Evolution-X-Tensor/device_google_gs201
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
466 commits 1 branch 0 tags 63 MiB
Commit graph

466 commits

This branch
This branch
All branches
Author SHA1 Message Date
Adam Shih
bedd866505 reject mnt_vendor_file access in user ROM 
Bug: 224429437
Test: android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I318f11866f7b9c6cc0b7ecf151f789f35ab290cd
 2022-03-16 14:08:09 +08:00
Denny cy Lee
38c2803c54 Sepolicy: add pixelstats/HardwareInfo sepolicy 
avc denials to fix (after apply ag/17120763)
[   50.171564] type=1400 audit(1647222380.884:28): avc: denied { read } for comm="pixelstats-vend" name="battery_history" dev="tmpfs" ino=639 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0
[   54.519375] type=1400 audit(1647222385.228:29): avc: denied { read } for comm="id.hardwareinfo" name="battery_history" dev="tmpfs" ino=639 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 app=com.google.android.hardwareinfo

Bug: 222019890
Test: manually check debug logcat
Change-Id: I0e4f3f3a66783383b0d1327cec4dcd145ae9a7af
 2022-03-15 03:09:18 +00:00
Darren Hsu
6d25430600 sepolicy: reorder genfs labels for system suspend 
Bug: 223683748
Test: check bugreport without relevant avc denials
Change-Id: I295d3dfb96cc87e8faaf16f949918445cc3a0d44
Signed-off-by: Darren Hsu <darrenhsu@google.com>
 2022-03-15 02:52:48 +00:00
Roshan Pius
c5710ad18e gs-sepolicy(uwb): Changes for new UCI stack 
1. Rename uwb vendor app.
2. Rename uwb vendor HAL binary name & service name.
3. Allow vendor HAL to host the AOSP UWB HAL service.
4. Allow NFC HAL to access uwb calibration files.

Bug: 186585880
Bug: 204718220
Bug: 206045367
Test: Manual Tests
Change-Id: Ib0456617d0f5cf116d11a9412f47f36e2b8df570
 2022-03-14 16:09:02 +00:00
Roshan Pius
5ddc8be4f4 gs-sepolicy(uwb): Allow uwb hal permission to net_admin 
This was alloed under gs101-sepolicy. There is an ongoing discussion on
how to resolve this for the long term in b/190461440. But, without this
uwb functionality is broken on new devices.

Bug: 206045367
Bug: 222194886
Change-Id: I6729352f2b7bb93b01990a790e62aa69f60342fe
 2022-03-14 16:09:02 +00:00
Tim Lin
e42c7120dd ril: dump radio hal from user build. 
To get radio hal debug info on user build as we do on previous Pixels.

Bug: 221391981
Test: Trigger bugreport on USERDEBUG with dumpstate.unroot set
to true and check IRadio log

Change-Id: I354d5770272b518761db4aab8da726de97e472bb
 2022-03-14 10:49:07 +00:00
Chungjui Fan
e02f501377 sepolicy: allow fastbootd to access gsc device node 
audit: type=1400 audit(1646614793.912:8): avc:  denied  { getattr }
for pid=347 comm="fastbootd" path="/dev/gsc0" dev="tmpfs" ino=469
scontext=u:r:fastbootd:s0 tcontext=u:object_r:citadel_device:s0
tclass=chr_file permissive=0

