From eeb18c67fd3c3d9457237a0b3a75f3ccdaf4f952 Mon Sep 17 00:00:00 2001 From: Bill Rassieur Date: Tue, 22 Feb 2022 14:32:34 -0800 Subject: [PATCH 01/78] Initial empty repository From aa2098ee189025b14460084299e383fb7a68c0af Mon Sep 17 00:00:00 2001 From: Roger Liao Date: Tue, 8 Mar 2022 23:10:42 +0800 Subject: [PATCH 02/78] Initial device tangorpro sepolicy Bug: 220073297 Change-Id: Icbae09127d46c74aaa49bf417be263e62ce0c0ca --- OWNERS | 3 +++ bluetooth/device.te | 1 + bluetooth/file_contexts | 5 +++++ bluetooth/genfs_contexts | 1 + bluetooth/hal_bluetooth_default.te | 9 +++++++++ bluetooth/hwservice.te | 2 ++ bluetooth/hwservice_contexts | 3 +++ tangorpro-sepolicy.mk | 2 ++ vendor/README.txt | 2 ++ vendor/device.te | 2 ++ vendor/file_contexts | 12 ++++++++++++ vendor/hal_wifi_ext.te | 1 + 12 files changed, 43 insertions(+) create mode 100644 OWNERS create mode 100644 bluetooth/device.te create mode 100644 bluetooth/file_contexts create mode 100644 bluetooth/genfs_contexts create mode 100644 bluetooth/hal_bluetooth_default.te create mode 100644 bluetooth/hwservice.te create mode 100644 bluetooth/hwservice_contexts create mode 100644 tangorpro-sepolicy.mk create mode 100644 vendor/README.txt create mode 100644 vendor/device.te create mode 100644 vendor/file_contexts create mode 100644 vendor/hal_wifi_ext.te diff --git a/OWNERS b/OWNERS new file mode 100644 index 0000000..791abb4 --- /dev/null +++ b/OWNERS @@ -0,0 +1,3 @@ +include platform/system/sepolicy:/OWNERS + +rurumihong@google.com diff --git a/bluetooth/device.te b/bluetooth/device.te new file mode 100644 index 0000000..7ed13ad --- /dev/null +++ b/bluetooth/device.te @@ -0,0 +1 @@ +type bt_device, dev_type; diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts new file mode 100644 index 0000000..da02008 --- /dev/null +++ b/bluetooth/file_contexts 
@@ -0,0 +1,5 @@
+# Bluetooth
+/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
+
+/dev/btpower u:object_r:bt_device:s0
+/dev/ttySAC18 u:object_r:hci_attach_dev:s0
diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts
new file mode 100644
index 0000000..2b2d437
--- /dev/null
+++ b/bluetooth/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:btqcom/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te
new file mode 100644
index 0000000..dcd2b7f
--- /dev/null
+++ b/bluetooth/hal_bluetooth_default.te
@@ -0,0 +1,9 @@
+allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
+
+add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice)
+
+userdebug_or_eng(`
+ allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir rw_dir_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file { create_file_perms };
+ set_prop(hal_bluetooth_default, vendor_ssrdump_prop)
+')
diff --git a/bluetooth/hwservice.te b/bluetooth/hwservice.te
new file mode 100644
index 0000000..8a5ae49
--- /dev/null
+++ b/bluetooth/hwservice.te
@@ -0,0 +1,2 @@
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts
new file mode 100644
index 0000000..edd952b
--- /dev/null
+++ b/bluetooth/hwservice_contexts
@@ -0,0 +1,3 @@
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk
new file mode 100644
index 0000000..97cf380
--- /dev/null
+++ b/tangorpro-sepolicy.mk
@@ -0,0 +1,2 @@ +# sepolicy that are shared among devices using whitechapel +BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/vendor diff --git a/vendor/README.txt b/vendor/README.txt new file mode 100644 index 0000000..67a320f --- /dev/null +++ b/vendor/README.txt @@ -0,0 +1,2 @@ +This folder holds sepolicy exclusively for one device. For example, genfs_contexts +paths that are affected by device tree. diff --git a/vendor/device.te b/vendor/device.te new file mode 100644 index 0000000..3e16875 --- /dev/null +++ b/vendor/device.te @@ -0,0 +1,2 @@ +# Wifi +type vendor_wlan_device, dev_type; \ No newline at end of file diff --git a/vendor/file_contexts b/vendor/file_contexts new file mode 100644 index 0000000..46faec0 --- /dev/null +++ b/vendor/file_contexts @@ -0,0 +1,12 @@ +# Devices +/dev/lwis-act-lc898129 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x-imx712 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x-imx712-uw u:object_r:lwis_device:s0 +/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx712 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx712-uw u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx787 u:object_r:lwis_device:s0 + +# Wifi +/dev/wlan u:object_r:vendor_wlan_device:s0 diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te new file mode 100644 index 0000000..c5cf260 --- /dev/null +++ b/vendor/hal_wifi_ext.te @@ -0,0 +1 @@ +allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms; From b72de76e7b132acf7264793148fccfb2824a86b5 Mon Sep 17 00:00:00 2001 From: Super Liu Date: Wed, 4 May 2022 11:02:31 +0800 Subject: [PATCH 03/78] Initial touch sepolicy. Bug: 193467774 Test: check touch sepolicy attribute from TreeHugger build rom. Signed-off-by: Super Liu Change-Id: Ie3ccb47133dd9812ea91df59e1f9124bea1867c6 --- vendor/genfs_contexts | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 vendor/genfs_contexts 
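Review bot: tangorpro-sepolicy.mk adds only `device/google/tangorpro-sepolicy/vendor` to `BOARD_SEPOLICY_DIRS`, while the same commit creates policy under `bluetooth/`; unless a makefile outside this patch includes that directory, the Bluetooth types and rules are never compiled into the device policy. If it is meant to be built from here, add `BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/bluetooth`. The comment `# sepolicy that are shared among devices using whitechapel` also disagrees with vendor/README.txt, which describes the folder as holding policy exclusively for one device; `# tangorpro-specific sepolicy` would match the README.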
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts new file mode 100644 index 0000000..b369f4c --- /dev/null +++ b/vendor/genfs_contexts @@ -0,0 +1,10 @@ +# Touch +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 +genfscon proc /nvt_baseline u:object_r:proc_touch:s0 +genfscon proc /nvt_cc_uniformity u:object_r:proc_touch:s0 +genfscon proc /nvt_diff u:object_r:proc_touch:s0 +genfscon proc /nvt_fw_update u:object_r:proc_touch:s0 +genfscon proc /nvt_fw_version u:object_r:proc_touch:s0 +genfscon proc /nvt_heatmap u:object_r:proc_touch:s0 +genfscon proc /nvt_raw u:object_r:proc_touch:s0 +genfscon proc /nvt_selftest u:object_r:proc_touch:s0 From 2d23765f0b0f53d701c1f32d0be7fe7da5064983 Mon Sep 17 00:00:00 2001 From: Super Liu Date: Wed, 4 May 2022 13:27:00 +0800 Subject: [PATCH 04/78] sepolicy: allow system_server to read sysfs_touch. Bug: 231385413 Test: presubmit pass. Signed-off-by: Super Liu Change-Id: Ica2e457d951e3de28fa7271eef03437c3203a373 --- vendor/system_server.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 vendor/system_server.te diff --git a/vendor/system_server.te b/vendor/system_server.te new file mode 100644 index 0000000..b17b985 --- /dev/null +++ b/vendor/system_server.te @@ -0,0 +1 @@ +allow system_server sysfs_touch:file r_file_perms; From 37bb48c05ed24fd71b2d182b88d8e8b70f328b6d Mon Sep 17 00:00:00 2001 From: Himanshu Rawat Date: Wed, 18 May 2022 08:26:58 +0000 Subject: [PATCH 05/78] T6Pro Bluetooth bringup SE policy update for Synaptics BT HAL Bug: 224685891 Test: Manual Change-Id: Ib80bece50509d01828b3f6e8c3794ee3d3ed1e56 --- bluetooth/file_contexts | 3 +-- bluetooth/genfs_contexts | 4 +++- bluetooth/hal_bluetooth_default.te | 26 +++++++++++++++++++------- 3 files changed, 23 insertions(+), 10 deletions(-) diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts index da02008..66d690f 100644 --- a/bluetooth/file_contexts +++ b/bluetooth/file_contexts 
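Review bot: `allow system_server sysfs_touch:file r_file_perms;` in vendor/system_server.te has no comment saying which touch attribute system_server reads or why. The genfscon entry added by the preceding patch labels the whole `spi0.0` subtree as `sysfs_touch`, so this rule exposes every attribute under that path to system_server rather than a single node. A one-line comment such as `# <feature> reads <attribute> under spi0.0` (placeholders for the author to fill in) would let a later audit decide whether a narrower label is possible.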
@@ -1,5 +1,4 @@ # Bluetooth -/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0 +/vendor/bin/hw/android\.hardware\.bluetooth@1\.1-service\.synabtlinux u:object_r:hal_bluetooth_synabtlinux_exec:s0 -/dev/btpower u:object_r:bt_device:s0 /dev/ttySAC18 u:object_r:hci_attach_dev:s0 diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts index 2b2d437..d18d164 100644 --- a/bluetooth/genfs_contexts +++ b/bluetooth/genfs_contexts @@ -1 +1,3 @@ -genfscon sysfs /devices/platform/odm/odm:btqcom/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te index dcd2b7f..b8091d9 100644 --- a/bluetooth/hal_bluetooth_default.te +++ b/bluetooth/hal_bluetooth_default.te 
@@ -1,9 +1,21 @@ -allow hal_bluetooth_default bt_device:chr_file rw_file_perms; +type hal_bluetooth_synabtlinux, domain; +type hal_bluetooth_synabtlinux_exec, exec_type, file_type, vendor_file_type; -add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice) +hal_server_domain(hal_bluetooth_synabtlinux, hal_bluetooth) +init_daemon_domain(hal_bluetooth_synabtlinux) -userdebug_or_eng(` - allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir rw_dir_perms; - allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file { create_file_perms }; - set_prop(hal_bluetooth_default, vendor_ssrdump_prop) -') +allow hal_bluetooth_synabtlinux self:socket { create bind read write }; +allow hal_bluetooth_synabtlinux self:bluetooth_socket { create bind read write }; +allow hal_bluetooth_synabtlinux hci_attach_dev:chr_file rw_file_perms; +allow hal_bluetooth_synabtlinux hal_power_stats_vendor_service:service_manager find; +add_hwservice(hal_bluetooth_synabtlinux, hal_bluetooth_coexistence_hwservice) +vndbinder_use(hal_bluetooth_synabtlinux) + +allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; +allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms; + + userdebug_or_eng(` + allow hal_bluetooth_synabtlinux logbuffer_device:chr_file r_file_perms; + allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms; + allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:file create_file_perms; + ') From 07b7d71e5b9f10c91f02d87ed6c3404e4edf8db8 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Fri, 17 Jun 2022 16:04:00 +0800 Subject: [PATCH 06/78] sepolicy: allows dock power supply permission Bug: 232723240 Test: can dump dock power supply in dumpstate Signed-off-by: Jack Wu Change-Id: I955d72393bbe3413e56e6931a35e8cfa046001be Signed-off-by: Jonglin Lee --- vendor/genfs_contexts | 6 ++++++ 1 file changed, 6 insertions(+) 
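Review bot: The two `sscoredump_vendor_data_crashinfo_file` rules in bluetooth/hal_bluetooth_default.te now sit outside `userdebug_or_eng` and grant `create_dir_perms`, so on user builds the Bluetooth HAL can create and remove directories and files under that type; the policy being replaced granted only `rw_dir_perms` on the directory, and only on debug builds. If crash info is not required on user builds, move both rules into the `userdebug_or_eng` block below them; if it is required, add a comment saying so and consider keeping the directory rule at `rw_dir_perms`. Separately, `allow hal_bluetooth_synabtlinux self:socket { create bind read write };` uses the generic `socket` class, and a comment naming the address family that needs it would help later review. The file still carries the name hal_bluetooth_default.te although it now defines `hal_bluetooth_synabtlinux`.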
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index b369f4c..eb64267 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -1,3 +1,6 @@ +# Dock +genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 + # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 genfscon proc /nvt_baseline u:object_r:proc_touch:s0 @@ -8,3 +11,6 @@ genfscon proc /nvt_fw_version u:object_ genfscon proc /nvt_heatmap u:object_r:proc_touch:s0 genfscon proc /nvt_raw u:object_r:proc_touch:s0 genfscon proc /nvt_selftest u:object_r:proc_touch:s0 + +# system suspend wakeup files +genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 From 904d1b1e5b92ef29a4ee0e099c1841222d2776a1 Mon Sep 17 00:00:00 2001 From: eddielan Date: Tue, 28 Jun 2022 18:47:07 +0800 Subject: [PATCH 07/78] fingerprint: Add new lable for capacitance fingerprint u:object_r:hal_fingerprint_capacitance_exec:s0 android.hardware.biometrics.fingerprint-service.fpc42 Bug: 232500959 Test: make selinux_policy -j128 Test: Check binary sepolicy on device Change-Id: I565030896b6e3ce2d0eec380415148ebfb623469 --- fingerprint_capacitance/file.te | 1 + fingerprint_capacitance/file_contexts | 1 + fingerprint_capacitance/genfs_contexts | 1 + .../hal_fingerprint_capacitance.te | 24 +++++++++++++++++++ tangorpro-sepolicy.mk | 3 +++ 5 files changed, 30 insertions(+) create mode 100644 fingerprint_capacitance/file.te create mode 100644 fingerprint_capacitance/file_contexts create mode 100644 fingerprint_capacitance/genfs_contexts create mode 100644 fingerprint_capacitance/hal_fingerprint_capacitance.te diff --git a/fingerprint_capacitance/file.te b/fingerprint_capacitance/file.te new file mode 100644 index 0000000..0218b46 --- /dev/null +++ b/fingerprint_capacitance/file.te @@ -0,0 +1 @@ +type sysfs_fingerprint, sysfs_type, fs_type; 
diff --git a/fingerprint_capacitance/file_contexts b/fingerprint_capacitance/file_contexts
new file mode 100644
index 0000000..aa6d801
--- /dev/null
+++ b/fingerprint_capacitance/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42 u:object_r:hal_fingerprint_capacitance_exec:s0
diff --git a/fingerprint_capacitance/genfs_contexts b/fingerprint_capacitance/genfs_contexts
new file mode 100644
index 0000000..9fe2a86
--- /dev/null
+++ b/fingerprint_capacitance/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te
new file mode 100644
index 0000000..23b31e4
--- /dev/null
+++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te
@@ -0,0 +1,24 @@
+# hal_fingerprint_capacitance definition
+type hal_fingerprint_capacitance, domain;
+hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint)
+
+type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_capacitance)
+
+set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)
+
+# allow fingerprint to access file
+allow hal_fingerprint_capacitance fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms;
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_capacitance, hal_power);
+
+# allow fingerprint to find fwk service
+allow hal_fingerprint_capacitance fwk_stats_service:service_manager find;
+
+# allow fingerprint to access input_device
+allow hal_fingerprint_capacitance input_device:dir r_dir_perms;
+allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;
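Review bot: `allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;` at the end of hal_fingerprint_capacitance.te gives the fingerprint HAL read and write access to every node labelled `input_device`, not just the one event node the sensor driver presumably exposes. The hunk does not show which node the HAL opens, so please either label that node with a dedicated type in file_contexts and grant access to it alone, or extend the comment `# allow fingerprint to access input_device` to say which device is used and whether write access is needed. If the HAL only consumes events, `r_file_perms` would be enough. The trailing `;` after `hal_client_domain(hal_fingerprint_capacitance, hal_power)` is inconsistent with the other macro calls in the file and can be dropped.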
diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk index 97cf380..6df37be 100644 --- a/tangorpro-sepolicy.mk +++ b/tangorpro-sepolicy.mk @@ -1,2 +1,5 @@ # sepolicy that are shared among devices using whitechapel BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/vendor + +# fingerprint +BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance From 24d426e003d3d8eb089a1b1aaa54ef406e6b96bf Mon Sep 17 00:00:00 2001 From: Chungjui Fan Date: Wed, 8 Jun 2022 21:55:56 +0800 Subject: [PATCH 08/78] Add sepolicy to support lights HAL Bug: 230288032 Test: atest VtsHalLightTargetTest Change-Id: I4fd54341d4ef6a91cb84f0881725985f05abf2d5 --- vendor/file.te | 2 ++ vendor/file_contexts | 4 ++++ vendor/genfs_contexts | 3 +++ vendor/hal_lights.te | 5 +++++ 4 files changed, 14 insertions(+) create mode 100644 vendor/file.te create mode 100644 vendor/hal_lights.te diff --git a/vendor/file.te b/vendor/file.te new file mode 100644 index 0000000..61f075b --- /dev/null +++ b/vendor/file.te @@ -0,0 +1,2 @@ +# Privacy LED +type persist_leds_file, file_type, vendor_persist_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 46faec0..67ce2c0 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -10,3 +10,7 @@ # Wifi /dev/wlan u:object_r:vendor_wlan_device:s0 + +# Privacy LED +/vendor/bin/hw/android\.hardware\.lights-service\.tangorpro u:object_r:hal_light_default_exec:s0 +/mnt/vendor/persist/led(/.*)? u:object_r:persist_leds_file:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index eb64267..c72c5db 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -14,3 +14,6 @@ genfscon proc /nvt_selftest u:object_ # system suspend wakeup files genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 + +# Privacy LED +genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0 
diff --git a/vendor/hal_lights.te b/vendor/hal_lights.te new file mode 100644 index 0000000..ac536de --- /dev/null +++ b/vendor/hal_lights.te @@ -0,0 +1,5 @@ +allow hal_light_default sysfs_leds:dir search; +allow hal_light_default sysfs_leds:file rw_file_perms; +allow hal_light_default mnt_vendor_file:dir search; +allow hal_light_default persist_file:dir search; +r_dir_file(hal_light_default, persist_leds_file); From ae3a1d0737b8e1563c248710a9cd14c53df76a4c Mon Sep 17 00:00:00 2001 From: horngchuang Date: Mon, 27 Jun 2022 17:35:16 +0800 Subject: [PATCH 09/78] sepolicy: Correct the camera sepolicy for T6Pro Bug: 233171614 Test: local build Pass, boot to Home Change-Id: Id0af2fb48e4e79e7900a9e3fb33224e5f8f52bc4 --- vendor/file_contexts | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index 46faec0..4b23578 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,12 +1,8 @@ # Devices -/dev/lwis-act-lc898129 u:object_r:lwis_device:s0 -/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0 -/dev/lwis-eeprom-m24c64x-imx712 u:object_r:lwis_device:s0 -/dev/lwis-eeprom-m24c64x-imx712-uw u:object_r:lwis_device:s0 -/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0 -/dev/lwis-sensor-imx712 u:object_r:lwis_device:s0 -/dev/lwis-sensor-imx712-uw u:object_r:lwis_device:s0 -/dev/lwis-sensor-imx787 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-front u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-rear u:object_r:lwis_device:s0 +/dev/lwis-sensor-medusa-front u:object_r:lwis_device:s0 +/dev/lwis-sensor-medusa-rear u:object_r:lwis_device:s0 # Wifi /dev/wlan u:object_r:vendor_wlan_device:s0 From 3c989e7f018e8fcf34c06b825fe5a078d5d9a464 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Thu, 14 Jul 2022 13:02:07 +0800 Subject: [PATCH 10/78] Setup tracking folder Bug: 234547283 Test: build pass Change-Id: I30b74797c2556fcf19636ed2cea401d58f85cbc2 --- tangorpro-sepolicy.mk | 1 + tracking_denials/README.txt | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 tracking_denials/README.txt diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk index 6df37be..dcd4384 100644 --- a/tangorpro-sepolicy.mk +++ b/tangorpro-sepolicy.mk @@ -1,5 +1,6 @@ # sepolicy that are shared among devices using whitechapel BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/vendor +BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/tracking_denials # fingerprint BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance diff --git a/tracking_denials/README.txt b/tracking_denials/README.txt new file mode 100644 index 0000000..6cfc62d --- /dev/null +++ b/tracking_denials/README.txt @@ -0,0 +1,2 @@ +This folder stores known errors detected by PTS. Be sure to remove relevant +files to reproduce error log on latest ROMs. From 5cc0905307e4b5be727a88f1d11a5c3e399e3616 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 15 Jul 2022 10:23:55 +0800 Subject: [PATCH 11/78] Update SELinux error Test: checkSensors Bug: 239115418 Test: checkLockScreen Bug: 239115418 Test: scanBugreport Bug: 239115418 Change-Id: I36ba54820939f24d8f5293e1ba252fd0f6a9e970 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) create mode 100644 tracking_denials/bug_map diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 0000000..3cf5e4c --- /dev/null +++ b/tracking_denials/bug_map @@ -0,0 +1 @@ +hal_dumpstate_default modem_stat_data_file dir b/239115418 From 834dc1b842d8aac9b3ac3180c7e5777627bfbcfd Mon Sep 17 00:00:00 2001 
From: Super Liu Date: Mon, 18 Jul 2022 10:19:19 +0800 Subject: [PATCH 12/78] Allow vendor_init to read gesture_prop. Logs: 07-15 04:04:39.052 1 1 I auditd : type=1107 audit(0.0:4): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=persist.sys.tap_gesture pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:gesture_prop:s0 tclass=file permissive=0' 07-15 04:04:39.087 1 1 E init : /vendor/etc/init/hw/init.tangorpro.rc: 48: ParseTriggers() failed: unexported property trigger found: persist.sys.tap_gesture Test: check Treehugger build for sepolicy. Bug: 201610482 Signed-off-by: Super Liu Change-Id: I2072ce786bf9f3590487b1807672e993764cc6f0 --- vendor/vendor_init.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 vendor/vendor_init.te diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te new file mode 100644 index 0000000..de38b6f --- /dev/null +++ b/vendor/vendor_init.te @@ -0,0 +1 @@ +get_prop(vendor_init, gesture_prop) From aebc367bfa11485f663db8f09ad10f4719f76540 Mon Sep 17 00:00:00 2001 From: Badhri Jagan Sridharan Date: Tue, 23 Aug 2022 19:56:46 +0000 Subject: [PATCH 13/78] Port pogo sepolicy for target This is port of <0fe78c45624ac71c303f28d214d04f5382744110> and from previous target. Bug: 242751127 Signed-off-by: Badhri Jagan Sridharan Change-Id: I20205c63dc226c6863215b29e11b8c4b626b6010 --- vendor/file.te | 3 +++ vendor/genfs_contexts | 9 +++++++++ vendor/hal_usb_impl.te | 2 ++ 3 files changed, 14 insertions(+) create mode 100644 vendor/hal_usb_impl.te diff --git a/vendor/file.te b/vendor/file.te index 61f075b..fbe56b3 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,2 +1,5 @@ # Privacy LED type persist_leds_file, file_type, vendor_persist_type; + +#Pogo USB control & status +type sysfs_pogo_usb, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index c72c5db..c88c459 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -17,3 +17,12 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_ # Privacy LED genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0 + + +# Pogo usb control & status +genfscon sysfs /devices/platform/google,pogo/pogo_usb_active u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/pogo_usb_capable u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/pogo_docked u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/equal_priority u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/move_data_to_usb u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/extcon u:object_r:sysfs_extcon:s0 diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te new file mode 100644 index 0000000..4f1bfbc --- /dev/null +++ b/vendor/hal_usb_impl.te @@ -0,0 +1,2 @@ +# For Pogo usb management +allow hal_usb_impl sysfs_pogo_usb:file rw_file_perms; From f7be842d13a4b301b35db11a77e940eb1f69ce86 Mon Sep 17 00:00:00 2001 From: Chungjui Fan Date: Thu, 8 Sep 2022 09:12:30 +0000 Subject: [PATCH 14/78] Migrate LED sepolicy used by dumpstate to gs201 Bug: 242300919 Change-Id: I1b7f4be6670ef645df932207ece4746fcedb9e39 --- vendor/file.te | 3 --- vendor/file_contexts | 1 - vendor/genfs_contexts | 4 ---- 3 files changed, 8 deletions(-) diff --git a/vendor/file.te b/vendor/file.te index fbe56b3..0b57fda 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,5 +1,2 @@ -# Privacy LED -type persist_leds_file, file_type, vendor_persist_type; - #Pogo USB control & status type sysfs_pogo_usb, sysfs_type, fs_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 33c5854..cd84223 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -9,4 +9,3 @@ # Privacy LED /vendor/bin/hw/android\.hardware\.lights-service\.tangorpro u:object_r:hal_light_default_exec:s0 -/mnt/vendor/persist/led(/.*)? u:object_r:persist_leds_file:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index c88c459..8c343a0 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -15,10 +15,6 @@ genfscon proc /nvt_selftest u:object_ # system suspend wakeup files genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 -# Privacy LED -genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0 - - # Pogo usb control & status genfscon sysfs /devices/platform/google,pogo/pogo_usb_active u:object_r:sysfs_pogo_usb:s0 genfscon sysfs /devices/platform/google,pogo/pogo_usb_capable u:object_r:sysfs_pogo_usb:s0 From f3b6df78dafdf7693310c7a2bdd460c28e426009 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Mon, 12 Sep 2022 16:02:38 +0800 Subject: [PATCH 15/78] sepolicy: add missing sysfs_wakeup labels Bug: 245434941 Test: run vts -m SuspendSepolicyTests Change-Id: I4873bbba4e6e276722037680056d4e003f8a0da9 Signed-off-by: Darren Hsu --- vendor/genfs_contexts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index c88c459..3125367 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -13,7 +13,10 @@ genfscon proc /nvt_raw u:object_ genfscon proc /nvt_selftest u:object_r:proc_touch:s0 # system suspend wakeup files -genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/nvt-pen-battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/input/input2/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0 # Privacy LED genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0 From ccd9f49f2bfafe83993345558d03ac344db3295a Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Tue, 13 Sep 2022 10:19:09 +0800 Subject: [PATCH 16/78] RESTRICT AUTOMERGE sepolicy: allow binder call for hal_power_stats and hal_bluetooth avc: denied { call } for comm="bluetooth@1.1-s" scontext=u:r:hal_bluetooth_synabtlinux:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=0 avc: denied { call } for scontext=u:r:hal_bluetooth_synabtlinux:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=1 avc: denied { read } for comm="android.hardwar" name="u:object_r:boot_status_prop:s0" dev="tmpfs" ino=109 scontext=u:r:hal_bluetooth_synabtlinux:s0 tcontext=u:object_r:boot_status_prop:s0 tclass=file permissive=0 Bug: 215487801 Test: captured bugreport and didn't see powerstats avc denials Change-Id: I34840b7f8031084270477635c2bde5d702a0507c Signed-off-by: Darren Hsu --- bluetooth/hal_bluetooth_default.te | 2 ++ vendor/hal_power_stats_default.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 vendor/hal_power_stats_default.te diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te index b8091d9..c764133 100644 
--- a/bluetooth/hal_bluetooth_default.te +++ b/bluetooth/hal_bluetooth_default.te @@ -10,6 +10,8 @@ allow hal_bluetooth_synabtlinux hci_attach_dev:chr_file rw_file_perms; allow hal_bluetooth_synabtlinux hal_power_stats_vendor_service:service_manager find; add_hwservice(hal_bluetooth_synabtlinux, hal_bluetooth_coexistence_hwservice) vndbinder_use(hal_bluetooth_synabtlinux) +binder_call(hal_bluetooth_synabtlinux, hal_power_stats_default) +get_prop(hal_bluetooth_synabtlinux, boot_status_prop) allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms; diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te new file mode 100644 index 0000000..a81c9ba --- /dev/null +++ b/vendor/hal_power_stats_default.te @@ -0,0 +1,2 @@ +# getStateResidency AIDL callback for Bluetooth HAL +binder_call(hal_power_stats_default, hal_bluetooth_synabtlinux) From 39b4f3823a8349c043f1f098262d46db0e79b479 Mon Sep 17 00:00:00 2001 From: kuanyuhuang Date: Tue, 20 Sep 2022 09:35:22 +0000 Subject: [PATCH 17/78] Add binder call for grilservice and hal_bluetooth Gril calls setBluetoothModeBasedTxPowerCap to bluetooh HAL for SAR feature. Bug: 244409539 Test: build pass and check grilservice can bind with IBluetoothSar Change-Id: Ie563cdbe126371d50bb996a0d4d10fd5f52e8d6f --- vendor/grilservice_app.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 vendor/grilservice_app.te diff --git a/vendor/grilservice_app.te b/vendor/grilservice_app.te new file mode 100644 index 0000000..763121c --- /dev/null +++ b/vendor/grilservice_app.te @@ -0,0 +1,2 @@ +# setBluetoothModeBasedTxPowerCap for SAR +binder_call(grilservice_app, hal_bluetooth_synabtlinux) From 36714befbb443261a2a3f7c0b0986e12a15d0df7 Mon Sep 17 00:00:00 2001 
From: Darren Hsu Date: Wed, 28 Sep 2022 09:36:26 +0800 Subject: [PATCH 18/78] sepolicy: add sysfs_wakeup labels for acpm Bug: 248974063 Test: run vts -m SuspendSepolicyTests Change-Id: Ie96d282d7a6b61bafff4b66f63ff320d80a3b4f2 Signed-off-by: Darren Hsu --- vendor/genfs_contexts | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 527f89f..a56fbc8 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -13,10 +13,15 @@ genfscon proc /nvt_raw u:object_ genfscon proc /nvt_selftest u:object_r:proc_touch:s0 # system suspend wakeup files -genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/nvt-pen-battery/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/input/input2/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/nvt-pen-battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/input/input2/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0 # Pogo usb control & status genfscon sysfs /devices/platform/google,pogo/pogo_usb_active u:object_r:sysfs_pogo_usb:s0 From 938a12a2dc68108268754c93e99f253628fff0e7 Mon Sep 17 00:00:00 2001 
From: matthuang Date: Tue, 27 Sep 2022 11:29:45 +0800 Subject: [PATCH 19/78] Sepolicy for hall effect notification. Bug: 241474630 Test: Check selinux log. Change-Id: Ia4dc303849c98a7c067a2fb0426b7a7b6d3d0301 --- vendor/genfs_contexts | 3 +++ vendor/hal_sensors_default.te | 6 ++++++ 2 files changed, 9 insertions(+) create mode 100644 vendor/hal_sensors_default.te diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 527f89f..ec05c4d 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -25,3 +25,6 @@ genfscon sysfs /devices/platform/google,pogo/pogo_docked u:object_ genfscon sysfs /devices/platform/google,pogo/equal_priority u:object_r:sysfs_pogo_usb:s0 genfscon sysfs /devices/platform/google,pogo/move_data_to_usb u:object_r:sysfs_pogo_usb:s0 genfscon sysfs /devices/platform/google,pogo/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/google,pogo/hall1_s u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/hall1_n u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/hall2_s u:object_r:sysfs_pogo_usb:s0 diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te new file mode 100644 index 0000000..978d9b4 --- /dev/null +++ b/vendor/hal_sensors_default.te @@ -0,0 +1,6 @@ +# +# USF sensor HAL SELinux type enforcements. +# + +# Allow sensor HAL to access pogo driver hall file node. +allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms; From c579440a1f924577bc2cd33e80311211b0db5bdf Mon Sep 17 00:00:00 2001 
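Review bot: `allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms;` in vendor/hal_sensors_default.te grants more than its comment describes, because `sysfs_pogo_usb` also labels the USB control nodes added earlier (`pogo_usb_active`, `move_data_to_usb`, `equal_priority`), so the sensor HAL can now write those as well as the hall nodes. Giving `hall1_s`, `hall1_n` and `hall2_s` their own type in vendor/file.te and vendor/genfs_contexts (for example `sysfs_pogo_hall`, a name made up here) would keep the sensor HAL away from USB routing controls. If the HAL only reads hall state for notifications, which the commit subject suggests but the hunk does not confirm, the rule could also be `r_file_perms`.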
From: Ryan Chung Date: Thu, 29 Sep 2022 18:15:15 -0700 Subject: [PATCH 20/78] CastAuth: SELinux rules for the MediaDrm plugin Bug: 229298787 Test: Access Cast creds with MediaDrm plugin Change-Id: Iff9386dc1223a9f5a088d7ba2d2bc8bd73eebc00 --- vendor/file.te | 3 +++ vendor/file_contexts | 4 ++++ vendor/hal_drm_cast.te | 10 ++++++++++ vendor/service_contexts | 2 ++ 4 files changed, 19 insertions(+) create mode 100644 vendor/hal_drm_cast.te create mode 100644 vendor/service_contexts diff --git a/vendor/file.te b/vendor/file.te index 0b57fda..32ab75b 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,2 +1,5 @@ #Pogo USB control & status type sysfs_pogo_usb, sysfs_type, fs_type; + +# Cast device certificate +type device_cert_file, file_type, vendor_persist_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index cd84223..792f30a 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -9,3 +9,7 @@ # Privacy LED /vendor/bin/hw/android\.hardware\.lights-service\.tangorpro u:object_r:hal_light_default_exec:s0 + +# Cast Factory Credentials +/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0 +/mnt/vendor/persist/nest/cast_auth\.crt u:object_r:device_cert_file:s0 diff --git a/vendor/hal_drm_cast.te b/vendor/hal_drm_cast.te new file mode 100644 index 0000000..8ff3aee --- /dev/null +++ b/vendor/hal_drm_cast.te @@ -0,0 +1,10 @@ +type hal_drm_cast, domain; +type hal_drm_cast_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_drm_cast) +hal_server_domain(hal_drm_cast, hal_drm) + +allow hal_drm_cast mnt_vendor_file:dir search; +allow hal_drm_cast persist_file:dir search; +allow hal_drm_cast device_cert_file:file r_file_perms; +neverallow { domain -init -vendor_init -hal_drm_cast } device_cert_file:file no_rw_file_perms; diff --git a/vendor/service_contexts b/vendor/service_contexts new file mode 100644 index 0000000..f93a0e0 --- /dev/null +++ b/vendor/service_contexts 
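Review bot: The `neverallow { domain -init -vendor_init -hal_drm_cast } device_cert_file:file no_rw_file_perms;` line at the end of vendor/hal_drm_cast.te is checked against every domain in the combined policy, so an existing attribute-wide grant on `vendor_persist_type` files would fail the build. The later revert on this page ("Broke continuous build") and the one-line-shorter reland suggest, but do not confirm, that this is what happened. Before landing, run a full policy build for every target that includes this directory. If a conflict appears, subtract the specific domain from the neverallow set with a comment rather than removing the guard, since it is the only rule here that keeps other domains from reading the Cast credential. A comment above it such as `# Only the Cast DRM HAL may read the factory credential` would record the intent.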
@@ -0,0 +1,2 @@ +# Cast Factory Credentials +android.hardware.drm.IDrmFactory/castkey u:object_r:hal_drm_service:s0 From fae580c5ce2762b5ecae4183aefe7a31e78070c8 Mon Sep 17 00:00:00 2001 From: Ryan Ki Sing Chung Date: Tue, 4 Oct 2022 17:33:50 +0000 Subject: [PATCH 21/78] Revert "CastAuth: SELinux rules for the MediaDrm plugin" This reverts commit c579440a1f924577bc2cd33e80311211b0db5bdf. Reason for revert: Broke continuous build Bug: 250900568 Change-Id: I69982e605c645373c38040d4b8527180a4efcecc --- vendor/file.te | 3 --- vendor/file_contexts | 4 ---- vendor/hal_drm_cast.te | 10 ---------- vendor/service_contexts | 2 -- 4 files changed, 19 deletions(-) delete mode 100644 vendor/hal_drm_cast.te delete mode 100644 vendor/service_contexts diff --git a/vendor/file.te b/vendor/file.te index 32ab75b..0b57fda 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,5 +1,2 @@ #Pogo USB control & status type sysfs_pogo_usb, sysfs_type, fs_type; - -# Cast device certificate -type device_cert_file, file_type, vendor_persist_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 792f30a..cd84223 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -9,7 +9,3 @@ # Privacy LED /vendor/bin/hw/android\.hardware\.lights-service\.tangorpro u:object_r:hal_light_default_exec:s0 - -# Cast Factory Credentials -/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0 -/mnt/vendor/persist/nest/cast_auth\.crt u:object_r:device_cert_file:s0 diff --git a/vendor/hal_drm_cast.te b/vendor/hal_drm_cast.te deleted file mode 100644 index 8ff3aee..0000000 --- a/vendor/hal_drm_cast.te +++ /dev/null 
@@ -1,10 +0,0 @@ -type hal_drm_cast, domain; -type hal_drm_cast_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(hal_drm_cast) -hal_server_domain(hal_drm_cast, hal_drm) - -allow hal_drm_cast mnt_vendor_file:dir search; -allow hal_drm_cast persist_file:dir search; -allow hal_drm_cast device_cert_file:file r_file_perms; -neverallow { domain -init -vendor_init -hal_drm_cast } device_cert_file:file no_rw_file_perms; diff --git a/vendor/service_contexts b/vendor/service_contexts deleted file mode 100644 index f93a0e0..0000000 --- a/vendor/service_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# Cast Factory Credentials -android.hardware.drm.IDrmFactory/castkey u:object_r:hal_drm_service:s0 From c3ea668daa0e2f44abe26440def84d01cb7364ea Mon Sep 17 00:00:00 2001 From: Ryan Ki Sing Chung Date: Wed, 5 Oct 2022 01:06:19 +0000 Subject: [PATCH 22/78] Revert "Revert "CastAuth: SELinux rules for the MediaDrm plugin"" This reverts commit fae580c5ce2762b5ecae4183aefe7a31e78070c8. Reason for revert: Relanding with fix Bug: 250900568 Change-Id: I242a8b710d7d44e7390a1d63e39f7ebd7d406a4c --- vendor/file.te | 3 +++ vendor/file_contexts | 4 ++++ vendor/hal_drm_cast.te | 9 +++++++++ vendor/service_contexts | 2 ++ 4 files changed, 18 insertions(+) create mode 100644 vendor/hal_drm_cast.te create mode 100644 vendor/service_contexts diff --git a/vendor/file.te b/vendor/file.te index 0b57fda..32ab75b 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,2 +1,5 @@ #Pogo USB control & status type sysfs_pogo_usb, sysfs_type, fs_type; + +# Cast device certificate +type device_cert_file, file_type, vendor_persist_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index cd84223..792f30a 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -9,3 +9,7 @@ # Privacy LED /vendor/bin/hw/android\.hardware\.lights-service\.tangorpro u:object_r:hal_light_default_exec:s0 + +# Cast Factory Credentials +/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0 +/mnt/vendor/persist/nest/cast_auth\.crt u:object_r:device_cert_file:s0 diff --git a/vendor/hal_drm_cast.te b/vendor/hal_drm_cast.te new file mode 100644 index 0000000..800a231 --- /dev/null +++ b/vendor/hal_drm_cast.te @@ -0,0 +1,9 @@ +type hal_drm_cast, domain; +type hal_drm_cast_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_drm_cast) +hal_server_domain(hal_drm_cast, hal_drm) + +allow hal_drm_cast mnt_vendor_file:dir search; +allow hal_drm_cast persist_file:dir search; +allow hal_drm_cast device_cert_file:file r_file_perms; diff --git a/vendor/service_contexts b/vendor/service_contexts new file mode 100644 index 0000000..f93a0e0 --- /dev/null +++ b/vendor/service_contexts @@ -0,0 +1,2 @@ +# Cast Factory Credentials +android.hardware.drm.IDrmFactory/castkey u:object_r:hal_drm_service:s0 From bfba5df7e50b96b816fe5ab4d8ed22b410fcdb78 Mon Sep 17 00:00:00 2001 From: eddielan Date: Mon, 17 Oct 2022 15:07:54 +0800 Subject: [PATCH 23/78] Fix FPS hwservice sepolicy issue avc: denied { find } for interface=com.fingerprints42.extension::IFingerprintEngineering sid=u:r:hal_fingerprint_capacitance:s0 pid=895 scontext=u:r:hal_fingerprint_capacitance:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0 Bug: 253533883 Test: make selinux_policy -j128 Change-Id: I745e01fa2337843a8f16dadb71a07706a6681284 --- fingerprint_capacitance/hal_fingerprint_capacitance.te | 4 ++++ fingerprint_capacitance/hwservice.te | 1 + fingerprint_capacitance/hwservice_contexts | 2 ++ 3 files changed, 7 insertions(+) create mode 100644 fingerprint_capacitance/hwservice.te create mode 100644 fingerprint_capacitance/hwservice_contexts 
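Review bot: The relanded vendor/hal_drm_cast.te drops the `neverallow { domain -init -vendor_init -hal_drm_cast } device_cert_file:file no_rw_file_perms;` line that the original commit c579440 carried, so no compile-time assertion now stops a later rule from granting another domain access to the Cast credential file at `/mnt/vendor/persist/nest/cast_auth\.crt`. The revert message says only that the build broke, so the conflicting domain is not visible here; presumably an existing rule on a broader attribute tripped the assertion. Identifying that domain and adding it to the exception set, or narrowing its rule, would be better than removing the guard. At minimum a comment such as `# TODO(b/250900568): restore neverallow on device_cert_file once the conflicting rule is identified` should record that the guard is missing.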
diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te index 23b31e4..8cc623f 100644 --- a/fingerprint_capacitance/hal_fingerprint_capacitance.te +++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te @@ -22,3 +22,7 @@ allow hal_fingerprint_capacitance fwk_stats_service:service_manager find; # allow fingerprint to access input_device allow hal_fingerprint_capacitance input_device:dir r_dir_perms; allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms; + +# allow fingerprint to access hwservice +hwbinder_use(hal_fingerprint_capacitance) +add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice) diff --git a/fingerprint_capacitance/hwservice.te b/fingerprint_capacitance/hwservice.te new file mode 100644 index 0000000..68c51ab --- /dev/null +++ b/fingerprint_capacitance/hwservice.te @@ -0,0 +1 @@ +type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type; diff --git a/fingerprint_capacitance/hwservice_contexts b/fingerprint_capacitance/hwservice_contexts new file mode 100644 index 0000000..ed09300 --- /dev/null +++ b/fingerprint_capacitance/hwservice_contexts @@ -0,0 +1,2 @@ +com.fingerprints42.extension::IFingerprintEngineering u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0 +com.fingerprints42.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0 From 8b78d57efad6426cdfd3156c330e6ad91090a33e Mon Sep 17 00:00:00 2001 
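Review bot: In fingerprint_capacitance/hwservice.te the new type is declared as `type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type;` without the `vendor_hwservice_type` attribute that bluetooth/hwservice.te in this repository puts on its vendor extension type. If the omission is not deliberate, `type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type, vendor_hwservice_type;` keeps the two consistent, so that any rule keyed on that attribute also covers this service. Separately, hwservice_contexts registers `IFingerprintEngineering` and `IFingerprintSensorTest`, which by their names look like engineering and test interfaces, and `add_hwservice` allows them on every build type. Restricting that to `userdebug_or_eng` is worth considering if the HAL does not register them on user builds.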
From: eddielan Date: Tue, 25 Oct 2022 18:06:35 +0800 Subject: [PATCH 24/78] Fix FPS servicemanager sepolicy issue 10-25 03:25:07.740 429 429 I auditd : type=1400 audit(0.0:4): avc: denied { call } for comm="servicemanager" scontext=u:r:servicemanager:s0 tcontext=u:r:hal_fingerprint_capacitance:s0 tclass=binder permissive=0 Bug: 253533883 Test: make selinux_policy -j128 && check log on device Change-Id: Iea8655fead4398317f0d682e632df8377883d1ea --- fingerprint_capacitance/servicemanager.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 fingerprint_capacitance/servicemanager.te diff --git a/fingerprint_capacitance/servicemanager.te b/fingerprint_capacitance/servicemanager.te new file mode 100644 index 0000000..6e1afe9 --- /dev/null +++ b/fingerprint_capacitance/servicemanager.te @@ -0,0 +1 @@ +binder_call(servicemanager, hal_fingerprint_capacitance) From 58e5a0da266d2a89e480019547d24a53cdb47591 Mon Sep 17 00:00:00 2001 From: eddielan Date: Fri, 11 Nov 2022 20:09:32 +0800 Subject: [PATCH 25/78] sepolicy: Allow fingerprint to access fwk hwservice 11-11 19:57:30.203 464 464 E SELinux : avc: denied { find } for interface=android.frameworks.sensorservice::ISensorManager sid=u:r:hal_fingerprint_capacitance:s0 pid=903 scontext=u:r:hal_fingerprint_capacitance:s0 tcontext=u:object_r:fwk_sensor_hwservice:s0 tclass=hwservice_manager permissive=0 Bug: 258783592 Test: Build pass Change-Id: If2185f8f8a095f68ecb70df82c3253f3d5ee32cc --- fingerprint_capacitance/hal_fingerprint_capacitance.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te index 8cc623f..6100d44 100644 --- a/fingerprint_capacitance/hal_fingerprint_capacitance.te +++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te 
@@ -26,3 +26,6 @@ allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms; # allow fingerprint to access hwservice hwbinder_use(hal_fingerprint_capacitance) add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice) + +# allow fingerprint to access fwk sensor hwservice +allow hal_fingerprint_capacitance fwk_sensor_hwservice:hwservice_manager find; From 0fe5303cf599602015fdbeaa5b773265b81c3992 Mon Sep 17 00:00:00 2001 From: Sandeep Vijayasekar Date: Wed, 19 Oct 2022 13:13:00 -0700 Subject: [PATCH 26/78] [AudioProxy] SEPolicy for AudioProxy 1. MediaShell use its own selinux domain mediashell_app. 2. Allow mediashell_app to access AudioProxy service. Bug: 197547824 Bug: 254515298 Test: Build and local run Change-Id: Ia543225e2cbdbfc7296a101372d203274b108af4 --- tangorpro-sepolicy.mk | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk index dcd4384..ddb98de 100644 --- a/tangorpro-sepolicy.mk +++ b/tangorpro-sepolicy.mk @@ -4,3 +4,8 @@ BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/tracking_denials # fingerprint BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance + +# for mediashell +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public +BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor +PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/google/gms/src/sepolicy/tv From e1e330d587a03763dfef0a3a8bebf8f10f4761d1 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 24 Nov 2022 10:55:04 +0800 Subject: [PATCH 27/78] remove obsolete entry Bug: 260175281 Test: build pass Change-Id: I0f6d070416b5fac8711434b84fc9c552b8a6a64d --- vendor/genfs_contexts | 8 -------- 1 file changed, 8 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index dc21018..4b06cfb 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -3,14 +3,6 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_ # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 -genfscon proc /nvt_baseline u:object_r:proc_touch:s0 -genfscon proc /nvt_cc_uniformity u:object_r:proc_touch:s0 -genfscon proc /nvt_diff u:object_r:proc_touch:s0 -genfscon proc /nvt_fw_update u:object_r:proc_touch:s0 -genfscon proc /nvt_fw_version u:object_r:proc_touch:s0 -genfscon proc /nvt_heatmap u:object_r:proc_touch:s0 -genfscon proc /nvt_raw u:object_r:proc_touch:s0 -genfscon proc /nvt_selftest u:object_r:proc_touch:s0 # system suspend wakeup files genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 From 33c84b77d2e648f6972810e25cc7941adc2c53ee Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 25 Nov 2022 14:09:21 +0800 Subject: [PATCH 28/78] fix declaration missing error Bug: 260175281 Test: build pass Change-Id: Ibe07a278639afa3d0783785374502607ba81eb6e --- vendor/file.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/file.te b/vendor/file.te index 32ab75b..a863220 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -3,3 +3,6 @@ type sysfs_pogo_usb, sysfs_type, fs_type; # Cast device certificate type device_cert_file, file_type, vendor_persist_type; + +# Avoid GPS se failed +type sysfs_gps, sysfs_type, fs_type; From d5db8fa0e232e3479745a73a85e9f018fb78cbd9 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 2 Dec 2022 13:08:28 +0800 Subject: [PATCH 29/78] rename sysfs_touch Bug: 256521567 Test: adb bugreport Change-Id: Ic10339198209b7e1c8874610f69c515a95d6e7da --- vendor/system_server.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/system_server.te b/vendor/system_server.te index b17b985..ba82449 100644 --- a/vendor/system_server.te +++ b/vendor/system_server.te 
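Review bot: The comment `# Avoid GPS se failed` above the new `type sysfs_gps, sysfs_type, fs_type;` in vendor/file.te does not say what fails without the declaration or what uses the type. From the commit subject this looks like a declaration needed only so that policy referencing `sysfs_gps` compiles. If so, a comment such as `# Declared so shared policy that references sysfs_gps compiles; no node is labelled with it here` would be clearer, once confirmed, since no genfs_contexts entry for the type is visible in this series.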
@@ -1 +1 @@ -allow system_server sysfs_touch:file r_file_perms; +allow system_server sysfs_touch_gti:file r_file_perms; From 483f42925df6aaeb8ffb5233a356bf75f2ae01b9 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 6 Dec 2022 12:01:08 +0800 Subject: [PATCH 30/78] align sysfs_touch_gti type Bug: 256521567 Test: build pass Change-Id: I2452e2551ea47a3bbf1c4b084259e73c37e02f04 --- vendor/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4b06cfb..2192a0e 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -2,7 +2,7 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 # Touch -genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch_gti:s0 # system suspend wakeup files genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 From 965a3fb846e1757010a9c62cb88d8ff52329c358 Mon Sep 17 00:00:00 2001 From: Mariia Sandrikova Date: Wed, 7 Dec 2022 01:28:47 +0000 Subject: [PATCH 31/78] [5/n][Pro] Change natural device orientation to portrait. Introduce debug.sf.ignore_hwc_physical_display_orientation to allow ignoring physical orientation provided through hwc API in favour of 'ro.surface_flinger.primary_display_orientation' to avoid breaking the build even for a short period of time since there is no direct way to synchronize landing of this CLs chain with pa/2342172 Test: manual Bug: 246793311 Change-Id: Iffbdc13149f517f0b59b313f1fe1f7900cc8597e --- system_ext/private/property_contexts | 2 ++ tangorpro-sepolicy.mk | 3 +++ 2 files changed, 5 insertions(+) create mode 100644 system_ext/private/property_contexts diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts new file mode 100644 index 0000000..44ac29f 
--- /dev/null +++ b/system_ext/private/property_contexts @@ -0,0 +1,2 @@ +# TODO(b/246793311): Clean up a temporary property once pa/2342172 lands +debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool \ No newline at end of file diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk index ddb98de..f16f331 100644 --- a/tangorpro-sepolicy.mk +++ b/tangorpro-sepolicy.mk @@ -9,3 +9,6 @@ BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/google/gms/src/sepolicy/tv + +# system_ext +SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private From 11808aa59bae0fa058a7dad42b9108390d710b4a Mon Sep 17 00:00:00 2001 From: Mariia Sandrikova Date: Sat, 10 Dec 2022 02:49:39 +0000 Subject: [PATCH 32/78] [1/2][Pro] Set orientation for boot animation and default display rotation. Introduce ro.bootanim.set_orientation_ sysprop that allows to change the default display rotation value and boot animation orientation to be different from the natural display orientation Context: go/tangor-natural-orientation Bug: 260627934 Test: manual test with all 4 values Change-Id: I14461e143c37440c4a655a1b175add86b60233b2 --- system_ext/private/property_contexts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 44ac29f..f08d9e4 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts 
@@ -1,2 +1,6 @@ # TODO(b/246793311): Clean up a temporary property once pa/2342172 lands -debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool \ No newline at end of file +debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool + +# Default orienation for boot animation counted from natural orienation of the device +# Id at the end corresponds to the display id on the device. See b/246793311 for context. +ro.bootanim.set_orientation_4619827677550801152 u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_90 ORIENTATION_180 ORIENTATION_270 From 6f12e9fcafa805bbf67cea3fe2f3d14f6eae246c Mon Sep 17 00:00:00 2001 From: Super Liu Date: Tue, 13 Dec 2022 05:17:59 +0000 Subject: [PATCH 33/78] [DO NOT MERGE] Suppress linux denials Bug: 262179373 Test: TreeHugger build. Change-Id: I40cbdb22976fdb233a3f23868cde688b3b263e13 Signed-off-by: Super Liu --- tracking_denials/shell.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 tracking_denials/shell.te diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te new file mode 100644 index 0000000..44ae520 --- /dev/null +++ b/tracking_denials/shell.te @@ -0,0 +1,3 @@ +# b/262179373 +dontaudit shell sysfs_touch:dir { search }; + From 6f45c41a7612c0978db78d0cd8281dadd393cdb5 Mon Sep 17 00:00:00 2001 
From: Darren Hsu Date: Tue, 13 Sep 2022 10:19:09 +0800 Subject: [PATCH 34/78] sepolicy: allow binder call for hal_power_stats and hal_bluetooth avc: denied { call } for comm="bluetooth@1.1-s" scontext=u:r:hal_bluetooth_synabtlinux:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=0 avc: denied { call } for scontext=u:r:hal_bluetooth_synabtlinux:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=1 avc: denied { read } for comm="android.hardwar" name="u:object_r:boot_status_prop:s0" dev="tmpfs" ino=109 scontext=u:r:hal_bluetooth_synabtlinux:s0 tcontext=u:object_r:boot_status_prop:s0 tclass=file permissive=0 Bug: 215487801 , 262386677 Test: captured bugreport and didn't see powerstats avc denials Change-Id: I34840b7f8031084270477635c2bde5d702a0507c Signed-off-by: Darren Hsu (cherry picked from commit ccd9f49f2bfafe83993345558d03ac344db3295a) --- bluetooth/hal_bluetooth_default.te | 2 ++ vendor/hal_power_stats_default.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 vendor/hal_power_stats_default.te diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te index b8091d9..c764133 100644 --- a/bluetooth/hal_bluetooth_default.te +++ b/bluetooth/hal_bluetooth_default.te @@ -10,6 +10,8 @@ allow hal_bluetooth_synabtlinux hci_attach_dev:chr_file rw_file_perms; allow hal_bluetooth_synabtlinux hal_power_stats_vendor_service:service_manager find; add_hwservice(hal_bluetooth_synabtlinux, hal_bluetooth_coexistence_hwservice) vndbinder_use(hal_bluetooth_synabtlinux) +binder_call(hal_bluetooth_synabtlinux, hal_power_stats_default) +get_prop(hal_bluetooth_synabtlinux, boot_status_prop) allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms; diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te new file mode 100644 index 0000000..a81c9ba --- /dev/null 
+++ b/vendor/hal_power_stats_default.te @@ -0,0 +1,2 @@ +# getStateResidency AIDL callback for Bluetooth HAL +binder_call(hal_power_stats_default, hal_bluetooth_synabtlinux) From 6d590c369542511e0aa3c4afbdb67f4fbbb03302 Mon Sep 17 00:00:00 2001 From: eddielan Date: Thu, 15 Dec 2022 19:57:44 +0800 Subject: [PATCH 35/78] fingerprint: allow fps to access sysfs_leds Bug: 261151317 Test: make selinux_policy -j112 Change-Id: I930ebbb5c5478cb2669dd169a8e03db7b5222c8f --- fingerprint_capacitance/hal_fingerprint_capacitance.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te index 6100d44..8c78ee5 100644 --- a/fingerprint_capacitance/hal_fingerprint_capacitance.te +++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te @@ -19,6 +19,10 @@ hal_client_domain(hal_fingerprint_capacitance, hal_power); # allow fingerprint to find fwk service allow hal_fingerprint_capacitance fwk_stats_service:service_manager find; +# allow fingerprint to access sysfs_leds +allow hal_fingerprint_capacitance sysfs_leds:dir search; +allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms; + # allow fingerprint to access input_device allow hal_fingerprint_capacitance input_device:dir r_dir_perms; allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms; From e729f1b95e1c672ae9d7184a6fe0c0b3014358ea Mon Sep 17 00:00:00 2001 From: Sandeep Vijayasekar Date: Wed, 21 Dec 2022 11:47:01 -0800 Subject: [PATCH 36/78] Add SElinux policy for mediashell suffix property Bug: 263263027 Test: mediashell can read this property Change-Id: I05cea67085a534aa9d862fc8af853d191a7d11c9 --- product_private/property.te | 1 + product_private/property_contexts | 1 + tangorpro-sepolicy.mk | 1 + 3 files changed, 3 insertions(+) create mode 100644 product_private/property.te create mode 100644 product_private/property_contexts 
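Review bot: `allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms;` gives the fingerprint HAL write access to every node labelled `sysfs_leds`, not only the LED it drives. vendor/file_contexts in this series lists the lights service under "Privacy LED", and vendor/hal_lights.te operates on the same `sysfs_leds` type, so if the privacy indicator shares that label the fingerprint HAL would be able to change it as well. The hunk does not say which LED is needed or why writing is required; please add that to the comment. Consider labelling the specific node with its own type (placeholder name `sysfs_fp_led`) or routing the request through the lights HAL instead.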
diff --git a/product_private/property.te b/product_private/property.te new file mode 100644 index 0000000..ef8470a --- /dev/null +++ b/product_private/property.te @@ -0,0 +1 @@ +product_internal_prop(odm_cast_prop) diff --git a/product_private/property_contexts b/product_private/property_contexts new file mode 100644 index 0000000..9946d1e --- /dev/null +++ b/product_private/property_contexts @@ -0,0 +1 @@ +ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0 \ No newline at end of file diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk index f16f331..b0695bc 100644 --- a/tangorpro-sepolicy.mk +++ b/tangorpro-sepolicy.mk @@ -9,6 +9,7 @@ BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/google/gms/src/sepolicy/tv +PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/product_private # system_ext SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private From 0afa8d077dfc8ef49b822c7b1a0407abbede525a Mon Sep 17 00:00:00 2001 From: Super Liu Date: Thu, 22 Dec 2022 05:37:24 +0000 Subject: [PATCH 37/78] Suppress linux denials Bug: 263430971 Test: TreeHugger build. Signed-off-by: Super Liu Change-Id: Ic0e235cd44fa5114749b3d1c84df24745ecc0ec5 --- tracking_denials/shell.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/shell.te diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te new file mode 100644 index 0000000..797b2af --- /dev/null +++ b/tracking_denials/shell.te @@ -0,0 +1,2 @@ +# b/263430971 +dontaudit shell sysfs_touch_gti:dir { search }; From 8b4d4d634ba341b8598e1411c62b966de4a304e2 Mon Sep 17 00:00:00 2001 
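Review bot: The new product_private/property_contexts entry `ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0` has no match kind or value type, and the file ends without a newline. The entries in system_ext/private/property_contexts use the `exact bool` and `exact enum` forms, and a missing final newline can fuse this entry with the first line of the next file if the context files are concatenated at build time; that may be the build break the later revert (PATCH 38) mentions, though it is not stated. Suggested line, terminated by a newline: `ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0 exact string`. The same content is relanded unchanged in PATCH 40. Nothing in this commit grants any domain `get_prop` on `odm_cast_prop`, although the Test line says mediashell can read the property.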
From: Sandeep Vijayasekar Date: Thu, 22 Dec 2022 23:56:38 +0000 Subject: [PATCH 38/78] Revert "Add SElinux policy for mediashell suffix property" Revert submission 20796423-mediashell_wifi_suffix Reason for revert: breaks build. Reverted changes: /q/submissionid:20796423-mediashell_wifi_suffix Change-Id: I2d6f66f38b04555a6095d0d5f610d3c6f30dd4e6 --- product_private/property.te | 1 - product_private/property_contexts | 1 - tangorpro-sepolicy.mk | 1 - 3 files changed, 3 deletions(-) delete mode 100644 product_private/property.te delete mode 100644 product_private/property_contexts diff --git a/product_private/property.te b/product_private/property.te deleted file mode 100644 index ef8470a..0000000 --- a/product_private/property.te +++ /dev/null @@ -1 +0,0 @@ -product_internal_prop(odm_cast_prop) diff --git a/product_private/property_contexts b/product_private/property_contexts deleted file mode 100644 index 9946d1e..0000000 --- a/product_private/property_contexts +++ /dev/null @@ -1 +0,0 @@ -ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0 \ No newline at end of file diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk index b0695bc..f16f331 100644 --- a/tangorpro-sepolicy.mk +++ b/tangorpro-sepolicy.mk @@ -9,7 +9,6 @@ BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/google/gms/src/sepolicy/tv -PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/product_private # system_ext SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private From 02379ea5d9ab8ef2ce92904af38778311c002499 Mon Sep 17 00:00:00 2001 
From: Ken Yang Date: Fri, 23 Dec 2022 11:05:52 +0000 Subject: [PATCH 39/78] WLC: Add device specific sepolicy for wireless_charger Bug: 263561134 Bug: 237600973 Change-Id: I95af98c9b7c2244522ba7e943b769e3e454edc20 Signed-off-by: Ken Yang --- vendor/platform_app.te | 2 ++ vendor/system_app.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 vendor/platform_app.te create mode 100644 vendor/system_app.te diff --git a/vendor/platform_app.te b/vendor/platform_app.te new file mode 100644 index 0000000..6ac0514 --- /dev/null +++ b/vendor/platform_app.te @@ -0,0 +1,2 @@ +allow platform_app hal_wireless_charger_service:service_manager find; +binder_call(platform_app, hal_wireless_charger) diff --git a/vendor/system_app.te b/vendor/system_app.te new file mode 100644 index 0000000..ca56668 --- /dev/null +++ b/vendor/system_app.te @@ -0,0 +1,2 @@ +allow system_app hal_wireless_charger_service:service_manager find; +binder_call(system_app, hal_wireless_charger) From 940816885f3e76197a5f456b72fc92b3648efd29 Mon Sep 17 00:00:00 2001 From: Alvin Abdagic Date: Fri, 23 Dec 2022 15:27:57 +0000 Subject: [PATCH 40/78] Revert^2 "Add SElinux policy for mediashell suffix property" 8b4d4d634ba341b8598e1411c62b966de4a304e2 Change-Id: I4ec5ff093103a42d271de92b7b1b26a93a7d64a0 Bug:263540972 --- product_private/property.te | 1 + product_private/property_contexts | 1 + tangorpro-sepolicy.mk | 1 + 3 files changed, 3 insertions(+) create mode 100644 product_private/property.te create mode 100644 product_private/property_contexts diff --git a/product_private/property.te b/product_private/property.te new file mode 100644 index 0000000..ef8470a --- /dev/null +++ b/product_private/property.te @@ -0,0 +1 @@ +product_internal_prop(odm_cast_prop) diff --git a/product_private/property_contexts b/product_private/property_contexts new file mode 100644 index 0000000..9946d1e --- /dev/null +++ b/product_private/property_contexts 
@@ -0,0 +1 @@ +ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0 \ No newline at end of file diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk index f16f331..b0695bc 100644 --- a/tangorpro-sepolicy.mk +++ b/tangorpro-sepolicy.mk @@ -9,6 +9,7 @@ BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/google/gms/src/sepolicy/tv +PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/product_private # system_ext SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private From 5df51157c390f0ba95668f0079a4e0ca369666b2 Mon Sep 17 00:00:00 2001 From: Super Liu Date: Tue, 3 Jan 2023 01:46:10 +0000 Subject: [PATCH 41/78] Add sepolicy for sysfs_touch type. Bug: 263108813 Test: TreeHugger build pass. Signed-off-by: Super Liu Change-Id: I83edfd28a116fe61cec323aecc30089b3298550f --- vendor/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 2192a0e..4b06cfb 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -2,7 +2,7 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 # Touch -genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch_gti:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 # system suspend wakeup files genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 From 74bdc8089b1a54f69bab28c51ecea0c0b70e3175 Mon Sep 17 00:00:00 2001 
From: Chungjui Fan Date: Tue, 3 Jan 2023 15:41:03 +0000 Subject: [PATCH 42/78] Add sepolicy to allow lights to access display Avc denied logs in b/264023021#comment2 Bug: 264023021 Change-Id: Ib8527aa6cb65511488495e58bca51287107d6d53 Signed-off-by: Chungjui Fan --- vendor/hal_lights.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/hal_lights.te b/vendor/hal_lights.te index ac536de..7c43a93 100644 --- a/vendor/hal_lights.te +++ b/vendor/hal_lights.te @@ -2,4 +2,6 @@ allow hal_light_default sysfs_leds:dir search; allow hal_light_default sysfs_leds:file rw_file_perms; allow hal_light_default mnt_vendor_file:dir search; allow hal_light_default persist_file:dir search; +allow hal_light_default hal_pixel_display_service:service_manager find; +binder_call(hal_light_default, hal_graphics_composer_default); r_dir_file(hal_light_default, persist_leds_file); From a2b43990705d892757e6c0c96de59c799b3e8195 Mon Sep 17 00:00:00 2001 From: Sandeep Vijayasekar Date: Tue, 3 Jan 2023 18:55:09 -0800 Subject: [PATCH 43/78] Add odm_cast_prop for Tangorpro Bug: 263263027 Test: treehugger Change-Id: I4f8e228c6cebca34d8b4494d43e1096f406da888 --- product_private/mediashell_app.te | 2 ++ product_private/property_contexts | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 product_private/mediashell_app.te diff --git a/product_private/mediashell_app.te b/product_private/mediashell_app.te new file mode 100644 index 0000000..d714e05 --- /dev/null +++ b/product_private/mediashell_app.te @@ -0,0 +1,2 @@ + +get_prop(mediashell_app, odm_cast_prop) diff --git a/product_private/property_contexts b/product_private/property_contexts index 9946d1e..becbb24 100644 --- a/product_private/property_contexts +++ b/product_private/property_contexts @@ -1 +1,2 @@ -ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0 \ No newline at end of file + +ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0 From 12579828b0feeb0024fc1f37472e8a88ee081778 Mon Sep 17 00:00:00 2001 
From: Ken Yang Date: Thu, 5 Jan 2023 07:37:13 +0000 Subject: [PATCH 44/78] WLC: Remove unused wireless_charger policies Bug: 263830018 Change-Id: I5378ad328d4a431413d296afd68d79f5c72bec5e Signed-off-by: Ken Yang --- vendor/platform_app.te | 2 -- vendor/system_app.te | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 vendor/platform_app.te delete mode 100644 vendor/system_app.te diff --git a/vendor/platform_app.te b/vendor/platform_app.te deleted file mode 100644 index 6ac0514..0000000 --- a/vendor/platform_app.te +++ /dev/null @@ -1,2 +0,0 @@ -allow platform_app hal_wireless_charger_service:service_manager find; -binder_call(platform_app, hal_wireless_charger) diff --git a/vendor/system_app.te b/vendor/system_app.te deleted file mode 100644 index ca56668..0000000 --- a/vendor/system_app.te +++ /dev/null @@ -1,2 +0,0 @@ -allow system_app hal_wireless_charger_service:service_manager find; -binder_call(system_app, hal_wireless_charger) From e1c1a2e4c921428d1f0191e44af73f946aac31e7 Mon Sep 17 00:00:00 2001 From: Ioannis Ilkos Date: Thu, 5 Jan 2023 11:35:28 +0000 Subject: [PATCH 45/78] Revert "Add odm_cast_prop for Tangorpro" This reverts commit a2b43990705d892757e6c0c96de59c799b3e8195. Reason for revert: b/264514289 breaks build Change-Id: Ibc75544493cf5e6522a767a126b3e616ea30cb42 --- product_private/mediashell_app.te | 2 -- product_private/property_contexts | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) delete mode 100644 product_private/mediashell_app.te diff --git a/product_private/mediashell_app.te b/product_private/mediashell_app.te deleted file mode 100644 index d714e05..0000000 --- a/product_private/mediashell_app.te +++ /dev/null @@ -1,2 +0,0 @@ - -get_prop(mediashell_app, odm_cast_prop) diff --git a/product_private/property_contexts b/product_private/property_contexts index becbb24..9946d1e 100644 --- a/product_private/property_contexts +++ b/product_private/property_contexts 
@@ -1,2 +1 @@
-
-ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0
+ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0
\ No newline at end of file
From 37cb898e4dbe43c35b45d1a5b1650ae47d59c580 Mon Sep 17 00:00:00 2001
From: Mariia Sandrikova Date: Fri, 6 Jan 2023 01:23:20 +0000 Subject: [PATCH 46/78] Clean up debug.sf.ignore_hwc_physical_display_orientation Temporary property was introduced in Iffbdc13149f517f0b59b313f1fe1f7900cc8597e Test: manual Bug: 246793311 Change-Id: I000feb9e54a9f3b897eb4867fb285788cdb2fc46
---
 system_ext/private/property_contexts | 3 --- 1 file changed, 3 deletions(-)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index f08d9e4..d555ab6 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -1,6 +1,3 @@
-# TODO(b/246793311): Clean up a temporary property once pa/2342172 lands
-debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool
-
 # Default orienation for boot animation counted from natural orienation of the device
 # Id at the end corresponds to the display id on the device. See b/246793311 for context.
 ro.bootanim.set_orientation_4619827677550801152 u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_90 ORIENTATION_180 ORIENTATION_270
From 903888aa95b9f85d6d39ab1e8749c6e1df26fa71 Mon Sep 17 00:00:00 2001
From: sukiliu Date: Mon, 9 Jan 2023 12:15:45 +0800 Subject: [PATCH 47/78] Update error on ROM 9467565 Bug: 264823366 Test: SELinuxUncheckedDenialBootTest Change-Id: Ie484c1999f76eee4e1a9c49deda7b1fe0e0bbbdd
---
 tracking_denials/shell.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te
index 797b2af..a6a5568 100644
--- a/tracking_denials/shell.te
+++ b/tracking_denials/shell.te
@@ -1,2 +1,4 @@
 # b/263430971
 dontaudit shell sysfs_touch_gti:dir { search };
+# b/264823366
+dontaudit shell sysfs_touch:dir { search };
From a6ce6beb10c1ca5c4e61c935ca1196d164dc3017 Mon Sep 17 00:00:00 2001
From: Joshua McCloskey Date: Thu, 5 Jan 2023 04:28:14 +0000 Subject: [PATCH 48/78] Allow SystemUI to access fp hal. Bug: 261209932 Test: Verified SystemUI can access HAL extension. Change-Id: If1a2c7debafad70b6aece6c8ac63852e4b2b6276
---
 fingerprint_capacitance/system_app.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 fingerprint_capacitance/system_app.te
diff --git a/fingerprint_capacitance/system_app.te b/fingerprint_capacitance/system_app.te
new file mode 100644
index 0000000..f583431
--- /dev/null
+++ b/fingerprint_capacitance/system_app.te
@@ -0,0 +1,3 @@
+# TODO (b/264266705) Remove this and make it specific to the app
+# allow SystemUIGoogle to access fingerprint hal
+hal_client_domain(system_app, hal_fingerprint)
From d8820e6b6923db1c2cd1e5a88e12f08a07d8d8b4 Mon Sep 17 00:00:00 2001
From: Neha Jain Date: Mon, 9 Jan 2023 23:10:42 +0000 Subject: [PATCH 49/78] Revert "Clean up debug.sf.ignore_hwc_physical_display_orientation" Revert submission 20881991-clean-up-temp-sysprop Reason for revert: b/264735287 Reverted changes: /q/submissionid:20881991-clean-up-temp-sysprop Change-Id: Id102118883fa35e99e16b6cbe26cae9d009fa4f9
---
 system_ext/private/property_contexts | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index d555ab6..f08d9e4 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
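Review bot: `hal_client_domain(system_app, hal_fingerprint)` in fingerprint_capacitance/system_app.te makes every process in the system_app domain a client of the fingerprint HAL, while the comment above it says only SystemUIGoogle needs the access. The TODO acknowledges the breadth but leaves it in place, and if SystemUIGoogle actually runs as platform_app, as the later "platform_app:systemui" change in this series suggests, the grant may not even reach the intended app; that is worth confirming against the denial in b/261209932. Until a dedicated domain exists I would state the limitation next to the rule, e.g. `# NOTE: grants all system_app processes fingerprint HAL client access; narrow per b/264266705`. PATCH 50/78 adds the identical file.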
@@ -1,3 +1,6 @@
+# TODO(b/246793311): Clean up a temporary property once pa/2342172 lands
+debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool
+
 # Default orienation for boot animation counted from natural orienation of the device
 # Id at the end corresponds to the display id on the device. See b/246793311 for context.
 ro.bootanim.set_orientation_4619827677550801152 u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_90 ORIENTATION_180 ORIENTATION_270
From 9a9efabc88ae3402e9d995f1ab22743af7b4aa7a Mon Sep 17 00:00:00 2001
From: Joshua McCloskey Date: Thu, 5 Jan 2023 04:28:14 +0000 Subject: [PATCH 50/78] Allow SystemUI to access fp hal. Bug: 261209932 Test: Verified SystemUI can access HAL extension. Change-Id: If1a2c7debafad70b6aece6c8ac63852e4b2b6276 Merged-In: If1a2c7debafad70b6aece6c8ac63852e4b2b6276
---
 fingerprint_capacitance/system_app.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 fingerprint_capacitance/system_app.te
diff --git a/fingerprint_capacitance/system_app.te b/fingerprint_capacitance/system_app.te
new file mode 100644
index 0000000..f583431
--- /dev/null
+++ b/fingerprint_capacitance/system_app.te
@@ -0,0 +1,3 @@
+# TODO (b/264266705) Remove this and make it specific to the app
+# allow SystemUIGoogle to access fingerprint hal
+hal_client_domain(system_app, hal_fingerprint)
From dc359f21780ca731fb6537c27dd2c0eefe907bff Mon Sep 17 00:00:00 2001
From: Myles Watson Date: Tue, 10 Jan 2023 06:27:23 -0800 Subject: [PATCH 51/78] TangorPro: Use common sepolicy for bt_device Bug: 205758693 Test: build Ignore-AOSP-First: Some devices in internal define bt_device Change-Id: I29ca448d60af312d7dbe241f93592233d16bfcbe
---
 bluetooth/device.te | 1 - 1 file changed, 1 deletion(-) delete mode 100644 bluetooth/device.te
diff --git a/bluetooth/device.te b/bluetooth/device.te
deleted file mode 100644
index 7ed13ad..0000000
--- a/bluetooth/device.te
+++ /dev/null
@@ -1 +0,0 @@ -type bt_device, dev_type; From d83126782ffa3dec36db7f50fe8d783ee4b62250 Mon Sep 17 00:00:00 2001 From: Sandeep Vijayasekar Date: Tue, 27 Dec 2022 20:08:38 +0000 Subject: [PATCH 52/78] Revert^3 "Add SElinux policy for mediashell suffix property" Bug: 263263027 Test: mediashell can read this property Change-Id: Iebf5ced8e5c81777a7e14ed3c6d63aee8ff409b2 --- product_private/property.te | 1 - product_private/property_contexts | 1 - tangorpro-sepolicy.mk | 1 - 3 files changed, 3 deletions(-) delete mode 100644 product_private/property.te delete mode 100644 product_private/property_contexts diff --git a/product_private/property.te b/product_private/property.te deleted file mode 100644 index ef8470a..0000000 --- a/product_private/property.te +++ /dev/null @@ -1 +0,0 @@ -product_internal_prop(odm_cast_prop) diff --git a/product_private/property_contexts b/product_private/property_contexts deleted file mode 100644 index 9946d1e..0000000 --- a/product_private/property_contexts +++ /dev/null @@ -1 +0,0 @@ -ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0 \ No newline at end of file diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk index b0695bc..f16f331 100644 --- a/tangorpro-sepolicy.mk +++ b/tangorpro-sepolicy.mk @@ -9,7 +9,6 @@ BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/google/gms/src/sepolicy/tv -PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/product_private # system_ext SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private From bb7ac209e53147942a02495b14475efcdcd18380 Mon Sep 17 00:00:00 2001 
From: Myles Watson Date: Tue, 10 Jan 2023 06:27:23 -0800 Subject: [PATCH 53/78] TangorPro: Use common sepolicy for bt_device Bug: 205758693 Test: build Ignore-AOSP-First: Some devices in internal define bt_device Change-Id: I29ca448d60af312d7dbe241f93592233d16bfcbe (cherry picked from commit dc359f21780ca731fb6537c27dd2c0eefe907bff) Merged-In: I29ca448d60af312d7dbe241f93592233d16bfcbe
---
 bluetooth/device.te | 1 - 1 file changed, 1 deletion(-) delete mode 100644 bluetooth/device.te
diff --git a/bluetooth/device.te b/bluetooth/device.te
deleted file mode 100644
index 7ed13ad..0000000
--- a/bluetooth/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type bt_device, dev_type;
From 0f733764c246a7d7cd02373c0efcf3dcf8c40839 Mon Sep 17 00:00:00 2001
From: Mariia Sandrikova Date: Sun, 22 Jan 2023 23:57:56 +0000 Subject: [PATCH 54/78] DO NOT MERGE Revert "Revert "Clean up debug.sf.ignore_hwc_physical_display_or..." Clean up debug.sf.ignore_hwc_physical_display_orientation Temporary property was introduced in Iffbdc13149f517f0b59b313f1fe1f7900cc8597e Test: manual Bug: 246793311 Revert submission 20920163-revert-20881991-clean-up-temp-sysprop-FZOZHLNEBL Reason for revert: Revert a revert of I000feb9e54a9f3b897eb4867fb285788cdb2fc46 to land it again Reverted changes: /q/submissionid:20920163-revert-20881991-clean-up-temp-sysprop-FZOZHLNEBL Change-Id: Id4658d31b73adfa9e0996891d0529a7277043ed3
---
 system_ext/private/property_contexts | 3 --- 1 file changed, 3 deletions(-)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index f08d9e4..d555ab6 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -1,6 +1,3 @@ -# TODO(b/246793311): Clean up a temporary property once pa/2342172 lands -debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool - # Default orienation for boot animation counted from natural orienation of the device # Id at the end corresponds to the display id on the device. See b/246793311 for context. ro.bootanim.set_orientation_4619827677550801152 u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_90 ORIENTATION_180 ORIENTATION_270 From 306f6c5e8c3780fd0cee8287e7eadf842cda29c2 Mon Sep 17 00:00:00 2001 From: matthuang Date: Tue, 31 Jan 2023 17:30:19 +0800 Subject: [PATCH 55/78] Allow sensor hal to access uhid devices. Bug: 262056923 Test: Screen is off when put a magnet close to hall sensor. Change-Id: I2031c167f242b10b0a03076f0bc4184dd21e2cd5 --- vendor/hal_sensors_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te index 978d9b4..da6b54e 100644 --- a/vendor/hal_sensors_default.te +++ b/vendor/hal_sensors_default.te @@ -4,3 +4,6 @@ # Allow sensor HAL to access pogo driver hall file node. allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms; + +# Allow access to the uhid devices. +allow hal_sensors_default uhid_device:chr_file rw_file_perms; From add3a605351a4107121d0a8c4321e0bc000376be Mon Sep 17 00:00:00 2001 From: eddielan Date: Tue, 7 Feb 2023 17:46:08 +0800 Subject: [PATCH 56/78] fingerprint: Allow fps HAL to access sysfs_batteryinfo avc: denied { search } for name="dock" dev="sysfs" ino=68869 scontext=u:r:hal_fingerprint_capacitance:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 Bug: 268158443 Test: make selinux_policy -j112 Change-Id: I28a50a68019bdf474df4de27d31df06ec13b2a7a --- fingerprint_capacitance/hal_fingerprint_capacitance.te | 4 ++++ 1 file changed, 4 insertions(+) 
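Review bot: The rule `allow hal_sensors_default uhid_device:chr_file rw_file_perms;` added to vendor/hal_sensors_default.te gives the sensor HAL read/write on the uhid node, the interface through which a process registers virtual HID input devices, yet the comment above it only restates the rule. Since the stated test is a hall-sensor reaction, the comment should say what the HAL does with uhid, for example `# Hall sensor state is reported through a uhid device (b/262056923)`, if that is indeed the mechanism. It is also worth confirming that no narrower device label is available for this purpose. PATCH 60/78 adds the identical lines.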
diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te index 8c78ee5..632086a 100644 --- a/fingerprint_capacitance/hal_fingerprint_capacitance.te +++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te @@ -23,6 +23,10 @@ allow hal_fingerprint_capacitance fwk_stats_service:service_manager find; allow hal_fingerprint_capacitance sysfs_leds:dir search; allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms; +# allow fingerprint to access sysfs_batteryinfo +allow hal_fingerprint_capacitance sysfs_batteryinfo:dir search; +allow hal_fingerprint_capacitance sysfs_batteryinfo:file rw_file_perms; + # allow fingerprint to access input_device allow hal_fingerprint_capacitance input_device:dir r_dir_perms; allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms; From a026b453c49b503b989d5a26ee7f7e338c79cb7b Mon Sep 17 00:00:00 2001 From: Super Liu Date: Tue, 14 Feb 2023 08:45:57 +0000 Subject: [PATCH 57/78] Remove unnecessary denials. Bug: 263430971 Test: TreeHugger build. Signed-off-by: Super Liu Change-Id: Icd6a9e1ba2f779ad20be44e186919cb621705c21 --- tracking_denials/shell.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/shell.te diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te deleted file mode 100644 index a6a5568..0000000 --- a/tracking_denials/shell.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/263430971 -dontaudit shell sysfs_touch_gti:dir { search }; -# b/264823366 -dontaudit shell sysfs_touch:dir { search }; From a32c0da2f61389b253904a098d905e06029d6790 Mon Sep 17 00:00:00 2001 From: leochuang Date: Wed, 22 Feb 2023 10:30:21 +0800 Subject: [PATCH 58/78] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 264823366 Change-Id: I9b6c67192c19d74429606653cd322a4686a21e4d --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) 
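Review bot: The denial quoted in the commit message is `{ search }` on a `sysfs_batteryinfo` directory, but the second rule added to hal_fingerprint_capacitance.te grants `rw_file_perms` on `sysfs_batteryinfo:file`, so the fingerprint HAL gains write access to battery sysfs nodes with no logged denial behind it. The log was taken with `permissive=1`, so any file access the HAL performs should have been logged as well; quoting that denial would show whether read alone is enough. Unless a write denial was seen, I would start with `allow hal_fingerprint_capacitance sysfs_batteryinfo:file r_file_perms;` and widen only on evidence. The file continues on both sides of this hunk.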
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3cf5e4c..8836618 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1 +1,2 @@ hal_dumpstate_default modem_stat_data_file dir b/239115418 +shell sysfs_touch dir b/264823366 From 7e59945dbb988b7ffb5be826dd9881212dc8bfce Mon Sep 17 00:00:00 2001 From: Marcello Galhardo Date: Wed, 15 Mar 2023 09:18:56 +0000 Subject: [PATCH 59/78] Allow platform_app:systemui to access system_update info Test: manual Bug: 273684235 Change-Id: I516e792e926827471b04b336038fab1b1cd540ec --- system_ext/private/platform_app.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 system_ext/private/platform_app.te diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te new file mode 100644 index 0000000..cd094a3 --- /dev/null +++ b/system_ext/private/platform_app.te @@ -0,0 +1,2 @@ +# Allow platform apps to access system_update_service (e.g. check if update info is available). +allow platform_app system_update_service:service_manager find; \ No newline at end of file From 7e7ab2d6041171a638cfbec22e462fdbefff4ed8 Mon Sep 17 00:00:00 2001 From: matthuang Date: Tue, 31 Jan 2023 17:30:19 +0800 Subject: [PATCH 60/78] Allow sensor hal to access uhid devices. Bug: 262056923 Bug: 274537630 Test: Screen is off when put a magnet close to hall sensor. Change-Id: I2031c167f242b10b0a03076f0bc4184dd21e2cd5 Merged-In: I2031c167f242b10b0a03076f0bc4184dd21e2cd5 --- vendor/hal_sensors_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te index 978d9b4..da6b54e 100644 --- a/vendor/hal_sensors_default.te +++ b/vendor/hal_sensors_default.te @@ -4,3 +4,6 @@ # Allow sensor HAL to access pogo driver hall file node. allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms; + +# Allow access to the uhid devices. +allow hal_sensors_default uhid_device:chr_file rw_file_perms; 
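Review bot: The rule in the new system_ext/private/platform_app.te lets every process in the platform_app domain look up `system_update_service`, while the commit subject scopes the need to SystemUI. The comment should name the caller and the bug so the grant can be revisited, e.g. `# SystemUI checks whether update info is available (b/273684235)`. The file also ends without a newline (`\ No newline at end of file`), the same thing PATCH 43/78 corrected in product_private/property_contexts; add one here.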
From 5acd6da7935aa98ab7225ae2183643dcbbf63715 Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Fri, 24 Mar 2023 11:12:09 +0800 Subject: [PATCH 61/78] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275001805 Change-Id: Ia930f873d1471bf38416e74b7c1dcf23da0470c0
---
 tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 8836618..c77f421 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,2 +1,4 @@
+hal_camera_default boot_status_prop file b/275001805
+hal_camera_default edgetpu_app_service service_manager b/275001805
 hal_dumpstate_default modem_stat_data_file dir b/239115418
 shell sysfs_touch dir b/264823366
From 6a684e0fccf209315671ae01cfcdecd96934b284 Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Wed, 10 May 2023 20:02:05 +0800 Subject: [PATCH 62/78] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 281814892 Fix: 281663915 Change-Id: Ib2cd9aa4e42441c1d7bdb9c7df20f7ab2108cda4
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index c77f421..75770a5 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -2,3 +2,4 @@ hal_camera_default boot_status_prop file b/275001805
 hal_camera_default edgetpu_app_service service_manager b/275001805
 hal_dumpstate_default modem_stat_data_file dir b/239115418
 shell sysfs_touch dir b/264823366
+system_suspend sysfs_aoc dir b/281814892
From 8bfc8ce40c6a0e4facb374c7d4152ce432de89b5 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Fri, 12 May 2023 02:29:41 +0000 Subject: [PATCH 63/78] introduce a new sepolicy owner Bug: 281631102 Test: N/A Change-Id: Ia857a34560dc7709effba2ccb4d83052c46b46dc
---
 OWNERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/OWNERS b/OWNERS
index 791abb4..5232bc3 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@ -include platform/system/sepolicy:/OWNERS +include device/google/gs-common:/sepolicy/OWNERS + +adamshih@google.com -rurumihong@google.com From 468e83b490e8308197787db13a52c11980ff5ca3 Mon Sep 17 00:00:00 2001 From: Luis Delgado de Mendoza Garcia Date: Tue, 16 May 2023 08:54:29 -0700 Subject: [PATCH 64/78] Remove bugmap for aoc sepolicy error. The sepolicy error was fixed by adding the necessary entries to the gs201 sepolicy. Removing the bug map. Bug: 281814892 Test: N/A Change-Id: I0650636d7177ea7748f3690eef98ccb47a1eaf1b --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 75770a5..c77f421 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,4 +2,3 @@ hal_camera_default boot_status_prop file b/275001805 hal_camera_default edgetpu_app_service service_manager b/275001805 hal_dumpstate_default modem_stat_data_file dir b/239115418 shell sysfs_touch dir b/264823366 -system_suspend sysfs_aoc dir b/281814892 From 84e2bd8231d48b97f5c8f913ca282e7a8373ea2e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 31 May 2023 01:45:12 +0000 Subject: [PATCH 65/78] remove obsolete entry Bug: 239115418 Test: adb bugreport Change-Id: I5bc086c3cf5dd742307109f22bf7e9ee154a3d72 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index c77f421..d505993 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,3 @@ hal_camera_default boot_status_prop file b/275001805 hal_camera_default edgetpu_app_service service_manager b/275001805 -hal_dumpstate_default modem_stat_data_file dir b/239115418 shell sysfs_touch dir b/264823366 From 7d9914d66e7c22c3934488f67f51bf039e169ab4 Mon Sep 17 00:00:00 2001 
From: changyan Date: Tue, 20 Jun 2023 06:44:33 +0000 Subject: [PATCH 66/78] Remove the tracking_denials entry as the issue Bug: 275001805 Test: SELinuxUncheckedDenialBootTest Change-Id: I0b15523fdbfb6d96467719a45a9e5c4f46715cc5
---
 tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index d505993..0043272 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1 @@
-hal_camera_default boot_status_prop file b/275001805
-hal_camera_default edgetpu_app_service service_manager b/275001805
 shell sysfs_touch dir b/264823366
From 076dee1318a70809f98dca91f1cb13871481790d Mon Sep 17 00:00:00 2001
From: Nikhil Kumar Date: Thu, 29 Jun 2023 14:26:40 +0100 Subject: [PATCH 67/78] Tracked SELinux denials for HSUM tangorpro mode Bug: 289358324 Test: Run the boot health test to verify if the Denials are ignored. Change-Id: I74063ed1634dc4b9bff524203e537b0dfc36b02e
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index c77f421..affe07f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -2,3 +2,4 @@ hal_camera_default boot_status_prop file b/275001805
 hal_camera_default edgetpu_app_service service_manager b/275001805
 hal_dumpstate_default modem_stat_data_file dir b/239115418
 shell sysfs_touch dir b/264823366
+platform_app system_data_file dir b/289358324
From 1ef0169b1f2bc4bb9674c5bf96b43e29e179d68f Mon Sep 17 00:00:00 2001
From: eddielan Date: Tue, 8 Aug 2023 17:37:51 +0800 Subject: [PATCH 68/78] Correct fps sepolicy error E SELinux : avc: denied { find } name=android.frameworks.sensorservice.ISensorManager/default scontext=u:r:hal_fingerprint_capacitance:s0 tcontext=u:object_r:fwk_sensor_service:s0 tclass=service_manager permissive=0 Bug: 294959986 Test: make selinux_policy -j128 Change-Id: I987349032bdf7b79e1985a321949987860a08098 --- fingerprint_capacitance/hal_fingerprint_capacitance.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te index 632086a..f35912f 100644 --- a/fingerprint_capacitance/hal_fingerprint_capacitance.te +++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te @@ -36,4 +36,4 @@ hwbinder_use(hal_fingerprint_capacitance) add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice) # allow fingerprint to access fwk sensor hwservice -allow hal_fingerprint_capacitance fwk_sensor_hwservice:hwservice_manager find; +allow hal_fingerprint_capacitance fwk_sensor_service:service_manager find; From 4320e842e1d6bb47ff041df95109a8e536a45b4a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 16 Oct 2023 12:20:36 +0800 Subject: [PATCH 69/78] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 305600863 Change-Id: I7922325ac2ae83a2974a00bdf7a62b96f9b328fd --- tracking_denials/bug_map | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 69faad8..72c60a3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,2 +1,4 @@ -shell sysfs_touch dir b/264823366 +kernel vendor_usb_debugfs dir b/305600863 +kernel vendor_votable_debugfs dir b/305600863 platform_app system_data_file dir b/289358324 +shell sysfs_touch dir b/264823366 From f4bf916b05d4275bf949b8b5c46f5763d117fdaa Mon Sep 17 00:00:00 2001 
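Review bot: The comment kept above the changed rule in hal_fingerprint_capacitance.te still reads `# allow fingerprint to access fwk sensor hwservice`, but the new rule targets `fwk_sensor_service:service_manager`, so the comment now describes the rule that was removed. I would change it to `# allow fingerprint to find the framework sensor service`. The hunk shows `hwbinder_use(hal_fingerprint_capacitance)` just above; whether the domain also has `binder_use` for the service_manager path is not visible here and is worth checking, since the quoted denial covers only `find`. The file begins outside the hunk.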
From: Wilson Sung Date: Tue, 17 Oct 2023 04:02:26 +0000 Subject: [PATCH 70/78] Supress kernel avc log before SELinux initialized Fix: 305600863 Change-Id: I795c7cd3b1df318a9164d0e3ec15d2930ecd7e21
---
 tracking_denials/bug_map | 3 +-- vendor/kernel.te | 3 +++ 2 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 vendor/kernel.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 72c60a3..7836967 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,3 @@
-kernel vendor_usb_debugfs dir b/305600863
-kernel vendor_votable_debugfs dir b/305600863
 platform_app system_data_file dir b/289358324
 shell sysfs_touch dir b/264823366
+
diff --git a/vendor/kernel.te b/vendor/kernel.te
new file mode 100644
index 0000000..ead4d43
--- /dev/null
+++ b/vendor/kernel.te
@@ -0,0 +1,3 @@
+dontaudit kernel vendor_usb_debugfs:dir search;
+dontaudit kernel vendor_votable_debugfs:dir search;
+
From 4d67b2011b6a1012d57e37941d78951851289b1d Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Tue, 17 Oct 2023 07:21:57 +0000 Subject: [PATCH 71/78] Move kernel.te to gs201-sepolicy Bug: 305880925 Fix: 305880925 Change-Id: Ie387dc9c424e41321e2ffce807f7245b6e189efc
---
 vendor/kernel.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 vendor/kernel.te
diff --git a/vendor/kernel.te b/vendor/kernel.te
deleted file mode 100644
index ead4d43..0000000
--- a/vendor/kernel.te
+++ /dev/null
@@ -1,3 +0,0 @@
-dontaudit kernel vendor_usb_debugfs:dir search;
-dontaudit kernel vendor_votable_debugfs:dir search;
-
From f074293d7b8414fd80f92a699936df08014a9f8f Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Mon, 20 Nov 2023 03:15:04 +0000 Subject: [PATCH 72/78] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 312069156 Change-Id: I8c6fd9908e126e23ced56fccea3275a0bddb4311
---
 tracking_denials/bug_map | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 7836967..d2a2b01 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,4 @@
+
+audioserver vendor_file file b/312069156
 platform_app system_data_file dir b/289358324
 shell sysfs_touch dir b/264823366
-
From ad3e118f4f9fa4d9c1334cd97e941041fe08fddc Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Tue, 21 Nov 2023 07:41:36 +0000 Subject: [PATCH 73/78] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 312375728 Change-Id: Ia58c0e4b3378f63aaafd2317353ca2779fab14d7
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index d2a2b01..bae1538 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -2,3 +2,4 @@
 audioserver vendor_file file b/312069156
 platform_app system_data_file dir b/289358324
 shell sysfs_touch dir b/264823366
+system_app proc_pagetypeinfo file b/312375728
From af4ca9a019862b5b225d71c3514c635a4efc1525 Mon Sep 17 00:00:00 2001
From: Jacky Liu Date: Tue, 23 Jan 2024 18:15:59 +0800 Subject: [PATCH 74/78] Add additional rfkill path for bluetooth Add another possible rfkill path for bluetooth. Test: Enable bluetooth successfully Bug: 316820336 Change-Id: I444b083a5dd985f98e507311ee79d22ff172ee16
---
 bluetooth/genfs_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts
index d18d164..fbad5b3 100644
--- a/bluetooth/genfs_contexts
+++ b/bluetooth/genfs_contexts
@@ -1,3 +1,4 @@
 genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
 genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
 genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
From 567253e387582b6bf108b01748d7dee9df110751 Mon Sep 17 00:00:00 2001
From: Jacky Liu Date: Tue, 6 Feb 2024 19:59:24 +0800 Subject: [PATCH 75/78] Update i2c device paths Remove entries which are already in gs201-sepolicy. Bug: 323447554 Test: Boot to home Change-Id: I3643ce79da93b8873843a06eb86a5af5c26df449 --- vendor/genfs_contexts | 5 ----- 1 file changed, 5 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4b06cfb..4f0385d 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -5,11 +5,6 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_ genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 # system suspend wakeup files -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-7/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/nvt-pen-battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/input/input2/wakeup u:object_r:sysfs_wakeup:s0 From 301e7513b060ce7140d22254687e1e8d0a44b2c5 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Wed, 15 May 2024 00:40:22 +0000 Subject: [PATCH 76/78] SELinux: fix avc denials Fix avc denials for hal_health_default. Add this as tangorpro specific rule to avoid bad build on other devices. Bug: 338332877 Change-Id: Ifecd53cf053f1e00dd8d7c76acdb24eaebe6217e 
Signed-off-by: Ken Yang --- vendor/hal_health_default.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 vendor/hal_health_default.te diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te new file mode 100644 index 0000000..f75cab4 --- /dev/null +++ b/vendor/hal_health_default.te @@ -0,0 +1 @@ +dontaudit hal_health_default sysfs_touch:dir *; \ No newline at end of file From a6f591bdff47457345cd8dc3e8bc942b628f6bb7 Mon Sep 17 00:00:00 2001 From: Hyungwoo Yang Date: Tue, 28 May 2024 05:52:46 +0000 Subject: [PATCH 77/78] selinux: add sysfs_wake label for USI pen battery Bug: 337984471, 342968299 Change-Id: Ia190f99eb684bddcd59dae8f560b4a8eb8979446 Signed-off-by: Hyungwoo Yang --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4f0385d..91f9912 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -7,6 +7,7 @@ genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_ # system suspend wakeup files genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/nvt-pen-battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/USI_Stylus_Battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/input/input2/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0 From 04b05427fc6de58c21fcd4718b05b5e66efdb459 Mon Sep 17 00:00:00 2001 
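Review bot: `dontaudit hal_health_default sysfs_touch:dir *;` in the new vendor/hal_health_default.te suppresses logging for every directory permission rather than the one that was denied, so a later unexpected access by the health HAL to the touch sysfs tree would leave no audit trace. The other suppressions in this series name the permission (`dontaudit shell sysfs_touch:dir { search };`); I would do the same here with `dontaudit hal_health_default sysfs_touch:dir search;`, if search is what the log in b/338332877 shows. A `# b/338332877` comment above the rule would tie it to the denial, and the file needs a trailing newline.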
From: Erin Yan Date: Mon, 22 Apr 2024 14:35:47 -0700 Subject: [PATCH 78/78] Remove SEPolicy for Mediashell from device level make file Bug: 343288392 Test: Verified L1 content Cast working on Tangorpro and no avc error on mediashell_app in logs with forest build. Change-Id: I7d27c3d1aa5f6e5e666b05e157333fd217f776c0 --- tangorpro-sepolicy.mk | 1 - 1 file changed, 1 deletion(-) diff --git a/tangorpro-sepolicy.mk b/tangorpro-sepolicy.mk index f16f331..c771713 100644 --- a/tangorpro-sepolicy.mk +++ b/tangorpro-sepolicy.mk @@ -8,7 +8,6 @@ BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance # for mediashell PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor -PRODUCT_PRIVATE_SEPOLICY_DIRS += vendor/google/gms/src/sepolicy/tv # system_ext SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private