Evolution-X-Tensor/device_google_gs201
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
460 commits 1 branch 0 tags 63 MiB
Commit graph

460 commits

This branch
This branch
All branches
Author SHA1 Message Date
Darren Hsu
c3524aa570 sepolicy: label wakeup source for usbc port am: ab8e1fdc58 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17129070

Change-Id: I719c86ff9275562322fa1a8741e45f038d813e7c
 2022-03-10 06:32:26 +00:00
Darren Hsu
ab8e1fdc58 sepolicy: label wakeup source for usbc port 
Bug: 223475365
Test: run vts -m SuspendSepolicyTests
Change-Id: I2116c5f4fd19c5995f1612d593532cc7e065a560
Signed-off-by: Darren Hsu <darrenhsu@google.com>
 2022-03-10 11:29:15 +08:00
Adam Shih
e2bfc6f47f Remove obsolete sepolicy am: e989d0087a 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17130105

Change-Id: I1fd83076b7693667b95055e0feef410344720934
 2022-03-09 08:57:02 +00:00
Adam Shih
e989d0087a Remove obsolete sepolicy 
Bug: 207300335
Test: do bugreport without relevant error log showing up
Change-Id: I38e4544c59c49543e746775ec686874ee8ae2473
 2022-03-09 08:14:24 +00:00
Darren Hsu
971ad610df sepolicy: fix VTS failure for SuspendSepolicyTests am: 284b775f21 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17118583

Change-Id: I2c33087c2413db910e3ad4968be605dbc10c6ccf
 2022-03-09 05:56:22 +00:00
Darren Hsu
284b775f21 sepolicy: fix VTS failure for SuspendSepolicyTests 
Label the common parent wakeup path instead of each
individual wakeup source to avoid bloating the genfs
contexts.

Bug: 221174227
Test: run vts -m SuspendSepolicyTests
Change-Id: I38e3a349af04f83e63735ea7ca010cf634c2f1ab
 2022-03-09 05:29:09 +00:00
SalmaxChang
e0e47e1d51 incident: Fix avc errors am: 1f72ffdec6 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17129066

Change-Id: I70701611ef3193e945f8f3fb6fb18707ac2ddf36
 2022-03-09 05:04:17 +00:00
SalmaxChang
1f72ffdec6 incident: Fix avc errors 
avc: denied { use } for comm="incident" dev="dm-47" ino=10911 scontext=u:r:incident:s0 tcontext=u:r:logger_app:s0:c239,c256,c512,c768 tclass=fd
avc: denied { append } for dev="dm-7" ino=12639 scontext=u:r:incident:s0 tcontext=u:object_r:media_rw_data_file:s0:c30,c257,c512,c768 tclass=file

Bug: 222209243
Change-Id: I9e622e2af1a036eab818cd2b66c07b137fe9cc99
 2022-03-09 04:55:08 +00:00
sukiliu
82778d58cc Update avc error on ROM 8268341 am: b82a5ab98b 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17118587

Change-Id: I9b5926633555e0cfb2af2a92db05ac2c05bdf4ad
 2022-03-09 04:51:53 +00:00
sukiliu
b82a5ab98b Update avc error on ROM 8268341 
Bug: 223332748
Bug: 208721808
Test: PtsSELinuxTestCases
Change-Id: Ie3c6fdb9c8f29cac41db2750e71d3163132d4951
 2022-03-09 04:25:38 +00:00
Michael Eastwood
4724d39907 Update SELinux policy to allow camera HAL to send Perfetto trace packets am: 07bf62c387 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17080874

Change-Id: Ib655baa67317b7da8f9b8cea62d7e93c87461dc2
 2022-03-09 01:49:54 +00:00
SalmaxChang
ea7d1c1e1a dumpstate: Grant to access media_rw_data_file am: db1196932e 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17106207

Change-Id: I8b415b700c0a3253776e934a1fa073c54fb16e38
 2022-03-09 01:49:49 +00:00
Michael Eastwood
07bf62c387 Update SELinux policy to allow camera HAL to send Perfetto trace packets 
Example denials:

