Commit graph

484 commits

Author SHA1 Message Date
yixuanjiang
5143119a16 audio: sync aocdump setting from gs101 am: 9206ceb227
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17248005

Change-Id: Id7c3c9f2606fe13023a72744230adc6c7ebcc66b
2022-03-21 02:26:21 +00:00
yixuanjiang
9206ceb227 audio: sync aocdump setting from gs101
Bug: 225309469
Test: local
Signed-off-by: yixuanjiang <yixuanjiang@google.com>
Change-Id: Ia9be16c74de666c945d76ca514423b030c0f90d0
2022-03-21 02:08:55 +00:00
Mason Wang
ae166c90eb vendor_init: Fix touch avc denial of high_sensitivity.[DO NOT MERGE] am: 296823785d
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17229066

Change-Id: I5fd10c80b5a1911818334615c4c900b858a4dae7
2022-03-18 06:22:19 +00:00
Mason Wang
296823785d vendor_init: Fix touch avc denial of high_sensitivity.[DO NOT MERGE]
Fixed following avc denial:
avc: denied { write } for name="high_sensitivity" dev="proc" ino=4026534550 scontext=u:r:vendor_init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
//The file node is proc/focaltech_touch/high_sensitivity
Bug: 199105136
Test: Verify pass by checking device logs are w/o the above errors while
switching setting/display/increase touch sensitivity.

Change-Id: I8dbe4190056767407413082580320593292725fe
2022-03-17 10:01:37 +00:00
George Lee
6548900ffe health: Add sysfs_thermal access am: 2cc598cc9b
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17164869

Change-Id: I92b98ee674757c4f68ea5626bff3ac9e18d9df93
2022-03-17 05:27:52 +00:00
George Lee
2cc598cc9b health: Add sysfs_thermal access
health-service has trouble accessing /dev/thermal.  This change fixes
this.

Bug: 223928339
Test: dev/thermal/tz-by-name/soc/mode error:Permission denied no longer
exists
Signed-off-by: George Lee <geolee@google.com>
Change-Id: I6077e841d179b6cda50d578e584dd249ce970db0
2022-03-17 04:55:59 +00:00
Adam Shih
66f8cc7ba0 reject mnt_vendor_file access in user ROM am: bedd866505
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17213986

Change-Id: Id9efbf8949047e65c36ccf33a465189aa3be6302
2022-03-16 09:29:29 +00:00
Adam Shih
bedd866505 reject mnt_vendor_file access in user ROM
Bug: 224429437
Test: android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I318f11866f7b9c6cc0b7ecf151f789f35ab290cd
2022-03-16 14:08:09 +08:00
Denny cy Lee
cf97709e3e Sepolicy: add pixelstats/HardwareInfo sepolicy am: 38c2803c54
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17118585

Change-Id: I4188f44a34d19106ddfa4664d38e0950a4d9dcfc
2022-03-15 03:16:24 +00:00
Darren Hsu
ef2662e4b8 sepolicy: reorder genfs labels for system suspend am: 6d25430600
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17149073

Change-Id: I1d560b9316d343a6354704b1602643880fd20882
2022-03-15 03:15:39 +00:00
Denny cy Lee
38c2803c54 Sepolicy: add pixelstats/HardwareInfo sepolicy
avc denials to fix (after applying ag/17120763)
[   50.171564] type=1400 audit(1647222380.884:28): avc: denied { read } for comm="pixelstats-vend" name="battery_history" dev="tmpfs" ino=639 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0
[   54.519375] type=1400 audit(1647222385.228:29): avc: denied { read } for comm="id.hardwareinfo" name="battery_history" dev="tmpfs" ino=639 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 app=com.google.android.hardwareinfo

Bug: 222019890
Test: manually check debug logcat
Change-Id: I0e4f3f3a66783383b0d1327cec4dcd145ae9a7af
2022-03-15 03:09:18 +00:00
Darren Hsu
6d25430600 sepolicy: reorder genfs labels for system suspend
Bug: 223683748
Test: check bugreport without relevant avc denials
Change-Id: I295d3dfb96cc87e8faaf16f949918445cc3a0d44
Signed-off-by: Darren Hsu <darrenhsu@google.com>
2022-03-15 02:52:48 +00:00
Roshan Pius
54840dce7d gs-sepolicy(uwb): Changes for new UCI stack am: c5710ad18e
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17002833