Bug: 221410358
Test: fastboot -w in fastbootd mode
Change-Id: I5680515865c2656ffa91dfe593459aab1ade81cb
Signed-off-by: Chungjui Fan <chungjuifan@google.com>
 2022-03-14 04:47:31 +00:00
Ramji Jiyani
cec1d2a769 dumpstate: Remove do not audit for /system_dlkm 
FixedBy: http://aosp/2022375
Bug: 223332748
Test: atest SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I46e427cccec27118fad4440dc6822196d26f4a1b
 2022-03-13 18:32:07 -07:00
Taeju Park
dc99069f1e Allow accessing power_policy sysfs node for GPU 
Bug: 223440487
Signed-off-by: Taeju Park <taeju@google.com>
Change-Id: Iae2e4a0dc8d474d04200e79b4b4014010eedb147
 2022-03-10 10:03:59 +00:00
Darren Hsu
ab8e1fdc58 sepolicy: label wakeup source for usbc port 
Bug: 223475365
Test: run vts -m SuspendSepolicyTests
Change-Id: I2116c5f4fd19c5995f1612d593532cc7e065a560
Signed-off-by: Darren Hsu <darrenhsu@google.com>
 2022-03-10 11:29:15 +08:00
Adam Shih
e989d0087a Remove obsolete sepolicy 
Bug: 207300335
Test: do bugreport without relevant error log showing up
Change-Id: I38e4544c59c49543e746775ec686874ee8ae2473
 2022-03-09 08:14:24 +00:00
Darren Hsu
284b775f21 sepolicy: fix VTS failure for SuspendSepolicyTests 
Label the common parent wakeup path instead of each
individual wakeup source to avoid bloating the genfs
contexts.

Bug: 221174227
Test: run vts -m SuspendSepolicyTests
Change-Id: I38e3a349af04f83e63735ea7ca010cf634c2f1ab
 2022-03-09 05:29:09 +00:00
SalmaxChang
1f72ffdec6 incident: Fix avc errors 
avc: denied { use } for comm="incident" dev="dm-47" ino=10911 scontext=u:r:incident:s0 tcontext=u:r:logger_app:s0:c239,c256,c512,c768 tclass=fd
avc: denied { append } for dev="dm-7" ino=12639 scontext=u:r:incident:s0 tcontext=u:object_r:media_rw_data_file:s0:c30,c257,c512,c768 tclass=file

Bug: 222209243
Change-Id: I9e622e2af1a036eab818cd2b66c07b137fe9cc99
 2022-03-09 04:55:08 +00:00
sukiliu
b82a5ab98b Update avc error on ROM 8268341 
Bug: 223332748
Bug: 208721808
Test: PtsSELinuxTestCases
Change-Id: Ie3c6fdb9c8f29cac41db2750e71d3163132d4951
 2022-03-09 04:25:38 +00:00
Michael Eastwood
07bf62c387 Update SELinux policy to allow camera HAL to send Perfetto trace packets 
Example denials:

03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:31): avc: denied { use } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:r:tr
aced:s0 tclass=fd permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:32): avc: denied { read write } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext
=u:object_r:traced_tmpfs:s0 tclass=file permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:33): avc: denied { getattr } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:
object_r:traced_tmpfs:s0 tclass=file permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:34): avc: denied { map } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Bug: 222684359
Test: Build and push new SELinux policy. Verify that trace packets are received by Perfetto.
Change-Id: I443e84c5bcc701c1c983db19280719655ff02080
 2022-03-09 01:29:20 +00:00
SalmaxChang
db1196932e dumpstate: Grant to access media_rw_data_file 
avc: denied { append } for comm="binder:1426_9" dev="dm-43" ino=15392 scontext=u:r:dumpstate:s0 tcontext=u:object_r:media_rw_data_file:s0:c232,c256,c512,c768 tclass=file permissive=0

Bug: 222209243
Change-Id: I38efe11117c15f99ad1bce54cafbd0f3b038eff2
 2022-03-08 04:57:26 +00:00
Adam Shih
47b4ca882d init: change overlayfs_file rule to dontaudit 
Workaround for modem_img being unlabeled after disable-verity.