03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:31): avc: denied { use } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:r:tr
aced:s0 tclass=fd permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:32): avc: denied { read write } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext
=u:object_r:traced_tmpfs:s0 tclass=file permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:33): avc: denied { getattr } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:
object_r:traced_tmpfs:s0 tclass=file permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:34): avc: denied { map } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Bug: 222684359
Test: Build and push new SELinux policy. Verify that trace packets are received by Perfetto.
Change-Id: I443e84c5bcc701c1c983db19280719655ff02080
 2022-03-09 01:29:20 +00:00
SalmaxChang
db1196932e dumpstate: Grant to access media_rw_data_file 
avc: denied { append } for comm="binder:1426_9" dev="dm-43" ino=15392 scontext=u:r:dumpstate:s0 tcontext=u:object_r:media_rw_data_file:s0:c232,c256,c512,c768 tclass=file permissive=0

Bug: 222209243
Change-Id: I38efe11117c15f99ad1bce54cafbd0f3b038eff2
 2022-03-08 04:57:26 +00:00
Adam Shih
1797d3c16a init: change overlayfs_file rule to dontaudit am: 47b4ca882d 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17102583

Change-Id: I57c63f5fdcd3f97e1fe8788031842b395ff63b6f
 2022-03-07 22:09:48 +00:00
Adam Shih
47b4ca882d init: change overlayfs_file rule to dontaudit 
Workaround for modem_img being unlabeled after disable-verity.

Bug: 193113005
Bug: 221384981
Test: remount with no avc error
Change-Id: Ie2479470c095f4ee2a9508714565b1088a8d7dce
 2022-03-07 21:39:11 +00:00
Ruofei Ma
a9bdff3482 Allow mediacodec_google to access secure dma heap am: 67e8f968b2 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17084044

Change-Id: Ib949c42ff406ae58148154d6c7d8100293ab0050
 2022-03-07 19:42:45 +00:00
Ruofei Ma
67e8f968b2 Allow mediacodec_google to access secure dma heap 
The change is for following error:
HwBinder:867_1: type=1400 audit(0.0:9): avc: denied { read } for
name="vframe-secure" dev="tmpfs" ino=425 scontext=u:r:mediacodec_google:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0
tclass=chr_file permissive=0

Bug:221500257

Change-Id: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009
(cherry picked from commit e239561061)
Merged-In: I03e8c9b4f1d2099e6d7cd6d56f8d7f0834fd0009
 2022-03-07 19:13:35 +00:00
Ray Chi
2fd433348f Allow hal_usb_gadget_impl to access proc_irq am: 455c3c1653 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17041067

Change-Id: I7391e7c65ce2bd2b79bb8fcbf3ffb2a4eb2041ed
 2022-03-07 08:07:43 +00:00
Ray Chi
455c3c1653 Allow hal_usb_gadget_impl to access proc_irq 
Bug: 220996010
Test: build pass
Change-Id: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891
 2022-03-07 11:18:28 +08:00
Tommy Chiu
ba00764692 sepolicy: add permissions to let recovery wipe citadel am: 94995cd0d3 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17071752

Change-Id: Ibc606f4def81adfbf1182d083c9bdb034025d550
 2022-03-07 00:47:59 +00:00
Tommy Chiu
94995cd0d3 sepolicy: add permissions to let recovery wipe citadel 
This gives recovery the ability to remove user data from citadel in the
same manner as issuing a `fastboot -w` does.  This doesn't allow for
resetting FRP data, just user data.

audit: type=1400 audit(1646379959.016:9): avc:  denied  { getattr } for
  pid=348 comm="recovery" path="/dev/gsc0" dev="tmpfs" ino=754
  scontext=u:r:recovery:s0 tcontext=u:object_r:citadel_device:s0
  tclass=chr_file permissive=0

Bug: 222005928
Change-Id: Ia6113999aecacbbbb31d7a8659a45c0e5a0db2c9
 2022-03-07 00:24:55 +00:00
Tri Vo
b2f8313c88 Don't audit storageproxyd unlabeled access am: 9fe6aa97af 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17072560

Change-Id: Ied191c3251cbfddeb9acb4c952d83d897c5c7ecd
 2022-03-04 18:07:19 +00:00
Tri Vo
9fe6aa97af Don't audit storageproxyd unlabeled access 
Test: m sepolicy
Bug: 197502330
Change-Id: Ibe7292dc659dd454d3c842f6c48d2d90bc77117d
 2022-03-04 17:45:38 +00:00
Adam Shih
9817dff3d6 remove obsolete code after SELinux is enforced am: 9ba4c9120d 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17076606

Change-Id: I9a3cc9a9fd9e67d4dc59d9a93040e538c63844f5
 2022-03-04 09:12:13 +00:00
Adam Shih
9ba4c9120d remove obsolete code after SELinux is enforced 
Bug: 207720645
Bug: 208527900
Bug: 208721673
Bug: 205072922
Test: boot with no relevant errors
Change-Id: I68931cc24c55beea52c246a06f268ea2be7d1ecf
 2022-03-04 08:47:59 +00:00
Midas Chien
8d4bd895eb Allow composer to read panel_idle_handle_exit sysfs node am: bef935f43d 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17005599

Change-Id: I8669fb4aee3b42dd8b1b9e62aa6220f33b627580
 2022-03-04 07:21:53 +00:00
Midas Chien
bef935f43d Allow composer to read panel_idle_handle_exit sysfs node 
Change panel_idle_exit_handle selinux type to sysfs_display to allow
composer to access it.