Change-Id: Ie20b0208354b16ebd1da8b5334836fad50adbe1a
2022-03-14 16:40:52 +00:00
Roshan Pius
b27000aab9 gs-sepolicy(uwb): Allow uwb hal permission to net_admin am: 5ddc8be4f4
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17092573

Change-Id: Ie187d9ecdea4c00c4f08bd2d1dea82ce3ffd9a5e
2022-03-14 16:40:40 +00:00
Roshan Pius
c5710ad18e gs-sepolicy(uwb): Changes for new UCI stack
1. Rename uwb vendor app.
2. Rename uwb vendor HAL binary name & service name.
3. Allow vendor HAL to host the AOSP UWB HAL service.
4. Allow NFC HAL to access uwb calibration files.

Bug: 186585880
Bug: 204718220
Bug: 206045367
Test: Manual Tests
Change-Id: Ib0456617d0f5cf116d11a9412f47f36e2b8df570
2022-03-14 16:09:02 +00:00
Roshan Pius
5ddc8be4f4 gs-sepolicy(uwb): Allow uwb hal permission to net_admin
This was allowed under gs101-sepolicy. There is an ongoing discussion on
how to resolve this for the long term in b/190461440. But without this,
uwb functionality is broken on new devices.

Bug: 206045367
Bug: 222194886
Change-Id: I6729352f2b7bb93b01990a790e62aa69f60342fe
2022-03-14 16:09:02 +00:00
Tim Lin
a5cb956b5a ril: dump radio hal from user build. am: e42c7120dd
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17155484

Change-Id: I4b32ed5c0e662d424eb562589a9cf5b38ca04a1a
2022-03-14 11:17:19 +00:00
Tim Lin
e42c7120dd ril: dump radio hal from user build.
To get radio hal debug info on user build as we do on previous Pixels.

Bug: 221391981
Test: Trigger bugreport on USERDEBUG with dumpstate.unroot set
to true and check IRadio log

Change-Id: I354d5770272b518761db4aab8da726de97e472bb
2022-03-14 10:49:07 +00:00
Chungjui Fan
a0f0f1e049 sepolicy: allow fastbootd to access gsc device node am: e02f501377
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17157683

Change-Id: I4234b878168d327657f3114bf96da9e6f056334e
2022-03-14 05:17:37 +00:00
Chungjui Fan
e02f501377 sepolicy: allow fastbootd to access gsc device node
audit: type=1400 audit(1646614793.912:8): avc:  denied  { getattr }
for pid=347 comm="fastbootd" path="/dev/gsc0" dev="tmpfs" ino=469
scontext=u:r:fastbootd:s0 tcontext=u:object_r:citadel_device:s0
tclass=chr_file permissive=0

Bug: 221410358
Test: fastboot -w in fastbootd mode
Change-Id: I5680515865c2656ffa91dfe593459aab1ade81cb
Signed-off-by: Chungjui Fan <chungjuifan@google.com>
2022-03-14 04:47:31 +00:00
Ramji Jiyani
3b53f750cd dumpstate: Remove do not audit for /system_dlkm am: cec1d2a769
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17180360

Change-Id: I2e71cdc8d343e82a83cf40c5aa6d653458c16625
2022-03-14 04:02:45 +00:00
Ramji Jiyani
cec1d2a769 dumpstate: Remove do not audit for /system_dlkm
FixedBy: http://aosp/2022375
Bug: 223332748
Test: atest SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I46e427cccec27118fad4440dc6822196d26f4a1b
2022-03-13 18:32:07 -07:00
Taeju Park
127bdb6c52 Allow accessing power_policy sysfs node for GPU am: dc99069f1e
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17147970

Change-Id: Ie859536806978c4e9edca66601bd1a99572c7b87
2022-03-10 10:26:57 +00:00
Taeju Park
dc99069f1e Allow accessing power_policy sysfs node for GPU
Bug: 223440487
Signed-off-by: Taeju Park <taeju@google.com>
Change-Id: Iae2e4a0dc8d474d04200e79b4b4014010eedb147
2022-03-10 10:03:59 +00:00
Darren Hsu
c3524aa570 sepolicy: label wakeup source for usbc port am: ab8e1fdc58
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17129070