Bug: 193113005
Bug: 221384981
Test: remount with no avc error
Change-Id: Ie2479470c095f4ee2a9508714565b1088a8d7dce
 2022-03-07 21:39:11 +00:00
Ruofei Ma
67e8f968b2 Allow mediacodec_google to access secure dma heap 
The change is for following error:
HwBinder:867_1: type=1400 audit(0.0:9): avc: denied { read } for
name="vframe-secure" dev="tmpfs" ino=425 scontext=u:r:mediacodec_google:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0
tclass=chr_file permissive=0

Bug:221500257

Change-Id: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009
(cherry picked from commit e239561061)
Merged-In: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009
 2022-03-07 19:13:35 +00:00
Ray Chi
455c3c1653 Allow hal_usb_gadget_impl to access proc_irq 
Bug: 220996010
Test: build pass
Change-Id: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891
 2022-03-07 11:18:28 +08:00
Tommy Chiu
94995cd0d3 sepolicy: add permissions to let recovery wipe citadel 
This gives recovery the ability to remove user data from citadel in the
same manner as issuing a `fastboot -w` does.  This doesn't allow for
resetting FRP data, just user data.

audit: type=1400 audit(1646379959.016:9): avc:  denied  { getattr } for
  pid=348 comm="recovery" path="/dev/gsc0" dev="tmpfs" ino=754
  scontext=u:r:recovery:s0 tcontext=u:object_r:citadel_device:s0
  tclass=chr_file permissive=0

Bug: 222005928
Change-Id: Ia6113999aecacbbbb31d7a8659a45c0e5a0db2c9
 2022-03-07 00:24:55 +00:00
Tri Vo
9fe6aa97af Don't audit storageproxyd unlabeled access 
Test: m sepolicy
Bug: 197502330
Change-Id: Ibe7292dc659dd454d3c842f6c48d2d90bc77117d
 2022-03-04 17:45:38 +00:00
Adam Shih
9ba4c9120d remove obsolete code after SELinux is enforced 
Bug: 207720645
Bug: 208527900
Bug: 208721673
Bug: 205072922
Test: boot with no relevant errors
Change-Id: I68931cc24c55beea52c246a06f268ea2be7d1ecf
 2022-03-04 08:47:59 +00:00
Midas Chien
bef935f43d Allow composer to read panel_idle_handle_exit sysfs node 
Change panel_idle_exit_handle selinux type to sysfs_display to allow
composer to access it.

Bug: 202182467
Test: ls -Z to check selinux type
Test: composer can access it in enforce mode
Change-Id: I5e6c5036a946417c782f1389f4423cce69c4df77
 2022-03-04 06:55:04 +00:00
millerliang
801b87fe71 Fix AAudio avc denied 
I auditd  : type=1400 audit(0.0:35): avc:
denied { map } for comm="binder:896_4" path="/dev/snd/pcmC0D0p"
dev="tmpfs" ino=1138 scontext=u:r:audioserver:s0
tcontext=u:object_r:audio_device:s0 tclass=chr_file permissive=0

E SELinux : avc:  denied  { find } for pid=887 uid=1041 name=audio
scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_service:s0
tclass=service_manager permissive=0

Bug: 222191260
Test: Flash TH ROM and test it by the following command
Test: test_steal_exclusive -c0

Signed-off-by: millerliang <millerliang@google.com>
Change-Id: I8ea6741f3682b568de089d040d511b68938374ab
 2022-03-04 06:14:55 +00:00
Adam Shih
1616b97465 grant bugreport access to camera debug system property 
Bug: 221384770
Test: do bugreport without seeing relevant error
Change-Id: Ie27ac5f2c6e13ec31ccec2adb11762dacab1fbdf
 2022-03-04 05:58:20 +00:00
Jack Yu
450f61d51b Allow platform_app to access Nfc service 
Fix selinux denial below.
avc:  denied  { find } for pid=11183 uid=10224 name=nfc
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:nfc_service:s0 tclass=service_manager
permissive=0

Bug: 222387662
Test: build pass
Change-Id: If97d8141acab23b4e13ea65ce28589195ef7ad9e
 2022-03-04 02:46:29 +00:00
Jinting Lin
c3612c7097 Allow modem diagnostic app to access default prop 
log:
avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=154 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.google.mds

Bug: 222509956
Change-Id: I50302b38f074e3f1a078ee48896154353e0937b6
 2022-03-04 01:35:39 +00:00
Devin Moore
ac44b340d3 Add the init_boot partition sepolicy 
Tagging the partition as a boot_block_device so everything that had
permission to read/write to the boot partition now also has permissions
for this new init_boot partition.

