From b8c6a55162f9cd7fdf08bbb2450537288df7991b Mon Sep 17 00:00:00 2001 From: Inna Palant Date: Tue, 5 Sep 2023 13:10:44 -0700 Subject: [PATCH 01/23] Initial empty repository From 674448e17bd632ca20aaf1a941a8474d11ddb72d Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 14 Sep 2023 22:57:40 +0800 Subject: [PATCH 02/23] Initialize Tegu Bug: 298309659 Change-Id: I8b6498685893b6f8009dd48b6259ebae7523cc4e --- OWNERS | 2 ++ README.txt | 2 ++ file_contexts | 1 + genfs_contexts | 1 + tegu-sepolicy.mk | 3 +++ 5 files changed, 9 insertions(+) create mode 100644 OWNERS create mode 100644 README.txt create mode 100644 file_contexts create mode 100644 genfs_contexts create mode 100644 tegu-sepolicy.mk diff --git a/OWNERS b/OWNERS new file mode 100644 index 0000000..1cbf919 --- /dev/null +++ b/OWNERS @@ -0,0 +1,2 @@ +# per-file for Pixel device makefiles, see go/pixel-device-mk-owner-checklist for details. +per-file *.mk=file:device/google/gs-common:master:/OWNERS diff --git a/README.txt b/README.txt new file mode 100644 index 0000000..67a320f --- /dev/null +++ b/README.txt @@ -0,0 +1,2 @@ +This folder holds sepolicy exclusively for one device. For example, genfs_contexts +paths that are affected by device tree. diff --git a/file_contexts b/file_contexts new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/file_contexts @@ -0,0 +1 @@ + diff --git a/genfs_contexts b/genfs_contexts new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/genfs_contexts @@ -0,0 +1 @@ + diff --git a/tegu-sepolicy.mk b/tegu-sepolicy.mk new file mode 100644 index 0000000..50dd9f8 --- /dev/null +++ b/tegu-sepolicy.mk @@ -0,0 +1,3 @@ +# sepolicy that are shared among devices using ZumaPro +BOARD_SEPOLICY_DIRS += device/google/tegu-sepolicy + From 54fd016eec57c05c67e65137ed34976af1bd761e Mon Sep 17 00:00:00 2001 
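Review bot: The header comment `# sepolicy that are shared among devices using ZumaPro` in tegu-sepolicy.mk contradicts README.txt added in the same commit, which says the folder holds sepolicy exclusively for one device, so a reader of the makefile alone gets the wrong scope. Suggest `# sepolicy specific to the tegu device` (and "sepolicy that are" is also ungrammatical). The same comment is carried unchanged as a context line in patch 06, so it should be corrected there if this commit has already landed.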
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Thu, 28 Sep 2023 00:29:41 +0000 Subject: [PATCH 03/23] OWNERS: master -> main Change-Id: I8f782bd4f895613f75fc0481bd075dea104eb442 --- OWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OWNERS b/OWNERS index 1cbf919..4bdbb97 100644 --- a/OWNERS +++ b/OWNERS @@ -1,2 +1,2 @@ # per-file for Pixel device makefiles, see go/pixel-device-mk-owner-checklist for details. -per-file *.mk=file:device/google/gs-common:master:/OWNERS +per-file *.mk=file:device/google/gs-common:main:/OWNERS From cbc7768ed92cc1f839c8fd0b54c2d9e91f36b024 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 25 Oct 2023 08:09:31 +0000 Subject: [PATCH 04/23] Initial SEpolicy tracking_denials Bug: 296187211 Change-Id: I129f00a1d90d46dee99bc74a89bd7ebb94ef9b36 --- tracking_denials/README.txt | 2 ++ tracking_denials/bug_map | 1 + 2 files changed, 3 insertions(+) create mode 100644 tracking_denials/README.txt create mode 100644 tracking_denials/bug_map diff --git a/tracking_denials/README.txt b/tracking_denials/README.txt new file mode 100644 index 0000000..6cfc62d --- /dev/null +++ b/tracking_denials/README.txt @@ -0,0 +1,2 @@ +This folder stores known errors detected by PTS. Be sure to remove relevant +files to reproduce error log on latest ROMs. diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/tracking_denials/bug_map @@ -0,0 +1 @@ + From 2d10925a7a79288db885c8efbb0389333eb7f59d Mon Sep 17 00:00:00 2001 From: Kamal Shafi Date: Mon, 27 Nov 2023 10:00:06 +0000 Subject: [PATCH 05/23] sepolicy: migrate zumapro devices sepolicy - Move device specific sepolicy Bug: 312869113 Test: build Change-Id: Ic84b8765d0794249347069d518c2be25f2791f92 --- file_contexts | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/file_contexts b/file_contexts index 8b13789..0f19b2e 100644 --- a/file_contexts +++ b/file_contexts 
@@ -1 +1,10 @@ - +# Devices +/dev/lwis-act-nessie u:object_r:lwis_device:s0 +/dev/lwis-eeprom-nessie u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-leshen u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-leshen-uw u:object_r:lwis_device:s0 +/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 +/dev/lwis-ois-nessie u:object_r:lwis_device:s0 +/dev/lwis-sensor-barghest u:object_r:lwis_device:s0 +/dev/lwis-sensor-leshen u:object_r:lwis_device:s0 +/dev/lwis-sensor-leshen-uw u:object_r:lwis_device:s0 From 499a8cf3ce73c379443858ad23d64212fd441154 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 6 Dec 2023 06:31:02 +0000 Subject: [PATCH 06/23] Add tegu vendor folder Bug: 296187211 Change-Id: Iad3ed3ff3b11fda32c02654d2d1f0160031b62b6 --- tegu-sepolicy.mk | 3 ++- file_contexts => vendor/file_contexts | 0 genfs_contexts => vendor/genfs_contexts | 0 3 files changed, 2 insertions(+), 1 deletion(-) rename file_contexts => vendor/file_contexts (100%) rename genfs_contexts => vendor/genfs_contexts (100%) diff --git a/tegu-sepolicy.mk b/tegu-sepolicy.mk index 50dd9f8..1d59a75 100644 --- a/tegu-sepolicy.mk +++ b/tegu-sepolicy.mk @@ -1,3 +1,4 @@ # sepolicy that are shared among devices using ZumaPro -BOARD_SEPOLICY_DIRS += device/google/tegu-sepolicy +BOARD_SEPOLICY_DIRS += device/google/tegu-sepolicy/vendor +BOARD_SEPOLICY_DIRS += device/google/tegu-sepolicy/tracking_denials diff --git a/file_contexts b/vendor/file_contexts similarity index 100% rename from file_contexts rename to vendor/file_contexts diff --git a/genfs_contexts b/vendor/genfs_contexts similarity index 100% rename from genfs_contexts rename to vendor/genfs_contexts From a2f203e90f014d10ff8a09313e01ab895da16a86 Mon Sep 17 00:00:00 2001 
From: Joe Huang Date: Thu, 30 Nov 2023 15:54:44 +0800 Subject: [PATCH 07/23] gps: add sepolicy rules for gps Bug: 314051269 Test: Test GPS Change-Id: I525172bebe931c6611730758691b1bfe2e80455f --- vendor/README.txt | 2 ++ vendor/file.te | 2 ++ vendor/file_contexts | 14 ++++++++++++++ vendor/genfs_contexts | 3 ++- vendor/gnssd.te | 28 ++++++++++++++++++++++++++++ vendor/hal_gnss_default.te | 7 +++++++ vendor/rild.te | 1 + vendor/sctd.te | 3 +++ vendor/spad.te | 3 +++ vendor/swcnd.te | 3 +++ 10 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 vendor/README.txt create mode 100644 vendor/file.te create mode 100644 vendor/gnssd.te create mode 100644 vendor/hal_gnss_default.te create mode 100644 vendor/rild.te create mode 100644 vendor/sctd.te create mode 100644 vendor/spad.te create mode 100644 vendor/swcnd.te diff --git a/vendor/README.txt b/vendor/README.txt new file mode 100644 index 0000000..67a320f --- /dev/null +++ b/vendor/README.txt @@ -0,0 +1,2 @@ +This folder holds sepolicy exclusively for one device. For example, genfs_contexts +paths that are affected by device tree. diff --git a/vendor/file.te b/vendor/file.te new file mode 100644 index 0000000..4fded5a --- /dev/null +++ b/vendor/file.te @@ -0,0 +1,2 @@ +type sysfs_modem_state, sysfs_type, fs_type; +type sysfs_gps, sysfs_type, fs_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 0f19b2e..f563cd9 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
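Review bot: `type sysfs_modem_state, sysfs_type, fs_type;` in vendor/file.te is declared but no rule, file_contexts or genfs_contexts entry anywhere in this patch references it; only `sysfs_gps` is used (genfs_contexts, gnssd.te, hal_gnss_default.te). An unreferenced type is dead policy, and if a shared policy directory already declares the same name the build fails on the duplicate, so either drop the line or add the rules that need it. A one-line comment per type saying which node it labels would also help, e.g. `# coredump node under /sys/devices/platform/gnssif (see genfs_contexts)` above `sysfs_gps`.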
@@ -8,3 +8,17 @@
 /dev/lwis-sensor-barghest u:object_r:lwis_device:s0
 /dev/lwis-sensor-leshen u:object_r:lwis_device:s0
 /dev/lwis-sensor-leshen-uw u:object_r:lwis_device:s0
+
+# GPS
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/gnss_boot u:object_r:vendor_gnss_device:s0
+/dev/gnss_dump u:object_r:vendor_gnss_device:s0
+
+/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0
+/vendor/bin/hw/sctd u:object_r:sctd_exec:s0
+/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0
+/vendor/bin/hw/spad u:object_r:spad_exec:s0
+/vendor/bin/hw/android.hardware.gnss-service u:object_r:hal_gnss_default_exec:s0
+
+# gnss/gps data/log files
+/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 8b13789..d19427c 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -1 +1,2 @@
-
+# gps coredump node
+genfscon sysfs /devices/platform/gnssif/coredump u:object_r:sysfs_gps:s0
diff --git a/vendor/gnssd.te b/vendor/gnssd.te
new file mode 100644
index 0000000..2b569e5
--- /dev/null
+++ b/vendor/gnssd.te
@@ -0,0 +1,28 @@
+type gnssd, domain;
+type gnssd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gnssd);
+
+# Allow gnssd to access rild
+binder_call(gnssd, rild);
+binder_call(gnssd, hwservicemanager)
+allow gnssd hal_exynos_rild_hwservice:hwservice_manager find;
+allow gnssd radio_device:chr_file rw_file_perms;
+
+# Allow gnssd to acess gnss device
+allow gnssd vendor_gnss_device:chr_file rw_file_perms;
+allow gnssd vendor_gps_file:dir create_dir_perms;
+allow gnssd vendor_gps_file:file create_file_perms;
+allow gnssd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gnssd to obtain wakelock
+wakelock_use(gnssd);
+
+# Allow a base set of permissions required for network access.
+net_domain(gnssd);
+
+# Allow gnssd to get boot complete
+get_prop(gnssd, bootanim_system_prop);
+
+allow gnssd sysfs_soc:file r_file_perms;
+
+allow gnssd sysfs_gps:file rw_file_perms;
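Review bot: `allow gnssd radio_device:chr_file rw_file_perms;` in gnssd.te gives the GNSS daemon read/write on every device node labelled `radio_device`, on top of the binder path to rild granted two lines above; if gnssd only needs one modem IPC node, a dedicated type for that node (as this same patch does with `vendor_gnss_device`) keeps the daemon off the rest of the modem devices. I cannot tell from the patch which node it opens, so treat this as a question for the author rather than a demand. `binder_call(gnssd, hwservicemanager)` is the only macro call in the file without a trailing semicolon while `binder_call(gnssd, rild);` and `init_daemon_domain(gnssd);` have one — pick one convention. The comment `# Allow gnssd to acess gnss device` should read `# Allow gnssd to access gnss device`, and the two uncommented `sysfs_soc`/`sysfs_gps` rules at the end deserve a why-line like the others, e.g. `# Allow gnssd to read SoC info and trigger/read the gnssif coredump node`.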
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
new file mode 100644
index 0000000..0a45e91
--- /dev/null
+++ b/vendor/hal_gnss_default.te
@@ -0,0 +1,7 @@
+allow hal_gnss_default fwk_sensor_service:service_manager find;
+allow hal_gnss_default gnssd:unix_stream_socket connectto;
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
+
+allow hal_gnss_default sysfs_gps:file rw_file_perms;
diff --git a/vendor/rild.te b/vendor/rild.te
new file mode 100644
index 0000000..c620a19
--- /dev/null
+++ b/vendor/rild.te
@@ -0,0 +1 @@
+binder_call(rild, gnssd)
diff --git a/vendor/sctd.te b/vendor/sctd.te
new file mode 100644
index 0000000..8966ef8
--- /dev/null
+++ b/vendor/sctd.te
@@ -0,0 +1,3 @@
+type sctd, domain;
+type sctd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(sctd);
diff --git a/vendor/spad.te b/vendor/spad.te
new file mode 100644
index 0000000..eaf8b1c
--- /dev/null
+++ b/vendor/spad.te
@@ -0,0 +1,3 @@
+type spad, domain;
+type spad_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(spad);
diff --git a/vendor/swcnd.te b/vendor/swcnd.te
new file mode 100644
index 0000000..c366cad
--- /dev/null
+++ b/vendor/swcnd.te
@@ -0,0 +1,3 @@
+type swcnd, domain;
+type swcnd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(swcnd);
From 5ea33555b23b0a753d0c9dbc217fa0337fffbb57 Mon Sep 17 00:00:00 2001
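Review bot: `allow hal_gnss_default sysfs_gps:file rw_file_perms;` gives the HAL write access to the only node this patch labels `sysfs_gps` (the gnssif coredump node in genfs_contexts), and gnssd.te grants the identical rule; if only one of the two processes is meant to trigger or clear a dump, the other should drop to `r_file_perms` or lose the rule. Which process writes the node is not visible in the patch, so this is a question for the author. The file also carries no comments at all, unlike gnssd.te; a one-line why above each group (sensor service lookup, socket to gnssd, `/data/vendor/gps`, coredump node) would bring it in line with its sibling, e.g. `# Allow the HAL to talk to gnssd over its unix socket` above the `connectto` rule.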
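Review bot: `type sctd, domain;` plus `init_daemon_domain(sctd);` creates a domain with no allow rules and no comment saying what sctd is, and spad.te and swcnd.te in this patch do exactly the same. Because file_contexts labels `/vendor/bin/hw/sctd` with `sctd_exec`, init will launch the binary into an empty domain and every access it makes becomes a denial, so either the three domains are incomplete or those services are not actually started on this device. Suggest a header comment naming the service and its role, e.g. `# sctd: <role of the daemon — TODO describe>`, together with the rules it needs, or dropping the three files until the daemons ship.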
From: Wayne Lin Date: Wed, 31 Jan 2024 16:17:31 +0800 Subject: [PATCH 08/23] gps: use common gps sepolicy Bug: 323105941 Test: build pass and device boot up without problem Change-Id: Ic680c41cd1726ab998d8d8e9f58aaad7e2734cb2 --- vendor/file.te | 2 -- vendor/file_contexts | 14 -------------- vendor/genfs_contexts | 2 -- vendor/gnssd.te | 28 ---------------------------- vendor/hal_gnss_default.te | 7 ------- vendor/rild.te | 1 - vendor/sctd.te | 3 --- vendor/spad.te | 3 --- vendor/swcnd.te | 3 --- 9 files changed, 63 deletions(-) delete mode 100644 vendor/file.te delete mode 100644 vendor/genfs_contexts delete mode 100644 vendor/gnssd.te delete mode 100644 vendor/hal_gnss_default.te delete mode 100644 vendor/rild.te delete mode 100644 vendor/sctd.te delete mode 100644 vendor/spad.te delete mode 100644 vendor/swcnd.te diff --git a/vendor/file.te b/vendor/file.te deleted file mode 100644 index 4fded5a..0000000 --- a/vendor/file.te +++ /dev/null @@ -1,2 +0,0 @@ -type sysfs_modem_state, sysfs_type, fs_type; -type sysfs_gps, sysfs_type, fs_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index f563cd9..0f19b2e 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -8,17 +8,3 @@ /dev/lwis-sensor-barghest u:object_r:lwis_device:s0 /dev/lwis-sensor-leshen u:object_r:lwis_device:s0 /dev/lwis-sensor-leshen-uw u:object_r:lwis_device:s0 - -# GPS -/dev/gnss_ipc u:object_r:vendor_gnss_device:s0 -/dev/gnss_boot u:object_r:vendor_gnss_device:s0 -/dev/gnss_dump u:object_r:vendor_gnss_device:s0 - -/vendor/bin/hw/gnssd u:object_r:gnssd_exec:s0 -/vendor/bin/hw/sctd u:object_r:sctd_exec:s0 -/vendor/bin/hw/swcnd u:object_r:swcnd_exec:s0 -/vendor/bin/hw/spad u:object_r:spad_exec:s0 -/vendor/bin/hw/android.hardware.gnss-service u:object_r:hal_gnss_default_exec:s0 - -# gnss/gps data/log files -/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts deleted file mode 100644 index d19427c..0000000 
--- a/vendor/genfs_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# gps coredump node -genfscon sysfs /devices/platform/gnssif/coredump u:object_r:sysfs_gps:s0 diff --git a/vendor/gnssd.te b/vendor/gnssd.te deleted file mode 100644 index 2b569e5..0000000 --- a/vendor/gnssd.te +++ /dev/null @@ -1,28 +0,0 @@ -type gnssd, domain; -type gnssd_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(gnssd); - -# Allow gnssd to access rild -binder_call(gnssd, rild); -binder_call(gnssd, hwservicemanager) -allow gnssd hal_exynos_rild_hwservice:hwservice_manager find; -allow gnssd radio_device:chr_file rw_file_perms; - -# Allow gnssd to acess gnss device -allow gnssd vendor_gnss_device:chr_file rw_file_perms; -allow gnssd vendor_gps_file:dir create_dir_perms; -allow gnssd vendor_gps_file:file create_file_perms; -allow gnssd vendor_gps_file:fifo_file create_file_perms; - -# Allow gnssd to obtain wakelock -wakelock_use(gnssd); - -# Allow a base set of permissions required for network access. -net_domain(gnssd); - -# Allow gnssd to get boot complete -get_prop(gnssd, bootanim_system_prop); - -allow gnssd sysfs_soc:file r_file_perms; - -allow gnssd sysfs_gps:file rw_file_perms; diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te deleted file mode 100644 index 0a45e91..0000000 --- a/vendor/hal_gnss_default.te +++ /dev/null @@ -1,7 +0,0 @@ -allow hal_gnss_default fwk_sensor_service:service_manager find; -allow hal_gnss_default gnssd:unix_stream_socket connectto; -allow hal_gnss_default vendor_gps_file:dir create_dir_perms; -allow hal_gnss_default vendor_gps_file:file create_file_perms; -allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms; - -allow hal_gnss_default sysfs_gps:file rw_file_perms; diff --git a/vendor/rild.te b/vendor/rild.te deleted file mode 100644 index c620a19..0000000 --- a/vendor/rild.te +++ /dev/null @@ -1 +0,0 @@ -binder_call(rild, gnssd) 
diff --git a/vendor/sctd.te b/vendor/sctd.te deleted file mode 100644 index 8966ef8..0000000 --- a/vendor/sctd.te +++ /dev/null @@ -1,3 +0,0 @@ -type sctd, domain; -type sctd_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(sctd); diff --git a/vendor/spad.te b/vendor/spad.te deleted file mode 100644 index eaf8b1c..0000000 --- a/vendor/spad.te +++ /dev/null @@ -1,3 +0,0 @@ -type spad, domain; -type spad_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(spad); diff --git a/vendor/swcnd.te b/vendor/swcnd.te deleted file mode 100644 index c366cad..0000000 --- a/vendor/swcnd.te +++ /dev/null @@ -1,3 +0,0 @@ -type swcnd, domain; -type swcnd_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(swcnd); From 35858317eb3cea0120e1f4a0d8b7b6fbba27fffe Mon Sep 17 00:00:00 2001 From: YiHsiang Peng Date: Wed, 20 Mar 2024 13:48:51 +0000 Subject: [PATCH 09/23] Fix WLC charging sign android.hardwar: type=1400 audit(0.0:4): avc: denied { getattr } for path="/sys/devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/capacity" dev="sysfs" ino=79124 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 329564860 Change-Id: Ia5d5e2e1b05f64ae14afaa0c25deee31a859dcbc Signed-off-by: YiHsiang Peng --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) create mode 100644 vendor/genfs_contexts diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts new file mode 100644 index 0000000..48df86c --- /dev/null +++ b/vendor/genfs_contexts @@ -0,0 +1 @@ +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply u:object_r:sysfs_batteryinfo:s0 \ No newline at end of file From 032063e1bc47188b241aef00f9c0f1639df6c220 Mon Sep 17 00:00:00 2001 
From: YiKai Peng Date: Mon, 6 May 2024 09:52:45 +0000 Subject: [PATCH 10/23] selinux: label wakeup for BMS gccd Bug: 338487056 Test: v2/pixel-health-guard/device-boot-health-check-extra Change-Id: Ia3f1ef388f74c6dc387824c0851fc63377013257 Signed-off-by: YiKai Peng --- vendor/genfs_contexts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 48df86c..8f1e7e4 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -1 +1,4 @@ -genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply u:object_r:sysfs_batteryinfo:s0 \ No newline at end of file +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply u:object_r:sysfs_batteryinfo:s0 + +# wake up nodes +genfscon sysfs /devices/platform/google,ccd/power_supply/gccd/wakeup u:object_r:sysfs_wakeup:s0 From f7603040fcf610d99b409e286aee69f6c8799c50 Mon Sep 17 00:00:00 2001 From: YiKai Peng Date: Mon, 6 May 2024 15:05:49 +0000 Subject: [PATCH 11/23] selinux: allow sysfs read for hal_health_default Bug: 338487056 Test: v2/pixel-health-guard/device-boot-health-check-extra Change-Id: I5a97403fcb5773f86349cbcc1308741fdb255328 Signed-off-by: YiKai Peng --- vendor/hal_health_default.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 vendor/hal_health_default.te diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te new file mode 100644 index 0000000..189034c --- /dev/null +++ b/vendor/hal_health_default.te @@ -0,0 +1 @@ +allow hal_health_default sysfs:file r_file_perms; From e72702516526f3908ed06e02a43ce19391bb33a8 Mon Sep 17 00:00:00 2001 From: Blackbear Chou Date: Thu, 23 May 2024 17:13:00 +0800 Subject: [PATCH 12/23] sepolicy: add wakeup sepolicy for spi20 Bug: 341854820 Test: build, make sepolicy Change-Id: Ie8940d36f21fbaef8c24633d771b33031ee25310 Signed-off-by: Blackbear Chou --- vendor/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) 
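Review bot: `allow hal_health_default sysfs:file r_file_perms;` grants read on every sysfs file that still carries the generic `sysfs` label, not just the power_supply or wakeup nodes this series is about, and it makes the narrow `sysfs_wakeup` labelling done in the preceding patch irrelevant for this domain. Prefer labelling the node the HAL actually reads (as patch 15 later does with `sysfs_wlc`) and allowing that type instead of the catch-all. If the blanket rule has to stay for now, record the path from the denial and the intent to narrow it, e.g. `# TODO(b/338487056): narrow to the labelled node once genfs_contexts covers it`.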
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8f1e7e4..b0b3b9c 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -2,3 +2,6 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply # wake up nodes genfscon sysfs /devices/platform/google,ccd/power_supply/gccd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/synaptics_tcm.0/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 + From cfb03f0a5dcc1163daf36abd37826352e08f934f Mon Sep 17 00:00:00 2001 From: Cyan_Hsieh Date: Fri, 24 May 2024 15:54:03 +0800 Subject: [PATCH 13/23] Switch makefile owners to MK_OWNERS Bug: 278167548 Change-Id: I728c4b4150029efe70a0d2f8d0ff5fe9e6ff2a25 --- OWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OWNERS b/OWNERS index 4bdbb97..e6ce5d0 100644 --- a/OWNERS +++ b/OWNERS @@ -1,2 +1,2 @@ # per-file for Pixel device makefiles, see go/pixel-device-mk-owner-checklist for details. -per-file *.mk=file:device/google/gs-common:main:/OWNERS +per-file *.mk=file:device/google/gs-common:main:/MK_OWNERS From 281f3af6a6fd133d58b44cd20f176e4a43375984 Mon Sep 17 00:00:00 2001 
From: Frank Yu Date: Fri, 31 May 2024 07:08:45 +0000 Subject: [PATCH 14/23] Update sepolicy for radioext AIDL service. avc logs for each rule: SELinux : avc: denied { find } for pid=1965 uid=10238 name=vendor.google.radio_ext.IRadioExt/default scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0 auditd : type=1400 audit(0.0:12): avc: denied { call } for comm="oid.grilservice" scontext=u:r:grilservice_app:s0:c238,c256,c512,c768 tcontext=u:r:hal_radio_ext:s0 tclass=binder permissive=0 app=com.google.android.grilservice Bug: 343576955 Test: Manual. grilservice_app invoke method in radio ext successfully. Change-Id: I7cff95231430d78a7e2436b2ba10acf45cd5dbd8 Change-Id: Ide8934503593804fcc141cd87e3eeffc0f5f55e2 --- vendor/grilservice_app.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 vendor/grilservice_app.te diff --git a/vendor/grilservice_app.te b/vendor/grilservice_app.te new file mode 100644 index 0000000..287053a --- /dev/null +++ b/vendor/grilservice_app.te @@ -0,0 +1,2 @@ +allow grilservice_app hal_radio_ext_service:service_manager find; +binder_call(grilservice_app, hal_radio_ext) \ No newline at end of file From 546fb5912e87e3728c3e88c18215875bb5480b7c Mon Sep 17 00:00:00 2001 From: YiKai Peng Date: Wed, 12 Jun 2024 06:08:23 +0000 Subject: [PATCH 15/23] selinux: label sysfs_wlc with static i2c Bug: 346493425 Test: v2/pixel-health-guard/device-boot-health-check-extra Change-Id: I031516772e8c8c80f00d1afa7c6565fc917cb5f0 Signed-off-by: YiKai Peng --- vendor/genfs_contexts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index b0b3b9c..8e68e07 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -1,7 +1,9 @@ -genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply u:object_r:sysfs_batteryinfo:s0 # wake up nodes -genfscon sysfs /devices/platform/google,ccd/power_supply/gccd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,ccd/power_supply/gccd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/synaptics_tcm.0/power/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 +# WLC +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061 u:object_r:sysfs_wlc:s0 From b45ba6253a690249fa132139fdff78cb9628f617 Mon Sep 17 00:00:00 2001 From: Sergey Volk Date: Tue, 18 Jun 2024 19:00:02 +0000 Subject: [PATCH 16/23] tegu: Add sepolicy for drmdp wakeup node DisplayPort driver has recently added a wakeup node init code, so we need to add it to sepolicy. Bug: 347852488 Test: None Flag: NONE (follow up fix for merged non-flagged CL pa/2839256) Change-Id: I7f0cd7a80ab67f14fe1551434709e4f19983197e --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8e68e07..4730cb2 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
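Review bot: `genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061 u:object_r:sysfs_wlc:s0` is a path prefix of the `.../10-0061/power_supply` entry at the top of the file; genfscon resolves by longest matching prefix, so the power_supply subtree keeps `sysfs_batteryinfo` and only the rest of the device directory becomes `sysfs_wlc`. That is presumably the intent, but a comment stating it saves the next reader from checking the precedence, e.g. `# WLC: whole i2c device dir; power_supply/ below it stays sysfs_batteryinfo (longest genfscon prefix wins)`. The first two -/+ pairs in the hunk show no visible difference, so they look like whitespace-only changes that the description does not mention; call that out or keep them in a separate change.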
@@ -4,6 +4,7 @@ genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply genfscon sysfs /devices/platform/google,ccd/power_supply/gccd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/synaptics_tcm.0/power/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0 # WLC genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061 u:object_r:sysfs_wlc:s0 From 81f405049f3001e9f5fe9324c66125df6dca993c Mon Sep 17 00:00:00 2001 From: Frank Yu Date: Fri, 28 Jun 2024 04:06:29 +0000 Subject: [PATCH 17/23] Update sepolicy for grilservie_app to call twoshay service. Related avc error log: auditd : type=1400 audit(0.0:7): avc: denied { call } for comm="pool-2-thread-1" scontext=u:r:grilservice_app:s0:c248,c256,c512,c768 tcontext=u:r:twoshay:s0 tclass=binder permissive=0 app=com.google.android.grilservice Bug: 347853101 Test: Manual test and tested v2/pixel-health-guard/device-boot-health-check-extra on abtd. No error log after this update. Change-Id: I5083e0ce549fd98d3d12f5005c02abe0fd988208 --- vendor/grilservice_app.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vendor/grilservice_app.te b/vendor/grilservice_app.te index 287053a..ed2c444 100644 --- a/vendor/grilservice_app.te +++ b/vendor/grilservice_app.te @@ -1,2 +1,3 @@ allow grilservice_app hal_radio_ext_service:service_manager find; -binder_call(grilservice_app, hal_radio_ext) \ No newline at end of file +binder_call(grilservice_app, hal_radio_ext) +binder_call(grilservice_app, twoshay) \ No newline at end of file From 94f5344dbfa41c5ee53029db9376f03cd457ad29 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Tue, 13 Aug 2024 07:32:06 +0000 Subject: [PATCH 18/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 359428163 Flag: EXEMPT bugFix Change-Id: I92f34e1b9794ed5eace45410c265b8c4d3934704 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 8b13789..3a9095a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1 +1,2 @@ +servicemanager bipchmgr binder b/359428163 From 86744204b3a7808708cfbca7747c3270a5b54de5 Mon Sep 17 00:00:00 2001 From: Tim Lin Date: Tue, 13 Aug 2024 14:27:00 +0000 Subject: [PATCH 19/23] Remove obsolete entries Fixed by ag/28780271 Bug: 359428163 Change-Id: I6282035e5d2624220b4ffde7bf674aeca7cdc961 Test: SELinuxUncheckedDenialBootTest Flag: EXEMPT bugfix --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3a9095a..e69de29 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,2 +0,0 @@ - -servicemanager bipchmgr binder b/359428163 From b0fc4e7390379be127ea5ee702d4128b3a54163e Mon Sep 17 00:00:00 2001 From: Frank Yu Date: Wed, 28 Aug 2024 11:56:46 +0000 Subject: [PATCH 20/23] Move hal_radio_ext_service related policy to gs-common. Bug: 361210953 Flag: EXEMPT sepolicy refactor Change-Id: Ife1f85269e086cba19c87ca1da20a219f68ada2c Test: Verify with test ROM --- vendor/grilservice_app.te | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/vendor/grilservice_app.te b/vendor/grilservice_app.te index ed2c444..2ee3ef2 100644 --- a/vendor/grilservice_app.te +++ b/vendor/grilservice_app.te @@ -1,3 +1 @@ -allow grilservice_app hal_radio_ext_service:service_manager find; -binder_call(grilservice_app, hal_radio_ext) -binder_call(grilservice_app, twoshay) \ No newline at end of file +binder_call(grilservice_app, twoshay) From 83232d7bdf0a43d6cb47cc5397bc565b782925af Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Wed, 4 Sep 2024 03:27:14 +0000 Subject: [PATCH 21/23] Update SELinux error Test: scanBugreport Bug: 364446770 Test: scanAvcDeniedLogRightAfterReboot Bug: 364446680 Flag: EXEMPT sepolicy bugFix Change-Id: Ie75428e754dab7e6f75e6a0e71b5036903f48424 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e69de29..37a688a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -0,0 +1,2 @@ +modem_svc_sit modem_ml_svc_sit process b/364446680 +modem_svc_sit modem_ml_svc_sit process b/364446770 From 8ed14fc8c7562a5b0610a34a3a8a1a61e008f826 Mon Sep 17 00:00:00 2001 From: Xiaofan Jiang Date: Fri, 4 Oct 2024 18:42:04 +0000 Subject: [PATCH 22/23] Remove SELinux error from tracking bug map Test: scanBugreport Bug: 364446770 Test: scanAvcDeniedLogRightAfterReboot Bug: 364446680 Flag: EXEMPT sepolicy bugFix (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e672cc166561b1be569075d27852c0a2c60b9075) Merged-In: Id6bc03f6ede97f31b5fe0b34388cfe543f62663d Change-Id: Id6bc03f6ede97f31b5fe0b34388cfe543f62663d --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 37a688a..e69de29 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,2 +0,0 @@ -modem_svc_sit modem_ml_svc_sit process b/364446680 -modem_svc_sit modem_ml_svc_sit process b/364446770 From ab4fddf3cc74e050bd4a6a2762fbc2dd0886f21b Mon Sep 17 00:00:00 2001 
From: Nina Chen Date: Mon, 7 Oct 2024 10:59:21 +0800 Subject: [PATCH 23/23] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 371877928 Bug: 371877868 Bug: 371878208 Test: scanBugreport Bug: 371877930 Test: scanAvcDeniedLogRightAfterReboot Bug: 371877715 FLAG: EXEMPT NDK (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2478d5ee8e35acc85906fecdbd5eda4a9a6ae9d0) Merged-In: I4e90473549adb6bc3fc3224c1241c3e5a07b1934 Change-Id: I4e90473549adb6bc3fc3224c1241c3e5a07b1934 --- tracking_denials/bug_map | 1 + tracking_denials/grilservice_app.te | 3 +++ tracking_denials/hal_camera_default.te | 3 +++ 3 files changed, 7 insertions(+) create mode 100644 tracking_denials/grilservice_app.te create mode 100644 tracking_denials/hal_camera_default.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e69de29..7e15f18 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -0,0 +1 @@ +system_suspend sysfs dir b/371877715 diff --git a/tracking_denials/grilservice_app.te b/tracking_denials/grilservice_app.te new file mode 100644 index 0000000..bd47db7 --- /dev/null +++ b/tracking_denials/grilservice_app.te @@ -0,0 +1,3 @@ +# b/371877868 +dontaudit grilservice_app default_android_hwservice:hwservice_manager find; + diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te new file mode 100644 index 0000000..1bdb5ce --- /dev/null +++ b/tracking_denials/hal_camera_default.te @@ -0,0 +1,3 @@ +# b/371878208 +dontaudit hal_camera_default default_android_hwservice:hwservice_manager find; +
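Review bot: `dontaudit grilservice_app default_android_hwservice:hwservice_manager find;` silences lookups of any hwservice that has no type of its own, so a future mislabelled or newly added service the app genuinely needs will fail with no log line to point at; tracking_denials/hal_camera_default.te adds the identical rule for hal_camera_default. A bare bug number above the rule does not say when it may be removed, so expand the comment, e.g. `# b/371877868 - remove once the hwservice is given its own type or the lookup is dropped`. Both new files also end with an added blank line.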