Change-Id: I719c86ff9275562322fa1a8741e45f038d813e7c
2022-03-10 06:32:26 +00:00
Darren Hsu
ab8e1fdc58 sepolicy: label wakeup source for usbc port
Bug: 223475365
Test: run vts -m SuspendSepolicyTests
Change-Id: I2116c5f4fd19c5995f1612d593532cc7e065a560
Signed-off-by: Darren Hsu <darrenhsu@google.com>
2022-03-10 11:29:15 +08:00
Adam Shih
e2bfc6f47f Remove obsolete sepolicy am: e989d0087a
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17130105

Change-Id: I1fd83076b7693667b95055e0feef410344720934
2022-03-09 08:57:02 +00:00
Adam Shih
e989d0087a Remove obsolete sepolicy
Bug: 207300335
Test: do bugreport without relevant error log showing up
Change-Id: I38e4544c59c49543e746775ec686874ee8ae2473
2022-03-09 08:14:24 +00:00
Darren Hsu
971ad610df sepolicy: fix VTS failure for SuspendSepolicyTests am: 284b775f21
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17118583

Change-Id: I2c33087c2413db910e3ad4968be605dbc10c6ccf
2022-03-09 05:56:22 +00:00
Darren Hsu
284b775f21 sepolicy: fix VTS failure for SuspendSepolicyTests
Label the common parent wakeup path instead of each
individual wakeup source to avoid bloating the genfs
contexts.

Bug: 221174227
Test: run vts -m SuspendSepolicyTests
Change-Id: I38e3a349af04f83e63735ea7ca010cf634c2f1ab
2022-03-09 05:29:09 +00:00
SalmaxChang
e0e47e1d51 incident: Fix avc errors am: 1f72ffdec6
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17129066

Change-Id: I70701611ef3193e945f8f3fb6fb18707ac2ddf36
2022-03-09 05:04:17 +00:00
SalmaxChang
1f72ffdec6 incident: Fix avc errors
avc: denied { use } for comm="incident" dev="dm-47" ino=10911 scontext=u:r:incident:s0 tcontext=u:r:logger_app:s0:c239,c256,c512,c768 tclass=fd
avc: denied { append } for dev="dm-7" ino=12639 scontext=u:r:incident:s0 tcontext=u:object_r:media_rw_data_file:s0:c30,c257,c512,c768 tclass=file

Bug: 222209243
Change-Id: I9e622e2af1a036eab818cd2b66c07b137fe9cc99
2022-03-09 04:55:08 +00:00
sukiliu
82778d58cc Update avc error on ROM 8268341 am: b82a5ab98b
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17118587

Change-Id: I9b5926633555e0cfb2af2a92db05ac2c05bdf4ad
2022-03-09 04:51:53 +00:00
sukiliu
b82a5ab98b Update avc error on ROM 8268341
Bug: 223332748
Bug: 208721808
Test: PtsSELinuxTestCases
Change-Id: Ie3c6fdb9c8f29cac41db2750e71d3163132d4951
2022-03-09 04:25:38 +00:00
Michael Eastwood
4724d39907 Update SELinux policy to allow camera HAL to send Perfetto trace packets am: 07bf62c387
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17080874

Change-Id: Ib655baa67317b7da8f9b8cea62d7e93c87461dc2
2022-03-09 01:49:54 +00:00
SalmaxChang
ea7d1c1e1a dumpstate: Grant to access media_rw_data_file am: db1196932e
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17106207

Change-Id: I8b415b700c0a3253776e934a1fa073c54fb16e38
2022-03-09 01:49:49 +00:00
Michael Eastwood
07bf62c387 Update SELinux policy to allow camera HAL to send Perfetto trace packets
Example denials:

03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:31): avc: denied { use } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:r:traced:s0 tclass=fd permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:32): avc: denied { read write } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:33): avc: denied { getattr } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:34): avc: denied { map } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Bug: 222684359
Test: Build and push new SELinux policy. Verify that trace packets are received by Perfetto.
Change-Id: I443e84c5bcc701c1c983db19280719655ff02080
2022-03-09 01:29:20 +00:00
SalmaxChang
db1196932e dumpstate: Grant to access media_rw_data_file
avc: denied { append } for comm="binder:1426_9" dev="dm-43" ino=15392 scontext=u:r:dumpstate:s0 tcontext=u:object_r:media_rw_data_file:s0:c232,c256,c512,c768 tclass=file permissive=0