This is required for update_engine to be able to write to init_boot on
builds that are enforcing sepolicy.

Bug: 222052598
Test: adb shell setenforce 1 && update_device.py ota.zip

Merged-In: Ic991fa314c8a6fdb848199a626852a68a57d1df5
Change-Id: Ic991fa314c8a6fdb848199a626852a68a57d1df5
 2022-03-03 20:01:09 +00:00
Robb Glasser
990294708f Add hal_graphics_composer_default to sensors sepolicy. 
Bug: 221396170
Test: No avc denial.

Change-Id: I23299524dec50d8c589c6acc9da8b3c8c3399f97
 2022-03-03 18:42:58 +00:00
Nishok Kumar S
e95f5edafe Allow camera HAL and GCA to access Aurora GXP device. 
The camera HAL and Google Camera App
need selinux permission to run workloads on Aurora DSP. This
change adds the selinux rules too allow these clients to
access the GXP device and load firmware onto DSP cores
in order to execute workloads on DSP.

Bug: 220086991
Test: Verified that the camera HAL service and GCA app is able to access the GXP device and load GXP firmware.
Change-Id: I1bd327cfbe5b37c88154acda54bf6c396e939289
 2022-03-03 04:02:33 +00:00
Robert Lee
129ef29bc8 Fix selinux error for aocd 
allow write permission to fix following error
auditd  : type=1400 audit(0.0:4): avc: denied { write } for comm="aocd" name="aoc" dev="tmpfs" ino=497 scontext=u:r:aocd:s0 tcontext=u:object_r:aoc_device:s0 tclass=chr_file permissive=0

Bug: 198490099
Test: no avc deny when enable no_ap_restart
Change-Id: I06dc99f1a5859589b33f89ce435745d15e2e5749
Signed-off-by: Robert Lee <lerobert@google.com>
 2022-03-03 02:22:53 +00:00
Siddharth Kapoor
2d43200489 Add libgpudataproducer as sphal 
Bug: 222042714
Test: CtsGpuProfilingDataTestCases passes on User build

Signed-off-by: Siddharth Kapoor <ksiddharth@google.com>
Change-Id: I1997f3e66327486f15b1aa742aa8e82855b07e05
 2022-03-03 01:08:52 +00:00
Jinting Lin
94d7f6cce6 Fix avc denied for slsi engineermode app 
log:
avc: denied  { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:platform_app:s0:c512,c768 pid=5111 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0
avc: denied { call } for comm="si.engineermode" scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=0 app=com.samsung.slsi.engineermode
avc: denied { call } for comm="HwBinder:1016_1" scontext=u:r:rild:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=binder permissive=0
avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=154 scontext=u:r:vendor_engineermode_app:s0:c225,c256,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.samsung.slsi.engineermode

Test: side load the trail build sepolicy, then check the app

Bug: 221482792
Change-Id: I84768ed128a2b8c57d6a3e0a0f0aa8c4d4b91857
 2022-03-03 01:01:08 +00:00
sukiliu
b1c5fcff3d update error on ROM 8223177 
Bug: 221384981
Bug: 221384939
Bug: 221384996
Bug: 221384768
Bug: 221384770
Bug: 221384860
Test: PtsSELinuxTestCases
Change-Id: I50916dca7548bce0e77d90a36ad8f9ba1ca7c711
 2022-03-02 06:30:05 +00:00
Roshan Pius
a1f0d2aa9a gs-sepolicy: Fix legacy UWB stack sepolicy rules 
This rule was present on previous devices.

