Commit graph

540 commits

Author SHA1 Message Date
Adam Shih
2e18f20056 init: change overlayfs_file rule to dontaudit am: 47b4ca882d
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17102583

Change-Id: I5d0bbc490eb3ef4f1fc3f8fd0ceaec8c361705b3
2022-03-07 22:10:44 +00:00
Adam Shih
47b4ca882d init: change overlayfs_file rule to dontaudit
Workaround for modem_img being unlabeled after disable-verity.

Bug: 193113005
Bug: 221384981
Test: remount with no avc error
Change-Id: Ie2479470c095f4ee2a9508714565b1088a8d7dce
2022-03-07 21:39:11 +00:00
Ruofei Ma
3b586d3fe6 [automerger skipped] Allow mediacodec_google to access secure dma heap am: 67e8f968b2 am: a9bdff3482 -s ours
am skip reason: Merged-In I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009 with SHA-1 67e8f968b2 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17084044

Change-Id: Iec8f108b5010a637b29f870a9e4811066d8570a6
2022-03-07 20:17:47 +00:00
Ruofei Ma
a9bdff3482 Allow mediacodec_google to access secure dma heap am: 67e8f968b2
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17084044

Change-Id: Ib949c42ff406ae58148154d6c7d8100293ab0050
2022-03-07 19:42:45 +00:00
Ruofei Ma
ac80df1872 [automerger skipped] Allow mediacodec_google to access secure dma heap am: 67e8f968b2 -s ours
am skip reason: Merged-In I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009 with SHA-1 e239561061 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17084044

Change-Id: I24a79b8815bd128f95b4fc0c17caac324d2c6555
2022-03-07 19:40:15 +00:00
Ruofei Ma
67e8f968b2 Allow mediacodec_google to access secure dma heap
The change is for the following error:
HwBinder:867_1: type=1400 audit(0.0:9): avc: denied { read } for
name="vframe-secure" dev="tmpfs" ino=425 scontext=u:r:mediacodec_google:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0
tclass=chr_file permissive=0

Bug: 221500257

Change-Id: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009
(cherry picked from commit e239561061)
Merged-In: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009
2022-03-07 19:13:35 +00:00
Ray Chi
5f05099e62 Allow hal_usb_gadget_impl to access proc_irq am: 455c3c1653 am: 2fd433348f
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17041067

Change-Id: If1b05627324722b6b97370beb6fd23817b9bf0f8
2022-03-07 08:29:19 +00:00
Ray Chi
ee3ddad840 Allow hal_usb_gadget_impl to access proc_irq am: 455c3c1653
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17041067

Change-Id: I4b223ff4282fce938d27ee1c35e5130b387f4efb
2022-03-07 08:08:59 +00:00
Ray Chi
2fd433348f Allow hal_usb_gadget_impl to access proc_irq am: 455c3c1653
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17041067

Change-Id: I7391e7c65ce2bd2b79bb8fcbf3ffb2a4eb2041ed
2022-03-07 08:07:43 +00:00
Ray Chi
455c3c1653 Allow hal_usb_gadget_impl to access proc_irq
Bug: 220996010
Test: build pass
Change-Id: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891
2022-03-07 11:18:28 +08:00
Tommy Chiu
df872eb420 sepolicy: add permissions to let recovery wipe citadel am: 94995cd0d3 am: ba00764692
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17071752

Change-Id: I298bbfe10202de42fc540a100ea4bcd9f63dcb4d
2022-03-07 01:12:03 +00:00
Tommy Chiu
e8ee3d3789 sepolicy: add permissions to let recovery wipe citadel am: 94995cd0d3
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17071752

Change-Id: I0e86ea1a8a5aa49cf78b6892a0e895c7b759cd57
2022-03-07 00:49:12 +00:00
Tommy Chiu
ba00764692 sepolicy: add permissions to let recovery wipe citadel am: 94995cd0d3
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17071752

Change-Id: Ibc606f4def81adfbf1182d083c9bdb034025d550
2022-03-07 00:47:59 +00:00
Tommy Chiu
94995cd0d3 sepolicy: add permissions to let recovery wipe citadel
This gives recovery the ability to remove user data from citadel in the
same manner as issuing a `fastboot -w` does.  This doesn't allow for
resetting FRP data, just user data.

audit: type=1400 audit(1646379959.016:9): avc:  denied  { getattr } for
  pid=348 comm="recovery" path="/dev/gsc0" dev="tmpfs" ino=754
  scontext=u:r:recovery:s0 tcontext=u:object_r:citadel_device:s0
  tclass=chr_file permissive=0

Bug: 222005928
Change-Id: Ia6113999aecacbbbb31d7a8659a45c0e5a0db2c9
2022-03-07 00:24:55 +00:00
Tri Vo
f24a32c5c2 Don't audit storageproxyd unlabeled access am: 9fe6aa97af am: b2f8313c88
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17072560

Change-Id: I39081f31ef8f3885227a6fc16a4c39bdd018c5d0
2022-03-04 18:28:58 +00:00
Tri Vo
b2f8313c88 Don't audit storageproxyd unlabeled access am: 9fe6aa97af
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17072560

Change-Id: Ied191c3251cbfddeb9acb4c952d83d897c5c7ecd
2022-03-04 18:07:19 +00:00
Tri Vo
c4e4e45c43 Don't audit storageproxyd unlabeled access am: 9fe6aa97af
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17072560

Change-Id: I61b7cabc61d1e6aa286390a90c0b5b8d04f6c35a
2022-03-04 18:07:05 +00:00
Tri Vo
9fe6aa97af Don't audit storageproxyd unlabeled access
Test: m sepolicy
Bug: 197502330
Change-Id: Ibe7292dc659dd454d3c842f6c48d2d90bc77117d
2022-03-04 17:45:38 +00:00
Adam Shih
afd0fe1d97 remove obsolete code after SELinux is enforced am: 9ba4c9120d am: 9817dff3d6
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17076606

Change-Id: I1f331b7772f4c2696e046dda290352d41e5c62f0
2022-03-04 09:34:59 +00:00
Adam Shih
ba54c02dae remove obsolete code after SELinux is enforced am: 9ba4c9120d
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17076606

Change-Id: I11026c637a65f3c34a09a4852305ca7d1bc7bc2f
2022-03-04 09:13:53 +00:00
Adam Shih
9817dff3d6 remove obsolete code after SELinux is enforced am: 9ba4c9120d
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17076606

Change-Id: I9a3cc9a9fd9e67d4dc59d9a93040e538c63844f5
2022-03-04 09:12:13 +00:00
Adam Shih
9ba4c9120d remove obsolete code after SELinux is enforced
Bug: 207720645
Bug: 208527900
Bug: 208721673
Bug: 205072922
Test: boot with no relevant errors
Change-Id: I68931cc24c55beea52c246a06f268ea2be7d1ecf
2022-03-04 08:47:59 +00:00
Midas Chien
2818690b9b Allow composer to read panel_idle_handle_exit sysfs node am: bef935f43d am: 8d4bd895eb
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17005599

Change-Id: Iedf4175dab78e4ca9af08b10aae1f2d98ef19e35
2022-03-04 07:45:10 +00:00
Midas Chien
07be5a9e09 Allow composer to read panel_idle_handle_exit sysfs node am: bef935f43d
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17005599

Change-Id: Ib3a236dbb535e41050b3535c0e8e8c7e6ac3431a
2022-03-04 07:22:59 +00:00
Midas Chien
8d4bd895eb Allow composer to read panel_idle_handle_exit sysfs node am: bef935f43d
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17005599

Change-Id: I8669fb4aee3b42dd8b1b9e62aa6220f33b627580
2022-03-04 07:21:53 +00:00
Midas Chien
bef935f43d Allow composer to read panel_idle_handle_exit sysfs node
Change panel_idle_exit_handle selinux type to sysfs_display to allow
composer to access it.

Bug: 202182467
Test: ls -Z to check selinux type
Test: composer can access it in enforce mode
Change-Id: I5e6c5036a946417c782f1389f4423cce69c4df77
2022-03-04 06:55:04 +00:00
millerliang
3d5df2e177 Fix AAudio avc denied am: 801b87fe71 am: 68e9f1eda3
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17052084

Change-Id: I8a2559c151525f2e593114dd4eb9796484d7a3db
2022-03-04 06:40:45 +00:00
Adam Shih
003f35e2f6 grant bugreport access to camera debug system property am: 1616b97465 am: 32040ce078
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17071447

Change-Id: Ia13316d88043d7f1c3e50db548c56425358a4aa8
2022-03-04 06:40:12 +00:00
millerliang
620c3df5ca Fix AAudio avc denied am: 801b87fe71
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17052084

Change-Id: I3e1c7e2aa3e21ca17e0258598f832a392b13004a
2022-03-04 06:20:31 +00:00
Adam Shih
2ac8aadf75 grant bugreport access to camera debug system property am: 1616b97465
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17071447

Change-Id: I1984811f41d0b7e40efd2cd166bdf57e9f212a7e
2022-03-04 06:20:18 +00:00
millerliang
68e9f1eda3 Fix AAudio avc denied am: 801b87fe71
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17052084

Change-Id: If2469a66fe436e6183912d7a43a005f4900accdf
2022-03-04 06:19:06 +00:00
Adam Shih
32040ce078 grant bugreport access to camera debug system property am: 1616b97465
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17071447

Change-Id: Ie1362e9f46201122818b21355022368d3d383799
2022-03-04 06:18:39 +00:00
millerliang
801b87fe71 Fix AAudio avc denied
I auditd  : type=1400 audit(0.0:35): avc:
denied { map } for comm="binder:896_4" path="/dev/snd/pcmC0D0p"
dev="tmpfs" ino=1138 scontext=u:r:audioserver:s0
tcontext=u:object_r:audio_device:s0 tclass=chr_file permissive=0

E SELinux : avc:  denied  { find } for pid=887 uid=1041 name=audio
scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_service:s0
tclass=service_manager permissive=0

Bug: 222191260
Test: Flash TH ROM and test it by the following command
Test: test_steal_exclusive -c0

Signed-off-by: millerliang <millerliang@google.com>
Change-Id: I8ea6741f3682b568de089d040d511b68938374ab
2022-03-04 06:14:55 +00:00
Adam Shih
1616b97465 grant bugreport access to camera debug system property
Bug: 221384770
Test: do bugreport without seeing relevant error
Change-Id: Ie27ac5f2c6e13ec31ccec2adb11762dacab1fbdf
2022-03-04 05:58:20 +00:00
Jack Yu
bdcdaecc8f Allow platform_app to access Nfc service am: 450f61d51b am: 0a4921d8ea
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17049976

Change-Id: I00b0602f68ce7f0a979b7b0fa7efb9de9381f81e
2022-03-04 03:46:09 +00:00
Jack Yu
0a4921d8ea Allow platform_app to access Nfc service am: 450f61d51b
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17049976

Change-Id: I444b7cd68f067ad4490f975884d05bd7fab81189
2022-03-04 03:11:59 +00:00
Jack Yu
2adfcd0067 Allow platform_app to access Nfc service am: 450f61d51b
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17049976

Change-Id: I2c36dcaa473827137e3cd1c44553f93ae9c6392a
2022-03-04 03:11:28 +00:00
Jack Yu
450f61d51b Allow platform_app to access Nfc service
Fix selinux denial below.
avc:  denied  { find } for pid=11183 uid=10224 name=nfc
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:nfc_service:s0 tclass=service_manager
permissive=0

Bug: 222387662
Test: build pass
Change-Id: If97d8141acab23b4e13ea65ce28589195ef7ad9e
2022-03-04 02:46:29 +00:00
Jinting Lin
f8e707d628 Allow modem diagnostic app to access default prop am: c3612c7097 am: b95ad92096
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17072663

Change-Id: I524ae98f67e4f3c859e3528d6886318d8147084e
2022-03-04 02:17:05 +00:00
Jinting Lin
b463b5aa9f Allow modem diagnostic app to access default prop am: c3612c7097
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17072663

Change-Id: If23f46cc3e47c9496310bd9081d0a7461e49eee0
2022-03-04 01:56:04 +00:00
Jinting Lin
b95ad92096 Allow modem diagnostic app to access default prop am: c3612c7097
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17072663

Change-Id: Iba2f39b55334d40dc8339433b0b955dc29f1be80
2022-03-04 01:54:47 +00:00
Jinting Lin
c3612c7097 Allow modem diagnostic app to access default prop
log:
avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=154 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.google.mds

Bug: 222509956
Change-Id: I50302b38f074e3f1a078ee48896154353e0937b6
2022-03-04 01:35:39 +00:00
Ruofei Ma
e239561061 Allow mediacodec_google to access secure dma heap
The change is for the following error:
HwBinder:867_1: type=1400 audit(0.0:9): avc: denied { read } for
name="vframe-secure" dev="tmpfs" ino=425 scontext=u:r:mediacodec_google:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0
tclass=chr_file permissive=0

Bug: 221500257

Change-Id: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009
2022-03-04 01:21:32 +00:00
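Several of the commits above (67e8f968b2 / e239561061, 94995cd0d3, 801b87fe71, 450f61d51b, c3612c7097) quote an AVC denial and resolve it with an allow rule, while two others (47b4ca882d and 9fe6aa97af) chose dontaudit for access to unlabeled files instead of granting it. The block below is an added example written for this page, not code from the gs201-sepolicy project: a small audit2allow-style parser that takes the denial lines quoted in those commit messages (copied into DENIALS with their line wraps joined; the final example_domain/unlabeled line is constructed and appears nowhere on the page), extracts the source type, target type, class and permissions, and merges them into standard SELinux TE rules of the form `allow SRC TGT:CLASS { PERMS };`. The choice to emit dontaudit rather than allow whenever the target type is unlabeled is the editor's heuristic, mirroring the two commits above; it is not something the project's policy does automatically.

```python
"""Turn Android AVC denial lines into candidate SELinux TE rules.

Added example for this commit log; not part of gs201-sepolicy.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Denials copied from the commit messages on this page (multi-line messages
# joined onto one line). The LAST line is CONSTRUCTED for this example to
# exercise the unlabeled-target case; no such denial appears on the page.
DENIALS = """\
HwBinder:867_1: type=1400 audit(0.0:9): avc: denied { read } for name="vframe-secure" dev="tmpfs" ino=425 scontext=u:r:mediacodec_google:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=0
audit: type=1400 audit(1646379959.016:9): avc:  denied  { getattr } for pid=348 comm="recovery" path="/dev/gsc0" dev="tmpfs" ino=754 scontext=u:r:recovery:s0 tcontext=u:object_r:citadel_device:s0 tclass=chr_file permissive=0
I auditd  : type=1400 audit(0.0:35): avc: denied { map } for comm="binder:896_4" path="/dev/snd/pcmC0D0p" dev="tmpfs" ino=1138 scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_device:s0 tclass=chr_file permissive=0
E SELinux : avc:  denied  { find } for pid=887 uid=1041 name=audio scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=0
avc:  denied  { find } for pid=11183 uid=10224 name=nfc scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:nfc_service:s0 tclass=service_manager permissive=0
avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=154 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.google.mds
avc: denied { read } for name="example_file" dev="dm-0" ino=7 scontext=u:r:example_domain:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
"""

# Matches the fixed part of an AVC record: the permission set in braces,
# then whatever fields precede scontext=, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    stype: str
    ttype: str
    tclass: str
    fields: str  # the pid=/comm=/path=/name= portion, kept for review


def context_type(ctx: str) -> str:
    """u:r:platform_app:s0:c512,c768 -> platform_app (third field of a context).

    The trailing c512,c768 are MLS categories used for per-app isolation
    and play no part in a TE allow rule.
    """
    parts = ctx.split(":")
    if len(parts) < 4:
        raise ValueError(f"not an SELinux security context: {ctx!r}")
    return parts[2]


def parse_denials(text: str) -> list:
    """Parse every AVC denial in text; lines without one are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append(Denial(
            perms=frozenset(m.group("perms").split()),
            stype=context_type(m.group("scontext")),
            ttype=context_type(m.group("tcontext")),
            tclass=m.group("tclass"),
            fields=m.group("fields").strip(),
        ))
    return out


def suggest_action(d: Denial) -> str:
    """Editor's heuristic (assumption): silence access to unlabeled targets
    with dontaudit, as commits 47b4ca882d and 9fe6aa97af did, rather than
    granting it; everything else becomes an allow rule to be reviewed."""
    return "dontaudit" if d.ttype == "unlabeled" else "allow"


def generate_rules(text: str) -> list:
    """Merge denials sharing (action, src, tgt, class) into one TE rule each."""
    merged = OrderedDict()
    for d in parse_denials(text):
        key = (suggest_action(d), d.stype, d.ttype, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return [
        f"{action} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (action, stype, ttype, tclass), perms in merged.items()
    ]


if __name__ == "__main__":
    for rule in generate_rules(DENIALS):
        print(rule)
```

The output is a starting point for review, not a rule to paste: the two audioserver denials end up as two separate rules because they target different classes (chr_file and service_manager), and any grant still has to pass the platform's neverallow rules when the policy is compiled.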
Devin Moore
7bff4ad858 [automerger skipped] Add the init_boot partition sepolicy am: ac44b340d3 am: 6ce3b8a590 -s ours
am skip reason: Merged-In Ic991fa314c8a6fdb848199a626852a68a57d1df5 with SHA-1 ac44b340d3 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17070163

Change-Id: Ia7aed68cf3e0783b60b5879d782e621f314f3518
2022-03-03 20:54:31 +00:00
Devin Moore
6ce3b8a590 Add the init_boot partition sepolicy am: ac44b340d3
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17070163

Change-Id: If8db325971ac8ecd1d3ae318ab942df98bc847d8
2022-03-03 20:30:36 +00:00
Devin Moore
bfb5875873 [automerger skipped] Add the init_boot partition sepolicy am: ac44b340d3 -s ours
am skip reason: Merged-In Ic991fa314c8a6fdb848199a626852a68a57d1df5 with SHA-1 b3a10db9d6 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17070163

Change-Id: If2c578b3c59cc42c44d34255cee3a252de6ca405
2022-03-03 20:30:18 +00:00
Devin Moore
ac44b340d3 Add the init_boot partition sepolicy
Tagging the partition as a boot_block_device so everything that had
permission to read/write to the boot partition now also has permissions
for this new init_boot partition.

This is required for update_engine to be able to write to init_boot on
builds that are enforcing sepolicy.

Bug: 222052598
Test: adb shell setenforce 1 && update_device.py ota.zip

Merged-In: Ic991fa314c8a6fdb848199a626852a68a57d1df5
Change-Id: Ic991fa314c8a6fdb848199a626852a68a57d1df5
2022-03-03 20:01:09 +00:00
Robb Glasser
3f56033179 Add hal_graphics_composer_default to sensors sepolicy. am: 990294708f am: 3bd74d90b2
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17051308

Change-Id: I629dc58eaf6f9b09cb35f0eafc7b1878ecdf63da
2022-03-03 19:35:45 +00:00
Robb Glasser
44953b58b3 Add hal_graphics_composer_default to sensors sepolicy. am: 990294708f
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17051308

Change-Id: Idf592c4d84da206ddc8cd6ed64d0f23c57d02717
2022-03-03 19:11:54 +00:00
Robb Glasser
3bd74d90b2 Add hal_graphics_composer_default to sensors sepolicy. am: 990294708f
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17051308

Change-Id: I692867ec79753dbd0c4f3909d26549d51c5e8f7d
2022-03-03 19:11:41 +00:00