Bug: 222209243
Change-Id: I38efe11117c15f99ad1bce54cafbd0f3b038eff2
2022-03-08 04:57:26 +00:00
Adam Shih
1797d3c16a init: change overlayfs_file rule to dontaudit am: 47b4ca882d
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17102583

Change-Id: I57c63f5fdcd3f97e1fe8788031842b395ff63b6f
2022-03-07 22:09:48 +00:00
Adam Shih
47b4ca882d init: change overlayfs_file rule to dontaudit
Workaround for modem_img being unlabeled after disable-verity.

Bug: 193113005
Bug: 221384981
Test: remount with no avc error
Change-Id: Ie2479470c095f4ee2a9508714565b1088a8d7dce
2022-03-07 21:39:11 +00:00
Ruofei Ma
a9bdff3482 Allow mediacodec_google to access secure dma heap am: 67e8f968b2
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17084044

Change-Id: Ib949c42ff406ae58148154d6c7d8100293ab0050
2022-03-07 19:42:45 +00:00
Ruofei Ma
67e8f968b2 Allow mediacodec_google to access secure dma heap
The change is for the following error:
HwBinder:867_1: type=1400 audit(0.0:9): avc: denied { read } for
name="vframe-secure" dev="tmpfs" ino=425 scontext=u:r:mediacodec_google:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0
tclass=chr_file permissive=0

Bug: 221500257

Change-Id: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009
(cherry picked from commit e239561061)
Merged-In: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009
2022-03-07 19:13:35 +00:00
Ray Chi
2fd433348f Allow hal_usb_gadget_impl to access proc_irq am: 455c3c1653
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17041067

Change-Id: I7391e7c65ce2bd2b79bb8fcbf3ffb2a4eb2041ed
2022-03-07 08:07:43 +00:00
Ray Chi
455c3c1653 Allow hal_usb_gadget_impl to access proc_irq
Bug: 220996010
Test: build pass
Change-Id: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891
2022-03-07 11:18:28 +08:00
Tommy Chiu
ba00764692 sepolicy: add permissions to let recovery wipe citadel am: 94995cd0d3
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17071752

Change-Id: Ibc606f4def81adfbf1182d083c9bdb034025d550
2022-03-07 00:47:59 +00:00
Tommy Chiu
94995cd0d3 sepolicy: add permissions to let recovery wipe citadel
This gives recovery the ability to remove user data from citadel in the
same manner as issuing a `fastboot -w` does.  This doesn't allow for
resetting FRP data, just user data.

audit: type=1400 audit(1646379959.016:9): avc:  denied  { getattr } for
  pid=348 comm="recovery" path="/dev/gsc0" dev="tmpfs" ino=754
  scontext=u:r:recovery:s0 tcontext=u:object_r:citadel_device:s0
  tclass=chr_file permissive=0

Bug: 222005928
Change-Id: Ia6113999aecacbbbb31d7a8659a45c0e5a0db2c9
2022-03-07 00:24:55 +00:00
Tri Vo
b2f8313c88 Don't audit storageproxyd unlabeled access am: 9fe6aa97af
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17072560

Change-Id: Ied191c3251cbfddeb9acb4c952d83d897c5c7ecd
2022-03-04 18:07:19 +00:00
Tri Vo
9fe6aa97af Don't audit storageproxyd unlabeled access
Test: m sepolicy
Bug: 197502330
Change-Id: Ibe7292dc659dd454d3c842f6c48d2d90bc77117d
2022-03-04 17:45:38 +00:00
Adam Shih
9817dff3d6 remove obsolete code after SELinux is enforced am: 9ba4c9120d
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17076606

Change-Id: I9a3cc9a9fd9e67d4dc59d9a93040e538c63844f5
2022-03-04 09:12:13 +00:00
Adam Shih
9ba4c9120d remove obsolete code after SELinux is enforced
Bug: 207720645
Bug: 208527900
Bug: 208721673
Bug: 205072922
Test: boot with no relevant errors
Change-Id: I68931cc24c55beea52c246a06f268ea2be7d1ecf
2022-03-04 08:47:59 +00:00