Denial logs:
02-24 09:22:08.214   427   427 E SELinux : avc:  denied  { find } for
pid=1479 uid=1000 name=uwb_vendor scontext=u:r:system_server:s0
tcontext=u:object_r:uwb_vendor_service:s0 tclass=service_manager permissive=0

Bug: 221292100
Test: Compiles
Change-Id: I6de4000a9cebf46a0d94032aade7b2d40b94ca16
 2022-03-01 18:25:00 +00:00
Tommy Chiu
b7790aa7a8 RKP: Add IRemotelyProvisionedComponent service 
Bug: 212643050
Bug: 221503025
Change-Id: I7932ba96d0d7dd603d360cd7319997a7c108500a
 2022-03-01 06:10:23 +00:00
Badhri Jagan Sridharan
fc08341bd6 android.hardware.usb.IUsb AIDL migration 
Cherry-pick of <775523d1eb>

android.hardware.usb.IUsb is migrated to AIDL and runs in
its own process. android.hardware.usb.gadget.IUsbGadget
is now published in its own exclusive process
(android.hardware.usb.gadget-service). Creating
file_context and moving the selinux linux rules
for IUsbGadget implementation.

[   37.177042] type=1400 audit(1645536157.528:3): avc: denied { wake_alarm } for comm="android.hardwar" capability=35 scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_usb_impl:s0 tclass=capability2 permissive=1
[   37.177139] type=1400 audit(1645536157.528:4): avc: denied { block_suspend } for comm="android.hardwar" capability=36 scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_usb_impl:s0 tclass=capability2 permissive=1
[   39.936357] type=1400 audit(1645536160.292:5): avc: denied { call } for comm="HwBinder:875_1" scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1
[   39.936403] type=1400 audit(1645536160.292:6): avc: denied { transfer } for comm="HwBinder:875_1" scontext=u:r:hal_usb_impl:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1
...
[   42.845054] type=1400 audit(1645550991.268:8): avc: denied { read } for comm="HwBinder:860_1" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1
[   42.877781] type=1400 audit(1645550991.268:9): avc: denied { open } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1
[   42.915532] type=1400 audit(1645550991.268:10): avc: denied { getattr } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1
[   42.962130] type=1400 audit(1645550991.268:11): avc: denied { map } for comm="HwBinder:860_1" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=351 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1
[   43.003097] type=1400 audit(1645550991.268:12): avc: denied { watch watch_reads } for comm="HwBinder:860_1" path="/dev/usb-ffs/adb" dev="functionfs" ino=40814 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
[   43.024529] type=1400 audit(1645550991.268:13): avc: denied { write } for comm="HwBinder:860_1" name="property_service" dev="tmpfs" ino=376 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1
[   43.057605] type=1400 audit(1645550991.268:14): avc: denied { connectto } for comm="HwBinder:860_1" path="/dev/socket/property_service" scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
[   43.084549] type=1107 audit(1645550991.268:15): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.usb.dwc3_irq pid=860 uid=0 gid=0 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=property_service permissive=1'

Bug: 200993386
Change-Id: Ia8c24610244856490c8271433710afb57d3da157
Merged-In: Ia8c24610244856490c8271433710afb57d3da157
 2022-03-01 03:32:23 +00:00
YiHo Cheng
be92764669 thermal: Label tmu register dump sysfs 
Allow dumpstate to access tmu register dump sysfs