Bug: 202182467
Test: ls -Z to check selinux type
Test: composer can access it in enforce mode
Change-Id: I5e6c5036a946417c782f1389f4423cce69c4df77
 2022-03-04 06:55:04 +00:00
millerliang
68e9f1eda3 Fix AAudio avc denied am: 801b87fe71 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17052084

Change-Id: If2469a66fe436e6183912d7a43a005f4900accdf
 2022-03-04 06:19:06 +00:00
Adam Shih
32040ce078 grant bugreport access to camera debug system property am: 1616b97465 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17071447

Change-Id: Ie1362e9f46201122818b21355022368d3d383799
 2022-03-04 06:18:39 +00:00
millerliang
801b87fe71 Fix AAudio avc denied 
I auditd  : type=1400 audit(0.0:35): avc:
denied { map } for comm="binder:896_4" path="/dev/snd/pcmC0D0p"
dev="tmpfs" ino=1138 scontext=u:r:audioserver:s0
tcontext=u:object_r:audio_device:s0 tclass=chr_file permissive=0

E SELinux : avc:  denied  { find } for pid=887 uid=1041 name=audio
scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_service:s0
tclass=service_manager permissive=0

Bug: 222191260
Test: Flash TH ROM and test it by the following command
Test: test_steal_exclusive -c0

Signed-off-by: millerliang <millerliang@google.com>
Change-Id: I8ea6741f3682b568de089d040d511b68938374ab
 2022-03-04 06:14:55 +00:00
Adam Shih
1616b97465 grant bugreport access to camera debug system property 
Bug: 221384770
Test: do bugreport without seeing relevant error
Change-Id: Ie27ac5f2c6e13ec31ccec2adb11762dacab1fbdf
 2022-03-04 05:58:20 +00:00
Jack Yu
0a4921d8ea Allow platform_app to access Nfc service am: 450f61d51b 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17049976

Change-Id: I444b7cd68f067ad4490f975884d05bd7fab81189
 2022-03-04 03:11:59 +00:00
Jack Yu
450f61d51b Allow platform_app to access Nfc service 
Fix selinux denial below.
avc:  denied  { find } for pid=11183 uid=10224 name=nfc
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:nfc_service:s0 tclass=service_manager
permissive=0

Bug: 222387662
Test: build pass
Change-Id: If97d8141acab23b4e13ea65ce28589195ef7ad9e
 2022-03-04 02:46:29 +00:00
Jinting Lin
b95ad92096 Allow modem diagnostic app to access default prop am: c3612c7097 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17072663

Change-Id: Iba2f39b55334d40dc8339433b0b955dc29f1be80
 2022-03-04 01:54:47 +00:00
Jinting Lin
c3612c7097 Allow modem diagnostic app to access default prop 
log:
avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=154 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.google.mds

Bug: 222509956
Change-Id: I50302b38f074e3f1a078ee48896154353e0937b6
 2022-03-04 01:35:39 +00:00
Devin Moore
6ce3b8a590 Add the init_boot partition sepolicy am: ac44b340d3 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17070163

Change-Id: If8db325971ac8ecd1d3ae318ab942df98bc847d8
 2022-03-03 20:30:36 +00:00
Devin Moore
ac44b340d3 Add the init_boot partition sepolicy 
Tagging the partition as a boot_block_device so everything that had
permission to read/write to the boot partition now also has permissions
for this new init_boot partition.

This is required for update_engine to be able to write to init_boot on
builds that are enforcing sepolicy.

