From e1e330d587a03763dfef0a3a8bebf8f10f4761d1 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 24 Nov 2022 10:55:04 +0800 Subject: [PATCH 01/18] remove obsolete entry Bug: 260175281 Test: build pass Change-Id: I0f6d070416b5fac8711434b84fc9c552b8a6a64d --- vendor/genfs_contexts | 8 -------- 1 file changed, 8 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index dc21018..4b06cfb 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -3,14 +3,6 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_ # Touch genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 -genfscon proc /nvt_baseline u:object_r:proc_touch:s0 -genfscon proc /nvt_cc_uniformity u:object_r:proc_touch:s0 -genfscon proc /nvt_diff u:object_r:proc_touch:s0 -genfscon proc /nvt_fw_update u:object_r:proc_touch:s0 -genfscon proc /nvt_fw_version u:object_r:proc_touch:s0 -genfscon proc /nvt_heatmap u:object_r:proc_touch:s0 -genfscon proc /nvt_raw u:object_r:proc_touch:s0 -genfscon proc /nvt_selftest u:object_r:proc_touch:s0 # system suspend wakeup files genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 From 33c84b77d2e648f6972810e25cc7941adc2c53ee Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 25 Nov 2022 14:09:21 +0800 Subject: [PATCH 02/18] fix declaration missing error Bug: 260175281 Test: build pass Change-Id: Ibe07a278639afa3d0783785374502607ba81eb6e --- vendor/file.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/file.te b/vendor/file.te index 32ab75b..a863220 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -3,3 +3,6 @@ type sysfs_pogo_usb, sysfs_type, fs_type; # Cast device certificate type device_cert_file, file_type, vendor_persist_type; + +# Avoid GPS se failed +type sysfs_gps, sysfs_type, fs_type; From d5db8fa0e232e3479745a73a85e9f018fb78cbd9 Mon Sep 17 00:00:00 2001 
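Review bot: The comment `# Avoid GPS se failed` above `type sysfs_gps, sysfs_type, fs_type;` in vendor/file.te does not say which policy references the type or why it has to be declared here. No patch in this series labels a sysfs path with `sysfs_gps` in vendor/genfs_contexts, so as far as the visible hunks show, any rule naming the type would match no file on this device. If the declaration exists only so that a shared policy compiles (an inference from the subject line), say so, e.g. `# Declared so GPS policy referencing sysfs_gps compiles; no node is labelled with it here`.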
From: Adam Shih Date: Fri, 2 Dec 2022 13:08:28 +0800 Subject: [PATCH 03/18] rename sysfs_touch Bug: 256521567 Test: adb bugreport Change-Id: Ic10339198209b7e1c8874610f69c515a95d6e7da --- vendor/system_server.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/system_server.te b/vendor/system_server.te index b17b985..ba82449 100644 --- a/vendor/system_server.te +++ b/vendor/system_server.te @@ -1 +1 @@ -allow system_server sysfs_touch:file r_file_perms; +allow system_server sysfs_touch_gti:file r_file_perms; From 483f42925df6aaeb8ffb5233a356bf75f2ae01b9 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 6 Dec 2022 12:01:08 +0800 Subject: [PATCH 04/18] align sysfs_touch_gti type Bug: 256521567 Test: build pass Change-Id: I2452e2551ea47a3bbf1c4b084259e73c37e02f04 --- vendor/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4b06cfb..2192a0e 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -2,7 +2,7 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 # Touch -genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch_gti:s0 # system suspend wakeup files genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 From 6f45c41a7612c0978db78d0cd8281dadd393cdb5 Mon Sep 17 00:00:00 2001 
From: Darren Hsu Date: Tue, 13 Sep 2022 10:19:09 +0800 Subject: [PATCH 05/18] sepolicy: allow binder call for hal_power_stats and hal_bluetooth avc: denied { call } for comm="bluetooth@1.1-s" scontext=u:r:hal_bluetooth_synabtlinux:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=0 avc: denied { call } for scontext=u:r:hal_bluetooth_synabtlinux:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=1 avc: denied { read } for comm="android.hardwar" name="u:object_r:boot_status_prop:s0" dev="tmpfs" ino=109 scontext=u:r:hal_bluetooth_synabtlinux:s0 tcontext=u:object_r:boot_status_prop:s0 tclass=file permissive=0 Bug: 215487801 , 262386677 Test: captured bugreport and didn't see powerstats avc denials Change-Id: I34840b7f8031084270477635c2bde5d702a0507c Signed-off-by: Darren Hsu (cherry picked from commit ccd9f49f2bfafe83993345558d03ac344db3295a) --- bluetooth/hal_bluetooth_default.te | 2 ++ vendor/hal_power_stats_default.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 vendor/hal_power_stats_default.te diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te index b8091d9..c764133 100644 --- a/bluetooth/hal_bluetooth_default.te +++ b/bluetooth/hal_bluetooth_default.te @@ -10,6 +10,8 @@ allow hal_bluetooth_synabtlinux hci_attach_dev:chr_file rw_file_perms; allow hal_bluetooth_synabtlinux hal_power_stats_vendor_service:service_manager find; add_hwservice(hal_bluetooth_synabtlinux, hal_bluetooth_coexistence_hwservice) vndbinder_use(hal_bluetooth_synabtlinux) +binder_call(hal_bluetooth_synabtlinux, hal_power_stats_default) +get_prop(hal_bluetooth_synabtlinux, boot_status_prop) allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms; diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te new file mode 100644 index 0000000..a81c9ba --- /dev/null 
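Review bot: The added `get_prop(hal_bluetooth_synabtlinux, boot_status_prop)` in bluetooth/hal_bluetooth_default.te is justified only by the `read` denial quoted in the commit message, not by a stated need of the Bluetooth HAL to read boot status. If that read is incidental, keeping it denied and tracking the denial leaves the domain narrower than a permanent grant. The two added lines also carry no comment, unlike the callback rule in vendor/hal_power_stats_default.te. A line such as `# Bluetooth HAL reports state residency to the power stats HAL` above `binder_call(hal_bluetooth_synabtlinux, hal_power_stats_default)` would record why this HAL-to-HAL binder path exists.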
+++ b/vendor/hal_power_stats_default.te @@ -0,0 +1,2 @@ +# getStateResidency AIDL callback for Bluetooth HAL +binder_call(hal_power_stats_default, hal_bluetooth_synabtlinux) From 0afa8d077dfc8ef49b822c7b1a0407abbede525a Mon Sep 17 00:00:00 2001 From: Super Liu Date: Thu, 22 Dec 2022 05:37:24 +0000 Subject: [PATCH 06/18] Suppress linux denials Bug: 263430971 Test: TreeHugger build. Signed-off-by: Super Liu Change-Id: Ic0e235cd44fa5114749b3d1c84df24745ecc0ec5 --- tracking_denials/shell.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/shell.te diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te new file mode 100644 index 0000000..797b2af --- /dev/null +++ b/tracking_denials/shell.te @@ -0,0 +1,2 @@ +# b/263430971 +dontaudit shell sysfs_touch_gti:dir { search }; From 02379ea5d9ab8ef2ce92904af38778311c002499 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Fri, 23 Dec 2022 11:05:52 +0000 Subject: [PATCH 07/18] WLC: Add device specific sepolicy for wireless_charger Bug: 263561134 Bug: 237600973 Change-Id: I95af98c9b7c2244522ba7e943b769e3e454edc20 Signed-off-by: Ken Yang --- vendor/platform_app.te | 2 ++ vendor/system_app.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 vendor/platform_app.te create mode 100644 vendor/system_app.te diff --git a/vendor/platform_app.te b/vendor/platform_app.te new file mode 100644 index 0000000..6ac0514 --- /dev/null +++ b/vendor/platform_app.te @@ -0,0 +1,2 @@ +allow platform_app hal_wireless_charger_service:service_manager find; +binder_call(platform_app, hal_wireless_charger) diff --git a/vendor/system_app.te b/vendor/system_app.te new file mode 100644 index 0000000..ca56668 --- /dev/null +++ b/vendor/system_app.te @@ -0,0 +1,2 @@ +allow system_app hal_wireless_charger_service:service_manager find; +binder_call(system_app, hal_wireless_charger) From 5df51157c390f0ba95668f0079a4e0ca369666b2 Mon Sep 17 00:00:00 2001 
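Review bot: `binder_call(platform_app, hal_wireless_charger)` and the matching `service_manager find` rule in vendor/platform_app.te, repeated for `system_app` in vendor/system_app.te, open the wireless charger HAL to every app running in those two domains rather than to the one client that needs it. Both domains are shared by many preinstalled apps, so the set of processes that can reach the HAL is far wider than the commit message suggests. Neither new file names the caller; add a comment such as `# <client app> talks to the wireless charger HAL (b/263561134)`. If a single package is the intended client, consider giving it its own domain through seapp_contexts.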
From: Super Liu Date: Tue, 3 Jan 2023 01:46:10 +0000 Subject: [PATCH 08/18] Add sepolicy for sysfs_touch type. Bug: 263108813 Test: TreeHugger build pass. Signed-off-by: Super Liu Change-Id: I83edfd28a116fe61cec323aecc30089b3298550f --- vendor/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 2192a0e..4b06cfb 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -2,7 +2,7 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 # Touch -genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch_gti:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 # system suspend wakeup files genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-6/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 From 12579828b0feeb0024fc1f37472e8a88ee081778 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Thu, 5 Jan 2023 07:37:13 +0000 Subject: [PATCH 09/18] WLC: Remove unused wireless_charger policies Bug: 263830018 Change-Id: I5378ad328d4a431413d296afd68d79f5c72bec5e Signed-off-by: Ken Yang --- vendor/platform_app.te | 2 -- vendor/system_app.te | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 vendor/platform_app.te delete mode 100644 vendor/system_app.te diff --git a/vendor/platform_app.te b/vendor/platform_app.te deleted file mode 100644 index 6ac0514..0000000 --- a/vendor/platform_app.te +++ /dev/null @@ -1,2 +0,0 @@ -allow platform_app hal_wireless_charger_service:service_manager find; -binder_call(platform_app, hal_wireless_charger) diff --git a/vendor/system_app.te b/vendor/system_app.te deleted file mode 100644 index ca56668..0000000 --- a/vendor/system_app.te +++ /dev/null @@ -1,2 +0,0 @@ -allow system_app hal_wireless_charger_service:service_manager find; -binder_call(system_app, hal_wireless_charger) 
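Review bot: The rule `allow system_server sysfs_touch_gti:file r_file_perms;` introduced by patch 03 is left naming a label that the `spi0.0` node no longer carries once this hunk in vendor/genfs_contexts sets it back to `u:object_r:sysfs_touch:s0`. Unless policy outside this series already grants system_server read access to `sysfs_touch`, that access would be denied after this change, and the vendor/system_server.te rule would match nothing visible here. The subject says a policy is being added, but the diff is an exact revert of patch 04. Stating that, with the reason, would help anyone auditing the label history.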
From 903888aa95b9f85d6d39ab1e8749c6e1df26fa71 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Mon, 9 Jan 2023 12:15:45 +0800 Subject: [PATCH 10/18] Update error on ROM 9467565 Bug: 264823366 Test: SELinuxUncheckedDenialBootTest Change-Id: Ie484c1999f76eee4e1a9c49deda7b1fe0e0bbbdd --- tracking_denials/shell.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te index 797b2af..a6a5568 100644 --- a/tracking_denials/shell.te +++ b/tracking_denials/shell.te @@ -1,2 +1,4 @@ # b/263430971 dontaudit shell sysfs_touch_gti:dir { search }; +# b/264823366 +dontaudit shell sysfs_touch:dir { search }; From a6ce6beb10c1ca5c4e61c935ca1196d164dc3017 Mon Sep 17 00:00:00 2001 From: Joshua McCloskey Date: Thu, 5 Jan 2023 04:28:14 +0000 Subject: [PATCH 11/18] Allow SystemUI to access fp hal. Bug: 261209932 Test: Verified SystemUI can access HAL extension. Change-Id: If1a2c7debafad70b6aece6c8ac63852e4b2b6276 --- fingerprint_capacitance/system_app.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 fingerprint_capacitance/system_app.te diff --git a/fingerprint_capacitance/system_app.te b/fingerprint_capacitance/system_app.te new file mode 100644 index 0000000..f583431 --- /dev/null +++ b/fingerprint_capacitance/system_app.te @@ -0,0 +1,3 @@ +# TODO (b/264266705) Remove this and make it specific to the app +# allow SystemUIGoogle to access fingerprint hal +hal_client_domain(system_app, hal_fingerprint) From dc359f21780ca731fb6537c27dd2c0eefe907bff Mon Sep 17 00:00:00 2001 From: Myles Watson Date: Tue, 10 Jan 2023 06:27:23 -0800 Subject: [PATCH 12/18] TangorPro: Use common sepolicy for bt_device Bug: 205758693 Test: build Ignore-AOSP-First: Some devices in internal define bt_device Change-Id: I29ca448d60af312d7dbe241f93592233d16bfcbe --- bluetooth/device.te | 1 - 1 file changed, 1 deletion(-) delete mode 100644 bluetooth/device.te 
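Review bot: `hal_client_domain(system_app, hal_fingerprint)` in fingerprint_capacitance/system_app.te makes every app in the `system_app` domain a client of the fingerprint HAL, while the comment says only SystemUIGoogle needs it. The TODO acknowledges the breadth but leaves the grant on a biometric HAL open-ended until b/264266705 is resolved. It is worth confirming that SystemUIGoogle really runs in `system_app` on this device, since otherwise this rule is not what grants it access. The narrower form would be a dedicated type assigned to that package via seapp_contexts, with `hal_client_domain` applied to that type only.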
diff --git a/bluetooth/device.te b/bluetooth/device.te deleted file mode 100644 index 7ed13ad..0000000 --- a/bluetooth/device.te +++ /dev/null @@ -1 +0,0 @@ -type bt_device, dev_type; From 306f6c5e8c3780fd0cee8287e7eadf842cda29c2 Mon Sep 17 00:00:00 2001 From: matthuang Date: Tue, 31 Jan 2023 17:30:19 +0800 Subject: [PATCH 13/18] Allow sensor hal to access uhid devices. Bug: 262056923 Test: Screen is off when put a magnet close to hall sensor. Change-Id: I2031c167f242b10b0a03076f0bc4184dd21e2cd5 --- vendor/hal_sensors_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te index 978d9b4..da6b54e 100644 --- a/vendor/hal_sensors_default.te +++ b/vendor/hal_sensors_default.te @@ -4,3 +4,6 @@ # Allow sensor HAL to access pogo driver hall file node. allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms; + +# Allow access to the uhid devices. +allow hal_sensors_default uhid_device:chr_file rw_file_perms; From a026b453c49b503b989d5a26ee7f7e338c79cb7b Mon Sep 17 00:00:00 2001 From: Super Liu Date: Tue, 14 Feb 2023 08:45:57 +0000 Subject: [PATCH 14/18] Remove unnecessary denials. Bug: 263430971 Test: TreeHugger build. Signed-off-by: Super Liu Change-Id: Icd6a9e1ba2f779ad20be44e186919cb621705c21 --- tracking_denials/shell.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/shell.te diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te deleted file mode 100644 index a6a5568..0000000 --- a/tracking_denials/shell.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/263430971 -dontaudit shell sysfs_touch_gti:dir { search }; -# b/264823366 -dontaudit shell sysfs_touch:dir { search }; From a32c0da2f61389b253904a098d905e06029d6790 Mon Sep 17 00:00:00 2001 
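Review bot: `allow hal_sensors_default uhid_device:chr_file rw_file_perms;` in vendor/hal_sensors_default.te grants more than the comment `# Allow access to the uhid devices.` conveys, because write access to the uhid node lets a process register a userspace HID device. The comment should record why the sensor HAL needs that capability. Judging by the test line it is for hall sensor reporting, e.g. `# Hall sensor state is reported through a virtual HID device created via uhid`. It is also worth confirming that `rw_file_perms` is the minimum the HAL needs here.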
From: leochuang Date: Wed, 22 Feb 2023 10:30:21 +0800 Subject: [PATCH 15/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 264823366 Change-Id: I9b6c67192c19d74429606653cd322a4686a21e4d --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3cf5e4c..8836618 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1 +1,2 @@ hal_dumpstate_default modem_stat_data_file dir b/239115418 +shell sysfs_touch dir b/264823366 From 5acd6da7935aa98ab7225ae2183643dcbbf63715 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 24 Mar 2023 11:12:09 +0800 Subject: [PATCH 16/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275001805 Change-Id: Ia930f873d1471bf38416e74b7c1dcf23da0470c0 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 8836618..c77f421 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,2 +1,4 @@ +hal_camera_default boot_status_prop file b/275001805 +hal_camera_default edgetpu_app_service service_manager b/275001805 hal_dumpstate_default modem_stat_data_file dir b/239115418 shell sysfs_touch dir b/264823366 From 6a684e0fccf209315671ae01cfcdecd96934b284 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 10 May 2023 20:02:05 +0800 Subject: [PATCH 17/18] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 281814892 Fix: 281663915 Change-Id: Ib2cd9aa4e42441c1d7bdb9c7df20f7ab2108cda4 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index c77f421..75770a5 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -2,3 +2,4 @@ hal_camera_default boot_status_prop file b/275001805 hal_camera_default edgetpu_app_service service_manager b/275001805 hal_dumpstate_default modem_stat_data_file dir b/239115418 shell sysfs_touch dir b/264823366 +system_suspend sysfs_aoc dir b/281814892 From 468e83b490e8308197787db13a52c11980ff5ca3 Mon Sep 17 00:00:00 2001 From: Luis Delgado de Mendoza Garcia Date: Tue, 16 May 2023 08:54:29 -0700 Subject: [PATCH 18/18] Remove bugmap for aoc sepolicy error. The sepolicy error was fixed by adding the necessary entries to the gs201 sepolicy. Removing the bug map. Bug: 281814892 Test: N/A Change-Id: I0650636d7177ea7748f3690eef98ccb47a1eaf1b --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 75770a5..c77f421 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,4 +2,3 @@ hal_camera_default boot_status_prop file b/275001805 hal_camera_default edgetpu_app_service service_manager b/275001805 hal_dumpstate_default modem_stat_data_file dir b/239115418 shell sysfs_touch dir b/264823366 -system_suspend sysfs_aoc dir b/281814892