[  174.114566] type=1400 audit(1645790696.920:13): avc: denied { read }
for comm="dumpstate@1.1-s" name="tmu_reg_dump_state" dev="sysfs"
ino=65178
 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0
 tclass=file permissive=0
 [  174.115092] type=1400 audit(1645790696.920:14): avc: denied { read }
 for comm="dumpstate@1.1-s" name="tmu_reg_dump_current_temp" dev="sysfs"
 in
 o=65179 scontext=u:r:hal_dumpstate_default:s0
 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
 [  174.115208] type=1400 audit(1645790696.920:15): avc: denied { read }
 for comm="dumpstate@1.1-s" name="tmu_top_reg_dump_rise_thres"
 dev="sysfs"
 ino=65180 scontext=u:r:hal_dumpstate_default:s0
 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
 [  174.115398] type=1400 audit(1645790696.920:16): avc: denied { read }
 for comm="dumpstate@1.1-s" name="tmu_top_reg_dump_fall_thres"
 dev="sysfs"
 ino=65182 scontext=u:r:hal_dumpstate_default:s0
 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
 [  174.115498] type=1400 audit(1645790696.920:17): avc: denied { read }
 for comm="dumpstate@1.1-s" name="tmu_sub_reg_dump_rise_thres"
 dev="sysfs"
 ino=65181 scontext=u:r:hal_dumpstate_default:s0
 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 215040856
Test: check tmu register dump sysfs output in dumpstate
Change-Id: Ica48e37344a69264d4b4367af7856ec20b566a9e
 2022-03-01 01:24:00 +00:00
Yu-Chi Cheng
172271fdbc Allowed GCA to access EdgeTPU for P22 devices. 
This change includes the google_camera_app domain
into the EdgeTPU selinux rules. With it the GCA
is now able to access EdgeTPU.

Bug: 221020793
Test: verified GCA to work on P22.
Change-Id: I69010e2a8cca1429df402ae587b939d38e20a287
 2022-02-25 23:36:01 +00:00
Jinting Lin
e44f3c867c Fix avc denied for vendor silent logging app 
log:
avc: denied { getattr } for comm="y.silentlogging" path="/data/user/0/com.samsung.slsi.telephony.silentlogging" dev="dm-42" ino=6793 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0
avc: denied { search } for comm="y.silentlogging" name="com.samsung.slsi.telephony.silentlogging" dev="dm-42" ino=6793 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0
denied { read } for comm="y.silentlogging" name="u:object_r:vendor_slog_prop:s0" dev="tmpfs" ino=338 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_slog_prop:s0 tclass=file permissive=0
avc: denied { search } for comm="y.silentlogging" name="slog" dev="dm-42" ino=314 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=0
avc: denied { read } for comm="y.silentlogging" name="u:object_r:default_prop:s0" dev="tmpfs" ino=150 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
avc:  denied  { find } for interface=vendor.samsung_slsi.telephony.hardware.oemservice::IOemService sid=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 pid=7322 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:hal_vendor_oem_hwservice:s0 tclass=hwservice_manager permissive=0
avc: denied { call } for comm="y.silentlogging" scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:r:dmd:s0 tclass=binder permissive=0
avc: denied { call } for comm="y.silentlogging" scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:r:sced:s0 tclass=binder permissive=0
avc: denied { read } for comm="getenforce" name="enforce" dev="selinuxfs" ino=4 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0
avc: denied { set } for property=persist.vendor.modem.logging.shannon_app pid=7279 uid=1000 gid=1000 scontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_modem_prop:s0 tclass=property_service permissive=0'

avc: denied { call } for comm="HwBinder:1001_1" scontext=u:r:sced:s0 tcontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tclass=binder permissive=0

avc: denied { call } for scontext=u:r:dmd:s0 tcontext=u:r:vendor_telephony_silentlogging_app:s0:c232,c259,c512,c768 tclass=binder permissive=0

avc: denied { getattr } for comm="tlogging:remote" path="/data/user/0/com.samsung.slsi.telephony.silentlogging" dev="dm-42" ino=6793 scontext=u:r:vendor_silentlogging_remote_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0
avc: denied { read } for name="slog" dev="dm-42" ino=314 scontext=u:r:vendor_silentlogging_remote_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=0

Test: flash TH build then run basic test of silent logging app

Bug: 220847487
Change-Id: Ib5ac1e796e8e816d024cebc584b5699ab8ed1162
 2022-02-25 05:35:06 +00:00
SalmaxChang
7cb9cc182b Add missing vendor_logger_prop rule 
init    : Do not have permissions to set 'persist.vendor.verbose_logging_enabled' to 'true' in property file '/vendor/build.prop': SELinux permission check failed

Bug: 221173724
Bug: 221154649
Change-Id: Ic35e6f1d40f15efefead4530f8d320b72d7366e4
 2022-02-24 07:45:39 +00:00
Zachary Iqbal
4bbc6969e5 Give gralloc access to the faceauth_heap_device. 
Notes:
- This is required for face authentication.

