google/service_contexts
rename to legacy/service_contexts
diff --git a/whitechapel/vendor/google/shell.te b/legacy/shell.te
similarity index 100%
rename from whitechapel/vendor/google/shell.te
rename to legacy/shell.te
diff --git a/whitechapel/vendor/google/ssr_detector.te b/legacy/ssr_detector.te
similarity index 100%
rename from whitechapel/vendor/google/ssr_detector.te
rename to legacy/ssr_detector.te
diff --git a/whitechapel/vendor/google/storageproxyd.te b/legacy/storageproxyd.te
similarity index 100%
rename from whitechapel/vendor/google/storageproxyd.te
rename to legacy/storageproxyd.te
diff --git a/whitechapel/vendor/google/system_app.te b/legacy/system_app.te
similarity index 100%
rename from whitechapel/vendor/google/system_app.te
rename to legacy/system_app.te
diff --git a/whitechapel/vendor/google/system_server.te b/legacy/system_server.te
similarity index 100%
rename from whitechapel/vendor/google/system_server.te
rename to legacy/system_server.te
diff --git a/whitechapel/vendor/google/tcpdump_logger.te b/legacy/tcpdump_logger.te
similarity index 100%
rename from whitechapel/vendor/google/tcpdump_logger.te
rename to legacy/tcpdump_logger.te
diff --git a/usf/te_macros b/legacy/te_macros
similarity index 100%
rename from usf/te_macros
rename to legacy/te_macros
diff --git a/whitechapel/vendor/google/toolbox.te b/legacy/toolbox.te
similarity index 100%
rename from whitechapel/vendor/google/toolbox.te
rename to legacy/toolbox.te
diff --git a/whitechapel/vendor/google/trusty_apploader.te b/legacy/trusty_apploader.te
similarity index 100%
rename from whitechapel/vendor/google/trusty_apploader.te
rename to legacy/trusty_apploader.te
diff --git a/whitechapel/vendor/google/trusty_metricsd.te b/legacy/trusty_metricsd.te
similarity index 100%
rename from whitechapel/vendor/google/trusty_metricsd.te
rename to legacy/trusty_metricsd.te
diff --git a/whitechapel/vendor/google/twoshay.te b/legacy/twoshay.te
similarity index 100%
rename from whitechapel/vendor/google/twoshay.te
rename to legacy/twoshay.te
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/legacy/untrusted_app_all.te
similarity index 100%
rename from whitechapel/vendor/google/untrusted_app_all.te
rename to legacy/untrusted_app_all.te
diff --git a/whitechapel/vendor/google/update_engine.te b/legacy/update_engine.te
similarity index 100%
rename from whitechapel/vendor/google/update_engine.te
rename to legacy/update_engine.te
diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/legacy/uwb_vendor_app.te
similarity index 100%
rename from whitechapel/vendor/google/uwb_vendor_app.te
rename to legacy/uwb_vendor_app.te
diff --git a/whitechapel/vendor/google/vcd.te b/legacy/vcd.te
similarity index 100%
rename from whitechapel/vendor/google/vcd.te
rename to legacy/vcd.te
diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/legacy/vendor_ims_app.te
similarity index 100%
rename from whitechapel/vendor/google/vendor_ims_app.te
rename to legacy/vendor_ims_app.te
diff --git a/whitechapel/vendor/google/vendor_init.te b/legacy/vendor_init.te
similarity index 100%
rename from whitechapel/vendor/google/vendor_init.te
rename to legacy/vendor_init.te
diff --git a/whitechapel/vendor/google/vendor_shell.te b/legacy/vendor_shell.te
similarity index 100%
rename from whitechapel/vendor/google/vendor_shell.te
rename to legacy/vendor_shell.te
diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/legacy/vendor_telephony_app.te
similarity index 100%
rename from whitechapel/vendor/google/vendor_telephony_app.te
rename to legacy/vendor_telephony_app.te
diff --git a/whitechapel/vendor/google/vndservice.te b/legacy/vndservice.te
similarity index 100%
rename from whitechapel/vendor/google/vndservice.te
rename to legacy/vndservice.te
diff --git a/whitechapel/vendor/google/vndservice_contexts b/legacy/vndservice_contexts
similarity index 100%
rename from whitechapel/vendor/google/vndservice_contexts
rename to legacy/vndservice_contexts
diff --git a/whitechapel/vendor/google/vold.te b/legacy/vold.te
similarity index 100%
rename from whitechapel/vendor/google/vold.te
rename to legacy/vold.te
diff --git a/whitechapel/vendor/google/wifi_sniffer.te b/legacy/wifi_sniffer.te
similarity index 100%
rename from whitechapel/vendor/google/wifi_sniffer.te
rename to legacy/wifi_sniffer.te
diff --git a/whitechapel/vendor/google/wlcfwupdate.te b/legacy/wlcfwupdate.te
similarity index 100%
rename from whitechapel/vendor/google/wlcfwupdate.te
rename to legacy/wlcfwupdate.te
diff --git a/private/dex2oat.te b/private/dex2oat.te
deleted file mode 100644
index 50d7852c..00000000
--- a/private/dex2oat.te
+++ /dev/null
@@ -1,59 +0,0 @@ -# b/187016929 -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat proc_filesystems:file read ; -dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat 
vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat proc_filesystems:file read ; -dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; diff --git a/private/gmscore_app.te b/private/gmscore_app.te deleted file mode 100644 index fa20f247..00000000 --- a/private/gmscore_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/177389198 -dontaudit gmscore_app adbd_prop:file *; diff --git a/private/hal_dumpstate_default.te b/private/hal_dumpstate_default.te deleted file mode 100644 index 83c75689..00000000 --- a/private/hal_dumpstate_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/176868217 -dontaudit hal_dumpstate adbd_prop:file *; diff --git a/private/incidentd.te b/private/incidentd.te deleted file mode 100644 index 1557f065..00000000 --- a/private/incidentd.te +++ /dev/null 
@@ -1,14 +0,0 @@
-# b/174961589
-dontaudit incidentd adbd_config_prop:file open ;
-dontaudit incidentd adbd_prop:file getattr ;
-dontaudit incidentd adbd_prop:file open ;
-dontaudit incidentd adbd_config_prop:file open ;
-dontaudit incidentd adbd_config_prop:file getattr ;
-dontaudit incidentd adbd_config_prop:file map ;
-dontaudit incidentd adbd_prop:file open ;
-dontaudit incidentd adbd_prop:file getattr ;
-dontaudit incidentd adbd_prop:file map ;
-dontaudit incidentd apexd_prop:file open ;
-dontaudit incidentd adbd_config_prop:file getattr ;
-dontaudit incidentd adbd_config_prop:file map ;
-dontaudit incidentd adbd_prop:file map ;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
deleted file mode 100644
index 86a101c5..00000000
--- a/private/lpdumpd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/177176997
-dontaudit lpdumpd block_device:blk_file getattr ;
-dontaudit lpdumpd block_device:blk_file getattr ;
-dontaudit lpdumpd block_device:blk_file read ;
-dontaudit lpdumpd block_device:blk_file getattr ;
-dontaudit lpdumpd block_device:blk_file read ;
-dontaudit lpdumpd block_device:blk_file read ;
diff --git a/private/priv_app.te b/private/priv_app.te
deleted file mode 100644
index 2ef1f969..00000000
--- a/private/priv_app.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# b/178433525
-dontaudit priv_app adbd_prop:file { map };
-dontaudit priv_app adbd_prop:file { getattr };
-dontaudit priv_app adbd_prop:file { open };
-dontaudit priv_app ab_update_gki_prop:file { map };
-dontaudit priv_app ab_update_gki_prop:file { getattr };
-dontaudit priv_app ab_update_gki_prop:file { open };
-dontaudit priv_app aac_drc_prop:file { map };
-dontaudit priv_app aac_drc_prop:file { getattr };
-dontaudit priv_app aac_drc_prop:file { open };
-dontaudit priv_app adbd_prop:file { map };
-dontaudit priv_app aac_drc_prop:file { open };
-dontaudit priv_app aac_drc_prop:file { getattr };
-dontaudit priv_app aac_drc_prop:file { map };
-dontaudit priv_app ab_update_gki_prop:file { open };
-dontaudit priv_app ab_update_gki_prop:file { getattr };
-dontaudit priv_app ab_update_gki_prop:file { map };
-dontaudit priv_app adbd_prop:file { open };
-dontaudit priv_app adbd_prop:file { getattr };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
deleted file mode 100644
index f26e0815..00000000
--- a/private/untrusted_app_25.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/177389321
-dontaudit untrusted_app_25 adbd_prop:file *;
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
deleted file mode 100644
index 0e29999c..00000000
--- a/private/wait_for_keymaster.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/188114822
-dontaudit wait_for_keymaster servicemanager:binder transfer;
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
deleted file mode 100644
index 513736b9..00000000
--- a/tracking_denials/dumpstate.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/185723618
-dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/187795940
-dontaudit dumpstate twoshay:binder call;
diff --git a/tracking_denials/gpsd.te b/tracking_denials/gpsd.te
deleted file mode 100644
index fe554396..00000000
--- a/tracking_denials/gpsd.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# b/173969091
-dontaudit gpsd radio_prop:file { read };
-dontaudit gpsd radio_prop:file { open };
-dontaudit gpsd radio_prop:file { map };
-dontaudit gpsd radio_prop:file { map };
-dontaudit gpsd system_data_file:dir { search };
-dontaudit gpsd radio_prop:file { read };
-dontaudit gpsd radio_prop:file { open };
-dontaudit gpsd radio_prop:file { getattr };
-dontaudit gpsd system_data_file:dir { search };
-dontaudit gpsd radio_prop:file { getattr };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
deleted file mode 100644
index 6ab5a51c..00000000
--- a/tracking_denials/hal_camera_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/178980085
-dontaudit hal_camera_default system_data_file:dir { search };
-# b/180567725
-dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
deleted file mode 100644
index e9c6ff2a..00000000
--- a/tracking_denials/hal_fingerprint_default.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# b/183338543
-dontaudit hal_fingerprint_default system_data_root_file:file { read };
-dontaudit hal_fingerprint_default default_prop:file { getattr };
-dontaudit hal_fingerprint_default default_prop:file { map };
-dontaudit hal_fingerprint_default default_prop:file { open };
-dontaudit hal_fingerprint_default default_prop:file { read };
-dontaudit hal_fingerprint_default system_data_root_file:file { open };
-dontaudit hal_fingerprint_default system_data_root_file:file { read };
-dontaudit hal_fingerprint_default default_prop:file { map };
-dontaudit hal_fingerprint_default default_prop:file { getattr };
-dontaudit hal_fingerprint_default default_prop:file { open };
-dontaudit hal_fingerprint_default default_prop:file { read };
-dontaudit hal_fingerprint_default system_data_root_file:file { open };
-# b/187015705
-dontaudit hal_fingerprint_default property_socket:sock_file write;
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
deleted file mode 100644
index ef727b51..00000000
--- a/tracking_denials/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/185723492
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
deleted file mode 100644
index 9ebda637..00000000
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# b/171160755
-dontaudit hal_neuralnetworks_armnn traced:unix_stream_socket connectto ;
-dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager add ;
-dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager find ;
-dontaudit hal_neuralnetworks_armnn hwservicemanager:binder transfer ;
-dontaudit hal_neuralnetworks_armnn hwservicemanager:binder call ;
-dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file map ;
-dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file getattr ;
-dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file open ;
-dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file read ;
-dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
-dontaudit hal_neuralnetworks_armnn gpu_device:chr_file open ;
-dontaudit hal_neuralnetworks_armnn gpu_device:chr_file getattr ;
-dontaudit hal_neuralnetworks_armnn gpu_device:chr_file ioctl ;
-dontaudit hal_neuralnetworks_armnn gpu_device:chr_file map ;
-dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
-dontaudit hal_neuralnetworks_armnn traced_producer_socket:sock_file write ;
-dontaudit hal_neuralnetworks_armnn hidl_base_hwservice:hwservice_manager add ;
-# b/171670122
-dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { read };
-dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { open };
-# b/180550063
-dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
-dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
-# b/180858476
-dontaudit hal_neuralnetworks_armnn default_prop:file { read };
-dontaudit hal_neuralnetworks_armnn default_prop:file { read };
-dontaudit hal_neuralnetworks_armnn default_prop:file { open };
-dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
-dontaudit hal_neuralnetworks_armnn default_prop:file { map };
-dontaudit hal_neuralnetworks_armnn default_prop:file { open };
-dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
-dontaudit hal_neuralnetworks_armnn default_prop:file { map };
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te
deleted file mode 100644
index e69de29b..00000000
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index ab5c7ecd..00000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# b/171760921
-dontaudit hal_power_default hal_power_default:capability { dac_override };
-# b/178331773
-dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs:file { open };
-dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs:file { open };
-# b/178752616
-dontaudit hal_power_default sysfs:file { read };
-dontaudit hal_power_default sysfs:file { getattr };
-dontaudit hal_power_default sysfs:file { read };
-dontaudit hal_power_default sysfs:file { getattr };
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
deleted file mode 100644
index 8e02952f..00000000
--- a/tracking_denials/hardware_info_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# b/181177926
-dontaudit hardware_info_app sysfs_batteryinfo:file { read };
-dontaudit hardware_info_app sysfs:file { read };
-dontaudit hardware_info_app sysfs:file { open };
-dontaudit hardware_info_app sysfs:file { getattr };
-dontaudit hardware_info_app sysfs_batteryinfo:dir { search };
-# b/181914888
-dontaudit hardware_info_app sysfs_batteryinfo:file { open };
-dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
-dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
-# b/181915166
-dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
-dontaudit hardware_info_app sysfs_batteryinfo:file { open };
-dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index a998712f..00000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/187015816
-dontaudit incidentd apex_info_file:file getattr;
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
deleted file mode 100644
index 27d6f882..00000000
--- a/tracking_denials/init.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/180963348
-dontaudit init overlayfs_file:chr_file { unlink };
-dontaudit init overlayfs_file:file { rename };
diff --git a/tracking_denials/ofl_app.te b/tracking_denials/ofl_app.te
deleted file mode 100644
index 525ebdad..00000000
--- a/tracking_denials/ofl_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/184005231
-dontaudit ofl_app default_prop:file { read };
-
diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te
deleted file mode 100644
index 4bc5f01f..00000000
--- a/tracking_denials/pixelstats_vendor.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/183338421
-dontaudit pixelstats_vendor sysfs_dma_heap:dir { search };
-dontaudit pixelstats_vendor sysfs_dma_heap:file { read };
-dontaudit pixelstats_vendor sysfs_dma_heap:file { open };
-dontaudit pixelstats_vendor sysfs_dma_heap:file { getattr };
-# b/188114896
-dontaudit pixelstats_vendor debugfs_mgm:dir read;
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
deleted file mode 100644
index bebe3936..00000000
--- a/tracking_denials/priv_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/187016930
-dontaudit priv_app fwk_stats_service:service_manager find ;
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
deleted file mode 100644
index 0900dcdf..00000000
--- a/tracking_denials/servicemanager.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/182086688
-dontaudit servicemanager hal_sensors_default:binder { call };
-dontaudit servicemanager hal_sensors_default:binder { call };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
deleted file mode 100644
index 1f7fd2ad..00000000
--- a/tracking_denials/surfaceflinger.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# b/176868297
-dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
-# b/177176899
-dontaudit surfaceflinger hal_graphics_composer_default:file open ;
-dontaudit surfaceflinger hal_graphics_composer_default:file read ;
-dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
-dontaudit surfaceflinger hal_graphics_composer_default:file read ;
-dontaudit surfaceflinger hal_graphics_composer_default:file open ;
-dontaudit surfaceflinger hal_graphics_composer_default:file read ;
-dontaudit surfaceflinger hal_graphics_composer_default:file open ;
-dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
-dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te
deleted file mode 100644
index 3f6e9ae9..00000000
--- a/tracking_denials/trusty_apploader.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/182953825
-dontaudit trusty_apploader trusty_apploader:capability { dac_override };
-dontaudit trusty_apploader trusty_apploader:capability { dac_override };
diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te
deleted file mode 100644
index 9b098f88..00000000
--- a/tracking_denials/untrusted_app.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/184593993
-dontaudit untrusted_app vendor_camera_prop:file { read };
-dontaudit untrusted_app vendor_camera_prop:file { read };
-dontaudit untrusted_app vendor_camera_prop:file { read };
diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te
deleted file mode 100644
index 98e7b851..00000000
--- a/tracking_denials/update_engine.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/187016910
-dontaudit update_engine mnt_vendor_file:dir search ;
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
deleted file mode 100644
index d2c20fe1..00000000
--- a/tracking_denials/vendor_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/176528557
-dontaudit vendor_init debugfs_trace_marker:file { getattr };
diff --git a/usf/file.te b/usf/file.te
deleted file mode 100644
index e264c277..00000000
--- a/usf/file.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# USF file SELinux type enforcements.
-#
-
-# Declare the sensor registry persist file type. By convention, persist file
-# types begin with "persist_".
-type persist_sensor_reg_file, file_type, vendor_persist_type;
-
-# Declare the sensor registry data file type. By convention, data file types
-# end with "data_file".
-type sensor_reg_data_file, file_type, data_file_type;
-
diff --git a/usf/file_contexts b/usf/file_contexts
deleted file mode 100644
index ff3d41d3..00000000
--- a/usf/file_contexts
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# USF SELinux file security contexts.
-#
-
-# Sensor registry persist files.
-/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
-
-# Sensor registry data files.
-/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
-
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
deleted file mode 100644
index 233c5231..00000000
--- a/usf/sensor_hal.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# USF sensor HAL SELinux type enforcements.
-#
-
-# Allow reading of sensor registry persist files.
-allow hal_sensors_default persist_file:dir search;
-allow hal_sensors_default mnt_vendor_file:dir search;
-r_dir_file(hal_sensors_default, persist_sensor_reg_file)
-
-# Allow creation and writing of sensor registry data files.
-allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
-allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
-
-# Allow access to the AoC communication driver.
-allow hal_sensors_default aoc_device:chr_file rw_file_perms;
-
-# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
-# to synchronize the AP and AoC clock timestamps.
-allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
-
-# Allow create thread to watch AOC's device.
-allow hal_sensors_default device:dir r_dir_perms;
-
-# Allow access to the files of CDT information.
-r_dir_file(hal_sensors_default, sysfs_chosen)
-
-# Allow display_info_service access to the backlight driver.
-allow hal_sensors_default sysfs_leds:dir search;
-allow hal_sensors_default sysfs_leds:file rw_file_perms;
-
-# Allow access to the power supply files for MagCC.
-r_dir_file(hal_sensors_default, sysfs_batteryinfo)
-allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
-
-# Allow access to sensor service for sensor_listener.
-binder_call(hal_sensors_default, system_server);
-
-# Allow access to the sysfs_aoc.
-allow hal_sensors_default sysfs_aoc:dir search;
-allow hal_sensors_default sysfs_aoc:file r_file_perms;
-
-# Allow use of the USF low latency transport.
-usf_low_latency_transport(hal_sensors_default)
-
-# Allow sensor HAL to reset AOC.
-allow hal_sensors_default sysfs_aoc_reset:file w_file_perms;
-
-#
-# Suez type enforcements.
-#
-
-# Allow SensorSuez to connect AIDL stats.
-binder_use(hal_sensors_default);
-allow hal_sensors_default fwk_stats_service:service_manager find;
-
-# Allow access to CHRE socket to connect to nanoapps.
-unix_socket_connect(hal_sensors_default, chre, chre)
-
-# Allow sensor HAL to read lhbm.
-allow hal_sensors_default sysfs_lhbm:file r_file_perms;
diff --git a/whitechapel/vendor/google/domain.te b/whitechapel/vendor/google/domain.te
deleted file mode 100644
index cffaf8cd..00000000
--- a/whitechapel/vendor/google/domain.te
+++ /dev/null
@@ -1 +0,0 @@
-allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;
diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf
deleted file mode 100644
index 175d09de..00000000
--- a/whitechapel/vendor/google/keys.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[@MDS]
-ALL : device/google/gs201-sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem
-
-[@UWB]
-ALL : device/google/gs201-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
From c2582ecc0165f5f753e54481822a54b4223b0a93 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 17 Aug 2021 14:01:44 +0800
Subject: [PATCH 016/900] review dmd sepolicy
Bug: 196916111
Test: boot with dmd launched successfully
Change-Id: Ic962ab09dcd7697c27f9b2ab68400a0060573888
---
 legacy/file.te | 2 --
 legacy/file_contexts | 18 ------------------
 legacy/hwservice.te | 3 ---
 legacy/hwservice_contexts | 3 ---
 legacy/modem_diagnostics.te | 3 ---
 legacy/modem_logging_control.te | 5 -----
 legacy/property.te | 4 ----
 legacy/property_contexts | 20 --------------------
 legacy/sced.te | 1 -
 legacy/seapp_contexts | 11 -----------
 legacy/vendor_telephony_app.te | 22 ----------------------
 {legacy => whitechapel_pro}/dmd.te | 3 ---
 whitechapel_pro/file.te | 1 +
 whitechapel_pro/file_contexts | 16 ++++++++++++++++
 whitechapel_pro/hwservice.te | 3 +++
 whitechapel_pro/hwservice_contexts | 4 ++++
 whitechapel_pro/modem_diagnostics.te | 4 ++++
 whitechapel_pro/modem_logging_control.te | 6 ++++++
 whitechapel_pro/property.te | 4 ++++
 whitechapel_pro/property_contexts | 21 +++++++++++++++++++++
 whitechapel_pro/seapp_contexts | 3 +++
 21 files changed, 62 insertions(+), 95 deletions(-)
 delete mode 100644 legacy/vendor_telephony_app.te
 rename {legacy => whitechapel_pro}/dmd.te (91%)
 create mode 100644 whitechapel_pro/file.te
 create mode 100644 whitechapel_pro/file_contexts
 create mode 100644 whitechapel_pro/hwservice.te
 create mode 100644 whitechapel_pro/hwservice_contexts
 create mode 100644 whitechapel_pro/modem_diagnostics.te
 create mode 100644 whitechapel_pro/modem_logging_control.te
 create mode 100644 whitechapel_pro/property.te
 create mode 100644 whitechapel_pro/property_contexts
 create mode 100644 whitechapel_pro/seapp_contexts
diff --git a/legacy/file.te b/legacy/file.te
index c909ebc6..bdddc345 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -6,12 +6,10 @@ type vendor_media_data_file, file_type, data_file_type;
 # Exynos Log Files
 type vendor_log_file, file_type, data_file_type;
 type vendor_cbd_log_file, file_type, data_file_type;
-type vendor_dmd_log_file, file_type, data_file_type;
 type vendor_rfsd_log_file, file_type, data_file_type;
 type vendor_dump_log_file, file_type, data_file_type;
 type vendor_rild_log_file, file_type, data_file_type;
 type vendor_sced_log_file, file_type, data_file_type;
-type vendor_slog_file, file_type, data_file_type, mlstrustedobject;
 type vendor_telephony_log_file, file_type, data_file_type;
 type vendor_vcd_log_file, file_type, data_file_type;
diff --git a/legacy/file_contexts b/legacy/file_contexts
index f2d89778..e047da1f 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -87,14 +87,11 @@
 /dev/nanohub u:object_r:vendor_nanohub_device:s0
 /dev/nanohub_comms u:object_r:vendor_nanohub_device:s0
 /dev/m2m1shot_scaler0 u:object_r:vendor_m2m1shot_device:s0
-/dev/radio0 u:object_r:radio_device:s0
 /dev/dri/card0 u:object_r:graphics_device:s0
 /dev/fimg2d u:object_r:graphics_device:s0
 /dev/g2d u:object_r:graphics_device:s0
 /dev/tsmux u:object_r:video_device:s0
 /dev/repeater u:object_r:video_device:s0
-/dev/scsc_h4_0 u:object_r:radio_device:s0
-/dev/umts_boot0 u:object_r:radio_device:s0
 /dev/tui-driver u:object_r:tui_device:s0
 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
@@ -108,17 +105,9 @@
 /dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
 # DM tools device
-/dev/umts_dm0 u:object_r:radio_device:s0
-/dev/umts_router u:object_r:radio_device:s0
-# OEM IPC device
-/dev/oem_ipc[0-7] u:object_r:radio_device:s0
 # SIPC RIL device
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_ipc1 u:object_r:radio_device:s0
-/dev/umts_rfs0 u:object_r:radio_device:s0
-/dev/ttyGS[0-3] u:object_r:serial_device:s0
 /dev/watchdog0 u:object_r:watchdog_device:s0
 # GPU device
@@ -130,7 +119,6 @@
 # Exynos Daemon Exec
 #
 /(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0
-/(vendor|system/vendor)/bin/dmd u:object_r:dmd_exec:s0
 /(vendor|system/vendor)/bin/hw/scd u:object_r:scd_exec:s0
 /(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0
 /(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0
@@ -154,13 +142,10 @@
 #
 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
 /data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0
-/data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0
 /data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0
 /data/vendor/log/sced(/.*)? u:object_r:vendor_sced_log_file:s0
-/data/vendor/log/slog(/.*)? u:object_r:vendor_slog_file:s0
-/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
 /data/vendor/log/vcd(/.*)? u:object_r:vendor_vcd_log_file:s0
 /persist/sensorcal\.json u:object_r:sensors_cal_file:s0
@@ -255,9 +240,6 @@
 /(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0
 /dev/socket/chre u:object_r:chre_socket:s0
-# Modem logging
-/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
-
 # TCP logging
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
 /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
diff --git a/legacy/hwservice.te b/legacy/hwservice.te
index 7ac98578..5d1d6a31 100644
--- a/legacy/hwservice.te
+++ b/legacy/hwservice.te
@@ -1,9 +1,6 @@
 type hal_vendor_telephony_hwservice, hwservice_manager_type;
 type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type;
-# dmd servcie
-type hal_vendor_oem_hwservice, hwservice_manager_type;
-
 # rild service
 type hal_exynos_rild_hwservice, hwservice_manager_type;
diff --git a/legacy/hwservice_contexts b/legacy/hwservice_contexts
index 0bcb1f64..4f466bf0 100644
--- a/legacy/hwservice_contexts
+++ b/legacy/hwservice_contexts
@@ -2,9 +2,6 @@ vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r
 vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
 vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
-# dmd HAL
-vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
-
 # rild HAL
 vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
 android.vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
diff --git a/legacy/modem_diagnostics.te b/legacy/modem_diagnostics.te
index 7908be1b..8283106a 100644
--- a/legacy/modem_diagnostics.te
+++ b/legacy/modem_diagnostics.te
@@ -1,6 +1,3 @@
-type modem_diagnostic_app, domain;
-
-app_domain(modem_diagnostic_app)
 net_domain(modem_diagnostic_app)
 allow modem_diagnostic_app app_api_service:service_manager find;
diff --git a/legacy/modem_logging_control.te b/legacy/modem_logging_control.te
index 7392297f..4be189aa 100644
--- a/legacy/modem_logging_control.te
+++ b/legacy/modem_logging_control.te
@@ -1,8 +1,3 @@
-type modem_logging_control, domain;
-type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
-
-init_daemon_domain(modem_logging_control)
-
 hwbinder_use(modem_logging_control)
 binder_call(modem_logging_control, dmd)
diff --git a/legacy/property.te b/legacy/property.te
index 5f0c7062..87b0f2d5 100644
--- a/legacy/property.te
+++ b/legacy/property.te
@@ -2,19 +2,15 @@
 vendor_internal_prop(vendor_prop)
 vendor_internal_prop(vendor_ims_prop)
 vendor_internal_prop(vendor_rild_prop)
-vendor_internal_prop(vendor_slog_prop)
 vendor_internal_prop(sensors_prop)
 vendor_internal_prop(vendor_ssrdump_prop)
 vendor_internal_prop(vendor_device_prop)
 vendor_internal_prop(vendor_usb_config_prop)
 vendor_internal_prop(vendor_secure_element_prop)
-vendor_internal_prop(vendor_modem_prop)
-vendor_internal_prop(vendor_diag_prop)
 vendor_internal_prop(vendor_cbd_prop)
 # vendor defaults
 vendor_internal_prop(vendor_config_default_prop)
 vendor_internal_prop(vendor_ro_config_default_prop)
-vendor_internal_prop(vendor_persist_config_default_prop)
 vendor_internal_prop(vendor_sys_default_prop)
 vendor_internal_prop(vendor_ro_sys_default_prop)
 vendor_internal_prop(vendor_persist_sys_default_prop)
diff --git a/legacy/property_contexts b/legacy/property_contexts
index 94d4065f..74729096 100644
--- a/legacy/property_contexts
+++ b/legacy/property_contexts
@@ -33,14 +33,6 @@ vendor.debug.c2.dump.opt u:object_r:vendor_codec2_debug_prop:s0 persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
 vendor.usb. u:object_r:vendor_usb_config_prop:s0
-# for modem
-persist.vendor.modem. u:object_r:vendor_modem_prop:s0
-vendor.modem. u:object_r:vendor_modem_prop:s0
-vendor.sys.modem. u:object_r:vendor_modem_prop:s0
-ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
-vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
-persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
-
 # for logger app
 vendor.pixellogger. u:object_r:vendor_logger_prop:s0
 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
@@ -49,21 +41,9 @@ persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
 vendor.cbd. u:object_r:vendor_cbd_prop:s0
 persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
-# for slog
-vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
-vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
-persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
-
-# for dmd
-persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
-persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
-vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
-vendor.sys.diag. u:object_r:vendor_diag_prop:s0
-
 # vendor default
 vendor.config. u:object_r:vendor_config_default_prop:s0
 ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0
-persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
 vendor.sys. u:object_r:vendor_sys_default_prop:s0
 ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
 persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
diff --git a/legacy/sced.te b/legacy/sced.te
index 43292621..c5382079 100644
--- a/legacy/sced.te
+++ b/legacy/sced.te
@@ -7,7 +7,6 @@ typeattribute sced vendor_executes_system_violators;
 hwbinder_use(sced)
 binder_call(sced, dmd)
-binder_call(sced, vendor_telephony_app)
 get_prop(sced, hwservicemanager_prop)
 allow sced self:packet_socket create_socket_perms_no_ioctl;
diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts
index 34007864..58aa0af7 100644
--- a/legacy/seapp_contexts
+++ b/legacy/seapp_contexts
@@ -1,11 +1,3 @@
-# Samsung S.LSI telephony
-user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app levelFrom=all
-user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app levelFrom=all
-user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app levelFrom=all
-user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app levelFrom=all
-user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app levelFrom=all
-user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all
-
 # Samsung S.LSI IMS
 user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all
@@ -27,9 +19,6 @@ user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_in
 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
-# Modem Diagnostic System
-user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
-
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
diff --git a/legacy/vendor_telephony_app.te b/legacy/vendor_telephony_app.te
deleted file mode 100644
index 7d515a8a..00000000
--- a/legacy/vendor_telephony_app.te
+++ /dev/null
@@ -1,22 +0,0 @@
-type vendor_telephony_app, domain;
-app_domain(vendor_telephony_app)
-
-get_prop(vendor_telephony_app, vendor_rild_prop)
-set_prop(vendor_telephony_app, vendor_persist_sys_default_prop)
-set_prop(vendor_telephony_app, vendor_modem_prop)
-set_prop(vendor_telephony_app, vendor_slog_prop)
-
-allow vendor_telephony_app vendor_slog_file:dir create_dir_perms;
-allow vendor_telephony_app vendor_slog_file:file create_file_perms;
-
-allow vendor_telephony_app app_api_service:service_manager find;
-allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find;
-binder_call(vendor_telephony_app, dmd)
-binder_call(vendor_telephony_app, sced)
-
-userdebug_or_eng(`
-# Silent Logging
-dontaudit vendor_telephony_app system_app_data_file:dir create_dir_perms;
-dontaudit vendor_telephony_app system_app_data_file:file create_file_perms;
-dontaudit vendor_telephony_app default_prop:file { getattr open read map };
-')
diff --git a/legacy/dmd.te b/whitechapel_pro/dmd.te
similarity index 91%
rename from legacy/dmd.te
rename to whitechapel_pro/dmd.te
index 4f9cef1d..c247bb46 100644
--- a/legacy/dmd.te
+++ b/whitechapel_pro/dmd.te
@@ -21,8 +21,6 @@ set_prop(dmd, vendor_diag_prop)
 set_prop(dmd, vendor_slog_prop)
 set_prop(dmd, vendor_modem_prop)
-get_prop(dmd, vendor_persist_config_default_prop)
-
 # Grant to access hwservice manager
 get_prop(dmd, hwservicemanager_prop)
 allow dmd hidl_base_hwservice:hwservice_manager add;
@@ -30,4 +28,3 @@ allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
 binder_call(dmd, hwservicemanager)
 binder_call(dmd, modem_diagnostic_app)
 binder_call(dmd, modem_logging_control)
-binder_call(dmd, vendor_telephony_app)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
new file mode 100644
index 00000000..68cf69fa
--- /dev/null
+++ b/whitechapel_pro/file.te
@@ -0,0 +1 @@
+type vendor_slog_file, file_type, data_file_type;
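Review bot: The re-declared `type vendor_slog_file, file_type, data_file_type;` drops the `mlstrustedobject` attribute that the legacy/file.te declaration removed earlier in this patch carried, and the new file does not say whether that is deliberate. The only MLS-levelled writer visible on this page, vendor_telephony_app with `levelFrom=all`, is deleted by this same patch, so the omission may well be correct; but any remaining domain that runs above s0 — the `levelFrom=user` modem_diagnostic_app entry added in whitechapel_pro/seapp_contexts is the obvious candidate — would pass type enforcement yet be refused by the MLS constraints when it writes /data/vendor/slog. Please confirm which domains write this type, and record the decision with a comment such as `# mlstrustedobject deliberately omitted; see b/<tracking-bug>`.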
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
new file mode 100644
index 00000000..4e3e2dc4
--- /dev/null
+++ b/whitechapel_pro/file_contexts
@@ -0,0 +1,16 @@
+# Binaries
+/vendor/bin/dmd u:object_r:dmd_exec:s0
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+
+# Devices
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+
+# Data
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
diff --git a/whitechapel_pro/hwservice.te b/whitechapel_pro/hwservice.te
new file mode 100644
index 00000000..f6d18508
--- /dev/null
+++ b/whitechapel_pro/hwservice.te
@@ -0,0 +1,3 @@
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
diff --git a/whitechapel_pro/hwservice_contexts b/whitechapel_pro/hwservice_contexts
new file mode 100644
index 00000000..45a0ec09
--- /dev/null
+++ b/whitechapel_pro/hwservice_contexts
@@ -0,0 +1,4 @@
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+
+
diff --git a/whitechapel_pro/modem_diagnostics.te b/whitechapel_pro/modem_diagnostics.te
new file mode 100644
index 00000000..ade75068
--- /dev/null
+++ b/whitechapel_pro/modem_diagnostics.te
@@ -0,0 +1,4 @@
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+
diff --git a/whitechapel_pro/modem_logging_control.te b/whitechapel_pro/modem_logging_control.te
new file mode 100644
index 00000000..3480fc12
--- /dev/null
+++ b/whitechapel_pro/modem_logging_control.te
@@ -0,0 +1,6 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+
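Review bot: The legacy/file_contexts hunk of this patch removes both `/data/vendor/log/slog(/.*)?` and `/data/vendor/slog(/.*)?` as `vendor_slog_file`, but only the second path is carried into this file, so anything still writing under /data/vendor/log/slog is now labelled by the broader `/data/vendor/log(/.*)?` entry as `vendor_log_file` and loses the slog-specific rules. If that location is obsolete, dropping it is fine but belongs in the commit message; otherwise add `/data/vendor/log/slog(/.*)? u:object_r:vendor_slog_file:s0` under `# Data`. The binary entry `/vendor/bin/dmd` also narrows the legacy `/(vendor|system/vendor)/bin/dmd` pattern; that is harmless only if nothing in this policy set still relies on the `/system/vendor` spelling, which I cannot verify from here.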
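Review bot: The comment `# dmd servcie` carries a typo from the legacy file into a freshly created one; since this file is new, write `# dmd service`. The hunk also ends with an empty added line, and the new hwservice_contexts (two), modem_diagnostics.te and modem_logging_control.te (two) hunks in this patch end the same way; trailing blank lines in new files only add diff noise to every later change.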
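Review bot: `type modem_diagnostic_app, domain;` and `app_domain(modem_diagnostic_app)` move here while the rules that use the type — `net_domain(modem_diagnostic_app)` and the `app_api_service:service_manager find` rule — stay behind in legacy/modem_diagnostics.te, so the legacy directory would no longer compile on its own if the two trees are ever built separately; the modem_logging_control.te hunk in this patch makes the same split (`hwbinder_use` and `binder_call` remain in legacy/modem_logging_control.te). The following patch on this page (017) renames legacy/modem_diagnostics.te into whitechapel_pro/modem_diagnostic_app.te, which resolves the first case, but the modem_logging_control half is not visibly addressed. Either move the remaining rules next to the declaration or add a comment in each new file naming the directory that holds the rest of the domain.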
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
new file mode 100644
index 00000000..b5eb25d5
--- /dev/null
+++ b/whitechapel_pro/property.te
@@ -0,0 +1,4 @@
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
new file mode 100644
index 00000000..950bc1c0
--- /dev/null
+++ b/whitechapel_pro/property_contexts
@@ -0,0 +1,21 @@
+# for dmd
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+
+# for slog
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
+
+# for modem
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+
+
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
new file mode 100644
index 00000000..937fd3d5
--- /dev/null
+++ b/whitechapel_pro/seapp_contexts
@@ -0,0 +1,3 @@
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
From b12473a9decd275630290d372f2fa9e4c773f114 Mon Sep 17 00:00:00 2001
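Review bot: The `persist.vendor.config.` entry at the end of the new property_contexts has no section comment and is separated from the modem block by two blank lines, unlike the `# for dmd`, `# for slog` and `# for modem` groups above it; a heading such as `# vendor default`, which is what the legacy file called this group, would explain why a catch-all prefix sits in a dmd-specific file. Note also that this patch removes `get_prop(dmd, vendor_persist_config_default_prop)` from dmd.te, so the only reader of `vendor_persist_config_default_prop` visible on this page is gone; if no other domain reads it, the matching lines in property.te and here are dead and should be dropped rather than moved.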
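Review bot: The `seinfo=mds` selector on the com.google.mds entry only matches when a mac_permissions.xml signer stanza assigns that seinfo, and a patch earlier on this page deletes whitechapel/vendor/google/keys.conf, which held the `[@MDS]` certificate entry; if no equivalent keys.conf and mac_permissions pair exists for the whitechapel_pro tree, the app silently falls through to a generic priv-app entry and never enters `modem_diagnostic_app`. Please confirm where the mds seinfo is defined for this build, and consider a comment on the entry such as `# seinfo=mds comes from <path to mac_permissions.xml>` so the dependency is discoverable.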
From: Adam Shih
Date: Wed, 18 Aug 2021 10:54:51 +0800
Subject: [PATCH 017/900] review modem_diagnostic_app
Bug: 196916111
Test: boot with modem_diagnostic_app running
Change-Id: Ic79f2048f840845ba73cc4d0853371a50ce63317
---
 legacy/file.te | 13 -------------
 legacy/file_contexts | 7 -------
 legacy/genfs_contexts | 3 ---
 legacy/init.te | 4 ----
 legacy/property.te | 2 --
 legacy/property_contexts | 13 -------------
 whitechapel_pro/file.te | 17 +++++++++++++++++
 whitechapel_pro/file_contexts | 7 +++++++
 whitechapel_pro/genfs_contexts | 1 +
 whitechapel_pro/init.te | 3 +++
 .../modem_diagnostic_app.te | 5 +++--
 whitechapel_pro/modem_diagnostics.te | 4 ----
 whitechapel_pro/property.te | 3 +++
 whitechapel_pro/property_contexts | 9 +++++++++
 14 files changed, 43 insertions(+), 48 deletions(-)
 create mode 100644 whitechapel_pro/genfs_contexts
 create mode 100644 whitechapel_pro/init.te
 rename legacy/modem_diagnostics.te => whitechapel_pro/modem_diagnostic_app.te (93%)
 delete mode 100644 whitechapel_pro/modem_diagnostics.te
diff --git a/legacy/file.te b/legacy/file.te
index bdddc345..ab44ecd5 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -40,9 +40,6 @@ type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
 type sysfs_ota, sysfs_type, fs_type;
-# Exynos Firmware
-type vendor_fw_file, vendor_file_type, file_type;
-
 # ACPM
 type sysfs_acpm_stats, sysfs_type, fs_type;
@@ -104,9 +101,6 @@ type persist_aoc_file, file_type, vendor_persist_type;
 type audio_vendor_data_file, file_type, data_file_type;
 type aoc_audio_file, file_type, vendor_file_type;
-# Radio
-type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-
 # RILD
 type rild_vendor_data_file, file_type, data_file_type;
@@ -117,10 +111,6 @@ type modem_userdata_file, file_type;
 type sysfs_modem, sysfs_type, fs_type;
 type persist_modem_file, file_type, vendor_persist_type;
-
-type modem_img_file, contextmount_type, file_type, vendor_file_type;
-allow modem_img_file self:filesystem associate;
-
 # TCP logging
 type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
@@ -156,9 +146,6 @@ type sysfs_odpm, sysfs_type, fs_type;
 # bcl
 type sysfs_bcl, sysfs_type, fs_type;
-# Chosen
-type sysfs_chosen, sysfs_type, fs_type;
-
 type sysfs_chip_id, sysfs_type, fs_type;
 type sysfs_spi, sysfs_type, fs_type;
diff --git a/legacy/file_contexts b/legacy/file_contexts
index e047da1f..9e502339 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -31,9 +31,6 @@
 # Wireless charger HAL
 /(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
-# Vendor Firmwares
-/(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_fw_file:s0
-
 #
 # Exynos Block Devices
 #
@@ -254,7 +251,6 @@
 # modem mnt files
 /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
 /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
@@ -337,9 +333,6 @@
 # R4
 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0
-# Radio files.
-/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
-
 # RILD files
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts
index f3d85c7b..b15a6288 100644
--- a/legacy/genfs_contexts
+++ b/legacy/genfs_contexts
@@ -155,9 +155,6 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mp # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 -# Chosen -genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 - genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0 genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0 genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0 diff --git a/legacy/init.te b/legacy/init.te index 5d6a6810..d61ea4bb 100644 --- a/legacy/init.te +++ b/legacy/init.te @@ -7,10 +7,6 @@ allow init custom_ab_block_device:lnk_file relabelto; # after loading sepolicy in the second stage. allow init boot_block_device:lnk_file relabelto; -allow init modem_img_file:dir mounton; -allow init mnt_vendor_file:dir mounton; -allow init modem_img_file:filesystem { getattr mount relabelfrom }; - allow init persist_file:dir mounton; allow init modem_efs_file:dir mounton; allow init modem_userdata_file:dir mounton; diff --git a/legacy/property.te b/legacy/property.te index 87b0f2d5..f9d639b7 100644 --- a/legacy/property.te +++ b/legacy/property.te @@ -1,13 +1,11 @@ # For Exynos Properties vendor_internal_prop(vendor_prop) vendor_internal_prop(vendor_ims_prop) -vendor_internal_prop(vendor_rild_prop) vendor_internal_prop(sensors_prop) vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_device_prop) vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_secure_element_prop) -vendor_internal_prop(vendor_cbd_prop) # vendor defaults vendor_internal_prop(vendor_config_default_prop) vendor_internal_prop(vendor_ro_config_default_prop) diff --git a/legacy/property_contexts b/legacy/property_contexts index 74729096..1b30aea4 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts 
@@ -1,12 +1,3 @@ -# for rild -persist.vendor.debug_level u:object_r:vendor_rild_prop:s0 -persist.vendor.ril. u:object_r:vendor_rild_prop:s0 -persist.vendor.radio. u:object_r:vendor_rild_prop:s0 -vendor.radio.ril. u:object_r:vendor_rild_prop:s0 -vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 -vendor.ril. u:object_r:vendor_rild_prop:s0 -ro.vendor.build.svn u:object_r:vendor_rild_prop:s0 - # for ims service vendor.charon. u:object_r:vendor_ims_prop:s0 vendor.pktrouter u:object_r:vendor_ims_prop:s0 @@ -37,10 +28,6 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0 vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -# for cbd -vendor.cbd. u:object_r:vendor_cbd_prop:s0 -persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0 - # vendor default vendor.config. u:object_r:vendor_config_default_prop:s0 ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0 diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 68cf69fa..d7103146 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -1 +1,18 @@ +# Data type vendor_slog_file, file_type, data_file_type; +type radio_vendor_data_file, file_type, data_file_type; +userdebug_or_eng(` + typeattribute vendor_slog_file mlstrustedobject; + typeattribute radio_vendor_data_file mlstrustedobject; +') + +# Exynos Firmware +type vendor_fw_file, vendor_file_type, file_type; + +# sysfs +type sysfs_chosen, sysfs_type, fs_type; + +# vendor extra images +type modem_img_file, contextmount_type, file_type, vendor_file_type; +allow modem_img_file self:filesystem associate; + diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4e3e2dc4..2a5abc69 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
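Review bot: The `userdebug_or_eng` block that gives vendor_slog_file and radio_vendor_data_file the mlstrustedobject attribute carries no comment saying why the MLS exemption is debug-only, whereas the legacy declaration this patch removes granted it to radio_vendor_data_file unconditionally. That is a real tightening on user builds (app-level MLS constraints now apply to /data/vendor/radio), and the reason is visible only in another file of the same patch, where modem_diagnostic_app's writes to radio_vendor_data_file are themselves inside `userdebug_or_eng`. Suggest `# mlstrustedobject is debug-only: keep in step with the userdebug_or_eng app rules that write these types` above the block so the next reader does not hoist it out again.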
@@ -2,6 +2,9 @@ /vendor/bin/dmd u:object_r:dmd_exec:s0 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 +# Vendor Firmwares +/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 + # Devices /dev/ttyGS[0-3] u:object_r:serial_device:s0 /dev/oem_ipc[0-7] u:object_r:radio_device:s0 @@ -14,3 +17,7 @@ # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 +/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 + +# Extra mount images +/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts new file mode 100644 index 00000000..b0406efc --- /dev/null +++ b/whitechapel_pro/genfs_contexts @@ -0,0 +1 @@ +genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te new file mode 100644 index 00000000..d68103af --- /dev/null +++ b/whitechapel_pro/init.te @@ -0,0 +1,3 @@ +allow init modem_img_file:dir mounton; +allow init mnt_vendor_file:dir mounton; +allow init modem_img_file:filesystem { getattr mount relabelfrom }; diff --git a/legacy/modem_diagnostics.te b/whitechapel_pro/modem_diagnostic_app.te similarity index 93% rename from legacy/modem_diagnostics.te rename to whitechapel_pro/modem_diagnostic_app.te index 8283106a..887b4285 100644 --- a/legacy/modem_diagnostics.te +++ b/whitechapel_pro/modem_diagnostic_app.te @@ -1,3 +1,6 @@ +type modem_diagnostic_app, domain; + +app_domain(modem_diagnostic_app) net_domain(modem_diagnostic_app) allow modem_diagnostic_app app_api_service:service_manager find; 
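Review bot: The three rules in the new whitechapel_pro/init.te have no comment tying them to the mount they serve, so `relabelfrom` on `modem_img_file:filesystem` reads as unexplained breadth. In the same patch file_contexts labels `/mnt/vendor/modem_img(/.*)?` as modem_img_file and file.te declares that type with contextmount_type, which is presumably why init needs relabelfrom on the filesystem when it mounts with a context= option. Suggest `# init mounts the modem image at /mnt/vendor/modem_img (contextmount_type, hence relabelfrom)` as the first line of the file.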
@@ -19,8 +22,6 @@ userdebug_or_eng(` allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms; allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms; - allow modem_diagnostic_app mnt_vendor_file:file r_file_perms; - allow modem_diagnostic_app modem_img_file:dir r_dir_perms; allow modem_diagnostic_app modem_img_file:file r_file_perms; allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms; diff --git a/whitechapel_pro/modem_diagnostics.te b/whitechapel_pro/modem_diagnostics.te deleted file mode 100644 index ade75068..00000000 --- a/whitechapel_pro/modem_diagnostics.te +++ /dev/null @@ -1,4 +0,0 @@ -type modem_diagnostic_app, domain; - -app_domain(modem_diagnostic_app) - diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index b5eb25d5..b9298425 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -2,3 +2,6 @@ vendor_internal_prop(vendor_diag_prop) vendor_internal_prop(vendor_slog_prop) vendor_internal_prop(vendor_modem_prop) vendor_internal_prop(vendor_persist_config_default_prop) +vendor_internal_prop(vendor_cbd_prop) +vendor_internal_prop(vendor_rild_prop) + diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 950bc1c0..8184dcae 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -17,5 +17,14 @@ ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +# for cbd +vendor.cbd. u:object_r:vendor_cbd_prop:s0 +persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0 + +# for rild +persist.vendor.ril. u:object_r:vendor_rild_prop:s0 +vendor.ril. u:object_r:vendor_rild_prop:s0 +vendor.radio.ril. u:object_r:vendor_rild_prop:s0 +vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0 From e7538e644a1280d93efb80f5f588653bf7c6305b Mon Sep 17 00:00:00 2001 
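Review bot: Dropping `allow modem_diagnostic_app modem_img_file:dir r_dir_perms;` while keeping the `modem_img_file:file` and `modem_img_file:lnk_file` r_file_perms lines leaves those two rules unreachable unless directory search on modem_img_file is granted outside this hunk: file_contexts in this patch labels `/mnt/vendor/modem_img(/.*)?` as modem_img_file, so the mount point itself carries that type and the app needs `dir search` on it to open anything inside. If the intent is that the app no longer reads the modem image, the remaining modem_img_file lines should go too (least privilege); if it still does, the dir rule should stay and the `Test: boot with modem_diagnostic_app running` line presumably did not exercise that path. The `userdebug_or_eng` block this hunk sits in begins before the hunk.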
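Review bot: The `# for rild` block re-added to whitechapel_pro/property_contexts carries four prefixes, whereas the legacy block removed earlier in this patch also labelled `persist.vendor.debug_level`, `persist.vendor.radio.` and `ro.vendor.build.svn` as vendor_rild_prop. If any of those properties are still set on this device they now fall under whatever broader default label matches, which changes which domains may read or set them; if the drop is intentional, a one-line comment such as `# debug_level, persist.vendor.radio. and build.svn intentionally not labelled rild` would stop the next reader re-adding them. Minor: there is no blank line between the last rild entry and `persist.vendor.config.`, unlike the cbd block just above.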
From: Adam Shih Date: Wed, 18 Aug 2021 11:21:15 +0800 Subject: [PATCH 018/900] review modem_logging_control Bug: 196916111 Test: boot with modem_logging_control launched Change-Id: I16c810298343310003a626397d88861f47c5a207 --- legacy/modem_logging_control.te | 12 ------------ whitechapel_pro/modem_logging_control.te | 11 +++++++++++ 2 files changed, 11 insertions(+), 12 deletions(-) delete mode 100644 legacy/modem_logging_control.te diff --git a/legacy/modem_logging_control.te b/legacy/modem_logging_control.te deleted file mode 100644 index 4be189aa..00000000 --- a/legacy/modem_logging_control.te +++ /dev/null @@ -1,12 +0,0 @@ -hwbinder_use(modem_logging_control) -binder_call(modem_logging_control, dmd) - -allow modem_logging_control radio_device:chr_file rw_file_perms; -allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find; -allow modem_logging_control radio_vendor_data_file:dir create_dir_perms; -allow modem_logging_control radio_vendor_data_file:file create_file_perms; -allow modem_logging_control vendor_slog_file:dir create_dir_perms; -allow modem_logging_control vendor_slog_file:file create_file_perms; - -set_prop(modem_logging_control, vendor_modem_prop) -get_prop(modem_logging_control, hwservicemanager_prop) diff --git a/whitechapel_pro/modem_logging_control.te b/whitechapel_pro/modem_logging_control.te index 3480fc12..7392297f 100644 --- a/whitechapel_pro/modem_logging_control.te +++ b/whitechapel_pro/modem_logging_control.te 
@@ -3,4 +3,15 @@ type modem_logging_control_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(modem_logging_control) +hwbinder_use(modem_logging_control) +binder_call(modem_logging_control, dmd) +allow modem_logging_control radio_device:chr_file rw_file_perms; +allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find; +allow modem_logging_control radio_vendor_data_file:dir create_dir_perms; +allow modem_logging_control radio_vendor_data_file:file create_file_perms; +allow modem_logging_control vendor_slog_file:dir create_dir_perms; +allow modem_logging_control vendor_slog_file:file create_file_perms; + +set_prop(modem_logging_control, vendor_modem_prop) +get_prop(modem_logging_control, hwservicemanager_prop) From 6dc0391fab5ed308091f14a8d4fb9d8e2e02cbd3 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 18 Aug 2021 12:34:29 +0800 Subject: [PATCH 019/900] reuse gs101 pktrouter Bug: 196916111 Test: boot with pktrouter launched Change-Id: Ie901adcba877aa11fcae188e360538c38184db00 --- legacy/device.te | 1 - legacy/file_contexts | 4 ---- legacy/netutils_wrapper.te | 7 ------- legacy/pktrouter.te | 13 ------------- legacy/property.te | 1 - legacy/property_contexts | 4 ---- legacy/vendor_init.te | 1 - 7 files changed, 31 deletions(-) delete mode 100644 legacy/netutils_wrapper.te delete mode 100644 legacy/pktrouter.te diff --git a/legacy/device.te b/legacy/device.te index 039c242b..fa0bb724 100644 --- a/legacy/device.te +++ b/legacy/device.te @@ -12,7 +12,6 @@ type vendor_m2m1shot_device, dev_type; type vendor_gnss_device, dev_type; type vendor_nanohub_device, dev_type; type vendor_secmem_device, dev_type; -type pktrouter_device, dev_type; type vendor_toe_device, dev_type; type custom_ab_block_device, dev_type; type devinfo_block_device, dev_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 9e502339..4c70a385 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
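Review bot: The rules restored here (`hwbinder_use`, `binder_call(modem_logging_control, dmd)`, create perms on radio_vendor_data_file and vendor_slog_file) are unconditional, whereas the other daemons reviewed later in this series that write vendor_slog_file (sced, vcd) are wrapped in `userdebug_or_eng`. If modem_logging_control is meant to run on user builds that is a deliberate difference and deserves a comment, e.g. `# ships on user builds: drives modem logging through dmd` above `hwbinder_use`. `set_prop(modem_logging_control, vendor_modem_prop)` also grants write to every property under the vendor_modem_prop prefixes listed in property_contexts in the previous patch; confirm the daemon needs all of them rather than only the ones it sets. The enclosing file continues outside the hunk.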
@@ -110,7 +110,6 @@ # GPU device /dev/mali0 u:object_r:gpu_device:s0 /dev/s5p-smem u:object_r:vendor_secmem_device:s0 -/dev/umts_wfc[01] u:object_r:pktrouter_device:s0 # # Exynos Daemon Exec @@ -125,9 +124,6 @@ /(vendor|system/vendor)/bin/vcd u:object_r:vcd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 -# WFC -/(vendor|system/vendor)/bin/wfc-pkt-router u:object_r:pktrouter_exec:s0 - # # Exynos Data Files # diff --git a/legacy/netutils_wrapper.te b/legacy/netutils_wrapper.te deleted file mode 100644 index ff1be58e..00000000 --- a/legacy/netutils_wrapper.te +++ /dev/null @@ -1,7 +0,0 @@ -allow netutils_wrapper pktrouter:fd use; -allow netutils_wrapper pktrouter:fifo_file write; -allow netutils_wrapper pktrouter:netlink_route_socket { read write }; -allow netutils_wrapper pktrouter:packet_socket { read write }; -allow netutils_wrapper pktrouter:rawip_socket { read write }; -allow netutils_wrapper pktrouter:udp_socket { read write }; -allow netutils_wrapper pktrouter_device:chr_file rw_file_perms; diff --git a/legacy/pktrouter.te b/legacy/pktrouter.te deleted file mode 100644 index e06c8db6..00000000 --- a/legacy/pktrouter.te +++ /dev/null @@ -1,13 +0,0 @@ -type pktrouter, domain; -type pktrouter_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(pktrouter) -net_domain(pktrouter) - -domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper); - -allow pktrouter pktrouter_device:chr_file rw_file_perms; -allow pktrouter self:netlink_route_socket nlmsg_write; -allow pktrouter self:packet_socket { bind create read write getattr shutdown}; -allow pktrouter self:capability net_raw; - -get_prop(pktrouter, vendor_ims_prop); diff --git a/legacy/property.te b/legacy/property.te index f9d639b7..80976174 100644 --- a/legacy/property.te +++ b/legacy/property.te 
@@ -1,6 +1,5 @@ # For Exynos Properties vendor_internal_prop(vendor_prop) -vendor_internal_prop(vendor_ims_prop) vendor_internal_prop(sensors_prop) vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_device_prop) diff --git a/legacy/property_contexts b/legacy/property_contexts index 1b30aea4..8db6f7d7 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts @@ -1,7 +1,3 @@ -# for ims service -vendor.charon. u:object_r:vendor_ims_prop:s0 -vendor.pktrouter u:object_r:vendor_ims_prop:s0 - # Ramdump persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0 diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index 2759e77c..8ac90b4c 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te @@ -5,7 +5,6 @@ set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_slog_prop) set_prop(vendor_init, vendor_sys_default_prop) -set_prop(vendor_init, vendor_ims_prop) set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) From 5656f81f62c7ef8c477f5f3e70af10dbd940d394 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 18 Aug 2021 12:59:29 +0800 Subject: [PATCH 020/900] reuse gs101 confirmation UI Bug: 196916111 Test: boot with confirmation UI started Change-Id: I39ff3c0eecb017bb78118a1f7b42c8ce87eda971 --- legacy/device.te | 1 - legacy/file_contexts | 2 -- legacy/hal_confirmationui.te | 13 ------------- legacy/securedpud.slider.te | 9 --------- 4 files changed, 25 deletions(-) delete mode 100644 legacy/hal_confirmationui.te delete mode 100644 legacy/securedpud.slider.te diff --git a/legacy/device.te b/legacy/device.te index fa0bb724..55205990 100644 --- a/legacy/device.te +++ b/legacy/device.te 
@@ -15,7 +15,6 @@ type vendor_secmem_device, dev_type; type vendor_toe_device, dev_type; type custom_ab_block_device, dev_type; type devinfo_block_device, dev_type; -type tui_device, dev_type; # usbpd type logbuffer_device, dev_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 4c70a385..53fe573f 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -89,7 +89,6 @@ /dev/g2d u:object_r:graphics_device:s0 /dev/tsmux u:object_r:video_device:s0 /dev/repeater u:object_r:video_device:s0 -/dev/tui-driver u:object_r:tui_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0 @@ -306,7 +305,6 @@ /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:tee_data_file:s0 diff --git a/legacy/hal_confirmationui.te b/legacy/hal_confirmationui.te deleted file mode 100644 index a8f4ae8c..00000000 --- a/legacy/hal_confirmationui.te +++ /dev/null 
@@ -1,13 +0,0 @@ -allow hal_confirmationui_default tee_device:chr_file rw_file_perms; - -binder_call(hal_confirmationui_default, keystore) - -vndbinder_use(hal_confirmationui_default) -binder_call(hal_confirmationui_default, citadeld) -allow hal_confirmationui_default citadeld_service:service_manager find; - -allow hal_confirmationui_default input_device:chr_file rw_file_perms; -allow hal_confirmationui_default input_device:dir r_dir_perms; - -allow hal_confirmationui_default dmabuf_system_heap_device:chr_file r_file_perms; -allow hal_confirmationui_default ion_device:chr_file r_file_perms; diff --git a/legacy/securedpud.slider.te b/legacy/securedpud.slider.te deleted file mode 100644 index fd553a30..00000000 --- a/legacy/securedpud.slider.te +++ /dev/null @@ -1,9 +0,0 @@ -type securedpud_slider, domain; -type securedpud_slider_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(securedpud_slider) - -allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms; -allow securedpud_slider ion_device:chr_file r_file_perms; -allow securedpud_slider tee_device:chr_file rw_file_perms; -allow securedpud_slider tui_device:chr_file rw_file_perms; From dcf0597594f42897646b33578df91a42daf859b2 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 23 Aug 2021 11:45:31 +0800 Subject: [PATCH 021/900] review sced Bug: 196916111 Test: boot with sced started Change-Id: I9140b5bc0f7ad4efedbbbcf58f9e773e5246df74 --- legacy/file.te | 1 - legacy/file_contexts | 2 -- legacy/sced.te | 22 ---------------------- whitechapel_pro/file_contexts | 3 ++- whitechapel_pro/sced.te | 22 ++++++++++++++++++++++ 5 files changed, 24 insertions(+), 26 deletions(-) delete mode 100644 legacy/sced.te create mode 100644 whitechapel_pro/sced.te diff --git a/legacy/file.te b/legacy/file.te index ab44ecd5..a0b05219 100644 --- a/legacy/file.te +++ b/legacy/file.te 
@@ -9,7 +9,6 @@ type vendor_cbd_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type vendor_dump_log_file, file_type, data_file_type; type vendor_rild_log_file, file_type, data_file_type; -type vendor_sced_log_file, file_type, data_file_type; type vendor_telephony_log_file, file_type, data_file_type; type vendor_vcd_log_file, file_type, data_file_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 53fe573f..711c7d22 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -119,7 +119,6 @@ /(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0 /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 -/(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0 /(vendor|system/vendor)/bin/vcd u:object_r:vcd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 @@ -137,7 +136,6 @@ /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0 /data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0 -/data/vendor/log/sced(/.*)? u:object_r:vendor_sced_log_file:s0 /data/vendor/log/vcd(/.*)? u:object_r:vendor_vcd_log_file:s0 /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 diff --git a/legacy/sced.te b/legacy/sced.te deleted file mode 100644 index c5382079..00000000 --- a/legacy/sced.te +++ /dev/null 
@@ -1,22 +0,0 @@ -type sced, domain; -type sced_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(sced) - -userdebug_or_eng(` -typeattribute sced vendor_executes_system_violators; - -hwbinder_use(sced) -binder_call(sced, dmd) - -get_prop(sced, hwservicemanager_prop) -allow sced self:packet_socket create_socket_perms_no_ioctl; - -allow sced self:capability net_raw; -allow sced shell_exec:file rx_file_perms; -allow sced tcpdump_exec:file rx_file_perms; -allow sced vendor_shell_exec:file x_file_perms; -allow sced vendor_slog_file:dir create_dir_perms; -allow sced vendor_slog_file:file create_file_perms; -allow sced hidl_base_hwservice:hwservice_manager add; -allow sced hal_vendor_oem_hwservice:hwservice_manager { add find }; -') diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 2a5abc69..e23f0847 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -1,6 +1,7 @@ # Binaries /vendor/bin/dmd u:object_r:dmd_exec:s0 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 +/vendor/bin/sced u:object_r:sced_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 @@ -20,4 +21,4 @@ /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 # Extra mount images -/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 +/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 diff --git a/whitechapel_pro/sced.te b/whitechapel_pro/sced.te new file mode 100644 index 00000000..07c5fa01 --- /dev/null +++ b/whitechapel_pro/sced.te 
@@ -0,0 +1,22 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(sced)
+ typeattribute sced vendor_executes_system_violators;
+
+ hwbinder_use(sced)
+ binder_call(sced, dmd)
+
+ get_prop(sced, hwservicemanager_prop)
+ allow sced self:packet_socket create_socket_perms_no_ioctl;
+
+ allow sced self:capability net_raw;
+ allow sced shell_exec:file rx_file_perms;
+ allow sced tcpdump_exec:file rx_file_perms;
+ allow sced vendor_shell_exec:file x_file_perms;
+ allow sced vendor_slog_file:dir create_dir_perms;
+ allow sced vendor_slog_file:file create_file_perms;
+ allow sced hidl_base_hwservice:hwservice_manager add;
+ allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
+')
From 72ad95d1eb6273b0a2dac851e5b2f7f3c8e3fee7 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 23 Aug 2021 14:05:23 +0800
Subject: [PATCH 022/900] review vcd and remove obsolete declarations
Bug: 196916111
Test: boot with vcd started
Change-Id: Ic82975e998dad4437c38afc625a7a88428417b7a
---
 legacy/file.te | 5 -----
 legacy/file_contexts | 5 -----
 legacy/vcd.te | 11 -----------
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/vcd.te | 12 ++++++++++++
 5 files changed, 13 insertions(+), 21 deletions(-)
 delete mode 100644 legacy/vcd.te
 create mode 100644 whitechapel_pro/vcd.te
diff --git a/legacy/file.te b/legacy/file.te
index a0b05219..17c8c0bb 100644
--- a/legacy/file.te
+++ b/legacy/file.te
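Review bot: The new sced.te has no header comment, and its shape — `type sced` and `sced_exec` declared unconditionally while `init_daemon_domain(sced)` and every rule sit inside `userdebug_or_eng` — is easy to misread as a mistake. On user builds the binary is still labelled sced_exec by file_contexts in this patch but no domain transition exists, so init cannot start it; that is presumably the intent for a domain that runs tcpdump with `net_raw` and a packet socket, and it should be stated, e.g. `# Debug-only log collector: declared on all builds so file_contexts resolves, launchable only on userdebug/eng.` A short why-comment on the `shell_exec`/`tcpdump_exec` lines (the reason for `vendor_executes_system_violators`) would also make a later tightening safer.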
@@ -5,12 +5,7 @@ type vendor_media_data_file, file_type, data_file_type; # Exynos Log Files type vendor_log_file, file_type, data_file_type; -type vendor_cbd_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; -type vendor_dump_log_file, file_type, data_file_type; -type vendor_rild_log_file, file_type, data_file_type; -type vendor_telephony_log_file, file_type, data_file_type; -type vendor_vcd_log_file, file_type, data_file_type; # app data files type vendor_test_data_file, file_type, data_file_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 711c7d22..7c759729 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -119,7 +119,6 @@ /(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0 /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 -/(vendor|system/vendor)/bin/vcd u:object_r:vcd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 # @@ -132,11 +131,7 @@ # Exynos Log Files # /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 -/data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 -/data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0 -/data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0 -/data/vendor/log/vcd(/.*)? u:object_r:vendor_vcd_log_file:s0 /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 diff --git a/legacy/vcd.te b/legacy/vcd.te deleted file mode 100644 index c4af485f..00000000 --- a/legacy/vcd.te +++ /dev/null 
@@ -1,11 +0,0 @@
-type vcd, domain;
-type vcd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(vcd)
-
-get_prop(vcd, vendor_rild_prop);
-get_prop(vcd, vendor_persist_config_default_prop);
-
-allow vcd serial_device:chr_file rw_file_perms;
-allow vcd radio_device:chr_file rw_file_perms;
-allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
-allow vcd node:tcp_socket node_bind;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index e23f0847..b584a425 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -2,6 +2,7 @@
 /vendor/bin/dmd u:object_r:dmd_exec:s0
 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
 /vendor/bin/sced u:object_r:sced_exec:s0
+/vendor/bin/vcd u:object_r:vcd_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/whitechapel_pro/vcd.te b/whitechapel_pro/vcd.te
new file mode 100644
index 00000000..211d3675
--- /dev/null
+++ b/whitechapel_pro/vcd.te
@@ -0,0 +1,12 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+userdebug_or_eng(`
+ init_daemon_domain(vcd)
+
+ get_prop(vcd, vendor_rild_prop);
+
+ allow vcd serial_device:chr_file rw_file_perms;
+ allow vcd radio_device:chr_file rw_file_perms;
+ allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+ allow vcd node:tcp_socket node_bind;
+')
From 6fc63f75c3bc9e6da793825d3be4cdcc785e8feb Mon Sep 17 00:00:00 2001
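Review bot: The new vcd.te drops the `get_prop(vcd, vendor_persist_config_default_prop);` line the legacy file carried without a comment marking it as one of the "obsolete declarations" the subject refers to; if vcd still reads a `persist.vendor.config.` property the denial will only appear on debug builds, the only place the domain now transitions. A header comment would also help, since as with sced the types are declared unconditionally but `init_daemon_domain(vcd)` is inside `userdebug_or_eng`: `# Debug-only: vcd binds a listening TCP socket (node_bind/listen/accept) and talks to the radio and serial devices; it is not launchable on user builds.` The file_contexts entry `/vendor/bin/vcd u:object_r:vcd_exec:s0` in the same patch is unconditional, which is consistent with that reading.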
From: Roshan Pius Date: Mon, 23 Aug 2021 13:05:36 -0700 Subject: [PATCH 023/900] gs201-sepolicy: Rename hal_uwb -> hal_uwb_vendor Since we are now creating an AOSP HAL for uwb. Rename qorvo's internal HAL to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules. Bug: 195308730 Test: Compiles Change-Id: I0c06a9d191d6bf2f2e5c66f70be0c7f8e8aa96b4 --- legacy/file_contexts | 2 +- legacy/hal_uwb_default.te | 5 ----- legacy/hal_uwb_vendor_default.te | 5 +++++ legacy/service.te | 2 +- legacy/service_contexts | 2 +- legacy/uwb_vendor_app.te | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) delete mode 100644 legacy/hal_uwb_default.te create mode 100644 legacy/hal_uwb_vendor_default.te diff --git a/legacy/file_contexts b/legacy/file_contexts index 9e502339..253a50dd 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -331,7 +331,7 @@ # Uwb # R4 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 +/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 # RILD files /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 diff --git a/legacy/hal_uwb_default.te b/legacy/hal_uwb_default.te deleted file mode 100644 index f066aa4d..00000000 --- a/legacy/hal_uwb_default.te +++ /dev/null @@ -1,5 +0,0 @@ -type hal_uwb_default, domain; -type hal_uwb_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_uwb_default) - -add_service(hal_uwb_default, hal_uwb_service) diff --git a/legacy/hal_uwb_vendor_default.te b/legacy/hal_uwb_vendor_default.te new file mode 100644 index 00000000..d16424e9 --- /dev/null +++ b/legacy/hal_uwb_vendor_default.te @@ -0,0 +1,5 @@ +type hal_uwb_vendor_default, domain; +type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_uwb_vendor_default) + +add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) diff --git a/legacy/service.te b/legacy/service.te index 99e99483..357dffe4 100644 
--- a/legacy/service.te +++ b/legacy/service.te @@ -1,4 +1,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; -type hal_uwb_service, service_manager_type, vendor_service; +type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/legacy/service_contexts b/legacy/service_contexts index 687f8cc8..6fb9de1f 100644 --- a/legacy/service_contexts +++ b/legacy/service_contexts @@ -1,4 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 -hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 +hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/legacy/uwb_vendor_app.te b/legacy/uwb_vendor_app.te index aee5c49f..c33731a8 100644 --- a/legacy/uwb_vendor_app.te +++ b/legacy/uwb_vendor_app.te @@ -5,7 +5,7 @@ app_domain(uwb_vendor_app) add_service(uwb_vendor_app, uwb_vendor_service) allow uwb_vendor_app app_api_service:service_manager find; -allow uwb_vendor_app hal_uwb_service:service_manager find; +allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; From 1eeb466b559e3373d7ccbed1e6765c86a9a73a04 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 24 Aug 2021 11:32:45 +0800 Subject: [PATCH 024/900] modularize aocd Bug: 197585437 Test: boot with aoc started Change-Id: Ib8f3aad606f8a2c3d5d5a75287816ab4cb8318a8 --- {legacy => aoc}/aocd.te | 0 aoc/device.te | 2 ++ aoc/file.te | 8 ++++++++ aoc/file_contexts | 24 ++++++++++++++++++++++++ aoc/genfs_contexts | 5 +++++ aoc/property.te | 2 ++ aoc/property_contexts | 2 ++ legacy/device.te | 3 --- legacy/file.te | 7 ------- legacy/file_contexts | 21 --------------------- legacy/genfs_contexts | 6 ------ legacy/property.te | 3 --- legacy/property_contexts | 3 --- 13 files changed, 43 insertions(+), 43 deletions(-) rename {legacy => aoc}/aocd.te (100%) create mode 100644 aoc/device.te create mode 100644 aoc/file.te create mode 100644 aoc/file_contexts create mode 100644 aoc/genfs_contexts create mode 100644 aoc/property.te create mode 100644 aoc/property_contexts diff --git a/legacy/aocd.te b/aoc/aocd.te similarity index 100% rename from legacy/aocd.te rename to aoc/aocd.te diff --git a/aoc/device.te b/aoc/device.te new file mode 100644 index 00000000..bf9afb58 --- /dev/null +++ b/aoc/device.te @@ -0,0 +1,2 @@ +# AOC device +type aoc_device, dev_type; diff --git a/aoc/file.te b/aoc/file.te new file mode 100644 index 00000000..67f3e945 --- /dev/null +++ b/aoc/file.te @@ -0,0 +1,8 @@ +# sysfs +type sysfs_aoc_boottime, sysfs_type, fs_type; +type sysfs_aoc_firmware, sysfs_type, fs_type; +type sysfs_aoc, sysfs_type, fs_type; +type sysfs_aoc_reset, sysfs_type, fs_type; + +# persist +type persist_aoc_file, file_type, vendor_persist_type; diff --git a/aoc/file_contexts b/aoc/file_contexts new file mode 100644 index 00000000..6a4dea33 --- /dev/null +++ b/aoc/file_contexts 
@@ -0,0 +1,24 @@
+# AoC devices
+/dev/acd-audio_output_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-audio_input_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-sound_trigger u:object_r:aoc_device:s0
+/dev/acd-hotword_notification u:object_r:aoc_device:s0
+/dev/acd-hotword_pcm u:object_r:aoc_device:s0
+/dev/acd-ambient_pcm u:object_r:aoc_device:s0
+/dev/acd-model_data u:object_r:aoc_device:s0
+/dev/acd-debug u:object_r:aoc_device:s0
+/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
+/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0
+/dev/acd-com.google.usf u:object_r:aoc_device:s0
+/dev/acd-logging u:object_r:aoc_device:s0
+/dev/aoc u:object_r:aoc_device:s0
+
+# AoC vendor binaries
+/vendor/bin/aocd u:object_r:aocd_exec:s0
+
+# Aoc persist files
+/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
new file mode 100644
index 00000000..0ddd61d5
--- /dev/null
+++ b/aoc/genfs_contexts
@@ -0,0 +1,5 @@
+# AOC
+genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
diff --git a/aoc/property.te b/aoc/property.te
new file mode 100644
index 00000000..e6f9ddba
--- /dev/null
+++ b/aoc/property.te
@@ -0,0 +1,2 @@
+# AoC
+vendor_internal_prop(vendor_aoc_prop)
diff --git a/aoc/property_contexts b/aoc/property_contexts
new file mode 100644
index 00000000..08388735
--- /dev/null
+++ b/aoc/property_contexts
@@ -0,0 +1,2 @@
+# AoC
+vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
diff --git a/legacy/device.te b/legacy/device.te
index 55205990..5a2f4794 100644
--- a/legacy/device.te
+++ b/legacy/device.te
@@ -46,9 +46,6 @@ type vframe_heap_device, dmabuf_heap_device_type, dev_type;
 #vscaler-secure DMA-BUF heap
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
-# AOC device
-type aoc_device, dev_type;
-
 # Fingerprint device
 type fingerprint_device, dev_type;
diff --git a/legacy/file.te b/legacy/file.te
index 17c8c0bb..72311d99 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -83,15 +83,8 @@ type per_boot_file, file_type, data_file_type, core_data_file_type;
 type proc_touch, proc_type, fs_type, mlstrustedobject;
 type sysfs_touch, sysfs_type, fs_type;
-# AOC
-type sysfs_aoc_boottime, sysfs_type, fs_type;
-type sysfs_aoc_firmware, sysfs_type, fs_type;
-type sysfs_aoc, sysfs_type, fs_type;
-type sysfs_aoc_reset, sysfs_type, fs_type;
-
 # Audio
 type persist_audio_file, file_type, vendor_persist_type;
-type persist_aoc_file, file_type, vendor_persist_type;
 type audio_vendor_data_file, file_type, data_file_type;
 type aoc_audio_file, file_type, vendor_file_type;
diff --git a/legacy/file_contexts b/legacy/file_contexts
index 7c759729..9adb249b 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -216,9 +216,6 @@
 # Sensors
 /data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
-/dev/acd-com.google.usf u:object_r:aoc_device:s0
-/dev/acd-logging u:object_r:aoc_device:s0
-/dev/aoc u:object_r:aoc_device:s0
 # Contexthub
 /vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0
@@ -267,24 +264,9 @@
 /dev/logbuffer_tty16 u:object_r:logbuffer_device:s0
 # Audio
-/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
 /mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
 /data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
 /vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
-/dev/acd-audio_output_tuning u:object_r:aoc_device:s0
-/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0
-/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0
-/dev/acd-audio_input_tuning u:object_r:aoc_device:s0
-/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0
-/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0
-/dev/acd-sound_trigger u:object_r:aoc_device:s0
-/dev/acd-hotword_notification u:object_r:aoc_device:s0
-/dev/acd-hotword_pcm u:object_r:aoc_device:s0
-/dev/acd-ambient_pcm u:object_r:aoc_device:s0
-/dev/acd-model_data u:object_r:aoc_device:s0
-/dev/acd-debug u:object_r:aoc_device:s0
-/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
-/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0
 /dev/amcs u:object_r:amcs_device:s0
 # AudioMetric
@@ -307,9 +289,6 @@
 # Battery
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
-# AoC file contexts.
-/vendor/bin/aocd u:object_r:aocd_exec:s0
-
 # NeuralNetworks file contexts
 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts
index b15a6288..461ada53 100644
--- a/legacy/genfs_contexts
+++ b/legacy/genfs_contexts
@@ -1,9 +1,3 @@
-# AOC
-genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
-genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
-genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
-genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
-
 # WiFi
 genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
 # Battery
diff --git a/legacy/property.te b/legacy/property.te
index 80976174..ff408785 100644
--- a/legacy/property.te
+++ b/legacy/property.te
@@ -25,9 +25,6 @@ vendor_internal_prop(vendor_battery_defender_prop)
 # Battery profile for harness mode
 vendor_internal_prop(vendor_battery_profile_prop)
-# AoC
-vendor_internal_prop(vendor_aoc_prop)
-
 # Logger
 vendor_internal_prop(vendor_logger_prop)
diff --git a/legacy/property_contexts b/legacy/property_contexts
index 8db6f7d7..d0da2cc2 100644
--- a/legacy/property_contexts
+++ b/legacy/property_contexts
@@ -65,9 +65,6 @@ vendor.battery.defender. u:object_r:vendor_battery_defend
 # test battery profile
 persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
-# AoC
-vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
-
 # WiFi
 vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
From ee94f61357a74af6725bf9dc54542c0e535341a2 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 24 Aug 2021 14:24:46 +0800
Subject: [PATCH 025/900] modularize aocdump
Bug: 197585437
Test: build ROM with aocdump labeled correctly
Change-Id: Ia2c2877a337bca6711d0f15a309b9012624ce76b
---
 {legacy => aoc}/aocdump.te | 3 ---
 aoc/file.te | 3 +++
 aoc/file_contexts | 4 ++++
 aoc/property.te | 2 ++
 aoc/property_contexts | 8 ++++++++
 legacy/file.te | 1 -
 legacy/file_contexts | 4 ----
 legacy/property.te | 1 -
 legacy/property_contexts | 10 ----------
 9 files changed, 17 insertions(+), 19 deletions(-)
 rename {legacy => aoc}/aocdump.te (76%)
diff --git a/legacy/aocdump.te b/aoc/aocdump.te
similarity index 76%
rename from legacy/aocdump.te
rename to aoc/aocdump.te
index ca468a35..90911424 100644
--- a/legacy/aocdump.te
+++ b/aoc/aocdump.te
@@ -6,14 +6,11 @@ userdebug_or_eng(`
 # Permit communication with AoC
 allow aocdump aoc_device:chr_file rw_file_perms;
- allow aocdump radio_vendor_data_file:dir rw_dir_perms;
- allow aocdump radio_vendor_data_file:file create_file_perms;
 allow aocdump wifi_logging_data_file:dir create_dir_perms;
 allow aocdump wifi_logging_data_file:file create_file_perms;
 set_prop(aocdump, vendor_audio_prop);
 r_dir_file(aocdump, proc_asound)
 allow aocdump self:unix_stream_socket create_stream_socket_perms;
- allow aocdump property_socket:sock_file { write };
 allow aocdump audio_vendor_data_file:sock_file { create unlink };
 ')
diff --git a/aoc/file.te b/aoc/file.te
index 67f3e945..5d7031cb 100644
--- a/aoc/file.te
+++ b/aoc/file.te
@@ -6,3 +6,6 @@ type sysfs_aoc_reset, sysfs_type, fs_type;
 # persist
 type persist_aoc_file, file_type, vendor_persist_type;
+
+# data
+type audio_vendor_data_file, file_type, data_file_type;
diff --git a/aoc/file_contexts b/aoc/file_contexts
index 6a4dea33..da9ab4cd 100644
--- a/aoc/file_contexts
+++ b/aoc/file_contexts
@@ -19,6 +19,10 @@
 # AoC vendor binaries
 /vendor/bin/aocd u:object_r:aocd_exec:s0
+/vendor/bin/aocdump u:object_r:aocdump_exec:s0
 # Aoc persist files
 /mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
+
+# Audio data files
+/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
diff --git a/aoc/property.te b/aoc/property.te
index e6f9ddba..d38e3ec8 100644
--- a/aoc/property.te
+++ b/aoc/property.te
@@ -1,2 +1,4 @@
 # AoC
 vendor_internal_prop(vendor_aoc_prop)
+# Audio
+vendor_internal_prop(vendor_audio_prop)
diff --git a/aoc/property_contexts b/aoc/property_contexts
index 08388735..cf460c23 100644
--- a/aoc/property_contexts
+++ b/aoc/property_contexts
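Review bot: The aoc/aocdump.te hunk drops three allow rules (radio_vendor_data_file dir and file access, and property_socket:sock_file write) while the commit message only describes moving the file; if aocdump still writes under the radio data directory on userdebug builds this will surface as new denials, and if the access is intentionally retired the message should say so, e.g. `Also drop the unused radio_vendor_data_file access from aocdump.` The property_socket write is very likely redundant, since set_prop() already grants it alongside the vendor_audio_prop rule kept on the line above, so that removal looks safe. The enclosing userdebug_or_eng block starts outside the hunk.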
@@ -1,2 +1,10 @@
 # AoC
 vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
+
+# for audio
+vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
+vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
+persist.vendor.audio. u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
+vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
diff --git a/legacy/file.te b/legacy/file.te
index 72311d99..777f6a35 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -85,7 +85,6 @@ type sysfs_touch, sysfs_type, fs_type;
 # Audio
 type persist_audio_file, file_type, vendor_persist_type;
-type audio_vendor_data_file, file_type, data_file_type;
 type aoc_audio_file, file_type, vendor_file_type;
 # RILD
diff --git a/legacy/file_contexts b/legacy/file_contexts
index 9adb249b..21994bbd 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -226,9 +226,6 @@
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
 /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
-# Audio logging
-/vendor/bin/aocdump u:object_r:aocdump_exec:s0
-
 # modem_svc_sit files
 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
 /data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
@@ -265,7 +262,6 @@
 # Audio
 /mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
-/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
 /vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
 /dev/amcs u:object_r:amcs_device:s0
diff --git a/legacy/property.te b/legacy/property.te
index ff408785..4a7c01c6 100644
--- a/legacy/property.te
+++ b/legacy/property.te
@@ -11,7 +11,6 @@ vendor_internal_prop(vendor_ro_config_default_prop)
 vendor_internal_prop(vendor_sys_default_prop)
 vendor_internal_prop(vendor_ro_sys_default_prop)
 vendor_internal_prop(vendor_persist_sys_default_prop)
-vendor_internal_prop(vendor_audio_prop)
 vendor_internal_prop(vendor_codec2_debug_prop)
 vendor_internal_prop(vendor_display_prop)
 vendor_internal_prop(vendor_camera_prop)
diff --git a/legacy/property_contexts b/legacy/property_contexts
index d0da2cc2..ba12f0ef 100644
--- a/legacy/property_contexts
+++ b/legacy/property_contexts
@@ -31,16 +31,6 @@ vendor.sys. u:object_r:vendor_sys_default_prop:s0
 ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
 persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
-
-# for audio
-vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
-vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
-persist.vendor.audio. u:object_r:vendor_audio_prop:s0
-vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
-vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
-vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
-
-
 # for display
 ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
From d9c4ed7b59a9d38ed9531702369ebc91b05a4408 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 24 Aug 2021 15:00:24 +0800
Subject: [PATCH 026/900] modularize hal_audio_default
Bug: 197585437
Test: boot with hal_audio_default initialized
Change-Id: I90435ffa66d342ee5c96bcb872d2ebefe5b4ef7c
---
 aoc/device.te | 3 +++
 aoc/file.te | 4 ++++
 aoc/file_contexts | 5 +++++
 aoc/hal_audio_default.te | 30 ++++++++++++++++++++++++++++++
 aoc/hwservice.te | 2 ++
 aoc/hwservice_contexts | 2 ++
 legacy/device.te | 3 ---
 legacy/file.te | 4 ----
 legacy/file_contexts | 5 -----
 legacy/hal_audio_default.te | 30 ------------------------------
 legacy/hwservice.te | 3 ---
 legacy/hwservice_contexts | 3 ---
 12 files changed, 46 insertions(+), 48 deletions(-)
 create mode 100644 aoc/hal_audio_default.te
 create mode 100644 aoc/hwservice.te
 create mode 100644 aoc/hwservice_contexts
diff --git a/aoc/device.te b/aoc/device.te
index bf9afb58..fbd2b327 100644
--- a/aoc/device.te
+++ b/aoc/device.te
@@ -1,2 +1,5 @@
 # AOC device
 type aoc_device, dev_type;
+
+# AMCS device
+type amcs_device, dev_type;
diff --git a/aoc/file.te b/aoc/file.te
index 5d7031cb..4d392938 100644
--- a/aoc/file.te
+++ b/aoc/file.te
@@ -6,6 +6,10 @@ type sysfs_aoc_reset, sysfs_type, fs_type;
 # persist
 type persist_aoc_file, file_type, vendor_persist_type;
+type persist_audio_file, file_type, vendor_persist_type;
+
+# vendor
+type aoc_audio_file, file_type, vendor_file_type;
 # data
 type audio_vendor_data_file, file_type, data_file_type;
diff --git a/aoc/file_contexts b/aoc/file_contexts
index da9ab4cd..edd3ebb1 100644
--- a/aoc/file_contexts
+++ b/aoc/file_contexts
@@ -16,13 +16,18 @@
 /dev/acd-com.google.usf u:object_r:aoc_device:s0
 /dev/acd-logging u:object_r:aoc_device:s0
 /dev/aoc u:object_r:aoc_device:s0
+/dev/amcs u:object_r:amcs_device:s0
 # AoC vendor binaries
 /vendor/bin/aocd u:object_r:aocd_exec:s0
 /vendor/bin/aocdump u:object_r:aocdump_exec:s0
+# AoC audio files
+/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
+
 # Aoc persist files
 /mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
+/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
 # Audio data files
 /data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te
new file mode 100644
index 00000000..6334b93f
--- /dev/null
+++ b/aoc/hal_audio_default.te
@@ -0,0 +1,30 @@
+vndbinder_use(hal_audio_default)
+hwbinder_use(hal_audio_default)
+
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+
+r_dir_file(hal_audio_default, aoc_audio_file);
+r_dir_file(hal_audio_default, mnt_vendor_file);
+r_dir_file(hal_audio_default, persist_audio_file);
+
+allow hal_audio_default persist_file:dir search;
+allow hal_audio_default aoc_device:file rw_file_perms;
+allow hal_audio_default aoc_device:chr_file rw_file_perms;
+
+allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
+
+allow hal_audio_default amcs_device:file rw_file_perms;
+allow hal_audio_default amcs_device:chr_file rw_file_perms;
+
+#allow access to DMABUF Heaps for AAudio API
+allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
+
+get_prop(hal_audio_default, vendor_audio_prop);
+
+userdebug_or_eng(`
+ allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
+ allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
+')
+
+wakelock_use(hal_audio_default);
diff --git a/aoc/hwservice.te b/aoc/hwservice.te
new file mode 100644
index 00000000..15aaaf71
--- /dev/null
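Review bot: In the new aoc/hal_audio_default.te, `r_dir_file(hal_audio_default, mnt_vendor_file);` grants read of every directory and file that carries the mnt_vendor_file label under /mnt/vendor, while the data this HAL uses is already covered by the persist_audio_file rule on the next line; unless it really reads unlabelled files there, `allow hal_audio_default mnt_vendor_file:dir search;` is the least-privilege form and would match the `persist_file:dir search` rule a few lines below. The `aoc_device:file` and `amcs_device:file` rules also look dead next to their chr_file counterparts, since both types are declared dev_type and bound to /dev nodes in the file_contexts hunk above; if they were added for a specific denial a one-line comment naming it would keep the next reader from deleting them. The file is a move from legacy/, so these are pre-existing rules, but the move is the natural point to tighten them.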
+++ b/aoc/hwservice.te
@@ -0,0 +1,2 @@
+# Audio
+type hal_audio_ext_hwservice, hwservice_manager_type;
diff --git a/aoc/hwservice_contexts b/aoc/hwservice_contexts
new file mode 100644
index 00000000..8eadd213
--- /dev/null
+++ b/aoc/hwservice_contexts
@@ -0,0 +1,2 @@
+# Audio
+vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
diff --git a/legacy/device.te b/legacy/device.te
index 5a2f4794..a3af95f8 100644
--- a/legacy/device.te
+++ b/legacy/device.te
@@ -49,6 +49,3 @@ type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
 # Fingerprint device
 type fingerprint_device, dev_type;
-# AMCS device
-type amcs_device, dev_type;
-
diff --git a/legacy/file.te b/legacy/file.te
index 777f6a35..f7f9b42f 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -83,10 +83,6 @@ type per_boot_file, file_type, data_file_type, core_data_file_type;
 type proc_touch, proc_type, fs_type, mlstrustedobject;
 type sysfs_touch, sysfs_type, fs_type;
-# Audio
-type persist_audio_file, file_type, vendor_persist_type;
-type aoc_audio_file, file_type, vendor_file_type;
-
 # RILD
 type rild_vendor_data_file, file_type, data_file_type;
diff --git a/legacy/file_contexts b/legacy/file_contexts
index 21994bbd..99f31862 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -260,11 +260,6 @@
 /dev/logbuffer_btlpm u:object_r:logbuffer_device:s0
 /dev/logbuffer_tty16 u:object_r:logbuffer_device:s0
-# Audio
-/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
-/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
-/dev/amcs u:object_r:amcs_device:s0
-
 # AudioMetric
 /(vendor|system/vendor)/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0
diff --git a/legacy/hal_audio_default.te b/legacy/hal_audio_default.te
index 5ee99469..31ed6a9b 100644
--- a/legacy/hal_audio_default.te
+++ b/legacy/hal_audio_default.te
@@ -1,31 +1 @@
-vndbinder_use(hal_audio_default)
-hwbinder_use(hal_audio_default)
-
-allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
-allow hal_audio_default audio_vendor_data_file:file create_file_perms;
-
-r_dir_file(hal_audio_default, aoc_audio_file);
-r_dir_file(hal_audio_default, mnt_vendor_file);
-r_dir_file(hal_audio_default, persist_audio_file);
-
-allow hal_audio_default persist_file:dir search;
-allow hal_audio_default aoc_device:file rw_file_perms;
-allow hal_audio_default aoc_device:chr_file rw_file_perms;
-
-allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
-
-allow hal_audio_default amcs_device:file rw_file_perms;
-allow hal_audio_default amcs_device:chr_file rw_file_perms;
 allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
-
-#allow access to DMABUF Heaps for AAudio API
-allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
-
-get_prop(hal_audio_default, vendor_audio_prop);
-
-userdebug_or_eng(`
- allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
- allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
-')
-
-wakelock_use(hal_audio_default);
diff --git a/legacy/hwservice.te b/legacy/hwservice.te
index 5d1d6a31..81372fc2 100644
--- a/legacy/hwservice.te
+++ b/legacy/hwservice.te
@@ -7,9 +7,6 @@ type hal_exynos_rild_hwservice, hwservice_manager_type;
 # GRIL service
 type hal_radioext_hwservice, hwservice_manager_type;
-# Audio
-type hal_audio_ext_hwservice, hwservice_manager_type;
-
 # WLC
 type hal_wlc_hwservice, hwservice_manager_type;
diff --git a/legacy/hwservice_contexts b/legacy/hwservice_contexts
index 4f466bf0..113d6623 100644
--- a/legacy/hwservice_contexts
+++ b/legacy/hwservice_contexts
@@ -14,9 +14,6 @@ android.hardware.media.c2::IConfigurable u:object_r:hal_c
 # GRIL HAL
 vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
-#Audio
-vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
-
 # Wireless charger hal
 vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
From 7d4d5a8940c0497fd72492c4e451f368da05ca3b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 25 Aug 2021 15:38:27 +0800
Subject: [PATCH 027/900] modularize hal_audiometricext_default
Bug: 197585437
Test: boot with hal_audiometricext_default initialized
Change-Id: I3d9aa576af2faefd2b03b911141d5ffdafc7902e
---
 aoc/file.te | 1 +
 aoc/genfs_contexts | 11 +++++++++++
 aoc/hal_audio_default.te | 1 +
 {legacy => aoc}/hal_audiometricext_default.te | 0
 aoc/hwservice.te | 4 ++++
 aoc/hwservice_contexts | 2 ++
 legacy/file.te | 3 ---
 legacy/genfs_contexts | 9 ---------
 legacy/hal_audio_default.te | 1 -
 legacy/hwservice.te | 3 ---
 legacy/hwservice_contexts | 3 ---
 11 files changed, 19 insertions(+), 19 deletions(-)
 rename {legacy => aoc}/hal_audiometricext_default.te (100%)
 delete mode 100644 legacy/hal_audio_default.te
diff --git a/aoc/file.te b/aoc/file.te
index 4d392938..fec17dcb 100644
--- a/aoc/file.te
+++ b/aoc/file.te
@@ -3,6 +3,7 @@ type sysfs_aoc_boottime, sysfs_type, fs_type;
 type sysfs_aoc_firmware, sysfs_type, fs_type;
 type sysfs_aoc, sysfs_type, fs_type;
 type sysfs_aoc_reset, sysfs_type, fs_type;
+type sysfs_pixelstats, fs_type, sysfs_type;
 # persist
 type persist_aoc_file, file_type, vendor_persist_type;
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
index 0ddd61d5..4be738a6 100644
--- a/aoc/genfs_contexts
+++ b/aoc/genfs_contexts
@@ -3,3 +3,14 @@ genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:ob
 genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
 genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
 genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+
+# pixelstat_vendor
+genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
+
diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te
index 6334b93f..5ee99469 100644
--- a/aoc/hal_audio_default.te
+++ b/aoc/hal_audio_default.te
@@ -16,6 +16,7 @@ allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
 allow hal_audio_default amcs_device:file rw_file_perms;
 allow hal_audio_default amcs_device:chr_file rw_file_perms;
+allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
 #allow access to DMABUF Heaps for AAudio API
 allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
diff --git a/legacy/hal_audiometricext_default.te b/aoc/hal_audiometricext_default.te
similarity index 100%
rename from legacy/hal_audiometricext_default.te
rename to aoc/hal_audiometricext_default.te
diff --git a/aoc/hwservice.te b/aoc/hwservice.te
index 15aaaf71..b7bf5d92 100644
--- a/aoc/hwservice.te
+++ b/aoc/hwservice.te
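Review bot: The last added line of the aoc/genfs_contexts hunk is an empty line, so the file now ends with a trailing blank; the same trailing `+` is added to aoc/hwservice.te and aoc/hwservice_contexts in this commit, to gps/file.te in PATCH 028 and to gps/genfs_contexts in PATCH 029. The legacy files these entries were lifted from did not end that way, and the blank only adds noise to every future diff of these files, so drop it here and in the other four. The `# pixelstat_vendor` header is also worth keeping in sync with the type comment in aoc/file.te, where the same label is declared without one.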
@@ -1,2 +1,6 @@
 # Audio
 type hal_audio_ext_hwservice, hwservice_manager_type;
+
+# AudioMetric
+type hal_audiometricext_hwservice, hwservice_manager_type;
+
diff --git a/aoc/hwservice_contexts b/aoc/hwservice_contexts
index 8eadd213..f06c8461 100644
--- a/aoc/hwservice_contexts
+++ b/aoc/hwservice_contexts
@@ -1,2 +1,4 @@
 # Audio
 vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
+vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
+
diff --git a/legacy/file.te b/legacy/file.te
index f7f9b42f..4ef42471 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -159,9 +159,6 @@ type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject;
 # UWB vendor
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
-# PixelStats_vendor
-type sysfs_pixelstats, fs_type, sysfs_type;
-
 # WLC FW
 type vendor_wlc_fwupdata_file, vendor_file_type, file_type;
 #
diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts
index 461ada53..1991004c 100644
--- a/legacy/genfs_contexts
+++ b/legacy/genfs_contexts
@@ -281,12 +281,3 @@ genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count
 # mediacodec
 genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0
-# pixelstat_vendor
-genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0
-genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
diff --git a/legacy/hal_audio_default.te b/legacy/hal_audio_default.te
deleted file mode 100644
index 31ed6a9b..00000000
--- a/legacy/hal_audio_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
diff --git a/legacy/hwservice.te b/legacy/hwservice.te
index 81372fc2..eb8e6211 100644
--- a/legacy/hwservice.te
+++ b/legacy/hwservice.te
@@ -16,6 +16,3 @@ type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservi
 # Fingerprint
 type hal_fingerprint_ext_hwservice, hwservice_manager_type;
-# AudioMetric
-type hal_audiometricext_hwservice, hwservice_manager_type;
-
diff --git a/legacy/hwservice_contexts b/legacy/hwservice_contexts
index 113d6623..9962c75d 100644
--- a/legacy/hwservice_contexts
+++ b/legacy/hwservice_contexts
@@ -25,6 +25,3 @@ hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r
 # Fingerprint
 vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
-#Audio
-vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
-
From 8f611991f701639b9b8bac5de0df13653c9ccf76 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 27 Aug 2021 11:16:47 +0800
Subject: [PATCH 028/900] modularize scd
Bug: 197914244
Test: boot with scd started
Change-Id: If2c033e9aaf33b47f2fe5db3507fac052dcaef1a
---
 gps/file.te | 5 +++++
 gps/file_contexts | 4 ++++
 {legacy => gps}/scd.te | 0
 legacy/file.te | 4 ----
 legacy/file_contexts | 7 -------
 5 files changed, 9 insertions(+), 11 deletions(-)
 create mode 100644 gps/file.te
 create mode 100644 gps/file_contexts
 rename {legacy => gps}/scd.te (100%)
diff --git a/gps/file.te b/gps/file.te
new file mode 100644
index 00000000..c7a29a24
--- /dev/null
+++ b/gps/file.te
@@ -0,0 +1,5 @@
+type vendor_gps_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
+')
+
diff --git a/gps/file_contexts b/gps/file_contexts
new file mode 100644
index 00000000..b39c2d40
--- /dev/null
+++ b/gps/file_contexts
@@ -0,0 +1,4 @@
+# gnss/gps data/log files
+/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
+# vendor binaries
+/vendor/bin/hw/scd u:object_r:scd_exec:s0
diff --git a/legacy/scd.te b/gps/scd.te
similarity index 100%
rename from legacy/scd.te
rename to gps/scd.te
diff --git a/legacy/file.te b/legacy/file.te
index 4ef42471..87cdc95a 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -105,10 +105,6 @@ type vendor_camera_tuning_file, vendor_file_type, file_type;
 type vendor_camera_data_file, file_type, data_file_type;
 # GPS
-type vendor_gps_file, file_type, data_file_type;
-userdebug_or_eng(`
- typeattribute vendor_gps_file mlstrustedobject;
-')
 type sysfs_gps, sysfs_type, fs_type;
 # Display
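Review bot: The relocated scd entry in the new gps/file_contexts is written as `/vendor/bin/hw/scd u:object_r:scd_exec:s0`, whereas the line it replaces in legacy/file_contexts (removed in the next hunk of this commit) was `/(vendor|system/vendor)/bin/hw/scd`, so the pattern has been narrowed during what the message describes as a move. That is fine if /vendor is always its own partition on this device, but the neighbouring legacy entries (gpsd, lhd, rild_exynos, rfsd, bipchmgr) still use the alternation form, so either the narrowing is intentional and should be stated, or the entry should keep the old form until the rest are converted. The `typeattribute vendor_gps_file mlstrustedobject;` under userdebug_or_eng in gps/file.te is carried over unchanged, but a one-line comment on why the GPS log directory needs to bypass MLS constraints on debug builds would help the next reader.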
diff --git a/legacy/file_contexts b/legacy/file_contexts
index a36b57d7..033f9d3b 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -114,19 +114,12 @@
 # Exynos Daemon Exec
 #
 /(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0
-/(vendor|system/vendor)/bin/hw/scd u:object_r:scd_exec:s0
 /(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0
 /(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0
 /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0
 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0
-#
-# Exynos Data Files
-#
-# gnss/gps data/log files
-/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
-
 #
 # Exynos Log Files
 #
From 99ab56746a3dd3fbadce4be53d2d2dba4a084b41 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 27 Aug 2021 11:29:09 +0800
Subject: [PATCH 029/900] modularize lhd
Bug: 197914244
Test: boot with lhd started
Change-Id: I873a151e4dc6e512b8831b936c3e057ae544888c
---
 gps/device.te | 1 +
 gps/file.te | 1 +
 gps/file_contexts | 6 ++++++
 gps/genfs_contexts | 3 +++
 {legacy => gps}/lhd.te | 0
 legacy/device.te | 1 -
 legacy/file.te | 3 ---
 legacy/file_contexts | 4 ----
 legacy/genfs_contexts | 3 ---
 9 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 gps/device.te
 create mode 100644 gps/genfs_contexts
 rename {legacy => gps}/lhd.te (100%)
diff --git a/gps/device.te b/gps/device.te
new file mode 100644
index 00000000..15d049fa
--- /dev/null
+++ b/gps/device.te
@@ -0,0 +1 @@
+type vendor_gnss_device, dev_type;
diff --git a/gps/file.te b/gps/file.te
index c7a29a24..4ed25013 100644
--- a/gps/file.te
+++ b/gps/file.te
@@ -3,3 +3,4 @@ userdebug_or_eng(`
 typeattribute vendor_gps_file mlstrustedobject;
 ')
+type sysfs_gps, sysfs_type, fs_type;
diff --git a/gps/file_contexts b/gps/file_contexts
index b39c2d40..cb6f452a 100644
--- a/gps/file_contexts
+++ b/gps/file_contexts
@@ -1,4 +1,10 @@
 # gnss/gps data/log files
 /data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
+
+# devices
+/dev/bbd_control u:object_r:vendor_gnss_device:s0
+/dev/ttyBCM u:object_r:vendor_gnss_device:s0
+
 # vendor binaries
 /vendor/bin/hw/scd u:object_r:scd_exec:s0
+/vendor/bin/hw/lhd u:object_r:lhd_exec:s0
diff --git a/gps/genfs_contexts b/gps/genfs_contexts
new file mode 100644
index 00000000..1eab75b1
--- /dev/null
+++ b/gps/genfs_contexts
@@ -0,0 +1,3 @@
+# GPS
+genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
+
diff --git a/legacy/lhd.te b/gps/lhd.te
similarity index 100%
rename from legacy/lhd.te
rename to gps/lhd.te
diff --git a/legacy/device.te b/legacy/device.te
index a3af95f8..5d640eab 100644
--- a/legacy/device.te
+++ b/legacy/device.te
@@ -9,7 +9,6 @@ type sda_block_device, dev_type;
 # Exynos devices
 type vendor_m2m1shot_device, dev_type;
-type vendor_gnss_device, dev_type;
 type vendor_nanohub_device, dev_type;
 type vendor_secmem_device, dev_type;
 type vendor_toe_device, dev_type;
diff --git a/legacy/file.te b/legacy/file.te
index 87cdc95a..3a19a94a 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -104,9 +104,6 @@ type persist_camera_file, file_type;
 type vendor_camera_tuning_file, vendor_file_type, file_type;
 type vendor_camera_data_file, file_type, data_file_type;
-# GPS
-type sysfs_gps, sysfs_type, fs_type;
-
 # Display
 type sysfs_display, sysfs_type, fs_type;
 type persist_display_file, file_type, vendor_persist_type;
diff --git a/legacy/file_contexts b/legacy/file_contexts
index 033f9d3b..aaec82de 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -77,10 +77,7 @@ # # Exynos Devices # -/dev/gnss_ipc u:object_r:vendor_gnss_device:s0 -/dev/bbd_control u:object_r:vendor_gnss_device:s0 /dev/bbd_pwrstat u:object_r:power_stats_device:s0 -/dev/ttyBCM u:object_r:vendor_gnss_device:s0 /dev/nanohub u:object_r:vendor_nanohub_device:s0 /dev/nanohub_comms u:object_r:vendor_nanohub_device:s0 /dev/m2m1shot_scaler0 u:object_r:vendor_m2m1shot_device:s0 @@ -115,7 +112,6 @@ # /(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0 /(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0 -/(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0 /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts index 1991004c..4976f731 100644 --- a/legacy/genfs_contexts +++ b/legacy/genfs_contexts @@ -102,9 +102,6 @@ genfscon proc /fts/driver_test genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 -# GPS -genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 - # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 From d646306b48e13b07ea077d82d583ffac6e6d8adb Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 27 Aug 2021 11:38:00 +0800 Subject: [PATCH 030/900] modularize hal_gnss_default Bug: 197914244 Test: boot with hal_gnss_default started Change-Id: I7b3d71fb9ae151363e3ce54587721ffe04d42b55 --- gps/file_contexts | 11 ++++++----- {legacy => gps}/hal_gnss_default.te | 0 legacy/file_contexts | 3 --- 3 files changed, 6 insertions(+), 8 deletions(-) rename {legacy => gps}/hal_gnss_default.te (100%) 
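Review bot: `/dev/gnss_ipc` is dropped from the `vendor_gnss_device` entries in the legacy/file_contexts hunk at -77 but, unlike `/dev/bbd_control` and `/dev/ttyBCM`, it is not re-added to gps/file_contexts anywhere in this commit. If that node still exists on gs201 it now falls back to the generic `device` label and lhd/gpsd access to it will be denied; the "boot with lhd started" test would not necessarily catch that. If the node is intentionally gone on this SoC, say so in the commit message; otherwise add `/dev/gnss_ipc u:object_r:vendor_gnss_device:s0` under the new `# devices` section of gps/file_contexts.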
diff --git a/gps/file_contexts b/gps/file_contexts index cb6f452a..cce530c7 100644 --- a/gps/file_contexts +++ b/gps/file_contexts @@ -1,10 +1,11 @@ # gnss/gps data/log files -/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0 +/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0 # devices -/dev/bbd_control u:object_r:vendor_gnss_device:s0 -/dev/ttyBCM u:object_r:vendor_gnss_device:s0 +/dev/bbd_control u:object_r:vendor_gnss_device:s0 +/dev/ttyBCM u:object_r:vendor_gnss_device:s0 # vendor binaries -/vendor/bin/hw/scd u:object_r:scd_exec:s0 -/vendor/bin/hw/lhd u:object_r:lhd_exec:s0 +/vendor/bin/hw/scd u:object_r:scd_exec:s0 +/vendor/bin/hw/lhd u:object_r:lhd_exec:s0 +/vendor/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 diff --git a/legacy/hal_gnss_default.te b/gps/hal_gnss_default.te similarity index 100% rename from legacy/hal_gnss_default.te rename to gps/hal_gnss_default.te diff --git a/legacy/file_contexts b/legacy/file_contexts index aaec82de..4d956aa7 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -23,9 +23,6 @@ # HALs # /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs201 u:object_r:hal_bootctl_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.1-service-brcm u:object_r:hal_gnss_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-brcm u:object_r:hal_gnss_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs201 u:object_r:hal_power_stats_default_exec:s0 # Wireless charger HAL From 49784e0285432580b9825979f7f5818ab4e3fd1b Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Fri, 27 Aug 2021 12:08:37 +0800 Subject: [PATCH 031/900] modularize gpsd Bug: 197914244 Test: boot with gpsd started Change-Id: I4bcb0b55f95609a770810d676e8496c389b5cc73 --- gps/file_contexts | 1 + {legacy => gps}/gpsd.te | 4 ---- legacy/file_contexts | 1 - whitechapel_pro/gpsd.te | 3 +++ 4 files changed, 4 insertions(+), 5 deletions(-) rename {legacy => gps}/gpsd.te (85%) create mode 100644 whitechapel_pro/gpsd.te diff --git a/gps/file_contexts b/gps/file_contexts index cce530c7..8ae128e1 100644 --- a/gps/file_contexts +++ b/gps/file_contexts @@ -8,4 +8,5 @@ # vendor binaries /vendor/bin/hw/scd u:object_r:scd_exec:s0 /vendor/bin/hw/lhd u:object_r:lhd_exec:s0 +/vendor/bin/hw/gpsd u:object_r:gpsd_exec:s0 /vendor/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 diff --git a/legacy/gpsd.te b/gps/gpsd.te similarity index 85% rename from legacy/gpsd.te rename to gps/gpsd.te index 64591cba..9757395b 100644 --- a/legacy/gpsd.te +++ b/gps/gpsd.te @@ -16,10 +16,6 @@ allow gpsd vendor_gps_file:dir create_dir_perms; allow gpsd vendor_gps_file:file create_file_perms; allow gpsd vendor_gps_file:fifo_file create_file_perms; -# Allow gpsd to access rild -binder_call(gpsd, rild); -allow gpsd hal_exynos_rild_hwservice:hwservice_manager find; - # Allow gpsd to access sensor service binder_call(gpsd, system_server); allow gpsd fwk_sensor_hwservice:hwservice_manager find; diff --git a/legacy/file_contexts b/legacy/file_contexts index 4d956aa7..7e8c5d11 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -108,7 +108,6 @@ # Exynos Daemon Exec # /(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0 -/(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0 /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 
diff --git a/whitechapel_pro/gpsd.te b/whitechapel_pro/gpsd.te new file mode 100644 index 00000000..15a8ac36 --- /dev/null +++ b/whitechapel_pro/gpsd.te @@ -0,0 +1,3 @@ +# Allow gpsd to access rild +binder_call(gpsd, rild); +allow gpsd hal_exynos_rild_hwservice:hwservice_manager find; From 2220917375ae9a64cbf91a781cac00727355c6ec Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 30 Aug 2021 10:32:45 +0800 Subject: [PATCH 032/900] review bipchmgr Bug: 198102284 Test: boot with bipchmgr started Change-Id: I29a35ac4c93749481fe08edd3c1f25bffd013224 --- legacy/domain.te | 1 - legacy/hwservice_contexts | 5 ----- {legacy => whitechapel_pro}/bipchmgr.te | 0 whitechapel_pro/hwservice_contexts | 5 +++-- 4 files changed, 3 insertions(+), 8 deletions(-) rename {legacy => whitechapel_pro}/bipchmgr.te (100%) diff --git a/legacy/domain.te b/legacy/domain.te index 392e75c4..96283269 100644 --- a/legacy/domain.te +++ b/legacy/domain.te @@ -14,7 +14,6 @@ dontaudit domain fs_type:filesystem *; dontaudit domain dev_type:file *; dontaudit domain dev_type:chr_file *; dontaudit domain dev_type:blk_file *; -dontaudit domain hwservice_manager_type:hwservice_manager *; dontaudit domain service_manager_type:service_manager *; dontaudit domain domain:capability *; dontaudit domain domain:binder *; diff --git a/legacy/hwservice_contexts b/legacy/hwservice_contexts index 9962c75d..d9777f05 100644 --- a/legacy/hwservice_contexts +++ b/legacy/hwservice_contexts 
@@ -2,11 +2,6 @@ vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0 vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0 -# rild HAL -vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0 -android.vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0 -vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0 - # VIDEO android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0 android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0 diff --git a/legacy/bipchmgr.te b/whitechapel_pro/bipchmgr.te similarity index 100% rename from legacy/bipchmgr.te rename to whitechapel_pro/bipchmgr.te diff --git a/whitechapel_pro/hwservice_contexts b/whitechapel_pro/hwservice_contexts index 45a0ec09..f89299c1 100644 --- a/whitechapel_pro/hwservice_contexts +++ b/whitechapel_pro/hwservice_contexts @@ -1,4 +1,5 @@ # dmd HAL -vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0 - +vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0 +# rild HAL +vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0 From e1db507a06d1c79b8932b13f6625454831d129ee Mon Sep 17 00:00:00 2001 
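Review bot: The two `IOemSamsungslsi` hwservice names removed from legacy/hwservice_contexts in the -2,11 hunk are not carried over to whitechapel_pro/hwservice_contexts, which re-adds only `radioExternal::IOemSlsiRadioExternal` under `# rild HAL`. gpsd still carries `allow gpsd hal_exynos_rild_hwservice:hwservice_manager find` (moved to whitechapel_pro/gpsd.te in PATCH 031), so if rild still registers either of the old names they now receive the default hwservice label and the lookup is denied. Because the blanket `dontaudit domain hwservice_manager_type:hwservice_manager *;` is removed from legacy/domain.te in the preceding hunk, such denials will now be visible in the audit log rather than silently suppressed, which is the right direction. Worth confirming with the rild owner that only the `radioExternal` interface is still registered before the old entries are gone for good.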
From: Adam Shih Date: Mon, 30 Aug 2021 13:30:56 +0800 Subject: [PATCH 033/900] review cbrs app Bug: 198107733 Test: boot with app launched. Change-Id: I6e32a4ff04f84bba42060bffadf82466f1c7a749 --- legacy/seapp_contexts | 3 --- {legacy => whitechapel_pro}/cbrs_setup.te | 0 whitechapel_pro/seapp_contexts | 2 ++ 3 files changed, 2 insertions(+), 3 deletions(-) rename {legacy => whitechapel_pro}/cbrs_setup.te (100%) diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts index 58aa0af7..1c0232c3 100644 --- a/legacy/seapp_contexts +++ b/legacy/seapp_contexts @@ -25,9 +25,6 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file -# CBRS setup app -user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user - # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user diff --git a/legacy/cbrs_setup.te b/whitechapel_pro/cbrs_setup.te similarity index 100% rename from legacy/cbrs_setup.te rename to whitechapel_pro/cbrs_setup.te diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 937fd3d5..5ff59d87 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -1,3 +1,5 @@ # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +# CBRS setup app +user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user From ffc779eaa89bbc7123a7fbe503c392320e2f9256 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 30 Aug 2021 14:02:30 +0800 Subject: [PATCH 034/900] review chre Bug: 198109521 Test: boot with chre started Change-Id: Ibca6cc3ca0049a412d36e433cb5dcb3363d60527 --- legacy/file.te | 3 --- legacy/file_contexts | 2 -- {legacy => whitechapel_pro}/chre.te | 0 whitechapel_pro/file.te | 3 +++ whitechapel_pro/file_contexts | 2 ++ {legacy => whitechapel_pro}/hal_contexthub.te | 0 6 files changed, 5 insertions(+), 5 deletions(-) rename {legacy => whitechapel_pro}/chre.te (100%) rename {legacy => whitechapel_pro}/hal_contexthub.te (100%) diff --git a/legacy/file.te b/legacy/file.te index 3a19a94a..de51ba8b 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -51,9 +51,6 @@ type sysfs_nanoapp_cmd, sysfs_type, fs_type; # Fingerprint type sysfs_fingerprint, sysfs_type, fs_type; -# CHRE -type chre_socket, file_type; - # IOMMU type sysfs_iommu, sysfs_type, fs_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 7e8c5d11..1bfcc884 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -204,8 +204,6 @@ # Contexthub /vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0 -/(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0 -/dev/socket/chre u:object_r:chre_socket:s0 # TCP logging /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 diff --git a/legacy/chre.te b/whitechapel_pro/chre.te similarity index 100% rename from legacy/chre.te rename to whitechapel_pro/chre.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index d7103146..308bc247 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -16,3 +16,6 @@ type sysfs_chosen, sysfs_type, fs_type; type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; +# CHRE +type chre_socket, file_type; + diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index b584a425..f503b4ae 100644 
--- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -3,6 +3,7 @@ /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 /vendor/bin/sced u:object_r:sced_exec:s0 /vendor/bin/vcd u:object_r:vcd_exec:s0 +/vendor/bin/chre u:object_r:chre_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 @@ -16,6 +17,7 @@ /dev/umts_rfs0 u:object_r:radio_device:s0 /dev/umts_dm0 u:object_r:radio_device:s0 /dev/umts_router u:object_r:radio_device:s0 +/dev/socket/chre u:object_r:chre_socket:s0 # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 diff --git a/legacy/hal_contexthub.te b/whitechapel_pro/hal_contexthub.te similarity index 100% rename from legacy/hal_contexthub.te rename to whitechapel_pro/hal_contexthub.te From f5ed5632e2ce6ba1a174fea0443da9976f313fec Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 30 Aug 2021 14:27:49 +0800 Subject: [PATCH 035/900] review recovery related operations Bug: 196916111 Test: make sure the files are labeled correctly (ls -Z) Change-Id: I735de8b9635c7852a18ec8f32733cb0a0abd38f3 --- legacy/device.te | 2 - legacy/file.te | 1 - legacy/file_contexts | 2 - legacy/genfs_contexts | 3 -- whitechapel_pro/device.te | 2 + {legacy => whitechapel_pro}/fastbootd.te | 0 whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 38 ++++++++++--------- whitechapel_pro/genfs_contexts | 4 ++ .../hal_bootctl_default.te | 0 {legacy => whitechapel_pro}/recovery.te | 0 11 files changed, 27 insertions(+), 26 deletions(-) create mode 100644 whitechapel_pro/device.te rename {legacy => whitechapel_pro}/fastbootd.te (100%) rename {legacy => whitechapel_pro}/hal_bootctl_default.te (100%) rename {legacy => whitechapel_pro}/recovery.te (100%) diff --git a/legacy/device.te b/legacy/device.te index 5d640eab..7bf1b260 100644 --- a/legacy/device.te +++ b/legacy/device.te 
@@ -5,7 +5,6 @@ type modem_block_device, dev_type; type modem_userdata_block_device, dev_type; type persist_block_device, dev_type; type vendor_block_device, dev_type; -type sda_block_device, dev_type; # Exynos devices type vendor_m2m1shot_device, dev_type; @@ -13,7 +12,6 @@ type vendor_nanohub_device, dev_type; type vendor_secmem_device, dev_type; type vendor_toe_device, dev_type; type custom_ab_block_device, dev_type; -type devinfo_block_device, dev_type; # usbpd type logbuffer_device, dev_type; diff --git a/legacy/file.te b/legacy/file.te index de51ba8b..c7d1a681 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -32,7 +32,6 @@ type vendor_sjtag_debugfs, fs_type, debugfs_type; # Exynos sysfs type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; -type sysfs_ota, sysfs_type, fs_type; # ACPM type sysfs_acpm_stats, sysfs_type, fs_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 1bfcc884..6c86fe06 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -44,7 +44,6 @@ /dev/block/platform/14700000\.ufs/by-name/vendor u:object_r:vendor_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 
@@ -68,7 +67,6 @@ /dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/sda u:object_r:sda_block_device:s0 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 # diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts index 4976f731..01de590b 100644 --- a/legacy/genfs_contexts +++ b/legacy/genfs_contexts @@ -189,9 +189,6 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wak genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -# OTA -genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 - # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te new file mode 100644 index 00000000..e2c1e04c --- /dev/null +++ b/whitechapel_pro/device.te @@ -0,0 +1,2 @@ +type sda_block_device, dev_type, bdev_type; +type devinfo_block_device, dev_type, bdev_type; diff --git a/legacy/fastbootd.te b/whitechapel_pro/fastbootd.te similarity index 100% rename from legacy/fastbootd.te rename to whitechapel_pro/fastbootd.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 308bc247..ce53d47c 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -11,6 +11,7 @@ type vendor_fw_file, vendor_file_type, file_type; # sysfs type sysfs_chosen, sysfs_type, fs_type; +type sysfs_ota, sysfs_type, fs_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; 
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index f503b4ae..95613c6b 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -1,27 +1,29 @@ # Binaries -/vendor/bin/dmd u:object_r:dmd_exec:s0 -/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 -/vendor/bin/sced u:object_r:sced_exec:s0 -/vendor/bin/vcd u:object_r:vcd_exec:s0 -/vendor/bin/chre u:object_r:chre_exec:s0 +/vendor/bin/dmd u:object_r:dmd_exec:s0 +/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 +/vendor/bin/sced u:object_r:sced_exec:s0 +/vendor/bin/vcd u:object_r:vcd_exec:s0 +/vendor/bin/chre u:object_r:chre_exec:s0 # Vendor Firmwares -/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 +/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 # Devices -/dev/ttyGS[0-3] u:object_r:serial_device:s0 -/dev/oem_ipc[0-7] u:object_r:radio_device:s0 -/dev/umts_boot0 u:object_r:radio_device:s0 -/dev/umts_ipc0 u:object_r:radio_device:s0 -/dev/umts_ipc1 u:object_r:radio_device:s0 -/dev/umts_rfs0 u:object_r:radio_device:s0 -/dev/umts_dm0 u:object_r:radio_device:s0 -/dev/umts_router u:object_r:radio_device:s0 -/dev/socket/chre u:object_r:chre_socket:s0 +/dev/ttyGS[0-3] u:object_r:serial_device:s0 +/dev/oem_ipc[0-7] u:object_r:radio_device:s0 +/dev/umts_boot0 u:object_r:radio_device:s0 +/dev/umts_ipc0 u:object_r:radio_device:s0 +/dev/umts_ipc1 u:object_r:radio_device:s0 +/dev/umts_rfs0 u:object_r:radio_device:s0 +/dev/umts_dm0 u:object_r:radio_device:s0 +/dev/umts_router u:object_r:radio_device:s0 +/dev/socket/chre u:object_r:chre_socket:s0 +/dev/block/sda u:object_r:sda_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 # Data -/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 +/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 +/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 # Extra mount images -/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 +/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 
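Review bot: Of the 29 new-side lines in this hunk only two are functional — `/dev/block/sda u:object_r:sda_block_device:s0` and the `by-name/devinfo` entry — while the other 27 are column realignment of otherwise unchanged labels, which makes the labeling change hard to review and hard to bisect later. Prefer landing the whitespace pass as its own commit (the gps/file_contexts hunk in PATCH 030 has the same shape), or at minimum call it out in the commit message. On the substance, `/dev/block/sda` is the whole-disk node; declaring `sda_block_device` with `bdev_type` in whitechapel_pro/device.te brings it under the block-device neverallows, which the legacy declaration lacked, so that part is an improvement.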
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index b0406efc..cd5986d7 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -1 +1,5 @@ genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 + +# OTA +genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 + diff --git a/legacy/hal_bootctl_default.te b/whitechapel_pro/hal_bootctl_default.te similarity index 100% rename from legacy/hal_bootctl_default.te rename to whitechapel_pro/hal_bootctl_default.te diff --git a/legacy/recovery.te b/whitechapel_pro/recovery.te similarity index 100% rename from legacy/recovery.te rename to whitechapel_pro/recovery.te From 3a8ed7968ca72e559ec59724960ed95d36c192da Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 1 Sep 2021 11:04:21 +0800 Subject: [PATCH 036/900] sscoredump: remove sepolicy Bug: 198365717 Test: build ROM with sscoredump started Change-Id: I3fd72ed6958bd0a95947dbf513f5ba658a229948 --- gs201-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index b775c68e..48944087 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk @@ -23,9 +23,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext # PowerStats HAL BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats -# sscoredump -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump - # Sniffer Logger BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer From c6111a8666ebbe20f48af3a59f42a54c17640741 Mon Sep 17 00:00:00 2001 
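Review bot: The new `# OTA` block in whitechapel_pro/genfs_contexts ends with two added empty lines, leaving the file with trailing blank lines; gps/genfs_contexts (PATCH 029) and whitechapel_pro/file.te (PATCH 034) pick up the same trailing empty `+` line. `genfscon` entries are prefix matches and comments/blank lines are ignored, so this is harmless to the compiled policy, but it adds noise to every subsequent diff of these files. Drop the final empty line in each so the files end with a single newline.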
From: Adam Shih Date: Thu, 2 Sep 2021 10:48:20 +0800 Subject: [PATCH 037/900] review cbd Bug: 198532074 Test: boot with cbd started Change-Id: Iced4bfaa9ea8e749cc0a8cb7a8da91abfc88d765 --- legacy/device.te | 1 - legacy/file.te | 3 --- legacy/file_contexts | 9 --------- legacy/vendor_init.te | 1 - {legacy => whitechapel_pro}/cbd.te | 4 ---- whitechapel_pro/device.te | 1 + whitechapel_pro/file.te | 6 ++++++ whitechapel_pro/file_contexts | 8 ++++++++ whitechapel_pro/vendor_init.te | 1 + 9 files changed, 16 insertions(+), 18 deletions(-) rename {legacy => whitechapel_pro}/cbd.te (93%) create mode 100644 whitechapel_pro/vendor_init.te diff --git a/legacy/device.te b/legacy/device.te index 7bf1b260..669892d6 100644 --- a/legacy/device.te +++ b/legacy/device.te @@ -1,7 +1,6 @@ # Block Devices type efs_block_device, dev_type; type fat_block_device, dev_type; -type modem_block_device, dev_type; type modem_userdata_block_device, dev_type; type persist_block_device, dev_type; type vendor_block_device, dev_type; diff --git a/legacy/file.te b/legacy/file.te index c7d1a681..6ba99f7f 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -84,10 +84,7 @@ type rild_vendor_data_file, file_type, data_file_type; # Modem type modem_stat_data_file, file_type, data_file_type; -type modem_efs_file, file_type; -type modem_userdata_file, file_type; type sysfs_modem, sysfs_type, fs_type; -type persist_modem_file, file_type, vendor_persist_type; # TCP logging type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; diff --git a/legacy/file_contexts b/legacy/file_contexts index 6c86fe06..6d0c5cef 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -36,8 +36,6 @@ /dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/fat u:object_r:fat_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 @@ -105,7 +103,6 @@ # # Exynos Daemon Exec # -/(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0 /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 @@ -211,12 +208,6 @@ /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 /data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 -# modem mnt files -/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 -/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 -/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 -/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 - # Kernel modules related /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index 8ac90b4c..759fa83d 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te @@ -1,6 +1,5 @@ set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) -set_prop(vendor_init, vendor_cbd_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_slog_prop) 
diff --git a/legacy/cbd.te b/whitechapel_pro/cbd.te similarity index 93% rename from legacy/cbd.te rename to whitechapel_pro/cbd.te index 23c4e576..835a0e1c 100644 --- a/legacy/cbd.te +++ b/whitechapel_pro/cbd.te @@ -6,10 +6,6 @@ set_prop(cbd, vendor_modem_prop) set_prop(cbd, vendor_cbd_prop) set_prop(cbd, vendor_rild_prop) -# Allow cbd to setuid from root to radio -# TODO: confirming with vendor via b/182334947 -allow cbd self:capability { setgid setuid }; - allow cbd mnt_vendor_file:dir r_dir_perms; allow cbd kmsg_device:chr_file rw_file_perms; diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index e2c1e04c..5140108b 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -1,2 +1,3 @@ type sda_block_device, dev_type, bdev_type; type devinfo_block_device, dev_type, bdev_type; +type modem_block_device, dev_type, bdev_type; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index ce53d47c..69acff6e 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -17,6 +17,12 @@ type sysfs_ota, sysfs_type, fs_type; type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; +# persist +type persist_modem_file, file_type, vendor_persist_type; + # CHRE type chre_socket, file_type; +# Modem +type modem_efs_file, file_type; +type modem_userdata_file, file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 95613c6b..9a60b68e 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -4,6 +4,7 @@ /vendor/bin/sced u:object_r:sced_exec:s0 /vendor/bin/vcd u:object_r:vcd_exec:s0 /vendor/bin/chre u:object_r:chre_exec:s0 +/vendor/bin/cbd u:object_r:cbd_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 
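Review bot: Dropping `allow cbd self:capability { setgid setuid };` in the whitechapel_pro/cbd.te hunk is a good tightening, but nothing in this commit shows how cbd now ends up running as the radio user — presumably its init .rc starts it as that user directly instead of dropping privileges at runtime. If cbd still calls setuid()/setgid() the calls will now be denied, and since the `TODO: confirming with vendor via b/182334947` comment goes away with the rule, the resolution of that question is lost. Add a one-line comment in its place such as `# cbd is started as user radio by init; no setuid/setgid needed (b/182334947)`, or record it in the commit message.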
@@ -20,10 +21,17 @@ /dev/socket/chre u:object_r:chre_socket:s0 /dev/block/sda u:object_r:sda_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 +# Persist +/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 + # Extra mount images /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 +/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 +/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 +/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te new file mode 100644 index 00000000..4218745a --- /dev/null +++ b/whitechapel_pro/vendor_init.te @@ -0,0 +1 @@ +set_prop(vendor_init, vendor_cbd_prop) From ee0c81fbc62e528fa28c291e520d19ca9e53ecf8 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 2 Sep 2021 11:34:58 +0800 Subject: [PATCH 038/900] review modem_svc_sit Bug: 198532074 Test: boot with modem_svc_sit started Change-Id: I3018491564eb3bb5dafc5e9ad6446f353d54b18b --- legacy/file.te | 4 ---- legacy/file_contexts | 4 ---- legacy/genfs_contexts | 3 --- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 2 ++ {legacy => whitechapel_pro}/modem_svc_sit.te | 3 --- 6 files changed, 3 insertions(+), 14 deletions(-) rename {legacy => whitechapel_pro}/modem_svc_sit.te (91%) diff --git a/legacy/file.te b/legacy/file.te index 6ba99f7f..f0920be4 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -82,10 +82,6 @@ type sysfs_touch, sysfs_type, fs_type; # RILD type rild_vendor_data_file, file_type, data_file_type; -# Modem -type modem_stat_data_file, file_type, data_file_type; -type sysfs_modem, sysfs_type, fs_type; - # TCP logging type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; 
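Review bot: The whitechapel_pro/file_contexts hunk at -20,10 re-adds only `by-name/modem_[ab]` for `modem_block_device`, while the legacy/file_contexts hunk in this same commit also removed the non-A/B `by-name/modem` entry. If that symlink is still created on gs201 it now falls to the generic `block_device` label and cbd's access to it would be denied; if gs201 is A/B-only this is correct, but the commit message should say so. This is the same pattern as the dropped `/dev/gnss_ipc` entry in PATCH 029.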
diff --git a/legacy/file_contexts b/legacy/file_contexts index 6d0c5cef..1a683e76 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -204,10 +204,6 @@ /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 -# modem_svc_sit files -/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 -/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 - # Kernel modules related /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts index 01de590b..e5ff5673 100644 --- a/legacy/genfs_contexts +++ b/legacy/genfs_contexts @@ -112,9 +112,6 @@ genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock # Display / LHBM (Local High Brightness Mode) genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_lhbm:s0 -# Modem -genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 - # Bluetooth genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 69acff6e..07ea9e8b 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -1,4 +1,5 @@ # Data +type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type radio_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 9a60b68e..4f32b619 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -5,6 +5,7 @@ /vendor/bin/vcd u:object_r:vcd_exec:s0 /vendor/bin/chre u:object_r:chre_exec:s0 /vendor/bin/cbd u:object_r:cbd_exec:s0 +/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 @@ -26,6 +27,7 @@ # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 +/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 # Persist /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 diff --git a/legacy/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te similarity index 91% rename from legacy/modem_svc_sit.te rename to whitechapel_pro/modem_svc_sit.te index eeba9976..0b872264 100644 --- a/legacy/modem_svc_sit.te +++ b/whitechapel_pro/modem_svc_sit.te @@ -5,9 +5,6 @@ init_daemon_domain(modem_svc_sit) hwbinder_use(modem_svc_sit) binder_call(modem_svc_sit, rild) -# Grant sysfs_modem access -allow modem_svc_sit sysfs_modem:file rw_file_perms; - # Grant radio device access allow modem_svc_sit radio_device:chr_file rw_file_perms; From 91d989bca4f4302b5313be43681e3b4fa4db508c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 2 Sep 2021 12:49:38 +0800 Subject: [PATCH 039/900] review mount and block devices Bug: 196916111 Test: make sure all path under ufs is labeled Change-Id: Ic3e07e7341f838f54c483ab8b272407a70f1f8f2 --- legacy/device.te | 1 - legacy/file_contexts | 34 -------------------- legacy/init.te | 12 ------- legacy/vold.te | 2 -- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 26 +++++++++++++++ whitechapel_pro/init.te | 13 ++++++++ {legacy => whitechapel_pro}/update_engine.te | 0 whitechapel_pro/vold.te | 3 ++ 9 files changed, 43 insertions(+), 49 deletions(-) rename {legacy => whitechapel_pro}/update_engine.te (100%) create mode 100644 whitechapel_pro/vold.te diff --git a/legacy/device.te b/legacy/device.te index 669892d6..16c05a07 100644 --- a/legacy/device.te 
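Review bot: `/data/vendor/modem_stat/debug\.txt` gets `modem_stat_data_file` but its parent `/data/vendor/modem_stat` is not labeled, so the directory keeps the generic `vendor_data_file` label and whichever domain creates `debug.txt` needs either a name-based type transition or write access to `vendor_data_file:dir`. If modem_svc_sit creates the file itself (I cannot see its data-file rules from here), labeling the directory as well, `/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0`, is the simpler and tighter option and also lets init create the directory with the right context. This entry is carried over from legacy unchanged, so the gap predates this commit.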
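Review bot: Dropping `allow modem_svc_sit sysfs_modem:file rw_file_perms;` together with the `sysfs_modem` type and the `cp-tm1/cp_temp` genfscon means any remaining modem-temperature read by modem_svc_sit on gs201 is now denied rather than relabeled, and the commit's test ("boot with modem_svc_sit started") does not exercise that path. If the gs201 kernel still exposes a cp_temp node, it needs a gs201 genfscon and a read-only rule in whitechapel_pro; if not, a short comment such as `# no sysfs_modem on gs201; cp_temp is not exposed` would record that the removal is deliberate. The rest of modem_svc_sit.te lies outside this hunk.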
+++ b/legacy/device.te @@ -10,7 +10,6 @@ type vendor_m2m1shot_device, dev_type; type vendor_nanohub_device, dev_type; type vendor_secmem_device, dev_type; type vendor_toe_device, dev_type; -type custom_ab_block_device, dev_type; # usbpd type logbuffer_device, dev_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 1a683e76..f3fd4f09 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -31,40 +31,6 @@
 #
 # Exynos Block Devices
 #
-/dev/block/platform/14700000\.ufs/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/fat u:object_r:fat_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vendor u:object_r:vendor_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dtb_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
 
 #
diff --git a/legacy/init.te b/legacy/init.te
index d61ea4bb..5b0f7a7b 100644
--- a/legacy/init.te
+++ b/legacy/init.te
@@ -1,15 +1,3 @@
-allow init custom_ab_block_device:lnk_file relabelto;
-
-# This is needed for chaining a boot partition vbmeta
-# descriptor, where init will probe the boot partition
-# to read the chained vbmeta in the first-stage, then
-# relabel /dev/block/by-name/boot_[a|b] to block_device
-# after loading sepolicy in the second stage.
-allow init boot_block_device:lnk_file relabelto;
-
-allow init persist_file:dir mounton;
-allow init modem_efs_file:dir mounton;
-allow init modem_userdata_file:dir mounton;
 allow init ram_device:blk_file w_file_perms;
 allow init per_boot_file:file ioctl;
 allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };
diff --git a/legacy/vold.te b/legacy/vold.te index ecea1946..79bec3d2 100644 --- a/legacy/vold.te +++ b/legacy/vold.te @@ -1,6 +1,4 @@ allow vold sysfs_scsi_devices_0000:file rw_file_perms; -allow vold modem_efs_file:dir rw_dir_perms; -allow vold modem_userdata_file:dir rw_dir_perms; dontaudit vold dumpstate:fifo_file rw_file_perms; dontaudit vold dumpstate:fd { use }; diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 5140108b..3b5feaf5 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -1,3 +1,4 @@ type sda_block_device, dev_type, bdev_type; type devinfo_block_device, dev_type, bdev_type; type modem_block_device, dev_type, bdev_type; +type custom_ab_block_device, dev_type, bdev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4f32b619..ca65d1a1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -21,8 +21,34 @@
 /dev/umts_router u:object_r:radio_device:s0
 /dev/socket/chre u:object_r:chre_socket:s0
 /dev/block/sda u:object_r:sda_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
 
 # Data
 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te
index d68103af..ed8fc1cf 100644
--- a/whitechapel_pro/init.te
+++ b/whitechapel_pro/init.te
@@ -1,3 +1,16 @@
 allow init modem_img_file:dir mounton;
 allow init mnt_vendor_file:dir mounton;
 allow init modem_img_file:filesystem { getattr mount relabelfrom };
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init persist_file:dir mounton;
+allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+
diff --git a/legacy/update_engine.te b/whitechapel_pro/update_engine.te
similarity index 100%
rename from legacy/update_engine.te
rename to whitechapel_pro/update_engine.te
diff --git a/whitechapel_pro/vold.te b/whitechapel_pro/vold.te
new file mode 100644
index 00000000..40da1b01
--- /dev/null
+++ b/whitechapel_pro/vold.te
@@ -0,0 +1,3 @@
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+
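Review bot: Compared with the legacy list this replaces, the gs201 table no longer labels `cache`, `fat`, `system`, `vendor`, `acpm_test_[ab]`, `dtb_[ab]`, `ect_test_[ab]`, `hypervisor_[ab]`, `keystorage_[ab]` and `reclaim_[ab]`; any of those names still present in the gs201 GPT falls back to the generic `/dev/block` label (`block_device`) and loses the per-partition type that the `custom_ab_block_device` split exists to provide, which matters most for `keystorage_[ab]` and `hypervisor_[ab]`. If they were intentionally removed from gs201, a comment such as `# gs201 has no cache/fat/hypervisor/keystorage/reclaim partitions` would document it; if not, the dropped entries need to come back. The "all path under ufs is labeled" test is easy to make mechanical: `ls -Z /dev/block/platform/14700000.ufs/by-name/ | grep -v _block_device` should print nothing.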
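Review bot: `allow init custom_ab_block_device:lnk_file relabelto;` arrives without a comment, unlike the `boot_block_device` rule beneath it that explains the vbmeta-chaining case; a line such as `# Let second-stage init restorecon the by-name symlinks of the gs201 bootloader/firmware partitions` (adjust if the real trigger differs) keeps the two rules readable side by side. The carried-over comment names `/dev/block/by-name/boot_[a|b]` while the file_contexts entry is `/dev/block/platform/14700000\.ufs/by-name/boot_[ab]`; aligning the path avoids a false lead when someone greps for it. The hunk also appends an empty line at end of file, which can be dropped.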
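Review bot: The two `rw_dir_perms` grants to vold on `modem_efs_file` and `modem_userdata_file` are moved in verbatim with no explanation of why vold needs write access to the modem EFS mount points (presumably to create or clean the mount-point directories when it checks/mounts these partitions — to be confirmed against the fstab). Because these hold modem calibration and persistent data, a comment documenting the reason, e.g. `# vold mounts efs/efs_backup/modem_userdata and must manage the mount-point dirs`, and a check whether `r_dir_perms` plus `mounton` would suffice, are worth doing while the file is new. The file also ends with an added blank line.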
From a90c8fe1b51e83f2d94226105fac887a2c06fd89 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 2 Sep 2021 13:24:46 +0800 Subject: [PATCH 040/900] review bootdevice_sysdev Bug: 196916111 Test: boot with bootdevice_sysdev labeled Change-Id: I938fe18718356bf4156bb55937528a1ca3e072fb --- legacy/file.te | 2 -- legacy/file_contexts | 5 ----- legacy/vendor_init.te | 1 - {legacy => whitechapel_pro}/bootdevice_sysdev.te | 0 whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/vendor_init.te | 2 ++ 7 files changed, 4 insertions(+), 8 deletions(-) rename {legacy => whitechapel_pro}/bootdevice_sysdev.te (100%) diff --git a/legacy/file.te b/legacy/file.te index f0920be4..4ceeeff7 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -70,8 +70,6 @@ type sysfs_scsi_devices_0000, sysfs_type, fs_type; type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; -type bootdevice_sysdev, dev_type; - # ZRam type per_boot_file, file_type, data_file_type, core_data_file_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index f3fd4f09..c93aa364 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -28,11 +28,6 @@ # Wireless charger HAL /(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 -# -# Exynos Block Devices -# -/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 - # # Exynos Devices # diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index 759fa83d..b2e53a88 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te @@ -12,7 +12,6 @@ set_prop(vendor_init, vendor_thermal_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; -allow vendor_init bootdevice_sysdev:file create_file_perms; userdebug_or_eng(` set_prop(vendor_init, logpersistd_logging_prop) 
diff --git a/legacy/bootdevice_sysdev.te b/whitechapel_pro/bootdevice_sysdev.te similarity index 100% rename from legacy/bootdevice_sysdev.te rename to whitechapel_pro/bootdevice_sysdev.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 07ea9e8b..ed9626b8 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -13,6 +13,7 @@ type vendor_fw_file, vendor_file_type, file_type; # sysfs type sysfs_chosen, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; +type bootdevice_sysdev, dev_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index ca65d1a1..c61ab7fd 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -19,6 +19,7 @@ /dev/umts_rfs0 u:object_r:radio_device:s0 /dev/umts_dm0 u:object_r:radio_device:s0 /dev/umts_router u:object_r:radio_device:s0 +/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 /dev/socket/chre u:object_r:chre_socket:s0 /dev/block/sda u:object_r:sda_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 4218745a..250d228e 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -1 +1,3 @@ +allow vendor_init bootdevice_sysdev:file create_file_perms; + set_prop(vendor_init, vendor_cbd_prop) From ff91ffd98ab2b31533a71fff4d3379378e9db067 Mon Sep 17 00:00:00 2001 
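Review bot: `type bootdevice_sysdev, dev_type;` is placed under the `# sysfs` heading next to `sysfs_type` types, but it is a `dev_type` for `/dev/sys/block/bootdevice`, which the file_contexts entry in the same commit confirms; a reader scanning for sysfs types will mis-file it. Either move it to the device types or annotate it, e.g. `# /dev/sys/block/bootdevice (init-created link into the UFS sysfs tree), hence dev_type not sysfs_type` — the "link into sysfs" part is my inference from the path and should be checked.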
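Review bot: `allow vendor_init bootdevice_sysdev:file create_file_perms;` grants create, unlink, rename and setattr on files under `/dev/sys/block/bootdevice`, which is wider than what an init .rc `write` to an existing block-device tunable needs; if vendor_init only writes nodes that already exist there (the usual case), `w_file_perms`, or `rw_file_perms` if it also reads them, is the least-privilege grant. A comment naming the consumer, e.g. `# vendor_init writes UFS tunables under /dev/sys/block/bootdevice from init.*.rc`, would tie the rule to the .rc lines that need it. The rule is carried over unchanged from legacy, so this is a chance to tighten rather than a regression.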
From: Adam Shih Date: Thu, 2 Sep 2021 14:48:13 +0800 Subject: [PATCH 041/900] review rfsd Bug: 198532074 Test: boot with rfsd started Change-Id: I183c75b5fad35eec56fbca693896c94f7a1ca410 --- legacy/file.te | 4 ---- legacy/file_contexts | 6 ------ whitechapel_pro/file.te | 2 ++ whitechapel_pro/file_contexts | 2 ++ {legacy => whitechapel_pro}/rfsd.te | 3 --- 5 files changed, 4 insertions(+), 13 deletions(-) rename {legacy => whitechapel_pro}/rfsd.te (93%) diff --git a/legacy/file.te b/legacy/file.te index 4ceeeff7..e55ad46a 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -3,10 +3,6 @@ type vendor_cbd_boot_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; -# Exynos Log Files -type vendor_log_file, file_type, data_file_type; -type vendor_rfsd_log_file, file_type, data_file_type; - # app data files type vendor_test_data_file, file_type, data_file_type; type vendor_telephony_data_file, file_type, data_file_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index c93aa364..cc277636 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -68,12 +68,6 @@ /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 -# -# Exynos Log Files -# -/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 -/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 - /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 # data files diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index ed9626b8..75fd4eed 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -1,4 +1,6 @@ # Data +type vendor_log_file, file_type, data_file_type; +type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type radio_vendor_data_file, file_type, data_file_type; 
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c61ab7fd..0787e3de 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -55,6 +55,8 @@ /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 +/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 +/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 # Persist /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 diff --git a/legacy/rfsd.te b/whitechapel_pro/rfsd.te similarity index 93% rename from legacy/rfsd.te rename to whitechapel_pro/rfsd.te index 2f7102fc..898e7fca 100644 --- a/legacy/rfsd.te +++ b/whitechapel_pro/rfsd.te @@ -2,9 +2,6 @@ type rfsd, domain; type rfsd_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(rfsd) -# Allow to setuid from root to radio -allow rfsd self:capability { chown setuid }; - # Allow to search block device and mnt dir for modem EFS partitions allow rfsd mnt_vendor_file:dir search; allow rfsd block_device:dir search; From 7295743ea69a3cdbf8d6d19eee26188f38463d1e Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Wed, 1 Sep 2021 18:57:17 +0800 Subject: [PATCH 042/900] Add file context for /dev/logbuffer_tcpm /dev/logbuffer_tcpm gets accessed by dumpstate while bugreport generation. (Port of ag/15019635) Bug: 189792358 Signed-off-by: Kyle Tso Change-Id: Id73f7c884f45364b5386a9fe13900cb94d914520 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 0787e3de..346eb110 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
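Review bot: Removing `allow rfsd self:capability { chown setuid };` is a real privilege reduction, but it only holds together if rfsd is now started as its service user from its init .rc (`user`/`group` lines) rather than starting as root and dropping privileges itself; the .rc is not part of this change, so please confirm, otherwise rfsd fails at setuid() in enforcing mode while "boot with rfsd started" may still pass if the test ran permissive. The deleted intent could be kept as `# rfsd runs as its service user from init; no setuid/chown capability needed`. The rest of rfsd.te, including its block-device and EFS rules, is outside this hunk.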
@@ -19,6 +19,7 @@ /dev/umts_rfs0 u:object_r:radio_device:s0 /dev/umts_dm0 u:object_r:radio_device:s0 /dev/umts_router u:object_r:radio_device:s0 +/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 /dev/socket/chre u:object_r:chre_socket:s0 /dev/block/sda u:object_r:sda_block_device:s0 From 18fb79d460f6f924d74da7f60b9c13e36c0b0af7 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 3 Sep 2021 11:01:26 +0800 Subject: [PATCH 043/900] review rild Bug: 198532074 Test: boot with rild started Change-Id: Ic29d2cbbb9691f1386c024d1438fdd050ef14b8f --- legacy/file.te | 3 --- legacy/file_contexts | 10 ---------- legacy/property.te | 2 -- legacy/property_contexts | 2 -- legacy/vendor_init.te | 2 -- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 4 ++++ whitechapel_pro/property.te | 1 + whitechapel_pro/property_contexts | 1 + {legacy => whitechapel_pro}/rild.te | 8 +------- whitechapel_pro/vendor_init.te | 1 + 11 files changed, 9 insertions(+), 26 deletions(-) rename {legacy => whitechapel_pro}/rild.te (78%) diff --git a/legacy/file.te b/legacy/file.te index e55ad46a..4d8c9e05 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -73,9 +73,6 @@ type per_boot_file, file_type, data_file_type, core_data_file_type; type proc_touch, proc_type, fs_type, mlstrustedobject; type sysfs_touch, sysfs_type, fs_type; -# RILD -type rild_vendor_data_file, file_type, data_file_type; - # TCP logging type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; diff --git a/legacy/file_contexts b/legacy/file_contexts index cc277636..675299d5 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
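Review bot: `/dev/logbuffer_tcpm` is mapped to `logbuffer_device`, but within this series that type is only visible as a declaration in `legacy/device.te` (under `# usbpd`, in the 039 hunk); if whitechapel_pro is meant to build without the legacy directory, `type logbuffer_device, dev_type;` and the dumpstate read rule have to move with it or the policy fails on an undeclared type. A comment tying the entry to its consumer, e.g. `# TCPM log buffer, read by dumpstate during bugreport`, would also help, since the commit message is currently the only place that says so.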
@@ -61,13 +61,6 @@ /dev/mali0 u:object_r:gpu_device:s0 /dev/s5p-smem u:object_r:vendor_secmem_device:s0 -# -# Exynos Daemon Exec -# -/(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 -/(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 -/(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 - /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 # data files @@ -213,9 +206,6 @@ # R4 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 -# RILD files -/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 - # Citadel StrongBox /dev/gsc0 u:object_r:citadel_device:s0 diff --git a/legacy/property.te b/legacy/property.te index 4a7c01c6..a66a947a 100644 --- a/legacy/property.te +++ b/legacy/property.te @@ -7,8 +7,6 @@ vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_secure_element_prop) # vendor defaults vendor_internal_prop(vendor_config_default_prop) -vendor_internal_prop(vendor_ro_config_default_prop) -vendor_internal_prop(vendor_sys_default_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_codec2_debug_prop) diff --git a/legacy/property_contexts b/legacy/property_contexts index ba12f0ef..7244e74b 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts @@ -26,8 +26,6 @@ persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 # vendor default vendor.config. u:object_r:vendor_config_default_prop:s0 -ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0 -vendor.sys. u:object_r:vendor_sys_default_prop:s0 ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0 diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index b2e53a88..94b7d9ec 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te 
@@ -3,9 +3,7 @@ set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_slog_prop) -set_prop(vendor_init, vendor_sys_default_prop) set_prop(vendor_init, vendor_ssrdump_prop) -set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) set_prop(vendor_init, vendor_thermal_prop) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 75fd4eed..923cdc62 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -1,4 +1,5 @@ # Data +type rild_vendor_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 346eb110..72ce51e6 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -6,6 +6,9 @@ /vendor/bin/chre u:object_r:chre_exec:s0 /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 +/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 +/vendor/bin/rfsd u:object_r:rfsd_exec:s0 +/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 @@ -58,6 +61,7 @@ /data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 +/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 # Persist /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index b9298425..3c806615 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te 
@@ -4,4 +4,5 @@ vendor_internal_prop(vendor_modem_prop) vendor_internal_prop(vendor_persist_config_default_prop) vendor_internal_prop(vendor_cbd_prop) vendor_internal_prop(vendor_rild_prop) +vendor_internal_prop(vendor_carrier_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 8184dcae..f2af0320 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -26,5 +26,6 @@ persist.vendor.ril. u:object_r:vendor_rild_prop:s0 vendor.ril. u:object_r:vendor_rild_prop:s0 vendor.radio.ril. u:object_r:vendor_rild_prop:s0 vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 +ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0 diff --git a/legacy/rild.te b/whitechapel_pro/rild.te similarity index 78% rename from legacy/rild.te rename to whitechapel_pro/rild.te index 5dab0eff..5f049d0c 100644 --- a/legacy/rild.te +++ b/whitechapel_pro/rild.te @@ -1,8 +1,5 @@ set_prop(rild, vendor_rild_prop) - -get_prop(rild, vendor_persist_config_default_prop) -get_prop(rild, vendor_ro_config_default_prop) -set_prop(rild, vendor_sys_default_prop) +get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) @@ -20,10 +17,7 @@ r_dir_file(rild, modem_img_file) binder_call(rild, bipchmgr) binder_call(rild, gpsd) binder_call(rild, hal_audio_default) -binder_call(rild, hal_secure_element_default) -binder_call(rild, platform_app) binder_call(rild, modem_svc_sit) -binder_call(rild, vendor_ims_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 250d228e..f0c6b6bf 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -1,3 +1,4 @@ allow vendor_init bootdevice_sysdev:file create_file_perms; +set_prop(vendor_init, vendor_carrier_prop) set_prop(vendor_init, vendor_cbd_prop) 
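Review bot: `ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0` is a prefix entry, so it also labels any future `ro.vendor.config.build_carrier*` property; for a single read-only value consumed by rild, declare it exactly and typed, `ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 exact string`, which the property_contexts format supports. Separately, the same commit removes the `ro.vendor.config.` and `vendor.sys.` prefix entries from legacy/property_contexts without re-adding them here, so any other property under those prefixes still set by a gs201 .rc loses its dedicated type; a quick grep of the device .rc files for those prefixes would confirm nothing else depends on them.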
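Review bot: `binder_call(rild, hal_secure_element_default)` is dropped here, but the next commit in the series (044) splits that HAL into `hal_secure_element_gto`, `hal_secure_element_gto_ese2` and `hal_secure_element_uicc`, and its denial log shows `hal_secure_element_uicc` looking up `hal_exynos_rild_hwservice`; if the UICC SE HAL still talks to rild, rild needs the reverse-direction `binder_call(rild, hal_secure_element_uicc)` for callbacks and fd/handle transfers, or this removal should be stated as intentional. A short comment above the binder_call block listing which vendor clients rild serves and why would make these grants easier to audit the next time one is removed. rild.te continues beyond this hunk (the `add_hwservice` block at the end is visible).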
From b05c0902ad23a617c5e9c6ba33fb0126b25bbff2 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Fri, 3 Sep 2021 11:24:45 +0800 Subject: [PATCH 044/900] refactor hal_secure_element 01-01 20:00:07.579 419 419 E SELinux : avc: denied { find } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_gto_ese2:s0 pid=748 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1 01-01 20:00:07.595 419 419 E SELinux : avc: denied { add } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_gto_ese2:s0 pid=748 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1 01-01 20:00:07.596 419 419 E SELinux : avc: denied { add } for interface=android.hidl.base::IBase sid=u:r:hal_secure_element_gto_ese2:s0 pid=748 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:hidl_base_hwservice:s0 tclass=hwservice_manager permissive=1 01-01 20:00:07.597 419 419 E SELinux : avc: denied { find } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_gto:s0 pid=749 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1 01-01 20:00:07.597 419 419 E SELinux : avc: denied { find } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_uicc:s0 pid=750 scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1 01-01 20:00:07.599 419 419 E SELinux : avc: denied { add } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_uicc:s0 pid=750 scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1 01-01 20:00:07.600 419 419 E SELinux : avc: denied { add } for interface=android.hidl.base::IBase sid=u:r:hal_secure_element_uicc:s0 
pid=750 scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:object_r:hidl_base_hwservice:s0 tclass=hwservice_manager permissive=1 01-01 20:00:07.601 419 419 E SELinux : avc: denied { add } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_gto:s0 pid=749 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1 01-01 20:00:07.602 419 419 E SELinux : avc: denied { add } for interface=android.hidl.base::IBase sid=u:r:hal_secure_element_gto:s0 pid=749 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:hidl_base_hwservice:s0 tclass=hwservice_manager permissive=1 09-03 10:51:44.574 419 419 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:hal_secure_element_uicc:s0 pid=750 scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=1 Bug: 198713948 Test: boot with secure_element started Change-Id: Ie79b80f3c0fbe21c898e6a67384d98a2cc282f93 Change-Id: I14d9f01b6ef901fd87e8927d691ce96a9b174ed3 --- legacy/file_contexts | 9 -- legacy/hal_secure_element_default.te | 10 -- whitechapel_pro/file_contexts | 129 +++++++++--------- whitechapel_pro/hal_secure_element_gto.te | 5 + .../hal_secure_element_gto_ese2.te | 5 + whitechapel_pro/hal_secure_element_uicc.te | 5 + 6 files changed, 82 insertions(+), 81 deletions(-) delete mode 100644 legacy/hal_secure_element_default.te create mode 100644 whitechapel_pro/hal_secure_element_gto.te create mode 100644 whitechapel_pro/hal_secure_element_gto_ese2.te create mode 100644 whitechapel_pro/hal_secure_element_uicc.te diff --git a/legacy/file_contexts b/legacy/file_contexts index 675299d5..5736d18b 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -160,15 +160,6 @@ /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 -# SecureElement -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st u:object_r:hal_secure_element_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_default_exec:s0 -/dev/st54j_se u:object_r:secure_element_device:s0 -/dev/st54spi u:object_r:secure_element_device:s0 -/dev/st33spi u:object_r:secure_element_device:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0 - # Bluetooth /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 /dev/wbrc u:object_r:wb_coexistence_dev:s0 diff --git a/legacy/hal_secure_element_default.te b/legacy/hal_secure_element_default.te deleted file mode 100644 index dc048746..00000000 --- a/legacy/hal_secure_element_default.te +++ /dev/null @@ -1,10 +0,0 @@ -allow hal_secure_element_default secure_element_device:chr_file rw_file_perms; -allow hal_secure_element_default nfc_device:chr_file rw_file_perms; -set_prop(hal_secure_element_default, vendor_secure_element_prop) -set_prop(hal_secure_element_default, vendor_nfc_prop) -set_prop(hal_secure_element_default, vendor_modem_prop) - -# Allow hal_secure_element_default to access rild -binder_call(hal_secure_element_default, rild); -allow hal_secure_element_default hal_exynos_rild_hwservice:hwservice_manager find; - diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 72ce51e6..b94c9496 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -1,73 +1,78 @@
 # Binaries
-/vendor/bin/dmd u:object_r:dmd_exec:s0
-/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
-/vendor/bin/sced u:object_r:sced_exec:s0
-/vendor/bin/vcd u:object_r:vcd_exec:s0
-/vendor/bin/chre u:object_r:chre_exec:s0
-/vendor/bin/cbd u:object_r:cbd_exec:s0
-/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
-/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
-/vendor/bin/rfsd u:object_r:rfsd_exec:s0
-/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+/vendor/bin/dmd u:object_r:dmd_exec:s0
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+/vendor/bin/sced u:object_r:sced_exec:s0
+/vendor/bin/vcd u:object_r:vcd_exec:s0
+/vendor/bin/chre u:object_r:chre_exec:s0
+/vendor/bin/cbd u:object_r:cbd_exec:s0
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/vendor/bin/rfsd u:object_r:rfsd_exec:s0
+/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 # Vendor Firmwares
-/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
+/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 # Devices
-/dev/ttyGS[0-3] u:object_r:serial_device:s0
-/dev/oem_ipc[0-7] u:object_r:radio_device:s0
-/dev/umts_boot0 u:object_r:radio_device:s0
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_ipc1 u:object_r:radio_device:s0
-/dev/umts_rfs0 u:object_r:radio_device:s0
-/dev/umts_dm0 u:object_r:radio_device:s0
-/dev/umts_router u:object_r:radio_device:s0
-/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
-/dev/sys/block/bootdevice(/.*)? 
u:object_r:bootdevice_sysdev:s0
-/dev/socket/chre u:object_r:chre_socket:s0
-/dev/block/sda u:object_r:sda_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 
-/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/st54spi u:object_r:secure_element_device:s0
+/dev/st33spi u:object_r:secure_element_device:s0
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
+/dev/sys/block/bootdevice(/.*)? 
u:object_r:bootdevice_sysdev:s0
+/dev/socket/chre u:object_r:chre_socket:s0
+/dev/block/sda u:object_r:sda_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 
+/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
 # Data
-/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
-/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
-/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
-/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
-/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
-/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
+/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
 # Persist
-/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
 # Extra mount images
-/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
-/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_userdata(/.*)? 
u:object_r:modem_userdata_file:s0
diff --git a/whitechapel_pro/hal_secure_element_gto.te b/whitechapel_pro/hal_secure_element_gto.te
new file mode 100644
index 00000000..c7724c7c
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_gto.te
@@ -0,0 +1,5 @@
+type hal_secure_element_gto, domain;
+type hal_secure_element_gto_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_gto, hal_secure_element)
+init_daemon_domain(hal_secure_element_gto)
diff --git a/whitechapel_pro/hal_secure_element_gto_ese2.te b/whitechapel_pro/hal_secure_element_gto_ese2.te
new file mode 100644
index 00000000..678810a4
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_gto_ese2.te
@@ -0,0 +1,5 @@
+type hal_secure_element_gto_ese2, domain;
+type hal_secure_element_gto_ese2_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_gto_ese2, hal_secure_element)
+init_daemon_domain(hal_secure_element_gto_ese2)
diff --git a/whitechapel_pro/hal_secure_element_uicc.te b/whitechapel_pro/hal_secure_element_uicc.te
new file mode 100644
index 00000000..6e953cdd
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_uicc.te
@@ -0,0 +1,5 @@
+type hal_secure_element_uicc, domain;
+type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_uicc, hal_secure_element)
+init_daemon_domain(hal_secure_element_uicc)
From 98ebd6e7f19ff9bffe85c5b8e2abcd1dde5c61ae Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 3 Sep 2021 13:21:08 +0800 Subject: [PATCH 045/900] review tee Bug: 198723116 Test: boot with tee started Change-Id: Ib50698834d16887fa00bdbbaf81801f1067909ba --- legacy/file_contexts | 5 ----- whitechapel_pro/device.te | 1 + whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 5 +++++ legacy/storageproxyd.te => whitechapel_pro/tee.te | 8 ++++---- 5 files changed, 11 insertions(+), 9 deletions(-) rename legacy/storageproxyd.te => whitechapel_pro/tee.te (51%)
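Review bot: Two labels removed from legacy/file_contexts in this commit have no counterpart in the whitechapel_pro hunk: `/dev/st54j_se u:object_r:secure_element_device:s0` and the `android\.hardware\.secure_element@1\.2-service\.st` binary mapping, while `/dev/st54spi` and `/dev/st33spi` were carried over. If either node or binary exists on gs201 it now falls back to the generic label, so the new hal_secure_element_* domains would be denied on the device node and init could not start the binary in a dedicated domain. If both are intentionally gone on this SoC, a one-line note in the commit message would save the next reader the comparison. The remaining minus/plus pairs in the hunk appear to differ only in column alignment.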
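Review bot: hal_secure_element_gto gets only its type declarations plus hal_server_domain/init_daemon_domain, and the same holds for hal_secure_element_gto_ese2 and hal_secure_element_uicc in the next two hunks; the device, nfc_device and set_prop access the deleted legacy domain carried (`allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;` and friends) is not re-granted to any of the three, and the `find` on hal_exynos_rild_hwservice that the commit message's own avc log shows for hal_secure_element_uicc is not granted either. Every denial quoted in the message was recorded with permissive=1, so the stated boot test would not have surfaced these gaps in enforcing mode. If the split is meant to land first and the per-domain rules later, a `# TODO(b/198713948)` line in each file would make that explicit; otherwise the uicc file at least needs `allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;` and the two gto domains the chr_file rule on secure_element_device.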
diff --git a/legacy/file_contexts b/legacy/file_contexts
index 5736d18b..e88e04a9 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -173,15 +173,10 @@
 # Trusty
 /vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0
-/vendor/bin/storageproxyd u: object_r:tee_exec:s0
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
-/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
-/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
-/mnt/vendor/persist/ss(/.*)? u:object_r:tee_data_file:s0
-/dev/sg1 u:object_r:sg_device:s0
 /dev/trusty-log0 u:object_r:logbuffer_device:s0
 # Battery
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 3b5feaf5..5a8323e1 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -2,3 +2,4 @@ type sda_block_device, dev_type, bdev_type;
 type devinfo_block_device, dev_type, bdev_type;
 type modem_block_device, dev_type, bdev_type;
 type custom_ab_block_device, dev_type, bdev_type;
+type sg_device, dev_type;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 923cdc62..8391c9a7 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -24,6 +24,7 @@ allow modem_img_file self:filesystem associate;
 # persist
 type persist_modem_file, file_type, vendor_persist_type;
+type persist_ss_file, file_type, vendor_persist_type;
 # CHRE
 type chre_socket, file_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index b94c9496..e27fb544 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -12,11 +12,14 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 # Devices
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/sg1 u:object_r:sg_device:s0
 /dev/st54spi u:object_r:secure_element_device:s0
 /dev/st33spi u:object_r:secure_element_device:s0
 /dev/ttyGS[0-3] u:object_r:serial_device:s0
@@ -67,9 +70,11 @@
 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
 # Persist
 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
 # Extra mount images
 /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
diff --git a/legacy/storageproxyd.te b/whitechapel_pro/tee.te
similarity index 51%
rename from legacy/storageproxyd.te
rename to whitechapel_pro/tee.te
index 315300c2..edce5e1f 100644
--- a/legacy/storageproxyd.te
+++ b/whitechapel_pro/tee.te
@@ -1,9 +1,9 @@
-type sg_device, dev_type;
-type persist_ss_file, file_type, vendor_persist_type;
+# Handle wake locks
+wakelock_use(tee)
-allow tee persist_ss_file:dir r_dir_perms;
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
 allow tee persist_file:dir r_dir_perms;
 allow tee mnt_vendor_file:dir r_dir_perms;
 allow tee tee_data_file:lnk_file r_file_perms;
 allow tee sg_device:chr_file rw_file_perms;
-allow tee self:capability { setgid setuid };
From 6f97e91778e1e0823bc69130ffe779684841cfa3 Mon Sep 17 00:00:00 2001 
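Review bot: The two new rules `allow tee persist_ss_file:file create_file_perms;` and `allow tee persist_ss_file:dir create_dir_perms;` are now the whole of tee's write access to /mnt/vendor/persist/ss, because the whitechapel_pro file_contexts hunk in this same commit relabels that path from tee_data_file to the new persist_ss_file (vendor_persist_type), yet nothing in the file says what lives there or why a TEE proxy needs create rights on the persist partition. A comment above them, such as `# storageproxyd (tee_exec) keeps its persistent backing store under /mnt/vendor/persist/ss`, would give the next reader the reason. The removal of `allow tee self:capability { setgid setuid };` is a genuine privilege reduction rather than a move and deserves a sentence in the commit message.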
From: Adam Shih Date: Mon, 6 Sep 2021 10:59:10 +0800 Subject: [PATCH 046/900] review init.radio.sh Bug: 198532074 Test: boot with init.radio.sh started Change-Id: Ieb47925b319866cc648e4de9b34fc3153ba1717b --- legacy/file_contexts | 3 --- whitechapel_pro/file_contexts | 1 + {legacy => whitechapel_pro}/init_radio.te | 0 3 files changed, 1 insertion(+), 3 deletions(-) rename {legacy => whitechapel_pro}/init_radio.te (100%)
diff --git a/legacy/file_contexts b/legacy/file_contexts
index e88e04a9..fda25170 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -223,9 +223,6 @@
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
-# ECC List
-/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
-
 # Zram
 /data/per_boot(/.*)? u:object_r:per_boot_file:s0
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index e27fb544..3dd754e7 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -13,6 +13,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/legacy/init_radio.te b/whitechapel_pro/init_radio.te
similarity index 100%
rename from legacy/init_radio.te
rename to whitechapel_pro/init_radio.te
From 2fc26d0a5ed627aa1f54119faee80417f4f1b210 Mon Sep 17 00:00:00 2001 
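Review bot: The `# ECC List` comment that explained init.radio.sh in legacy/file_contexts was dropped when the entry moved, so in whitechapel_pro/file_contexts the new `/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0` line sits under `# Binaries` between storageproxyd and the firmware block with nothing saying what the script is for. Keeping `# ECC List` directly above it preserves that context at no cost. init_radio.te itself is a 100% rename, so nothing else in this commit needs a look.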
From: Adam Shih Date: Mon, 6 Sep 2021 11:24:37 +0800 Subject: [PATCH 047/900] refactor ims app Bug: 198532074 Test: boot with those apps labeled correctly Change-Id: I15c559551b7af8a9688b4e489b6daeba032da308 --- legacy/seapp_contexts | 5 ----- legacy/vendor_ims_app.te | 15 --------------- whitechapel_pro/seapp_contexts | 7 +++++++ whitechapel_pro/vendor_ims_app.te | 4 ++++ whitechapel_pro/vendor_ims_remote_app.te | 4 ++++ whitechapel_pro/vendor_qualifiednetworks_app.te | 4 ++++ whitechapel_pro/vendor_rcs_app.te | 4 ++++ whitechapel_pro/vendor_rcs_service_app.te | 4 ++++ 8 files changed, 27 insertions(+), 20 deletions(-) delete mode 100644 legacy/vendor_ims_app.te create mode 100644 whitechapel_pro/vendor_ims_app.te create mode 100644 whitechapel_pro/vendor_ims_remote_app.te create mode 100644 whitechapel_pro/vendor_qualifiednetworks_app.te create mode 100644 whitechapel_pro/vendor_rcs_app.te create mode 100644 whitechapel_pro/vendor_rcs_service_app.te
diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts
index 1c0232c3..79931cd9 100644
--- a/legacy/seapp_contexts
+++ b/legacy/seapp_contexts
@@ -1,8 +1,3 @@
-# Samsung S.LSI IMS
-user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
-user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all
-user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all
-
 # coredump/ramdump
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
diff --git a/legacy/vendor_ims_app.te b/legacy/vendor_ims_app.te
deleted file mode 100644
index d2e671c3..00000000
--- a/legacy/vendor_ims_app.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type vendor_ims_app, domain;
-app_domain(vendor_ims_app)
-
-allow vendor_ims_app app_api_service:service_manager find;
-allow vendor_ims_app audioserver_service:service_manager find;
-
-allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
-allow vendor_ims_app radio_service:service_manager find;
-
-allow vendor_ims_app mediaserver_service:service_manager find;
-allow vendor_ims_app cameraserver_service:service_manager find;
-
-binder_call(vendor_ims_app, rild)
-set_prop(vendor_ims_app, vendor_rild_prop)
-set_prop(vendor_ims_app, radio_prop)
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 5ff59d87..4fdd3b55 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -1,3 +1,10 @@
+# Samsung S.LSI IMS
+user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
+
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te
new file mode 100644
index 00000000..99e52b27
--- /dev/null
+++ b/whitechapel_pro/vendor_ims_app.te
@@ -0,0 +1,4 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+
+allow vendor_ims_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_ims_remote_app.te b/whitechapel_pro/vendor_ims_remote_app.te
new file mode 100644
index 00000000..f5d3846e
--- /dev/null
+++ b/whitechapel_pro/vendor_ims_remote_app.te
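Review bot: The five new entries match on `isPrivApp=true name=com.shannon...` alone with no `seinfo=`, whereas the neighbouring `com.google.mds` entry in this file also pins its domain to a signing certificate via `seinfo=mds`. A name-only rule hands the vendor_ims_app, vendor_ims_remote_app, vendor_qualifiednetworks_app, vendor_rcs_app and vendor_rcs_service_app domains to whichever priv-app carries that package name; adding an `seinfo=` value backed by a mac_permissions.xml signer entry for the S.LSI certificate would tie the domains to the signer as well. The legacy entries had the same shape, so this is inherited rather than introduced, but the move is a natural point to fix it; the `com.google.android.grilservice` entry added to this file in the later hal_radioext_default commit has the same gap. Note also that the two `com.shannon.rcsservice` entries have no legacy counterpart, so this commit introduces two domains rather than only splitting one, which the title "refactor ims app" does not convey.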
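Review bot: vendor_ims_app keeps only `allow vendor_ims_app app_api_service:service_manager find;` of the rule set the deleted legacy/vendor_ims_app.te had (the radio_service, audioserver_service, mediaserver_service and cameraserver_service lookups, the hal_exynos_rild_hwservice find, `binder_call(vendor_ims_app, rild)` and the two set_prop calls), and the four sibling files that follow are the same four lines with the domain name swapped. Since the commit message only reports that the apps are labeled correctly, it is not clear whether those rules were found unnecessary or are expected to reappear; a sentence in the message, or a `# TODO(b/198532074)` in the file, would record which. If the five domains are meant to stay identical, a single macro in the project's te_macros would keep them from drifting apart.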
@@ -0,0 +1,4 @@
+type vendor_ims_remote_app, domain;
+app_domain(vendor_ims_remote_app)
+
+allow vendor_ims_remote_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_qualifiednetworks_app.te b/whitechapel_pro/vendor_qualifiednetworks_app.te
new file mode 100644
index 00000000..1a18a8a7
--- /dev/null
+++ b/whitechapel_pro/vendor_qualifiednetworks_app.te
@@ -0,0 +1,4 @@
+type vendor_qualifiednetworks_app, domain;
+app_domain(vendor_qualifiednetworks_app)
+
+allow vendor_qualifiednetworks_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_rcs_app.te b/whitechapel_pro/vendor_rcs_app.te
new file mode 100644
index 00000000..f8de9376
--- /dev/null
+++ b/whitechapel_pro/vendor_rcs_app.te
@@ -0,0 +1,4 @@
+type vendor_rcs_app, domain;
+app_domain(vendor_rcs_app)
+
+allow vendor_rcs_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_rcs_service_app.te b/whitechapel_pro/vendor_rcs_service_app.te
new file mode 100644
index 00000000..3876d895
--- /dev/null
+++ b/whitechapel_pro/vendor_rcs_service_app.te
@@ -0,0 +1,4 @@
+type vendor_rcs_service_app, domain;
+app_domain(vendor_rcs_service_app)
+
+allow vendor_rcs_service_app app_api_service:service_manager find;
From aef3b66218d6f73c1f14ef8569cc33e2991bdb10 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 6 Sep 2021 11:31:36 +0800 Subject: [PATCH 048/900] review con_monitor bug: 198532074 Test: boot with the app labeled Change-Id: I1d268c292603aabb25e5e626f442b39a7ad7b4e7 --- legacy/seapp_contexts | 3 --- {legacy => whitechapel_pro}/con_monitor.te | 0 whitechapel_pro/seapp_contexts | 3 +++ 3 files changed, 3 insertions(+), 3 deletions(-) rename {legacy => whitechapel_pro}/con_monitor.te (100%)
diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts
index 79931cd9..3033a973 100644
--- a/legacy/seapp_contexts
+++ b/legacy/seapp_contexts
@@ -14,9 +14,6 @@ user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_in
 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
 # RIL Config Service
 user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
diff --git a/legacy/con_monitor.te b/whitechapel_pro/con_monitor.te
similarity index 100%
rename from legacy/con_monitor.te
rename to whitechapel_pro/con_monitor.te
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 4fdd3b55..ca109ea3 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -5,6 +5,9 @@ user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor
 user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
From 948098bcd63f958c7db5d4a291f575b291fb2105 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 8 Sep 2021 10:52:40 +0800 Subject: [PATCH 049/900] review hal_radioext_default Bug: 198532074 Test: boot with hal_radioext_default started Change-Id: I083fd55749f0d82cabe527e7fa611ad2633d0ecd --- legacy/file.te | 1 - legacy/genfs_contexts | 6 ------ legacy/grilservice_app.te | 4 ---- legacy/hwservice.te | 3 --- legacy/hwservice_contexts | 3 --- legacy/seapp_contexts | 3 --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/grilservice_app.te | 4 ++++ {legacy => whitechapel_pro}/hal_radioext_default.te | 3 --- whitechapel_pro/hwservice.te | 3 +++ whitechapel_pro/hwservice_contexts | 3 +++ whitechapel_pro/seapp_contexts | 3 +++ 13 files changed, 18 insertions(+), 23 deletions(-) create mode 100644 whitechapel_pro/grilservice_app.te rename {legacy => whitechapel_pro}/hal_radioext_default.te (80%)
diff --git a/legacy/file.te b/legacy/file.te
index 4d8c9e05..f2726328 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -85,7 +85,6 @@ type vendor_camera_tuning_file, vendor_file_type, file_type;
 type vendor_camera_data_file, file_type, data_file_type;
 # Display
-type sysfs_display, sysfs_type, fs_type;
 type persist_display_file, file_type, vendor_persist_type;
 # Backlight
diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts
index e5ff5673..cbc266d7 100644
--- a/legacy/genfs_contexts
+++ b/legacy/genfs_contexts
@@ -102,12 +102,6 @@ genfscon proc /fts/driver_test
 genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
-# Display
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
-
 # TODO(b/184768835): remove this once the bug is fixed
 # Display / LHBM (Local High Brightness Mode)
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_lhbm:s0
diff --git a/legacy/grilservice_app.te b/legacy/grilservice_app.te
index 50ff22a5..7c059ff3 100644
--- a/legacy/grilservice_app.te
+++ b/legacy/grilservice_app.te
@@ -1,7 +1,3 @@
-type grilservice_app, domain;
-app_domain(grilservice_app)
-
-allow grilservice_app app_api_service:service_manager find;
 allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
 allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
 allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
diff --git a/legacy/hwservice.te b/legacy/hwservice.te
index eb8e6211..b72da6e8 100644
--- a/legacy/hwservice.te
+++ b/legacy/hwservice.te
@@ -4,9 +4,6 @@ type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type;
 # rild service
 type hal_exynos_rild_hwservice, hwservice_manager_type;
-# GRIL service
-type hal_radioext_hwservice, hwservice_manager_type;
-
 # WLC
 type hal_wlc_hwservice, hwservice_manager_type;
diff --git a/legacy/hwservice_contexts b/legacy/hwservice_contexts
index d9777f05..901c6af8 100644
--- a/legacy/hwservice_contexts
+++ b/legacy/hwservice_contexts
@@ -6,9 +6,6 @@ vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_conf
 android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
 android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
-# GRIL HAL
-vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
-
 # Wireless charger hal
 vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts
index 3033a973..7a003c90 100644
--- a/legacy/seapp_contexts
+++ b/legacy/seapp_contexts
@@ -2,9 +2,6 @@
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-# grilservice
-user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
-
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 8391c9a7..e12181d1 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -17,6 +17,7 @@ type vendor_fw_file, vendor_file_type, file_type;
 type sysfs_chosen, sysfs_type, fs_type;
 type sysfs_ota, sysfs_type, fs_type;
 type bootdevice_sysdev, dev_type;
+type sysfs_display, sysfs_type, fs_type;
 # vendor extra images
 type modem_img_file, contextmount_type, file_type, vendor_file_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index cd5986d7..3cd39732 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -3,3 +3,7 @@ genfscon sysfs /firmware/devicetree/base/chosen u
 # OTA
 genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
+# Display
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+
diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te
new file mode 100644
index 00000000..0a090cd4
--- /dev/null
+++ b/whitechapel_pro/grilservice_app.te
@@ -0,0 +1,4 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app app_api_service:service_manager find;
diff --git a/legacy/hal_radioext_default.te b/whitechapel_pro/hal_radioext_default.te
similarity index 80%
rename from legacy/hal_radioext_default.te
rename to whitechapel_pro/hal_radioext_default.te
index eef71cf6..a5a0f3e8 100644
--- a/legacy/hal_radioext_default.te
+++ b/whitechapel_pro/hal_radioext_default.te
@@ -7,7 +7,6 @@ get_prop(hal_radioext_default, hwservicemanager_prop)
 add_hwservice(hal_radioext_default, hal_radioext_hwservice)
 binder_call(hal_radioext_default, grilservice_app)
-binder_call(hal_radioext_default, hal_bluetooth_btlinux)
 # RW /dev/oem_ipc0
 allow hal_radioext_default radio_device:chr_file rw_file_perms;
@@ -17,5 +16,3 @@ allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
 allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
 allow hal_radioext_default sysfs_display:file rw_file_perms;
-# Bluetooth
-allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
diff --git a/whitechapel_pro/hwservice.te b/whitechapel_pro/hwservice.te
index f6d18508..9c041ba7 100644
--- a/whitechapel_pro/hwservice.te
+++ b/whitechapel_pro/hwservice.te
@@ -1,3 +1,6 @@
 # dmd servcie
 type hal_vendor_oem_hwservice, hwservice_manager_type;
+# GRIL service
+type hal_radioext_hwservice, hwservice_manager_type;
+
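Review bot: Only the `1c2c0000.drmdsim` gamma and hs_clock nodes are re-added here, while the legacy/genfs_contexts hunk in this same commit removed four entries, including the `1c2d0000.drmdsim` pair. If gs201 drives a second DSI controller, its gamma and hs_clock nodes now keep the default sysfs label and the unchanged `allow hal_radioext_default sysfs_display:file rw_file_perms;` in the renamed hal_radioext_default.te will not reach them; if the second controller does not exist on this SoC, a note in the commit message would make the intentional drop visible. The final `+` line adds an empty line at end of file and can go.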
diff --git a/whitechapel_pro/hwservice_contexts b/whitechapel_pro/hwservice_contexts
index f89299c1..6453a566 100644
--- a/whitechapel_pro/hwservice_contexts
+++ b/whitechapel_pro/hwservice_contexts
@@ -3,3 +3,6 @@ vendor.samsung_slsi.telephony.hardware.oemservice::IOemService
 # rild HAL
 vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
+
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index ca109ea3..d72e7744 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -5,6 +5,9 @@ user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor
 user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
+# grilservice
+user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
From 89923acb041b9978f618ec7fe60754a06f83bc17 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Sep 2021 11:27:34 +0800 Subject: [PATCH 050/900] review radio app Bug: 198532074 Test: boot with app correctly labeled Change-Id: Iba1f5c949052fafca8e629aba24484a7705f3f21 --- legacy/ril_config_service.te | 10 ---------- legacy/seapp_contexts | 6 ------ {legacy => whitechapel_pro}/omadm.te | 0 whitechapel_pro/seapp_contexts | 3 +++ 4 files changed, 3 insertions(+), 16 deletions(-) delete mode 100644 legacy/ril_config_service.te rename {legacy => whitechapel_pro}/omadm.te (100%)
diff --git a/legacy/ril_config_service.te b/legacy/ril_config_service.te
deleted file mode 100644
index 0ac43317..00000000
--- a/legacy/ril_config_service.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type ril_config_service_app, domain;
-app_domain(ril_config_service_app)
-
-set_prop(ril_config_service_app, vendor_rild_prop)
-allow ril_config_service_app app_api_service:service_manager find;
-allow ril_config_service_app radio_service:service_manager find;
-allow ril_config_service_app radio_vendor_data_file:dir rw_dir_perms;
-allow ril_config_service_app radio_vendor_data_file:file create_file_perms;
-dontaudit ril_config_service_app system_data_file:dir search;
-dontaudit ril_config_service_app user_profile_root_file:dir search;
diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts
index 7a003c90..ec52bba8 100644
--- a/legacy/seapp_contexts
+++ b/legacy/seapp_contexts
@@ -8,12 +8,6 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app
 # Hardware Info Collection
 user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
-# Domain for omadm
-user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
-
-# RIL Config Service
-user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
-
 # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
 user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
diff --git a/legacy/omadm.te b/whitechapel_pro/omadm.te
similarity index 100%
rename from legacy/omadm.te
rename to whitechapel_pro/omadm.te
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index d72e7744..33935a17 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -5,6 +5,9 @@ user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all +# Domain for omadm +user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all + # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all From 95cc78f00429992bc1f2283d991ec7ba92897d4f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Sep 2021 12:17:23 +0800 Subject: [PATCH 051/900] review ofl_app Bug: 198532074 Test: boot with ofl app labeled correctly Change-Id: Ic00207c063e6c8771c2c6b077169ae1d25c77225 --- legacy/seapp_contexts | 3 --- {legacy => whitechapel_pro}/ofl_app.te | 0 whitechapel_pro/seapp_contexts | 3 +++ 3 files changed, 3 insertions(+), 3 deletions(-) rename {legacy => whitechapel_pro}/ofl_app.te (100%) diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts index ec52bba8..a30552b7 100644 --- a/legacy/seapp_contexts +++ b/legacy/seapp_contexts @@ -8,8 +8,5 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app # Hardware Info Collection user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user -# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade -user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user - # Qorvo UWB system app user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all diff --git a/legacy/ofl_app.te b/whitechapel_pro/ofl_app.te similarity index 100% rename from legacy/ofl_app.te rename to whitechapel_pro/ofl_app.te 
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 33935a17..520cbf12 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -5,6 +5,9 @@ user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all +# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade +user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user + # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all From cf1ea7aad54c3b7aadc77392c816cda3380d0fb1 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Sep 2021 12:34:14 +0800 Subject: [PATCH 052/900] review block devices Bug: 196916111 Test: boot with those partition mounted with no avc error Change-Id: I6248be92d19abf37f5b901aa6101436832813f42 --- legacy/device.te | 3 --- whitechapel_pro/device.te | 3 +++ {legacy => whitechapel_pro}/e2fs.te | 0 {legacy => whitechapel_pro}/fsck.te | 0 4 files changed, 3 insertions(+), 3 deletions(-) rename {legacy => whitechapel_pro}/e2fs.te (100%) rename {legacy => whitechapel_pro}/fsck.te (100%) diff --git a/legacy/device.te b/legacy/device.te index 16c05a07..25f6abeb 100644 --- a/legacy/device.te +++ b/legacy/device.te @@ -1,8 +1,5 @@ # Block Devices -type efs_block_device, dev_type; type fat_block_device, dev_type; -type modem_userdata_block_device, dev_type; -type persist_block_device, dev_type; type vendor_block_device, dev_type; # Exynos devices diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 5a8323e1..168968bb 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te 
@@ -2,4 +2,7 @@ type sda_block_device, dev_type, bdev_type;
 type devinfo_block_device, dev_type, bdev_type;
 type modem_block_device, dev_type, bdev_type;
 type custom_ab_block_device, dev_type, bdev_type;
+type persist_block_device, dev_type, bdev_type;
+type efs_block_device, dev_type, bdev_type;
+type modem_userdata_block_device, dev_type, bdev_type;
 type sg_device, dev_type;
diff --git a/legacy/e2fs.te b/whitechapel_pro/e2fs.te
similarity index 100%
rename from legacy/e2fs.te
rename to whitechapel_pro/e2fs.te
diff --git a/legacy/fsck.te b/whitechapel_pro/fsck.te
similarity index 100%
rename from legacy/fsck.te
rename to whitechapel_pro/fsck.te
From ba469d27e49b082ea4215fe209e0195e14e9c952 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Sep 2021 13:04:43 +0800 Subject: [PATCH 053/900] remove obsolete devices Bug: 196916111 Test: build pass Change-Id: I3e0768802f4a49aad799e5053627f1f0328316f5
--- legacy/device.te | 7 ------- legacy/file_contexts | 4 ---- 2 files changed, 11 deletions(-)
diff --git a/legacy/device.te b/legacy/device.te
index 25f6abeb..8ec9f8ea 100644
--- a/legacy/device.te
+++ b/legacy/device.te
@@ -1,11 +1,4 @@
-# Block Devices
-type fat_block_device, dev_type;
-type vendor_block_device, dev_type;
-
 # Exynos devices
-type vendor_m2m1shot_device, dev_type;
-type vendor_nanohub_device, dev_type;
-type vendor_secmem_device, dev_type;
 type vendor_toe_device, dev_type;

 # usbpd
diff --git a/legacy/file_contexts b/legacy/file_contexts
index fda25170..3097fa29 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -32,9 +32,6 @@
 # Exynos Devices
 #
 /dev/bbd_pwrstat u:object_r:power_stats_device:s0
-/dev/nanohub u:object_r:vendor_nanohub_device:s0
-/dev/nanohub_comms u:object_r:vendor_nanohub_device:s0
-/dev/m2m1shot_scaler0 u:object_r:vendor_m2m1shot_device:s0
 /dev/dri/card0 u:object_r:graphics_device:s0
 /dev/fimg2d u:object_r:graphics_device:s0
 /dev/g2d u:object_r:graphics_device:s0
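Review bot: The three block-device types moved into whitechapel_pro/device.te gain the `bdev_type` attribute that their legacy/device.te declarations did not carry (`type persist_block_device, dev_type;` became `type persist_block_device, dev_type, bdev_type;`, likewise efs and modem_userdata), so this is an attribute change rather than a plain move, and any rule or neverallow written against `bdev_type` now covers these three types as well. That matches the other entries in this file, but it is not mentioned in the commit message and deserves a line there. Since e2fs.te and fsck.te move with 100% similarity, the added attribute is the only declaration-level difference this commit introduces for these types.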
@@ -59,7 +56,6 @@ # GPU device /dev/mali0 u:object_r:gpu_device:s0 -/dev/s5p-smem u:object_r:vendor_secmem_device:s0 /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 From 0a091e530835bc34f348dc513ca4db2471b96b37 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Sep 2021 13:32:02 +0800 Subject: [PATCH 054/900] modulize drm modules Bug: 199232842 Test: boot with drm modules started Change-Id: Ic02f6c8498a4ac6cbda2b10b0e9647f733b54478 --- legacy/file.te | 3 --- legacy/file_contexts | 5 ----- legacy/hal_drm_default.te | 6 ------ widevine/file.te | 3 +++ widevine/file_contexts | 5 +++++ {legacy => widevine}/hal_drm_clearkey.te | 0 widevine/hal_drm_widevine.te | 10 ++++++++++ 7 files changed, 18 insertions(+), 14 deletions(-) delete mode 100644 legacy/hal_drm_default.te create mode 100644 widevine/file.te create mode 100644 widevine/file_contexts rename {legacy => widevine}/hal_drm_clearkey.te (100%) create mode 100644 widevine/hal_drm_widevine.te diff --git a/legacy/file.te b/legacy/file.te index f2726328..a2a26abc 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -58,9 +58,6 @@ type sysfs_wifi, sysfs_type, fs_type; # All files under /data/vendor/firmware/wifi type updated_wifi_firmware_data_file, file_type, data_file_type; -# Widevine DRM -type mediadrm_vendor_data_file, file_type, data_file_type; - # Storage Health HAL type sysfs_scsi_devices_0000, sysfs_type, fs_type; type debugfs_f2fs, debugfs_type, fs_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 3097fa29..0c685764 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -1,8 +1,6 @@ # # Exynos HAL # -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.4-service\.widevine u:object_r:hal_drm_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 @@ -59,9 +57,6 @@ /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 -# data files -/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 - # Camera /vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 /vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0 diff --git a/legacy/hal_drm_default.te b/legacy/hal_drm_default.te deleted file mode 100644 index 30e443a8..00000000 --- a/legacy/hal_drm_default.te +++ /dev/null @@ -1,6 +0,0 @@ -# L3 -allow hal_drm_default mediadrm_vendor_data_file:file create_file_perms; -allow hal_drm_default mediadrm_vendor_data_file:dir create_dir_perms; - -# L1 -allow hal_drm_default dmabuf_system_heap_device:chr_file r_file_perms; diff --git a/widevine/file.te b/widevine/file.te new file mode 100644 index 00000000..a1e4e0ec --- /dev/null +++ b/widevine/file.te @@ -0,0 +1,3 @@ +# Widevine DRM +type mediadrm_vendor_data_file, file_type, data_file_type; + diff --git a/widevine/file_contexts b/widevine/file_contexts new file mode 100644 index 00000000..e1529417 --- /dev/null +++ b/widevine/file_contexts 
@@ -0,0 +1,5 @@
+/vendor/bin/hw/android\.hardware\.drm@1\.4-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+
+# Data
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
diff --git a/legacy/hal_drm_clearkey.te b/widevine/hal_drm_clearkey.te
similarity index 100%
rename from legacy/hal_drm_clearkey.te
rename to widevine/hal_drm_clearkey.te
diff --git a/widevine/hal_drm_widevine.te b/widevine/hal_drm_widevine.te
new file mode 100644
index 00000000..0e465719
--- /dev/null
+++ b/widevine/hal_drm_widevine.te
@@ -0,0 +1,10 @@
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms;
From 953c43b31adbb4ce8479cb36f0d1bcba03a96a7d Mon Sep 17 00:00:00 2001
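Review bot: `hal_drm_widevine` in the new widevine/hal_drm_widevine.te is declared as a bare `type hal_drm_widevine, domain;` plus `init_daemon_domain`, but nothing in this commit attaches it to the drm HAL attribute that the replaced `hal_drm_default` domain inherits from the platform policy. Unless another file under widevine/ supplies that, the widevine service starts in a domain that has only the two file rules and the dmabuf rule copied from the deleted legacy/hal_drm_default.te and no hwbinder/servicemanager registration rules, which "Test: boot with drm modules started" would not catch. The usual fix is `hal_server_domain(hal_drm_widevine, hal_drm)` directly after the two type declarations. A short header comment naming the binary this domain covers (the `/vendor/bin/hw/android\.hardware\.drm@1\.4-service\.widevine` entry in widevine/file_contexts) would also help readers who only open the .te file.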
From: Adam Shih Date: Mon, 13 Sep 2021 10:59:16 +0800 Subject: [PATCH 055/900] remove untraceable rules Bug: 196916111 Test: boot to home 01-01 12:00:13.140 903 903 I Binder:903_1: type=1400 audit(0.0:9): avc: denied { quotaget } for scontext=u:r:installd:s0 tcontext=u:object_r:modem_img_file:s0 tclass=filesystem permissive=1 Change-Id: Iec8f2495b13df6b035af0cf11f67cd1525bcf9ea --- legacy/audioserver.te | 2 -- legacy/bootanim.te | 5 ----- legacy/dumpstate.te | 16 ---------------- legacy/radio.te | 1 - legacy/shell.te | 7 ------- legacy/system_app.te | 6 ------ legacy/system_server.te | 5 ----- legacy/toolbox.te | 3 --- {legacy => whitechapel_pro}/installd.te | 0 9 files changed, 45 deletions(-) delete mode 100644 legacy/audioserver.te delete mode 100644 legacy/bootanim.te delete mode 100644 legacy/dumpstate.te delete mode 100644 legacy/radio.te delete mode 100644 legacy/shell.te delete mode 100644 legacy/system_app.te delete mode 100644 legacy/system_server.te delete mode 100644 legacy/toolbox.te rename {legacy => whitechapel_pro}/installd.te (100%) diff --git a/legacy/audioserver.te b/legacy/audioserver.te deleted file mode 100644 index 69d7c1a4..00000000 --- a/legacy/audioserver.te +++ /dev/null @@ -1,2 +0,0 @@ -# allow access to ALSA MMAP FDs for AAudio API -allow audioserver audio_device:chr_file r_file_perms; diff --git a/legacy/bootanim.te b/legacy/bootanim.te deleted file mode 100644 index 7b3019df..00000000 --- a/legacy/bootanim.te +++ /dev/null @@ -1,5 +0,0 @@ -# TODO(b/62954877). On Android Wear, bootanim reads the time -# during boot to display. It currently gets that time from a file -# in /data/system. This should be moved. In the meantime, suppress -# this denial on phones since this functionality is not used. -dontaudit bootanim system_data_file:dir r_dir_perms; diff --git a/legacy/dumpstate.te b/legacy/dumpstate.te deleted file mode 100644 index 7c024e3d..00000000 --- a/legacy/dumpstate.te +++ /dev/null 
@@ -1,16 +0,0 @@ -dump_hal(hal_telephony) -dump_hal(hal_graphics_composer) - -userdebug_or_eng(` - allow dumpstate media_rw_data_file:file append; -') - -allow dumpstate sysfs_scsi_devices_0000:file r_file_perms; -allow dumpstate persist_file:dir r_dir_perms; - -allow dumpstate modem_efs_file:dir getattr; -allow dumpstate modem_img_file:dir getattr; -allow dumpstate modem_userdata_file:dir getattr; -allow dumpstate fuse:dir search; - -dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms; diff --git a/legacy/radio.te b/legacy/radio.te deleted file mode 100644 index ffa43521..00000000 --- a/legacy/radio.te +++ /dev/null @@ -1 +0,0 @@ -allow radio hal_exynos_rild_hwservice:hwservice_manager find; diff --git a/legacy/shell.te b/legacy/shell.te deleted file mode 100644 index 484e1501..00000000 --- a/legacy/shell.te +++ /dev/null @@ -1,7 +0,0 @@ -allow shell eco_service:service_manager find; - -# Allow access to the SJTAG kernel interface from the shell -userdebug_or_eng(` - allow shell vendor_sjtag_debugfs:dir r_dir_perms; - allow shell vendor_sjtag_debugfs:file rw_file_perms; -') diff --git a/legacy/system_app.te b/legacy/system_app.te deleted file mode 100644 index b7542fd6..00000000 --- a/legacy/system_app.te +++ /dev/null @@ -1,6 +0,0 @@ -allow system_app sysfs_vendor_sched:file w_file_perms; - -allow system_app hal_wlc_hwservice:hwservice_manager find; -binder_call(system_app, hal_wlc) - -allow system_app fwk_stats_hwservice:hwservice_manager find; diff --git a/legacy/system_server.te b/legacy/system_server.te deleted file mode 100644 index 001b8556..00000000 --- a/legacy/system_server.te +++ /dev/null @@ -1,5 +0,0 @@ -# Allow system server to send sensor data callbacks to GPS and camera HALs -binder_call(system_server, gpsd); -binder_call(system_server, hal_camera_default); -# Allow system server to find vendor uwb service -allow system_server uwb_vendor_service:service_manager find; 
diff --git a/legacy/toolbox.te b/legacy/toolbox.te deleted file mode 100644 index 9fbbb7ab..00000000 --- a/legacy/toolbox.te +++ /dev/null @@ -1,3 +0,0 @@ -allow toolbox ram_device:blk_file rw_file_perms; -allow toolbox per_boot_file:dir create_dir_perms; -allow toolbox per_boot_file:file create_file_perms; diff --git a/legacy/installd.te b/whitechapel_pro/installd.te similarity index 100% rename from legacy/installd.te rename to whitechapel_pro/installd.te From 2a422d71596476b999fce3ed72ef89705dd68a86 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Sep 2021 11:04:02 +0800 Subject: [PATCH 056/900] remove fingerprint policy Bug: 196916111 Test: boot ot home with fingerprint hal started Change-Id: I24a81eb5bae26120e66e7d77f9672566bb1f049b --- legacy/file_contexts | 6 -- legacy/hal_fingerprint_default.te | 14 --- whitechapel_pro/file_contexts | 147 +++++++++++++++--------------- 3 files changed, 74 insertions(+), 93 deletions(-) delete mode 100644 legacy/hal_fingerprint_default.te diff --git a/legacy/file_contexts b/legacy/file_contexts index 0c685764..f68c19d4 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -208,12 +208,6 @@ /dev/touch_offload u:object_r:touch_offload_device:s0 /vendor/bin/twoshay u:object_r:twoshay_exec:s0 -# Fingerprint -/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 - # Zram /data/per_boot(/.*)? u:object_r:per_boot_file:s0 diff --git a/legacy/hal_fingerprint_default.te b/legacy/hal_fingerprint_default.te deleted file mode 100644 index c6d64d5d..00000000 
--- a/legacy/hal_fingerprint_default.te +++ /dev/null @@ -1,14 +0,0 @@ -allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; -allow hal_fingerprint_default tee_device:chr_file rw_file_perms; -allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms; -allow hal_fingerprint_default sysfs_batteryinfo:dir search; -allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; -allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms; -allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms; -allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms; -allow hal_fingerprint_default fwk_stats_service:service_manager find; -get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) -userdebug_or_eng(` - get_prop(hal_fingerprint_default, vendor_fingerprint_fake_prop) -') -add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 3dd754e7..a0a9c7dc 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -1,84 +1,85 @@ # Binaries -/vendor/bin/dmd u:object_r:dmd_exec:s0 -/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 -/vendor/bin/sced u:object_r:sced_exec:s0 -/vendor/bin/vcd u:object_r:vcd_exec:s0 -/vendor/bin/chre u:object_r:chre_exec:s0 -/vendor/bin/cbd u:object_r:cbd_exec:s0 -/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 -/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 -/vendor/bin/rfsd u:object_r:rfsd_exec:s0 -/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0 -/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0 -/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0 -/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 -/vendor/bin/storageproxyd u:object_r:tee_exec:s0 -/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 +/vendor/bin/dmd u:object_r:dmd_exec:s0 +/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 +/vendor/bin/sced u:object_r:sced_exec:s0 +/vendor/bin/vcd u:object_r:vcd_exec:s0 +/vendor/bin/chre u:object_r:chre_exec:s0 +/vendor/bin/cbd u:object_r:cbd_exec:s0 +/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 +/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 +/vendor/bin/rfsd u:object_r:rfsd_exec:s0 +/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 +/vendor/bin/storageproxyd u:object_r:tee_exec:s0 +/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix 
u:object_r:hal_fingerprint_default_exec:s0 # Vendor Firmwares -/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 +/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 # Devices -/dev/trusty-ipc-dev0 u:object_r:tee_device:s0 -/dev/sg1 u:object_r:sg_device:s0 -/dev/st54spi u:object_r:secure_element_device:s0 -/dev/st33spi u:object_r:secure_element_device:s0 -/dev/ttyGS[0-3] u:object_r:serial_device:s0 -/dev/oem_ipc[0-7] u:object_r:radio_device:s0 -/dev/umts_boot0 u:object_r:radio_device:s0 -/dev/umts_ipc0 u:object_r:radio_device:s0 -/dev/umts_ipc1 u:object_r:radio_device:s0 -/dev/umts_rfs0 u:object_r:radio_device:s0 -/dev/umts_dm0 u:object_r:radio_device:s0 -/dev/umts_router u:object_r:radio_device:s0 -/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 -/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 -/dev/socket/chre u:object_r:chre_socket:s0 -/dev/block/sda u:object_r:sda_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 
-/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/trusty-ipc-dev0 u:object_r:tee_device:s0 +/dev/sg1 u:object_r:sg_device:s0 +/dev/st54spi u:object_r:secure_element_device:s0 +/dev/st33spi u:object_r:secure_element_device:s0 +/dev/ttyGS[0-3] u:object_r:serial_device:s0 +/dev/oem_ipc[0-7] u:object_r:radio_device:s0 +/dev/umts_boot0 u:object_r:radio_device:s0 +/dev/umts_ipc0 u:object_r:radio_device:s0 +/dev/umts_ipc1 u:object_r:radio_device:s0 +/dev/umts_rfs0 u:object_r:radio_device:s0 +/dev/umts_dm0 u:object_r:radio_device:s0 +/dev/umts_router u:object_r:radio_device:s0 +/dev/logbuffer_tcpm 
u:object_r:logbuffer_device:s0 +/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 +/dev/socket/chre u:object_r:chre_socket:s0 +/dev/block/sda u:object_r:sda_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] 
u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 # Data -/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 -/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 -/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 -/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 -/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 -/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 +/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 +/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 +/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 +/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 +/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 +/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 +/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 # Persist -/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 -/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 +/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 +/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 # Extra mount images -/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 -/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 -/mnt/vendor/efs_backup(/.*)? 
u:object_r:modem_efs_file:s0 -/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 +/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 +/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 +/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 +/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 From 349700cece0d1f6d93c0cc4347e02bf6e664c003 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Sep 2021 11:59:57 +0800 Subject: [PATCH 057/900] remove twoshay It does not eexist on raven claw on Build ID 7726471 Bug: 196916111 Test: boot to home Change-Id: Ie358657de3f4dfd6704288798dc2a198f25ae419 --- legacy/file_contexts | 1 - legacy/hal_dumpstate_default.te | 1 - legacy/platform_app.te | 1 - legacy/twoshay.te | 10 ---------- 4 files changed, 13 deletions(-) delete mode 100644 legacy/twoshay.te diff --git a/legacy/file_contexts b/legacy/file_contexts index f68c19d4..04656075 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -206,7 +206,6 @@ # Touch /dev/touch_offload u:object_r:touch_offload_device:s0 -/vendor/bin/twoshay u:object_r:twoshay_exec:s0 # Zram /data/per_boot(/.*)? u:object_r:per_boot_file:s0 diff --git a/legacy/hal_dumpstate_default.te b/legacy/hal_dumpstate_default.te index 38381b15..d4cb32c8 100644 --- a/legacy/hal_dumpstate_default.te +++ b/legacy/hal_dumpstate_default.te @@ -59,7 +59,6 @@ allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:lnk_file read; allow hal_dumpstate_default touch_context_service:service_manager find; -binder_call(hal_dumpstate_default, twoshay) # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; diff --git a/legacy/platform_app.te b/legacy/platform_app.te index 14cf0554..d8fde3a3 100644 --- a/legacy/platform_app.te +++ b/legacy/platform_app.te 
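Review bot: The only functional change in the 84-line whitechapel_pro/file_contexts hunk (starting at `@@ -1,84 +1,85 @@`) is the added entry `/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0`; every other removed/added pair is a whitespace re-alignment of an unchanged entry, which hides the policy change from reviewers and from blame. Keeping alignment churn in a separate reformat commit, or leaving the existing alignment alone, would make the labelling change reviewable on its own. Separately, the device rules that legacy/hal_fingerprint_default.te granted this domain (fingerprint_device, tee_device, sysfs_fingerprint, the netlink socket) are deleted by this commit and, per the diffstat, not re-added under whitechapel_pro/, so the relabelled goodix service now runs with only the platform-default hal_fingerprint_default rules; if a follow-up restores them, the commit message should say so.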
@@ -11,7 +11,6 @@ allow platform_app fwk_stats_service:service_manager find; binder_use(platform_app) allow platform_app touch_context_service:service_manager find; -binder_call(platform_app, twoshay) # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) diff --git a/legacy/twoshay.te b/legacy/twoshay.te deleted file mode 100644 index ad239702..00000000 --- a/legacy/twoshay.te +++ /dev/null @@ -1,10 +0,0 @@ -type twoshay, domain; -type twoshay_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(twoshay) - -allow twoshay touch_offload_device:chr_file rw_file_perms; -allow twoshay twoshay:capability sys_nice; - -binder_use(twoshay) -add_service(twoshay, touch_context_service) From 256795caa70d6da0e36aedd445e2ed10559c9344 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 14 Sep 2021 11:54:56 +0800 Subject: [PATCH 058/900] review SSR app Bug: 198532074 Test: boot with SSR app labeled Change-Id: I7fd0765ffdcc5632be1c91a28de25c6e1e531e26 --- legacy/file.te | 1 - legacy/genfs_contexts | 1 - legacy/property.te | 4 ---- legacy/property_contexts | 8 -------- legacy/seapp_contexts | 1 - legacy/vendor_init.te | 1 - whitechapel_pro/property.te | 2 ++ whitechapel_pro/property_contexts | 8 ++++++++ whitechapel_pro/seapp_contexts | 3 +++ {legacy => whitechapel_pro}/ssr_detector.te | 2 -- whitechapel_pro/vendor_init.te | 1 + 11 files changed, 14 insertions(+), 18 deletions(-) rename {legacy => whitechapel_pro}/ssr_detector.te (84%) diff --git a/legacy/file.te b/legacy/file.te index a2a26abc..a2eb405b 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -23,7 +23,6 @@ type vendor_maxfg_debugfs, fs_type, debugfs_type; type vendor_charger_debugfs, fs_type, debugfs_type; type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; -type vendor_sjtag_debugfs, fs_type, debugfs_type; # Exynos sysfs type sysfs_exynos_bts, sysfs_type, fs_type; 
diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts index cbc266d7..51dcf58b 100644 --- a/legacy/genfs_contexts +++ b/legacy/genfs_contexts @@ -250,7 +250,6 @@ genfscon debugfs /usb genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 -genfscon debugfs /sjtag u:object_r:vendor_sjtag_debugfs:s0 # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 diff --git a/legacy/property.te b/legacy/property.te index a66a947a..28ce2e9f 100644 --- a/legacy/property.te +++ b/legacy/property.te @@ -1,7 +1,6 @@ # For Exynos Properties vendor_internal_prop(vendor_prop) vendor_internal_prop(sensors_prop) -vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_device_prop) vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_secure_element_prop) @@ -28,9 +27,6 @@ vendor_internal_prop(vendor_logger_prop) # NFC vendor_internal_prop(vendor_nfc_prop) -# WiFi -vendor_internal_prop(vendor_wifi_version) - # Touchpanel vendor_internal_prop(vendor_touchpanel_prop) diff --git a/legacy/property_contexts b/legacy/property_contexts index 7244e74b..c00cfe88 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts @@ -1,10 +1,6 @@ # Ramdump persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0 -# SSR Detector -vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 -persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0 - # Kernel modules related vendor.common.modules.ready u:object_r:vendor_device_prop:s0 vendor.device.modules.ready u:object_r:vendor_device_prop:s0 
@@ -53,10 +49,6 @@ vendor.battery.defender. u:object_r:vendor_battery_defend # test battery profile persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 -# WiFi -vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 -vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 - # Touchpanel vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0 diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts index a30552b7..90b10346 100644 --- a/legacy/seapp_contexts +++ b/legacy/seapp_contexts @@ -1,5 +1,4 @@ # coredump/ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all # HbmSVManager diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index 94b7d9ec..70d06de9 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te @@ -3,7 +3,6 @@ set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_slog_prop) -set_prop(vendor_init, vendor_ssrdump_prop) get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) set_prop(vendor_init, vendor_thermal_prop) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 3c806615..5b1caef3 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -5,4 +5,6 @@ vendor_internal_prop(vendor_persist_config_default_prop) vendor_internal_prop(vendor_cbd_prop) vendor_internal_prop(vendor_rild_prop) vendor_internal_prop(vendor_carrier_prop) +vendor_internal_prop(vendor_ssrdump_prop) +vendor_internal_prop(vendor_wifi_version) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index f2af0320..9b013132 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts 
@@ -29,3 +29,11 @@ vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0 + +# SSR Detector +vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 + +# WiFi +vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 +vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 520cbf12..23acc183 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -22,3 +22,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_ # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user + +# Sub System Ramdump +user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user diff --git a/legacy/ssr_detector.te b/whitechapel_pro/ssr_detector.te similarity index 84% rename from legacy/ssr_detector.te rename to whitechapel_pro/ssr_detector.te index 37f571cd..ff3c40f9 100644 --- a/legacy/ssr_detector.te +++ b/whitechapel_pro/ssr_detector.te @@ -12,8 +12,6 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) - allow ssr_detector_app vendor_sjtag_debugfs:dir r_dir_perms; - allow ssr_detector_app vendor_sjtag_debugfs:file rw_file_perms; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index f0c6b6bf..c8a8d3c0 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te 
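Review bot: Only `vendor.debug.ssrdump.` is carried over to whitechapel_pro/property_contexts; the `persist.vendor.sys.ssr.` prefix that the legacy/property_contexts hunk of this same commit removes is not re-added anywhere, so properties under that prefix would now take whatever label the generic `persist.vendor.` fallback gives them rather than vendor_ssrdump_prop, and the retained `get_prop(ssr_detector_app, vendor_ssrdump_prop)` in the renamed ssr_detector.te would no longer cover them. If the prefix is still used, add `persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0` under the SSR Detector comment; if it is intentionally retired, a sentence in the commit message saying so would save the next reader a search. The hunk also ends with a lone `+` blank line at EOF that serves no purpose.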
@@ -1,4 +1,5 @@ allow vendor_init bootdevice_sysdev:file create_file_perms; +set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_carrier_prop) set_prop(vendor_init, vendor_cbd_prop) From 01d2b965160b84a16fbfa2962c2aafe51fb8a2fc Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Sep 2021 14:41:01 +0800 Subject: [PATCH 059/900] restart dauntless sepolicy Bug: 199685763 Test: build ROM with relevant modules labeled correctly Change-Id: I9d01ad1dea9da059cb91142adadd3f55f50cf9ca --- dauntless/citadel_provision.te | 6 ++++++ dauntless/citadeld.te | 4 ++++ dauntless/device.te | 1 + dauntless/file.te | 1 + dauntless/file_contexts | 9 +++++++++ dauntless/hal_identity_citadel.te | 4 ++++ dauntless/hal_keymint_citadel.te | 4 ++++ dauntless/hal_weaver_citadel.te | 4 ++++ dauntless/init_citadel.te | 4 ++++ dauntless/vndservice.te | 1 + gs201-sepolicy.mk | 4 ++-- legacy/file_contexts | 3 --- legacy/hal_dumpstate_default.te | 2 +- whitechapel_pro/vndservice.te | 1 + 14 files changed, 42 insertions(+), 6 deletions(-) create mode 100644 dauntless/citadel_provision.te create mode 100644 dauntless/citadeld.te create mode 100644 dauntless/device.te create mode 100644 dauntless/file.te create mode 100644 dauntless/file_contexts create mode 100644 dauntless/hal_identity_citadel.te create mode 100644 dauntless/hal_keymint_citadel.te create mode 100644 dauntless/hal_weaver_citadel.te create mode 100644 dauntless/init_citadel.te create mode 100644 dauntless/vndservice.te create mode 100644 whitechapel_pro/vndservice.te diff --git a/dauntless/citadel_provision.te b/dauntless/citadel_provision.te new file mode 100644 index 00000000..56050857 --- /dev/null +++ b/dauntless/citadel_provision.te @@ -0,0 +1,6 @@ +type citadel_provision, domain; +type citadel_provision_exec, exec_type, vendor_file_type, file_type; + +userdebug_or_eng(` + init_daemon_domain(citadel_provision) +') 
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
new file mode 100644
index 00000000..bd8e4e38
--- /dev/null
+++ b/dauntless/citadeld.te
@@ -0,0 +1,4 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(citadeld)
diff --git a/dauntless/device.te b/dauntless/device.te
new file mode 100644
index 00000000..f63186f4
--- /dev/null
+++ b/dauntless/device.te
@@ -0,0 +1 @@
+type citadel_device, dev_type;
diff --git a/dauntless/file.te b/dauntless/file.te
new file mode 100644
index 00000000..cfc0dea1
--- /dev/null
+++ b/dauntless/file.te
@@ -0,0 +1 @@
+type citadel_updater, vendor_file_type, file_type;
diff --git a/dauntless/file_contexts b/dauntless/file_contexts
new file mode 100644
index 00000000..76a25023
--- /dev/null
+++ b/dauntless/file_contexts
@@ -0,0 +1,9 @@
+/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
+/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
+/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
+
+/dev/gsc0 u:object_r:citadel_device:s0
diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te
new file mode 100644
index 00000000..7b2c37c3
--- /dev/null
+++ b/dauntless/hal_identity_citadel.te
@@ -0,0 +1,4 @@
+type hal_identity_citadel, domain;
+type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_identity_citadel)
diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keymint_citadel.te
new file mode 100644
index 00000000..04680edf
--- /dev/null
+++ b/dauntless/hal_keymint_citadel.te
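Review bot: dauntless/hal_identity_citadel.te declares the domain and `init_daemon_domain(hal_identity_citadel)` only, with no `hal_server_domain(hal_identity_citadel, hal_identity)` attribution, and the hal_keymint_citadel and hal_weaver_citadel files in the next hunks follow the same skeleton. Without the server attribute these daemons presumably cannot register their HAL service or reach the device node, so the commit's "build ROM" test would pass while the HALs fail at runtime; a `# TODO(b/199685763): add hal_server_domain and device access` line in each file would at least mark them as placeholders rather than finished policy.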
@@ -0,0 +1,4 @@ +type hal_keymint_citadel, domain; +type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_keymint_citadel) diff --git a/dauntless/hal_weaver_citadel.te b/dauntless/hal_weaver_citadel.te new file mode 100644 index 00000000..5cd1c6a4 --- /dev/null +++ b/dauntless/hal_weaver_citadel.te @@ -0,0 +1,4 @@ +type hal_weaver_citadel, domain; +type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_weaver_citadel) diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te new file mode 100644 index 00000000..2c8246ba --- /dev/null +++ b/dauntless/init_citadel.te @@ -0,0 +1,4 @@ +type init_citadel, domain; +type init_citadel_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(init_citadel) diff --git a/dauntless/vndservice.te b/dauntless/vndservice.te new file mode 100644 index 00000000..880c09ca --- /dev/null +++ b/dauntless/vndservice.te @@ -0,0 +1 @@ +type citadeld_service, vndservice_manager_type; diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 48944087..3814171f 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk @@ -14,8 +14,8 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/priv # # Pixel-wide # -# Dauntless (uses Citadel policy currently) -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel +# Dauntless sepolicy (b/199685763) +BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/dauntless # Wifi BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext diff --git a/legacy/file_contexts b/legacy/file_contexts index 04656075..5d97f4d9 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -183,9 +183,6 @@ # R4 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 -# Citadel StrongBox -/dev/gsc0 u:object_r:citadel_device:s0 - # Tetheroffload Service /dev/dit2 u:object_r:vendor_toe_device:s0 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 diff --git a/legacy/hal_dumpstate_default.te b/legacy/hal_dumpstate_default.te index d4cb32c8..06b14db5 100644 --- a/legacy/hal_dumpstate_default.te +++ b/legacy/hal_dumpstate_default.te @@ -84,7 +84,7 @@ allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; allow hal_dumpstate_default citadeld_service:service_manager find; -allow hal_dumpstate_default citadel_updater_exec:file execute_no_trans; +allow hal_dumpstate_default citadel_updater:file execute_no_trans; binder_call(hal_dumpstate_default, citadeld); allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te new file mode 100644 index 00000000..75c2bc5b --- /dev/null +++ b/whitechapel_pro/vndservice.te @@ -0,0 +1 @@ +type hal_power_stats_vendor_service, vndservice_manager_type; From d57c9cd1fc1110f1fae957744246e8998cf4a3d0 Mon Sep 17 00:00:00 2001 
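Review bot: `allow hal_dumpstate_default citadel_updater:file execute_no_trans;` now runs a binary labeled with a plain `vendor_file_type` (dauntless/file.te declares `citadel_updater` without `exec_type`) inside the dumpstate HAL's own domain, so the updater inherits that HAL's full permission set rather than getting a confined domain of its own. If in-domain execution from dumpstate is the only intended use, say so where the type is declared, e.g. `# not an exec_type: run in-domain by hal_dumpstate_default only`; if init or any other domain also launches citadel_updater, it needs an exec_type plus a domain transition instead. The hal_dumpstate_default.te file continues outside this hunk, so other rules for the same type may exist there.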
From: Adam Shih Date: Thu, 16 Sep 2021 13:55:58 +0800 Subject: [PATCH 060/900] review graphics related sepolicy Bug: 196916111 Test: boot to home Change-Id: I43a875fb69e4237009b0515d8db6ebac8e2982b5 --- legacy/file_contexts | 15 --------------- legacy/hal_graphics_allocator_default.te | 4 ---- legacy/hal_graphics_composer_default.te | 6 ------ whitechapel_pro/file_contexts | 3 +++ {legacy => whitechapel_pro}/te_macros | 0 5 files changed, 3 insertions(+), 25 deletions(-) delete mode 100644 legacy/hal_graphics_allocator_default.te delete mode 100644 legacy/hal_graphics_composer_default.te rename {legacy => whitechapel_pro}/te_macros (100%) diff --git a/legacy/file_contexts b/legacy/file_contexts index 5d97f4d9..3eca74a0 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -6,12 +6,7 @@ /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 -/(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0 -/(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 -/(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0 -/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0 -/(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 /vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0 
@@ -30,9 +25,6 @@ # Exynos Devices # /dev/bbd_pwrstat u:object_r:power_stats_device:s0 -/dev/dri/card0 u:object_r:graphics_device:s0 -/dev/fimg2d u:object_r:graphics_device:s0 -/dev/g2d u:object_r:graphics_device:s0 /dev/tsmux u:object_r:video_device:s0 /dev/repeater u:object_r:video_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 @@ -65,8 +57,6 @@ /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 -/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 /dev/stmvl53l1_ranging u:object_r:rls_device:s0 @@ -194,11 +184,6 @@ /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 # Display -/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/hw/vulkan\.gs201\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 # Touch diff --git a/legacy/hal_graphics_allocator_default.te b/legacy/hal_graphics_allocator_default.te deleted file mode 100644 index 63a7dcfb..00000000 --- a/legacy/hal_graphics_allocator_default.te +++ /dev/null @@ -1,4 +0,0 @@ -allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms; -allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms; -allow hal_graphics_allocator_default vframe_heap_device:chr_file r_file_perms; -allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms; diff --git a/legacy/hal_graphics_composer_default.te b/legacy/hal_graphics_composer_default.te deleted file mode 100644 index 0562aa0e..00000000 
--- a/legacy/hal_graphics_composer_default.te +++ /dev/null @@ -1,6 +0,0 @@ -allow hal_graphics_composer_default sysfs_display:dir search; -allow hal_graphics_composer_default sysfs_display:file rw_file_perms; - -# allow HWC to access power hal -binder_call(hal_graphics_composer_default, hal_power_default); -hal_client_domain(hal_graphics_composer_default, hal_power); diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index a0a9c7dc..9e50db98 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -20,6 +20,9 @@ /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 # Devices +/dev/dri/card0 u:object_r:graphics_device:s0 +/dev/fimg2d u:object_r:graphics_device:s0 +/dev/g2d u:object_r:graphics_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /dev/sg1 u:object_r:sg_device:s0 /dev/st54spi u:object_r:secure_element_device:s0 diff --git a/legacy/te_macros b/whitechapel_pro/te_macros similarity index 100% rename from legacy/te_macros rename to whitechapel_pro/te_macros From 18db3d30dd22b324521a473ea53bbfcf729ebeb8 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 16 Sep 2021 14:04:13 +0800 Subject: [PATCH 061/900] remove rlsservice The file does not exist Bug: 196916111 Test: boot to home Change-Id: I1bd4b13be5912c2620fbfae2913f01543a09915f --- legacy/file_contexts | 1 - legacy/hal_camera_default.te | 5 ----- legacy/rlsservice.te | 28 ---------------------------- legacy/vndservice_contexts | 1 - 4 files changed, 35 deletions(-) delete mode 100644 legacy/rlsservice.te diff --git a/legacy/file_contexts b/legacy/file_contexts index 3eca74a0..bf70d0cd 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
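Review bot: The three graphics_device nodes removed from legacy/file_contexts are re-added here, but none of the `same_process_hal_file` library labels deleted in the same commit (libion_exynos, libOpenCL, libOpenCL-pixel, libdmabufheap, libgpudataproducer in the first legacy hunk; lib_aion_buffer, libGralloc4Wrapper, libion_google, libdrm, gralloc.gs201, vulkan.gs201, arm.graphics-V1-ndk in the later ones) are. Any of those libraries still present on the image would fall back to the generic vendor library label and could no longer be loaded into app processes as a same-process HAL, which a "boot to home" test does not necessarily exercise. The deleted hal_graphics_composer_default.te rules (sysfs_display access, binder to hal_power_default) likewise disappear without a replacement; the commit message should state that these were verified absent or unneeded on the target ROM.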
@@ -54,7 +54,6 @@ /vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0 /vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0 /vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0 -/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 diff --git a/legacy/hal_camera_default.te b/legacy/hal_camera_default.te index df210f6f..e1baf790 100644 --- a/legacy/hal_camera_default.te +++ b/legacy/hal_camera_default.te @@ -51,11 +51,6 @@ userdebug_or_eng(` set_prop(hal_camera_default, vendor_camera_debug_prop); ') - -# For camera hal to talk with rlsservice -allow hal_camera_default rls_service:service_manager find; -binder_call(hal_camera_default, rlsservice) - hal_client_domain(hal_camera_default, hal_graphics_allocator); hal_client_domain(hal_camera_default, hal_graphics_composer) hal_client_domain(hal_camera_default, hal_power); diff --git a/legacy/rlsservice.te b/legacy/rlsservice.te deleted file mode 100644 index 113ef312..00000000 --- a/legacy/rlsservice.te +++ /dev/null 
@@ -1,28 +0,0 @@ -type rlsservice, domain; -type rlsservice_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(rlsservice) - -vndbinder_use(rlsservice) - -add_service(rlsservice, rls_service) - -# access rainbow sensor calibration files -allow rlsservice persist_file:dir search; -allow rlsservice persist_camera_file:dir search; -allow rlsservice persist_camera_file:file r_file_perms; -allow rlsservice mnt_vendor_file:dir search; - -# access device files -allow rlsservice rls_device:chr_file rw_file_perms; - -binder_call(rlsservice, hal_sensors_default) -binder_call(rlsservice, hal_camera_default) - -# Allow access to always-on compute device node -allow rlsservice device:dir { read watch }; -allow rlsservice aoc_device:chr_file rw_file_perms; - -# Allow use of the USF low latency transport -usf_low_latency_transport(rlsservice) - diff --git a/legacy/vndservice_contexts b/legacy/vndservice_contexts index d44e1cb8..eda9b5e1 100644 --- a/legacy/vndservice_contexts +++ b/legacy/vndservice_contexts @@ -1,4 +1,3 @@ Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 -rlsservice u:object_r:rls_service:s0 displaycolor u:object_r:vendor_displaycolor_service:s0 media.ecoservice u:object_r:eco_service:s0 From 9ffc6d62b89cf78342f8e31116f8287cbc103dcd Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 16 Sep 2021 14:13:30 +0800 Subject: [PATCH 062/900] remove hal_camera_default The file does not exist on ROM 7736863 Bug: 196916111 Test: boot to home Change-Id: I40e64665c33869b93857798055ee1d8145a507aa --- legacy/file_contexts | 1 - legacy/hal_camera_default.te | 72 ------------------------------------ legacy/mediacodec.te | 1 - 3 files changed, 74 deletions(-) delete mode 100644 legacy/hal_camera_default.te diff --git a/legacy/file_contexts b/legacy/file_contexts index bf70d0cd..13556d9c 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -50,7 +50,6 @@ /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 # Camera -/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 /vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0 /vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0 /vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0 diff --git a/legacy/hal_camera_default.te b/legacy/hal_camera_default.te deleted file mode 100644 index e1baf790..00000000 --- a/legacy/hal_camera_default.te +++ /dev/null 
@@ -1,72 +0,0 @@ -type hal_camera_default_tmpfs, file_type; - -allow hal_camera_default self:global_capability_class_set sys_nice; - -binder_use(hal_camera_default); -vndbinder_use(hal_camera_default); - -allow hal_camera_default lwis_device:chr_file rw_file_perms; -allow hal_camera_default gpu_device:chr_file rw_file_perms; -allow hal_camera_default sysfs_chip_id:file r_file_perms; - -# Tuscany (face auth) code that is part of the camera HAL needs to allocate -# dma_bufs and access the Trusted Execution Environment device node -allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms; -allow hal_camera_default tee_device:chr_file rw_file_perms; - -# Allow the camera hal to access the EdgeTPU service and the -# Android shared memory allocated by the EdgeTPU service for -# on-device compilation. -allow hal_camera_default edgetpu_device:chr_file rw_file_perms; -allow hal_camera_default sysfs_edgetpu:dir r_dir_perms; -allow hal_camera_default sysfs_edgetpu:file r_file_perms; -allow hal_camera_default edgetpu_vendor_service:service_manager find; -binder_call(hal_camera_default, edgetpu_vendor_server) - -# Allow access to data files used by the camera HAL -allow hal_camera_default mnt_vendor_file:dir search; -allow hal_camera_default persist_file:dir search; -allow hal_camera_default persist_camera_file:dir search; -allow hal_camera_default persist_camera_file:file r_file_perms; -allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms; -allow hal_camera_default vendor_camera_data_file:file create_file_perms; -allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms; -allow hal_camera_default vendor_camera_tuning_file:file r_file_perms; - -# Allow creating dump files for debugging in non-release builds -userdebug_or_eng(` - allow hal_camera_default vendor_camera_data_file:dir create_dir_perms; - allow hal_camera_default vendor_camera_data_file:file create_file_perms; -') - -# tmpfs is used by google3 prebuilts linked by the HAL to 
unpack data files -# compiled into the shared libraries with cc_embed_data rules -tmpfs_domain(hal_camera_default); - -# Allow access to camera-related system properties -get_prop(hal_camera_default, vendor_camera_prop); -get_prop(hal_camera_default, vendor_camera_debug_prop); -userdebug_or_eng(` - set_prop(hal_camera_default, vendor_camera_fatp_prop); - set_prop(hal_camera_default, vendor_camera_debug_prop); -') - -hal_client_domain(hal_camera_default, hal_graphics_allocator); -hal_client_domain(hal_camera_default, hal_graphics_composer) -hal_client_domain(hal_camera_default, hal_power); -hal_client_domain(hal_camera_default, hal_thermal); - -# Allow access to sensor service for sensor_listener -binder_call(hal_camera_default, system_server); - -# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering -allow hal_camera_default eco_service:service_manager find; -binder_call(hal_camera_default, mediacodec); - -# Allow camera HAL to query preferred camera frequencies from the radio HAL -# extensions to avoid interference with cellular antennas. -allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; -binder_call(hal_camera_default, hal_radioext_default); - -# Allow camera HAL to connect to the stats service. -allow hal_camera_default fwk_stats_service:service_manager find; diff --git a/legacy/mediacodec.te b/legacy/mediacodec.te index ed7c1adf..22d2e133 100644 --- a/legacy/mediacodec.te +++ b/legacy/mediacodec.te @@ -3,7 +3,6 @@ userdebug_or_eng(` ') add_service(mediacodec, eco_service) -allow mediacodec hal_camera_default:binder call; allow mediacodec sysfs_video:file r_file_perms; allow mediacodec sysfs_video:dir r_dir_perms; allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms; From 368ac5f679a7e23cbced3926831294fe6f7780c0 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Fri, 17 Sep 2021 11:06:51 +0800 Subject: [PATCH 063/900] review hal_nfc_default Bug: 196916111 Test: boot to home with nfc hal started Change-Id: Iee8c30777f83788ff703c8094c03182171d713c5 --- legacy/file_contexts | 5 ----- legacy/property.te | 4 ---- legacy/property_contexts | 6 ------ legacy/vendor_init.te | 4 ---- whitechapel_pro/file_contexts | 3 +++ {legacy => whitechapel_pro}/hal_nfc_default.te | 0 whitechapel_pro/property.te | 2 ++ whitechapel_pro/property_contexts | 12 +++++++++--- 8 files changed, 14 insertions(+), 22 deletions(-) rename {legacy => whitechapel_pro}/hal_nfc_default.te (100%) diff --git a/legacy/file_contexts b/legacy/file_contexts index 13556d9c..6fbb7293 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -134,11 +134,6 @@ # Kernel modules related /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 -# NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 -/dev/st21nfc u:object_r:nfc_device:s0 -/data/nfc(/.*)? u:object_r:nfc_data_file:s0 - # Bluetooth /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 /dev/wbrc u:object_r:wb_coexistence_dev:s0 diff --git a/legacy/property.te b/legacy/property.te index 28ce2e9f..e3a9571c 100644 --- a/legacy/property.te +++ b/legacy/property.te @@ -3,7 +3,6 @@ vendor_internal_prop(vendor_prop) vendor_internal_prop(sensors_prop) vendor_internal_prop(vendor_device_prop) vendor_internal_prop(vendor_usb_config_prop) -vendor_internal_prop(vendor_secure_element_prop) # vendor defaults vendor_internal_prop(vendor_config_default_prop) vendor_internal_prop(vendor_ro_sys_default_prop) @@ -24,9 +23,6 @@ vendor_internal_prop(vendor_battery_profile_prop) # Logger vendor_internal_prop(vendor_logger_prop) -# NFC -vendor_internal_prop(vendor_nfc_prop) - # Touchpanel vendor_internal_prop(vendor_touchpanel_prop) 
diff --git a/legacy/property_contexts b/legacy/property_contexts index c00cfe88..4bd2217b 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts @@ -37,12 +37,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for gps vendor.gps u:object_r:vendor_gps_prop:s0 -# SecureElement -persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 - -# NFC -persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 - # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index 70d06de9..98263e5c 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te @@ -14,10 +14,6 @@ userdebug_or_eng(` set_prop(vendor_init, logpersistd_logging_prop) ') -# NFC vendor property -set_prop(vendor_init, vendor_nfc_prop) -# SecureElement vendor property -set_prop(vendor_init, vendor_secure_element_prop) # Battery defender/harness/profile get_prop(vendor_init, test_harness_prop) get_prop(vendor_init, vendor_battery_profile_prop) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 9e50db98..0b0b707b 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -15,6 +15,7 @@ /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 @@ -25,6 +26,7 @@ /dev/g2d u:object_r:graphics_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /dev/sg1 u:object_r:sg_device:s0 +/dev/st21nfc u:object_r:nfc_device:s0 /dev/st54spi u:object_r:secure_element_device:s0 /dev/st33spi u:object_r:secure_element_device:s0 /dev/ttyGS[0-3] u:object_r:serial_device:s0 
@@ -76,6 +78,7 @@ /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 +/data/nfc(/.*)? u:object_r:nfc_data_file:s0 # Persist /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 diff --git a/legacy/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te similarity index 100% rename from legacy/hal_nfc_default.te rename to whitechapel_pro/hal_nfc_default.te diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 5b1caef3..5ae7a7e0 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -7,4 +7,6 @@ vendor_internal_prop(vendor_rild_prop) vendor_internal_prop(vendor_carrier_prop) vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) +vendor_internal_prop(vendor_nfc_prop) +vendor_internal_prop(vendor_secure_element_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 9b013132..e81c0e2a 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -31,9 +31,15 @@ ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0 # SSR Detector -vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 +vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 + +# NFC +persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 + +# SecureElement +persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 # WiFi -vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 -vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 +vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 +vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 From 3f1c23ad58c2dd8f3da98d7e5ef3c12d853bb96f Mon Sep 17 00:00:00 2001 
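Review bot: The added `/data/nfc(/.*)? u:object_r:nfc_data_file:s0` labels a core data path from a vendor file_contexts; if I recall correctly the platform's own private/file_contexts already carries this identical entry, in which case the vendor copy is redundant and can be dropped rather than moved from legacy. In the whitechapel_pro/property_contexts hunk the `vendor.debug.ssrdump.` and both `vendor.wlan.*.version` lines are removed and re-added with no visible content change, which looks like a whitespace realignment; keeping those lines untouched would make the diff show only the NFC and SecureElement additions.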
From: Adam Shih Date: Fri, 17 Sep 2021 12:46:12 +0800 Subject: [PATCH 064/900] rewrite hbmsv app This app has different sources for every device Bug: 196916111 Test: boot to home Change-Id: Iccbdc94eb68c03a5e7b5f1081e802b29c11cb5b0 --- legacy/hbmsvmanager_app.te | 11 ----------- legacy/seapp_contexts | 3 --- legacy/service.te | 1 - legacy/service_contexts | 1 - whitechapel_pro/hbmsvmanager_app.te | 3 +++ whitechapel_pro/seapp_contexts | 3 +++ 6 files changed, 6 insertions(+), 16 deletions(-) delete mode 100644 legacy/hbmsvmanager_app.te create mode 100644 whitechapel_pro/hbmsvmanager_app.te diff --git a/legacy/hbmsvmanager_app.te b/legacy/hbmsvmanager_app.te deleted file mode 100644 index 534f6c82..00000000 --- a/legacy/hbmsvmanager_app.te +++ /dev/null @@ -1,11 +0,0 @@ -type hbmsvmanager_app, domain, coredomain; - -app_domain(hbmsvmanager_app); - -allow hbmsvmanager_app hal_pixel_display_service:service_manager find; -binder_call(hbmsvmanager_app, hal_graphics_composer_default) - -# Standard system services -allow hbmsvmanager_app app_api_service:service_manager find; - -allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts index 90b10346..cf72b1a8 100644 --- a/legacy/seapp_contexts +++ b/legacy/seapp_contexts @@ -1,9 +1,6 @@ # coredump/ramdump user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # Hardware Info Collection user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user diff --git a/legacy/service.te b/legacy/service.te index 357dffe4..87dec4c0 100644 --- a/legacy/service.te +++ b/legacy/service.te 
@@ -1,4 +1,3 @@ -type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/legacy/service_contexts b/legacy/service_contexts index 6fb9de1f..6431f24d 100644 --- a/legacy/service_contexts +++ b/legacy/service_contexts @@ -1,4 +1,3 @@ -com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te new file mode 100644 index 00000000..06bfed6c --- /dev/null +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -0,0 +1,3 @@ +type hbmsvmanager_app, domain; +app_domain(hbmsvmanager_app); +allow hbmsvmanager_app app_api_service:service_manager find; diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 23acc183..68701fe1 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -11,6 +11,9 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all +# HbmSVManager +user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all + # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all From 889f58606b36b5f8eac2a3bd4643eafcccec5b19 Mon Sep 17 00:00:00 2001 
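Review bot: The new `type hbmsvmanager_app, domain;` drops `coredomain` and the display/camera rules of the old definition without a comment explaining either, while the commit title only says "rewrite". Since the app is platform-signed (`seinfo=platform` in the seapp_contexts hunk of this patch) and now confined by this policy directory, a header such as `# Platform-signed HbmSVManager app; device-specific display/camera access is granted per device` would stop the next reader from restoring the old rules wholesale. If whitechapel_pro is compiled as vendor policy, dropping `coredomain` is presumably required rather than optional, and saying so in the same comment is worth one line.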
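Review bot: Removing `com.google.hardware.pixel.display.IDisplay/default` from service_contexts together with the `hal_pixel_display_service` type leaves that AIDL service with no label in this policy set, and nothing in the patch re-adds it under whitechapel_pro. If the display HAL still registers the service and no other policy directory declares the type, the registration falls back to the default service label, which is normally not grantable. I would either move the type and context over with the app (as the patch does for the domain) or add `# IDisplay service is labeled in <dir>` here to record where it now lives.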
From: Adam Shih Date: Wed, 22 Sep 2021 10:12:51 +0800 Subject: [PATCH 065/900] remove untraceable rules Bug: 196916111 Test: boot to home Change-Id: I50ac7a469f76a25adca0ef3e3a9751a0e8afbd2a --- legacy/vold.te | 4 ---- legacy/wifi_sniffer.te | 6 ------ 2 files changed, 10 deletions(-) delete mode 100644 legacy/vold.te delete mode 100644 legacy/wifi_sniffer.te diff --git a/legacy/vold.te b/legacy/vold.te deleted file mode 100644 index 79bec3d2..00000000 --- a/legacy/vold.te +++ /dev/null @@ -1,4 +0,0 @@ -allow vold sysfs_scsi_devices_0000:file rw_file_perms; - -dontaudit vold dumpstate:fifo_file rw_file_perms; -dontaudit vold dumpstate:fd { use }; diff --git a/legacy/wifi_sniffer.te b/legacy/wifi_sniffer.te deleted file mode 100644 index 491162a0..00000000 --- a/legacy/wifi_sniffer.te +++ /dev/null @@ -1,6 +0,0 @@ -userdebug_or_eng(` - allow wifi_sniffer sysfs_wifi:dir search; - allow wifi_sniffer sysfs_wifi:file w_file_perms; - allow wifi_sniffer self:capability sys_module; - dontaudit wifi_sniffer sysfs_wifi:file getattr; -') From 54e3056f4c5bdf7cda6f6d4516a200ca04388172 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 22 Sep 2021 10:17:06 +0800 Subject: [PATCH 066/900] review vendor_battery_profile_prop The action came from PTS Bug: 196916111 Test: boot to home Change-Id: I950fb0fa3fd959d3c176d5fc960b57f905034d67 --- legacy/property.te | 3 -- legacy/property_contexts | 3 -- legacy/vendor_init.te | 1 - legacy/vendor_shell.te | 1 - whitechapel_pro/property.te | 1 + whitechapel_pro/property_contexts | 55 ++++++++++++++++--------------- whitechapel_pro/vendor_init.te | 1 + whitechapel_pro/vendor_shell.te | 3 ++ 8 files changed, 34 insertions(+), 34 deletions(-) delete mode 100644 legacy/vendor_shell.te create mode 100644 whitechapel_pro/vendor_shell.te diff --git a/legacy/property.te b/legacy/property.te index e3a9571c..0218944d 100644 --- a/legacy/property.te +++ b/legacy/property.te 
@@ -17,9 +17,6 @@ vendor_internal_prop(vendor_gps_prop) # Battery defender vendor_internal_prop(vendor_battery_defender_prop) -# Battery profile for harness mode -vendor_internal_prop(vendor_battery_profile_prop) - # Logger vendor_internal_prop(vendor_logger_prop) diff --git a/legacy/property_contexts b/legacy/property_contexts index 4bd2217b..5a5cb4cc 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts @@ -40,9 +40,6 @@ vendor.gps u:object_r:vendor_gps_prop:s0 # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 -# test battery profile -persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 - # Touchpanel vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0 diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index 98263e5c..33303322 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te @@ -16,7 +16,6 @@ userdebug_or_eng(` # Battery defender/harness/profile get_prop(vendor_init, test_harness_prop) -get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_battery_defender_prop) # Fingerprint property diff --git a/legacy/vendor_shell.te b/legacy/vendor_shell.te deleted file mode 100644 index 2ace587a..00000000 --- a/legacy/vendor_shell.te +++ /dev/null @@ -1 +0,0 @@ -set_prop(vendor_shell, vendor_battery_profile_prop) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 5ae7a7e0..6f716705 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -9,4 +9,5 @@ vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_nfc_prop) vendor_internal_prop(vendor_secure_element_prop) +vendor_internal_prop(vendor_battery_profile_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index e81c0e2a..9a5b6bd3 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts 
@@ -1,45 +1,48 @@ # for dmd -persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0 -persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0 -vendor.sys.dmd. u:object_r:vendor_diag_prop:s0 -vendor.sys.diag. u:object_r:vendor_diag_prop:s0 +persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0 +persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0 +vendor.sys.dmd. u:object_r:vendor_diag_prop:s0 +vendor.sys.diag. u:object_r:vendor_diag_prop:s0 # for slog -vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0 -vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0 -persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0 +vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0 +vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0 +persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0 # for modem -persist.vendor.modem. u:object_r:vendor_modem_prop:s0 -vendor.modem. u:object_r:vendor_modem_prop:s0 -vendor.sys.modem. u:object_r:vendor_modem_prop:s0 -ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 -vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 -persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +persist.vendor.modem. u:object_r:vendor_modem_prop:s0 +vendor.modem. u:object_r:vendor_modem_prop:s0 +vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 +persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 # for cbd -vendor.cbd. u:object_r:vendor_cbd_prop:s0 -persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0 +vendor.cbd. u:object_r:vendor_cbd_prop:s0 +persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0 # for rild -persist.vendor.ril. u:object_r:vendor_rild_prop:s0 -vendor.ril. u:object_r:vendor_rild_prop:s0 -vendor.radio.ril. u:object_r:vendor_rild_prop:s0 -vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 -ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 +persist.vendor.ril. 
u:object_r:vendor_rild_prop:s0 +vendor.ril. u:object_r:vendor_rild_prop:s0 +vendor.radio.ril. u:object_r:vendor_rild_prop:s0 +vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 +ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 -persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0 +persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0 # SSR Detector -vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 +vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 + +# test battery profile +persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 # NFC -persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 +persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 # SecureElement -persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 +persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 # WiFi -vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 -vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 +vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 +vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index c8a8d3c0..75cac346 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -3,3 +3,4 @@ allow vendor_init bootdevice_sysdev:file create_file_perms; set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_carrier_prop) set_prop(vendor_init, vendor_cbd_prop) +get_prop(vendor_init, vendor_battery_profile_prop) diff --git a/whitechapel_pro/vendor_shell.te b/whitechapel_pro/vendor_shell.te new file mode 100644 index 00000000..ae63f808 --- /dev/null +++ b/whitechapel_pro/vendor_shell.te @@ -0,0 +1,3 @@ +userdebug_or_eng(` + set_prop(vendor_shell, vendor_battery_profile_prop) +') From 87f3dd73e521e379eeca6ef2e2fcf04c97492e25 Mon Sep 17 00:00:00 2001 
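Review bot: The whitechapel_pro/property_contexts hunk rewrites every existing line for column alignment, so the one functional addition, `persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0`, is buried in whitespace churn. I would land the single new line on its own and keep the realignment in a separate no-op commit, which also keeps blame on the property mappings meaningful. The comment `# test battery profile` could also say that the property is only settable on userdebug/eng builds, since that is what the vendor_shell rule in this patch enforces.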
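Review bot: `get_prop(vendor_init, vendor_battery_profile_prop)` is added here unconditionally, whereas the rule it replaces in legacy/vendor_init.te appears to have sat under a `userdebug_or_eng(` block (that hunk's header context), and the matching `set_prop` for vendor_shell in the next hunk is kept inside `userdebug_or_eng`. For a property that property_contexts labels a test battery profile I would keep the read debug-only as well, i.e. wrap the line as `userdebug_or_eng(\`` / `get_prop(vendor_init, vendor_battery_profile_prop)` / `')`. If vendor_init genuinely needs it on user builds, a one-line comment stating why would keep a later cleanup from tightening it back.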
From: Adam Shih Date: Tue, 14 Sep 2021 14:53:26 +0800 Subject: [PATCH 067/900] organize wifi_sniffer Bug: 196916111 Test: boot with wifi_sniffer started Change-Id: I9bd8c7d517a4c264758db52054033cde2d84bf95 --- gs201-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 3814171f..087de580 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk @@ -23,8 +23,5 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext # PowerStats HAL BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats -# Sniffer Logger -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer - # Wifi Logger BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger From 48a9994ea4bd119be94fbaa8d42aca808ee03ec7 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 22 Sep 2021 11:04:27 +0800 Subject: [PATCH 068/900] remove obsolete sepolicy setting ROM 7726471 does not have wlcfwupdate Bug: 196916111 Test: build pass Change-Id: I390552aa75a0139be2e23074f781c5aba513b4d5 --- legacy/file.te | 2 -- legacy/file_contexts | 3 --- legacy/wlcfwupdate.te | 12 ------------ 3 files changed, 17 deletions(-) delete mode 100644 legacy/wlcfwupdate.te diff --git a/legacy/file.te b/legacy/file.te index a2eb405b..7938444f 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -127,8 +127,6 @@ type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject; # UWB vendor type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; -# WLC FW -type vendor_wlc_fwupdata_file, vendor_file_type, file_type; # # USF file SELinux type enforcements. # diff --git a/legacy/file_contexts b/legacy/file_contexts index 6fbb7293..148e75b0 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -222,9 +222,6 @@ # Wifi Firmware config update /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -# WLC FW update -/vendor/bin/wlc_upt/p9412_mtp u:object_r:vendor_wlc_fwupdata_file:s0 -/vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0 # # USF SELinux file security contexts. # diff --git a/legacy/wlcfwupdate.te b/legacy/wlcfwupdate.te deleted file mode 100644 index 37c29484..00000000 --- a/legacy/wlcfwupdate.te +++ /dev/null @@ -1,12 +0,0 @@ -# wlcfwupdate service -type wlcfwupdate, domain; -type wlcfwupdate_exec, vendor_file_type, exec_type, file_type; - -init_daemon_domain(wlcfwupdate) - -allow wlcfwupdate sysfs_batteryinfo:dir search; -allow wlcfwupdate sysfs_batteryinfo:file r_file_perms; -allow wlcfwupdate sysfs_wlc:dir search; -allow wlcfwupdate sysfs_wlc:file rw_file_perms; -allow wlcfwupdate vendor_toolbox_exec:file execute_no_trans; -allow wlcfwupdate vendor_wlc_fwupdata_file:file execute_no_trans; From 76b0758e9e8f4971dfc0bbd82630eec4788f4b2d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 22 Sep 2021 11:36:00 +0800 Subject: [PATCH 069/900] review hal_thermal_default Bug: 196916111 Test: boot to home Change-Id: I6e804abe5761dae7a2563fbb514da293e7988fce --- legacy/hal_thermal_default.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 legacy/hal_thermal_default.te diff --git a/legacy/hal_thermal_default.te b/legacy/hal_thermal_default.te deleted file mode 100644 index 491035ee..00000000 --- a/legacy/hal_thermal_default.te +++ /dev/null @@ -1,3 +0,0 @@ -allow hal_thermal_default self:netlink_generic_socket create_socket_perms_no_ioctl; -allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; -allow hal_thermal_default sysfs_odpm:file r_file_perms; From 81ab5aceb9ab4e84fb682cd1c566a4eacf1a2ff1 Mon Sep 17 00:00:00 2001 
From: Arthur Ishiguro Date: Thu, 23 Sep 2021 10:20:24 -0700 Subject: [PATCH 070/900] Add Context Hub AIDL to gs201 sepolicy Bug: 194285834 Test: None Change-Id: Ife9b43cad3b3c500f549e72b4deda1836f6d79a0 --- legacy/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/legacy/file_contexts b/legacy/file_contexts index 148e75b0..29769766 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -125,7 +125,7 @@ /data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0 # Contexthub -/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 # TCP logging /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 From 53641894ebb2dce72c448a36616fdde0af2c9fdd Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 22 Sep 2021 11:41:51 +0800 Subject: [PATCH 071/900] use gs101 neuralnetwork armnn Bug: 196916111 Test: boot with armnn started Change-Id: I50b1968034c60f922e679205e68841d63aadf5ae --- legacy/file_contexts | 3 --- legacy/hal_neuralnetworks_armnn.te | 9 --------- 2 files changed, 12 deletions(-) delete mode 100644 legacy/hal_neuralnetworks_armnn.te diff --git a/legacy/file_contexts b/legacy/file_contexts index 29769766..c774cea4 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -156,9 +156,6 @@ # Battery /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 -# NeuralNetworks file contexts -/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 - # GRIL /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 diff --git a/legacy/hal_neuralnetworks_armnn.te b/legacy/hal_neuralnetworks_armnn.te deleted file mode 100644 index c9872853..00000000 --- a/legacy/hal_neuralnetworks_armnn.te +++ /dev/null 
@@ -1,9 +0,0 @@ -type hal_neuralnetworks_armnn, domain; -hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks) - -type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type; - -allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms; - -init_daemon_domain(hal_neuralnetworks_armnn) - From 962e580a3ca40e8440d849176dd32fd21b03368f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 27 Sep 2021 09:42:14 +0800 Subject: [PATCH 072/900] review hal_wlc Bug: 201230944 Test: boot with hal_wlc started Change-Id: I81d5ff7ed4745fb6d760f59c6acc50cc1732c95e --- legacy/file_contexts | 2 -- legacy/genfs_contexts | 38 -------------------------- legacy/hwservice.te | 3 -- legacy/hwservice_contexts | 3 -- legacy/platform_app.te | 3 -- whitechapel_pro/file_contexts | 1 + {legacy => whitechapel_pro}/hal_wlc.te | 6 +--- whitechapel_pro/hwservice.te | 3 ++ whitechapel_pro/hwservice_contexts | 3 ++ 9 files changed, 8 insertions(+), 54 deletions(-) rename {legacy => whitechapel_pro}/hal_wlc.te (67%) diff --git a/legacy/file_contexts b/legacy/file_contexts index c774cea4..b012c7cf 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -18,8 +18,6 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs201 u:object_r:hal_bootctl_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs201 u:object_r:hal_power_stats_default_exec:s0 -# Wireless charger HAL -/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 # # Exynos Devices diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts index 51dcf58b..c6c005b1 100644 --- a/legacy/genfs_contexts +++ b/legacy/genfs_contexts 
@@ -1,46 +1,8 @@ # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 -# Battery -genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 -# Slider -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050 u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -# Whitefin -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050 u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply u:object_r:sysfs_batteryinfo:s0 -# R4 / P7 LunchBox -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 -# O6 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 - -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0 - # Storage genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 diff --git a/legacy/hwservice.te b/legacy/hwservice.te index b72da6e8..edb3763c 100644 --- a/legacy/hwservice.te +++ b/legacy/hwservice.te 
@@ -4,9 +4,6 @@ type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type; # rild service type hal_exynos_rild_hwservice, hwservice_manager_type; -# WLC -type hal_wlc_hwservice, hwservice_manager_type; - # Bluetooth HAL extension type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; diff --git a/legacy/hwservice_contexts b/legacy/hwservice_contexts index 901c6af8..4895c5b3 100644 --- a/legacy/hwservice_contexts +++ b/legacy/hwservice_contexts @@ -6,9 +6,6 @@ vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_conf android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0 android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0 -# Wireless charger hal -vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 - # Bluetooth HAL extension hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 diff --git a/legacy/platform_app.te b/legacy/platform_app.te index d8fde3a3..acff39cd 100644 --- a/legacy/platform_app.te +++ b/legacy/platform_app.te @@ -1,9 +1,6 @@ binder_call(platform_app, rild) allow platform_app hal_exynos_rild_hwservice:hwservice_manager find; -allow platform_app hal_wlc_hwservice:hwservice_manager find; -binder_call(platform_app, hal_wlc) - allow platform_app nfc_service:service_manager find; allow platform_app uwb_service:service_manager find; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 0b0b707b..ee09864b 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -16,6 +16,7 @@ /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/legacy/hal_wlc.te b/whitechapel_pro/hal_wlc.te similarity index 67% rename from legacy/hal_wlc.te rename to whitechapel_pro/hal_wlc.te index 891853c9..bd72d1dc 100644 --- a/legacy/hal_wlc.te +++ b/whitechapel_pro/hal_wlc.te @@ -6,11 +6,7 @@ hwbinder_use(hal_wlc) add_hwservice(hal_wlc, hal_wlc_hwservice) get_prop(hal_wlc, hwservicemanager_prop) -r_dir_file(hal_wlc, sysfs_batteryinfo) -allow hal_wlc sysfs_wlc:dir r_dir_perms; -allow hal_wlc sysfs_wlc:file rw_file_perms; - allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; binder_call(hal_wlc, platform_app) -binder_call(hal_wlc, system_app) \ No newline at end of file +binder_call(hal_wlc, system_app) diff --git a/whitechapel_pro/hwservice.te b/whitechapel_pro/hwservice.te index 9c041ba7..cdae523d 100644 --- a/whitechapel_pro/hwservice.te +++ b/whitechapel_pro/hwservice.te @@ -4,3 +4,6 @@ type hal_vendor_oem_hwservice, hwservice_manager_type; # GRIL service type hal_radioext_hwservice, hwservice_manager_type; +# WLC +type hal_wlc_hwservice, hwservice_manager_type; + diff --git a/whitechapel_pro/hwservice_contexts b/whitechapel_pro/hwservice_contexts index 6453a566..ab89ba82 100644 --- a/whitechapel_pro/hwservice_contexts +++ b/whitechapel_pro/hwservice_contexts 
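Review bot: After this hunk `binder_call(hal_wlc, platform_app)` and `binder_call(hal_wlc, system_app)` are retained, but the client side, `allow platform_app hal_wlc_hwservice:hwservice_manager find;` and `binder_call(platform_app, hal_wlc)`, is deleted from legacy/platform_app.te in the same patch and nothing re-adds it here. Unless those rules exist in another policy directory, no app domain can locate the wireless charger HAL, the retained callback rules are dead policy, and the stated boot test only shows the HAL starting, not a client using it. I would move the platform_app rules alongside these, or add `# client find/binder_call rules are granted per device` so the asymmetry is visibly deliberate. The first five lines of hal_wlc.te are outside this hunk.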
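Review bot: `type hal_wlc_hwservice, hwservice_manager_type;` omits `vendor_hwservice_type`, while the other vendor-defined hwservice in this policy set, `hal_bluetooth_coexistence_hwservice`, declares it. Vendor-provided hwservices are expected to carry that attribute so the platform's Treble checks and the `hal_attribute_hwservice` machinery treat them as vendor interfaces; since the type is being re-homed anyway, this is the moment to write `type hal_wlc_hwservice, hwservice_manager_type, vendor_hwservice_type;`. The hunk also adds a trailing blank line after the new type, which I would drop.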
@@ -1,6 +1,9 @@ # dmd HAL vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0 +# Wireless charger hal +vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 + # rild HAL vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0 From ad68e7dc96c8261a2d4e87ce1dfdcff6de3f95ca Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 27 Sep 2021 10:07:37 +0800 Subject: [PATCH 073/900] remove hal_health_default It will be easier to review it through boot test Bug: 201230944 Test: boot to home Change-Id: I5008c4054ce04f062a8ca01a1e2bfd4cfe8daf70 --- legacy/file.te | 4 ---- legacy/file_contexts | 8 -------- legacy/genfs_contexts | 14 -------------- legacy/hal_health_default.te | 14 -------------- legacy/property.te | 3 --- legacy/property_contexts | 3 --- whitechapel_pro/file.te | 2 ++ whitechapel_pro/file_contexts | 1 + whitechapel_pro/genfs_contexts | 16 ++++++++++++++++ whitechapel_pro/property.te | 1 + whitechapel_pro/property_contexts | 3 +++ 11 files changed, 23 insertions(+), 46 deletions(-) delete mode 100644 legacy/hal_health_default.te diff --git a/legacy/file.te b/legacy/file.te index 7938444f..089cb81a 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -58,7 +58,6 @@ type sysfs_wifi, sysfs_type, fs_type; type updated_wifi_firmware_data_file, file_type, data_file_type; # Storage Health HAL -type sysfs_scsi_devices_0000, sysfs_type, fs_type; type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; @@ -99,9 +98,6 @@ type sysfs_bcl, sysfs_type, fs_type; type sysfs_chip_id, sysfs_type, fs_type; type sysfs_spi, sysfs_type, fs_type; -# Battery -type persist_battery_file, file_type, vendor_persist_type; - # CPU type sysfs_cpu, sysfs_type, fs_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index b012c7cf..5b23d699 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -110,11 +110,6 @@ /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 -# thermal sysfs files -/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0 -/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0 - - # IMS VoWiFi /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/vendor/VoWiFi(/.*)? u:object_r:vendor_ims_data_file:s0 @@ -151,9 +146,6 @@ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /dev/trusty-log0 u:object_r:logbuffer_device:s0 -# Battery -/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 - # GRIL /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts index c6c005b1..10f8d01f 100644 --- a/legacy/genfs_contexts +++ b/legacy/genfs_contexts 
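Review bot: Dropping `/sys/class/thermal(/.*)?` and `/sys/devices/virtual/thermal(/.*)?` returns those nodes to the generic sysfs label, and unlike the battery, UFS and property entries in this patch they are not re-added under whitechapel_pro. The deleted hal_health_default.te later in the patch shows at least one domain wrote to them (`allow hal_health_default sysfs_thermal:file w_file_perms;`), and a write to plain `sysfs` is not something the planned boot-test review can simply grant back. If thermal sysfs is labeled by another policy directory, a comment `# thermal sysfs labeled in <dir>` here would record that; otherwise the `sysfs_thermal` contexts should move with the rest.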
@@ -7,20 +7,6 @@ genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 -genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 # Tethering genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/gadget/net u:object_r:sysfs_net:s0 diff --git a/legacy/hal_health_default.te b/legacy/hal_health_default.te deleted file mode 100644 index a684dcc2..00000000 --- a/legacy/hal_health_default.te +++ /dev/null 
@@ -1,14 +0,0 @@ -allow hal_health_default mnt_vendor_file:dir search; -allow hal_health_default persist_file:dir search; -allow hal_health_default persist_battery_file:file create_file_perms; -allow hal_health_default persist_battery_file:dir rw_dir_perms; - -set_prop(hal_health_default, vendor_battery_defender_prop) -r_dir_file(hal_health_default, sysfs_scsi_devices_0000) - -allow hal_health_default sysfs_wlc:dir search; -allow hal_health_default sysfs_batteryinfo:file w_file_perms; -allow hal_health_default sysfs_thermal:dir search; -allow hal_health_default sysfs_thermal:file w_file_perms; -allow hal_health_default sysfs_thermal:lnk_file read; -allow hal_health_default thermal_link_device:dir search; diff --git a/legacy/property.te b/legacy/property.te index 0218944d..67cdc061 100644 --- a/legacy/property.te +++ b/legacy/property.te @@ -14,9 +14,6 @@ vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_gps_prop) -# Battery defender -vendor_internal_prop(vendor_battery_defender_prop) - # Logger vendor_internal_prop(vendor_logger_prop) diff --git a/legacy/property_contexts b/legacy/property_contexts index 5a5cb4cc..60fe7594 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts @@ -37,9 +37,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for gps vendor.gps u:object_r:vendor_gps_prop:s0 -# Battery -vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 - # Touchpanel vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0 diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index e12181d1..27e8be52 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -18,6 +18,7 @@ type sysfs_chosen, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; type sysfs_display, sysfs_type, fs_type; +type sysfs_scsi_devices_0000, sysfs_type, fs_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; @@ -26,6 +27,7 @@ allow modem_img_file self:filesystem associate; # persist type persist_modem_file, file_type, vendor_persist_type; type persist_ss_file, file_type, vendor_persist_type; +type persist_battery_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index ee09864b..274c6793 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -84,6 +84,7 @@ # Persist /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 +/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 # Extra mount images /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 3cd39732..28d6907e 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -7,3 +7,19 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +# Storage +genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 + diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 6f716705..ca8bd10c 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te 
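Review bot: This group puts read-only statistics (`io_stats`, `err_stats`, `health_descriptor`, `ufs_stats`) and writable control knobs (`manual_gc`, `clkgate_enable`, `hibern8_on_idle_enable`) under the single label `sysfs_scsi_devices_0000`, so any domain later granted `rw_file_perms` on it for the stats also gains the knobs; the legacy hal_health_storage_default rule deleted in patch 074 below did exactly that. Carrying the label over verbatim is fine for the move, but a comment such as `# manual_gc/clkgate_enable/hibern8_on_idle_enable are writable controls; grant write per node, not on the whole label` would keep the follow-up boot-test review from re-granting rw wholesale. The hunk also leaves a trailing blank line after `ufs_stats`.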
@@ -10,4 +10,5 @@ vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_nfc_prop) vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_battery_profile_prop) +vendor_internal_prop(vendor_battery_defender_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 9a5b6bd3..e0ea01fd 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -36,6 +36,9 @@ vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 # test battery profile persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 +# Battery +vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 + # NFC persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 From 8c532b1a651d67f5a336538ca7772f312f42f1e7 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 27 Sep 2021 10:46:52 +0800 Subject: [PATCH 074/900] remove un-reviewable sepolicy Bug: 196916111 Test: boot to home Change-Id: Idac79eece3a2e36eca8ad1b1e0ffc8d771f445d3 --- legacy/hal_health_storage_default.te | 3 --- legacy/kernel.te | 9 --------- legacy/platform_app.te | 20 -------------------- legacy/priv_app.te | 9 --------- legacy/untrusted_app_all.te | 3 --- 5 files changed, 44 deletions(-) delete mode 100644 legacy/hal_health_storage_default.te delete mode 100644 legacy/kernel.te delete mode 100644 legacy/platform_app.te delete mode 100644 legacy/priv_app.te delete mode 100644 legacy/untrusted_app_all.te diff --git a/legacy/hal_health_storage_default.te b/legacy/hal_health_storage_default.te deleted file mode 100644 index 2aa0881e..00000000 --- a/legacy/hal_health_storage_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# Access to /sys/devices/platform/14700000.ufs/* -allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms; -allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms; diff --git a/legacy/kernel.te b/legacy/kernel.te deleted file mode 100644 index 0156784e..00000000 
--- a/legacy/kernel.te +++ /dev/null @@ -1,9 +0,0 @@ -allow kernel vendor_fw_file:dir search; -allow kernel vendor_fw_file:file r_file_perms; - -# ZRam -allow kernel per_boot_file:file r_file_perms; - -# memlat needs permision to create/delete perf events when hotplug on/off -allow kernel self:capability2 perfmon; -allow kernel self:perf_event cpu; diff --git a/legacy/platform_app.te b/legacy/platform_app.te deleted file mode 100644 index acff39cd..00000000 --- a/legacy/platform_app.te +++ /dev/null @@ -1,20 +0,0 @@ -binder_call(platform_app, rild) -allow platform_app hal_exynos_rild_hwservice:hwservice_manager find; - -allow platform_app nfc_service:service_manager find; -allow platform_app uwb_service:service_manager find; - -allow platform_app fwk_stats_service:service_manager find; -binder_use(platform_app) - -allow platform_app touch_context_service:service_manager find; - -# Fingerprint (UDFPS) GHBM/LHBM toggle -get_prop(platform_app, fingerprint_ghbm_prop) - -# TODO(b/184768835): remove this once the bug is fixed -# Fingerprint (UDFPS) LHBM access -userdebug_or_eng(` - allow platform_app sysfs_leds:dir search; - allow platform_app sysfs_lhbm:file rw_file_perms; -') diff --git a/legacy/priv_app.te b/legacy/priv_app.te deleted file mode 100644 index a9b49c33..00000000 --- a/legacy/priv_app.te +++ /dev/null @@ -1,9 +0,0 @@ -# Allows privileged applications to discover the EdgeTPU service. -allow priv_app edgetpu_app_service:service_manager find; - -# Allows privileged applications to discover the NNAPI TPU service. -allow priv_app edgetpu_nnapi_service:service_manager find; - -# Allows privileged applications to access the EdgeTPU device, except open, -# which is guarded by the EdgeTPU service. -allow priv_app edgetpu_device:chr_file { getattr read write ioctl map }; diff --git a/legacy/untrusted_app_all.te b/legacy/untrusted_app_all.te deleted file mode 100644 index a4d8beb8..00000000 --- a/legacy/untrusted_app_all.te +++ /dev/null 
@@ -1,3 +0,0 @@ -# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap -# for secure video playback -allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; From cc911a8963e614856404d66b9e77e6a374a5176b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 28 Sep 2021 13:19:35 +0800 Subject: [PATCH 075/900] remove obsolete setting Bug: 196916111 Test: boot to home Change-Id: I7488b9d0789a002457891e0287d394ca281e945d --- legacy/file_contexts | 1 - legacy/hal_vendor_hwcservice_default.te | 4 ---- 2 files changed, 5 deletions(-) delete mode 100644 legacy/hal_vendor_hwcservice_default.te diff --git a/legacy/file_contexts b/legacy/file_contexts index 5b23d699..545e2630 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -2,7 +2,6 @@ # Exynos HAL # /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 -/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 diff --git a/legacy/hal_vendor_hwcservice_default.te b/legacy/hal_vendor_hwcservice_default.te deleted file mode 100644 index 0cd13b33..00000000 --- a/legacy/hal_vendor_hwcservice_default.te +++ /dev/null @@ -1,4 +0,0 @@ -type hal_vendor_hwcservice_default, domain; -type hal_vendor_hwcservice_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_vendor_hwcservice_default) - From 758dd9c309eb1d5adbf3a5354a7f2e10aa32bb89 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 28 Sep 2021 13:53:12 +0800 Subject: [PATCH 076/900] review hal_power_default related contexts Bug: 201230944 Test: make sure all contexts setting take effect Change-Id: I1e3be99700560583153e70efdd21de5356b97c74 --- legacy/device.te | 3 --- legacy/file.te | 6 ------ legacy/file_contexts | 4 ---- legacy/genfs_contexts | 10 ---------- legacy/hal_power_default.te | 12 ------------ legacy/property.te | 3 --- legacy/property_contexts | 6 ------ whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/property.te | 1 + whitechapel_pro/property_contexts | 5 ++++- 11 files changed, 9 insertions(+), 45 deletions(-) delete mode 100644 legacy/hal_power_default.te diff --git a/legacy/device.te b/legacy/device.te index 8ec9f8ea..11d87f51 100644 --- a/legacy/device.te +++ b/legacy/device.te @@ -4,9 +4,6 @@ type vendor_toe_device, dev_type; # usbpd type logbuffer_device, dev_type; -#cpuctl -type cpuctl_device, dev_type; - # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; diff --git a/legacy/file.te b/legacy/file.te index 089cb81a..55024373 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -101,12 +101,6 @@ type sysfs_spi, sysfs_type, fs_type; # CPU type sysfs_cpu, sysfs_type, fs_type; -# GPU -type sysfs_gpu, sysfs_type, fs_type; - -# Fabric -type sysfs_fabric, sysfs_type, fs_type; - # Memory type sysfs_memory, sysfs_type, fs_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 545e2630..f773d4fa 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -2,7 +2,6 @@ # Exynos HAL # /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 -/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 @@ -171,9 +170,6 @@ # Zram /data/per_boot(/.*)? u:object_r:per_boot_file:s0 -# cpuctl -/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0 - # ODPM /data/vendor/powerstats(/.*)? u:object_r:odpm_config_file:s0 diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts index 10f8d01f..116159b2 100644 --- a/legacy/genfs_contexts +++ b/legacy/genfs_contexts @@ -150,9 +150,6 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 -# Devfreq directory -genfscon sysfs /class/devfreq u:object_r:sysfs_devfreq_dir:s0 - # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 
@@ -163,13 +160,6 @@ genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_t genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0 genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 -# Fabric -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0 -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 - -# GPU -genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 - # nvmem (Non Volatile Memory layer) genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 diff --git a/legacy/hal_power_default.te b/legacy/hal_power_default.te deleted file mode 100644 index 4b95db79..00000000 --- a/legacy/hal_power_default.te +++ /dev/null @@ -1,12 +0,0 @@ -allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms; -allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms; -allow hal_power_default sysfs_fs_f2fs:file rw_file_perms; -allow hal_power_default sysfs_vendor_sched:file rw_file_perms; -allow hal_power_default cpuctl_device:file rw_file_perms; -allow hal_power_default sysfs_gpu:file rw_file_perms; -allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms; -allow hal_power_default sysfs_fabric:file rw_file_perms; -allow hal_power_default sysfs_display:file rw_file_perms; -set_prop(hal_power_default, vendor_camera_prop) -set_prop(hal_power_default, vendor_camera_debug_prop) -set_prop(hal_power_default, vendor_camera_fatp_prop) diff --git a/legacy/property.te b/legacy/property.te index 67cdc061..f07518c6 100644 --- a/legacy/property.te +++ b/legacy/property.te 
@@ -9,9 +9,6 @@ vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_codec2_debug_prop) vendor_internal_prop(vendor_display_prop) -vendor_internal_prop(vendor_camera_prop) -vendor_internal_prop(vendor_camera_debug_prop) -vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_gps_prop) # Logger diff --git a/legacy/property_contexts b/legacy/property_contexts index 60fe7594..94d5b905 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts @@ -28,12 +28,6 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0 # for display ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 -# for camera -persist.vendor.camera. u:object_r:vendor_camera_prop:s0 -vendor.camera. u:object_r:vendor_camera_prop:s0 -vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 -vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 - # for gps vendor.gps u:object_r:vendor_gps_prop:s0 diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 27e8be52..4715d437 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -19,6 +19,7 @@ type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; type sysfs_display, sysfs_type, fs_type; type sysfs_scsi_devices_0000, sysfs_type, fs_type; +type sysfs_fabric, sysfs_type, fs_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 28d6907e..187f25cd 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -1,5 +1,8 @@ genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 +# Fabric +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 + # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index ca8bd10c..91a5b7a1 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -11,4 +11,5 @@ vendor_internal_prop(vendor_nfc_prop) vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_battery_profile_prop) vendor_internal_prop(vendor_battery_defender_prop) +vendor_internal_prop(vendor_camera_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index e0ea01fd..e4417843 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -37,7 +37,7 @@ vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 # Battery -vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 +vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 # NFC persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 @@ -49,3 +49,6 @@ persist.vendor.se. u:object_r:vendor_secure_element_prop vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 +# Camera +vendor.camera. u:object_r:vendor_camera_prop:s0 + From fb11c9aaa06e8e62f46b9de9a42328fd13fdc441 Mon Sep 17 00:00:00 2001 
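Review bot: Only `vendor.camera.` is re-added here, while the `legacy/property_contexts` hunk in this same patch drops `persist.vendor.camera.` together with `vendor.camera.debug.` and `vendor.camera.fatp.`. Unless another `whitechapel_pro` file still labels it, `persist.vendor.camera.*` presumably falls back to the platform's catch-all vendor property label, and the debug and fatp namespaces, which previously had their own types with their own `set_prop` grants, are now folded into `vendor_camera_prop`, so one `set_prop` covers all three. If that merge is intended, say so in the `# Camera` comment; otherwise add `persist.vendor.camera. u:object_r:vendor_camera_prop:s0` and keep distinct types for the debug/fatp prefixes. The `vendor.battery.defender.` line in the hunk above changes only in whitespace, which is fine but worth a word in the commit message.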
From: Adam Shih Date: Tue, 28 Sep 2021 14:05:18 +0800 Subject: [PATCH 077/900] restore rlsservice 01-01 20:00:12.304 425 425 E SELinux : avc: denied { add } for pid=704 uid=1000 name=rlsservice scontext=u:r:rlsservice:s0 tcontext=u:object_r:default_android_vndservice:s0 tclass=service_manager permissive=1 01-01 20:00:11.374 1 1 I SELinux : Context u:object_r:rlsservice_exec:s0 is not valid (left unmapped). rlsservice uses apex, that's why it cannot be found in vendor.img Bug: 196916111 Test: boot with rlsservice started Change-Id: I8e052d75473f9431bbaeafb74d0e4043b02a1b51 --- legacy/vndservice.te | 1 - whitechapel_pro/rlsservice.te | 4 ++++ whitechapel_pro/vndservice.te | 3 ++- whitechapel_pro/vndservice_contexts | 1 + 4 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 whitechapel_pro/rlsservice.te create mode 100644 whitechapel_pro/vndservice_contexts diff --git a/legacy/vndservice.te b/legacy/vndservice.te index f70a26fe..322aaf44 100644 --- a/legacy/vndservice.te +++ b/legacy/vndservice.te @@ -1,4 +1,3 @@ -type rls_service, vndservice_manager_type; type vendor_surfaceflinger_vndservice, vndservice_manager_type; type vendor_displaycolor_service, vndservice_manager_type; type eco_service, vndservice_manager_type; diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te new file mode 100644 index 00000000..e15cc498 --- /dev/null +++ b/whitechapel_pro/rlsservice.te @@ -0,0 +1,4 @@ +type rlsservice, domain; +type rlsservice_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(rlsservice) diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te index 75c2bc5b..bc886191 100644 --- a/whitechapel_pro/vndservice.te +++ b/whitechapel_pro/vndservice.te @@ -1 +1,2 @@ -type hal_power_stats_vendor_service, vndservice_manager_type; +type hal_power_stats_vendor_service, vndservice_manager_type; +type rls_service, vndservice_manager_type; 
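Review bot: The new `rlsservice.te` only declares the domain and its exec type, so the denial quoted in the commit message, `{ add }` on `service_manager`, is not actually resolved: nothing grants `rlsservice` the vndbinder access or the right to register `rls_service`. Unless those rules live in a file outside this patch, `rlsservice` will still be unable to register in enforcing mode, and the denial log shown was captured with `permissive=1`, so other missing rules may be hiding behind this one. Proposed lines after `init_daemon_domain(rlsservice)`: `vndbinder_use(rlsservice)` and `allow rlsservice rls_service:service_manager { add find };`. Since the binary ships in an APEX and therefore has no `file_contexts` entry here, a comment such as `# rlsservice_exec is labeled by the APEX's own file_contexts` would save the next reader the search.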
diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts new file mode 100644 index 00000000..66cab482 --- /dev/null +++ b/whitechapel_pro/vndservice_contexts @@ -0,0 +1 @@ +rlsservice u:object_r:rls_service:s0 From 7ac4d6ae8ce2df9c4b8492199f9e0fe91b6ef2f5 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 28 Sep 2021 14:42:35 +0800 Subject: [PATCH 078/900] review hal_power_stats_default Bug: 201230944 Test: make sure all file contexts took effect Change-Id: Ifefb09f69b722747ccbb1c8cfbd423b27204e4e4 --- legacy/file.te | 16 ------------- legacy/file_contexts | 4 ---- legacy/genfs_contexts | 38 ------------------------------- legacy/hal_dumpstate_default.te | 1 - legacy/hal_power_stats_default.te | 20 ---------------- whitechapel_pro/file.te | 2 ++ whitechapel_pro/genfs_contexts | 6 +++++ 7 files changed, 8 insertions(+), 79 deletions(-) delete mode 100644 legacy/hal_power_stats_default.te diff --git a/legacy/file.te b/legacy/file.te index 55024373..f39684a5 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -28,9 +28,6 @@ type vendor_battery_debugfs, fs_type, debugfs_type; type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; -# ACPM -type sysfs_acpm_stats, sysfs_type, fs_type; - # Vendor tools type vendor_usf_stats, vendor_file_type, file_type; type vendor_usf_reg_edit, vendor_file_type, file_type; @@ -51,9 +48,6 @@ type sysfs_iommu, sysfs_type, fs_type; type sysfs_devicetree, sysfs_type, fs_type; type sysfs_mem, sysfs_type, fs_type; -# WiFi -type sysfs_wifi, sysfs_type, fs_type; - # All files under /data/vendor/firmware/wifi type updated_wifi_firmware_data_file, file_type, data_file_type; 
@@ -82,25 +76,15 @@ type vendor_camera_data_file, file_type, data_file_type; # Display type persist_display_file, file_type, vendor_persist_type; -# Backlight -type sysfs_backlight, sysfs_type, fs_type; - # Charger type sysfs_chargelevel, sysfs_type, fs_type; -# ODPM -type odpm_config_file, file_type, data_file_type; -type sysfs_odpm, sysfs_type, fs_type; - # bcl type sysfs_bcl, sysfs_type, fs_type; type sysfs_chip_id, sysfs_type, fs_type; type sysfs_spi, sysfs_type, fs_type; -# CPU -type sysfs_cpu, sysfs_type, fs_type; - # Memory type sysfs_memory, sysfs_type, fs_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index f773d4fa..9b04dedf 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -15,7 +15,6 @@ # /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs201 u:object_r:hal_bootctl_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs201 u:object_r:hal_power_stats_default_exec:s0 # # Exynos Devices @@ -170,9 +169,6 @@ # Zram /data/per_boot(/.*)? u:object_r:per_boot_file:s0 -# ODPM -/data/vendor/powerstats(/.*)? u:object_r:odpm_config_file:s0 - # sensor direct DMA-BUF heap /dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0 diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts index 116159b2..53fb3ea5 100644 --- a/legacy/genfs_contexts +++ b/legacy/genfs_contexts @@ -1,6 +1,3 @@ -# WiFi -genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 - genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 # Storage 
@@ -63,25 +60,6 @@ genfscon proc /bluetooth/sleep/btwrite genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0 -# ODPM -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 - -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 - # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 
@@ -128,28 +106,12 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wak genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -# ACPM -genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 - genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0 # Exynos genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0 genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0 -# CPU -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/1c500000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 - # Devfreq current frequency genfscon sysfs 
/devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 diff --git a/legacy/hal_dumpstate_default.te b/legacy/hal_dumpstate_default.te index 06b14db5..0c02ff48 100644 --- a/legacy/hal_dumpstate_default.te +++ b/legacy/hal_dumpstate_default.te @@ -5,7 +5,6 @@ allow hal_dumpstate_default sysfs_bcmdhd:dir search; allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms; allow hal_dumpstate_default sysfs_memory:file r_file_perms; -allow hal_dumpstate_default sysfs_cpu:file r_file_perms; vndbinder_use(hal_dumpstate_default) diff --git a/legacy/hal_power_stats_default.te b/legacy/hal_power_stats_default.te deleted file mode 100644 index 497350c6..00000000 --- a/legacy/hal_power_stats_default.te +++ /dev/null @@ -1,20 +0,0 @@ -allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms; -allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms; - -# getStats AIDL callback to each power entry -binder_call(hal_power_stats_default, hal_bluetooth_btlinux) - -r_dir_file(hal_power_stats_default, sysfs_iio_devices) -allow hal_power_stats_default odpm_config_file:dir search; -allow hal_power_stats_default odpm_config_file:file r_file_perms; -allow hal_power_stats_default sysfs_odpm:dir search; -allow hal_power_stats_default sysfs_odpm:file rw_file_perms; - -binder_call(hal_power_stats_default, citadeld) -r_dir_file(hal_power_stats_default, sysfs_aoc) -r_dir_file(hal_power_stats_default, sysfs_cpu) -r_dir_file(hal_power_stats_default, sysfs_leds) -r_dir_file(hal_power_stats_default, sysfs_acpm_stats) -r_dir_file(hal_power_stats_default, sysfs_wifi) -r_dir_file(hal_power_stats_default, sysfs_backlight) -r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4715d437..3169979e 100644 
--- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -20,6 +20,8 @@ type bootdevice_sysdev, dev_type; type sysfs_display, sysfs_type, fs_type; type sysfs_scsi_devices_0000, sysfs_type, fs_type; type sysfs_fabric, sysfs_type, fs_type; +type sysfs_acpm_stats, sysfs_type, fs_type; +type sysfs_wifi, sysfs_type, fs_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 187f25cd..f11d6a37 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -1,5 +1,11 @@ genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 +# WiFi +genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 + +# ACPM +genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 + # Fabric genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 From 82cdc92c8447c786513054f2c66ed5fe15a11e27 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 30 Sep 2021 11:00:43 +0800 Subject: [PATCH 079/900] review hal_usb Bug: 201599187 Test: boot with hal_usb_impl started Change-Id: I77875c6911f6582454d666a57ed59cc1e386885b --- legacy/file_contexts | 2 -- legacy/hal_usb_impl.te | 13 ------------- legacy/property.te | 1 - legacy/property_contexts | 4 ---- whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_usb_impl.te | 4 ++++ whitechapel_pro/property.te | 1 + whitechapel_pro/property_contexts | 4 ++++ 8 files changed, 10 insertions(+), 20 deletions(-) delete mode 100644 legacy/hal_usb_impl.te create mode 100644 whitechapel_pro/hal_usb_impl.te diff --git a/legacy/file_contexts b/legacy/file_contexts index 9b04dedf..b754bb1c 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
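Review bot: `sysfs_wifi` and `sysfs_acpm_stats` are re-declared and these two `genfscon` entries re-label `/sys/wifi` and `/sys/devices/platform/acpm_stats`, but their only reader visible in this repo, `hal_power_stats_default`, loses both its `.te` file and its `hal_power_stats_default_exec` `file_contexts` entry in this same patch, and neither is re-added under `whitechapel_pro`. If `android.hardware.power.stats@1.0-service.gs201` still ships, its binary will fall back to the generic vendor label and init should refuse to launch a service with no domain transition, which the stated test ("all file contexts took effect") would not catch. If the HAL is gone for good these two types and labels are dead policy; if not, the exec label and a minimal `whitechapel_pro/hal_power_stats_default.te` with `r_dir_file(hal_power_stats_default, sysfs_wifi)` and `r_dir_file(hal_power_stats_default, sysfs_acpm_stats)` should come back with them. A short `# consumer: power.stats HAL` note on the `# WiFi` and `# ACPM` entries would make the intent recoverable either way.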
@@ -3,8 +3,6 @@ # /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 - /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 /vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0 diff --git a/legacy/hal_usb_impl.te b/legacy/hal_usb_impl.te deleted file mode 100644 index 14abf59c..00000000 --- a/legacy/hal_usb_impl.te +++ /dev/null @@ -1,13 +0,0 @@ -type hal_usb_impl, domain; -hal_server_domain(hal_usb_impl, hal_usb) -hal_server_domain(hal_usb_impl, hal_usb_gadget) - -type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_usb_impl) - -allow hal_usb_impl functionfs:dir { watch watch_reads }; -set_prop(hal_usb_impl, vendor_usb_config_prop) - -allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; -allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; -allow hal_usb_impl sysfs_extcon:dir search; diff --git a/legacy/property.te b/legacy/property.te index f07518c6..fb13217c 100644 --- a/legacy/property.te +++ b/legacy/property.te @@ -2,7 +2,6 @@ vendor_internal_prop(vendor_prop) vendor_internal_prop(sensors_prop) vendor_internal_prop(vendor_device_prop) -vendor_internal_prop(vendor_usb_config_prop) # vendor defaults vendor_internal_prop(vendor_config_default_prop) vendor_internal_prop(vendor_ro_sys_default_prop) diff --git a/legacy/property_contexts b/legacy/property_contexts index 94d5b905..b96a8fff 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts 
@@ -12,10 +12,6 @@ vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0 vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0 vendor.debug.c2.dump.opt u:object_r:vendor_codec2_debug_prop:s0 -# USB HAL -persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0 -vendor.usb. u:object_r:vendor_usb_config_prop:s0 - # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 274c6793..bebee40f 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -17,6 +17,7 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 +/vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te new file mode 100644 index 00000000..3caf54a2 --- /dev/null +++ b/whitechapel_pro/hal_usb_impl.te @@ -0,0 +1,4 @@ +type hal_usb_impl, domain; + +type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_impl) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 91a5b7a1..cfff8cd5 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -12,4 +12,5 @@ vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_battery_profile_prop) vendor_internal_prop(vendor_battery_defender_prop) vendor_internal_prop(vendor_camera_prop) +vendor_internal_prop(vendor_usb_config_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index e4417843..7bb71c66 100644 
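Review bot: The re-created `hal_usb_impl.te` keeps only the domain, the exec type and `init_daemon_domain`, so `hal_usb_impl` is no longer a `hal_usb` or `hal_usb_gadget` server (the two `hal_server_domain` lines removed from `legacy/hal_usb_impl.te` in this patch are not carried over) and it has no `set_prop` on `vendor_usb_config_prop`, even though this same patch re-adds that property type and its `persist.vendor.usb.`/`vendor.usb.` contexts. In enforcing mode the daemon would start, which matches the stated test, but it could not register the USB HAL or update `vendor.usb.*`. If the plan is to rebuild the domain rule by rule from denials, a `# TODO(b/201599187): rules being rebuilt from denials` comment would make that clear to anyone reading this file on its own; otherwise restore `hal_server_domain(hal_usb_impl, hal_usb)` and `hal_server_domain(hal_usb_impl, hal_usb_gadget)` here.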
--- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -4,6 +4,10 @@ persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0 vendor.sys.dmd. u:object_r:vendor_diag_prop:s0 vendor.sys.diag. u:object_r:vendor_diag_prop:s0 +# USB HAL +persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0 +vendor.usb. u:object_r:vendor_usb_config_prop:s0 + # for slog vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0 vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0 From 5ec277bf7cbee51d357804caf912a5c8ed21df19 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 30 Sep 2021 11:13:35 +0800 Subject: [PATCH 080/900] review hal_wifi Bug: 201599426 Test: boot to home Change-Id: I05538169275a7e8dc7638e075114440abda8c11b --- legacy/file.te | 3 --- legacy/file_contexts | 3 --- legacy/hal_wifi.te | 3 --- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + 5 files changed, 2 insertions(+), 9 deletions(-) delete mode 100644 legacy/hal_wifi.te diff --git a/legacy/file.te b/legacy/file.te index f39684a5..5a688010 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -48,9 +48,6 @@ type sysfs_iommu, sysfs_type, fs_type; type sysfs_devicetree, sysfs_type, fs_type; type sysfs_mem, sysfs_type, fs_type; -# All files under /data/vendor/firmware/wifi -type updated_wifi_firmware_data_file, file_type, data_file_type; - # Storage Health HAL type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index b754bb1c..a0c15b01 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -195,9 +195,6 @@ # Fingerprint /dev/goodix_fp u:object_r:fingerprint_device:s0 -# Wifi Firmware config update -/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 - # # USF SELinux file security contexts. # diff --git a/legacy/hal_wifi.te b/legacy/hal_wifi.te deleted file mode 100644 index e7f657ec..00000000 --- a/legacy/hal_wifi.te +++ /dev/null 
@@ -1,3 +0,0 @@
-# files in /data/vendor/firmware/wifi
-allow hal_wifi updated_wifi_firmware_data_file:dir r_dir_perms;
-allow hal_wifi updated_wifi_firmware_data_file:file r_file_perms;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 3169979e..e2368190 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -5,6 +5,7 @@ type vendor_rfsd_log_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type vendor_slog_file, file_type, data_file_type;
 type radio_vendor_data_file, file_type, data_file_type;
+type updated_wifi_firmware_data_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute vendor_slog_file mlstrustedobject;
 typeattribute radio_vendor_data_file mlstrustedobject;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index bebee40f..b3c9348f 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -81,6 +81,7 @@
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
 
 # Persist
 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
From 618ea304d4e2094a49fb63899e57ebf931f22415 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 30 Sep 2021 14:40:10 +0800 Subject: [PATCH 081/900] review tcpdump_logger Bug: 201599426 Test: boot with tcpdump_logger started Change-Id: I023f48ea45b8d5a2180c91577241e9d9410469a4 --- legacy/file.te | 3 --- legacy/file_contexts | 4 ---- legacy/property.te | 3 --- legacy/property_contexts | 6 ------ whitechapel_pro/file.te | 2 ++ whitechapel_pro/file_contexts | 8 +++++--- whitechapel_pro/property.te | 1 + whitechapel_pro/property_contexts | 4 ++++ {legacy => whitechapel_pro}/tcpdump_logger.te | 0 9 files changed, 12 insertions(+), 19 deletions(-) rename {legacy => whitechapel_pro}/tcpdump_logger.te (100%)
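Review bot: The updated_wifi_firmware_data_file type and its /data/vendor/firmware/wifi label are kept in whitechapel_pro, but the only rules that consumed them, the hal_wifi read permissions in legacy/hal_wifi.te, are deleted in this same commit with no replacement visible. If hal_wifi still loads firmware from that directory those reads are now denied; if nothing reads it, the type and label are dead and could be dropped as well. A comment above the type line in file.te stating which domain is expected to read, and which to write, a firmware directory under /data would make the intent checkable, e.g. `# updatable wifi firmware under /data/vendor/firmware/wifi; readers and writers granted per-domain`.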
diff --git a/legacy/file.te b/legacy/file.te index 5a688010..1f73ec66 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -59,9 +59,6 @@ type per_boot_file, file_type, data_file_type, core_data_file_type; type proc_touch, proc_type, fs_type, mlstrustedobject; type sysfs_touch, sysfs_type, fs_type; -# TCP logging -type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; - # Wireless type sysfs_wlc, sysfs_type, fs_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index a0c15b01..650a1858 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -115,10 +115,6 @@ # Contexthub /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 -# TCP logging -/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 - # Kernel modules related /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 diff --git a/legacy/property.te b/legacy/property.te index fb13217c..465c1b11 100644 --- a/legacy/property.te +++ b/legacy/property.te @@ -16,8 +16,5 @@ vendor_internal_prop(vendor_logger_prop) # Touchpanel vendor_internal_prop(vendor_touchpanel_prop) -# TCP logging -vendor_internal_prop(vendor_tcpdump_log_prop) - # Fingerprint vendor_internal_prop(vendor_fingerprint_fake_prop) diff --git a/legacy/property_contexts b/legacy/property_contexts index b96a8fff..dfdea23f 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts 
@@ -30,11 +30,5 @@ vendor.gps u:object_r:vendor_gps_prop:s0
 # Touchpanel
 vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0
 
-# Tcpdump_logger
-persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
-vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0
-vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
-vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0
-
 # Fingerprint
 vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index e2368190..5904ff5d 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -6,7 +6,9 @@ type modem_stat_data_file, file_type, data_file_type;
 type vendor_slog_file, file_type, data_file_type;
 type radio_vendor_data_file, file_type, data_file_type;
 type updated_wifi_firmware_data_file, file_type, data_file_type;
+type tcpdump_vendor_data_file, file_type, data_file_type;
 userdebug_or_eng(`
+ typeattribute tcpdump_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
 typeattribute radio_vendor_data_file mlstrustedobject;
 ')
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index b3c9348f..094d339b 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
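Review bot: `typeattribute tcpdump_vendor_data_file mlstrustedobject` now sits inside `userdebug_or_eng(` in whitechapel_pro/file.te, whereas the legacy/file.te declaration removed in the preceding hunk carried mlstrustedobject unconditionally, so on user builds an MLS-constrained domain touching /data/vendor/tcpdump_logger is rejected by the MLS constraints even where an allow rule exists. That narrowing looks intentional for a packet-capture tool, but it reads like a partial move; a comment on the type line such as `# packet-capture output; MLS-trusted on debuggable builds only` would record it.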
@@ -6,18 +6,19 @@
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
-/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
+/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
-/vendor/bin/storageproxyd u:object_r:tee_exec:s0
-/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0
+/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
@@ -82,6 +83,7 @@
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
+/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
 
 # Persist
 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index cfff8cd5..56d2ed93 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -13,4 +13,5 @@ vendor_internal_prop(vendor_battery_profile_prop)
 vendor_internal_prop(vendor_battery_defender_prop)
 vendor_internal_prop(vendor_camera_prop)
 vendor_internal_prop(vendor_usb_config_prop)
+vendor_internal_prop(vendor_tcpdump_log_prop)
 
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 7bb71c66..8aa7d100 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -4,6 +4,10 @@ persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
 vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
 vendor.sys.diag. u:object_r:vendor_diag_prop:s0
 
+# Tcpdump_logger
+persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
+
 # USB HAL
 persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
 vendor.usb. u:object_r:vendor_usb_config_prop:s0
diff --git a/legacy/tcpdump_logger.te b/whitechapel_pro/tcpdump_logger.te
similarity index 100%
rename from legacy/tcpdump_logger.te
rename to whitechapel_pro/tcpdump_logger.te
From 3f619c21addeb4f03d049251bb3bb85b294205b4 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 30 Sep 2021 14:10:18 +0800 Subject: [PATCH 082/900] centralize wifi_ext config Bug: 201599426 Test: boot with wifi_ext started Change-Id: I100363628bed970628cd3312a73f6d39bca533ef --- gs201-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-)
diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
index 087de580..2024e726 100644
--- a/gs201-sepolicy.mk
+++ b/gs201-sepolicy.mk
@@ -17,9 +17,6 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/priv
 # Dauntless sepolicy (b/199685763)
 BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/dauntless
 
-# Wifi
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext
-
 # PowerStats HAL
 BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
 
From 0a4f633d40159b906846cf89f3f1200aff04dd66 Mon Sep 17 00:00:00 2001
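Review bot: whitechapel_pro/property_contexts replaces the three exact entries the legacy file listed (vendor.tcpdump.log.ondemand, vendor.tcpdump.log.alwayson, vendor.tcpdump.output.dir) with the prefix entry `vendor.tcpdump.`, so any domain holding set_prop on vendor_tcpdump_log_prop can now create arbitrary `vendor.tcpdump.*` properties rather than only the three that existing consumers read. If the widening is deliberate, say so above the entry, `# prefix: the whole vendor.tcpdump. namespace belongs to tcpdump_logger`; otherwise restore the exact names. `persist.vendor.tcpdump.log.alwayson` stays an exact entry in the same block, so the two styles are now mixed.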
From: Adam Shih Date: Mon, 4 Oct 2021 09:49:44 +0800 Subject: [PATCH 083/900] remove hal_wifi_ext This is a shared module across qcom and google platform. It is hard to tell whether it always behaves the same. Bug: 201599426 Test: boot to home with hal_wifi_ext started Change-Id: Ica8fa1168ecc07e3fed34bfad1c8d113e42bef22 --- legacy/hal_wifi_ext.te | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 legacy/hal_wifi_ext.te diff --git a/legacy/hal_wifi_ext.te b/legacy/hal_wifi_ext.te deleted file mode 100644 index 959f71b6..00000000 --- a/legacy/hal_wifi_ext.te +++ /dev/null @@ -1,13 +0,0 @@ -# Allow wifi_ext to report callbacks to gril-service app -binder_call(hal_wifi_ext, grilservice_app) - -# Write wlan driver/fw version into property -set_prop(hal_wifi_ext, vendor_wifi_version) - -# Allow wifi_ext to read and write /data/vendor/firmware/wifi -allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms; -allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms; - -# Allow wifi_ext to read the updated firmware files from app -allow hal_wifi_ext priv_app:fd use; -allow hal_wifi_ext privapp_data_file:file { read map }; From 798b72ad9cd898c26ebaff59c143a05562739bab Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 4 Oct 2021 09:56:33 +0800 Subject: [PATCH 084/900] review hal_tetheroffload_default Bug: 201599426 Test: boot to home with hal_tetheroffload_default started Change-Id: I85491753dc7336eff285f61c71ad51840a13d7c3 --- legacy/device.te | 3 --- legacy/file_contexts | 4 ---- whitechapel_pro/device.te | 2 ++ whitechapel_pro/file_contexts | 2 ++ {legacy => whitechapel_pro}/hal_tetheroffload_default.te | 0 5 files changed, 4 insertions(+), 7 deletions(-) rename {legacy => whitechapel_pro}/hal_tetheroffload_default.te (100%) diff --git a/legacy/device.te b/legacy/device.te index 11d87f51..182fe4d5 100644 --- a/legacy/device.te +++ b/legacy/device.te 
@@ -1,6 +1,3 @@ -# Exynos devices -type vendor_toe_device, dev_type; - # usbpd type logbuffer_device, dev_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 650a1858..b7ab1342 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -144,10 +144,6 @@ # R4 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 -# Tetheroffload Service -/dev/dit2 u:object_r:vendor_toe_device:s0 -/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 - # pixelstats binary /vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 168968bb..30753c77 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -6,3 +6,5 @@ type persist_block_device, dev_type, bdev_type; type efs_block_device, dev_type, bdev_type; type modem_userdata_block_device, dev_type, bdev_type; type sg_device, dev_type; +type vendor_toe_device, dev_type; + diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 094d339b..e837d038 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -19,6 +19,7 @@ /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 +/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 @@ -27,6 +28,7 @@ /dev/dri/card0 u:object_r:graphics_device:s0 /dev/fimg2d u:object_r:graphics_device:s0 /dev/g2d u:object_r:graphics_device:s0 +/dev/dit2 u:object_r:vendor_toe_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /dev/sg1 u:object_r:sg_device:s0 /dev/st21nfc u:object_r:nfc_device:s0 
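Review bot: The whitechapel_pro/device.te hunk appends an empty `+` line after `type vendor_toe_device, dev_type;`, leaving the file with a trailing blank line, and the whitechapel_pro/vendor_init.te hunk in the init-insmod-sh commit does the same after `get_prop(vendor_init, vendor_device_prop)`. Dropping the empty added line in both avoids a one-line whitespace churn on the next append. The legacy file_contexts grouped /dev/dit2 under a `# Tetheroffload Service` heading and that context is lost in the move, so a comment on the new type line, `# /dev/dit2, tetheroffload service device`, would preserve it.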
diff --git a/legacy/hal_tetheroffload_default.te b/whitechapel_pro/hal_tetheroffload_default.te similarity index 100% rename from legacy/hal_tetheroffload_default.te rename to whitechapel_pro/hal_tetheroffload_default.te From cccebb9eafdef7045ef7f62ff433df4b666a0cea Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 4 Oct 2021 10:03:25 +0800 Subject: [PATCH 085/900] remove bugreport related sepolicy Bug: 196916111 Test: adb bugreport Change-Id: If52a43baed4022ffb3ecb248067eb1f4712c5feb --- legacy/hal_dumpstate_default.te | 190 -------------------------------- legacy/incident.te | 4 - 2 files changed, 194 deletions(-) delete mode 100644 legacy/hal_dumpstate_default.te delete mode 100644 legacy/incident.te diff --git a/legacy/hal_dumpstate_default.te b/legacy/hal_dumpstate_default.te deleted file mode 100644 index 0c02ff48..00000000 --- a/legacy/hal_dumpstate_default.te +++ /dev/null 
@@ -1,190 +0,0 @@ -allow hal_dumpstate_default sysfs_exynos_bts:dir search; -allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; - -allow hal_dumpstate_default sysfs_bcmdhd:dir search; -allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms; - -allow hal_dumpstate_default sysfs_memory:file r_file_perms; - -vndbinder_use(hal_dumpstate_default) - -allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_gps_file:file r_file_perms; - -allow hal_dumpstate_default sysfs_wlc:dir search; -allow hal_dumpstate_default sysfs_wlc:file r_file_perms; - -allow hal_dumpstate_default shell_data_file:file getattr; - -allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; -allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; - -allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; - -# camera debugging dump file access -allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; - -allow hal_dumpstate_default vendor_log_file:dir search; - -allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; -allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; -allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans; - -allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; - -allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms; -allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; - -allow hal_dumpstate_default sysfs_spi:dir search; -allow hal_dumpstate_default sysfs_spi:file rw_file_perms; - -allow hal_dumpstate_default device:dir r_dir_perms; -allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; -allow hal_dumpstate_default aoc_device:chr_file 
rw_file_perms; - -allow hal_dumpstate_default sysfs_wifi:dir search; -allow hal_dumpstate_default sysfs_wifi:file r_file_perms; - -# Touch sysfs interface -allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; -allow hal_dumpstate_default sysfs_touch:file rw_file_perms; -allow hal_dumpstate_default proc_touch:file rw_file_perms; - -allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; -allow hal_dumpstate_default sysfs_thermal:file r_file_perms; -allow hal_dumpstate_default sysfs_thermal:lnk_file read; - -allow hal_dumpstate_default touch_context_service:service_manager find; - -# Modem logs -allow hal_dumpstate_default modem_efs_file:dir search; -allow hal_dumpstate_default modem_efs_file:file r_file_perms; -allow hal_dumpstate_default modem_stat_data_file:file r_file_perms; -allow hal_dumpstate_default vendor_slog_file:file r_file_perms; - -allow hal_dumpstate_default block_device:dir r_dir_perms; - -allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; -allow hal_dumpstate_default proc_f2fs:file r_file_perms; -allow hal_dumpstate_default proc_touch:file rw_file_perms; - -allow hal_dumpstate_default sysfs_batteryinfo:dir search; -allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms; -allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms; -allow hal_dumpstate_default sysfs_chip_id:file r_file_perms; - -allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; -allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; - -allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms; -allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; - -allow hal_dumpstate_default citadeld_service:service_manager find; -allow hal_dumpstate_default citadel_updater:file execute_no_trans; -binder_call(hal_dumpstate_default, citadeld); - -allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; -binder_call(hal_dumpstate_default, hal_graphics_composer_default); - -userdebug_or_eng(` - 
allow hal_dumpstate_default mnt_vendor_file:dir search; - allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search; - allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; -') - -get_prop(hal_dumpstate_default, boottime_public_prop) -get_prop(hal_dumpstate_default, vendor_gps_prop) -set_prop(hal_dumpstate_default, vendor_modem_prop) -get_prop(hal_dumpstate_default, vendor_rild_prop) - -userdebug_or_eng(` - allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_ion_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search; - allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_dri_debugfs:dir search; - - allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_usb_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_maxfg_debugfs:dir search; - allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; - - allow hal_dumpstate_default debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; - - allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; - allow hal_dumpstate_default sysfs_bcl:file 
r_file_perms; - allow hal_dumpstate_default sysfs_bcl:lnk_file read; - allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; - allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; - allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; - allow hal_dumpstate_default debugfs_f2fs:file r_file_perms; - - set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) -') - -dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; -dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search; - -dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_usb_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search; -dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default mnt_vendor_file:dir 
r_dir_perms; -dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir search; -dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; - -dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; -dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; - -dontaudit hal_dumpstate_default rootfs:dir r_dir_perms; - -dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; -dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; -dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms; diff --git a/legacy/incident.te b/legacy/incident.te deleted file mode 100644 index 672606df..00000000 --- a/legacy/incident.te +++ /dev/null @@ -1,4 +0,0 @@ -userdebug_or_eng(` - allow incident logger_app:fd use; - allow incident media_rw_data_file:file append; -') From 16c10d6a33f4fa76548151322f018c228ac21e37 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 4 Oct 2021 10:22:56 +0800 Subject: [PATCH 086/900] review init-insmod-sh Bug: 196916111 Test: boot to home Change-Id: I085ff319e08c65cfc3d51fb480259fa137f8e3f3 --- legacy/file_contexts | 3 --- legacy/property.te | 1 - legacy/property_contexts | 6 ------ legacy/vendor_init.te | 1 - whitechapel_pro/file_contexts | 1 + {legacy => whitechapel_pro}/init-insmod-sh.te | 5 ----- whitechapel_pro/property.te | 2 ++ whitechapel_pro/property_contexts | 8 ++++++++ whitechapel_pro/vendor_init.te | 3 +++ 9 files changed, 14 insertions(+), 16 deletions(-) rename {legacy => whitechapel_pro}/init-insmod-sh.te (76%) diff --git a/legacy/file_contexts b/legacy/file_contexts index b7ab1342..d3c5e2b9 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts 
@@ -115,9 +115,6 @@ # Contexthub /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 -# Kernel modules related -/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 - # Bluetooth /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 /dev/wbrc u:object_r:wb_coexistence_dev:s0 diff --git a/legacy/property.te b/legacy/property.te index 465c1b11..6f9cec26 100644 --- a/legacy/property.te +++ b/legacy/property.te @@ -1,7 +1,6 @@ # For Exynos Properties vendor_internal_prop(vendor_prop) vendor_internal_prop(sensors_prop) -vendor_internal_prop(vendor_device_prop) # vendor defaults vendor_internal_prop(vendor_config_default_prop) vendor_internal_prop(vendor_ro_sys_default_prop) diff --git a/legacy/property_contexts b/legacy/property_contexts index dfdea23f..3e4b64ad 100644 --- a/legacy/property_contexts +++ b/legacy/property_contexts @@ -1,12 +1,6 @@ # Ramdump persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0 -# Kernel modules related -vendor.common.modules.ready u:object_r:vendor_device_prop:s0 -vendor.device.modules.ready u:object_r:vendor_device_prop:s0 -vendor.all.modules.ready u:object_r:vendor_device_prop:s0 -vendor.all.devices.ready u:object_r:vendor_device_prop:s0 - # for codec2 vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0 vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0 diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index 33303322..b18cf54a 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te @@ -1,4 +1,3 @@ -set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index e837d038..b2aa7980 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -11,6 +11,7 @@ /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 +/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 diff --git a/legacy/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te similarity index 76% rename from legacy/init-insmod-sh.te rename to whitechapel_pro/init-insmod-sh.te index 9b2da73d..e8424941 100644 --- a/legacy/init-insmod-sh.te +++ b/whitechapel_pro/init-insmod-sh.te @@ -3,14 +3,9 @@ type init-insmod-sh_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(init-insmod-sh) allow init-insmod-sh self:capability sys_module; -allow init-insmod-sh sysfs_leds:dir r_dir_perms; allow init-insmod-sh vendor_kernel_modules:system module_load; allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; set_prop(init-insmod-sh, vendor_device_prop) -userdebug_or_eng(` - allow init-insmod-sh vendor_regmap_debugfs:dir search; -') - dontaudit init-insmod-sh proc_cmdline:file r_file_perms; diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 56d2ed93..a3b71457 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -14,4 +14,6 @@ vendor_internal_prop(vendor_battery_defender_prop) vendor_internal_prop(vendor_camera_prop) vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_tcpdump_log_prop) +vendor_internal_prop(vendor_device_prop) +vendor_internal_prop(vendor_ready_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 8aa7d100..01f2d7cf 100644 
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -4,6 +4,14 @@ persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
 vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
 vendor.sys.diag. u:object_r:vendor_diag_prop:s0
 
+# Kernel modules related
+vendor.common.modules.ready u:object_r:vendor_device_prop:s0
+vendor.device.modules.ready u:object_r:vendor_device_prop:s0
+
+# Indicating signal that all modules and devices are ready
+vendor.all.modules.ready u:object_r:vendor_ready_prop:s0
+vendor.all.devices.ready u:object_r:vendor_ready_prop:s0
+
 # Tcpdump_logger
 persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 75cac346..a55894f7 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -3,4 +3,7 @@ allow vendor_init bootdevice_sysdev:file create_file_perms;
 set_prop(vendor_init, vendor_ssrdump_prop)
 set_prop(vendor_init, vendor_carrier_prop)
 set_prop(vendor_init, vendor_cbd_prop)
+set_prop(vendor_init, vendor_ready_prop)
 get_prop(vendor_init, vendor_battery_profile_prop)
+get_prop(vendor_init, vendor_device_prop)
+
From fc82a2b2427409e311ce24a55306095be373dbd7 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Mon, 4 Oct 2021 16:43:02 +0800 Subject: [PATCH 087/900] fingerprint: Fix SELinux error Fix the following SELinux error: E init : Could not start service 'vendor.fps_hal' as part of class 'late_start': File /vendor/bin/hw/android.hardware.biometrics.fingerprint@2.1-service.goodix(labeled "u:object_r:vendor_file:s0") has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined. Bug: 201500671 Test: build and run on DUT. Change-Id: I85bd89edfaa6aaca003a5be21f4a045ce5944ab9 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+)
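Review bot: vendor.all.modules.ready and vendor.all.devices.ready move to the new vendor_ready_prop type with set_prop granted only to vendor_init, while the renamed whitechapel_pro/init-insmod-sh.te in the preceding hunk keeps only `set_prop(init-insmod-sh, vendor_device_prop)`. The legacy layout labeled all four properties under vendor_device_prop, so if init.insmod.sh is the process that raises the vendor.all.* signals that write is now denied at boot; confirm which process sets each and either add `set_prop(init-insmod-sh, vendor_ready_prop)` or document the split, e.g. `# set only by init (vendor_init) once the per-module triggers fire` above the vendor_ready_prop entries. The get_prop on vendor_device_prop given to vendor_init is presumably for init.rc triggers and deserves the same one-line note.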
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index b2aa7980..8d3721ce 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -15,6 +15,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
From 9c8da5b91c4dd5879054281dabe0dd810628443d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 5 Oct 2021 10:54:31 +0800 Subject: [PATCH 088/900] remove uwb No uwb hal were found on ROM 7793030 Bug: 196916111 Test: Boot to home Change-Id: I89ce68505c13b8de080d7aec5fc594fd2ada11c6 --- legacy/file_contexts | 4 ---- legacy/hal_uwb_vendor_default.te | 5 ----- 2 files changed, 9 deletions(-) delete mode 100644 legacy/hal_uwb_vendor_default.te
diff --git a/legacy/file_contexts b/legacy/file_contexts
index d3c5e2b9..af917782 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -137,10 +137,6 @@
 # GRIL
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 
-# Uwb
-# R4
-/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0
-
 # pixelstats binary
 /vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0
 
diff --git a/legacy/hal_uwb_vendor_default.te b/legacy/hal_uwb_vendor_default.te
deleted file mode 100644
index d16424e9..00000000
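Review bot: The added fingerprint@2.1-service.goodix entry maps the HIDL binary to the same hal_fingerprint_default domain as the (presumably AIDL) fingerprint-service.goodix on the next line, so that domain's rules are now the union both binaries need and anything granted for one is available to the other. If the ROM ships only one of them the other entry is dead weight worth removing; if both ship, a comment above the pair, `# goodix fingerprint HAL: HIDL 2.1 and AIDL binaries share hal_fingerprint_default`, records that this is intended.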
--- a/legacy/hal_uwb_vendor_default.te +++ /dev/null @@ -1,5 +0,0 @@ -type hal_uwb_vendor_default, domain; -type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_uwb_vendor_default) - -add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) From 1d0b6d22bc080f8ced815f64851e46e689a38ee2 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 5 Oct 2021 11:07:06 +0800 Subject: [PATCH 089/900] remove uwb app uwb app does not exist on ROM 7793030 Bug: 196916111 Test: boot to home Change-Id: I37d02e98589c7b3e894defa04de709ae0d904f09 --- legacy/seapp_contexts | 3 --- legacy/uwb_vendor_app.te | 12 ------------ 2 files changed, 15 deletions(-) delete mode 100644 legacy/uwb_vendor_app.te diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts index cf72b1a8..580f308f 100644 --- a/legacy/seapp_contexts +++ b/legacy/seapp_contexts @@ -3,6 +3,3 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # Hardware Info Collection user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user - -# Qorvo UWB system app -user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all diff --git a/legacy/uwb_vendor_app.te b/legacy/uwb_vendor_app.te deleted file mode 100644 index c33731a8..00000000 --- a/legacy/uwb_vendor_app.te +++ /dev/null @@ -1,12 +0,0 @@ -type uwb_vendor_app, domain; - -app_domain(uwb_vendor_app) - -add_service(uwb_vendor_app, uwb_vendor_service) - -allow uwb_vendor_app app_api_service:service_manager find; -allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; -allow uwb_vendor_app nfc_service:service_manager find; - -allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; -allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; From 791aeae701cfdbd41c9b343b4ecea6a5021a7c3c Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 5 Oct 2021 11:18:29 +0800 Subject: [PATCH 090/900] review ramdump_app Bug: 196916111 Test: boot to home Change-Id: I756f9022a7c20392dd8d07d2be7c972395176629 --- legacy/seapp_contexts | 3 --- {legacy => whitechapel_pro}/ramdump_app.te | 0 whitechapel_pro/seapp_contexts | 3 +++ 3 files changed, 3 insertions(+), 3 deletions(-) rename {legacy => whitechapel_pro}/ramdump_app.te (100%) diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts index 580f308f..390f1601 100644 --- a/legacy/seapp_contexts +++ b/legacy/seapp_contexts @@ -1,5 +1,2 @@ -# coredump/ramdump -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # Hardware Info Collection user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user diff --git a/legacy/ramdump_app.te b/whitechapel_pro/ramdump_app.te similarity index 100% rename from legacy/ramdump_app.te rename to whitechapel_pro/ramdump_app.te diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 68701fe1..8ef7f82f 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -5,6 +5,9 @@ user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all +# coredump/ramdump +user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all + # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user From 34693feadc0473f67c564ba759f2fa6653a9e816 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 5 Oct 2021 11:53:01 +0800 Subject: [PATCH 091/900] review mediacodec Bug: 196916111 Test: boot with google and samsung mediacodec running Change-Id: I7aaee5def774c8b7c19699f4da9b0b51f4869be9 --- legacy/file_contexts | 2 -- legacy/mediacodec.te | 8 -------- whitechapel_pro/file_contexts | 2 ++ whitechapel_pro/mediacodec_google.te | 4 ++++ whitechapel_pro/mediacodec_samsung.te | 4 ++++ 5 files changed, 10 insertions(+), 10 deletions(-) delete mode 100644 legacy/mediacodec.te create mode 100644 whitechapel_pro/mediacodec_google.te create mode 100644 whitechapel_pro/mediacodec_samsung.te diff --git a/legacy/file_contexts b/legacy/file_contexts index af917782..5ee83851 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -101,8 +101,6 @@ /dev/lwis-votf u:object_r:lwis_device:s0 # VIDEO -/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0 -/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 # IMS VoWiFi diff --git a/legacy/mediacodec.te b/legacy/mediacodec.te deleted file mode 100644 index 22d2e133..00000000 --- a/legacy/mediacodec.te +++ /dev/null @@ -1,8 +0,0 @@ -userdebug_or_eng(` - set_prop(mediacodec, vendor_codec2_debug_prop) -') - -add_service(mediacodec, eco_service) -allow mediacodec sysfs_video:file r_file_perms; -allow mediacodec sysfs_video:dir r_dir_perms; -allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 8d3721ce..de2dfa33 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -12,6 +12,8 @@
 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
 /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te
new file mode 100644
index 00000000..2ec5e99e
--- /dev/null
+++ b/whitechapel_pro/mediacodec_google.te
@@ -0,0 +1,4 @@
+type mediacodec_google, domain;
+type mediacodec_google_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(mediacodec_google)
+
diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te
new file mode 100644
index 00000000..9ca76c9d
--- /dev/null
+++ b/whitechapel_pro/mediacodec_samsung.te
@@ -0,0 +1,4 @@
+type mediacodec_samsung, domain;
+type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(mediacodec_samsung)
+
From a787a30f8d7cc034d039a380f4e5abf8f2964c3d Mon Sep 17 00:00:00 2001
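Review bot: The new mediacodec_google and mediacodec_samsung domains declare only the type, the exec type and `init_daemon_domain`; none of the rules this same change removes from legacy/mediacodec.te (`add_service(mediacodec, eco_service)`, the `sysfs_video` dir/file reads, the `dmabuf_system_secure_heap_device` read, the userdebug `vendor_codec2_debug_prop` set) is carried over to either domain. No `hal_server_domain(..., hal_codec2)` attribution is visible in the new files either, so if the old `mediacodec` domain obtained its codec2 HAL permissions that way those are lost as well. Either re-add the needed rules per domain or state in the commit that they are intentionally dropped and will be rebuilt from denials under enforcing. Both new files also end with a trailing empty `+` line.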
From: Adam Shih Date: Fri, 8 Oct 2021 10:48:04 +0800 Subject: [PATCH 092/900] review trusty domains Bug: 198723116 Test: boot to home with trusty domains started Change-Id: If5c6c0a75b6ad0eb032f637fd51ab2e4cea1e389 --- legacy/file_contexts | 2 -- whitechapel_pro/file_contexts | 2 ++ {legacy => whitechapel_pro}/trusty_apploader.te | 0 {legacy => whitechapel_pro}/trusty_metricsd.te | 0 4 files changed, 2 insertions(+), 2 deletions(-) rename {legacy => whitechapel_pro}/trusty_apploader.te (100%) rename {legacy => whitechapel_pro}/trusty_metricsd.te (100%) diff --git a/legacy/file_contexts b/legacy/file_contexts index 5ee83851..d7180d03 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -126,8 +126,6 @@ # Trusty /vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0 -/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 -/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /dev/trusty-log0 u:object_r:logbuffer_device:s0 diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index de2dfa33..888c5ba5 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -12,6 +12,8 @@ /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 +/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 +/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0 
diff --git a/legacy/trusty_apploader.te b/whitechapel_pro/trusty_apploader.te similarity index 100% rename from legacy/trusty_apploader.te rename to whitechapel_pro/trusty_apploader.te diff --git a/legacy/trusty_metricsd.te b/whitechapel_pro/trusty_metricsd.te similarity index 100% rename from legacy/trusty_metricsd.te rename to whitechapel_pro/trusty_metricsd.te From 37ca0bdfa4173ac660548ffdc1d09adbfeef63b4 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 8 Oct 2021 10:56:54 +0800 Subject: [PATCH 093/900] review pixelstats_vendor Bug: 202462997 Test: boot with pixelstats_vendor started Change-Id: I1cd14413ea05362f3760e61b2d0d7b1db164a31c --- legacy/file_contexts | 3 --- legacy/pixelstats_vendor.te | 17 ----------------- 2 files changed, 20 deletions(-) delete mode 100644 legacy/pixelstats_vendor.te diff --git a/legacy/file_contexts b/legacy/file_contexts index d7180d03..b771c8d9 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -133,9 +133,6 @@ # GRIL /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 -# pixelstats binary -/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 - # Vendor_kernel_modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 diff --git a/legacy/pixelstats_vendor.te b/legacy/pixelstats_vendor.te deleted file mode 100644 index ba063193..00000000 --- a/legacy/pixelstats_vendor.te +++ /dev/null 
@@ -1,17 +0,0 @@ -# pixelstats vendor -type pixelstats_vendor, domain; - -type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(pixelstats_vendor) - -unix_socket_connect(pixelstats_vendor, chre, chre) - -get_prop(pixelstats_vendor, hwservicemanager_prop) -hwbinder_use(pixelstats_vendor) - -binder_call(pixelstats_vendor, stats_service_server) -binder_use(pixelstats_vendor); -allow pixelstats_vendor fwk_stats_service:service_manager find; - -allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; -allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; From 9e0b7599b49720188d6e464213124344099d738f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 8 Oct 2021 11:33:40 +0800 Subject: [PATCH 094/900] review logger_app Bug: 196916111 Test: boot to home Change-Id: I882d0c302a44eb6c3467ced6fefa4437469d4c44 --- legacy/logger_app.te | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 legacy/logger_app.te diff --git a/legacy/logger_app.te b/legacy/logger_app.te deleted file mode 100644 index fac3b5ea..00000000 --- a/legacy/logger_app.te +++ /dev/null 
@@ -1,27 +0,0 @@ -userdebug_or_eng(` - allow logger_app radio_vendor_data_file:file create_file_perms; - allow logger_app radio_vendor_data_file:dir create_dir_perms; - allow logger_app vendor_slog_file:file {r_file_perms unlink}; - allow logger_app vendor_gps_file:file create_file_perms; - allow logger_app vendor_gps_file:dir create_dir_perms; - allow logger_app sysfs_sscoredump_level:file r_file_perms; - r_dir_file(logger_app, ramdump_vendor_data_file) - r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) - r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) - - get_prop(logger_app, usb_control_prop) - set_prop(logger_app, vendor_logger_prop) - set_prop(logger_app, vendor_modem_prop) - set_prop(logger_app, vendor_gps_prop) - set_prop(logger_app, vendor_audio_prop) - set_prop(logger_app, vendor_tcpdump_log_prop) - set_prop(logger_app, vendor_ramdump_prop) - set_prop(logger_app, vendor_ssrdump_prop) - set_prop(logger_app, vendor_rild_prop) - set_prop(logger_app, logpersistd_logging_prop) - set_prop(logger_app, logd_prop) - set_prop(logger_app, vendor_usb_config_prop) - set_prop(logger_app, vendor_wifi_sniffer_prop) - - dontaudit logger_app default_prop:file { read }; -') From 1aaa9d5be912b34d5ad0248fb08e981216a5e06f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 8 Oct 2021 11:39:38 +0800 Subject: [PATCH 095/900] review hardware_info_app Bug: 196916111 Test: boot with app correctly labeled Change-Id: I31335fff6356edeedc10ebd2e55b8ed62e39ee02 --- legacy/hardware_info_app.te | 13 ------------- legacy/seapp_contexts | 2 -- whitechapel_pro/hardware_info_app.te | 4 ++++ whitechapel_pro/seapp_contexts | 3 +++ 4 files changed, 7 insertions(+), 15 deletions(-) delete mode 100644 legacy/hardware_info_app.te delete mode 100644 legacy/seapp_contexts create mode 100644 whitechapel_pro/hardware_info_app.te diff --git a/legacy/hardware_info_app.te b/legacy/hardware_info_app.te deleted file mode 100644 index 382b531c..00000000 
--- a/legacy/hardware_info_app.te +++ /dev/null @@ -1,13 +0,0 @@ -type hardware_info_app, domain; - -app_domain(hardware_info_app) - -allow hardware_info_app app_api_service:service_manager find; - -# Display -allow hardware_info_app sysfs_display:dir search; -allow hardware_info_app sysfs_display:file r_file_perms; - -# Storage -allow hardware_info_app sysfs_scsi_devices_0000:dir search; -allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; \ No newline at end of file diff --git a/legacy/seapp_contexts b/legacy/seapp_contexts deleted file mode 100644 index 390f1601..00000000 --- a/legacy/seapp_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# Hardware Info Collection -user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te new file mode 100644 index 00000000..9b52417e --- /dev/null +++ b/whitechapel_pro/hardware_info_app.te @@ -0,0 +1,4 @@ +type hardware_info_app, domain; +app_domain(hardware_info_app) + +allow hardware_info_app app_api_service:service_manager find; diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 8ef7f82f..00cf0c5b 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -5,6 +5,9 @@ user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all +# Hardware Info Collection +user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user + # coredump/ramdump user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all From cc27fae6e586a125c65e619d36d685e61eb4d003 Mon Sep 17 00:00:00 2001 
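Review bot: whitechapel_pro/hardware_info_app.te keeps only `app_domain(hardware_info_app)` and the `app_api_service:service_manager find`; the `sysfs_display` and `sysfs_scsi_devices_0000` search/read rules that legacy/hardware_info_app.te granted are dropped in this hunk without a comment. The seapp entry describes this app as "Hardware Info Collection", so those reads are presumably what it exists for; if the intent is to rebuild the domain from observed denials, say so in the commit, otherwise carry the `# Display` and `# Storage` rule pairs over. The new file does fix the missing trailing newline the legacy file had.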
From: Shiyong Li Date: Wed, 22 Sep 2021 16:08:28 +0000 Subject: [PATCH 096/900] allow hwc to access displaycolor service Fix the following violations: SELinux : avc: denied { add } for pid=487 uid=1000 name=displaycolor scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:vendor_displaycolor_service:s0 tclass=service_manager permissive=1 SELinux : avc: denied { find } for pid=487 uid=1000 name=displaycolor scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:vendor_displaycolor_service:s0 tclass=service_manager permissive=1 Bug: 199467938 Test: check avc denials while hwc loads calibration file Signed-off-by: Shiyong Li Change-Id: I43865b0a0fc406dc1955b58a80295c556d650797 --- whitechapel_pro/hal_graphics_composer_default.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 whitechapel_pro/hal_graphics_composer_default.te diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te new file mode 100644 index 00000000..4da87fbf --- /dev/null +++ b/whitechapel_pro/hal_graphics_composer_default.te @@ -0,0 +1,3 @@ +# allow HWC to access vendor_displaycolor_service +add_service(hal_graphics_composer_default, vendor_displaycolor_service) + From 5b51181f96c8d7cc791bcf4dfe2757a12585f383 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 12 Oct 2021 12:41:48 +0800 Subject: [PATCH 097/900] review grilservice_app Bug: 198532074 Test: boot with gril app started Change-Id: I9e21bee23ad2cbb7e6d0e7363780ba0fbf5adb3b --- legacy/grilservice_app.te | 8 -------- whitechapel_pro/grilservice_app.te | 8 ++++++++ 2 files changed, 8 insertions(+), 8 deletions(-) delete mode 100644 legacy/grilservice_app.te diff --git a/legacy/grilservice_app.te b/legacy/grilservice_app.te deleted file mode 100644 index 7c059ff3..00000000 --- a/legacy/grilservice_app.te +++ /dev/null 
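Review bot: `add_service(hal_graphics_composer_default, vendor_displaycolor_service)` needs `vendor_displaycolor_service` to be declared, and the only declaration visible in this series is in legacy/vndservice.te, which patch 098 deletes while whitechapel_pro/vndservice.te is not created until patch 102; unless the type is also declared elsewhere, the patches in between will not build. The macro additionally emits a neverallow so no other domain may `add` this service, which is the right shape for a vendor-private service. The denials quoted in the commit message were captured with `permissive=1`, so the rule should be confirmed with the domain enforcing. The file ends with a trailing empty `+` line.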
@@ -1,8 +0,0 @@ -allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; -allow grilservice_app hal_radioext_hwservice:hwservice_manager find; -allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; -allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; -binder_call(grilservice_app, hal_bluetooth_btlinux) -binder_call(grilservice_app, hal_radioext_default) -binder_call(grilservice_app, hal_wifi_ext) -binder_call(grilservice_app, hal_audiometricext_default) diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te index 0a090cd4..50ff22a5 100644 --- a/whitechapel_pro/grilservice_app.te +++ b/whitechapel_pro/grilservice_app.te @@ -2,3 +2,11 @@ type grilservice_app, domain; app_domain(grilservice_app) allow grilservice_app app_api_service:service_manager find; +allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; +allow grilservice_app hal_radioext_hwservice:hwservice_manager find; +allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; +allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; +binder_call(grilservice_app, hal_bluetooth_btlinux) +binder_call(grilservice_app, hal_radioext_default) +binder_call(grilservice_app, hal_wifi_ext) +binder_call(grilservice_app, hal_audiometricext_default) From 4d8c9e59408d37d3b8a17828bb6bcf576e0e825b Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 12 Oct 2021 14:03:04 +0800 Subject: [PATCH 098/900] review legacy contexts and keys Bug: 196916111 Test: build pass and boot to home Change-Id: I1b709cf6617668418150f269359eaa28421c1d43 --- legacy/certs/com_qorvo_uwb.x509.pem | 29 ------------------- legacy/keys.conf | 5 ---- legacy/service.te | 3 -- legacy/service_contexts | 3 -- legacy/vndservice.te | 3 -- legacy/vndservice_contexts | 3 -- .../certs/com_google_mds.x509.pem | 0 whitechapel_pro/keys.conf | 3 ++ .../mac_permissions.xml | 3 -- 9 files changed, 3 insertions(+), 49 deletions(-) delete mode 100644 legacy/certs/com_qorvo_uwb.x509.pem delete mode 100644 legacy/keys.conf delete mode 100644 legacy/service.te delete mode 100644 legacy/service_contexts delete mode 100644 legacy/vndservice.te delete mode 100644 legacy/vndservice_contexts rename {legacy => whitechapel_pro}/certs/com_google_mds.x509.pem (100%) create mode 100644 whitechapel_pro/keys.conf rename {legacy => whitechapel_pro}/mac_permissions.xml (94%) diff --git a/legacy/certs/com_qorvo_uwb.x509.pem b/legacy/certs/com_qorvo_uwb.x509.pem deleted file mode 100644 index 0e7c9ed5..00000000 --- a/legacy/certs/com_qorvo_uwb.x509.pem +++ /dev/null 
@@ -1,29 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ -BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw -EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv -X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR -BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds -ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq -hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa -IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW -fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ -KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW -BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s -ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X -QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG -gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj -RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn -iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU -EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ -KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t -fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z -0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe -cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0 -6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg -NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY -ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp -BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh 
-NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz -lHV8gmlwBAuAx9ITcTJr ------END CERTIFICATE----- diff --git a/legacy/keys.conf b/legacy/keys.conf deleted file mode 100644 index 2681594f..00000000 --- a/legacy/keys.conf +++ /dev/null @@ -1,5 +0,0 @@ -[@MDS] -ALL : device/google/gs201-sepolicy/legacy/certs/com_google_mds.x509.pem - -[@UWB] -ALL : device/google/gs201-sepolicy/legacy/certs/com_qorvo_uwb.x509.pem diff --git a/legacy/service.te b/legacy/service.te deleted file mode 100644 index 87dec4c0..00000000 --- a/legacy/service.te +++ /dev/null @@ -1,3 +0,0 @@ -type uwb_vendor_service, service_manager_type, vendor_service; -type touch_context_service, service_manager_type, vendor_service; -type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/legacy/service_contexts b/legacy/service_contexts deleted file mode 100644 index 6431f24d..00000000 --- a/legacy/service_contexts +++ /dev/null @@ -1,3 +0,0 @@ -com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 -uwb_vendor u:object_r:uwb_vendor_service:s0 -hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/legacy/vndservice.te b/legacy/vndservice.te deleted file mode 100644 index 322aaf44..00000000 --- a/legacy/vndservice.te +++ /dev/null @@ -1,3 +0,0 @@ -type vendor_surfaceflinger_vndservice, vndservice_manager_type; -type vendor_displaycolor_service, vndservice_manager_type; -type eco_service, vndservice_manager_type; diff --git a/legacy/vndservice_contexts b/legacy/vndservice_contexts deleted file mode 100644 index eda9b5e1..00000000 --- a/legacy/vndservice_contexts +++ /dev/null @@ -1,3 +0,0 @@ -Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 -displaycolor u:object_r:vendor_displaycolor_service:s0 -media.ecoservice u:object_r:eco_service:s0 
diff --git a/legacy/certs/com_google_mds.x509.pem b/whitechapel_pro/certs/com_google_mds.x509.pem similarity index 100% rename from legacy/certs/com_google_mds.x509.pem rename to whitechapel_pro/certs/com_google_mds.x509.pem diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf new file mode 100644 index 00000000..dac66f87 --- /dev/null +++ b/whitechapel_pro/keys.conf @@ -0,0 +1,3 @@ +[@MDS] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem + diff --git a/legacy/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml similarity index 94% rename from legacy/mac_permissions.xml rename to whitechapel_pro/mac_permissions.xml index 6cf15728..4b997c27 100644 --- a/legacy/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -24,7 +24,4 @@ - - - From dfbc96da034341e56eb65cc6896c91bf314e5215 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 12 Oct 2021 14:32:48 +0800 Subject: [PATCH 099/900] remove redundant exo sepolicy All exo sepolicy live in gs101 Bug: 196916111 Test: build pass Change-Id: I5c9a8af806c62ee74b4f2ab23bd60cd9706b2dae --- legacy/exo_camera_injection/dumpstate.te | 2 -- legacy/exo_camera_injection/exo_app.te | 3 --- legacy/exo_camera_injection/file_contexts | 1 - .../exo_camera_injection/hal_exo_camera_injection.te | 10 ---------- legacy/exo_camera_injection/hwservice.te | 1 - legacy/exo_camera_injection/hwservice_contexts | 1 - 6 files changed, 18 deletions(-) delete mode 100644 legacy/exo_camera_injection/dumpstate.te delete mode 100644 legacy/exo_camera_injection/exo_app.te delete mode 100644 legacy/exo_camera_injection/file_contexts delete mode 100644 legacy/exo_camera_injection/hal_exo_camera_injection.te delete mode 100644 legacy/exo_camera_injection/hwservice.te delete mode 100644 legacy/exo_camera_injection/hwservice_contexts diff --git a/legacy/exo_camera_injection/dumpstate.te b/legacy/exo_camera_injection/dumpstate.te deleted file mode 100644 index 1a5b393d..00000000 
--- a/legacy/exo_camera_injection/dumpstate.te +++ /dev/null @@ -1,2 +0,0 @@ -# For collecting bugreports. -dump_hal(hal_camera) diff --git a/legacy/exo_camera_injection/exo_app.te b/legacy/exo_camera_injection/exo_app.te deleted file mode 100644 index a90de48e..00000000 --- a/legacy/exo_camera_injection/exo_app.te +++ /dev/null @@ -1,3 +0,0 @@ -# Allow exo app to find and bind exo camera injection hal. -allow exo_app hal_exo_camera_injection_hwservice:hwservice_manager find; -binder_call(exo_app, hal_exo_camera_injection) diff --git a/legacy/exo_camera_injection/file_contexts b/legacy/exo_camera_injection/file_contexts deleted file mode 100644 index cfcbd6ff..00000000 --- a/legacy/exo_camera_injection/file_contexts +++ /dev/null @@ -1 +0,0 @@ -/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.0-service u:object_r:hal_exo_camera_injection_exec:s0 diff --git a/legacy/exo_camera_injection/hal_exo_camera_injection.te b/legacy/exo_camera_injection/hal_exo_camera_injection.te deleted file mode 100644 index 138d1b1d..00000000 --- a/legacy/exo_camera_injection/hal_exo_camera_injection.te +++ /dev/null @@ -1,10 +0,0 @@ -# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches. -type hal_exo_camera_injection, domain; -hal_server_domain(hal_exo_camera_injection, hal_camera) - -type hal_exo_camera_injection_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(hal_exo_camera_injection) - -hwbinder_use(hal_exo_camera_injection) -add_hwservice(hal_exo_camera_injection, hal_exo_camera_injection_hwservice) -allow hal_exo_camera_injection hal_graphics_mapper_hwservice:hwservice_manager find; diff --git a/legacy/exo_camera_injection/hwservice.te b/legacy/exo_camera_injection/hwservice.te deleted file mode 100644 index cea97689..00000000 --- a/legacy/exo_camera_injection/hwservice.te +++ /dev/null @@ -1 +0,0 @@ -type hal_exo_camera_injection_hwservice, hwservice_manager_type; 
diff --git a/legacy/exo_camera_injection/hwservice_contexts b/legacy/exo_camera_injection/hwservice_contexts deleted file mode 100644 index 59ccfe67..00000000 --- a/legacy/exo_camera_injection/hwservice_contexts +++ /dev/null @@ -1 +0,0 @@ -vendor.google.exo_camera_injection::IExoCameraInjection u:object_r:hal_exo_camera_injection_hwservice:s0 From 54b0addb16bc7a4b1d00e0e3286df71a311c1d82 Mon Sep 17 00:00:00 2001 From: Konstantin Vyshetsky Date: Mon, 11 Oct 2021 16:31:56 -0700 Subject: [PATCH 100/900] convert_to_f2fs.sh: add sepolicy Add entries for convert_to_f2fs.sh executable. Bug: 202511062 Signed-off-by: Konstantin Vyshetsky Change-Id: I76ca5e169efec06f7a856e3938f50cfee5e6a7f3 --- whitechapel_pro/convert-to-f2fs-sh.te | 10 ++++++++++ whitechapel_pro/file_contexts | 1 + 2 files changed, 11 insertions(+) create mode 100644 whitechapel_pro/convert-to-f2fs-sh.te diff --git a/whitechapel_pro/convert-to-f2fs-sh.te b/whitechapel_pro/convert-to-f2fs-sh.te new file mode 100644 index 00000000..56fc1cc2 --- /dev/null +++ b/whitechapel_pro/convert-to-f2fs-sh.te @@ -0,0 +1,10 @@ +type convert-to-f2fs-sh, domain; + +type convert-to-f2fs-sh_exec, vendor_file_type, exec_type, file_type; + +init_daemon_domain(convert-to-f2fs-sh) + +allow convert-to-f2fs-sh vendor_file:file execute_no_trans; +allow convert-to-f2fs-sh persist_block_device:blk_file r_file_perms; +allow convert-to-f2fs-sh block_device:dir search; +allow convert-to-f2fs-sh kernel:process setsched; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 888c5ba5..2d35785e 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
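Review bot: None of the rules in the new convert-to-f2fs-sh domain says which step of convert_to_f2fs.sh needs it, and two of them deserve a one-line justification: `allow convert-to-f2fs-sh kernel:process setsched;` lets a vendor script adjust the scheduling of kernel threads, and `allow convert-to-f2fs-sh vendor_file:file execute_no_trans;` lets it run any vendor binary inside this domain instead of through a domain transition. The block-device access is read-only (`r_file_perms` on `persist_block_device` here and on `efs_block_device` in the following patch), so if the script itself rewrites the partition it will need more than this and should be exercised enforcing, and if it only probes the filesystem type a comment saying so would make the limited grant intentional. A suggested header for the file: `# Shell script started by init to convert the persist and efs partitions to f2fs; each rule below names the tool that needs it.`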
@@ -14,6 +14,7 @@ /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 +/vendor/bin/convert_to_f2fs\.sh u:object_r:convert-to-f2fs-sh_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0 From bf900e2ae578506690d4399b78cb4e1308b79520 Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim Date: Tue, 12 Oct 2021 14:17:03 -0700 Subject: [PATCH 101/900] allow to convert /efs to f2fs Bug: 201348703 Signed-off-by: Jaegeuk Kim Change-Id: If69f1443a0ee4d46a468a33524e8a51f774b2d28 --- whitechapel_pro/convert-to-f2fs-sh.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/convert-to-f2fs-sh.te b/whitechapel_pro/convert-to-f2fs-sh.te index 56fc1cc2..15d983be 100644 --- a/whitechapel_pro/convert-to-f2fs-sh.te +++ b/whitechapel_pro/convert-to-f2fs-sh.te @@ -6,5 +6,6 @@ init_daemon_domain(convert-to-f2fs-sh) allow convert-to-f2fs-sh vendor_file:file execute_no_trans; allow convert-to-f2fs-sh persist_block_device:blk_file r_file_perms; +allow convert-to-f2fs-sh efs_block_device:blk_file r_file_perms; allow convert-to-f2fs-sh block_device:dir search; allow convert-to-f2fs-sh kernel:process setsched; From bfd5097be2f19f5efeeb9bbeef37111e6f7ae02b Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Thu, 14 Oct 2021 10:48:50 +0800 Subject: [PATCH 102/900] dispatch service related error Bug: 202906787 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ifbdf1de156994572b8fedfd18180d3821ef1594c --- legacy/domain.te | 1 - tracking_denials/cbd.te | 2 ++ tracking_denials/citadeld.te | 3 +++ tracking_denials/hal_camera_default.te | 3 +++ tracking_denials/hal_drm_widevine.te | 4 ++++ tracking_denials/hal_fingerprint_default.te | 4 ++++ tracking_denials/hal_graphics_composer_default.te | 5 +++++ tracking_denials/hal_identity_citadel.te | 2 ++ tracking_denials/hal_keymint_citadel.te | 2 ++ tracking_denials/hal_secure_element_uicc.te | 2 ++ tracking_denials/hal_usb_impl.te | 8 ++++++++ tracking_denials/hal_vibrator_default.te | 3 +++ tracking_denials/hal_weaver_citadel.te | 9 +++++++++ tracking_denials/init_citadel.te | 2 ++ tracking_denials/mediacodec_google.te | 4 ++++ tracking_denials/mediacodec_samsung.te | 5 +++++ tracking_denials/platform_app.te | 2 ++ tracking_denials/priv_app.te | 2 ++ tracking_denials/rfsd.te | 2 ++ tracking_denials/rild.te | 2 ++ tracking_denials/rlsservice.te | 2 ++ tracking_denials/thermal_link_device.te | 2 ++ tracking_denials/vendor_ims_app.te | 2 ++ tracking_denials/vendor_rcs_app.te | 2 ++ whitechapel_pro/service.te | 1 + whitechapel_pro/service_contexts | 1 + whitechapel_pro/vndservice.te | 3 +++ whitechapel_pro/vndservice_contexts | 3 +++ 28 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 tracking_denials/cbd.te create mode 100644 tracking_denials/citadeld.te create mode 100644 tracking_denials/hal_camera_default.te create mode 100644 tracking_denials/hal_drm_widevine.te create mode 100644 tracking_denials/hal_fingerprint_default.te create mode 100644 tracking_denials/hal_graphics_composer_default.te create mode 100644 tracking_denials/hal_identity_citadel.te create mode 100644 tracking_denials/hal_keymint_citadel.te create mode 100644 tracking_denials/hal_secure_element_uicc.te create mode 
100644 tracking_denials/hal_usb_impl.te create mode 100644 tracking_denials/hal_vibrator_default.te create mode 100644 tracking_denials/hal_weaver_citadel.te create mode 100644 tracking_denials/init_citadel.te create mode 100644 tracking_denials/mediacodec_google.te create mode 100644 tracking_denials/mediacodec_samsung.te create mode 100644 tracking_denials/platform_app.te create mode 100644 tracking_denials/priv_app.te create mode 100644 tracking_denials/rfsd.te create mode 100644 tracking_denials/rild.te create mode 100644 tracking_denials/rlsservice.te create mode 100644 tracking_denials/thermal_link_device.te create mode 100644 tracking_denials/vendor_ims_app.te create mode 100644 tracking_denials/vendor_rcs_app.te create mode 100644 whitechapel_pro/service.te create mode 100644 whitechapel_pro/service_contexts diff --git a/legacy/domain.te b/legacy/domain.te index 96283269..2073b47b 100644 --- a/legacy/domain.te +++ b/legacy/domain.te @@ -14,7 +14,6 @@ dontaudit domain fs_type:filesystem *; dontaudit domain dev_type:file *; dontaudit domain dev_type:chr_file *; dontaudit domain dev_type:blk_file *; -dontaudit domain service_manager_type:service_manager *; dontaudit domain domain:capability *; dontaudit domain domain:binder *; dontaudit domain domain:socket_class_set *; diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te new file mode 100644 index 00000000..93a18e25 --- /dev/null +++ b/tracking_denials/cbd.te @@ -0,0 +1,2 @@ +# b/202906831 +dontaudit cbd unlabeled:lnk_file { read }; diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te new file mode 100644 index 00000000..ed49ef56 --- /dev/null +++ b/tracking_denials/citadeld.te @@ -0,0 +1,3 @@ +# b/202906931 +dontaudit citadeld default_android_vndservice:service_manager { add }; +dontaudit citadeld hal_power_stats_vendor_service:service_manager { find }; 
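Review bot: Dropping `dontaudit domain service_manager_type:service_manager *;` is the right call, but the neighbouring context lines in legacy/domain.te still blanket-silence `dev_type` file/chr_file/blk_file access, `domain:capability *`, `domain:binder *` and `domain:socket_class_set *` for every domain, which hides capability and binder denials exactly the way this change stops hiding service_manager ones. Consider giving those the same treatment: remove the blanket rule and track the real denials per domain under tracking_denials/ with a bug reference, as this commit does. The enclosing dontaudit block starts before this hunk.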
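Review bot: `dontaudit citadeld default_android_vndservice:service_manager { add };` silences citadeld registering a service that has no vndservice_contexts entry (it gets the default label), which is a labeling gap rather than a denial to hide; the fix is a named service type plus a `vndservice_contexts` line, after which the dontaudit is unnecessary. The `default_android_vndservice:service_manager { find }` rules for hal_identity_citadel and hal_keymint_citadel in their hunks further down have the same cause: whatever service they look up is unlabeled. A dontaudit does not make the operation succeed, so the registration or lookup keeps failing, just silently.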
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..a272b76f
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,3 @@
+# b/202906784
+dontaudit hal_camera_default edgetpu_vendor_server:fd { use };
+dontaudit hal_camera_default hal_radioext_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
new file mode 100644
index 00000000..577c7424
--- /dev/null
+++ b/tracking_denials/hal_drm_widevine.te
@@ -0,0 +1,4 @@
+# b/202906980
+dontaudit hal_drm_widevine hal_drm_hwservice:hwservice_manager { add };
+dontaudit hal_drm_widevine hal_drm_hwservice:hwservice_manager { find };
+dontaudit hal_drm_widevine hidl_base_hwservice:hwservice_manager { add };
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
new file mode 100644
index 00000000..238a3941
--- /dev/null
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -0,0 +1,4 @@
+# b/202906981
+dontaudit hal_fingerprint_default block_device:dir { search };
+dontaudit hal_fingerprint_default hal_fingerprint_ext_hwservice:hwservice_manager { add };
+dontaudit hal_fingerprint_default hal_fingerprint_ext_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
new file mode 100644
index 00000000..7d081059
--- /dev/null
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -0,0 +1,5 @@
+# b/202906947
+dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { add };
+dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { find };
+dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add };
+dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { find };
diff --git a/tracking_denials/hal_identity_citadel.te b/tracking_denials/hal_identity_citadel.te
new file mode 100644
index 00000000..c0c7e374
--- /dev/null
+++ b/tracking_denials/hal_identity_citadel.te
@@ -0,0 +1,2 @@
+# b/202906902
+dontaudit hal_identity_citadel default_android_vndservice:service_manager { find };
diff --git a/tracking_denials/hal_keymint_citadel.te b/tracking_denials/hal_keymint_citadel.te
new file mode 100644
index 00000000..d9000fe0
--- /dev/null
+++ b/tracking_denials/hal_keymint_citadel.te
@@ -0,0 +1,2 @@
+# b/202907039
+dontaudit hal_keymint_citadel default_android_vndservice:service_manager { find };
diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te
new file mode 100644
index 00000000..5b1d3c62
--- /dev/null
+++ b/tracking_denials/hal_secure_element_uicc.te
@@ -0,0 +1,2 @@
+# b/202902683
+dontaudit hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
new file mode 100644
index 00000000..df0efbdb
--- /dev/null
+++ b/tracking_denials/hal_usb_impl.te
@@ -0,0 +1,8 @@
+# b/202906786
+dontaudit hal_usb_impl configfs:lnk_file { create };
+dontaudit hal_usb_impl configfs:lnk_file { read };
+dontaudit hal_usb_impl hal_usb_gadget_hwservice:hwservice_manager { add };
+dontaudit hal_usb_impl hal_usb_gadget_hwservice:hwservice_manager { find };
+dontaudit hal_usb_impl hal_usb_hwservice:hwservice_manager { add };
+dontaudit hal_usb_impl hal_usb_hwservice:hwservice_manager { find };
+dontaudit hal_usb_impl hidl_base_hwservice:hwservice_manager { add };
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
new file mode 100644
index 00000000..b8fc9bd0
--- /dev/null
+++ b/tracking_denials/hal_vibrator_default.te
@@ -0,0 +1,3 @@
+# b/202906903
+dontaudit hal_vibrator_default input_device:dir { open };
+dontaudit hal_vibrator_default input_device:dir { read };
diff --git a/tracking_denials/hal_weaver_citadel.te b/tracking_denials/hal_weaver_citadel.te
new file mode 100644
index 00000000..831deb80
--- /dev/null
+++ b/tracking_denials/hal_weaver_citadel.te
@@ -0,0 +1,9 @@
+# b/202907040
+dontaudit hal_weaver_citadel default_android_vndservice:service_manager { find };
+dontaudit hal_weaver_citadel hal_authsecret_hwservice:hwservice_manager { add };
+dontaudit hal_weaver_citadel hal_authsecret_hwservice:hwservice_manager { find };
+dontaudit hal_weaver_citadel hal_oemlock_hwservice:hwservice_manager { add };
+dontaudit hal_weaver_citadel hal_oemlock_hwservice:hwservice_manager { find };
+dontaudit hal_weaver_citadel hal_weaver_hwservice:hwservice_manager { add };
+dontaudit hal_weaver_citadel hal_weaver_hwservice:hwservice_manager { find };
+dontaudit hal_weaver_citadel hidl_base_hwservice:hwservice_manager { add };
diff --git a/tracking_denials/init_citadel.te b/tracking_denials/init_citadel.te
new file mode 100644
index 00000000..4ac161ee
--- /dev/null
+++ b/tracking_denials/init_citadel.te
@@ -0,0 +1,2 @@
+# b/202906904
+dontaudit init_citadel default_android_vndservice:service_manager { find };
diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te
new file mode 100644
index 00000000..805c4984
--- /dev/null
+++ b/tracking_denials/mediacodec_google.te
@@ -0,0 +1,4 @@
+# b/202906901
+dontaudit mediacodec_google hal_codec2_hwservice:hwservice_manager { add };
+dontaudit mediacodec_google hal_codec2_hwservice:hwservice_manager { find };
+dontaudit mediacodec_google hidl_base_hwservice:hwservice_manager { add };
diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te
new file mode 100644
index 00000000..05d5b618
--- /dev/null
+++ b/tracking_denials/mediacodec_samsung.te
@@ -0,0 +1,5 @@
+# b/202906949
+dontaudit mediacodec_samsung eco_service:service_manager { add };
+dontaudit mediacodec_samsung hal_codec2_hwservice:hwservice_manager { add };
+dontaudit mediacodec_samsung hal_codec2_hwservice:hwservice_manager { find };
+dontaudit mediacodec_samsung hidl_base_hwservice:hwservice_manager { add };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
new file mode 100644
index 00000000..3ded10b4
--- /dev/null
+++ b/tracking_denials/platform_app.te
@@ -0,0 +1,2 @@
+# b/202906787
+dontaudit platform_app hal_wlc_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 00000000..28914cba
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,2 @@
+# b/202906772
+dontaudit priv_app hal_exynos_rild_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/rfsd.te b/tracking_denials/rfsd.te
new file mode 100644
index 00000000..72b14e68
--- /dev/null
+++ b/tracking_denials/rfsd.te
@@ -0,0 +1,2 @@
+# b/202906886
+dontaudit rfsd unlabeled:lnk_file { read };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
new file mode 100644
index 00000000..5907bb39
--- /dev/null
+++ b/tracking_denials/rild.te
@@ -0,0 +1,2 @@
+# b/202907136
+dontaudit rild unlabeled:lnk_file { read };
diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te
new file mode 100644
index 00000000..5646c336
--- /dev/null
+++ b/tracking_denials/rlsservice.te
@@ -0,0 +1,2 @@
+# b/202906997
+dontaudit rlsservice rls_service:service_manager { add };
diff --git a/tracking_denials/thermal_link_device.te b/tracking_denials/thermal_link_device.te
new file mode 100644
index 00000000..0ed3944f
--- /dev/null
+++ b/tracking_denials/thermal_link_device.te
@@ -0,0 +1,2 @@
+# b/202907037
+dontaudit thermal_link_device sysfs:filesystem { associate };
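Review bot: `dontaudit thermal_link_device sysfs:filesystem { associate };` hides a failure, not noise: `associate` is checked when a sysfs node is relabeled to a type (a restorecon or chcon from init), so if thermal_link_device is meant to label sysfs nodes every such relabel is being refused and the nodes keep their generic label. The base policy grants that permission to types carrying the `sysfs_type` attribute; the declaration of thermal_link_device is not in this diff, so please confirm it has that attribute (a declaration of the form `type thermal_link_device, sysfs_type, fs_type;`) and drop this suppression once it does. The `unlabeled:lnk_file { read }` lines for cbd, rfsd and rild in the same commit are the same kind of signal (a symlink no file_contexts entry covers) and deserve the same treatment rather than a dontaudit.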
diff --git a/tracking_denials/vendor_ims_app.te b/tracking_denials/vendor_ims_app.te
new file mode 100644
index 00000000..eed024ed
--- /dev/null
+++ b/tracking_denials/vendor_ims_app.te
@@ -0,0 +1,2 @@
+# b/202906888
+dontaudit vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/vendor_rcs_app.te b/tracking_denials/vendor_rcs_app.te
new file mode 100644
index 00000000..cd0570e0
--- /dev/null
+++ b/tracking_denials/vendor_rcs_app.te
@@ -0,0 +1,2 @@
+# b/202907058
+dontaudit vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager { find };
diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te
new file mode 100644
index 00000000..9c935e9c
--- /dev/null
+++ b/whitechapel_pro/service.te
@@ -0,0 +1 @@
+type hal_pixel_display_service, service_manager_type, vendor_service;
diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
new file mode 100644
index 00000000..9592f86f
--- /dev/null
+++ b/whitechapel_pro/service_contexts
@@ -0,0 +1 @@
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te
index bc886191..d1483600 100644
--- a/whitechapel_pro/vndservice.te
+++ b/whitechapel_pro/vndservice.te
@@ -1,2 +1,5 @@
 type hal_power_stats_vendor_service, vndservice_manager_type;
 type rls_service, vndservice_manager_type;
+type vendor_displaycolor_service, vndservice_manager_type;
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
+type eco_service, vndservice_manager_type;
diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts
index 66cab482..e7fb4338 100644
--- a/whitechapel_pro/vndservice_contexts
+++ b/whitechapel_pro/vndservice_contexts
@@ -1 +1,4 @@
 rlsservice u:object_r:rls_service:s0
+displaycolor u:object_r:vendor_displaycolor_service:s0
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
+media.ecoservice u:object_r:eco_service:s0
From 0a570d1bc19de925ca9a3ff75b422fc612058ba4 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 12 Oct 2021 14:19:59 +0800
Subject: [PATCH 103/900] review hw service settings
Bug: 196916111
Test: boot to home
Change-Id: I63bc13119cee3564fd577b12aba9042f484ec18f
---
 legacy/hwservice.te | 9 ---------
 legacy/hwservice_contexts | 11 -----------
 whitechapel_pro/hwservice.te | 6 ++++++
 whitechapel_pro/hwservice_contexts | 3 +++
 {legacy => whitechapel_pro}/hwservicemanager.te | 0
 5 files changed, 9 insertions(+), 20 deletions(-)
 rename {legacy => whitechapel_pro}/hwservicemanager.te (100%)
diff --git a/legacy/hwservice.te b/legacy/hwservice.te
index edb3763c..5e36cd0c 100644
--- a/legacy/hwservice.te
+++ b/legacy/hwservice.te
@@ -1,12 +1,3 @@
-type hal_vendor_telephony_hwservice, hwservice_manager_type;
-type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type;
-
-# rild service
-type hal_exynos_rild_hwservice, hwservice_manager_type;
-
 # Bluetooth HAL extension
 type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
-# Fingerprint
-type hal_fingerprint_ext_hwservice, hwservice_manager_type;
-
diff --git a/legacy/hwservice_contexts b/legacy/hwservice_contexts
index 4895c5b3..df77e6f8 100644
--- a/legacy/hwservice_contexts
+++ b/legacy/hwservice_contexts
@@ -1,16 +1,5 @@
-vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0
-vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
-vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
-
-# VIDEO
-android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
-android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
-
 # Bluetooth HAL extension
 hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
 hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
 hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0
-# Fingerprint
-vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
-
diff --git a/whitechapel_pro/hwservice.te b/whitechapel_pro/hwservice.te
index cdae523d..983e5a3f 100644
--- a/whitechapel_pro/hwservice.te
+++ b/whitechapel_pro/hwservice.te
@@ -7,3 +7,9 @@ type hal_radioext_hwservice, hwservice_manager_type;
 # WLC
 type hal_wlc_hwservice, hwservice_manager_type;
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+
+# Fingerprint
+type hal_fingerprint_ext_hwservice, hwservice_manager_type;
+
diff --git a/whitechapel_pro/hwservice_contexts b/whitechapel_pro/hwservice_contexts
index ab89ba82..0035ed49 100644
--- a/whitechapel_pro/hwservice_contexts
+++ b/whitechapel_pro/hwservice_contexts
@@ -1,6 +1,9 @@
 # dmd HAL
 vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+# Fingerprint
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
+
 # Wireless charger hal
 vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
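Review bot: `+type hal_exynos_rild_hwservice, hwservice_manager_type;` is moved into whitechapel_pro/hwservice.te, but the whitechapel_pro/hwservice_contexts hunk carries only the Goodix fingerprint entry, so nothing in this diff maps an interface to that type; unless a hwservice_contexts file outside this change does, the type is declared but never applied, and the `find` denials on it that the previous commit parked under tracking_denials (priv_app, hal_secure_element_uicc, vendor_ims_app, vendor_rcs_app) cannot be resolved by labeling. The legacy hunk also drops `vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0` without a replacement, so if that interface is still registered on this SoC it now falls through to the catch-all `default_android_hwservice` label. Please either add the contexts line for the rild interface next to the `# rild service` comment or record in that comment which file labels it; the added block in whitechapel_pro/hwservice.te also ends with a stray blank `+` line.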
diff --git a/legacy/hwservicemanager.te b/whitechapel_pro/hwservicemanager.te
similarity index 100%
rename from legacy/hwservicemanager.te
rename to whitechapel_pro/hwservicemanager.te
From 0b42f3ba82d209d88d9f1378a1e155240b82a501 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 14 Oct 2021 13:34:33 +0800
Subject: [PATCH 104/900] review file_contexts
Bug: 203025336
Test: boot to home and check if the files are there
Change-Id: I2b748b18cca389d7fdd8b1b472dcb1605e0ddaaa
---
 legacy/device.te | 3 --
 legacy/file.te | 5 ---
 legacy/file_contexts | 59 -----------------------------------
 whitechapel_pro/device.te | 1 +
 whitechapel_pro/file.te | 5 +++
 whitechapel_pro/file_contexts | 34 ++++++++++++++++++++
 6 files changed, 40 insertions(+), 67 deletions(-)
diff --git a/legacy/device.te b/legacy/device.te
index 182fe4d5..b24e400f 100644
--- a/legacy/device.te
+++ b/legacy/device.te
@@ -7,9 +7,6 @@ type wb_coexistence_dev, dev_type;
 # Touch
 type touch_offload_device, dev_type;
-# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
-type lwis_device, dev_type;
-
 # RLS device
 type rls_device, dev_type;
diff --git a/legacy/file.te b/legacy/file.te
index 1f73ec66..d2314ba2 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -28,11 +28,6 @@ type vendor_battery_debugfs, fs_type, debugfs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
-# Vendor tools
-type vendor_usf_stats, vendor_file_type, file_type;
-type vendor_usf_reg_edit, vendor_file_type, file_type;
-type vendor_dumpsys, vendor_file_type, file_type;
-
 # Sensors
 type nanohub_lock_file, file_type, data_file_type;
 type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
diff --git a/legacy/file_contexts b/legacy/file_contexts
index b771c8d9..0cfd17a2 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -1,13 +1,3 @@
-#
-# Exynos HAL
-#
-/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
-
-/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
-/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
-/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
-
 #
 # HALs
 #
@@ -51,55 +41,6 @@
 /dev/stmvl53l1_ranging u:object_r:rls_device:s0
-/dev/lwis-act0 u:object_r:lwis_device:s0
-/dev/lwis-act1 u:object_r:lwis_device:s0
-/dev/lwis-act-ak7377 u:object_r:lwis_device:s0
-/dev/lwis-act-lc898129 u:object_r:lwis_device:s0
-/dev/lwis-act-sem1215sa u:object_r:lwis_device:s0
-/dev/lwis-csi u:object_r:lwis_device:s0
-/dev/lwis-dpm u:object_r:lwis_device:s0
-/dev/lwis-eeprom0 u:object_r:lwis_device:s0
-/dev/lwis-eeprom1 u:object_r:lwis_device:s0
-/dev/lwis-eeprom2 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64s-imx355-inner u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64s-imx355-outer u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0
-/dev/lwis-flash0 u:object_r:lwis_device:s0
-/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
-/dev/lwis-g3aa u:object_r:lwis_device:s0
-/dev/lwis-gdc0 u:object_r:lwis_device:s0
-/dev/lwis-gdc1 u:object_r:lwis_device:s0
-/dev/lwis-gtnr-align u:object_r:lwis_device:s0
-/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
-/dev/lwis-ipp u:object_r:lwis_device:s0
-/dev/lwis-itp u:object_r:lwis_device:s0
-/dev/lwis-mcsc u:object_r:lwis_device:s0
-/dev/lwis-ois-lc898128 u:object_r:lwis_device:s0
-/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0
-/dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0
-/dev/lwis-pdp u:object_r:lwis_device:s0
-/dev/lwis-scsc u:object_r:lwis_device:s0
-/dev/lwis-sensor0 u:object_r:lwis_device:s0
-/dev/lwis-sensor1 u:object_r:lwis_device:s0
-/dev/lwis-sensor2 u:object_r:lwis_device:s0
-/dev/lwis-sensor-gn1 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx355 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx355-inner u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx355-outer u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx363 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0
-/dev/lwis-slc u:object_r:lwis_device:s0
-/dev/lwis-top u:object_r:lwis_device:s0
-/dev/lwis-votf u:object_r:lwis_device:s0
-
 # VIDEO
 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 30753c77..bb45e299 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -7,4 +7,5 @@ type efs_block_device, dev_type, bdev_type;
 type modem_userdata_block_device, dev_type, bdev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
+type lwis_device, dev_type;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 5904ff5d..e47d521b 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -38,6 +38,11 @@ type persist_battery_file, file_type, vendor_persist_type;
 # CHRE
 type chre_socket, file_type;
+# Vendor tools
+type vendor_usf_stats, vendor_file_type, file_type;
+type vendor_usf_reg_edit, vendor_file_type, file_type;
+type vendor_dumpsys, vendor_file_type, file_type;
+
 # Modem
 type modem_efs_file, file_type;
 type modem_userdata_file, file_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 2d35785e..34cfef97 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
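Review bot: `+type lwis_device, dev_type;` in whitechapel_pro/device.te loses the explanation the legacy declaration carried, so the only hint of what this label covers is the /dev/lwis-* list in file_contexts. Keep the comment with the declaration, `# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL` on the line above it, matching the `# Touch` / `# RLS device` headers the legacy file uses for its dev types. The same applies to the `# Vendor tools` block moved into whitechapel_pro/file.te, which is fine as carried over but would benefit from one line saying these are non-exec labels for vendor binaries that other domains execute in place, if that is the intent.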
@@ -15,6 +15,9 @@
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/convert_to_f2fs\.sh u:object_r:convert-to-f2fs-sh_exec:s0
+/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
+/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
+/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
@@ -32,6 +35,37 @@
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 # Devices
+/dev/lwis-act-ak7377 u:object_r:lwis_device:s0
+/dev/lwis-act-ak7377-imx386 u:object_r:lwis_device:s0
+/dev/lwis-act-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-csi u:object_r:lwis_device:s0
+/dev/lwis-dpm u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
+/dev/lwis-g3aa u:object_r:lwis_device:s0
+/dev/lwis-gdc0 u:object_r:lwis_device:s0
+/dev/lwis-gdc1 u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
+/dev/lwis-ipp u:object_r:lwis_device:s0
+/dev/lwis-itp u:object_r:lwis_device:s0
+/dev/lwis-mcsc u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898128 u:object_r:lwis_device:s0
+/dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-pdp u:object_r:lwis_device:s0
+/dev/lwis-scsc u:object_r:lwis_device:s0
+/dev/lwis-sensor-3j1 u:object_r:lwis_device:s0
+/dev/lwis-sensor-gm5 u:object_r:lwis_device:s0
+/dev/lwis-sensor-gn1 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0
+/dev/lwis-slc u:object_r:lwis_device:s0
+/dev/lwis-top u:object_r:lwis_device:s0
+/dev/lwis-votf u:object_r:lwis_device:s0
 /dev/dri/card0 u:object_r:graphics_device:s0
 /dev/fimg2d u:object_r:graphics_device:s0
 /dev/g2d u:object_r:graphics_device:s0
From 0b4e85afe7c37861d0974fd9005eb85b68578d8e Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 14 Oct 2021 13:57:18 +0800
Subject: [PATCH 105/900] review debugfs
Bug: 203025336
Test: Boot to home with those files labeled
Change-Id: Ibe758555512417953eb9726bdba05c4ac2ff2ccf
---
 legacy/file.te | 9 ---------
 legacy/genfs_contexts | 19 -------------------
 whitechapel_pro/file.te | 11 +++++++++++
 whitechapel_pro/genfs_contexts | 11 +++++++++++
 4 files changed, 22 insertions(+), 28 deletions(-)
diff --git a/legacy/file.te b/legacy/file.te
index d2314ba2..0ca5a442 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -12,17 +12,9 @@ type vendor_rpmbmock_data_file, file_type, data_file_type;
 # Exynos debugfs
 type vendor_ion_debugfs, fs_type, debugfs_type;
-type vendor_dmabuf_debugfs, fs_type, debugfs_type;
 type vendor_page_pinner_debugfs, fs_type, debugfs_type, sysfs_type;
 type vendor_mali_debugfs, fs_type, debugfs_type;
 type vendor_dri_debugfs, fs_type, debugfs_type;
-type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
-type vendor_regmap_debugfs, fs_type, debugfs_type;
-type vendor_usb_debugfs, fs_type, debugfs_type;
-type vendor_maxfg_debugfs, fs_type, debugfs_type;
-type vendor_charger_debugfs, fs_type, debugfs_type;
-type vendor_votable_debugfs, fs_type, debugfs_type;
-type vendor_battery_debugfs, fs_type, debugfs_type;
 # Exynos sysfs
 type sysfs_exynos_bts, sysfs_type, fs_type;
@@ -44,7 +36,6 @@ type sysfs_devicetree, sysfs_type, fs_type;
 type sysfs_mem, sysfs_type, fs_type;
 # Storage Health HAL
-type debugfs_f2fs, debugfs_type, fs_type;
 type proc_f2fs, proc_type, fs_type;
 # ZRam
diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts
index 53fb3ea5..aa9ac996 100644
--- a/legacy/genfs_contexts
+++ b/legacy/genfs_contexts
@@ -1,7 +1,4 @@
-genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
-
 # Storage
-genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
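Review bot: The new side of legacy/file.te keeps `vendor_ion_debugfs`, `vendor_page_pinner_debugfs` and `vendor_dri_debugfs` declared, while the legacy/genfs_contexts hunk that follows removes the only `genfscon debugfs` lines for /ion, /page_pinner and /dri/0/crtc- and the whitechapel_pro/genfs_contexts hunk does not re-add them (it also drops /maxfg_base and /maxfg_flip). If those debugfs nodes are absent on this SoC the three types are now dead declarations and should go out with their genfscon lines; if they are present they quietly revert to the generic `debugfs` label, which changes which domains can reach them without any denial appearing in the tracked list. Either remove the three declarations or put a comment on the surviving `# Exynos debugfs` block saying where those labels are applied, so the split between legacy/ and whitechapel_pro/ stays checkable.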
@@ -135,22 +132,6 @@ genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats
 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
-# debugfs
-
-genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
-genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0
-genfscon debugfs /maxfg_flip u:object_r:vendor_maxfg_debugfs:s0
-genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
-genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
-genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0
-genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
-genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
-genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
-genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
-genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
-genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
-genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
-
 # tracefs
 genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index e47d521b..0a181917 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -26,6 +26,17 @@ type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
+# debugfs
+type debugfs_f2fs, debugfs_type, fs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type;
+type vendor_dmabuf_debugfs, fs_type, debugfs_type;
+
 # vendor extra images
 type modem_img_file, contextmount_type, file_type, vendor_file_type;
 allow modem_img_file self:filesystem associate;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index f11d6a37..48d87a6b 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -32,3 +32,14 @@ genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object
 genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
+# debugfs
+genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
+genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
+genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
+genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
+
From c6a7058dc3eb19ef766ffa22035e00d4b7e54721 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Thu, 14 Oct 2021 13:50:18 -0700
Subject: [PATCH 106/900] Stop using the bdev_type SELinux attribute
The bdev_type is being removed from all SELinux policy files. Hence this patch.
Bug: 202520796
Test: Treehugger
Change-Id: I475ff63b3f77f1bfe49519b76bb31b90c3216105
Signed-off-by: Bart Van Assche
---
 whitechapel_pro/device.te | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index bb45e299..57c41cd4 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -1,10 +1,10 @@
-type sda_block_device, dev_type, bdev_type;
-type devinfo_block_device, dev_type, bdev_type;
-type modem_block_device, dev_type, bdev_type;
-type custom_ab_block_device, dev_type, bdev_type;
-type persist_block_device, dev_type, bdev_type;
-type efs_block_device, dev_type, bdev_type;
-type modem_userdata_block_device, dev_type, bdev_type;
+type sda_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type modem_block_device, dev_type;
+type custom_ab_block_device, dev_type;
+type persist_block_device, dev_type;
+type efs_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
From cf06f9ccbfe704a2ff5c685ef13d165a0aedefb4 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 15 Oct 2021 10:23:51 +0800
Subject: [PATCH 107/900] review proc, tracefs, and system_suspend nodes
Bug: 203025336
Test: check if each file path exists
Change-Id: I980742978599c162a6c0d09fa2a3a07d97434981
---
 legacy/file.te | 3 --
 legacy/genfs_contexts | 68 ----------------------------------
 whitechapel_pro/file.te | 3 ++
 whitechapel_pro/genfs_contexts | 9 ++++-
 4 files changed, 10 insertions(+), 73 deletions(-)
diff --git a/legacy/file.te b/legacy/file.te
index 0ca5a442..8a414f10 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -35,9 +35,6 @@ type sysfs_iommu, sysfs_type, fs_type;
 type sysfs_devicetree, sysfs_type, fs_type;
 type sysfs_mem, sysfs_type, fs_type;
-# Storage Health HAL
-type proc_f2fs, proc_type, fs_type;
-
 # ZRam
 type per_boot_file, file_type, data_file_type, core_data_file_type;
diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts
index aa9ac996..91bf2d17 100644
--- a/legacy/genfs_contexts
+++ b/legacy/genfs_contexts
@@ -1,7 +1,3 @@
-# Storage
-genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
-genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
-
 # Tethering
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/gadget/net u:object_r:sysfs_net:s0
@@ -14,34 +10,9 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:
 # Fingerprint
 genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
-# System_suspend
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-
 # Touch
 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
 genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0
-genfscon proc /fts/driver_test u:object_r:proc_touch:s0
-genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
 # TODO(b/184768835): remove this once the bug is fixed
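Review bot: Most of the 21 `sysfs_wakeup` entries removed here are not re-labeled anywhere visible: the diffstat gives whitechapel_pro/genfs_contexts only 9 added lines against 68 deletions across the two legacy hunks, so the bulk of these wakeup paths simply stop being labeled. Any of them that still exists on this SoC reverts to plain `sysfs`, and because system_suspend reads wakeup-source stats through the `sysfs_wakeup` label, the loss surfaces as missing wakeup attribution rather than as a denial in the tracked list. The Test line says each path was checked for existence; a short comment in the surviving file naming the device nodes that were confirmed absent (or the genfscon lines that replace them) would make this prunable later instead of re-verified. The `proc_touch` entries for /fts/driver_test and /fts_ext/driver_test are dropped too, while this commit's legacy/file.te hunk removes only `proc_f2fs`, so please confirm `proc_touch` is not left declared without a genfscon.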
@@ -67,42 +38,6 @@ genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:
 genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0
 genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0
 
-# system_suspend wakeup nodes
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_sup­ply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-
 genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0
 
 # Exynos
@@ -132,9 +67,6 @@ genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats
 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
 
-# tracefs
-genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
-
 # sscoredump (per device)
 genfscon sysfs /devices/platform/abrolhos/sscoredump/sscd_abrolhos/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
 genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 0a181917..85835699 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -49,6 +49,9 @@ type persist_battery_file, file_type, vendor_persist_type;
 # CHRE
 type chre_socket, file_type;
 
+# Storage Health HAL
+type proc_f2fs, proc_type, fs_type;
+
 # Vendor tools
 type vendor_usf_stats, vendor_file_type, file_type;
 type vendor_usf_reg_edit, vendor_file_type, file_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 48d87a6b..29f91a18 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -1,5 +1,8 @@
 genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
 
+# tracefs
+genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
+
 # WiFi
 genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
 
@@ -13,10 +16,12 @@ genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_m
 genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
 
 # Display
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
 
 # Storage
+genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
 genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
From 37a0cb7547b1dfb66f52f538bf7ce841dff7501c Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 15 Oct 2021 10:44:37 +0800
Subject: [PATCH 108/900] review sys file nodes
Bug: 203025336
Test: check if the paths exist
Change-Id: I5141545211e19d3c18b2c3bb315c10d33d5e3774
---
 legacy/file.te | 9 ---------
 legacy/genfs_contexts | 37 ----------------------------------
 whitechapel_pro/file.te | 5 +++++
 whitechapel_pro/genfs_contexts | 14 +++++++++++++
 4 files changed, 19 insertions(+), 46 deletions(-)
diff --git a/legacy/file.te b/legacy/file.te
index 8a414f10..9641c879 100644
--- a/legacy/file.te
+++ b/legacy/file.te
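Review bot: `genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0` reuses the type the core policy applies to the /proc/sys/vm/dirty_* writeback tunables, so every domain already allowed to write proc_dirty can now also change swappiness; if a single vendor service needs this, a dedicated proc type declared next to proc_f2fs keeps the two tunables separately auditable. The two Display lines are removed and re-added with identical text, which looks like whitespace-only churn and makes the hunk harder to review, so consider dropping that part or noting it in the commit message. A short comment on the new proc_f2fs line, e.g. `# f2fs status nodes read by the storage health HAL`, would tie it to the type declared in file.te.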
@@ -16,10 +16,6 @@ type vendor_page_pinner_debugfs, fs_type, debugfs_type, sysfs_type;
 type vendor_mali_debugfs, fs_type, debugfs_type;
 type vendor_dri_debugfs, fs_type, debugfs_type;
 
-# Exynos sysfs
-type sysfs_exynos_bts, sysfs_type, fs_type;
-type sysfs_exynos_bts_stats, sysfs_type, fs_type;
-
 # Sensors
 type nanohub_lock_file, file_type, data_file_type;
 type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
@@ -40,7 +36,6 @@ type per_boot_file, file_type, data_file_type, core_data_file_type;
 
 # Touch
 type proc_touch, proc_type, fs_type, mlstrustedobject;
-type sysfs_touch, sysfs_type, fs_type;
 
 # Wireless
 type sysfs_wlc, sysfs_type, fs_type;
@@ -56,10 +51,6 @@ type persist_display_file, file_type, vendor_persist_type;
 # Charger
 type sysfs_chargelevel, sysfs_type, fs_type;
 
-# bcl
-type sysfs_bcl, sysfs_type, fs_type;
-
-type sysfs_chip_id, sysfs_type, fs_type;
 type sysfs_spi, sysfs_type, fs_type;
 
 # Memory
diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts
index 91bf2d17..bde1116f 100644
--- a/legacy/genfs_contexts
+++ b/legacy/genfs_contexts
@@ -1,24 +1,3 @@
-# Tethering
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/gadget/net u:object_r:sysfs_net:s0
-
-# Vibrator
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0042 u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0
-
-# Fingerprint
-genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
-
-# Touch
-genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
-genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0
-genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
-
-# TODO(b/184768835): remove this once the bug is fixed
-# Display / LHBM (Local High Brightness Mode)
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_lhbm:s0
-
 # Bluetooth
 genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
 genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
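Review bot: The LHBM entry for `.../panel0-backlight/local_hbm_mode` is removed here, but its type sysfs_lhbm (declared with mlstrustedobject and a TODO pointing at b/184768835) is still present in legacy/file.te in the following commit; if the node is really absent on gs201 the declaration should go with it, and if it is present the node now falls back to the generic sysfs label and whichever domain used it loses access. The same question applies to the two SPI touch nodes (`spi11.0`, `spi6.0`) and the USB gadget `net` node labelled sysfs_net: the later whitechapel_pro/genfs_contexts hunk re-adds only `/devices/virtual/sec/tsp`, so anything that still exists is now unlabelled. The commit message's test ("check if the paths exist") covers this, but listing the paths verified absent would make the removal auditable later.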
@@ -28,22 +7,6 @@ genfscon proc /bluetooth/sleep/btwrite
 genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0
 genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0
 
-# bcl sysfs files
-genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
-
-genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0
-genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0
-genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0
-genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0
-genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0
-genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0
-
-genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0
-
-# Exynos
-genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0
-genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
-
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
 genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 85835699..4e815ee0 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -25,6 +25,11 @@ type sysfs_scsi_devices_0000, sysfs_type, fs_type;
 type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
+type sysfs_exynos_bts, sysfs_type, fs_type;
+type sysfs_exynos_bts_stats, sysfs_type, fs_type;
+type sysfs_bcl, sysfs_type, fs_type;
+type sysfs_chip_id, sysfs_type, fs_type;
+type sysfs_touch, sysfs_type, fs_type;
 
 # debugfs
 type debugfs_f2fs, debugfs_type, fs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 29f91a18..8b76c4da 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -1,4 +1,18 @@
+# Exynos
+genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0
+genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
+
 genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0
+
+# Touch
+genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
 
 # tracefs
 genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
From e5b1c96b006f81ade6165cff729fe1560af7c5a6 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 15 Oct 2021 11:04:19 +0800
Subject: [PATCH 109/900] review genfs_contexts besides bluetooth
Bug: 203025336
Test: check each path's existence
Change-Id: I0b45434f544fb243bd2810ea7abdb896056aed0e
---
 legacy/file.te | 9 ---------
 legacy/genfs_contexts | 34 ----------------------------------
 whitechapel_pro/file.te | 1 +
 whitechapel_pro/genfs_contexts | 25 +++++++++++++++++++++++++
 4 files changed, 26 insertions(+), 43 deletions(-)
diff --git a/legacy/file.te b/legacy/file.te
index 9641c879..c608b956 100644
--- a/legacy/file.te
+++ b/legacy/file.te
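Review bot: The new `/devices/system/chip-id/*` entries put per-chip identifiers (`lot_id`, `raw_str`, `ap_hw_tune_str`) under sysfs_chip_id; this hunk only labels them, so the domains granted read on sysfs_chip_id (not visible here) should be checked to be vendor daemons and not app-reachable, since these values are stable hardware identifiers. The bcl and chip-id lines are carried over without the section comments the legacy file had, while Exynos and Touch keep theirs; `# Thermal mitigation (bcl)` and `# Chip ID` headers would match the file's style. `/devices/virtual/pmic/mitigation` is a prefix rule, so it labels everything beneath that path, which is worth stating in the comment if intended.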
@@ -53,15 +53,6 @@ type sysfs_chargelevel, sysfs_type, fs_type;
 
 type sysfs_spi, sysfs_type, fs_type;
 
-# Memory
-type sysfs_memory, sysfs_type, fs_type;
-
-# bcmdhd (Broadcom FullMAC wireless cards support)
-type sysfs_bcmdhd, sysfs_type, fs_type;
-
-# Video
-type sysfs_video, sysfs_type, fs_type;
-
 # TODO(b/184768835): remove this once the bug is fixed
 # LHBM (Local High Brightness Mode)
 type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject;
diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts
index bde1116f..c3d6e365 100644
--- a/legacy/genfs_contexts
+++ b/legacy/genfs_contexts
@@ -7,37 +7,3 @@ genfscon proc /bluetooth/sleep/btwrite
 genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0
 genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0
 
-# Devfreq current frequency
-genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
-genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
-genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0
-genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0
-genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0
-genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0
-genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0
-genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
-
-# nvmem (Non Volatile Memory layer)
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0
-
-# Broadcom
-genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0
-
-# Power Stats
-genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
-
-# sscoredump (per device)
-genfscon sysfs /devices/platform/abrolhos/sscoredump/sscd_abrolhos/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-
-# mediacodec
-genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0
-
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 4e815ee0..a4f4692e 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -30,6 +30,7 @@ type sysfs_exynos_bts_stats, sysfs_type, fs_type;
 type sysfs_bcl, sysfs_type, fs_type;
 type sysfs_chip_id, sysfs_type, fs_type;
 type sysfs_touch, sysfs_type, fs_type;
+type sysfs_bcmdhd, sysfs_type, fs_type;
 
 # debugfs
 type debugfs_f2fs, debugfs_type, fs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 8b76c4da..9714258a 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -23,9 +23,34 @@ genfscon sysfs /wifi u
 # ACPM
 genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
 
+# Broadcom
+genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0
+
 # Fabric
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
 
+# sscoredump (per device)
+genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+
+# Power Stats
+genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+
+# Devfreq current frequency
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
+
 # OTA
 genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
 
From 11c3b49e36030bec846be8eb638406ecee6f1a3b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 15 Oct 2021 11:41:21 +0800
Subject: [PATCH 110/900] review file_contexts
Bug: 203025336
Test: check if every path exists
Change-Id: I156c4953a50d888e54249038b45992d134b4aaca
---
 aoc/file_contexts | 1 +
 legacy/file_contexts | 119 ----------------------------------
 whitechapel_pro/file_contexts | 40 ++++++++++++
 3 files changed, 41 insertions(+), 119 deletions(-)
diff --git a/aoc/file_contexts b/aoc/file_contexts
index edd3ebb1..71fb097b 100644
--- a/aoc/file_contexts
+++ b/aoc/file_contexts
@@ -21,6 +21,7 @@
 # AoC vendor binaries
 /vendor/bin/aocd u:object_r:aocd_exec:s0
 /vendor/bin/aocdump u:object_r:aocdump_exec:s0
+/vendor/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0
 
 # AoC audio files
 /vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
diff --git a/legacy/file_contexts b/legacy/file_contexts
index 0cfd17a2..af4bdea1 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
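Review bot: `genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0` is a prefix rule over the whole module directory, which includes the `parameters/` subtree where writable driver parameters live; the domains granted sysfs_bcmdhd are outside this view, so it is worth confirming they get read-only access or that `parameters` receives a separate, tighter label. The re-added sscoredump list omits the `abrolhos` entry and the power-stats list omits the two st21nfc nodes the legacy file had; if those are deliberate removals (paths absent on gs201) a line in the commit message would record that, since otherwise the nodes fall back to the generic sysfs label. The hunk's surrounding file content beyond the OTA block is outside this view.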
@@ -1,59 +1,3 @@
-#
-# HALs
-#
-/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs201 u:object_r:hal_bootctl_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
-
-#
-# Exynos Devices
-#
-/dev/bbd_pwrstat u:object_r:power_stats_device:s0
-/dev/tsmux u:object_r:video_device:s0
-/dev/repeater u:object_r:video_device:s0
-/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
-/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
-/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
-/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
-/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0
-/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
-
-# DM tools device
-
-
-# SIPC RIL device
-/dev/watchdog0 u:object_r:watchdog_device:s0
-
-# GPU device
-/dev/mali0 u:object_r:gpu_device:s0
-
-/persist/sensorcal\.json u:object_r:sensors_cal_file:s0
-
-# Camera
-/vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0
-/vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0
-/vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0
-/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
-/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
-
-/dev/stmvl53l1_ranging u:object_r:rls_device:s0
-
-# VIDEO
-/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
-
-# IMS VoWiFi
-/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
-/data/vendor/VoWiFi(/.*)? u:object_r:vendor_ims_data_file:s0
-
-# Sensors
-/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
-
-# Contexthub
-/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
-
 # Bluetooth
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0
 /dev/wbrc u:object_r:wb_coexistence_dev:s0
@@ -61,66 +5,3 @@
 /dev/logbuffer_btlpm u:object_r:logbuffer_device:s0
 /dev/logbuffer_tty16 u:object_r:logbuffer_device:s0
 
-# AudioMetric
-/(vendor|system/vendor)/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0
-
-
-# Trusty
-/vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0
-/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
-/dev/trusty-log0 u:object_r:logbuffer_device:s0
-
-# GRIL
-/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
-
-# Vendor_kernel_modules
-/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
-
-# Display
-/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
-
-# Touch
-/dev/touch_offload u:object_r:touch_offload_device:s0
-
-# Zram
-/data/per_boot(/.*)? u:object_r:per_boot_file:s0
-
-# sensor direct DMA-BUF heap
-/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
-
-# Console
-/dev/ttySAC0 u:object_r:tty_device:s0
-
-# faceauth DMA-BUF heaps
-/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
-
-# vframe-secure DMA-BUF heap
-/dev/dma_heap/vframe-secure u:object_r:vframe_heap_device:s0
-
-# vscaler-secure DMA-BUF heap
-/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
-
-# vstream-secure DMA-BUF heap
-/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
-
-# BigOcean
-/dev/bigocean u:object_r:video_device:s0
-
-# Fingerprint
-/dev/goodix_fp u:object_r:fingerprint_device:s0
-
-#
-# USF SELinux file security contexts.
-#
-
-# Sensor registry persist files.
-/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
-
-# Sensor registry data files.
-/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
-
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 34cfef97..c7c26a4b 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -18,6 +18,12 @@
 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
 /vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
+/vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
@@ -34,7 +40,35 @@
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 
+# Vendor kernel modules
+/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
+
 # Devices
+/dev/trusty-log0 u:object_r:logbuffer_device:s0
+/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+/dev/ttySAC0 u:object_r:tty_device:s0
+/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/vframe-secure u:object_r:vframe_heap_device:s0
+/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/bigocean u:object_r:video_device:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+/dev/touch_offload u:object_r:touch_offload_device:s0
+/dev/stmvl53l1_ranging u:object_r:rls_device:s0
+/dev/watchdog0 u:object_r:watchdog_device:s0
+/dev/mali0 u:object_r:gpu_device:s0
+/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
+/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
+/dev/bbd_pwrstat u:object_r:power_stats_device:s0
 /dev/lwis-act-ak7377 u:object_r:lwis_device:s0
 /dev/lwis-act-ak7377-imx386 u:object_r:lwis_device:s0
 /dev/lwis-act-sem1215sa u:object_r:lwis_device:s0
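Review bot: `/dev/ttySAC0 u:object_r:tty_device:s0` labels a physical UART console with the platform's tty_device type, which the core policy grants more broadly than serial_device, the type the core file_contexts gives `/dev/ttyS*` nodes; the line is carried over from legacy, but if this is the debug console the move is the moment to consider the tighter label. The move also drops `/dev/tsmux`, `/dev/repeater` and the `logbuffer_maxfg_base`, `logbuffer_maxfg_flip` and `logbuffer_pca9468_tcpm` nodes; any of these that still appears on the device falls back to the generic device label, which vendor domains cannot open, so the "check if every path exists" test in the message is load-bearing and the checked list is worth recording. The twenty-five new device lines also lose the grouping comments the legacy file had (`# faceauth DMA-BUF heaps`, `# Trusty`, `# Console`); keeping those headers would preserve that documentation.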
@@ -127,11 +161,17 @@
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
 /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
+/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
+/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
+/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
+/data/per_boot(/.*)? u:object_r:per_boot_file:s0
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
 
 # Persist
 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
 
 # Extra mount images
 /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
From 37e4973df6a852db4bb5dd00b37485311e4cb0a1 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 18 Oct 2021 10:31:31 +0800
Subject: [PATCH 111/900] review file declaration
Bug: 203025336
Test: build pass
Change-Id: I8cfec54ac035f41ccafc58f1ec0b125613e0742b
---
 legacy/device.te | 24 ------------------------
 legacy/file.te | 28 ----------------------------
 whitechapel_pro/device.te | 8 ++++++++
 whitechapel_pro/file.te | 6 ++++++
 4 files changed, 14 insertions(+), 52 deletions(-)
diff --git a/legacy/device.te b/legacy/device.te
index b24e400f..a2563322 100644
--- a/legacy/device.te
+++ b/legacy/device.te
@@ -1,27 +1,3 @@
-# usbpd
-type logbuffer_device, dev_type;
-
 # Bt Wifi Coexistence device
 type wb_coexistence_dev, dev_type;
 
-# Touch
-type touch_offload_device, dev_type;
-
-# RLS device
-type rls_device, dev_type;
-
-# sensor direct DMA-BUF heap
-type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
-
-#faceauth DMA-BUF heaps
-type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
-
-#vframe-secure DMA-BUF heap
-type vframe_heap_device, dmabuf_heap_device_type, dev_type;
-
-#vscaler-secure DMA-BUF heap
-type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
-
-# Fingerprint device
-type fingerprint_device, dev_type;
-
diff --git a/legacy/file.te b/legacy/file.te
index c608b956..c4b5d5cc 100644
--- a/legacy/file.te
+++ b/legacy/file.te
@@ -1,13 +1,10 @@
 # Exynos Data Files
 #type vendor_data_file, file_type, data_file_type;
 type vendor_cbd_boot_file, file_type, data_file_type;
-type vendor_media_data_file, file_type, data_file_type;
 
 # app data files
 type vendor_test_data_file, file_type, data_file_type;
 type vendor_telephony_data_file, file_type, data_file_type;
-type vendor_ims_data_file, file_type, data_file_type;
-type vendor_misc_data_file, file_type, data_file_type;
 type vendor_rpmbmock_data_file, file_type, data_file_type;
 
 # Exynos debugfs
@@ -18,8 +15,6 @@ type vendor_dri_debugfs, fs_type, debugfs_type;
 
 # Sensors
 type nanohub_lock_file, file_type, data_file_type;
-type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-type sensors_cal_file, file_type;
 type sysfs_nanoapp_cmd, sysfs_type, fs_type;
 
 # Fingerprint
@@ -31,23 +26,12 @@ type sysfs_iommu, sysfs_type, fs_type;
 type sysfs_devicetree, sysfs_type, fs_type;
 type sysfs_mem, sysfs_type, fs_type;
-# ZRam
-type per_boot_file, file_type, data_file_type, core_data_file_type;
-
 # Touch
 type proc_touch, proc_type, fs_type, mlstrustedobject;
 # Wireless
 type sysfs_wlc, sysfs_type, fs_type;
-# Camera
-type persist_camera_file, file_type;
-type vendor_camera_tuning_file, vendor_file_type, file_type;
-type vendor_camera_data_file, file_type, data_file_type;
-
-# Display
-type persist_display_file, file_type, vendor_persist_type;
-
 # Charger
 type sysfs_chargelevel, sysfs_type, fs_type;
@@ -60,15 +44,3 @@ type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject;
 # UWB vendor
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
-#
-# USF file SELinux type enforcements.
-#
-
-# Declare the sensor registry persist file type. By convention, persist file
-# types begin with "persist_".
-type persist_sensor_reg_file, file_type, vendor_persist_type;
-
-# Declare the sensor registry data file type. By convention, data file types
-# end with "data_file".
-type sensor_reg_data_file, file_type, data_file_type;
-
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 57c41cd4..1f5e22ba 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -8,4 +8,12 @@ type modem_userdata_block_device, dev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
+type logbuffer_device, dev_type;
+type rls_device, dev_type;
+type touch_offload_device, dev_type;
+type fingerprint_device, dev_type;
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+type vframe_heap_device, dmabuf_heap_device_type, dev_type;
+type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index a4f4692e..dea131d5 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -7,6 +7,11 @@ type vendor_slog_file, file_type, data_file_type;
 type radio_vendor_data_file, file_type, data_file_type;
 type updated_wifi_firmware_data_file, file_type, data_file_type;
 type tcpdump_vendor_data_file, file_type, data_file_type;
+type vendor_camera_data_file, file_type, data_file_type;
+type vendor_media_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type sensor_reg_data_file, file_type, data_file_type;
+type per_boot_file, file_type, data_file_type, core_data_file_type;
 userdebug_or_eng(`
 typeattribute tcpdump_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
@@ -51,6 +56,7 @@ allow modem_img_file self:filesystem associate;
 type persist_modem_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
 type persist_battery_file, file_type, vendor_persist_type;
+type persist_sensor_reg_file, file_type, vendor_persist_type;
 # CHRE
 type chre_socket, file_type;
From 503d402cb2b63ebf252f80d120a4831abe1c6414 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 18 Oct 2021 10:52:37 +0800 Subject: [PATCH 112/900] review the rest of file declaration Bug: 203025336 Test: build pass Change-Id: I330a8dd46bdf6b731d4f7f61544e1d1f1e59876c
---
legacy/file.te | 46 -------------------------- legacy/vendor_init.te | 3 -- {legacy => whitechapel_pro}/attributes | 0 whitechapel_pro/file.te | 2 ++ 4 files changed, 2 insertions(+), 49 deletions(-) delete mode 100644 legacy/file.te rename {legacy => whitechapel_pro}/attributes (100%)
diff --git a/legacy/file.te b/legacy/file.te
deleted file mode 100644
index c4b5d5cc..00000000
--- a/legacy/file.te
+++ /dev/null
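Review bot: `per_boot_file` is the only declaration in this hunk that carries `core_data_file_type`, presumably because `/data/per_boot` (labelled in the file_contexts hunk earlier in this series) lies outside `/data/vendor`; next to four plain `data_file_type` lines the extra attribute reads like a copy error, so `# /data/per_boot is outside /data/vendor and must also be core_data_file_type` would protect it from a later cleanup. The only rules on this type visible in the series, `allow init per_boot_file:file ioctl;` and the `F2FS_IOC_SET_PIN_FILE` allowxperm, are deleted together with legacy/init.te in PATCH 114 and not moved anywhere visible; if init still pins that file, the label now exists but the access will be denied.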
@@ -1,46 +0,0 @@ -# Exynos Data Files -#type vendor_data_file, file_type, data_file_type; -type vendor_cbd_boot_file, file_type, data_file_type; - -# app data files -type vendor_test_data_file, file_type, data_file_type; -type vendor_telephony_data_file, file_type, data_file_type; -type vendor_rpmbmock_data_file, file_type, data_file_type; - -# Exynos debugfs -type vendor_ion_debugfs, fs_type, debugfs_type; -type vendor_page_pinner_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_mali_debugfs, fs_type, debugfs_type; -type vendor_dri_debugfs, fs_type, debugfs_type; - -# Sensors -type nanohub_lock_file, file_type, data_file_type; -type sysfs_nanoapp_cmd, sysfs_type, fs_type; - -# Fingerprint -type sysfs_fingerprint, sysfs_type, fs_type; - -# IOMMU -type sysfs_iommu, sysfs_type, fs_type; - -type sysfs_devicetree, sysfs_type, fs_type; -type sysfs_mem, sysfs_type, fs_type; - -# Touch -type proc_touch, proc_type, fs_type, mlstrustedobject; - -# Wireless -type sysfs_wlc, sysfs_type, fs_type; - -# Charger -type sysfs_chargelevel, sysfs_type, fs_type; - -type sysfs_spi, sysfs_type, fs_type; - -# TODO(b/184768835): remove this once the bug is fixed -# LHBM (Local High Brightness Mode) -type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject; - -# UWB vendor -type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; - diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index b18cf54a..b4739946 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te @@ -6,9 +6,6 @@ get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) set_prop(vendor_init, vendor_thermal_prop) -allow vendor_init proc_dirty:file w_file_perms; -allow vendor_init proc_sched:file write; - userdebug_or_eng(` set_prop(vendor_init, logpersistd_logging_prop) ') diff --git a/legacy/attributes b/whitechapel_pro/attributes similarity index 100% rename from legacy/attributes rename to whitechapel_pro/attributes 
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index dea131d5..48272ace 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -36,6 +36,8 @@ type sysfs_bcl, sysfs_type, fs_type; type sysfs_chip_id, sysfs_type, fs_type; type sysfs_touch, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; +type sysfs_wlc, sysfs_type, fs_type; +type sysfs_chargelevel, sysfs_type, fs_type; # debugfs type debugfs_f2fs, debugfs_type, fs_type; From 90068020c378fc6fd07c631a4d895e6dcd9f0a4e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 18 Oct 2021 11:16:14 +0800 Subject: [PATCH 113/900] review property settings Bug: 203025336 Test: build pass Change-Id: I48bc1b0a5ffc4631fec04750c9b58bed8f15d39d --- legacy/property.te | 19 ------------------- legacy/property_contexts | 28 ---------------------------- legacy/vendor_init.te | 20 -------------------- whitechapel_pro/property.te | 4 ++++ whitechapel_pro/property_contexts | 10 ++++++++++ 5 files changed, 14 insertions(+), 67 deletions(-) delete mode 100644 legacy/property.te delete mode 100644 legacy/property_contexts delete mode 100644 legacy/vendor_init.te diff --git a/legacy/property.te b/legacy/property.te deleted file mode 100644 index 6f9cec26..00000000 --- a/legacy/property.te +++ /dev/null @@ -1,19 +0,0 @@ -# For Exynos Properties -vendor_internal_prop(vendor_prop) -vendor_internal_prop(sensors_prop) -# vendor defaults -vendor_internal_prop(vendor_config_default_prop) -vendor_internal_prop(vendor_ro_sys_default_prop) -vendor_internal_prop(vendor_persist_sys_default_prop) -vendor_internal_prop(vendor_codec2_debug_prop) -vendor_internal_prop(vendor_display_prop) -vendor_internal_prop(vendor_gps_prop) - -# Logger -vendor_internal_prop(vendor_logger_prop) - -# Touchpanel -vendor_internal_prop(vendor_touchpanel_prop) - -# Fingerprint -vendor_internal_prop(vendor_fingerprint_fake_prop) 
diff --git a/legacy/property_contexts b/legacy/property_contexts deleted file mode 100644 index 3e4b64ad..00000000 --- a/legacy/property_contexts +++ /dev/null @@ -1,28 +0,0 @@ -# Ramdump -persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0 - -# for codec2 -vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0 -vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0 -vendor.debug.c2.dump.opt u:object_r:vendor_codec2_debug_prop:s0 - -# for logger app -vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 - -# vendor default -vendor.config. u:object_r:vendor_config_default_prop:s0 -ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 -persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0 - -# for display -ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 - -# for gps -vendor.gps u:object_r:vendor_gps_prop:s0 - -# Touchpanel -vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0 - -# Fingerprint -vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te deleted file mode 100644 index b4739946..00000000 --- a/legacy/vendor_init.te +++ /dev/null @@ -1,20 +0,0 @@ -set_prop(vendor_init, vendor_modem_prop) -set_prop(vendor_init, vendor_rild_prop) -set_prop(vendor_init, vendor_usb_config_prop) -set_prop(vendor_init, vendor_slog_prop) -get_prop(vendor_init, vendor_touchpanel_prop) -set_prop(vendor_init, vendor_tcpdump_log_prop) -set_prop(vendor_init, vendor_thermal_prop) - -userdebug_or_eng(` - set_prop(vendor_init, logpersistd_logging_prop) -') - -# Battery defender/harness/profile -get_prop(vendor_init, test_harness_prop) -set_prop(vendor_init, vendor_battery_defender_prop) - -# Fingerprint property -userdebug_or_eng(` - set_prop(vendor_init, vendor_fingerprint_fake_prop) -') 
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index a3b71457..c7c31aa3 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -16,4 +16,8 @@ vendor_internal_prop(vendor_usb_config_prop)
 vendor_internal_prop(vendor_tcpdump_log_prop)
 vendor_internal_prop(vendor_device_prop)
 vendor_internal_prop(vendor_ready_prop)
+vendor_internal_prop(vendor_gps_prop)
+vendor_internal_prop(vendor_ro_sys_default_prop)
+vendor_internal_prop(vendor_persist_sys_default_prop)
+vendor_internal_prop(vendor_logger_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 01f2d7cf..cede6efe 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -68,3 +68,13 @@ vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
 # Camera
 vendor.camera. u:object_r:vendor_camera_prop:s0
+# for logger app
+persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+
+# vendor default
+ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
+persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
+
+# for gps
+vendor.gps u:object_r:vendor_gps_prop:s0
+
From e0107f4952b5fcd7762645c4a35993dd7c4a9382 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 18 Oct 2021 11:20:13 +0800 Subject: [PATCH 114/900] remove legacy sepolicy to have a clean start Bug: 196916111 Test: build pass and boot to home Change-Id: Idb220db3c1f8b35a9dfac15caf6114fa2e6737fe
---
legacy/domain.te | 1 - legacy/init.te | 4 ---- 2 files changed, 5 deletions(-) delete mode 100644 legacy/init.te
diff --git a/legacy/domain.te b/legacy/domain.te
index 2073b47b..c6a611eb 100644
--- a/legacy/domain.te
+++ b/legacy/domain.te
@@ -1,4 +1,3 @@
-allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;
 dontaudit domain file_type:file *;
 dontaudit domain file_type:chr_file *;
 dontaudit domain file_type:dir *;
diff --git a/legacy/init.te b/legacy/init.te
deleted file mode 100644
index 5b0f7a7b..00000000
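Review bot: `ro.vendor.sys.` and `persist.vendor.sys.` are prefix entries, so every property under those namespaces collapses onto one type each and any domain granted set_prop on `vendor_persist_sys_default_prop` can write all of `persist.vendor.sys.*`; the same commit deletes the more specific `persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0` entry from legacy/property_contexts, so unless that name is still listed elsewhere in whitechapel_pro/property_contexts it now falls under the catch-all. `vendor.gps` has no trailing dot, which matches any name that begins with those characters (a constructed example: `vendor.gpsfoo`) rather than the `vendor.gps.` namespace. A comment above each catch-all naming the daemons meant to own it, plus an `exact` entry for `persist.vendor.sys.crash_rcu`, would keep the original granularity.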
--- a/legacy/init.te +++ /dev/null @@ -1,4 +0,0 @@ -allow init ram_device:blk_file w_file_perms; -allow init per_boot_file:file ioctl; -allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE }; -allow init sysfs_scsi_devices_0000:file w_file_perms; From 862eca15106b5075c9427c0aa6c05eaac4603923 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 18 Oct 2021 11:41:04 +0800 Subject: [PATCH 115/900] remove redundant bluetooth sepolicy Bug: 202790744 Test: boot with bluetooth hal started Change-Id: Ie78cb9caeabd6b202ff99f9896fe0ae6e57cabfe --- legacy/device.te | 3 --- legacy/file_contexts | 7 ------- legacy/genfs_contexts | 9 --------- legacy/hal_bluetooth_btlinux.te | 22 ---------------------- legacy/hwservice.te | 3 --- legacy/hwservice_contexts | 5 ----- 6 files changed, 49 deletions(-) delete mode 100644 legacy/device.te delete mode 100644 legacy/file_contexts delete mode 100644 legacy/genfs_contexts delete mode 100644 legacy/hal_bluetooth_btlinux.te delete mode 100644 legacy/hwservice.te delete mode 100644 legacy/hwservice_contexts diff --git a/legacy/device.te b/legacy/device.te deleted file mode 100644 index a2563322..00000000 --- a/legacy/device.te +++ /dev/null @@ -1,3 +0,0 @@ -# Bt Wifi Coexistence device -type wb_coexistence_dev, dev_type; - diff --git a/legacy/file_contexts b/legacy/file_contexts deleted file mode 100644 index af4bdea1..00000000 --- a/legacy/file_contexts +++ /dev/null @@ -1,7 +0,0 @@ -# Bluetooth -/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 -/dev/wbrc u:object_r:wb_coexistence_dev:s0 -/dev/ttySAC18 u:object_r:hci_attach_dev:s0 -/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 -/dev/logbuffer_tty16 u:object_r:logbuffer_device:s0 - diff --git a/legacy/genfs_contexts b/legacy/genfs_contexts deleted file mode 100644 index c3d6e365..00000000 --- a/legacy/genfs_contexts +++ /dev/null 
@@ -1,9 +0,0 @@ -# Bluetooth -genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0 - diff --git a/legacy/hal_bluetooth_btlinux.te b/legacy/hal_bluetooth_btlinux.te deleted file mode 100644 index f348099e..00000000 --- a/legacy/hal_bluetooth_btlinux.te +++ /dev/null 
@@ -1,22 +0,0 @@ -add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice); -get_prop(hal_bluetooth_btlinux, boot_status_prop) - -allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms; -allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms; -allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms; -allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms; -binder_call(hal_bluetooth_btlinux, servicemanager) - -# power stats -vndbinder_use(hal_bluetooth_btlinux) -allow hal_bluetooth_btlinux hal_power_stats_vendor_service:service_manager find; -binder_call(hal_bluetooth_btlinux, hal_power_stats_default) - -allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; -allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms; - -userdebug_or_eng(` - allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms; - allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:file create_file_perms; - allow hal_bluetooth_btlinux logbuffer_device:chr_file r_file_perms; -') diff --git a/legacy/hwservice.te b/legacy/hwservice.te deleted file mode 100644 index 5e36cd0c..00000000 --- a/legacy/hwservice.te +++ /dev/null @@ -1,3 +0,0 @@ -# Bluetooth HAL extension -type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; - diff --git a/legacy/hwservice_contexts b/legacy/hwservice_contexts deleted file mode 100644 index df77e6f8..00000000 --- a/legacy/hwservice_contexts +++ /dev/null @@ -1,5 +0,0 @@ -# Bluetooth HAL extension -hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 - 
From a5f61547cf62b414ab2217de20866ce4e1591f25 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 20 Oct 2021 09:33:29 +0800 Subject: [PATCH 116/900] remove legacy folder Bug: 196916111 Test: boot to home Change-Id: I33e4cf4a339092a31c951098e982c0bd38e53852 --- gs201-sepolicy.mk | 1 - {legacy => whitechapel_pro}/domain.te | 0 2 files changed, 1 deletion(-) rename {legacy => whitechapel_pro}/domain.te (100%) diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 2024e726..3fe859d1 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk @@ -1,6 +1,5 @@ # sepolicy that are shared among devices using whitechapel BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro -BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/legacy # unresolved SELinux error log with bug tracking BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials diff --git a/legacy/domain.te b/whitechapel_pro/domain.te similarity index 100% rename from legacy/domain.te rename to whitechapel_pro/domain.te From a39f2e902e1e64a404ba87401e413f1b55e16e54 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 20 Oct 2021 09:36:33 +0800 Subject: [PATCH 117/900] remove unlabeled dontaudits The log shows up when we remount the phone, causing modem images going back to default file contexts: "unlabeled" Bug: 202906831 Test: Boot to home with no relevant log Change-Id: I69baced268782d9b38c1a56c62b3c63ae55733e4 --- tracking_denials/cbd.te | 2 -- tracking_denials/rfsd.te | 2 -- tracking_denials/rild.te | 2 -- 3 files changed, 6 deletions(-) delete mode 100644 tracking_denials/cbd.te delete mode 100644 tracking_denials/rfsd.te delete mode 100644 tracking_denials/rild.te diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te deleted file mode 100644 index 93a18e25..00000000 --- a/tracking_denials/cbd.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/202906831 -dontaudit cbd unlabeled:lnk_file { read }; 
diff --git a/tracking_denials/rfsd.te b/tracking_denials/rfsd.te
deleted file mode 100644
index 72b14e68..00000000
--- a/tracking_denials/rfsd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202906886
-dontaudit rfsd unlabeled:lnk_file { read };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
deleted file mode 100644
index 5907bb39..00000000
--- a/tracking_denials/rild.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202907136
-dontaudit rild unlabeled:lnk_file { read };
From 56bef214d30e2a87a411f81fe3ddf5429e1d2c31 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 20 Oct 2021 09:54:52 +0800 Subject: [PATCH 118/900] fix citadeld's service access Bug: 202906931 Test: boot with no relevant logs Change-Id: Ic65c6f218f69a1afa14fcd1b6eb0feacf48ea54f
---
dauntless/citadeld.te | 3 +++ dauntless/vndservice_contexts | 1 + tracking_denials/citadeld.te | 3 --- 3 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 dauntless/vndservice_contexts delete mode 100644 tracking_denials/citadeld.te
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
index bd8e4e38..8fdbdf34 100644
--- a/dauntless/citadeld.te
+++ b/dauntless/citadeld.te
@@ -2,3 +2,6 @@ type citadeld, domain;
 type citadeld_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(citadeld)
+
+allow citadeld fwk_stats_service:service_manager find;
+allow citadeld hal_power_stats_vendor_service:service_manager find;
diff --git a/dauntless/vndservice_contexts b/dauntless/vndservice_contexts
new file mode 100644
index 00000000..b4df996b
--- /dev/null
+++ b/dauntless/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te
deleted file mode 100644
index ed49ef56..00000000
--- a/tracking_denials/citadeld.te
+++ /dev/null
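Review bot: The tracking denial being retired was `citadeld default_android_vndservice:service_manager { add }`, i.e. citadeld registering ICitadeld with vndservicemanager, but after labelling that name `citadeld_service` this hunk grants citadeld only two `find` rules and no `add` on the new label. Unless `add_service(citadeld, citadeld_service)` and the `type citadeld_service, vndservice_manager_type;` declaration live in dauntless files outside this diff, registration will now be denied against `citadeld_service` instead of the default label (the avc line quoted in PATCH 120 does resolve the type, so the declaration at least appears to exist). A one-line comment next to the new vndservice_contexts entry pointing at where the add rule lives would make the pairing visible.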
@@ -1,3 +0,0 @@ -# b/202906931 -dontaudit citadeld default_android_vndservice:service_manager { add }; -dontaudit citadeld hal_power_stats_vendor_service:service_manager { find }; From e9d02e08f53a6b89fc24858077800def2039f450 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 20 Oct 2021 10:05:15 +0800 Subject: [PATCH 119/900] fix widevine drm access Bug: 202906980 Test: boot with no relevant logs Change-Id: Idc37f7e1441d9fae1f570bc53ff67a7a48656ed3 --- tracking_denials/hal_drm_widevine.te | 4 ---- widevine/hal_drm_widevine.te | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/hal_drm_widevine.te diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te deleted file mode 100644 index 577c7424..00000000 --- a/tracking_denials/hal_drm_widevine.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/202906980 -dontaudit hal_drm_widevine hal_drm_hwservice:hwservice_manager { add }; -dontaudit hal_drm_widevine hal_drm_hwservice:hwservice_manager { find }; -dontaudit hal_drm_widevine hidl_base_hwservice:hwservice_manager { add }; diff --git a/widevine/hal_drm_widevine.te b/widevine/hal_drm_widevine.te index 0e465719..1ecfa920 100644 --- a/widevine/hal_drm_widevine.te +++ b/widevine/hal_drm_widevine.te @@ -2,6 +2,8 @@ type hal_drm_widevine, domain; type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_drm_widevine) +hal_server_domain(hal_drm_widevine, hal_drm) + # L3 allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms; allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms; From 4c20c40f50e57366c2aade9d34e8ca05c36e9a7b Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 20 Oct 2021 10:26:18 +0800 Subject: [PATCH 120/900] Fix hal_keymint_citadel service access 10-20 10:24:31.155 432 432 E SELinux : avc: denied { find } for pid=481 uid=1064 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_keymint_citadel:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=1 Bug: 202907039 Test: boot to home with no keymint errors Change-Id: I7935fe52a9774f8fca67336be9c9d47fe2675756
---
dauntless/hal_keymint_citadel.te | 4 ++++ dauntless/service_contexts | 2 ++ tracking_denials/hal_keymint_citadel.te | 2 -- 3 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 dauntless/service_contexts delete mode 100644 tracking_denials/hal_keymint_citadel.te
diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keymint_citadel.te
index 04680edf..29f528f1 100644
--- a/dauntless/hal_keymint_citadel.te
+++ b/dauntless/hal_keymint_citadel.te
@@ -2,3 +2,7 @@ type hal_keymint_citadel, domain;
 type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_keymint_citadel)
+
+hal_server_domain(hal_keymint_citadel, hal_keymint)
+
+allow hal_keymint_citadel citadeld_service:service_manager find;
diff --git a/dauntless/service_contexts b/dauntless/service_contexts
new file mode 100644
index 00000000..5639b588
--- /dev/null
+++ b/dauntless/service_contexts
@@ -0,0 +1,2 @@
+android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0
diff --git a/tracking_denials/hal_keymint_citadel.te b/tracking_denials/hal_keymint_citadel.te
deleted file mode 100644
index d9000fe0..00000000
--- a/tracking_denials/hal_keymint_citadel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202907039
-dontaudit hal_keymint_citadel default_android_vndservice:service_manager { find };
From ecc3a24449de25916e0eade736cfa6cde40028df Mon Sep 17 00:00:00 2001
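Review bot: `allow hal_keymint_citadel citadeld_service:service_manager find;` only lets the HAL look the service up; actually talking to citadeld also needs `vndbinder_use(hal_keymint_citadel)` and `binder_call(hal_keymint_citadel, citadeld)`, and neither appears in this hunk or in the visible lines of the file. The same find-only pattern is repeated for hal_identity_citadel (PATCH 121), init_citadel (PATCH 122) and hal_weaver_citadel (PATCH 124). If those grants come from a shared dauntless file or from citadeld.te itself, a comment such as `# vndbinder access to citadeld is granted in <file>` next to the find rule would save the next reader the search; otherwise the next permissive-mode log line will be a binder `call` denial.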
From: Adam Shih Date: Wed, 20 Oct 2021 10:35:18 +0800 Subject: [PATCH 121/900] fix identity service access 10-20 10:32:58.701 438 438 E SELinux : avc: denied { find } for pid=742 uid=9999 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_identity_citadel:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=1 Bug: 202906902 Test: boot to home with no relevant error Change-Id: Ia6e09343843f9a5c96e06998ba5c50fb64948d7f --- dauntless/hal_identity_citadel.te | 2 ++ tracking_denials/hal_identity_citadel.te | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) delete mode 100644 tracking_denials/hal_identity_citadel.te diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te index 7b2c37c3..038a4c58 100644 --- a/dauntless/hal_identity_citadel.te +++ b/dauntless/hal_identity_citadel.te @@ -2,3 +2,5 @@ type hal_identity_citadel, domain; type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_identity_citadel) +hal_server_domain(hal_identity_citadel, hal_identity) +allow hal_identity_citadel citadeld_service:service_manager find; diff --git a/tracking_denials/hal_identity_citadel.te b/tracking_denials/hal_identity_citadel.te deleted file mode 100644 index c0c7e374..00000000 --- a/tracking_denials/hal_identity_citadel.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/202906902 -dontaudit hal_identity_citadel default_android_vndservice:service_manager { find }; From fc1ec67aa450a0cd653d9867a6a0c17c8fe7f850 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 20 Oct 2021 10:41:56 +0800 Subject: [PATCH 122/900] fix init_citadel service access Bug: 202906904 Test: boot to home with no relevant error Change-Id: I6729ced49cbbecbc33234e311fb81652a065fe39 --- dauntless/init_citadel.te | 1 + tracking_denials/init_citadel.te | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/init_citadel.te 
diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te index 2c8246ba..35a93bc7 100644 --- a/dauntless/init_citadel.te +++ b/dauntless/init_citadel.te @@ -2,3 +2,4 @@ type init_citadel, domain; type init_citadel_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(init_citadel) +allow init_citadel citadeld_service:service_manager find; diff --git a/tracking_denials/init_citadel.te b/tracking_denials/init_citadel.te deleted file mode 100644 index 4ac161ee..00000000 --- a/tracking_denials/init_citadel.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/202906904 -dontaudit init_citadel default_android_vndservice:service_manager { find }; From 6dea3e084210b867f34a8b18ca71c989c10a47ba Mon Sep 17 00:00:00 2001 From: Jasmine Cha Date: Thu, 7 Oct 2021 15:24:27 +0800 Subject: [PATCH 123/900] audio: add permission to request health/sensor data - Add audio hal into hal_health clients - allow audio hal to find fwk_sensor_hwservice SELinux : avc: denied { find } for interface=android.frameworks.sensorservice::ISensorManager sid=u:r:hal_audio_default:s0 pid=5907 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:fwk_sensor_hwservice:s0 tclass=hwservice_manager permissive=1 SELinux : avc: denied { find } for interface=android.hardware.health::IHealth sid=u:r:hal_audio_default:s0 pid=9875 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:hal_health_hwservice:s0 tclass=hwservice_manager permissive=1 audio.service: type=1400 audit(0.0:14): avc: denied { call } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_health_default:s0 tclass=binder permissive=1 audio.service: type=1400 audit(0.0:15): avc: denied { transfer } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_health_default:s0 tclass=binder permissive=1 Bug: 199382564 Bug: 199801586 Test: build pass Signed-off-by: Jasmine Cha Change-Id: I6c8d9cd73953b20905857368d740fd91e92c6928 --- aoc/hal_audio_default.te | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te
index 5ee99469..1f3edbe2 100644
--- a/aoc/hal_audio_default.te
+++ b/aoc/hal_audio_default.te
@@ -23,6 +23,9 @@ allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
 get_prop(hal_audio_default, vendor_audio_prop);
+hal_client_domain(hal_audio_default, hal_health);
+allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find;
+
 userdebug_or_eng(`
 allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
 allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
From 9cb1f625ba9a6b76c2114b7755075cf69e651d5e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 25 Oct 2021 11:09:06 +0800 Subject: [PATCH 124/900] fix hal_weaver_citadel denials Bug: 202907040 Test: boot with nno relevant errors Change-Id: Ieb7a57518b433cc6cd2849afb58c8616b409db13
---
dauntless/hal_weaver_citadel.te | 5 +++++ tracking_denials/hal_weaver_citadel.te | 9 --------- 2 files changed, 5 insertions(+), 9 deletions(-) delete mode 100644 tracking_denials/hal_weaver_citadel.te
diff --git a/dauntless/hal_weaver_citadel.te b/dauntless/hal_weaver_citadel.te
index 5cd1c6a4..26528c4b 100644
--- a/dauntless/hal_weaver_citadel.te
+++ b/dauntless/hal_weaver_citadel.te
@@ -2,3 +2,8 @@ type hal_weaver_citadel, domain;
 type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_weaver_citadel)
+hal_server_domain(hal_weaver_citadel, hal_weaver)
+hal_server_domain(hal_weaver_citadel, hal_oemlock)
+hal_server_domain(hal_weaver_citadel, hal_authsecret)
+
+allow hal_weaver_citadel citadeld_service:service_manager find;
diff --git a/tracking_denials/hal_weaver_citadel.te b/tracking_denials/hal_weaver_citadel.te
deleted file mode 100644
index 831deb80..00000000
--- a/tracking_denials/hal_weaver_citadel.te
+++ /dev/null
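Review bot: `hal_client_domain(hal_audio_default, hal_health);` ends with a semicolon the m4 macro does not need; it copies the `get_prop(...)` context line above but differs from every other macro call added in this series (e.g. `hal_client_domain(hal_fingerprint_default, hal_power)` in PATCH 125), so the file now mixes both forms. The two new grants also carry no comment although the message cites two bugs; `# b/199382564 b/199801586: audio HAL reads health and sensor data` above them would tie the rules to their justification. Whether the `find` on fwk_sensor_hwservice is sufficient on its own depends on binder rules outside this hunk, which cannot be confirmed here.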
@@ -1,9 +0,0 @@ -# b/202907040 -dontaudit hal_weaver_citadel default_android_vndservice:service_manager { find }; -dontaudit hal_weaver_citadel hal_authsecret_hwservice:hwservice_manager { add }; -dontaudit hal_weaver_citadel hal_authsecret_hwservice:hwservice_manager { find }; -dontaudit hal_weaver_citadel hal_oemlock_hwservice:hwservice_manager { add }; -dontaudit hal_weaver_citadel hal_oemlock_hwservice:hwservice_manager { find }; -dontaudit hal_weaver_citadel hal_weaver_hwservice:hwservice_manager { add }; -dontaudit hal_weaver_citadel hal_weaver_hwservice:hwservice_manager { find }; -dontaudit hal_weaver_citadel hidl_base_hwservice:hwservice_manager { add }; From be8aedd6ac6c6422f6cace09a1ac6d6d69697c6c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 25 Oct 2021 11:24:26 +0800 Subject: [PATCH 125/900] fix hal_fingerprint_default denails 10-25 11:19:03.649 430 430 E SELinux : avc: denied { find } for pid=958 uid=1000 name=android.hardware.power.IPower/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:hal_power_service:s0 tclass=service_manager permissive=1 10-25 11:19:04.509 430 430 E SELinux : avc: denied { find } for pid=958 uid=1000 name=android.frameworks.stats.IStats/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=1 Bug: 202906981 Test: boot with no fingerprint errors Change-Id: I95dcda0698c7fcec1e4874b95b598bc987e83e58 --- tracking_denials/hal_fingerprint_default.te | 4 ---- whitechapel_pro/hal_fingerprint_default.te | 5 +++++ 2 files changed, 5 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/hal_fingerprint_default.te create mode 100644 whitechapel_pro/hal_fingerprint_default.te diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te deleted file mode 100644 index 238a3941..00000000 --- a/tracking_denials/hal_fingerprint_default.te +++ /dev/null 
@@ -1,4 +0,0 @@
-# b/202906981
-dontaudit hal_fingerprint_default block_device:dir { search };
-dontaudit hal_fingerprint_default hal_fingerprint_ext_hwservice:hwservice_manager { add };
-dontaudit hal_fingerprint_default hal_fingerprint_ext_hwservice:hwservice_manager { find };
diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te
new file mode 100644
index 00000000..4ddef392
--- /dev/null
+++ b/whitechapel_pro/hal_fingerprint_default.te
@@ -0,0 +1,5 @@
+hal_client_domain(hal_fingerprint_default, hal_power)
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+
+allow hal_fingerprint_default fwk_stats_service:service_manager find;
+allow hal_fingerprint_default block_device:dir search;
From 0ae5acc9042506431b8734d37eda6a2c3d4f4602 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 25 Oct 2021 11:31:39 +0800
Subject: [PATCH 126/900] fix graphics_composer services denials
10-25 11:28:32.230 438 438 E SELinux : avc: denied { add } for pid=500 uid=1000 name=com.google.hardware.pixel.display.IDisplay/default scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:hal_pixel_display_service:s0 tclass=service_manager permissive=1
10-25 11:28:33.787 438 438 E SELinux : avc: denied { find } for pid=500 uid=1000 name=android.hardware.power.IPower/default scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:hal_power_service:s0 tclass=service_manager permissive=1
Bug: 202906947
Test: boot with no graphics_composer errors
Change-Id: I4174cbcacb7149427814ca67703799ab02b992e4
---
 tracking_denials/hal_graphics_composer_default.te | 5 -----
 whitechapel_pro/hal_graphics_composer_default.te | 4 ++++
 2 files changed, 4 insertions(+), 5 deletions(-)
 delete mode 100644 tracking_denials/hal_graphics_composer_default.te
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
deleted file mode 100644
index 7d081059..00000000
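Review bot: `allow hal_fingerprint_default block_device:dir search;` is the prerequisite for reaching any node under /dev/block, and the new file gives no hint which device the fingerprint HAL actually opens; a comment naming the specific labelled block device it needs, e.g. `# search /dev/block only to reach <fingerprint-partition-type>`, keeps the grant reviewable and makes it clear that the blk_file access itself must be granted on that narrow type rather than on block_device. The `hal_client_domain(hal_fingerprint_default, hal_power)` and `fwk_stats_service` find lines are explained only by the avc lines quoted in the commit message; that context is lost once the policy is read on its own, so a one-line comment per grant would be worth adding.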
--- a/tracking_denials/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/202906947
-dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { add };
-dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { find };
-dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add };
-dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { find };
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te
index 4da87fbf..2f4e7eed 100644
--- a/whitechapel_pro/hal_graphics_composer_default.te
+++ b/whitechapel_pro/hal_graphics_composer_default.te
@@ -1,3 +1,7 @@
+hal_client_domain(hal_graphics_composer_default, hal_power)
+
 # allow HWC to access vendor_displaycolor_service
 add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
From abf31d56d671cefd319ee328cebed420732b34c8 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 25 Oct 2021 11:36:15 +0800
Subject: [PATCH 127/900] fix secure element service access
Bug: 202902683
Test: boot with no secure element errors
Change-Id: I84ee827d356e6a99af192cce9178fb4f408de5ec
---
 tracking_denials/hal_secure_element_uicc.te | 2 --
 whitechapel_pro/hal_secure_element_uicc.te | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)
 delete mode 100644 tracking_denials/hal_secure_element_uicc.te
diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te
deleted file mode 100644
index 5b1d3c62..00000000
--- a/tracking_denials/hal_secure_element_uicc.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202902683
-dontaudit hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager { find };
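Review bot: The context comment `# allow HWC to access vendor_displaycolor_service` now heads three `add_service` lines but describes only the first, and `add_service` is a registration rather than an "access", so the comment is misleading on both counts. Suggest replacing it with `# HWC registers the display-color, SurfaceFlinger vendor and Pixel display services` or giving each add_service its own line. `hal_pixel_display_service` is also the service that platform_app is allowed to find later on this page, so it is worth stating here which process is its intended sole provider.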
diff --git a/whitechapel_pro/hal_secure_element_uicc.te b/whitechapel_pro/hal_secure_element_uicc.te
index 6e953cdd..bcc4fac0 100644
--- a/whitechapel_pro/hal_secure_element_uicc.te
+++ b/whitechapel_pro/hal_secure_element_uicc.te
@@ -3,3 +3,5 @@ type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
 hal_server_domain(hal_secure_element_uicc, hal_secure_element)
 init_daemon_domain(hal_secure_element_uicc)
+
+allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;
From 5e572d5c726337693dab1c53ecdb7a3d1d91e476 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 25 Oct 2021 11:54:32 +0800
Subject: [PATCH 128/900] fix hal_camera_default service access
10-25 11:52:35.916 437 437 E SELinux : avc: denied { find } for pid=711 uid=1000 name=android.frameworks.stats.IStats/default scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=1
Bug: 202906784
Test: boot with no hal_camera_default errors
Change-Id: I0e21cc11808b973c859ddc2ddebc0db81f999d9f
---
 tracking_denials/hal_camera_default.te | 3 ---
 whitechapel_pro/hal_camera_default.te | 7 +++++++
 2 files changed, 7 insertions(+), 3 deletions(-)
 delete mode 100644 tracking_denials/hal_camera_default.te
 create mode 100644 whitechapel_pro/hal_camera_default.te
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
deleted file mode 100644
index a272b76f..00000000
--- a/tracking_denials/hal_camera_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/202906784
-dontaudit hal_camera_default edgetpu_vendor_server:fd { use };
-dontaudit hal_camera_default hal_radioext_hwservice:hwservice_manager { find };
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
new file mode 100644
index 00000000..cfd7a3b0
--- /dev/null
+++ b/whitechapel_pro/hal_camera_default.te
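Review bot: `allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;` has no comment, and a secure-element HAL reaching for the radio HAL is not self-evident; a line such as `# the UICC secure element is reached through the Exynos RIL` would explain it. The lookup alone is harmless, but the HAL also needs binder_call to the rild domain, which is not in this hunk and is presumably granted elsewhere. The same hwservice is opened up to vendor_rcs_app and vendor_ims_app later on this page, so if the client list keeps growing a dedicated client attribute would be tidier than per-domain allows.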
@@ -0,0 +1,7 @@
+binder_call(hal_camera_default, edgetpu_vendor_server)
+
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
From e171a156e2cae85fc1b728aacd72c31a984806ce Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 25 Oct 2021 12:03:26 +0800
Subject: [PATCH 129/900] fix mediacodec_google service access
Bug: 202906901
Test: boot with no relevant errors
Change-Id: I8ba645de225af4a25c52cc14eb05eb60a64ea202
---
 tracking_denials/mediacodec_google.te | 4 ----
 whitechapel_pro/mediacodec_google.te | 1 +
 2 files changed, 1 insertion(+), 4 deletions(-)
 delete mode 100644 tracking_denials/mediacodec_google.te
diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te
deleted file mode 100644
index 805c4984..00000000
--- a/tracking_denials/mediacodec_google.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/202906901
-dontaudit mediacodec_google hal_codec2_hwservice:hwservice_manager { add };
-dontaudit mediacodec_google hal_codec2_hwservice:hwservice_manager { find };
-dontaudit mediacodec_google hidl_base_hwservice:hwservice_manager { add };
diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te
index 2ec5e99e..8ea19668 100644
--- a/whitechapel_pro/mediacodec_google.te
+++ b/whitechapel_pro/mediacodec_google.te
@@ -2,3 +2,4 @@ type mediacodec_google, domain;
 type mediacodec_google_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(mediacodec_google)
+hal_server_domain(mediacodec_google, hal_codec2)
From 23b637e2606cfd74569a53c5f6f665dfffb97d6c Mon Sep 17 00:00:00 2001
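Review bot: `binder_call(hal_camera_default, edgetpu_vendor_server)` covers the `fd { use }` denial that was being tracked, but binder_call does not grant the service_manager lookup; if the camera HAL resolves the EdgeTPU service by name it also needs a `find` on that service type, and the tracking_denials/hal_camera_default.te re-added later on this page dontaudits exactly such a lookup, which suggests the grant is still incomplete. The comment above the radioext line is a good model; the first two grants deserve the same, e.g. `# EdgeTPU access for on-device camera processing` above the binder_call and a note on which stats the HAL reports through fwk_stats_service.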
From: Adam Shih
Date: Mon, 25 Oct 2021 12:04:23 +0800
Subject: [PATCH 130/900] fix mediacodec_samsung service access
Bug: 202906949
Test: boot with no relevant errors
Change-Id: I015c58f1b223978cb0e61377f5fc6930477c9a53
---
 tracking_denials/mediacodec_samsung.te | 5 -----
 whitechapel_pro/mediacodec_samsung.te | 2 ++
 2 files changed, 2 insertions(+), 5 deletions(-)
 delete mode 100644 tracking_denials/mediacodec_samsung.te
diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te
deleted file mode 100644
index 05d5b618..00000000
--- a/tracking_denials/mediacodec_samsung.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/202906949
-dontaudit mediacodec_samsung eco_service:service_manager { add };
-dontaudit mediacodec_samsung hal_codec2_hwservice:hwservice_manager { add };
-dontaudit mediacodec_samsung hal_codec2_hwservice:hwservice_manager { find };
-dontaudit mediacodec_samsung hidl_base_hwservice:hwservice_manager { add };
diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te
index 9ca76c9d..e34942a9 100644
--- a/whitechapel_pro/mediacodec_samsung.te
+++ b/whitechapel_pro/mediacodec_samsung.te
@@ -2,3 +2,5 @@ type mediacodec_samsung, domain;
 type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(mediacodec_samsung)
+hal_server_domain(mediacodec_samsung, hal_codec2)
+add_service(mediacodec_samsung, eco_service)
From 68217c1ae6a9273f8ebcfa6d562b3a425af7b53f Mon Sep 17 00:00:00 2001
From: Max Kogan
Date: Thu, 21 Oct 2021 17:13:13 -0700
Subject: [PATCH 131/900] sepolicy: gs201: allow dumpstate access AoC stats
Merge changes from gs101
Bug: 203827311
Change-Id: I3028e8d2c162dde74b747cbfe6458cc37a9ad759
---
 aoc/file.te | 1 +
 aoc/genfs_contexts | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/aoc/file.te b/aoc/file.te
index fec17dcb..3e0baf8a 100644
--- a/aoc/file.te
+++ b/aoc/file.te
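Review bot: `add_service(mediacodec_samsung, eco_service)` lets a vendor codec domain register the ECO service name, and because any domain allowed to `add` a name can also replace the binder that other clients resolve, a registration grant should say which process is the intended provider; a comment such as `# mediacodec_samsung hosts the ECO service for this SoC's codecs` above the line would do. The sibling mediacodec_google hunk above registers nothing, which makes it worth confirming that only one of the two codec domains is meant to own eco_service.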
@@ -1,4 +1,5 @@
 # sysfs
+type sysfs_aoc_dumpstate, sysfs_type, fs_type;
 type sysfs_aoc_boottime, sysfs_type, fs_type;
 type sysfs_aoc_firmware, sysfs_type, fs_type;
 type sysfs_aoc, sysfs_type, fs_type;
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
index 4be738a6..e4633a56 100644
--- a/aoc/genfs_contexts
+++ b/aoc/genfs_contexts
@@ -3,6 +3,17 @@ genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:ob
 genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
 genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
 genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0
 # pixelstat_vendor
 genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
From ee3287231f667b4ebbfa6f9f0dd42c094cb27bbc Mon Sep 17 00:00:00 2001
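Review bot: The genfs_contexts hunk puts the `control/*_wakeup`, `control/memory_exception` and `control/memory_votes` nodes under the same `sysfs_aoc_dumpstate` label as the read-only counters (`services`, `restart_count`, `coredump_count`), so any domain later granted more than read on that type also reaches the AoC control knobs; either give the control/ nodes their own type or add a comment on the type in aoc/file.te saying it must only ever receive r_file_perms. Neither hunk grants dumpstate anything on the new type, so unless `allow dumpstate sysfs_aoc_dumpstate:file r_file_perms;` (plus dir search) already arrived with the merged gs101 policy, the access the subject line promises is not actually enabled by this commit. A short comment on the `type sysfs_aoc_dumpstate` line naming dumpstate as the intended reader would also make the purpose of the label clear.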
From: Adam Shih
Date: Fri, 29 Oct 2021 10:12:28 +0800
Subject: [PATCH 132/900] fix hal_usb_impl service access
Bug: 202906786
Test: boot with no relevant error
Change-Id: I99178488a97aa2d0b3d7e4775c88b00321084d63
---
 tracking_denials/hal_usb_impl.te | 8 --------
 whitechapel_pro/hal_usb_impl.te | 2 ++
 2 files changed, 2 insertions(+), 8 deletions(-)
 delete mode 100644 tracking_denials/hal_usb_impl.te
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
deleted file mode 100644
index df0efbdb..00000000
--- a/tracking_denials/hal_usb_impl.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# b/202906786
-dontaudit hal_usb_impl configfs:lnk_file { create };
-dontaudit hal_usb_impl configfs:lnk_file { read };
-dontaudit hal_usb_impl hal_usb_gadget_hwservice:hwservice_manager { add };
-dontaudit hal_usb_impl hal_usb_gadget_hwservice:hwservice_manager { find };
-dontaudit hal_usb_impl hal_usb_hwservice:hwservice_manager { add };
-dontaudit hal_usb_impl hal_usb_hwservice:hwservice_manager { find };
-dontaudit hal_usb_impl hidl_base_hwservice:hwservice_manager { add };
diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te
index 3caf54a2..52a799ee 100644
--- a/whitechapel_pro/hal_usb_impl.te
+++ b/whitechapel_pro/hal_usb_impl.te
@@ -2,3 +2,5 @@ type hal_usb_impl, domain;
 type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_usb_impl)
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
From d73b97b7404bbb2c86f7364ead9831700d28b720 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 29 Oct 2021 10:17:57 +0800
Subject: [PATCH 133/900] fix vendor_rcs_app service access
Bug: 202907058
Test: boot with no relevant error
Change-Id: Ie435cdadc54cb59b09dadba890a9d1cbdb94b458
---
 tracking_denials/vendor_rcs_app.te | 2 --
 whitechapel_pro/vendor_rcs_app.te | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 tracking_denials/vendor_rcs_app.te
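Review bot: The deleted tracking file also covered `configfs:lnk_file { create }` and `{ read }`, which the two `hal_server_domain` lines replace only if the platform `hal_usb_gadget` attribute already carries those configfs lnk_file rules; if it does not, the gadget function switch will be denied again the moment the dontaudit is gone, which the "no relevant error" test would not catch on a build that never switches functions. Please confirm against the platform hal_usb_gadget policy and add `allow hal_usb_impl configfs:lnk_file { create read };` only if it is genuinely missing.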
diff --git a/tracking_denials/vendor_rcs_app.te b/tracking_denials/vendor_rcs_app.te
deleted file mode 100644
index cd0570e0..00000000
--- a/tracking_denials/vendor_rcs_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202907058
-dontaudit vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager { find };
diff --git a/whitechapel_pro/vendor_rcs_app.te b/whitechapel_pro/vendor_rcs_app.te
index f8de9376..f3fe4f3d 100644
--- a/whitechapel_pro/vendor_rcs_app.te
+++ b/whitechapel_pro/vendor_rcs_app.te
@@ -2,3 +2,4 @@ type vendor_rcs_app, domain;
 app_domain(vendor_rcs_app)
 allow vendor_rcs_app app_api_service:service_manager find;
+allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find;
From c9392bd4144636697f74a9081f16d516bd32c627 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 29 Oct 2021 10:19:38 +0800
Subject: [PATCH 134/900] fix vendor_ims_app service access
Bug: 202906888
Test: boot with no relevant error
Change-Id: I25e967bed593b017f11b647c23cfd148738227e0
---
 tracking_denials/vendor_ims_app.te | 2 --
 whitechapel_pro/vendor_ims_app.te | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 tracking_denials/vendor_ims_app.te
diff --git a/tracking_denials/vendor_ims_app.te b/tracking_denials/vendor_ims_app.te
deleted file mode 100644
index eed024ed..00000000
--- a/tracking_denials/vendor_ims_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202906888
-dontaudit vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager { find };
diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te
index 99e52b27..bdbba20d 100644
--- a/whitechapel_pro/vendor_ims_app.te
+++ b/whitechapel_pro/vendor_ims_app.te
@@ -2,3 +2,4 @@ type vendor_ims_app, domain;
 app_domain(vendor_ims_app)
 allow vendor_ims_app app_api_service:service_manager find;
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
From 73845f7fcdf42334fbca12fc8c759f32d5c507e6 Mon Sep 17 00:00:00 2001
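Review bot: `allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find;` lets an app domain resolve a vendor HIDL service directly, which is unusual enough to need a comment on which RIL extension the RCS app uses, e.g. `# RCS app talks to the Exynos RIL extension for <feature>`; the app will additionally need binder_call to the rild domain, which is not in this hunk and is presumably already granted through its existing policy. The vendor_ims_app hunk below makes the identical grant and the same remark applies there. With hal_secure_element_uicc, vendor_rcs_app and vendor_ims_app now all finding this hwservice, a dedicated client attribute would be tidier than three per-domain allows if the list grows further.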
From: Adam Shih
Date: Fri, 29 Oct 2021 10:21:00 +0800
Subject: [PATCH 135/900] fix rlsservice service access
Bug: 202906997
Test: boot with no relevant error
Change-Id: I964d11956b5f78c410aec230289abc1f6a045023
---
 tracking_denials/rlsservice.te | 2 --
 whitechapel_pro/rlsservice.te | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 tracking_denials/rlsservice.te
diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te
deleted file mode 100644
index 5646c336..00000000
--- a/tracking_denials/rlsservice.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202906997
-dontaudit rlsservice rls_service:service_manager { add };
diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te
index e15cc498..3dab5390 100644
--- a/whitechapel_pro/rlsservice.te
+++ b/whitechapel_pro/rlsservice.te
@@ -2,3 +2,4 @@ type rlsservice, domain;
 type rlsservice_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(rlsservice)
+add_service(rlsservice, rls_service)
From 8cc3f28ac13b881f2c6672c34ba3f9641c0a31eb Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 29 Oct 2021 10:47:01 +0800
Subject: [PATCH 136/900] fix wlc_hwservice access
10-29 10:38:01.270 440 440 E SELinux : avc: denied { find } for pid=1594 uid=10210 name=com.google.input.ITouchContextService/default scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:touch_service:s0 tclass=service_manager permissive=1
10-29 10:38:01.277 440 440 E SELinux : avc: denied { find } for pid=1594 uid=10210 name=com.google.hardware.pixel.display.IDisplay/default scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:hal_pixel_display_service:s0 tclass=service_manager permissive=1
Bug: 202906787
Test: boot with no relevant error
Change-Id: I47ea0f1dfe6f3f7b024d4512e0ccd94bc0da93a1
---
 tracking_denials/platform_app.te | 2 --
 whitechapel_pro/platform_app.te | 2 ++
 whitechapel_pro/service.te | 1 +
 whitechapel_pro/service_contexts | 1 +
 4 files changed, 4 insertions(+), 2 deletions(-)
 delete mode 100644 tracking_denials/platform_app.te
 create mode 100644 whitechapel_pro/platform_app.te
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
deleted file mode 100644
index 3ded10b4..00000000
--- a/tracking_denials/platform_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202906787
-dontaudit platform_app hal_wlc_hwservice:hwservice_manager { find };
diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te
new file mode 100644
index 00000000..58499c98
--- /dev/null
+++ b/whitechapel_pro/platform_app.te
@@ -0,0 +1,2 @@
+allow platform_app hal_pixel_display_service:service_manager find;
+allow platform_app hal_wlc_hwservice:hwservice_manager find;
diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te
index 9c935e9c..abeeedcd 100644
--- a/whitechapel_pro/service.te
+++ b/whitechapel_pro/service.te
@@ -1 +1,2 @@
 type hal_pixel_display_service, service_manager_type, vendor_service;
+type touch_service, service_manager_type, vendor_service;
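Review bot: The avc lines quoted in the commit message show `platform_app` denied `find` on `touch_service`, and this commit adds the `touch_service` type and its service_contexts mapping, yet the new platform_app.te grants only `hal_pixel_display_service` and `hal_wlc_hwservice`; if the touch lookup is wanted it still needs `allow platform_app touch_service:service_manager find;`, and the tracking_denials/platform_app.te re-created later on this page dontaudits exactly that miss. No domain receives `add_service(..., touch_service)` in this commit either, so registration of com.google.input.ITouchContextService/default will be denied unless granted elsewhere. `platform_app` covers every platform-signed app; if only one of them needs the Pixel display service, a dedicated app domain with a seapp_contexts entry would keep that grant narrower.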
diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
index 9592f86f..cb6af7cc 100644
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
@@ -1 +1,2 @@
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+com.google.input.ITouchContextService/default u:object_r:touch_service:s0
From de48018a88f5c6c7d4b3cadf3c539b6e3bd63eab Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 29 Oct 2021 11:10:43 +0800
Subject: [PATCH 137/900] remove errors that were filed on the wrong ROM ID
Bug: 202906903
Bug: 202906772
Bug: 202907037
Test: boot with those errors appear again
Change-Id: I5bc173c18b0d2a94ac2146e1c6e405c542e0c9ba
---
 tracking_denials/README.txt | 2 ++
 tracking_denials/hal_vibrator_default.te | 3 ---
 tracking_denials/priv_app.te | 2 --
 tracking_denials/thermal_link_device.te | 2 --
 4 files changed, 2 insertions(+), 7 deletions(-)
 create mode 100644 tracking_denials/README.txt
 delete mode 100644 tracking_denials/hal_vibrator_default.te
 delete mode 100644 tracking_denials/priv_app.te
 delete mode 100644 tracking_denials/thermal_link_device.te
diff --git a/tracking_denials/README.txt b/tracking_denials/README.txt
new file mode 100644
index 00000000..6cfc62df
--- /dev/null
+++ b/tracking_denials/README.txt
@@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
deleted file mode 100644
index b8fc9bd0..00000000
--- a/tracking_denials/hal_vibrator_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/202906903
-dontaudit hal_vibrator_default input_device:dir { open };
-dontaudit hal_vibrator_default input_device:dir { read };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
deleted file mode 100644
index 28914cba..00000000
--- a/tracking_denials/priv_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202906772
-dontaudit priv_app hal_exynos_rild_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/thermal_link_device.te b/tracking_denials/thermal_link_device.te
deleted file mode 100644
index 0ed3944f..00000000
--- a/tracking_denials/thermal_link_device.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202907037
-dontaudit thermal_link_device sysfs:filesystem { associate };
From d6f5c71db98ea81efcdab7505637edc91a002c00 Mon Sep 17 00:00:00 2001
From: Rex Lin
Date: Wed, 13 Oct 2021 13:47:10 +0800
Subject: [PATCH 138/900] Uwb: Create a new Uwb system service inherit from gs101-sepolicy
Signed-off-by: Rex Lin
Bug: 201232020
Test: ranging works
Change-Id: I0567e6bda78a94c12da3401444faffb36586f331
---
 whitechapel_pro/file.te | 3 +++
 whitechapel_pro/file_contexts | 4 ++++
 whitechapel_pro/hal_uwb_vendor.te | 14 ++++++++++++++
 whitechapel_pro/hal_uwb_vendor_default.te | 11 +++++++++++
 whitechapel_pro/service.te | 2 ++
 whitechapel_pro/uwb_vendor_app.te | 22 ++++++++++++++++++++++
 whitechapel_pro/vendor_uwb_init.te | 10 ++++++++++
 7 files changed, 66 insertions(+)
 create mode 100644 whitechapel_pro/hal_uwb_vendor.te
 create mode 100644 whitechapel_pro/hal_uwb_vendor_default.te
 create mode 100644 whitechapel_pro/uwb_vendor_app.te
 create mode 100644 whitechapel_pro/vendor_uwb_init.te
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 48272ace..3f6ae4ca 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -12,6 +12,8 @@ type vendor_media_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
 type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type uwb_data_vendor, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute tcpdump_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
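Review bot: `uwb_vendor_data_file` and `uwb_data_vendor` differ only in word order, so a reader cannot tell which one is the app's private data and which is the HAL/init-script data without going to file_contexts; since `uwb_data_vendor` is new in this commit, a name that follows the file's `*_data_file` convention and says whose data it is (for example one containing `hal`) plus a one-line comment above each type would remove the ambiguity. `uwb_vendor_data_file` additionally carries `app_data_file_type`, which subjects it to whatever platform rules are written against that attribute; that is fine if it is only ever written by uwb_vendor_app, but worth stating in the comment. The userdebug_or_eng block at the bottom of the hunk continues outside it.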
@@ -59,6 +61,7 @@ type persist_modem_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
 type persist_battery_file, file_type, vendor_persist_type;
 type persist_sensor_reg_file, file_type, vendor_persist_type;
+type persist_uwb_file, file_type, vendor_persist_type;
 # CHRE
 type chre_socket, file_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index c7c26a4b..d6dcbfc8 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -18,6 +18,7 @@
 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
 /vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
@@ -36,6 +37,7 @@
 /vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0
+/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
@@ -166,12 +168,14 @@
 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)? u:object_r:per_boot_file:s0
 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
 # Persist
 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
 /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
 # Extra mount images
 /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
diff --git a/whitechapel_pro/hal_uwb_vendor.te b/whitechapel_pro/hal_uwb_vendor.te
new file mode 100644
index 00000000..6fda95ab
--- /dev/null
+++ b/whitechapel_pro/hal_uwb_vendor.te
@@ -0,0 +1,14 @@
+# HwBinder IPC from client to server
+binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
+binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
+
+hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
+
+binder_call(hal_uwb_vendor_server, servicemanager)
+
+# allow hal_uwb_vendor to set wpan interfaces up and down
+allow hal_uwb_vendor self:udp_socket create_socket_perms;
+allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+
+# allow hal_uwb_vendor to speak to nl802154 in the kernel
+allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/whitechapel_pro/hal_uwb_vendor_default.te b/whitechapel_pro/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..f72e879d
--- /dev/null
+++ b/whitechapel_pro/hal_uwb_vendor_default.te
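Review bot: The udp_socket rule, the `SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL` ioctl whitelist and the netlink_generic_socket rule in hal_uwb_vendor.te are written against the `hal_uwb_vendor` attribute rather than the server domain; if `hal_client_domain` also places its caller in the HAL attribute (as the platform macro does to support passthrough clients — please confirm against the macro in use), then `uwb_vendor_app` inherits the ability to bring interfaces up and down and rewrite their hardware address. Writing those three rules against `hal_uwb_vendor_server` (or moving them into hal_uwb_vendor_default.te) keeps interface control inside the HAL process only. `SIOCSIFHWADDR` is also broader than the comment "set wpan interfaces up and down" admits; the comment should say why a MAC-setting ioctl is required.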
@@ -0,0 +1,11 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_vendor_default)
+
+add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
+binder_call(hal_uwb_vendor_default, uwb_vendor_app)
+
+allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te
index abeeedcd..53ef7f29 100644
--- a/whitechapel_pro/service.te
+++ b/whitechapel_pro/service.te
@@ -1,2 +1,4 @@
 type hal_pixel_display_service, service_manager_type, vendor_service;
 type touch_service, service_manager_type, vendor_service;
+type hal_uwb_vendor_service, service_manager_type, vendor_service;
+type uwb_vendor_service, service_manager_type, vendor_service;
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
new file mode 100644
index 00000000..223383c1
--- /dev/null
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -0,0 +1,22 @@
+type uwb_vendor_app, domain;
+
+app_domain(uwb_vendor_app)
+
+add_service(uwb_vendor_app, uwb_vendor_service)
+
+not_recovery(`
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
+allow hal_uwb_vendor_default kernel:process setsched;
+
+binder_call(uwb_vendor_app, hal_uwb_vendor_default)
+')
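Review bot: `allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;` and `allow hal_uwb_vendor_default kernel:process setsched;` are rules for the HAL domain but are placed in uwb_vendor_app.te inside the app's `not_recovery` block; they belong in hal_uwb_vendor_default.te next to the other grants for that domain, with a comment on why the HAL changes kernel-thread scheduling, since that is a capability a reviewer will look for in the HAL's own file. `binder_call(uwb_vendor_app, hal_uwb_vendor_default)` and the `binder_call(hal_uwb_vendor_default, uwb_vendor_app)` in the HAL file appear to duplicate what `hal_client_domain(uwb_vendor_app, hal_uwb_vendor)` plus the client/server binder_call pairs in hal_uwb_vendor.te already provide, so one of the two mechanisms can go. Neither this commit nor its diffstat touches service_contexts, so the AIDL name the HAL registers has no mapping to `hal_uwb_vendor_service` and the `add_service` will land on the default service label (the hal_uwb_vendor_default tracking entry later on this page shows exactly that); the fix is a service_contexts line of the form `<uwb.hal.aidl.name>/default u:object_r:hal_uwb_vendor_service:s0`. Finally, `find` on `nfc_service` and `radio_service` is more than a UWB app obviously needs and deserves a comment naming the use case.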
diff --git a/whitechapel_pro/vendor_uwb_init.te b/whitechapel_pro/vendor_uwb_init.te
new file mode 100644
index 00000000..716af19c
--- /dev/null
+++ b/whitechapel_pro/vendor_uwb_init.te
@@ -0,0 +1,10 @@
+type vendor_uwb_init, domain;
+type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_uwb_init)
+
+allow vendor_uwb_init vendor_shell_exec:file rx_file_perms;
+allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms;
+
+allow vendor_uwb_init uwb_data_vendor:file create_file_perms;
+allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;
From 8550b06ea45aac559da72d234731dceaf51b46f9 Mon Sep 17 00:00:00 2001
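Review bot: The new domain has no header comment; given that file_contexts maps `/vendor/bin/init.uwb.calib.sh` to `vendor_uwb_init_exec`, a line such as `# one-shot UWB calibration script launched by init; writes only under /data/vendor/uwb` at the top would record the intent and make the shell/toolbox exec grants self-explanatory. The domain writes `uwb_data_vendor` but is granted nothing on `persist_uwb_file`, which this same commit creates; if the calibration script reads or copies from /mnt/vendor/persist/uwb, that access is missing here and will surface as a denial, so it is worth stating in the comment which side the script reads from.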
From: Adam Shih
Date: Mon, 1 Nov 2021 10:39:07 +0800
Subject: [PATCH 139/900] update error on ROM 7870491
Bug: 204718569
Bug: 204718762
Bug: 204718449
Bug: 204718220
Bug: 204718450
Bug: 204718757
Bug: 204718809
Bug: 204718221
Bug: 204718782
Bug: 204718864
Bug: 204718865
Bug: 204717520
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Ic0b136fe876bcf67a94d7c35927c6bd0c6506005
---
 tracking_denials/citadeld.te | 2 ++
 tracking_denials/hal_camera_default.te | 3 +++
 tracking_denials/hal_sensors_default.te | 2 ++
 tracking_denials/hal_uwb_vendor_default.te | 2 ++
 tracking_denials/hal_vibrator_default.te | 3 +++
 tracking_denials/hbmsvmanager_app.te | 2 ++
 tracking_denials/mediacodec_samsung.te | 3 +++
 tracking_denials/platform_app.te | 2 ++
 tracking_denials/priv_app.te | 2 ++
 tracking_denials/thermal_link_device.te | 2 ++
 tracking_denials/vendor_qualifiednetworks_app.te | 2 ++
 tracking_denials/zygote.te | 8 ++++++++
 12 files changed, 33 insertions(+)
 create mode 100644 tracking_denials/citadeld.te
 create mode 100644 tracking_denials/hal_camera_default.te
 create mode 100644 tracking_denials/hal_sensors_default.te
 create mode 100644 tracking_denials/hal_uwb_vendor_default.te
 create mode 100644 tracking_denials/hal_vibrator_default.te
 create mode 100644 tracking_denials/hbmsvmanager_app.te
 create mode 100644 tracking_denials/mediacodec_samsung.te
 create mode 100644 tracking_denials/platform_app.te
 create mode 100644 tracking_denials/priv_app.te
 create mode 100644 tracking_denials/thermal_link_device.te
 create mode 100644 tracking_denials/vendor_qualifiednetworks_app.te
 create mode 100644 tracking_denials/zygote.te
diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te
new file mode 100644
index 00000000..f90320d5
--- /dev/null
+++ b/tracking_denials/citadeld.te
@@ -0,0 +1,2 @@
+# b/204718569
+dontaudit citadeld citadeld_service:service_manager { add };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..44c2fe58
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,3 @@
+# b/204718762
+dontaudit hal_camera_default edgetpu_vendor_service:service_manager { find };
+dontaudit hal_camera_default hal_power_service:service_manager { find };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
new file mode 100644
index 00000000..116d6d80
--- /dev/null
+++ b/tracking_denials/hal_sensors_default.te
@@ -0,0 +1,2 @@
+# b/204718449
+dontaudit hal_sensors_default fwk_stats_service:service_manager { find };
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..2aa2dea0
--- /dev/null
+++ b/tracking_denials/hal_uwb_vendor_default.te
@@ -0,0 +1,2 @@
+# b/204718220
+dontaudit hal_uwb_vendor_default default_android_service:service_manager { add };
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
new file mode 100644
index 00000000..09a5a853
--- /dev/null
+++ b/tracking_denials/hal_vibrator_default.te
@@ -0,0 +1,3 @@
+# b/204718450
+dontaudit hal_vibrator_default input_device:dir { open };
+dontaudit hal_vibrator_default input_device:dir { read };
diff --git a/tracking_denials/hbmsvmanager_app.te b/tracking_denials/hbmsvmanager_app.te
new file mode 100644
index 00000000..22a8102e
--- /dev/null
+++ b/tracking_denials/hbmsvmanager_app.te
@@ -0,0 +1,2 @@
+# b/204718757
+dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find };
diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te
new file mode 100644
index 00000000..1fa99a1b
--- /dev/null
+++ b/tracking_denials/mediacodec_samsung.te
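Review bot: The two camera entries hide ordinary client lookups (`edgetpu_vendor_service` and `hal_power_service` find) that follow directly from the grants whitechapel_pro/hal_camera_default.te received earlier on this page, so the proper fix is `hal_client_domain(hal_camera_default, hal_power)` plus a `find` on the EdgeTPU service type rather than a dontaudit; a comment next to the bug id saying the entry is temporary would make that intent clear. The `hal_uwb_vendor_default default_android_service:service_manager { add }` entry is different in kind: an `add` landing on the default service label means the UWB HAL is registering a name that service_contexts does not map, so the cure there is a service_contexts entry for `hal_uwb_vendor_service`, and dontauditing it only hides the mislabelled registration.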
@@ -0,0 +1,3 @@
+# b/204718809
+dontaudit mediacodec_samsung system_server:fifo_file { append };
+dontaudit mediacodec_samsung system_server:fifo_file { write };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
new file mode 100644
index 00000000..6e1b0e1c
--- /dev/null
+++ b/tracking_denials/platform_app.te
@@ -0,0 +1,2 @@
+# b/204718221
+dontaudit platform_app touch_service:service_manager { find };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 00000000..6276e04d
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,2 @@
+# b/204718782
+dontaudit priv_app hal_exynos_rild_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/thermal_link_device.te b/tracking_denials/thermal_link_device.te
new file mode 100644
index 00000000..d79bfe60
--- /dev/null
+++ b/tracking_denials/thermal_link_device.te
@@ -0,0 +1,2 @@
+# b/204718864
+dontaudit thermal_link_device sysfs:filesystem { associate };
diff --git a/tracking_denials/vendor_qualifiednetworks_app.te b/tracking_denials/vendor_qualifiednetworks_app.te
new file mode 100644
index 00000000..ec4ed9dc
--- /dev/null
+++ b/tracking_denials/vendor_qualifiednetworks_app.te
@@ -0,0 +1,2 @@
+# b/204718865
+dontaudit vendor_qualifiednetworks_app radio_service:service_manager { find };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
new file mode 100644
index 00000000..c9fd8bba
--- /dev/null
+++ b/tracking_denials/zygote.te
@@ -0,0 +1,8 @@
+# b/204717520
+dontaudit zygote activity_service:service_manager { find };
+dontaudit zygote content_capture_service:service_manager { find };
+dontaudit zygote default_android_service:service_manager { add };
+dontaudit zygote default_android_service:service_manager { find };
+dontaudit zygote game_service:service_manager { find };
+dontaudit zygote nfc_service:service_manager { find };
+dontaudit zygote radio_service:service_manager { find };
From c0d04c41b33884d9c35e2984e3e38ab7935b25cc Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 1 Nov 2021 10:45:13 +0800
Subject: [PATCH 140/900] fix citadeld service access
Bug: 204718569
Test: boot with no relevant error
Change-Id: Iba8c01f34c4453c8001e56b25089b467c4de79ea
---
dauntless/citadeld.te | 2 ++
tracking_denials/citadeld.te | 2 --
2 files changed, 2 insertions(+), 2 deletions(-)
delete mode 100644 tracking_denials/citadeld.te
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
index 8fdbdf34..19749e36 100644
--- a/dauntless/citadeld.te
+++ b/dauntless/citadeld.te
@@ -3,5 +3,7 @@ type citadeld_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(citadeld)
+add_service(citadeld, citadeld_service)
+
 allow citadeld fwk_stats_service:service_manager find;
 allow citadeld hal_power_stats_vendor_service:service_manager find;
diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te
deleted file mode 100644
index f90320d5..00000000
--- a/tracking_denials/citadeld.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/204718569
-dontaudit citadeld citadeld_service:service_manager { add };
From d43e7773eedcda860dc8d3f59fe022126edd4721 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 1 Nov 2021 15:15:16 +0800
Subject: [PATCH 141/900] unleash error log related to property access
Bug: 203621307
Test: boot with error revealed
Change-Id: Id537726570bd5cce5716759316559bb792ab055b
---
whitechapel_pro/domain.te | 2 --
1 file changed, 2 deletions(-)
diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te
index c6a611eb..85cd1b9d 100644
--- a/whitechapel_pro/domain.te
+++ b/whitechapel_pro/domain.te
@@ -3,8 +3,6 @@ dontaudit domain file_type:chr_file *;
 dontaudit domain file_type:dir *;
 dontaudit domain file_type:capability *;
 dontaudit domain file_type:sock_file *;
-dontaudit domain property_type:file *;
-dontaudit domain property_type:property_service *;
 dontaudit domain fs_type:chr_file *;
 dontaudit domain fs_type:file *;
 dontaudit domain fs_type:blk_file *;
From f2353c6aeda8120ece3f31ae58f835bdc98eb950 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 4 Nov 2021 14:09:41 +0800
Subject: [PATCH 142/900] update error on ROM 7882509
Bug: 205073232
Bug: 205072921
Bug: 205073231
Bug: 205073165
Bug: 205073003
Bug: 205073229
Bug: 205073167
Bug: 205073164
Bug: 205073230
Bug: 205073038
Bug: 205073024
Bug: 205073117
Bug: 205073023
Bug: 205072922
Bug: 205073166
Bug: 205072689
Bug: 205073025
Bug: 205070818
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I84cc72176363ed31203b7f7afe0720c3153d2cc6
---
tracking_denials/dmd.te | 5 +++++
tracking_denials/hal_camera_default.te | 7 +++++++
tracking_denials/hal_fingerprint_default.te | 9 +++++++++
tracking_denials/hal_graphics_composer_default.te | 5 +++++
tracking_denials/hal_health_default.te | 6 ++++++
tracking_denials/hal_keymint_citadel.te | 5 +++++
tracking_denials/hal_neuralnetworks_armnn.te | 3 +++
tracking_denials/hal_secure_element_gto.te | 2 ++
tracking_denials/hal_usb_impl.te | 5 +++++
tracking_denials/hal_wifi_ext.te | 2 ++
tracking_denials/platform_app.te | 6 ++++++
tracking_denials/priv_app.te | 4 ++++
tracking_denials/rild.te | 6 ++++++
tracking_denials/shell.te | 2 ++
tracking_denials/sscoredump.te | 5 +++++
tracking_denials/surfaceflinger.te | 2 ++
tracking_denials/vcd.te | 5 +++++
tracking_denials/vendor_init.te | 4 ++++
18 files changed, 83 insertions(+)
create mode 100644 tracking_denials/dmd.te
create mode 100644 tracking_denials/hal_fingerprint_default.te
create mode 100644 tracking_denials/hal_graphics_composer_default.te
create mode 100644 tracking_denials/hal_health_default.te
create mode 100644 tracking_denials/hal_keymint_citadel.te
create mode 100644 tracking_denials/hal_neuralnetworks_armnn.te
create mode 100644 tracking_denials/hal_secure_element_gto.te
create mode 100644 tracking_denials/hal_usb_impl.te
create mode 100644 tracking_denials/hal_wifi_ext.te
create mode 100644 tracking_denials/rild.te
create mode 100644 tracking_denials/shell.te
create mode 100644 tracking_denials/sscoredump.te
create mode 100644
tracking_denials/surfaceflinger.te
create mode 100644 tracking_denials/vcd.te
create mode 100644 tracking_denials/vendor_init.te
diff --git a/tracking_denials/dmd.te b/tracking_denials/dmd.te
new file mode 100644
index 00000000..de764e70
--- /dev/null
+++ b/tracking_denials/dmd.te
@@ -0,0 +1,5 @@
+# b/205073232
+dontaudit dmd vendor_persist_config_default_prop:file { getattr };
+dontaudit dmd vendor_persist_config_default_prop:file { map };
+dontaudit dmd vendor_persist_config_default_prop:file { open };
+dontaudit dmd vendor_persist_config_default_prop:file { read };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 44c2fe58..0e19b75f 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -1,3 +1,10 @@
 # b/204718762
 dontaudit hal_camera_default edgetpu_vendor_service:service_manager { find };
 dontaudit hal_camera_default hal_power_service:service_manager { find };
+# b/205072921
+dontaudit hal_camera_default kernel:process { setsched };
+dontaudit hal_camera_default vendor_camera_prop:file { getattr };
+dontaudit hal_camera_default vendor_camera_prop:file { map };
+dontaudit hal_camera_default vendor_camera_prop:file { open };
+dontaudit hal_camera_default vendor_camera_prop:file { read };
+dontaudit hal_camera_default vendor_camera_prop:property_service { set };
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
new file mode 100644
index 00000000..4f59448f
--- /dev/null
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -0,0 +1,9 @@
+# b/205073231
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { getattr };
+dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { map };
+dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { open };
+dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { read };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
new file mode 100644
index 00000000..d1df1af1
--- /dev/null
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -0,0 +1,5 @@
+# b/205073165
+dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { getattr };
+dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { map };
+dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { open };
+dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { read };
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
new file mode 100644
index 00000000..828b5f21
--- /dev/null
+++ b/tracking_denials/hal_health_default.te
@@ -0,0 +1,6 @@
+# b/205073003
+dontaudit hal_health_default vendor_battery_defender_prop:file { getattr };
+dontaudit hal_health_default vendor_battery_defender_prop:file { map };
+dontaudit hal_health_default vendor_battery_defender_prop:file { open };
+dontaudit hal_health_default vendor_battery_defender_prop:file { read };
+dontaudit hal_health_default vendor_battery_defender_prop:property_service { set };
diff --git a/tracking_denials/hal_keymint_citadel.te b/tracking_denials/hal_keymint_citadel.te
new file mode 100644
index 00000000..61da5a9d
--- /dev/null
+++ b/tracking_denials/hal_keymint_citadel.te
@@ -0,0 +1,5 @@
+# b/205073229
+dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { getattr };
+dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { map };
+dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { open };
+dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { read };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..85e39d3c
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -0,0 +1,3 @@
+# b/205073167
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
diff --git a/tracking_denials/hal_secure_element_gto.te b/tracking_denials/hal_secure_element_gto.te
new file mode 100644
index 00000000..1019879e
--- /dev/null
+++ b/tracking_denials/hal_secure_element_gto.te
@@ -0,0 +1,2 @@
+# b/205073164
+dontaudit hal_secure_element_gto vendor_secure_element_prop:property_service { set };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
new file mode 100644
index 00000000..b2971ad3
--- /dev/null
+++ b/tracking_denials/hal_usb_impl.te
@@ -0,0 +1,5 @@
+# b/205073230
+dontaudit hal_usb_impl vendor_usb_config_prop:file { getattr };
+dontaudit hal_usb_impl vendor_usb_config_prop:file { map };
+dontaudit hal_usb_impl vendor_usb_config_prop:file { open };
+dontaudit hal_usb_impl vendor_usb_config_prop:file { read };
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te
new file mode 100644
index 00000000..b75c1354
--- /dev/null
+++ b/tracking_denials/hal_wifi_ext.te
@@ -0,0 +1,2 @@
+# b/205073038
+dontaudit hal_wifi_ext vendor_wifi_version:property_service { set };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index 6e1b0e1c..237f75c5 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
@@ -1,2 +1,8 @@
 # b/204718221
 dontaudit platform_app touch_service:service_manager { find };
+# b/205073024
+dontaudit platform_app default_prop:property_service { set };
+dontaudit platform_app fingerprint_ghbm_prop:file { getattr };
+dontaudit platform_app fingerprint_ghbm_prop:file { map };
+dontaudit platform_app fingerprint_ghbm_prop:file { open };
+dontaudit platform_app fingerprint_ghbm_prop:file { read };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 6276e04d..450db67c 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -1,2 +1,6 @@
 # b/204718782
 dontaudit priv_app hal_exynos_rild_hwservice:hwservice_manager { find };
+# b/205073117
+dontaudit priv_app vendor_default_prop:file { getattr };
+dontaudit priv_app vendor_default_prop:file { map };
+dontaudit priv_app vendor_default_prop:file { open };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
new file mode 100644
index 00000000..875d5d24
--- /dev/null
+++ b/tracking_denials/rild.te
@@ -0,0 +1,6 @@
+# b/205073023
+dontaudit rild vendor_default_prop:property_service { set };
+dontaudit rild vendor_persist_config_default_prop:file { getattr };
+dontaudit rild vendor_persist_config_default_prop:file { map };
+dontaudit rild vendor_persist_config_default_prop:file { open };
+dontaudit rild vendor_persist_config_default_prop:file { read };
diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te
new file mode 100644
index 00000000..bbe104e9
--- /dev/null
+++ b/tracking_denials/shell.te
@@ -0,0 +1,2 @@
+# b/205072922
+dontaudit shell property_type:file *;
diff --git a/tracking_denials/sscoredump.te b/tracking_denials/sscoredump.te
new file mode 100644
index 00000000..f3de0340
--- /dev/null
+++ b/tracking_denials/sscoredump.te
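Review bot: `dontaudit shell property_type:file *;` in tracking_denials/shell.te is far broader than every other entry in this patch: `property_type` is the attribute carried by all property types and `*` is every file permission, so this single line hides all property-file denials from the shell domain, not just the one tracked as b/205072922. It also re-creates for shell exactly the wildcard that PATCH 141 just removed from domain.te (`dontaudit domain property_type:file *;`) in order to reveal these errors. It should be narrowed to what the log showed, e.g. `dontaudit shell <PROP_TYPE_FROM_AVC>:file { getattr map open read };` with the placeholder filled from the denial, so that a later shell access to a property file it should not read still leaves an audit trace.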
@@ -0,0 +1,5 @@
+# b/205073166
+dontaudit sscoredump vendor_persist_sys_default_prop:file { getattr };
+dontaudit sscoredump vendor_persist_sys_default_prop:file { map };
+dontaudit sscoredump vendor_persist_sys_default_prop:file { open };
+dontaudit sscoredump vendor_persist_sys_default_prop:file { read };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 00000000..a91a9131
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,2 @@
+# b/205072689
+dontaudit surfaceflinger kernel:process { setsched };
diff --git a/tracking_denials/vcd.te b/tracking_denials/vcd.te
new file mode 100644
index 00000000..66f5c0c9
--- /dev/null
+++ b/tracking_denials/vcd.te
@@ -0,0 +1,5 @@
+# b/205073025
+dontaudit vcd vendor_persist_config_default_prop:file { getattr };
+dontaudit vcd vendor_persist_config_default_prop:file { map };
+dontaudit vcd vendor_persist_config_default_prop:file { open };
+dontaudit vcd vendor_persist_config_default_prop:file { read };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
new file mode 100644
index 00000000..043d13b9
--- /dev/null
+++ b/tracking_denials/vendor_init.te
@@ -0,0 +1,4 @@
+# b/205070818
+dontaudit vendor_init vendor_device_prop:property_service { set };
+dontaudit vendor_init vendor_nfc_prop:property_service { set };
+dontaudit vendor_init vendor_secure_element_prop:property_service { set };
From 64af79f39a2a89eb2142a41119b344e55cc366ad Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 5 Nov 2021 10:36:11 +0800
Subject: [PATCH 143/900] update error on ROM 7886118
Bug: 205202540
Bug: 205202541
Bug: 205202542
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I21db6eb0ee47a9a4d002fc897c143eae0f0b614a
---
tracking_denials/hal_neuralnetworks_armnn.te | 3 +++
tracking_denials/logger_app.te | 6 ++++++
tracking_denials/ssr_detector_app.te | 5 +++++
3 files changed, 14 insertions(+)
create mode 100644 tracking_denials/logger_app.te
create mode 100644 tracking_denials/ssr_detector_app.te
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
index 85e39d3c..8b5e1e3b 100644
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -1,3 +1,6 @@
 # b/205073167
 dontaudit hal_neuralnetworks_armnn default_prop:file { open };
 dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+# b/205202540
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
new file mode 100644
index 00000000..56b76b88
--- /dev/null
+++ b/tracking_denials/logger_app.te
@@ -0,0 +1,6 @@
+# b/205202541
+dontaudit logger_app vendor_gps_prop:property_service { set };
+dontaudit logger_app vendor_ssrdump_prop:file { getattr };
+dontaudit logger_app vendor_ssrdump_prop:file { map };
+dontaudit logger_app vendor_ssrdump_prop:file { open };
+dontaudit logger_app vendor_ssrdump_prop:file { read };
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
new file mode 100644
index 00000000..dd4768b2
--- /dev/null
+++ b/tracking_denials/ssr_detector_app.te
@@ -0,0 +1,5 @@
+# b/205202542
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr };
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map };
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open };
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read };
From 4c9dd893b818da483acb09e790113c3747eca63d Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 5 Nov 2021 11:13:30 +0800
Subject: [PATCH 144/900] fix platform_app property access
Bug: 205073024
Test: boot with no relevant error log
Change-Id: Ia230b025b89981ed797c95cdf76fe7efd56d3fa7
---
private/property_contexts | 5 +++++
tracking_denials/platform_app.te | 6 ------
whitechapel_pro/platform_app.te | 6 ++++++
3 files changed, 11 insertions(+), 6 deletions(-)
create mode 100644 private/property_contexts
diff --git a/private/property_contexts b/private/property_contexts
new file mode 100644
index 00000000..abcdd419
--- /dev/null
+++ b/private/property_contexts
@@ -0,0 +1,5 @@
+# Boot animation dynamic colors
+persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index 237f75c5..6e1b0e1c 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
@@ -1,8 +1,2 @@
 # b/204718221
 dontaudit platform_app touch_service:service_manager { find };
-# b/205073024
-dontaudit platform_app default_prop:property_service { set };
-dontaudit platform_app fingerprint_ghbm_prop:file { getattr };
-dontaudit platform_app fingerprint_ghbm_prop:file { map };
-dontaudit platform_app fingerprint_ghbm_prop:file { open };
-dontaudit platform_app fingerprint_ghbm_prop:file { read };
diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te
index 58499c98..6ba51af9 100644
--- a/whitechapel_pro/platform_app.te
+++ b/whitechapel_pro/platform_app.te
@@ -1,2 +1,8 @@
 allow platform_app hal_pixel_display_service:service_manager find;
 allow platform_app hal_wlc_hwservice:hwservice_manager find;
+
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+get_prop(platform_app, fingerprint_ghbm_prop)
+
+# allow systemui to set boot animation colors
+set_prop(platform_app, bootanim_system_prop);
From 0060a1335caba3efda89c955fcaae94371012b18 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 5 Nov 2021 11:25:01 +0800
Subject: [PATCH 145/900] let init.rc set GKI ready property
Bug: 205070818
Test: boot with no relevant error
Change-Id: I929a9d2cfbb5267b178fde09fc5e1f3dcc9ec3d0
---
tracking_denials/vendor_init.te | 1 -
whitechapel_pro/vendor_init.te | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 043d13b9..60a0e443 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -1,4 +1,3 @@
 # b/205070818
-dontaudit vendor_init vendor_device_prop:property_service { set };
 dontaudit vendor_init vendor_nfc_prop:property_service { set };
 dontaudit vendor_init vendor_secure_element_prop:property_service { set };
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index a55894f7..025fdef9 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -5,5 +5,5 @@ set_prop(vendor_init, vendor_carrier_prop)
 set_prop(vendor_init, vendor_cbd_prop)
 set_prop(vendor_init, vendor_ready_prop)
 get_prop(vendor_init, vendor_battery_profile_prop)
-get_prop(vendor_init, vendor_device_prop)
+set_prop(vendor_init, vendor_device_prop)
From 5f1a03bf0ee0b6fed3fe8eb5115fd4772deeb3af Mon Sep 17 00:00:00 2001
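Review bot: The comment `# allow systemui to set boot animation colors` in whitechapel_pro/platform_app.te describes a grant to systemui, but `set_prop(platform_app, bootanim_system_prop);` applies to the whole platform_app domain, i.e. every platform-signed app, so the comment understates the scope of the rule. If only systemui needs to write these properties the comment should at least say so, e.g. `# allow platform apps (systemui) to set boot animation colors`; if a narrower domain exists for systemui on this device, that is the better target. The trailing `;` on the set_prop line is also inconsistent with `get_prop(platform_app, fingerprint_ghbm_prop)` two lines above and with the macro lines in whitechapel_pro/vendor_init.te in the next patch; the macros expand to complete rules, so the stray `;` can be dropped.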
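Review bot: Replacing `get_prop(vendor_init, vendor_device_prop)` with `set_prop(vendor_init, vendor_device_prop)` lets vendor_init write every property labelled vendor_device_prop, not only the GKI-ready property named in the subject. If other properties share that label, a dedicated type for the GKI-ready property, labelled in property_contexts and granted with `set_prop(vendor_init, <gki_ready_prop_type>)`, would keep the grant to what init.rc needs; if vendor_device_prop covers only that property this is fine as written, and a comment saying so would save the next reader the lookup. No read access is lost by the swap, since AOSP's set_prop macro includes get_prop.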
From: Roger Wang
Date: Fri, 5 Nov 2021 16:02:30 +0800
Subject: [PATCH 146/900] Wifi: Add sepolicy files for hal_wifi_ext service
This commit adds the sepolicy related files for hal_wifi_ext service. avc msg: avc: denied { set } for property=vendor.wlan.firmware.version pid=682 uid=1010 gid=1010 scontext=u:r:hal_wifi_ext:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=1' avc: denied { call } for scontext=u:r:hal_wifi_ext:s0 tcontext=u:r:grilservice_app:s0:c143,c258,c512,c768 tclass=binder permissive=1
Bug: 205073038
Test: Check no avc_deny on hal_wifi_ext
Change-Id: I5d9b59c56b723174543c0308dd6b0235e998e76c
Signed-off-by: Roger Wang
---
tracking_denials/hal_wifi_ext.te | 2 --
whitechapel_pro/hal_wifi_ext.te | 5 +++++
2 files changed, 5 insertions(+), 2 deletions(-)
delete mode 100644 tracking_denials/hal_wifi_ext.te
create mode 100644 whitechapel_pro/hal_wifi_ext.te
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te
deleted file mode 100644
index b75c1354..00000000
--- a/tracking_denials/hal_wifi_ext.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205073038
-dontaudit hal_wifi_ext vendor_wifi_version:property_service { set };
diff --git a/whitechapel_pro/hal_wifi_ext.te b/whitechapel_pro/hal_wifi_ext.te
new file mode 100644
index 00000000..659239e8
--- /dev/null
+++ b/whitechapel_pro/hal_wifi_ext.te
@@ -0,0 +1,5 @@
+# Allow wifi_ext to report callbacks to gril-service app
+binder_call(hal_wifi_ext, grilservice_app)
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_ext, vendor_wifi_version)
From dd5b14c11830cd9bfbbe2022c3b5229ab9293528 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 5 Nov 2021 12:47:12 +0800
Subject: [PATCH 147/900] unleash error log related to device access
Bug: 205212735
Test: boot with error revealed
Change-Id: I49a995ecf3a050174c614453725fd51e09358688
---
whitechapel_pro/domain.te | 3 ---
1 file changed, 3 deletions(-)
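Review bot: The avc line quoted in the commit message reports the denied target as `tcontext=u:object_r:vendor_default_prop:s0` for `vendor.wlan.firmware.version`, but the new rule grants `set_prop(hal_wifi_ext, vendor_wifi_version)` and the diffstat touches no property_contexts file, so the rule only resolves the denial if that property is already labelled vendor_wifi_version. The tracking line being deleted already named vendor_wifi_version, which suggests the label exists on current builds and the quoted log is from an older one; the commit message should quote the current denial so the grant and the evidence agree. `binder_call(hal_wifi_ext, grilservice_app)` makes a vendor HAL call into an app domain; the comment gives the reason (callbacks), and naming the callback interface there would keep the rule from being read as a general HAL-to-app channel.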
diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te
index 85cd1b9d..ea02b432 100644
--- a/whitechapel_pro/domain.te
+++ b/whitechapel_pro/domain.te
@@ -8,9 +8,6 @@ dontaudit domain fs_type:file *;
 dontaudit domain fs_type:blk_file *;
 dontaudit domain fs_type:dir *;
 dontaudit domain fs_type:filesystem *;
-dontaudit domain dev_type:file *;
-dontaudit domain dev_type:chr_file *;
-dontaudit domain dev_type:blk_file *;
 dontaudit domain domain:capability *;
 dontaudit domain domain:binder *;
 dontaudit domain domain:socket_class_set *;
From 95c4e650c887647a01cd5ba8dbd74306ba9824d9 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 9 Nov 2021 13:12:17 +0800
Subject: [PATCH 148/900] update error on ROM 7895525
Bug: 205657177
Bug: 205657040
Bug: 205657133
Bug: 205656936
Bug: 205656937
Bug: 205657024
Bug: 205655569
Bug: 205656951
Bug: 205657039
Bug: 205657063
Bug: 205657092
Bug: 205657025
Bug: 205655298
Bug: 205657135
Bug: 205657093
Bug: 205657132
Bug: 205657090
Bug: 205656950
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I71c27247f9a19fe23a3602bf29793b1f0efc8bc8
---
tracking_denials/citadeld.te | 10 ++++++++++
tracking_denials/convert-to-f2fs-sh.te | 5 +++++
tracking_denials/hal_camera_default.te | 19 +++++++++++++++++++
tracking_denials/hal_fingerprint_default.te | 10 ++++++++++
.../hal_graphics_composer_default.te | 6 ++++++
tracking_denials/hal_identity_citadel.te | 6 ++++++
tracking_denials/hal_keymint_citadel.te | 6 ++++++
tracking_denials/hal_secure_element_gto.te | 3 +++
.../hal_secure_element_gto_ese2.te | 3 +++
tracking_denials/hal_sensors_default.te | 3 +++
tracking_denials/hal_weaver_citadel.te | 6 ++++++
tracking_denials/init.te | 2 ++
tracking_denials/init_citadel.te | 6 ++++++
tracking_denials/mediacodec_google.te | 7 +++++++
tracking_denials/mediacodec_samsung.te | 7 +++++++
tracking_denials/rlsservice.te | 11 +++++++++++
tracking_denials/toolbox.te | 5 +++++
tracking_denials/vendor_init.te | 2 ++
18 files changed, 117 insertions(+)
create mode 100644 tracking_denials/citadeld.te
create mode 100644 tracking_denials/convert-to-f2fs-sh.te
create mode 100644 tracking_denials/hal_identity_citadel.te
create mode 100644 tracking_denials/hal_secure_element_gto_ese2.te
create mode 100644 tracking_denials/hal_weaver_citadel.te
create mode 100644 tracking_denials/init.te
create mode 100644 tracking_denials/init_citadel.te
create mode 100644 tracking_denials/mediacodec_google.te
create mode 100644 tracking_denials/rlsservice.te
create mode 100644 tracking_denials/toolbox.te
diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te
new file mode 100644
index 00000000..c6b16b6e
--- /dev/null
+++ b/tracking_denials/citadeld.te
@@ -0,0 +1,10 @@
+# b/205657177
+dontaudit citadeld citadel_device:chr_file { getattr };
+dontaudit citadeld citadel_device:chr_file { ioctl };
+dontaudit citadeld citadel_device:chr_file { open };
+dontaudit citadeld citadel_device:chr_file { read write };
+dontaudit citadeld vndbinder_device:chr_file { ioctl };
+dontaudit citadeld vndbinder_device:chr_file { map };
+dontaudit citadeld vndbinder_device:chr_file { open };
+dontaudit citadeld vndbinder_device:chr_file { read };
+dontaudit citadeld vndbinder_device:chr_file { write };
diff --git a/tracking_denials/convert-to-f2fs-sh.te b/tracking_denials/convert-to-f2fs-sh.te
new file mode 100644
index 00000000..81f95f92
--- /dev/null
+++ b/tracking_denials/convert-to-f2fs-sh.te
@@ -0,0 +1,5 @@
+# b/205657040
+dontaudit convert-to-f2fs-sh kmsg_device:chr_file { open };
+dontaudit convert-to-f2fs-sh kmsg_device:chr_file { write };
+dontaudit convert-to-f2fs-sh modem_userdata_block_device:blk_file { open };
+dontaudit convert-to-f2fs-sh modem_userdata_block_device:blk_file { read };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 0e19b75f..227f0635 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
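Review bot: The entries for citadeld on `citadel_device:chr_file` here and, in the hal_identity_citadel, hal_keymint_citadel, hal_weaver_citadel and init_citadel hunks further down, on `vndbinder_device:chr_file` suppress denials on what appears to be each security daemon's primary I/O path; if these denials are real under enforcing mode the keymint, weaver and identity services would be non-functional, so they look like missing allow rules in the domains' own .te files rather than accesses to silence. For the `{ ioctl }` entries, the eventual allow rule should be paired with an ioctl allowlist via `allowxperm` so that silencing now does not turn into an unrestricted ioctl grant later. The `{ read write }` form on some lines and one-permission-per-line on the others is also inconsistent within the same file; one style per file makes the later conversion to allow rules easier to diff.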
@@ -8,3 +8,22 @@ dontaudit hal_camera_default vendor_camera_prop:file { map };
 dontaudit hal_camera_default vendor_camera_prop:file { open };
 dontaudit hal_camera_default vendor_camera_prop:file { read };
 dontaudit hal_camera_default vendor_camera_prop:property_service { set };
+# b/205657133
+dontaudit hal_camera_default edgetpu_device:chr_file { ioctl };
+dontaudit hal_camera_default edgetpu_device:chr_file { map };
+dontaudit hal_camera_default edgetpu_device:chr_file { open };
+dontaudit hal_camera_default edgetpu_device:chr_file { read write };
+dontaudit hal_camera_default gpu_device:chr_file { getattr };
+dontaudit hal_camera_default gpu_device:chr_file { ioctl };
+dontaudit hal_camera_default gpu_device:chr_file { map };
+dontaudit hal_camera_default gpu_device:chr_file { open };
+dontaudit hal_camera_default gpu_device:chr_file { read write };
+dontaudit hal_camera_default lwis_device:chr_file { ioctl };
+dontaudit hal_camera_default lwis_device:chr_file { open };
+dontaudit hal_camera_default lwis_device:chr_file { read };
+dontaudit hal_camera_default lwis_device:chr_file { write };
+dontaudit hal_camera_default vndbinder_device:chr_file { ioctl };
+dontaudit hal_camera_default vndbinder_device:chr_file { map };
+dontaudit hal_camera_default vndbinder_device:chr_file { open };
+dontaudit hal_camera_default vndbinder_device:chr_file { read };
+dontaudit hal_camera_default vndbinder_device:chr_file { write };
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
index 4f59448f..cda5fa89 100644
--- a/tracking_denials/hal_fingerprint_default.te
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -7,3 +7,13 @@ dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { getattr };
 dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { map };
 dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { open };
 dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { read };
+# b/205656936
+dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { open };
+dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { read };
+dontaudit hal_fingerprint_default fingerprint_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default fingerprint_device:chr_file { open };
+dontaudit hal_fingerprint_default fingerprint_device:chr_file { read write };
+dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default tee_device:chr_file { open };
+dontaudit hal_fingerprint_default tee_device:chr_file { read write };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
index d1df1af1..96000e93 100644
--- a/tracking_denials/hal_graphics_composer_default.te
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -3,3 +3,9 @@ dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { g
 dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { map };
 dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { open };
 dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { read };
+# b/205656937
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write };
diff --git a/tracking_denials/hal_identity_citadel.te b/tracking_denials/hal_identity_citadel.te
new file mode 100644
index 00000000..15777759
--- /dev/null
+++ b/tracking_denials/hal_identity_citadel.te
@@ -0,0 +1,6 @@
+# b/205657024
+dontaudit hal_identity_citadel vndbinder_device:chr_file { ioctl };
+dontaudit hal_identity_citadel vndbinder_device:chr_file { map };
+dontaudit hal_identity_citadel vndbinder_device:chr_file { open };
+dontaudit hal_identity_citadel vndbinder_device:chr_file { read };
+dontaudit hal_identity_citadel vndbinder_device:chr_file { write };
diff --git a/tracking_denials/hal_keymint_citadel.te b/tracking_denials/hal_keymint_citadel.te
index 61da5a9d..b2d1bcf4 100644
--- a/tracking_denials/hal_keymint_citadel.te
+++ b/tracking_denials/hal_keymint_citadel.te
@@ -3,3 +3,9 @@ dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { getattr };
 dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { map };
 dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { open };
 dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { read };
+# b/205655569
+dontaudit hal_keymint_citadel vndbinder_device:chr_file { ioctl };
+dontaudit hal_keymint_citadel vndbinder_device:chr_file { map };
+dontaudit hal_keymint_citadel vndbinder_device:chr_file { open };
+dontaudit hal_keymint_citadel vndbinder_device:chr_file { read };
+dontaudit hal_keymint_citadel vndbinder_device:chr_file { write };
diff --git a/tracking_denials/hal_secure_element_gto.te b/tracking_denials/hal_secure_element_gto.te
index 1019879e..866071c2 100644
--- a/tracking_denials/hal_secure_element_gto.te
+++ b/tracking_denials/hal_secure_element_gto.te
@@ -1,2 +1,5 @@
 # b/205073164
 dontaudit hal_secure_element_gto vendor_secure_element_prop:property_service { set };
+# b/205656951
+dontaudit hal_secure_element_gto secure_element_device:chr_file { open };
+dontaudit hal_secure_element_gto secure_element_device:chr_file { read write };
diff --git a/tracking_denials/hal_secure_element_gto_ese2.te b/tracking_denials/hal_secure_element_gto_ese2.te
new file mode 100644
index 00000000..3c17e5b3
--- /dev/null
+++ b/tracking_denials/hal_secure_element_gto_ese2.te
@@ -0,0 +1,3 @@
+# b/205657039
+dontaudit hal_secure_element_gto_ese2 secure_element_device:chr_file { open };
+dontaudit hal_secure_element_gto_ese2 secure_element_device:chr_file { read write };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
index 116d6d80..8ddf66dc 100644
--- a/tracking_denials/hal_sensors_default.te
+++ b/tracking_denials/hal_sensors_default.te
@@ -1,2 +1,5 @@ # b/204718449 dontaudit hal_sensors_default fwk_stats_service:service_manager { find }; +# b/205657063 +dontaudit hal_sensors_default aoc_device:chr_file { open }; +dontaudit hal_sensors_default aoc_device:chr_file { read write }; diff --git a/tracking_denials/hal_weaver_citadel.te b/tracking_denials/hal_weaver_citadel.te new file mode 100644 index 00000000..4c0fbbab --- /dev/null +++ b/tracking_denials/hal_weaver_citadel.te @@ -0,0 +1,6 @@ +# b/205657092 +dontaudit hal_weaver_citadel vndbinder_device:chr_file { ioctl }; +dontaudit hal_weaver_citadel vndbinder_device:chr_file { map }; +dontaudit hal_weaver_citadel vndbinder_device:chr_file { open }; +dontaudit hal_weaver_citadel vndbinder_device:chr_file { read }; +dontaudit hal_weaver_citadel vndbinder_device:chr_file { write }; diff --git a/tracking_denials/init.te b/tracking_denials/init.te new file mode 100644 index 00000000..b5e0743d --- /dev/null +++ b/tracking_denials/init.te @@ -0,0 +1,2 @@ +# b/205657025 +dontaudit init ram_device:blk_file { write }; diff --git a/tracking_denials/init_citadel.te b/tracking_denials/init_citadel.te new file mode 100644 index 00000000..e372f034 --- /dev/null +++ b/tracking_denials/init_citadel.te @@ -0,0 +1,6 @@ +# b/205655298 +dontaudit init_citadel vndbinder_device:chr_file { ioctl }; +dontaudit init_citadel vndbinder_device:chr_file { map }; +dontaudit init_citadel vndbinder_device:chr_file { open }; +dontaudit init_citadel vndbinder_device:chr_file { read }; +dontaudit init_citadel vndbinder_device:chr_file { write }; diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te new file mode 100644 index 00000000..ba517318 --- /dev/null +++ b/tracking_denials/mediacodec_google.te 
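Review bot: `dontaudit init ram_device:blk_file { write };` (b/205657025, new `tracking_denials/init.te`) silences a write from the most privileged userspace process to a block device, which is exactly the kind of access that should stay visible until it is explained. If init genuinely needs to write a RAM block device on this product, an explicit `allow` with a comment naming the init.rc action that does it is the honest rule; if the write comes from a stray vendor init script, this denial is the only signal that it is happening. `init` is a core domain, so before the bug is closed it is also worth checking that whatever rule replaces this does not collide with the neverallows in system/sepolicy.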
@@ -0,0 +1,7 @@ +# b/205657135 +dontaudit mediacodec_google dmabuf_system_heap_device:chr_file { getattr }; +dontaudit mediacodec_google vndbinder_device:chr_file { ioctl }; +dontaudit mediacodec_google vndbinder_device:chr_file { map }; +dontaudit mediacodec_google vndbinder_device:chr_file { open }; +dontaudit mediacodec_google vndbinder_device:chr_file { read }; +dontaudit mediacodec_google vndbinder_device:chr_file { write }; diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te index 1fa99a1b..09e2f0ed 100644 --- a/tracking_denials/mediacodec_samsung.te +++ b/tracking_denials/mediacodec_samsung.te @@ -1,3 +1,10 @@ # b/204718809 dontaudit mediacodec_samsung system_server:fifo_file { append }; dontaudit mediacodec_samsung system_server:fifo_file { write }; +# b/205657093 +dontaudit mediacodec_samsung dmabuf_system_heap_device:chr_file { getattr }; +dontaudit mediacodec_samsung vndbinder_device:chr_file { ioctl }; +dontaudit mediacodec_samsung vndbinder_device:chr_file { map }; +dontaudit mediacodec_samsung vndbinder_device:chr_file { open }; +dontaudit mediacodec_samsung vndbinder_device:chr_file { read }; +dontaudit mediacodec_samsung vndbinder_device:chr_file { write }; diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te new file mode 100644 index 00000000..138e57f3 --- /dev/null +++ b/tracking_denials/rlsservice.te 
@@ -0,0 +1,11 @@ +# b/205657132 +dontaudit rlsservice aoc_device:chr_file { getattr }; +dontaudit rlsservice aoc_device:chr_file { open }; +dontaudit rlsservice aoc_device:chr_file { read write }; +dontaudit rlsservice rls_device:chr_file { open }; +dontaudit rlsservice rls_device:chr_file { read write }; +dontaudit rlsservice vndbinder_device:chr_file { ioctl }; +dontaudit rlsservice vndbinder_device:chr_file { map }; +dontaudit rlsservice vndbinder_device:chr_file { open }; +dontaudit rlsservice vndbinder_device:chr_file { read }; +dontaudit rlsservice vndbinder_device:chr_file { write }; diff --git a/tracking_denials/toolbox.te b/tracking_denials/toolbox.te new file mode 100644 index 00000000..287e199c --- /dev/null +++ b/tracking_denials/toolbox.te @@ -0,0 +1,5 @@ +# b/205657090 +dontaudit toolbox ram_device:blk_file { getattr }; +dontaudit toolbox ram_device:blk_file { ioctl }; +dontaudit toolbox ram_device:blk_file { open }; +dontaudit toolbox ram_device:blk_file { read write }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 60a0e443..ae8feca2 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,3 +1,5 @@ # b/205070818 dontaudit vendor_init vendor_nfc_prop:property_service { set }; dontaudit vendor_init vendor_secure_element_prop:property_service { set }; +# b/205656950 +dontaudit vendor_init thermal_link_device:file { create }; From 7caaa15bd98219a268352c71d117015f52407c5b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 9 Nov 2021 14:10:25 +0800 Subject: [PATCH 149/900] unleash error log related to file access Bug: 205212735 Test: boot with error revealed Change-Id: I7cee80913ca621e7ab19f690eeb70d79e3d692dc --- whitechapel_pro/domain.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te index ea02b432..6f299343 100644 --- a/whitechapel_pro/domain.te +++ b/whitechapel_pro/domain.te 
@@ -1,7 +1,3 @@ -dontaudit domain file_type:file *; -dontaudit domain file_type:chr_file *; -dontaudit domain file_type:dir *; -dontaudit domain file_type:capability *; dontaudit domain file_type:sock_file *; dontaudit domain fs_type:chr_file *; dontaudit domain fs_type:file *; From 53371742c22dc5f3cf24ea0fa01783177ab726da Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 10 Nov 2021 11:05:45 +0800 Subject: [PATCH 150/900] update error on ROM 7900024 Bug: 205780088 Bug: 205779872 Bug: 205779877 Bug: 205780065 Bug: 205779906 Bug: 205779737 Bug: 205779871 Bug: 205780093 Bug: 205779850 Bug: 205779736 Bug: 205780090 Bug: 205779798 Bug: 205780186 Bug: 205779849 Bug: 205779799 Bug: 205780067 Bug: 205779581 Bug: 205779869 Bug: 205780068 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I979411b162c42ace670c35fcfd6ba286f0ea02fb --- tracking_denials/bootanim.te | 9 +++++++++ tracking_denials/cbd.te | 2 ++ tracking_denials/convert-to-f2fs-sh.te | 9 +++++++++ tracking_denials/hal_camera_default.te | 14 ++++++++++++++ tracking_denials/hal_graphics_composer_default.te | 3 +++ tracking_denials/hal_health_default.te | 3 +++ tracking_denials/hal_neuralnetworks_armnn.te | 2 ++ tracking_denials/hal_sensors_default.te | 6 ++++++ tracking_denials/hal_wifi_ext.te | 2 ++ tracking_denials/init_citadel.te | 3 +++ tracking_denials/kernel.te | 5 +++++ tracking_denials/logger_app.te | 9 +++++++++ tracking_denials/rlsservice.te | 5 +++++ tracking_denials/surfaceflinger.te | 9 +++++++++ tracking_denials/toolbox.te | 10 ++++++++++ tracking_denials/vendor_ims_app.te | 2 ++ tracking_denials/vendor_rcs_app.te | 2 ++ tracking_denials/vendor_rcs_service_app.te | 2 ++ tracking_denials/zygote.te | 7 +++++++ 19 files changed, 104 insertions(+) create mode 100644 tracking_denials/bootanim.te create mode 100644 tracking_denials/cbd.te create mode 100644 tracking_denials/hal_wifi_ext.te create mode 100644 tracking_denials/kernel.te create mode 100644 tracking_denials/vendor_ims_app.te create mode 100644 tracking_denials/vendor_rcs_app.te create mode 100644 tracking_denials/vendor_rcs_service_app.te diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te new file mode 100644 index 00000000..c2252620 --- /dev/null +++ b/tracking_denials/bootanim.te 
@@ -0,0 +1,9 @@ +# b/205780088 +dontaudit bootanim system_data_file:dir { read }; +dontaudit bootanim system_data_file:dir { search }; +dontaudit bootanim system_data_file:dir { watch }; +dontaudit bootanim vendor_file:file { execute }; +dontaudit bootanim vendor_file:file { getattr }; +dontaudit bootanim vendor_file:file { map }; +dontaudit bootanim vendor_file:file { open }; +dontaudit bootanim vendor_file:file { read }; diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te new file mode 100644 index 00000000..83f606c3 --- /dev/null +++ b/tracking_denials/cbd.te @@ -0,0 +1,2 @@ +# b/205779872 +dontaudit cbd persist_file:dir { search }; diff --git a/tracking_denials/convert-to-f2fs-sh.te b/tracking_denials/convert-to-f2fs-sh.te index 81f95f92..2478f01b 100644 --- a/tracking_denials/convert-to-f2fs-sh.te +++ b/tracking_denials/convert-to-f2fs-sh.te @@ -3,3 +3,12 @@ dontaudit convert-to-f2fs-sh kmsg_device:chr_file { open }; dontaudit convert-to-f2fs-sh kmsg_device:chr_file { write }; dontaudit convert-to-f2fs-sh modem_userdata_block_device:blk_file { open }; dontaudit convert-to-f2fs-sh modem_userdata_block_device:blk_file { read }; +# b/205779877 +dontaudit convert-to-f2fs-sh shell_exec:file { execute }; +dontaudit convert-to-f2fs-sh shell_exec:file { getattr }; +dontaudit convert-to-f2fs-sh shell_exec:file { map }; +dontaudit convert-to-f2fs-sh shell_exec:file { read }; +dontaudit convert-to-f2fs-sh toolbox_exec:file { execute }; +dontaudit convert-to-f2fs-sh toolbox_exec:file { execute_no_trans }; +dontaudit convert-to-f2fs-sh toolbox_exec:file { getattr }; +dontaudit convert-to-f2fs-sh toolbox_exec:file { read open }; diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index 227f0635..b7c2ccc0 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te 
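Review bot: The `dontaudit bootanim vendor_file:file { execute getattr map open read }` lines under b/205780088 hide bootanim failing to load a library out of /vendor, which is a labelling problem rather than a denial to suppress — under the Treble neverallows a coredomain such as bootanim can, as far as I recall, only execute or map vendor libraries labelled `same_process_hal_file`. PATCH 152 later in this series fixes the equivalent surfaceflinger and zygote denials by relabelling the specific libraries in `whitechapel_pro/file_contexts`; bootanim should be handled the same way (or confirmed to be covered by that relabel) and these five lines dropped, otherwise the boot animation can silently fall back or fail on every boot. Leaving `execute map` on `vendor_file` silenced for a system domain is also the pattern that makes a later, unrelated vendor-library load invisible.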
@@ -27,3 +27,17 @@ dontaudit hal_camera_default vndbinder_device:chr_file { map }; dontaudit hal_camera_default vndbinder_device:chr_file { open }; dontaudit hal_camera_default vndbinder_device:chr_file { read }; dontaudit hal_camera_default vndbinder_device:chr_file { write }; +# b/205780065 +dontaudit hal_camera_default apex_info_file:file { getattr }; +dontaudit hal_camera_default apex_info_file:file { open }; +dontaudit hal_camera_default apex_info_file:file { read }; +dontaudit hal_camera_default apex_info_file:file { watch }; +dontaudit hal_camera_default mnt_vendor_file:dir { search }; +dontaudit hal_camera_default persist_file:dir { search }; +dontaudit hal_camera_default system_data_file:dir { search }; +dontaudit hal_camera_default vendor_camera_data_file:dir { getattr }; +dontaudit hal_camera_default vendor_camera_data_file:dir { open }; +dontaudit hal_camera_default vendor_camera_data_file:dir { read }; +dontaudit hal_camera_default vendor_camera_data_file:dir { search }; +dontaudit hal_camera_default vendor_camera_data_file:file { open }; +dontaudit hal_camera_default vendor_camera_data_file:file { read }; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te index 96000e93..95a4c0a2 100644 --- a/tracking_denials/hal_graphics_composer_default.te +++ b/tracking_denials/hal_graphics_composer_default.te @@ -9,3 +9,6 @@ dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map }; dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open }; dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read }; dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write }; +# b/205779906 +dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search }; +dontaudit hal_graphics_composer_default persist_file:dir { search }; diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te index 828b5f21..6306f197 100644 
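Review bot: The b/205780065 block silences hal_camera_default being denied `search/getattr/open/read` on `vendor_camera_data_file`, a type that by its name exists precisely so the camera HAL can read its own data — if the HAL cannot reach its calibration or tuning files, that is a missing allow rule, not noise. The expected fix is `allow hal_camera_default vendor_camera_data_file:dir r_dir_perms;` and `allow hal_camera_default vendor_camera_data_file:file r_file_perms;` (or the `rw_` variants if it also writes there), after which these seven lines should go. The `persist_file`/`mnt_vendor_file` search denials in the same hunk are probably incidental path walks, but `apex_info_file:file { watch }` suggests the HAL is monitoring APEX state, which a vendor HAL normally should not depend on — worth confirming before it is permanently hidden.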
--- a/tracking_denials/hal_health_default.te +++ b/tracking_denials/hal_health_default.te @@ -4,3 +4,6 @@ dontaudit hal_health_default vendor_battery_defender_prop:file { map }; dontaudit hal_health_default vendor_battery_defender_prop:file { open }; dontaudit hal_health_default vendor_battery_defender_prop:file { read }; dontaudit hal_health_default vendor_battery_defender_prop:property_service { set }; +# b/205779737 +dontaudit hal_health_default mnt_vendor_file:dir { search }; +dontaudit hal_health_default persist_file:dir { search }; diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te index 8b5e1e3b..b58f29fe 100644 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ b/tracking_denials/hal_neuralnetworks_armnn.te @@ -4,3 +4,5 @@ dontaudit hal_neuralnetworks_armnn default_prop:file { read }; # b/205202540 dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; dontaudit hal_neuralnetworks_armnn default_prop:file { map }; +# b/205779871 +dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te index 8ddf66dc..05ccf8ac 100644 --- a/tracking_denials/hal_sensors_default.te +++ b/tracking_denials/hal_sensors_default.te @@ -3,3 +3,9 @@ dontaudit hal_sensors_default fwk_stats_service:service_manager { find }; # b/205657063 dontaudit hal_sensors_default aoc_device:chr_file { open }; dontaudit hal_sensors_default aoc_device:chr_file { read write }; +# b/205780093 +dontaudit hal_sensors_default mnt_vendor_file:dir { search }; +dontaudit hal_sensors_default persist_file:dir { search }; +dontaudit hal_sensors_default sensor_reg_data_file:dir { getattr }; +dontaudit hal_sensors_default sensor_reg_data_file:dir { open }; +dontaudit hal_sensors_default sensor_reg_data_file:dir { read }; 
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te new file mode 100644 index 00000000..84b8edfd --- /dev/null +++ b/tracking_denials/hal_wifi_ext.te @@ -0,0 +1,2 @@ +# b/205779850 +dontaudit hal_wifi_ext updated_wifi_firmware_data_file:dir { search }; diff --git a/tracking_denials/init_citadel.te b/tracking_denials/init_citadel.te index e372f034..48e98d67 100644 --- a/tracking_denials/init_citadel.te +++ b/tracking_denials/init_citadel.te @@ -4,3 +4,6 @@ dontaudit init_citadel vndbinder_device:chr_file { map }; dontaudit init_citadel vndbinder_device:chr_file { open }; dontaudit init_citadel vndbinder_device:chr_file { read }; dontaudit init_citadel vndbinder_device:chr_file { write }; +# b/205779736 +dontaudit init_citadel citadel_updater:file { execute_no_trans }; +dontaudit init_citadel vendor_toolbox_exec:file { execute_no_trans }; diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te new file mode 100644 index 00000000..23a733c6 --- /dev/null +++ b/tracking_denials/kernel.te @@ -0,0 +1,5 @@ +# b/205780090 +dontaudit kernel per_boot_file:file { read }; +dontaudit kernel vendor_fw_file:dir { search }; +dontaudit kernel vendor_fw_file:file { open }; +dontaudit kernel vendor_fw_file:file { read }; diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te index 56b76b88..e9513bad 100644 --- a/tracking_denials/logger_app.te +++ b/tracking_denials/logger_app.te 
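Review bot: `dontaudit init_citadel citadel_updater:file { execute_no_trans };` (b/205779736) hides a denial on what looks like execution of the Citadel (Titan M) firmware updater itself; if `citadel_updater` is the updater's exec type, suppressing this means a security-chip firmware update can be refused on every boot without leaving a log line. That path should be decided explicitly — `allow init_citadel citadel_updater:file rx_file_perms;` if the updater is meant to run inside the init_citadel domain, or a `domain_auto_trans` into its own domain — rather than silenced. The same applies to `vendor_toolbox_exec:file { execute_no_trans }` in the same hunk: if init_citadel's script genuinely shells out to toolbox, `allow init_citadel vendor_toolbox_exec:file rx_file_perms;` is the rule to write.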
@@ -4,3 +4,12 @@ dontaudit logger_app vendor_ssrdump_prop:file { getattr }; dontaudit logger_app vendor_ssrdump_prop:file { map }; dontaudit logger_app vendor_ssrdump_prop:file { open }; dontaudit logger_app vendor_ssrdump_prop:file { read }; +# b/205779798 +dontaudit logger_app radio_vendor_data_file:dir { getattr }; +dontaudit logger_app radio_vendor_data_file:dir { open }; +dontaudit logger_app radio_vendor_data_file:dir { read }; +dontaudit logger_app radio_vendor_data_file:dir { remove_name }; +dontaudit logger_app radio_vendor_data_file:dir { search }; +dontaudit logger_app radio_vendor_data_file:dir { setattr }; +dontaudit logger_app radio_vendor_data_file:dir { write }; +dontaudit logger_app radio_vendor_data_file:file { unlink }; diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te index 138e57f3..2231fbb5 100644 --- a/tracking_denials/rlsservice.te +++ b/tracking_denials/rlsservice.te @@ -9,3 +9,8 @@ dontaudit rlsservice vndbinder_device:chr_file { map }; dontaudit rlsservice vndbinder_device:chr_file { open }; dontaudit rlsservice vndbinder_device:chr_file { read }; dontaudit rlsservice vndbinder_device:chr_file { write }; +# b/205780186 +dontaudit rlsservice apex_info_file:file { getattr }; +dontaudit rlsservice apex_info_file:file { open }; +dontaudit rlsservice apex_info_file:file { read }; +dontaudit rlsservice apex_info_file:file { watch }; diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te index a91a9131..e6135d38 100644 --- a/tracking_denials/surfaceflinger.te +++ b/tracking_denials/surfaceflinger.te 
@@ -1,2 +1,11 @@ # b/205072689 dontaudit surfaceflinger kernel:process { setsched }; +# b/205779849 +dontaudit surfaceflinger vendor_file:file { execute }; +dontaudit surfaceflinger vendor_file:file { getattr }; +dontaudit surfaceflinger vendor_file:file { map }; +dontaudit surfaceflinger vendor_file:file { open }; +dontaudit surfaceflinger vendor_file:file { read }; +dontaudit surfaceflinger vendor_fw_file:dir { search }; +dontaudit surfaceflinger vendor_fw_file:file { open }; +dontaudit surfaceflinger vendor_fw_file:file { read }; diff --git a/tracking_denials/toolbox.te b/tracking_denials/toolbox.te index 287e199c..44b4ec77 100644 --- a/tracking_denials/toolbox.te +++ b/tracking_denials/toolbox.te @@ -3,3 +3,13 @@ dontaudit toolbox ram_device:blk_file { getattr }; dontaudit toolbox ram_device:blk_file { ioctl }; dontaudit toolbox ram_device:blk_file { open }; dontaudit toolbox ram_device:blk_file { read write }; +# b/205779799 +dontaudit toolbox per_boot_file:dir { getattr }; +dontaudit toolbox per_boot_file:dir { open }; +dontaudit toolbox per_boot_file:dir { read }; +dontaudit toolbox per_boot_file:dir { remove_name }; +dontaudit toolbox per_boot_file:dir { rmdir }; +dontaudit toolbox per_boot_file:dir { search }; +dontaudit toolbox per_boot_file:dir { write }; +dontaudit toolbox per_boot_file:file { getattr }; +dontaudit toolbox per_boot_file:file { unlink }; diff --git a/tracking_denials/vendor_ims_app.te b/tracking_denials/vendor_ims_app.te new file mode 100644 index 00000000..2695c9c8 --- /dev/null +++ b/tracking_denials/vendor_ims_app.te @@ -0,0 +1,2 @@ +# b/205780067 +dontaudit vendor_ims_app radio_service:service_manager { find }; diff --git a/tracking_denials/vendor_rcs_app.te b/tracking_denials/vendor_rcs_app.te new file mode 100644 index 00000000..bc5dcaae --- /dev/null +++ b/tracking_denials/vendor_rcs_app.te @@ -0,0 +1,2 @@ +# b/205779581 +dontaudit vendor_rcs_app radio_service:service_manager { find }; 
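Review bot: The b/205779799 lines silence toolbox being denied `remove_name/rmdir/write` on `per_boot_file:dir` and `unlink` on `per_boot_file:file`, which looks like the post-boot cleanup of `/data/per_boot` failing. If that inference is right, hiding it is security-relevant: the per-boot key material that directory holds is meant to be deleted once boot completes, and a silently failing cleanup leaves it on disk for the rest of the boot. Please confirm which init.rc command performs the removal and whether AOSP's `toolbox.te` already carries the matching allow (in which case this denial points at a label mismatch on the product); either way it is one to fix, not to `dontaudit`.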
diff --git a/tracking_denials/vendor_rcs_service_app.te b/tracking_denials/vendor_rcs_service_app.te new file mode 100644 index 00000000..da3c7dcf --- /dev/null +++ b/tracking_denials/vendor_rcs_service_app.te @@ -0,0 +1,2 @@ +# b/205779869 +dontaudit vendor_rcs_service_app radio_service:service_manager { find }; diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te index c9fd8bba..4ebb49ce 100644 --- a/tracking_denials/zygote.te +++ b/tracking_denials/zygote.te @@ -6,3 +6,10 @@ dontaudit zygote default_android_service:service_manager { find }; dontaudit zygote game_service:service_manager { find }; dontaudit zygote nfc_service:service_manager { find }; dontaudit zygote radio_service:service_manager { find }; +# b/205780068 +dontaudit zygote user_profile_data_file:file { getattr }; +dontaudit zygote vendor_file:file { execute }; +dontaudit zygote vendor_file:file { getattr }; +dontaudit zygote vendor_file:file { map }; +dontaudit zygote vendor_file:file { open }; +dontaudit zygote vendor_file:file { read }; From e73b78bdd8c70c4030b8e7c391a317026cf5fee1 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 10 Nov 2021 12:15:04 +0800 Subject: [PATCH 151/900] unleash the rest of error log not related to sysfs Bug: 205212735 Test: boot with error revealed Change-Id: I3e07ff8632e60cf93360907bccf5cacd16b8c5b9 --- whitechapel_pro/domain.te | 5 ----- 1 file changed, 5 deletions(-) diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te index 6f299343..c8ed7c51 100644 --- a/whitechapel_pro/domain.te +++ b/whitechapel_pro/domain.te @@ -1,11 +1,6 @@ -dontaudit domain file_type:sock_file *; dontaudit domain fs_type:chr_file *; dontaudit domain fs_type:file *; dontaudit domain fs_type:blk_file *; dontaudit domain fs_type:dir *; dontaudit domain fs_type:filesystem *; -dontaudit domain domain:capability *; -dontaudit domain domain:binder *; -dontaudit domain domain:socket_class_set *; -dontaudit fs_type fs_type:filesystem *; 
From e3bb63ab1b8e07ba067ed0d5ff8e4993b736ef4b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 10 Nov 2021 13:51:34 +0800 Subject: [PATCH 152/900] Make display related libraries reachable Bug: 205780068 Bug: 205779849 Test: boot with no relevant error Change-Id: I806ecb779690346674816b793a5da21acf1be59b --- tracking_denials/surfaceflinger.te | 5 ----- tracking_denials/zygote.te | 7 ------- whitechapel_pro/file_contexts | 5 +++++ 3 files changed, 5 insertions(+), 12 deletions(-) diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te index e6135d38..3ccdc9c3 100644 --- a/tracking_denials/surfaceflinger.te +++ b/tracking_denials/surfaceflinger.te @@ -1,11 +1,6 @@ # b/205072689 dontaudit surfaceflinger kernel:process { setsched }; # b/205779849 -dontaudit surfaceflinger vendor_file:file { execute }; -dontaudit surfaceflinger vendor_file:file { getattr }; -dontaudit surfaceflinger vendor_file:file { map }; -dontaudit surfaceflinger vendor_file:file { open }; -dontaudit surfaceflinger vendor_file:file { read }; dontaudit surfaceflinger vendor_fw_file:dir { search }; dontaudit surfaceflinger vendor_fw_file:file { open }; dontaudit surfaceflinger vendor_fw_file:file { read }; diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te index 4ebb49ce..c9fd8bba 100644 --- a/tracking_denials/zygote.te +++ b/tracking_denials/zygote.te @@ -6,10 +6,3 @@ dontaudit zygote default_android_service:service_manager { find }; dontaudit zygote game_service:service_manager { find }; dontaudit zygote nfc_service:service_manager { find }; dontaudit zygote radio_service:service_manager { find }; -# b/205780068 -dontaudit zygote user_profile_data_file:file { getattr }; -dontaudit zygote vendor_file:file { execute }; -dontaudit zygote vendor_file:file { getattr }; -dontaudit zygote vendor_file:file { map }; -dontaudit zygote vendor_file:file { open }; -dontaudit zygote vendor_file:file { read }; 
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index d6dcbfc8..f8414aed 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -42,6 +42,11 @@ # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 +# Vendor libraries +/vendor/lib64/libdrm\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libion_google\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 + # Vendor kernel modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 From ab13d5a1f79d7f8f052b030f5d4e0705a369f928 Mon Sep 17 00:00:00 2001 
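Review bot: Labelling `/vendor/lib64/libdrm\.so`, `libion_google\.so` and `arm\.graphics-V1-ndk\.so` as `same_process_hal_file` does more than clear a denial — it authorises these vendor libraries to be mapped into coredomain processes, and since the denials removed by this commit came from zygote, presumably into every app process forked from it. Each entry should therefore carry a comment naming the SP-HAL that pulls it in and confirming it is on the device's SP-HAL/VNDK-SP allowlist, e.g. `# Loaded in-process by the graphics SP-HAL (consumer: <name>); keep this list minimal`. Two details to check: only `/vendor/lib64/` is matched, so any 32-bit `/vendor/lib/` copies would still be denied if 32-bit processes load them, and the patterns match exact filenames only, so a versioned install name would fall back to `vendor_file`.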
From: Adam Shih Date: Thu, 11 Nov 2021 09:47:32 +0800 Subject: [PATCH 153/900] update error on ROM 7904131 Bug: 205904432 Bug: 205904322 Bug: 205904438 Bug: 205904406 Bug: 205904310 Bug: 205904436 Bug: 205904402 Bug: 205904552 Bug: 205904323 Bug: 205904442 Bug: 205904367 Bug: 205904452 Bug: 205904403 Bug: 205904379 Bug: 205904328 Bug: 205904286 Bug: 205904380 Bug: 205904401 Bug: 205904381 Bug: 205904208 Bug: 205904433 Bug: 205904327 Bug: 205904553 Bug: 205904361 Bug: 205904441 Bug: 205904324 Bug: 205904207 Bug: 205904404 Bug: 205904330 Bug: 205904439 Bug: 205904435 Bug: 205904384 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I64432a24d562d5868f21a317e5bfd6f25ad24900 --- tracking_denials/cbd.te | 2 ++ tracking_denials/citadeld.te | 6 ++++++ tracking_denials/convert-to-f2fs-sh.te | 2 ++ tracking_denials/hal_camera_default.te | 9 +++++++++ tracking_denials/hal_fingerprint_default.te | 4 ++++ tracking_denials/hal_graphics_composer_default.te | 6 ++++++ tracking_denials/hal_health_default.te | 3 +++ tracking_denials/hal_identity_citadel.te | 2 ++ tracking_denials/hal_keymint_citadel.te | 3 +++ tracking_denials/hal_power_default.te | 2 ++ tracking_denials/hal_power_stats_default.te | 2 ++ tracking_denials/hal_secure_element_gto.te | 3 +++ tracking_denials/hal_secure_element_uicc.te | 3 +++ tracking_denials/hal_sensors_default.te | 4 ++++ tracking_denials/hal_thermal_default.te | 7 +++++++ tracking_denials/hal_weaver_citadel.te | 3 +++ tracking_denials/hbmsvmanager_app.te | 2 ++ tracking_denials/init_citadel.te | 3 +++ tracking_denials/mediacodec_samsung.te | 3 +++ tracking_denials/nfc.te | 2 ++ tracking_denials/pixelstats_vendor.te | 2 ++ tracking_denials/platform_app.te | 2 ++ tracking_denials/priv_app.te | 3 +++ tracking_denials/rfsd.te | 3 +++ tracking_denials/rild.te | 5 +++++ tracking_denials/rlsservice.te | 3 +++ tracking_denials/servicemanager.te | 4 ++++ tracking_denials/system_server.te | 2 ++ tracking_denials/tee.te | 3 +++ 
tracking_denials/vendor_ims_app.te | 3 +++ tracking_denials/vendor_rcs_app.te | 3 +++ tracking_denials/zygote.te | 6 ++++++ 32 files changed, 110 insertions(+) create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/hal_power_stats_default.te create mode 100644 tracking_denials/hal_secure_element_uicc.te create mode 100644 tracking_denials/hal_thermal_default.te create mode 100644 tracking_denials/nfc.te create mode 100644 tracking_denials/pixelstats_vendor.te create mode 100644 tracking_denials/rfsd.te create mode 100644 tracking_denials/servicemanager.te create mode 100644 tracking_denials/system_server.te create mode 100644 tracking_denials/tee.te diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te index 83f606c3..6527506e 100644 --- a/tracking_denials/cbd.te +++ b/tracking_denials/cbd.te @@ -1,2 +1,4 @@ # b/205779872 dontaudit cbd persist_file:dir { search }; +# b/205904432 +dontaudit cbd cbd:capability { setuid }; diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te index c6b16b6e..a6a36f1e 100644 --- a/tracking_denials/citadeld.te +++ b/tracking_denials/citadeld.te @@ -8,3 +8,9 @@ dontaudit citadeld vndbinder_device:chr_file { map }; dontaudit citadeld vndbinder_device:chr_file { open }; dontaudit citadeld vndbinder_device:chr_file { read }; dontaudit citadeld vndbinder_device:chr_file { write }; +# b/205904322 +dontaudit citadeld servicemanager:binder { call }; +dontaudit citadeld servicemanager:binder { transfer }; +dontaudit citadeld system_server:binder { call }; +dontaudit citadeld vndservicemanager:binder { call }; +dontaudit citadeld vndservicemanager:binder { transfer }; diff --git a/tracking_denials/convert-to-f2fs-sh.te b/tracking_denials/convert-to-f2fs-sh.te index 2478f01b..6231c945 100644 --- a/tracking_denials/convert-to-f2fs-sh.te +++ b/tracking_denials/convert-to-f2fs-sh.te 
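Review bot: `dontaudit cbd cbd:capability { setuid };` (b/205904432) silences a CAP_SETUID denial, which in a daemon almost always means a privilege-dropping `setuid()` is failing; if cbd does not check that return value it keeps running under its starting uid, and after this change with nothing in the log to show it. This should be resolved rather than hidden: either grant it deliberately with a comment (`allow cbd self:global_capability_class_set setuid;` in current AOSP syntax) or start cbd as the target user from init.rc so the call is unnecessary, and confirm the binary aborts when `setuid()` fails. A two-line `dontaudit` on a capability is the cheapest way to lose a privilege-drop regression.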
@@ -12,3 +12,5 @@ dontaudit convert-to-f2fs-sh toolbox_exec:file { execute }; dontaudit convert-to-f2fs-sh toolbox_exec:file { execute_no_trans }; dontaudit convert-to-f2fs-sh toolbox_exec:file { getattr }; dontaudit convert-to-f2fs-sh toolbox_exec:file { read open }; +# b/205904438 +dontaudit convert-to-f2fs-sh toolbox_exec:file { map }; diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index b7c2ccc0..451ff93a 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te @@ -41,3 +41,12 @@ dontaudit hal_camera_default vendor_camera_data_file:dir { read }; dontaudit hal_camera_default vendor_camera_data_file:dir { search }; dontaudit hal_camera_default vendor_camera_data_file:file { open }; dontaudit hal_camera_default vendor_camera_data_file:file { read }; +# b/205904406 +dontaudit hal_camera_default hal_camera_default:capability { sys_nice }; +dontaudit hal_camera_default hal_power_default:binder { call }; +dontaudit hal_camera_default hal_radioext_default:binder { call }; +dontaudit hal_camera_default init:unix_stream_socket { connectto }; +dontaudit hal_camera_default property_socket:sock_file { write }; +dontaudit hal_camera_default servicemanager:binder { call }; +dontaudit hal_camera_default servicemanager:binder { transfer }; +dontaudit hal_camera_default system_server:binder { call }; diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te index cda5fa89..43d1f3a2 100644 --- a/tracking_denials/hal_fingerprint_default.te +++ b/tracking_denials/hal_fingerprint_default.te 
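Review bot: The pair `dontaudit hal_camera_default init:unix_stream_socket { connectto };` and `dontaudit hal_camera_default property_socket:sock_file { write };` (b/205904406) is the property-service client path — the camera HAL is trying to set a system property and being refused. Hiding that is the wrong direction: the denial is what tells you which property, and the fix is a scoped `set_prop(hal_camera_default, <vendor-owned property type>)` for a property the HAL is entitled to own, or removing the write if it targets a framework property. In the same hunk, `hal_camera_default:capability { sys_nice }` and the binder `call`s into `hal_power_default`, `hal_radioext_default` and `system_server` each extend the HAL's reach and should likewise be granted explicitly (e.g. `binder_call(hal_camera_default, hal_power_default)`) or removed, rather than silenced wholesale under one bug.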
@@ -17,3 +17,7 @@ dontaudit hal_fingerprint_default fingerprint_device:chr_file { read write }; dontaudit hal_fingerprint_default tee_device:chr_file { ioctl }; dontaudit hal_fingerprint_default tee_device:chr_file { open }; dontaudit hal_fingerprint_default tee_device:chr_file { read write }; +# b/205904310 +dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind }; +dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create }; +dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write }; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te index 95a4c0a2..d416f72f 100644 --- a/tracking_denials/hal_graphics_composer_default.te +++ b/tracking_denials/hal_graphics_composer_default.te @@ -12,3 +12,9 @@ dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write }; # b/205779906 dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search }; dontaudit hal_graphics_composer_default persist_file:dir { search }; +# b/205904436 +dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { bind }; +dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { create }; +dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read }; +dontaudit hal_graphics_composer_default vndservicemanager:binder { call }; +dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer }; diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te index 6306f197..bd55c270 100644 --- a/tracking_denials/hal_health_default.te +++ b/tracking_denials/hal_health_default.te 
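Review bot: `dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind create write }` (b/205904310) silences creation of a raw `netlink_socket`, the catch-all class used when the netlink family has no dedicated class (uevent, generic and route each have their own). Before this is granted or hidden it is worth identifying which family the HAL actually opens — e.g. from the `socket(AF_NETLINK, ..., proto)` call — because a fingerprint HAL that needs kernel notifications is usually covered by `netlink_kobject_uevent_socket` or `netlink_generic_socket`, and `write` on an unclassified netlink socket from a vendor HAL is broader than either. If the raw class is really required, grant it narrowly with a comment, e.g. `allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; # <driver> notifications`.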
@@ -7,3 +7,6 @@ dontaudit hal_health_default vendor_battery_defender_prop:property_service { set # b/205779737 dontaudit hal_health_default mnt_vendor_file:dir { search }; dontaudit hal_health_default persist_file:dir { search }; +# b/205904402 +dontaudit hal_health_default init:unix_stream_socket { connectto }; +dontaudit hal_health_default property_socket:sock_file { write }; diff --git a/tracking_denials/hal_identity_citadel.te b/tracking_denials/hal_identity_citadel.te index 15777759..dd1af9bf 100644 --- a/tracking_denials/hal_identity_citadel.te +++ b/tracking_denials/hal_identity_citadel.te @@ -4,3 +4,5 @@ dontaudit hal_identity_citadel vndbinder_device:chr_file { map }; dontaudit hal_identity_citadel vndbinder_device:chr_file { open }; dontaudit hal_identity_citadel vndbinder_device:chr_file { read }; dontaudit hal_identity_citadel vndbinder_device:chr_file { write }; +# b/205904552 +dontaudit hal_identity_citadel vndservicemanager:binder { call }; diff --git a/tracking_denials/hal_keymint_citadel.te b/tracking_denials/hal_keymint_citadel.te index b2d1bcf4..6d19e0e5 100644 --- a/tracking_denials/hal_keymint_citadel.te +++ b/tracking_denials/hal_keymint_citadel.te @@ -9,3 +9,6 @@ dontaudit hal_keymint_citadel vndbinder_device:chr_file { map }; dontaudit hal_keymint_citadel vndbinder_device:chr_file { open }; dontaudit hal_keymint_citadel vndbinder_device:chr_file { read }; dontaudit hal_keymint_citadel vndbinder_device:chr_file { write }; +# b/205904323 +dontaudit hal_keymint_citadel citadeld:binder { call }; +dontaudit hal_keymint_citadel vndservicemanager:binder { call }; diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te new file mode 100644 index 00000000..05e3c0c1 --- /dev/null +++ b/tracking_denials/hal_power_default.te @@ -0,0 +1,2 @@ +# b/205904442 +dontaudit hal_power_default hal_camera_default:binder { transfer }; 
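Review bot: `dontaudit hal_keymint_citadel citadeld:binder { call };` and `dontaudit hal_keymint_citadel vndservicemanager:binder { call };` (b/205904323) suppress denials on the KeyMint HAL's path to the Titan M daemon; if those calls are genuinely blocked, every hardware-backed key operation and attestation served through this HAL fails, and after this change it fails silently. This is the one HAL where silencing is hardest to justify — the rules should be `binder_call(hal_keymint_citadel, citadeld)` plus `vndbinder_use(hal_keymint_citadel)` (the latter covers the `vndservicemanager` half), both ordinary vendor-policy grants. The identical pattern is added for `hal_identity_citadel`, `hal_weaver_citadel` and `init_citadel` elsewhere in this commit, so a shared attribute or macro for the citadel clients would keep the four in step.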
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te new file mode 100644 index 00000000..86e4dc43 --- /dev/null +++ b/tracking_denials/hal_power_stats_default.te @@ -0,0 +1,2 @@ +# b/205904367 +dontaudit hal_power_stats_default hal_bluetooth_btlinux:binder { call }; diff --git a/tracking_denials/hal_secure_element_gto.te b/tracking_denials/hal_secure_element_gto.te index 866071c2..ea3e96f6 100644 --- a/tracking_denials/hal_secure_element_gto.te +++ b/tracking_denials/hal_secure_element_gto.te @@ -3,3 +3,6 @@ dontaudit hal_secure_element_gto vendor_secure_element_prop:property_service { s # b/205656951 dontaudit hal_secure_element_gto secure_element_device:chr_file { open }; dontaudit hal_secure_element_gto secure_element_device:chr_file { read write }; +# b/205904452 +dontaudit hal_secure_element_gto init:unix_stream_socket { connectto }; +dontaudit hal_secure_element_gto property_socket:sock_file { write }; diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te new file mode 100644 index 00000000..10323849 --- /dev/null +++ b/tracking_denials/hal_secure_element_uicc.te @@ -0,0 +1,3 @@ +# b/205904403 +dontaudit hal_secure_element_uicc rild:binder { call }; +dontaudit hal_secure_element_uicc rild:binder { transfer }; diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te index 05ccf8ac..06aaec58 100644 --- a/tracking_denials/hal_sensors_default.te +++ b/tracking_denials/hal_sensors_default.te 
@@ -9,3 +9,7 @@ dontaudit hal_sensors_default persist_file:dir { search };
 dontaudit hal_sensors_default sensor_reg_data_file:dir { getattr };
 dontaudit hal_sensors_default sensor_reg_data_file:dir { open };
 dontaudit hal_sensors_default sensor_reg_data_file:dir { read };
+# b/205904379
+dontaudit hal_sensors_default chre:unix_stream_socket { connectto };
+dontaudit hal_sensors_default chre_socket:sock_file { write };
+dontaudit hal_sensors_default system_server:binder { call };
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
new file mode 100644
index 00000000..abbd2f97
--- /dev/null
+++ b/tracking_denials/hal_thermal_default.te
@@ -0,0 +1,7 @@
+# b/205904328
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { bind };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { create };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { getattr };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { read };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { setopt };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { write };
diff --git a/tracking_denials/hal_weaver_citadel.te b/tracking_denials/hal_weaver_citadel.te
index 4c0fbbab..b847751f 100644
--- a/tracking_denials/hal_weaver_citadel.te
+++ b/tracking_denials/hal_weaver_citadel.te
@@ -4,3 +4,6 @@ dontaudit hal_weaver_citadel vndbinder_device:chr_file { map };
 dontaudit hal_weaver_citadel vndbinder_device:chr_file { open };
 dontaudit hal_weaver_citadel vndbinder_device:chr_file { read };
 dontaudit hal_weaver_citadel vndbinder_device:chr_file { write };
+# b/205904286
+dontaudit hal_weaver_citadel citadeld:binder { call };
+dontaudit hal_weaver_citadel vndservicemanager:binder { call };
diff --git a/tracking_denials/hbmsvmanager_app.te b/tracking_denials/hbmsvmanager_app.te
index 22a8102e..e015fa9b 100644
--- a/tracking_denials/hbmsvmanager_app.te
+++ b/tracking_denials/hbmsvmanager_app.te
@@ -1,2 +1,4 @@
 # b/204718757
 dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find };
+# b/205904380
+dontaudit hbmsvmanager_app hal_graphics_composer_default:binder { call };
diff --git a/tracking_denials/init_citadel.te b/tracking_denials/init_citadel.te
index 48e98d67..587d4ea4 100644
--- a/tracking_denials/init_citadel.te
+++ b/tracking_denials/init_citadel.te
@@ -7,3 +7,6 @@ dontaudit init_citadel vndbinder_device:chr_file { write };
 # b/205779736
 dontaudit init_citadel citadel_updater:file { execute_no_trans };
 dontaudit init_citadel vendor_toolbox_exec:file { execute_no_trans };
+# b/205904401
+dontaudit init_citadel citadeld:binder { call };
+dontaudit init_citadel vndservicemanager:binder { call };
diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te
index 09e2f0ed..234242dd 100644
--- a/tracking_denials/mediacodec_samsung.te
+++ b/tracking_denials/mediacodec_samsung.te
@@ -8,3 +8,6 @@ dontaudit mediacodec_samsung vndbinder_device:chr_file { map };
 dontaudit mediacodec_samsung vndbinder_device:chr_file { open };
 dontaudit mediacodec_samsung vndbinder_device:chr_file { read };
 dontaudit mediacodec_samsung vndbinder_device:chr_file { write };
+# b/205904381
+dontaudit mediacodec_samsung vndservicemanager:binder { call };
+dontaudit mediacodec_samsung vndservicemanager:binder { transfer };
diff --git a/tracking_denials/nfc.te b/tracking_denials/nfc.te
new file mode 100644
index 00000000..3e17ff52
--- /dev/null
+++ b/tracking_denials/nfc.te
@@ -0,0 +1,2 @@
+# b/205904208
+dontaudit nfc zygote:binder { transfer };
diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te
new file mode 100644
index 00000000..96c305a5
--- /dev/null
+++ b/tracking_denials/pixelstats_vendor.te
@@ -0,0 +1,2 @@
+# b/205904433
+dontaudit pixelstats_vendor servicemanager:binder { call };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index 6e1b0e1c..0efc45bd 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
@@ -1,2 +1,4 @@
 # b/204718221
 dontaudit platform_app touch_service:service_manager { find };
+# b/205904327
+dontaudit platform_app hal_wlc:binder { call };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 450db67c..cee32be8 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -4,3 +4,6 @@ dontaudit priv_app hal_exynos_rild_hwservice:hwservice_manager { find };
 dontaudit priv_app vendor_default_prop:file { getattr };
 dontaudit priv_app vendor_default_prop:file { map };
 dontaudit priv_app vendor_default_prop:file { open };
+# b/205904553
+dontaudit priv_app rild:binder { call };
+dontaudit priv_app rild:binder { transfer };
diff --git a/tracking_denials/rfsd.te b/tracking_denials/rfsd.te
new file mode 100644
index 00000000..bf921ff4
--- /dev/null
+++ b/tracking_denials/rfsd.te
@@ -0,0 +1,3 @@
+# b/205904361
+dontaudit rfsd rfsd:capability { chown };
+dontaudit rfsd rfsd:capability { setuid };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
index 875d5d24..532083f3 100644
--- a/tracking_denials/rild.te
+++ b/tracking_denials/rild.te
@@ -4,3 +4,8 @@ dontaudit rild vendor_persist_config_default_prop:file { getattr };
 dontaudit rild vendor_persist_config_default_prop:file { map };
 dontaudit rild vendor_persist_config_default_prop:file { open };
 dontaudit rild vendor_persist_config_default_prop:file { read };
+# b/205904441
+dontaudit rild hal_secure_element_uicc:binder { call };
+dontaudit rild priv_app:binder { call };
+dontaudit rild vendor_ims_app:binder { call };
+dontaudit rild vendor_rcs_app:binder { call };
diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te
index 2231fbb5..ba5e07a8 100644
--- a/tracking_denials/rlsservice.te
+++ b/tracking_denials/rlsservice.te
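Review bot: `dontaudit rfsd rfsd:capability { chown }` and `{ setuid }` silence a capability check instead of resolving it, and the same shape appears for `tee tee:capability { setgid setuid }` in the next hunk group and for `hal_uwb_vendor_default:capability { net_admin }` further down this series. A capability denial means the daemon really attempted a privileged operation, and once the audit is gone there is no signal whether it still does or whether a later policy change starts letting it succeed. If the daemon needs the capability the honest form is an explicit `allow` with a comment on why; if it does not, the daemon's code path is what to fix. Until one of those happens the entry should read as temporary, e.g. `# TODO(b/205904361): remove once rfsd no longer needs chown/setuid (suspected privilege drop at startup — confirm)`.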
@@ -14,3 +14,6 @@ dontaudit rlsservice apex_info_file:file { getattr };
 dontaudit rlsservice apex_info_file:file { open };
 dontaudit rlsservice apex_info_file:file { read };
 dontaudit rlsservice apex_info_file:file { watch };
+# b/205904324
+dontaudit rlsservice vndservicemanager:binder { call };
+dontaudit rlsservice vndservicemanager:binder { transfer };
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
new file mode 100644
index 00000000..ed7eefbb
--- /dev/null
+++ b/tracking_denials/servicemanager.te
@@ -0,0 +1,4 @@
+# b/205904207
+dontaudit servicemanager citadeld:binder { call };
+dontaudit servicemanager hal_camera_default:binder { call };
+dontaudit servicemanager hal_fingerprint_default:binder { call };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
new file mode 100644
index 00000000..03229278
--- /dev/null
+++ b/tracking_denials/system_server.te
@@ -0,0 +1,2 @@
+# b/205904404
+dontaudit system_server zygote:binder { call };
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
new file mode 100644
index 00000000..e20f6584
--- /dev/null
+++ b/tracking_denials/tee.te
@@ -0,0 +1,3 @@
+# b/205904330
+dontaudit tee tee:capability { setgid };
+dontaudit tee tee:capability { setuid };
diff --git a/tracking_denials/vendor_ims_app.te b/tracking_denials/vendor_ims_app.te
index 2695c9c8..9ef9ca82 100644
--- a/tracking_denials/vendor_ims_app.te
+++ b/tracking_denials/vendor_ims_app.te
@@ -1,2 +1,5 @@
 # b/205780067
 dontaudit vendor_ims_app radio_service:service_manager { find };
+# b/205904439
+dontaudit vendor_ims_app rild:binder { call };
+dontaudit vendor_ims_app rild:binder { transfer };
diff --git a/tracking_denials/vendor_rcs_app.te b/tracking_denials/vendor_rcs_app.te
index bc5dcaae..7c6042eb 100644
--- a/tracking_denials/vendor_rcs_app.te
+++ b/tracking_denials/vendor_rcs_app.te
@@ -1,2 +1,5 @@
 # b/205779581
 dontaudit vendor_rcs_app radio_service:service_manager { find };
+# b/205904435
+dontaudit vendor_rcs_app rild:binder { call };
+dontaudit vendor_rcs_app rild:binder { transfer };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
index c9fd8bba..7ec594d4 100644
--- a/tracking_denials/zygote.te
+++ b/tracking_denials/zygote.te
@@ -6,3 +6,9 @@ dontaudit zygote default_android_service:service_manager { find };
 dontaudit zygote game_service:service_manager { find };
 dontaudit zygote nfc_service:service_manager { find };
 dontaudit zygote radio_service:service_manager { find };
+# b/205904384
+dontaudit zygote adbd:unix_stream_socket { connectto };
+dontaudit zygote nfc:binder { call };
+dontaudit zygote servicemanager:binder { call };
+dontaudit zygote system_server:binder { call };
+dontaudit zygote system_server:binder { transfer };
From b4393a0bf3cfe50ed22c2cf6624963c383498c90 Mon Sep 17 00:00:00 2001
From: Joseph Jang
Date: Wed, 10 Nov 2021 17:03:27 +0800
Subject: [PATCH 154/900] Fix SELinux error coming from hal_identity_citadel
Bug: 205657024
Change-Id: Ic23b631eb63cf13ba7e08215590e73386d2a3126
---
 dauntless/hal_identity_citadel.te | 7 +++++--
 tracking_denials/hal_identity_citadel.te | 8 --------
 2 files changed, 5 insertions(+), 10 deletions(-)
 delete mode 100644 tracking_denials/hal_identity_citadel.te
diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te
index 038a4c58..e29310c3 100644
--- a/dauntless/hal_identity_citadel.te
+++ b/dauntless/hal_identity_citadel.te
@@ -1,6 +1,9 @@
 type hal_identity_citadel, domain;
 type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_identity_citadel)
-hal_server_domain(hal_identity_citadel, hal_identity)
+vndbinder_use(hal_identity_citadel)
+binder_call(hal_identity_citadel, citadeld)
 allow hal_identity_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_identity_citadel, hal_identity)
+init_daemon_domain(hal_identity_citadel)
diff --git a/tracking_denials/hal_identity_citadel.te b/tracking_denials/hal_identity_citadel.te
deleted file mode 100644
index dd1af9bf..00000000
--- a/tracking_denials/hal_identity_citadel.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# b/205657024
-dontaudit hal_identity_citadel vndbinder_device:chr_file { ioctl };
-dontaudit hal_identity_citadel vndbinder_device:chr_file { map };
-dontaudit hal_identity_citadel vndbinder_device:chr_file { open };
-dontaudit hal_identity_citadel vndbinder_device:chr_file { read };
-dontaudit hal_identity_citadel vndbinder_device:chr_file { write };
-# b/205904552
-dontaudit hal_identity_citadel vndservicemanager:binder { call };
From 830fa53e9f3a7e1213d50d25d208e817cf75d884 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 12 Nov 2021 09:53:28 +0800
Subject: [PATCH 155/900] update error on ROM 7908395
Bug: 206045367
Bug: 206045604
Bug: 206045368
Bug: 206045605
Bug: 206045471
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I8b1a0ae9686f47d684428bb79650a7bb0dfe9904
---
 tracking_denials/hal_uwb_vendor_default.te | 4 ++++
 tracking_denials/logger_app.te | 9 +++++++++
 tracking_denials/system_server.te | 2 ++
 tracking_denials/vendor_init.te | 5 +++++
 tracking_denials/zygote.te | 10 ++++++++++
 5 files changed, 30 insertions(+)
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
index 2aa2dea0..7fd11e03 100644
--- a/tracking_denials/hal_uwb_vendor_default.te
+++ b/tracking_denials/hal_uwb_vendor_default.te
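Review bot: The rewritten dauntless/hal_identity_citadel.te moves `hal_server_domain` and `init_daemon_domain` below the `citadeld_service` find rule and adds `vndbinder_use`/`binder_call` with no comment on what the HAL reaches over vndbinder; the sibling dauntless/hal_keymint_citadel.te later in this series keeps the domain macros at the top, so the two citadel HAL files end up in opposite orders. Keeping type declarations, then domain macros, then access rules, with a line such as `# Talks to citadeld over vndbinder` above the two new macros, would make the dauntless HAL files read alike.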
@@ -1,2 +1,6 @@
 # b/204718220
 dontaudit hal_uwb_vendor_default default_android_service:service_manager { add };
+# b/206045367
+dontaudit hal_uwb_vendor_default hal_uwb_vendor_default:capability { net_admin };
+dontaudit hal_uwb_vendor_default zygote:binder { call };
+dontaudit hal_uwb_vendor_default zygote:binder { transfer };
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index e9513bad..134ed8db 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
@@ -13,3 +13,12 @@ dontaudit logger_app radio_vendor_data_file:dir { search };
 dontaudit logger_app radio_vendor_data_file:dir { setattr };
 dontaudit logger_app radio_vendor_data_file:dir { write };
 dontaudit logger_app radio_vendor_data_file:file { unlink };
+# b/206045604
+dontaudit logger_app radio_vendor_data_file:dir { add_name };
+dontaudit logger_app radio_vendor_data_file:dir { create };
+dontaudit logger_app radio_vendor_data_file:dir { rmdir };
+dontaudit logger_app radio_vendor_data_file:file { create };
+dontaudit logger_app radio_vendor_data_file:file { getattr };
+dontaudit logger_app radio_vendor_data_file:file { setattr };
+dontaudit logger_app radio_vendor_data_file:file { write open };
+dontaudit logger_app vendor_gps_file:dir { search };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index 03229278..a00372c9 100644
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
@@ -1,2 +1,4 @@
 # b/205904404
 dontaudit system_server zygote:binder { call };
+# b/206045368
+dontaudit system_server zygote:binder { transfer };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index ae8feca2..69593d59 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -3,3 +3,8 @@ dontaudit vendor_init vendor_nfc_prop:property_service { set };
 dontaudit vendor_init vendor_secure_element_prop:property_service { set };
 # b/205656950
 dontaudit vendor_init thermal_link_device:file { create };
+# b/206045605
+dontaudit vendor_init vendor_modem_prop:file { getattr };
+dontaudit vendor_init vendor_modem_prop:file { map };
+dontaudit vendor_init vendor_modem_prop:file { open };
+dontaudit vendor_init vendor_modem_prop:file { read };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
index 7ec594d4..328a954b 100644
--- a/tracking_denials/zygote.te
+++ b/tracking_denials/zygote.te
@@ -12,3 +12,13 @@ dontaudit zygote nfc:binder { call };
 dontaudit zygote servicemanager:binder { call };
 dontaudit zygote system_server:binder { call };
 dontaudit zygote system_server:binder { transfer };
+# b/206045471
+dontaudit zygote hal_uwb_vendor_default:binder { call };
+dontaudit zygote hal_uwb_vendor_default:binder { transfer };
+dontaudit zygote radio:binder { call };
+dontaudit zygote user_profile_data_file:file { getattr };
+dontaudit zygote vendor_file:file { execute };
+dontaudit zygote vendor_file:file { getattr };
+dontaudit zygote vendor_file:file { map };
+dontaudit zygote vendor_file:file { open };
+dontaudit zygote vendor_file:file { read };
From 5ff0c059b3c2a6e19ccc23b494ecc5b78146707d Mon Sep 17 00:00:00 2001
From: Long Ling
Date: Mon, 25 Oct 2021 14:15:56 -0700
Subject: [PATCH 156/900] sepolicy: gs201: update label for hwc3 service
Bug: 201321174
Change-Id: I5ecce6c513eecad22a463d52b7cfb718284f3c02
---
 whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index f8414aed..c87ff4a3 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
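Review bot: `dontaudit zygote vendor_file:file { execute }` together with the zygote↔`hal_uwb_vendor_default` binder lines suppresses system/vendor boundary crossings without recording why they happen; zygote executing a file under /vendor, or a vendor HAL exchanging binder with zygote, is normally the symptom of a process running in the wrong domain rather than a harmless noise denial. Before this is silenced the log should be traced to the path and the process involved — a vendor executable spawned by zygote without a domain transition is the usual cause, though this hunk does not show it. A comment capturing that triage, e.g. `# b/206045471: vendor_file execute observed from zygote; suspected missing domain transition, do not convert to allow`, would keep a later cleanup from turning these lines into grants.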
@@ -24,6 +24,7 @@
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0
+/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
From d99197dd196dd31b056abaeb6e19be843089f59a Mon Sep 17 00:00:00 2001
From: Jenny Ho
Date: Mon, 8 Nov 2021 21:28:19 +0800
Subject: [PATCH 157/900] enable battery information dump
Bug: 205071645
Signed-off-by: Jenny Ho
Change-Id: If811765d51add03d8d7a1f5e8276d2f56c7922a7
---
 whitechapel_pro/file_contexts | 8 ++++++++
 whitechapel_pro/genfs_contexts | 3 +++
 2 files changed, 11 insertions(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index c87ff4a3..0fbd6f89 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -76,6 +76,14 @@
 /dev/logbuffer_maxq u:object_r:logbuffer_device:s0
 /dev/logbuffer_rtx u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
 /dev/bbd_pwrstat u:object_r:power_stats_device:s0
 /dev/lwis-act-ak7377 u:object_r:lwis_device:s0
 /dev/lwis-act-ak7377-imx386 u:object_r:lwis_device:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 9714258a..dd765717 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -87,3 +87,6 @@ genfscon debugfs /google_charger u:object
 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
+# C10 battery
+genfscon sysfs /sys/devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+
From 014051a9f71a551fc8713d7b9aedb76f2e4fcfce Mon Sep 17 00:00:00 2001
From: Jenny Ho
Date: Tue, 9 Nov 2021 17:27:48 +0800
Subject: [PATCH 158/900] create hal_health_default.te for Battery Defender access file node
Bug: 205073003
Signed-off-by: Jenny Ho
Change-Id: I946b85e8b595601f56df26c567d31df76f7a5a5b
---
 tracking_denials/hal_health_default.te | 9 ---------
 whitechapel_pro/hal_health_default.te | 1 +
 2 files changed, 1 insertion(+), 9 deletions(-)
 create mode 100644 whitechapel_pro/hal_health_default.te
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
index bd55c270..93ffd671 100644
--- a/tracking_denials/hal_health_default.te
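Review bot: The new `genfscon sysfs .../i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0` line labels an EEPROM node with the shared battery-info type, and the `# C10 battery` comment does not say what the node contains. `sysfs_batteryinfo` is a type the platform policy hands to more than the health HAL (my recollection — confirm which domains can read it), so whatever else that EEPROM holds, calibration or serial data for instance, becomes readable to the same set; if the part exposes only battery data that is fine and the comment should say so, e.g. `# C10 battery: pack EEPROM read for the battery information dump (b/205071645); holds battery data only`. If it holds more, a dedicated type restricted to the dumper would be the safer label. The hunk also adds a trailing empty line after the new rule, which the surrounding sections do not have.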
+++ b/tracking_denials/hal_health_default.te
@@ -1,12 +1,3 @@
-# b/205073003
-dontaudit hal_health_default vendor_battery_defender_prop:file { getattr };
-dontaudit hal_health_default vendor_battery_defender_prop:file { map };
-dontaudit hal_health_default vendor_battery_defender_prop:file { open };
-dontaudit hal_health_default vendor_battery_defender_prop:file { read };
-dontaudit hal_health_default vendor_battery_defender_prop:property_service { set };
 # b/205779737
 dontaudit hal_health_default mnt_vendor_file:dir { search };
 dontaudit hal_health_default persist_file:dir { search };
-# b/205904402
-dontaudit hal_health_default init:unix_stream_socket { connectto };
-dontaudit hal_health_default property_socket:sock_file { write };
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
new file mode 100644
index 00000000..0befac1b
--- /dev/null
+++ b/whitechapel_pro/hal_health_default.te
@@ -0,0 +1 @@
+set_prop(hal_health_default, vendor_battery_defender_prop)
From 8e6af6f9add3ce626337a85105baa0bd1cf31968 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 15 Nov 2021 10:28:38 +0800
Subject: [PATCH 159/900] update error on ROM 7914295
Bug: 206331617
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I3dcd875e127ff1d53554eb419259e8721c2ae628
---
 tracking_denials/zygote.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
index 328a954b..7f3db4ec 100644
--- a/tracking_denials/zygote.te
+++ b/tracking_denials/zygote.te
@@ -22,3 +22,5 @@ dontaudit zygote vendor_file:file { getattr };
 dontaudit zygote vendor_file:file { map };
 dontaudit zygote vendor_file:file { open };
 dontaudit zygote vendor_file:file { read };
+# b/206331617
+dontaudit zygote servicemanager:binder { transfer };
From 1053cee4196814bf8e63ce6a410cc77a59467a37 Mon Sep 17 00:00:00 2001
From: chenpaul
Date: Wed, 10 Nov 2021 14:14:53 +0800
Subject: [PATCH 160/900] Wifi: Add sepolicy files for hal_wifi_ext service avc denied log: avc: denied { search } for comm="wifi_ext@1.0-se" name="wifi" dev="dm-43" ino=365 scontext=u:r:hal_wifi_ext:s0 tcontext=u:object_r:updated_wifi_firmware_data_file:s0 tclass=dir permissive=1
Bug: 205779850
Test: pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest #scanAvcDeniedLogRightAfterReboot
Change-Id: I0c41193b2b9c6a596f142f02c6fee4665fbf2011
---
 tracking_denials/hal_wifi_ext.te | 2 --
 whitechapel_pro/hal_wifi_ext.te | 4 ++++
 2 files changed, 4 insertions(+), 2 deletions(-)
 delete mode 100644 tracking_denials/hal_wifi_ext.te
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te
deleted file mode 100644
index 84b8edfd..00000000
--- a/tracking_denials/hal_wifi_ext.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205779850
-dontaudit hal_wifi_ext updated_wifi_firmware_data_file:dir { search };
diff --git a/whitechapel_pro/hal_wifi_ext.te b/whitechapel_pro/hal_wifi_ext.te
index 659239e8..9b52d7aa 100644
--- a/whitechapel_pro/hal_wifi_ext.te
+++ b/whitechapel_pro/hal_wifi_ext.te
@@ -3,3 +3,7 @@ binder_call(hal_wifi_ext, grilservice_app)
 # Write wlan driver/fw version into property
 set_prop(hal_wifi_ext, vendor_wifi_version)
+
+# Allow wifi_ext to read and write /data/vendor/firmware/wifi
+allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;
+allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms;
From 8423a70e124a21d58a5abd84fbdd49d3a79e2d85 Mon Sep 17 00:00:00 2001
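Review bot: The two new `allow hal_wifi_ext updated_wifi_firmware_data_file` rules grant far more than the denial quoted in the commit message, which shows only `search` on the directory; `rw_dir_perms` plus `create_file_perms` lets the service create, rewrite and unlink files under /data/vendor/firmware/wifi. If that directory is where the wifi driver picks up updated firmware — the type name suggests so, nothing here confirms it — write access amounts to choosing the firmware image the kernel loads, so it should be granted only if the service genuinely writes there, and the comment should say what it writes and why. If it only reads, `allow hal_wifi_ext updated_wifi_firmware_data_file:dir r_dir_perms;` and `allow hal_wifi_ext updated_wifi_firmware_data_file:file r_file_perms;` cover the logged denial.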
From: Leo Liou
Date: Mon, 15 Nov 2021 14:33:57 +0800
Subject: [PATCH 161/900] sepolicy: hal_health_default: fix avc denied logs avc: denied { search } for comm="health@2.1-serv" name="/" dev="sda1" ino=3 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 avc: denied { search } for name="/" dev="sda1" ino=3 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 avc: denied { search } for name="vendor" dev="tmpfs" ino=2 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 avc: denied { search } for comm="health@2.1-serv" name="vendor" dev="tmpfs" ino=2 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1
Bug: 205779737
Test: local build pass
Change-Id: I2be76d97e35bff4e22075641b9031872d628e980
Signed-off-by: Leo Liou
---
 tracking_denials/hal_health_default.te | 3 ---
 whitechapel_pro/hal_health_default.te | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)
 delete mode 100644 tracking_denials/hal_health_default.te
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
deleted file mode 100644
index 93ffd671..00000000
--- a/tracking_denials/hal_health_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/205779737
-dontaudit hal_health_default mnt_vendor_file:dir { search };
-dontaudit hal_health_default persist_file:dir { search };
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index 0befac1b..bdac85ac 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
@@ -1 +1,4 @@
+allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default persist_file:dir search;
+
 set_prop(hal_health_default, vendor_battery_defender_prop)
From 94f78934d92db2c9bdff9f716fdf99702d47ce0c Mon Sep 17 00:00:00 2001
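Review bot: The two new `search` rules on `mnt_vendor_file` and `persist_file` carry no comment saying what under /mnt/vendor/persist the health HAL is traversing to, and `search` only gets it through the directories; whatever file it reads there needs its own labeled type and rule, or it surfaces as the next denial. The quoted logs show only the directory searches, so I cannot tell from here whether that target is already granted elsewhere. A comment naming the path, e.g. `# Traverse /mnt/vendor/persist to reach the battery data file (path: TODO confirm)`, and a check that the target file type is labeled and allowed would make the change complete.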
From: Tommy Chiu
Date: Mon, 15 Nov 2021 10:47:46 +0000
Subject: [PATCH 162/900] Keymint: Fix SELinux denial Also remove -dontaudit- configuration.
Bug: 205073229
Bug: 205655569
Bug: 205904323
Change-Id: If8de3b4e6ee01488fdd563b702fbba1bd7c73ef0
---
 dauntless/hal_keymint_citadel.te | 7 ++++---
 tracking_denials/hal_keymint_citadel.te | 14 --------------
 2 files changed, 4 insertions(+), 17 deletions(-)
 delete mode 100644 tracking_denials/hal_keymint_citadel.te
diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keym  int_citadel.te
index 29f528f1..e1a6177d 100644
--- a/dauntless/hal_keymint_citadel.te
+++ b/dauntless/hal_keymint_citadel.te
@@ -1,8 +1,9 @@
 type hal_keymint_citadel, domain;
 type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_keymint_citadel)
-
 hal_server_domain(hal_keymint_citadel, hal_keymint)
-
+init_daemon_domain(hal_keymint_citadel)
+vndbinder_use(hal_keymint_citadel)
+get_prop(hal_keymint_citadel, vendor_security_patch_level_prop)
 allow hal_keymint_citadel citadeld_service:service_manager find;
+binder_call(hal_keymint_citadel, citadeld)
diff --git a/tracking_denials/hal_keymint_citadel.te b/tracking_denials/hal_keymint_citadel.te
deleted file mode 100644
index 6d19e0e5..00000000
--- a/tracking_denials/hal_keymint_citadel.te
+++ /dev/null
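Review bot: `get_prop(hal_keymint_citadel, vendor_security_patch_level_prop)` and `binder_call(hal_keymint_citadel, citadeld)` are added without a comment, and the file now interleaves macros and raw rules (the `binder_call` lands after the `citadeld_service` find while `vndbinder_use` sits above it). Grouping the citadeld access together and stating the purpose would read better, e.g. `# Reach citadeld over vndbinder; the vendor security patch level is presumably reported in KeyMint attestation` — the attestation reason is my inference, confirm before writing it. The ordering also differs from dauntless/hal_identity_citadel.te earlier in this series, which moves the domain macros to the end; one convention should win across the dauntless HAL files.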
@@ -1,14 +0,0 @@
-# b/205073229
-dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { getattr };
-dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { map };
-dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { open };
-dontaudit hal_keymint_citadel vendor_security_patch_level_prop:file { read };
-# b/205655569
-dontaudit hal_keymint_citadel vndbinder_device:chr_file { ioctl };
-dontaudit hal_keymint_citadel vndbinder_device:chr_file { map };
-dontaudit hal_keymint_citadel vndbinder_device:chr_file { open };
-dontaudit hal_keymint_citadel vndbinder_device:chr_file { read };
-dontaudit hal_keymint_citadel vndbinder_device:chr_file { write };
-# b/205904323
-dontaudit hal_keymint_citadel citadeld:binder { call };
-dontaudit hal_keymint_citadel vndservicemanager:binder { call };
From 2ef225b9c57732e41fb07a309db9bb2641bb5fa9 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 15 Nov 2021 11:36:24 +0800
Subject: [PATCH 163/900] label oemrilservice_app and grant relevant permission 11-15 11:32:41.059 442 442 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:oemrilservice_app:s0:c195,c256,c512,c768 pid=1866 scontext=u:r:oemrilservice_app:s0:c195,c256,c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=1 11-15 11:32:41.060 1013 1013 I rild_exynos: type=1400 audit(0.0:5): avc: denied { call } for scontext=u:r:rild:s0 tcontext=u:r:oemrilservice_app:s0:c195,c256,c512,c768 tclass=binder permissive=1 11-15 11:32:41.368 1013 1013 I rild_exynos: type=1400 audit(0.0:6): avc: denied { call } for scontext=u:r:rild:s0 tcontext=u:r:oemrilservice_app:s0:c195,c256,c512,c768 tclass=binder permissive=1 11-15 11:32:41.890 441 441 E SELinux : avc: denied { find } for pid=1866 uid=10195 name=isub scontext=u:r:oemrilservice_app:s0:c195,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1
Bug: 205904553
Bug: 205073117
Bug: 204718782
Bug: 205904441
Test: boot with no relevant error log
Change-Id: I258aa58b4d3c95b901405e9181138c0d68c2b154
---
 tracking_denials/priv_app.te | 9 ---------
 tracking_denials/rild.te | 1 -
 whitechapel_pro/oemrilservice_app.te | 8 ++++++++
 whitechapel_pro/rild.te | 1 +
 whitechapel_pro/seapp_contexts | 1 +
 5 files changed, 10 insertions(+), 10 deletions(-)
 delete mode 100644 tracking_denials/priv_app.te
 create mode 100644 whitechapel_pro/oemrilservice_app.te
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
deleted file mode 100644
index cee32be8..00000000
--- a/tracking_denials/priv_app.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# b/204718782
-dontaudit priv_app hal_exynos_rild_hwservice:hwservice_manager { find };
-# b/205073117
-dontaudit priv_app vendor_default_prop:file { getattr };
-dontaudit priv_app vendor_default_prop:file { map };
-dontaudit priv_app vendor_default_prop:file { open };
-# b/205904553
-dontaudit priv_app rild:binder { call };
-dontaudit priv_app rild:binder { transfer };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
index 532083f3..312cca32 100644
--- a/tracking_denials/rild.te
+++ b/tracking_denials/rild.te
@@ -6,6 +6,5 @@ dontaudit rild vendor_persist_config_default_prop:file { open };
 dontaudit rild vendor_persist_config_default_prop:file { read };
 # b/205904441
 dontaudit rild hal_secure_element_uicc:binder { call };
-dontaudit rild priv_app:binder { call };
 dontaudit rild vendor_ims_app:binder { call };
 dontaudit rild vendor_rcs_app:binder { call };
diff --git a/whitechapel_pro/oemrilservice_app.te b/whitechapel_pro/oemrilservice_app.te
new file mode 100644
index 00000000..f11162dd
--- /dev/null
+++ b/whitechapel_pro/oemrilservice_app.te
@@ -0,0 +1,8 @@
+type oemrilservice_app, domain;
+app_domain(oemrilservice_app)
+
+allow oemrilservice_app app_api_service:service_manager find;
+allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow oemrilservice_app radio_service:service_manager find;
+
+binder_call(oemrilservice_app, rild)
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index 5f049d0c..c931a996 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -18,6 +18,7 @@ binder_call(rild, bipchmgr)
 binder_call(rild, gpsd)
 binder_call(rild, hal_audio_default)
 binder_call(rild, modem_svc_sit)
+binder_call(rild, oemrilservice_app)
 # for hal service
 add_hwservice(rild, hal_exynos_rild_hwservice)
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 00cf0c5b..f7880eab 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
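Review bot: The new `oemrilservice_app` domain has no comment on what the app is or why it needs `hal_exynos_rild_hwservice` and `radio_service`, and the `vendor_default_prop:file` entries deleted from tracking_denials/priv_app.te (b/205073117) have no counterpart in it. If those property reads came from the same package — plausible, since it was the priv_app talking to rild, but this hunk does not show it — they will reappear as denials in the new domain, so either `get_prop(oemrilservice_app, vendor_default_prop)` is missing or the bug should be closed with that reasoning. A header such as `# OEM RIL service app (com.samsung.slsi.telephony.oemril): vendor-side radio extension client of rild` would help the next reader. The hunk defines the whole new file.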
@@ -4,6 +4,7 @@ user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_re
 user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
+user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
 # Hardware Info Collection
 user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
From d66ba1bd25d70622a71edf27b6855d334090e584 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 15 Nov 2021 11:54:46 +0800
Subject: [PATCH 164/900] allow system ui to call hal_wlc
Bug: 205904327
Test: Boot with no relevant error log
Change-Id: Ieeb3a27266055ead7fd8e0bb5aaa85c4137bccef
---
 tracking_denials/platform_app.te | 2 --
 whitechapel_pro/platform_app.te | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index 0efc45bd..6e1b0e1c 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
@@ -1,4 +1,2 @@
 # b/204718221
 dontaudit platform_app touch_service:service_manager { find };
-# b/205904327
-dontaudit platform_app hal_wlc:binder { call };
diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te
index 6ba51af9..298ff8fd 100644
--- a/whitechapel_pro/platform_app.te
+++ b/whitechapel_pro/platform_app.te
@@ -6,3 +6,5 @@ get_prop(platform_app, fingerprint_ghbm_prop)
 # allow systemui to set boot animation colors
 set_prop(platform_app, bootanim_system_prop);
+
+binder_call(platform_app, hal_wlc)
From af53f729cfc3532af415241f2e3785c72f6bf4f8 Mon Sep 17 00:00:00 2001
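Review bot: The new seapp_contexts entry maps `com.samsung.slsi.telephony.oemril` into `oemrilservice_app` by package name with `isPrivApp=true` and no `seinfo=`, so the match rests on the package being installed as a privileged app rather than on its signing certificate. That is the same shape as the neighbouring shannon entries, so it is consistent, but for a domain that gets direct binder access to rild it is worth confirming the package only ships on the vendor partition; if a signing key is available in mac_permissions, keying the entry on `seinfo=` as well would tie the domain to the certificate.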
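Review bot: `binder_call(platform_app, hal_wlc)` gives every platform-signed app in the `platform_app` domain a binder path to the wireless-charging HAL, although the commit title names only System UI as the caller. The neighbouring rules each carry a one-line purpose comment (`# allow systemui to set boot animation colors`), and the new rule should too, e.g. `# allow systemui to query hal_wlc`; if System UI ever gets its own domain, this is the rule to move there. The file continues outside the hunk.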
From: Adam Shih
Date: Mon, 15 Nov 2021 13:44:23 +0800
Subject: [PATCH 165/900] allow kernel to access firmware and zram
Bug: 205780090
Test: boot with no relevant error log
Change-Id: I272d9babfb0283e46cfc2e65e0bb85323bf8b7a2
---
 tracking_denials/kernel.te | 5 -----
 whitechapel_pro/kernel.te | 6 ++++++
 2 files changed, 6 insertions(+), 5 deletions(-)
 delete mode 100644 tracking_denials/kernel.te
 create mode 100644 whitechapel_pro/kernel.te
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
deleted file mode 100644
index 23a733c6..00000000
--- a/tracking_denials/kernel.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/205780090
-dontaudit kernel per_boot_file:file { read };
-dontaudit kernel vendor_fw_file:dir { search };
-dontaudit kernel vendor_fw_file:file { open };
-dontaudit kernel vendor_fw_file:file { read };
diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
new file mode 100644
index 00000000..0958ba11
--- /dev/null
+++ b/whitechapel_pro/kernel.te
@@ -0,0 +1,6 @@
+allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:file r_file_perms;
+ # ZRam
+allow kernel per_boot_file:file r_file_perms;
+
From 32db046e67cc3e904146abf8fc1ef4839454f538 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 16 Nov 2021 11:02:46 +0800
Subject: [PATCH 166/900] suppress bootanim android watch behavior on phones
Bug: 205780088
Test: boot with no relevant error log
Change-Id: Ic928d3212a016984ff31f358486109022d82b1ee
---
 tracking_denials/bootanim.te | 9 ---------
 whitechapel_pro/bootanim.te | 5 +++++
 2 files changed, 5 insertions(+), 9 deletions(-)
 delete mode 100644 tracking_denials/bootanim.te
 create mode 100644 whitechapel_pro/bootanim.te
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
deleted file mode 100644
index c2252620..00000000
--- a/tracking_denials/bootanim.te
+++ /dev/null
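Review bot: In the new whitechapel_pro/kernel.te the `vendor_fw_file` rules carry no comment and `# ZRam` does not say why the kernel needs `per_boot_file`. Both grants are to the `kernel` domain itself, so each deserves a sentence: `# Kernel firmware loader reads /vendor/firmware (request_firmware path — confirm)` above the first pair and `# ZRAM: kernel reads the per-boot file, presumably the writeback/backing-device key — confirm` above the second. The trailing empty line at the end of the new file can go.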
@@ -1,9 +0,0 @@
-# b/205780088
-dontaudit bootanim system_data_file:dir { read };
-dontaudit bootanim system_data_file:dir { search };
-dontaudit bootanim system_data_file:dir { watch };
-dontaudit bootanim vendor_file:file { execute };
-dontaudit bootanim vendor_file:file { getattr };
-dontaudit bootanim vendor_file:file { map };
-dontaudit bootanim vendor_file:file { open };
-dontaudit bootanim vendor_file:file { read };
diff --git a/whitechapel_pro/bootanim.te b/whitechapel_pro/bootanim.te
new file mode 100644
index 00000000..7b3019df
--- /dev/null
+++ b/whitechapel_pro/bootanim.te
@@ -0,0 +1,5 @@
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on phones since this functionality is not used.
+dontaudit bootanim system_data_file:dir r_dir_perms;
From bc651b87ce21723d45b4cdf1080ea4a7314286ac Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 16 Nov 2021 11:37:38 +0800
Subject: [PATCH 167/900] let citadel and camera hal use binder
Bug: 205904207
Test: boot with no relevant error log
Change-Id: I0544f0ea645c5e594279bfda5aef4714c7929d26
---
 dauntless/citadeld.te | 1 +
 tracking_denials/citadeld.te | 2 --
 tracking_denials/hal_camera_default.te | 2 --
 tracking_denials/servicemanager.te | 2 --
 whitechapel_pro/hal_camera_default.te | 1 +
 5 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
index 19749e36..f170c97b 100644
--- a/dauntless/citadeld.te
+++ b/dauntless/citadeld.te
@@ -4,6 +4,7 @@ type citadeld_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(citadeld)
 add_service(citadeld, citadeld_service)
+binder_use(citadeld)
 allow citadeld fwk_stats_service:service_manager find;
 allow citadeld hal_power_stats_vendor_service:service_manager find;
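Review bot: The deleted `tracking_denials/bootanim.te` also suppressed `bootanim vendor_file:file { execute getattr map open read }` under the same bug, but the new `whitechapel_pro/bootanim.te` neither allows nor dontaudits those, so if bootanim still touches vendor_file the denials now surface and are enforced. If dropping them is deliberate, the commit message should say so; otherwise keep them tracked or grant what the animation actually needs. Note also that `r_dir_perms` suppresses more than the three observed `read search watch` operations, which is acceptable for a dontaudit but worth a word in the comment, e.g. `# covers the read/search/watch seen on /data/system`.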
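Review bot: `binder_use(citadeld)` is added without a comment, while the `tracking_denials/citadeld.te` hunk that follows still suppresses `vndbinder_device` and `vndservicemanager` denials for the same daemon, so the policy now grants framework binder yet keeps hiding vendor-binder attempts; it should be stated which one citadeld is meant to use. Suggest `# b/205904207: citadeld registers citadeld_service with servicemanager over /dev/binder` above the macro, which follows from the `add_service(citadeld, citadeld_service)` line just above it. The same applies to `binder_use(hal_camera_default)` in this commit's whitechapel_pro/hal_camera_default.te hunk, where `system_server:binder { call }` stays dontaudited in the tracking file.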
diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te
index a6a36f1e..32621376 100644
--- a/tracking_denials/citadeld.te
+++ b/tracking_denials/citadeld.te
@@ -9,8 +9,6 @@ dontaudit citadeld vndbinder_device:chr_file { open };
 dontaudit citadeld vndbinder_device:chr_file { read };
 dontaudit citadeld vndbinder_device:chr_file { write };
 # b/205904322
-dontaudit citadeld servicemanager:binder { call };
-dontaudit citadeld servicemanager:binder { transfer };
 dontaudit citadeld system_server:binder { call };
 dontaudit citadeld vndservicemanager:binder { call };
 dontaudit citadeld vndservicemanager:binder { transfer };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 451ff93a..5520f0b4 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -47,6 +47,4 @@ dontaudit hal_camera_default hal_power_default:binder { call };
 dontaudit hal_camera_default hal_radioext_default:binder { call };
 dontaudit hal_camera_default init:unix_stream_socket { connectto };
 dontaudit hal_camera_default property_socket:sock_file { write };
-dontaudit hal_camera_default servicemanager:binder { call };
-dontaudit hal_camera_default servicemanager:binder { transfer };
 dontaudit hal_camera_default system_server:binder { call };
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
index ed7eefbb..9ce026bc 100644
--- a/tracking_denials/servicemanager.te
+++ b/tracking_denials/servicemanager.te
@@ -1,4 +1,2 @@
 # b/205904207
-dontaudit servicemanager citadeld:binder { call };
-dontaudit servicemanager hal_camera_default:binder { call };
 dontaudit servicemanager hal_fingerprint_default:binder { call };
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index cfd7a3b0..72cb66e8 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -1,4 +1,5 @@
 binder_call(hal_camera_default, edgetpu_vendor_server)
+binder_use(hal_camera_default)
 allow hal_camera_default fwk_stats_service:service_manager find;
From fded60a79e98aaa2b2c00e5cd1002dece652f38a Mon Sep 17 00:00:00 2001
From: Ruofei Ma
Date: Fri, 12 Nov 2021 22:47:56 +0000
Subject: [PATCH 168/900] Add SELinux policy for mediacodec_google
mediacodec_google represents google av1 decoder hal service.
Bug: 205657135
Signed-off-by: Ruofei Ma
Change-Id: Ied61107d1991a22b24170b055bf3613165cbe050
---
 tracking_denials/mediacodec_google.te | 7 -------
 whitechapel_pro/mediacodec_google.te | 26 +++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 8 deletions(-)
 delete mode 100644 tracking_denials/mediacodec_google.te
diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te
deleted file mode 100644
index ba517318..00000000
--- a/tracking_denials/mediacodec_google.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/205657135
-dontaudit mediacodec_google dmabuf_system_heap_device:chr_file { getattr };
-dontaudit mediacodec_google vndbinder_device:chr_file { ioctl };
-dontaudit mediacodec_google vndbinder_device:chr_file { map };
-dontaudit mediacodec_google vndbinder_device:chr_file { open };
-dontaudit mediacodec_google vndbinder_device:chr_file { read };
-dontaudit mediacodec_google vndbinder_device:chr_file { write };
diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te
index 8ea19668..c750ea75 100644
--- a/whitechapel_pro/mediacodec_google.te
+++ b/whitechapel_pro/mediacodec_google.te
@@ -1,5 +1,29 @@
 type mediacodec_google, domain;
-type mediacodec_google_exec, vendor_file_type, exec_type, file_type;
+type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
+
 init_daemon_domain(mediacodec_google)
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec_google)
+
 hal_server_domain(mediacodec_google, hal_codec2)
+
+# mediacodec_google may use an input surface from a different Codec2 service
+hal_client_domain(mediacodec_google, hal_codec2)
+
+hal_client_domain(mediacodec_google, hal_graphics_allocator)
+
+allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_google video_device:chr_file rw_file_perms;
+
+crash_dump_fallback(mediacodec_google)
+
+# mediacodec_google should never execute any executable without a domain transition
+neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
\ No newline at end of file
From 895dfe3008a1f03e2dd1648b1235b2fcfb0b786e Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Tue, 16 Nov 2021 17:00:13 +0800
Subject: [PATCH 169/900] Fix zram avc denied
Bug: 205657025
Bug: 205657090
Bug: 205779799
Test: boot to home
Signed-off-by: Randall Huang
Change-Id: Ib23d40c2f9e96680108311d23aca708a8db4b67b
---
 tracking_denials/init.te | 2 --
 tracking_denials/toolbox.te | 15 ---------------
 whitechapel_pro/init.te | 2 +-
 whitechapel_pro/toolbox.te | 3 +++
 4 files changed, 4 insertions(+), 18 deletions(-)
 delete mode 100644 tracking_denials/init.te
 delete mode 100644 tracking_denials/toolbox.te
 create mode 100644 whitechapel_pro/toolbox.te
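Review bot: The comment `# can route /dev/binder traffic to /dev/vndbinder` above `vndbinder_use(mediacodec_google)` does not describe what the macro grants (use of /dev/vndbinder and vndservicemanager) and reads as if traffic were redirected; suggest `# uses /dev/vndbinder for vendor-side Codec2 services`. The file also ends with `\ No newline at end of file`, which will show up as a spurious change in the next edit. The `execute_no_trans` and socket `neverallow`s are the right defensive baseline for a codec process; a `# b/205657135` reference near the `dmabuf_system_heap_device` and `video_device` rules would tie them to the tracking entries this commit removes.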
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
deleted file mode 100644
index b5e0743d..00000000
--- a/tracking_denials/init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205657025
-dontaudit init ram_device:blk_file { write };
diff --git a/tracking_denials/toolbox.te b/tracking_denials/toolbox.te
deleted file mode 100644
index 44b4ec77..00000000
--- a/tracking_denials/toolbox.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# b/205657090
-dontaudit toolbox ram_device:blk_file { getattr };
-dontaudit toolbox ram_device:blk_file { ioctl };
-dontaudit toolbox ram_device:blk_file { open };
-dontaudit toolbox ram_device:blk_file { read write };
-# b/205779799
-dontaudit toolbox per_boot_file:dir { getattr };
-dontaudit toolbox per_boot_file:dir { open };
-dontaudit toolbox per_boot_file:dir { read };
-dontaudit toolbox per_boot_file:dir { remove_name };
-dontaudit toolbox per_boot_file:dir { rmdir };
-dontaudit toolbox per_boot_file:dir { search };
-dontaudit toolbox per_boot_file:dir { write };
-dontaudit toolbox per_boot_file:file { getattr };
-dontaudit toolbox per_boot_file:file { unlink };
diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te
index ed8fc1cf..d43a6011 100644
--- a/whitechapel_pro/init.te
+++ b/whitechapel_pro/init.te
@@ -13,4 +13,4 @@ allow init boot_block_device:lnk_file relabelto;
 allow init persist_file:dir mounton;
 allow init modem_efs_file:dir mounton;
 allow init modem_userdata_file:dir mounton;
-
+allow init ram_device:blk_file w_file_perms;
diff --git a/whitechapel_pro/toolbox.te b/whitechapel_pro/toolbox.te
new file mode 100644
index 00000000..9fbbb7ab
--- /dev/null
+++ b/whitechapel_pro/toolbox.te
@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;
From 4c66de3d3b8fcef4c9f57579a053d3c18a511cf3 Mon Sep 17 00:00:00 2001
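Review bot: The new `whitechapel_pro/toolbox.te` has no comment or bug reference although the tracking file it replaces recorded b/205657090 and b/205779799, and the rules it grants are wide: `create_dir_perms`/`create_file_perms` on `per_boot_file` and `rw_file_perms` on the raw zram block device. Suggest a header such as `# b/205657090, b/205779799: zram swap setup and /data/per_boot cleanup run through toolbox` (the exact commands are not visible in this diff, so confirm before writing it). The single `allow init ram_device:blk_file w_file_perms;` in init.te would likewise benefit from a `# zram` comment matching the wording used in the kernel.te hunk earlier in this series.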
From: Adam Shih
Date: Tue, 16 Nov 2021 14:03:31 +0800
Subject: [PATCH 170/900] allow pixelstats_vendor binder access
Bug: 205904433
Test: boot with no relevant error logs
Change-Id: I897a5feb41e8c127834fb3ed795aaeb5d3f3fc54
---
 tracking_denials/pixelstats_vendor.te | 2 --
 whitechapel_pro/pixelstats_vendor.te | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 tracking_denials/pixelstats_vendor.te
 create mode 100644 whitechapel_pro/pixelstats_vendor.te
diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te
deleted file mode 100644
index 96c305a5..00000000
--- a/tracking_denials/pixelstats_vendor.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205904433
-dontaudit pixelstats_vendor servicemanager:binder { call };
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
new file mode 100644
index 00000000..e8d4b92d
--- /dev/null
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -0,0 +1 @@
+binder_use(pixelstats_vendor)
From e72ecd59d8e1d2f9d9cb83ea00c9d65d91d4578c Mon Sep 17 00:00:00 2001
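Review bot: `binder_use(pixelstats_vendor)` resolves the tracked `servicemanager:binder { call }` denial but grants nothing for the service the daemon presumably looks up next; citadeld and hal_camera_default earlier in this series pair `binder_use` with `allow ... fwk_stats_service:service_manager find;`. Unless the shared pixel-sepolicy already contains that find rule, a follow-up `service_manager { find }` denial is likely. A `# b/205904433` comment on the new line would also keep the bug reference that the deleted tracking file carried.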
From: Adam Shih Date: Tue, 16 Nov 2021 14:47:39 +0800 Subject: [PATCH 171/900] fix UWB app settings and zygote library access 11-16 14:46:01.647 446 446 E SELinux : avc: denied { add } for pid=2502 uid=1083 name=uwb_vendor scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1 11-16 14:41:41.238 440 440 E SELinux : avc: denied { find } for pid=2555 uid=1083 name=hardware.qorvo.uwb.IUwb/default scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1 Bug: 206331617 Bug: 206045471 Bug: 205904384 Test: boot with no zygote errors Change-Id: I5fe048434d430120334d172481b9cc07cff141dd --- tracking_denials/zygote.te | 26 ------------------ whitechapel_pro/certs/com_qorvo_uwb.x509.pem | 29 ++++++++++++++++++++ whitechapel_pro/file_contexts | 6 ++-- whitechapel_pro/keys.conf | 2 ++ whitechapel_pro/mac_permissions.xml | 3 ++ whitechapel_pro/seapp_contexts | 3 ++ whitechapel_pro/service_contexts | 2 ++ whitechapel_pro/vendor_uwb_init.te | 2 +- 8 files changed, 43 insertions(+), 30 deletions(-) delete mode 100644 tracking_denials/zygote.te create mode 100644 whitechapel_pro/certs/com_qorvo_uwb.x509.pem diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te deleted file mode 100644 index 7f3db4ec..00000000 --- a/tracking_denials/zygote.te +++ /dev/null 
@@ -1,26 +0,0 @@ -# b/204717520 -dontaudit zygote activity_service:service_manager { find }; -dontaudit zygote content_capture_service:service_manager { find }; -dontaudit zygote default_android_service:service_manager { add }; -dontaudit zygote default_android_service:service_manager { find }; -dontaudit zygote game_service:service_manager { find }; -dontaudit zygote nfc_service:service_manager { find }; -dontaudit zygote radio_service:service_manager { find }; -# b/205904384 -dontaudit zygote adbd:unix_stream_socket { connectto }; -dontaudit zygote nfc:binder { call }; -dontaudit zygote servicemanager:binder { call }; -dontaudit zygote system_server:binder { call }; -dontaudit zygote system_server:binder { transfer }; -# b/206045471 -dontaudit zygote hal_uwb_vendor_default:binder { call }; -dontaudit zygote hal_uwb_vendor_default:binder { transfer }; -dontaudit zygote radio:binder { call }; -dontaudit zygote user_profile_data_file:file { getattr }; -dontaudit zygote vendor_file:file { execute }; -dontaudit zygote vendor_file:file { getattr }; -dontaudit zygote vendor_file:file { map }; -dontaudit zygote vendor_file:file { open }; -dontaudit zygote vendor_file:file { read }; -# b/206331617 -dontaudit zygote servicemanager:binder { transfer }; diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem new file mode 100644 index 00000000..0e7c9ed5 --- /dev/null +++ b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv +X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR +BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds +ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa +IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW +fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ +KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW +BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s +ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X +QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG +gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj +RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn +iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ +KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t +fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z +0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe +cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0 +6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg +NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY +ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp +BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh 
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz +lHV8gmlwBAuAx9ITcTJr +-----END CERTIFICATE----- diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 0fbd6f89..d18bc9dd 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -44,9 +44,9 @@ /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 # Vendor libraries -/vendor/lib64/libdrm\.so u:object_r:same_process_hal_file:s0 -/vendor/lib64/libion_google\.so u:object_r:same_process_hal_file:s0 -/vendor/lib64/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Vendor kernel modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index dac66f87..f67eb8f2 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -1,3 +1,5 @@ [@MDS] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem +[@UWB] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 4b997c27..6cf15728 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -24,4 +24,7 @@ + + + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index f7880eab..6aef28f7 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
@@ -33,5 +33,8 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+# Qorvo UWB system app
+user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
 # Sub System Ramdump
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
index cb6af7cc..8f3c1900 100644
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
@@ -1,2 +1,4 @@
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default u:object_r:touch_service:s0
+hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0
+uwb_vendor u:object_r:uwb_vendor_service:s0
diff --git a/whitechapel_pro/vendor_uwb_init.te b/whitechapel_pro/vendor_uwb_init.te
index 716af19c..f317b253 100644
--- a/whitechapel_pro/vendor_uwb_init.te
+++ b/whitechapel_pro/vendor_uwb_init.te
@@ -4,7 +4,7 @@ type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(vendor_uwb_init)
 allow vendor_uwb_init vendor_shell_exec:file rx_file_perms;
-allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms;
+allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms;
 allow vendor_uwb_init uwb_data_vendor:file create_file_perms;
 allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;
From 149dec3f700a65d68b748c16436c1ea9982317c9 Mon Sep 17 00:00:00 2001
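Review bot: The `service_contexts` hunk labels `hardware.qorvo.uwb.IUwb/default` as `hal_uwb_vendor_service` and `uwb_vendor` as `uwb_vendor_service`, which is what the `add`/`find` denials quoted in the commit message asked for, but no `uwb_vendor_app.te` is touched in this commit; unless that domain already holds `allow uwb_vendor_app uwb_vendor_service:service_manager add;` and `allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;`, the same denials come back against the new types instead of `default_android_service`. The `seapp_contexts` entry itself is well pinned (`seinfo=uwb` backed by the certificate added to keys.conf, a dedicated `user=uwb` and its own data type). The `vendor_uwb_init.te` hunk is a whitespace-only change of the `vendor_toolbox_exec` line and could be left out of this commit.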
From: Chungkai Mei
Date: Tue, 16 Nov 2021 02:46:17 +0000
Subject: [PATCH 172/900] selinux: hal_camera_default: fix avc denied logs
avc: denied { transfer } for comm="android.hardwar" scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_camera_default:s0 tclass=binder permissive=1
Bug: 205904442
Test: local build pass
Signed-off-by: Chungkai Mei
Change-Id: I39e84cfa895b56d44f248015dddb5f99d099fd76
---
 tracking_denials/hal_power_default.te | 2 --
 whitechapel_pro/hal_camera_default.te | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 tracking_denials/hal_power_default.te
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index 05e3c0c1..00000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205904442
-dontaudit hal_power_default hal_camera_default:binder { transfer };
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 72cb66e8..18e03066 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -1,3 +1,4 @@
+hal_client_domain(hal_camera_default, hal_power);
 binder_call(hal_camera_default, edgetpu_vendor_server)
 binder_use(hal_camera_default)
From 966f3dc7a0428e33d0c106ce77e5b27c798150ec Mon Sep 17 00:00:00 2001
From: chenpaul
Date: Wed, 17 Nov 2021 17:17:33 +0800
Subject: [PATCH 173/900] Remove wifi_logger related sepolicy settings
Due to the fact that /vendor/bin/wifi_logger no longer exists on the P21 master branch any more, we remove obsolete sepolicy.
Bug: 201599426
Test: wlan_logger in Pixel Logger is workable
Change-Id: Iaa7e4da6564a4ea2b0938db34bb7efff6ed54ee0
---
 gs201-sepolicy.mk | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
index 3fe859d1..7ab4a233 100644
--- a/gs201-sepolicy.mk
+++ b/gs201-sepolicy.mk
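Review bot: `hal_client_domain(hal_camera_default, hal_power);` ends with a semicolon while the other macro invocations in the same file (`binder_call(...)`, `binder_use(...)`) do not; drop the `;` to keep the file consistent. The macro grants the camera HAL the full client relationship with the power HAL, which is wider than the single `hal_power_default -> hal_camera_default transfer` denial quoted in the message; that is the normal pattern, but a comment such as `# b/205904442: camera HAL is a client of the power HAL` would record why the rule sits at the top of the file.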
@@ -18,6 +18,3 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/dauntless
 # PowerStats HAL
 BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-
-# Wifi Logger
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger
From 646216405f26eadf9d5035531deadcd567e99a24 Mon Sep 17 00:00:00 2001
From: George Chang
Date: Thu, 18 Nov 2021 13:15:51 +0800
Subject: [PATCH 174/900] Fix SELinux error coming from vendor_init for nfc and se
avc: denied { set } for property=persist.vendor.nfc.streset
avc: denied { set } for property=persist.vendor.se.strese
Bug: 205070818
Test: no nfc se vendor_init avc errors
Change-Id: Id5002bd93e155d81cb8d56ba0cf38cb58b9409c6
---
 tracking_denials/vendor_init.te | 3 ---
 whitechapel_pro/vendor_init.te | 5 +++++
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 69593d59..41f0435c 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -1,6 +1,3 @@
-# b/205070818
-dontaudit vendor_init vendor_nfc_prop:property_service { set };
-dontaudit vendor_init vendor_secure_element_prop:property_service { set };
 # b/205656950
 dontaudit vendor_init thermal_link_device:file { create };
 # b/206045605
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 025fdef9..53faecf6 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -7,3 +7,8 @@ set_prop(vendor_init, vendor_ready_prop)
 get_prop(vendor_init, vendor_battery_profile_prop)
 set_prop(vendor_init, vendor_device_prop)
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
+
From 11994a8ca086327a309ee3412b109a6d95b78711 Mon Sep 17 00:00:00 2001
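Review bot: The `whitechapel_pro/vendor_init.te` hunk appends a trailing `+` blank line after `set_prop(vendor_init, vendor_secure_element_prop)`, which will show up as noise in the next diff of this file; drop it. The comments are welcome; naming the properties quoted in the message, e.g. `# NFC vendor property (persist.vendor.nfc.streset)` and `# SecureElement vendor property (persist.vendor.se.*)`, would let a reader match each rule to its property_contexts entry without opening b/205070818.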
From: Shiyong Li
Date: Tue, 16 Nov 2021 21:52:44 +0000
Subject: [PATCH 175/900] allow systemui to toggle display lhbm node
Fix the following selinux violation:
avc: denied { call } for scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:hal_graphics_composer_default:s0 tclass=binder permissive=1 app=com.android.systemui
Bug: 205640231
Test: check avc logs while using udfps
Signed-off-by: Shiyong Li
Change-Id: I196ade950541d56affd3dc38568b0275f159c799
---
 whitechapel_pro/platform_app.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te
index 298ff8fd..4fc6b9fc 100644
--- a/whitechapel_pro/platform_app.te
+++ b/whitechapel_pro/platform_app.te
@@ -8,3 +8,6 @@ get_prop(platform_app, fingerprint_ghbm_prop)
 set_prop(platform_app, bootanim_system_prop);
 binder_call(platform_app, hal_wlc)
+
+# allow udfps of systemui access lhbm
+binder_call(platform_app, hal_graphics_composer_default)
From 6459d30fb1c62383e8b31e124218c96aa82df15d Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 18 Nov 2021 12:01:41 +0800
Subject: [PATCH 176/900] unleash all SELinux error
Bug: 205212735
Test: boot with all the selinux error showing up
Change-Id: If34d16a26f788458510cf5d920e8978bc68211be
---
 whitechapel_pro/domain.te | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 whitechapel_pro/domain.te
diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te
deleted file mode 100644
index c8ed7c51..00000000
--- a/whitechapel_pro/domain.te
+++ /dev/null
@@ -1,6 +0,0 @@
-dontaudit domain fs_type:chr_file *;
-dontaudit domain fs_type:file *;
-dontaudit domain fs_type:blk_file *;
-dontaudit domain fs_type:dir *;
-dontaudit domain fs_type:filesystem *;
-
From 6dc46556e399797d9ea8a10fbe909c82140307eb Mon Sep 17 00:00:00 2001
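Review bot: `binder_call(platform_app, hal_graphics_composer_default)` binds to the concrete default-implementation domain, while the line just above it in the same file uses the HAL attribute (`hal_wlc`); targeting the attribute (`hal_graphics_composer`) would survive a composer implementation change and keeps the two rules consistent. As with the hal_wlc rule, this covers every platform-signed app rather than only the SystemUI UDFPS path named in the comment, and `binder_call` is bidirectional. Suggest rewording the comment to `# b/205640231: let SystemUI (platform_app) toggle the display LHBM node through the composer HAL`.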
From: Adam Shih Date: Fri, 19 Nov 2021 12:46:57 +0800 Subject: [PATCH 177/900] update error on ROM 7930790 Bug: 207062875 Bug: 207062775 Bug: 207062209 Bug: 207062260 Bug: 207062874 Bug: 207062172 Bug: 207062562 Bug: 207062564 Bug: 207062210 Bug: 207062261 Bug: 207062541 Bug: 207062542 Bug: 207062207 Bug: 207062231 Bug: 207062151 Bug: 207062776 Bug: 207062777 Bug: 207062780 Bug: 207062877 Bug: 207062484 Bug: 207062781 Bug: 207062833 Bug: 207062258 Bug: 207062211 Bug: 207062229 Bug: 207062779 Bug: 207062232 Bug: 207062206 Bug: 207062540 Bug: 207062208 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I23da4247c6d3d24d193a8a7ce28da9ac1ea88842 --- tracking_denials/bluetooth.te | 2 ++ tracking_denials/hal_bluetooth_btlinux.te | 4 ++++ tracking_denials/hal_camera_default.te | 4 ++++ tracking_denials/hal_fingerprint_default.te | 8 +++++++ tracking_denials/hal_googlebattery.te | 4 ++++ .../hal_graphics_composer_default.te | 10 +++++++++ tracking_denials/hal_health_default.te | 9 ++++++++ tracking_denials/hal_power_default.te | 11 ++++++++++ tracking_denials/hal_power_stats_default.te | 11 ++++++++++ tracking_denials/hal_secure_element_gto.te | 5 +++++ tracking_denials/hal_sensors_default.te | 21 +++++++++++++++++++ tracking_denials/hal_usb_impl.te | 2 ++ tracking_denials/hal_vibrator_default.te | 8 +++++++ tracking_denials/hal_wlc.te | 5 +++++ tracking_denials/init-insmod-sh.te | 3 +++ tracking_denials/init.te | 5 +++++ tracking_denials/logd.te | 2 ++ tracking_denials/logger_app.te | 4 ++++ tracking_denials/logpersist.te | 2 ++ tracking_denials/nfc.te | 2 ++ tracking_denials/platform_app.te | 2 ++ tracking_denials/priv_app.te | 4 ++++ tracking_denials/rlsservice.te | 5 +++++ tracking_denials/surfaceflinger.te | 2 ++ tracking_denials/system_server.te | 6 ++++++ tracking_denials/system_suspend.te | 11 ++++++++++ tracking_denials/untrusted_app_30.te | 2 ++ tracking_denials/vendor_init.te | 3 +++ tracking_denials/vold.te | 2 ++ tracking_denials/zygote.te | 4 ++++ 30 
files changed, 163 insertions(+)
 create mode 100644 tracking_denials/bluetooth.te
 create mode 100644 tracking_denials/hal_bluetooth_btlinux.te
 create mode 100644 tracking_denials/hal_googlebattery.te
 create mode 100644 tracking_denials/hal_health_default.te
 create mode 100644 tracking_denials/hal_power_default.te
 create mode 100644 tracking_denials/hal_wlc.te
 create mode 100644 tracking_denials/init-insmod-sh.te
 create mode 100644 tracking_denials/init.te
 create mode 100644 tracking_denials/logd.te
 create mode 100644 tracking_denials/logpersist.te
 create mode 100644 tracking_denials/priv_app.te
 create mode 100644 tracking_denials/system_suspend.te
 create mode 100644 tracking_denials/untrusted_app_30.te
 create mode 100644 tracking_denials/vold.te
 create mode 100644 tracking_denials/zygote.te
diff --git a/tracking_denials/bluetooth.te b/tracking_denials/bluetooth.te
new file mode 100644
index 00000000..22734bef
--- /dev/null
+++ b/tracking_denials/bluetooth.te
@@ -0,0 +1,2 @@
+# b/207062875
+dontaudit bluetooth sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..04eae4f5
--- /dev/null
+++ b/tracking_denials/hal_bluetooth_btlinux.te
@@ -0,0 +1,4 @@
+# b/207062775
+dontaudit hal_bluetooth_btlinux device:chr_file { ioctl };
+dontaudit hal_bluetooth_btlinux device:chr_file { open };
+dontaudit hal_bluetooth_btlinux device:chr_file { read write };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 5520f0b4..70436e89 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
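Review bot: The three `dontaudit hal_bluetooth_btlinux device:chr_file { ... }` lines target the generic `device` type, i.e. a /dev node with no file_contexts entry, so the dontaudit hides a mislabel rather than tracking a real denial; the node should get its own type (and the HAL an allow) before this tracking entry is retired. The same generic-type pattern appears in the hal_camera_default hunk (`device:chr_file`) of this commit, and the bare `sysfs:file` entries in the hal_googlebattery, hal_health_default, hal_power_default, hal_wlc and hal_vibrator_default hunks likely point at sysfs nodes that still need a genfs_contexts label. A comment on these lines such as `# generic device label: node needs a file_contexts entry` would keep that visible to whoever closes the bug.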
@@ -48,3 +48,7 @@ dontaudit hal_camera_default hal_radioext_default:binder { call };
 dontaudit hal_camera_default init:unix_stream_socket { connectto };
 dontaudit hal_camera_default property_socket:sock_file { write };
 dontaudit hal_camera_default system_server:binder { call };
+# b/207062209
+dontaudit hal_camera_default device:chr_file { ioctl };
+dontaudit hal_camera_default device:chr_file { open };
+dontaudit hal_camera_default device:chr_file { read };
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
index 43d1f3a2..6698865e 100644
--- a/tracking_denials/hal_fingerprint_default.te
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -21,3 +21,11 @@ dontaudit hal_fingerprint_default tee_device:chr_file { read write };
 dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
 dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
 dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
+# b/207062260
+dontaudit hal_fingerprint_default default_prop:property_service { set };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default init:unix_stream_socket { connectto };
+dontaudit hal_fingerprint_default property_socket:sock_file { write };
+dontaudit hal_fingerprint_default sysfs_chosen:dir { search };
+dontaudit hal_fingerprint_default sysfs_chosen:file { open };
+dontaudit hal_fingerprint_default sysfs_chosen:file { read };
diff --git a/tracking_denials/hal_googlebattery.te b/tracking_denials/hal_googlebattery.te
new file mode 100644
index 00000000..928e009c
--- /dev/null
+++ b/tracking_denials/hal_googlebattery.te
@@ -0,0 +1,4 @@
+# b/207062874
+dontaudit hal_googlebattery sysfs:file { getattr };
+dontaudit hal_googlebattery sysfs:file { open };
+dontaudit hal_googlebattery sysfs:file { read };
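Review bot: `dontaudit hal_fingerprint_default default_prop:property_service { set };`, together with the `init:unix_stream_socket { connectto }` and `property_socket:sock_file { write }` lines in the hal_fingerprint_default hunk, means the HAL sets a property that falls back to `default_prop`, i.e. one with no property_contexts entry; suppressing the denial leaves that set silently failing once the device is enforcing. The durable fix is a labeled vendor property type plus `set_prop(hal_fingerprint_default, <that type>)`; if the set is not needed, the tracking comment should at least name the property, e.g. `# b/207062260: sets <property name> (unlabeled -> default_prop), needs a property_contexts entry`.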
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
index d416f72f..b411cdab 100644
--- a/tracking_denials/hal_graphics_composer_default.te
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -18,3 +18,13 @@ dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_ko
 dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
 dontaudit hal_graphics_composer_default vndservicemanager:binder { call };
 dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer };
+# b/207062172
+dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
+dontaudit hal_graphics_composer_default boot_status_prop:file { map };
+dontaudit hal_graphics_composer_default boot_status_prop:file { open };
+dontaudit hal_graphics_composer_default boot_status_prop:file { read };
+dontaudit hal_graphics_composer_default sysfs:file { getattr };
+dontaudit hal_graphics_composer_default sysfs:file { open };
+dontaudit hal_graphics_composer_default sysfs:file { read };
+dontaudit hal_graphics_composer_default sysfs:file { write };
+dontaudit hal_graphics_composer_default sysfs_display:file { write };
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
new file mode 100644
index 00000000..3cc7d0cb
--- /dev/null
+++ b/tracking_denials/hal_health_default.te
@@ -0,0 +1,9 @@
+# b/207062562
+dontaudit hal_health_default sysfs:file { getattr };
+dontaudit hal_health_default sysfs:file { open };
+dontaudit hal_health_default sysfs:file { read };
+dontaudit hal_health_default sysfs:file { write };
+dontaudit hal_health_default sysfs_scsi_devices_0000:dir { search };
+dontaudit hal_health_default sysfs_scsi_devices_0000:file { getattr };
+dontaudit hal_health_default sysfs_scsi_devices_0000:file { open };
+dontaudit hal_health_default sysfs_scsi_devices_0000:file { read };
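Review bot: `dontaudit hal_graphics_composer_default sysfs_display:file { write };` suppresses a write the composer makes to the display sysfs nodes, and PATCH 175 in this series grants SystemUI binder access to this very HAL so it can toggle the LHBM node; if that toggle is the write being hidden, the feature stops working silently once the device is enforcing. Check the denial against the LHBM path and, if it is genuine, grant it in the whitechapel_pro policy (for example `allow hal_graphics_composer_default sysfs_display:file w_file_perms;`, or whichever narrower set is used) instead of tracking it. The four `boot_status_prop:file { getattr map open read }` lines are exactly the file accesses of a property read and belong to a `get_prop(hal_graphics_composer_default, boot_status_prop)` rather than a dontaudit; the `vendor_secure_element_prop:file` lines in this commit's hal_secure_element_gto hunk show the same pattern.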
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..a9984f9f
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,11 @@
+# b/207062564
+dontaudit hal_power_default sysfs:file { open };
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs_fs_f2fs:dir { search };
+dontaudit hal_power_default sysfs_fs_f2fs:file { open };
+dontaudit hal_power_default sysfs_fs_f2fs:file { write };
+dontaudit hal_power_default sysfs_scsi_devices_0000:file { open };
+dontaudit hal_power_default sysfs_scsi_devices_0000:file { write };
+dontaudit hal_power_default sysfs_vendor_sched:dir { search };
+dontaudit hal_power_default sysfs_vendor_sched:file { open };
+dontaudit hal_power_default sysfs_vendor_sched:file { write };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
index 86e4dc43..3929f8d8 100644
--- a/tracking_denials/hal_power_stats_default.te
+++ b/tracking_denials/hal_power_stats_default.te
@@ -1,2 +1,13 @@
 # b/205904367
 dontaudit hal_power_stats_default hal_bluetooth_btlinux:binder { call };
+# b/207062210
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default sysfs:file { open };
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs_edgetpu:dir { search };
+dontaudit hal_power_stats_default sysfs_edgetpu:file { getattr };
+dontaudit hal_power_stats_default sysfs_edgetpu:file { open };
+dontaudit hal_power_stats_default sysfs_edgetpu:file { read };
+dontaudit hal_power_stats_default sysfs_iio_devices:dir { read open };
+dontaudit hal_power_stats_default sysfs_iio_devices:dir { read };
+dontaudit hal_power_stats_default sysfs_iio_devices:dir { search };
diff --git a/tracking_denials/hal_secure_element_gto.te b/tracking_denials/hal_secure_element_gto.te
index ea3e96f6..d264971b 100644
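Review bot: `dontaudit hal_power_stats_default sysfs_iio_devices:dir { read open };` already covers the next line `dontaudit hal_power_stats_default sysfs_iio_devices:dir { read };`, so the second is redundant; the generator evidently emitted both the combined and the split form. Folding the three iio lines into `dontaudit hal_power_stats_default sysfs_iio_devices:dir { open read search };` keeps the file tidy. In the hal_power_default hunk above, the `sysfs_vendor_sched` and `sysfs_fs_f2fs` write entries look like the power HAL's own tunables rather than noise; if so they need `allow` rules in the whitechapel_pro policy, since a dontaudit will silently disable them in enforcing mode.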
--- a/tracking_denials/hal_secure_element_gto.te
+++ b/tracking_denials/hal_secure_element_gto.te
@@ -6,3 +6,8 @@ dontaudit hal_secure_element_gto secure_element_device:chr_file { read write };
 # b/205904452
 dontaudit hal_secure_element_gto init:unix_stream_socket { connectto };
 dontaudit hal_secure_element_gto property_socket:sock_file { write };
+# b/207062261
+dontaudit hal_secure_element_gto vendor_secure_element_prop:file { getattr };
+dontaudit hal_secure_element_gto vendor_secure_element_prop:file { map };
+dontaudit hal_secure_element_gto vendor_secure_element_prop:file { open };
+dontaudit hal_secure_element_gto vendor_secure_element_prop:file { read };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
index 06aaec58..492754fb 100644
--- a/tracking_denials/hal_sensors_default.te
+++ b/tracking_denials/hal_sensors_default.te
@@ -13,3 +13,24 @@ dontaudit hal_sensors_default sensor_reg_data_file:dir { read };
 dontaudit hal_sensors_default chre:unix_stream_socket { connectto };
 dontaudit hal_sensors_default chre_socket:sock_file { write };
 dontaudit hal_sensors_default system_server:binder { call };
+# b/207062541
+dontaudit hal_sensors_default device:dir { open };
+dontaudit hal_sensors_default device:dir { read };
+dontaudit hal_sensors_default device:dir { watch };
+dontaudit hal_sensors_default persist_sensor_reg_file:dir { getattr };
+dontaudit hal_sensors_default persist_sensor_reg_file:dir { open };
+dontaudit hal_sensors_default persist_sensor_reg_file:dir { read };
+dontaudit hal_sensors_default persist_sensor_reg_file:dir { search };
+dontaudit hal_sensors_default persist_sensor_reg_file:file { getattr };
+dontaudit hal_sensors_default persist_sensor_reg_file:file { open };
+dontaudit hal_sensors_default persist_sensor_reg_file:file { read };
+dontaudit hal_sensors_default sysfs:file { open };
+dontaudit hal_sensors_default sysfs:file { read };
+dontaudit hal_sensors_default sysfs:file { write };
+dontaudit hal_sensors_default sysfs_aoc:dir { search };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
+dontaudit hal_sensors_default sysfs_chosen:dir { search };
+dontaudit hal_sensors_default sysfs_chosen:file { open };
+dontaudit hal_sensors_default sysfs_chosen:file { read };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
index b2971ad3..f561949c 100644
--- a/tracking_denials/hal_usb_impl.te
+++ b/tracking_denials/hal_usb_impl.te
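Review bot: The seven `persist_sensor_reg_file` dir/file suppressions in this hunk silence what, by the label name, looks like the sensor HAL reading its own registration data on /persist; in enforcing mode those reads fail silently and, unlike a denial, nothing will point at the cause when sensors misbehave. If the HAL genuinely needs the data the fix belongs in the vendor policy as `allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;` and `allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;` rather than dontaudit; if it is only probing for an optional file, a comment saying so would justify the suppression. The generic `sysfs:file { write }` entry likewise hides a write to an unlabeled node and should be resolved by labeling it.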
@@ -3,3 +3,5 @@ dontaudit hal_usb_impl vendor_usb_config_prop:file { getattr };
 dontaudit hal_usb_impl vendor_usb_config_prop:file { map };
 dontaudit hal_usb_impl vendor_usb_config_prop:file { open };
 dontaudit hal_usb_impl vendor_usb_config_prop:file { read };
+# b/207062542
+dontaudit hal_usb_impl functionfs:dir { watch watch_reads };
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
index 09a5a853..c69e5c5b 100644
--- a/tracking_denials/hal_vibrator_default.te
+++ b/tracking_denials/hal_vibrator_default.te
@@ -1,3 +1,11 @@
 # b/204718450
 dontaudit hal_vibrator_default input_device:dir { open };
 dontaudit hal_vibrator_default input_device:dir { read };
+# b/207062207
+dontaudit hal_vibrator_default proc_asound:dir { search };
+dontaudit hal_vibrator_default proc_asound:file { getattr };
+dontaudit hal_vibrator_default proc_asound:file { open };
+dontaudit hal_vibrator_default proc_asound:file { read };
+dontaudit hal_vibrator_default sysfs:file { getattr };
+dontaudit hal_vibrator_default sysfs:file { open };
+dontaudit hal_vibrator_default sysfs:file { read write };
diff --git a/tracking_denials/hal_wlc.te b/tracking_denials/hal_wlc.te
new file mode 100644
index 00000000..13615090
--- /dev/null
+++ b/tracking_denials/hal_wlc.te
@@ -0,0 +1,5 @@
+# b/207062231
+dontaudit hal_wlc sysfs:file { getattr };
+dontaudit hal_wlc sysfs:file { open };
+dontaudit hal_wlc sysfs:file { read };
+dontaudit hal_wlc sysfs:file { write };
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
new file mode 100644
index 00000000..e12715f9
--- /dev/null
+++ b/tracking_denials/init-insmod-sh.te
@@ -0,0 +1,3 @@
+# b/207062151
+dontaudit init-insmod-sh debugfs_mgm:dir { search };
+dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
new file mode 100644
index 00000000..d2dd9a08
--- /dev/null
+++ b/tracking_denials/init.te
@@ -0,0 +1,5 @@
+# b/207062776
+dontaudit init sysfs_scsi_devices_0000:file { open };
+dontaudit init sysfs_scsi_devices_0000:file { write };
+dontaudit init sysfs_vendor_sched:file { open };
+dontaudit init sysfs_vendor_sched:file { write };
diff --git a/tracking_denials/logd.te b/tracking_denials/logd.te
new file mode 100644
index 00000000..1adadfb5
--- /dev/null
+++ b/tracking_denials/logd.te
@@ -0,0 +1,2 @@
+# b/207062777
+dontaudit logd sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index 134ed8db..9a704fe2 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
@@ -22,3 +22,7 @@ dontaudit logger_app radio_vendor_data_file:file { getattr };
 dontaudit logger_app radio_vendor_data_file:file { setattr };
 dontaudit logger_app radio_vendor_data_file:file { write open };
 dontaudit logger_app vendor_gps_file:dir { search };
+# b/207062780
+dontaudit logger_app vendor_gps_file:dir { getattr };
+dontaudit logger_app vendor_gps_file:dir { open };
+dontaudit logger_app vendor_gps_file:dir { read };
diff --git a/tracking_denials/logpersist.te b/tracking_denials/logpersist.te
new file mode 100644
index 00000000..bf0c1af5
--- /dev/null
+++ b/tracking_denials/logpersist.te
@@ -0,0 +1,2 @@
+# b/207062877
+dontaudit logpersist sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/nfc.te b/tracking_denials/nfc.te
index 3e17ff52..5033047c 100644
--- a/tracking_denials/nfc.te
+++ b/tracking_denials/nfc.te
@@ -1,2 +1,4 @@
 # b/205904208
 dontaudit nfc zygote:binder { transfer };
+# b/207062484
+dontaudit nfc sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index 6e1b0e1c..9ba5f579 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
@@ -1,2 +1,4 @@
 # b/204718221
 dontaudit platform_app touch_service:service_manager { find };
+# b/207062781
+dontaudit platform_app sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 00000000..c966f4e6
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,4 @@
+# b/207062833
+dontaudit priv_app vendor_default_prop:file { getattr };
+dontaudit priv_app vendor_default_prop:file { map };
+dontaudit priv_app vendor_default_prop:file { open };
diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te
index ba5e07a8..604af460 100644
--- a/tracking_denials/rlsservice.te
+++ b/tracking_denials/rlsservice.te
@@ -17,3 +17,8 @@ dontaudit rlsservice apex_info_file:file { watch };
 # b/205904324
 dontaudit rlsservice vndservicemanager:binder { call };
 dontaudit rlsservice vndservicemanager:binder { transfer };
+# b/207062258
+dontaudit rlsservice device:dir { read };
+dontaudit rlsservice device:dir { watch };
+dontaudit rlsservice sysfs:file { open };
+dontaudit rlsservice sysfs:file { read };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
index 3ccdc9c3..97f404c2 100644
--- a/tracking_denials/surfaceflinger.te
+++ b/tracking_denials/surfaceflinger.te
@@ -4,3 +4,5 @@ dontaudit surfaceflinger kernel:process { setsched };
 dontaudit surfaceflinger vendor_fw_file:dir { search };
 dontaudit surfaceflinger vendor_fw_file:file { open };
 dontaudit surfaceflinger vendor_fw_file:file { read };
+# b/207062211
+dontaudit surfaceflinger sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index a00372c9..aef66509 100644
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
@@ -2,3 +2,9 @@ dontaudit system_server zygote:binder { call };
 # b/206045368
 dontaudit system_server zygote:binder { transfer };
+# b/207062229
+dontaudit system_server sysfs:dir { open };
+dontaudit system_server sysfs:dir { read };
+dontaudit system_server sysfs:file { getattr };
+dontaudit system_server sysfs:file { open };
+dontaudit system_server sysfs:file { read };
diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te
new file mode 100644
index 00000000..0c1c034e
--- /dev/null
+++ b/tracking_denials/system_suspend.te
@@ -0,0 +1,11 @@
+# b/207062779
+dontaudit system_suspend_server sysfs:dir { open };
+dontaudit system_suspend_server sysfs:dir { read };
+dontaudit system_suspend_server sysfs:file { getattr };
+dontaudit system_suspend_server sysfs:file { open };
+dontaudit system_suspend_server sysfs:file { read };
+dontaudit system_suspend_server sysfs_aoc:dir { open };
+dontaudit system_suspend_server sysfs_aoc:dir { read };
+dontaudit system_suspend_server sysfs_aoc:file { getattr };
+dontaudit system_suspend_server sysfs_aoc:file { open };
+dontaudit system_suspend_server sysfs_aoc:file { read };
diff --git a/tracking_denials/untrusted_app_30.te b/tracking_denials/untrusted_app_30.te
new file mode 100644
index 00000000..9236a012
--- /dev/null
+++ b/tracking_denials/untrusted_app_30.te
@@ -0,0 +1,2 @@
+# b/207062232
+dontaudit untrusted_app_30 sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 41f0435c..5367a488 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -5,3 +5,6 @@ dontaudit vendor_init vendor_modem_prop:file { getattr };
 dontaudit vendor_init vendor_modem_prop:file { map };
 dontaudit vendor_init vendor_modem_prop:file { open };
 dontaudit vendor_init vendor_modem_prop:file { read };
+# b/207062206
+dontaudit vendor_init proc_dirty:file { write };
+dontaudit vendor_init proc_sched:file { write };
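Review bot: `dontaudit untrusted_app_30 sysfs_vendor_sched:dir { search };` is the tenth domain in this series to get the same `sysfs_vendor_sched:dir { search }` suppression (logd, logpersist, nfc, platform_app, surfaceflinger, zygote, init, hal_power_default and radio are the others), and a search denial from that many unrelated domains — including untrusted apps — indicates the `genfscon` for `sysfs_vendor_sched` is applied to a directory that everything traverses on the way to ordinary sysfs nodes, not only to the vendor scheduler files. Narrowing the label path (or moving the sched nodes under a directory nothing else walks through) removes every one of these entries at once, whereas per-domain dontaudit only hides the symptom. Until that lands, the untrusted-app entry should at least say what is being hidden, e.g. `# search only: untrusted apps traverse the parent dir; the sched nodes themselves stay denied and audited`.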
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
new file mode 100644
index 00000000..82e8385e
--- /dev/null
+++ b/tracking_denials/vold.te
@@ -0,0 +1,2 @@
+# b/207062540
+dontaudit vold sysfs_scsi_devices_0000:file { write };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
new file mode 100644
index 00000000..0c1eaba1
--- /dev/null
+++ b/tracking_denials/zygote.te
@@ -0,0 +1,4 @@
+# b/207062208
+dontaudit zygote sysfs_vendor_sched:dir { search };
+dontaudit zygote sysfs_vendor_sched:file { open };
+dontaudit zygote sysfs_vendor_sched:file { write };
From f317331d7afdd4ba9650834c963f517818800dc2 Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Fri, 19 Nov 2021 15:11:45 +0800
Subject: [PATCH 178/900] allow init to set scsi tunables
Bug: 206741894
Bug: 207062776
Test: boot to home
Signed-off-by: Randall Huang
Change-Id: Iff52af62e6495e4390c7f961f11b3d8702b09ef9
---
tracking_denials/init.te | 2 --
whitechapel_pro/init.te | 1 +
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
index d2dd9a08..7f2a01fe 100644
--- a/tracking_denials/init.te
+++ b/tracking_denials/init.te
@@ -1,5 +1,3 @@
 # b/207062776
-dontaudit init sysfs_scsi_devices_0000:file { open };
-dontaudit init sysfs_scsi_devices_0000:file { write };
 dontaudit init sysfs_vendor_sched:file { open };
 dontaudit init sysfs_vendor_sched:file { write };
diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te
index d43a6011..cfb875f6 100644
--- a/whitechapel_pro/init.te
+++ b/whitechapel_pro/init.te
@@ -14,3 +14,4 @@ allow init persist_file:dir mounton;
 allow init modem_efs_file:dir mounton;
 allow init modem_userdata_file:dir mounton;
 allow init ram_device:blk_file w_file_perms;
+allow init sysfs_scsi_devices_0000:file w_file_perms;
From a578c846fa5055f7e1b3d47e0af87b7e5fce2a9c Mon Sep 17 00:00:00 2001
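Review bot: `allow init sysfs_scsi_devices_0000:file w_file_perms;` grants the core `init` domain write access to every file carrying the UFS/SCSI sysfs label, but if the writes come from a vendor `.rc` `write` action the actor is `vendor_init`, not `init` (vendor rc files execute in the vendor_init domain), so please confirm which domain produced the denial that b/207062776 tracked before the rule settles here. `w_file_perms` is also broader than the `{ open write }` the removed tracking entries showed — it additionally carries append, lock and (in AOSP's global macros) map — so `allow init sysfs_scsi_devices_0000:file { open write };` would match the evidence. Whichever domain is right, a comment naming the tunables would help future readers, e.g. `# init.rc sets SCSI/UFS queue tunables under the 14700000.ufs sysfs tree`.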
From: Randall Huang
Date: Fri, 19 Nov 2021 16:31:09 +0800
Subject: [PATCH 179/900] storage: update sepolicy for storage suez
Bug: 206741894
Bug: 188793183
Test: boot to home
Signed-off-by: Randall Huang
Change-Id: I206178e34156f0b02c4a5b743ac9467e7dafb74f
---
tracking_denials/hal_health_default.te | 4 ----
tracking_denials/hal_power_default.te | 5 -----
whitechapel_pro/hal_health_default.te | 4 ++++
whitechapel_pro/hal_power_default.te | 4 ++++
whitechapel_pro/hal_power_stats_default.te | 2 ++
whitechapel_pro/hardware_info_app.te | 4 ++++
whitechapel_pro/pixelstats_vendor.te | 2 ++
7 files changed, 16 insertions(+), 9 deletions(-)
create mode 100644 whitechapel_pro/hal_power_default.te
create mode 100644 whitechapel_pro/hal_power_stats_default.te
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
index 3cc7d0cb..a53e7d6a 100644
--- a/tracking_denials/hal_health_default.te
+++ b/tracking_denials/hal_health_default.te
@@ -3,7 +3,3 @@ dontaudit hal_health_default sysfs:file { getattr };
 dontaudit hal_health_default sysfs:file { open };
 dontaudit hal_health_default sysfs:file { read };
 dontaudit hal_health_default sysfs:file { write };
-dontaudit hal_health_default sysfs_scsi_devices_0000:dir { search };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { getattr };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { open };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { read };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index a9984f9f..62741ebc 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -1,11 +1,6 @@
 # b/207062564
 dontaudit hal_power_default sysfs:file { open };
 dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs_fs_f2fs:dir { search };
-dontaudit hal_power_default sysfs_fs_f2fs:file { open };
-dontaudit hal_power_default sysfs_fs_f2fs:file { write };
-dontaudit hal_power_default sysfs_scsi_devices_0000:file { open };
-dontaudit hal_power_default sysfs_scsi_devices_0000:file { write };
 dontaudit hal_power_default sysfs_vendor_sched:dir { search };
 dontaudit hal_power_default sysfs_vendor_sched:file { open };
 dontaudit hal_power_default sysfs_vendor_sched:file { write };
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index bdac85ac..57d3961d 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
@@ -2,3 +2,7 @@ allow hal_health_default mnt_vendor_file:dir search;
 allow hal_health_default persist_file:dir search;
 set_prop(hal_health_default, vendor_battery_defender_prop)
+
+# Access to /sys/devices/platform/14700000.ufs/*
+allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te
new file mode 100644
index 00000000..ade34a31
--- /dev/null
+++ b/whitechapel_pro/hal_power_default.te
@@ -0,0 +1,4 @@
+allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
+
diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te
new file mode 100644
index 00000000..f49572cc
--- /dev/null
+++ b/whitechapel_pro/hal_power_stats_default.te
@@ -0,0 +1,2 @@
+allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms;
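Review bot: `allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;` grants write access that the tracked denials never showed — the entries this same commit removes from tracking_denials/hal_health_default.te were only `dir { search }` and `file { getattr }`, `{ open }`, `{ read }`. Unless the health HAL really writes UFS sysfs nodes, `r_file_perms` matches the evidence and keeps a battery/health service from being able to alter storage tunables; if a write is needed, the comment should name the node instead of the whole `/sys/devices/platform/14700000.ufs/*` subtree, e.g. `# read UFS health/lifetime attributes; write is only needed for <node>`.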
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te
index 9b52417e..a2207af4 100644
--- a/whitechapel_pro/hardware_info_app.te
+++ b/whitechapel_pro/hardware_info_app.te
@@ -2,3 +2,7 @@ type hardware_info_app, domain;
 app_domain(hardware_info_app)
 allow hardware_info_app app_api_service:service_manager find;
+
+# Storage
+allow hardware_info_app sysfs_scsi_devices_0000:dir search;
+allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index e8d4b92d..de08a892 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -1 +1,3 @@
 binder_use(pixelstats_vendor)
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
From 78d0abfb738236cf6ba075f1cdca2600734d658b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 22 Nov 2021 09:59:08 +0800
Subject: [PATCH 180/900] update error on ROM 7935766
Bug: 207300335
Bug: 207300298
Bug: 207300281
Bug: 207300315
Bug: 207300261
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: Ia79829128db2286ec8ae9c20520be8a25c195cb0
---
tracking_denials/crash_dump.te | 7 +++++++
tracking_denials/hal_camera_default.te | 2 ++
tracking_denials/priv_app.te | 6 ++++++
tracking_denials/radio.te | 2 ++
tracking_denials/uwb_vendor_app.te | 5 +++++
5 files changed, 22 insertions(+)
create mode 100644 tracking_denials/crash_dump.te
create mode 100644 tracking_denials/radio.te
create mode 100644 tracking_denials/uwb_vendor_app.te
diff --git a/tracking_denials/crash_dump.te b/tracking_denials/crash_dump.te
new file mode 100644
index 00000000..b736b20d
--- /dev/null
+++ b/tracking_denials/crash_dump.te
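Review bot: `allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;` gives a statistics reporter write access to the UFS sysfs files, while `hal_power_stats_default`, added in the same commit for the same storage data, gets `r_file_perms`; unless pixelstats resets a counter, the write bit is excess privilege and `r_file_perms` is the consistent choice. The hunk also grants no `dir search` on `sysfs_scsi_devices_0000`, unlike the hal_power_stats_default and hardware_info_app rules, so the file access may be unreachable unless another rule already covers the directory — worth verifying on an enforcing build. A one-line `# Storage` comment, matching the hardware_info_app hunk, would also say what is being collected.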
@@ -0,0 +1,7 @@
+# b/207300335
+dontaudit crash_dump hwservicemanager_prop:file { getattr };
+dontaudit crash_dump hwservicemanager_prop:file { map };
+dontaudit crash_dump hwservicemanager_prop:file { open };
+dontaudit crash_dump qemu_sf_lcd_density_prop:file { getattr };
+dontaudit crash_dump qemu_sf_lcd_density_prop:file { map };
+dontaudit crash_dump qemu_sf_lcd_density_prop:file { open };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 70436e89..44f87210 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -52,3 +52,5 @@ dontaudit hal_camera_default system_server:binder { call };
 dontaudit hal_camera_default device:chr_file { ioctl };
 dontaudit hal_camera_default device:chr_file { open };
 dontaudit hal_camera_default device:chr_file { read };
+# b/207300298
+dontaudit hal_camera_default vendor_camera_data_file:file { getattr };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index c966f4e6..871e43f1 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -2,3 +2,9 @@
 dontaudit priv_app vendor_default_prop:file { getattr };
 dontaudit priv_app vendor_default_prop:file { map };
 dontaudit priv_app vendor_default_prop:file { open };
+# b/207300281
+dontaudit priv_app vendor_file:file { execute };
+dontaudit priv_app vendor_file:file { getattr };
+dontaudit priv_app vendor_file:file { map };
+dontaudit priv_app vendor_file:file { open };
+dontaudit priv_app vendor_file:file { read };
diff --git a/tracking_denials/radio.te b/tracking_denials/radio.te
new file mode 100644
index 00000000..a71d5772
--- /dev/null
+++ b/tracking_denials/radio.te
@@ -0,0 +1,2 @@
+# b/207300315
+dontaudit radio sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te
new file mode 100644
index 00000000..57127193
--- /dev/null
+++ b/tracking_denials/uwb_vendor_app.te
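Review bot: `dontaudit priv_app vendor_file:file { execute };` hides a privileged app executing (or mapping for execution) a file under /vendor, which is exactly the system/vendor boundary crossing that Treble policy is designed to keep app domains from doing, and the denial is the only signal that identifies which app is attempting it. Silencing it keeps the PTS run quiet but leaves that app broken on enforcing builds with nothing in the log to explain why; the entry should be limited to the metadata permissions (`getattr map open read`) and the `execute` line left auditable until b/207300281 names the caller. A comment such as `# execute on /vendor from a priv app is a Treble violation — do not make this suppression permanent` would keep the intent visible to whoever next touches this file.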
@@ -0,0 +1,5 @@
+# b/207300261
+dontaudit uwb_vendor_app vendor_secure_element_prop:file { getattr };
+dontaudit uwb_vendor_app vendor_secure_element_prop:file { map };
+dontaudit uwb_vendor_app vendor_secure_element_prop:file { open };
+dontaudit uwb_vendor_app vendor_secure_element_prop:file { read };
From a1a5f118720894a0e57111f1345ba5abef4bdb05 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 22 Nov 2021 10:17:50 +0800
Subject: [PATCH 181/900] label google battery sysfs file
Bug: 207062874
Test: boot with no relevant error log
Change-Id: Ic5477f0deb24f0bd9c46aef70459f0b629cdb5ef
---
tracking_denials/hal_googlebattery.te | 4 ----
whitechapel_pro/genfs_contexts | 4 ++--
2 files changed, 2 insertions(+), 6 deletions(-)
delete mode 100644 tracking_denials/hal_googlebattery.te
diff --git a/tracking_denials/hal_googlebattery.te b/tracking_denials/hal_googlebattery.te
deleted file mode 100644
index 928e009c..00000000
--- a/tracking_denials/hal_googlebattery.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/207062874
-dontaudit hal_googlebattery sysfs:file { getattr };
-dontaudit hal_googlebattery sysfs:file { open };
-dontaudit hal_googlebattery sysfs:file { read };
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index dd765717..d5fe24d5 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -88,5 +88,5 @@ genfscon debugfs /gvotables u:object
 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
 # C10 battery
-genfscon sysfs /sys/devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
From d15185b2d72d3efd06d2caf0abf14a91c7446fda Mon Sep 17 00:00:00 2001
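Review bot: The `# C10 battery`  comment now heads two entries, but only the eeprom line is the C10 cell data; the added `google,battery/power_supply/battery` line is the platform battery driver's power_supply node and should carry its own comment, e.g. `# google_battery power_supply node (read by hal_googlebattery)`. It is also worth a line explaining the path change, since the old `/sys/devices/...` form could never match (genfscon paths for sysfs are relative to the mount root, so it was looking under /sys/sys/...) and the same slip is easy to repeat: `# genfscon paths are relative to /sys — do not prefix with /sys`.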
From: George Chang Date: Thu, 18 Nov 2021 11:46:41 +0800 Subject: [PATCH 182/900] Fix SELinux error coming from hal_secure_element_gto and gto_ese2 update hal_secure_element_st54spi/st33spi form gto/gto_ese2 hal_secure_element_gto.te => hal_secure_element_st54spi.te [ 10.846098] type=1400 audit(1637296724.408:40): avc: denied { map } for comm="android.hardwar" path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-19 12:38:44.408 776 776 I android.hardwar: type=1400 audit(0.0:40): avc: denied { map } for path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-19 12:38:44.408 776 776 I android.hardwar: type=1400 audit(0.0:39): avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-19 12:38:44.408 776 776 I android.hardwar: type=1400 audit(0.0:38): avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-19 12:38:44.408 776 776 I android.hardwar: type=1400 audit(0.0:37): avc: denied { read } for name="u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 [ 10.846033] type=1400 audit(1637296724.408:37): avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 
tclass=file permissive=1 [ 10.846072] type=1400 audit(1637296724.408:38): avc: denied { open } for comm="android.hardwar" path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 [ 10.846086] type=1400 audit(1637296724.408:39): avc: denied { getattr } for comm="android.hardwar" path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-11 09:38:59.132 785 785 I secure_element@: type=1400 audit(0.0:100): avc: denied { write } for name="property_service" dev="tmpfs" ino=357 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 11-11 09:38:59.132 785 785 I secure_element@: type=1400 audit(0.0:101): avc: denied { connectto } for path="/dev/socket/property_service" scontext=u:r:hal_secure_element_gto:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 [ 19.593472] type=1400 audit(1636594739.132:101): avc: denied { connectto } for comm="secure_element@" path="/dev/socket/property_service" scontext=u:r:hal_secure_element_gto:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 [ 19.593175] type=1400 audit(1636594739.132:100): avc: denied { write } for comm="secure_element@" name="property_service" dev="tmpfs" ino=357 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 11-09 12:04:08.620 786 786 I secure_element@: type=1400 audit(0.0:135): avc: denied { open } for path="/dev/st54spi" dev="tmpfs" ino=584 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 [ 17.142141] type=1400 audit(1636430648.620:135): avc: denied { open } for comm="secure_element@" path="/dev/st54spi" dev="tmpfs" ino=584 
scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 [ 17.141947] type=1400 audit(1636430648.620:134): avc: denied { read write } for comm="secure_element@" name="st54spi" dev="tmpfs" ino=584 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 11-09 12:04:08.620 786 786 I secure_element@: type=1400 audit(0.0:134): avc: denied { read write } for name="st54spi" dev="tmpfs" ino=584 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 11-04 13:27:24.564 1 1 I /system/bin/init: type=1107 audit(0.0:52): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.se.reset pid=772 uid=1068 gid=1068 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=property_service permissive=1' 11-19 10:22:25.052 797 797 I secure_element@: type=1400 audit(0.0:49): avc: denied { read write } for name="st21nfc" dev="tmpfs" ino=708 scontext=u:r:hal_secure_element_st54spi:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 11-19 10:22:25.052 797 797 I secure_element@: type=1400 audit(0.0:50): avc: denied { open } for path="/dev/st21nfc" dev="tmpfs" ino=708 scontext=u:r:hal_secure_element_st54spi:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 hal_secure_element_gto_ese2 => hal_secure_element_st33spi.te 11-09 12:04:09.140 771 771 I secure_element@: type=1400 audit(0.0:137): avc: denied { open } for path="/dev/st33spi" dev="tmpfs" ino=728 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 [ 17.660987] type=1400 audit(1636430649.140:137): avc: denied { open } for comm="secure_element@" path="/dev/st33spi" dev="tmpfs" ino=728 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file 
permissive=1 [ 17.660845] type=1400 audit(1636430649.140:136): avc: denied { read write } for comm="secure_element@" name="st33spi" dev="tmpfs" ino=728 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 11-09 12:04:09.140 771 771 I secure_element@: type=1400 audit(0.0:136): avc: denied { read write } for name="st33spi" dev="tmpfs" ino=728 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 Bug: 207062261 Bug: 205073164 Bug: 205656951 Bug: 205657039 Bug: 205904452 Test: check avc without secure_element Change-Id: I312299deb6d6bfa353e7936d41a723e75d3ea06b --- tracking_denials/hal_secure_element_gto.te | 13 ------------- tracking_denials/hal_secure_element_gto_ese2.te | 3 --- whitechapel_pro/device.te | 4 ++++ whitechapel_pro/file_contexts | 8 ++++---- whitechapel_pro/hal_secure_element_st33spi.te | 6 ++++++ whitechapel_pro/hal_secure_element_st54spi.te | 8 ++++++++ whitechapel_pro/ofl_app.te | 9 ++++++--- 7 files changed, 28 insertions(+), 23 deletions(-) delete mode 100644 tracking_denials/hal_secure_element_gto.te delete mode 100644 tracking_denials/hal_secure_element_gto_ese2.te create mode 100644 whitechapel_pro/hal_secure_element_st33spi.te create mode 100644 whitechapel_pro/hal_secure_element_st54spi.te diff --git a/tracking_denials/hal_secure_element_gto.te b/tracking_denials/hal_secure_element_gto.te deleted file mode 100644 index d264971b..00000000 --- a/tracking_denials/hal_secure_element_gto.te +++ /dev/null 
@@ -1,13 +0,0 @@
-# b/205073164
-dontaudit hal_secure_element_gto vendor_secure_element_prop:property_service { set };
-# b/205656951
-dontaudit hal_secure_element_gto secure_element_device:chr_file { open };
-dontaudit hal_secure_element_gto secure_element_device:chr_file { read write };
-# b/205904452
-dontaudit hal_secure_element_gto init:unix_stream_socket { connectto };
-dontaudit hal_secure_element_gto property_socket:sock_file { write };
-# b/207062261
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { getattr };
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { map };
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { open };
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { read };
diff --git a/tracking_denials/hal_secure_element_gto_ese2.te b/tracking_denials/hal_secure_element_gto_ese2.te
deleted file mode 100644
index 3c17e5b3..00000000
--- a/tracking_denials/hal_secure_element_gto_ese2.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/205657039
-dontaudit hal_secure_element_gto_ese2 secure_element_device:chr_file { open };
-dontaudit hal_secure_element_gto_ese2 secure_element_device:chr_file { read write };
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 1f5e22ba..e6bb4fe0 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -17,3 +17,7 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+# SecureElement SPI device
+type st54spi_device, dev_type;
+type st33spi_device, dev_type;
+
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index d18bc9dd..45e7974a 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -28,8 +28,8 @@
 /vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
@@ -123,8 +123,8 @@
 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0
 /dev/sg1 u:object_r:sg_device:s0
 /dev/st21nfc u:object_r:nfc_device:s0
-/dev/st54spi u:object_r:secure_element_device:s0
-/dev/st33spi u:object_r:secure_element_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/st33spi u:object_r:st33spi_device:s0
 /dev/ttyGS[0-3] u:object_r:serial_device:s0
 /dev/oem_ipc[0-7] u:object_r:radio_device:s0
 /dev/umts_boot0 u:object_r:radio_device:s0
diff --git a/whitechapel_pro/hal_secure_element_st33spi.te b/whitechapel_pro/hal_secure_element_st33spi.te
new file mode 100644
index 00000000..cecc8fe8
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_st33spi.te
@@ -0,0 +1,6 @@ +type hal_secure_element_st33spi, domain; +hal_server_domain(hal_secure_element_st33spi, hal_secure_element) +type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_secure_element_st33spi) +allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms; + diff --git a/whitechapel_pro/hal_secure_element_st54spi.te b/whitechapel_pro/hal_secure_element_st54spi.te new file mode 100644 index 00000000..a3e74be3 --- /dev/null +++ b/whitechapel_pro/hal_secure_element_st54spi.te @@ -0,0 +1,8 @@ +type hal_secure_element_st54spi, domain; +hal_server_domain(hal_secure_element_st54spi, hal_secure_element) +type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_secure_element_st54spi) +allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; +allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; +set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) + diff --git a/whitechapel_pro/ofl_app.te b/whitechapel_pro/ofl_app.te index e3f61408..a9498165 100644 --- a/whitechapel_pro/ofl_app.te +++ b/whitechapel_pro/ofl_app.te @@ -11,7 +11,10 @@ userdebug_or_eng(` allow ofl_app radio_service:service_manager find; allow ofl_app surfaceflinger_service:service_manager find; - # Access to directly update firmware on secure_element - typeattribute secure_element_device mlstrustedobject; - allow ofl_app secure_element_device:chr_file rw_file_perms; + # Access to directly update firmware on st54spi_device + typeattribute st54spi_device mlstrustedobject; + allow ofl_app st54spi_device:chr_file rw_file_perms; + # Access to directly update firmware on st33spi_device + typeattribute st33spi_device mlstrustedobject; + allow ofl_app st33spi_device:chr_file rw_file_perms; ') From 3ba42745f4b75cc0d6ee8b0f5e6de15336b6ef98 Mon Sep 17 00:00:00 2001 
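Review bot: `allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;` gives the eSE HAL read/write/ioctl on the NFC controller node (/dev/st21nfc is labeled nfc_device in this patch's file_contexts hunk), a device the NFC stack also drives, and the new file carries no comment saying why — presumably the eSE on this part is reached through the NFC controller, but that should be stated rather than guessed. Add `# ST54: eSE traffic goes through the NFC controller, so /dev/st21nfc is needed as well` above the rule, and if only a few ioctls are used, pin them with an `allowxperm hal_secure_element_st54spi nfc_device:chr_file ioctl { ... };` allowlist so a compromised eSE HAL cannot issue arbitrary NFC ioctls. The st33spi domain in the hunk above, which touches only its own node, is the shape to aim for.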
From: Randall Huang Date: Mon, 22 Nov 2021 14:26:38 +0800 Subject: [PATCH 183/900] Allow vendor_init to modify read_ahead_kb Bug: 206741894 Bug: 207062206 Test: boot to home Signed-off-by: Randall Huang Change-Id: I6cc59722520df12aef103fc330f9acd8e800318d --- tracking_denials/vendor_init.te | 1 - whitechapel_pro/vendor_init.te | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 5367a488..6f615a22 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -6,5 +6,4 @@ dontaudit vendor_init vendor_modem_prop:file { map }; dontaudit vendor_init vendor_modem_prop:file { open }; dontaudit vendor_init vendor_modem_prop:file { read }; # b/207062206 -dontaudit vendor_init proc_dirty:file { write }; dontaudit vendor_init proc_sched:file { write }; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 53faecf6..39d9bf6f 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -7,6 +7,8 @@ set_prop(vendor_init, vendor_ready_prop) get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_device_prop) +allow vendor_init proc_dirty:file w_file_perms; + # NFC vendor property set_prop(vendor_init, vendor_nfc_prop) # SecureElement vendor property From a4a0b90afbe3173736da807791282a501b3e4917 Mon Sep 17 00:00:00 2001 From: Oleg Matcovschi Date: Fri, 19 Nov 2021 16:37:47 -0800 Subject: [PATCH 184/900] sepolicy: add persist.vendor.sys.ssr property context Bug: 205073166 Signed-off-by: Oleg Matcovschi Change-Id: I81794ab8d320affcfef8f77895712aaa840f7abc --- whitechapel_pro/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index cede6efe..52416407 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts 
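Review bot: The rule `allow vendor_init proc_dirty:file w_file_perms;` does not match the subject "Allow vendor_init to modify read_ahead_kb": as far as I know read_ahead_kb is a block-queue sysfs attribute, whereas proc_dirty is the label of the /proc/sys/vm dirty_* tunables that the retired dontaudit (`proc_dirty:file { write }`) pointed at, and the grant covers every file under that label rather than one knob. Either the subject is wrong or the rule is; whichever it is, put a comment on the rule naming the init.rc write it serves, e.g. `# init.<device>.rc writes /proc/sys/vm/dirty_* (b/207062206)`, so the next reader can verify it. The proc_sched dontaudit left behind in tracking_denials suggests the same init.rc block still has an unresolved write.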
@@ -48,6 +48,7 @@ persist.vendor.config. u:object_r:vendor_persist_config_defa # SSR Detector vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 +persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0 # test battery profile persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 From c90030d1f706472c6b7d8e1fd522797b62f0571d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 22 Nov 2021 13:18:09 +0800 Subject: [PATCH 185/900] label system_suspend wakeup files use "adb shell ls -l sys/class/wakeup" to get all paths Bug: 207062779 Test: boot with no relevant error log Change-Id: Ib43090cecf3d74e5c8b07e7e13de58cf6ee7ddbe --- tracking_denials/system_suspend.te | 11 ----------- whitechapel_pro/genfs_contexts | 30 ++++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 11 deletions(-) delete mode 100644 tracking_denials/system_suspend.te diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te deleted file mode 100644 index 0c1c034e..00000000 --- a/tracking_denials/system_suspend.te +++ /dev/null @@ -1,11 +0,0 @@ -# b/207062779 -dontaudit system_suspend_server sysfs:dir { open }; -dontaudit system_suspend_server sysfs:dir { read }; -dontaudit system_suspend_server sysfs:file { getattr }; -dontaudit system_suspend_server sysfs:file { open }; -dontaudit system_suspend_server sysfs:file { read }; -dontaudit system_suspend_server sysfs_aoc:dir { open }; -dontaudit system_suspend_server sysfs_aoc:dir { read }; -dontaudit system_suspend_server sysfs_aoc:file { getattr }; -dontaudit system_suspend_server sysfs_aoc:file { open }; -dontaudit system_suspend_server sysfs_aoc:file { read }; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index d5fe24d5..7f1db468 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
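Review bot: `persist.vendor.sys.ssr.` is labeled with vendor_ssrdump_prop, the same type as the debug prefix `vendor.debug.ssrdump.` directly above it, so every domain allowed to set the debug properties can now also set a persistent one, and the message does not say whether that is intended. If the persisted value needs a narrower writer set than the debug knobs (usually the point of a persist. property), give it its own type, e.g. `persist.vendor.sys.ssr. u:object_r:vendor_ssr_persist_prop:s0` plus the matching type declaration; if sharing is deliberate, a one-line comment such as `# persisted SSR settings, same writers as the debug properties` would record that.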
@@ -90,3 +90,33 @@ genfscon debugfs /google_battery u:object
 # C10 battery
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
+
+# system suspend wakeup files
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-power-keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0
From ed245711ece3bc6947a0033a0f79dd1b7d96c089 Mon Sep 17 00:00:00 2001
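Review bot: Many of the new sysfs_wakeup entries carry enumeration-dependent path components — `alarmtimer.1.auto`, `spi0.0`, the `i2c-N`/`N-00xx` bus numbers — which can move with a kernel or device-tree change; genfscon is a prefix match, so a moved node quietly stays plain `sysfs` and system_suspend_server is denied again, which is exactly what the dontaudit file deleted by this patch was hiding. Record the provenance next to the block, e.g. `# generated from: adb shell ls -l /sys/class/wakeup (b/207062779); regenerate after kernel/DT changes`, and consider a boot-time or presubmit check that every /sys/class/wakeup/* target resolves to sysfs_wakeup so drift is caught loudly rather than by a fresh denial.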
From: Adam Shih
Date: Mon, 22 Nov 2021 13:58:05 +0800
Subject: [PATCH 186/900] fix sysfs_vendor_sched access
Bug: 207062776
Bug: 207062777
Bug: 207062877
Bug: 207062211
Bug: 207062232
Bug: 207062208
Test: boot with no relevant access
Change-Id: I585653383ad0061fc6e9669c0590432c235f7e14
---
 tracking_denials/hal_power_default.te | 3 ---
 tracking_denials/init.te | 3 ---
 tracking_denials/logd.te | 2 --
 tracking_denials/logpersist.te | 2 --
 tracking_denials/surfaceflinger.te | 2 --
 tracking_denials/untrusted_app_30.te | 2 --
 tracking_denials/zygote.te | 4 ----
 whitechapel_pro/domain.te | 2 ++
 whitechapel_pro/untrusted_app_all.te | 1 +
 9 files changed, 3 insertions(+), 18 deletions(-)
 delete mode 100644 tracking_denials/init.te
 delete mode 100644 tracking_denials/logd.te
 delete mode 100644 tracking_denials/logpersist.te
 delete mode 100644 tracking_denials/untrusted_app_30.te
 delete mode 100644 tracking_denials/zygote.te
 create mode 100644 whitechapel_pro/domain.te
 create mode 100644 whitechapel_pro/untrusted_app_all.te
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index 62741ebc..0864301a 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -1,6 +1,3 @@
 # b/207062564
 dontaudit hal_power_default sysfs:file { open };
 dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs_vendor_sched:dir { search };
-dontaudit hal_power_default sysfs_vendor_sched:file { open };
-dontaudit hal_power_default sysfs_vendor_sched:file { write };
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
deleted file mode 100644
index 7f2a01fe..00000000
--- a/tracking_denials/init.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/207062776
-dontaudit init sysfs_vendor_sched:file { open };
-dontaudit init sysfs_vendor_sched:file { write };
diff --git a/tracking_denials/logd.te b/tracking_denials/logd.te
deleted file mode 100644
index 1adadfb5..00000000
--- a/tracking_denials/logd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/207062777
-dontaudit logd sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/logpersist.te b/tracking_denials/logpersist.te
deleted file mode 100644
index bf0c1af5..00000000
--- a/tracking_denials/logpersist.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/207062877
-dontaudit logpersist sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
index 97f404c2..3ccdc9c3 100644
--- a/tracking_denials/surfaceflinger.te
+++ b/tracking_denials/surfaceflinger.te
@@ -4,5 +4,3 @@ dontaudit surfaceflinger kernel:process { setsched };
 dontaudit surfaceflinger vendor_fw_file:dir { search };
 dontaudit surfaceflinger vendor_fw_file:file { open };
 dontaudit surfaceflinger vendor_fw_file:file { read };
-# b/207062211
-dontaudit surfaceflinger sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/untrusted_app_30.te b/tracking_denials/untrusted_app_30.te
deleted file mode 100644
index 9236a012..00000000
--- a/tracking_denials/untrusted_app_30.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/207062232
-dontaudit untrusted_app_30 sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
deleted file mode 100644
index 0c1eaba1..00000000
--- a/tracking_denials/zygote.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/207062208
-dontaudit zygote sysfs_vendor_sched:dir { search };
-dontaudit zygote sysfs_vendor_sched:file { open };
-dontaudit zygote sysfs_vendor_sched:file { write };
diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te
new file mode 100644
index 00000000..3e1cbbb7
--- /dev/null
+++ b/whitechapel_pro/domain.te
@@ -0,0 +1,2 @@
+allow {domain -appdomain -rs} sysfs_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;
diff --git a/whitechapel_pro/untrusted_app_all.te b/whitechapel_pro/untrusted_app_all.te
new file mode 100644
index 00000000..47d4d1bd
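Review bot: `allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;` hands write access to the vendor scheduler knobs to every non-app domain on the device, while the denials this commit retires show only init, zygote and hal_power_default ever opening or writing a file — logd, logpersist, surfaceflinger and untrusted_app_30 only hit `dir { search }`. A blanket write grant is the wrong shape for that evidence: it lets any compromised daemon (shell, a media or HAL process, dumpstate, …) retune scheduling for the whole system, and it is hard to walk back once more domains start relying on it. Keep the dir rule broad if the search denials are just path-walking noise, but put the write on the three known writers, e.g. `allow { init zygote hal_power_default } sysfs_vendor_sched:file w_file_perms;`, each with a comment naming the init.rc or boost path that needs it.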
--- /dev/null
+++ b/whitechapel_pro/untrusted_app_all.te
@@ -0,0 +1 @@
+dontaudit untrusted_app_all sysfs_vendor_sched:dir search;
From a2b1ca5f7ea8efe217e6331c25cb1aba24072839 Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Mon, 22 Nov 2021 15:55:12 +0800
Subject: [PATCH 187/900] Fix selinux for adb bugreport
Bug: 206741894
Test: adb bugreport
Signed-off-by: Randall Huang
Change-Id: If82f30392676f414a79ddabe27d73ce751d61eee
---
 whitechapel_pro/dumpstate.te | 5 +++++
 whitechapel_pro/hal_dumpstate_default.te | 5 +++++
 2 files changed, 10 insertions(+)
 create mode 100644 whitechapel_pro/dumpstate.te
 create mode 100644 whitechapel_pro/hal_dumpstate_default.te
diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te
new file mode 100644
index 00000000..e11e8f7d
--- /dev/null
+++ b/whitechapel_pro/dumpstate.te
@@ -0,0 +1,5 @@
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir r_dir_perms;
+allow dumpstate modem_efs_file:dir r_dir_perms;
+allow dumpstate modem_userdata_file:dir r_dir_perms;
+allow dumpstate modem_img_file:dir r_dir_perms;
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
new file mode 100644
index 00000000..a80aacf8
--- /dev/null
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -0,0 +1,5 @@
+allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default proc_f2fs:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
From 8a4d5bd3b523a5e5dce45bdffc94bb1c3500efeb Mon Sep 17 00:00:00 2001
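Review bot: dumpstate gains directory enumeration of persist_file, modem_efs_file, modem_userdata_file and modem_img_file with no comment saying which bugreport section needs it; since bugreports leave the device, the consumer and the fact that this is deliberately dir-only (names, not contents) should be written down, e.g. `# bugreport lists the modem/persist directories; listing only, do not extend to file read`. The rules are r_dir_perms only, so file contents stay protected, but the next "fix the denial" change that widens this to `:file r_file_perms` would ship modem EFS/NV data in every bugreport — worth a neverallow if the project keeps any, or at least the comment.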
From: George Chang
Date: Mon, 22 Nov 2021 14:33:14 +0800
Subject: [PATCH 188/900] Fix nfc avc denials for sysfs_vendor_sched
11-19 12:38:54.416 2631 2631 I com.android.nfc: type=1400 audit(0.0:404): avc: denied { search } for comm=4173796E635461736B202331 name="vendor_sched" dev="sysfs" ino=45736 scontext=u:r:nfc:s0 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=dir permissive=1
Bug: 207062484
Test: check avc without nfc
Change-Id: I50507934c071745e257434f512d9dc835790e669
---
 tracking_denials/nfc.te | 2 --
 whitechapel_pro/nfc.te | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)
 create mode 100644 whitechapel_pro/nfc.te
diff --git a/tracking_denials/nfc.te b/tracking_denials/nfc.te
index 5033047c..3e17ff52 100644
--- a/tracking_denials/nfc.te
+++ b/tracking_denials/nfc.te
@@ -1,4 +1,2 @@
 # b/205904208
 dontaudit nfc zygote:binder { transfer };
-# b/207062484
-dontaudit nfc sysfs_vendor_sched:dir { search };
diff --git a/whitechapel_pro/nfc.te b/whitechapel_pro/nfc.te
new file mode 100644
index 00000000..febd851a
--- /dev/null
+++ b/whitechapel_pro/nfc.te
@@ -0,0 +1,2 @@
+allow nfc sysfs_vendor_sched:dir r_dir_perms;
+allow nfc sysfs_vendor_sched:file w_file_perms;
From 1a57e5c34623e19ddee6d330c1decbc10f168cee Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Mon, 22 Nov 2021 16:51:42 +0800
Subject: [PATCH 189/900] Fix selinux for vold idle-maint
Bug: 206741894
Bug: 207062776
Test: adb shell sm idle-maint run
Signed-off-by: Randall Huang
Change-Id: Ieb55fe439d3250b6d819381c4bc97e3e895ac23f
---
 tracking_denials/vold.te | 2 --
 whitechapel_pro/genfs_contexts | 1 +
 whitechapel_pro/hal_health_storage_default.te | 3 +++
 whitechapel_pro/vold.te | 2 ++
 4 files changed, 6 insertions(+), 2 deletions(-)
 delete mode 100644 tracking_denials/vold.te
 create mode 100644 whitechapel_pro/hal_health_storage_default.te
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
deleted file mode 100644
index 82e8385e..00000000
--- a/tracking_denials/vold.te
+++ /dev/null
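Review bot: The denial quoted in the commit message is `nfc sysfs_vendor_sched:dir { search }` only, but the fix also grants `allow nfc sysfs_vendor_sched:file w_file_perms;` — the NFC app process gets write access to scheduler tuning nodes that no other app domain has (the domain.te rule in patch 186 deliberately excludes appdomain). Unless there is an avc showing nfc actually writing these files, this should be `allow nfc sysfs_vendor_sched:dir search;` — or, if the search is incidental path-walking as it was treated for untrusted_app_all, a dontaudit — with a comment citing the denial. If nfc genuinely needs to write, name the node and the reason in a comment so the exception is deliberate.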
@@ -1,2 +0,0 @@ -# b/207062540 -dontaudit vold sysfs_scsi_devices_0000:file { write }; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 7f1db468..9a3b800b 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -75,6 +75,7 @@ genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 # debugfs genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 diff --git a/whitechapel_pro/hal_health_storage_default.te b/whitechapel_pro/hal_health_storage_default.te new file mode 100644 index 00000000..2aa0881e --- /dev/null +++ b/whitechapel_pro/hal_health_storage_default.te @@ -0,0 +1,3 @@ +# Access to /sys/devices/platform/14700000.ufs/* +allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms; +allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms; diff --git a/whitechapel_pro/vold.te b/whitechapel_pro/vold.te index 40da1b01..64ebf996 100644 --- a/whitechapel_pro/vold.te +++ b/whitechapel_pro/vold.te @@ -1,3 +1,5 @@ allow vold modem_efs_file:dir rw_dir_perms; allow vold modem_userdata_file:dir rw_dir_perms; +allow vold sysfs_scsi_devices_0000:file rw_file_perms; + From 48435ccfaa0e8afa9f69a7e6bf886c37f9e69735 Mon Sep 17 00:00:00 2001 
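Review bot: `allow vold sysfs_scsi_devices_0000:file rw_file_perms;` (and the same grant to hal_health_storage_default in the hunk above) covers every node carrying that label — the genfs hunk shows hibern8_on_idle_enable, health_descriptor, ufs_stats and now attributes/wb_avail_buf all sharing it — whereas the retired denial was a single `file { write }`. If idle-maint only needs one write-booster node, a dedicated label for it with `w_file_perms` would keep vold and the health-storage HAL from being able to toggle the UFS power-state knobs; at minimum, add a comment naming the node each domain writes, e.g. `# idle-maint: UFS write-booster attribute (b/206741894)`, so the breadth of the grant is visible. Bug 207062776 in the message belongs to the init sysfs_vendor_sched denial from patch 186 and looks like a copy-paste.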
From: Adam Shih Date: Mon, 22 Nov 2021 14:11:40 +0800 Subject: [PATCH 190/900] let uwb app access secure element property Bug: 207300261 Test: boot with no relevant error log Change-Id: I10f505d1ef3cbbc118082e5c44381c1b55389da3 --- tracking_denials/uwb_vendor_app.te | 5 ----- whitechapel_pro/uwb_vendor_app.te | 1 + 2 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 tracking_denials/uwb_vendor_app.te diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te deleted file mode 100644 index 57127193..00000000 --- a/tracking_denials/uwb_vendor_app.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/207300261 -dontaudit uwb_vendor_app vendor_secure_element_prop:file { getattr }; -dontaudit uwb_vendor_app vendor_secure_element_prop:file { map }; -dontaudit uwb_vendor_app vendor_secure_element_prop:file { open }; -dontaudit uwb_vendor_app vendor_secure_element_prop:file { read }; diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te index 223383c1..66237edc 100644 --- a/whitechapel_pro/uwb_vendor_app.te +++ b/whitechapel_pro/uwb_vendor_app.te @@ -18,5 +18,6 @@ allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; allow hal_uwb_vendor_default self:global_capability_class_set sys_nice; allow hal_uwb_vendor_default kernel:process setsched; +get_prop(uwb_vendor_app, vendor_secure_element_prop) binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From f6f699700c95ba6d2c2bc977058ddd20fe7c5dbb Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 23 Nov 2021 11:15:12 +0800 Subject: [PATCH 191/900] update error on ROM 7938763 Bug: 207431041 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I775a28827b107d43b47d3486e70f87a36a6babcc --- tracking_denials/logger_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te index 9a704fe2..fe3f6f02 100644 --- a/tracking_denials/logger_app.te +++ b/tracking_denials/logger_app.te 
@@ -26,3 +26,5 @@ dontaudit logger_app vendor_gps_file:dir { search }; dontaudit logger_app vendor_gps_file:dir { getattr }; dontaudit logger_app vendor_gps_file:dir { open }; dontaudit logger_app vendor_gps_file:dir { read }; +# b/207431041 +dontaudit logger_app sysfs_vendor_sched:dir { search }; From 851a7bb16be17c403013ee9d21ea00122d9bcd83 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 23 Nov 2021 11:41:50 +0800 Subject: [PATCH 192/900] label extcon and remove obsolete zygote error Bug: 205904404 Bug: 206045368 Bug: 207062229 Test: boot with no relevant error logs Change-Id: If4c2f5591907bfcab2fd638f1222f84377270623 --- tracking_denials/system_server.te | 10 ---------- whitechapel_pro/genfs_contexts | 3 +++ 2 files changed, 3 insertions(+), 10 deletions(-) delete mode 100644 tracking_denials/system_server.te diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te deleted file mode 100644 index aef66509..00000000 --- a/tracking_denials/system_server.te +++ /dev/null @@ -1,10 +0,0 @@ -# b/205904404 -dontaudit system_server zygote:binder { call }; -# b/206045368 -dontaudit system_server zygote:binder { transfer }; -# b/207062229 -dontaudit system_server sysfs:dir { open }; -dontaudit system_server sysfs:dir { read }; -dontaudit system_server sysfs:file { getattr }; -dontaudit system_server sysfs:file { open }; -dontaudit system_server sysfs:file { read }; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 9a3b800b..7ea10d32 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -92,6 +92,9 @@ genfscon debugfs /google_battery u:object genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 +# Extcon +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 + # system suspend wakeup files genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 From e5e4f9f2b7e2451c16540cf61d0659ad1f982eb8 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 23 Nov 2021 11:59:01 +0800 Subject: [PATCH 193/900] make libOpenCL reachable Bug: 207300281 Test: boot with no relevant error log Change-Id: I294d23e2b29afd62da5c2327175f0c163da98cf0 --- tracking_denials/priv_app.te | 6 ------ whitechapel_pro/file_contexts | 2 ++ 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index 871e43f1..c966f4e6 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -2,9 +2,3 @@ dontaudit priv_app vendor_default_prop:file { getattr }; dontaudit priv_app vendor_default_prop:file { map }; dontaudit priv_app vendor_default_prop:file { open }; -# b/207300281 -dontaudit priv_app vendor_file:file { execute }; -dontaudit priv_app vendor_file:file { getattr }; -dontaudit priv_app vendor_file:file { map }; -dontaudit priv_app vendor_file:file { open }; -dontaudit priv_app vendor_file:file { read }; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 45e7974a..ba273e33 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -47,6 +47,8 @@ /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 # Vendor kernel modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 From 3dc2515efef643376ab67a0d5828e0c49405ada8 Mon Sep 17 00:00:00 2001 From: George Chang Date: Mon, 22 Nov 2021 11:16:59 +0800 Subject: [PATCH 194/900] Update SecureElement sysfs_st33spi Sepolicy Add rules for sysfs_st33spi Bug: 205250948 Test: check avc without secure_element Change-Id: I1ccf39ca09c6b19a597114f04803800d38fdf774 --- whitechapel_pro/file.te | 4 ++++ whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/vendor_init.te | 1 + 3 files changed, 9 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 3f6ae4ca..a7818a5a 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -77,3 +77,7 @@ type vendor_dumpsys, vendor_file_type, file_type; # Modem type modem_efs_file, file_type; type modem_userdata_file, file_type; + +# SecureElement +type sysfs_st33spi, sysfs_type, fs_type; + diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 7ea10d32..82b62db5 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -124,3 +124,7 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0 + +#SecureElement +genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 + 
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 39d9bf6f..68ac08be 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -13,4 +13,5 @@ allow vendor_init proc_dirty:file w_file_perms; set_prop(vendor_init, vendor_nfc_prop) # SecureElement vendor property set_prop(vendor_init, vendor_secure_element_prop) +allow vendor_init sysfs_st33spi:file w_file_perms; From 5e2ac8ab48e42a7428e738a94f7089b226ad6b08 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Mon, 22 Nov 2021 12:03:05 +0800 Subject: [PATCH 195/900] Fix modem related avc errors avc: denied { read } for name="u:object_r:vendor_modem_prop:s0" dev="tmpfs" ino=317 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_modem_prop:s0 tclass=file permissive=1 avc: denied { read } for comm="dmd" name="u:object_r:vendor_persist_config_default_prop:s0" dev="tmpfs" ino=319 scontext=u:r:dmd:s0 tcontext=u:object_r:vendor_persist_config_default_prop:s0 tclass=file permissive=1 avc: denied { read } for name="u:object_r:vendor_persist_config_default_prop:s0" dev="tmpfs" ino=319 scontext=u:r:vcd:s0 tcontext=u:object_r:vendor_persist_config_default_prop:s0 tclass=file permissive=1 Bug: 205073232 Bug: 205073025 Bug: 206045605 Change-Id: I3f76a138b4d6eeffb488fb5e5e15985ac6ef707d --- tracking_denials/dmd.te | 5 ----- tracking_denials/vcd.te | 5 ----- tracking_denials/vendor_init.te | 5 ----- whitechapel_pro/dmd.te | 1 + whitechapel_pro/property_contexts | 1 + whitechapel_pro/vcd.te | 1 + whitechapel_pro/vendor_init.te | 1 + 7 files changed, 4 insertions(+), 15 deletions(-) delete mode 100644 tracking_denials/dmd.te delete mode 100644 tracking_denials/vcd.te diff --git a/tracking_denials/dmd.te b/tracking_denials/dmd.te deleted file mode 100644 index de764e70..00000000 --- a/tracking_denials/dmd.te +++ /dev/null 
@@ -1,5 +0,0 @@ -# b/205073232 -dontaudit dmd vendor_persist_config_default_prop:file { getattr }; -dontaudit dmd vendor_persist_config_default_prop:file { map }; -dontaudit dmd vendor_persist_config_default_prop:file { open }; -dontaudit dmd vendor_persist_config_default_prop:file { read }; diff --git a/tracking_denials/vcd.te b/tracking_denials/vcd.te deleted file mode 100644 index 66f5c0c9..00000000 --- a/tracking_denials/vcd.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/205073025 -dontaudit vcd vendor_persist_config_default_prop:file { getattr }; -dontaudit vcd vendor_persist_config_default_prop:file { map }; -dontaudit vcd vendor_persist_config_default_prop:file { open }; -dontaudit vcd vendor_persist_config_default_prop:file { read }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 6f615a22..c6a4b4d3 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,9 +1,4 @@ # b/205656950 dontaudit vendor_init thermal_link_device:file { create }; -# b/206045605 -dontaudit vendor_init vendor_modem_prop:file { getattr }; -dontaudit vendor_init vendor_modem_prop:file { map }; -dontaudit vendor_init vendor_modem_prop:file { open }; -dontaudit vendor_init vendor_modem_prop:file { read }; # b/207062206 dontaudit vendor_init proc_sched:file { write }; diff --git a/whitechapel_pro/dmd.te b/whitechapel_pro/dmd.te index c247bb46..1cb17dc7 100644 --- a/whitechapel_pro/dmd.te +++ b/whitechapel_pro/dmd.te @@ -20,6 +20,7 @@ allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind }; set_prop(dmd, vendor_diag_prop) set_prop(dmd, vendor_slog_prop) set_prop(dmd, vendor_modem_prop) +get_prop(dmd, vendor_persist_config_default_prop) # Grant to access hwservice manager get_prop(dmd, hwservicemanager_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 52416407..417f0e43 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts 
@@ -42,6 +42,7 @@ persist.vendor.ril. u:object_r:vendor_rild_prop:s0 vendor.ril. u:object_r:vendor_rild_prop:s0 vendor.radio.ril. u:object_r:vendor_rild_prop:s0 vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 +persist.vendor.radio. u:object_r:vendor_rild_prop:s0 ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0 diff --git a/whitechapel_pro/vcd.te b/whitechapel_pro/vcd.te index 211d3675..c5c229ee 100644 --- a/whitechapel_pro/vcd.te +++ b/whitechapel_pro/vcd.te @@ -4,6 +4,7 @@ userdebug_or_eng(` init_daemon_domain(vcd) get_prop(vcd, vendor_rild_prop); + get_prop(vcd, vendor_persist_config_default_prop); allow vcd serial_device:chr_file rw_file_perms; allow vcd radio_device:chr_file rw_file_perms; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 68ac08be..e2ec60fa 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -6,6 +6,7 @@ set_prop(vendor_init, vendor_cbd_prop) set_prop(vendor_init, vendor_ready_prop) get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_device_prop) +set_prop(vendor_init, vendor_modem_prop) allow vendor_init proc_dirty:file w_file_perms; From 742cbc29b834329e15bba5c43597161733668596 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Mon, 22 Nov 2021 12:46:24 +0800 Subject: [PATCH 196/900] ssr_detector_app: fix avc error avc: denied { read } for name="u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=320 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1 Bug: 205202542 Change-Id: I84cbdb9d85ab58219554bfe0da35a00464a955ff From 7599ba8e55c7338f7800c89b861795007a8a0228 Mon Sep 17 00:00:00 2001 
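Review bot: The new `persist.vendor.radio. u:object_r:vendor_rild_prop:s0` line is not tied to any of the three denials quoted in the commit message, which all concern `vendor_modem_prop` and `vendor_persist_config_default_prop`, so it should be justified or split into its own change. property_contexts is prefix-matched, so this one line makes the entire persisted `persist.vendor.radio.*` namespace writable by any domain that already holds `set_prop(..., vendor_rild_prop)`, not just readable by the `vcd` consumer visible in this patch. If a single property is what is needed, list it explicitly and add a comment naming the reader and writer, e.g. `# <property>: written by rild, read by vcd`.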
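Review bot: `set_prop(vendor_init, vendor_modem_prop)` in whitechapel_pro/vendor_init.te grants more than the denial it closes: the quoted AVC for vendor_init is a `read` of the `vendor_modem_prop` property file (a get), and the `tracking_denials/vendor_init.te` lines this commit deletes were likewise only getattr/map/open/read. Unless vendor_init actually sets modem properties from an init script, which the commit does not state, the least-privilege fix is `get_prop(vendor_init, vendor_modem_prop)`. If it does set them, a one-line comment naming the .rc that writes them would make the wider grant reviewable.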
From: Firman Hadi Prayoga Date: Tue, 23 Nov 2021 19:48:29 +0800 Subject: [PATCH 197/900] Add /dev/lwis-eeprom-m24c64x-3j1 entry to selinux policy. lwis-eeprom-m24c64x-3j1 used by camera hal to access P22 front camere EEPROM device. Bug: 207062209 Fix: 207062209 Test: Boot, no avc denied logs for eeprom Change-Id: Ia12da5dbed1baef6d8a8ab2bf421b2987639e826 --- tracking_denials/hal_camera_default.te | 4 ---- whitechapel_pro/file_contexts | 1 + 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index 44f87210..a9d13c62 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te @@ -48,9 +48,5 @@ dontaudit hal_camera_default hal_radioext_default:binder { call }; dontaudit hal_camera_default init:unix_stream_socket { connectto }; dontaudit hal_camera_default property_socket:sock_file { write }; dontaudit hal_camera_default system_server:binder { call }; -# b/207062209 -dontaudit hal_camera_default device:chr_file { ioctl }; -dontaudit hal_camera_default device:chr_file { open }; -dontaudit hal_camera_default device:chr_file { read }; # b/207300298 dontaudit hal_camera_default vendor_camera_data_file:file { getattr }; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index ba273e33..990bb541 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -93,6 +93,7 @@ /dev/lwis-csi u:object_r:lwis_device:s0 /dev/lwis-dpm u:object_r:lwis_device:s0 /dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x-3j1 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0 /dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0 From 5e6beee1e646f1828b16a4e9350e0fee4a4606ea Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 24 Nov 2021 10:41:32 +0800 Subject: [PATCH 198/900] update error on ROM 7941916 Bug: 207571335 Bug: 207571546 Bug: 207571417 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I7b75837d13b532793ccbc326379c1d95aada429b --- tracking_denials/hal_power_stats_default.te | 7 +++++++ tracking_denials/logger_app.te | 4 ++++ tracking_denials/ssr_detector_app.te | 7 +++++++ 3 files changed, 18 insertions(+) diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index 3929f8d8..c5e490dc 100644 --- a/tracking_denials/hal_power_stats_default.te +++ b/tracking_denials/hal_power_stats_default.te @@ -11,3 +11,10 @@ dontaudit hal_power_stats_default sysfs_edgetpu:file { read }; dontaudit hal_power_stats_default sysfs_iio_devices:dir { read open }; dontaudit hal_power_stats_default sysfs_iio_devices:dir { read }; dontaudit hal_power_stats_default sysfs_iio_devices:dir { search }; +# b/207571335 +dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search }; +dontaudit hal_power_stats_default sysfs_acpm_stats:file { read }; +dontaudit hal_power_stats_default sysfs_aoc:dir { search }; +dontaudit hal_power_stats_default sysfs_aoc:file { getattr }; +dontaudit hal_power_stats_default sysfs_aoc:file { open }; +dontaudit hal_power_stats_default sysfs_aoc:file { read }; diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te index fe3f6f02..34a5eb92 100644 --- a/tracking_denials/logger_app.te +++ b/tracking_denials/logger_app.te @@ -28,3 +28,7 @@ dontaudit logger_app vendor_gps_file:dir { open }; dontaudit logger_app vendor_gps_file:dir { read }; # b/207431041 dontaudit logger_app sysfs_vendor_sched:dir { search }; +# b/207571546 +dontaudit logger_app vendor_gps_file:dir { remove_name }; +dontaudit logger_app vendor_gps_file:dir { write }; +dontaudit logger_app vendor_gps_file:file { unlink }; 
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te index dd4768b2..182b08e1 100644 --- a/tracking_denials/ssr_detector_app.te +++ b/tracking_denials/ssr_detector_app.te @@ -3,3 +3,10 @@ dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr }; dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map }; dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open }; dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read }; +# b/207571417 +dontaudit ssr_detector_app cgroup:file { open }; +dontaudit ssr_detector_app cgroup:file { write }; +dontaudit ssr_detector_app sysfs:file { getattr }; +dontaudit ssr_detector_app sysfs:file { open }; +dontaudit ssr_detector_app sysfs:file { read }; +dontaudit ssr_detector_app sysfs:file { write }; From 0df2e47cb15c47a4a65fe42b5e6a2f93bcb6461d Mon Sep 17 00:00:00 2001 From: wenchangliu Date: Tue, 23 Nov 2021 22:53:19 +0800 Subject: [PATCH 199/900] Allow mediacodec_samsung can route /dev/binder traffic to /dev/vndbinder This patch fixes the following denial: avc: denied { call } for scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:r:vndservicemanager:s0 tclass=binder permissive=1 avc: denied { transfer } for scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:r:vndservicemanager:s0 tclass=binder permissive=1 Bug: 205904381 Test: boot to home Change-Id: Ie2c0577bdf987466b4f729d9f78d1a6704cd9d24 --- tracking_denials/mediacodec_samsung.te | 3 --- whitechapel_pro/mediacodec_samsung.te | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te index 234242dd..09e2f0ed 100644 --- a/tracking_denials/mediacodec_samsung.te +++ b/tracking_denials/mediacodec_samsung.te 
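Review bot: The added `dontaudit ssr_detector_app sysfs:file { write };` and `dontaudit ssr_detector_app cgroup:file { write };` silence write denials on the generic `sysfs` and `cgroup` labels, which are exactly the denials needed to find the unlabeled node and decide whether the app should be writing there at all. A tracking dontaudit on a generic type hides that signal indefinitely, because no later denial will tell you which path to label. Consider keeping the write permissions out of the dontaudit (`dontaudit ssr_detector_app sysfs:file { getattr open read };`) and leaving the writes audited until b/207571417 identifies the path, or record the path in the comment so the rule can be replaced with a proper label.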
@@ -8,6 +8,3 @@ dontaudit mediacodec_samsung vndbinder_device:chr_file { map }; dontaudit mediacodec_samsung vndbinder_device:chr_file { open }; dontaudit mediacodec_samsung vndbinder_device:chr_file { read }; dontaudit mediacodec_samsung vndbinder_device:chr_file { write }; -# b/205904381 -dontaudit mediacodec_samsung vndservicemanager:binder { call }; -dontaudit mediacodec_samsung vndservicemanager:binder { transfer }; diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te index e34942a9..5ffa9203 100644 --- a/whitechapel_pro/mediacodec_samsung.te +++ b/whitechapel_pro/mediacodec_samsung.te @@ -4,3 +4,6 @@ init_daemon_domain(mediacodec_samsung) hal_server_domain(mediacodec_samsung, hal_codec2) add_service(mediacodec_samsung, eco_service) + +# can route /dev/binder traffic to /dev/vndbinder +vndbinder_use(mediacodec_samsung) From f2b1870b23c5b038a033e315b233981ef11f8307 Mon Sep 17 00:00:00 2001 
From: wenchangliu Date: Tue, 23 Nov 2021 21:30:55 +0800 Subject: [PATCH 200/900] Allow mediacodec_samsung to access video device and system-uncached DMA-BUF heap This patch fixes the following denial: avc: denied { getattr } for path="/dev/dma_heap/system-uncached" \ dev="tmpfs" ino=487 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { getattr } for path="/dev/video6" dev="tmpfs" ino=477 \ scontext=u:r:mediacodec_samsung:s0 tcontext=u:object_r:video_device:s0 \ tclass=chr_file permissive=1 avc: denied { read write } for name="video6" dev="tmpfs" ino=477 \ scontext=u:r:mediacodec_samsung:s0 tcontext=u:object_r:video_device:s0 \ tclass=chr_file permissive=1 avc: denied { open } for path="/dev/video6" dev="tmpfs" ino=477 \ scontext=u:r:mediacodec_samsung:s0 tcontext=u:object_r:video_device:s0 \ tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/video6" dev="tmpfs" ino=477 \ ioctlcmd=0x561b scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=1 Bug: 205657093 Test: video playback / screen recording Change-Id: Ia09bd29652b8197b4d5009f84077f6d5bb5551e2 --- tracking_denials/mediacodec_samsung.te | 7 ------- whitechapel_pro/mediacodec_samsung.te | 3 +++ 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te index 09e2f0ed..1fa99a1b 100644 --- a/tracking_denials/mediacodec_samsung.te +++ b/tracking_denials/mediacodec_samsung.te 
@@ -1,10 +1,3 @@ # b/204718809 dontaudit mediacodec_samsung system_server:fifo_file { append }; dontaudit mediacodec_samsung system_server:fifo_file { write }; -# b/205657093 -dontaudit mediacodec_samsung dmabuf_system_heap_device:chr_file { getattr }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { ioctl }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { map }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { open }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { read }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { write }; diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te index 5ffa9203..9ee40b63 100644 --- a/whitechapel_pro/mediacodec_samsung.te +++ b/whitechapel_pro/mediacodec_samsung.te @@ -7,3 +7,6 @@ add_service(mediacodec_samsung, eco_service) # can route /dev/binder traffic to /dev/vndbinder vndbinder_use(mediacodec_samsung) + +allow mediacodec_samsung video_device:chr_file rw_file_perms; +allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms; From fae7e198931292bddc0c264023029c89ea69f714 Mon Sep 17 00:00:00 2001 From: wenchangliu Date: Tue, 23 Nov 2021 21:48:05 +0800 Subject: [PATCH 201/900] Allow mediacodec_samsung to access graphics allocator avc: denied { find } for interface=android.hardware.graphics.mapper::IMapper \ sid=u:r:mediacodec_samsung:s0 pid=792 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:hal_graphics_mapper_hwservice:s0 tclass=hwservice_manager permissive=1 avc: denied { use } for path="/dmabuf:" dev="dmabuf" ino=94523 \ scontext=u:r:mediacodec_samsung:s0 tcontext=u:r:hal_graphics_allocator_default:s0 \ tclass=fd permissive=1 Bug: 205657093 Test: video playback / screen recording Change-Id: I6c64b4d2483b146358ef678c56aec68dd86eb878 --- whitechapel_pro/mediacodec_samsung.te | 3 +++ 1 file changed, 3 insertions(+) 
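Review bot: `allow mediacodec_samsung video_device:chr_file rw_file_perms;` includes `ioctl` on every node carrying the `video_device` label, while the quoted denials show the codec touching only `/dev/video6` with a single ioctl command (0x561b). Since media code is treated as untrusted (the same series later adds network neverallows for this domain), a narrower grant is worth considering: either a dedicated label for the MFC video node in file_contexts with `rw_file_perms` on that type only, or an `allowxperm mediacodec_samsung video_device:chr_file ioctl { ... };` allowlist of the V4L2 commands it actually issues. At minimum a comment such as `# MFC encoder/decoder node (/dev/video6)` would record why the whole class is granted.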
diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te index 9ee40b63..82a48271 100644 --- a/whitechapel_pro/mediacodec_samsung.te +++ b/whitechapel_pro/mediacodec_samsung.te @@ -10,3 +10,6 @@ vndbinder_use(mediacodec_samsung) allow mediacodec_samsung video_device:chr_file rw_file_perms; allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms; + +# can use graphics allocator +hal_client_domain(mediacodec_samsung, hal_graphics_allocator) From ecdcc0f73981c26075c078c022017bbf637f862f Mon Sep 17 00:00:00 2001 From: wenchangliu Date: Tue, 23 Nov 2021 22:20:27 +0800 Subject: [PATCH 202/900] Allow mediacodec_samsung to fallback crash dump avc: denied { write } for name="tombstoned_crash" \ dev="tmpfs" ino=948 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:tombstoned_crash_socket:s0 \ tclass=sock_file permissive=1 avc: denied { connectto } for path="/dev/socket/tombstoned_crash" \ scontext=u:r:mediacodec_samsung:s0 tcontext=u:r:tombstoned:s0 \ tclass=unix_stream_socket permissive=1 avc: denied { write } for path="pipe:[63031]" dev="pipefs" ino=63031 \ scontext=u:r:mediacodec_samsung:s0 tcontext=u:r:system_server:s0 \ tclass=fifo_file permissive=1 avc: denied { append } for path="pipe:[63031]" dev="pipefs" ino=63031 \ scontext=u:r:mediacodec_samsung:s0 tcontext=u:r:system_server:s0 \ tclass=fifo_file permissive= Bug: 204718809 Test: boot to home Change-Id: Iad67f936ac9d6d11e5f5646918074153372b8b00 --- tracking_denials/mediacodec_samsung.te | 3 --- whitechapel_pro/mediacodec_samsung.te | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 tracking_denials/mediacodec_samsung.te diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te deleted file mode 100644 index 1fa99a1b..00000000 --- a/tracking_denials/mediacodec_samsung.te +++ /dev/null 
@@ -1,3 +0,0 @@ -# b/204718809 -dontaudit mediacodec_samsung system_server:fifo_file { append }; -dontaudit mediacodec_samsung system_server:fifo_file { write }; diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te index 82a48271..253a8615 100644 --- a/whitechapel_pro/mediacodec_samsung.te +++ b/whitechapel_pro/mediacodec_samsung.te @@ -13,3 +13,5 @@ allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms; # can use graphics allocator hal_client_domain(mediacodec_samsung, hal_graphics_allocator) + +crash_dump_fallback(mediacodec_samsung) From 4bb1061c2db60be99ce9e691fc01a8b04ce379a4 Mon Sep 17 00:00:00 2001 From: wenchangliu Date: Tue, 23 Nov 2021 22:34:55 +0800 Subject: [PATCH 203/900] Add SELinux policy for mediacodec_samsung mediacodec_samsung is separated from mediacodec for mfc encoder/decoder. Add assumption from mediacodec.te as well. Bug: 204718809 Test: boot to home Change-Id: I67ce385903cf5abd2ba9dc62b7229320b3f7daa9 --- whitechapel_pro/mediacodec_samsung.te | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te index 253a8615..446693e6 100644 --- a/whitechapel_pro/mediacodec_samsung.te +++ b/whitechapel_pro/mediacodec_samsung.te 
@@ -15,3 +15,13 @@ allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms; hal_client_domain(mediacodec_samsung, hal_graphics_allocator) crash_dump_fallback(mediacodec_samsung) + +# mediacodec_samsung should never execute any executable without a domain transition +neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans; + +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *; +neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *; From f80cb8ae4eb5f711863af8a92898d28ffc9762e4 Mon Sep 17 00:00:00 2001 
From: Kyle Lin Date: Wed, 24 Nov 2021 10:28:01 +0800 Subject: [PATCH 204/900] Add policy for memlat governor needs create/delete perf events [46756.223414] type=1400 audit(1637720953.624:1227238): avc: denied { cpu } for comm="cpuhp/3" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1 [46791.079905] type=1400 audit(1637720988.480:1228172): avc: denied { cpu } for comm="cpuhp/5" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1 [46831.825465] type=1400 audit(1637721029.228:1230804): avc: denied { cpu } for comm="cpuhp/4" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1 [47068.752724] type=1400 audit(1637721266.152:1237844): avc: denied { cpu } for comm="cpuhp/3" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1 [47227.488992] type=1400 audit(1637721424.888:1241154): avc: denied { cpu } for comm="cpuhp/7" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1 Bug: 207047575 Test: build, boot and check warning message Change-Id: I735d5cfa5eb5614114d83a7892123d37c980d531 --- whitechapel_pro/kernel.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index 0958ba11..0156784e 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -4,3 +4,6 @@ allow kernel vendor_fw_file:file r_file_perms; # ZRam allow kernel per_boot_file:file r_file_perms; +# memlat needs permision to create/delete perf events when hotplug on/off +allow kernel self:capability2 perfmon; +allow kernel self:perf_event cpu; From 48d1b71ab1a9f09f97b3b4cbc186c776e67ee4fa Mon Sep 17 00:00:00 2001 From: Oleg Matcovschi Date: Tue, 23 Nov 2021 10:55:07 -0800 Subject: [PATCH 205/900] sepolicy: Remove sscoredump tracking denials file Bug: 205073166 
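Review bot: `allow kernel self:capability2 perfmon;` is not backed by any of the five denials in the commit message, which are all `perf_event { cpu }`; the device was permissive, so a missing CAP_PERFMON check would have been logged alongside them. Unless a later enforcing-mode run shows a `capability2 { perfmon }` denial, the grant appears speculative and should be dropped so the kernel domain keeps only `allow kernel self:perf_event cpu;`. The comment also has a typo (`permision`).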
Signed-off-by: Oleg Matcovschi Change-Id: I67d2500a5323203577c7fb90741c8dfec1cffd83 --- tracking_denials/sscoredump.te | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 tracking_denials/sscoredump.te diff --git a/tracking_denials/sscoredump.te b/tracking_denials/sscoredump.te deleted file mode 100644 index f3de0340..00000000 --- a/tracking_denials/sscoredump.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/205073166 -dontaudit sscoredump vendor_persist_sys_default_prop:file { getattr }; -dontaudit sscoredump vendor_persist_sys_default_prop:file { map }; -dontaudit sscoredump vendor_persist_sys_default_prop:file { open }; -dontaudit sscoredump vendor_persist_sys_default_prop:file { read }; From 81fb5ecc316189ef49257f810c3199938f066197 Mon Sep 17 00:00:00 2001 From: wenchangliu Date: Wed, 24 Nov 2021 16:18:32 +0800 Subject: [PATCH 206/900] Allow mediacodec_samsung to access mfc sysfs file avc: denied { read } for name="name" dev="sysfs" \ ino=61284 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { open } for \ path="/sys/devices/platform/mfc/video4linux/video6/name" \ dev="sysfs" ino=61284 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { getattr } for \ path="/sys/devices/platform/mfc/video4linux/video6/name" \ dev="sysfs" ino=61284 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 204718809 Test: video playback / camera recording Change-Id: I95c937375aa7ae19aef61af6b0f1aef73bd8957d --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/mediacodec_samsung.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index a7818a5a..5de2bdf1 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -40,6 +40,7 @@ type sysfs_touch, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; +type sysfs_mfc, sysfs_type, fs_type; # debugfs type debugfs_f2fs, debugfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 82b62db5..913b675c 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -58,6 +58,9 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +# mediacodec_samsung +genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0 + # Storage genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te index 446693e6..b1e09f50 100644 --- a/whitechapel_pro/mediacodec_samsung.te +++ b/whitechapel_pro/mediacodec_samsung.te @@ -11,6 +11,9 @@ vndbinder_use(mediacodec_samsung) allow mediacodec_samsung video_device:chr_file rw_file_perms; allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms; +allow mediacodec_samsung sysfs_mfc:file r_file_perms; +allow mediacodec_samsung sysfs_mfc:dir r_dir_perms; + # can use graphics allocator hal_client_domain(mediacodec_samsung, hal_graphics_allocator) From 1bb2fac3f680fe8a01d0f8d20f862ffe3cf51429 Mon Sep 17 00:00:00 2001 
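Review bot: The genfscon path `/devices/platform/mfc/video4linux/video` has no trailing slash and relies on genfscon prefix matching to label every `videoN` entry under that directory, which is easy to misread as a single node and to break if someone "fixes" it by appending a slash. A comment stating the intent would prevent that, e.g. `# prefix match: labels /sys/devices/platform/mfc/video4linux/video* (MFC encoder/decoder nodes)`. The denials only show `video6/name`; if other attributes under those nodes are sensitive, note which ones the codec needs.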
From: Adam Shih Date: Thu, 25 Nov 2021 10:21:16 +0800 Subject: [PATCH 207/900] update error on ROM 7945168 Bug: 207720645 Bug: 207720720 Bug: 207721033 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Iba41496590f1b82a51897c62e1cb74a224e484a5 --- tracking_denials/flags_health_check.te | 2 ++ tracking_denials/hal_power_stats_default.te | 7 +++++++ tracking_denials/hal_sensors_default.te | 5 +++++ 3 files changed, 14 insertions(+) create mode 100644 tracking_denials/flags_health_check.te diff --git a/tracking_denials/flags_health_check.te b/tracking_denials/flags_health_check.te new file mode 100644 index 00000000..60c3e829 --- /dev/null +++ b/tracking_denials/flags_health_check.te @@ -0,0 +1,2 @@ +# b/207720645 +dontaudit flags_health_check property_type:file *; diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index c5e490dc..ff6abb06 100644 --- a/tracking_denials/hal_power_stats_default.te +++ b/tracking_denials/hal_power_stats_default.te @@ -18,3 +18,10 @@ dontaudit hal_power_stats_default sysfs_aoc:dir { search }; dontaudit hal_power_stats_default sysfs_aoc:file { getattr }; dontaudit hal_power_stats_default sysfs_aoc:file { open }; dontaudit hal_power_stats_default sysfs_aoc:file { read }; +# b/207720720 +dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr }; +dontaudit hal_power_stats_default sysfs_acpm_stats:file { open }; +dontaudit hal_power_stats_default sysfs_wifi:dir { search }; +dontaudit hal_power_stats_default sysfs_wifi:file { getattr }; +dontaudit hal_power_stats_default sysfs_wifi:file { open }; +dontaudit hal_power_stats_default sysfs_wifi:file { read }; diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te index 492754fb..da3d3517 100644 --- a/tracking_denials/hal_sensors_default.te +++ b/tracking_denials/hal_sensors_default.te 
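Review bot: `dontaudit flags_health_check property_type:file *;` silences every permission on every property label for this domain, far beyond the read-style denials that tracking entries elsewhere in this series record. With a wildcard mask, any future property access problem in flags_health_check, including ones that should be fixed by labeling or by a get_prop, will never appear in the audit log. Limit it to the observed permissions and ideally the specific property type from the b/207720645 log, e.g. `dontaudit flags_health_check <prop_type>:file { getattr map open read };`.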
@@ -34,3 +34,8 @@ dontaudit hal_sensors_default sysfs_aoc_boottime:file { read }; dontaudit hal_sensors_default sysfs_chosen:dir { search }; dontaudit hal_sensors_default sysfs_chosen:file { open }; dontaudit hal_sensors_default sysfs_chosen:file { read }; +# b/207721033 +dontaudit hal_sensors_default sensor_reg_data_file:dir { search }; +dontaudit hal_sensors_default sensor_reg_data_file:file { getattr }; +dontaudit hal_sensors_default sensor_reg_data_file:file { open }; +dontaudit hal_sensors_default sensor_reg_data_file:file { read }; From 2720d2ac3850672c9680fb2254531742d01732a2 Mon Sep 17 00:00:00 2001 From: yixuanjiang Date: Tue, 16 Nov 2021 14:54:18 +0800 Subject: [PATCH 208/900] aoc: add audio property for audio aocdump feature Bug: 204080552 Test: local Signed-off-by: yixuanjiang Change-Id: Ie638676d86a20eafbc6975df03ebbbcf5ec193ac --- aoc/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/aoc/property_contexts b/aoc/property_contexts index cf460c23..d5028300 100644 --- a/aoc/property_contexts +++ b/aoc/property_contexts @@ -8,3 +8,4 @@ persist.vendor.audio. u:object_r:vendor_audio_prop:s0 vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0 vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0 vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 +vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 From 8d3c4a7b4efa248086199b3f73ec4dbd86f5a847 Mon Sep 17 00:00:00 2001 
From: Kris Chen Date: Sun, 14 Nov 2021 20:48:27 +0800 Subject: [PATCH 209/900] fingerprint: Fix avc errors Bug: 207062260 Test: boot with no relevant error on C10 Change-Id: I6d3b74c34d2344c4e889afaf8bb99278785e5416 --- tracking_denials/hal_fingerprint_default.te | 31 --------------------- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_fingerprint_default.te | 18 ++++++++++-- whitechapel_pro/property.te | 2 ++ whitechapel_pro/property_contexts | 3 ++ whitechapel_pro/vendor_init.te | 2 ++ 7 files changed, 25 insertions(+), 33 deletions(-) delete mode 100644 tracking_denials/hal_fingerprint_default.te diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te deleted file mode 100644 index 6698865e..00000000 --- a/tracking_denials/hal_fingerprint_default.te +++ /dev/null 
@@ -1,31 +0,0 @@ -# b/205073231 -dontaudit hal_fingerprint_default default_prop:file { getattr }; -dontaudit hal_fingerprint_default default_prop:file { map }; -dontaudit hal_fingerprint_default default_prop:file { open }; -dontaudit hal_fingerprint_default default_prop:file { read }; -dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { getattr }; -dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { map }; -dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { open }; -dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { read }; -# b/205656936 -dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { ioctl }; -dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { open }; -dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { read }; -dontaudit hal_fingerprint_default fingerprint_device:chr_file { ioctl }; -dontaudit hal_fingerprint_default fingerprint_device:chr_file { open }; -dontaudit hal_fingerprint_default fingerprint_device:chr_file { read write }; -dontaudit hal_fingerprint_default tee_device:chr_file { ioctl }; -dontaudit hal_fingerprint_default tee_device:chr_file { open }; -dontaudit hal_fingerprint_default tee_device:chr_file { read write }; -# b/205904310 -dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind }; -dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create }; -dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write }; -# b/207062260 -dontaudit hal_fingerprint_default default_prop:property_service { set }; -dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read }; -dontaudit hal_fingerprint_default init:unix_stream_socket { connectto }; -dontaudit hal_fingerprint_default property_socket:sock_file { write }; -dontaudit hal_fingerprint_default sysfs_chosen:dir { search }; -dontaudit hal_fingerprint_default sysfs_chosen:file { open }; -dontaudit 
hal_fingerprint_default sysfs_chosen:file { read }; diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index e6bb4fe0..d84d4c31 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -5,6 +5,7 @@ type custom_ab_block_device, dev_type; type persist_block_device, dev_type; type efs_block_device, dev_type; type modem_userdata_block_device, dev_type; +type mfg_data_block_device, dev_type; type sg_device, dev_type; type vendor_toe_device, dev_type; type lwis_device, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 990bb541..b50d2f10 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -155,6 +155,7 @@ /dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te index 4ddef392..8cb3ea83 100644 --- a/whitechapel_pro/hal_fingerprint_default.te +++ b/whitechapel_pro/hal_fingerprint_default.te 
@@ -1,5 +1,19 @@ -hal_client_domain(hal_fingerprint_default, hal_power) -add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) +allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; +allow hal_fingerprint_default tee_device:chr_file rw_file_perms; +allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; +allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms; allow hal_fingerprint_default fwk_stats_service:service_manager find; +get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) +set_prop(hal_fingerprint_default, vendor_fingerprint_prop) +add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) + +# allow fingerprint to access power hal +hal_client_domain(hal_fingerprint_default, hal_power); + +# Allow access to the files of CDT information. +r_dir_file(hal_fingerprint_default, sysfs_chosen) + +# Allow fingerprint to access calibration blk device. +allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms; allow hal_fingerprint_default block_device:dir search; diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index c7c31aa3..4cc19982 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -21,3 +21,5 @@ vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_logger_prop) +# Fingerprint +vendor_internal_prop(vendor_fingerprint_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 417f0e43..f07c0112 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -80,3 +80,6 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default # for gps vendor.gps u:object_r:vendor_gps_prop:s0 +# Fingerprint +vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 +vendor.gf. u:object_r:vendor_fingerprint_prop:s0 
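Review bot: `allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;` gives the fingerprint HAL raw read/write on an entire partition, yet the comment says it reads calibration data and none of the tracking denials this commit deletes mention that device at all. If the HAL only reads calibration, `r_file_perms` is the least-privilege grant; if it really writes the manufacturing partition, the comment should say so and what it writes, since a compromised HAL could otherwise corrupt device-unique data. The generic `self:netlink_socket` grant would likewise benefit from a comment naming the netlink protocol the driver uses.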
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index e2ec60fa..d3f89291 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -16,3 +16,5 @@ set_prop(vendor_init, vendor_nfc_prop) set_prop(vendor_init, vendor_secure_element_prop) allow vendor_init sysfs_st33spi:file w_file_perms; +# Fingerprint property +set_prop(vendor_init, vendor_fingerprint_prop) From 115e8e09905a244933904a5f0272ce9cd44a9f14 Mon Sep 17 00:00:00 2001 
From: Ted Lin Date: Thu, 25 Nov 2021 16:04:38 +0800 Subject: [PATCH 210/900] sepolicy: Remove tracking denials files and fix avc problems 11-25 14:00:09.300 1000 764 764 I android.hardwar: type=1400 audit(0.0:3): avc: denied { getattr } for path="/sys/devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/capacity" dev="sysfs" ino=68496 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 11-25 14:00:09.300 1000 764 764 I android.hardwar: type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/type" dev="sysfs" ino=67693 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 11-25 14:00:09.348 1000 764 764 I health@2.1-serv: type=1400 audit(0.0:7): avc: denied { open } for path="/sys/devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/online" dev="sysfs" ino=68490 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 11-25 14:00:09.348 1000 764 764 I health@2.1-serv: type=1400 audit(0.0:8): avc: denied { getattr } for path="/sys/devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/online" dev="sysfs" ino=68490 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 ... 11-25 14:28:35.996 1000 768 768 I android.hardwar: type=1400 audit(0.0:3): avc: denied { search } for name="i2c-p9412" dev="sysfs" ino=58948 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1 11-25 14:28:36.020 1000 768 768 I health@2.1-serv: type=1400 audit(0.0:4): avc: denied { search } for name="i2c-p9412" dev="sysfs" ino=58948 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1 ... 
11-26 11:11:36.172 1000 751 751 I android.hardwar: type=1400 audit(0.0:3): avc: denied { read } for name="type" dev="sysfs" ino=68359 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 11-26 11:11:36.172 1000 751 751 I android.hardwar: type=1400 audit(0.0:4): avc: denied { open } for path="/sys/devices/platform/google,cpm/power_supply/gcpm_pps/type" dev="sysfs" ino=68359 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 11-26 11:11:36.172 1000 751 751 I android.hardwar: type=1400 audit(0.0:5): avc: denied { getattr } for path="/sys/devices/platform/google,cpm/power_supply/gcpm_pps/type" dev="sysfs" ino=68359 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug:207062562 Bug:207062231 Test: adb bugreport and check avc problem Change-Id: I253f1cbe00650fdb96aced69edc8eaafa06ff6f9 Signed-off-by: Ted Lin --- tracking_denials/hal_health_default.te | 5 ----- tracking_denials/hal_wlc.te | 5 ----- whitechapel_pro/genfs_contexts | 14 +++++++++++--- whitechapel_pro/hal_health_default.te | 3 +++ whitechapel_pro/hal_wlc.te | 4 ++++ 5 files changed, 18 insertions(+), 13 deletions(-) delete mode 100644 tracking_denials/hal_health_default.te delete mode 100644 tracking_denials/hal_wlc.te diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te deleted file mode 100644 index a53e7d6a..00000000 --- a/tracking_denials/hal_health_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/207062562 -dontaudit hal_health_default sysfs:file { getattr }; -dontaudit hal_health_default sysfs:file { open }; -dontaudit hal_health_default sysfs:file { read }; -dontaudit hal_health_default sysfs:file { write }; diff --git a/tracking_denials/hal_wlc.te b/tracking_denials/hal_wlc.te deleted file mode 100644 index 13615090..00000000 --- a/tracking_denials/hal_wlc.te +++ /dev/null 
@@ -1,5 +0,0 @@ -# b/207062231 -dontaudit hal_wlc sysfs:file { getattr }; -dontaudit hal_wlc sysfs:file { open }; -dontaudit hal_wlc sysfs:file { read }; -dontaudit hal_wlc sysfs:file { write }; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 913b675c..dfe87d35 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -91,9 +91,17 @@ genfscon debugfs /google_charger u:object genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 -# C10 battery -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 +# Battery +genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0 + +# P22 battery +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 # Extcon genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index 57d3961d..a4294ee5 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te 
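Review bot: `genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0` labels the entire I2C controller subtree, not just the charger's power_supply nodes, so every device hanging off that bus (the max77759tcpc node whose extcon subdirectory is specially labelled two lines later, and anything else enumerated there) inherits sysfs_batteryinfo unless a more specific genfscon wins. That matters because the same patch grants `hal_health_default sysfs_batteryinfo:file w_file_perms`, which now reaches all of those nodes. The denied paths quoted in the commit message (`.../10d60000.hsi2c/i2c-5/5-0069/power_supply/...`) are already covered by the more specific `.../i2c-5/5-0069/power_supply` entry added in this hunk, so the controller-wide line looks unnecessary for the stated bugs; I would drop it, or if the google,cpm/charger paths need it, label only the `.../power_supply` directories involved.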
@@ -6,3 +6,6 @@ set_prop(hal_health_default, vendor_battery_defender_prop) # Access to /sys/devices/platform/14700000.ufs/* allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; + +allow hal_health_default sysfs_wlc:dir search; +allow hal_health_default sysfs_batteryinfo:file w_file_perms; diff --git a/whitechapel_pro/hal_wlc.te b/whitechapel_pro/hal_wlc.te index bd72d1dc..80eb1674 100644 --- a/whitechapel_pro/hal_wlc.te +++ b/whitechapel_pro/hal_wlc.te @@ -6,6 +6,10 @@ hwbinder_use(hal_wlc) add_hwservice(hal_wlc, hal_wlc_hwservice) get_prop(hal_wlc, hwservicemanager_prop) +r_dir_file(hal_wlc, sysfs_batteryinfo) +allow hal_wlc sysfs_wlc:dir r_dir_perms; +allow hal_wlc sysfs_wlc:file rw_file_perms; + allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; binder_call(hal_wlc, platform_app) From 7bbd1fb38a294b63c9564eb4082d6ca9a907979f Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 25 Nov 2021 05:39:53 +0000 Subject: [PATCH 211/900] Allow vendor_init to modify proc_sched Bug: 207062206 Test: Boot to home Signed-off-by: chungkai Change-Id: I5d51e322c1522046623046051e8090fc64bedee5 --- tracking_denials/vendor_init.te | 2 -- whitechapel_pro/vendor_init.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index c6a4b4d3..ea8ff1e4 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,4 +1,2 @@ # b/205656950 dontaudit vendor_init thermal_link_device:file { create }; -# b/207062206 -dontaudit vendor_init proc_sched:file { write }; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index d3f89291..e83d6535 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te 
@@ -9,6 +9,7 @@ set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) allow vendor_init proc_dirty:file w_file_perms; +allow vendor_init proc_sched:file w_file_perms; # NFC vendor property set_prop(vendor_init, vendor_nfc_prop) From 9721a3076eb558315acc320e294cf781327515e1 Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 25 Nov 2021 07:35:14 +0000 Subject: [PATCH 212/900] Fix avc denials for sysfs_vendor_sched Bug: 207300315 Bug: 207062875 Bug: 207062781 Test: build pass Signed-off-by: chungkai Change-Id: I17212c840c725f66d91f337c57af8e72e5e08b8c --- tracking_denials/bluetooth.te | 2 -- tracking_denials/platform_app.te | 2 -- tracking_denials/radio.te | 2 -- whitechapel_pro/bluetooth.te | 2 ++ whitechapel_pro/platform_app.te | 2 ++ whitechapel_pro/radio.te | 2 ++ 6 files changed, 6 insertions(+), 6 deletions(-) delete mode 100644 tracking_denials/bluetooth.te delete mode 100644 tracking_denials/radio.te create mode 100644 whitechapel_pro/bluetooth.te create mode 100644 whitechapel_pro/radio.te diff --git a/tracking_denials/bluetooth.te b/tracking_denials/bluetooth.te deleted file mode 100644 index 22734bef..00000000 --- a/tracking_denials/bluetooth.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/207062875 -dontaudit bluetooth sysfs_vendor_sched:dir { search }; diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te index 9ba5f579..6e1b0e1c 100644 --- a/tracking_denials/platform_app.te +++ b/tracking_denials/platform_app.te @@ -1,4 +1,2 @@ # b/204718221 dontaudit platform_app touch_service:service_manager { find }; -# b/207062781 -dontaudit platform_app sysfs_vendor_sched:dir { search }; diff --git a/tracking_denials/radio.te b/tracking_denials/radio.te deleted file mode 100644 index a71d5772..00000000 --- a/tracking_denials/radio.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/207300315 -dontaudit radio sysfs_vendor_sched:dir { search }; 
diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te new file mode 100644 index 00000000..b3b17416 --- /dev/null +++ b/whitechapel_pro/bluetooth.te @@ -0,0 +1,2 @@ +allow bluetooth sysfs_vendor_sched:dir r_dir_perms; +allow bluetooth sysfs_vendor_sched:file w_file_perms; \ No newline at end of file diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te index 4fc6b9fc..0cf0ae46 100644 --- a/whitechapel_pro/platform_app.te +++ b/whitechapel_pro/platform_app.te @@ -1,5 +1,7 @@ allow platform_app hal_pixel_display_service:service_manager find; allow platform_app hal_wlc_hwservice:hwservice_manager find; +allow platform_app sysfs_vendor_sched:dir r_dir_perms; +allow platform_app sysfs_vendor_sched:file w_file_perms; # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te new file mode 100644 index 00000000..09b4c7e4 --- /dev/null +++ b/whitechapel_pro/radio.te @@ -0,0 +1,2 @@ +allow radio sysfs_vendor_sched:dir r_dir_perms; +allow radio sysfs_vendor_sched:file w_file_perms; \ No newline at end of file From 8cd52d9d33d33bbb073e3db043f78a5a2912100d Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Wed, 24 Nov 2021 21:34:09 +0800 Subject: [PATCH 213/900] Allowed PowerHAL service access Display node Bug: 207615889 Test: PowerHAL can access early_wakeup node in enforcing mode Change-Id: I190e49f07c0c23c576a9fb8444ffb7c68eedf3ac --- whitechapel_pro/genfs_contexts | 2 ++ whitechapel_pro/hal_power_default.te | 1 + 2 files changed, 3 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index dfe87d35..00208167 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
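Review bot: The tracked denials being removed were only `sysfs_vendor_sched:dir { search }` for bluetooth, platform_app and radio, yet the replacement rules grant `sysfs_vendor_sched:file w_file_perms` — write access to vendor scheduler knobs from three system-side domains, with "Test: build pass" and no write denial cited to justify it. If these domains only walk the directory, `allow platform_app sysfs_vendor_sched:dir search;` is what the log supports; if they really write, the commit message should quote the file-write denial so the grant is traceable. Also the two new files end with `\ No newline at end of file`; add the trailing newline so later appends do not merge onto the last rule.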
@@ -57,6 +57,8 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 # mediacodec_samsung genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0 diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te index ade34a31..fca47245 100644 --- a/whitechapel_pro/hal_power_default.te +++ b/whitechapel_pro/hal_power_default.te @@ -1,4 +1,5 @@ allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms; allow hal_power_default sysfs_fs_f2fs:file rw_file_perms; +allow hal_power_default sysfs_display:file rw_file_perms; From 24eafb45c88673b776b2f1ec5d5ee9d36af64eed Mon Sep 17 00:00:00 2001 From: yawensu Date: Mon, 29 Nov 2021 13:05:08 +0800 Subject: [PATCH 214/900] Fix SELinux error in vendor_qualifiednetworks_app. SELinux : avc: denied { find } for pid=1763 uid=10201 name=isub scontext=u:r:vendor_qualifiednetworks_app:s0:c201,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1 Bug: 204718865 Test: The error is gone after applying the patch. Change-Id: I77d5f550614e1d63ab1547fc8d0ad1b70f72bed8 --- tracking_denials/vendor_qualifiednetworks_app.te | 2 -- whitechapel_pro/vendor_qualifiednetworks_app.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/vendor_qualifiednetworks_app.te diff --git a/tracking_denials/vendor_qualifiednetworks_app.te b/tracking_denials/vendor_qualifiednetworks_app.te deleted file mode 100644 index ec4ed9dc..00000000 
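Review bot: `allow hal_power_default sysfs_display:file rw_file_perms;` is wider than the early_wakeup access the commit message describes: the genfs hunk above shows that the same sysfs_display label also covers the panel `gamma` and `hs_clock` nodes, so the Power HAL can now read and write those too. If only early_wakeup is needed, give those two nodes their own type in genfs_contexts and allow that type here, or at minimum restrict to `w_file_perms` if the HAL only writes the trigger. A one-line comment naming the node, e.g. `# early_wakeup under /sys/devices/platform/1c24[02]000.drmdecon`, would make the intent reviewable.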
--- a/tracking_denials/vendor_qualifiednetworks_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/204718865 -dontaudit vendor_qualifiednetworks_app radio_service:service_manager { find }; diff --git a/whitechapel_pro/vendor_qualifiednetworks_app.te b/whitechapel_pro/vendor_qualifiednetworks_app.te index 1a18a8a7..e48601a8 100644 --- a/whitechapel_pro/vendor_qualifiednetworks_app.te +++ b/whitechapel_pro/vendor_qualifiednetworks_app.te @@ -2,3 +2,4 @@ type vendor_qualifiednetworks_app, domain; app_domain(vendor_qualifiednetworks_app) allow vendor_qualifiednetworks_app app_api_service:service_manager find; +allow vendor_qualifiednetworks_app radio_service:service_manager find; From 262709f2ba8bf38cfbfbce52c9fd4ea29f627a2e Mon Sep 17 00:00:00 2001 From: davidycchen Date: Tue, 30 Nov 2021 17:54:21 +0800 Subject: [PATCH 215/900] allow hal_dumpstate_default to access touch sysfs node avc: denied { open } for comm="sh" path="/sys/devices/platform/10d10000.spi/spi_master/spi0/spi0.0/ synaptics_tcm.0/sysfs/force_active" dev="sysfs" ino=89691 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 199104466 Test: trigger bugreport and check log. Signed-off-by: davidycchen Change-Id: If35d651b2c8ca375f7f9cc36403eb02911912ebb --- whitechapel_pro/genfs_contexts | 3 ++- whitechapel_pro/hal_dumpstate_default.te | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 00208167..5b2fcd66 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -12,7 +12,8 @@ genfscon sysfs /devices/system/chip-id/revision u genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 # Touch -genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index a80aacf8..e3e503b2 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -3,3 +3,6 @@ allow hal_dumpstate_default proc_f2fs:file r_file_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; + +allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; +allow hal_dumpstate_default sysfs_touch:file rw_file_perms; From f8d59b9305cc15402f67107ef0784aca8add4212 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 1 Dec 2021 11:04:38 +0800 Subject: [PATCH 216/900] update error on ROM 7957241 Bug: 208527900 Bug: 208527968 Bug: 208527969 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ic6de1f2232c1c0efd210bfe19ebac11207f72198 --- tracking_denials/gmscore_app.te | 3 +++ tracking_denials/hal_usb_impl.te | 7 +++++++ tracking_denials/priv_app.te | 6 ++++++ 3 files changed, 16 insertions(+) create mode 100644 tracking_denials/gmscore_app.te diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te new file mode 100644 index 00000000..356e8f73 --- /dev/null +++ b/tracking_denials/gmscore_app.te @@ -0,0 +1,3 @@ +# b/208527900 +dontaudit gmscore_app modem_img_file:filesystem { getattr }; +dontaudit gmscore_app property_type:file *; 
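Review bot: `allow hal_dumpstate_default sysfs_touch:file rw_file_perms;` gives the bugreport HAL write access to every touch node (the synaptics sysfs directory added here and the existing `/devices/virtual/sec/tsp`), while the quoted denial is a single `{ open }` from `sh` on `force_active`. If the dump only reads touch state, `r_file_perms` is sufficient; if the script intentionally toggles `force_active` to keep the controller awake while dumping, say so in a comment, e.g. `# dumpstate writes force_active to wake the touch IC for the dump`, so the write grant is not mistaken for over-permissioning later.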
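Review bot: `dontaudit gmscore_app property_type:file *;` silences every permission (including write, map and execute) on every property file type for gmscore_app, which is far broader than a tracking entry should be and will hide genuinely wrong accesses while the bug is open. The sibling entries added in this same patch are scoped to the observed permission, so this one should be too, e.g. `dontaudit gmscore_app property_type:file { getattr map open read };`. A wildcard dontaudit also defeats the purpose of the tracking_denials directory, which is to keep a visible list of what still needs a real allow rule.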
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te index f561949c..3d47cf93 100644 --- a/tracking_denials/hal_usb_impl.te +++ b/tracking_denials/hal_usb_impl.te @@ -5,3 +5,10 @@ dontaudit hal_usb_impl vendor_usb_config_prop:file { open }; dontaudit hal_usb_impl vendor_usb_config_prop:file { read }; # b/207062542 dontaudit hal_usb_impl functionfs:dir { watch watch_reads }; +# b/208527968 +dontaudit hal_usb_impl sysfs_batteryinfo:dir { open }; +dontaudit hal_usb_impl sysfs_batteryinfo:dir { read }; +dontaudit hal_usb_impl sysfs_batteryinfo:dir { search }; +dontaudit hal_usb_impl sysfs_batteryinfo:file { getattr }; +dontaudit hal_usb_impl sysfs_batteryinfo:file { open }; +dontaudit hal_usb_impl sysfs_batteryinfo:file { read }; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index c966f4e6..17ce5570 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -2,3 +2,9 @@ dontaudit priv_app vendor_default_prop:file { getattr }; dontaudit priv_app vendor_default_prop:file { map }; dontaudit priv_app vendor_default_prop:file { open }; +# b/208527969 +dontaudit priv_app vendor_file:file { execute }; +dontaudit priv_app vendor_file:file { getattr }; +dontaudit priv_app vendor_file:file { map }; +dontaudit priv_app vendor_file:file { open }; +dontaudit priv_app vendor_file:file { read }; From 097157613ae21176aeff6da0f5da49843d328ff0 Mon Sep 17 00:00:00 2001 
From: George Chang Date: Tue, 30 Nov 2021 19:47:27 +0800 Subject: [PATCH 217/900] Fix SELinux error coming from hal_secure_element_uicc 11-11 09:38:59.168 794 794 I secure_element@: type=1400 audit(0.0:102): avc: denied { call } for scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 [ 19.632309] type=1400 audit(1636594739.168:103): avc: denied { transfer } for comm="secure_element@" scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 [ 19.631474] type=1400 audit(1636594739.168:102): avc: denied { call } for comm="secure_element@" scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 11-11 09:38:59.168 794 794 I secure_element@: type=1400 audit(0.0:103): avc: denied { transfer } for scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 [ 19.633481] type=1400 audit(1636594739.172:104): avc: denied { call } for comm="rild_exynos" scontext=u:r:rild:s0 tcontext=u:r:hal_secure_element_uicc:s0 tclass=binder permissive=1 11-11 09:38:59.172 971 971 I rild_exynos: type=1400 audit(0.0:104): avc: denied { call } for scontext=u:r:rild:s0 tcontext=u:r:hal_secure_element_uicc:s0 tclass=binder permissive=1 Bug: 205904403 Test: check avc Change-Id: I9186714d81e21ba8920aaa900a92f542e98ceddb --- tracking_denials/hal_secure_element_uicc.te | 3 --- tracking_denials/rild.te | 1 - whitechapel_pro/hal_secure_element_uicc.te | 4 ++++ whitechapel_pro/rild.te | 1 + 4 files changed, 5 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/hal_secure_element_uicc.te diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te deleted file mode 100644 index 10323849..00000000 --- a/tracking_denials/hal_secure_element_uicc.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/205904403 -dontaudit hal_secure_element_uicc rild:binder { call }; -dontaudit hal_secure_element_uicc rild:binder { transfer }; 
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te index 312cca32..cb423e91 100644 --- a/tracking_denials/rild.te +++ b/tracking_denials/rild.te @@ -5,6 +5,5 @@ dontaudit rild vendor_persist_config_default_prop:file { map }; dontaudit rild vendor_persist_config_default_prop:file { open }; dontaudit rild vendor_persist_config_default_prop:file { read }; # b/205904441 -dontaudit rild hal_secure_element_uicc:binder { call }; dontaudit rild vendor_ims_app:binder { call }; dontaudit rild vendor_rcs_app:binder { call }; diff --git a/whitechapel_pro/hal_secure_element_uicc.te b/whitechapel_pro/hal_secure_element_uicc.te index bcc4fac0..c91ae3bb 100644 --- a/whitechapel_pro/hal_secure_element_uicc.te +++ b/whitechapel_pro/hal_secure_element_uicc.te @@ -4,4 +4,8 @@ type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type; hal_server_domain(hal_secure_element_uicc, hal_secure_element) init_daemon_domain(hal_secure_element_uicc) +# Allow hal_secure_element_default to access rild +binder_call(hal_secure_element_default, rild); allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find; + + diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index c931a996..d30f4a91 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -19,6 +19,7 @@ binder_call(rild, gpsd) binder_call(rild, hal_audio_default) binder_call(rild, modem_svc_sit) binder_call(rild, oemrilservice_app) +binder_call(rild, hal_secure_element_uicc) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) From 0546c79a47ce21a33f7b8103104936eee0be51c7 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 1 Dec 2021 14:47:02 +0800 Subject: [PATCH 218/900] make some libraries app reachable Bug: 208527969 Test: boot with no relevant error log Change-Id: Ic21fcecd4a9ff3d293dafe1e7a9dbebd0e736852 --- tracking_denials/priv_app.te | 6 ------ whitechapel_pro/file_contexts | 3 +++ 2 files changed, 3 insertions(+), 6 deletions(-) 
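Review bot: `binder_call(hal_secure_element_default, rild);` names the wrong domain — this file defines `hal_secure_element_uicc`, and every denial quoted in the commit message has `scontext=u:r:hal_secure_element_uicc:s0`, so the hal_secure_element_uicc → rild `call`/`transfer` denials are not actually resolved by this patch (a later patch in this series re-adds a dontaudit for exactly that denial). The line and its comment should read `# Allow hal_secure_element_uicc to talk to rild` / `binder_call(hal_secure_element_uicc, rild)`. Drop the trailing semicolon to match how the other macro invocations in these files are written (`binder_call(rild, gpsd)` in rild.te), and remove the two blank lines appended at the end of the file.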
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index 17ce5570..c966f4e6 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -2,9 +2,3 @@ dontaudit priv_app vendor_default_prop:file { getattr }; dontaudit priv_app vendor_default_prop:file { map }; dontaudit priv_app vendor_default_prop:file { open }; -# b/208527969 -dontaudit priv_app vendor_file:file { execute }; -dontaudit priv_app vendor_file:file { getattr }; -dontaudit priv_app vendor_file:file { map }; -dontaudit priv_app vendor_file:file { open }; -dontaudit priv_app vendor_file:file { read }; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index b50d2f10..c838b478 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -49,6 +49,9 @@ /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Vendor kernel modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 From 316d846ac4785c4c75ca7c286a0ccb71943542a6 Mon Sep 17 00:00:00 2001 
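Review bot: Relabelling `lib_aion_buffer.so`, `libGralloc4Wrapper.so` and `pixel-power-ext-V1-ndk.so` as same_process_hal_file makes them loadable by every app domain, not only the priv_app whose denial (b/208527969) motivated the change — as I read core policy, that label is what all appdomains are allowed to open and map. That is the right label only if these libraries are genuinely loaded in-process by apps (via the gralloc/SP-HAL loader path); for an AIDL NDK interface library such as `pixel-power-ext-V1-ndk.so` that deserves a stated reason. Add a comment above the three entries naming which client loads each one, e.g. `# loaded in-process by apps through the gralloc mapper / power-ext client`, so the exposure is deliberate rather than a denial-driven widening.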
From: Adam Shih Date: Wed, 1 Dec 2021 14:49:01 +0800 Subject: [PATCH 219/900] copy euiccpixel_app setting to gs201 12-01 13:56:53.328 7682 7682 I Thread-2: type=1400 audit(0.0:44): avc: denied { map } for path="/dev/__properties__/u:object_r:dck_prop:s0" dev="tmpfs" ino=136 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:dck_prop:s0 tclass=file permissive=1 app=com.google.euiccpixel There is only one source of code in vendor/unbundled_google/packages/EuiccSupportPixelPrebuilt/Android.mk Bug: 208527969 Test: no relevant error logs were found any more Change-Id: I06b1cdcfb9109956f9c65dede1208310d2b79c48 --- .../certs/EuiccSupportPixel.x509.pem | 29 +++++++++++++++++++ whitechapel_pro/euiccpixel_app.te | 24 +++++++++++++++ whitechapel_pro/keys.conf | 3 ++ whitechapel_pro/mac_permissions.xml | 3 ++ whitechapel_pro/seapp_contexts | 3 ++ 5 files changed, 62 insertions(+) create mode 100644 whitechapel_pro/certs/EuiccSupportPixel.x509.pem create mode 100644 whitechapel_pro/euiccpixel_app.te diff --git a/whitechapel_pro/certs/EuiccSupportPixel.x509.pem b/whitechapel_pro/certs/EuiccSupportPixel.x509.pem new file mode 100644 index 00000000..d11ad3d0 --- /dev/null +++ b/whitechapel_pro/certs/EuiccSupportPixel.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw +b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v +Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb +WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/ +amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK +aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0 +oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho ++9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td +5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK +rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki +uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag +ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV +HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5 +FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9 +Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp +ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL +EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB +GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U +XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0 +IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj +pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon 
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU +0JD1T1qdCm3aUSEmFgEA4rOL/0K3 +-----END CERTIFICATE----- diff --git a/whitechapel_pro/euiccpixel_app.te b/whitechapel_pro/euiccpixel_app.te new file mode 100644 index 00000000..a59581eb --- /dev/null +++ b/whitechapel_pro/euiccpixel_app.te @@ -0,0 +1,24 @@ +# EuiccSupportPixel app + +type euiccpixel_app, domain; +app_domain(euiccpixel_app) + +allow euiccpixel_app app_api_service:service_manager find; +allow euiccpixel_app radio_service:service_manager find; +allow euiccpixel_app nfc_service:service_manager find; + +set_prop(euiccpixel_app, vendor_secure_element_prop) +set_prop(euiccpixel_app, vendor_modem_prop) +get_prop(euiccpixel_app, dck_prop) + +userdebug_or_eng(` + net_domain(euiccpixel_app) + + # Access to directly upgrade firmware on st54spi_device used for engineering devices + typeattribute st54spi_device mlstrustedobject; + allow euiccpixel_app st54spi_device:chr_file rw_file_perms; + # Access to directly upgrade firmware on st33spi_device used for engineering devices + typeattribute st33spi_device mlstrustedobject; + allow euiccpixel_app st33spi_device:chr_file rw_file_perms; +') + diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index f67eb8f2..c8154db0 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -3,3 +3,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem [@UWB] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem + +[@EUICCSUPPORTPIXEL] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 6cf15728..6cb7113c 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -27,4 +27,7 @@ + + + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 6aef28f7..829915c3 100644 
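Review bot: `typeattribute st54spi_device mlstrustedobject;` (and the st33spi_device twin) is a global statement, not a rule scoped to euiccpixel_app: it changes how the MLS constraints treat those device nodes for every domain on the device, and it is buried inside an app-specific .te file under `userdebug_or_eng`, where nobody auditing the device types will find it. Please add a comment saying why the levelFrom=all app needs the object MLS-trusted, e.g. `# euiccpixel_app runs at a per-user level (levelFrom=all); mark the SPI nodes mlstrustedobject so the eng-only firmware-upgrade path can open them`, or move the typeattribute next to the device type's declaration. Likewise `set_prop(euiccpixel_app, vendor_modem_prop)` lets an app write modem properties with no note on which property it sets; a one-line why-comment would keep that from looking like an accidental grant.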
--- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -36,5 +36,8 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type= # Qorvo UWB system app user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all +# Domain for EuiccSupportPixel +user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all + # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user From 390b8cfa91c9a430cb05991c67ca2d06e7e00c36 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 2 Dec 2021 09:52:57 +0800 Subject: [PATCH 220/900] update error on ROM 7961148 Bug: 208715886 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I898382e65a8f321a07984c67cca642b9710d1612 --- tracking_denials/hal_secure_element_uicc.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/hal_secure_element_uicc.te diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te new file mode 100644 index 00000000..c467a467 --- /dev/null +++ b/tracking_denials/hal_secure_element_uicc.te @@ -0,0 +1,2 @@ +# b/208715886 +dontaudit hal_secure_element_uicc rild:binder { call }; From cfbef530da75e16b2bafdb466cd683242e92c3c5 Mon Sep 17 00:00:00 2001 
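Review bot: This dontaudit re-silences the very denial that the earlier patch in this series ("Fix SELinux error coming from hal_secure_element_uicc") set out to allow, and it persists only because that patch wrote `binder_call(hal_secure_element_default, rild)` instead of `binder_call(hal_secure_element_uicc, rild)`. Fixing the macro argument in whitechapel_pro/hal_secure_element_uicc.te removes the denial outright and makes this tracking file unnecessary; if the dontaudit is kept until then, a comment such as `# real fix: correct the domain name in hal_secure_element_uicc.te` would stop it from being mistaken for a still-open investigation.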
From: Adam Shih Date: Thu, 2 Dec 2021 11:19:39 +0800 Subject: [PATCH 221/900] update error on ROM 7961148 Bug: 208721809 Bug: 208721525 Bug: 208721677 Bug: 208721526 Bug: 208721638 Bug: 208721505 Bug: 208721729 Bug: 208721710 Bug: 208721673 Bug: 208721679 Bug: 208721707 Bug: 208721808 Bug: 208721636 Bug: 208721768 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ida37756678645dea41d343ede41868ce717fe9da --- tracking_denials/dumpstate.te | 9 ++++ tracking_denials/hal_bluetooth_btlinux.te | 2 + tracking_denials/hal_dumpstate_default.te | 51 +++++++++++++++++++ .../hal_graphics_composer_default.te | 3 ++ tracking_denials/hal_health_default.te | 5 ++ tracking_denials/hal_uwb_vendor_default.te | 3 ++ tracking_denials/hal_vibrator_default.te | 6 +++ tracking_denials/hardware_info_app.te | 4 ++ tracking_denials/incidentd.te | 7 +++ tracking_denials/logger_app.te | 9 ++++ tracking_denials/permissioncontroller_app.te | 2 + tracking_denials/surfaceflinger.te | 2 + tracking_denials/system_app.te | 9 ++++ tracking_denials/vold.te | 3 ++ 14 files changed, 115 insertions(+) create mode 100644 tracking_denials/dumpstate.te create mode 100644 tracking_denials/hal_dumpstate_default.te create mode 100644 tracking_denials/hal_health_default.te create mode 100644 tracking_denials/hardware_info_app.te create mode 100644 tracking_denials/incidentd.te create mode 100644 tracking_denials/permissioncontroller_app.te create mode 100644 tracking_denials/system_app.te create mode 100644 tracking_denials/vold.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te new file mode 100644 index 00000000..2ac7e19a --- /dev/null +++ b/tracking_denials/dumpstate.te 
@@ -0,0 +1,9 @@ +# b/208721809 +dontaudit dumpstate fuse:dir { search }; +dontaudit dumpstate hal_graphics_composer_default:binder { call }; +dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; +dontaudit dumpstate hal_uwb_vendor_default:binder { call }; +dontaudit dumpstate modem_img_file:filesystem { getattr }; +dontaudit dumpstate vendor_dmabuf_debugfs:file { open }; +dontaudit dumpstate vendor_dmabuf_debugfs:file { read }; +dontaudit dumpstate vold:binder { call }; diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te index 04eae4f5..7848e458 100644 --- a/tracking_denials/hal_bluetooth_btlinux.te +++ b/tracking_denials/hal_bluetooth_btlinux.te @@ -2,3 +2,5 @@ dontaudit hal_bluetooth_btlinux device:chr_file { ioctl }; dontaudit hal_bluetooth_btlinux device:chr_file { open }; dontaudit hal_bluetooth_btlinux device:chr_file { read write }; +# b/208721525 +dontaudit hal_bluetooth_btlinux device:chr_file { getattr }; diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te new file mode 100644 index 00000000..82964570 --- /dev/null +++ b/tracking_denials/hal_dumpstate_default.te 
@@ -0,0 +1,51 @@ +# b/208721677 +dontaudit hal_dumpstate_default boottime_public_prop:file { open }; +dontaudit hal_dumpstate_default boottime_public_prop:file { read }; +dontaudit hal_dumpstate_default citadeld_service:service_manager { find }; +dontaudit hal_dumpstate_default debugfs:file { open }; +dontaudit hal_dumpstate_default debugfs:file { read }; +dontaudit hal_dumpstate_default debugfs_f2fs:dir { search }; +dontaudit hal_dumpstate_default debugfs_f2fs:file { open }; +dontaudit hal_dumpstate_default debugfs_f2fs:file { read }; +dontaudit hal_dumpstate_default logbuffer_device:chr_file { getattr }; +dontaudit hal_dumpstate_default logbuffer_device:chr_file { open }; +dontaudit hal_dumpstate_default logbuffer_device:chr_file { read }; +dontaudit hal_dumpstate_default modem_stat_data_file:file { open }; +dontaudit hal_dumpstate_default modem_stat_data_file:file { read }; +dontaudit hal_dumpstate_default radio_vendor_data_file:dir { getattr }; +dontaudit hal_dumpstate_default radio_vendor_data_file:dir { open }; +dontaudit hal_dumpstate_default radio_vendor_data_file:dir { read }; +dontaudit hal_dumpstate_default radio_vendor_data_file:dir { search }; +dontaudit hal_dumpstate_default radio_vendor_data_file:dir { write }; +dontaudit hal_dumpstate_default radio_vendor_data_file:file { getattr }; +dontaudit hal_dumpstate_default radio_vendor_data_file:file { open }; +dontaudit hal_dumpstate_default radio_vendor_data_file:file { read }; +dontaudit hal_dumpstate_default radio_vendor_data_file:file { setattr }; +dontaudit hal_dumpstate_default sysfs:file { read }; +dontaudit hal_dumpstate_default sysfs_acpm_stats:dir { open }; +dontaudit hal_dumpstate_default sysfs_acpm_stats:dir { read }; +dontaudit hal_dumpstate_default sysfs_acpm_stats:dir { search }; +dontaudit hal_dumpstate_default sysfs_acpm_stats:file { open }; +dontaudit hal_dumpstate_default sysfs_acpm_stats:file { read }; +dontaudit hal_dumpstate_default sysfs_bcl:dir { open }; +dontaudit 
hal_dumpstate_default sysfs_bcl:dir { read }; +dontaudit hal_dumpstate_default sysfs_bcl:dir { search }; +dontaudit hal_dumpstate_default sysfs_bcl:file { getattr }; +dontaudit hal_dumpstate_default sysfs_bcl:file { read }; +dontaudit hal_dumpstate_default sysfs_chip_id:file { open }; +dontaudit hal_dumpstate_default sysfs_chip_id:file { read }; +dontaudit hal_dumpstate_default sysfs_thermal:dir { open }; +dontaudit hal_dumpstate_default sysfs_thermal:dir { read }; +dontaudit hal_dumpstate_default sysfs_thermal:dir { search }; +dontaudit hal_dumpstate_default sysfs_thermal:file { open }; +dontaudit hal_dumpstate_default sysfs_thermal:file { read }; +dontaudit hal_dumpstate_default sysfs_wifi:dir { search }; +dontaudit hal_dumpstate_default sysfs_wifi:file { open }; +dontaudit hal_dumpstate_default sysfs_wifi:file { read }; +dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find }; +dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open }; +dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read }; +dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans }; +dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans }; +dontaudit hal_dumpstate_default vendor_toolbox_exec:file { execute_no_trans }; +dontaudit hal_dumpstate_default vndbinder_device:chr_file { read }; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te index b411cdab..87535c37 100644 --- a/tracking_denials/hal_graphics_composer_default.te +++ b/tracking_denials/hal_graphics_composer_default.te 
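Review bot: Several of these entries silence non-read accesses from a bugreport collector — `radio_vendor_data_file:dir { write }`, `radio_vendor_data_file:file { setattr }`, and `execute_no_trans` on `vendor_shell_exec` / `vendor_toolbox_exec` / `vendor_dumpsys` — which is the kind of behaviour a dump HAL should either be explicitly allowed to do or be stopped from doing, not quietly hidden. Suppressing the audit does not grant the access, so whatever script is writing or setattr-ing under radio_vendor_data_file still fails, and the failure is now invisible. I would keep the read-side entries as tracking and split the write/setattr/execute ones under their own `# b/208721677 - non-read accesses, needs investigation` heading so they are not dropped into a blanket allow when this file is resolved.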
@@ -28,3 +28,6 @@ dontaudit hal_graphics_composer_default sysfs:file { open };
 dontaudit hal_graphics_composer_default sysfs:file { read };
 dontaudit hal_graphics_composer_default sysfs:file { write };
 dontaudit hal_graphics_composer_default sysfs_display:file { write };
+# b/208721526
+dontaudit hal_graphics_composer_default dumpstate:fd { use };
+dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
new file mode 100644
index 00000000..d36ba385
--- /dev/null
+++ b/tracking_denials/hal_health_default.te
@@ -0,0 +1,5 @@
+# b/208721638
+dontaudit hal_health_default sysfs_thermal:dir { search };
+dontaudit hal_health_default sysfs_thermal:file { open };
+dontaudit hal_health_default sysfs_thermal:file { write };
+dontaudit hal_health_default thermal_link_device:dir { search };
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
index 7fd11e03..2ec596a2 100644
--- a/tracking_denials/hal_uwb_vendor_default.te
+++ b/tracking_denials/hal_uwb_vendor_default.te
@@ -4,3 +4,6 @@ dontaudit hal_uwb_vendor_default default_android_service:service_manager { add }
 dontaudit hal_uwb_vendor_default hal_uwb_vendor_default:capability { net_admin };
 dontaudit hal_uwb_vendor_default zygote:binder { call };
 dontaudit hal_uwb_vendor_default zygote:binder { transfer };
+# b/208721505
+dontaudit hal_uwb_vendor_default dumpstate:fd { use };
+dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
index c69e5c5b..173aeb60 100644
--- a/tracking_denials/hal_vibrator_default.te
+++ b/tracking_denials/hal_vibrator_default.te
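Review bot: The pair `dontaudit hal_graphics_composer_default dumpstate:fd { use };` / `dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };` silences the HAL writing its dump section into dumpstate's pipe, so that section disappears from bugreports without any trace; the same pattern is added for hal_uwb_vendor_default in the next hunk and for vold in the new tracking_denials/vold.te further down this commit. For a HAL server the intended fix is the `dump_hal()` macro in whitechapel_pro/dumpstate.te, which this series does adopt later for the composer (`dump_hal(hal_graphics_composer)` in commit 229). Mark these lines as temporary and name the macro so the tracking bug has a concrete target, e.g. `# b/208721526: pending dump_hal() in whitechapel_pro/dumpstate.te`.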
@@ -9,3 +9,9 @@ dontaudit hal_vibrator_default proc_asound:file { read };
 dontaudit hal_vibrator_default sysfs:file { getattr };
 dontaudit hal_vibrator_default sysfs:file { open };
 dontaudit hal_vibrator_default sysfs:file { read write };
+# b/208721729
+#dontaudit hal_vibrator_default fastbootd_protocol_prop:file { getattr };
+#dontaudit hal_vibrator_default fastbootd_protocol_prop:file { map };
+#dontaudit hal_vibrator_default fastbootd_protocol_prop:file { open };
+dontaudit hal_vibrator_default ffs_config_prop:file { getattr };
+dontaudit hal_vibrator_default ffs_config_prop:file { open };
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
new file mode 100644
index 00000000..a79e1d94
--- /dev/null
+++ b/tracking_denials/hardware_info_app.te
@@ -0,0 +1,4 @@
+# b/208721710
+dontaudit hardware_info_app sysfs:file { getattr };
+dontaudit hardware_info_app sysfs:file { open };
+dontaudit hardware_info_app sysfs:file { read };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 00000000..556c5ae0
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,7 @@
+# b/208721673
+dontaudit incidentd aac_drc_prop:file { getattr };
+dontaudit incidentd aac_drc_prop:file { map };
+dontaudit incidentd aac_drc_prop:file { open };
+dontaudit incidentd ab_update_gki_prop:file { getattr };
+dontaudit incidentd ab_update_gki_prop:file { map };
+dontaudit incidentd ab_update_gki_prop:file { open };
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index 34a5eb92..a29fe89b 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
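Review bot: Under `# b/208721729` the three `fastbootd_protocol_prop` rules are checked in commented out with no explanation, so a reader cannot tell whether they were dropped because the type is not defined in this policy, because a neverallow rejects them, or because the denial was not reproducible. Put the reason on the comment line, e.g. `# b/208721729 (fastbootd_protocol_prop rules disabled: <reason>)`, or delete the dead lines rather than carry them in a tracking file.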
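Review bot: In the new tracking_denials/hardware_info_app.te the three rules silence `sysfs:file { getattr open read }` on the generic `sysfs` type, which usually means the node the app reads carries no genfscon label yet; a dontaudit here hides the missing label instead of tracking it. The later aoc/genfs_contexts change in this series (commit 222, labelling `hwinfo_part_number` and allowing the same app) suggests that is the case, so the entry would be more actionable with the path named, e.g. `# b/208721710: unlabeled sysfs node, needs genfscon + allow rather than silence`.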
@@ -32,3 +32,12 @@ dontaudit logger_app sysfs_vendor_sched:dir { search };
 dontaudit logger_app vendor_gps_file:dir { remove_name };
 dontaudit logger_app vendor_gps_file:dir { write };
 dontaudit logger_app vendor_gps_file:file { unlink };
+# b/208721679
+dontaudit logger_app vendor_default_prop:file { getattr };
+dontaudit logger_app vendor_default_prop:file { map };
+dontaudit logger_app vendor_default_prop:file { open };
+dontaudit logger_app vendor_modem_prop:file { getattr };
+dontaudit logger_app vendor_modem_prop:file { map };
+dontaudit logger_app vendor_modem_prop:file { open };
+dontaudit logger_app vendor_modem_prop:file { read };
+dontaudit logger_app vendor_modem_prop:property_service { set };
diff --git a/tracking_denials/permissioncontroller_app.te b/tracking_denials/permissioncontroller_app.te
new file mode 100644
index 00000000..4aa2b9c9
--- /dev/null
+++ b/tracking_denials/permissioncontroller_app.te
@@ -0,0 +1,2 @@
+# b/208721707
+#dontaudit permissioncontroller_app sysfs_vendor_sched:dir { search };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
index 3ccdc9c3..b36f5aef 100644
--- a/tracking_denials/surfaceflinger.te
+++ b/tracking_denials/surfaceflinger.te
@@ -4,3 +4,5 @@ dontaudit surfaceflinger kernel:process { setsched };
 dontaudit surfaceflinger vendor_fw_file:dir { search };
 dontaudit surfaceflinger vendor_fw_file:file { open };
 dontaudit surfaceflinger vendor_fw_file:file { read };
+# b/208721808
+dontaudit surfaceflinger hal_graphics_composer_default:dir { search };
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
new file mode 100644
index 00000000..a3d62aac
--- /dev/null
+++ b/tracking_denials/system_app.te
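Review bot: `dontaudit logger_app vendor_modem_prop:property_service { set };` at the end of the logger_app hunk silences a property write, which is a different class of event from the `:file { getattr map open read }` lines above it: if the app legitimately sets modem properties it needs `set_prop(logger_app, vendor_modem_prop)` in its own policy, and if it does not, the denial is the only signal that the app is attempting it. Either way it does not belong in a dontaudit list; keep the read-side lines here and record the set attempt separately under b/208721679 until it is resolved.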
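Review bot: The new tracking_denials/permissioncontroller_app.te holds only `# b/208721707` and a commented-out `dontaudit permissioncontroller_app sysfs_vendor_sched:dir { search };`, so it is a no-op file. If the rule was rejected or the denial could not be reproduced, say so on the comment line, e.g. `# b/208721707: rule disabled, <reason>`; otherwise drop the file until there is a rule for it to carry.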
@@ -0,0 +1,9 @@
+# b/208721636
+dontaudit system_app sysfs_vendor_sched:dir { search };
+dontaudit system_app vendor_default_prop:file { getattr };
+dontaudit system_app vendor_default_prop:file { map };
+dontaudit system_app vendor_default_prop:file { open };
+dontaudit system_app vendor_slog_file:dir { search };
+dontaudit system_app vendor_slog_prop:file { getattr };
+dontaudit system_app vendor_slog_prop:file { map };
+dontaudit system_app vendor_slog_prop:file { open };
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
new file mode 100644
index 00000000..9d7b7a87
--- /dev/null
+++ b/tracking_denials/vold.te
@@ -0,0 +1,3 @@
+# b/208721768
+dontaudit vold dumpstate:fd { use };
+dontaudit vold dumpstate:fifo_file { write };
From e25c4dca39283842f408616eaec6aa091b3d509b Mon Sep 17 00:00:00 2001 From: Roger Fang Date: Wed, 1 Dec 2021 15:20:11 +0800 Subject: [PATCH 222/900] sepolicy: add permission for the hardware info putDsp function Bug: 202814070 Test: Manually test passed Signed-off-by: Roger Fang Change-Id: I15b8fa09fddc89dcbe7893ef73fea72ac6ae63e4 --- aoc/genfs_contexts | 1 + whitechapel_pro/hardware_info_app.te | 3 +++ 2 files changed, 4 insertions(+)
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
index e4633a56..46773bb0 100644
--- a/aoc/genfs_contexts
+++ b/aoc/genfs_contexts
@@ -24,4 +24,5 @@ genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:ob
 genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0
 genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0
 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te
index a2207af4..d89c53ab 100644
--- a/whitechapel_pro/hardware_info_app.te
+++ b/whitechapel_pro/hardware_info_app.te
@@ -6,3 +6,6 @@ allow hardware_info_app app_api_service:service_manager find;
 # Storage
 allow hardware_info_app sysfs_scsi_devices_0000:dir search;
 allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;
+
+# Audio
+allow hardware_info_app sysfs_pixelstats:file r_file_perms;
From ad3e880a3f4cea75e7f52ce493ccb0280960b1a0 Mon Sep 17 00:00:00 2001 From: Roger Fang Date: Wed, 1 Dec 2021 15:51:16 +0800 Subject: [PATCH 223/900] sepolicy: Add suez audio sepolicy pixelstats-vend: type=1400 audit(0.0:30): avc: denied { read } for name="codec_state" dev="sysfs" ino=83880 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_pixelstats:s0 tclass=file permissive=1 pixelstats-vend: type=1400 audit(0.0:31): avc: denied { open } for path="/sys/devices/platform/audiometrics/codec_state" dev="sysfs" ino=83880 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_pixelstats:s0 tclass=file permissive=1 pixelstats-vend: type=1400 audit(0.0:32): avc: denied { getattr } for path="/sys/devices/platform/audiometrics/codec_state" dev="sysfs" ino=83880 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_pixelstats:s0 tclass=file permissive=1 Bug: 206007421 Test: build passed and no avc deniel logs Signed-off-by: Roger Fang Change-Id: Ib5f5dd248e276f470e213cc053728cbf70c20dbf --- whitechapel_pro/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index de08a892..392c3b1c 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -1,3 +1,4 @@
 binder_use(pixelstats_vendor)
 allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
+allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
From b2d162fda78e4a9e4635663e0ff4241792ed7d02 Mon Sep 17 00:00:00 2001
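Review bot: `allow hardware_info_app sysfs_pixelstats:file r_file_perms;` grants the app read access to every node labelled `sysfs_pixelstats`, but the aoc/genfs_contexts hunk of the same commit shows that label also covering `speaker_heartbeat`, `speaker_temp`, `mic_broken_degrade` and `codec_crashed_counter`, while the commit only needs `hwinfo_part_number`. If the app is meant to read just the part number, a dedicated sysfs type for that node (labelled in aoc/genfs_contexts and allowed here) keeps the audio statistics out of the app's reach. At minimum the `# Audio` comment should name the node actually read, e.g. `# Audio: hwinfo_part_number (currently labelled sysfs_pixelstats)`.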
From: George Chang Date: Thu, 2 Dec 2021 11:03:07 +0800 Subject: [PATCH 224/900] Fix SELinux error coming from hal_secure_element_uicc 12-02 09:45:55.564 796 796 I secure_element@: type=1400 audit(0.0:3): avc: denied { call } for scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 [ 11.030503] type=1400 audit(1638409555.564:3): avc: denied { call } for comm="secure_element@" scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 Bug: 208715886 Test: check avc Change-Id: I701b36fbb58f1c071f1dbc394048dad467ac6c4c --- tracking_denials/hal_secure_element_uicc.te | 2 -- whitechapel_pro/hal_secure_element_uicc.te | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/hal_secure_element_uicc.te
diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te
deleted file mode 100644
index c467a467..00000000
--- a/tracking_denials/hal_secure_element_uicc.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/208715886
-dontaudit hal_secure_element_uicc rild:binder { call };
diff --git a/whitechapel_pro/hal_secure_element_uicc.te b/whitechapel_pro/hal_secure_element_uicc.te
index c91ae3bb..fe535320 100644
--- a/whitechapel_pro/hal_secure_element_uicc.te
+++ b/whitechapel_pro/hal_secure_element_uicc.te
@@ -4,8 +4,8 @@ type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
 hal_server_domain(hal_secure_element_uicc, hal_secure_element)
 init_daemon_domain(hal_secure_element_uicc)
-# Allow hal_secure_element_default to access rild
-binder_call(hal_secure_element_default, rild);
+# Allow hal_secure_element_uicc to access rild
+binder_call(hal_secure_element_uicc, rild);
 allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;
From abc92ffabeb1ccc87d53f00f615650e977491214 Mon Sep 17 00:00:00 2001
From: Randall Huang Date: Thu, 2 Dec 2021 13:42:18 +0800 Subject: [PATCH 225/900] fix vold selinux error Bug: 208721768 Test: boot to home Signed-off-by: Randall Huang Change-Id: I22060550896722e9c8eab4acdaf39dbeb12026ce --- tracking_denials/vold.te | 3 --- whitechapel_pro/vold.te | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 tracking_denials/vold.te
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
deleted file mode 100644
index 9d7b7a87..00000000
--- a/tracking_denials/vold.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/208721768
-dontaudit vold dumpstate:fd { use };
-dontaudit vold dumpstate:fifo_file { write };
diff --git a/whitechapel_pro/vold.te b/whitechapel_pro/vold.te
index 64ebf996..1306d7ca 100644
--- a/whitechapel_pro/vold.te
+++ b/whitechapel_pro/vold.te
@@ -3,3 +3,5 @@ allow vold modem_userdata_file:dir rw_dir_perms;
 allow vold sysfs_scsi_devices_0000:file rw_file_perms;
+dontaudit vold dumpstate:fifo_file rw_file_perms;
+dontaudit vold dumpstate:fd use ;
From b466b688e08cda936f9212994526c8a7e3534f17 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 3 Dec 2021 09:59:56 +0800 Subject: [PATCH 226/900] update error on ROM 7964913 Bug: 208909191 Bug: 208909124 Bug: 208909174 Bug: 208909175 Bug: 208909060 Bug: 208909270 Bug: 208909232 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I7e3edb49e5a191a2fc9e34f7232d754ecd2fed00 --- tracking_denials/dumpstate.te | 2 ++ tracking_denials/hal_dumpstate_default.te | 28 ++++++++++++++++++++++++++++ tracking_denials/hal_power_default.te | 6 +++++ tracking_denials/hal_sensors_default.te | 2 ++ tracking_denials/hardware_info_app.te | 6 +++++ tracking_denials/incidentd.te | 2 ++ tracking_denials/surfaceflinger.te | 4 ++++ 7 files changed, 50 insertions(+)
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 2ac7e19a..e9bac84e 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
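Review bot: The two lines added to whitechapel_pro/vold.te widen what the deleted tracking rule covered: the observed denial was `dumpstate:fifo_file { write }`, but `dontaudit vold dumpstate:fifo_file rw_file_perms;` now also silences read, getattr, ioctl and the rest of that macro, and `dontaudit vold dumpstate:fd use ;` carries a stray space before the semicolon. Because these are still dontaudit rules, vold's output into the bugreport pipe is still dropped, so the commit title "fix" is a relocation rather than a resolution, and the `# b/208721768` reference is lost in the move. If the write is wanted it needs an allow (or the appropriate dump macro); otherwise keep the silence narrow and explained: `# b/208721768: vold writing into dumpstate's pipe is silenced, not granted`, `dontaudit vold dumpstate:fifo_file write;`, `dontaudit vold dumpstate:fd use;`.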
@@ -7,3 +7,5 @@ dontaudit dumpstate modem_img_file:filesystem { getattr };
 dontaudit dumpstate vendor_dmabuf_debugfs:file { open };
 dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
 dontaudit dumpstate vold:binder { call };
+# b/208909191
+dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 82964570..ced4632a 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -49,3 +49,31 @@ dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans };
 dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans };
 dontaudit hal_dumpstate_default vendor_toolbox_exec:file { execute_no_trans };
 dontaudit hal_dumpstate_default vndbinder_device:chr_file { read };
+# b/208909124
+dontaudit hal_dumpstate_default property_type:file *;
+dontaudit hal_dumpstate_default mnt_vendor_file:dir { search };
+dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir { search };
+dontaudit hal_dumpstate_default shell_data_file:file { getattr };
+dontaudit hal_dumpstate_default sysfs:file { open };
+dontaudit hal_dumpstate_default sysfs_aoc:dir { search };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { open };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { read };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { search };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:file { open };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:file { read };
+dontaudit hal_dumpstate_default sysfs_exynos_bts:dir { search };
+dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { open };
+dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { read };
+dontaudit hal_dumpstate_default sysfs_wlc:dir { search };
+dontaudit hal_dumpstate_default vendor_charger_debugfs:dir { open };
+dontaudit hal_dumpstate_default vendor_charger_debugfs:dir { read };
+dontaudit hal_dumpstate_default vendor_charger_debugfs:dir { search };
+dontaudit hal_dumpstate_default vendor_charger_debugfs:file { getattr };
+dontaudit hal_dumpstate_default vendor_charger_debugfs:file { read };
+dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { open };
+dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { read };
+dontaudit hal_dumpstate_default vndbinder_device:chr_file { ioctl };
+dontaudit hal_dumpstate_default vndbinder_device:chr_file { map };
+dontaudit hal_dumpstate_default vndbinder_device:chr_file { open };
+dontaudit hal_dumpstate_default vndbinder_device:chr_file { write };
+dontaudit hal_dumpstate_default vndservicemanager:binder { call };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index 0864301a..13de8e91 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -1,3 +1,9 @@
 # b/207062564
 dontaudit hal_power_default sysfs:file { open };
 dontaudit hal_power_default sysfs:file { write };
+# b/208909174
+dontaudit hal_power_default hal_power_default:capability { dac_read_search };
+dontaudit hal_power_default sysfs:file { getattr };
+dontaudit hal_power_default sysfs:file { read };
+dontaudit hal_power_default sysfs_vendor_sched:file { getattr };
+dontaudit hal_power_default sysfs_vendor_sched:file { read };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
index da3d3517..67c4a537 100644
--- a/tracking_denials/hal_sensors_default.te
+++ b/tracking_denials/hal_sensors_default.te
@@ -39,3 +39,5 @@ dontaudit hal_sensors_default sensor_reg_data_file:dir { search };
 dontaudit hal_sensors_default sensor_reg_data_file:file { getattr };
 dontaudit hal_sensors_default sensor_reg_data_file:file { open };
 dontaudit hal_sensors_default sensor_reg_data_file:file { read };
+# b/208909175
+dontaudit hal_sensors_default aoc_device:chr_file { getattr };
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
index a79e1d94..58b70ca5 100644
--- a/tracking_denials/hardware_info_app.te
+++ b/tracking_denials/hardware_info_app.te
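Review bot: `dontaudit hal_dumpstate_default property_type:file *;` in the hal_dumpstate_default hunk silences every permission on every property file for this domain (`property_type` is the attribute shared by all property types), which goes far beyond the handful of observed denials and will also hide any future property access the HAL starts attempting. The same wildcard is added for incidentd in the tracking_denials/incidentd.te hunk of this commit and then kept as incidentd's only rule by commit 228. Tracking files should list the concrete `<type>:file { getattr map open }` triples that were seen, as the surrounding entries do, or at least bound the permission set: `dontaudit hal_dumpstate_default property_type:file { getattr map open };`.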
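Review bot: `dontaudit hal_power_default hal_power_default:capability { dac_read_search };` silences a capability check, which fires when the HAL opens a path its DAC identity cannot traverse; hiding it removes the one indication that the HAL is reaching into files it does not own, and the neighbouring `sysfs:file` and `sysfs_vendor_sched:file` lines suggest that is what happened. Rather than silence it, identify the path from the audit record and either fix its mode/ownership in the device init configuration or drop the access from the HAL, and record the outcome on the comment line, e.g. `# b/208909174: dac_read_search is a DAC misconfiguration on the target path, not a policy gap`.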
@@ -2,3 +2,9 @@
 dontaudit hardware_info_app sysfs:file { getattr };
 dontaudit hardware_info_app sysfs:file { open };
 dontaudit hardware_info_app sysfs:file { read };
+# b/208909060
+dontaudit hardware_info_app sysfs_batteryinfo:dir { search };
+dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
+dontaudit hardware_info_app sysfs_batteryinfo:file { open };
+dontaudit hardware_info_app sysfs_batteryinfo:file { read };
+dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
index 556c5ae0..7700a310 100644
--- a/tracking_denials/incidentd.te
+++ b/tracking_denials/incidentd.te
@@ -5,3 +5,5 @@ dontaudit incidentd aac_drc_prop:file { open };
 dontaudit incidentd ab_update_gki_prop:file { getattr };
 dontaudit incidentd ab_update_gki_prop:file { map };
 dontaudit incidentd ab_update_gki_prop:file { open };
+# b/208909270
+dontaudit incidentd property_type:file *;
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
index b36f5aef..1323e631 100644
--- a/tracking_denials/surfaceflinger.te
+++ b/tracking_denials/surfaceflinger.te
@@ -6,3 +6,7 @@ dontaudit surfaceflinger vendor_fw_file:file { open };
 dontaudit surfaceflinger vendor_fw_file:file { read };
 # b/208721808
 dontaudit surfaceflinger hal_graphics_composer_default:dir { search };
+# b/208909232
+dontaudit surfaceflinger hal_graphics_composer_default:file { getattr };
+dontaudit surfaceflinger hal_graphics_composer_default:file { open };
+dontaudit surfaceflinger hal_graphics_composer_default:file { read };
From d3d316704ec4e65fc92e40e17b405c993e470e37 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 6 Dec 2021 09:33:01 +0800 Subject: [PATCH 227/900] update error on ROM 7971030 Bug: 209329856 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I2e0c33b1fae3fcaad2ead33406d656a8a538d90d --- tracking_denials/priv_app.te | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index c966f4e6..6e133e5b 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -2,3 +2,8 @@
 dontaudit priv_app vendor_default_prop:file { getattr };
 dontaudit priv_app vendor_default_prop:file { map };
 dontaudit priv_app vendor_default_prop:file { open };
+# b/209329856
+dontaudit priv_app vendor_apex_file:dir { search };
+dontaudit priv_app vendor_apex_file:file { getattr };
+dontaudit priv_app vendor_apex_file:file { open };
+dontaudit priv_app vendor_apex_file:file { read };
From 474da130f96053e90e65e2debaf6c1f768d20219 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 6 Dec 2021 10:24:35 +0800 Subject: [PATCH 228/900] remove redundant bug incidentd always access all system property during permissive mode Bug: 208721673 Test: do bugreport with no relevant logs Change-Id: I0b5395ad5639980c0793744399d27b7eb4651afb --- tracking_denials/incidentd.te | 7 ------- 1 file changed, 7 deletions(-)
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
index 7700a310..c7dca6ee 100644
--- a/tracking_denials/incidentd.te
+++ b/tracking_denials/incidentd.te
@@ -1,9 +1,2 @@
 # b/208721673
-dontaudit incidentd aac_drc_prop:file { getattr };
-dontaudit incidentd aac_drc_prop:file { map };
-dontaudit incidentd aac_drc_prop:file { open };
-dontaudit incidentd ab_update_gki_prop:file { getattr };
-dontaudit incidentd ab_update_gki_prop:file { map };
-dontaudit incidentd ab_update_gki_prop:file { open };
-# b/208909270
 dontaudit incidentd property_type:file *;
From d69e2703f51cfb91f6d3feb6e04d24949d650f01 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Mon, 6 Dec 2021 10:36:11 +0800 Subject: [PATCH 229/900] dump hal_graphics_composer Bug: 208909191 Test: do bugreport with no relevant error logs Change-Id: I5d89e6a1a40c856d8717d07040362aec5a88fa59 --- tracking_denials/dumpstate.te | 5 ----- whitechapel_pro/dumpstate.te | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index e9bac84e..b709173a 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,11 +1,6 @@
 # b/208721809
 dontaudit dumpstate fuse:dir { search };
-dontaudit dumpstate hal_graphics_composer_default:binder { call };
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
 dontaudit dumpstate hal_uwb_vendor_default:binder { call };
 dontaudit dumpstate modem_img_file:filesystem { getattr };
-dontaudit dumpstate vendor_dmabuf_debugfs:file { open };
-dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
 dontaudit dumpstate vold:binder { call };
-# b/208909191
-dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te
index e11e8f7d..05f0b107 100644
--- a/whitechapel_pro/dumpstate.te
+++ b/whitechapel_pro/dumpstate.te
@@ -1,5 +1,13 @@
+dump_hal(hal_graphics_composer)
+
+userdebug_or_eng(`
+ allow dumpstate vendor_dmabuf_debugfs:file r_file_perms;
+')
+
 allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
 allow dumpstate persist_file:dir r_dir_perms;
 allow dumpstate modem_efs_file:dir r_dir_perms;
 allow dumpstate modem_userdata_file:dir r_dir_perms;
 allow dumpstate modem_img_file:dir r_dir_perms;
+
+dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;
From ccabcd4a24d150a7bb13b0932695e771b7cd4e80 Mon Sep 17 00:00:00 2001
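Review bot: In whitechapel_pro/dumpstate.te the new `allow dumpstate vendor_dmabuf_debugfs:file r_file_perms;` inside `userdebug_or_eng()` and the unconditional `dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;` at the bottom have no comment explaining the pairing, so a later reader may either delete the dontaudit as redundant on debug builds or add the allow on user builds where debugfs access is not meant to be granted. One comment on each settles it, e.g. `# debugfs dumps are collected on userdebug/eng builds only` above the macro and `# user builds: silence the denial instead of granting debugfs access` above the dontaudit.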
From: Adam Shih Date: Mon, 6 Dec 2021 11:27:22 +0800 Subject: [PATCH 230/900] label telephony apps Bug: 208721636 Test: boot with error log changed from system_app to right ones Change-Id: Ia65b2c8f1759866eca8fcd12dcbed4cedaa61ea2 --- tracking_denials/system_app.te | 9 --------- whitechapel_pro/seapp_contexts | 8 ++++++++ whitechapel_pro/vendor_silentlogging_remote_app.te | 4 ++++ whitechapel_pro/vendor_telephony_debug_app.te | 4 ++++ whitechapel_pro/vendor_telephony_network_test_app.te | 4 ++++ whitechapel_pro/vendor_telephony_silentlogging_app.te | 4 ++++ whitechapel_pro/vendor_telephony_test_app.te | 4 ++++ whitechapel_pro/vendor_telephony_uartswitch_app.te | 4 ++++ 8 files changed, 32 insertions(+), 9 deletions(-) delete mode 100644 tracking_denials/system_app.te create mode 100644 whitechapel_pro/vendor_silentlogging_remote_app.te create mode 100644 whitechapel_pro/vendor_telephony_debug_app.te create mode 100644 whitechapel_pro/vendor_telephony_network_test_app.te create mode 100644 whitechapel_pro/vendor_telephony_silentlogging_app.te create mode 100644 whitechapel_pro/vendor_telephony_test_app.te create mode 100644 whitechapel_pro/vendor_telephony_uartswitch_app.te
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
deleted file mode 100644
index a3d62aac..00000000
--- a/tracking_denials/system_app.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# b/208721636
-dontaudit system_app sysfs_vendor_sched:dir { search };
-dontaudit system_app vendor_default_prop:file { getattr };
-dontaudit system_app vendor_default_prop:file { map };
-dontaudit system_app vendor_default_prop:file { open };
-dontaudit system_app vendor_slog_file:dir { search };
-dontaudit system_app vendor_slog_prop:file { getattr };
-dontaudit system_app vendor_slog_prop:file { map };
-dontaudit system_app vendor_slog_prop:file { open };
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 829915c3..a82cd82e 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -6,6 +6,14 @@ user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app level
 user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
 user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
+# Samsung S.LSI telephony
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_uartswitch_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_network_test_app levelFrom=all
+
 # Hardware Info Collection
 user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
diff --git a/whitechapel_pro/vendor_silentlogging_remote_app.te b/whitechapel_pro/vendor_silentlogging_remote_app.te
new file mode 100644
index 00000000..427f44d3
--- /dev/null
+++ b/whitechapel_pro/vendor_silentlogging_remote_app.te
@@ -0,0 +1,4 @@
+type vendor_silentlogging_remote_app, domain;
+app_domain(vendor_silentlogging_remote_app)
+
+allow vendor_silentlogging_remote_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_debug_app.te b/whitechapel_pro/vendor_telephony_debug_app.te
new file mode 100644
index 00000000..946460cc
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_debug_app.te
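Review bot: The six new `user=system seinfo=platform … levelFrom=all` entries give no `type=` for the app data files, while the `hardware_info_app` entry two lines below spells out `type=app_data_file`; making the data-file type explicit keeps the block self-describing instead of relying on the parser default for system-UID apps. The entries also move platform-signed apps that share the system UID out of `system_app` into vendor-defined domains, which deserves a sentence on the block comment, e.g. `# Samsung S.LSI telephony (system UID, platform-signed; replaces the system_app denials tracked in b/208721636)`.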
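Review bot: whitechapel_pro/vendor_silentlogging_remote_app.te defines the domain with `app_domain()` and a single `app_api_service` find and nothing that names the package it labels, so the only link from domain to app is the seapp_contexts line; the same applies to the five sibling files in the following hunks (vendor_telephony_debug_app, vendor_telephony_network_test_app, vendor_telephony_silentlogging_app, vendor_telephony_test_app, vendor_telephony_uartswitch_app). A header comment per file such as `# com.samsung.slsi.telephony.silentlogging:remote (see whitechapel_pro/seapp_contexts)` would fix that. Note also that the accesses the deleted tracking_denials/system_app.te listed (`sysfs_vendor_sched`, `vendor_default_prop`, `vendor_slog_file`, `vendor_slog_prop`) are neither allowed nor tracked for the new domains, so those denials will reappear under the new names, as the commit's Test line anticipates.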
@@ -0,0 +1,4 @@
+type vendor_telephony_debug_app, domain;
+app_domain(vendor_telephony_debug_app)
+
+allow vendor_telephony_debug_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_network_test_app.te b/whitechapel_pro/vendor_telephony_network_test_app.te
new file mode 100644
index 00000000..3c34309e
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_network_test_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_network_test_app, domain;
+app_domain(vendor_telephony_network_test_app)
+
+allow vendor_telephony_network_test_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_silentlogging_app.te b/whitechapel_pro/vendor_telephony_silentlogging_app.te
new file mode 100644
index 00000000..53d1cb66
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_silentlogging_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_silentlogging_app, domain;
+app_domain(vendor_telephony_silentlogging_app)
+
+allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_test_app.te b/whitechapel_pro/vendor_telephony_test_app.te
new file mode 100644
index 00000000..ea182093
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_test_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_test_app, domain;
+app_domain(vendor_telephony_test_app)
+
+allow vendor_telephony_test_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_uartswitch_app.te b/whitechapel_pro/vendor_telephony_uartswitch_app.te
new file mode 100644
index 00000000..c0ad6054
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_uartswitch_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_uartswitch_app, domain;
+app_domain(vendor_telephony_uartswitch_app)
+
+allow vendor_telephony_uartswitch_app app_api_service:service_manager find;
From 3dad021ae8222171ad9f1a7b1b1ec655e465c658 Mon Sep 17 00:00:00 2001
From: Robb Glasser Date: Fri, 3 Dec 2021 13:26:16 -0800 Subject: [PATCH 231/900] Fix sensors hal selinux denials on C10. Bug: 205657063 Bug: 205780093 Bug: 204718449 Bug: 205904379 Bug: 207721033 Bug: 207062541 Bug: 208909175 Test: SELinuxTest#scanAvcDeniedLogRightAfterReboot on C10 Change-Id: I678ac355fc09da56bc7718c4d70fb40d4cd79de0 --- tracking_denials/hal_sensors_default.te | 43 ------------------------- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 6 ++++ whitechapel_pro/hal_sensors_default.te | 41 +++++++++++++++++++++++ 4 files changed, 48 insertions(+), 43 deletions(-) delete mode 100644 tracking_denials/hal_sensors_default.te create mode 100644 whitechapel_pro/hal_sensors_default.te
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
deleted file mode 100644
index 67c4a537..00000000
--- a/tracking_denials/hal_sensors_default.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# b/204718449
-dontaudit hal_sensors_default fwk_stats_service:service_manager { find };
-# b/205657063
-dontaudit hal_sensors_default aoc_device:chr_file { open };
-dontaudit hal_sensors_default aoc_device:chr_file { read write };
-# b/205780093
-dontaudit hal_sensors_default mnt_vendor_file:dir { search };
-dontaudit hal_sensors_default persist_file:dir { search };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { getattr };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { open };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { read };
-# b/205904379
-dontaudit hal_sensors_default chre:unix_stream_socket { connectto };
-dontaudit hal_sensors_default chre_socket:sock_file { write };
-dontaudit hal_sensors_default system_server:binder { call };
-# b/207062541
-dontaudit hal_sensors_default device:dir { open };
-dontaudit hal_sensors_default device:dir { read };
-dontaudit hal_sensors_default device:dir { watch };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { getattr };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { open };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { read };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { search };
-dontaudit hal_sensors_default persist_sensor_reg_file:file { getattr };
-dontaudit hal_sensors_default persist_sensor_reg_file:file { open };
-dontaudit hal_sensors_default persist_sensor_reg_file:file { read };
-dontaudit hal_sensors_default sysfs:file { open };
-dontaudit hal_sensors_default sysfs:file { read };
-dontaudit hal_sensors_default sysfs:file { write };
-dontaudit hal_sensors_default sysfs_aoc:dir { search };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
-dontaudit hal_sensors_default sysfs_chosen:dir { search };
-dontaudit hal_sensors_default sysfs_chosen:file { open };
-dontaudit hal_sensors_default sysfs_chosen:file { read }; -# b/207721033 -dontaudit hal_sensors_default sensor_reg_data_file:dir { search }; -dontaudit hal_sensors_default sensor_reg_data_file:file { getattr }; -dontaudit hal_sensors_default sensor_reg_data_file:file { open }; -dontaudit hal_sensors_default sensor_reg_data_file:file { read }; -# b/208909175 -dontaudit hal_sensors_default aoc_device:chr_file { getattr }; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 5de2bdf1..4c28c14d 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -41,6 +41,7 @@ type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; +type sysfs_sensors, sysfs_type, fs_type; # debugfs type debugfs_f2fs, debugfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 5b2fcd66..4e4fa0cc 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -142,3 +142,9 @@ genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0 #SecureElement genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 +# Sensors HAL +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_sensors:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/brightness u:object_r:sysfs_sensors:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_sensors:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/state u:object_r:sysfs_sensors:s0 + diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te new file mode 100644 index 00000000..8cd69b22 --- /dev/null 
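Review bot: The four panel0-backlight nodes labeled here (`als_table`, `brightness`, `local_hbm_mode`, `state`) are display-control attributes, yet the genfs_contexts lines give them the sensor-oriented type `sysfs_sensors`, so every domain that is later granted `sysfs_sensors` access also gets a path to the panel's brightness and HBM controls. A display-specific type (reusing the existing `sysfs_display`, or a new `sysfs_display_backlight`) would let the sensor HAL be granted read on `als_table`/`state` without the label doubling as a write path to the panel. Later commits in this same series already show the graphics composer, power-stats HAL and rlsservice asking for `sysfs_sensors` on these nodes, which is a sign the label is mis-scoped from the start.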
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -0,0 +1,41 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow access to CHRE socket to connect to nanoapps.
+allow hal_sensors_default chre:unix_stream_socket connectto;
+allow hal_sensors_default chre_socket:sock_file write;
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;
+
+# Allow SensorSuez to connect AIDL stats.
+allow hal_sensors_default fwk_stats_service:service_manager find;
+
+# Allow reading of sensor registry persist files and camera persist files.
+allow hal_sensors_default mnt_vendor_file:dir search;
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default persist_file:file r_file_perms;
+allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
+allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir r_dir_perms;
+
+# Allow access to the display info for ALS.
+allow hal_sensors_default sysfs_sensors:file rw_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc:dir search;
+allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
+
+# Allow access to the files of CDT information.
+allow hal_sensors_default sysfs_chosen:dir search;
+allow hal_sensors_default sysfs_chosen:file r_file_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
From 82e4faa61a4f0757a70c59828654a873a68ad557 Mon Sep 17 00:00:00 2001
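Review bot: `allow hal_sensors_default sysfs_sensors:file rw_file_perms;` gives the sensor HAL write access to the panel backlight `brightness` and `local_hbm_mode` nodes that genfs_contexts labels `sysfs_sensors` in this same commit, while the comment above it only justifies reading display info for ALS; unless the HAL actually writes one of those nodes this should be `allow hal_sensors_default sysfs_sensors:file r_file_perms;`. `allow hal_sensors_default persist_file:file r_file_perms;` likewise lets the HAL read every file that still carries the generic persist label, and the "camera persist files" the comment cites have no dedicated type in this commit, so a `persist_camera_file` type with its own allow would be the narrower grant. The comment `# Allow creation and writing of sensor registry data files.` also disagrees with the single rule under it, which grants only `r_dir_perms` on `sensor_reg_data_file:dir`; either the comment or the rule needs correcting so the next reader does not widen the rule to match the comment.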
From: Adam Shih Date: Wed, 8 Dec 2021 11:05:24 +0800 Subject: [PATCH 232/900] update error on ROM 7978521 Bug: 209705194 Bug: 209704948 Bug: 209703854 Bug: 209705394 Bug: 209705335 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Id30e22a1d210f1aabdf8014cef5c5e009e00199c --- tracking_denials/hal_graphics_composer_default.te | 4 ++++ tracking_denials/hal_power_stats_default.te | 3 +++ tracking_denials/priv_app.te | 6 ++++++ tracking_denials/rlsservice.te | 3 +++ tracking_denials/system_suspend.te | 6 ++++++ 5 files changed, 22 insertions(+) create mode 100644 tracking_denials/system_suspend.te diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te index 87535c37..71e93ce4 100644 --- a/tracking_denials/hal_graphics_composer_default.te +++ b/tracking_denials/hal_graphics_composer_default.te @@ -31,3 +31,7 @@ dontaudit hal_graphics_composer_default sysfs_display:file { write }; # b/208721526 dontaudit hal_graphics_composer_default dumpstate:fd { use }; dontaudit hal_graphics_composer_default dumpstate:fifo_file { write }; +# b/209705194 +dontaudit hal_graphics_composer_default sysfs_sensors:file { getattr }; +dontaudit hal_graphics_composer_default sysfs_sensors:file { open }; +dontaudit hal_graphics_composer_default sysfs_sensors:file { write }; diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index ff6abb06..bd54b733 100644 --- a/tracking_denials/hal_power_stats_default.te +++ b/tracking_denials/hal_power_stats_default.te @@ -25,3 +25,6 @@ dontaudit hal_power_stats_default sysfs_wifi:dir { search }; dontaudit hal_power_stats_default sysfs_wifi:file { getattr }; dontaudit hal_power_stats_default sysfs_wifi:file { open }; dontaudit hal_power_stats_default sysfs_wifi:file { read }; +# b/209704948 +dontaudit hal_power_stats_default sysfs_sensors:file { open }; +dontaudit hal_power_stats_default sysfs_sensors:file { read }; 
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index 6e133e5b..f57731e9 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -7,3 +7,9 @@ dontaudit priv_app vendor_apex_file:dir { search }; dontaudit priv_app vendor_apex_file:file { getattr }; dontaudit priv_app vendor_apex_file:file { open }; dontaudit priv_app vendor_apex_file:file { read }; +# b/209703854 +dontaudit priv_app vendor_file:file { execute }; +dontaudit priv_app vendor_file:file { getattr }; +dontaudit priv_app vendor_file:file { map }; +dontaudit priv_app vendor_file:file { open }; +dontaudit priv_app vendor_file:file { read }; diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te index 604af460..e0a6630a 100644 --- a/tracking_denials/rlsservice.te +++ b/tracking_denials/rlsservice.te @@ -22,3 +22,6 @@ dontaudit rlsservice device:dir { read }; dontaudit rlsservice device:dir { watch }; dontaudit rlsservice sysfs:file { open }; dontaudit rlsservice sysfs:file { read }; +# b/209705394 +dontaudit rlsservice sysfs_sensors:file { open }; +dontaudit rlsservice sysfs_sensors:file { read }; diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te new file mode 100644 index 00000000..d8120564 --- /dev/null +++ b/tracking_denials/system_suspend.te @@ -0,0 +1,6 @@ +# b/209705335 +dontaudit system_suspend_server sysfs:dir { open }; +dontaudit system_suspend_server sysfs:dir { read }; +dontaudit system_suspend_server sysfs:file { getattr }; +dontaudit system_suspend_server sysfs:file { open }; +dontaudit system_suspend_server sysfs:file { read }; From 1fb766e7a33efabdbc79145ff4a3613908eb7be8 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 8 Dec 2021 13:16:07 +0800 Subject: [PATCH 233/900] update system_suspend wakeup files Bug: 209705335 Test: boot with no relevant errors Change-Id: I8d9d9b72449319184167790859c655e0695c4c98 --- tracking_denials/system_suspend.te | 6 ------ whitechapel_pro/genfs_contexts | 5 +++++ 2 files changed, 5 insertions(+), 6 deletions(-) delete mode 100644 tracking_denials/system_suspend.te diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te deleted file mode 100644 index d8120564..00000000 --- a/tracking_denials/system_suspend.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/209705335 -dontaudit system_suspend_server sysfs:dir { open }; -dontaudit system_suspend_server sysfs:dir { read }; -dontaudit system_suspend_server sysfs:file { getattr }; -dontaudit system_suspend_server sysfs:file { open }; -dontaudit system_suspend_server sysfs:file { read }; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 4e4fa0cc..c82d97a6 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -138,6 +138,11 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 #SecureElement genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 From 4820dcfdba2437212e13e2404c2cd3704b9f181b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Dec 2021 13:17:52 +0800 Subject: [PATCH 234/900] make libraries app-reachable Bug: 209703854 Test: Boot with no relevant errors Change-Id: I5f0d6ed1b578d1684c476bc07d81baaf91005bc6 --- tracking_denials/priv_app.te | 6 ------ whitechapel_pro/file_contexts | 3 +++ 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index f57731e9..6e133e5b 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te 
@@ -7,9 +7,3 @@ dontaudit priv_app vendor_apex_file:dir { search }; dontaudit priv_app vendor_apex_file:file { getattr }; dontaudit priv_app vendor_apex_file:file { open }; dontaudit priv_app vendor_apex_file:file { read }; -# b/209703854 -dontaudit priv_app vendor_file:file { execute }; -dontaudit priv_app vendor_file:file { getattr }; -dontaudit priv_app vendor_file:file { map }; -dontaudit priv_app vendor_file:file { open }; -dontaudit priv_app vendor_file:file { read }; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c838b478..53f74a87 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -52,6 +52,9 @@ /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 # Vendor kernel modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 From 6004d5876013f786408647d22f481f68d7b2f7a8 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Dec 2021 13:19:38 +0800 Subject: [PATCH 235/900] label camera app Bug: 209329856 Test: boot with google camera's label changed Change-Id: Iff83bf8f42f9e6f9588fc5f45852a11608dc4445 --- tracking_denials/priv_app.te | 5 ----- whitechapel_pro/certs/app.x509.pem | 27 +++++++++++++++++++++++++++ whitechapel_pro/google_camera_app.te | 4 ++++ whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ whitechapel_pro/seapp_contexts | 4 ++++ 6 files changed, 41 insertions(+), 5 deletions(-) create mode 100644 whitechapel_pro/certs/app.x509.pem create mode 100644 whitechapel_pro/google_camera_app.te 
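Review bot: Labeling `vendor-pixelatoms-cpp.so` and `libprotobuf-cpp-lite-3.9.1.so` as `same_process_hal_file` is broader than the priv_app denial it replaces suggests: as I understand the platform policy, that type is the one app domains in general may map and execute from /vendor, and it is intended for same-process HAL libraries and their direct dependencies rather than general-purpose protobuf or atoms libraries. If a single privileged app needs these objects, a dedicated type with an explicit allow to that app's domain keeps them out of the untrusted-app load path. At minimum a comment on these three lines should record which app and which SP-HAL justify the label, e.g. `# loaded by <app> via android.frameworks.stats-V1-ndk (b/209703854)`.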
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index 6e133e5b..c966f4e6 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -2,8 +2,3 @@ dontaudit priv_app vendor_default_prop:file { getattr }; dontaudit priv_app vendor_default_prop:file { map }; dontaudit priv_app vendor_default_prop:file { open }; -# b/209329856 -dontaudit priv_app vendor_apex_file:dir { search }; -dontaudit priv_app vendor_apex_file:file { getattr }; -dontaudit priv_app vendor_apex_file:file { open }; -dontaudit priv_app vendor_apex_file:file { read }; diff --git a/whitechapel_pro/certs/app.x509.pem b/whitechapel_pro/certs/app.x509.pem new file mode 100644 index 00000000..8e3e6273 --- /dev/null +++ b/whitechapel_pro/certs/app.x509.pem 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g +VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE +AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe +Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G +A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p +ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI +hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR +24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy +xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X +W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC +69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA +cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw +HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c +xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE +CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH +QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG +CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud +EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP +zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla +XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a +IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a +ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW +Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs= +-----END CERTIFICATE----- diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te new file mode 100644 index 00000000..df2e4699 --- /dev/null +++ b/whitechapel_pro/google_camera_app.te 
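Review bot: The certificate checked in as `app.x509.pem` appears, from its DER contents, to be the well-known AOSP test certificate (subject and issuer `CN=Android, emailAddress=android@android.com`, serial `d5:85:b8:6c:7d:d3:4e:f5`, valid 2008-04-15 to 2035-09-01, signed with md5WithRSAEncryption); if so, its private key is published in the AOSP tree. Because the next hunk maps this certificate to the `google` seinfo that places `com.google.android.GoogleCamera` into `google_camera_app`, any party holding that public test key can produce a package that qualifies for the domain on a build where the certificate is not replaced. Please confirm that the release signing step substitutes the production camera certificate for this pem, and record that expectation next to the entry, e.g. `# dev cert; replaced with the release signing cert at sign_target_files time` in keys.conf, or check in the production certificate directly.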
@@ -0,0 +1,4 @@ +type google_camera_app, domain, coredomain; +app_domain(google_camera_app) + +allow google_camera_app app_api_service:service_manager find; diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index c8154db0..80522c4e 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -1,3 +1,6 @@ +[@GOOGLE] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem + [@MDS] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 6cb7113c..821f660c 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -21,6 +21,9 @@ - The default tag is consulted last if needed. --> + + + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index a82cd82e..4abc2c39 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -49,3 +49,7 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user + +# Google Camera +user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all + From 60633eef542c331ba2427566b2e6965bedd3282b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 9 Dec 2021 11:02:26 +0800 Subject: [PATCH 236/900] update error on ROM 7982728 Bug: 209889068 Bug: 209890345 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I6177759eeaf641c0515db9f070a20c343ee740ac --- tracking_denials/google_camera_app.te | 10 ++++++++++ tracking_denials/hal_graphics_composer_default.te | 3 +++ 2 files changed, 13 insertions(+) create mode 100644 tracking_denials/google_camera_app.te 
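Review bot: `[@GOOGLE] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem` applies one certificate to every build variant, including USER, and the seapp_contexts line relies on it (`seinfo=google`, together with `isPrivApp=true` and the package name) to select `google_camera_app`. If the pem is a development certificate, per-variant entries (`ENG`/`USERDEBUG` pointing at the dev cert, `USER` at the production cert) are safer than `ALL`, unless replacement at signing time is guaranteed. The mac_permissions.xml stanza that binds the `google` seinfo to this certificate is blank in this rendering (three empty `+` lines), so its `signer`/`seinfo` content cannot be reviewed from this page.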
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
new file mode 100644
index 00000000..a4661e61
--- /dev/null
+++ b/tracking_denials/google_camera_app.te
@@ -0,0 +1,10 @@
+# b/209889068
+dontaudit google_camera_app cameraserver_service:service_manager { find };
+dontaudit google_camera_app edgetpu_app_service:service_manager { find };
+dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
+dontaudit google_camera_app edgetpu_device:chr_file { map };
+dontaudit google_camera_app edgetpu_device:chr_file { read write };
+dontaudit google_camera_app mediaserver_service:service_manager { find };
+dontaudit google_camera_app vendor_default_prop:file { getattr };
+dontaudit google_camera_app vendor_default_prop:file { map };
+dontaudit google_camera_app vendor_default_prop:file { open };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
index 71e93ce4..88c6aaba 100644
--- a/tracking_denials/hal_graphics_composer_default.te
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -35,3 +35,6 @@ dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };
 dontaudit hal_graphics_composer_default sysfs_sensors:file { getattr };
 dontaudit hal_graphics_composer_default sysfs_sensors:file { open };
 dontaudit hal_graphics_composer_default sysfs_sensors:file { write };
+# b/209890345
+dontaudit hal_graphics_composer_default sysfs_display:file { getattr };
+dontaudit hal_graphics_composer_default sysfs_display:file { open };
From a4f16bf147d279040cd070ec5961d7b7e57fc590 Mon Sep 17 00:00:00 2001
From: Midas Chien Date: Wed, 8 Dec 2021 19:53:37 +0800 Subject: [PATCH 237/900] allow hwc to access sysfs_display Bug: 207615889 Test: check avc denials while hwc access early wakeup node Change-Id: I453e50de739c31b1075f81fb4c1195a5dffd4d75 --- whitechapel_pro/hal_graphics_composer_default.te | 2 ++ 1 file changed, 2 insertions(+)
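Review bot: The `dontaudit google_camera_app edgetpu_device:chr_file { ioctl }` / `{ map }` / `{ read write }` lines silence a denial that shows the camera app opening the EdgeTPU device node directly, which is a policy decision rather than log noise: either the app is expected to reach the accelerator through `edgetpu_app_service` (also listed here), in which case the chr_file denials should stay audited until the app is fixed, or direct device access is intended and belongs in `whitechapel_pro/google_camera_app.te` as an explicit allow with a justification. The tracking files in this tree carry only a bug id, so a one-line note such as `# direct edgetpu_device access is not to be allowed; app must use edgetpu_app_service` on these lines would keep the dontaudit from being promoted to an allow later. The `vendor_default_prop:file` lines are the usual property-file noise and need no decision.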
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te index 2f4e7eed..84d923f6 100644 --- a/whitechapel_pro/hal_graphics_composer_default.te +++ b/whitechapel_pro/hal_graphics_composer_default.te @@ -5,3 +5,5 @@ add_service(hal_graphics_composer_default, vendor_displaycolor_service) add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) add_service(hal_graphics_composer_default, hal_pixel_display_service) +allow hal_graphics_composer_default sysfs_display:dir search; +allow hal_graphics_composer_default sysfs_display:file rw_file_perms; From 8bae2535016e9fbe47eede60b8b6bf76911f8d7b Mon Sep 17 00:00:00 2001 From: Shiyong Li Date: Thu, 9 Dec 2021 00:06:28 +0000 Subject: [PATCH 238/900] allow android.hardware.power.stats-service.pixel to access display sysfs Fix the follwoing violations: avc: denied { read } for name="state" dev="sysfs" ino=68654 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_sensors:s0 tclass=file ... avc: denied { open } for path= "/sys/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/state" dev="sysfs" ino=68654 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_sensors:s0 tclass=file Bug: 209704948 Change-Id: Iad586164811457d09f6c0e81c67c0f217b77ccc2 Signed-off-by: Shiyong Li --- tracking_denials/hal_power_stats_default.te | 3 --- whitechapel_pro/hal_power_stats_default.te | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index bd54b733..ff6abb06 100644 --- a/tracking_denials/hal_power_stats_default.te +++ b/tracking_denials/hal_power_stats_default.te 
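Review bot: `allow hal_graphics_composer_default sysfs_display:file rw_file_perms;` grants read/write on every file carrying the `sysfs_display` label, while the commit message names only the early-wakeup node as the reason. A comment on the line recording what is written (`# write early_wakeup node, b/207615889`) makes the grant reviewable, and if that is the only node the composer writes, labeling it separately keeps write access off the rest of the display sysfs tree.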
@@ -25,6 +25,3 @@ dontaudit hal_power_stats_default sysfs_wifi:dir { search }; dontaudit hal_power_stats_default sysfs_wifi:file { getattr }; dontaudit hal_power_stats_default sysfs_wifi:file { open }; dontaudit hal_power_stats_default sysfs_wifi:file { read }; -# b/209704948 -dontaudit hal_power_stats_default sysfs_sensors:file { open }; -dontaudit hal_power_stats_default sysfs_sensors:file { read }; diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te index f49572cc..389437aa 100644 --- a/whitechapel_pro/hal_power_stats_default.te +++ b/whitechapel_pro/hal_power_stats_default.te @@ -1,2 +1,5 @@ allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms; + +# allowed to access dislay stats sysfs node +allow hal_power_stats_default sysfs_sensors:file r_file_perms; From deb9d361cd2f586a183edc69615b6f5e005be96a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 9 Dec 2021 16:30:37 -0800 Subject: [PATCH 239/900] Add sepolicy for camera persist files. Bug: 208866457 Test: Verified label for /mnt/vendor/persist/camera on P10 Change-Id: Id4af051ea2e783bed7cabfd2be80bdac994a11ab --- whitechapel_pro/file.te | 6 +++--- whitechapel_pro/file_contexts | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4c28c14d..ab8e7bce 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
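Review bot: The comment `# allowed to access dislay stats sysfs node` has a typo and does not say which node is read; the denials quoted in the commit message are for `panel0-backlight/state` only, whereas `sysfs_sensors` also covers `als_table`, `brightness` and `local_hbm_mode`. Changing it to `# read panel0-backlight/state for display power stats (b/209704948)` records the actual need, and `r_file_perms` is the right scope for it.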
@@ -59,10 +59,11 @@ type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; # persist -type persist_modem_file, file_type, vendor_persist_type; -type persist_ss_file, file_type, vendor_persist_type; type persist_battery_file, file_type, vendor_persist_type; +type persist_camera_file, file_type, vendor_persist_type; +type persist_modem_file, file_type, vendor_persist_type; type persist_sensor_reg_file, file_type, vendor_persist_type; +type persist_ss_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; # CHRE @@ -82,4 +83,3 @@ type modem_userdata_file, file_type; # SecureElement type sysfs_st33spi, sysfs_type, fs_type; - diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 53f74a87..0920f239 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -195,10 +195,11 @@ /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 # Persist -/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 -/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 +/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 +/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 +/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 # Extra mount images From 0d52e28b50f9deb652ea0c66ffccdeaa756b05a3 Mon Sep 17 00:00:00 2001 
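Review bot: The new `persist_camera_file` type is introduced in file.te and applied to `/mnt/vendor/persist/camera(/.*)?` in file_contexts, but no domain is granted access to it in this commit, so any process that previously reached those files through the generic persist label (the sensor HAL was given `persist_file:file r_file_perms` for "camera persist files" earlier in this series) loses access at the relabel. Pairing the relabel with the intended `allow hal_camera_default persist_camera_file:dir r_dir_perms;` and matching file rules (and deciding explicitly whether the sensor HAL should keep reading camera persist data) avoids the follow-up denials being parked in tracking_denials.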
From: chungkai Date: Wed, 8 Dec 2021 10:40:02 +0000 Subject: [PATCH 240/900] Fix avc denials for permissioncontroller_app avc: denied { search } for name="vendor_sched" dev="sysfs" ino=46151 scontext=u:r:permissioncontroller_app:s0:c240,c256,c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=dir permissive=1 app=com.google.android.permissioncontroller Test: boot to home Bug: 208909174 Signed-off-by: chungkai Change-Id: I4fb27d02318459546eded3cf15da380d26477ef2 --- private/permissioncontroller_app.te | 2 ++ tracking_denials/permissioncontroller_app.te | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) create mode 100644 private/permissioncontroller_app.te delete mode 100644 tracking_denials/permissioncontroller_app.te diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te new file mode 100644 index 00000000..6a4b6fd4 --- /dev/null +++ b/private/permissioncontroller_app.te @@ -0,0 +1,2 @@ +allow permissioncontroller_app sysfs_vendor_sched:dir r_dir_perms; +allow permissioncontroller_app sysfs_vendor_sched:file w_file_perms; diff --git a/tracking_denials/permissioncontroller_app.te b/tracking_denials/permissioncontroller_app.te deleted file mode 100644 index 4aa2b9c9..00000000 --- a/tracking_denials/permissioncontroller_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/208721707 -#dontaudit permissioncontroller_app sysfs_vendor_sched:dir { search }; From 233cdab535b2d1fcdde76b1fc9494f2d4ed716ef Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 10 Dec 2021 11:39:11 +0800 Subject: [PATCH 241/900] update error on ROM 7987555 Bug: 210067468 Bug: 210067282 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I921568297189f2c90951448a2f15f7fb8e597dfc --- tracking_denials/hal_camera_default.te | 2 ++ tracking_denials/hal_sensors_default.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 tracking_denials/hal_sensors_default.te 
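Review bot: The rules in `private/permissioncontroller_app.te` grant more than the denial quoted in the commit message, which shows only `search` on `sysfs_vendor_sched:dir`: the new file adds `r_dir_perms` on the directory and `w_file_perms` on its files, i.e. write access to vendor scheduler tunables from an app process. If the permission controller really writes a node there, the rule should name it and why (`# writes <node> for ..., b/208909174`); if it only needs to traverse the directory, `allow permissioncontroller_app sysfs_vendor_sched:dir search;` alone closes the denial. The deleted tracking file had its dontaudit commented out, so the denial was never suppressed, which is a good reason not to over-grant here.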
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index a9d13c62..5424bf1a 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te @@ -50,3 +50,5 @@ dontaudit hal_camera_default property_socket:sock_file { write }; dontaudit hal_camera_default system_server:binder { call }; # b/207300298 dontaudit hal_camera_default vendor_camera_data_file:file { getattr }; +# b/210067468 +dontaudit hal_camera_default persist_camera_file:dir { search }; diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te new file mode 100644 index 00000000..45036f7e --- /dev/null +++ b/tracking_denials/hal_sensors_default.te @@ -0,0 +1,2 @@ +# b/210067282 +dontaudit hal_sensors_default persist_camera_file:dir { search }; From 8edf4a3e831d13fcb01b9ac00309b401dfde78e4 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Dec 2021 11:41:59 +0800 Subject: [PATCH 242/900] update error on ROM 7993545 Bug: 210363983 Bug: 210363938 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I41b6acd2513bc031efe128be8154b1e1aacfcd8b --- tracking_denials/clatd.te | 3 +++ tracking_denials/priv_app.te | 5 +++++ 2 files changed, 8 insertions(+) create mode 100644 tracking_denials/clatd.te diff --git a/tracking_denials/clatd.te b/tracking_denials/clatd.te new file mode 100644 index 00000000..3c27ad97 --- /dev/null +++ b/tracking_denials/clatd.te @@ -0,0 +1,3 @@ +# b/210363983 +#dontaudit clatd netd:rawip_socket { read write }; +#dontaudit clatd netd:rawip_socket { setopt }; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index c966f4e6..b956419b 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te 
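Review bot: `tracking_denials/clatd.te` is added with both `dontaudit clatd netd:rawip_socket` rules commented out, so the file is a no-op and records nothing about why the denial cannot be tracked here (presumably because clatd and netd are both core domains and the rule is not expressible from this policy directory, but that is inferred). A short comment such as `# b/210363983: core-domain denial, must be handled in platform policy` keeps the next reader from simply uncommenting the lines. The two `persist_camera_file:dir { search }` dontaudits in the same commit likewise defer a decision that the relabel in the previous commit created; an explicit allow or an explicit "no" is preferable to a silent dontaudit for the camera and sensor HALs.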
@@ -2,3 +2,8 @@ dontaudit priv_app vendor_default_prop:file { getattr }; dontaudit priv_app vendor_default_prop:file { map }; dontaudit priv_app vendor_default_prop:file { open }; +# b/210363938 +dontaudit priv_app vendor_apex_file:dir { search }; +dontaudit priv_app vendor_apex_file:file { getattr }; +dontaudit priv_app vendor_apex_file:file { open }; +dontaudit priv_app vendor_apex_file:file { read }; From 361962851f78ea4ca4d3bf72932e5df6012535d7 Mon Sep 17 00:00:00 2001 From: gwenlin Date: Fri, 3 Dec 2021 11:32:51 -0500 Subject: [PATCH 243/900] Add permission for binding rild and grilservice Bug: 208371668 Test: build Change-Id: Ib5310032194fc4a13326db5002060a204d5f5b27 --- whitechapel_pro/grilservice_app.te | 2 ++ whitechapel_pro/rild.te | 1 + 2 files changed, 3 insertions(+) diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te index 50ff22a5..6e0dd667 100644 --- a/whitechapel_pro/grilservice_app.te +++ b/whitechapel_pro/grilservice_app.te @@ -6,7 +6,9 @@ allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find allow grilservice_app hal_radioext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; +allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find; binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) binder_call(grilservice_app, hal_audiometricext_default) +binder_call(grilservice_app, rild) diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index d30f4a91..4516c17c 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te 
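Review bot: `allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;` together with `binder_call(grilservice_app, rild)` lets this app domain talk to the RIL daemon directly over its HwBinder interface rather than through the framework telephony service, which is the boundary that normally applies per-request permission checks. That is a meaningful widening of what an app process can ask the modem to do, so the seapp_contexts entry for `grilservice_app` (outside this hunk) should bind the domain to a specific signing certificate with `isPrivApp=true`, and a comment on these lines should state which RIL calls the app needs. The commit message lists only "build" as the test; a denial log or a sentence on the use case would help future reviewers judge the grant.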
@@ -20,6 +20,7 @@ binder_call(rild, hal_audio_default) binder_call(rild, modem_svc_sit) binder_call(rild, oemrilservice_app) binder_call(rild, hal_secure_element_uicc) +binder_call(rild, grilservice_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) From 7fd619a67ce0c77b9862e46276da472d03e84472 Mon Sep 17 00:00:00 2001 From: Joel Galenson Date: Tue, 21 Dec 2021 07:37:30 -0800 Subject: [PATCH 244/900] Include core policy OWNERS Test: None Change-Id: Ic8704a9152985ed5046abc5abbd0890808b7fe95 --- OWNERS | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/OWNERS b/OWNERS index a24d5fb4..791abb4a 100644 --- a/OWNERS +++ b/OWNERS @@ -1,11 +1,3 @@ -adamshih@google.com -alanstokes@google.com -bowgotsai@google.com -jbires@google.com -jeffv@google.com -jgalenson@google.com -jiyong@google.com +include platform/system/sepolicy:/OWNERS + rurumihong@google.com -sspatil@google.com -smoreland@google.com -trong@google.com From 02775432c278b212ad34c4f64d27622d9d64e52e Mon Sep 17 00:00:00 2001 
From: neoyu Date: Mon, 27 Dec 2021 10:33:25 +0800 Subject: [PATCH 245/900] Fix SELinux errors for vendor_rcs_app avc: denied { call } for comm="nnon.rcsservice" scontext=u:r:vendor_rcs_app:s0:c193,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.shannon.rcsservice nnon.rcsservice: type=1400 audit(0.0:116): avc: denied { call } for scontext=u:r:vendor_rcs_app:s0:c193,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.shannon.rcsservice avc: denied { transfer } for scontext=u:r:vendor_rcs_app:s0:c193,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.shannon.rcsservice avc: denied { transfer } for comm="nnon.rcsservice" scontext=u:r:vendor_rcs_app:s0:c193,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.shannon.rcsservice Bug: 205904435 Test: manual Change-Id: Ia988e89ac3ccb543cefabfc289e446db09e01c2b --- tracking_denials/vendor_rcs_app.te | 5 ----- whitechapel_pro/vendor_rcs_app.te | 3 +++ 2 files changed, 3 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/vendor_rcs_app.te diff --git a/tracking_denials/vendor_rcs_app.te b/tracking_denials/vendor_rcs_app.te deleted file mode 100644 index 7c6042eb..00000000 --- a/tracking_denials/vendor_rcs_app.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/205779581 -dontaudit vendor_rcs_app radio_service:service_manager { find }; -# b/205904435 -dontaudit vendor_rcs_app rild:binder { call }; -dontaudit vendor_rcs_app rild:binder { transfer }; diff --git a/whitechapel_pro/vendor_rcs_app.te b/whitechapel_pro/vendor_rcs_app.te index f3fe4f3d..b0a46284 100644 --- a/whitechapel_pro/vendor_rcs_app.te +++ b/whitechapel_pro/vendor_rcs_app.te @@ -2,4 +2,7 @@ type vendor_rcs_app, domain; app_domain(vendor_rcs_app) allow vendor_rcs_app app_api_service:service_manager find; +allow vendor_rcs_app radio_service:service_manager find; allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find; + +binder_call(vendor_rcs_app, rild) 
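Review bot: `allow vendor_rcs_app radio_service:service_manager find;` grants lookup of every service labelled radio_service, while the denial quoted in the commit message names a single service (`name=isub`); radio_service is a core type, so a narrower label is probably not available, but the rule should record what it is actually for, e.g. `# b/205779581: look up isub (see avc log in the commit)`. The same unannotated radio_service find is added for vendor_ims_app in PATCH 246 (whitechapel_pro/vendor_ims_app.te) and for vendor_rcs_service_app in PATCH 259. The paired `binder_call(vendor_rcs_app, rild)` here and in PATCH 246 only covers app-to-rild calls; rild's calls back into these apps are granted separately in PATCH 247.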
From 186040a5e9f844cc77d01f6be6e42c5da01c7cd5 Mon Sep 17 00:00:00 2001 From: neoyu Date: Mon, 27 Dec 2021 11:58:19 +0800 Subject: [PATCH 246/900] Fix SELinux errors for vendor_ims_app avc: denied { find } for pid=1813 uid=10213 name=isub scontext=u:r:vendor_ims_app:s0:c213,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1 avc: denied { call } for scontext=u:r:vendor_ims_app:s0:c213,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.shannon.imsservice avc: denied { transfer } for comm="nnon.imsservice" scontext=u:r:vendor_ims_app:s0:c213,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.shannon.imsservice avc: denied { transfer } for scontext=u:r:vendor_ims_app:s0:c213,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.shannon.imsservice avc: denied { call } for comm="nnon.imsservice" scontext=u:r:vendor_ims_app:s0:c213,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.shannon.imsservice avc: denied { call } for comm="ImsConnectivity" scontext=u:r:vendor_ims_app:s0:c213,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.shannon.imsservice Bug: 205780067 Bug: 205904439 Test: manual Change-Id: I50b0861994f19801068a2559ac35521095a18339 --- tracking_denials/vendor_ims_app.te | 5 ----- whitechapel_pro/vendor_ims_app.te | 3 +++ 2 files changed, 3 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/vendor_ims_app.te diff --git a/tracking_denials/vendor_ims_app.te b/tracking_denials/vendor_ims_app.te deleted file mode 100644 index 9ef9ca82..00000000 --- a/tracking_denials/vendor_ims_app.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/205780067 -dontaudit vendor_ims_app radio_service:service_manager { find }; -# b/205904439 -dontaudit vendor_ims_app rild:binder { call }; -dontaudit vendor_ims_app rild:binder { transfer }; 
diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te index bdbba20d..9325a2b7 100644 --- a/whitechapel_pro/vendor_ims_app.te +++ b/whitechapel_pro/vendor_ims_app.te @@ -3,3 +3,6 @@ app_domain(vendor_ims_app) allow vendor_ims_app app_api_service:service_manager find; allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; +allow vendor_ims_app radio_service:service_manager find; + +binder_call(vendor_ims_app, rild) From ad89088b6ea2c974a647ab43d4523e5da8229b68 Mon Sep 17 00:00:00 2001 From: neoyu Date: Tue, 28 Dec 2021 14:32:42 +0800 Subject: [PATCH 247/900] Fix SELinux errors for rild avc: denied { call } for comm="rild_exynos" scontext=u:r:rild:s0 tcontext=u:r:vendor_ims_app:s0:c213,c256,c512,c768 tclass=binder permissive=1 avc: denied { call } for comm="rild_exynos" scontext=u:r:rild:s0 tcontext=u:r:vendor_rcs_app:s0:c193,c256,c512,c768 tclass=binder permissive=1 Bug: 205904441 Test: manual Change-Id: I02339f8d7ef7004091244c9c8708a759da05d751 --- tracking_denials/rild.te | 3 --- whitechapel_pro/rild.te | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te index cb423e91..875d5d24 100644 --- a/tracking_denials/rild.te +++ b/tracking_denials/rild.te @@ -4,6 +4,3 @@ dontaudit rild vendor_persist_config_default_prop:file { getattr }; dontaudit rild vendor_persist_config_default_prop:file { map }; dontaudit rild vendor_persist_config_default_prop:file { open }; dontaudit rild vendor_persist_config_default_prop:file { read }; -# b/205904441 -dontaudit rild vendor_ims_app:binder { call }; -dontaudit rild vendor_rcs_app:binder { call }; diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 4516c17c..4ccc6ccb 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te 
@@ -18,6 +18,8 @@ binder_call(rild, bipchmgr) binder_call(rild, gpsd) binder_call(rild, hal_audio_default) binder_call(rild, modem_svc_sit) +binder_call(rild, vendor_ims_app) +binder_call(rild, vendor_rcs_app) binder_call(rild, oemrilservice_app) binder_call(rild, hal_secure_element_uicc) binder_call(rild, grilservice_app) From 66f8039b5d938c884171e66d3986e8ae61d02f02 Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Fri, 24 Dec 2021 14:49:47 +0800 Subject: [PATCH 248/900] HardwareInfo: Add sepolicy for battery 12-03 09:57:39.480 7907 7907 I id.hardwareinfo: type=1400 audit(0.0:11): avc: denied { getattr } for path="/sys/devices/platform/google,battery/power_supply/battery/serial_number" dev="sysfs" ino=66176 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 12-03 09:57:39.480 7907 7907 I id.hardwareinfo: type=1400 audit(0.0:10): avc: denied { open } for path="/sys/devices/platform/google,battery/power_supply/battery/serial_number" dev="sysfs" ino=66176 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 12-03 09:57:39.480 7907 7907 I id.hardwareinfo: type=1400 audit(0.0:9): avc: denied { read } for name="serial_number" dev="sysfs" ino=66176 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 Bug:208909060 Test: adb bugreport Change-Id: Ide376401ada800718acf35db11ce79a5e63fe75d Signed-off-by: Ted Lin --- tracking_denials/hardware_info_app.te | 4 ---- whitechapel_pro/hardware_info_app.te | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te index 58b70ca5..1c5ae7ed 100644 --- a/tracking_denials/hardware_info_app.te +++ b/tracking_denials/hardware_info_app.te 
@@ -3,8 +3,4 @@ dontaudit hardware_info_app sysfs:file { getattr }; dontaudit hardware_info_app sysfs:file { open }; dontaudit hardware_info_app sysfs:file { read }; # b/208909060 -dontaudit hardware_info_app sysfs_batteryinfo:dir { search }; -dontaudit hardware_info_app sysfs_batteryinfo:file { getattr }; -dontaudit hardware_info_app sysfs_batteryinfo:file { open }; -dontaudit hardware_info_app sysfs_batteryinfo:file { read }; dontaudit hardware_info_app vendor_regmap_debugfs:dir { search }; diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te index d89c53ab..57a90358 100644 --- a/whitechapel_pro/hardware_info_app.te +++ b/whitechapel_pro/hardware_info_app.te @@ -9,3 +9,7 @@ allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; # Audio allow hardware_info_app sysfs_pixelstats:file r_file_perms; + +# Batteryinfo +allow hardware_info_app sysfs_batteryinfo:dir search; +allow hardware_info_app sysfs_batteryinfo:file r_file_perms; From 8b48664bdc6aeb352a50fea2a608bc04e2ce1d34 Mon Sep 17 00:00:00 2001 
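Review bot: `allow hardware_info_app sysfs_batteryinfo:file r_file_perms;` reads every file labelled sysfs_batteryinfo, while the denials in the commit message are only for `serial_number` under `google,battery/power_supply/battery`; the type presumably covers more of the battery sysfs tree, so the grant is wider than the quoted need. That is likely unavoidable without a dedicated label, but the `# Batteryinfo` header should say what is read and why, e.g. `# Batteryinfo: battery serial_number for bugreport (b/208909060)`. The removed tracking entries carried the bug number; the new rules drop it.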
From: neoyu Date: Thu, 30 Dec 2021 11:37:39 +0800 Subject: [PATCH 249/900] Fix SELinux errors for rild avc: denied { read } for comm="rild_exynos" name="u:object_r:vendor_persist_config_default_prop:s0" dev="tmpfs" ino=319 scontext=u:r:rild:s0 tcontext=u:object_r:vendor_persist_config_default_prop:s0 tclass=file permissive=1 avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_persist_config_default_prop:s0" dev="tmpfs" ino=319 scontext=u:r:rild:s0 tcontext=u:object_r:vendor_persist_config_default_prop:s0 tclass=file permissive=1 avc: denied { map } for path="/dev/__properties__/u:object_r:vendor_persist_config_default_prop:s0" dev="tmpfs" ino=319 scontext=u:r:rild:s0 tcontext=u:object_r:vendor_persist_config_default_prop:s0 tclass=file permissive=1 avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_persist_config_default_prop:s0" dev="tmpfs" ino=319 scontext=u:r:rild:s0 tcontext=u:object_r:vendor_persist_config_default_prop:s0 tclass=file permissive=1 Bug: 205073023 Test: manual Change-Id: I2687c443b2830cf08210726f5b2e266c55793d41 --- tracking_denials/rild.te | 6 ------ whitechapel_pro/rild.te | 1 + 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 tracking_denials/rild.te diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te deleted file mode 100644 index 875d5d24..00000000 --- a/tracking_denials/rild.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/205073023 -dontaudit rild vendor_default_prop:property_service { set }; -dontaudit rild vendor_persist_config_default_prop:file { getattr }; -dontaudit rild vendor_persist_config_default_prop:file { map }; -dontaudit rild vendor_persist_config_default_prop:file { open }; -dontaudit rild vendor_persist_config_default_prop:file { read }; diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 4ccc6ccb..766118ef 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te 
@@ -1,4 +1,5 @@ set_prop(rild, vendor_rild_prop) +get_prop(rild, vendor_persist_config_default_prop) get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) From 7fe7e43582d53d88ae06a60a209e64c7f442c591 Mon Sep 17 00:00:00 2001 From: chungkai Date: Mon, 6 Dec 2021 11:26:51 +0000 Subject: [PATCH 250/900] Fix avc denials for powerhal Test: build pass Bug: 208909174 Signed-off-by: chungkai Change-Id: I565df75c22d66199e6966dfac4af2e19b88606a0 --- tracking_denials/hal_power_default.te | 8 +------- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/hal_power_default.te | 3 ++- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te index 13de8e91..b3e7c1d0 100644 --- a/tracking_denials/hal_power_default.te +++ b/tracking_denials/hal_power_default.te @@ -1,9 +1,3 @@ -# b/207062564 -dontaudit hal_power_default sysfs:file { open }; -dontaudit hal_power_default sysfs:file { write }; # b/208909174 dontaudit hal_power_default hal_power_default:capability { dac_read_search }; -dontaudit hal_power_default sysfs:file { getattr }; -dontaudit hal_power_default sysfs:file { read }; -dontaudit hal_power_default sysfs_vendor_sched:file { getattr }; -dontaudit hal_power_default sysfs_vendor_sched:file { read }; + diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index ab8e7bce..7b886d77 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -83,3 +83,6 @@ type modem_userdata_file, file_type; # SecureElement type sysfs_st33spi, sysfs_type, fs_type; + +# GPU +type sysfs_gpu, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index c82d97a6..ae434622 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
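Review bot: The deleted tracking file also silenced `dontaudit rild vendor_default_prop:property_service { set };` under the same bug (b/205073023), but this hunk only adds `get_prop(rild, vendor_persist_config_default_prop)`; nothing in the commit grants or otherwise addresses the property set, so that denial will be audited again if rild still attempts it. The avc lines in the commit message show only the file reads, so the set may have been resolved elsewhere (for instance by the existing `set_prop(rild, vendor_rild_prop)` if the property was relabelled) — worth confirming before the tracking entry is dropped. If it is resolved, a `# b/205073023` line above the new get_prop would tie the rule to the tracked bug.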
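Review bot: The tracking_denials/hal_power_default.te hunk ends with an added empty line (the bare `+`), so besides the deletions the file gains only a trailing blank line; drop it. The surviving `dontaudit hal_power_default hal_power_default:capability { dac_read_search };` still sits under `# b/208909174`, the same bug this commit claims to fix, so either that capability is still outstanding or the header should say what remains.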
@@ -27,6 +27,9 @@ genfscon sysfs /devices/platform/acpm_stats u # Broadcom genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 +# GPU +genfscon sysfs /devices/platform/28000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 + # Fabric genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te index fca47245..e8f427d5 100644 --- a/whitechapel_pro/hal_power_default.te +++ b/whitechapel_pro/hal_power_default.te @@ -2,4 +2,5 @@ allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms; allow hal_power_default sysfs_fs_f2fs:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; - +allow hal_power_default sysfs_vendor_sched:file r_file_perms; +allow hal_power_default sysfs_gpu:file rw_file_perms; From b627a2f18b0eb7e1541f90fc4a122db1053eea91 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 3 Jan 2022 10:36:37 +0800 Subject: [PATCH 251/900] Grant citadeld access Test: boot to home under enforcing mode Bug: 205657177 Bug: 205904322 Change-Id: I49a7f14d4948f94814067e7ef137186610547033 --- dauntless/citadeld.te | 2 ++ tracking_denials/citadeld.te | 12 ------------ 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te index f170c97b..c2dbf74d 100644 --- a/dauntless/citadeld.te +++ b/dauntless/citadeld.te @@ -5,6 +5,8 @@ init_daemon_domain(citadeld) add_service(citadeld, citadeld_service) binder_use(citadeld) +vndbinder_use(citadeld) +allow citadeld citadel_device:chr_file rw_file_perms; allow citadeld fwk_stats_service:service_manager find; allow citadeld hal_power_stats_vendor_service:service_manager find; diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te index 32621376..d357ce9a 100644 --- a/tracking_denials/citadeld.te +++ b/tracking_denials/citadeld.te 
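Review bot: `allow hal_power_default sysfs_gpu:file rw_file_perms;` is keyed to a type that this commit attaches to a single node (`28000000.mali/hint_min_freq` in genfs_contexts), so any later genfscon entry placed under sysfs_gpu silently extends the power HAL's write access; the rule should say what it is for so future additions are checked against it, e.g. `# GPU min-frequency hint (hint_min_freq), b/208909174`. The companion `allow hal_power_default sysfs_vendor_sched:file r_file_perms;` is likewise uncommented; the neighbouring rules in this file carry no comments either, so this is a style point rather than a defect.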
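Review bot: `vndbinder_use(citadeld)` and `allow citadeld citadel_device:chr_file rw_file_perms;` are added without a comment, and the bug ids that documented them in the tracking file (b/205657177, b/205904322) are not carried over; a line such as `# b/205657177: citadeld owns the citadel device node; vndbinder for vendor clients` would keep the reason in the policy. citadeld already has `binder_use(citadeld)` two lines up, so it now sits on both the framework and vendor binder contexts; that looks intended, since the next two commits have init_citadel and hal_weaver_citadel reach citadeld over vndbinder, but it is worth stating. rw_file_perms includes ioctl, which matches the removed `chr_file { ioctl }` tracking entry.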
@@ -1,14 +1,2 @@ -# b/205657177 -dontaudit citadeld citadel_device:chr_file { getattr }; -dontaudit citadeld citadel_device:chr_file { ioctl }; -dontaudit citadeld citadel_device:chr_file { open }; -dontaudit citadeld citadel_device:chr_file { read write }; -dontaudit citadeld vndbinder_device:chr_file { ioctl }; -dontaudit citadeld vndbinder_device:chr_file { map }; -dontaudit citadeld vndbinder_device:chr_file { open }; -dontaudit citadeld vndbinder_device:chr_file { read }; -dontaudit citadeld vndbinder_device:chr_file { write }; # b/205904322 dontaudit citadeld system_server:binder { call }; -dontaudit citadeld vndservicemanager:binder { call }; -dontaudit citadeld vndservicemanager:binder { transfer }; From 70d78900fd33ff066ddb7df56777972df1defb4b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 3 Jan 2022 10:34:49 +0800 Subject: [PATCH 252/900] Grant init_citadel access Test: boot to home under enforcing mode Bug: 205655298 Bug: 205779736 Bug: 205904401 Change-Id: Ia7c1033240970122f3af79428bdb9012dcbc9d45 --- dauntless/init_citadel.te | 10 ++++++++++ tracking_denials/init_citadel.te | 12 ------------ 2 files changed, 10 insertions(+), 12 deletions(-) delete mode 100644 tracking_denials/init_citadel.te diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te index 35a93bc7..2e986d08 100644 --- a/dauntless/init_citadel.te +++ b/dauntless/init_citadel.te @@ -2,4 +2,14 @@ type init_citadel, domain; type init_citadel_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(init_citadel) + +# Citadel communication must be via citadeld +vndbinder_use(init_citadel) +binder_call(init_citadel, citadeld) allow init_citadel citadeld_service:service_manager find; + +# Many standard utils are actually vendor_toolbox (like xxd) +allow init_citadel vendor_toolbox_exec:file rx_file_perms; + +# init_citadel needs to invoke citadel_updater +allow init_citadel citadel_updater:file rx_file_perms; 
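Review bot: `allow init_citadel citadel_updater:file rx_file_perms;` and the `vendor_toolbox_exec` line include execute_no_trans, so citadel_updater and the toolbox run inside the init_citadel domain with its full permission set rather than in a domain of their own; that matches the removed tracking entries, but the comment `# init_citadel needs to invoke citadel_updater` should say so, e.g. `# init_citadel runs citadel_updater in its own domain (no domain transition)`. The tracking file this commit deletes attributed the rules to b/205655298, b/205779736 and b/205904401; carrying those ids into the new comments would preserve the audit trail. The same `vndbinder_use`/`binder_call(..., citadeld)` pair is added for hal_weaver_citadel in the next commit, there without any comment.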
diff --git a/tracking_denials/init_citadel.te b/tracking_denials/init_citadel.te deleted file mode 100644 index 587d4ea4..00000000 --- a/tracking_denials/init_citadel.te +++ /dev/null @@ -1,12 +0,0 @@ -# b/205655298 -dontaudit init_citadel vndbinder_device:chr_file { ioctl }; -dontaudit init_citadel vndbinder_device:chr_file { map }; -dontaudit init_citadel vndbinder_device:chr_file { open }; -dontaudit init_citadel vndbinder_device:chr_file { read }; -dontaudit init_citadel vndbinder_device:chr_file { write }; -# b/205779736 -dontaudit init_citadel citadel_updater:file { execute_no_trans }; -dontaudit init_citadel vendor_toolbox_exec:file { execute_no_trans }; -# b/205904401 -dontaudit init_citadel citadeld:binder { call }; -dontaudit init_citadel vndservicemanager:binder { call }; From be9bc5e2dabf3f8fb81f391f10aa37061b204d02 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 3 Jan 2022 10:32:22 +0800 Subject: [PATCH 253/900] Grant hal_weaver_citadel access to vndbinder and citadeld Test: boot to home under enforcing mode Bug: 205657092 Bug: 205904286 Change-Id: Ic6f46f0c827d202fd81fb744f4ec3241b24396d6 --- dauntless/hal_weaver_citadel.te | 2 ++ tracking_denials/hal_weaver_citadel.te | 9 --------- 2 files changed, 2 insertions(+), 9 deletions(-) delete mode 100644 tracking_denials/hal_weaver_citadel.te diff --git a/dauntless/hal_weaver_citadel.te b/dauntless/hal_weaver_citadel.te index 26528c4b..c47287b9 100644 --- a/dauntless/hal_weaver_citadel.te +++ b/dauntless/hal_weaver_citadel.te @@ -5,5 +5,7 @@ init_daemon_domain(hal_weaver_citadel) hal_server_domain(hal_weaver_citadel, hal_weaver) hal_server_domain(hal_weaver_citadel, hal_oemlock) hal_server_domain(hal_weaver_citadel, hal_authsecret) +vndbinder_use(hal_weaver_citadel) +binder_call(hal_weaver_citadel, citadeld) allow hal_weaver_citadel citadeld_service:service_manager find; 
diff --git a/tracking_denials/hal_weaver_citadel.te b/tracking_denials/hal_weaver_citadel.te deleted file mode 100644 index b847751f..00000000 --- a/tracking_denials/hal_weaver_citadel.te +++ /dev/null @@ -1,9 +0,0 @@ -# b/205657092 -dontaudit hal_weaver_citadel vndbinder_device:chr_file { ioctl }; -dontaudit hal_weaver_citadel vndbinder_device:chr_file { map }; -dontaudit hal_weaver_citadel vndbinder_device:chr_file { open }; -dontaudit hal_weaver_citadel vndbinder_device:chr_file { read }; -dontaudit hal_weaver_citadel vndbinder_device:chr_file { write }; -# b/205904286 -dontaudit hal_weaver_citadel citadeld:binder { call }; -dontaudit hal_weaver_citadel vndservicemanager:binder { call }; From 37710df1c0dce8a501eb1944c509f2375afae4a2 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 3 Jan 2022 15:02:48 +0800 Subject: [PATCH 254/900] remove obsolete sepolicy Bug: 205904207 Test: boot with no relevant errors Change-Id: Id2baad991e43784f5b999e6ae1f0141352acdbca --- tracking_denials/servicemanager.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/servicemanager.te diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te deleted file mode 100644 index 9ce026bc..00000000 --- a/tracking_denials/servicemanager.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/205904207 -dontaudit servicemanager hal_fingerprint_default:binder { call }; From c8f6c81670fabbb24968429be3c0c095b136e046 Mon Sep 17 00:00:00 2001 From: horngchuang Date: Tue, 28 Dec 2021 17:17:08 +0800 Subject: [PATCH 255/900] Add imx787 sensor entry to selinux policy /dev/lwis-sensor-imx787 used by rear-cam sensor Bug: 210654152 Test: local build Pass, boot to Home Change-Id: Ia15ad131d763190d3ecbfee397f0de33987ddb65 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 0920f239..357a9e95 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -122,6 +122,7 @@ /dev/lwis-sensor-imx386 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx586 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx663 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx787 u:object_r:lwis_device:s0 /dev/lwis-slc u:object_r:lwis_device:s0 /dev/lwis-top u:object_r:lwis_device:s0 /dev/lwis-votf u:object_r:lwis_device:s0 From bec2f8f10d675932a2d1836badb097e6d8954ee9 Mon Sep 17 00:00:00 2001 From: JimiChen Date: Thu, 23 Dec 2021 16:48:29 +0800 Subject: [PATCH 256/900] Add permision for new sensors and eeproms sensor: imx712 and imx712-uw eeprom: m24c64x-imx712 and m24c64x-imx712-uw Bug: 210657475 Bug: 210569509 Test: build okay Change-Id: Ide8429ce41a34b5c27b23eea1095bae93c5b88c4 --- whitechapel_pro/file_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 357a9e95..175a446f 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -102,6 +102,8 @@ /dev/lwis-eeprom-m24c64x-3j1 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x-imx712 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x-imx712-uw u:object_r:lwis_device:s0 /dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0 /dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 /dev/lwis-g3aa u:object_r:lwis_device:s0 @@ -122,6 +124,8 @@ /dev/lwis-sensor-imx386 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx586 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx663 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx712 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx712-uw u:object_r:lwis_device:s0 /dev/lwis-sensor-imx787 u:object_r:lwis_device:s0 /dev/lwis-slc u:object_r:lwis_device:s0 /dev/lwis-top u:object_r:lwis_device:s0 From a781d5020beea2605f878c8a72f91c6545221143 Mon Sep 17 00:00:00 2001 
From: Shiyong Li Date: Wed, 5 Jan 2022 01:31:49 +0000 Subject: [PATCH 257/900] consolidate display sysfs nodes into one context Bug: 209890345 Bug: 209705194 Test: check selinux denial info Signed-off-by: Shiyong Li Change-Id: I208f84caf0cbcd18bb3da8004362e6f996cbaba5 --- tracking_denials/hal_graphics_composer_default.te | 8 -------- tracking_denials/rlsservice.te | 4 ++-- whitechapel_pro/file.te | 1 - whitechapel_pro/genfs_contexts | 11 ++++------- whitechapel_pro/hal_power_stats_default.te | 2 +- whitechapel_pro/hal_sensors_default.te | 2 +- 6 files changed, 8 insertions(+), 20 deletions(-) diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te index 88c6aaba..a8333447 100644 --- a/tracking_denials/hal_graphics_composer_default.te +++ b/tracking_denials/hal_graphics_composer_default.te @@ -27,14 +27,6 @@ dontaudit hal_graphics_composer_default sysfs:file { getattr }; dontaudit hal_graphics_composer_default sysfs:file { open }; dontaudit hal_graphics_composer_default sysfs:file { read }; dontaudit hal_graphics_composer_default sysfs:file { write }; -dontaudit hal_graphics_composer_default sysfs_display:file { write }; # b/208721526 dontaudit hal_graphics_composer_default dumpstate:fd { use }; dontaudit hal_graphics_composer_default dumpstate:fifo_file { write }; -# b/209705194 -dontaudit hal_graphics_composer_default sysfs_sensors:file { getattr }; -dontaudit hal_graphics_composer_default sysfs_sensors:file { open }; -dontaudit hal_graphics_composer_default sysfs_sensors:file { write }; -# b/209890345 -dontaudit hal_graphics_composer_default sysfs_display:file { getattr }; -dontaudit hal_graphics_composer_default sysfs_display:file { open }; diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te index e0a6630a..ad6ff243 100644 --- a/tracking_denials/rlsservice.te +++ b/tracking_denials/rlsservice.te 
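Review bot: This hunk drops the `dontaudit hal_graphics_composer_default sysfs_display:file { getattr open write }` entries (b/209890345), but none of the six files in this commit adds a matching allow for hal_graphics_composer_default, so unless the composer's existing policy already grants sysfs_display these accesses will start being audited again. The sysfs_sensors removals are required, since that type is deleted in file.te further down and its nodes are relabelled to sysfs_display — the very label whose dontaudits are being dropped here. Worth confirming the composer has `sysfs_display:file rw_file_perms` somewhere before landing.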
@@ -23,5 +23,5 @@ dontaudit rlsservice device:dir { watch }; dontaudit rlsservice sysfs:file { open }; dontaudit rlsservice sysfs:file { read }; # b/209705394 -dontaudit rlsservice sysfs_sensors:file { open }; -dontaudit rlsservice sysfs_sensors:file { read }; +dontaudit rlsservice sysfs_display:file { open }; +dontaudit rlsservice sysfs_display:file { read }; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 7b886d77..1bf69ad1 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -41,7 +41,6 @@ type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; -type sysfs_sensors, sysfs_type, fs_type; # debugfs type debugfs_f2fs, debugfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index ae434622..86f3dbd8 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -60,6 +60,10 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/brightness u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/state u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 
@@ -149,10 +153,3 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mp #SecureElement genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 - -# Sensors HAL -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_sensors:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/brightness u:object_r:sysfs_sensors:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_sensors:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/state u:object_r:sysfs_sensors:s0 - diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te index 389437aa..aa17ffe1 100644 --- a/whitechapel_pro/hal_power_stats_default.te +++ b/whitechapel_pro/hal_power_stats_default.te @@ -2,4 +2,4 @@ allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms; # allowed to access dislay stats sysfs node -allow hal_power_stats_default sysfs_sensors:file r_file_perms; +allow hal_power_stats_default sysfs_display:file r_file_perms; diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index 8cd69b22..c412b3db 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te 
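Review bot: Swapping `sysfs_sensors` for `sysfs_display` widens what these domains can touch: in this commit's genfs_contexts hunk sysfs_display also labels `gamma`, `hs_clock` and the `early_wakeup` nodes, so `allow hal_power_stats_default sysfs_display:file r_file_perms;` now reads all of them, and `allow hal_sensors_default sysfs_display:file rw_file_perms;` in the hal_sensors_default.te hunk that follows gives the sensors HAL write access to display control nodes it previously could not reach. If the ALS path only needs the four backlight files, a dedicated type for them kept out of sysfs_display would preserve the old boundary; otherwise the comments should state the widening, e.g. `# Allow access to the display info for ALS (sysfs_display also covers gamma/hs_clock/early_wakeup).` The untouched context comment above the power-stats rule misspells display as `dislay`; fix it while here.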
@@ -26,7 +26,7 @@ allow hal_sensors_default persist_sensor_reg_file:file r_file_perms; allow hal_sensors_default sensor_reg_data_file:dir r_dir_perms; # Allow access to the display info for ALS. -allow hal_sensors_default sysfs_sensors:file rw_file_perms; +allow hal_sensors_default sysfs_display:file rw_file_perms; # Allow access to the AoC clock and kernel boot time sys FS node. This is needed # to synchronize the AP and AoC clock timestamps. From 5134bb20942122b9b34c63bed4bcf4eb5c86ba6f Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim Date: Wed, 29 Dec 2021 15:16:04 -0800 Subject: [PATCH 258/900] Revert converting ext4 to f2fs Revert the below commits: commit bf900e2ae578 "allow to convert /efs to f2fs" commit 54b0addb16bc "convert_to_f2fs.sh: add sepolicy" And, tracking_denials WA. Bug: 207031989 Signed-off-by: Jaegeuk Kim Change-Id: Id3dd1c5b8cad962845fd7a88b9069315819e5f3d --- tracking_denials/convert-to-f2fs-sh.te | 16 ---------------- whitechapel_pro/convert-to-f2fs-sh.te | 11 ----------- whitechapel_pro/file_contexts | 1 - 3 files changed, 28 deletions(-) delete mode 100644 tracking_denials/convert-to-f2fs-sh.te delete mode 100644 whitechapel_pro/convert-to-f2fs-sh.te diff --git a/tracking_denials/convert-to-f2fs-sh.te b/tracking_denials/convert-to-f2fs-sh.te deleted file mode 100644 index 6231c945..00000000 --- a/tracking_denials/convert-to-f2fs-sh.te +++ /dev/null 
@@ -1,16 +0,0 @@ -# b/205657040 -dontaudit convert-to-f2fs-sh kmsg_device:chr_file { open }; -dontaudit convert-to-f2fs-sh kmsg_device:chr_file { write }; -dontaudit convert-to-f2fs-sh modem_userdata_block_device:blk_file { open }; -dontaudit convert-to-f2fs-sh modem_userdata_block_device:blk_file { read }; -# b/205779877 -dontaudit convert-to-f2fs-sh shell_exec:file { execute }; -dontaudit convert-to-f2fs-sh shell_exec:file { getattr }; -dontaudit convert-to-f2fs-sh shell_exec:file { map }; -dontaudit convert-to-f2fs-sh shell_exec:file { read }; -dontaudit convert-to-f2fs-sh toolbox_exec:file { execute }; -dontaudit convert-to-f2fs-sh toolbox_exec:file { execute_no_trans }; -dontaudit convert-to-f2fs-sh toolbox_exec:file { getattr }; -dontaudit convert-to-f2fs-sh toolbox_exec:file { read open }; -# b/205904438 -dontaudit convert-to-f2fs-sh toolbox_exec:file { map }; diff --git a/whitechapel_pro/convert-to-f2fs-sh.te b/whitechapel_pro/convert-to-f2fs-sh.te deleted file mode 100644 index 15d983be..00000000 --- a/whitechapel_pro/convert-to-f2fs-sh.te +++ /dev/null @@ -1,11 +0,0 @@ -type convert-to-f2fs-sh, domain; - -type convert-to-f2fs-sh_exec, vendor_file_type, exec_type, file_type; - -init_daemon_domain(convert-to-f2fs-sh) - -allow convert-to-f2fs-sh vendor_file:file execute_no_trans; -allow convert-to-f2fs-sh persist_block_device:blk_file r_file_perms; -allow convert-to-f2fs-sh efs_block_device:blk_file r_file_perms; -allow convert-to-f2fs-sh block_device:dir search; -allow convert-to-f2fs-sh kernel:process setsched; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 175a446f..5f063b9c 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -14,7 +14,6 @@ /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 -/vendor/bin/convert_to_f2fs\.sh u:object_r:convert-to-f2fs-sh_exec:s0 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 /vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 From 4f08892ca13a2a2700fb49010ad3a169bd37323d Mon Sep 17 00:00:00 2001 From: yawensu Date: Mon, 10 Jan 2022 09:50:53 +0800 Subject: [PATCH 259/900] Fix SELinux errors for vendor_rcs_service_app avc: denied { find } for pid=2194 uid=10193 name=isub scontext=u:r:vendor_rcs_service_app:s0:c193,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1 Bug: 205779869 Test: Manual. Change-Id: I8589a0178500ee4ced318fbb487aad585758a3f3 --- tracking_denials/vendor_rcs_service_app.te | 2 -- whitechapel_pro/vendor_rcs_service_app.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/vendor_rcs_service_app.te diff --git a/tracking_denials/vendor_rcs_service_app.te b/tracking_denials/vendor_rcs_service_app.te deleted file mode 100644 index da3c7dcf..00000000 --- a/tracking_denials/vendor_rcs_service_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/205779869 -dontaudit vendor_rcs_service_app radio_service:service_manager { find }; diff --git a/whitechapel_pro/vendor_rcs_service_app.te b/whitechapel_pro/vendor_rcs_service_app.te index 3876d895..a7ae221f 100644 --- a/whitechapel_pro/vendor_rcs_service_app.te +++ b/whitechapel_pro/vendor_rcs_service_app.te @@ -2,3 +2,4 @@ type vendor_rcs_service_app, domain; app_domain(vendor_rcs_service_app) allow vendor_rcs_service_app app_api_service:service_manager find; +allow vendor_rcs_service_app radio_service:service_manager find; From ebe7b7c9a584ca62ded2d27f166606896969d1e5 Mon Sep 17 00:00:00 2001 
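Review bot: The new `allow vendor_rcs_service_app radio_service:service_manager find;` may duplicate the `app_api_service:service_manager find` rule just above it if `radio_service` carries the `app_api_service` attribute in this policy version; that is worth checking (e.g. with `sesearch` on the built policy) before keeping both. If it does not, a one-line comment naming the service the app looks up (the commit message cites `isub`) would make the grant self-explanatory.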
From: horngchuang Date: Fri, 7 Jan 2022 16:14:45 +0800 Subject: [PATCH 260/900] Remove l10 specific camera component sepolicy settings Move these settings to L10 specific folder Bug: 210598444 Test: build okay Change-Id: I517d5414f64a32098fd8e5bfa6554f2272680826 --- whitechapel_pro/file_contexts | 5 ----- 1 file changed, 5 deletions(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 5f063b9c..233614f2 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -101,8 +101,6 @@ /dev/lwis-eeprom-m24c64x-3j1 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0 -/dev/lwis-eeprom-m24c64x-imx712 u:object_r:lwis_device:s0 -/dev/lwis-eeprom-m24c64x-imx712-uw u:object_r:lwis_device:s0 /dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0 /dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 /dev/lwis-g3aa u:object_r:lwis_device:s0 @@ -123,9 +121,6 @@ /dev/lwis-sensor-imx386 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx586 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx663 u:object_r:lwis_device:s0 -/dev/lwis-sensor-imx712 u:object_r:lwis_device:s0 -/dev/lwis-sensor-imx712-uw u:object_r:lwis_device:s0 -/dev/lwis-sensor-imx787 u:object_r:lwis_device:s0 /dev/lwis-slc u:object_r:lwis_device:s0 /dev/lwis-top u:object_r:lwis_device:s0 /dev/lwis-votf u:object_r:lwis_device:s0 From af12430ab37112bb81e1ffda4ea1e143b0b9c2af Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 10 Jan 2022 13:13:02 +0800 Subject: [PATCH 261/900] update error on ROM 8058425 Bug: 213817227 Bug: 213817228 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I8d4eaf583b7b012e55705eb99684f97af2dd611f --- tracking_denials/kernel.te | 2 ++ tracking_denials/rlsservice.te | 4 ++++ 2 files changed, 6 insertions(+) create mode 100644 tracking_denials/kernel.te diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te new file mode 100644 index 00000000..213ac540 
--- /dev/null +++ b/tracking_denials/kernel.te @@ -0,0 +1,2 @@ +# b/213817227 +dontaudit kernel vendor_battery_debugfs:dir { search }; diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te index ad6ff243..c6dacec7 100644 --- a/tracking_denials/rlsservice.te +++ b/tracking_denials/rlsservice.te @@ -25,3 +25,7 @@ dontaudit rlsservice sysfs:file { read }; # b/209705394 dontaudit rlsservice sysfs_display:file { open }; dontaudit rlsservice sysfs_display:file { read }; +# b/213817228 +dontaudit rlsservice mnt_vendor_file:dir { search }; +dontaudit rlsservice persist_camera_file:dir { search }; +dontaudit rlsservice persist_file:dir { search }; From 9b8f698ee88b1334c359d255db2452930c4fa8b5 Mon Sep 17 00:00:00 2001 From: Ray Chi Date: Mon, 10 Jan 2022 18:30:47 +0800 Subject: [PATCH 262/900] Fix avc denials for USB hals Bug: 205073230 Bug: 207062542 Bug: 208527968 Test: no avc log for hal_usb_impl Change-Id: I840d8cb69ed9189f2697d13ae43b4bdeb25cd616 --- tracking_denials/hal_usb_impl.te | 14 -------------- whitechapel_pro/hal_usb_impl.te | 6 ++++++ 2 files changed, 6 insertions(+), 14 deletions(-) delete mode 100644 tracking_denials/hal_usb_impl.te diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te deleted file mode 100644 index 3d47cf93..00000000 --- a/tracking_denials/hal_usb_impl.te +++ /dev/null 
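Review bot: These `dontaudit` lines only silence the audit record; the access is still denied, so if rlsservice really needs to search `mnt_vendor_file`, `persist_camera_file` and `persist_file` (commit 271 later on this page grants exactly these, with a comment about calibration files) the daemon keeps failing quietly until then. A one-line comment next to each bug id saying what the domain was trying to reach would let the next reader tell a spurious probe from a missing rule. The same applies to the tracking hunks in commit 265 (tracking_denials/hal_power_default.te, where the muted access is hal_power_default setting `vendor_camera_prop`, a cross-component write that deserves an explanation rather than a dontaudit, and servicemanager.te) and to the commit 270 tracking files.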
@@ -1,14 +0,0 @@
-# b/205073230
-dontaudit hal_usb_impl vendor_usb_config_prop:file { getattr };
-dontaudit hal_usb_impl vendor_usb_config_prop:file { map };
-dontaudit hal_usb_impl vendor_usb_config_prop:file { open };
-dontaudit hal_usb_impl vendor_usb_config_prop:file { read };
-# b/207062542
-dontaudit hal_usb_impl functionfs:dir { watch watch_reads };
-# b/208527968
-dontaudit hal_usb_impl sysfs_batteryinfo:dir { open };
-dontaudit hal_usb_impl sysfs_batteryinfo:dir { read };
-dontaudit hal_usb_impl sysfs_batteryinfo:dir { search };
-dontaudit hal_usb_impl sysfs_batteryinfo:file { getattr };
-dontaudit hal_usb_impl sysfs_batteryinfo:file { open };
-dontaudit hal_usb_impl sysfs_batteryinfo:file { read };
diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te
index 52a799ee..067baf3c 100644
--- a/whitechapel_pro/hal_usb_impl.te
+++ b/whitechapel_pro/hal_usb_impl.te
@@ -4,3 +4,9 @@ type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(hal_usb_impl)
hal_server_domain(hal_usb_impl, hal_usb)
hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+set_prop(hal_usb_impl, vendor_usb_config_prop)
+allow hal_usb_impl functionfs:dir { watch watch_reads };
+
+allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
From 89bec046aae19e6597565301812880f155f31958 Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Mon, 10 Jan 2022 13:46:46 +0800 Subject: [PATCH 263/900] Label TMU as sysfs_thermal Bug: 202805103 Test: switch thermal tj property and check thermal threshold Change-Id: Ie1d20912f6111cbb85c04fce5a39e2be803e530f --- whitechapel_pro/genfs_contexts | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 86f3dbd8..a37d03ce 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
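Review bot: `set_prop(hal_usb_impl, vendor_usb_config_prop)` grants more than the tracked denials asked for: the deleted dontaudit lines were all read-side (`getattr map open read` on the property file), which `get_prop` covers, whereas `set_prop` additionally lets the USB HAL write the property through property_service. Likewise `sysfs_batteryinfo:file rw_file_perms` replaces denials that were only `getattr open read`. Unless the HAL writes these, `get_prop(hal_usb_impl, vendor_usb_config_prop)` and `allow hal_usb_impl sysfs_batteryinfo:file r_file_perms;` match what was observed, and a short comment on why a USB HAL reads battery info would help the next reader.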
@@ -153,3 +153,11 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mp #SecureElement genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 + +# Thermal +genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100a0000.BIG u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100a0000.ISP u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 From d799f2f773eebb5d4787fdf54518ac2416e217a6 Mon Sep 17 00:00:00 2001 From: Yifan Hong Date: Wed, 5 Jan 2022 14:57:31 -0800 Subject: [PATCH 264/900] Implement health AIDL HAL. Test: VTS Test: manual charger mode Test: recovery Bug: 213273090 Change-Id: I823e202f8877ad04e7fb5508358682bc6458f7c1 --- gs201-sepolicy.mk | 3 +++ health/file_contexts | 1 + 2 files changed, 4 insertions(+) create mode 100644 health/file_contexts diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 7ab4a233..664b851f 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk @@ -18,3 +18,6 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/dauntless # PowerStats HAL BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats + +# Health HAL +BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/health diff --git a/health/file_contexts b/health/file_contexts new file mode 100644 index 00000000..909de880 --- /dev/null +++ b/health/file_contexts @@ -0,0 +1 @@ +/vendor/bin/hw/android\.hardware\.health-service\.gs201 u:object_r:hal_health_default_exec:s0 From 673d412421ede6c9943a38a95e485c6a11c96bf3 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 12 Jan 2022 11:14:35 +0800 Subject: [PATCH 265/900] update error on ROM 8069652 Bug: 214121738 Bug: 214122471 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I8db4e1c7d5a2cf50798c63a3a1eda0fa82b89f5a --- tracking_denials/hal_power_default.te | 6 ++++++ tracking_denials/servicemanager.te | 2 ++ 2 files changed, 8 insertions(+) create mode 100644 tracking_denials/servicemanager.te diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te index b3e7c1d0..1a5f28e8 100644 --- a/tracking_denials/hal_power_default.te +++ b/tracking_denials/hal_power_default.te @@ -1,3 +1,9 @@ # b/208909174 dontaudit hal_power_default hal_power_default:capability { dac_read_search }; +# b/214121738 +dontaudit hal_power_default sysfs:file { open }; +dontaudit hal_power_default sysfs:file { write }; +dontaudit hal_power_default sysfs_fabric:file { open }; +dontaudit hal_power_default sysfs_fabric:file { write }; +dontaudit hal_power_default vendor_camera_prop:property_service { set }; diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te new file mode 100644 index 00000000..72e6e6e9 --- /dev/null +++ b/tracking_denials/servicemanager.te @@ -0,0 +1,2 @@ +# b/214122471 +dontaudit servicemanager hal_fingerprint_default:binder { call }; From 72dc78222f8db9806bf97baaa48afbdb4d9e256c Mon Sep 17 00:00:00 2001 
From: linpeter Date: Thu, 6 Jan 2022 16:36:12 +0800 Subject: [PATCH 266/900] update display sepolicy Bug: 205073165 Bug: 205656937 Bug: 205779906 Bug: 205904436 Bug: 207062172 Bug: 208721526 Bug: 204718757 Bug: 205904380 Bug: 213133646 test: check avc denied with hal_graphics_composer_default, hbmsvmanager_app Change-Id: I964a62fa6570fd9056b420efae7bf2fcbbe9fc9f --- tracking_denials/hal_dumpstate_default.te | 1 - .../hal_graphics_composer_default.te | 32 --------------- tracking_denials/hbmsvmanager_app.te | 4 -- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/genfs_contexts | 20 ++++++++-- whitechapel_pro/hal_dumpstate_default.te | 3 ++ .../hal_graphics_composer_default.te | 40 +++++++++++++++++++ whitechapel_pro/hbmsvmanager_app.te | 11 +++++ whitechapel_pro/property.te | 1 + whitechapel_pro/property_contexts | 3 ++ 11 files changed, 76 insertions(+), 41 deletions(-) delete mode 100644 tracking_denials/hal_graphics_composer_default.te delete mode 100644 tracking_denials/hbmsvmanager_app.te diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te index ced4632a..e0535f63 100644 --- a/tracking_denials/hal_dumpstate_default.te +++ b/tracking_denials/hal_dumpstate_default.te @@ -42,7 +42,6 @@ dontaudit hal_dumpstate_default sysfs_thermal:file { read }; dontaudit hal_dumpstate_default sysfs_wifi:dir { search }; dontaudit hal_dumpstate_default sysfs_wifi:file { open }; dontaudit hal_dumpstate_default sysfs_wifi:file { read }; -dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find }; dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open }; dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read }; dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans }; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te deleted file mode 100644 index a8333447..00000000 
--- a/tracking_denials/hal_graphics_composer_default.te +++ /dev/null 
@@ -1,32 +0,0 @@ -# b/205073165 -dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { getattr }; -dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { map }; -dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { open }; -dontaudit hal_graphics_composer_default vendor_persist_sys_default_prop:file { read }; -# b/205656937 -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl }; -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map }; -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open }; -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read }; -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write }; -# b/205779906 -dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search }; -dontaudit hal_graphics_composer_default persist_file:dir { search }; -# b/205904436 -dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { bind }; -dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { create }; -dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read }; -dontaudit hal_graphics_composer_default vndservicemanager:binder { call }; -dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer }; -# b/207062172 -dontaudit hal_graphics_composer_default boot_status_prop:file { getattr }; -dontaudit hal_graphics_composer_default boot_status_prop:file { map }; -dontaudit hal_graphics_composer_default boot_status_prop:file { open }; -dontaudit hal_graphics_composer_default boot_status_prop:file { read }; -dontaudit hal_graphics_composer_default sysfs:file { getattr }; -dontaudit hal_graphics_composer_default sysfs:file { open }; -dontaudit hal_graphics_composer_default sysfs:file { read }; -dontaudit hal_graphics_composer_default 
sysfs:file { write }; -# b/208721526 -dontaudit hal_graphics_composer_default dumpstate:fd { use }; -dontaudit hal_graphics_composer_default dumpstate:fifo_file { write }; diff --git a/tracking_denials/hbmsvmanager_app.te b/tracking_denials/hbmsvmanager_app.te deleted file mode 100644 index e015fa9b..00000000 --- a/tracking_denials/hbmsvmanager_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/204718757 -dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find }; -# b/205904380 -dontaudit hbmsvmanager_app hal_graphics_composer_default:binder { call }; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 1bf69ad1..c72cba22 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -64,6 +64,7 @@ type persist_modem_file, file_type, vendor_persist_type; type persist_sensor_reg_file, file_type, vendor_persist_type; type persist_ss_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; +type persist_display_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 233614f2..47fbb359 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -200,6 +200,7 @@ /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 +/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 # Extra mount images /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index a37d03ce..bf63687c 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -60,14 +60,26 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/brightness u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/state u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 + +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 + +genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0 + +genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 + +genfscon sysfs /devices/platform/exynos-drm/tui_status 
u:object_r:sysfs_display:s0 + + # mediacodec_samsung genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index e3e503b2..228cf2ba 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -6,3 +6,6 @@ allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; allow hal_dumpstate_default sysfs_touch:file rw_file_perms; + +allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; +binder_call(hal_dumpstate_default, hal_graphics_composer_default); diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te index 84d923f6..5d596037 100644 --- a/whitechapel_pro/hal_graphics_composer_default.te +++ b/whitechapel_pro/hal_graphics_composer_default.te 
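Review bot: Relabeling `.../1c2c0000.drmdsim.0/backlight` from `sysfs_display` to `sysfs_leds` moves every node under it (the removed `als_table`, `brightness`, `local_hbm_mode` and `state` entries and anything else in that directory, since `genfscon` matches by path prefix) to a label that existing consumers of `sysfs_display` do not hold. This commit only adds `sysfs_leds` rules for hal_graphics_composer_default; hal_sensors_default, granted `sysfs_display` for ALS in commit 257, is not updated, and the commit 270 tracking files further down record `sysfs_leds` denials for hal_sensors_default, hal_power_stats_default and rlsservice, so the relabel looks like the cause. Either carry the affected domains in this change or add a comment on the relabel naming the readers it is expected to break. It is also worth confirming that placing panel controls such as `local_hbm_mode` under `sysfs_leds` does not hand write access to domains that already hold `sysfs_leds` for LED nodes.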
@@ -1,9 +1,49 @@ +# allow HWC to access power hal hal_client_domain(hal_graphics_composer_default, hal_power) # allow HWC to access vendor_displaycolor_service add_service(hal_graphics_composer_default, vendor_displaycolor_service) + add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) + add_service(hal_graphics_composer_default, hal_pixel_display_service) +# access sysfs R/W allow hal_graphics_composer_default sysfs_display:dir search; allow hal_graphics_composer_default sysfs_display:file rw_file_perms; + +userdebug_or_eng(` +# allow HWC to access vendor log file + allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms; + allow hal_graphics_composer_default vendor_log_file:file create_file_perms; +# For HWC/libdisplaycolor to generate calibration file. + allow hal_graphics_composer_default persist_display_file:file create_file_perms; + allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms; +') + +# allow HWC/libdisplaycolor to read calibration data +allow hal_graphics_composer_default mnt_vendor_file:dir search; +allow hal_graphics_composer_default persist_file:dir search; +allow hal_graphics_composer_default persist_display_file:file r_file_perms; +allow hal_graphics_composer_default persist_display_file:dir search; + +# allow HWC to r/w backlight +allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms; +allow hal_graphics_composer_default sysfs_leds:file rw_file_perms; + +# allow HWC to get vendor_persist_sys_default_prop +get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop) + +# allow HWC to get vendor_display_prop +get_prop(hal_graphics_composer_default, vendor_display_prop) + +# boot stauts prop +get_prop(hal_graphics_composer_default, boot_status_prop); + +# allow HWC to output to dumpstate via pipe fd +allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write }; +allow hal_graphics_composer_default hal_dumpstate_default:fd use; + +# socket / 
vnd service +allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +vndbinder_use(hal_graphics_composer_default) diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te index 06bfed6c..b8f6a6be 100644 --- a/whitechapel_pro/hbmsvmanager_app.te +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -1,3 +1,14 @@ type hbmsvmanager_app, domain; + app_domain(hbmsvmanager_app); + +allow hbmsvmanager_app sysfs_vendor_sched:dir r_dir_perms; +allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms; + +allow hbmsvmanager_app hal_pixel_display_service:service_manager find; +binder_call(hbmsvmanager_app, hal_graphics_composer_default) + +# Standard system services allow hbmsvmanager_app app_api_service:service_manager find; + +allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 4cc19982..f3e0c86d 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -20,6 +20,7 @@ vendor_internal_prop(vendor_gps_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_logger_prop) +vendor_internal_prop(vendor_display_prop) # Fingerprint vendor_internal_prop(vendor_fingerprint_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index f07c0112..64880da5 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -67,6 +67,9 @@ persist.vendor.se. u:object_r:vendor_secure_element_prop vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 +# for display +ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 + # Camera vendor.camera. u:object_r:vendor_camera_prop:s0 From 431ba370387b5d4d9ac9c801cf5c97e963059030 Mon Sep 17 00:00:00 2001 
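Review bot: `get_prop(hal_graphics_composer_default, boot_status_prop);` carries a trailing `;` after an m4 macro, unlike the two `get_prop` calls just above it; the same form in aoc/hal_audio_default.te on this page shows it builds, but it reads as a typo, and `binder_call(hal_dumpstate_default, hal_graphics_composer_default);` in this commit's hal_dumpstate_default.te has the same issue. The comment above it also misspells status: `# boot status prop`. Separately, the context rule `allow hal_graphics_composer_default sysfs_display:file rw_file_perms;` now also reaches the `tui_status`, `vblankoffdelay` and `atc` nodes this commit labels `sysfs_display`; a comment stating which of them HWC writes would make the rw grant auditable later. The hunk covers the whole file from line 1.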
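Review bot: `allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms;` lets an app domain write vendor scheduler sysfs nodes with no comment saying which node or why, which is the kind of grant a later audit will question; a line such as `# writes <node> under sysfs_vendor_sched for <purpose>` (fill in the actual node and reason) above it would carry that. `app_domain(hbmsvmanager_app);` has a trailing `;` after a macro while the `binder_call` line below does not, and `cameraserver_service:service_manager find` is likewise uncommented.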
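Review bot: `ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0` has no `exact` qualifier, so it is a prefix match and will also label `ro.vendor.hwc.drm.device.*`; the neighbouring entries that intend prefixes end in a `.` (`vendor.camera.`), and this one does not, which suggests a single property was meant. If so, `ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 exact string` pins it to that one name and lets property_service type-check the value.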
From: Jasmine Cha Date: Thu, 6 Jan 2022 15:07:59 +0800 Subject: [PATCH 267/900] audio: add sepolicy for getting thermal event type=1400 audit(0.0:15): avc: denied { call } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 type=1400 audit(0.0:16): avc: denied { transfer } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 Bug: 204271308 Test: build pass Signed-off-by: Jasmine Cha Change-Id: I73070815b1ab73a58fd776e1301a5d4a8e198109 --- aoc/hal_audio_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te index 1f3edbe2..0755cba1 100644 --- a/aoc/hal_audio_default.te +++ b/aoc/hal_audio_default.te @@ -24,6 +24,7 @@ allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; get_prop(hal_audio_default, vendor_audio_prop); hal_client_domain(hal_audio_default, hal_health); +hal_client_domain(hal_audio_default, hal_thermal); allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find; userdebug_or_eng(` From f442239ffd574581da556104d252528582c0c452 Mon Sep 17 00:00:00 2001 From: chloedai Date: Thu, 13 Jan 2022 20:44:47 +0800 Subject: [PATCH 268/900] Remove nfc.te type=1400 audit(0.0:186): avc: denied { transfer } for scontext=u:r:nfc:s0 tcontext=u:r:zygote:s0 tclass=binder permissive=1 type=1400 audit(1636594745.812:186): avc: denied { transfer } for comm="Binder:2617_2" scontext=u:r:nfc:s0 tcontext=u:r:zygote:s0 tclass=binder permissive=1 Bug: 205904208 Test: Run test and check "avc: denied { transfer }" error in avc log Change-Id: I38f396de7d18eb32cc1c6ff6b30ee51122f4c3b0 --- tracking_denials/nfc.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/nfc.te diff --git a/tracking_denials/nfc.te b/tracking_denials/nfc.te deleted file mode 100644 index 3e17ff52..00000000 --- a/tracking_denials/nfc.te +++ /dev/null 
@@ -1,2 +0,0 @@ -# b/205904208 -dontaudit nfc zygote:binder { transfer }; From 8b241f5c355bf181052ff3bcd4be248f787698a8 Mon Sep 17 00:00:00 2001 From: Siddharth Kapoor Date: Thu, 13 Jan 2022 18:45:29 +0800 Subject: [PATCH 269/900] Update selinux for init-insmod-sh needed for gpu probe Bug: 207062151 Test: related avc denials not noticed in the device logs Change-Id: I87ff2251fd7d92f8b0eb3fac43889758788b702f Signed-off-by: Siddharth Kapoor --- tracking_denials/init-insmod-sh.te | 3 --- whitechapel_pro/init-insmod-sh.te | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) delete mode 100644 tracking_denials/init-insmod-sh.te diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te deleted file mode 100644 index e12715f9..00000000 --- a/tracking_denials/init-insmod-sh.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/207062151 -dontaudit init-insmod-sh debugfs_mgm:dir { search }; -dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te index e8424941..1b85c561 100644 --- a/whitechapel_pro/init-insmod-sh.te +++ b/whitechapel_pro/init-insmod-sh.te @@ -9,3 +9,6 @@ allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; set_prop(init-insmod-sh, vendor_device_prop) dontaudit init-insmod-sh proc_cmdline:file r_file_perms; + +allow init-insmod-sh debugfs_mgm:dir search; +allow init-insmod-sh vendor_regmap_debugfs:dir search; From 22786d49a46c36edae37821a518ce3aa1ae86dac Mon Sep 17 00:00:00 2001 
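Review bot: The two new `search` grants on `debugfs_mgm` and `vendor_regmap_debugfs` are unconditional, yet both are debugfs labels; if debugfs is not mounted on user builds of this target, the rules are only exercised on userdebug/eng and could be wrapped in `userdebug_or_eng(` … ')` as hal_audio_default.te does elsewhere on this page, keeping user-build policy minimal. A comment naming what the GPU probe reads there (`# gpu probe: <what is read>`) would also make the grant self-documenting.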
From: Adam Shih Date: Fri, 14 Jan 2022 11:30:48 +0800 Subject: [PATCH 270/900] update error on ROM 8078837 Bug: 214473134 Bug: 214473005 Bug: 214473093 Bug: 214472867 Bug: 214472869 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I8a84883655b6b259b0079d947496616974beb944 --- tracking_denials/hal_graphics_composer_default.te | 5 +++++ tracking_denials/hal_power_stats_default.te | 4 ++++ tracking_denials/hal_sensors_default.te | 7 +++++++ tracking_denials/rebalance_interrupts_vendor.te | 2 ++ tracking_denials/rlsservice.te | 4 ++++ 5 files changed, 22 insertions(+) create mode 100644 tracking_denials/hal_graphics_composer_default.te create mode 100644 tracking_denials/rebalance_interrupts_vendor.te diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te new file mode 100644 index 00000000..daaf15f8 --- /dev/null +++ b/tracking_denials/hal_graphics_composer_default.te @@ -0,0 +1,5 @@ +# b/214473134 +dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { getattr }; +dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { map }; +dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { open }; +dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { read }; diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index ff6abb06..7a5fff14 100644 --- a/tracking_denials/hal_power_stats_default.te +++ b/tracking_denials/hal_power_stats_default.te 
@@ -25,3 +25,7 @@ dontaudit hal_power_stats_default sysfs_wifi:dir { search }; dontaudit hal_power_stats_default sysfs_wifi:file { getattr }; dontaudit hal_power_stats_default sysfs_wifi:file { open }; dontaudit hal_power_stats_default sysfs_wifi:file { read }; +# b/214473005 +dontaudit hal_power_stats_default sysfs_leds:dir { search }; +dontaudit hal_power_stats_default sysfs_leds:file { open }; +dontaudit hal_power_stats_default sysfs_leds:file { read }; diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te index 45036f7e..a12a0ad9 100644 --- a/tracking_denials/hal_sensors_default.te +++ b/tracking_denials/hal_sensors_default.te @@ -1,2 +1,9 @@ # b/210067282 dontaudit hal_sensors_default persist_camera_file:dir { search }; +# b/214473093 +dontaudit hal_sensors_default sensor_reg_data_file:file { getattr }; +dontaudit hal_sensors_default sensor_reg_data_file:file { open }; +dontaudit hal_sensors_default sensor_reg_data_file:file { read }; +dontaudit hal_sensors_default sysfs_leds:dir { search }; +dontaudit hal_sensors_default sysfs_leds:file { open }; +dontaudit hal_sensors_default sysfs_leds:file { read }; diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te new file mode 100644 index 00000000..b9b246ce --- /dev/null +++ b/tracking_denials/rebalance_interrupts_vendor.te @@ -0,0 +1,2 @@ +# b/214472867 +dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override }; diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te index c6dacec7..deb07475 100644 --- a/tracking_denials/rlsservice.te +++ b/tracking_denials/rlsservice.te 
@@ -29,3 +29,7 @@ dontaudit rlsservice sysfs_display:file { read }; dontaudit rlsservice mnt_vendor_file:dir { search }; dontaudit rlsservice persist_camera_file:dir { search }; dontaudit rlsservice persist_file:dir { search }; +# b/214472869 +dontaudit rlsservice sysfs_leds:dir { search }; +dontaudit rlsservice sysfs_leds:file { open }; +dontaudit rlsservice sysfs_leds:file { read }; From 96339224614d9a18702004ff114132d0c559b34a Mon Sep 17 00:00:00 2001 From: Xu Han Date: Thu, 13 Jan 2022 09:33:15 -0800 Subject: [PATCH 271/900] Fix rlsserive selinux denials Bug: 213817228 Test: check "avc denied" log with camera streaming. Change-Id: Id255ffab3ca145cb0708b701e2afccdcd76ef4ea --- tracking_denials/rlsservice.te | 35 --------------------------- whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_camera_default.te | 4 +++ whitechapel_pro/rlsservice.te | 25 +++++++++++++++++++ 4 files changed, 30 insertions(+), 35 deletions(-) delete mode 100644 tracking_denials/rlsservice.te diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te deleted file mode 100644 index deb07475..00000000 --- a/tracking_denials/rlsservice.te +++ /dev/null 
@@ -1,35 +0,0 @@ -# b/205657132 -dontaudit rlsservice aoc_device:chr_file { getattr }; -dontaudit rlsservice aoc_device:chr_file { open }; -dontaudit rlsservice aoc_device:chr_file { read write }; -dontaudit rlsservice rls_device:chr_file { open }; -dontaudit rlsservice rls_device:chr_file { read write }; -dontaudit rlsservice vndbinder_device:chr_file { ioctl }; -dontaudit rlsservice vndbinder_device:chr_file { map }; -dontaudit rlsservice vndbinder_device:chr_file { open }; -dontaudit rlsservice vndbinder_device:chr_file { read }; -dontaudit rlsservice vndbinder_device:chr_file { write }; -# b/205780186 -dontaudit rlsservice apex_info_file:file { getattr }; -dontaudit rlsservice apex_info_file:file { open }; -dontaudit rlsservice apex_info_file:file { read }; -dontaudit rlsservice apex_info_file:file { watch }; -# b/205904324 -dontaudit rlsservice vndservicemanager:binder { call }; -dontaudit rlsservice vndservicemanager:binder { transfer }; -# b/207062258 -dontaudit rlsservice device:dir { read }; -dontaudit rlsservice device:dir { watch }; -dontaudit rlsservice sysfs:file { open }; -dontaudit rlsservice sysfs:file { read }; -# b/209705394 -dontaudit rlsservice sysfs_display:file { open }; -dontaudit rlsservice sysfs_display:file { read }; -# b/213817228 -dontaudit rlsservice mnt_vendor_file:dir { search }; -dontaudit rlsservice persist_camera_file:dir { search }; -dontaudit rlsservice persist_file:dir { search }; -# b/214472869 -dontaudit rlsservice sysfs_leds:dir { search }; -dontaudit rlsservice sysfs_leds:file { open }; -dontaudit rlsservice sysfs_leds:file { read }; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 47fbb359..d1e979f1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -38,6 +38,7 @@
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0
 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0
+/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 18e03066..74b8a027 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -7,3 +7,7 @@ allow hal_camera_default fwk_stats_service:service_manager find;
 # Allow camera HAL to query preferred camera frequencies from the radio HAL
 # extensions to avoid interference with cellular antennas.
 allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te
index 3dab5390..2297900c 100644
--- a/whitechapel_pro/rlsservice.te
+++ b/whitechapel_pro/rlsservice.te
@@ -2,4 +2,29 @@ type rlsservice, domain;
 type rlsservice_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(rlsservice)
+vndbinder_use(rlsservice)
 add_service(rlsservice, rls_service)
+
+
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+
+# access device files
+allow rlsservice rls_device:chr_file rw_file_perms;
+
+binder_call(rlsservice, hal_camera_default)
+
+# Allow access to display backlight information
+allow rlsservice sysfs_leds:dir search;
+allow rlsservice sysfs_leds:file r_file_perms;
+
+# Allow access to always-on compute device node
+allow rlsservice device:dir r_file_perms;
+allow rlsservice aoc_device:chr_file rw_file_perms;
+
+# For observing apex file changes
+allow rlsservice apex_info_file:file r_file_perms;
+
From 5bf8862b01f8c65a5fecd595c7a744aee081167b Mon Sep 17 00:00:00 2001 From: Matt Buckley Date: Fri, 14 Jan 2022 20:20:24 +0000 Subject: [PATCH 272/900] Allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags For the hardware composer and surfaceflinger to coordinate on certain features, it is necessary for the hardware composer to be able to read the surface_flinger_native_boot_prop to know what should be enabled. Bug: b/214473134 Test: None Change-Id: If03dae54ea17a8131c489f56092c0edd974ea41b
--- whitechapel_pro/hal_graphics_composer_default.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te
index 5d596037..84faa9dc 100644
--- a/whitechapel_pro/hal_graphics_composer_default.te
+++ b/whitechapel_pro/hal_graphics_composer_default.te
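Review bot: `allow rlsservice device:dir r_file_perms;` under the always-on compute comment applies the file-class macro to a directory; `r_dir_perms` is the macro for the dir class (the hal_dumpstate_default rule for the same object later in this series uses it) and also carries `search`, so `allow rlsservice device:dir r_dir_perms;` is the consistent form. The two consecutive blank lines added after `add_service(rlsservice, rls_service)` and the blank line at end of file can be dropped. A comment on the `rls_device:chr_file rw_file_perms` rule naming the device, the way the other comments in this hunk do, would help, since `# access device files` says nothing about what is behind it.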
@@ -47,3 +47,6 @@ allow hal_graphics_composer_default hal_dumpstate_default:fd use;
 # socket / vnd service
 allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 vndbinder_use(hal_graphics_composer_default)
+
+# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
+get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
From 0b322cac3db14bc3978f3907666132f9ede8ea9b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 13 Jan 2022 12:06:00 +0800 Subject: [PATCH 273/900] make GPU mali firmware accessible Bug: 205779849 Test: boot with no relevant log. Change-Id: I0cc1c1f84df44b5fbed239d6771937f62861bdb2
--- tracking_denials/surfaceflinger.te | 12 ------------ whitechapel_pro/file_contexts | 1 + whitechapel_pro/surfaceflinger.te | 1 + 3 files changed, 2 insertions(+), 12 deletions(-) delete mode 100644 tracking_denials/surfaceflinger.te create mode 100644 whitechapel_pro/surfaceflinger.te
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te deleted file mode 100644
index 1323e631..00000000
--- a/tracking_denials/surfaceflinger.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# b/205072689
-dontaudit surfaceflinger kernel:process { setsched };
-# b/205779849
-dontaudit surfaceflinger vendor_fw_file:dir { search };
-dontaudit surfaceflinger vendor_fw_file:file { open };
-dontaudit surfaceflinger vendor_fw_file:file { read };
-# b/208721808
-dontaudit surfaceflinger hal_graphics_composer_default:dir { search };
-# b/208909232
-dontaudit surfaceflinger hal_graphics_composer_default:file { getattr };
-dontaudit surfaceflinger hal_graphics_composer_default:file { open };
-dontaudit surfaceflinger hal_graphics_composer_default:file { read };
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index d1e979f1..5dce809d 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -42,6 +42,7 @@
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
+/vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0
 # Vendor libraries
 /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
diff --git a/whitechapel_pro/surfaceflinger.te b/whitechapel_pro/surfaceflinger.te new file mode 100644
index 00000000..9629299b
--- /dev/null
+++ b/whitechapel_pro/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger vendor_fw_file:dir search;
From 42ac322b3d3c12ce1bff06f9f63fc19dd32809c5 Mon Sep 17 00:00:00 2001 From: linjoey Date: Thu, 13 Jan 2022 00:06:20 +0800 Subject: [PATCH 274/900] Add vulkan and gralloc sepolicy. Bug: 206891640 Test: Test CTS testVulkanHardwareFeatures passed. Change-Id: Ia14aa691d6dbfad40344895c9e6a63a267754864
--- whitechapel_pro/file_contexts | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 5dce809d..54517020 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -57,6 +57,10 @@
 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0
+# Graphics
+/vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.gs201\.so u:object_r:same_process_hal_file:s0
+
 # Vendor kernel modules
 /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
From d9a2fb85064f3e6d908bf22db352526e23c12d49 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 17 Jan 2022 11:20:07 +0800 Subject: [PATCH 275/900] grant systemui app access to touch service Bug: 204718221 Test: boot with no relevant error Change-Id: Ic320cf682e481522ef9acad6c4eb63891c84c80c
--- tracking_denials/platform_app.te | 2 -- whitechapel_pro/platform_app.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/platform_app.te
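Review bot: The new whitechapel_pro/surfaceflinger.te holds a single `allow surfaceflinger vendor_fw_file:dir search;` with no comment linking it to the relabel of `/vendor/firmware/mali_csffw\.bin` in the same commit; suggest heading it with `# b/205779849: GPU driver code in surfaceflinger reads /vendor/firmware/mali_csffw.bin (same_process_hal_file)` so the vendor_fw_file directory access is not widened later without that context. same_process_hal_file is the label for code loaded into client processes, so the firmware image becomes readable by every domain that can read that type, not only surfaceflinger; a comment on the file_contexts line saying this is a firmware blob rather than a library would document that choice. The deleted tracking_denials/surfaceflinger.te also carried the b/205072689 (`kernel:process setsched`), b/208721808 and b/208909232 (`hal_graphics_composer_default` dir/file) suppressions, which this commit neither allows nor keeps, so those denials will presumably reappear in the audit log.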
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te deleted file mode 100644
index 6e1b0e1c..00000000
--- a/tracking_denials/platform_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/204718221
-dontaudit platform_app touch_service:service_manager { find };
diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te
index 0cf0ae46..f6c8d8ed 100644
--- a/whitechapel_pro/platform_app.te
+++ b/whitechapel_pro/platform_app.te
@@ -1,5 +1,6 @@
 allow platform_app hal_pixel_display_service:service_manager find;
 allow platform_app hal_wlc_hwservice:hwservice_manager find;
+allow platform_app touch_service:service_manager find;
 allow platform_app sysfs_vendor_sched:dir r_dir_perms;
 allow platform_app sysfs_vendor_sched:file w_file_perms;
From 56df08e495bf2dac78d90a12670bf5c5454e5b50 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 17 Jan 2022 14:54:54 +0800 Subject: [PATCH 276/900] fix dumpstate permission Bug: 208721809 Test: run bugreport under enforcing mode and found no relevant errors Change-Id: I106d95fd01b321af815ef8e580305702be716021
--- tracking_denials/dumpstate.te | 6 ------ whitechapel_pro/dumpstate.te | 3 +++ 2 files changed, 3 insertions(+), 6 deletions(-) delete mode 100644 tracking_denials/dumpstate.te
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te deleted file mode 100644
index b709173a..00000000
--- a/tracking_denials/dumpstate.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# b/208721809
-dontaudit dumpstate fuse:dir { search };
-dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-dontaudit dumpstate hal_uwb_vendor_default:binder { call };
-dontaudit dumpstate modem_img_file:filesystem { getattr };
-dontaudit dumpstate vold:binder { call };
diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te
index 05f0b107..ea7108e6 100644
--- a/whitechapel_pro/dumpstate.te
+++ b/whitechapel_pro/dumpstate.te
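Review bot: `allow platform_app touch_service:service_manager find;` grants the lookup to every app in the platform_app domain, while the commit title scopes it to SystemUI; if that is the intended granularity, a comment such as `# SystemUI looks up the touch service (b/204718221)` above the rule would keep the reason visible. Only the `find` that was being suppressed is granted; whether the caller also needs binder access to the domain publishing touch_service is not visible here, so a follow-up denial is possible.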
@@ -1,4 +1,6 @@
+dump_hal(hal_health)
 dump_hal(hal_graphics_composer)
+dump_hal(hal_uwb_vendor)
 userdebug_or_eng(`
 allow dumpstate vendor_dmabuf_debugfs:file r_file_perms;
@@ -9,5 +11,6 @@ allow dumpstate persist_file:dir r_dir_perms;
 allow dumpstate modem_efs_file:dir r_dir_perms;
 allow dumpstate modem_userdata_file:dir r_dir_perms;
 allow dumpstate modem_img_file:dir r_dir_perms;
+allow dumpstate fuse:dir search;
 dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;
From dd55e32ba14ed82c734141d975ff82a755f72a85 Mon Sep 17 00:00:00 2001 From: joenchen Date: Thu, 13 Jan 2022 06:13:56 +0000 Subject: [PATCH 277/900] Label min_vrefresh and idle_delay_ms as sysfs_display Bug: 213299701 Test: Check the files label by "adb shell ls -Z" Change-Id: I4c10582ec7dee516b54fb8aac77dafa825aaa93d
--- whitechapel_pro/genfs_contexts | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index bf63687c..9ab6242b 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
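Review bot: The removed tracking_denials/dumpstate.te also suppressed `hal_power_stats_vendor_service:service_manager find`, `modem_img_file:filesystem getattr` and `vold:binder call`, but the two dumpstate.te hunks only add `fuse:dir search` and the two `dump_hal` lines; unless those three accesses are granted by platform policy, they will now be logged as denials again. `dump_hal(hal_health)` is added without being mentioned in the bug or description, so a one-line comment on why the health HAL dump is needed would help the next reader. The userdebug_or_eng block opened in the first hunk continues outside it.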
@@ -59,10 +59,12 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo
 genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
 # Display
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
From 59a7bf0bb7ad42dd57dc2f83f5e7e021166994b8 Mon Sep 17 00:00:00 2001 From: Matt Buckley Date: Mon, 17 Jan 2022 20:13:11 +0000 Subject: [PATCH 278/900] SEPolicy access issue for hal_graphics_composer_default should be fixed with ag/16631829 Bug: b/214473134 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Id790bbfb9db534b86c4c5ae4564cfb2d5771ec4b
--- tracking_denials/hal_graphics_composer_default.te | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 tracking_denials/hal_graphics_composer_default.te
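Review bot: Four of the six added genfscon lines (gamma, hs_clock and the two early_wakeup entries) are removed and re-added with the same tokens, so their change is whitespace-only re-alignment; inserting only the `min_vrefresh` and `idle_delay_ms` lines would keep blame on the existing labels intact and make the diff two lines long. If the column alignment matters, doing it in a separate whitespace-only commit keeps this one reviewable as a pure label addition.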
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te deleted file mode 100644
index daaf15f8..00000000
--- a/tracking_denials/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/214473134
-dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { getattr };
-dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { map };
-dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { open };
-dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { read };
From 72a1bebd3d0337070d94b33b9932dc689cb18856 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 18 Jan 2022 11:54:55 +0800 Subject: [PATCH 279/900] update error on ROM 8088139 Bug: 215042694 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I741e1e101f050fe915142ec1699d2bbc553f14d7
--- tracking_denials/surfaceflinger.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/surfaceflinger.te
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te new file mode 100644
index 00000000..92d4c155
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,2 @@
+# b/215042694
+dontaudit surfaceflinger kernel:process { setsched };
From b2f810f9dd2a1c9c8078042efc638384e1d0273e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 18 Jan 2022 14:59:25 +0800 Subject: [PATCH 280/900] sort tracking file to review it easily Bug: 208909124 Bug: 208721677 Test: boot with no relevant error when taking a bugreport Change-Id: I5dc5d5cdbae329372f58f056dcf10e205ee7e02a
--- tracking_denials/hal_dumpstate_default.te | 92 ++++++++++++++++------- whitechapel_pro/hal_dumpstate_default.te | 1 + 2 files changed, 64 insertions(+), 29 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index e0535f63..77a56853 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -1,39 +1,73 @@
 # b/208721677
+# b/208909124
+dontaudit hal_dumpstate_default aoc_device:chr_file { getattr open read write };
 dontaudit hal_dumpstate_default boottime_public_prop:file { open };
 dontaudit hal_dumpstate_default boottime_public_prop:file { read };
+dontaudit hal_dumpstate_default citadeld:binder call;
 dontaudit hal_dumpstate_default citadeld_service:service_manager { find };
-dontaudit hal_dumpstate_default debugfs:file { open };
-dontaudit hal_dumpstate_default debugfs:file { read };
+dontaudit hal_dumpstate_default citadel_updater:file execute_no_trans;
+dontaudit hal_dumpstate_default debugfs:dir { open read };
 dontaudit hal_dumpstate_default debugfs_f2fs:dir { search };
 dontaudit hal_dumpstate_default debugfs_f2fs:file { open };
 dontaudit hal_dumpstate_default debugfs_f2fs:file { read };
+dontaudit hal_dumpstate_default debugfs:file { open };
+dontaudit hal_dumpstate_default debugfs:file { read };
+dontaudit hal_dumpstate_default device:dir read;
+dontaudit hal_dumpstate_default device:dir watch;
 dontaudit hal_dumpstate_default logbuffer_device:chr_file { getattr };
 dontaudit hal_dumpstate_default logbuffer_device:chr_file { open };
 dontaudit hal_dumpstate_default logbuffer_device:chr_file { read };
+dontaudit hal_dumpstate_default mnt_vendor_file:dir { search };
+dontaudit hal_dumpstate_default modem_efs_file:dir search;
+dontaudit hal_dumpstate_default modem_efs_file:file { open read };
+dontaudit hal_dumpstate_default modem_stat_data_file:file getattr;
 dontaudit hal_dumpstate_default modem_stat_data_file:file { open };
 dontaudit hal_dumpstate_default modem_stat_data_file:file { read };
+dontaudit hal_dumpstate_default property_type:file *;
+dontaudit hal_dumpstate_default radio_vendor_data_file:dir add_name;
+dontaudit hal_dumpstate_default radio_vendor_data_file:dir create;
 dontaudit hal_dumpstate_default radio_vendor_data_file:dir { getattr };
 dontaudit hal_dumpstate_default radio_vendor_data_file:dir { open };
 dontaudit
hal_dumpstate_default radio_vendor_data_file:dir { read };
+dontaudit hal_dumpstate_default radio_vendor_data_file:dir { remove_name rmdir };
 dontaudit hal_dumpstate_default radio_vendor_data_file:dir { search };
 dontaudit hal_dumpstate_default radio_vendor_data_file:dir { write };
+dontaudit hal_dumpstate_default radio_vendor_data_file:file { create write };
 dontaudit hal_dumpstate_default radio_vendor_data_file:file { getattr };
 dontaudit hal_dumpstate_default radio_vendor_data_file:file { open };
 dontaudit hal_dumpstate_default radio_vendor_data_file:file { read };
 dontaudit hal_dumpstate_default radio_vendor_data_file:file { setattr };
-dontaudit hal_dumpstate_default sysfs:file { read };
+dontaudit hal_dumpstate_default radio_vendor_data_file:file unlink;
+dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir { search };
+dontaudit hal_dumpstate_default shell_data_file:file { getattr };
+dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir { open read };
+dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir search;
 dontaudit hal_dumpstate_default sysfs_acpm_stats:dir { open };
 dontaudit hal_dumpstate_default sysfs_acpm_stats:dir { read };
 dontaudit hal_dumpstate_default sysfs_acpm_stats:dir { search };
 dontaudit hal_dumpstate_default sysfs_acpm_stats:file { open };
 dontaudit hal_dumpstate_default sysfs_acpm_stats:file { read };
+dontaudit hal_dumpstate_default sysfs_aoc:dir { search };
+dontaudit hal_dumpstate_default sysfs_aoc_dumpstate:file { open read };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { open };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { read };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { search };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:file getattr;
+dontaudit hal_dumpstate_default sysfs_batteryinfo:file { open };
+dontaudit hal_dumpstate_default sysfs_batteryinfo:file { read };
 dontaudit hal_dumpstate_default sysfs_bcl:dir { open };
 dontaudit
hal_dumpstate_default sysfs_bcl:dir { read };
 dontaudit hal_dumpstate_default sysfs_bcl:dir { search };
 dontaudit hal_dumpstate_default sysfs_bcl:file { getattr };
+dontaudit hal_dumpstate_default sysfs_bcl:file open;
 dontaudit hal_dumpstate_default sysfs_bcl:file { read };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { open };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { read };
+dontaudit hal_dumpstate_default sysfs_exynos_bts:dir { search };
+dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { open };
+dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { read };
+dontaudit hal_dumpstate_default sysfs:file { open };
+dontaudit hal_dumpstate_default sysfs:file { read };
 dontaudit hal_dumpstate_default sysfs_thermal:dir { open };
 dontaudit hal_dumpstate_default sysfs_thermal:dir { read };
 dontaudit hal_dumpstate_default sysfs_thermal:dir { search };
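Review bot: The commit is described as a sort, but this hunk and the following `@@ -42,37 +76,37 @@` hunk also add suppressions that were not in the file before (for example `citadel_updater:file execute_no_trans`, `device:dir read`/`watch`, and the `vendor_gps_file`, `vendor_rfsd_log_file` and `vendor_usf_*` entries), all placed under the two bug ids at the top; the description should say which entries are new so they are not taken for a reorder. `dontaudit hal_dumpstate_default property_type:file *;` silences every access vector on every property file and will hide future regressions; restricting it to the permissions actually seen in the denial log keeps the tracking file useful. The sort also leaves the same object split across separate `{ open }` / `{ read }` lines next to merged `{ open read }` lines (compare `debugfs:file` with `debugfs:dir`), so one form should be chosen.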
@@ -42,37 +76,37 @@ dontaudit hal_dumpstate_default sysfs_thermal:file { read };
 dontaudit hal_dumpstate_default sysfs_wifi:dir { search };
 dontaudit hal_dumpstate_default sysfs_wifi:file { open };
 dontaudit hal_dumpstate_default sysfs_wifi:file { read };
-dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open };
-dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read };
-dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans };
-dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans };
-dontaudit hal_dumpstate_default vendor_toolbox_exec:file { execute_no_trans };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { read };
-# b/208909124
-dontaudit hal_dumpstate_default property_type:file *;
-dontaudit hal_dumpstate_default mnt_vendor_file:dir { search };
-dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir { search };
-dontaudit hal_dumpstate_default shell_data_file:file { getattr };
-dontaudit hal_dumpstate_default sysfs:file { open };
-dontaudit hal_dumpstate_default sysfs_aoc:dir { search };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { open };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { read };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { search };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:file { open };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:file { read };
-dontaudit hal_dumpstate_default sysfs_exynos_bts:dir { search };
-dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { open };
-dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { read };
 dontaudit hal_dumpstate_default sysfs_wlc:dir { search };
+dontaudit hal_dumpstate_default sysfs_wlc:file { open read };
+dontaudit hal_dumpstate_default vendor_battery_debugfs:dir { open read };
+dontaudit hal_dumpstate_default vendor_battery_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:file { getattr open read };
+dontaudit
hal_dumpstate_default vendor_camera_data_file:dir search;
 dontaudit hal_dumpstate_default vendor_charger_debugfs:dir { open };
 dontaudit hal_dumpstate_default vendor_charger_debugfs:dir { read };
 dontaudit hal_dumpstate_default vendor_charger_debugfs:dir { search };
 dontaudit hal_dumpstate_default vendor_charger_debugfs:file { getattr };
+dontaudit hal_dumpstate_default vendor_charger_debugfs:file open;
 dontaudit hal_dumpstate_default vendor_charger_debugfs:file { read };
+dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open };
+dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read };
+dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans };
+dontaudit hal_dumpstate_default vendor_gps_file:dir { open read search };
+dontaudit hal_dumpstate_default vendor_gps_file:file getattr;
+dontaudit hal_dumpstate_default vendor_gps_file:file { open read };
+dontaudit hal_dumpstate_default vendor_log_file:dir search;
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file { open read };
 dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { open };
 dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { read };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { ioctl };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { map };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { open };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { write };
-dontaudit hal_dumpstate_default vndservicemanager:binder { call };
+dontaudit hal_dumpstate_default vendor_rfsd_log_file:dir { open read search };
+dontaudit hal_dumpstate_default vendor_rfsd_log_file:file { getattr open read };
+dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans };
+dontaudit hal_dumpstate_default vendor_slog_file:file { getattr read };
+dontaudit hal_dumpstate_default vendor_slog_file:file open;
+dontaudit hal_dumpstate_default
vendor_toolbox_exec:file { execute_no_trans };
+dontaudit hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
+dontaudit hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
+dontaudit hal_dumpstate_default vendor_votable_debugfs:dir { open read };
+dontaudit hal_dumpstate_default vendor_votable_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_votable_debugfs:file { getattr open read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 228cf2ba..73fd2cd3 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -9,3 +9,4 @@ allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
 allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
 binder_call(hal_dumpstate_default, hal_graphics_composer_default);
+vndbinder_use(hal_dumpstate_default)
From ca13b6a9bfece7ee21e353fec62833520503bda5 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Tue, 18 Jan 2022 21:17:42 +0800 Subject: [PATCH 281/900] hardwareinfo: add sepolicy for display Bug: 203593024 Test: 1. rm -r /data/data/com.google.android.hardwareinfo/ 2. Connect wifi and reboot 3. Check hardwareinfo, there is no avc denied logs Change-Id: I44db881286946a283f320302efd6e662fcdae683
--- whitechapel_pro/hardware_info_app.te | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te
index 57a90358..1da5b988 100644
--- a/whitechapel_pro/hardware_info_app.te
+++ b/whitechapel_pro/hardware_info_app.te
@@ -13,3 +13,7 @@ allow hardware_info_app sysfs_pixelstats:file r_file_perms;
 # Batteryinfo
 allow hardware_info_app sysfs_batteryinfo:dir search;
 allow hardware_info_app sysfs_batteryinfo:file r_file_perms;
+
+# Display
+allow hardware_info_app sysfs_display:dir search;
+allow hardware_info_app sysfs_display:file r_file_perms;
From 11d9e265ee83196950bc63209206557305507953 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Wed, 19 Jan 2022 10:47:44 +0800 Subject: [PATCH 282/900] be able to dump aoc device Bug: 208721677 Bug: 208909124 Test: do adb bugreport with no relevant error log Change-Id: Icbb2364638dbabe9bcccd744413d5c679b35d058
--- tracking_denials/hal_dumpstate_default.te | 3 --- whitechapel_pro/hal_dumpstate_default.te | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 77a56853..cfc11268 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -1,6 +1,5 @@
 # b/208721677
 # b/208909124
-dontaudit hal_dumpstate_default aoc_device:chr_file { getattr open read write };
 dontaudit hal_dumpstate_default boottime_public_prop:file { open };
 dontaudit hal_dumpstate_default boottime_public_prop:file { read };
 dontaudit hal_dumpstate_default citadeld:binder call;
@@ -12,8 +11,6 @@ dontaudit hal_dumpstate_default debugfs_f2fs:file { open };
 dontaudit hal_dumpstate_default debugfs_f2fs:file { read };
 dontaudit hal_dumpstate_default debugfs:file { open };
 dontaudit hal_dumpstate_default debugfs:file { read };
-dontaudit hal_dumpstate_default device:dir read;
-dontaudit hal_dumpstate_default device:dir watch;
 dontaudit hal_dumpstate_default logbuffer_device:chr_file { getattr };
 dontaudit hal_dumpstate_default logbuffer_device:chr_file { open };
 dontaudit hal_dumpstate_default logbuffer_device:chr_file { read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 73fd2cd3..8d747b6b 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default device:dir r_dir_perms;
+allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
+
 allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
 allow hal_dumpstate_default proc_f2fs:file r_file_perms;
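Review bot: `allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;` gives the bugreport HAL write access to the AoC device node; the tracked denial did include `write`, but if the dump only reads from the node `r_file_perms` is the narrower grant, so a comment stating why write is needed would justify it. The `device:dir r_dir_perms` rule uses the dir-class macro and covers the `read`/`watch` entries removed from tracking_denials; a short comment naming the AoC node as the reason for the /dev listing would tie the two lines together.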
From b8053f6b6e2daebf4e27bbf19898ef4e6df36626 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 19 Jan 2022 11:07:38 +0800 Subject: [PATCH 283/900] Be able to dump citadel info Bug: 208721677 Bug: 208909124 Test: do adb bugreport with no relevant error log Change-Id: I4f76a17004b81adbddeb7557e50f488b471aa3c7
--- tracking_denials/hal_dumpstate_default.te | 3 --- whitechapel_pro/hal_dumpstate_default.te | 4 ++++ 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index cfc11268..2b9e0faa 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -2,9 +2,6 @@
 # b/208909124
 dontaudit hal_dumpstate_default boottime_public_prop:file { open };
 dontaudit hal_dumpstate_default boottime_public_prop:file { read };
-dontaudit hal_dumpstate_default citadeld:binder call;
-dontaudit hal_dumpstate_default citadeld_service:service_manager { find };
-dontaudit hal_dumpstate_default citadel_updater:file execute_no_trans;
 dontaudit hal_dumpstate_default debugfs:dir { open read };
 dontaudit hal_dumpstate_default debugfs_f2fs:dir { search };
 dontaudit hal_dumpstate_default debugfs_f2fs:file { open };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 8d747b6b..7416f8a2 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,7 @@
+allow hal_dumpstate_default citadeld_service:service_manager find;
+allow hal_dumpstate_default citadel_updater:file execute_no_trans;
+binder_call(hal_dumpstate_default, citadeld);
+
 allow hal_dumpstate_default device:dir r_dir_perms;
 allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
From 5b00a6c8a23ceddee4f27c76ed72c07a8c584752 Mon Sep 17 00:00:00 2001
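Review bot: `allow hal_dumpstate_default citadel_updater:file execute_no_trans;` runs the citadel updater binary inside the dumpstate HAL's own domain instead of through a domain transition, so it inherits every permission this domain holds, including the modem and radio file access added later in this series. A comment on what the dump invokes it for (presumably a read-only status or version query) would document why no dedicated domain is needed. `binder_call(hal_dumpstate_default, citadeld);` keeps the trailing semicolon this file already uses for binder_call, while the `vndbinder_use(hal_dumpstate_default)` line added earlier in the series has none; one convention should be chosen.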
From: Adam Shih Date: Wed, 19 Jan 2022 11:16:48 +0800 Subject: [PATCH 284/900] Be able to dump logbuffer Bug: 208721677 Bug: 208909124 Test: do adb bugreport with no relevant error log Change-Id: Ieae4d64b497e911a6c8048f789e364cd1b9d2f4b
--- tracking_denials/hal_dumpstate_default.te | 3 --- whitechapel_pro/hal_dumpstate_default.te | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 2b9e0faa..f7bcdfb3 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -8,9 +8,6 @@ dontaudit hal_dumpstate_default debugfs_f2fs:file { open };
 dontaudit hal_dumpstate_default debugfs_f2fs:file { read };
 dontaudit hal_dumpstate_default debugfs:file { open };
 dontaudit hal_dumpstate_default debugfs:file { read };
-dontaudit hal_dumpstate_default logbuffer_device:chr_file { getattr };
-dontaudit hal_dumpstate_default logbuffer_device:chr_file { open };
-dontaudit hal_dumpstate_default logbuffer_device:chr_file { read };
 dontaudit hal_dumpstate_default mnt_vendor_file:dir { search };
 dontaudit hal_dumpstate_default modem_efs_file:dir search;
 dontaudit hal_dumpstate_default modem_efs_file:file { open read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 7416f8a2..c34632d4 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,5 @@
+allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
+
 allow hal_dumpstate_default citadeld_service:service_manager find;
 allow hal_dumpstate_default citadel_updater:file execute_no_trans;
 binder_call(hal_dumpstate_default, citadeld);
From f72d021bd0d13dc77b03f35d2daf18677a198abc Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Wed, 19 Jan 2022 11:22:59 +0800 Subject: [PATCH 285/900] Be able to dump modem info Bug: 208721677 Bug: 208909124 Test: do adb bugreport with no relevant error log Change-Id: I0b9384ec4ddda5d3d49a451c529c03fc4d53da8f
--- tracking_denials/hal_dumpstate_default.te | 5 ----- whitechapel_pro/hal_dumpstate_default.te | 4 ++++ 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index f7bcdfb3..8a90e832 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -9,11 +9,6 @@ dontaudit hal_dumpstate_default debugfs_f2fs:file { read };
 dontaudit hal_dumpstate_default debugfs:file { open };
 dontaudit hal_dumpstate_default debugfs:file { read };
 dontaudit hal_dumpstate_default mnt_vendor_file:dir { search };
-dontaudit hal_dumpstate_default modem_efs_file:dir search;
-dontaudit hal_dumpstate_default modem_efs_file:file { open read };
-dontaudit hal_dumpstate_default modem_stat_data_file:file getattr;
-dontaudit hal_dumpstate_default modem_stat_data_file:file { open };
-dontaudit hal_dumpstate_default modem_stat_data_file:file { read };
 dontaudit hal_dumpstate_default property_type:file *;
 dontaudit hal_dumpstate_default radio_vendor_data_file:dir add_name;
 dontaudit hal_dumpstate_default radio_vendor_data_file:dir create;
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index c34632d4..1980d6ad 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,7 @@
+allow hal_dumpstate_default modem_efs_file:dir search;
+allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
+
 allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
 allow hal_dumpstate_default citadeld_service:service_manager find;
From 03fbacc6acbdd8b419dd4e75f02de20e4a9feba0 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 19 Jan 2022 11:38:06 +0800 Subject: [PATCH 286/900] Be able to dump radio info Bug: 208721677 Bug: 208909124 Test: do adb bugreport with no relevant error log Change-Id: I6a83029e9e0d0c42892b64a8acfa60cc514efba9
--- tracking_denials/hal_dumpstate_default.te | 14 -------------- whitechapel_pro/hal_dumpstate_default.te | 3 +++ 2 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 8a90e832..7cb91199 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -10,20 +10,6 @@ dontaudit hal_dumpstate_default debugfs:file { open };
 dontaudit hal_dumpstate_default debugfs:file { read };
 dontaudit hal_dumpstate_default mnt_vendor_file:dir { search };
 dontaudit hal_dumpstate_default property_type:file *;
-dontaudit hal_dumpstate_default radio_vendor_data_file:dir add_name;
-dontaudit hal_dumpstate_default radio_vendor_data_file:dir create;
-dontaudit hal_dumpstate_default radio_vendor_data_file:dir { getattr };
-dontaudit hal_dumpstate_default radio_vendor_data_file:dir { open };
-dontaudit hal_dumpstate_default radio_vendor_data_file:dir { read };
-dontaudit hal_dumpstate_default radio_vendor_data_file:dir { remove_name rmdir };
-dontaudit hal_dumpstate_default radio_vendor_data_file:dir { search };
-dontaudit hal_dumpstate_default radio_vendor_data_file:dir { write };
-dontaudit hal_dumpstate_default radio_vendor_data_file:file { create write };
-dontaudit hal_dumpstate_default radio_vendor_data_file:file { getattr };
-dontaudit hal_dumpstate_default radio_vendor_data_file:file { open };
-dontaudit hal_dumpstate_default radio_vendor_data_file:file { read };
-dontaudit hal_dumpstate_default radio_vendor_data_file:file { setattr };
-dontaudit hal_dumpstate_default radio_vendor_data_file:file unlink;
 dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir { search };
 dontaudit hal_dumpstate_default shell_data_file:file { getattr };
 dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir { open read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 1980d6ad..86b6797e 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+
 allow hal_dumpstate_default modem_efs_file:dir search;
 allow hal_dumpstate_default modem_efs_file:file r_file_perms;
 allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
From 7897e0f6ca092d72c1495cc10975ffbcdad45359 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 19 Jan 2022 11:49:45 +0800
Subject: [PATCH 287/900] Be able to dump ramdump info
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: I0cd8ca483df669505f11ff6fdd19cc15cb9959e1
---
 tracking_denials/hal_dumpstate_default.te | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 6 ++++++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 7cb91199..dd988819 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -8,9 +8,7 @@ dontaudit hal_dumpstate_default debugfs_f2fs:file { open };
 dontaudit hal_dumpstate_default debugfs_f2fs:file { read };
 dontaudit hal_dumpstate_default debugfs:file { open };
 dontaudit hal_dumpstate_default debugfs:file { read };
-dontaudit hal_dumpstate_default mnt_vendor_file:dir { search };
 dontaudit hal_dumpstate_default property_type:file *;
-dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir { search };
 dontaudit hal_dumpstate_default shell_data_file:file { getattr };
 dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir { open read };
 dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir search;
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 86b6797e..70319abc 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
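Review bot: `create_dir_perms` and `create_file_perms` on radio_vendor_data_file give the dumpstate HAL write, unlink and rmdir rights and, if I read global_macros correctly, rename and reparent as well, which is broader than a read-only dump needs and broader than the tracked denials, where rename never appeared. This is the only write-capable grant visible in this series, so it deserves a justification in the file: if the HAL creates and then removes a temporary radio dump under that directory, say so above the two rules, e.g. `# dumpstate creates and cleans up temporary radio dump files here`; otherwise narrow to `r_dir_perms`/`r_file_perms` plus only the write permissions the denials actually showed. The removed tracking_denials lines are consistent with either choice.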
@@ -26,3 +26,9 @@ allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
 allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
 binder_call(hal_dumpstate_default, hal_graphics_composer_default);
 vndbinder_use(hal_dumpstate_default)
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default mnt_vendor_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+')
From 7717461bb265a0d75e6dc854f024e4a6da4efdb0 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 09:38:19 +0800
Subject: [PATCH 288/900] be able to dump acpm
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: I2435fea779977313e2f731733463c5c4313fda3c
---
 tracking_denials/hal_dumpstate_default.te | 5 -----
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index dd988819..f0a79c7a 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -12,11 +12,6 @@ dontaudit hal_dumpstate_default property_type:file *;
 dontaudit hal_dumpstate_default shell_data_file:file { getattr };
 dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir { open read };
 dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir search;
-dontaudit hal_dumpstate_default sysfs_acpm_stats:dir { open };
-dontaudit hal_dumpstate_default sysfs_acpm_stats:dir { read };
-dontaudit hal_dumpstate_default sysfs_acpm_stats:dir { search };
-dontaudit hal_dumpstate_default sysfs_acpm_stats:file { open };
-dontaudit hal_dumpstate_default sysfs_acpm_stats:file { read };
 dontaudit hal_dumpstate_default sysfs_aoc:dir { search };
 dontaudit hal_dumpstate_default sysfs_aoc_dumpstate:file { open read };
 dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { open };
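Review bot: The ramdump and mnt_vendor_file rules are compiled only into userdebug/eng builds, but the matching `dontaudit` lines are deleted from tracking_denials unconditionally, so on a user build any attempt by the HAL to search these directories is now audited instead of allowed or silenced. The later bcl change in this series pairs its gated allow with an unconditional `dontaudit`; doing the same here, `dontaudit hal_dumpstate_default mnt_vendor_file:dir search;` and `dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir search;`, keeps user-build logs clean, unless the dumpstate code itself skips the ramdump section on user builds, which cannot be seen from the policy. A short comment at the top of the userdebug_or_eng block, `# debug-only: ramdumps are never included in user bugreports`, would record that decision either way.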
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 70319abc..e62351a2 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
+
 allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
 allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
From db22459b69d2700c509c80054d81c35e9bb94722 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 09:40:33 +0800
Subject: [PATCH 289/900] be able to dump battery info
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: I3705ee59b37d34c7d676943ca8f0c9995ef0262e
---
 tracking_denials/hal_dumpstate_default.te | 6 ------
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index f0a79c7a..db61e9c6 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
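Review bot: The acpm rules are prepended at line 1 of whitechapel_pro/hal_dumpstate_default.te, and the batteryinfo, wifi, thermal, crashinfo, aoc, exynos, wlc, chip-id, GPS, rfsd and usf changes that follow do the same, so the file ends up listing its read-only sysfs grants in reverse commit order rather than grouped by subsystem. Grouping the `sysfs_*` pairs together under a short header such as `# read-only sysfs nodes collected in bugreports`, the way the slog change keeps the modem rules together, would make the domain's footprint easier to audit. This is style only; each pair matches the denials removed from tracking_denials in the same commit.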
@@ -14,12 +14,6 @@ dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir { open
 dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir search;
 dontaudit hal_dumpstate_default sysfs_aoc:dir { search };
 dontaudit hal_dumpstate_default sysfs_aoc_dumpstate:file { open read };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { open };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { read };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:dir { search };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:file getattr;
-dontaudit hal_dumpstate_default sysfs_batteryinfo:file { open };
-dontaudit hal_dumpstate_default sysfs_batteryinfo:file { read };
 dontaudit hal_dumpstate_default sysfs_bcl:dir { open };
 dontaudit hal_dumpstate_default sysfs_bcl:dir { read };
 dontaudit hal_dumpstate_default sysfs_bcl:dir { search };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index e62351a2..cd9e1cc5 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
From e8da0e146fb11c290141e843ddbee2a232fc48af Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 09:43:54 +0800
Subject: [PATCH 290/900] be able to dump bcl in userdebug ROM only
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: Id8127d495ff1b332284beda1e411b2327ec8625f
---
 tracking_denials/hal_dumpstate_default.te | 6 ------
 whitechapel_pro/hal_dumpstate_default.te | 6 ++++++
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index db61e9c6..d219fba7 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -14,12 +14,6 @@ dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir { open
 dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir search;
 dontaudit hal_dumpstate_default sysfs_aoc:dir { search };
 dontaudit hal_dumpstate_default sysfs_aoc_dumpstate:file { open read };
-dontaudit hal_dumpstate_default sysfs_bcl:dir { open };
-dontaudit hal_dumpstate_default sysfs_bcl:dir { read };
-dontaudit hal_dumpstate_default sysfs_bcl:dir { search };
-dontaudit hal_dumpstate_default sysfs_bcl:file { getattr };
-dontaudit hal_dumpstate_default sysfs_bcl:file open;
-dontaudit hal_dumpstate_default sysfs_bcl:file { read };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { open };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { read };
 dontaudit hal_dumpstate_default sysfs_exynos_bts:dir { search };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index cd9e1cc5..4796bbd4 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -37,4 +37,10 @@ userdebug_or_eng(`
 allow hal_dumpstate_default mnt_vendor_file:dir search;
 allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
 allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+ allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
+ allow hal_dumpstate_default sysfs_bcl:file r_file_perms;
+
 ')
+
+dontaudit hal_dumpstate_default sysfs_bcl:dir { open };
+dontaudit hal_dumpstate_default sysfs_bcl:file { read };
From f884bc1f195c545a5a3273e44cf5154ddfd0932e Mon Sep 17 00:00:00 2001
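Review bot: The user-build `dontaudit` fallback added after the macro covers only `sysfs_bcl:dir { open }` and `sysfs_bcl:file { read }`, while the denials deleted from tracking_denials in the same commit also included dir read/search and file getattr/open, so on user builds those accesses will still be logged. Silence the full read set instead: `dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;` and `dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;`. The stray blank line inserted before `')` inside the macro can be dropped, and a comment such as `# user builds: bcl is not collected, silence the probe` above the two dontaudit lines would explain why they sit next to a gated allow.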
From: Adam Shih
Date: Thu, 20 Jan 2022 09:45:42 +0800
Subject: [PATCH 291/900] be able to dump wifi info
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: I3d0c257a20cfd6da6572cd01e76416dfa56c3c23
---
 tracking_denials/hal_dumpstate_default.te | 3 ---
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index d219fba7..dad0f3a0 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -26,9 +26,6 @@ dontaudit hal_dumpstate_default sysfs_thermal:dir { read };
 dontaudit hal_dumpstate_default sysfs_thermal:dir { search };
 dontaudit hal_dumpstate_default sysfs_thermal:file { open };
 dontaudit hal_dumpstate_default sysfs_thermal:file { read };
-dontaudit hal_dumpstate_default sysfs_wifi:dir { search };
-dontaudit hal_dumpstate_default sysfs_wifi:file { open };
-dontaudit hal_dumpstate_default sysfs_wifi:file { read };
 dontaudit hal_dumpstate_default sysfs_wlc:dir { search };
 dontaudit hal_dumpstate_default sysfs_wlc:file { open read };
 dontaudit hal_dumpstate_default vendor_battery_debugfs:dir { open read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 4796bbd4..8999a165 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
From dee839cecde3313b06f07d255e7aed5f9f918830 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 09:47:40 +0800
Subject: [PATCH 292/900] be able to dump thermal
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: I6f8e2ce3b64220efba4172ef6fe05cc3fdbb6cf3
---
 tracking_denials/hal_dumpstate_default.te | 5 -----
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index dad0f3a0..267ed54c 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -21,11 +21,6 @@ dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { open };
 dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { read };
 dontaudit hal_dumpstate_default sysfs:file { open };
 dontaudit hal_dumpstate_default sysfs:file { read };
-dontaudit hal_dumpstate_default sysfs_thermal:dir { open };
-dontaudit hal_dumpstate_default sysfs_thermal:dir { read };
-dontaudit hal_dumpstate_default sysfs_thermal:dir { search };
-dontaudit hal_dumpstate_default sysfs_thermal:file { open };
-dontaudit hal_dumpstate_default sysfs_thermal:file { read };
 dontaudit hal_dumpstate_default sysfs_wlc:dir { search };
 dontaudit hal_dumpstate_default sysfs_wlc:file { open read };
 dontaudit hal_dumpstate_default vendor_battery_debugfs:dir { open read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 8999a165..86434b07 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
From 24177266744d9bae39d3a70244843499ff0b522a Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 09:49:44 +0800
Subject: [PATCH 293/900] be able to dump crashinfo
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: Id01348da754d39f36262a7757d8c65ee746032c3
---
 tracking_denials/hal_dumpstate_default.te | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 267ed54c..b364bcfe 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -10,8 +10,6 @@ dontaudit hal_dumpstate_default debugfs:file { open };
 dontaudit hal_dumpstate_default debugfs:file { read };
 dontaudit hal_dumpstate_default property_type:file *;
 dontaudit hal_dumpstate_default shell_data_file:file { getattr };
-dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir { open read };
-dontaudit hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir search;
 dontaudit hal_dumpstate_default sysfs_aoc:dir { search };
 dontaudit hal_dumpstate_default sysfs_aoc_dumpstate:file { open read };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { open };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 86434b07..e4833c35 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
From 93000fdd06379c9fa7c4efcf8aeafbe1591bcf97 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 09:52:05 +0800
Subject: [PATCH 294/900] be able to dump aoc info
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: I60cb5cce8b6cb7e417ee3efdeceeaafc2f071dfa
---
 tracking_denials/hal_dumpstate_default.te | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index b364bcfe..281249f9 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -10,8 +10,6 @@ dontaudit hal_dumpstate_default debugfs:file { open };
 dontaudit hal_dumpstate_default debugfs:file { read };
 dontaudit hal_dumpstate_default property_type:file *;
 dontaudit hal_dumpstate_default shell_data_file:file { getattr };
-dontaudit hal_dumpstate_default sysfs_aoc:dir { search };
-dontaudit hal_dumpstate_default sysfs_aoc_dumpstate:file { open read };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { open };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { read };
 dontaudit hal_dumpstate_default sysfs_exynos_bts:dir { search };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index e4833c35..eacb4398 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms;
+
 allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
 allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
From 75ad9a3fcc61f450eb0c7cda19ad72a7a08a39a0 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 10:04:56 +0800
Subject: [PATCH 295/900] be able to dump exynos info
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: I72ca4c8715130558d8dd3dccbf941dde6b9f064e
---
 tracking_denials/hal_dumpstate_default.te | 3 ---
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 281249f9..554a8038 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -12,9 +12,6 @@ dontaudit hal_dumpstate_default property_type:file *;
 dontaudit hal_dumpstate_default shell_data_file:file { getattr };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { open };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { read };
-dontaudit hal_dumpstate_default sysfs_exynos_bts:dir { search };
-dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { open };
-dontaudit hal_dumpstate_default sysfs_exynos_bts_stats:file { read };
 dontaudit hal_dumpstate_default sysfs:file { open };
 dontaudit hal_dumpstate_default sysfs:file { read };
 dontaudit hal_dumpstate_default sysfs_wlc:dir { search };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index eacb4398..2662402a 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms;
From 8518e2e1ce56f4c28776f26d76928b7a1a2c66a3 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 10:06:11 +0800
Subject: [PATCH 296/900] be able to dump wireless charging info
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: Ie4e19a322a312e183e23197f600a527ee5ceed4d
---
 tracking_denials/hal_dumpstate_default.te | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 554a8038..cd52a39e 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -14,8 +14,6 @@ dontaudit hal_dumpstate_default sysfs_chip_id:file { open };
 dontaudit hal_dumpstate_default sysfs_chip_id:file { read };
 dontaudit hal_dumpstate_default sysfs:file { open };
 dontaudit hal_dumpstate_default sysfs:file { read };
-dontaudit hal_dumpstate_default sysfs_wlc:dir { search };
-dontaudit hal_dumpstate_default sysfs_wlc:file { open read };
 dontaudit hal_dumpstate_default vendor_battery_debugfs:dir { open read };
 dontaudit hal_dumpstate_default vendor_battery_debugfs:dir search;
 dontaudit hal_dumpstate_default vendor_battery_debugfs:file { getattr open read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 2662402a..8b5e1865 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
From bfe1d014a2d6e88ffe3f9cf595b8fc0103eca127 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 10:08:25 +0800
Subject: [PATCH 297/900] be able to dump chip id
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: Ie539ab9afac80ea58e418a6fbe503ad822299b3f
---
 tracking_denials/hal_dumpstate_default.te | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index cd52a39e..4fa6e17b 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -10,8 +10,6 @@ dontaudit hal_dumpstate_default debugfs:file { open };
 dontaudit hal_dumpstate_default debugfs:file { read };
 dontaudit hal_dumpstate_default property_type:file *;
 dontaudit hal_dumpstate_default shell_data_file:file { getattr };
-dontaudit hal_dumpstate_default sysfs_chip_id:file { open };
-dontaudit hal_dumpstate_default sysfs_chip_id:file { read };
 dontaudit hal_dumpstate_default sysfs:file { open };
 dontaudit hal_dumpstate_default sysfs:file { read };
 dontaudit hal_dumpstate_default vendor_battery_debugfs:dir { open read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 8b5e1865..bdb7fe81 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,5 @@
+allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
From 43d7a148d5d2be94351861ed2dede7634c6ef73b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 10:10:19 +0800
Subject: [PATCH 298/900] be able to dump GPS
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: Ied6d86090e3ae29c0b49c4880a515669940c5706
---
 tracking_denials/hal_dumpstate_default.te | 3 ---
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 4fa6e17b..2c7ecc1f 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -25,9 +25,6 @@ dontaudit hal_dumpstate_default vendor_charger_debugfs:file { read };
 dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open };
 dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read };
 dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans };
-dontaudit hal_dumpstate_default vendor_gps_file:dir { open read search };
-dontaudit hal_dumpstate_default vendor_gps_file:file getattr;
-dontaudit hal_dumpstate_default vendor_gps_file:file { open read };
 dontaudit hal_dumpstate_default vendor_log_file:dir search;
 dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search;
 dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file { open read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index bdb7fe81..2e9e4a50 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
 allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;
From 0e96eb0865635f6da9a1dbfefe48f9b1ace13b48 Mon Sep 17 00:00:00 2001
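Review bot: `vendor_gps_file` becomes readable by the dumpstate HAL on user builds with no gating, and the same applies to `vendor_slog_file` (the modem silent log) two commits later; both are vendor data that could carry location-related or subscriber-identifying content, although what these files actually hold is not visible from the policy. If either does, wrap the allow in userdebug_or_eng with a `dontaudit` fallback for user builds, or document above the rule what the dumpstate code copies and why that is acceptable in a user bugreport, e.g. `# <what dumpstate copies from vendor_gps_file and why it is safe in user bugreports>`. Dropping the three tracked denials is consistent with the new rules.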
From: Adam Shih
Date: Thu, 20 Jan 2022 10:11:38 +0800
Subject: [PATCH 299/900] be able to dump rfsd info
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: Idbe125d76392a8c04b3fa5f475e0c3aa2f9a199c
---
 tracking_denials/hal_dumpstate_default.te | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 2c7ecc1f..9b80d0af 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -30,8 +30,6 @@ dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search;
 dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file { open read };
 dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { open };
 dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { read };
-dontaudit hal_dumpstate_default vendor_rfsd_log_file:dir { open read search };
-dontaudit hal_dumpstate_default vendor_rfsd_log_file:file { getattr open read };
 dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans };
 dontaudit hal_dumpstate_default vendor_slog_file:file { getattr read };
 dontaudit hal_dumpstate_default vendor_slog_file:file open;
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 2e9e4a50..4dbf76d4 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
+
 allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
 allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
From f6dd48e07b052dec9e26eedf798b6dc901ca8ae6 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 10:14:02 +0800
Subject: [PATCH 300/900] be able to dump modem silent log
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: Iec520b21d904fa4119a4111fe4de659c28634826
---
 tracking_denials/hal_dumpstate_default.te | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 9b80d0af..a0cc0e31 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -31,8 +31,6 @@ dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file { open read };
 dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { open };
 dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { read };
 dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans };
-dontaudit hal_dumpstate_default vendor_slog_file:file { getattr read };
-dontaudit hal_dumpstate_default vendor_slog_file:file open;
 dontaudit hal_dumpstate_default vendor_toolbox_exec:file { execute_no_trans };
 dontaudit hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
 dontaudit hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 4dbf76d4..14cced06 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -36,6 +36,7 @@ allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
 allow hal_dumpstate_default modem_efs_file:dir search;
 allow hal_dumpstate_default modem_efs_file:file r_file_perms;
 allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
+allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
 allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
From 8209221242c1ca2f7c05071951a20851b41fb81b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 20 Jan 2022 10:15:42 +0800
Subject: [PATCH 301/900] be able to run usf dump binary
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: I83687a284c4a27e723e31ce19edd2cbceaa69ab8
---
 tracking_denials/hal_dumpstate_default.te | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index a0cc0e31..8e88c4b2 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -32,8 +32,6 @@ dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { open };
 dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { read };
 dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans };
 dontaudit hal_dumpstate_default vendor_toolbox_exec:file { execute_no_trans };
-dontaudit hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
-dontaudit hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
 dontaudit hal_dumpstate_default vendor_votable_debugfs:dir { open read };
 dontaudit hal_dumpstate_default vendor_votable_debugfs:dir search;
 dontaudit hal_dumpstate_default vendor_votable_debugfs:file { getattr open read };
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 14cced06..0de4e15b 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -1,3 +1,6 @@
+allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
+allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
+
 allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
 allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
From 36dc06e08ab0b29a48a091fa94572d10f9dd7cd9 Mon Sep 17 00:00:00 2001
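Review bot: `execute_no_trans` runs vendor_usf_reg_edit and vendor_usf_stats inside the hal_dumpstate_default domain, so every file those binaries open or write is governed by this domain's rules and the HAL's own footprint grows by whatever they touch; a domain transition would confine them separately. The name vendor_usf_reg_edit suggests a tool that can modify sensor registers, which matters if it is reachable on user builds, but what it does cannot be confirmed from the policy. If it is read-only when invoked by dumpstate, a comment above the two rules such as `# usf dump helpers; reg_edit is invoked read-only by dumpstate` plus any userdebug_or_eng gate that applies would settle it. The removed tracked denials match the new rules.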
From: Adam Shih
Date: Thu, 20 Jan 2022 11:10:13 +0800
Subject: [PATCH 302/900] be able to dump debugfs info
Bug: 208721677
Bug: 208909124
Test: do adb bugreport with no relevant error log
Change-Id: I4f7fc7a8f0029f1c1f398403d938bd6b7b96a43e
---
 tracking_denials/hal_dumpstate_default.te | 25 +---------------
 whitechapel_pro/file.te | 1 +
 whitechapel_pro/genfs_contexts | 1 +
 whitechapel_pro/hal_dumpstate_default.te | 35 +++++++++++++++++++++--
 4 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 8e88c4b2..40d89393 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -2,36 +2,13 @@ # b/208909124 dontaudit hal_dumpstate_default boottime_public_prop:file { open }; dontaudit hal_dumpstate_default boottime_public_prop:file { read }; -dontaudit hal_dumpstate_default debugfs:dir { open read }; -dontaudit hal_dumpstate_default debugfs_f2fs:dir { search }; -dontaudit hal_dumpstate_default debugfs_f2fs:file { open }; -dontaudit hal_dumpstate_default debugfs_f2fs:file { read }; -dontaudit hal_dumpstate_default debugfs:file { open }; -dontaudit hal_dumpstate_default debugfs:file { read }; dontaudit hal_dumpstate_default property_type:file *; dontaudit hal_dumpstate_default shell_data_file:file { getattr }; dontaudit hal_dumpstate_default sysfs:file { open }; dontaudit hal_dumpstate_default sysfs:file { read }; -dontaudit hal_dumpstate_default vendor_battery_debugfs:dir { open read }; -dontaudit hal_dumpstate_default vendor_battery_debugfs:dir search; -dontaudit hal_dumpstate_default vendor_battery_debugfs:file { getattr open read }; dontaudit hal_dumpstate_default vendor_camera_data_file:dir search; -dontaudit hal_dumpstate_default vendor_charger_debugfs:dir { open }; -dontaudit hal_dumpstate_default vendor_charger_debugfs:dir { read }; -dontaudit hal_dumpstate_default vendor_charger_debugfs:dir { search }; -dontaudit hal_dumpstate_default vendor_charger_debugfs:file { getattr }; -dontaudit hal_dumpstate_default vendor_charger_debugfs:file open; -dontaudit hal_dumpstate_default vendor_charger_debugfs:file { read }; -dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { open }; -dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file { read }; dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans }; dontaudit hal_dumpstate_default vendor_log_file:dir search; -dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search; -dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file { open read }; -dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file { open }; -dontaudit hal_dumpstate_default 
vendor_pm_genpd_debugfs:file { read }; dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans }; dontaudit hal_dumpstate_default vendor_toolbox_exec:file { execute_no_trans }; -dontaudit hal_dumpstate_default vendor_votable_debugfs:dir { open read }; -dontaudit hal_dumpstate_default vendor_votable_debugfs:dir search; -dontaudit hal_dumpstate_default vendor_votable_debugfs:file { getattr open read }; + diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index c72cba22..dfd0d49e 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -52,6 +52,7 @@ type vendor_charger_debugfs, fs_type, debugfs_type; type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; type vendor_dmabuf_debugfs, fs_type, debugfs_type; +type vendor_dri_debugfs, fs_type, debugfs_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 9ab6242b..c2e10895 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -114,6 +114,7 @@ genfscon debugfs /usb u:object genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 +genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0 # Battery genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 0de4e15b..88e7def3 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -69,8 +69,37 @@ userdebug_or_eng(` allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; allow hal_dumpstate_default sysfs_bcl:file r_file_perms; - + allow hal_dumpstate_default debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; + allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; + allow hal_dumpstate_default debugfs_f2fs:file r_file_perms; + allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; ') -dontaudit hal_dumpstate_default sysfs_bcl:dir { open }; -dontaudit hal_dumpstate_default sysfs_bcl:file { read }; +dontaudit hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; +dontaudit hal_dumpstate_default debugfs_f2fs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; +dontaudit 
hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; +dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; From f56dba1b2481076bebc36709669a9fb8549e37d4 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 20 Jan 2022 14:11:25 +0800 Subject: [PATCH 303/900] be able to dump CPU info Bug: 208721677 Bug: 208909124 Test: do adb bugreport with no relevant error log Change-Id: I14abe138b6ad4a842edb143318cc5d867d575ec3 --- tracking_denials/hal_dumpstate_default.te | 2 -- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 11 +++++++++++ whitechapel_pro/hal_dumpstate_default.te | 2 ++ 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te index 40d89393..df44e8f9 100644 --- a/tracking_denials/hal_dumpstate_default.te +++ b/tracking_denials/hal_dumpstate_default.te @@ -4,8 +4,6 @@ dontaudit hal_dumpstate_default boottime_public_prop:file { open }; dontaudit hal_dumpstate_default boottime_public_prop:file { read }; dontaudit hal_dumpstate_default property_type:file *; dontaudit hal_dumpstate_default shell_data_file:file { getattr }; -dontaudit hal_dumpstate_default sysfs:file { open }; -dontaudit hal_dumpstate_default sysfs:file { read }; dontaudit hal_dumpstate_default vendor_camera_data_file:dir search; dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans }; dontaudit hal_dumpstate_default vendor_log_file:dir search; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index dfd0d49e..4fd65e96 100644 
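Review bot: The `dontaudit` run added after the `')` is a hand-maintained mirror of the `allow` list inside `userdebug_or_eng`, and nothing in the file records why two copies exist, so the next edit is likely to change one list and not the other. A comment above the run, `# user builds: debugfs nodes are not granted, so silence dumpstate's probes of them instead of allowing them`, would capture the intent, and generating both lists from one m4 macro would keep them from drifting. Note also that `dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;` is on the generic `debugfs` type, so it hides any future unintended listing of the debugfs root by dumpstate as well as the intended one; confirm that trade-off is acceptable. The `userdebug_or_eng(` block this hunk extends opens before the hunk.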
--- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -41,6 +41,7 @@ type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; +type sysfs_cpu, sysfs_type, fs_type; # debugfs type debugfs_f2fs, debugfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index c2e10895..f7ed4ab3 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -11,6 +11,17 @@ genfscon sysfs /devices/system/chip-id/product_id u genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 +# CPU +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 + # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 
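Review bot: `sysfs_cpu` is a misleading name for what these genfscon lines label: eight of the nine paths are devfreq `time_in_state` nodes for the MIF, INT, INTCAM, DISP, CAM, TNR, MFC and BO buses, and only the cpupm entry concerns CPUs. The same genfs_contexts file already uses `sysfs_devfreq_cur` for the devfreq `cur_freq` nodes, so a name such as `sysfs_devfreq_time_in_state`, or at least a comment `# devfreq/cpupm time_in_state nodes, read by dumpstate (b/208721677)`, would keep the naming consistent and stop a future policy author from granting `sysfs_cpu` believing it covers only CPU state. The companion hunk's `allow hal_dumpstate_default sysfs_cpu:file r_file_perms;` is read-only and proportionate to the retired `sysfs:file { open read }` denials.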
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 88e7def3..210b72c3 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -1,3 +1,5 @@ +allow hal_dumpstate_default sysfs_cpu:file r_file_perms; + allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; From 26778aff7b6ba266d03d63b08aed55679033d7e0 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 20 Jan 2022 14:17:00 +0800 Subject: [PATCH 304/900] be able to dump camera info Bug: 208721677 Bug: 208909124 Test: do adb bugreport with no relevant error log Change-Id: I90a4c971c50290c38f7913dc18404daf0270b907 --- tracking_denials/hal_dumpstate_default.te | 1 - whitechapel_pro/hal_dumpstate_default.te | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te index df44e8f9..72668cfe 100644 --- a/tracking_denials/hal_dumpstate_default.te +++ b/tracking_denials/hal_dumpstate_default.te @@ -4,7 +4,6 @@ dontaudit hal_dumpstate_default boottime_public_prop:file { open }; dontaudit hal_dumpstate_default boottime_public_prop:file { read }; dontaudit hal_dumpstate_default property_type:file *; dontaudit hal_dumpstate_default shell_data_file:file { getattr }; -dontaudit hal_dumpstate_default vendor_camera_data_file:dir search; dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans }; dontaudit hal_dumpstate_default vendor_log_file:dir search; dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans }; diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 210b72c3..bce77139 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -1,3 +1,6 @@ +allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; +allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; + allow hal_dumpstate_default sysfs_cpu:file r_file_perms; allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; From 3062ac34cd79454bc3854404e0aa650aa90c0324 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 20 Jan 2022 14:43:24 +0800 Subject: [PATCH 305/900] allow storageproxyd to set itself to system Bug: 205904330 Test: boot to home under enforcing mode Change-Id: I48272f6507f6cdb930f734b86d3b21b0e553cac0 --- tracking_denials/tee.te | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te index e20f6584..9a1070ab 100644 --- a/tracking_denials/tee.te +++ b/tracking_denials/tee.te @@ -1,3 +1,2 @@ -# b/205904330 -dontaudit tee tee:capability { setgid }; -dontaudit tee tee:capability { setuid }; +# TODO(b/205904330): avoid using setuid, setgid permission +allow tee tee:capability { setuid setgid }; From 35abe981246238b2f708462fce7f660be2c450ea Mon Sep 17 00:00:00 2001 From: Devika Krishnadas Date: Thu, 20 Jan 2022 22:51:17 +0800 Subject: [PATCH 306/900] Edit vframe-secure policy Bug: 215417614 Test: GL2SecureRendering.apk Signed-off-by: Devika Krishnadas Change-Id: Ief75b8581887d28916d512ec90acc575311276db --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 54517020..f439a185 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
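Review bot: The denial this replaces was only `vendor_camera_data_file:dir search`, yet the fix grants `r_dir_perms` on the directories and `r_file_perms` on every file of that type, unconditionally, so the bugreport collector can now read all camera HAL data files on user builds, and bugreports are routinely shared off-device. If dumpstate only needs a log subdirectory, give that subtree its own type in file_contexts and allow read on that type; if the full read is genuinely debug-only, move the two lines into the file's `userdebug_or_eng(...)` block. At minimum record the scope with `# b/208721677: dumpstate reads camera HAL logs under vendor_camera_data_file` so the grant is not widened further by accident.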
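Review bot: `allow tee tee:capability { setuid setgid };` is an `allow` rule placed in tracking_denials/tee.te, a directory this series otherwise uses only for `dontaudit` entries tagged with a bug number, so a real capability grant is easy to overlook there; it belongs in whitechapel_pro/tee.te next to the domain's other permissions. CAP_SETUID/CAP_SETGID let the process switch to any uid, including back to root, so if storageproxyd only needs to drop from root to system the cleaner fix is `user system` and `group system` in its init .rc (plus an explicit `capabilities` line for whatever it still needs), which the TODO already points toward. Until then, naming the daemon and the target uid in the comment, e.g. `# TODO(b/205904330): storageproxyd drops root->system itself; move to init.rc user/group`, makes the TODO actionable.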
@@ -73,7 +73,7 @@ /dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0 /dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0 -/dev/dma_heap/vframe-secure u:object_r:vframe_heap_device:s0 +/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0 /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 /dev/bigocean u:object_r:video_device:s0 From 492f8a39f4bc1de0fbd79adfd416e0df496d0b17 Mon Sep 17 00:00:00 2001 From: William Tai Date: Thu, 20 Jan 2022 15:59:40 +0800 Subject: [PATCH 307/900] allow android.hardware.power.stats-service.pixel to access sysfs_leds 01-20 15:26:18.272 760 760 I android.hardwar: type=1400 audit(0.0:8): avc: denied { search } for name="backlight" dev="sysfs" ino=69387 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1 01-20 15:26:18.272 760 760 I android.hardwar: type=1400 audit(0.0:9): avc: denied { read } for name="state" dev="sysfs" ino=69419 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1 01-20 15:26:18.272 760 760 I android.hardwar: type=1400 audit(0.0:10): avc: denied { open } for path="/sys/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/state" dev="sysfs" ino=69419 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1 Bug: 214473005 Test: no avc denied error during bootup Change-Id: I5b8a232202a8f1c5b10878c10be9bec3329fb7ad --- tracking_denials/hal_power_stats_default.te | 4 ---- whitechapel_pro/hal_power_stats_default.te | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index 7a5fff14..ff6abb06 100644 --- a/tracking_denials/hal_power_stats_default.te 
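Review bot: Relabeling `/dev/dma_heap/vframe-secure` from its dedicated `vframe_heap_device` to the shared `dmabuf_system_secure_heap_device` (the label `vstream-secure` already carries) means every domain allowed on the shared type now reaches the secure video-frame heap as well, and the commit message does not say which domains those are or why the separate type is no longer wanted. Please confirm that set against the consumers GL2SecureRendering actually needs, and if `vframe_heap_device` now has no file_contexts entry, remove its type declaration and any `allow` rules on it (or comment why it is kept) so the dead type does not suggest the heap is still independently controlled.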
+++ b/tracking_denials/hal_power_stats_default.te @@ -25,7 +25,3 @@ dontaudit hal_power_stats_default sysfs_wifi:dir { search }; dontaudit hal_power_stats_default sysfs_wifi:file { getattr }; dontaudit hal_power_stats_default sysfs_wifi:file { open }; dontaudit hal_power_stats_default sysfs_wifi:file { read }; -# b/214473005 -dontaudit hal_power_stats_default sysfs_leds:dir { search }; -dontaudit hal_power_stats_default sysfs_leds:file { open }; -dontaudit hal_power_stats_default sysfs_leds:file { read }; diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te index aa17ffe1..7733ffdb 100644 --- a/whitechapel_pro/hal_power_stats_default.te +++ b/whitechapel_pro/hal_power_stats_default.te @@ -3,3 +3,5 @@ allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms; # allowed to access dislay stats sysfs node allow hal_power_stats_default sysfs_display:file r_file_perms; + +r_dir_file(hal_power_stats_default, sysfs_leds) From cf275e10c66b819492308f5edd7415c71af98207 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Fri, 21 Jan 2022 12:53:37 +0800 Subject: [PATCH 308/900] fix sim card related permission [ 21.176786] type=1107 audit(1642737478.108:25): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.radio.allowed_types_loaded0 pid=1931 uid=10205 gid=10205 scontext=u:r:oemrilservice_app:s0:c205,c256,c512,c768 tcontext=u:object_r:vendor_rild_prop:s0 tclass=property_service permissive=1' [ 32.319439] type=1400 audit(1642737489.248:28): avc: denied { read } for comm="pool-4-thread-1" name="u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=321 scontext=u:r:vendor_ims_app:s0:c212,c256,c512,c768 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1 app=com.shannon.imsservice Bug: 205214899 Test: boot to home with sim card inserted Change-Id: Id54441adc109d6977013abdc94c31d9b46bc203b --- whitechapel_pro/oemrilservice_app.te | 1 + whitechapel_pro/property_contexts | 2 +- whitechapel_pro/vendor_ims_app.te | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/oemrilservice_app.te b/whitechapel_pro/oemrilservice_app.te index f11162dd..b055dbea 100644 --- a/whitechapel_pro/oemrilservice_app.te +++ b/whitechapel_pro/oemrilservice_app.te @@ -6,3 +6,4 @@ allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find; allow oemrilservice_app radio_service:service_manager find; binder_call(oemrilservice_app, rild) +set_prop(oemrilservice_app, vendor_rild_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 64880da5..3dd44ea5 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts 
@@ -40,7 +40,7 @@ persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0 # for rild persist.vendor.ril. u:object_r:vendor_rild_prop:s0 vendor.ril. u:object_r:vendor_rild_prop:s0 -vendor.radio.ril. u:object_r:vendor_rild_prop:s0 +vendor.radio. u:object_r:vendor_rild_prop:s0 vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 persist.vendor.radio. u:object_r:vendor_rild_prop:s0 ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te index 9325a2b7..b226dc37 100644 --- a/whitechapel_pro/vendor_ims_app.te +++ b/whitechapel_pro/vendor_ims_app.te @@ -6,3 +6,4 @@ allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; allow vendor_ims_app radio_service:service_manager find; binder_call(vendor_ims_app, rild) +get_prop(vendor_ims_app, vendor_rild_prop) From 13bd5ff5df48bd7ec45ebdfca73f41440af2c28f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 21 Jan 2022 13:00:12 +0800 Subject: [PATCH 309/900] let vendor_init set usb property [ 6.419785] type=1107 audit(1642741073.304:7): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.usb.rndis.config pid=352 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=property_service permissive=0' Bug: 205214899 Test: unplug and plug in usb with no relevant error Change-Id: I8104ba9f0e0cb5b8b0d5e66964d9306d39d4c296 Change-Id: Ib76f7cae9015bcbd255d79edc099072a58860028 --- whitechapel_pro/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index e83d6535..996a44fd 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te 
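Review bot: Widening the prefix from `vendor.radio.ril.` to `vendor.radio.` labels every present and future `vendor.radio.*` property as `vendor_rild_prop`, and the companion hunk adds `set_prop(oemrilservice_app, vendor_rild_prop)`, so an app-domain process (uid 10205 in the quoted denial) can now write all of `vendor.radio.*`, `vendor.ril.*`, `persist.vendor.radio.*` and `vendor.sys.rild_reset`, while the denial being fixed concerned a single property, `vendor.radio.allowed_types_loaded0`. A narrower fix is a dedicated type for the properties the app owns, e.g. `vendor.radio.allowed_types_ u:object_r:vendor_oemril_prop:s0` declared with `vendor_internal_prop(vendor_oemril_prop)` and granted with `set_prop(oemrilservice_app, vendor_oemril_prop)`, keeping set access on the rild-owned prefixes to rild and vendor_init. If the broad prefix is intended, a comment stating which components are expected to set `vendor.radio.*` would help the next reviewer judge it.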
@@ -7,6 +7,7 @@ set_prop(vendor_init, vendor_ready_prop) get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) +set_prop(vendor_init, vendor_usb_config_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file w_file_perms; From a7e3b39ca4e6938aaa497ded924307f7cf01b802 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Fri, 21 Jan 2022 11:39:36 +0800 Subject: [PATCH 310/900] sepolicy: allow PowerStats HAL to call BT HAL Bug: 205904367 Test: dump power stats with no relevant avc error Change-Id: Idc7ecbc7e3571011c8c12c421bdce0015e78135f Signed-off-by: Darren Hsu --- tracking_denials/hal_power_stats_default.te | 2 -- whitechapel_pro/hal_power_stats_default.te | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index ff6abb06..95b2784c 100644 --- a/tracking_denials/hal_power_stats_default.te +++ b/tracking_denials/hal_power_stats_default.te @@ -1,5 +1,3 @@ -# b/205904367 -dontaudit hal_power_stats_default hal_bluetooth_btlinux:binder { call }; # b/207062210 dontaudit hal_power_stats_default sysfs:file { getattr }; dontaudit hal_power_stats_default sysfs:file { open }; diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te index 7733ffdb..028fa1e3 100644 --- a/whitechapel_pro/hal_power_stats_default.te +++ b/whitechapel_pro/hal_power_stats_default.te @@ -5,3 +5,6 @@ allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms; allow hal_power_stats_default sysfs_display:file r_file_perms; r_dir_file(hal_power_stats_default, sysfs_leds) + +# getStateResidency AIDL callback for Bluetooth HAL +binder_call(hal_power_stats_default, hal_bluetooth_btlinux) From 89f14a9496f3ef451e1ba78987073ebb7cb66b1f Mon Sep 17 00:00:00 2001 
From: Darren Hsu Date: Fri, 21 Jan 2022 15:01:52 +0800 Subject: [PATCH 311/900] sepolicy: allow PowerStats HAL to access below sysfs aoc, acpm_stats, cpu, edgetpu, iio_devices, odpm, wifi and ufs (All avc logs are listed in b/207598247#comment2) Bug: 207062210 Bug: 207571335 Bug: 207720720 Bug: 207598247 Test: dump power stats with no relevant avc error Change-Id: I9c99af2d06461a2f86ef02d76b3aa8ea669e58e9 Signed-off-by: Darren Hsu --- tracking_denials/hal_power_stats_default.te | 25 --------------------- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 19 +++++++++++++--- whitechapel_pro/hal_power_stats_default.te | 11 ++++++--- 4 files changed, 25 insertions(+), 31 deletions(-) delete mode 100644 tracking_denials/hal_power_stats_default.te diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te deleted file mode 100644 index 95b2784c..00000000 --- a/tracking_denials/hal_power_stats_default.te +++ /dev/null 
@@ -1,25 +0,0 @@ -# b/207062210 -dontaudit hal_power_stats_default sysfs:file { getattr }; -dontaudit hal_power_stats_default sysfs:file { open }; -dontaudit hal_power_stats_default sysfs:file { read }; -dontaudit hal_power_stats_default sysfs_edgetpu:dir { search }; -dontaudit hal_power_stats_default sysfs_edgetpu:file { getattr }; -dontaudit hal_power_stats_default sysfs_edgetpu:file { open }; -dontaudit hal_power_stats_default sysfs_edgetpu:file { read }; -dontaudit hal_power_stats_default sysfs_iio_devices:dir { read open }; -dontaudit hal_power_stats_default sysfs_iio_devices:dir { read }; -dontaudit hal_power_stats_default sysfs_iio_devices:dir { search }; -# b/207571335 -dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search }; -dontaudit hal_power_stats_default sysfs_acpm_stats:file { read }; -dontaudit hal_power_stats_default sysfs_aoc:dir { search }; -dontaudit hal_power_stats_default sysfs_aoc:file { getattr }; -dontaudit hal_power_stats_default sysfs_aoc:file { open }; -dontaudit hal_power_stats_default sysfs_aoc:file { read }; -# b/207720720 -dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr }; -dontaudit hal_power_stats_default sysfs_acpm_stats:file { open }; -dontaudit hal_power_stats_default sysfs_wifi:dir { search }; -dontaudit hal_power_stats_default sysfs_wifi:file { getattr }; -dontaudit hal_power_stats_default sysfs_wifi:file { open }; -dontaudit hal_power_stats_default sysfs_wifi:file { read }; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4fd65e96..2aa1cf06 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -42,6 +42,7 @@ type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; type sysfs_cpu, sysfs_type, fs_type; +type sysfs_odpm, sysfs_type, fs_type; # debugfs type debugfs_f2fs, debugfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index f7ed4ab3..c88c56dd 100644 
--- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -21,6 +21,8 @@ genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_c genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/28000000.mali/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/28000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 
@@ -52,9 +54,20 @@ genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 # Power Stats -genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 + +# Power ODPM +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te index 028fa1e3..ae332280 100644 --- a/whitechapel_pro/hal_power_stats_default.te +++ b/whitechapel_pro/hal_power_stats_default.te @@ -1,10 +1,15 @@ -allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms; -allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms; - # allowed to access dislay stats sysfs node allow hal_power_stats_default sysfs_display:file r_file_perms; +r_dir_file(hal_power_stats_default, sysfs_aoc) +r_dir_file(hal_power_stats_default, sysfs_acpm_stats) +r_dir_file(hal_power_stats_default, sysfs_cpu) +r_dir_file(hal_power_stats_default, sysfs_edgetpu) +r_dir_file(hal_power_stats_default, sysfs_iio_devices) r_dir_file(hal_power_stats_default, sysfs_leds) +r_dir_file(hal_power_stats_default, sysfs_odpm) +r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000) +r_dir_file(hal_power_stats_default, sysfs_wifi) # getStateResidency AIDL callback for Bluetooth HAL binder_call(hal_power_stats_default, hal_bluetooth_btlinux) From a846416750950703a0e1da3765bf612de07f4fbd Mon Sep 17 00:00:00 2001 From: Jagadeesh Pakaravoor Date: Thu, 7 Oct 2021 07:57:23 -0700 Subject: [PATCH 312/900] camera_hal: allow changing kthread priority Allow changing kthread priority during insmod for camera-hal/LWIS. Bug: 199950581 Test: boot, local camera testing Change-Id: If59bfe101cab17854a5472ef388411bd19ef0a68 --- whitechapel_pro/init-insmod-sh.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te index 1b85c561..ca98618c 100644 --- a/whitechapel_pro/init-insmod-sh.te 
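Review bot: The eight `sysfs_odpm` entries hard-code `iio:device0` and `iio:device1` in the path, and IIO device numbers are allocated at probe time, so if another IIO driver probes before the s2mpg12/s2mpg13 meters these nodes would keep the parent's label, the `r_dir_file(hal_power_stats_default, sysfs_odpm)` grant in the next hunk would silently stop matching, and the meter attributes would be reachable under whatever fallback type applies instead. If probe order is fixed on this SoC, record the assumption above the block, `# iio:deviceN indices assume the s2mpg12/13 meters are the first IIO devices to probe`; otherwise label the `s2mpg12-odpm` and `s2mpg13-odpm` directories and rely on genfscon prefix matching so the label does not depend on the index.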
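Review bot: `r_dir_file(hal_power_stats_default, sysfs_iio_devices)` grants read on every file under every IIO device, but the retired denials for that type in the deleted tracking_denials file were directory-only (`dir { read open search }`), which is consistent with the HAL walking `/sys/bus/iio/devices` to locate the ODPM meters whose attribute files this same patch labels `sysfs_odpm`. Scoping it to `allow hal_power_stats_default sysfs_iio_devices:dir r_dir_perms;` (plus `lnk_file` read if the device symlinks are followed) keeps other sensors' IIO attributes out of the power stats HAL. The remaining `r_dir_file` lines correspond to file-level denials in the deleted list and look proportionate; the `sysfs_scsi_devices_0000` rewrite additionally picks up `lnk_file` via the macro, which is harmless but worth knowing.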
+++ b/whitechapel_pro/init-insmod-sh.te @@ -6,6 +6,9 @@ allow init-insmod-sh self:capability sys_module; allow init-insmod-sh vendor_kernel_modules:system module_load; allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; +allow init-insmod-sh self:capability sys_nice; +allow init-insmod-sh kernel:process setsched; + set_prop(init-insmod-sh, vendor_device_prop) dontaudit init-insmod-sh proc_cmdline:file r_file_perms; From c050b6697640f3974e342178dab784f1034e756e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 21 Jan 2022 13:22:19 +0800 Subject: [PATCH 313/900] update error on ROM 8101782 Bug: 215649341 Bug: 215649571 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I1469117c6b9479fe40aa16975b00bcbe23ced015 --- tracking_denials/tee.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te index 9a1070ab..3a56e037 100644 --- a/tracking_denials/tee.te +++ b/tracking_denials/tee.te @@ -1,2 +1,5 @@ # TODO(b/205904330): avoid using setuid, setgid permission allow tee tee:capability { setuid setgid }; +# b/215649571 +dontaudit tee gsi_metadata_file:dir { search }; +dontaudit tee metadata_file:dir { search }; From 019c8e6fcfdf218c7a6a54982374244b2b9ea29a Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Fri, 21 Jan 2022 09:20:09 -0800 Subject: [PATCH 314/900] Allow TEE storageproxyd permissions needed for DSU handling Allows the vendor TEE access to GSI metadata files (which are publicly readable). Storageproxyd needs access to this metadata to determine if a GSI image is currently booted. Also allows the TEE domain to make new directories in its data path. Test: access /metadata/gsi/dsu/booted from storageproxyd Bug: 203719297 Change-Id: Ief6166aaa20ccab27dc7864373722383efae0718 --- whitechapel_pro/tee.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index edce5e1f..f93bf59e 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te 
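Review bot: `allow init-insmod-sh kernel:process setsched;` together with `self:capability sys_nice` lets a shell script change the scheduling class and priority of any thread in the `kernel` domain, not only the LWIS kthreads the message names, because SELinux cannot distinguish one kernel thread from another. That may be acceptable for a one-shot init script, but it should be recorded next to the rules, e.g. `# LWIS kthreads get their priority raised at insmod time (b/199950581); setsched necessarily covers all kernel threads`, and it is worth asking whether the driver can set its own kthread priority at probe so the shell never needs CAP_SYS_NICE. The rest of the init-insmod-sh domain is outside the hunk.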
@@ -5,5 +5,9 @@ allow tee persist_ss_file:file create_file_perms; allow tee persist_ss_file:dir create_dir_perms; allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; +allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; allow tee sg_device:chr_file rw_file_perms; + +# Allow storageproxyd access to gsi_public_metadata_file +read_fstab(tee) From 6733f9667d6afe2dd3e62a33043493b58d6ca03b Mon Sep 17 00:00:00 2001 From: Ray Chi Date: Tue, 11 Jan 2022 18:35:28 +0800 Subject: [PATCH 315/900] add sepolicy for set_usb_irq.sh Bug: 202103325 Test: build pass (synced from commit 714075eba72067489d08c36b87bfed9656092b2c) Change-Id: I309e24a5084ed33278d3fbe49e4ad1cc91b1255a --- whitechapel_pro/file_contexts | 3 +++ whitechapel_pro/set-usb-irq-sh.te | 13 +++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 whitechapel_pro/set-usb-irq-sh.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index f439a185..1d2dd7b3 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -213,3 +213,6 @@ /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 + +# USB +/vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0 diff --git a/whitechapel_pro/set-usb-irq-sh.te b/whitechapel_pro/set-usb-irq-sh.te new file mode 100644 index 00000000..a00fe3bb --- /dev/null +++ b/whitechapel_pro/set-usb-irq-sh.te 
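Review bot: `allow tee tee_data_file:dir rw_dir_perms;` does not by itself let storageproxyd make new directories: `rw_dir_perms` adds `write add_name remove_name` on the parent, but mkdir also needs `create` on the new directory inode, so unless the core tee policy already supplies it, `allow tee tee_data_file:dir create_dir_perms;` is the rule that matches the stated goal. Separately, the same day's patch added `dontaudit tee gsi_metadata_file:dir search;` and `dontaudit tee metadata_file:dir search;` to tracking_denials/tee.te; if `read_fstab(tee)` now grants that search access, as the commit message implies, those two `dontaudit` lines should be dropped so any future unintended tee access to `/metadata` is reported rather than silenced.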
@@ -0,0 +1,13 @@
+type set-usb-irq-sh, domain;
+type set-usb-irq-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(set-usb-irq-sh)
+
+allow set-usb-irq-sh vendor_toolbox_exec:file execute_no_trans;
+
+allow set-usb-irq-sh proc_irq:dir r_dir_perms;
+allow set-usb-irq-sh proc_irq:file w_file_perms;
+
+# AFAICT this happens if /proc/irq updates as we're running
+# and we end up trying to write into non-existing file,
+# which implies creation...
+dontaudit set-usb-irq-sh self:capability dac_override;
From 9748ae74c2a893d0d916df3d94258231ee489968 Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Thu, 13 Jan 2022 16:40:42 +0800 Subject: [PATCH 316/900] Using dontaudit to fix the avc on boot test [ 1.950092] audit: type=1400 audit(1641787406.988:2): avc: denied { search } for pid=49 comm="kworker/7:0" name="google_battery" dev="debugfs" ino=36095 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_battery_debugfs:s0 tclass=dir permissive=1 Bug: 213817227 Test: check bugreport Change-Id: Ia056856476a17feb40c20c21cf1515e0feddfc17 Signed-off-by: Ted Lin
---
 whitechapel_pro/kernel.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
index 0156784e..c34e7f72 100644
--- a/whitechapel_pro/kernel.te
+++ b/whitechapel_pro/kernel.te
@@ -7,3 +7,5 @@ allow kernel per_boot_file:file r_file_perms;
 # memlat needs permision to create/delete perf events when hotplug on/off
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
+
+dontaudit kernel vendor_battery_debugfs:dir search;
From 6c24e3f9ba78936c31dfa90b9412e53c6c929998 Mon Sep 17 00:00:00 2001
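Review bot: `dontaudit set-usb-irq-sh self:capability dac_override;` is justified only by a guess ("AFAICT ..."), and silencing dac_override hides exactly the denial that would surface if the script ever ran with an unexpected uid or against a file with unexpected ownership, so the cause should be confirmed before the rule lands. Once confirmed, the comment should state it as fact and carry the bug, e.g. `# b/202103325: /proc/irq entries can vanish mid-run; the resulting O_CREAT open trips dac_override`. It is also worth a comment that `proc_irq:file w_file_perms` covers the affinity files of every IRQ, not only the USB ones, if the label cannot be narrowed.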
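Review bot: `dontaudit kernel vendor_battery_debugfs:dir search;` lands in whitechapel_pro/kernel.te without the bug reference or reason that the neighbouring `# memlat ...` comment provides, and unlike entries in tracking_denials/ nothing records when it may be dropped. A comment such as `# b/213817227: a kworker searches google_battery under debugfs at boot; harmless, silence it` would keep that context next to the rule.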
From: Jinting Lin Date: Fri, 21 Jan 2022 06:35:52 +0000 Subject: [PATCH 317/900] sepolicy: fix avc denied for logger app Bug: 205202541 Bug: 205779798 Bug: 207062780 Bug: 206045604 Bug: 207571546 Bug: 207431041 Bug: 208721679 Test: flash forrest build, no avc denied log on logger app Change-Id: I6be694f727d619ba89eaa4d006c74ba4dc582095 --- tracking_denials/logger_app.te | 43 ---------------------------------- whitechapel_pro/logger_app.te | 29 +++++++++++++++++++++++ 2 files changed, 29 insertions(+), 43 deletions(-) delete mode 100644 tracking_denials/logger_app.te create mode 100644 whitechapel_pro/logger_app.te diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te deleted file mode 100644 index a29fe89b..00000000 --- a/tracking_denials/logger_app.te +++ /dev/null 
@@ -1,43 +0,0 @@ -# b/205202541 -dontaudit logger_app vendor_gps_prop:property_service { set }; -dontaudit logger_app vendor_ssrdump_prop:file { getattr }; -dontaudit logger_app vendor_ssrdump_prop:file { map }; -dontaudit logger_app vendor_ssrdump_prop:file { open }; -dontaudit logger_app vendor_ssrdump_prop:file { read }; -# b/205779798 -dontaudit logger_app radio_vendor_data_file:dir { getattr }; -dontaudit logger_app radio_vendor_data_file:dir { open }; -dontaudit logger_app radio_vendor_data_file:dir { read }; -dontaudit logger_app radio_vendor_data_file:dir { remove_name }; -dontaudit logger_app radio_vendor_data_file:dir { search }; -dontaudit logger_app radio_vendor_data_file:dir { setattr }; -dontaudit logger_app radio_vendor_data_file:dir { write }; -dontaudit logger_app radio_vendor_data_file:file { unlink }; -# b/206045604 -dontaudit logger_app radio_vendor_data_file:dir { add_name }; -dontaudit logger_app radio_vendor_data_file:dir { create }; -dontaudit logger_app radio_vendor_data_file:dir { rmdir }; -dontaudit logger_app radio_vendor_data_file:file { create }; -dontaudit logger_app radio_vendor_data_file:file { getattr }; -dontaudit logger_app radio_vendor_data_file:file { setattr }; -dontaudit logger_app radio_vendor_data_file:file { write open }; -dontaudit logger_app vendor_gps_file:dir { search }; -# b/207062780 -dontaudit logger_app vendor_gps_file:dir { getattr }; -dontaudit logger_app vendor_gps_file:dir { open }; -dontaudit logger_app vendor_gps_file:dir { read }; -# b/207431041 -dontaudit logger_app sysfs_vendor_sched:dir { search }; -# b/207571546 -dontaudit logger_app vendor_gps_file:dir { remove_name }; -dontaudit logger_app vendor_gps_file:dir { write }; -dontaudit logger_app vendor_gps_file:file { unlink }; -# b/208721679 -dontaudit logger_app vendor_default_prop:file { getattr }; -dontaudit logger_app vendor_default_prop:file { map }; -dontaudit logger_app vendor_default_prop:file { open }; -dontaudit logger_app vendor_modem_prop:file 
{ getattr }; -dontaudit logger_app vendor_modem_prop:file { map }; -dontaudit logger_app vendor_modem_prop:file { open }; -dontaudit logger_app vendor_modem_prop:file { read }; -dontaudit logger_app vendor_modem_prop:property_service { set }; diff --git a/whitechapel_pro/logger_app.te b/whitechapel_pro/logger_app.te new file mode 100644 index 00000000..cae88332 --- /dev/null +++ b/whitechapel_pro/logger_app.te @@ -0,0 +1,29 @@ +userdebug_or_eng(` + allow logger_app radio_vendor_data_file:file create_file_perms; + allow logger_app radio_vendor_data_file:dir create_dir_perms; + allow logger_app vendor_slog_file:file {r_file_perms unlink}; + allow logger_app vendor_gps_file:file create_file_perms; + allow logger_app vendor_gps_file:dir create_dir_perms; + allow logger_app sysfs_sscoredump_level:file r_file_perms; + r_dir_file(logger_app, ramdump_vendor_data_file) + r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) + r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) + + get_prop(logger_app, usb_control_prop) + set_prop(logger_app, vendor_logger_prop) + set_prop(logger_app, vendor_modem_prop) + set_prop(logger_app, vendor_gps_prop) + set_prop(logger_app, vendor_audio_prop) + set_prop(logger_app, vendor_tcpdump_log_prop) + set_prop(logger_app, vendor_ramdump_prop) + set_prop(logger_app, vendor_ssrdump_prop) + set_prop(logger_app, vendor_rild_prop) + set_prop(logger_app, logpersistd_logging_prop) + set_prop(logger_app, logd_prop) + set_prop(logger_app, vendor_usb_config_prop) + set_prop(logger_app, vendor_wifi_sniffer_prop) + + dontaudit logger_app default_prop:file r_file_perms; + dontaudit logger_app sysfs_vendor_sched:dir search; + dontaudit logger_app sysfs_vendor_sched:file write; +') From 213dbe2a394623d6ed7a6ffdda473a42f89aeb87 Mon Sep 17 00:00:00 2001 
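Review bot: The whole of whitechapel_pro/logger_app.te is wrapped in userdebug_or_eng() with no comment explaining that the app is debug-only, and the bug numbers that the deleted tracking_denials/logger_app.te carried are lost, so a later reader cannot tell which rule answers which denial. A header such as `# Pixel logger app, debug builds only; resolves b/205202541, b/205779798, b/206045604, b/207062780, b/207431041, b/207571546, b/208721679` would preserve that. `set_prop(logger_app, logd_prop)` and `set_prop(logger_app, logpersistd_logging_prop)` also deserve a line of their own, since as far as I can tell these are platform logging controls rather than vendor properties and it is not obvious why a vendor app needs to set them.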
From: TeYuan Wang Date: Tue, 25 Jan 2022 14:55:35 +0800 Subject: [PATCH 318/900] Add sepolicy for thermalHAL power link feature Bug: 204522993 Test: thermalHAL can read ODPM data under enforcing mode Change-Id: I58ad63003a68421b25b65fe5c43fa2c3a50696c4 --- whitechapel_pro/hal_thermal_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 whitechapel_pro/hal_thermal_default.te diff --git a/whitechapel_pro/hal_thermal_default.te b/whitechapel_pro/hal_thermal_default.te new file mode 100644 index 00000000..9852a767 --- /dev/null +++ b/whitechapel_pro/hal_thermal_default.te @@ -0,0 +1,2 @@ +allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; +allow hal_thermal_default sysfs_odpm:file r_file_perms; From 0f6ba3f80646a43cce5c9b4986bc388c09365083 Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Tue, 25 Jan 2022 17:58:52 +0800 Subject: [PATCH 319/900] remove thermal_link_device tracking_denials rules we remove the thermal zone policy change by ag/16713094, so we do not need this tracking_denials rules anymore Bug: 202907037 Test: no avc denied log found Change-Id: I5fe8b0d94c9fddac02e92fcd611b7098f0e68971 --- tracking_denials/thermal_link_device.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/thermal_link_device.te diff --git a/tracking_denials/thermal_link_device.te b/tracking_denials/thermal_link_device.te deleted file mode 100644 index d79bfe60..00000000 --- a/tracking_denials/thermal_link_device.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/204718864 -dontaudit thermal_link_device sysfs:filesystem { associate }; From 2e64171fe1892626dc1b44a706f352be72d4b4e0 Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Wed, 12 Jan 2022 15:26:20 +0800 Subject: [PATCH 320/900] Remove the tracking for regmap read on hardwareinfo Bug: 208909060 Test: adb bugreport Change-Id: Id81634ccf58a984e8b9ac54e400a1f8035b1304a Signed-off-by: Ted Lin --- tracking_denials/hardware_info_app.te | 2 -- 1 file changed, 2 deletions(-) 
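Review bot: The two rules in the new whitechapel_pro/hal_thermal_default.te have no comment tying them to the feature they serve, so the file does not say why the thermal HAL reads IIO device directories and ODPM sysfs files. A single line such as `# Power-link feature: read ODPM power readings exposed via IIO (b/204522993)` above them would make the intent clear.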
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te index 1c5ae7ed..a79e1d94 100644 --- a/tracking_denials/hardware_info_app.te +++ b/tracking_denials/hardware_info_app.te @@ -2,5 +2,3 @@ dontaudit hardware_info_app sysfs:file { getattr }; dontaudit hardware_info_app sysfs:file { open }; dontaudit hardware_info_app sysfs:file { read }; -# b/208909060 -dontaudit hardware_info_app vendor_regmap_debugfs:dir { search }; From cdee7b6e789d63e59ddb0e2288aa9abfde7213e5 Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Thu, 13 Jan 2022 16:30:37 +0800 Subject: [PATCH 321/900] fix avc denied for charge_stats 01-13 11:05:03.196 1000 3806 3806 I pixelstats-vend: type=1400 audit(0.0:32): avc: denied { search } for name="i2c-p9412" dev="sysfs" ino=59835 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1 01-13 11:05:03.196 1000 3806 3806 I pixelstats-vend: type=1400 audit(0.0:33): avc: denied { read } for name="charge_stats" dev="sysfs" ino=70092 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=1 01-13 11:05:03.196 1000 3806 3806 I pixelstats-vend: type=1400 audit(0.0:34): avc: denied { open } for path="/sys/devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/charge_stats" dev="sysfs" ino=70092 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=1 01-13 11:05:03.196 1000 3806 3806 I pixelstats-vend: type=1400 audit(0.0:35): avc: denied { getattr } for path="/sys/devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/charge_stats" dev="sysfs" ino=70092 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=1 Bug:208909060 Test: adb bugreport Change-Id: Idf43a85d07727bbeb8c3f34475da6f697573bfed Signed-off-by: Ted Lin --- whitechapel_pro/pixelstats_vendor.te | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 392c3b1c..a88db935 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -2,3 +2,7 @@ binder_use(pixelstats_vendor) allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; + +# Wireless charge +allow pixelstats_vendor sysfs_wlc:dir search; +allow pixelstats_vendor sysfs_wlc:file rw_file_perms; From ef2c46c2f4c7b680938074c8d04ce30a72596cc9 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Fri, 14 Jan 2022 09:51:13 -0800 Subject: [PATCH 322/900] Allow logd to read the Trusty log Bug: 190050919 Test: run Change-Id: I52c1bfadbbe7d2a471bd8e9be995284f8887543a --- whitechapel_pro/logd.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 whitechapel_pro/logd.te diff --git a/whitechapel_pro/logd.te b/whitechapel_pro/logd.te new file mode 100644 index 00000000..0317a672 --- /dev/null +++ b/whitechapel_pro/logd.te @@ -0,0 +1 @@ +r_dir_file(logd, logbuffer_device) From b76b5e3872f02824007d8dc5e69c145830622a6c Mon Sep 17 00:00:00 2001 
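Review bot: `allow pixelstats_vendor sysfs_wlc:file rw_file_perms;` grants more than the denials in the commit message call for: the logged denials on charge_stats are search, read, open and getattr, all covered by r_file_perms, yet the rule also grants write and append to every file carrying the sysfs_wlc label. Unless pixelstats actually writes one of these files, `allow pixelstats_vendor sysfs_wlc:file r_file_perms;` is the least-privilege rule; if a write is needed, the `# Wireless charge` comment should name the file that is written.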
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Tue, 25 Jan 2022 21:34:37 +0000 Subject: [PATCH 323/900] Add camera HAL sepolicy based on previous chip family. The camera HAL code is reused from the previous chip and needs to perform the same operations as previously, with the following differences: - The interrupt affinity workaround may no longer be necessary due to image sensor changes, so the ability to set interrupt affinity is removed. - Access to some files that were only present before the APEX migration is removed. - vendor_camera_tuning_file is no longer needed. - TEE access for face auth is removed for now. Bug: 205904406 Bug: 205657132 Bug: 205780186 Bug: 205072921 Bug: 205657133 Bug: 205780065 Bug: 204718762 Bug: 207300298 Bug: 209889068 Bug: 210067468 Test: Ensure that the policy builds; I don't have access to target hardware at the moment. Change-Id: Ia70b98d4e1f3a156a5e719f0d069a90579b6a247 --- tracking_denials/hal_camera_default.te | 47 --------------- whitechapel_pro/hal_camera_default.te | 79 ++++++++++++++++++++++++-- whitechapel_pro/property.te | 2 + whitechapel_pro/property_contexts | 3 + 4 files changed, 78 insertions(+), 53 deletions(-) diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index 5424bf1a..d6001c38 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te 
@@ -1,54 +1,7 @@ -# b/204718762 -dontaudit hal_camera_default edgetpu_vendor_service:service_manager { find }; -dontaudit hal_camera_default hal_power_service:service_manager { find }; # b/205072921 dontaudit hal_camera_default kernel:process { setsched }; -dontaudit hal_camera_default vendor_camera_prop:file { getattr }; -dontaudit hal_camera_default vendor_camera_prop:file { map }; -dontaudit hal_camera_default vendor_camera_prop:file { open }; -dontaudit hal_camera_default vendor_camera_prop:file { read }; -dontaudit hal_camera_default vendor_camera_prop:property_service { set }; -# b/205657133 -dontaudit hal_camera_default edgetpu_device:chr_file { ioctl }; -dontaudit hal_camera_default edgetpu_device:chr_file { map }; -dontaudit hal_camera_default edgetpu_device:chr_file { open }; -dontaudit hal_camera_default edgetpu_device:chr_file { read write }; -dontaudit hal_camera_default gpu_device:chr_file { getattr }; -dontaudit hal_camera_default gpu_device:chr_file { ioctl }; -dontaudit hal_camera_default gpu_device:chr_file { map }; -dontaudit hal_camera_default gpu_device:chr_file { open }; -dontaudit hal_camera_default gpu_device:chr_file { read write }; -dontaudit hal_camera_default lwis_device:chr_file { ioctl }; -dontaudit hal_camera_default lwis_device:chr_file { open }; -dontaudit hal_camera_default lwis_device:chr_file { read }; -dontaudit hal_camera_default lwis_device:chr_file { write }; -dontaudit hal_camera_default vndbinder_device:chr_file { ioctl }; -dontaudit hal_camera_default vndbinder_device:chr_file { map }; -dontaudit hal_camera_default vndbinder_device:chr_file { open }; -dontaudit hal_camera_default vndbinder_device:chr_file { read }; -dontaudit hal_camera_default vndbinder_device:chr_file { write }; # b/205780065 -dontaudit hal_camera_default apex_info_file:file { getattr }; -dontaudit hal_camera_default apex_info_file:file { open }; -dontaudit hal_camera_default apex_info_file:file { read }; -dontaudit hal_camera_default apex_info_file:file 
{ watch }; -dontaudit hal_camera_default mnt_vendor_file:dir { search }; -dontaudit hal_camera_default persist_file:dir { search }; dontaudit hal_camera_default system_data_file:dir { search }; -dontaudit hal_camera_default vendor_camera_data_file:dir { getattr }; -dontaudit hal_camera_default vendor_camera_data_file:dir { open }; -dontaudit hal_camera_default vendor_camera_data_file:dir { read }; -dontaudit hal_camera_default vendor_camera_data_file:dir { search }; -dontaudit hal_camera_default vendor_camera_data_file:file { open }; -dontaudit hal_camera_default vendor_camera_data_file:file { read }; # b/205904406 -dontaudit hal_camera_default hal_camera_default:capability { sys_nice }; -dontaudit hal_camera_default hal_power_default:binder { call }; -dontaudit hal_camera_default hal_radioext_default:binder { call }; dontaudit hal_camera_default init:unix_stream_socket { connectto }; dontaudit hal_camera_default property_socket:sock_file { write }; -dontaudit hal_camera_default system_server:binder { call }; -# b/207300298 -dontaudit hal_camera_default vendor_camera_data_file:file { getattr }; -# b/210067468 -dontaudit hal_camera_default persist_camera_file:dir { search }; diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index 74b8a027..048368a8 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te 
@@ -1,13 +1,80 @@ -hal_client_domain(hal_camera_default, hal_power); +type hal_camera_default_tmpfs, file_type; + +allow hal_camera_default self:global_capability_class_set sys_nice; + +binder_use(hal_camera_default); +vndbinder_use(hal_camera_default); + +allow hal_camera_default lwis_device:chr_file rw_file_perms; +allow hal_camera_default gpu_device:chr_file rw_file_perms; +allow hal_camera_default sysfs_chip_id:file r_file_perms; + +# Allow the camera hal to access the EdgeTPU service and the +# Android shared memory allocated by the EdgeTPU service for +# on-device compilation. +allow hal_camera_default edgetpu_device:chr_file rw_file_perms; +allow hal_camera_default sysfs_edgetpu:dir r_dir_perms; +allow hal_camera_default sysfs_edgetpu:file r_file_perms; +allow hal_camera_default edgetpu_vendor_service:service_manager find; binder_call(hal_camera_default, edgetpu_vendor_server) -binder_use(hal_camera_default) -allow hal_camera_default fwk_stats_service:service_manager find; +# Allow access to data files used by the camera HAL +allow hal_camera_default mnt_vendor_file:dir search; +allow hal_camera_default persist_file:dir search; +allow hal_camera_default persist_camera_file:dir rw_dir_perms; +allow hal_camera_default persist_camera_file:file create_file_perms; +allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms; +allow hal_camera_default vendor_camera_data_file:file create_file_perms; -# Allow camera HAL to query preferred camera frequencies from the radio HAL -# extensions to avoid interference with cellular antennas. 
-allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; +# Allow creating dump files for debugging in non-release builds +userdebug_or_eng(` + allow hal_camera_default vendor_camera_data_file:dir create_dir_perms; + allow hal_camera_default vendor_camera_data_file:file create_file_perms; +') + +# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files +# compiled into the shared libraries with cc_embed_data rules +tmpfs_domain(hal_camera_default); + +# Allow access to camera-related system properties +set_prop(hal_camera_default, vendor_camera_prop); +set_prop(hal_camera_default, log_tag_prop); +get_prop(hal_camera_default, vendor_camera_debug_prop); +userdebug_or_eng(` + set_prop(hal_camera_default, vendor_camera_fatp_prop); + set_prop(hal_camera_default, vendor_camera_debug_prop); +') # For camera hal to talk with rlsservice allow hal_camera_default rls_service:service_manager find; binder_call(hal_camera_default, rlsservice) + +hal_client_domain(hal_camera_default, hal_graphics_allocator); +hal_client_domain(hal_camera_default, hal_graphics_composer) +hal_client_domain(hal_camera_default, hal_power); +hal_client_domain(hal_camera_default, hal_thermal); + +# Allow access to sensor service for sensor_listener +binder_call(hal_camera_default, system_server); + +# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering +allow hal_camera_default eco_service:service_manager find; +binder_call(hal_camera_default, mediacodec); + +# Allow camera HAL to query preferred camera frequencies from the radio HAL +# extensions to avoid interference with cellular antennas. +allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; +binder_call(hal_camera_default, hal_radioext_default); + +# Allow camera HAL to connect to the stats service. 
+allow hal_camera_default fwk_stats_service:service_manager find; + +# For observing apex file changes +allow hal_camera_default apex_info_file:file r_file_perms; + +# Allow camera HAL to query current device clock frequencies. +allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; + +# allow camera HAL to read backlight of display +allow hal_camera_default sysfs_leds:dir r_dir_perms; +allow hal_camera_default sysfs_leds:file r_file_perms; diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index f3e0c86d..bdad98e9 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -12,6 +12,8 @@ vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_battery_profile_prop) vendor_internal_prop(vendor_battery_defender_prop) vendor_internal_prop(vendor_camera_prop) +vendor_internal_prop(vendor_camera_debug_prop) +vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_tcpdump_log_prop) vendor_internal_prop(vendor_device_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 3dd44ea5..d1362f28 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -71,7 +71,10 @@ vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 # Camera +persist.vendor.camera. u:object_r:vendor_camera_prop:s0 vendor.camera. u:object_r:vendor_camera_prop:s0 +vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 +vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for logger app persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 From 362074c629107a0156cf02c76191e84c11c8e177 Mon Sep 17 00:00:00 2001 
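Review bot: Inside the `userdebug_or_eng(` block, `allow hal_camera_default vendor_camera_data_file:file create_file_perms;` duplicates the unconditional rule on the same type a few lines above it, so the "non-release builds" comment is misleading for files: only `vendor_camera_data_file:dir create_dir_perms` is actually debug-only. Either drop the duplicate line, or, if dump files are meant to be writable only on debug builds, narrow the unconditional file rule to what release builds need. As a point of style, trailing semicolons after macro calls are inconsistent within the hunk (`binder_use(hal_camera_default);` and `hal_client_domain(hal_camera_default, hal_power);` versus `binder_call(hal_camera_default, edgetpu_vendor_server)` and `hal_client_domain(hal_camera_default, hal_graphics_composer)`); the no-semicolon form used elsewhere in the file would be the one to unify on.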
From: Marco Nelissen Date: Thu, 27 Jan 2022 13:29:05 -0800 Subject: [PATCH 324/900] Really allow logd to read the Trusty log The previous change was missing some permissions. Bug: 190050919 Test: run Change-Id: I09d50b663a926cb616279e4a741d34598ca80ab7 --- whitechapel_pro/logd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/logd.te b/whitechapel_pro/logd.te index 0317a672..cc55e204 100644 --- a/whitechapel_pro/logd.te +++ b/whitechapel_pro/logd.te @@ -1 +1,2 @@ r_dir_file(logd, logbuffer_device) +allow logd logbuffer_device:chr_file r_file_perms; From 92d0030e6a9120820c1afb7d2065be7347d792b9 Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Tue, 25 Jan 2022 16:21:32 +0800 Subject: [PATCH 325/900] hardwareinfo: add sepolicy for SoC Bug: 208721710 Test: search avc in logcat Change-Id: I3828d39981666db98e6a34aa70ae39b7f126e495 Signed-off-by: Denny cy Lee --- tracking_denials/hardware_info_app.te | 4 ---- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/hardware_info_app.te | 4 ++++ 4 files changed, 8 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/hardware_info_app.te diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te deleted file mode 100644 index a79e1d94..00000000 --- a/tracking_denials/hardware_info_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/208721710 -dontaudit hardware_info_app sysfs:file { getattr }; -dontaudit hardware_info_app sysfs:file { open }; -dontaudit hardware_info_app sysfs:file { read }; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 2aa1cf06..3b498495 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -43,6 +43,7 @@ type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; type sysfs_cpu, sysfs_type, fs_type; type sysfs_odpm, sysfs_type, fs_type; +type sysfs_soc, sysfs_type, fs_type; # debugfs type debugfs_f2fs, debugfs_type, fs_type; 
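Review bot: With `allow logd logbuffer_device:chr_file r_file_perms;` now in place, the earlier `r_dir_file(logd, logbuffer_device)` line above it looks dead: logbuffer_device is declared as a dev_type (visible in the device.te hunk later in this series) and labels a character device node, on which dir and file permissions never apply. Unless something is also labeled logbuffer_device as a plain file or directory, the first line should be removed rather than kept as a second rule for the same goal, and a comment such as `# Trusty log buffer device (b/190050919)` on the remaining rule would say what is being read.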
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index c88c56dd..71edacdb 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -24,6 +24,9 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo genfscon sysfs /devices/platform/28000000.mali/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/28000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0 +genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0 + # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te index 1da5b988..41a08577 100644 --- a/whitechapel_pro/hardware_info_app.te +++ b/whitechapel_pro/hardware_info_app.te @@ -17,3 +17,7 @@ allow hardware_info_app sysfs_batteryinfo:file r_file_perms; # Display allow hardware_info_app sysfs_display:dir search; allow hardware_info_app sysfs_display:file r_file_perms; + +# SoC +allow hardware_info_app sysfs_soc:file r_file_perms; +allow hardware_info_app sysfs_chip_id:file r_file_perms; From b1177899bd2e5e3c13c2daa1cd3ae7f9acd2d85a Mon Sep 17 00:00:00 2001 From: chungkai Date: Tue, 8 Feb 2022 08:43:31 +0000 Subject: [PATCH 326/900] Fix avc denials for powerhal Test: boot to home screen Bug: 214121738 Signed-off-by: chungkai Change-Id: Ic5e14f7c8d321278c2c39797126db930a0dc93f3 --- tracking_denials/hal_power_default.te | 7 ------- whitechapel_pro/hal_power_default.te | 2 ++ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te index 1a5f28e8..a426fa0d 100644 --- a/tracking_denials/hal_power_default.te +++ b/tracking_denials/hal_power_default.te 
@@ -1,9 +1,2 @@
 # b/208909174
 dontaudit hal_power_default hal_power_default:capability { dac_read_search };
-
-# b/214121738
-dontaudit hal_power_default sysfs:file { open };
-dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs_fabric:file { open };
-dontaudit hal_power_default sysfs_fabric:file { write };
-dontaudit hal_power_default vendor_camera_prop:property_service { set };
diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te
index e8f427d5..8bbaa70d 100644
--- a/whitechapel_pro/hal_power_default.te
+++ b/whitechapel_pro/hal_power_default.te
@@ -4,3 +4,5 @@ allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
 allow hal_power_default sysfs_display:file rw_file_perms;
 allow hal_power_default sysfs_vendor_sched:file r_file_perms;
 allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop)
\ No newline at end of file
From 08db42d941f7b01938d57a5d12763ee8afc4364f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 9 Feb 2022 10:01:24 +0800 Subject: [PATCH 327/900] update error on ROM 8162414 Bug: 218585004 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I9ac82ab564eb4399a88516427f1cdc735a257da2
---
 tracking_denials/hal_camera_default.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index d6001c38..5f2df0ef 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -5,3 +5,6 @@ dontaudit hal_camera_default system_data_file:dir { search };
 # b/205904406
 dontaudit hal_camera_default init:unix_stream_socket { connectto };
 dontaudit hal_camera_default property_socket:sock_file { write };
+# b/218585004
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
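Review bot: The new last line of whitechapel_pro/hal_power_default.te, `set_prop(hal_power_default, vendor_camera_prop)`, has no trailing newline (git marks it with "\ No newline at end of file"), which turns the next append to this file into a noisy two-line diff; add the newline. More substantively, set_prop on vendor_camera_prop gives the power HAL write access to the whole `vendor.camera.` and `persist.vendor.camera.` namespace mapped to that type earlier in this series, with no comment saying which property it actually sets. A line such as `# b/214121738: power HAL sets <camera property> during camera sessions` would let a future reader decide whether a dedicated property type is warranted.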
From 239885a3068c27587ab6a83faf85606de8c4c702 Mon Sep 17 00:00:00 2001 From: Ankit Goyal Date: Mon, 7 Feb 2022 14:05:45 -0800 Subject: [PATCH 328/900] Rename vulkan library to be platform agnostic Bug: 174232579 Test: Boots to home Change-Id: Ib8618f4f8e1fc47753039f1143269211df0c42be --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 1d2dd7b3..4c7ec667 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -59,7 +59,7 @@ # Graphics /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/hw/vulkan\.gs201\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0 # Vendor kernel modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 From bfda745e2654fb37fa1ee5579b24e7c6769f5622 Mon Sep 17 00:00:00 2001 From: davidycchen Date: Tue, 16 Nov 2021 11:07:23 +0800 Subject: [PATCH 329/900] Remove touch_offload_device declaration touch_offload_device is already declare in hardware/google/pixel-sepolicy/input. device/google/gs201-sepolicy/whitechapel_pro/device.te:14:ERROR 'Duplicate declaration of type' at token ';' on line 76173: type rls_device, dev_type; type touch_offload_device, dev_type; Bug: 199104528 Test: build pass Signed-off-by: davidycchen Change-Id: I3cedb25473d8327eb42d3b65cf714cf5dc22712f --- whitechapel_pro/device.te | 1 - whitechapel_pro/file_contexts | 1 - 2 files changed, 2 deletions(-) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index d84d4c31..a5fc57c6 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te 
@@ -11,7 +11,6 @@ type vendor_toe_device, dev_type; type lwis_device, dev_type; type logbuffer_device, dev_type; type rls_device, dev_type; -type touch_offload_device, dev_type; type fingerprint_device, dev_type; type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4c7ec667..4f0451e4 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -78,7 +78,6 @@ /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 /dev/bigocean u:object_r:video_device:s0 /dev/goodix_fp u:object_r:fingerprint_device:s0 -/dev/touch_offload u:object_r:touch_offload_device:s0 /dev/stmvl53l1_ranging u:object_r:rls_device:s0 /dev/watchdog0 u:object_r:watchdog_device:s0 /dev/mali0 u:object_r:gpu_device:s0 From 7b7394be79ced3e5be86d43d6286b0062915ad54 Mon Sep 17 00:00:00 2001 From: davidycchen Date: Tue, 18 Jan 2022 15:47:26 +0800 Subject: [PATCH 330/900] Remove touch_service Remove touch_service here because we already define in hardware/google/pixel-sepolicy/input and add by ag/16251913. Bug: 199104528 Test: No any related error. Signed-off-by: davidycchen Change-Id: I3e5f705f6d3cde18d9495cb110e16c4152fe3d4f --- whitechapel_pro/platform_app.te | 1 - whitechapel_pro/service.te | 1 - whitechapel_pro/service_contexts | 1 - 3 files changed, 3 deletions(-) diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te index f6c8d8ed..0cf0ae46 100644 --- a/whitechapel_pro/platform_app.te +++ b/whitechapel_pro/platform_app.te @@ -1,6 +1,5 @@ allow platform_app hal_pixel_display_service:service_manager find; allow platform_app hal_wlc_hwservice:hwservice_manager find; -allow platform_app touch_service:service_manager find; allow platform_app sysfs_vendor_sched:dir r_dir_perms; allow platform_app sysfs_vendor_sched:file w_file_perms; 
diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te index 53ef7f29..a4ba9973 100644 --- a/whitechapel_pro/service.te +++ b/whitechapel_pro/service.te @@ -1,4 +1,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service; -type touch_service, service_manager_type, vendor_service; type hal_uwb_vendor_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index 8f3c1900..98d9fad8 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts @@ -1,4 +1,3 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 -com.google.input.ITouchContextService/default u:object_r:touch_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 From cd4f508c92e8ef8e99f707093b754747a98d1a4f Mon Sep 17 00:00:00 2001 From: Alex Hong Date: Fri, 21 Jan 2022 17:35:54 +0800 Subject: [PATCH 331/900] Grant hal_dumpstate_default access Bug: 208721677 Bug: 208909124 Test: pts-tradefed run pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanBugreport Change-Id: Ie5463e96958a95431630941c19b7888a3eea2e3e --- tracking_denials/hal_dumpstate_default.te | 11 ----------- whitechapel_pro/hal_dumpstate_default.te | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 11 deletions(-) delete mode 100644 tracking_denials/hal_dumpstate_default.te diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te deleted file mode 100644 index 72668cfe..00000000 --- a/tracking_denials/hal_dumpstate_default.te +++ /dev/null 
@@ -1,11 +0,0 @@
-# b/208721677
-# b/208909124
-dontaudit hal_dumpstate_default boottime_public_prop:file { open };
-dontaudit hal_dumpstate_default boottime_public_prop:file { read };
-dontaudit hal_dumpstate_default property_type:file *;
-dontaudit hal_dumpstate_default shell_data_file:file { getattr };
-dontaudit hal_dumpstate_default vendor_dumpsys:file { execute_no_trans };
-dontaudit hal_dumpstate_default vendor_log_file:dir search;
-dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans };
-dontaudit hal_dumpstate_default vendor_toolbox_exec:file { execute_no_trans };
-
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index bce77139..cad7c3a1 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -68,6 +68,21 @@ allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
 binder_call(hal_dumpstate_default, hal_graphics_composer_default);
 vndbinder_use(hal_dumpstate_default)
+allow hal_dumpstate_default shell_data_file:file getattr;
+
+allow hal_dumpstate_default vendor_log_file:dir search;
+allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
+
+allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
+allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
+
+get_prop(hal_dumpstate_default, boottime_public_prop)
+get_prop(hal_dumpstate_default, vendor_camera_prop)
+get_prop(hal_dumpstate_default, vendor_gps_prop)
+set_prop(hal_dumpstate_default, vendor_modem_prop)
+get_prop(hal_dumpstate_default, vendor_rild_prop)
+get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)
+
 userdebug_or_eng(`
 allow hal_dumpstate_default mnt_vendor_file:dir search;
 allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
From 9cc70410c553e46f17260bd81e45ae3d6f5ab12c Mon Sep 17 00:00:00 2001
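Review bot: `set_prop(hal_dumpstate_default, vendor_modem_prop)` gives the bugreport HAL write access to modem properties, which is broader than the denials this change resolves — the deleted tracking_denials file only recorded reads (`boottime_public_prop` open/read and `property_type:file *`), never a property_service set. If dumpstate only reads modem state for the report, `get_prop(hal_dumpstate_default, vendor_modem_prop)` is the narrower rule; if a write is genuinely needed, a comment naming the property it sets would justify keeping set_prop. The `execute_no_trans` grants on vendor_shell_exec/vendor_toolbox_exec also carry no comment, unlike the surrounding blocks; e.g. `# dumpstate runs vendor shell/toolbox commands in its own domain to collect logs`.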
From: Alex Hong Date: Thu, 10 Feb 2022 01:56:02 +0800 Subject: [PATCH 332/900] Add required sepolicy rules for Camera function Bug: 218499972 Test: Switch to Enforcing mode Take a picture, camera recording Change-Id: I57f3e8454ece6906624f028b7a3771ffddcaa963
--- tracking_denials/google_camera_app.te | 2 -- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 5 +++++ whitechapel_pro/google_camera_app.te | 5 +++++ whitechapel_pro/hal_camera_default.te | 1 + whitechapel_pro/hal_graphics_allocator_default.te | 1 + whitechapel_pro/hal_graphics_composer_default.te | 2 ++ whitechapel_pro/hal_power_default.te | 3 ++- whitechapel_pro/mediacodec_samsung.te | 2 ++ whitechapel_pro/system_server.te | 1 + 10 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 whitechapel_pro/hal_graphics_allocator_default.te create mode 100644 whitechapel_pro/system_server.te
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index a4661e61..72796c22 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -1,10 +1,8 @@
 # b/209889068
-dontaudit google_camera_app cameraserver_service:service_manager { find };
 dontaudit google_camera_app edgetpu_app_service:service_manager { find };
 dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
 dontaudit google_camera_app edgetpu_device:chr_file { map };
 dontaudit google_camera_app edgetpu_device:chr_file { read write };
-dontaudit google_camera_app mediaserver_service:service_manager { find };
 dontaudit google_camera_app vendor_default_prop:file { getattr };
 dontaudit google_camera_app vendor_default_prop:file { map };
 dontaudit google_camera_app vendor_default_prop:file { open };
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 3b498495..971e4657 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -44,6 +44,7 @@ type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_cpu, sysfs_type, fs_type;
 type sysfs_odpm, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
+type sysfs_camera, sysfs_type, fs_type;
 # debugfs
 type debugfs_f2fs, debugfs_type, fs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 71edacdb..6c5f59e5 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -48,6 +48,7 @@ genfscon sysfs /devices/platform/28000000.mali/hint_min_freq u
 # Fabric
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0
 # sscoredump (per device)
 genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
@@ -203,3 +204,7 @@ genfscon sysfs /devices/platform/100a0000.BIG u:obje
 genfscon sysfs /devices/platform/100a0000.ISP u:object_r:sysfs_thermal:s0
 genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0
 genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0
+
+# Camera
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index df2e4699..43ea14e3 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -2,3 +2,8 @@ type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
 allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 048368a8..3c90bf32 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -60,6 +60,7 @@ binder_call(hal_camera_default, system_server);
 # Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
 allow hal_camera_default eco_service:service_manager find;
 binder_call(hal_camera_default, mediacodec);
+binder_call(hal_camera_default, mediacodec_samsung);
 # Allow camera HAL to query preferred camera frequencies from the radio HAL
 # extensions to avoid interference with cellular antennas.
diff --git a/whitechapel_pro/hal_graphics_allocator_default.te b/whitechapel_pro/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..05f9508d
--- /dev/null
+++ b/whitechapel_pro/hal_graphics_allocator_default.te
@@ -0,0 +1 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te
index 84faa9dc..44c01530 100644
--- a/whitechapel_pro/hal_graphics_composer_default.te
+++ b/whitechapel_pro/hal_graphics_composer_default.te
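Review bot: Only two of the five new `service_manager find` grants for google_camera_app (cameraserver_service, mediaserver_service) correspond to the dontaudit lines dropped from tracking_denials in the previous hunk; audioserver_service, mediaextractor_service and mediametrics_service are not backed by any denial shown on this page. If they were observed during the recording test named in the commit message, a comment grouping them (`# media services used during video recording`) would record that; otherwise they are speculative grants on an app domain and should wait for a denial.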
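Review bot: The new hal_graphics_allocator_default.te gives the gralloc HAL read access to `sensor_direct_heap_device` with no comment connecting it to the camera use case in the commit subject, so a later reader cannot tell whether the rule is still needed. A one-line rationale is enough, e.g. `# gralloc allocates camera buffers from the sensor direct heap` — hedged, since the page does not show which allocation triggers the access. The same applies to `binder_call(hal_camera_default, mediacodec_samsung);` in the hal_camera_default hunk, whose neighbours all carry a why-comment.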
@@ -1,6 +1,8 @@
 # allow HWC to access power hal
 hal_client_domain(hal_graphics_composer_default, hal_power)
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+
 # allow HWC to access vendor_displaycolor_service
 add_service(hal_graphics_composer_default, vendor_displaycolor_service)
diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te
index 8bbaa70d..eaaf8009 100644
--- a/whitechapel_pro/hal_power_default.te
+++ b/whitechapel_pro/hal_power_default.te
@@ -5,4 +5,5 @@ allow hal_power_default sysfs_display:file rw_file_perms;
 allow hal_power_default sysfs_vendor_sched:file r_file_perms;
 allow hal_power_default sysfs_gpu:file rw_file_perms;
 allow hal_power_default sysfs_fabric:file rw_file_perms;
-set_prop(hal_power_default, vendor_camera_prop)
\ No newline at end of file
+allow hal_power_default sysfs_camera:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop)
diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te
index b1e09f50..6ac0ca35 100644
--- a/whitechapel_pro/mediacodec_samsung.te
+++ b/whitechapel_pro/mediacodec_samsung.te
@@ -17,6 +17,8 @@ allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
 # can use graphics allocator
 hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
+binder_call(mediacodec_samsung, hal_camera_default)
+
 crash_dump_fallback(mediacodec_samsung)
 # mediacodec_samsung should never execute any executable without a domain transition
diff --git a/whitechapel_pro/system_server.te b/whitechapel_pro/system_server.te
new file mode 100644
index 00000000..0e0a159b
--- /dev/null
+++ b/whitechapel_pro/system_server.te
@@ -0,0 +1 @@
+binder_call(system_server, hal_camera_default);
From e01b568cfeed14bc35c646f9a9722ff0af21bf96 Mon Sep 17 00:00:00 2001
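Review bot: The new system_server.te consists of a single uncommented `binder_call(system_server, hal_camera_default);`, which adds a vendor-policy grant on a core domain; hal_camera_default.te already has `binder_call(hal_camera_default, system_server);` as context in the previous hunk, so this opens the reverse direction (system_server calling into the camera HAL) without saying which component needs it. A comment such as `# system_server calls back into the camera HAL (component not shown here — confirm)` or a pointer to the bug would make it reviewable. Style-wise, the trailing `;` after the macro is inconsistent with `binder_call(mediacodec_samsung, hal_camera_default)` in the same commit; the tree already mixes both forms, but new files could settle on one.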
From: Adam Shih Date: Fri, 11 Feb 2022 10:12:57 +0800 Subject: [PATCH 333/900] update error on ROM 8172195 Bug: 218934377 Bug: 218930975 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I125453803e0c827c45ad9551616366b96cc89816
--- tracking_denials/hal_power_default.te | 3 +++ tracking_denials/hal_sensors_default.te | 3 +++ 2 files changed, 6 insertions(+)
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index a426fa0d..bf54dbf8 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -1,2 +1,5 @@
 # b/208909174
 dontaudit hal_power_default hal_power_default:capability { dac_read_search };
+# b/218934377
+dontaudit hal_power_default sysfs:file { open };
+dontaudit hal_power_default sysfs:file { write };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
index a12a0ad9..0b279ba0 100644
--- a/tracking_denials/hal_sensors_default.te
+++ b/tracking_denials/hal_sensors_default.te
@@ -7,3 +7,6 @@ dontaudit hal_sensors_default sensor_reg_data_file:file { read };
 dontaudit hal_sensors_default sysfs_leds:dir { search };
 dontaudit hal_sensors_default sysfs_leds:file { open };
 dontaudit hal_sensors_default sysfs_leds:file { read };
+# b/218930975
+dontaudit hal_sensors_default hal_graphics_composer_default:binder { call };
+dontaudit hal_sensors_default hal_pixel_display_service:service_manager { find };
From 436106d52f01a626a5175199409f338293d5ba03 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 11 Feb 2022 12:12:37 +0800 Subject: [PATCH 334/900] Let citadel talk to system_server Bug: 205904322 Test: no request loop caused by citadeld Change-Id: Ia258ed2555d82eb2ea2b139a266c8f76d3b29d06
--- dauntless/citadeld.te | 1 + tracking_denials/citadeld.te | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/citadeld.te
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
index c2dbf74d..86cb61c7 100644
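Review bot: `dontaudit hal_power_default sysfs:file { open };` and `{ write }` silence denials against the generic `sysfs` label rather than a specific node, so they hide exactly the labeling gap that produced the denial; patch 345/900 further down this page fixes the real cause by giving `interactive/target_load` a genfscon entry, and patch 344/900 has to remove these two lines again. For a power HAL that writes sysfs nodes, a dontaudit on the catch-all type is a poor placeholder because it would also mask future writes to unlabeled nodes; label the node instead, or keep the tracking entry as narrow as the logged path allows. The same concern applies to the three `hal_power_stats_default sysfs:file` dontaudits added in patch 336/900.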
--- a/dauntless/citadeld.te
+++ b/dauntless/citadeld.te
@@ -6,6 +6,7 @@ init_daemon_domain(citadeld)
 add_service(citadeld, citadeld_service)
 binder_use(citadeld)
 vndbinder_use(citadeld)
+binder_call(citadeld, system_server)
 allow citadeld citadel_device:chr_file rw_file_perms;
 allow citadeld fwk_stats_service:service_manager find;
diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te
deleted file mode 100644
index d357ce9a..00000000
--- a/tracking_denials/citadeld.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205904322
-dontaudit citadeld system_server:binder { call };
From 549512a38e6eeef736f13b1c30477592bd171faa Mon Sep 17 00:00:00 2001 From: Mars Lin Date: Thu, 10 Feb 2022 20:00:25 +0800 Subject: [PATCH 335/900] Add sepolicy for CatEngine Bug: 187989782 Test: Run CAT adb check log Change-Id: Ib715ac2fb8efc8ad79fe190942dcfae716291d2b
--- whitechapel_pro/cat_engine_service_app.te | 7 +++++++ whitechapel_pro/seapp_contexts | 2 ++ 2 files changed, 9 insertions(+) create mode 100644 whitechapel_pro/cat_engine_service_app.te
diff --git a/whitechapel_pro/cat_engine_service_app.te b/whitechapel_pro/cat_engine_service_app.te
new file mode 100644
index 00000000..e300b90a
--- /dev/null
+++ b/whitechapel_pro/cat_engine_service_app.te
@@ -0,0 +1,7 @@
+type cat_engine_service_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cat_engine_service_app)
+ get_prop(cat_engine_service_app, vendor_rild_prop)
+ allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+')
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 4abc2c39..81577b60 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
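Review bot: `type cat_engine_service_app, domain;` is declared on every build but `app_domain(cat_engine_service_app)` only inside `userdebug_or_eng`, while the seapp_contexts entry in the next hunk maps com.google.android.CatEngine (a `user=system` app) to this domain unconditionally; on a user build the app would therefore start in a domain with none of the app permissions. The page does not show whether the app ships on user builds, so this may be intentional; if so, a comment such as `# CatEngine is a debug-only tool; on user builds the domain is intentionally empty` would document it, and if not, `app_domain` should move outside the conditional with only the extra grants gated.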
@@ -53,3 +53,5 @@ user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detecto
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+# Domain for CatEngineService
+user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
From 015d77ab54195071f86f3aba163ecb57655e4af5 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 14 Feb 2022 08:54:30 +0800 Subject: [PATCH 336/900] update error on ROM 8179635 Bug: 219369324 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Iee33b4d8cefca3b91caa0fce1ed1d4a0686a05a2
--- tracking_denials/hal_power_stats_default.te | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 tracking_denials/hal_power_stats_default.te
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
new file mode 100644
index 00000000..a6279d5e
--- /dev/null
+++ b/tracking_denials/hal_power_stats_default.te
@@ -0,0 +1,4 @@
+# b/219369324
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default sysfs:file { open };
+dontaudit hal_power_stats_default sysfs:file { read };
From 76b772519a655bf7c46150f884cf75428fe37200 Mon Sep 17 00:00:00 2001
From: Rick Yiu Date: Fri, 11 Feb 2022 19:19:41 +0800 Subject: [PATCH 337/900] Allow dumping vendor groups values Fix: I dumpstate@1.1-s: type=1400 audit(0.0:37): avc: denied { search } for name="vendor_sched" dev="proc" ino=4026532870 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:proc_vendor_sched:s0 tclass=dir permissive=1 I dumpstate@1.1-s: type=1400 audit(0.0:38): avc: denied { read } for name="dump_task" dev="proc" ino=4026532871 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:proc_vendor_sched:s0 tclass=file permissive=1 I dumpstate@1.1-s: type=1400 audit(0.0:39): avc: denied { open } for path="/proc/vendor_sched/dump_task" dev="proc" ino=4026532871 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:proc_vendor_sched:s0 tclass=file permissive=1 Bug: 216844247 Test: build pass Change-Id: Icfecf373aa7b49d504d9ed4e15dcbfe2a53d47d3
--- whitechapel_pro/hal_dumpstate_default.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index cad7c3a1..442feb25 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -76,6 +76,9 @@ allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
 allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
 allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
+allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms;
+allow hal_dumpstate_default proc_vendor_sched:file r_file_perms;
+
 get_prop(hal_dumpstate_default, boottime_public_prop)
 get_prop(hal_dumpstate_default, vendor_camera_prop)
 get_prop(hal_dumpstate_default, vendor_gps_prop)
From 58b6e68d51771d0a3b9ae0743a29d9303b3e0094 Mon Sep 17 00:00:00 2001
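Review bot: The two new `proc_vendor_sched` rules have no comment, while the denials in the commit message tie them to a specific node (`/proc/vendor_sched/dump_task`); a one-liner above them, `# Dump vendor sched group values (/proc/vendor_sched/dump_task) into the bugreport`, would keep that context in the policy file where the next reviewer sees it. `r_dir_perms`/`r_file_perms` are the conventional read sets for this and cover the logged search/read/open, so the scope looks right.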
From: Alex Hong Date: Mon, 14 Feb 2022 19:26:36 +0800 Subject: [PATCH 338/900] Add required sepolicy rules for Sensor function Bug: 210067282 Bug: 214473093 Bug: 218930975 Bug: 218499995 Test: run pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#checkSensors Change-Id: I21bbbe35b8c487e9de46b03c508a483134c0b1b8
--- tracking_denials/hal_sensors_default.te | 6 ------ whitechapel_pro/hal_sensors_default.te | 8 ++++++++ 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
index 0b279ba0..8bff1569 100644
--- a/tracking_denials/hal_sensors_default.te
+++ b/tracking_denials/hal_sensors_default.te
@@ -1,12 +1,6 @@
-# b/210067282
-dontaudit hal_sensors_default persist_camera_file:dir { search };
 # b/214473093
 dontaudit hal_sensors_default sensor_reg_data_file:file { getattr };
 dontaudit hal_sensors_default sensor_reg_data_file:file { open };
 dontaudit hal_sensors_default sensor_reg_data_file:file { read };
-dontaudit hal_sensors_default sysfs_leds:dir { search };
-dontaudit hal_sensors_default sysfs_leds:file { open };
-dontaudit hal_sensors_default sysfs_leds:file { read };
 # b/218930975
 dontaudit hal_sensors_default hal_graphics_composer_default:binder { call };
-dontaudit hal_sensors_default hal_pixel_display_service:service_manager { find };
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
index c412b3db..7ad1d715 100644
--- a/whitechapel_pro/hal_sensors_default.te
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -21,6 +21,7 @@ allow hal_sensors_default persist_file:dir search;
 allow hal_sensors_default persist_file:file r_file_perms;
 allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
 allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
+r_dir_file(hal_sensors_default, persist_camera_file)
 # Allow creation and writing of sensor registry data files.
 allow hal_sensors_default sensor_reg_data_file:dir r_dir_perms;
@@ -39,3 +40,10 @@ allow hal_sensors_default sysfs_chosen:file r_file_perms;
 # Allow access to sensor service for sensor_listener.
 binder_call(hal_sensors_default, system_server);
+
+# Allow sensor HAL to access the display service HAL
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file r_file_perms;
From 027e04ab2ba57d17e87dacd7f299028f4dfa475b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 15 Feb 2022 12:01:48 +0800 Subject: [PATCH 339/900] update error on ROM 8184037 Bug: 219632839 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ie3a2325f2e80aea94d7ca79257f5bf3db8578259
--- tracking_denials/cat_engine_service_app.te | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 tracking_denials/cat_engine_service_app.te
diff --git a/tracking_denials/cat_engine_service_app.te b/tracking_denials/cat_engine_service_app.te
new file mode 100644
index 00000000..295d91a3
--- /dev/null
+++ b/tracking_denials/cat_engine_service_app.te
@@ -0,0 +1,5 @@
+# b/219632839
+dontaudit cat_engine_service_app activity_service:service_manager { find };
+dontaudit cat_engine_service_app content_capture_service:service_manager { find };
+dontaudit cat_engine_service_app game_service:service_manager { find };
+dontaudit cat_engine_service_app netstats_service:service_manager { find };
From 501767b17418c3b30887b3705111ea17533f945e Mon Sep 17 00:00:00 2001
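Review bot: `allow hal_sensors_default hal_pixel_display_service:service_manager find;` is granted while `dontaudit hal_sensors_default hal_graphics_composer_default:binder { call };` is deliberately kept in tracking_denials (previous hunk), so the sensor HAL can now look the service up but any binder call to the composer that serves it is still silently denied — either `binder_call(hal_sensors_default, hal_graphics_composer_default)` is the missing half, or the find alone is useless; which domain registers hal_pixel_display_service is not shown on this page, so this is inferred from the paired bug id. In the first hunk, `r_dir_file(hal_sensors_default, persist_camera_file)` is the only rule in its block without a why-comment; e.g. `# Allow the sensor HAL to read calibration data kept under persist camera files` — hedged, the page does not say what is read.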
From: Adam Shih Date: Tue, 15 Feb 2022 13:25:40 +0800 Subject: [PATCH 340/900] remove bt obsolete sepolicy Bug: 207062775 Bug: 208721525 Test: do bt connection under enforcing mode Change-Id: I787bfcffdb8cfcff7276d8d183c04d985296ff1c
--- tracking_denials/hal_bluetooth_btlinux.te | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 tracking_denials/hal_bluetooth_btlinux.te
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te
deleted file mode 100644
index 7848e458..00000000
--- a/tracking_denials/hal_bluetooth_btlinux.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# b/207062775
-dontaudit hal_bluetooth_btlinux device:chr_file { ioctl };
-dontaudit hal_bluetooth_btlinux device:chr_file { open };
-dontaudit hal_bluetooth_btlinux device:chr_file { read write };
-# b/208721525
-dontaudit hal_bluetooth_btlinux device:chr_file { getattr };
From a320d9b57505701567bc09b2495529dffc97859e Mon Sep 17 00:00:00 2001
From: Mars Lin Date: Tue, 15 Feb 2022 15:14:18 +0800 Subject: [PATCH 341/900] Add required sepolicy rules for CatEngine Fix: 02-15 11:55:44.005 431 431 E SELinux : avc: denied { find } for pid=3009 uid=1000 name=activity scontext=u:r:cat_engine_service_app:s0:c232,c259,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 02-15 11:55:44.082 431 431 E SELinux : avc: denied { find } for pid=3009 uid=1000 name=game scontext=u:r:cat_engine_service_app:s0:c232,c259,c512,c768 tcontext=u:object_r:game_service:s0 tclass=service_manager permissive=1 02-15 11:55:44.087 431 431 E SELinux : avc: denied { find } for pid=3009 uid=1000 name=netstats scontext=u:r:cat_engine_service_app:s0:c232,c259,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1 02-15 11:55:44.092 431 431 E SELinux : avc: denied { find } for pid=3009 uid=1000 name=content_capture scontext=u:r:cat_engine_service_app:s0:c232,c259,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1 Bug: 219632839 Test: pts-tradefed run pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I1db9b29e3a3c7dae782bced3427e7c24c5dee945
--- tracking_denials/cat_engine_service_app.te | 5 ----- whitechapel_pro/cat_engine_service_app.te | 1 + 2 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 tracking_denials/cat_engine_service_app.te
diff --git a/tracking_denials/cat_engine_service_app.te b/tracking_denials/cat_engine_service_app.te
deleted file mode 100644
index 295d91a3..00000000
--- a/tracking_denials/cat_engine_service_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/219632839
-dontaudit cat_engine_service_app activity_service:service_manager { find };
-dontaudit cat_engine_service_app content_capture_service:service_manager { find };
-dontaudit cat_engine_service_app game_service:service_manager { find };
-dontaudit cat_engine_service_app netstats_service:service_manager { find };
diff --git a/whitechapel_pro/cat_engine_service_app.te b/whitechapel_pro/cat_engine_service_app.te
index e300b90a..eacf9621 100644
--- a/whitechapel_pro/cat_engine_service_app.te
+++ b/whitechapel_pro/cat_engine_service_app.te
@@ -3,5 +3,6 @@ type cat_engine_service_app, domain;
 userdebug_or_eng(`
 app_domain(cat_engine_service_app)
 get_prop(cat_engine_service_app, vendor_rild_prop)
+ allow cat_engine_service_app app_api_service:service_manager find;
 allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
 ')
From 1420e3d5d742834b3d5e43e302cbd7c92c90cb3a Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Tue, 15 Feb 2022 17:08:52 +0800 Subject: [PATCH 342/900] rfsd: fix avc errors [ 8.024353] type=1400 audit(1636594727.560:42): avc: denied { chown } for comm="rfsd" capability=0 scontext=u:r:rfsd:s0 tcontext=u:r:rfsd:s0 tclass=capability permissive=1 [ 8.027666] type=1400 audit(1636594727.564:43): avc: denied { setuid } for comm="rfsd" capability=7 scontext=u:r:rfsd:s0 tcontext=u:r:rfsd:s0 tclass=capability permissive=1 Bug: 205904361 Change-Id: I6e30a9622b930273fbc524e6bc84f2112f79f11c
--- tracking_denials/rfsd.te | 3 --- whitechapel_pro/rfsd.te | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) delete mode 100644 tracking_denials/rfsd.te
diff --git a/tracking_denials/rfsd.te b/tracking_denials/rfsd.te
deleted file mode 100644
index bf921ff4..00000000
--- a/tracking_denials/rfsd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/205904361
-dontaudit rfsd rfsd:capability { chown };
-dontaudit rfsd rfsd:capability { setuid };
diff --git a/whitechapel_pro/rfsd.te b/whitechapel_pro/rfsd.te
index 898e7fca..2d1f0928 100644
--- a/whitechapel_pro/rfsd.te
+++ b/whitechapel_pro/rfsd.te
@@ -2,6 +2,9 @@ type rfsd, domain;
 type rfsd_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(rfsd)
+# Allow to setuid from root to radio and chown of modem efs files
+allow rfsd self:capability { chown setuid };
+
 # Allow to search block device and mnt dir for modem EFS partitions
 allow rfsd mnt_vendor_file:dir search;
 allow rfsd block_device:dir search;
From c5f0e9723f0703092c24e2d115db5e8ea3cbdb2b Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Tue, 15 Feb 2022 17:03:06 +0800 Subject: [PATCH 343/900] cbd: fix avc errors avc: denied { search } for comm="cbd" name="/" dev="sda1" ino=3 scontext=u:r:cbd:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 avc: denied { setuid } for comm="cbd" capability=7 scontext=u:r:cbd:s0 tcontext=u:r:cbd:s0 tclass=capability permissive=1 Bug: 205779872 Bug: 205904432 Change-Id: I09f1ac5473b728d5e6f38b01dc83f4b9c4c8fbcc
--- tracking_denials/cbd.te | 4 ---- whitechapel_pro/cbd.te | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/cbd.te
diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te
deleted file mode 100644
index 6527506e..00000000
--- a/tracking_denials/cbd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/205779872
-dontaudit cbd persist_file:dir { search };
-# b/205904432
-dontaudit cbd cbd:capability { setuid };
diff --git a/whitechapel_pro/cbd.te b/whitechapel_pro/cbd.te
index 835a0e1c..c4cfe7a6 100644
--- a/whitechapel_pro/cbd.te
+++ b/whitechapel_pro/cbd.te
@@ -6,6 +6,9 @@ set_prop(cbd, vendor_modem_prop)
 set_prop(cbd, vendor_cbd_prop)
 set_prop(cbd, vendor_rild_prop)
+# Allow cbd to set gid/uid from too to radio
+allow cbd self:capability { setgid setuid };
+
 allow cbd mnt_vendor_file:dir r_dir_perms;
 allow cbd kmsg_device:chr_file rw_file_perms;
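Review bot: `allow rfsd self:capability { chown setuid };` keeps CAP_SETUID and CAP_CHOWN available for the daemon's whole lifetime, which is more than the comment "setuid from root to radio" needs; if rfsd only drops privileges once at start, launching it as the radio user from its init entry (and pre-owning the EFS files it chowns) would avoid the capabilities entirely — hedged, since the page does not show rfsd's init.rc entry or whether it must run setup steps as root first. The cbd hunk below has the same shape and two extra points: `{ setgid setuid }` grants setgid although the quoted denial only shows setuid, and the comment `# Allow cbd to set gid/uid from too to radio` has a typo — `too` should read `root`.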
@@ -27,6 +30,7 @@ allow cbd proc_cmdline:file r_file_perms;
 allow cbd persist_modem_file:dir create_dir_perms;
 allow cbd persist_modem_file:file create_file_perms;
+allow cbd persist_file:dir search;
 allow cbd radio_vendor_data_file:dir create_dir_perms;
 allow cbd radio_vendor_data_file:file create_file_perms;
From 2d7c980fa636b75c7b410e792e23b1315b16a6ed Mon Sep 17 00:00:00 2001 From: chungkai Date: Fri, 11 Feb 2022 06:44:48 +0000 Subject: [PATCH 344/900] Fix avc denials for powerhal selinux policy is already added by other commit "9cc7041", so remove the previous setting. Test: boot to home screen Bug: 218934377 Signed-off-by: chungkai Change-Id: Id11ee7b4ae216a54e7051190f8ca382e97a76ade
--- tracking_denials/hal_power_default.te | 3 --- 1 file changed, 3 deletions(-)
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index bf54dbf8..a426fa0d 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -1,5 +1,2 @@
 # b/208909174
 dontaudit hal_power_default hal_power_default:capability { dac_read_search };
-# b/218934377
-dontaudit hal_power_default sysfs:file { open };
-dontaudit hal_power_default sysfs:file { write };
From b2c284177a568dbaf219cae81250c83cae127304 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 16 Feb 2022 13:01:30 +0800 Subject: [PATCH 345/900] label sysfs_fabric to target_load [ 11.149987] type=1400 audit(1644984050.124:9): avc: denied { open } for comm="NodeLooperThrea" path="/sys/devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load" dev="sysfs" ino=48615 scontext=u:r:hal_power_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 218500026 Test: boot with no error loop under enforcing mode Change-Id: Ie2f78f8ee39233e0c1f83fc2ba654f4a116e12a4
--- whitechapel_pro/genfs_contexts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 6c5f59e5..d0b111a8 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -47,8 +47,9 @@ genfscon sysfs /module/bcmdhd4389 u
 genfscon sysfs /devices/platform/28000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
 # Fabric
-genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
-genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0
 # sscoredump (per device)
 genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
From 064c6a86e0e8998090be4bee440788af12df1769 Mon Sep 17 00:00:00 2001 From: Junkyu Kang Date: Fri, 21 Jan 2022 09:35:13 +0000 Subject: [PATCH 346/900] Add persist.vendor.gps to sepolicy Bug: 196002632 Test: PixelLogger can modify persist.vendor.gps.* Change-Id: I17f16d1f147287abf86b18452743842594be7531
--- whitechapel_pro/property_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index d1362f28..6dcddc85 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
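Review bot: The two existing `min_freq` entries are removed and re-added with text that is identical in this view, so the only substantive change is the new `interactive/target_load` line; if the rewrite is just column re-alignment (the collapsed diff hides whitespace), it adds diff noise to a security-sensitive labeling file and is better kept out of a fix commit. Labeling a single node under the fabric devfreq directory as `sysfs_fabric` is the right fix for the quoted denial, and it is what makes the generic-sysfs dontaudits from patch 333/900 unnecessary.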
@@ -84,7 +84,8 @@ ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop
 persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
 # for gps
-vendor.gps u:object_r:vendor_gps_prop:s0
+vendor.gps. u:object_r:vendor_gps_prop:s0
+persist.vendor.gps. u:object_r:vendor_gps_prop:s0
 # Fingerprint
 vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
From efbd9fa0b2428d3ffbedf9abbd2bab9ea52bafc0 Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Tue, 15 Feb 2022 15:47:45 +0800 Subject: [PATCH 347/900] sepolicy: hwinfo: Add battery fuel gauge permission Bug: 208909060 Bug: 219660742 Bug: 219660741 Test: check dmeg and search "avc: denied { search } for comm="id.hardwareinfo" vendor_maxfg_debugfs avc gone after apply patch Change-Id: I3399e696b59218e62c4d1adcc2a12f5d6ee5c8cc Signed-off-by: Denny cy Lee
--- whitechapel_pro/hardware_info_app.te | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te
index 41a08577..ef9c2306 100644
--- a/whitechapel_pro/hardware_info_app.te
+++ b/whitechapel_pro/hardware_info_app.te
@@ -21,3 +21,9 @@ allow hardware_info_app sysfs_display:file r_file_perms;
 # SoC
 allow hardware_info_app sysfs_soc:file r_file_perms;
 allow hardware_info_app sysfs_chip_id:file r_file_perms;
+
+# Fuel
+userdebug_or_eng(`
+ allow hardware_info_app vendor_maxfg_debugfs:dir search;
+ allow hardware_info_app vendor_maxfg_debugfs:file r_file_perms;
+')
From c8c1f766d29f58c3b17611c8728484853342422d Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Wed, 16 Feb 2022 16:32:13 +0800 Subject: [PATCH 348/900] Allow composer to read panel_idle sysfs node Change panel_idle selinux type to sysfs_display to allow composer can access it. Bug: 198808492 Test: ls -Z to check selinux type Test: make sure composer can access it Change-Id: Ic2bd697c79b398b8093dd00598b1076e3ea3aec2
--- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+)
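Review bot: Replacing `vendor.gps` with `vendor.gps.` narrows the entry from a prefix match on every property name beginning with `vendor.gps` to the dotted namespace, which is the tighter and preferable form; the one side effect is that a property named exactly `vendor.gps` or with a non-dotted suffix would no longer be labeled `vendor_gps_prop` after this change, so it is worth confirming no such property is in use before merging. Note that `persist.vendor.gps.` now shares the label that hal_dumpstate_default can read via `get_prop(hal_dumpstate_default, vendor_gps_prop)` earlier on this page, so anything written under it becomes bugreport-visible; a comment on the new line recording that intent would help.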
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index d0b111a8..ba3dc909 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -91,6 +91,7 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
From 4041f814bed47dcefb9d40d1aa6b8b5176fe0d9e Mon Sep 17 00:00:00 2001 From: Peter Csaszar Date: Mon, 14 Feb 2022 20:29:23 -0800 Subject: [PATCH 349/900] pixel-selinux: add SJTAG policies These are the SELinux policies for the sysfs files of the SJTAG kernel interface. The files are in the following directories: /sys/devices/platform/sjtag_ap/interface/ /sys/devices/platform/sjtag_gsa/interface/ Bug: 207571417 Signed-off-by: Peter Csaszar Change-Id: I5ec50d9ff7cd0e08ade7acce21e73751e93a0aff
--- whitechapel_pro/file.te | 11 +++++++++++ whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/shell.te | 5 +++++ whitechapel_pro/ssr_detector.te | 5 +++++ 4 files changed, 25 insertions(+) create mode 100644 whitechapel_pro/shell.te
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 971e4657..e4248525 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -91,3 +91,14 @@ type sysfs_st33spi, sysfs_type, fs_type; # GPU type sysfs_gpu, sysfs_type, fs_type; + +# Vendor sched files +userdebug_or_eng(` + typeattribute sysfs_vendor_sched mlstrustedobject; +') + +# SJTAG +type sysfs_sjtag, fs_type, sysfs_type; +userdebug_or_eng(` + typeattribute sysfs_sjtag mlstrustedobject; +') diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index ba3dc909..f7f43487 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -210,3 +210,7 @@ genfscon sysfs /devices/platform/100b0000.TPU u:obje # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 + +# SJTAG +genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 +genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te new file mode 100644 index 00000000..978a5426 --- /dev/null +++ b/whitechapel_pro/shell.te @@ -0,0 +1,5 @@ +# Allow access to the SJTAG kernel interface from the shell +userdebug_or_eng(` + allow shell sysfs_sjtag:dir r_dir_perms; + allow shell sysfs_sjtag:file rw_file_perms; +') diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te index ff3c40f9..793e51b6 100644 --- a/whitechapel_pro/ssr_detector.te +++ b/whitechapel_pro/ssr_detector.te 
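Review bot: The `typeattribute sysfs_vendor_sched mlstrustedobject;` block under `# Vendor sched files` is unrelated to the SJTAG interface the commit message describes, and the ssr_detector.te hunk of the same patch likewise adds `sysfs_vendor_sched` rw rules and `allow ssr_detector_app cgroup:file write;` without any mention in the description. As far as the standard MLS constraints go, mlstrustedobject exempts the object from MLS level checks policy-wide, which is a broader relaxation than a per-domain allow and deserves its own explanation or its own change. Both additions are gated by userdebug_or_eng, so the exposure is limited to debug builds; the SJTAG-specific parts of the hunk are consistent with the commit message.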
@@ -12,6 +12,11 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) + allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; + allow ssr_detector_app sysfs_sjtag:file rw_file_perms; + allow ssr_detector_app sysfs_vendor_sched:dir search; + allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms; + allow ssr_detector_app cgroup:file write; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 0d22c86fef5a77dd7cd03873274e04833ee4794a Mon Sep 17 00:00:00 2001 From: neoyu Date: Thu, 17 Feb 2022 12:55:26 +0800 Subject: [PATCH 350/900] Fix SELinux errors for ims avc: denied { write } for name="property_service" dev="tmpfs" ino=362 scontext=u:r:vendor_ims_app:s0:c208,c256,c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 app=com.shannon.imsservice avc: denied { set } for property=persist.radio.call.audio.output pid=1920 uid=10216 gid=10216 scontext=u:r:vendor_ims_app:s0:c216,c256,c512,c768 tcontext=u:object_r:radio_prop:s0 tclass=property_service permissive=0' Bug: 219954530 Test: manual Change-Id: I3e7f6781718c3967f7842b074b0ef91818508af2 --- whitechapel_pro/vendor_ims_app.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te index b226dc37..b109fcc1 100644 --- a/whitechapel_pro/vendor_ims_app.te +++ b/whitechapel_pro/vendor_ims_app.te @@ -6,4 +6,5 @@ allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; allow vendor_ims_app radio_service:service_manager find; binder_call(vendor_ims_app, rild) -get_prop(vendor_ims_app, vendor_rild_prop) +set_prop(vendor_ims_app, vendor_rild_prop) +set_prop(vendor_ims_app, radio_prop) From 453b37ebdc0a9614e09ffbc03592a8350fcb524f Mon Sep 17 00:00:00 2001 
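Review bot: The quoted denials only justify `set_prop(vendor_ims_app, radio_prop)`; the change of vendor_rild_prop from get_prop to set_prop has no corresponding denial in the description, so that widening should be explained or dropped. radio_prop is a system-image property type and vendor_ims_app is an app domain with MLS categories (`c208,c256,...` in the log), so this lets an app process set properties shared with the platform radio stack; a vendor-owned type scoped to the properties IMS actually needs would be narrower. Since the AOSP set_prop macro already includes get_prop, nothing is lost by the replacement itself. The identical hunk is applied again as PATCH 355 (cherry-pick), so any follow-up should cover both.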
From: Alex Hong Date: Thu, 17 Feb 2022 14:29:35 +0800 Subject: [PATCH 351/900] Remove the sepolicy for tetheroffload service Test: m checkvintf run vts -m VtsHalTetheroffloadControlV1_0TargetTest Bug: 207076973 Bug: 214494717 Change-Id: I5ecec46512ff4e1ae6c52147cfa0179e5fc93420 --- whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_tetheroffload_default.te | 17 ----------------- 2 files changed, 18 deletions(-) delete mode 100644 whitechapel_pro/hal_tetheroffload_default.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4f0451e4..845d50c1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -36,7 +36,6 @@ /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 -/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/whitechapel_pro/hal_tetheroffload_default.te b/whitechapel_pro/hal_tetheroffload_default.te deleted file mode 100644 index 00ae3214..00000000 --- a/whitechapel_pro/hal_tetheroffload_default.te +++ /dev/null @@ -1,17 +0,0 @@ -# associate netdomain to use for accessing internet sockets -net_domain(hal_tetheroffload_default) - -# Allow operations with TOE device -allow hal_tetheroffload_default vendor_toe_device:chr_file rw_file_perms; - -# Allow NETLINK and socket -allow hal_tetheroffload_default self:{ - netlink_socket - netlink_generic_socket - unix_dgram_socket -} create_socket_perms_no_ioctl; - -# Register to hwbinder service -add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice) -hwbinder_use(hal_tetheroffload_default) -get_prop(hal_tetheroffload_default, hwservicemanager_prop) 
From 28817da2a32955da540721c773921c0cfa608e8f Mon Sep 17 00:00:00 2001 From: wenchangliu Date: Fri, 18 Feb 2022 13:24:38 +0000 Subject: [PATCH 352/900] Allow mediacodec_samsung to access gpu device avc: denied { getattr } for path="/dev/mali0" dev="tmpfs" \ ino=1042 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { read write } for name="mali0" dev="tmpfs" \ ino=1042 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/mali0" dev="tmpfs" \ ino=1042 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/mali0" dev="tmpfs" \ ino=1042 ioctlcmd=0x8034 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { map } for path="/dev/mali0" dev="tmpfs" \ ino=1042 scontext=u:r:mediacodec_samsung:s0 \ tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 Bug: 205772037 Test: demo-transformer HDR editing Change-Id: Ib5d075bfd1247112c803f01db430d93259fd9e7f --- whitechapel_pro/mediacodec_samsung.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te index 6ac0ca35..2c5d7ede 100644 --- a/whitechapel_pro/mediacodec_samsung.te +++ b/whitechapel_pro/mediacodec_samsung.te @@ -10,6 +10,7 @@ vndbinder_use(mediacodec_samsung) allow mediacodec_samsung video_device:chr_file rw_file_perms; allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms; +allow mediacodec_samsung gpu_device:chr_file rw_file_perms; allow mediacodec_samsung sysfs_mfc:file r_file_perms; allow mediacodec_samsung sysfs_mfc:dir r_dir_perms; From e65363450c0bbe739f4e5fe074eace1ef117d218 Mon Sep 17 00:00:00 2001 
From: Jinting Lin Date: Thu, 17 Feb 2022 07:43:29 +0000 Subject: [PATCH 353/900] Adds logging related properties for logger app Bug: 220073302 Change-Id: I3917ce13f51a5ccb3304eb2db860f4da8424438b --- whitechapel_pro/property_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 6dcddc85..18e9f4ca 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -77,7 +77,9 @@ vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for logger app +vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # vendor default ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 From 2b6835e404dcb4d7d3a0af4b3bc9ee87a97a6849 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 21 Feb 2022 09:20:42 +0800 Subject: [PATCH 354/900] update error on ROM 8205122 Bug: 220636850 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I201f9e84eca676b9f7aa5d09356bce384df1fa4b --- tracking_denials/priv_app.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index b956419b..5784c9bd 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -7,3 +7,7 @@ dontaudit priv_app vendor_apex_file:dir { search }; dontaudit priv_app vendor_apex_file:file { getattr }; dontaudit priv_app vendor_apex_file:file { open }; dontaudit priv_app vendor_apex_file:file { read }; +# b/220636850 +dontaudit priv_app default_prop:property_service { set }; +dontaudit priv_app init:unix_stream_socket { connectto }; +dontaudit priv_app property_socket:sock_file { write }; From e909ddabea7de3c82ede69391f05e27478356d38 Mon Sep 17 00:00:00 2001 
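Review bot: `dontaudit priv_app default_prop:property_service { set };` silences a denial whose root cause is a property that falls through to the default label rather than an over-strict rule. If the property is one a privileged app legitimately sets, it should be given its own context in property_contexts; if not, the dontaudit hides evidence of a privileged app writing a property it should not. The two accompanying rules (`init:unix_stream_socket connectto` and `property_socket:sock_file write`) are the transport half of the same attempt and will reappear whenever the property is relabeled, so the tracking entry should record the property name from the denial, not only the bug id.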
From: neoyu Date: Thu, 17 Feb 2022 12:55:26 +0800 Subject: [PATCH 355/900] Fix SELinux errors for ims avc: denied { write } for name="property_service" dev="tmpfs" ino=362 scontext=u:r:vendor_ims_app:s0:c208,c256,c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 app=com.shannon.imsservice avc: denied { set } for property=persist.radio.call.audio.output pid=1920 uid=10216 gid=10216 scontext=u:r:vendor_ims_app:s0:c216,c256,c512,c768 tcontext=u:object_r:radio_prop:s0 tclass=property_service permissive=0' Bug: 219954530 Test: manual Change-Id: I3e7f6781718c3967f7842b074b0ef91818508af2 (cherry picked from commit 0d22c86fef5a77dd7cd03873274e04833ee4794a) Merged-In: I3e7f6781718c3967f7842b074b0ef91818508af2 --- whitechapel_pro/vendor_ims_app.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te index b226dc37..b109fcc1 100644 --- a/whitechapel_pro/vendor_ims_app.te +++ b/whitechapel_pro/vendor_ims_app.te @@ -6,4 +6,5 @@ allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; allow vendor_ims_app radio_service:service_manager find; binder_call(vendor_ims_app, rild) -get_prop(vendor_ims_app, vendor_rild_prop) +set_prop(vendor_ims_app, vendor_rild_prop) +set_prop(vendor_ims_app, radio_prop) From ad0a033f97e2d517e2f5390fa1ec626fabb7d60e Mon Sep 17 00:00:00 2001 From: wenchangliu Date: Mon, 21 Feb 2022 03:42:32 +0000 Subject: [PATCH 356/900] Allow hal_graphics_allocator to access dmabuf_system_secure_heap_device avc: denied { ioctl } for path="/dev/dma_heap/vframe-secure" dev="tmpfs" \ ino=801 ioctlcmd=0x4800 scontext=u:r:hal_graphics_allocator_default:s0 \ tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 \ tclass=chr_file permissive=0 Bug: 199467922 Test: ExoPlayer secure playback Change-Id: I9e6e1bba6d01c1a416a440e8ad425a5cf2ac19c5 --- whitechapel_pro/hal_graphics_allocator_default.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel_pro/hal_graphics_allocator_default.te b/whitechapel_pro/hal_graphics_allocator_default.te index 05f9508d..2889a800 100644 --- a/whitechapel_pro/hal_graphics_allocator_default.te +++ b/whitechapel_pro/hal_graphics_allocator_default.te @@ -1 +1,2 @@ allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms; From 84d53775e15d032088f59158a4f30e68eb27cf51 Mon Sep 17 00:00:00 2001 From: wenchangliu Date: Mon, 21 Feb 2022 04:10:33 +0000 Subject: [PATCH 357/900] Allow hal_graphics_allocator to access vscaler_heap_device avc: denied { read } for name="vscaler-secure" dev="tmpfs" \ ino=458 scontext=u:r:hal_graphics_allocator_default:s0 \ tcontext=u:object_r:vscaler_heap_device:s0 \ tclass=chr_file permissive=0 Bug: 199467922 Test: ExoPlayer secure playback Change-Id: I2b3be9f4f038317eb456a20b33e555e8d5db2678 --- whitechapel_pro/hal_graphics_allocator_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/hal_graphics_allocator_default.te b/whitechapel_pro/hal_graphics_allocator_default.te index 2889a800..b55caabc 100644 --- a/whitechapel_pro/hal_graphics_allocator_default.te +++ b/whitechapel_pro/hal_graphics_allocator_default.te @@ -1,2 +1,3 @@ allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms; From bc3924f61de5040c0884d80cc8d42ed084d956be Mon Sep 17 00:00:00 2001 
From: Tai Kuo Date: Fri, 18 Feb 2022 19:39:12 +0800 Subject: [PATCH 358/900] Remove hal_vibrator_default avc tracking denials Bug: 204718450 Bug: 207062207 Bug: 208721729 Test: pts-tradefed run pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: Icb3d6a48fc9fbb6e6644d1d65150436f7c0c8c3f --- tracking_denials/hal_vibrator_default.te | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 tracking_denials/hal_vibrator_default.te diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te deleted file mode 100644 index 173aeb60..00000000 --- a/tracking_denials/hal_vibrator_default.te +++ /dev/null @@ -1,17 +0,0 @@ -# b/204718450 -dontaudit hal_vibrator_default input_device:dir { open }; -dontaudit hal_vibrator_default input_device:dir { read }; -# b/207062207 -dontaudit hal_vibrator_default proc_asound:dir { search }; -dontaudit hal_vibrator_default proc_asound:file { getattr }; -dontaudit hal_vibrator_default proc_asound:file { open }; -dontaudit hal_vibrator_default proc_asound:file { read }; -dontaudit hal_vibrator_default sysfs:file { getattr }; -dontaudit hal_vibrator_default sysfs:file { open }; -dontaudit hal_vibrator_default sysfs:file { read write }; -# b/208721729 -#dontaudit hal_vibrator_default fastbootd_protocol_prop:file { getattr }; -#dontaudit hal_vibrator_default fastbootd_protocol_prop:file { map }; -#dontaudit hal_vibrator_default fastbootd_protocol_prop:file { open }; -dontaudit hal_vibrator_default ffs_config_prop:file { getattr }; -dontaudit hal_vibrator_default ffs_config_prop:file { open }; From 26aa7c150e86cb729d73d3d3f4440e70331aa14d Mon Sep 17 00:00:00 2001 
From: neoyu Date: Fri, 18 Feb 2022 18:47:12 +0800 Subject: [PATCH 359/900] Fix SELinux errors for rild avc: denied { set } for property=vendor.sys.modem_reset pid=990 uid=1001 gid=1001 scontext=u:r:rild:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0' Bug: 220261262 Test: manual Change-Id: I2bd616345f665c0cffd1ee73db790708f9cbca06 --- whitechapel_pro/property_contexts | 1 + whitechapel_pro/rild.te | 1 + 2 files changed, 2 insertions(+) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 6dcddc85..e854d7c7 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -29,6 +29,7 @@ persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0 persist.vendor.modem. u:object_r:vendor_modem_prop:s0 vendor.modem. u:object_r:vendor_modem_prop:s0 vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +vendor.sys.modem_reset u:object_r:vendor_modem_prop:s0 ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 766118ef..89ed610d 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -1,4 +1,5 @@ set_prop(rild, vendor_rild_prop) +set_prop(rild, vendor_modem_prop) get_prop(rild, vendor_persist_config_default_prop) get_prop(rild, vendor_carrier_prop) From 7a34798ea47f74885ff011036c20410d2bfb1d1b Mon Sep 17 00:00:00 2001 
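Review bot: `set_prop(rild, vendor_modem_prop)` grants set on every property under vendor_modem_prop — the property_contexts hunk shows that type covering `persist.vendor.modem.`, `vendor.modem.`, `vendor.sys.modem.`, `ro.vendor.sys.modem.` and more — while the denial concerns only `vendor.sys.modem_reset`. If rild only needs to trigger the reset, labeling `vendor.sys.modem_reset` with its own vendor type and granting set on that alone would keep the modem configuration properties writable only by their current owners. The exact-match entry itself is needed, since `vendor.sys.modem.` with the trailing dot is a prefix rule that does not cover `vendor.sys.modem_reset`.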
From: neoyu Date: Mon, 21 Feb 2022 14:58:29 +0800 Subject: [PATCH 360/900] Fix SELinux errors for vendor_init avc: denied { set } for property=logd.logpersistd pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:logpersistd_logging_prop:s0 tclass=property_service permissive=0' avc: denied { set } for property=logd.logpersistd.size pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:logpersistd_logging_prop:s0 tclass=property_service permissive=0' avc: denied { set } for property=persist.vendor.ril.use.iccid_to_plmn pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=property_service permissive=0' avc: denied { set } for property=persist.vendor.ril.emergencynumber.mode pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=property_service permissive=0' avc: denied { set } for property=persist.vendor.ril.log_mask pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=property_service permissive=0' avc: denied { set } for property=persist.vendor.ril.log.base_dir pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=property_service permissive=0' avc: denied { set } for property=persist.vendor.ril.log.chunk_size pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=property_service permissive=0' Bug: 220261262 Test: manual Change-Id: Ieb6673234f913af25e275e61404098a0deccbed2 --- whitechapel_pro/vendor_init.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 996a44fd..f9a11edf 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te 
@@ -8,6 +8,8 @@ get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_usb_config_prop) +set_prop(vendor_init, vendor_rild_prop) +set_prop(vendor_init, logpersistd_logging_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file w_file_perms; From 2c914cd02c6aa40ac3f7ef086e24d47b0d86e319 Mon Sep 17 00:00:00 2001 From: Jinting Lin Date: Mon, 21 Feb 2022 07:49:47 +0000 Subject: [PATCH 361/900] Adds mnt file and batt info permissions for modem app Bug: 220076340 Change-Id: Icd02d4f8757719afed020c27a90812921d5f37ec --- whitechapel_pro/modem_diagnostic_app.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te index 887b4285..9fa772b4 100644 --- a/whitechapel_pro/modem_diagnostic_app.te +++ b/whitechapel_pro/modem_diagnostic_app.te @@ -22,9 +22,14 @@ userdebug_or_eng(` allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms; allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms; + allow modem_diagnostic_app mnt_vendor_file:file r_file_perms; + allow modem_diagnostic_app modem_img_file:dir r_dir_perms; allow modem_diagnostic_app modem_img_file:file r_file_perms; allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms; allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find; + + allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms; + allow modem_diagnostic_app sysfs_batteryinfo:dir search; ') From 62d5b40d35c8dd1fd98416e3a482bcc3ebe495dc Mon Sep 17 00:00:00 2001 From: Jack Yu Date: Fri, 18 Feb 2022 21:43:46 +0800 Subject: [PATCH 362/900] uwb: permissions for factory uwb calibration file Allow nfc hal accessing /data/vendor/uwb. Bug: 220167093 Test: build pass Change-Id: I33093231577b71c24d5bf6f980c7021cc546fa98 --- whitechapel_pro/hal_nfc_default.te | 3 +++ 1 file changed, 3 insertions(+) 
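Review bot: `set_prop(vendor_init, logpersistd_logging_prop)` gives vendor init.rc scripts control over a system-owned logging property (`logd.logpersistd`, no vendor. prefix, per the quoted denials), which appears to cross the system/vendor property boundary; confirm this is intended rather than moving the setting into a system init.rc. `set_prop(vendor_init, vendor_rild_prop)` is justified by the persist.vendor.ril.* denials and looks fine. A short comment above the two lines naming what sets them, `# set from vendor init.rc: logd.logpersistd*, persist.vendor.ril.* (b/220261262)`, would make the grant traceable.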
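Review bot: `allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;` grants read on every file labeled mnt_vendor_file rather than the particular file the commit title ("mnt file") refers to; if a single file or directory is needed, a dedicated label for it would keep the rest of the mount out of reach. The block is userdebug_or_eng-gated (the enclosing `userdebug_or_eng(\`` is the hunk header's context and the closing `')` ends the hunk), so this affects debug builds only. The same hunk is re-applied as PATCH 371 (cherry-pick), so a follow-up should cover both.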
diff --git a/whitechapel_pro/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te index f98e78c6..174b5383 100644 --- a/whitechapel_pro/hal_nfc_default.te +++ b/whitechapel_pro/hal_nfc_default.te @@ -7,3 +7,6 @@ set_prop(hal_nfc_default, vendor_secure_element_prop) # Modem property set_prop(hal_nfc_default, vendor_modem_prop) +# Access uwb cal for SecureRanging Applet +allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; +allow hal_nfc_default uwb_data_vendor:file r_file_perms; From 9d12b77b670d428aefb96687719000a891c8e1d5 Mon Sep 17 00:00:00 2001 From: neoyu Date: Mon, 21 Feb 2022 15:33:47 +0800 Subject: [PATCH 363/900] Fix SELinux errors for ims Sync different parts from P21 to P22 Bug: 220244357 Test: manual Change-Id: Idf8e5e612b46370812be0907e75e9ae43f37ab7b --- whitechapel_pro/vendor_ims_app.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te index b109fcc1..8d655747 100644 --- a/whitechapel_pro/vendor_ims_app.te +++ b/whitechapel_pro/vendor_ims_app.te @@ -2,9 +2,15 @@ type vendor_ims_app, domain; app_domain(vendor_ims_app) allow vendor_ims_app app_api_service:service_manager find; +allow vendor_ims_app audioserver_service:service_manager find; + allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; allow vendor_ims_app radio_service:service_manager find; +allow vendor_ims_app mediaserver_service:service_manager find; +allow vendor_ims_app cameraserver_service:service_manager find; +allow vendor_ims_app mediametrics_service:service_manager find; + binder_call(vendor_ims_app, rild) set_prop(vendor_ims_app, vendor_rild_prop) set_prop(vendor_ims_app, radio_prop) From b322df9960def7502589ee99912df7852c15384a Mon Sep 17 00:00:00 2001 
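Review bot: The four new `service_manager find` rules (audioserver, mediaserver, cameraserver, mediametrics) come with no denial log or description of which IMS feature needs them, unlike the other commits in this series; `cameraserver_service` in particular warrants a justification comment, since find is the first step to binding that service from an app domain. Grouping the new lines next to the existing `radio_service` rule instead of splitting `audioserver_service` off with blank lines would also keep the service list readable. A comment such as `# video call: camera, media and audio services (b/220244357)` above the block would cover both points.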
From: Adam Shih Date: Tue, 22 Feb 2022 13:05:53 +0800 Subject: [PATCH 364/900] Let GPU reload 02-22 12:59:47.955 15 15 I mali 28000000.mali: reloading firmware 02-22 12:59:47.955 15 15 W mali 28000000.mali: loading /vendor/firmware/mali_csffw.bin failed with error -13 02-22 12:59:47.955 15 15 W mali 28000000.mali: Direct firmware load for mali_csffw.bin failed with error -2 02-22 12:59:47.955 15 15 E mali 28000000.mali: Failed to reload firmware image 'mali_csffw.bin' 02-22 12:59:47.920 15 15 W kworker/0:1: type=1400 audit(0.0:10): avc: denied { read } for name="mali_csffw.bin" dev="dm-4" ino=5689716 scontext=u:r:kernel:s0 tcontext=u:object_r:same_process_hal_file:s0 tclass=file permissive=0 Bug: 220801802 Test: device can resume after an hour of suspend. Change-Id: Ib252d6b1ac50ba7578a2ebf8cd8745004c385378 --- tracking_denials/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 213ac540..94b36310 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,2 +1,4 @@ # b/213817227 dontaudit kernel vendor_battery_debugfs:dir { search }; +# b/220801802 +allow kernel same_process_hal_file:file r_file_perms; From 7997d6a8a0829b08fcb61370aaac56b58beb6f68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 17 Feb 2022 06:47:07 -0800 Subject: [PATCH 365/900] Camera: add setsched capability. The camera HAL needs to increase the priority of some threads to reduce frame drops. Bug: 205072921 Test: Inspected logcat on P10 Change-Id: Ife5194c780a91f32d718f8db38e41f2f47fb929f --- tracking_denials/hal_camera_default.te | 5 ----- whitechapel_pro/hal_camera_default.te | 1 + 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index 5f2df0ef..f423e497 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te 
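Review bot: `allow kernel same_process_hal_file:file r_file_perms;` is a real grant placed in tracking_denials/kernel.te, a file that otherwise holds only dontaudit entries; a reader scanning tracking_denials for suppressions will not expect it to widen kernel access, so it belongs in the main policy directory with an explanation. The underlying issue per the log is the GPU firmware `mali_csffw.bin` being labeled same_process_hal_file; if that file sits under /vendor/firmware, giving it the label used for firmware there (so whatever firmware-load rules the kernel domain already has apply) would avoid granting the kernel read on every same-process HAL library. At minimum the line needs a comment, `# GPU firmware reload after suspend (b/220801802)`.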
@@ -1,10 +1,5 @@ -# b/205072921 -dontaudit hal_camera_default kernel:process { setsched }; # b/205780065 dontaudit hal_camera_default system_data_file:dir { search }; -# b/205904406 -dontaudit hal_camera_default init:unix_stream_socket { connectto }; -dontaudit hal_camera_default property_socket:sock_file { write }; # b/218585004 dontaudit hal_camera_default traced:unix_stream_socket { connectto }; dontaudit hal_camera_default traced_producer_socket:sock_file { write }; diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index 3c90bf32..5fcb5547 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te @@ -1,6 +1,7 @@ type hal_camera_default_tmpfs, file_type; allow hal_camera_default self:global_capability_class_set sys_nice; +allow hal_camera_default kernel:process setsched; binder_use(hal_camera_default); vndbinder_use(hal_camera_default); From 5b6a5292c3f92a880dfa769eeaa90d5a52279e94 Mon Sep 17 00:00:00 2001 
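Review bot: The removal of the `# b/205904406` dontaudit lines (`init:unix_stream_socket connectto`, `property_socket:sock_file write`) is not covered by the commit message, and no property grant for hal_camera_default appears in the second hunk, so either those denials were resolved elsewhere or they will be audited again on boot; the message should say which. The setsched removal is matched by the new allow rule in the second hunk.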
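Review bot: `allow hal_camera_default kernel:process setsched;` lets the camera HAL change the scheduling policy of threads in the kernel domain, not only its own; the commit message says "some threads", so a comment naming which kernel threads are meant would make the grant reviewable, e.g. `# setsched on kernel threads serving the camera pipeline (b/205072921)`. Together with the existing `sys_nice` capability on the line above, this is the full set needed to raise priorities, so nothing else looks missing.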
From: Ted Lin Date: Tue, 22 Feb 2022 10:54:06 +0800 Subject: [PATCH 366/900] hal_health_default: Fix avc denials 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2270): avc: denied { search } for name="thermal" dev="tmpfs" ino=1028 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:thermal_link_device:s0 tclass=dir permissive=1 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2271): avc: denied { search } for name="thermal" dev="sysfs" ino=16790 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2273): avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone13/mode" dev="sysfs" ino=17285 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2272): avc: denied { write } for name="mode" dev="sysfs" ino=17285 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 Bug:208721638 Test: adb bugreport Change-Id: I4d9491862ff1bcc88f89b1478497ac569e3d1df1 Signed-off-by: Ted Lin --- tracking_denials/hal_health_default.te | 5 ----- whitechapel_pro/hal_health_default.te | 3 +++ 2 files changed, 3 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/hal_health_default.te diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te deleted file mode 100644 index d36ba385..00000000 --- a/tracking_denials/hal_health_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/208721638 -dontaudit hal_health_default sysfs_thermal:dir { search }; -dontaudit hal_health_default sysfs_thermal:file { open }; -dontaudit hal_health_default sysfs_thermal:file { write }; -dontaudit hal_health_default thermal_link_device:dir { search }; 
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index a4294ee5..e7406a76 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -9,3 +9,6 @@ allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; +allow hal_health_default sysfs_thermal:dir search; +allow hal_health_default sysfs_thermal:file w_file_perms; +allow hal_health_default thermal_link_device:dir search; From 727d070b13dbcfbc8debe0d7418429110782b192 Mon Sep 17 00:00:00 2001 From: Robb Glasser Date: Fri, 18 Feb 2022 16:36:37 -0800 Subject: [PATCH 367/900] Fix sensors_hal selinux denials. Bug: 214473093 Bug: 218930975 Bug: 210067282 Test: com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: Ifd865efd0544f246d1c188f3edce9f05f27313d2 --- tracking_denials/hal_sensors_default.te | 6 ------ whitechapel_pro/hal_sensors_default.te | 1 + 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 tracking_denials/hal_sensors_default.te diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te deleted file mode 100644 index 8bff1569..00000000 --- a/tracking_denials/hal_sensors_default.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/214473093 -dontaudit hal_sensors_default sensor_reg_data_file:file { getattr }; -dontaudit hal_sensors_default sensor_reg_data_file:file { open }; -dontaudit hal_sensors_default sensor_reg_data_file:file { read }; -# b/218930975 -dontaudit hal_sensors_default hal_graphics_composer_default:binder { call }; diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index 7ad1d715..a29bb730 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te 
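Review bot: `allow hal_health_default sysfs_thermal:file w_file_perms;` grants write on every sysfs_thermal file, while the denials show a single node, `thermal_zone13/mode`; a health HAL toggling thermal zones is a side effect worth a comment, and if only `mode` is touched a dedicated label for it would keep trip points and other thermal nodes out of reach. No read rule is added, which matches the denials (search/open/write only), so this is not a regression. The accompanying deletion of the tracking file is consistent with the new rules.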
@@ -25,6 +25,7 @@ r_dir_file(hal_sensors_default, persist_camera_file) # Allow creation and writing of sensor registry data files. allow hal_sensors_default sensor_reg_data_file:dir r_dir_perms; +allow hal_sensors_default sensor_reg_data_file:file r_file_perms; # Allow access to the display info for ALS. allow hal_sensors_default sysfs_display:file rw_file_perms; From b158d7b08875efb758a44e08cf72eafcf5437d97 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 23 Feb 2022 09:58:37 +0800 Subject: [PATCH 368/900] avoid pixellogger from crashing Bug: 220935985 Test: pixellogger stays alive for 2 minutes Change-Id: I9f70f1a936731332ada3abfa945e60f8aff58279 --- whitechapel_pro/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index e854d7c7..ca180174 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -79,6 +79,7 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for logger app persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +vendor.pixellogger. u:object_r:vendor_logger_prop:s0 # vendor default ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 From 38847385386d57b40a9822bdcef7a11de1a1e4e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Tue, 22 Feb 2022 12:44:43 -0800 Subject: [PATCH 369/900] Camera: re-add TEE access. Face auth is being investigated for Android T, so this access is still needed. It was initially omitted from ag/16719985 because it did not launch in Android S. Bug: 220886644 Test: build for P10 Change-Id: I61ecc685397fcab6f356e98abfc88e8cb34254f4 --- whitechapel_pro/hal_camera_default.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index 5fcb5547..f604875f 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te 
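Review bot: The new `allow hal_sensors_default sensor_reg_data_file:file r_file_perms;` sits under the comment `# Allow creation and writing of sensor registry data files.`, but the rules in this hunk only grant read (`r_dir_perms`, `r_file_perms`); either the comment or the permissions is out of date, and the comment should read `# Allow reading of sensor registry data files.` unless creation is granted elsewhere. The deleted tracking file also dropped `dontaudit hal_sensors_default hal_graphics_composer_default:binder { call };` (b/218930975) with no matching allow in this patch, so that denial will be audited again unless fixed elsewhere; the commit message lists the bug but not the resolution.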
@@ -10,6 +10,11 @@ allow hal_camera_default lwis_device:chr_file rw_file_perms; allow hal_camera_default gpu_device:chr_file rw_file_perms; allow hal_camera_default sysfs_chip_id:file r_file_perms; +# Face authentication code that is part of the camera HAL needs to allocate +# dma_bufs and access the Trusted Execution Environment device node +allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms; +allow hal_camera_default tee_device:chr_file rw_file_perms; + # Allow the camera hal to access the EdgeTPU service and the # Android shared memory allocated by the EdgeTPU service for # on-device compilation. From 7ba8b12bb819ca5ff42c440f2b67cd4e036cee1b Mon Sep 17 00:00:00 2001 From: Jinting Lin Date: Thu, 17 Feb 2022 07:43:29 +0000 Subject: [PATCH 370/900] Adds logging related properties for logger app Bug: 220073302 Merged-In: I3917ce13f51a5ccb3304eb2db860f4da8424438b Change-Id: I3917ce13f51a5ccb3304eb2db860f4da8424438b (cherry picked from commit e65363450c0bbe739f4e5fe074eace1ef117d218) --- whitechapel_pro/property_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index ca180174..b39184a5 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -78,8 +78,9 @@ vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for logger app -persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # vendor default ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 From e6af74a6c4f56c7c25394ed6d97812cb4aede3cc Mon Sep 17 00:00:00 2001 
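Review bot: `allow hal_camera_default tee_device:chr_file rw_file_perms;` hands the whole camera HAL process open/read/write/ioctl on the TEE device node, although the comment says only the face-authentication code inside it needs that. If the TEE client library uses a fixed set of ioctls, an `allowxperm` rule on `tee_device:chr_file ioctl` listing just those commands would bound what the camera HAL can send to the TEE; at minimum, naming the face-auth component in the comment would make the grant easy to revisit if that code moves out of the HAL.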
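Review bot: `persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0` has no trailing dot and no `exact` qualifier, so like the entries around it it is a prefix match rather than a single property. Since the name reads as a boolean switch, `persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 exact bool` would restrict the entry to that one property and let the property type checker reject non-boolean values. The move of `persist.vendor.pixellogger.` below `vendor.pixellogger.` in the same hunk is a pure reorder and could be left out to keep the diff minimal.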
From: Jinting Lin Date: Mon, 21 Feb 2022 07:49:47 +0000 Subject: [PATCH 371/900] Adds mnt file and batt info permissions for modem app Bug: 220076340 Merged-In: Icd02d4f8757719afed020c27a90812921d5f37ec Change-Id: Icd02d4f8757719afed020c27a90812921d5f37ec (cherry picked from commit 2c914cd02c6aa40ac3f7ef086e24d47b0d86e319) --- whitechapel_pro/modem_diagnostic_app.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te index 887b4285..9fa772b4 100644 --- a/whitechapel_pro/modem_diagnostic_app.te +++ b/whitechapel_pro/modem_diagnostic_app.te @@ -22,9 +22,14 @@ userdebug_or_eng(` allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms; allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms; + allow modem_diagnostic_app mnt_vendor_file:file r_file_perms; + allow modem_diagnostic_app modem_img_file:dir r_dir_perms; allow modem_diagnostic_app modem_img_file:file r_file_perms; allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms; allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find; + + allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms; + allow modem_diagnostic_app sysfs_batteryinfo:dir search; ') From 8f90cf54080a41c7f85322a39b56291eb7887abc Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Wed, 23 Feb 2022 16:05:33 +0800 Subject: [PATCH 372/900] Allow hal_power_stats to read UWB sysfs nodes Bug: 219369324 Test: Dump power stats and see no avc denials Change-Id: Ib1ac15867f51069bef3f68e91bf65b842b7c0734 Signed-off-by: Darren Hsu --- tracking_denials/hal_power_stats_default.te | 4 ---- whitechapel_pro/genfs_contexts | 9 +++++---- 2 files changed, 5 insertions(+), 8 deletions(-) delete mode 100644 tracking_denials/hal_power_stats_default.te diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te deleted file mode 100644 index a6279d5e..00000000 
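Review bot: `allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;` lets the app read every file labeled mnt_vendor_file, which is broader than the modem image access that the neighbouring `modem_img_file` rules already scope; if the app needs one specific file or directory under the vendor mount, labeling it with its own type, as modem_img_file already is, would keep the grant narrow. The rules sit inside the `userdebug_or_eng` block that starts before the hunk, so they do not reach user builds, which limits the exposure. A short comment on the two `sysfs_batteryinfo` lines saying which battery nodes the diagnostics need would also help.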
--- a/tracking_denials/hal_power_stats_default.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/219369324 -dontaudit hal_power_stats_default sysfs:file { getattr }; -dontaudit hal_power_stats_default sysfs:file { open }; -dontaudit hal_power_stats_default sysfs:file { read }; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index ba3dc909..890ac47c 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -59,10 +59,11 @@ genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 # Power Stats -genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 # Power ODPM genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 From 97a25bf259e89abb1917f1646ce7df2496faafe1 Mon Sep 17 00:00:00 2001 
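Review bot: Four of the five `+` lines in the genfs_contexts hunk are re-indented copies of the existing `power_stats` entries, so only the new `spi16.0/uwb/power_stats` line changes labeling; the column realignment makes a one-line change look like a five-line one and hides the real addition in blame. Keeping the existing alignment and adding only the uwb entry would make the diff match the commit message. If realignment is wanted, it is clearer as a separate whitespace-only change.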
From: Jack Yu Date: Fri, 18 Feb 2022 21:43:46 +0800 Subject: [PATCH 373/900] uwb: permissions for factory uwb calibration file Allow nfc hal accessing /data/vendor/uwb. Bug: 220167093 Test: build pass Merged-In: I33093231577b71c24d5bf6f980c7021cc546fa98 Change-Id: I33093231577b71c24d5bf6f980c7021cc546fa98 --- whitechapel_pro/hal_nfc_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te index f98e78c6..174b5383 100644 --- a/whitechapel_pro/hal_nfc_default.te +++ b/whitechapel_pro/hal_nfc_default.te @@ -7,3 +7,6 @@ set_prop(hal_nfc_default, vendor_secure_element_prop) # Modem property set_prop(hal_nfc_default, vendor_modem_prop) +# Access uwb cal for SecureRanging Applet +allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; +allow hal_nfc_default uwb_data_vendor:file r_file_perms; From 5fb066e1438406dc399c76ad362b5bb550ff67ea Mon Sep 17 00:00:00 2001 From: Joseph Jang Date: Wed, 23 Feb 2022 05:45:43 +0000 Subject: [PATCH 374/900] identity: Add sepolicy permission for hal_identity_citadel to find hal_remotelyprovisionedcomponent_service log: SELinux : avc: denied { find } for pid=885 uid=9999 name=android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox scontext=u:r:hal_identity_citadel:s0 tcontext=u:object_r:hal_remotelyprovisionedcomponent_service:s0 tclass=service_manager permissive=0 Bug: 218613398 Change-Id: I124ea5898609a3f68bee13b6db931878252d4081 --- dauntless/hal_identity_citadel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te index e29310c3..c181e27c 100644 --- a/dauntless/hal_identity_citadel.te +++ b/dauntless/hal_identity_citadel.te 
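Review bot: `allow hal_nfc_default uwb_data_vendor:dir r_dir_perms;` and `allow hal_nfc_default uwb_data_vendor:file r_file_perms;` grant read access to everything labeled uwb_data_vendor, while the commit message describes a single factory calibration file; if other UWB state shares that label, the NFC HAL can read it too. Either confirm that uwb_data_vendor covers only the calibration data, or give the calibration file its own type so the grant matches the comment `# Access uwb cal for SecureRanging Applet`.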
@@ -4,6 +4,8 @@ type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type; vndbinder_use(hal_identity_citadel) binder_call(hal_identity_citadel, citadeld) allow hal_identity_citadel citadeld_service:service_manager find; +allow hal_identity_citadel hal_keymint_citadel:binder call; hal_server_domain(hal_identity_citadel, hal_identity) +hal_server_domain(hal_identity_citadel, hal_keymint) init_daemon_domain(hal_identity_citadel) From 4443c79bbb3c96fc675b55230751ae427912d1ba Mon Sep 17 00:00:00 2001 From: Alex Hong Date: Thu, 17 Feb 2022 14:29:35 +0800 Subject: [PATCH 375/900] Remove the sepolicy for tetheroffload service Test: m checkvintf run vts -m VtsHalTetheroffloadControlV1_0TargetTest Bug: 207076973 Bug: 214494717 Change-Id: I5ecec46512ff4e1ae6c52147cfa0179e5fc93420 Merged-In: I5ecec46512ff4e1ae6c52147cfa0179e5fc93420 --- whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_tetheroffload_default.te | 17 ----------------- 2 files changed, 18 deletions(-) delete mode 100644 whitechapel_pro/hal_tetheroffload_default.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4f0451e4..845d50c1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -36,7 +36,6 @@ /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 -/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/whitechapel_pro/hal_tetheroffload_default.te b/whitechapel_pro/hal_tetheroffload_default.te deleted file mode 100644 index 00ae3214..00000000 --- a/whitechapel_pro/hal_tetheroffload_default.te +++ /dev/null 
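Review bot: The denial quoted in the commit message is a `find` on hal_remotelyprovisionedcomponent_service, a client-side need, but the fix adds `hal_server_domain(hal_identity_citadel, hal_keymint)`, which makes the identity HAL a KeyMint server: it gains the hal_keymint_server attribute and everything granted to it, which typically includes registering the KeyMint services, far more than the one lookup. `hal_client_domain(hal_identity_citadel, hal_keymint)` should cover the find on the RemotelyProvisionedComponent service and the binder call to the KeyMint server that the hunk also adds by hand; if it does not, a direct `allow hal_identity_citadel hal_remotelyprovisionedcomponent_service:service_manager find;` is still narrower than the server macro. A comment citing the bug next to the added lines would also record why the identity HAL talks to KeyMint at all.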
@@ -1,17 +0,0 @@ -# associate netdomain to use for accessing internet sockets -net_domain(hal_tetheroffload_default) - -# Allow operations with TOE device -allow hal_tetheroffload_default vendor_toe_device:chr_file rw_file_perms; - -# Allow NETLINK and socket -allow hal_tetheroffload_default self:{ - netlink_socket - netlink_generic_socket - unix_dgram_socket -} create_socket_perms_no_ioctl; - -# Register to hwbinder service -add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice) -hwbinder_use(hal_tetheroffload_default) -get_prop(hal_tetheroffload_default, hwservicemanager_prop) From 4bbc6969e5edf5965126b5f6e499dd66703d158e Mon Sep 17 00:00:00 2001 From: Zachary Iqbal Date: Wed, 23 Feb 2022 15:57:30 -0800 Subject: [PATCH 376/900] Give gralloc access to the faceauth_heap_device. Notes: - This is required for face authentication. Fixes: 221098313 Test: Built locally. Change-Id: I6292c76c0809f091108ac73bef2d9e2db430a680 --- whitechapel_pro/hal_graphics_allocator_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/hal_graphics_allocator_default.te b/whitechapel_pro/hal_graphics_allocator_default.te index b55caabc..9791dae6 100644 --- a/whitechapel_pro/hal_graphics_allocator_default.te +++ b/whitechapel_pro/hal_graphics_allocator_default.te @@ -1,3 +1,4 @@ allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms; From 7cb9cc182b15d45f72d982a351e450474f0a9c09 Mon Sep 17 00:00:00 2001 
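Review bot: The new `faceauth_heap_device` line joins a list of heap device rules that has no comments, so nothing in the policy records that this heap exists for face authentication; only the commit message says so. A one-line comment above it, `# Face-authentication dma-buf heap`, would keep that rationale with the rule.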
From: SalmaxChang Date: Thu, 24 Feb 2022 14:40:38 +0800 Subject: [PATCH 377/900] Add missing vendor_logger_prop rule init : Do not have permissions to set 'persist.vendor.verbose_logging_enabled' to 'true' in property file '/vendor/build.prop': SELinux permission check failed Bug: 221173724 Bug: 221154649 Change-Id: Ic35e6f1d40f15efefead4530f8d320b72d7366e4 --- whitechapel_pro/hal_dumpstate_default.te | 1 + whitechapel_pro/vendor_init.te | 1 + 2 files changed, 2 insertions(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 442feb25..594442d6 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -85,6 +85,7 @@ get_prop(hal_dumpstate_default, vendor_gps_prop) set_prop(hal_dumpstate_default, vendor_modem_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) +set_prop(hal_dumpstate_default, vendor_logger_prop) userdebug_or_eng(` allow hal_dumpstate_default mnt_vendor_file:dir search; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index f9a11edf..f936f4e0 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -10,6 +10,7 @@ set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, logpersistd_logging_prop) +set_prop(vendor_init, vendor_logger_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file w_file_perms; From 775523d1eb5976c85c36c9d5632ff199686e48e6 Mon Sep 17 00:00:00 2001 
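Review bot: The failure in the commit message is vendor_init being unable to set `persist.vendor.verbose_logging_enabled` from /vendor/build.prop, which the vendor_init.te hunk fixes, but the hal_dumpstate_default.te hunk also adds `set_prop(hal_dumpstate_default, vendor_logger_prop)` with no explanation. If the dumpstate HAL only needs to read the logger properties, `get_prop(hal_dumpstate_default, vendor_logger_prop)` is the narrower rule; if it genuinely toggles verbose logging, a comment above the line saying so would stop the next reviewer from tightening it. Note that vendor_logger_prop also covers the `vendor.pixellogger.` and `persist.vendor.pixellogger.` prefixes, so the set access applies to those as well.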
From: Badhri Jagan Sridharan Date: Mon, 21 Feb 2022 20:34:39 -0800 Subject: [PATCH 378/900] android.hardware.usb.IUsb AIDL migration android.hardware.usb.IUsb is migrated to AIDL and runs in its own process. android.hardware.usb.gadget.IUsbGadget is now published in its own exclusive process (android.hardware.usb.gadget-service). Creating file_context and moving the selinux linux rules for IUsbGadget implementation. [ 37.177042] type=1400 audit(1645536157.528:3): avc: denied { wake_alarm } for comm="android.hardwar" capability=35 scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_usb_impl:s0 tclass=capability2 permissive=1 [ 37.177139] type=1400 audit(1645536157.528:4): avc: denied { block_suspend } for comm="android.hardwar" capability=36 scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_usb_impl:s0 tclass=capability2 permissive=1 [ 39.936357] type=1400 audit(1645536160.292:5): avc: denied { call } for comm="HwBinder:875_1" scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 [ 39.936403] type=1400 audit(1645536160.292:6): avc: denied { transfer } for comm="HwBinder:875_1" scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 ... 
[ 42.845054] type=1400 audit(1645550991.268:8): avc: denied { read } for comm="HwBinder:860_1" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 42.877781] type=1400 audit(1645550991.268:9): avc: denied { open } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 42.915532] type=1400 audit(1645550991.268:10): avc: denied { getattr } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 42.962130] type=1400 audit(1645550991.268:11): avc: denied { map } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 43.003097] type=1400 audit(1645550991.268:12): avc: denied { watch watch_reads } for comm="HwBinder:860_1" path="/dev/usb-ffs/adb" dev="functionfs" ino=40814 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 [ 43.024529] type=1400 audit(1645550991.268:13): avc: denied { write } for comm="HwBinder:860_1" name="property_service" dev="tmpfs" ino=376 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 [ 43.057605] type=1400 audit(1645550991.268:14): avc: denied { connectto } for comm="HwBinder:860_1" path="/dev/socket/property_service" scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 [ 43.084549] type=1107 audit(1645550991.268:15): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for 
property=vendor.usb.dwc3_irq pid=860 uid=0 gid=0 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=property_service permissive=1' Bug: 200993386 Change-Id: Ia8c24610244856490c8271433710afb57d3da157 --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/file_contexts | 3 ++- whitechapel_pro/genfs_contexts | 5 +++++ whitechapel_pro/hal_usb_gadget_impl.te | 10 ++++++++++ whitechapel_pro/hal_usb_impl.te | 14 ++++++++++++++ 5 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 whitechapel_pro/hal_usb_gadget_impl.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index e4248525..c242e448 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -102,3 +102,6 @@ type sysfs_sjtag, fs_type, sysfs_type; userdebug_or_eng(` typeattribute sysfs_sjtag mlstrustedobject; ') + +# USB-C throttling stats +type sysfs_usbc_throttling_stats, sysfs_type, fs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 845d50c1..ec661202 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -34,7 +34,8 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 -/vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 4b3b3ca2..b77832f3 100644 
--- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -215,3 +215,8 @@ genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_t # SJTAG genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 + +# USB-C throttling stats +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/whitechapel_pro/hal_usb_gadget_impl.te new file mode 100644 index 00000000..83dff037 --- /dev/null +++ b/whitechapel_pro/hal_usb_gadget_impl.te @@ -0,0 +1,10 @@ +type hal_usb_gadget_impl, domain; +hal_server_domain(hal_usb_gadget_impl, hal_usb) +hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) + +type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_gadget_impl) + +allow hal_usb_gadget_impl configfs:dir { create rmdir }; +allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; +set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te index 067baf3c..a5da3ce1 100644 --- a/whitechapel_pro/hal_usb_impl.te +++ b/whitechapel_pro/hal_usb_impl.te 
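Review bot: The new domain is declared a server of both HALs, `hal_server_domain(hal_usb_gadget_impl, hal_usb)` and `hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)`, yet the commit message says IUsb now runs in its own process (hal_usb_impl) and this binary serves only IUsbGadget; the hal_usb server attribute looks like a leftover from the combined service and grants the gadget process the IUsb server surface it no longer uses. Dropping the `hal_usb` line, if the gadget service does not also register IUsb, keeps the two processes' privileges as separate as the process split intends. The same pair of lines appears in the cherry-pick of this change (patch 382).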
@@ -10,3 +10,17 @@ allow hal_usb_impl functionfs:dir { watch watch_reads }; allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; + +# Needed for reporting Usb Overheat suez event through statsd +allow hal_usb_impl fwk_stats_service:service_manager find; +binder_call(hal_usb_impl, servicemanager) + +# Needed for monitoring usb port temperature +allow hal_usb_impl self:capability2 wake_alarm; +wakelock_use(hal_usb_impl); + +# For interfacing with ThermalHAL +hal_client_domain(hal_usb_impl, hal_thermal); + +# For reading the usb-c throttling stats +allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; From e44f3c867c19a4310bf6f30177a2f351bd60eccd Mon Sep 17 00:00:00 2001 
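Review bot: `wakelock_use(hal_usb_impl);` and `hal_client_domain(hal_usb_impl, hal_thermal);` end in semicolons while every other macro call in this hunk and in hal_usb_gadget_impl.te (`binder_call(hal_usb_impl, servicemanager)`, `init_daemon_domain(hal_usb_gadget_impl)`) does not; the trailing `;` is presumably accepted by the build since the change merged, but it is inconsistent and reads like a statement terminator. Dropping both semicolons keeps the file uniform. The comment `# Needed for reporting Usb Overheat suez event through statsd` sits above only a service_manager find on fwk_stats_service and a binder call to servicemanager; if the HAL also calls into the stats service itself, that binder rule is not in this hunk and may be missing.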
From: Jinting Lin Date: Thu, 24 Feb 2022 14:42:19 +0000 Subject: [PATCH 379/900] Fix avc denied for vendor silent logging app log: avc: denied { getattr } for comm="y.silentlogging" path="/data/user/0/com.samsung.slsi.telephony.silentlogging" dev="dm-42" ino=6793 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 avc: denied { search } for comm="y.silentlogging" name="com.samsung.slsi.telephony.silentlogging" dev="dm-42" ino=6793 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 denied { read } for comm="y.silentlogging" name="u:object_r:vendor_slog_prop:s0" dev="tmpfs" ino=338 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_slog_prop:s0 tclass=file permissive=0 avc: denied { search } for comm="y.silentlogging" name="slog" dev="dm-42" ino=314 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=0 avc: denied { read } for comm="y.silentlogging" name="u:object_r:default_prop:s0" dev="tmpfs" ino=150 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.oemservice::IOemService sid=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 pid=7322 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:hal_vendor_oem_hwservice:s0 tclass=hwservice_manager permissive=0 avc: denied { call } for comm="y.silentlogging" scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:r:dmd:s0 tclass=binder permissive=0 avc: denied { call } for comm="y.silentlogging" scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:r:sced:s0 tclass=binder 
permissive=0 avc: denied { read } for comm="getenforce" name="enforce" dev="selinuxfs" ino=4 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0 avc: denied { set } for property=persist.vendor.modem.logging.shannon_app pid=7279 uid=1000 gid=1000 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_modem_prop:s0 tclass=property_service permissive=0' avc: denied { call } for comm="HwBinder:1001_1" scontext=u:r:sced:s0 tcontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tclass=binder permissive=0 avc: denied { call } for scontext=u:r:dmd:s0 tcontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tclass=binder permissive=0 avc: denied { getattr } for comm="tlogging:remote" path="/data/user/0/com.samsung.slsi.telephony.silentlogging" dev="dm-42" ino=6793 scontext=u:r:vendor_silentlogging_remote_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 avc: denied { read } for name="slog" dev="dm-42" ino=314 scontext=u:r:vendor_silentlogging_remote_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=0 Test: flash TH build then run basic test of silent logging app Bug: 220847487 Change-Id: Ib5ac1e796e8e816d024cebc584b5699ab8ed1162 --- whitechapel_pro/dmd.te | 1 + whitechapel_pro/sced.te | 1 + .../vendor_silentlogging_remote_app.te | 9 +++++++++ .../vendor_telephony_silentlogging_app.te | 17 +++++++++++++++++ 4 files changed, 28 insertions(+) diff --git a/whitechapel_pro/dmd.te b/whitechapel_pro/dmd.te index 1cb17dc7..76177b50 100644 --- a/whitechapel_pro/dmd.te +++ b/whitechapel_pro/dmd.te @@ -29,3 +29,4 @@ allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find }; binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) +binder_call(dmd, vendor_telephony_silentlogging_app) 
diff --git a/whitechapel_pro/sced.te b/whitechapel_pro/sced.te index 07c5fa01..2b08973a 100644 --- a/whitechapel_pro/sced.te +++ b/whitechapel_pro/sced.te @@ -7,6 +7,7 @@ userdebug_or_eng(` hwbinder_use(sced) binder_call(sced, dmd) + binder_call(sced, vendor_telephony_silentlogging_app) get_prop(sced, hwservicemanager_prop) allow sced self:packet_socket create_socket_perms_no_ioctl; diff --git a/whitechapel_pro/vendor_silentlogging_remote_app.te b/whitechapel_pro/vendor_silentlogging_remote_app.te index 427f44d3..885fb6a7 100644 --- a/whitechapel_pro/vendor_silentlogging_remote_app.te +++ b/whitechapel_pro/vendor_silentlogging_remote_app.te @@ -1,4 +1,13 @@ type vendor_silentlogging_remote_app, domain; app_domain(vendor_silentlogging_remote_app) +allow vendor_silentlogging_remote_app vendor_slog_file:dir create_dir_perms; +allow vendor_silentlogging_remote_app vendor_slog_file:file create_file_perms; + allow vendor_silentlogging_remote_app app_api_service:service_manager find; + +userdebug_or_eng(` +# Silent Logging Remote +dontaudit vendor_silentlogging_remote_app system_app_data_file:dir create_dir_perms; +dontaudit vendor_silentlogging_remote_app system_app_data_file:file create_file_perms; +') diff --git a/whitechapel_pro/vendor_telephony_silentlogging_app.te b/whitechapel_pro/vendor_telephony_silentlogging_app.te index 53d1cb66..583f408f 100644 --- a/whitechapel_pro/vendor_telephony_silentlogging_app.te +++ b/whitechapel_pro/vendor_telephony_silentlogging_app.te 
@@ -1,4 +1,21 @@ type vendor_telephony_silentlogging_app, domain; app_domain(vendor_telephony_silentlogging_app) +set_prop(vendor_telephony_silentlogging_app, vendor_modem_prop) +set_prop(vendor_telephony_silentlogging_app, vendor_slog_prop) + +allow vendor_telephony_silentlogging_app vendor_slog_file:dir create_dir_perms; +allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms; + allow vendor_telephony_silentlogging_app app_api_service:service_manager find; +allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find; +binder_call(vendor_telephony_silentlogging_app, dmd) +binder_call(vendor_telephony_silentlogging_app, sced) + +userdebug_or_eng(` +# Silent Logging +dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir create_dir_perms; +dontaudit vendor_telephony_silentlogging_app system_app_data_file:file create_file_perms; +dontaudit vendor_telephony_silentlogging_app default_prop:file { getattr open read map }; +allow vendor_telephony_silentlogging_app selinuxfs:file { read open }; +') From 172271fdbc35bb63748a47bad56bdcfcdec4132e Mon Sep 17 00:00:00 2001 From: Yu-Chi Cheng Date: Fri, 25 Feb 2022 12:45:09 -0800 Subject: [PATCH 380/900] Allowed GCA to access EdgeTPU for P22 devices. This change includes the google_camera_app domain into the EdgeTPU selinux rules. With it the GCA is now able to access EdgeTPU. Bug: 221020793 Test: verified GCA to work on P22. Change-Id: I69010e2a8cca1429df402ae587b939d38e20a287 --- edgetpu/google_camera_app.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 edgetpu/google_camera_app.te diff --git a/edgetpu/google_camera_app.te b/edgetpu/google_camera_app.te new file mode 100644 index 00000000..a0ad7316 --- /dev/null +++ b/edgetpu/google_camera_app.te 
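Review bot: `set_prop(vendor_telephony_silentlogging_app, vendor_modem_prop)` lets an app domain write every property under vendor_modem_prop, although the denial in the commit message shows it setting only `persist.vendor.modem.logging.shannon_app`; the same type is set by vendor_init and hal_nfc_default elsewhere in this series, so it is a shared modem control surface rather than a logging knob. Giving the logging property its own property type and labeling it in property_contexts would let the app toggle logging without being able to change other modem properties. The `selinuxfs:file { read open }` and `default_prop` dontaudit lines are correctly fenced in `userdebug_or_eng`, but a comment saying they exist for the `getenforce` call seen in the log would explain them.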
@@ -0,0 +1,3 @@ +# Allows GCA to find and access the EdgeTPU. +allow google_camera_app edgetpu_app_service:service_manager find; +allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; From be9276466974f64b198701ea89b91b7e119de5be Mon Sep 17 00:00:00 2001 From: YiHo Cheng Date: Fri, 25 Feb 2022 22:38:02 +0800 Subject: [PATCH 381/900] thermal: Label tmu register dump sysfs Allow dumpstate to access tmu register dump sysfs [ 174.114566] type=1400 audit(1645790696.920:13): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_reg_dump_state" dev="sysfs" ino=65178 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 174.115092] type=1400 audit(1645790696.920:14): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_reg_dump_current_temp" dev="sysfs" in o=65179 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 174.115208] type=1400 audit(1645790696.920:15): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_top_reg_dump_rise_thres" dev="sysfs" ino=65180 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 174.115398] type=1400 audit(1645790696.920:16): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_top_reg_dump_fall_thres" dev="sysfs" ino=65182 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 174.115498] type=1400 audit(1645790696.920:17): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_sub_reg_dump_rise_thres" dev="sysfs" ino=65181 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 215040856 Test: check tmu register dump sysfs output in dumpstate Change-Id: Ica48e37344a69264d4b4367af7856ec20b566a9e --- whitechapel_pro/genfs_contexts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 890ac47c..07afc0c3 100644 
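Review bot: `allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };` gives an app domain unrestricted ioctl on the EdgeTPU device node, so every ioctl the driver implements becomes reachable from app code; the usual convention for app-reachable device nodes is to pair the ioctl permission with an `allowxperm google_camera_app edgetpu_device:chr_file ioctl { ... }` listing the specific commands the EdgeTPU client library issues. If such an allowlist already exists for the other EdgeTPU client domains in edgetpu/, the same one should apply here; if not, adding one would bound the driver surface exposed to the camera app.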
--- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -208,6 +208,13 @@ genfscon sysfs /devices/platform/100a0000.ISP u:obje genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 + # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 From fc08341bd6164ed4fcbdfce37f17622a713d093b Mon Sep 17 00:00:00 2001 
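Review bot: The six `/module/gs_thermal/parameters/tmu_*` nodes are labeled `sysfs_thermal`, but that type is not read-only in this policy: the hal_health_default hunk earlier in this series grants `sysfs_thermal:file w_file_perms`, so labeling module parameters with it also lets the health HAL, and any other domain with write on sysfs_thermal, write the TMU register-dump controls, while dumpstate only needs to read them. A dedicated sysfs type for the register-dump parameters, with `r_file_perms` for hal_dumpstate_default, would satisfy the denials without widening write access. A comment line such as `# TMU register dump (read by dumpstate)` above the new entries would document the intent.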
From: Badhri Jagan Sridharan Date: Mon, 21 Feb 2022 20:34:39 -0800 Subject: [PATCH 382/900] android.hardware.usb.IUsb AIDL migration Cherry-pick of <775523d1eb5976c85c36c9d5632ff199686e48e6> android.hardware.usb.IUsb is migrated to AIDL and runs in its own process. android.hardware.usb.gadget.IUsbGadget is now published in its own exclusive process (android.hardware.usb.gadget-service). Creating file_context and moving the selinux linux rules for IUsbGadget implementation. [ 37.177042] type=1400 audit(1645536157.528:3): avc: denied { wake_alarm } for comm="android.hardwar" capability=35 scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_usb_impl:s0 tclass=capability2 permissive=1 [ 37.177139] type=1400 audit(1645536157.528:4): avc: denied { block_suspend } for comm="android.hardwar" capability=36 scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_usb_impl:s0 tclass=capability2 permissive=1 [ 39.936357] type=1400 audit(1645536160.292:5): avc: denied { call } for comm="HwBinder:875_1" scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 [ 39.936403] type=1400 audit(1645536160.292:6): avc: denied { transfer } for comm="HwBinder:875_1" scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 ... 
[ 42.845054] type=1400 audit(1645550991.268:8): avc: denied { read } for comm="HwBinder:860_1" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 42.877781] type=1400 audit(1645550991.268:9): avc: denied { open } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 42.915532] type=1400 audit(1645550991.268:10): avc: denied { getattr } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 42.962130] type=1400 audit(1645550991.268:11): avc: denied { map } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 [ 43.003097] type=1400 audit(1645550991.268:12): avc: denied { watch watch_reads } for comm="HwBinder:860_1" path="/dev/usb-ffs/adb" dev="functionfs" ino=40814 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 [ 43.024529] type=1400 audit(1645550991.268:13): avc: denied { write } for comm="HwBinder:860_1" name="property_service" dev="tmpfs" ino=376 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 [ 43.057605] type=1400 audit(1645550991.268:14): avc: denied { connectto } for comm="HwBinder:860_1" path="/dev/socket/property_service" scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 [ 43.084549] type=1107 audit(1645550991.268:15): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for 
property=vendor.usb.dwc3_irq pid=860 uid=0 gid=0 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=property_service permissive=1' Bug: 200993386 Change-Id: Ia8c24610244856490c8271433710afb57d3da157 Merged-In: Ia8c24610244856490c8271433710afb57d3da157 --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/file_contexts | 3 ++- whitechapel_pro/genfs_contexts | 5 +++++ whitechapel_pro/hal_usb_gadget_impl.te | 10 ++++++++++ whitechapel_pro/hal_usb_impl.te | 14 ++++++++++++++ 5 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 whitechapel_pro/hal_usb_gadget_impl.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 971e4657..c6c274f3 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -91,3 +91,6 @@ type sysfs_st33spi, sysfs_type, fs_type; # GPU type sysfs_gpu, sysfs_type, fs_type; + +# USB-C throttling stats +type sysfs_usbc_throttling_stats, sysfs_type, fs_type; \ No newline at end of file diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 845d50c1..ec661202 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -34,7 +34,8 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 -/vendor/bin/hw/android\.hardware\.usb@1\.3-service\.gs201 u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 
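Review bot: The new `type sysfs_usbc_throttling_stats, sysfs_type, fs_type;` in the file.te hunk is appended without a terminating newline (`\ No newline at end of file`), so the next type added to this file will show up as a modification of this line rather than a clean one-line addition. Ending the file with a newline keeps later diffs minimal. The file_contexts hunk in the same patch, which swaps the HIDL `usb@1.3-service.gs201` entry for the two AIDL binaries, looks consistent with the description.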
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 07afc0c3..d16b9954 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -218,3 +218,8 @@ genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:obj # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 + +# USB-C throttling stats +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/whitechapel_pro/hal_usb_gadget_impl.te new file mode 100644 index 00000000..83dff037 --- /dev/null +++ b/whitechapel_pro/hal_usb_gadget_impl.te @@ -0,0 +1,10 @@ +type hal_usb_gadget_impl, domain; +hal_server_domain(hal_usb_gadget_impl, hal_usb) +hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) + +type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_gadget_impl) + +allow hal_usb_gadget_impl configfs:dir { create rmdir }; +allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; +set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te index 067baf3c..a5da3ce1 100644 --- a/whitechapel_pro/hal_usb_impl.te +++ b/whitechapel_pro/hal_usb_impl.te 
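Review bot: `hal_server_domain(hal_usb_gadget_impl, hal_usb)` gives the gadget process the full hal_usb server attribute, although the description says IUsb now runs in its own process (hal_usb_impl) and this one only publishes IUsbGadget. If the gadget service does not also register IUsb, that line appears to grant more than the process needs and `hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)` alone should suffice; if the hal_usb attribute is required for rules the gadget implementation inherits, a one-line comment above it saying so would save the next reader the same question. The listed denials for hal_usb_gadget_impl (property read/set, functionfs watch) are covered by the remaining rules as far as visible.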
@@ -10,3 +10,17 @@ allow hal_usb_impl functionfs:dir { watch watch_reads }; allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; + +# Needed for reporting Usb Overheat suez event through statsd +allow hal_usb_impl fwk_stats_service:service_manager find; +binder_call(hal_usb_impl, servicemanager) + +# Needed for monitoring usb port temperature +allow hal_usb_impl self:capability2 wake_alarm; +wakelock_use(hal_usb_impl); + +# For interfacing with ThermalHAL +hal_client_domain(hal_usb_impl, hal_thermal); + +# For reading the usb-c throttling stats +allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; From b7790aa7a8decc97eb72ec4613342bb2c69813b5 Mon Sep 17 00:00:00 2001 From: Tommy Chiu Date: Tue, 1 Mar 2022 11:52:56 +0800 Subject: [PATCH 383/900] RKP: Add IRemotelyProvisionedComponent service Bug: 212643050 Bug: 221503025 Change-Id: I7932ba96d0d7dd603d360cd7319997a7c108500a --- dauntless/service_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/dauntless/service_contexts b/dauntless/service_contexts index 5639b588..ac6a1867 100644 --- a/dauntless/service_contexts +++ b/dauntless/service_contexts @@ -1,2 +1,3 @@ android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0 android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0 +android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox u:object_r:hal_remotelyprovisionedcomponent_service:s0 From a1f0d2aa9a69b09a022c1aafbf9d3a5d9e95ed8a Mon Sep 17 00:00:00 2001 
From: Roshan Pius Date: Tue, 1 Mar 2022 07:27:43 -0800 Subject: [PATCH 384/900] gs-sepolicy: Fix legacy UWB stack sepolicy rules This rule was present on previous devices. Denial logs: 02-24 09:22:08.214 427 427 E SELinux : avc: denied { find } for pid=1479 uid=1000 name=uwb_vendor scontext=u:r:system_server:s0 tcontext=u:object_r:uwb_vendor_service:s0 tclass=service_manager permissive=0 Bug: 221292100 Test: Compiles Change-Id: I6de4000a9cebf46a0d94032aade7b2d40b94ca16 --- whitechapel_pro/system_server.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/whitechapel_pro/system_server.te b/whitechapel_pro/system_server.te index 0e0a159b..6e797f55 100644 --- a/whitechapel_pro/system_server.te +++ b/whitechapel_pro/system_server.te @@ -1 +1,7 @@ binder_call(system_server, hal_camera_default); + +# Allow system server to find vendor uwb service. In the legacy +# UWB stack, system_server talks directly to the vendor stack. +# TODO(b/186585880): This will be obsoleted when the new UCI stack for +# UWB lands. +allow system_server uwb_vendor_service:service_manager find; From b1c5fcff3d6f79249f74523ae7c2694dec0746fe Mon Sep 17 00:00:00 2001 From: sukiliu Date: Fri, 25 Feb 2022 18:14:29 +0800 Subject: [PATCH 385/900] update error on ROM 8223177 Bug: 221384981 Bug: 221384939 Bug: 221384996 Bug: 221384768 Bug: 221384770 Bug: 221384860 Test: PtsSELinuxTestCases Change-Id: I50916dca7548bce0e77d90a36ad8f9ba1ca7c711 --- tracking_denials/dumpstate.te | 4 ++++ tracking_denials/hal_dumpstate_default.te | 2 ++ tracking_denials/hal_power_default.te | 2 ++ tracking_denials/init.te | 2 ++ tracking_denials/vendor_init.te | 2 ++ tracking_denials/vendor_telephony_silentlogging_app.te | 3 +++ 6 files changed, 15 insertions(+) create mode 100644 tracking_denials/dumpstate.te create mode 100644 tracking_denials/hal_dumpstate_default.te create mode 100644 tracking_denials/init.te create mode 100644 tracking_denials/vendor_telephony_silentlogging_app.te 
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te new file mode 100644 index 00000000..1b424e58 --- /dev/null +++ b/tracking_denials/dumpstate.te @@ -0,0 +1,4 @@ +# b/221384768 +dontaudit dumpstate app_zygote:process { signal }; +dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; +dontaudit dumpstate sysfs:file { read }; diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te new file mode 100644 index 00000000..dac6fba0 --- /dev/null +++ b/tracking_denials/hal_dumpstate_default.te @@ -0,0 +1,2 @@ +# b/221384770 +dontaudit hal_dumpstate_default vendor_camera_debug_prop:file { read }; diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te index a426fa0d..731d4baa 100644 --- a/tracking_denials/hal_power_default.te +++ b/tracking_denials/hal_power_default.te @@ -1,2 +1,4 @@ # b/208909174 dontaudit hal_power_default hal_power_default:capability { dac_read_search }; +# b/221384860 +dontaudit hal_power_default hal_power_default:capability { dac_override }; diff --git a/tracking_denials/init.te b/tracking_denials/init.te new file mode 100644 index 00000000..2dac3b47 --- /dev/null +++ b/tracking_denials/init.te @@ -0,0 +1,2 @@ +# b/221384981 +dontaudit init overlayfs_file:file { rename }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index ea8ff1e4..462f3986 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,2 +1,4 @@ # b/205656950 dontaudit vendor_init thermal_link_device:file { create }; +# b/221384939 +dontaudit vendor_init vendor_battery_defender_prop:property_service { set }; diff --git a/tracking_denials/vendor_telephony_silentlogging_app.te b/tracking_denials/vendor_telephony_silentlogging_app.te new file mode 100644 index 00000000..a74e3e3a --- /dev/null +++ b/tracking_denials/vendor_telephony_silentlogging_app.te 
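Review bot: `dontaudit hal_power_default hal_power_default:capability { dac_override };` in the hal_power_default.te hunk silences a denial that usually indicates the HAL is opening a file it does not own, not one it legitimately needs CAP_DAC_OVERRIDE for; the durable fix is to correct the owner or mode of that node and then drop the dontaudit, and a comment naming the path that triggered it would help whoever closes b/221384860. The same concern applies to `dontaudit dumpstate sysfs:file { read };` in the dumpstate.te hunk, which hides reads on the generic `sysfs` label and so masks a node that should instead receive its own genfscon label. Both are tracking entries by design, so the request is for a comment per rule recording the offending path, not a change to the rules themselves.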
@@ -0,0 +1,3 @@ +# b/221384996 +dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { getattr }; +dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { search }; From 94d7f6cce6e8a19dd23966cefc603b4bbc689216 Mon Sep 17 00:00:00 2001 From: Jinting Lin Date: Tue, 1 Mar 2022 12:00:15 +0000 Subject: [PATCH 386/900] Fix avc denied for slsi engineermode app log: avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:platform_app:s0:c512,c768 pid=5111 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0 avc: denied { call } for comm="si.engineermode" scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=0 app=com.samsung.slsi.engineermode avc: denied { call } for comm="HwBinder:1016_1" scontext=u:r:rild:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=binder permissive=0 avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=154 scontext=u:r:vendor_engineermode_app:s0:c225,c256,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.samsung.slsi.engineermode Test: side load the trail build sepolicy, then check the app Bug: 221482792 Change-Id: I84768ed128a2b8c57d6a3e0a0f0aa8c4d4b91857 --- whitechapel_pro/rild.te | 1 + whitechapel_pro/seapp_contexts | 3 +++ whitechapel_pro/vendor_engineermode_app.te | 12 ++++++++++++ 3 files changed, 16 insertions(+) create mode 100644 whitechapel_pro/vendor_engineermode_app.te diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 89ed610d..d8c8c290 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te 
@@ -25,6 +25,7 @@ binder_call(rild, vendor_rcs_app) binder_call(rild, oemrilservice_app) binder_call(rild, hal_secure_element_uicc) binder_call(rild, grilservice_app) +binder_call(rild, vendor_engineermode_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 81577b60..88789fc7 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -14,6 +14,9 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=ve user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_network_test_app levelFrom=all +# Samsung S.LSI engineer mode +user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all + # Hardware Info Collection user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user diff --git a/whitechapel_pro/vendor_engineermode_app.te b/whitechapel_pro/vendor_engineermode_app.te new file mode 100644 index 00000000..d35403a2 --- /dev/null +++ b/whitechapel_pro/vendor_engineermode_app.te @@ -0,0 +1,12 @@ +type vendor_engineermode_app, domain; +app_domain(vendor_engineermode_app) + +binder_call(vendor_engineermode_app, rild) + +allow vendor_engineermode_app app_api_service:service_manager find; +allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find; + +userdebug_or_eng(` + dontaudit vendor_engineermode_app default_prop:file r_file_perms; +') + From 2d43200489e87745566895c6ed72bbc9c4fdcbd7 Mon Sep 17 00:00:00 2001 From: Siddharth Kapoor Date: Wed, 2 Mar 2022 17:03:34 +0800 Subject: [PATCH 387/900] Add libgpudataproducer as sphal Bug: 222042714 Test: CtsGpuProfilingDataTestCases passes on User build 
Signed-off-by: Siddharth Kapoor Change-Id: I1997f3e66327486f15b1aa742aa8e82855b07e05 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index ec661202..b30cee19 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -60,6 +60,7 @@ # Graphics /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 # Vendor kernel modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 From 129ef29bc8f2c3524de13a9b2e9d8e22d5da4d77 Mon Sep 17 00:00:00 2001 From: Robert Lee Date: Wed, 2 Mar 2022 14:45:47 +0800 Subject: [PATCH 388/900] Fix selinux error for aocd allow write permission to fix following error auditd : type=1400 audit(0.0:4): avc: denied { write } for comm="aocd" name="aoc" dev="tmpfs" ino=497 scontext=u:r:aocd:s0 tcontext=u:object_r:aoc_device:s0 tclass=chr_file permissive=0 Bug: 198490099 Test: no avc deny when enable no_ap_restart Change-Id: I06dc99f1a5859589b33f89ce435745d15e2e5749 Signed-off-by: Robert Lee --- aoc/aocd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aoc/aocd.te b/aoc/aocd.te index 79add165..69b0af0d 100644 --- a/aoc/aocd.te +++ b/aoc/aocd.te @@ -12,7 +12,7 @@ allow aocd sysfs_aoc:dir search; allow aocd sysfs_aoc_firmware:file w_file_perms; # dev operations -allow aocd aoc_device:chr_file r_file_perms; +allow aocd aoc_device:chr_file rw_file_perms; # allow inotify to watch for additions/removals from /dev allow aocd device:dir r_dir_perms; From e95f5edafeff8816f386eb7ac83ecbc4a8c61b2b Mon Sep 17 00:00:00 2001 
From: Nishok Kumar S Date: Thu, 24 Feb 2022 17:20:52 +0000 Subject: [PATCH 389/900] Allow camera HAL and GCA to access Aurora GXP device. The camera HAL and Google Camera App need selinux permission to run workloads on Aurora DSP. This change adds the selinux rules too allow these clients to access the GXP device and load firmware onto DSP cores in order to execute workloads on DSP. Bug: 220086991 Test: Verified that the camera HAL service and GCA app is able to access the GXP device and load GXP firmware. Change-Id: I1bd327cfbe5b37c88154acda54bf6c396e939289 --- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 3 +++ whitechapel_pro/google_camera_app.te | 6 ++++++ whitechapel_pro/hal_camera_default.te | 3 +++ 4 files changed, 13 insertions(+) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index a5fc57c6..d327aa60 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -12,6 +12,7 @@ type lwis_device, dev_type; type logbuffer_device, dev_type; type rls_device, dev_type; type fingerprint_device, dev_type; +type gxp_device, dev_type, mlstrustedobject; type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index b30cee19..5ad46436 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -43,6 +43,7 @@ # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 /vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0 +/vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0 # Vendor libraries /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 
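Review bot: `/vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0` in the file_contexts hunk labels DSP firmware images with the type reserved for same-process HAL libraries, which every app domain may read, instead of the `vendor_fw_file` label the enclosing `/vendor/firmware(/.*)?` entry applies. If only google_camera_app and hal_camera_default need the image, a dedicated firmware type granted `r_file_perms` to those two domains keeps it out of reach of other apps, and the `vendor_fw_file:dir search` rule already added for the app would make that slot in without further directory rules. If the firmware is in fact read by a same-process library mapped into arbitrary client processes, a comment above the entry saying so would justify the broad label.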
@@ -56,6 +57,7 @@ /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 # Graphics /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0 @@ -133,6 +135,7 @@ /dev/dri/card0 u:object_r:graphics_device:s0 /dev/fimg2d u:object_r:graphics_device:s0 /dev/g2d u:object_r:graphics_device:s0 +/dev/gxp u:object_r:gxp_device:s0 /dev/dit2 u:object_r:vendor_toe_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /dev/sg1 u:object_r:sg_device:s0 diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te index 43ea14e3..ad097810 100644 --- a/whitechapel_pro/google_camera_app.te +++ b/whitechapel_pro/google_camera_app.te @@ -7,3 +7,9 @@ allow google_camera_app cameraserver_service:service_manager find; allow google_camera_app mediaextractor_service:service_manager find; allow google_camera_app mediametrics_service:service_manager find; allow google_camera_app mediaserver_service:service_manager find; + +# Allows camera app to access the GXP device. +allow google_camera_app gxp_device:chr_file rw_file_perms; + +# Allows camera app to search for GXP firmware file. +allow google_camera_app vendor_fw_file:dir search; diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index f604875f..779157ca 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te 
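Review bot: `allow google_camera_app gxp_device:chr_file rw_file_perms;` in the google_camera_app.te hunk hands an app domain direct read/write/ioctl access to the DSP device node, and the device.te hunk marks `gxp_device` as `mlstrustedobject` so the app's MLS categories no longer constrain it. Since the camera HAL receives the same access in the hal_camera_default.te hunk, a comment should record why the app cannot reach the DSP through the HAL and what ioctl surface `/dev/gxp` exposes; if the app only needs a subset of ioctls, an `allowxperm` ioctl allowlist on the node would bound that surface. The rule is presumably what the userspace library in `/vendor/lib(64)?/libgxp\.so` requires, so treat this as a documentation request unless the ioctl set is known.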
@@ -24,6 +24,9 @@ allow hal_camera_default sysfs_edgetpu:file r_file_perms; allow hal_camera_default edgetpu_vendor_service:service_manager find; binder_call(hal_camera_default, edgetpu_vendor_server) +# Allow the camera hal to access the GXP device. +allow hal_camera_default gxp_device:chr_file rw_file_perms; + # Allow access to data files used by the camera HAL allow hal_camera_default mnt_vendor_file:dir search; allow hal_camera_default persist_file:dir search; From b3a10db9d6dd7c3392ebd1bab3b6ffcf889542e7 Mon Sep 17 00:00:00 2001 From: Devin Moore Date: Tue, 1 Mar 2022 18:15:33 +0000 Subject: [PATCH 390/900] Add the init_boot partition sepolicy Tagging the partition as a boot_block_device so everything that had permission to read/write to the boot partition now also has permissions for this new init_boot partition. This is required for update_engine to be able to write to init_boot on builds that are enforcing sepolicy. Bug: 222052598 Test: adb shell setenforce 1 && update_device.py ota.zip Change-Id: Ic991fa314c8a6fdb848199a626852a68a57d1df5 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 5ad46436..f86fa5f1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -159,6 +159,7 @@ /dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 
From 990294708f848e4f8673a5ae07c54822e3309571 Mon Sep 17 00:00:00 2001 From: Robb Glasser Date: Tue, 1 Mar 2022 18:20:04 -0800 Subject: [PATCH 391/900] Add hal_graphics_composer_default to sensors sepolicy. Bug: 221396170 Test: No avc denial. Change-Id: I23299524dec50d8c589c6acc9da8b3c8c3399f97 --- whitechapel_pro/hal_sensors_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index a29bb730..69190603 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te @@ -48,3 +48,6 @@ allow hal_sensors_default hal_pixel_display_service:service_manager find; # Allow display_info_service access to the backlight driver. allow hal_sensors_default sysfs_leds:dir search; allow hal_sensors_default sysfs_leds:file r_file_perms; + +# Allow sensor HAL to access the graphics composer. +binder_call(hal_sensors_default, hal_graphics_composer_default); From ac44b340d35296831f1ab482f24130f5ef525384 Mon Sep 17 00:00:00 2001 From: Devin Moore Date: Tue, 1 Mar 2022 18:15:33 +0000 Subject: [PATCH 392/900] Add the init_boot partition sepolicy Tagging the partition as a boot_block_device so everything that had permission to read/write to the boot partition now also has permissions for this new init_boot partition. This is required for update_engine to be able to write to init_boot on builds that are enforcing sepolicy. Bug: 222052598 Test: adb shell setenforce 1 && update_device.py ota.zip Merged-In: Ic991fa314c8a6fdb848199a626852a68a57d1df5 Change-Id: Ic991fa314c8a6fdb848199a626852a68a57d1df5 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 5ad46436..f86fa5f1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -159,6 +159,7 @@ /dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 From e2395610618e17fe98014e46198e23848771cb7c Mon Sep 17 00:00:00 2001 From: Ruofei Ma Date: Thu, 3 Mar 2022 04:51:39 +0000 Subject: [PATCH 393/900] Allow mediacodec_google to access secure dma heap The change is for following error: HwBinder:867_1: type=1400 audit(0.0:9): avc: denied { read } for name="vframe-secure" dev="tmpfs" ino=425 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=0 Bug:221500257 Change-Id: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009 --- whitechapel_pro/mediacodec_google.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te index c750ea75..21aea333 100644 --- a/whitechapel_pro/mediacodec_google.te +++ b/whitechapel_pro/mediacodec_google.te @@ -14,6 +14,7 @@ hal_client_domain(mediacodec_google, hal_codec2) hal_client_domain(mediacodec_google, hal_graphics_allocator) allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; +allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms; allow mediacodec_google video_device:chr_file rw_file_perms; crash_dump_fallback(mediacodec_google) From c3612c709770437ee4202276f4d6013699aa2582 Mon Sep 17 00:00:00 2001 
From: Jinting Lin Date: Thu, 3 Mar 2022 17:53:16 +0000 Subject: [PATCH 394/900] Allow modem diagnostic app to access default prop log: avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=154 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.google.mds Bug: 222509956 Change-Id: I50302b38f074e3f1a078ee48896154353e0937b6 --- whitechapel_pro/modem_diagnostic_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te index 9fa772b4..8c4a0cac 100644 --- a/whitechapel_pro/modem_diagnostic_app.te +++ b/whitechapel_pro/modem_diagnostic_app.te @@ -32,4 +32,6 @@ userdebug_or_eng(` allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms; allow modem_diagnostic_app sysfs_batteryinfo:dir search; + + dontaudit modem_diagnostic_app default_prop:file r_file_perms; ') From 450f61d51b6c25724d362cc78c015cc737e18f1f Mon Sep 17 00:00:00 2001 From: Jack Yu Date: Thu, 3 Mar 2022 21:36:28 +0800 Subject: [PATCH 395/900] Allow platform_app to access Nfc service Fix selinux denial below. avc: denied { find } for pid=11183 uid=10224 name=nfc scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:nfc_service:s0 tclass=service_manager permissive=0 Bug: 222387662 Test: build pass Change-Id: If97d8141acab23b4e13ea65ce28589195ef7ad9e --- whitechapel_pro/platform_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te index 0cf0ae46..7b16577d 100644 --- a/whitechapel_pro/platform_app.te +++ b/whitechapel_pro/platform_app.te @@ -1,5 +1,6 @@ allow platform_app hal_pixel_display_service:service_manager find; allow platform_app hal_wlc_hwservice:hwservice_manager find; +allow platform_app nfc_service:service_manager find; allow platform_app sysfs_vendor_sched:dir r_dir_perms; allow platform_app sysfs_vendor_sched:file w_file_perms; 
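Review bot: The subject says "Allow modem diagnostic app to access default prop", but the added line is `dontaudit modem_diagnostic_app default_prop:file r_file_perms;` inside the `userdebug_or_eng` block, which only suppresses the log on debug builds and grants nothing. If the app genuinely needs the property, the property should be moved out of the catch-all `default_prop` into a labelled vendor property and granted with `get_prop`; if the read is incidental and may fail, the subject should say the denial is silenced rather than allowed. The enclosing `userdebug_or_eng(` block starts outside the hunk.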
From 1616b974658b5ec57f90cb4cd1be3860d0f8b5ea Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 4 Mar 2022 10:32:34 +0800 Subject: [PATCH 396/900] grant bugreport access to camera debug system property Bug: 221384770 Test: do bugreport without seeing relevant error Change-Id: Ie27ac5f2c6e13ec31ccec2adb11762dacab1fbdf --- tracking_denials/hal_dumpstate_default.te | 2 -- whitechapel_pro/hal_dumpstate_default.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/hal_dumpstate_default.te diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te deleted file mode 100644 index dac6fba0..00000000 --- a/tracking_denials/hal_dumpstate_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/221384770 -dontaudit hal_dumpstate_default vendor_camera_debug_prop:file { read }; diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 594442d6..c9fd1ac0 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -79,6 +79,7 @@ allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms; allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; +get_prop(hal_dumpstate_default, vendor_camera_debug_prop); get_prop(hal_dumpstate_default, boottime_public_prop) get_prop(hal_dumpstate_default, vendor_camera_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) From 801b87fe71f2e98d80e826241069cc749dcee099 Mon Sep 17 00:00:00 2001 
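Review bot: `get_prop(hal_dumpstate_default, vendor_camera_debug_prop);` carries a trailing semicolon and is inserted ahead of `boottime_public_prop`, while the neighbouring `get_prop` lines have no semicolon and are kept in alphabetical order. Writing it as `get_prop(hal_dumpstate_default, vendor_camera_debug_prop)` and placing it between `boottime_public_prop` and `vendor_camera_prop` keeps the block consistent. Deleting tracking_denials/hal_dumpstate_default.te in the same patch is the right follow-up to the dontaudit added in patch 385.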
From: millerliang Date: Wed, 2 Mar 2022 11:33:37 +0800 Subject: [PATCH 397/900] Fix AAudio avc denied I auditd : type=1400 audit(0.0:35): avc: denied { map } for comm="binder:896_4" path="/dev/snd/pcmC0D0p" dev="tmpfs" ino=1138 scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_device:s0 tclass=chr_file permissive=0 E SELinux : avc: denied { find } for pid=887 uid=1041 name=audio scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=0 Bug: 222191260 Test: Flash TH ROM and test it by the following command Test: test_steal_exclusive -c0 Signed-off-by: millerliang Change-Id: I8ea6741f3682b568de089d040d511b68938374ab --- whitechapel_pro/audioserver.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 whitechapel_pro/audioserver.te diff --git a/whitechapel_pro/audioserver.te b/whitechapel_pro/audioserver.te new file mode 100644 index 00000000..c7d69097 --- /dev/null +++ b/whitechapel_pro/audioserver.te @@ -0,0 +1,3 @@ +# allow access to ALSA MMAP FDs for AAudio API +allow audioserver audio_device:chr_file r_file_perms; +allow audioserver audio_service:service_manager find; From bef935f43d741e09e39e1b8b32744fba0eaa2f66 Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Sun, 20 Feb 2022 17:43:36 +0800 Subject: [PATCH 398/900] Allow composer to read panel_idle_handle_exit sysfs node Change panel_idle_exit_handle selinux type to sysfs_display to allow composer to access it. Bug: 202182467 Test: ls -Z to check selinux type Test: composer can access it in enforce mode Change-Id: I5e6c5036a946417c782f1389f4423cce69c4df77 --- whitechapel_pro/genfs_contexts | 35 +++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index d16b9954..74baef98 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
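Review bot: The new vendor-side audioserver.te adds rules between platform types only (`audioserver` to `audio_device` and `audio_service`), extending a core domain from device policy rather than through a vendor type or the audio HAL. If these rules are genuinely required for AAudio MMAP they presumably belong in system/sepolicy where `audioserver` is defined, and the Treble policy tests may object to a core-domain rule contributed from the vendor tree, so confirm against the build's sepolicy tests before relying on it. At minimum the comment should state why audioserver maps `/dev/snd/pcm*` directly instead of via the audio HAL and why the `audio_service` find is needed.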
@@ -89,28 +89,29 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo
 genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
 # Display
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
-genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
 # mediacodec_samsung
From 9ba4c9120deed8bdd14f336a94e0dee63e7adbee Mon Sep 17 00:00:00 2001
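Review bot: Seventeen of the eighteen added lines in this hunk appear identical in content to the lines they replace (any difference can only be whitespace), so the one functional change — the new `panel_need_handle_idle_exit` entry — is buried in what looks like a column realignment. Splitting the realignment into its own change, or dropping it, would make the labeling change reviewable on its own. The node name in the rule (`panel_need_handle_idle_exit`) also differs from both spellings in the commit message (`panel_idle_handle_exit` in the subject, `panel_idle_exit_handle` in the body); the rule is what takes effect, so the message should name the same node. Note that the `sysfs_display` label makes the node reachable by every domain allowed on `sysfs_display`, not only the composer.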
From: Adam Shih Date: Fri, 4 Mar 2022 13:49:14 +0800 Subject: [PATCH 399/900] remove obsolete code after SELinux is enforced Bug: 207720645 Bug: 208527900 Bug: 208721673 Bug: 205072922 Test: boot with no relevant errors Change-Id: I68931cc24c55beea52c246a06f268ea2be7d1ecf --- tracking_denials/flags_health_check.te | 2 -- tracking_denials/gmscore_app.te | 3 --- tracking_denials/incidentd.te | 2 -- tracking_denials/shell.te | 2 -- 4 files changed, 9 deletions(-) delete mode 100644 tracking_denials/flags_health_check.te delete mode 100644 tracking_denials/gmscore_app.te delete mode 100644 tracking_denials/incidentd.te delete mode 100644 tracking_denials/shell.te diff --git a/tracking_denials/flags_health_check.te b/tracking_denials/flags_health_check.te deleted file mode 100644 index 60c3e829..00000000 --- a/tracking_denials/flags_health_check.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/207720645 -dontaudit flags_health_check property_type:file *; diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te deleted file mode 100644 index 356e8f73..00000000 --- a/tracking_denials/gmscore_app.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/208527900 -dontaudit gmscore_app modem_img_file:filesystem { getattr }; -dontaudit gmscore_app property_type:file *; diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te deleted file mode 100644 index c7dca6ee..00000000 --- a/tracking_denials/incidentd.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/208721673 -dontaudit incidentd property_type:file *; diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te deleted file mode 100644 index bbe104e9..00000000 --- a/tracking_denials/shell.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/205072922 -dontaudit shell property_type:file *; From 9fe6aa97af4d094b1b00b21952857bc20cfd7ba2 Mon Sep 17 00:00:00 2001 
From: Tri Vo Date: Thu, 3 Mar 2022 13:15:59 -0800 Subject: [PATCH 400/900] Don't audit storageproxyd unlabeled access Test: m sepolicy Bug: 197502330 Change-Id: Ibe7292dc659dd454d3c842f6c48d2d90bc77117d --- whitechapel_pro/tee.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index f93bf59e..58228b5a 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te @@ -11,3 +11,7 @@ allow tee sg_device:chr_file rw_file_perms; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) + +# storageproxyd starts before /data is mounted. It handles /data not being there +# gracefully. However, attempts to access /data trigger a denial. +dontaudit tee unlabeled:dir { search }; From 94995cd0d344b503b1d4a6b2ab646e0943bc56aa Mon Sep 17 00:00:00 2001 From: Tommy Chiu Date: Fri, 4 Mar 2022 16:50:01 +0800 Subject: [PATCH 401/900] sepolicy: add permissions to let recovery wipe citadel This gives recovery the ability to remove user data from citadel in the same manner as issuing a `fastboot -w` does. This doesn't allow for resetting FRP data, just user data. audit: type=1400 audit(1646379959.016:9): avc: denied { getattr } for pid=348 comm="recovery" path="/dev/gsc0" dev="tmpfs" ino=754 scontext=u:r:recovery:s0 tcontext=u:object_r:citadel_device:s0 tclass=chr_file permissive=0 Bug: 222005928 Change-Id: Ia6113999aecacbbbb31d7a8659a45c0e5a0db2c9 --- whitechapel_pro/recovery.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/recovery.te b/whitechapel_pro/recovery.te index 6eb97aa3..bfa3c7dc 100644 --- a/whitechapel_pro/recovery.te +++ b/whitechapel_pro/recovery.te @@ -1,3 +1,4 @@ recovery_only(` allow recovery sysfs_ota:file rw_file_perms; + allow recovery citadel_device:chr_file rw_file_perms; ') From 455c3c165348fa9ea65c65b004d4dda1426d04be Mon Sep 17 00:00:00 2001 
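Review bot: `dontaudit tee unlabeled:dir { search };` silences search denials on every `unlabeled` directory, not only the pre-mount `/data` case the comment describes, so a future labeling regression that leaves some other directory unlabeled would be invisible for this domain. That is acceptable for a documented workaround, but the comment should say it is domain-wide and cite the tracking bug so it can be revisited, e.g. extend the last comment line to `# gracefully. However, attempts to access /data trigger a denial (b/197502330).`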
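Review bot: `allow recovery citadel_device:chr_file rw_file_perms;` is added without a comment, while the justification (wiping citadel user data the way `fastboot -w` does, without touching FRP) lives only in the commit message. A comment such as `# Allow recovery to wipe citadel user data, as fastboot -w does (b/222005928)` above the rule keeps that rationale in the policy; the same applies to the identical `fastbootd` rule in PATCH 414 (`whitechapel_pro/fastbootd.te`). The denial quoted in the message is only `getattr`, so it would also help to state that read/write on the device node is what the wipe actually needs.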
From: Ray Chi Date: Tue, 1 Mar 2022 21:54:40 +0800 Subject: [PATCH 402/900] Allow hal_usb_gadget_impl to access proc_irq Bug: 220996010 Test: build pass Change-Id: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891 --- whitechapel_pro/hal_usb_gadget_impl.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/whitechapel_pro/hal_usb_gadget_impl.te index 83dff037..30041467 100644 --- a/whitechapel_pro/hal_usb_gadget_impl.te +++ b/whitechapel_pro/hal_usb_gadget_impl.te @@ -8,3 +8,10 @@ init_daemon_domain(hal_usb_gadget_impl) allow hal_usb_gadget_impl configfs:dir { create rmdir }; allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) + +# parser the number of dwc3 irq +allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; + +# change irq to other cores +allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; +allow hal_usb_gadget_impl proc_irq:file w_file_perms; From 67e8f968b27547e97e3a0832cb77b78b52c3b0e6 Mon Sep 17 00:00:00 2001 From: Ruofei Ma Date: Thu, 3 Mar 2022 04:51:39 +0000 Subject: [PATCH 403/900] Allow mediacodec_google to access secure dma heap The change is for following error: HwBinder:867_1: type=1400 audit(0.0:9): avc: denied { read } for name="vframe-secure" dev="tmpfs" ino=425 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=0 Bug:221500257 Change-Id: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009 (cherry picked from commit e2395610618e17fe98014e46198e23848771cb7c) Merged-In: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009 --- whitechapel_pro/mediacodec_google.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te index c750ea75..21aea333 100644 --- a/whitechapel_pro/mediacodec_google.te +++ b/whitechapel_pro/mediacodec_google.te 
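Review bot: `allow hal_usb_gadget_impl proc_irq:file w_file_perms;` lets the gadget HAL write the control files of every interrupt under `/proc/irq`, since the `proc_irq` type cannot be narrowed to the one dwc3 IRQ the comment mentions; the commit message says only "build pass" and does not state which files are written. The comment should make that scope explicit and name the bug, for example `# Re-route the dwc3 IRQ to other cores (b/220996010); proc_irq covers every IRQ, SELinux cannot narrow it further`. The comment on the preceding rule also has a typo: `# parser the number of dwc3 irq` should read `# parse the dwc3 irq number from /proc/interrupts`.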
@@ -14,6 +14,7 @@ hal_client_domain(mediacodec_google, hal_codec2) hal_client_domain(mediacodec_google, hal_graphics_allocator) allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; +allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms; allow mediacodec_google video_device:chr_file rw_file_perms; crash_dump_fallback(mediacodec_google) From 47b4ca882da9b0dc6923edd0364fd4088d8e8999 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 7 Mar 2022 10:42:19 +0800 Subject: [PATCH 404/900] init: change overlayfs_file rule to dontaudit Workaround for modem_img being unlabeled after disable-verity. Bug: 193113005 Bug: 221384981 Test: remount with no avc error Change-Id: Ie2479470c095f4ee2a9508714565b1088a8d7dce --- tracking_denials/init.te | 2 -- whitechapel_pro/init.te | 4 ++++ 2 files changed, 4 insertions(+), 2 deletions(-) delete mode 100644 tracking_denials/init.te diff --git a/tracking_denials/init.te b/tracking_denials/init.te deleted file mode 100644 index 2dac3b47..00000000 --- a/tracking_denials/init.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/221384981 -dontaudit init overlayfs_file:file { rename }; diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te index cfb875f6..3175db8c 100644 --- a/whitechapel_pro/init.te +++ b/whitechapel_pro/init.te @@ -15,3 +15,7 @@ allow init modem_efs_file:dir mounton; allow init modem_userdata_file:dir mounton; allow init ram_device:blk_file w_file_perms; allow init sysfs_scsi_devices_0000:file w_file_perms; + +# Workaround for b/193113005 that modem_img unlabeled after disable-verity +dontaudit init overlayfs_file:file rename; +dontaudit init overlayfs_file:chr_file unlink; From db1196932e2498505265b3219f822506c32f76a3 Mon Sep 17 00:00:00 2001 
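Review bot: `dontaudit init overlayfs_file:chr_file unlink;` goes beyond what the deleted tracking entry covered, which was only `overlayfs_file:file { rename }`; neither the commit message nor the new comment shows a denial for `chr_file unlink`. If that denial was observed, quoting it in the comment would justify the second rule; if not, it should be dropped so the workaround stays as narrow as the tracked problem. It would also help to mark the rules as temporary, e.g. `# TODO(b/193113005): remove once modem_img is labeled correctly after disable-verity`.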
From: SalmaxChang Date: Tue, 8 Mar 2022 12:55:22 +0800 Subject: [PATCH 405/900] dumpstate: Grant to access media_rw_data_file avc: denied { append } for comm="binder:1426_9" dev="dm-43" ino=15392 scontext=u:r:dumpstate:s0 tcontext=u:object_r:media_rw_data_file:s0:c232,c256,c512,c768 tclass=file permissive=0 Bug: 222209243 Change-Id: I38efe11117c15f99ad1bce54cafbd0f3b038eff2 --- whitechapel_pro/dumpstate.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te index ea7108e6..6df0265a 100644 --- a/whitechapel_pro/dumpstate.te +++ b/whitechapel_pro/dumpstate.te @@ -4,6 +4,7 @@ dump_hal(hal_uwb_vendor) userdebug_or_eng(` allow dumpstate vendor_dmabuf_debugfs:file r_file_perms; + allow dumpstate media_rw_data_file:file append; ') allow dumpstate sysfs_scsi_devices_0000:file r_file_perms; From 07bf62c38731f5a93a5ff8ec1cc24da04c9d0cf6 Mon Sep 17 00:00:00 2001 
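Review bot: `allow dumpstate media_rw_data_file:file append;` has no comment, and `media_rw_data_file` is per-app external storage (the quoted denial carries MLS categories), so a reader of the policy cannot tell why a bugreport appends there. A comment such as `# b/222209243: bugreport output is appended to an external-storage file supplied by the caller` — with the mechanism confirmed — would fix that; the same applies to the identical rule added to `whitechapel_pro/incident.te` in PATCH 408. The `userdebug_or_eng` wrapper limits this to debug builds, which is appropriate for a debugging path.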
From: Michael Eastwood Date: Fri, 4 Mar 2022 08:12:06 -0800 Subject: [PATCH 406/900] Update SELinux policy to allow camera HAL to send Perfetto trace packets Example denials: 03-04 04:25:37.524 823 823 I TracingMuxer: type=1400 audit(0.0:31): avc: denied { use } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:r:tr aced:s0 tclass=fd permissive=1 03-04 04:25:37.524 823 823 I TracingMuxer: type=1400 audit(0.0:32): avc: denied { read write } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext =u:object_r:traced_tmpfs:s0 tclass=file permissive=1 03-04 04:25:37.524 823 823 I TracingMuxer: type=1400 audit(0.0:33): avc: denied { getattr } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u: object_r:traced_tmpfs:s0 tclass=file permissive=1 03-04 04:25:37.524 823 823 I TracingMuxer: type=1400 audit(0.0:34): avc: denied { map } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1 Bug: 222684359 Test: Build and push new SELinux policy. Verify that trace packets are received by Perfetto. Change-Id: I443e84c5bcc701c1c983db19280719655ff02080 --- whitechapel_pro/hal_camera_default.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index 779157ca..92c629ed 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te 
@@ -85,6 +85,9 @@ allow hal_camera_default apex_info_file:file r_file_perms; # Allow camera HAL to query current device clock frequencies. allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; -# allow camera HAL to read backlight of display +# Allow camera HAL to read backlight of display allow hal_camera_default sysfs_leds:dir r_dir_perms; allow hal_camera_default sysfs_leds:file r_file_perms; + +# Allow camera HAL to send trace packets to Perfetto +userdebug_or_eng(`perfetto_producer(hal_camera_default)') From b82a5ab98bb498d3c3c30d8967a9fc0467e3ac19 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Tue, 8 Mar 2022 17:28:55 +0800 Subject: [PATCH 407/900] Update avc error on ROM 8268341 Bug: 223332748 Bug: 208721808 Test: PtsSELinuxTestCases Change-Id: Ie3c6fdb9c8f29cac41db2750e71d3163132d4951 --- tracking_denials/dumpstate.te | 2 ++ tracking_denials/surfaceflinger.te | 2 ++ 2 files changed, 4 insertions(+) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 1b424e58..dbc612ce 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -2,3 +2,5 @@ dontaudit dumpstate app_zygote:process { signal }; dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; dontaudit dumpstate sysfs:file { read }; +# b/223332748 +dontaudit dumpstate system_dlkm_file:dir { getattr }; diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te index 92d4c155..cd7b63d9 100644 --- a/tracking_denials/surfaceflinger.te +++ b/tracking_denials/surfaceflinger.te @@ -1,2 +1,4 @@ # b/215042694 dontaudit surfaceflinger kernel:process { setsched }; +# b/208721808 +dontaudit surfaceflinger hal_graphics_composer_default:dir { search }; From 1f72ffdec6dd1edf94fe13f38317f03cd4316f03 Mon Sep 17 00:00:00 2001 
From: SalmaxChang Date: Wed, 9 Mar 2022 10:21:40 +0800 Subject: [PATCH 408/900] incident: Fix avc errors avc: denied { use } for comm="incident" dev="dm-47" ino=10911 scontext=u:r:incident:s0 tcontext=u:r:logger_app:s0:c239,c256,c512,c768 tclass=fd avc: denied { append } for dev="dm-7" ino=12639 scontext=u:r:incident:s0 tcontext=u:object_r:media_rw_data_file:s0:c30,c257,c512,c768 tclass=file Bug: 222209243 Change-Id: I9e622e2af1a036eab818cd2b66c07b137fe9cc99 --- whitechapel_pro/incident.te | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 whitechapel_pro/incident.te diff --git a/whitechapel_pro/incident.te b/whitechapel_pro/incident.te new file mode 100644 index 00000000..672606df --- /dev/null +++ b/whitechapel_pro/incident.te @@ -0,0 +1,4 @@ +userdebug_or_eng(` + allow incident logger_app:fd use; + allow incident media_rw_data_file:file append; +') From 284b775f2174192e75483aa5588f88310e67f3d6 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Tue, 8 Mar 2022 14:57:15 +0800 Subject: [PATCH 409/900] sepolicy: fix VTS failure for SuspendSepolicyTests Label the common parent wakeup path instead of each individual wakeup source to avoid bloating the genfs contexts. Bug: 221174227 Test: run vts -m SuspendSepolicyTests Change-Id: I38e3a349af04f83e63735ea7ca010cf634c2f1ab --- whitechapel_pro/genfs_contexts | 40 +++++++++++++++------------------- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 74baef98..8de64906 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
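Review bot: `allow incident logger_app:fd use;` lets `incident` operate on any file descriptor `logger_app` (presumably a vendor app type) passes it, and the new file explains neither rule. The commit message holds the two denials; a header comment such as `# incident writes its report through a file descriptor handed over by the logger app (b/222209243)` would record why a platform service needs a vendor app's fd. It is worth confirming that `logger_app` only hands over descriptors it owns, because `fd use` is scoped by the fd's origin, not by the file it refers to; the `userdebug_or_eng` wrapper at least keeps this off user builds.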
@@ -164,39 +164,33 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
 # system suspend wakeup files
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-power-keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
 #SecureElement
 genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0
From e989d0087a81672c593aab5a74d9d8e7efaef216 Mon Sep 17 00:00:00 2001
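Review bot: Six old entries are removed without a parent-path replacement, although the commit message describes the change as only relabeling the common `wakeup` parent: the four `acpm_mfd_bus@18100000/i2c-7/7-001f/...` entries, `acpm_mfd_bus@18110000/i2c-8/8-002f/wakeup/wakeup` and `/devices/virtual/wakeup/wakeup`. If those paths no longer exist on this kernel (the `7-001f`/`8-002f` ones look like older names of the `i2c-s2mpg12mfd`/`i2c-s2mpg13mfd` nodes that are kept), the message should say so; if any of them still exists, that wakeup source now falls back to the generic `sysfs` label. Labeling the `wakeup` directory rather than `wakeup/wakeup` also covers every attribute under it, which is what the suspend test expects, but it slightly widens what `sysfs_wakeup` readers can see and deserves a sentence in the file's `# system suspend wakeup files` comment.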
From: Adam Shih Date: Wed, 9 Mar 2022 13:30:17 +0800 Subject: [PATCH 410/900] Remove obsolete sepolicy Bug: 207300335 Test: do bugreport without relevant error log showing up Change-Id: I38e4544c59c49543e746775ec686874ee8ae2473 --- tracking_denials/crash_dump.te | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 tracking_denials/crash_dump.te diff --git a/tracking_denials/crash_dump.te b/tracking_denials/crash_dump.te deleted file mode 100644 index b736b20d..00000000 --- a/tracking_denials/crash_dump.te +++ /dev/null @@ -1,7 +0,0 @@ -# b/207300335 -dontaudit crash_dump hwservicemanager_prop:file { getattr }; -dontaudit crash_dump hwservicemanager_prop:file { map }; -dontaudit crash_dump hwservicemanager_prop:file { open }; -dontaudit crash_dump qemu_sf_lcd_density_prop:file { getattr }; -dontaudit crash_dump qemu_sf_lcd_density_prop:file { map }; -dontaudit crash_dump qemu_sf_lcd_density_prop:file { open }; From ab8e1fdc584872875d463ac0f24bb7f178cfc004 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Wed, 9 Mar 2022 16:19:10 +0800 Subject: [PATCH 411/900] sepolicy: label wakeup source for usbc port Bug: 223475365 Test: run vts -m SuspendSepolicyTests Change-Id: I2116c5f4fd19c5995f1612d593532cc7e065a560 Signed-off-by: Darren Hsu --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 8de64906..fa8345a1 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -191,6 +191,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 #SecureElement genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 From dc99069f1e63c026ad1b627d38c11019e528b3f6 Mon Sep 17 00:00:00 2001 From: Taeju Park Date: Thu, 10 Mar 2022 04:10:12 +0000 Subject: [PATCH 412/900] Allow accessing power_policy sysfs node for GPU Bug: 223440487 Signed-off-by: Taeju Park Change-Id: Iae2e4a0dc8d474d04200e79b4b4014010eedb147 --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index fa8345a1..348016c0 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -45,6 +45,7 @@ genfscon sysfs /module/bcmdhd4389 u # GPU genfscon sysfs /devices/platform/28000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/28000000.mali/power_policy u:object_r:sysfs_gpu:s0 # Fabric genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 From cec1d2a76985ed9918287cb43c2e096a6bca622f Mon Sep 17 00:00:00 2001 From: Ramji Jiyani Date: Sun, 13 Mar 2022 18:30:34 -0700 Subject: [PATCH 413/900] dumpstate: Remove do not audit for /system_dlkm FixedBy: http://aosp/2022375 Bug: 223332748 Test: atest SELinuxHostTest#testNoBugreportDenials 
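Review bot: `power_policy` under the Mali device is a control knob, and giving it the `sysfs_gpu` label exposes it to every domain with write access to `sysfs_gpu`, not just whichever consumer this commit has in mind; the message names neither the domain nor whether read or write is needed, and has no Test line. A short comment above the entry — `# power_policy is written by <domain> (b/223440487)`, with the real domain filled in — would let the next reviewer check that the current set of `sysfs_gpu` writers is still appropriate for a writable power-policy switch.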
Signed-off-by: Ramji Jiyani Change-Id: I46e427cccec27118fad4440dc6822196d26f4a1b --- tracking_denials/dumpstate.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index dbc612ce..1b424e58 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -2,5 +2,3 @@ dontaudit dumpstate app_zygote:process { signal }; dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; dontaudit dumpstate sysfs:file { read }; -# b/223332748 -dontaudit dumpstate system_dlkm_file:dir { getattr }; From e02f501377a60d5458b83bbd81bd936ccd0872bf Mon Sep 17 00:00:00 2001 From: Chungjui Fan Date: Thu, 10 Mar 2022 22:50:51 +0800 Subject: [PATCH 414/900] sepolicy: allow fastbootd to access gsc device node audit: type=1400 audit(1646614793.912:8): avc: denied { getattr } for pid=347 comm="fastbootd" path="/dev/gsc0" dev="tmpfs" ino=469 scontext=u:r:fastbootd:s0 tcontext=u:object_r:citadel_device:s0 tclass=chr_file permissive=0 Bug: 221410358 Test: fastboot -w in fastbootd mode Change-Id: I5680515865c2656ffa91dfe593459aab1ade81cb Signed-off-by: Chungjui Fan --- whitechapel_pro/fastbootd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/fastbootd.te b/whitechapel_pro/fastbootd.te index c1c4de7b..0d215a84 100644 --- a/whitechapel_pro/fastbootd.te +++ b/whitechapel_pro/fastbootd.te @@ -3,4 +3,5 @@ recovery_only(` allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; +allow fastbootd citadel_device:chr_file rw_file_perms; ') From e42c7120dd5317aa463ebd2b1d301a0a4442954d Mon Sep 17 00:00:00 2001 
From: Tim Lin Date: Thu, 10 Mar 2022 18:37:11 +0800 Subject: [PATCH 415/900] ril: dump radio hal from user build. To get radio hal debug info on user build as we do on previous Pixels. Bug: 221391981 Test: Trigger bugreport on USERDEBUG with dumpstate.unroot set to true and check IRadio log Change-Id: I354d5770272b518761db4aab8da726de97e472bb --- whitechapel_pro/dumpstate.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te index 6df0265a..5caeac78 100644 --- a/whitechapel_pro/dumpstate.te +++ b/whitechapel_pro/dumpstate.te @@ -1,5 +1,6 @@ dump_hal(hal_health) dump_hal(hal_graphics_composer) +dump_hal(hal_telephony) dump_hal(hal_uwb_vendor) userdebug_or_eng(` From 5ddc8be4f43f73354946caa442a82e1435a7ddda Mon Sep 17 00:00:00 2001 From: Roshan Pius Date: Sat, 5 Mar 2022 09:23:40 -0800 Subject: [PATCH 416/900] gs-sepolicy(uwb): Allow uwb hal permission to net_admin This was alloed under gs101-sepolicy. There is an ongoing discussion on how to resolve this for the long term in b/190461440. But, without this uwb functionality is broken on new devices. Bug: 206045367 Bug: 222194886 Change-Id: I6729352f2b7bb93b01990a790e62aa69f60342fe --- tracking_denials/hal_uwb_vendor_default.te | 1 - whitechapel_pro/hal_uwb_vendor.te | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te index 2ec596a2..25e0a748 100644 --- a/tracking_denials/hal_uwb_vendor_default.te +++ b/tracking_denials/hal_uwb_vendor_default.te @@ -1,7 +1,6 @@ # b/204718220 dontaudit hal_uwb_vendor_default default_android_service:service_manager { add }; # b/206045367 -dontaudit hal_uwb_vendor_default hal_uwb_vendor_default:capability { net_admin }; dontaudit hal_uwb_vendor_default zygote:binder { call }; dontaudit hal_uwb_vendor_default zygote:binder { transfer }; # b/208721505 
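Review bot: `dump_hal(hal_telephony)` is unconditional, so the radio HAL's dump output now lands in bugreports on user builds as well, which is the stated intent. Radio HAL dumps may carry subscriber and network identifiers, so it would be worth confirming, and recording next to the rule, that the IRadio dump path redacts those on user builds, e.g. `# Include IRadio dump in user bugreports; the HAL redacts subscriber identifiers (b/221391981)` once that is verified.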
diff --git a/whitechapel_pro/hal_uwb_vendor.te b/whitechapel_pro/hal_uwb_vendor.te index 6fda95ab..dc11d6b8 100644 --- a/whitechapel_pro/hal_uwb_vendor.te +++ b/whitechapel_pro/hal_uwb_vendor.te @@ -9,6 +9,8 @@ binder_call(hal_uwb_vendor_server, servicemanager) # allow hal_uwb_vendor to set wpan interfaces up and down allow hal_uwb_vendor self:udp_socket create_socket_perms; allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; +# TODO(b/190461440): Find a long term solution for this. +allow hal_uwb_vendor self:global_capability_class_set { net_admin }; # allow hal_uwb_vendor to speak to nl802154 in the kernel allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl; From c5710ad18ee930f3f4fd5e985ce707b92f68da17 Mon Sep 17 00:00:00 2001 From: Roshan Pius Date: Thu, 24 Feb 2022 07:13:01 -0800 Subject: [PATCH 417/900] gs-sepolicy(uwb): Changes for new UCI stack 1. Rename uwb vendor app. 2. Rename uwb vendor HAL binary name & service name. 3. Allow vendor HAL to host the AOSP UWB HAL service. 4. Allow NFC HAL to access uwb calibration files. Bug: 186585880 Bug: 204718220 Bug: 206045367 Test: Manual Tests Change-Id: Ib0456617d0f5cf116d11a9412f47f36e2b8df570 --- tracking_denials/hal_uwb_vendor_default.te | 5 ----- whitechapel_pro/file_contexts | 2 +- whitechapel_pro/hal_nfc_default.te | 3 +++ whitechapel_pro/hal_uwb_vendor_default.te | 3 +++ whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/seapp_contexts | 3 ++- whitechapel_pro/service_contexts | 2 +- 8 files changed, 16 insertions(+), 8 deletions(-) diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te index 25e0a748..2e0025fc 100644 --- a/tracking_denials/hal_uwb_vendor_default.te +++ b/tracking_denials/hal_uwb_vendor_default.te 
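Review bot: `allow hal_uwb_vendor self:global_capability_class_set { net_admin };` grants a broad capability, and the `TODO(b/190461440)` comment says neither which operation needs it nor what would allow its removal. The surrounding rules show the reason: the `SIOCSIFFLAGS`/`SIOCSIFHWADDR` ioctls on the wpan interface permitted just above require CAP_NET_ADMIN, so the comment should say so, e.g. `# net_admin is needed for the SIOCSIFFLAGS/SIOCSIFHWADDR ioctls above; TODO(b/190461440): find a long term solution.` Because the rule targets the `hal_uwb_vendor` attribute rather than the `hal_uwb_vendor_default` domain, every type carrying that attribute inherits it; confirm no client domain is attached through a passthrough macro, otherwise those clients gain the capability as well.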
@@ -1,8 +1,3 @@ -# b/204718220 -dontaudit hal_uwb_vendor_default default_android_service:service_manager { add }; -# b/206045367 -dontaudit hal_uwb_vendor_default zygote:binder { call }; -dontaudit hal_uwb_vendor_default zygote:binder { transfer }; # b/208721505 dontaudit hal_uwb_vendor_default dumpstate:fd { use }; dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write }; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index f86fa5f1..51a23da5 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -37,7 +37,7 @@ /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 +/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 # Vendor Firmwares diff --git a/whitechapel_pro/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te index 174b5383..247ca3d7 100644 --- a/whitechapel_pro/hal_nfc_default.te +++ b/whitechapel_pro/hal_nfc_default.te @@ -10,3 +10,6 @@ set_prop(hal_nfc_default, vendor_modem_prop) # Access uwb cal for SecureRanging Applet allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; allow hal_nfc_default uwb_data_vendor:file r_file_perms; + +# allow nfc to read uwb calibration file +get_prop(hal_nfc_default, vendor_uwb_calibration_prop) diff --git a/whitechapel_pro/hal_uwb_vendor_default.te b/whitechapel_pro/hal_uwb_vendor_default.te index f72e879d..b287433f 100644 --- a/whitechapel_pro/hal_uwb_vendor_default.te +++ b/whitechapel_pro/hal_uwb_vendor_default.te 
@@ -2,6 +2,7 @@ type hal_uwb_vendor_default, domain; type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_uwb_vendor_default) +hal_server_domain(hal_uwb_vendor_default, hal_uwb) add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) @@ -9,3 +10,5 @@ binder_call(hal_uwb_vendor_default, uwb_vendor_app) allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms; allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms; + +get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index bdad98e9..5ddaf882 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -26,3 +26,6 @@ vendor_internal_prop(vendor_display_prop) # Fingerprint vendor_internal_prop(vendor_fingerprint_prop) + +# UWB calibration +system_vendor_config_prop(vendor_uwb_calibration_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index b39184a5..58aaff88 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -93,3 +93,6 @@ persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # Fingerprint vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 vendor.gf. u:object_r:vendor_fingerprint_prop:s0 + +#uwb +ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 88789fc7..2bd4f06a 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
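Review bot: After `hal_server_domain(hal_uwb_vendor_default, hal_uwb)` the domain serves two HAL attributes, but only the vendor one has a matching `add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)` in this file; registration of the AOSP IUwb service is presumably covered by hal_uwb_server rules in the base policy, which should be confirmed rather than assumed since the commit's test is manual. A comment above the two macro lines, `# Hosts both the AOSP IUwb HAL (hal_uwb) and the Qorvo vendor extension HAL (hal_uwb_vendor)`, would make the split explicit. The first hunk starts at line 2, so the file's opening `type` line is visible only as header context.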
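Review bot: In the property_contexts hunk, `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string` combines a name ending in a dot with `exact`, so it labels only a property literally named `ro.vendor.uwb.calibration.`; a real `ro.vendor.uwb.calibration.<key>` would fall through to whatever prefix rule already covers `ro.vendor.`, and the two new `get_prop(..., vendor_uwb_calibration_prop)` rules in hal_nfc_default.te and hal_uwb_vendor_default.te would never apply. The neighbouring fingerprint entries use the dot-terminated form without `exact`, i.e. prefix matching. Either drop `exact` (`ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0`) or list the exact property names; the commit message does not say which is intended.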
@@ -45,7 +45,8 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user # Qorvo UWB system app -user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all +# TODO(b/222204912): Should this run under uwb user? +user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index 98d9fad8..94f813d8 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts @@ -1,3 +1,3 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 -hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 +hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 From 6d25430600be07945521c3c0cf434fa181b9bdad Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Thu, 10 Mar 2022 14:36:21 +0800 Subject: [PATCH 418/900] sepolicy: reorder genfs labels for system suspend Bug: 223683748 Test: check bugreport without relevant avc denials Change-Id: I295d3dfb96cc87e8faaf16f949918445cc3a0d44 Signed-off-by: Darren Hsu --- whitechapel_pro/genfs_contexts | 54 +++++++++++++++++----------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 348016c0..31f827a7 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -165,34 +165,34 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 # system suspend wakeup files -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 #SecureElement genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 From 38c2803c5453724a55d8cb4ea0eb3d8e728e3f26 Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Tue, 8 Mar 2022 16:27:45 +0800 Subject: [PATCH 419/900] Sepolicy: add pixelstats/HardwareInfo sepolicy avc denials to fix (after apply ag/17120763) [ 50.171564] type=1400 audit(1647222380.884:28): avc: denied { read } for comm="pixelstats-vend" name="battery_history" dev="tmpfs" ino=639 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 [ 54.519375] type=1400 audit(1647222385.228:29): avc: denied { read } for comm="id.hardwareinfo" name="battery_history" dev="tmpfs" ino=639 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 app=com.google.android.hardwareinfo Bug: 222019890 Test: manually check debug logcat Change-Id: I0e4f3f3a66783383b0d1327cec4dcd145ae9a7af --- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/hardware_info_app.te | 3 +++ whitechapel_pro/pixelstats_vendor.te | 3 +++ 4 files changed, 8 insertions(+) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index d327aa60..68bb8a47 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -17,6 +17,7 @@ type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_heap_device, dmabuf_heap_device_type, dev_type; +type battery_history_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 51a23da5..c658ab6b 100644 
--- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -202,6 +202,7 @@ /data/per_boot(/.*)? u:object_r:per_boot_file:s0 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 +/dev/battery_history u:object_r:battery_history_device:s0 # Persist /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te index ef9c2306..38f79c80 100644 --- a/whitechapel_pro/hardware_info_app.te +++ b/whitechapel_pro/hardware_info_app.te @@ -27,3 +27,6 @@ userdebug_or_eng(` allow hardware_info_app vendor_maxfg_debugfs:dir search; allow hardware_info_app vendor_maxfg_debugfs:file r_file_perms; ') + +# Batery history +allow hardware_info_app battery_history_device:chr_file r_file_perms; diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index a88db935..645b6ae2 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -6,3 +6,6 @@ allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; # Wireless charge allow pixelstats_vendor sysfs_wlc:dir search; allow pixelstats_vendor sysfs_wlc:file rw_file_perms; + +# Batery history +allow pixelstats_vendor battery_history_device:chr_file r_file_perms; From bedd866505fd49a20b5d81f8705d67184866fc6e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 16 Mar 2022 14:08:09 +0800 Subject: [PATCH 420/900] reject mnt_vendor_file access in user ROM Bug: 224429437 Test: android.security.cts.SELinuxHostTest#testNoBugreportDenials Change-Id: I318f11866f7b9c6cc0b7ecf151f789f35ab290cd --- whitechapel_pro/hal_dumpstate_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index c9fd1ac0..0e4c34cf 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
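Review bot: The comment added above the new rule reads `# Batery history` in both whitechapel_pro/hardware_info_app.te and whitechapel_pro/pixelstats_vendor.te; it should be `# Battery history`. Both rules give a domain direct read access to a character device, and in the hardware_info_app case that is an app context (the denial quoted in the commit message shows `u:r:hardware_info_app:s0:c512,c768`), yet nothing on the page says what the driver exposes through /dev/battery_history. A short comment stating what the node contains and that it is read-only for these consumers would let the next reviewer judge whether `r_file_perms` is the right scope.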
@@ -111,6 +111,7 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; ') +dontaudit hal_dumpstate_default mnt_vendor_file:dir search; dontaudit hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; dontaudit hal_dumpstate_default debugfs:dir r_dir_perms; From 2cc598cc9bf9d98e5e1ba4b520641d8b5e4d2105 Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 10 Mar 2022 19:18:26 -0800 Subject: [PATCH 421/900] health: Add sysfs_thermal access health-service has trouble accessing /dev/thermal. This change fixes this. Bug: 223928339 Test: dev/thermal/tz-by-name/soc/mode error:Permission denied no longer exist Signed-off-by: George Lee Change-Id: I6077e841d179b6cda50d578e584dd249ce970db0 --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 31f827a7..1d0bd2fd 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -212,6 +212,8 @@ genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:obj genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 + # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 From 296823785dae503fbf55b4a97d6d05a0b68ae430 Mon Sep 17 00:00:00 2001 
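Review bot: `genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0` is a sysfs-root-relative path that hard-codes a thermal zone index; zone numbers are assigned in probe order, so the label can land on a different zone or on nothing after a kernel or DT change, and `/sys/thermal_zone14` is not where the thermal class exposes zones (they appear under `/devices/virtual/thermal/` — please verify on the device). The commit's test only checks that the permission error disappeared, which does not show the label is attached to the intended node. Patch 432 later on this page drops this line and instead grants hal_health_default access through sysfs_thermal and thermal_link_device; if a genfscon entry is kept, it should use the zone's stable device path.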
From: Mason Wang Date: Thu, 17 Mar 2022 13:38:06 +0800 Subject: [PATCH 422/900] vendor_init: Fix touch avc denial of high_sensitivity.[DO NOT MERGE] Fixed following avc denial: avc: denied { write } for name="high_sensitivity" dev="proc" ino=4026534550 scontext=u:r:vendor_init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 //The file node is proc/focaltech_touch/high_sensitivity Bug: 199105136 Test: Verify pass by checking device log are w/o above errors while switching setting/display/increase touch sensitivity. Change-Id: I8dbe4190056767407413082580320593292725fe --- whitechapel_pro/file.te | 5 ++++- whitechapel_pro/genfs_contexts | 3 ++- whitechapel_pro/vendor_init.te | 3 +++ 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index c6c274f3..798b1e1f 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -93,4 +93,7 @@ type sysfs_st33spi, sysfs_type, fs_type; type sysfs_gpu, sysfs_type, fs_type; # USB-C throttling stats -type sysfs_usbc_throttling_stats, sysfs_type, fs_type; \ No newline at end of file +type sysfs_usbc_throttling_stats, sysfs_type, fs_type; + +# Touch +type proc_touch, proc_type, fs_type; \ No newline at end of file diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 1d0bd2fd..a2219599 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -29,7 +29,8 @@ genfscon sysfs /devices/soc0/revision u # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 -genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 +genfscon proc /focaltech_touch u:object_r:proc_touch:s0 # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index f936f4e0..4410e6d9 100644 
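Review bot: The file.te hunk restores the newline on the `sysfs_usbc_throttling_stats` line but the new last line `type proc_touch, proc_type, fs_type;` again ends with `\ No newline at end of file`; add the trailing newline so the next append to this file does not produce another noisy hunk. Patch 425 on this page carries the identical Change-Id without the `[DO NOT MERGE]` tag and its file.te hunk does end cleanly, so the two commits should be reconciled before both land.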
--- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -23,3 +23,6 @@ allow vendor_init sysfs_st33spi:file w_file_perms; # Fingerprint property set_prop(vendor_init, vendor_fingerprint_prop) + +# Touch +allow vendor_init proc_touch:file w_file_perms; From 9206ceb2277fce0a43b595c7aec17bd86e300825 Mon Sep 17 00:00:00 2001 From: yixuanjiang Date: Thu, 17 Mar 2022 16:08:20 +0800 Subject: [PATCH 423/900] audio: sync aocdump setting from gs101 Bug: 225309469 Test: local Signed-off-by: yixuanjiang Change-Id: Ia9be16c74de666c945d76ca514423b030c0f90d0 --- aoc/aocdump.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/aoc/aocdump.te b/aoc/aocdump.te index 90911424..0801ec0e 100644 --- a/aoc/aocdump.te +++ b/aoc/aocdump.te @@ -6,6 +6,8 @@ userdebug_or_eng(` # Permit communication with AoC allow aocdump aoc_device:chr_file rw_file_perms; + allow aocdump radio_vendor_data_file:dir rw_dir_perms; + allow aocdump radio_vendor_data_file:file create_file_perms; allow aocdump wifi_logging_data_file:dir create_dir_perms; allow aocdump wifi_logging_data_file:file create_file_perms; set_prop(aocdump, vendor_audio_prop); From b92095e32262ae3a87074a1d75fc704b22d6b0a3 Mon Sep 17 00:00:00 2001 From: Sam Dubey Date: Mon, 21 Mar 2022 04:42:09 +0000 Subject: [PATCH 424/900] Temporarily don't audit init for modem_img_file Change-Id: I2c9c788119b20b8a37e71a971997f16a7fe6165b Fix: 225279974 --- tracking_denials/vendor_init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 462f3986..a6d52a30 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -2,3 +2,6 @@ dontaudit vendor_init thermal_link_device:file { create }; # b/221384939 dontaudit vendor_init vendor_battery_defender_prop:property_service { set }; +# b/225279974 +dontaudit vendor_init modem_img_file:filesystem { getattr }; + From 500e7624e9b09f86fb5585d5adb2a4885554d565 Mon Sep 17 00:00:00 2001 
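Review bot: `allow vendor_init proc_touch:file w_file_perms;` grants write (open/write/append/lock) on every file under /proc/focaltech_touch, because the genfscon in the previous hunk labels the whole directory, while the denial in the commit message names a single node, `high_sensitivity`. If the driver exposes other control nodes there, a comment should say which ones init is expected to write, e.g. `# Touch: vendor_init writes /proc/focaltech_touch/high_sensitivity (b/199105136)`; narrowing the genfscon to that node is the alternative. vendor_init presumably also needs `proc_touch:dir search` unless the base policy already grants it on proc_type — confirm with a userdebug boot. The same rule is added again in the vendor_init.te hunk of patch 425 later on this page, which duplicates this commit.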
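Review bot: The two new rules `allow aocdump radio_vendor_data_file:dir rw_dir_perms;` and `allow aocdump radio_vendor_data_file:file create_file_perms;` let an audio-side dump daemon create files in the radio vendor data tree, and neither the hunk nor the commit message ("sync aocdump setting from gs101") says which path under it aocdump writes or why its own data type is not used. Add a comment above them naming the directory and the consumer, in the same form as the `# Permit communication with AoC` line already in the block, so a reviewer can tell this is not a copy-paste carry-over. The rules are inside the `userdebug_or_eng(` block shown on the hunk header, so they stay out of user builds; that block opens before the hunk.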
From: Mason Wang Date: Thu, 17 Mar 2022 18:02:50 +0800 Subject: [PATCH 425/900] vendor_init: Fix touch avc denial of high_sensitivity. Fixed following avc denial: avc: denied { write } for name="high_sensitivity" dev="proc" ino=4026534550 scontext=u:r:vendor_init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 //The file node is proc/focaltech_touch/high_sensitivity Bug: 199105136 Test: Verify pass by checking device log are w/o above errors while switching setting/display/increase touch sensitivity. Change-Id: I8dbe4190056767407413082580320593292725fe --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 3 ++- whitechapel_pro/vendor_init.te | 3 +++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index c242e448..6b7de845 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -105,3 +105,6 @@ userdebug_or_eng(` # USB-C throttling stats type sysfs_usbc_throttling_stats, sysfs_type, fs_type; + +# Touch +type proc_touch, proc_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index d9fd9901..a7282706 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -29,7 +29,8 @@ genfscon sysfs /devices/soc0/revision u # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 -genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 +genfscon proc /focaltech_touch u:object_r:proc_touch:s0 # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index f936f4e0..4410e6d9 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te 
@@ -23,3 +23,6 @@ allow vendor_init sysfs_st33spi:file w_file_perms; # Fingerprint property set_prop(vendor_init, vendor_fingerprint_prop) + +# Touch +allow vendor_init proc_touch:file w_file_perms; From 046601d414eafe52a74bc255cd760ce42791e7f0 Mon Sep 17 00:00:00 2001 From: Roshan Pius Date: Mon, 21 Mar 2022 09:18:28 -0700 Subject: [PATCH 426/900] gs-policy: Remove obsolete uwb vendor service rules This service no longer exists in the UCI stack. Bug: 186585880 Test: Manual UWB tests Change-Id: I279824be6f51470364ad61833b797aa23cbea859 --- whitechapel_pro/service.te | 1 - whitechapel_pro/service_contexts | 1 - whitechapel_pro/system_server.te | 6 ------ whitechapel_pro/uwb_vendor_app.te | 2 -- 4 files changed, 10 deletions(-) diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te index a4ba9973..8d5dc1ee 100644 --- a/whitechapel_pro/service.te +++ b/whitechapel_pro/service.te @@ -1,3 +1,2 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type hal_uwb_vendor_service, service_manager_type, vendor_service; -type uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index 94f813d8..5df34411 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts @@ -1,3 +1,2 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 -uwb_vendor u:object_r:uwb_vendor_service:s0 diff --git a/whitechapel_pro/system_server.te b/whitechapel_pro/system_server.te index 6e797f55..0e0a159b 100644 --- a/whitechapel_pro/system_server.te +++ b/whitechapel_pro/system_server.te 
@@ -1,7 +1 @@
 binder_call(system_server, hal_camera_default);
-
-# Allow system server to find vendor uwb service. In the legacy
-# UWB stack, system_server talks directly to the vendor stack.
-# TODO(b/186585880): This will be obsoleted when the new UCI stack for
-# UWB lands.
-allow system_server uwb_vendor_service:service_manager find;
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
index 66237edc..364bee36 100644
--- a/whitechapel_pro/uwb_vendor_app.te
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -2,8 +2,6 @@ type uwb_vendor_app, domain; app_domain(uwb_vendor_app) -add_service(uwb_vendor_app, uwb_vendor_service) - not_recovery(` hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
From 466adbb2daf58e6a9fc0848191aa4cb10f6c5bc8 Mon Sep 17 00:00:00 2001 From: Peter Csaszar Date: Mon, 14 Feb 2022 20:29:23 -0800 Subject: [PATCH 427/900] pixel-selinux: Port PRO SJTAG policies to tm-dev These are the SELinux policies for the sysfs files of the SJTAG kernel interface for WHI-PRO-based devices, now migrated to the tm-dev branch. The files are in the following directories: /sys/devices/platform/sjtag_ap/interface/ /sys/devices/platform/sjtag_gsa/interface/ Bug: 207571417 Bug: 224022297 Signed-off-by: Peter Csaszar Merged-in: I5ec50d9ff7cd0e08ade7acce21e73751e93a0aff Change-Id: I56da5763c31ab098859cbc633660897646fe7f3e
--- whitechapel_pro/file.te | 13 ++++++++++++- whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/shell.te | 5 +++++ whitechapel_pro/ssr_detector.te | 5 +++++ 4 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 whitechapel_pro/shell.te
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 798b1e1f..25b31271 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te 
@@ -96,4 +96,15 @@ type sysfs_gpu, sysfs_type, fs_type; type sysfs_usbc_throttling_stats, sysfs_type, fs_type; # Touch -type proc_touch, proc_type, fs_type; \ No newline at end of file +type proc_touch, proc_type, fs_type; + +# Vendor sched files +userdebug_or_eng(` + typeattribute sysfs_vendor_sched mlstrustedobject; +') + +# SJTAG +type sysfs_sjtag, fs_type, sysfs_type; +userdebug_or_eng(` + typeattribute sysfs_sjtag mlstrustedobject; +') diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index a2219599..e4c6cb1c 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -223,3 +223,7 @@ genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_t genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 + +# SJTAG +genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 +genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te new file mode 100644 index 00000000..978a5426 --- /dev/null +++ b/whitechapel_pro/shell.te @@ -0,0 +1,5 @@ +# Allow access to the SJTAG kernel interface from the shell +userdebug_or_eng(` + allow shell sysfs_sjtag:dir r_dir_perms; + allow shell sysfs_sjtag:file rw_file_perms; +') diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te index ff3c40f9..793e51b6 100644 --- a/whitechapel_pro/ssr_detector.te +++ b/whitechapel_pro/ssr_detector.te 
@@ -12,6 +12,11 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) + allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; + allow ssr_detector_app sysfs_sjtag:file rw_file_perms; + allow ssr_detector_app sysfs_vendor_sched:dir search; + allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms; + allow ssr_detector_app cgroup:file write; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 997b8974ef445e3eda4ee104ac7fa1a2975affd8 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Wed, 8 Dec 2021 07:05:51 +0800 Subject: [PATCH 428/900] Allow hal_fingerprint_default to access fwk_sensor_hwservice Fix the following avc denial: avc: denied { find } for interface=android.frameworks.sensorservice::ISensorManager sid=u:r:hal_fingerprint_default:s0 pid=1258 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:fwk_sensor_hwservice:s0 tclass=hwservice_manager permissive=0 Bug: 197789721 Test: build and test fingerprint on device. Change-Id: I7494f28e69e5a1b660dc7fbaa528b1088048723b (cherry picked from commit 9b54bf3665abce7a6f5f5df22069a8ef081ad80e) --- whitechapel_pro/hal_fingerprint_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te index 8cb3ea83..7d5f4f2c 100644 --- a/whitechapel_pro/hal_fingerprint_default.te +++ b/whitechapel_pro/hal_fingerprint_default.te @@ -17,3 +17,7 @@ r_dir_file(hal_fingerprint_default, sysfs_chosen) # Allow fingerprint to access calibration blk device. allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms; allow hal_fingerprint_default block_device:dir search; + +# Allow fingerprint to access fwk_sensor_hwservice +allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; + 
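Review bot: Three of the five lines added to whitechapel_pro/ssr_detector.te — `allow ssr_detector_app sysfs_vendor_sched:dir search;`, `allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms;` and `allow ssr_detector_app cgroup:file write;` — are unrelated to the SJTAG sysfs interface the commit message describes, and the file.te hunk likewise adds `typeattribute sysfs_vendor_sched mlstrustedobject` without explanation. Each unrelated grant needs its own comment (which scheduler node and which cgroup file the app writes, and the bug that tracks it) or should move to a separate change, so the debug-only write access can be reviewed on its own. All five rules sit inside the `userdebug_or_eng(` block that opens on the hunk header, which keeps them out of user builds; the closing `')` is within the hunk.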
From 6dd3de7813c4cfedcfa656086da206a350815942 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Mon, 21 Mar 2022 21:28:03 +0800 Subject: [PATCH 429/900] vendor_init: fix avc error avc: denied { getattr } for comm="init" name="/" dev="sda19" ino=2 scontext=u:r:vendor_init:s0 tcontext=u:object_r:modem_img_file:s0 tclass=filesystem permissive=0 Bug: 225151104 Change-Id: I508aa6b85039edc4b5a8746aaa602f1131768630 --- tracking_denials/vendor_init.te | 2 -- whitechapel_pro/vendor_init.te | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index a6d52a30..0bcad4ed 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -2,6 +2,4 @@ dontaudit vendor_init thermal_link_device:file { create }; # b/221384939 dontaudit vendor_init vendor_battery_defender_prop:property_service { set }; -# b/225279974 -dontaudit vendor_init modem_img_file:filesystem { getattr }; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 4410e6d9..a8626fcf 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -26,3 +26,5 @@ set_prop(vendor_init, vendor_fingerprint_prop) # Touch allow vendor_init proc_touch:file w_file_perms; + +allow vendor_init modem_img_file:filesystem { getattr }; From 278d110fba464f89239be6da40ababe4a8389d86 Mon Sep 17 00:00:00 2001 From: Yabin Cui Date: Fri, 18 Mar 2022 15:10:59 -0700 Subject: [PATCH 430/900] Add SOC specific ETM sysfs paths Bug: 225403280 Test: run profcollectd on c10 Change-Id: I10c8d250cf88b371ee573561d6678fc24f4e440c --- whitechapel_pro/genfs_contexts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index a7282706..e0e63300 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
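Review bot: `allow vendor_init modem_img_file:filesystem { getattr };` replaces the `# b/225279974` dontaudit but lands without a comment, so the reason init calls statfs() on the modem image filesystem (the operation filesystem:getattr corresponds to) is lost together with the bug reference. Prefix it with `# b/225151104: init statfs()s the modem image filesystem (sda19 in the denial)` or equivalent wording from the author, matching the `# Touch` comment style of the surrounding lines. The tracking_denials/vendor_init.te hunk also appears to leave that file ending in the empty line added by patch 424, which is worth cleaning up while here.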
@@ -227,3 +227,13 @@ genfscon sysfs /devices/platform/sjtag_gsa/interface u:obje
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
+
+# Coresight ETM
+genfscon sysfs /devices/platform/2b840000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2b940000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2ba40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bb40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bc40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0
From ae6f085676a21b44d25563c112f5ca2f901c3475 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Tue, 22 Mar 2022 15:52:23 +0800 Subject: [PATCH 431/900] modem_svc_sit: fix avc error avc: denied { write } for comm="modem_svc_sit" name="modem_stat" dev="dm-46" ino=333 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0 Bug: 225149029 Change-Id: Id1045d9488a200b6c64abbe02cf5e65926ba0203
--- whitechapel_pro/file_contexts | 2 +- whitechapel_pro/modem_svc_sit.te | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index c658ab6b..08f28834 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts 
@@ -188,7 +188,7 @@
 # Data
 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
-/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
+/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 0b872264..d3e79c93 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -11,6 +11,7 @@ allow modem_svc_sit radio_device:chr_file rw_file_perms;
 # Grant vendor radio and modem file/dir creation permission
 allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
 allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
 allow modem_svc_sit modem_stat_data_file:file create_file_perms;
 allow modem_svc_sit mnt_vendor_file:dir search;
 
From 17981f9fc0b58fdc3a2639bebf768557f9a38070 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 21 Mar 2022 20:36:32 -0700
Subject: [PATCH 432/900] health: Grant sysfs_thermal access to health
health-service has trouble accessing /dev/thermal. This change fixes this.
Bug: 226009696
Test: dev/thermal/tz-by-name/soc/mode error:Permission denied no longer exist
Signed-off-by: George Lee
Change-Id: I8d112cb12f3aeb1c8d5433ca69415d0413f070a2
Merged-In: I4d9491862ff1bcc88f89b1478497ac569e3d1df1
---
 whitechapel_pro/genfs_contexts | 2 --
 whitechapel_pro/hal_health_default.te | 4 ++++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index e4c6cb1c..b1ebf4b2 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
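Review bot: `create_dir_perms` on `modem_stat_data_file` is wider than the denial (`write` on the `modem_stat` directory) needs: it also grants `create`, `rename`, `reparent`, `rmdir` and `setattr` over the tree that the file_contexts hunk now labels with `/data/vendor/modem_stat(/.*)?`. If modem_svc_sit only drops files such as the former `debug.txt` there, `allow modem_svc_sit modem_stat_data_file:dir rw_dir_perms;` already covers `search`/`write`/`add_name`/`remove_name`. Widening the pattern from one file to the directory also changes the label of the directory itself; whatever creates it (presumably an init rc `mkdir`, not in this diff) needs to restorecon an already-existing directory on upgraded devices, otherwise it stays `vendor_data_file` and the denial persists.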
@@ -213,8 +213,6 @@ genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:obj genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 -genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 - # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index a4294ee5..0e393765 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -9,3 +9,7 @@ allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; +allow hal_health_default sysfs_thermal:dir search; +allow hal_health_default sysfs_thermal:file w_file_perms; +allow hal_health_default sysfs_thermal:lnk_file read; +allow hal_health_default thermal_link_device:dir search; From 02c1ef8b85f4c6f0d7c3354e2baba492bcda5589 Mon Sep 17 00:00:00 2001 From: Yabin Cui Date: Fri, 18 Mar 2022 15:10:59 -0700 Subject: [PATCH 433/900] Add SOC specific ETM sysfs paths Bug: 225403280 Test: run profcollectd on c10 Change-Id: I10c8d250cf88b371ee573561d6678fc24f4e440c Merged-In: I10c8d250cf88b371ee573561d6678fc24f4e440c --- whitechapel_pro/genfs_contexts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index b1ebf4b2..034ab591 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
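Review bot: `allow hal_health_default sysfs_thermal:file w_file_perms;` grants write on every node labelled `sysfs_thermal`, including the `gs_thermal` `tmu_*_reg_dump_*_thres` parameters visible in the genfs_contexts hunk above, while the Test line only exercises the thermal-zone `mode` switch under `/dev/thermal/tz-by-name/soc`. A path-specific genfscon with its own type for the `mode` attributes (the removed `/thermal_zone14/mode` line shows the file already pins individual nodes) would keep the health HAL from being able to retune thermal thresholds. At minimum record the intended scope above the rule, e.g. `# Only needed to toggle thermal-zone mode via /dev/thermal/tz-by-name/*/mode`. Granting write without read looks deliberate and is fine if the HAL only writes.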
@@ -225,3 +225,13 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time # SJTAG genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 + +# Coresight ETM +genfscon sysfs /devices/platform/2b840000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2b940000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2ba40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bb40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bc40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0 From de2696eb721761eb0dac1f689325e98a8774b351 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 23 Mar 2022 11:53:35 +0800 Subject: [PATCH 434/900] enforce debugfs constraint on userdebug build Bug: 225815474 Test: build pass Change-Id: If9e32d4b67c342b56eea39701518a520a62df199 --- tracking_denials/hardware_info_app.te | 2 ++ tracking_denials/vendor_init.te | 2 ++ whitechapel_pro/dumpstate.te | 1 - whitechapel_pro/hardware_info_app.te | 6 ------ 4 files changed, 4 insertions(+), 7 deletions(-) create mode 100644 tracking_denials/hardware_info_app.te diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te new file mode 100644 index 00000000..2975d243 --- /dev/null +++ b/tracking_denials/hardware_info_app.te @@ -0,0 +1,2 @@ +# b/208909060 +dontaudit hardware_info_app vendor_maxfg_debugfs:dir search; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 0bcad4ed..1652b7a1 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te 
@@ -2,4 +2,6 @@ dontaudit vendor_init thermal_link_device:file { create }; # b/221384939 dontaudit vendor_init vendor_battery_defender_prop:property_service { set }; +# b/226271913 +dontaudit vendor_init vendor_maxfg_debugfs:file setattr; diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te index 5caeac78..8ff47509 100644 --- a/whitechapel_pro/dumpstate.te +++ b/whitechapel_pro/dumpstate.te @@ -4,7 +4,6 @@ dump_hal(hal_telephony) dump_hal(hal_uwb_vendor) userdebug_or_eng(` - allow dumpstate vendor_dmabuf_debugfs:file r_file_perms; allow dumpstate media_rw_data_file:file append; ') diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te index 38f79c80..751bb885 100644 --- a/whitechapel_pro/hardware_info_app.te +++ b/whitechapel_pro/hardware_info_app.te @@ -22,11 +22,5 @@ allow hardware_info_app sysfs_display:file r_file_perms; allow hardware_info_app sysfs_soc:file r_file_perms; allow hardware_info_app sysfs_chip_id:file r_file_perms; -# Fuel -userdebug_or_eng(` - allow hardware_info_app vendor_maxfg_debugfs:dir search; - allow hardware_info_app vendor_maxfg_debugfs:file r_file_perms; -') - # Batery history allow hardware_info_app battery_history_device:chr_file r_file_perms; From 0adad90ab6b72af488ece4a7396cb2f9d2c147cd Mon Sep 17 00:00:00 2001 
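Review bot: `dontaudit vendor_init vendor_maxfg_debugfs:file setattr;` silences a symptom rather than removing the access: vendor_init only performs `setattr` on a file when an rc script runs `chmod`/`chown` on that path, so a debugfs node is presumably still referenced from an init rc file (inferred, the rc file is not in this diff). Since the commit's purpose is to stop vendor access to debugfs on userdebug, the rc line should be dropped or wrapped for eng-only use, and this entry kept only as a short-lived tracking item under the bug it cites. The removals from `hardware_info_app.te` and `dumpstate.te` below are the right direction for the same reason.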
From: Ted Lin Date: Tue, 22 Feb 2022 10:54:06 +0800 Subject: [PATCH 435/900] hal_health_default: Fix avc denials 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2270): avc: denied { search } for name="thermal" dev="tmpfs" ino=1028 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:thermal_link_device:s0 tclass=dir permissive=1 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2271): avc: denied { search } for name="thermal" dev="sysfs" ino=16790 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2273): avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone13/mode" dev="sysfs" ino=17285 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 12-02 11:15:45.224 756 756 I health@2.1-serv: type=1400 audit(0.0:2272): avc: denied { write } for name="mode" dev="sysfs" ino=17285 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 Bug:208721638 Test: adb bugreport Change-Id: I4d9491862ff1bcc88f89b1478497ac569e3d1df1 Signed-off-by: Ted Lin (cherry picked from commit 5b6a5292c3f92a880dfa769eeaa90d5a52279e94) --- tracking_denials/hal_health_default.te | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 tracking_denials/hal_health_default.te diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te deleted file mode 100644 index d36ba385..00000000 --- a/tracking_denials/hal_health_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/208721638 -dontaudit hal_health_default sysfs_thermal:dir { search }; -dontaudit hal_health_default sysfs_thermal:file { open }; -dontaudit hal_health_default sysfs_thermal:file { write }; -dontaudit hal_health_default thermal_link_device:dir { search }; From e0b06b9cbdb3d104202963f26213c64568f60cd1 Mon Sep 17 00:00:00 2001 
From: Holmes Chou Date: Tue, 11 Jan 2022 10:24:01 +0800 Subject: [PATCH 436/900] camera: use codename for camera modules use codename for camera modules Bug: 209866857 Test: GCA, adb logcat Change-Id: I55f6998d18a904c83ecdf328d1b0e5ca6a01427f --- whitechapel_pro/file_contexts | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 08f28834..ae455880 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -100,16 +100,16 @@ /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/bbd_pwrstat u:object_r:power_stats_device:s0 -/dev/lwis-act-ak7377 u:object_r:lwis_device:s0 -/dev/lwis-act-ak7377-imx386 u:object_r:lwis_device:s0 -/dev/lwis-act-sem1215sa u:object_r:lwis_device:s0 +/dev/lwis-act-jotnar u:object_r:lwis_device:s0 +/dev/lwis-act-slenderman u:object_r:lwis_device:s0 +/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0 /dev/lwis-csi u:object_r:lwis_device:s0 /dev/lwis-dpm u:object_r:lwis_device:s0 -/dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0 -/dev/lwis-eeprom-m24c64x-3j1 u:object_r:lwis_device:s0 -/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0 -/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0 -/dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0 +/dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0 +/dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0 /dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 /dev/lwis-g3aa u:object_r:lwis_device:s0 /dev/lwis-gdc0 u:object_r:lwis_device:s0 
@@ -119,16 +119,16 @@ /dev/lwis-ipp u:object_r:lwis_device:s0 /dev/lwis-itp u:object_r:lwis_device:s0 /dev/lwis-mcsc u:object_r:lwis_device:s0 -/dev/lwis-ois-lc898128 u:object_r:lwis_device:s0 -/dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0 +/dev/lwis-ois-gargoyle u:object_r:lwis_device:s0 +/dev/lwis-ois-jotnar u:object_r:lwis_device:s0 /dev/lwis-pdp u:object_r:lwis_device:s0 /dev/lwis-scsc u:object_r:lwis_device:s0 -/dev/lwis-sensor-3j1 u:object_r:lwis_device:s0 -/dev/lwis-sensor-gm5 u:object_r:lwis_device:s0 -/dev/lwis-sensor-gn1 u:object_r:lwis_device:s0 -/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0 -/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0 -/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0 +/dev/lwis-sensor-buraq u:object_r:lwis_device:s0 +/dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-sensor-kraken u:object_r:lwis_device:s0 +/dev/lwis-sensor-lamassu u:object_r:lwis_device:s0 +/dev/lwis-sensor-nagual u:object_r:lwis_device:s0 +/dev/lwis-sensor-sandworm u:object_r:lwis_device:s0 /dev/lwis-slc u:object_r:lwis_device:s0 /dev/lwis-top u:object_r:lwis_device:s0 /dev/lwis-votf u:object_r:lwis_device:s0 From 4fa67857c38196a7101eaacfb217c3f5a70a3407 Mon Sep 17 00:00:00 2001 From: chungkai Date: Wed, 23 Mar 2022 08:18:08 +0000 Subject: [PATCH 437/900] sched: move sysfs to procfs Modify name from sysfs_vendor_sched to proc_vendor_sched Test: without avc denial Bug: 216207007 Signed-off-by: chungkai Change-Id: I96dc6eb76dd533ff6fd54c27be7e4bc32bf5dbc7 --- private/permissioncontroller_app.te | 4 ++-- whitechapel_pro/bluetooth.te | 4 ++-- whitechapel_pro/domain.te | 4 ++-- whitechapel_pro/hal_power_default.te | 2 +- whitechapel_pro/hbmsvmanager_app.te | 4 ++-- whitechapel_pro/logger_app.te | 4 ++-- whitechapel_pro/nfc.te | 4 ++-- whitechapel_pro/platform_app.te | 4 ++-- whitechapel_pro/radio.te | 4 ++-- whitechapel_pro/untrusted_app_all.te | 2 +- 10 files changed, 18 insertions(+), 18 deletions(-) 
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te index 6a4b6fd4..c5feec95 100644 --- a/private/permissioncontroller_app.te +++ b/private/permissioncontroller_app.te @@ -1,2 +1,2 @@ -allow permissioncontroller_app sysfs_vendor_sched:dir r_dir_perms; -allow permissioncontroller_app sysfs_vendor_sched:file w_file_perms; +allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms; +allow permissioncontroller_app proc_vendor_sched:file w_file_perms; diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te index b3b17416..9d909045 100644 --- a/whitechapel_pro/bluetooth.te +++ b/whitechapel_pro/bluetooth.te @@ -1,2 +1,2 @@ -allow bluetooth sysfs_vendor_sched:dir r_dir_perms; -allow bluetooth sysfs_vendor_sched:file w_file_perms; \ No newline at end of file +allow bluetooth proc_vendor_sched:dir r_dir_perms; +allow bluetooth proc_vendor_sched:file w_file_perms; \ No newline at end of file diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te index 3e1cbbb7..fd876e09 100644 --- a/whitechapel_pro/domain.te +++ b/whitechapel_pro/domain.te @@ -1,2 +1,2 @@ -allow {domain -appdomain -rs} sysfs_vendor_sched:dir r_dir_perms; -allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms; +allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms; +allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms; diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te index eaaf8009..076de46b 100644 --- a/whitechapel_pro/hal_power_default.te +++ b/whitechapel_pro/hal_power_default.te 
@@ -2,7 +2,7 @@ allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms; allow hal_power_default sysfs_fs_f2fs:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; -allow hal_power_default sysfs_vendor_sched:file r_file_perms; +allow hal_power_default proc_vendor_sched:file r_file_perms; allow hal_power_default sysfs_gpu:file rw_file_perms; allow hal_power_default sysfs_fabric:file rw_file_perms; allow hal_power_default sysfs_camera:file rw_file_perms; diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te index b8f6a6be..3ed4f823 100644 --- a/whitechapel_pro/hbmsvmanager_app.te +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -2,8 +2,8 @@ type hbmsvmanager_app, domain; app_domain(hbmsvmanager_app); -allow hbmsvmanager_app sysfs_vendor_sched:dir r_dir_perms; -allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms; +allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; +allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) diff --git a/whitechapel_pro/logger_app.te b/whitechapel_pro/logger_app.te index cae88332..9809f309 100644 --- a/whitechapel_pro/logger_app.te +++ b/whitechapel_pro/logger_app.te @@ -24,6 +24,6 @@ userdebug_or_eng(` set_prop(logger_app, vendor_wifi_sniffer_prop) dontaudit logger_app default_prop:file r_file_perms; - dontaudit logger_app sysfs_vendor_sched:dir search; - dontaudit logger_app sysfs_vendor_sched:file write; + dontaudit logger_app proc_vendor_sched:dir search; + dontaudit logger_app proc_vendor_sched:file write; ') diff --git a/whitechapel_pro/nfc.te b/whitechapel_pro/nfc.te index febd851a..80784434 100644 --- a/whitechapel_pro/nfc.te +++ b/whitechapel_pro/nfc.te 
@@ -1,2 +1,2 @@ -allow nfc sysfs_vendor_sched:dir r_dir_perms; -allow nfc sysfs_vendor_sched:file w_file_perms; +allow nfc proc_vendor_sched:dir r_dir_perms; +allow nfc proc_vendor_sched:file w_file_perms; diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te index 7b16577d..356167ab 100644 --- a/whitechapel_pro/platform_app.te +++ b/whitechapel_pro/platform_app.te @@ -1,8 +1,8 @@ allow platform_app hal_pixel_display_service:service_manager find; allow platform_app hal_wlc_hwservice:hwservice_manager find; allow platform_app nfc_service:service_manager find; -allow platform_app sysfs_vendor_sched:dir r_dir_perms; -allow platform_app sysfs_vendor_sched:file w_file_perms; +allow platform_app proc_vendor_sched:dir r_dir_perms; +allow platform_app proc_vendor_sched:file w_file_perms; # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te index 09b4c7e4..8cb144d9 100644 --- a/whitechapel_pro/radio.te +++ b/whitechapel_pro/radio.te @@ -1,2 +1,2 @@ -allow radio sysfs_vendor_sched:dir r_dir_perms; -allow radio sysfs_vendor_sched:file w_file_perms; \ No newline at end of file +allow radio proc_vendor_sched:dir r_dir_perms; +allow radio proc_vendor_sched:file w_file_perms; \ No newline at end of file diff --git a/whitechapel_pro/untrusted_app_all.te b/whitechapel_pro/untrusted_app_all.te index 47d4d1bd..ec95276c 100644 --- a/whitechapel_pro/untrusted_app_all.te +++ b/whitechapel_pro/untrusted_app_all.te @@ -1 +1 @@ -dontaudit untrusted_app_all sysfs_vendor_sched:dir search; +dontaudit untrusted_app_all proc_vendor_sched:dir search; From 967571ee60acefde1469359b876120e6a70047ee Mon Sep 17 00:00:00 2001 
From: Chris Kuiper Date: Wed, 23 Mar 2022 22:25:48 -0700 Subject: [PATCH 438/900] Add rules to allow Sensor HAL write access to als_table Sensor HAL needs write access to /sys/class/backlight/panel0-backlight/als_table. Bug: 226435017 Test: Observing logs Change-Id: Idb592d601b92c6814493e0d28384e1013935b72f --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 37 +++++++++++++------------- whitechapel_pro/hal_sensors_default.te | 3 +++ 3 files changed, 23 insertions(+), 18 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 25b31271..75f16663 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -45,6 +45,7 @@ type sysfs_cpu, sysfs_type, fs_type; type sysfs_odpm, sysfs_type, fs_type; type sysfs_soc, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; +type sysfs_write_leds, sysfs_type, fs_type; # debugfs type debugfs_f2fs, debugfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 034ab591..af411701 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -91,30 +91,31 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 # Display -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 -genfscon sysfs 
/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0 -genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 +genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table 
u:object_r:sysfs_write_leds:s0 # mediacodec_samsung genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0 diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index 69190603..f4231fb7 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te @@ -51,3 +51,6 @@ allow hal_sensors_default sysfs_leds:file r_file_perms; # Allow sensor HAL to access the graphics composer. binder_call(hal_sensors_default, hal_graphics_composer_default); + +# Allow display_info_service access to the backlight driver. +allow hal_sensors_default sysfs_write_leds:file rw_file_perms; From 4b75aab4b8f765d8cdad82af4c805dae563a1b86 Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Fri, 18 Mar 2022 15:59:40 +0800 Subject: [PATCH 439/900] Remove the tracking for vendor_battery_defender The function is disabled. Bug: 221384939 Test: adb bugreport Change-Id: If8e8b8165329eb9ede86cb62f419a8cf06abb536 Signed-off-by: Ted Lin --- tracking_denials/vendor_init.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 1652b7a1..850099a9 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,7 +1,4 @@ # b/205656950 dontaudit vendor_init thermal_link_device:file { create }; -# b/221384939 -dontaudit vendor_init vendor_battery_defender_prop:property_service { set }; # b/226271913 dontaudit vendor_init vendor_maxfg_debugfs:file setattr; - From 85710448f323246f5bc865538673d9b1212b0f47 Mon Sep 17 00:00:00 2001 
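Review bot: Only one line in this hunk is functional (the `als_table` path labelled `sysfs_write_leds`); the other 18 changed lines re-align whitespace on existing display entries, which buries the real change in review and in `git blame`. Either split the realignment into its own commit or leave the columns as they were. The new type name describes a permission rather than the object it labels; something like `sysfs_als_table` would tell the reader of the consuming rule which node is writable, whereas `sysfs_write_leds` does not.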
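Review bot: The comment `# Allow display_info_service access to the backlight driver.` names a service that is not the subject of the rule; the rule grants `hal_sensors_default` read/write on `sysfs_write_leds`, i.e. the `als_table` node labelled in the genfs_contexts hunk above. Suggest `# Allow the sensor HAL to program the panel's ALS table (als_table) for brightness compensation.` so the comment matches subject and object. The commit message asks only for write access, so `w_file_perms` would be the tighter grant if reading the table is not needed.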
From: Darren Hsu Date: Thu, 24 Mar 2022 15:03:08 +0800 Subject: [PATCH 440/900] Allow hal_power_stats to read sysfs_aoc_dumpstate avc: denied { read } for comm="android.hardwar" name="restart_count" dev="sysfs" ino=72823 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc_dumpstate:s0 tclass=file permissive=0 Bug: 226173008 Test: check bugreport without avc denials Change-Id: I35d886dd05fdad821e38810fd848c7f451893e3f Signed-off-by: Darren Hsu --- whitechapel_pro/hal_power_stats_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te index ae332280..4451f88a 100644 --- a/whitechapel_pro/hal_power_stats_default.te +++ b/whitechapel_pro/hal_power_stats_default.te @@ -2,6 +2,7 @@ allow hal_power_stats_default sysfs_display:file r_file_perms; r_dir_file(hal_power_stats_default, sysfs_aoc) +r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) r_dir_file(hal_power_stats_default, sysfs_acpm_stats) r_dir_file(hal_power_stats_default, sysfs_cpu) r_dir_file(hal_power_stats_default, sysfs_edgetpu) From ab9ec222678cc7cec453a8f535a39a54202be788 Mon Sep 17 00:00:00 2001 From: Lucas Wei Date: Mon, 21 Mar 2022 15:38:17 +0800 Subject: [PATCH 441/900] Label vendor_kernel_boot with boot_block_device for OTA updating Label with boot_block_device to allow further operations on vendor_kernel_boot including OTA updating. This is required for update_engine to be able to write to vendor_kernel_boot on builds that are enforcing sepolicy. Bug: 214409109 Signed-off-by: Lucas Wei Change-Id: If239690ee168ecfd5c5b755451e389a4523c79b8 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index ae455880..efb7ce3b 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
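Review bot: `r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)` grants read on every node under a label whose name marks it as dumpstate-oriented, while the denial is for a single attribute, `restart_count`. If that counter is ordinary telemetry rather than dump-only data, relabelling just that path into `sysfs_aoc`, which the HAL already reads on the line above, keeps the dumpstate label off the power-stats HAL. Otherwise add a comment naming the attribute, e.g. `# AoC restart_count is exposed under the dumpstate label`, so the next reviewer knows the wide grant is deliberate.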
@@ -184,6 +184,7 @@ /dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0 # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 From e5cc5f793758c0718362483d5cb2bd8f450d3bd7 Mon Sep 17 00:00:00 2001 From: Omer Osman Date: Tue, 22 Feb 2022 22:04:15 +0000 Subject: [PATCH 442/900] Add hidraw device and Dynamic Sensor SE Linux policy Test: Incoming HID data from Pixel Buds Change-Id: I77489100e13d892fb7d3a7cee9734de044795dec --- whitechapel_pro/device.te | 3 +++ whitechapel_pro/file_contexts | 4 ++++ whitechapel_pro/hal_sensors_default.te | 6 ++++++ whitechapel_pro/property.te | 4 ++++ whitechapel_pro/property_contexts | 4 ++++ 5 files changed, 21 insertions(+) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 68bb8a47..6b81f2a1 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -23,3 +23,6 @@ type battery_history_device, dev_type; type st54spi_device, dev_type; type st33spi_device, dev_type; +# Raw HID device +type hidraw_device, dev_type; + diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index efb7ce3b..67ceea77 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -222,3 +222,7 @@ # USB /vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0 + +# Raw HID device +/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 + diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index f4231fb7..65f2db8a 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te 
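Review bot: The commit title and message say vendor_kernel_boot is labelled `boot_block_device`, but the added line labels `vendor_kernel_boot_[ab]` as `custom_ab_block_device`, matching the neighbouring `vendor_boot_[ab]` entry. One of the two should be corrected: if `custom_ab_block_device` is intended (it is what the other A/B slots in this block use), amend the message so the history does not claim a label that was never applied; if `boot_block_device` is intended, the rule here is wrong. Note that the regex follows the escaped `14700000\.ufs` convention of the surrounding lines, so the path itself is fine.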
@@ -12,6 +12,12 @@ allow hal_sensors_default chre_socket:sock_file write; # Allow create thread to watch AOC's device. allow hal_sensors_default device:dir r_dir_perms; +# Allow access for dynamic sensor properties. +get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) + +# Allow access to raw HID devices for dynamic sensors. +allow hal_sensors_default hidraw_device:chr_file rw_file_perms; + # Allow SensorSuez to connect AIDL stats. allow hal_sensors_default fwk_stats_service:service_manager find; diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 5ddaf882..00ffa07d 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -29,3 +29,7 @@ vendor_internal_prop(vendor_fingerprint_prop) # UWB calibration system_vendor_config_prop(vendor_uwb_calibration_prop) + +# Dynamic sensor +vendor_internal_prop(vendor_dynamic_sensor_prop) + diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 58aaff88..cca975dd 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -96,3 +96,7 @@ vendor.gf. u:object_r:vendor_fingerprint_prop:s0 #uwb ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string + +# Dynamic sensor +vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 + From 5cc8837eb673cda0ca7632dfb0946ceb37cd83a0 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 28 Mar 2022 10:54:51 +0800 Subject: [PATCH 443/900] update error on ROM 8365560 Bug: 227121550 Bug: 227122249 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Iab96c7644e6c99d700a5f7b42fba30032d3624b7 --- tracking_denials/hal_radioext_default.te | 2 ++ tracking_denials/kernel.te | 3 +++ 2 files changed, 5 insertions(+) create mode 100644 tracking_denials/hal_radioext_default.te diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te new file mode 100644 index 00000000..74a400df --- /dev/null 
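Review bot: `allow hal_sensors_default hidraw_device:chr_file rw_file_perms;` is broad: `/dev/hidraw[0-9]*` (labelled in the file_contexts hunk above) covers every HID device the kernel exposes through hidraw, not just the earbuds named in the Test line, so if a USB or Bluetooth keyboard also enumerates as a hidraw node the sensor HAL could read its raw reports. At least record this in the comment, e.g. `# Raw HID access for dynamic sensors; NOTE this label covers every hidraw node, including keyboards`, and consider whether ueventd or the dynamic-sensor daemon can restrict which nodes get this label. The new `get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)` is fine, but nothing in this diff shows who is allowed to set the property.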
+++ b/tracking_denials/hal_radioext_default.te @@ -0,0 +1,2 @@ +# b/227122249 +dontaudit hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager { find }; diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 94b36310..10d7e52b 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -2,3 +2,6 @@ dontaudit kernel vendor_battery_debugfs:dir { search }; # b/220801802 allow kernel same_process_hal_file:file r_file_perms; +# b/227121550 +dontaudit kernel vendor_usb_debugfs:dir { search }; +dontaudit kernel vendor_votable_debugfs:dir { search }; From 3496931400313534f098f03d3a15d9263d56820d Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Fri, 25 Mar 2022 12:49:41 -0700 Subject: [PATCH 444/900] sepolicy: allow dump page_pinner Provide necessary sepolicy for dumpreport to access page_pinner information in /sys/kernel/debug/page_pinner/{longterm_pinner, alloc_contig_failed} Bug: 226956571 Test: Run "adb bugreport " and verify it contains the output from page_pinner. Signed-off-by: Minchan Kim Change-Id: I7b00d4930fbaa2061537cd8c84616c1053c829cf --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 1 + whitechapel_pro/hal_dumpstate_default.te | 4 ++++ 3 files changed, 6 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 75f16663..c16169b8 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -58,6 +58,7 @@ type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; type vendor_dmabuf_debugfs, fs_type, debugfs_type; type vendor_dri_debugfs, fs_type, debugfs_type; +type vendor_page_pinner_debugfs, fs_type, debugfs_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index af411701..ed884251 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
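Review bot: `dontaudit hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager { find };` hides a denial that is also a functional failure: a refused `find` means the HAL's lookup of the BT-coexistence hwservice returns nothing, so that path silently does not run on enforcing builds. If the lookup is intended, the fix is `allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;`; if it is not, the client should stop calling it. Keeping the bug reference is good, but a dontaudit on a service lookup should not outlive the bug it tracks.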
@@ -150,6 +150,7 @@ genfscon debugfs /google_charger u:object
 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
+genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
 
 # Battery
 genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 0e4c34cf..c32f7ba9 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -109,6 +109,8 @@ userdebug_or_eng(`
  allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
  allow hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms;
  allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
+ allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
 ')
 
 dontaudit hal_dumpstate_default mnt_vendor_file:dir search;
@@ -129,3 +131,5 @@ dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
 dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
 dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
 dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
From 32f2e4b0e7c7947cf419bb53fd9c2018ddcd287a Mon Sep 17 00:00:00 2001
From: Kris Chen
Date: Fri, 25 Mar 2022 14:55:31 +0800
Subject: [PATCH 445/900] Allow hal_fingerprint_default to access sysfs_display Fix the following avc denial: avc: denied { read } for name="panel_name" dev="sysfs" ino=71133 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=0 Bug: 223687187 Test: build and test fingerprint on device. Change-Id: Ief1ccc7e2fa6b8b4dc1ecbd6d446cc49ee3936ce
---
 whitechapel_pro/hal_fingerprint_default.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te
index 7d5f4f2c..fa03d984 100644
--- a/whitechapel_pro/hal_fingerprint_default.te
+++ b/whitechapel_pro/hal_fingerprint_default.te
@@ -21,3 +21,5 @@ allow hal_fingerprint_default block_device:dir search;
 
 # Allow fingerprint to access fwk_sensor_hwservice
 allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
+# Allow fingerprint to read sysfs_display
+allow hal_fingerprint_default sysfs_display:file r_file_perms;
From 3fdb24bdc19bd914dfab0f5120012e1f3c068232 Mon Sep 17 00:00:00 2001
From: Ray Chi
Date: Tue, 29 Mar 2022 15:45:11 +0800
Subject: [PATCH 446/900] Revert "add sepolicy for set_usb_irq.sh" This reverts commit 6733f9667d6afe2dd3e62a33043493b58d6ca03b. Bug: 225789036 Test: build pass Change-Id: If43c8db71c737d509b1dfd098503f564a06bf046
---
 whitechapel_pro/file_contexts | 4 ----
 whitechapel_pro/set-usb-irq-sh.te | 13 -------------
 2 files changed, 17 deletions(-)
 delete mode 100644 whitechapel_pro/set-usb-irq-sh.te
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 67ceea77..3b31f641 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
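Review bot: The grant `allow hal_fingerprint_default sysfs_display:file r_file_perms;` is wider than the denial it fixes: the denial names only `panel_name`, but `sysfs_display` also labels the `serial_number` and `early_wakeup` nodes (see the genfs_contexts hunk of patch 457 in this series), so the fingerprint HAL now reads the panel serial as well. If only the panel name is needed, a dedicated type for that node would keep the serial out of reach; otherwise the comment should name the actual need, e.g. `# Allow fingerprint to read panel_name (sysfs_display also covers serial_number/early_wakeup)`.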
@@ -220,9 +220,5 @@
 /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
 
-# USB
-/vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0
-
 # Raw HID device
 /dev/hidraw[0-9]* u:object_r:hidraw_device:s0
-
diff --git a/whitechapel_pro/set-usb-irq-sh.te b/whitechapel_pro/set-usb-irq-sh.te
deleted file mode 100644
index a00fe3bb..00000000
--- a/whitechapel_pro/set-usb-irq-sh.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type set-usb-irq-sh, domain;
-type set-usb-irq-sh_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(set-usb-irq-sh)
-
-allow set-usb-irq-sh vendor_toolbox_exec:file execute_no_trans;
-
-allow set-usb-irq-sh proc_irq:dir r_dir_perms;
-allow set-usb-irq-sh proc_irq:file w_file_perms;
-
-# AFAICT this happens if /proc/irq updates as we're running
-# and we end up trying to write into non-existing file,
-# which implies creation...
-dontaudit set-usb-irq-sh self:capability dac_override;
From 3d3ae38c43c87b53e302cbb1a34ee448067b3deb Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Wed, 30 Mar 2022 12:40:02 +0800
Subject: [PATCH 447/900] Update avc error on ROM 8378382 Bug: 226850644 Test: PtsSELinuxTestCases Change-Id: Ie6c6d8979dc63ebda7c699f10c2abb369a048ab0
---
 tracking_denials/incidentd.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 tracking_denials/incidentd.te
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 00000000..90b1025f
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,2 @@
+# b/226850644
+dontaudit incidentd debugfs_wakeup_sources:file { read };
From 6379865b9d662442de99ea292b4686aed852a5ad Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Wed, 30 Mar 2022 14:54:36 +0800
Subject: [PATCH 448/900] Update avc error on ROM 8374246 Bug: 227286343 Test: forrest with boot test Change-Id: I44e32ac8d141dcb14c79ea4d8e78df3f88485dab
---
 tracking_denials/kernel.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 10d7e52b..ccf2a232 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -5,3 +5,5 @@ allow kernel same_process_hal_file:file r_file_perms;
 # b/227121550
 dontaudit kernel vendor_usb_debugfs:dir { search };
 dontaudit kernel vendor_votable_debugfs:dir { search };
+# b/227286343
+dontaudit kernel vendor_regmap_debugfs:dir { search };
From 8e9be24a8162e1cd6bd4751e8645f45a0c4e11c0 Mon Sep 17 00:00:00 2001
From: SalmaxChang
Date: Wed, 30 Mar 2022 16:12:59 +0800
Subject: [PATCH 449/900] hal_dumpstate_default: fix avc error avc: denied { search } for comm="dumpstate@1.1-s" name="modem_stat" dev="dm-42" ino=328 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:modem_stat_data_file:s0 tclass=dir Bug: 227424943 Change-Id: I44e2337129e814ed176ac270ae6c35e34089aa74
---
 whitechapel_pro/hal_dumpstate_default.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index c32f7ba9..3bc4e128 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -43,6 +43,7 @@ allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
 
 allow hal_dumpstate_default modem_efs_file:dir search;
 allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms;
 allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
 allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
 
From b36cf348d07aee685d86197cc1d8972c5be2ae71 Mon Sep 17 00:00:00 2001
From: Ocean Chen
Date: Thu, 10 Mar 2022 15:09:06 +0800
Subject: [PATCH 450/900] sepolicy: add smart_idle_maint_enabled_prop for pixelstats pixelstats get this sysprop hit the avc denied persist.device_config.storage_native_boot.smart_idle_maint_enabled pixelstats-vend: type=1400 audit(0.0:22): avc: denied { read } for name="u:object_r:device_config_storage_native_boot_prop:s0" dev="tmpfs" ino=171 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:device_config_storage_native_boot_prop:s0 tclass=file permissive=0 Bug: 215443809 Test: local build and run pixelstats Signed-off-by: Ocean Chen Change-Id: Iedb4fa00c5e18cda6c799c3461bf8298bcf357eb
---
 whitechapel_pro/pixelstats_vendor.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 645b6ae2..69674fb8 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -9,3 +9,6 @@ allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
 
 # Batery history
 allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+
+# storage smart idle maintenance
+get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);
From 2dc6f70afc2ffa5255e81417632374c1e14eab2e Mon Sep 17 00:00:00 2001
From: chungkai
Date: Wed, 30 Mar 2022 08:07:22 +0000
Subject: [PATCH 451/900] sched: move sysfs to procfs Modify name from sysfs_vendor_sched to proc_vendor_sched Test: without avc denial Bug: 216207007 Signed-off-by: chungkai Change-Id: Ieb829e96ac1db2a1aa28fc416182450d128cac5c
---
 whitechapel_pro/file.te | 2 +-
 whitechapel_pro/ssr_detector.te | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index c16169b8..fd6761d3 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
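Review bot: The denial quoted in the commit message is against `device_config_storage_native_boot_prop`, yet the new rule is `get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);`, which only resolves that denial if `persist.device_config.storage_native_boot.smart_idle_maint_enabled` has been relabelled to `smart_idle_maint_enabled_prop` in the platform property_contexts — something this patch neither does nor references. That dependency is worth confirming against the platform policy and recording in the comment, e.g. `# storage smart idle maintenance (relies on platform policy labelling persist.device_config.storage_native_boot.smart_idle_maint_enabled as smart_idle_maint_enabled_prop)`. The trailing `;` after the macro call is also inconsistent with the other `get_prop(...)`/`set_prop(...)` lines added in this series, which carry none.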
@@ -102,7 +102,7 @@ type proc_touch, proc_type, fs_type;
 
 # Vendor sched files
 userdebug_or_eng(`
- typeattribute sysfs_vendor_sched mlstrustedobject;
+ typeattribute proc_vendor_sched mlstrustedobject;
 ')
 
 # SJTAG
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
index 793e51b6..60ec1bb5 100644
--- a/whitechapel_pro/ssr_detector.te
+++ b/whitechapel_pro/ssr_detector.te
@@ -14,8 +14,8 @@ userdebug_or_eng(`
  get_prop(ssr_detector_app, vendor_aoc_prop)
  allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
  allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
- allow ssr_detector_app sysfs_vendor_sched:dir search;
- allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms;
+ allow ssr_detector_app proc_vendor_sched:dir search;
+ allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
  allow ssr_detector_app cgroup:file write;
 ')
 
From 9211922e706b752917bcf5dbe791d7c8ea0ee4c6 Mon Sep 17 00:00:00 2001
From: Taesoon Park
Date: Fri, 11 Mar 2022 13:17:43 +0900
Subject: [PATCH 452/900] Add permission to access vendor.ims property to vendor ims app Vendor IMS Service read a SystemProperty starts with persist.vendor.ims prefix, but it does not have a permission to access it. This change create a permission to access the SystemProperties start with 'persist.vendor.ims.' prefix from vendor ims service. Bug: 204714230 Test: Test results in b/225430461#comment40 enabling the property Signed-off-by: Taesoon Park Change-Id: Ied50f377a3069eac65836ea999dfe021f4e4ed5d
---
 whitechapel_pro/property.te | 1 +
 whitechapel_pro/property_contexts | 2 ++
 whitechapel_pro/vendor_ims_app.te | 1 +
 3 files changed, 4 insertions(+)
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 00ffa07d..bc898f47 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -11,6 +11,7 @@ vendor_internal_prop(vendor_nfc_prop)
 vendor_internal_prop(vendor_secure_element_prop)
 vendor_internal_prop(vendor_battery_profile_prop)
 vendor_internal_prop(vendor_battery_defender_prop)
+vendor_internal_prop(vendor_imssvc_prop)
 vendor_internal_prop(vendor_camera_prop)
 vendor_internal_prop(vendor_camera_debug_prop)
 vendor_internal_prop(vendor_camera_fatp_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index cca975dd..2bad7c56 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -100,3 +100,5 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro
 # Dynamic sensor
 vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
 
+# for ims service
+persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0
diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te
index 8d655747..38e63646 100644
--- a/whitechapel_pro/vendor_ims_app.te
+++ b/whitechapel_pro/vendor_ims_app.te
@@ -14,3 +14,4 @@ allow vendor_ims_app mediametrics_service:service_manager find;
 binder_call(vendor_ims_app, rild)
 set_prop(vendor_ims_app, vendor_rild_prop)
 set_prop(vendor_ims_app, radio_prop)
+get_prop(vendor_ims_app, vendor_imssvc_prop)
From 97326bf38bb4ce1345c03f30b00eafa50b48c675 Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Fri, 1 Apr 2022 11:54:12 +0800
Subject: [PATCH 453/900] Update avc error on ROM 8388849 Bug: 221384939 Bug: 227694693 Bug: 227695036 Test: PtsSELinuxTestCases Change-Id: I0768e29a0a162c6f568a5186602b01f1375a1ca5
---
 tracking_denials/dumpstate.te | 2 ++
 tracking_denials/hal_sensors_default.te | 2 ++
 tracking_denials/vendor_init.te | 2 ++
 3 files changed, 6 insertions(+)
 create mode 100644 tracking_denials/hal_sensors_default.te
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 1b424e58..aaff71e5 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -2,3 +2,5 @@ dontaudit dumpstate app_zygote:process { signal };
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
 dontaudit dumpstate sysfs:file { read };
+# b/227694693
+dontaudit dumpstate incident:process { signal };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
new file mode 100644
index 00000000..fb1bb237
--- /dev/null
+++ b/tracking_denials/hal_sensors_default.te
@@ -0,0 +1,2 @@
+# b/227695036
+dontaudit hal_sensors_default sensor_reg_data_file:dir { write };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 850099a9..05adec72 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -2,3 +2,5 @@ dontaudit vendor_init thermal_link_device:file { create };
 # b/226271913
 dontaudit vendor_init vendor_maxfg_debugfs:file setattr;
+# b/221384939
+dontaudit vendor_init vendor_battery_defender_prop:property_service { set } ;
From ede5e0944a82b70e4ce6ece5714a8e4d38423ade Mon Sep 17 00:00:00 2001
From: Anthony Stange
Date: Tue, 29 Mar 2022 15:03:50 +0000
Subject: [PATCH 454/900] Add BT HAL SELinux policy Bug: 193474802 Test: presubmits Change-Id: I0ce730c119b60fdfec6e31dea88f5edbf69048ed
---
 whitechapel_pro/bluetooth.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te
index 9d909045..3795e299 100644
--- a/whitechapel_pro/bluetooth.te
+++ b/whitechapel_pro/bluetooth.te
@@ -1,2 +1,5 @@
 allow bluetooth proc_vendor_sched:dir r_dir_perms;
-allow bluetooth proc_vendor_sched:file w_file_perms;
\ No newline at end of file
+allow bluetooth proc_vendor_sched:file w_file_perms;
+
+allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
\ No newline at end of file
From ece8953942faccc6a3f28ff94f7d83c4fccc63bf Mon Sep 17 00:00:00 2001
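Review bot: `dontaudit vendor_init vendor_battery_defender_prop:property_service { set } ;` in the vendor_init.te hunk silences a property-set attempt by vendor_init instead of resolving it; if an init .rc line is meant to set a `vendor_battery_defender_prop`-labelled property, that set now fails with no audit record, which is a functional regression hidden by the tracking rule. Either the set is legitimate and belongs as `set_prop(vendor_init, vendor_battery_defender_prop)` in the domain's policy, or the .rc line should go, and the bug reference ought to record which. The stray space in `{ set } ;` also differs from the `{ search };` / `{ read };` style of the neighbouring tracking_denials entries.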
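Review bot: The two new `hal_bluetooth_btlinux` rules in the bluetooth.te hunk are placed in a file whose existing rules belong to the `bluetooth` domain; the rest of this tree keeps one domain per file (`hal_sensors_default.te`, `hal_dumpstate_default.te`, …), so a `hal_bluetooth_btlinux.te` would keep the policy navigable. The explicit `{ getattr open read write }` set is narrower than `rw_file_perms` (no ioctl, lock or map); if that is deliberate it deserves a one-line comment, e.g. `# BT HAL reads/writes the AoC char device; ioctl intentionally not granted`, so a later "fix the denial" change does not silently widen it. The new side of the file still ends without a trailing newline.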
From: samou
Date: Wed, 9 Mar 2022 09:51:55 +0000
Subject: [PATCH 455/900] Move ODPM file rule to pixel sepolicy Bug: 213257759 Change-Id: I24105669b076061780addf5b038607f4d1957ee5
---
 whitechapel_pro/file.te | 1 -
 whitechapel_pro/hal_power_stats_default.te | 1 -
 whitechapel_pro/hal_thermal_default.te | 1 -
 3 files changed, 3 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index fd6761d3..3d894e3d 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -42,7 +42,6 @@ type sysfs_wlc, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_cpu, sysfs_type, fs_type;
-type sysfs_odpm, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te
index 4451f88a..3365228b 100644
--- a/whitechapel_pro/hal_power_stats_default.te
+++ b/whitechapel_pro/hal_power_stats_default.te
@@ -8,7 +8,6 @@ r_dir_file(hal_power_stats_default, sysfs_cpu)
 r_dir_file(hal_power_stats_default, sysfs_edgetpu)
 r_dir_file(hal_power_stats_default, sysfs_iio_devices)
 r_dir_file(hal_power_stats_default, sysfs_leds)
-r_dir_file(hal_power_stats_default, sysfs_odpm)
 r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
 r_dir_file(hal_power_stats_default, sysfs_wifi)
 
diff --git a/whitechapel_pro/hal_thermal_default.te b/whitechapel_pro/hal_thermal_default.te
index 9852a767..5e597c7c 100644
--- a/whitechapel_pro/hal_thermal_default.te
+++ b/whitechapel_pro/hal_thermal_default.te
@@ -1,2 +1 @@
 allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms;
-allow hal_thermal_default sysfs_odpm:file r_file_perms;
From 882527f08bc6d09aa359e91aae5daa521af885cc Mon Sep 17 00:00:00 2001
From: Mason Wang
Date: Thu, 31 Mar 2022 22:10:26 +0800
Subject: [PATCH 456/900] hal_dumpstate_default: Fix avc denial of focaltech_touch. Fixed following avc denial: avc: denied { read } for name="focaltech_touch" dev="proc" ino=4026535419 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:proc_touch:s0 tclass=dir permissive=0 Bug: 199105131 Test: Verify pass by checking device log are w/o above errors when trigger bugreport. Change-Id: Id2af1f59cd397f0332fba94f68d9940f612a8e81
---
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 3bc4e128..f5ebec11 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -65,6 +65,9 @@ allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
 allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
 
+allow hal_dumpstate_default proc_touch:dir r_dir_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
 allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
 binder_call(hal_dumpstate_default, hal_graphics_composer_default);
 vndbinder_use(hal_dumpstate_default)
From 18f8d933abe383bccfbf8587107727ec8cbb31f7 Mon Sep 17 00:00:00 2001
From: Jeremy DeHaan
Date: Tue, 5 Apr 2022 21:29:42 +0000
Subject: [PATCH 457/900] Update selinux policy for display information Two new sysfs nodes were added to sysfs_display type and permission to access sysfs_display nodes was added for the dumpstate service. This allows display information to be captured during bug report generation. Bug: 225376485 Test: Manual - ran 'adb bugreport' Change-Id: Ib121b0b21aa326e791e67c5bd24b3e70979a554c
---
 whitechapel_pro/genfs_contexts | 2 ++
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 2 files changed, 5 insertions(+)
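Review bot: The denial being fixed is `{ read }` on the `proc_touch` directory, but the added `allow hal_dumpstate_default proc_touch:file rw_file_perms;` also grants write on every proc_touch file, so the bug-report HAL can change touch-driver state rather than just collect it. If dumpstate only reads the nodes, `r_file_perms` covers the need; if a write is required to trigger a dump (as the neighbouring `sysfs_touch:file rw_file_perms` context line suggests may be the pattern), the rule should carry a comment naming the node that is written, e.g. `# write needed to trigger the <node — fill in> dump`.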
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ed884251..7e839e83 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -101,10 +101,12 @@ genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup
 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index f5ebec11..4f0922fa 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -70,6 +70,9 @@ allow hal_dumpstate_default proc_touch:file rw_file_perms;
 
 allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
 binder_call(hal_dumpstate_default, hal_graphics_composer_default);
+allow hal_dumpstate_default sysfs_display:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_display:file r_file_perms;
+
 vndbinder_use(hal_dumpstate_default)
 
 allow hal_dumpstate_default shell_data_file:file getattr;
From 15f80f57bfaea35e44ed96eb14c37395037e7bd3 Mon Sep 17 00:00:00 2001
From: Siddharth Kapoor
Date: Thu, 7 Apr 2022 03:29:56 +0000
Subject: [PATCH 458/900] Revert "Move ODPM file rule to pixel sepolicy" Revert "Move ODPM file rule to pixel sepolicy" Revert "Move ODPM file rule to pixel sepolicy" Revert submission 17215583-odpm_sepolicy_refactor-tm-dev Reason for revert: build failure tracked in b/228261711 Reverted Changes: Ic9a89950a:Move ODPM file rule to pixel sepolicy I24105669b:Move ODPM file rule to pixel sepolicy I044a285ff:Move ODPM file rule to pixel sepolicy Change-Id: Idbf5cd106f229c8a72b2ecbc6e5ffd20d9e06805
---
 whitechapel_pro/file.te | 1 +
 whitechapel_pro/hal_power_stats_default.te | 1 +
 whitechapel_pro/hal_thermal_default.te | 1 +
 3 files changed, 3 insertions(+)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 3d894e3d..fd6761d3 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -42,6 +42,7 @@ type sysfs_wlc, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_cpu, sysfs_type, fs_type;
+type sysfs_odpm, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te
index 3365228b..4451f88a 100644
--- a/whitechapel_pro/hal_power_stats_default.te
+++ b/whitechapel_pro/hal_power_stats_default.te
@@ -8,6 +8,7 @@ r_dir_file(hal_power_stats_default, sysfs_cpu)
 r_dir_file(hal_power_stats_default, sysfs_edgetpu)
 r_dir_file(hal_power_stats_default, sysfs_iio_devices)
 r_dir_file(hal_power_stats_default, sysfs_leds)
+r_dir_file(hal_power_stats_default, sysfs_odpm)
 r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
 r_dir_file(hal_power_stats_default, sysfs_wifi)
 
diff --git a/whitechapel_pro/hal_thermal_default.te b/whitechapel_pro/hal_thermal_default.te
index 5e597c7c..9852a767 100644
--- a/whitechapel_pro/hal_thermal_default.te
+++ b/whitechapel_pro/hal_thermal_default.te
@@ -1 +1,2 @@
 allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms;
+allow hal_thermal_default sysfs_odpm:file r_file_perms;
From 1e88b530fa7b45d707e34a8743a5ab07d2521eed Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 6 Apr 2022 09:41:31 +0800
Subject: [PATCH 459/900] let sensor access aoc 04-03 05:57:12.776 859 859 I auditd : type=1400 audit(0.0:7): avc: denied { read } for comm="UsfHalWorker" name="services" dev="sysfs" ino=69355 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_aoc_dumpstate:s0 tclass=file permissive=0 04-03 05:57:12.776 859 859 I auditd : type=1400 audit(0.0:8): avc: denied { write } for comm="UsfHalWorker" name="reset" dev="sysfs" ino=69363 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_aoc_reset:s0 tclass=file permissive=0 Bug: 228030183 Bug: 228030193 Test: boot with no relevant errors Change-Id: I87fd1aa1dc9b9cf42b23fb0e7f5d4e5b6f845610
---
 whitechapel_pro/hal_sensors_default.te | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
index 65f2db8a..b33741e5 100644
--- a/whitechapel_pro/hal_sensors_default.te
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -48,6 +48,12 @@ allow hal_sensors_default sysfs_chosen:file r_file_perms;
 # Allow access to sensor service for sensor_listener.
 binder_call(hal_sensors_default, system_server);
 
+# Allow sensor HAL to reset AOC.
+allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
+
+# Allow sensor HAL to read AoC dumpstate.
+allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
+
 # Allow sensor HAL to access the display service HAL
 allow hal_sensors_default hal_pixel_display_service:service_manager find;
From a1c2f220a745be432f377d6c1975bb9d2e7f5287 Mon Sep 17 00:00:00 2001
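Review bot: `allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;` grants more than the quoted denial, which is `{ write }` on the `reset` node; `w_file_perms` would match the need, whereas `rw_file_perms` additionally brings read and ioctl on a node whose only purpose per the comment is to trigger a reset. Since this hands the sensor HAL the ability to reset the AoC at will, the one-line comment `# Allow sensor HAL to reset AOC.` should say under what condition the HAL does so (e.g. recovery after a detected hang) so the grant can be re-evaluated later; a sentence like `# Allow sensor HAL to reset AOC (only on <condition — fill in>).` would do.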
From: Adrian Salido
Date: Fri, 4 Mar 2022 20:15:25 +0000
Subject: [PATCH 460/900] allow hwc access to persistent vendor display sysprop Test: check avc denials while switching resolution Bug: 217399988 Change-Id: Ia3a3ab394ec23ea3150a8cf4638e045cd1e9cac9
---
 whitechapel_pro/hal_graphics_composer_default.te | 4 ++--
 whitechapel_pro/property_contexts | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te
index 44c01530..61972c75 100644
--- a/whitechapel_pro/hal_graphics_composer_default.te
+++ b/whitechapel_pro/hal_graphics_composer_default.te
@@ -36,8 +36,8 @@ allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
 # allow HWC to get vendor_persist_sys_default_prop
 get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
 
-# allow HWC to get vendor_display_prop
-get_prop(hal_graphics_composer_default, vendor_display_prop)
+# allow HWC to get/set vendor_display_prop
+set_prop(hal_graphics_composer_default, vendor_display_prop)
 
 # boot stauts prop
 get_prop(hal_graphics_composer_default, boot_status_prop);
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 2bad7c56..ce737004 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -70,6 +70,7 @@ vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
 
 # for display
 ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+persist.vendor.display. u:object_r:vendor_display_prop:s0
 
 # Camera
 persist.vendor.camera. u:object_r:vendor_camera_prop:s0
From fb466b491595531f185660b459ddc2a015ded85f Mon Sep 17 00:00:00 2001
From: chungkai
Date: Thu, 31 Mar 2022 09:00:23 +0000
Subject: [PATCH 461/900] genfs_contexts: fix path for i2c peripheral device paths are changed when we enable parallel module loading and reorder the initializtaion of devices. Test: without avc denial Bug: 227541760
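Review bot: Switching from `get_prop` to `set_prop(hal_graphics_composer_default, vendor_display_prop)` widens write access to the whole `vendor_display_prop` type, which after the property_contexts hunk covers both `ro.vendor.hwc.drm.device` and the new `persist.vendor.display.` prefix, so the HAL is now allowed to set the `ro.` property as well (an ro. property cannot be changed once set, but the rule still grants the attempt). A separate type for the persist prefix — say `vendor_display_persist_prop` (constructed name) — with `set_prop` on that and `get_prop` kept on the existing type would confine the write grant to what the commit actually needs.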
Signed-off-by: chungkai Change-Id: Icd74392e0684ac5614a83d14b936be880148f919
---
 whitechapel_pro/genfs_contexts | 76 +++++++++++++++++++++++++++++-----
 1 file changed, 66 insertions(+), 10 deletions(-)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ed884251..1ac67690 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -64,18 +64,27 @@ genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count
 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
 
 # Power ODPM
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
 
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
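Review bot: The ODPM block now labels both `iio:device0` and `iio:device1` under each of the two `acpm_mfd_bus` paths, but nothing in the hunk says why, so a later reader will read the second block as a copy-paste mistake. A comment ahead of the duplicated block, e.g. `# iio:deviceN numbering depends on probe order, so both are labelled for each meter`, would ground it in the parallel-module-loading rationale from the commit message. The hunk also replaces the `i2c-4` st21nfc `power_stats` path with `i2c-6` instead of keeping both, and the second hunk does the same for the st21nfc `wakeup` entry, whereas the battery, WLC, extcon and haptics entries there are added for `i2c-5` through `i2c-8` alongside the existing ones; if the bus number genuinely varies with probe order, the two NFC entries deserve the same treatment, or a note explaining why that device is fixed at `i2c-6`.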
@@ -159,16 +168,37 @@ genfscon sysfs /devices/platform/google,charger genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0 # P22 battery +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0 # Extcon genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/extcon 
u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 + +# Haptics +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 # system suspend wakeup files -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 
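Review bot: The NFC wakeup entry is swapped rather than extended: `-.../i2c-4/i2c-st21nfc/wakeup` is removed and only the `i2c-6` path is added, while every other device in this hunk keeps its previous bus number alongside the new ones (`i2c-5` through `i2c-8` for the eeprom, p9412 and max77759tcpc nodes). If the st21nfc can still enumerate on i2c-4 on some boots, its wakeup node falls back to the generic sysfs label and suspend control will be denied on it. Suggest keeping `genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0` next to the new i2c-6 line, plus a one-line comment above the block explaining why several bus numbers are listed for the same device.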
@@ -177,10 +207,31 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/main-c genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 
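Review bot: The i2c-8 wakeup nodes are missing: the preceding hunk labels the i2c-8 devices on `10d60000.hsi2c` (`i2c-8/8-0069/power_supply`, `i2c-8/i2c-max77759tcpc/extcon`) and on `10da0000.hsi2c` (`i2c-8/i2c-p9412`), but this hunk adds `.../wakeup` entries only for i2c-6 and i2c-7 under `10d60000.hsi2c`, so the maxfg, pca94xx-mains, dc, main-charger and max77759tcpc wakeup files on i2c-8 stay with the default sysfs label. Patch 468 later in this series adds exactly those seven lines; folding them in here would keep each commit self-consistent. A short comment such as `# bus numbers vary with probe order; list every observed enumeration` above the first duplicated group would also stop the next reader from "cleaning up" the duplicates.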
@@ -188,6 +239,11 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 From 2a3100de6eea80ece36d2ad07509f0febb6a0c40 Mon Sep 17 00:00:00 2001 From: chungkai Date: Wed, 6 Apr 2022 11:02:13 +0000 Subject: [PATCH 462/900] sepolicy: ignore avc denial dont audit since it's debugfs Bug: 228181404 Test: forrest with boot test Signed-off-by: chungkai Change-Id: I77a385b73b5a9edafefa8e7d34a351594cd5cd06 --- tracking_denials/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index ccf2a232..d75b1fb1 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te 
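Review bot: The new `i2c-0`/`i2c-1` entries for the s2mpg12/s2mpg13 PMIC wakeup nodes are added next to the existing `i2c-7`/`i2c-8` ones with no explanation, so a reader of genfs_contexts cannot tell whether the old lines are stale or both enumerations are expected. A later commit in this series (477) attributes the duplicate bus numbers to parallel module loading; if that is the reason here too, record it once, e.g. `# PMIC bus numbers depend on probe order (parallel module loading); both enumerations are valid` above the first pair, so neither set is removed by mistake. The `iio:device0`/`iio:device1` ODPM pairs earlier in this file presumably exist for the same reason and would benefit from the same note.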
@@ -7,3 +7,5 @@ dontaudit kernel vendor_usb_debugfs:dir { search }; dontaudit kernel vendor_votable_debugfs:dir { search }; # b/227286343 dontaudit kernel vendor_regmap_debugfs:dir { search }; +# b/228181404 +dontaudit kernel vendor_maxfg_debugfs:dir { search }; \ No newline at end of file From 5ce2f99f3868b9b4c5b088148e47d9c4ab9bc1e0 Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Mon, 4 Apr 2022 18:22:47 -0700 Subject: [PATCH 463/900] ODPM: Add ODPM config file to be read by powerstats 2.0 Test: Ensure that there are no sepolicy errors when /data/vendor/powerstats/odpm_config exists Bug: 228112997 Change-Id: I094c29c4d1a82bccfabde7a5511f4aa833c2cd35 --- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_power_stats_default.te | 5 +++++ 3 files changed, 7 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index fd6761d3..b42bf4ee 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -14,6 +14,7 @@ type sensor_reg_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; +type powerstats_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 3b31f641..ae1d4f23 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -204,6 +204,7 @@ /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 /dev/battery_history u:object_r:battery_history_device:s0 +/data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 # Persist /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 
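Review bot: The added line ends without a trailing newline (`\ No newline at end of file`), so the next entry appended to tracking_denials/kernel.te will either produce a noisy diff or be concatenated onto this one by a script that appends blindly; add the final newline. Separately, `dontaudit kernel vendor_maxfg_debugfs:dir { search }` silences a kernel-domain lookup in a debugfs directory; debugfs is not expected to be mounted on user builds after boot, so the comment should say whether this is a userdebug/eng-only artifact or a driver lookup that should be fixed, e.g. `# b/228181404 - maxfg driver probes its debugfs dir; userdebug/eng only`.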
diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te index 4451f88a..4160fcda 100644 --- a/whitechapel_pro/hal_power_stats_default.te +++ b/whitechapel_pro/hal_power_stats_default.te @@ -11,6 +11,11 @@ r_dir_file(hal_power_stats_default, sysfs_leds) r_dir_file(hal_power_stats_default, sysfs_odpm) r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000) r_dir_file(hal_power_stats_default, sysfs_wifi) +r_dir_file(hal_power_stats_default, powerstats_vendor_data_file) + +# Rail selection requires read/write permissions +allow hal_power_stats_default sysfs_odpm:dir search; +allow hal_power_stats_default sysfs_odpm:file rw_file_perms; # getStateResidency AIDL callback for Bluetooth HAL binder_call(hal_power_stats_default, hal_bluetooth_btlinux) From 73b95396fd495c4fe363590d5e5d2d85236901a5 Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Mon, 21 Mar 2022 17:48:27 -0700 Subject: [PATCH 464/900] Fix off-mode (charger) sepolicy for the health interface Bug: 223537397 Test: Ensure that there are no selinux errors for charger_vendor in off-mode charging Change-Id: I9074079a7ba67813da6b6ad7b110d964b9b7db6d --- whitechapel_pro/charger_vendor.te | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 whitechapel_pro/charger_vendor.te diff --git a/whitechapel_pro/charger_vendor.te b/whitechapel_pro/charger_vendor.te new file mode 100644 index 00000000..df59b717 --- /dev/null +++ b/whitechapel_pro/charger_vendor.te 
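Review bot: `allow hal_power_stats_default sysfs_odpm:dir search;` is redundant: `r_dir_file(hal_power_stats_default, sysfs_odpm)` three lines above already grants `r_dir_perms` on the directory, which includes `search`, so only the `:file rw_file_perms` line is new. The comment says rail selection needs write, but `rw_file_perms` on every `sysfs_odpm` node also covers `sampling_rate`, `energy_value` and `name`; naming the node actually written (`# writes enabled_rails to select the monitored rails`) would make the grant reviewable and let it be narrowed later. Nothing in this series shows who creates `/data/vendor/powerstats/odpm_config`; whichever domain writes it needs its own rule on `powerstats_vendor_data_file`, and the HAL should treat the file as runtime-modifiable data rather than image configuration.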
@@ -0,0 +1,10 @@
+allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor persist_battery_file:dir search;
+allow charger_vendor persist_battery_file:file rw_file_perms;
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+allow charger_vendor sysfs_thermal:file w_file_perms;
+allow charger_vendor sysfs_thermal:lnk_file read;
+allow charger_vendor thermal_link_device:dir search;
+set_prop(charger_vendor, vendor_battery_defender_prop)
From 28a0ab4015d423e59de8f7eecf8ea7fa591eb575 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Mon, 11 Apr 2022 11:04:19 +0800 Subject: [PATCH 465/900] remove obsolete error Bug: 207062833 Bug: 210363938 Bug: 220636850 Test: boot with no relevant error log Change-Id: I4901be83358e860b4a699ce44013fa1b255ceaa5 --- tracking_denials/priv_app.te | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 tracking_denials/priv_app.te
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
deleted file mode 100644
index 5784c9bd..00000000
--- a/tracking_denials/priv_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# b/207062833
-dontaudit priv_app vendor_default_prop:file { getattr };
-dontaudit priv_app vendor_default_prop:file { map };
-dontaudit priv_app vendor_default_prop:file { open };
-# b/210363938
-dontaudit priv_app vendor_apex_file:dir { search };
-dontaudit priv_app vendor_apex_file:file { getattr };
-dontaudit priv_app vendor_apex_file:file { open };
-dontaudit priv_app vendor_apex_file:file { read };
-# b/220636850
-dontaudit priv_app default_prop:property_service { set };
-dontaudit priv_app init:unix_stream_socket { connectto };
-dontaudit priv_app property_socket:sock_file { write };
From c750a64e4cb5a475f06d4e0875619582f841f5d5 Mon Sep 17 00:00:00 2001
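Review bot: `allow charger_vendor sysfs_batteryinfo:file w_file_perms;` grants write on every file carrying the `sysfs_batteryinfo` label, and patch 461's context shows that label applied to the whole `/devices/platform/10d60000.hsi2c` tree (`genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0`), not just the nodes off-mode charging needs; `sysfs_thermal:file w_file_perms` has the same breadth. The new file also has no header comment, so nobody can tell which nodes are written. Suggest opening with `# Off-mode (charger) health HAL: writes charger/thermal limits, reads UFS and persisted battery state` and, if only a handful of nodes are written, giving them a dedicated type instead of the tree-wide label. Note that `w_file_perms` does not include `read`; presumably read access comes from the core charger policy, which is worth confirming on a charger-mode boot.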
From: Darren Hsu Date: Fri, 8 Apr 2022 12:35:21 +0800 Subject: [PATCH 466/900] Label AoC wakeup for system suspend Bug: 227531769 Test: do bugreport without avc denials Change-Id: Ie3efd407ff629b583e37c0b5af430c9a9daf8691 Signed-off-by: Darren Hsu --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 1ac67690..8db4e31e 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -233,6 +233,7 @@ genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 From 2a8ed004f69a24a982417b0b571c7edcf058fd1e Mon Sep 17 00:00:00 2001 From: Grace Chen Date: Wed, 23 Mar 2022 14:53:03 -0700 Subject: [PATCH 467/900] Add selinux permissions to r/w sysfs st33spi_state Bug: 228508704 Test: Confirm can r/w to sysfs file Change-Id: If96f15f53ee510bf361a2bec5f006d67b178981e --- whitechapel_pro/euiccpixel_app.te | 2 ++ whitechapel_pro/file.te | 1 + 2 files changed, 3 insertions(+) diff --git a/whitechapel_pro/euiccpixel_app.te b/whitechapel_pro/euiccpixel_app.te index a59581eb..303f8f36 100644 --- a/whitechapel_pro/euiccpixel_app.te +++ b/whitechapel_pro/euiccpixel_app.te 
@@ -6,6 +6,8 @@ app_domain(euiccpixel_app) allow euiccpixel_app app_api_service:service_manager find; allow euiccpixel_app radio_service:service_manager find; allow euiccpixel_app nfc_service:service_manager find; +allow euiccpixel_app sysfs_st33spi:dir search; +allow euiccpixel_app sysfs_st33spi:file rw_file_perms; set_prop(euiccpixel_app, vendor_secure_element_prop) set_prop(euiccpixel_app, vendor_modem_prop) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index b42bf4ee..361828ff 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -91,6 +91,7 @@ type modem_userdata_file, file_type; # SecureElement type sysfs_st33spi, sysfs_type, fs_type; +typeattribute sysfs_st33spi mlstrustedobject; # GPU type sysfs_gpu, sysfs_type, fs_type; From 68f1d4fb71eb3f7cada2cefc7fbfc40933dca567 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Mon, 11 Apr 2022 13:57:50 +0800 Subject: [PATCH 468/900] sepolicy: label charger wakeup for system suspend Bug: 226887726 Test: do bugreport without avc denials Change-Id: I0b57cfdddb81c1685f6a054944c064e02c099637 Signed-off-by: Darren Hsu --- whitechapel_pro/genfs_contexts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 8db4e31e..038a137d 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
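Review bot: `allow euiccpixel_app sysfs_st33spi:file rw_file_perms;` gives an app domain direct write access to the sysfs node that controls the ST33 secure-element SPI state, bypassing `hal_secure_element_st33spi`, the domain that otherwise owns this device in this series. An app toggling the transport state can race or disrupt the SE HAL, and the grant is not explained; if the write is only needed for eSIM provisioning, routing it through the HAL is the narrower path, and otherwise the rule should carry a comment such as `# eSIM update needs to switch st33spi_state directly (b/228508704)`. It is also worth checking that the app's base domain is not covered by the platform's app-domain sysfs neverallows, since the test description only confirms the access works on one build.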
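Review bot: `typeattribute sysfs_st33spi mlstrustedobject;` is added without a comment; presumably it is needed because `euiccpixel_app` runs at a per-user MLS level and would otherwise fail the MLS constraint when writing the node, but that reasoning is invisible in file.te. Suggest `# mlstrustedobject: written by euiccpixel_app, which runs at a non-default MLS level` so a later cleanup does not drop it. The attribute exempts the node from MLS separation for every domain, not just the app, which is another reason to keep `sysfs_st33spi` scoped to the single control node.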
@@ -199,6 +199,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object # system suspend wakeup files genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 
@@ -221,6 +222,15 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
From e914d6fcc359f541a336caefc3efd8adecc61548 Mon Sep 17 00:00:00 2001
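Review bot: The two `i2c-3/i2c-p9412` wakeup entries label a bus number that has no matching device labels anywhere in this series: the `sysfs_wlc`/`sysfs_batteryinfo` entries for `10da0000.hsi2c/i2c-N/i2c-p9412` cover i2c-5 through i2c-8 (patch 461) and i2c-4 is added later (patch 477), but none cover i2c-3. If the p9412 can enumerate on i2c-3, its `power_supply` directory keeps the default sysfs label and pixelstats/health access would be denied there even though suspend control works; either add the `sysfs_wlc` and `sysfs_batteryinfo` lines for i2c-3 in the same change, or drop the i2c-3 wakeup lines if that bus number was speculative.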
From: Albert Wang Date: Mon, 11 Apr 2022 15:22:08 +0800 Subject: [PATCH 469/900] Add more xHCI wakeup path for suspend_control To addressdd the xHCI wakeup nodes permission problem, add new nodes: /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb3 /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2 /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb3 /devices/platform/11210000.usb/wakeup Bug: 228791172 Test: verified with forrest test build Signed-off-by: Albert Wang Change-Id: I457e64c252ec3573ab15923898c469472fc3b9b6 --- whitechapel_pro/genfs_contexts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index aae0a18f..b97ec9a5 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -242,6 +242,13 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb3 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
From aab4f72223d75dfff2cff2fff0df400d58267591 Mon Sep 17 00:00:00 2001
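Review bot: `.../xhci-hcd-exynos.4.auto/usb2`, `usb3` and the `.5.auto` pair are labeled `sysfs_wakeup` as whole paths, unlike every other entry in this block, which ends in `/wakeup`. genfscon labels by path prefix, so every attribute under the root-hub directories (`authorized`, `power/`, descriptor files, and each attached device's subtree) inherits `sysfs_wakeup`, and any domain granted write on `sysfs_wakeup` for suspend control silently gains write on those too. If the intent is the root hubs' own wakeup attribute, use `.../usb2/wakeup` and `.../usb3/wakeup`; if a directory-level label really is required, a dedicated type with a comment explaining why would be safer than widening `sysfs_wakeup`.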
From: Wayne Lin Date: Tue, 12 Apr 2022 11:56:12 +0800 Subject: [PATCH 470/900] gps: allow system server to send sensor data callback to GPS avc: denied { call } for scontext=u:r:system_server:s0 tcontext=u:r:gpsd:s0 tclass=binder permissive=0 Bug: 224772976 Test: build pass, verify no avc denied and gpsd can receive sensor callback Change-Id: If3b58b5527f67732ea60b3dd943ae472aebb7aed --- whitechapel_pro/system_server.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/system_server.te b/whitechapel_pro/system_server.te index 0e0a159b..93defe77 100644 --- a/whitechapel_pro/system_server.te +++ b/whitechapel_pro/system_server.te @@ -1 +1,4 @@ binder_call(system_server, hal_camera_default); + +# Allow system server to send sensor data callbacks to GPS +binder_call(system_server, gpsd); From cf2cc47e7966dcadbce71c9eb15925d1fa303da3 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Wed, 13 Apr 2022 13:34:04 +0800 Subject: [PATCH 471/900] sepolicy: lable p9412 wakeup for system suspend Bug: 226887726 Bug: 228947596 Test: do bugreport without avc denials Change-Id: Ic8eab625a20c60a4bf78403ef10465074d782821 Signed-off-by: Darren Hsu --- whitechapel_pro/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 038a137d..50697a6d 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -200,6 +200,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object
 # system suspend wakeup files
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
@@ -231,6 +232,8 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_sup
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
From 38151187bf66583734637a32be436df226133ce9 Mon Sep 17 00:00:00 2001
From: Robert Shih Date: Tue, 5 Apr 2022 18:49:06 +0000 Subject: [PATCH 472/900] Pixel 2022: MediaDrm AIDL sepolicy Bug: 219538389 Bug: 221180205 Change-Id: I985230093d692fcf948049455fa465fce116d2a6 Test: atest VtsAidlHalDrmTargetTest --- widevine/file_contexts | 6 +++--- widevine/service_contexts | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 widevine/service_contexts diff --git a/widevine/file_contexts b/widevine/file_contexts index e1529417..92aed3c3 100644 --- a/widevine/file_contexts +++ b/widevine/file_contexts @@ -1,5 +1,5 @@ -/vendor/bin/hw/android\.hardware\.drm@1\.4-service\.widevine u:object_r:hal_drm_widevine_exec:s0 -/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/vendor/bin/hw/android\.hardware\.drm-service\.widevine u:object_r:hal_drm_widevine_exec:s0 +/vendor/bin/hw/android\.hardware\.drm-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 # Data -/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 +/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 diff --git a/widevine/service_contexts b/widevine/service_contexts new file mode 100644 index 00000000..6989dde8 --- /dev/null +++ b/widevine/service_contexts @@ -0,0 +1 @@ +android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 From f1a9fb4da27e837b229e243fd98dc30e65350e23 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Wed, 6 Apr 2022 15:37:40 +0800 Subject: [PATCH 473/900] sepolicy: add sepolicy for disable.battery.defender Bug: 221384939 Signed-off-by: Jenny Ho Change-Id: Iba8f4e7abca98b5805eb75ba386c90581269f749 --- tracking_denials/vendor_init.te | 2 -- whitechapel_pro/vendor_init.te | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 05adec72..850099a9 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te 
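Review bot: The old file_contexts patterns are replaced rather than kept: `android\.hardware\.drm@1\.4-service\.widevine` and the `@[0-9]+\.[0-9]+-service\.clearkey` regex disappear, so if either HIDL binary is still shipped in the vendor image during the AIDL transition it will be labeled as plain `vendor_file` and never transition into `hal_drm_widevine`/`hal_drm_clearkey`. Keeping both patterns until the HIDL services are actually deleted avoids a silent break that only shows up as an init domain-transition failure. The new service_contexts file registers only `IDrmFactory/widevine`; the clearkey instance is presumably covered by the platform service_contexts, and a one-line comment saying so would prevent a duplicate entry later.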
@@ -2,5 +2,3 @@ dontaudit vendor_init thermal_link_device:file { create }; # b/226271913 dontaudit vendor_init vendor_maxfg_debugfs:file setattr; -# b/221384939 -dontaudit vendor_init vendor_battery_defender_prop:property_service { set } ; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index a8626fcf..2b5e6740 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -28,3 +28,6 @@ set_prop(vendor_init, vendor_fingerprint_prop) allow vendor_init proc_touch:file w_file_perms; allow vendor_init modem_img_file:filesystem { getattr }; + +# Battery +set_prop(vendor_init, vendor_battery_defender_prop) From d8eab32b498263fd789c3989c9f725a14f5751fc Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Fri, 8 Apr 2022 07:57:16 +0000 Subject: [PATCH 474/900] Sepolicy: Pixel stats orientationCollector sepolicy Bug: 228547969 Test: adb shell cmd stats print-logs;[do wireless charge], and below log found 03-31 22:52:21.798 801 809 I statsd : { uid(1000) 1648738341 240287209019 (105009)0x10000->[S] 0x20000->0[I] } Signed-off-by: Denny cy Lee Change-Id: I5ef5279ba7c8bf0fd3d4cf0155f5bcad79eeb6b2 --- whitechapel_pro/pixelstats_vendor.te | 4 ++++ whitechapel_pro/system_server.te | 3 +++ 2 files changed, 7 insertions(+) diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 69674fb8..db443835 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -6,6 +6,10 @@ allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; # Wireless charge allow pixelstats_vendor sysfs_wlc:dir search; allow pixelstats_vendor sysfs_wlc:file rw_file_perms; +# Wireless charge/OrientationCollector +get_prop(pixelstats_vendor, hwservicemanager_prop); +hwbinder_use(pixelstats_vendor); +allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; 
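Review bot: The three new macro invocations are terminated with `;` (`get_prop(pixelstats_vendor, hwservicemanager_prop);`, `hwbinder_use(pixelstats_vendor);`) while the rest of this series writes them bare (`set_prop(charger_vendor, vendor_battery_defender_prop)`, `usf_low_latency_transport(chre)`); the m4 expansion already supplies the terminator, so the extra `;` is a stray empty statement and an inconsistent style. Drop the semicolons. The comment `# Wireless charge/OrientationCollector` names the consumer but not what it subscribes to through `fwk_sensor_hwservice`; a half-line stating which sensor the collector reads would make the hwbinder grant reviewable.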
diff --git a/whitechapel_pro/system_server.te b/whitechapel_pro/system_server.te index 93defe77..efc0a103 100644 --- a/whitechapel_pro/system_server.te +++ b/whitechapel_pro/system_server.te @@ -2,3 +2,6 @@ binder_call(system_server, hal_camera_default); # Allow system server to send sensor data callbacks to GPS binder_call(system_server, gpsd); + +# pixelstats_vendor/OrientationCollector +binder_call(system_server, pixelstats_vendor); From f0810342eb7f1698db6a5aa8fe6f8425d54293be Mon Sep 17 00:00:00 2001 From: sukiliu Date: Thu, 14 Apr 2022 10:13:10 +0800 Subject: [PATCH 475/900] Update avc error on ROM 8449600 Bug: 229167195 Test: PtsSELinuxTestCases Change-Id: I0b6cb1142aff6fbfbe828e014a5d9aad91b9817f --- tracking_denials/hal_secure_element_st33spi.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/hal_secure_element_st33spi.te diff --git a/tracking_denials/hal_secure_element_st33spi.te b/tracking_denials/hal_secure_element_st33spi.te new file mode 100644 index 00000000..da4b099d --- /dev/null +++ b/tracking_denials/hal_secure_element_st33spi.te @@ -0,0 +1,2 @@ +# b/229167195 +dontaudit hal_secure_element_st33spi vendor_secure_element_prop:file { read }; From 951bad233c91772cc19dcde7cdc657219a91297d Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Wed, 13 Apr 2022 17:25:40 +0800 Subject: [PATCH 476/900] sepolicy: label AUR as sysfs_thermal Bug: 171499494 Test: adb shell ls -Z /sys/devices/platform/100b0000.AUR Change-Id: I0aa1b95c11d2af5fa2175c582068daad51360485 --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 50697a6d..e5f7faae 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
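Review bot: `dontaudit hal_secure_element_st33spi vendor_secure_element_prop:file { read }` hides the denial instead of deciding whether the read is wanted: patch 467 grants `set_prop(euiccpixel_app, vendor_secure_element_prop)`, so the property is evidently a signal the SE HAL is expected to consume, in which case the right rule is `get_prop(hal_secure_element_st33spi, vendor_secure_element_prop)` in the HAL's own .te file. If the HAL is not supposed to read it, the code path doing the read should be fixed rather than silenced. Entries in tracking_denials/ tend to outlive their bug, so a note on which outcome is intended would help the eventual cleanup.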
@@ -277,6 +277,7 @@ genfscon sysfs /devices/platform/100a0000.BIG u:obje genfscon sysfs /devices/platform/100a0000.ISP u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.AUR u:object_r:sysfs_thermal:s0 genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0 genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0 From fbdb09a2f0aae8860c6eb2408ffe23c00173659c Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 14 Apr 2022 03:45:52 +0000 Subject: [PATCH 477/900] sepolicy: fix avc denials add potential paths for i2c peripheral devices sine we enable parallel module loading Bug: 226887726 Test: do bugreport without avc denials Signed-off-by: chungkai Change-Id: Ifc618e315e9d28cab6f602ce2c99ac7fe35fc189 --- whitechapel_pro/genfs_contexts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index e5f7faae..023344a2 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -64,7 +64,10 @@ genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 # Power ODPM @@ -168,6 +171,9 @@ genfscon sysfs /devices/platform/google,charger genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0 # P22 battery +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 
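Review bot: The second hunk's new line `+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0` mixes bus numbers: i2c client directories are named `<bus>-<addr>`, so the eeprom under i2c-4 lives at `i2c-4/4-0050/eeprom` and this entry can never match, leaving that node with whatever label the closest prefix carries (a later commit in this series, Change-Id I2e9fa011c049e32011c5880218dd679e03316e24, rewrites it). More broadly, the first hunk here, the wakeup hunk that follows, and the later commits If2ac4c137c1ea074907c363424e6018a5fd646e8, I2e9fa011c049e32011c5880218dd679e03316e24 and I4af39bb6e620a59e02417a06c1dabd45df360fc3 each add one more `i2c-N` copy of the same label set as a new adapter number shows up; if the adapter numbers really vary with module load order, pinning them via device-tree aliases would make the label set finite and reviewable instead of open-ended. A comment above the block saying why several bus numbers are listed for the same device would also help, since nothing in the file explains it.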
@@ -198,6 +204,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 # system suspend wakeup files +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 From 403643929de0b278ecf66f75a1f84f74f0ad42c7 Mon Sep 17 00:00:00 2001 From: Anthony Stange Date: Tue, 12 Apr 2022 20:57:25 +0000 Subject: [PATCH 478/900] Update SELinux to allow CHRE to talk to the Wifi HAL Bug: 206614765 Test: Run locally Change-Id: I2cab195d533e3e2c390094bd09b15b5e761eadf0 --- whitechapel_pro/chre.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te index 7eca5e43..319f17dd 100644 --- a/whitechapel_pro/chre.te +++ b/whitechapel_pro/chre.te @@ -15,3 +15,6 @@ allow chre device:dir r_dir_perms; # Allow CHRE to use the USF low latency transport usf_low_latency_transport(chre) +# Allow CHRE to talk to the WiFi HAL +allow chre hal_wifi_ext:binder { call transfer }; +allow chre hal_wifi_ext_hwservice:hwservice_manager find; \ No newline at end of file From 1a0b0ce0c47898f64ccd9ddf98e5d8f9a210979c Mon Sep 17 00:00:00 2001 From: Harpreet Eli Sangha Date: Thu, 14 Apr 2022 16:52:41 +0900 Subject: [PATCH 479/900] Add CccDkTimeSyncService for Digital Key Support Test: Build and Run Bug: 226659256 Signed-off-by: Harpreet Eli Sangha Change-Id: I9dd53a864d53e525282bc49c13b09157fc8d2ece --- whitechapel_pro/cccdk_timesync_app.te | 10 ++++++++++ whitechapel_pro/seapp_contexts | 3 +++ 2 files changed, 13 insertions(+) create mode 100644 whitechapel_pro/cccdk_timesync_app.te 
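Review bot: The new rule `allow chre hal_wifi_ext:binder { call transfer };` is one-directional, while the other .te files in this series (system_server.te, cccdk_timesync_app.te, hal_radioext_default.te) express the same relation with the macro, here `binder_call(chre, hal_wifi_ext)`; the macro additionally grants the HAL `transfer` back to chre for reply references and `fd use` on descriptors it hands over, which a raw allow omits and which would show up as the next denial if the Wi-Fi ext interface returns fds or binder objects. The hunk also ends with `\ No newline at end of file`, so the next edit to chre.te will carry a spurious change on this line.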
diff --git a/whitechapel_pro/cccdk_timesync_app.te b/whitechapel_pro/cccdk_timesync_app.te
new file mode 100644
index 00000000..f6e514d9
--- /dev/null
+++ b/whitechapel_pro/cccdk_timesync_app.te
@@ -0,0 +1,10 @@
+type vendor_cccdktimesync_app, domain;
+app_domain(vendor_cccdktimesync_app)
+
+allow vendor_cccdktimesync_app app_api_service:service_manager find;
+
+binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+
+# allow the HAL to call our registered callbacks
+binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 2bd4f06a..f2fd47f9 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -59,3 +59,6 @@ user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera doma
 # Domain for CatEngineService
 user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
+
+# CccDkTimeSyncService
+user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
From 81d9623cbe94e4f591d4d38f97293e20cb637d5b Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Thu, 14 Apr 2022 18:29:07 +0800
Subject: [PATCH 480/900] Update avc error on ROM 8453400
Bug: 229209076
Test: PtsSELinuxTestCases
Change-Id: I05f06fe0d62cbfbd4783ba9c57dea7d7a7a35fca
---
 tracking_denials/hal_drm_widevine.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 tracking_denials/hal_drm_widevine.te
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
new file mode 100644
index 00000000..cfe7fcf7
--- /dev/null
+++ b/tracking_denials/hal_drm_widevine.te
@@ -0,0 +1,2 @@
+# b/229209076
+dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
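Review bot: The new domain file has no header comment saying what the app is or why it needs a direct binder path to hal_bluetooth_btlinux; a one-line `# CccDkTimeSyncService: Digital Key clock sync via the BT coexistence hwservice (b/226659256)` at the top would do. `allow vendor_cccdktimesync_app app_api_service:service_manager find;` is, as far as I recall, already granted to every appdomain by the platform's app policy once app_domain() is applied — worth confirming against the platform policy in use and dropping the line if so, since duplicated grants make later least-privilege reviews harder.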
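Review bot: The new seapp_contexts entry selects on `name=com.google.pixel.digitalkey.timesync` without a `seinfo=` key, unlike the neighbouring entries (`seinfo=google`, `seinfo=platform`) in this file; a package name is not bound to a signing key, so `isPrivApp=true` (installation from a priv-app directory) is the only thing tying this domain to a trusted binary. If the app is signed with the same certificate as the other Google apps here, `user=_app isPrivApp=true seinfo=google name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all` keeps the file's convention and the stronger identity check.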
From d37777dd336a11cc2bee49d8609aa9c4f1a152b9 Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 14 Apr 2022 09:45:04 +0000 Subject: [PATCH 481/900] sepolicy: fix avc denials add potential paths for i2c peripheral devices sine we enable parallel module loading Bug: 226887726 Test: do bugreport without avc denials Signed-off-by: chungkai Change-Id: If2ac4c137c1ea074907c363424e6018a5fd646e8 --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 023344a2..f30ea261 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -64,6 +64,7 @@ genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 
@@ -204,6 +205,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 # system suspend wakeup files +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 From d80900ae174f12f2b286a4b32126bcd919648f34 Mon Sep 17 00:00:00 2001 From: chungkai Date: Fri, 15 Apr 2022 01:27:56 +0000 Subject: [PATCH 482/900] sepolicy: fix avc denials add potential paths for i2c peripheral devices sine we enable parallel module loading Bug: 228947596 Test: do bugreport without avc denials Signed-off-by: chungkai Change-Id: I2e9fa011c049e32011c5880218dd679e03316e24 --- whitechapel_pro/genfs_contexts | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index f30ea261..e4428b08 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -172,7 +172,10 @@ genfscon sysfs /devices/platform/google,charger genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0 # P22 battery -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 
@@ -193,24 +196,42 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0 # Extcon +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 # Haptics +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 # system suspend wakeup files +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 From a79b98eb25b56c760ee779c462d1f09bc91f7406 Mon Sep 17 00:00:00 2001 From: Oleg Matcovschi Date: Thu, 14 Apr 2022 11:41:54 -0700 Subject: [PATCH 483/900] selinux: remove dpm_[ab] from custom_ab_block_device's Signed-off-by: Oleg Matcovschi Change-Id: I774065f331b1f2970b0fee5a41faa097fa88caf8 --- whitechapel_pro/file_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index ae1d4f23..5d93973e 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -161,7 +161,6 @@ /dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 From 2dc0bbd55b21b605fbb48c8ac9d75b59b17cc164 Mon Sep 17 00:00:00 2001 From: Joshua McCloskey Date: Wed, 6 Apr 2022 22:27:24 +0000 Subject: [PATCH 484/900] Allow platform apps to access FP Hal Bug: 227247855 Test: Verified manually that the fingerprint extension is working. Change-Id: Id5550ca770942d02ad0796ed0d4e8584c434b680 --- system_ext/private/platform_app.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 system_ext/private/platform_app.te diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te new file mode 100644 index 00000000..20042f25 --- /dev/null 
+++ b/system_ext/private/platform_app.te @@ -0,0 +1,2 @@ +# allow systemui access to fingerprint +hal_client_domain(platform_app, hal_fingerprint) From aa794b4e436ac4a3d5a5b9349809d500eb50e72d Mon Sep 17 00:00:00 2001 From: sukiliu Date: Fri, 15 Apr 2022 17:11:57 +0800 Subject: [PATCH 485/900] Update avc error on ROM 8459635 Bug: 229354991 Test: PtsSELinuxTestCases Change-Id: I6b5d7d5b1368021bd927dedf786081c600289974 --- tracking_denials/untrusted_app.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 tracking_denials/untrusted_app.te diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te new file mode 100644 index 00000000..337bab8f --- /dev/null +++ b/tracking_denials/untrusted_app.te @@ -0,0 +1,3 @@ +# b/229354991 +dontaudit untrusted_app isolated_app:process { getsched }; +dontaudit untrusted_app shell_test_data_file:dir { search }; From 9bc45b2d601fe26b821f9ab768e93be66b441631 Mon Sep 17 00:00:00 2001 
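Review bot: The comment `# allow systemui access to fingerprint` does not match the rule below it: `hal_client_domain(platform_app, hal_fingerprint)` makes every app running as platform_app a fingerprint HAL client, not just SystemUI, because platform_app is the domain for all apps signed with the platform key. If only SystemUI needs the extension, a dedicated domain selected in seapp_contexts would keep the HAL's client set narrow; if the broad grant is intended, the comment should say so, e.g. `# allow platform-signed apps (including SystemUI) to use the fingerprint HAL`.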
From: Jerry Huang Date: Wed, 13 Apr 2022 16:58:45 +0800 Subject: [PATCH 486/900] Allow mediacodec_google to access gpu_device Bug: 228794372 Test: android.media.decoder.cts.DecoderTest#testAV1HdrToSdr The change is for following error: 04-08 17:02:44.020 1046 7284 7284 W HwBinder:7284_3: type=1400 audit(0.0:70491): avc: denied { getattr } for path="/dev/mali0" dev="tmpfs" ino=1052 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=0 04-08 17:02:44.028 1046 7284 7284 W HwBinder:7284_3: type=1400 audit(0.0:70492): avc: denied { getattr } for path="/dev/mali0" dev="tmpfs" ino=1052 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=0 04-08 17:02:44.040 1046 7284 7284 W HwBinder:7284_3: type=1400 audit(0.0:70493): avc: denied { getattr } for path="/dev/mali0" dev="tmpfs" ino=1052 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=0 04-08 17:02:44.048 1046 7284 7284 W HwBinder:7284_3: type=1400 audit(0.0:70494): avc: denied { getattr } for path="/dev/mali0" dev="tmpfs" ino=1052 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=0 Change-Id: Ie22903807fcc12d931cbdd36678ae1d4a3776a3d --- whitechapel_pro/mediacodec_google.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te index 21aea333..fb719b16 100644 --- a/whitechapel_pro/mediacodec_google.te +++ b/whitechapel_pro/mediacodec_google.te @@ -16,6 +16,7 @@ hal_client_domain(mediacodec_google, hal_graphics_allocator) allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms; allow mediacodec_google video_device:chr_file rw_file_perms; +allow mediacodec_google gpu_device:chr_file rw_file_perms; crash_dump_fallback(mediacodec_google) 
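Review bot: The four denials quoted in the commit message are all `{ getattr }` on /dev/mali0, but the new line grants `rw_file_perms` (open, read, write, ioctl and more) on gpu_device to the codec domain, which is a much larger surface than the evidence calls for. If the AV1 HDR-to-SDR path really drives the GPU, that is the right set and deserves a comment such as `# GPU-backed HDR-to-SDR conversion (b/228794372)`; if the codec only stats the node, `allow mediacodec_google gpu_device:chr_file getattr;` matches the log. The neverallow block in the second hunk is unchanged apart from the trailing newline.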
@@ -27,4 +28,4 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans; # Lengthier explanation here: # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html neverallow mediacodec_google domain:{ udp_socket rawip_socket } *; -neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *; \ No newline at end of file +neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *; From 09ef2e08c53008d276b96d23ad91e74fd2ca4307 Mon Sep 17 00:00:00 2001 From: Alex Hong Date: Thu, 7 Apr 2022 23:34:50 +0800 Subject: [PATCH 487/900] Update the SELinux context for dumpstate HAL service Test: atest VtsHalDumpstateTargetTest pass Bug: 223118410 Change-Id: Ie237579f974bab8bf8d35211367457be178a262b --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 5d93973e..6858daaa 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -24,7 +24,7 @@ /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0 +/vendor/bin/hw/android\.hardware\.dumpstate-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 From 6ab671ae18e1cfc1378fa50ac01b9aa6ae617456 Mon Sep 17 00:00:00 2001 
From: Jason Macnak Date: Thu, 24 Feb 2022 22:17:51 +0000 Subject: [PATCH 488/900] Remove sysfs_gpu type definition ... as it has moved to system/sepolicy. Bug: b/161819018 Test: presubmit Change-Id: I107f92617bea56590b5af351341cc1c3b2844360 --- whitechapel_pro/file.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index aa4db136..98adac1a 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -93,9 +93,6 @@ type modem_userdata_file, file_type; type sysfs_st33spi, sysfs_type, fs_type; typeattribute sysfs_st33spi mlstrustedobject; -# GPU -type sysfs_gpu, sysfs_type, fs_type; - # Vendor sched files userdebug_or_eng(` typeattribute proc_vendor_sched mlstrustedobject; From eaeec28c23cf62f9aa6520dfceb127a04bc34e61 Mon Sep 17 00:00:00 2001 From: chiayupei Date: Mon, 11 Apr 2022 19:45:06 +0800 Subject: [PATCH 489/900] hal_sensors_default: Allow sensors HAL to access AoC sysfs and properties. Bug: 202901227 Test: Verify pass by checking device log. Signed-off-by: chiayupei Change-Id: I67e0fcc4ad89ff3c1945f6fdd83d01f14fcdcbec --- whitechapel_pro/hal_sensors_default.te | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index b33741e5..4e1b8ca1 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te 
@@ -36,9 +36,18 @@ allow hal_sensors_default sensor_reg_data_file:file r_file_perms;
 # Allow access to the display info for ALS.
 allow hal_sensors_default sysfs_display:file rw_file_perms;
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
+allow hal_sensors_default sysfs_aoc:file r_file_perms;
+
+# Allow access for AoC properties.
+get_prop(hal_sensors_default, vendor_aoc_prop)
+
+# Allow sensor HAL to read AoC dumpstate.
+allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
+
 # Allow access to the AoC clock and kernel boot time sys FS node. This is needed
 # to synchronize the AP and AoC clock timestamps.
-allow hal_sensors_default sysfs_aoc:dir search;
 allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
 # Allow access to the files of CDT information.
From 55f4e61c8c95d0ecd31dc0e611a7f42bb4b5d171 Mon Sep 17 00:00:00 2001
From: Ted Lin
Date: Thu, 14 Apr 2022 11:59:16 +0800
Subject: [PATCH 490/900] Sepolicy: add the system_app.te for hal_wlc
04-11 20:28:15.435 523 523 I auditd : avc: denied { find } for interface=vendor.google.wireless_charger::IWirelessCharger sid=u:r:system_app:s0 pid=3755 scontext=u:r:system_app:s0 tcontext=u:object_r:hal_wlc_hwservice:s0 tclass=hwservice_manager permissive=0
Bug:229036607
Test: adb bugreport
Change-Id: I40562204b3517b2861b2a52466f9cde04a5321c5
Signed-off-by: Ted Lin
---
 whitechapel_pro/system_app.te | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 whitechapel_pro/system_app.te
diff --git a/whitechapel_pro/system_app.te b/whitechapel_pro/system_app.te
new file mode 100644
index 00000000..cb6287b9
--- /dev/null
+++ b/whitechapel_pro/system_app.te
@@ -0,0 +1 @@
+allow system_app hal_wlc_hwservice:hwservice_manager find;
From a77fc2a6df1052c50c9bd83f7506308195c41f88 Mon Sep 17 00:00:00 2001
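Review bot: `# Allow access to the sysfs_aoc.` restates the rule beneath it rather than saying which AoC nodes the sensor HAL reads; a comment naming the node and its use, along the lines of `# Read AoC status nodes under sysfs_aoc (<node> for <purpose>)`, would help the next reader judge whether `r_file_perms` on every sysfs_aoc file is still the smallest grant. The `sysfs_aoc_dumpstate:file r_file_perms` line is also worth a sentence of justification: dumpstate nodes are normally consumed by the dumpstate HAL for bug reports, so if the sensor HAL only needs it on a debug path, wrapping it in the userdebug_or_eng macro would keep user builds tighter.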
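Review bot: The new system_app.te carries no comment or bug reference, unlike the tracking_denials files in this series which cite theirs; propose `# Wireless charger HAL (vendor.google.wireless_charger::IWirelessCharger), b/229036607` above the rule. `hwservice_manager find` only lets system_app look the service up; unless system_app already reaches the hal_wlc domain through another rule, the next denial will be the hwbinder call itself, so `binder_call(system_app, hal_wlc)` (or the hal_client_domain form if hal_wlc is defined as a HAL attribute) probably belongs in the same change — worth checking in the same bugreport run.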
From: Jason Macnak Date: Thu, 31 Mar 2022 09:39:55 -0700 Subject: [PATCH 491/900] Remove sysfs_gpu type definition ... as it has moved to system/sepolicy. Bug: b/161819018 Test: presubmit Change-Id: I107f92617bea56590b5af351341cc1c3b2844360 Merged-In: I107f92617bea56590b5af351341cc1c3b2844360 --- whitechapel_pro/file.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index b42bf4ee..d986a56a 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -92,9 +92,6 @@ type modem_userdata_file, file_type; # SecureElement type sysfs_st33spi, sysfs_type, fs_type; -# GPU -type sysfs_gpu, sysfs_type, fs_type; - # USB-C throttling stats type sysfs_usbc_throttling_stats, sysfs_type, fs_type; From abdd44b0fddd9e1e736e99f20f8fc9e5975a88da Mon Sep 17 00:00:00 2001 From: sukiliu Date: Tue, 19 Apr 2022 10:59:17 +0800 Subject: [PATCH 492/900] Update avc error on ROM 8468959 Bug: 229677756 Test: PtsSELinuxTestCases Change-Id: I0423fa9c02e1e16ecf8ec32d89046704f2667d64 --- tracking_denials/servicemanager.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te index 72e6e6e9..4b54ceb1 100644 --- a/tracking_denials/servicemanager.te +++ b/tracking_denials/servicemanager.te @@ -1,2 +1,4 @@ # b/214122471 dontaudit servicemanager hal_fingerprint_default:binder { call }; +# b/229677756 +dontaudit servicemanager hal_dumpstate_default:binder { call }; From 32bf1ffbf74078ac5eaa636219b68c1dd812da8e Mon Sep 17 00:00:00 2001 From: chungkai Date: Mon, 18 Apr 2022 13:55:53 +0000 Subject: [PATCH 493/900] sepolicy: fix avc denials add potential paths for i2c peripheral devices sine we enable parallel module loading Bug: 226887726 Test: do bugreport without avc denials Signed-off-by: chungkai Change-Id: I4af39bb6e620a59e02417a06c1dabd45df360fc3 --- whitechapel_pro/genfs_contexts | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) 
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index e4428b08..7d6bcae2 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -64,6 +64,8 @@ genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 @@ -172,6 +174,9 @@ genfscon sysfs /devices/platform/google,charger genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0 # P22 battery +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 
@@ -190,12 +195,16 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0 # Extcon +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 
@@ -204,6 +213,7 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/extcon genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 # Haptics +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 @@ -211,6 +221,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 # system suspend wakeup files +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 
@@ -218,6 +229,13 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 
@@ -260,6 +278,8 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
From 2b189b45afe75e50ee453507f2faa5c6702fd27b Mon Sep 17 00:00:00 2001 From: Labib Date: Tue, 19 Apr 2022 18:35:04 +0800 Subject: [PATCH 494/900] Let RadioExt talk to bt hal Bug: 227122249 Test: Manual Change-Id: I9f41615e8e862af147d6f47e5e4c4e0dde40c233
---
 tracking_denials/hal_radioext_default.te | 2 -- whitechapel_pro/hal_radioext_default.te | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) delete mode 100644 tracking_denials/hal_radioext_default.te
diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te
deleted file mode 100644
index 74a400df..00000000
--- a/tracking_denials/hal_radioext_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/227122249
-dontaudit hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager { find };
diff --git a/whitechapel_pro/hal_radioext_default.te b/whitechapel_pro/hal_radioext_default.te
index a5a0f3e8..eef71cf6 100644
--- a/whitechapel_pro/hal_radioext_default.te +++ b/whitechapel_pro/hal_radioext_default.te @@ -7,6 +7,7 @@ get_prop(hal_radioext_default, hwservicemanager_prop) add_hwservice(hal_radioext_default, hal_radioext_hwservice) binder_call(hal_radioext_default, grilservice_app) +binder_call(hal_radioext_default, hal_bluetooth_btlinux) # RW /dev/oem_ipc0 allow hal_radioext_default radio_device:chr_file rw_file_perms; @@ -16,3 +17,5 @@ allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; allow hal_radioext_default radio_vendor_data_file:file create_file_perms; allow hal_radioext_default sysfs_display:file rw_file_perms; +# Bluetooth +allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; From 3a95426f78876b1d85847557198b2d3bc135e9c0 Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Tue, 19 Apr 2022 13:25:03 -0700 Subject: [PATCH 495/900] Add hwservicemanager to pixelstats permissions Bug: 227199213 Test: Ensure there are no more selinux errors Change-Id: I1d961096df49f82302d7ff14fec809232e5afd28 --- whitechapel_pro/pixelstats_vendor.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index db443835..d16acc0b 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -1,5 +1,8 @@ binder_use(pixelstats_vendor) +get_prop(pixelstats_vendor, hwservicemanager_prop) +hwbinder_use(pixelstats_vendor) + allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; From 5c9592e973b80520eaf785de9401041b6747d9b7 Mon Sep 17 00:00:00 2001 
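Review bot: The added `binder_call(hal_radioext_default, hal_bluetooth_btlinux)` in the first hunk sits among the grilservice/hwservice rules with no comment, while the matching `hwservice_manager find` on `hal_bluetooth_coexistence_hwservice` lands at the end of the file under `# Bluetooth`, so one grant is split across two places. binder_call expands to call and transfer toward the BT HAL plus transfer back, which is considerably more than the `find` the deleted dontaudit covered, so the pair deserves to sit together with a line naming the interface, e.g. `# Bluetooth coexistence: RadioExt calls into the BT HAL` above both rules. The hal_radioext_default file continues outside both hunks.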
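Review bot: `hwbinder_use(pixelstats_vendor)` and `get_prop(pixelstats_vendor, hwservicemanager_prop)` give the daemon generic hwbinder client access, but no `hwservice_manager find` rule for a specific HIDL service is added, so the hunk does not say which interface pixelstats is reaching and the lookup will presumably still be denied unless a rule outside this diff covers it. The test line ("no more selinux errors") suggests the rules were taken from denial logs; the usual complement is an explicit `allow pixelstats_vendor <TARGET_HWSERVICE>:hwservice_manager find;` (placeholder for the real hwservice type) with a comment naming the HAL, so the grant stays scoped to that one service. The pixelstats_vendor file continues outside the hunk.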
From: Wayne Lin Date: Tue, 12 Apr 2022 11:44:39 +0800 Subject: [PATCH 496/900] gps: refine gps sepolicy Bug: 228903885 Test: build pass and no avc denied in gpsd Change-Id: Id0821b1335d316899e3a32b56a0e1c0feb4ba2b6 --- gps/gpsd.te | 4 ++++ whitechapel_pro/gpsd.te | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) delete mode 100644 whitechapel_pro/gpsd.te diff --git a/gps/gpsd.te b/gps/gpsd.te index 9757395b..64591cba 100644 --- a/gps/gpsd.te +++ b/gps/gpsd.te @@ -16,6 +16,10 @@ allow gpsd vendor_gps_file:dir create_dir_perms; allow gpsd vendor_gps_file:file create_file_perms; allow gpsd vendor_gps_file:fifo_file create_file_perms; +# Allow gpsd to access rild +binder_call(gpsd, rild); +allow gpsd hal_exynos_rild_hwservice:hwservice_manager find; + # Allow gpsd to access sensor service binder_call(gpsd, system_server); allow gpsd fwk_sensor_hwservice:hwservice_manager find; diff --git a/whitechapel_pro/gpsd.te b/whitechapel_pro/gpsd.te deleted file mode 100644 index 15a8ac36..00000000 --- a/whitechapel_pro/gpsd.te +++ /dev/null @@ -1,3 +0,0 @@ -# Allow gpsd to access rild -binder_call(gpsd, rild); -allow gpsd hal_exynos_rild_hwservice:hwservice_manager find; From 4d163d5b3211cf8acfdc0658cd4aef16716358b6 Mon Sep 17 00:00:00 2001 From: Wayne Lin Date: Tue, 12 Apr 2022 12:48:01 +0800 Subject: [PATCH 497/900] gps: sync sepolicy from gs101 to allow gps access pps gpio Bug: 228903885 Test: build pass Change-Id: Ic555a0640872ae0dc1a69a9d4a11027d4364464a --- gps/file.te | 1 + gps/genfs_contexts | 1 + gps/gpsd.te | 3 +++ 3 files changed, 5 insertions(+) diff --git a/gps/file.te b/gps/file.te index 4ed25013..537afdbc 100644 --- a/gps/file.te +++ b/gps/file.te @@ -4,3 +4,4 @@ userdebug_or_eng(` ') type sysfs_gps, sysfs_type, fs_type; +type sysfs_gps_assert, sysfs_type, fs_type; diff --git a/gps/genfs_contexts b/gps/genfs_contexts index 1eab75b1..49dfdd05 100644 --- a/gps/genfs_contexts +++ b/gps/genfs_contexts 
@@ -1,3 +1,4 @@ # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 +genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0 diff --git a/gps/gpsd.te b/gps/gpsd.te index 64591cba..791a02e4 100644 --- a/gps/gpsd.te +++ b/gps/gpsd.te @@ -23,3 +23,6 @@ allow gpsd hal_exynos_rild_hwservice:hwservice_manager find; # Allow gpsd to access sensor service binder_call(gpsd, system_server); allow gpsd fwk_sensor_hwservice:hwservice_manager find; + +# Allow gpsd to access pps gpio +allow gpsd sysfs_gps_assert:file r_file_perms; From 5f4f4de205ad26619e02e836b360b845734c81b3 Mon Sep 17 00:00:00 2001 From: Dinesh Yadav Date: Wed, 6 Apr 2022 12:53:39 +0000 Subject: [PATCH 498/900] Add SEPolicy settings for android logging/tracing service for GXP Change-Id: I3c9574dca5e52356b77172c886ac8971584d3012 --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/gxp_logging.te | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 whitechapel_pro/gxp_logging.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 6858daaa..294a1b82 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -36,6 +36,7 @@ /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/whitechapel_pro/gxp_logging.te b/whitechapel_pro/gxp_logging.te new file mode 100644 index 00000000..476db5ac --- /dev/null +++ b/whitechapel_pro/gxp_logging.te 
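Review bot: The comment `# Allow gpsd to access pps gpio` names a GPIO, while the node the genfs hunk labels `sysfs_gps_assert` is `/devices/virtual/pps/pps0/assert_elapsed`, so the comment should name what is actually read: `# Allow gpsd to read the PPS assert timestamp (pps0/assert_elapsed)`. Scoping a dedicated type to that single file and granting only `r_file_perms` is the right shape for this rule. The gpsd.te file continues outside the hunk.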
@@ -0,0 +1,6 @@
+type gxp_logging, domain;
+type gxp_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gxp_logging)
+
+# The logging service accesses /dev/gxp
+allow gxp_logging gxp_device:chr_file rw_file_perms;
From 9fdfcb53b57ce049d450c11a489dbbed7172b9ff Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Wed, 20 Apr 2022 19:43:31 -0700 Subject: [PATCH 499/900] Fix boot issues with hal_thermal_default Bug: 229895015 Test: Ensure the device boots, verify permissions with ls -AlZ Change-Id: I0f95bb7eb58e6ce22a0f66a70408fdf56d94b1b3
---
 whitechapel_pro/genfs_contexts | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 7d6bcae2..6c35107f 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
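Review bot: The new `gxp_logging` domain is granted only `rw_file_perms` on `gxp_device`, yet its binary is registered in file_contexts as `android.hardware.gxp.logging@service-gxp-logging`, which reads like a daemon that publishes an interface; if it registers with servicemanager or hwservicemanager it will need `binder_use`/`add_service` (or the hwbinder equivalents) that this hunk does not carry, so what the daemon actually does should be confirmed before landing. The file also has no header comment and the commit record carries no Bug:/Test: lines; a line such as `# GXP firmware log/trace service (android.hardware.gxp.logging)` above the type declarations would tell the next reader what this domain is for.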
@@ -82,6 +82,10 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 
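Review bot: The four `i2c-7/.../iio:device0/*` entries added here (and the `i2c-8/.../iio:device1/*` set in the next hunk) extend a list that already spells out every combination of i2c bus number and iio device index by hand, and the commit title ("Fix boot issues") suggests that enumeration drifts whenever probe order changes. genfscon matches on path prefix, so one entry per bus ending at `iio:device` (no index, no attribute name) would label every index and attribute and remove the need for four new lines per combination; if only the four named attributes are meant to be labeled, that trade-off belongs in the `# Power ODPM` comment. The new i2c-7 block is also inserted between the i2c-1 and i2c-0 groups, which makes the section harder to scan.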
@@ -91,6 +95,10 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 From 4db0feed323e4d8ff20e85a32e910ddcc257c22e Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 21 Apr 2022 02:09:59 +0000 Subject: [PATCH 500/900] genfs_contexts: fix path for i2c peripheral device add original paths since we reverted enable load module in parallel for other issues Test: without avc denial Bug: 229670628 Signed-off-by: chungkai Change-Id: Ie7a2a78eae5d6965beedc0de640ec56acb6a7b2a --- whitechapel_pro/genfs_contexts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 6c35107f..1d2ffeb5 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -100,6 +100,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 + # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 From ac45672cc5e3eef249c57db3d3576b40ba0b5d20 Mon Sep 17 00:00:00 2001 
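Review bot: All eight entries this hunk adds already exist a few lines above: the hunk's own leading context shows `acpm_mfd_bus@18110000/i2c-8/.../iio:device1/enabled_rails` immediately before the insertion point, and the `i2c-7/iio:device0` set was added by the previous commit. A second genfscon for the same filesystem and path is normally rejected by the policy compiler as a duplicate entry, so this is likely to break the policy build rather than merge silently, which is consistent with the revert two commits later. The stated reason ("we reverted enable load module in parallel") points at bus numbering changing with probe order, which is exactly the case for a single prefix entry per bus rather than re-adding literal paths.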
From: "Chung-Kai (Michael) Mei" Date: Thu, 21 Apr 2022 07:19:29 +0000 Subject: [PATCH 501/900] Revert "genfs_contexts: fix path for i2c peripheral device" This reverts commit 4db0feed323e4d8ff20e85a32e910ddcc257c22e. Reason for revert: related patch is merged, so it's duplicated Fix: 229940065 Change-Id: I898dd52f4857983323fec9f72e797bd2f759f724 --- whitechapel_pro/genfs_contexts | 9 --------- 1 file changed, 9 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 1d2ffeb5..6c35107f 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -100,15 +100,6 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 - # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 From 3135c26574ab259ea7bf7c5b596e2fe790a88549 Mon Sep 17 00:00:00 2001 
From: George Chang Date: Mon, 18 Apr 2022 22:55:29 +0800 Subject: [PATCH 502/900] Remove st33spi tracking_denial Fixed by remove property access from st33spi hal aosp/2064213 Bug: 229167195 Test: PtsSELinuxTestCases Change-Id: Icee8bea36ad68e60a32cfa8c35a2ab9ff6ee515a
---
 tracking_denials/hal_secure_element_st33spi.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_secure_element_st33spi.te
diff --git a/tracking_denials/hal_secure_element_st33spi.te b/tracking_denials/hal_secure_element_st33spi.te
deleted file mode 100644
index da4b099d..00000000
--- a/tracking_denials/hal_secure_element_st33spi.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/229167195
-dontaudit hal_secure_element_st33spi vendor_secure_element_prop:file { read };
From a36285b0deed0c1227b8fd5dbcad4eae6c08adb5 Mon Sep 17 00:00:00 2001 From: Quang Luong Date: Fri, 22 Apr 2022 00:06:23 +0000 Subject: [PATCH 503/900] Revert "Add SEPolicy settings for android logging/tracing servic..." Revert submission 17817048-gxp-firmware-log-trace-metrics-service Reason for revert: breaks CTS tests: b/230031232 Reverted Changes: I3c9574dca:Add SEPolicy settings for android logging/tracing ... I6bced8246:Add Firmware Log/Trace service to GXP project outp... Icfc0ca30f:Add gxp_logging_service as an android service Change-Id: I4ae6a63b6e2b58a094f45771de87fc3799f99e67
---
 whitechapel_pro/file_contexts | 1 - whitechapel_pro/gxp_logging.te | 6 ------ 2 files changed, 7 deletions(-) delete mode 100644 whitechapel_pro/gxp_logging.te
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 294a1b82..6858daaa 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -36,7 +36,6 @@ /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 -/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/whitechapel_pro/gxp_logging.te b/whitechapel_pro/gxp_logging.te deleted file mode 100644 index 476db5ac..00000000 --- a/whitechapel_pro/gxp_logging.te +++ /dev/null @@ -1,6 +0,0 @@ -type gxp_logging, domain; -type gxp_logging_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(gxp_logging) - -# The logging service accesses /dev/gxp -allow gxp_logging gxp_device:chr_file rw_file_perms; From 90f4106b80ab47ab38265c8816d5bd26b2a59bfd Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Sat, 23 Apr 2022 21:09:22 -0700 Subject: [PATCH 504/900] Grant trusty to power hal Bug: 229350721 Test: UDFPS with stress Signed-off-by: Wei Wang Change-Id: Ia88d6cff1d21940e22ae5122dbfcf52de27ad700 --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/hal_power_default.te | 1 + 3 files changed, 8 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 61511765..a9f38963 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -24,6 +24,9 @@ userdebug_or_eng(` # Exynos Firmware type vendor_fw_file, vendor_file_type, file_type; +# Trusty +type sysfs_trusty, sysfs_type, fs_type; + # sysfs type sysfs_chosen, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 73872f40..cac716b9 100644 --- a/whitechapel_pro/genfs_contexts 
+++ b/whitechapel_pro/genfs_contexts @@ -375,3 +375,7 @@ genfscon sysfs /devices/platform/2bc40000.etm u:object_r:sysfs_devices_cs_etm genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0 + +# Trusty +genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 +genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0 diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te index 076de46b..807d9a47 100644 --- a/whitechapel_pro/hal_power_default.te +++ b/whitechapel_pro/hal_power_default.te @@ -6,4 +6,5 @@ allow hal_power_default proc_vendor_sched:file r_file_perms; allow hal_power_default sysfs_gpu:file rw_file_perms; allow hal_power_default sysfs_fabric:file rw_file_perms; allow hal_power_default sysfs_camera:file rw_file_perms; +allow hal_power_default sysfs_trusty:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) From a492311ba4fc412aa974aa1648dde4f375103209 Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Mon, 25 Apr 2022 16:24:33 -0700 Subject: [PATCH 505/900] Allow hal_thermal_default to read iio/odpm sysfs nodes Bug: 230031671 Test: There are no errors for iio or odpm nodes Change-Id: Ifb204fa7b535c001838c7008b30b6e41744a01d1 --- whitechapel_pro/hal_thermal_default.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/whitechapel_pro/hal_thermal_default.te b/whitechapel_pro/hal_thermal_default.te index 9852a767..a573a2ae 100644 --- a/whitechapel_pro/hal_thermal_default.te +++ b/whitechapel_pro/hal_thermal_default.te @@ -1,2 +1,2 @@ -allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; -allow hal_thermal_default sysfs_odpm:file r_file_perms; +r_dir_file(hal_thermal_default, sysfs_iio_devices) +r_dir_file(hal_thermal_default, sysfs_odpm) 
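Review bot: `allow hal_power_default sysfs_trusty:file rw_file_perms;` lets the power HAL write kernel module parameters (`trusty_virtio`/`trusty_core` `use_high_wq`, per the genfs hunk in this commit) but carries no comment, and nothing in the surrounding rules explains it either. A why-line such as `# RW trusty use_high_wq module parameters (sysfs_trusty)` would record the intent; the link to fingerprint is only inferred from the test line ("UDFPS with stress") and should be stated if that is the reason. The `sysfs_trusty` label is scoped to just the two parameter files under `/sys/module/`, which is the right granularity, though it is worth confirming whether the HAL reads the parameter back or only writes it, since the write side is what changes Trusty driver behaviour.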
From 85e5caf85e9d5b296231b0a985dc88bd161db601 Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Thu, 21 Apr 2022 13:03:06 -0700 Subject: [PATCH 506/900] Fix permissions for ODPM permanently by adding all buses You don't need wildcards on genfs, just need the base path Bug: 229895015 Test: Ensure the device boots, verify permissions with ls -AlZ Change-Id: Ib59693f0404db4e28b9959fcdf1cc4d483c5d1b1 --- whitechapel_pro/genfs_contexts | 42 +++++++++++++++------------------- 1 file changed, 18 insertions(+), 24 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index cac716b9..a2352a4d 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -74,31 +74,25 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/power_stats genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 # Power ODPM -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/enabled_rails 
u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@18110000/i2c-5/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 From d85f93ec30636bf57037443ea4690cbbafe0ff73 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 27 Apr 2022 13:18:28 -0700 Subject: [PATCH 507/900] allow udfps hal to access trusty Bug: 229350721 Bug: 230492593 Test: UDFPS with stress Signed-off-by: Wei Wang Change-Id: Ib1abe0e0318689528a6658f3597f1c11ad9fa1c3 --- whitechapel_pro/hal_fingerprint_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te index fa03d984..4a64b22c 100644 --- a/whitechapel_pro/hal_fingerprint_default.te +++ b/whitechapel_pro/hal_fingerprint_default.te @@ -23,3 +23,6 @@ allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; # Allow fingerprint to read sysfs_display allow hal_fingerprint_default sysfs_display:file r_file_perms; + +# Allow fingerprint to access trusty sysfs +allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; From 4c8dbb65b8170a7f9971d1ff0969fe9aaa34e153 Mon Sep 17 00:00:00 2001 
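Review bot: Switching each entry to the `iio:device` prefix changes what the label covers, not only which buses it matches: genfscon prefix matching now places every attribute under every `iio:deviceN` directory on those buses into `sysfs_odpm`, whereas the removed lines labeled only `name`, `energy_value`, `sampling_rate` and `enabled_rails`. Any further attributes the meter driver exposes (writable ones included, if there are any) become visible to every domain with `sysfs_odpm` access, and `hal_thermal_default` gained `r_dir_file` on it in the previous commit, so the widening should be deliberate and recorded, e.g. `# Power ODPM: prefix entries label the whole iio:deviceN subtree on each bus`. Listing i2c-0 through i2c-8 for both buses is harmless where a bus does not exist, but a note that the enumeration is intentionally exhaustive would stop the next reader from pruning it.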
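Review bot: With this hunk two vendor HALs, `hal_power_default` (previous commit) and `hal_fingerprint_default`, can both write the same `use_high_wq` Trusty module parameters labeled `sysfs_trusty`, and nothing in policy arbitrates between them, so presumably whichever writes last wins. The comment `# Allow fingerprint to access trusty sysfs` should say what is written and that the power HAL shares the node, e.g. `# RW trusty use_high_wq params (sysfs_trusty); hal_power_default writes these too`, and it is worth confirming whether `rw_file_perms` is needed or `w_file_perms`/`r_file_perms` would do. The hal_fingerprint_default file continues outside the hunk.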
From: Labib Date: Wed, 27 Apr 2022 17:42:39 +0800 Subject: [PATCH 508/900] Give RadioExt permission to write to sysfs node Bug: 212601547 Test: Manual Change-Id: I8c7341833aeacebfedba6e8e05d2696012043d32 --- whitechapel_pro/genfs_contexts | 1 + whitechapel_pro/hal_radioext_default.te | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 6c35107f..56cbee6a 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -119,6 +119,7 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefres genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/osc2_clk_khz u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 diff --git a/whitechapel_pro/hal_radioext_default.te b/whitechapel_pro/hal_radioext_default.te index eef71cf6..fb6bc03d 100644 --- a/whitechapel_pro/hal_radioext_default.te +++ b/whitechapel_pro/hal_radioext_default.te @@ -12,7 +12,7 @@ binder_call(hal_radioext_default, hal_bluetooth_btlinux) # RW /dev/oem_ipc0 allow hal_radioext_default radio_device:chr_file rw_file_perms; -# RW MIPI Freq files +# RW Freq Config files allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; allow hal_radioext_default radio_vendor_data_file:file create_file_perms; allow hal_radioext_default sysfs_display:file rw_file_perms; 
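Review bot: Labeling `osc2_clk_khz` as `sysfs_display` is what actually grants RadioExt the write the title describes, since `rw_file_perms` on `sysfs_display` already exists (context line of the second hunk), but it also exposes the panel oscillator clock node to every other consumer of that broad type, including `hal_fingerprint_default`, which reads `sysfs_display` per the previous commit's context. If only RadioExt should tune the oscillator, a dedicated type (e.g. `sysfs_display_osc`, name to be chosen) with a single `rw` rule keeps the grant scoped; otherwise the renamed `# RW Freq Config files` comment should mention that the `sysfs_display` line now covers `osc2_clk_khz`. The hal_radioext_default file continues outside the hunk.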
From 0d31f7bcd7d13162427e2c172648195dcd275d07 Mon Sep 17 00:00:00 2001
From: George Chang
Date: Wed, 30 Mar 2022 22:34:13 +0800
Subject: [PATCH 509/900] Update nfc from hidl to aidl service
Bug: 216290344
Test: atest NfcNciInstrumentationTests
Test: atest VtsAidlHalNfcTargetTest
Change-Id: I90b8499b05e0226298ee8f04d84f55390299e8c8
---
 whitechapel_pro/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 6858daaa..cbba7deb 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -32,7 +32,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
From 86351764371e22864cc1dc59170a7fb3695bb6ff Mon Sep 17 00:00:00 2001
From: George Chang
Date: Fri, 29 Apr 2022 15:37:46 +0000
Subject: [PATCH 510/900] Revert "Update nfc from hidl to aidl service"
This reverts commit 0d31f7bcd7d13162427e2c172648195dcd275d07.
Reason for revert: Broken tests
Bug: 230834308
Change-Id: If695e38eb11b65018768f15aeb4346ba818b058a
---
 whitechapel_pro/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index cbba7deb..6858daaa 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -32,7 +32,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
From 5e426a95d00d68ef6c1e5227877dfaafa24dc180 Mon Sep 17 00:00:00 2001
From: Jenny Ho
Date: Thu, 28 Apr 2022 10:07:52 +0800
Subject: [PATCH 511/900] sepolicy: allow access debugfs charger register dump
Bug: 230360103
Signed-off-by: Jenny Ho
Change-Id: Ieedff4d6475706d4d932913e6d647ca401e56966
---
 whitechapel_pro/genfs_contexts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 7a713590..9c989045 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -167,6 +167,8 @@ genfscon debugfs /pm_genpd/pm_genpd_summary u:object
 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
 genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0
 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
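Review bot: The two new debugfs entries put a charger register dump (`max77759_chg`) and a PMIC register dump (`max77729_pmic`) under the same `vendor_charger_debugfs` label as `/google_charger`, so every domain already allowed on that label silently gains the PMIC registers as well; the hunk does not show who those readers are. If the PMIC dump is only needed by dumpstate, a separate label, or at least a comment naming the intended reader such as `# max77729_pmic registers: read by hal_dumpstate_default (b/230360103)`, would make the widened scope deliberate rather than incidental. Since debugfs is typically mounted only on userdebug/eng builds the practical exposure is probably limited, but that assumption is worth writing down next to the rule.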
From 31624072102732ebcd43977dfa3397d1fee63edf Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Wed, 20 Apr 2022 02:38:32 +0800 Subject: [PATCH 512/900] Allow hal_fingerprint_default to access hal_pixel_display_service Fix the following avc denial: avc: denied { find } for pid=1158 uid=1000 name=com.google.hardware.pixel.display.IDisplay/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:hal_pixel_display_service:s0 tclass=service_manager permissive=0 avc: denied { call } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_graphics_composer_default:s0 tclass=binder permissive=0 Bug: 229716695 Bug: 224573604 Test: build and test fingerprint on device Change-Id: I104af7f50715090fe0c2aa6845848bf77ab3e3ae --- whitechapel_pro/hal_fingerprint_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te index 4a64b22c..ec02f9c4 100644 --- a/whitechapel_pro/hal_fingerprint_default.te +++ b/whitechapel_pro/hal_fingerprint_default.te @@ -26,3 +26,7 @@ allow hal_fingerprint_default sysfs_display:file r_file_perms; # Allow fingerprint to access trusty sysfs allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; + +# Allow fingerprint to access display hal +allow hal_fingerprint_default hal_pixel_display_service:service_manager find; +binder_call(hal_fingerprint_default, hal_graphics_composer_default) From aeb9bd0406de5d986faed8e60c6a5efb7061c3d9 Mon Sep 17 00:00:00 2001 From: eddielan Date: Fri, 6 May 2022 11:05:38 +0800 Subject: [PATCH 513/900] sepolicy: Add SW35 HIDL factory service into sepolicy Bug: 231549391 Test: Build Pass Change-Id: If5c1bc5ddf6a1fa753ac65b6b4c5983775f2f704 --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/fingerprint_factory_service.te | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 whitechapel_pro/fingerprint_factory_service.te 
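Review bot: The new comment `# Allow fingerprint to access display hal` does not say which grant serves which purpose: the `find` is for `hal_pixel_display_service` (the `IDisplay` service named in the quoted denial) while the `binder_call` targets `hal_graphics_composer_default`, the domain that hosts it, and a reader could otherwise expect a matching composer service type. Suggest `# UDFPS talks to the pixel display service (IDisplay), hosted by the composer HAL (b/229716695, b/224573604)`, with the purpose confirmed since the commit message only quotes denials. The first denial also shows `uid=1000` for the fingerprint HAL process, which is unusual for a vendor HAL and may be worth a second look.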
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 6858daaa..9dc48c15 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -39,6 +39,7 @@ /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/whitechapel_pro/fingerprint_factory_service.te b/whitechapel_pro/fingerprint_factory_service.te new file mode 100644 index 00000000..86ab35cc --- /dev/null +++ b/whitechapel_pro/fingerprint_factory_service.te @@ -0,0 +1,3 @@ +type fingerprint_factory_service, service_manager_type; +type fingerprint_factory_service_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(fingerprint_factory_service) From eb1d4ec87c611c6a155bb8646eda1131a92c1d7b Mon Sep 17 00:00:00 2001 From: George Chang Date: Wed, 30 Mar 2022 22:34:13 +0800 Subject: [PATCH 514/900] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Change-Id: If1f57af334033f9bd7174c052767715c9916700f --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 9dc48c15..efd0e085 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
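Review bot: `fingerprint_factory_service.te` declares the process type as `type fingerprint_factory_service, service_manager_type;` with no `domain` attribute, yet `init_daemon_domain()` is applied to it and the `file_contexts` hunk labels `fingerprint@2\.1-service\.fpc` with its `_exec` type; `service_manager_type` is the attribute for binder service labels, not for a process domain, so this looks like a mix-up (compare `type gxp_logging, domain;` in PATCH 523). A process transitioned into a type that lacks `domain` receives none of the base `domain` rules and is unlikely to run, even though the message reports a passing build. The declaration should probably read `type fingerprint_factory_service, domain;`, and the file deserves a header comment stating that this is a factory-only daemon and why its binary is labelled on every build.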
@@ -32,7 +32,7 @@ /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 From 7f89d68af245bafa5803632eb0da2ad0e38f33a3 Mon Sep 17 00:00:00 2001 From: Asad Abbas Ali Date: Thu, 5 May 2022 20:20:53 +0000 Subject: [PATCH 515/900] Allow chre to communicate with fwk_stats_service. Bug: 230788686 Test: Logged atoms using CHRE + log atom extension. Change-Id: I45a207996a28bbe61bbfd4288eaf28e2257cdf52 --- whitechapel_pro/chre.te | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te index 319f17dd..6d826217 100644 --- a/whitechapel_pro/chre.te +++ b/whitechapel_pro/chre.te @@ -17,4 +17,8 @@ usf_low_latency_transport(chre) # Allow CHRE to talk to the WiFi HAL allow chre hal_wifi_ext:binder { call transfer }; -allow chre hal_wifi_ext_hwservice:hwservice_manager find; \ No newline at end of file +allow chre hal_wifi_ext_hwservice:hwservice_manager find; + +# Allow CHRE host to talk to stats service +allow chre fwk_stats_service:service_manager find; +binder_call(chre, stats_service_server) From 26b2d2e33ee14ed8a3f482cab9197e27cd69c50e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Tue, 10 May 2022 05:35:27 +0000 Subject: [PATCH 516/900] Add dontaudit statements to camera HAL policy. The autogenerated dontaudit statements in tracking_denials are actually the correct policy. Move them to the correct file and add comments. Bug: 205780065 Bug: 218585004 Test: build & camera check Change-Id: Ie0338f0d2a6fd0c589777a82c22a014e462bd5c2 --- tracking_denials/hal_camera_default.te | 5 ----- whitechapel_pro/hal_camera_default.te | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/hal_camera_default.te diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te deleted file mode 100644 index f423e497..00000000 --- a/tracking_denials/hal_camera_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/205780065 -dontaudit hal_camera_default system_data_file:dir { search }; -# b/218585004 -dontaudit hal_camera_default traced:unix_stream_socket { connectto }; -dontaudit hal_camera_default traced_producer_socket:sock_file { write }; diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index 92c629ed..437060ea 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te @@ -91,3 +91,11 @@ allow hal_camera_default sysfs_leds:file r_file_perms; # Allow camera HAL to send trace packets to Perfetto userdebug_or_eng(`perfetto_producer(hal_camera_default)') + +# Some file searches attempt to access system data and are denied. +# This is benign and can be ignored. +dontaudit hal_camera_default system_data_file:dir { search }; + +# google3 prebuilts attempt to connect to the wrong trace socket, ignore them. +dontaudit hal_camera_default traced:unix_stream_socket { connectto }; +dontaudit hal_camera_default traced_producer_socket:sock_file { write }; \ No newline at end of file From 4a6cfb5a9cc46b6c2c1d456ca6874f9aa92bd085 Mon Sep 17 00:00:00 2001 
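Review bot: The rewritten `hal_camera_default.te` drops the `b/205780065` and `b/218585004` references that the deleted `tracking_denials` file carried, and the new comments explain the denials only in general terms; keeping the bug id on each `dontaudit` (e.g. `# b/205780065: some file searches touch system data; benign.`) preserves the trail for whoever later asks whether the silence is still justified. The hunk also ends with `\ No newline at end of file`, so a trailing newline should be added after the last `dontaudit`. The `traced` connection attempts are attributed to prebuilts hitting the wrong socket; a `dontaudit` hides that permanently, so if those prebuilts are expected to be fixed a TODO with an owner would be useful.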
From: Nishok Kumar S Date: Thu, 12 May 2022 06:33:22 +0000 Subject: [PATCH 517/900] Label GCA-Eng app - Add policies for GCA-Eng to access GXP device. - Allow GCA-Eng to access edgetpu service. Test: Build selinux and test GCA-Eng on device with adb shell setprop camera.artemis_dsp TRUE Bug: 230773733 Change-Id: I8d04f6e1aef0899b3862ddbb80174cd086156d92 --- edgetpu/debug_camera_app.te | 5 +++++ whitechapel_pro/certs/camera_eng.x509.pem | 17 +++++++++++++++++ whitechapel_pro/debug_camera_app.te | 18 ++++++++++++++++++ whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ whitechapel_pro/seapp_contexts | 3 +++ 6 files changed, 49 insertions(+) create mode 100644 edgetpu/debug_camera_app.te create mode 100644 whitechapel_pro/certs/camera_eng.x509.pem create mode 100644 whitechapel_pro/debug_camera_app.te diff --git a/edgetpu/debug_camera_app.te b/edgetpu/debug_camera_app.te new file mode 100644 index 00000000..44382239 --- /dev/null +++ b/edgetpu/debug_camera_app.te @@ -0,0 +1,5 @@ +userdebug_or_eng(` + # Allows GCA-Eng to find and access the EdgeTPU. + allow debug_camera_app edgetpu_app_service:service_manager find; + allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; +') \ No newline at end of file diff --git a/whitechapel_pro/certs/camera_eng.x509.pem b/whitechapel_pro/certs/camera_eng.x509.pem new file mode 100644 index 00000000..011a9ec4 --- /dev/null +++ b/whitechapel_pro/certs/camera_eng.x509.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx +EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw +NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO +OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR ++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb ++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg +UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX +TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj +rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB +TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK +pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY +DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG +ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4 +rscXTxYEf4Tqovc= +-----END CERTIFICATE----- diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te new file mode 100644 index 00000000..7c14ef03 --- /dev/null +++ b/whitechapel_pro/debug_camera_app.te @@ -0,0 +1,18 @@ +type debug_camera_app, domain, coredomain; + +userdebug_or_eng(` + app_domain(debug_camera_app) + + allow debug_camera_app app_api_service:service_manager find; + allow debug_camera_app audioserver_service:service_manager find; + allow debug_camera_app cameraserver_service:service_manager find; + allow debug_camera_app mediaextractor_service:service_manager find; + allow debug_camera_app mediametrics_service:service_manager find; + allow debug_camera_app mediaserver_service:service_manager find; + + # Allows camera app to access the GXP device. + allow debug_camera_app gxp_device:chr_file rw_file_perms; + + # Allows camera app to search for GXP firmware file. + allow debug_camera_app vendor_fw_file:dir search; +') \ No newline at end of file 
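Review bot: Entry into `debug_camera_app` is gated solely by the `CameraEng` certificate (`camera_eng.x509.pem`), whose subject appears to decode to `CN=Android Debug, O=Android, C=US` with a DSA key and validity ending 2022-07-15, i.e. the shape of a stock Android debug keystore; because `mac_permissions.xml` matches on the certificate alone, whoever holds that debug key can place a package named `com.google.android.GoogleCameraEng` into this domain on a userdebug/eng build, with rw on `gxp_device` and `edgetpu_device`. Android does not enforce certificate expiry for APK signing, so the date is not itself a problem, but it is worth confirming that this is a private, team-controlled key rather than a widely copied debug keystore and saying so in a comment on the `keys.conf` entry. The `seapp_contexts` entry in the next hunk (and the one added in PATCH 522) is not wrapped in `userdebug_or_eng`, so on user builds a matching app lands in a domain with no `app_domain()` rules; that fails closed, but a comment such as `# debug_camera_app only has rules on userdebug/eng; on user builds the app will not run` would make the intent explicit. Both `edgetpu/debug_camera_app.te` (previous hunk) and this file end with `\ No newline at end of file`.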
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 80522c4e..e4247437 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -9,3 +9,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem [@EUICCSUPPORTPIXEL] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem + +[@CAMERAENG] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 821f660c..f1eb85e3 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -33,4 +33,7 @@ + + + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index f2fd47f9..22148b59 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -57,6 +57,9 @@ user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detecto # Google Camera user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all +# Google Camera Eng +user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all + # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all From 145f7b5b9379ce88f352e0779ace9676aa68635d Mon Sep 17 00:00:00 2001 
From: Nishok Kumar S Date: Thu, 12 May 2022 13:23:04 +0000 Subject: [PATCH 518/900] Use google_camera_app label for GCA-Next fishfood app. Bug: 230773733 Test: Build selinux and test with GCA-Next on device. Change-Id: I757e7de2293e25bd027262a5fbf4ece2a44f10d1 --- whitechapel_pro/certs/camera_fishfood.x509.pem | 15 +++++++++++++++ whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ whitechapel_pro/seapp_contexts | 3 +++ 4 files changed, 24 insertions(+) create mode 100644 whitechapel_pro/certs/camera_fishfood.x509.pem diff --git a/whitechapel_pro/certs/camera_fishfood.x509.pem b/whitechapel_pro/certs/camera_fishfood.x509.pem new file mode 100644 index 00000000..fb11572f --- /dev/null +++ b/whitechapel_pro/certs/camera_fishfood.x509.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n +bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w +HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL +MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv +b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93 +bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/ +jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B +IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe +tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td +0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg +Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b +aIOMFB0Km9HbEZHLKg33kOoMsS2zpA== +-----END CERTIFICATE----- diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index e4247437..54130ea2 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf 
@@ -12,3 +12,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509. [@CAMERAENG] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem + +[@CAMERAFISHFOOD] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index f1eb85e3..b57e61c7 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -36,4 +36,7 @@ + + + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 22148b59..786ca84e 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -60,6 +60,9 @@ user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera doma # Google Camera Eng user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all +# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera +user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all + # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all From 95845654bfc9c0781ddb412c666a6e41d713a6e7 Mon Sep 17 00:00:00 2001 
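Review bot: The new `seapp_contexts` line maps the fishfood package into `google_camera_app` without the `isPrivApp=true` that the `GoogleCamera` line above it carries, so a sideloaded, non-privileged APK signed with the `CameraFishfood` certificate receives a domain that was presumably written for a privileged app; if `google_camera_app` relies on priv-app assumptions (its rules are not visible here) that should be checked, and the comment should state the difference is deliberate, e.g. `# fishfood builds install as ordinary apps, hence no isPrivApp=true`. The certificate itself appears to be a 2008 v1 certificate with a 1024-bit RSA key self-signed with md5WithRSA; the signature algorithm is irrelevant to APK verification, but the key size is a property of whichever release key this is, and a `keys.conf` comment naming that key would help future reviewers. The `mac_permissions.xml` hunk is stripped of its XML in this rendering, so the `CameraFishfood` seinfo binding could not be reviewed.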
From: Jerry Huang Date: Fri, 6 May 2022 16:05:57 +0800 Subject: [PATCH 519/900] Allow mediacodec to access vendor_data_file For dumping output buffer of HDR to SDR fliter. This patch fixes the following denial: 05-10 21:42:49.427 890 890 W HwBinder:890_4: type=1400 audit(0.0:2944): avc: denied { search } for name="data" dev="dm-41" ino=105 scontext=u:r:mediacodec_samsung:s0 tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=dir permissive=0 05-10 21:42:49.499 890 890 W HwBinder:890_4: type=1400 audit(0.0:2946): avc: denied { getattr } for name="/" dev="dmabuf" ino=1 scontext=u:r:mediacodec_samsung:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=0 05-10 21:46:27.735 885 885 W google.hardware: type=1400 audit(0.0:3198): avc: denied { search } for name="data" dev="dm-41" ino=105 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=dir permissive=0 05-10 21:46:27.795 885 885 W google.hardware: type=1400 audit(0.0:3200): avc: denied { getattr } for name="/" dev="dmabuf" ino=1 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=0 Bug: 229360116 Test: atest android.media.decoder.cts.DecoderTest Change-Id: I11403b20e8608f50907db561b8232b1b64bea298 --- whitechapel_pro/mediacodec_google.te | 5 +++++ whitechapel_pro/mediacodec_samsung.te | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te index fb719b16..713255c1 100644 --- a/whitechapel_pro/mediacodec_google.te +++ b/whitechapel_pro/mediacodec_google.te 
@@ -29,3 +29,8 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
 neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+userdebug_or_eng(`
+ allow mediacodec_google vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_google vendor_media_data_file:file create_file_perms;
+')
diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te
index 2c5d7ede..ce05fa5f 100644
--- a/whitechapel_pro/mediacodec_samsung.te
+++ b/whitechapel_pro/mediacodec_samsung.te
@@ -31,3 +31,8 @@ neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
 neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+userdebug_or_eng(`
+ allow mediacodec_samsung vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_samsung vendor_media_data_file:file create_file_perms;
+')
From e5f837784920e2c159de538127df326d5d9d22ec Mon Sep 17 00:00:00 2001
From: Austin Wang
Date: Fri, 13 May 2022 13:52:45 +0800
Subject: [PATCH 520/900] Add P22 reverse wireless charging selinux policy Allow Settings to call hal_wlc Error: 05-13 09:28:20.508 1000 7293 7293 W ndroid.settings: type=1400 audit(0.0:29): avc: denied { call } for scontext=u:r:system_app:s0 tcontext=u:r:hal_wlc:s0 tclass=binder permissive=0
Bug: 231420451
Test: Enable battery share from settings and charge another device.
Change-Id: Ic761bee47ea41f6db8b1838fb3fc2a9f7ef7bb5c
---
 whitechapel_pro/system_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/system_app.te b/whitechapel_pro/system_app.te
index cb6287b9..c1560e6e 100644
--- a/whitechapel_pro/system_app.te
+++ b/whitechapel_pro/system_app.te
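Review bot: The rules added in both hunks grant `vendor_media_data_file` (dir `rw_dir_perms`, file `create_file_perms`), but the denials quoted in the commit message are `system_data_file:dir search` and `unlabeled:filesystem getattr` on the dmabuf filesystem, neither of which these rules touch; unless the dump path avoids traversing a `system_data_file` directory, the quoted denials will keep appearing. Restricting the grant to `userdebug_or_eng` is the right call for a debug dump path, but the rules should say so, e.g. `# Debug only: dump HDR-to-SDR filter output buffers (b/229360116)` above each `userdebug_or_eng(` block in both files. The `unlabeled` dmabuf filesystem denial points at a missing label for that filesystem, which is a separate fix the bug should track rather than something to grant against `unlabeled`.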
@@ -1 +1,2 @@ allow system_app hal_wlc_hwservice:hwservice_manager find; +binder_call(system_app, hal_wlc) From b6971e353f9e7c57c63c992fb45ed3a9eb11de80 Mon Sep 17 00:00:00 2001 From: George Lee Date: Mon, 16 May 2022 09:08:13 -0700 Subject: [PATCH 521/900] dumpstate: Add BCL mitigation info to user build Bug: 232793927 Test: Confirm user build bugreport has mitigation info Signed-off-by: George Lee Change-Id: I9945a0f005bee6e25580c122df4c8932607fa51a --- whitechapel_pro/hal_dumpstate_default.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 4f0922fa..88de3775 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -29,6 +29,9 @@ allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_pe allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; +allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; +allow hal_dumpstate_default sysfs_bcl:file r_file_perms; + allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms; allow hal_dumpstate_default sysfs_wifi:file r_file_perms; @@ -99,8 +102,6 @@ userdebug_or_eng(` allow hal_dumpstate_default mnt_vendor_file:dir search; allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search; allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; - allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; - allow hal_dumpstate_default sysfs_bcl:file r_file_perms; allow hal_dumpstate_default debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; From 43e827c01a690f2e7e6502058e79088ad817a6b3 Mon Sep 17 00:00:00 2001 
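Review bot: `binder_call(system_app, hal_wlc)` opens the wireless-charger HAL to every app running as the system UID, not just Settings, because `system_app` is the shared domain for all of them; there is no finer domain to pick here, so the rule is acceptable, but the file should record which caller motivated it: `# Settings (battery share) calls hal_wlc, b/231420451`. As of this hunk the file holds only two lines, so a one-line header describing its scope would also help.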
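Review bot: Moving the `sysfs_bcl` read rules out of `userdebug_or_eng` makes the BCL mitigation nodes part of user-build bugreports, which is the stated intent, but the new unconditional lines carry no comment and the next cleanup pass is likely to move them back. Suggest `# BCL mitigation info is included in user bugreports (b/232793927)` above the two new `allow` lines. The second hunk of this commit, which deletes the copies inside the `userdebug_or_eng` block, needs no further change.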
From: Nishok Kumar S Date: Mon, 16 May 2022 09:35:45 +0000 Subject: [PATCH 522/900] Add label for GCA fishfood app built with debug keys - label as debug_camera_app. Test: Build GCA-Next manually and install on device. Test with selinux on. Bug: 230773733 Change-Id: Ifc2fd29a74bf66444501327feac391ddf812c867 --- whitechapel_pro/seapp_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 786ca84e..0fbe0333 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -63,6 +63,9 @@ user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_ # Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all +# Also label GoogleCameraNext, built with debug keys as debug_camera_app. +user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all + # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all From e40cd2ac421e2e585d52820d81f3966c4831b50e Mon Sep 17 00:00:00 2001 From: Dinesh Yadav Date: Wed, 4 May 2022 16:06:07 +0000 Subject: [PATCH 523/900] Add SEPolicy settings for android logging/tracing service for GXP This change also adds support for SEPolicy to access perfetto which was missing in ag/17818623. Bug: 217289052 Change-Id: Ic5599d0be783b65102b3b0ffef27e66f1f6904da --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/gxp_logging.te | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 whitechapel_pro/gxp_logging.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 6858daaa..294a1b82 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -36,6 +36,7 @@
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
diff --git a/whitechapel_pro/gxp_logging.te b/whitechapel_pro/gxp_logging.te
new file mode 100644
index 00000000..107942d1
--- /dev/null
+++ b/whitechapel_pro/gxp_logging.te
@@ -0,0 +1,9 @@
+type gxp_logging, domain;
+type gxp_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gxp_logging)
+
+# The logging service accesses /dev/gxp
+allow gxp_logging gxp_device:chr_file rw_file_perms;
+
+# Allow gxp tracing service to send packets to Perfetto
+userdebug_or_eng(`perfetto_producer(gxp_logging)')
From c169cd75ce4ed4087508ea294f6a56e521877e8b Mon Sep 17 00:00:00 2001
From: Jacqueline Wong
Date: Wed, 18 May 2022 22:50:36 +0000
Subject: [PATCH 524/900] be able to dump coredump
Bug: 218358165
Test: adb root; adb remount -R; adb bugreport
Signed-off-by: Jacqueline Wong
Change-Id: I42c2db7902064e1508676ad93def2e0e4f5c2b28
---
 whitechapel_pro/hal_dumpstate_default.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 88de3775..de49f46c 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
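Review bot: `gxp_logging` is a vendor daemon that `init` starts on every build (the `init_daemon_domain` and `file_contexts` entries are unconditional) with `rw_file_perms` on `gxp_device`, while its Perfetto producer capability is limited to `userdebug_or_eng`; if the service exists only to feed traces, then on user builds it holds a writable handle to the GXP device with nothing to do, and either the `.te` file should say why it is needed there or the service should be gated to debug builds on the init side. The comment `# The logging service accesses /dev/gxp` states the what but not the why; something like `# Collects GXP logs via /dev/gxp (b/217289052) — TODO confirm what is needed on user builds; Perfetto tracing is debug-only` would cover both. The `file_contexts` hunk above is consistent with the new `_exec` type.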
@@ -25,6 +25,8 @@ allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; +allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; +allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; From 4364d96ac875817a3d28906fdc5b410069b088d8 Mon Sep 17 00:00:00 2001 From: Jacqueline Wong Date: Wed, 18 May 2022 22:50:36 +0000 Subject: [PATCH 525/900] be able to dump coredump Bug: 218358165 Test: adb root; adb remount -R; adb bugreport Signed-off-by: Jacqueline Wong Change-Id: I42c2db7902064e1508676ad93def2e0e4f5c2b28 --- whitechapel_pro/hal_dumpstate_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 88de3775..de49f46c 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -25,6 +25,8 @@ allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; +allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; +allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; From 6513479fe84ecd4d4d50aeef5a8a19b39404ee9a Mon Sep 17 00:00:00 2001 
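Review bot: PATCH 525 is a byte-for-byte repeat of PATCH 524 (same Change-Id I42c2db7902064e1508676ad93def2e0e4f5c2b28 and an identical hunk), so applying this series will stop at the second copy as already applied; one of the two should be dropped. On the rule itself, coredump files are presumably larger and more sensitive than the crashinfo summaries dumpstate already reads, so a comment recording that they are intended to ship in bugreports would help the next reviewer, e.g. `# b/218358165: include subsystem coredumps in bugreports` above the two new lines.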
From: Dinesh Yadav Date: Thu, 19 May 2022 08:30:02 +0000 Subject: [PATCH 526/900] Add SEPolicy for gxp_metrics_logger.so logging to stats service In order to access the gxp metrics library from the google camera app (product partition), we need to create an SELinux exception for the related shared library (in vendor) it uses. This CL adds the same_process_hal_file tag to allow this exception. Bug: 177236353 Test: App can load the .so and creates a VLOG message after this change. Before: No permission to access namespace. After: GCA able to access the gxp_metrics_logger.so Change-Id: I453b66b30eb51ebd22fda750d272cf35574301f6 Signed-off-by: Dinesh Yadav --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 294a1b82..6df95855 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -59,6 +59,7 @@ /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0 # Graphics /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0 From 91a1f49a8afdd50742dcc26afe4586eb4d4717b5 Mon Sep 17 00:00:00 2001 From: Badhri Jagan Sridharan Date: Sun, 22 May 2022 16:40:52 -0700 Subject: [PATCH 527/900] Allow gadget hal to search i2c dir and write to usb_limit_accessory_enable auditd : type=1400 audit(0.0:4): avc: denied { search } for comm="HwBinder:879_1" name="10d60000.hsi2c" dev="sysfs" ino=23606 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 Bug: 206635552 Signed-off-by: Badhri Jagan Sridharan Change-Id: Ibc4ec27ad7d1b7a26c9935aa0c4aff5f03a8d59c --- whitechapel_pro/hal_usb_gadget_impl.te | 4 ++++ 1 file changed, 4 insertions(+) 
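Review bot: Labelling gxp_metrics_logger.so as same_process_hal_file moves it inside the camera app's own process, so everything it does (including the stats-service logging named in the subject) runs under the app's domain with the app's privileges and there is no separate vendor domain to audit. The commit message explains this but the file does not; a short comment on the new line, e.g. `# loaded in-process by the camera app for GXP metrics (b/177236353)`, keeps the rationale with the label, as the surrounding libgxp.so and pixelatoms entries currently lack one too.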
diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/whitechapel_pro/hal_usb_gadget_impl.te index 30041467..ddda7eb9 100644 --- a/whitechapel_pro/hal_usb_gadget_impl.te +++ b/whitechapel_pro/hal_usb_gadget_impl.te @@ -15,3 +15,7 @@ allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; # change irq to other cores allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; allow hal_usb_gadget_impl proc_irq:file w_file_perms; + +# allow gadget hal to search hsi2c dir and write to usb_limit_accessory_enable/current +allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; +allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; From 8b2c6f8187c0cfdcd450f0473a2bc45fdf2b7dbe Mon Sep 17 00:00:00 2001 From: Yichi Chen Date: Wed, 18 May 2022 03:56:38 +0800 Subject: [PATCH 528/900] RRS: Apply the default config from persist prop vendor_config plays as another role to control the display config during the boot time. To change the default configuration of the user selected mode, we use persist config to store the value. Bug: 232721840 Test: Boot w/ and w/o user selected configs and check the resolution Change-Id: Ideed75f0a29368ff95916fb1fa87f21482c17613 --- whitechapel_pro/vendor_init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 2b5e6740..b6741954 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -31,3 +31,6 @@ allow vendor_init modem_img_file:filesystem { getattr }; # Battery set_prop(vendor_init, vendor_battery_defender_prop) + +# Display +set_prop(vendor_init, vendor_display_prop) From cf23b50955716b0b751a58531e8d1f8db385c79f Mon Sep 17 00:00:00 2001 
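Review bot: The denial quoted in the message is a `search` on the hsi2c directory and the stated need is writing usb_limit_accessory_enable/current, but `allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms;` lets the gadget HAL write every node carrying the sysfs_batteryinfo label, which in this tree also covers the google,battery / google,charger / google,cpm platform devices (see the genfs_contexts context in PATCH 546). A dedicated genfscon label for the two usb_limit_* nodes (for example a `sysfs_usb_limit` type) with `rw_file_perms` on that type only, keeping sysfs_batteryinfo at `r_file_perms`, would match the least-privilege intent of the comment. The `r_dir_perms` on sysfs_batteryinfo:dir is still needed to traverse the hsi2c directory to reach them.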
From: Jaegeuk Kim Date: Mon, 23 May 2022 16:39:21 -0700 Subject: [PATCH 529/900] Allow sysfs_devices_block to f2fs-tools The fsck.f2fs checks the sysfs entries of block devices to get disk information. Note that, the block device entries are device-specific. 1. fsck.f2fs avc: denied { search } for comm="fsck.f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="fsck.f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda7/partition" dev="sysfs" ino=60672 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 2. mkfs.f2fs avc: denied { search } for comm="make_f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="make_f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda8/partition" dev="sysfs" ino=61046 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 Bug: 172377740 Signed-off-by: Jaegeuk Kim Change-Id: I409feec84565f965baa96b06a5b08bcfc1a8db02 --- whitechapel_pro/e2fs.te | 2 ++ whitechapel_pro/fsck.te | 2 ++ 2 files changed, 4 insertions(+) diff --git a/whitechapel_pro/e2fs.te b/whitechapel_pro/e2fs.te index a6664594..3e72adfb 100644 --- a/whitechapel_pro/e2fs.te +++ b/whitechapel_pro/e2fs.te @@ -4,3 +4,5 @@ allow e2fs modem_userdata_block_device:blk_file rw_file_perms; allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET }; +allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms; +allow e2fs sysfs_scsi_devices_0000:file r_file_perms; diff --git a/whitechapel_pro/fsck.te b/whitechapel_pro/fsck.te index d29555b3..cb9470d0 100644 --- a/whitechapel_pro/fsck.te +++ b/whitechapel_pro/fsck.te 
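Review bot: PATCH 529, 530 and 531 carry the same Change-Id I409feec84565f965baa96b06a5b08bcfc1a8db02 and identical e2fs.te/fsck.te hunks, so the series will not apply cleanly past the first copy; keep one. The sysfs_scsi_devices_0000 label is, as the message says, device-specific, and neither file records why fsck and e2fs read it; a one-line comment above each new pair, e.g. `# b/172377740: f2fs-tools read /sys/devices/platform/14700000.ufs/.../block/sd*/partition for disk geometry`, would save the next reader the log dig. The same applies to the fsck.te hunk that follows and to the repeated hunks in PATCH 530 and 531.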
@@ -1,3 +1,5 @@ allow fsck persist_block_device:blk_file rw_file_perms; allow fsck efs_block_device:blk_file rw_file_perms; allow fsck modem_userdata_block_device:blk_file rw_file_perms; +allow fsck sysfs_scsi_devices_0000:dir r_dir_perms; +allow fsck sysfs_scsi_devices_0000:file r_file_perms; From 81d01513de9d1ccd478c82997f851b8324165a97 Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim Date: Mon, 23 May 2022 16:39:21 -0700 Subject: [PATCH 530/900] Allow sysfs_devices_block to f2fs-tools The fsck.f2fs checks the sysfs entries of block devices to get disk information. Note that, the block device entries are device-specific. 1. fsck.f2fs avc: denied { search } for comm="fsck.f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="fsck.f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda7/partition" dev="sysfs" ino=60672 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 2. mkfs.f2fs avc: denied { search } for comm="make_f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="make_f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda8/partition" dev="sysfs" ino=61046 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 Bug: 233835698 Bug: 172377740 Signed-off-by: Jaegeuk Kim Change-Id: I409feec84565f965baa96b06a5b08bcfc1a8db02 --- whitechapel_pro/e2fs.te | 2 ++ whitechapel_pro/fsck.te | 2 ++ 2 files changed, 4 insertions(+) diff --git a/whitechapel_pro/e2fs.te b/whitechapel_pro/e2fs.te index a6664594..3e72adfb 100644 --- a/whitechapel_pro/e2fs.te +++ b/whitechapel_pro/e2fs.te 
@@ -4,3 +4,5 @@ allow e2fs modem_userdata_block_device:blk_file rw_file_perms; allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET }; +allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms; +allow e2fs sysfs_scsi_devices_0000:file r_file_perms; diff --git a/whitechapel_pro/fsck.te b/whitechapel_pro/fsck.te index d29555b3..cb9470d0 100644 --- a/whitechapel_pro/fsck.te +++ b/whitechapel_pro/fsck.te @@ -1,3 +1,5 @@ allow fsck persist_block_device:blk_file rw_file_perms; allow fsck efs_block_device:blk_file rw_file_perms; allow fsck modem_userdata_block_device:blk_file rw_file_perms; +allow fsck sysfs_scsi_devices_0000:dir r_dir_perms; +allow fsck sysfs_scsi_devices_0000:file r_file_perms; From 2ddc8ee33315d26848cf0a5446bef533e35420ae Mon Sep 17 00:00:00 2001 
From: Jaegeuk Kim Date: Mon, 23 May 2022 16:39:21 -0700 Subject: [PATCH 531/900] Allow sysfs_devices_block to f2fs-tools The fsck.f2fs checks the sysfs entries of block devices to get disk information. Note that, the block device entries are device-specific. 1. fsck.f2fs avc: denied { search } for comm="fsck.f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="fsck.f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda7/partition" dev="sysfs" ino=60672 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 2. mkfs.f2fs avc: denied { search } for comm="make_f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="make_f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda8/partition" dev="sysfs" ino=61046 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 Bug: 233835698 Bug: 172377740 Signed-off-by: Jaegeuk Kim Change-Id: I409feec84565f965baa96b06a5b08bcfc1a8db02 --- whitechapel_pro/e2fs.te | 2 ++ whitechapel_pro/fsck.te | 2 ++ 2 files changed, 4 insertions(+) diff --git a/whitechapel_pro/e2fs.te b/whitechapel_pro/e2fs.te index a6664594..3e72adfb 100644 --- a/whitechapel_pro/e2fs.te +++ b/whitechapel_pro/e2fs.te @@ -4,3 +4,5 @@ allow e2fs modem_userdata_block_device:blk_file rw_file_perms; allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET }; +allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms; +allow e2fs sysfs_scsi_devices_0000:file r_file_perms; diff --git a/whitechapel_pro/fsck.te b/whitechapel_pro/fsck.te index d29555b3..cb9470d0 100644 --- a/whitechapel_pro/fsck.te 
+++ b/whitechapel_pro/fsck.te @@ -1,3 +1,5 @@ allow fsck persist_block_device:blk_file rw_file_perms; allow fsck efs_block_device:blk_file rw_file_perms; allow fsck modem_userdata_block_device:blk_file rw_file_perms; +allow fsck sysfs_scsi_devices_0000:dir r_dir_perms; +allow fsck sysfs_scsi_devices_0000:file r_file_perms; From 36a6b238047415a0dc6a1ee2159955b7fe1e1aa2 Mon Sep 17 00:00:00 2001 From: eddielan Date: Fri, 6 May 2022 11:05:38 +0800 Subject: [PATCH 532/900] sepolicy: Add SW35 HIDL factory service into sepolicy Bug: 231549391 Test: Build Pass Change-Id: If5c1bc5ddf6a1fa753ac65b6b4c5983775f2f704 (cherry picked from commit aeb9bd0406de5d986faed8e60c6a5efb7061c3d9) Merged-In: If5c1bc5ddf6a1fa753ac65b6b4c5983775f2f704 --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/fingerprint_factory_service.te | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 whitechapel_pro/fingerprint_factory_service.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 6df95855..adba0274 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -40,6 +40,7 @@ /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/whitechapel_pro/fingerprint_factory_service.te b/whitechapel_pro/fingerprint_factory_service.te new file mode 100644 index 00000000..86ab35cc --- /dev/null +++ b/whitechapel_pro/fingerprint_factory_service.te @@ -0,0 +1,3 @@ +type fingerprint_factory_service, service_manager_type; +type fingerprint_factory_service_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(fingerprint_factory_service) 
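Review bot: `type fingerprint_factory_service, service_manager_type;` declares the type with the attribute used for service-manager name labels rather than as a process domain, yet the next line calls `init_daemon_domain(fingerprint_factory_service)`, which sets up an exec transition from init into it; unless a `domain` attribute is added elsewhere, the daemon is not a member of `domain`, none of the domain-wide baseline rules apply to it, and the process transition is likely to be rejected by the core neverallows even if the file itself compiles. The expected form is `type fingerprint_factory_service, domain;`, with `hal_server_domain(...)` if it serves a HIDL interface, and a separate `_service` type in service_contexts if a service name is registered. The file_contexts entry on the same line is also placed after rlsservice rather than next to the other fingerprint@2.1 service entries visible in PATCH 538.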
From bc2cf5c1535d1c8d2c5aa7fe6193c4968322202a Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 19 May 2022 12:37:35 -0700 Subject: [PATCH 533/900] bcl: Add Mitigation Logger - sepolicy Mitigation Logger logs battery related information for 1 second when it is triggered by under voltage or over current interrupts. Information collected is to help debug system brownout. Bug: 228383769 Test: Boot and Test Signed-off-by: George Lee Change-Id: I9ac873d03d57d9a6db8d9233f25c8fabdfc399a5 --- whitechapel_pro/battery_mitigation.te | 16 ++++++++++++++++ whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 2 ++ 3 files changed, 19 insertions(+) create mode 100644 whitechapel_pro/battery_mitigation.te diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te new file mode 100644 index 00000000..59af9d53 --- /dev/null +++ b/whitechapel_pro/battery_mitigation.te @@ -0,0 +1,16 @@ +type battery_mitigation, domain; +type battery_mitigation_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(battery_mitigation) +get_prop(battery_mitigation, boot_status_prop) + +hal_client_domain(battery_mitigation, hal_thermal); +hal_client_domain(battery_mitigation, hal_health); + +r_dir_file(battery_mitigation, sysfs_batteryinfo) +r_dir_file(battery_mitigation, sysfs_iio_devices) +r_dir_file(battery_mitigation, sysfs_thermal) +r_dir_file(battery_mitigation, thermal_link_device) +r_dir_file(battery_mitigation, sysfs_odpm) +allow battery_mitigation sysfs_thermal:lnk_file r_file_perms; +allow battery_mitigation mitigation_vendor_data_file:dir rw_dir_perms; +allow battery_mitigation mitigation_vendor_data_file:file create_file_perms; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index a9f38963..9ec86284 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
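Review bot: The two `hal_client_domain(battery_mitigation, hal_thermal);` / `hal_client_domain(battery_mitigation, hal_health);` lines carry a trailing semicolon after a macro call, unlike the `r_dir_file(...)` lines in the same file and the `hal_client_domain(google_camera_app, hal_power)` style used elsewhere in this series; drop the `;` so the expanded policy contains no stray empty statements. The domain also has no header comment although the commit message already describes the daemon; reuse it, e.g. `# Mitigation logger: records battery state for ~1s after under-voltage/over-current IRQs (b/228383769)`.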
@@ -15,6 +15,7 @@ type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; +type mitigation_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index adba0274..09b28259 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -41,6 +41,7 @@ /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 +/vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 @@ -207,6 +208,7 @@ /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 /dev/battery_history u:object_r:battery_history_device:s0 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 +/data/vendor/mitigation(/.*)? u:object_r:mitigation_vendor_data_file:s0 # Persist /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 From ee92ac374a9892f7001623483484ab0940237c4d Mon Sep 17 00:00:00 2001 From: George Lee Date: Wed, 25 May 2022 14:40:33 -0700 Subject: [PATCH 534/900] dumpstate: Mitigation logger readout - sepolicy Mitigation Logger logs battery related information for 1 second when it is triggered by under voltage or over current interrupts. Information collected is to help debug system brownout. This change is to enable bugreport reading out the mitigation log. Bug: 228383769 Test: Boot and Test 
Signed-off-by: George Lee Change-Id: Ic0291e05bcf20839a66d50d159bb5ef41681c45d --- whitechapel_pro/hal_dumpstate_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index de49f46c..d5bc6799 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -34,6 +34,9 @@ allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; allow hal_dumpstate_default sysfs_bcl:file r_file_perms; +allow hal_dumpstate_default mitigation_vendor_data_file:dir r_dir_perms; +allow hal_dumpstate_default mitigation_vendor_data_file:file r_file_perms; + allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms; allow hal_dumpstate_default sysfs_wifi:file r_file_perms; From eb4d432dd873b9b155bcb2cb9f11e3d2a40a4987 Mon Sep 17 00:00:00 2001 From: Taeju Park Date: Fri, 27 May 2022 18:46:22 +0000 Subject: [PATCH 535/900] Pixel-EM-DriverV2: sepolicy: allows Power HAL to modify em_profile related sysfs nodes Bug: 170647767 Signed-off-by: Taeju Park Change-Id: I160741f172a5713535852e7fb0d12126ddf0395e --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/hal_power_default.te | 1 + 3 files changed, 7 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 9ec86284..55d05757 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -28,6 +28,9 @@ type vendor_fw_file, vendor_file_type, file_type; # Trusty type sysfs_trusty, sysfs_type, fs_type; +# EM Profile +type sysfs_em_profile, sysfs_type, fs_type; + # sysfs type sysfs_chosen, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 9c989045..e226d1e5 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -376,3 +376,6 @@ genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0 + +# EM Profile +genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0 diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te index 807d9a47..4d6d0e05 100644 --- a/whitechapel_pro/hal_power_default.te +++ b/whitechapel_pro/hal_power_default.te @@ -7,4 +7,5 @@ allow hal_power_default sysfs_gpu:file rw_file_perms; allow hal_power_default sysfs_fabric:file rw_file_perms; allow hal_power_default sysfs_camera:file rw_file_perms; allow hal_power_default sysfs_trusty:file rw_file_perms; +allow hal_power_default sysfs_em_profile:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) From 5be857af43ddd96c627bd52d8e557eda12939969 Mon Sep 17 00:00:00 2001 From: Ankit Goyal Date: Fri, 27 May 2022 14:46:26 -0700 Subject: [PATCH 536/900] Add SE policies for memtrack HAL Bug: 220360577 Test: adb shell dumpsys meminfo Change-Id: I4dfc0c016ccf980b4f7dabd2fb70d2466b69b5cc --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/hal_memtrack_default.te | 1 + 3 files changed, 5 insertions(+) create mode 100644 whitechapel_pro/hal_memtrack_default.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 09b28259..aba24f37 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -42,6 +42,7 @@ /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 /vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0 +/vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index e226d1e5..885b568b 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -47,6 +47,9 @@ genfscon sysfs /module/bcmdhd4389 u # GPU genfscon sysfs /devices/platform/28000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/28000000.mali/power_policy u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/28000000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/28000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/28000000.mali/kprcs u:object_r:sysfs_gpu:s0 # Fabric genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 diff --git a/whitechapel_pro/hal_memtrack_default.te b/whitechapel_pro/hal_memtrack_default.te new file mode 100644 index 00000000..7554c6ff --- /dev/null +++ b/whitechapel_pro/hal_memtrack_default.te @@ -0,0 +1 @@ +r_dir_file(hal_memtrack_default, sysfs_gpu) From 38ddaa255eebe4cf333f884b6c34dc03169c55a4 Mon Sep 17 00:00:00 2001 
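Review bot: The three new mali nodes (dma_buf_gpu_mem, total_gpu_mem, kprcs) are labelled sysfs_gpu, the same type hal_power_default holds `rw_file_perms` on (see the hal_power_default.te context in PATCH 535), so giving memtrack read access this way also gives the power HAL write access to the memory-accounting nodes and memtrack read access to the hint_min_freq/power_policy tunables. A separate read-only type, e.g. `type sysfs_gpu_mem, sysfs_type, fs_type;` in file.te with the three genfscon lines pointing at it and `r_dir_file(hal_memtrack_default, sysfs_gpu_mem)`, keeps the two HALs' footprints disjoint. The one-line hal_memtrack_default.te would also benefit from a comment naming what is read, e.g. `# GPU memory accounting for dumpsys meminfo (b/220360577)`.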
From: Andy Hsu Date: Thu, 26 May 2022 20:12:09 +0800 Subject: [PATCH 537/900] Add policy to allow GoogleCameraApp access HAL to apply CPU/GPU boost. To fix the denial message: avc: denied { find } for pid=4646 uid=10134 name=android.hardware.power.IPower/default scontext=u:r:google_camera_app:s0:c134,c256,c512,c768 tcontext=u:object_r:hal_power_service:s0 tclass=service_manager permissive=0 Reference: go/sepolicy. On P21, we have ag/14692156 to access PowerHAL in GCA. On P22, we currently don't have the permission (b/233998391#comment10). This change fixes this issue. Bug: 233998391 Bug: 232184722 Bug: 232022128 Test: Boost is applied successfully b/233998391#comment11. GCA. Change-Id: Id1a938fc0af0ad9280aa49e7f6cbdf45c16f8b38 --- whitechapel_pro/google_camera_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te index ad097810..99a4d1bf 100644 --- a/whitechapel_pro/google_camera_app.te +++ b/whitechapel_pro/google_camera_app.te @@ -13,3 +13,6 @@ allow google_camera_app gxp_device:chr_file rw_file_perms; # Allows camera app to search for GXP firmware file. allow google_camera_app vendor_fw_file:dir search; + +# Allows camera app to access the PowerHAL. +hal_client_domain(google_camera_app, hal_power) From 851a643c9e1145f91f5ac3ada0f608234952a72c Mon Sep 17 00:00:00 2001 From: George Chang Date: Wed, 30 Mar 2022 22:34:13 +0800 Subject: [PATCH 538/900] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Merged-In: If1f57af334033f9bd7174c052767715c9916700f Change-Id: If1f57af334033f9bd7174c052767715c9916700f --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index aba24f37..79bb698f 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
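Review bot: `hal_client_domain(google_camera_app, hal_power)` grants more than the quoted `find` denial — it also allows binder calls to every hal_power server and tags the app as a hal_power client — which is what actually using the HAL needs, but the comment should say why an app domain gets it: `# Allows camera app to request CPU/GPU boost from the PowerHAL (b/233998391).` The userdebug-only counterpart for debug_camera_app is in PATCH 540; keeping the two comments worded the same makes the pairing obvious.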
@@ -32,7 +32,7 @@ /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 From 2a7ecbdce0aad66e0c0d90d8056733acee80558a Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 1 Jun 2022 06:46:02 +0000 Subject: [PATCH 539/900] update error on ROM 8666963 Bug: 234547497 Test: boot Change-Id: Ic5a9d39449af035a32aaea71b06d7bd33e16cf4b --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) create mode 100644 tracking_denials/bug_map diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 00000000..600908ad --- /dev/null +++ b/tracking_denials/bug_map @@ -0,0 +1 @@ +shell sysfs_wlc dir b/234547497 From 1240fdefbbcb34c6f983468d60f037a80bdcb5ae Mon Sep 17 00:00:00 2001 From: Andy Hsu Date: Tue, 31 May 2022 17:59:26 +0800 Subject: [PATCH 540/900] Add policy to allow debug camera app (GCAEng and locally built GCANext) to access HAL to apply CPU/GPU boost on userdebug builds. Bug: 233998391 Test: Boost applied successfully for all flavors b/233998391#comment15. GCA. Change-Id: If339705cf4daec0f12e81c2c8efdc1eb4a063267 --- whitechapel_pro/debug_camera_app.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te index 7c14ef03..50379b54 100644 --- a/whitechapel_pro/debug_camera_app.te +++ b/whitechapel_pro/debug_camera_app.te @@ -15,4 +15,7 @@ userdebug_or_eng(` # Allows camera app to search for GXP firmware file. allow debug_camera_app vendor_fw_file:dir search; -') \ No newline at end of file + + # Allows camera app to access the PowerHAL. + hal_client_domain(debug_camera_app, hal_power) +') From ec7b23cf03f55adda1fdee0966d1b5172f555f9d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 9 Jun 2022 13:20:48 +0800 Subject: [PATCH 541/900] remove obsolete entries Bug: 227694693 Bug: 226850644 Bug: 227121550 Bug: 229677756 Bug: 234547497 Test: adb bugreport Change-Id: I94a7466ece0a1e79dc31d737b89845343ea7d301 --- tracking_denials/bug_map | 1 - tracking_denials/dumpstate.te | 3 --- tracking_denials/incidentd.te | 2 -- tracking_denials/kernel.te | 5 +---- tracking_denials/servicemanager.te | 2 -- 5 files changed, 1 insertion(+), 12 deletions(-) delete mode 100644 tracking_denials/bug_map delete mode 100644 tracking_denials/incidentd.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map deleted file mode 100644 index 600908ad..00000000 --- a/tracking_denials/bug_map +++ /dev/null @@ -1 +0,0 @@ -shell sysfs_wlc dir b/234547497 diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index aaff71e5..29678370 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,6 +1,3 @@ # b/221384768 -dontaudit dumpstate app_zygote:process { signal }; dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; dontaudit dumpstate sysfs:file { read }; -# b/227694693 -dontaudit dumpstate incident:process { signal }; diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te deleted file mode 100644 index 90b1025f..00000000 --- a/tracking_denials/incidentd.te +++ /dev/null 
@@ -1,2 +0,0 @@ -# b/226850644 -dontaudit incidentd debugfs_wakeup_sources:file { read }; diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index d75b1fb1..53df8fea 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -2,10 +2,7 @@ dontaudit kernel vendor_battery_debugfs:dir { search }; # b/220801802 allow kernel same_process_hal_file:file r_file_perms; -# b/227121550 -dontaudit kernel vendor_usb_debugfs:dir { search }; -dontaudit kernel vendor_votable_debugfs:dir { search }; # b/227286343 dontaudit kernel vendor_regmap_debugfs:dir { search }; # b/228181404 -dontaudit kernel vendor_maxfg_debugfs:dir { search }; \ No newline at end of file +dontaudit kernel vendor_maxfg_debugfs:dir { search }; diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te index 4b54ceb1..72e6e6e9 100644 --- a/tracking_denials/servicemanager.te +++ b/tracking_denials/servicemanager.te @@ -1,4 +1,2 @@ # b/214122471 dontaudit servicemanager hal_fingerprint_default:binder { call }; -# b/229677756 -dontaudit servicemanager hal_dumpstate_default:binder { call }; From d0bbe7121780b28060f23e44e23b601229767fa2 Mon Sep 17 00:00:00 2001 From: Ken Chen Date: Fri, 10 Jun 2022 14:49:57 +0800 Subject: [PATCH 542/900] fix sepolicy for net devices bug: 222232008 Test: atest NetdSELinuxTest#CheckProperMTULabels Change-Id: I99f70eefa3259a2da556fed6ced70f32d03ff4bb --- whitechapel_pro/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 885b568b..8d7fa897 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -35,6 +35,9 @@ genfscon proc /focaltech_touch u # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 +# Networking +genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/ieee802154/phy0/net u:object_r:sysfs_net:s0 + # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 
From e2b042c30702d31212441c0ff0f1f537968cf577 Mon Sep 17 00:00:00 2001 From: Myung-jong Kim Date: Thu, 9 Jun 2022 09:22:09 +0900 Subject: [PATCH 543/900] sepolicy: add net_domain macro for vendor_rcs_app [Problem] sepolicy denial during ShannonGbaService process [Cause] Missing sepolicies [Solution] Add net_domain(vendor_rcs_app) to give base set of permissions required for network access Bug: 235011726 Signed-off-by: Myung-jong Kim Change-Id: Iaac1d7b5a4303338ed2c763b62714e14aed7d728 --- whitechapel_pro/vendor_rcs_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/vendor_rcs_app.te b/whitechapel_pro/vendor_rcs_app.te index b0a46284..37cadef2 100644 --- a/whitechapel_pro/vendor_rcs_app.te +++ b/whitechapel_pro/vendor_rcs_app.te @@ -1,5 +1,6 @@ type vendor_rcs_app, domain; app_domain(vendor_rcs_app) +net_domain(vendor_rcs_app) allow vendor_rcs_app app_api_service:service_manager find; allow vendor_rcs_app radio_service:service_manager find; From 2d44b5d5d07c7b94b3afc5aa1e45cdf5c494f690 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Tue, 10 May 2022 05:35:27 +0000 Subject: [PATCH 544/900] Add dontaudit statements to camera HAL policy. The autogenerated dontaudit statements in tracking_denials are actually the correct policy. Move them to the correct file and add comments. Bug: 218585004 Test: build & camera check Change-Id: Ie0338f0d2a6fd0c589777a82c22a014e462bd5c2 (cherry picked from commit 26b2d2e33ee14ed8a3f482cab9197e27cd69c50e) --- tracking_denials/hal_camera_default.te | 5 ----- whitechapel_pro/hal_camera_default.te | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/hal_camera_default.te diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te deleted file mode 100644 index f423e497..00000000 --- a/tracking_denials/hal_camera_default.te +++ /dev/null 
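Review bot: `net_domain(vendor_rcs_app)` grants the baseline network socket set to the whole app domain, and the file gives no hint which component needs it; carry the reason from the message into the policy, e.g. `# ShannonGbaService needs network access (b/235011726)` above the new line. Since the domain is already `app_domain`, pairing it with net_domain is the standard form for an app that uses the network, so no further change is needed.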
@@ -1,5 +0,0 @@
-# b/205780065
-dontaudit hal_camera_default system_data_file:dir { search };
-# b/218585004
-dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 92c629ed..437060ea 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -91,3 +91,11 @@ allow hal_camera_default sysfs_leds:file r_file_perms;
 # Allow camera HAL to send trace packets to Perfetto
 userdebug_or_eng(`perfetto_producer(hal_camera_default)')
+
+# Some file searches attempt to access system data and are denied.
+# This is benign and can be ignored.
+dontaudit hal_camera_default system_data_file:dir { search };
+
+# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
\ No newline at end of file
From dc339dc7800ca187c8e179eea8fb24ecf3adf163 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 13 Jun 2022 11:09:23 +0800
Subject: [PATCH 545/900] remove obsolete entry Bug: 229354991 Test: take a bug report without showing relevant logs Change-Id: I3c75ca4e79085205f50c07b8ceea9757760a8763
---
 tracking_denials/untrusted_app.te | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 tracking_denials/untrusted_app.te
diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te
deleted file mode 100644
index 337bab8f..00000000
--- a/tracking_denials/untrusted_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/229354991
-dontaudit untrusted_app isolated_app:process { getsched };
-dontaudit untrusted_app shell_test_data_file:dir { search };
From 8d011823ed26bdd7386c0af8dcb31419a38859af Mon Sep 17 00:00:00 2001
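Review bot: The three dontaudit rules moved into whitechapel_pro/hal_camera_default.te lose the bug references (`b/205780065`, `b/218585004`) that the deleted tracking_denials file carried, so a later reader cannot tell whether the suppression is still justified; keeping them in the new comments, e.g. `# b/218585004: google3 prebuilts attempt to connect to the wrong trace socket, ignore them.`, preserves that trail. Because these rules hide real access attempts on system_data_file and the traced sockets, the comment is stronger if it says what was checked to call them benign rather than only asserting it. The final added line also lacks a trailing newline (`\ No newline at end of file`).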
From: Adam Shih
Date: Mon, 13 Jun 2022 13:11:12 +0800
Subject: [PATCH 546/900] allow dumpstate to access sde partition Bug: 221384768 Test: do bugreport without relevant error log Change-Id: I26b0246f8d99a5efce8f7d1b65fa50faafb599e2
---
 tracking_denials/dumpstate.te | 3 +--
 whitechapel_pro/genfs_contexts | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 29678370..ffb8518c 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,3 +1,2 @@
-# b/221384768
+# b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-dontaudit dumpstate sysfs:file { read };
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 51a79b97..0cd3d358 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -185,6 +185,7 @@ genfscon sysfs /devices/platform/google,battery/power_supply/battery
 genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/pseudo_0/adapter0/host1/target1:0:0/1:0:0:0/block/sde u:object_r:sysfs_devices_block:s0
 # P22 battery
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0
From c7bcfba2cb148ccb24dc585b717b6e3ae24eab61 Mon Sep 17 00:00:00 2001
From: Oleg Matcovschi
Date: Fri, 10 Jun 2022 11:37:09 -0700
Subject: [PATCH 547/900] sepolicy: add sscoredump mali genfs rule Bug: 235492324 Signed-off-by: Oleg Matcovschi Change-Id: I8a5db9b4d0a6f63819820213e20165dbe920ab07
---
 whitechapel_pro/genfs_contexts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 8d7fa897..45490e43 100644
--- a/whitechapel_pro/genfs_contexts
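Review bot: The new `sysfs_devices_block` entry for `/devices/pseudo_0/adapter0/host1/target1:0:0/1:0:0:0/block/sde` is inserted inside the `sysfs_batteryinfo` group, directly before `# P22 battery`, so it reads as a battery rule; it belongs under its own heading, e.g. `# Block device sde, read by dumpstate (b/221384768)`. The path looks like SCSI host/target enumeration, so if that numbering is not fixed on this platform the label would silently fail to apply and dumpstate would fall back to the generic sysfs label. In the dumpstate.te hunk the surviving dontaudit is re-attributed from `b/221384768` to `b/185723618`; that may be intended, but the commit title does not mention it.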
+++ b/whitechapel_pro/genfs_contexts
@@ -60,11 +60,12 @@ genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_i
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0
 # sscoredump (per device)
-genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/mali/sscoredump/sscd_mali/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
 # Power Stats
 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
From b3576ef751c3ac38ebaec8d4b63b7d4c32b260fb Mon Sep 17 00:00:00 2001
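Review bot: The five existing sscoredump `report_count` lines are removed and re-added with no visible content change, which suggests a whitespace or alignment edit was bundled with the one-line mali addition; the change is easier to review and bisect if only `+genfscon sysfs /devices/platform/mali/sscoredump/sscd_mali/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0` is added. The list was alphabetical (aoc, bigocean, debugcore, mfc-core, wlan) and mali is appended after wlan; placing it between debugcore and mfc-core keeps that order. If the rewrite is intentional, the commit message should say what changed in those lines.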
From: xiaofanj
Date: Tue, 7 Jun 2022 03:06:13 +0000
Subject: [PATCH 548/900] modem_svc_sit: create oem test iodev - Create radio_test_device for oem_test iodev. - Grant modem_svc_sit to access radio_test_device. Bug: 231380480 Signed-off-by: Xiaofan Jiang Change-Id: Id06deedadf04c70b57e405a05533ed85764bdd1d
---
 whitechapel_pro/device.te | 1 +
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/modem_svc_sit.te | 4 ++++
 3 files changed, 6 insertions(+)
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 6b81f2a1..952a1675 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -18,6 +18,7 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
 type battery_history_device, dev_type;
+type radio_test_device, dev_type;
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 79bb698f..a7aba25f 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -149,6 +149,7 @@
 /dev/st33spi u:object_r:st33spi_device:s0
 /dev/ttyGS[0-3] u:object_r:serial_device:s0
 /dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/oem_test u:object_r:radio_test_device:s0
 /dev/umts_boot0 u:object_r:radio_device:s0
 /dev/umts_ipc0 u:object_r:radio_device:s0
 /dev/umts_ipc1 u:object_r:radio_device:s0
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index d3e79c93..9954f493 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -24,3 +24,7 @@ get_prop(modem_svc_sit, vendor_rild_prop)
 # hwservice permission
 allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
 get_prop(modem_svc_sit, hwservicemanager_prop)
+
+userdebug_or_eng(`
+ allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
+')
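Review bot: The `radio_test_device` type and the `/dev/oem_test` label are unconditional while the only access rule is wrapped in `userdebug_or_eng`, so on user builds the node, if it exists there, is reachable by no domain and any access is denied and audited; that is the right default, but the intent should be stated where the type is declared, e.g. `# oem_test iodev; accessible only to modem_svc_sit on userdebug/eng builds (b/231380480)` in device.te. If the node is only created on debug builds, saying so in that comment makes the test-only scope explicit. PATCH 568 later in this series repeats these hunks verbatim with a Merged-In trailer, so the same comment applies there.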
From 4bc7128afe15bd4e0ae7b2f6ebb450aefe30c421 Mon Sep 17 00:00:00 2001
From: Minchan Kim
Date: Fri, 10 Jun 2022 10:09:48 -0700
Subject: [PATCH 549/900] allow hal_dumpstate_default to access cma debugfs It's useful for CMA memory debugging. Bug: 233535442 Test: adb bugreport contains cma information in dumpstate_board.txt Signed-off-by: Minchan Kim Change-Id: I65170d6b84f642e038a7901427c3673b40832af9
---
 whitechapel_pro/file.te | 1 +
 whitechapel_pro/genfs_contexts | 1 +
 whitechapel_pro/hal_dumpstate_default.te | 4 ++++
 3 files changed, 6 insertions(+)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 55d05757..98a8d28f 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -67,6 +67,7 @@ type vendor_battery_debugfs, fs_type, debugfs_type;
 type vendor_dmabuf_debugfs, fs_type, debugfs_type;
 type vendor_dri_debugfs, fs_type, debugfs_type;
 type vendor_page_pinner_debugfs, fs_type, debugfs_type;
+type vendor_cma_debugfs, fs_type, debugfs_type;
 # vendor extra images
 type modem_img_file, contextmount_type, file_type, vendor_file_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 45490e43..797344af 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -180,6 +180,7 @@ genfscon debugfs /gvotables u:object
 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
 genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
+genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0
 # Battery
 genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index d5bc6799..0f153f22 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -124,6 +124,8 @@ userdebug_or_eng(`
 allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
 allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
 allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
 ')
 dontaudit hal_dumpstate_default mnt_vendor_file:dir search;
@@ -146,3 +148,5 @@ dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
 dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;
 dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
 dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
From 20053909665d58a75595b17324ff3209aff0d935 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 14 Jun 2022 11:32:27 +0800
Subject: [PATCH 550/900] remove obsolete entry Bug: 228181404 Test: boot with no avc error log Change-Id: Ic8d71ef8ddb99eafb366929af695a50d4779ac0c
---
 tracking_denials/kernel.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 53df8fea..7f80734a 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -4,5 +4,5 @@ dontaudit kernel vendor_battery_debugfs:dir { search };
 allow kernel same_process_hal_file:file r_file_perms;
 # b/227286343
 dontaudit kernel vendor_regmap_debugfs:dir { search };
-# b/228181404
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
+# b/227121550
+dontaudit kernel vendor_votable_debugfs:dir search;
From 73f69714752c5bfec6cb26546e95f8289779d2c5 Mon Sep 17 00:00:00 2001
From: yixuanjiang
Date: Mon, 17 Jan 2022 20:20:50 +0800
Subject: [PATCH 551/900] aoc: add audio property for audio CCA module Bug: 213545113 Test: local test
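Review bot: The new `allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;` grants directory listing, whereas the page_pinner rule directly above it, which this appears to be modelled on, grants only `:dir search`; if the dumper opens known file names under /cma, `search` is sufficient and is the least-privilege choice. The unconditional `dontaudit ... vendor_cma_debugfs` pair in the second hunk follows the existing page_pinner pattern, so on user builds a real attempt to read /cma is silently denied rather than logged; a one-line comment that this is intended would help the next reader. The enclosing `userdebug_or_eng` block opens above the first hunk.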
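Review bot: Besides dropping the `b/228181404` maxfg entry, the kernel.te hunk adds `dontaudit kernel vendor_votable_debugfs:dir search;` under `b/227121550`, a rule the earlier kernel.te change in this series (index d75b1fb1..53df8fea) had removed, and the title "remove obsolete entry" does not mention a re-addition. If the votable denial has reappeared the commit message should say so; otherwise this looks like a rebase artefact. The new line also drops the braces every other rule in the file uses, so `dontaudit kernel vendor_votable_debugfs:dir { search };` would keep the file consistent.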
Signed-off-by: yixuanjiang Change-Id: Ic58d944d30d0367a7c3afdf5f1bb1f696c8edda9
---
 aoc/property_contexts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/aoc/property_contexts b/aoc/property_contexts
index d5028300..e957de69 100644
--- a/aoc/property_contexts
+++ b/aoc/property_contexts
@@ -9,3 +9,5 @@ vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
 vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
 vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
 vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0
+vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0
From 1b954eef3b6ceb9731c5d565981c23243dcc4f04 Mon Sep 17 00:00:00 2001
From: Nucca Chen
Date: Mon, 13 Jun 2022 03:25:31 +0000
Subject: [PATCH 552/900] Remove clatd tracking_denial Bug: 210363983 Change-Id: Ie3a38ef9cdb4447a3684912d2a65b0167c484cc6 Test: boot with no relevant error log
---
 tracking_denials/clatd.te | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 tracking_denials/clatd.te
diff --git a/tracking_denials/clatd.te b/tracking_denials/clatd.te
deleted file mode 100644
index 3c27ad97..00000000
--- a/tracking_denials/clatd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/210363983
-#dontaudit clatd netd:rawip_socket { read write };
-#dontaudit clatd netd:rawip_socket { setopt };
From 31981dfaea45d12bc5ef5e577aece0ff9f508949 Mon Sep 17 00:00:00 2001
From: Robb Glasser
Date: Wed, 8 Jun 2022 14:43:52 -0700
Subject: [PATCH 553/900] Allow sensors HAL to rw the sensors registry. The sensors HAL needs full permissions to read and write the sensors registry for things like runtime calibration. Bug: 227695036 Test: Denial goes away. Change-Id: I5ccec3497219acca7c172c1cb0cf1d070996b42b
---
 whitechapel_pro/hal_sensors_default.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
index 4e1b8ca1..a645b502 100644
--- a/whitechapel_pro/hal_sensors_default.te
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -30,8 +30,8 @@ allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
 r_dir_file(hal_sensors_default, persist_camera_file)
 # Allow creation and writing of sensor registry data files.
-allow hal_sensors_default sensor_reg_data_file:dir r_dir_perms;
-allow hal_sensors_default sensor_reg_data_file:file r_file_perms;
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
 # Allow access to the display info for ALS.
 allow hal_sensors_default sysfs_display:file rw_file_perms;
From 6e578b68253bc4af8d56f63006ac03981f323196 Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Thu, 16 Jun 2022 10:40:57 +0800
Subject: [PATCH 554/900] Update avc error on ROM 8732242 Bug: 236200710 Test: PtsSELinuxTestCases Change-Id: I9b4b487aa78a69fe981a542aef1a7dbe368a30ce
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 tracking_denials/bug_map
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 00000000..208522d4
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1 @@
+hal_input_processor_default vendor_display_prop file b/236200710
\ No newline at end of file
From c25afee26a9c8b26392ac71328a44a91e05ea7d0 Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Thu, 16 Jun 2022 10:40:57 +0800
Subject: [PATCH 555/900] [Do not merge]Update avc error on ROM 8732242 Bug: 236200710 Test: PtsSELinuxTestCases Merged-In: I9b4b487aa78a69fe981a542aef1a7dbe368a30ce Change-Id: I9b4b487aa78a69fe981a542aef1a7dbe368a30ce
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 600908ad..17b0bbab 100644
--- a/tracking_denials/bug_map
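Review bot: `create_file_perms` on `sensor_reg_data_file:file` also grants `unlink`, `rename` and `setattr` (per the AOSP global_macros definition), and `rw_dir_perms` grants `remove_name`, which is more than the "creation and writing" the comment above the rules describes; if the HAL only creates and rewrites registry files, `rw_file_perms` plus `create` on the file class and `add_name write` on the directory is the tighter grant. If deletion or atomic rename is genuinely part of runtime calibration, extend the comment so the broader grant is documented, e.g. `# Allow creation, rewriting and replacement (rename/unlink) of sensor registry data files, b/227695036.`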
+++ b/tracking_denials/bug_map
@@ -1 +1,2 @@
 shell sysfs_wlc dir b/234547497
+hal_input_processor_default vendor_display_prop file b/236200710
From f90d992b0cdf557a569ec5d84cfaa534d915f90f Mon Sep 17 00:00:00 2001
From: JimiChen
Date: Sat, 11 Jun 2022 15:49:28 +0800
Subject: [PATCH 556/900] allow rlsservice read vendor camera property Bug: 233020488 Test: no avc denied Change-Id: Ie7e68a6e18ba64c18e90e39cadacea5a15364eff
---
 whitechapel_pro/rlsservice.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te
index 2297900c..e5f1acef 100644
--- a/whitechapel_pro/rlsservice.te
+++ b/whitechapel_pro/rlsservice.te
@@ -28,3 +28,5 @@ allow rlsservice aoc_device:chr_file rw_file_perms;
 # For observing apex file changes
 allow rlsservice apex_info_file:file r_file_perms;
+# Allow read camera property
+get_prop(rlsservice, vendor_camera_prop);
From ced9e0ebbf3ab6d2402f6fda183756496439970c Mon Sep 17 00:00:00 2001
From: Siarhei Vishniakou
Date: Thu, 16 Jun 2022 15:59:46 -0700
Subject: [PATCH 557/900] Allow InputProcessor HAL to read display resolution Currently, there's no API to read the resolution from the system domain, so the HAL has to read this from the sysprop provided by the display code. Allow the HAL to do so in this CL. Bug: 236200710 Test: adb shell dmesg | grep input_processor Change-Id: I23285c21a82748c63fbe20988af42884b9261b66
---
 whitechapel_pro/hal_input_processor_default.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 whitechapel_pro/hal_input_processor_default.te
diff --git a/whitechapel_pro/hal_input_processor_default.te b/whitechapel_pro/hal_input_processor_default.te
new file mode 100644
index 00000000..00d4c695
--- /dev/null
+++ b/whitechapel_pro/hal_input_processor_default.te
@@ -0,0 +1,2 @@
+# allow InputProcessor HAL to read the display resolution system property
+get_prop(hal_input_processor_default, vendor_display_prop)
From 2ee67a6bf30fae8ef76be26e9456abb7c1d1da6a Mon Sep 17 00:00:00 2001
From: Jack Wu
Date: Mon, 13 Jun 2022 19:14:44 +0800
Subject: [PATCH 558/900] sepolicy: allows pixelstat to access pca file nodes Bug: 235050913 Test: no Permission denied while accessing the file node Signed-off-by: Jack Wu Change-Id: I7de0a374e1c98f4e9bbf36e39cb0131b0e9ffebc
---
 whitechapel_pro/file.te | 1 +
 whitechapel_pro/genfs_contexts | 7 +++++++
 whitechapel_pro/pixelstats_vendor.te | 3 +++
 3 files changed, 11 insertions(+)
diff --git a/wh<br>itechapel_pro/file.te b/whitechapel_pro/file.te
index 98a8d28f..ea0caf2a 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -54,6 +54,7 @@ type sysfs_odpm, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
+type sysfs_pca, sysfs_type, fs_type;
 # debugfs
 type debugfs_f2fs, debugfs_type, fs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 797344af..87cd5c61 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -217,6 +217,13 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0
 # Extcon
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index d16acc0b..068e7fb8 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -19,3 +19,6 @@ allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
 # storage smart idle maintenance
 get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);
+
+# Pca charge
+allow pixelstats_vendor sysfs_pca:file rw_file_perms;
From 2c5af2b633284a313e38431b5ac7870c239ded25 Mon Sep 17 00:00:00 2001
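Review bot: `allow pixelstats_vendor sysfs_pca:file rw_file_perms;` grants write access to the charge-stats nodes, but pixelstats is a statistics reporter and the commit only says it needs to "access" them; if it just reads `chg_stats`, `r_file_perms` is the least-privilege grant. If a write is genuinely required (for example to clear the counters after reporting), the `# Pca charge` comment should say what is written and why. The seven genfscon paths label only the `chg_stats` node itself, so if that node turns out to be a directory rather than a file, a matching `:dir` rule would also be needed.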
From: Lawrence Huang
Date: Thu, 9 Jun 2022 00:02:30 +0000
Subject: [PATCH 559/900] Add network permissions for google camera Investigation here: https://docs.google.com/document/d/1dARYZBxeJFPTEIMr-0U80Ka68BoPY6-h9VcBDZ8Uon8/edit# Bug: 230434151 Change-Id: I9b37906ba4c7ba2cdbb23fc7a07f1e9e2aa8d1ab Test: no more avc errors
---
 whitechapel_pro/google_camera_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index 99a4d1bf..54f2d664 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -1,5 +1,6 @@
 type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
+net_domain(google_camera_app)
 allow google_camera_app app_api_service:service_manager find;
 allow google_camera_app audioserver_service:service_manager find;
From 8b103bff0714cc0ebfe73dee7ebdd1bd8603fc4a Mon Sep 17 00:00:00 2001
From: Siarhei Vishniakou
Date: Thu, 16 Jun 2022 15:59:46 -0700
Subject: [PATCH 560/900] Allow InputProcessor HAL to read display resolution Currently, there's no API to read the resolution from the system domain, so the HAL has to read this from the sysprop provided by the display code. Allow the HAL to do so in this CL. Bug: 236200710 Test: adb shell dmesg | grep input_processor Change-Id: I23285c21a82748c63fbe20988af42884b9261b66 Merged-In: I23285c21a82748c63fbe20988af42884b9261b66
---
 whitechapel_pro/hal_input_processor_default.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 whitechapel_pro/hal_input_processor_default.te
diff --git a/whitechapel_pro/hal_input_processor_default.te b/whitechapel_pro/hal_input_processor_default.te
new file mode 100644
index 00000000..00d4c695
--- /dev/null
+++ b/whitechapel_pro/hal_input_processor_default.te
@@ -0,0 +1,2 @@
+# allow InputProcessor HAL to read the display resolution system property
+get_prop(hal_input_processor_default, vendor_display_prop)
From 555d8a9aca57c8bd2aab1e2d7841f3d9c6eb3b51 Mon Sep 17 00:00:00 2001
From: Siarhei Vishniakou
Date: Fri, 17 Jun 2022 20:50:13 +0000
Subject: [PATCH 561/900] Revert "Update avc error on ROM 8732242" This reverts commit 6e578b68253bc4af8d56f63006ac03981f323196. Bug: 236200710 Test: verified locally Reason for revert: sepolicy was fixed, no more need for the exception Change-Id: Ic343b513c5426e5caca77bcd8c56f7336834b4ec
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 tracking_denials/bug_map
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
deleted file mode 100644
index 208522d4..00000000
--- a/tracking_denials/bug_map
+++ /dev/null
@@ -1 +0,0 @@
-hal_input_processor_default vendor_display_prop file b/236200710
\ No newline at end of file
From d3d4af1aace8ccfa134f95bf74a0e52988eeca5d Mon Sep 17 00:00:00 2001
From: Jinting Lin
Date: Tue, 14 Jun 2022 04:58:44 +0000
Subject: [PATCH 562/900] Remove obsolete sepolicy of silentlogging Bug: 221384996 Test: adb bugreport Change-Id: I35a9dae665f11196ec900346c41a3c786bfdf5fa
---
 tracking_denials/vendor_telephony_silentlogging_app.te | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 tracking_denials/vendor_telephony_silentlogging_app.te
diff --git a/tracking_denials/vendor_telephony_silentlogging_app.te b/tracking_denials/vendor_telephony_silentlogging_app.te
deleted file mode 100644
index a74e3e3a..00000000
--- a/tracking_denials/vendor_telephony_silentlogging_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/221384996
-dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { getattr };
-dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { search };
From a48fe668fe01e4864622f89329d75440449c4135 Mon Sep 17 00:00:00 2001
From: Carter Hsu
Date: Thu, 21 Apr 2022 08:51:50 +0800
Subject: [PATCH 563/900] audio: allow Audio HAL to write the audio vendor property Bug: 206065000 Test: use test build to check the property
Signed-off-by: Carter Hsu Change-Id: I0007459fcfd3a4718af9af00de9f54d125627dd2
---
 aoc/hal_audio_default.te | 2 +-
 whitechapel_pro/vendor_init.te | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te
index 0755cba1..aa462bf3 100644
--- a/aoc/hal_audio_default.te
+++ b/aoc/hal_audio_default.te
@@ -21,7 +21,7 @@ allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
 #allow access to DMABUF Heaps for AAudio API
 allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
-get_prop(hal_audio_default, vendor_audio_prop);
+set_prop(hal_audio_default, vendor_audio_prop);
 hal_client_domain(hal_audio_default, hal_health);
 hal_client_domain(hal_audio_default, hal_thermal);
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index b6741954..25b38beb 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -11,6 +11,7 @@ set_prop(vendor_init, vendor_usb_config_prop)
 set_prop(vendor_init, vendor_rild_prop)
 set_prop(vendor_init, logpersistd_logging_prop)
 set_prop(vendor_init, vendor_logger_prop)
+set_prop(vendor_init, vendor_audio_prop)
 allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file w_file_perms;
From d893b6e7f8270819e7adc81231e2956dac041c26 Mon Sep 17 00:00:00 2001
From: Peter Csaszar
Date: Wed, 22 Jun 2022 03:20:39 -0700
Subject: [PATCH 564/900] Remove ssr_detector_app dontaudits Bug: 207571417 Test: pts-tradefed run pts -m PtsSELinuxTest Signed-off-by: Peter Csaszar Change-Id: I2e92edf4d22a142a3817b5f399edd65ebbe4b32f
---
 tracking_denials/ssr_detector_app.te | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
index 182b08e1..dd4768b2 100644
--- a/tracking_denials/ssr_detector_app.te
+++ b/tracking_denials/ssr_detector_app.te
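Review bot: Changing `get_prop` to `set_prop` lets hal_audio_default write every property labelled `vendor_audio_prop`, which, per the aoc/property_contexts hunk earlier in this series, includes `vendor.audiodump.output.dir` and `vendor.audiodump.log.config`; any other domain that reads those to decide where or whether audio is dumped now trusts the HAL for that decision. If only one property needs to be HAL-writable, giving it its own property context type keeps the remaining audiodump controls read-only for the HAL. A comment above the `set_prop` line naming the property the HAL publishes (b/206065000) would also make the widened grant reviewable later; the vendor_init.te hunk is fine as is.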
@@ -3,10 +3,3 @@ dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr };
 dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map };
 dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open };
 dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read };
-# b/207571417
-dontaudit ssr_detector_app cgroup:file { open };
-dontaudit ssr_detector_app cgroup:file { write };
-dontaudit ssr_detector_app sysfs:file { getattr };
-dontaudit ssr_detector_app sysfs:file { open };
-dontaudit ssr_detector_app sysfs:file { read };
-dontaudit ssr_detector_app sysfs:file { write };
From ffec0c64b4316cbaf467e9d7292d5726c405db05 Mon Sep 17 00:00:00 2001
From: jimmyshiu
Date: Thu, 23 Jun 2022 07:33:47 +0000
Subject: [PATCH 565/900] Remove dontaudit since read early_wakeup completed The display file node, early_wakeup, just for trigger the worker for display and it doesn't have meaningful read function. But PowerHAL read all nodes and try to dump their valuesi while triggering bugreport. As the read operation has been completed, so we can remove the clause. 07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:8): avc: denied { dac_read_search } for capability=2 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0 07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:9): avc: denied { dac_override } for capability=1 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0 Bug: 192617242 Bug: 208909174 Bug: 221384860 Test: adb shell dumpsys android.hardware.power.IPower/default Change-Id: Ice57c5cda51db150ec313337bb2385503f43529f
---
 tracking_denials/hal_power_default.te | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 tracking_denials/hal_power_default.te
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index 731d4baa..00000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/208909174
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
-# b/221384860
-dontaudit hal_power_default hal_power_default:capability { dac_override };
From 1f681630c4a1b98a8f70e5896df5609b259a2aeb Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Mon, 13 Jun 2022 18:36:18 +0800
Subject: [PATCH 566/900] [Do not merge] Remove regmap from list Bug: 227286343 Test: PtsSELinuxTestCases Change-Id: If32c472dcd6c0e0b83008a660ca6bbe6d79f44e3
---
 tracking_denials/kernel.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index d75b1fb1..38fcbb6d 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -5,7 +5,5 @@ allow kernel same_process_hal_file:file r_file_perms;
 # b/227121550
 dontaudit kernel vendor_usb_debugfs:dir { search };
 dontaudit kernel vendor_votable_debugfs:dir { search };
-# b/227286343
-dontaudit kernel vendor_regmap_debugfs:dir { search };
 # b/228181404
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
\ No newline at end of file
+dontaudit kernel vendor_maxfg_debugfs:dir { search };
From 65bdbc486227cd11b8baa095bc2312eee9917c3c Mon Sep 17 00:00:00 2001
From: Sam Ou
Date: Thu, 23 Jun 2022 03:34:23 +0000
Subject: [PATCH 567/900] sepolicy: fix odpm avc denials add wakeup permissions for odpm driver since we update acc_data based on alarmtimer Bug: 236798116 Change-Id: Ib898eeebf0e26a723f260a2a8ddb5e5f64d255ed Signed-off-by: Sam Ou
---
 whitechapel_pro/genfs_contexts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 797344af..b1b34058 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -90,6 +90,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs
/devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 
@@ -100,6 +109,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 From da328e0a0fea6f2ad2cfacfd572a72e97d2c22da Mon Sep 17 00:00:00 2001 
From: xiaofanj Date: Tue, 7 Jun 2022 03:06:13 +0000 Subject: [PATCH 568/900] modem_svc_sit: create oem test iodev - Create radio_test_device for oem_test iodev. - Grant modem_svc_sit to access radio_test_device. Bug: 231380480 Signed-off-by: Xiaofan Jiang Change-Id: Id06deedadf04c70b57e405a05533ed85764bdd1d Merged-In: Id06deedadf04c70b57e405a05533ed85764bdd1d --- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/modem_svc_sit.te | 4 ++++ 3 files changed, 6 insertions(+) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 6b81f2a1..952a1675 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -18,6 +18,7 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_heap_device, dmabuf_heap_device_type, dev_type; type battery_history_device, dev_type; +type radio_test_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 79bb698f..a7aba25f 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -149,6 +149,7 @@ /dev/st33spi u:object_r:st33spi_device:s0 /dev/ttyGS[0-3] u:object_r:serial_device:s0 /dev/oem_ipc[0-7] u:object_r:radio_device:s0 +/dev/oem_test u:object_r:radio_test_device:s0 /dev/umts_boot0 u:object_r:radio_device:s0 /dev/umts_ipc0 u:object_r:radio_device:s0 /dev/umts_ipc1 u:object_r:radio_device:s0 diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te index d3e79c93..9954f493 100644 --- a/whitechapel_pro/modem_svc_sit.te +++ b/whitechapel_pro/modem_svc_sit.te @@ -24,3 +24,7 @@ get_prop(modem_svc_sit, vendor_rild_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +userdebug_or_eng(` + allow modem_svc_sit radio_test_device:chr_file rw_file_perms; +') 
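Review bot: The `userdebug_or_eng` block granting `modem_svc_sit` `rw_file_perms` on `radio_test_device` carries no comment saying what `/dev/oem_test` is for or that the node is deliberately labeled yet unreachable on user builds, which is exactly what a later reader (or someone tempted to lift the macro) needs to know. I would add above the macro `# /dev/oem_test: debug-only OEM test iodev into the modem (b/231380480); keep userdebug/eng only.` `rw_file_perms` also includes `ioctl`; if the test iodev is driven through ioctls, an `allowxperm` allowlist on the command set would bound what a compromised modem service could do with it on debug builds.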
From f131707b2a56a10217115aed4b5f44db5506a0c3 Mon Sep 17 00:00:00 2001 From: sashwinbalaji Date: Thu, 23 Jun 2022 11:35:23 +0800 Subject: [PATCH 569/900] thermal: added property persist.vendor.disable.thermal.dfs.control Updated the sepolicy to access tmu register Bug: 235156080 Test: Used local build to verify security context of tmu_reg file Change-Id: I3d43a393d76e7245e48ebcf9592c7e230c58d9bd --- whitechapel_pro/genfs_contexts | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index fe049804..c3bb542d 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -377,12 +377,7 @@ genfscon sysfs /devices/platform/100b0000.G3D u:obje genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.AUR u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 -genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters u:object_r:sysfs_thermal:s0 genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 From a7127617ba0b1e58c6528e2df47872c5bbf08fb1 Mon Sep 17 00:00:00 2001 
From: SalmaxChang Date: Mon, 20 Jun 2022 16:58:15 +0800 Subject: [PATCH 570/900] ssr_detector_app: remove tracking denials Avc errors already fixed. Remove tracking denials. Bug: 207571417 Bug: 205202542 Change-Id: I97d5f732e038dbdaf7885bdb9ca63bc518a97d51 --- tracking_denials/ssr_detector_app.te | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 tracking_denials/ssr_detector_app.te diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te deleted file mode 100644 index 182b08e1..00000000 --- a/tracking_denials/ssr_detector_app.te +++ /dev/null @@ -1,12 +0,0 @@ -# b/205202542 -dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr }; -dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map }; -dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open }; -dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read }; -# b/207571417 -dontaudit ssr_detector_app cgroup:file { open }; -dontaudit ssr_detector_app cgroup:file { write }; -dontaudit ssr_detector_app sysfs:file { getattr }; -dontaudit ssr_detector_app sysfs:file { open }; -dontaudit ssr_detector_app sysfs:file { read }; -dontaudit ssr_detector_app sysfs:file { write }; From b5edce085f8150d45659cc4a1d03b38f81bef3eb Mon Sep 17 00:00:00 2001 
From: sukiliu Date: Wed, 29 Jun 2022 14:07:37 +0800 Subject: [PATCH 571/900] Update avc error on ROM 8780665 Bug: 237491813 Bug: 237492145 Bug: 237491814 Bug: 237492146 Bug: 237492091 Test: PtsSELinuxTestCases Change-Id: I615453d58ea17306ceefe6195bc95974de0f259b --- tracking_denials/bug_map | 5 +++++ tracking_denials/dumpstate.te | 2 ++ tracking_denials/hal_drm_widevine.te | 2 ++ tracking_denials/hal_googlebattery.te | 2 ++ tracking_denials/hal_power_default.te | 3 +++ tracking_denials/incidentd.te | 2 ++ 6 files changed, 16 insertions(+) create mode 100644 tracking_denials/bug_map create mode 100644 tracking_denials/hal_googlebattery.te create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/incidentd.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 00000000..d53dde6c
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1,5 @@
+dumpstate app_zygote process b/237491813
+hal_drm_widevine default_prop file b/237492145
+hal_googlebattery dumpstate fd b/237491814
+hal_power_default hal_power_default capability b/237492146
+incidentd debugfs_wakeup_sources file b/237492091
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index ffb8518c..e93762d6 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,2 +1,4 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
+# b/237491813
+dontaudit dumpstate app_zygote:process { signal };
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
index cfe7fcf7..b0124389 100644
--- a/tracking_denials/hal_drm_widevine.te
+++ b/tracking_denials/hal_drm_widevine.te
@@ -1,2 +1,4 @@
 # b/229209076
 dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
+# b/237492145
+dontaudit hal_drm_widevine default_prop:file { read };
diff --git a/tracking_denials/hal_googlebattery.te b/tracking_denials/hal_googlebattery.te
new file mode 100644
index 00000000..da7f8c6f
--- /dev/null
+++ b/tracking_denials/hal_googlebattery.te
@@ -0,0 +1,2 @@
+# b/237491814
+dontaudit hal_googlebattery dumpstate:fd { use };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..a2ce6fdb
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,3 @@
+# b/237492146
+dontaudit hal_power_default hal_power_default:capability { dac_override };
+dontaudit hal_power_default hal_power_default:capability { dac_read_search };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 00000000..e6fce309
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,2 @@
+# b/237492091
+dontaudit incidentd debugfs_wakeup_sources:file { read };
From 5631fe741c402f63853a1a3dba56a23c56b18daf Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Thu, 30 Jun 2022 02:23:47 +0800 Subject: [PATCH 572/900] ssr_detector_app: remove tracking denials Avc errors already fixed. Remove tracking denials. Bug: 205202542 Change-Id: I08522d563de58e4bc2be2c4a1bea54bbeac6adb8 --- tracking_denials/ssr_detector_app.te | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 tracking_denials/ssr_detector_app.te
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
deleted file mode 100644
index dd4768b2..00000000
--- a/tracking_denials/ssr_detector_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/205202542
-dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr };
-dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map };
-dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open };
-dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read };
From a1b5481877b4a4ed19da6d1f260ccd56141a022b Mon Sep 17 00:00:00 2001
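Review bot: `dontaudit hal_power_default hal_power_default:capability { dac_override }` silences the one symptom of a file-permission problem: that denial normally means the HAL opens a node whose owner or mode does not admit its uid, and the usual remedy is to chown/chmod the node in init or ueventd, never to grant or hide `dac_override`. Since the comment is only a bug id, I would make the intent explicit, e.g. `# b/237492146: DAC check on a node hal_power_default opens; fix ownership in init/ueventd and remove this, do not allow dac_override`. The same applies to the `dac_read_search` line, and both should be removed together with the bug_map row this patch adds once the ownership fix lands.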
From: matthuang Date: Sun, 8 May 2022 23:35:03 +0800 Subject: [PATCH 573/900] Add acd-com.google.usf.non_wake_up file to AoC file context. Bug: 195077076 Test: ls -lZ dev/acd-com.google.usf.non_wake_up Change-Id: Ib97da81a01f566c7bd600512bb01fda27f34b217 --- aoc/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/aoc/file_contexts b/aoc/file_contexts index 71fb097b..93052d2e 100644 --- a/aoc/file_contexts +++ b/aoc/file_contexts @@ -14,6 +14,7 @@ /dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 /dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 /dev/acd-com.google.usf u:object_r:aoc_device:s0 +/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 /dev/acd-logging u:object_r:aoc_device:s0 /dev/aoc u:object_r:aoc_device:s0 /dev/amcs u:object_r:amcs_device:s0 From 3439f51f287e566ed5dfaf7dc3c51cf8b315c2d5 Mon Sep 17 00:00:00 2001 From: Alex Hong Date: Fri, 1 Jul 2022 16:59:04 +0800 Subject: [PATCH 574/900] Remove googlebattery from dontaduit list Bug: 237700766 Bug: 237491814 Test: PtsSELinuxTestCases Change-Id: Ic4119e552827a490ba829a80cd10c5fc3ba1d35e --- tracking_denials/bug_map | 1 - tracking_denials/hal_googlebattery.te | 2 -- 2 files changed, 3 deletions(-) delete mode 100644 tracking_denials/hal_googlebattery.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d53dde6c..5bd008ba 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ dumpstate app_zygote process b/237491813 hal_drm_widevine default_prop file b/237492145 -hal_googlebattery dumpstate fd b/237491814 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/237492091 diff --git a/tracking_denials/hal_googlebattery.te b/tracking_denials/hal_googlebattery.te deleted file mode 100644 index da7f8c6f..00000000 --- a/tracking_denials/hal_googlebattery.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/237491814 -dontaudit hal_googlebattery dumpstate:fd { use }; 
From c0ec14b9b185596674ac230d74111e53d615f48e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 5 Jul 2022 10:48:03 +0800 Subject: [PATCH 575/900] Update error on ROM 8765438 Bug: 238037492 Bug: 237093466 Test: SELinuxUncheckedDenialBootTest Change-Id: I4b067085dc0c9f79b715505a5831cab63fda6381 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5bd008ba..47bfbdb3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,3 +2,4 @@ dumpstate app_zygote process b/237491813 hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/237492091 +hal_radioext_default radio_vendor_data_file file b/237093466 From 74ff6db973a9b290eaf54abc87445b2318354a76 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 5 Jul 2022 10:48:03 +0800 Subject: [PATCH 576/900] Update error on ROM 8765438 Bug: 238037492 Bug: 237093466 Test: SELinuxUncheckedDenialBootTest Change-Id: I4b067085dc0c9f79b715505a5831cab63fda6381 Merged-In: I4b067085dc0c9f79b715505a5831cab63fda6381 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 17b0bbab..bb392fb3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,2 +1,3 @@ shell sysfs_wlc dir b/234547497 hal_input_processor_default vendor_display_prop file b/236200710 +hal_radioext_default radio_vendor_data_file file b/237093466 From 7bb9a6aaf4bb14967e9540f4497d3a7eaf9999e8 Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Mon, 4 Jul 2022 10:50:25 +0800 Subject: [PATCH 577/900] HwInfo: remove -sepolicy/tracking_denials/hardware_info_app.te Bug: 208909060 Test: not avc log for hardware_info_app Change-Id: I52dd55bcea0dd70f60d9156937861ef2036dc46d 
Signed-off-by: Denny cy Lee --- tracking_denials/hardware_info_app.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hardware_info_app.te diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te deleted file mode 100644 index 2975d243..00000000 --- a/tracking_denials/hardware_info_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/208909060 -dontaudit hardware_info_app vendor_maxfg_debugfs:dir search; From 2bd613cfe6efc44be93bc505d58cda3bb7b678a6 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 5 Jul 2022 11:16:51 +0800 Subject: [PATCH 578/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 227121550 Change-Id: I3e5c653a63b099aa44a880c4d1b2a327415f4d97 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 47bfbdb3..2345b263 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -3,3 +3,4 @@ hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/237492091 hal_radioext_default radio_vendor_data_file file b/237093466 +kernel vendor_usb_debugfs dir b/227121550 From e87fbe539d2221822c86cbda96586c5c919c14ea Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 7 Jul 2022 10:19:39 +0800 Subject: [PATCH 579/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 238260726 Bug: 238260742 Bug: 238260741 Change-Id: Ia3796d62a044b6c0e55c280918251f48143cfd0f --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2345b263..d3f11d1f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -4,3 +4,6 @@ hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/237492091 hal_radioext_default radio_vendor_data_file file b/237093466 kernel vendor_usb_debugfs dir b/227121550 +dumpstate hal_input_processor_default process b/238260726 +hal_googlebattery dumpstate fd b/238260742 +shell sysfs_wlc dir b/238260741 From eeced97ca94f544f07f0bbf362831781bb35fbfa Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Thu, 7 Jul 2022 03:17:41 +0000 Subject: [PATCH 580/900] fix avc error for fg_model/registers remove tracking with fix http://ag/19145061 Bug: 226271913 Signed-off-by: Jenny Ho Change-Id: Idaa9e75a013dc7c78234bff041819c3c131f3793 --- tracking_denials/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 850099a9..ea8ff1e4 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,4 +1,2 @@ # b/205656950 dontaudit vendor_init thermal_link_device:file { create }; -# b/226271913 -dontaudit vendor_init vendor_maxfg_debugfs:file setattr; From c466a683050fcffeced82de01290b200f11b9569 Mon Sep 17 00:00:00 2001 
From: Star Chang Date: Thu, 30 Jun 2022 12:07:32 +0000 Subject: [PATCH 581/900] wifi_sniffer: Add policy to allow wifi sniffer to access wifi firmware related files. Add policy to allow wifi_sniffer daemon to access wifi firmware related files. To fix the denial message: [85544.205505] type=1400 audit(1656381950.486:90): avc: denied { search } for comm="wifi_sniffer" name="wifi" dev="sysfs" ino=97256 scontext=u:r:wifi_sniffer:s0 tcontext=u:object_r:sysfs_wifi:s0 tclass=dir permissive=1 [85544.206027] type=1400 audit(1656381950.486:91): avc: denied { write } for comm="wifi_sniffer" name="firmware_path" dev="sysfs" ino=97268 scontext=u:r:wifi_sniffer:s0 tcontext=u:object_r:sysfs_wifi:s0 tclass=file permissive=1 [85544.206206] type=1400 audit(1656381950.486:92): avc: denied { open } for comm="wifi_sniffer" path="/sys/wifi/firmware_path" dev="sysfs" ino=97268 scontext=u:r:wifi_sniffer:s0 tcontext=u:object_r:sysfs_wifi:s0 tclass=file permissive=1 [85544.206349] type=1400 audit(1656381950.486:93): avc: denied { getattr } for comm="wifi_sniffer" path="/sys/wifi/firmware_path" dev="sysfs" ino=97268 scontext=u:r:wifi_sniffer:s0 tcontext=u:object_r:sysfs_wifi:s0 tclass=file permissive=1 Bug: 237465412 Test: wifi_sniffer is workable Change-Id: I5500be87d2b670e29c08d026872a6b304109f7a3 --- whitechapel_pro/wifi_sniffer.te | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 whitechapel_pro/wifi_sniffer.te diff --git a/whitechapel_pro/wifi_sniffer.te b/whitechapel_pro/wifi_sniffer.te new file mode 100644 index 00000000..1faffcea --- /dev/null +++ b/whitechapel_pro/wifi_sniffer.te @@ -0,0 +1,4 @@ +userdebug_or_eng(` +allow wifi_sniffer sysfs_wifi:dir search; +allow wifi_sniffer sysfs_wifi:file rw_file_perms; +') From 3adb31f0041043ee3ee6688ba571a7d7bc480660 Mon Sep 17 00:00:00 2001 
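Review bot: `allow wifi_sniffer sysfs_wifi:file rw_file_perms` grants write on every node labeled `sysfs_wifi`, while the denials quoted in the description show the daemon only writes `/sys/wifi/firmware_path`, i.e. it redirects which Wi-Fi firmware image gets loaded; on a debug build that is acceptable, but the rule does not say so and nothing scopes it to that file. Add a comment inside the macro, `# Debug-only: wifi_sniffer selects the sniffer firmware via /sys/wifi/firmware_path (b/237465412)`, and if other writable knobs share the `sysfs_wifi` label, consider giving `/sys/wifi/firmware_path` its own type so the write is confined to that one node. The `userdebug_or_eng` wrapper is correct and should stay; a daemon that can change the firmware a driver loads has no place on user builds.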
From: Daniel Angell Date: Fri, 1 Jul 2022 20:24:05 +0000 Subject: [PATCH 582/900] Remove dontaudit rules related to storageproxyd's /data access. Removing dontaudits for both tracking_denials/tee.te and whitechapel_pro/tee.te results in no new audit log messages related to storageproxyd, so they can both be removed. Bug: 215649571 Test: adb logcat | grep -iE 'storageproxyd' Change-Id: I8dc735bcaf0725c8d4eab4587f7a7fce21f4e25c --- tracking_denials/tee.te | 3 --- whitechapel_pro/tee.te | 4 ---- 2 files changed, 7 deletions(-) diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te index 3a56e037..9a1070ab 100644 --- a/tracking_denials/tee.te +++ b/tracking_denials/tee.te @@ -1,5 +1,2 @@ # TODO(b/205904330): avoid using setuid, setgid permission allow tee tee:capability { setuid setgid }; -# b/215649571 -dontaudit tee gsi_metadata_file:dir { search }; -dontaudit tee metadata_file:dir { search }; diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index 58228b5a..f93bf59e 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te @@ -11,7 +11,3 @@ allow tee sg_device:chr_file rw_file_perms; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) - -# storageproxyd starts before /data is mounted. It handles /data not being there -# gracefully. However, attempts to access /data trigger a denial. -dontaudit tee unlabeled:dir { search }; From c2ed52536e9b9ccbbbf62d1c5fec8dffb3268d97 Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Sat, 25 Jun 2022 00:10:22 +0800 Subject: [PATCH 583/900] Add logbuffer file_contexts Bug: 237082721 Signed-off-by: Kyle Tso Change-Id: Ieaf04f7381db1febe5a3899a727b6a49726bf10b --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index a7aba25f..be4f5506 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -90,6 +90,7 @@ /dev/watchdog0 u:object_r:watchdog_device:s0 /dev/mali0 u:object_r:gpu_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 +/dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0 /dev/logbuffer_ttf u:object_r:logbuffer_device:s0 From 1e606d96f145978b267d4d4c1647b3704e251879 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 11 Jul 2022 10:24:25 +0800 Subject: [PATCH 584/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 238571150 Change-Id: Idb8c4f3e99d23e73fe2e63beec1142d1207c0a05 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d3f11d1f..687d7ba2 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -7,3 +7,4 @@ kernel vendor_usb_debugfs dir b/227121550 dumpstate hal_input_processor_default process b/238260726 hal_googlebattery dumpstate fd b/238260742 shell sysfs_wlc dir b/238260741 +kernel vendor_charger_debugfs dir b/238571150 From 9899069adb55eedbaee330c82d962f1902304e46 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 12 Jul 2022 12:49:17 +0800 Subject: [PATCH 585/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 238705599 Change-Id: Ia78ce7f5b2adc41f7d64b99279681acce647e8bb --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 687d7ba2..1ef8e72f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,3 +8,4 @@ dumpstate hal_input_processor_default process b/238260726 hal_googlebattery dumpstate fd b/238260742 shell sysfs_wlc dir b/238260741 kernel vendor_charger_debugfs dir b/238571150 +cat_engine_service_app system_app_data_file dir b/238705599 From 46c457148564b28f5b43e462510f1c0cac622559 Mon Sep 17 00:00:00 2001 
From: Robb Glasser Date: Wed, 13 Jul 2022 11:06:04 -0700 Subject: [PATCH 586/900] Remove HAL sensors dontaudits. Sensors HAL sepolicy is written, but the dontaudit parts were not cleaned up at the time. Removing these as they are no longer needed. Bug: 227695036 Test: No denials as expected. Change-Id: Idc0ed7f380cb07bfc7695ef3019f335fd8fad0a2 --- tracking_denials/hal_sensors_default.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_sensors_default.te diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te deleted file mode 100644 index fb1bb237..00000000 --- a/tracking_denials/hal_sensors_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/227695036 -dontaudit hal_sensors_default sensor_reg_data_file:dir { write }; From 5eda61d1e030bd3e797785a47c837cb4465cfdaa Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 14 Jul 2022 06:47:30 +0000 Subject: [PATCH 587/900] Update SELinux error Bug: 234547283 Change-Id: I81b2885e2b7c7f77f76bc6048c901dfc4226a4fb --- tracking_denials/bug_map | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1ef8e72f..6349be5c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,11 +1,11 @@ -dumpstate app_zygote process b/237491813 -hal_drm_widevine default_prop file b/237492145 -hal_power_default hal_power_default capability b/237492146 -incidentd debugfs_wakeup_sources file b/237492091 -hal_radioext_default radio_vendor_data_file file b/237093466 -kernel vendor_usb_debugfs dir b/227121550 -dumpstate hal_input_processor_default process b/238260726 -hal_googlebattery dumpstate fd b/238260742 -shell sysfs_wlc dir b/238260741 -kernel vendor_charger_debugfs dir b/238571150 cat_engine_service_app system_app_data_file dir b/238705599 +dumpstate app_zygote process b/237491813 +dumpstate hal_input_processor_default process b/238260726 +hal_drm_widevine default_prop file b/237492145 +hal_googlebattery dumpstate fd b/238260742 +hal_power_default hal_power_default capability b/237492146 +hal_radioext_default radio_vendor_data_file file b/237093466 +incidentd debugfs_wakeup_sources file b/237492091 +kernel vendor_charger_debugfs dir b/238571150 +kernel vendor_usb_debugfs dir b/227121550 +shell sysfs_wlc dir b/238260741 From 52ec99ce413120c21706012a01719396abd4add0 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 18 Jul 2022 10:55:53 +0800 Subject: [PATCH 588/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 239364360 Change-Id: I6ea0b1a4fabd7ac29470afa48a0d84beccf0af28 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6349be5c..ae341e70 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,6 +6,7 @@ hal_googlebattery dumpstate fd b/238260742 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 +init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 shell sysfs_wlc dir b/238260741 
From dfc95d07741b42d92a4c06565d829d592aeb8be0 Mon Sep 17 00:00:00 2001 From: Robin Peng Date: Mon, 18 Jul 2022 12:47:38 +0800 Subject: [PATCH 589/900] init-insmod-sh: fix avc error avc: denied { set } for property=vendor.all.modules.ready pid=1238 uid=0 gid=0 scontext=u:r:init-insmod-sh:s0 tcontext=u:object_r:vendor_ready_prop:s0 tclass=property_service permissive=0 Bug: 238853979 Signed-off-by: Robin Peng Change-Id: Ic8d7af3c1d73f3079e126b66b38d728fe4d70ea4 --- whitechapel_pro/init-insmod-sh.te | 1 + whitechapel_pro/vendor_init.te | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te index ca98618c..1e56c094 100644 --- a/whitechapel_pro/init-insmod-sh.te +++ b/whitechapel_pro/init-insmod-sh.te @@ -10,6 +10,7 @@ allow init-insmod-sh self:capability sys_nice; allow init-insmod-sh kernel:process setsched; set_prop(init-insmod-sh, vendor_device_prop) +set_prop(init-insmod-sh, vendor_ready_prop) dontaudit init-insmod-sh proc_cmdline:file r_file_perms; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 25b38beb..97c0f381 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -3,7 +3,6 @@ allow vendor_init bootdevice_sysdev:file create_file_perms; set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_carrier_prop) set_prop(vendor_init, vendor_cbd_prop) -set_prop(vendor_init, vendor_ready_prop) get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) From 2c3812aac3244c3ad68f0f3f6e26ab494c359a9b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 19 Jul 2022 09:07:27 +0800 Subject: [PATCH 590/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 239484651 Bug: 239484612 Change-Id: If07a3611f40324d985a387c6dd7f2570c90c7c11 --- tracking_denials/bug_map | 10 ++++++++++ 1 file changed, 10 insertions(+) 
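Review bot: `set_prop(init-insmod-sh, vendor_ready_prop)` fixes the denial that patch 588 recorded in tracking_denials/bug_map as `init-insmod-sh vendor_ready_prop property_service b/239364360`, but that row is left in place, so bug_map now exempts a denial that no longer occurs and two bug ids (b/239364360 and b/238853979) describe the same issue. Drop the bug_map row in this change or the next and reference a single bug. Moving the setter of `vendor.all.modules.ready` from `vendor_init` to the module-loading script also narrows who can flip the readiness flag, which is the right direction; a comment such as `# Only the module loader may announce vendor.all.modules.ready` above the new line would keep someone from adding it back to vendor_init later.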
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ae341e70..050f91f6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,7 @@ cat_engine_service_app system_app_data_file dir b/238705599 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 +dumpstate system_data_file dir b/239484651 hal_drm_widevine default_prop file b/237492145 hal_googlebattery dumpstate fd b/238260742 hal_power_default hal_power_default capability b/237492146 @@ -9,4 +10,13 @@ incidentd debugfs_wakeup_sources file b/237492091 init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 +shell adb_keys_file file b/239484612 +shell cache_file lnk_file b/239484612 +shell init_exec lnk_file b/239484612 +shell linkerconfig_file dir b/239484612 +shell metadata_file dir b/239484612 +shell mirror_data_file dir b/239484612 +shell postinstall_mnt_dir dir b/239484612 +shell rootfs file b/239484612 shell sysfs_wlc dir b/238260741 +shell system_dlkm_file dir b/239484612 From 1c7154c453bb8ced0908f047dd7dfda9c4520247 Mon Sep 17 00:00:00 2001 From: matthuang Date: Mon, 18 Jul 2022 14:44:06 +0800 Subject: [PATCH 591/900] Add security context for com.google.usf.non_wake_up/wakeup. Bug: 195077076 Test: Confirm there is no avc denied log. Change-Id: I86c787d59203464fc3b8b2b94b4883cbd07196b0 --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 0c2cd112..70252d16 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -343,6 +343,7 @@ genfscon sysfs /devices/platform/11210000.usb/wakeup genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 From ebd7170495640b82154915363dc74ea3b9dbc442 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 20 Jul 2022 09:12:17 +0800 Subject: [PATCH 592/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 239632439 Change-Id: I42608d6fc5b3128915f7801e9000548a12ce7efa --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 050f91f6..bc6f2d07 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,7 @@ cat_engine_service_app system_app_data_file dir b/238705599 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 +dumpstate incident process b/239632439 dumpstate system_data_file dir b/239484651 hal_drm_widevine default_prop file b/237492145 hal_googlebattery dumpstate fd b/238260742 From c50018a543df55e1d4104ed1f53051fe74b1004e Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Thu, 21 Jul 2022 21:17:41 +0800 Subject: [PATCH 593/900] Update SELinux error Bug: 238398889 Test: no avc denied in TreeHugger verified 
Signed-off-by: Jack Wu Change-Id: Ia18714461cb9f30fe110917489adddee98de194f --- tracking_denials/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 38fcbb6d..605f1fa6 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,3 +1,5 @@ +# b/238398889 +dontaudit kernel vendor_charger_debugfs:dir { search }; # b/213817227 dontaudit kernel vendor_battery_debugfs:dir { search }; # b/220801802 From c09b0f9873ca9d712ea80af428bb9c9f8490d3be Mon Sep 17 00:00:00 2001 From: Edmond Chung Date: Thu, 21 Jul 2022 09:59:23 -0700 Subject: [PATCH 594/900] Allow vendor_init to set camera properties Bug: 239368308 Test: Camera CTS Change-Id: Ia34804235729d5230123431a4b315bb2967c4cc8 --- whitechapel_pro/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index b6741954..f1163e47 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -5,6 +5,7 @@ set_prop(vendor_init, vendor_carrier_prop) set_prop(vendor_init, vendor_cbd_prop) set_prop(vendor_init, vendor_ready_prop) get_prop(vendor_init, vendor_battery_profile_prop) +set_prop(vendor_init, vendor_camera_prop) set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_usb_config_prop) From eabd74399198c79552bb98317e642414a6d89d3b Mon Sep 17 00:00:00 2001 From: sukiliu Date: Wed, 20 Jul 2022 11:09:47 +0800 Subject: [PATCH 595/900] Remove regmap from list Bug: 227286343 Test: PtsSELinuxTestCases Change-Id: I0df048e6944623d992f66688550e534c038714d9 --- tracking_denials/kernel.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 91fa7a46..d743b75c 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te 
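Review bot: The new `dontaudit kernel vendor_charger_debugfs:dir { search };` is annotated `# b/238398889`, while tracking_denials/bug_map already tracks the same denial as `kernel vendor_charger_debugfs dir b/238571150` (visible as context in PATCH 590), and this commit touches neither the map nor the duplicate id. With the dontaudit in place the bug_map line is dead and should be dropped, and the two bug ids reconciled so the denial has one owner. The rule is a silence, not a grant, so there is no enforcement change; it only hides a search attempt on debugfs.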
@@ -4,7 +4,5 @@ dontaudit kernel vendor_charger_debugfs:dir { search }; dontaudit kernel vendor_battery_debugfs:dir { search }; # b/220801802 allow kernel same_process_hal_file:file r_file_perms; -# b/227286343 -dontaudit kernel vendor_regmap_debugfs:dir { search }; # b/227121550 dontaudit kernel vendor_votable_debugfs:dir search; From 13f3fdc8ff979f0d3990b2cf5471c5de04a84c04 Mon Sep 17 00:00:00 2001 From: Tri Vo Date: Fri, 15 Jul 2022 13:24:25 -0700 Subject: [PATCH 596/900] storageproxyd: Remove setuid/setgid SELinux permissions Bug: 205904330 Test: fingerprint enrollment/authentication Change-Id: Ied64163f1142c1dd05274867c2863592e49042f3 --- tracking_denials/tee.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/tee.te diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te deleted file mode 100644 index 9a1070ab..00000000 --- a/tracking_denials/tee.te +++ /dev/null @@ -1,2 +0,0 @@ -# TODO(b/205904330): avoid using setuid, setgid permission -allow tee tee:capability { setuid setgid }; From aacf5c43fc303568dc8ed5f8220168daa3c7a5dd Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Fri, 22 Jul 2022 16:59:07 -0700 Subject: [PATCH 597/900] Bug fixed in ag/19153533 Bug: 238260742 Test: N/A Change-Id: I4f7494eb37b04f994e14b7ff418bc9e2819e25cb --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index bc6f2d07..ee5b954a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,7 +4,6 @@ dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 dumpstate system_data_file dir b/239484651 hal_drm_widevine default_prop file b/237492145 -hal_googlebattery dumpstate fd b/238260742 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 
From b34d1c1ed086e8420e0df1645d72caf909226c34 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 19 Jul 2022 09:37:26 +0800 Subject: [PATCH 598/900] sync bug_map with downstream Bug: 239403666 Test: boot Change-Id: I7e95cc5169ce56f1bba031b4d8a83ab1d5c80b26 Merged-In: If07a3611f40324d985a387c6dd7f2570c90c7c11 --- tracking_denials/bug_map | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index bb392fb3..3bc07df7 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,13 @@ -shell sysfs_wlc dir b/234547497 hal_input_processor_default vendor_display_prop file b/236200710 +cat_engine_service_app system_app_data_file dir b/238705599 +dumpstate app_zygote process b/237491813 +dumpstate hal_input_processor_default process b/238260726 +hal_drm_widevine default_prop file b/237492145 +hal_googlebattery dumpstate fd b/238260742 +hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 +incidentd debugfs_wakeup_sources file b/237492091 +init-insmod-sh vendor_ready_prop property_service b/239364360 +kernel vendor_charger_debugfs dir b/238571150 +kernel vendor_usb_debugfs dir b/227121550 +shell sysfs_wlc dir b/238260741 From d889102a8fb19576f285ecddec13723d4a14850e Mon Sep 17 00:00:00 2001 From: Wiwit Rifa'i Date: Tue, 5 Jul 2022 14:12:23 +0800 Subject: [PATCH 599/900] Add SE policies for HWC logs Bug: 230361290 Test: adb bugreport Test: adb shell vndservice call Exynos.HWCService 11 i32 0 i32 308 i32 1 Change-Id: I12e6c1b4527829699211dae379f1e44da069b974 --- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_dumpstate_default.te | 3 +++ whitechapel_pro/hal_graphics_composer_default.te | 4 ++++ 4 files changed, 9 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index af98aebb..4fff5c7f 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -1,6 +1,7 @@ # Data type rild_vendor_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; +type vendor_hwc_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index be4f5506..11786215 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -197,6 +197,7 @@ /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 +/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 0f153f22..78b77a9a 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -9,6 +9,9 @@ allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; +allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms; +allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; + allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te index 61972c75..24966746 100644 --- a/whitechapel_pro/hal_graphics_composer_default.te +++ b/whitechapel_pro/hal_graphics_composer_default.te 
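Review bot: `/data/vendor/log/hwc(/.*)?` gets the new `vendor_hwc_log_file` label, but nothing in this change lets hal_graphics_composer_default create the `hwc` directory inside `vendor_log_file` (the composer hunk in the next line grants `rw_dir_perms` on `vendor_hwc_log_file` only), so the directory presumably has to be created and labelled by init — an init.rc mkdir is not part of this series, confirm it exists, otherwise HWC's first write is denied and the log never reaches dumpstate. Giving the HWC log its own type so dumpstate gets read-only access while HWC gets create/write is a good separation. The file.te and hal_dumpstate_default.te hunks here belong to the same change.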
@@ -52,3 +52,7 @@ vndbinder_use(hal_graphics_composer_default) # allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) + +# allow HWC to write log file +allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; +allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; From f10b9bf2cd710fa8e67388fc4b5fe72cac82d38f Mon Sep 17 00:00:00 2001 From: Steven Moreland Date: Tue, 26 Jul 2022 23:53:54 +0000 Subject: [PATCH 600/900] Remove vendor_service. We want to avoid associating types with where they can be used. Bug: 237115222 Test: build Change-Id: I6795d960aa2a3b3832be8e0f6a11cb0fc3337982 --- whitechapel_pro/service.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te index 8d5dc1ee..b87c99e1 100644 --- a/whitechapel_pro/service.te +++ b/whitechapel_pro/service.te @@ -1,2 +1,2 @@ -type hal_pixel_display_service, service_manager_type, vendor_service; -type hal_uwb_vendor_service, service_manager_type, vendor_service; +type hal_pixel_display_service, service_manager_type, hal_service_type; +type hal_uwb_vendor_service, service_manager_type, hal_service_type; From 89781162e95a57298a1d9bbd107628517033abd0 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Fri, 29 Jul 2022 15:38:05 +0800 Subject: [PATCH 601/900] Update SELinux error Test: testAtomicWrite Bug: 240653918 Test: testCheckSQLiteJournalMode Bug: 240653918 Test: testConfigMaxSectorsKB Bug: 240653918 Test: testConfigReadAhead Bug: 240653918 Test: testDirectWrite Bug: 240653918 Test: testDirectWriteDirectReadInEncryptedDir Bug: 240653918 Test: testDirectWriteDirectReadInNonEncryptedDir Bug: 240653918 Test: testDirectWriteDirectReadInPerBootEncryptedDir Bug: 240653918 Test: testDirectWriteNormalReadInEncryptedDir Bug: 240653918 Test: testDirectWriteNormalReadInNonEncryptedDir Bug: 240653918 Test: testDirectWriteNormalReadInPerBootEncryptedDir Bug: 240653918 Test: testInvalidWrite Bug: 240653918 Test: testLargeReadRequestSize Bug: 240653918 Test: testLoopMaxPartDefined Bug: 240653918 Test: testMetadataEncryptionEnabled Bug: 240653918 Test: testNormalWrite Bug: 240653918 Test: testNormalWriteDirectReadInEncryptedDir Bug: 240653918 Test: testNormalWriteDirectReadInNonEncryptedDir Bug: 240653918 Test: testNormalWriteDirectReadInPerBootEncryptedDir Bug: 240653918 Test: testNormalWriteNormalReadInPerBootEncryptedDir Bug: 240653918 Test: testPinFile Bug: 240653918 Test: testPtssBashToolFindBdevOfData Bug: 240653918 Test: testPtssBashToolFindRawBdevOfData Bug: 240653918 Test: testPtssBashToolGetDevNameOnlyOfData Bug: 240653918 Test: testPtssBashToolGetFsOfData Bug: 240653918 Test: testPtssBashToolGetMaxSectorsOfData Bug: 240653918 Test: testPtssBashToolGetReadAheadOfData Bug: 240653918 Test: testPtssBashToolStorageModel Bug: 240653918 Test: testPtssBashToolUsagePercentOfData Bug: 240653918 Test: testPxlIOCreateLargeFile Bug: 240653918 Test: testSmallFileInEncryptedDir Bug: 240653918 Test: testSmallFileInPerBootEncryptedDir Bug: 240653918 Test: testStorageTestUtilGetReqStatPath Bug: 240653918 Change-Id: I40c87c191644238e81516555f73aeebcd1abf0f6 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) 
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ee5b954a..71c12792 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -20,3 +20,4 @@ shell postinstall_mnt_dir dir b/239484612 shell rootfs file b/239484612 shell sysfs_wlc dir b/238260741 shell system_dlkm_file dir b/239484612 +su modem_img_file filesystem b/240653918 From ee1b7d6bb405b03783913de5dc9f0bdd2bb690de Mon Sep 17 00:00:00 2001 From: lucaslin Date: Fri, 29 Jul 2022 16:38:51 +0800 Subject: [PATCH 602/900] Add sepolicy for dumpstate to zip tcpdump into bugreport Bug: 239634976 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I01b9b25a6236bcfa1ce2b89afb3ed1bc2ef49cae --- whitechapel_pro/hal_dumpstate_default.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 78b77a9a..77d1b7db 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -129,6 +129,10 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; + allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; + allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; + + set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) ') dontaudit hal_dumpstate_default mnt_vendor_file:dir search; 
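Review bot: `create_dir_perms` and `create_file_perms` on `tcpdump_vendor_data_file` let hal_dumpstate_default create, rename and delete packet captures, while the commit message only describes bundling them into the bugreport; if dumpstate only reads the captures, `r_dir_perms`/`r_file_perms` suffice, and if it must remove or rotate them after zipping, a comment such as `# dumpstate removes captures after bundling them into dumpstate_board.zip` would justify the write side. The rules sit inside `userdebug_or_eng`, which is the right place for packet-capture collection; that macro block starts outside the hunk. PATCH 603 in the next line is a cherry-pick of this same hunk and the same comment applies there.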
@@ -153,3 +157,6 @@ dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; +dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; +dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms; From 81616f3ad067b37a8d038ecce47175c52a21055f Mon Sep 17 00:00:00 2001 From: lucaslin Date: Fri, 29 Jul 2022 16:38:51 +0800 Subject: [PATCH 603/900] Add sepolicy for dumpstate to zip tcpdump into bugreport Bug: 239634976 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I01b9b25a6236bcfa1ce2b89afb3ed1bc2ef49cae Merged-In: I01b9b25a6236bcfa1ce2b89afb3ed1bc2ef49cae (cherry picked from commit ee1b7d6bb405b03783913de5dc9f0bdd2bb690de) --- whitechapel_pro/hal_dumpstate_default.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 0f153f22..e819eb16 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -126,6 +126,10 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; + allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; + allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; + + set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) ') dontaudit hal_dumpstate_default mnt_vendor_file:dir search; 
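Review bot: The user-build `dontaudit` mirror is incomplete: the allow block grants `set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)`, which expands to a `property_service set` permission, but the silence rule only covers `vendor_tcpdump_log_prop:file r_file_perms` (the get side), so a set attempt on a user build still produces an audit line. If the intent is to keep user builds quiet, add `dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:property_service set;` next to it. The cherry-picked hunk of PATCH 603 in the next line has the same gap.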
@@ -150,3 +154,6 @@ dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; +dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; +dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms; From 07af2808d5285376958664823fb1d2a5c9576958 Mon Sep 17 00:00:00 2001 From: Konstantin Vyshetsky Date: Thu, 21 Jul 2022 18:57:49 -0700 Subject: [PATCH 604/900] convert_to_ext4.sh: add sepolicy Add entries for convert_to_ext4.sh executable. Bug: 239632964 Signed-off-by: Konstantin Vyshetsky Change-Id: I0d89aa88dab0ae5a4cf3d7b2e4423d1761868bea --- whitechapel_pro/convert-to-ext4-sh.te | 47 +++++++++++++++++++++++++++ whitechapel_pro/file_contexts | 1 + 2 files changed, 48 insertions(+) create mode 100644 whitechapel_pro/convert-to-ext4-sh.te diff --git a/whitechapel_pro/convert-to-ext4-sh.te b/whitechapel_pro/convert-to-ext4-sh.te new file mode 100644 index 00000000..fa8df643 --- /dev/null +++ b/whitechapel_pro/convert-to-ext4-sh.te 
@@ -0,0 +1,47 @@ +type convert-to-ext4-sh, domain, coredomain; +type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type; + +userdebug_or_eng(` + permissive convert-to-ext4-sh; + + init_daemon_domain(convert-to-ext4-sh) + + allow convert-to-ext4-sh block_device:dir search; + allow convert-to-ext4-sh e2fs_exec:file rx_file_perms; + allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms; + allow convert-to-ext4-sh kernel:process setsched; + allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms; + allow convert-to-ext4-sh persist_audio_file:dir { rw_file_perms search }; + allow convert-to-ext4-sh persist_audio_file:file rw_file_perms; + allow convert-to-ext4-sh persist_block_device:blk_file rw_file_perms; + allow convert-to-ext4-sh persist_camera_file:dir { rw_file_perms search }; + allow convert-to-ext4-sh persist_camera_file:file rw_file_perms; + allow convert-to-ext4-sh persist_display_file:dir { rw_file_perms search }; + allow convert-to-ext4-sh persist_display_file:file rw_file_perms; + allow convert-to-ext4-sh persist_file:dir { getattr open read search }; + allow convert-to-ext4-sh persist_file:file rw_file_perms; + allow convert-to-ext4-sh persist_haptics_file:dir { rw_file_perms search }; + allow convert-to-ext4-sh persist_haptics_file:file rw_file_perms; + allow convert-to-ext4-sh persist_sensor_reg_file:dir { rw_file_perms search }; + allow convert-to-ext4-sh persist_sensor_reg_file:file rw_file_perms; + allow convert-to-ext4-sh persist_ss_file:dir { rw_file_perms search }; + allow convert-to-ext4-sh persist_ss_file:file rw_file_perms; + allow convert-to-ext4-sh persist_uwb_file:dir { rw_file_perms search }; + allow convert-to-ext4-sh persist_uwb_file:file rw_file_perms; + allow convert-to-ext4-sh shell_exec:file rx_file_perms; + allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search }; + allow convert-to-ext4-sh sysfs_fs_ext4_features:file read; + allow convert-to-ext4-sh tmpfs:dir { add_name create mounton open }; + 
allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr }; + allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink }; + allow convert-to-ext4-sh toolbox_exec:file rx_file_perms; + + allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl { + BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD + }; + + dontaudit convert-to-ext4-sh labeledfs:filesystem { mount unmount }; + dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio }; + dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr }; + dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr }; +') diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 79bb698f..35b84fe0 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -43,6 +43,7 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0 /vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 +/system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 From b969be2277027f1e13ce6581c11e188ce56b4bb5 Mon Sep 17 00:00:00 2001 From: Lei Ju Date: Tue, 26 Jul 2022 13:51:21 -0700 Subject: [PATCH 605/900] Allow chre to use WakeLock on whitechapel pro. Test: Manual test to confirm wakelock is acquired. Bug: 202447392 Change-Id: Iecd3aca411b43abed4c318e9e584b6713ca119a8 --- whitechapel_pro/chre.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te index 6d826217..4eda4096 100644 --- a/whitechapel_pro/chre.te +++ b/whitechapel_pro/chre.te 
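Review bot: The domain is declared `permissive` and in the same block `dontaudit`s `self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio }`, `labeledfs:filesystem { mount unmount }` and writes to `unlabeled` dirs and files; a permissive domain already gets every access, so the only effect of those dontaudits is to hide the denial log that would show what the script actually needs, and the policy can then never be made enforcing from test runs. Recording the needed set as explicit `allow` rules (or leaving them audited) under a `# TODO(b/239632964): make enforcing` comment keeps the userdebug-only domain honest. `type convert-to-ext4-sh` and its `_exec` type are declared unconditionally while `init_daemon_domain` is inside `userdebug_or_eng`, so on user builds the file_contexts entry points at an exec type with no transition — presumably intended so the service cannot start there, but a comment saying so would help. Minor: `{ efs_block_device persist_block_device}` is missing the closing space.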
@@ -22,3 +22,6 @@ allow chre hal_wifi_ext_hwservice:hwservice_manager find;
 # Allow CHRE host to talk to stats service
 allow chre fwk_stats_service:service_manager find;
 binder_call(chre, stats_service_server)
+
+# Allow CHRE to use WakeLock
+wakelock_use(chre)
From c44f96b66ac14e6aea7b737105bfd61f1aa40eee Mon Sep 17 00:00:00 2001 From: Konstantin Vyshetsky Date: Mon, 1 Aug 2022 18:35:07 -0700 Subject: [PATCH 606/900] convert_to_ext4.sh: modify sepolicy Combine individual rules under persist into vendor_persist_type. Bug: 239632964 Signed-off-by: Konstantin Vyshetsky Change-Id: I4f90a3b30f9d0dd8b8386ef57728fa098a630081
---
 whitechapel_pro/convert-to-ext4-sh.te | 20 +++-----------------
 1 file changed, 3 insertions(+), 17 deletions(-)
diff --git a/whitechapel_pro/convert-to-ext4-sh.te b/whitechapel_pro/convert-to-ext4-sh.te
index fa8df643..cbf633de 100644
--- a/whitechapel_pro/convert-to-ext4-sh.te
+++ b/whitechapel_pro/convert-to-ext4-sh.te
@@ -11,23 +11,7 @@ userdebug_or_eng(` allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms; allow convert-to-ext4-sh kernel:process setsched; allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms; - allow convert-to-ext4-sh persist_audio_file:dir { rw_file_perms search }; - allow convert-to-ext4-sh persist_audio_file:file rw_file_perms; - allow convert-to-ext4-sh persist_block_device:blk_file rw_file_perms; - allow convert-to-ext4-sh persist_camera_file:dir { rw_file_perms search }; - allow convert-to-ext4-sh persist_camera_file:file rw_file_perms; - allow convert-to-ext4-sh persist_display_file:dir { rw_file_perms search }; - allow convert-to-ext4-sh persist_display_file:file rw_file_perms; - allow convert-to-ext4-sh persist_file:dir { getattr open read search }; - allow convert-to-ext4-sh persist_file:file rw_file_perms; - allow convert-to-ext4-sh persist_haptics_file:dir { rw_file_perms search }; - allow convert-to-ext4-sh persist_haptics_file:file rw_file_perms; - allow convert-to-ext4-sh persist_sensor_reg_file:dir { rw_file_perms search }; - allow convert-to-ext4-sh persist_sensor_reg_file:file rw_file_perms; - allow convert-to-ext4-sh persist_ss_file:dir { rw_file_perms search }; - allow convert-to-ext4-sh persist_ss_file:file rw_file_perms; - allow convert-to-ext4-sh persist_uwb_file:dir { rw_file_perms search }; - allow convert-to-ext4-sh persist_uwb_file:file rw_file_perms; + allow convert-to-ext4-sh persist_block_device:blk_file { getattr ioctl open read write }; allow convert-to-ext4-sh shell_exec:file rx_file_perms; allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search }; allow convert-to-ext4-sh sysfs_fs_ext4_features:file read; 
@@ -35,6 +19,8 @@ userdebug_or_eng(` allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr }; allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink }; allow convert-to-ext4-sh toolbox_exec:file rx_file_perms; + allow convert-to-ext4-sh vendor_persist_type:dir { rw_file_perms search }; + allow convert-to-ext4-sh vendor_persist_type:file rw_file_perms; allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl { BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD From 613f6bf6af3c11c9cef925177530f5e941cf3487 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 2 Aug 2022 14:14:19 +0800 Subject: [PATCH 607/900] Update error on ROM 8846993 Bug: 241050831 Test: SELinuxUncheckedDenialBootTest Change-Id: I6517ffc33ccea453b796fd1ebaee687516de8b5c --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 71c12792..defd25f4 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -21,3 +21,4 @@ shell rootfs file b/239484612 shell sysfs_wlc dir b/238260741 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 +dumpstate incident process b/241050831 From d4e0af01054737a0972a758af4aa4e95819b57b9 Mon Sep 17 00:00:00 2001 From: Bruce Po Date: Fri, 29 Jul 2022 23:24:01 +0000 Subject: [PATCH 608/900] Allow aocd to access acd-offload nodes For 3-ch hotword feature, aocd daemon will access two new file nodes (b/235648212), which will be used for transmitting audio to/from AOC. BUG: 240744178 Change-Id: I67b6d6b539f1e436eacfd80d0e1299e1d63b4a1d --- aoc/file_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/aoc/file_contexts b/aoc/file_contexts index 93052d2e..fcdeca47 100644 --- a/aoc/file_contexts +++ b/aoc/file_contexts 
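Review bot: Replacing the enumerated `persist_*` rules with `vendor_persist_type` grants read/write to every type that carries the attribute now or in the future, which the commit message says is intended; what the previous hunk also drops is `persist_file:dir { getattr open read search }` and `persist_file:file rw_file_perms`, and if `persist_file` itself does not carry `vendor_persist_type` the script loses access to the mount point it is converting — confirm before merging. A short comment above the new lines, e.g. `# all vendor_persist_type files live on the persist partition being converted`, would document why the attribute is the right scope. The `userdebug_or_eng(` block enclosing these rules starts outside the hunk.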
@@ -17,6 +17,8 @@ /dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 /dev/acd-logging u:object_r:aoc_device:s0 /dev/aoc u:object_r:aoc_device:s0 +/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0 +/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0 /dev/amcs u:object_r:amcs_device:s0 # AoC vendor binaries From 03f00703592f3abe456083e8f54be17911f4f4fd Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 3 Aug 2022 01:08:49 +0000 Subject: [PATCH 609/900] Update SELinux error Test: checkSensors Bug: 241172220 Test: checkLockScreen Bug: 241172220 Test: scanBugreport Bug: 241172220 Test: testAtomicWrite Bug: 241172220 Test: testConfigMaxSectorsKB Bug: 241172186 Test: testConfigReadAhead Bug: 241172220 Test: testInvalidWrite Bug: 241172220 Test: testLoopMaxPartDefined Bug: 241172220 Test: testPinFile Bug: 241172220 Test: testSysfsHealth Bug: 241172220 Change-Id: I1e8e927e6850bf03f7d62774e979c0e26551b9a6 --- tracking_denials/bug_map | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index defd25f4..a5af186b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
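Review bot: The two new `/dev/acd-audio_ap_offload_rx` and `/dev/acd-audio_ap_offload_tx` entries are inserted after `/dev/aoc`, separating them from the `/dev/acd-*` entries grouped just above it; placing them with the other `/dev/acd-` nodes keeps the group together and makes duplicates easy to spot. Both nodes reuse the existing `aoc_device` label, so no new type or rule is required.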
@@ -2,11 +2,20 @@ cat_engine_service_app system_app_data_file dir b/238705599 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 +dumpstate incident process b/241050831 dumpstate system_data_file dir b/239484651 hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 +init app_data_file dir b/241172186 +init app_data_file dir b/241172220 +init gsi_data_file file b/241172186 +init gsi_data_file file b/241172220 +init privapp_data_file dir b/241172186 +init privapp_data_file dir b/241172220 +init system_app_data_file dir b/241172186 +init system_app_data_file dir b/241172220 init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 @@ -21,4 +30,3 @@ shell rootfs file b/239484612 shell sysfs_wlc dir b/238260741 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 -dumpstate incident process b/241050831 From d64d7fa852c36c219e96688c7900e27912bb29e5 Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Thu, 21 Jul 2022 10:07:31 +0000 Subject: [PATCH 610/900] HwInfo: Move hardware info sepolicy to pixel common Bug: 215271971 Test: no sepolicy for hardware info Change-Id: Ic887e59878352fa5784a172af0453f3bb881e1f2 Signed-off-by: Denny cy Lee --- aoc/file.te | 1 - whitechapel_pro/device.te | 1 - whitechapel_pro/file.te | 4 ---- whitechapel_pro/hardware_info_app.te | 26 -------------------------- whitechapel_pro/seapp_contexts | 3 --- 5 files changed, 35 deletions(-) delete mode 100644 whitechapel_pro/hardware_info_app.te diff --git a/aoc/file.te b/aoc/file.te index 3e0baf8a..649e161a 100644 --- a/aoc/file.te +++ b/aoc/file.te 
@@ -4,7 +4,6 @@ type sysfs_aoc_boottime, sysfs_type, fs_type; type sysfs_aoc_firmware, sysfs_type, fs_type; type sysfs_aoc, sysfs_type, fs_type; type sysfs_aoc_reset, sysfs_type, fs_type; -type sysfs_pixelstats, fs_type, sysfs_type; # persist type persist_aoc_file, file_type, vendor_persist_type; diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 952a1675..b1f5ecbf 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -17,7 +17,6 @@ type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_heap_device, dmabuf_heap_device_type, dev_type; -type battery_history_device, dev_type; type radio_test_device, dev_type; # SecureElement SPI device diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4fff5c7f..142cf543 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -36,15 +36,12 @@ type sysfs_em_profile, sysfs_type, fs_type; type sysfs_chosen, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; -type sysfs_display, sysfs_type, fs_type; -type sysfs_scsi_devices_0000, sysfs_type, fs_type; type sysfs_fabric, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; type sysfs_bcl, sysfs_type, fs_type; -type sysfs_chip_id, sysfs_type, fs_type; type sysfs_touch, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; @@ -52,7 +49,6 @@ type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; type sysfs_cpu, sysfs_type, fs_type; type sysfs_odpm, sysfs_type, fs_type; -type sysfs_soc, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; type sysfs_write_leds, sysfs_type, fs_type; type sysfs_pca, sysfs_type, fs_type; 
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te deleted file mode 100644 index 751bb885..00000000 --- a/whitechapel_pro/hardware_info_app.te +++ /dev/null @@ -1,26 +0,0 @@ -type hardware_info_app, domain; -app_domain(hardware_info_app) - -allow hardware_info_app app_api_service:service_manager find; - -# Storage -allow hardware_info_app sysfs_scsi_devices_0000:dir search; -allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; - -# Audio -allow hardware_info_app sysfs_pixelstats:file r_file_perms; - -# Batteryinfo -allow hardware_info_app sysfs_batteryinfo:dir search; -allow hardware_info_app sysfs_batteryinfo:file r_file_perms; - -# Display -allow hardware_info_app sysfs_display:dir search; -allow hardware_info_app sysfs_display:file r_file_perms; - -# SoC -allow hardware_info_app sysfs_soc:file r_file_perms; -allow hardware_info_app sysfs_chip_id:file r_file_perms; - -# Batery history -allow hardware_info_app battery_history_device:chr_file r_file_perms; diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 0fbe0333..223c931a 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -17,9 +17,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma # Samsung S.LSI engineer mode user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all -# Hardware Info Collection -user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user - # coredump/ramdump user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all From 17659673a4acb133e42397d7efad319cc830d376 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 8 Aug 2022 02:14:53 +0000 Subject: [PATCH 611/900] Update error on ROM 8892407 Bug: 241714943 Bug: 241714944 Test: SELinuxUncheckedDenialBootTest Change-Id: I38e6cc9da23c72aed05e79346a3a6c8188fc8556 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a5af186b..3d52f1fd 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,6 +4,7 @@ dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 dumpstate incident process b/241050831 dumpstate system_data_file dir b/239484651 +hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 @@ -27,6 +28,7 @@ shell metadata_file dir b/239484612 shell mirror_data_file dir b/239484612 shell postinstall_mnt_dir dir b/239484612 shell rootfs file b/239484612 +shell sscoredump_vendor_data_crashinfo_file dir b/241714944 shell sysfs_wlc dir b/238260741 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 From 2e4daadb2ec323124f2efc50774a05ceaa6014b3 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 8 Aug 2022 10:11:18 +0800 Subject: [PATCH 612/900] Update error on ROM 8892407 Bug: 241714943 Bug: 241714944 Bug: 240297563 Test: SELinuxUncheckedDenialBootTest Change-Id: I0aab196ab21ec411540b7a033578a1670e83187a Merged-In: I38e6cc9da23c72aed05e79346a3a6c8188fc8556 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3bc07df7..fcebf544 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -11,3 +11,5 @@ init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 shell sysfs_wlc dir b/238260741 +hal_contexthub_default fwk_stats_service service_manager b/241714943 +shell sscoredump_vendor_data_crashinfo_file dir b/241714944 From 5ef0888e04f7eaeeb9210b611081df3915212fa9 Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Wed, 27 Jul 2022 16:05:31 +0800 Subject: [PATCH 613/900] sepolicy: fix odpm avc denials Fix permissions for ODPM by adding additional bus path Bug: 240380970 Test: Build Change-Id: I7bf02ce016f2cdbf4b45f1a797896a00fb8aa454 --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 70252d16..c01c1b55 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -109,6 +109,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 
@@ -118,6 +119,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0 # Devfreq current frequency genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 From 27f55d7da7b7b29f1a96c092bf4ea5fb5cd458e6 Mon Sep 17 00:00:00 2001 From: Konstantin Vyshetsky Date: Mon, 8 Aug 2022 17:20:04 -0700 Subject: [PATCH 614/900] convert_to_ext4.sh: suppress test error Add exclusion to fix issue with SELinuxUncheckedDenialBootTest Bug: 241072524 Signed-off-by: Konstantin Vyshetsky Change-Id: Id9088f728c34d3c764e1aef66a5e1a126f6243e9 --- whitechapel_pro/convert-to-ext4-sh.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/convert-to-ext4-sh.te b/whitechapel_pro/convert-to-ext4-sh.te index cbf633de..d64382df 100644 --- a/whitechapel_pro/convert-to-ext4-sh.te +++ b/whitechapel_pro/convert-to-ext4-sh.te @@ -30,4 +30,5 @@ userdebug_or_eng(` dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio }; dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr }; dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr }; + dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override }; ') From b5fcd3b4dbc2792d0df644acb063475ff85f3fe9 Mon Sep 17 00:00:00 2001 
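Review bot: The added rule names the domain explicitly as its own target, `dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };`, while the line directly above it writes `self:capability` for the same subject; `dontaudit convert-to-ext4-sh self:capability dac_override;` is equivalent and matches the file. The rule only silences the audit record, so on userdebug/eng builds the script is still refused dac_override and any conversion step that actually depends on it now fails quietly; the commit message says only that the test error is suppressed, not why the request is harmless. A one-line comment above the rule, e.g. `# b/241072524: dac_override probe is benign, silenced for SELinuxUncheckedDenialBootTest`, would record that reasoning. The enclosing userdebug_or_eng block opens outside the hunk.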
From: Wei Wang Date: Mon, 8 Aug 2022 21:15:06 -0700 Subject: [PATCH 615/900] Label GPU dvfs period setting Bug: 239887528 Test: Build Signed-off-by: Wei Wang Change-Id: I35766555f13f586e37d03843dae153d02f189976 --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index b1b34058..0d349b9f 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -53,6 +53,7 @@ genfscon sysfs /devices/platform/28000000.mali/power_policy u genfscon sysfs /devices/platform/28000000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/28000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/28000000.mali/kprcs u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/28000000.mali/dvfs_period u:object_r:sysfs_gpu:s0 # Fabric genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 From 8deeec1a30e5bda1c057ef125c2bdcf38ea8fc61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Tue, 16 Aug 2022 15:57:25 +1000 Subject: [PATCH 616/900] Revert "Update SELinux error" This reverts commit 03f00703592f3abe456083e8f54be17911f4f4fd. Remove duplicate entry for dumpstate. These are ignored by auditd. Bug: 241172220 Bug: 241172186 Test: TH Change-Id: Ia72eecbb6055876aa7903e13cd4dc72952d3125e --- tracking_denials/bug_map | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3d52f1fd..0f9c92d7 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -2,21 +2,12 @@ cat_engine_service_app system_app_data_file dir b/238705599 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 -dumpstate incident process b/241050831 dumpstate system_data_file dir b/239484651 hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_drm_widevine default_prop file b/237492145 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 -init app_data_file dir b/241172186 -init app_data_file dir b/241172220 -init gsi_data_file file b/241172186 -init gsi_data_file file b/241172220 -init privapp_data_file dir b/241172186 -init privapp_data_file dir b/241172220 -init system_app_data_file dir b/241172186 -init system_app_data_file dir b/241172220 init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 From 4e4608185966c60b3b3b7e0b65e48e183e9ece52 Mon Sep 17 00:00:00 2001 From: Weizhung Ding Date: Fri, 22 Jul 2022 09:26:07 +0800 Subject: [PATCH 617/900] Add coredomain for hbmsvmanager Sync the coredomain from gs101 Bug: 239902607 Test: without denied log Change-Id: I220ce6b2f67877637189fcfcc0f6b328c8be6eae --- whitechapel_pro/hbmsvmanager_app.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te index 3ed4f823..b7058090 100644 --- a/whitechapel_pro/hbmsvmanager_app.te +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -1,4 +1,4 @@ -type hbmsvmanager_app, domain; +type hbmsvmanager_app, domain, coredomain; app_domain(hbmsvmanager_app); From 74eb33d057d47330daeb7e0d0d48ce90e81f8f7f Mon Sep 17 00:00:00 2001 
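Review bot: Changing the declaration to `type hbmsvmanager_app, domain, coredomain;` alters which build-time neverallow checks apply to the domain, not just its runtime permissions: coredomain types are expected in the platform-side policy, and the sepolicy test suite rejects coredomain types that end up in vendor policy. The file lives under whitechapel_pro/ and nothing in the hunk shows which partition that directory is compiled into, so please confirm it is built as system_ext/product policy; the commit's "Test: without denied log" does not cover that build-time check. A comment next to the type, e.g. `# coredomain: this .te must be built into the platform-side (non-vendor) policy`, would make the requirement visible to the next person who moves the file.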
From: Roger Fang Date: Fri, 19 Aug 2022 15:58:25 +0800 Subject: [PATCH 618/900] sepolicy: add permission for AMS rate of pixelstats-vend pixelstats-vend: type=1400 audit(0.0:618): avc: denied { read } for name="ams_rate_read_once" dev="sysfs" ino=100493 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 pixelstats-vend: type=1400 audit(0.0:619): avc: denied { open } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" dev="sysfs" ino=100493 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 pixelstats-vend: type=1400 audit(0.0:620): avc: denied { getattr } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" Bug: 239508478 Test: Manually test passed Signed-off-by: Roger Fang Change-Id: I3e171b35ebdcf11b0da559361f382f1cf01b0f2f --- aoc/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts index 46773bb0..63216766 100644 --- a/aoc/genfs_contexts +++ b/aoc/genfs_contexts @@ -25,4 +25,5 @@ genfscon sysfs /devices/platform/audiometrics/speaker_temp u:ob genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0 From b69195ebe96f678b1babb14c231c14eb421debcb Mon Sep 17 00:00:00 2001 
From: Jinting Lin Date: Fri, 12 Aug 2022 07:56:30 +0000 Subject: [PATCH 619/900] Fix avc denied for vendor telephony debug app avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 pid=8533 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0 avc: denied { getattr } for path="/data/user/0/com.samsung.slsi.sysdebugmode" dev="dm-39" ino=7431 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 avc: denied { search } for name="com.samsung.slsi.sysdebugmode" dev="dm-39" ino=7431 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=150 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 avc: denied { getattr } for path="/data/user/0/com.samsung.slsi.sysdebugmode" dev="dm-39" ino=7431 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 avc: denied { read } for name="u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=344 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=0 avc: denied { write } for name="property_service" dev="tmpfs" ino=379 scontext=u:r:vendor_telephony_debug_app:s0:c232,c259,c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 Test: manual test Bug: 241976048 Change-Id: I5aa49a8e243d212180c7da6f65da9021164fca44 --- whitechapel_pro/property.te | 2 ++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/rild.te | 1 + whitechapel_pro/vendor_telephony_debug_app.te | 16 
++++++++++++++++ 4 files changed, 22 insertions(+) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index bc898f47..ec7d84ed 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -34,3 +34,5 @@ system_vendor_config_prop(vendor_uwb_calibration_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) +# Telephony debug app +vendor_internal_prop(vendor_telephony_app_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index ce737004..98a7980a 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -103,3 +103,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop # for ims service persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0 + +# for vendor telephony debug app +vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0 diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index d8c8c290..88b88716 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -26,6 +26,7 @@ binder_call(rild, oemrilservice_app) binder_call(rild, hal_secure_element_uicc) binder_call(rild, grilservice_app) binder_call(rild, vendor_engineermode_app) +binder_call(rild, vendor_telephony_debug_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) diff --git a/whitechapel_pro/vendor_telephony_debug_app.te b/whitechapel_pro/vendor_telephony_debug_app.te index 946460cc..539fffce 100644 --- a/whitechapel_pro/vendor_telephony_debug_app.te +++ b/whitechapel_pro/vendor_telephony_debug_app.te 
@@ -2,3 +2,19 @@ type vendor_telephony_debug_app, domain; app_domain(vendor_telephony_debug_app) allow vendor_telephony_debug_app app_api_service:service_manager find; +allow vendor_telephony_debug_app hal_exynos_rild_hwservice:hwservice_manager find; + +binder_call(vendor_telephony_debug_app, rild) + +# RIL property +set_prop(vendor_telephony_debug_app, vendor_rild_prop) + +# Debug property +set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop) + +userdebug_or_eng(` +# System Debug Mode +dontaudit vendor_telephony_debug_app system_app_data_file:dir create_dir_perms; +dontaudit vendor_telephony_debug_app system_app_data_file:file create_file_perms; +dontaudit vendor_telephony_debug_app default_prop:file r_file_perms; +') From f43976db9f7dde2977d8f84d2a64c71013dfa94c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 22 Aug 2022 13:48:10 +0800 Subject: [PATCH 620/900] modularize gsc dump Bug: 242479757 Test: do bugreport that has the same content as before Change-Id: I1ca725b77f98012ebe63cf640cca18b44a5c7d57 --- whitechapel_pro/hal_dumpstate_default.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 77d1b7db..244ebc15 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -60,10 +60,6 @@ allow hal_dumpstate_default vendor_slog_file:file r_file_perms; allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; -allow hal_dumpstate_default citadeld_service:service_manager find; -allow hal_dumpstate_default citadel_updater:file execute_no_trans; -binder_call(hal_dumpstate_default, citadeld); - allow hal_dumpstate_default device:dir r_dir_perms; allow hal_dumpstate_default aoc_device:chr_file rw_file_perms; From feba667c23016d719837423079ef6c1d99724fbe Mon Sep 17 00:00:00 2001 
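Review bot: In vendor_telephony_debug_app.te the new `set_prop(vendor_telephony_debug_app, vendor_rild_prop)`, the `hal_exynos_rild_hwservice:hwservice_manager find` rule and the `binder_call` to rild (mirrored by `binder_call(rild, vendor_telephony_debug_app)` in the rild.te hunk) are unconditional, so an app domain gains write access to RIL properties and a direct binder path into rild on user builds, while only the three dontaudit lines are gated by userdebug_or_eng. If the app is debug-only, as its domain name and the commit title suggest, the grants belong inside the same userdebug_or_eng block; if it ships on user builds, the commit message should say which properties it must set, since `vendor.config.debug.` is the only prefix this change adds for it. A comment above the set_prop lines stating why an app may write `vendor_rild_prop` would help later reviewers. The `type vendor_telephony_debug_app, domain;` declaration is outside the hunk and appears only as hunk-header context.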
From: Robb Glasser Date: Thu, 18 Aug 2022 16:57:40 -0700 Subject: [PATCH 621/900] Give permissions to save usf stats and dump them in bugreports. Creating a mechanism to save some USF stat history to device and pipe it to bugreports. Granting permissions so that this can work. Bug: 242320914 Test: Stats save and are visible in a bugreport. Change-Id: Ie08fce80e79bd564ea58dab66ce8f0d9892d7020 --- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_dumpstate_default.te | 5 +++++ whitechapel_pro/hal_sensors_default.te | 6 ++++++ 4 files changed, 13 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index ea0caf2a..1ec9e095 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -10,6 +10,7 @@ type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_camera_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; +type sensor_debug_data_file, file_type, data_file_type; type sensor_reg_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 78a43624..a78c7163 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -208,6 +208,7 @@ /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 +/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 /dev/battery_history u:object_r:battery_history_device:s0 
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index e819eb16..4676641f 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -6,6 +6,11 @@ allow hal_dumpstate_default sysfs_cpu:file r_file_perms; allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; +userdebug_or_eng(` + allow hal_dumpstate_default sensor_debug_data_file:dir r_dir_perms; + allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms; +') + allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index a645b502..bb3a9139 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te @@ -33,6 +33,12 @@ r_dir_file(hal_sensors_default, persist_camera_file) allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms; allow hal_sensors_default sensor_reg_data_file:file create_file_perms; +userdebug_or_eng(` + # Allow creation and writing of sensor debug data files. + allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms; + allow hal_sensors_default sensor_debug_data_file:file create_file_perms; +') + # Allow access to the display info for ALS. allow hal_sensors_default sysfs_display:file rw_file_perms; From 21b6c72d26e8ec8e07ddcbd5f7bb8dd1290a1c6a Mon Sep 17 00:00:00 2001 
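Review bot: hal_sensors_default is granted `rw_dir_perms` on `sensor_debug_data_file`, but nothing in this change creates /data/vendor/sensors/debug at boot: the new file_contexts entry only labels the path once it exists, and creating it from the HAL would need write access under whatever /data/vendor/sensors itself is labelled, which this hunk does not add. Presumably an init .rc mkdir with the new context lands in another repo; confirm that, otherwise the directory inherits the parent label and the userdebug_or_eng rules never match. The type and label are unconditional while every allow rule is userdebug_or_eng-gated, which is fine on user builds but worth a comment beside the type in file.te, e.g. `# debug-only sensor stats; access rules are userdebug_or_eng in hal_sensors_default.te and hal_dumpstate_default.te`.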
From: Adam Shih Date: Tue, 30 Aug 2022 11:29:11 +0800 Subject: [PATCH 622/900] Move dauntless settings to gs-common Bug: 242479757 Test: build pass on all Gchip devices Change-Id: Ifb33ea566117392dbdf57c212db2741732abcfdb --- dauntless/citadel_provision.te | 6 ------ dauntless/citadeld.te | 13 ------------- dauntless/device.te | 1 - dauntless/file.te | 1 - dauntless/file_contexts | 9 --------- dauntless/hal_identity_citadel.te | 11 ----------- dauntless/hal_keymint_citadel.te | 9 --------- dauntless/hal_weaver_citadel.te | 11 ----------- dauntless/init_citadel.te | 15 --------------- dauntless/service_contexts | 3 --- dauntless/vndservice.te | 1 - dauntless/vndservice_contexts | 1 - whitechapel_pro/vndservice.te | 1 - 13 files changed, 82 deletions(-) delete mode 100644 dauntless/citadel_provision.te delete mode 100644 dauntless/citadeld.te delete mode 100644 dauntless/device.te delete mode 100644 dauntless/file.te delete mode 100644 dauntless/file_contexts delete mode 100644 dauntless/hal_identity_citadel.te delete mode 100644 dauntless/hal_keymint_citadel.te delete mode 100644 dauntless/hal_weaver_citadel.te delete mode 100644 dauntless/init_citadel.te delete mode 100644 dauntless/service_contexts delete mode 100644 dauntless/vndservice.te delete mode 100644 dauntless/vndservice_contexts diff --git a/dauntless/citadel_provision.te b/dauntless/citadel_provision.te deleted file mode 100644 index 56050857..00000000 --- a/dauntless/citadel_provision.te +++ /dev/null @@ -1,6 +0,0 @@ -type citadel_provision, domain; -type citadel_provision_exec, exec_type, vendor_file_type, file_type; - -userdebug_or_eng(` - init_daemon_domain(citadel_provision) -') diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te deleted file mode 100644 index 86cb61c7..00000000 --- a/dauntless/citadeld.te +++ /dev/null 
@@ -1,13 +0,0 @@ -type citadeld, domain; -type citadeld_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(citadeld) - -add_service(citadeld, citadeld_service) -binder_use(citadeld) -vndbinder_use(citadeld) -binder_call(citadeld, system_server) - -allow citadeld citadel_device:chr_file rw_file_perms; -allow citadeld fwk_stats_service:service_manager find; -allow citadeld hal_power_stats_vendor_service:service_manager find; diff --git a/dauntless/device.te b/dauntless/device.te deleted file mode 100644 index f63186f4..00000000 --- a/dauntless/device.te +++ /dev/null @@ -1 +0,0 @@ -type citadel_device, dev_type; diff --git a/dauntless/file.te b/dauntless/file.te deleted file mode 100644 index cfc0dea1..00000000 --- a/dauntless/file.te +++ /dev/null @@ -1 +0,0 @@ -type citadel_updater, vendor_file_type, file_type; diff --git a/dauntless/file_contexts b/dauntless/file_contexts deleted file mode 100644 index 76a25023..00000000 --- a/dauntless/file_contexts +++ /dev/null @@ -1,9 +0,0 @@ -/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0 -/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0 -/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0 -/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0 -/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0 -/vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0 -/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0 - -/dev/gsc0 u:object_r:citadel_device:s0 diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te deleted file mode 100644 index c181e27c..00000000 --- a/dauntless/hal_identity_citadel.te +++ /dev/null 
@@ -1,11 +0,0 @@ -type hal_identity_citadel, domain; -type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type; - -vndbinder_use(hal_identity_citadel) -binder_call(hal_identity_citadel, citadeld) -allow hal_identity_citadel citadeld_service:service_manager find; -allow hal_identity_citadel hal_keymint_citadel:binder call; - -hal_server_domain(hal_identity_citadel, hal_identity) -hal_server_domain(hal_identity_citadel, hal_keymint) -init_daemon_domain(hal_identity_citadel) diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keymint_citadel.te deleted file mode 100644 index e1a6177d..00000000 --- a/dauntless/hal_keymint_citadel.te +++ /dev/null @@ -1,9 +0,0 @@ -type hal_keymint_citadel, domain; -type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type; - -hal_server_domain(hal_keymint_citadel, hal_keymint) -init_daemon_domain(hal_keymint_citadel) -vndbinder_use(hal_keymint_citadel) -get_prop(hal_keymint_citadel, vendor_security_patch_level_prop) -allow hal_keymint_citadel citadeld_service:service_manager find; -binder_call(hal_keymint_citadel, citadeld) diff --git a/dauntless/hal_weaver_citadel.te b/dauntless/hal_weaver_citadel.te deleted file mode 100644 index c47287b9..00000000 --- a/dauntless/hal_weaver_citadel.te +++ /dev/null @@ -1,11 +0,0 @@ -type hal_weaver_citadel, domain; -type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(hal_weaver_citadel) -hal_server_domain(hal_weaver_citadel, hal_weaver) -hal_server_domain(hal_weaver_citadel, hal_oemlock) -hal_server_domain(hal_weaver_citadel, hal_authsecret) -vndbinder_use(hal_weaver_citadel) -binder_call(hal_weaver_citadel, citadeld) - -allow hal_weaver_citadel citadeld_service:service_manager find; diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te deleted file mode 100644 index 2e986d08..00000000 --- a/dauntless/init_citadel.te +++ /dev/null 
@@ -1,15 +0,0 @@ -type init_citadel, domain; -type init_citadel_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(init_citadel) - -# Citadel communication must be via citadeld -vndbinder_use(init_citadel) -binder_call(init_citadel, citadeld) -allow init_citadel citadeld_service:service_manager find; - -# Many standard utils are actually vendor_toolbox (like xxd) -allow init_citadel vendor_toolbox_exec:file rx_file_perms; - -# init_citadel needs to invoke citadel_updater -allow init_citadel citadel_updater:file rx_file_perms; diff --git a/dauntless/service_contexts b/dauntless/service_contexts deleted file mode 100644 index ac6a1867..00000000 --- a/dauntless/service_contexts +++ /dev/null @@ -1,3 +0,0 @@ -android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0 -android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0 -android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox u:object_r:hal_remotelyprovisionedcomponent_service:s0 diff --git a/dauntless/vndservice.te b/dauntless/vndservice.te deleted file mode 100644 index 880c09ca..00000000 --- a/dauntless/vndservice.te +++ /dev/null @@ -1 +0,0 @@ -type citadeld_service, vndservice_manager_type; diff --git a/dauntless/vndservice_contexts b/dauntless/vndservice_contexts deleted file mode 100644 index b4df996b..00000000 --- a/dauntless/vndservice_contexts +++ /dev/null @@ -1 +0,0 @@ -android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0 diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te index d1483600..7f116c48 100644 --- a/whitechapel_pro/vndservice.te +++ b/whitechapel_pro/vndservice.te @@ -1,4 +1,3 @@ -type hal_power_stats_vendor_service, vndservice_manager_type; type rls_service, vndservice_manager_type; type vendor_displaycolor_service, vndservice_manager_type; type vendor_surfaceflinger_vndservice, vndservice_manager_type; 
From 39570f2d0334cc002697390fe1e918b6f864ebe0 Mon Sep 17 00:00:00 2001 From: chungkai Date: Wed, 31 Aug 2022 09:27:14 +0000 Subject: [PATCH 623/900] sepolicy: ignore avc denial dont audit since it's debugfs Bug: 228181404 Test: boot without avc denial Signed-off-by: chungkai Change-Id: I8c9922d71cef6eaef7d95ad2abdbeac912490ca7 --- whitechapel_pro/kernel.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index c34e7f72..fa6c2fac 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -9,3 +9,4 @@ allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; dontaudit kernel vendor_battery_debugfs:dir search; +dontaudit kernel vendor_maxfg_debugfs:dir { search }; From 8064010f8a43b3772c25a7d1c342cf1f2be1637e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 6 Sep 2022 12:41:01 +0800 Subject: [PATCH 624/900] use gs-common insert module script Bug: 243763292 Test: boot to home Change-Id: I6f0c1a020ea2962f03df6794a6011a31d2244b1a --- whitechapel_pro/file_contexts | 5 +---- whitechapel_pro/init-display-sh.te | 10 ++++++++++ whitechapel_pro/init-insmod-sh.te | 18 ------------------ whitechapel_pro/insmod-sh.te | 7 +++++++ whitechapel_pro/property.te | 2 -- whitechapel_pro/property_contexts | 8 -------- 6 files changed, 18 insertions(+), 32 deletions(-) create mode 100644 whitechapel_pro/init-display-sh.te delete mode 100644 whitechapel_pro/init-insmod-sh.te create mode 100644 whitechapel_pro/insmod-sh.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 6072042f..41074125 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
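Review bot: The new `dontaudit kernel vendor_maxfg_debugfs:dir { search };` brackets a single permission while the line directly above it writes `search` bare; `dontaudit kernel vendor_maxfg_debugfs:dir search;` keeps the file consistent. The commit title gives the rationale that the target is debugfs, so a comment such as `# b/228181404: debugfs lookup at boot, no functional impact` would explain why a dontaudit rather than an allow was chosen.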
@@ -11,7 +11,7 @@ /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 -/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 +/vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 @@ -70,9 +70,6 @@ /vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 -# Vendor kernel modules -/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 - # Devices /dev/trusty-log0 u:object_r:logbuffer_device:s0 /dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0 diff --git a/whitechapel_pro/init-display-sh.te b/whitechapel_pro/init-display-sh.te new file mode 100644 index 00000000..54ff7d6e --- /dev/null +++ b/whitechapel_pro/init-display-sh.te @@ -0,0 +1,10 @@ +type init-display-sh, domain; +type init-display-sh_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(init-display-sh) + +allow init-display-sh self:capability sys_module; +allow init-display-sh vendor_kernel_modules:system module_load; +allow init-display-sh vendor_toolbox_exec:file execute_no_trans; + +dontaudit init-display-sh proc_cmdline:file r_file_perms; + diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te deleted file mode 100644 index 1e56c094..00000000 --- a/whitechapel_pro/init-insmod-sh.te +++ /dev/null 
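Review bot: The new init-display-sh domain carries over the full module-loading grant from the deleted init-insmod-sh, `allow init-display-sh self:capability sys_module;` and `allow init-display-sh vendor_kernel_modules:system module_load;`, even though the commit moves module insertion to the gs-common script and the file_contexts hunk drops the local `vendor_kernel_modules` label. If init.display.sh still loads display modules itself, a comment saying so, e.g. `# init.display.sh loads the display kernel modules itself, not via insmod-sh`, justifies keeping the capability; if it does not, those two lines should go, as sys_module plus module_load is the widest privilege in this domain. The file also ends with an extra blank `+` line after the dontaudit, which the neighbouring .te files do not have. The insmod-sh.te hunk that follows uses the `insmod-sh` type without declaring it, presumably from gs-common; a header comment there naming that dependency would help.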
@@ -1,18 +0,0 @@ -type init-insmod-sh, domain; -type init-insmod-sh_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(init-insmod-sh) - -allow init-insmod-sh self:capability sys_module; -allow init-insmod-sh vendor_kernel_modules:system module_load; -allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; - -allow init-insmod-sh self:capability sys_nice; -allow init-insmod-sh kernel:process setsched; - -set_prop(init-insmod-sh, vendor_device_prop) -set_prop(init-insmod-sh, vendor_ready_prop) - -dontaudit init-insmod-sh proc_cmdline:file r_file_perms; - -allow init-insmod-sh debugfs_mgm:dir search; -allow init-insmod-sh vendor_regmap_debugfs:dir search; diff --git a/whitechapel_pro/insmod-sh.te b/whitechapel_pro/insmod-sh.te new file mode 100644 index 00000000..c7bbdc6f --- /dev/null +++ b/whitechapel_pro/insmod-sh.te @@ -0,0 +1,7 @@ +allow insmod-sh self:capability sys_nice; +allow insmod-sh kernel:process setsched; + +dontaudit insmod-sh proc_cmdline:file r_file_perms; + +allow insmod-sh debugfs_mgm:dir search; +allow insmod-sh vendor_regmap_debugfs:dir search; diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index ec7d84ed..32895e7b 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -17,8 +17,6 @@ vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_tcpdump_log_prop) -vendor_internal_prop(vendor_device_prop) -vendor_internal_prop(vendor_ready_prop) vendor_internal_prop(vendor_gps_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 98a7980a..14c5b07d 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts 
@@ -4,14 +4,6 @@ persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0 vendor.sys.dmd. u:object_r:vendor_diag_prop:s0 vendor.sys.diag. u:object_r:vendor_diag_prop:s0 -# Kernel modules related -vendor.common.modules.ready u:object_r:vendor_device_prop:s0 -vendor.device.modules.ready u:object_r:vendor_device_prop:s0 - -# Indicating signal that all modules and devices are ready -vendor.all.modules.ready u:object_r:vendor_ready_prop:s0 -vendor.all.devices.ready u:object_r:vendor_ready_prop:s0 - # Tcpdump_logger persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 From c252f3ffa8e74b82025a1e9e0d8ac07e9920c146 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Wed, 7 Sep 2022 11:57:09 +0800 Subject: [PATCH 625/900] remove selinux avc error Bug: 238398889 Test: no avc denied in TreeHugger verified Signed-off-by: Jack Wu Change-Id: Icf2a89462574e2f0eea29d0601e77728d67e6e0d --- tracking_denials/kernel.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 605f1fa6..38fcbb6d 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,5 +1,3 @@ -# b/238398889 -dontaudit kernel vendor_charger_debugfs:dir { search }; # b/213817227 dontaudit kernel vendor_battery_debugfs:dir { search }; # b/220801802 From 4b3ae5b9bf8a712072414fb92608d1cb30df146b Mon Sep 17 00:00:00 2001 From: JJ Lee Date: Tue, 23 Aug 2022 20:58:47 +0800 Subject: [PATCH 626/900] sepolicy: add nodes for aoc memory votes stats Bug: 223674292 Test: build pass, not blocking bugreport Change-Id: Iae1c5dc42b3e6213d4399025cb91dc57822fd2cc Signed-off-by: JJ Lee --- aoc/genfs_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts index 63216766..abfc5a99 100644 --- a/aoc/genfs_contexts +++ b/aoc/genfs_contexts 
@@ -13,7 +13,8 @@ genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:ob
 genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
 # pixelstat_vendor
 genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
From a658683689c11c8da3a612abb644ad26c703b3b4 Mon Sep 17 00:00:00 2001
From: Jeffrey Carlyle
Date: Fri, 26 Aug 2022 10:10:30 -0700
Subject: [PATCH 627/900] dck: allow st54spi devivce to be accessed by recovery and fastbootd
This is needed so that Digital Car Keys can be cleared from the ST54 during a user data wipe.
Bug: 203234558
Test: data wipe in Android recovery mode on raven
Test: data wipe in Android recovery mode on c10
Test: data wipe in user mode fastbootd mode on raven
Test: data wipe in user mode fastbootd mode on c10
Signed-off-by: Jeffrey Carlyle
Change-Id: Icaa3d62aa6b3b88b8db6c1c11807907a06e51019
---
 whitechapel_pro/fastbootd.te | 1 +
 whitechapel_pro/recovery.te | 1 +
 2 files changed, 2 insertions(+)
diff --git a/whitechapel_pro/fastbootd.te b/whitechapel_pro/fastbootd.te
index 0d215a84..5945ef24 100644
--- a/whitechapel_pro/fastbootd.te
+++ b/whitechapel_pro/fastbootd.te
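Review bot: The removed `memory_votes` entry is replaced by `memory_votes_a32` and `memory_votes_ff1`, so if the kernel still exposes the old `control/memory_votes` path it silently inherits whatever label the parent directory carries and dumpstate access to it changes without any denial being obvious. If the node was split rather than renamed, keep the original line next to the two new ones; if it was renamed, a short comment records that: `# memory_votes was split into memory_votes_a32 / memory_votes_ff1`.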
@@ -4,4 +4,5 @@ allow fastbootd devinfo_block_device:blk_file rw_file_perms;
 allow fastbootd sda_block_device:blk_file rw_file_perms;
 allow fastbootd sysfs_ota:file rw_file_perms;
 allow fastbootd citadel_device:chr_file rw_file_perms;
+allow fastbootd st54spi_device:chr_file rw_file_perms;
 ')
diff --git a/whitechapel_pro/recovery.te b/whitechapel_pro/recovery.te
index bfa3c7dc..a498af07 100644
--- a/whitechapel_pro/recovery.te
+++ b/whitechapel_pro/recovery.te
@@ -1,4 +1,5 @@
 recovery_only(`
 allow recovery sysfs_ota:file rw_file_perms;
 allow recovery citadel_device:chr_file rw_file_perms;
+ allow recovery st54spi_device:chr_file rw_file_perms;
 ')
From 9c9ae24f647dca080b686bbefc47d41f21c38430 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 12 Sep 2022 12:58:29 +0800
Subject: [PATCH 628/900] remove global access to firmware mali
Bug: 220801802
Test: device can resume
Change-Id: Idf0fd84c2efa37c94e30c3f682a09e6546f50235
---
 tracking_denials/kernel.te | 2 +-
 whitechapel_pro/file_contexts | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 0e6f2e78..dba5af95 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -1,6 +1,6 @@
 # b/213817227
 dontaudit kernel vendor_battery_debugfs:dir { search };
-# b/220801802
+# b/246218258
 allow kernel same_process_hal_file:file r_file_perms;
 # b/227121550
 dontaudit kernel vendor_votable_debugfs:dir search;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 41074125..51221baa 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -47,7 +47,6 @@
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
-/vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0
 /vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0
 # Vendor libraries
From aa55cb6f2e9fe60660dd5734dd5797954a25a60a Mon Sep 17 00:00:00 2001
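Review bot: `rw_file_perms` on `st54spi_device:chr_file` for fastbootd — and the matching recovery rule in the next hunk on this line — includes `ioctl` with no `allowxperm` restriction, so both wipe-time domains get the whole ioctl surface of the secure-element device rather than only what clearing the key store needs. If the wipe path uses a known, small set of ioctls, an `allowxperm fastbootd st54spi_device:chr_file ioctl { ... }` allowlist (and the same for recovery) narrows it; in any case a comment tying the rule to its purpose helps the next reviewer: `# b/203234558: clear Digital Car Keys from the ST54 during data wipe`. Both additions sit inside existing recovery-only blocks whose opening is outside the fastbootd hunk, which is the right scope for this access.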
From: Chungjui Fan Date: Thu, 8 Sep 2022 09:50:57 +0000 Subject: [PATCH 629/900] Add sepolicy of dumping LED file in dumpstate Bug: 242300919 Change-Id: I14b0af18244c4a71fd7908fdb35e2e86354e02e0 --- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/hal_dumpstate_default.te | 7 +++++++ 4 files changed, 13 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 1ec9e095..d20b6f58 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -83,6 +83,7 @@ type persist_sensor_reg_file, file_type, vendor_persist_type; type persist_ss_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; type persist_display_file, file_type, vendor_persist_type; +type persist_leds_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index a78c7163..e5467e81 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -223,6 +223,7 @@ /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 +/mnt/vendor/persist/led(/.*)? u:object_r:persist_leds_file:s0 # Extra mount images /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 6ca38c63..452f93b2 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -416,3 +416,7 @@ genfscon sysfs /module/trusty_core/parameters/use_high_wq u:obje # EM Profile genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0 + +# Privacy LED +genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/pwmleds/leds/green/max_brightness u:object_r:sysfs_leds:s0 
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 4676641f..21fa7025 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -99,6 +99,13 @@ allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
 allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms;
 allow hal_dumpstate_default proc_vendor_sched:file r_file_perms;
+userdebug_or_eng(`
+ allow hal_dumpstate_default sysfs_leds:dir search;
+ allow hal_dumpstate_default sysfs_leds:file rw_file_perms;
+ allow hal_dumpstate_default persist_file:dir search;
+ r_dir_file(hal_dumpstate_default, persist_leds_file);
+')
+
 get_prop(hal_dumpstate_default, vendor_camera_debug_prop);
 get_prop(hal_dumpstate_default, boottime_public_prop)
 get_prop(hal_dumpstate_default, vendor_camera_prop)
From 6cb9f4e6239790a6bb0ff6a33ba06de3091c37fa Mon Sep 17 00:00:00 2001
From: Estefany Torres
Date: Fri, 9 Sep 2022 19:27:42 +0000
Subject: [PATCH 630/900] Add rules for letting logger app send the command to ril
08-31 23:40:57.354 458 458 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:logger_app:s0:c252,c256,c512,c768 pid=2901 scontext=u:r:logger_app:s0:c252,c256,c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0
09-01 00:08:19.600 2881 2881 W oid.pixellogger: type=1400 audit(0.0:10): avc: denied { call } for scontext=u:r:logger_app:s0:c252,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=0 app=com.android.pixellogger
Bug: 241412942
Test: tested on C10 with pixel logger change
Change-Id: I845eefc609be2b7fbc22c9b37d1eb2b3195e014f
---
 whitechapel_pro/logger_app.te | 4 ++++
 whitechapel_pro/rild.te | 1 +
 2 files changed, 5 insertions(+)
diff --git a/whitechapel_pro/logger_app.te b/whitechapel_pro/logger_app.te
index 9809f309..684e94ad 100644
--- a/whitechapel_pro/logger_app.te
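Review bot: `allow hal_dumpstate_default sysfs_leds:file rw_file_perms;` grants write access to the LED `brightness` / `max_brightness` nodes labelled in this commit's genfs_contexts hunk, but a bugreport only reads them; `allow hal_dumpstate_default sysfs_leds:file r_file_perms;` is the least privilege that matches the stated purpose unless dumpstate deliberately drives the privacy LED. The block is userdebug/eng-only, which limits exposure, but a debug build should still not carry a write path into an LED control that the dump never uses. A short `# b/242300919: dump privacy LED state` comment above the `userdebug_or_eng(` line would also record why dumpstate touches these nodes at all.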
+++ b/whitechapel_pro/logger_app.te
@@ -5,6 +5,10 @@ userdebug_or_eng(`
 allow logger_app vendor_gps_file:file create_file_perms;
 allow logger_app vendor_gps_file:dir create_dir_perms;
 allow logger_app sysfs_sscoredump_level:file r_file_perms;
+ allow logger_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+ binder_call(logger_app, rild)
+
 r_dir_file(logger_app, ramdump_vendor_data_file)
 r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
 r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index 88b88716..bfabf428 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -27,6 +27,7 @@ binder_call(rild, hal_secure_element_uicc)
 binder_call(rild, grilservice_app)
 binder_call(rild, vendor_engineermode_app)
 binder_call(rild, vendor_telephony_debug_app)
+binder_call(rild, logger_app)
 # for hal service
 add_hwservice(rild, hal_exynos_rild_hwservice)
From 9dd930e4c2f4e0e98cc9b2ded5674d895f5da368 Mon Sep 17 00:00:00 2001
From: Sherry Luo
Date: Fri, 9 Sep 2022 21:29:43 +0000
Subject: [PATCH 631/900] Add network permissions for debug camera
Noticed that Estrella upload failing w/ java.lang.SecurityException: Permission denied (missing INTERNET permission?) Followed investigation in b/230434151. Verified that upload working once this change is flashed.
Test: Flash build w/ local change
Test: Take a picture and upload using Estrella
Test: Verify that the upload succeeded
BUG=245995782
Change-Id: I505af355f25e9063927c946ee8af21de25758ef1
---
 whitechapel_pro/debug_camera_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
index 50379b54..7ef8ab46 100644
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
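Review bot: The `binder_call(rild, logger_app)` added to rild.te is unconditional, while the logger_app-side `hwservice_manager find` and `binder_call(logger_app, rild)` sit inside the `userdebug_or_eng(` block that the logger_app hunk's header shows as context. If logger_app is a debug-only domain, wrapping the rild.te line in `userdebug_or_eng(...)` as well keeps the user-build policy free of a rule that can never fire and makes the two halves easy to audit together; if logger_app does exist on user builds, a comment stating that the rild-to-app call path is intentionally always on would pre-empt the question. Since this rule is what lets rild make binder calls back into an app process, a one-line `# b/241412942: pixel logger OEM RIL commands` comment next to it is worth having either way.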
@@ -2,6 +2,7 @@ type debug_camera_app, domain, coredomain; userdebug_or_eng(` app_domain(debug_camera_app) + net_domain(debug_camera_app) allow debug_camera_app app_api_service:service_manager find; allow debug_camera_app audioserver_service:service_manager find; From 7c6154bdcea3432c9eecabce8760a9d24dc8cb0b Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Fri, 16 Sep 2022 14:00:24 +0800 Subject: [PATCH 632/900] Remove the tracking denials code. Bug: 213817227 Test: Check the bugreport Signed-off-by: Ted Lin Change-Id: I94a64f6ea05757b9c74657647ef7f0d14fa34c55 --- tracking_denials/kernel.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index dba5af95..4238f339 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,5 +1,3 @@ -# b/213817227 -dontaudit kernel vendor_battery_debugfs:dir { search }; # b/246218258 allow kernel same_process_hal_file:file r_file_perms; # b/227121550 From 87bc6d189d36b2aa0c31553fb672b7173418f9a5 Mon Sep 17 00:00:00 2001 From: Vova Sharaienko Date: Fri, 16 Sep 2022 18:58:26 +0000 Subject: [PATCH 633/900] hal_health_default: updated sepolicy This allows the android.hardware.health service to access AIDL Stats service Bug: 237639591 Test: Build, flash, boot & and logcat | grep "avc" Change-Id: I71013c0b17ee5e526387efa0afb823f97775e572 --- whitechapel_pro/hal_health_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index e7406a76..8285eb2c 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te 
@@ -7,6 +7,9 @@ set_prop(hal_health_default, vendor_battery_defender_prop)
 allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_health_default fwk_stats_service:service_manager find;
+binder_use(hal_health_default)
+
 allow hal_health_default sysfs_wlc:dir search;
 allow hal_health_default sysfs_batteryinfo:file w_file_perms;
 allow hal_health_default sysfs_thermal:dir search;
From 37c32d672f0031f02bfde14f00eb8e18d70fe471 Mon Sep 17 00:00:00 2001
From: "Jinhee.k"
Date: Thu, 15 Sep 2022 19:15:31 +0000
Subject: [PATCH 634/900] sepolicy: allowed permissions required for network access : add permission to allow create, connect udp socket
Apply to add network access permissions
Bug: 242231557
Test: Verified no IMS exception and avc denied
Change-Id: I4a4bd1efb22b5538b1679aad8f543d00203e0b48
Signed-off-by: Jinhee.k
---
 whitechapel_pro/vendor_ims_app.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te
index 38e63646..ed65eae1 100644
--- a/whitechapel_pro/vendor_ims_app.te
+++ b/whitechapel_pro/vendor_ims_app.te
@@ -1,5 +1,6 @@
 type vendor_ims_app, domain;
 app_domain(vendor_ims_app)
+net_domain(vendor_ims_app)
 allow vendor_ims_app app_api_service:service_manager find;
 allow vendor_ims_app audioserver_service:service_manager find;
@@ -11,6 +12,8 @@ allow vendor_ims_app mediaserver_service:service_manager find;
 allow vendor_ims_app cameraserver_service:service_manager find;
 allow vendor_ims_app mediametrics_service:service_manager find;
+allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };
+
 binder_call(vendor_ims_app, rild)
 set_prop(vendor_ims_app, vendor_rild_prop)
 set_prop(vendor_ims_app, radio_prop)
From 5acc68de3b727163a3703a17489b7a52e1b9fa0d Mon Sep 17 00:00:00 2001
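Review bot: `binder_use(hal_health_default)` is very likely already granted by the HAL server macro that declares hal_health_default (outside this hunk), in which case the added line is redundant and should be dropped rather than duplicated; if it is genuinely missing, keep it but say so. Opening a framework service to a vendor HAL deserves a reason next to the `find` rule: `# b/237639591: report battery stats to the AIDL IStats service`. The same two lines are applied again verbatim by the cherry-pick PATCH 642/900 later in this series, so whichever form is chosen should be mirrored there.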
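Review bot: `allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };` in the second hunk is most likely redundant once `net_domain(vendor_ims_app)` is added in the first hunk, since the netdomain attribute in core policy already grants a domain socket creation on its own udp/tcp sockets; if it is kept for explicitness, drop the braces around the macro, which already expands to a permission set: `allow vendor_ims_app self:udp_socket create_socket_perms_no_ioctl;`. Giving an app domain network access is a meaningful widening, so a comment naming the feature (`# b/242231557: IMS signalling needs UDP sockets`) next to `net_domain(vendor_ims_app)` would justify it for future readers.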
From: jintinglin Date: Mon, 19 Sep 2022 13:08:39 +0800 Subject: [PATCH 635/900] Allows modem_svc to read the logging related properties avc: denied { read } for comm="modem_svc_sit" name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=347 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0 Bug: 243039758 Change-Id: Ib3031552faf03771f86e72e7dbd81c3610c518cc --- whitechapel_pro/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te index 9954f493..9d4cba72 100644 --- a/whitechapel_pro/modem_svc_sit.te +++ b/whitechapel_pro/modem_svc_sit.te @@ -25,6 +25,9 @@ get_prop(modem_svc_sit, vendor_rild_prop) allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) +# logging property +get_prop(modem_svc_sit, vendor_logger_prop) + userdebug_or_eng(` allow modem_svc_sit radio_test_device:chr_file rw_file_perms; ') From 7054110441d661b00ea987cf5f10e8a81ef249b0 Mon Sep 17 00:00:00 2001 From: timmyli Date: Wed, 21 Sep 2022 21:15:54 +0000 Subject: [PATCH 636/900] Allow camera_hal to access always on compute device As a part of RLSRefactor efforst, we need to access libusf from within camera_hal. Bug: 248089742 Test: Compiles, Manual test that we can access aoc device Change-Id: Ie79a2ee544067de69f402e2dd5ce6e55c200be13 --- whitechapel_pro/hal_camera_default.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index 437060ea..ba2b5304 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te 
@@ -98,4 +98,7 @@ dontaudit hal_camera_default system_data_file:dir { search };
 # google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
 dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
\ No newline at end of file
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+
+# Allow access to always-on compute device node
+allow hal_camera_default aoc_device:chr_file rw_file_perms;
From cbb62de10cfa34f1a6c3acc27031967d8a6596eb Mon Sep 17 00:00:00 2001
From: Sayanna Chandula
Date: Mon, 22 Aug 2022 16:15:13 -0700
Subject: [PATCH 637/900] thermal: enable pixelstats access to thermal metrics
Allow pixelstats daemon to access thermal metric nodes
Bug: 228247740
Test: Build and boot on device. Check thermal stats
Change-Id: Iada717b92782bc9c085928462b2e06d2db136cab
Signed-off-by: Sayanna Chandula
---
 whitechapel_pro/pixelstats_vendor.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 068e7fb8..371bef41 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -22,3 +22,7 @@ get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);
 # Pca charge
 allow pixelstats_vendor sysfs_pca:file rw_file_perms;
+
+#Thermal
+r_dir_file(pixelstats_vendor, sysfs_thermal)
+allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;
From 6580ccce50aead345307b2b1acb464e8781cb056 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 23 Sep 2022 13:07:27 +0800
Subject: [PATCH 638/900] dump f2fs in gs-common
Bug: 248143736
Test: adb bugreport
Change-Id: Id3b62464fb80cb6178e5b8fc4a53c8c3dfe1b27e
---
 whitechapel_pro/file.te | 1 -
 whitechapel_pro/genfs_contexts | 1 -
 whitechapel_pro/hal_dumpstate_default.te | 5 -----
 3 files changed, 7 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index abbdc663..cb17558c 100644
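Review bot: `allow hal_camera_default aoc_device:chr_file rw_file_perms;` gives the camera HAL — a large process that parses untrusted image data — read/write plus unrestricted `ioctl` on the always-on-compute device. If libusf only needs a known subset of ioctls, an `allowxperm hal_camera_default aoc_device:chr_file ioctl { ... }` allowlist keeps the rest of the AoC ioctl surface out of reach of that process; the existing comment could then also carry the bug reference, `# b/248089742: libusf (RLS refactor) talks to the AoC from the camera HAL`. Fixing the missing trailing newline on the old last line in the same hunk is fine to bundle here.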
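Review bot: Style: `#Thermal` lacks the space after `#` that the sibling `# Pca charge` comment uses; write `# Thermal` for consistency with the rest of pixelstats_vendor.te. The separate `sysfs_thermal:lnk_file r_file_perms` rule presumably exists because the thermal zone entries are exposed as symlinks under sysfs; a half-line note saying so (`# thermal zones are symlinks`) would keep the next reader from treating it as an over-grant.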
--- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -55,7 +55,6 @@ type sysfs_write_leds, sysfs_type, fs_type; type sysfs_pca, sysfs_type, fs_type; # debugfs -type debugfs_f2fs, debugfs_type, fs_type; type vendor_maxfg_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; type vendor_regmap_debugfs, fs_type, debugfs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 6bc52ad0..b05283e6 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -188,7 +188,6 @@ genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 # debugfs -genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 9992df4f..c41cbfcd 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -106,7 +106,6 @@ userdebug_or_eng(` ') get_prop(hal_dumpstate_default, vendor_camera_debug_prop); -get_prop(hal_dumpstate_default, boottime_public_prop) get_prop(hal_dumpstate_default, vendor_camera_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) set_prop(hal_dumpstate_default, vendor_modem_prop) 
@@ -121,8 +120,6 @@ userdebug_or_eng(` allow hal_dumpstate_default debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; - allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; - allow hal_dumpstate_default debugfs_f2fs:file r_file_perms; allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; @@ -149,8 +146,6 @@ dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; dontaudit hal_dumpstate_default debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; -dontaudit hal_dumpstate_default debugfs_f2fs:file r_file_perms; dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; From df53edb110ce2b8dfc9d323403f85628f50d3647 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 28 Sep 2022 13:27:03 +0800 Subject: [PATCH 639/900] move UFS dump to gs-common Bug: 248143736 Test: adb bugreport Change-Id: I06374e41f2e4c4695780d7f1f2ff12d27f77351f --- whitechapel_pro/hal_dumpstate_default.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index c41cbfcd..a8ee4a52 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -71,9 +71,6 @@ allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
 allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
 allow hal_dumpstate_default proc_f2fs:file r_file_perms;
-allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
-
 allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
From 9bb5e3e05bddcdd977ac041b26eba96c680aaa3f Mon Sep 17 00:00:00 2001
From: Kyle Tso
Date: Wed, 28 Sep 2022 10:58:59 +0800
Subject: [PATCH 640/900] Set sepolicy for shell script of disabling contaminant detection (ported from Ib2e3cf498851c0c9e5e74aacc9bf391549c0ad1a)
Bug: 244658328
Signed-off-by: Kyle Tso
Change-Id: Idbfa55d4c7091ce2861600ff3881fcc7217ec662
---
 whitechapel_pro/disable-contaminant-detection-sh.te | 7 +++++++
 whitechapel_pro/file_contexts | 1 +
 2 files changed, 8 insertions(+)
 create mode 100644 whitechapel_pro/disable-contaminant-detection-sh.te
diff --git a/whitechapel_pro/disable-contaminant-detection-sh.te b/whitechapel_pro/disable-contaminant-detection-sh.te
new file mode 100644
index 00000000..95845a18
--- /dev/null
+++ b/whitechapel_pro/disable-contaminant-detection-sh.te
@@ -0,0 +1,7 @@
+type disable-contaminant-detection-sh, domain;
+type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(disable-contaminant-detection-sh)
+
+allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 29bca7a4..bf45934b 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
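Review bot: `allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;` lets the script write every node that carries the broad `sysfs_batteryinfo` label, while the subject says it flips a single contaminant-detection control. If that control has a stable sysfs path, labelling it on its own in genfs_contexts (e.g. a constructed `sysfs_contaminant_detection` type) and granting `w_file_perms` on just that type keeps a one-shot init script from being able to write charger and battery controls it never needs; a `# b/244658328` comment above the rules would also tie them to the feature. PATCH 641/900, the next commit in the series, re-adds this identical file as a cherry-pick, so the same narrowing applies there.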
@@ -44,6 +44,7 @@ /vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0 +/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 From c18eea71d7b441e8ba17f4ac5150324d3285db0f Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Wed, 28 Sep 2022 10:58:59 +0800 Subject: [PATCH 641/900] Set sepolicy for shell script of disabling contaminant detection (ported from Ib2e3cf498851c0c9e5e74aacc9bf391549c0ad1a) Bug: 244658328 Signed-off-by: Kyle Tso Change-Id: Idbfa55d4c7091ce2861600ff3881fcc7217ec662 Merged-In: Idbfa55d4c7091ce2861600ff3881fcc7217ec662 --- whitechapel_pro/disable-contaminant-detection-sh.te | 7 +++++++ whitechapel_pro/file_contexts | 1 + 2 files changed, 8 insertions(+) create mode 100644 whitechapel_pro/disable-contaminant-detection-sh.te diff --git a/whitechapel_pro/disable-contaminant-detection-sh.te b/whitechapel_pro/disable-contaminant-detection-sh.te new file mode 100644 index 00000000..95845a18 --- /dev/null +++ b/whitechapel_pro/disable-contaminant-detection-sh.te @@ -0,0 +1,7 @@ +type disable-contaminant-detection-sh, domain; +type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(disable-contaminant-detection-sh) + +allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans; +allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms; +allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index e5467e81..83232f1e 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -44,6 +44,7 @@ /vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0 +/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 From bdf3d6abcce8bf7626e6dbfc5e9a2a3043aaa8c4 Mon Sep 17 00:00:00 2001 From: Vova Sharaienko Date: Fri, 16 Sep 2022 18:58:26 +0000 Subject: [PATCH 642/900] hal_health_default: updated sepolicy This allows the android.hardware.health service to access AIDL Stats service Bug: 237639591 Bug: 249827340 Test: Build, flash, boot & and logcat | grep "avc" Change-Id: I71013c0b17ee5e526387efa0afb823f97775e572 (cherry picked from commit 87bc6d189d36b2aa0c31553fb672b7173418f9a5) Merged-In: I71013c0b17ee5e526387efa0afb823f97775e572 --- whitechapel_pro/hal_health_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index 0e393765..d953d4b2 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -7,6 +7,9 @@ set_prop(hal_health_default, vendor_battery_defender_prop) allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; +allow hal_health_default fwk_stats_service:service_manager find; +binder_use(hal_health_default) + allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; From 8902c457d7b8e315640ba7a5c2f3307211cd82f8 Mon Sep 17 00:00:00 2001 
From: Adam Shih
Date: Mon, 19 Sep 2022 11:31:01 +0800
Subject: [PATCH 643/900] move trusty device to gs-common
Bug: 244504232
Test: adb bugreport
Change-Id: If0df8122e5655b659ac001d42b9a6cf28a59a627
---
 whitechapel_pro/file_contexts | 1 -
 whitechapel_pro/logd.te | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index bf45934b..77345d68 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -71,7 +71,6 @@
 /vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
 # Devices
-/dev/trusty-log0 u:object_r:logbuffer_device:s0
 /dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
 /dev/ttySAC0 u:object_r:tty_device:s0
 /dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
diff --git a/whitechapel_pro/logd.te b/whitechapel_pro/logd.te
index cc55e204..ca969d80 100644
--- a/whitechapel_pro/logd.te
+++ b/whitechapel_pro/logd.te
@@ -1,2 +1,4 @@
 r_dir_file(logd, logbuffer_device)
 allow logd logbuffer_device:chr_file r_file_perms;
+allow logd trusty_log_device:chr_file r_file_perms;
+
From d03b6f3be2f758a5d1a5c13d0e5a739f59629c07 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 3 Oct 2022 13:39:41 +0800
Subject: [PATCH 644/900] move ramdump relate dumpstate to gs-common
Bug: 248428203
Test: adb bugreport
Change-Id: I40d9aff0e8069acc5d5ecbd0a596a850315e0b22
---
 whitechapel_pro/hal_dumpstate_default.te | 2 --
 1 file changed, 2 deletions(-)
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index a8ee4a52..184b43ae 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
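Review bot: The logd.te hunk adds an empty line after the new rule (the bare `+` at the end of the hunk), leaving a trailing blank line at end of file; drop it. The `trusty_log_device` type used here and the `/dev/trusty-log0` label that this commit removes from file_contexts are, going by the subject, now expected to come from gs-common, so this tree no longer labels the node on its own; a comment on the rule (`# trusty_log_device is declared and labelled in gs-common`) records that dependency for anyone building the policy without it.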
@@ -112,8 +112,6 @@ set_prop(hal_dumpstate_default, vendor_logger_prop) userdebug_or_eng(` allow hal_dumpstate_default mnt_vendor_file:dir search; - allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search; - allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; allow hal_dumpstate_default debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; From 455201b20dd64b7ab89b277c7ab0e43f9080eafa Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 4 Oct 2022 13:01:37 +0800 Subject: [PATCH 645/900] move soc dump to gs-common Bug: 248428203 Test: adb bugreport Change-Id: I225029624d4bd254dee3997b80ff322bacd07b23 --- whitechapel_pro/genfs_contexts | 6 ------ whitechapel_pro/hal_dumpstate_default.te | 2 -- 2 files changed, 8 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index b05283e6..24c60704 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -4,12 +4,6 @@ genfscon sysfs /devices/platform/exynos-bts/bts_stats u genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 -genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 # CPU genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 184b43ae..f01a4e6d 100644 
--- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -20,8 +20,6 @@ allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; -allow hal_dumpstate_default sysfs_chip_id:file r_file_perms; - allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; allow hal_dumpstate_default sysfs_wlc:file r_file_perms; From b47db82964eb83b03cfd44241ddca547fe9ba883 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 7 Oct 2022 09:31:29 +0800 Subject: [PATCH 646/900] move modem dump to gs-common Bug: 250475732 Test: adb bugreport Change-Id: I8f7f1538b5e236a2c6e0ff5a1d9224c539ef9836 --- whitechapel_pro/hal_dumpstate_default.te | 7 ------- 1 file changed, 7 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index f01a4e6d..5889ba87 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -11,9 +11,6 @@ userdebug_or_eng(` allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms; ') -allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; - allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms; allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; @@ -29,8 +26,6 @@ allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms; allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; -allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; 
@@ -57,8 +52,6 @@ allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; -allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms; -allow hal_dumpstate_default modem_stat_data_file:file r_file_perms; allow hal_dumpstate_default vendor_slog_file:file r_file_perms; allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; From 2260099ad39288cc8ea29f0973a0e972acf8c8dc Mon Sep 17 00:00:00 2001 From: George Lee Date: Wed, 5 Oct 2022 14:03:34 -0700 Subject: [PATCH 647/900] bcl: Add mitigation ready device sepolicy Instead of relying on vendor.thermal.link_ready property to gate write to BCL's SYSFS node, adding mitigation ready SYSFS so that writes to BCL's SYSFS node would not cause NULL pointer dereference. Bug: 249130916 Test: Confirm property vendor.brownout.mitigation.ready is set Signed-off-by: George Lee Change-Id: I1b21a1c745e7e17f78e9d4c001032dd2c46673cf --- whitechapel_pro/battery_mitigation.te | 4 ++++ whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ 3 files changed, 10 insertions(+) diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te index 59af9d53..5fecbcba 100644 --- a/whitechapel_pro/battery_mitigation.te +++ b/whitechapel_pro/battery_mitigation.te @@ -2,6 +2,7 @@ type battery_mitigation, domain; type battery_mitigation_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(battery_mitigation) get_prop(battery_mitigation, boot_status_prop) +set_prop(battery_mitigation, vendor_mitigation_ready_prop) hal_client_domain(battery_mitigation, hal_thermal); hal_client_domain(battery_mitigation, hal_health); 
@@ -11,6 +12,9 @@ r_dir_file(battery_mitigation, sysfs_iio_devices) r_dir_file(battery_mitigation, sysfs_thermal) r_dir_file(battery_mitigation, thermal_link_device) r_dir_file(battery_mitigation, sysfs_odpm) +allow battery_mitigation sysfs_bcl:dir r_dir_perms; +allow battery_mitigation sysfs_bcl:file r_file_perms; +allow battery_mitigation sysfs_bcl:lnk_file r_file_perms; allow battery_mitigation sysfs_thermal:lnk_file r_file_perms; allow battery_mitigation mitigation_vendor_data_file:dir rw_dir_perms; allow battery_mitigation mitigation_vendor_data_file:file create_file_perms; diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index ec7d84ed..b88506be 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -36,3 +36,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) + +# Battery Mitigation +vendor_internal_prop(vendor_mitigation_ready_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 98a7980a..f4c5eeb0 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -106,3 +106,6 @@ persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0 # for vendor telephony debug app vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0 + +# Battery Mitigation +vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0 From b72e47e1b0d13dc52883276b1350144efdb9d7a0 Mon Sep 17 00:00:00 2001 From: George Lee Date: Mon, 10 Oct 2022 09:40:51 -0700 Subject: [PATCH 648/900] bcl: Add brownout boot reason sepolicy Lastmeal.txt may be generated from after device rebooted from IRQ triggering. By applying limit on the time when it generates, lastmeal.txt will not be generated after device rebooted. Bug: 246817058 Test: Confirm lastmeal.txt generation 
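Review bot: The three new `allow battery_mitigation sysfs_bcl:...` lines spell out by hand what the neighbouring rules express with a macro; `r_dir_file(battery_mitigation, sysfs_bcl)` expands to dir r_dir_perms plus file and lnk_file r_file_perms, so it is equivalent and matches the `r_dir_file(battery_mitigation, sysfs_odpm)` line directly above (assuming the AOSP te_macros definition is the one in scope). The read-only scope itself looks right, but the commit message talks about gating writes to the BCL node while nothing in this patch grants battery_mitigation write access to sysfs_bcl, so the writer must be another domain; a one-line comment saying that this daemon only reads the readiness node, and which domain performs the write, would save the next reader the same question.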
Signed-off-by: George Lee Change-Id: I02515fc452dbfa5c8a40041cbb8731664dace62e --- whitechapel_pro/battery_mitigation.te | 1 + whitechapel_pro/property.te | 2 ++ whitechapel_pro/property_contexts | 2 ++ whitechapel_pro/vendor_init.te | 4 ++++ 4 files changed, 9 insertions(+) diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te index 5fecbcba..56b83733 100644 --- a/whitechapel_pro/battery_mitigation.te +++ b/whitechapel_pro/battery_mitigation.te @@ -2,6 +2,7 @@ type battery_mitigation, domain; type battery_mitigation_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(battery_mitigation) get_prop(battery_mitigation, boot_status_prop) +get_prop(battery_mitigation, vendor_startup_bugreport_requested_prop) set_prop(battery_mitigation, vendor_mitigation_ready_prop) hal_client_domain(battery_mitigation, hal_thermal); diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index b88506be..151cefc3 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -39,3 +39,5 @@ vendor_internal_prop(vendor_telephony_app_prop) # Battery Mitigation vendor_internal_prop(vendor_mitigation_ready_prop) +vendor_internal_prop(vendor_brownout_boot_reason_prop) +vendor_internal_prop(vendor_startup_bugreport_requested_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index f4c5eeb0..02b9ce80 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -109,3 +109,5 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop: # Battery Mitigation vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0 +vendor.brownout_boot_reason u:object_r:vendor_brownout_boot_reason_prop:s0 +vendor.startup_bugreport_requested u:object_r:vendor_startup_bugreport_requested_prop:s0 diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 3287d344..0dedd097 100644 --- a/whitechapel_pro/vendor_init.te 
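Review bot: The two new property names break the dotted scheme of the entry just above them: `vendor.brownout.mitigation.ready` versus `vendor.brownout_boot_reason` and `vendor.startup_bugreport_requested`. Property names are effectively an ABI between the vendor init scripts that set them and battery_mitigation that reads them, so settling on one convention now (for example `vendor.brownout.boot_reason` and `vendor.brownout.startup_bugreport_requested`) avoids a coordinated rename later. The init script and daemon code that use these names are outside this diff, so any rename would need to land there at the same time.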
+++ b/whitechapel_pro/vendor_init.te @@ -35,3 +35,7 @@ set_prop(vendor_init, vendor_battery_defender_prop) # Display set_prop(vendor_init, vendor_display_prop) + +# Battery Mitigation +set_prop(vendor_init, vendor_brownout_boot_reason_prop) +set_prop(vendor_init, vendor_startup_bugreport_requested_prop) From 083ba629028b15373d54f1338b1236bc3f0e8272 Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 13 Oct 2022 12:52:20 -0700 Subject: [PATCH 649/900] bcl: Remove unused brownout boot reason sepolicy vendor_brownout_boot_reason was added under previous change. It should be added as part of follow on change to enable metric collection. Bug: 246817058 Test: Confirm brownout_boot_reason non existent Signed-off-by: George Lee Change-Id: I1fed12e851750314f53a0d6517a9eff92c44e247 --- whitechapel_pro/property.te | 1 - whitechapel_pro/property_contexts | 1 - whitechapel_pro/vendor_init.te | 1 - 3 files changed, 3 deletions(-) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 151cefc3..1bca1a73 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -39,5 +39,4 @@ vendor_internal_prop(vendor_telephony_app_prop) # Battery Mitigation vendor_internal_prop(vendor_mitigation_ready_prop) -vendor_internal_prop(vendor_brownout_boot_reason_prop) vendor_internal_prop(vendor_startup_bugreport_requested_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 02b9ce80..814d0184 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -109,5 +109,4 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop: # Battery Mitigation vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0 -vendor.brownout_boot_reason u:object_r:vendor_brownout_boot_reason_prop:s0 vendor.startup_bugreport_requested u:object_r:vendor_startup_bugreport_requested_prop:s0 
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 0dedd097..a82ad9f1 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -37,5 +37,4 @@ set_prop(vendor_init, vendor_battery_defender_prop) set_prop(vendor_init, vendor_display_prop) # Battery Mitigation -set_prop(vendor_init, vendor_brownout_boot_reason_prop) set_prop(vendor_init, vendor_startup_bugreport_requested_prop) From 39ffb227b33c85dfb09cd5efd19b4177988f946e Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 13 Oct 2022 09:19:07 -0700 Subject: [PATCH 650/900] betterbug: Add selinux policy for betterbug Enable Betterbug to read reboot reason such that Betterbug can file bugreport when *uvlo* or *ocp* is found within reboot reason. Bug: 237287659 Test: Load Betterbug for accessing boot reason property Signed-off-by: George Lee Change-Id: Id699be34d2e060ee7827737982403fd58f133c4a --- whitechapel_pro/better_bug_app.te | 6 ++++++ whitechapel_pro/seapp_contexts | 3 +++ 2 files changed, 9 insertions(+) create mode 100644 whitechapel_pro/better_bug_app.te diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te new file mode 100644 index 00000000..7a8c3818 --- /dev/null +++ b/whitechapel_pro/better_bug_app.te @@ -0,0 +1,6 @@ +type better_bug_app, domain; + +userdebug_or_eng(` + app_domain(better_bug_app) + get_prop(better_bug_app, vendor_startup_bugreport_requested_prop) +') diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 0fbe0333..7a908751 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
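Review bot: `type better_bug_app, domain;` is declared unconditionally while `app_domain(better_bug_app)` sits inside `userdebug_or_eng`, so on a user build the type exists but carries none of the app rules; the seapp_contexts entry added by this same patch is written without any gating, so unless that file is run through m4 with the same macro a package matching it on a user build would be placed into an essentially empty domain and fail to start. Either the app is debug-only and the seapp_contexts line should be gated the same way, or it can ship on user builds and `app_domain(better_bug_app)` should move above the `userdebug_or_eng(` line, leaving only the `get_prop` inside. Whichever is intended, record it at the top of the file, e.g. `# Internal BetterBug client; the vendor property read is debug-only`.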
@@ -71,3 +71,6 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_ # CccDkTimeSyncService user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all + +# BetterBug +user=_app seinfo=platform name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=user From e2ad2a0fd9587a59e9406cce2c3b70af416e21f8 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 13 Oct 2022 10:57:36 +0800 Subject: [PATCH 651/900] remove redundant permission that has moved to gs-common Bug: 248426917 Test: adb bugreport Change-Id: I8df8d6197aea78caf6f9903e7fd7953eab567e8c --- whitechapel_pro/hal_dumpstate_default.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 5889ba87..04d1a994 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -23,9 +23,6 @@ allow hal_dumpstate_default sysfs_wlc:file r_file_perms; allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; -allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms; -allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; - allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; From 5c48a9028512d067de0b4add8ce30f27a7a9203a Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 13 Oct 2022 18:43:09 -0700 Subject: [PATCH 652/900] pixelstats: add bcl directory permission Bug: 253522156 Test: Local test $>cmd stats print-logs $>logcat | grep Signed-off-by: George Lee Change-Id: I934f6efb043893666dac88257619556e30d82751 --- whitechapel_pro/pixelstats_vendor.te | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 371bef41..d327a30d 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -26,3 +26,7 @@ allow pixelstats_vendor sysfs_pca:file rw_file_perms; #Thermal r_dir_file(pixelstats_vendor, sysfs_thermal) allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; + +# BCL +allow pixelstats_vendor sysfs_bcl:dir search; +allow pixelstats_vendor sysfs_bcl:file r_file_perms; From 36df3f715f8d3aa6216bfb1baffba6e089f6d606 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Fri, 14 Oct 2022 13:54:34 +0000 Subject: [PATCH 653/900] Use generic wildcard for vendor libprotobuf. The suffix changes on each upgrade and the newest release uses a two-part version number instead of a three-part one. Use a regex that will match any suffix. Bug: 203713560 Test: presubmit, log check Change-Id: I7a3357d11c162a9bc24196bb232f58be9ba062ec --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 83232f1e..d6db670d 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -62,7 +62,7 @@ /vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0 From 19419cbdb30c6efc358b4ed4f92ab205507c179d Mon Sep 17 00:00:00 2001 
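Review bot: The new pattern `libprotobuf-cpp-lite-(\d+\.){2,3}so` relies on the group's trailing `\.` to supply the dot before `so`, which reads as if `\.so` were missing; `libprotobuf-cpp-lite-\d+(\.\d+){1,2}\.so` matches the same two- and three-part versions and is easier to check by eye. Because the label is `same_process_hal_file`, which permits the library to be loaded into system-side processes, it is good that the match stays tied to the version shape rather than a bare `.*`, and that file_contexts patterns are implicitly anchored. A comment such as `# version suffix changes per protobuf release (2 or 3 components)` would explain why this line is a regex when its neighbours are literal paths.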
From: Martin Liu Date: Fri, 14 Oct 2022 09:26:40 +0800 Subject: [PATCH 654/900] allow vendor_init to acces watermark_scale_factor Bug: 251881967 Test: boot Signed-off-by: Martin Liu Change-Id: I0840cf19f9c3120aaacc49de751fdd0a55aebf5f --- whitechapel_pro/vendor_init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index a82ad9f1..5de29166 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -38,3 +38,6 @@ set_prop(vendor_init, vendor_display_prop) # Battery Mitigation set_prop(vendor_init, vendor_startup_bugreport_requested_prop) + +# MM +allow vendor_init proc_watermark_scale_factor:file w_file_perms; From 91b093f51e330712e167f54c7310d2690eb8876e Mon Sep 17 00:00:00 2001 
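Review bot: The `# MM` heading above the new `allow vendor_init proc_watermark_scale_factor:file w_file_perms;` does not tell a reader what is written or why vendor_init is the writer; the type name suggests `/proc/sys/vm/watermark_scale_factor`, but the genfscon that binds the type is outside this diff. Suggest expanding the comment to `# Memory management: vendor init.rc tunes watermark_scale_factor at boot` (naming the actual rc file) so that a write grant on a kernel tunable from vendor_init is self-documenting.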
From: Adam Shih Date: Thu, 20 Oct 2022 11:24:07 +0800 Subject: [PATCH 655/900] move aoc settings to gs-common Bug: 248426917 Test: boot with aoc launched Change-Id: Icf7e819e7e0a25695a2fb7b05d08273918e19823 --- aoc/aocd.te | 21 ------------------ aoc/aocdump.te | 18 --------------- aoc/device.te | 5 ----- aoc/file.te | 16 ------------- aoc/file_contexts | 37 ------------------------------- aoc/genfs_contexts | 30 ------------------------- aoc/hal_audio_default.te | 35 ----------------------------- aoc/hal_audiometricext_default.te | 12 ---------- aoc/hwservice.te | 6 ----- aoc/hwservice_contexts | 4 ---- aoc/property.te | 4 ---- aoc/property_contexts | 13 ----------- whitechapel_pro/genfs_contexts | 19 ++++++++++++++++ 13 files changed, 19 insertions(+), 201 deletions(-) delete mode 100644 aoc/aocd.te delete mode 100644 aoc/aocdump.te delete mode 100644 aoc/device.te delete mode 100644 aoc/file.te delete mode 100644 aoc/file_contexts delete mode 100644 aoc/genfs_contexts delete mode 100644 aoc/hal_audio_default.te delete mode 100644 aoc/hal_audiometricext_default.te delete mode 100644 aoc/hwservice.te delete mode 100644 aoc/hwservice_contexts delete mode 100644 aoc/property.te delete mode 100644 aoc/property_contexts diff --git a/aoc/aocd.te b/aoc/aocd.te deleted file mode 100644 index 69b0af0d..00000000 --- a/aoc/aocd.te +++ /dev/null @@ -1,21 +0,0 @@ -type aocd, domain; -type aocd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(aocd) - -# access persist files -allow aocd mnt_vendor_file:dir search; -allow aocd persist_file:dir search; -r_dir_file(aocd, persist_aoc_file); - -# sysfs operations -allow aocd sysfs_aoc:dir search; -allow aocd sysfs_aoc_firmware:file w_file_perms; - -# dev operations -allow aocd aoc_device:chr_file rw_file_perms; - -# allow inotify to watch for additions/removals from /dev -allow aocd device:dir r_dir_perms; - -# set properties -set_prop(aocd, vendor_aoc_prop) 
diff --git a/aoc/aocdump.te b/aoc/aocdump.te deleted file mode 100644 index 0801ec0e..00000000 --- a/aoc/aocdump.te +++ /dev/null @@ -1,18 +0,0 @@ -type aocdump, domain; -type aocdump_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(aocdump) - -userdebug_or_eng(` - # Permit communication with AoC - allow aocdump aoc_device:chr_file rw_file_perms; - - allow aocdump radio_vendor_data_file:dir rw_dir_perms; - allow aocdump radio_vendor_data_file:file create_file_perms; - allow aocdump wifi_logging_data_file:dir create_dir_perms; - allow aocdump wifi_logging_data_file:file create_file_perms; - set_prop(aocdump, vendor_audio_prop); - r_dir_file(aocdump, proc_asound) - - allow aocdump self:unix_stream_socket create_stream_socket_perms; - allow aocdump audio_vendor_data_file:sock_file { create unlink }; -') diff --git a/aoc/device.te b/aoc/device.te deleted file mode 100644 index fbd2b327..00000000 --- a/aoc/device.te +++ /dev/null @@ -1,5 +0,0 @@ -# AOC device -type aoc_device, dev_type; - -# AMCS device -type amcs_device, dev_type; diff --git a/aoc/file.te b/aoc/file.te deleted file mode 100644 index 649e161a..00000000 --- a/aoc/file.te +++ /dev/null @@ -1,16 +0,0 @@ -# sysfs -type sysfs_aoc_dumpstate, sysfs_type, fs_type; -type sysfs_aoc_boottime, sysfs_type, fs_type; -type sysfs_aoc_firmware, sysfs_type, fs_type; -type sysfs_aoc, sysfs_type, fs_type; -type sysfs_aoc_reset, sysfs_type, fs_type; - -# persist -type persist_aoc_file, file_type, vendor_persist_type; -type persist_audio_file, file_type, vendor_persist_type; - -# vendor -type aoc_audio_file, file_type, vendor_file_type; - -# data -type audio_vendor_data_file, file_type, data_file_type; diff --git a/aoc/file_contexts b/aoc/file_contexts deleted file mode 100644 index fcdeca47..00000000 --- a/aoc/file_contexts +++ /dev/null 
@@ -1,37 +0,0 @@ -# AoC devices -/dev/acd-audio_output_tuning u:object_r:aoc_device:s0 -/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0 -/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0 -/dev/acd-audio_input_tuning u:object_r:aoc_device:s0 -/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0 -/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0 -/dev/acd-sound_trigger u:object_r:aoc_device:s0 -/dev/acd-hotword_notification u:object_r:aoc_device:s0 -/dev/acd-hotword_pcm u:object_r:aoc_device:s0 -/dev/acd-ambient_pcm u:object_r:aoc_device:s0 -/dev/acd-model_data u:object_r:aoc_device:s0 -/dev/acd-debug u:object_r:aoc_device:s0 -/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 -/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 -/dev/acd-com.google.usf u:object_r:aoc_device:s0 -/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 -/dev/acd-logging u:object_r:aoc_device:s0 -/dev/aoc u:object_r:aoc_device:s0 -/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0 -/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0 -/dev/amcs u:object_r:amcs_device:s0 - -# AoC vendor binaries -/vendor/bin/aocd u:object_r:aocd_exec:s0 -/vendor/bin/aocdump u:object_r:aocdump_exec:s0 -/vendor/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0 - -# AoC audio files -/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0 - -# Aoc persist files -/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0 -/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0 - -# Audio data files -/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0 diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts deleted file mode 100644 index abfc5a99..00000000 --- a/aoc/genfs_contexts +++ /dev/null 
@@ -1,30 +0,0 @@ -# AOC -genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 -genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0 -genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0 -genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0 -genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 - -# pixelstat_vendor -genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0 
-genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0 - diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te deleted file mode 100644 index aa462bf3..00000000 --- a/aoc/hal_audio_default.te +++ /dev/null 
@@ -1,35 +0,0 @@ -vndbinder_use(hal_audio_default) -hwbinder_use(hal_audio_default) - -allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms; -allow hal_audio_default audio_vendor_data_file:file create_file_perms; - -r_dir_file(hal_audio_default, aoc_audio_file); -r_dir_file(hal_audio_default, mnt_vendor_file); -r_dir_file(hal_audio_default, persist_audio_file); - -allow hal_audio_default persist_file:dir search; -allow hal_audio_default aoc_device:file rw_file_perms; -allow hal_audio_default aoc_device:chr_file rw_file_perms; - -allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add }; - -allow hal_audio_default amcs_device:file rw_file_perms; -allow hal_audio_default amcs_device:chr_file rw_file_perms; -allow hal_audio_default sysfs_pixelstats:file rw_file_perms; - -#allow access to DMABUF Heaps for AAudio API -allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; - -set_prop(hal_audio_default, vendor_audio_prop); - -hal_client_domain(hal_audio_default, hal_health); -hal_client_domain(hal_audio_default, hal_thermal); -allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find; - -userdebug_or_eng(` - allow hal_audio_default self:unix_stream_socket create_stream_socket_perms; - allow hal_audio_default audio_vendor_data_file:sock_file { create unlink }; -') - -wakelock_use(hal_audio_default); diff --git a/aoc/hal_audiometricext_default.te b/aoc/hal_audiometricext_default.te deleted file mode 100644 index 5358eac4..00000000 --- a/aoc/hal_audiometricext_default.te +++ /dev/null 
@@ -1,12 +0,0 @@ -type hal_audiometricext_default, domain; -type hal_audiometricext_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_audiometricext_default) - -allow hal_audiometricext_default amcs_device:chr_file rw_file_perms; -allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms; - -get_prop(hal_audiometricext_default, vendor_audio_prop); -get_prop(hal_audiometricext_default, hwservicemanager_prop); - -hwbinder_use(hal_audiometricext_default); -add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice); diff --git a/aoc/hwservice.te b/aoc/hwservice.te deleted file mode 100644 index b7bf5d92..00000000 --- a/aoc/hwservice.te +++ /dev/null @@ -1,6 +0,0 @@ -# Audio -type hal_audio_ext_hwservice, hwservice_manager_type; - -# AudioMetric -type hal_audiometricext_hwservice, hwservice_manager_type; - diff --git a/aoc/hwservice_contexts b/aoc/hwservice_contexts deleted file mode 100644 index f06c8461..00000000 --- a/aoc/hwservice_contexts +++ /dev/null @@ -1,4 +0,0 @@ -# Audio -vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0 -vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0 - diff --git a/aoc/property.te b/aoc/property.te deleted file mode 100644 index d38e3ec8..00000000 --- a/aoc/property.te +++ /dev/null @@ -1,4 +0,0 @@ -# AoC -vendor_internal_prop(vendor_aoc_prop) -# Audio -vendor_internal_prop(vendor_audio_prop) diff --git a/aoc/property_contexts b/aoc/property_contexts deleted file mode 100644 index e957de69..00000000 --- a/aoc/property_contexts +++ /dev/null 
@@ -1,13 +0,0 @@ -# AoC -vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0 - -# for audio -vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0 -vendor.audiodump.enable u:object_r:vendor_audio_prop:s0 -persist.vendor.audio. u:object_r:vendor_audio_prop:s0 -vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0 -vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0 -vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 -vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 -vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0 -vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 24c60704..ae9258aa 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -411,3 +411,22 @@ genfscon sysfs /kernel/pixel_em/active_profile u:obje # Privacy LED genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/pwmleds/leds/green/max_brightness u:object_r:sysfs_leds:s0 + +# AOC +genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 +genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0 +genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0 +genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0 +genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 + From 3805fb18954619ca370a7417b4e00030ae420b7b Mon Sep 17 00:00:00 2001 
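Review bot: The genfscon lines re-added here reference `sysfs_aoc`, `sysfs_aoc_boottime`, `sysfs_aoc_firmware`, `sysfs_aoc_reset` and `sysfs_aoc_dumpstate`, yet the same patch deletes their declarations in aoc/file.te and adds none in-tree, so this file only compiles if gs-common now declares those types; the commit message implies that, but the diff cannot show it. Likewise the `# pixelstat_vendor` audiometrics entries from the deleted aoc/genfs_contexts are not carried over, so if they are not in gs-common those nodes fall back to plain `sysfs` and the existing `sysfs_pixelstats` rules stop applying to them. The hunk also ends with a bare `+` line, adding a trailing blank line to the file.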
From: Lucas Wei Date: Thu, 6 Oct 2022 10:29:59 +0800 Subject: [PATCH 656/900] SEPolicy: Don't audit search regmap by kernel Bug: 247948906 Signed-off-by: Lucas Wei Change-Id: I8886b5c3790036a9fe2d1ed8f524a0555b900dbb --- whitechapel_pro/kernel.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index fa6c2fac..2cddb45b 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -10,3 +10,4 @@ allow kernel self:perf_event cpu; dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_maxfg_debugfs:dir { search }; +dontaudit kernel vendor_regmap_debugfs:dir search; From 939d05cbf811c7979477a2916032ef2c5b13470c Mon Sep 17 00:00:00 2001 From: Lucas Wei Date: Thu, 6 Oct 2022 10:29:59 +0800 Subject: [PATCH 657/900] SEPolicy: Don't audit search regmap by kernel Bug: 247948906 Signed-off-by: Lucas Wei Change-Id: I8886b5c3790036a9fe2d1ed8f524a0555b900dbb Merged-In: I8886b5c3790036a9fe2d1ed8f524a0555b900dbb --- whitechapel_pro/kernel.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index c34e7f72..376d8e14 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -9,3 +9,4 @@ allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; dontaudit kernel vendor_battery_debugfs:dir search; +dontaudit kernel vendor_regmap_debugfs:dir search; From 7c683d8496fb79593ea682812e574a76ae461bdf Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Fri, 21 Oct 2022 12:38:00 +0800 Subject: [PATCH 658/900] move brcm gps solution to gs-common Bug: 254758553 Test: google map can locate on pixel Change-Id: I2c97ac6c327a0c32dbc9223597758bbceb72d2a3 --- gps/device.te | 1 - gps/file.te | 7 ------- gps/file_contexts | 12 ------------ gps/genfs_contexts | 4 ---- gps/gpsd.te | 28 ---------------------------- gps/hal_gnss_default.te | 4 ---- gps/lhd.te | 23 ----------------------- gps/scd.te | 17 ----------------- whitechapel_pro/device.te | 1 + whitechapel_pro/file.te | 2 ++ whitechapel_pro/gpsd.te | 9 +++++++++ 11 files changed, 12 insertions(+), 96 deletions(-) delete mode 100644 gps/device.te delete mode 100644 gps/file.te delete mode 100644 gps/file_contexts delete mode 100644 gps/genfs_contexts delete mode 100644 gps/gpsd.te delete mode 100644 gps/hal_gnss_default.te delete mode 100644 gps/lhd.te delete mode 100644 gps/scd.te create mode 100644 whitechapel_pro/gpsd.te diff --git a/gps/device.te b/gps/device.te deleted file mode 100644 index 15d049fa..00000000 --- a/gps/device.te +++ /dev/null @@ -1 +0,0 @@ -type vendor_gnss_device, dev_type; diff --git a/gps/file.te b/gps/file.te deleted file mode 100644 index 537afdbc..00000000 --- a/gps/file.te +++ /dev/null @@ -1,7 +0,0 @@ -type vendor_gps_file, file_type, data_file_type; -userdebug_or_eng(` - typeattribute vendor_gps_file mlstrustedobject; -') - -type sysfs_gps, sysfs_type, fs_type; -type sysfs_gps_assert, sysfs_type, fs_type; diff --git a/gps/file_contexts b/gps/file_contexts deleted file mode 100644 index 8ae128e1..00000000 --- a/gps/file_contexts +++ /dev/null 
@@ -1,12 +0,0 @@ -# gnss/gps data/log files -/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0 - -# devices -/dev/bbd_control u:object_r:vendor_gnss_device:s0 -/dev/ttyBCM u:object_r:vendor_gnss_device:s0 - -# vendor binaries -/vendor/bin/hw/scd u:object_r:scd_exec:s0 -/vendor/bin/hw/lhd u:object_r:lhd_exec:s0 -/vendor/bin/hw/gpsd u:object_r:gpsd_exec:s0 -/vendor/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 diff --git a/gps/genfs_contexts b/gps/genfs_contexts deleted file mode 100644 index 49dfdd05..00000000 --- a/gps/genfs_contexts +++ /dev/null @@ -1,4 +0,0 @@ -# GPS -genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 -genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0 - diff --git a/gps/gpsd.te b/gps/gpsd.te deleted file mode 100644 index 791a02e4..00000000 --- a/gps/gpsd.te +++ /dev/null @@ -1,28 +0,0 @@ -type gpsd, domain; -type gpsd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(gpsd) - -# Allow gpsd access PixelLogger unix socket in debug build only -userdebug_or_eng(` - typeattribute gpsd mlstrustedsubject; - allow gpsd logger_app:unix_stream_socket connectto; -') - -# Allow gpsd to obtain wakelock -wakelock_use(gpsd) - -# Allow gpsd access data vendor gps files -allow gpsd vendor_gps_file:dir create_dir_perms; -allow gpsd vendor_gps_file:file create_file_perms; -allow gpsd vendor_gps_file:fifo_file create_file_perms; - -# Allow gpsd to access rild -binder_call(gpsd, rild); -allow gpsd hal_exynos_rild_hwservice:hwservice_manager find; - -# Allow gpsd to access sensor service -binder_call(gpsd, system_server); -allow gpsd fwk_sensor_hwservice:hwservice_manager find; - -# Allow gpsd to access pps gpio -allow gpsd sysfs_gps_assert:file r_file_perms; diff --git a/gps/hal_gnss_default.te b/gps/hal_gnss_default.te deleted file mode 100644 index e3004237..00000000 --- a/gps/hal_gnss_default.te +++ /dev/null 
@@ -1,4 +0,0 @@ -# Allow hal_gnss_default access data vendor gps files -allow hal_gnss_default vendor_gps_file:dir create_dir_perms; -allow hal_gnss_default vendor_gps_file:file create_file_perms; -allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms; diff --git a/gps/lhd.te b/gps/lhd.te deleted file mode 100644 index e980897c..00000000 --- a/gps/lhd.te +++ /dev/null @@ -1,23 +0,0 @@ -type lhd, domain; -type lhd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(lhd) - -# Allow lhd access PixelLogger unix socket in debug build only -userdebug_or_eng(` - typeattribute lhd mlstrustedsubject; - allow lhd logger_app:unix_stream_socket connectto; -') - -# Allow lhd access data vendor gps files -allow lhd vendor_gps_file:dir create_dir_perms; -allow lhd vendor_gps_file:file create_file_perms; -allow lhd vendor_gps_file:fifo_file create_file_perms; - -# Allow lhd to obtain wakelock -wakelock_use(lhd) - -# Allow lhd access /dev/bbd_control file -allow lhd vendor_gnss_device:chr_file rw_file_perms; - -# Allow lhd access nstandby gpio -allow lhd sysfs_gps:file rw_file_perms; diff --git a/gps/scd.te b/gps/scd.te deleted file mode 100644 index 28aaee0a..00000000 --- a/gps/scd.te +++ /dev/null @@ -1,17 +0,0 @@ -type scd, domain; -type scd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(scd) - -# Allow scd access PixelLogger unix socket in debug build only -userdebug_or_eng(` - typeattribute scd mlstrustedsubject; - allow scd logger_app:unix_stream_socket connectto; -') - -# Allow a base set of permissions required for network access. -net_domain(scd); - -# Allow scd access data vendor gps files -allow scd vendor_gps_file:dir create_dir_perms; -allow scd vendor_gps_file:file create_file_perms; -allow scd vendor_gps_file:fifo_file create_file_perms; diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index b1f5ecbf..426ebadb 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te 
@@ -18,6 +18,7 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
 type radio_test_device, dev_type;
+type vendor_gnss_device, dev_type;
 
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index cb17558c..475a3bfe 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -18,7 +18,9 @@ type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type mitigation_vendor_data_file, file_type, data_file_type;
+type vendor_gps_file, file_type, data_file_type;
 userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
 typeattribute tcpdump_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
 typeattribute radio_vendor_data_file mlstrustedobject;
diff --git a/whitechapel_pro/gpsd.te b/whitechapel_pro/gpsd.te
new file mode 100644
index 00000000..79055ecc
--- /dev/null
+++ b/whitechapel_pro/gpsd.te
@@ -0,0 +1,9 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
+
+
From ba0eb551e97aff2575cd7ec8c37409ec10fced5f Mon Sep 17 00:00:00 2001
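Review bot: The new whitechapel_pro/gpsd.te declares `gpsd` and `gpsd_exec` but carries over neither `init_daemon_domain(gpsd)` nor the `vendor_gps_file`, `vendor_gnss_device` and file_contexts rules that the deleted gps/gpsd.te and gps/file_contexts provided, so within this patch `/vendor/bin/hw/gpsd` has no label and the domain is never entered. The dropped lhd, scd and hal_gnss_default rules do not reappear in any whitechapel_pro file touched here either. If the remaining rules land in a later patch of this series, a one-line comment in gpsd.te such as `# domain transition and file rules: see <file in a later patch>` would spare the next reader the search; otherwise `init_daemon_domain(gpsd)` and the file_contexts entries belong next to the type declarations. Declaring `vendor_gps_file` in file.te (with `mlstrustedobject` on debug builds) while nothing in this patch references it is harmless but worth the same note.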
From: eddielan
Date: Mon, 22 Aug 2022 17:43:18 +0800
Subject: [PATCH 659/900] fingerprint: Allow fingerprint to access thermal hal SELinux : avc: denied { find } for interface=android.hardware.thermal::IThermal sid=u:r:hal_fingerprint_default:s0 pid=1064 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:hal_thermal_hwservice:s0 tclass=hwservice_manager permissive=0
Bug: 243115023
Test: make selinux_policy -j128
Test: Check avc log on device
Change-Id: Ida1b18536468df11be5bf44fb6fb79b03a35f4b9
---
 whitechapel_pro/hal_fingerprint_default.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te
index ec02f9c4..912776dd 100644
--- a/whitechapel_pro/hal_fingerprint_default.te
+++ b/whitechapel_pro/hal_fingerprint_default.te
@@ -30,3 +30,6 @@ allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;
 # Allow fingerprint to access display hal
 allow hal_fingerprint_default hal_pixel_display_service:service_manager find;
 binder_call(hal_fingerprint_default, hal_graphics_composer_default)
+
+# allow fingerprint to access thermal hal
+hal_client_domain(hal_fingerprint_default, hal_thermal);
From 7e6dc0eabb9be5055ffb13deaa8f5ec869f80e59 Mon Sep 17 00:00:00 2001
From: Jack Wu
Date: Sat, 29 Oct 2022 11:02:08 +0800
Subject: [PATCH 660/900] ignore shell access on wlc
Bug: 238260741
Test: boot
Change-Id: I5f1d321df2daa2ec785e2ad1ac2e02478568b688
Signed-off-by: Jack Wu
---
 tracking_denials/bug_map | 1 -
 whitechapel_pro/shell.te | 3 +++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 0f9c92d7..f2b65774 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
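Review bot: The new `hal_client_domain(hal_fingerprint_default, hal_thermal);` ends in a semicolon while the `binder_call(...)` macro two lines above does not; the m4 macro already expands to complete statements, so the stray `;` is only noise, but the file should settle on one form — `hal_client_domain(hal_fingerprint_default, hal_thermal)`. The denial quoted in the commit message is a single `find` on `hal_thermal_hwservice`, whereas hal_client_domain also makes the domain a hal_thermal client with binder calls to the server; that is the conventional grant for a real client, so the comment should say what the fingerprint HAL needs from IThermal rather than restate the macro, e.g. `# Fingerprint HAL queries IThermal (b/243115023)`.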
@@ -20,6 +20,5 @@ shell mirror_data_file dir b/239484612
 shell postinstall_mnt_dir dir b/239484612
 shell rootfs file b/239484612
 shell sscoredump_vendor_data_crashinfo_file dir b/241714944
-shell sysfs_wlc dir b/238260741
 shell system_dlkm_file dir b/239484612
 su modem_img_file filesystem b/240653918
diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te
index 978a5426..44ae0768 100644
--- a/whitechapel_pro/shell.te
+++ b/whitechapel_pro/shell.te
@@ -3,3 +3,6 @@ userdebug_or_eng(`
 allow shell sysfs_sjtag:dir r_dir_perms;
 allow shell sysfs_sjtag:file rw_file_perms;
 ')
+
+# wlc
+dontaudit shell sysfs_wlc:dir search;
From 13fbaff253534219edf831bf99ecd8af6744dbc5 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Thu, 27 Oct 2022 16:20:45 +0000
Subject: [PATCH 661/900] bcl: Add Mitigation Logger - Del gs201-sepolicy Mitigation Logger logs battery related information for 1 second when it is triggered by under voltage or over current interrupts. Information collected is to help debug system brownout.
Bug: 228383769
Test: Boot and Test
Change-Id: Ia13f6b16dd35803873f20514c21a95ed8dd20a55
Signed-off-by: George Lee
---
 whitechapel_pro/battery_mitigation.te | 21 ---------------------
 whitechapel_pro/file.te | 3 ---
 whitechapel_pro/file_contexts | 2 --
 whitechapel_pro/genfs_contexts | 1 -
 whitechapel_pro/property.te | 4 ----
 whitechapel_pro/property_contexts | 4 ----
 6 files changed, 35 deletions(-)
 delete mode 100644 whitechapel_pro/battery_mitigation.te
diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te
deleted file mode 100644
index 56b83733..00000000
--- a/whitechapel_pro/battery_mitigation.te
+++ /dev/null
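Review bot: The `# wlc` comment on the new `dontaudit shell sysfs_wlc:dir search;` records neither why the access is silenced instead of granted nor what triggers it, and the bug_map entry that used to carry that context is removed in the same commit, so this line is all a later reader gets. Suggest `# shell does not need sysfs_wlc; silence the search denial rather than grant it (b/238260741)`. Note that only `dir search` is silenced; if the same probe later touches files under sysfs_wlc the denial will resurface in a different form, which is acceptable but worth knowing when the bug is closed.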
@@ -1,21 +0,0 @@
-type battery_mitigation, domain;
-type battery_mitigation_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(battery_mitigation)
-get_prop(battery_mitigation, boot_status_prop)
-get_prop(battery_mitigation, vendor_startup_bugreport_requested_prop)
-set_prop(battery_mitigation, vendor_mitigation_ready_prop)
-
-hal_client_domain(battery_mitigation, hal_thermal);
-hal_client_domain(battery_mitigation, hal_health);
-
-r_dir_file(battery_mitigation, sysfs_batteryinfo)
-r_dir_file(battery_mitigation, sysfs_iio_devices)
-r_dir_file(battery_mitigation, sysfs_thermal)
-r_dir_file(battery_mitigation, thermal_link_device)
-r_dir_file(battery_mitigation, sysfs_odpm)
-allow battery_mitigation sysfs_bcl:dir r_dir_perms;
-allow battery_mitigation sysfs_bcl:file r_file_perms;
-allow battery_mitigation sysfs_bcl:lnk_file r_file_perms;
-allow battery_mitigation sysfs_thermal:lnk_file r_file_perms;
-allow battery_mitigation mitigation_vendor_data_file:dir rw_dir_perms;
-allow battery_mitigation mitigation_vendor_data_file:file create_file_perms;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 475a3bfe..abd14b81 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -17,7 +17,6 @@ type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
-type mitigation_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute vendor_gps_file mlstrustedobject;
@@ -44,14 +43,12 @@ type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
-type sysfs_bcl, sysfs_type, fs_type;
 type sysfs_touch, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_wlc, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_cpu, sysfs_type, fs_type;
-type sysfs_odpm, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
 type sysfs_pca, sysfs_type, fs_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 210866fc..9425e56f 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -41,7 +41,6 @@
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0
-/vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0
 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0
 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
@@ -210,7 +209,6 @@
 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
 /dev/battery_history u:object_r:battery_history_device:s0
 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
-/data/vendor/mitigation(/.*)? u:object_r:mitigation_vendor_data_file:s0
 
 # Persist
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ae9258aa..8a9820cf 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -3,7 +3,6 @@ genfscon sysfs /devices/platform/exynos-bts u
 genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
 genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
 
-genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
 
 # CPU
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index ba0aeaac..32895e7b 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -34,7 +34,3 @@ vendor_internal_prop(vendor_dynamic_sensor_prop)
 
 # Telephony debug app
 vendor_internal_prop(vendor_telephony_app_prop)
-
-# Battery Mitigation
-vendor_internal_prop(vendor_mitigation_ready_prop)
-vendor_internal_prop(vendor_startup_bugreport_requested_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 9ffb51a1..14c5b07d 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -98,7 +98,3 @@ persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0
 
 # for vendor telephony debug app
 vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0
-
-# Battery Mitigation
-vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0
-vendor.startup_bugreport_requested u:object_r:vendor_startup_bugreport_requested_prop:s0
From d1e0b924ae1e76151985687bdb11ee25fc9a82f5 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 24 Oct 2022 17:00:13 -0700
Subject: [PATCH 662/900] betterbug: Update selinux policy for betterbug Update startup_bugreport_requested property to vendor_public for betterbug to access.
Bug: 237287659
Test: Load Betterbug for accessing startup bugreport reason property
Signed-off-by: George Lee
Change-Id: Idc07e3f4ce425c0167654743fbe1ad8b7ece5e15
---
 whitechapel_pro/better_bug_app.te | 7 ++++++-
 whitechapel_pro/property.te | 2 +-
 whitechapel_pro/seapp_contexts | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
index 7a8c3818..506e832f 100644
--- a/whitechapel_pro/better_bug_app.te
+++ b/whitechapel_pro/better_bug_app.te
@@ -1,6 +1,11 @@
-type better_bug_app, domain;
+type better_bug_app, domain, coredomain;
 
 userdebug_or_eng(`
 app_domain(better_bug_app)
+ net_domain(better_bug_app)
+ allow better_bug_app app_api_service:service_manager find;
+ allow better_bug_app system_api_service:service_manager find;
+ allow better_bug_app privapp_data_file:file execute;
+ get_prop(better_bug_app, default_prop);
 get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
 ')
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 1bca1a73..ca17222c 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -39,4 +39,4 @@ vendor_internal_prop(vendor_telephony_app_prop)
 
 # Battery Mitigation
 vendor_internal_prop(vendor_mitigation_ready_prop)
-vendor_internal_prop(vendor_startup_bugreport_requested_prop)
+vendor_public_prop(vendor_startup_bugreport_requested_prop)
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 7a908751..ce467c3b 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
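Review bot: `allow better_bug_app privapp_data_file:file execute;` and `get_prop(better_bug_app, default_prop);` reach well past the property access the commit message describes: `default_prop` is the catch-all context for every property without a dedicated type, and executing files out of privileged-app data directories is the kind of grant that normally has to be justified on its own. Both sit inside `userdebug_or_eng`, so user builds are unaffected, but each should carry a comment naming the feature that needs it or be narrowed to the specific property type and file type. Adding `coredomain` to a domain declared in vendor policy is also unusual — coredomain is meant for system-side domains, and a vendor-defined one may trip the sepolicy consistency checks behind `make selinux_policy`, which is worth confirming before this lands. The seapp_contexts hunk that follows switches the app from `seinfo=platform` to `isPrivApp=true`; a comment above the type declaration stating that the app is a priv-app would keep the two files in agreement.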
@@ -73,4 +73,4 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
 
 # BetterBug
-user=_app seinfo=platform name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=all
From 441a3ad3ef14ddcde44b0a9897eaa607db466b16 Mon Sep 17 00:00:00 2001
From: Jenny Ho
Date: Fri, 30 Sep 2022 16:56:57 +0800
Subject: [PATCH 663/900] Add permission for logbuffer_bd
Bug: 242679204
Signed-off-by: Jenny Ho
Change-Id: Ie5c9829ee1a4980689c933273a273f1f4ac612b6
---
 whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 83232f1e..8b382741 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -107,6 +107,7 @@
 /dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_bd u:object_r:logbuffer_device:s0
 /dev/bbd_pwrstat u:object_r:power_stats_device:s0
 /dev/lwis-act-jotnar u:object_r:lwis_device:s0
 /dev/lwis-act-slenderman u:object_r:lwis_device:s0
From 0810814b496c8135336831bedcebfb88bbb96039 Mon Sep 17 00:00:00 2001
From: pointerkung
Date: Fri, 7 Oct 2022 14:59:53 +0800
Subject: [PATCH 664/900] Add required sepolicy rule for Camera Grant access for TNR max_freq to let libperfmgr can control it via powerhint.
Bug: 243729855
Test: Build pass, GCA, Control TNR max_freq via powerhint
Change-Id: I8f8faa360d9908afe3fe0de3c322a2be356b86c8
---
 whitechapel_pro/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 452f93b2..b7e4a6fe 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -389,6 +389,7 @@ genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:obj
 
 # Camera
 genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0
 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
 
 # USB-C throttling stats
From 6202c44816525e1bd1489eef7c81ad762a078fb9 Mon Sep 17 00:00:00 2001
From: Gabriel Biren
Date: Wed, 26 Oct 2022 23:29:29 +0000
Subject: [PATCH 665/900] Update gs201 sepolicy to allow the wifi_ext AIDL service. Changes should be similar to aosp/2262723.
Bug: 205044134
Test: m + Pre-submit tests
Change-Id: Ia1c784953225cb48b5320d8f1f5346a3cace005b
---
 whitechapel_pro/chre.te | 1 +
 whitechapel_pro/grilservice_app.te | 1 +
 2 files changed, 2 insertions(+)
diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te
index 4eda4096..ebee19df 100644
--- a/whitechapel_pro/chre.te
+++ b/whitechapel_pro/chre.te
@@ -18,6 +18,7 @@ usf_low_latency_transport(chre)
 # Allow CHRE to talk to the WiFi HAL
 allow chre hal_wifi_ext:binder { call transfer };
 allow chre hal_wifi_ext_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext_service:service_manager find;
 
 # Allow CHRE host to talk to stats service
 allow chre fwk_stats_service:service_manager find;
diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te
index 6e0dd667..7809537d 100644
--- a/whitechapel_pro/grilservice_app.te
+++ b/whitechapel_pro/grilservice_app.te
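Review bot: `allow chre hal_wifi_ext_service:service_manager find;` only compiles if `hal_wifi_ext_service` is declared as a service type and mapped in service_contexts, and neither file is in this commit's diffstat (chre.te and grilservice_app.te only), so the declaration must already exist elsewhere — worth confirming, since a missing type fails the policy build rather than the find. The same applies to the grilservice_app.te hunk that follows. Both files keep the HIDL `hal_wifi_ext_hwservice` find rule next to the new AIDL one; a short comment such as `# wifi_ext is served over both AIDL and HIDL during the migration` would explain why both remain and make the HIDL line easy to retire later.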
@@ -5,6 +5,7 @@ allow grilservice_app app_api_service:service_manager find;
 allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
 allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
 allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
 allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
 allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
 binder_call(grilservice_app, hal_bluetooth_btlinux)
From be2e1b2edee58a3c3fc8298c9bae97fc45a2a607 Mon Sep 17 00:00:00 2001
From: Amith Dsouza
Date: Tue, 1 Nov 2022 04:01:49 +0000
Subject: [PATCH 666/900] Fix untracked SELinux denials on boot Error: avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:platform_app:s0:c512,c768 pid=2641 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0
Bug: 254453654
Test: Flash device, rebuild driver blobs, check logs after boot
Change-Id: I43d524f781c1dda1d3d5291f661bc549fdbb99d6
---
 whitechapel_pro/platform_app.te | 3 +++
 whitechapel_pro/rild.te | 1 +
 2 files changed, 4 insertions(+)
diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te
index 356167ab..9021c1a8 100644
--- a/whitechapel_pro/platform_app.te
+++ b/whitechapel_pro/platform_app.te
@@ -1,3 +1,6 @@
+binder_call(platform_app, rild)
+allow platform_app hal_exynos_rild_hwservice:hwservice_manager find;
+
 allow platform_app hal_pixel_display_service:service_manager find;
 allow platform_app hal_wlc_hwservice:hwservice_manager find;
 allow platform_app nfc_service:service_manager find;
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index d8c8c290..db749f41 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
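Review bot: The new `binder_call(platform_app, rild)` and `allow platform_app hal_exynos_rild_hwservice:hwservice_manager find;` apply to `platform_app`, the shared domain of every platform-signed app, while the quoted denial comes from one process (pid 2641, categories c512,c768); this hands the OEM radio-external interface to every app in that domain. If only one package needs it, giving it its own domain through seapp_contexts — as this policy already does for grilservice_app, which carries the same find rule — keeps the grant scoped; if the whole domain really needs it, a comment naming the consumer, `# <app package> uses IOemSlsiRadioExternal (b/254453654)`, should precede the two lines. As written they are inserted at the top of the file with no comment, unlike the grouped rules below them, and the matching `binder_call(rild, platform_app)` in the rild.te hunk that follows has the same domain-wide scope.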
@@ -16,6 +16,7 @@ allow rild mnt_vendor_file:dir r_dir_perms;
 
 r_dir_file(rild, modem_img_file)
 
+binder_call(rild, platform_app)
 binder_call(rild, bipchmgr)
 binder_call(rild, gpsd)
 binder_call(rild, hal_audio_default)
From f03c6fb1d8824e4218f8ef589cb77b500e49da04 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 24 Oct 2022 17:00:13 -0700
Subject: [PATCH 667/900] betterbug: Update selinux policy for betterbug Update startup_bugreport_requested property to vendor_public for betterbug to access.
Bug: 237287659
Test: Load Betterbug for accessing startup bugreport reason property
Signed-off-by: George Lee
Change-Id: Idc07e3f4ce425c0167654743fbe1ad8b7ece5e15
(cherry picked from commit d1e0b924ae1e76151985687bdb11ee25fc9a82f5)
---
 whitechapel_pro/better_bug_app.te | 11 -----------
 whitechapel_pro/seapp_contexts | 3 ---
 whitechapel_pro/vendor_init.te | 3 ---
 3 files changed, 17 deletions(-)
 delete mode 100644 whitechapel_pro/better_bug_app.te
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
deleted file mode 100644
index 506e832f..00000000
--- a/whitechapel_pro/better_bug_app.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type better_bug_app, domain, coredomain;
-
-userdebug_or_eng(`
- app_domain(better_bug_app)
- net_domain(better_bug_app)
- allow better_bug_app app_api_service:service_manager find;
- allow better_bug_app system_api_service:service_manager find;
- allow better_bug_app privapp_data_file:file execute;
- get_prop(better_bug_app, default_prop);
- get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
-')
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 77a7bd73..223c931a 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -68,6 +68,3 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_
 
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
-
-# BetterBug
-user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 5de29166..dfdbf8b3 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -36,8 +36,5 @@ set_prop(vendor_init, vendor_battery_defender_prop)
 # Display
 set_prop(vendor_init, vendor_display_prop)
 
-# Battery Mitigation
-set_prop(vendor_init, vendor_startup_bugreport_requested_prop)
-
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
From 9877742035e91b2e7d4f57d147b020776d6f3b24 Mon Sep 17 00:00:00 2001
From: Puma Hsu
Date: Wed, 26 Oct 2022 16:58:59 +0800
Subject: [PATCH 668/900] Add xhci-hcd-exynos.6 wakeup path for suspend_control
Bug: 255270480
Test: verified with forrest test build
Change-Id: I5e2eed4d5e20361d86f6d6be8c92ca337e4ee004
Signed-off-by: Puma Hsu
---
 whitechapel_pro/genfs_contexts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index b7e4a6fe..85dc310d 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -342,6 +342,9 @@ genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.au
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.6.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.6.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.6.auto/usb3 u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
From f9552297fa6bb3c4c720d321aa52a346565f9d60 Mon Sep 17 00:00:00 2001
From: Star Chang
Date: Thu, 6 Oct 2022 06:47:49 +0000
Subject: [PATCH 669/900] Add sepolicy for TWT to dumpstate
Bug: 253348062
Test: dump bugreport ok
Signed-off-by: Star Chang
Change-Id: I0958fef496302df3f5e6e188f15117de78988a62
---
 whitechapel_pro/file.te | 2 +-
 whitechapel_pro/genfs_contexts | 1 +
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index d20b6f58..e3a6bd52 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -56,7 +56,7 @@ type sysfs_soc, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
 type sysfs_pca, sysfs_type, fs_type;
-
+type sysfs_ptracker, sysfs_type, fs_type;
 # debugfs
 type debugfs_f2fs, debugfs_type, fs_type;
 type vendor_maxfg_debugfs, fs_type, debugfs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 85dc310d..9939bbf4 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -40,6 +40,7 @@ genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/ieee80215
 
 # WiFi
 genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
+genfscon sysfs /wlan_ptracker u:object_r:sysfs_ptracker:s0
 
 # ACPM
 genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 21fa7025..11f2fc7e 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -45,6 +45,9 @@ allow hal_dumpstate_default mitigation_vendor_data_file:file r_file_perms;
 allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
 
+allow hal_dumpstate_default sysfs_ptracker:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_ptracker:file r_file_perms;
+
 allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
 
From 40be3818e112434f63532ab2f1c226d9e155c0f6 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Sat, 5 Nov 2022 10:03:43 -0700
Subject: [PATCH 670/900] betterbug: Fixed sepolicy related to mediaserver [DO NOT MERGE] Added mediaserver sepolicy for betterbug
Bug: 237287659
Test: Run same video capture on Betterbug to confirm video can be captured.
Signed-off-by: George Lee
Change-Id: I5226bdbf9d4fccb991161bbe6ac4edf8fd3b15a7
---
 whitechapel_pro/better_bug_app.te | 1 +
 1 file changed, 1 insertion(+)
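Review bot: The new `type sysfs_ptracker, sysfs_type, fs_type;` is written over the blank line that separated the sysfs type block from `# debugfs`, so the two groups now run together; keep the declaration but restore the separator, i.e. `type sysfs_ptracker, sysfs_type, fs_type;` followed by an empty line before `# debugfs`. The rest of the change is well scoped — a dedicated type for `/wlan_ptracker` that only hal_dumpstate_default reads — which is the right shape for a bugreport-only sysfs node.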
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
index 506e832f..41d403b8 100644
--- a/whitechapel_pro/better_bug_app.te
+++ b/whitechapel_pro/better_bug_app.te
@@ -6,6 +6,7 @@ userdebug_or_eng(`
 allow better_bug_app app_api_service:service_manager find;
 allow better_bug_app system_api_service:service_manager find;
 allow better_bug_app privapp_data_file:file execute;
+ allow better_bug_app mediaserver_service:service_manager find;
 get_prop(better_bug_app, default_prop);
 get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
 ')
From 293b13687fe11ac83341f0dfcad35a11d6f489e1 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Sat, 5 Nov 2022 10:03:43 -0700
Subject: [PATCH 671/900] betterbug: Fixed sepolicy related to mediaserver [DO NOT MERGE] Added mediaserver sepolicy for betterbug
Bug: 237287659
Test: Run same video capture on Betterbug to confirm video can be captured.
Signed-off-by: George Lee
Change-Id: I5226bdbf9d4fccb991161bbe6ac4edf8fd3b15a7
(cherry picked from commit 40be3818e112434f63532ab2f1c226d9e155c0f6)
Merged-In: I5226bdbf9d4fccb991161bbe6ac4edf8fd3b15a7
---
 whitechapel_pro/better_bug_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
index 506e832f..41d403b8 100644
--- a/whitechapel_pro/better_bug_app.te
+++ b/whitechapel_pro/better_bug_app.te
@@ -6,6 +6,7 @@ userdebug_or_eng(`
 allow better_bug_app app_api_service:service_manager find;
 allow better_bug_app system_api_service:service_manager find;
 allow better_bug_app privapp_data_file:file execute;
+ allow better_bug_app mediaserver_service:service_manager find;
 get_prop(better_bug_app, default_prop);
 get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
 ')
From a85164a440ea15f1c98ce480aca367ba796823e6 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Sat, 5 Nov 2022 10:03:43 -0700
Subject: [PATCH 672/900] betterbug: Fixed sepolicy related to mediaserver [DO NOT MERGE] Added mediaserver sepolicy for betterbug
Bug: 237287659
Test: Run same video capture on Betterbug to confirm video can be captured.
Signed-off-by: George Lee
Change-Id: I5226bdbf9d4fccb991161bbe6ac4edf8fd3b15a7
(cherry picked from commit 40be3818e112434f63532ab2f1c226d9e155c0f6)
Merged-In: I5226bdbf9d4fccb991161bbe6ac4edf8fd3b15a7
---
 whitechapel_pro/better_bug_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
index 506e832f..41d403b8 100644
--- a/whitechapel_pro/better_bug_app.te
+++ b/whitechapel_pro/better_bug_app.te
@@ -6,6 +6,7 @@ userdebug_or_eng(`
 allow better_bug_app app_api_service:service_manager find;
 allow better_bug_app system_api_service:service_manager find;
 allow better_bug_app privapp_data_file:file execute;
+ allow better_bug_app mediaserver_service:service_manager find;
 get_prop(better_bug_app, default_prop);
 get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
 ')
From 35112bba62a73e3517f9ba70011b6050db3019af Mon Sep 17 00:00:00 2001
From: Roger Fang
Date: Wed, 2 Nov 2022 16:31:48 +0800
Subject: [PATCH 673/900] [DO NOT MERGE] sepolicy: add permission for CCA rate of pixelstats-vend pixelstats-vend: type=1400 audit(0.0:7): avc: denied { read } for name="cca_rate_read_once" dev="sysfs" ino=100809 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
Bug: 249225148
Test: Manually test passed
Change-Id: I802b79417cd9ce23386bb62eccb151610bfb8ac1
Signed-off-by: Roger Fang
---
 aoc/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
index abfc5a99..f474c77b 100644
--- a/aoc/genfs_contexts
+++ b/aoc/genfs_contexts
@@ -27,4 +27,5 @@ genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:ob
 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
 genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0
 genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/cca_rate_read_once u:object_r:sysfs_pixelstats:s0
 
From 8427e1db8de95939cd72131cdf30b46e64333d4b Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 7 Nov 2022 16:57:22 -0800
Subject: [PATCH 674/900] betterbug: Fixed sepolicy related to File [DO NOT MERGE] Added File Attachment sepolicy for betterbug
Bug: 237287659
Test: Attach files from local directory and confirm it can be attached.
Signed-off-by: George Lee
Change-Id: Ie2ee163794a4b955915a1b62b12d5aa625931034
---
 whitechapel_pro/better_bug_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
index 41d403b8..6813024b 100644
--- a/whitechapel_pro/better_bug_app.te
+++ b/whitechapel_pro/better_bug_app.te
@@ -3,6 +3,7 @@ type better_bug_app, domain, coredomain;
 userdebug_or_eng(`
 app_domain(better_bug_app)
 net_domain(better_bug_app)
+ allow better_bug_app shell_data_file:file read;
 allow better_bug_app app_api_service:service_manager find;
 allow better_bug_app system_api_service:service_manager find;
 allow better_bug_app privapp_data_file:file execute;
From 25ea0f418ac60689ad7dfdab5018b23446220c65 Mon Sep 17 00:00:00 2001
From: Sandeep Dhavale
Date: Tue, 8 Nov 2022 23:32:50 +0000
Subject: [PATCH 675/900] Add sepolicy rules for fastboot AIDL service
Bug: 205760652
Test: Build & Flash
Change-Id: I02fe5ca6c0276fd08cf5127b7d8b7313374f0cfe
Signed-off-by: Sandeep Dhavale
---
 whitechapel_pro/hal_fastboot_default.te | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 whitechapel_pro/hal_fastboot_default.te
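Review bot: `allow better_bug_app shell_data_file:file read;` grants `read` without `open` or `getattr`, so the app can read from a `shell_data_file` descriptor handed to it but cannot open such a file by path itself — and opening a path under `/data/local/tmp` would additionally need `shell_data_file:dir search`. If the attach flow receives descriptors from a picker or content provider, say so in a comment, `# read attachments passed in as fds from shell_data_file (b/237287659)`, so nobody later widens the rule by reflex; if the app opens paths, the test in the commit message passed for some other reason and the rule would have to become `r_file_perms` plus `dir search`. A bare `read` is the narrower of the two and, since the enclosing `userdebug_or_eng` block (which starts outside this hunk) wraps it, it is inert on user builds.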
diff --git a/whitechapel_pro/hal_fastboot_default.te b/whitechapel_pro/hal_fastboot_default.te
new file mode 100644
index 00000000..134f4302
--- /dev/null
+++ b/whitechapel_pro/hal_fastboot_default.te
@@ -0,0 +1,18 @@
+binder_use(hal_fastboot_default)
+
+# For get-off-mode charge state
+allow hal_fastboot_default devinfo_block_device:blk_file { open read };
+allow hal_fastboot_default kmsg_device:chr_file { open write };
+
+# For dev/block/by-name dir
+allow hal_fastboot_default block_device:dir r_dir_perms;
+
+allow hal_fastboot_default tmpfs:dir rw_dir_perms;
+allow hal_fastboot_default rootfs:dir r_dir_perms;
+
+# For set-brightness
+allow hal_fastboot_default sysfs_leds:dir search;
+allow hal_fastboot_default sysfs_leds:file rw_file_perms;
+allow hal_fastboot_default sysfs_leds:lnk_file read;
+
+allow hal_fastboot_default citadel_device:chr_file getattr;
From 8140a508451466f19a95097d0ce936468801b1da Mon Sep 17 00:00:00 2001
From: Rick Chen
Date: Tue, 8 Nov 2022 22:44:09 +0800
Subject: [PATCH 676/900] Allow CHRE to use EPOLLWAKEUP [DO NOT MERGE] avc: denied { block_suspend } for comm="UsfTransport" capability=36 scontext=u:r:chre:s0 tcontext=u:r:chre:s0 tclass=capability2 permissive=0
Bug: 238666865
Test: Check no chre avc denied.
Change-Id: Ie936055550c6221beae394c264d664c1e76f946b
Signed-off-by: Rick Chen
---
 whitechapel_pro/chre.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te
index 6d826217..26c1675f 100644
--- a/whitechapel_pro/chre.te
+++ b/whitechapel_pro/chre.te
@@ -22,3 +22,6 @@ allow chre hal_wifi_ext_hwservice:hwservice_manager find;
 # Allow CHRE host to talk to stats service
 allow chre fwk_stats_service:service_manager find;
 binder_call(chre, stats_service_server)
+
+# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP.
+allow chre self:global_capability2_class_set block_suspend;
From e43ab3c52a0e4eb5fa06ae90df35ea5238abb627 Mon Sep 17 00:00:00 2001
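Review bot: `allow hal_fastboot_default tmpfs:dir rw_dir_perms;` gives the fastboot HAL create/delete rights in every directory of the generic `tmpfs` type rather than in one scratch location, and together with `rootfs:dir r_dir_perms` it is the one group in this new file with no comment saying what it is for. If the HAL writes to a single directory, label that directory with its own type and allow only that; otherwise a comment naming the path, `# <path> is created under tmpfs at boot for <purpose>`, should precede the rule so the breadth is a documented choice. The `kmsg_device:chr_file { open write }` grant sits under `# For get-off-mode charge state`, yet writing to the kernel log is unrelated to reading the charge state from `devinfo_block_device`, so that line deserves its own comment too.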
From: Rick Chen
Date: Tue, 8 Nov 2022 22:44:09 +0800
Subject: [PATCH 677/900] Allow CHRE to use EPOLLWAKEUP avc: denied { block_suspend } for comm="UsfTransport" capability=36 scontext=u:r:chre:s0 tcontext=u:r:chre:s0 tclass=capability2 permissive=0
Bug: 238666865
Test: Check no chre avc denied.
Change-Id: Ie936055550c6221beae394c264d664c1e76f946b
Signed-off-by: Rick Chen
---
 whitechapel_pro/chre.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te
index ebee19df..2531af89 100644
--- a/whitechapel_pro/chre.te
+++ b/whitechapel_pro/chre.te
@@ -26,3 +26,6 @@ binder_call(chre, stats_service_server)
 
 # Allow CHRE to use WakeLock
 wakelock_use(chre)
+
+# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP.
+allow chre self:global_capability2_class_set block_suspend;
From e8712e4c93a5d291a47943ec77fe9abe9e1e5dff Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 8 Nov 2022 13:31:14 +0800
Subject: [PATCH 678/900] remove edgetpu folder
Bug: 258114806
Test: build pass with the setting still active
Change-Id: I9cdf2bbe318647e1f02f152661e57f8430a9a1cb
---
 edgetpu/debug_camera_app.te | 5 -----
 edgetpu/file_contexts | 2 --
 edgetpu/genfs_contexts | 2 --
 edgetpu/google_camera_app.te | 3 ---
 whitechapel_pro/debug_camera_app.te | 5 +++++
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/genfs_contexts | 3 +++
 whitechapel_pro/google_camera_app.te | 4 ++++
 8 files changed, 13 insertions(+), 12 deletions(-)
 delete mode 100644 edgetpu/debug_camera_app.te
 delete mode 100644 edgetpu/file_contexts
 delete mode 100644 edgetpu/genfs_contexts
 delete mode 100644 edgetpu/google_camera_app.te
diff --git a/edgetpu/debug_camera_app.te b/edgetpu/debug_camera_app.te
deleted file mode 100644
index 44382239..00000000
--- a/edgetpu/debug_camera_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
- # Allows GCA-Eng to find and access the EdgeTPU.
- allow debug_camera_app edgetpu_app_service:service_manager find;
- allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-')
\ No newline at end of file
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
deleted file mode 100644
index 7b5d25ab..00000000
--- a/edgetpu/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# EdgeTPU device (DarwiNN)
-/dev/janeiro u:object_r:edgetpu_device:s0
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
deleted file mode 100644
index 78e7e959..00000000
--- a/edgetpu/genfs_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0
diff --git a/edgetpu/google_camera_app.te b/edgetpu/google_camera_app.te
deleted file mode 100644
index a0ad7316..00000000
--- a/edgetpu/google_camera_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allows GCA to find and access the EdgeTPU.
-allow google_camera_app edgetpu_app_service:service_manager find;
-allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
index 7ef8ab46..5342fb74 100644
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
@@ -20,3 +20,8 @@ userdebug_or_eng(`
 # Allows camera app to access the PowerHAL.
 hal_client_domain(debug_camera_app, hal_power)
 ')
+userdebug_or_eng(`
+ # Allows GCA-Eng to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+')
\ No newline at end of file
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 19bc8442..4aea8c79 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
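Review bot: In the debug_camera_app.te hunk the EdgeTPU rules are appended as a second `userdebug_or_eng(\`` block directly after the `')` that closes the existing one, with no blank line between them and the file still ending without a newline (`\ No newline at end of file`). Dropping the `')` / `userdebug_or_eng(\`` pair between the PowerHAL rule and the new comment folds the three lines into the block that already exists, which is the shape the rest of the file uses; the opening of that enclosing block lies outside the hunk. The `edgetpu_device:chr_file` rule carries an unrestricted `ioctl` here as well, though in this file it is limited to debug builds.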
@@ -80,6 +80,7 @@
 /dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/janeiro u:object_r:edgetpu_device:s0
 /dev/bigocean u:object_r:video_device:s0
 /dev/goodix_fp u:object_r:fingerprint_device:s0
 /dev/stmvl53l1_ranging u:object_r:rls_device:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 12ab5b97..54d97fb6 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -4,6 +4,9 @@ genfscon sysfs /devices/platform/exynos-bts/bts_stats u
 genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0
+
 # CPU
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0
 genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index 54f2d664..43e3c16e 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -17,3 +17,7 @@ allow google_camera_app vendor_fw_file:dir search;
 # Allows camera app to access the PowerHAL.
 hal_client_domain(google_camera_app, hal_power)
+
+# Allows GCA to find and access the EdgeTPU.
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
From 92e5ed6d554f7277b350bf6a582c511d936a2447 Mon Sep 17 00:00:00 2001
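Review bot: `allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };` in the google_camera_app.te hunk grants unrestricted `ioctl` on the EdgeTPU device node to an app domain on every build type, and the move out of edgetpu/ carried the rule over without an ioctl whitelist. Pairing it with an `allowxperm` that lists only the commands the camera app actually issues, e.g. `allowxperm google_camera_app edgetpu_device:chr_file ioctl { EDGETPU_IOCTL_LIST_PLACEHOLDER };` (constructed placeholder; fill in from the driver's UAPI header), limits the driver surface reachable from the app to the requests it needs. The same rule exists in the debug_camera_app.te hunk, where it is at least gated by userdebug_or_eng.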
From: Adam Shih Date: Mon, 17 Oct 2022 13:38:12 +0800 Subject: [PATCH 679/900] move sensors dump to gs-common Bug: 250475720 Test: adb bugreport Change-Id: I09553d0facd7fdca13a8a3e4bdcb70be8265db25
---
 whitechapel_pro/file.te | 2 --
 whitechapel_pro/file_contexts | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 11 -----------
 3 files changed, 15 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index d7ee4425..846b578b 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -87,8 +87,6 @@ type chre_socket, file_type;
 type proc_f2fs, proc_type, fs_type;
 # Vendor tools
-type vendor_usf_stats, vendor_file_type, file_type;
-type vendor_usf_reg_edit, vendor_file_type, file_type;
 type vendor_dumpsys, vendor_file_type, file_type;
 # Modem
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 4aea8c79..1a0a9ec6 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -14,8 +14,6 @@
 /vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
-/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
-/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 88c7073d..2dcbe872 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -3,14 +3,6 @@ allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms;
 allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
-allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
-allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
-
-userdebug_or_eng(`
- allow hal_dumpstate_default sensor_debug_data_file:dir r_dir_perms;
- allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms;
-')
-
 allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms;
 allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms;
@@ -56,9 +48,6 @@ allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
 allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
-allow hal_dumpstate_default device:dir r_dir_perms;
-allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
-
 allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
 allow hal_dumpstate_default proc_f2fs:file r_file_perms;
From e43c8b3913f0a6dfe8738318690584740b7bebb7 Mon Sep 17 00:00:00 2001
From: Ziyi Cui Date: Fri, 21 Oct 2022 14:59:31 -0700 Subject: [PATCH 680/900] gs201-sepolicy: pixelstats: enable pixelstats access to perf-metrics enable pixelstats access to sysfs path, define sysfs_perfmetrics Bug: 227809911 Bug: 232541623 Test: Tested perf-metrics Signed-off-by: Ziyi Cui Change-Id: If1b95148b59a6816c6795921018dfae68d80550b
---
 whitechapel_pro/file.te | 3 +++
 whitechapel_pro/genfs_contexts | 4 ++++
 whitechapel_pro/pixelstats_vendor.te | 4 ++++
 3 files changed, 11 insertions(+)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 846b578b..f4578773 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -113,3 +113,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 # Touch
 type proc_touch, proc_type, fs_type;
+
+#perf-metrics
+type sysfs_vendor_metrics, fs_type, sysfs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 54d97fb6..427c8f0e 100644
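Review bot: In the file.te hunk of patch 680, `type sysfs_vendor_metrics, fs_type, sysfs_type;` reverses the attribute order of the neighbouring `type sysfs_usbc_throttling_stats, sysfs_type, fs_type;`, and the `#perf-metrics` header omits the space after `#` that the `# Touch` header two lines above uses. `# perf-metrics` and `type sysfs_vendor_metrics, sysfs_type, fs_type;` would read like the rest of the file. The same `#perf-metrics` spelling recurs in this commit's genfs_contexts and pixelstats_vendor.te hunks.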
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -384,6 +384,10 @@ genfscon sysfs /module/gs_thermal/parameters u:object_r:sysfs_thermal:s0
 genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0
+#perf-metrics
+genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0
+genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0
+
 # Camera
 genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index d327a30d..4ec563f6 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -30,3 +30,7 @@ allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;
 # BCL
 allow pixelstats_vendor sysfs_bcl:dir search;
 allow pixelstats_vendor sysfs_bcl:file r_file_perms;
+
+#perf-metrics
+r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
+allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms;
From 4baa8bea9c1bc4211ff113929dfcfd501b7bb702 Mon Sep 17 00:00:00 2001
From: Minchan Kim Date: Mon, 7 Nov 2022 10:35:42 -0800 Subject: [PATCH 681/900] dumpstate: allow dumpstate access pixel specific trace events At bugreport, it's useful to debug problems with having trace events. Allow dumpstate access pixel trace event directory and files. Test: "adb bugreport" includes trace event capture. Bug: 238728493 Change-Id: Ia3fe7c149bfa0d0d192070ff28513384898af917 Signed-off-by: Minchan Kim
---
 whitechapel_pro/hal_dumpstate_default.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 11f2fc7e..606ec046 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -139,6 +139,8 @@ userdebug_or_eng(`
 allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
 allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
 allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+ allow hal_dumpstate_default debugfs_tracing_instances:dir search;
+ allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
 allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
 allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
 allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
@@ -167,6 +169,8 @@ dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
 dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;
 dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
 dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default debugfs_tracing_instances:dir search;
+dontaudit hal_dumpstate_default debugfs_tracing_instances:file r_file_perms;
 dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms;
 dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms;
 dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
From 60b73a5b2876323672db1be57912ed9f0b697b17 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Tue, 8 Nov 2022 10:31:13 +0800 Subject: [PATCH 682/900] remove raven touch path Bug: 256521567 Test: device does not have the file Change-Id: I1c0335536f7039724f7e6594fd3959610b56335e
---
 whitechapel_pro/genfs_contexts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 427c8f0e..7376b023 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -25,7 +25,6 @@ genfscon sysfs /devices/soc0/revision u
 # Touch
 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0
-genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
 genfscon proc /focaltech_touch u:object_r:proc_touch:s0
 # tracefs
From d59612c409a9869f77797c619e8163d5394bf38e Mon Sep 17 00:00:00 2001
From: George Lee Date: Mon, 14 Nov 2022 10:12:24 -0800 Subject: [PATCH 683/900] gs201-sepolicy: Add BrownoutDetection app [DO NOT MERGE] This app files bugreport for user-debug build with reboot reason = ocp or uvlo. Removed the dependency on BetterBug. Bug: 237287659 Test: Ensure bugreport is generated under user-debug build with reboot reason = ocp or uvlo. Signed-off-by: George Lee Change-Id: Ib8fceb62e66e9d561a6597687ea3cbe5ac9a832d
---
 whitechapel_pro/battery_mitigation.te | 1 -
 whitechapel_pro/better_bug_app.te | 13 -------------
 whitechapel_pro/brownout_detection_app.te | 9 +++++++++
 whitechapel_pro/property.te | 2 +-
 whitechapel_pro/property_contexts | 2 +-
 whitechapel_pro/seapp_contexts | 4 ++--
 whitechapel_pro/vendor_init.te | 2 +-
 7 files changed, 14 insertions(+), 19 deletions(-)
 delete mode 100644 whitechapel_pro/better_bug_app.te
 create mode 100644 whitechapel_pro/brownout_detection_app.te
diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te
index 56b83733..5fecbcba 100644
--- a/whitechapel_pro/battery_mitigation.te
+++ b/whitechapel_pro/battery_mitigation.te
@@ -2,7 +2,6 @@ type battery_mitigation, domain;
 type battery_mitigation_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(battery_mitigation)
 get_prop(battery_mitigation, boot_status_prop)
-get_prop(battery_mitigation, vendor_startup_bugreport_requested_prop)
 set_prop(battery_mitigation, vendor_mitigation_ready_prop)
 hal_client_domain(battery_mitigation, hal_thermal);
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
deleted file mode 100644
index 6813024b..00000000
--- a/whitechapel_pro/better_bug_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type better_bug_app, domain, coredomain;
-
-userdebug_or_eng(`
- app_domain(better_bug_app)
- net_domain(better_bug_app)
- allow better_bug_app shell_data_file:file read;
- allow better_bug_app app_api_service:service_manager find;
- allow better_bug_app system_api_service:service_manager find;
- allow better_bug_app privapp_data_file:file execute;
- allow better_bug_app mediaserver_service:service_manager find;
- get_prop(better_bug_app, default_prop);
- get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
-')
diff --git a/whitechapel_pro/brownout_detection_app.te b/whitechapel_pro/brownout_detection_app.te
new file mode 100644
index 00000000..6146a745
--- /dev/null
+++ b/whitechapel_pro/brownout_detection_app.te
@@ -0,0 +1,9 @@
+type brownout_detection_app, domain, coredomain;
+
+userdebug_or_eng(`
+ app_domain(brownout_detection_app)
+ net_domain(brownout_detection_app)
+ allow brownout_detection_app app_api_service:service_manager find;
+ allow brownout_detection_app system_api_service:service_manager find;
+ get_prop(brownout_detection_app, vendor_brownout_reason_prop)
+')
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index ca17222c..6a377573 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -39,4 +39,4 @@ vendor_internal_prop(vendor_telephony_app_prop)
 # Battery Mitigation
 vendor_internal_prop(vendor_mitigation_ready_prop)
-vendor_public_prop(vendor_startup_bugreport_requested_prop)
+vendor_public_prop(vendor_brownout_reason_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 814d0184..9aa97f1b 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
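Review bot: In the new brownout_detection_app.te, `type brownout_detection_app, domain, coredomain;` is declared unconditionally while every rule for it, including `app_domain(brownout_detection_app)`, sits inside `userdebug_or_eng`, and the seapp_contexts mapping added later in this commit is unconditional too, so on user builds the package lands in a domain with no app rules at all. If that is the intent (the app only ships on debug builds, or must be inert on user builds), a one-line comment above the type such as `# Debug-only app: on user builds this domain deliberately has no rules` keeps the next reader from treating it as a mistake; if it is not, the seapp_contexts entry should be gated the same way. The deleted better_bug_app.te had the same shape, and the cherry-pick of this commit at patch 686 repeats the file verbatim.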
@@ -109,4 +109,4 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop:
 # Battery Mitigation
 vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0
-vendor.startup_bugreport_requested u:object_r:vendor_startup_bugreport_requested_prop:s0
+vendor.brownout_reason u:object_r:vendor_brownout_reason_prop:s0
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index ce467c3b..720081c7 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -72,5 +72,5 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
-# BetterBug
-user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=all
+# BrownoutDetection
+user=_app isPrivApp=true name=com.google.android.brownoutdetection domain=brownout_detection_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 5de29166..dae9fa6c 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -37,7 +37,7 @@ set_prop(vendor_init, vendor_battery_defender_prop)
 set_prop(vendor_init, vendor_display_prop)
 # Battery Mitigation
-set_prop(vendor_init, vendor_startup_bugreport_requested_prop)
+set_prop(vendor_init, vendor_brownout_reason_prop)
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
From 4952bdc68c424a97893721778860d974ae343919 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Thu, 17 Nov 2022 10:33:25 +0800 Subject: [PATCH 684/900] move syna settings to gs-common Bug: 256521567 Test: adb bugreport Change-Id: Idbec89a1a2c8bac63850ad4915a40500d067d49e
---
 whitechapel_pro/genfs_contexts | 1 -
 1 file changed, 1 deletion(-)
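Review bot: The new seapp_contexts line `user=_app isPrivApp=true name=com.google.android.brownoutdetection domain=brownout_detection_app ...` selects the domain by package name and priv-app status alone, with no `seinfo=` key, whereas the CatEngine entry in the hunk's context pins its mapping with `seinfo=platform`. Adding the signer key (`seinfo=platform` if the app is platform-signed — confirm against the APK) means a differently signed package carrying the same name cannot pick up the domain and its `vendor_brownout_reason_prop` read access. The same entry recurs unchanged in the cherry-pick at patch 686.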
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 7376b023..ed314310 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -24,7 +24,6 @@ genfscon sysfs /devices/soc0/machine u
 genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
 # Touch
-genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0
 genfscon proc /focaltech_touch u:object_r:proc_touch:s0
 # tracefs
From 80f2221562f5e48c00c4c2cb3f89f8ce13411151 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Fri, 18 Nov 2022 13:27:11 +0800 Subject: [PATCH 685/900] move focaltech sepolicy to gs-common Bug: 256521567 Test: adb bugreport Change-Id: If58b8df0b89dc4d20240af46502a94eebe81f66f
---
 whitechapel_pro/file.te | 3 ---
 whitechapel_pro/genfs_contexts | 3 ---
 whitechapel_pro/hal_dumpstate_default.te | 3 ---
 whitechapel_pro/vendor_init.te | 3 ---
 4 files changed, 12 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index f4578773..621af916 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -111,8 +111,5 @@ userdebug_or_eng(`
 # USB-C throttling stats
 type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
-# Touch
-type proc_touch, proc_type, fs_type;
-
 #perf-metrics
 type sysfs_vendor_metrics, fs_type, sysfs_type;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ed314310..c3558ccb 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -23,9 +23,6 @@ genfscon sysfs /devices/platform/28000000.mali/uid_time_in_state
 genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0
 genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
-# Touch
-genfscon proc /focaltech_touch u:object_r:proc_touch:s0
-
 # tracefs
 genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index c81af2fa..91f4a8ce 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -54,9 +54,6 @@ allow hal_dumpstate_default proc_f2fs:file r_file_perms;
 allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
-allow hal_dumpstate_default proc_touch:dir r_dir_perms;
-allow hal_dumpstate_default proc_touch:file rw_file_perms;
-
 allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
 binder_call(hal_dumpstate_default, hal_graphics_composer_default);
 allow hal_dumpstate_default sysfs_display:dir r_dir_perms;
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index dfdbf8b3..6727a0ac 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -25,9 +25,6 @@ allow vendor_init sysfs_st33spi:file w_file_perms;
 # Fingerprint property
 set_prop(vendor_init, vendor_fingerprint_prop)
-# Touch
-allow vendor_init proc_touch:file w_file_perms;
-
 allow vendor_init modem_img_file:filesystem { getattr };
 # Battery
From 71560f74028a12f43276636f760fcaf4c33803cb Mon Sep 17 00:00:00 2001
From: George Lee Date: Mon, 14 Nov 2022 10:12:24 -0800 Subject: [PATCH 686/900] gs201-sepolicy: Add BrownoutDetection app [DO NOT MERGE] This app files bugreport for user-debug build with reboot reason = ocp or uvlo. Removed the dependency on BetterBug. Bug: 237287659 Test: Ensure bugreport is generated under user-debug build with reboot reason = ocp or uvlo.
Signed-off-by: George Lee Change-Id: Ib8fceb62e66e9d561a6597687ea3cbe5ac9a832d (cherry picked from commit d59612c409a9869f77797c619e8163d5394bf38e) Merged-In: Ib8fceb62e66e9d561a6597687ea3cbe5ac9a832d
---
 whitechapel_pro/battery_mitigation.te | 1 -
 whitechapel_pro/better_bug_app.te | 13 -------------
 whitechapel_pro/brownout_detection_app.te | 9 +++++++++
 whitechapel_pro/property.te | 2 +-
 whitechapel_pro/property_contexts | 2 +-
 whitechapel_pro/seapp_contexts | 4 ++--
 whitechapel_pro/vendor_init.te | 2 +-
 7 files changed, 14 insertions(+), 19 deletions(-)
 delete mode 100644 whitechapel_pro/better_bug_app.te
 create mode 100644 whitechapel_pro/brownout_detection_app.te
diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te
index 56b83733..5fecbcba 100644
--- a/whitechapel_pro/battery_mitigation.te
+++ b/whitechapel_pro/battery_mitigation.te
@@ -2,7 +2,6 @@ type battery_mitigation, domain;
 type battery_mitigation_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(battery_mitigation)
 get_prop(battery_mitigation, boot_status_prop)
-get_prop(battery_mitigation, vendor_startup_bugreport_requested_prop)
 set_prop(battery_mitigation, vendor_mitigation_ready_prop)
 hal_client_domain(battery_mitigation, hal_thermal);
diff --git a/whitechapel_pro/better_bug_app.te b/whitechapel_pro/better_bug_app.te
deleted file mode 100644
index 6813024b..00000000
--- a/whitechapel_pro/better_bug_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type better_bug_app, domain, coredomain;
-
-userdebug_or_eng(`
- app_domain(better_bug_app)
- net_domain(better_bug_app)
- allow better_bug_app shell_data_file:file read;
- allow better_bug_app app_api_service:service_manager find;
- allow better_bug_app system_api_service:service_manager find;
- allow better_bug_app privapp_data_file:file execute;
- allow better_bug_app mediaserver_service:service_manager find;
- get_prop(better_bug_app, default_prop);
- get_prop(better_bug_app, vendor_startup_bugreport_requested_prop)
-')
diff --git a/whitechapel_pro/brownout_detection_app.te b/whitechapel_pro/brownout_detection_app.te
new file mode 100644
index 00000000..6146a745
--- /dev/null
+++ b/whitechapel_pro/brownout_detection_app.te
@@ -0,0 +1,9 @@
+type brownout_detection_app, domain, coredomain;
+
+userdebug_or_eng(`
+ app_domain(brownout_detection_app)
+ net_domain(brownout_detection_app)
+ allow brownout_detection_app app_api_service:service_manager find;
+ allow brownout_detection_app system_api_service:service_manager find;
+ get_prop(brownout_detection_app, vendor_brownout_reason_prop)
+')
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index ca17222c..6a377573 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -39,4 +39,4 @@ vendor_internal_prop(vendor_telephony_app_prop)
 # Battery Mitigation
 vendor_internal_prop(vendor_mitigation_ready_prop)
-vendor_public_prop(vendor_startup_bugreport_requested_prop)
+vendor_public_prop(vendor_brownout_reason_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 814d0184..9aa97f1b 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -109,4 +109,4 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop:
 # Battery Mitigation
 vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0
-vendor.startup_bugreport_requested u:object_r:vendor_startup_bugreport_requested_prop:s0
+vendor.brownout_reason u:object_r:vendor_brownout_reason_prop:s0
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index ce467c3b..720081c7 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -72,5 +72,5 @@ user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
-# BetterBug
-user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=app_data_file levelFrom=all
+# BrownoutDetection
+user=_app isPrivApp=true name=com.google.android.brownoutdetection domain=brownout_detection_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 5de29166..dae9fa6c 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -37,7 +37,7 @@ set_prop(vendor_init, vendor_battery_defender_prop)
 set_prop(vendor_init, vendor_display_prop)
 # Battery Mitigation
-set_prop(vendor_init, vendor_startup_bugreport_requested_prop)
+set_prop(vendor_init, vendor_brownout_reason_prop)
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
From a2e6c51431608cdd72b1b23e15c27811622dfaff Mon Sep 17 00:00:00 2001
From: Steve Pfetsch Date: Fri, 18 Nov 2022 08:45:41 +0000 Subject: [PATCH 687/900] gs201-sepolicy: provide permission for TouchInspector app [DO NOT MERGE] Resolve these access violations: avc: denied { write } for name="driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { open } for path="/proc/fts/driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { getattr } for path="/proc/fts/driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { read } for name="driver_test" dev="proc" ino=4026535572 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { open } for path="/proc/fts_ext/driver_test" dev="proc" ino=4026535574 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector avc: denied { getattr } for path="/proc/fts_ext/driver_test" dev="proc" ino=4026535574 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc_touch:s0 tclass=file permissive=1 app=com.google.touch.touchinspector Bug: 182118395 Signed-off-by: Steve Pfetsch Change-Id: Ia3bd2323b77134b8e47d858f36756780dec98c19
---
 whitechapel_pro/file.te | 3 +++
 whitechapel_pro/google_touch_app.te | 11 +++++++++++
 whitechapel_pro/seapp_contexts | 3 +++
 3 files changed, 17 insertions(+)
 create mode 100644 whitechapel_pro/google_touch_app.te
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index e3a6bd52..288bb7c2 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -109,6 +109,9 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 # Touch
 type proc_touch, proc_type, fs_type;
+userdebug_or_eng(`
+ typeattribute proc_touch mlstrustedobject;
+')
 # Vendor sched files
 userdebug_or_eng(`
diff --git a/whitechapel_pro/google_touch_app.te b/whitechapel_pro/google_touch_app.te
new file mode 100644
index 00000000..f90fde1e
--- /dev/null
+++ b/whitechapel_pro/google_touch_app.te
@@ -0,0 +1,11 @@
+type google_touch_app, domain;
+
+userdebug_or_eng(`
+ app_domain(google_touch_app)
+
+ allow google_touch_app app_api_service:service_manager find;
+
+ allow google_touch_app sysfs_touch:dir r_dir_perms;
+ allow google_touch_app sysfs_touch:file rw_file_perms;
+ allow google_touch_app proc_touch:file rw_file_perms;
+')
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 720081c7..d7fd69de 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -44,6 +44,9 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+# Touch app
+user=_app seinfo=platform name=com.google.touch.touchinspector domain=google_touch_app type=app_data_file levelFrom=user
+
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
From 2dc65d6b5c004499c34bd9772fc41a8e2910180c Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Wed, 23 Nov 2022 14:38:22 +0800 Subject: [PATCH 688/900] use gs-common thermal dump Bug: 257880034 Test: adb bugreport Change-Id: Ib5940bce520ca04ee6cb31f5268f0f86dedadf6e
---
 whitechapel_pro/genfs_contexts | 2 --
 whitechapel_pro/hal_dumpstate_default.te | 3 ---
 2 files changed, 5 deletions(-)
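Review bot: `typeattribute proc_touch mlstrustedobject;` in the file.te hunk exempts proc_touch from the MLS constraints for every categorised domain that has an allow rule to it, not just for google_touch_app, and the hunk carries no comment saying why it is needed. The avc lines in the commit message show the app at `s0:c512,c768` writing an `s0` object, which is the reason; `# TouchInspector runs with per-user categories (levelFrom=user) and must write the s0-labelled /proc touch nodes` above the new userdebug_or_eng block records that for the next reader. Keeping the attribute inside userdebug_or_eng, as the hunk does, is the right scope.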
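Review bot: `type google_touch_app, domain;` in the new google_touch_app.te declares the TouchInspector domain without `coredomain`, while the other app domain added in this series, `brownout_detection_app`, uses `domain, coredomain`, and the seapp_contexts entry maps a `seinfo=platform` package, which normally lives on a system partition; if that is where the APK is installed it likely needs `coredomain` too — confirm. As in brownout_detection_app.te, the type is unconditional while `app_domain(google_touch_app)` and every rule are debug-gated, so a comment stating that the app is debug-only would help. `allow google_touch_app proc_touch:file rw_file_perms;` hands an app write access to the driver's proc test interface; a comment naming the nodes involved (`/proc/fts/driver_test` and `/proc/fts_ext/driver_test` per the commit message) makes the grant reviewable.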
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index c3558ccb..cc626730 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -375,8 +375,6 @@ genfscon sysfs /devices/platform/100b0000.G3D u:obje
 genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0
 genfscon sysfs /devices/platform/100b0000.AUR u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs_thermal/parameters u:object_r:sysfs_thermal:s0
-
 genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0
 #perf-metrics
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 91f4a8ce..3337e35e 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -18,9 +18,6 @@ allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
 allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms;
 allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms;
-allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
-
 allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_bcl:file r_file_perms;
From c03e9b58db7b7525d0e0a00e1dd4bf8788919dd6 Mon Sep 17 00:00:00 2001
From: Stephen Crane Date: Tue, 22 Nov 2022 23:38:29 +0000 Subject: [PATCH 689/900] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: build, flash, test app loading Bug: 258018785 Change-Id: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d
---
 whitechapel_pro/property.te | 3 +++
 whitechapel_pro/property_contexts | 3 +++
 whitechapel_pro/tee.te | 2 ++
 whitechapel_pro/vendor_init.te | 3 +++
 4 files changed, 11 insertions(+)
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 32895e7b..2d4714ae 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -34,3 +34,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop)
 # Telephony debug app
 vendor_internal_prop(vendor_telephony_app_prop)
+
+# Trusty storage FS ready
+vendor_internal_prop(vendor_trusty_storage_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 14c5b07d..c6f1428e 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -98,3 +98,6 @@ persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0
 # for vendor telephony debug app
 vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0
+
+# Trusty
+ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te
index f93bf59e..256fb384 100644
--- a/whitechapel_pro/tee.te
+++ b/whitechapel_pro/tee.te
@@ -11,3 +11,5 @@ allow tee sg_device:chr_file rw_file_perms;
 # Allow storageproxyd access to gsi_public_metadata_file
 read_fstab(tee)
+
+set_prop(tee, vendor_trusty_storage_prop)
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index 6727a0ac..dfbd3d75 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -35,3 +35,6 @@ set_prop(vendor_init, vendor_display_prop)
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
+
+# Trusty storage FS ready
+get_prop(vendor_init, vendor_trusty_storage_prop)
From 2e98f5f763a23487c9abcb5a74d9ebc2deae49c8 Mon Sep 17 00:00:00 2001
From: Ziyi Cui Date: Wed, 23 Nov 2022 02:49:13 +0000 Subject: [PATCH 690/900] gs201-sepolicy: pixelstats:remove type definition to perf-metrics move type definition to gs-common Bug: 227809911 Bug: 232541623 Test: Tested perf-metrics Change-Id: I8120f682b12137dfea164912efa0fa0417cb5dd3
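Review bot: `set_prop(tee, vendor_trusty_storage_prop)` in the tee.te hunk is the only addition in this commit without a comment, while the `read_fstab(tee)` line just above it and the matching `get_prop` in vendor_init.te both have one; `# storageproxyd sets ro.vendor.trusty.storage.fs_ready once the data filesystems are usable` would carry the commit message's rationale into the policy. The property is `ro.`-prefixed, so it can be set only once per boot; if storageproxyd can be restarted, that is worth noting in the same comment.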
Signed-off-by: Ziyi Cui
---
 whitechapel_pro/file.te | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 621af916..b7495d67 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -110,6 +110,3 @@ userdebug_or_eng(`
 # USB-C throttling stats
 type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
-
-#perf-metrics
-type sysfs_vendor_metrics, fs_type, sysfs_type;
From 5b3d90132a984db3d52cc6fc8e37ae8b7147b9d5 Mon Sep 17 00:00:00 2001
From: Cheng Chang Date: Wed, 23 Nov 2022 07:02:09 +0000 Subject: [PATCH 691/900] gps: nstandby path depend on platform Bug: 259353063 Test: no avc denied about nstandby Change-Id: Ibf72cfd37837d2a9024b82118cd045a2724c9179
---
 whitechapel_pro/genfs_contexts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index cc626730..30cf5273 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -434,3 +434,5 @@ genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:ob
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
+# GPS
+genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
From 4293206c86e7506a284a2c400abf63d6b4c013a6 Mon Sep 17 00:00:00 2001
From: Nicolas Geoffray Date: Mon, 28 Nov 2022 17:27:46 +0000 Subject: [PATCH 692/900] Allow ssr_detector_app writes to system_app_data_file. Bug: 260557058 Test: m Change-Id: Ibd028690a9d8661be8769d1b8f0c4e3a1f0fe985
---
 whitechapel_pro/ssr_detector.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
index 60ec1bb5..cfc104e4 100644
--- a/whitechapel_pro/ssr_detector.te
+++ b/whitechapel_pro/ssr_detector.te
@@ -4,7 +4,8 @@ app_domain(ssr_detector_app)
 allow ssr_detector_app app_api_service:service_manager find;
 allow ssr_detector_app radio_service:service_manager find;
-allow ssr_detector_app system_app_data_file:dir r_dir_perms;
+allow ssr_detector_app system_app_data_file:dir rw_dir_perms;
+allow ssr_detector_app system_app_data_file:file rw_file_perms;
 allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
 allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
From 89f5fff66865417710ed5acfd2fbfa325f158576 Mon Sep 17 00:00:00 2001 From: Sandeep Dhavale Date: Thu, 24 Nov 2022 04:16:33 +0000 Subject: [PATCH 693/900] Add fastboot sepolicy changes to allow wiping of device With new AIDL fastboot service, wiping permissions need to be added for hal_fastboot_default. Bug: 260140380 Test: fastboot -w Change-Id: I08e98461d0697d7539e14435acdacc3cc64eab3d Signed-off-by: Sandeep Dhavale --- whitechapel_pro/hal_fastboot_default.te | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/hal_fastboot_default.te b/whitechapel_pro/hal_fastboot_default.te
index 134f4302..396120e2 100644
--- a/whitechapel_pro/hal_fastboot_default.te
+++ b/whitechapel_pro/hal_fastboot_default.te
@@ -15,4 +15,10 @@ allow hal_fastboot_default sysfs_leds:dir search;
 allow hal_fastboot_default sysfs_leds:file rw_file_perms;
 allow hal_fastboot_default sysfs_leds:lnk_file read;
-allow hal_fastboot_default citadel_device:chr_file getattr;
+#for fastboot -w (wiping device)
+allow hal_fastboot_default citadel_device:chr_file { rw_file_perms };
+allow hal_fastboot_default proc_bootconfig:file { rw_file_perms };
+allow hal_fastboot_default proc_cmdline:file { rw_file_perms };
+allow hal_fastboot_default st54spi_device:chr_file { rw_file_perms };
+allow hal_fastboot_default metadata_block_device:blk_file { rw_file_perms };
+allowxperm hal_fastboot_default metadata_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
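Review bot: The new `rw_dir_perms`/`rw_file_perms` grants on `system_app_data_file` are type-wide, so ssr_detector_app can now write into the private data of every app whose directory carries that label, not only its own. That is presumably intended because its own data directory is labelled system_app_data_file (it would be if the app runs under the system user), but nothing in the file records that; a comment such as `# ssr_detector_app's own data dir is labelled system_app_data_file; write access is for the files it keeps there` would make the widening reviewable. The enclosing ssr_detector.te continues outside the hunk.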
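Review bot: `rw_file_perms` on `proc_cmdline` and `proc_bootconfig` grants write to nodes the kernel exposes read-only, so the write half can never be exercised and only widens the domain; `allow hal_fastboot_default proc_bootconfig:file r_file_perms;` and `allow hal_fastboot_default proc_cmdline:file r_file_perms;` are enough to read boot parameters. The braces around a lone macro, `{ rw_file_perms }`, are also unnecessary and differ from the surrounding rules. Read/write on `citadel_device` and `st54spi_device` is plausibly needed to reset the secure elements as part of the wipe, but if so the comment should say that rather than only `#for fastboot -w (wiping device)`, e.g. `# fastboot -w: discard the metadata partition and reset the secure elements (citadel, st54spi)`.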
From 5cd114d3a0aa1173d842f068dccb3c0899c5c306 Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 22 Nov 2022 23:38:29 +0000 Subject: [PATCH 694/900] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: build, flash, test app loading Bug: 258018785 Change-Id: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d Merged-In: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d --- whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/tee.te | 2 ++ whitechapel_pro/vendor_init.te | 3 +++ 4 files changed, 11 insertions(+) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 6a377573..b5bf04c2 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -40,3 +40,6 @@ vendor_internal_prop(vendor_telephony_app_prop) # Battery Mitigation vendor_internal_prop(vendor_mitigation_ready_prop) vendor_public_prop(vendor_brownout_reason_prop) + +# Trusty storage FS ready +vendor_internal_prop(vendor_trusty_storage_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 9aa97f1b..32b304b1 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -110,3 +110,6 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop: # Battery Mitigation vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0 vendor.brownout_reason u:object_r:vendor_brownout_reason_prop:s0 + +# Trusty +ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index 58228b5a..811dcbbc 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te 
@@ -15,3 +15,5 @@ read_fstab(tee) # storageproxyd starts before /data is mounted. It handles /data not being there # gracefully. However, attempts to access /data trigger a denial. dontaudit tee unlabeled:dir { search }; + +set_prop(tee, vendor_trusty_storage_prop) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index dae9fa6c..5b828e93 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -41,3 +41,6 @@ set_prop(vendor_init, vendor_brownout_reason_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; + +# Trusty storage FS ready +get_prop(vendor_init, vendor_trusty_storage_prop) From 8586ba78c296a83688003863a77b51fb7e980a75 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Fri, 25 Nov 2022 05:49:15 +0000 Subject: [PATCH 695/900] gs201-sepolicy:move perf_metrics genf_contexts from gs201 to gs-common Bug: 227809911 Bug: 232541623 Test: test adb bugreport Change-Id: I83fc6c8b1adffe9a58e1a3389036461db49efe77 Signed-off-by: Ziyi Cui --- whitechapel_pro/genfs_contexts | 4 ---- 1 file changed, 4 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 30cf5273..6c6cadd5 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -377,10 +377,6 @@ genfscon sysfs /devices/platform/100b0000.AUR u:obje genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 -#perf-metrics -genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0 -genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0 - # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0 From 304509819e650f5d01579ba042786d20ebd5bcc2 Mon Sep 17 00:00:00 2001 
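Review bot: The new `set_prop(tee, vendor_trusty_storage_prop)` carries no comment, unlike the matching `# Trusty storage FS ready` line in vendor_init.te, and the property it governs is a `ro.` one, so storageproxyd can set it exactly once per boot and a restarted daemon cannot update or clear it. That is acceptable for a one-shot ready flag, but it is worth recording at the rule: `# storageproxyd sets ro.vendor.trusty.storage.fs_ready (set-once) when /data-backed storage is usable; vendor_init waits on it`.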
From: Adam Shih Date: Mon, 28 Nov 2022 14:14:42 +0800 Subject: [PATCH 696/900] move touch dump to gs-common Bug: 256521567 Test: adb bugreport Change-Id: I198c227508606baf434de456f80477ce6bebcede --- whitechapel_pro/file.te | 1 - whitechapel_pro/hal_dumpstate_default.te | 3 --- 2 files changed, 4 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index b7495d67..9281a8b2 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -43,7 +43,6 @@ type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; -type sysfs_touch, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 3337e35e..2f7e1d91 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -48,9 +48,6 @@ allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; allow hal_dumpstate_default proc_f2fs:file r_file_perms; -allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; -allow hal_dumpstate_default sysfs_touch:file rw_file_perms; - allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; binder_call(hal_dumpstate_default, hal_graphics_composer_default); allow hal_dumpstate_default sysfs_display:dir r_dir_perms; From 2295e34d687925994225bd79a4eeca0f11be22c2 Mon Sep 17 00:00:00 2001 
From: Vaibhav Devmurari Date: Mon, 21 Nov 2022 17:39:22 +0000 Subject: [PATCH 697/900] Add SePolicy for system_server accessing sysfs for USB devices Add SePolicy to allow Android input manager accessing sysfs nodes for external USB devices To support input device lights manager feature in frameworks, provide sysfs node access to system server process. DD: go/pk_backlight_control (For keyboard backlight control for external keyboards) Similar changes: ag/20092266 Kernel provides a standardized LED interface to expose LED controls over sysfs: https://docs.kernel.org/leds/leds-class.html The feature will be provided for devices with kernel sysfs class led support and vendor kernel driver for input controllers that do have lights. The kernel sysfs class led support is a kernel config option (LEDS_CLASS), and an input device driver will create the sysfs class node interface. By giving system_server the access to these sysfs nodes, the feature will work on devices with the kernel option and kernel input/hid driver support. We do use CTS tests to enforce the kernel options and the input device drivers. What's already supported? - We already support access to UHID sysfs node which used for all bluetooth based external peripherals What's included in this CL? - Adding support to access sysfs nodes for USB based external devices Test: manual Bug: 245506418 Change-Id: I51c642ffe7293f793b7b6a131e8d2a37aea4a547 --- whitechapel_pro/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 6c6cadd5..2cbc6919 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -127,6 +127,10 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo
 # OTA
 genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
+# Input
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0
+
 # Display
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
From 24cfe388c5f6e0c25a42dd3a252a1b0102b981ae Mon Sep 17 00:00:00 2001 From: Wasb Liu Date: Mon, 14 Nov 2022 09:49:24 +0000 Subject: [PATCH 698/900] hal_health_default: updated sepolicy allow android.hardware.health service to access persist_battery_file 11-14 13:53:39.242 872 872 W android.hardwar: type=1400 audit(0.0:17): avc: denied { search } for name="battery" dev="sda1" ino=84 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=0 Bug: 258535661 Test: check for no avc denied on persist_battery_file Change-Id: I7564b03339e17f9eea4aa5a8feda31bcfdd6100c Signed-off-by: Wasb Liu --- whitechapel_pro/hal_health_default.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index d953d4b2..6c3c6940 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
@@ -1,5 +1,7 @@
 allow hal_health_default mnt_vendor_file:dir search;
 allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
 set_prop(hal_health_default, vendor_battery_defender_prop)
From 2d4a9c02fce0ec81afa33e8b7964e2844510fe46 Mon Sep 17 00:00:00 2001
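Review bot: genfscon labels by path prefix, so labelling `.../usb2/2-1` as sysfs_uhid covers the entire sysfs subtree of whatever device enumerates on that root port, not only its LED class nodes, and every domain allowed on sysfs_uhid (system_server, for the lights feature) reaches all of that device's attributes. If the kernel path to the LED nodes under the input device is stable, narrowing the entry to that subpath would keep the grant to what the feature needs; if it is not, a comment should record that the whole device subtree is intentionally covered, e.g. `# USB input devices on root port 2-1: whole device subtree is sysfs_uhid (genfscon is a prefix match)`. The `xhci-hcd-exynos.4.auto`/`.5.auto` instance numbers also look probe-order dependent, so it is worth confirming they are fixed on this platform.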
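Review bot: The quoted denial shows only `search` on the persist_battery_file directory, but the rules grant `create_file_perms` (create, rename, setattr, unlink plus rw_file_perms) on files and `rw_dir_perms` on the directory, so the health HAL can now create, rewrite and delete anything under that persist subtree. If the service only reads battery data, `r_dir_file(hal_health_default, persist_battery_file)` is the least-privilege form; if it does write, a comment naming what it persists, e.g. `# health HAL reads and updates battery state kept under persist_battery_file`, would justify the write grant.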
From: Ziyi Cui Date: Wed, 9 Nov 2022 18:35:41 -0800 Subject: [PATCH 699/900] [ DO NOT MERGE ] gs201-sepolicy: pixelstats: enable pixelstats access to temp-residency-metrics enable pixelstats access to sysfs path Bug: 246799997 Test: Verified the existence of atom and correctness of atom stats Signed-off-by: Ziyi Cui Change-Id: I4a731d40a586e01c484cf95c57fb16a03f5e6ceb --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/pixelstats_vendor.te | 3 +++ 3 files changed, 9 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 288bb7c2..8b79dbe4 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -96,6 +96,9 @@ type vendor_usf_stats, vendor_file_type, file_type; type vendor_usf_reg_edit, vendor_file_type, file_type; type vendor_dumpsys, vendor_file_type, file_type; +#vendor-metrics +type sysfs_vendor_metrics, fs_type, sysfs_type; + # Modem type modem_efs_file, file_type; type modem_userdata_file, file_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 9939bbf4..b06d7e55 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -391,6 +391,9 @@ genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:obj genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 +#vendor-metrics +genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:object_r:sysfs_vendor_metrics:s0 + # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0 diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index d327a30d..a8d7b123 100644 
--- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -27,6 +27,9 @@ allow pixelstats_vendor sysfs_pca:file rw_file_perms; r_dir_file(pixelstats_vendor, sysfs_thermal) allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; +#vendor-metrics +r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) + # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; From 521334a3667b74ac1149087e4aedba639213dce4 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Mon, 14 Nov 2022 19:00:27 -0800 Subject: [PATCH 700/900] gs201-sepolicy:dumpstate: allow dumpstate access sysfs_vendor_metrics Test: "adb bugreport" includes metrics capture. Bug: 246799997 Signed-off-by: Ziyi Cui Change-Id: I1c2f4aaf1cd875a37497ca8beacb555d39eeb51e --- whitechapel_pro/hal_dumpstate_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 606ec046..e9d7271c 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -141,6 +141,8 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; allow hal_dumpstate_default debugfs_tracing_instances:dir search; allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms; + allow hal_dumpstate_default sysfs_vendor_metrics:dir search; + allow hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; 
@@ -171,6 +173,8 @@ dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; dontaudit hal_dumpstate_default debugfs_tracing_instances:dir search; dontaudit hal_dumpstate_default debugfs_tracing_instances:file r_file_perms; +dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search; +dontaudit hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; From 30e01ffb8c5662216a59eae2bc9a35dd2d025029 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Fri, 21 Oct 2022 14:59:31 -0700 Subject: [PATCH 701/900] [ DO NOT MERGE ] gs201-sepolicy: pixelstats: enable pixelstats access to perf-metrics enable pixelstats access to sysfs path, define sysfs_perfmetrics Bug: 227809911 Bug: 232541623 Test: Verified the existence of atom and correctness of resume latency, irq stats Signed-off-by: Ziyi Cui Change-Id: If1b95148b59a6816c6795921018dfae68d80550b --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index b06d7e55..5ee9a609 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -393,6 +393,8 @@ genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:obj #vendor-metrics genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0 # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 
From daeff5e18c09bb3bd225da85539cb5a396417cf0 Mon Sep 17 00:00:00 2001 From: Wasb Liu Date: Mon, 14 Nov 2022 09:49:24 +0000 Subject: [PATCH 702/900] hal_health_default: updated sepolicy allow android.hardware.health service to access persist_battery_file 11-14 13:53:39.242 872 872 W android.hardwar: type=1400 audit(0.0:17): avc: denied { search } for name="battery" dev="sda1" ino=84 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=0 Bug: 258535661 Bug: 260878511 Test: check for no avc denied on persist_battery_file Change-Id: I7564b03339e17f9eea4aa5a8feda31bcfdd6100c Signed-off-by: Wasb Liu Signed-off-by: Ken Tsou (cherry picked from commit 24cfe388c5f6e0c25a42dd3a252a1b0102b981ae) --- whitechapel_pro/hal_health_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index 0e393765..cfe602df 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -1,5 +1,7 @@ allow hal_health_default mnt_vendor_file:dir search; allow hal_health_default persist_file:dir search; +allow hal_health_default persist_battery_file:file create_file_perms; +allow hal_health_default persist_battery_file:dir rw_dir_perms; set_prop(hal_health_default, vendor_battery_defender_prop) From 0237351f526afce11bc26adf4d0344919fb385b2 Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 1 Dec 2022 16:19:17 -0800 Subject: [PATCH 703/900] Battery Mitigation: Use Brownout Reason - sepolicy Brownout Reason replaces startup_bugreport_requested. Battery Mitigation needs to be updated. Bug: 237287659 Test: Ensure lastmeal.txt is properly generated. Merged-In: Ia03da290f5cb90ebbc7616d46e90064e346a402c Change-Id: Ic123d704e37aa6d1dcd7377c291b537069ede829 Signed-off-by: George Lee --- whitechapel_pro/battery_mitigation.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te
index 5fecbcba..643b2fc6 100644
--- a/whitechapel_pro/battery_mitigation.te
+++ b/whitechapel_pro/battery_mitigation.te
@@ -3,6 +3,7 @@ type battery_mitigation_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(battery_mitigation)
 get_prop(battery_mitigation, boot_status_prop)
 set_prop(battery_mitigation, vendor_mitigation_ready_prop)
+get_prop(battery_mitigation, vendor_brownout_reason_prop)
 hal_client_domain(battery_mitigation, hal_thermal);
 hal_client_domain(battery_mitigation, hal_health);
From 48acf9683f5657e4422473a2c81429528a9d4fbe Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Mon, 5 Dec 2022 13:58:36 +0000 Subject: [PATCH 704/900] Allow ssr_detector_app to create files of type system_app_data_file. Bug: 260557058 Test: m Change-Id: I0ff85b542a84ed7d5e5ffd1010ca1a9f7f86c8f1 --- whitechapel_pro/ssr_detector.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
index cfc104e4..3a8c56b1 100644
--- a/whitechapel_pro/ssr_detector.te
+++ b/whitechapel_pro/ssr_detector.te
@@ -5,7 +5,7 @@ allow ssr_detector_app app_api_service:service_manager find;
 allow ssr_detector_app radio_service:service_manager find;
 allow ssr_detector_app system_app_data_file:dir rw_dir_perms;
-allow ssr_detector_app system_app_data_file:file rw_file_perms;
+allow ssr_detector_app system_app_data_file:file create_file_perms;
 allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
 allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
From 5df8045c3bf0c76041584ad36c9388575ea2784f Mon Sep 17 00:00:00 2001
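Review bot: Moving to `create_file_perms` adds create, rename, setattr and unlink on every file labelled system_app_data_file, a label shared by all apps running as the system user, so as far as the MAC policy is concerned ssr_detector_app can now delete or rename other system apps' private files as well as its own. The commit message says the app needs to create files, but the rule carries no comment; something like `# ssr_detector_app creates and rotates files in its own system_app_data_file-labelled data dir` (adjusted to what it actually writes) would record the intent behind the type-wide grant. The enclosing ssr_detector.te continues outside the hunk.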
From: chiayupei Date: Mon, 14 Nov 2022 08:42:46 +0000 Subject: [PATCH 705/900] hal_sensors_default: Add sepolicy for MagCC. avc: denied { search } for name="battery" dev="sysfs" ino=78703 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 avc: denied { read } for name="status" dev="sysfs" ino=78714 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/google,battery/power_supply/battery/status" dev="sysfs" ino=78714 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/platform/google,battery/power_supply/battery/status" dev="sysfs" ino=78714 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { read } for name="status" dev="sysfs" ino=78714 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { search } for name="i2c-p9222" dev="sysfs" ino=69679 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1 Bug: 254155730 Test: Manually test no avc denied for MagCC Change-Id: Ie5261b39187ffcdf645ae64727c54643bdbc1c47 Signed-off-by: chiayupei --- whitechapel_pro/hal_sensors_default.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index bb3a9139..fcd758a4 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te 
@@ -81,3 +81,8 @@ binder_call(hal_sensors_default, hal_graphics_composer_default);
 # Allow display_info_service access to the backlight driver.
 allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
+
+# Allow access to the power supply files for MagCC.
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
+
From 812312fb1cfebb3b313b50b563bf22800010b1b3 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Sat, 29 Oct 2022 11:02:08 +0800 Subject: [PATCH 706/900] ignore shell access on wlc Bug: 261804136 Test: boot Change-Id: I5f1d321df2daa2ec785e2ad1ac2e02478568b688 Merged-In: I5f1d321df2daa2ec785e2ad1ac2e02478568b688 Signed-off-by: Jack Wu --- whitechapel_pro/shell.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te
index 978a5426..44ae0768 100644
--- a/whitechapel_pro/shell.te
+++ b/whitechapel_pro/shell.te
@@ -3,3 +3,6 @@ userdebug_or_eng(`
 allow shell sysfs_sjtag:dir r_dir_perms;
 allow shell sysfs_sjtag:file rw_file_perms;
 ')
+
+# wlc
+dontaudit shell sysfs_wlc:dir search;
From 123262b869c69ff6edb87884d3fbb8f8d0cdd6bd Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Thu, 8 Dec 2022 14:49:22 +0000 Subject: [PATCH 707/900] Also put .ShannonImsService in the vendor_ims_app domain. For consistency when running com.shannon.imsservice code. Test: m Bug: 260557058 Change-Id: Idb145723d053eb93dbae2b71f7204347253c8a50 --- whitechapel_pro/seapp_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 0fbe0333..68fe8176 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
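Review bot: The hunk ends with an added empty line (the final bare `+`), leaving a trailing blank line at the end of hal_sensors_default.te. `r_dir_perms` on `sysfs_wlc:dir` is also broader than the `search` in the quoted denial; `allow hal_sensors_default sysfs_wlc:dir search;` matches the observed need unless the HAL actually lists that directory. Naming the nodes in the comment would help future triage, e.g. `# MagCC reads power_supply/battery/status and traverses the wlc (i2c-p9222) sysfs dir`.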
@@ -1,4 +1,5 @@
 # Samsung S.LSI IMS
+user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
From 72a65a01009d614260fc9e9ade2f4ce127c31dd7 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Sat, 29 Oct 2022 11:02:08 +0800 Subject: [PATCH 708/900] ignore shell access on wlc Bug: 238260741 Test: boot Change-Id: I5f1d321df2daa2ec785e2ad1ac2e02478568b688 Merged-In: I5f1d321df2daa2ec785e2ad1ac2e02478568b688 Signed-off-by: Jack Wu --- tracking_denials/bug_map | 1 - whitechapel_pro/shell.te | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index fcebf544..40082dba 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -10,6 +10,5 @@ incidentd debugfs_wakeup_sources file b/237492091
 init-insmod-sh vendor_ready_prop property_service b/239364360
 kernel vendor_charger_debugfs dir b/238571150
 kernel vendor_usb_debugfs dir b/227121550
-shell sysfs_wlc dir b/238260741
 hal_contexthub_default fwk_stats_service service_manager b/241714943
 shell sscoredump_vendor_data_crashinfo_file dir b/241714944
diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te
index 978a5426..44ae0768 100644
--- a/whitechapel_pro/shell.te
+++ b/whitechapel_pro/shell.te
@@ -3,3 +3,6 @@ userdebug_or_eng(`
 allow shell sysfs_sjtag:dir r_dir_perms;
 allow shell sysfs_sjtag:file rw_file_perms;
 ')
+
+# wlc
+dontaudit shell sysfs_wlc:dir search;
From f5a88c35a4fc5e8875ef6ad3d49c9980fe23b081 Mon Sep 17 00:00:00 2001
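Review bot: seapp_contexts `name=` is an exact match against the package or process name handed to zygote, and a manifest `android:process=".ShannonImsService"` is normally expanded by the package manager to `com.shannon.imsservice.ShannonImsService` before it gets there, so the new entry with the bare `.ShannonImsService` may never match and the process would silently land in the default privileged-app domain instead of vendor_ims_app. This is worth confirming with `ps -Z` on a device; if the process shows the expanded name, the line should read `user=_app isPrivApp=true name=com.shannon.imsservice.ShannonImsService domain=vendor_ims_app levelFrom=all`. The commit message's "for consistency" does not say how the entry was verified to match.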
From: Jenny Ho Date: Wed, 14 Dec 2022 15:11:13 +0800 Subject: [PATCH 709/900] Add sepolicy rule to allow dump battery maxfg history android.hardwar: type=1400 audit(0.0:7): avc: denied { getattr } for path="/dev/maxfg_history" dev="tmpfs" ino=580 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 bug=b/240632721 Bug: 254164096 Change-Id: I64ff95ba8db62a8f831d012b4cdf4e6ec973f086 Signed-off-by: Jenny Ho --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_dumpstate_default.te | 2 ++ 2 files changed, 3 insertions(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 8b382741..dc1101bc 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -213,6 +213,7 @@ /data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 +/dev/maxfg_history u:object_r:battery_history_device:s0 /dev/battery_history u:object_r:battery_history_device:s0 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 /data/vendor/mitigation(/.*)? u:object_r:mitigation_vendor_data_file:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index e9d7271c..fbfbd227 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -102,6 +102,8 @@ allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms; allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; +allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; + userdebug_or_eng(` allow hal_dumpstate_default sysfs_leds:dir search; allow hal_dumpstate_default sysfs_leds:file rw_file_perms; From 5712ba4dec1cc583b8d2e19590b735be2cb25ff2 Mon Sep 17 00:00:00 2001 
From: George Lee Date: Sun, 11 Dec 2022 21:02:09 -0800 Subject: [PATCH 710/900] Add BrownoutDetected Events - gs201 sepolicy Brownout Detection is detected during the boot sequence. If the previous shutdown resulted in a reboot reason that has *ocp* or *uvlo* in it, the shutdown was due to brownout. Mitigation Logger should have logged the device state during the brownout. This event metric is to surface the logged data. Bug: 250009365 Test: Confirm triggering of events Ignore-AOSP-First: to detect brownout. Change-Id: Idfc02a8bde6088a5c504ee72014537555af78b04 Signed-off-by: George Lee --- whitechapel_pro/pixelstats_vendor.te | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 4ec563f6..48877bd9 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -34,3 +34,10 @@ allow pixelstats_vendor sysfs_bcl:file r_file_perms;
 #perf-metrics
 r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
 allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms;
+
+# BCL
+allow pixelstats_vendor sysfs_bcl:dir search;
+allow pixelstats_vendor sysfs_bcl:file r_file_perms;
+allow pixelstats_vendor mitigation_vendor_data_file:dir search;
+allow pixelstats_vendor mitigation_vendor_data_file:file { read write };
+get_prop(pixelstats_vendor, vendor_brownout_reason_prop);
From 691897a0bf66e36bfabd207b0ab78c70ec14f19f Mon Sep 17 00:00:00 2001 From: Devin Moore Date: Mon, 19 Dec 2022 23:03:58 +0000 Subject: [PATCH 711/900] Allow pixelstats hal to talk to the new AIDL sensorservice This is being used in libsensorndkbridge now, so permissions are required. Test: m Bug: 205764765 Change-Id: Ife9688c62398bef83ae5636e915568658098e12d --- whitechapel_pro/pixelstats_vendor.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 371bef41..4ba9ccd7 100644
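Review bot: The two `sysfs_bcl` rules under the new `# BCL` comment duplicate rules the file already has — `allow pixelstats_vendor sysfs_bcl:file r_file_perms;` is this hunk's own header context, and the matching `dir search` rule appears beside it in the `# BCL` block visible in an earlier patch to this file — so they should be dropped rather than repeated. `mitigation_vendor_data_file:file { read write }` omits `open`, which means pixelstats can only use descriptors handed to it; if it opens the brownout log itself it needs `rw_file_perms`, or `r_file_perms` if it only reads, and the heading could say which file is meant, e.g. `# BCL: read the mitigation logger's brownout record and the brownout reason property`. The trailing `;` after `get_prop(...)` is unnecessary, though the file already uses that form elsewhere.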
--- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -13,6 +13,9 @@ allow pixelstats_vendor sysfs_wlc:file rw_file_perms; get_prop(pixelstats_vendor, hwservicemanager_prop); hwbinder_use(pixelstats_vendor); allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; +# android.frameworks.sensorservice through libsensorndkbridge +allow pixelstats_vendor fwk_sensor_service:service_manager find; + # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; From ca38b9685bcf7fdc91482daaeb0bd0c701446575 Mon Sep 17 00:00:00 2001 From: Taylor Nelms Date: Mon, 5 Dec 2022 15:21:32 +0000 Subject: [PATCH 712/900] Modify permissions to allow dumpstate process to access decon_counters node Bug: 240346564 Test: Build for Cheetah device with "user" build, check bugreport for decon_counters content Change-Id: I656ebdcd0f92f2cc3e16de19075e94ada339a39b Signed-off-by: Taylor Nelms --- whitechapel_pro/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 2cbc6919..d74ed5d4 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -141,6 +141,9 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/osc2_clk_kh genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c240000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c241000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c242000.drmdecon/counters u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 From 37b0c417d170555c2360be1ffad25db8ee1d3c10 Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 22 Nov 2022 23:38:29 +0000 Subject: [PATCH 713/900] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: build, flash, test app loading Bug: 258018785 Change-Id: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d Merged-In: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d --- whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/tee.te | 2 ++ whitechapel_pro/vendor_init.te | 3 +++ 4 files changed, 11 insertions(+) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index ec7d84ed..923c6ccf 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -36,3 +36,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) + +# Trusty storage FS ready +vendor_internal_prop(vendor_trusty_storage_prop) 
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 98a7980a..a411368b 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -106,3 +106,6 @@ persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0 # for vendor telephony debug app vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0 + +# Trusty +ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index 58228b5a..811dcbbc 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te @@ -15,3 +15,5 @@ read_fstab(tee) # storageproxyd starts before /data is mounted. It handles /data not being there # gracefully. However, attempts to access /data trigger a denial. dontaudit tee unlabeled:dir { search }; + +set_prop(tee, vendor_trusty_storage_prop) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 3287d344..fc6e5474 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -35,3 +35,6 @@ set_prop(vendor_init, vendor_battery_defender_prop) # Display set_prop(vendor_init, vendor_display_prop) + +# Trusty storage FS ready +get_prop(vendor_init, vendor_trusty_storage_prop) From f70e73af584eca1e5231a60e529cd48e62a45bc3 Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Wed, 30 Nov 2022 00:45:48 +0000 Subject: [PATCH 714/900] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: build, flash, test app loading Bug: 258018785 Change-Id: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d Merged-In: I0b4f80371385bf0ddb0c44e81b1893bb80c7a63d --- whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/tee.te | 2 ++ whitechapel_pro/vendor_init.te | 3 +++ 4 files changed, 11 insertions(+) 
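Review bot: `set_prop(tee, vendor_trusty_storage_prop)` lands in tee.te right after a comment block about /data denials, with nothing saying which process sets the property or when, so a reader has to dig up this commit to learn why the tee domain writes a property; a line such as `# storageproxyd sets ro.vendor.trusty.storage.fs_ready once the data filesystems are mounted` above it would carry that. Because the property is `ro.`, it can be set only once per boot, which suits a readiness flag but means a restarted storageproxyd cannot re-assert it, worth noting in the same comment if intended. PATCH 714/900 repeats this change verbatim (same Change-Id and blob indexes), so the series carries it twice.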
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index ec7d84ed..923c6ccf 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -36,3 +36,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) + +# Trusty storage FS ready +vendor_internal_prop(vendor_trusty_storage_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 98a7980a..a411368b 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -106,3 +106,6 @@ persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0 # for vendor telephony debug app vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0 + +# Trusty +ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index 58228b5a..811dcbbc 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te @@ -15,3 +15,5 @@ read_fstab(tee) # storageproxyd starts before /data is mounted. It handles /data not being there # gracefully. However, attempts to access /data trigger a denial. dontaudit tee unlabeled:dir { search }; + +set_prop(tee, vendor_trusty_storage_prop) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 3287d344..fc6e5474 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -35,3 +35,6 @@ set_prop(vendor_init, vendor_battery_defender_prop) # Display set_prop(vendor_init, vendor_display_prop) + +# Trusty storage FS ready +get_prop(vendor_init, vendor_trusty_storage_prop) From 46ae2b14628d3f73ab11002e4c8c122d340e112f Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Mon, 19 Dec 2022 06:15:13 +0000 Subject: [PATCH 715/900] WLC: Remove sysfs_wlc sepolicy Bug: 237600973 Change-Id: Iadd90d55aca37fead3e5528d39df7866c9807205 Signed-off-by: Ken Yang --- whitechapel_pro/file.te | 1 - 1 file changed, 1 deletion(-) 
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 9281a8b2..521671af 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -44,7 +44,6 @@ type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; -type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; type sysfs_cpu, sysfs_type, fs_type; From 946b7e5e36e64e79650327673dc5e55a1369c7f7 Mon Sep 17 00:00:00 2001 From: Super Liu Date: Fri, 23 Dec 2022 02:21:50 +0000 Subject: [PATCH 716/900] [DO NOT MERGE] Add sepolicy for procfs_touch_gti type Bug: 262796907 Test: TreeHugger build pass. Change-Id: I2b89aa6e0e9b8fbe42121f34e4c70639bdc225d2 --- whitechapel_pro/file.te | 2 ++ whitechapel_pro/genfs_contexts | 1 + whitechapel_pro/google_touch_app.te | 1 + whitechapel_pro/hal_dumpstate_default.te | 3 +++ 4 files changed, 7 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 8b79dbe4..90fe2fbf 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -112,8 +112,10 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type; # Touch type proc_touch, proc_type, fs_type; +type proc_touch_gti, proc_type, fs_type; userdebug_or_eng(` typeattribute proc_touch mlstrustedobject; + typeattribute proc_touch_gti mlstrustedobject; ') # Vendor sched files diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 5ee9a609..04bd9a9c 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -31,6 +31,7 @@ genfscon sysfs /devices/soc0/revision u genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 genfscon proc /focaltech_touch u:object_r:proc_touch:s0 +genfscon proc /goog_touch_interface u:object_r:proc_touch_gti:s0 # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 diff --git a/whitechapel_pro/google_touch_app.te b/whitechapel_pro/google_touch_app.te index f90fde1e..8428ff80 100644 --- a/whitechapel_pro/google_touch_app.te +++ b/whitechapel_pro/google_touch_app.te @@ -8,4 +8,5 @@ userdebug_or_eng(` allow google_touch_app sysfs_touch:dir r_dir_perms; allow google_touch_app sysfs_touch:file rw_file_perms; allow google_touch_app proc_touch:file rw_file_perms; + allow google_touch_app proc_touch_gti:file rw_file_perms; ') diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index fbfbd227..12fb8a7e 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -84,6 +84,9 @@ allow hal_dumpstate_default sysfs_touch:file rw_file_perms; allow hal_dumpstate_default proc_touch:dir r_dir_perms; allow hal_dumpstate_default proc_touch:file rw_file_perms; +allow hal_dumpstate_default proc_touch_gti:dir r_dir_perms; +allow hal_dumpstate_default proc_touch_gti:file rw_file_perms; + allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; binder_call(hal_dumpstate_default, hal_graphics_composer_default); allow hal_dumpstate_default sysfs_display:dir r_dir_perms; From 1b4f3771ee5e0b89953d16ee28823b0b9c749cd5 Mon Sep 17 00:00:00 2001 
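Review bot: `allow hal_dumpstate_default proc_touch_gti:file rw_file_perms;` grants the dumpstate HAL write access to the new touch procfs node on every build type, whereas the google_touch_app rule for the same node sits inside `userdebug_or_eng` and the type only receives `mlstrustedobject` there. Collecting state for a bugreport is a read, so unless a write is needed to trigger the dump, `allow hal_dumpstate_default proc_touch_gti:file r_file_perms;` keeps the driver interface read-only on user builds. This mirrors the existing proc_touch rule, so if rw is deliberate a short comment naming the write the dump performs would settle it.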
From: David Drysdale Date: Tue, 6 Dec 2022 15:40:05 +0000 Subject: [PATCH 717/900] Map Rust KeyMint to same SELinux policy as C++ Allow the Rust and C++ implementations of the KeyMint HAL service to be toggled easily, by mapping them to the same SELinux policy. Bug: 197891150 Bug: 225036046 Test: VtsAidlKeyMintTargetTest with local changes, TreeHugger Change-Id: I37f8016240097381410903f0f326dc16fc24db1e --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index d0a92a9c..4c5f92e1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -18,6 +18,7 @@ /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0 From 41e9042885b8362501865e6e4ba62f6e8b96334c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 6 Jan 2023 10:30:46 +0800 Subject: [PATCH 718/900] update error on ROM Bug: 242203678 Test: pass boot test Change-Id: I4b9aefdea9b54b4fb1743af6c7e7169c210c7ad0 Merged-In: Iadd90d55aca37fead3e5528d39df7866c9807205 --- tracking_denials/bug_map | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 40082dba..f2b65774 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,14 +1,24 @@ -hal_input_processor_default vendor_display_prop file b/236200710 cat_engine_service_app system_app_data_file dir b/238705599 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 +dumpstate incident process b/239632439 +dumpstate system_data_file dir b/239484651 +hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_drm_widevine default_prop file b/237492145 -hal_googlebattery dumpstate fd b/238260742 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 -hal_contexthub_default fwk_stats_service service_manager b/241714943 +shell adb_keys_file file b/239484612 +shell cache_file lnk_file b/239484612 +shell init_exec lnk_file b/239484612 +shell linkerconfig_file dir b/239484612 +shell metadata_file dir b/239484612 +shell mirror_data_file dir b/239484612 +shell postinstall_mnt_dir dir b/239484612 +shell rootfs file b/239484612 shell sscoredump_vendor_data_crashinfo_file dir b/241714944 +shell system_dlkm_file dir b/239484612 +su modem_img_file filesystem b/240653918 From b3bbcd45541913bf08a2b217ed7e418f1c06d2eb Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Thu, 5 Jan 2023 06:51:08 +0000 Subject: [PATCH 719/900] WLC: Cleanup the sysfs_wlc policies The sepolicy must be self-contained without including wirelss_charger to avoid build break in AOSP Bug: 263830018 Change-Id: Ib3e36c9bb4b3048ce97592c3f68260035a32239d 
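Review bot: The removal of `hal_input_processor_default vendor_display_prop file b/236200710` and `hal_googlebattery dumpstate fd b/238260742` is undocumented; the description ("update error on ROM") does not say whether those denials were fixed or the bugs closed, and since bug_map only annotates audit output, a dropped entry that is still hit simply reverts to an unattributed denial. The new `shell ... b/239484612` entries are fine as tracking, but they record shell reaching core types such as `adb_keys_file`, `rootfs` and `init_exec`, which should be resolved at the source rather than tracked indefinitely. Please record the removals and their reason in the description.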
Signed-off-by: Ken Yang --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/genfs_contexts | 7 ------- whitechapel_pro/hal_dumpstate_default.te | 3 --- whitechapel_pro/hal_health_default.te | 1 - whitechapel_pro/hal_sensors_default.te | 2 -- whitechapel_pro/hal_wireless_charger.te | 2 ++ whitechapel_pro/hal_wlc.te | 2 -- whitechapel_pro/pixelstats_vendor.te | 3 --- whitechapel_pro/platform_app.te | 4 ++++ whitechapel_pro/service.te | 3 +++ whitechapel_pro/service_contexts | 2 ++ whitechapel_pro/shell.te | 3 --- whitechapel_pro/system_app.te | 5 +++-- 13 files changed, 17 insertions(+), 23 deletions(-) create mode 100644 whitechapel_pro/hal_wireless_charger.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 521671af..9852b023 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -108,3 +108,6 @@ userdebug_or_eng(` # USB-C throttling stats type sysfs_usbc_throttling_stats, sysfs_type, fs_type; + +# WLC +type sysfs_wlc, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index d74ed5d4..a1e00e11 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
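Review bot: `type sysfs_wlc, sysfs_type, fs_type;` is re-declared here while the same change deletes every `genfscon` that labels a path with it and every allow/dontaudit rule naming it (genfs_contexts, hal_dumpstate_default, hal_health_default, hal_sensors_default, hal_wlc, pixelstats_vendor, shell), so after this commit the type labels nothing and no domain may touch it. If the declaration exists so a wireless_charger policy shipped elsewhere can reference the type, a comment such as `# WLC: labels and access rules live with the wireless_charger policy` would explain the orphan; otherwise the three added lines can go. PATCH 715/900 removed this same declaration one commit earlier while rules referencing it remained, which is presumably the build break the description alludes to.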
@@ -210,25 +210,18 @@ genfscon sysfs /devices/pseudo_0/adapter0/host1/target1:0:0/1:0:0:0/block/sde # P22 battery genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom 
u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply u:object_r:sysfs_batteryinfo:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 2e8ac6d7..80116c44 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -9,9 +9,6 @@ allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; -allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; -allow hal_dumpstate_default sysfs_wlc:file r_file_perms; - allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index f9c888d9..bd6efecb 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -12,7 +12,6 @@ allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_health_default fwk_stats_service:service_manager find; binder_use(hal_health_default) -allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index fcd758a4..06f395a8 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te 
@@ -84,5 +84,3 @@ allow hal_sensors_default sysfs_write_leds:file rw_file_perms; # Allow access to the power supply files for MagCC. r_dir_file(hal_sensors_default, sysfs_batteryinfo) -allow hal_sensors_default sysfs_wlc:dir r_dir_perms; - diff --git a/whitechapel_pro/hal_wireless_charger.te b/whitechapel_pro/hal_wireless_charger.te new file mode 100644 index 00000000..04b3e5e2 --- /dev/null +++ b/whitechapel_pro/hal_wireless_charger.te @@ -0,0 +1,2 @@ +type hal_wireless_charger, domain; +type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type; diff --git a/whitechapel_pro/hal_wlc.te b/whitechapel_pro/hal_wlc.te index 80eb1674..1cf9d034 100644 --- a/whitechapel_pro/hal_wlc.te +++ b/whitechapel_pro/hal_wlc.te @@ -7,8 +7,6 @@ add_hwservice(hal_wlc, hal_wlc_hwservice) get_prop(hal_wlc, hwservicemanager_prop) r_dir_file(hal_wlc, sysfs_batteryinfo) -allow hal_wlc sysfs_wlc:dir r_dir_perms; -allow hal_wlc sysfs_wlc:file rw_file_perms; allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 90094635..b5b1594f 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -6,9 +6,6 @@ hwbinder_use(pixelstats_vendor) allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; -# Wireless charge -allow pixelstats_vendor sysfs_wlc:dir search; -allow pixelstats_vendor sysfs_wlc:file rw_file_perms; # Wireless charge/OrientationCollector get_prop(pixelstats_vendor, hwservicemanager_prop); hwbinder_use(pixelstats_vendor); diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te index 9021c1a8..1891caef 100644 --- a/whitechapel_pro/platform_app.te +++ b/whitechapel_pro/platform_app.te 
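Review bot: hal_wireless_charger.te declares `type hal_wireless_charger, domain;` and its exec type but nothing else: no `init_daemon_domain`, no `hal_server_domain`/`binder_use`, and no `add_service` on the `hal_wireless_charger_service` type this commit creates, so with only this policy the service could never register and the new `binder_call(platform_app, hal_wireless_charger)` and system_app rules would grant calls into a domain that cannot run. If the remaining rules are intentionally kept with the HAL's own policy, a header comment naming that location would make the stub self-explanatory; if not, they are missing here. Marking the service type `protected_service` in service.te is appropriate for a vendor AIDL service reachable from system apps.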
@@ -17,3 +17,7 @@ binder_call(platform_app, hal_wlc) # allow udfps of systemui access lhbm binder_call(platform_app, hal_graphics_composer_default) + +# WLC +allow platform_app hal_wireless_charger_service:service_manager find; +binder_call(platform_app, hal_wireless_charger) diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te index b87c99e1..1c49d4f8 100644 --- a/whitechapel_pro/service.te +++ b/whitechapel_pro/service.te @@ -1,2 +1,5 @@ type hal_pixel_display_service, service_manager_type, hal_service_type; type hal_uwb_vendor_service, service_manager_type, hal_service_type; + +# WLC +type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index 5df34411..a3849bb7 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts @@ -1,2 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 + +vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te index 44ae0768..978a5426 100644 --- a/whitechapel_pro/shell.te +++ b/whitechapel_pro/shell.te @@ -3,6 +3,3 @@ userdebug_or_eng(` allow shell sysfs_sjtag:dir r_dir_perms; allow shell sysfs_sjtag:file rw_file_perms; ') - -# wlc -dontaudit shell sysfs_wlc:dir search; diff --git a/whitechapel_pro/system_app.te b/whitechapel_pro/system_app.te index c1560e6e..4677e980 100644 --- a/whitechapel_pro/system_app.te +++ b/whitechapel_pro/system_app.te @@ -1,2 +1,3 @@ -allow system_app hal_wlc_hwservice:hwservice_manager find; -binder_call(system_app, hal_wlc) +# WLC +allow system_app hal_wireless_charger_service:service_manager find; +binder_call(system_app, hal_wireless_charger) From 68bf64905bc3ab4237e27d3f7a982de3bd63d355 Mon Sep 17 00:00:00 2001 
From: Doug Zobel Date: Wed, 11 Jan 2023 18:44:08 -0600 Subject: [PATCH 720/900] Add sepolicy for PCIe link statistics PCIe link statistics collected by dumpstate and pixelstats. Test: adb bugreport && unzip bugreport*.zip && grep link_stats dumpstate_board.txt; adb logcat "pixelstats-vendor:D *:S" Bug: 264287533 Change-Id: I173ba399a60f29aa8a5edf1e86f97f214b4879c8 Signed-off-by: Doug Zobel --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/hal_dumpstate_default.te | 3 +++ whitechapel_pro/pixelstats_vendor.te | 4 ++++ 4 files changed, 12 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 9852b023..740eebb9 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -43,6 +43,7 @@ type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; +type sysfs_exynos_pcie_stats, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index a1e00e11..68caba73 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -377,6 +377,10 @@ genfscon sysfs /devices/platform/100b0000.AUR u:obje genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 +# PCIe link +genfscon sysfs /devices/platform/14520000.pcie/link_stats u:object_r:sysfs_exynos_pcie_stats:s0 +genfscon sysfs /devices/platform/11920000.pcie/link_stats u:object_r:sysfs_exynos_pcie_stats:s0 + # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0 
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 80116c44..23832cf1 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -12,6 +12,9 @@ allow hal_dumpstate_default vendor_gps_file:file r_file_perms; allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; +allow hal_dumpstate_default sysfs_exynos_pcie_stats:dir r_dir_perms; +allow hal_dumpstate_default sysfs_exynos_pcie_stats:file r_file_perms; + allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index b5b1594f..23bff0ba 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -31,6 +31,10 @@ allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; +# PCIe statistics +allow pixelstats_vendor sysfs_exynos_pcie_stats:dir search; +allow pixelstats_vendor sysfs_exynos_pcie_stats:file rw_file_perms; + #perf-metrics r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms; From 59de0efcca82b576feb6f25238286d536c1df818 Mon Sep 17 00:00:00 2001 From: Long Ling Date: Mon, 23 Jan 2023 17:46:11 -0800 Subject: [PATCH 721/900] Set context for sysfs file refresh_rate Bug: 263821118 Change-Id: Icdba0553fd5228822ce271ef16b877d4bef9f73e --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 68caba73..ebb78283 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
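Review bot: `allow pixelstats_vendor sysfs_exynos_pcie_stats:file rw_file_perms;` gives the stats daemon write access to the PCIe link_stats nodes, while hal_dumpstate_default in the same change gets only `r_file_perms` and the description says both merely collect the statistics. If pixelstats does not reset the counters after reading them, `allow pixelstats_vendor sysfs_exynos_pcie_stats:file r_file_perms;` is the least-privilege form; if it does, a comment like `# write: clears link_stats after reporting` beside the rule would justify the extra permission. The same rule recurs in the Merged-In copy of this change in the pixelstats_vendor.te hunk of PATCH 722/900.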
@@ -149,11 +149,13 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0 From 959825045e362d989ed418765fe5fa93eef638d8 Mon Sep 17 00:00:00 2001 From: Doug Zobel Date: Wed, 11 Jan 2023 18:44:08 -0600 Subject: [PATCH 722/900] Add sepolicy for PCIe link statistics PCIe link statistics collected by dumpstate and pixelstats. Test: adb bugreport && unzip bugreport*.zip && grep link_stats dumpstate_board.txt; adb logcat "pixelstats-vendor:D *:S" Bug: 264287533 Change-Id: I173ba399a60f29aa8a5edf1e86f97f214b4879c8 Merged-In: I173ba399a60f29aa8a5edf1e86f97f214b4879c8 Signed-off-by: Doug Zobel --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 4 ++++ whitechapel_pro/hal_dumpstate_default.te | 3 +++ whitechapel_pro/pixelstats_vendor.te | 4 ++++ 4 files changed, 12 insertions(+) 
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 90fe2fbf..1c10354e 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -46,6 +46,7 @@ type sysfs_exynos_bts_stats, sysfs_type, fs_type; type sysfs_bcl, sysfs_type, fs_type; type sysfs_chip_id, sysfs_type, fs_type; type sysfs_touch, sysfs_type, fs_type; +type sysfs_exynos_pcie_stats, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 04bd9a9c..5ec2e546 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -397,6 +397,10 @@ genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:obje genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0 genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0 +# PCIe link +genfscon sysfs /devices/platform/14520000.pcie/link_stats u:object_r:sysfs_exynos_pcie_stats:s0 +genfscon sysfs /devices/platform/11920000.pcie/link_stats u:object_r:sysfs_exynos_pcie_stats:s0 + # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 12fb8a7e..68fbaf15 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -25,6 +25,9 @@ allow hal_dumpstate_default sysfs_wlc:file r_file_perms; allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; +allow hal_dumpstate_default sysfs_exynos_pcie_stats:dir r_dir_perms; +allow hal_dumpstate_default sysfs_exynos_pcie_stats:file r_file_perms; + allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms; allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index a8d7b123..4faad03c 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -33,3 +33,7 @@ r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; + +# PCIe statistics +allow pixelstats_vendor sysfs_exynos_pcie_stats:dir search; +allow pixelstats_vendor sysfs_exynos_pcie_stats:file rw_file_perms; From 75521ed6d8cb5e46f9babb760c9a94123f5c37f1 Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 19 Jan 2023 14:15:12 -0800 Subject: [PATCH 723/900] battery_mitigation: fix brownout reporting selinux [DO NOT MERGE] Ensure ro.boot.bootreason equals sys.boot.reason before filing bugreport for Brownout. Bug: 263274350 Test: Local testing to confirm Change-Id: I7c0cab8811775d52bfb95f23ad19baa87f2ae64e Signed-off-by: George Lee (cherry picked from commit 4b3a85cac0206e70dddf7663aa771195c0026eea) --- whitechapel_pro/battery_mitigation.te | 1 + whitechapel_pro/vendor_init.te | 1 + 2 files changed, 2 insertions(+) diff --git a/whitechapel_pro/battery_mitigation.te b/whitechapel_pro/battery_mitigation.te index 643b2fc6..4d7e259c 100644 --- a/whitechapel_pro/battery_mitigation.te +++ b/whitechapel_pro/battery_mitigation.te 
@@ -4,6 +4,7 @@ init_daemon_domain(battery_mitigation) get_prop(battery_mitigation, boot_status_prop) set_prop(battery_mitigation, vendor_mitigation_ready_prop) get_prop(battery_mitigation, vendor_brownout_reason_prop) +get_prop(battery_mitigation, system_boot_reason_prop) hal_client_domain(battery_mitigation, hal_thermal); hal_client_domain(battery_mitigation, hal_health); diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 5b828e93..8a2f267f 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -38,6 +38,7 @@ set_prop(vendor_init, vendor_display_prop) # Battery Mitigation set_prop(vendor_init, vendor_brownout_reason_prop) +get_prop(vendor_init, system_boot_reason_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; From 80f1fbbf9d5f296493a3496e69e93bcaff628910 Mon Sep 17 00:00:00 2001 From: Kadyr Narmamatov Date: Tue, 31 Jan 2023 06:15:02 +0000 Subject: [PATCH 724/900] modem_svc_sit: Grant permission to read vendor_fw_file Bug: 267259670 Change-Id: I45d43e6bb17c3849cd6a19579ea1b2fdb1aa032a Signed-off-by: kadirpili --- whitechapel_pro/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te index 9d4cba72..d1c90a77 100644 --- a/whitechapel_pro/modem_svc_sit.te +++ b/whitechapel_pro/modem_svc_sit.te @@ -14,6 +14,9 @@ allow modem_svc_sit radio_vendor_data_file:file create_file_perms; allow modem_svc_sit modem_stat_data_file:dir create_dir_perms; allow modem_svc_sit modem_stat_data_file:file create_file_perms; +allow modem_svc_sit vendor_fw_file:dir search; +allow modem_svc_sit vendor_fw_file:file r_file_perms; + allow modem_svc_sit mnt_vendor_file:dir search; allow modem_svc_sit modem_userdata_file:dir create_dir_perms; allow modem_svc_sit modem_userdata_file:file create_file_perms; From eb745cabd11e531cf3e4a9d0fd06a6adcaff65d8 Mon Sep 17 00:00:00 2001 
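Review bot: `get_prop(vendor_init, system_boot_reason_prop)` in the vendor_init.te hunk is not explained by the commit message, which only describes battery_mitigation comparing ro.boot.bootreason against sys.boot.reason. Presumably a vendor init script evaluates the property in a trigger or condition; naming that consumer above the rule, e.g. `# sys.boot.reason is read by <vendor .rc that gates brownout reporting>`, would document why a second domain needs read access to a system-owned property. The battery_mitigation.te hunk earlier on this line needs no such note.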
From: Sajid Dalvi Date: Mon, 23 Jan 2023 15:22:24 -0600 Subject: [PATCH 725/900] logbuffer: Add pcie driver support Add logbuffer support to pcie driver to reduce dmesg spam. Bug: 267495494 Change-Id: Id62006860e161730880aba61ea9974e006884e3e Signed-off-by: Sajid Dalvi --- whitechapel_pro/file_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index dc1101bc..30fa96f9 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -108,6 +108,8 @@ /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_bd u:object_r:logbuffer_device:s0 +/dev/logbuffer_pcie0 u:object_r:logbuffer_device:s0 +/dev/logbuffer_pcie1 u:object_r:logbuffer_device:s0 /dev/bbd_pwrstat u:object_r:power_stats_device:s0 /dev/lwis-act-jotnar u:object_r:lwis_device:s0 /dev/lwis-act-slenderman u:object_r:lwis_device:s0 From 029a072be5ba0e43d597cc4d3c0a63309e69d971 Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Fri, 3 Feb 2023 13:08:30 +0000 Subject: [PATCH 726/900] Allow ssr_detector_app directory creation in system_app_data_file. Bug: 260557058 Test: m Change-Id: Ia8917316fc653465070a875a806b9707d8112230 --- whitechapel_pro/ssr_detector.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te index 3a8c56b1..2caf6d77 100644 --- a/whitechapel_pro/ssr_detector.te +++ b/whitechapel_pro/ssr_detector.te @@ -4,7 +4,7 @@ app_domain(ssr_detector_app) allow ssr_detector_app app_api_service:service_manager find; allow ssr_detector_app radio_service:service_manager find; -allow ssr_detector_app system_app_data_file:dir rw_dir_perms; +allow ssr_detector_app system_app_data_file:dir create_dir_perms; allow ssr_detector_app system_app_data_file:file create_file_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; 
From 6e04b082f7a93bfe52959497c6dd657d2f7c899c Mon Sep 17 00:00:00 2001 From: Taylor Nelms Date: Mon, 5 Dec 2022 15:21:32 +0000 Subject: [PATCH 727/900] Modify permissions to allow dumpstate process to access decon_counters node Bug: 240346564 Test: Build for Cheetah device with "user" build, check bugreport for decon_counters content Merged-In: I656ebdcd0f92f2cc3e16de19075e94ada339a39b Change-Id: I6aea0bc545805f9f066272e08f5c37f71baf304e Signed-off-by: Taylor Nelms --- whitechapel_pro/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 5ec2e546..fb54565c 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -147,6 +147,9 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/osc2_clk_kh genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c240000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c241000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c242000.drmdecon/counters u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 From 03fb0f6ceb6bfee492299b9d5a5578f5b2f50822 Mon Sep 17 00:00:00 2001 
From: Ray Chi Date: Wed, 14 Dec 2022 15:38:22 +0800 Subject: [PATCH 728/900] [DO NOT MERGE] usb: Add sepolicy for extcon access USB gadget hal will access extcon folder so that this patch will add new rule to allow USB gadget hal to access extcon. Bug: 263435622 Test: build pass Change-Id: I971732c6a40700a85df61170dcf1c3660307b96c --- whitechapel_pro/hal_usb_gadget_impl.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/whitechapel_pro/hal_usb_gadget_impl.te index ddda7eb9..361e0f71 100644 --- a/whitechapel_pro/hal_usb_gadget_impl.te +++ b/whitechapel_pro/hal_usb_gadget_impl.te @@ -19,3 +19,7 @@ allow hal_usb_gadget_impl proc_irq:file w_file_perms; # allow gadget hal to search hsi2c dir and write to usb_limit_accessory_enable/current allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; + +# allow gadget hal to access extcon node +allow hal_usb_gadget_impl sysfs_extcon:dir search; +allow hal_usb_gadget_impl sysfs_extcon:file r_file_perms; From 1d9a7c5877e9c914c159397a82a2224edabfca62 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Tue, 31 Jan 2023 15:10:41 +0000 Subject: [PATCH 729/900] WLC: Add required sysfs_wlc sepolicies The sysfs_wlc is still required for certain services like hal_health_default. Add these sepolicies to pass the tests. Bug: 267171670 Change-Id: Id2687a4ac72e04e537704d036155167b68aeca7c Signed-off-by: Ken Yang --- whitechapel_pro/hal_dumpstate_default.te | 4 ++++ whitechapel_pro/hal_health_default.te | 1 + whitechapel_pro/hal_sensors_default.te | 1 + whitechapel_pro/pixelstats_vendor.te | 3 +++ whitechapel_pro/shell.te | 3 +++ 5 files changed, 12 insertions(+) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 23832cf1..bdf64e85 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -9,6 +9,10 @@ allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; +allow hal_dumpstate_default sysfs_wlc:dir search; +allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; +allow hal_dumpstate_default sysfs_wlc:file r_file_perms; + allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index bd6efecb..f9c888d9 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -12,6 +12,7 @@ allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_health_default fwk_stats_service:service_manager find; binder_use(hal_health_default) +allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index 06f395a8..076ceaf7 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te @@ -84,3 +84,4 @@ allow hal_sensors_default sysfs_write_leds:file rw_file_perms; # Allow access to the power supply files for MagCC. r_dir_file(hal_sensors_default, sysfs_batteryinfo) +allow hal_sensors_default sysfs_wlc:dir r_dir_perms; diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 23bff0ba..48fd6e8f 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te 
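Review bot: `allow hal_dumpstate_default sysfs_wlc:dir search;` is redundant with the line right after it, `allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;`, because r_dir_perms already includes search. Dropping the first line leaves the granted access unchanged and matches how the neighbouring sysfs_exynos_bts rules in this file are written.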
@@ -6,6 +6,9 @@ hwbinder_use(pixelstats_vendor) allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; +# Wireless charge +allow pixelstats_vendor sysfs_wlc:dir search; +allow pixelstats_vendor sysfs_wlc:file rw_file_perms; # Wireless charge/OrientationCollector get_prop(pixelstats_vendor, hwservicemanager_prop); hwbinder_use(pixelstats_vendor); diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te index 978a5426..44ae0768 100644 --- a/whitechapel_pro/shell.te +++ b/whitechapel_pro/shell.te @@ -3,3 +3,6 @@ userdebug_or_eng(` allow shell sysfs_sjtag:dir r_dir_perms; allow shell sysfs_sjtag:file rw_file_perms; ') + +# wlc +dontaudit shell sysfs_wlc:dir search; From b05ec9c753955c3e385ac6d6537a54f65d09fcc2 Mon Sep 17 00:00:00 2001 From: Subrahmanyaman Date: Tue, 7 Feb 2023 22:15:58 +0000 Subject: [PATCH 730/900] Map AIDL Gatekeeper to same policy as HIDL version Bug: 268342724 Test: VtsHalGatekeeperTargetTest Change-Id: Ic2849f8f00aea80e707a85334364f8ecfe7a64e3 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 83232f1e..318d29f6 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -19,6 +19,7 @@ /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 +/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 
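Review bot: `allow pixelstats_vendor sysfs_wlc:file rw_file_perms;` gives pixelstats write access to the wireless-charger sysfs nodes, whereas every other domain touched by this commit (hal_dumpstate_default, hal_health_default, hal_sensors_default) gets read-only or search access. The commit message only says the rules are needed to pass tests, which does not justify write; if pixelstats reads these nodes for reporting, `r_file_perms` is sufficient, otherwise the new comment should name what it writes, e.g. `# Wireless charge (writes <node> to <purpose>)`.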
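Review bot: `dontaudit shell sysfs_wlc:dir search;` in the shell.te hunk suppresses the denial on all builds, outside the userdebug_or_eng block just above it, and carries no bug reference. A dontaudit hides the denial from the boot denial tests as well as from logs, so if this is only test noise it belongs in tracking_denials with a `# b/<bug>` line like the other entries there (tracking_denials/hal_drm_widevine.te later in this series shows the convention); if shell legitimately needs the directory, an allow rule with a comment naming the caller is clearer than silencing it.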
From 4c372ff5cd9c4a26aa64af33f757f7d8dd989503 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Fri, 10 Feb 2023 10:20:48 +0800 Subject: [PATCH 731/900] Update SELinux error Test: scanBugreport Bug: 268147113 Bug: 268566483 Bug: 268147092 Change-Id: Ia0755baf0d2b9cd02e9d69da29cf87120ae13bbe --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f2b65774..db7752dd 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,13 +1,16 @@ cat_engine_service_app system_app_data_file dir b/238705599 +dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 dumpstate hal_input_processor_default process b/238260726 dumpstate incident process b/239632439 dumpstate system_data_file dir b/239484651 hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_drm_widevine default_prop file b/237492145 +hal_dumpstate_default dump_thermal process b/268566483 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 +incidentd incidentd anon_inode b/268147092 init-insmod-sh vendor_ready_prop property_service b/239364360 kernel vendor_charger_debugfs dir b/238571150 kernel vendor_usb_debugfs dir b/227121550 From 333b450ee7544e34a7ea945405f18d965e787710 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Feb 2023 12:39:37 +0800 Subject: [PATCH 732/900] move tablet settings to gs-common Bug: 240530709 Test: adb bugreport Change-Id: I2bac842aaab1737b2fcecd232e82d49f00439607 --- whitechapel_pro/file.te | 1 - whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_dumpstate_default.te | 7 ------- 3 files changed, 9 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 740eebb9..80f42f25 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -77,7 +77,6 @@ type persist_sensor_reg_file, file_type, vendor_persist_type; type persist_ss_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; type persist_display_file, file_type, vendor_persist_type; -type persist_leds_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 34232390..df0a82c4 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -222,7 +222,6 @@ /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 -/mnt/vendor/persist/led(/.*)? u:object_r:persist_leds_file:s0 # Extra mount images /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index bdf64e85..2ae050ab 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -72,13 +72,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; -userdebug_or_eng(` - allow hal_dumpstate_default sysfs_leds:dir search; - allow hal_dumpstate_default sysfs_leds:file rw_file_perms; - allow hal_dumpstate_default persist_file:dir search; - r_dir_file(hal_dumpstate_default, persist_leds_file); -') - get_prop(hal_dumpstate_default, vendor_camera_debug_prop); get_prop(hal_dumpstate_default, vendor_camera_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) From 6defd8cbc8be14b8387fc3877b1894310cf51f78 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 14 Feb 2023 11:34:54 +0800 Subject: [PATCH 733/900] Move memory dump to gs-common Bug: 240530709 Test: adb bugreport Change-Id: I304899f1c9eb1a77ef7559194ab4cfed9daf30ef --- whitechapel_pro/dumpstate.te | 1 - whitechapel_pro/file.te | 2 -- whitechapel_pro/genfs_contexts | 2 -- whitechapel_pro/hal_dumpstate_default.te | 6 ------ 4 files changed, 11 deletions(-) diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te index 8ff47509..eaab9b2f 100644 --- a/whitechapel_pro/dumpstate.te +++ b/whitechapel_pro/dumpstate.te @@ -14,4 +14,3 @@ allow dumpstate modem_userdata_file:dir r_dir_perms; allow dumpstate modem_img_file:dir r_dir_perms; allow dumpstate fuse:dir search; -dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 80f42f25..3a0f932a 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -60,9 +60,7 @@ type vendor_usb_debugfs, fs_type, debugfs_type; type vendor_charger_debugfs, fs_type, debugfs_type; type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; -type vendor_dmabuf_debugfs, fs_type, debugfs_type; type vendor_dri_debugfs, fs_type, debugfs_type; -type vendor_page_pinner_debugfs, fs_type, debugfs_type; type vendor_cma_debugfs, fs_type, debugfs_type; # vendor extra images diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index ebb78283..dc1f8836 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -190,7 +190,6 @@ genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object # debugfs genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 -genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 @@ -200,7 +199,6 @@ genfscon debugfs /max77729_pmic u:object genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0 -genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0 genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0 # Battery diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 2ae050ab..8dfe7cb7 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -89,14 +89,11 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search; - allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; allow hal_dumpstate_default debugfs_tracing_instances:dir search; allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms; allow hal_dumpstate_default sysfs_vendor_metrics:dir search; 
@@ -119,14 +116,11 @@ dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; -dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; -dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; dontaudit hal_dumpstate_default debugfs_tracing_instances:dir search; dontaudit hal_dumpstate_default debugfs_tracing_instances:file r_file_perms; dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search; From 3a7647d59cc9e28a396d44d63ba88aaa87e69b59 Mon Sep 17 00:00:00 2001 From: Ray Chi Date: Wed, 14 Dec 2022 15:38:22 +0800 Subject: [PATCH 734/900] [DO NOT MERGE] usb: Add sepolicy for extcon access USB gadget hal will access extcon folder so that this patch will add new rule to allow USB gadget hal to access extcon. Bug: 263435622 Test: build pass Change-Id: I971732c6a40700a85df61170dcf1c3660307b96c (cherry picked from commit 03fb0f6ceb6bfee492299b9d5a5578f5b2f50822) Merged-In: I971732c6a40700a85df61170dcf1c3660307b96c --- whitechapel_pro/hal_usb_gadget_impl.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/whitechapel_pro/hal_usb_gadget_impl.te index ddda7eb9..361e0f71 100644 --- a/whitechapel_pro/hal_usb_gadget_impl.te +++ b/whitechapel_pro/hal_usb_gadget_impl.te 
@@ -19,3 +19,7 @@ allow hal_usb_gadget_impl proc_irq:file w_file_perms; # allow gadget hal to search hsi2c dir and write to usb_limit_accessory_enable/current allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; + +# allow gadget hal to access extcon node +allow hal_usb_gadget_impl sysfs_extcon:dir search; +allow hal_usb_gadget_impl sysfs_extcon:file r_file_perms; From 1a72a34a919dcb887786ad3cdefa2de8ddd193d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Wed, 15 Feb 2023 10:35:26 +1100 Subject: [PATCH 735/900] Remove bug_map entry for incident hal_input_processor_default was fixed in b/219172252 Bug: 239632439 Test: presubmit Change-Id: Idaa9bff7130d54bf24260e26b43605a60dcb7525 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index db7752dd..ad15880a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,8 +1,6 @@ cat_engine_service_app system_app_data_file dir b/238705599 dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 -dumpstate hal_input_processor_default process b/238260726 -dumpstate incident process b/239632439 dumpstate system_data_file dir b/239484651 hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_drm_widevine default_prop file b/237492145 From d1daf18a6a23ab576badb29233bf643f54c01fe3 Mon Sep 17 00:00:00 2001 From: Jeffrey Kardatzke Date: Tue, 14 Feb 2023 15:11:39 -0800 Subject: [PATCH 736/900] tracking_denials: Remove b/237492145 Bug: 237492145 Test: TreeHugger Change-Id: I2874665d4166e951de6b9f6ab15be62a35777ad2 --- tracking_denials/bug_map | 1 - tracking_denials/hal_drm_widevine.te | 2 -- 2 files changed, 3 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ad15880a..b944d0e1 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -3,7 +3,6 @@ dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 dumpstate system_data_file dir b/239484651 hal_contexthub_default fwk_stats_service service_manager b/241714943 -hal_drm_widevine default_prop file b/237492145 hal_dumpstate_default dump_thermal process b/268566483 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te index b0124389..cfe7fcf7 100644 --- a/tracking_denials/hal_drm_widevine.te +++ b/tracking_denials/hal_drm_widevine.te @@ -1,4 +1,2 @@ # b/229209076 dontaudit hal_drm_widevine vndbinder_device:chr_file { read }; -# b/237492145 -dontaudit hal_drm_widevine default_prop:file { read }; From 8c4ca7b5a48ee219b3724bbe152ee68e6fc73d75 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 12 Sep 2022 14:47:57 +0800 Subject: [PATCH 737/900] remove same_process_hal access from gxp firmware Bug: 246218258 Test: boot with no relevant SELinux errors Change-Id: I52c82ff4c70cb16057cf719059f63c3f9c381c46 --- tracking_denials/kernel.te | 2 -- whitechapel_pro/file_contexts | 1 - 2 files changed, 3 deletions(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 4238f339..a2e21639 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,4 +1,2 @@ -# b/246218258 -allow kernel same_process_hal_file:file r_file_perms; # b/227121550 dontaudit kernel vendor_votable_debugfs:dir search; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 300e836f..36ccdc92 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -47,7 +47,6 @@ # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 -/vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0 # Vendor libraries /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 
From 55d345c5e86701f03ea1f7306aa01719301976c9 Mon Sep 17 00:00:00 2001 From: Ken Tsou Date: Thu, 16 Feb 2023 10:34:13 +0800 Subject: [PATCH 738/900] hal_health_default: allow to access persist.vendor.shutdown.* msg='avc: denied { set } for property=persist.vendor.shutdown.voltage_avg pid=908 uid=1000 gid=1000 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0' Bug: 266181615 Change-Id: Ia87610f0363bbfbe4fe446244b44818c273841f4 Signed-off-by: Ken Tsou --- whitechapel_pro/hal_health_default.te | 1 + whitechapel_pro/property.te | 1 + whitechapel_pro/property_contexts | 1 + 3 files changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index 6c3c6940..eeaab1a7 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -4,6 +4,7 @@ allow hal_health_default persist_battery_file:file create_file_perms; allow hal_health_default persist_battery_file:dir rw_dir_perms; set_prop(hal_health_default, vendor_battery_defender_prop) +set_prop(hal_health_default, vendor_shutdown_prop) # Access to /sys/devices/platform/14700000.ufs/* allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms; diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index b5bf04c2..080a186e 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -11,6 +11,7 @@ vendor_internal_prop(vendor_nfc_prop) vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_battery_profile_prop) vendor_internal_prop(vendor_battery_defender_prop) +vendor_internal_prop(vendor_shutdown_prop) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_camera_prop) vendor_internal_prop(vendor_camera_debug_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 32b304b1..6707794a 100644 --- a/whitechapel_pro/property_contexts 
+++ b/whitechapel_pro/property_contexts @@ -57,6 +57,7 @@ persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_pro # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 +persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0 # NFC persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 From 62eebf952ffdb477401bf48c49f8b3f76abcb633 Mon Sep 17 00:00:00 2001 From: leochuang Date: Tue, 21 Feb 2023 08:49:55 +0800 Subject: [PATCH 739/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 270079857 Change-Id: I1755253d915e7d9ff1fe624ecf8e6439f7a1bcd6 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b944d0e1..b7acf725 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -22,3 +22,4 @@ shell rootfs file b/239484612 shell sscoredump_vendor_data_crashinfo_file dir b/241714944 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 +vndservicemanager hal_keymint_citadel binder b/270079857 From 4183daf7f19e5bb80abe87a9b7ab07ee1cd0e1ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Wagner?= Date: Tue, 27 Dec 2022 14:00:23 +0000 Subject: [PATCH 740/900] Update Mali DDK to r40 : Additional SELinux settings Expose DDK's dynamic configuration options through the Android Sysprop interface, following recommendations from Arm's Android Integration Manual. b/261718474 Change-Id: I75457d2d4f6e37bdd85329bac7fd81327cfff628 --- whitechapel_pro/domain.te | 4 ++++ whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/vendor_init.te | 3 +++ 4 files changed, 13 insertions(+) diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te index fd876e09..ad32036f 100644 --- a/whitechapel_pro/domain.te +++ b/whitechapel_pro/domain.te 
@@ -1,2 +1,6 @@ allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms; allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms; + +# Mali +get_prop(domain, vendor_arm_runtime_option_prop) + diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index d276e851..2ea19553 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -38,3 +38,6 @@ vendor_internal_prop(vendor_telephony_app_prop) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) + +# Mali Integration +vendor_public_prop(vendor_arm_runtime_option_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index acc73a66..947018e8 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -102,3 +102,6 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop: # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 + +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index dfbd3d75..acf6b05d 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -38,3 +38,6 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms; # Trusty storage FS ready get_prop(vendor_init, vendor_trusty_storage_prop) + +# Mali +set_prop(vendor_init, vendor_arm_runtime_option_prop) From 12a731b61ea4075f1016d2b55903842db0386ff6 Mon Sep 17 00:00:00 2001 From: Salmax Chang Date: Wed, 1 Mar 2023 01:17:49 +0800 Subject: [PATCH 741/900] modem_svc_sit: grant modem property access Bug: 247669574 Change-Id: I02f58f04ee0daca9cabb055ed2fb7fe2653831af --- whitechapel_pro/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te index d1c90a77..fa5298f8 100644 --- a/whitechapel_pro/modem_svc_sit.te 
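Review bot: `get_prop(domain, vendor_arm_runtime_option_prop)` in domain.te makes vendor.mali.* readable by every process on the device, including untrusted apps, and the hunk also adds a trailing `+` blank line at the end of the file. Because the property.te hunk declares it with vendor_public_prop and the vendor_init.te hunk is the only set_prop, this is permitted, but the comment should record the contract so the property is never reused for anything sensitive, e.g. `# Mali DDK runtime options: world-readable, set only by vendor_init; must not carry secrets`. The extra blank line after the rule can be dropped.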
+++ b/whitechapel_pro/modem_svc_sit.te @@ -24,6 +24,9 @@ allow modem_svc_sit modem_userdata_file:file create_file_perms; # RIL property get_prop(modem_svc_sit, vendor_rild_prop) +# Modem property +set_prop(modem_svc_sit, vendor_modem_prop) + # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) From 3c494301c8bd463b38ac5006d638a790ece79f68 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 7 Mar 2023 12:35:16 +0800 Subject: [PATCH 742/900] Move display dump to gs-common Bug: 269212897 Test: adb bugreport Change-Id: I8d2d0413987629bd3774034a5f99f5b7feb4b3ba --- whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 1 - whitechapel_pro/genfs_contexts | 1 - whitechapel_pro/hal_dumpstate_default.te | 12 ------------ whitechapel_pro/vndservice.te | 1 - whitechapel_pro/vndservice_contexts | 1 - 6 files changed, 18 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 3a0f932a..5b5b82e1 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -1,7 +1,6 @@ # Data type rild_vendor_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; -type vendor_hwc_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; @@ -60,7 +59,6 @@ type vendor_usb_debugfs, fs_type, debugfs_type; type vendor_charger_debugfs, fs_type, debugfs_type; type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; -type vendor_dri_debugfs, fs_type, debugfs_type; type vendor_cma_debugfs, fs_type, debugfs_type; # vendor extra images diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 36ccdc92..87fc1d94 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -196,7 +196,6 @@ /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 -/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index dc1f8836..a7c8a48a 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -198,7 +198,6 @@ genfscon debugfs /max77759_chg u:object genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 -genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0 genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0 # Battery diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 8dfe7cb7..fccaed7f 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -3,9 +3,6 @@ allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; allow hal_dumpstate_default sysfs_cpu:file r_file_perms; -allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; - allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; 
@@ -52,11 +49,6 @@ allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; allow hal_dumpstate_default proc_f2fs:file r_file_perms; -allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; -binder_call(hal_dumpstate_default, hal_graphics_composer_default); -allow hal_dumpstate_default sysfs_display:dir r_dir_perms; -allow hal_dumpstate_default sysfs_display:file r_file_perms; - vndbinder_use(hal_dumpstate_default) allow hal_dumpstate_default shell_data_file:file getattr; @@ -92,8 +84,6 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; allow hal_dumpstate_default debugfs_tracing_instances:dir search; allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms; allow hal_dumpstate_default sysfs_vendor_metrics:dir search; @@ -107,8 +97,6 @@ userdebug_or_eng(` ') dontaudit hal_dumpstate_default mnt_vendor_file:dir search; -dontaudit hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; dontaudit hal_dumpstate_default debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te index 7f116c48..bd59e836 100644 --- a/whitechapel_pro/vndservice.te +++ b/whitechapel_pro/vndservice.te @@ -1,4 +1,3 @@ type rls_service, vndservice_manager_type; -type vendor_displaycolor_service, vndservice_manager_type; type vendor_surfaceflinger_vndservice, vndservice_manager_type; type eco_service, vndservice_manager_type; 
diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts index e7fb4338..16ae43a4 100644 --- a/whitechapel_pro/vndservice_contexts +++ b/whitechapel_pro/vndservice_contexts @@ -1,4 +1,3 @@ rlsservice u:object_r:rls_service:s0 -displaycolor u:object_r:vendor_displaycolor_service:s0 Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 media.ecoservice u:object_r:eco_service:s0 From 3758cdb733b1bbc20a866917c720682254776d1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 9 Mar 2023 20:12:27 +0000 Subject: [PATCH 743/900] Clean up Google Camera App tracking_denials. EdgeTPU access is already allowed. Vendor property access should be denied and is not an error (most likely from library code that tries to access nonexistent Mediatek-specific properties). Fix: 209889068 Test: presubmit, run GCA Change-Id: Id200da6627ceae1ca6315ea9b4473f61fdc285d0 --- tracking_denials/google_camera_app.te | 8 -------- whitechapel_pro/google_camera_app.te | 3 +++ 2 files changed, 3 insertions(+), 8 deletions(-) delete mode 100644 tracking_denials/google_camera_app.te diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te deleted file mode 100644 index 72796c22..00000000 --- a/tracking_denials/google_camera_app.te +++ /dev/null @@ -1,8 +0,0 @@ -# b/209889068 -dontaudit google_camera_app edgetpu_app_service:service_manager { find }; -dontaudit google_camera_app edgetpu_device:chr_file { ioctl }; -dontaudit google_camera_app edgetpu_device:chr_file { map }; -dontaudit google_camera_app edgetpu_device:chr_file { read write }; -dontaudit google_camera_app vendor_default_prop:file { getattr }; -dontaudit google_camera_app vendor_default_prop:file { map }; -dontaudit google_camera_app vendor_default_prop:file { open }; diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te index 43e3c16e..d73cd3db 100644 --- a/whitechapel_pro/google_camera_app.te 
+++ b/whitechapel_pro/google_camera_app.te @@ -21,3 +21,6 @@ hal_client_domain(google_camera_app, hal_power) # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; + +# Library code may try to access vendor properties, but should be denied +dontaudit google_camera_app vendor_default_prop:file { getattr map open }; From c50fcf47940c77471035e841eda30f4657c7bbe1 Mon Sep 17 00:00:00 2001 From: Jasmine Cha Date: Wed, 8 Mar 2023 13:07:10 +0800 Subject: [PATCH 744/900] audio: move sepolicy about audio to gs-common Bug: 259161622 Test: build pass and check with audio ext hidl/aidl Change-Id: Id9fa7130db9b94a25381d10984ad245658847345 Signed-off-by: Jasmine Cha --- whitechapel_pro/rild.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 7b8bc1c7..559fa674 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -32,7 +32,6 @@ binder_call(rild, logger_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) -allow rild hal_audio_ext_hwservice:hwservice_manager find; # Allow rild to access files on modem img. allow rild modem_img_file:dir r_dir_perms; From fc86ce114c7e4dd2372e5b2fb83809a0843b387f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 10 Mar 2023 12:14:54 +0800 Subject: [PATCH 745/900] move modem operation to dump_modemlog Bug: 240530709 Test: adb bugreport Change-Id: I1b5c7defc0b6cb04899d03f1f71f0ac1fe21ed80 --- whitechapel_pro/hal_dumpstate_default.te | 5 ----- 1 file changed, 5 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index fccaed7f..9b403c6d 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
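Review bot: The new `dontaudit google_camera_app vendor_default_prop:file { getattr map open };` suppresses these denials permanently, and its comment states the intent but not the reason given in the commit message, so a reader cannot distinguish a deliberately silenced probe from an untracked regression. Carry the justification and bug into the comment: `# b/209889068: library code probes vendor properties that do not exist on this device; the denial is expected and intentionally not logged`. Because `dontaudit` also hides the denial if the app later genuinely needs a vendor_default_prop, the suppression should stay limited to exactly these three permissions.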
@@ -40,10 +40,6 @@ allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; -allow hal_dumpstate_default modem_efs_file:dir search; -allow hal_dumpstate_default modem_efs_file:file r_file_perms; -allow hal_dumpstate_default vendor_slog_file:file r_file_perms; - allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; @@ -67,7 +63,6 @@ allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; get_prop(hal_dumpstate_default, vendor_camera_debug_prop); get_prop(hal_dumpstate_default, vendor_camera_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) -set_prop(hal_dumpstate_default, vendor_modem_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) set_prop(hal_dumpstate_default, vendor_logger_prop) From b38886146a0cbd6222b1dc8c55a7f1faf1422697 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Fri, 10 Mar 2023 15:25:51 +0800 Subject: [PATCH 746/900] SSRestarDetector: modify the SELinux policy to allow access files owned by system for Whitechapel Pro. It needs to access a file pushed by hosts of test suites (details: http://go/pd-client-for-lab#heading=h.wtp07hbqvwgx) Bug: 234359369 Design: http://go/pd-client-for-lab Test: manual (http://b/271555983#comment3) Change-Id: I0ecc64407118107860db434f0eb22cab0f55a2ba --- whitechapel_pro/ssr_detector.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te index 60ec1bb5..2caf6d77 100644 --- a/whitechapel_pro/ssr_detector.te +++ b/whitechapel_pro/ssr_detector.te 
@@ -4,7 +4,8 @@ app_domain(ssr_detector_app) allow ssr_detector_app app_api_service:service_manager find; allow ssr_detector_app radio_service:service_manager find; -allow ssr_detector_app system_app_data_file:dir r_dir_perms; +allow ssr_detector_app system_app_data_file:dir create_dir_perms; +allow ssr_detector_app system_app_data_file:file create_file_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; From 915841aadabce0723a1bfb79bbca8dabdd47867f Mon Sep 17 00:00:00 2001 From: Jasmine Cha Date: Mon, 13 Mar 2023 10:55:25 +0800 Subject: [PATCH 747/900] audio: move set_prop to gs-common Bug: 259161622 Test: build pass Change-Id: If9c6d5641a05768446a7b618e447a1d11ad5daab Signed-off-by: Jasmine Cha --- whitechapel_pro/vendor_init.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index dfbd3d75..0118ddbe 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -11,7 +11,6 @@ set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, logpersistd_logging_prop) set_prop(vendor_init, vendor_logger_prop) -set_prop(vendor_init, vendor_audio_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file w_file_perms; From f5a068e2bfa6b0ddd59f72dcaa11560fa1d54e63 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 14 Mar 2023 10:51:44 +0800 Subject: [PATCH 748/900] use gs-common soc dump Bug: 273380509 Test: adb bugreport Change-Id: I81cd197c1a7c9f19ad9a3c30b65b4499de04b184 --- whitechapel_pro/file.te | 3 --- whitechapel_pro/genfs_contexts | 13 ------------- whitechapel_pro/hal_dumpstate_default.te | 3 --- 3 files changed, 19 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 5b5b82e1..9d1cc959 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
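Review bot: Replacing `r_dir_perms` with `create_dir_perms` and adding `system_app_data_file:file create_file_perms` gives an app domain create, write and unlink rights over the private data of every system app, while the commit message only describes reading a file that the test host pushes. If the detector only consumes that file, `allow ssr_detector_app system_app_data_file:dir r_dir_perms;` and `allow ssr_detector_app system_app_data_file:file r_file_perms;` are sufficient. If it must write, a comment should state what it writes, and labelling a dedicated type under the detector's own path would be preferable to widening access to system_app_data_file as a whole.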
@@ -40,13 +40,10 @@ type bootdevice_sysdev, dev_type; type sysfs_fabric, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_wifi, sysfs_type, fs_type; -type sysfs_exynos_bts, sysfs_type, fs_type; -type sysfs_exynos_bts_stats, sysfs_type, fs_type; type sysfs_exynos_pcie_stats, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; -type sysfs_cpu, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; type sysfs_write_leds, sysfs_type, fs_type; type sysfs_pca, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index a7c8a48a..64d90d47 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -1,22 +1,9 @@ -# Exynos -genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0 -genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0 - genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 # EdgeTPU genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0 # CPU -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/28000000.mali/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/28000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 9b403c6d..f303e9a0 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -10,9 +10,6 @@ allow hal_dumpstate_default sysfs_wlc:dir search; allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; allow hal_dumpstate_default sysfs_wlc:file r_file_perms; -allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; -allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; - allow hal_dumpstate_default sysfs_exynos_pcie_stats:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_pcie_stats:file r_file_perms; From 0e62b47df908713118b58a5e1de3104254486c99 Mon Sep 17 00:00:00 2001 From: Mahesh Kallelil Date: Wed, 15 Mar 2023 15:45:32 -0700 Subject: [PATCH 749/900] Update selinux-policy for ModemService. Allowing the ModemService write access to the sysfs attribute cp_temp which is used to update the thermal zones. Test: Verified sysfs attribute security labels Bug: 267485434 Change-Id: I0915969bfa6354e1884088476fc59cd8027bd2f1 Signed-off-by: Mahesh Kallelil --- whitechapel_pro/file.te | 1 + whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/modem_svc_sit.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 9d1cc959..4f3e7edc 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -83,6 +83,7 @@ type vendor_dumpsys, vendor_file_type, file_type; # Modem type modem_efs_file, file_type; type modem_userdata_file, file_type; +type sysfs_modem, sysfs_type, fs_type; # SecureElement type sysfs_st33spi, sysfs_type, fs_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 64d90d47..2c2cb23e 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -60,6 +60,9 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/power_stats genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 +# Modem +genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 + # Power ODPM genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te index fa5298f8..040082e8 100644 --- a/whitechapel_pro/modem_svc_sit.te +++ b/whitechapel_pro/modem_svc_sit.te @@ -5,6 +5,9 @@ init_daemon_domain(modem_svc_sit) hwbinder_use(modem_svc_sit) binder_call(modem_svc_sit, rild) +# Grant sysfs modem access +allow modem_svc_sit sysfs_modem:file rw_file_perms; + # Grant radio device access allow modem_svc_sit radio_device:chr_file rw_file_perms; From 0f80193c30c2bc519c7cf69abff3a31a1706259b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 20 Mar 2023 11:14:44 +0800 Subject: [PATCH 750/900] use gs-common camera dump Bug: 273380509 Test: adb bugreport Change-Id: I925fbbba81a92689c4590df4a8d7529cc8b57bf8 --- whitechapel_pro/file.te | 1 - whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_dumpstate_default.te | 4 ---- whitechapel_pro/property.te | 1 - whitechapel_pro/property_contexts | 1 - 5 files changed, 8 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4f3e7edc..bb26b4fa 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
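Review bot: `allow modem_svc_sit sysfs_modem:file rw_file_perms;` is scoped by the label rather than the node, and in this patch `sysfs_modem` covers only `/devices/platform/cp-tm1/cp_temp`, so any future genfscon entry that reuses the type silently extends modem_svc_sit's write access. The comment `# Grant sysfs modem access` should record the node and purpose that the commit message gives, e.g. `# cp_temp: modem_svc_sit updates the CP temperature consumed by the thermal zones (b/267485434)`, so later additions to sysfs_modem are reviewed against this domain. The file.te declaration `type sysfs_modem, sysfs_type, fs_type;` in the same patch would benefit from the same one-line note.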
@@ -7,7 +7,6 @@ type vendor_slog_file, file_type, data_file_type; type radio_vendor_data_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; type tcpdump_vendor_data_file, file_type, data_file_type; -type vendor_camera_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 87fc1d94..76518071 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -202,7 +202,6 @@ /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 -/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index f303e9a0..07e8402b 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -1,6 +1,3 @@ -allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; - allow hal_dumpstate_default sysfs_cpu:file r_file_perms; allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; @@ -57,7 +54,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; -get_prop(hal_dumpstate_default, vendor_camera_debug_prop); get_prop(hal_dumpstate_default, vendor_camera_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) 
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index d276e851..a8fce4a7 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -14,7 +14,6 @@ vendor_internal_prop(vendor_battery_defender_prop) vendor_internal_prop(vendor_shutdown_prop) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_camera_prop) -vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_tcpdump_log_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index acc73a66..17899cd5 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -68,7 +68,6 @@ persist.vendor.display. u:object_r:vendor_display_prop:s0 # Camera persist.vendor.camera. u:object_r:vendor_camera_prop:s0 vendor.camera. u:object_r:vendor_camera_prop:s0 -vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for logger app From 831323cd8114b51bd28ac1b3b55a819dc2a0a619 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 21 Mar 2023 11:19:21 +0800 Subject: [PATCH 751/900] use gxp dump in gs-common Bug: 273380509 Test: adb bugreport;unzip *zip;tar -xvf dumpstate_board.bin And found gxp content Change-Id: I5a1e77f756a0ec045a578c4ca9bced689d8d9d9c --- whitechapel_pro/hal_dumpstate_default.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 07e8402b..4e3399b1 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -10,9 +10,6 @@ allow hal_dumpstate_default sysfs_wlc:file r_file_perms; allow hal_dumpstate_default sysfs_exynos_pcie_stats:dir r_dir_perms; allow hal_dumpstate_default sysfs_exynos_pcie_stats:file r_file_perms; -allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:dir r_dir_perms; -allow hal_dumpstate_default sscoredump_vendor_data_coredump_file:file r_file_perms; - allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; allow hal_dumpstate_default sysfs_bcl:file r_file_perms; From 28503a8706a382f7b89086b6c506e2023cad8f28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Wagner?= Date: Tue, 27 Dec 2022 14:00:23 +0000 Subject: [PATCH 752/900] Update Mali DDK to r40 : Additional SELinux settings Expose DDK's dynamic configuration options through the Android Sysprop interface, following recommendations from Arm's Android Integration Manual. Bug: 261718474 (cherry picked from commit 4183daf7f19e5bb80abe87a9b7ab07ee1cd0e1ac) Merged-In: I75457d2d4f6e37bdd85329bac7fd81327cfff628 Change-Id: Ic40d6576537fc6699e3315040236e79aba16af18 --- whitechapel_pro/domain.te | 4 ++++ whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/vendor_init.te | 3 +++ 4 files changed, 13 insertions(+) diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te index fd876e09..ad32036f 100644 --- a/whitechapel_pro/domain.te +++ b/whitechapel_pro/domain.te @@ -1,2 +1,6 @@ allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms; allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms; + +# Mali +get_prop(domain, vendor_arm_runtime_option_prop) + diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index a8fce4a7..2b16b5a9 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te 
@@ -37,3 +37,6 @@ vendor_internal_prop(vendor_telephony_app_prop) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) + +# Mali Integration +vendor_public_prop(vendor_arm_runtime_option_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 17899cd5..d8e3e033 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -101,3 +101,6 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop: # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 + +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 0118ddbe..e27855d0 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -37,3 +37,6 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms; # Trusty storage FS ready get_prop(vendor_init, vendor_trusty_storage_prop) + +# Mali +set_prop(vendor_init, vendor_arm_runtime_option_prop) From 1cdfdb426280f0dec360a471c52da8cda3bed2a1 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 22 Mar 2023 12:26:10 +0800 Subject: [PATCH 753/900] use gs-common gps dump Bug: 273380509 Test: adb bugreport Change-Id: I7d5fa2f086aeab1b94fe33b3f419d5fb58bfbda5 --- whitechapel_pro/hal_dumpstate_default.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index 4e3399b1..d5dfd1b5 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
@@ -1,8 +1,5 @@ allow hal_dumpstate_default sysfs_cpu:file r_file_perms; -allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_gps_file:file r_file_perms; - allow hal_dumpstate_default sysfs_wlc:dir search; allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; allow hal_dumpstate_default sysfs_wlc:file r_file_perms; @@ -52,7 +49,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; get_prop(hal_dumpstate_default, vendor_camera_prop) -get_prop(hal_dumpstate_default, vendor_gps_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) set_prop(hal_dumpstate_default, vendor_logger_prop) From ba0b76de163a6ff7e30f0ba14463a4b203f7baf6 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Tue, 21 Mar 2023 20:17:31 +0800 Subject: [PATCH 754/900] Allow fingerprint hal to read sysfs_leds Fix the following avc denials: avc: denied { search } for name="backlight" dev="sysfs" ino=79316 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1 avc: denied { read } for name="state" dev="sysfs" ino=79365 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1 Bug: 271072126 Test: Authenticate fingerprint. Change-Id: I9f346cb72ef660712b2bfb610df959667958c36a --- whitechapel_pro/hal_fingerprint_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te index 912776dd..8ec45a9f 100644 --- a/whitechapel_pro/hal_fingerprint_default.te +++ b/whitechapel_pro/hal_fingerprint_default.te 
@@ -33,3 +33,7 @@ binder_call(hal_fingerprint_default, hal_graphics_composer_default) # allow fingerprint to access thermal hal hal_client_domain(hal_fingerprint_default, hal_thermal); + +# allow fingerprint to read sysfs_leds +allow hal_fingerprint_default sysfs_leds:file r_file_perms; +allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; From dcc7112f6fd810177cca9f0ea963412c4977f490 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 24 Mar 2023 11:11:48 +0800 Subject: [PATCH 755/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275001783 Change-Id: I6514b7efbd02a5ddcb65ab329f0f01cc2d61e50a --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b944d0e1..f984e872 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,6 +2,8 @@ cat_engine_service_app system_app_data_file dir b/238705599 dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 dumpstate system_data_file dir b/239484651 +hal_camera_default boot_status_prop file b/275001783 +hal_camera_default edgetpu_app_service service_manager b/275001783 hal_contexthub_default fwk_stats_service service_manager b/241714943 hal_dumpstate_default dump_thermal process b/268566483 hal_power_default hal_power_default capability b/237492146 From 0350bd250be421f840345be1b11642dcaaf29f79 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 24 Mar 2023 12:41:23 +0800 Subject: [PATCH 756/900] use radio dump in gs-common Bug: 273380509 Test: adb bugreport Change-Id: I5e4318a427c0b503c47fb81ddb9e813fa9a41ab4 --- whitechapel_pro/hal_dumpstate_default.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index d5dfd1b5..42d727e0 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te 
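Review bot: The denials quoted in the commit message ask only for `search` on a sysfs_leds directory named `backlight` and `read` on its `state` file, whereas the hunk grants the full `r_dir_perms` and `r_file_perms` sets on every node labelled sysfs_leds; the macros are the conventional choice, but the comment should name the node so the breadth is a documented decision, e.g. `# read the backlight LED state under sysfs_leds (b/271072126)`. For consistency with the other rule pairs in this series, list the `:dir` rule before the `:file` rule.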
@@ -49,8 +49,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; get_prop(hal_dumpstate_default, vendor_camera_prop) -get_prop(hal_dumpstate_default, vendor_rild_prop) -get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) set_prop(hal_dumpstate_default, vendor_logger_prop) userdebug_or_eng(` From 86faa5607c74f3a929fbb3e3fcbbb44c3d0090b9 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 24 Mar 2023 12:41:23 +0800 Subject: [PATCH 757/900] use radio dump in gs-common Bug: 273380509 Test: adb bugreport Change-Id: I5e4318a427c0b503c47fb81ddb9e813fa9a41ab4 Merged-In: I5e4318a427c0b503c47fb81ddb9e813fa9a41ab4 --- whitechapel_pro/hal_dumpstate_default.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te index d5dfd1b5..42d727e0 100644 --- a/whitechapel_pro/hal_dumpstate_default.te +++ b/whitechapel_pro/hal_dumpstate_default.te @@ -49,8 +49,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; get_prop(hal_dumpstate_default, vendor_camera_prop) -get_prop(hal_dumpstate_default, vendor_rild_prop) -get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) set_prop(hal_dumpstate_default, vendor_logger_prop) userdebug_or_eng(` From a3348957899001d16a1221923674ce149bc6a554 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 28 Mar 2023 12:52:52 +0800 Subject: [PATCH 758/900] create a dump for gs201 Bug: 273380509 Test: adb bugreport Change-Id: Ic47e0d43d9a5aef4381880eabbba74633ee260a1 --- whitechapel_pro/dump_gs201.te | 5 +++++ whitechapel_pro/file_contexts | 1 + 2 files changed, 6 insertions(+) create mode 100644 whitechapel_pro/dump_gs201.te diff --git a/whitechapel_pro/dump_gs201.te b/whitechapel_pro/dump_gs201.te new file mode 100644 index 00000000..c2314753 --- /dev/null +++ b/whitechapel_pro/dump_gs201.te 
@@ -0,0 +1,5 @@ + +pixel_bugreport(dump_gs201) +allow dump_gs201 debugfs_tracing_instances:dir r_dir_perms; +allow dump_gs201 debugfs_tracing_instances:file r_file_perms; + diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 76518071..3a354adc 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -44,6 +44,7 @@ /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 +/vendor/bin/dump/dump_gs201 u:object_r:dump_gs201_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 From bb305281856a1b33c91717ea58061045d55329fc Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 29 Mar 2023 10:49:39 +0800 Subject: [PATCH 759/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275645892 Change-Id: Ib6aa5d2fe4a401cadc02a60b06725156f37aaccf --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f984e872..f132d62c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -24,3 +24,4 @@ shell rootfs file b/239484612 shell sscoredump_vendor_data_crashinfo_file dir b/241714944 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 +system_app proc_pagetypeinfo file b/275645892 From 933e6a172bdbee9962c9da6d96d7c2b6d6ae958d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 29 Mar 2023 13:04:17 +0800 Subject: [PATCH 760/900] Move power dump out of hal_dumpstate_default Bug: 273380509 Test: adb bugreport Change-Id: I0963af3f8f90b4f05724df31017b0d21d10c59ca --- whitechapel_pro/dump_power_gs201.te | 27 +++++++++++++++++++++++++++ whitechapel_pro/file_contexts | 1 + 2 files changed, 28 insertions(+) create mode 100644 whitechapel_pro/dump_power_gs201.te 
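Review bot: Both debugfs_tracing_instances rules in the new dump_gs201.te are unconditional, whereas the hal_dumpstate_default.te policy this dump is being carved out of only granted that type inside `userdebug_or_eng(` (the deletion hunk in patch 766 shows `allow hal_dumpstate_default debugfs_tracing_instances:dir search;` and the file rule under that wrapper, with matching dontaudit lines outside it). If the tracing instances are only collected on debug builds, wrapping the two allow rules in `userdebug_or_eng(` … `')` as dump_power_gs201.te does for its debugfs rules keeps the user-build surface unchanged. The file also starts and ends with an empty line, which the other .te files in this tree do not. Note that patch 770 later deletes this file again, so this only affects the intermediate revisions.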
diff --git a/whitechapel_pro/dump_power_gs201.te b/whitechapel_pro/dump_power_gs201.te new file mode 100644 index 00000000..6c6ca245 --- /dev/null +++ b/whitechapel_pro/dump_power_gs201.te @@ -0,0 +1,27 @@ + +pixel_bugreport(dump_power_gs201) +allow dump_power_gs201 sysfs_acpm_stats:dir r_dir_perms; +allow dump_power_gs201 sysfs_acpm_stats:file r_file_perms; +allow dump_power_gs201 sysfs_cpu:file r_file_perms; +allow dump_power_gs201 vendor_toolbox_exec:file execute_no_trans; +allow dump_power_gs201 logbuffer_device:chr_file r_file_perms; +allow dump_power_gs201 mitigation_vendor_data_file:dir r_dir_perms; +allow dump_power_gs201 sysfs:dir r_dir_perms; +allow dump_power_gs201 sysfs_batteryinfo:dir r_dir_perms; +allow dump_power_gs201 sysfs_batteryinfo:file r_file_perms; +allow dump_power_gs201 sysfs_bcl:dir r_dir_perms; +allow dump_power_gs201 sysfs_bcl:file r_file_perms; +allow dump_power_gs201 sysfs_wlc:dir r_dir_perms; +allow dump_power_gs201 sysfs_wlc:file r_file_perms; + +userdebug_or_eng(` + allow dump_power_gs201 debugfs:dir r_dir_perms; + allow dump_power_gs201 vendor_battery_debugfs:dir r_dir_perms; + allow dump_power_gs201 vendor_battery_debugfs:file r_file_perms; + allow dump_power_gs201 vendor_charger_debugfs:dir r_dir_perms; + allow dump_power_gs201 vendor_charger_debugfs:file r_file_perms; + allow dump_power_gs201 vendor_pm_genpd_debugfs:file r_file_perms; + allow dump_power_gs201 vendor_maxfg_debugfs:dir r_dir_perms; + allow dump_power_gs201 vendor_votable_debugfs:dir r_dir_perms; + allow dump_power_gs201 vendor_votable_debugfs:file r_file_perms; +') diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 3a354adc..4054e6f7 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
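Review bot: The new domain carries over `mitigation_vendor_data_file:dir r_dir_perms` from hal_dumpstate_default but drops the companion `mitigation_vendor_data_file:file r_file_perms` that the old policy had (visible in the patch 766 deletion hunk); if the power dump reads files under that directory rather than only listing it, add `allow dump_power_gs201 mitigation_vendor_data_file:file r_file_perms;`. The file also opens with an empty line and has no header comment; a one-liner such as `# Power/battery section of the bugreport, moved out of hal_dumpstate_default (b/273380509)` would tell readers why this domain exists.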
@@ -45,6 +45,7 @@ /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 /vendor/bin/dump/dump_gs201 u:object_r:dump_gs201_exec:s0 +/vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 From 33b2f0043c43bdfa728adc553cd2601ab19bb847 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 31 Mar 2023 10:55:21 +0800 Subject: [PATCH 761/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 276386138 Bug: 276385494 Change-Id: Idcd05416ca84e0b47629637f8d3287a40d80a6ab --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f132d62c..d05de12f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ cat_engine_service_app system_app_data_file dir b/238705599 +dex2oat privapp_data_file dir b/276386138 dump_pixel_metrics sysfs file b/268147113 dumpstate app_zygote process b/237491813 dumpstate system_data_file dir b/239484651 @@ -25,3 +26,4 @@ shell sscoredump_vendor_data_crashinfo_file dir b/241714944 shell system_dlkm_file dir b/239484612 su modem_img_file filesystem b/240653918 system_app proc_pagetypeinfo file b/275645892 +system_server privapp_data_file lnk_file b/276385494 From 0161b6fbfa0064ba595abd4c855f6d0c01db5fb9 Mon Sep 17 00:00:00 2001 
From: feiyuchen Date: Tue, 4 Apr 2023 21:30:45 +0000 Subject: [PATCH 762/900] Allow camera HAL to access edgetpu_app_service in gs201 We are seeing SELinux error b/276911450. It turns out that I only added the SE policy for 2023 device ag/22248613, but I forgot to add it for gs101 and gs201. So I created this CL. See more background in ag/22248613. Test: For gs201, I tested on my Pixel7 and I saw no more error. For gs101, I just did mm. Bug: 275016466 Bug: 276911450 Change-Id: I223770eb0bc7e09a5dfb4f4188b7fc605c3d1a61 --- whitechapel_pro/hal_camera_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index ba2b5304..96f272d6 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te @@ -23,6 +23,10 @@ allow hal_camera_default sysfs_edgetpu:dir r_dir_perms; allow hal_camera_default sysfs_edgetpu:file r_file_perms; allow hal_camera_default edgetpu_vendor_service:service_manager find; binder_call(hal_camera_default, edgetpu_vendor_server) +# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging +# library has a dependency on edgetpu_app_service, see b/275016466. +allow hal_camera_default edgetpu_app_service:service_manager find; +binder_call(hal_camera_default, edgetpu_app_server) # Allow the camera hal to access the GXP device. allow hal_camera_default gxp_device:chr_file rw_file_perms; From 1f54dc72561df7145c246006a162cc5e3e677fc2 Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Fri, 17 Mar 2023 00:33:30 +0000 Subject: [PATCH 763/900] Support sending vendor command to GL852G via libusbhost libusbhost need access to USB device fs. Bug: 261923350 Test: no audit log in logcat after command execution Change-Id: I4b0c8cc750eff12d2494504f9f215d5b1bab35fd --- whitechapel_pro/hal_usb_impl.te | 5 +++++ 1 file changed, 5 insertions(+) 
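Review bot: The new `allow hal_camera_default edgetpu_app_service:service_manager find;` resolves the denial that patch 755 recorded in tracking_denials/bug_map as `hal_camera_default edgetpu_app_service service_manager b/275001783`, but that bug_map entry is not removed here, and the "Remove obsolete entries" hunk of patch 767 later in this series still leaves it in place (it appears among that hunk's context lines). Drop the bug_map line together with this change so the tracking list does not keep an exception for an access that is now allowed. The `hal_camera_default boot_status_prop file` entry filed under the same bug is not addressed by this hunk.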
diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te index a5da3ce1..5d2a65e7 100644 --- a/whitechapel_pro/hal_usb_impl.te +++ b/whitechapel_pro/hal_usb_impl.te @@ -24,3 +24,8 @@ hal_client_domain(hal_usb_impl, hal_thermal); # For reading the usb-c throttling stats allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; + +# For issuing vendor commands to USB hub via libusbhost +allow hal_usb_impl device:dir r_dir_perms; +allow hal_usb_impl usb_device:chr_file rw_file_perms; +allow hal_usb_impl usb_device:dir r_dir_perms; From 187dcc4e0829a58965a9494267d15f535b1ecc6a Mon Sep 17 00:00:00 2001 From: Victor Liu Date: Thu, 27 Oct 2022 13:06:39 -0700 Subject: [PATCH 764/900] uwb: add permission for ccc ranging Bug: 255649425 Change-Id: I83ce369e52f382d76723b2b045e09607483a0a6a --- whitechapel_pro/hal_nfc_default.te | 2 ++ whitechapel_pro/property.te | 2 ++ whitechapel_pro/property_contexts | 2 ++ whitechapel_pro/uwb_vendor_app.te | 4 ++++ 4 files changed, 10 insertions(+) diff --git a/whitechapel_pro/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te index 247ca3d7..11e0617b 100644 --- a/whitechapel_pro/hal_nfc_default.te +++ b/whitechapel_pro/hal_nfc_default.te @@ -13,3 +13,5 @@ allow hal_nfc_default uwb_data_vendor:file r_file_perms; # allow nfc to read uwb calibration file get_prop(hal_nfc_default, vendor_uwb_calibration_prop) +get_prop(hal_nfc_default, vendor_uwb_calibration_country_code) + diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 2b16b5a9..d57ce902 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -28,6 +28,8 @@ vendor_internal_prop(vendor_fingerprint_prop) # UWB calibration system_vendor_config_prop(vendor_uwb_calibration_prop) +# Country code must be vendor_public to be written by UwbVendorService and read by NFC HAL +vendor_internal_prop(vendor_uwb_calibration_country_code) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) 
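Review bot: `allow hal_usb_impl usb_device:chr_file rw_file_perms;` grants read/write on every node carrying the usb_device label, not only the GL852G hub the comment describes; if the hub node can be given a dedicated label, that would keep the USB HAL from being able to drive arbitrary attached devices. If the broad grant is intentional because libusbhost enumerates the whole USB device fs (the commit message suggests this), record that in the comment, e.g. `# libusbhost walks the USB device fs, so this covers all usb_device nodes, not just the hub`. `device:dir r_dir_perms` may likewise be wider than needed if the library only traverses /dev on its way to the bus directory — `search` would suffice in that case; check the denial log the commit was tested against.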
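Review bot: The comment added in whitechapel_pro/property.te says the country code "must be vendor_public to be written by UwbVendorService and read by NFC HAL", but the declaration on the next line is `vendor_internal_prop(vendor_uwb_calibration_country_code)`, so the comment and the macro disagree. Both consumers named in this series are vendor domains (uwb_vendor_app sets it and hal_nfc_default reads it in the neighbouring hunks), so vendor_internal_prop looks like the intended choice and the comment is the error; reword it to `# Country code is written by UwbVendorService and read by the NFC HAL; both are vendor domains, so it stays vendor-internal`, or switch to vendor_public_prop only if a system-side reader actually exists.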
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index d8e3e033..5c19ed48 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -89,6 +89,8 @@ vendor.gf. u:object_r:vendor_fingerprint_prop:s0 #uwb ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string +vendor.uwb.calibration.country_code u:object_r:vendor_uwb_calibration_country_code:s0 exact string + # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te index 364bee36..aa4564e6 100644 --- a/whitechapel_pro/uwb_vendor_app.te +++ b/whitechapel_pro/uwb_vendor_app.te @@ -16,6 +16,10 @@ allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; allow hal_uwb_vendor_default self:global_capability_class_set sys_nice; allow hal_uwb_vendor_default kernel:process setsched; +# UwbVendorService must be able to read USRA version from vendor_secure_element_prop get_prop(uwb_vendor_app, vendor_secure_element_prop) +# UwbVendorService must be able to write country code prop +set_prop(uwb_vendor_app, vendor_uwb_calibration_country_code) + binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From 4d92dd61f2119d1cccf079b2766e2d930126151f Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 7 Apr 2023 15:02:41 +0800 Subject: [PATCH 765/900] Update error on ROM 9890523 Bug: 277155245 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Iffbc691cff0e3a8d19ca3acef918cb4c1243feae --- tracking_denials/dumpstate.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index e93762d6..0dc30ea7 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te 
@@ -2,3 +2,5 @@ dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; # b/237491813 dontaudit dumpstate app_zygote:process { signal }; +# b/277155245 +dontaudit dumpstate default_android_service:service_manager { find }; From 9519323a9830524f3843b80c09d43208276d2e21 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 7 Apr 2023 13:01:27 +0800 Subject: [PATCH 766/900] use dumpsate from gs-common Bug: 273380985 Test: adb bugreport Change-Id: Ibd54c0049480810e2aa14074e0ec9c4d611d51ff --- whitechapel_pro/file.te | 2 - whitechapel_pro/file_contexts | 2 - whitechapel_pro/hal_dumpstate_default.te | 99 ------------------------ whitechapel_pro/property.te | 1 - whitechapel_pro/property_contexts | 1 - 5 files changed, 105 deletions(-) delete mode 100644 whitechapel_pro/hal_dumpstate_default.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index bb26b4fa..a1e20f88 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -4,7 +4,6 @@ type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; -type radio_vendor_data_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; @@ -20,7 +19,6 @@ userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; - typeattribute radio_vendor_data_file mlstrustedobject; ') # Exynos Firmware diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4054e6f7..8c1f3827 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
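Review bot: `dontaudit dumpstate default_android_service:service_manager { find };` silences denials against the fallback label default_android_service, which as far as I know is what any service lacking an explicit service_contexts entry receives, so this rule also hides future unrelated find denials from dumpstate rather than only the one in b/277155245. The usual fix is to give the missing service its own label in service_contexts and then allow or dontaudit that specific type; if this is meant as a temporary tracking entry, a comment naming the service being tracked, e.g. `# b/277155245 — unlabeled service <NAME>, relabel and remove`, would make it reversible later.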
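Review bot: Removing `type radio_vendor_data_file, file_type, data_file_type;` and its mlstrustedobject typeattribute from whitechapel_pro/file.te leaves rules in this repository that still reference the type: tracking_denials/bug_map keeps `hal_radioext_default radio_vendor_data_file file b/237093466` (a context line in patch 767), and patch 771 later adds `allow grilservice_app radio_vendor_data_file:dir create_dir_perms;` and the matching file rule. The commit subject implies the declaration now comes from gs-common's radio dump policy; if so, a short note beside the remaining users such as `# radio_vendor_data_file is declared in gs-common` would save the next reader from hunting for it, and if not, the policy will not build without the declaration.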
@@ -24,7 +24,6 @@ /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/android\.hardware\.dumpstate-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 @@ -195,7 +194,6 @@ # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te deleted file mode 100644 index 42d727e0..00000000 --- a/whitechapel_pro/hal_dumpstate_default.te +++ /dev/null 
@@ -1,99 +0,0 @@ -allow hal_dumpstate_default sysfs_cpu:file r_file_perms; - -allow hal_dumpstate_default sysfs_wlc:dir search; -allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; -allow hal_dumpstate_default sysfs_wlc:file r_file_perms; - -allow hal_dumpstate_default sysfs_exynos_pcie_stats:dir r_dir_perms; -allow hal_dumpstate_default sysfs_exynos_pcie_stats:file r_file_perms; - -allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; -allow hal_dumpstate_default sysfs_bcl:file r_file_perms; - -allow hal_dumpstate_default mitigation_vendor_data_file:dir r_dir_perms; -allow hal_dumpstate_default mitigation_vendor_data_file:file r_file_perms; - -allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms; -allow hal_dumpstate_default sysfs_wifi:file r_file_perms; - -allow hal_dumpstate_default sysfs_ptracker:dir r_dir_perms; -allow hal_dumpstate_default sysfs_ptracker:file r_file_perms; - -allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms; -allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms; - -allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms; -allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; - -allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; -allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; - -allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; - -allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; -allow hal_dumpstate_default proc_f2fs:file r_file_perms; - -vndbinder_use(hal_dumpstate_default) - -allow hal_dumpstate_default shell_data_file:file getattr; - -allow hal_dumpstate_default vendor_log_file:dir search; -allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans; - -allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; -allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; - -allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms; -allow hal_dumpstate_default proc_vendor_sched:file 
r_file_perms; - -allow hal_dumpstate_default battery_history_device:chr_file r_file_perms; - -get_prop(hal_dumpstate_default, vendor_camera_prop) -set_prop(hal_dumpstate_default, vendor_logger_prop) - -userdebug_or_eng(` - allow hal_dumpstate_default mnt_vendor_file:dir search; - allow hal_dumpstate_default debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; - allow hal_dumpstate_default debugfs_tracing_instances:dir search; - allow hal_dumpstate_default debugfs_tracing_instances:file r_file_perms; - allow hal_dumpstate_default sysfs_vendor_metrics:dir search; - allow hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; - allow hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; - allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; - allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; - - set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) -') - -dontaudit hal_dumpstate_default mnt_vendor_file:dir search; -dontaudit hal_dumpstate_default debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default 
vendor_battery_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; -dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; -dontaudit hal_dumpstate_default debugfs_tracing_instances:dir search; -dontaudit hal_dumpstate_default debugfs_tracing_instances:file r_file_perms; -dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search; -dontaudit hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; -dontaudit hal_dumpstate_default vendor_cma_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_cma_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; -dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; -dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms; diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index d57ce902..d537c83d 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -20,7 +20,6 @@ vendor_internal_prop(vendor_tcpdump_log_prop) vendor_internal_prop(vendor_gps_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) -vendor_internal_prop(vendor_logger_prop) vendor_internal_prop(vendor_display_prop) # Fingerprint diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 5c19ed48..b9a563f3 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts 
@@ -73,7 +73,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # vendor default ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 From 5a0bb72bf06c955ca84117d98737ec23ccd626c1 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 11 Apr 2023 11:29:41 +0800 Subject: [PATCH 767/900] Remove obsolete entries Bug: 268147113 Bug: 237491813 Bug: 239484651 Bug: 268566483 Test: adb bugreport Change-Id: Iceafe7e413a3ffe5d342a222f76093c7110639e6 --- tracking_denials/bug_map | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d05de12f..4ce15ecf 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,12 +1,8 @@ cat_engine_service_app system_app_data_file dir b/238705599 dex2oat privapp_data_file dir b/276386138 -dump_pixel_metrics sysfs file b/268147113 -dumpstate app_zygote process b/237491813 -dumpstate system_data_file dir b/239484651 hal_camera_default boot_status_prop file b/275001783 hal_camera_default edgetpu_app_service service_manager b/275001783 hal_contexthub_default fwk_stats_service service_manager b/241714943 -hal_dumpstate_default dump_thermal process b/268566483 hal_power_default hal_power_default capability b/237492146 hal_radioext_default radio_vendor_data_file file b/237093466 incidentd debugfs_wakeup_sources file b/237492091 From 3430e752afb315e884fc5efb0d7d50963fe7d17e Mon Sep 17 00:00:00 2001 From: Tommy Kardach Date: Wed, 22 Mar 2023 10:01:01 -0700 Subject: [PATCH 768/900] Update sepolicy for Camera HAL Edit SE policay for WHI_PRO to allow camera HAL to acquire wake locks Bug: 249567788 Test: Flash and manual testing Change-Id: I450b0b53000c5b9649e354350ec80af3528120fb --- whitechapel_pro/hal_camera_default.te | 3 +++ 1 file changed, 3 insertions(+) 
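Review bot: This hunk only drops `persist.vendor.verbose_logging_enabled`, yet the retained context lines `vendor.pixellogger.` and `persist.vendor.pixellogger.` still map to vendor_logger_prop while the same commit removes `vendor_internal_prop(vendor_logger_prop)` from whitechapel_pro/property.te. If the type is now declared in gs-common (the commit subject suggests the dumpstate policy moved there), a comment such as `# vendor_logger_prop is declared in gs-common` beside the remaining entries would document the dependency; otherwise these two lines reference an undeclared type and need to move with it.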
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index 96f272d6..05909984 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te @@ -106,3 +106,6 @@ dontaudit hal_camera_default traced_producer_socket:sock_file { write }; # Allow access to always-on compute device node allow hal_camera_default aoc_device:chr_file rw_file_perms; + +# Allow the Camera HAL to acquire wakelocks +wakelock_use(hal_camera_default) From b7393fd8d897dcf4f70474e9caca94b1dc13f300 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Tue, 4 Apr 2023 08:38:20 -0700 Subject: [PATCH 769/900] move vendor_cma_debugfs into gs-common The CMA dump is common feature for pixel devices so move it to gs-common. Bug: 276901078 Test: dumpstate_board.txt on adb bugreport includes the info Change-Id: I3997e27e3037f013338de5bc36687c63338769aa Signed-off-by: Minchan Kim --- whitechapel_pro/file.te | 1 - whitechapel_pro/genfs_contexts | 1 - 2 files changed, 2 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index a1e20f88..f474d9c0 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -53,7 +53,6 @@ type vendor_usb_debugfs, fs_type, debugfs_type; type vendor_charger_debugfs, fs_type, debugfs_type; type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; -type vendor_cma_debugfs, fs_type, debugfs_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 2c2cb23e..bde62aef 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -188,7 +188,6 @@ genfscon debugfs /max77759_chg u:object genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 -genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0 # Battery genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 From dc35b4158b8fc4eb8ee714212cdedee40a270a24 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Thu, 6 Apr 2023 20:50:20 -0700 Subject: [PATCH 770/900] remove dump_gs201 sepolicy Bug: 276901078 Test: dumpstate_board.txt on adb bugreport includes the info Change-Id: I39c01692d959a63c091f98969a69ab35b2debe1a Signed-off-by: Minchan Kim --- whitechapel_pro/dump_gs201.te | 5 ----- whitechapel_pro/file_contexts | 1 - 2 files changed, 6 deletions(-) delete mode 100644 whitechapel_pro/dump_gs201.te diff --git a/whitechapel_pro/dump_gs201.te b/whitechapel_pro/dump_gs201.te deleted file mode 100644 index c2314753..00000000 --- a/whitechapel_pro/dump_gs201.te +++ /dev/null @@ -1,5 +0,0 @@ - -pixel_bugreport(dump_gs201) -allow dump_gs201 debugfs_tracing_instances:dir r_dir_perms; -allow dump_gs201 debugfs_tracing_instances:file r_file_perms; - diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 8c1f3827..b3357a77 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -43,7 +43,6 @@ /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 -/vendor/bin/dump/dump_gs201 u:object_r:dump_gs201_exec:s0 /vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0 # Vendor Firmwares From 1af348b01f23b6df79b51495a29a267bfc9c8645 Mon Sep 17 00:00:00 2001 
From: kadirpili Date: Thu, 23 Mar 2023 03:19:24 +0000 Subject: [PATCH 771/900] gs201: Allow GRIL Service to access radio_vendor_data_file Bug: 274737512 Change-Id: I1c0b045f8a25c5d58be02c2036d2fcaad7d9a8e7 --- whitechapel_pro/grilservice_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te index 7809537d..2525baba 100644 --- a/whitechapel_pro/grilservice_app.te +++ b/whitechapel_pro/grilservice_app.te @@ -8,6 +8,8 @@ allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_service:service_manager find; allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find; +allow grilservice_app radio_vendor_data_file:dir create_dir_perms; +allow grilservice_app radio_vendor_data_file:file create_file_perms; binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) From 5adecc74332d9356c821be0207318b6694655754 Mon Sep 17 00:00:00 2001 From: Leo Liou Date: Tue, 14 Mar 2023 15:14:34 +0800 Subject: [PATCH 772/900] gs201: add sepolicy for ufs_firmware_update process Allow the script to access the specified partition and sysfs. Bug: 273305212 Test: full build and test ffu flow Change-Id: Iefeacea2d4c07e7a5b39713c9575e86bd25ce008 Signed-off-by: Leo Liou --- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 2 ++ whitechapel_pro/genfs_contexts | 3 +++ whitechapel_pro/ufs_firmware_update.te | 10 ++++++++++ 4 files changed, 16 insertions(+) create mode 100644 whitechapel_pro/ufs_firmware_update.te diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 426ebadb..b66248a7 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te 
@@ -19,6 +19,7 @@ type vframe_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_heap_device, dmabuf_heap_device_type, dev_type; type radio_test_device, dev_type; type vendor_gnss_device, dev_type; +type fips_block_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index b3357a77..2a6eaa98 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -44,6 +44,7 @@ /system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 /vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0 +/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 @@ -190,6 +191,7 @@ /dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/fips u:object_r:fips_block_device:s0 # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index bde62aef..7a9672df 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -177,6 +177,9 @@ genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/vendor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/model u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/rev u:object_r:sysfs_scsi_devices_0000:s0 # debugfs genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 diff --git a/whitechapel_pro/ufs_firmware_update.te b/whitechapel_pro/ufs_firmware_update.te new file mode 100644 index 00000000..53ceba56 --- /dev/null +++ b/whitechapel_pro/ufs_firmware_update.te @@ -0,0 +1,10 @@ +type ufs_firmware_update, domain; +type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type; + +init_daemon_domain(ufs_firmware_update) + +allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans; +allow ufs_firmware_update block_device:dir r_dir_perms; +allow ufs_firmware_update fips_block_device:blk_file rw_file_perms; +allow ufs_firmware_update sysfs:dir r_dir_perms; +allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms; From c1ee9afdef729c06aa428dc78c8fae04885b7811 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 31 Mar 2023 12:57:55 +0000 Subject: [PATCH 773/900] Use restricted vendor property for ARM runtime options They need to be read by everything that links with libmali, but we don't expect anybody to actually write to them. Bug: b/272740524 Test: CtsDeqpTestCases (dEQP-VK.protected_memory.stack.stacksize_*) Change-Id: I4cd468302da02603cccd9b4b98cb95745129daf5 --- whitechapel_pro/property.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
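Review bot: The new ufs_firmware_update.te has no header comment and `fips_block_device` is declared in device.te (earlier hunk of this patch) without one either, so a reader has to reconstruct from the commit message what the fips partition is for and why a script needs read/write on it. Suggest opening the file with `# Domain for /vendor/bin/ufs_firmware_update.sh (UFS firmware update flow, b/273305212): rw on the fips partition plus read of the UFS sysfs descriptors` and annotating the device.te type the same way. On permissions, `allow ufs_firmware_update sysfs:dir r_dir_perms;` is a broad grant; if the script only needs to traverse sysfs to reach the 14700000.ufs nodes, `search` on sysfs:dir is enough.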
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index d537c83d..723379ba 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -40,4 +40,4 @@ vendor_internal_prop(vendor_telephony_app_prop) vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration -vendor_public_prop(vendor_arm_runtime_option_prop) +vendor_restricted_prop(vendor_arm_runtime_option_prop) From 4cc8eec22dc59f97b106f98a1334aecce65ff90f Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 18 Apr 2023 11:27:46 +0800 Subject: [PATCH 774/900] Update error on ROM 9954737 Bug: 278639040 Bug: 278639040 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I0d71ec80ea0136f90336d8f80cb75b38b61ebced --- tracking_denials/vndservicemanager.te | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 tracking_denials/vndservicemanager.te diff --git a/tracking_denials/vndservicemanager.te b/tracking_denials/vndservicemanager.te new file mode 100644 index 00000000..9931d437 --- /dev/null +++ b/tracking_denials/vndservicemanager.te @@ -0,0 +1,4 @@ +# b/278639040 +dontaudit vndservicemanager hal_keymint_citadel:binder { call }; +# b/278639040 +dontaudit vndservicemanager hal_keymint_citadel:binder { call }; From 0f6b14dc9582edba67233cc8b716476d7a8c7f12 Mon Sep 17 00:00:00 2001 From: jimsun Date: Wed, 8 Mar 2023 17:17:01 +0800 Subject: [PATCH 775/900] rild: allow rild to ptrace 06-20 18:47:41.940000 8708 8708 I auditd : type=1400 audit(0.0:7): avc: denied { ptrace } for comm="libmemunreachab" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=process permissive=0 06-20 18:47:41.940000 8708 8708 W libmemunreachab: type=1400 audit(0.0:7): avc: denied { ptrace } for scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=process permissive=0 Bug: 263757077 Test: manual Change-Id: I4720650488eca100372d148313e04d6d8950ead5 --- whitechapel_pro/rild.te | 5 +++++ 1 file changed, 5 insertions(+) 
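Review bot: The new tracking_denials/vndservicemanager.te contains the same `dontaudit vndservicemanager hal_keymint_citadel:binder { call };` rule twice, each under an identical `# b/278639040` comment (the commit message also lists the bug twice); the second pair is redundant and should be dropped so the file holds one comment and one rule. Duplicate dontaudit lines are harmless to the compiled policy, but whoever later removes the entry for this bug is likely to clear one copy and leave the other behind.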
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 559fa674..484dda08 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -37,3 +37,8 @@ add_hwservice(rild, hal_exynos_rild_hwservice) allow rild modem_img_file:dir r_dir_perms; allow rild modem_img_file:file r_file_perms; allow rild modem_img_file:lnk_file r_file_perms; + +# Allow rild to ptrace for memory leak detection +userdebug_or_eng(` +allow rild self:process ptrace; +') From 9d61da55a193a12b7552e67e67d968c46d4dec86 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 13:48:05 +0000 Subject: [PATCH 776/900] Add ArmNN config sysprops SELinux rules Bug: b/205202540 Test: manual - reboot device and check the absence of AVC denials Change-Id: I90af8201d5fae44f73d709491f272a113b44ca67 --- whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/vendor_init.te | 3 +++ 3 files changed, 9 insertions(+) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 723379ba..d297abea 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -41,3 +41,6 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# ArmNN +vendor_internal_prop(vendor_armnn_config_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index b9a563f3..08eb601b 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -105,3 +105,6 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# ArmNN configuration +ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index e27855d0..4d8516a2 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te 
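Review bot: Inside the new `userdebug_or_eng(` block the `allow rild self:process ptrace;` line is not indented, whereas the rest of this tree indents the body of that macro (dump_power_gs201.te and recovery.te in this same series); indent it for consistency. The comment could also name the consumer shown in the denial quoted in the commit message, e.g. `# Allow libmemunreachable's leak check to ptrace rild itself (debug builds only)`, since "memory leak detection" alone does not say which component needs the permission.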
@@ -40,3 +40,6 @@ get_prop(vendor_init, vendor_trusty_storage_prop)
 # Mali
 set_prop(vendor_init, vendor_arm_runtime_option_prop)
+
+# ArmNN
+set_prop(vendor_init, vendor_armnn_config_prop)
From 4f1ca4a7ad3895f5a5adc25fc2cf3a532eac79f6 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI Date: Wed, 5 Apr 2023 14:56:12 +0000 Subject: [PATCH 777/900] Remove 'hal_neuralnetworks_armnn' sysprop exceptions Bug: b/205202540 Test: manual - reboot device and check the absence of AVC denials Change-Id: Ief9f33ea3aca3f6b0756c92feb1753462e86b894
---
 tracking_denials/hal_neuralnetworks_armnn.te | 6 ------ 1 file changed, 6 deletions(-)
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
index b58f29fe..16b6b131 100644
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -1,8 +1,2 @@
-# b/205073167
-dontaudit hal_neuralnetworks_armnn default_prop:file { open };
-dontaudit hal_neuralnetworks_armnn default_prop:file { read };
-# b/205202540
-dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
-dontaudit hal_neuralnetworks_armnn default_prop:file { map };
 # b/205779871
 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
From bb69b32fc5b6f468561017f6bd5628626a571696 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI Date: Thu, 6 Apr 2023 15:21:42 +0000 Subject: [PATCH 778/900] Remove 'hal_neuralnetworks_armnn' '/data' access exception The mali driver has been configured not to look there anymore. Bug: b/205779871 Test: manual - reboot device and check the absence of AVC denials Change-Id: Ie651cd788e6f057cd902d1c14880bd1ad71ec5a5
---
 tracking_denials/hal_neuralnetworks_armnn.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
deleted file mode 100644
index 16b6b131..00000000
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205779871
-dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
From 2a5c26c9b4ed5abc3b6cb6d0e3e567b235c4ad13 Mon Sep 17 00:00:00 2001
From: Joseph Jang Date: Mon, 24 Apr 2023 08:03:30 +0000 Subject: [PATCH 779/900] Move recovery.te to device/google/gs-common/dauntless/sepolicy Bug: 279381809 Change-Id: I80fbd9ef0c7e988de21d07ada57fc6a038b9b585
---
 whitechapel_pro/fastbootd.te | 1 - whitechapel_pro/recovery.te | 1 - 2 files changed, 2 deletions(-)
diff --git a/whitechapel_pro/fastbootd.te b/whitechapel_pro/fastbootd.te
index 5945ef24..e7909d26 100644
--- a/whitechapel_pro/fastbootd.te
+++ b/whitechapel_pro/fastbootd.te
@@ -3,6 +3,5 @@ recovery_only(`
 allow fastbootd devinfo_block_device:blk_file rw_file_perms;
 allow fastbootd sda_block_device:blk_file rw_file_perms;
 allow fastbootd sysfs_ota:file rw_file_perms;
-allow fastbootd citadel_device:chr_file rw_file_perms;
 allow fastbootd st54spi_device:chr_file rw_file_perms;
 ')
diff --git a/whitechapel_pro/recovery.te b/whitechapel_pro/recovery.te
index a498af07..1974ebb1 100644
--- a/whitechapel_pro/recovery.te
+++ b/whitechapel_pro/recovery.te
@@ -1,5 +1,4 @@
 recovery_only(`
 allow recovery sysfs_ota:file rw_file_perms;
- allow recovery citadel_device:chr_file rw_file_perms;
 allow recovery st54spi_device:chr_file rw_file_perms;
 ')
From 2b913d29a96519e3381b8ea35c03120d10ca7ad0 Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Mon, 24 Apr 2023 14:47:12 +0800 Subject: [PATCH 780/900] Update error on ROM 9784808 Bug: 274727778 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I56784948658365e8c9ecdf63d163109d8f29e5c3
---
 tracking_denials/hal_vibrator_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/hal_vibrator_default.te
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
new file mode 100644
index 00000000..390bfa3c
--- /dev/null
+++ b/tracking_denials/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+# b/274727778
+dontaudit hal_vibrator_default default_android_service:service_manager { find };
From b7e90ec616c5335310209cf9631f3340b44855f8 Mon Sep 17 00:00:00 2001
From: martinwu Date: Mon, 24 Apr 2023 16:22:01 +0000 Subject: [PATCH 781/900] Remove tcpdump sepolicy from gs201 and move sepolicy to gs-common Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I0eb9352e349ae8f06e469e953f137b00204f1c3b
---
 whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 1 - 2 files changed, 3 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index f474d9c0..4a232600 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -5,7 +5,6 @@ type vendor_rfsd_log_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type vendor_slog_file, file_type, data_file_type;
 type updated_wifi_firmware_data_file, file_type, data_file_type;
-type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_media_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
@@ -17,7 +16,6 @@ type powerstats_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute vendor_gps_file mlstrustedobject;
- typeattribute tcpdump_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
 ')
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 2a6eaa98..c4f5b098 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
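Review bot: `dontaudit hal_vibrator_default default_android_service:service_manager { find };` hides a lookup of a service that has no service_contexts entry, which is what the `default_android_service` label means; the audit record being suppressed is the only evidence that a vendor HAL is resolving an unlabeled framework service. Keeping the `# b/274727778` reference is good, but the durable fix is to identify the service, give it its own label and decide explicitly whether hal_vibrator_default may find it, after which this entry should be removed. If the lookup turns out to be unexpected, that is a finding about the HAL rather than about the policy.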
@@ -202,7 +202,6 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 From c6d08c178194934305b6ac2cede6253483b7955d Mon Sep 17 00:00:00 2001 From: Martin Wu Date: Thu, 27 Apr 2023 02:20:48 +0000 Subject: [PATCH 782/900] Revert "Remove tcpdump sepolicy from gs201 and move sepolicy to ..." Revert submission 22814097-Fix-tcpdump-sepolicy Reason for revert: build break Reverted changes: /q/submissionid:22814097-Fix-tcpdump-sepolicy Change-Id: I5b1c00cc6a1ae186eb51acc2c99171578c43bace --- whitechapel_pro/file.te | 2 ++ whitechapel_pro/file_contexts | 1 + 2 files changed, 3 insertions(+) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4a232600..f474d9c0 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -5,6 +5,7 @@ type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; +type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; @@ -16,6 +17,7 @@ type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; + typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c4f5b098..2a6eaa98 100644 
--- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -202,6 +202,7 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 +/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 From ee3fe73de0ee738c67d603fa6b3827d23f282e2d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 13:48:05 +0000 Subject: [PATCH 783/900] Add ArmNN config sysprops SELinux rules Bug: 205202540 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9d61da55a193a12b7552e67e67d968c46d4dec86) Merged-In: I90af8201d5fae44f73d709491f272a113b44ca67 Change-Id: I90af8201d5fae44f73d709491f272a113b44ca67 --- whitechapel_pro/property.te | 3 +++ whitechapel_pro/property_contexts | 3 +++ whitechapel_pro/vendor_init.te | 3 +++ 3 files changed, 9 insertions(+) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index 723379ba..d297abea 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -41,3 +41,6 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# ArmNN +vendor_internal_prop(vendor_armnn_config_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index b9a563f3..08eb601b 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts 
@@ -105,3 +105,6 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# ArmNN configuration +ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index e27855d0..4d8516a2 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -40,3 +40,6 @@ get_prop(vendor_init, vendor_trusty_storage_prop) # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) + +# ArmNN +set_prop(vendor_init, vendor_armnn_config_prop) From 01a2e70a17145770089015e126a3a2dfcfb0d09d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 5 Apr 2023 14:56:12 +0000 Subject: [PATCH 784/900] Remove 'hal_neuralnetworks_armnn' sysprop exceptions Bug: 205202540 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4f1ca4a7ad3895f5a5adc25fc2cf3a532eac79f6) Merged-In: Ief9f33ea3aca3f6b0756c92feb1753462e86b894 Change-Id: Ief9f33ea3aca3f6b0756c92feb1753462e86b894 --- tracking_denials/hal_neuralnetworks_armnn.te | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te index b58f29fe..16b6b131 100644 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ b/tracking_denials/hal_neuralnetworks_armnn.te @@ -1,8 +1,2 @@ -# b/205073167 -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; -# b/205202540 -dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; # b/205779871 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; From a43d300afff870459847f65705189af163609d7f Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Thu, 6 Apr 2023 15:21:42 +0000 Subject: [PATCH 785/900] Remove 'hal_neuralnetworks_armnn' '/data' access exception The mali driver has been configured not to look there anymore. Bug: 205779871 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb69b32fc5b6f468561017f6bd5628626a571696) Merged-In: Ie651cd788e6f057cd902d1c14880bd1ad71ec5a5 Change-Id: Ie651cd788e6f057cd902d1c14880bd1ad71ec5a5 --- tracking_denials/hal_neuralnetworks_armnn.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te deleted file mode 100644 index 16b6b131..00000000 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/205779871 -dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; From ee611cfb51cbf80e137ae1bcd8ef7d39bba64d73 Mon Sep 17 00:00:00 2001 From: martinwu Date: Mon, 24 Apr 2023 16:22:01 +0000 Subject: [PATCH 786/900] [TSV2] Remove tcpdump sepolicy from gs201 and move sepolicy to gs-common Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: Ic804a3a4739ec5a9604320cb8e0fdae91b8429c1 --- whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 1 - 2 files changed, 3 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index f474d9c0..4a232600 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te 
@@ -5,7 +5,6 @@ type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; -type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; @@ -17,7 +16,6 @@ type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; - typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 2a6eaa98..c4f5b098 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -202,7 +202,6 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 From f265749f1def872e0ad35f39fa2e11ce313a475e Mon Sep 17 00:00:00 2001 
From: Jinyoung Jeong Date: Wed, 26 Apr 2023 07:39:50 +0000 Subject: [PATCH 787/900] Fix SELinux error for com.google.android.euicc Bug: 279548423 Test: http://fusion2/b7c803be-2dca-4195-b91f-6c4939746b5b Change-Id: Idd231c2412e8f597dea1bfa11f9d1a0fa1e17034 --- private/property.te | 8 ++++++++ private/property_contexts | 4 ++++ whitechapel_pro/certs/EuiccGoogle.x509.pem | 23 ++++++++++++++++++++++ whitechapel_pro/euicc_app.te | 15 ++++++++++++++ whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ whitechapel_pro/seapp_contexts | 3 +++ 7 files changed, 59 insertions(+) create mode 100644 private/property.te create mode 100644 whitechapel_pro/certs/EuiccGoogle.x509.pem create mode 100644 whitechapel_pro/euicc_app.te diff --git a/private/property.te b/private/property.te new file mode 100644 index 00000000..a6bee3b3 --- /dev/null +++ b/private/property.te @@ -0,0 +1,8 @@ +product_restricted_prop(masterclear_esim_prop) +product_restricted_prop(euicc_seamless_transfer_prop) + +neverallow { domain -init } masterclear_esim_prop:property_service set; +neverallow { domain -init } euicc_seamless_transfer_prop:property_service set; + +get_prop(appdomain, masterclear_esim_prop) +get_prop(appdomain, euicc_seamless_transfer_prop) diff --git a/private/property_contexts b/private/property_contexts index abcdd419..c7321c07 100644 --- a/private/property_contexts +++ b/private/property_contexts @@ -3,3 +3,7 @@ persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int + +#eSIM +masterclear.allow_retain_esim_profiles_after_fdr u:object_r:masterclear_esim_prop:s0 exact bool +euicc.seamless_transfer_enabled_in_non_qs u:object_r:euicc_seamless_transfer_prop:s0 exact bool 
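Review bot: `get_prop(appdomain, masterclear_esim_prop)` and `get_prop(appdomain, euicc_seamless_transfer_prop)` in the new private/property.te make both flags readable by every app domain, including untrusted apps, while the only consumer visible in this change is the new euicc_app domain. Unless other apps are known to read them, grant the read to the consuming domain(s) instead, e.g. `get_prop(euicc_app, masterclear_esim_prop)` and `get_prop(euicc_app, euicc_seamless_transfer_prop)`, and widen later if needed; broad app-readable properties are hard to narrow once apps depend on them. The values are booleans of low sensitivity, so this is a least-privilege point rather than a disclosure, and the `neverallow { domain -init }` guards on `property_service set` are a good complement.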
diff --git a/whitechapel_pro/certs/EuiccGoogle.x509.pem b/whitechapel_pro/certs/EuiccGoogle.x509.pem new file mode 100644 index 00000000..be6c715c --- /dev/null +++ b/whitechapel_pro/certs/EuiccGoogle.x509.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwzCCAqugAwIBAgIJAOZ2d46ckK9JMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW +aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEUMBIG +A1UEAwwLRXVpY2NHb29nbGUwHhcNMTYxMjE3MDEyMTEzWhcNNDQwNTA0MDEyMTEz +WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN +TW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0Fu +ZHJvaWQxFDASBgNVBAMMC0V1aWNjR29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA1S7b8bGk4fNm3cckWJx2sbnvC39BroHNwk6am6jVP4MZAYuc +PN6QQ7/2s7hvtn91w6VbeGi2fryIMc7jXjlixheotD2Ns+/7qsPpQ+ZovfaQO5Xw +/c4J+1CfiqrLtd4TyO+4uFGTCO/vs4qhMH58QrhnYPZUqeuq0Zs1Irp0FlVFe1qm +1heU2zJy5locjb9UJXY33sVc9vfWy+sM8TLX40nWxIXGdbzJHJNyjjr/NA+0+drx +anJCtac6+evehH6o8+t8RQBU44PEZiyGkM8poNgRTAcFdRFXU8pitZXp3QZQk6HO +JsVuqqADwsfxGSdVyHFmOW7gxpkB9+IuJJEmkQIDAQABo1AwTjAdBgNVHQ4EFgQU +lVkGDn/XmF7HjP0K3ykCNnnZ8jMwHwYDVR0jBBgwFoAUlVkGDn/XmF7HjP0K3ykC +NnnZ8jMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkDOpQMXcuKwt +CPu5/tdskpfoBMrpYJOwfvpj/JwrudnXUHZXnBnH9PtHprghGtNiWPXHTbZSzKUS +Aojpo1Lev7DtowFILA54oY6d1NqbCIJy+Knwt3W5H7Rg8u8LqvzkpX5CBKAhRwkQ +0t3yrlEkI7kx805vg484gAe+AXyBx0dGe6ov4/yrzv9E+1jhIgP7tF/f+x8zX6Tr +mDCjzz4mgKahMbmsHQg430wlbZczrciMMfPiRc3xEHKLUqGL0ARtE01hJiJ4TY/X +iL/8QUA3nBcpUyEwHFwUao40Gjca9xteKd7MtmiZ6BM2JJSQ4nSNkcwQW8PU/7Qb +0QMwPRPLbQ== +-----END CERTIFICATE----- diff --git a/whitechapel_pro/euicc_app.te b/whitechapel_pro/euicc_app.te new file mode 100644 index 00000000..d7259159 --- /dev/null +++ b/whitechapel_pro/euicc_app.te 
@@ -0,0 +1,15 @@ +type euicc_app, domain; +app_domain(euicc_app) + +allow euicc_app activity_service:service_manager find; +allow euicc_app radio_service:service_manager find; +allow euicc_app content_capture_service:service_manager find; +allow euicc_app virtual_device_service:service_manager find; +allow euicc_app game_service:service_manager find; +allow euicc_app netstats_service:service_manager find; +allow euicc_app registry_service:service_manager find; + +get_prop(euicc_app, setupwizard_esim_prop) +get_prop(euicc_app, bootloader_prop) +get_prop(euicc_app, exported_default_prop) +get_prop(euicc_app, vendor_modem_prop) diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 54130ea2..187184ac 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -15,3 +15,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem + +[@EUICCGOOGLE] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccGoogle.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index b57e61c7..24d88e61 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,4 +39,7 @@ + + + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 149e2287..b91b1a04 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
@@ -49,6 +49,9 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all +# Domain for EuiccGoogle +user=_app isPrivApp=true seinfo=EuiccGoogle name=com.google.android.euicc domain=euicc_app type=app_data_file levelFrom=all + # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user From 5f9732a97a0e9cb8cd3f53d68aed3162ab13c18d Mon Sep 17 00:00:00 2001 From: martinwu Date: Mon, 24 Apr 2023 16:22:01 +0000 Subject: [PATCH 788/900] [TSV2] Remove tcpdump sepolicy from gs201 and move sepolicy to gs-common Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: Ic804a3a4739ec5a9604320cb8e0fdae91b8429c1 Merged-In: Ic804a3a4739ec5a9604320cb8e0fdae91b8429c1 --- whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 1 - 2 files changed, 3 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index f474d9c0..4a232600 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -5,7 +5,6 @@ type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; -type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; 
@@ -17,7 +16,6 @@ type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; - typeattribute tcpdump_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 2a6eaa98..c4f5b098 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -202,7 +202,6 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 From 306bf73c79f75d3e7022e716520f483588d02905 Mon Sep 17 00:00:00 2001 From: Hongbo Zeng Date: Thu, 27 Apr 2023 10:15:18 +0000 Subject: [PATCH 789/900] Fix denials for radio service to access files under /data/venodr/radio Bug: 270561266 Test: get PASS result with go/ril-config-service-test and the original denial logs in http://b/270561266#comment8 are gone Change-Id: I17155852bb2408b4389a86d32228292885e14c46 --- whitechapel_pro/radio.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te index 8cb144d9..47278465 100644 --- a/whitechapel_pro/radio.te +++ b/whitechapel_pro/radio.te @@ -1,2 +1,5 @@ allow radio proc_vendor_sched:dir r_dir_perms; -allow radio proc_vendor_sched:file w_file_perms; \ No newline at end of file +allow radio proc_vendor_sched:file w_file_perms; + +allow radio radio_vendor_data_file:dir rw_dir_perms; +allow radio radio_vendor_data_file:file create_file_perms; From 2d7181e3fc1f5c9147eeeac3a0322f2dc2d69ff8 Mon Sep 17 00:00:00 2001 
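Review bot: `allow radio radio_vendor_data_file:file create_file_perms;` gives the framework's `radio` domain create, write, unlink and rename on a vendor data type, but the subject only says the service needs to "access files" under /data/vendor/radio; if the RIL config service only reads what a vendor component writes there, `r_file_perms` on the files and `r_dir_perms` on the directory would be the minimal grant. radio is a core domain and /data/vendor is vendor territory, so the write direction across that boundary deserves a comment above the two rules, e.g. `# RIL config service reads and writes its data under /data/vendor/radio (b/270561266)`. Unrelated but in the same commit: the subject's `/data/venodr/radio` should read `/data/vendor/radio`; the trailing-newline fix on the first rule is fine.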
From: Jinyoung Jeong Date: Tue, 2 May 2023 06:25:55 +0000 Subject: [PATCH 790/900] Fix LPA crash due to selinux denial Bug: 280336861 Test: No crash found during LPA basic tests: download eSIM, enable/disalbe eSIM. Change-Id: Ie4fd8fccce5ec98cf0b2afff9a41f27206e52626
---
 whitechapel_pro/euicc_app.te | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/whitechapel_pro/euicc_app.te b/whitechapel_pro/euicc_app.te
index d7259159..2e36435b 100644
--- a/whitechapel_pro/euicc_app.te
+++ b/whitechapel_pro/euicc_app.te
@@ -1,14 +1,12 @@
 type euicc_app, domain;
 app_domain(euicc_app)
+net_domain(euicc_app)
-allow euicc_app activity_service:service_manager find;
+allow euicc_app app_api_service:service_manager find;
 allow euicc_app radio_service:service_manager find;
-allow euicc_app content_capture_service:service_manager find;
-allow euicc_app virtual_device_service:service_manager find;
-allow euicc_app game_service:service_manager find;
-allow euicc_app netstats_service:service_manager find;
-allow euicc_app registry_service:service_manager find;
+allow euicc_app cameraserver_service:service_manager find;
+get_prop(euicc_app, camera_config_prop)
 get_prop(euicc_app, setupwizard_esim_prop)
 get_prop(euicc_app, bootloader_prop)
 get_prop(euicc_app, exported_default_prop)
From 96789e18c75ecb716215be8f5cd7e33e45a9d76f Mon Sep 17 00:00:00 2001
From: Zixuan Lan Date: Thu, 4 May 2023 14:25:29 -0700 Subject: [PATCH 791/900] remove fixed selinux bug from bug map. TPU permission was fixed to avoid error in hal_camera_defaul.The corresponding bug for tracking should be removed from the bug map. Please see bug for more details. Bug: 275001783 Test: logcat grep for selinux error Change-Id: I7a1bf9fd994187f969b68b9fc3504a5411b0807f
---
 tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 4ce15ecf..a8cafdb2 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
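Review bot: `allow euicc_app cameraserver_service:service_manager find;` and `get_prop(euicc_app, camera_config_prop)` hand an eSIM LPA domain camera access with no comment explaining why; presumably the app scans activation-code QR codes, but that should be written down so the grant is not read as over-broad later, e.g. `# LPA uses the camera to scan eSIM activation QR codes (b/280336861)` above the two lines — confirm the actual reason before committing the wording. Replacing the enumerated service finds with `app_api_service` and adding `net_domain(euicc_app)` are the standard shape for an app domain and need no further change.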
@@ -1,7 +1,5 @@
 cat_engine_service_app system_app_data_file dir b/238705599
 dex2oat privapp_data_file dir b/276386138
-hal_camera_default boot_status_prop file b/275001783
-hal_camera_default edgetpu_app_service service_manager b/275001783
 hal_contexthub_default fwk_stats_service service_manager b/241714943
 hal_power_default hal_power_default capability b/237492146
 hal_radioext_default radio_vendor_data_file file b/237093466
From 2a02fe5fc5b21fe7df44b146dd2653026ae854bf Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Wed, 10 May 2023 10:56:55 +0800 Subject: [PATCH 792/900] add missing permission for gs201 power dump Bug: 281602658 Test: adb bugreport Change-Id: Ibf765c9da65d2c9f6a3825c91cb22771f583457a
---
 whitechapel_pro/dump_power_gs201.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/dump_power_gs201.te b/whitechapel_pro/dump_power_gs201.te
index 6c6ca245..44520b08 100644
--- a/whitechapel_pro/dump_power_gs201.te
+++ b/whitechapel_pro/dump_power_gs201.te
@@ -13,6 +13,8 @@ allow dump_power_gs201 sysfs_bcl:dir r_dir_perms;
 allow dump_power_gs201 sysfs_bcl:file r_file_perms;
 allow dump_power_gs201 sysfs_wlc:dir r_dir_perms;
 allow dump_power_gs201 sysfs_wlc:file r_file_perms;
+allow dump_power_gs201 battery_history_device:chr_file r_file_perms;
+allow dump_power_gs201 mitigation_vendor_data_file:file r_file_perms;
 userdebug_or_eng(`
 allow dump_power_gs201 debugfs:dir r_dir_perms;
From c2d912818c9b20f673e74ef38656bbab82ad9a07 Mon Sep 17 00:00:00 2001
From: Luis Delgado de Mendoza Garcia Date: Mon, 24 Apr 2023 16:42:56 -0700 Subject: [PATCH 793/900] Add chre channel sepolicy entries Bug: 241960170 Test: in-device verification. Change-Id: I3151d25c4a1cd7a858b84e0c8989dc160d368ca5
---
 whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 7a9672df..902584c7 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
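Review bot: `allow dump_power_gs201 mitigation_vendor_data_file:file r_file_perms;` permits reading the files but grants nothing on their directory; if the files sit in a directory labeled `mitigation_vendor_data_file` as well, the open will still fail with a `{ search }` denial on `mitigation_vendor_data_file:dir`, and a dump helper that tolerates a failed read would not make that visible in `adb bugreport`. Either add `allow dump_power_gs201 mitigation_vendor_data_file:dir search;` (or `r_dir_perms` if the helper lists the directory) or confirm that the parent directory carries a label the domain can already search. Checking logcat for avc records from dump_power_gs201 after the bugreport would settle which.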
@@ -333,6 +333,8 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 From 83712c5243166cafa3a057d5347515e04947cde8 Mon Sep 17 00:00:00 2001 From: Samuel Gosselin Date: Wed, 10 May 2023 18:03:56 +0000 Subject: [PATCH 794/900] genfs_contexts: add raw s2mpg12mfd and s2mpg13mfd node. This adds the appropriate raw i2c numberings to the sepolicy for the 6.1 kernel driver which does not use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work. Test: Boot to Android Home on WHI PRO with 6.1 kernel, no Thermal HAL crashes. Change-Id: I8c2633b33cef8ca2b55029190fe42bd66b17390f Signed-off-by: Samuel Gosselin --- whitechapel_pro/genfs_contexts | 39 ++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 902584c7..59d579b7 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -73,6 +73,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0 + genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 
@@ -82,6 +92,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0 
@@ -93,6 +112,17 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
@@ -103,6 +133,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
From dc0f13eb032bdf08eb54478b9d782df2b8a4b7dc Mon Sep 17 00:00:00 2001
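Review bot: The raw-numbered wakeup entries for the acpm_mfd_bus@18110000 bus stop at `i2c-8/8-002f`, although the context lines of this very hunk still carry an `i2c-9/i2c-s2mpg13mfd/.../wakeup` node and the iio:device hunk above adds a raw `i2c-9/9-002f` entry, so the 6.1-kernel path of the bus-9 wakeup node is not labeled by this change. A sysfs node that no genfscon line matches most likely keeps the generic sysfs label, so any rule written against `sysfs_wakeup` will not cover it. Adding `genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0` after the i2c-8 line would make the wakeup list match the iio:device list, assuming bus 9 actually enumerates on this hardware.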
From: JohnnLee
Date: Wed, 10 May 2023 16:08:07 +0800
Subject: [PATCH 795/900] Remove obsolete entries
Test: adb bugreport
Bug: 241714943
Bug: 241714944
Bug: 268147092
Bug: 237492091
Bug: 214122471
Bug: 239484612
Bug: 270079857
Bug: 239364360
Bug: 238705599
Bug: 238571150
Change-Id: I1cc1aa8d7a48a9fe8b5c84817d827c8915a701c7
---
 tracking_denials/bug_map | 17 -----------------
 tracking_denials/incidentd.te | 2 --
 tracking_denials/servicemanager.te | 2 --
 3 files changed, 21 deletions(-)
 delete mode 100644 tracking_denials/incidentd.te
 delete mode 100644 tracking_denials/servicemanager.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index efb18261..c588f134 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,24 +1,7 @@
-cat_engine_service_app system_app_data_file dir b/238705599
 dex2oat privapp_data_file dir b/276386138
-hal_contexthub_default fwk_stats_service service_manager b/241714943
 hal_power_default hal_power_default capability b/237492146
 hal_radioext_default radio_vendor_data_file file b/237093466
-incidentd debugfs_wakeup_sources file b/237492091
-incidentd incidentd anon_inode b/268147092
-init-insmod-sh vendor_ready_prop property_service b/239364360
-kernel vendor_charger_debugfs dir b/238571150
 kernel vendor_usb_debugfs dir b/227121550
-shell adb_keys_file file b/239484612
-shell cache_file lnk_file b/239484612
-shell init_exec lnk_file b/239484612
-shell linkerconfig_file dir b/239484612
-shell metadata_file dir b/239484612
-shell mirror_data_file dir b/239484612
-shell postinstall_mnt_dir dir b/239484612
-shell rootfs file b/239484612
-shell sscoredump_vendor_data_crashinfo_file dir b/241714944
-shell system_dlkm_file dir b/239484612
 su modem_img_file filesystem b/240653918
-vndservicemanager hal_keymint_citadel binder b/270079857
 system_app proc_pagetypeinfo file b/275645892
 system_server privapp_data_file lnk_file b/276385494
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index e6fce309..00000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/237492091
-dontaudit incidentd debugfs_wakeup_sources:file { read };
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
deleted file mode 100644
index 72e6e6e9..00000000
--- a/tracking_denials/servicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/214122471
-dontaudit servicemanager hal_fingerprint_default:binder { call };
From 5cd759d29538dcae5daa5579a8e774e0920ec601 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 12 May 2023 02:11:38 +0000
Subject: [PATCH 796/900] Introduce new sepoilcy owner
Bug: 281631102
Test: N/A
Change-Id: I9bb7c6299f970a410481dd541523bec6df68cf23
---
 OWNERS | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/OWNERS b/OWNERS
index 791abb4a..5232bc31 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@
-include platform/system/sepolicy:/OWNERS
+include device/google/gs-common:/sepolicy/OWNERS
+
+adamshih@google.com
-rurumihong@google.com
From d19337894ad62474b9e52f10c623382d01942db7 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 12 May 2023 12:09:08 +0800
Subject: [PATCH 797/900] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 282096141
Change-Id: I0725e78a76436a0904205f83655755bf7c76c05f
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index d05de12f..f8217325 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -27,3 +27,4 @@ shell system_dlkm_file dir b/239484612
 su modem_img_file filesystem b/240653918
 system_app proc_pagetypeinfo file b/275645892
 system_server privapp_data_file lnk_file b/276385494
+system_server system_userdir_file dir b/282096141
From 3992c42501a543651270a6f4fa5b5b9aedb5226a Mon Sep 17 00:00:00 2001
From: Luis Delgado de Mendoza Garcia
Date: Mon, 24 Apr 2023 16:42:56 -0700
Subject: [PATCH 798/900] Add chre channel sepolicy entries
Bug: 281814892
Fix: 281814892
Test: in-device verification.
Change-Id: I3151d25c4a1cd7a858b84e0c8989dc160d368ca5
Merged-In: I3151d25c4a1cd7a858b84e0c8989dc160d368ca5
---
 whitechapel_pro/genfs_contexts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 7a9672df..902584c7 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -333,6 +333,8 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:0
 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
From 64111ee561b3c34aed54cf137006eb8aaa81d0aa Mon Sep 17 00:00:00 2001
From: Samuel Gosselin
Date: Wed, 10 May 2023 18:03:56 +0000
Subject: [PATCH 799/900] genfs_contexts: add raw s2mpg12mfd and s2mpg13mfd node.
This adds the appropriate raw i2c numberings to the sepolicy for the 6.1 kernel driver which does not use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work.
Test: Boot to Android Home on WHI PRO with 6.1 kernel, no Thermal HAL crashes.
Bug: 276464780
Signed-off-by: Samuel Gosselin
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:83712c5243166cafa3a057d5347515e04947cde8)
Merged-In: I8c2633b33cef8ca2b55029190fe42bd66b17390f
Change-Id: I8c2633b33cef8ca2b55029190fe42bd66b17390f
---
 whitechapel_pro/genfs_contexts | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 902584c7..59d579b7 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -73,6 +73,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
@@ -82,6 +92,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
@@ -93,6 +112,17 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
@@ -103,6 +133,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
From 918335e2a9c1aaad90ec5c70d5e6fbdd787f99bc Mon Sep 17 00:00:00 2001
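Review bot: The raw-numbered wakeup list for acpm_mfd_bus@18110000 ends at `i2c-8/8-002f`, while the context of this hunk still has an `i2c-9/i2c-s2mpg13mfd/.../wakeup` entry and the preceding iio:device hunk adds `i2c-9/9-002f`, so on the 6.1 kernel the bus-9 wakeup node gets no label from this change. With no matching genfscon line the node presumably keeps the default sysfs label, which means rules granted on `sysfs_wakeup` silently stop covering it for that bus. Unless bus 9 is known not to exist on this SoC, add `genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0` after the i2c-8 line so the two raw lists agree.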
From: Samuel Gosselin
Date: Wed, 10 May 2023 18:03:56 +0000
Subject: [PATCH 800/900] genfs_contexts: add raw s2mpg12mfd and s2mpg13mfd node.
This adds the appropriate raw i2c numberings to the sepolicy for the 6.1 kernel driver which does not use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work.
Test: Boot to Android Home on WHI PRO with 6.1 kernel, no Thermal HAL crashes.
Bug: 276464780
Signed-off-by: Samuel Gosselin
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:83712c5243166cafa3a057d5347515e04947cde8)
Merged-In: I8c2633b33cef8ca2b55029190fe42bd66b17390f
Change-Id: I8c2633b33cef8ca2b55029190fe42bd66b17390f
(cherry picked from commit 64111ee561b3c34aed54cf137006eb8aaa81d0aa)
---
 whitechapel_pro/genfs_contexts | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 902584c7..59d579b7 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -73,6 +73,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
@@ -82,6 +92,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
@@ -93,6 +112,17 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
@@ -103,6 +133,15 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
From 7f19e81d6152b3e0762d72cd03e5498e094651b4 Mon Sep 17 00:00:00 2001
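Review bot: This hunk has the same gap as its original in PATCH 799: the raw `i2c-N/N-002f` wakeup entries stop at `i2c-8`, while the context still lists an `i2c-9` wakeup node and the iio:device hunk above adds `i2c-9/9-002f`, so the bus-9 wakeup node on the 6.1 kernel receives no `sysfs_wakeup` label. The missing line would be `genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0`, assuming bus 9 is populated on this board. Separately, this patch carries the same Change-Id and the same `index 902584c7..59d579b7` blob pair as PATCH 799, so it appears to be a second cherry-pick of an already-applied change and is unlikely to apply cleanly on top of it.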
From: Anthony Zhang
Date: Wed, 17 May 2023 10:40:07 -0700
Subject: [PATCH 801/900] [DO NOT MERGE] Allow fingerprint to access persist property
Bug: 258901849
Test: Local test on enrollment/delete, version update
Change-Id: I96acb79b3e600e0a4dd7b7a1cf494b20a876ca63
---
 whitechapel_pro/property_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 08eb601b..947adf2c 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -83,6 +83,7 @@ vendor.gps. u:object_r:vendor_gps_prop:s0
 persist.vendor.gps. u:object_r:vendor_gps_prop:s0
 # Fingerprint
+persist.vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
 vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
 vendor.gf. u:object_r:vendor_fingerprint_prop:s0
From 980c71bea4312d539f3c5ad5146ee623d08ca930 Mon Sep 17 00:00:00 2001
From: Jin Jeong
Date: Fri, 12 May 2023 04:18:25 +0000
Subject: [PATCH 802/900] Revert "Fix LPA crash due to selinux denial"
Revert submission 22955599-euicc_selinux_fix2
Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules
Bug: 279988311
Reverted changes: /q/submissionid:22955599-euicc_selinux_fix2
Change-Id: I2799c61ab5464e5551168f471740afe76edd1113
---
 whitechapel_pro/euicc_app.te | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/whitechapel_pro/euicc_app.te b/whitechapel_pro/euicc_app.te
index 2e36435b..d7259159 100644
--- a/whitechapel_pro/euicc_app.te
+++ b/whitechapel_pro/euicc_app.te
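Review bot: The new `persist.vendor.fingerprint.` line is a prefix entry, so every property under that namespace is labeled `vendor_fingerprint_prop`, the same type already used for the non-persistent `vendor.fingerprint.` and `vendor.gf.` prefixes; as a result any domain that may set that type can now also write state that survives reboot, which is a larger change than the one-line diff suggests. Which domains hold `set` on vendor_fingerprint_prop is not visible in this hunk, so that should be checked in the .te files before merging. If the HAL needs only a small number of persistent keys, an `exact` entry per key (the same form the gps block above uses for its prefixes, but with the `exact` qualifier and a type) would keep the persistent writable surface minimal. The subject still carries `[DO NOT MERGE]`; confirm that is intentional for this branch.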
@@ -1,12 +1,14 @@
 type euicc_app, domain;
 app_domain(euicc_app)
-net_domain(euicc_app)
-allow euicc_app app_api_service:service_manager find;
+allow euicc_app activity_service:service_manager find;
 allow euicc_app radio_service:service_manager find;
-allow euicc_app cameraserver_service:service_manager find;
+allow euicc_app content_capture_service:service_manager find;
+allow euicc_app virtual_device_service:service_manager find;
+allow euicc_app game_service:service_manager find;
+allow euicc_app netstats_service:service_manager find;
+allow euicc_app registry_service:service_manager find;
-get_prop(euicc_app, camera_config_prop)
 get_prop(euicc_app, setupwizard_esim_prop)
 get_prop(euicc_app, bootloader_prop)
 get_prop(euicc_app, exported_default_prop)
From 10ef6d8619602de44dd481680d060770374f167c Mon Sep 17 00:00:00 2001
From: Jin Jeong
Date: Fri, 12 May 2023 04:17:26 +0000
Subject: [PATCH 803/900] Revert "Fix SELinux error for com.google.android.euicc"
Revert submission 22899490-euicc_selinux_fix
Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules
Bug: 279988311
Reverted changes: /q/submissionid:22899490-euicc_selinux_fix
Change-Id: I50ff4f8e48389d034c3f6c716dad1a81e9b73e64
---
 private/property.te | 8 --------
 private/property_contexts | 4 ----
 whitechapel_pro/certs/EuiccGoogle.x509.pem | 23 -----------------------
 whitechapel_pro/euicc_app.te | 15 ---------------
 whitechapel_pro/keys.conf | 3 ---
 whitechapel_pro/mac_permissions.xml | 3 ---
 whitechapel_pro/seapp_contexts | 3 ---
 7 files changed, 59 deletions(-)
 delete mode 100644 private/property.te
 delete mode 100644 whitechapel_pro/certs/EuiccGoogle.x509.pem
 delete mode 100644 whitechapel_pro/euicc_app.te
diff --git a/private/property.te b/private/property.te
deleted file mode 100644
index a6bee3b3..00000000
--- a/private/property.te
+++ /dev/null
@@ -1,8 +0,0 @@
-product_restricted_prop(masterclear_esim_prop)
-product_restricted_prop(euicc_seamless_transfer_prop)
-
-neverallow { domain -init } masterclear_esim_prop:property_service set;
-neverallow { domain -init } euicc_seamless_transfer_prop:property_service set;
-
-get_prop(appdomain, masterclear_esim_prop)
-get_prop(appdomain, euicc_seamless_transfer_prop)
diff --git a/private/property_contexts b/private/property_contexts
index c7321c07..abcdd419 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -3,7 +3,3 @@ persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
 persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
 persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
 persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
-
-#eSIM
-masterclear.allow_retain_esim_profiles_after_fdr u:object_r:masterclear_esim_prop:s0 exact bool
-euicc.seamless_transfer_enabled_in_non_qs u:object_r:euicc_seamless_transfer_prop:s0 exact bool
diff --git a/whitechapel_pro/certs/EuiccGoogle.x509.pem b/whitechapel_pro/certs/EuiccGoogle.x509.pem
deleted file mode 100644
index be6c715c..00000000
--- a/whitechapel_pro/certs/EuiccGoogle.x509.pem
+++ /dev/null
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDwzCCAqugAwIBAgIJAOZ2d46ckK9JMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV -BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW -aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEUMBIG -A1UEAwwLRXVpY2NHb29nbGUwHhcNMTYxMjE3MDEyMTEzWhcNNDQwNTA0MDEyMTEz -WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN -TW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0Fu -ZHJvaWQxFDASBgNVBAMMC0V1aWNjR29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA1S7b8bGk4fNm3cckWJx2sbnvC39BroHNwk6am6jVP4MZAYuc -PN6QQ7/2s7hvtn91w6VbeGi2fryIMc7jXjlixheotD2Ns+/7qsPpQ+ZovfaQO5Xw -/c4J+1CfiqrLtd4TyO+4uFGTCO/vs4qhMH58QrhnYPZUqeuq0Zs1Irp0FlVFe1qm -1heU2zJy5locjb9UJXY33sVc9vfWy+sM8TLX40nWxIXGdbzJHJNyjjr/NA+0+drx -anJCtac6+evehH6o8+t8RQBU44PEZiyGkM8poNgRTAcFdRFXU8pitZXp3QZQk6HO -JsVuqqADwsfxGSdVyHFmOW7gxpkB9+IuJJEmkQIDAQABo1AwTjAdBgNVHQ4EFgQU -lVkGDn/XmF7HjP0K3ykCNnnZ8jMwHwYDVR0jBBgwFoAUlVkGDn/XmF7HjP0K3ykC -NnnZ8jMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkDOpQMXcuKwt -CPu5/tdskpfoBMrpYJOwfvpj/JwrudnXUHZXnBnH9PtHprghGtNiWPXHTbZSzKUS -Aojpo1Lev7DtowFILA54oY6d1NqbCIJy+Knwt3W5H7Rg8u8LqvzkpX5CBKAhRwkQ -0t3yrlEkI7kx805vg484gAe+AXyBx0dGe6ov4/yrzv9E+1jhIgP7tF/f+x8zX6Tr -mDCjzz4mgKahMbmsHQg430wlbZczrciMMfPiRc3xEHKLUqGL0ARtE01hJiJ4TY/X -iL/8QUA3nBcpUyEwHFwUao40Gjca9xteKd7MtmiZ6BM2JJSQ4nSNkcwQW8PU/7Qb -0QMwPRPLbQ== ------END CERTIFICATE----- diff --git a/whitechapel_pro/euicc_app.te b/whitechapel_pro/euicc_app.te deleted file mode 100644 index d7259159..00000000 --- a/whitechapel_pro/euicc_app.te +++ /dev/null 
@@ -1,15 +0,0 @@ -type euicc_app, domain; -app_domain(euicc_app) - -allow euicc_app activity_service:service_manager find; -allow euicc_app radio_service:service_manager find; -allow euicc_app content_capture_service:service_manager find; -allow euicc_app virtual_device_service:service_manager find; -allow euicc_app game_service:service_manager find; -allow euicc_app netstats_service:service_manager find; -allow euicc_app registry_service:service_manager find; - -get_prop(euicc_app, setupwizard_esim_prop) -get_prop(euicc_app, bootloader_prop) -get_prop(euicc_app, exported_default_prop) -get_prop(euicc_app, vendor_modem_prop) diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 187184ac..54130ea2 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -15,6 +15,3 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem - -[@EUICCGOOGLE] -ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccGoogle.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 24d88e61..b57e61c7 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,7 +39,4 @@ - - - diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index b91b1a04..149e2287 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
@@ -49,9 +49,6 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# Domain for EuiccGoogle -user=_app isPrivApp=true seinfo=EuiccGoogle name=com.google.android.euicc domain=euicc_app type=app_data_file levelFrom=all - # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user From 1113c66dea0dc8d4023551ea5c5460ad85d9c0da Mon Sep 17 00:00:00 2001 From: sashwinbalaji Date: Mon, 8 May 2023 12:57:54 +0800 Subject: [PATCH 804/900] thermal: thermal_metrics: Update selinux to reset stats Bug: 193833982 Test: Local build and verify statsD logs adb shell cmd stats print-logs && adb logcat -b all | grep -i 105045 Change-Id: I0dc1c557797d7fe97da7f0fcb2d600485526c979 --- whitechapel_pro/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 48fd6e8f..6aba16ae 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -41,6 +41,7 @@ allow pixelstats_vendor sysfs_exynos_pcie_stats:file rw_file_perms; #perf-metrics r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms; +allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; From 955ae6825f4b98cb8633da83e19ff0b998f53224 Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Wed, 24 May 2023 16:51:46 +0200 Subject: [PATCH 805/900] Allow vendor_init to fix permissions of TEE data file Background: * vendor_init needs to be able to possibly fix ownership of tee_data_file Bug: 280325952 Test: Changed permissions and confirmed user transitions Change-Id: I27681589c9d0b0aa88463e6476fb75119ea89e8a 
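Review bot: The added `allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms;` grants write on every file carrying that label, while the description only needs to reset stats; if one reset node is involved, a narrower label, or at least a comment naming the node, would stop this becoming a general write path into the vendor metrics sysfs. A line such as `# Reset of perf-metrics counters (b/193833982); read access comes from r_dir_file above` placed over the new rule would record the intent. As defined in Android's global_macros, `w_file_perms` also carries append, lock and map; if only open and write are exercised, `{ open write }` would be tighter.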
Signed-off-by: Donnie Pollitz --- whitechapel_pro/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 4d8516a2..415d7c8f 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -37,6 +37,7 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms; # Trusty storage FS ready get_prop(vendor_init, vendor_trusty_storage_prop) +allow vendor_init tee_data_file:lnk_file read; # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) From ee160b5880496559fda584ca04cf3b35337495a3 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Tue, 30 May 2023 12:01:25 +0800 Subject: [PATCH 806/900] Add permissions for maxfg_base/maxfg_secondary Bug: 284878175 Change-Id: I3fe3030ecd36773405f0e70b767d4a28062d91ad Signed-off-by: Jenny Ho --- whitechapel_pro/dump_power_gs201.te | 1 + whitechapel_pro/genfs_contexts | 3 +++ 2 files changed, 4 insertions(+) diff --git a/whitechapel_pro/dump_power_gs201.te b/whitechapel_pro/dump_power_gs201.te index 44520b08..b61001cb 100644 --- a/whitechapel_pro/dump_power_gs201.te +++ b/whitechapel_pro/dump_power_gs201.te @@ -24,6 +24,7 @@ userdebug_or_eng(` allow dump_power_gs201 vendor_charger_debugfs:file r_file_perms; allow dump_power_gs201 vendor_pm_genpd_debugfs:file r_file_perms; allow dump_power_gs201 vendor_maxfg_debugfs:dir r_dir_perms; + allow dump_power_gs201 vendor_maxfg_debugfs:file r_file_perms; allow dump_power_gs201 vendor_votable_debugfs:dir r_dir_perms; allow dump_power_gs201 vendor_votable_debugfs:file r_file_perms; ') diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 902584c7..57f0237c 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
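Review bot: The new `allow vendor_init tee_data_file:lnk_file read;` is placed directly under the `# Trusty storage FS ready` heading, which describes the `get_prop` rule above it, and the description talks about fixing ownership of tee_data_file while the rule only permits reading a symlink. Either symlink resolution is all vendor_init needs while walking that directory, in which case that should be stated, or the rule is incomplete; a separate comment such as `# Let vendor_init resolve the tee_data_file symlink while fixing its ownership (b/280325952)` would keep the rule and the description consistent. The surrounding file continues outside the hunk.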
@@ -183,6 +183,8 @@ genfscon sysfs /devices/platform/14700000.ufs/rev u:object # debugfs genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /maxfg_secondary u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 @@ -214,6 +216,7 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-0050/eeprom genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0069/power_supply u:object_r:sysfs_batteryinfo:s0 From 1714d4f6f39c3f04142ceca949c2ad83996a74a5 Mon Sep 17 00:00:00 2001 
From: DesmondH Date: Wed, 31 May 2023 01:57:26 +0000 Subject: [PATCH 807/900] Remove obsolete entries Bug: 227121550 Bug: 275645892 Bug: 276385494 Bug: 278639040 Fix: 282096141 Fix: 229209076 Fix: 205904328 Fix: 208721505 Fix: 205656950 Change-Id: I9b8a178ff7ef17f050183159d8fae286a6666056 --- tracking_denials/bug_map | 7 ------- tracking_denials/hal_drm_widevine.te | 2 -- tracking_denials/hal_thermal_default.te | 7 ------- tracking_denials/hal_uwb_vendor_default.te | 3 --- tracking_denials/surfaceflinger.te | 4 ---- tracking_denials/vendor_init.te | 2 -- tracking_denials/vndservicemanager.te | 4 ---- 7 files changed, 29 deletions(-) delete mode 100644 tracking_denials/hal_drm_widevine.te delete mode 100644 tracking_denials/hal_thermal_default.te delete mode 100644 tracking_denials/hal_uwb_vendor_default.te delete mode 100644 tracking_denials/surfaceflinger.te delete mode 100644 tracking_denials/vendor_init.te delete mode 100644 tracking_denials/vndservicemanager.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5b00e311..4397c4cb 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,8 +1 @@ -dex2oat privapp_data_file dir b/276386138 hal_power_default hal_power_default capability b/237492146 -hal_radioext_default radio_vendor_data_file file b/237093466 -kernel vendor_usb_debugfs dir b/227121550 -su modem_img_file filesystem b/240653918 -system_app proc_pagetypeinfo file b/275645892 -system_server privapp_data_file lnk_file b/276385494 -system_server system_userdir_file dir b/282096141 diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te deleted file mode 100644 index cfe7fcf7..00000000 --- a/tracking_denials/hal_drm_widevine.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/229209076 -dontaudit hal_drm_widevine vndbinder_device:chr_file { read }; diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te deleted file mode 100644 index abbd2f97..00000000 
--- a/tracking_denials/hal_thermal_default.te +++ /dev/null @@ -1,7 +0,0 @@ -# b/205904328 -dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { bind }; -dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { create }; -dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { getattr }; -dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { read }; -dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { setopt }; -dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { write }; diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te deleted file mode 100644 index 2e0025fc..00000000 --- a/tracking_denials/hal_uwb_vendor_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/208721505 -dontaudit hal_uwb_vendor_default dumpstate:fd { use }; -dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write }; diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te deleted file mode 100644 index cd7b63d9..00000000 --- a/tracking_denials/surfaceflinger.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/215042694 -dontaudit surfaceflinger kernel:process { setsched }; -# b/208721808 -dontaudit surfaceflinger hal_graphics_composer_default:dir { search }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te deleted file mode 100644 index ea8ff1e4..00000000 --- a/tracking_denials/vendor_init.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/205656950 -dontaudit vendor_init thermal_link_device:file { create }; diff --git a/tracking_denials/vndservicemanager.te b/tracking_denials/vndservicemanager.te deleted file mode 100644 index 9931d437..00000000 --- a/tracking_denials/vndservicemanager.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/278639040 -dontaudit vndservicemanager hal_keymint_citadel:binder { call }; -# b/278639040 -dontaudit vndservicemanager hal_keymint_citadel:binder { call }; 
From 61abd02cd3163c335cdde4d3988db55ef9d56bf4 Mon Sep 17 00:00:00 2001 From: changyan Date: Fri, 26 May 2023 02:50:41 +0000 Subject: [PATCH 808/900] Updating sepolicy for dump_modem to read /dev/logbuffer_cpif. This is required as part of bugreport. Test: Pts SELinuxTest#scanBugreport Bug: 277300226 Fix: 282626702 Change-Id: I129116ab78ec89da1529e33be1cfd403715889af --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c4f5b098..8819cdc3 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -103,6 +103,7 @@ /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_bd u:object_r:logbuffer_device:s0 +/dev/logbuffer_cpif u:object_r:logbuffer_device:s0 /dev/logbuffer_pcie0 u:object_r:logbuffer_device:s0 /dev/logbuffer_pcie1 u:object_r:logbuffer_device:s0 /dev/bbd_pwrstat u:object_r:power_stats_device:s0 From c3c3f7fd0c9abd02dfc00b9c5fed08711e7fa62e Mon Sep 17 00:00:00 2001 From: changyan Date: Mon, 22 May 2023 06:51:00 +0000 Subject: [PATCH 809/900] Fix avc denied for cat_engine_service_app Test: SELinuxUncheckedDenialBootTest Bug: 282626814 Change-Id: I742e2b20bff09812d2a3ae07903b29e8eae45915 --- whitechapel_pro/cat_engine_service_app.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel_pro/cat_engine_service_app.te b/whitechapel_pro/cat_engine_service_app.te index eacf9621..876b7967 100644 --- a/whitechapel_pro/cat_engine_service_app.te +++ b/whitechapel_pro/cat_engine_service_app.te 
@@ -4,5 +4,6 @@ userdebug_or_eng(`
 app_domain(cat_engine_service_app)
 get_prop(cat_engine_service_app, vendor_rild_prop)
 allow cat_engine_service_app app_api_service:service_manager find;
- allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+ allow cat_engine_service_app system_app_data_file:dir create_dir_perms;
+ allow cat_engine_service_app system_app_data_file:file create_file_perms;
 ')
From a66e949591f1aebc746fd31fbb220b1d9c5c2d30 Mon Sep 17 00:00:00 2001 From: DesmondH Date: Wed, 14 Jun 2023 16:59:22 +0000 Subject: [PATCH 810/900] Remove fixed or obsolete entries Bug: 227121550 Bug: 237491813 Change-Id: I6e3ca53d92ae0a1db1565feb7e70d72b57f697e1 --- tracking_denials/dumpstate.te | 2 -- tracking_denials/kernel.te | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 tracking_denials/kernel.te
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 0dc30ea7..423d4a4a 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,4 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/237491813
-dontaudit dumpstate app_zygote:process { signal };
 # b/277155245
 dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
deleted file mode 100644
index a2e21639..00000000
--- a/tracking_denials/kernel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/227121550
-dontaudit kernel vendor_votable_debugfs:dir search;
From 513fa361c8c7af21d4fc7f279ec413044e646d45 Mon Sep 17 00:00:00 2001
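Review bot: `create_dir_perms` and `create_file_perms` on `system_app_data_file` let cat_engine_service_app create and write inside every directory carrying that label, i.e. the data of all system-uid apps, not only its own; the description records just the denial being cleared. If the app needs a single path, giving that path its own type (or at least a comment naming it, e.g. `# writes to <path under /data> — TODO narrow to a dedicated type`) would bound the grant. The rules sit inside the `userdebug_or_eng` block whose opening appears only in the hunk header, so this is debug-build only, which limits the exposure without removing the question.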
From: Samuel Huang Date: Tue, 20 Jun 2023 07:25:10 +0000 Subject: [PATCH 811/900] Create telephony.ril.silent_reset system_ext property for RILD restart RILD listens for changes to this property. If the value changes to 1, RILD will restart itself and set this property back to 0. The TelephonyGoogle app will set this property to 1 when it receives a request from the SCONE app. Since TelephonyGoogle runs in the com.android.phone process, we also need to give the radio domain permission to set the telephony.ril.silent_reset property. Bug: 286476107 Test: manual Change-Id: I689e75f4ebf3f44915bd7f795755f297935e7946 --- system_ext/private/property_contexts | 3 +++ system_ext/public/property.te | 7 +++++++ whitechapel_pro/radio.te | 2 ++ whitechapel_pro/rild.te | 2 ++ 4 files changed, 14 insertions(+) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 9f462bda..ffb1793c 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,2 +1,5 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool + +# Telephony +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 8908e485..823acf59 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -1,2 +1,9 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle system_vendor_config_prop(fingerprint_ghbm_prop) + +# Telephony +system_public_prop(telephony_ril_prop) + +userdebug_or_eng(` + set_prop(shell, telephony_ril_prop) +') \ No newline at end of file diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te index 47278465..2864bc97 100644 --- a/whitechapel_pro/radio.te +++ b/whitechapel_pro/radio.te @@ -1,3 +1,5 @@ +set_prop(radio, telephony_ril_prop) + allow radio proc_vendor_sched:dir r_dir_perms; allow radio proc_vendor_sched:file w_file_perms; 
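Review bot: `telephony_ril_prop` is declared with `system_public_prop` and `set` is granted to `radio` (radio.te on this line), `rild` (L1311) and, on debug builds, `shell`, but nothing forbids another domain from acquiring `set` later; since writing this property restarts the RIL, a `neverallow { domain -init -radio -rild -shell } telephony_ril_prop:property_service set;` next to the declaration would pin the contract, the way the earlier `private/property.te` on L1300 did for its eSIM properties (the shell exemption can be limited to debug builds with the userdebug_or_eng macro). The same hunk leaves `system_ext/public/property.te` without a trailing newline (`\ No newline at end of file`), which should be fixed. A short comment explaining the property's effect, e.g. `# Set to 1 by TelephonyGoogle to make RILD restart itself; RILD resets it to 0`, would also help readers of property.te. The re-land in patch 816 (L1316–L1317) repeats these hunks unchanged, so the points apply there too.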
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 484dda08..534bea17 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -6,6 +6,8 @@ get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) +set_prop(rild, telephony_ril_prop) + allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; From 4d0eeef36fc29b816ad7aafe8bb10475532c3f64 Mon Sep 17 00:00:00 2001 From: Sebastian Pickl Date: Tue, 27 Jun 2023 08:46:41 +0000 Subject: [PATCH 812/900] Revert "Create telephony.ril.silent_reset system_ext property fo..." Revert submission 23736941-tpsr-ril-property Reason for revert: culprit for b/289014054 verified by abtd run: https://android-build.googleplex.com/builds/abtd/run/L54800000961620143 Bug: 289014054 Reverted changes: /q/submissionid:23736941-tpsr-ril-property Change-Id: I4fa5b2803392e0db03bb622392f3d4afab6a45ea --- system_ext/private/property_contexts | 3 --- system_ext/public/property.te | 7 ------- whitechapel_pro/radio.te | 2 -- whitechapel_pro/rild.te | 2 -- 4 files changed, 14 deletions(-) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index ffb1793c..9f462bda 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,5 +1,2 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool - -# Telephony -telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 823acf59..8908e485 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te 
@@ -1,9 +1,2 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle system_vendor_config_prop(fingerprint_ghbm_prop) - -# Telephony -system_public_prop(telephony_ril_prop) - -userdebug_or_eng(` - set_prop(shell, telephony_ril_prop) -') \ No newline at end of file diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te index 2864bc97..47278465 100644 --- a/whitechapel_pro/radio.te +++ b/whitechapel_pro/radio.te @@ -1,5 +1,3 @@ -set_prop(radio, telephony_ril_prop) - allow radio proc_vendor_sched:dir r_dir_perms; allow radio proc_vendor_sched:file w_file_perms; diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 534bea17..484dda08 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -6,8 +6,6 @@ get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) -set_prop(rild, telephony_ril_prop) - allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; From 3219a0a19faf364327cb7464a91c749c426ce0c6 Mon Sep 17 00:00:00 2001 From: DesmondH Date: Wed, 28 Jun 2023 05:28:11 +0000 Subject: [PATCH 813/900] Remove obsolete entries Fix: 274727778 Change-Id: I1334cd68043d6ef8c36a42fb47d888f9b061bfb4 --- tracking_denials/hal_vibrator_default.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_vibrator_default.te diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te deleted file mode 100644 index 390bfa3c..00000000 --- a/tracking_denials/hal_vibrator_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/274727778 -dontaudit hal_vibrator_default default_android_service:service_manager { find }; From 1a52c8b95207975246ef3b373257d1e61350a42e Mon Sep 17 00:00:00 2001 
From: Patty Huang Date: Wed, 28 Jun 2023 22:22:30 +0800 Subject: [PATCH 814/900] Allow bthal to access vendor bluetooth folder Bug:289055382 Test: enable vendor debug log and check the vendor snoop log contain the vendor log Change-Id: I89164330998d7fbea45dab65931c2a3db22a4c92 --- whitechapel_pro/bluetooth.te | 3 --- whitechapel_pro/file.te | 3 +++ whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_bluetooth_btlinux.te | 5 +++++ 4 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 whitechapel_pro/hal_bluetooth_btlinux.te diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te index 3795e299..aff0e1a4 100644 --- a/whitechapel_pro/bluetooth.te +++ b/whitechapel_pro/bluetooth.te @@ -1,5 +1,2 @@ allow bluetooth proc_vendor_sched:dir r_dir_perms; allow bluetooth proc_vendor_sched:file w_file_perms; - -allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write }; -allow hal_bluetooth_btlinux device:dir r_dir_perms; \ No newline at end of file diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4a232600..0038103c 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -68,6 +68,9 @@ type persist_display_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; +# BT +type vendor_bt_data_file, file_type, data_file_type; + # Storage Health HAL type proc_f2fs, proc_type, fs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c4f5b098..35f991ba 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -211,6 +211,7 @@ /dev/maxfg_history u:object_r:battery_history_device:s0 /dev/battery_history u:object_r:battery_history_device:s0 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 +/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 # Persist /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 
diff --git a/whitechapel_pro/hal_bluetooth_btlinux.te b/whitechapel_pro/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..dc746294
--- /dev/null
+++ b/whitechapel_pro/hal_bluetooth_btlinux.te
@@ -0,0 +1,5 @@
+allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
+
+allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
From 41ed8e83ea86b2670d4c192fb716140dcdd1029f Mon Sep 17 00:00:00 2001 From: Sebastian Pickl Date: Wed, 5 Jul 2023 09:45:56 +0000 Subject: [PATCH 815/900] Revert "Allow bthal to access vendor bluetooth folder" Revert submission 23844270-P22-vendor-log-udc-qpr Reason for revert: causes selinux tests to fail b/289989584 go/abtd: https://android-build.googleplex.com/builds/abtd/run/L37600000961782595 Bug:289989584 Reverted changes: /q/submissionid:23844270-P22-vendor-log-udc-qpr Change-Id: I4e9ccf17050702a6405c549340e7fe97eba0eb65 --- whitechapel_pro/bluetooth.te | 3 +++ whitechapel_pro/file.te | 3 --- whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_bluetooth_btlinux.te | 5 ----- 4 files changed, 3 insertions(+), 9 deletions(-) delete mode 100644 whitechapel_pro/hal_bluetooth_btlinux.te
diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te
index aff0e1a4..3795e299 100644
--- a/whitechapel_pro/bluetooth.te
+++ b/whitechapel_pro/bluetooth.te
@@ -1,2 +1,5 @@
 allow bluetooth proc_vendor_sched:dir r_dir_perms;
 allow bluetooth proc_vendor_sched:file w_file_perms;
+
+allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
\ No newline at end of file
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 0038103c..4a232600 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
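Review bot: The two `vendor_bt_data_file` grants (`rw_dir_perms` on the directory, `create_file_perms` on files) are unconditional, while the description presents the feature as a vendor debug log; if the log is only collected on debug builds, wrapping those two rules in a `userdebug_or_eng` block, as `dump_power_gs201.te` on L1304 does for its debugfs access, would keep the write path out of user builds. The new file also has no header comment; `# Vendor Bluetooth debug/snoop log directory, /data/vendor/bluetooth (b/289055382)` above the rules would document what the label holds, which matters because snoop logs capture Bluetooth traffic. The revert that follows on this page (patch 815, L1314–L1315) cites failing SELinux tests, so a re-land should carry that context as well. The `# BT` comment added to file.te on L1313 is equally terse and would benefit from the same wording.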
@@ -68,9 +68,6 @@ type persist_display_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; -# BT -type vendor_bt_data_file, file_type, data_file_type; - # Storage Health HAL type proc_f2fs, proc_type, fs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 35f991ba..c4f5b098 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -211,7 +211,6 @@ /dev/maxfg_history u:object_r:battery_history_device:s0 /dev/battery_history u:object_r:battery_history_device:s0 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 -/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 # Persist /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 diff --git a/whitechapel_pro/hal_bluetooth_btlinux.te b/whitechapel_pro/hal_bluetooth_btlinux.te deleted file mode 100644 index dc746294..00000000 --- a/whitechapel_pro/hal_bluetooth_btlinux.te +++ /dev/null @@ -1,5 +0,0 @@ -allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write }; -allow hal_bluetooth_btlinux device:dir r_dir_perms; - -allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms; -allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; From d02a8eef29706ad803726ed635cd3cb4a11dcc1b Mon Sep 17 00:00:00 2001 
From: Samuel Huang Date: Wed, 28 Jun 2023 06:16:30 +0000 Subject: [PATCH 816/900] Revert "Revert "Create telephony.ril.silent_reset system_ext pro..." Revert submission 23817868-revert-23736941-tpsr-ril-property-WQVGKEVBKX Reason for revert: The root cause is missing property definition in gs101-sepolicy. This CL can be merged safely. Verified by abtd run: https://android-build.googleplex.com/builds/abtd/run/L48900000961646046 Reverted changes: /q/submissionid:23817868-revert-23736941-tpsr-ril-property-WQVGKEVBKX Bug: 286476107 Change-Id: Ia80e4400ff555a637c42193cab3e3acf72bc36a2 --- system_ext/private/property_contexts | 3 +++ system_ext/public/property.te | 7 +++++++ whitechapel_pro/radio.te | 2 ++ whitechapel_pro/rild.te | 2 ++ 4 files changed, 14 insertions(+) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 9f462bda..ffb1793c 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,2 +1,5 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool + +# Telephony +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 8908e485..823acf59 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -1,2 +1,9 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle system_vendor_config_prop(fingerprint_ghbm_prop) + +# Telephony +system_public_prop(telephony_ril_prop) + +userdebug_or_eng(` + set_prop(shell, telephony_ril_prop) +') \ No newline at end of file diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te index 47278465..2864bc97 100644 --- a/whitechapel_pro/radio.te +++ b/whitechapel_pro/radio.te @@ -1,3 +1,5 @@ +set_prop(radio, telephony_ril_prop) + allow radio proc_vendor_sched:dir r_dir_perms; allow radio proc_vendor_sched:file w_file_perms; 
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 484dda08..534bea17 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -6,6 +6,8 @@ get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) +set_prop(rild, telephony_ril_prop) + allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; From e96a14a9d273783ee66f375ace010de24c77f69e Mon Sep 17 00:00:00 2001 From: David Anderson Date: Tue, 11 Jul 2023 09:41:52 -0700 Subject: [PATCH 817/900] Allow fastbootd to flash dtbo. This line is copied from gs101-sepolicy, and fixes the following denial: audit: type=1400 audit(1689093038.396:14): avc: denied { write } for pid=409 comm="fastbootd" name="sda24" dev="tmpfs" ino=493 scontext=u:r:fastbootd:s0 tcontext=u:object_r:custom_ab_block_device:s0 tclass=blk_file permissive=0 Bug: N/A Test: fastboot flashall in fastbootd Change-Id: I765aedeb204cc862434a56a97f242640465f84b8 --- whitechapel_pro/fastbootd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/fastbootd.te b/whitechapel_pro/fastbootd.te index 5945ef24..867eda14 100644 --- a/whitechapel_pro/fastbootd.te +++ b/whitechapel_pro/fastbootd.te @@ -5,4 +5,5 @@ allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; allow fastbootd citadel_device:chr_file rw_file_perms; allow fastbootd st54spi_device:chr_file rw_file_perms; +allow fastbootd custom_ab_block_device:blk_file rw_file_perms; ') From d45ff39442710d2a679e5132efeaef4c65128891 Mon Sep 17 00:00:00 2001 
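Review bot: The added `allow fastbootd custom_ab_block_device:blk_file rw_file_perms;` covers every partition carrying that label, while the description names only dtbo and the quoted denial shows `sda24`; a comment such as `# dtbo (sda24 on this board) is labelled custom_ab_block_device; needed for fastboot flash dtbo` would record why a shared block-device label was widened rather than a dtbo-specific one. If `custom_ab_block_device` also covers partitions that fastbootd should not rewrite, a dedicated label for dtbo would be the safer shape. The enclosing macro block, whose `')` closes the hunk, starts outside it, so whether this grant is limited to debug or recovery builds is not visible here.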
From: Utku Utkan Date: Tue, 11 Jul 2023 17:49:27 -0700 Subject: [PATCH 818/900] Introduce CameraServices seinfo tag for PixelCameraServices Bug: 287069860 Test: m && flashall && check against 'avc: denied' errors Change-Id: I41b435ae0a34fe9c797b9316887c4b56091a26a5 --- whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 54130ea2..bff9addf 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -15,3 +15,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem + +[@CAMERASERVICES] +ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index b57e61c7..7627b9d0 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,4 +39,7 @@ + + + From b29cf7645ac03683bc048c25890c417c7e083384 Mon Sep 17 00:00:00 2001 From: Dinesh Yadav Date: Mon, 10 Jul 2023 05:10:03 +0000 Subject: [PATCH 819/900] [Cleanup]: Move gxp sepolicies to gs-common for P22 These policies are moved to gs-common as part of ag/24002524 Bug: 288368306 Change-Id: If7466983009021c642db998e1c30071ee548846e Signed-off-by: Dinesh Yadav --- whitechapel_pro/debug_camera_app.te | 5 +++-- whitechapel_pro/device.te | 1 - whitechapel_pro/file_contexts | 3 --- whitechapel_pro/google_camera_app.te | 3 ++- whitechapel_pro/gxp_logging.te | 9 --------- whitechapel_pro/hal_camera_default.te | 3 --- 6 files changed, 5 insertions(+), 19 deletions(-) delete mode 100644 whitechapel_pro/gxp_logging.te diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te index 5342fb74..cdd58c9b 100644 --- a/whitechapel_pro/debug_camera_app.te 
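Review bot: The `[@CAMERASERVICES]` entry points at a certificate outside this repository (`vendor/google/dev-keystore/certs/...`), whereas every other entry on this page keeps its certificate under `whitechapel_pro/certs/`; the revert in patch 820 (L1321) reports the build breakage that such a cross-tree path produces when the vendor tree is absent. Copying the certificate into `whitechapel_pro/certs/` and referencing it like the neighbouring entries would avoid that. Because a seinfo tag ends up gating a domain assignment in seapp_contexts, it is also worth confirming in a comment that this is the release signing certificate for PixelCameraServices and not a development key; the `dev-keystore` path name does not settle that either way. The mac_permissions.xml hunk on this line lost its XML content in extraction, so that half of the change could not be reviewed.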
+++ b/whitechapel_pro/debug_camera_app.te @@ -11,8 +11,9 @@ userdebug_or_eng(` allow debug_camera_app mediametrics_service:service_manager find; allow debug_camera_app mediaserver_service:service_manager find; - # Allows camera app to access the GXP device. + # Allows camera app to access the GXP device and properties. allow debug_camera_app gxp_device:chr_file rw_file_perms; + get_prop(debug_camera_app, vendor_gxp_prop) # Allows camera app to search for GXP firmware file. allow debug_camera_app vendor_fw_file:dir search; @@ -24,4 +25,4 @@ userdebug_or_eng(` # Allows GCA-Eng to find and access the EdgeTPU. allow debug_camera_app edgetpu_app_service:service_manager find; allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; -') \ No newline at end of file +') diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index b66248a7..93059b7f 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -12,7 +12,6 @@ type lwis_device, dev_type; type logbuffer_device, dev_type; type rls_device, dev_type; type fingerprint_device, dev_type; -type gxp_device, dev_type, mlstrustedobject; type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 8819cdc3..91662c8b 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
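Review bot: `type gxp_device, dev_type, mlstrustedobject;` is removed from device.te while debug_camera_app.te (this line) and google_camera_app.te (L1320) keep `allow ... gxp_device:chr_file rw_file_perms;` and newly add `get_prop(..., vendor_gxp_prop)`, a property type defined nowhere on this page; the policy now compiles only if gs-common declares both, as the description says it does. A one-line comment at each remaining use, e.g. `# gxp_device and vendor_gxp_prop are declared in gs-common (ag/24002524)`, would tell the next reader where the types live and why device.te no longer has them. It is also worth confirming that `gs201-sepolicy.mk` pulls in the gs-common GXP policy, since that file is not part of this change.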
@@ -35,7 +35,6 @@
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
-/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
@@ -61,8 +60,6 @@
 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0
 
 # Graphics
 /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index d73cd3db..8cdbaa30 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -9,8 +9,9 @@ allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
 
-# Allows camera app to access the GXP device.
+# Allows camera app to access the GXP device and properties.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
+get_prop(google_camera_app, vendor_gxp_prop)
 
 # Allows camera app to search for GXP firmware file.
 allow google_camera_app vendor_fw_file:dir search;
diff --git a/whitechapel_pro/gxp_logging.te b/whitechapel_pro/gxp_logging.te
deleted file mode 100644
index 107942d1..00000000
--- a/whitechapel_pro/gxp_logging.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type gxp_logging, domain;
-type gxp_logging_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(gxp_logging)
-
-# The logging service accesses /dev/gxp
-allow gxp_logging gxp_device:chr_file rw_file_perms;
-
-# Allow gxp tracing service to send packets to Perfetto
-userdebug_or_eng(`perfetto_producer(gxp_logging)')
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 05909984..c16b2481 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -28,9 +28,6 @@ binder_call(hal_camera_default, edgetpu_vendor_server)
 allow hal_camera_default edgetpu_app_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_app_server)
 
-# Allow the camera hal to access the GXP device.
-allow hal_camera_default gxp_device:chr_file rw_file_perms;
-
 # Allow access to data files used by the camera HAL
 allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default persist_file:dir search;
From c420cef154a02c8de5ad05fa09fb6175b2203089 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Wed, 19 Jul 2023 01:15:07 +0000 Subject: [PATCH 820/900] Revert "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24056607-pixel-camera-services-extensions-sepolicy Reason for revert: build breakage on git_main-without-vendor Reverted changes: /q/submissionid:24056607-pixel-camera-services-extensions-sepolicy Change-Id: I9869874507230f59ac3b8cdc2538e4f223216b45 --- whitechapel_pro/keys.conf | 3 --- whitechapel_pro/mac_permissions.xml | 3 --- 2 files changed, 6 deletions(-)
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index bff9addf..54130ea2 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -15,6 +15,3 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem - -[@CAMERASERVICES] -ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 7627b9d0..b57e61c7 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,7 +39,4 @@ - - - From 34bda7b2b8cd7fa3acf60f5b25aaea1baa568898 Mon Sep 17 00:00:00 2001 From: Utku Utkan Date: Wed, 19 Jul 2023 02:47:43 +0000 Subject: [PATCH 821/900] Revert^2 "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Reason for revert: Relanding the original topic after copying the certificates under `device/google` for `without-vendor` branches Reverted changes: /q/submissionid:24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Bug: 287069860 Test: m && flashall Change-Id: I5326b61822d367beaff0ac97a34708d306c60007 --- ...ogle_android_apps_camera_services.x509.pem | 30 +++++++++++++++++++ whitechapel_pro/keys.conf | 3 ++ whitechapel_pro/mac_permissions.xml | 3 ++ 3 files changed, 36 insertions(+) create mode 100644 whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem b/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem new file mode 100644 index 00000000..7b8c5b22 --- /dev/null +++ b/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIVAIHtywgrR7O/EgQ+PeYSfHDaUDt8MA0GCSqGSIb3DQEBCwUAMIGUMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU +MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxMDAuBgNVBAMMJ2NvbV9nb29n +bGVfYW5kcm9pZF9hcHBzX2NhbWVyYV9zZXJ2aWNlczAgFw0yMTA2MzAyMzI2MThaGA8yMDUxMDYz +MDIzMjYxOFowgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N +b3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEwMC4G +A1UEAwwnY29tX2dvb2dsZV9hbmRyb2lkX2FwcHNfY2FtZXJhX3NlcnZpY2VzMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAof2MqYxoQkV05oUZULYlNLDIJKryWjC8ha300YUktBNNVBSP +1y33+ZTBldm7drcBGo54S1JE1lCIP1dMxby0rNTJ8/Zv2bMVMjXX0haF5vULt64itDcR0SqUDfFR +UsHapPVmRmMpDOMOUYUbN7gjU7iYAc9oWBo6BFfckdpwwKfzYY/sgieen1E/MN7Zpzmefct3WDU5 +4Dc8mpoNsen3oqquieYAgv9FOw5gCIgsDaOfYFBgvAE08Pqo3J/zU6dAuqUJztNH8EhgTNbcaNVL +jCmofa+iIAjSpmP69jcgaUyfmH0EE3/m55qouVRJzqARvmEO/M7LEr3n1ZKKhDZdO6TJysMzP9g8 +pONPO8/3hTQ+GP+7fOQooNQJEGNgJuZOHSyNL/8nGCgHBZKgZdZPKk8HV2M578UDf8yNyV5AYpx0 +VK1JdoBtNMzp0cv7Q6TTugIuDEzT3jmgGGp6WmXE6B9dJOq+cnVC7cSYva8wctFS3RpoqT79vkW3 +A7g2b26bM5GMQ8KcGC4qm4pJkrX5kKZWZGWXjm0F8gRJQ5D0S/AcUw3B+sG/AmfQzLm8SCK36HhO +sFnPsQJ/VdL7kg9HHWrQYVexNaQnD/QLOCenk09COUzSwexws+kQhUH45OSbQFjOJwPbS4YAn9qV +eV+DPlvemZEFYF5+MVlDwOGQ3JsCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtjMO +nlaC4nsk4PwT+fcIYpg52JQwHwYDVR0jBBgwFoAUtjMOnlaC4nsk4PwT+fcIYpg52JQwDQYJKoZI +hvcNAQELBQADggIBABhYDqPD2yWiXNCVtHk6h7Kb2H2U3rc8G7Or1/mwrXSCEgqHnCkpiWeb1h/5 +YNS9fRrexQD+O0hukCpjvIFccQvk8EkZdWpn4kDlrUqfakWpASzlwEqRviS31Hiybn/+QUpYuDTm +FYorrHzDzPiNttzxVK0ENt4T4ETDWVqiGB7tbTlLPr6tz/oxDjRH8y4iS/For7SkfdI512txJgDr +njvRVY9WJykySs+AAqwS1PIMXGoI03UmLJUsFNUjHehaqguPS1uiewlKiQq07blWbnQXdcyH7QTI +hOUPY2rRBh8ciXu4L0Uk4To7+DP/8nHSGC7qXPvP6W3gqW1hj0d6GviMEfJ9fBSUEzaCRF3aL/5e +JOGQQKxh7Jsl/zZs4+MYg0Q2cyg/BQVNNOhESG4et4OV5go9W+1oAy20FV0NgtdPoeb9ABNoi4T3 +IrKLgxOsbACpoDt3zPhncqiJhX3feFtyVV4oRiylydiiYO927qNdfMGmcnGFSG4814kUxSdpkoCA 
+V7WCQD42zfBYj4pkdZwiJW4yZSaPWN/Eodi3PBsV+10Y1O1WOvebJuTGmcvWWMCPGtFQJDijUy4H +r8rDe3ZmRGQ+vEGPJZC8nx9+qxLQ314ZCzdS0R1HwRRuOji3fCSCnaPQuCFe3YlzhB2j6fRGNf7F +DB17LhMLl0GxX9j1 +-----END CERTIFICATE----- diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 54130ea2..09999382 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -15,3 +15,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_fishfood.x509.pem + +[@CAMERASERVICES] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index b57e61c7..7627b9d0 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -39,4 +39,7 @@ + + + From 3054cb6eecdab0a574b1fb5a896626368519f292 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Tue, 25 Jul 2023 13:12:32 +0000 Subject: [PATCH 822/900] SELinux: fix the wakeup avc denials Fix the wakeup avc denials in a more common place Bug: 292076108 Change-Id: I52627f19cb0fec3dd0851d21d0608048ebc7d45d Signed-off-by: Ken Yang --- whitechapel_pro/genfs_contexts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 57f0237c..c57ea3ea 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -307,6 +307,13 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
@@ -321,6 +328,8 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wir
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
From e5bfccd0fdba6d01d0482d7412091082620969a0 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Thu, 27 Jul 2023 01:42:03 +0000 Subject: [PATCH 823/900] SELinux: fix sysfs_wlc avc denials Bug: 291541479 Change-Id: I94bed765b89ee538f77398ce432315c907ac1a9a Signed-off-by: Ken Yang --- whitechapel_pro/genfs_contexts | 11 +++++++++++ whitechapel_pro/hal_wireless_charger.te | 5 +++++ 2 files changed, 16 insertions(+)
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index ffc3dbd6..55684b0d 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -480,3 +480,14 @@ genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:ob
 
 # GPS
 genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
+
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0
\ No newline at end of file
diff --git a/whitechapel_pro/hal_wireless_charger.te b/whitechapel_pro/hal_wireless_charger.te
index 04b3e5e2..8d6c0118 100644
--- a/whitechapel_pro/hal_wireless_charger.te
+++ b/whitechapel_pro/hal_wireless_charger.te
@@ -1,2 +1,7 @@
 type hal_wireless_charger, domain;
 type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
+
+r_dir_file(hal_wireless_charger, sysfs_wlc)
+
+allow hal_wireless_charger sysfs_wlc:dir search;
+allow hal_wireless_charger sysfs_wlc:file rw_file_perms;
From 36313e7bc9f1c54be8f15edce8053cb212c5bc02 Mon Sep 17 00:00:00 2001
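Review bot: `allow hal_wireless_charger sysfs_wlc:dir search;` is already covered by the `r_dir_file(hal_wireless_charger, sysfs_wlc)` macro two lines above it (r_dir_perms includes search), and the following `sysfs_wlc:file rw_file_perms` rule supersedes the read half of that macro, so the three statements express one grant twice. Because the genfs_contexts hunk in this commit labels the whole `i2c-N/N-003c` device directory as `sysfs_wlc`, that single rw grant reaches every attribute the driver exposes under it; if only a few nodes need writing, a short comment naming them (or a narrower label for the writable ones) would document the intended scope. Either keep `r_dir_file(hal_wireless_charger, sysfs_wlc)` plus `allow hal_wireless_charger sysfs_wlc:file w_file_perms;`, or drop the macro and keep the two explicit rules. The genfs_contexts hunk also ends with `\ No newline at end of file` on the new side.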
From: Roy Luo Date: Tue, 11 Jul 2023 23:04:24 +0000 Subject: [PATCH 824/900] Support monitoring USB sysfs attributes in USB HAL Grant access to USB sysfs attributes. Bug: 285199434 Test: no audit log in logcat after command execution Change-Id: Ida489f0f8788100795613de900fd06317087d9cc --- whitechapel_pro/hal_usb_impl.te | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te
index 5d2a65e7..4c997733 100644
--- a/whitechapel_pro/hal_usb_impl.te
+++ b/whitechapel_pro/hal_usb_impl.te
@@ -29,3 +29,7 @@ allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
 allow hal_usb_impl device:dir r_dir_perms;
 allow hal_usb_impl usb_device:chr_file rw_file_perms;
 allow hal_usb_impl usb_device:dir r_dir_perms;
+
+# For monitoring usb sysfs attributes
+allow hal_usb_impl sysfs_wakeup:dir search;
+allow hal_usb_impl sysfs_wakeup:file r_file_perms;
From 62014f17268a2ec269892845b297256203647ffc Mon Sep 17 00:00:00 2001
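Review bot: The comment `# For monitoring usb sysfs attributes` undersells what the two new rules grant: `sysfs_wakeup` is the label genfs_contexts applies to every `.../wakeup` node on the device (charger, wireless, i2c devices, not only the dwc3/xhci paths), so the HAL gains read on all of them. If only the USB controller's wakeup attributes are needed, say so in the comment and consider a dedicated label for those paths; otherwise make the comment match the grant, e.g. `# Read wakeup attributes under sysfs (sysfs_wakeup covers all wakeup nodes, not only USB)`.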
From: Inseob Kim Date: Fri, 21 Jul 2023 15:09:58 +0900 Subject: [PATCH 825/900] Move coredomain policies to system_ext/product Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 --- gs201-sepolicy.mk | 1 + private/debug_camera_app.te | 16 ++++++++++++++++ private/google_camera_app.te | 17 +++++++++++++++++ private/seapp_contexts | 11 +++++++++++ public/debug_camera_app.te | 1 + public/google_camera_app.te | 1 + system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 5 +++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel_pro/con_monitor.te | 8 -------- whitechapel_pro/debug_camera_app.te | 16 ---------------- whitechapel_pro/google_camera_app.te | 17 ----------------- whitechapel_pro/hbmsvmanager_app.te | 12 ------------ whitechapel_pro/seapp_contexts | 18 ------------------ 16 files changed, 73 insertions(+), 71 deletions(-) create mode 100644 private/debug_camera_app.te create mode 100644 private/google_camera_app.te create mode 100644 private/seapp_contexts create mode 100644 public/debug_camera_app.te create mode 100644 public/google_camera_app.te create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/private/seapp_contexts create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 664b851f..2c5da1fc 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk 
@@ -4,6 +4,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
 
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/public
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private
 
 # system_ext
diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te
new file mode 100644
index 00000000..c14637be
--- /dev/null
+++ b/private/debug_camera_app.te
@@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows camera app to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/private/google_camera_app.te b/private/google_camera_app.te
new file mode 100644
index 00000000..6a9dff32
--- /dev/null
+++ b/private/google_camera_app.te
@@ -0,0 +1,17 @@
+typeattribute google_camera_app coredomain;
+
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows camera app to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/private/seapp_contexts b/private/seapp_contexts
new file mode 100644
index 00000000..bfe5a549
--- /dev/null
+++ b/private/seapp_contexts
@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te
new file mode 100644
index 00000000..6f497680
--- /dev/null
+++ b/public/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, domain;
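Review bot: `dontaudit google_camera_app vendor_default_prop:file { getattr map open };` is carried into product private policy unchanged, but the re-land of this same Change-Id further down the page (the Merged-In copy of "Move coredomain policies to system_ext/product") creates `private/google_camera_app.te` without it, and neither commit message mentions the difference. `vendor_default_prop` is the catch-all label for vendor-internal properties, so a product-side suppression on it looks like the kind of vendor coupling this commit is meant to remove; that is an inference, since the type's declaration is not on this page. Either keep the line and say why in the commit message, or state that the suppression was dropped deliberately; if kept, a comment such as `# Library code probes vendor properties; silence the expected denial rather than grant access` explains the intent better than "should be denied".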
diff --git a/public/google_camera_app.te b/public/google_camera_app.te
new file mode 100644
index 00000000..c93038cc
--- /dev/null
+++ b/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain;
diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te
new file mode 100644
index 00000000..c68ec1f8
--- /dev/null
+++ b/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 00000000..6f5ff7ac
--- /dev/null
+++ b/system_ext/private/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
new file mode 100644
index 00000000..25318ffe
--- /dev/null
+++ b/system_ext/private/seapp_contexts
@@ -0,0 +1,5 @@
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
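Review bot: `app_domain(hbmsvmanager_app);` carries a trailing semicolon that none of the other macro invocations in this commit have (`app_domain(con_monitor_app)` in the sibling file, `hal_client_domain(...)` in the camera files); it was carried over from the vendor file, but the move is the moment to drop it. The `proc_vendor_sched:file w_file_perms` rule grants a platform-signed app write access to scheduler tuning nodes with no comment saying which attribute it writes or why write-only access is enough; a line such as `# Writes proc_vendor_sched nodes; TODO name the attribute and why write-only suffices` would document the intent for the next reviewer.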
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel_pro/con_monitor.te b/whitechapel_pro/con_monitor.te
index 8695ccaa..32c2056d 100644
--- a/whitechapel_pro/con_monitor.te
+++ b/whitechapel_pro/con_monitor.te
@@ -1,10 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
index cdd58c9b..427a7735 100644
--- a/whitechapel_pro/debug_camera_app.te
+++ b/whitechapel_pro/debug_camera_app.te
@@ -1,16 +1,4 @@
-type debug_camera_app, domain, coredomain;
-
 userdebug_or_eng(`
- app_domain(debug_camera_app)
- net_domain(debug_camera_app)
-
- allow debug_camera_app app_api_service:service_manager find;
- allow debug_camera_app audioserver_service:service_manager find;
- allow debug_camera_app cameraserver_service:service_manager find;
- allow debug_camera_app mediaextractor_service:service_manager find;
- allow debug_camera_app mediametrics_service:service_manager find;
- allow debug_camera_app mediaserver_service:service_manager find;
-
 # Allows camera app to access the GXP device and properties.
 allow debug_camera_app gxp_device:chr_file rw_file_perms;
 get_prop(debug_camera_app, vendor_gxp_prop)
@@ -18,10 +6,6 @@ userdebug_or_eng(`
 # Allows camera app to search for GXP firmware file.
 allow debug_camera_app vendor_fw_file:dir search;
 
- # Allows camera app to access the PowerHAL.
- hal_client_domain(debug_camera_app, hal_power)
-')
-userdebug_or_eng(`
 # Allows GCA-Eng to find and access the EdgeTPU.
 allow debug_camera_app edgetpu_app_service:service_manager find;
 allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
index 8cdbaa30..0ef04cc4 100644
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@@ -1,14 +1,3 @@
-type google_camera_app, domain, coredomain;
-app_domain(google_camera_app)
-net_domain(google_camera_app)
-
-allow google_camera_app app_api_service:service_manager find;
-allow google_camera_app audioserver_service:service_manager find;
-allow google_camera_app cameraserver_service:service_manager find;
-allow google_camera_app mediaextractor_service:service_manager find;
-allow google_camera_app mediametrics_service:service_manager find;
-allow google_camera_app mediaserver_service:service_manager find;
-
 # Allows camera app to access the GXP device and properties.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
 get_prop(google_camera_app, vendor_gxp_prop)
@@ -16,12 +5,6 @@ get_prop(google_camera_app, vendor_gxp_prop)
 # Allows camera app to search for GXP firmware file.
 allow google_camera_app vendor_fw_file:dir search;
 
-# Allows camera app to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-
-# Library code may try to access vendor properties, but should be denied
-dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te
index b7058090..bbedea8c 100644
--- a/whitechapel_pro/hbmsvmanager_app.te
+++ b/whitechapel_pro/hbmsvmanager_app.te
@@ -1,14 +1,2 @@
-type hbmsvmanager_app, domain, coredomain;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 149e2287..8ff78b87 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -27,15 +27,9 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag
 # Domain for omadm
 user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
 
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
 
-# Domain for connectivity monitor
-user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
 
@@ -52,18 +46,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom
 # Sub System Ramdump
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
 
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
-# Google Camera Eng
-user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
-
-# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
-user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
-
-# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
-user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
-
 # Domain for CatEngineService
 user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
 
From da30985fa54b3441422952a7466626237a37644b Mon Sep 17 00:00:00 2001
From: Inseob Kim Date: Fri, 21 Jul 2023 15:09:58 +0900 Subject: [PATCH 826/900] Move coredomain policies to system_ext/product Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 Merged-In: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 --- gs201-sepolicy.mk | 1 + private/debug_camera_app.te | 16 ++++++++++++++++ private/google_camera_app.te | 14 ++++++++++++++ private/seapp_contexts | 11 +++++++++++ public/debug_camera_app.te | 1 + public/google_camera_app.te | 1 + system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 5 +++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel_pro/con_monitor.te | 8 -------- whitechapel_pro/debug_camera_app.te | 15 --------------- whitechapel_pro/google_camera_app.te | 14 -------------- whitechapel_pro/hbmsvmanager_app.te | 12 ------------ whitechapel_pro/seapp_contexts | 18 ------------------ 16 files changed, 70 insertions(+), 67 deletions(-) create mode 100644 private/debug_camera_app.te create mode 100644 private/google_camera_app.te create mode 100644 private/seapp_contexts create mode 100644 public/debug_camera_app.te create mode 100644 public/google_camera_app.te create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/private/seapp_contexts create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 664b851f..2c5da1fc 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk 
@@ -4,6 +4,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro # unresolved SELinux error log with bug tracking BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/public PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private # system_ext diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te new file mode 100644 index 00000000..c14637be --- /dev/null +++ b/private/debug_camera_app.te @@ -0,0 +1,16 @@ +typeattribute debug_camera_app coredomain; + +userdebug_or_eng(` + app_domain(debug_camera_app) + net_domain(debug_camera_app) + + allow debug_camera_app app_api_service:service_manager find; + allow debug_camera_app audioserver_service:service_manager find; + allow debug_camera_app cameraserver_service:service_manager find; + allow debug_camera_app mediaextractor_service:service_manager find; + allow debug_camera_app mediametrics_service:service_manager find; + allow debug_camera_app mediaserver_service:service_manager find; + + # Allows camera app to access the PowerHAL. + hal_client_domain(debug_camera_app, hal_power) +') diff --git a/private/google_camera_app.te b/private/google_camera_app.te new file mode 100644 index 00000000..dc7ee288 --- /dev/null +++ b/private/google_camera_app.te @@ -0,0 +1,14 @@ +typeattribute google_camera_app coredomain; + +app_domain(google_camera_app) +net_domain(google_camera_app) + +allow google_camera_app app_api_service:service_manager find; +allow google_camera_app audioserver_service:service_manager find; +allow google_camera_app cameraserver_service:service_manager find; +allow google_camera_app mediaextractor_service:service_manager find; +allow google_camera_app mediametrics_service:service_manager find; +allow google_camera_app mediaserver_service:service_manager find; + +# Allows camera app to access the PowerHAL. +hal_client_domain(google_camera_app, hal_power) 
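Review bot: In private/debug_camera_app.te the `typeattribute debug_camera_app coredomain;` line sits outside the `userdebug_or_eng` block while `app_domain(debug_camera_app)` and every allow rule sit inside it, so on user builds the domain is declared and marked coredomain but carries no app permissions at all, while the private/seapp_contexts entries that route `seinfo=CameraEng` packages into it apply to every build variant. That is the shape the removed whitechapel_pro file had too, and it fails closed (a CameraEng-signed app on a user build would presumably just be denied everything rather than gain access), but nothing in the file says it is deliberate. A comment above the block would make the intent explicit: `# Everything below is userdebug/eng only; on user builds this domain deliberately stays empty.` The cherry-pick of this change (PATCH 827) has the identical hunk.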
diff --git a/private/seapp_contexts b/private/seapp_contexts
new file mode 100644
index 00000000..bfe5a549
--- /dev/null
+++ b/private/seapp_contexts
@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te
new file mode 100644
index 00000000..6f497680
--- /dev/null
+++ b/public/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, domain;
diff --git a/public/google_camera_app.te b/public/google_camera_app.te
new file mode 100644
index 00000000..c93038cc
--- /dev/null
+++ b/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain;
diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te
new file mode 100644
index 00000000..c68ec1f8
--- /dev/null
+++ b/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 00000000..6f5ff7ac
--- /dev/null
+++ b/system_ext/private/hbmsvmanager_app.te
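Review bot: private/seapp_contexts moves the four camera entries, which match on `seinfo=google`, `seinfo=CameraFishfood` and `seinfo=CameraEng`, but this change moves no keys.conf or mac_permissions.xml entry defining those tags; if they still live under whitechapel_pro, the product-side labelling now depends on a vendor-side certificate map, which is the same cross-partition coupling the commit sets out to remove. PATCH 830 later moves the UWB certificate, keys.conf and mac_permissions.xml together with its seapp_contexts entry, and that is the pattern to follow here. The fishfood package also appears twice with different tags, so which domain it lands in is decided purely by signing key; a comment would spare the next reader the double take: `# Same package under two keys: CameraFishfood key -> google_camera_app, CameraEng key -> debug_camera_app.` Same for the cherry-pick (PATCH 827).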
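Review bot: `set_prop(con_monitor_app, radio_prop)` in system_ext/private/con_monitor.te lets an app-domain process set every property labelled radio_prop, and it is moved over with no comment explaining which properties the connectivity monitor actually writes. A why-comment there (and a narrower property type if only a few keys are written) would help: `# Connectivity monitor writes radio_prop-labelled properties; TODO: confirm the set is still needed and scope it down.`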
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
new file mode 100644
index 00000000..25318ffe
--- /dev/null
+++ b/system_ext/private/seapp_contexts
@@ -0,0 +1,5 @@
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel_pro/con_monitor.te b/whitechapel_pro/con_monitor.te
index 8695ccaa..32c2056d 100644
--- a/whitechapel_pro/con_monitor.te
+++ b/whitechapel_pro/con_monitor.te
@@ -1,10 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
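Review bot: `app_domain(hbmsvmanager_app);` in system_ext/private/hbmsvmanager_app.te carries a trailing semicolon that none of the other macro calls in this change have (`app_domain(con_monitor_app)`, `app_domain(google_camera_app)`); m4 passes that `;` through into the expanded policy, so drop it: `app_domain(hbmsvmanager_app)`. The two proc_vendor_sched rules also deserve a why-comment, since `w_file_perms` on a proc scheduler interface is an unusual grant for an app domain and the only comment in the file ("Standard system services") covers the app_api_service line. Something like `# HbmSVManager adjusts vendor scheduler settings through proc_vendor_sched-labelled entries.` would do, if that is what it does. The cherry-pick (PATCH 827) carries the same hunk.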
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te index 5342fb74..add4b9e7 100644 --- a/whitechapel_pro/debug_camera_app.te +++ b/whitechapel_pro/debug_camera_app.te @@ -1,24 +1,9 @@ -type debug_camera_app, domain, coredomain; - userdebug_or_eng(` - app_domain(debug_camera_app) - net_domain(debug_camera_app) - - allow debug_camera_app app_api_service:service_manager find; - allow debug_camera_app audioserver_service:service_manager find; - allow debug_camera_app cameraserver_service:service_manager find; - allow debug_camera_app mediaextractor_service:service_manager find; - allow debug_camera_app mediametrics_service:service_manager find; - allow debug_camera_app mediaserver_service:service_manager find; - # Allows camera app to access the GXP device. allow debug_camera_app gxp_device:chr_file rw_file_perms; # Allows camera app to search for GXP firmware file. allow debug_camera_app vendor_fw_file:dir search; - - # Allows camera app to access the PowerHAL. - hal_client_domain(debug_camera_app, hal_power) ') userdebug_or_eng(` # Allows GCA-Eng to find and access the EdgeTPU. diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te index d73cd3db..572d1d61 100644 --- a/whitechapel_pro/google_camera_app.te +++ b/whitechapel_pro/google_camera_app.te 
@@ -1,23 +1,9 @@ -type google_camera_app, domain, coredomain; -app_domain(google_camera_app) -net_domain(google_camera_app) - -allow google_camera_app app_api_service:service_manager find; -allow google_camera_app audioserver_service:service_manager find; -allow google_camera_app cameraserver_service:service_manager find; -allow google_camera_app mediaextractor_service:service_manager find; -allow google_camera_app mediametrics_service:service_manager find; -allow google_camera_app mediaserver_service:service_manager find; - # Allows camera app to access the GXP device. allow google_camera_app gxp_device:chr_file rw_file_perms; # Allows camera app to search for GXP firmware file. allow google_camera_app vendor_fw_file:dir search; -# Allows camera app to access the PowerHAL. -hal_client_domain(google_camera_app, hal_power) - # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te index b7058090..bbedea8c 100644 --- a/whitechapel_pro/hbmsvmanager_app.te +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -1,14 +1,2 @@ -type hbmsvmanager_app, domain, coredomain; - -app_domain(hbmsvmanager_app); - -allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; -allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; - allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) - -# Standard system services -allow hbmsvmanager_app app_api_service:service_manager find; - -allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 149e2287..8ff78b87 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
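Review bot: After this hunk whitechapel_pro/google_camera_app.te still grants `gxp_device:chr_file rw_file_perms` and the edgetpu_device rules to a domain that is now declared in product public policy and marked coredomain in private/google_camera_app.te, so the domain's rules are split across product and vendor with nothing in either file pointing at the other. Direct chr_file access from a coredomain app to vendor-labelled device nodes is the kind of coupling the commit message is about; if it is deliberately left on the vendor side (the policy built before, so presumably an exemption covers it), say so at the top of the vendor file: `# google_camera_app is declared in public/ and gets its core rules in private/; only device-specific GXP/EdgeTPU access lives here.` The same applies to whitechapel_pro/debug_camera_app.te in this change and to both files in the cherry-pick (PATCH 827).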
@@ -27,15 +27,9 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user @@ -52,18 +46,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user -# Google Camera -user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all - -# Google Camera Eng -user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all - -# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera -user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all - -# Also label GoogleCameraNext, built with debug keys as debug_camera_app. -user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all - # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all 
From 656f7b5aa1dec85c8b04612ed262de8138122b7f Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Fri, 21 Jul 2023 15:09:58 +0900 Subject: [PATCH 827/900] Move coredomain policies to system_ext/product Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 Merged-In: If768b5cb9f3b4024893117d8e3bf49adb7c5b070 (cherry picked from commit da30985fa54b3441422952a7466626237a37644b) --- gs201-sepolicy.mk | 1 + private/debug_camera_app.te | 16 ++++++++++++++++ private/google_camera_app.te | 14 ++++++++++++++ private/seapp_contexts | 11 +++++++++++ public/debug_camera_app.te | 1 + public/google_camera_app.te | 1 + system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 5 +++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel_pro/con_monitor.te | 8 -------- whitechapel_pro/debug_camera_app.te | 15 --------------- whitechapel_pro/google_camera_app.te | 14 -------------- whitechapel_pro/hbmsvmanager_app.te | 12 ------------ whitechapel_pro/seapp_contexts | 18 ------------------ 16 files changed, 70 insertions(+), 67 deletions(-) create mode 100644 private/debug_camera_app.te create mode 100644 private/google_camera_app.te create mode 100644 private/seapp_contexts create mode 100644 public/debug_camera_app.te create mode 100644 public/google_camera_app.te create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/private/seapp_contexts create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk index 664b851f..2c5da1fc 100644 --- a/gs201-sepolicy.mk +++ b/gs201-sepolicy.mk 
@@ -4,6 +4,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro # unresolved SELinux error log with bug tracking BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/public PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private # system_ext diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te new file mode 100644 index 00000000..c14637be --- /dev/null +++ b/private/debug_camera_app.te @@ -0,0 +1,16 @@ +typeattribute debug_camera_app coredomain; + +userdebug_or_eng(` + app_domain(debug_camera_app) + net_domain(debug_camera_app) + + allow debug_camera_app app_api_service:service_manager find; + allow debug_camera_app audioserver_service:service_manager find; + allow debug_camera_app cameraserver_service:service_manager find; + allow debug_camera_app mediaextractor_service:service_manager find; + allow debug_camera_app mediametrics_service:service_manager find; + allow debug_camera_app mediaserver_service:service_manager find; + + # Allows camera app to access the PowerHAL. + hal_client_domain(debug_camera_app, hal_power) +') diff --git a/private/google_camera_app.te b/private/google_camera_app.te new file mode 100644 index 00000000..dc7ee288 --- /dev/null +++ b/private/google_camera_app.te @@ -0,0 +1,14 @@ +typeattribute google_camera_app coredomain; + +app_domain(google_camera_app) +net_domain(google_camera_app) + +allow google_camera_app app_api_service:service_manager find; +allow google_camera_app audioserver_service:service_manager find; +allow google_camera_app cameraserver_service:service_manager find; +allow google_camera_app mediaextractor_service:service_manager find; +allow google_camera_app mediametrics_service:service_manager find; +allow google_camera_app mediaserver_service:service_manager find; + +# Allows camera app to access the PowerHAL. +hal_client_domain(google_camera_app, hal_power) 
diff --git a/private/seapp_contexts b/private/seapp_contexts
new file mode 100644
index 00000000..bfe5a549
--- /dev/null
+++ b/private/seapp_contexts
@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te
new file mode 100644
index 00000000..6f497680
--- /dev/null
+++ b/public/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, domain;
diff --git a/public/google_camera_app.te b/public/google_camera_app.te
new file mode 100644
index 00000000..c93038cc
--- /dev/null
+++ b/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain;
diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te
new file mode 100644
index 00000000..c68ec1f8
--- /dev/null
+++ b/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 00000000..6f5ff7ac
--- /dev/null
+++ b/system_ext/private/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
new file mode 100644
index 00000000..25318ffe
--- /dev/null
+++ b/system_ext/private/seapp_contexts
@@ -0,0 +1,5 @@
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel_pro/con_monitor.te b/whitechapel_pro/con_monitor.te
index 8695ccaa..32c2056d 100644
--- a/whitechapel_pro/con_monitor.te
+++ b/whitechapel_pro/con_monitor.te
@@ -1,10 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te index 7ef8ab46..9f7d1e0b 100644 --- a/whitechapel_pro/debug_camera_app.te +++ b/whitechapel_pro/debug_camera_app.te @@ -1,22 +1,7 @@ -type debug_camera_app, domain, coredomain; - userdebug_or_eng(` - app_domain(debug_camera_app) - net_domain(debug_camera_app) - - allow debug_camera_app app_api_service:service_manager find; - allow debug_camera_app audioserver_service:service_manager find; - allow debug_camera_app cameraserver_service:service_manager find; - allow debug_camera_app mediaextractor_service:service_manager find; - allow debug_camera_app mediametrics_service:service_manager find; - allow debug_camera_app mediaserver_service:service_manager find; - # Allows camera app to access the GXP device. allow debug_camera_app gxp_device:chr_file rw_file_perms; # Allows camera app to search for GXP firmware file. allow debug_camera_app vendor_fw_file:dir search; - - # Allows camera app to access the PowerHAL. - hal_client_domain(debug_camera_app, hal_power) ') diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te index 54f2d664..a88be694 100644 --- a/whitechapel_pro/google_camera_app.te +++ b/whitechapel_pro/google_camera_app.te 
@@ -1,19 +1,5 @@ -type google_camera_app, domain, coredomain; -app_domain(google_camera_app) -net_domain(google_camera_app) - -allow google_camera_app app_api_service:service_manager find; -allow google_camera_app audioserver_service:service_manager find; -allow google_camera_app cameraserver_service:service_manager find; -allow google_camera_app mediaextractor_service:service_manager find; -allow google_camera_app mediametrics_service:service_manager find; -allow google_camera_app mediaserver_service:service_manager find; - # Allows camera app to access the GXP device. allow google_camera_app gxp_device:chr_file rw_file_perms; # Allows camera app to search for GXP firmware file. allow google_camera_app vendor_fw_file:dir search; - -# Allows camera app to access the PowerHAL. -hal_client_domain(google_camera_app, hal_power) diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te index b7058090..bbedea8c 100644 --- a/whitechapel_pro/hbmsvmanager_app.te +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -1,14 +1,2 @@ -type hbmsvmanager_app, domain, coredomain; - -app_domain(hbmsvmanager_app); - -allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; -allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; - allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) - -# Standard system services -allow hbmsvmanager_app app_api_service:service_manager find; - -allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index 3171c163..c58bf9b3 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts 
@@ -30,15 +30,9 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user @@ -58,18 +52,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user -# Google Camera -user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all - -# Google Camera Eng -user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all - -# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera -user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all - -# Also label GoogleCameraNext, built with debug keys as debug_camera_app. -user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all - # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all 
From 1f1f647570cc5e1faa6273c69dfd66d055eebb03 Mon Sep 17 00:00:00 2001 From: Renato Grottesi Date: Thu, 17 Aug 2023 09:00:21 +0000 Subject: [PATCH 828/900] Cleanup unused ArmNN settings. Test: pre-submit Bug: 294463729 Change-Id: If623bee7f1050f814a2a3531bfa5de414fa32104 --- whitechapel_pro/property.te | 3 --- whitechapel_pro/property_contexts | 3 --- whitechapel_pro/vendor_init.te | 3 --- 3 files changed, 9 deletions(-) diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te index d297abea..723379ba 100644 --- a/whitechapel_pro/property.te +++ b/whitechapel_pro/property.te @@ -41,6 +41,3 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) - -# ArmNN -vendor_internal_prop(vendor_armnn_config_prop) diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts index 08eb601b..b9a563f3 100644 --- a/whitechapel_pro/property_contexts +++ b/whitechapel_pro/property_contexts @@ -105,6 +105,3 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix - -# ArmNN configuration -ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 415d7c8f..c8acdbb5 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -41,6 +41,3 @@ allow vendor_init tee_data_file:lnk_file read; # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) - -# ArmNN -set_prop(vendor_init, vendor_armnn_config_prop) From f4eada749fb3abf944524d5d7979b6f131bf2cc3 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Mon, 4 Sep 2023 15:33:41 +0800 Subject: [PATCH 829/900] Update SELinux error Bug: 290766628 Merged-In: If623bee7f1050f814a2a3531bfa5de414fa32104 Change-Id: I13d2fb464c80b0be2d6524a58b441fcd8eaaa830 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f8217325..b8ca75ac 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -28,3 +28,4 @@ su modem_img_file filesystem b/240653918 system_app proc_pagetypeinfo file b/275645892 system_server privapp_data_file lnk_file b/276385494 system_server system_userdir_file dir b/282096141 +platform_app hal_uwb_vendor_service find b/290766628 From 93f3237f8a927959eeca25c74654aa83bd98e68a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 5 Sep 2023 16:25:52 +0800 Subject: [PATCH 830/900] Move uwb to system_ext Bug: 290766628 Change-Id: I00a1c45f05cc52a9ce93234921d0b759a3143f16 --- .../private}/certs/com_qorvo_uwb.x509.pem | 0 system_ext/private/file.te | 2 ++ system_ext/private/keys.conf | 3 +++ system_ext/private/mac_permissions.xml | 27 +++++++++++++++++++ system_ext/private/seapp_contexts | 5 ++++ system_ext/private/uwb_vendor_app.te | 12 +++++++++ system_ext/public/uwb_vendor_app.te | 2 ++ whitechapel_pro/file.te | 1 - whitechapel_pro/keys.conf | 3 --- whitechapel_pro/mac_permissions.xml | 3 --- whitechapel_pro/seapp_contexts | 4 --- whitechapel_pro/uwb_vendor_app.te | 12 +-------- 12 files changed, 52 insertions(+), 22 deletions(-) rename {whitechapel_pro => system_ext/private}/certs/com_qorvo_uwb.x509.pem (100%) create mode 100644 system_ext/private/file.te create mode 100644 system_ext/private/keys.conf create mode 100644 system_ext/private/mac_permissions.xml create mode 100644 system_ext/private/uwb_vendor_app.te create mode 100644 system_ext/public/uwb_vendor_app.te 
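Review bot: The new bug_map line `platform_app hal_uwb_vendor_service find b/290766628` tags any platform_app denial on the UWB vendor service as tracked, but the next change (PATCH 830, same bug) gives the UWB app its own `uwb_vendor_app` domain with an explicit find on `hal_uwb_vendor_service`. Once that lands this entry no longer describes a live denial and should be removed with it; left in place it would mark a future platform_app-to-UWB-service denial as already known instead of as a regression. The `Merged-In:` trailer in this commit carries the Change-Id of the preceding ArmNN cleanup (If623bee7…), which looks mis-pasted.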
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem similarity index 100% rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem rename to system_ext/private/certs/com_qorvo_uwb.x509.pem diff --git a/system_ext/private/file.te b/system_ext/private/file.te new file mode 100644 index 00000000..9344be7e --- /dev/null +++ b/system_ext/private/file.te @@ -0,0 +1,2 @@ + +type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf new file mode 100644 index 00000000..c2228db6 --- /dev/null +++ b/system_ext/private/keys.conf @@ -0,0 +1,3 @@ +[@UWB] +ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem + diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml new file mode 100644 index 00000000..51af79f6 --- /dev/null +++ b/system_ext/private/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 25318ffe..82f4347c 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts @@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all + +# Qorvo UWB system app +# TODO(b/222204912): Should this run under uwb user? +user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all + diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te new file mode 100644 index 00000000..3ae5ecd3 --- /dev/null +++ b/system_ext/private/uwb_vendor_app.te 
@@ -0,0 +1,12 @@ +app_domain(uwb_vendor_app) + +not_recovery(` + +allow uwb_vendor_app app_api_service:service_manager find; +allow uwb_vendor_app nfc_service:service_manager find; +allow uwb_vendor_app radio_service:service_manager find; + +allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; +allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; + +') diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te new file mode 100644 index 00000000..6824e4e9 --- /dev/null +++ b/system_ext/public/uwb_vendor_app.te @@ -0,0 +1,2 @@ +type uwb_vendor_app, domain; + diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 4a232600..fb4bad8c 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -10,7 +10,6 @@ type vendor_misc_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; type sensor_reg_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; -type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 54130ea2..2a7a6d56 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem [@MDS] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem -[@UWB] -ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem - [@EUICCSUPPORTPIXEL] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index b57e61c7..e9031e5f 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml 
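Review bot: system_ext/private/uwb_vendor_app.te adds no `typeattribute uwb_vendor_app coredomain;`, unlike every app domain moved in PATCH 826, and the public side is just `type uwb_vendor_app, domain;`, so the app now ships from system_ext while its domain stays outside coredomain. That matches the removed vendor declaration (`type uwb_vendor_app, domain;` in whitechapel_pro/uwb_vendor_app.te), so it may be intentional, but coredomain membership decides which neverallow rules and Treble checks apply to the process, so it should be an explicit decision either way: add the typeattribute line, or a comment such as `# Deliberately not coredomain: binds to the vendor UWB HAL via whitechapel_pro/uwb_vendor_app.te.` The `nfc_service` and `radio_service` finds also lack a why-comment, and the vendor-side remainder in whitechapel_pro/uwb_vendor_app.te would benefit from a pointer back to where the domain is now declared. PATCH 831 repeats this change.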
@@ -27,9 +27,6 @@ - - -
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 8ff78b87..dcaaf664 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -36,10 +36,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
-# Qorvo UWB system app
-# TODO(b/222204912): Should this run under uwb user?
-user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
index aa4564e6..cc5a9de4 100644
--- a/whitechapel_pro/uwb_vendor_app.te
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -1,18 +1,8 @@
-type uwb_vendor_app, domain;
-
-app_domain(uwb_vendor_app)
 not_recovery(`
-hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
-
-allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
-allow uwb_vendor_app nfc_service:service_manager find;
-allow uwb_vendor_app radio_service:service_manager find;
-
-allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
-allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
 allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
 allow hal_uwb_vendor_default kernel:process setsched;
From 7627d8a7f8a05838434020b82c75128546b53d96 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Tue, 5 Sep 2023 16:25:52 +0800
Subject: [PATCH 831/900] Move uwb to system_ext
Bug: 290766628
Test: Boot-to-home, no uwb related avc error
Change-Id: I00a1c45f05cc52a9ce93234921d0b759a3143f16
---
 .../private}/certs/com_qorvo_uwb.x509.pem | 0
 system_ext/private/file.te | 2 ++
 system_ext/private/keys.conf | 3 +++
 system_ext/private/mac_permissions.xml | 27 +++++++++++++++++++
 system_ext/private/seapp_contexts | 5 ++++
 system_ext/private/uwb_vendor_app.te | 12 +++++++++
 system_ext/public/uwb_vendor_app.te | 2 ++
 whitechapel_pro/file.te | 1 -
 whitechapel_pro/keys.conf | 3 ---
 whitechapel_pro/mac_permissions.xml | 3 ---
 whitechapel_pro/seapp_contexts | 4 ---
 whitechapel_pro/uwb_vendor_app.te | 12 +--------
 12 files changed, 52 insertions(+), 22 deletions(-)
 rename {whitechapel_pro => system_ext/private}/certs/com_qorvo_uwb.x509.pem (100%)
 create mode 100644 system_ext/private/file.te
 create mode 100644 system_ext/private/keys.conf
 create mode 100644 system_ext/private/mac_permissions.xml
 create mode 100644 system_ext/private/uwb_vendor_app.te
 create mode 100644 system_ext/public/uwb_vendor_app.te
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem
rename to system_ext/private/certs/com_qorvo_uwb.x509.pem
diff --git a/system_ext/private/file.te b/system_ext/private/file.te
new file mode 100644
index 00000000..9344be7e
--- /dev/null
+++ b/system_ext/private/file.te
@@ -0,0 +1,2 @@
+
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf
new file mode 100644
index 00000000..c2228db6
--- /dev/null
+++ b/system_ext/private/keys.conf
@@ -0,0 +1,3 @@
+[@UWB]
+ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
+
diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml
new file mode 100644
index 00000000..51af79f6
--- /dev/null
+++ b/system_ext/private/mac_permissions.xml
@@ -0,0 +1,27 @@ + + + + + + + + +
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 25318ffe..82f4347c 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te
new file mode 100644
index 00000000..3ae5ecd3
--- /dev/null
+++ b/system_ext/private/uwb_vendor_app.te
@@ -0,0 +1,12 @@
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+')
diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te
new file mode 100644
index 00000000..6824e4e9
--- /dev/null
+++ b/system_ext/public/uwb_vendor_app.te
@@ -0,0 +1,2 @@
+type uwb_vendor_app, domain;
+
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 4a232600..fb4bad8c 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -10,7 +10,6 @@ type vendor_misc_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
 type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
-type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index 09999382..8890aff4 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
 [@MDS]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
-[@UWB]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
-
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index 7627b9d0..290daa9c 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -27,9 +27,6 @@ - - -
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 8ff78b87..dcaaf664 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -36,10 +36,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
-# Qorvo UWB system app
-# TODO(b/222204912): Should this run under uwb user?
-user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
index aa4564e6..cc5a9de4 100644
--- a/whitechapel_pro/uwb_vendor_app.te
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -1,18 +1,8 @@
-type uwb_vendor_app, domain;
-
-app_domain(uwb_vendor_app)
 not_recovery(`
-hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
-
-allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
-allow uwb_vendor_app nfc_service:service_manager find;
-allow uwb_vendor_app radio_service:service_manager find;
-
-allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
-allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
 allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
 allow hal_uwb_vendor_default kernel:process setsched;
From 5e75eaa1a5c084207b561ef982623320c851e14d Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Tue, 5 Sep 2023 16:25:52 +0800
Subject: [PATCH 832/900] Move uwb to system_ext
Bug: 290766628
Test: Boot-to-home, no uwb related avc error
Change-Id: I00a1c45f05cc52a9ce93234921d0b759a3143f16
---
 .../private}/certs/com_qorvo_uwb.x509.pem | 0
 system_ext/private/file.te | 2 ++
 system_ext/private/keys.conf | 3 +++
 system_ext/private/mac_permissions.xml | 27 +++++++++++++++++++
 system_ext/private/seapp_contexts | 5 ++++
 system_ext/private/uwb_vendor_app.te | 12 +++++++++
 system_ext/public/uwb_vendor_app.te | 2 ++
 whitechapel_pro/file.te | 1 -
 whitechapel_pro/keys.conf | 3 ---
 whitechapel_pro/mac_permissions.xml | 3 ---
 whitechapel_pro/seapp_contexts | 4 ---
 whitechapel_pro/uwb_vendor_app.te | 12 +--------
 12 files changed, 52 insertions(+), 22 deletions(-)
 rename {whitechapel_pro => system_ext/private}/certs/com_qorvo_uwb.x509.pem (100%)
 create mode 100644 system_ext/private/file.te
 create mode 100644 system_ext/private/keys.conf
 create mode 100644 system_ext/private/mac_permissions.xml
 create mode 100644 system_ext/private/uwb_vendor_app.te
 create mode 100644 system_ext/public/uwb_vendor_app.te
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem
rename to system_ext/private/certs/com_qorvo_uwb.x509.pem
diff --git a/system_ext/private/file.te b/system_ext/private/file.te
new file mode 100644
index 00000000..9344be7e
--- /dev/null
+++ b/system_ext/private/file.te
@@ -0,0 +1,2 @@
+
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf
new file mode 100644
index 00000000..c2228db6
--- /dev/null
+++ b/system_ext/private/keys.conf
@@ -0,0 +1,3 @@
+[@UWB]
+ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
+
diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml
new file mode 100644
index 00000000..51af79f6
--- /dev/null
+++ b/system_ext/private/mac_permissions.xml
@@ -0,0 +1,27 @@ + + + + + + + + +
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 25318ffe..82f4347c 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te
new file mode 100644
index 00000000..3ae5ecd3
--- /dev/null
+++ b/system_ext/private/uwb_vendor_app.te
@@ -0,0 +1,12 @@
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+')
diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te
new file mode 100644
index 00000000..6824e4e9
--- /dev/null
+++ b/system_ext/public/uwb_vendor_app.te
@@ -0,0 +1,2 @@
+type uwb_vendor_app, domain;
+
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 4a232600..fb4bad8c 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -10,7 +10,6 @@ type vendor_misc_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
 type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
-type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index 54130ea2..2a7a6d56 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
 [@MDS]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
-[@UWB]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
-
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index b57e61c7..e9031e5f 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -27,9 +27,6 @@ - - -
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index 8ff78b87..dcaaf664 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -36,10 +36,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
-# Qorvo UWB system app
-# TODO(b/222204912): Should this run under uwb user?
-user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
index aa4564e6..cc5a9de4 100644
--- a/whitechapel_pro/uwb_vendor_app.te
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -1,18 +1,8 @@
-type uwb_vendor_app, domain;
-
-app_domain(uwb_vendor_app)
 not_recovery(`
-hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
-
-allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
-allow uwb_vendor_app nfc_service:service_manager find;
-allow uwb_vendor_app radio_service:service_manager find;
-
-allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
-allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
 allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
 allow hal_uwb_vendor_default kernel:process setsched;
From 02343c4ca29a81881c310500cf81439d614c12f4 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Tue, 5 Sep 2023 16:25:52 +0800
Subject: [PATCH 833/900] Move uwb to system_ext
Bug: 290766628
Test: boot-to-home
Merged-In: I00a1c45f05cc52a9ce93234921d0b759a3143f16
Change-Id: I00a1c45f05cc52a9ce93234921d0b759a3143f16
---
 .../private}/certs/com_qorvo_uwb.x509.pem | 0
 system_ext/private/file.te | 2 ++
 system_ext/private/keys.conf | 3 +++
 system_ext/private/mac_permissions.xml | 27 +++++++++++++++++++
 system_ext/private/seapp_contexts | 5 ++++
 system_ext/private/uwb_vendor_app.te | 12 +++++++++
 system_ext/public/uwb_vendor_app.te | 2 ++
 whitechapel_pro/file.te | 1 -
 whitechapel_pro/keys.conf | 3 ---
 whitechapel_pro/mac_permissions.xml | 3 ---
 whitechapel_pro/seapp_contexts | 4 ---
 whitechapel_pro/uwb_vendor_app.te | 12 +--------
 12 files changed, 52 insertions(+), 22 deletions(-)
 rename {whitechapel_pro => system_ext/private}/certs/com_qorvo_uwb.x509.pem (100%)
 create mode 100644 system_ext/private/file.te
 create mode 100644 system_ext/private/keys.conf
 create mode 100644 system_ext/private/mac_permissions.xml
 create mode 100644 system_ext/private/uwb_vendor_app.te
 create mode 100644 system_ext/public/uwb_vendor_app.te
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem
rename to system_ext/private/certs/com_qorvo_uwb.x509.pem
diff --git a/system_ext/private/file.te b/system_ext/private/file.te
new file mode 100644
index 00000000..9344be7e
--- /dev/null
+++ b/system_ext/private/file.te
@@ -0,0 +1,2 @@
+
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf
new file mode 100644
index 00000000..c2228db6
--- /dev/null
+++ b/system_ext/private/keys.conf
@@ -0,0 +1,3 @@
+[@UWB]
+ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
+
diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml
new file mode 100644
index 00000000..51af79f6
--- /dev/null
+++ b/system_ext/private/mac_permissions.xml
@@ -0,0 +1,27 @@ + + + + + + + + +
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 25318ffe..82f4347c 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te
new file mode 100644
index 00000000..3ae5ecd3
--- /dev/null
+++ b/system_ext/private/uwb_vendor_app.te
@@ -0,0 +1,12 @@
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+')
diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te
new file mode 100644
index 00000000..6824e4e9
--- /dev/null
+++ b/system_ext/public/uwb_vendor_app.te
@@ -0,0 +1,2 @@
+type uwb_vendor_app, domain;
+
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 1c10354e..c7f63c67 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -13,7 +13,6 @@ type vendor_misc_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
 type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
-type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type mitigation_vendor_data_file, file_type, data_file_type;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index 54130ea2..2a7a6d56 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
 [@MDS]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
-[@UWB]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
-
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index b57e61c7..e9031e5f 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -27,9 +27,6 @@ - - -
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index c58bf9b3..eac38157 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -42,10 +42,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=
 # Touch app
 user=_app seinfo=platform name=com.google.touch.touchinspector domain=google_touch_app type=app_data_file levelFrom=user
-# Qorvo UWB system app
-# TODO(b/222204912): Should this run under uwb user?
-user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
index 364bee36..787858d7 100644
--- a/whitechapel_pro/uwb_vendor_app.te
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -1,18 +1,8 @@
-type uwb_vendor_app, domain;
-
-app_domain(uwb_vendor_app)
 not_recovery(`
-hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
-
-allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
-allow uwb_vendor_app nfc_service:service_manager find;
-allow uwb_vendor_app radio_service:service_manager find;
-
-allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
-allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
 allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
 allow hal_uwb_vendor_default kernel:process setsched;
From 98620c3b106b705364954588111b70ade8f1fee6 Mon Sep 17 00:00:00 2001
From: Woody Lin
Date: Fri, 1 Sep 2023 10:11:34 +0800
Subject: [PATCH 834/900] Add vendor_sjtag_lock_state_prop and init-check_ap_pd_auth-sh
1. Add init-check_ap_pd_auth-sh for the vendor daemon script `/vendor/bin/init.check_ap_pd_auth.sh`.
2. Add policy for properties `ro.vendor.sjtag_{ap,gsa}_is_unlocked` for init, init-check_ap_pd_auth-sh and ssr_detector to access them.
SjtagService: type=1400 audit(0.0:1005): avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1
SjtagService: type=1400 audit(0.0:1006): avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1
SjtagService: type=1400 audit(0.0:1007): avc: denied { map } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1
SjtagService: type=1400 audit(0.0:1008): avc: denied { write } for name="property_service" dev="tmpfs" ino=446 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1
SjtagService: type=1400 audit(0.0:1009): avc: denied { connectto } for path="/dev/socket/property_service" scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
Bug: 298314432
Change-Id: Ib5dbcc50e266e33797626280504ea9e2cdc9f942
---
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/init-check_ap_pd_auth-sh.te | 14 ++++++++++++++
 whitechapel_pro/property.te | 3 +++
 whitechapel_pro/property_contexts | 4 ++++
 whitechapel_pro/ssr_detector.te | 2 ++
 5 files changed, 24 insertions(+)
 create mode 100644 whitechapel_pro/init-check_ap_pd_auth-sh.te
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 91662c8b..75f8ccc1 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -44,6 +44,7 @@
 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
 /vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0
 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
+/vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/whitechapel_pro/init-check_ap_pd_auth-sh.te b/whitechapel_pro/init-check_ap_pd_auth-sh.te
new file mode 100644
index 00000000..bcd855c2
--- /dev/null
+++ b/whitechapel_pro/init-check_ap_pd_auth-sh.te
@@ -0,0 +1,14 @@
+type init-check_ap_pd_auth-sh, domain;
+type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(init-check_ap_pd_auth-sh)
+
+ set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop)
+
+ allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms;
+ allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms;
+
+ allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms;
+ allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms;
+')
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index 723379ba..559511a0 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -41,3 +41,6 @@ vendor_internal_prop(vendor_trusty_storage_prop)
 # Mali Integration
 vendor_restricted_prop(vendor_arm_runtime_option_prop)
+
+# SJTAG lock state
+vendor_internal_prop(vendor_sjtag_lock_state_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index b9a563f3..0ff833e8 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
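Review bot: In the new init-check_ap_pd_auth-sh.te the two `type` declarations are unconditional while `init_daemon_domain` and every allow rule sit inside `userdebug_or_eng`, so on user builds the script keeps the `init-check_ap_pd_auth-sh_exec` label from the file_contexts hunk but has no domain transition and no permissions; if the rc service that starts `/vendor/bin/init.check_ap_pd_auth.sh` is not gated the same way (not visible here), init will presumably be denied at exec rather than running the script, which is safe but noisy. A comment stating the intent, e.g. `# Debug-only: types are declared on all builds so labels resolve, rules apply on userdebug/eng only.`, would make that explicit. `set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop)` also makes this script one of two writers of the `ro.vendor.sjtag_*_is_unlocked` properties, the other being ssr_detector_app in the same commit; since `ro.` properties can only be set once, the intended ordering between them is worth a comment here or in property_contexts.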
@@ -105,3 +105,7 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop
 # Mali GPU driver configuration and debug options
 vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
+
+# SJTAG lock state
+ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0
+ro.vendor.sjtag_gsa_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
index 2caf6d77..a93d5bdb 100644
--- a/whitechapel_pro/ssr_detector.te
+++ b/whitechapel_pro/ssr_detector.te
@@ -13,11 +13,13 @@ userdebug_or_eng(`
 allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
 allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
 get_prop(ssr_detector_app, vendor_aoc_prop)
+ set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)
 allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
 allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
 allow ssr_detector_app proc_vendor_sched:dir search;
 allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
 allow ssr_detector_app cgroup:file write;
+ allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;
 ')
 get_prop(ssr_detector_app, vendor_ssrdump_prop)
From 9b94fedda85953541451c28430d877dd12d7beb8 Mon Sep 17 00:00:00 2001
From: Desmond Huang
Date: Wed, 13 Sep 2023 01:22:38 +0800
Subject: [PATCH 835/900] Remove obsolete entries
Bug: 299029620
Change-Id: I12d75de143c76a338806938755d6e08767314aa6
---
 tracking_denials/dumpstate.te | 2 --
 tracking_denials/hal_power_default.te | 3 ---
 2 files changed, 5 deletions(-)
 delete mode 100644 tracking_denials/hal_power_default.te
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 423d4a4a..ffb8518c 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
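Review bot: `set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)` gives an app domain write access to the SJTAG lock-state properties where the neighbouring `vendor_aoc_prop` line uses `get_prop`; the denial log in the description does show SjtagService connecting to property_service, so the write appears intentional, but it makes the app, and not only init's script, an authority on `ro.vendor.sjtag_{ap,gsa}_is_unlocked`. If the app only needs to read the state after init's script has set it, `get_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)` is the least-privilege grant; if it must write, a comment naming which of the two writers runs first would help. The added `vendor_toolbox_exec:file execute_no_trans` likewise lets the app run toolbox inside its own domain, and a comment naming the command it needs (`# toolbox for <tool>, b/298314432`) would scope it. The enclosing `userdebug_or_eng` block opens before the hunk.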
@@ -1,4 +1,2 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/277155245
-dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index a2ce6fdb..00000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/237492146
-dontaudit hal_power_default hal_power_default:capability { dac_override };
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
From 8cec9e510e556bd55ed0480b2cc36941bddd3fd2 Mon Sep 17 00:00:00 2001
From: Desmond Huang
Date: Thu, 14 Sep 2023 14:18:28 +0800
Subject: [PATCH 836/900] Relocate common tracking denial entries
Bug: 299029620
Change-Id: I1db32cbefb531f48c5a45dcf0f564e89e1b5c4e7
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 4397c4cb..4538e4ed 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1 +1,3 @@
 hal_power_default hal_power_default capability b/237492146
+incidentd debugfs_wakeup_sources file b/282626428
+incidentd incidentd anon_inode b/282626428
From e39998954f1318a78d20ae0a2aa90cc355165efe Mon Sep 17 00:00:00 2001
From: Leo Liou
Date: Thu, 14 Sep 2023 13:45:26 +0800
Subject: [PATCH 837/900] gs201: ufs_firmware_update: add scsi directory permission
Bug: 273305600
Test: run ufs ffu flow
Change-Id: I36715c1b3500da64863db4cbec08c037df74d3e6
Signed-off-by: Leo Liou
---
 whitechapel_pro/ufs_firmware_update.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/ufs_firmware_update.te b/whitechapel_pro/ufs_firmware_update.te
index 53ceba56..f33c2da9 100644
--- a/whitechapel_pro/ufs_firmware_update.te
+++ b/whitechapel_pro/ufs_firmware_update.te
@@ -7,4 +7,5 @@ allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans; allow ufs_firmware_update block_device:dir r_dir_perms; allow ufs_firmware_update fips_block_device:blk_file rw_file_perms; allow ufs_firmware_update sysfs:dir r_dir_perms; +allow ufs_firmware_update sysfs_scsi_devices_0000:dir search; allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms; From b256bc86c018c0df39374d55056af1efa745e895 Mon Sep 17 00:00:00 2001 From: Mike Wang Date: Thu, 28 Sep 2023 15:22:58 +0000 Subject: [PATCH 838/900] Grant the MDS access to the IPowerStats hal service. ref logs: 09-06 10:07:18.006 536 536 I auditd : avc: denied { find } for pid=22543 uid=10225 name=android.hardware.power.stats.IPowerStats/default scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:hal_power_stats_service:s0 tclass=service_manager permissive=1 09-06 10:07:18.010 22543 22543 I auditd : type=1400 audit(0.0:65): avc: denied { call } for comm="pool-4-thread-1" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=1 app=com.google.mds Test: Tested with MDS app and the MDS can get IPowerStats binder and call the interface. Bug: 297250368 Change-Id: I54b6b93179987b9db23d5327711338553906134c --- whitechapel_pro/modem_diagnostic_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te index 8c4a0cac..b5cce03a 100644 --- a/whitechapel_pro/modem_diagnostic_app.te +++ b/whitechapel_pro/modem_diagnostic_app.te @@ -7,6 +7,8 @@ allow modem_diagnostic_app app_api_service:service_manager find; allow modem_diagnostic_app radio_service:service_manager find; userdebug_or_eng(` + hal_client_domain(modem_diagnostic_app, hal_power_stats); + binder_call(modem_diagnostic_app, dmd) set_prop(modem_diagnostic_app, vendor_cbd_prop) From 151844f3ad8554d13bcb83b59385ec14fb607507 Mon Sep 17 00:00:00 2001 
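Review bot: `hal_client_domain(modem_diagnostic_app, hal_power_stats);` carries a trailing semicolon while the adjacent `binder_call(modem_diagnostic_app, dmd)` and `set_prop(modem_diagnostic_app, vendor_cbd_prop)` invocations in the same block have none; the policy evidently builds with the stray terminator (other files on this page have it too), but the file's own style is no terminator, so drop the `;`. The grant is inside userdebug_or_eng, which matches the debug-only intent in the commit message; a one-line comment such as `# Debug only: MDS reads IPowerStats (b/297250368)` would make that gate's purpose visible. The userdebug_or_eng block continues past the end of the hunk.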
From: Wilson Sung Date: Mon, 16 Oct 2023 12:18:43 +0800 Subject: [PATCH 839/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 305601096 Bug: 305600808 Change-Id: I5552e22e252b257156891eab5fcea35faaef9485 --- tracking_denials/bug_map | 1 + tracking_denials/dmd.te | 2 ++ tracking_denials/servicemanager.te | 2 ++ 3 files changed, 5 insertions(+) create mode 100644 tracking_denials/dmd.te create mode 100644 tracking_denials/servicemanager.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 4538e4ed..7a4b5596 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,4 @@ +hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 diff --git a/tracking_denials/dmd.te b/tracking_denials/dmd.te new file mode 100644 index 00000000..68719b9b --- /dev/null +++ b/tracking_denials/dmd.te @@ -0,0 +1,2 @@ +#b/303391666 +dontaudit dmd servicemanager:binder { call }; diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te new file mode 100644 index 00000000..a6b549ff --- /dev/null +++ b/tracking_denials/servicemanager.te @@ -0,0 +1,2 @@ +# b/305600595 +dontaudit servicemanager hal_thermal_default:binder call; From b289045b3932c7e4ff93fd0685c2ed0993b52cea Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 17 Oct 2023 04:02:26 +0000 Subject: [PATCH 840/900] Supress kernel avc log before SELinux initialized Fix: 305600863 Bug: 305880925 Change-Id: I795c7cd3b1df318a9164d0e3ec15d2930ecd7e21 --- vendor/kernel.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 vendor/kernel.te diff --git a/vendor/kernel.te b/vendor/kernel.te new file mode 100644 index 00000000..ead4d436 --- /dev/null +++ b/vendor/kernel.te @@ -0,0 +1,3 @@ +dontaudit kernel vendor_usb_debugfs:dir search; +dontaudit kernel vendor_votable_debugfs:dir search; + 
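Review bot: The bug references written into the new files do not match the commit's trailers: `tracking_denials/dmd.te` cites b/303391666 and `tracking_denials/servicemanager.te` cites b/305600595, while the commit lists Bug: 305601096 and Bug: 305600808 (the latter appears only in the bug_map hunk). Either the in-file comments or the trailers should be corrected so each dontaudit can be traced to its tracking bug. Separately, `dontaudit dmd servicemanager:binder { call };` silences a denial that presumably means dmd is trying to reach servicemanager; dontaudit only hides the failure, so if the call is needed it should be granted and otherwise the bug should say why it is harmless. The `#b/303391666` comment also lacks the space after `#` used by the sibling file.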
From 5f50ee6ebb5fea1461778d7432b45501a636727a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 18 Oct 2023 09:11:04 +0000 Subject: [PATCH 841/900] Move kernel avc error to bug_map Bug: 305880925 Test: SELinuxUncheckedDenialBootTest Change-Id: Id153cd26801a6b3f635954515e0e8aead5b22f41 --- tracking_denials/bug_map | 2 ++ vendor/kernel.te | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 vendor/kernel.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7a4b5596..c3f960e3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,3 +2,5 @@ hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +kernel vendor_usb_debugfs dir b/305880925 +kernel vendor_votable_debugfs dir b/305880925 diff --git a/vendor/kernel.te b/vendor/kernel.te deleted file mode 100644 index ead4d436..00000000 --- a/vendor/kernel.te +++ /dev/null @@ -1,3 +0,0 @@ -dontaudit kernel vendor_usb_debugfs:dir search; -dontaudit kernel vendor_votable_debugfs:dir search; - From 042122f0dd6192e5f75be227a535311c9da18bc0 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 26 Oct 2023 07:46:20 +0000 Subject: [PATCH 842/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 306344298 Test: scanBugreport Bug: 307863753 Change-Id: I8da3045a59949d41992ac4240f63609f9cc49fa3 --- tracking_denials/hal_vibrator_default.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 tracking_denials/hal_vibrator_default.te diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te new file mode 100644 index 00000000..d9199c77 --- /dev/null +++ b/tracking_denials/hal_vibrator_default.te @@ -0,0 +1,3 @@ +# b/306344298 +dontaudit hal_vibrator_default service_manager_type:service_manager find; + 
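Review bot: `dontaudit hal_vibrator_default service_manager_type:service_manager find;` targets the whole `service_manager_type` attribute, so it suppresses find denials for every service rather than the one behind b/306344298. Any later lookup by the vibrator HAL of a service it should not reach would then go unlogged, which defeats the purpose of a tracking entry. Narrow the target to the specific service type named in the denial, or record the triple in `tracking_denials/bug_map` as the neighbouring commits do for kernel and incidentd. The new file also ends with a blank line after the rule, unlike the other tracking_denials files on this page.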
From 037d5cccf328e0d78d3e501377dcfd094fad5575 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 26 Oct 2023 13:41:45 +0800 Subject: [PATCH 843/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 307863370 Change-Id: I6efdf65cee3cb3c13fbf091659a7afaf01222d55 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index c3f960e3..71b647ea 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,5 +2,6 @@ hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +kernel vendor_charger_debugfs dir b/307863370 kernel vendor_usb_debugfs dir b/305880925 kernel vendor_votable_debugfs dir b/305880925 From 435e0aafa887e72ad900505696983ae3646c56a8 Mon Sep 17 00:00:00 2001 From: George Lee Date: Tue, 31 Oct 2023 02:55:49 +0000 Subject: [PATCH 844/900] pixelstats: Add Brownout Detection sepolicy Bug: 307392882 Test: Confirm lastmeal data upload Change-Id: I9f7386c6c813c2790dcba1c79ce80531b6819b65 Signed-off-by: George Lee --- whitechapel_pro/pixelstats_vendor.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 6aba16ae..15856a17 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -33,6 +33,9 @@ allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; +allow pixelstats_vendor mitigation_vendor_data_file:dir search; +allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms; +get_prop(pixelstats_vendor, vendor_brownout_reason_prop); # PCIe statistics allow pixelstats_vendor sysfs_exynos_pcie_stats:dir search; 
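Review bot: `get_prop(pixelstats_vendor, vendor_brownout_reason_prop);` ends with a semicolon while the other macro invocations on this page, e.g. `get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)`, are written without one; drop it for consistency. The `mitigation_vendor_data_file:file rw_file_perms` grant is wider than the "lastmeal data upload" in the commit message suggests: if pixelstats only reads the file, `r_file_perms` suffices, and if it clears the file after upload the comment should say so. The new lines sit under the existing `# BCL` heading; a heading of their own, `# Brownout detection (b/307392882)`, would keep the file's sectioned style.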
From 4f1d96210d0a090d4f2bde23cee1ccfe011478bf Mon Sep 17 00:00:00 2001 From: JimiChen Date: Fri, 27 Oct 2023 19:45:33 +0800 Subject: [PATCH 845/900] Update SELinux policies for rlsservice 1. Move rls_service context from vndservice_contexts to service_contexts. 2. Allow binder calls from rlsservice to servicemanager 3. Change rls_service type from vndservice_manager_type to service_manager_type. Bug: 301520085 Test: GCA Change-Id: Ief845b5691487f48d570c531de1ea99945087e42 --- whitechapel_pro/rlsservice.te | 2 ++ whitechapel_pro/service.te | 2 ++ whitechapel_pro/service_contexts | 2 ++ whitechapel_pro/vndservice.te | 1 - whitechapel_pro/vndservice_contexts | 1 - 5 files changed, 6 insertions(+), 2 deletions(-) diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te index e5f1acef..967389a1 100644 --- a/whitechapel_pro/rlsservice.te +++ b/whitechapel_pro/rlsservice.te @@ -16,6 +16,8 @@ allow rlsservice mnt_vendor_file:dir search; allow rlsservice rls_device:chr_file rw_file_perms; binder_call(rlsservice, hal_camera_default) +binder_call(rlsservice, servicemanager) + # Allow access to display backlight information allow rlsservice sysfs_leds:dir search; diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te index 1c49d4f8..2fff6689 100644 --- a/whitechapel_pro/service.te +++ b/whitechapel_pro/service.te @@ -3,3 +3,5 @@ type hal_uwb_vendor_service, service_manager_type, hal_service_type; # WLC type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; + +type rls_service, service_manager_type; diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index a3849bb7..e3ae0e74 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts 
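Review bot: `type rls_service, service_manager_type;` declares the relocated service with fewer attributes than its neighbours in service.te, which also carry `hal_service_type` and `protected_service`; the old vndservice_manager_type declaration had none either, so this may be deliberate, but the intended clients should be stated, e.g. `# rls_service: registered by rlsservice; expected client hal_camera_default — confirm`. In the rlsservice.te hunk on this line only `binder_call(rlsservice, servicemanager)` is added; registering a service also needs `service_manager add` on rls_service, which the standard `add_service(rlsservice, rls_service)` macro grants together with the binder call, so unless that permission exists outside the diff the registration will still be denied at runtime.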
@@ -2,3 +2,5 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_
 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
+
+rlsservice u:object_r:rls_service:s0
diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te
index bd59e836..06ef0b2d 100644
--- a/whitechapel_pro/vndservice.te
+++ b/whitechapel_pro/vndservice.te
@@ -1,3 +1,2 @@
-type rls_service, vndservice_manager_type;
 type vendor_surfaceflinger_vndservice, vndservice_manager_type;
 type eco_service, vndservice_manager_type;
diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts
index 16ae43a4..6ddcabfe 100644
--- a/whitechapel_pro/vndservice_contexts
+++ b/whitechapel_pro/vndservice_contexts
@@ -1,3 +1,2 @@
-rlsservice u:object_r:rls_service:s0
 Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
 media.ecoservice u:object_r:eco_service:s0
From ac39f865e182a4a8cc9ce65670d02c1e088d36ee Mon Sep 17 00:00:00 2001
From: Mike Wang Date: Fri, 29 Sep 2023 21:33:53 +0000 Subject: [PATCH 846/900] Add selinux policy change to allow MDS access Samsung OemRil hal. Bug: 301641283 selinux log: 11-03 15:32:38.850 2643 2643 I auditd : type=1400 audit(0.0:1616): avc: denied { call } for comm="binder:2643_3" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.850 2643 2643 I binder:2643_3: type=1400 audit(0.0:1616): avc: denied { call } for scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.854 2643 2643 I auditd : type=1400 audit(0.0:1617): avc: denied { transfer } for comm="binder:2643_3" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.854 2643 2643 I binder:2643_3: type=1400 audit(0.0:1617): avc: denied { transfer } for scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.854 1095 1095 I auditd : type=1400 audit(0.0:1618): avc: denied { call } for comm="HwBinder:1095_1" scontext=u:r:rild:s0 tcontext=u:r:modem_diagnostic_app:s0:c512,c768 tclass=binder permissive=1 11-03 15:32:38.854 1095 1095 I HwBinder:1095_1: type=1400 audit(0.0:1618): avc: denied { call } for scontext=u:r:rild:s0 tcontext=u:r:modem_diagnostic_app:s0:c512,c768 tclass=binder permissive=1 Change-Id: I62986e4bb0a4ed04616f8f3a8521f01934e63d74 --- whitechapel_pro/modem_diagnostic_app.te | 3 +++ whitechapel_pro/rild.te | 2 ++ 2 files changed, 5 insertions(+) diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te index b5cce03a..b21b7929 100644 --- a/whitechapel_pro/modem_diagnostic_app.te +++ b/whitechapel_pro/modem_diagnostic_app.te 
@@ -9,6 +9,9 @@ allow modem_diagnostic_app radio_service:service_manager find; userdebug_or_eng(` hal_client_domain(modem_diagnostic_app, hal_power_stats); + allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find; + binder_call(modem_diagnostic_app, rild) + binder_call(modem_diagnostic_app, dmd) set_prop(modem_diagnostic_app, vendor_cbd_prop) diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te index 534bea17..356e8727 100644 --- a/whitechapel_pro/rild.te +++ b/whitechapel_pro/rild.te @@ -43,4 +43,6 @@ allow rild modem_img_file:lnk_file r_file_perms; # Allow rild to ptrace for memory leak detection userdebug_or_eng(` allow rild self:process ptrace; + +binder_call(rild, modem_diagnostic_app) ') From d50939ab22f2c8db84d230489e960d4337cf4dcf Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 6 Nov 2023 08:01:29 +0000 Subject: [PATCH 847/900] Update SELinux error Test: scanBugreport Bug: 309379465 Bug: 309379994 Test: scanAvcDeniedLogRightAfterReboot Bug: 309379994 Change-Id: I45a01648f4c412b99e3fdcb70008e21c5d99fef3 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 71b647ea..3df2958a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,4 @@ +dumpstate rlsservice binder b/309379465 hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 @@ -5,3 +6,4 @@ incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 kernel vendor_usb_debugfs dir b/305880925 kernel vendor_votable_debugfs dir b/305880925 +kernel vendor_votable_debugfs dir b/309379994 From e22b188d9d7a7aa4f199bf89a95f8cc0663937c9 Mon Sep 17 00:00:00 2001 
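Review bot: The added `binder_call(rild, modem_diagnostic_app)` sits inside the `userdebug_or_eng(` block but is written at column 0 while the existing `allow rild self:process ptrace;` line is indented, which obscures where the block ends; indent it to match. The comment above the block, `# Allow rild to ptrace for memory leak detection`, no longer describes everything the block grants; extend it to `# Debug only: ptrace for leak detection and binder replies to the MDS app (b/301641283)`. The block's opening line is context above the hunk; the modem_diagnostic_app.te hunk on this line is the caller side of the same grant and is likewise debug-only.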
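Review bot: The second bug_map hunk adds `kernel vendor_votable_debugfs dir b/309379994` directly below the existing `kernel vendor_votable_debugfs dir b/305880925`, so the same (scontext, tcontext, tclass) triple now maps to two bugs. bug_map is a lookup keyed on that triple, so presumably only one reference can be attached to a denial; the entries should be merged, or one bug closed as a duplicate of the other. The same pattern recurs in the later bug_map hunks on this page for `rild default_prop file` (b/315720727 and b/315721328) and `vendor_init default_prop file` (b/315104479 and b/315104803).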
From: Rick Chen Date: Fri, 3 Nov 2023 20:07:11 +0800 Subject: [PATCH 848/900] sensors: Move USF related sepolicy to gs-common. Bug: 305120274 Test: Compile pass. Flash the build to WHI_PRO devices and no sensor related avc denied log. Change-Id: I48d959d439565e9c31ce83812bf29b6d8025c35b Signed-off-by: Rick Chen --- whitechapel_pro/file.te | 3 -- whitechapel_pro/file_contexts | 3 -- whitechapel_pro/hal_sensors_default.te | 74 +++----------------------- whitechapel_pro/te_macros | 14 ----- 4 files changed, 7 insertions(+), 87 deletions(-) delete mode 100644 whitechapel_pro/te_macros diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index fb4bad8c..b6630138 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -7,8 +7,6 @@ type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; -type sensor_debug_data_file, file_type, data_file_type; -type sensor_reg_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; @@ -59,7 +57,6 @@ allow modem_img_file self:filesystem associate; type persist_battery_file, file_type, vendor_persist_type; type persist_camera_file, file_type, vendor_persist_type; type persist_modem_file, file_type, vendor_persist_type; -type persist_sensor_reg_file, file_type, vendor_persist_type; type persist_ss_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; type persist_display_file, file_type, vendor_persist_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 75f8ccc1..c7203b50 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -204,8 +204,6 @@ /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 -/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0 -/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 /dev/maxfg_history u:object_r:battery_history_device:s0 /dev/battery_history u:object_r:battery_history_device:s0 @@ -215,7 +213,6 @@ /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 -/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te index 076ceaf7..620095d0 100644 --- a/whitechapel_pro/hal_sensors_default.te +++ b/whitechapel_pro/hal_sensors_default.te 
@@ -2,15 +2,14 @@
 # USF sensor HAL SELinux type enforcements.
 #
-# Allow access to the AoC communication driver.
-allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+# Allow reading of camera persist files.
+r_dir_file(hal_sensors_default, persist_camera_file)
-# Allow access to CHRE socket to connect to nanoapps.
-allow hal_sensors_default chre:unix_stream_socket connectto;
-allow hal_sensors_default chre_socket:sock_file write;
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
-# Allow create thread to watch AOC's device.
-allow hal_sensors_default device:dir r_dir_perms;
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
 # Allow access for dynamic sensor properties.
 get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
@@ -18,70 +17,11 @@ get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
 # Allow access to raw HID devices for dynamic sensors.
 allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
-# Allow SensorSuez to connect AIDL stats.
-allow hal_sensors_default fwk_stats_service:service_manager find;
-
-# Allow reading of sensor registry persist files and camera persist files.
-allow hal_sensors_default mnt_vendor_file:dir search;
-allow hal_sensors_default persist_file:dir search;
-allow hal_sensors_default persist_file:file r_file_perms;
-allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
-allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
-r_dir_file(hal_sensors_default, persist_camera_file)
-
-# Allow creation and writing of sensor registry data files.
-allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
-allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
-
-userdebug_or_eng(`
-    # Allow creation and writing of sensor debug data files.
-    allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms;
-    allow hal_sensors_default sensor_debug_data_file:file create_file_perms;
-')
-
-# Allow access to the display info for ALS.
-allow hal_sensors_default sysfs_display:file rw_file_perms;
-
-# Allow access to the sysfs_aoc.
-allow hal_sensors_default sysfs_aoc:dir search;
-allow hal_sensors_default sysfs_aoc:file r_file_perms;
-
-# Allow access for AoC properties.
-get_prop(hal_sensors_default, vendor_aoc_prop)
-
-# Allow sensor HAL to read AoC dumpstate.
-allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
-
-# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
-# to synchronize the AP and AoC clock timestamps.
-allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
-
-# Allow access to the files of CDT information.
-allow hal_sensors_default sysfs_chosen:dir search; -allow hal_sensors_default sysfs_chosen:file r_file_perms; - -# Allow access to sensor service for sensor_listener. -binder_call(hal_sensors_default, system_server); - -# Allow sensor HAL to reset AOC. -allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; - -# Allow sensor HAL to read AoC dumpstate. -allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; - # Allow sensor HAL to access the display service HAL allow hal_sensors_default hal_pixel_display_service:service_manager find; -# Allow display_info_service access to the backlight driver. -allow hal_sensors_default sysfs_leds:dir search; -allow hal_sensors_default sysfs_leds:file r_file_perms; - # Allow sensor HAL to access the graphics composer. -binder_call(hal_sensors_default, hal_graphics_composer_default); - -# Allow display_info_service access to the backlight driver. -allow hal_sensors_default sysfs_write_leds:file rw_file_perms; +binder_call(hal_sensors_default, hal_graphics_composer_default) # Allow access to the power supply files for MagCC. -r_dir_file(hal_sensors_default, sysfs_batteryinfo) allow hal_sensors_default sysfs_wlc:dir r_dir_perms; diff --git a/whitechapel_pro/te_macros b/whitechapel_pro/te_macros deleted file mode 100644 index 01ac13c1..00000000 --- a/whitechapel_pro/te_macros +++ /dev/null @@ -1,14 +0,0 @@ -# -# USF SELinux type enforcement macros. -# - -# -# usf_low_latency_transport(domain) -# -# Allows domain use of the USF low latency transport. -# -define(`usf_low_latency_transport', ` - allow $1 hal_graphics_mapper_hwservice:hwservice_manager find; - hal_client_domain($1, hal_graphics_allocator) -') - From 551b83f7c585d62a273dffd4207eb4d74aa695d9 Mon Sep 17 00:00:00 2001 
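Review bot: This hunk removes `allow hal_sensors_default sysfs_leds:dir search;` while the first hunk of the file keeps `allow hal_sensors_default sysfs_write_leds:file rw_file_perms;`; if the sysfs_write_leds files live under directories labelled sysfs_leds, the HAL can no longer traverse to them unless the gs-common policy this commit relies on grants that search, and the denial would only show up at runtime. The retained comment `# Allow access to the power supply files for MagCC.` now heads only the sysfs_wlc rule after `r_dir_file(hal_sensors_default, sysfs_batteryinfo)` was dropped; reword it to `# Allow access to the wireless-charger sysfs files for MagCC.` if that is all that remains. The hunk's first lines are on the preceding source line.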
From: Mike Wang Date: Wed, 8 Nov 2023 05:23:35 +0000 Subject: [PATCH 849/900] Change the MDS to platform app in selinux ap context. The MDS will be signed with platform key and become a platform app. To make the selinux rules for modem_diagnostic_app work, need to set it to platform app in app context. Bug: 287683516 Test: Tested with both dev key or platform key signed MDS apps and the selinux rules works. Change-Id: Ia0dacafc5e096c101e115b7356d8490391cb6bbd --- whitechapel_pro/seapp_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index dcaaf664..eda8c10c 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -32,6 +32,7 @@ user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_ # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user From b204558a731d6a6a79b701dc8d7c017f59e9af93 Mon Sep 17 00:00:00 2001 From: Daniel Norman Date: Fri, 10 Nov 2023 22:44:31 +0000 Subject: [PATCH 850/900] Removes duplicate hidraw_device type definition. This type is now defined by the platform. Bug: 303522222 Change-Id: Ia2f817ce99548c30f39a5164c8f6ec323db66155 Test: ls -z /dev/hidraw0 --- whitechapel_pro/device.te | 4 ---- whitechapel_pro/file_contexts | 3 --- 2 files changed, 7 deletions(-) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 93059b7f..446e2725 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te 
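Review bot: The new `seinfo=platform` entry for `name=com.google.mds` is added below the existing `seinfo=mds` entry instead of replacing it, so both signing identities now map to modem_diagnostic_app. The commit message frames this as a move to platform signing; if the `seinfo=mds` mapping is meant to go away, leave a marker for the cleanup under the `# Modem Diagnostic System` comment, e.g. `# TODO(b/287683516): drop the seinfo=mds entry once MDS ships platform-signed`, and otherwise state that both are intentionally kept.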
@@ -23,7 +23,3 @@ type fips_block_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; type st33spi_device, dev_type; - -# Raw HID device -type hidraw_device, dev_type; - diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c7203b50..55bca671 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -222,6 +222,3 @@ /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 - -# Raw HID device -/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 From 7411947a02ec33a343ab3860f903bf8c1892ccff Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Wed, 15 Nov 2023 16:46:52 +0800 Subject: [PATCH 851/900] dontaudit on dir search for vendor_votable_debugfs Bug: 305880925 Bug: 309379994 Change-Id: I7317bdb4ec80eb73a57cbb924d3132579e0b4f98 Signed-off-by: Kyle Tso --- tracking_denials/bug_map | 2 -- whitechapel_pro/kernel.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3df2958a..a462fcff 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -5,5 +5,3 @@ incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 kernel vendor_usb_debugfs dir b/305880925 -kernel vendor_votable_debugfs dir b/305880925 -kernel vendor_votable_debugfs dir b/309379994 diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index 2cddb45b..0ed0410d 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -11,3 +11,4 @@ allow kernel self:perf_event cpu; dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_maxfg_debugfs:dir { search }; dontaudit kernel vendor_regmap_debugfs:dir search; +dontaudit kernel vendor_votable_debugfs:dir search; 
From 3b40f18e299c2b8f3ee7604fa39568f2651c20bb Mon Sep 17 00:00:00 2001 From: Devika Krishnadas Date: Thu, 16 Nov 2023 01:20:23 +0000 Subject: [PATCH 852/900] Add Pixel Mapper as a sp-HAL Bug: 267352318 Change-Id: I460f379d8d6904f5bda3f67a7158c0ac6f2e7b5f Signed-off-by: Devika Krishnadas --- whitechapel_pro/file_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 55bca671..56a2e5ee 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -49,6 +49,9 @@ # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 +# Gralloc +/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0 + # Vendor libraries /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 From 8f30df1dcf2ef47fb039237845e51714f409e308 Mon Sep 17 00:00:00 2001 From: Alex Iacobucci Date: Fri, 10 Nov 2023 18:23:22 +0000 Subject: [PATCH 853/900] aoc: add sysfs file entry Test: on device Bug: 309950738 Change-Id: Ie5437a02b3a4f69d05ecb274169b4bd328315a22 Signed-off-by: Alex Iacobucci --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 55684b0d..ff6464f4 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
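Review bot: The new `same_process_hal_file` entry for `mapper\.pixel\.so` uses the `/(vendor|system/vendor)/lib(64)?/hw/` prefix while the neighbouring sp-HAL library entries use the plain `/vendor/lib(64)?/` form; pick one form for the section so the file stays consistent. Since `same_process_hal_file` marks code that is loaded into client processes, the `# Gralloc` heading could say so: `# Gralloc mapper (sp-HAL, loaded into client processes)`.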
@@ -477,6 +477,7 @@ genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:ob genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0 # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 From 2bd12254f48fedb0ea1800a6c4e215931e3e1122 Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Wed, 22 Nov 2023 14:16:38 +0800 Subject: [PATCH 854/900] Move sg_device related policy Bug: 312582937 Test: make selinux_policy Change-Id: I18617643e66d6d2fe5ff19e440dea204206b3035 Signed-off-by: Randall Huang --- whitechapel_pro/device.te | 1 - whitechapel_pro/file_contexts | 1 - whitechapel_pro/tee.te | 1 - 3 files changed, 3 deletions(-) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 446e2725..6ba793fa 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -6,7 +6,6 @@ type persist_block_device, dev_type; type efs_block_device, dev_type; type modem_userdata_block_device, dev_type; type mfg_data_block_device, dev_type; -type sg_device, dev_type; type vendor_toe_device, dev_type; type lwis_device, dev_type; type logbuffer_device, dev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 56a2e5ee..3f03822c 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -146,7 +146,6 @@ /dev/gxp u:object_r:gxp_device:s0 /dev/dit2 u:object_r:vendor_toe_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 -/dev/sg1 u:object_r:sg_device:s0 /dev/st21nfc u:object_r:nfc_device:s0 /dev/st54spi u:object_r:st54spi_device:s0 /dev/st33spi u:object_r:st33spi_device:s0 
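Review bot: The new genfscon line labels `notify_timeout_aoc_status` as `sysfs_aoc_notifytimeout`, but the diffstat shows only genfs_contexts changed, so that type must already be declared elsewhere (file.te here or a shared policy); if it is not, the policy build fails on an undeclared type. It is also worth confirming that the domain expected to read this node has an allow rule, since a fresh label with no consumers only produces a denial later. The line is appended after the `memory_votes_*` dumpstate entries without a separator; a short `# AoC notify-timeout status` comment would keep the block readable.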
diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te index 256fb384..bfff0a91 100644 --- a/whitechapel_pro/tee.te +++ b/whitechapel_pro/tee.te @@ -7,7 +7,6 @@ allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; -allow tee sg_device:chr_file rw_file_perms; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) From a2847d44754c7acbb01424b73c5a98c3e1eabf7f Mon Sep 17 00:00:00 2001 From: Khoa Hong Date: Thu, 30 Nov 2023 14:59:09 +0800 Subject: [PATCH 855/900] Suppress avc error log on debugfs's usb folder. The XHCI driver in kernel will write debugging information to DebugFS on some USB host operations (for example: plugging in a USB headphone). We are not using those information right now. Bug: 305880925 Bug: 311088739 Test: No error when plugging a USB headphone in. Change-Id: I3b53a3924a1fb3f2a37b0d8a1ae9df037cbc1dd2 --- tracking_denials/bug_map | 1 - whitechapel_pro/kernel.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a462fcff..302c2017 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,4 +4,3 @@ hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 -kernel vendor_usb_debugfs dir b/305880925 diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index 0ed0410d..9f5bf882 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -12,3 +12,4 @@ dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_maxfg_debugfs:dir { search }; dontaudit kernel vendor_regmap_debugfs:dir search; dontaudit kernel vendor_votable_debugfs:dir search; +dontaudit kernel vendor_usb_debugfs:dir search; 
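Review bot: `dontaudit kernel vendor_usb_debugfs:dir search;` is appended after the `vendor_votable_debugfs` line, breaking the alphabetical order the rest of the block follows (battery, maxfg, regmap, votable); place it between regmap and votable. The existing `vendor_maxfg_debugfs:dir { search };` line's brace style is also inconsistent with its neighbours, though that predates this change.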
From da3e268e93a52483132a58652d094398b8c02243 Mon Sep 17 00:00:00 2001 From: Daniel Norman Date: Thu, 30 Nov 2023 23:27:56 +0000 Subject: [PATCH 856/900] Removes duplicate hidraw_device type definition. This type is now defined by the platform. Bug: 303522222 Test: ls -z /dev/hidraw0 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b204558a731d6a6a79b701dc8d7c017f59e9af93) Merged-In: Ia2f817ce99548c30f39a5164c8f6ec323db66155 Change-Id: Ia2f817ce99548c30f39a5164c8f6ec323db66155 --- whitechapel_pro/device.te | 4 ---- whitechapel_pro/file_contexts | 3 --- 2 files changed, 7 deletions(-) diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index b66248a7..1b17239c 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -24,7 +24,3 @@ type fips_block_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; type st33spi_device, dev_type; - -# Raw HID device -type hidraw_device, dev_type; - diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c4f5b098..80bf8721 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -226,6 +226,3 @@ /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 - -# Raw HID device -/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 From e2d97955585ca6dbed6d6622a240c6879d171864 Mon Sep 17 00:00:00 2001 From: Jason Chiu Date: Thu, 9 Nov 2023 21:30:13 +0800 Subject: [PATCH 857/900] gs201: move sepolicy related to bootctrl hal to gs-common Bug: 265063384 Change-Id: I30a71900c2a305b05ae6e17d658df32d95097d14 Signed-off-by: Jason Chiu --- whitechapel_pro/device.te | 2 -- whitechapel_pro/file.te | 1 - whitechapel_pro/file_contexts | 1 - whitechapel_pro/hal_bootctl_default.te | 3 --- 4 files changed, 7 deletions(-) delete mode 100644 whitechapel_pro/hal_bootctl_default.te 
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 6ba793fa..ae74fea2 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -1,5 +1,3 @@ -type sda_block_device, dev_type; -type devinfo_block_device, dev_type; type modem_block_device, dev_type; type custom_ab_block_device, dev_type; type persist_block_device, dev_type; diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index b6630138..378c466c 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -27,7 +27,6 @@ type sysfs_em_profile, sysfs_type, fs_type; # sysfs type sysfs_chosen, sysfs_type, fs_type; -type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; type sysfs_fabric, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 3f03822c..67cfcfb8 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -22,7 +22,6 @@ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 -/vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0 diff --git a/whitechapel_pro/hal_bootctl_default.te b/whitechapel_pro/hal_bootctl_default.te deleted file mode 100644 index 30db79bd..00000000 --- a/whitechapel_pro/hal_bootctl_default.te +++ /dev/null 
@@ -1,3 +0,0 @@ -allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; -allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; -allow hal_bootctl_default sysfs_ota:file rw_file_perms; From eca39285c5e3ab798f4291248a21ee1eeec02615 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Tue, 14 Nov 2023 13:49:42 +0000 Subject: [PATCH 858/900] Add Secretkeeper HAL Test: VtsAidlAuthGraphSessionTest Bug: 306364873 Change-Id: I84d4098960d6445da1eb7e58e25a015cd591d6b3 --- whitechapel_pro/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 67cfcfb8..e5defcc1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -20,6 +20,7 @@ /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 From bf2cd60aaad8eb98ebb2cf23edfdf978fe891109 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 6 Dec 2023 10:43:28 +0000 Subject: [PATCH 859/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 315104803 Test: scanBugreport Bug: 315104594 Bug: 315104803 Test: scanAvcDeniedLogRightAfterReboot Bug: 315104803 Change-Id: Iad6a4ea7a3a58c161359a87a6083a015665d5b14 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) 
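Review bot: The new file_contexts entry labels the Secretkeeper binary `hal_secretkeeper_default_exec`, but nothing in this repository declares that type or its domain, so the label only resolves if the platform policy this branch builds against already ships `hal_secretkeeper_default`. That is caught at policy compile time rather than silently, but this change also adds no vendor-side .te for the new domain, so any device-node access the Trusty-backed service needs must already be granted by the platform domain; that is worth confirming under enforcing rather than only via the VTS test named in the description. A one-line comment above the entry, `# Secretkeeper (Trusty); domain and exec type are defined in system/sepolicy`, would make that dependency explicit next to the other `.trusty` services.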
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 302c2017..efd9764b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,3 +4,6 @@ hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 +surfaceflinger selinuxfs file b/315104594 +vendor_init default_prop file b/315104803 +vendor_init default_prop property_service b/315104803 From c118ee96abdf9c6399fa70954fc53fa55f5fa54b Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 11 Dec 2023 02:54:55 +0000 Subject: [PATCH 860/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 315720727 Test: scanBugreport Bug: 315721328 Bug: 315104479 Test: scanAvcDeniedLogRightAfterReboot Bug: 315104479 Bug: 315720727 Change-Id: I936dba39a2d2cfbd6c2924aed7c1e2f8b9e00fb2 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index efd9764b..17977519 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,6 +4,9 @@ hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 +rild default_prop file b/315720727 +rild default_prop file b/315721328 surfaceflinger selinuxfs file b/315104594 +vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 vendor_init default_prop property_service b/315104803 From a4fa4427bc2f646b47ade202c969df088d3f0ba5 Mon Sep 17 00:00:00 2001 
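Review bot: The three `bug_map` lines added here only tag the denials with a bug so SELinuxUncheckedDenialBootTest stops failing; they grant nothing and the accesses stay denied, so each entry needs a follow-up in the named bug or it becomes a permanent suppression. Two of the three are `vendor_init default_prop file` and `vendor_init default_prop property_service`, and `default_prop` usually means vendor_init is touching a property with no property_contexts entry, for which the real fix is a vendor property label rather than a tracking line. The same pattern recurs in the later bug_map commits of this series (860, 863, 865, 870, 871, 872, 875) with `rild default_prop`, `kernel dm_device blk_file`, `kernel tmpfs chr_file` and `system_suspend sysfs dir`. It would also help to keep one bug id per denial, since b/315104803 is reused on several lines here and in later commits, which makes it hard to tell when an entry can be removed.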
From: Boon Jun Soh Date: Fri, 8 Dec 2023 18:54:45 +0800 Subject: [PATCH 861/900] Fix rlsservice sepolicy Allows bugreport generation Bug: 315255760 Bug: 309379465 Test: abd bugreport & ensure lack of rls avc denied logs Change-Id: Ic390d6ddd6bac78e5979c78bc6d02262f08b3468 --- tracking_denials/bug_map | 1 - whitechapel_pro/dumpstate.te | 2 +- whitechapel_pro/rlsservice.te | 4 ++++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 17977519..39726296 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,3 @@ -dumpstate rlsservice binder b/309379465 hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te index eaab9b2f..da71a845 100644 --- a/whitechapel_pro/dumpstate.te +++ b/whitechapel_pro/dumpstate.te @@ -13,4 +13,4 @@ allow dumpstate modem_efs_file:dir r_dir_perms; allow dumpstate modem_userdata_file:dir r_dir_perms; allow dumpstate modem_img_file:dir r_dir_perms; allow dumpstate fuse:dir search; - +allow dumpstate rlsservice:binder call; \ No newline at end of file diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te index 967389a1..e531b0d6 100644 --- a/whitechapel_pro/rlsservice.te +++ b/whitechapel_pro/rlsservice.te @@ -32,3 +32,7 @@ allow rlsservice apex_info_file:file r_file_perms; # Allow read camera property get_prop(rlsservice, vendor_camera_prop); + +# Allow rlsservice bugreport generation +allow rlsservice dumpstate:fd use; +allow rlsservice dumpstate:fifo_file write; \ No newline at end of file From 04bc1d210a874f0e90d93bd65048091da8fe9ee0 Mon Sep 17 00:00:00 2001 
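Review bot: Both new rule lines are appended without a trailing newline (`\ No newline at end of file` on dumpstate.te and on rlsservice.te), so the next rule added to either file will show up as a two-line change; end both files with a newline. The dumpstate side uses a bare `allow dumpstate rlsservice:binder call;`, which is narrower than the `binder_call()` macro used elsewhere in this series (no transfer, no fd use) and so fine from a least-privilege view, but it deserves a comment tying it to the bug, e.g. `# Allow dumpstate to collect rlsservice dump output (b/309379465)`. The rlsservice side grants `dumpstate:fd use` and `dumpstate:fifo_file write`, which is the usual shape for a dumped service writing into dumpstate's pipe, and dropping the `bug_map` entry in the same change is correct now that the access is granted.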
From: Jenny Ho Date: Wed, 13 Dec 2023 15:27:23 +0800 Subject: [PATCH 862/900] sepolicy: add read wlc sysfs permission 12-12 18:33:17.960000 1000 906 906 I auditd : type=1400 audit(0.0:10): avc: denied { read } for comm="android.hardwar" name="type" dev="sysfs" ino=75851 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 Bug: 306534100 Change-Id: I3381aaa1e08637c1cc8eb278bd775c81b32ed3bd Signed-off-by: Jenny Ho --- whitechapel_pro/hal_health_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index fbbad6bb..805b707d 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -18,3 +18,4 @@ allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; allow hal_health_default thermal_link_device:dir search; +allow hal_health_default sysfs_wlc:file r_file_perms; From c131634ccf02594a6c5b8ebd87834e164cffb503 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 18 Dec 2023 03:26:48 +0000 Subject: [PATCH 863/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 316816342 Test: scanBugreport Bug: 316817103 Bug: 315104803 Test: scanAvcDeniedLogRightAfterReboot Bug: 316816342 Bug: 315104803 Change-Id: I4806c007ce70fab72a3754afbf3cf218dfc4b4fc --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 39726296..b8c95023 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
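Review bot: `r_file_perms` on `sysfs_wlc:file` matches the read denial quoted in the description, but the `sysfs_wlc` label is applied in genfs_contexts at the i2c device directory level (the `.../i2c-N/N-003c` entries visible later in this series), so reaching a file under it also requires `search` on `sysfs_wlc:dir`. The log quotes only the file denial, which suggests the directory search is already permitted by a rule not shown here; if it is not, `r_dir_file(hal_health_default, sysfs_wlc)` is the usual one-liner. A short comment naming what is read, e.g. `# Read wireless-charger attributes from sysfs_wlc (b/306534100)`, would help, since the neighbouring rules carry none.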
@@ -3,6 +3,8 @@ hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 +modem_svc_sit vendor_volte_mif_off file b/316816342 +modem_svc_sit vendor_volte_mif_off file b/316817103 rild default_prop file b/315720727 rild default_prop file b/315721328 surfaceflinger selinuxfs file b/315104594 From c45f36f10ee6273f0ce55c33eea160d797ff0566 Mon Sep 17 00:00:00 2001 From: Chi Zhang Date: Wed, 29 Nov 2023 16:34:52 -0800 Subject: [PATCH 864/900] Allow GRIL to get power stats. SELinux : avc: denied { find } for pid=3147 uid=10219 name=android.hardware.power.stats.IPowerStats/default scontext=u:r:grilservice_app:s0:c219,c256,c512,c768 tcontext=u:object_r:hal_power_stats_service:s0 tclass=service_manager permissive=1 Bug: 286187143 Test: build and boot Change-Id: I4588708267fc0f582c767a93e5a422a6e40b6369 --- whitechapel_pro/grilservice_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te index 2525baba..251fe1b2 100644 --- a/whitechapel_pro/grilservice_app.te +++ b/whitechapel_pro/grilservice_app.te @@ -15,3 +15,4 @@ binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) binder_call(grilservice_app, hal_audiometricext_default) binder_call(grilservice_app, rild) +hal_client_domain(grilservice_app, hal_power_stats) From 8751aabb8a9a708267fba7cce5550c9dd8b7b42b Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 26 Dec 2023 03:34:26 +0000 Subject: [PATCH 865/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 317734397 Test: scanBugreport Bug: 317734683 Bug: 315104803 Test: scanAvcDeniedLogRightAfterReboot Bug: 317734963 Bug: 315104803 Change-Id: If88b24f947ed750b9e6ca8d83c1762e09b9cfebb --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) 
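Review bot: `hal_client_domain(grilservice_app, hal_power_stats)` grants more than the single `find` in the quoted denial — in the platform's hal_power_stats attribute definition it also carries the binder rules in both directions between client and server — which is the right macro for a HAL attribute, but the denial was captured with `permissive=1` and the description's `build and boot` test does not exercise the call path, so the actual IPowerStats query should be verified under enforcing. Power stats expose device-wide energy readings, so keeping the client set small is worth a line of justification; the other entries in this file are uncommented too, but `# GRIL needs IPowerStats (b/286187143)` above the new line would record why an app domain gets this access.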
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b8c95023..cc0d597c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -5,6 +5,7 @@ incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 modem_svc_sit vendor_volte_mif_off file b/316816342 modem_svc_sit vendor_volte_mif_off file b/316817103 +rfsd vendor_cbd_prop file b/317734397 rild default_prop file b/315720727 rild default_prop file b/315721328 surfaceflinger selinuxfs file b/315104594 From 8c955289cafddd344d18b516f6a79ef4a86475ad Mon Sep 17 00:00:00 2001 From: timtmlin Date: Wed, 27 Dec 2023 15:41:55 +0800 Subject: [PATCH 866/900] Remove obsolete entries Bug: 315720727 Bug: 315721328 Test: make Change-Id: I176dd469a78d8c6c80bdfc72f377951955ffd543 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index cc0d597c..b8268f16 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,8 +6,6 @@ kernel vendor_charger_debugfs dir b/307863370 modem_svc_sit vendor_volte_mif_off file b/316816342 modem_svc_sit vendor_volte_mif_off file b/316817103 rfsd vendor_cbd_prop file b/317734397 -rild default_prop file b/315720727 -rild default_prop file b/315721328 surfaceflinger selinuxfs file b/315104594 vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 From 997782c603150e81455a972c21d5a52f536a1860 Mon Sep 17 00:00:00 2001 From: wenchangliu Date: Thu, 4 Jan 2024 14:18:04 +0000 Subject: [PATCH 867/900] gs201: move mediacodec_samsung sepolicy to gs-common remove mediacodec_samsung sepolicy in legacy path since we will include it from gs-common. Bug: 318793681 Test: build pass, camera record, youtube Change-Id: I08a9ce89155324b0ac749bde4a9d205585a57320 
Signed-off-by: wenchangliu --- whitechapel_pro/file.te | 2 -- whitechapel_pro/file_contexts | 2 -- whitechapel_pro/genfs_contexts | 5 +--- whitechapel_pro/hal_camera_default.te | 1 - whitechapel_pro/mediacodec_samsung.te | 38 --------------------------- whitechapel_pro/vndservice.te | 1 - whitechapel_pro/vndservice_contexts | 1 - 7 files changed, 1 insertion(+), 49 deletions(-) delete mode 100644 whitechapel_pro/mediacodec_samsung.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 378c466c..1d71d1df 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -5,7 +5,6 @@ type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; -type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_data_vendor, file_type, data_file_type; @@ -34,7 +33,6 @@ type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_pcie_stats, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; -type sysfs_mfc, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; type sysfs_write_leds, sysfs_type, fs_type; type sysfs_pca, sysfs_type, fs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index e5defcc1..28a6cc33 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
@@ -24,7 +24,6 @@ /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0 @@ -203,7 +202,6 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index ff6464f4..2ebaa3c4 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -195,9 +195,6 @@ genfscon sysfs /devices/platform/exynos-drm/tui_status genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 -# mediacodec_samsung -genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0 - # Storage genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 
@@ -491,4 +488,4 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-003c u:obje genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 \ No newline at end of file +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te index c16b2481..25f2ffc4 100644 --- a/whitechapel_pro/hal_camera_default.te +++ b/whitechapel_pro/hal_camera_default.te @@ -69,7 +69,6 @@ binder_call(hal_camera_default, system_server); # Allow Binder calls to ECO service, needed by Entropy-Aware Filtering allow hal_camera_default eco_service:service_manager find; -binder_call(hal_camera_default, mediacodec); binder_call(hal_camera_default, mediacodec_samsung); # Allow camera HAL to query preferred camera frequencies from the radio HAL diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te deleted file mode 100644 index ce05fa5f..00000000 --- a/whitechapel_pro/mediacodec_samsung.te +++ /dev/null 
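Review bot: The hal_camera_default.te hunk removes `binder_call(hal_camera_default, mediacodec);` — the platform `mediacodec` domain — and keeps `binder_call(hal_camera_default, mediacodec_samsung);`, while the commit title says it is the mediacodec_samsung policy that moves to gs-common. If the platform mediacodec call was never needed that is a welcome tightening, but it is unrelated to the move and should be stated in the description; if it was needed, "camera record, youtube" may not cover the affected path. The kept line and the `eco_service` find above it now depend on gs-common declaring `mediacodec_samsung` and `eco_service`, since both types are deleted from this repository in the vndservice.te and mediacodec_samsung.te hunks, and the deleted file's `neverallow` rules (no `execute_no_trans`, no udp/rawip/tcp sockets) should be confirmed to survive the move, as they are the security invariants of that domain.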
@@ -1,38 +0,0 @@ -type mediacodec_samsung, domain; -type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(mediacodec_samsung) - -hal_server_domain(mediacodec_samsung, hal_codec2) -add_service(mediacodec_samsung, eco_service) - -# can route /dev/binder traffic to /dev/vndbinder -vndbinder_use(mediacodec_samsung) - -allow mediacodec_samsung video_device:chr_file rw_file_perms; -allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms; -allow mediacodec_samsung gpu_device:chr_file rw_file_perms; - -allow mediacodec_samsung sysfs_mfc:file r_file_perms; -allow mediacodec_samsung sysfs_mfc:dir r_dir_perms; - -# can use graphics allocator -hal_client_domain(mediacodec_samsung, hal_graphics_allocator) - -binder_call(mediacodec_samsung, hal_camera_default) - -crash_dump_fallback(mediacodec_samsung) - -# mediacodec_samsung should never execute any executable without a domain transition -neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans; - -# Media processing code is inherently risky and thus should have limited -# permissions and be isolated from the rest of the system and network. -# Lengthier explanation here: -# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html -neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *; -neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *; - -userdebug_or_eng(` - allow mediacodec_samsung vendor_media_data_file:dir rw_dir_perms; - allow mediacodec_samsung vendor_media_data_file:file create_file_perms; -') diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te index 06ef0b2d..12a48194 100644 --- a/whitechapel_pro/vndservice.te +++ b/whitechapel_pro/vndservice.te @@ -1,2 +1 @@ type vendor_surfaceflinger_vndservice, vndservice_manager_type; -type eco_service, vndservice_manager_type; 
diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts index 6ddcabfe..4f9f5a70 100644 --- a/whitechapel_pro/vndservice_contexts +++ b/whitechapel_pro/vndservice_contexts @@ -1,2 +1 @@ Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 -media.ecoservice u:object_r:eco_service:s0 From f1c2498079396072cc5f24b3ee6144574220ac4b Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Wed, 10 Jan 2024 06:12:19 +0000 Subject: [PATCH 868/900] selinux: label wakeup for BMS I2C 0x36, 0x69 Bug: 319035561 Change-Id: I45a80157d2a1d12a27a748aed31bb0ae5b08e7b5 Signed-off-by: Ken Yang --- whitechapel_pro/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 2ebaa3c4..e024ed17 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -330,9 +330,11 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_sup genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 From 00d82676e9c539e9833e0f6033beb158689ab5da Mon Sep 17 00:00:00 2001 From: Mahesh Kallelil Date: Thu, 11 Jan 2024 09:51:17 -0800 Subject: [PATCH 869/900] Remove modem_svc selinux error from denials bug_map This property was removed and is not being used anymore. So modem_svc will not need to read it. Bug: 316816342 Change-Id: I9fe6002e34f7dd5fea0371d41d417c778c3d0905 Signed-off-by: Mahesh Kallelil --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b8268f16..3fdaf978 100644 --- a/tracking_denials/bug_map 
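Review bot: The two added `.../wakeup/wakeup` entries label the per-source `wakeupN` nodes under the 0x36 and 0x69 BMS devices, but because genfscon is longest-prefix matching, the parent `7-0036/wakeup` and `7-0069/wakeup` directories keep the generic `sysfs` label, unlike the neighbouring `i2c-max77759tcpc/wakeup` and `power_supply/maxfg/wakeup` entries that label the directory itself. A domain enumerating wakeup sources then needs `search` on a plain `sysfs` directory to reach these nodes; whether that is already permitted I cannot tell from the diff, and the `system_suspend sysfs dir` bug_map entries added in commit 872 of this series may or may not be related. If the intent is the same as the existing lines, labelling at the `wakeup` directory level would keep the pattern uniform.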
+++ b/tracking_denials/bug_map @@ -3,8 +3,6 @@ hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 -modem_svc_sit vendor_volte_mif_off file b/316816342 -modem_svc_sit vendor_volte_mif_off file b/316817103 rfsd vendor_cbd_prop file b/317734397 surfaceflinger selinuxfs file b/315104594 vendor_init default_prop file b/315104479 From 25835bcc6188be603080157b1c0f70ad39941725 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 16 Jan 2024 19:19:52 +0000 Subject: [PATCH 870/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 319403445 Test: scanBugreport Bug: 319403445 Test: scanAvcDeniedLogRightAfterReboot Bug: 319403445 Change-Id: I739ae803828538555a92989e71d85df5c77c0bd2 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3fdaf978..d76cfed9 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,6 +2,7 @@ hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +kernel dm_device blk_file b/319403445 kernel vendor_charger_debugfs dir b/307863370 rfsd vendor_cbd_prop file b/317734397 surfaceflinger selinuxfs file b/315104594 From f52acbf0cff8d54fee7136e310cca2261f74d681 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 22 Jan 2024 17:41:28 +0000 Subject: [PATCH 871/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 321731318 Test: scanBugreport Bug: 315104803 Test: scanAvcDeniedLogRightAfterReboot Bug: 315104803 Change-Id: I5fc3c161edc102c2418145c69c1f94125d73783e --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d76cfed9..9f7735bd 100644 
--- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -3,6 +3,7 @@ hal_power_default hal_power_default capability b/237492146 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/319403445 +kernel tmpfs chr_file b/321731318 kernel vendor_charger_debugfs dir b/307863370 rfsd vendor_cbd_prop file b/317734397 surfaceflinger selinuxfs file b/315104594 From bbb8e0618f290b7acb414968eb3e450e0206c19f Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 23 Jan 2024 22:22:36 +0000 Subject: [PATCH 872/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 322036333 Test: scanBugreport Bug: 322035303 Bug: 315104803 Test: scanAvcDeniedLogRightAfterReboot Bug: 322036333 Bug: 315104803 Change-Id: Ide2a5f5d6636d0374e724de9991a71123396a85f --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 9f7735bd..dd0118a6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -7,6 +7,8 @@ kernel tmpfs chr_file b/321731318 kernel vendor_charger_debugfs dir b/307863370 rfsd vendor_cbd_prop file b/317734397 surfaceflinger selinuxfs file b/315104594 +system_suspend sysfs dir b/322035303 +system_suspend sysfs dir b/322036333 vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 vendor_init default_prop property_service b/315104803 From f32bd56cb0ec1e345f9cdb656b6b5f4137bba1ea Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Fri, 26 Jan 2024 20:11:02 +0800 Subject: [PATCH 873/900] dontaudit on dir search for vendor_charger_debugfs Bug: 307863370 Change-Id: I6da7b9426cdcc6152ff05ef7cd0cf18b718ab875 Signed-off-by: Jack Wu --- tracking_denials/bug_map | 1 - whitechapel_pro/kernel.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index dd0118a6..bbdb0a74 100644 --- a/tracking_denials/bug_map 
+++ b/tracking_denials/bug_map @@ -4,7 +4,6 @@ incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/319403445 kernel tmpfs chr_file b/321731318 -kernel vendor_charger_debugfs dir b/307863370 rfsd vendor_cbd_prop file b/317734397 surfaceflinger selinuxfs file b/315104594 system_suspend sysfs dir b/322035303 diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index 9f5bf882..d5ed958e 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te @@ -13,3 +13,4 @@ dontaudit kernel vendor_maxfg_debugfs:dir { search }; dontaudit kernel vendor_regmap_debugfs:dir search; dontaudit kernel vendor_votable_debugfs:dir search; dontaudit kernel vendor_usb_debugfs:dir search; +dontaudit kernel vendor_charger_debugfs:dir search; From 1f8b299ace66b44ffbfb16de4085bad4d171a8b0 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Fri, 26 Jan 2024 17:22:41 +0800 Subject: [PATCH 874/900] sepolicy: allow hal_power_stats to read sysfs_display avc: denied { read } for name="available_disp_stats" dev="sysfs" ino=76162 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 317767775 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: I272f69f4c4720eb4800a8a13ef62e1ab34cbaedf Signed-off-by: Darren Hsu --- whitechapel_pro/genfs_contexts | 2 ++ whitechapel_pro/hal_power_stats_default.te | 1 + 2 files changed, 3 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index e024ed17..5873a584 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
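Review bot: `dontaudit kernel vendor_charger_debugfs:dir search;` silences the denial tracked as b/307863370 rather than granting or resolving it, and the bug_map line is dropped in the same change, so the event disappears from both logs and tests at once. That is a reasonable outcome for a kernel-side debugfs lookup that needs no access, but neither the file nor the description says so; a comment such as `# b/307863370: kernel search into charger debugfs is not required, silence it` would keep the decision reviewable. The first context line uses `{ search }` while the rest use bare `search` — harmless, but worth normalising while touching the file.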
@@ -161,12 +161,14 @@ genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.au genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 # Display +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/osc2_clk_khz u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te index 4160fcda..770af5b7 100644 --- a/whitechapel_pro/hal_power_stats_default.te +++ b/whitechapel_pro/hal_power_stats_default.te 
@@ -5,6 +5,7 @@ r_dir_file(hal_power_stats_default, sysfs_aoc) r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) r_dir_file(hal_power_stats_default, sysfs_acpm_stats) r_dir_file(hal_power_stats_default, sysfs_cpu) +r_dir_file(hal_power_stats_default, sysfs_display) r_dir_file(hal_power_stats_default, sysfs_edgetpu) r_dir_file(hal_power_stats_default, sysfs_iio_devices) r_dir_file(hal_power_stats_default, sysfs_leds) From 51d66f9b5849a391fbbeff5aebd2e9262281d232 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 31 Jan 2024 02:58:24 +0000 Subject: [PATCH 875/900] Update SELinux error Test: scanBugreport Bug: 323086890 Test: scanAvcDeniedLogRightAfterReboot Bug: 323086703 Change-Id: Idfe9e28e668b0b268acbaa68ae23083972dd146f --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index bbdb0a74..d8d00242 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -10,4 +10,6 @@ system_suspend sysfs dir b/322035303 system_suspend sysfs dir b/322036333 vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 +vendor_init default_prop file b/323086703 +vendor_init default_prop file b/323086890 vendor_init default_prop property_service b/315104803 From 28c042f51a0ccd460636f0d023e7bfd8abfe2518 Mon Sep 17 00:00:00 2001 From: Jacky Liu Date: Mon, 5 Feb 2024 17:14:27 +0800 Subject: [PATCH 876/900] Update i2c device paths Update i2c device paths with static bus numbers. Bug: 323447554 Test: Boot to home Change-Id: I3d41e1819aa7df896322a0dca44449c1e871dff8 --- whitechapel_pro/genfs_contexts | 257 ++++----------------------------- 1 file changed, 30 insertions(+), 227 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 5873a584..c32a901a 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
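Review bot: Relabelling `time_in_state` from generic `sysfs` to `sysfs_display` alongside `available_disp_stats` changes access for every existing reader of that node: a domain that reached it through a generic `sysfs` read and has no `sysfs_display` rule loses access, and the quoted denial only covers `available_disp_stats`. Worth checking who else reads the display `time_in_state` node before merging (the same node name exists under cpufreq, so grep carefully). The `r_dir_file(hal_power_stats_default, sysfs_display)` line is read-only and consistent with the surrounding entries, but it grants read over every `sysfs_display` node (gamma, min_vrefresh, panel_idle, hs_clock, ...), which is broader than the two stats files; acceptable for a read-only stats HAL, though a comment `# Read display stats nodes (b/317767775)` would state the intent.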
@@ -51,97 +51,18 @@ genfscon sysfs /devices/platform/mali/sscoredump/sscd_mali/report_count
 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0008/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
 
 # Modem
 genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0
 
 # Power ODPM
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
 
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/0-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-1/1-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-2/2-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-3/3-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-4/4-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-5/5-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/6-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/7-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-8/8-001f/s2mpg12-meter/s2mpg12-odpm/wakeup u:object_r:sysfs_wakeup:s0
-
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/9-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
-
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-9/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-0/0-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/1-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-2/2-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-3/3-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-4/4-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-5/5-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-6/6-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/7-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/8-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/iio:device u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/s2mpg13-meter/s2mpg13-odpm/wakeup u:object_r:sysfs_wakeup:s0
 
 # Devfreq current frequency
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
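Review bot: The new lines pin the hsi2c bus numbers (i2c-8, i2c-20, i2c-21 here; i2c-13 and i2c-15 in the hunks at `@@ -240,136 +161,31 @@`, `@@ -389,16 +205,11 @@` and `@@ -483,13 +294,5 @@`) without a comment saying where the static numbering comes from, so the next kernel or devicetree change that renumbers a bus will leave these paths unmatched with nothing in the build to notice. A genfscon prefix that no longer matches leaves the node on the generic sysfs label, which for the wakeup entries surfaces only at runtime as denials of the `system_suspend sysfs dir` kind already parked in bug_map in the previous commit. Suggest one comment at the head of the ODPM block, repeated before the battery block in the next hunk, such as `# hsi2c bus numbers are static (DT aliases); keep in sync with the kernel, b/323447554`, so the coupling is visible to whoever touches either side.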
@@ -240,136 +161,31 @@ genfscon sysfs /devices/platform/10d60000.hsi2c
 genfscon sysfs /devices/pseudo_0/adapter0/host1/target1:0:0/1:0:0:0/block/sde u:object_r:sysfs_devices_block:s0
 
 # P22 battery
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0069/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0057/chg_stats u:object_r:sysfs_pca:s0
 
 # Extcon
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0025/extcon u:object_r:sysfs_extcon:s0
 
 # Haptics
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0
 
 # system suspend wakeup files
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0008/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-2/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-3/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-4/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0025/power_supply/tcpm-source-psy-13-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-003c/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
@@ -389,16 +205,11 @@ genfscon sysfs /devices/platform/19000000.aoc/com.google.chre/wakeup
 genfscon sysfs /devices/platform/19000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-20/20-001f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-21/21-002f/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
@@ -483,13 +294,5 @@ genfscon sysfs /devices/platform/19000000.aoc/notify_timeout_aoc_status u:ob
 # GPS
 genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0
+# WLC
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-003c u:object_r:sysfs_wlc:s0
From 967204e3738a72e4170080ac1c14de5b3767123b Mon Sep 17 00:00:00 2001
From: Lei Ju Date: Sat, 17 Feb 2024 14:46:14 -0800 Subject: [PATCH 877/900] [gs201] Use common settings for Contexthub HAL The change also labeled files under /data/vendor/chre/ to grant required access. Test: compilation Bug: 248615564 Change-Id: Ia96b7a592523e7b5e64acb8cb7ae4f0f1fc3a78b
--- whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 1d71d1df..e528d458 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -1,4 +1,5 @@
 # Data
+type chre_data_file, file_type, data_file_type;
 type rild_vendor_data_file, file_type, data_file_type;
 type vendor_log_file, file_type, data_file_type;
 type vendor_rfsd_log_file, file_type, data_file_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 28a6cc33..f7216f60 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -22,7 +22,6 @@
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
-/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
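Review bot: `type chre_data_file, file_type, data_file_type;` is declared, and the next hunk labels `/data/vendor/chre(/.*)?` with it, but no rule in this commit lets any domain read or write the new type, and the file_contexts hunk below drops the `hal_contexthub_default_exec` label for `android.hardware.contexthub-service.generic` without a visible replacement; both are presumably supplied by the common Contexthub policy the description mentions, which is outside this diff. Worth confirming that the common file_contexts entry matches the same binary path used here, since a service binary that ends up without its `*_exec` label cannot be started in its intended domain. A comment on the new type would save the next reader the same search, e.g. `# Contexthub HAL data under /data/vendor/chre; access rules come from the common Contexthub policy`.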
@@ -194,6 +193,7 @@ /dev/block/platform/14700000\.ufs/by-name/fips u:object_r:fips_block_device:s0 # Data +/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 From 9be1081f00f13b1ce2b5eecec00ff22bfad866af Mon Sep 17 00:00:00 2001 From: Will McVicker Date: Fri, 16 Feb 2024 15:06:19 -0800 Subject: [PATCH 878/900] Update tcpm i2c sepolicy with new device name The new name fixes uninformative kernel wakelock names. Bug: 315190967 Bug: 323447554 Change-Id: I88ecec344fd1eb84c5ca12a6bd3fad38cc40295b --- whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index c32a901a..1b769182 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -182,6 +182,7 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0069/power_supply/dc/w genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0025/power_supply/tcpm-source-psy-13-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 From 4baa59a176f6c4d287871f297b1d6481c8882379 Mon Sep 17 00:00:00 2001 
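Review bot: Nothing in this tree grants any domain access to the new `chre_data_file` label — the type is declared in file.te and `/data/vendor/chre` is labeled here, but the allow rules presumably live in the common Contexthub policy the commit message refers to, so "Test: compilation" does not show the HAL can actually use the directory; a boot with `ls -Z /data/vendor/chre` and a clean `avc:` log after the HAL starts would. On devices upgrading with an existing `/data/vendor/chre`, the directory keeps whatever label it was created with until something relabels it; confirm init's restorecon of `/data/vendor` covers this path or the HAL will be denied on first boot after the update. A one-line comment on the type declaration, `# /data/vendor/chre, used by the Contexthub HAL (rules live in gs-common)`, would tell the next reader where the consumer is.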
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Wed, 21 Feb 2024 13:46:04 +1100 Subject: [PATCH 879/900] Remove persist.bootanim.color property definitions These now belong to the platform policy. Bug: 321088135 Test: build Change-Id: I9d92456d7e790398a79a941738e3290975f7b659 --- private/property_contexts | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 private/property_contexts diff --git a/private/property_contexts b/private/property_contexts deleted file mode 100644 index abcdd419..00000000 --- a/private/property_contexts +++ /dev/null @@ -1,5 +0,0 @@ -# Boot animation dynamic colors -persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int From d9b51a61ce69372c2ed9eea1a3e169a85ee58f2a Mon Sep 17 00:00:00 2001 From: Rubin Xu Date: Fri, 23 Feb 2024 12:12:26 +0000 Subject: [PATCH 880/900] Revert "Remove persist.bootanim.color property definitions" Revert submission 26301396-bootanim_prop Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/quarterdeck/?branch=git_main&target=sdk_goog3_x86_64-trunk_staging-userdebug&lkgb=11487950&lkbb=11488141&fkbb=11488141 Bug: 326521604 Reverted changes: /q/submissionid:26301396-bootanim_prop Change-Id: Ia393a62bd05546f19e326cce013a009ad77c5d52 --- private/property_contexts | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 private/property_contexts diff --git a/private/property_contexts b/private/property_contexts new file mode 100644 index 00000000..abcdd419 --- /dev/null +++ b/private/property_contexts 
@@ -0,0 +1,5 @@ +# Boot animation dynamic colors +persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int From 988131fe3d13606f931bfdd93418f09d0f3f737d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Sun, 25 Feb 2024 23:58:44 +0000 Subject: [PATCH 881/900] Revert^2 "Remove persist.bootanim.color property definitions" d9b51a61ce69372c2ed9eea1a3e169a85ee58f2a Change-Id: I18c3a290947c21a572754eeecd1d5204c2cbe523 --- private/property_contexts | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 private/property_contexts diff --git a/private/property_contexts b/private/property_contexts deleted file mode 100644 index abcdd419..00000000 --- a/private/property_contexts +++ /dev/null @@ -1,5 +0,0 @@ -# Boot animation dynamic colors -persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int From 1e0e9963e3906a56886135c3db8a34dff4db3847 Mon Sep 17 00:00:00 2001 From: Nathan Kulczak Date: Tue, 27 Feb 2024 02:16:45 +0000 Subject: [PATCH 882/900] Remove SELinux exception Remove SELinux dontaudit section after cl to fix race condition was merged. Bug: 306344298 Test: Passed on local and automated SELinuxUncheckedDenialBootTest Change-Id: I5b17c49d47775253491c61e54f1a268fd16081a1 Signed-off-by: Nathan Kulczak --- tracking_denials/hal_vibrator_default.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tracking_denials/hal_vibrator_default.te diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te deleted file mode 100644 index d9199c77..00000000 
--- a/tracking_denials/hal_vibrator_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/306344298 -dontaudit hal_vibrator_default service_manager_type:service_manager find; - From 1c7d8f80f2e8adfd0b44a3a5b9c35e9fcb71ee1e Mon Sep 17 00:00:00 2001 From: Peter Lin Date: Fri, 2 Feb 2024 01:13:39 +0000 Subject: [PATCH 883/900] add dsim wakeup labels Bug: 322035303 Bug: 321733124 test: ls sys/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/wakeup -Z Change-Id: Ifcf73176620f44743a8aa252f8afed85c3af475c --- tracking_denials/bug_map | 2 -- whitechapel_pro/genfs_contexts | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d8d00242..264c8ba6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,8 +6,6 @@ kernel dm_device blk_file b/319403445 kernel tmpfs chr_file b/321731318 rfsd vendor_cbd_prop file b/317734397 surfaceflinger selinuxfs file b/315104594 -system_suspend sysfs dir b/322035303 -system_suspend sysfs dir b/322036333 vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 vendor_init default_prop file b/323086703 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 1b769182..d8e63eb1 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts @@ -219,6 +219,8 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0 #SecureElement genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 
From 9088b1a9be05d70ce6363ec4707b7d1610ba9038 Mon Sep 17 00:00:00 2001 From: Sungtak Lee Date: Mon, 29 Jan 2024 20:55:09 +0000 Subject: [PATCH 884/900] Add AIDL media.c2 into service_contexts Bug: 321808716 Change-Id: Ib2426b1997517b23d1301f3a1a30d9029d129971 --- whitechapel_pro/service_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts index e3ae0e74..0158b562 100644 --- a/whitechapel_pro/service_contexts +++ b/whitechapel_pro/service_contexts @@ -4,3 +4,5 @@ hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_ve vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 rlsservice u:object_r:rls_service:s0 + +android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0 From ece5909d1caeb9d0ffee95bd21cece507d547c9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Fri, 8 Mar 2024 01:38:12 +0000 Subject: [PATCH 885/900] Remove persist.bootanim.color property definitions These now belong to the platform policy. Bug: 321088135 Test: build (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4baa59a176f6c4d287871f297b1d6481c8882379) Merged-In: I9d92456d7e790398a79a941738e3290975f7b659 Change-Id: I9d92456d7e790398a79a941738e3290975f7b659 --- private/property_contexts | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 private/property_contexts diff --git a/private/property_contexts b/private/property_contexts deleted file mode 100644 index abcdd419..00000000 --- a/private/property_contexts +++ /dev/null @@ -1,5 +0,0 @@ -# Boot animation dynamic colors -persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int 
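Review bot: The new `android.hardware.media.c2.IComponentStore/default1` entry carries no comment saying which process serves this second store instance or why it exists, and it is appended after a stray blank line rather than grouped with the other HAL entries. Labeling the name `hal_codec2_service` only decides who may register and find it; the serving domain still needs `add` on that type through the usual hal_codec2 server attribute, which this change does not touch, so confirm on a boot that the store registers rather than trusting the build. Suggest `# Second AIDL Codec2 component store instance (b/321808716)` above the entry.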
From 2747579f1e47e3655db26829e66c01c5f8eb1006 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 13 Mar 2024 09:28:36 +0000 Subject: [PATCH 886/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 329380891 Test: scanBugreport Bug: 329381126 Test: scanAvcDeniedLogRightAfterReboot Bug: 329380363 Change-Id: I604c091a24f3f13f7a354c08c210deeaa9ac9cb1 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 264c8ba6..44035952 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -5,9 +5,12 @@ incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/319403445 kernel tmpfs chr_file b/321731318 rfsd vendor_cbd_prop file b/317734397 +shell sysfs_net file b/329380891 surfaceflinger selinuxfs file b/315104594 vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 vendor_init default_prop file b/323086703 vendor_init default_prop file b/323086890 +vendor_init default_prop file b/329380363 +vendor_init default_prop file b/329381126 vendor_init default_prop property_service b/315104803 From 269f1640d8dfe3e898227989223f2576641244c0 Mon Sep 17 00:00:00 2001 
From: Spade Lee Date: Tue, 19 Mar 2024 07:53:25 +0000 Subject: [PATCH 887/900] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I7ca3804056bbfd8459bac2c029a494767f3ae1a6 Signed-off-by: Spade Lee --- whitechapel_pro/kernel.te | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index d5ed958e..d44eed68 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te 
@@ -8,9 +8,11 @@ allow kernel per_boot_file:file r_file_perms;
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
-dontaudit kernel vendor_battery_debugfs:dir search;
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
-dontaudit kernel vendor_regmap_debugfs:dir search;
-dontaudit kernel vendor_votable_debugfs:dir search;
-dontaudit kernel vendor_usb_debugfs:dir search;
-dontaudit kernel vendor_charger_debugfs:dir search;
+userdebug_or_eng(`
+ allow kernel vendor_battery_debugfs:dir search;
+ allow kernel vendor_regmap_debugfs:dir search;
+ allow kernel vendor_usb_debugfs:dir search;
+ allow kernel vendor_votable_debugfs:dir search;
+ allow kernel vendor_charger_debugfs:dir search;
+ allow kernel vendor_maxfg_debugfs:dir search;
+')
From 596f6ab1998c584fc2a223831f6f59202e9ad4c5 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Thu, 21 Mar 2024 00:31:01 +0000 Subject: [PATCH 888/900] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Change-Id: Ia591a091fe470c2c367b80b8f1ef9eea6002462c Signed-off-by: Spade Lee
---
whitechapel_pro/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
index 15856a17..4002807e 100644
--- a/whitechapel_pro/pixelstats_vendor.te
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -19,6 +19,7 @@ allow pixelstats_vendor fwk_sensor_service:service_manager find;
 # Batery history
 allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;
 # storage smart idle maintenance
 get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);
From 2b9b7cc6888f0b316fb7aecd0e74d40a0aabf451 Mon Sep 17 00:00:00 2001
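Review bot: On user builds this hunk makes the situation worse, not better: the `userdebug_or_eng` wrapper compiles the new `allow` rules out, while the six `dontaudit` rules that previously kept the kworker lookups quiet are deleted unconditionally, so the `permissive=0` denial quoted in the commit message (`comm="kworker/3:1"` on `vendor_maxfg_debugfs`) will still fail there and will now be logged on every occurrence. If these lookups are only meant to succeed on debug builds, keep a build-independent `dontaudit kernel { vendor_battery_debugfs vendor_maxfg_debugfs vendor_regmap_debugfs vendor_votable_debugfs vendor_usb_debugfs vendor_charger_debugfs }:dir search;` next to the conditional allow; if they must succeed on user builds, the allow cannot live inside the macro. A comment stating which kworker paths touch these directories on which builds would explain the asymmetry. The same change is re-applied as PATCH 891 with the same Change-Id.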
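Review bot: The denial quoted in the commit message is for a single node, `logbuffer_maxfg_monitor`, but the added rule grants `r_file_perms` on every character device labeled `logbuffer_device`, which from the name looks like a shared label for all logbuffer nodes on the platform. If that label does cover more than the fuel-gauge buffer, consider whether pixelstats_vendor should be able to read the others, and either narrow the label or document the intent on the rule: `# Fuel-gauge logbuffer (logbuffer_maxfg_monitor) for battery stats reporting`. The same rule is cherry-picked again as PATCH 896.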
From: Hungyen Weng Date: Thu, 21 Mar 2024 17:44:21 +0000 Subject: [PATCH 889/900] Allow modem_svc to access modem files and perfetto Bug: 330730987 Test: Confirmed that modem_svc is able to access token db files in modem partition Test: Confiemed that modem_svc can send traces to perfetto Change-Id: Id50a1fc3b343be9eec834418638c689d8ea56b35
---
whitechapel_pro/modem_svc_sit.te | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 040082e8..5a703c9e 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -20,7 +20,7 @@ allow modem_svc_sit modem_stat_data_file:file create_file_perms;
 allow modem_svc_sit vendor_fw_file:dir search;
 allow modem_svc_sit vendor_fw_file:file r_file_perms;
-allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;
 allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
 allow modem_svc_sit modem_userdata_file:file create_file_perms;
@@ -40,3 +40,12 @@ get_prop(modem_svc_sit, vendor_logger_prop)
 userdebug_or_eng(`
 allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(modem_svc_sit)
+
+# Allow modem_svc_sit to access modem image file/dir
+allow modem_svc_sit modem_img_file:dir r_dir_perms;
+allow modem_svc_sit modem_img_file:file r_file_perms;
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
From 60c66448ef3438a40e7ff5a21cf1cff69b1a7ee9 Mon Sep 17 00:00:00 2001
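Review bot: The first hunk widens `mnt_vendor_file:dir` from `search` to `r_dir_perms`, which lets modem_svc_sit enumerate everything mounted under /mnt/vendor, while the stated goal — reading token db files in the modem partition — is covered by path traversal plus the `modem_img_file` rules added in the second hunk; unless the daemon genuinely lists /mnt/vendor, keep `allow modem_svc_sit mnt_vendor_file:dir search;` and rely on the new `modem_img_file:dir r_dir_perms` for the listing. If directory reads on the mount root really are needed, say why on that line so the wider grant is not quietly tightened back later. The file also ends without a newline after the `lnk_file` rule (`\ No newline at end of file`); add one so the next append does not fuse with this line.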
From: kadirpili Date: Fri, 22 Mar 2024 02:46:30 +0000 Subject: [PATCH 890/900] gs201: telephony property for cbd Bug: 315104803 Change-Id: I2560871e9477a5f8dcd9519b6c60353e89c5df82
---
system_ext/private/pixelntnservice_app.te | 5 +++++ system_ext/private/property_contexts | 1 + system_ext/private/seapp_contexts | 2 ++ system_ext/public/pixelntnservice_app.te | 1 + system_ext/public/property.te | 3 ++- whitechapel_pro/cbd.te | 1 + whitechapel_pro/rfsd.te | 1 + whitechapel_pro/vendor_init.te | 2 ++ 8 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 system_ext/private/pixelntnservice_app.te create mode 100644 system_ext/public/pixelntnservice_app.te
diff --git a/system_ext/private/pixelntnservice_app.te b/system_ext/private/pixelntnservice_app.te
new file mode 100644
index 00000000..8bf71cc9
--- /dev/null
+++ b/system_ext/private/pixelntnservice_app.te
@@ -0,0 +1,5 @@
+typeattribute pixelntnservice_app coredomain;
+
+app_domain(pixelntnservice_app);
+allow pixelntnservice_app app_api_service:service_manager find;
+set_prop(pixelntnservice_app, telephony_modem_prop)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index ffb1793c..4e60110f 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -2,4 +2,5 @@ persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
 # Telephony
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn
 telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 82f4347c..0a2050e2 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
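Review bot: The new domain file has no header comment explaining what this app is, even though it is a system-uid app in `coredomain` that is allowed to set `telephony_modem_prop`, a property this same patch lets `vendor_init` and `cbd` read — so an app-written value flows into vendor init and the modem bring-up daemon, and the `exact enum ntn tn` declaration in property_contexts is the only thing bounding it. Say that at the top of the file, e.g. `# PixelNtnService: selects the TN/NTN modem image via telephony.TnNtn.image_switch (enum-typed; read by vendor_init and cbd).` Also `app_domain(pixelntnservice_app);` carries a trailing `;` that no other macro call in this tree uses (compare `app_domain(ramdump_app)` in the policy removed later in this series); drop it for consistency.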
@@ -8,3 +8,5 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+# PixelNtnService
+user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/pixelntnservice_app.te b/system_ext/public/pixelntnservice_app.te
new file mode 100644
index 00000000..10661b66
--- /dev/null
+++ b/system_ext/public/pixelntnservice_app.te
@@ -0,0 +1 @@
+type pixelntnservice_app, domain;
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
index 823acf59..e194720a 100644
--- a/system_ext/public/property.te
+++ b/system_ext/public/property.te
@@ -3,7 +3,8 @@ system_vendor_config_prop(fingerprint_ghbm_prop)
 # Telephony
 system_public_prop(telephony_ril_prop)
+system_restricted_prop(telephony_modem_prop)
 userdebug_or_eng(`
 set_prop(shell, telephony_ril_prop)
-')
\ No newline at end of file
+')
diff --git a/whitechapel_pro/cbd.te b/whitechapel_pro/cbd.te
index c4cfe7a6..9cb7ee2a 100644
--- a/whitechapel_pro/cbd.te
+++ b/whitechapel_pro/cbd.te
@@ -5,6 +5,7 @@ init_daemon_domain(cbd)
 set_prop(cbd, vendor_modem_prop)
 set_prop(cbd, vendor_cbd_prop)
 set_prop(cbd, vendor_rild_prop)
+get_prop(cbd, telephony_modem_prop)
 # Allow cbd to set gid/uid from too to radio
 allow cbd self:capability { setgid setuid };
diff --git a/whitechapel_pro/rfsd.te b/whitechapel_pro/rfsd.te
index 2d1f0928..b4508328 100644
--- a/whitechapel_pro/rfsd.te
+++ b/whitechapel_pro/rfsd.te
@@ -32,6 +32,7 @@ allow rfsd radio_device:chr_file rw_file_perms;
 # Allow to set rild and modem property
 set_prop(rfsd, vendor_modem_prop)
 set_prop(rfsd, vendor_rild_prop)
+set_prop(cbd, vendor_cbd_prop)
 # Allow rfsd to access modem image file/dir
 allow rfsd modem_img_file:dir r_dir_perms;
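Review bot: The new seapp_contexts entry pairs `user=system` with `type=app_data_file`, whereas the other system-uid entries in this tree (`com.google.SSRestartDetector` and `com.google.android.CatEngine` in whitechapel_pro/seapp_contexts, visible in PATCH 892) use `type=system_app_data_file`. Unless the app's data directory is deliberately meant to carry the ordinary-app label, change the entry to `user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=system_app_data_file levelFrom=all` so its files are not reachable under rules written for untrusted app data. If `app_data_file` is intentional, extend the `# PixelNtnService` comment with the reason.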
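Review bot: The line added to rfsd.te, `set_prop(cbd, vendor_cbd_prop)`, grants the permission to `cbd`, not to `rfsd`, under a comment that says it lets rfsd set rild and modem properties; cbd already has the identical rule in cbd.te (visible as context in this same patch), so the new line is a no-op duplicate and the rfsd denial it presumably meant to address (`rfsd vendor_cbd_prop file b/317734397` in tracking_denials/bug_map) stays open. If rfsd is the intended writer the line should read `set_prop(rfsd, vendor_cbd_prop)`; if it is not, the line should be dropped. The commit's Bug trailer (315104803) is the `vendor_init default_prop` tracking bug rather than the rfsd one, so the intent is worth confirming with the author before fixing it either way.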
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index c8acdbb5..7ee3c95b 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -11,6 +11,8 @@ set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, logpersistd_logging_prop) set_prop(vendor_init, vendor_logger_prop) +get_prop(vendor_init, telephony_modem_prop) + allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file w_file_perms; From 17ab68a5ac296847c0c442dc28559a4001d4c2a8 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Tue, 19 Mar 2024 07:53:25 +0000 Subject: [PATCH 891/900] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I7ca3804056bbfd8459bac2c029a494767f3ae1a6 Signed-off-by: Spade Lee --- whitechapel_pro/kernel.te | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te index d5ed958e..d44eed68 100644 --- a/whitechapel_pro/kernel.te +++ b/whitechapel_pro/kernel.te 
@@ -8,9 +8,11 @@ allow kernel per_boot_file:file r_file_perms; allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; -dontaudit kernel vendor_battery_debugfs:dir search; -dontaudit kernel vendor_maxfg_debugfs:dir { search }; -dontaudit kernel vendor_regmap_debugfs:dir search; -dontaudit kernel vendor_votable_debugfs:dir search; -dontaudit kernel vendor_usb_debugfs:dir search; -dontaudit kernel vendor_charger_debugfs:dir search; +userdebug_or_eng(` + allow kernel vendor_battery_debugfs:dir search; + allow kernel vendor_regmap_debugfs:dir search; + allow kernel vendor_usb_debugfs:dir search; + allow kernel vendor_votable_debugfs:dir search; + allow kernel vendor_charger_debugfs:dir search; + allow kernel vendor_maxfg_debugfs:dir search; +') From 66254ad14d1401cb3992b64352efa5c243203bc3 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Thu, 14 Mar 2024 15:22:11 +0800 Subject: [PATCH 892/900] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual Change-Id: I57f9b8b77aa070ad2216cae1e84630a26a03618d --- whitechapel_pro/ramdump_app.te | 24 ------------------------ whitechapel_pro/seapp_contexts | 6 ------ whitechapel_pro/ssr_detector.te | 26 -------------------------- 3 files changed, 56 deletions(-) delete mode 100644 whitechapel_pro/ramdump_app.te delete mode 100644 whitechapel_pro/ssr_detector.te diff --git a/whitechapel_pro/ramdump_app.te b/whitechapel_pro/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 --- a/whitechapel_pro/ramdump_app.te +++ /dev/null 
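Review bot: This is the same change as PATCH 887 (identical Change-Id I7ca3804056bbfd8459bac2c029a494767f3ae1a6) and carries the same problem: on user builds the `userdebug_or_eng` block is compiled out while the six `dontaudit` rules are removed unconditionally, so the `permissive=0` kworker denial from the commit message returns and is now audited. Keep a build-independent `dontaudit kernel { vendor_battery_debugfs vendor_maxfg_debugfs vendor_regmap_debugfs vendor_votable_debugfs vendor_usb_debugfs vendor_charger_debugfs }:dir search;` alongside the conditional allow, or move the allow out of the macro if the lookups must succeed on user builds.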
@@ -1,24 +0,0 @@ -type ramdump_app, domain; - -userdebug_or_eng(` - app_domain(ramdump_app) - - allow ramdump_app app_api_service:service_manager find; - - allow ramdump_app ramdump_vendor_data_file:file create_file_perms; - allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; - - set_prop(ramdump_app, vendor_ramdump_prop) - get_prop(ramdump_app, system_boot_reason_prop) - - # To access ramdumpfs. - allow ramdump_app mnt_vendor_file:dir search; - allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; - allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; - - # To access subsystem ramdump files and dirs. - allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms; -') diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index eda8c10c..271e8574 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -18,9 +18,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma # Samsung S.LSI engineer mode user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all -# coredump/ramdump -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user 
@@ -40,9 +37,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type= # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# Sub System Ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user - # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te deleted file mode 100644 index a93d5bdb..00000000 --- a/whitechapel_pro/ssr_detector.te +++ /dev/null @@ -1,26 +0,0 @@ -type ssr_detector_app, domain; - -app_domain(ssr_detector_app) -allow ssr_detector_app app_api_service:service_manager find; -allow ssr_detector_app radio_service:service_manager find; - -allow ssr_detector_app system_app_data_file:dir create_dir_perms; -allow ssr_detector_app system_app_data_file:file create_file_perms; - -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; -userdebug_or_eng(` - allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - get_prop(ssr_detector_app, vendor_aoc_prop) - set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop) - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app proc_vendor_sched:dir search; - allow ssr_detector_app proc_vendor_sched:file rw_file_perms; - allow ssr_detector_app cgroup:file write; - allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans; -') - -get_prop(ssr_detector_app, vendor_ssrdump_prop) -get_prop(ssr_detector_app, vendor_wifi_version) 
From db99d33eb7fabc26c095d961b900b910184ab377 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 11 Apr 2024 22:29:08 +0000 Subject: [PATCH 893/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 329380891 Test: scanBugreport Bug: 329381126 Test: scanAvcDeniedLogRightAfterReboot Bug: 329380363 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f8de02b7c75ddc3fa0a5873b3b36128cde15d6f) Merged-In: I604c091a24f3f13f7a354c08c210deeaa9ac9cb1 Change-Id: I604c091a24f3f13f7a354c08c210deeaa9ac9cb1 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 39726296..6fd47615 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -5,7 +5,10 @@ incidentd incidentd anon_inode b/282626428 kernel vendor_charger_debugfs dir b/307863370 rild default_prop file b/315720727 rild default_prop file b/315721328 +shell sysfs_net file b/329380891 surfaceflinger selinuxfs file b/315104594 vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 +vendor_init default_prop file b/329380363 +vendor_init default_prop file b/329381126 vendor_init default_prop property_service b/315104803 From 768c83d78ca761e808e30f5655f3850dbae06616 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 13 Mar 2024 09:28:36 +0000 Subject: [PATCH 894/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 329380891 Test: scanBugreport Bug: 329381126 Test: scanAvcDeniedLogRightAfterReboot Bug: 329380363 Merged-In: I604c091a24f3f13f7a354c08c210deeaa9ac9cb1 Change-Id: I604c091a24f3f13f7a354c08c210deeaa9ac9cb1 From b826a9bf8e1e6fcebe76deadcb52e8b654d7b5e5 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Tue, 23 Apr 2024 06:52:49 +0000 Subject: [PATCH 895/900] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 336451433 Bug: 336451874 Bug: 336451113 Bug: 336451787 Change-Id: I5124448d8e35615da861011235a45ce890297564 --- tracking_denials/bug_map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 44035952..75fe53cf 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,12 +1,16 @@ hal_face_default traced_producer_socket sock_file b/305600808 hal_power_default hal_power_default capability b/237492146 +hal_sensors_default sysfs file b/336451433 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +insmod-sh insmod-sh key b/336451874 kernel dm_device blk_file b/319403445 +kernel kernel capability b/336451113 kernel tmpfs chr_file b/321731318 rfsd vendor_cbd_prop file b/317734397 shell sysfs_net file b/329380891 surfaceflinger selinuxfs file b/315104594 +vendor_init debugfs_trace_marker file b/336451787 vendor_init default_prop file b/315104479 vendor_init default_prop file b/315104803 vendor_init default_prop file b/323086703 From 9a131d961bc77a17d2ad308df17f33be72b0313d Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Thu, 21 Mar 2024 00:31:01 +0000 Subject: [PATCH 896/900] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Signed-off-by: Spade Lee (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:596f6ab1998c584fc2a223831f6f59202e9ad4c5) Merged-In: Ia591a091fe470c2c367b80b8f1ef9eea6002462c Change-Id: Ia591a091fe470c2c367b80b8f1ef9eea6002462c --- whitechapel_pro/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te index 15856a17..4002807e 100644 --- a/whitechapel_pro/pixelstats_vendor.te +++ b/whitechapel_pro/pixelstats_vendor.te @@ -19,6 +19,7 @@ allow pixelstats_vendor fwk_sensor_service:service_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +allow pixelstats_vendor logbuffer_device:chr_file r_file_perms; # storage smart idle maintenance get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop); From ceab5d174064639b1b5ba9778e0d2b166be8cc39 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Thu, 14 Mar 2024 15:22:11 +0800 Subject: [PATCH 897/900] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:66254ad14d1401cb3992b64352efa5c243203bc3) Merged-In: I57f9b8b77aa070ad2216cae1e84630a26a03618d Change-Id: I57f9b8b77aa070ad2216cae1e84630a26a03618d --- whitechapel_pro/ramdump_app.te | 24 ------------------------ whitechapel_pro/seapp_contexts | 6 ------ whitechapel_pro/ssr_detector.te | 26 -------------------------- 3 files changed, 56 deletions(-) delete mode 100644 whitechapel_pro/ramdump_app.te delete mode 100644 whitechapel_pro/ssr_detector.te diff --git a/whitechapel_pro/ramdump_app.te b/whitechapel_pro/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 --- a/whitechapel_pro/ramdump_app.te +++ /dev/null 
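Review bot: This cherry-pick (same Change-Id Ia591a091fe470c2c367b80b8f1ef9eea6002462c as PATCH 888) carries the same breadth question: the denial was for the single node `logbuffer_maxfg_monitor`, but `r_file_perms` is granted on every `logbuffer_device` character device. Confirm that label is not shared with logbuffers pixelstats_vendor should not read, and add a comment naming the intended node, e.g. `# Fuel-gauge logbuffer (logbuffer_maxfg_monitor) for battery stats reporting`.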
@@ -1,24 +0,0 @@
-type ramdump_app, domain;
-
-userdebug_or_eng(`
- app_domain(ramdump_app)
-
- allow ramdump_app app_api_service:service_manager find;
-
- allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
- allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
-
- set_prop(ramdump_app, vendor_ramdump_prop)
- get_prop(ramdump_app, system_boot_reason_prop)
-
- # To access ramdumpfs.
- allow ramdump_app mnt_vendor_file:dir search;
- allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
- allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
-
- # To access subsystem ramdump files and dirs.
- allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
- allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
- allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
- allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
-')
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index eda8c10c..271e8574 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -18,9 +18,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma
 # Samsung S.LSI engineer mode
 user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
-# coredump/ramdump
-user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-
 # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
 user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
@@ -40,9 +37,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
-# Sub System Ramdump
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
-
 # Domain for CatEngineService
 user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
deleted file mode 100644
index a93d5bdb..00000000
--- a/whitechapel_pro/ssr_detector.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type ssr_detector_app, domain;
-
-app_domain(ssr_detector_app)
-allow ssr_detector_app app_api_service:service_manager find;
-allow ssr_detector_app radio_service:service_manager find;
-
-allow ssr_detector_app system_app_data_file:dir create_dir_perms;
-allow ssr_detector_app system_app_data_file:file create_file_perms;
-
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
-allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
-userdebug_or_eng(`
- allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
- allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
- get_prop(ssr_detector_app, vendor_aoc_prop)
- set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)
- allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
- allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
- allow ssr_detector_app proc_vendor_sched:dir search;
- allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
- allow ssr_detector_app cgroup:file write;
- allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;
-')
-
-get_prop(ssr_detector_app, vendor_ssrdump_prop)
-get_prop(ssr_detector_app, vendor_wifi_version)
From 5a1bb0df6eb80c38b929cc1f86af0a1d22be7efb Mon Sep 17 00:00:00 2001
From: chenkris
Date: Wed, 20 Mar 2024 10:29:38 +0000
Subject: [PATCH 898/900] Allow fingerprint to access the folder /data/vendor/fingerprint
Fix the following avc denial: android.hardwar: type=1400 audit(0.0:20): avc: denied { write } for name="fingerprint" dev="dm-56" ino=36703 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0
Bug: 267766859
Test: Tested fingerprint under enforcing mode
Change-Id: I11c465fe89fcbfa7d9132ccee1c7666d1cd75a24
---
 whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index f7216f60..4bed0472 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -208,6 +208,7 @@
 /dev/maxfg_history u:object_r:battery_history_device:s0
 /dev/battery_history u:object_r:battery_history_device:s0
 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
+/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0
 # Persist
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
From d1fe9f8f80193e8c006fbbec1727b638dadf3be6 Mon Sep 17 00:00:00 2001
From: Ken Yang
Date: Tue, 14 May 2024 05:14:55 +0000
Subject: [PATCH 899/900] SELinux: fix avc denials
Bug: 338332877
Change-Id: I5fb0a73cdc0d276ec14e55906c9bbd9c6875c786
Signed-off-by: Ken Yang
---
 whitechapel_pro/hal_health_default.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index 805b707d..8dc2b599 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
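Review bot: The new `/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0` entry is only applied when init creates the path or the tree is relabelled, so on an upgraded device a `/data/vendor/fingerprint` directory that already exists keeps the `vendor_data_file` label from the quoted denial until something restorecons it; the "Tested fingerprint under enforcing mode" line should say whether an upgrade path was covered, not only a clean flash. The diffstat shows only file_contexts changing, so the `fingerprint_vendor_data_file` type declaration and the rules that let hal_fingerprint_default create and write under it must already exist elsewhere (presumably in the shared gs-common policy, since the neighbouring commits move policy there); the commit message should name where, because neither is visible in this change.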
@@ -19,3 +19,4 @@ allow hal_health_default sysfs_thermal:dir search;
 allow hal_health_default sysfs_thermal:file w_file_perms;
 allow hal_health_default thermal_link_device:dir search;
 allow hal_health_default sysfs_wlc:file r_file_perms;
+dontaudit hal_health_default sysfs_touch:dir *;
From 9d3f39622cb16759c3f555cb6cf32ee323a4ed2c Mon Sep 17 00:00:00 2001
From: Chaitanya Cheemala
Date: Tue, 14 May 2024 15:07:58 +0000
Subject: [PATCH 900/900] Revert "SELinux: fix avc denials"
This reverts commit d1fe9f8f80193e8c006fbbec1727b638dadf3be6.
Reason for revert: Likely culprit for b/340511525 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Change-Id: I65790202886298f9862d68d65cf794e67db5a878
---
 whitechapel_pro/hal_health_default.te | 1 -
 1 file changed, 1 deletion(-)
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
index 8dc2b599..805b707d 100644
--- a/whitechapel_pro/hal_health_default.te
+++ b/whitechapel_pro/hal_health_default.te
@@ -19,4 +19,3 @@ allow hal_health_default sysfs_thermal:dir search;
 allow hal_health_default sysfs_thermal:file w_file_perms;
 allow hal_health_default thermal_link_device:dir search;
 allow hal_health_default sysfs_wlc:file r_file_perms;
-dontaudit hal_health_default sysfs_touch:dir *;
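Review bot: `dontaudit hal_health_default sysfs_touch:dir *;` silences every directory permission on sysfs_touch (search, read, write, add_name, and so on), not just the one that was denied, so a later, genuinely wrong access by the health HAL to the touch sysfs tree would vanish from the audit log along with the noise this is meant to hide. The commit message gives neither the avc line nor why the health HAL walks `sysfs_touch`; narrow the rule to the reported permission, for example `dontaudit hal_health_default sysfs_touch:dir search;`, and put a one-line comment above it naming the access being silenced and the bug. This line is removed again by the revert in patch 900/900, so the narrower form is what should land if the change is re-submitted.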