Bug: 222052598
Test: adb shell setenforce 1 && update_device.py ota.zip

Merged-In: Ic991fa314c8a6fdb848199a626852a68a57d1df5
Change-Id: Ic991fa314c8a6fdb848199a626852a68a57d1df5
 2022-03-03 20:01:09 +00:00
Robb Glasser
3bd74d90b2 Add hal_graphics_composer_default to sensors sepolicy. am: 990294708f 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17051308

Change-Id: I692867ec79753dbd0c4f3909d26549d51c5e8f7d
 2022-03-03 19:11:41 +00:00
Robb Glasser
990294708f Add hal_graphics_composer_default to sensors sepolicy. 
Bug: 221396170
Test: No avc denial.

Change-Id: I23299524dec50d8c589c6acc9da8b3c8c3399f97
 2022-03-03 18:42:58 +00:00
Nishok Kumar S
dd3de4d24e Allow camera HAL and GCA to access Aurora GXP device. am: e95f5edafe 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17035623

Change-Id: If5cbce0c7a2489272853813e915a58560e1cfe86
 2022-03-03 04:30:16 +00:00
Nishok Kumar S
e95f5edafe Allow camera HAL and GCA to access Aurora GXP device. 
The camera HAL and Google Camera App
need selinux permission to run workloads on Aurora DSP. This
change adds the selinux rules too allow these clients to
access the GXP device and load firmware onto DSP cores
in order to execute workloads on DSP.

Bug: 220086991
Test: Verified that the camera HAL service and GCA app is able to access the GXP device and load GXP firmware.
Change-Id: I1bd327cfbe5b37c88154acda54bf6c396e939289
 2022-03-03 04:02:33 +00:00
Robert Lee
fd043e784a Fix selinux error for aocd am: 129ef29bc8 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17050631

Change-Id: I12907f22900800c745b69d263208dae82f0b4d4d
 2022-03-03 02:52:11 +00:00
Robert Lee
129ef29bc8 Fix selinux error for aocd 
allow write permission to fix following error
auditd  : type=1400 audit(0.0:4): avc: denied { write } for comm="aocd" name="aoc" dev="tmpfs" ino=497 scontext=u:r:aocd:s0 tcontext=u:object_r:aoc_device:s0 tclass=chr_file permissive=0

Bug: 198490099
Test: no avc deny when enable no_ap_restart
Change-Id: I06dc99f1a5859589b33f89ce435745d15e2e5749
Signed-off-by: Robert Lee <lerobert@google.com>
 2022-03-03 02:22:53 +00:00
Siddharth Kapoor
dbefffd54b Add libgpudataproducer as sphal am: 2d43200489 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17052905

Change-Id: I92c4b3a7dee9578980ca4850e744921782ea16f8
 2022-03-03 01:24:36 +00:00
Jinting Lin
b0cb6083a9 Fix avc denied for slsi engineermode app am: 94d7f6cce6 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17041066

Change-Id: I300f01cc8f98c7b740f327ef655dfcd5648b13ca
 2022-03-03 01:24:31 +00:00
Siddharth Kapoor
2d43200489 Add libgpudataproducer as sphal 
Bug: 222042714
Test: CtsGpuProfilingDataTestCases passes on User build

Signed-off-by: Siddharth Kapoor <ksiddharth@google.com>
Change-Id: I1997f3e66327486f15b1aa742aa8e82855b07e05
 2022-03-03 01:08:52 +00:00
Jinting Lin
94d7f6cce6 Fix avc denied for slsi engineermode app 
log:
avc: denied  { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:platform_app:s0:c512,c768 pid=5111 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0
avc: denied { call } for comm="si.engineermode" scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=0 app=com.samsung.slsi.engineermode
avc: denied { call } for comm="HwBinder:1016_1" scontext=u:r:rild:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=binder permissive=0
avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=154 scontext=u:r:vendor_engineermode_app:s0:c225,c256,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.samsung.slsi.engineermode

Test: side load the trail build sepolicy, then check the app

Bug: 221482792
Change-Id: I84768ed128a2b8c57d6a3e0a0f0aa8c4d4b91857
 2022-03-03 01:01:08 +00:00
sukiliu
d0afc4ccf5 update error on ROM 8223177 am: b1c5fcff3d 
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs201-sepolicy/+/17005595

Change-Id: I43a4d7d92ba5bb868d0e9167afbb5af5dac852c9
 2022-03-02 06:49:10 +00:00
sukiliu
b1c5fcff3d update error on ROM 8223177 
Bug: 221384981
Bug: 221384939
Bug: 221384996
Bug: 221384768
Bug: 221384770
Bug: 221384860
Test: PtsSELinuxTestCases
Change-Id: I50916dca7548bce0e77d90a36ad8f9ba1ca7c711
 2022-03-02 06:30:05 +00:00