Fixes: 221098313
Test: Built locally.
Change-Id: I6292c76c0809f091108ac73bef2d9e2db430a680
 2022-02-24 05:20:30 +00:00
Alex Hong
4443c79bbb Remove the sepolicy for tetheroffload service 
Test: m checkvintf
      run vts -m VtsHalTetheroffloadControlV1_0TargetTest
Bug: 207076973
Bug: 214494717
Change-Id: I5ecec46512ff4e1ae6c52147cfa0179e5fc93420
Merged-In: I5ecec46512ff4e1ae6c52147cfa0179e5fc93420
 2022-02-24 04:03:32 +00:00
Joseph Jang
5fb066e143 identity: Add sepolicy permission for hal_identity_citadel to find hal_remotelyprovisionedcomponent_service 
log:
SELinux : avc:  denied  { find } for pid=885 uid=9999
name=android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox
scontext=u:r:hal_identity_citadel:s0
tcontext=u:object_r:hal_remotelyprovisionedcomponent_service:s0
tclass=service_manager permissive=0

Bug: 218613398
Change-Id: I124ea5898609a3f68bee13b6db931878252d4081
 2022-02-24 02:20:37 +00:00
Jack Yu
97a25bf259 uwb: permissions for factory uwb calibration file 
Allow nfc hal accessing /data/vendor/uwb.

Bug: 220167093
Test: build pass
Merged-In: I33093231577b71c24d5bf6f980c7021cc546fa98
Change-Id: I33093231577b71c24d5bf6f980c7021cc546fa98
 2022-02-24 01:02:52 +00:00
Darren Hsu
8f90cf5408 Allow hal_power_stats to read UWB sysfs nodes 
Bug: 219369324
Test: Dump power stats and see no avc denials
Change-Id: Ib1ac15867f51069bef3f68e91bf65b842b7c0734
Signed-off-by: Darren Hsu <darrenhsu@google.com>
 2022-02-24 01:02:11 +00:00
Jinting Lin
e6af74a6c4 Adds mnt file and batt info permissions for modem app 
Bug: 220076340
Merged-In: Icd02d4f8757719afed020c27a90812921d5f37ec
Change-Id: Icd02d4f8757719afed020c27a90812921d5f37ec
(cherry picked from commit 2c914cd02c)
 2022-02-23 05:55:57 +00:00
Jinting Lin
7ba8b12bb8 Adds logging related properties for logger app 
Bug: 220073302
Merged-In: I3917ce13f51a5ccb3304eb2db860f4da8424438b
Change-Id: I3917ce13f51a5ccb3304eb2db860f4da8424438b
(cherry picked from commit e65363450c)
 2022-02-23 03:16:00 +00:00
Krzysztof Kosiński
3884738538 Camera: re-add TEE access. 
Face auth is being investigated for Android T, so this access
is still needed. It was initially omitted from ag/16719985 because
it did not launch in Android S.

Bug: 220886644
Test: build for P10
Change-Id: I61ecc685397fcab6f356e98abfc88e8cb34254f4
 2022-02-23 02:51:40 +00:00
Adam Shih
b158d7b088 avoid pixellogger from crashing 
Bug: 220935985
Test: pixellogger stays alive for 2 minutes
Change-Id: I9f70f1a936731332ada3abfa945e60f8aff58279
 2022-02-23 09:58:37 +08:00